[Discuss] Creating new app privileges for package install #87326

Open
juliaElastic opened this issue Jun 2, 2022 · 1 comment

Labels
:Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team

Comments

@juliaElastic
Contributor

This discussion started on the Fleet RBAC work.

@dakrone @tvernum Could you provide some input here?
To summarize the situation:

  • We're currently designing the next phases of Fleet and Integration's RBAC model and we want to plan ahead enough to ensure we don't need any breaking changes to our model which would require role migrations (which don't exist).
  • We suspect that at some point, Elasticsearch will be responsible for installing packages directly (see this doc) and want to be sure that any package install privileges we introduce now could easily be adopted by Elasticsearch in the future without requiring a breaking change or role migrations.
  • In order to facilitate this, we're considering breaking out the package install privileges into a separate set of application privileges from Kibana's application privileges. See https://github.com/elastic/obs-dc-team/issues/731#issuecomment-1094658965 for details.

Questions for you all:

  • When package installation is changed to be done by Elasticsearch, would ES be able to read application privileges for a theoretical "integrations" application?
  • Aside from "is it possible", is this even a good idea from an API / design perspective?
  • Should we just assume that once package install is in Elasticsearch, that role migrations would be available as well to solve this problem? (this would create a hard dependency between these separate projects)
  • Do you have any better ideas?

Originally posted by @joshdover in https://github.com/elastic/obs-dc-team/issues/731#issuecomment-1095039629

@gwbrown gwbrown added the :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC label Jun 13, 2022
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jun 13, 2022
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)


3 participants