[Fleet] Support granular privileges for endpoint action menu (#182617)

x-pack/plugins/security_solution/common/endpoint/service/authz/authz.test.ts

@@ -98,6 +98,27 @@ describe('Endpoint Authz service', () => {
       );
     });
 
+    it('should not give canReadFleetAgents if `fleet.readAgents` is false', () => {
+      fleetAuthz.fleet.readAgents = false;
+      expect(calculateEndpointAuthz(licenseService, fleetAuthz, userRoles).canReadFleetAgents).toBe(
+        false
+      );
+    });
+
+    it('should not give canWriteFleetAgents if `fleet.allAgents` is false', () => {
+      fleetAuthz.fleet.allAgents = false;
+      expect(
+        calculateEndpointAuthz(licenseService, fleetAuthz, userRoles).canWriteFleetAgents
+      ).toBe(false);
+    });
+
+    it('should not give canReadFleetAgentPolicies if `fleet.readAgentPolicies` is false', () => {
+      fleetAuthz.fleet.readAgentPolicies = false;
+      expect(
+        calculateEndpointAuthz(licenseService, fleetAuthz, userRoles).canReadFleetAgentPolicies
+      ).toBe(false);
+    });
+
     it('should not give canAccessEndpointManagement if not superuser', () => {
       userRoles = [];
       expect(
@@ -276,6 +297,9 @@ describe('Endpoint Authz service', () => {
         canWriteSecuritySolution: false,
         canReadSecuritySolution: false,
         canAccessFleet: false,
+        canReadFleetAgentPolicies: false,
+        canReadFleetAgents: false,
+        canWriteFleetAgents: false,
         canAccessEndpointActionsLogManagement: false,
         canAccessEndpointManagement: false,
         canCreateArtifactsByPolicy: false,

x-pack/plugins/security_solution/common/endpoint/service/authz/authz.ts

@@ -98,6 +98,9 @@ export const calculateEndpointAuthz = (
     canWriteSecuritySolution,
     canReadSecuritySolution,
     canAccessFleet: fleetAuthz?.fleet.all ?? false,
+    canReadFleetAgentPolicies: fleetAuthz?.fleet.readAgentPolicies ?? false,
+    canWriteFleetAgents: fleetAuthz?.fleet.allAgents ?? false,
+    canReadFleetAgents: fleetAuthz?.fleet.readAgents ?? false,
     canAccessEndpointManagement: hasEndpointManagementAccess, // TODO: is this one deprecated? it is the only place we need to check for superuser.
     canCreateArtifactsByPolicy: isPlatinumPlusLicense,
     canWriteEndpointList,
@@ -157,6 +160,9 @@ export const getEndpointAuthzInitialState = (): EndpointAuthz => {
     canWriteSecuritySolution: false,
     canReadSecuritySolution: false,
     canAccessFleet: false,
+    canReadFleetAgentPolicies: false,
+    canReadFleetAgents: false,
+    canWriteFleetAgents: false,
     canAccessEndpointActionsLogManagement: false,
     canAccessEndpointManagement: false,
     canCreateArtifactsByPolicy: false,

x-pack/plugins/security_solution/common/endpoint/types/authz.ts

@@ -16,6 +16,12 @@ export interface EndpointAuthz {
   canReadSecuritySolution: boolean;
   /** If the user has permissions to access Fleet */
   canAccessFleet: boolean;
+  /** If the user has permissions to access Fleet Agent policies */
+  canReadFleetAgentPolicies: boolean;
+  /** If the user has permissions to read Fleet Agents */
+  canReadFleetAgents: boolean;
+  /** If the user has permissions to write Fleet Agents */
+  canWriteFleetAgents: boolean;
   /** If the user has permissions to access Endpoint management (includes check to ensure they also have access to fleet) */
   canAccessEndpointManagement: boolean;
   /** If the user has permissions to access Actions Log management and also has a platinum license (used for endpoint details flyout) */

x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/hooks/use_endpoint_action_items.tsx

@@ -43,7 +43,9 @@ export const useEndpointActionItems = (
     canIsolateHost,
     canUnIsolateHost,
     canAccessEndpointActionsLogManagement,
-    canAccessFleet,
+    canReadFleetAgentPolicies,
+    canWriteFleetAgents,
+    canReadFleetAgents,
   } = useUserPrivileges().endpointPrivileges;
 
   return useMemo<ContextMenuItemNavByRouterProps[]>(() => {
@@ -177,7 +179,7 @@ export const useEndpointActionItems = (
           />
         ),
       },
-      ...(canAccessFleet
+      ...(canReadFleetAgentPolicies
         ? [
             {
               icon: 'gear',
@@ -204,6 +206,10 @@ export const useEndpointActionItems = (
                 />
               ),
             },
+          ]
+        : []),
+      ...(canReadFleetAgents
+        ? [
             {
               icon: 'gear',
               key: 'agentDetailsLink',
@@ -228,6 +234,10 @@ export const useEndpointActionItems = (
                 />
               ),
             },
+          ]
+        : []),
+      ...(canWriteFleetAgents
+        ? [
             {
               icon: 'gear',
               key: 'agentPolicyReassignLink',
@@ -272,6 +282,8 @@ export const useEndpointActionItems = (
     options?.isEndpointList,
     canIsolateHost,
     canUnIsolateHost,
-    canAccessFleet,
+    canReadFleetAgentPolicies,
+    canReadFleetAgents,
+    canWriteFleetAgents,
   ]);
 };

x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/index.test.tsx

@@ -1455,12 +1455,15 @@ describe('when on the endpoint list page', () => {
       const hostLink = await renderResult.findByTestId('hostLink');
       expect(hostLink).not.toBeNull();
     });
-    it('shows Agent Policy, View Agent Details and Reassign Policy Links when canAccessFleet RBAC control is enabled', async () => {
+    it('shows Agent Policy, View Agent Details and Reassign Policy Links when canReadFleetAgents,canWriteFleetAgents,canReadFleetAgentPolicies RBAC control is enabled', async () => {
       mockUserPrivileges.mockReturnValue({
         ...mockInitialUserPrivilegesState(),
         endpointPrivileges: {
           ...mockInitialUserPrivilegesState().endpointPrivileges,
           canAccessFleet: true,
+          canReadFleetAgents: true,
+          canWriteFleetAgents: true,
+          canReadFleetAgentPolicies: true,
         },
       });
       await renderAndClickActionsButton();