[Fleet]: User is unable to navigate between spaces when Security solution spaces are created and custom user has only access to Fleet: All and Integrations: All. #196646

Closed
amolnater-qasource opened this issue Oct 17, 2024 · 11 comments
Labels:

  • bug (Fixes for quality problems that affect the customer experience)
  • impact:medium (Addressing this issue will have a medium level of impact on the quality/strength of our product.)
  • Team:Fleet (Team label for Observability Data Collection Fleet team)

Comments

@amolnater-qasource

Kibana Build details:

VERSION: 8.16.0-SNAPSHOT
BUILD: 79269
COMMIT: 574ec2fc5f383da6bff0d506cc6ab76803119dae

Role:

Space2: Security Solution
Integrations: All
Fleet: All
Agents: All
Agent policies: All
Settings: All

Space3: Security Solution
Integrations: All
Fleet: All
Agents: All
Agent policies: All
Settings: All

Preconditions:

  1. An 8.16.0-SNAPSHOT Kibana cloud environment should be available.
  2. A new user should be created with the role defined above.

Steps to reproduce:

  1. Log in with the above user.
  2. Navigate to Space2.
  3. Now, from the spaces selection, select Space3.
  4. Observe that the user is unable to navigate to Space3.

Expected Result:
User should be able to navigate between spaces when Security solution spaces are created and custom user has only access to Fleet: All and Integrations: All.
This should be managed as user is not able to navigate between spaces.

Note:

  • We updated the space in the URL manually to access different spaces.

Screen Recording:

Agent.policies.-.Fleet.-.Elastic.-.Google.Chrome.2024-10-17.14-31-51.mp4

Feature:
https://github.com/elastic/ingest-dev/issues/2903
https://github.com/elastic/ingest-dev/issues/1664

@amolnater-qasource added the bug, impact:medium and Team:Fleet labels on Oct 17, 2024
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

@amolnater-qasource
Author

@muskangulati-qasource Please review.

@muskangulati-qasource

Secondary Review is Done for this ticket!

@nchaulet
Member

nchaulet commented Dec 2, 2024

I am not sure there is an issue here; I think it's the expected behavior of the space switch. cc @elastic/kibana-security

@jeramysoucy
Contributor

jeramysoucy commented Dec 3, 2024

I was unable to reproduce the issue.

  1. How are you creating this role with these specific permissions? Can you provide the API call you are using? I ask because in the UI it is not possible to assign Fleet All unless it applies to All spaces. I also do not see granular permissions for Agents and Agent policies in the UI. Could you query the role and provide the output (GET kbn:/api/security/role/[role_name])?
  2. Can you query for the user's privileges and provide the output? (GET /_security/user/_privileges)
  3. Is this behavior still occurring in 8.16.1?

@amolnater-qasource
Author

Hi @jeramysoucy

Thank you for looking into this issue.
Please find below the details for the same.

  • You can enable the feature flag for Fleet: xpack.fleet.enableExperimental: ['subfeaturePrivileges']
  • General Steps:
    • Create 2 spaces, both with Security Solution selected.
    • Create a user role: select Spaces: All and Privileges: Fleet: All & Integrations: All.
    • Log in with the user and attempt to navigate between the spaces for this custom user.
    • Observe that the user is unable to navigate between the spaces.

Further, the issue is also reproducible on the latest 8.16.1.

Screen Recording:

Agents.-.Fleet.-.Elastic.-.Google.Chrome.2024-12-04.11-28-12.mp4

Output for: GET kbn:/api/security/role/Custom
console_export.txt

Output for: GET /_security/user/_privileges
Sec privileges.txt

Please let us know if anything else is required from our end.

Thanks!

@jeramysoucy
Contributor

@amolnater-qasource This is expected due to the landing page for spaces. When changing spaces, users are redirected to the landing page of the space, and in this case, the spaces are designated as security solution view, and the user does not have permission to access the security solution app.

@amolnater-qasource
Author

@jeramysoucy Thank you for the update.

So could you please confirm if in such navigation the custom user has to manually update the url to access other spaces?

If that is the case, we can proceed to close this issue.
Thank you!

@jeramysoucy
Contributor

> So could you please confirm if in such navigation the custom user has to manually update the url to access other spaces?

The user would need to go to a URL for an app within the space that they have access to. It is not an ideal situation, but the spaces are designated with a specific solution view. Any users that do not have access to the default landing page, but access to the space in some other way, will experience this. The space's solution view could be changed to get around this (remove the security solution view), or the user could be granted minimal privilege to the app of the space's designated purpose (security in this case).
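
An audit for the situation described in this comment, as an added example that is not part of the thread or of Kibana's code: given a role's `kibana` privilege entries and a list of spaces, it reports the spaces the role can use but whose solution-view landing page it cannot open. The feature ids (`fleetv2`, `fleet`, `siem`), the solution-to-feature mapping and the sample role and spaces are assumptions constructed for illustration.

```javascript
// Added example, not Kibana code. Feature ids and the mapping are assumptions.
// Assumed feature whose privilege opens each solution view's landing page.
const LANDING_FEATURE = { security: "siem" };

// True when one `kibana` privilege entry of a role applies to the space.
function coversSpace(entry, spaceId) {
  return entry.spaces.includes("*") || entry.spaces.includes(spaceId);
}

// Privileges (base or feature-level) the role holds on one feature in one space.
function privilegesFor(role, spaceId, featureId) {
  const found = new Set();
  for (const entry of role.kibana) {
    if (!coversSpace(entry, spaceId)) continue;
    for (const p of entry.base || []) found.add(p);
    for (const p of (entry.feature || {})[featureId] || []) found.add(p);
  }
  return [...found];
}

// True when the role grants anything at all inside the space.
function canUseSpace(role, spaceId) {
  return role.kibana.some((entry) =>
    coversSpace(entry, spaceId) &&
    ((entry.base || []).length > 0 ||
      Object.values(entry.feature || {}).some((p) => p.length > 0)));
}

// Spaces the role can use but whose solution-view landing page it cannot open.
function findLandingPageGaps(role, spaces) {
  return spaces
    .filter((s) => LANDING_FEATURE[s.solution] !== undefined)
    .filter((s) => canUseSpace(role, s.id))
    .filter((s) => privilegesFor(role, s.id, LANDING_FEATURE[s.solution]).length === 0)
    .map((s) => s.id);
}

// Constructed sample data modelled on the role and spaces described in the issue.
const spaces = [
  { id: "default", solution: "classic" },
  { id: "space2", solution: "security" },
  { id: "space3", solution: "security" },
];
const fleetOnly = { base: [], feature: { fleetv2: ["all"], fleet: ["all"] }, spaces: ["*"] };
const customRole = { name: "Custom", kibana: [fleetOnly] };
// Same role plus read access to the assumed Security feature in space3 only.
const patchedRole = { name: "Custom", kibana: [fleetOnly, { base: [], feature: { siem: ["read"] }, spaces: ["space3"] }] };

console.log(findLandingPageGaps(customRole, spaces));
console.log(findLandingPageGaps(patchedRole, spaces));
```

Running such a check over every role before assigning a solution view to a space shows which users would land on a page they cannot open, and the patched role shows the smallest grant that closes the gap for one space.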

@nchaulet
Member

Thanks @jeramysoucy for the investigation/explanation. So it looks like we can close that one, as it does not seem to be a Fleet-specific issue.

@amolnater-qasource
Author

Thank you for the confirmation @jeramysoucy and @nchaulet
