Security

user with multiple roles

harald_leitl
Path Finder

Hi,
I got following behavior.

An ldap user is member of two roles. (role A = ldap groupA & role B = ldap groupB)

role A has properties set to srchIndexesAllowed = index1;index2;index3
role B has properties set to srchIndexesAllowed = index2;index4;index5

When searching for index=* the user only sees indexes from role A (index1;index2;index3).

In Splunk manager the user has both roles assigned.

What am I doing wrong?

we are currently running on 4.3.3.

thx,

harry

Tags (3)
0 Karma
1 Solution

harald_leitl
Path Finder

The problem was caused by a search filter set on role 'A' in authorize.conf.

here is the solution:
http://splunk-base.splunk.com/answers/57026/multiple-roles-inherited-from-ldap-group-memberships

thx

View solution in original post

0 Karma

harald_leitl
Path Finder

The problem was caused by a search filter set on role 'A' in authorize.conf.

here is the solution:
http://splunk-base.splunk.com/answers/57026/multiple-roles-inherited-from-ldap-group-memberships

thx

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi harald_leitl

have a look at this answer, where you can find some basic ldap troubleshooting tips.

cheers,

Mus

0 Karma

harald_leitl
Path Finder

As explained above, role 'A' is allowed to search through index1;index2;index3 and role 'B' is allowed to search through index2;index4;index5.

I thought, if I assign both roles the user would be capable of searching through index1;index2;index3;index4 and index5.

my search to verify the result:

index=*

The result I got:
Only events from index1;index2;index3 were included in the result.

The result I was looking for:
events from index1;index2;index3;index4 and index5 are shown

0 Karma

harald_leitl
Path Finder

I don't think I have a problem with authentication and ldap.

In splunk manager I see that both splunk roles are assigned to the user.

However, it seems the user only gets capabilities of role 'A'.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...