[EDR Workflows] Workflow Insights - RBAC #205088
Merged
+691
−80
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jbudz
approved these changes
Dec 23, 2024
botelastic
bot
added
the
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
szwarckonrad
added
release_note:skip
|
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
semd
reviewed
Jan 2, 2025
.../management/pages/endpoint_hosts/view/details/components/insights/workflow_insights_scan.tsx
Show resolved
Hide resolved
semd
approved these changes
Jan 3, 2025
joeypoon
approved these changes
Jan 3, 2025
e40pud
approved these changes
Jan 6, 2025
|
Starting backport for target branches: 8.x |
💚 Build Succeeded
Metrics [docs]Async chunks
Page load bundle
History
|
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 7, 2025
## Access Control for Endpoint Workflow Insights
This PR adds access control to the Endpoint Workflow Insights
functionality. Both the UI and API are gated based on the following
conditions. If these conditions are not met, the content will not
render, and direct API calls will return errors.
Access Conditions
```
1. Serverless: Requires the Endpoint Complete Tier.
2. ESS: Requires an Enterprise License.
3. User Privileges:
3.1 Endpoint Insights Privilege must be enabled:
3.1.1 Endpoint Insights All: Grants full access.
3.1.2 Endpoint Insights Read:
3.1.2.1 Allows users to view generated insights but prevents triggering new scans.
3.1.2.2 With Trusted Applications privilege: Users can remediate already generated insights.
3.1.2.3 Without Trusted Applications privilege: No actions can be taken.
3.1.3Endpoint Insights None: The section is not rendered.
```
Predefined serverless roles that should include endpoint insights
privilege(as defined
[here](elastic/security-team#11460)):
- Tier 3 analyst
- Rule Author
- SOC Manager
- Endpoint Operations Analyst
- Endpoint Policy Manager
- Platform Engineer
Once this PR is merged and changes make it to canary release, [this
follow-up
PR](elastic/elasticsearch-controller#816) should
be merged.
Note on Testing and Local Setup
To test these changes locally, the `defendInsights` assistant feature
must be enabled. You can do this by updating the following line in the
code: [Enable defendInsights
here](https://github.com/elastic/kibana/blob/2ae68bdaac180c62750798c148bed4fd01de07fe/x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/capabilities/index.ts#L23).
Cypress Tests
Cypress tests in this PR are currently skipped because the
`defendInsights` feature is not enabled by default. These tests should
be enabled once the feature is turned on in the main branch. Successful
run with all cypress tests enabled can be found
[here](https://buildkite.com/elastic/kibana-pull-request/builds/262774#0193f3c2-eddd-48b6-9103-fb7338304f15).
<details>
<summary>Screenshots</summary>
</details>
---------
Co-authored-by: kibanamachine <[email protected]>
(cherry picked from commit 2f61892)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
tomsonpl
approved these changes
Jan 7, 2025
| return response.forbidden({ | ||
| body: { | ||
| message: | ||
| 'Your license does not support Defend Workflows. Please upgrade your license.', |
There was a problem hiding this comment.
Shouldn't this be in i18n?
| return response.forbidden({ | ||
| body: { | ||
| message: | ||
| 'Your license does not support Defend Workflows. Please upgrade your license.', |
kibanamachine
added a commit
that referenced
this pull request
Jan 7, 2025
# Backport This will backport the following commits from `main` to `8.x`: - [[EDR Workflows] Workflow Insights - RBAC (#205088)](#205088) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Konrad Szwarc","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-07T09:33:25Z","message":"[EDR Workflows] Workflow Insights - RBAC (#205088)\n\n## Access Control for Endpoint Workflow Insights\r\n\r\nThis PR adds access control to the Endpoint Workflow Insights\r\nfunctionality. Both the UI and API are gated based on the following\r\nconditions. If these conditions are not met, the content will not\r\nrender, and direct API calls will return errors.\r\n\r\nAccess Conditions\r\n```\r\n1. Serverless: Requires the Endpoint Complete Tier.\r\n2. ESS: Requires an Enterprise License.\r\n3. User Privileges:\r\n 3.1 Endpoint Insights Privilege must be enabled:\r\n 3.1.1 Endpoint Insights All: Grants full access.\r\n\t3.1.2 Endpoint Insights Read:\r\n\t 3.1.2.1 Allows users to view generated insights but prevents triggering new scans.\r\n\t 3.1.2.2 With Trusted Applications privilege: Users can remediate already generated insights.\r\n\t 3.1.2.3 Without Trusted Applications privilege: No actions can be taken.\r\n\t3.1.3Endpoint Insights None: The section is not rendered.