elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Formulate requirements for the role migration mechanism #184579

Open banderror opened 2 months ago

banderror commented 2 months ago

Epics: https://github.com/elastic/security-team/issues/9533 (internal), https://github.com/elastic/kibana/issues/172348 Related to: https://github.com/elastic/kibana/issues/68814

Summary

The @elastic/kibana-security team who will be working on building a role migration mechanism would appreciate any requirements for it from the Security Solution side.

Let's put together a list of requirements and share it with the team in https://github.com/elastic/kibana/issues/68814.

elasticmachine commented 2 months ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine commented 2 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 2 months ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)

elasticmachine commented 2 months ago

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

yctercero commented 3 weeks ago

I think this comment from @cnasikas is a great starting point for understanding what we're going to be needing. @cnasikas - any updates on the POC mentioned there?

We currently group features like rules, alerts, exceptions all under a single feature id like:

```ts
{
  id: 'siem', // <--- feature ID
  alerting: ['siem.queryRule'], // other rule types are omitted for brevity
  privileges: {
    all: {
      alerting: {
        rule: {
          all: ['siem.queryRule'], // other rule types are omitted for brevity
        },
        alert: {
          all: ['siem.queryRule'], // other rule types are omitted for brevity
        },
      },
      // more privileges
    },
    read: {
      alerting: {
        rule: {
          read: ['siem.queryRule'], // other rule types are omitted for brevity
        },
        alert: {
          all: ['siem.queryRule'], // other rule types are omitted for brevity
        },
      },
      // more privileges
    },
  },
}
```

We will want to split rules, alerts and exceptions from this grouping so users can now specify privileges for each. These would be pulled up to be something like:

```ts
{
  id: 'siem', // <--- old feature ID
  alerting: [],
  privileges: {
    all: {
      // alerting privilege is removed
      // more privileges
    },
    read: {
      // alerting privilege is removed
      // more privileges
    },
  },
}
```

```ts
{
  id: 'ruleManagement', // <--- new feature ID
  alerting: [{ ruleTypeId: 'siem.queryRule', consumers: ['siem'] }],
  privileges: {
    all: {
      alerting: {
        rule: {
          all: [{ ruleTypeId: 'siem.queryRule', consumers: ['siem'] }],
        },
        alert: {
          all: [{ ruleTypeId: 'siem.queryRule', consumers: ['siem'] }],
        },
      },
      // more privileges
    },
    read: {
      alerting: {
        rule: {
          read: [{ ruleTypeId: 'siem.queryRule', consumers: ['siem'] }],
        },
        alert: {
          all: [{ ruleTypeId: 'siem.queryRule', consumers: ['siem'] }],
        },
      },
      // more privileges
    },
  },
}
```

```ts
{
  id: 'exceptionsManagement', // <--- new feature ID
  lists: [],
  privileges: {
    all: {},
    read: {},
  },
}
```

Essentially, we'll be splitting an existing privilege into multiple privileges, each with their own sub-privileges.
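The comment above describes the split from the feature-registration side; what a role migration mechanism has to do is the other half: rewrite every stored role that grants the old `siem` feature privilege so that the same users keep the same effective access once rules and exceptions live under their own feature IDs. The following is an added illustration, not Kibana's code and not the POC referenced in the thread. It assumes the role shape of Kibana's role API (`kibana[].base`, `feature`, `spaces`); the split table `FEATURE_SPLITS`, the function names and the sample role are constructed for this example.

```ts
// Added example (not Kibana code): migrating stored Kibana roles when the
// 'siem' feature is split into 'siem', 'ruleManagement' and
// 'exceptionsManagement'. The role shape follows Kibana's role API;
// the split table and function names are assumptions for this illustration.

type AccessLevel = 'all' | 'read';
type FeaturePrivileges = Record<string, string[]>;

interface KibanaSpacePrivileges {
  base: string[];             // 'all'/'read' here covers every feature; left untouched
  feature: FeaturePrivileges; // e.g. { siem: ['all'], discover: ['read'] }
  spaces: string[];
}

interface KibanaRole {
  name: string;
  kibana: KibanaSpacePrivileges[];
}

// Hypothetical split table: new feature IDs that inherit whatever access
// level a role previously held on the old feature ID.
const FEATURE_SPLITS: Record<string, string[]> = {
  siem: ['ruleManagement', 'exceptionsManagement'],
};

const RANK: Record<AccessLevel, number> = { read: 1, all: 2 };

// Reduce a feature's privilege list to its top-level access level.
// 'minimal_all' / 'minimal_read' are the variants Kibana stores when
// sub-feature privileges are customised; they still carry the level.
function topLevel(privs: string[] | undefined): AccessLevel | undefined {
  if (!privs) return undefined;
  if (privs.includes('all') || privs.includes('minimal_all')) return 'all';
  if (privs.includes('read') || privs.includes('minimal_read')) return 'read';
  return undefined;
}

function migrateFeaturePrivileges(feature: FeaturePrivileges): FeaturePrivileges {
  const out: FeaturePrivileges = { ...feature };
  for (const [oldId, newIds] of Object.entries(FEATURE_SPLITS)) {
    const level = topLevel(feature[oldId]);
    if (!level) continue; // role never had the old feature: nothing to carry over
    for (const newId of newIds) {
      // Idempotent: a role that already names the new feature keeps its
      // explicit setting instead of being overwritten on a second run.
      if (out[newId] === undefined) out[newId] = [level];
    }
  }
  return out;
}

function migrateRole(role: KibanaRole): KibanaRole {
  return {
    ...role,
    kibana: role.kibana.map((entry) => ({
      ...entry,
      feature: migrateFeaturePrivileges(entry.feature),
    })),
  };
}

// Post-condition a migration should be tested against: every entry the role
// already had is unchanged, and no split-off feature is granted above the
// level the old feature carried (that would be a privilege escalation).
function migrationPreservesAccess(before: FeaturePrivileges, after: FeaturePrivileges): boolean {
  for (const [id, privs] of Object.entries(before)) {
    if (JSON.stringify(after[id]) !== JSON.stringify(privs)) return false;
  }
  for (const [oldId, newIds] of Object.entries(FEATURE_SPLITS)) {
    const ceiling = topLevel(before[oldId]);
    for (const newId of newIds) {
      if (before[newId] !== undefined) continue; // explicit pre-existing setting, not the migration's doing
      const granted = topLevel(after[newId]);
      if (!granted) continue;
      if (!ceiling || RANK[granted] > RANK[ceiling]) return false;
    }
  }
  return true;
}

// Constructed sample role (not real data): a read-only SOC analyst.
const sampleRole: KibanaRole = {
  name: 'soc_analyst',
  kibana: [{ base: [], feature: { siem: ['read'], discover: ['all'] }, spaces: ['*'] }],
};

const migratedSample = migrateRole(sampleRole);
console.log(JSON.stringify(migratedSample.kibana[0].feature));
```

The two properties the block checks, idempotence and no escalation past the old `siem` level, are the kind of requirement worth stating explicitly to the Kibana security team: the migration must be safe to re-run, and an operator who had deliberately set a split-off feature lower than `siem` must not have that choice silently widened. How sub-feature privileges under `siem` should be apportioned between the new features is not settled on this page, so the example leaves them on the old feature ID.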