elastic
diff --git a/‎.ci/es-snapshots/Jenkinsfile_verify_es‎
Lines changed: 2 additions & 2 deletions b/‎.ci/es-snapshots/Jenkinsfile_verify_es‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.eslintignore‎
Lines changed: 1 addition & 0 deletions b/‎.eslintignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎config/kibana.yml‎
Lines changed: 1 addition & 1 deletion b/‎config/kibana.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/api/saved-objects/bulk_get.asciidoc‎
Lines changed: 1 addition & 1 deletion b/‎docs/api/saved-objects/bulk_get.asciidoc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/apm/api.asciidoc‎
Lines changed: 12 additions & 10 deletions b/‎docs/apm/api.asciidoc‎
Lines changed: 12 additions & 10 deletions
diff --git a/‎docs/apm/apm-app-users.asciidoc‎
Lines changed: 256 additions & 0 deletions b/‎docs/apm/apm-app-users.asciidoc‎
Lines changed: 256 additions & 0 deletions
diff --git a/‎docs/apm/index.asciidoc‎
Lines changed: 2 additions & 0 deletions b/‎docs/apm/index.asciidoc‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/development/core/public/kibana-plugin-core-public.appcategory.label.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/development/core/public/kibana-plugin-core-public.appcategory.label.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/development/core/public/kibana-plugin-core-public.appcategory.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/development/core/public/kibana-plugin-core-public.appcategory.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/development/core/server/kibana-plugin-core-server.httpservicesetup.registerroutehandlercontext.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/development/core/server/kibana-plugin-core-server.httpservicesetup.registerroutehandlercontext.md‎
Lines changed: 1 addition & 1 deletion
@@ -22,8 +22,8 @@ def SNAPSHOT_MANIFEST = "https://storage.googleapis.com/kibana-ci-es-snapshots-d
 kibanaPipeline(timeoutMinutes: 150) {
   catchErrors {
     slackNotifications.onFailure(
-      title: ":broken_heart: *<${env.BUILD_URL}|[${SNAPSHOT_VERSION}] ES Snapshot Verification Failure>*",
-      message: ":broken_heart: [${SNAPSHOT_VERSION}] ES Snapshot Verification Failure",
+      title: "*<${env.BUILD_URL}|[${SNAPSHOT_VERSION}] ES Snapshot Verification Failure>*",
+      message: "[${SNAPSHOT_VERSION}] ES Snapshot Verification Failure",
     ) {
       retryable.enable(2)
       withEnv(["ES_SNAPSHOT_MANIFEST=${SNAPSHOT_MANIFEST}"]) {
 
@@ -3,6 +3,7 @@
 /.es
 /build
 /built_assets
+/config/apm.dev.js
 /data
 /html_docs
 /optimize
 
@@ -90,7 +90,7 @@
 # Specifies the path where Kibana creates the process ID file.
 #pid.file: /var/run/kibana.pid
 
-# Enables you specify a file where Kibana stores log output.
+# Enables you to specify a file where Kibana stores log output.
 #logging.dest: stdout
 
 # Set the value of this setting to true to suppress all logging output.
 
@@ -35,7 +35,7 @@ experimental[] Retrieve multiple {kib} saved objects by ID.
 ==== Response body
 
 `saved_objects`::
-  (array) Top-level property the contains objects that represent the response for each of the requested objects. The order of the objects in the response is identical to the order of the objects in the request.
+  (array) Top-level property containing objects that represent the response for each of the requested objects. The order of the objects in the response is identical to the order of the objects in the request.
 
 Saved objects that are unable to persist are replaced with an error object.
 
 
@@ -11,6 +11,12 @@ Some APM app features are provided via a REST API:
 * <<agent-config-api>>
 * <<apm-annotation-api>>
 
+[float]
+[[apm-api-example]]
+=== Using the APIs
+
+Users interacting with APM APIs must have <<apm-app-api-user,sufficient privileges>>.
+In addition, there are request headers to be aware of, like `kbn-xsrf: true`, and `Content-Type: applicaton/json`.
 Here's an example CURL request that adds an annotation to the APM app:
 
 [source,curl]
@@ -32,16 +38,8 @@ curl -X POST \
     }'
 ----
 
-For more information, the Kibana <<api,REST API reference>> provides information on how to use Kibana APIs,
-like required request headers and authentication options.
-
-// AGENT CONFIG API
-// GET --> Feature (APM) Read
-// CREATE/EDIT/DELETE --> Feature (APM) All
-
-// ANNOTATION API
-// Feature (APM) All
-// Index: `observability-annotations`. Privileges: `create_index`, `create_doc`, `manage`, and `read`.
+The Kibana <<api,REST API reference>> provides additional information on how to use Kibana APIs,
+required request headers, and token-based authentication options.
 
 ////
 *******************************************************
@@ -61,6 +59,8 @@ The following Agent configuration APIs are available:
 * <<apm-list-config>> to list all Agent configurations.
 * <<apm-search-config>> to search for an Agent configuration.
 
