[Security Solution] Endpoint RBAC integration with AppFeatures architecture

config/serverless.security.yml

@@ -8,7 +8,11 @@ xpack.uptime.enabled: false
 
 ## Enable the Serverless Security plugin
 xpack.serverless.security.enabled: true
-xpack.serverless.security.productTypes: [{ product_line: 'security', product_tier: 'complete' }]
+xpack.serverless.security.productTypes:
+  [
+    { product_line: 'security', product_tier: 'complete' },
+    { product_line: 'endpoint', product_tier: 'complete' },
+  ]
 
 ## Set the home route
 uiSettings.overrides.defaultRoute: /app/security/get_started

x-pack/plugins/fleet/common/constants/authz.ts

@@ -72,6 +72,18 @@ export const ENDPOINT_PRIVILEGES: Record<string, PrivilegeMapObject> = deepFreez
     privilegeType: 'api',
     privilegeName: 'readHostIsolationExceptions',
   },
+  accessHostIsolationExceptions: {
+    appId: DEFAULT_APP_CATEGORIES.security.id,
+    privilegeSplit: '-',
+    privilegeType: 'api',
+    privilegeName: 'accessHostIsolationExceptions',
+  },
+  deleteHostIsolationExceptions: {
+    appId: DEFAULT_APP_CATEGORIES.security.id,
+    privilegeSplit: '-',
+    privilegeType: 'api',
+    privilegeName: 'deleteHostIsolationExceptions',
+  },
   writeBlocklist: {
     appId: DEFAULT_APP_CATEGORIES.security.id,
     privilegeSplit: '-',
@@ -126,6 +138,12 @@ export const ENDPOINT_PRIVILEGES: Record<string, PrivilegeMapObject> = deepFreez
     privilegeType: 'api',
     privilegeName: 'writeHostIsolation',
   },
+  writeHostIsolationRelease: {
+    appId: DEFAULT_APP_CATEGORIES.security.id,
+    privilegeSplit: '-',
+    privilegeType: 'api',
+    privilegeName: 'writeHostIsolationRelease',
+  },
   writeProcessOperations: {
     appId: DEFAULT_APP_CATEGORIES.security.id,
     privilegeSplit: '-',

x-pack/plugins/security_solution/common/endpoint/service/authz/authz.ts

@@ -19,27 +19,12 @@ import type { MaybeImmutable } from '../../types';
  * level, use `calculateEndpointAuthz()`
  *
  * @param fleetAuthz
- * @param isEndpointRbacEnabled
- * @param isSuperuser
  * @param privilege
  */
 export function hasKibanaPrivilege(
   fleetAuthz: FleetAuthz,
-  isEndpointRbacEnabled: boolean,
-  isSuperuser: boolean = false,
   privilege: keyof typeof ENDPOINT_PRIVILEGES
 ): boolean {
-  // user is superuser, always return true
-  if (isSuperuser) {
-    return true;
-  }
-
-  // not superuser and FF not enabled, no access
-  if (!isEndpointRbacEnabled) {
-    return false;
-  }
-
-  // FF enabled, access based on privileges
   return fleetAuthz.packagePrivileges?.endpoint?.actions[privilege].executePackageAction ?? false;
 }
 
@@ -50,181 +35,58 @@ export function hasKibanaPrivilege(
  * @param licenseService
  * @param fleetAuthz
  * @param userRoles
- * @param isEndpointRbacEnabled
- * @param permissions
- * @param hasHostIsolationExceptionsItems if set to `true`, then Host Isolation Exceptions related authz properties
- * may be adjusted to account for a license downgrade scenario
  */
-
-// eslint-disable-next-line complexity
 export const calculateEndpointAuthz = (
   licenseService: LicenseService,
   fleetAuthz: FleetAuthz,
-  userRoles: MaybeImmutable<string[]> = [],
-  isEndpointRbacEnabled: boolean = false,
-  hasHostIsolationExceptionsItems: boolean = false
+  userRoles: MaybeImmutable<string[]> = []
 ): EndpointAuthz => {
   const isPlatinumPlusLicense = licenseService.isPlatinumPlus();
   const isEnterpriseLicense = licenseService.isEnterprise();
   const hasEndpointManagementAccess = userRoles.includes('superuser');
 
