From 01b5cf0a88a0ddd905a8802326b521916c85c452 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 26 Mar 2018 10:40:36 -0400
Subject: [PATCH 001/183] partial implementation for OLS Phase 1

---
 .../client/lib/client_provider.js             | 41 ++++++++++++++
 src/server/saved_objects/client/lib/index.js  |  2 +
 .../client/lib/interceptor_registry.js        | 37 +++++++++++++
 .../client/saved_objects_client.js            | 53 +++++++++++++++++--
 .../saved_objects/saved_objects_mixin.js      |  9 ++--
 5 files changed, 133 insertions(+), 9 deletions(-)
 create mode 100644 src/server/saved_objects/client/lib/client_provider.js
 create mode 100644 src/server/saved_objects/client/lib/interceptor_registry.js

diff --git a/src/server/saved_objects/client/lib/client_provider.js b/src/server/saved_objects/client/lib/client_provider.js
new file mode 100644
index 00000000000000..2f26731b91b9c3
--- /dev/null
+++ b/src/server/saved_objects/client/lib/client_provider.js
@@ -0,0 +1,41 @@
+
+/**
+ * The default Saved Object Client provider.
+ * A custom implementation may be substituted by calling `SavedObjectClientProvider.setClientProvider`
+ *
+ * @param {*} server
+ * @param {*} request
+ */
+const DEFAULT_PROVIDER = function savedObjectsClientProvider(server, request) {
+
+  const cluster = server.plugins.elasticsearch.getCluster('admin');
+
+  const callCluster = (...args) => cluster.callWithRequest(request, ...args);
+
+  return server.savedObjectsClientFactory({ callCluster, request });
+};
+
+let activeProvider = DEFAULT_PROVIDER;
+
+/**
+ * Provider for the Saved Object Client.
+ */
+class ClientProvider {
+  constructor() {
+    this._activeProvider = DEFAULT_PROVIDER;
+  }
+
+  setClientProvider(provider) {
+    if (activeProvider !== DEFAULT_PROVIDER) {
+      throw new Error(`A Saved Objects Client Provider has already been registered. Registering multiple providers is not supported.`);
+    }
+
+    activeProvider = provider;
+  }
+
+  getClientProvider() {
+    return activeProvider;
+  }
+}
+
+export const SavedObjectClientProvider = new ClientProvider();
diff --git a/src/server/saved_objects/client/lib/index.js b/src/server/saved_objects/client/lib/index.js
index 3e90b4820f9c75..724046af2713a1 100644
--- a/src/server/saved_objects/client/lib/index.js
+++ b/src/server/saved_objects/client/lib/index.js
@@ -2,6 +2,8 @@ export { getSearchDsl } from './search_dsl';
 export { trimIdPrefix } from './trim_id_prefix';
 export { includedFields } from './included_fields';
 export { decorateEsError } from './decorate_es_error';
+export { SavedObjectClientProvider } from './client_provider';
+export { SavedObjectClientInterceptorRegistry } from './interceptor_registry';
 
 import * as errors from './errors';
 export { errors };
diff --git a/src/server/saved_objects/client/lib/interceptor_registry.js b/src/server/saved_objects/client/lib/interceptor_registry.js
new file mode 100644
index 00000000000000..ac6205eb9d1adf
--- /dev/null
+++ b/src/server/saved_objects/client/lib/interceptor_registry.js
@@ -0,0 +1,37 @@
+/**
+ * Registry for Saved Objects Client Request Interceptors.
+ *
+ * Interceptors will be invoked by the Saved Object Client prior to calling the ElasticSearch cluster,
+ * which allows interceptors to modify or interrupt the process.
+ */
+class SavedObjectClientRequestInterceptorRegistry {
+  constructor() {
+    this._interceptorFactories = [];
+  }
+
+  registerInterceptorFactory(interceptorFactory) {
+    if (typeof interceptorFactory !== 'function') {
+      throw new Error(`Invalid interceptor factory - must be a function`);
+    }
+
+    this._interceptorFactories.push(interceptorFactory);
+  }
+
+  createInterceptorsForRequest(request) {
+    const interceptors =  this._interceptorFactories.map(factory => factory(request));
+
+    const anyInvalid = interceptors.some(
+      interceptor => typeof interceptor.method !== 'string' || typeof interceptor.intercept !== 'function'
+    );
+
+    if (anyInvalid) {
+      throw new Error(
+        `One or more interceptors are invalid: each interceptor must include a 'method' property, and an 'intercept' function`
+      );
+    }
+
+    return interceptors;
+  }
+}
+
+export const SavedObjectClientInterceptorRegistry = new SavedObjectClientRequestInterceptorRegistry();
diff --git a/src/server/saved_objects/client/saved_objects_client.js b/src/server/saved_objects/client/saved_objects_client.js
index 79dc55540e039d..b6049dcebd0a53 100644
--- a/src/server/saved_objects/client/saved_objects_client.js
+++ b/src/server/saved_objects/client/saved_objects_client.js
@@ -17,12 +17,14 @@ export class SavedObjectsClient {
       mappings,
       callCluster,
       onBeforeWrite = () => {},
+      interceptors = []
     } = options;
 
     this._index = index;
     this._mappings = mappings;
     this._type = getRootType(this._mappings);
     this._onBeforeWrite = onBeforeWrite;
+    this._interceptors = interceptors;
     this._unwrappedCallCluster = callCluster;
   }
 
@@ -114,6 +116,8 @@ export class SavedObjectsClient {
     const time = this._getCurrentTime();
 
     try {
+      await this._invokeRequestInterceptors(method, type, attributes, options);
+
       const response = await this._writeToCluster(method, {
         id: this._generateEsId(type, id),
         type: this._type,
@@ -156,9 +160,12 @@ export class SavedObjectsClient {
       overwrite = false
     } = options;
     const time = this._getCurrentTime();
-    const objectToBulkRequest = (object) => {
+
+    const objectToBulkRequest = async (object) => {
       const method = object.id && !overwrite ? 'create' : 'index';
 
+      await this._invokeRequestInterceptors(method, object.type, object.attributes, options);
+
       return [
         {
           [method]: {
@@ -174,13 +181,18 @@ export class SavedObjectsClient {
       ];
     };
 
+    const bulkRequestBody = await objects.reduce(async (acc, object) => {
+      const collection = await acc;
+
+      const objectRequestBody = await objectToBulkRequest(object);
+
+      return [...collection, ...objectRequestBody];
+    }, Promise.resolve([]));
+
     const { items } = await this._writeToCluster('bulk', {
       index: this._index,
       refresh: 'wait_for',
-      body: objects.reduce((acc, object) => ([
-        ...acc,
-        ...objectToBulkRequest(object)
-      ]), []),
+      body: bulkRequestBody
     });
 
     return items.map((response, i) => {
@@ -224,6 +236,8 @@ export class SavedObjectsClient {
    * @returns {promise}
    */
   async delete(type, id) {
+    await this._invokeRequestInterceptors('delete', type, id);
+
     const response = await this._writeToCluster('delete', {
       id: this._generateEsId(type, id),
       type: this._type,
@@ -282,6 +296,10 @@ export class SavedObjectsClient {
       throw new TypeError('options.searchFields must be an array');
     }
 
+    const method = 'search';
+
+    await this._invokeRequestInterceptors(method, type);
+
     const esOptions = {
       index: this._index,
       size: perPage,
@@ -347,6 +365,10 @@ export class SavedObjectsClient {
       return { saved_objects: [] };
     }
 
+    const method = 'mget';
+
+    await this._invokeRequestInterceptors(method, null);
+
     const response = await this._callCluster('mget', {
       index: this._index,
       body: {
@@ -389,6 +411,10 @@ export class SavedObjectsClient {
    * @returns {promise} - { id, type, version, attributes }
    */
   async get(type, id) {
+    const method = 'get';
+
+    await this._invokeRequestInterceptors(method, type, id);
+
     const response = await this._callCluster('get', {
       id: this._generateEsId(type, id),
       type: this._type,
@@ -424,6 +450,8 @@ export class SavedObjectsClient {
    * @returns {promise}
    */
   async update(type, id, attributes, options = {}) {
+    await this._invokeRequestInterceptors('update', type, attributes, options);
+
     const time = this._getCurrentTime();
     const response = await this._writeToCluster('update', {
       id: this._generateEsId(type, id),
@@ -478,4 +506,19 @@ export class SavedObjectsClient {
   _getCurrentTime() {
     return new Date().toISOString();
   }
+
+  _collectRequestInterceptors(method) {
+    return this._interceptors.filter(interceptor => interceptor.method === method || interceptor.method === 'all');
+  }
+
+  async _invokeRequestInterceptors(method, type, ...args) {
+    const interceptors = this._collectRequestInterceptors(method);
+
+    for (const interceptor of interceptors) {
+      if (typeof interceptor.intercept !== 'function') {
+        throw new Error(`Request interceptor missing 'intercept' function`);
+      }
+      await interceptor.intercept(this, method, type, ...args);
+    }
+  }
 }
diff --git a/src/server/saved_objects/saved_objects_mixin.js b/src/server/saved_objects/saved_objects_mixin.js
index 9a8ceb97704ee1..826f87c511f01f 100644
--- a/src/server/saved_objects/saved_objects_mixin.js
+++ b/src/server/saved_objects/saved_objects_mixin.js
@@ -1,4 +1,5 @@
 import { SavedObjectsClient } from './client';
+import { SavedObjectClientInterceptorRegistry, SavedObjectClientProvider } from './client/lib';
 
 import {
   createBulkGetRoute,
@@ -62,12 +63,13 @@ export function savedObjectsMixin(kbnServer, server) {
     }
   }
 
-  server.decorate('server', 'savedObjectsClientFactory', ({ callCluster }) => {
+  server.decorate('server', 'savedObjectsClientFactory', ({ callCluster, request }) => {
     return new SavedObjectsClient({
       index: server.config().get('kibana.index'),
       mappings: server.getKibanaIndexMappingsDsl(),
       callCluster,
       onBeforeWrite,
+      interceptors: request ? SavedObjectClientInterceptorRegistry.createInterceptorsForRequest(request) : []
     });
   });
 
@@ -79,9 +81,8 @@ export function savedObjectsMixin(kbnServer, server) {
       return savedObjectsClientCache.get(request);
     }
 
-    const { callWithRequest } = server.plugins.elasticsearch.getCluster('admin');
-    const callCluster = (...args) => callWithRequest(request, ...args);
-    const savedObjectsClient = server.savedObjectsClientFactory({ callCluster });
+    const clientProvider = SavedObjectClientProvider.getClientProvider();
+    const savedObjectsClient = clientProvider(server, request);
 
     savedObjectsClientCache.set(request, savedObjectsClient);
     return savedObjectsClient;

From 7cee640d3b2191ccac507a11e1e30770832745e6 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Tue, 17 Apr 2018 08:19:47 -0400
Subject: [PATCH 002/183] Allow Saved Objects Client to be wrapped

---
 .../client/lib/client_provider.js             | 56 +++++++++++-------
 src/server/saved_objects/client/lib/index.js  |  3 +-
 .../client/lib/interceptor_registry.js        | 37 ------------
 .../client/lib/prioritized_collection.js      | 40 +++++++++++++
 .../client/lib/prioritized_collection.test.js | 57 +++++++++++++++++++
 .../client/saved_objects_client.js            | 34 -----------
 .../saved_objects/saved_objects_mixin.js      | 17 +++---
 7 files changed, 142 insertions(+), 102 deletions(-)
 delete mode 100644 src/server/saved_objects/client/lib/interceptor_registry.js
 create mode 100644 src/server/saved_objects/client/lib/prioritized_collection.js
 create mode 100644 src/server/saved_objects/client/lib/prioritized_collection.test.js

diff --git a/src/server/saved_objects/client/lib/client_provider.js b/src/server/saved_objects/client/lib/client_provider.js
index 2f26731b91b9c3..e561274b963a12 100644
--- a/src/server/saved_objects/client/lib/client_provider.js
+++ b/src/server/saved_objects/client/lib/client_provider.js
@@ -1,41 +1,55 @@
+import { SavedObjectsClient } from '../saved_objects_client';
+import { PrioritizedCollection } from './prioritized_collection';
 
 /**
- * The default Saved Object Client provider.
- * A custom implementation may be substituted by calling `SavedObjectClientProvider.setClientProvider`
+ * The base Saved Objects Client.
  *
  * @param {*} server
  * @param {*} request
  */
-const DEFAULT_PROVIDER = function savedObjectsClientProvider(server, request) {
-
-  const cluster = server.plugins.elasticsearch.getCluster('admin');
-
-  const callCluster = (...args) => cluster.callWithRequest(request, ...args);
-
-  return server.savedObjectsClientFactory({ callCluster, request });
-};
-
-let activeProvider = DEFAULT_PROVIDER;
+function createBaseSavedObjectsClient(options) {
+
+  const {
+    server,
+    mappings,
+    callCluster,
+    onBeforeWrite,
+  } = options;
+
+  return new SavedObjectsClient({
+    index: server.config().get('kibana.index'),
+    mappings,
+    callCluster,
+    onBeforeWrite
+  });
+}
 
 /**
  * Provider for the Saved Object Client.
  */
 class ClientProvider {
   constructor() {
-    this._activeProvider = DEFAULT_PROVIDER;
+    this._optionBuilders = new PrioritizedCollection('optionBuilders');
+    this._wrappers = new PrioritizedCollection('savedObjectClientWrappers');
   }
 
-  setClientProvider(provider) {
-    if (activeProvider !== DEFAULT_PROVIDER) {
-      throw new Error(`A Saved Objects Client Provider has already been registered. Registering multiple providers is not supported.`);
-    }
+  addClientOptionBuilder(builder, priority) {
+    this._optionBuilders.add(builder, priority);
+  }
 
-    activeProvider = provider;
+  addClientWrapper(wrapper, priority) {
+    this._wrappers.add(wrapper, priority);
   }
 
-  getClientProvider() {
-    return activeProvider;
+  createWrappedSavedObjectsClient(options) {
+    const orderedBuilders = this._optionBuilders.toArray();
+    const clientOptions = orderedBuilders.reduce((acc, builder) => builder(acc), options);
+
+    const baseClient = createBaseSavedObjectsClient(clientOptions);
+
+    const orderedWrappers = this._wrappers.toArray();
+    return orderedWrappers.reduce((client, wrapper) => wrapper(client, clientOptions), baseClient);
   }
 }
 
