[Security][RBAC][9.4 & Serverless] Rule Exceptions subfeature privilege

solutions/security/detect-and-alert/add-manage-exceptions.md

@@ -33,7 +33,39 @@
 
 ::::
 
+## Requirements [exceptions-requirements]
 
+To use exceptions ensure your role has the appropriate access. To learn how to access other detection features, refer to [](/solutions/security/detect-and-alert/detections-requirements.md).
+
+### Exceptions requirements
+
+::::{applies-switch}
+
+:::{applies-item} { "stack": "ga 9.0" }
+
+**Manage access**: To create and manage exceptions for individual and multiple rules, your role needs `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Security** feature. 
+
+:::
+
+:::{applies-item} { "stack": "ga 9.3" }
+
+- **View only access**: To view exceptions for individual and multiple rules, your role needs at least `Read` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature.
+- **Manage access**: To create and manage exceptions for individual and multiple rules, your role needs `All` {{kib}} privileges for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature.
+
+:::
+
+:::{applies-item} { "stack": "ga 9.4", "serverless": "ga" }
+
+- **View only access**: To view exceptions for individual and multiple rules, your role needs at least `Read` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature and `Read` for the **Security > Rules > Exceptions** subfeature.
+- **Manage access**: To create and manage exceptions for individual and multiple rules, your role needsat least `Read` {{kib}} privileges for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature and `All` for the **Security > Rules > Exceptions** subfeature.
+:::
+
+::::
+
+### {{elastic-endpoint}} exceptions requirements 
+
+- **View only access**: To view {{elastic-endpoint}} exceptions, your role needs at least `Read` {{kib}} privileges for the **Security > Security > Endpoint Exceptions** subfeature. 
+- **Manage access**: To create and manage {{elastic-endpoint}} exceptions, your role needs `All` {{kib}} privileges for the **Security > Security > Endpoint Exceptions** subfeature. 
 
 ## Add exceptions to a rule [detection-rule-exceptions]
 

solutions/security/detect-and-alert/detections-requirements.md

@@ -65,7 +65,7 @@ For instructions about using {{ml}} jobs and rules, refer to [Machine learning j
 | Preview rules | N/A | `read` for these indices:<br><br>- `.preview.alerts-security.alerts-<space-id>`<br>- `.internal.preview.alerts-security.alerts-<space-id>-*`<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature |
 | Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature<br><br>**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:<br><br>- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.<br>- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions,  you don’t need `Actions and Connectors` privileges.<br> |
 | Manage alerts<br><br>**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.internal.alerts-security.alerts-<space-id>-*`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br> **NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature <br><br>**NOTE:** Alerts are managed through {{es}} index privileges. To view the alert management flows requires at least the `Read` for the `Rules` feature. |
-| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature |
+| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3`: `All` for the `Rules` feature <br><br> - {applies_to}`stack: ga 9.4` {applies_to}`serverless: ga`: `Read` for the `Rules, Alerts, and Exceptions ` feature and `All` for the `Exceptions` subfeature |
 | Manage value lists.<br><br>Create the `.lists` and `.items` data streams in your space<br><br>**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:<br><br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br> | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature<br><br> - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` and `Saved Objects Management` features |
 
 ### Predefined {{serverless-full}} roles [predefined-serverless-roles-detections]