[Bug] Cloud Security features (Misconfigurations, Benchmarks pages) don't work for users in serverless except org owners and admins #189538
Comments
Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)
@maxcold Thanks for testing this and opening the ticket. Here is the expected behaviour for Viewer and Editor roles.
…ed Objects (#194224)

## Summary

This PR fixes #189538, by adding `csp-rule-template` to the Security Default Saved Objects.

This allows users with the [viewer role](https://www.elastic.co/docs/current/serverless/general/assign-user-roles) to Security projects in Serverless to see the [Cloud Security Posture Benchmark rules](https://github.com/elastic/integrations/tree/main/packages/cloud_security_posture/kibana/csp_rule_template) that are stored as saved objects installed with the Cloud Security Posture integration.

### Snapshots

![image](https://github.com/user-attachments/assets/95b92570-ac7a-42b5-b89f-a02d5b94f3b0)

![image](https://github.com/user-attachments/assets/a2aeb0a6-d10e-4864-84b9-9eaffe8ec3a2)

![image](https://github.com/user-attachments/assets/9eb9fb82-3fe6-4b6d-8523-566d406406ce)

![image](https://github.com/user-attachments/assets/37ebc71a-54be-4a7c-b5f8-37a1d6467816)
…ed Objects (elastic#194224)

(cherry picked from commit 3862012)
…lt Saved Objects (#194224) (#195338)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Add csp-rule-template to the Security Default Saved Objects (#194224)](#194224)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Paulo Silva <[email protected]>
Kibana version:
serverless
Describe the bug:
Users who have access to the Security Project with any role, except Admin, can't access Security > Findings > Misconfigurations and Security > Rules > Benchmarks pages. These pages seem to work only for organisation owners.
Steps to reproduce:
Expected behavior:
Cloud Security features should be available for users with Editor role, but even better with Editor or Viewer (only read-only features) roles
Screenshots (if relevant):
Errors in browser console (if relevant):
GET /internal/cloud_security_posture/benchmarks 403 (Forbidden)
Provide logs and/or server output (if relevant):
Any additional context:
Initially I thought our features didn't work even with the Admin role, but that's because I wasn't logging out after changing the role (which might be an issue by itself in general, but not specific to us). I updated the issue to note that our features don't work with Editor and Viewer roles
A related issue in ESS
We require specific setup for users to access Cloud Security features, but the access control on Serverless is different, so we need to find a way to make our features work there
@elastic/kibana-cloud-security-posture