Hi All, We have Splunk Security ENT 6.6.2 - EOL, I know! our admins guys are working on upgrading. My Problem. We created 2 new user groups. Team A and Team B We gave Team A - Total access to data in half the indexes. Role restrictions on indexes We gave Team B - Total access to data in the other half the indexes. Role restrictions on indexes The outcome was as expected, Team A can only see data from indexes for their role and likewise for Team B. This is where we have a problem, Both Teams need to user the Incident Review Dashboard and Both teams need to assign notable events to users within their own Team. As Owners. However, they cannot, and the system gives errors. If we take the role restriction off. So both teams can see all Data. Then they can assign notable events. Our internal Splunk admin, say it is a bug in this version and the system needs to be upgraded. My questions, Has anyone experienced similar?  Is there a bug and if so, any reference that can be found on the bug? Are there any workarounds regarding this problem? We have 2 teams that need to use the Incident Review to respond to alerts. However, these teams need to be independent and should not be able to see data within indexes that belongs to the other Team. Thanks for any advise. ... View more