Open banderror opened 2 months ago
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detection-engine (Team:Detection Engine)
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)
I think this comment from @cnasikas is a great starting point for understanding what we're going to be needing. @cnasikas - any updates on the POC mentioned there?
We currently group features like rules, alerts, exceptions all under a single feature id like:

```ts
{
  id: 'siem', // feature ID
  alerting: ['siem.queryRule'], // other rule types are omitted for brevity
  privileges: {
    all: {
      alerting: {
        rule: {
          all: ['siem.queryRule'], // other rule types are omitted for brevity
        },
        alert: {
          all: ['siem.queryRule'], // other rule types are omitted for brevity
        },
      },
      // more privileges
    },
    read: {
      alerting: {
        rule: {
          read: ['siem.queryRule'], // other rule types are omitted for brevity
        },
        alert: {
          all: ['siem.queryRule'], // other rule types are omitted for brevity
        },
      },
      // more privileges
    },
  },
}
```
We will want to split rules, alerts and exceptions from this grouping so users can now specify privileges for each. These would be pulled up to be something like:

```ts
{
  id: 'siem', // old feature ID
  alerting: [],
  privileges: {
    all: {
      // alerting privilege is removed
      // more privileges
    },
    read: {
      // alerting privilege is removed
      // more privileges
    },
  },
}
```
```ts
{
  id: 'ruleManagement', // new feature ID
  alerting: [{ ruleTypeId: 'siem.queryRule', consumers: ['siem'] }],
  privileges: {
    all: {
      alerting: {
        rule: {
          all: [{ ruleTypeId: 'siem.queryRule', consumers: ['siem'] }],
        },
        alert: {
          all: [{ ruleTypeId: 'siem.queryRule', consumers: ['siem'] }],
        },
      },
      // more privileges
    },
    read: {
      alerting: {
        rule: {
          read: [{ ruleTypeId: 'siem.queryRule', consumers: ['siem'] }],
        },
        alert: {
          all: [{ ruleTypeId: 'siem.queryRule', consumers: ['siem'] }],
        },
      },
      // more privileges
    },
  },
}
```
```ts
{
  id: 'exceptionsManagement', // new feature ID
  lists: [],
  privileges: {
    all: {},
    read: {},
  },
}
```
Essentially, we'll be splitting an existing privilege into multiple privileges, each with their own sub-privileges.
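As an added illustration of the split (not code from this issue or from Kibana itself), a hypothetical role migration in TypeScript: it copies a role's existing `siem` feature privilege onto the new `ruleManagement` and `exceptionsManagement` features at the same level, leaves roles covered by a base privilege alone, and never downgrades a level an admin already granted explicitly. The role shape (`base`, `feature`, `spaces`) follows the Kibana role API; the new feature IDs are the proposed ones above.

```typescript
// Hypothetical migration (added example, not Kibana's implementation):
// copy a role's `siem` feature privilege onto the new split features at
// the same level so that access neither widens nor shrinks on upgrade.
type PrivilegeLevel = 'all' | 'read';

interface KibanaSpacePrivilege {
  base: PrivilegeLevel[];                    // base privileges, e.g. ['all']
  feature: Record<string, PrivilegeLevel[]>; // featureId -> granted levels
  spaces: string[];
}

interface Role {
  name: string;
  kibana: KibanaSpacePrivilege[];
}

// Feature IDs from the proposal above; the old `siem` feature stays in place.
const SPLIT_FROM = 'siem';
const SPLIT_INTO = ['ruleManagement', 'exceptionsManagement'];

// Collapse a list of levels to the single effective one: 'all' beats 'read'.
function effectiveLevel(levels: PrivilegeLevel[]): PrivilegeLevel | undefined {
  if (levels.includes('all')) return 'all';
  if (levels.includes('read')) return 'read';
  return undefined;
}

function migrateRole(role: Role): Role {
  return {
    ...role,
    kibana: role.kibana.map((entry) => {
      // A base privilege already covers every feature: nothing to copy.
      if (entry.base.length > 0) return entry;
      const level = effectiveLevel(entry.feature[SPLIT_FROM] ?? []);
      // The role never touched siem in these spaces: leave it untouched.
      if (!level) return entry;
      const feature = { ...entry.feature }; // copy, never mutate the input
      for (const id of SPLIT_INTO) {
        // Keep an explicit 'all' that an admin already granted; otherwise
        // the new feature inherits the level the siem privilege had.
        if (effectiveLevel(feature[id] ?? []) !== 'all') feature[id] = [level];
      }
      return { ...entry, feature };
    }),
  };
}
```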
Epics: https://github.com/elastic/security-team/issues/9533 (internal), https://github.com/elastic/kibana/issues/172348
Related to: https://github.com/elastic/kibana/issues/68814
Summary
The @elastic/kibana-security team, who will be working on building a role migration mechanism, would appreciate any requirements for it from the Security Solution side.
Let's put together a list of requirements and share it with the team in https://github.com/elastic/kibana/issues/68814.