From a3f6882e34b7ec640154be3aa17b25bf47fc8826 Mon Sep 17 00:00:00 2001
From: Mark Hopkin
Date: Thu, 10 Oct 2024 10:34:22 +0100
Subject: [PATCH] Give the kibana system user permission to read security entities (#114363)

* Give the kibana system user .entities read permissions

* Update docs/changelog/114363.yaml

---------

Co-authored-by: Elastic Machine
(cherry picked from commit cbd3613dbf6b1a3731090117f736cb1cec5e1967)

# Conflicts:
# x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
---
 docs/changelog/114363.yaml | 5 +++++
 .../authz/store/KibanaOwnedReservedRoleDescriptors.java | 2 ++
 2 files changed, 7 insertions(+)
 create mode 100644 docs/changelog/114363.yaml

diff --git a/docs/changelog/114363.yaml b/docs/changelog/114363.yaml
new file mode 100644
index 0000000000000..51ca9ed34a7ca
--- /dev/null
+++ b/docs/changelog/114363.yaml
@@ -0,0 +1,5 @@
+pr: 114363
+summary: Give the kibana system user permission to read security entities
+area: Infra/Core
+type: enhancement
+issues: []
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index d4e5489b86c84..7b7b0adc9ee32 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -458,11 +458,13 @@ static RoleDescriptor kibanaSystem(String name) {
 TransportUpdateSettingsAction.TYPE.name()
 )
 .build(),
+ // security entity analytics indices
 RoleDescriptor.IndicesPrivileges.builder().indices("risk-score.risk-*").privileges("all").build(),
 RoleDescriptor.IndicesPrivileges.builder()
 .indices(".asset-criticality.asset-criticality-*")
 .privileges("create_index", "manage", "read")
 .build(),
+ RoleDescriptor.IndicesPrivileges.builder().indices(".entities.v1.latest.security*").privileges("read").build(),
 // For cloud_defend usageCollection
 RoleDescriptor.IndicesPrivileges.builder()
 .indices("logs-cloud_defend.*", "metrics-cloud_defend.*")
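Review bot: The new `.entities.v1.latest.security*` grant arrives without a test, and the diffstat shows only the changelog and the role descriptor changed, so nothing pins that `kibana_system` receives exactly `read` (and not write or manage) on that pattern; a reserved-roles test asserting read is allowed and write is denied on an index such as `.entities.v1.latest.security_host_example` (constructed name) would lock the scope in. The adjacent `risk-score.risk-*` entry grants `all` under the same `// security entity analytics indices` comment, so a reader could assume parity; a one-line comment on the new entry, e.g. `// entity store "latest" indices: read-only, kibana_system must not write here`, would make the narrower privilege explicit. The trailing `*` matches any index name continuing past `security`, which is presumably intended to cover every security entity type — worth confirming against the Kibana-side index naming so the pattern is no broader than needed. The enclosing `kibanaSystem(String name)` method starts and ends outside the hunk.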