-export const SavedObjectClientProvider = new ClientProvider();
+export const SavedObjectsClientProvider = new ClientProvider();
diff --git a/src/server/saved_objects/client/lib/index.js b/src/server/saved_objects/client/lib/index.js
index 724046af2713a1..ac10009b591180 100644
--- a/src/server/saved_objects/client/lib/index.js
+++ b/src/server/saved_objects/client/lib/index.js
@@ -2,8 +2,7 @@ export { getSearchDsl } from './search_dsl';
 export { trimIdPrefix } from './trim_id_prefix';
 export { includedFields } from './included_fields';
 export { decorateEsError } from './decorate_es_error';
-export { SavedObjectClientProvider } from './client_provider';
-export { SavedObjectClientInterceptorRegistry } from './interceptor_registry';
+export { SavedObjectsClientProvider } from './client_provider';
 
 import * as errors from './errors';
 export { errors };
diff --git a/src/server/saved_objects/client/lib/interceptor_registry.js b/src/server/saved_objects/client/lib/interceptor_registry.js
deleted file mode 100644
index ac6205eb9d1adf..00000000000000
--- a/src/server/saved_objects/client/lib/interceptor_registry.js
+++ /dev/null
@@ -1,37 +0,0 @@
-/**
- * Registry for Saved Objects Client Request Interceptors.
- *
- * Interceptors will be invoked by the Saved Object Client prior to calling the ElasticSearch cluster,
- * which allows interceptors to modify or interrupt the process.
- */
-class SavedObjectClientRequestInterceptorRegistry {
-  constructor() {
-    this._interceptorFactories = [];
-  }
-
-  registerInterceptorFactory(interceptorFactory) {
-    if (typeof interceptorFactory !== 'function') {
-      throw new Error(`Invalid interceptor factory - must be a function`);
-    }
-
-    this._interceptorFactories.push(interceptorFactory);
-  }
-
-  createInterceptorsForRequest(request) {
-    const interceptors =  this._interceptorFactories.map(factory => factory(request));
-
-    const anyInvalid = interceptors.some(
-      interceptor => typeof interceptor.method !== 'string' || typeof interceptor.intercept !== 'function'
-    );
-
-    if (anyInvalid) {
-      throw new Error(
-        `One or more interceptors are invalid: each interceptor must include a 'method' property, and an 'intercept' function`
-      );
-    }
-
-    return interceptors;
-  }
-}
-
-export const SavedObjectClientInterceptorRegistry = new SavedObjectClientRequestInterceptorRegistry();
diff --git a/src/server/saved_objects/client/lib/prioritized_collection.js b/src/server/saved_objects/client/lib/prioritized_collection.js
new file mode 100644
index 00000000000000..e958ac678a120e
--- /dev/null
+++ b/src/server/saved_objects/client/lib/prioritized_collection.js
@@ -0,0 +1,40 @@
+/**
+ * A simple collection of entities that can be prioritized.
+ */
+export class PrioritizedCollection {
+  constructor(name) {
+    this._name = name;
+    this._entities = {};
+  }
+
+  /**
+   * Add an entity to this collection.
+   *
+   * @param {*} entity the entity to store
+   * @param {number} priority optionally specify a priority. Omit to use the next available priority.
+   */
+  add(entity, priority = this._getNextPriority()) {
+    if (this._entities.hasOwnProperty(priority)) {
+      throw new Error(`${this._name} already has an entry with priority ${priority}. Please choose a different priority.`);
+    }
+    if (typeof priority !== 'number') {
+      throw new Error(`Priority for ${this._name} must be a number.`);
+    }
+
+    this._entities[priority] = entity;
+  }
+
+  /**
+   * Returns an array of all entities, in priority order.
+   */
+  toArray() {
+    return Object
+      .keys(this._entities)
+      .sort((priority1, priority2) => priority1 - priority2)
+      .map(key => this._entities[key]);
+  }
+
+  _getNextPriority() {
+    return Math.max(0, ...Object.keys(this._entities)) + 1;
+  }
+}
diff --git a/src/server/saved_objects/client/lib/prioritized_collection.test.js b/src/server/saved_objects/client/lib/prioritized_collection.test.js
new file mode 100644
index 00000000000000..56583403f34c2b
--- /dev/null
+++ b/src/server/saved_objects/client/lib/prioritized_collection.test.js
@@ -0,0 +1,57 @@
+import { PrioritizedCollection } from './prioritized_collection';
+
+describe('PrioritizedCollection', () => {
+  it('should add a single entry with a default priority', () => {
+    const collection = new PrioritizedCollection('unit test');
+    const entity = {};
+    collection.add(entity);
+
+    const result = collection.toArray();
+    expect(result).to.equal([entity]);
+  });
+
+  it('should prioritize entities in the order in which they are added', () => {
+    const collection = new PrioritizedCollection('unit test');
+    const entity1 = {};
+    const entity2 = {};
+
+    collection.add(entity1);
+    collection.add(entity2);
+
+    const result = collection.toArray();
+    expect(result).to.equal([entity1, entity2]);
+  });
+
+  it('should honor the provided priority', () => {
+    const collection = new PrioritizedCollection('unit test');
+    const entity1 = {};
+    const entity2 = {};
+
+    collection.add(entity1, 10);
+    collection.add(entity2, 1);
+
+    const result = collection.toArray();
+    expect(result).to.equal([entity2, entity1]);
+  });
+
+  it('should throw an error when a duplicate priority is specified', () => {
+    const collection = new PrioritizedCollection('unit test');
+    const entity1 = {};
+    const entity2 = {};
+
+    collection.add(entity1, 10);
+
+    expect(() => {
+      collection.add(entity2, 10);
+    }).to.throwError(`unit test already has an entry with priority 10. Please choose a different priority.`);
+  });
+
+  it('should throw an error when an invalid priority is specified', () => {
+    const collection = new PrioritizedCollection('unit test');
+    const entity1 = {};
+
+    expect(() => {
+      collection.add(entity1, 'not a number');
+    }).to.throwError(`Priority for unit test must be a number.`);
+  });
+});
diff --git a/src/server/saved_objects/client/saved_objects_client.js b/src/server/saved_objects/client/saved_objects_client.js
index b6049dcebd0a53..092dd0e4b45b26 100644
--- a/src/server/saved_objects/client/saved_objects_client.js
+++ b/src/server/saved_objects/client/saved_objects_client.js
@@ -17,14 +17,12 @@ export class SavedObjectsClient {
       mappings,
       callCluster,
       onBeforeWrite = () => {},
-      interceptors = []
     } = options;
 
     this._index = index;
     this._mappings = mappings;
     this._type = getRootType(this._mappings);
     this._onBeforeWrite = onBeforeWrite;
-    this._interceptors = interceptors;
     this._unwrappedCallCluster = callCluster;
   }
 
@@ -116,8 +114,6 @@ export class SavedObjectsClient {
     const time = this._getCurrentTime();
 
     try {
-      await this._invokeRequestInterceptors(method, type, attributes, options);
-
       const response = await this._writeToCluster(method, {
         id: this._generateEsId(type, id),
         type: this._type,
@@ -164,8 +160,6 @@ export class SavedObjectsClient {
     const objectToBulkRequest = async (object) => {
       const method = object.id && !overwrite ? 'create' : 'index';
 
-      await this._invokeRequestInterceptors(method, object.type, object.attributes, options);
-
       return [
         {
           [method]: {
@@ -236,7 +230,6 @@ export class SavedObjectsClient {
    * @returns {promise}
    */
   async delete(type, id) {
-    await this._invokeRequestInterceptors('delete', type, id);
 
     const response = await this._writeToCluster('delete', {
       id: this._generateEsId(type, id),
@@ -296,10 +289,6 @@ export class SavedObjectsClient {
       throw new TypeError('options.searchFields must be an array');
     }
 
-    const method = 'search';
-
-    await this._invokeRequestInterceptors(method, type);
-
     const esOptions = {
       index: this._index,
       size: perPage,
@@ -365,10 +354,6 @@ export class SavedObjectsClient {
       return { saved_objects: [] };
     }
 
-    const method = 'mget';
-
-    await this._invokeRequestInterceptors(method, null);
-
     const response = await this._callCluster('mget', {
       index: this._index,
       body: {
@@ -411,9 +396,6 @@ export class SavedObjectsClient {
    * @returns {promise} - { id, type, version, attributes }
    */
   async get(type, id) {
-    const method = 'get';
-
-    await this._invokeRequestInterceptors(method, type, id);
 
     const response = await this._callCluster('get', {
       id: this._generateEsId(type, id),
@@ -450,7 +432,6 @@ export class SavedObjectsClient {
    * @returns {promise}
    */
   async update(type, id, attributes, options = {}) {
-    await this._invokeRequestInterceptors('update', type, attributes, options);
 
     const time = this._getCurrentTime();
     const response = await this._writeToCluster('update', {
@@ -506,19 +487,4 @@ export class SavedObjectsClient {
   _getCurrentTime() {
     return new Date().toISOString();
   }
-
-  _collectRequestInterceptors(method) {
-    return this._interceptors.filter(interceptor => interceptor.method === method || interceptor.method === 'all');
-  }
-
-  async _invokeRequestInterceptors(method, type, ...args) {
-    const interceptors = this._collectRequestInterceptors(method);
-
-    for (const interceptor of interceptors) {
-      if (typeof interceptor.intercept !== 'function') {
-        throw new Error(`Request interceptor missing 'intercept' function`);
-      }
-      await interceptor.intercept(this, method, type, ...args);
-    }
-  }
 }
diff --git a/src/server/saved_objects/saved_objects_mixin.js b/src/server/saved_objects/saved_objects_mixin.js
index 826f87c511f01f..4169dedc77aaba 100644
--- a/src/server/saved_objects/saved_objects_mixin.js
+++ b/src/server/saved_objects/saved_objects_mixin.js
@@ -1,5 +1,4 @@
-import { SavedObjectsClient } from './client';
-import { SavedObjectClientInterceptorRegistry, SavedObjectClientProvider } from './client/lib';
+import { SavedObjectsClientProvider } from './client/lib';
 
 import {
   createBulkGetRoute,
@@ -64,12 +63,12 @@ export function savedObjectsMixin(kbnServer, server) {
   }
 
   server.decorate('server', 'savedObjectsClientFactory', ({ callCluster, request }) => {
-    return new SavedObjectsClient({
-      index: server.config().get('kibana.index'),
+    return SavedObjectsClientProvider.createWrappedSavedObjectsClient({
+      server,
+      request,
       mappings: server.getKibanaIndexMappingsDsl(),
       callCluster,
-      onBeforeWrite,
-      interceptors: request ? SavedObjectClientInterceptorRegistry.createInterceptorsForRequest(request) : []
+      onBeforeWrite
     });
   });
 
@@ -81,8 +80,10 @@ export function savedObjectsMixin(kbnServer, server) {
       return savedObjectsClientCache.get(request);
     }
 
-    const clientProvider = SavedObjectClientProvider.getClientProvider();
-    const savedObjectsClient = clientProvider(server, request);
+    const { callWithRequest } = server.plugins.elasticsearch.getCluster('admin');
+    const callCluster = (...args) => callWithRequest(request, ...args);
+
+    const savedObjectsClient = server.savedObjectsClientFactory({ callCluster, request });
 
     savedObjectsClientCache.set(request, savedObjectsClient);
     return savedObjectsClient;

From 0afd1c1c0093c4a5521c9ecc7efd1f6caeb09619 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Tue, 17 Apr 2018 17:02:02 -0400
Subject: [PATCH 003/183] Add placeholder "kibana.namespace" configuration
 property

---
 src/core_plugins/kibana/index.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/core_plugins/kibana/index.js b/src/core_plugins/kibana/index.js
index 189009f037ea9d..afabf0c0e8b8c0 100644
--- a/src/core_plugins/kibana/index.js
+++ b/src/core_plugins/kibana/index.js
@@ -30,7 +30,8 @@ export default function (kibana) {
       return Joi.object({
         enabled: Joi.boolean().default(true),
         defaultAppId: Joi.string().default('home'),
-        index: Joi.string().default('.kibana')
+        index: Joi.string().default('.kibana'),
+        namespace: Joi.string().default('kibana')
       }).default();
     },
 

From 30e86d12684e648fa0f94721e65a34b44b639a66 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Wed, 18 Apr 2018 14:12:01 -0400
Subject: [PATCH 004/183] revert changes to saved objects client

---
 .../client/saved_objects_client.js            | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/src/server/saved_objects/client/saved_objects_client.js b/src/server/saved_objects/client/saved_objects_client.js
index 092dd0e4b45b26..79dc55540e039d 100644
--- a/src/server/saved_objects/client/saved_objects_client.js
+++ b/src/server/saved_objects/client/saved_objects_client.js
@@ -156,8 +156,7 @@ export class SavedObjectsClient {
       overwrite = false
     } = options;
     const time = this._getCurrentTime();
-
-    const objectToBulkRequest = async (object) => {
+    const objectToBulkRequest = (object) => {
       const method = object.id && !overwrite ? 'create' : 'index';
 
       return [
@@ -175,18 +174,13 @@ export class SavedObjectsClient {
       ];
     };
 
-    const bulkRequestBody = await objects.reduce(async (acc, object) => {
-      const collection = await acc;
-
-      const objectRequestBody = await objectToBulkRequest(object);
-
-      return [...collection, ...objectRequestBody];
-    }, Promise.resolve([]));
-
     const { items } = await this._writeToCluster('bulk', {
       index: this._index,
       refresh: 'wait_for',
-      body: bulkRequestBody
+      body: objects.reduce((acc, object) => ([
+        ...acc,
+        ...objectToBulkRequest(object)
+      ]), []),
     });
 
     return items.map((response, i) => {
@@ -230,7 +224,6 @@ export class SavedObjectsClient {
    * @returns {promise}
    */
   async delete(type, id) {
-
     const response = await this._writeToCluster('delete', {
       id: this._generateEsId(type, id),
       type: this._type,
@@ -396,7 +389,6 @@ export class SavedObjectsClient {
    * @returns {promise} - { id, type, version, attributes }
    */
   async get(type, id) {
-
     const response = await this._callCluster('get', {
       id: this._generateEsId(type, id),
       type: this._type,
@@ -432,7 +424,6 @@ export class SavedObjectsClient {
    * @returns {promise}
    */
   async update(type, id, attributes, options = {}) {
-
     const time = this._getCurrentTime();
     const response = await this._writeToCluster('update', {
       id: this._generateEsId(type, id),

From 936180b82c6d9fdd3625f583e564b0f6bc2ef682 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 19 Apr 2018 13:15:38 -0400
Subject: [PATCH 005/183] Remove circular dependency

---
 .../client/lib/client_provider.js             | 28 ++-----------------
 .../saved_objects/saved_objects_mixin.js      | 20 +++++++++++--
 2 files changed, 20 insertions(+), 28 deletions(-)

diff --git a/src/server/saved_objects/client/lib/client_provider.js b/src/server/saved_objects/client/lib/client_provider.js
index e561274b963a12..a0e510a75fb756 100644
--- a/src/server/saved_objects/client/lib/client_provider.js
+++ b/src/server/saved_objects/client/lib/client_provider.js
@@ -1,29 +1,5 @@
-import { SavedObjectsClient } from '../saved_objects_client';
 import { PrioritizedCollection } from './prioritized_collection';
 
-/**
- * The base Saved Objects Client.
- *
- * @param {*} server
- * @param {*} request
- */
-function createBaseSavedObjectsClient(options) {
-
-  const {
-    server,
-    mappings,
-    callCluster,
-    onBeforeWrite,
-  } = options;
-
-  return new SavedObjectsClient({
-    index: server.config().get('kibana.index'),
-    mappings,
-    callCluster,
-    onBeforeWrite
-  });
-}
-
 /**
  * Provider for the Saved Object Client.
  */
@@ -41,11 +17,11 @@ class ClientProvider {
     this._wrappers.add(wrapper, priority);
   }
 
-  createWrappedSavedObjectsClient(options) {
+  createSavedObjectsClient(baseClientFactory, options) {
     const orderedBuilders = this._optionBuilders.toArray();
     const clientOptions = orderedBuilders.reduce((acc, builder) => builder(acc), options);
 
-    const baseClient = createBaseSavedObjectsClient(clientOptions);
+    const baseClient = baseClientFactory(clientOptions);
 
     const orderedWrappers = this._wrappers.toArray();
     return orderedWrappers.reduce((client, wrapper) => wrapper(client, clientOptions), baseClient);
diff --git a/src/server/saved_objects/saved_objects_mixin.js b/src/server/saved_objects/saved_objects_mixin.js
index 4169dedc77aaba..d5d7b2c4c31cf5 100644
--- a/src/server/saved_objects/saved_objects_mixin.js
+++ b/src/server/saved_objects/saved_objects_mixin.js
@@ -1,5 +1,5 @@
 import { SavedObjectsClientProvider } from './client/lib';
-
+import { SavedObjectsClient } from './client';
 import {
   createBulkGetRoute,
   createCreateRoute,
@@ -63,7 +63,23 @@ export function savedObjectsMixin(kbnServer, server) {
   }
 
   server.decorate('server', 'savedObjectsClientFactory', ({ callCluster, request }) => {
-    return SavedObjectsClientProvider.createWrappedSavedObjectsClient({
+    const createBaseClient = (options) => {
+      const {
+        server,
+        mappings,
+        callCluster,
+        onBeforeWrite,
+      } = options;
+
+      return new SavedObjectsClient({
+        index: server.config().get('kibana.index'),
+        mappings,
+        callCluster,
+        onBeforeWrite
+      });
+    };
+
+    return SavedObjectsClientProvider.createSavedObjectsClient(createBaseClient, {
       server,
       request,
       mappings: server.getKibanaIndexMappingsDsl(),

