Best practices for assigning permissions in team-based queues

Follow these practices to get the most out of team-based queue access control.

Using role-based access control with role inheritance

When using role inheritance for custom roles, it's generally a best practice to assign queue permissions to the custom role, and not the inherited role. Assigning the permissions to the custom role makes it clearer that the role itself, and not the inherited capabilities, has granted access. For example, if you create a role called custom_analyst_role, and inherit the capabilities from ess_analyst, assign the queue permissions to custom_analyst_role when you're managing role-based access in Splunk Enterprise Security team-based queues.
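
An added example, not taken from the Splunk documentation: a Python check that flags queue permissions assigned to a role that other roles inherit from, following importRoles chains in authorize.conf. The conf content, the queue names, custom_tier2_role and the queue-to-role mapping are constructed for illustration; the page does not show how queue permissions are stored, so that structure is an assumption.

```python
import configparser

# Constructed authorize.conf content; ess_analyst and custom_analyst_role come from the page.
AUTHORIZE_CONF = """
[role_ess_analyst]
importRoles = user
[role_custom_analyst_role]
importRoles = ess_analyst
[role_custom_tier2_role]
importRoles = custom_analyst_role
"""

# Hypothetical export of queue grants (queue -> roles holding the permission).
# The storage format is an assumption; adapt the loader to your own export.
QUEUE_GRANTS = {
    "phishing_queue": ["ess_analyst"],
    "insider_threat_queue": ["custom_tier2_role"],
}

def parse_imports(conf_text):
    """Return {role: set of directly imported roles} from authorize.conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case, e.g. importRoles
    parser.read_string(conf_text)
    imports = {}
    for section in parser.sections():
        if section.startswith("role_"):
            raw = parser.get(section, "importRoles", fallback="")
            imports[section[len("role_"):]] = {r.strip() for r in raw.split(";") if r.strip()}
    return imports

def ancestors(role, imports, seen=None):
    """All roles inherited by `role`, following importRoles transitively."""
    seen = set() if seen is None else seen
    for parent in imports.get(role, ()):
        if parent not in seen:  # also guards against import cycles
            seen.add(parent)
            ancestors(parent, imports, seen)
    return seen

def grants_on_inherited_roles(imports, queue_grants):
    """Map (queue, granted_role) -> sorted roles that inherit from granted_role."""
    findings = {}
    for queue, roles in queue_grants.items():
        for granted in roles:
            heirs = sorted(r for r in imports if granted in ancestors(r, imports))
            if heirs:
                findings[(queue, granted)] = heirs
    return findings
```

Each finding names a queue whose permission sits on an inherited role, together with the custom roles that are candidates to hold the permission directly instead.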