The Aggregation role is a service user role intended only for aggregation of data. It has the minimum role permissions required to do aggregation:
The Aggregation role is available only on Security Analytics 10.5 services and it can be used for an aggregation account. Members of this role or service users with these permissions can perform aggregation on Decoders, Concentrators, Archivers, and Brokers. The aggregate permission allows service users to perform aggregation of sessions and metadata along with raw packets and logs.
You can still use the decoder.manage, concentrator.manage, and archiver.manage permissions, but the Aggregation role permissions allow aggregation only and prevent the other available operations.
You access the service roles from the Administration > Services (select a service) > Actions > View > Security > Roles tab.
The following figure shows the permissions in the Aggregation role.