From 4d4f9462f896f2394531d071fcb293c9164edf01 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Tue, 24 Apr 2018 10:12:25 -0400
Subject: [PATCH 006/183] Removing namespace setting, we're using
 xpack.security.rbac.application

---
 src/core_plugins/kibana/index.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/core_plugins/kibana/index.js b/src/core_plugins/kibana/index.js
index afabf0c0e8b8c0..a8e759424a8429 100644
--- a/src/core_plugins/kibana/index.js
+++ b/src/core_plugins/kibana/index.js
@@ -31,7 +31,6 @@ export default function (kibana) {
         enabled: Joi.boolean().default(true),
         defaultAppId: Joi.string().default('home'),
         index: Joi.string().default('.kibana'),
-        namespace: Joi.string().default('kibana')
       }).default();
     },
 

From df569df451728867264bf248046367b1711373f4 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Tue, 24 Apr 2018 12:21:25 -0400
Subject: [PATCH 007/183] Adding config.getDefault

---
 src/server/config/config.js      | 15 +++++++++++++++
 src/server/config/config.test.js | 25 +++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/src/server/config/config.js b/src/server/config/config.js
index 61276a645f7deb..e415ef04e39bb1 100644
--- a/src/server/config/config.js
+++ b/src/server/config/config.js
@@ -123,11 +123,24 @@ export class Config {
     return clone(value);
   }
 
+  getDefault(key) {
+    const schemaDescription = Joi.describe(this.getSchema());
+    const parts = key.split('.');
+    const path = `children.${parts.join('.children.')}`;
+    const description = _.get(schemaDescription, path);
+    if (!description) {
+      throw new Error('Unknown config key: ' + key);
+    }
+
+    return _.get(description, 'flags.default');
+  }
+
   has(key) {
     function has(key, schema, path) {
       path = path || [];
       // Catch the partial paths
       if (path.join('.') === key) return true;
+
       // Only go deep on inner objects with children
       if (_.size(schema._inner.children)) {
         for (let i = 0; i < schema._inner.children.length; i++) {
@@ -174,4 +187,6 @@ export class Config {
 
     return this[schema];
   }
+
+
 }
diff --git a/src/server/config/config.test.js b/src/server/config/config.test.js
index ac45557e22cb55..14b7ffd2226d9c 100644
--- a/src/server/config/config.test.js
+++ b/src/server/config/config.test.js
@@ -213,6 +213,31 @@ describe('lib/config/config', function () {
 
     });
 
+    describe('#getDefault(key)', function () {
+      let config;
+
+      beforeEach(function () {
+        config = new Config(schema);
+        config.set(data);
+      });
+
+      it('should return undefined if there is no default', function () {
+        const hostDefault = config.getDefault('test.client.host');
+        expect(hostDefault).toBeUndefined();
+      });
+
+      it('should return default if specified', function () {
+        const typeDefault = config.getDefault('test.client.type');
+        expect(typeDefault).toBe('datastore');
+      });
+
+      it('should throw exception for unknown key', function () {
+        expect(() => {
+          config.getDefault('foo.bar');
+        }).toThrow();
+      });
+    });
+
     describe('#extendSchema(key, schema)', function () {
       let config;
       beforeEach(function () {

From 9979fb9c2654c3aef289ed5c9e895a7cf213c9fd Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Wed, 25 Apr 2018 09:25:36 -0400
Subject: [PATCH 008/183] Expose SavedObjectsClientProvider on the server for
 easy plugin consumption

---
 src/server/saved_objects/saved_objects_mixin.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/server/saved_objects/saved_objects_mixin.js b/src/server/saved_objects/saved_objects_mixin.js
index d5d7b2c4c31cf5..2cf83946de63b1 100644
--- a/src/server/saved_objects/saved_objects_mixin.js
+++ b/src/server/saved_objects/saved_objects_mixin.js
@@ -62,6 +62,8 @@ export function savedObjectsMixin(kbnServer, server) {
     }
   }
 
+  server.decorate('server', 'getSavedObjectsClientProvider', () => SavedObjectsClientProvider);
+
   server.decorate('server', 'savedObjectsClientFactory', ({ callCluster, request }) => {
     const createBaseClient = (options) => {
       const {

From 646a80a1f1bdaa0b005300d76113f90799d7263c Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Wed, 25 Apr 2018 10:46:40 -0400
Subject: [PATCH 009/183] migrate x-pack changes into kibana

---
 x-pack/plugins/security/index.js              |  37 ++++-
 .../public/services/application_privilege.js  |  19 +++
 .../public/services/shield_privileges.js      |   3 +-
 .../public/views/management/edit_role.html    |  24 +++
 .../public/views/management/edit_role.js      |  28 +++-
 .../server/lib/__tests__/validate_config.js   |  19 ++-
 .../lib/authorization/create_default_roles.js |  47 ++++++
 .../server/lib/check_user_permission.js       |  14 ++
 .../lib/mirror_status_and_initialize.js       |  63 ++++++++
 .../lib/mirror_status_and_initialize.test.js  | 138 ++++++++++++++++++
 .../privileges/privilege_action_registry.js   |  32 ++++
 .../server/lib/privileges/privileges.js       |  56 +++++++
 .../security/server/lib/role_schema.js        |   3 +-
 .../lib/saved_object_client_interceptor.js    |  42 ++++++
 .../saved_objects_client_wrapper.js           |  17 +++
 .../secure_options_builder.js                 |  19 +++
 .../secure_saved_objects_client.js            |  96 ++++++++++++
 .../security/server/lib/validate_config.js    |  11 +-
 .../server/routes/api/v1/privileges.js        |  28 ++++
 .../v1/roles/contains_other_applications.js   |  15 ++
 .../roles/contains_other_applications.test.js |  66 +++++++++
 .../api/v1/{roles.js => roles/index.js}       |  24 ++-
 x-pack/server/lib/esjs_shield_plugin.js       |  31 ++++
 23 files changed, 814 insertions(+), 18 deletions(-)
 create mode 100644 x-pack/plugins/security/public/services/application_privilege.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/create_default_roles.js
 create mode 100644 x-pack/plugins/security/server/lib/check_user_permission.js
 create mode 100644 x-pack/plugins/security/server/lib/mirror_status_and_initialize.js
 create mode 100644 x-pack/plugins/security/server/lib/mirror_status_and_initialize.test.js
 create mode 100644 x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
 create mode 100644 x-pack/plugins/security/server/lib/privileges/privileges.js
 create mode 100644 x-pack/plugins/security/server/lib/saved_object_client_interceptor.js
 create mode 100644 x-pack/plugins/security/server/lib/saved_objects_client/saved_objects_client_wrapper.js
 create mode 100644 x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js
 create mode 100644 x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
 create mode 100644 x-pack/plugins/security/server/routes/api/v1/privileges.js
 create mode 100644 x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.js
 create mode 100644 x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.test.js
 rename x-pack/plugins/security/server/routes/api/v1/{roles.js => roles/index.js} (69%)

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 5e4602d4480844..2810f7ae3cb7fb 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -16,7 +16,12 @@ import { validateConfig } from './server/lib/validate_config';
 import { authenticateFactory } from './server/lib/auth_redirect';
 import { checkLicense } from './server/lib/check_license';
 import { initAuthenticator } from './server/lib/authentication/authenticator';
-import { mirrorPluginStatus } from '../../server/lib/mirror_plugin_status';
+import { mirrorStatusAndInitialize } from './server/lib/mirror_status_and_initialize';
+import { secureSavedObjectsClientWrapper } from './server/lib/saved_objects_client/saved_objects_client_wrapper';
+import { secureSavedObjectsClientOptionsBuilder } from './server/lib/saved_objects_client/secure_options_builder';
+import { registerPrivilegesWithCluster } from './server/lib/privileges/privilege_action_registry';
+import { createDefaultRoles } from './server/lib/authorization/create_default_roles';
+import { initPrivilegesApi } from './server/routes/api/v1/privileges';
 
 export const security = (kibana) => new kibana.Plugin({
   id: 'security',
@@ -37,6 +42,11 @@ export const security = (kibana) => new kibana.Plugin({
         hostname: Joi.string().hostname(),
         port: Joi.number().integer().min(0).max(65535)
       }).default(),
+      rbac: Joi.object({
+        enabled: Joi.boolean().default(false),
+        createDefaultRoles: Joi.boolean().default(true),
+        application: Joi.string().default('kibana'),
+      }).default(),
     }).default();
   },
 
@@ -64,21 +74,29 @@ export const security = (kibana) => new kibana.Plugin({
 
       return {
         secureCookies: config.get('xpack.security.secureCookies'),
-        sessionTimeout: config.get('xpack.security.sessionTimeout')
+        sessionTimeout: config.get('xpack.security.sessionTimeout'),
+        rbacEnabled: config.get('xpack.security.rbac.enabled')
       };
     }
   },
 
   async init(server) {
-    const thisPlugin = this;
+    const config = server.config();
     const xpackMainPlugin = server.plugins.xpack_main;
-    mirrorPluginStatus(xpackMainPlugin, thisPlugin);
+
+    mirrorStatusAndInitialize(xpackMainPlugin.status, this.status, async () => {
+      if (!config.get('xpack.security.rbac.enabled')) {
+        return;
+      }
+
+      await registerPrivilegesWithCluster(server);
+      await createDefaultRoles(server);
+    });
 
     // Register a function that is called whenever the xpack info changes,
     // to re-compute the license check results for this plugin
-    xpackMainPlugin.info.feature(thisPlugin.id).registerLicenseCheckResultsGenerator(checkLicense);
+    xpackMainPlugin.info.feature(this.id).registerLicenseCheckResultsGenerator(checkLicense);
 
-    const config = server.config();
     validateConfig(config, message => server.log(['security', 'warning'], message));
 
     // Create a Hapi auth scheme that should be applied to each request.
@@ -88,6 +106,12 @@ export const security = (kibana) => new kibana.Plugin({
     // automatically assigned to all routes that don't contain an auth config.
     server.auth.strategy('session', 'login', 'required');
 
+    if (config.get('xpack.security.rbac.enabled')) {
+      const savedObjectsClientProvider = server.getSavedObjectsClientProvider();
+      savedObjectsClientProvider.addClientOptionBuilder((options) => secureSavedObjectsClientOptionsBuilder(server, options));
+      savedObjectsClientProvider.addClientWrapper(secureSavedObjectsClientWrapper);
+    }
+
     getUserProvider(server);
 
     await initAuthenticator(server);
@@ -95,6 +119,7 @@ export const security = (kibana) => new kibana.Plugin({
     initUsersApi(server);
     initRolesApi(server);
     initIndicesApi(server);
+    initPrivilegesApi(server);
     initLoginView(server, xpackMainPlugin);
     initLogoutView(server);
 
diff --git a/x-pack/plugins/security/public/services/application_privilege.js b/x-pack/plugins/security/public/services/application_privilege.js
new file mode 100644
index 00000000000000..2b21eb7e63e4bd
--- /dev/null
+++ b/x-pack/plugins/security/public/services/application_privilege.js
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+
+import 'angular-resource';
+import { uiModules } from 'ui/modules';
+
+const module = uiModules.get('security', ['ngResource']);
+module.service('ApplicationPrivilege', ($resource, chrome) => {
+  const baseUrl = chrome.addBasePath('/api/security/v1/privileges');
+  const ShieldPrivilege = $resource(baseUrl);
+
+  return ShieldPrivilege;
+});
diff --git a/x-pack/plugins/security/public/services/shield_privileges.js b/x-pack/plugins/security/public/services/shield_privileges.js
index aabd0a95b26cab..a00b326ab82da3 100644
--- a/x-pack/plugins/security/public/services/shield_privileges.js
+++ b/x-pack/plugins/security/public/services/shield_privileges.js
@@ -35,5 +35,6 @@ module.constant('shieldPrivileges', {
     'create_index',
     'view_index_metadata',
     'read_cross_cluster',
-  ]
+  ],
+  applications: []
 });
diff --git a/x-pack/plugins/security/public/views/management/edit_role.html b/x-pack/plugins/security/public/views/management/edit_role.html
index f547788606cc32..768f50a2107586 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.html
+++ b/x-pack/plugins/security/public/views/management/edit_role.html
@@ -96,6 +96,30 @@ <h1 class="kuiTitle">
           </div>
         </div>
 
+        <!-- Kibana custom privileges -->
+        <div class="kuiFormSection" ng-if="rbacEnabled">
+          <label class="kuiFormLabel">
+            Kibana Privileges
+          </label>
+
+          <div class="kuiInputNote kuiInputNote--warning" ng-if="role.hasUnsupportedCustomPrivileges">
+            Changes to this section are not supported: this role contains application privileges that do not belong to this instance of Kibana.
+          </div>
+
+          <div ng-repeat="privilege in kibanaPrivileges track by privilege.name">
+            <label>
+              <input
+                class="kuiCheckBox"
+                type="checkbox"
+                ng-checked="includesPermission(role, privilege)"
+                ng-click="togglePermission(role, privilege)"
+                ng-disabled="role.metadata._reserved || !isRoleEnabled(role) || role.hasUnsupportedCustomPrivileges"
+              />
+              <span class="kuiOptionLabel">{{privilege.metadata.displayName}}</span>
+            </label>
+          </div>
+        </div>
+
         <!-- Run-as privileges -->
         <div class="kuiFormSection">
           <label class="kuiFormLabel">
diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
index 1494c86c8971a8..349807d1836c80 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role.js
@@ -11,6 +11,7 @@ import { toggle } from 'plugins/security/lib/util';
 import { isRoleEnabled } from 'plugins/security/lib/role';
 import template from 'plugins/security/views/management/edit_role.html';
 import 'angular-ui-select';
+import 'plugins/security/services/application_privilege';
 import 'plugins/security/services/shield_user';
 import 'plugins/security/services/shield_role';
 import 'plugins/security/services/shield_privileges';
@@ -43,9 +44,14 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
       return new ShieldRole({
         cluster: [],
         indices: [],
-        run_as: []
+        run_as: [],
+        applications: []
       });
     },
+    kibanaPrivileges(ApplicationPrivilege, kbnUrl, Promise, Private) {
+      return ApplicationPrivilege.query().$promise
+        .catch(checkLicenseError(kbnUrl, Promise, Private));
+    },
     users(ShieldUser, kbnUrl, Promise, Private) {
       // $promise is used here because the result is an ngResource, not a promise itself
       return ShieldUser.query().$promise
@@ -58,7 +64,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     }
   },
   controllerAs: 'editRole',
-  controller($injector, $scope) {
+  controller($injector, $scope, rbacEnabled) {
     const $route = $injector.get('$route');
     const kbnUrl = $injector.get('kbnUrl');
     const shieldPrivileges = $injector.get('shieldPrivileges');
@@ -71,6 +77,8 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     $scope.users = $route.current.locals.users;
     $scope.indexPatterns = $route.current.locals.indexPatterns;
     $scope.privileges = shieldPrivileges;
+    $scope.kibanaPrivileges = $route.current.locals.kibanaPrivileges;
+    $scope.rbacEnabled = rbacEnabled;
     $scope.rolesHref = `#${ROLES_PATH}`;
 
     this.isNewRole = $route.current.params.name == null;
@@ -138,6 +146,22 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
 
