
@SiddharthMantri
Contributor

Closes #237817

Summary

Summarize your PR. If it involves visual changes include a screenshot or gif.

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

  • Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
  • Documentation was added for features that require explanation or tutorials
  • Unit or functional tests were updated or added to match the most common scenarios
  • If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
  • This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
  • Flaky Test Runner was used on any tests changed
  • The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
  • Review the backport guidelines and apply applicable backport:* labels.

Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

@SiddharthMantri
Contributor Author

@elasticmachine merge upstream

@SiddharthMantri marked this pull request as ready for review January 8, 2026 12:27
@SiddharthMantri requested a review from a team as a code owner January 8, 2026 12:27
@SiddharthMantri added the Team:Security (Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc), backport:version (Backport to applied version labels) and v9.3.0 labels Jan 8, 2026
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@elasticmachine
Contributor

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #52 / Endpoint plugin @ess @serverless @skipInServerlessMKI Endpoint artifacts (via lists plugin): Trusted Applications "before all" hook in "@ess @serverless @skipInServerlessMKI Endpoint artifacts (via lists plugin): Trusted Applications"

Metrics [docs]

✅ unchanged

Contributor

@jeramysoucy jeramysoucy left a comment

LGTM, just one consideration for enforceAccessControl which can deny based on RBAC.

Comment on lines +127 to +129
new Error(
`Access denied: Unable to manage access control for ${typeList}. The "manage_access_control" privilege is required to change access control of objects owned by another user.`
)
Contributor

What if they are denied access because they now lack RBAC privs?

Comment on lines +168 to +170
new Error(
`Access denied: Unable to manage access control for ${typeList}. The "manage_access_control" privilege is required to change access control of objects owned by another user.`
)
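
Review bot: The message string at lines +168 to +170 is identical to the one at lines +127 to +129, so any rewording has to be made in both places and the two copies can drift apart. Consider building the text once in a shared helper that takes typeList and constructing both errors from it. That helper would also be the natural place to vary the wording by denial reason, since the message as written names only the "manage_access_control" privilege as the cause.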
Contributor

Same as above, what if they are denied access because they now lack RBAC privs?

@jeramysoucy
Contributor

@SiddharthMantri Could you update the PR description?


Development

Successfully merging this pull request may close these issues.

[Write restricted dashboards] Clear error messages for Access Control errors

3 participants