[Security Solution][Detections] Adds list plugin Saved Objects to Sec…

…urity feature privilege (#90895) ## Summary Add's the list plugins Saved Objects (`exception-list` and `exception-list-agnostic`) to the `Security` feature privilege. Resolves #90715 ### Test Instructions Load pre-packaged roles/users, and ensure only those with the Kibana Space privilege `Security:All` have the ability to create/edit rules and exception lists (space-aware/agnostic). Users with `Security:Read` should only be able to view rules/exception lists. Pre-packaged security roles should no longer be granted the `Saved Objects Management` feature privilege, and this feature privilege should no longer be required to use any of the Detections features. To add test users: t1_analyst (`"siem": ["read"]`): ``` bash cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/ ./roles_users/t1_analyst/post_detections_role.sh roles_users/t1_analyst/detections_role.json ./roles_users/t1_analyst/post_detections_user.sh roles_users/t1_analyst/detections_user.json ``` hunter (`"siem": ["all"]`): ``` bash cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/ ./roles_users/t1_analyst/post_detections_role.sh roles_users/hunter/detections_role.json ./roles_users/t1_analyst/post_detections_user.sh roles_users/hunter/detections_user.json ``` Note: Be sure to remove these users after testing if using a public cluster. ### Checklist Delete any items that are not applicable to this PR. - [X] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials -- `docs` label added, will work with @jmikell821 on doc changes - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
elastic · Feb 11, 2021 · c76f01d · c76f01d
1 parent 17b2b27
commit c76f01d
Show file tree

Hide file tree

Showing 13 changed files with 616 additions and 553 deletions.
diff --git a/...ion/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json b/...ion/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json
@@ -26,8 +26,7 @@
         "siem": ["all"],
         "actions": ["read"],
         "builtInAlerts": ["all"],
-        "dev_tools": ["all"],
-        "savedObjectsManagement": ["all"]
+        "dev_tools": ["all"]
       },
       "spaces": ["*"]
     }

diff --git a/...urity_solution/server/lib/detection_engine/scripts/roles_users/hunter/README.md b/...urity_solution/server/lib/detection_engine/scripts/roles_users/hunter/README.md
@@ -2,7 +2,6 @@ This user can CRUD rules and signals. The main difference here is the user has
 
 ```json
 "builtInAlerts": ["all"],
-"savedObjectsManagement": ["all"]
 ```
 
 privileges whereas the T1 and T2 have "read" privileges which prevents them from creating rules

diff --git a/...rity_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json b/...rity_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json
@@ -30,8 +30,7 @@
         "ml": ["read"],
         "siem": ["all"],
         "actions": ["read"],
-        "builtInAlerts": ["all"],
-        "savedObjectsManagement": ["all"]
+        "builtInAlerts": ["all"]
       },
       "spaces": ["*"]
     }

diff --git a/...on/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json b/...on/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json
@@ -30,8 +30,7 @@
         "ml": ["all"],
         "siem": ["all"],
         "actions": ["all"],
-        "builtInAlerts": ["all"],
-        "savedObjectsManagement": ["all"]
+        "builtInAlerts": ["all"]
       },
       "spaces": ["*"]
     }

diff --git a/...rity_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json b/...rity_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json
@@ -24,8 +24,7 @@
         "ml": ["read"],
         "siem": ["read"],
         "actions": ["read"],
-        "builtInAlerts": ["read"],
-        "savedObjectsManagement": ["read"]
+        "builtInAlerts": ["read"]
       },
       "spaces": ["*"]
     }

diff --git a/...solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json b/...solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json
@@ -28,8 +28,7 @@
         "ml": ["read"],
         "siem": ["all"],
         "actions": ["read"],
-        "builtInAlerts": ["all"],
-        "savedObjectsManagement": ["all"]
+        "builtInAlerts": ["all"]
       },
       "spaces": ["*"]
     }

diff --git a/...solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json b/...solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json
@@ -28,8 +28,7 @@
         "ml": ["read"],
         "siem": ["all"],
         "actions": ["all"],
-        "builtInAlerts": ["all"],
-        "savedObjectsManagement": ["all"]
+        "builtInAlerts": ["all"]
       },
       "spaces": ["*"]
     }

diff --git a/..._solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json b/..._solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json
@@ -21,10 +21,9 @@
     {
       "feature": {
         "ml": ["read"],
-        "siem": ["all"],
+        "siem": ["read"],
         "actions": ["read"],
-        "builtInAlerts": ["read"],
-        "savedObjectsManagement": ["read"]
+        "builtInAlerts": ["read"]
       },
       "spaces": ["*"]
     }

diff --git a/..._solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json b/..._solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json
@@ -23,10 +23,9 @@
     {
       "feature": {
         "ml": ["read"],
-        "siem": ["all"],
+        "siem": ["read"],
         "actions": ["read"],
-        "builtInAlerts": ["read"],
-        "savedObjectsManagement": ["read"]
+        "builtInAlerts": ["read"]
       },
       "spaces": ["*"]
     }

diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts
@@ -219,6 +219,8 @@ export class Plugin implements IPlugin<PluginSetup, PluginStart, SetupPlugins, S
               'cases-comments',
               'cases-configure',
               'cases-user-actions',
+              'exception-list',
+              'exception-list-agnostic',
               ...savedObjectTypes,
             ],
             read: ['config'],
@@ -243,6 +245,8 @@ export class Plugin implements IPlugin<PluginSetup, PluginStart, SetupPlugins, S
               'cases-comments',
               'cases-configure',
               'cases-user-actions',
+              'exception-list',
+              'exception-list-agnostic',
               ...savedObjectTypes,
             ],
           },

diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/roles_users_utils/index.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/roles_users_utils/index.ts
@@ -100,7 +100,6 @@ interface RoleInterface {
       siem: string[];
       actions: string[];
       builtInAlerts: string[];
-      savedObjectsManagement: string[];
     };
     spaces: string[];
   }>;