[Security Solution][Detections] Adds list plugin Saved Objects to Security feature privilege

[spong]

Summary

Add's the list plugins Saved Objects (exception-list and exception-list-agnostic) to the Security feature privilege.

Resolves #90715

Test Instructions

Load pre-packaged roles/users, and ensure only those with the Kibana Space privilege Security:All have the ability to create/edit rules and exception lists (space-aware/agnostic). Users with Security:Read should only be able to view rules/exception lists. Pre-packaged security roles should no longer be granted the Saved Objects Management feature privilege, and this feature privilege should no longer be required to use any of the Detections features.

To add test users:

t1_analyst ("siem": ["read"]):

cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/
./roles_users/t1_analyst/post_detections_role.sh roles_users/t1_analyst/detections_role.json
./roles_users/t1_analyst/post_detections_user.sh roles_users/t1_analyst/detections_user.json

hunter ("siem": ["all"]):

cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/
./roles_users/t1_analyst/post_detections_role.sh roles_users/hunter/detections_role.json
./roles_users/t1_analyst/post_detections_user.sh roles_users/hunter/detections_user.json

Note: Be sure to remove these users after testing if using a public cluster.

Checklist

Delete any items that are not applicable to this PR.

• Documentation was added for features that require explanation or tutorials -- docs label added, will work with @jmikell821 on doc changes
• Unit or functional tests were updated or added to match the most common scenarios

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[dhurley14]

Do we want to target 7.11.1 with this change too?

[dhurley14]

LGTM! thanks for the quick fix here :)

[spong]

Do we want to target 7.11.1 with this change too?

@dhurley14, just checked with a few folks on making plugin registration changes like this in a patch release and it was noted that there aren't versioned docs for patch releases and could make for some trouble in the difference in documentation between 7.11.0/7.11.1. So going to just target 7.12, and we can update the documentation for that release going forward.

[spong]

@jmikell821, I don't think we currently call out the necessary Kibana Space Privileges in our docs? With this PR those will change (no longer needing Saved Objects Management). Perhaps we can have a section in the detections pre-req docs that detail the the different permutations used within the Security app? Happy to sync on getting those together, just ping me 🙂.

[jmikell821]

@jmikell821, I don't think we currently call out the necessary Kibana Space Privileges in our docs? With this PR those will change (no longer needing Saved Objects Management). Perhaps we can have a section in the detections pre-req docs that detail the the different permutations used within the Security app? Happy to sync on getting those together, just ping me 🙂.

Hi @spong here's what we say about Kibana Space privileges in the Security docs:

To use Elastic Security, you must have at least:
Read privilege for the Security feature in the Kibana space (see Spaces).
Read and view_index_metadata privileges for all Elastic Security indices, such as filebeat-, packetbeat-, logs-, and endgame- indices.

I'd like to make sure all the listed permissions are correct for 7.12 and that we don't have any missing.

[spong]

Hi @spong here's what we say about Kibana Space privileges in the Security docs:

To use Elastic Security, you must have at least:
Read privilege for the Security feature in the Kibana space (see Spaces).
Read and view_index_metadata privileges for all Elastic Security indices, such as filebeat-, packetbeat-, logs-, and endgame- indices.

I'd like to make sure all the listed permissions are correct for 7.12 and that we don't have any missing.

++, sounds good @jmikell821! We'll need to add details around the Actions and Connectors and Stack Alerts feature privileges to round out our documentation (asking for more information on the intricacies between the two from the alerting team now :).

[spong]

@elasticmachine merge upstream

[spong]

@elasticmachine merge upstream

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: d3d1f96

Metrics [docs]

✅ unchanged

History

• 💚 Build #105858 succeeded 3e15d7f
• 💔 Build #105784 failed f455eb0
• 💚 Build #105454 succeeded 86fc1f6

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[kibanamachine]

