Splunk® IT Service Intelligence

Event Analytics Manual

Modify analyst permissions within Episode Review in ITSI

As a Splunk IT Service Intelligence (ITSI) administrator, you can customize the way analysts view and interact with events and episodes in Episode Review.

Modify which events analysts can see

By default, ITSI service-level permissions apply to episodes in Episode Review. This means that analysts can only see events from services for which they have read permission. If an event is not associated with a particular service (none of the fields in the event contains service information) then all users can view the event.

You can disable service-level permissions for Episode Review using the itsi_team.conf file.


  • Only users with file system access, such as system administrators, can disable service-level permissions for Episode Review.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.


  1. Open or create an itsi_team.conf file at $SPLUNK_HOME/etc/apps/SA-ITOA/local.
  2. Under the [notable_event_review_security_group] stanza, set disabled to 1

If teams are disabled for Episode Review, all ITSI users can see all notable events, regardless of which service they are associated with. However, service information for services that a user does not have read access to are not displayed for notable events. For information about teams, see Overview of teams in ITSI.

Configure read/write permissions

Configure read and write permissions on a saved view of Episode Review to restrict permissions for certain roles. By default, read and write permissions are granted to Everyone (all roles) for a newly created view of Episode Review.


You must have the itoa_admin or itoa_team_admin role, or be assigned the configure_perms capability, to set permissions on a saved Episode Review. For more information, see Configure users and roles in ITSI.


  1. Within Episode Review, click the side arrow to show alternate views.
  2. Click Full Lister Page.
  3. On the Episode Review lister page, locate the saved view you want to edit and click Edit > Permissions.
  4. Allow or prevent analysts from reading or writing to the saved Episode Review. Everyone is granted read/write access by default.
  5. Click Save.
Last modified on 28 April, 2023
Customize Episode Review in ITSI   Customize episode statuses in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters