[FEATURE] Create controls to allow a cluster administrator to determine what menu items show up for different groups of users

[cwperks]

Is your feature request related to a problem?

Currently, there are not many controls in place for cluster administrators to determine the menu items in OpenSearch Dashboards.

For instance, there are really only 3 levels of control:

1. Users mapped to kibana_user - These users can see all menu items except for Security under the Management section of the main menu. While kibana_user lets the user see all plugins, it does not give them permission to use the plugin. Users mapped to this role often get Forbidden errors when trying to use different functionality in OpenSearch Dashboards

2. Users mapped to kibana_read_only - Users mapped to this role are restricted from seeing most pages. The full list of pages they are allowed to view is defined here: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/public/plugin.ts#L91

3. Security Admins - Security Admins can see all of what 1 can see and can also see Security under the Management sub-menu. In order to hide security from 1, security-dashboards-plugin calls an endpoint to see if the logged in user has api permission

There should be better controls to reveal whether the logged in user should see a particular menu item.

One idea could be to copy similar logic to 3) across various dashboards plugins to see if the logged in user has permission to a given dashboards plugin. If the user does not have permission then do not reveal it in the main menu.

[cwperks]

I think it would make sense for the backend security plugin to reveal a has_permission API that is limited to cluster actions at first.

i.e.

POST _plugins/_security/api/has_permission
{
     "cluster_permission": "cluster:admin/opendistro/alerting/alerts/get"
}

Dashboards plugins can call on this API to determine if the logged in user can minimally use their dashboard plugin. Its the responsibility of the dashboard plugin to determine what permissions constitute a minimum experience for the plugin.

Based on the response the plugins can determine whether to render their plugin in the main menu:

1. 404 - This response code would mean security plugin is not installed, disabled or running in SSL Only mode
2. false - The logged in user does not have the requisite access and the menu item should not be displayed
3. true - The logged in user has the requisite permissions and the menu item should display accordingly.