     $scope.toggle = toggle;
     $scope.includes = _.includes;
+    $scope.togglePermission = (role, permission) => {
+      const shouldRemove = $scope.hasPermission(role, permission);
+      const rolePermissions = role.applications || [];
+      if (shouldRemove) {
+        role.applications = rolePermissions.filter(rolePermission => rolePermission.name === permission.name);
+      } else {
+        role.applications = rolePermissions.concat([permission]);
+      }
+    };
+
+    $scope.hasPermission = (role, permission) => {
+      // TODO(legrego): faking until ES is implemented
+      const rolePermissions = role.applications || [];
+      return rolePermissions.find(rolePermission => permission.name === rolePermission.name);
+    };
+
     $scope.union = _.flow(_.union, _.compact);
   }
 });
diff --git a/x-pack/plugins/security/server/lib/__tests__/validate_config.js b/x-pack/plugins/security/server/lib/__tests__/validate_config.js
index 2474179a311db5..2804f50f4c9769 100644
--- a/x-pack/plugins/security/server/lib/__tests__/validate_config.js
+++ b/x-pack/plugins/security/server/lib/__tests__/validate_config.js
@@ -16,7 +16,8 @@ describe('Validate config', function () {
   beforeEach(() => {
     config = {
       get: sinon.stub(),
-      set: sinon.stub()
+      getDefault: sinon.stub(),
+      set: sinon.stub(),
     };
     log.reset();
   });
@@ -74,4 +75,20 @@ describe('Validate config', function () {
     sinon.assert.calledWith(config.set, 'xpack.security.secureCookies', true);
     sinon.assert.notCalled(log);
   });
+
+  it('should throw error if xpack.security.rbac.application is the default when kibana.index is set', function () {
+    // other valid keys that we need
+    config.get.withArgs('server.ssl.key').returns('foo');
+    config.get.withArgs('server.ssl.certificate').returns('bar');
+    config.get.withArgs('xpack.security.encryptionKey').returns(validKey);
+
+    config.get.withArgs('kibana.index').returns('notDefaultIndex');
+    config.get.withArgs('xpack.security.rbac.application').returns('defaultApplication');
+    config.getDefault.withArgs('kibana.index').returns('defaultIndex');
+    config.getDefault.withArgs('xpack.security.rbac.application').returns('defaultApplication');
+
+    expect(() => validateConfig(config, log)).to.throwError();
+
+    sinon.assert.notCalled(log);
+  });
 });
diff --git a/x-pack/plugins/security/server/lib/authorization/create_default_roles.js b/x-pack/plugins/security/server/lib/authorization/create_default_roles.js
new file mode 100644
index 00000000000000..73837d0e490f74
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/create_default_roles.js
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+
+import { getClient } from '../../../../../server/lib/get_client_shield';
+
+
+const createRoleIfDoesntExist = async (callCluster, name) => {
+  try {
+    await callCluster('shield.getRole', { name });
+  } catch (err) {
+    if (err.statusCode !== 404) {
+      throw err;
+    }
+
+    await callCluster('shield.putRole', {
+      name,
+      body: {
+        cluster: [],
+        index: [],
+        // application: [ { "privileges": [ "kibana:all" ], "resources": [ "*" ] } ]
+      }
+    });
+  }
+};
+
+export async function createDefaultRoles(server) {
+  const config = server.config();
+
+  if (!config.get('xpack.security.rbac.createDefaultRoles')) {
+    return;
+  }
+
+  const application = config.get('xpack.security.rbac.application');
+
+  const callCluster = getClient(server).callWithInternalUser;
+
+  const createKibanaUserRole = createRoleIfDoesntExist(callCluster, `${application}_rbac_user`);
+  const createKibanaDashboardOnlyRole = createRoleIfDoesntExist(callCluster, `${application}_rbac_dashboard_only_user`);
+
+  await Promise.all([createKibanaUserRole, createKibanaDashboardOnlyRole]);
+}
diff --git a/x-pack/plugins/security/server/lib/check_user_permission.js b/x-pack/plugins/security/server/lib/check_user_permission.js
new file mode 100644
index 00000000000000..6890a6fc790929
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/check_user_permission.js
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+
+
+export async function checkUserPermission(permission, hasPermission) {
+  // POC Stub. TODO: Use ES Permissions API once implemented.
+  return Promise.resolve(hasPermission);
+}
diff --git a/x-pack/plugins/security/server/lib/mirror_status_and_initialize.js b/x-pack/plugins/security/server/lib/mirror_status_and_initialize.js
new file mode 100644
index 00000000000000..af9ad91db70fb4
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/mirror_status_and_initialize.js
@@ -0,0 +1,63 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+import { Observable } from 'rxjs';
+
+export function mirrorStatusAndInitialize(upstreamStatus, downstreamStatus, onGreen) {
+  const currentState$ = Observable
+    .of({
+      state: upstreamStatus.state,
+      message: upstreamStatus.message,
+    });
+
+  const newState$ = Observable
+    .fromEvent(upstreamStatus, 'change', null, (previousState, previousMsg, state, message) => {
+      return {
+        state,
+        message,
+      };
+    });
+
+  const state$ = Observable.merge(currentState$, newState$);
+
+  let onGreenPromise;
+  const onGreen$ = Observable.create(observer => {
+    if (!onGreenPromise) {
+      onGreenPromise = onGreen();
+    }
+
+    onGreenPromise
+      .then(() => {
+        observer.next({
+          state: 'green',
+          message: 'Ready',
+        });
+      })
+      .catch((err) => {
+        onGreenPromise = null;
+        observer.next({
+          state: 'red',
+          message: err.message
+        });
+      });
+  });
+
+
+  state$
+    .switchMap(({ state, message }) => {
+      if (state !== 'green') {
+        return Observable.of({ state, message });
+      }
+
+      return onGreen$;
+    })
+    .do(({ state, message }) => {
+      downstreamStatus[state](message);
+    })
+    .subscribe();
+}
diff --git a/x-pack/plugins/security/server/lib/mirror_status_and_initialize.test.js b/x-pack/plugins/security/server/lib/mirror_status_and_initialize.test.js
new file mode 100644
index 00000000000000..7c1cb525761306
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/mirror_status_and_initialize.test.js
@@ -0,0 +1,138 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+import { EventEmitter } from 'events';
+import { once } from 'lodash';
+import { mirrorStatusAndInitialize } from './mirror_status_and_initialize';
+
+['red', 'yellow', 'disabled' ].forEach(state => {
+  test(`mirrors ${state} immediately`, () => {
+    const message = `${state} is the status`;
+    const upstreamStatus = new EventEmitter();
+    upstreamStatus.state = state;
+    upstreamStatus.message = message;
+
+    const downstreamStatus = {
+      [state]: jest.fn()
+    };
+
+    mirrorStatusAndInitialize(upstreamStatus, downstreamStatus);
+    expect(downstreamStatus[state]).toHaveBeenCalledTimes(1);
+    expect(downstreamStatus[state]).toHaveBeenCalledWith(message);
+  });
+});
+
+test(`calls onGreen and doesn't immediately set downstream status when the initial status is green`, () => {
+  const upstreamStatus = new EventEmitter();
+  upstreamStatus.state = 'green';
+  upstreamStatus.message = '';
+
+  const downstreamStatus = {
+    green: jest.fn()
+  };
+
+  const onGreenMock = jest.fn().mockImplementation(() => new Promise(() => {}));
+  mirrorStatusAndInitialize(upstreamStatus, downstreamStatus, onGreenMock);
+  expect(onGreenMock).toHaveBeenCalledTimes(1);
+  expect(downstreamStatus.green).toHaveBeenCalledTimes(0);
+});
+
+test(`only calls onGreen once if it resolves immediately`, () => {
+  const upstreamStatus = new EventEmitter();
+  upstreamStatus.state = 'green';
+  upstreamStatus.message = '';
+
+  const downstreamStatus = {
+    green: () => {}
+  };
+
+  const onGreenMock = jest.fn().mockImplementation(() => Promise.resolve());
+
+  mirrorStatusAndInitialize(upstreamStatus, downstreamStatus, onGreenMock);
+  upstreamStatus.emit('change', '', '', 'green', '');
+  expect(onGreenMock).toHaveBeenCalledTimes(1);
+});
+
+test(`calls onGreen twice if it rejects`, (done) => {
+  const upstreamStatus = new EventEmitter();
+  upstreamStatus.state = 'green';
+  upstreamStatus.message = '';
+
+  const downstreamStatus = {
+    red: once(() => {
+      // once we see this red, we immediately trigger the upstream status again
+      // to have it retrigger the onGreen function
+      upstreamStatus.emit('change', '', '', 'green', '');
+    }),
+  };
+
+  let count = 0;
+  const onGreenMock = jest.fn().mockImplementation(() => {
+    if (++count === 2) {
+      done();
+    }
+
+    return Promise.reject(new Error());
+  });
+
+  mirrorStatusAndInitialize(upstreamStatus, downstreamStatus, onGreenMock);
+});
+
+test(`sets downstream status to green when onGreen promise resolves`, (done) => {
+  const state = 'green';
+  const message = `${state} is the status`;
+  const upstreamStatus = new EventEmitter();
+  upstreamStatus.state = state;
+  upstreamStatus.message = message;
+
+  const downstreamStatus = {
+    green: () => {
+      done();
+    }
+  };
+
+  const onGreenMock = jest.fn().mockImplementation(() => Promise.resolve());
+  mirrorStatusAndInitialize(upstreamStatus, downstreamStatus, onGreenMock);
+});
+
+test(`sets downstream status to red when onGreen promise rejects`, (done) => {
+  const upstreamStatus = new EventEmitter();
+  upstreamStatus.state = 'green';
+  upstreamStatus.message = '';
+
+  const errorMessage = 'something went real wrong';
+
+  const downstreamStatus = {
+    red: (msg) => {
+      expect(msg).toBe(errorMessage);
+      done();
+    }
+  };
+
+  const onGreenMock = jest.fn().mockImplementation(() => Promise.reject(new Error(errorMessage)));
+  mirrorStatusAndInitialize(upstreamStatus, downstreamStatus, onGreenMock);
+});
+
+['red', 'yellow', 'disabled' ].forEach(state => {
+  test(`switches from uninitialized to ${state} on event`, () => {
+    const message = `${state} is the status`;
+    const upstreamStatus = new EventEmitter();
+    upstreamStatus.state = 'uninitialized';
+    upstreamStatus.message = 'uninitialized';
+
+    const downstreamStatus = {
+      uninitialized: jest.fn(),
+      [state]: jest.fn(),
+    };
+
+    mirrorStatusAndInitialize(upstreamStatus, downstreamStatus);
+    upstreamStatus.emit('change', '', '', state, message);
+    expect(downstreamStatus[state]).toHaveBeenCalledTimes(1);
+    expect(downstreamStatus[state]).toHaveBeenCalledWith(message);
+  });
+});
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
new file mode 100644
index 00000000000000..86b1023fcb9b47
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+
+import { buildPrivilegeMap } from './privileges';
+import { getClient } from '../../../../../server/lib/get_client_shield';
+
+export async function registerPrivilegesWithCluster(server) {
+  return;
+
+  const config = server.config();
+  const kibanaVersion = config.get('pkg.version');
+  const application = config.get('xpack.security.rbac.application');
+
+  const privilegeActionMapping = buildPrivilegeMap(application, kibanaVersion);
+
+  server.log(['security', 'debug'], `Registering Kibana Privileges with Elasticsearch for ${application}`);
+
+  const callCluster = getClient(server).callWithInternalUser;
+
+  // TODO(legrego) - non-working stub
+  await callCluster('shield.postPrivileges', {
+    body: {
+      [application]: privilegeActionMapping
+    }
+  });
+}
diff --git a/x-pack/plugins/security/server/lib/privileges/privileges.js b/x-pack/plugins/security/server/lib/privileges/privileges.js
new file mode 100644
index 00000000000000..becfaa5aee78de
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/privileges/privileges.js
@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+
+export function buildPrivilegeMap(application, kibanaVersion) {
+  const readSavedObjectsPrivileges = buildSavedObjectsReadPrivileges('');
+
+  const commonMetadata = {
+    kibanaVersion
+  };
+
+  function getActionName(...nameParts) {
+    return nameParts.join('/');
+  }
+
+  const privilegeActionMap = [];
+
+  privilegeActionMap.push({
+    application,
+    name: 'all',
+    actions: [getActionName('*')],
+    metadata: {
+      ...commonMetadata,
+      displayName: 'all'
+    }
+  });
+
+  privilegeActionMap.push({
+    application,
+    name: 'read',
+    actions: [...readSavedObjectsPrivileges],
+    metadata: {
+      ...commonMetadata,
+      displayName: 'read'
+    }
+  });
+
+  return privilegeActionMap;
+}
+
+function buildSavedObjectsReadPrivileges(prefix) {
+  const readActions = ['get', 'mget', 'search'];
+  return buildSavedObjectsPrivileges(prefix, readActions);
+}
+
+function buildSavedObjectsPrivileges(prefix, actions) {
+  const objectTypes = ['dashboard', 'visualization', 'search'];
+  return objectTypes
+    .map(type => actions.map(action => `${prefix}/${type}/${action}`))
+    .reduce((acc, types) => [...acc, ...types], []);
+}
diff --git a/x-pack/plugins/security/server/lib/role_schema.js b/x-pack/plugins/security/server/lib/role_schema.js
index a38880b89320e2..7a41e9fa541213 100644
--- a/x-pack/plugins/security/server/lib/role_schema.js
+++ b/x-pack/plugins/security/server/lib/role_schema.js
@@ -19,6 +19,7 @@ export const roleSchema = {
     query: Joi.string().allow('')
   }),
   run_as: Joi.array().items(Joi.string()),
+  applications: Joi.array(),
   metadata: Joi.object(),
   transient_metadata: Joi.object()
-};
\ No newline at end of file
+};
diff --git a/x-pack/plugins/security/server/lib/saved_object_client_interceptor.js b/x-pack/plugins/security/server/lib/saved_object_client_interceptor.js
new file mode 100644
index 00000000000000..9ad4b71b44594b
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/saved_object_client_interceptor.js
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+
+import { checkUserPermission } from './check_user_permission';
+
+export function checkSavedObjectPermissions() {
+  return (request) => ({
+    method: 'all',
+    intercept: async (client, method, type) => {
+      const action = `kibana:/savedobject/${method}/${type}`;
+
+      const { credentials } = request.auth;
+
+      // TODO(larry): dashboard_mode_auth_scope.js uses request's SOC before the user is attached to the request. Chicken and egg...
+      if (!credentials) {
+        console.warn(
+          `!!!!DANGER!!!! No credentials on request (${request.path})! Unable to authorize Saved Object Client request. See trace below:`
+        );
+        console.trace();
+        return;
+      }
+
+      const { roles } = request.auth.credentials;
+
+      const fakeAccessCheck = roles.indexOf('kibana_ols_user') >= 0;
+
+      const hasPermission = await checkUserPermission(action, fakeAccessCheck || true);
+      console.log('hasPermission returned', hasPermission);
+
+      if (!hasPermission) {
+        const errorMessage = `Unauthorized: User must have "kibana:all" permission to perform this action.`;
+        throw client.errors.decorateForbiddenError(new Error(), errorMessage);
+      }
+    }
+  });
+}
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/saved_objects_client_wrapper.js b/x-pack/plugins/security/server/lib/saved_objects_client/saved_objects_client_wrapper.js
new file mode 100644
index 00000000000000..6f02b232210c4e
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/saved_objects_client_wrapper.js
@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+
+import { SecureSavedObjectsClient } from './secure_saved_objects_client';
+
+export function secureSavedObjectsClientWrapper(baseClient, options) {
+  return new SecureSavedObjectsClient({
+    baseClient,
+    ...options
+  });
+}
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js
new file mode 100644
index 00000000000000..229570f401010c
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+
+export function secureSavedObjectsClientOptionsBuilder(server, options) {
+  const adminCluster = server.plugins.elasticsearch.getCluster('admin');
+  const { callWithInternalUser } = adminCluster;
+
+  return {
+    ...options,
+    application: server.config().get('xpack.security.rbac.application'),
+    callCluster: callWithInternalUser
+  };
+}
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
new file mode 100644
index 00000000000000..796ae9151e3f01
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -0,0 +1,96 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+
+import Boom from 'boom';
+import { getClient } from '../../../../../server/lib/get_client_shield';
+
+export class SecureSavedObjectsClient {
+  constructor(options) {
+    const {
+      server,
+      request,
+      baseClient,
+      application,
+    } = options;
+
+    this.errors = baseClient.errors;
+
+    this._client = baseClient;
+    this._application = application;
+    this._callCluster = getClient(server).callWithRequest;
+    this._request = request;
+  }
+
+  async create(type, attributes = {}, options = {}) {
+    await this._performAuthorizationCheck(type, 'create', attributes, options);
+
+    return await this._client.create(type, attributes, options);
+  }
+
+  async bulkCreate(objects, options = {}) {
+    for (const object of objects) {
+      await this._performAuthorizationCheck(object.type, 'create', object.attributes);
+    }
+
+    return await this._client.bulkCreate(objects, options);
+  }
+
+  async delete(type, id) {
+    await this._performAuthorizationCheck(type, 'delete');
+
+    return await this._client.delete(type, id);
+  }
+
+  async find(options = {}) {
+    // TODO(legrego) - need to constrain which types users can search for...
+    await this._performAuthorizationCheck(null, 'search', null, options);
+
+    return await this._client.find(options);
+  }
+
+  async bulkGet(objects = []) {
+    for (const object of objects) {
+      await this._performAuthorizationCheck(object.type, 'mget', object.attributes);
+    }
+
+    return await this._client.bulkGet(objects);
+  }
+
+  async get(type, id) {
+    await this._performAuthorizationCheck(type, 'get');
+
+    return await this._client.get(type, id);
+  }
+
+  async update(type, id, attributes, options = {}) {
+    await this._performAuthorizationCheck(type, attributes, options);
+
+    return await this._client.update(type, id, attributes, options);
+  }
+
+  async _performAuthorizationCheck(type, action, attributes = {}, options = {}) { // eslint-disable-line no-unused-vars
+    return;
+    // TODO(legrego) use ES Custom Privilege API once implemented.
+    const kibanaAction = `saved-objects/${type}/${action}`;
+
+    const privilegeCheck = await this._callCluster(this._request, 'shield.hasPrivileges', {
+      body: {
+        applications: [{
+          application: this._application,
+          resources: ['default'],
+          privileges: [kibanaAction]
+        }]
+      }
+    });
+
+    if (!privilegeCheck.has_all_requested) {
+      throw Boom.unauthorized(`User ${privilegeCheck.username} is not authorized to ${action} objects of type ${type}`);
+    }
+  }
+}
diff --git a/x-pack/plugins/security/server/lib/validate_config.js b/x-pack/plugins/security/server/lib/validate_config.js
index af62d81e344ff7..0b9061389a92c1 100644
--- a/x-pack/plugins/security/server/lib/validate_config.js
+++ b/x-pack/plugins/security/server/lib/validate_config.js
@@ -6,6 +6,11 @@
 
