Security

Users missing from Access Control

chillsgrove
Explorer

We have almost 500 Splunk users in our organization (a mix of local and LDAP). About 200+ of our Splunk users are no longer appearing in the "User" tab under Access Control. A mix of both local users and LDAP users are not visible; however, they are still able to log in to Splunk and use it without issues. Unfortunately, I'm not able to administer their accounts through the GUI though.

We are using a search-head cluster on Splunk v7.3.2. I've already logged into each individual search-head and verified they are missing from all of them.

Any advice to point me in the right direction on how to solve this is greatly appreciated.

1 Solution

chillsgrove
Explorer

Yes. Here is the solution that worked for us:

Option 1:

In your authorize.conf file you have a stanza named [role_system_admin]. Remove the next two attributes:

edit_roles_grantable = enabled

grantableRoles = system_admin

These lines were required in the older versions of Splunk. Now, however, they are causing the issues you are seeing.

It is recommended to make a backup of the file, remove these two lines, and then restart Splunk. This will need to be done on all of your search heads.

NEXT STEPS

  1. In your SH diag, I see that in authorize.conf, under the [role_admin] stanza

edit_roles_grantable = enabled

grantableRoles = admin

  2. Please edit etc/system/local/authorize.conf and from the [role_admin] stanza, remove the line

grantableRoles = admin

  3. Restart Splunk on the SH

  4. Log in to the SH as an admin user and check if missing users are visible.

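Added example, not part of the original posts or of Splunk's tooling: a dry-run audit that finds the two attributes named in the solution above inside [role_*] stanzas of an authorize.conf and returns the cleaned text, so the change can be reviewed on each search head before the file is backed up, replaced and Splunk restarted. The function name strip_legacy_attrs and the sample configuration are constructed for illustration; passing attrs=("grantableRoles",) gives the narrower edit described under NEXT STEPS.

```python
import re

# Attributes the accepted answer says to remove from role stanzas.
LEGACY_ATTRS = ("edit_roles_grantable", "grantableRoles")

# Constructed sample, not taken from any real deployment.
SAMPLE_CONF = """\
[role_system_admin]
importRoles = admin
edit_roles_grantable = enabled
grantableRoles = system_admin
srchIndexesAllowed = *

[role_admin]
edit_roles_grantable = enabled
grantableRoles = admin

[role_analyst]
importRoles = user
# grantableRoles = analyst
"""

STANZA_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
SETTING_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=")


def strip_legacy_attrs(conf_text, attrs=LEGACY_ATTRS):
    """Return (cleaned_text, findings); findings are (stanza, line_no, line)."""
    kept, findings, stanza = [], [], None
    for line_no, line in enumerate(conf_text.splitlines(keepends=True), 1):
        header = STANZA_RE.match(line)
        if header:
            stanza = header.group(1)
        setting = SETTING_RE.match(line)
        # Only drop active settings inside [role_*] stanzas; commented-out
        # lines and settings in other stanzas are left untouched.
        if (setting and stanza and stanza.startswith("role_")
                and setting.group(1) in attrs):
            findings.append((stanza, line_no, line.strip()))
            continue
        kept.append(line)
    return "".join(kept), findings


if __name__ == "__main__":
    cleaned, findings = strip_legacy_attrs(SAMPLE_CONF)
    for stanza, line_no, line in findings:
        print(f"[{stanza}] line {line_no}: {line}")
    print(cleaned, end="")
```

The script only reports and returns text; writing the file, keeping the backup and restarting Splunk stay manual steps, as in the post.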

adobrzeniecki
Path Finder

Hello, I am experiencing this issue as well with SAML and using Splunk 8.1.2. We have over 50+ users in SAML. They are being mapped in authentication.conf to roles that do exist. When I run the REST call above it only shows me 20 users. These 20 users are also only showing up in the GUI. BUT when I run that REST command and add the username of someone who is missing, it returns results for that user.
I need some assistance here and I have a feeling that this may be a bug ticket. Does anyone have any information at all?

0 Karma

ivanreis
Builder

Check the REST API command below:

|rest /services/authentication/users splunk_server=local
|fields title roles realname|rename title as userName|rename realname as Name

Or run the command through the CLI, but I believe the REST API can give you a better output format:

./splunk list user
username: admin
full-name: Administrator
role: admin

0 Karma

chillsgrove
Explorer

Using the REST API command I get a return result of 292 users. However, in the $SPLUNK_HOME/etc/users directory there are 451 users listed. I'm missing about 159 users in the GUI.

0 Karma

cosminstefanmar
Explorer

We are getting the same error. Did you find an explanation of why a big chunk of users might be missing when pulling via the REST API?

0 Karma