Solved: user with multiple roles

harald_leitl · ‎11-28-2012

Hi,
I got following behavior.

An ldap user is member of two roles. (role A = ldap groupA & role B = ldap groupB)

role A has properties set to srchIndexesAllowed = index1;index2;index3
role B has properties set to srchIndexesAllowed = index2;index4;index5

When searching for index=* the user only sees indexes from role A (index1;index2;index3).

In Splunk manager the user has both roles assigned.

What am I doing wrong?

we are currently running on 4.3.3.

thx,

harry

harald_leitl · ‎11-30-2012

The problem was caused by a search filter set on role 'A' in authorize.conf.

thx

harald_leitl · ‎11-30-2012

The problem was caused by a search filter set on role 'A' in authorize.conf.

thx

MuS · ‎11-28-2012

Hi harald_leitl

have a look at this answer, where you can find some basic ldap troubleshooting tips.

cheers,

Mus

harald_leitl · ‎11-28-2012

As explained above, role 'A' is allowed to search through index1;index2;index3 and role 'B' is allowed to search through index2;index4;index5.

I thought, if I assign both roles the user would be capable of searching through index1;index2;index3;index4 and index5.

my search to verify the result:

index=*

The result I got:
Only events from index1;index2;index3 were included in the result.

The result I was looking for:
events from index1;index2;index3;index4 and index5 are shown

harald_leitl · ‎11-28-2012

I don't think I have a problem with authentication and ldap.

In splunk manager I see that both splunk roles are assigned to the user.

However, it seems the user only gets capabilities of role 'A'.

user with multiple roles