Roles
This page lists the roles in Alert Manager Enterprise (AME) and the capabilities each role has. The tables below group the capabilities by area.
Application
Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
---|---|---|---|---|
AME configuration (license, logging, proxy) | ✅ | ❌ | ❌ | ❌ |
AME setup | ✅ | ❌ | ❌ | ❌ |
AME update tasks | ✅ | ✅ | ❌ | ❌ |
App installation | ✅ | ❌ | ❌ | ❌ |
App update | ✅ | ❌ | ❌ | ❌ |
Events
Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
---|---|---|---|---|
Add and view comments on existing events | ✅ | ✅ | ✅ | ✅ |
Assign a user to an event | ✅ | ✅ | ✅ | ❌ |
Delete events | ✅ | ✅ | ❌ | ❌ |
Edit multiple events at the same time | ✅ | ✅ | ✅ | ❌ |
Filter events by tag | ✅ | ✅ | ✅ | ✅ |
Filter events by time range | ✅ | ✅ | ✅ | ✅ |
Invoke Splunk Workflow Actions | ✅ | ✅ | ✅ | ✅ |
Modify events | ✅ | ✅ | ✅ | ❌ |
Search events by priority | ✅ | ✅ | ✅ | ✅ |
Start the search that created the event | ✅ | ✅ | ✅ | ❌ |
Tag an event with MITRE ATT&CK or Cyber Kill Chain | ✅ | ✅ | ✅ | ❌ |
Update the notification scheme | ✅ | ✅ | ✅ | ❌ |
Update the status of an event | ✅ | ✅ | ✅ | ❌ |
Update the urgency of an event | ✅ | ✅ | ✅ | ❌ |
View events | ✅ | ✅ | ✅ | ✅ |
View the count, history, and result fields | ✅ | ✅ | ✅ | ✅ |
Templates
Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
---|---|---|---|---|
Apply template on alert action | ✅ | ✅ | ✅ | ✅ |
Create template | ✅ | ✅ | ✅ | ❌ |
Delete template | ✅ | ✅ | ✅ | ❌ |
Update template | ✅ | ✅ | ✅ | ❌ |
Rules
Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
---|---|---|---|---|
Delete status | ✅ | ✅ | ✅ | ❌ |
Set conditions for automatic event resolution | ✅ | ✅ | ✅ | ❌ |
Set rules to suppress event alerts | ✅ | ✅ | ✅ | ❌ |
Set time restrictions for rules | ✅ | ✅ | ✅ | ❌ |
Tags
Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
---|---|---|---|---|
Create tags | ✅ | ✅ | ✅ | ❌ |
Delete tags | ✅ | ✅ | ✅ | ❌ |
Update predefined MITRE ATT&CK© tags | ✅ | ✅ | ✅ | ❌ |
Update tags | ✅ | ✅ | ✅ | ❌ |
Tenants
Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
---|---|---|---|---|
Configuration templates available | ✅ | ✅ | ❌ | ❌ |
Create tenants | ✅ | ✅ | ❌ | ❌ |
Delete tenants | ✅ | ✅ | ❌ | ❌ |
Initialize tenants with event collection and roles | ✅ | ❌ | ❌ | ❌ |
Test HEC Connectivity | ✅ | ✅ | ❌ | ❌ |
Notifications
Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
---|---|---|---|---|
Assign a status to an event that will trigger notifications | ✅ | ✅ | ✅ | ❌ |
Configure notifications on status change | ✅ | ✅ | ❌ | ❌ |
Update and delete a notification scheme | ✅ | ✅ | ❌ | ❌ |
Statuses
Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
---|---|---|---|---|
Create statuses | ✅ | ✅ | ❌ | ❌ |
Delete statuses | ✅ | ✅ | ❌ | ❌ |
Set description for statuses | ✅ | ✅ | ❌ | ❌ |
Update statuses | ✅ | ✅ | ❌ | ❌ |
Resolutions
Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
---|---|---|---|---|
Create resolution | ✅ | ✅ | ❌ | ❌ |
Delete resolution | ✅ | ✅ | ❌ | ❌ |
Set description for resolutions | ✅ | ✅ | ❌ | ❌ |
Update resolution | ✅ | ✅ | ❌ | ❌ |
SLAs
Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
---|---|---|---|---|
Create SLA | ✅ | ✅ | ❌ | ❌ |
Delete SLA | ✅ | ✅ | ❌ | ❌ |
Update SLA | ✅ | ✅ | ❌ | ❌ |