Splunk Enterprise Security

Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."

10306629
New Member

"Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible. Learn more"

The above is the warning message I am getting after I updated Splunk ES to 4.7.2. Could someone advise what needs to be done here?


vicky05ssr04
Engager

Hello maraman, I have the same problem too; the solution provided seems very appropriate. The trouble is that I can see the roles admin and ess_analyst tagged to most of the users. What are the things that still need to be checked, and how? Please let me know.


10306629
New Member

Thanks maraman, I have done that but I am still getting this message: "Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."
Could you please suggest any other way to do this?


maraman_splunk
Splunk Employee

Hi,

I had the same problem, and from what I understand the explanation is as follows:
- ES used to have to change rights on authorize.conf, but the way it was done was not ideal.
- ES 4.7 migrates the old configuration to a new config, which removes the original need.
- The migration script has no way to know that the changes to authorize.conf were done by ES -> it doesn't touch them, as they could be legitimate otherwise.
- The ES permission checks detect the too-open permissions and warn about them.

So the current solution would be to manually go into each app's metadata/local.meta, look for the authorize.conf stanza, and remove non-admin rights on it as appropriate to your environment.

Hope that helps.

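The manual procedure in maraman's reply, as an added example that is not part of the thread and not a Splunk tool: a Python script that scans each app's metadata/local.meta, picks out the stanzas for authorize.conf and reports every role other than admin that has read or write access. It assumes the stanza names [authorize] and [authorize/<name>] and the `access = read : [ ... ], write : [ ... ]` line format, the admin-only allow-list is a choice for this example, and the sample .meta content is constructed; check all three against your own metadata files before editing anything.

```python
"""Audit Splunk app metadata for over-permissive access to authorize.conf.

Added example for this thread, not Splunk's own code. Assumptions:
- metadata stanzas for authorize.conf are named [authorize] or [authorize/<stanza>]
- access lines look like: access = read : [ * ], write : [ admin, power ]
- only 'admin' should keep read/write access (tune ALLOWED_ROLES for your environment)
"""
import re
from pathlib import Path

STANZA_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
ACCESS_RE = re.compile(r"^\s*access\s*=\s*(.*)$")
ROLE_LIST_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")

# Roles allowed to keep access to authorize.conf (assumption made for this example).
ALLOWED_ROLES = {"admin"}


def parse_meta(text):
    """Parse .meta text into {stanza_name: {"access": value}} (only 'access' is kept)."""
    stanzas = {}
    current = None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1).strip()
            stanzas.setdefault(current, {})
            continue
        if current is None:
            continue
        m = ACCESS_RE.match(line)
        if m:
            stanzas[current]["access"] = m.group(1).strip()
    return stanzas


def parse_access(value):
    """Turn 'read : [ * ], write : [ admin, power ]' into {'read': [...], 'write': [...]}."""
    acl = {"read": [], "write": []}
    for kind, roles in ROLE_LIST_RE.findall(value):
        acl[kind] = [r.strip() for r in roles.split(",") if r.strip()]
    return acl


def is_authorize_stanza(name):
    """Assumed naming: [authorize] for the whole file, [authorize/<stanza>] per stanza."""
    return name == "authorize" or name.startswith("authorize/")


def audit_meta(app, text):
    """Return (app, stanza, perm, roles) for each authorize stanza granting non-admin access."""
    findings = []
    for name, keys in parse_meta(text).items():
        if not is_authorize_stanza(name):
            continue
        acl = parse_access(keys.get("access", ""))
        for perm in ("write", "read"):
            extra = [r for r in acl[perm] if r not in ALLOWED_ROLES]
            if extra:
                findings.append((app, name, perm, extra))
    return findings


def audit_splunk_home(splunk_home):
    """Walk $SPLUNK_HOME/etc/apps/*/metadata/local.meta and collect findings."""
    findings = []
    for meta in Path(splunk_home).glob("etc/apps/*/metadata/local.meta"):
        app = meta.parent.parent.name
        findings.extend(audit_meta(app, meta.read_text(errors="replace")))
    return findings


# Constructed sample local.meta for demonstration, not taken from a real deployment.
SAMPLE_META = """\
[views/dashboard]
access = read : [ * ], write : [ admin, power ]
owner = admin

[authorize]
access = read : [ *, ess_analyst ], write : [ admin, ess_analyst, power ]
owner = admin

[authorize/role_ess_user]
access = read : [ admin ], write : [ admin ]
"""

if __name__ == "__main__":
    for app, stanza, perm, roles in audit_meta("SampleApp", SAMPLE_META):
        print(f"{app}: [{stanza}] grants {perm} to non-admin roles: {', '.join(roles)}")
```

Run it as-is to see the sample findings, or call `audit_splunk_home("/opt/splunk")` on a host to list the real stanzas to edit. The fix itself is still manual: trim the offending role from the read or write list in that app's local.meta (leaving the [views/...] and other stanzas alone), restart or debug/refresh, and re-check. Since the warning is reported by a search peer, run the audit on the peers as well as the search head.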

hardikJsheth
Motivator

Splunk has introduced a number of new roles with the latest ES version (4.7 and above). The warning is thrown to make users aware of these changes so that they can reconfigure access control if required.

You can refer http://docs.splunk.com/Documentation/ES/4.7.0/Install/ConfigureUsersRoles for more information.
