[Detections & Response] RBAC - Add Detection Alerts kibana feature

[denar50]

What this Does

This PR introduces Alerts RBAC: a dedicated Kibana feature (securitySolutionAlertsV1) for controlling who can view and edit detection alerts. Alerts permissions are moved out of the Rules feature and into this new Alerts feature, so that access to alerts (viewing, updating status, assigning, tagging) can be granted independently from rules (managing detection rules):

The change is part of the broader Security Solution RBAC Epic and follows the same pattern as:

• Rules RBAC — rules-specific read/all privileges
• Exceptions RBAC — exceptions subfeatures under Rules

Summary of what moves:

Before	After
Alerts read/edit implied by Rules or legacy Security features	Alerts read/edit come from the Alerts feature (securitySolutionAlertsV1)
Update operations (status, assignees, tags) allowed with Rules read in some cases	Update requires Alerts edit (or legacy deprecated privilege for backward compatibility)

New privilege model:

• Alerts feature – Read: read_alerts (UI), alerts-read (API). View alerts, open flyouts, see tables.
• Alerts feature – All: edit_alerts (UI), alerts-all (API). All of the above plus: change status, set assignees, set tags, bulk actions.

Backward compatibility is preserved for existing roles: users with only legacy Security (siem/siemV2/siemV3/siemV4) or Rules (securitySolutionRulesV1/V2) read access still get a deprecated “update alerts” capability so they can continue to perform alert updates until roles are migrated.

Note also that, similarly to the previous PRs for this epic, this does not update the prebuilt/test roles, which will come in a subsequent PR. This means that using an existing prebuilt role will implicitly exercise the role migration path, as do the existing tests.

---

How to Review

Permissions change (high level)

• API: Alert update routes (open/close, set tags, set assignees) now require ALERTS_API_ALL or ALERTS_API_UPDATE_DEPRECATED_PRIVILEGE. Read-only alert operations require ALERTS_API_READ.
• UI: Alerts UI uses the Alerts feature’s read_alerts / edit_alerts; the capability switcher grants the deprecated update capability to legacy Security and Rules features so existing roles keep update behavior.
• New configurations to consider: You can have Rules without Alerts (manage rules, no alert access) and Alerts without Rules (view/edit alerts, no rule management). Reviewers should sanity-check both.

Testing setup

• Roles and users: As mentioned earlier, prebuilt roles can be used to examine how legacy roles will behave, and to verify backwards compatibility. However, the net new functionality/permissions can and should be tested with custom roles. Luckily, we've written some tools to assist with this.
  • First, we have a script to generate users and roles from a yaml config file. Simply run the script to add/update the users and roles referenced in the yaml file.
  • To get one started, I've prepared a yaml file with all nine permutations of the new Rules and Alerts RBAC permissions. To test a particular combination, simply log in as the user with the corresponding role. For example, to test Alerts edit without Rules access, log in as alerts-all|rules-none (password: changeme).

---

Areas of Interest

Please verify behavior in these areas with Alerts read only vs Alerts read + edit (and, if possible, Rules without Alerts and Alerts without Rules).

Alerts Page

• Dashboards: Tiles and links that show or link to alerts respect Alerts read; any edit/action from a dashboard should respect Alerts edit.
• Alerts table: Loads and shows data only when the user has Alerts read. Sorting, filtering, and column visibility should work for read users.
  • Row actions: Status, assignees, tags, and other update actions are visible/enabled only when the user has Alerts edit (or legacy update).
  • Bulk actions: Bulk status change, assignees, tags, etc. require Alerts edit; otherwise hidden or disabled.
• Alerts flyout: Opens for read users; in-flyout update actions (status, assignees, tags) only for users with Alerts edit (or legacy update).

Timeline

• Alerts shown in Timeline respect Alerts read; any in-Timeline action that updates an alert (e.g. status, assignee, tags) should require Alerts edit (or legacy update).

Rule Details – Alerts tab

• Alerts table on the Rule Details page follows the same rules: read-only for Alerts read; row/bulk update actions for Alerts edit (or legacy update).

Elastic Assistant (EA) – Risk contributions / flyout

• Any UI that shows or updates alerts in the context of EA (e.g. risk contributions, flyout) should respect Alerts read for viewing and Alerts edit for updates.

Cases

• Cases and case-attached alerts: Viewing alerts attached to a case requires Alerts read. Updating those alerts (status, assignees, tags) from the Case view should require Alerts edit (or legacy update).

---

Checklist for Reviewers

• Confirmed Alerts read only can view alerts everywhere (Alerts page, Timeline, Rule Details, Cases, EA) but cannot perform update actions.
• Confirmed Alerts read + edit can perform status/assignee/tag updates (row and bulk) in all areas above.
• Confirmed Rules without Alerts cannot see or interact with alerts (or see appropriate empty/denied state).
• Confirmed Alerts without Rules can use the Alerts page and alert actions without rule management access.
• Confirmed legacy Security/Rules-only roles still have update capability (backward compatibility).

---

Related links

• RBAC Epic
• Rules RBAC PR
• Exceptions RBAC PR

Checklist

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
• Flaky Test Runner was used on any tests changed

[elasticmachine]

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

• Click to trigger kibana-pull-request for this PR!
• Click to trigger kibana-deploy-project-from-pr for this PR!
• Click to trigger kibana-deploy-cloud-from-pr for this PR!

[pborgonovi]

/ci

[rylnd]

/ci

[rylnd]

/ci

[rylnd]

/ci

[rylnd]

/ci

[rylnd]

@denar50 what's the story with this comment?

[rylnd]

/ci

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 8863f31

Failed CI Steps

• Check Types

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	8769	8771	+2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	11.1MB	11.1MB	+1.9KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
securitySolution	172.8KB	173.3KB	+546.0B
securitySolutionEss	35.5KB	35.6KB	+102.0B
securitySolutionServerless	47.2KB	47.3KB	+98.0B
total			+746.0B

History

• 💛 Build #397286 was flaky e6ce514
• 💔 Build #396551 failed d56a77f
• 💔 Build #396472 failed dfb671b
• 💚 Build #394916 succeeded 9b6b23e
• 💔 Build #394812 failed de5553e

cc @rylnd