Hi,
In a search head cluster, if I need to change the capabilities in a role, where should I do it?
An elaborate discussion about it at Search Head Cluster: How to manage new roles between Search Head Cluster Members?
Also, I think on 6.4 the role and user definitions became replicable. In prior releases changes to those items may not have replicated to other search head cluster members. Also, I thought I remember something about that config needing to live in system/local while in a SHC. If things look like they aren't working, try making the change in the UI and seeing where splunk throws that config? Spitballing here.
Depends upon how you're configuring your authorization.conf. If you're deploying it through Deployer server (SHC deployer), then you would need to update the role definition/authorize.conf there. If you're managing the authorize.conf directly on the SH, then either, update the role definition from Splunk Web UI from any one Search Head (it will get replicated to others), OR update the authorize.conf file on ALL search heads (updating file system directly doesn't trigger replication).
I have an authorize.conf pushed by the deployer, but it doesn't have anything listing capabilities.
That means, right now you're using the default capability list for your roles (Or in other words, using the default roles) as defined in your Search Head at $Splunk_Home/etc/system/default/authorize.conf. So, to override/update this, just add something like this in your authorize.conf available on Deployer.
[role_roleNameYouWantToUpdate]
capabilityName = enabled
See the authorize.conf specification here https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/authorizeconf#.5Brole_.3CroleName.3E.5D