[Security] Add entity store and asset criticality index privileges to built in Editor and Viewer roles (#129662)

opauloh · elasticsearchmachine · web-flow · commit aa58fc7f43c5 · 2025-07-31T02:53:48.000+02:00
* Adding asset criticality and entity store permissions to built in roles

* Update docs/changelog/129662.yaml

* [CI] Auto commit changes from spotless

* Corrects entity store index pattern

Updates the entity store index pattern to ensure it matches the minimum necessary index name and narrow it down to the correct use case

---------

Co-authored-by: elasticsearchmachine &lt;infra-root+elasticsearchmachine@elastic.co&gt;
diff --git a/docs/changelog/129662.yaml b/docs/changelog/129662.yaml
@@ -0,0 +1,6 @@
+pr: 129662
+summary: "[Security] Add entity store and asset criticality index privileges to built\
+  \ in Editor, Viewer and Kibana System roles"
+area: Authorization
+type: enhancement
+issues: []
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -547,7 +547,7 @@ static RoleDescriptor kibanaSystem(String name) {
                     .indices(".asset-criticality.asset-criticality-*")
                     .privileges("create_index", "manage", "read", "write")
                     .build(),
-                RoleDescriptor.IndicesPrivileges.builder().indices(".entities.v1.latest.security*").privileges("read").build(),
+                RoleDescriptor.IndicesPrivileges.builder().indices(".entities.v1.latest.security*").privileges("read", "write").build(),
                 // For cloud_defend usageCollection
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("logs-cloud_defend.*", "metrics-cloud_defend.*")
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -75,6 +75,10 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
     public static final String LISTS_ITEMS_INDEX = ".items-*";
     public static final String LISTS_ITEMS_INDEX_REINDEXED_V8 = ".reindexed-v8-items-*";
 
+    /** "Security Solutions" Entity Store and Asset Criticality indices for Asset Inventory and Entity Analytics */
+    public static final String ENTITY_STORE_V1_LATEST_INDEX = ".entities.v1.latest.security_*";
+    public static final String ASSET_CRITICALITY_INDEX = ".asset-criticality.asset-criticality-*";
+
     /** Index pattern for Universal Profiling */
     public static final String UNIVERSAL_PROFILING_ALIASES = "profiling-*";
     public static final String UNIVERSAL_PROFILING_BACKING_INDICES = ".profiling-*";
@@ -784,7 +788,9 @@ private static RoleDescriptor buildViewerRoleDescriptor() {
                         ReservedRolesStore.LISTS_ITEMS_INDEX,
                         ReservedRolesStore.ALERTS_LEGACY_INDEX_REINDEXED_V8,
                         ReservedRolesStore.LISTS_INDEX_REINDEXED_V8,
-                        ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8
+                        ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8,
+                        ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX,
+                        ReservedRolesStore.ASSET_CRITICALITY_INDEX
                     )
                     .privileges("read", "view_index_metadata")
                     .build(),
@@ -846,10 +852,16 @@ private static RoleDescriptor buildEditorRoleDescriptor() {
                         ReservedRolesStore.LISTS_ITEMS_INDEX,
                         ReservedRolesStore.ALERTS_LEGACY_INDEX_REINDEXED_V8,
                         ReservedRolesStore.LISTS_INDEX_REINDEXED_V8,
-                        ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8
+                        ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8,
+                        ReservedRolesStore.ASSET_CRITICALITY_INDEX
                     )
                     .privileges("read", "view_index_metadata", "write", "maintenance")
                     .build(),
+                // Security - Entity Store is view only
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX)
+                    .privileges("read", "view_index_metadata")
+                    .build(),
                 // Alerts-as-data
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1851,6 +1851,13 @@ public void testKibanaSystemRole() {
             assertViewIndexMetadata(kibanaRole, indexName);
         });
 
+        Arrays.asList(".entities.v1.latest.security_" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach(indexName -> {
+            final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportSearchAction.TYPE.name()).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportUpdateAction.TYPE.name()).test(indexAbstraction), is(true));
+            assertViewIndexMetadata(kibanaRole, indexName);
+        });
+
         Arrays.asList("metrics-logstash." + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((indexName) -> {
             final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
             assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));
@@ -3676,6 +3683,9 @@ public void testPredefinedViewerRole() {
         assertOnlyReadAllowed(role, ".profiling-" + randomIntBetween(0, 5));
         assertOnlyReadAllowed(role, randomAlphaOfLength(5));
 
+        assertOnlyReadAllowed(role, ".entities.v1.latest.security_" + randomIntBetween(0, 5));
+        assertOnlyReadAllowed(role, ".asset-criticality.asset-criticality-" + randomIntBetween(0, 5));
+
         assertOnlyReadAllowed(role, ".slo-observability." + randomIntBetween(0, 5));
         assertViewIndexMetadata(role, ".slo-observability." + randomIntBetween(0, 5));
 
@@ -3746,6 +3756,7 @@ public void testPredefinedEditorRole() {
         assertOnlyReadAllowed(role, "endgame-" + randomIntBetween(0, 5));
         assertOnlyReadAllowed(role, "profiling-" + randomIntBetween(0, 5));
         assertOnlyReadAllowed(role, ".profiling-" + randomIntBetween(0, 5));
+        assertOnlyReadAllowed(role, ".entities.v1.latest.security_" + randomIntBetween(0, 5));
         assertOnlyReadAllowed(role, randomAlphaOfLength(5));
 
         assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".siem-signals-" + randomIntBetween(0, 5));
@@ -3756,6 +3767,7 @@ public void testPredefinedEditorRole() {
         assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".internal.alerts-" + randomIntBetween(0, 5));
         assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".preview.alerts-" + randomIntBetween(0, 5));
         assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".internal.preview.alerts-" + randomIntBetween(0, 5));
+        assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".asset-criticality.asset-criticality-" + randomIntBetween(0, 5));
 
         assertViewIndexMetadata(role, ".slo-observability." + randomIntBetween(0, 5));
         assertReadWriteAndManage(role, ".slo-observability." + randomIntBetween(0, 5));
