search

elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana
Other
19.8k stars 8.19k forks source link

[Security Solution] "No Data" screen is displayed when a user has missing privileges #114960

Open xcrzx opened 3 years ago

xcrzx commented 3 years ago

Description

Users with insufficient privileges to use Security Solution see welcome screen with a call to add more data instead of the insufficient privileges callout. That could confuse some users as data is already there, but it is not visible due to a lack of the required privileges.

Steps to reproduce

  1. Create a role with the following privileges: sec-admin-user
  2. Log in as a user with the created role to Kibana
  3. Navigate to Security > Overview

Current behavior

Welcome screen is displayed with a call to add data:

*It seems like the empty screen is being shown because the user doesn't have privileges to `.log-` indices.**

Expected behavior

A clear message to the user that they do not have the required read privilege for the .log-* indices to access Security Solution. Something similar to the following callout:

elasticmachine commented 3 years ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 3 years ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

banderror commented 3 years ago

Should be fixed in https://github.com/elastic/kibana/pull/115016 🙌

xcrzx commented 3 years ago

Should be fixed in #115016 🙌

We will still have inconsistent UI when users don't have privileges to read from filebeat-*, packetbeat-*, logs-*, and endgame-* indices:

Page What is displayed
Overview ⚠️ Add Data screen
Alerts Fully accessible
Rules Fully accessible
Exceptions Fully accessible
Hosts ⚠️ Add Data screen
Network ⚠️ Add Data screen
Timelines ⚠️ Add Data screen
Endpoints No privileges message
Trusted Applications No privileges message
Event Filters No privileges message
Host Isolation Exceptions No privileges message

In my opinion, we should not show the Add Data screen to users with insufficient privileges as that will mislead them. They would not solve their access issues by adding data as there is already data in indices. Instead, we should communicate what is wrong with their privileges and how to set them up properly. But this is more of a product question. @jethr0null, could you please provide your input on what we should display to users in that case?

jethr0null commented 2 years ago

@xcrzx your proposal to make the experience consistent (showing the no privileges message) makes sense to me. That said, I am not able to speak to any design conventions we might have in place (nor do I focus on those specific UIs from a PM perspective) so I'll loop a few folks in to confirm that the guidance/feedback I'm providing is sound.

@paulewing does the proposed path forward make sense to you? @yiyangliu9286 are there any design conventions that we should be aware of as we consider this change?

cchaos commented 2 years ago

I think this has more to do with the new "No data" logic check that was implemented for the interstitial screen. If there truly is data, but the user has no access to it, then likely it can bypass the "No data" screen to the final page where the original callout occurs (at least as a quick fix). cc @kevinlog as you implemented this new logic check.

But if a user has no access at all, I'm not sure there's much point in sending them all the way to the content page with a dismissable message. Likely design could help with consistent messaging/UI to present these types of screens across the entire soution.

kevinlog commented 2 years ago

spoke with @yctercero offline.

In a previous conversation with @xcrzx , I asked if this was a regression introduced by the new Data Screen and he said he didn't think it was.

I wouldn't expect the new Add Data screen to change existing behavior as it is still shown based on Sourcerer and the indicesExist check.

For instance, here's the logic on the Network page: https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/public/network/pages/network.tsx#L155

Let me know of any questions or clarifications needed!

yctercero commented 2 years ago

@kevinlog thanks so much!

We're taking it on and taking it as an opportunity to audit the UX around these privileges.

pborgonovi commented 2 months ago

On latest 8.15 BC:

Created the following role and had a new user assigned to it:

image

Upon login and launching Security app:

https://github.com/user-attachments/assets/18ecb483-3ef8-4e11-b7b2-9dc81f59d5ed

yctercero commented 2 weeks ago

@ARWNightingale is working on designs for updated privileges for exceptions, rules, alerts. Can we wrap this ticket into that effort? https://github.com/elastic/security-team/issues/10405

cc @approksiu