Backport result

{"level":"info","message":"POST https://api.github.com/graphql (status: 200)"}
{"level":"info","message":"POST https://api.github.com/graphql (status: 200)"}
{"meta":{"labels":["Feature:Detection Rules","Feature:Rule Exceptions","Team: SecuritySolution","Team:Detections and Resp","auto-backport","bug","docs","release_note:skip","v7.12.0","v8.0.0"],"branchLabelMapping":{"^v8.0.0$":"master","^v7.12.0$":"7.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"},"existingTargetPullRequests":[]},"level":"info","message":"Inputs when calculating target branches:"}
{"meta":["7.x"],"level":"info","message":"Target branches inferred from labels:"}
{"meta":{"killed":false,"code":2,"signal":null,"cmd":"git remote rm kibanamachine","stdout":"","stderr":"error: No such remote: 'kibanamachine'\n"},"level":"info","message":"exec error 'git remote rm kibanamachine':"}
{"meta":{"killed":false,"code":2,"signal":null,"cmd":"git remote rm elastic","stdout":"","stderr":"error: No such remote: 'elastic'\n"},"level":"info","message":"exec error 'git remote rm elastic':"}
{"level":"info","message":"Backporting [{\"sourceBranch\":\"master\",\"targetBranchesFromLabels\":[\"7.x\"],\"sha\":\"b11b8b8c9b69bc0bb2c54f388d7bbae0737c297b\",\"formattedMessage\":\"[Security Solution][Detections] Adds list plugin Saved Objects to Security feature privilege (#90895)\",\"originalMessage\":\"[Security Solution][Detections] Adds list plugin Saved Objects to Security feature privilege (#90895)\\n\\n## Summary\\r\\n\\r\\nAdd's the list plugins Saved Objects (`exception-list` and `exception-list-agnostic`) to the `Security` feature privilege.\\r\\n\\r\\nResolves https://github.com/elastic/kibana/issues/90715\\r\\n\\r\\n### Test Instructions\\r\\nLoad pre-packaged roles/users, and ensure only those with the Kibana Space privilege `Security:All` have the ability to create/edit rules and exception lists (space-aware/agnostic). Users with `Security:Read` should only be able to view rules/exception lists. Pre-packaged security roles should no longer be granted the `Saved Objects Management` feature privilege, and this feature privilege should no longer be required to use any of the Detections features.\\r\\n\\r\\nTo add test users:\\r\\n\\r\\nt1_analyst (`\\\"siem\\\": [\\\"read\\\"]`):\\r\\n``` bash\\r\\ncd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/\\r\\n./roles_users/t1_analyst/post_detections_role.sh roles_users/t1_analyst/detections_role.json\\r\\n./roles_users/t1_analyst/post_detections_user.sh roles_users/t1_analyst/detections_user.json\\r\\n```\\r\\n\\r\\nhunter (`\\\"siem\\\": [\\\"all\\\"]`):\\r\\n``` bash\\r\\ncd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/\\r\\n./roles_users/t1_analyst/post_detections_role.sh roles_users/hunter/detections_role.json\\r\\n./roles_users/t1_analyst/post_detections_user.sh roles_users/hunter/detections_user.json\\r\\n```\\r\\n\\r\\nNote: Be sure to remove these users after testing if using a public cluster.\\r\\n\\r\\n### Checklist\\r\\n\\r\\nDelete any items that are not applicable to this PR.\\r\\n\\r\\n- [X] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials -- `docs` label added, will work with @jmikell821 on doc changes\\r\\n- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios\",\"pullNumber\":90895,\"existingTargetPullRequests\":[]}] to 7.x"}

Backporting to 7.x:
{"level":"info","message":"Backporting via filesystem"}
{"level":"info","message":"Creating PR with title: \"[7.x] [Security Solution][Detections] Adds list plugin Saved Objects to Security feature privilege (#90895)\". kibanamachine:backport/7.x/pr-90895 -> 7.x"}
{"level":"info","message":"POST /repos/elastic/kibana/pulls - 201 in 1133ms"}
{"level":"info","message":"Adding assignees to #91075: spong"}
{"level":"info","message":"POST /repos/elastic/kibana/issues/91075/assignees - 201 in 504ms"}
{"level":"info","message":"Adding labels: backport"}
{"level":"info","message":"POST /repos/elastic/kibana/issues/91075/labels - 200 in 382ms"}
View pull request: https://github.com/elastic/kibana/pull/91075