Open yctercero opened 2 years ago
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/response-ops (Team:ResponseOps)
@joepeeples @nastasha-solomon pinging to see if you think it's worth documenting for detections users.
Chatting with @mikecote - this is expected behavior that matches that of the saved object management import in that a user with Saved Object Management `all` and Actions `none` can still import rules with actions. There is a blurb about it in the Saved Object docs - https://www.elastic.co/guide/en/kibana/current/managing-saved-objects.html#_required_permissions_6
NOTE: Granting access to Saved Objects Management will authorize users to manage all saved objects in Kibana, including objects that are managed by applications they may not otherwise be authorized to access.
Thought I'd just point it out as QA had pinged us about it as a bug.
@yctercero I think it's a good call to document these priv combinations and their outcomes. We definitely don't want ambiguous or incorrect priv docs to be the thing that stops users from actually being able to use our products/features.
Also, are there specific priv requirements for exporting rules with and without actions?
@nastasha-solomon
I believe that for export you need Security Solution `all` but no specific actions privileges. May need to test that out though to double check.
@yctercero apologies for the late reply.
Looking over these scenarios again, I believe number 2 (`All` Security privs and `All` Saved Objects Management privs) is the only one that's not covered in the Security docs. Numbers 3 and 4 are described in the Enable and access detections table in our Detections prerequisites and requirements topic. Number 1 is also implied in the note--though we could be more clear about the expected result.
If the note isn't descriptive or clear enough, maybe we break it out into a separate table. The new table would cover minimum privs needed to import/export rules with or without actions. Or, it could be more detailed and describe the varying levels of access users would get with certain priv combos. WDYT?
cc: @joepeeples @jmikell821
Issue
Confusion around necessary privileges for actions and connectors and expected behavior.
Cases
1. Security Solution `All`, Actions and connectors `None` --> Cannot interact with actions in detections, can't import rules with actions
2. Security Solution `All`, Actions and connectors `None` AND Saved Objects Management `All` --> Can interact with actions in detections, can import rules with actions
3. Security Solution `All`, Actions and connectors `Read` --> Can interact with actions, import rules with actions, can't create or update connectors
4. Security Solution `All`, Actions and connectors `All` --> Can interact with actions and connectors in detections

Table form

| | import rule + actions | import rule + no actions |
|:--:| :---: | :---: |
| security solution `All`, Actions and Connectors `None` | no | yes |
| security solution `All`, Actions and Connectors `None`, Saved Objects management `All` | yes | yes |
| security solution `All`, Actions and Connectors `Read` | yes | yes |
| security solution `All`, Actions and Connectors `All` | yes | yes |

Summary
This is not intuitive as even QA has reported some of this behavior as a bug though it's expected. Possible actions to take could be to:
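As an added defender-side check (not code from this issue or from Kibana), the helper below classifies Kibana role definitions by the four privilege cases listed above and flags roles that reach actions only through Saved Objects Management. It assumes the role shape returned by `GET /api/security/role` and the feature IDs `siem`, `actions` and `savedObjectsManagement`; the sample roles are constructed.

```python
# Added audit helper; role shape and feature IDs (siem, actions,
# savedObjectsManagement) are assumptions about GET /api/security/role output.
from typing import Dict, List

LEVELS = {"none": 0, "read": 1, "all": 2}

def feature_level(entry: dict, feature: str) -> int:
    """Effective level (0 none, 1 read, 2 all) for one feature in one space entry."""
    # A base privilege of all/read applies to every feature in that space entry.
    base = max((LEVELS[b] for b in entry.get("base") or []), default=0)
    granted = (entry.get("feature") or {}).get(feature, [])
    return max([base] + [LEVELS[g] for g in granted])

def assess(entry: dict) -> Dict[str, bool]:
    """Outcomes from the issue's four cases, for one Kibana space entry of a role."""
    sec = feature_level(entry, "siem")
    act = feature_level(entry, "actions")
    som = feature_level(entry, "savedObjectsManagement")
    actions_reachable = sec == 2 and (act >= 1 or som == 2)
    return {
        "import_rules_without_actions": sec == 2,
        "import_rules_with_actions": actions_reachable,
        "interact_with_actions": actions_reachable,
        "create_or_update_connectors": act == 2,
        # The unintuitive case 2: no Actions privilege, yet SOM All allows the import.
        "actions_via_saved_objects_only": sec == 2 and act == 0 and som == 2,
    }

def audit(roles: List[dict]) -> List[str]:
    """Names of roles that can import rules with actions only via Saved Objects Management."""
    return [
        r["name"]
        for r in roles
        if any(assess(e)["actions_via_saved_objects_only"] for e in r.get("kibana", []))
    ]

# Constructed sample roles mirroring cases 1-4 (not real data).
SAMPLE_ROLES = [
    {"name": "case1", "kibana": [{"feature": {"siem": ["all"]}, "spaces": ["*"]}]},
    {"name": "case2", "kibana": [{"feature": {"siem": ["all"], "savedObjectsManagement": ["all"]}, "spaces": ["*"]}]},
    {"name": "case3", "kibana": [{"feature": {"siem": ["all"], "actions": ["read"]}, "spaces": ["*"]}]},
    {"name": "case4", "kibana": [{"feature": {"siem": ["all"], "actions": ["all"]}, "spaces": ["*"]}]},
]

if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        print(role["name"], assess(role["kibana"][0]))
    print("roles to review:", audit(SAMPLE_ROLES))
```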