diff --git a/docs/getting-started/detections-req.asciidoc b/docs/getting-started/detections-req.asciidoc index 893b1d9bbe..733d086aa8 100644 --- a/docs/getting-started/detections-req.asciidoc +++ b/docs/getting-started/detections-req.asciidoc @@ -42,7 +42,7 @@ and restarting {kib}, you must restart all detection rules. To enable the <>, a user with these privileges must visit (click on) the *Detections* page: -* The `manage` cluster privilege +* The `manage` cluster privilege. * {kib} space `All` privileges for the `Security` feature (see {kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges]). * The `manage`, `write`,`read`, and `view_index_metadata` index privileges for all of these system indices: @@ -74,24 +74,32 @@ image::images/sec-admin-user.png[] [[access-detections-ui]] == Access and use Detections -After enabling Detections, only users with these permission can view and use the -*Detections* page: +After enabling Detections, only users with these permissions can view and use rules and alerts on the *Detections* page: -* {kib} space `All` privileges for the `Security` and `Saved Objects -Management` features -* The `read`, `write`, and `view_index_metadata` index privileges for all of these system indices: +**All** + +These permissions are required for both rule and alert management: + +* {kib} space with `All` privileges enabled for `Security`. +* The `read`, `write`, `view_index_metadata`, and `maintenance` index privileges for all of these system indices: ** `.siem-signals-` ** `.lists-` ** `.items-` + Where `` is the {kib} space name. -Here's a screenshot of a user role that can view and create detection rules in all {kib} -spaces: - [role="screenshot"] image::images/sec-user.png[] +**Rule** + +For rule management, make sure {kib} space with `All` privileges is enabled for both `Security` and `Saved Objects Management` features. + +**Alert** + +If you only want a user to update the status of alerts but not rule, only {kib} space with `All` privileges enabled for `Security` is required. + + [discrete] [[adv-list-settings]] == Configure list upload limits