+See <<apm-app-api-config-manager>> for information on the privileges required to use this API endpoint.
+
 ////
 *******************************************************
 ////
@@ -327,6 +327,8 @@ The following APIs are available:
 By default, annotations are stored in a newly created `observability-annotations` index.
 The name of this index can be changed in your `config.yml` by editing `xpack.observability.annotations.index`.
 
+See <<apm-app-api-annotation-manager>> for information on the privileges required to use this API endpoint.
+
 ////
 *******************************************************
 ////
 
@@ -0,0 +1,256 @@
+[role="xpack"]
+[[apm-app-users]]
+== APM app users and privileges
+
+:beat_default_index_prefix: apm
+:beat_kib_app: APM app
+:annotation_index: `observability-annotations`
+
+++++
+<titleabbrev>Users and privileges</titleabbrev>
+++++
+
+You can use role-based access control to grant users access to secured
+resources. The roles that you set up depend on your organization's security
+requirements and the minimum privileges required to use specific features.
+
+{es-security-features} provides {ref}/built-in-roles.html[built-in roles] that grant a
+subset of the privileges needed by APM users.
+When possible, assign users the built-in roles to minimize the affect of future changes on your security strategy.
+If no built-in role is available, you can assign users the privileges needed to accomplish a specific task.
+In general, there are three types of privileges you'll work with:
+
+* **Elasticsearch cluster privileges**: Manage the actions a user can perform against your cluster.
+* **Elasticsearch index privileges**: Control access to the data in specific indices your cluster.
+* **Kibana space privileges**: Grant users write or read access to features and apps within Kibana.
+
+////
+***********************************  ***********************************
+////
+
+[role="xpack"]
+[[apm-app-reader]]
+=== APM reader user
+
+++++
+<titleabbrev>Create an APM reader user</titleabbrev>
+++++
+
+[[apm-app-reader-full]]
+==== Full APM reader
+
+APM reader users typically need to view the APM app, dashboards, and visualizations that contain APM data.
+These users might also need to create and edit dashboards, visualizations, and machine learning jobs.
+
+. Assign the following built-in roles:
++
+[options="header"]
+|====
+|Role | Purpose
+
+|`kibana_admin`
+|Grants access to all features in Kibana.
+
+|`apm_user`
+|Grants the privileges required for APM users on +{beat_default_index_prefix}*+ indices
+
+|`machine_learning_admin`
+|Grants the privileges required to create, update, and view machine learning jobs
+|====
+
+[[apm-app-reader-partial]]
+==== Partial APM reader
+
+In some instances, you may wish to restrict certain Kibana apps that a user has access to.
+
+. Assign the following built in roles:
++
+[options="header"]
+|====
+|Role | Purpose
+|`apm_user`
+|Grants the privileges required for APM users on +{beat_default_index_prefix}*+ indices
+|====
+
+. Assign space privileges to any Kibana space that the user needs access to.
+Here are two examples:
++
+[options="header"]
+|====
+|Type | Privilege | Purpose
+
+| Spaces
+| `Read` or `All` on the {beat_kib_app}
+| Allow the use of the the {beat_kib_app}
+
+| Spaces
+| `Read` or `All` on Dashboards, Visualize, and Discover
+| Allow the user to view, edit, and create dashboards, as well as browse data.
+|====
+
+. Finally, assign the following role if a user needs to enable and edit machine learning features:
++
+[options="header"]
+|====
+|Role | Purpose
+
+|`machine_learning_admin`
+|Grants the privileges required to create, update, and view machine learning jobs
+|====
+
+////
+***********************************  ***********************************
+////
+
+[role="xpack"]
+[[apm-app-central-config-user]]
+=== APM app central config user
+
+++++
+<titleabbrev>Create a central config user</titleabbrev>
+++++
+
+[[apm-app-central-config-manager]]
+==== Central configuration manager
+
+Central configuration users need to be able to view, create, update, and delete Agent configurations.
+
+. Assign the following built-in roles:
++
+[options="header"]
+|====
+|Role | Purpose
+
+|`apm_user`
+|Grants the privileges required for APM users on +{beat_default_index_prefix}*+ indices
+|====
+
+. Assign the following Kibana space privileges:
++
+[options="header"]
+|====
+|Type | Privilege | Purpose
+
+| Spaces
+|`All` on {beat_kib_app}
+|Allow full use of the {beat_kib_app}
+|====
+
+[[apm-app-central-config-reader]]
+==== Central configuration reader
+
+In some instances, you may wish to create a user that can only read central configurations,
+but not create, update, or delete them.
+
+. Assign the following built-in roles:
++
+[options="header"]
+|====
+|Role | Purpose
+|`apm_user`
+|Grants the privileges required for APM users on +{beat_default_index_prefix}*+ indices
+|====
+
+. Assign the following Kibana space privileges:
++
+[options="header"]
+|====
+|Type | Privilege | Purpose
+
+| Spaces
+|`read` on the {beat_kib_app}
+|Allow read access to the {beat_kib_app}
+|====
+
+[[apm-app-central-config-api]]
+==== Central configuration API
+
+See <<apm-app-api-user>>.
+
+////
+***********************************  ***********************************
+////
+
+[role="xpack"]
+[[apm-app-api-user]]
+=== APM app API user
+
+++++
+<titleabbrev>Create an API user</titleabbrev>
+++++
+
+[[apm-app-api-config-manager]]
+==== Central configuration API
+
+Users can list, search, create, update, and delete central configurations via the APM app API.
+
+. Assign the following Kibana space privileges:
++
+[options="header"]
+|====
+|Type | Privilege | Purpose
+
+| Spaces
+|`all` on the {beat_kib_app}
+|Allow all access to the {beat_kib_app}
+|====
+
+[[apm-app-api-config-reader]]
+==== Central configuration API reader
+
+Sometimes a user only needs to list and search central configurations via the APM app API.
+
+. Assign the following Kibana space privileges:
++
+[options="header"]
+|====
+|Type | Privilege | Purpose
+
+| Spaces
+|`read` on the {beat_kib_app}
+|Allow read access to the {beat_kib_app}
+|====
+
+[[apm-app-api-annotation-manager]]
+==== Annotation API
+
+Users can use the annotation API to create annotations on their APM data.
+
+. Create a new role, named something like `annotation_role`,
+and assign the following privileges:
++
+[options="header"]
+|====
+|Type | Privilege | Purpose
+
+|Index
+|`manage` on +{annotation_index}+ index
+|Check if the +{annotation_index}+ index exists
+
+|Index
+|`read` on +{annotation_index}+ index
+|Read the +{annotation_index}+ index
+
+|Index
+|`create_index` on +{annotation_index}+ index
+|Create the +{annotation_index}+ index
+
+|Index
+|`create_doc` on +{annotation_index}+ index
+|Create new annotations in the +{annotation_index}+ index
+|====
+
+. Assign the `annotation_role` created previously,
+and the following Kibana space privileges to any annotation API users:
++
+[options="header"]
+|====
+|Type | Privilege | Purpose
+
+| Spaces
+|`all` on the {beat_kib_app}
+|Allow all access to the {beat_kib_app}
+|====
+
+//LEARN MORE
+//Learn more about <<kibana-feature-privileges,feature privileges>>.
@@ -31,6 +31,8 @@ include::getting-started.asciidoc[]
 
