elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Serverless, VIEWER cannot use AI Assistant #169695

Closed stephmilovic closed 10 months ago

stephmilovic commented 10 months ago

Describe the bug: VIEWER role cannot use AI Assistant

Not sure if it is supposed to be hidden, we do not think so

elasticmachine commented 10 months ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elasticmachine commented 10 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)

stephmilovic commented 10 months ago

@jamesspi is this a bug?

jamesspi commented 10 months ago

Do we have a description of what the other serverless roles allow? We do need a way for someone to restrict access to the assistant in serverless, as they can do in ESS today - just not sure what role that would/could be.

@spong, do you remember what you had discussed with the team when you were working on RBAC in this regard?

spong commented 10 months ago

Steph was asking me about this last week -- for serverless the RBAC implementation only grants access to the assistant for the security complete productType. There was no discussion of controlling access by individual roles on serverless at the time I was doing this work.

That said, if the role doesn't have read access to connectors (and so couldn't make a request to the actions connector), then that would disable it for them even on the complete productType tier.

> Do we have a description of what the other serverless roles allow? We do need a way for someone to restrict access to the assistant in serverless, as they can do in ESS today - just not sure what role that would/could be.

We'll need to reach out to @semd or @machadoum for details here I think. AFAIK there's no RBAC UI for serverless roles like in ESS, so roles would need to be configured up front if that's indeed the case. @semd / @machadoum, is there a way to programmatically set up roles in serverless using the existing RBAC controls we shipped for ESS, or do we have to create a specific assistant role for serverless, and then admins can assign that role to users?

If the latter, @jamesspi, once we see the list of serverless roles/capabilities (edit: here it is), can you direct me as to which roles out of the box should have assistant access and we can make that change? There is no Feature/UI Area entry for the assistant at this moment.

stephmilovic commented 10 months ago

closing for ticket linked above, #7927