Description
opened on Jul 30, 2024
Kibana version:
serverless
Describe the bug:
Users who have access to the Security Project with any role, except Admin, can't access Security > Findings > Misconfigurations and Security > Rules > Benchmarks pages. These pages seem to work only for organisation owners.
Steps to reproduce:
- Create a Security project on cloud.elastic.co
- As an owner install CSPM integration and wait for data ingestion
- Go to Project Settings > Users and Roles
- Invite a user to an organisation with access only to the created project and a role "Editor"
- Login with this new user to cloud.elastic.co and open the security project
- Navigate to Security > Rules > Benchmarks or Security > Findings > Misconfigurations (Vulnerabilities most likely also affected) pages and see that the findings or benchmark rules don't load
Expected behavior:
Cloud Security features should be available for users with Editor role, but even better with Editor or Viewer (only read-only features) roles
Screenshots (if relevant):
Errors in browser console (if relevant):
GET /internal/cloud_security_posture/benchmarks 403 (Forbidden)
Provide logs and/or server output (if relevant):
Any additional context:
Initially I thought our features didn't work even with the Admin role, but that's because I wasn't logging out after changing the role (which might be an issue by itself in general, but not specific to us). I updated the issue to note that our features don't work with Editor and Viewer roles.
A related issue in ESS
We require specific setup for users to access Cloud Security features, but the access control on Serverless is different, so we need to find a way to make our features work there
@elastic/kibana-cloud-security-posture