I have a problem where an admin role user cannot see another analyst user to assign specific notable events to. However, I do not have any problems when I as another admin user try to assign the analyst user that the other admin role cannot see.
I have checked notable_owners_lookup and it was filled correctly with the expected users.
What could be the issue here and where should we check?
I've seen this issue on Linux hosts with Splunk 7.3.x, where Splunk admin roles were assigned via RBAC using AD groups. There was an issue where the AD group membership was not being correctly identified on Linux, which resulted in the user still showing as admin in Splunk, but not having Splunk admin privileges.
The issue was fixed during a Splunk upgrade, but you could also try the following if your situation is similar:
- Running systemctl restart sssd - Open settings -> authentication methods -> reload - Use the CLI or make an API call to reload the authentication: