From e2b7fd4f65efb1488ca4aeb9ad04974fe47b51fd Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 25 Apr 2024 14:47:04 -0400
Subject: [PATCH 1/2] rbac
---
 rbac/permissions | 27 ++++++++---------
 rbac/roles | 30 ++++++++++---------
 .../modules/elastic/elasticdetectionstore.go | 14 ++++-----
 3 files changed, 36 insertions(+), 35 deletions(-)
diff --git a/rbac/permissions b/rbac/permissions
index 8869dc27..41a27b76 100644
--- a/rbac/permissions
+++ b/rbac/permissions
@@ -12,11 +12,13 @@ cases/read: case-monitor
 cases/write: case-admin
 config/read: config-monitor
 config/write: config-admin
+detections/read: detection-monitor
+detections/write: detection-admin
 events/read: event-monitor
 events/write: event-admin
 events/ack: event-admin
-grid/read: grid-monitor
-grid/write: grid-admin
+grid/read: grid-monitor
+grid/write: grid-admin
 jobs/read: job-monitor
 jobs/pivot: job-user
 jobs/write: job-admin
@@ -29,20 +31,17 @@ roles/write: user-admin
 users/read: user-monitor
 users/write: user-admin
 users/delete: user-admin
-detection/read: agent
-detection/write: agent
-detection/read: event-monitor
-detection/write: event-admin
 # Define low-level permission set inheritence relationships
 # Syntax => roleB: roleA
 # Explanation => roleA inherits all of roleB's permissions
-case-monitor: case-admin
-config-monitor: config-admin
-event-monitor: event-admin
-grid-monitor: grid-admin
-job-monitor: job-admin
-job-user: job-admin
-node-monitor: node-admin
-user-monitor: user-admin
+case-monitor: case-admin
+config-monitor: config-admin
+detection-monitor: detection-admin
+event-monitor: event-admin
+grid-monitor: grid-admin
+job-monitor: job-admin
+job-user: job-admin
+node-monitor: node-admin
+user-monitor: user-admin
diff --git a/rbac/roles b/rbac/roles
index fac0f76c..d61a6e8e 100644
--- a/rbac/roles
+++ b/rbac/roles
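Review bot: The authorization key is renamed from `detection/*` (removed in the `@@ -29,20 +31,17 @@` hunk) to `detections/*` (added in `@@ -12,11 +12,13 @@`), and the only Go file updated in this patch is elasticdetectionstore.go; any other caller still passing `"detection"` to CheckAuthorized would now be evaluated against a key that no longer exists in this file, and what CheckAuthorized does for an undefined permission is not visible here. It is worth confirming that an undefined key denies rather than grants, and grepping the server tree for the old literal before merging. A short comment next to the new keys would make the rename discoverable, e.g. `# detections/* replaces the former detection/* keys; code must pass "detections" to CheckAuthorized`. The `grid/read` and `grid/write` lines in the first hunk appear to be whitespace-only changes.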
@@ -8,17 +8,19 @@
 # Syntax => roleX: roleY roleZ
 # Explanation => roleY and roleZ are granted permissions of roleX
-case-monitor: auditor limited-auditor
-case-admin: analyst limited-analyst superuser
-config-admin: superuser
-event-admin: analyst limited-analyst superuser
-event-monitor: auditor limited-auditor
-grid-admin: superuser
-node-admin: agent
-node-monitor: analyst limited-analyst auditor limited-auditor superuser
-user-admin: superuser
-user-monitor: analyst auditor
-job-admin: analyst superuser
-job-user: limited-analyst
-job-monitor: auditor
-job-processor: agent
+case-monitor: auditor limited-auditor
+case-admin: analyst limited-analyst superuser
+config-admin: superuser
+detection-monitor: auditor limited-auditor
+detection-admin: agent analyst superuser
+event-admin: analyst limited-analyst superuser
+event-monitor: auditor limited-auditor
+grid-admin: superuser
+node-admin: agent
+node-monitor: analyst limited-analyst auditor limited-auditor superuser
+user-admin: superuser
+user-monitor: analyst auditor
+job-admin: analyst superuser
+job-user: limited-analyst
+job-monitor: auditor
+job-processor: agent
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 0539a43c..e6762515 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -166,7 +166,7 @@ func (store *ElasticDetectionstore) validateDetection(detect *model.Detection) e
 }
 func (store *ElasticDetectionstore) save(ctx context.Context, obj interface{}, kind string, id string) (*model.EventIndexResults, error) {
- if err := store.server.CheckAuthorized(ctx, "write", "detection"); err != nil {
+ if err := store.server.CheckAuthorized(ctx, "write", "detections"); err != nil {
 return nil, err
 }
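Review bot: `+detection-admin: agent analyst superuser` drops `limited-analyst` from detection write access: before this series that role reached `detection/write` through `event-admin: analyst limited-analyst superuser` (both lines visible in the removed side of the permissions hunk and this hunk), and the follow-up commit (`@@ -11,7 +11,7 @@` in PATCH 2/2) adds `limited-analyst` only to `detection-monitor`, so the net effect is a narrowing from write to read for that role. If that is intended it deserves a comment in the roles file, e.g. `# limited-analyst may view detections but not change them`; if not, `limited-analyst` belongs on the `detection-admin` line. The `agent` role keeps detection write via `detection-admin`, which matches the removed direct `detection/write: agent` grant.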
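Review bot: The resource name `"detections"` is now a hand-typed literal at seven CheckAuthorized call sites (this hunk and the hunks at `@@ -198`, `@@ -265`, `@@ -285`, `@@ -332`, `@@ -410` and `@@ -524`), which is exactly how the `detection`/`detections` mismatch this commit repairs can recur on the next edit. A single package-level constant removes that risk, e.g. `const detectionsPermission = "detections"` and `if err := store.server.CheckAuthorized(ctx, "write", detectionsPermission); err != nil {`, with the same substitution at the other six sites. The body of `save` continues outside the hunk.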
@@ -198,7 +198,7 @@ func (store *ElasticDetectionstore) save(ctx context.Context, obj interface{}, k
 func (store *ElasticDetectionstore) Index(ctx context.Context, index string, document map[string]interface{}, id string) (*model.EventIndexResults, error) {
 results := model.NewEventIndexResults()
- err := store.server.CheckAuthorized(ctx, "write", "detection")
+ err := store.server.CheckAuthorized(ctx, "write", "detections")
 if err != nil {
 return results, err
 }
@@ -265,7 +265,7 @@ func (store *ElasticDetectionstore) deleteDocument(ctx context.Context, index st
 }
 func (store *ElasticDetectionstore) get(ctx context.Context, id string, kind string) (interface{}, error) {
- err := store.server.CheckAuthorized(ctx, "read", "detection")
+ err := store.server.CheckAuthorized(ctx, "read", "detections")
 if err != nil {
 return nil, err
 }
@@ -285,7 +285,7 @@ func (store *ElasticDetectionstore) get(ctx context.Context, id string, kind str
 }
 func (store *ElasticDetectionstore) getAll(ctx context.Context, query string, max int) ([]interface{}, error) {
- err := store.server.CheckAuthorized(ctx, "read", "detection")
+ err := store.server.CheckAuthorized(ctx, "read", "detections")
 if err != nil {
 return nil, err
 }
@@ -332,7 +332,7 @@ func (store *ElasticDetectionstore) getAll(ctx context.Context, query string, ma
 func (store *ElasticDetectionstore) Query(ctx context.Context, query string, max int) ([]interface{}, error) {
 var objects []interface{}
- err := store.server.CheckAuthorized(ctx, "read", "detection")
+ err := store.server.CheckAuthorized(ctx, "read", "detections")
 if err != nil {
 return nil, err
 }
@@ -410,7 +410,7 @@ func (store *ElasticDetectionstore) Query(ctx context.Context, query string, max
 }
 func (store *ElasticDetectionstore) DetectionSearch(ctx context.Context, criteria *model.EventSearchCriteria) (*model.EventSearchResults, error) {
- err := store.server.CheckAuthorized(ctx, "read", "detection")
+ err := store.server.CheckAuthorized(ctx, "read", "detections")
 if err != nil {
 return nil, err
 }
@@ -524,7 +524,7 @@ func (store *ElasticDetectionstore) UpdateDetection(ctx context.Context, detect
 }
 func (store *ElasticDetectionstore) UpdateDetectionField(ctx context.Context, id string, fields map[string]interface{}) (*model.Detection, error) {
- err := store.server.CheckAuthorized(ctx, "write", "detection")
+ err := store.server.CheckAuthorized(ctx, "write", "detections")
 if err != nil {
 return nil, err
 }
From d66f4f4a07f7c604d968752c1052f7110e8d42c1 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 25 Apr 2024 14:49:40 -0400
Subject: [PATCH 2/2] add missing role
---
 rbac/roles | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rbac/roles b/rbac/roles
index d61a6e8e..0b729d17 100644
--- a/rbac/roles
+++ b/rbac/roles
@@ -11,7 +11,7 @@
 case-monitor: auditor limited-auditor
 case-admin: analyst limited-analyst superuser
 config-admin: superuser
-detection-monitor: auditor limited-auditor
+detection-monitor: limited-analyst auditor limited-auditor
 detection-admin: agent analyst superuser
 event-admin: analyst limited-analyst superuser
 event-monitor: auditor limited-auditor