Hello Joe,
Usually I create several roles in order to manage segregation of duties:
- one role to technically manage the tool (server administration), but with no access to policies or incidents.
- one role to manage accounts and roles (unfortunately we cannot split that with the existing DLP privileges).
- one role to manage policies (create/update/delete). You cannot split these policy privileges. Since v14.0 you can create a dedicated role to review policies, with only a read privilege on all policies. You can also split this role into several based on policy groups, so you may have some people working on network policies and some others on endpoint policies...
- several to manage incidents, depending on the incident assessment workflow designed with my customer. You can introduce several segregations at this level based on incident originator attributes, incident type (network, endpoint, ...), etc. The main thing is that I usually give the right to delete incidents to very few roles.
It is very important to have this kind of segregation in your role definition. Check that you will have enough people working on DLP, because if not, in the end a few users will combine several roles.
Regards
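The closing warning in the post above, that a small team ends up stacking roles on the same people, can be checked against an export of user-to-role assignments. The following is an added example and not part of the original post or of the DLP product: the role names, duty labels, conflict pairs and sample users are all constructed assumptions.

```python
from itertools import combinations

# Role and duty names are constructed labels, not Symantec DLP privilege names.
ROLE_DUTIES = {
    "server_admin":      {"platform"},
    "account_admin":     {"accounts"},
    "policy_author":     {"policy_write"},
    "policy_reviewer":   {"policy_read"},
    "incident_network":  {"incident_handle"},
    "incident_endpoint": {"incident_handle"},
    "incident_lead":     {"incident_handle", "incident_delete"},
}

# Assumed rule set: duty pairs that one person should not hold together.
CONFLICTS = {frozenset(p) for p in [
    ("platform", "policy_write"), ("platform", "policy_read"),
    ("platform", "incident_handle"), ("platform", "incident_delete"),
    ("accounts", "platform"), ("accounts", "policy_write"),
    ("accounts", "incident_handle"), ("accounts", "incident_delete"),
    ("policy_write", "incident_handle"), ("policy_write", "incident_delete"),
]}

def duties_of(roles):
    """Union of duties granted by a user's roles; unknown roles raise KeyError."""
    return set().union(*(ROLE_DUTIES[r] for r in roles))

def sod_violations(assignments):
    """Map each user to the sorted conflicting duty pairs they hold."""
    report = {}
    for user, roles in assignments.items():
        held = sorted(duties_of(roles))
        pairs = [p for p in combinations(held, 2) if frozenset(p) in CONFLICTS]
        if pairs:
            report[user] = pairs
    return report

def delete_holders(assignments):
    """Users able to delete incidents; the post keeps this set small."""
    return sorted(u for u, r in assignments.items()
                  if "incident_delete" in duties_of(r))

# Constructed sample: a small team where people have started to stack roles.
SAMPLE = {
    "alice": ["server_admin"],
    "bob":   ["policy_author", "incident_network"],
    "carol": ["policy_reviewer", "incident_endpoint"],
    "dave":  ["account_admin", "incident_lead"],
}
```

The read-only reviewer role is deliberately allowed alongside incident handling here; tighten `CONFLICTS` if your workflow treats that combination as a conflict too.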