I'm trying to understand why the ess_admin role is present when it should not be assigned to users?
Well, ess_user maps to the Splunk power user, which is why ess_admin should not be assigned to users: it's an administrative role which can edit the whole layout of ES and change permissions. It's basically the same reason you don't want a user to become admin by default.
Shouldn't the ess_admin role be assigned to any users, as suggested by Splunk? Why?
Oh sorry, I missed your comment. Yes, of course you can assign it. The definition of "user" here is simply someone using Splunk non-administratively. So basically, you want the one who keeps updating and improving the system to be the only one who is ess_admin. The wording is a little confusing here; it sometimes is in the Splunk world. 🙂
There's another query. I've removed the ess_admin role from the users. I don't know why I'm still getting these messages:
"Health Check: Review roles for unnecessary read or write access to the "investigation_event" collection and remove access if possible"
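The health check above is about which roles hold read or write access on the investigation_event KV store collection, not about which users hold ess_admin. One way to see that from the file system, as an added example that is not from this thread or from Splunk, is to parse the `access` line of the collection's stanza in the app's metadata/local.meta or default.meta. The sample metadata text, the `EXPECTED_ROLES` allowlist and the helper names below are constructed for the example.

```python
"""Audit KV store collection ACLs in a Splunk metadata file (local.meta / default.meta).

Added example, not from the thread or from Splunk. It assumes the standard
metadata stanza format, where a stanza such as [collections/investigation_event]
carries an "access" key of the form
    access = read : [ role1, role2 ], write : [ role3 ]
and "*" means every role. The sample file below is constructed.
"""
import re
from collections import OrderedDict

# Constructed sample: investigation_event is readable by every role and
# writable by two admin-type roles plus one that should not be there.
SAMPLE_META = """\
[collections/investigation_event]
owner = nobody
access = read : [ * ], write : [ admin, ess_admin, power ]
export = system

[collections/some_other_collection]
access = read : [ admin, ess_admin ], write : [ admin ]
"""

# Roles the reviewer decides to keep; anything else is reported.
# This allowlist is an assumption for the example, not Splunk guidance.
EXPECTED_ROLES = {"admin", "ess_admin"}

_ACL_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_meta(text):
    """Return {stanza_name: {key: value}} for a metadata file."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_access(value):
    """Turn 'read : [ a, b ], write : [ c ]' into {'read': {...}, 'write': {...}}."""
    perms = {"read": set(), "write": set()}
    for kind, body in _ACL_RE.findall(value):
        perms[kind] = {r.strip() for r in body.split(",") if r.strip()}
    return perms


def collection_acls(text):
    """Map collection name -> parsed read/write role sets."""
    result = {}
    for name, keys in parse_meta(text).items():
        if name.startswith("collections/") and "access" in keys:
            result[name.split("/", 1)[1]] = parse_access(keys["access"])
    return result


def find_excess(text, collection, expected=EXPECTED_ROLES):
    """Roles with read or write access to `collection` outside `expected`.

    A wildcard '*' is always reported because it grants every role access.
    Returns None when the collection has no access stanza in this file.
    """
    acl = collection_acls(text).get(collection)
    if acl is None:
        return None
    return {kind: sorted(roles - expected) for kind, roles in acl.items()}


if __name__ == "__main__":
    for kind, roles in find_excess(SAMPLE_META, "investigation_event").items():
        print(f"{kind}: {roles or 'ok'}")
```

Note that Splunk merges default.meta and local.meta, with local.meta taking precedence, so run this over the local.meta of whichever app defines the collection, and fall back to default.meta only when local.meta has no stanza for it. A `*` in the read list is exactly the kind of thing the health check keeps flagging even after the ess_admin role has been taken away from users.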
There are usually 3 roles in a SIEM:
admin (ess_admin) = person who enables/modifies features (threatlists, notables, incidents), adds apps, etc.
author (ess_admin) = person who creates/updates saved searches and dashboards to adjust to new threats.
analyst (ess_user) = person who does the actual threat hunting; responds to alerts/notables, runs many ad-hoc searches.