Object Level Security, phase 1

.github/CODEOWNERS

@@ -248,6 +248,7 @@ x-pack/plugins/telemetry_collection_xpack/schema/ @elastic/kibana-core @elastic/
 /x-pack/test/ui_capabilities/ @elastic/kibana-security
 /x-pack/test/encrypted_saved_objects_api_integration/ @elastic/kibana-security
 /x-pack/test/functional/apps/security/ @elastic/kibana-security
+/x-pack/test/saved_object_acl/ @elastic/kibana-security
 /x-pack/test/security_api_integration/ @elastic/kibana-security
 /x-pack/test/security_functional/ @elastic/kibana-security
 /x-pack/test/spaces_api_integration/ @elastic/kibana-security

docs/development/core/public/kibana-plugin-core-public.md

@@ -98,6 +98,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 | [Plugin](./kibana-plugin-core-public.plugin.md) | The interface that should be returned by a <code>PluginInitializer</code>. |
 | [PluginInitializerContext](./kibana-plugin-core-public.plugininitializercontext.md) | The available core services passed to a <code>PluginInitializer</code> |
 | [SavedObject](./kibana-plugin-core-public.savedobject.md) | |
+| [SavedObjectACL](./kibana-plugin-core-public.savedobjectacl.md) | The "Access Control List" describing which users should be authorized to access this SavedObject. |
 | [SavedObjectAttributes](./kibana-plugin-core-public.savedobjectattributes.md) | The data for a Saved Object is stored as an object in the <code>attributes</code> property. |
 | [SavedObjectError](./kibana-plugin-core-public.savedobjecterror.md) | |
 | [SavedObjectReference](./kibana-plugin-core-public.savedobjectreference.md) | A reference to another saved object. |

docs/development/core/public/kibana-plugin-core-public.savedobject.acl.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-public](./kibana-plugin-core-public.md) &gt; [SavedObject](./kibana-plugin-core-public.savedobject.md) &gt; [acl](./kibana-plugin-core-public.savedobject.acl.md)
+
+## SavedObject.acl property
+
+<b>Signature:</b>
+
+```typescript
+acl?: SavedObjectACL;
+```

docs/development/core/public/kibana-plugin-core-public.savedobject.md

@@ -14,6 +14,7 @@ export interface SavedObject<T = unknown>
 
 | Property | Type | Description |
 | --- | --- | --- |
+| [acl](./kibana-plugin-core-public.savedobject.acl.md) | <code>SavedObjectACL</code> | |
 | [attributes](./kibana-plugin-core-public.savedobject.attributes.md) | <code>T</code> | The data for a Saved Object is stored as an object in the <code>attributes</code> property. |
 | [coreMigrationVersion](./kibana-plugin-core-public.savedobject.coremigrationversion.md) | <code>string</code> | A semver value that is used when upgrading objects between Kibana versions. |
 | [error](./kibana-plugin-core-public.savedobject.error.md) | <code>SavedObjectError</code> | |

docs/development/core/public/kibana-plugin-core-public.savedobjectacl.md

@@ -0,0 +1,20 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-public](./kibana-plugin-core-public.md) &gt; [SavedObjectACL](./kibana-plugin-core-public.savedobjectacl.md)
+
+## SavedObjectACL interface
+
+The "Access Control List" describing which users should be authorized to access this SavedObject.
+
+<b>Signature:</b>
+
+```typescript
+export interface SavedObjectACL 
+```
+
+## Properties
+
+| Property | Type | Description |
+| --- | --- | --- |
+| [owner](./kibana-plugin-core-public.savedobjectacl.owner.md) | <code>string</code> | The owner of this SavedObject. |
+

docs/development/core/public/kibana-plugin-core-public.savedobjectacl.owner.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-public](./kibana-plugin-core-public.md) &gt; [SavedObjectACL](./kibana-plugin-core-public.savedobjectacl.md) &gt; [owner](./kibana-plugin-core-public.savedobjectacl.owner.md)
+
+## SavedObjectACL.owner property
+
+The owner of this SavedObject.
+
+<b>Signature:</b>
+
+```typescript
+owner: string;
+```

