Some users reported that the investigations functionality is not available for them in the Enterprise Security app. What role/capability should I assign to them?
To create investigations, a user must be an ess_admin or have the edit_timeline capability. See
http://docs.splunk.com/Documentation/ES/4.1.1/Install/ConfigureUsersRoles to see how to add the capability.
If they can see investigations but can't view specific investigations, they would need to be added as a collaborator on that investigation.