 const crypto = require('crypto');
 
+const isDefault = (config, key) => {
+  console.log(config.getDefault(key), config.get(key));
+  return config.getDefault(key) === config.get(key);
+};
+
 export function validateConfig(config, log) {
   if (config.get('xpack.security.encryptionKey') == null) {
     log('Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on ' +
@@ -27,4 +32,8 @@ export function validateConfig(config, log) {
   } else {
     config.set('xpack.security.secureCookies', true);
   }
-}
\ No newline at end of file
+
+  if (!isDefault(config, 'kibana.index') && isDefault(config, 'xpack.security.rbac.application')) {
+    throw new Error('When setting kibana.index, xpack.security.rbac.application must be set as well.');
+  }
+}
diff --git a/x-pack/plugins/security/server/routes/api/v1/privileges.js b/x-pack/plugins/security/server/routes/api/v1/privileges.js
new file mode 100644
index 00000000000000..7d3ac9ead2e4e5
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/v1/privileges.js
@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+
+import { getClient } from '../../../../../../server/lib/get_client_shield';
+import { buildPrivilegeMap } from '../../../lib/privileges/privileges';
+
+export function initPrivilegesApi(server) {
+  const callWithInternalUser = getClient(server).callWithInternalUser; // eslint-disable-line no-unused-vars
+
+  const config = server.config();
+  const kibanaVersion = config.get('pkg.version');
+  const application = config.get('xpack.security.rbac.application');
+
+  server.route({
+    method: 'GET',
+    path: '/api/security/v1/privileges',
+    handler(request, reply) {
+
+      reply(buildPrivilegeMap(application, kibanaVersion));
+    }
+  });
+}
diff --git a/x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.js b/x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.js
new file mode 100644
index 00000000000000..43a4e57f9d1a46
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.js
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+export function containsOtherApplications(role, ourApplication) {
+  if (!role.applications || role.applications.length === 0) {
+    return false;
+  }
+
+  return role.applications.some(x => x.application !== ourApplication);
+}
diff --git a/x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.test.js b/x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.test.js
new file mode 100644
index 00000000000000..e7ea134fad5b97
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.test.js
@@ -0,0 +1,66 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+
+import { containsOtherApplications } from "./contains_other_applications";
+
+test(`returns true for roles that grant privileges to other Kibanas`, () => {
+  const roles = [
+    {
+      _expectedResult: false,
+      cluster: [],
+      indices: [
+        {
+          names: ['logstash-*'],
+          privileges: ['read']
+        }
+      ],
+      run_as: [],
+      metadata: {
+        _reserved: true
+      },
+      transient_metadata: {
+        enabled: true
+      },
+      name: 'logstash_reader'
+    },
+    {
+      _expectedResult: false,
+      cluster: [],
+      indices: [],
+      applications: [
+        { application: 'kibana', privileges: ['read'], resources: ['*'] }
+      ],
+      run_as: [],
+      metadata: {},
+      transient_metadata: {
+        enabled: true
+      },
+      name: 'kibana_user'
+    },
+    {
+      _expectedResult: true,
+      cluster: [],
+      indices: [],
+      applications: [
+        { application: 'other-kibana', privileges: ['read'], resources: ['*'] }
+      ],
+      run_as: [],
+      metadata: {},
+      transient_metadata: {
+        enabled: true
+      },
+      name: 'kibana_user'
+    }
+  ];
+
+  roles.forEach(role => {
+    const result = containsOtherApplications(role, 'kibana');
+    expect(result).toEqual(role._expectedResult);
+  });
+});
diff --git a/x-pack/plugins/security/server/routes/api/v1/roles.js b/x-pack/plugins/security/server/routes/api/v1/roles/index.js
similarity index 69%
rename from x-pack/plugins/security/server/routes/api/v1/roles.js
rename to x-pack/plugins/security/server/routes/api/v1/roles/index.js
index 331d85bb58c50d..d965f561510d70 100644
--- a/x-pack/plugins/security/server/routes/api/v1/roles.js
+++ b/x-pack/plugins/security/server/routes/api/v1/roles/index.js
@@ -6,10 +6,11 @@
 
 import _ from 'lodash';
 import Boom from 'boom';
-import { getClient } from '../../../../../../server/lib/get_client_shield';
-import { roleSchema } from '../../../lib/role_schema';
-import { wrapError } from '../../../lib/errors';
-import { routePreCheckLicense } from '../../../lib/route_pre_check_license';
+import { getClient } from '../../../../../../../server/lib/get_client_shield';
+import { roleSchema } from '../../../../lib/role_schema';
+import { wrapError } from '../../../../lib/errors';
+import { routePreCheckLicense } from '../../../../lib/route_pre_check_license';
+import { containsOtherApplications } from './contains_other_applications';
 
 export function initRolesApi(server) {
   const callWithRequest = getClient(server).callWithRequest;
@@ -19,9 +20,18 @@ export function initRolesApi(server) {
     method: 'GET',
     path: '/api/security/v1/roles',
     handler(request, reply) {
+      const config = server.config();
+
       return callWithRequest(request, 'shield.getRole').then(
         (response) => {
-          const roles = _.map(response, (role, name) => _.assign(role, { name }));
+          const application = config.get('xpack.security.rbac.application');
+
+          const roles = _.map(response, (role, name) => {
+            const hasUnsupportedCustomPrivileges = containsOtherApplications(role, application);
+
+            return _.assign(role, { name, hasUnsupportedCustomPrivileges });
+          });
+
           return reply(roles);
         },
         _.flow(wrapError, reply)
@@ -54,7 +64,9 @@ export function initRolesApi(server) {
     path: '/api/security/v1/roles/{name}',
     handler(request, reply) {
       const name = request.params.name;
-      const body = _.omit(request.payload, 'name');
+      // TODO(legrego) - temporarily remove applications from role until ES API is implemented
+      const body = _.omit(request.payload, ['name', 'applications', 'hasUnsupportedCustomPrivileges']);
+
       return callWithRequest(request, 'shield.putRole', { name, body }).then(
         () => reply(request.payload),
         _.flow(wrapError, reply));
diff --git a/x-pack/server/lib/esjs_shield_plugin.js b/x-pack/server/lib/esjs_shield_plugin.js
index f4e5cf17329293..016ade902029c5 100644
--- a/x-pack/server/lib/esjs_shield_plugin.js
+++ b/x-pack/server/lib/esjs_shield_plugin.js
@@ -361,5 +361,36 @@
         fmt: '/_xpack/security/oauth2/token'
       }
     });
+
+    shield.getPrivilege = ca({
+      method: 'GET',
+      urls: [{
+        fmt: '/_xpack/security/privilege/<%=privilege%>',
+        req: {
+          privilege: {
+            type: 'string',
+            required: false
+          }
+        }
+      }, {
+        fmt: '/_xpack/security/privilege'
+      }]
+    });
+
+    shield.postPrivileges = ca({
+      method: 'POST',
+      needBody: true,
+      url: {
+        fmt: '/_xpack/security/privilege'
+      }
+    });
+
+    shield.hasPrivileges = ca({
+      method: 'POST',
+      needBody: true,
+      url: {
+        fmt: '/_xpack/security/user/_has_privileges'
+      }
+    });
   };
 }));

From cfa9af318d89790476f21f60326d0abd48e46584 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Wed, 25 Apr 2018 10:55:04 -0400
Subject: [PATCH 010/183] move spaces plugin to kibana

---
 x-pack/index.js                               |   4 +-
 x-pack/plugins/spaces/common/mock_spaces.js   |  22 +++
 x-pack/plugins/spaces/index.js                |  55 ++++++
 x-pack/plugins/spaces/public/images/demo.png  | Bin 0 -> 3748 bytes
 .../plugins/spaces/public/register_feature.js |  21 +++
 .../views/management/components/index.js      |   8 +
 .../components/manage_space_page.js           | 165 ++++++++++++++++++
 .../management/components/spaces_grid_page.js | 141 +++++++++++++++
 .../spaces/public/views/management/index.js   |  44 +++++
 .../views/management/manage_spaces.less       |   3 +
 .../public/views/management/page_routes.js    |  61 +++++++
 .../public/views/management/template.html     |   1 +
 .../spaces/public/views/nav_control/index.js  |   7 +
 .../public/views/nav_control/nav_control.html |   8 +
 .../public/views/nav_control/nav_control.js   |  22 +++
 .../public/views/space_selector/index.js      |  37 ++++
 .../views/space_selector/space_selector.html  |   3 +
 .../views/space_selector/space_selector.js    |  67 +++++++
 .../views/space_selector/space_selector.less  |  33 ++++
 .../spaces/server/lib/check_license.js        |  36 ++++
 x-pack/plugins/spaces/server/lib/errors.js    |  11 ++
 .../server/lib/route_pre_check_license.js     |  20 +++
 .../plugins/spaces/server/lib/space_schema.js |  14 ++
 .../spaces/server/lib/validate_config.js      |  10 ++
 .../spaces/server/routes/api/v1/spaces.js     |  68 ++++++++
 25 files changed, 860 insertions(+), 1 deletion(-)
 create mode 100644 x-pack/plugins/spaces/common/mock_spaces.js
 create mode 100644 x-pack/plugins/spaces/index.js
 create mode 100644 x-pack/plugins/spaces/public/images/demo.png
 create mode 100644 x-pack/plugins/spaces/public/register_feature.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/index.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/index.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/manage_spaces.less
 create mode 100644 x-pack/plugins/spaces/public/views/management/page_routes.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/template.html
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/index.js
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/nav_control.html
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/nav_control.js
 create mode 100644 x-pack/plugins/spaces/public/views/space_selector/index.js
 create mode 100644 x-pack/plugins/spaces/public/views/space_selector/space_selector.html
 create mode 100644 x-pack/plugins/spaces/public/views/space_selector/space_selector.js
 create mode 100644 x-pack/plugins/spaces/public/views/space_selector/space_selector.less
 create mode 100644 x-pack/plugins/spaces/server/lib/check_license.js
 create mode 100644 x-pack/plugins/spaces/server/lib/errors.js
 create mode 100644 x-pack/plugins/spaces/server/lib/route_pre_check_license.js
 create mode 100644 x-pack/plugins/spaces/server/lib/space_schema.js
 create mode 100644 x-pack/plugins/spaces/server/lib/validate_config.js
 create mode 100644 x-pack/plugins/spaces/server/routes/api/v1/spaces.js

diff --git a/x-pack/index.js b/x-pack/index.js
index ba26c8fcf41610..0190eeb87b0645 100644
--- a/x-pack/index.js
+++ b/x-pack/index.js
@@ -21,6 +21,7 @@ import { licenseManagement } from './plugins/license_management';
 import { cloud } from './plugins/cloud';
 import { indexManagement } from './plugins/index_management';
 import { consoleExtensions } from './plugins/console_extensions';
+import { spaces } from './plugins/spaces';
 