docs/development/core/server/kibana-plugin-core-server.md

@@ -137,6 +137,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 | [RouteValidatorConfig](./kibana-plugin-core-server.routevalidatorconfig.md) | The configuration object to the RouteValidator class. Set <code>params</code>, <code>query</code> and/or <code>body</code> to specify the validation logic to follow for that property. |
 | [RouteValidatorOptions](./kibana-plugin-core-server.routevalidatoroptions.md) | Additional options for the RouteValidator class to modify its default behaviour. |
 | [SavedObject](./kibana-plugin-core-server.savedobject.md) | |
+| [SavedObjectACL](./kibana-plugin-core-server.savedobjectacl.md) | The "Access Control List" describing which users should be authorized to access this SavedObject. |
 | [SavedObjectAttributes](./kibana-plugin-core-server.savedobjectattributes.md) | The data for a Saved Object is stored as an object in the <code>attributes</code> property. |
 | [SavedObjectExportBaseOptions](./kibana-plugin-core-server.savedobjectexportbaseoptions.md) | |
 | [SavedObjectMigrationContext](./kibana-plugin-core-server.savedobjectmigrationcontext.md) | Migration context provided when invoking a [migration handler](./kibana-plugin-core-server.savedobjectmigrationfn.md) |
@@ -152,6 +153,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 | [SavedObjectsBulkUpdateOptions](./kibana-plugin-core-server.savedobjectsbulkupdateoptions.md) | |
 | [SavedObjectsBulkUpdateResponse](./kibana-plugin-core-server.savedobjectsbulkupdateresponse.md) | |
 | [SavedObjectsCheckConflictsObject](./kibana-plugin-core-server.savedobjectscheckconflictsobject.md) | |
+| [SavedObjectsCheckConflictsOptions](./kibana-plugin-core-server.savedobjectscheckconflictsoptions.md) | |
 | [SavedObjectsCheckConflictsResponse](./kibana-plugin-core-server.savedobjectscheckconflictsresponse.md) | |
 | [SavedObjectsClientProviderOptions](./kibana-plugin-core-server.savedobjectsclientprovideroptions.md) | Options to control the creation of the Saved Objects Client. |
 | [SavedObjectsClientWrapperOptions](./kibana-plugin-core-server.savedobjectsclientwrapperoptions.md) | Options passed to each SavedObjectsClientWrapperFactory to aid in creating the wrapper instance. |

docs/development/core/server/kibana-plugin-core-server.savedobject.acl.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObject](./kibana-plugin-core-server.savedobject.md) &gt; [acl](./kibana-plugin-core-server.savedobject.acl.md)
+
+## SavedObject.acl property
+
+<b>Signature:</b>
+
+```typescript
+acl?: SavedObjectACL;
+```

docs/development/core/server/kibana-plugin-core-server.savedobject.md

@@ -14,6 +14,7 @@ export interface SavedObject<T = unknown>
 
 | Property | Type | Description |
 | --- | --- | --- |
+| [acl](./kibana-plugin-core-server.savedobject.acl.md) | <code>SavedObjectACL</code> | |
 | [attributes](./kibana-plugin-core-server.savedobject.attributes.md) | <code>T</code> | The data for a Saved Object is stored as an object in the <code>attributes</code> property. |
 | [coreMigrationVersion](./kibana-plugin-core-server.savedobject.coremigrationversion.md) | <code>string</code> | A semver value that is used when upgrading objects between Kibana versions. |
 | [error](./kibana-plugin-core-server.savedobject.error.md) | <code>SavedObjectError</code> | |

docs/development/core/server/kibana-plugin-core-server.savedobjectacl.md

@@ -0,0 +1,20 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectACL](./kibana-plugin-core-server.savedobjectacl.md)
+
+## SavedObjectACL interface
+
+The "Access Control List" describing which users should be authorized to access this SavedObject.
+
+<b>Signature:</b>
+
+```typescript
+export interface SavedObjectACL 
+```
+
+## Properties
+
+| Property | Type | Description |
+| --- | --- | --- |
+| [owner](./kibana-plugin-core-server.savedobjectacl.owner.md) | <code>string</code> | The owner of this SavedObject. |
+

docs/development/core/server/kibana-plugin-core-server.savedobjectacl.owner.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectACL](./kibana-plugin-core-server.savedobjectacl.md) &gt; [owner](./kibana-plugin-core-server.savedobjectacl.owner.md)
+
+## SavedObjectACL.owner property
+
+The owner of this SavedObject.
+
+<b>Signature:</b>
+
+```typescript
+owner: string;
+```

