elastic · gergoabraham · Nov 21, 2025 · Sep 26, 2025
@@ -87,7 +87,7 @@ const MenuItemsComponent: FC<MenuItemsProps> = ({
         )}
       </EuiFlexItem>
 
-      {canUserEditList && (
+      {canUserEditList && !isReadonly && (
         <EuiFlexItem>
           <EuiButton
             data-test-subj={`${dataTestSubj || ''}LinkRulesButton`}

@@ -90,7 +90,24 @@ describe('MenuItems', () => {
     expect(wrapper.getByTestId('MenuActionsActionItem3')).toBeDisabled();
   });
 
-  it('should not render Manage rules', () => {
+  it('should not render Manage rules when read only', () => {
+    const wrapper = render(
+      <MenuItems
+        isReadonly={true}
+        canUserEditList={true}
+        linkedRules={rules}
+        securityLinkAnchorComponent={securityLinkAnchorComponentMock}
+        onExportList={onExportList}
+        onDeleteList={onDeleteList}
+        onDuplicateList={onDuplicateList}
+        onManageRules={onManageRules}
+      />
+    );
+
+    expect(wrapper.queryByTestId('LinkRulesButton')).not.toBeInTheDocument();
+  });
+
+  it('should not render Manage rules if user cannot edit list', () => {
     const wrapper = render(
       <MenuItems
         isReadonly={false}

@@ -140,6 +140,8 @@ const ExceptionsViewerComponent = ({
     ...initialState,
   });
 
+  const isReadOnlyOnCurrentList = isEndpointSpecified ? !canWriteEndpointExceptions : isReadOnly;
+
   // Reducer actions
   const setLastUpdated = useCallback(
     (lastUpdate: string | number): void => {
@@ -522,7 +524,7 @@ const ExceptionsViewerComponent = ({
               />
               <EuiSpacer size="m" />
               <ExceptionsViewerSearchBar
-                canAddException={isEndpointSpecified ? !canWriteEndpointExceptions : isReadOnly}
+                isReadOnly={isReadOnlyOnCurrentList}
                 isEndpoint={isEndpointSpecified}
                 isSearching={viewerState === 'searching'}
                 onSearch={handleSearch}
@@ -533,8 +535,8 @@ const ExceptionsViewerComponent = ({
           <EuiSpacer size="l" />
 
           <ExceptionsViewerItems
-            isReadOnly={isEndpointSpecified ? !canWriteEndpointExceptions : isReadOnly}
-            disableActions={isReadOnly || viewerState === 'deleting' || !canWriteEndpointExceptions}
+            isReadOnly={isReadOnlyOnCurrentList}
+            disableActions={isReadOnlyOnCurrentList || viewerState === 'deleting'}
             exceptions={exceptions}
             isEndpoint={isEndpointSpecified}
             ruleReferences={allReferences}

@@ -18,7 +18,7 @@ describe('ExceptionsViewerSearchBar', () => {
         onSearch={jest.fn()}
         onAddExceptionClick={jest.fn()}
         isSearching={false}
-        canAddException
+        isReadOnly
       />
     );
 
@@ -29,7 +29,7 @@ describe('ExceptionsViewerSearchBar', () => {
     const mockOnAddExceptionClick = jest.fn();
     const wrapper = mount(
       <ExceptionsViewerSearchBar
-        canAddException={false}
+        isReadOnly={false}
         isEndpoint={false}
         isSearching={false}
         onSearch={jest.fn()}
@@ -49,7 +49,7 @@ describe('ExceptionsViewerSearchBar', () => {
     const mockOnAddExceptionClick = jest.fn();
     const wrapper = mount(
       <ExceptionsViewerSearchBar
-        canAddException={false}
+        isReadOnly={false}
         isEndpoint={true}
         isSearching={false}
         onSearch={jest.fn()}

