Security

Not able to find users from Splunk UI ????

harishalipaka
Motivator

Hi All,

We have Created Role with name "Pulsenewuser" with the capabilities (edit_user,edit_roles,edit_roles_grantable) .
When we are adding "Pulsenewuser" Role to the users ,we are not able find the users from Splunk UI.

please can you help me out from this ,we are using splunk 7.1.4 enterprise edition(same thing working fine in splunk 6.6.2)

Thanks
Harish
0 Karma

tchimento_splun
Splunk Employee
Splunk Employee

By including edit_roles_grantable as a capability you have specified that any user assigned to that role will be limited to the capabilities that were included in that role. The result is that all the users who already existed and have been assigned to a role that has MORE capabilities than the role 'Pulsenewuser' will no longer be accessible.

General behavior and configuration guidance for edit_roles_grantable:

In the UI create a role called subadmin [or name of your choice] and make sure the following options are configured:

[role_subadmin]
edit_roles_grantable = enabled
edit_roles = disabled
edit_users = enabled

When the new role is created, the following change will be made in Splunk/etc/system/local/authorize.conf:

grantableRoles = subadmin [you should confirm this - if the entry doesn't match that, make the change. ** After any manual edits of authorize.conf, use Settings > Access control > Authentication method > Reload authentication configuration or changes won’t be applied.]

Configure the subadmin role in the UI to include/exclude the capabilities to meet the specific limitations you want to impose on the subadmin. Create a newadmin user and assign them to the subadmin role. The user newadmin will only be able to see and use the capabilities that are included in the subadmin role.

For example, if you want to remove access to the delete_by_keyword capability, configure the subadmin role as described above but without the delete_by_keyword capability. When the newadmin user logs into Splunk, they will not have that option in their list of capabilities.

0 Karma

inventsekar
Ultra Champion

when you create Pulsenewuser, did you just create from zero or did you create by cloning an already existing role and edited?
if you created Pulsenewuser from zero, maybe, delete it and clone a very basic role and edit/update the roles.

0 Karma

skalliger
SplunkTrust
SplunkTrust

What is your problem exactly? The role is used to create new users but you can not create new users? Are the users found in the following rest call?
| rest /services/authentication/users

Skalli

0 Karma

inventsekar
Ultra Champion

may i know, when you run | rest /services/authorization/roles , do you get the "Pulsenewuser" listed out?

0 Karma

harishalipaka
Motivator

@inventsekar
yes,we did logout and login.

Thanks
Harish
0 Karma

harishalipaka
Motivator

@inventsekar

Thanks for your reply..

Yes ,am getting the "Pulsenewuser" list

Thanks
Harish
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...