docs/development/core/server/kibana-plugin-core-server.savedobjectsbulkcreateobject.acl.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsBulkCreateObject](./kibana-plugin-core-server.savedobjectsbulkcreateobject.md) &gt; [acl](./kibana-plugin-core-server.savedobjectsbulkcreateobject.acl.md)
+
+## SavedObjectsBulkCreateObject.acl property
+
+The [acl](./kibana-plugin-core-server.savedobjectacl.md) to associate with this saved object.
+
+<b>Signature:</b>
+
+```typescript
+acl?: SavedObjectACL;
+```

docs/development/core/server/kibana-plugin-core-server.savedobjectsbulkcreateobject.md

@@ -15,6 +15,7 @@ export interface SavedObjectsBulkCreateObject<T = unknown>
 
 | Property | Type | Description |
 | --- | --- | --- |
+| [acl](./kibana-plugin-core-server.savedobjectsbulkcreateobject.acl.md) | <code>SavedObjectACL</code> | The [acl](./kibana-plugin-core-server.savedobjectacl.md) to associate with this saved object. |
 | [attributes](./kibana-plugin-core-server.savedobjectsbulkcreateobject.attributes.md) | <code>T</code> | |
 | [coreMigrationVersion](./kibana-plugin-core-server.savedobjectsbulkcreateobject.coremigrationversion.md) | <code>string</code> | A semver value that is used when upgrading objects between Kibana versions. If undefined, this will be automatically set to the current Kibana version when the object is created. If this is set to a non-semver value, or it is set to a semver value greater than the current Kibana version, it will result in an error. |
 | [id](./kibana-plugin-core-server.savedobjectsbulkcreateobject.id.md) | <code>string</code> | |

docs/development/core/server/kibana-plugin-core-server.savedobjectscheckconflictsoptions.acl.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsCheckConflictsOptions](./kibana-plugin-core-server.savedobjectscheckconflictsoptions.md) &gt; [acl](./kibana-plugin-core-server.savedobjectscheckconflictsoptions.acl.md)
+
+## SavedObjectsCheckConflictsOptions.acl property
+
+An [acl](./kibana-plugin-core-server.savedobjectacl.md) which should be compatible with conflicting objects.
+
+<b>Signature:</b>
+
+```typescript
+acl?: SavedObjectACL;
+```

docs/development/core/server/kibana-plugin-core-server.savedobjectscheckconflictsoptions.md

@@ -0,0 +1,19 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsCheckConflictsOptions](./kibana-plugin-core-server.savedobjectscheckconflictsoptions.md)
+
+## SavedObjectsCheckConflictsOptions interface
+
+
+<b>Signature:</b>
+
+```typescript
+export interface SavedObjectsCheckConflictsOptions extends SavedObjectsBaseOptions 
+```
+
+## Properties
+
+| Property | Type | Description |
+| --- | --- | --- |
+| [acl](./kibana-plugin-core-server.savedobjectscheckconflictsoptions.acl.md) | <code>SavedObjectACL</code> | An [acl](./kibana-plugin-core-server.savedobjectacl.md) which should be compatible with conflicting objects. |
+

docs/development/core/server/kibana-plugin-core-server.savedobjectsclient.checkconflicts.md

@@ -9,15 +9,15 @@ Check what conflicts will result when creating a given array of saved objects. T
 <b>Signature:</b>
 
 ```typescript
-checkConflicts(objects?: SavedObjectsCheckConflictsObject[], options?: SavedObjectsBaseOptions): Promise<SavedObjectsCheckConflictsResponse>;
+checkConflicts(objects?: SavedObjectsCheckConflictsObject[], options?: SavedObjectsCheckConflictsOptions): Promise<SavedObjectsCheckConflictsResponse>;
 ```
 
 ## Parameters
 
 | Parameter | Type | Description |
 | --- | --- | --- |
 | objects | <code>SavedObjectsCheckConflictsObject[]</code> | |
-| options | <code>SavedObjectsBaseOptions</code> | |
+| options | <code>SavedObjectsCheckConflictsOptions</code> | |
 
