[9.4] [Entity Analytics][Lead generation] Hide leads section and disable Generate button based on ES index permissions (#266586) #267383
Merged
…nerate button based on ES index permissions (elastic#266586)

## Summary

Follow-up to elastic#265956, addressing the review request by @ymao1 in [this comment](elastic#265956 (review)).

Closes elastic/security-team#17123

Adds permission-aware UI behaviour to the leads section based on the user's Elasticsearch index-level access to `.entity_analytics.entity-leads-*`:

- **No read access**: the entire leads section is hidden
- **Read but no write access**: leads are shown, but the Generate and Refresh buttons are disabled with a tooltip explaining the permission requirement
- **Full access**: no change, UI behaves as before

### How it works

A new internal API route `GET /internal/entity_analytics/leads/privileges` checks `read` and `write` privileges on the leads index pattern for the current user (using `checkPrivilegesDynamicallyWithRequest`). The result is fetched once on page load inside `useHuntingLeads` and drives the UI state.

## Screenshots

Generate button disabled (no write access)

<img width="1722" height="783" alt="Screenshot 2026-04-30 at 1 54 51 PM" src="https://github.com/user-attachments/assets/eade852a-f204-49f3-a96d-08e64913049c" />

Leads section hidden (no read access)

<img width="1919" height="903" alt="Screenshot 2026-04-30 at 1 54 02 PM" src="https://github.com/user-attachments/assets/99649213-f63e-4304-b76a-4cfc922bb987" />

## Testing

### Test users to create

Use the Kibana Dev Console (`Stack Management > Dev Tools`) to create the following users.

**1. Full access user** (read + write on leads index)

```
POST /_security/role/leads_full_access
{
  "indices": [
    {
      "names": [".entity_analytics.entity-leads-*"],
      "privileges": ["read", "write", "create_index"]
    }
  ]
}

POST /_security/user/leads_full_user
{
  "roles": ["kibana_admin", "leads_full_access"]
}
```

**2. Read-only user** (read on leads index, no write)

```
POST /_security/role/leads_read_only
{
  "indices": [
    {
      "names": [".entity_analytics.entity-leads-*"],
      "privileges": ["read"]
    }
  ]
}

POST /_security/user/leads_read_user
{
  "roles": ["kibana_admin", "leads_read_only"]
}
```

**3. No access user** (no leads index permissions)

```
POST /_security/user/leads_no_access_user
{
  "roles": ["kibana_admin"]
}
```

### Test steps

1. Log in as `leads_full_user` and navigate to the Entity Analytics page. The leads section should be fully visible with Generate and Refresh buttons enabled.
2. Log in as `leads_read_user` and navigate to the Entity Analytics page. The leads section should be visible but the Generate and Refresh buttons should be disabled with a tooltip.
3. Log in as `leads_no_access_user` and navigate to the Entity Analytics page. The leads section should not be rendered.

> Note: For steps 2 and 3 to be meaningful, lead generation should have been enabled first (via a full-access user) so the index exists. The privilege check is role-based and works even before the index is created.

(cherry picked from commit 4aec4fe)
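
The three-state mapping from the description above, written as an added example that is not part of the PR or of Kibana's code. It assumes the privilege check returns the `index` map of an Elasticsearch has-privileges response; `LeadsUiState`, `deriveLeadsUiState` and the tooltip text are hypothetical, and the sample responses are constructed.

```typescript
// Added example; LeadsUiState and deriveLeadsUiState are hypothetical names, not Kibana code.
const LEADS_INDEX_PATTERN = '.entity_analytics.entity-leads-*';

// Assumed input: the `index` map of an Elasticsearch has-privileges response.
interface HasPrivilegesResponse {
  index?: Record<string, Record<string, boolean>>;
}

interface LeadsUiState {
  showLeadsSection: boolean;
  canGenerate: boolean; // drives both the Generate and Refresh buttons
  disabledReason?: string; // tooltip text when the buttons are disabled
}

function deriveLeadsUiState(resp: unknown): LeadsUiState {
  // Fail closed: anything unexpected renders as "no access".
  const hidden: LeadsUiState = { showLeadsSection: false, canGenerate: false };
  if (typeof resp !== 'object' || resp === null) return hidden;
  const index = (resp as HasPrivilegesResponse).index;
  if (typeof index !== 'object' || index === null) return hidden;
  const entry = index[LEADS_INDEX_PATTERN];
  if (typeof entry !== 'object' || entry === null) return hidden;
  // Only a literal boolean true grants a privilege.
  const canRead = entry.read === true;
  const canWrite = entry.write === true;
  if (!canRead) return hidden; // also covers write-without-read
  if (!canWrite) {
    return {
      showLeadsSection: true,
      canGenerate: false,
      disabledReason: `Requires write privilege on ${LEADS_INDEX_PATTERN}`,
    };
  }
  return { showLeadsSection: true, canGenerate: true };
}

// Constructed responses mirroring the three test users in the description, plus a bad one.
const CONSTRUCTED_RESPONSES: Array<{ user: string; resp: unknown }> = [
  { user: 'leads_full_user', resp: { index: { [LEADS_INDEX_PATTERN]: { read: true, write: true } } } },
  { user: 'leads_read_user', resp: { index: { [LEADS_INDEX_PATTERN]: { read: true, write: false } } } },
  { user: 'leads_no_access_user', resp: { index: { [LEADS_INDEX_PATTERN]: { read: false, write: false } } } },
  { user: 'wrong_index_key', resp: { index: { 'some-other-index': { read: true, write: true } } } },
];

for (const { user, resp } of CONSTRUCTED_RESPONSES) {
  console.log(user, JSON.stringify(deriveLeadsUiState(resp)));
}
```

The derived state only controls rendering; Elasticsearch still enforces the index privileges on every request.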
💚 Build Succeeded
Backport
This will backport the following commits from main to 9.4:

Questions?
Please refer to the Backport tool documentation