\r\n```\r\n\r\nPredefined serverless roles that should include endpoint insights\r\nprivilege(as defined\r\n[here](https://github.com/elastic/security-team/issues/11460)):\r\n- Tier 3 analyst\r\n- Rule Author\r\n- SOC Manager\r\n- Endpoint Operations Analyst\r\n- Endpoint Policy Manager\r\n- Platform Engineer\r\n\r\nOnce this PR is merged and changes make it to canary release, [this\r\nfollow-up\r\nPR](elastic/elasticsearch-controller#816) should\r\nbe merged.\r\n\r\nNote on Testing and Local Setup\r\n\r\nTo test these changes locally, the `defendInsights` assistant feature\r\nmust be enabled. You can do this by updating the following line in the\r\ncode: [Enable defendInsights\r\nhere](https://github.com/elastic/kibana/blob/2ae68bdaac180c62750798c148bed4fd01de07fe/x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/capabilities/index.ts#L23).\r\n\r\nCypress Tests\r\n\r\nCypress tests in this PR are currently skipped because the\r\n`defendInsights` feature is not enabled by default. These tests should\r\nbe enabled once the feature is turned on in the main branch. Successful\r\nrun with all cypress tests enabled can be found\r\n[here](https://buildkite.com/elastic/kibana-pull-request/builds/262774#0193f3c2-eddd-48b6-9103-fb7338304f15).\r\n\r\n<details>\r\n<summary>Screenshots</summary>\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n</details>\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"2f61892e84b31ebd4774cae2686ebd6c4c2cab89","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v9.0.0","Team:Defend Workflows","backport:prev-minor","v8.18.0"],"title":"[EDR Workflows] Workflow Insights - RBAC ","number":205088,"url":"https://github.com/elastic/kibana/pull/205088","mergeCommit":{"message":"[EDR Workflows] Workflow Insights - RBAC (#205088)\n\n## Access Control for Endpoint Workflow Insights\r\n\r\nThis PR adds access control to the Endpoint Workflow Insights\r\nfunctionality. Both the UI and API are gated based on the following\r\nconditions. If these conditions are not met, the content will not\r\nrender, and direct API calls will return errors.\r\n\r\nAccess Conditions\r\n```\r\n1. Serverless: Requires the Endpoint Complete Tier.\r\n2. ESS: Requires an Enterprise License.\r\n3. User Privileges:\r\n 3.1 Endpoint Insights Privilege must be enabled:\r\n 3.1.1 Endpoint Insights All: Grants full access.\r\n\t3.1.2 Endpoint Insights Read:\r\n\t 3.1.2.1 Allows users to view generated insights but prevents triggering new scans.\r\n\t 3.1.2.2 With Trusted Applications privilege: Users can remediate already generated insights.\r\n\t 3.1.2.3 Without Trusted Applications privilege: No actions can be taken.\r\n\t3.1.3Endpoint Insights None: The section is not rendered.\r\n```\r\n\r\nPredefined serverless roles that should include endpoint insights\r\nprivilege(as defined\r\n[here](https://github.com/elastic/security-team/issues/11460)):\r\n- Tier 3 analyst\r\n- Rule Author\r\n- SOC Manager\r\n- Endpoint Operations Analyst\r\n- Endpoint Policy Manager\r\n- Platform Engineer\r\n\r\nOnce this PR is merged and changes make it to canary release, [this\r\nfollow-up\r\nPR](elastic/elasticsearch-controller#816) should\r\nbe merged.\r\n\r\nNote on Testing and Local Setup\r\n\r\nTo test these changes locally, the `defendInsights` assistant feature\r\nmust be enabled. You can do this by updating the following line in the\r\ncode: [Enable defendInsights\r\nhere](https://github.com/elastic/kibana/blob/2ae68bdaac180c62750798c148bed4fd01de07fe/x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/capabilities/index.ts#L23).\r\n\r\nCypress Tests\r\n\r\nCypress tests in this PR are currently skipped because the\r\n`defendInsights` feature is not enabled by default. These tests should\r\nbe enabled once the feature is turned on in the main branch. Successful\r\nrun with all cypress tests enabled can be found\r\n[here](https://buildkite.com/elastic/kibana-pull-request/builds/262774#0193f3c2-eddd-48b6-9103-fb7338304f15).\r\n\r\n<details>\r\n<summary>Screenshots</summary>\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n</details>\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"2f61892e84b31ebd4774cae2686ebd6c4c2cab89"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/205088","number":205088,"mergeCommit":{"message":"[EDR Workflows] Workflow Insights - RBAC (#205088)\n\n## Access Control for Endpoint Workflow Insights\r\n\r\nThis PR adds access control to the Endpoint Workflow Insights\r\nfunctionality. Both the UI and API are gated based on the following\r\nconditions. If these conditions are not met, the content will not\r\nrender, and direct API calls will return errors.\r\n\r\nAccess Conditions\r\n```\r\n1. Serverless: Requires the Endpoint Complete Tier.\r\n2. ESS: Requires an Enterprise License.\r\n3. User Privileges:\r\n 3.1 Endpoint Insights Privilege must be enabled:\r\n 3.1.1 Endpoint Insights All: Grants full access.\r\n\t3.1.2 Endpoint Insights Read:\r\n\t 3.1.2.1 Allows users to view generated insights but prevents triggering new scans.\r\n\t 3.1.2.2 With Trusted Applications privilege: Users can remediate already generated insights.