 <b>Returns:</b>
 

docs/development/core/server/kibana-plugin-core-server.savedobjectscreateoptions.acl.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsCreateOptions](./kibana-plugin-core-server.savedobjectscreateoptions.md) &gt; [acl](./kibana-plugin-core-server.savedobjectscreateoptions.acl.md)
+
+## SavedObjectsCreateOptions.acl property
+
+The [acl](./kibana-plugin-core-server.savedobjectacl.md) to associate with this saved object.
+
+<b>Signature:</b>
+
+```typescript
+acl?: SavedObjectACL;
+```

docs/development/core/server/kibana-plugin-core-server.savedobjectscreateoptions.md

@@ -15,6 +15,7 @@ export interface SavedObjectsCreateOptions extends SavedObjectsBaseOptions
 
 | Property | Type | Description |
 | --- | --- | --- |
+| [acl](./kibana-plugin-core-server.savedobjectscreateoptions.acl.md) | <code>SavedObjectACL</code> | The [acl](./kibana-plugin-core-server.savedobjectacl.md) to associate with this saved object. |
 | [coreMigrationVersion](./kibana-plugin-core-server.savedobjectscreateoptions.coremigrationversion.md) | <code>string</code> | A semver value that is used when upgrading objects between Kibana versions. If undefined, this will be automatically set to the current Kibana version when the object is created. If this is set to a non-semver value, or it is set to a semver value greater than the current Kibana version, it will result in an error. |
 | [id](./kibana-plugin-core-server.savedobjectscreateoptions.id.md) | <code>string</code> | (not recommended) Specify an id for the document |
 | [initialNamespaces](./kibana-plugin-core-server.savedobjectscreateoptions.initialnamespaces.md) | <code>string[]</code> | Optional initial namespaces for the object to be created in. If this is defined, it will supersede the namespace ID that is in [SavedObjectsCreateOptions](./kibana-plugin-core-server.savedobjectscreateoptions.md)<!-- -->.<!-- -->Note: this can only be used for multi-namespace object types. |

docs/development/core/server/kibana-plugin-core-server.savedobjectserrorhelpers.createincompatibleaclerror.md

@@ -0,0 +1,23 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsErrorHelpers](./kibana-plugin-core-server.savedobjectserrorhelpers.md) &gt; [createIncompatibleACLError](./kibana-plugin-core-server.savedobjectserrorhelpers.createincompatibleaclerror.md)
+
+## SavedObjectsErrorHelpers.createIncompatibleACLError() method
+
+<b>Signature:</b>
+
+```typescript
+static createIncompatibleACLError(type: string, id: string): DecoratedError;
+```
+
+## Parameters
+
+| Parameter | Type | Description |
+| --- | --- | --- |
+| type | <code>string</code> | |
+| id | <code>string</code> | |
+
+<b>Returns:</b>
+
+`DecoratedError`
+

docs/development/core/server/kibana-plugin-core-server.savedobjectserrorhelpers.md

@@ -18,6 +18,7 @@ export declare class SavedObjectsErrorHelpers
 | [createBadRequestError(reason)](./kibana-plugin-core-server.savedobjectserrorhelpers.createbadrequesterror.md) | <code>static</code> | |
 | [createConflictError(type, id, reason)](./kibana-plugin-core-server.savedobjectserrorhelpers.createconflicterror.md) | <code>static</code> | |
 | [createGenericNotFoundError(type, id)](./kibana-plugin-core-server.savedobjectserrorhelpers.creategenericnotfounderror.md) | <code>static</code> | |
+| [createIncompatibleACLError(type, id)](./kibana-plugin-core-server.savedobjectserrorhelpers.createincompatibleaclerror.md) | <code>static</code> | |
 | [createIndexAliasNotFoundError(alias)](./kibana-plugin-core-server.savedobjectserrorhelpers.createindexaliasnotfounderror.md) | <code>static</code> | |
 | [createInvalidVersionError(versionInput)](./kibana-plugin-core-server.savedobjectserrorhelpers.createinvalidversionerror.md) | <code>static</code> | |
 | [createTooManyRequestsError(type, id)](./kibana-plugin-core-server.savedobjectserrorhelpers.createtoomanyrequestserror.md) | <code>static</code> | |

docs/development/core/server/kibana-plugin-core-server.savedobjectsrepository.bulkcreate.md

