[One workflows] UI authorization gates (elastic#260260)

Closes elastic/security-team#16110

This PR aligns the Workflows UI with Kibana **Workflows** feature
sub-privileges (`application.capabilities.workflowsManagement.*`) and
related signals so users are not offered actions that reliably fail with
**403**.

---

## Summary

Below is a consolidated inventory of **gates implemented** (by surface).
Capability names match the UI keys from `WorkflowsManagementUiActions`
in `@kbn/workflows/common/privileges`.

### 1. Application shell

| Surface | Control / behavior | Required capability or condition |
Primary code |
| ------- | ------------------ | -------------------------------- |
------------ |
| Workflows app | All routes (`/`, `/create`, `/:id`) | `readWorkflow`
(`useWorkflowsCapabilities`), otherwise **Access Denied** (no child
routes mount) | `public/routes.tsx` (`WorkflowsReadPermissionsWrapper`)
|

---

### 2. List page and table

| Surface | Control / behavior | Required capability | Primary code |
| ------- | ------------------ | ------------------- | ------------ |
| List header | **Create** workflow | `createWorkflow` |
`pages/workflows/index.tsx` |
| List header | **Import** | `createWorkflow` |
`pages/workflows/index.tsx` |
| List table | Row **Enabled** toggle | `updateWorkflow` |
`features/workflow_list/ui/workflow_list.tsx` |
| List table | Row **Run** | `executeWorkflow` (+ workflow
enabled/valid) | `workflow_list.tsx` |
| List table | Row **Edit** | `updateWorkflow` | `workflow_list.tsx` |
| List table | Row **Clone** | `createWorkflow` | `workflow_list.tsx` |
| List table | Row **Delete** | `deleteWorkflow` | `workflow_list.tsx` |
| List table | Bulk **Enable** / **Disable** | `updateWorkflow` |
`use_workflow_bulk_actions.tsx` |
| List table | Bulk **Delete** | `deleteWorkflow` |
`use_workflow_bulk_actions.tsx` |
| Empty state | Create affordance | `createWorkflow` (from parent) |
`components/workflows_empty_state/workflows_empty_state.tsx` |

**Note:** **Export** (row and bulk) relies on app-level `readWorkflow`;
there is no separate export capability toggle in the UI.

---

### 3. Workflow detail — header and page

| Surface | Control / behavior | Required capability | Primary code |
| ------- | ------------------ | ------------------- | ------------ |
| Detail header | **Executions** tab | `readWorkflowExecution` |
`pages/workflow_detail/ui/workflow_detail_header.tsx` |
| Detail header | **Enabled** switch | `updateWorkflow` |
`workflow_detail_header.tsx` |
| Detail header | **Run** | `executeWorkflow` |
`workflow_detail_header.tsx` |
| Detail header | **Save** | `createWorkflow` (new) or `updateWorkflow`
(existing) | `workflow_detail_header.tsx` |
| Detail page | Executions **list** / **detail** UI |
`readWorkflowExecution` | `workflow_detail_page.tsx` |

---

### 4. Run / test modals

| Surface | Control / behavior | Required capability or signal | Primary
code |
| ------- | ------------------ | ----------------------------- |
------------ |
| Full-workflow **test** modal | Modal open / run | `executeWorkflow` |
`workflow_detail_test_modal.tsx` |
| **Execute** modal (Run + test title variants) | **Historical** tab |
`readWorkflowExecution` (disabled tab, tooltip, fallback initial tab) |
`workflow_execute_modal.tsx`, `workflow_execute_modal_helpers.ts`,
`workflow_execute_historical_form.tsx` under `features/run_workflow/ui/`
|
| **Execute** modal | **Alert** tab | RAC index prefetch / message
patterns on **`onError`** disable the tab | `workflow_execute_modal.tsx`
|
| **Execute** modal | **Manual** / **Index** / **Document** | Execute
path | `workflow_execute_modal.tsx` and related forms |

---

### 5. Editor — single step and YAML

| Surface | Control / behavior | Required capability | Primary code |
| ------- | ------------------ | ------------------- | ------------ |
| YAML gutter | **Run step** | `executeWorkflow` (disabled + tooltip via
shared helpers; denied → **Execute** privilege copy) |
`widgets/workflow_yaml_editor/ui/run_step_button.tsx`,
`shared/ui/workflow_action_buttons/get_workflow_tooltip_content.tsx` |
| Editor | **Run single step** handler | `executeWorkflow` |
`workflow_detail_editor.tsx` |
| **Test step** modal | Render / use | `executeWorkflow` |
`workflow_detail_test_step_modal.tsx` |

---

### 6. Execution detail

| Surface | Control / behavior | Required capability | Primary code |
| ------- | ------------------ | ------------------- | ------------ |
| Execution panel | **Replay** / **Run again** | `executeWorkflow` (+
syntax valid) | `workflow_execution_panel.tsx` |
| Execution panel | **Resume** | `executeWorkflow` |
`resume_execution_button.tsx` |
| Execution panel | **Cancel** | `cancelWorkflowExecution` |
`cancel_execution_button.tsx` |

---

### 7. Agent Builder — workflow YAML attachment

| Surface | Control / behavior | Required capability | Primary code |
| ------- | ------------------ | ------------------- | ------------ |
| Canvas (flyout) | **Save** (new YAML) | `createWorkflow` |
`features/ai_integration/attachment_renderers/workflow_yaml_attachment_renderer.tsx`
|
| Canvas | **Save as new** | `createWorkflow` | Same |
| Canvas | **Override** | `updateWorkflow` | Same |
| Canvas | **Open in editor** | `readWorkflow` | Same |


## 🎥 Demo

### User without read privilege
<img width="1788" height="1188" alt="Screenshot 2026-03-30 at 15 58 44"
src="https://github.com/user-attachments/assets/38b0aba3-4103-4967-927d-f0c5b89a2b33"
/>

### User with only read privilege


https://github.com/user-attachments/assets/dc72c6b5-1b30-42d0-a222-ec82fd0fd811

### User with read + update (no create)


https://github.com/user-attachments/assets/55568770-cfce-4f51-abc3-c6c0ef9388aa

### User with read + create (no update)


https://github.com/user-attachments/assets/8d73d89c-32dd-48a8-b499-825c423450a4

### User with execution capabilities (no read executions)


https://github.com/user-attachments/assets/bef9d6c4-275f-46ef-989a-0393f8a48885

### User with full execution capabilities


https://github.com/user-attachments/assets/0d27164e-8825-47cb-9432-03a374616b61

### User with CRUD capabilites


https://github.com/user-attachments/assets/f5e5b49d-0d86-4d68-8abc-0bcf480f2b30

### Full privileges user


https://github.com/user-attachments/assets/f4c29113-9373-4f09-bfd1-2d552d343b53

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

Author: yngrdyn

src/platform/packages/shared/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_index_names_query.ts

@@ -28,7 +28,7 @@ export const useFetchAlertsIndexNamesQuery = (
   { http, ruleTypeIds }: UseFetchAlertsIndexNamesQueryParams,
   options?: Pick<
     QueryOptionsOverrides<typeof fetchAlertsIndexNames>,
-    'context' | 'onError' | 'refetchOnWindowFocus' | 'staleTime' | 'enabled'
+    'context' | 'enabled' | 'onError' | 'refetchOnWindowFocus' | 'retry' | 'staleTime'
   >
 ) => {
   return useQuery({

src/platform/plugins/shared/workflows_management/common/components/access_denied.tsx

@@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { EuiProvider } from '@elastic/eui';
+import { render, screen } from '@testing-library/react';
+import React from 'react';
+import { I18nProvider } from '@kbn/i18n-react';
+import { AccessDenied } from './access_denied';
+
+jest.mock('@kbn/kibana-react-plugin/public', () => ({
+  useKibana: () => ({
+    services: {
+      http: {
+        basePath: {
+          prepend: (path: string) => `/mock-base-path${path}`,
+        },
+      },
+    },
+  }),
+}));
+
+jest.mock('../../hooks/use_workflow_breadcrumbs/use_workflow_breadcrumbs', () => ({
+  useWorkflowsBreadcrumbs: jest.fn(),
+}));
+
+const renderWithProviders = (component: React.ReactElement) =>
+  render(
+    <I18nProvider>
+      <EuiProvider colorMode="light">{component}</EuiProvider>
+    </I18nProvider>
+  );
+
+describe('AccessDenied', () => {
+  it('renders no-read empty state copy and data-test-subj', () => {
+    renderWithProviders(<AccessDenied />);
+
+    expect(screen.getByTestId('workflowsNoReadAccessEmptyState')).toBeInTheDocument();
+    expect(screen.getByText('Contact your administrator for access')).toBeInTheDocument();
+    expect(
+      screen.getByText('To view workflows in this space, you need additional privileges.')
+    ).toBeInTheDocument();
+  });
+
+  it('lists required privileges in the empty prompt footer when requirements are provided', () => {
+    renderWithProviders(<AccessDenied requirements={['Workflows: Read']} />);
+
+    expect(
+      screen.getByTestId('workflowsNoReadAccessRequiredPrivilegesSection')
+    ).toBeInTheDocument();
+    expect(screen.getByText('Minimum privileges required in this space:')).toBeInTheDocument();
+    expect(screen.getByText('Workflows: Read')).toBeInTheDocument();
+  });
+
+  it('uses the light lock illustration in light mode', () => {
+    renderWithProviders(<AccessDenied />);
+
+    const image = screen.getByRole('img', { name: 'Restricted access' });
+    expect(image).toHaveAttribute(
+      'src',
+      '/mock-base-path/plugins/workflowsManagement/assets/lock_light.svg'
+    );
+  });
+});

