Add custom roles and manage capabilities in Splunk Enterprise Security

Create a custom role for Splunk Enterprise Security and manage the capabilities assigned to that role. Add a custom role in Splunk Enterprise Security so that you can update access control lists (ACLs) for that role.
Note: If you add capabilities to custom roles or existing roles on the Splunk platform Settings page, you must update the ACLs.
To add custom roles, follow these steps:
  1. In the Splunk platform, go to Settings.
  2. Select Data and then select Data inputs.
  3. Select App Permissions Manager and then select enforce_es_permissions.
  4. In the Managed Roles field, add the new custom roles as a comma-separated list.
  5. Select Save.
The custom roles that you add appear on the Roles and capabilities page of Splunk Enterprise Security within 60 seconds so that you can enable specific ACLs. If you only add role-based capabilities to the role and don't add the ACLs, the ACLs don't get updated. This applies to both custom roles and existing roles such as ess_analyst. For example, if you add the edit_correlationsearches capability to the existing ess_analyst role, an error message is displayed when a user with the ess_analyst role attempts to save edits to a detection, because detections do not have the ess_analyst role included in their "write" ACLs.
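The capability and ACL mismatch described above can be audited offline. The following is an added example, not Splunk's own code: it assumes that saving a detection needs both the edit_correlationsearches capability and membership in the detection's "write" ACL, and it runs on constructed data in which the detection names, the soc_tier1 role and the dictionary layout are all hypothetical.

```python
# Constructed sample data; the dict shapes are a simplified assumption, not a
# Splunk export format. soc_tier1 is a hypothetical custom role.
CAPABILITY = "edit_correlationsearches"
ROLE_CAPABILITIES = {
    "ess_admin": {CAPABILITY},
    "ess_analyst": {CAPABILITY},  # capability added, ACLs never updated
    "soc_tier1": {CAPABILITY},    # custom role, ACL enabled on one detection
    "ess_user": set(),
}
DETECTION_WRITE_ACLS = {
    "Constructed Detection A": ["ess_admin"],
    "Constructed Detection B": ["ess_admin", "soc_tier1", "ess_user"],
}


def in_acl(role, entries):
    """True if the role, or the '*' wildcard, is listed in the ACL entries."""
    return "*" in entries or role in entries


def can_save(role, detection, roles=ROLE_CAPABILITIES, acls=DETECTION_WRITE_ACLS):
    """Assumed model: a save needs the capability AND write-ACL membership."""
    return CAPABILITY in roles.get(role, set()) and in_acl(role, acls[detection])


def audit(roles=ROLE_CAPABILITIES, acls=DETECTION_WRITE_ACLS):
    """Return (capability_only, acl_only) lists of (role, detection) pairs."""
    capability_only, acl_only = [], []
    for detection, write_roles in sorted(acls.items()):
        for role, caps in sorted(roles.items()):
            has_cap = CAPABILITY in caps
            listed = in_acl(role, write_roles)
            if has_cap and not listed:    # the failing-save case from the text
                capability_only.append((role, detection))
            elif listed and not has_cap:  # ACL grants write, capability missing
                acl_only.append((role, detection))
    return capability_only, acl_only


if __name__ == "__main__":
    cap_only, acl_only = audit()
    for role, det in cap_only:
        print(f"{role}: has {CAPABILITY} but is not in the write ACL of {det!r}")
    for role, det in acl_only:
        print(f"{role}: in the write ACL of {det!r} but lacks {CAPABILITY}")
```

Each capability_only pair is a role that needs its ACLs enabled on the Roles and capabilities page before its users can save edits to that detection.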