elastic · gergoabraham · Jun 25, 2025 · Jun 25, 2025 · Jun 25, 2025 · Jun 25, 2025
@@ -93,6 +93,10 @@ const securityProductFeaturesConfig: Record<
                         // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
                         // This migration is for Endpoint Exceptions artifact in Serverless offering, as it included in Security:ALL privilege.
                         'global_artifact_management_all',
+
+                        // As we are switching from `all` to `minimal_all`, Endpoint Exceptions is needed to be added, as it was included in `all`,
+                        // but not in `minimal_all`.
+                        'endpoint_exceptions_all',
                       ],
                     };
                   }

diff --git a/...rkflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts b/...rkflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts
@@ -133,16 +133,29 @@ export default function ({ getService }: FtrProviderContext) {
 
         describe(`${deprecatedSiem}:ALL`, () => {
           // siem:ALL includes Endpoint Exceptions both on ESS and Serverless
-          it('should add global_artifact_management:ALL', async () => {
+          it('@skipInServerless should add global_artifact_management:ALL on ESS', async () => {
             await putDeprecatedSiemPrivilegesInRole(['all']);
 
             expect(await getMigratedSiemFeaturesFromRole()).to.eql([
               // sub-features toggle enabled to show Global Artifact Management
               'minimal_all',
-              // Endpoint exceptions are tied to siem:ALL, hence the global_artifact_management_all
+              // Endpoint exceptions are tied to siem:ALL, hence the global_artifact_management_all to keep behaviour
               'global_artifact_management_all',
             ]);
           });
+
+          it('@skipInEss should add global_artifact_management:ALL and endpoint_exceptions:ALL on serverless', async () => {
+            await putDeprecatedSiemPrivilegesInRole(['all']);
+
+            expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+              // sub-features toggle enabled to show Global Artifact Management
+              'minimal_all',
+              // Endpoint exceptions are tied to siem:ALL, hence the global_artifact_management_all to keep behaviour
+              'global_artifact_management_all',
+              // Enpdoint Exceptions were included in siem:ALL, so we need to include them in siem:MINIMAL_ALL
+              'endpoint_exceptions_all',
+            ]);
+          });
         });
 
         describe(`${deprecatedSiem}:MINIMAL_ALL`, () => {

diff --git a/...k/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts b/...k/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts
@@ -1085,6 +1085,8 @@ export default function ({ getService }: FtrProviderContext) {
                 "ui:siemV3/investigation-guide-interactions",
                 "ui:siemV3/threat-intelligence",
                 "ui:siemV3/writeGlobalArtifacts",
+                "ui:siemV3/showEndpointExceptions",
+                "ui:siemV3/crudEndpointExceptions",
               ],
               "blocklist_all": Array [
                 "login:",
@@ -3737,6 +3739,8 @@ export default function ({ getService }: FtrProviderContext) {
                 "ui:siemV3/investigation-guide-interactions",
                 "ui:siemV3/threat-intelligence",
                 "ui:siemV3/writeGlobalArtifacts",
+                "ui:siemV3/showEndpointExceptions",
+                "ui:siemV3/crudEndpointExceptions",
               ],
               "blocklist_all": Array [
                 "login:",