[Security Solution] Maintenance window is not displayed for non-admin users in Serverless

[MadameSheema]

Related to: #184160

Summary

Describe the bug:

• Maintenance window is not displayed for non-admin users

Kibana/Elasticsearch Stack version:

• Latest serverless

Initial context:

• To have a maintenance window setup on a Security project

Steps to reproduce:

1. Enter to the Security project where the maintenace window is set with a user with a role different from admin
2. Navigate to the Rules page

Current behavior:

• The maintenance window is not displayed

Expected behavior:

• The maintenance window should be displayed for all the roles that have at least "read" permission in this table (internal).
• The skipped Serverless test should be unskipped

Extra information:

• This behaviour seems to be happening with all the built-in roles different from the admin one.

To do

Fix Security Solution's predefined roles in Serverless:

• in project-controller (main source file, internal)
• in kibana (secondary source file)

Code review might be needed from @dhurley14, because he is familiar with serverless roles area.

When the bug is fixed, in the same PR please unskip the corresponding test for the Maintenance Window callout: #184160.

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[nikitaindik]

We have investigated the issue a bit together with @MadameSheema. Here's what we found:

This piece of code skips requesting active maintenance windows and causes the callout not to be shown:
https://github.com/elastic/kibana/blob/main/packages/kbn-alerts-ui-shared/src/maintenance_window_callout/index.tsx#L57

  const isMaintenanceWindowDisabled =
    !capabilities[MAINTENANCE_WINDOW_FEATURE_ID].show &&
    !capabilities[MAINTENANCE_WINDOW_FEATURE_ID].save;

  const { data: activeMaintenanceWindows = [] } = useFetchActiveMaintenanceWindows(kibanaServices, {
    enabled: !isMaintenanceWindowDisabled,
  });

Checked locally. Looks like for all Serverless roles other than admin, both capabilities[MAINTENANCE_WINDOW_FEATURE_ID].show and capabilities[MAINTENANCE_WINDOW_FEATURE_ID].save are false.

I have no knowledge about capabilities and how they are related to Serverless roles. But you folks probably understand what's going on.

[cnasikas]

To my understanding, this is only applicable to security solution. It seems that in packages/kbn-es/src/serverless_resources/project_roles/security/roles.yml you do not give access to the MW feature to the roles. It seems to not be related to how the MW works.

[elasticmachine]

Pinging @elastic/security-detection-engine (Team:Security Solution Platform)

[cnasikas]

Btw maybe it is not a bug. Handling MWs is an administrative process and maybe a T1 analyst should not have access to them. It seems to me it is a product decision on which roles should have access to MW.

[banderror]

@cnasikas Thank you for localizing the issue 🙏 I think it's a bug - we only show a callout in Security on the Rule Management page when there's a maintenance window currently active. So we'll need to fix our predefined roles in Serverless:

• in project-controller (main source file, internal)
• and in kibana (secondary source file)

I assigned it to our team.