 module.exports = function (kibana) {
   return [
@@ -40,6 +41,7 @@ module.exports = function (kibana) {
     licenseManagement(kibana),
     cloud(kibana),
     indexManagement(kibana),
-    consoleExtensions(kibana)
+    consoleExtensions(kibana),
+    spaces(kibana)
   ];
 };
diff --git a/x-pack/plugins/spaces/common/mock_spaces.js b/x-pack/plugins/spaces/common/mock_spaces.js
new file mode 100644
index 00000000000000..a11d4d251a4157
--- /dev/null
+++ b/x-pack/plugins/spaces/common/mock_spaces.js
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const mockSpaces = [{
+  id: 'engineering',
+  name: 'Engineering',
+  description: 'This is the Engineering Space',
+  logo: 'logoKubernetes'
+}, {
+  id: 'sales',
+  name: 'Sales',
+  description: 'This is the Sales Space',
+  logo: 'logoElastic'
+}, {
+  id: 'support',
+  name: 'Support',
+  description: 'This is the Support Space',
+  logo: 'logoElasticStack'
+}];
diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
new file mode 100644
index 00000000000000..e445768119d0b3
--- /dev/null
+++ b/x-pack/plugins/spaces/index.js
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { resolve } from 'path';
+import { validateConfig } from './server/lib/validate_config';
+import { checkLicense } from './server/lib/check_license';
+import { initSpacesApi } from './server/routes/api/v1/spaces';
+import { mirrorPluginStatus } from '../../server/lib/mirror_plugin_status';
+
+export const spaces = (kibana) => new kibana.Plugin({
+  id: 'spaces',
+  configPrefix: 'xpack.spaces',
+  publicDir: resolve(__dirname, 'public'),
+  require: ['kibana', 'elasticsearch', 'xpack_main'],
+
+  config(Joi) {
+    return Joi.object({
+      enabled: Joi.boolean().default(true),
+    }).default();
+  },
+
+  uiExports: {
+    chromeNavControls: ['plugins/spaces/views/nav_control'],
+    managementSections: ['plugins/spaces/views/management'],
+    apps: [{
+      id: 'space_selector',
+      title: 'Spaces',
+      main: 'plugins/spaces/views/space_selector',
+      hidden: true,
+    }],
+    hacks: [],
+    home: ['plugins/spaces/register_feature'],
+    injectDefaultVars: function () {
+      return { };
+    }
+  },
+
+  async init(server) {
+    const thisPlugin = this;
+    const xpackMainPlugin = server.plugins.xpack_main;
+    mirrorPluginStatus(xpackMainPlugin, thisPlugin);
+
+    // Register a function that is called whenever the xpack info changes,
+    // to re-compute the license check results for this plugin
+    xpackMainPlugin.info.feature(thisPlugin.id).registerLicenseCheckResultsGenerator(checkLicense);
+
+    const config = server.config();
+    validateConfig(config, message => server.log(['spaces', 'warning'], message));
+
+    initSpacesApi(server);
+  }
+});
diff --git a/x-pack/plugins/spaces/public/images/demo.png b/x-pack/plugins/spaces/public/images/demo.png
new file mode 100644
index 0000000000000000000000000000000000000000..700526918d4e76dfadc05ed21bc7db19cbe16e54
GIT binary patch
literal 3748
zcmeAS@N?(olHy`uVBq!ia0y~yU<?IfFAg@K$l9JW2|$XmILO_JVcj{Imq2!8W=KRy
zgs+cPa(=E}VoH8es$NBI0Z<hKgH44MkeQoWlBiITo0C^;Rbi_HR$&EXgM{^!6u?SK
zvTc<jd;=7m^NUgyO!Z9k43zA+6ciL}ic-?7f?V97+JQV<rHqo20xNy}^73-Ma$~*x
zqI7*jOG`_A10#JSBVC{h-Qvo;lEez#ykcdDAuw}XQj3#|G7CyF^Yauy<|ZcPmzLNn
zDS<441Bg3IGSd(?<rPD{1@xdkNJigK&p;n;Hc+b#NYu)|C^HpkGst{9LmRM46fvkh
zHu@mTksJf@DOeQfRXZ*leR#0harqolk7Qur`RVE67*fIb_V(T0SXY78i`5gE3pMy!
zFL0zf6{<D=n5dKet#(Fl%$&<xD~wXjYpbUIRPp{$@uQo8k%@&vK*6B_lX2j`!iSo|
z=fAsm8iEx45%_W8g1&v-yXW$I?MuF<3)X-4dhoNt?%v<B%A>}1_5c2^-`V=7>Ic8=
z-`}V1*Zn=32Q>A79An_!&Dr{@4haqpA?y=k9Y=*mLt->d5S0}koIW7CPQf7|=7DA1
zV($Nf0-^hbIdsH+{5yX8(e?k^m)HOO8~um<$K(1GLluVx2X%#2b7uzwb8`pNBB@9o
zP634roE=%upNRl-@1lkkZeq^BTwKDm=+;h4*9L}04TV(`k4^w)`?(D(%JTdK6&w_}
ze)RuW?tYlgI`1F*yz`TOer@OKc(t&5Zr!!tUs~tyc)$K$ef{qvjjH><yxy+LFI%_F
z{vUty?mmXb&8#k8-~6qTWn?<cw8)C*ofQ+yIWd8&o4>y<W#QoA?s#Re<28qXMYKc6
z`FrcH3o01sD6BgCV4bqVgB->{+v@#s?hOYvG_2qoH4I;veRz7c_WbeBSN&%S|4?{P
zewtmVc`1|r;$IcfT90l%=d7`Q?-^GT%UJ(s|GT^zNk%4f5rM1HdS}&z6$)Y*1NV*!
zA_qw0^KSp@`aOGpNG3Ct3;!tF&i`$%xe%y|GyhdF-)n(b#d?1$4+ZX;6)*SiKO_Ht
z^K?yMKGI?gTzf-C37Fe}$@@)`7cd`rIfQ7NwFB$W39K%ryJrX~I4lqnxY~7A5t!Rj
z7z5AhEdyrB6)Y}WlZrclxh>KmWOMhZQKMlsnixhi&S=Sir4*f4`KO}Z&|D4JCux*t
qS}*nMarh5GP!9yNo3cmbhw$9v!qZA*?gD$73=E#GelF{r5}E)nodm`J

literal 0
HcmV?d00001

diff --git a/x-pack/plugins/spaces/public/register_feature.js b/x-pack/plugins/spaces/public/register_feature.js
new file mode 100644
index 00000000000000..b386ffbf829102
--- /dev/null
+++ b/x-pack/plugins/spaces/public/register_feature.js
@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+
+
+import { FeatureCatalogueRegistryProvider, FeatureCatalogueCategory } from 'ui/registry/feature_catalogue';
+
+FeatureCatalogueRegistryProvider.register(() => {
+  return {
+    id: 'spaces',
+    title: 'Spaces',
+    description: 'You know, for space.',
+    icon: '/plugins/kibana/assets/app_security.svg',
+    path: '/app/kibana#/management/spaces/list',
+    showOnHomePage: true,
+    category: FeatureCatalogueCategory.ADMIN
+  };
+});
diff --git a/x-pack/plugins/spaces/public/views/management/components/index.js b/x-pack/plugins/spaces/public/views/management/components/index.js
new file mode 100644
index 00000000000000..5da70aad9e8e58
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/index.js
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { SpacesGridPage } from './spaces_grid_page';
+export { ManageSpacePage } from './manage_space_page';
diff --git a/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
new file mode 100644
index 00000000000000..00d3d5a58ccf8b
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
@@ -0,0 +1,165 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import PropTypes from 'prop-types';
+import {
+  EuiText,
+  EuiSpacer,
+  EuiPageContent,
+  EuiForm,
+  EuiFormRow,
+  EuiFieldText,
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiButton,
+} from '@elastic/eui';
+
+import { Notifier, toastNotifications } from 'ui/notify';
+
+export class ManageSpacePage extends React.Component {
+  state = {
+    space: {},
+    error: null
+  }
+
+  componentDidMount() {
+    this.notifier = new Notifier({ location: 'Spaces' });
+
+    const {
+      space,
+      httpAgent,
+      chrome
+    } = this.props;
+
+    if (space) {
+      httpAgent
+        .get(chrome.addBasePath(`/api/spaces/v1/spaces/${space}`))
+        .then(result => {
+          if (result.data) {
+            this.setState({
+              space: result.data
+            });
+          }
+        })
+        .catch(error => {
+          this.setState({
+            error
+          });
+        });
+    }
+  }
+
+  render() {
+    const {
+      name = '',
+      description = ''
+    } = this.state.space;
+
+    return (
+      <EuiPageContent>
+        <EuiForm>
+          <EuiText><h1>{this.getTitle()}</h1></EuiText>
+          <EuiSpacer />
+          <EuiFormRow
+            label="Name"
+            helpText="Name your space"
+          >
+            <EuiFieldText
+              name="name"
+              placeholder={'Awesome space'}
+              value={name}
+              onChange={this.onNameChange}
+            />
+          </EuiFormRow>
+          <EuiFormRow
+            label="Description"
+            helpText="Describe your space"
+          >
+            <EuiFieldText
+              name="description"
+              placeholder={'This is where the magic happens'}
+              value={description}
+              onChange={this.onDescriptionChange}
+            />
+          </EuiFormRow>
+
+          <EuiFlexGroup>
+            <EuiFlexItem grow={false}>
+              <EuiButton fill onClick={this.saveSpace}>Save</EuiButton>
+            </EuiFlexItem>
+            <EuiFlexItem grow={false}>
+              <EuiButton onClick={this.backToSpacesList}>
+                Cancel
+              </EuiButton>
+            </EuiFlexItem>
+          </EuiFlexGroup>
+
+          {this.getActionButtons}
+        </EuiForm>
+      </EuiPageContent>
+    );
+  }
+
+  getTitle = () => {
+    const isEditing = !!this.props.space;
+    if (isEditing) {
+      return `Edit space`;
+    }
+    return `Create a space`;
+  }
+
+  onNameChange = (e) => {
+    this.setState({
+      space: {
+        ...this.state.space,
+        name: e.target.value
+      }
+    });
+  }
+
+  onDescriptionChange = (e) => {
+    this.setState({
+      space: {
+        ...this.state.space,
+        description: e.target.value
+      }
+    });
+  }
+
+  saveSpace = () => {
+    const {
+      name = '',
+      id = name.toLowerCase(),
+      description
+    } = this.state.space;
+
+    const { httpAgent, chrome } = this.props;
+
+    if (name && description) {
+      console.log(this.state.space);
+      httpAgent
+        .post(chrome.addBasePath(`/api/spaces/v1/spaces/${encodeURIComponent(id)}`), { id, name, description })
+        .then(result => {
+          toastNotifications.addSuccess(`Saved '${result.data.id}'`);
+          window.location.hash = `#/management/spaces/list`;
+        })
+        .catch(error => {
+          toastNotifications.addError(error);
+        });
+    }
+  }
+
+  backToSpacesList = () => {
+    window.location.hash = `#/management/spaces/list`;
+  }
+}
+
+ManageSpacePage.propTypes = {
+  space: PropTypes.string,
+  httpAgent: PropTypes.func.isRequired,
+  chrome: PropTypes.object
+};
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js b/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js
new file mode 100644
index 00000000000000..108f28c6e207d4
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js
@@ -0,0 +1,141 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import PropTypes from 'prop-types';
+
+import {
+  EuiPageContent,
+  EuiBasicTable,
+  EuiSearchBar,
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiText,
+  EuiButton,
+  EuiSpacer,
+  EuiLink,
+} from '@elastic/eui';
+
+
+
+const pagination = {
+  pageIndex: 0,
+  pageSize: 10,
+  totalItemCount: 10000,
+  pageSizeOptions: [10, 25, 50]
+};
+
+export class SpacesGridPage extends React.Component {
+  state = {
+    selectedSpaces: [],
+    spaces: []
+  }
+
+  componentDidMount() {
+    const {
+      httpAgent,
+      chrome
+    } = this.props;
+
+    httpAgent
+      .get(chrome.addBasePath(`/api/spaces/v1/spaces`))
+      .then(response => {
+        this.setState({
+          spaces: response.data
+        });
+      })
+      .catch(error => {
+        this.setState({
+          error
+        });
+      });
+  }
+
+  render() {
+    const {
+      spaces
+    } = this.state;
+
+    return (
+      <EuiPageContent>
+        <EuiFlexGroup justifyContent={'spaceBetween'}>
+          <EuiFlexItem grow={false}>
+            <EuiText><h1>Spaces</h1></EuiText>
+          </EuiFlexItem>
+          <EuiFlexItem grow={false}>{this.getPrimaryActionButton()}</EuiFlexItem>
+        </EuiFlexGroup>
+        <EuiSpacer size={'xl'} />
+        <EuiSearchBar
+          box={{
+            placeholder: 'Search for a space...',
+          }}
+          onChange={() => {}}
+        />
+        <EuiSpacer size={'xl'} />
+        <EuiBasicTable
+          items={spaces}
+          columns={this.getColumnConfig()}
+          selection={this.getSelectionConfig()}
+          pagination={pagination}
+          onChange={() => {}}
+        />
+      </EuiPageContent>
+    );
+  }
+
+  getPrimaryActionButton() {
+    if (this.state.selectedSpaces.length > 0) {
+      const count = this.state.selectedSpaces.length;
+      return (
+        <EuiButton fill color={'danger'}>
+          {`Delete ${count > 1 ? `${count} spaces` : 'space'}`}
+        </EuiButton>
+      );
+    }
+
+    return (
+      <EuiButton fill onClick={() => { window.location.hash = `#/management/spaces/create`; }}>Create new space</EuiButton>
+    );
+  }
+
+  getColumnConfig() {
+    const columns = [{
+      field: 'name',
+      name: 'Space',
+      sortable: true,
+      render: (value, record) => {
+        return (
+          <EuiLink onClick={() => { window.location.hash = `#/management/spaces/edit/${encodeURIComponent(record.id)}`; }}>
+            {value}
+          </EuiLink>
+        );
+      }
+    }, {
+      field: 'description',
+      name: 'Description',
+      sortable: true
+    }];
+
+    return columns;
+  }
+
+  getSelectionConfig() {
+    return {
+      itemId: 'id',
+      selectable: (space) => space.id,
+      onSelectionChange: this.onSelectionChange
+    };
+  }
+
+  onSelectionChange = (selectedSpaces) => {
+    this.setState({ selectedSpaces });
+  }
+}
+
+SpacesGridPage.propTypes = {
+  chrome: PropTypes.object.isRequired,
+  httpAgent: PropTypes.func.isRequired
+};
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/management/index.js b/x-pack/plugins/spaces/public/views/management/index.js
new file mode 100644
index 00000000000000..2f711925fb4439
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/index.js
@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import 'plugins/spaces/views/management/page_routes';
+import routes from 'ui/routes';
+
+import { management } from 'ui/management';
+
+routes.defaults(/\/management/, {
+  resolve: {
+    spacesManagementSection: function () {
+
+      function deregisterSpaces() {
+        management.deregister('spaces');
+      }
+
+      function ensureSpagesRegistered() {
+        const registerSpaces = () => management.register('spaces', {
+          display: 'Spaces',
+          order: 10
+        });
+        const getSpaces = () => management.getSection('spaces');
+
+        const spaces = (management.hasItem('spaces')) ? getSpaces() : registerSpaces();
+
+        if (!spaces.hasItem('manage_spaces')) {
+          spaces.register('manage_spaces', {
+            name: 'spacesManagementLink',
+            order: 10,
+            display: 'Spaces Management',
+            url: `#/management/spaces/list`,
+          });
+        }
+      }
+
+      deregisterSpaces();
+
+      ensureSpagesRegistered();
+    }
+  }
+});
diff --git a/x-pack/plugins/spaces/public/views/management/manage_spaces.less b/x-pack/plugins/spaces/public/views/management/manage_spaces.less
new file mode 100644
index 00000000000000..67fc3da7f81714
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/manage_spaces.less
@@ -0,0 +1,3 @@
+.application, .euiPanel {
+  background: #f5f5f5
+}
diff --git a/x-pack/plugins/spaces/public/views/management/page_routes.js b/x-pack/plugins/spaces/public/views/management/page_routes.js
new file mode 100644
index 00000000000000..4e8f5e53c19f43
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/page_routes.js
@@ -0,0 +1,61 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import 'ui/autoload/styles';
+import 'plugins/spaces/views/management/manage_spaces.less';
+import template from 'plugins/spaces/views/management/template.html';
+
+import React from 'react';
+import { render, unmountComponentAtNode } from 'react-dom';
+import { SpacesGridPage, ManageSpacePage } from './components';
+
+import routes from 'ui/routes';
+
+const reactRootNodeId = 'manageSpacesReactRoot';
+
+routes.when('/management/spaces/list', {
+  template,
+  controller: function ($scope, $http, chrome) {
+    const domNode = document.getElementById(reactRootNodeId);
+
+    render(<SpacesGridPage httpAgent={$http} chrome={chrome} />, domNode);
+
+    // unmount react on controller destroy
+    $scope.$on('$destroy', () => {
+      unmountComponentAtNode(domNode);
+    });
+  }
+});
+
+routes.when('/management/spaces/create', {
+  template,
+  controller: function ($scope,  $http, chrome) {
+    const domNode = document.getElementById(reactRootNodeId);
+
+    render(<ManageSpacePage httpAgent={$http} chrome={chrome} />, domNode);
+
+    // unmount react on controller destroy
+    $scope.$on('$destroy', () => {
+      unmountComponentAtNode(domNode);
+    });
+  }
+});
+
+routes.when('/management/spaces/edit/:space', {
+  template,
+  controller: function ($scope, $http, $route, chrome) {
+    const domNode = document.getElementById(reactRootNodeId);
+
+    const { space } = $route.current.params;
+
+    render(<ManageSpacePage httpAgent={$http} space={space} chrome={chrome} />, domNode);
+
+    // unmount react on controller destroy
+    $scope.$on('$destroy', () => {
+      unmountComponentAtNode(domNode);
+    });
+  }
+});
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/management/template.html b/x-pack/plugins/spaces/public/views/management/template.html
new file mode 100644
index 00000000000000..8da58b1e3a5471
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/template.html
@@ -0,0 +1 @@
+<div id="manageSpacesReactRoot" />
diff --git a/x-pack/plugins/spaces/public/views/nav_control/index.js b/x-pack/plugins/spaces/public/views/nav_control/index.js
new file mode 100644
index 00000000000000..475360ac74a3b2
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/index.js
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import './nav_control';
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.html b/x-pack/plugins/spaces/public/views/nav_control/nav_control.html
new file mode 100644
index 00000000000000..5baf3e7785798f
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.html
@@ -0,0 +1,8 @@
+<div ng-controller="spacesNavController">
+  <global-nav-link
+    kbn-route="route"
+    icon="'plugins/spaces/images/demo.png'"
+    tooltip-content="'Clicking this should do something'"
+    label="'Engineering Space'"
+  ></global-nav-link>
+</div>
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
new file mode 100644
index 00000000000000..c479488247b790
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { constant } from 'lodash';
+import { chromeNavControlsRegistry } from 'ui/registry/chrome_nav_controls';
+import { uiModules } from 'ui/modules';
+import template from 'plugins/spaces/views/nav_control/nav_control.html';
+
+chromeNavControlsRegistry.register(constant({
+  name: 'spaces',
+  order: 90,
+  template
+}));
+
+const module = uiModules.get('spaces', ['kibana']);
+
+module.controller('spacesNavController', () => {
+
+});
diff --git a/x-pack/plugins/spaces/public/views/space_selector/index.js b/x-pack/plugins/spaces/public/views/space_selector/index.js
new file mode 100644
index 00000000000000..a18a1ccdaed7fb
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/space_selector/index.js
@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import 'ui/autoload/styles';
+import chrome from 'ui/chrome';
+import 'plugins/spaces/views/space_selector/space_selector.less';
+import template from 'plugins/spaces/views/space_selector/space_selector.html';
+
+import React from 'react';
+import ReactDOM from 'react-dom';
+import { SpaceSelector } from './space_selector';
+import { mockSpaces } from '../../../common/mock_spaces';
+
+
+chrome
+  .setVisible(false)
+  .setRootTemplate(template);
+
+// hack to wait for angular template to be ready
+const waitForAngularReady = new Promise(resolve => {
+  const checkInterval = setInterval(() => {
+    const hasElm = !!document.querySelector('#spaceSelectorRoot');
+    if (hasElm) {
+      clearInterval(checkInterval);
+      resolve();
+    }
+  }, 10);
+});
+
+waitForAngularReady.then(() => {
+  ReactDOM.render(<SpaceSelector spaces={mockSpaces} />, document.getElementById('spaceSelectorRoot'));
+});
+
+
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.html b/x-pack/plugins/spaces/public/views/space_selector/space_selector.html
new file mode 100644
index 00000000000000..1c18634fd4419a
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.html
@@ -0,0 +1,3 @@
+<div>
+  <div id="spaceSelectorRoot" />
+</div>
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
new file mode 100644
index 00000000000000..48c42bf89b3851
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
@@ -0,0 +1,67 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import {
+  EuiPage,
+  EuiPageHeader,
+  EuiPageBody,
+  EuiPageContent,
+  EuiPageHeaderSection,
+  EuiCard,
+  EuiIcon,
+  EuiText,
+  EuiFlexGroup,
+  EuiFlexItem,
+} from '@elastic/eui';
+
+export const SpaceSelector = (props) => (
+  <EuiPage>
+    <EuiPageHeader>
+      <EuiPageHeaderSection className="logoHeader">
+        <EuiIcon size="xxl" type={`logoKibana`} />
+      </EuiPageHeaderSection>
+    </EuiPageHeader>
+    <EuiPageBody>
+      <EuiPageContent>
+        <EuiText className="spaceWelcomeText">
+          <p className="welcomeLarge">Welcome to Kibana.</p>
+          <p className="welcomeMedium">Select a space to begin.</p>
+        </EuiText>
+
+        <EuiFlexGroup gutterSize="l" justifyContent="spaceEvenly" className="spacesGroup">
+          {props.spaces.map(renderSpace)}
+        </EuiFlexGroup>
+
+        <EuiText className="spaceProfileText">
+          <p>You can change your workspace at anytime by accessing your profile within Kibana.</p>
+        </EuiText>
+      </EuiPageContent>
+    </EuiPageBody>
+  </EuiPage>
+);
+
+function renderSpace(space) {
+  return (
+    <EuiFlexItem key={space.id} grow={false} className="spaceCard">
+      <EuiCard
+        icon={<EuiIcon size="xxl" type={space.logo} />}
+        title={renderSpaceTitle(space)}
+        description={space.description}
+        onClick={() => window.alert('Card clicked')}
+      />
+    </EuiFlexItem>
+  );
+}
+
+function renderSpaceTitle(space) {
+  return (
+    <div className="spaceCardTitle">
+      <span>{space.name}</span>
+      {/* <EuiIcon type={'starEmpty'} size="s" /> */}
+    </div>
+  );
+}
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.less b/x-pack/plugins/spaces/public/views/space_selector/space_selector.less
new file mode 100644
index 00000000000000..85c93682fde6f5
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.less
@@ -0,0 +1,33 @@
+.application, .euiPanel {
+  background: #f5f5f5
+}
+
+.logoHeader {
+  width: 100%;
+  text-align: center;
+}
+
+.spaceWelcomeText, .spaceProfileText {
+  text-align: center;
+}
+
+.spacesGroup {
+  margin: 30px 0 50px 0;
+}
+
+.spaceCard {
+  width: 225px;
+}
+
+.spaceCardTitle .euiIcon {
+  float: right;
+}
+
+.euiText .welcomeLarge {
+  font-size: 2em;
+  margin-bottom: 5px;
+}
+
+.welcomeMedium {
+  font-size: 1.4em;
+}
diff --git a/x-pack/plugins/spaces/server/lib/check_license.js b/x-pack/plugins/spaces/server/lib/check_license.js
new file mode 100644
index 00000000000000..f88e8f8221f000
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/check_license.js
@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/**
+ * @typedef {Object} LicenseCheckResult Result of the license check.
+ * @property {boolean} showSpaces Indicates whether spaces should be enabled
+ */
+
+/**
+ * Returns object that defines behavior of the spaces related features based
+ * on the license information extracted from the xPackInfo.
+ * @param {XPackInfo} xPackInfo XPackInfo instance to extract license information from.
+ * @returns {LicenseCheckResult}
+ */
+export function checkLicense(xPackInfo) {
+  if (!xPackInfo.isAvailable()) {
+    return {
+      showSpaces: false
+    };
+  }
+
+  const isAnyXpackLicense = xPackInfo.license.isOneOf(['basic', 'platinum', 'trial']);
+
+  if (!isAnyXpackLicense) {
+    return {
+      showSpaces: false
+    };
+  }
+
+  return {
+    showSpaces: true
+  };
+}
diff --git a/x-pack/plugins/spaces/server/lib/errors.js b/x-pack/plugins/spaces/server/lib/errors.js
new file mode 100644
index 00000000000000..6996faeaac8de6
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/errors.js
@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { wrap as wrapBoom } from 'boom';
+
+export function wrapError(error) {
+  return wrapBoom(error, error.status);
+}
diff --git a/x-pack/plugins/spaces/server/lib/route_pre_check_license.js b/x-pack/plugins/spaces/server/lib/route_pre_check_license.js
new file mode 100644
index 00000000000000..891e9fc4125a9b
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/route_pre_check_license.js
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+const Boom = require('boom');
+
+export function routePreCheckLicense(server) {
+  const xpackMainPlugin = server.plugins.xpack_main;
+  const pluginId = 'spaces';
+  return function forbidApiAccess(request, reply) {
+    const licenseCheckResults = xpackMainPlugin.info.feature(pluginId).getLicenseCheckResults();
+    if (!licenseCheckResults.showSpaces) {
+      reply(Boom.forbidden(licenseCheckResults.linksMessage));
+    } else {
+      reply();
+    }
+  };
+}
diff --git a/x-pack/plugins/spaces/server/lib/space_schema.js b/x-pack/plugins/spaces/server/lib/space_schema.js
new file mode 100644
index 00000000000000..4ed8d965fe0400
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/space_schema.js
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Joi from 'joi';
+
+export const spaceSchema = {
+  id: Joi.string(),
+  name: Joi.string().required(),
+  description: Joi.string().required(),
+  metadata: Joi.object(),
+};
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/server/lib/validate_config.js b/x-pack/plugins/spaces/server/lib/validate_config.js
new file mode 100644
index 00000000000000..44493d21fb6d47
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/validate_config.js
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+
+export function validateConfig() {
+  // TODO(legrego): implement if needed.
+}
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
new file mode 100644
index 00000000000000..223df491b15664
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
@@ -0,0 +1,68 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Boom from 'boom';
+import { getClient } from '../../../../../../server/lib/get_client_shield';
+import { routePreCheckLicense } from '../../../lib/route_pre_check_license';
+import { spaceSchema } from '../../../lib/space_schema';
+
+import { mockSpaces } from '../../../../common/mock_spaces';
+
+export function initSpacesApi(server) {
+  const callWithRequest = getClient(server).callWithRequest; // eslint-disable-line no-unused-vars
+  const routePreCheckLicenseFn = routePreCheckLicense(server);
+
+  server.route({
+    method: 'GET',
+    path: '/api/spaces/v1/spaces',
+    handler(request, reply) {
+      reply(mockSpaces);
+    },
+    config: {
+      pre: [routePreCheckLicenseFn]
+    }
+  });
+
+  server.route({
+    method: 'GET',
+    path: '/api/spaces/v1/spaces/{id}',
+    handler(request, reply) {
+      const id = request.params.id;
+      const space = mockSpaces.find(space => space.id === id);
+      reply(space || Boom.notFound());
+    },
+    config: {
+      pre: [routePreCheckLicenseFn]
+    }
+  });
+
+  server.route({
+    method: 'POST',
+    path: '/api/spaces/v1/spaces/{id}',
+    handler(request, reply) {
+      mockSpaces.push(request.payload);
+      reply(request.payload);
+    },
+    config: {
+      validate: {
+        payload: spaceSchema
+      },
+      pre: [routePreCheckLicenseFn]
+    }
+  });
+
+  server.route({
+    method: 'DELETE',
+    path: '/api/spaces/v1/spaces/{id}',
+    handler(request, reply) {
+      mockSpaces = mockSpaces.filter(space => space !== request.params.id);
+      reply().code(204);
+    },
+    config: {
+      pre: [routePreCheckLicenseFn]
+    }
+  });
+}