src/platform/plugins/shared/workflows_management/public/assets/lock_dark.svg

@@ -0,0 +1,202 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import {
+  EuiBadge,
+  EuiEmptyPrompt,
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiHorizontalRule,
+  EuiImage,
+  EuiPageTemplate,
+  EuiPanel,
+  EuiText,
+  type EuiThemeComputed,
+  useEuiTheme,
+} from '@elastic/eui';
+import { css } from '@emotion/react';
+import React from 'react';
+import type { HttpSetup } from '@kbn/core/public';
+import { i18n } from '@kbn/i18n';
+import { FormattedMessage } from '@kbn/i18n-react';
+import { useKibana } from '@kbn/kibana-react-plugin/public';
+import { useWorkflowsBreadcrumbs } from '../../hooks/use_workflow_breadcrumbs/use_workflow_breadcrumbs';
+
+const PROMPT_MAX_WIDTH_PX = 740;
+const LOCK_ASSET_BASE = '/plugins/workflowsManagement/assets';
+
+const getEmptyPromptLayoutStyles = (
+  euiTheme: EuiThemeComputed,
+  options: { flushFooterToCard: boolean }
+) => css`
+  && > .euiEmptyPrompt__main {
+    inline-size: min(100%, ${PROMPT_MAX_WIDTH_PX}px);
+    padding-inline: ${euiTheme.size.xl};
+    padding-block-start: ${euiTheme.size.xl};
+    padding-block-end: ${euiTheme.size.xl};
+  }
+  ${options.flushFooterToCard
+    ? `
+    && > .euiEmptyPrompt__footer {
+      padding: 0;
+      margin: 0;
+      background: transparent;
+      border: none;
+    }
+  `
+    : ''}
+`;
+
+const getPrivilegeBadgeStyles = (euiTheme: EuiThemeComputed) => css`
+  padding-block: 0;
+  padding-inline: ${euiTheme.size.xs};
+  min-block-size: 0;
+  line-height: ${euiTheme.size.m};
+`;
+
+function getLockIllustrationSrc(http: HttpSetup | undefined, colorMode: string): string {
+  const file = colorMode === 'LIGHT' ? 'lock_light.svg' : 'lock_dark.svg';
+  return http?.basePath.prepend(`${LOCK_ASSET_BASE}/${file}`) ?? '';
+}
+
+interface PrivilegesFooterProps {
+  requirements: readonly string[];
+}
+
+const PrivilegesFooter = ({ requirements }: PrivilegesFooterProps) => {
+  const { euiTheme } = useEuiTheme();
+
+  return (
+    <>
+      <EuiHorizontalRule
+        margin="none"
+        css={{
+          marginBlockStart: euiTheme.size.xs,
+          marginBlockEnd: 0,
+        }}
+      />
+      <EuiPanel
+        data-test-subj="workflowsNoReadAccessRequiredPrivilegesSection"
+        color="subdued"
+        borderRadius="none"
+        paddingSize="none"
+        hasBorder={false}
+        hasShadow={false}
+        css={{
+          textAlign: 'center',
+          borderBottomLeftRadius: euiTheme.border.radius.medium,
+          borderBottomRightRadius: euiTheme.border.radius.medium,
+          paddingBlockStart: euiTheme.size.s,
+          paddingInline: euiTheme.size.m,
+          paddingBlockEnd: euiTheme.size.m,
+        }}
+      >
+        <EuiText color="subdued" textAlign="center" size="xs">
+          <p css={{ marginBlock: 0 }}>
+            <FormattedMessage
+              id="platform.plugins.shared.workflows_management.ui.noReadAccess.requiredPrivileges"
+              defaultMessage="Minimum privileges required in this space:"
+            />
+          </p>
+        </EuiText>
+        <EuiFlexGroup
+          gutterSize="xs"
+          wrap
+          justifyContent="center"
+          responsive={false}
+          css={{ marginBlockStart: euiTheme.size.xs }}
+        >
+          {requirements.map((requirement) => (
+            <EuiFlexItem key={requirement} grow={false}>
+              <EuiBadge color="hollow" css={getPrivilegeBadgeStyles(euiTheme)}>
+                {requirement}
+              </EuiBadge>
+            </EuiFlexItem>
+          ))}
+        </EuiFlexGroup>
+      </EuiPanel>
+    </>
+  );
+};
+
+export interface AccessDeniedProps {
+  /** Human-readable privilege labels (e.g. UI action names) needed to use the app in this space. */
+  requirements?: readonly string[];
+}
+
+export const AccessDenied = ({ requirements }: AccessDeniedProps): JSX.Element => {
+  useWorkflowsBreadcrumbs();
+  const { euiTheme, colorMode } = useEuiTheme();
+  const {
+    services: { http },
+  } = useKibana();
+
+  const lockSrc = getLockIllustrationSrc(http, colorMode);
+  const hasPrivilegesFooter = Boolean(requirements?.length);
+
+  return (
+    <EuiPageTemplate
+      offset={0}
+      paddingSize="none"
+      grow
+      css={{
+        backgroundColor: euiTheme.colors.backgroundBaseSubdued,
+        minHeight: 'var(--kbn-application--content-height, 100vh)',
+      }}
+    >
+      <EuiPageTemplate.Section
+        grow
+        css={{
+          display: 'flex',
+          alignItems: 'center',
+          justifyContent: 'center',
+        }}
+      >
+        <EuiEmptyPrompt
+          data-test-subj="workflowsNoReadAccessEmptyState"
+          hasShadow
+          color="plain"
+          paddingSize="none"
+          css={getEmptyPromptLayoutStyles(euiTheme, { flushFooterToCard: hasPrivilegesFooter })}
+          icon={
+            <EuiImage
+              size="s"
+              src={lockSrc}
+              alt={i18n.translate(
+                'platform.plugins.shared.workflows_management.ui.noReadAccess.illustrationAlt',
+                { defaultMessage: 'Restricted access' }
+              )}
+            />
+          }
+          title={
+            <h2>
+              <FormattedMessage
+                id="platform.plugins.shared.workflows_management.ui.noReadAccess.title"
+                defaultMessage="Contact your administrator for access"
+              />
+            </h2>
+          }
+          body={
+            <p css={{ marginBlockEnd: 0, textAlign: 'center' }}>
+              <FormattedMessage
+                id="platform.plugins.shared.workflows_management.ui.noReadAccess.description"
+                defaultMessage="To view workflows in this space, you need additional privileges."
+              />
+            </p>
+          }
+          footer={
+            hasPrivilegesFooter && requirements ? (
+              <PrivilegesFooter requirements={requirements} />
+            ) : undefined
+          }
+        />
+      </EuiPageTemplate.Section>
+    </EuiPageTemplate>
+  );
+};