We are in SplunkCloud with ES 7.0.0
As a user with the sc_admin or ess_admin role when selecting an incident to edit, the drop-down for "Status" gives no matches. All other drop-downs give options as expected.
We've tried enable/disable all statuses, creating new statuses, adding/removing transitions roles for ALL statuses, granting permissions to edit_reviewstatus for additional roles, granting write permissions to kvstore reviewstatuses_lookup, and several other things.
Is there a key thing we are missing to be able to change status on incidents with the ess_admin user?
This turned out to be the sharing permissions on Enterprise Security App was set to "App".
The fix was to change this to "Global".
This turned out to be the sharing permissions on Enterprise Security App was set to "App".
The fix was to change this to "Global".