Permissions for team-based queues

In Splunk Enterprise Security, team-based queues are how security operations center (SOC) teams organize and act on findings and investigations. Access to these queues is governed by permissions assigned to roles within your organization.

Queue permissions define what a role can do within a specific queue. This gives administrators precise control over each team's capabilities, matching the queue's purpose to the actions that team is authorized to complete.

This document explains what each permission does, how permissions interact with each other, and how they determine which queues a user sees.

By assigning specific permissions to roles, administrators ensure that:

  • Analysts can work effectively within their assigned queue without accidentally or intentionally modifying items that belong to another team.
  • Escalation paths are clearly defined: a finding moves to the next queue only through an authorized action by a user with the right permissions.
  • Sensitive or high-priority queues can be restricted to senior analysts or administrators, while broader queues remain accessible to all tiers.

Admins assign permissions per queue, per role, so a role can hold different permissions in different queues. For example, a role might have update access in its primary team queue but only read access in a queue it monitors without owning.

Note: The read permission is a prerequisite for the update permission: a user cannot modify items in a queue they are not permitted to see. The create, delete, and execute permissions can be assigned independently of read, although in practice most roles that act on a queue also hold the read permission.

The following permissions can be assigned to a role for each queue:

Permission | What it allows | Needs read permission as prerequisite? | Supported?
Create | Creating new items in the queue, such as manual findings or investigations. Moving an item to a new queue also requires the create permission in the destination queue. | No | Yes
Read | Viewing items in the queue, including findings and investigations, along with related notes, files, and response plans. | N/A | Yes
Update | Modifying items in the queue: editing fields, changing status or disposition, moving items between queues, adding findings to investigations, and managing notes, files, and response plans. | Yes | Yes
Delete | Deleting items in the queue, such as findings and investigations. Deleting findings and investigations is not supported yet; notes, files, and response plans can still be removed with the update permission. | No | No
Execute | Running response actions on items in the queue. Does not apply to Splunk SOAR actions or playbooks. The ping, nbtstats, and nslookup response actions cannot be run with the execute permission. | No | Yes
Note: Create is the only permission that allows a user to add new items to a queue, and it does not require read. However, a user with only create access does not see the queue on the Mission Control page and cannot view or interact with items already in it. In most cases, create and read are assigned together.
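The following Python model is an added example of how the rules above compose, not Splunk Enterprise Security's own code. It models the read prerequisite for update, the two-queue check for moving an item (update in the source queue plus create in the destination), the unsupported delete, and the response actions excluded from execute. The role names, queue names, and the "isolate_host" response action are constructed for the example.

```python
# Added illustrative model of the per-queue, per-role permission rules on this
# page. Example code, not Splunk Enterprise Security's implementation. Role
# names, queue names and the "isolate_host" response action are constructed.

PERMISSIONS = frozenset({"create", "read", "update", "delete", "execute"})

# Response actions the page says cannot be run with the execute permission
# (names as the page lists them).
EXECUTE_EXCLUDED = frozenset({"ping", "nbtstats", "nslookup"})

# Constructed sample grants: role -> queue -> permissions assigned in the UI.
GRANTS = {
    "tier1_analyst": {
        "triage": {"create", "read", "update", "execute"},
        "incident_response": {"read"},            # monitors, does not own
    },
    "tier2_analyst": {
        "triage": {"read", "update"},
        "incident_response": {"create", "read", "update", "execute"},
    },
    "contractor": {
        "triage": {"create", "update"},           # misconfigured: no read
    },
}


def effective_permissions(role, queue, grants=GRANTS):
    """Return the permissions that actually take effect for role in queue."""
    assigned = set(grants.get(role, {}).get(queue, set()))
    unknown = assigned - PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions {sorted(unknown)}")
    effective = set(assigned)
    # Read is a prerequisite for update: update without read is ineffective.
    if "read" not in effective:
        effective.discard("update")
    # Deleting findings and investigations is not supported yet.
    effective.discard("delete")
    return effective


def visible_queues(role, grants=GRANTS):
    """Queues the role sees on the Mission Control page: those with read."""
    return sorted(q for q in grants.get(role, {})
                  if "read" in effective_permissions(role, q, grants))


def is_allowed(role, action, queue, destination=None, response_action=None,
               grants=GRANTS):
    """Decide whether role may perform action on an item in queue.

    action is one of: create, view, update, delete, move, execute.
    move needs update in the source queue and create in the destination.
    execute needs the execute permission and a response action that is not
    on the excluded list.
    """
    perms = effective_permissions(role, queue, grants)
    if action == "create":
        return "create" in perms          # does not require read
    if action == "view":
        return "read" in perms
    if action == "update":
        return "update" in perms
    if action == "delete":
        return "delete" in perms          # always False: not supported yet
    if action == "move":
        if destination is None:
            raise ValueError("move requires a destination queue")
        dest_perms = effective_permissions(role, destination, grants)
        return "update" in perms and "create" in dest_perms
    if action == "execute":
        if response_action is None:
            raise ValueError("execute requires a response action name")
        return "execute" in perms and response_action not in EXECUTE_EXCLUDED
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    # Tier 1 can work the triage queue but cannot escalate into
    # incident_response, because it lacks create there.
    print(is_allowed("tier1_analyst", "move", "triage",
                     destination="incident_response"))
    print(is_allowed("tier2_analyst", "move", "triage",
                     destination="incident_response"))
    print(visible_queues("contractor"))
```

The "contractor" role shows the misconfiguration the note above warns about: with create and update but no read, only create takes effect, and the queue does not appear in the role's visible queues at all. Use the move check to verify an escalation path before relying on it: the source queue needs update and the destination needs create, so granting only one side leaves the path closed.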

Manage role-based access for a queue

Follow these steps to choose which roles can access a queue and define exactly what each role is allowed to do:

  1. In Splunk Enterprise Security, select Configure and then Findings and investigations.

  2. Select the Manage queues page.

  3. Expand the queue you want to edit.

  4. Select the Roles tab.

  5. Select Edit.

  6. Select Show advanced configuration options if it is not already selected.

  7. Select the check boxes for the roles you want to grant access to.

  8. Select the check boxes for the more granular permissions you want to assign.

  9. Select Save.