Skip to content

Commit

Permalink
Issue 437: Maintenance permission (elastic#492) (elastic#530)
Browse files Browse the repository at this point in the history
* Issue elastic#437: Add maintenance permission for SIEM index

* Rework detections section

* Add slight edits to the new section.

* Add a couple more grammar edits.

* Update docs/getting-started/detections-req.asciidoc

Co-authored-by: Garrett Spong <[email protected]>

* Add back in accidental deletion

Co-authored-by: DonNateR <>
Co-authored-by: Garrett Spong <[email protected]>

Co-authored-by: Garrett Spong <[email protected]>
  • Loading branch information
narcher7 and spong authored Feb 24, 2021
1 parent 9cc019e commit 8e84540
Showing 1 changed file with 17 additions and 9 deletions.
26 changes: 17 additions & 9 deletions docs/getting-started/detections-req.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ and restarting {kib}, you must restart all detection rules.
To enable the <<detection-engine-overview, Detections feature>>, a user with
these privileges must visit (click on) the *Detections* page:

* The `manage` cluster privilege
* The `manage` cluster privilege.
* {kib} space `All` privileges for the `Security` feature (see
{kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges]).
* The `manage`, `write`,`read`, and `view_index_metadata` index privileges for all of these system indices:
Expand Down Expand Up @@ -74,24 +74,32 @@ image::images/sec-admin-user.png[]
[[access-detections-ui]]
== Access and use Detections

After enabling Detections, only users with these permission can view and use the
*Detections* page:
After enabling Detections, only users with these permissions can view and use rules and alerts on the *Detections* page:

* {kib} space `All` privileges for the `Security` and `Saved Objects
Management` features
* The `read`, `write`, and `view_index_metadata` index privileges for all of these system indices:
**All**

These permissions are required for both rule and alert management:

* {kib} space with `All` privileges enabled for `Security`.
* The `read`, `write`, `view_index_metadata`, and `maintenance` index privileges for all of these system indices:
** `.siem-signals-<kib-space>`
** `.lists-<kib-space>`
** `.items-<kib-space>`
+
Where `<kib-space>` is the {kib} space name.

Here's a screenshot of a user role that can view and create detection rules in all {kib}
spaces:

[role="screenshot"]
image::images/sec-user.png[]

**Rule**

For rule management, make sure {kib} space with `All` privileges is enabled for both `Security` and `Saved Objects Management` features.

**Alert**

If you only want a user to update the status of alerts but not rule, only {kib} space with `All` privileges enabled for `Security` is required.


[discrete]
[[adv-list-settings]]
== Configure list upload limits
Expand Down

0 comments on commit 8e84540

Please sign in to comment.