[Response Ops] Rules navigation appears if user has access to Actions and Connectors but no rule types #158256

Closed
ymao1 opened this issue May 23, 2023 · 4 comments · Fixed by #171417
Labels
Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

@ymao1
Contributor

ymao1 commented May 23, 2023

When we have a role that gives a user access to Actions and Connectors but no alerting rule types, the user is still able to see Rules in the Stack Management navigation. Going to the page will show No access but I believe that this menu item shouldn't show up at all for this role.
Screenshot 2023-05-22 at 2 26 40 PM
Screenshot 2023-05-22 at 2 27 27 PM
Screenshot 2023-05-22 at 2 27 35 PM

@ymao1 ymao1 added Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels May 23, 2023
@elasticmachine
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@umbopepato
Member

It looks like the capabilities that result from such a role configuration include triggersActions:

[image]

which is associated to the Rules app in the ManagementSection and thus makes the page visible:

[image]

@mdefazio should we remove that capability from Actions and Connectors?

@mdefazio
Contributor

Likely need others' input here, but if I'm understanding this...
Allowing Actions and Connectors enables triggersActions, which also enables Rules behind the scenes (does this still show as 'None' even if triggersActions is true?)

So what happens when access to Stack Rules is allowed? Not saying it should, but does this enable Actions and Connectors via triggersActions as well?

While I should likely know this, when am I using Actions and Connectors outside of Rules or Cases? There was always the intention, but are they used elsewhere?

Looking at the screenshots, should this config only affect triggersActionsConnectors? Enabling Stack Rules would then affect triggersActions...but this is me likely not understanding.

And since we're here...shouldn't Maintenance Windows be tied closer to the triggersActions? Since you would be stopping actions by creating a maintenance window.

@umbopepato
Member

umbopepato commented Oct 2, 2023

> does this still show as 'None' even if triggersActions is true?

It does, and when inspecting the role in HTTP calls, only actions: ["all"] is present under kibana.

> So what happens when access to Stack Rules is allowed? Not saying it should, but does this enable Actions and Connectors via triggersActions as well?

It does not, the only enabled feature is stackAlerts: ["all"].

To my (still very limited) understanding, the mapping between privileges and capabilities in this case seems to be:

| Privilege display name | Privilege id | Capability id |
| --- | --- | --- |
| Actions and Connectors | actions | triggersActionsConnectors |
| Stack rules | stackAlerts | triggersActions |

@XavierM XavierM moved this from In Progress to Todo in AppEx: ResponseOps - Rules & Alerts Management Oct 4, 2023
umbopepato added a commit to umbopepato/kibana that referenced this issue Nov 16, 2023
umbopepato added a commit that referenced this issue Dec 5, 2023
…rule types requests (#171417)

Closes #158256, #155394

## Summary

- Hides the Logs tab in the Stack Management > Rules page when the user
lacks the necessary permissions to avoid error messages (as shown in
#158256)
- Switches old `useLoadRuleTypes` hook usages to the new
`useLoadRuleTypesQuery` hook
- Assigns a staleTime to the rule types query to avoid duplicated
requests (as shown in #155394)

---------

Co-authored-by: Xavier Mouligneau <xavier.mouligneau@elastic.co>