diff --git a/packages/kbn-es/src/serverless_resources/security_roles.json b/packages/kbn-es/src/serverless_resources/security_roles.json
index 8a2b6187d2a65..c02151ae8e2a3 100644
--- a/packages/kbn-es/src/serverless_resources/security_roles.json
+++ b/packages/kbn-es/src/serverless_resources/security_roles.json
@@ -1,11 +1,117 @@
 {
+ "viewer": {
+ "name": "viewer",
+ "elasticsearch": {
+ "cluster": [],
+ "indices": [
+ {
+ "names": [".lists-*", ".siem-signals-*", ".items-*"],
+ "privileges": ["read", "view_index_metadata"]
+ },
+ {
+ "names": [".alerts*", ".preview.alerts*", ".internal.alerts-security.alerts-*"],
+ "privileges": ["read", "view_index_metadata"]
+ },
+ {
+ "names": [
+ "apm-*-transaction*",
+ "traces-apm*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "logs-*",
+ "packetbeat-*",
+ "winlogbeat-*",
+ "metrics-endpoint.metadata_current_*",
+ ".fleet-agents*",
+ ".fleet-actions*",
+ "risk-score.risk-score-*"
+ ],
+ "privileges": ["read"]
+ }
+ ],
+ "run_as": []
+ },
+ "kibana": [
+ {
+ "feature": {
+ "ml": ["read"],
+ "siem": ["read", "read_alerts", "endpoint_list_read"],
+ "securitySolutionAssistant": ["all"],
+ "securitySolutionCases": ["read"],
+ "actions": ["read"],
+ "builtInAlerts": ["read"],
+ "osquery":["read"],
+ "discover": ["all"],
+ "dashboard": ["all"],
+ "canvas": ["all"],
+ "graph": ["all"],
+ "maps": ["all"],
+ "visualize": ["all"]
+ },
+ "spaces": ["*"],
+ "base": []
+ }
+ ]
+ },
+ "editor": {
+ "name": "editor",
+ "elasticsearch": {
+ "cluster": [],
+ "indices": [
+ {
+ "names": [".lists-*", ".siem-signals-*", ".items-*"],
+ "privileges": ["read", "view_index_metadata", "write", "maintenance"]
+ },
+ {
+ "names": [".alerts*", ".preview.alerts*", ".internal.alerts*", "risk-score.risk-score-*"],
+ "privileges": ["read", "view_index_metadata", "write", "maintenance"]
+ },
+ {
+ "names": [
+ "apm-*-transaction*",
+ "traces-apm*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "logs-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "privileges": ["read", "write"]
+ }
+ ],
+ "run_as": []
+ },
+ "kibana": [
+ {
+ "feature": {
+ "ml": ["read"],
+ "siem": ["all", "read_alerts", "crud_alerts", "endpoint_list_all", "trusted_applications_all", "event_filters_all", "host_isolation_exceptions_all", "blocklist_all", "policy_management_read", "host_isolation_all", "process_operations_all", "actions_log_management_all", "file_operations_all"],
+ "securitySolutionAssistant": ["all"],
+ "securitySolutionCases": ["all"],
+ "actions": ["read"],
+ "builtInAlerts": ["all"],
+ "osquery":["all"],
+ "discover": ["all"],
+ "dashboard": ["all"],
+ "canvas": ["all"],
+ "graph": ["all"],
+ "maps": ["all"],
+ "visualize": ["all"]
+ },
+ "spaces": ["*"],
+ "base": []
+ }
+ ]
+ },
 "t1_analyst": {
 "name": "t1_analyst",
 "elasticsearch": {
 "cluster": [],
 "indices": [
 {
- "names": [".alerts-security*", ".siem-signals-*"],
+ "names": [".alerts-security*", ".siem-signals-*", ".internal.alerts-security.alerts-*"],
 "privileges": ["read", "write", "maintenance"]
 },
 {
@@ -56,7 +162,7 @@
 "cluster": [],
 "indices": [
 {
- "names": [".alerts-security*", ".siem-signals-*"],
+ "names": [".alerts-security*", ".siem-signals-*", ".internal.alerts-security.alerts-*"],
 "privileges": ["read", "write", "maintenance"]
 },
 {
@@ -122,7 +228,7 @@
 "privileges": ["read", "write"]
 },
 {
- "names": [".alerts-security*", ".siem-signals-*"],
+ "names": [".alerts-security*", ".siem-signals-*", ".internal.alerts-security.alerts-*"],
 "privileges": ["read", "write"]
 },
 {
@@ -178,7 +284,7 @@
 "cluster": [],
 "indices":[
 {
- "names": [".alerts-security*", ".siem-signals-*"],
+ "names": [".alerts-security*", ".siem-signals-*", ".internal.alerts-security.alerts-*"],
 "privileges": ["read", "write", "maintenance"]
 },
 {
@@ -252,6 +358,7 @@
 "names": [
 ".alerts-security*",
 ".preview.alerts-security*",
+ ".internal.alerts-security.alerts-*",
 ".internal.preview.alerts-security*",
 ".siem-signals-*"
 ],
@@ -316,6 +423,7 @@
 "names": [
 ".alerts-security*",
 ".preview.alerts-security*",
+ ".internal.alerts-security.alerts-*",
 ".internal.preview.alerts-security*",
 ".siem-signals-*"
 ],
@@ -361,6 +469,7 @@
 ".alerts-security*",
 ".preview.alerts-security*",
 ".internal.preview.alerts-security*",
+ ".internal.alerts-security.alerts-*",
 ".lists*",
 ".items*",
 "apm-*-transaction*",
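Review bot: The new `editor` role's second index block grants read, write and maintenance on `.internal.alerts*`, while the `viewer` block beside it and every other role touched in this patch use the narrower `.internal.alerts-security.alerts-*`; as written the editor can write to every solution's internal alert indices, not only Security's. If that breadth is intentional (presumably mirroring a serverless built-in role) the PR description should say so, otherwise the line should read `"names": [".alerts*", ".preview.alerts*", ".internal.alerts-security.alerts-*", "risk-score.risk-score-*"],`. Likewise `viewer`'s `"securitySolutionAssistant": ["all"]` is the one Security feature on a role otherwise limited to `read`; if that feature only offers an all-or-nothing privilege this is fine, but it is worth stating since JSON cannot carry the explanation as a comment. A smaller point of style: `"osquery":["read"]` and `"osquery":["all"]` are the only entries in either role without a space after the colon.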
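Review bot: In the hunk at `@@ -361,6 +469,7 @@` the new `".internal.alerts-security.alerts-*",` entry is inserted after `.internal.preview.alerts-security*`, whereas the hunks at -252, -316, -436, -498 and -559 insert it before that entry; keeping the same order in every role makes the roles easier to diff against each other. This is a point of style only, the privileges granted are unaffected. The enclosing `names` array of this hunk starts before the hunk.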
@@ -436,6 +545,7 @@
 "names": [
 ".alerts-security*",
 ".preview.alerts-security*",
+ ".internal.alerts-security.alerts-*",
 ".internal.preview.alerts-security*",
 ".siem-signals-*"
 ],
@@ -498,6 +608,7 @@
 "names": [
 ".alerts-security*",
 ".preview.alerts-security*",
+ ".internal.alerts-security.alerts-*",
 ".internal.preview.alerts-security*",
 ".siem-signals-*"
 ],
@@ -559,6 +670,7 @@
 "names": [
 ".alerts-security*",
 ".preview.alerts-security*",
+ ".internal.alerts-security.alerts-*",
 ".internal.preview.alerts-security*",
 ".siem-signals-*"
 ],
diff --git a/x-pack/plugins/security_solution/common/test/index.ts b/x-pack/plugins/security_solution/common/test/index.ts
index 6676fc5c067a1..ca065b08b54ac 100644
--- a/x-pack/plugins/security_solution/common/test/index.ts
+++ b/x-pack/plugins/security_solution/common/test/index.ts
@@ -18,6 +18,8 @@ export type SecurityRoleName = ServerlessSecurityRoleName | EssSecurityRoleName;
 export enum ROLES {
 // Serverless roles
+ viewer = 'viewer',
+ editor = 'editor',
 t1_analyst = 't1_analyst',
 t2_analyst = 't2_analyst',
 t3_analyst = 't3_analyst',
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts
index 563bba803ea64..df53ceaebe475 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts
@@ -482,7 +482,7 @@ export default ({ getService }: FtrProviderContext) => {
 manage_ccr: false,
 manage_index_templates: true,
 monitor_watcher: false,
- monitor_transform: false,
+ monitor_transform: true,
 read_ilm: false,
 manage_api_key: false,
 manage_security: false,
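Review bot: The two members added to `ROLES` have to stay in step with the role names declared in packages/kbn-es/src/serverless_resources/security_roles.json, and nothing in the enum says so; a note on the existing context line would help whoever adds the next role, e.g. `// Serverless roles — names must match packages/kbn-es/src/serverless_resources/security_roles.json`. If `ServerlessSecurityRoleName` (declared outside this hunk) is a hand-written literal union rather than a type derived from that file, it needs `'viewer'` and `'editor'` as well; its definition is not visible here, so please confirm.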
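Review bot: Flipping the expected `monitor_transform` cluster privilege from `false` to `true` changes what this test asserts the role is allowed to do, and nothing else in the patch explains it — the other files only add the serverless `viewer`/`editor` roles and the `.internal.alerts-security.alerts-*` index pattern, neither of which grants a cluster privilege to an ESS role. A short comment on the changed line, e.g. `monitor_transform: true, // granted by <CHANGE THAT ADDED IT>`, with the placeholder replaced by the actual origin, would keep the next person from reverting it as a typo. The expectation object and the enclosing test start before the hunk.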
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/alert_tags/alert_tags_privileges.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/alert_tags/alert_tags_privileges.cy.ts
index c9d223383588b..cbf57c12806ae 100644
--- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/alert_tags/alert_tags_privileges.cy.ts
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/alert_tags/alert_tags_privileges.cy.ts
@@ -22,11 +22,16 @@ import { ALERTS_URL } from '../../../../urls/navigation';
 import { waitForAlertsToPopulate } from '../../../../tasks/create_new_rule';
 import {
 ALERTS_TABLE_ROW_LOADER,
+ ALERT_TAGGING_CONTEXT_MENU_ITEM,
 SELECTED_ALERT_TAG,
+ TAKE_ACTION_POPOVER_BTN,
 UNSELECTED_ALERT_TAG,
 } from '../../../../screens/alerts';
+const CANNOT_INTERACT_WITH_TAGS: SecurityRoleName[] = [ROLES.viewer];
+
 const CAN_INTERACT_WITH_TAGS: SecurityRoleName[] = [
+ ROLES.editor,
 ROLES.t1_analyst,
 ROLES.t2_analyst,
 // ROLES.t3_analyst,
@@ -79,4 +84,19 @@ describe('Alert tagging privileges', { tags: ['@ess', '@serverless'] }, () => {
 });
 });
 });
+
+ describe('do not have privileges', () => {
+ CANNOT_INTERACT_WITH_TAGS.forEach((role) => {
+ it(`${role} cannot add and remove a tag using the alert bulk action menu`, () => {
+ login(role);
+ visitWithTimeRange(ALERTS_URL, { role });
+ waitForAlertsToPopulate();
+
+ // Add a tag to one alert
+ selectNumberOfAlerts(1);
+ cy.get(TAKE_ACTION_POPOVER_BTN).click();
+ cy.get(ALERT_TAGGING_CONTEXT_MENU_ITEM).should('not.exist');
+ });
+ });
+ });
 });
diff --git a/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts b/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts
index 55ce4bed99098..fe4ac0f35910e 100644
--- a/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts
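Review bot: The comment `// Add a tag to one alert` in the new negative test was carried over from the positive case, but this test asserts that the tagging item is absent; replace it with `// The tagging action must not be offered to this role in the bulk action menu`. The `cy.get(ALERT_TAGGING_CONTEXT_MENU_ITEM).should('not.exist')` assertion is also satisfied if the popover has not rendered at all when Cypress checks, so asserting first that the popover opened (the popover container, or a menu item the viewer role does have) would keep the negative test from passing vacuously; which selector fits depends on the screen constants outside this hunk. The positive `describe` block and `CAN_INTERACT_WITH_TAGS` begin before the hunk.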
+++ b/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts
@@ -35,15 +35,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
 });
 // Run the same set of tests against all of the Security Solution roles
- const ROLES: SecurityRoleName[] = [
- 't2_analyst',
- 'rule_author',
- 'soc_manager',
- 'detections_admin',
- 'platform_engineer',
- 'hunter',
- 'hunter_no_actions',
- ];
+ const ROLES: SecurityRoleName[] = ['detections_admin', 'hunter', 'hunter_no_actions'];
 for (const role of ROLES) {
 describe(`when running with user/role [${role}]`, () => {
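Review bot: The context comment just above the change, `// Run the same set of tests against all of the Security Solution roles`, is no longer true: the list drops `t2_analyst`, `rule_author`, `soc_manager` and `platform_engineer` and keeps three roles. Update it to say which roles are exercised and why the others were removed, e.g. `// Run the same set of tests against a subset of the Security Solution roles: <WHY THESE THREE>`, filling in the real reason since the diff does not show it. If the dropped roles would now fail these expectations, that is lost permission coverage rather than a cleanup and deserves a sentence in the PR description. The `for (const role of ROLES)` loop continues past the hunk.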