\r\n\t 3.1.2.3 Without Trusted Applications privilege: No actions can be taken.\r\n\t3.1.3Endpoint Insights None: The section is not rendered.\r\n```\r\n\r\nPredefined serverless roles that should include endpoint insights\r\nprivilege(as defined\r\n[here](https://github.com/elastic/security-team/issues/11460)):\r\n- Tier 3 analyst\r\n- Rule Author\r\n- SOC Manager\r\n- Endpoint Operations Analyst\r\n- Endpoint Policy Manager\r\n- Platform Engineer\r\n\r\nOnce this PR is merged and changes make it to canary release, [this\r\nfollow-up\r\nPR](elastic/elasticsearch-controller#816) should\r\nbe merged.\r\n\r\nNote on Testing and Local Setup\r\n\r\nTo test these changes locally, the `defendInsights` assistant feature\r\nmust be enabled. You can do this by updating the following line in the\r\ncode: [Enable defendInsights\r\nhere](https://github.com/elastic/kibana/blob/2ae68bdaac180c62750798c148bed4fd01de07fe/x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/capabilities/index.ts#L23).\r\n\r\nCypress Tests\r\n\r\nCypress tests in this PR are currently skipped because the\r\n`defendInsights` feature is not enabled by default. These tests should\r\nbe enabled once the feature is turned on in the main branch. Successful\r\nrun with all cypress tests enabled can be found\r\n[here](https://buildkite.com/elastic/kibana-pull-request/builds/262774#0193f3c2-eddd-48b6-9103-fb7338304f15).\r\n\r\n<details>\r\n<summary>Screenshots</summary>\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n</details>\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"2f61892e84b31ebd4774cae2686ebd6c4c2cab89"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Konrad Szwarc <[email protected]>
kowalczyk-krzysztof
pushed a commit
to kowalczyk-krzysztof/kibana
that referenced
this pull request
Jan 7, 2025
## Access Control for Endpoint Workflow Insights
This PR adds access control to the Endpoint Workflow Insights
functionality. Both the UI and API are gated based on the following
conditions. If these conditions are not met, the content will not
render, and direct API calls will return errors.
Access Conditions
```
1. Serverless: Requires the Endpoint Complete Tier.
2. ESS: Requires an Enterprise License.
3. User Privileges:
3.1 Endpoint Insights Privilege must be enabled:
3.1.1 Endpoint Insights All: Grants full access.
3.1.2 Endpoint Insights Read:
3.1.2.1 Allows users to view generated insights but prevents triggering new scans.
3.1.2.2 With Trusted Applications privilege: Users can remediate already generated insights.
3.1.2.3 Without Trusted Applications privilege: No actions can be taken.
3.1.3Endpoint Insights None: The section is not rendered.
```
Predefined serverless roles that should include endpoint insights
privilege(as defined
[here](elastic/security-team#11460)):
- Tier 3 analyst
- Rule Author
- SOC Manager
- Endpoint Operations Analyst
- Endpoint Policy Manager
- Platform Engineer
Once this PR is merged and changes make it to canary release, [this
follow-up
PR](elastic/elasticsearch-controller#816) should
be merged.
Note on Testing and Local Setup
To test these changes locally, the `defendInsights` assistant feature
must be enabled. You can do this by updating the following line in the
code: [Enable defendInsights
here](https://github.com/elastic/kibana/blob/2ae68bdaac180c62750798c148bed4fd01de07fe/x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/capabilities/index.ts#L23).
Cypress Tests
Cypress tests in this PR are currently skipped because the
`defendInsights` feature is not enabled by default. These tests should
be enabled once the feature is turned on in the main branch. Successful
run with all cypress tests enabled can be found
[here](https://buildkite.com/elastic/kibana-pull-request/builds/262774#0193f3c2-eddd-48b6-9103-fb7338304f15).
<details>
<summary>Screenshots</summary>
</details>
---------
Co-authored-by: kibanamachine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Access Control for Endpoint Workflow Insights
This PR adds access control to the Endpoint Workflow Insights functionality. Both the UI and API are gated based on the following conditions. If these conditions are not met, the content will not render, and direct API calls will return errors.
Access Conditions
Predefined serverless roles that should include endpoint insights privilege(as defined here):
Once this PR is merged and changes make it to canary release, this follow-up PR should be merged.
Note on Testing and Local Setup
To test these changes locally, the
defendInsightsassistant feature must be enabled. You can do this by updating the following line in the code: Enable defendInsights here.Cypress Tests
Cypress tests in this PR are currently skipped because the
defendInsightsfeature is not enabled by default. These tests should be enabled once the feature is turned on in the main branch. Successful run with all cypress tests enabled can be found here.Screenshots