elastic · kibanamachine · Oct 6, 2023 · Oct 6, 2023
diff --git a/x-pack/plugins/translations/translations/fr-FR.json b/x-pack/plugins/translations/translations/fr-FR.json
@@ -38307,7 +38307,6 @@
     "xpack.triggersActionsUI.sections.rulesList.monthsLabel": "mois",
     "xpack.triggersActionsUI.sections.rulesList.multipleTitle": "règles",
     "xpack.triggersActionsUI.sections.rulesList.noPermissionToCreateDescription": "Contactez votre administrateur système.",
-    "xpack.triggersActionsUI.sections.rulesList.noPermissionToCreateTitle": "Aucune autorisation pour créer des règles",
     "xpack.triggersActionsUI.sections.rulesList.previousSnooze": "Précédent",
     "xpack.triggersActionsUI.sections.rulesList.refreshRulesButtonLabel": "Actualiser",
     "xpack.triggersActionsUI.sections.rulesList.remainingSnoozeIndefinite": "Indéfiniment",

diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
@@ -38298,7 +38298,6 @@
     "xpack.triggersActionsUI.sections.rulesList.monthsLabel": "月",
     "xpack.triggersActionsUI.sections.rulesList.multipleTitle": "ルール",
     "xpack.triggersActionsUI.sections.rulesList.noPermissionToCreateDescription": "システム管理者にお問い合わせください。",
-    "xpack.triggersActionsUI.sections.rulesList.noPermissionToCreateTitle": "ルールを作成する権限がありません",
     "xpack.triggersActionsUI.sections.rulesList.previousSnooze": "前へ",
     "xpack.triggersActionsUI.sections.rulesList.refreshRulesButtonLabel": "更新",
     "xpack.triggersActionsUI.sections.rulesList.remainingSnoozeIndefinite": "永久",

diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json
@@ -38292,7 +38292,6 @@
     "xpack.triggersActionsUI.sections.rulesList.monthsLabel": "个月",
     "xpack.triggersActionsUI.sections.rulesList.multipleTitle": "规则",
     "xpack.triggersActionsUI.sections.rulesList.noPermissionToCreateDescription": "请联系您的系统管理员。",
-    "xpack.triggersActionsUI.sections.rulesList.noPermissionToCreateTitle": "没有创建规则的权限",
     "xpack.triggersActionsUI.sections.rulesList.previousSnooze": "上一步",
     "xpack.triggersActionsUI.sections.rulesList.refreshRulesButtonLabel": "刷新",
     "xpack.triggersActionsUI.sections.rulesList.remainingSnoozeIndefinite": "无限期",

diff --git a/...lugins/triggers_actions_ui/public/application/components/prompts/no_permission_prompt.tsx b/...lugins/triggers_actions_ui/public/application/components/prompts/no_permission_prompt.tsx
@@ -16,8 +16,8 @@ export const NoPermissionPrompt = () => (
     title={
       <h1>
         <FormattedMessage
-          id="xpack.triggersActionsUI.sections.rulesList.noPermissionToCreateTitle"
-          defaultMessage="No permissions to create rules"
+          id="xpack.triggersActionsUI.sections.rulesList.noPermissionToReadTitle"
+          defaultMessage="No permissions to read rules"
         />
       </h1>
     }

diff --git a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rule_types_query.ts b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rule_types_query.ts
@@ -64,6 +64,9 @@ export const useLoadRuleTypesQuery = (props: UseLoadRuleTypesQueryProps) => {
   const authorizedToCreateAnyRules = authorizedRuleTypes.some(
     (ruleType) => ruleType.authorizedConsumers[ALERTS_FEATURE_ID]?.all
   );
+  const authorizedToReadAnyRules =
+    authorizedToCreateAnyRules ||
+    authorizedRuleTypes.some((ruleType) => ruleType.authorizedConsumers[ALERTS_FEATURE_ID]?.read);
 
