Splunk Enterprise Security

Custom Role on ES

akai
Explorer

Hello,

I have created a custom role and assigned the same permissions as ess_user, including adding it to the enforce_es_permissions setting. But for whatever reason the user doesn't see any notables on Mission Control (I get a "Search did not return any findings or investigations" message). The user also has access to the notable index and can see the events there when doing a normal search.

If I assign the ess_user role to the same user, the Mission Control panel gets populated.

Running on Splunk Cloud.

Anything I am missing or tips for debugging permission issues?

Thanks!

1 Solution

PrewinThomas
Motivator

@akai 

Instead of cloning, try role inheritance; ess_user permissions may not be sufficient for Mission Control. Also make sure the relevant mc_* capabilities are available for the new role.

Refer to the link below for creating a role in Mission Control.
https://help.splunk.com/en/splunk-enterprise-security-7/mission-control/investigate-and-respond-to-t...


Note: There might be some delay before your changes reflect in Mission Control.

Regards,
Prewin

livehybrid
SplunkTrust

Hi @akai 

As well as the new role having the capabilities from ess_user, you will also need to ensure it has permissions to see the relevant lookups, indexes and other knowledge objects, which are managed within the app contexts, not within the role itself.

Have you added your new custom role to the read permissions of the ES lookups and other knowledge objects such as the lookup definitions and macros?


akai
Explorer

Hey @livehybrid

Thank you for the quick response!

As far as I can see, the permissions on lookups and knowledge objects owned by ES are shared globally with Read all, so I assume at least being able to get the notables populated in Mission Control should be happening. As I mentioned, searching in the notable index does return data (the role also has access to index=*).

Anything specific I could check here? I am not sure if anything shows up in the internal indexes, regarding errors or whatnot.

EDIT: I would also add that I attempted to clone ess_user, but that did not change the result.

akai
Explorer

Hello @PrewinThomas,

I went ahead and set the inheritance for ess_user, and now I can see the notables on Mission Control with a user with the custom role. Unfortunately, this doesn't fix the root issue, which I think is more in line with what @livehybrid mentioned, because even granting additional permission to own notables, I still get errors when assigning the notables.

I would rather not inherit ess_analyst because it has permissions that I do not want to grant to this role.


akai
Explorer

After changing some more permissions and also changing the status transitions permissions (which took me forever to figure out I needed to do), everything seems to be working when inheriting the ess_user role, which is fine by me. I'm still not sure why this is necessary, but I can live with it for now.
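
An added example, not part of any post in this thread and not Splunk code: an offline check of the two points raised above (capabilities, and read permissions on knowledge objects) for a cloned role versus a role that inherits ess_user. The `imported_roles` and `capabilities` fields mirror the role records from `/services/authorization/roles`. The role names other than ess_user and ess_analyst, the capability and object names, and the rule that a read ACL also matches inherited role names are assumptions made for illustration.

```python
# Added example: compare a custom role against ess_user offline.
# Role records mirror fields returned by /services/authorization/roles;
# all sample names and values below are constructed for illustration.

def effective_roles(name, roles, seen=None):
    """Return the role plus every role it inherits, transitively."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return seen
    seen.add(name)
    for parent in roles[name].get("imported_roles", []):
        effective_roles(parent, roles, seen)
    return seen

def effective_capabilities(name, roles):
    """Union of capabilities granted directly or through inheritance."""
    caps = set()
    for r in effective_roles(name, roles):
        caps.update(roles[r].get("capabilities", []))
    return caps

def can_read(name, roles, read_acl):
    """Assumption: a read ACL matches '*' or any effective role name."""
    return "*" in read_acl or bool(effective_roles(name, roles) & set(read_acl))

def gaps(candidate, reference, roles, objects):
    """Capabilities and readable objects the reference has but the candidate lacks."""
    missing = effective_capabilities(reference, roles) - effective_capabilities(candidate, roles)
    unreadable = [o for o, acl in objects.items()
                  if can_read(reference, roles, acl) and not can_read(candidate, roles, acl)]
    return sorted(missing), sorted(unreadable)

# Constructed sample data (placeholder capability and object names).
ROLES = {
    "user": {"imported_roles": [], "capabilities": ["cap_search"]},
    "ess_user": {"imported_roles": ["user"], "capabilities": ["cap_view_findings"]},
    "custom_clone": {"imported_roles": [], "capabilities": ["cap_search", "cap_view_findings"]},
    "custom_inherit": {"imported_roles": ["ess_user"], "capabilities": []},
}
OBJECTS = {
    "lookup_shared_globally": ["*"],
    "macro_limited_to_es_roles": ["ess_user", "ess_analyst"],
}

if __name__ == "__main__":
    for role in ("custom_clone", "custom_inherit"):
        print(role, gaps(role, "ess_user", ROLES, OBJECTS))
```

With this sample data the cloned role has no capability gap but cannot read the object whose ACL names ess_user, while the inheriting role has no gap at all.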