-  const canWriteSecuritySolution = hasKibanaPrivilege(
-    fleetAuthz,
-    true,
-    hasEndpointManagementAccess,
-    'writeSecuritySolution'
-  );
-  const canReadSecuritySolution =
-    canWriteSecuritySolution ||
-    hasKibanaPrivilege(fleetAuthz, true, hasEndpointManagementAccess, 'readSecuritySolution');
-  const canWriteEndpointList = hasKibanaPrivilege(
-    fleetAuthz,
-    isEndpointRbacEnabled,
-    hasEndpointManagementAccess,
-    'writeEndpointList'
-  );
-  const canReadEndpointList =
-    canWriteEndpointList ||
-    hasKibanaPrivilege(
-      fleetAuthz,
-      isEndpointRbacEnabled,
-      hasEndpointManagementAccess,
-      'readEndpointList'
-    );
-  const canWritePolicyManagement = hasKibanaPrivilege(
-    fleetAuthz,
-    isEndpointRbacEnabled,
-    hasEndpointManagementAccess,
-    'writePolicyManagement'
-  );
-  const canReadPolicyManagement =
-    canWritePolicyManagement ||
-    hasKibanaPrivilege(
-      fleetAuthz,
-      isEndpointRbacEnabled,
-      hasEndpointManagementAccess,
-      'readPolicyManagement'
-    );
-  const canWriteActionsLogManagement = hasKibanaPrivilege(
+  const canWriteSecuritySolution = hasKibanaPrivilege(fleetAuthz, 'writeSecuritySolution');
+  const canReadSecuritySolution = hasKibanaPrivilege(fleetAuthz, 'readSecuritySolution');
+  const canWriteEndpointList = hasKibanaPrivilege(fleetAuthz, 'writeEndpointList');
+  const canReadEndpointList = hasKibanaPrivilege(fleetAuthz, 'readEndpointList');
+  const canWritePolicyManagement = hasKibanaPrivilege(fleetAuthz, 'writePolicyManagement');
+  const canReadPolicyManagement = hasKibanaPrivilege(fleetAuthz, 'readPolicyManagement');
+  const canWriteActionsLogManagement = hasKibanaPrivilege(fleetAuthz, 'writeActionsLogManagement');
+  const canReadActionsLogManagement = hasKibanaPrivilege(fleetAuthz, 'readActionsLogManagement');
+  const canIsolateHost = hasKibanaPrivilege(fleetAuthz, 'writeHostIsolation');
+  const canUnIsolateHost = hasKibanaPrivilege(fleetAuthz, 'writeHostIsolationRelease');
+  const canWriteProcessOperations = hasKibanaPrivilege(fleetAuthz, 'writeProcessOperations');
+  const canWriteTrustedApplications = hasKibanaPrivilege(fleetAuthz, 'writeTrustedApplications');
+  const canReadTrustedApplications = hasKibanaPrivilege(fleetAuthz, 'readTrustedApplications');
+  const canWriteHostIsolationExceptions = hasKibanaPrivilege(
     fleetAuthz,
-    isEndpointRbacEnabled,
-    hasEndpointManagementAccess,
-    'writeActionsLogManagement'
-  );
-  const canReadActionsLogManagement =
-    canWriteActionsLogManagement ||
-    hasKibanaPrivilege(
-      fleetAuthz,
-      isEndpointRbacEnabled,
-      hasEndpointManagementAccess,
-      'readActionsLogManagement'
-    );
-  const canIsolateHost = hasKibanaPrivilege(
-    fleetAuthz,
-    isEndpointRbacEnabled,
-    hasEndpointManagementAccess,
-    'writeHostIsolation'
-  );
-  const canWriteProcessOperations = hasKibanaPrivilege(
-    fleetAuthz,
-    isEndpointRbacEnabled,
-    hasEndpointManagementAccess,
-    'writeProcessOperations'
-  );
-  const canWriteTrustedApplications = hasKibanaPrivilege(
-    fleetAuthz,
-    isEndpointRbacEnabled,
-    hasEndpointManagementAccess,
