[Security][9.1] Security roles siemV3 migration for Global Artifact Management

[gergoabraham]

Tip

looks huge, but

• 5,402 lines snapshot tests
• 714 lines yaml files

Summary

This PR adds a new feature version siemV3 with the required role migrations, in order to enable the new privilege global_artifact_management_all for users where needed.

Caution

In case you are looking at this PR as a template for an upcoming role deprecation, here's a learning.

Adding role deprecations and updating predefined roles should be in separate PRs.

If you add only the role deprecations in your first PR, the existing tests using the old predefined roles can catch bugs in the role deprecation logic! And then in an upcoming PR, you can update the predefined roles.

(This PR contained a bug in the role deprecations, which bug was fortunately found by the subset of tests that are performed periodically on MKI, but we should not rely on that.)

What's in the PR?

• Required changes around security role migration from siemV2 to siemV3

• Improvements by parameterizing siemV3 in lots of places, to ease future role migrations by decreasing the occurrences that have to be changed.

• A new function called baseFeatureConfigModifier() in ProductFeaturesConfig: now product features have the ability to modify the base Kibana feature. de05a3b

• Product feature endpointArtifactManagement is split to ESS/Serverless counterparts, and adds role migrations to the base Kibana config using baseFeatureConfigModifier() (1c31f56). This solves 2 problems:

  • Different migrations are needed for ESS and Serverless.
  • The product feature endpointArtifactManagement, and hence the privilege global_artifact_management_all is not available on all serverless tiers (see these fails), therefore the migration needed to be separated from the base Kibana feature config.
  • (note: these changes were safeguarded by the role migration tests and snapshot tests)

• Security / Global Artifact Management [space awareness]:

  • moves the sub-privilege out of feature flag, in order to be able to target it for role migrations
  • adds a 'Coming soon' test to the privilege
    • endpointManagementSpaceAwarenessEnabled:false
      
    • endpointManagementSpaceAwarenessEnabled:true
      
  • role migration is added: in short, any artifact ALL privilege causes the new Global Artifact Management ALL privilege to be added (https://github.com/elastic/security-team/issues/11717)
  • predefined roles are updated locally
    (note: in elasticsearch-controller, it'll be updated after this PR is merged and deployed, https://github.com/elastic/elasticsearch-controller/pull/1010)

• tests!

  • testing the migration itself: b8d90d0 and 309abb3
  • snapshot test with deprecated features: https://github.com/elastic/kibana/pull/219566/files#diff-ed11536475a7a6f0a835cbc950c3b7405093058ad42bab30cf06f41ed21561a3
  • some functional tests enabled for deprecated features: 4b4f49e

Global Artifact Management role migrations

flowchart LR

    subgraph siemV2[siem/siemV2]
        none1[none]
    end

    subgraph siemV3
        none2[none]
    end

    none1 --> none2

Loading

flowchart LR

    subgraph siemV2[siem/siemV2]
        read1[read]
    end

    subgraph siemV3
        read2[read]
    end

    read1 --> read2

Loading

flowchart LR
    classDef serverless stroke:blue,stroke-dasharray: 5 5

    subgraph siemV2[siem/siemV2]
        subgraph minread1[minimal_read]
            minread1_subs["`trusted_applications_read
                event_filters_read
                blocklist_read
                host_isolation_exceptions_read`"]

            minall1_subs["`trusted_applications_all
                event_filters_all
                blocklist_all
                host_isolation_exceptions_all`"]

            eer1["`endpoint_exceptions_read
                (only serverless)`"]:::serverless
            eea1["`endpoint_exceptions_all
                (only serverless)`"]:::serverless
        end
    end

    subgraph siemV3
        subgraph minread2[minimal_read]
            minread2_subs["`trusted_applications_read
                event_filters_read
                blocklist_read
                host_isolation_exceptions_read`"]

            minall2_subs["`trusted_applications_all
                event_filters_all
                blocklist_all
                host_isolation_exceptions_all`"]

            eer2["`endpoint_exceptions_read
                (only serverless)`"]:::serverless
            eea2["`endpoint_exceptions_all
                (only serverless)`"]:::serverless
            g2[global_artifact_management_all]

        end
    end


    minread1 --> minread2
    minread1_subs -->|each to his own| minread2_subs
    minall1_subs -->|global for any of these| g2
    minall1_subs -->|each to his own| minall2_subs

    eer1 -->|only serverless| eer2
    eea1 -->|only serverless| eea2
    eea1 -->|only serverless| g2
    linkStyle 4,5,6 stroke:#00f,color:blue

Loading

notes for above:

• global_artifact_management_all have to be added for any artifact write privilege (trusted apps, event filters, blocklists, host isolation exceptions)
• on serverless, there is a separate endpoint exceptions privilege, it counts as an artifact

flowchart LR

    subgraph siemV2[siem/siemV2]
        all1[all]
    end

    subgraph siemV3
        subgraph minall2[minimal_all]
            g1[global_artifact_management_all]
        end
    end

    all1 -->|keep access to the included Endpoint Exceptions ALL| g1
    all1 -->|enable sub-feature toggle| minall2

Loading

Caution

siem/siemV2:ALL migration above contained a BUG! 🐛
Here's the fix, with the updated diagram: #225331

notes for above:
both on serverless and ESS, Endpoint Exceptions are included in ALL, hence the migration

Note

siem sub-privileges are not included in READ/ALL parent privileges. The user needs to enable them one-by-one after enabling the sub-feature privileges toggle. So Endpoint Exception here is an exception. In any sense of the word.

