
[Security][9.3 & Serverless][RBAC] Ability to grant access to alerts#5538

Open
nastasha-solomon wants to merge 9 commits into main from docs-detection-alerts-rbac

Conversation

@nastasha-solomon
Contributor

@nastasha-solomon nastasha-solomon commented Mar 17, 2026

Summary

Fixes https://github.com/elastic/docs-content-internal/issues/796.

Preview

  • Entity risk scoring - Updated custom stack roles privs to show access needed to view alert risk contributions in entity details. Need to know which predefined roles provide this access.
  • View the Privileged user monitoring dashboard - Updated privs for viewing the Privileged user monitoring dashboard.
  • Attack discovery - Added a new tab for privs needed to access Attack discovery alerts.
  • Cases - Updated privs for adding alerts to cases.

Generative AI disclosure

  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?
  • Yes
  • No

Cursor + Auto mode

@github-actions
Contributor

github-actions bot commented Mar 17, 2026

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

| Action | Predefined role |
| --- | --- |
| Install the risk engine | - Platform engineer<br>- Admin |
| Run the risk engine | - Platform engineer<br>- Detections admin<br>- Admin |
Contributor Author


@rylnd is there an equivalent predefined serverless role that provides access to viewing alert risk contributions in entity details?


I believe the T3 Analyst is the only role with default access to both Entity Analytics and Alerts. @jaredburgettelastic could probably confirm.

Contributor

👋 Am I understanding correctly that we're looking for which default Serverless roles have access to read both risk scoring and Security alerts?

The definitions can be found here: https://github.com/elastic/elasticsearch-controller/blob/main/internal/config/roles/security.yaml

Based on the above link, it looks like we have many built-in roles which have read access to both:

  • viewer
  • editor
  • t1_analyst
  • t2_analyst
  • t3_analyst
  • threat_intelligence_analyst
  • rule_author
  • soc_manager
  • detections_admin
  • platform_engineer
  • endpoint_operations_analyst
  • endpoint_policy_manager
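
The question in this thread is a least-privilege one: given a set of role definitions, which roles grant at least read on both the risk scoring feature and Security alerts, and which of those grant exactly the minimum rather than more. The following is an added example, not code from this PR, the Elastic docs, or the elasticsearch-controller `security.yaml`; the role-to-feature mapping, the feature keys `siem` and `entityAnalytics`, and the three-level `none`/`read`/`all` privilege scale are constructed assumptions used only to show the check.

```python
"""Least-privilege check over constructed role definitions.

Assumptions (not taken from the PR or from Elastic's role schema):
- each role maps a feature key to a single privilege level,
- "all" includes everything "read" grants,
- the feature keys "siem" and "entityAnalytics" stand in for
  Security alerts and entity risk scoring respectively.
"""

# Privilege ordering: a higher rank satisfies any lower requirement.
PRIV_RANK = {"none": 0, "read": 1, "all": 2}

# Constructed sample roles (hypothetical, for illustration only).
ROLES = {
    "viewer": {"siem": "read", "entityAnalytics": "read"},
    "t3_analyst": {"siem": "all", "entityAnalytics": "all"},
    "rule_author": {"siem": "all", "entityAnalytics": "read"},
    "endpoint_policy_manager": {"siem": "read"},   # no entity analytics
    "billing_admin": {},                           # no Security features
}

# What the feature under discussion needs: read on both features.
REQUIRED = {"siem": "read", "entityAnalytics": "read"}


def priv_rank(privs, feature):
    """Numeric rank of the privilege a role holds on a feature (0 if absent)."""
    return PRIV_RANK.get(privs.get(feature, "none"), 0)


def roles_granting(roles, required):
    """Roles whose privileges meet or exceed every required feature level."""
    return sorted(
        name
        for name, privs in roles.items()
        if all(priv_rank(privs, f) >= PRIV_RANK[lvl] for f, lvl in required.items())
    )


def least_privilege(roles, required):
    """Subset of roles_granting that grants exactly the required level on each feature."""
    return sorted(
        name
        for name in roles_granting(roles, required)
        if all(priv_rank(roles[name], f) == PRIV_RANK[lvl] for f, lvl in required.items())
    )


def excess_privileges(roles, required):
    """For each qualifying role, the features on which it exceeds the requirement."""
    return {
        name: sorted(
            f for f, lvl in required.items()
            if priv_rank(roles[name], f) > PRIV_RANK[lvl]
        )
        for name in roles_granting(roles, required)
    }


if __name__ == "__main__":
    print("grants read on both:", roles_granting(ROLES, REQUIRED))
    print("exact minimum:      ", least_privilege(ROLES, REQUIRED))
    for role, extra in excess_privileges(ROLES, REQUIRED).items():
        if extra:
            print(f"{role} exceeds the minimum on {extra}")
```

Run against a real role catalogue, the same three functions answer the reviewer's question directly: `roles_granting` is the list of roles that can use the feature at all, `least_privilege` is the list worth documenting as the minimal grant, and `excess_privileges` shows which broader roles a reader would be over-provisioning with.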

Contributor Author

Oh yeah, good distinction @jaredburgettelastic - you are correct in that I'm looking for serverless roles that provide the minimum level of access needed (read) to use the entity scoring feature and view Security alerts.

Member

@alaudazzi alaudazzi left a comment


I left a few suggestions, otherwise LGTM.

Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
4 participants