Conversation

Contributor

@nastasha-solomon nastasha-solomon commented Dec 17, 2025

⚠️ DO NOT MERGE until dev PR is merged ⚠️

Summary

Fixes https://github.com/elastic/docs-content-internal/issues/598 by doing the following:

  • Updated the privs for managing exceptions in the detection requirements priv table.
  • Clarified privs needed to access regular exceptions in 9.4/Serverless. Added a new section for this info, plus details about privs needed for accessing endpoint exceptions.

Generative AI disclosure

  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?
  • Yes
  • No

@github-actions
Contributor

github-actions bot commented Dec 17, 2025

Vale Linting Results

Summary: 1 suggestion found

💡 Suggestions (1)
| File | Line | Rule | Message |
| --- | --- | --- | --- |
| solutions/security/detect-and-alert/add-manage-exceptions.md | 65 | Elastic.Capitalization | 'exceptions requirements' should use sentence-style capitalization. |

:::
:::{applies-item} { "stack": "ga 9.4", "serverless": "ga" }
Contributor Author

Note to self: Might need to remove the reference to a future-future stack version before merging. Need to check on this.

Suggested change
:::{applies-item} { "stack": "ga 9.4", "serverless": "ga" }
:::{applies-item} { "serverless": "ga" }

Member

Interesting. Should be fine? The table with "planned" headings looks good in preview.

| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature<br><br>**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:<br><br>- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.<br>- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.<br> |
| Manage alerts<br><br>**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.internal.alerts-security.alerts-<space-id>-*`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br> **NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature <br><br>**NOTE:** Alerts are managed through {{es}} index privileges. To view the alert management flows requires at least the `Read` for the `Rules` feature. |
| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature |
| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3`: `All` for the `Rules` feature <br><br> - {applies_to}`stack: ga 9.4` {applies_to}`serverless: ga`: `Read` for the `Rules, Alerts, and Exceptions ` feature and `All` for the `Exceptions` subfeature |
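Review bot: the new "Manage exceptions" row carries a trailing space inside the backticked feature name, "Rules, Alerts, and Exceptions " (space before the closing backtick), which renders inside the code span; it should read "Rules, Alerts, and Exceptions" with no trailing space. The 9.4 bullet is also the only place in the table that names the "Exceptions" subfeature, so it is worth confirming that the feature and subfeature labels match the names shown in the Kibana role editor for that version.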
Contributor Author

Same comment as above.

Suggested change
| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3`: `All` for the `Rules` feature <br><br> - {applies_to}`stack: ga 9.4` {applies_to}`serverless: ga`: `Read` for the `Rules, Alerts, and Exceptions ` feature and `All` for the `Exceptions` subfeature |
| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3`: `All` for the `Rules` feature <br><br> - applies_to}`serverless: ga`: `Read` for the `Rules, Alerts, and Exceptions ` feature and `All` for the `Exceptions` subfeature |
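Review bot: the suggested replacement drops the opening brace of the directive in the last bullet; it reads "- applies_to}`serverless: ga`" where the other bullets use "{applies_to}`...`", so the role won't render as a badge. Restore the brace to "{applies_to}`serverless: ga`". The trailing space in the code span "Rules, Alerts, and Exceptions " is also carried over from the original line and should be removed in the same suggestion.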

@nastasha-solomon nastasha-solomon marked this pull request as ready for review December 19, 2025 20:17
@nastasha-solomon nastasha-solomon requested a review from a team as a code owner December 19, 2025 20:17