Hi,
I have been trying to debug this for over a month now. Also checked with other Splunk experts who are also stumped. Hence resorting to Splunk answers. I hope this has a simple answer.
I have an LDAP (AD) integrated Splunk with the following roles assigned to our LDAP security group "ONC-IntOps Splunk Viewers-gs" - user and viewers (don't ask why I need both). This worked great in that it allowed authorized users read access by just adding/removing them from the group... till last month :-(.
I don't know what changed but now every time an (LDAP) user logs in for the first time, she/he gets auto-assigned to user, viewers and ALSO admin roles! This is the role map configuration section of the authentication.conf. I swear - nothing more.
[roleMap_ActiveDirectory]
admin = abc123
user = ONC-IntOps Splunk Viewers-gs
viewers = ONC-IntOps Splunk Viewers-gs
Any idea why every user gets assigned the admin role?
Regards,
-Srinath