@@ -43,7 +43,7 @@ const ITEMS_SCHEMA = {
 };
 
 interface ExceptionsViewerSearchBarProps {
-  canAddException: boolean;
+  isReadOnly: boolean;
   // Exception list type used to determine what type of item is
   // being created when "onAddExceptionClick" is invoked
   isEndpoint: boolean;
@@ -56,7 +56,7 @@ interface ExceptionsViewerSearchBarProps {
  * Search exception items and take actions (to creat an item)
  */
 const ExceptionsViewerSearchBarComponent = ({
-  canAddException,
+  isReadOnly,
   isEndpoint,
   isSearching,
   onSearch,
@@ -91,7 +91,7 @@ const ExceptionsViewerSearchBarComponent = ({
           onChange={handleOnSearch}
         />
       </EuiFlexItem>
-      {!canAddException && (
+      {!isReadOnly && (
         <EuiFlexItem grow={false}>
           <EuiButton
             data-test-subj="exceptionsHeaderAddExceptionBtn"

@@ -0,0 +1,140 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { renderHook } from '@testing-library/react';
+import { TestProviders } from '../../../../common/mock';
+import { useAlertExceptionActions } from './use_add_exception_actions';
+import { useUserData } from '../../user_info';
+import { useEndpointExceptionsCapability } from '../../../../exceptions/hooks/use_endpoint_exceptions_capability';
+
+jest.mock('../../user_info');
+const mockUseUserData = useUserData as jest.Mock;
+
+jest.mock('../../../../exceptions/hooks/use_endpoint_exceptions_capability');
+const mockUseEndpointExceptionsCapability = useEndpointExceptionsCapability as jest.Mock;
+
+describe('useAlertExceptionActions', () => {
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('should return both add rule exception and add endpoint exception menu items with all privileges', () => {
+    mockUseUserData.mockReturnValue([{ canUserCRUD: true, hasIndexWrite: true }]);
+    mockUseEndpointExceptionsCapability.mockReturnValue(true);
+
+    const { result } = renderHook(
+      () => useAlertExceptionActions({ isEndpointAlert: true, onAddExceptionTypeClick: jest.fn() }),
+      { wrapper: TestProviders }
+    );
+
+    expect(result.current.exceptionActionItems.length).toEqual(2);
+    expect(result.current.exceptionActionItems.map(({ key, disabled }) => [key, disabled])).toEqual(
+      [
+        ['add-endpoint-exception-menu-item', false],
+        ['add-exception-menu-item', false],
+      ]
+    );
+  });
+
+  it('should disable adding endpoint exceptions when user has no endpoint exceptions ALL privilege', () => {
+    mockUseUserData.mockReturnValue([{ canUserCRUD: true, hasIndexWrite: true }]);
+    mockUseEndpointExceptionsCapability.mockReturnValue(false);
+
+    const { result } = renderHook(
+      () => useAlertExceptionActions({ isEndpointAlert: true, onAddExceptionTypeClick: jest.fn() }),
+      { wrapper: TestProviders }
+    );
+
+    expect(result.current.exceptionActionItems.length).toEqual(2);
+    expect(result.current.exceptionActionItems.map(({ key, disabled }) => [key, disabled])).toEqual(
+      [
+        ['add-endpoint-exception-menu-item', true],
+        ['add-exception-menu-item', false],
+      ]
+    );
+  });
+
+  it('should disable adding endpoint exceptions when alert is not an endpoint alert', () => {
+    mockUseUserData.mockReturnValue([{ canUserCRUD: true, hasIndexWrite: true }]);
