2 changes: 1 addition & 1 deletion solutions/security/ai/attack-discovery.md
Expand Up @@ -55,7 +55,7 @@ Ensure your role has:

Ensure your role has:

* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack Discover** {{kib}} feature and at least `Read` privileges for the **Security > Rules** {{kib}} feature.
* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack Discover** {{kib}} feature and at least `Read` privileges for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature.

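Review bot: the feature name in both the old and the new line reads **Security > Attack Discover**, while the file being edited (`attack-discovery.md`) and the screenshot referenced below (`attack-discovery-rules-rbac.png`) spell it "Attack Discovery"; if the {{kib}} feature is named Attack Discovery, fix the name in the same pass so the privilege requirement points users at the right feature. The rename of the second feature to **Security > Rules, Alerts, and Exceptions** matches the other files in this change.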
Contributor Author
Note to self: Will need to update this screenshot when the changes are available in the next snapshot or 9.3 BC.

![attack-discovery-rules-rbac](/solutions/images/attack-discovery-rules-rbac.png "elasticsearch =60%x60%")

12 changes: 6 additions & 6 deletions solutions/security/detect-and-alert/detections-requirements.md
Expand Up @@ -60,12 +60,12 @@ For instructions about using {{ml}} jobs and rules, refer to [Machine learning j

| Action | Cluster Privileges | Index Privileges | Kibana Privileges |
| --- | --- | --- | --- |
| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>` ^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature |
| Enable detections in all spaces<br><br>**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>` ^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature |
| Preview rules | N/A | `read` for these indices:<br><br>- `.preview.alerts-security.alerts-<space-id>`<br>- `.internal.preview.alerts-security.alerts-<space-id>-*`<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature |
| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature<br><br>**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:<br><br>- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.<br>- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.<br> |
| Manage alerts<br><br>**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.internal.alerts-security.alerts-<space-id>-*`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br> **NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature <br><br>**NOTE:** Alerts are managed through {{es}} index privileges. To view the alert management flows requires at least the `Read` for the `Rules` feature. |
| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature |
| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>` ^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules, Alerts, and Exceptions` feature |
| Enable detections in all spaces<br><br>**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>` ^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules, Alerts, and Exceptions` feature |
| Preview rules | N/A | `read` for these indices:<br><br>- `.preview.alerts-security.alerts-<space-id>`<br>- `.internal.preview.alerts-security.alerts-<space-id>-*`<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules, Alerts, and Exceptions` feature |
| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules, Alerts, and Exceptions` feature<br><br>**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:<br><br>- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.<br>- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.<br> |
| Manage alerts<br><br>**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.internal.alerts-security.alerts-<space-id>-*`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br> **NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules, Alerts, and Exceptions` feature <br><br>**NOTE:** Alerts are managed through {{es}} index privileges. To view the alert management flows requires at least the `Read` for the `Rules, Alerts, and Exceptions` feature. |
| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules, Alerts, and Exceptions` feature |
| Manage value lists.<br><br>Create the `.lists` and `.items` data streams in your space<br><br>**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:<br><br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` and `Saved Objects Management` features |

### Predefined {{serverless-full}} roles [predefined-serverless-roles-detections]
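Review bot: the last row of the table (**Manage value lists**, left as unchanged context) still requires `All` for the `Rules` feature, while every edited row above now says `Rules, Alerts, and Exceptions`; either that row was missed in the rename or value lists keep the old feature name, and the table should say the same thing throughout. In the **Manage alerts** row, the edited note "To view the alert management flows requires at least the `Read` for the `Rules, Alerts, and Exceptions` feature" reads awkwardly; suggest "Viewing the alert management flows requires at least `Read` privileges for the `Rules, Alerts, and Exceptions` feature." The **Manage rules** row also alternates between `Action and Connectors` and `Actions and Connectors` for the same feature (pre-existing, but worth unifying while the row is being touched).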
2 changes: 1 addition & 1 deletion solutions/security/get-started/automatic-migration.md
Expand Up @@ -33,7 +33,7 @@ You can ingest your data before migrating your assets, or migrate your assets fi
:::{applies-item} { "stack": "ga 9.3", "serverless": "ga" }
**Requirements**

* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > SIEM migrations** {{kib}} feature and at least `Read` privileges for the **Security > Rules** {{kib}} feature.
* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > SIEM migrations** {{kib}} feature and at least `Read` privileges for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature.
* A working [LLM connector](/explore-analyze/ai-features/llm-guides/llm-connectors.md).
* {{stack}} users: an [Enterprise](https://www.elastic.co/pricing) subscription.
* {{Stack}} users: {{ml}} must be enabled.
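Review bot: `{{Stack}}` on the last context bullet differs in case from `{{stack}}` on the bullet before it; if the substitution variable is case-sensitive that bullet will not render the product name, so suggest `{{stack}}` (pre-existing, but cheap to fix in the same pass). The renamed feature on the edited line, **Security > Rules, Alerts, and Exceptions**, matches the other files in this change.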