elastic / security-docs

Elastic Security Documentation

[Request] Permissions for alert suppression in machine learning rules #5492

Open joepeeples opened 2 months ago

joepeeples commented 2 months ago

Description

Users need a read permission for the .ml-anomalies-* index if the user in question is going to be authoring/managing ML Rules with Alert Suppression.

Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS release

8.15

Serverless release

Unknown

Feature differences

Unknown. Since it's a privileges thing, I assume there's an equivalent serverless prebuilt role that provides read access to the .ml-anomalies-* index pattern, but that isn't clear from the thread. @rylnd could you confirm which serverless roles are required?

API docs impact

Unknown

Prerequisites, privileges, feature flags

Unknown

rylnd commented 2 months ago

Thanks for filing this, @joepeeples! I think I can provide the missing context here:

  1. This is a UI feature: if they do not have read permission to that pattern, we are unable to populate field options in the "suppress by" section of the rule creation form, and it will be disabled.
  2. I believe all of our prebuilt security roles will now contain this permission, as per this PR.

joepeeples commented 1 day ago