should not be assigning ess_admin role to users. It is a container role which is used just to give additional capabilities and inherited by admin (or sc_admin in splunk cloud) to be used for ES installation and upgrade tasks. It contains no ACLs https://docs.splunk.com/Documentation/ES/latest/Install/ConfigureUsersRoles
... View more