Account, user, and entitlements troubleshooting

User, account, and entitlements issues are associated with the Entitlements service. The IBM Security QRadar® Suite Software Entitlements service manages accounts, users, and roles, along with the change log and the connection to IBM Cloud Pak® foundational services.

Identity provider (IDP) is unavailable on IBM Cloud Pak foundational services console

It is not possible to add users from one or more modified IDP directories.

This problem occurs after significant changes to the IDP configuration of the cluster where IBM Security QRadar Suite Software is installed.

For example, this problem might occur following the restoration of a QRadar Suite Software backup to a different cluster, or if an identity provider is directly removed from the IBM Cloud Pak foundational services console. To remove an identity provider, complete the steps in Removing an identity provider from QRadar Suite Software.

Resolving the inability to add users and modify an account after an IDP is removed

If the users of a removed identity provider are not also removed from the account, the account is left in a broken state and functions such as User profile, Add User, and Edit account settings are affected.

  1. From the affected account, remove any users that belong to the identity provider that was removed from QRadar Suite Software.
  2. Edit the account settings and remove the identity provider from every account that still references it.

After you remove the users and edit the accounts, verify that a valid identity provider is still connected to the account. Make sure that the connected identity provider exists on the IBM Cloud Pak foundational services console.

Verify that all functions are restored and User and Account Management is working as expected.

Synchronizing the latest IDP connections with QRadar Suite Software

QRadar Suite Software provides an action to synchronize significant changes to the IBM Cloud Pak foundational services IDP connections with the Entitlements service. For example, if an identity provider is removed and added again with a different realm name, or with a different set of users, this action syncs the changes and updates the Entitlements database.

Install the command-line interface (CLI) utility cpctl from the cp-serviceability pod. For more information, see Installing the cpctl utility.

The sync_ldap action triggers an internal routine in the Entitlements service that queries foundational services for the latest IDP connections. If changes are detected, these changes are applied to all the affected users and accounts that are stored in the Entitlements service. When the action is completed, the Entitlements service deployment is updated and all the Entitlements service pods are restarted.

Run the following command. No parameters are needed.

    cpctl remediation sync_ldap

The following output shows an example of what you see when the action is completed.

    Executing playbook sync_ldap.yaml
    
    - localhost on hosts: localhost -
    Gathering Facts...
      localhost ok
    Update LDAP directories stored in Entitlements service...
      localhost ok | msg: OK (unknown bytes)
    Patch Deployment to Restart Entitlements Pods...
      localhost ok
    cp4s namespace...
      localhost ok
    Patch Deployment to Restart Pods...
      localhost done
    Show LDAP sync status...
      localhost ok: {
        "changed": false,
        "msg": "LDAP directories are in sync"
    }

If the action fails, check the status of the Entitlements service by running the following command.

    cpctl diagnostics check_deployment --only entitle --token "$(oc whoami -t)"
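
The following wrapper is an added example, not part of the IBM documentation or of the cpctl utility. It runs the sync action, decides from the playbook output whether the Entitlements database ended up in sync (the in-sync status message and only ok/done task results), and otherwise runs the deployment check from above. It assumes cpctl and oc are on the PATH and logged in; the successful sample output is the one shown above, and the failed sample, including its status word and message, is constructed for the self-check.

```shell
#!/bin/sh
# Added example (not IBM's code): wrap `cpctl remediation sync_ldap` and judge its result.

# Constructed sample of a successful run (copied from the documented output).
SAMPLE_SYNC_OK='Executing playbook sync_ldap.yaml

- localhost on hosts: localhost -
Gathering Facts...
  localhost ok
Update LDAP directories stored in Entitlements service...
  localhost ok | msg: OK (unknown bytes)
Patch Deployment to Restart Entitlements Pods...
  localhost ok
cp4s namespace...
  localhost ok
Patch Deployment to Restart Pods...
  localhost done
Show LDAP sync status...
  localhost ok: {
    "changed": false,
    "msg": "LDAP directories are in sync"
}'

# Constructed sample of a failed run; the "failed" status and message are invented
# for the self-check and are not documented cpctl output.
SAMPLE_SYNC_FAILED='Executing playbook sync_ldap.yaml

- localhost on hosts: localhost -
Gathering Facts...
  localhost ok
Update LDAP directories stored in Entitlements service...
  localhost failed | msg: connection refused'

# sync_ldap_succeeded: reads playbook output on stdin and returns 0 only if the
# final status task reported the in-sync message and every per-host task result
# line ("  localhost <status>") shows ok or done.
sync_ldap_succeeded() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '"msg": "LDAP directories are in sync"' || return 1
    bad=$(printf '%s\n' "$out" \
        | grep -E '^[[:space:]]+localhost ' \
        | grep -Ev '^[[:space:]]+localhost (ok|done)([ :|]|$)' || true)
    [ -z "$bad" ]
}

# run_sync: run the remediation; on anything but a clean in-sync result, show the
# output and run the documented Entitlements deployment check.
run_sync() {
    output=$(cpctl remediation sync_ldap 2>&1) || true
    printf '%s\n' "$output"
    if printf '%s\n' "$output" | sync_ldap_succeeded; then
        echo "Entitlements IDP connections are in sync."
        return 0
    fi
    echo "sync_ldap did not report success; checking the Entitlements deployment..." >&2
    cpctl diagnostics check_deployment --only entitle --token "$(oc whoami -t)"
    return 1
}

# Only touch the cluster when explicitly requested, so the helper can be
# sourced or self-checked without cpctl present.
if [ "${RUN_SYNC_LDAP:-}" = "1" ]; then
    run_sync
fi
```

Run it with `RUN_SYNC_LDAP=1 sh sync_ldap_check.sh`; the non-zero exit on failure makes it usable from a maintenance job that should stop when the Entitlements database and the foundational services IDP connections have drifted apart.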

System Administration account admin user is unavailable

When the System Administration account is configured with only one user with the "Accounts management" Admin role and that user is unavailable, no one can do accounts management for QRadar Suite Software.

The System Administration account has no valid users with the "Accounts management" Admin role.

When you change the System Administration account through the user management page, QRadar Suite Software makes sure that there is always at least one user with accounts management access. When the admin user is unavailable, give the admin permission to a different user on the System Administration account, or add a user to the account, so that accounts management tasks can be done.

Resolving account admin unavailable

Before you begin, you must have cluster administrator access with the Kubernetes command-line interface tool to the cluster where QRadar Suite Software is installed.

  1. To find the namespace where QRadar Suite Software is installed, run the following commands.

    NAMESPACE=$(oc get pod -lrun=cp-serviceability --all-namespaces --no-headers | awk '{print $1}')
    echo $NAMESPACE
  2. To identify a running isc-entitlements pod, run the following commands:

    POD=$(oc get pods -lname=isc-entitlements -n=$NAMESPACE --no-headers | grep -i running | head -1 | awk '{print $1}')
    echo $POD
  3. Confirm that the result of step 2 is similar to the following output.

    isc-entitlements-c5bc499ff-2qwb5
    1. If the command in step 2 produces no output, run the oc get pods -lname=isc-entitlements -n=$NAMESPACE command and verify that pods are present and are in a Running state.
    2. If no pods are in the Running state, see the instructions for running MustGather.
  4. To find the ID for the System Administration account, run the following command:

    oc exec $POD -n=$NAMESPACE -- node ./utilities/listAccounts.js

    Obtain the ID from the output as shown in the following example:

    ┌─────────┬────────────────────────────────────────┬──────────────────────────────────┐
    │ (index) │               Account ID               │           Account Name           │
    ├─────────┼────────────────────────────────────────┼──────────────────────────────────┤
    │    0    │ '88bb81d6-2e5a-4ca2-b5ee-f5d2f391d549' │     'System Administration'      │
    │    1    │ '9b0a1cb6-97b3-42aa-88e7-11e428eee301' │     'Test account 1'             │
    │    2    │ 'a6be0459-5a69-40fd-aea6-847a6792a781' │     'Test account 2'             │
    │    3    │ 'a8bb651d-5f9b-4447-802e-a1d3a514d988' │     'Test account 3'             │
    └─────────┴────────────────────────────────────────┴──────────────────────────────────┘
    
  5. Run the setAdminUser command with the username of the new admin user and the account ID of the System Administration account.

    oc exec $POD -n=$NAMESPACE -- node ./utilities/setAdminUser.js <username> <account_ID>

    If the user does not exist on the account, the command searches the identity providers that are connected to IBM Cloud Pak foundational services. If the specified user is found, that user is added to the System Administration account and given the accounts management Admin role on that account.

    The following log is an example of the output from the command:

    {"level":"info","message":"Getting connected IDP directories...","ibm_datetime":"2021-09-14T12:04:22.635Z"}
    {"level":"info","message":"Searching IDP connections for test.user@company.com...","ibm_datetime":"2021-09-14T12:04:23.411Z"}
    {"level":"info","message":"Found test.user@company.com: Bluepages#uid=I00206754,c=ie,ou=bluepages,o=ibm.com, adding user to account","ibm_datetime":"2021-09-14T12:04:24.299Z"}
    {"level":"info","message":"User 'test.user@company.com' has been provisioned in account '88bb81d6-2e5a-4ca2-b5ee-f5d2f391d549'. Current subscription: a7a63e2e-d6cb-4ced-be7b-af7473d2138b","ibm_datetime":"2021-09-14T12:04:27.204Z"}
    {"level":"info","message":"Attempting to give test.user@company.com Admin role on all applications in account 88bb81d6-2e5a-4ca2-b5ee-f5d2f391d549","ibm_datetime":"2021-09-14T12:04:27.205Z"}
    {"level":"info","label":"system-account","message":"Attempt to set: \"test.user@company.com\" as Admin on 3 applications","ibm_datetime":"2021-09-14T12:04:27.425Z"}
    {"level":"info","message":"Complete","ibm_datetime":"2021-09-14T12:04:27.632Z"}

Validate the solution by verifying that the user that you added with the setAdminUser command can access the System Administration account with accounts management Admin privileges.
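
The following script is an added example, not IBM's code, that wraps the five steps above: it discovers the namespace and a Running isc-entitlements pod, parses the System Administration account ID out of the listAccounts.js table instead of relying on a copy from the terminal, validates the inputs, and only then runs setAdminUser.js. It assumes a logged-in cluster administrator oc session and the utility paths and output formats shown above; the embedded table is a constructed copy of the documented listAccounts.js output, and the pod name and cp4s namespace used in the self-check are taken from the examples on this page.

```shell
#!/bin/sh
# Added example (not IBM's code): grant the accounts management Admin role on
# the System Administration account without hand-copying IDs between steps.

UUID_RE='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

# Constructed sample of listAccounts.js output (copied from the documented example).
SAMPLE_ACCOUNTS=$(cat <<'EOF'
┌─────────┬────────────────────────────────────────┬──────────────────────────────────┐
│ (index) │               Account ID               │           Account Name           │
├─────────┼────────────────────────────────────────┼──────────────────────────────────┤
│    0    │ '88bb81d6-2e5a-4ca2-b5ee-f5d2f391d549' │     'System Administration'      │
│    1    │ '9b0a1cb6-97b3-42aa-88e7-11e428eee301' │     'Test account 1'             │
│    2    │ 'a6be0459-5a69-40fd-aea6-847a6792a781' │     'Test account 2'             │
│    3    │ 'a8bb651d-5f9b-4447-802e-a1d3a514d988' │     'Test account 3'             │
└─────────┴────────────────────────────────────────┴──────────────────────────────────┘
EOF
)

# Step 1: the cp-serviceability pod runs in the QRadar Suite Software namespace.
find_namespace() {
    oc get pod -lrun=cp-serviceability --all-namespaces --no-headers | awk '{print $1}' | head -n 1
}

# Step 2: first isc-entitlements pod in the Running state in namespace $1.
find_entitlements_pod() {
    oc get pods -lname=isc-entitlements -n="$1" --no-headers | grep -i running | head -n 1 | awk '{print $1}'
}

# Step 4: read listAccounts.js output on stdin and print the ID of the account named $1.
# Matching the quoted name exactly keeps 'Test account 1' from matching 'Test account 10'.
account_id_by_name() {
    grep -F "'$1'" | head -n 1 | grep -o -E "$UUID_RE"
}

# Refuse to run setAdminUser.js with anything that is not a well-formed account ID.
is_uuid() {
    printf '%s\n' "$1" | grep -q -x -E "$UUID_RE"
}

# Step 5: the exact command that will run, returned as text so it can be logged
# or reviewed before execution. Arguments: pod namespace username account_id.
set_admin_user_cmd() {
    printf 'oc exec %s -n=%s -- node ./utilities/setAdminUser.js %s %s\n' "$1" "$2" "$3" "$4"
}

# Only touch the cluster when ADMIN_USERNAME is set, so the helpers can be
# self-checked offline against SAMPLE_ACCOUNTS.
if [ -n "${ADMIN_USERNAME:-}" ]; then
    ns=$(find_namespace)
    [ -n "$ns" ] || { echo "cp-serviceability pod not found; is QRadar Suite Software installed?" >&2; exit 1; }
    pod=$(find_entitlements_pod "$ns")
    [ -n "$pod" ] || { echo "no Running isc-entitlements pod in $ns; run 'oc get pods -lname=isc-entitlements -n=$ns'" >&2; exit 1; }
    acct=$(oc exec "$pod" -n="$ns" -- node ./utilities/listAccounts.js | account_id_by_name 'System Administration')
    is_uuid "$acct" || { echo "could not parse the System Administration account ID from listAccounts.js" >&2; exit 1; }
    echo "Running: $(set_admin_user_cmd "$pod" "$ns" "$ADMIN_USERNAME" "$acct")"
    oc exec "$pod" -n="$ns" -- node ./utilities/setAdminUser.js "$ADMIN_USERNAME" "$acct"
fi
```

Run it as `ADMIN_USERNAME=test.user@company.com sh set_admin_user.sh`. Parsing the account by its exact quoted name, and validating the ID before the exec, is what prevents the role from being granted on the wrong account when several accounts have similar names.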