Modify analyst permissions within Episode Review in ITSI

By default, ITSI service-level permissions apply to episodes in Episode Review. This means that analysts can only see events from services for which they have read permission. If an event is not associated with a particular service (none of the fields in the event contains service information) then all users can view the event.

You can disable service-level permissions for Episode Review using the itsi_team.conf file.

Prerequisites

• Only users with file system access, such as system administrators, can disable service-level permissions for Episode Review.
• Review the steps in How to edit a configuration file in the Admin Manual.

Steps

1. Open or create an itsi_team.conf file at $SPLUNK_HOME/etc/apps/SA-ITOA/local.
2. Under the [notable_event_review_security_group] stanza, set disabled to 1

If teams are disabled for Episode Review, all ITSI users can see all notable events, regardless of which service they are associated with. However, service information for services that a user does not have read access to are not displayed for notable events. For information about teams, see Overview of teams in ITSI.

Configure read and write permissions on a saved view of Episode Review to restrict permissions for certain roles. By default, read and write permissions are granted to Everyone (all roles) for a newly created view of Episode Review.

Prerequisites

You must have the itoa_admin or itoa_team_admin role, or be assigned the configure_perms capability, to set permissions on a saved Episode Review. For more information, see Configure users and roles in ITSI.

Steps

1. Within Episode Review, click the side arrow to show alternate views.
   
2. Click Full Lister Page.
3. On the Episode Review lister page, locate the saved view you want to edit and click Edit > Permissions.
4. Allow or prevent analysts from reading or writing to the saved Episode Review. Everyone is granted read/write access by default.
5. Click Save.