Splunk Enterprise Security

Cloned Role

dspencer
Path Finder

Hello,

I created a new role that is the same as ess_analyst but it doesn't have any inheritance, all the capabilities are native. My new role can't see investigations and my research hasn't given me any answers.

All the permissions I can think of are wide open, is there anything I'm missing or is it required to inherit from a default role?

1 Solution

dspencer
Path Finder

Thanks everyone for the advice, I've decided to inherit ess_analyst to make life easier.

livehybrid
SplunkTrust

Hi @dspencer 

Have you added the new role with permissions to the relevant ES apps and lookups etc? The capabilities themselves aren’t enough, they need permission to the knowledge objects too. 
You might find that having your custom role inherit the original role would work better?

See this other post for more info: https://community.splunk.com/t5/Splunk-Enterprise-Security/Custom-Role-on-ES/m-p/751853#M12626


dspencer
Path Finder

Thanks for the response.

I've tried to add my role to 'data inputs' -> 'app manager' -> 'enforce_es_permissions', but that just gives me an error.

Do you have or know of specific documentation of how to set role permissions of a search head cluster?


lmaclean
Path Finder

For a search head cluster, it replicates changes that you make via the GUI, CLI or REST calls. So, for example if you created the role in the GUI that would have been pushed out to the rest of the cluster and then as per the documentation you updated the ACLs via the "enforce_es_permissions" the ES portion is sorted but this is just the capabilities of what a user can do and not the permissions of what they can access...

Now you will either need to edit each App/Add-on/Knowledge Object manually in the GUI to allow the permissions, or you can create a local.meta in each App/Add-on on the Deployer and do it for the entire App/Add-on or specific types of knowledge objects within or specific knowledge objects themselves (not recommended from a deployer).

Ref:

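The local.meta approach lmaclean describes, and the capabilities-versus-knowledge-object distinction livehybrid raises, written out as an added example. This is not from the original thread, from Splunk's documentation, or from the ES app itself; the role name `ess_custom_analyst`, the app name and the saved search name are assumed placeholders, and the other role names shown are whatever roles already hold access in your environment.

```ini
; Added example, not from the thread. File lives on the deployer at
; $SPLUNK_HOME/etc/shcluster/apps/<app>/metadata/local.meta
; (assumed placeholders: role ess_custom_analyst, app SplunkEnterpriseSecuritySuite).
;
; Capabilities in authorize.conf control what a role may DO; these ACL stanzas
; control which knowledge objects the role may SEE. A cloned role with every
; capability but no ACL entry still sees nothing.
;
; Caution: an "access" line REPLACES the read/write lists from default.meta,
; it does not append. Keep the roles that already had access in the list or
; you will lock them out when the bundle is pushed.

; Whole app: every object the app exports becomes readable by the role.
[]
access = read : [ admin, ess_admin, ess_analyst, ess_custom_analyst ], write : [ admin, ess_admin ]

; Per object type: lookups and saved searches only (the ES views depend on
; lookup tables being readable, so this is the narrowest cut that usually works).
[lookups]
access = read : [ admin, ess_admin, ess_analyst, ess_custom_analyst ], write : [ admin, ess_admin ]

[savedsearches]
access = read : [ admin, ess_admin, ess_analyst, ess_custom_analyst ], write : [ admin, ess_admin ]

; Single object: stanza is <type>/<name> with spaces URL-encoded as %20.
; Constructed name; the thread advises against managing individual objects
; from the deployer, so prefer the GUI for one-offs like this.
[savedsearches/Example%20Correlation%20Search]
access = read : [ admin, ess_admin, ess_custom_analyst ], write : [ admin, ess_admin ]
```

Push it from the deployer with `splunk apply shcluster-bundle -target https://<member>:8089 -auth admin:<password>`, then verify by logging in as a test user that holds only the new role and opening the views that were blank before. Two checks beyond what the thread covers: `export` is deliberately left unset above so the app keeps whatever scope default.meta already declares, and a role that cannot search the ES indexes (the allowed-indexes setting on the role in authorize.conf) will still see empty investigation and notable views even with every ACL correct.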