From d4386db51a644bc41d6e539bc1e5c6bde41edcff Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Fri, 27 Apr 2018 08:07:05 -0400
Subject: [PATCH 011/183] [Spaces WIP] Additional space management UI (#18607)

Functional space management UI
---
 x-pack/plugins/spaces/index.js                |   2 +
 x-pack/plugins/spaces/mappings.json           |  12 +
 .../components/confirm_delete_modal.js        |  50 ++++
 .../components/delete_spaces_button.js        | 107 ++++++++
 .../components/manage_space_page.js           | 228 +++++++++++++-----
 .../management/components/page_header.js      |  43 ++++
 .../management/components/spaces_grid_page.js | 186 +++++++++-----
 .../views/management/lib/spaces_data_store.js |  35 +++
 .../management/lib/spaces_data_store.test.js  |  44 ++++
 .../views/management/manage_spaces.less       |   4 +
 .../public/views/management/page_routes.js    |  25 +-
 .../public/views/space_selector/index.js      |  31 +--
 .../views/space_selector/space_selector.html  |   2 +-
 .../views/space_selector/space_selector.js    | 118 +++++----
 .../spaces/server/routes/api/v1/spaces.js     |  84 +++++--
 15 files changed, 766 insertions(+), 205 deletions(-)
 create mode 100644 x-pack/plugins/spaces/mappings.json
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/page_header.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.test.js

diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index e445768119d0b3..71bc7da340c563 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -9,6 +9,7 @@ import { validateConfig } from './server/lib/validate_config';
 import { checkLicense } from './server/lib/check_license';
 import { initSpacesApi } from './server/routes/api/v1/spaces';
 import { mirrorPluginStatus } from '../../server/lib/mirror_plugin_status';
+import mappings from './mappings.json';
 
 export const spaces = (kibana) => new kibana.Plugin({
   id: 'spaces',
@@ -32,6 +33,7 @@ export const spaces = (kibana) => new kibana.Plugin({
       hidden: true,
     }],
     hacks: [],
+    mappings,
     home: ['plugins/spaces/register_feature'],
     injectDefaultVars: function () {
       return { };
diff --git a/x-pack/plugins/spaces/mappings.json b/x-pack/plugins/spaces/mappings.json
new file mode 100644
index 00000000000000..835d2c299e0edc
--- /dev/null
+++ b/x-pack/plugins/spaces/mappings.json
@@ -0,0 +1,12 @@
+{
+  "space": {
+    "properties": {
+      "name": {
+        "type": "text"
+      },
+      "description": {
+        "type": "text"
+      }
+    }
+  }
+}
diff --git a/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.js b/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.js
new file mode 100644
index 00000000000000..587f32911a383d
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.js
@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import PropTypes from 'prop-types';
+
+import {
+  EuiOverlayMask,
+  EuiConfirmModal,
+} from '@elastic/eui';
+
+export const ConfirmDeleteModal = (props) => {
+  const {
+    spaces
+  } = props;
+
+  const buttonText = spaces.length > 1
+    ? `Delete ${spaces.length} spaces`
+    : `Delete space`;
+
+  const bodyQuestion = spaces.length > 1
+    ? `Are you sure you want to delete these ${spaces.length} spaces?`
+    : `Are you sure you want to delete this space?`;
+
+  return (
+    <EuiOverlayMask>
+      <EuiConfirmModal
+        buttonColor={'danger'}
+        cancelButtonText={'Cancel'}
+        confirmButtonText={buttonText}
+        onCancel={props.onCancel}
+        onConfirm={props.onConfirm}
+        title={`Confirm Delete`}
+        defaultFocusedButton={'cancel'}
+      >
+        <p>{bodyQuestion}</p>
+        <p>This operation cannot be undone!</p>
+      </EuiConfirmModal>
+    </EuiOverlayMask>
+  );
+};
+
+ConfirmDeleteModal.propTypes = {
+  spaces: PropTypes.array.isRequired,
+  onCancel: PropTypes.func.isRequired,
+  onConfirm: PropTypes.func.isRequired
+};
diff --git a/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js b/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js
new file mode 100644
index 00000000000000..f1b403671fa955
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js
@@ -0,0 +1,107 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component, Fragment } from 'react';
+import PropTypes from 'prop-types';
+import { ConfirmDeleteModal } from './confirm_delete_modal';
+import {
+  EuiButton
+} from '@elastic/eui';
+import { toastNotifications } from 'ui/notify';
+
+export class DeleteSpacesButton extends Component {
+  state = {
+    showConfirmModal: false
+  };
+
+  render() {
+    const numSpaces = this.props.spaces.length;
+
+    const buttonText = numSpaces > 1
+      ? `Delete ${numSpaces} spaces`
+      : `Delete space`;
+
+    return (
+      <Fragment>
+        <EuiButton color={'danger'} onClick={this.onDeleteClick}>
+          {buttonText}
+        </EuiButton>
+        {this.getConfirmDeleteModal()}
+      </Fragment>
+    );
+  }
+
+  onDeleteClick = () => {
+    this.setState({
+      showConfirmModal: true
+    });
+  };
+
+  getConfirmDeleteModal = () => {
+    if (!this.state.showConfirmModal) {
+      return null;
+    }
+
+    return (
+      <ConfirmDeleteModal
+        spaces={this.props.spaces}
+        onCancel={() => {
+          this.setState({
+            showConfirmModal: false
+          });
+        }}
+        onConfirm={this.deleteSpaces}
+      />
+    );
+  };
+
+  deleteSpaces = () => {
+    const {
+      httpAgent,
+      chrome,
+      spaces
+    } = this.props;
+
+    console.log(this.props, spaces);
+
+    const deleteOperations = spaces.map(space => {
+      return httpAgent.delete(
+        chrome.addBasePath(`/api/spaces/v1/spaces/${encodeURIComponent(space.id)}`)
+      );
+    });
+
+    Promise.all(deleteOperations)
+      .then(() => {
+        this.setState({
+          showConfirmModal: false
+        });
+
+        const message = spaces.length > 1
+          ? `Deleted ${spaces.length} spaces.`
+          : `Deleted "${spaces[0].name}" space.`;
+
+        toastNotifications.addSuccess(message);
+
+        if (this.props.onDelete) {
+          this.props.onDelete();
+        }
+      })
+      .catch(error => {
+        const {
+          message = ''
+        } = error.data || {};
+
+        toastNotifications.addDanger(`Error deleting space: ${message}`);
+      });
+  };
+}
+
+DeleteSpacesButton.propTypes = {
+  spaces: PropTypes.array.isRequired,
+  httpAgent: PropTypes.func.isRequired,
+  chrome: PropTypes.object.isRequired,
+  onDelete: PropTypes.func
+};
diff --git a/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
index 00d3d5a58ccf8b..7e04213f6d4667 100644
--- a/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
@@ -9,6 +9,7 @@ import PropTypes from 'prop-types';
 import {
   EuiText,
   EuiSpacer,
+  EuiPage,
   EuiPageContent,
   EuiForm,
   EuiFormRow,
@@ -18,13 +19,16 @@ import {
   EuiButton,
 } from '@elastic/eui';
 
