Roles
The roles and their capabilities in Alert Manager Enterprise are displayed in the table below.
| Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
|---|---|---|---|---|
| Application | ||||
| App installation | ✅ | ❌ | ❌ | ❌ |
| App update | ✅ | ❌ | ❌ | ❌ |
| AME setup | ✅ | ❌ | ❌ | ❌ |
| AME update tasks | ✅ | ✅ | ❌ | ❌ |
| AME configuration (license, logging, proxy) | ✅ | ❌ | ❌ | ❌ |
| Events | ||||
| View events | ✅ | ✅ | ✅ | ✅ |
| Add and view comments to existing events | ✅ | ✅ | ✅ | ✅ |
| View the count, history and result fields | ✅ | ✅ | ✅ | ✅ |
| Filter events by time range | ✅ | ✅ | ✅ | ✅ |
| Filter events by tag | ✅ | ✅ | ✅ | ✅ |
| Search events by priority | ✅ | ✅ | ✅ | ✅ |
| Invoke Splunk Workflow Actions | ✅ | ✅ | ✅ | ✅ |
| Modify events | ✅ | ✅ | ✅ | ❌ |
| Assign a user to an event | ✅ | ✅ | ✅ | ❌ |
| Update the notification scheme | ✅ | ✅ | ✅ | ❌ |
| Update the status of an event | ✅ | ✅ | ✅ | ❌ |
| Update the urgency of an event | ✅ | ✅ | ✅ | ❌ |
| Edit multiple events at the same time | ✅ | ✅ | ✅ | ❌ |
| Update the status of an event | ✅ | ✅ | ✅ | ❌ |
| Tag an event with MITRE ATT&CK or CYBER kill-chain | ✅ | ✅ | ✅ | ❌ |
| Start the search that created the event | ✅ | ✅ | ✅ | ❌ |
| Delete events | ✅ | ✅ | ❌ | ❌ |
| Templates | ||||
| Apply template on alert action | ✅ | ✅ | ✅ | ✅ |
| Create template | ✅ | ✅ | ✅ | ❌ |
| Update template | ✅ | ✅ | ✅ | ❌ |
| Delete template | ✅ | ✅ | ✅ | ❌ |
| Rules | ||||
| Set rules to suppress alerts concerning an event | ✅ | ✅ | ✅ | ❌ |
| Set conditions for an event to become automatically resolved | ✅ | ✅ | �✅ | ❌ |
| Delete status | ✅ | ✅ | ✅ | ❌ |
| Set time restrictions for rules to be applied | ✅ | ✅ | ✅ | ❌ |
| Tags | ||||
| Create tags | ✅ | ✅ | ✅ | ❌ |
| Update tags | ✅ | ✅ | ✅ | ❌ |
| Delete tags | ✅ | ✅ | ✅ | ❌ |
| Update predefined MITRE ATT&CK© tags | ✅ | ✅ | ✅ | ❌ |
| Tenants | ||||
| Create tenants | ✅ | ✅ | ❌ | ❌ |
| Configuration templates available | ✅ | ✅ | ❌ | ❌ |
| Delete uninitialized tenants | ✅ | ✅ | ❌ | ❌ |
| Test HEC Connectivity | ✅ | ✅ | ❌ | ❌ |
| Initialize tenants with the corresponding event collection and roles | ✅ | ❌ | ❌ | ❌ |
| Delete initialized tenants | ✅ | ❌ | ❌ | ❌ |
| Notifications | ||||
| Assign a status to an event that will trigger the notifications specified in the events notification scheme | ✅ | ✅ | ✅ | ❌ |
| Configure notifications on status change | ✅ | ✅ | ❌ | ❌ |
| Statuses | ||||
| Create statuses | ✅ | ✅ | ❌ | ❌ |
| Update statuses | ✅ | ✅ | ❌ | ❌ |
| Delete statuses | ✅ | ✅ | ❌ | ❌ |
| Set description for statuses | ✅ | ✅ | ��❌ | ❌ |
| Resolutions | ||||
| Create resolution | ✅ | ✅ | ❌ | ❌ |
| Update resolution | ✅ | ✅ | ❌ | ❌ |
| Delete resolution | ✅ | ✅ | ❌ | ❌ |
| Set description for resolutions | ✅ | ✅ | ❌ | ❌ |