[Security Solution]Read User for Security able to update Alert Status #126331
Comments
Pinging @elastic/security-solution (Team: SecuritySolution)
Reviewed & assigned to @MadameSheema
Pinging @elastic/security-detections-response (Team:Detections and Resp)
@karanbirsingh-qasource is this present in earlier releases too? Trying to figure out how all these read only issues came about or if they've all been there for a while. Thanks so much for the testing!
Sure @yctercero, we can check the issue behavior in earlier releases, and it is occurring on all the previous releases. Observations
Please let me know if there is any other checkpoint to check for this issue. Thanks!!
I reached out to the RAC team about this as it has to do with how they implemented this feature within cases. It looks like this behavior was documented here - #102929. This might be partly a product question. I assume that someone who is assigned read only in "Security" and all in "Cases" is meant to just be working everything having to do with cases. Not sure how effective their role would be if they can't update the alert status, but based on the Kibana privileges it doesn't make sense that they are able to update the alert status in the case. If a user with read only in "Security" should not be able to update the alert from the case, I would just hide that feature altogether. Any feedback here @MikePaquette @jethr0null ? (not sure who is the cases PM)
Pinging @elastic/response-ops (Team:ResponseOps)
Pinging @elastic/response-ops-cases (Feature:Cases)
This is occurring because the user has If you all would like for us to change it so that it doesn't matter whether the user has
This will also come into alignment with what the Security solution does in the alerts table. If you have read permissions to Security Solution, you cannot change the status of an alert from the table (they hide the context menu item). If you have all you can. Although, I tested it and the API seems to not respect the privileges when updating the status of an alert.
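An added illustration, not part of the thread and not Kibana's code, of the point in the comment above: hiding the control in the UI is separate from the server authorizing the update. The role shape, the function names and the assumption that the case path checks only the Cases privilege are hypothetical.

```typescript
// Added illustration; every name here is hypothetical and none of it is Kibana's API.
type Level = "none" | "read" | "all";
type Status = "open" | "acknowledged" | "closed";
type EntryPoint = "table" | "case" | "api";
interface Role { name: string; security: Level; cases: Level }
interface Alert { id: string; status: Status }
interface Outcome { allowed: boolean; status: Status; reason: string }

// Assumed model of the reported behaviour: the case path looks only at the
// Cases privilege, so "read" in Security does not stop the status change.
function updateFromCaseAsReported(role: Role, alert: Alert, next: Status): Outcome {
  if (role.cases !== "all") {
    return { allowed: false, status: alert.status, reason: "cases privilege is not 'all'" };
  }
  alert.status = next;
  return { allowed: true, status: alert.status, reason: "cases: all" };
}

// Single server-side gate: the alert belongs to Security, so Security decides.
function canWriteAlert(role: Role): boolean {
  return role.security === "all";
}

// Expected behaviour: every entry point (alerts table, case view, direct API
// call) passes the same gate, so a hidden menu item is never the only control.
function updateAlertStatus(role: Role, alert: Alert, next: Status, via: EntryPoint): Outcome {
  if (via === "case" && role.cases === "none") {
    return { allowed: false, status: alert.status, reason: "no access to cases" };
  }
  if (!canWriteAlert(role)) {
    const reason = `security: ${role.security} cannot change alert status (via ${via})`;
    return { allowed: false, status: alert.status, reason };
  }
  alert.status = next;
  return { allowed: true, status: alert.status, reason: `security: all (via ${via})` };
}

// Constructed roles matching the thread: read in Security, all in Cases.
const caseWorker: Role = { name: "case-worker", security: "read", cases: "all" };
const analyst: Role = { name: "analyst", security: "all", cases: "all" };
const newAlert = (): Alert => ({ id: "constructed-alert-1", status: "open" });

const runs: Outcome[] = [
  updateFromCaseAsReported(caseWorker, newAlert(), "closed"),
  updateAlertStatus(caseWorker, newAlert(), "closed", "case"),
  updateAlertStatus(caseWorker, newAlert(), "closed", "api"),
  updateAlertStatus(analyst, newAlert(), "closed", "case"),
];
for (const o of runs) console.log(o.allowed, o.status, o.reason);
```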
Describe the bug
Read User for Security able to update Alert Status
Build Details
Pre-Condition
Steps
Additional Observation
Expected Result
User should not be able to update alert status from case with read privilege
Screen-Cast
update-alert-status.mp4