Why does ITSI throw a role-related error after ins...

spkriyaz · ‎09-29-2020

Hi,

Currently I am facing role related issue in ITSI. I installed ITSI 4.3.1 version in Splunk enterprise 8.0.3 and after successful installation when I open the ITSI app the below error pops out saying "Could not load page settings. Check that you have the proper roles and permissions. Details: Page not found!" and when I try to open other options like glass tables, deep-dive etc. it throws another error saying

"Deep Dive could not be loaded. Possible cause: connection lost. Try restarting the Splunk platform. Status: 404 (Not Found) Details: Page not found!"

Below is my authorise list for role_admin which looks ok but not sure why the above errors occur. Could you please help with your expertise. I have attached the screenshot as well.

C:\Program Files\Splunk\bin>splunk btool authorize list role_admin
[role_admin]
accelerate_datamodel = enabled
admin_all_objects = enabled
apps_backup = enabled
apps_restore = enabled
change_authentication = enabled
cumulativeRTSrchJobsQuota = 400
cumulativeSrchJobsQuota = 200
dispatch_rest_to_indexers = disabled
edit_authentication_extensions = enabled
edit_bookmarks_mc = enabled
edit_cmd = enabled
edit_deployment_client = enabled
edit_deployment_server = enabled
edit_dist_peer = enabled
edit_encryption_key_provider = enabled
edit_forwarders = enabled
edit_health = enabled
edit_httpauths = enabled
edit_indexer_cluster = enabled
edit_indexerdiscovery = enabled
edit_input_defaults = enabled
edit_local_apps = enabled
edit_metric_schema = enabled
edit_metrics_rollup = enabled
edit_modinput_admon = enabled
edit_modinput_perfmon = enabled
edit_modinput_winhostmon = enabled
edit_modinput_winnetmon = enabled
edit_modinput_winprintmon = enabled
edit_monitor = enabled
edit_restmap = enabled
edit_roles = enabled
edit_scripted = enabled
edit_search_concurrency_all = enabled
edit_search_head_clustering = enabled
edit_search_schedule_priority = enabled
edit_search_scheduler = enabled
edit_search_server = enabled
edit_server = enabled
edit_server_crl = enabled
edit_splunktcp = enabled
edit_splunktcp_ssl = enabled
edit_splunktcp_token = enabled
edit_tcp = enabled
edit_tcp_stream = enabled
edit_telemetry_settings = enabled
edit_token_http = disabled
edit_tokens_all = enabled
edit_tokens_own = enabled
edit_tokens_settings = enabled
edit_udp = enabled
edit_upload_and_index = enabled
edit_user = enabled
edit_view_html = enabled
edit_web_settings = enabled
edit_win_eventlogs = enabled
edit_win_regmon = enabled
edit_win_wmiconf = enabled
edit_workload_pools = enabled
edit_workload_rules = enabled
get_diag = enabled
grantableRoles = admin
importRoles = itoa_admin;itoa_analyst;itoa_user;power;user
indexes_edit = enabled
install_apps = enabled
license_edit = enabled
license_tab = enabled
license_view_warnings = enabled
list_cascading_plans = enabled
list_deployment_client = enabled
list_deployment_server = enabled
list_dist_peer = enabled
list_forwarders = enabled
list_health = enabled
list_httpauths = enabled
list_indexer_cluster = enabled
list_indexerdiscovery = enabled
list_pdfserver = enabled
list_pipeline_sets = enabled
list_search_head_clustering = disabled
list_search_scheduler = enabled
list_settings = disabled
list_storage_passwords = disabled
list_tokens_all = enabled
list_win_localavailablelogs = enabled
list_workload_pools = enabled
list_workload_rules = enabled
never_expire = enabled
never_lockout = enabled
read_metric_ad = disabled
refresh_application_licenses = enabled
rest_apps_management = enabled
restart_reason = enabled
restart_splunkd = enabled
rtSrchJobsQuota = 100
run_collect = enabled
run_debug_commands = enabled
run_mcollect = enabled
run_msearch = enabled
schedule_rtsearch = enabled
select_workload_pools = enabled
srchDiskQuota = 25000
srchFilter = *
srchFilterSelecting = true
srchIndexesAllowed = *;_*;itsi_grouped_alerts;itsi_notable_archive;itsi_notable_audit;itsi_summary;itsi_tracked_alerts
srchIndexesDefault = main
srchJobsQuota = 50
srchMaxTime = 8640000
srchTimeWin = 0
web_debug = enabled
write_metric_ad = disabled
write_pdfserver = enabled

ohbuckeyeio · ‎10-28-2022

I was seeing the same thing on the Event Types page. Fixed it by granting the admin role inheritance of the following:
itoa_admin
itoa_analyst
itoa_user

sweetie · ‎05-09-2022

Hi @spkriyaz ,

Was your issue fixed and how? I am facing same issue in ITE work app for Entity management. Thanks

mattiaslundstro · ‎09-15-2022

Hi, I'm also experiencing the same issue for some users - did you manage to fix it?

Why does ITSI throw a role-related error after installation (ITSI 4.3.1 version in Splunk enterprise 8.0.3)?

using ITSI

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?