Add "Space management" feature

[kobelb]

Currently, the ability to manage spaces is only granted with the "All" base privileges, and must be granted at all spaces. This isn't obvious, and it also is limiting because you can't create a role which can only manage spaces or manage a subset of spaces.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[legrego]

A couple of thoughts/notes for future me, or whoever picks this up:

To enable the feature control toggles, Spaces management currently requires access to /api/features, which is granted to the "Global all" privilege. We originally designed it this way because we didn't want under-privileged users to be able to enumerate all of the registered Kibana features.

In order to introduce a "Space management" feature, we will probably need to relax this restriction, or enhance that API endpoint to only return a subset of features based on the current user's privileges.
Of these two, my vote is the former, although this poses another design challenge because we will be allowing users to toggle visibility for features they themselves don't have access to...

An alternative is to prevent features from being toggled/viewed unless the user has access to all features. If we take this route, then the user will only be able to customize the space description and avatar. This means that a user effectively needs "space all" in order to manage the space to its full capacity, which perhaps reduces the usefulness of having a separate feature.

---

When creating a role that can manage spaces, we will have the following scenarios:

1. Granting "Global all" will allow the user to create/update/delete any space, just as they can today.
2. Otherwise, you're granting "Space management" to a predefined set of existing spaces, so this will allow the user to update/delete any of those spaces, but will not allow creation.
3. What does it mean to grant the "Space management: read" privilege? They'll see the spaces management screen for the spaces they're authorized to manage, but they presumably won't be able to do anything?

---

BWC: This new feature will need to be excluded from the existing space base privileges, because we don't want to grant this to existing users with "space: all". However, we still need to grant access to users with "Global all".

[erwin-willemsen]

I am very interested in this solution, because I want certain users to be able to manage Spaces within Kibana management, but do not have any other possibilities within Kibana management. The role "kibana_admin" has to much authorizations for this group of users.

[legrego]

I am very interested in this solution, because I want certain users to be able to manage Spaces within Kibana management, but do not have any other possibilities within Kibana management. The role "kibana_admin" has to much authorizations for this group of users.

Thanks @erwin-willemsen, we appreciate the feedback. For your situation, would you want your users to be able to manage all spaces (including the ability to create new spaces), or should they only be able to manage a subset of spaces (presumably spaces which already exist)?

[erwin-willemsen]

Dear Larry, I would like for my users (a specific group) to be able to manage all spaces, including the ability to create new spaces and delete deprecated ones, but nothing else within Kibana - Management. Kind regards/Met vriendelijke groet, Erwin Willemsen consultant <mailto:roos.groen@enable-u.nl>+31 (0) 6 11 85 53 50 [http://images.enable-u.com/images/logo%20Enable%20U.png] From: Larry Gregory <notifications@github.com> Sent: dinsdag 8 september 2020 12:44 To: elastic/kibana <kibana@noreply.github.com> Cc: Erwin Willemsen <erwin.willemsen@enable-u.com>; Mention <mention@noreply.github.com> Subject: Re: [elastic/kibana] Add "Space management" feature (#51759) I am very interested in this solution, because I want certain users to be able to manage Spaces within Kibana management, but do not have any other possibilities within Kibana management. The role "kibana_admin" has to much authorizations for this group of users. Thanks @erwin-willemsen<https://github.com/erwin-willemsen>, we appreciate the feedback. For your situation, would you want your users to be able to manage all spaces (including the ability to create new spaces), or should they only be able to manage a subset of spaces (presumably spaces which already exist)? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#51759 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ANLEQOS3YGLDTKYZPG6NWHDSEYDGVANCNFSM4JR3XF7A>. == This message is confidential. It may also be privileged or otherwise protected by work product immunity or other legal rules. If you have received it by mistake, please let us know by e-mail reply and delete it from your system; you may not copy this message or disclose its contents to anyone. The integrity and security of this message cannot be guaranteed on the Internet. Enable-U, Asterweg 19D11, 1031 HL Amsterdam, www.enable-u.com<http://www.enable-u.com/>