Merged
Expand Up @@ -26,8 +26,8 @@ To use exceptions, your role must have the appropriate access. To learn how to a

:::{applies-item} { "stack": "ga 9.4", "serverless": "ga" }

- **View only access**: To view exceptions for individual and multiple rules, your role needs at least `Read` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the `Security > Rules, Alerts, and Exceptions` {{kib}} feature and deselect **Manage Exceptions** for the `Exceptions` sub-feature.
- **Manage access**: To create and manage exceptions for individual and multiple rules, your role needs at least `Read` {{kib}} privileges for the `Security > Rules, Alerts, and Exceptions` {{kib}} feature and ensure **Manage Exceptions** remains selected for the `Exceptions` sub-feature.
- **View only access**: To view exceptions for individual and multiple rules, your role needs at least `Read` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the `Security > Rules and Exceptions` {{kib}} feature and deselect **Manage Exceptions** for the `Exceptions` sub-feature.
- **Manage access**: To create and manage exceptions for individual and multiple rules, your role needs at least `Read` {{kib}} privileges for the `Security > Rules and Exceptions` {{kib}} feature and ensure **Manage Exceptions** remains selected for the `Exceptions` sub-feature. You can pair **Read** for **Rules** with **All** for **Exceptions** so users can maintain exceptions without changing the rest of the rule. Refer to [View and manage rules and exceptions separately](/solutions/security/detect-and-alert/detections-privileges.md#rules-exceptions-subfeatures).

:::

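Review bot: the `applies-item` on this hunk still reads `"stack": "ga 9.4", "serverless": "ga"` (no `+`, serverless included), while the `detections-privileges.md` hunks in the same PR rewrite the 9.4 bullets as `stack: ga 9.4+` and drop `serverless: ga` from them. Either the Rules and Exceptions / Alerts split is available on serverless, in which case the later file removes it wrongly, or it is not, in which case this item should lose `"serverless": "ga"` and gain the `+`. The new link target `detections-privileges.md#rules-exceptions-subfeatures` does match the anchor added in that file.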
Expand Down
71 changes: 56 additions & 15 deletions solutions/security/detect-and-alert/detections-privileges.md
Expand Up @@ -29,10 +29,10 @@

When creating custom roles for detection features, you'll need to grant access to system indices that include your space ID (`<space-id>`). For example, the default space uses `.alerts-security.alerts-default`. Refer to the following details to understand which system indices your role might require access to.

{applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` You can give a role access to alerts only, rules only, or both.
{applies_to}`stack: ga 9.4+` You can give a role access to alerts only, rules only, or both.

:::{admonition} Role access to rules and alerts in 9.4
:applies_to: {"stack": "ga 9.4+", "serverless": "ga"}
:::{admonition} Role access to rules and alerts
:applies_to: {"stack": "ga 9.4+"}
Starting in {{stack}} 9.4, new custom roles require explicit **Rules and Exceptions** and **Alerts** privileges. Earlier releases sometimes granted alert-related access indirectly through broader **Security** privileges or the **Rules, Alerts, and Exceptions** feature. Review custom roles after an upgrade to confirm each role still has the intended access to alerts.
:::

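Review bot: dropping `serverless: ga` from the "alerts only, rules only, or both" line and from the admonition's `:applies_to:` contradicts the `serverless: ga` kept in the `{applies_to}` block of the new "Optional sub-features privileges for managing rules" section later in this file; settle on one. With the title no longer saying "in 9.4", the body's "Starting in {{stack}} 9.4" is the only version cue, which is fine, but "review custom roles after an upgrade" would be more actionable if it named the check: open each custom role and confirm both **Rules and Exceptions** and **Alerts** carry the intended privilege level rather than None.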
Expand Down Expand Up @@ -63,8 +63,8 @@
- `.items-<space-id>`

{{kib}} privileges
: - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` `All` for the `Rules and Exceptions` feature and `All` for the `Alerts` feature
- {applies_to}`stack: ga =9.3` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
: - {applies_to}`stack: ga 9.4+` `All` for the `Rules and Exceptions` feature and `All` for the `Alerts` feature
- {applies_to}`stack: ga =9.3` `All` for the `Rules, Alerts, and Exceptions` feature
- {applies_to}`stack: ga 9.0-9.2` `All` for the `Security` feature

## Preview rules
Expand All @@ -78,11 +78,11 @@
- `.internal.preview.alerts-security.alerts-<space-id>-*`

{{kib}} privileges
: - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` `All` for the `Rules and Exceptions` feature and `All` for the `Alerts` feature
- {applies_to}`stack: ga =9.3` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
: - {applies_to}`stack: ga 9.4+` `All` for the `Rules and Exceptions` feature and `All` for the `Alerts` feature
- {applies_to}`stack: ga =9.3` `All` for the `Rules, Alerts, and Exceptions` feature
- {applies_to}`stack: ga 9.0-9.2` `All` for the `Security` feature

## Manage rules
## Manage rules [detections-privileges-manage-rules]

Cluster privileges
: None
Expand All @@ -95,8 +95,8 @@
- `.items-<space-id>`

{{kib}} privileges
: - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` `All` for the `Rules and Exceptions` feature and `All` for the `Alerts` feature
- {applies_to}`stack: ga =9.3` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
: - {applies_to}`stack: ga 9.4+` `All` for the `Rules and Exceptions` feature and `All` for the `Alerts` feature
- {applies_to}`stack: ga =9.3` `All` for the `Rules, Alerts, and Exceptions` feature
- {applies_to}`stack: ga 9.0-9.2` `All` for the `Security` feature

::::{note}
Expand All @@ -108,6 +108,22 @@
To import rules with actions, you need at least `Read` privileges. To overwrite or add new connectors during import, you need `All` privileges.
::::

### Optional sub-features privileges for managing rules [detections-privileges-manage-rules-subfeatures]

```{applies_to}
stack: ga 9.4+
serverless: ga
```

Assigning `All` on `Rules` grants the full set of rule actions by default (create, edit, delete, enable, disable, and the rest). **Customize sub-feature privileges** lets you turn off specific actions for a role. For example, you can remove one capability for the role (such as enabling or disabling rules) while still granting the role access to other actions that `All` provides.

The following table illustrates this by compareing the default setup with a customized role.

| Situation | What you can do |
| --- | --- |
| **`All` for `Rules`**, and every rule sub-feature is still enabled (the out-of-the-box setup) | You can do everything described for **`All`** on **`Rules`** in [View and manage rules and exceptions separately](#rules-exceptions-subfeatures), including enabling and disabling rules. |
| **`All` for `Rules`**, but the role was customized and some sub-features were turned off | You can only do what remains allowed. For example, you might still create or edit rules while **Enable and disable rules** (or another sub-feature) is turned off for your role. |

## Manage alerts

Allows you to manage alerts.
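Review bot: typo "compareing" on the "The following table illustrates this by compareing..." line (vale flagged it). The sub-feature list in "create, edit, delete, enable, disable, and the rest" is left open-ended; a reader locking a role down needs the exact toggle names shown under **Customize sub-feature privileges**, so list them or link to where they are listed. The `{applies_to}` block here carries `serverless: ga`, but the sibling "View and manage rules and exceptions separately" section added in this PR lists only `stack: ga 9.4+`; align the two. The vale notice about "disable" can be dismissed, since **Enable and disable rules** is the UI label.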
Expand All @@ -124,8 +140,8 @@
- `.items-<space-id>`

{{kib}} privileges
: - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` `Read` for `Alerts`: View alerts, open alert flyouts, and view alert tables on pages and dashboards with alert-related flows.
- {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` `All` for `Alerts`: Everything that `Read` provides, plus changing alert status, setting assignees, setting tags, and bulk actions on alerts.
: - {applies_to}`stack: ga 9.4+` `Read` for `Alerts`: View alerts, open alert flyouts, and view alert tables on pages and dashboards with alert-related flows.
- {applies_to}`stack: ga 9.4+` `All` for `Alerts`: Everything that `Read` provides, plus changing alert status, setting assignees, setting tags, and bulk actions on alerts.
- {applies_to}`stack: ga 9.3` `All` for the `Rules, Alerts, and Exceptions` feature to view alert management flows
- {applies_to}`stack: ga 9.0-9.2` `All` for the `Security` feature

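Review bot: nit, the unchanged 9.3 bullet here is written `{applies_to}`stack: ga 9.3`` while every other section in this file uses `ga =9.3`; worth aligning while the block is being touched.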
Expand All @@ -138,10 +154,35 @@
: None

{{kib}} privileges
: - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` At least `Read` for the `Rules and Exceptions` feature and **Manage Exceptions** selected for the `Exceptions` sub-feature
: - {applies_to}`stack: ga 9.4+` At least `Read` for the `Rules and Exceptions` feature and **Manage Exceptions** selected for the `Exceptions` sub-feature. Refer to [View and manage rules and exceptions separately](#rules-exceptions-subfeatures) for valid combinations of **Rules** and **Exceptions** access.
- {applies_to}`stack: ga =9.3` `All` for the `Rules, Alerts, and Exceptions` feature
- {applies_to}`stack: ga 9.0-9.2` `All` for the `Security` feature


## View and manage rules and exceptions separately [rules-exceptions-subfeatures]

```{applies_to}
stack: ga 9.4+
```

After setting `Read` or `All` on `Rules and Exceptions`, you can toggle **Customize sub-feature privileges** to set independent access to rules and exceptions. To learn about sub-feature privileges, refer to [](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#_sub_feature_privileges).

Cluster privileges
: None

Index privileges
: None

{{kib}} privileges
: - `Read` for `Rules`: View detection rules (including the {{rules-ui}} table, rule details, and rule monitoring).
- `All` for `Rules`: Create, edit, duplicate, delete, enable, and disable detection rules. Optional rule sub-features can narrow this access. Refer to to [](#detections-privileges-manage-rules-subfeatures) to learn more.

- `Read` for `Exceptions` (deselect **Manage Exceptions**): View exception lists and exception items.
- `All` for `Exceptions` (**Manage Exceptions** selected): Create and manage exceptions for rules and shared exception lists.

::::{note}
`Read` on `Rules` and `All` on `Exceptions` lets you manage rule exceptions and shared exception lists without permission to create or change rules.
::::

## Manage value lists [detections-privileges-manage-value-lists]

Cluster privileges
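Review bot: duplicated word "Refer to to" on the `All` for `Rules` bullet (vale flagged it twice). The `Read` for `Exceptions` bullet equates `Read` with deselecting **Manage Exceptions**, but the "Manage exceptions" section above phrases the same thing as "at least `Read` for the `Rules and Exceptions` feature and **Manage Exceptions** selected"; say once, explicitly, that **Manage Exceptions** is the Exceptions sub-feature toggle and that turning it off leaves Exceptions at `Read`, so the two sections read as one model. The closing note (`Read` on `Rules` plus `All` on `Exceptions` manages exceptions without rule edit rights) is the least-privilege point of the section and deserves to be the first thing under the heading rather than the last.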
Expand All @@ -153,8 +194,8 @@
- `.items-<space-id>`

{{kib}} privileges
: - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` `All` for the `Rules and Exceptions` feature and `All` for the `Alerts` feature
- {applies_to}`stack: ga =9.3` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
: - {applies_to}`stack: ga 9.4+` `All` for the `Rules and Exceptions` feature and `All` for the `Alerts` feature
- {applies_to}`stack: ga =9.3` `All` for the `Rules, Alerts, and Exceptions` feature
- {applies_to}`stack: ga 9.0-9.2` `All` for the `Security` feature

::::{important}
Expand Down
16 changes: 16 additions & 0 deletions solutions/security/get-started/automatic-migration.md
Expand Up @@ -27,6 +27,20 @@ You can ingest your data before migrating your assets, or migrate your assets fi

::::{applies-switch}

:::{applies-item} { "stack": "ga 9.4+", "serverless": "ga" }
**Requirements**

* Minimum [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for these **Security** features:

- `All` for **SIEM migrations**
- At least `Read` for **Rules**
* A working [LLM connector](/explore-analyze/ai-features/llm-guides/llm-connectors.md).
* {{stack}} users: an [Enterprise](https://www.elastic.co/pricing) subscription.
* {{Stack}} users: {{ml}} must be enabled.
* {{serverless-short}} users: a [Security Complete](/deploy-manage/deploy/elastic-cloud/project-settings.md) subscription.
* {{ecloud}} users: {{ml}} must be enabled. We recommend a minimum size of 4GB of RAM per {{ml}} zone.
:::

:::{applies-item} { "stack": "ga 9.3", "serverless": "ga" }
**Requirements**

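Review bot: the new 9.4+ `applies-item` and the existing 9.3 item below it both declare `"serverless": "ga"`, so a serverless reader gets two Requirements blocks; scope serverless to one of them. On the "{{ml}} must be enabled" bullet the variable is `{{Stack}}` with a capital S while the line above uses `{{stack}}`; if substitutions are case-sensitive this renders literally, and the bullet also overlaps the `{{ecloud}}` bullet that follows. Also confirm "At least `Read` for **Rules**" is sufficient for the whole flow: the 9.4 privileges page in this same PR states that creating rules needs `All` for `Rules`, so if migrated rules are installed into the space, `Read` looks too low.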
Expand Down Expand Up @@ -54,6 +68,8 @@ You can ingest your data before migrating your assets, or migrate your assets fi

::::{admonition} Splunk dashboard migration limitations
* Only supports `visualization`, `chart`, `table`, and `single value (Metric)` Splunk dashboard panels, not `map`, `event`, or `html` panels. You can still migrate a dashboard that contains unsupported panels, but those panels appear as `Unsupported` in migrated dashboards.
::::{admonition} Splunk dashboard migration limitations
Only supports `visualization`, `chart`, `table`, and `single value (Metric)` Splunk dashboard panels, not `map`, `event`, or `html` panels. You can still migrate a dashboard that contains unsupported panels, but those panels appear as `Unsupported` in migrated dashboards.
::::

## Get started with Automatic Migration
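Review bot: this hunk leaves two `::::{admonition} Splunk dashboard migration limitations` openers and a single `::::` closer. The header counts 6 old lines to 8 new, so the original opener and its `* Only supports ...` bullet are unchanged context and the second opener plus the unbulleted sentence were added beneath them instead of replacing them. Delete one pair (the original opener and bullet, if the intent was to drop the single-item bullet) so the directive is opened once and closed once.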
Expand Down