[RAC] RBAC around rules/alerts in Observability/Security Solutions #97124

Closed
XavierM opened this issue Apr 14, 2021 · 3 comments
Labels
Feature:RAC label obsolete Team:Threat Hunting Security Solution Threat Hunting Team Theme: rac label obsolete v7.14.0

Comments

@XavierM (Contributor) commented Apr 14, 2021

We would like to explain how RBAC will work for the rules and alerts in the observability and security solutions. We want to make sure that we all have the same expectations around RBAC. We do not think this work is trivial, and we need to make decisions now and be in agreement so that this work is not going to be in jeopardy for the 7.14 release.

Let's start by observability since it is simpler.

Observability

image

Logs, Metrics, APM and Uptime will allow CRUD on rules and alerts through the Kibana privileges that already exist for these solutions. Observability solutions are already managing the creation of rules through their Kibana privileges. Only the rules that the user has access to will show up in the Stack Management rules section.

The caveat here is that if you have all of these solutions set to none, you won't see the alerts either. It also means that we will create multiple indices like .alerts-observability-logs*, .alerts-observability-metrics*, .alerts-observability-apm* and .alerts-observability-uptime*.

Security solutions

We are going to change our global siem Kibana privilege to three new ones, like below:

image

Cases and timelines are straightforward to us at this point. We are going to deprecate the 'siem' privilege and create a migration from our old siem privilege to the three new ones.

Let's talk about the Rules & Alerts privilege; this one will allow us to add sub-feature privileges around our rules and alerts to match our security workflow:

  • we can have a read user who can activate a rule but cannot modify the rule
  • we can have a read user who will be able to update the status of an alert
  • we can have a read user who can CRUD exceptions
  • we can have a read user who can add actions on rules
  • etc.

For 7.14, we won't have any sub-features, but at least this shows our thinking about it and will let us brainstorm and collaborate.

@XavierM XavierM added v7.14.0 Theme: rac label obsolete Feature:RAC label obsolete labels Apr 14, 2021
@cyrille-leclerc (Contributor) commented:

FYI, the Elastic built-in role "apm_user" uses permissions based on the source data rather than on the visualisation application:

image

@asnehalb asnehalb added the Team:Threat Hunting Security Solution Threat Hunting Team label May 3, 2021
@elasticmachine (Contributor) commented:

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@yctercero (Contributor) commented:

FYI - this is how we would like the split to look in the UI. It allows giving users read access to rules, and write access to alerts if need be.

image
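To make the proposed model concrete, here is an added Python sketch (not Kibana code, and not from anyone in this thread) of the authorization rules described in the issue body and in the read-rules/write-alerts split above: per-solution Observability privileges gate which .alerts-observability-* index a user can see, and a read user of the Security "Rules & Alerts" feature can only do what an explicitly granted sub-feature allows. The feature id security_rules_alerts and the sub-feature names are assumptions, since the issue names no identifiers.

```python
from dataclasses import dataclass
from enum import Enum

class Privilege(Enum):
    NONE = "none"
    READ = "read"
    ALL = "all"

# Observability solutions named in the issue -> the per-solution alert index
# pattern the issue proposes to create for each.
OBSERVABILITY_ALERT_INDICES = {
    "logs": ".alerts-observability-logs*",
    "metrics": ".alerts-observability-metrics*",
    "apm": ".alerts-observability-apm*",
    "uptime": ".alerts-observability-uptime*",
}

# Hypothetical names for the sub-feature grants the issue says a *read* user
# of Security "Rules & Alerts" could hold (the issue names no identifiers).
SECURITY_READ_SUBFEATURES = {
    "activate_rule",        # enable a rule without being able to edit it
    "update_alert_status",  # change an alert's workflow status
    "crud_exceptions",      # manage exception items
    "add_rule_actions",     # attach actions to a rule
}

@dataclass
class User:
    name: str
    features: dict                         # Kibana feature id -> Privilege
    security_sub: frozenset = frozenset()  # granted sub-feature names

def readable_alert_indices(user):
    """Alert indices visible to the user: one per Observability solution on
    which they hold at least read; a feature absent from the user's grants
    counts as NONE, and all four at NONE means no alerts at all."""
    return [idx for feat, idx in OBSERVABILITY_ALERT_INDICES.items()
            if user.features.get(feat, Privilege.NONE) is not Privilege.NONE]

def security_authorized(user, action):
    """ALL may do anything; READ may read plus any granted sub-feature; NONE
    may do nothing. 'security_rules_alerts' is an assumed feature id."""
    level = user.features.get("security_rules_alerts", Privilege.NONE)
    if level is Privilege.NONE:
        return False
    if level is Privilege.ALL or action in ("read_rules", "read_alerts"):
        return True
    return action in SECURITY_READ_SUBFEATURES and action in user.security_sub
```

A useful property to check against such a model is that no combination of read plus sub-feature grants ever reaches an action that only ALL should have, such as editing a rule.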
