topic Splunk Enterprise Security: What role or capability is needed to enable the investigations functionality for users? in Splunk Enterprise Security https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-What-role-or-capability-is-needed-to/m-p/201464#M1068 <P>Some users reported that the investigations functionality is not available for them in the Enterprise Security app. What role/capability should I assign to them? </P> Thu, 09 Jun 2016 07:24:26 GMT szabados 2016-06-09T07:24:26Z Splunk Enterprise Security: What role or capability is needed to enable the investigations functionality for users? https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-What-role-or-capability-is-needed-to/m-p/201464#M1068 <P>Some users reported that the investigations functionality is not available for them in the Enterprise Security app. What role/capability should I assign to them? </P> Thu, 09 Jun 2016 07:24:26 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-What-role-or-capability-is-needed-to/m-p/201464#M1068 szabados 2016-06-09T07:24:26Z Re: Splunk Enterprise Security: What role or capability is needed to enable the investigations functionality for users? https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-What-role-or-capability-is-needed-to/m-p/201465#M1069 <P>To create investigations, a user must be an ess_admin or have the <CODE>edit_timeline</CODE> capability. See<BR /> <A href="http://docs.splunk.com/Documentation/ES/4.1.1/Install/ConfigureUsersRoles" target="_blank">http://docs.splunk.com/Documentation/ES/4.1.1/Install/ConfigureUsersRoles</A> to see how to add the capability.</P> <P>If they can see investigations but can't view specific investigations, they would need to be added as a collaborator on that investigation. </P> Tue, 29 Sep 2020 09:54:28 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-What-role-or-capability-is-needed-to/m-p/201465#M1069 smoir_splunk 2020-09-29T09:54:28Z Re: Splunk Enterprise Security: What role or capability is needed to enable the investigations functionality for users? https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-What-role-or-capability-is-needed-to/m-p/645285#M11545 <P>should not be assigning ess_admin role to users. It is a container role which is used just to give additional capabilities and inherited by admin (or sc_admin in splunk cloud) to be used for ES installation and upgrade tasks. It contains no ACLs</P><P><A href="https://docs.splunk.com/Documentation/ES/latest/Install/ConfigureUsersRoles" target="_blank">https://docs.splunk.com/Documentation/ES/latest/Install/ConfigureUsersRoles</A></P> Wed, 31 May 2023 17:34:08 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-What-role-or-capability-is-needed-to/m-p/645285#M11545 tskinner_splunk 2023-05-31T17:34:08Z