Skip to content

Commit daefcfc

Browse files
tiansivivecursoragent
tiansivive
and
cursoragent
authored
[Security] Mirror elasticsearch-controller role changes to Kibana roles.yml (#271321)
## Summary Mirrors the index privilege changes from [elasticsearch-controller#1777](elastic/elasticsearch-controller#1777) (merged 2026-05-22 by @ymao1) into the Kibana serverless roles file. Two changes: - **Viewer role**: adds `read` on `.entity_analytics.entity-leads*` and `.entity_analytics.watchlists.*` (watchlists + entity leads visibility for read-only users) - **Asset-criticality write roles**: adds `view_index_metadata` on `.entities.v2.latest.security_*` for all roles that already have `write` on `.asset-criticality.asset-criticality-*`. Affected: `editor`, `platform_engineer`, `t2_analyst`, `t3_analyst`, `threat_intelligence_analyst`, `rule_author`, `endpoint_operations_analyst`, `endpoint_policy_manager`. Context: @simitt flagged the requirement to mirror controller changes into this file during controller PR review. The mismatch is not enforced at runtime but the file header explicitly states it should stay in sync. Made with [Cursor](https://cursor.com) Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 067cbe7 commit daefcfc

1 file changed

Lines changed: 16 additions & 6 deletions

File tree

  • src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security

src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml

Lines changed: 16 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,8 @@ viewer:
4444
- '.entities.v2.latest.security_*'
4545
- 'entities-latest-*'
4646
- '.ml-anomalies-*'
47+
- '.entity_analytics.entity-leads*'
48+
- '.entity_analytics.watchlists.*'
4749
- security_solution-*.misconfiguration_latest*
4850
privileges:
4951
- read
@@ -129,6 +131,7 @@ editor:
129131
- 'entities-latest-*'
130132
privileges:
131133
- 'read'
134+
- 'view_index_metadata'
132135
- 'write'
133136
allow_restricted_indices: false
134137
- names:
@@ -282,7 +285,6 @@ t2_analyst:
282285
- .entities.v1.latest.security_*
283286
- .entities.v1.updates.security_*
284287
- '.entities.v1.history.*.security_*'
285-
- '.entities.v2.latest.security_*'
286288
- 'entities-latest-*'
287289
- '.ml-anomalies-*'
288290
- security_solution-*.misconfiguration_latest*
@@ -291,8 +293,10 @@ t2_analyst:
291293
- read
292294
- names:
293295
- .asset-criticality.asset-criticality-*
296+
- '.entities.v2.latest.security_*'
294297
privileges:
295298
- read
299+
- view_index_metadata
296300
- write
297301
applications:
298302
- application: 'kibana-.kibana'
@@ -338,9 +342,11 @@ t3_analyst:
338342
- winlogbeat-*
339343
- logstash-*
340344
- .asset-criticality.asset-criticality-*
345+
- '.entities.v2.latest.security_*'
341346
- security_solution-*.misconfiguration_latest*
342347
privileges:
343348
- read
349+
- view_index_metadata
344350
- write
345351
- names:
346352
- .alerts-security*
@@ -364,7 +370,6 @@ t3_analyst:
364370
- .entities.v1.latest.security_*
365371
- .entities.v1.updates.security_*
366372
- '.entities.v1.history.*.security_*'
367-
- '.entities.v2.latest.security_*'
368373
- 'entities-latest-*'
369374
- '.ml-anomalies-*'
370375
- .entity_analytics.monitoring*
@@ -432,8 +437,10 @@ threat_intelligence_analyst:
432437
- read
433438
- names:
434439
- .asset-criticality.asset-criticality-*
440+
- '.entities.v2.latest.security_*'
435441
privileges:
436442
- read
443+
- view_index_metadata
437444
- write
438445
- names:
439446
- .lists*
@@ -457,7 +464,6 @@ threat_intelligence_analyst:
457464
- .entities.v1.latest.security_*
458465
- .entities.v1.updates.security_*
459466
- '.entities.v1.history.*.security_*'
460-
- '.entities.v2.latest.security_*'
461467
- 'entities-latest-*'
462468
- '.ml-anomalies-*'
463469
privileges:
@@ -507,9 +513,11 @@ rule_author:
507513
- winlogbeat-*
508514
- logstash-*
509515
- .asset-criticality.asset-criticality-*
516+
- '.entities.v2.latest.security_*'
510517
- security_solution-*.misconfiguration_latest*
511518
privileges:
512519
- read
520+
- view_index_metadata
513521
- write
514522
- names:
515523
- .alerts-security*
@@ -538,7 +546,6 @@ rule_author:
538546
- .entities.v1.latest.security_*
539547
- .entities.v1.updates.security_*
540548
- '.entities.v1.history.*.security_*'
541-
- '.entities.v2.latest.security_*'
542549
- 'entities-latest-*'
543550
- '.ml-anomalies-*'
544551
- .entity_analytics.monitoring*
@@ -790,6 +797,7 @@ platform_engineer:
790797
- 'entities-latest-*'
791798
privileges:
792799
- read
800+
- view_index_metadata
793801
- write
794802
- names:
795803
- '.ml-anomalies-*'
@@ -863,7 +871,6 @@ endpoint_operations_analyst:
863871
- .entities.v1.latest.security_*
864872
- .entities.v1.updates.security_*
865873
- '.entities.v1.history.*.security_*'
866-
- '.entities.v2.latest.security_*'
867874
- 'entities-latest-*'
868875
- '.ml-anomalies-*'
869876
- security_solution-*.misconfiguration_latest*
@@ -882,8 +889,10 @@ endpoint_operations_analyst:
882889
- maintenance
883890
- names:
884891
- .asset-criticality.asset-criticality-*
892+
- '.entities.v2.latest.security_*'
885893
privileges:
886894
- read
895+
- view_index_metadata
887896
- write
888897
applications:
889898
- application: 'kibana-.kibana'
@@ -956,16 +965,17 @@ endpoint_policy_manager:
956965
- .entities.v1.latest.security_*
957966
- .entities.v1.updates.security_*
958967
- '.entities.v1.history.*.security_*'
959-
- '.entities.v2.latest.security_*'
960968
- 'entities-latest-*'
961969
- '.ml-anomalies-*'
962970
- security_solution-*.misconfiguration_latest*
963971
privileges:
964972
- read
965973
- names:
966974
- .asset-criticality.asset-criticality-*
975+
- '.entities.v2.latest.security_*'
967976
privileges:
968977
- read
978+
- view_index_metadata
969979
- write
970980
- names:
971981
- .lists*

0 commit comments

Comments
 (0)