[Security Solution]RBAC: User able to add and Delete Note on Security Set to READ Access

[karanbirsingh-qasource]

Describe the bug RBAC: User able to add and Delete Note on Security Set to READ Access

Kibana/Elasticsearch Stack version

Version: 8.15.0
Commit: c616ed3da09e04c766be0d791373dc78c1231e12
Build:  76008

Preconditions

• Create a custom user and assign a role to it in which set following

Elasticsearch index privilege:

index : * privilege: read write view_index_metadata manage

Kibana Space privilege: All Space Bulk Action: All access to all feature Set Security to None

Steps to reproduce

• Navigate to Alert Table to timeline table
• Observed that note icon is disabled to be clicked so user can add the note
• Click on view details of the same alert
• Click on Expand details and then notes tab
• Validate here user is able to add note to same alert and also able to remove the added note while security app priveldge is set to READ

Additional update

• Setting Security to None hide the note page in application
• observation to timeline note app on security to none

Expected Result

• RBAC: User should not able to add and Delete Note on Security Set to READ Access

Screen-Cast

https://github.com/user-attachments/assets/bdf4a5d0-4915-4cc1-afef-596f7162b3c8

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[amolnater-qasource]

Reviewed & assigned to @MadameSheema

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[elasticmachine]

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

[janmonschke]

For context, the note is not actually persisted. When the page is reloaded, the note is gone. The backend is making sure the permissions are taken into account. The frontend however is not regarding the permissions yet.

[janmonschke]

@karanbirsingh-qasource The was fixed and merged to main and 8.15 yesterday.

[karanbirsingh-qasource]

Hi @MadameSheema

we have validated this issue and found the issue to be fixed ✔️

Build Details:

VERSION: 8.15.0 BC6
BUILD: 76360
COMMIT: 8aa0b59da12c996e3048d8875446667ee6e15c7f

Screen-Shot

• not able to add and neither delete existing note for custom user with read access to security applciation

Hence we are closing this issue and adding "QA:Validated" tag to it.

thanks!!