Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

authorize.conf configuration

d_lim
Path Finder
‎09-22-2020 03:27 AM

Hi there, 

Looking into /opt/splunk/etc/system/local/authorize.conf I saw alot of configurations as below. 

Would like to understand how this came about, and is it of any concern?

transition_reviewstatus-10_to 11 = enabled
transition_reviewstatus-10_to 12 = disabled
transition_reviewstatus-10_to 13 = depreciated
transition_reviewstatus......
transition_reviewstatus......

Searching the internal logs gives this -
index=_internal component=AuthorizationManager

09-22-2020 15:15:25.219 +0800 WARN AuthorizationManager - Capability 'transition_reviewstatus-9_to 8' is not recognized by Splunk. Ignoring...

Labels (2)
Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

rupkumar4sec
Path Finder
‎09-22-2020 06:01 AM

Hello @d_lim , Normally Splunk premium apps like Enterprise security or PCI will have capabilities defined in the format  "transition_reviewstatus-<x>_to_<y>". 

If you are using apps like Enterprise security or PCI and default roles that comes with app, then you may need those configurations in your authorize.conf . But here you mentioned that you found those configurations in system/local, So someone might have used same naming structure to define capabilities. 

Coming to your error, Capability 'transition_reviewstatus-9_to 8' may not be defined. If it not defined any where you can remove that stanza in authorize.conf

View solution in original post

Reply
Solved! Jump to solution

96nick
Communicator
‎09-22-2020 06:04 AM

Those entries appear related to the Splunk App for PCI Compliance. Take a look at the link below and look at 'Edit notable events':

https://docs.splunk.com/Documentation/PCI/4.3.0/Install/ConfigureUsersRoles

 

To sum it up, it's a capability used to transition between different statuses in an investigation.

More info here:

https://docs.splunk.com/Documentation/PCI/4.3.0/User/Investigationstatus

0 Karma
Reply
Solved! Jump to solution
Solution

rupkumar4sec
Path Finder
‎09-22-2020 06:01 AM

Hello @d_lim , Normally Splunk premium apps like Enterprise security or PCI will have capabilities defined in the format  "transition_reviewstatus-<x>_to_<y>". 

If you are using apps like Enterprise security or PCI and default roles that comes with app, then you may need those configurations in your authorize.conf . But here you mentioned that you found those configurations in system/local, So someone might have used same naming structure to define capabilities. 

Coming to your error, Capability 'transition_reviewstatus-9_to 8' may not be defined. If it not defined any where you can remove that stanza in authorize.conf

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...