   return {
     ruleTypesState: {
@@ -73,6 +76,7 @@ export const useLoadRuleTypesQuery = (props: UseLoadRuleTypesQueryProps) => {
     },
     hasAnyAuthorizedRuleType,
     authorizedRuleTypes,
+    authorizedToReadAnyRules,
     authorizedToCreateAnyRules,
     isSuccess,
   };

diff --git a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_rules_list_ui_state.ts b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_rules_list_ui_state.ts
@@ -9,6 +9,7 @@ import { isEmpty } from 'lodash';
 import { RulesListFilters } from '../../types';
 
 interface UseUiProps {
+  authorizedToReadAnyRules: boolean;
   authorizedToCreateAnyRules: boolean;
   filters: RulesListFilters;
   hasDefaultRuleTypesFiltersOn: boolean;
@@ -37,6 +38,7 @@ const getFilterApplied = ({ hasEmptyTypesFilter, filters }: GetFilterAppliedProp
 };
 
 export const useRulesListUiState = ({
+  authorizedToReadAnyRules,
   authorizedToCreateAnyRules,
   filters,
   hasDefaultRuleTypesFiltersOn,
@@ -56,8 +58,9 @@ export const useRulesListUiState = ({
   const isInitialLoading = isInitialLoadingRuleTypes || isInitialLoadingRules;
   const isLoading = isLoadingRuleTypes || isLoadingRules;
 
-  const showNoAuthPrompt = !isInitialLoadingRuleTypes && !authorizedToCreateAnyRules;
-  const showCreateFirstRulePrompt = !isLoading && !hasData && !isFilterApplied;
+  const showNoAuthPrompt = !isInitialLoadingRuleTypes && !authorizedToReadAnyRules;
+  const showCreateFirstRulePrompt =
+    !isLoading && !hasData && !isFilterApplied && authorizedToCreateAnyRules;
   const showSpinner =
     isInitialLoading && (isLoadingRuleTypes || (!showNoAuthPrompt && isLoadingRules));
   const showRulesList = !showSpinner && !showCreateFirstRulePrompt && !showNoAuthPrompt;

diff --git a/...s_actions_ui/public/application/sections/rule_details/components/rule_definition.test.tsx b/...s_actions_ui/public/application/sections/rule_details/components/rule_definition.test.tsx
@@ -23,6 +23,7 @@ jest.mock('./rule_actions', () => ({
 jest.mock('../../../lib/capabilities', () => ({
   hasAllPrivilege: jest.fn(() => true),
   hasSaveRulesCapability: jest.fn(() => true),
+  hasShowActionsCapability: jest.fn(() => true),
   hasExecuteActionsCapability: jest.fn(() => true),
   hasManageApiKeysCapability: jest.fn(() => true),
 }));

diff --git a/...iggers_actions_ui/public/application/sections/rule_details/components/rule_definition.tsx b/...iggers_actions_ui/public/application/sections/rule_details/components/rule_definition.tsx
@@ -21,7 +21,11 @@ import { formatDuration } from '@kbn/alerting-plugin/common';
 import { RuleDefinitionProps } from '../../../../types';
 import { RuleType, useLoadRuleTypes } from '../../../..';
 import { useKibana } from '../../../../common/lib/kibana';
-import { hasAllPrivilege, hasExecuteActionsCapability } from '../../../lib/capabilities';
+import {
+  hasAllPrivilege,
+  hasExecuteActionsCapability,
+  hasShowActionsCapability,
+} from '../../../lib/capabilities';
 import { RuleActions } from './rule_actions';
 import { RuleEdit } from '../../rule_form';
 
