[Security Solution] Rules managment RBAC subfeatures

[dplumlee]

Resolves: https://github.com/elastic/security-team/issues/14598
Resolves: https://github.com/elastic/security-team/issues/15244
Resolves: #246471
Based off this PR: #244637

Overview

Adds the following new subfeatures to the Rules RBAC feature within security solution:

• security_solution_investigation_guide_edit: ability to modify the note field on detection rules
• security_solution_custom_highlighted_fields_edit: ability to modify the investigation_fields field on detection rules
• security_solution_enable_disable_rules: ability to enable/disable detection rules
• security_solution_manual_run_rules: ability to manually run detection rules
• security_solution_rules_management_settings: ability to access rules management settings

Summary

All of these subfeatures are included in the rules:all feature and can be added as extra permissions to a role with only rules:read capabilities.

This PR modifies detection rules UI to support the new granular permissions logic. The rules table has been updated to handle new edge cases with bulk actions when a user only has rules:read permissions as well as the rule edit page and MITRE coverage overview page.

We also modify the API behavior for the rules PUT, rules PATCH, and bulk actions endpoints to be able to edit specific rule params (e.g. note, investigation_fields, enable, etc.) with read only permissions as long as the user has the corresponding subfeature permission. This involved implementing a new server-side permission check that is accessible via the securitySolution context.

The exceptions_list subfeature has also been added to the granular permission PUT route logic along with the new subfeatures added in this PR.

Automated testing

Lastly, this PR adds a lot of test coverage (jest and ess integration) to the logic implemented in both this PR and #245722, and covers the many new edge cases that the granular permissions create. Unit tests have been added for the detection rules client logic in:

• detection_rules_client.patch_rule.test.ts
• detection_rules_client.update_rule.test.ts

And FTR tests have been added for our CRUD and bulk actions operations in:

• x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_patch/trial_license_complete_tier/patch_rules.ts
• x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_update/trial_license_complete_tier/update_rules.ts
• x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_bulk_actions/trial_license_complete_tier/perform_bulk_enable_disable.ts
• x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_bulk_actions/trial_license_complete_tier/perform_bulk_action.ts
• x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_bulk_actions/trial_license_complete_tier/perform_bulk_action_dry_run.ts

Screenshots

All taken with the rules-read-subfeatures-all listed in the testing utils section below

Rules table bulk actions - now interact-able with rules:read and new rules subfeatures

---

Rules table row overflow menu - now a user can manually run a rule with read permissions if the have the correct permissions

---

Rule edit page - a user can now use the rule edit form if they have the permissions to modify note or investigation_fields

---

Testing Utils

Testing configs and scripts

This bash script will add/update the kibana roles defined in the config.yml file into your local instance. Usernames will be the same as the role titles and all passwords are set to a default `changeme`. In this file we have `rules-all`, `rules-read`, and `rules-read-subfeatures-all` which can be modified to omit certain permissions based on whatever testing is needed.

config.yaml
rbac-ess-testing-roles.sh

[pborgonovi]

PR Testing

Case 1

Rules:Read + Alerts:Read

• Opening Rules page I get the following:
  • feature_securitySolutionRulesV4.all is missing
    • Role is set to Rules Read. Do we still display this warning?
  • feature_securitySolutionAlertsV1.all is missing
    • Role is set to Alerts Read - do we still display this warning?
  • Missing read, write, view_index_metadata, manage privileges for the .alerts-security.alerts-default
    • Does the role still require index privilege despite of having Alerts subfeature set to Read?
• Opening Rule Details page and scrolling down: no alerts tab, the space is blank until I select either exceptions or executions tab.

Role definition

``` { "rulesread-alertsread": { "cluster": [ "all" ], "indices": [ { "names": [ "auditbeat-*" ], "privileges": [ "all" ], "field_security": { "grant": [ "*" ], "except": [] }, "allow_restricted_indices": false }, { "names": [ ".items-*", ".lists-*" ], "privileges": [ "manage", "view_index_metadata", "read", "write" ], "field_security": { "grant": [ "*" ] }, "allow_restricted_indices": false } ], "applications": [ { "application": "kibana-.kibana", "privileges": [ "feature_siemV5.all", "feature_securitySolutionRulesV4.read", "feature_securitySolutionAlertsV1.read", "feature_dev_tools.all" ], "resources": [ "*" ] } ], "run_as": [], "metadata": {}, "transient_metadata": { "enabled": true }, "description": "Rules read / Alerts read" } } ```

Screenshots

Screen.Recording.2026-02-11.at.10.52.59.AM.mov

Case 2

Rules: Read + Alerts All

• Missing read, write, view_index_metadata, manage privileges for the .alerts-security.alerts-default index
  • Does the role still require index privilege despite of having Alerts subfeature set to All?
• Missing all privileges for the securitySolutionRulesV4 feature.
  • Should this be displayed? This role has Rules Read

[pborgonovi]

@dplumlee

when no alerts index is present we are showing error messages due to field not located. I suppose these fields should be blank until an index exists?

[dplumlee]

@pborgonovi Looking at this it seems to be something better suited to be fixed in the alerts RBAC PR since that's where most of the alerting stuff is changed

[chetnarajput-qasource]

/ci

[chetnarajput-qasource]

/ci

[rgodfrey-elastic]

LGTM. Thanks for adding the maxSize

[cnasikas]

Thanks! Maybe you can skip calling bulkEditRuleParamsWithReadAuth if the array is empty?

[cnasikas]

Could we add the max size to bulkEditParamsOperationsSchema instead and keep the minSize (basically revert the change here and use bulkEditParamsOperationsSchema)? Could my suggestion to skip calling bulkEditRuleParamsWithReadAuth in your code if the array is empty? If not, could we at least be sure that inside the bulkEditRuleParamsWithReadAuth we skip if the operations array is empty?

[dplumlee]

Talked with @cnasikas about this more in slack. Basically, removing the minSize here is the easier schema refactor of the possible options to maintain current workflows with the new RBAC logic being added. A better path in the future would probably entail adding the add and delete operations to bulkEditParamsOperationsSchema (which right now only allows set). This could allow us to reduce our dependency on the paramsModifier that we currently use in our bulk actions methods (and is responsible for the use case of an empty operations array). Made a slight modification in accordance to this comment but leaving the rest of it for now.

[elasticmachine]

⏳ Build in-progress

• Buildkite Build
• Commit: 83d0ad2
• Cloud Deployment
• Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-250131-83d0ad26ec25
• Security Deployment

Failed CI Steps

• Jest Tests #9

Test Failures

• [job] [logs] Jest Tests #9 / AssetDocumentTab should select table tab when path tab is table

History

• 💛 Build #422104 was flaky 416698f
• 💔 Build #422011 failed 18d6877
• 💔 Build #421777 failed 92f5e13
• 💚 Build #421707 succeeded 63d33a2

cc @denar50 @dplumlee