Re: User Mapping

edwardrose · ‎02-15-2021

Hello All,

I am trying to find where a user is getting mapped to a role. I can see that the user is mapped to the power role in the webui, but I do not see the user being mapped there in /opt/splunk/etc/system/local/authentication.conf. So what am I missing? Also there is nothing in /opt/splunk/etc/apps/* that would map the user to the power role.

Thoughts?

thanks

ed

scelikok · ‎02-15-2021

Hi @edwardrose,

User role mappings are in below file;

$SPLUNK_HOME/etc/passwd

If this reply helps you an upvote and "Accept as Solution" is appreciated.

richgalloway · ‎02-16-2021

~~There is no role mapping info in the passwd file, @scelikok~~

---
If this reply helps you, Karma would be appreciated.

scelikok · ‎02-16-2021

Hi @richgalloway,

Inside $SPLUNK_HOME/etc/passwd below bold field is user role for local Splun authentication. If user has more roles they are listed there comma separated.

:admin:password_hash::Administrator:admin:changeme@example.com:::18624

In case of LDAP authentication user -> role mapping is in authentication.conf

If this reply helps you an upvote and "Accept as Solution" is appreciated.

richgalloway · ‎02-16-2021

Thanks for straightening me out, @scelikok . I ran a quick test and the mapping of user to role(s) is indeed in passwd. Authorize.conf maps the roles to capabilities and other settings.

I'll remove my erroneous answer to avoid confusion.

---
If this reply helps you, Karma would be appreciated.

edwardrose · ‎02-15-2021

authorize.conf is used for mapping capabilities to roles

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/authorizeconf

User Mapping

administration

configuration

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...