+    mockUseEndpointExceptionsCapability.mockReturnValue(true);
+
+    const { result } = renderHook(
+      () =>
+        useAlertExceptionActions({ isEndpointAlert: false, onAddExceptionTypeClick: jest.fn() }),
+      { wrapper: TestProviders }
+    );
+
+    expect(result.current.exceptionActionItems.length).toEqual(2);
+    expect(result.current.exceptionActionItems.map(({ key, disabled }) => [key, disabled])).toEqual(
+      [
+        ['add-endpoint-exception-menu-item', true],
+        ['add-exception-menu-item', false],
+      ]
+    );
+  });
+
+  it('should disable adding rule exceptions when user has no security:ALL privilege', () => {
+    mockUseUserData.mockReturnValue([{ canUserCRUD: false, hasIndexWrite: true }]);
+    mockUseEndpointExceptionsCapability.mockReturnValue(true);
+
+    const { result } = renderHook(
+      () => useAlertExceptionActions({ isEndpointAlert: true, onAddExceptionTypeClick: jest.fn() }),
+      { wrapper: TestProviders }
+    );
+
+    expect(result.current.exceptionActionItems.length).toEqual(2);
+    expect(result.current.exceptionActionItems.map(({ key, disabled }) => [key, disabled])).toEqual(
+      [
+        ['add-endpoint-exception-menu-item', false],
+        ['add-exception-menu-item', true],
+      ]
+    );
+  });
+
+  it('should disable adding rule exceptions when user has no index write privilege', () => {
+    mockUseUserData.mockReturnValue([{ canUserCRUD: true, hasIndexWrite: false }]);
+    mockUseEndpointExceptionsCapability.mockReturnValue(true);
+
+    const { result } = renderHook(
+      () => useAlertExceptionActions({ isEndpointAlert: true, onAddExceptionTypeClick: jest.fn() }),
+      { wrapper: TestProviders }
+    );
+
+    expect(result.current.exceptionActionItems.length).toEqual(2);
+    expect(result.current.exceptionActionItems.map(({ key, disabled }) => [key, disabled])).toEqual(
+      [
+        ['add-endpoint-exception-menu-item', false],
+        ['add-exception-menu-item', true],
+      ]
+    );
+  });
+
+  it('should not return menu items when user has neither security:ALL nor endpoint exceptions ALL privilege', () => {
+    mockUseUserData.mockReturnValue([{ canUserCRUD: false, hasIndexWrite: true }]);
+    mockUseEndpointExceptionsCapability.mockReturnValue(false);
+
+    const { result } = renderHook(
+      () => useAlertExceptionActions({ isEndpointAlert: true, onAddExceptionTypeClick: jest.fn() }),
+      { wrapper: TestProviders }
+    );
+
+    expect(result.current.exceptionActionItems.length).toEqual(0);
+  });
+
+  it('should not return menu items when user has neither index write and it is not an endpoint alert', () => {
+    mockUseUserData.mockReturnValue([{ canUserCRUD: true, hasIndexWrite: false }]);
+    mockUseEndpointExceptionsCapability.mockReturnValue(true);
+
+    const { result } = renderHook(
+      () =>
+        useAlertExceptionActions({ isEndpointAlert: false, onAddExceptionTypeClick: jest.fn() }),
+      { wrapper: TestProviders }
+    );
+
+    expect(result.current.exceptionActionItems.length).toEqual(0);
+  });
+});
@@ -13,16 +13,17 @@ import { useUserData } from '../../user_info';
 import { ACTION_ADD_ENDPOINT_EXCEPTION, ACTION_ADD_EXCEPTION } from '../translations';
 import type { AlertTableContextMenuItem } from '../types';
 
