search

elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana
Other
19.73k stars 8.14k forks source link

[Security Solution] [Detection Engine] An user without Cases privilegies can still see System Action option under Rule Actions section and is thrown an error if tries to save a rule using it #191681

Open pborgonovi opened 3 weeks ago

pborgonovi commented 3 weeks ago

Describe the bug: An user without Cases privilegies can still see System Action option available under Actions section and is thrown an error if tries to save a rule using it

Kibana/Elasticsearch Stack version: 8.16 SNAPSHOT

Server OS version:

Browser and Browser OS versions:

Elastic Endpoint version:

Original install method (e.g. download page, yum, from source, etc.):

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Steps to reproduce:

  1. Create a custom role without Cases privilegies
  2. Create a new user and assign the custom role
  3. Access Kibana with new user credentials
  4. Create or edit a rule and under Actions section select Cases
  5. Save the new rule or save the changes

Current behavior: User is still able to select Cases and is thrown an error when trying to save the rule

{
  "name": "Error",
  "body": {
    "message": "Unauthorized to execute actions",
    "status_code": 403
  },
  "message": "",
  "stack": "Error\n    at fetch_Fetch.fetchResponse (https://exp.kb.us-west2.gcp.elastic-cloud.com/6b091fe3b410/bundles/core/core.entry.js:16:223678)\n    at async https://exp.kb.us-west2.gcp.elastic-cloud.com/6b091fe3b410/bundles/core/core.entry.js:16:221670\n    at async https://exp.kb.us-west2.gcp.elastic-cloud.com/6b091fe3b410/bundles/core/core.entry.js:16:221627"
}

Expected behavior: User should not be able to select Cases as an action

Screenshots (if relevant):

https://github.com/user-attachments/assets/c9d02a9f-1dbb-4c4b-a613-805de0d8796a

Image

Image

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context (logs, chat logs, magical formulas, etc.):

elasticmachine commented 3 weeks ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)

elasticmachine commented 3 weeks ago

Pinging @elastic/security-solution (Team: SecuritySolution)

dhurley14 commented 3 weeks ago

Thanks for finding this. I'm going to tag response ops as I believe they own the component that displays all of the connectors.

elasticmachine commented 3 weeks ago

Pinging @elastic/response-ops (Team:ResponseOps)

elasticmachine commented 2 weeks ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

cnasikas commented 2 weeks ago

Hey! Yes, the ResponseOps own this component and it is also happening on the stack management page. Ideally, we should not show the system actions to which the user does not have access. I put it in our backlog.