Point of contact: @rylnd @yctercero @elastic/security-detection-engine
Test environments: unknown
Thanks for filing this, @joepeeples! I think I can provide the missing context here:
This is a UI feature: if they do not have read permission to that pattern, we are unable to populate field options in the "suppress by" section of the rule creation form, and it will be disabled.
I believe all of our prebuilt security roles will now contain this permission, as per this PR
Semi-blocked by https://github.com/elastic/security-docs/pull/5779, because we'll need to document the required index privilege for serverless custom roles (which will be available in GA). But first we need to add custom role content in general to serverless docs, and then we can update it with the ML rule index priv requirements.
Description
Users need a read permission for the .ml-anomalies-* index if the user in question is going to be authoring/managing ML Rules with Alert Suppression.
Background & resources
Which documentation set does this change impact?
ESS and serverless
ESS release
8.15
Serverless release
Unknown
Feature differences
Unknown. Since it's a privileges thing, I assume there's an equivalent serverless prebuilt role that provides read access to the .ml-anomalies-* index pattern, but that isn't clear from the thread. @rylnd could you confirm which serverless roles are required?
API docs impact
Unknown
Prerequisites, privileges, feature flags
Unknown