Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where do I change the capabilities for a role in a search head cluster?

a212830
Champion
‎08-03-2016 11:15 AM

Hi,

In a search head cluster, if I need to change the capabilities in a role, where should I do it?

0 Karma
Reply

ddrillic
Ultra Champion
‎08-03-2016 12:25 PM

An elaborate discussion about it at Search Head Cluster: How to manage new roles between Search Head Cluster Members?

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎08-04-2016 07:10 AM

Also, I think on 6.4 the role and user definitions became replicable. In prior releases changes to those items may not have replicated to other search head cluster members. Also, I thought I remember something about that config needing to live in system/local while in a SHC. If things look like they aren't working, try making the change in the UI and seeing where splunk throws that config? Spitballing here.

0 Karma
Reply

somesoni2
Revered Legend
‎08-03-2016 11:32 AM

Depends upon how you're configuring your authorization.conf. If you're deploying it through Deployer server (SHC deployer), then you would need to update the role definition/authorize.conf there. If you're managing the authorize.conf directly on the SH, then either, update the role definition from Splunk Web UI from any one Search Head (it will get replicated to others), OR update the authorize.conf file on ALL search heads (updating file system directly doesn't trigger replication).

0 Karma
Reply

a212830
Champion
‎08-03-2016 11:41 AM

I have an authorize.conf pushed by the deployer, but it doesn't have anything listing capabilities.

0 Karma
Reply

somesoni2
Revered Legend
‎08-03-2016 11:49 AM

That means, right now you're using the default capability list for your roles (Or in other words, using the default roles) as defined in your Search Head at $Splunk_Home/etc/system/default/authorize.conf. So, to override/update this, just add something like this in your authorize.conf available on Deployer.

[role_roleNameYouWantToUpdate]
capabilityName = enabled

See the authorize.conf specification here https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/authorizeconf#.5Brole_.3CroleName.3E.5D

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...