[REQUEST]: Document the privileges needed for Fleet and Integrations #724

Closed
criamico opened this issue Nov 29, 2023 · 7 comments
@criamico
Contributor

criamico commented Nov 29, 2023

Description

Recently we've received several requests (in SDHs and other places) to document how to set up roles and privileges for running Fleet and integrations. The privileges system in Fleet changed with 8.0.0 but I'm not sure if a specific docs page was ever created to explain it.

So I think we should document:

Resources

Current docs

Currently I could only find a line in the docs:

Fleet currently requires a Kibana user with All privileges on Fleet and Integrations. Since many Integrations assets are shared across spaces, users need the Kibana privileges in all spaces.

I think we should expand it to a separate page as it doesn't seem very clear to users what this means.

Some explanation about the privilege system for Fleet is in the original PR (it was introduced in 8.1): elastic/kibana#108252 (comment). Feel free to contact me for further explanations.

How to create a role for fleet:

[Screenshots: "Screenshot 2023-11-20 at 12 00 25", "Screenshot 2023-11-20 at 12 00 33"]

Also, the viewer and editor built-in roles grant similar privileges:

  • Editor role behaves like Fleet > All, Integrations > All
  • Viewer role behaves like Fleet -> None, Integrations -> Read

Collaboration

The documentation team will investigate the issue and create the initial content.

Point of contact.

Main contact: @

Stakeholders:
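An added example, not part of the issue or of Elastic's documentation: a least-privilege audit that applies the rule quoted above (All on Fleet and Integrations, in all spaces) and the Editor/Viewer equivalences to role definitions. It assumes role JSON in the shape of the Kibana role API (`kibana` entries with `base`, `feature`, `spaces`) and the feature IDs `fleetv2` and `fleet`; the role names and sample roles are constructed.

```python
# Added example, not Elastic's code. Feature IDs are assumptions to verify
# against your Kibana version.
FLEET = "fleetv2"        # assumed feature ID behind "Fleet"
INTEGRATIONS = "fleet"   # assumed feature ID behind "Integrations"
RANK = {"none": 0, "read": 1, "all": 2}


def entry_levels(entry):
    """Return (fleet, integrations) level granted by one `kibana` entry."""
    base = entry.get("base") or []
    if "all" in base:
        return "all", "all"    # Editor-like, per the issue
    if "read" in base:
        return "none", "read"  # Viewer-like, per the issue
    feature = entry.get("feature") or {}

    def level(feature_id):
        privs = feature.get(feature_id) or []
        return "all" if "all" in privs else "read" if "read" in privs else "none"

    return level(FLEET), level(INTEGRATIONS)


def audit_role(role):
    """Summarise what a role grants in all spaces versus only some spaces."""
    fleet = integrations = "none"
    scoped = False
    for entry in role.get("kibana") or []:
        f, i = entry_levels(entry)
        if "*" in (entry.get("spaces") or []):
            fleet = max(fleet, f, key=RANK.get)
            integrations = max(integrations, i, key=RANK.get)
        elif (f, i) != ("none", "none"):
            scoped = True  # grants exist, but not in every space
    ok = fleet == "all" and integrations == "all"
    return {"fleet": fleet, "integrations": integrations, "can_use_fleet": ok,
            "space_scoped_only": scoped and not ok}


# Constructed sample roles in the shape of the Kibana role API.
ROLES = {
    "fleet_admin": {"kibana": [{"base": [], "spaces": ["*"],
                                "feature": {FLEET: ["all"], INTEGRATIONS: ["all"]}}]},
    "one_space": {"kibana": [{"base": [], "spaces": ["ops"],
                              "feature": {FLEET: ["all"], INTEGRATIONS: ["all"]}}]},
    "viewer_like": {"kibana": [{"base": ["read"], "spaces": ["*"], "feature": {}}]},
}

if __name__ == "__main__":
    for name, role in ROLES.items():
        print(name, audit_role(role))
```

A role flagged `space_scoped_only` has the right feature privileges but only in some spaces, which the quoted docs line says is not enough for Fleet.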

@leandrojmp

Hello, is there any update on this?

We need to know what privileges are needed by a user to be able to access Fleet Server since we do not want to make everyone a superuser. I couldn't find any documentation on this.

@kilfoyle
Contributor

@leandrojmp I'm very sorry but I won't be able to look at this issue to update the documentation until mid-January.

Until then, perhaps @criamico can provide some guidance.

@leandrojmp

Hello @kilfoyle, is there any update on this?

@kilfoyle
Contributor

Thanks for the reminder @leandrojmp and apologies for the delay. I've opened up this PR.

@criamico The above PR updates the regular Fleet & Agent docs. For the Fleet API docs, since those are generated directly out of the Fleet API spec, we'll need to wait for your elastic/kibana#172155 issue to close, and then I or anyone can regenerate the docs using these instructions.

@criamico
Contributor Author

Thanks @kilfoyle for picking up this ticket! I'll see if elastic/kibana#172155 can get prioritized in one of the upcoming sprints.

@kilfoyle
Contributor

Just for reference, here's the new docs page: Required roles and privileges

@kilfoyle
Contributor

I think this can be closed, since the public docs are updated and there's a separate PR (elastic/kibana#172155) for the API docs.
