Deployment Architecture

authorize.conf configuration

d_lim
Path Finder

Hi there, 

Looking into /opt/splunk/etc/system/local/authorize.conf I saw alot of configurations as below. 

Would like to understand how this came about, and is it of any concern?

transition_reviewstatus-10_to 11 = enabled
transition_reviewstatus-10_to 12 = disabled
transition_reviewstatus-10_to 13 = depreciated
transition_reviewstatus......
transition_reviewstatus......

Searching the internal logs gives this -
index=_internal component=AuthorizationManager

09-22-2020 15:15:25.219 +0800 WARN AuthorizationManager - Capability 'transition_reviewstatus-9_to 8' is not recognized by Splunk. Ignoring...

Labels (2)
Tags (1)
1 Solution

rupkumar4sec
Path Finder

Hello @d_lim , Normally Splunk premium apps like Enterprise security or PCI will have capabilities defined in the format  "transition_reviewstatus-<x>_to_<y>". 

If you are using apps like Enterprise security or PCI and default roles that comes with app, then you may need those configurations in your authorize.conf . But here you mentioned that you found those configurations in system/local, So someone might have used same naming structure to define capabilities. 

Coming to your error, Capability 'transition_reviewstatus-9_to 8' may not be defined. If it not defined any where you can remove that stanza in authorize.conf

View solution in original post

96nick
Communicator

Those entries appear related to the Splunk App for PCI Compliance. Take a look at the link below and look at 'Edit notable events':

https://docs.splunk.com/Documentation/PCI/4.3.0/Install/ConfigureUsersRoles

 

To sum it up, it's a capability used to transition between different statuses in an investigation.

More info here:

https://docs.splunk.com/Documentation/PCI/4.3.0/User/Investigationstatus

0 Karma

rupkumar4sec
Path Finder

Hello @d_lim , Normally Splunk premium apps like Enterprise security or PCI will have capabilities defined in the format  "transition_reviewstatus-<x>_to_<y>". 

If you are using apps like Enterprise security or PCI and default roles that comes with app, then you may need those configurations in your authorize.conf . But here you mentioned that you found those configurations in system/local, So someone might have used same naming structure to define capabilities. 

Coming to your error, Capability 'transition_reviewstatus-9_to 8' may not be defined. If it not defined any where you can remove that stanza in authorize.conf

Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...