I am running into an issue where nested AD groups that are in my Splunk AD group do not get the access that everyone else does. The situation when something like... I set up an AD group called Splunk_Win and there were several users in it who had the correct access and could view data. I had a manager request him and his team be added to the group so our Sysadmin added their team group to Splunk_Win and not individually. The manager then said they were getting error logging in and needed access now for an emergency. Our sysadmin decided it was best to just add the manager to Splunk_Win and whala, manager had the access he needed. I re-created this with another member of the group and asked them to screen shot what they saw (I can't add it but I'll type it out) Sorry, but we're having trouble signing you in AADSTS50105: The signed in user user.user@company.com is not assigned to a role for the application a1c025ed-e585-42ab-b809-a4f7b4fd3ea1 (Splunk Enterprise and Splunk Cloud. This error leads me to believe there is a disconnect between Azure and Splunk. The set up is SSO/SAML and as I said above, if the user goes into the Splunk AD group by themselves they get the access need. Has anyone run into this or has any ideas (besides adding individuals) to get nested groups to work in Splunk? ... View more

Hi there 🙂 I am in the process of migrating from Enterprise to Cloud and as I am setting up Splunk roles for the SAML groups that will use Splunk I am running into the issue that I have some elevated users that need to see certain index's but not everything. I wrote out an example below to get the user Tony the access he needs. • Lets say I have a SAML/AD group called Splunk_Marvel with Tony, Steve, and Peter as members. This group is to see the role “marvel events” and only this role (The role can see indexes called “comic” and “sidekicks”). • I also have a SAML/AD group called Splunk_DC with Bruce, Clark, and Harley as members, this group is only supposed to see the role “dc events” and only this role (this role can see indexes “comic”, “identity” and “powers”). • Now Tony asked his manager/put in a request to see the index “identity” and his manager approved but reminded him that only he can see it and not Steve and Peter. So what I’m running into for options/solutions to this is… • Give Splunk_Marvel the role “dc_events” …but now Steve and Peter are not supposed to see the index “identity” and Tony shouldn’t see “Powers” • Create a new SAML/AD group that just has Tony in it, add it as a SAML group in cloud, and also create a new role to view just the index “identity”. • Create a local spunk account for Tony to use (he’s a big enough deal) and assign that index to him specifically. WAIT!! wait wait Tony’s boss was talking to the sysadmin for Splunk and they said NO LOCAL SPLUNK ACCOUNTS!! ONLY SAML CAN BE USED FOR LOGIN!! So how do I give Tony the access he needs without creating a new AD/SAML group for just him or giving him access to data he and his team shouldn’t see. ... View more