From 5c19287a9d8c4625161a035c876d5740f2fbc6b4 Mon Sep 17 00:00:00 2001 From: Nate Archer <12628964+DonNateR@users.noreply.github.com> Date: Wed, 24 Feb 2021 10:25:19 -0600 Subject: [PATCH] Issue 437: Maintenance permission (#492) (#529) * Issue #437: Add maintenance permission for SIEM index * Rework detections section * Add slight edits to the new section. * Add a couple more grammar edits. * Update docs/getting-started/detections-req.asciidoc Co-authored-by: Garrett Spong * Add back in accidental deletion Co-authored-by: DonNateR <> Co-authored-by: Garrett Spong Co-authored-by: Garrett Spong --- docs/getting-started/detections-req.asciidoc | 26 +++++++++++++------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/docs/getting-started/detections-req.asciidoc b/docs/getting-started/detections-req.asciidoc index 893b1d9bbe..72c4db7939 100644 --- a/docs/getting-started/detections-req.asciidoc +++ b/docs/getting-started/detections-req.asciidoc @@ -42,7 +42,7 @@ and restarting {kib}, you must restart all detection rules. To enable the <>, a user with these privileges must visit (click on) the *Detections* page: -* The `manage` cluster privilege +* The `manage` cluster privilege. * {kib} space `All` privileges for the `Security` feature (see {kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges]). * The `manage`, `write`,`read`, and `view_index_metadata` index privileges for all of these system indices: 
@@ -74,24 +74,32 @@ image::images/sec-admin-user.png[] [[access-detections-ui]] == Access and use Detections -After enabling Detections, only users with these permission can view and use the -*Detections* page: +After enabling Detections, only users with these permissions can view and use rules and alerts on the *Detections* page: -* {kib} space `All` privileges for the `Security` and `Saved Objects -Management` features -* The `read`, `write`, and `view_index_metadata` index privileges for all of these system indices: +**All** + +These permissions are required for both rule and alert management: + +* {kib} space with `All` privileges enabled for `Security`. +* The `read`, `write`, `view_index_metadata`, and `maintenance` index privileges for all of these system indices: ** `.siem-signals-` ** `.lists-` ** `.items-` + Where `` is the {kib} space name. -Here's a screenshot of a user role that can view and create detection rules in all {kib} -spaces: - [role="screenshot"] image::images/sec-user.png[] +**Rule** + +For rule management, make sure {kib} space with `All` privileges is enabled for both `Security` and `Saved Objects Management` features. + +**Alert** + +If you only want a user to update the status of alerts but not rule, only {kib} space with `All` privileges enabled for `Security` is required. + + [discrete] [[adv-list-settings]] == Configure list upload limits
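Review bot: In the first hunk (`@@ -42,7`) the only change is the trailing period on `* The \`manage\` cluster privilege.`, which matches the following bullet that already ends in `]).`; the third bullet correctly keeps its colon because it introduces the sub-list of system indices. No further change is needed in that list for this commit: it still grants the `manage` index privilege on the same system indices, which is broader than the `maintenance` privilege added in the access section below.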
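Review bot: In the second hunk (`@@ -74,24`) the `image::images/sec-user.png[]` screenshot is left under the new **All** subsection with no introductory sentence, but the removed line described it as "a user role that can view and create detection rules", which per the new **Rule** text also needs `Saved Objects Management`; either restore a one-line caption stating which role the screenshot shows, or move the image under **Rule**. Two wording fixes in the same hunk: `* {kib} space with \`All\` privileges enabled for \`Security\`.` reads awkwardly next to the unchanged bullet style in the `@@ -42` list and could become `* {kib} space \`All\` privileges for the \`Security\` feature.`; and `If you only want a user to update the status of alerts but not rule, only {kib} space with \`All\` privileges enabled for \`Security\` is required.` should read `...but not manage rules, {kib} space \`All\` privileges for the \`Security\` feature are sufficient.` Since this commit adds `maintenance` to the required index privileges, a short sentence saying why it is now needed (the commit references Issue #437) would help readers updating existing roles. Finally, `**All**`, `**Rule**` and `**Alert**` are bold paragraphs rather than headings; the file otherwise uses `==` section titles, so `===` subsections (or `.All`-style block titles) would fit the document's conventions, and the double blank line before `[discrete]` can be collapsed to one.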