- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Admin Down! Restarting Splunk does not reload Auth...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I seem to have foobar'd my Admin account, resulting in the majority of the admin privileges not working through the UI:
AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/admin/launcher/data/modular-inputs?count=-1
I have edited the \local\authorize to match that of the \default config and restarted Splunk via CLI, but this has not restored my previous admin privileges.
C:\Program Files\Splunk\etc\system\local\authorize.conf as follows to reset:
(a cut and copy from \default\authorize.conf)
[role_admin]
accelerate_datamodel = enabled
admin_all_objects = enabled
change_authentication = enabled
edit_deployment_client = enabled
list_deployment_client = enabled
edit_deployment_server = enabled
list_deployment_server = enabled
edit_dist_peer = enabled
edit_forwarders = enabled
edit_httpauths = enabled
edit_input_defaults = enabled
edit_monitor = enabled
edit_roles = enabled
edit_scripted = enabled
edit_search_server = enabled
edit_server = enabled
edit_splunktcp = enabled
edit_splunktcp_ssl = enabled
edit_tcp = enabled
edit_udp = enabled
edit_user = enabled
edit_view_html = enabled
edit_web_settings = enabled
get_diag = enabled
indexes_edit = enabled
license_edit = enabled
license_tab = enabled
list_forwarders = enabled
list_httpauths = enabled
rest_apps_management = enabled
restart_splunkd = enabled
run_debug_commands = enabled
# This enables the windows specific capabilities for admin
edit_win_eventlogs = enabled
edit_win_wmiconf = enabled
edit_win_regmon = enabled
edit_win_admon = enabled
edit_win_perfmon = enabled
list_win_localavailablelogs = enabled
list_pdfserver = enabled
write_pdfserver = enabled
importRoles = power;user
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os
srchFilter = *
srchTimeWin = 0
srchDiskQuota = 10000
srchJobsQuota = 50
rtSrchJobsQuota = 100
cumulativeSrchJobsQuota = 200
cumulativeRTSrchJobsQuota = 400
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I deleted the /local/authorize.conf (after making a copy) and replace the /default/authorize.conf with a fresh version. Seems I may have saved the wrong one, or the local was for some reason corrupt.
Restart and relax...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I deleted the /local/authorize.conf (after making a copy) and replace the /default/authorize.conf with a fresh version. Seems I may have saved the wrong one, or the local was for some reason corrupt.
Restart and relax...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems if you edit the 'user' role, then inheritance also affects the 'admin' role.
I removed all the permissions from the user role, which then locked my admin role.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