-    'writeTrustedApplications'
-  );
-  const canReadTrustedApplications =
-    canWriteTrustedApplications ||
-    hasKibanaPrivilege(
-      fleetAuthz,
-      isEndpointRbacEnabled,
-      hasEndpointManagementAccess,
-      'readTrustedApplications'
-    );
-
-  const hasWriteHostIsolationExceptionsPermission = hasKibanaPrivilege(
-    fleetAuthz,
-    isEndpointRbacEnabled,
-    hasEndpointManagementAccess,
     'writeHostIsolationExceptions'
   );
-  const canWriteHostIsolationExceptions =
-    hasWriteHostIsolationExceptionsPermission && isPlatinumPlusLicense;
-
-  const hasReadHostIsolationExceptionsPermission =
-    hasWriteHostIsolationExceptionsPermission ||
-    hasKibanaPrivilege(
-      fleetAuthz,
-      isEndpointRbacEnabled,
-      hasEndpointManagementAccess,
-      'readHostIsolationExceptions'
-    );
-  // Calculate the Host Isolation Exceptions Authz. Some of these authz properties could be
-  // set to `true` in cases where license was downgraded, but entries still exist.
-  const canReadHostIsolationExceptions =
-    canWriteHostIsolationExceptions ||
-    (hasReadHostIsolationExceptionsPermission &&
-      // We still allow `read` if not Platinum license, but entries exists for HIE
-      (isPlatinumPlusLicense || hasHostIsolationExceptionsItems));
-
-  const canDeleteHostIsolationExceptions =
-    canWriteHostIsolationExceptions ||
-    // Should be able to delete if host isolation exceptions exists and license is not platinum+
-    (hasWriteHostIsolationExceptionsPermission &&
-      !isPlatinumPlusLicense &&
-      hasHostIsolationExceptionsItems);
-
-  const canWriteBlocklist = hasKibanaPrivilege(
+  const canReadHostIsolationExceptions = hasKibanaPrivilege(
     fleetAuthz,
-    isEndpointRbacEnabled,
-    hasEndpointManagementAccess,
-    'writeBlocklist'
+    'readHostIsolationExceptions'
   );
-  const canReadBlocklist =
-    canWriteBlocklist ||
-    hasKibanaPrivilege(
-      fleetAuthz,
-      isEndpointRbacEnabled,
-      hasEndpointManagementAccess,
-      'readBlocklist'
-    );
-  const canWriteEventFilters = hasKibanaPrivilege(
+  const canAccessHostIsolationExceptions = hasKibanaPrivilege(
     fleetAuthz,
-    isEndpointRbacEnabled,
-    hasEndpointManagementAccess,
-    'writeEventFilters'
+    'accessHostIsolationExceptions'
   );
-  const canReadEventFilters =
-    canWriteEventFilters ||
-    hasKibanaPrivilege(
-      fleetAuthz,
-      isEndpointRbacEnabled,
-      hasEndpointManagementAccess,
-      'readEventFilters'
-    );
-  const canWriteFileOperations = hasKibanaPrivilege(
+  const canDeleteHostIsolationExceptions = hasKibanaPrivilege(
     fleetAuthz,
-    isEndpointRbacEnabled,
-    hasEndpointManagementAccess,
-    'writeFileOperations'
+    'deleteHostIsolationExceptions'
   );
+  const canWriteBlocklist = hasKibanaPrivilege(fleetAuthz, 'writeBlocklist');
+  const canReadBlocklist = hasKibanaPrivilege(fleetAuthz, 'readBlocklist');
+  const canWriteEventFilters = hasKibanaPrivilege(fleetAuthz, 'writeEventFilters');
+  const canReadEventFilters = hasKibanaPrivilege(fleetAuthz, 'readEventFilters');
+  const canWriteFileOperations = hasKibanaPrivilege(fleetAuthz, 'writeFileOperations');
 