@@ -9,15 +9,15 @@ Creates multiple documents at once
 <b>Signature:</b>
 
 ```typescript
-bulkCreate<T = unknown>(objects: Array<SavedObjectsBulkCreateObject<T>>, options?: SavedObjectsCreateOptions): Promise<SavedObjectsBulkResponse<T>>;
+bulkCreate<T = unknown>(objects: Array<SavedObjectsBulkCreateObject<T>>, options?: SavedObjectsBulkCreateOptions): Promise<SavedObjectsBulkResponse<T>>;
 ```
 
 ## Parameters
 
 | Parameter | Type | Description |
 | --- | --- | --- |
 | objects | <code>Array&lt;SavedObjectsBulkCreateObject&lt;T&gt;&gt;</code> | |
-| options | <code>SavedObjectsCreateOptions</code> | |
+| options | <code>SavedObjectsBulkCreateOptions</code> | |
 
 <b>Returns:</b>
 

docs/development/core/server/kibana-plugin-core-server.savedobjectsrepository.checkconflicts.md

@@ -9,15 +9,15 @@ Check what conflicts will result when creating a given array of saved objects. T
 <b>Signature:</b>
 
 ```typescript
-checkConflicts(objects?: SavedObjectsCheckConflictsObject[], options?: SavedObjectsBaseOptions): Promise<SavedObjectsCheckConflictsResponse>;
+checkConflicts(objects?: SavedObjectsCheckConflictsObject[], options?: SavedObjectsCheckConflictsOptions): Promise<SavedObjectsCheckConflictsResponse>;
 ```
 
 ## Parameters
 
 | Parameter | Type | Description |
 | --- | --- | --- |
 | objects | <code>SavedObjectsCheckConflictsObject[]</code> | |
-| options | <code>SavedObjectsBaseOptions</code> | |
+| options | <code>SavedObjectsCheckConflictsOptions</code> | |
 
 <b>Returns:</b>
 

docs/development/core/server/kibana-plugin-core-server.savedobjectstype.classification.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsType](./kibana-plugin-core-server.savedobjectstype.md) &gt; [classification](./kibana-plugin-core-server.savedobjectstype.classification.md)
+
+## SavedObjectsType.classification property
+
+The for the type.
+
+<b>Signature:</b>
+
+```typescript
+classification?: SavedObjectsClassification;
+```

docs/development/core/server/kibana-plugin-core-server.savedobjectstype.md

@@ -18,6 +18,7 @@ This is only internal for now, and will only be public when we expose the regist
 
 | Property | Type | Description |
 | --- | --- | --- |
+| [classification](./kibana-plugin-core-server.savedobjectstype.classification.md) | <code>SavedObjectsClassification</code> | The for the type. |
 | [convertToAliasScript](./kibana-plugin-core-server.savedobjectstype.converttoaliasscript.md) | <code>string</code> | If defined, will be used to convert the type to an alias. |
 | [convertToMultiNamespaceTypeVersion](./kibana-plugin-core-server.savedobjectstype.converttomultinamespacetypeversion.md) | <code>string</code> | If defined, objects of this type will be converted to a 'multiple' or 'multiple-isolated' namespace type when migrating to this version.<!-- -->Requirements:<!-- -->1. This string value must be a valid semver version 2. This type must have previously specified [\`namespaceType: 'single'\`](./kibana-plugin-core-server.savedobjectsnamespacetype.md) 3. This type must also specify [\`namespaceType: 'multiple'\`](./kibana-plugin-core-server.savedobjectsnamespacetype.md) \*or\* [\`namespaceType: 'multiple-isolated'\`](./kibana-plugin-core-server.savedobjectsnamespacetype.md)<!-- -->Example of a single-namespace type in 7.12:
 ```ts

docs/development/core/server/kibana-plugin-core-server.savedobjecttyperegistry.isconfidential.md

@@ -0,0 +1,24 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectTypeRegistry](./kibana-plugin-core-server.savedobjecttyperegistry.md) &gt; [isConfidential](./kibana-plugin-core-server.savedobjecttyperegistry.isconfidential.md)
+
+## SavedObjectTypeRegistry.isConfidential() method
+
+Returns `true` if the given type is marked as `confidential`<!-- -->, and `false` otherwise.
+
+<b>Signature:</b>
+
+```typescript
+isConfidential(type: string): boolean;
+```
+
+## Parameters
+
+| Parameter | Type | Description |
+| --- | --- | --- |
+| type | <code>string</code> | |
+
+<b>Returns:</b>
+
+`boolean`
+