[Cyera] Cannot execute ILM policy delete step

[muskan-agarwal26]

Kibana/Elasticsearch Stack version: 8.18.5

Describe the bug:

The kibana_system role lacks the necessary permissions to delete system indices related to logs-cyera.classification and logs-cyera.issue, logs-cyera.datastore as defined in the ILM policy located here.

Steps to reproduce:

• Checkout the muskan-agarwal26:cyera_classification_datastream-0.1.0, muskan-agarwal26:cyera_issue_datastream-0.1.0 and muskan-agarwal26:cyera_datastore_datastream-0.1.0 branch for Cyera package and create a zip of the respective package.
• Upload the package zip to a hosted deployment.
• Add the integration.
• Monitor the hidden index under Stack Management > Index Management and wait for the ILM policy’s delete phase to trigger.

Current behavior:

• It shows permission issue in deleting the index

{
  "failed_step": "delete",
  "step_info": {
    "type": "security_exception",
    "reason": "action [indices:admin/delete] is unauthorized for user [found-internal-kibana4-server] with effective roles [found-internal-kibana4-server,kibana_system] on indices [.ds-logs-cyera.classification-default-2025.09.05-000001], this action is granted by the index privileges [delete_index,manage,all]"
  }
}

{
  "failed_step": "delete",
  "step_info": {
    "type": "security_exception",
    "reason": "action [indices:admin/delete] is unauthorized for user [found-internal-kibana4-server] with effective roles [found-internal-kibana4-server,kibana_system] on indices [.ds-logs-cyera.issue-default-2025.09.05-000001], this action is granted by the index privileges [delete_index,manage,all]"
  }
}

{
  "failed_step": "delete",
  "step_info": {
    "type": "security_exception",
    "reason": "action [indices:admin/delete] is unauthorized for user [found-internal-kibana4-server] with effective roles [found-internal-kibana4-server,kibana_system] on indices [.ds-logs-cyera.datastore-default-2025.09.05-000001], this action is granted by the index privileges [delete_index,manage,all]"
  }
}

Expected behavior:

• Index must be delete after the time duration mentioned in the ILM policy

[elasticsearchmachine]

Pinging @elastic/es-data-management (Team:Data Management)

[PeteGillinElastic]

See also #235999, which is an identical issue from a different user with a different project for repo. (The wording of the issues is otherwise identical, so I'm guessing there's a connection.)

[PeteGillinElastic]

And another: #235996.

[nielsbauman]

These ILM policies are not owned by Elasticsearch itself, but rather by the Fleet integrations team. Therefore, I'm transferring this over to the Kibana repo.