Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

authorize.conf configuration

d_lim
Path Finder
‎09-22-2020 03:27 AM

Hi there, 

Looking into /opt/splunk/etc/system/local/authorize.conf I saw alot of configurations as below. 

Would like to understand how this came about, and is it of any concern?

transition_reviewstatus-10_to 11 = enabled
transition_reviewstatus-10_to 12 = disabled
transition_reviewstatus-10_to 13 = depreciated
transition_reviewstatus......
transition_reviewstatus......

Searching the internal logs gives this -
index=_internal component=AuthorizationManager

09-22-2020 15:15:25.219 +0800 WARN AuthorizationManager - Capability 'transition_reviewstatus-9_to 8' is not recognized by Splunk. Ignoring...

Labels (2)
Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

rupkumar4sec
Path Finder
‎09-22-2020 06:01 AM

Hello @d_lim , Normally Splunk premium apps like Enterprise security or PCI will have capabilities defined in the format  "transition_reviewstatus-<x>_to_<y>". 

If you are using apps like Enterprise security or PCI and default roles that comes with app, then you may need those configurations in your authorize.conf . But here you mentioned that you found those configurations in system/local, So someone might have used same naming structure to define capabilities. 

Coming to your error, Capability 'transition_reviewstatus-9_to 8' may not be defined. If it not defined any where you can remove that stanza in authorize.conf

View solution in original post

Reply
Solved! Jump to solution

96nick
Communicator
‎09-22-2020 06:04 AM

Those entries appear related to the Splunk App for PCI Compliance. Take a look at the link below and look at 'Edit notable events':

https://docs.splunk.com/Documentation/PCI/4.3.0/Install/ConfigureUsersRoles

 

To sum it up, it's a capability used to transition between different statuses in an investigation.

More info here:

https://docs.splunk.com/Documentation/PCI/4.3.0/User/Investigationstatus

0 Karma
Reply
Solved! Jump to solution
Solution

rupkumar4sec
Path Finder
‎09-22-2020 06:01 AM

Hello @d_lim , Normally Splunk premium apps like Enterprise security or PCI will have capabilities defined in the format  "transition_reviewstatus-<x>_to_<y>". 

If you are using apps like Enterprise security or PCI and default roles that comes with app, then you may need those configurations in your authorize.conf . But here you mentioned that you found those configurations in system/local, So someone might have used same naming structure to define capabilities. 

Coming to your error, Capability 'transition_reviewstatus-9_to 8' may not be defined. If it not defined any where you can remove that stanza in authorize.conf

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...