Have a ticket out but Support is saying they'll need 6 business days to address. Sent emails to account reps and no responses. Currently have no access to SIEM or SOAR.
Made an accidental change to Permissions in SOAR, which is now causing all users to fail to log into either platform (SIEM or SOAR). Have tried a million different permission options, including Chronicle API Admin, Editor, SOAR Admin, and everything under the sun.
Network tab shows that SecOps is identifying all the permission sets and global data access, and even returns historical searches from the SIEM side, but then will return a request from https://XXXX.siemplify-soar.com/api/external/v1/auth/siem?format=camel as "No permission to login."
Then I get Error: "401 Unauthorized - An error occurred during authentication. Please try again."
Any ideas?
To clarify: I've granted "Chronicle API Admin" and "Chronicle SOAR Admin" to users and they still receive this error.
Do you have a unified SecOps instance (SOAR and SIEM in the UI) or a standalone SOAR?
Do you use GAIA (Google auth), local SOAR accounts, or another IDP?
What change did you make? If you changed the IDP Group Mapping in SOAR and use a 3rd party IDP, you may be able to work around it by adding whichever group(s) are currently in SOAR as groups in your IDP.
Unified Instance. We use another IDP via Google Workspace. We added groups in the IDP based off what we think the name of the new SOAR Group was, but can't be sure because we can't remember the spelling or syntax. Is there a way to see SOAR Groups without having access to the platform?
If you have an API key for SOAR generated there is an endpoint you can call: /api/external/v1/idp-group-mapping
using: {tenant}.siemplify-soar.com/swagger/index.html
There is a default group called "Chronicle SOAR Admin" that you can add to your IDP if you have not deleted it.
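As an added example (not code from this thread or from Google's own tooling), this script pulls the SOAR IDP group mapping from the endpoint named above and flags IDP groups that differ from the mapped names only by case or whitespace, which is exactly the mismatch that locks everyone out. The `AppKey` header name and the `groupName` key in the response are assumptions, as is the constructed sample mapping.

```python
import json
import urllib.request
from typing import Iterable

# Constructed sample of the mapping response. The thread only names the endpoint;
# the real key names are an assumption, so adapt them to what your tenant returns.
SAMPLE_MAPPING = [
    {"groupName": "Chronicle SOAR Admin", "role": "Admin"},
    {"groupName": "Admin", "role": "Admin"},
    {"groupName": "SOC Analysts", "role": "Analyst"},
]

def fetch_idp_group_mapping(tenant: str, api_key: str) -> list:
    """GET the mapping with an API key that was generated inside SOAR beforehand.
    The 'AppKey' header name is an assumption about the SOAR external API."""
    url = f"https://{tenant}.siemplify-soar.com/api/external/v1/idp-group-mapping"
    req = urllib.request.Request(url, headers={"AppKey": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def normalize(name: str) -> str:
    # Collapse the differences that most often bite: letter case and stray whitespace.
    return " ".join(name.split()).casefold()

def compare_groups(soar_mapping: list, idp_groups: Iterable[str]) -> dict:
    """Classify each SOAR-mapped group as an exact IDP match, a near miss (same name
    apart from case/whitespace, which SOAR still rejects), or missing from the IDP."""
    idp = list(idp_groups)
    idp_exact = set(idp)
    idp_by_norm = {normalize(g): g for g in idp}
    result = {"exact": [], "near_miss": [], "missing": []}
    for entry in soar_mapping:
        soar_name = entry["groupName"]
        if soar_name in idp_exact:
            result["exact"].append(soar_name)
        elif normalize(soar_name) in idp_by_norm:
            result["near_miss"].append((soar_name, idp_by_norm[normalize(soar_name)]))
        else:
            result["missing"].append(soar_name)
    return result

if __name__ == "__main__":
    # Offline run against the constructed sample: one exact match, one near miss, one missing.
    print(compare_groups(SAMPLE_MAPPING, ["Chronicle SOAR Admin", "admin", "Analysts"]))
```

Any entry under `near_miss` is the one to fix in the IDP (or in the SOAR mapping page once you are back in), since a rename to the exact spelling is all that is needed.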
Hi - I tried to set up an API key through GCP Credentials and limited to Chronicle API, but it's giving a 401 error on the swagger website. Assuming I needed to have generated the API key from the SOAR platform when I had access or is there another way to generate one now?
The swagger URL is really interesting. Wasn't aware that it existed. Will likely help in the future if this happens again. Thank you!
Yea it would have needed to be created in SOAR prior.
Are you able to add the "Chronicle SOAR Admin" group to your IDP?
Yeah, added that, but it didn't grant any additional access. Still the 401 error.
The group would be case sensitive in your IDP so would be good to double check that it matches "Chronicle SOAR Admin" exactly. It may be worth checking IAM for the GCP Project as well to ensure that group has the SOAR Admin and Chronicle API Admin roles assigned.
Without an API key to pull the other groups or knowledge of the groups in there, you may have to wait for Support to get back.
Thank you very much for your help! We managed to get support and regained access to our tenant by updating the IDP Mapping page in SOAR. As I'm sure everyone here knows, it needed to match exactly. We did have a pre-built "Admin" IDP group in SOAR, so if others go through this, try creating an "Admin" group in your IDP.
Will definitely be generating an API key as a backup in case this happens again. Thanks!
Happy to hear that you were able to get in! Was the default group in SOAR "Admin" instead of "Chronicle SOAR Admin"?