Closed stephmilovic closed 10 months ago
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
Pinging @elastic/security-solution (Team: SecuritySolution)
@jamesspi is this a bug?
Do we have a description of what the other serverless roles allow? We do need a way for someone to restrict access to the assistant in serverless, as they can do in ESS today - just not sure what role that would/could be.
@spong , do you remember what you had discussed with the team when you were working on RBAC in this regard?
Steph was asking me about this last week -- for serverless the RBAC implementation only grants access to the assistant for the security complete
productType. There was no discussion of controlling access by individual roles on serverless at the time I was doing this work.
That said, if the role doesn't have read
access to connectors (and so couldn't make a request to the actions connector), then that would disable it for them even on the complete
productType tier.
Do we have a description of what the other serverless roles allow? We do need a way for someone to restrict access to the assistant in serverless, as they can do in ESS today - just not sure what role that would/could be.
We'll need to reach out to @semd or @machadoum for details here I think. AFAIK there's no RBAC UI for serverless roles like in ESS, so roles would need to be configured up front if that's indeed the case. @semd / @machadoum, is there a way to programmatically setup roles in serverless using the existing RBAC controls we shipped for ESS, or do we have to create a specific assistant
role for serverless, and then admins can assign that role to users?
If the latter, @jamesspi, once we see the list of serverless roles/capabilities (edit: here it is), can you direct me as to which roles out of the box should have assistant access and we can make that change? There is no Feature/UI Area
entry for the assistant at this moment.
closing for ticket linked above, #7927
Describe the bug: VIEWER role cannot use AI Assistant
Not sure if it is supposed to be hidden, we do not think so