Solved: How to identify where the Splunk roles - authorize...

harshal_chakran · ‎02-07-2022

Hi all,
I have an authorize.conf located in an application, which is usually deployed via Deployer to SH members.
There is also an authorize.conf at our system/local directory ( Created by GUI).

Currently these two files are bit interlinked now.
Example : A role is created at App level ( deployed via deployer) , but some inheritance/reference was added via GUI, hence this entry gets logged in system/local

Is there any way to identify if the role is present in system/local OR in the app??

isoutamo · ‎02-07-2022

If you could log into cmd line or run remotely splunk command on SHC nodes you could use

splunk btool authorize list --debug

to see which version takes precedence. If needed you can try those app and user parameters too.

r. Ismo

View solution in original post

isoutamo · ‎02-07-2022

If you could log into cmd line or run remotely splunk command on SHC nodes you could use

splunk btool authorize list --debug

to see which version takes precedence. If needed you can try those app and user parameters too.

r. Ismo

gcusello · ‎02-07-2022

Hi @harshal_chakran,

you can use btool to have all the active configuractions:

./splunk cmd btool autorize -list --debug

Ciao.

Giuseppe

How to identify where the Splunk roles - authorize.conf is located in an app

other

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!