-interface UseExceptionActionProps {
+export interface UseExceptionActionProps {
   isEndpointAlert: boolean;
   onAddExceptionTypeClick: (type?: ExceptionListTypeEnum) => void;
 }
 
-export const useExceptionActions = ({
+export const useAlertExceptionActions = ({
   isEndpointAlert,
   onAddExceptionTypeClick,
 }: UseExceptionActionProps) => {
   const [{ canUserCRUD, hasIndexWrite }] = useUserData();
+  const canWriteEndpointExceptions = useEndpointExceptionsCapability('crudEndpointExceptions');
 
   const handleDetectionExceptionModal = useCallback(() => {
     onAddExceptionTypeClick();
@@ -32,12 +33,12 @@ export const useExceptionActions = ({
     onAddExceptionTypeClick(ExceptionListTypeEnum.ENDPOINT);
   }, [onAddExceptionTypeClick]);
 
-  const disabledAddEndpointException = !canUserCRUD || !hasIndexWrite || !isEndpointAlert;
+  const disabledAddEndpointException = !canWriteEndpointExceptions || !isEndpointAlert;
   const disabledAddException = !canUserCRUD || !hasIndexWrite;
 
   const exceptionActionItems: AlertTableContextMenuItem[] = useMemo(
     () =>
-      disabledAddException
+      disabledAddException && disabledAddEndpointException
         ? []
         : [
             {
@@ -65,26 +66,3 @@ export const useExceptionActions = ({
 
   return { exceptionActionItems };
 };
-
-export const useAlertExceptionActions = ({
-  isEndpointAlert,
-  onAddExceptionTypeClick,
-}: UseExceptionActionProps) => {
-  const { exceptionActionItems } = useExceptionActions({
-    isEndpointAlert,
-    onAddExceptionTypeClick,
-  });
-
-  const canWriteEndpointExceptions = useEndpointExceptionsCapability('crudEndpointExceptions');
-  // Endpoint exceptions are available for:
-  // Serverless Endpoint Essentials/Complete PLI and
-  // on ESS Security Kibana sub-feature Endpoint Exceptions (enabled when Security feature is enabled)
-  if (!canWriteEndpointExceptions) {
-    return {
-      exceptionActionItems: exceptionActionItems.map((item) => {
-        return { ...item, disabled: item.name === ACTION_ADD_ENDPOINT_EXCEPTION };
-      }),
-    };
-  }
-  return { exceptionActionItems };
-};
@@ -5,7 +5,7 @@
  * 2.0.
  */
 import type { FC } from 'react';
-import React, { useMemo } from 'react';
+import React from 'react';
 import type {
   ExceptionListItemIdentifiers,
   GetExceptionItemProps,
@@ -22,7 +22,6 @@ import { getFormattedComments } from '../../utils/ui.helpers';
 import { LinkToRuleDetails } from '../link_to_rule_details';
 import { ExceptionsUtility } from '../exceptions_utility';
 import * as i18n from '../../translations/list_exception_items';
-import { useEndpointExceptionsCapability } from '../../hooks/use_endpoint_exceptions_capability';
 import { ShowValueListModal } from '../../../value_list/components/show_value_list_modal';
 
 interface ListExceptionItemsProps {
@@ -60,27 +59,28 @@ const ListExceptionItemsComponent: FC<ListExceptionItemsProps> = ({
   onPaginationChange,
   onCreateExceptionListItem,
 }) => {
-  const canWriteEndpointExceptions = useEndpointExceptionsCapability('crudEndpointExceptions');
-
-  const editButtonText = useMemo(() => {
-    return listType === ExceptionListTypeEnum.ENDPOINT
+  const editButtonText =
+    listType === ExceptionListTypeEnum.ENDPOINT
       ? i18n.EXCEPTION_ITEM_CARD_EDIT_ENDPOINT_LABEL
       : i18n.EXCEPTION_ITEM_CARD_EDIT_LABEL;
-  }, [listType]);
 
-  const deleteButtonText = useMemo(() => {
-    return listType === ExceptionListTypeEnum.ENDPOINT
+  const deleteButtonText =
+    listType === ExceptionListTypeEnum.ENDPOINT
       ? i18n.EXCEPTION_ITEM_CARD_DELETE_ENDPOINT_LABEL
       : i18n.EXCEPTION_ITEM_CARD_DELETE_LABEL;
-  }, [listType]);
+
+  const exceptionsTitle =
+    listType === ExceptionListTypeEnum.ENDPOINT
+      ? i18n.EXCEPTION_UTILITY_ENDPOINT_TITLE
+      : i18n.EXCEPTION_UTILITY_TITLE;
 
   return (
     <>
       <ExceptionItems
         viewerStatus={viewerStatus as ViewerStatus}
         listType={listType as ExceptionListTypeEnum}
         ruleReferences={ruleReferences}
-        isReadOnly={isReadOnly || !canWriteEndpointExceptions}
+        isReadOnly={isReadOnly}
         exceptions={exceptions}
         emptyViewerTitle={emptyViewerTitle}
         emptyViewerBody={emptyViewerBody}
@@ -99,7 +99,7 @@ const ListExceptionItemsComponent: FC<ListExceptionItemsProps> = ({
         exceptionsUtilityComponent={() =>
           hideUtility ? null : (
             <ExceptionsUtility
-              exceptionsTitle={i18n.EXCEPTION_UTILITY_TITLE}
+              exceptionsTitle={exceptionsTitle}
               pagination={pagination}
               lastUpdated={lastUpdated}
             />