@@ -60,6 +64,7 @@ export const RuleDefinition: React.FunctionComponent<RuleDefinitionProps> = ({
       values: { numberOfConditions },
     });
   };
+  const canReadActions = hasShowActionsCapability(capabilities);
   const canExecuteActions = hasExecuteActionsCapability(capabilities);
   const canSaveRule =
     rule &&
@@ -209,11 +214,21 @@ export const RuleDefinition: React.FunctionComponent<RuleDefinitionProps> = ({
                 })}
               </ItemTitleRuleSummary>
               <EuiFlexItem grow={3}>
-                <RuleActions
-                  ruleActions={rule.actions}
-                  actionTypeRegistry={actionTypeRegistry}
-                  legacyNotifyWhen={rule.notifyWhen}
-                />
+                {canReadActions ? (
+                  <RuleActions
+                    ruleActions={rule.actions}
+                    actionTypeRegistry={actionTypeRegistry}
+                    legacyNotifyWhen={rule.notifyWhen}
+                  />
+                ) : (
+                  <EuiFlexItem>
+                    <EuiText size="s">
+                      {i18n.translate('xpack.triggersActionsUI.ruleDetails.cannotReadActions', {
+                        defaultMessage: 'Connector feature privileges are required to view actions',
+                      })}
+                    </EuiText>
+                  </EuiFlexItem>
+                )}
               </EuiFlexItem>
             </EuiFlexGroup>
           </EuiFlexItem>

diff --git a/...gins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.tsx b/...gins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.tsx
@@ -243,6 +243,7 @@ export const RulesList = ({
     ruleTypesState,
     hasAnyAuthorizedRuleType,
     authorizedRuleTypes,
+    authorizedToReadAnyRules,
     authorizedToCreateAnyRules,
     isSuccess: isLoadRuleTypesSuccess,
   } = useLoadRuleTypesQuery({ filteredRuleTypes });
@@ -285,6 +286,7 @@ export const RulesList = ({
     });
 
   const { showSpinner, showRulesList, showNoAuthPrompt, showCreateFirstRulePrompt } = useUiState({
+    authorizedToReadAnyRules,
     authorizedToCreateAnyRules,
     filters,
     hasDefaultRuleTypesFiltersOn,

diff --git a/x-pack/test/observability_functional/apps/observability/pages/rules_page.ts b/x-pack/test/observability_functional/apps/observability/pages/rules_page.ts
@@ -297,20 +297,56 @@ export default ({ getService, getPageObjects }: FtrProviderContext) => {
           'Create rule button',
           async () => await testSubjects.exists('createRuleButton')
         );
+        await retry.waitFor(
+          'Create rule button is enabled',
+          async () => await testSubjects.isEnabled('createRuleButton')
+        );
       });
 
       it(`shows the no permission prompt when the user has no permissions`, async () => {
+        // We kept this test to make sure that the stack management rule page
+        // is showing the right prompt corresponding to the right privileges.
+        // Knowing that o11y alert page won't come up if you do not have any
+        // kind of privileges to o11y
+        await observability.users.setTestUserRole({
+          elasticsearch: {
+            cluster: [],
+            indices: [],
+            run_as: [],
+          },
+          kibana: [
+            {
+              base: [],
+              feature: {
+                discover: ['read'],
+              },
+              spaces: ['*'],
+            },
+          ],
+        });
+        await observability.alerts.common.navigateToRulesPage();
+        await retry.waitFor(
+          'No permissions prompt',
+          async () => await testSubjects.exists('noPermissionPrompt')
+        );
+        await observability.users.restoreDefaultTestUserRole();
+      });
+
+      it(`shows the rules list in read-only mode when the user only has read permissions`, async () => {
         await observability.users.setTestUserRole(
           observability.users.defineBasicObservabilityRole({
             logs: ['read'],
           })
         );
         await observability.alerts.common.navigateToRulesPage();
         await retry.waitFor(
-          'No permissions prompt',
-          async () => await testSubjects.exists('noPermissionPrompt')
+          'Read-only rules list is visible',
+          async () => await testSubjects.exists('rulesList')
+        );
+        await retry.waitFor(
+          'Create rule button is disabled',
+          async () => !(await testSubjects.isEnabled('createRuleButton'))
         );
-
         await observability.users.restoreDefaultTestUserRole();
       });
     });