[EDR Workflows][Bug] Show artifact links without endpoint list privilege #226561
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
joeypoon left a comment

🙆‍♂️

> A small side effect is that on the breadcrumb, Endpoints won't be clickable.

assuming we're cool with this on a product level.
@caitlinbetz, do you think this change is acceptable?

✅ this is acceptable, confirmed offline by @roxana-gheorghe
💛 Build succeeded, but was flaky
…ege (elastic#226561)

## Summary

In Serverless, Security solution, under Assets/Endpoints, if user didn't have access to Endpoints (`endpoint_list_read|all`), the whole Endpoints group was filtered without showing any other subpage. This can occur only with custom roles as no pre-built roles exist with these conditions.

This PR fixes this by simply removing the `link` from the group, so it won't be filtered when Endpoint access is missing.

<img width="492" alt="image" src="https://github.com/user-attachments/assets/14af8a2f-2b60-497a-96c7-d6c6da91b453" />

A small side effect is that on the breadcrumb, Endpoints won't be clickable.

| Before | After |
|-|-|
| <img width="422" alt="image" src="https://github.com/user-attachments/assets/a97d8d0e-81ad-4faa-87fe-e48f038f6018" /> | <img width="434" alt="image" src="https://github.com/user-attachments/assets/b9a3cbe4-dc06-4c77-899a-7c020b553c59" /> |

> [!NOTE]
> The added cypress test does not test this issue actually, as custom roles cannot be used in cypress tests at the moment. Hopefully this can be improved in the future.

### How to test

To do some manual tests, you can add the following custom roles to the file below **before starting up the local serverless instance**:

src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml

<details><summary>Custom roles</summary>

```yml
endpoint_list_NONE_artifacts_NONE:
  cluster: []
  indices:
    - names:
        - '.lists-*'
        - '.items-*'
        - '.alerts-security.alerts-*'
        - '.siem-signals*'
      privileges:
        - 'read'
        - 'view_index_metadata'
      allow_restricted_indices: false
  applications:
    - application: 'kibana-.kibana'
      privileges:
        - feature_siemV3.minimal_all
      resources: '*'
  run_as: []

endpoint_list_NONE_artifacts_READ:
  cluster: []
  indices:
    - names:
        - '.lists-*'
        - '.items-*'
        - '.alerts-security.alerts-*'
        - '.siem-signals*'
      privileges:
        - 'read'
        - 'view_index_metadata'
      allow_restricted_indices: false
  applications:
    - application: 'kibana-.kibana'
      privileges:
        - feature_siemV3.minimal_all
        - feature_siemV3.trusted_applications_read
        - feature_siemV3.event_filters_read
        - feature_siemV3.host_isolation_exceptions_read
        - feature_siemV3.blocklist_read
      resources: '*'
  run_as: []

endpoint_list_READ_artifacts_READ:
  cluster: []
  indices:
    - names:
        - '.lists-*'
        - '.items-*'
        - '.alerts-security.alerts-*'
        - '.siem-signals*'
      privileges:
        - 'read'
        - 'view_index_metadata'
      allow_restricted_indices: false
  applications:
    - application: 'kibana-.kibana'
      privileges:
        - feature_siemV3.minimal_all
        - feature_siemV3.endpoint_list_read
        - feature_siemV3.trusted_applications_read
        - feature_siemV3.event_filters_read
        - feature_siemV3.host_isolation_exceptions_read
        - feature_siemV3.blocklist_read
      resources: '*'
  run_as: []

endpoint_list_READ_artifacts_NONE:
  cluster: []
  indices:
    - names:
        - '.lists-*'
        - '.items-*'
        - '.alerts-security.alerts-*'
        - '.siem-signals*'
      privileges:
        - 'read'
        - 'view_index_metadata'
      allow_restricted_indices: false
  applications:
    - application: 'kibana-.kibana'
      privileges:
        - feature_siemV3.minimal_all
        - feature_siemV3.endpoint_list_read
      resources: '*'
  run_as: []
```

</details>

### Todo

- [x] run on MKI before merge

https://buildkite.com/elastic/kibana-serverless-security-solution-quality-gate-defend-workflows/builds/3027/steps/canvas?jid=0197d5be-7b77-44a0-85f2-8f4a37657980

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
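How a link on a group node produces the filtering described in the Summary, as an added sketch that is not Kibana's navigation code: the node shape, `filterNav`, `visibleIds` and both trees are hypothetical, and only the privilege names are taken from the test roles above (`minimal_all` is left out because it gates no node in this model).

```typescript
// Hypothetical model of a privilege-filtered navigation tree (not Kibana's implementation).
interface NavNode {
  id: string;
  // Privilege needed to open this node's own page; undefined means the node has no link.
  requires?: string;
  children?: NavNode[];
}

// Constructed artifact pages, gated by the artifact privileges from the test roles.
const artifactPages: NavNode[] = [
  { id: 'trusted_applications', requires: 'trusted_applications_read' },
  { id: 'event_filters', requires: 'event_filters_read' },
  { id: 'host_isolation_exceptions', requires: 'host_isolation_exceptions_read' },
  { id: 'blocklist', requires: 'blocklist_read' },
];

// "Before": the group itself links to the endpoint list, so it inherits that page's gate.
const groupWithLink: NavNode = {
  id: 'endpoints_group',
  requires: 'endpoint_list_read',
  children: artifactPages,
};

// "After": the group has no link; the endpoint list is assumed to be an ordinary child.
const groupWithoutLink: NavNode = {
  id: 'endpoints_group',
  children: [{ id: 'endpoints', requires: 'endpoint_list_read' } as NavNode].concat(artifactPages),
};

// Returns the subtree the user may see, or null when the node is filtered out.
function filterNav(node: NavNode, granted: string[]): NavNode | null {
  // A gated node is dropped together with its whole subtree: this is the bug's mechanism.
  if (node.requires !== undefined && granted.indexOf(node.requires) === -1) {
    return null;
  }
  if (node.children === undefined) {
    return node;
  }
  const kept = node.children
    .map((child) => filterNav(child, granted))
    .filter((child): child is NavNode => child !== null);
  // A link-less group with no visible child has nothing to show and is dropped too.
  if (kept.length === 0 && node.requires === undefined) {
    return null;
  }
  return { ...node, children: kept };
}

// Flattens the filtered tree into the ids a user would see, in display order.
function visibleIds(root: NavNode, granted: string[]): string[] {
  const filtered = filterNav(root, granted);
  const out: string[] = [];
  const walk = (n: NavNode): void => {
    out.push(n.id);
    (n.children || []).forEach(walk);
  };
  if (filtered !== null) {
    walk(filtered);
  }
  return out;
}

// Privileges of the four custom roles from the PR description (prefix feature_siemV3. dropped).
const artifactReads = [
  'trusted_applications_read',
  'event_filters_read',
  'host_isolation_exceptions_read',
  'blocklist_read',
];
const roles = {
  endpoint_list_NONE_artifacts_NONE: [] as string[],
  endpoint_list_NONE_artifacts_READ: artifactReads,
  endpoint_list_READ_artifacts_READ: ['endpoint_list_read'].concat(artifactReads),
  endpoint_list_READ_artifacts_NONE: ['endpoint_list_read'],
};

// Print what each role sees with the linked group and with the link-less group.
(Object.keys(roles) as (keyof typeof roles)[]).forEach((role) => {
  console.log(role);
  console.log('  before:', visibleIds(groupWithLink, roles[role]).join(', ') || '(nothing)');
  console.log('  after: ', visibleIds(groupWithoutLink, roles[role]).join(', ') || '(nothing)');
});
```

Note that removing the gate from the group only changes what is rendered; each child keeps its own privilege check, so `endpoint_list_NONE_artifacts_READ` gains the artifact pages but still not the endpoint list.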
Starting backport for target branches: 8.17, 8.18, 8.19, 9.0, 9.1
…ege (elastic#226561) (cherry picked from commit 4b9d2c5)
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI.

Manual backport
To create the backport manually run:

Questions ?
Please refer to the Backport tool documentation
…privilege (#226561) (#229057)

# Backport

This will backport the following commits from `main` to `9.1`:

- [[EDR Workflows][Bug] Show artifact links without endpoint list privilege (#226561)](#226561)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Gergő Ábrahám <gergo.abraham@elastic.co>


Summary
In Serverless, Security solution, under Assets/Endpoints, if a user didn't have access to Endpoints (`endpoint_list_read|all`), the whole Endpoints group was filtered without showing any other subpage. This can occur only with custom roles as no pre-built roles exist with these conditions.
This PR fixes this by simply removing the `link` from the group, so it won't be filtered when Endpoint access is missing.
A small side effect is that on the breadcrumb, Endpoints won't be clickable.
Note
The added cypress test does not test this issue actually, as custom roles cannot be used in cypress tests at the moment. Hopefully this can be improved in the future.
How to test
To do some manual tests, you can add the following custom roles to the file below before starting up the local serverless instance:
src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml
Custom roles
Todo
https://buildkite.com/elastic/kibana-serverless-security-solution-quality-gate-defend-workflows/builds/3027/steps/canvas?jid=0197d5be-7b77-44a0-85f2-8f4a37657980
Checklist
Check the PR satisfies the following conditions.
Reviewers should verify this PR satisfies this list as well.
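
The filtering behaviour described in the summary, as an added example that is not part of the PR or of Kibana's code: a simplified navigation-tree filter run against the four custom roles listed under "How to test". The node shape, the `filterNav` and `visiblePages` helpers, and the placement of the Endpoints list as a child page are assumptions made for illustration; only the `read` variant of each privilege is modelled.

```typescript
// Simplified model of privilege-gated navigation (hypothetical names, not Kibana code).
// A node with `requires` is shown only if the role holds one of those privileges.
type NavNode = { id: string; requires?: string[]; children?: NavNode[] };

const PAGES: NavNode[] = [
  { id: 'endpoint_list', requires: ['endpoint_list_read'] },
  { id: 'trusted_applications', requires: ['trusted_applications_read'] },
  { id: 'event_filters', requires: ['event_filters_read'] },
  { id: 'host_isolation_exceptions', requires: ['host_isolation_exceptions_read'] },
  { id: 'blocklist', requires: ['blocklist_read'] },
];

// Before: the group links to the Endpoints list, so it inherits that page's privilege.
const GROUP_BEFORE: NavNode = { id: 'endpoints', requires: ['endpoint_list_read'], children: PAGES };
// After: the group has no link of its own and is judged only by its children.
const GROUP_AFTER: NavNode = { id: 'endpoints', children: PAGES };

// Feature privileges of the page's four test roles, `feature_siemV3.` prefix dropped.
const ARTIFACTS_READ = ['trusted_applications_read', 'event_filters_read',
  'host_isolation_exceptions_read', 'blocklist_read'];
const ROLES = {
  endpoint_list_NONE_artifacts_NONE: ['minimal_all'],
  endpoint_list_NONE_artifacts_READ: ['minimal_all'].concat(ARTIFACTS_READ),
  endpoint_list_READ_artifacts_READ: ['minimal_all', 'endpoint_list_read'].concat(ARTIFACTS_READ),
  endpoint_list_READ_artifacts_NONE: ['minimal_all', 'endpoint_list_read'],
};

function filterNav(node: NavNode, privileges: string[]): NavNode | null {
  if (node.requires && !node.requires.some((p) => privileges.indexOf(p) !== -1)) {
    return null; // own link not accessible: the node and its whole subtree disappear
  }
  if (!node.children) return node;
  const children = node.children
    .map((child) => filterNav(child, privileges))
    .filter((child): child is NavNode => child !== null);
  // A link-less group with no visible child has nothing to show.
  if (children.length === 0 && !node.requires) return null;
  return { ...node, children };
}

// Ids of the subpages a role sees under the group ([] when the group is filtered out).
function visiblePages(group: NavNode, rolePrivileges: string[]): string[] {
  const filtered = filterNav(group, rolePrivileges);
  return filtered && filtered.children ? filtered.children.map((c) => c.id) : [];
}

// Print the before/after view for each role.
(Object.keys(ROLES) as Array<keyof typeof ROLES>).forEach((role) => {
  console.log(role, visiblePages(GROUP_BEFORE, ROLES[role]), visiblePages(GROUP_AFTER, ROLES[role]));
});
```

Only `endpoint_list_NONE_artifacts_READ` differs between the two trees: it loses every artifact page before the change and keeps all four after it.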