elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[ResponseOps][Alerting] Kibana alert 'role visibility' not documented #180631

Open Matthew-Jenkins opened 7 months ago

Matthew-Jenkins commented 7 months ago

Kibana version: 8.12.2
Elasticsearch version: 8.12.2
Server OS version: RHEL 9
Browser version: Edge
Browser OS version:

Original install method (e.g. download page, yum, from source, etc.): tar

Describe the bug: 'role visibility' is not documented

Steps to reproduce:

  1. log into Kibana
  2. click hamburger menu and alerts
  3. click manage rules
  4. click create rule
  5. type a name
  6. pick alert type
  7. scroll down and 'alert visibility' dropdown is there. This value is neither documented in the UI, the Kibana alert docs or the alert API docs.

image

The value isn't editable through the UI once you create the alert. It looks like it goes by 'consumer' in the API, which is a disconnect between UI and API. Or maybe that does something completely different.

Expected behavior:

Screenshots (if relevant):

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context:

elasticmachine commented 7 months ago

Pinging @elastic/response-ops (Team:ResponseOps)

fterrani commented 3 months ago

I think this "Role visibility" (was it meant to be Rule visibility?...) indeed matches the consumer parameter in the Alerting API.

After some (quick and dirty) testing, here is what I found:

Also, here are some apps and their matching consumer value for 8.14.0:

| Rule creation method | Produced consumer value |
| --- | --- |
| Stack Management with Logs role visibility | logs |
| Stack Management with Metrics role visibility | infrastructure (!) |
| Stack Management with Stack Rules role visibility | stackAlerts |
| Observability > APM | apm |
| Security > Rules | siem |

Finally, here are other possible values for the consumer parameter:

EDIT: @dmlemeshko Is there a reason not to label this with docs or documentation?

cnasikas commented 3 months ago

@fterrani This is a great explanation of the "Role visibility" feature and the consumer field. What you say is correct.

> In the Alerting API, the value given to the consumer parameter refers to the application or feature that owns the rule.

At the moment it refers to the feature that owns the rule. In the future, we plan to decouple features from consumers.

> If kept empty, the field asks to give the rule a "scope" which seems to match the behavior.

Could you please elaborate more on this?

> Finally, it seems all rules defined in Elastic are displayed under Stack Management, no matter in which apps they were created.

Correct, assuming you have permission to view them.

@Matthew-Jenkins @fterrani The reason we have not documented it so far is that we want to move away from the "Role visibility" feature because we think it is confusing. Nevertheless, the feature has been around for a long time and I think we probably should. @lcawl What do you think?

lcawl commented 3 months ago

The "Role visibility" option is mentioned in some of the rule-specific pages (e.g. https://www.elastic.co/guide/en/observability/8.14/custom-threshold-alert.html#custom-threshold-role-visibility, https://www.elastic.co/guide/en/kibana/current/rule-type-es-query.html) but not others (e.g. https://www.elastic.co/guide/en/machine-learning/current/ml-configuring-alerts.html). In the API description, there's no mapping between "consumer" and "visibility" terminology.

In my opinion, the most helpful place for clarification would be directly in the UI, so we should add a tooltip for this field (either right away for active releases or when that feature is revamped). I can also do a survey of the rule types that offer this option in the UI and ensure we're using similar explanations until it's replaced.

fterrani commented 3 months ago

> If kept empty, the field asks to give the rule a "scope" which seems to match the behavior.
>
> Could you please elaborate more on this?

@cnasikas Sure, and sorry for taking so long to reply!

It's quite simple. If I remember correctly, when you empty the Role visibility field (see @Matthew-Jenkins's screenshot) and try to send the form, a red error message appears right below it and says something like "you must specify a scope".

I was surprised to see the word scope at first. That now makes three words to refer to the same thing (scope, role visibility and consumer)? But after thinking about it, its meaning seemed to match what I observed regarding the value contained in consumer and the corresponding behavior.