Add required roles and privileges for Fleet & Integrations (#868)

* Add required roles and privileges for Fleet & Integrations * fix * Capitalize 'Integrations' * one more... (cherry picked from commit be9a718)
elastic · Jan 31, 2024 · fd86678 · fd86678
1 parent 7b11463
commit fd86678
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 2 deletions.
diff --git a/docs/en/ingest-management/fleet/fleet.asciidoc b/docs/en/ingest-management/fleet/fleet.asciidoc
@@ -22,9 +22,12 @@ external infrastructure management solution and
 <<install-standalone-elastic-agent,install {agent} in standalone mode>> instead.
 ****
 
-IMPORTANT: {fleet} currently requires a {kib} user with `All` privileges on
+[IMPORTANT]
+====
+{fleet} currently requires a {kib} user with `All` privileges on
 {fleet} and {integrations}. Since many Integrations assets are shared across
-spaces, users need the {kib} privileges in all spaces.
+spaces, users need the {kib} privileges in all spaces. Refer to <<fleet-roles-and-privileges>> to learn how to create a user role with the required privileges to access {fleet} and {integrations}.
+====
 
 To learn how to add {agent}s to {fleet}, refer to
 <<install-fleet-managed-elastic-agent>>.

diff --git a/docs/en/ingest-management/images/kibana-fleet-privileges.png b/docs/en/ingest-management/images/kibana-fleet-privileges.png
diff --git a/docs/en/ingest-management/index.asciidoc b/docs/en/ingest-management/index.asciidoc
@@ -141,6 +141,8 @@ include::agent-policies.asciidoc[leveloffset=+2]
 
 include::create-agent-policies-no-UI.asciidoc[leveloffset=+3]
 
+include::security/fleet-roles-and-privileges.asciidoc[leveloffset=+2]
+
 include::security/enrollment-tokens.asciidoc[leveloffset=+2]
 
 include::fleet/fleet-api-docs.asciidoc[leveloffset=+2]

diff --git a/docs/en/ingest-management/security/fleet-roles-and-privileges.asciidoc b/docs/en/ingest-management/security/fleet-roles-and-privileges.asciidoc
@@ -0,0 +1,45 @@
+[[fleet-roles-and-privileges]]
+= Required roles and privileges
+
+Beginning with {stack} version 8.1, you no longer require the built-in `elastic` superuser credentials to use {fleet} and Integrations.
+
+Assigning the {kib} feature privileges `Fleet` and `Integrations` grants access to these features:
+
+`all`:: Grants full read-write access.
+`read`:: Grants read-only access.
+
+The built-in `editor` role grants the following privileges, supporting full read-write access to {fleet} and Integrations:
+
+* {Fleet}: `All`
+* Integrations: `All`
+
+The built-in `viewer` role grants the following privileges, supporting read-only access to {fleet} and Integrations:
+
+* {Fleet}:: `None`
+* Integrations:: `Read`
+
+You can also create a new role that can be assigned to a user to grant access to {fleet} and Integrations.
+
+[discrete]
+[[fleet-roles-and-privileges-create]]
+== Create a role for {fleet}
+
+To create a new role with full access to use and manage {fleet} and Integrations:
+
+. In {kib}, go to **Management -> Stack Management**.
+. In the **Security** section, select **Roles**.
+. Select **Create role**.
+. Specify a name for the role.
+. Leave the {es} settings at their defaults, or refer to {ref}/security-privileges.html[Security privileges] for descriptions of the available settings.
+. In the {kib} section, select **Add Kibana privilege**.
+. In the **Spaces** menu, select *** All Spaces**. Since many Integrations assets are shared across spaces, the users needs the {kib} privileges in all spaces.
+. Expand the **Management** section.
+. Set **Fleet** privileges to **All**.
+. Set **Integrations** privileges to **All**.
+
+[role="screenshot"]
+image::images/kibana-fleet-privileges.png[Kibana privileges flyout showing Fleet and Integrations set to All]
+
+To create a read-only user for Integrations, follow the same steps as above but set the **Fleet** privileges to **None** and the **Integrations** privileges to **Read**.
+
+Read-only access to {fleet} is not currently supported but is planned for development in a later release.