Troubleshoot User Access Issues

This section lists the issues and steps to troubleshoot them.

Default Connection Access in Log Observer Connect

A user cannot access the Log Observer Connect default Splunk Cloud Platform connection.

The default connection requires Splunk Cloud Platform credentials. This connection is unavailable if Splunk Cloud is currently offline or if the user has authenticated using the secondary login method.

Check whether Splunk Cloud Platform is available:

If Splunk Cloud Platform is available, re-authenticate with Unified Identity. A secondary login method should be used only as a backup when the primary platform is unavailable, as it does not provide the full range of Unified Identity capabilities. Always sign in with Unified Identity.

Mismatched Email Addresses

The user has authenticated into different accounts using both the secondary login method and Unified Identity.

Splunk Observability Cloud links the same account across login methods by email address, and the email addresses do not match.

Splunk Observability Cloud links the same account across different login methods by matching the user's email address. If these email addresses do not match, the user's login fails.

Confirm that the email address from the identity provider assertion matches the address verified at the user's first Unified Identity login.

Permissions Mismatch Between Splunk Platforms

In login and permissions fallback scenarios, the user's permissions in Splunk Observability Cloud do not match their assigned capabilities in Splunk Cloud Platform.

This issue occurs during fallback scenarios. Splunk Observability Cloud relies on stored snapshot, which means it may not always reflect real-time changes made in Splunk Cloud Platform. This can happen for the following reasons.
  • User roles or capabilities were updated in Splunk Cloud Platform after the last sync. These permissions are automatically corrected upon the user's next Unified Identity login.
  • The user has not logged in with Unified Identity in the past week, leaving the system without a valid, recent snapshot to reference. The system assigns the organization's default SSO role to the user.

User Cannot Access Splunk Observability Cloud

The user can't log in to Splunk Observability Cloud after configuring centralized user and role management. The user sees error message, "You do not have access to Splunk Observability Cloud…"

The user's Splunk Cloud Platform and related services might be undergoing maintenance or outage. Alternatively, the administrator who configured centralized user and role management might have forgotten to give the user the o11y_access role.

  1. Confirm that the Splunk Cloud Platform instance is available and not undergoing maintenance.
  2. Confirm that the user with login problems has both of the following roles in Splunk Cloud Platform:
Alternatively, you can set up login and permission fallback. See How to Set Up Login and Permission Fallback.

UI Errors After Centralized User and Role Configuration

After an administrator has set up centralized user and role management, the user sees errors across the UI after logging in.

The user's Splunk Cloud Platform stack might be undergoing maintenance. Another cause might be that token authentication is not active on the Splunk Cloud Platform instance.

  1. Confirm that the paired Splunk search head or search head cluster is available and not undergoing maintenance.
  2. Check that token authentication is active on the Splunk Cloud Platform instance.