flowchart LR
    classDef serverless stroke:blue,stroke-dasharray: 5 5

    subgraph siemV2[siem/siemV2]
        subgraph minall1[minimal_all]
            minread1_subs["`trusted_applications_read
                event_filters_read
                blocklist_read
                host_isolation_exceptions_read`"]

            minall1_subs["`trusted_applications_all
                event_filters_all
                blocklist_all
                host_isolation_exceptions_all`"]

            eer1["`endpoint_exceptions_read
                (only serverless)`"]:::serverless
            eea1["`endpoint_exceptions_all
                (only serverless)`"]:::serverless
        end
    end

    subgraph siemV3
        subgraph minall2[minimal_all]
            minread2_subs["`trusted_applications_read
                event_filters_read
                blocklist_read
                host_isolation_exceptions_read`"]

            minall2_subs["`trusted_applications_all
                event_filters_all
                blocklist_all
                host_isolation_exceptions_all`"]

            g2[global_artifact_management_all]

            eer2["`endpoint_exceptions_read
                (only serverless)`"]:::serverless
            eea2["`endpoint_exceptions_all
                (only serverless)`"]:::serverless

        end
    end

    minall1 -->|only on ESS to keep access to the included Endpoint Exceptions ALL| g2

    minall1 --> minall2
    minread1_subs -->|each to his own| minread2_subs
    minall1_subs -->|global for any of these| g2
    minall1_subs -->|each to his own| minall2_subs

    eer1 -->|only serverless| eer2
    eea1 -->|only serverless| eea2
    eea1 -->|only serverless| g2
    linkStyle 5,6,7 stroke:#00f,color:#00f


    linkStyle 0 stroke:#0a0,color:#0a0

Loading

notes for above:
when sub-feature privileges are enabled,

• on ESS endpoint exceptions are still automatically included, that's why we need to add global access
• on serverless, endpoint exceptions are controlled by the sub-feature privilege (just like all other artifact privileges, see the note above)

Background

• Previous role migration PR: [SecuritySolution] Breaking out timeline & note privileges #201780
• Role migration description: feat: allow plugins to deprecate and replace features and feature privileges #186800

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines

[semd]

Hey @gergoabraham, thanks for the ping.
After talking with @michaelolo24, we decided we'll try to include this inside the V3 migration. We'll keep you posted

[gergoabraham]

Hey @gergoabraham, thanks for the ping. After talking with @michaelolo24, we decided we'll try to include this inside the V3 migration. We'll keep you posted

hey @semd,

i think it is included in this PR - i used your related draft PR (#207258) as a starting point for unifying Endpoint Exceptions privilege/subfeature, and i'd say all of the modifications are included in this PR, so looks like there's nothing to do on your side, except reviewing this PR : )

[jillguyonnet]

Fleet changes LGTM

[KDKHD]

The following files look good:

### elastic/security-generative-ai

* x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx
* x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx
* x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts

[vgomez-el]

LGTM!

[jaredburgettelastic]

👍 Entity Analytics changes are straightforward and LGTM, thank you!

[semd]

Agreed with the Defend Workflows team that we'll work towards unification on 9.2. We go with the current approach for 9.1.
code LGTM! 🚀

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: cee449a
• Cloud Deployment
• Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-219566-cee449ab49af
• Security Deployment
• Elasticsearch Serverless Deployment

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
fleet	1.8MB	1.8MB	+26.0B
securitySolution	9.4MB	9.4MB	+27.0B
total			+53.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
fleet	168.2KB	168.3KB	+82.0B

History

• 💔 Build #311034 failed 5132bc3
• 💔 Build #310722 failed 93d8721
• 💔 Build #310650 failed 309abb3
• 💔 Build #310534 failed a4dd40a

cc @gergoabraham

[sukhwindersingh-qasource]

Hi @gergoabraham ,

We have validated this ticket on latest 9.2.0-Serverless builds and below are the observations

Login Credentials

• https://p.elstc.co/paste/N4Qux86T#5Mrtf2FtuC4+1oESCpq+zbFUNFKJdTTHS2cu0dQugDB

Below are the Testing Details :

Build Details:

VERSION: 9.2.0
BUILD: 87753
COMMIT: 27183690142a5590b4ad72d060c43cad869f3f3c

Detailed Observations with Screen-captures for 9.2.0-Serverless:

• Validated SIM v2/SIEM v2 to SIEM v3 migration ensures global artifact management privilege is retained only when all or any artifact has 'all' privilege; none if privileges are 'read' or 'none ✔

  • The global artifact management role migration is working as expected.
  • If all artifacts have "All", it shows "All" for the global artifact management
  • If any single artifact has "All", it shows "All" for or the global artifact management
  • If all artifacts have "Read", it shows "None" for the global artifact management
  • If all artifacts are "None", it shows "None" for the global artifact management as well.

• Users with global artifact management privilege set to 'all' are able to create artifacts globally. : ✔

Trusted.applications.-.Kibana.Mozilla.Firefox.Private.Browsing.2025-07-01.18-18-34.mp4

• Pre-built rules with global 'all' access to artifacts are able to create artifacts globally : ✔

Members.Mozilla.Firefox.2025-07-01.18-21-51.mp4

Trusted.applications.-.Kibana.Mozilla.Firefox.Private.Browsing.2025-07-01.18-24-45.mp4

Please let us know if anything else is required from our end.

Thanks !!