 include::how-to-guides.asciidoc[]
 
+include::apm-app-users.asciidoc[]
+
 include::settings.asciidoc[]
 
 include::api.asciidoc[]
 
@@ -4,7 +4,7 @@
 
 ## AppCategory.label property
 
-Label used for cateogry name. Also used as aria-label if one isn't set.
+Label used for category name. Also used as aria-label if one isn't set.
 
 <b>Signature:</b>
 
 
@@ -19,6 +19,6 @@ export interface AppCategory
 |  [ariaLabel](./kibana-plugin-core-public.appcategory.arialabel.md) | <code>string</code> | If the visual label isn't appropriate for screen readers, can override it here |
 |  [euiIconType](./kibana-plugin-core-public.appcategory.euiicontype.md) | <code>string</code> | Define an icon to be used for the category If the category is only 1 item, and no icon is defined, will default to the product icon Defaults to initials if no icon is defined |
 |  [id](./kibana-plugin-core-public.appcategory.id.md) | <code>string</code> | Unique identifier for the categories |
-|  [label](./kibana-plugin-core-public.appcategory.label.md) | <code>string</code> | Label used for cateogry name. Also used as aria-label if one isn't set. |
+|  [label](./kibana-plugin-core-public.appcategory.label.md) | <code>string</code> | Label used for category name. Also used as aria-label if one isn't set. |
 |  [order](./kibana-plugin-core-public.appcategory.order.md) | <code>number</code> | The order that categories will be sorted in Prefer large steps between categories to allow for further editing (Default categories are in steps of 1000) |
 
@@ -21,7 +21,7 @@ registerRouteHandlerContext: <T extends keyof RequestHandlerContext>(contextName
    'myApp',
    (context, req) => {
     async function search (id: string) {
-      return await context.elasticsearch.adminClient.callAsInternalUser('endpoint', id);
+      return await context.elasticsearch.legacy.client.callAsInternalUser('endpoint', id);
     }
     return { search };
    }
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ registerRouteHandlerContext: <T extends keyof RequestHandlerContext>(contextName`
`21`	`21`	`'myApp',`
`22`	`22`	`(context, req) => {`
`23`	`23`	`async function search (id: string) {`
`24`		`- return await context.elasticsearch.adminClient.callAsInternalUser('endpoint', id);`
	`24`	`+ return await context.elasticsearch.legacy.client.callAsInternalUser('endpoint', id);`
`25`	`25`	`}`
`26`	`26`	`return { search };`
`27`	`27`	`}`