topic Re: Cloned Role in Splunk Enterprise Security

Cloned Role

dspencer — Thu, 09 Apr 2026 13:38:35 GMT

Hello,

I created a new role that is the same as ess_analyst but it doesn't have any inheritance, all the capabilities are native. My new role can't see investigations and my research hasn't given me any answers.

All the permissions I can think of are wide open, is there anything I'm missing or is it required to inherit from a default role?

Re: Cloned Role

livehybrid — Thu, 09 Apr 2026 18:39:40 GMT

Hi @dspencer

Have you added the new role with permissions to the relevant ES apps and lookups etc? The capabilities themselves aren’t enough, they need permission to the knowledge objects too.
you might find that inheriting the original role with your custom role would work better?

see this other post for more info https://community.splunk.com/t5/Splunk-Enterprise-Security/Custom-Role-on-ES/m-p/751853#M12626

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful

Marking it as the solution if it resolved your issue

Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

Re: Cloned Role

dspencer — Thu, 09 Apr 2026 19:51:28 GMT

Thanks for the response.

I've tried to add my role to the 'data inputs -> 'app manager' -> 'enforce_es_permissions", but that just gives me an error.

Do you have or know of specific documentation of how to set role permissions of a search head cluster?

Re: Cloned Role

lmaclean — Thu, 09 Apr 2026 23:22:36 GMT

For a search head cluster, it replicates changes that you make via the GUI, CLI or REST calls. So, for example if you created the role in the GUI that would have been pushed out to the rest of the cluster and then as per the documentation you updated the ACLs via the "enforce_es_permissions" the ES portion is sorted but this is just the capabilities of what a user can do and not the permissions of what they can access...

Now you will either need to edit each App/Add-on/Knowledge Object manually in the GUI to allow the permissions, or you can create a local.meta in each App/Add-on on the Deployer and do it for the entire App/Add-on or specific types of knowledge objects within or specific knowledge objects themselves (not recommended from a deployer).

Ref:

Re: Cloned Role

dspencer — Fri, 10 Apr 2026 18:01:13 GMT

Thanks everyone for the advise, I've decided to inherit ess_analyst to make life easier.