[SecuritySolution] Breaking out timeline & note privileges (#201780)
## Summary

Epic: elastic/security-team#7998

In this PR we're breaking out the `timeline` and `notes` features into their own feature privilege definitions. Previously, access to both features was granted implicitly through the `siem` feature. However, we found that this level of access control is not sufficient for all clients who wanted a more fine-grained way to grant access to parts of security solution.

In order to break out `timeline` and `notes` from `siem`, we had to deprecate its feature privilege definition. That is why you'll find plenty of changes of `siem` to `siemV2` in this PR. We're making use of the feature privilege's `replacedBy` functionality, allowing for a seamless migration of deprecated roles. This means that roles that previously granted `siem.all` are now granted `siemV2.all`, `timeline.all` and `notes.all` (same for `*.read`). Existing users are not impacted and should all still have the correct access. We added tests to make sure this is working as expected.

Alongside the `ui` privileges, this PR also adds dedicated API tags. Those tags have been added to the new and previous version of the privilege definitions to allow for a clean migration:

```mermaid
flowchart LR
  subgraph v1
    A(siem) --> Y(all)
    A --> X(read)
    Y -->|api| W(timeline_write / timeline_read / notes_read / notes_write)
    X -->|api| V(timeline_read / notes_read)
  end
  subgraph v2
    A -->|replacedBy| C[siemV2]
    A -->|replacedBy| E[timeline]
    A -->|replacedBy| G[notes]
    E --> L(all)
    E --> M(read)
    L -->|api| N(timeline_write / timeline_read)
    M -->|api| P(timeline_read)
    G --> Q(all)
    G --> I(read)
    Q -->|api| R(notes_write / notes_read)
    I -->|api| S(notes_read)
  end
```

### Visual changes

#### Hidden/disabled elements

Most of the changes are happening "under the hood" and are only expressed in case a user has a role with `timeline.none` or `notes.none`. This would hide and/or disable elements that would usually allow them to interact with either timeline or the notes feature (within timeline or the event flyout currently). As an example, this is how the hover actions look for a user with and without timeline access:

| With timeline access | Without timeline access |
| --- | --- |
| <img width="616" alt="Screenshot 2024-12-18 at 17 22 49" src="https://github.com/user-attachments/assets/a767fbb5-49c8-422a-817e-23e7fe1f0042" /> | <img width="724" alt="Screenshot 2024-12-18 at 17 23 29" src="https://github.com/user-attachments/assets/3490306a-d1c3-41aa-af5b-05a1dd804b47" /> |

#### Roles

Another visible change of this PR is the addition of `Timeline` and `Notes` in the edit-role screen:

| Before | After |
| --- | --- |
| <img width="746" alt="Screenshot 2024-12-12 at 16 31 43" src="https://github.com/user-attachments/assets/20a80dd4-c214-48a5-8c6e-3dc19c0cbc43" /> | <img width="738" alt="Screenshot 2024-12-12 at 16 32 53" src="https://github.com/user-attachments/assets/afb1eab4-1729-4c4e-9f51-fddabc32b1dd" /> |

We made sure that for migrated roles that had `security.all` selected, this screen correctly shows `security.all`, `timeline.all` and `notes.all` after the privilege migration.

#### Timeline toast

There are tons of places in security solution where `Investigate / Add to timeline` are shown. We did our best to disable all of these actions, but there is no guarantee that this PR catches all the places where we link to timeline (actions). One layer of extra protection is that the API endpoints don't give access to timelines to users without the correct privileges. Another one is a Redux middleware that makes sure timelines cannot be shown in missed cases. The following toast will be shown instead of the timeline:

<img width="354" alt="Screenshot 2024-12-19 at 10 34 23" src="https://github.com/user-attachments/assets/1304005e-2753-4268-b6e7-bd7e22d8a1e3" />

### Changes to predefined security roles

All predefined security roles have been updated to grant the new privileges (in ESS and serverless). In accordance with the migration, all roles with `siem.all` have been assigned `siemV2.all`, `timeline.all` and `notes.all` (and `*.read` respectively).

### Checklist

Check that the PR satisfies the following conditions. Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: PhilippeOberti <philippe.oberti@elastic.co>
Co-authored-by: Steph Milovic <stephanie.milovic@elastic.co>
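As an added illustration of the migration semantics the PR description lays out (this is example code written for this page, not Kibana's feature registry or anything from the PR itself), the TypeScript below models the `replacedBy` expansion of the deprecated `siem` privileges and the API tags from the diagram. It lets a reviewer check two properties a defender cares about: that a migrated role keeps every API tag it held before, and that access to timeline is decided by the `timeline` feature alone, so setting it to `none` actually removes the `timeline_*` tags even when `siemV2.all` is still granted. The map shapes and the function names (`migratePrivileges`, `apiTags`, `hasApiTag`, `migrationPreservesAccess`, `withFeatureNone`) are assumptions made for this example.

```typescript
// Example model of the siem -> siemV2/timeline/notes privilege migration.
// Not Kibana's code: the maps below are constructed from the PR's diagram,
// and the function names are assumptions for illustration.

type PrivilegeId = string; // "<feature>.<level>", e.g. "siem.all"

// Deprecated privilege -> privileges that replace it (the diagram's v1 -> v2 edges).
const REPLACED_BY: Record<PrivilegeId, PrivilegeId[]> = {
  'siem.all': ['siemV2.all', 'timeline.all', 'notes.all'],
  'siem.read': ['siemV2.read', 'timeline.read', 'notes.read'],
};

// API tags attached to each privilege. The deprecated `siem` privileges keep
// their tags so un-migrated roles are not cut off mid-migration; `siemV2`
// carries none of the timeline/notes tags, which is the point of the break-out.
const API_TAGS: Record<PrivilegeId, string[]> = {
  'siem.all': ['timeline_write', 'timeline_read', 'notes_write', 'notes_read'],
  'siem.read': ['timeline_read', 'notes_read'],
  'siemV2.all': [],
  'siemV2.read': [],
  'timeline.all': ['timeline_write', 'timeline_read'],
  'timeline.read': ['timeline_read'],
  'notes.all': ['notes_write', 'notes_read'],
  'notes.read': ['notes_read'],
};

/** Expand deprecated privileges via `replacedBy`; others pass through.
 *  Result is deduplicated and sorted so it can be compared directly. */
export function migratePrivileges(granted: PrivilegeId[]): PrivilegeId[] {
  const out = new Set<PrivilegeId>();
  for (const p of granted) {
    const replacements = REPLACED_BY[p] !== undefined ? REPLACED_BY[p] : [p];
    for (const q of replacements) out.add(q);
  }
  return Array.from(out).sort();
}

/** Union of API tags granted by a set of privileges; unknown ids grant nothing. */
export function apiTags(privileges: PrivilegeId[]): string[] {
  const tags = new Set<string>();
  for (const p of privileges) {
    for (const t of API_TAGS[p] !== undefined ? API_TAGS[p] : []) tags.add(t);
  }
  return Array.from(tags).sort();
}

/** The check an API endpoint makes: does the (migrated) role hold the tag? */
export function hasApiTag(granted: PrivilegeId[], tag: string): boolean {
  return apiTags(migratePrivileges(granted)).indexOf(tag) !== -1;
}

/** Regression property for the migration: no API tag may be lost. */
export function migrationPreservesAccess(granted: PrivilegeId[]): boolean {
  const before = apiTags(granted);
  const after = new Set(apiTags(migratePrivileges(granted)));
  return before.every((t) => after.has(t));
}

/** What the edit-role screen does when a feature is set to `none` after the
 *  migration: drop every privilege of that feature. */
export function withFeatureNone(privileges: PrivilegeId[], feature: string): PrivilegeId[] {
  return privileges.filter((p) => !p.startsWith(feature + '.'));
}
```

Running `withFeatureNone(migratePrivileges(['siem.all']), 'timeline')` leaves `notes.all` and `siemV2.all`, and `apiTags` of that set contains only the `notes_*` tags; this is the server-side behaviour the description relies on when the UI misses an `Investigate / Add to timeline` action.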