-  const canWriteExecuteOperations = hasKibanaPrivilege(
-    fleetAuthz,
-    isEndpointRbacEnabled,
-    hasEndpointManagementAccess,
-    'writeExecuteOperations'
-  );
+  const canWriteExecuteOperations = hasKibanaPrivilege(fleetAuthz, 'writeExecuteOperations');
 
   return {
     canWriteSecuritySolution,
     canReadSecuritySolution,
-    canAccessFleet: fleetAuthz?.fleet.all ?? userRoles.includes('superuser'),
-    canAccessEndpointManagement: hasEndpointManagementAccess,
+    canAccessFleet: fleetAuthz?.fleet.all ?? false,
+    canAccessEndpointManagement: hasEndpointManagementAccess, // TODO: is this one deprecated? it is the only place we need to check for superuser.
     canCreateArtifactsByPolicy: isPlatinumPlusLicense,
     canWriteEndpointList,
     canReadEndpointList,
@@ -235,13 +97,14 @@ export const calculateEndpointAuthz = (
     canAccessEndpointActionsLogManagement: canReadActionsLogManagement && isPlatinumPlusLicense,
     // Response Actions
     canIsolateHost: canIsolateHost && isPlatinumPlusLicense,
-    canUnIsolateHost: canIsolateHost,
+    canUnIsolateHost,
     canKillProcess: canWriteProcessOperations && isEnterpriseLicense,
     canSuspendProcess: canWriteProcessOperations && isEnterpriseLicense,
     canGetRunningProcesses: canWriteProcessOperations && isEnterpriseLicense,
     canAccessResponseConsole:
       isEnterpriseLicense &&
       (canIsolateHost ||
+        canUnIsolateHost ||
         canWriteProcessOperations ||
         canWriteFileOperations ||
         canWriteExecuteOperations),
@@ -250,7 +113,8 @@ export const calculateEndpointAuthz = (
     // artifacts
     canWriteTrustedApplications,
     canReadTrustedApplications,
-    canWriteHostIsolationExceptions,
+    canWriteHostIsolationExceptions: canWriteHostIsolationExceptions && isPlatinumPlusLicense,
+    canAccessHostIsolationExceptions: canAccessHostIsolationExceptions && isPlatinumPlusLicense,
     canReadHostIsolationExceptions,
     canDeleteHostIsolationExceptions,
     canWriteBlocklist,
@@ -275,7 +139,7 @@ export const getEndpointAuthzInitialState = (): EndpointAuthz => {
     canWriteActionsLogManagement: false,
     canReadActionsLogManagement: false,
     canIsolateHost: false,
-    canUnIsolateHost: true,
+    canUnIsolateHost: false,
     canKillProcess: false,
     canSuspendProcess: false,
     canGetRunningProcesses: false,
@@ -285,6 +149,7 @@ export const getEndpointAuthzInitialState = (): EndpointAuthz => {
     canWriteTrustedApplications: false,
     canReadTrustedApplications: false,
     canWriteHostIsolationExceptions: false,
+    canAccessHostIsolationExceptions: false,
     canReadHostIsolationExceptions: false,
     canDeleteHostIsolationExceptions: false,
     canWriteBlocklist: false,

x-pack/plugins/security_solution/common/endpoint/service/authz/mocks.ts

@@ -20,8 +20,6 @@ export const getEndpointAuthzInitialStateMock = (
 
       return mockPrivileges;
     }, {} as EndpointAuthz),
-    // this one is currently treated special in that everyone can un-isolate
-    canUnIsolateHost: true,
     ...overrides,
   };
 

x-pack/plugins/security_solution/common/endpoint/service/response_actions/constants.ts

@@ -63,6 +63,7 @@ export type ConsoleResponseActionCommands = typeof CONSOLE_RESPONSE_ACTION_COMMA
 
 export type ResponseConsoleRbacControls =
   | 'writeHostIsolation'
+  | 'writeHostIsolationRelease'
   | 'writeProcessOperations'
   | 'writeFileOperations'
   | 'writeExecuteOperations';
@@ -75,7 +76,7 @@ export const RESPONSE_CONSOLE_ACTION_COMMANDS_TO_RBAC_FEATURE_CONTROL: Record<
   ResponseConsoleRbacControls
 > = Object.freeze({
   isolate: 'writeHostIsolation',
-  release: 'writeHostIsolation',
+  release: 'writeHostIsolationRelease',
   'kill-process': 'writeProcessOperations',
   'suspend-process': 'writeProcessOperations',
   processes: 'writeProcessOperations',

x-pack/plugins/security_solution/common/endpoint/types/authz.ts

@@ -58,6 +58,12 @@ export interface EndpointAuthz {
   canWriteHostIsolationExceptions: boolean;
   /** if user has read permissions for host isolation exceptions */
   canReadHostIsolationExceptions: boolean;
+  /**
+   * if user has permissions to access host isolation exceptions. This could be set to false, while
+   * `canReadHostIsolationExceptions` is true in cases where the license might have been downgraded.
+   * It is used to show the UI elements that allow users to navigate to the host isolation exceptions.
+   */
+  canAccessHostIsolationExceptions: boolean;
   /**
    * if user has permissions to delete host isolation exceptions. This could be set to true, while
    * `canWriteHostIsolationExceptions` is false in cases where the license might have been downgraded.

x-pack/plugins/security_solution/common/types/app_features.ts

@@ -10,6 +10,14 @@ export enum AppFeatureSecurityKey {
    * Enables Advanced Insights (Entity Risk, GenAI)
    */
   advancedInsights = 'advanced_insights',
+  /**
+   * Enables Endpoint Response Actions like isolate host, trusted apps, blocklist, etc.
+   */
+  endpointResponseActions = 'endpoint_response_actions',
+  /**
+   * Enables Endpoint Exceptions like isolate host, trusted apps, blocklist, etc.
+   */
+  endpointExceptions = 'endpoint_exceptions',
 }
 
 export enum AppFeatureCasesKey {