Thanks maraman, i have did that but still i am getting these message "Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."
could please suggest me any other way to do this..

Hi,

I had the same problem and from what I understand the explanation is as follow :
- ES used to have to change right to authorize.conf but the way it was done was not ideal.
- ES 4.7 migrate the old configuration to a new config which remove the original need.
- the migration script has no way to know that the changes to authorize.conf where done by ES -> don't touch them as they could be legitimate otherwise.
- ES permission checks detect the too open permission and warm about

So the current solution would be to manually go on each app in metadata/local.meta , look for authorize.conf stanza and remove non admin right on it as appropriate to your env.

Hope that helps.

The Splunk has introduced number of new roles with latest ES (4.7 and above ) version. The warning is thrown to make user aware of these changes so that he/she can reconfigure access control if required.

You can refer http://docs.splunk.com/Documentation/ES/4.7.0/Install/ConfigureUsersRoles for more information.