[Security Solution] Make savedQueryManagement feature explicit in Ser…
…verless (elastic#208911)

## Summary

Remove the implicit grant of the `savedQueryManagement` feature with the
Security Solution basic feature (ID: `siemV2`) in Serverless.


This is a follow-up of elastic#202863

### Feature `siemV2`
This change only affects new roles created with the `siemV2` feature,
introduced recently
[here](elastic#201780).
This change will align the Roles UI in Serverless and ESS, both
requiring the `savedQueryManagement` feature to be explicitly granted to
be able to manage saved queries.

### Feature `siem`
Roles using the deprecated `siem` feature will still implicitly receive
the `savedQueryManagement` feature: `siem` implicitly grants `discover`,
`dashboard`, `visualize`, and `maps`, and these are migrated to their `*v2`
features, which include `savedQueryManagement`. So there is no behavior
change for existing roles using the old `siem` feature (no breaking
change).

## Screenshots

The siem/siemV2 feature toggle:
<img width="774" alt="siem feature"
src="https://github.com/user-attachments/assets/2759988a-3cf8-4e1f-9431-16c09cf9d95c"
/>

The savedQueryManagement feature toggle:
<img width="774" alt="Saved query feature"
src="https://github.com/user-attachments/assets/d0145244-f4b8-4577-b91f-93f4dd1f758b"
/>
semd authored Jan 31, 2025
1 parent 31b010d commit 3d5972a
Showing 2 changed files with 12 additions and 58 deletions.
24 changes: 12 additions & 12 deletions config/serverless.security.yml
@@ -43,8 +43,6 @@ xpack.features.overrides:
privileges: [ "all" ]
- feature: "maps_v2"
privileges: [ "all" ]
- feature: "savedQueryManagement"
privileges: [ "all" ]
# Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and
# Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover,
### Dashboard, and Visualize apps.
@@ -57,34 +55,36 @@ xpack.features.overrides:
privileges: [ "read" ]
- feature: "maps_v2"
privileges: [ "read" ]
- feature: "savedQueryManagement"
privileges: [ "read" ]

### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps.
siem:
privileges:
### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and
### Visualize features.
all.composedOf:
- feature: "discover"
- feature: "discover_v2"
privileges: [ "all" ]
- feature: "dashboard_v2"
privileges: [ "all" ]
- feature: "dashboard"
- feature: "visualize_v2"
privileges: [ "all" ]
- feature: "visualize"
- feature: "maps_v2"
privileges: [ "all" ]
- feature: "maps"
- feature: "savedQueryManagement"
privileges: [ "all" ]
# Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and
# Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover,
### Dashboard, and Visualize apps.
read.composedOf:
- feature: "discover"
- feature: "discover_v2"
privileges: [ "read" ]
- feature: "dashboard_v2"
privileges: [ "read" ]
- feature: "dashboard"
- feature: "visualize_v2"
privileges: [ "read" ]
- feature: "visualize"
- feature: "maps_v2"
privileges: [ "read" ]
- feature: "maps"
- feature: "savedQueryManagement"
privileges: [ "read" ]

## Cloud settings
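Review bot: Nothing in the file records that `savedQueryManagement` is deliberately absent from the `siemV2` composition, so a later edit could restore the implicit grant without anyone noticing the privilege widening; a comment at the `siemV2` lists such as `# savedQueryManagement is intentionally not composed here; grant it explicitly on the role` would pin that intent. In the `siem` block the comments above `all.composedOf` and `read.composedOf` still name only Discover, Dashboard, Maps and Visualize, while the lists there appear to include `savedQueryManagement` (the page has lost its +/- markers, so which of the interleaved `discover`/`discover_v2` lines are on the new side is inferred); those comments should mention the saved-query grant as well. The `siemV2` block starts above the first hunk.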
@@ -925,22 +925,6 @@ export default function ({ getService }: FtrProviderContext) {
"saved_object:map/share_to_space",
"ui:maps_v2/save",
"ui:maps_v2/show",
"api:savedQuery:manage",
"api:savedQuery:read",
"saved_object:query/bulk_get",
"saved_object:query/get",
"saved_object:query/find",
"saved_object:query/open_point_in_time",
"saved_object:query/close_point_in_time",
"saved_object:query/create",
"saved_object:query/bulk_create",
"saved_object:query/update",
"saved_object:query/bulk_update",
"saved_object:query/delete",
"saved_object:query/bulk_delete",
"saved_object:query/share_to_space",
"ui:savedQueryManagement/showQueries",
"ui:savedQueryManagement/saveQuery",
],
"blocklist_all": Array [
"login:",
@@ -1779,22 +1763,6 @@ export default function ({ getService }: FtrProviderContext) {
"saved_object:map/share_to_space",
"ui:maps_v2/save",
"ui:maps_v2/show",
"api:savedQuery:manage",
"api:savedQuery:read",
"saved_object:query/bulk_get",
"saved_object:query/get",
"saved_object:query/find",
"saved_object:query/open_point_in_time",
"saved_object:query/close_point_in_time",
"saved_object:query/create",
"saved_object:query/bulk_create",
"saved_object:query/update",
"saved_object:query/bulk_update",
"saved_object:query/delete",
"saved_object:query/bulk_delete",
"saved_object:query/share_to_space",
"ui:savedQueryManagement/showQueries",
"ui:savedQueryManagement/saveQuery",
],
"minimal_read": Array [
"login:",
@@ -2125,13 +2093,6 @@ export default function ({ getService }: FtrProviderContext) {
"ui:catalogue/maps",
"ui:navLinks/maps",
"ui:maps_v2/show",
"api:savedQuery:read",
"saved_object:query/bulk_get",
"saved_object:query/get",
"saved_object:query/find",
"saved_object:query/open_point_in_time",
"saved_object:query/close_point_in_time",
"ui:savedQueryManagement/showQueries",
],
"policy_management_all": Array [
"login:",
@@ -2498,13 +2459,6 @@ export default function ({ getService }: FtrProviderContext) {
"ui:catalogue/maps",
"ui:navLinks/maps",
"ui:maps_v2/show",
"api:savedQuery:read",
"saved_object:query/bulk_get",
"saved_object:query/get",
"saved_object:query/find",
"saved_object:query/open_point_in_time",
"saved_object:query/close_point_in_time",
"ui:savedQueryManagement/showQueries",
],
"scan_operations_all": Array [
"login:",