Deployment Architecture

authorize.conf configuration

d_lim
Path Finder

Hi there, 

Looking into /opt/splunk/etc/system/local/authorize.conf I saw alot of configurations as below. 

Would like to understand how this came about, and is it of any concern?

transition_reviewstatus-10_to 11 = enabled
transition_reviewstatus-10_to 12 = disabled
transition_reviewstatus-10_to 13 = depreciated
transition_reviewstatus......
transition_reviewstatus......

Searching the internal logs gives this -
index=_internal component=AuthorizationManager

09-22-2020 15:15:25.219 +0800 WARN AuthorizationManager - Capability 'transition_reviewstatus-9_to 8' is not recognized by Splunk. Ignoring...

Labels (2)
Tags (1)
1 Solution

rupkumar4sec
Path Finder

Hello @d_lim , Normally Splunk premium apps like Enterprise security or PCI will have capabilities defined in the format  "transition_reviewstatus-<x>_to_<y>". 

If you are using apps like Enterprise security or PCI and default roles that comes with app, then you may need those configurations in your authorize.conf . But here you mentioned that you found those configurations in system/local, So someone might have used same naming structure to define capabilities. 

Coming to your error, Capability 'transition_reviewstatus-9_to 8' may not be defined. If it not defined any where you can remove that stanza in authorize.conf

View solution in original post

96nick
Communicator

Those entries appear related to the Splunk App for PCI Compliance. Take a look at the link below and look at 'Edit notable events':

https://docs.splunk.com/Documentation/PCI/4.3.0/Install/ConfigureUsersRoles

 

To sum it up, it's a capability used to transition between different statuses in an investigation.

More info here:

https://docs.splunk.com/Documentation/PCI/4.3.0/User/Investigationstatus

0 Karma

rupkumar4sec
Path Finder

Hello @d_lim , Normally Splunk premium apps like Enterprise security or PCI will have capabilities defined in the format  "transition_reviewstatus-<x>_to_<y>". 

If you are using apps like Enterprise security or PCI and default roles that comes with app, then you may need those configurations in your authorize.conf . But here you mentioned that you found those configurations in system/local, So someone might have used same naming structure to define capabilities. 

Coming to your error, Capability 'transition_reviewstatus-9_to 8' may not be defined. If it not defined any where you can remove that stanza in authorize.conf

Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...