+import { PageHeader } from './page_header';
+import { DeleteSpacesButton } from './delete_spaces_button';
+
 import { Notifier, toastNotifications } from 'ui/notify';
 
 export class ManageSpacePage extends React.Component {
   state = {
     space: {},
-    error: null
-  }
+    validate: false
+  };
 
   componentDidMount() {
     this.notifier = new Notifier({ location: 'Spaces' });
@@ -46,9 +50,12 @@ export class ManageSpacePage extends React.Component {
           }
         })
         .catch(error => {
-          this.setState({
-            error
-          });
+          const {
+            message = ''
+          } = error.data || {};
+
+          toastNotifications.addDanger(`Error loading space: ${message}`);
+          this.backToSpacesList();
         });
     }
   }
@@ -60,57 +67,83 @@ export class ManageSpacePage extends React.Component {
     } = this.state.space;
 
     return (
-      <EuiPageContent>
-        <EuiForm>
-          <EuiText><h1>{this.getTitle()}</h1></EuiText>
-          <EuiSpacer />
-          <EuiFormRow
-            label="Name"
-            helpText="Name your space"
-          >
-            <EuiFieldText
-              name="name"
-              placeholder={'Awesome space'}
-              value={name}
-              onChange={this.onNameChange}
-            />
-          </EuiFormRow>
-          <EuiFormRow
-            label="Description"
-            helpText="Describe your space"
-          >
-            <EuiFieldText
-              name="description"
-              placeholder={'This is where the magic happens'}
-              value={description}
-              onChange={this.onDescriptionChange}
-            />
-          </EuiFormRow>
-
-          <EuiFlexGroup>
-            <EuiFlexItem grow={false}>
-              <EuiButton fill onClick={this.saveSpace}>Save</EuiButton>
-            </EuiFlexItem>
-            <EuiFlexItem grow={false}>
-              <EuiButton onClick={this.backToSpacesList}>
-                Cancel
-              </EuiButton>
-            </EuiFlexItem>
-          </EuiFlexGroup>
-
-          {this.getActionButtons}
-        </EuiForm>
-      </EuiPageContent>
+      <EuiPage>
+        <PageHeader breadcrumbs={this.props.breadcrumbs}/>
+        <EuiPageContent>
+          <EuiForm>
+            <EuiFlexGroup justifyContent={'spaceBetween'}>
+              <EuiFlexItem grow={false}>
+                <EuiText><h1>{this.getTitle()}</h1></EuiText>
+              </EuiFlexItem>
+              {this.getActionButton()}
+            </EuiFlexGroup>
+
+            <EuiSpacer />
+
+            <EuiFormRow
+              label="Name"
+              helpText="Name your space"
+              {...this.validateName()}
+            >
+              <EuiFieldText
+                name="name"
+                placeholder={'Awesome space'}
+                value={name}
+                onChange={this.onNameChange}
+              />
+            </EuiFormRow>
+            <EuiFormRow
+              label="Description"
+              helpText="Describe your space"
+              {...this.validateDescription()}
+            >
+              <EuiFieldText
+                name="description"
+                placeholder={'This is where the magic happens'}
+                value={description}
+                onChange={this.onDescriptionChange}
+              />
+            </EuiFormRow>
+
+            <EuiFlexGroup>
+              <EuiFlexItem grow={false}>
+                <EuiButton fill onClick={this.saveSpace}>Save</EuiButton>
+              </EuiFlexItem>
+              <EuiFlexItem grow={false}>
+                <EuiButton onClick={this.backToSpacesList}>
+                  Cancel
+                </EuiButton>
+              </EuiFlexItem>
+            </EuiFlexGroup>
+          </EuiForm>
+        </EuiPageContent>
+      </EuiPage>
     );
   }
 
   getTitle = () => {
-    const isEditing = !!this.props.space;
-    if (isEditing) {
+    if (this.editingExistingSpace()) {
       return `Edit space`;
     }
     return `Create a space`;
-  }
+  };
+
+  getActionButton = () => {
+    if (this.editingExistingSpace()) {
+      return (
+        <EuiFlexItem grow={false}>
+          <DeleteSpacesButton
+            spaces={[this.state.space]}
+            httpAgent={this.props.httpAgent}
+            chrome={this.props.chrome}
+            onDelete={this.backToSpacesList}
+          />
+        </EuiFlexItem>
+      );
+    }
+
+    return null;
+  };
 
   onNameChange = (e) => {
     this.setState({
@@ -119,7 +152,7 @@ export class ManageSpacePage extends React.Component {
         name: e.target.value
       }
     });
-  }
+  };
 
   onDescriptionChange = (e) => {
     this.setState({
@@ -128,38 +161,115 @@ export class ManageSpacePage extends React.Component {
         description: e.target.value
       }
     });
-  }
+  };
 
   saveSpace = () => {
+    this.setState({
+      validate: true
+    }, () => {
+      const { isInvalid } = this.validateForm();
+      if (isInvalid) return;
+      this._performSave();
+    });
+  };
+
+  _performSave = () => {
     const {
       name = '',
-      id = name.toLowerCase(),
+      id = name.toLowerCase().replace(/\s/g, '-'),
       description
     } = this.state.space;
 
     const { httpAgent, chrome } = this.props;
 
+    const params = {
+      name,
+      id,
+      description
+    };
+
+    const overwrite = this.editingExistingSpace();
+
     if (name && description) {
-      console.log(this.state.space);
       httpAgent
-        .post(chrome.addBasePath(`/api/spaces/v1/spaces/${encodeURIComponent(id)}`), { id, name, description })
+        .post(chrome.addBasePath(`/api/spaces/v1/spaces/${encodeURIComponent(id)}?overwrite=${overwrite}`), params)
         .then(result => {
           toastNotifications.addSuccess(`Saved '${result.data.id}'`);
           window.location.hash = `#/management/spaces/list`;
         })
         .catch(error => {
-          toastNotifications.addError(error);
+          const {
+            message = ''
+          } = error.data || {};
+
+          toastNotifications.addDanger(`Error saving space: ${message}`);
         });
     }
-  }
+  };
 
   backToSpacesList = () => {
     window.location.hash = `#/management/spaces/list`;
-  }
+  };
+
+  validateName = () => {
+    if (!this.state.validate) {
+      return {};
+    }
+
+    const {
+      name
+    } = this.state.space;
+
+    if (!name) {
+      return {
+        isInvalid: true,
+        error: 'Name is required'
+      };
+    }
+
+    return {};
+  };
+
+  validateDescription = () => {
+    if (!this.state.validate) {
+      return {};
+    }
+
+    const {
+      description
+    } = this.state.space;
+
+    if (!description) {
+      return {
+        isInvalid: true,
+        error: 'Description is required'
+      };
+    }
+
+    return {};
+  };
+
+  validateForm = () => {
+    if (!this.state.validate) {
+      return {};
+    }
+
+    const validations = [this.validateName(), this.validateDescription()];
+    if (validations.some(validation => validation.isInvalid)) {
+      return {
+        isInvalid: true
+      };
+    }
+
+    return {};
+  };
+
+  editingExistingSpace = () => !!this.props.space;
 }
 
 ManageSpacePage.propTypes = {
   space: PropTypes.string,
   httpAgent: PropTypes.func.isRequired,
-  chrome: PropTypes.object
-};
\ No newline at end of file
+  chrome: PropTypes.object,
+  breadcrumbs: PropTypes.array.isRequired,
+};
diff --git a/x-pack/plugins/spaces/public/views/management/components/page_header.js b/x-pack/plugins/spaces/public/views/management/components/page_header.js
new file mode 100644
index 00000000000000..956c2809b325f8
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/page_header.js
@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component }  from 'react';
+import PropTypes from 'prop-types';
+
+import {
+  EuiHeader,
+  EuiHeaderSection,
+  EuiHeaderBreadcrumb,
+  EuiHeaderBreadcrumbs
+} from '@elastic/eui';
+
+export class PageHeader extends Component {
+  render() {
+    return (
+      <EuiHeader>
+        <EuiHeaderSection>
+          <EuiHeaderBreadcrumbs>
+            {this.props.breadcrumbs.map(this.buildBreadcrumb)}
+          </EuiHeaderBreadcrumbs>
+        </EuiHeaderSection>
+      </EuiHeader>
+    );
+  }
+
+  buildBreadcrumb = (breadcrumb) => {
+    return (
+      <EuiHeaderBreadcrumb key={breadcrumb.id} href={breadcrumb.href} isActive={breadcrumb.current}>
+        {breadcrumb.display}
+      </EuiHeaderBreadcrumb>
+    );
+  }
+}
+
+
+
+PageHeader.propTypes = {
+  breadcrumbs: PropTypes.array.isRequired
+};
diff --git a/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js b/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js
index 108f28c6e207d4..4bb49bcbe23e7e 100644
--- a/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js
+++ b/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js
@@ -4,10 +4,11 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React from 'react';
+import React, { Component } from 'react';
 import PropTypes from 'prop-types';
 
 import {
+  EuiPage,
   EuiPageContent,
   EuiBasicTable,
   EuiSearchBar,
@@ -19,80 +20,82 @@ import {
   EuiLink,
 } from '@elastic/eui';
 
+import { PageHeader } from './page_header';
+import { SpacesDataStore } from '../lib/spaces_data_store';
+import { DeleteSpacesButton } from './delete_spaces_button';
 
 
-const pagination = {
-  pageIndex: 0,
-  pageSize: 10,
-  totalItemCount: 10000,
-  pageSizeOptions: [10, 25, 50]
-};
-
-export class SpacesGridPage extends React.Component {
+export class SpacesGridPage extends Component {
   state = {
     selectedSpaces: [],
-    spaces: []
+    displayedSpaces: [],
+    loading: true,
+    searchCriteria: '',
+    pagination: {
+      pageIndex: 0,
+      pageSize: 10,
+      totalItemCount: 0,
+      pageSizeOptions: [10, 25, 50]
+    }
+  };
+
+  constructor(props) {
+    super(props);
+    this.dataStore = new SpacesDataStore();
   }
 
   componentDidMount() {
-    const {
-      httpAgent,
-      chrome
-    } = this.props;
-
-    httpAgent
-      .get(chrome.addBasePath(`/api/spaces/v1/spaces`))
-      .then(response => {
-        this.setState({
-          spaces: response.data
-        });
-      })
-      .catch(error => {
-        this.setState({
-          error
-        });
-      });
+    this.loadGrid();
   }
 
   render() {
-    const {
-      spaces
-    } = this.state;
+    const filteredSpaces = this.dataStore.search(this.state.searchCriteria);
+
+    const pagination = {
+      ...this.state.pagination,
+      totalItemCount: filteredSpaces.length
+    };
 
     return (
-      <EuiPageContent>
-        <EuiFlexGroup justifyContent={'spaceBetween'}>
-          <EuiFlexItem grow={false}>
-            <EuiText><h1>Spaces</h1></EuiText>
-          </EuiFlexItem>
-          <EuiFlexItem grow={false}>{this.getPrimaryActionButton()}</EuiFlexItem>
-        </EuiFlexGroup>
-        <EuiSpacer size={'xl'} />
-        <EuiSearchBar
-          box={{
-            placeholder: 'Search for a space...',
-          }}
-          onChange={() => {}}
-        />
-        <EuiSpacer size={'xl'} />
-        <EuiBasicTable
-          items={spaces}
-          columns={this.getColumnConfig()}
-          selection={this.getSelectionConfig()}
-          pagination={pagination}
-          onChange={() => {}}
-        />
-      </EuiPageContent>
+      <EuiPage>
+        <PageHeader breadcrumbs={this.props.breadcrumbs}/>
+        <EuiPageContent>
+          <EuiFlexGroup justifyContent={'spaceBetween'}>
+            <EuiFlexItem grow={false}>
+              <EuiText><h1>Spaces</h1></EuiText>
+            </EuiFlexItem>
+            <EuiFlexItem grow={false}>{this.getPrimaryActionButton()}</EuiFlexItem>
+          </EuiFlexGroup>
+          <EuiSpacer size={'xl'} />
+          <EuiSearchBar
+            box={{
+              placeholder: 'Search for a space...',
+              incremental: true
+            }}
+            onChange={this.onSearchChange}
+          />
+          <EuiSpacer size={'xl'} />
+          <EuiBasicTable
+            items={this.state.displayedSpaces}
+            columns={this.getColumnConfig()}
+            selection={this.getSelectionConfig()}
+            pagination={pagination}
+            onChange={this.onTableChange}
+          />
+        </EuiPageContent>
+      </EuiPage>
     );
   }
 
   getPrimaryActionButton() {
     if (this.state.selectedSpaces.length > 0) {
-      const count = this.state.selectedSpaces.length;
       return (
-        <EuiButton fill color={'danger'}>
-          {`Delete ${count > 1 ? `${count} spaces` : 'space'}`}
-        </EuiButton>
+        <DeleteSpacesButton
+          spaces={this.state.selectedSpaces}
+          httpAgent={this.props.httpAgent}
+          chrome={this.props.chrome}
+          onDelete={this.loadGrid}
+        />
       );
     }
 
@@ -101,8 +104,43 @@ export class SpacesGridPage extends React.Component {
     );
   }
 
+  loadGrid = () => {
+    const {
+      httpAgent,
+      chrome
+    } = this.props;
+
+    this.setState({
+      loading: true,
+      displayedSpaces: [],
+      selectedSpaces: []
+    });
+
+    this.dataStore.loadSpaces([]);
+
+    const setSpaces = (spaces) => {
+      this.dataStore.loadSpaces(spaces);
+      this.setState({
+        loading: false,
+        displayedSpaces: this.dataStore.getPage(this.state.pagination.pageIndex, this.state.pagination.pageSize)
+      });
+    };
+
+    httpAgent
+      .get(chrome.addBasePath(`/api/spaces/v1/spaces`))
+      .then(response => {
+        setSpaces(response.data);
+      })
+      .catch(error => {
+        this.setState({
+          loading: false,
+          error
+        });
+      });
+  };
+
   getColumnConfig() {
-    const columns = [{
+    return [{
       field: 'name',
       name: 'Space',
       sortable: true,
@@ -118,8 +156,6 @@ export class SpacesGridPage extends React.Component {
       name: 'Description',
       sortable: true
     }];
-
-    return columns;
   }
 
   getSelectionConfig() {
@@ -130,12 +166,36 @@ export class SpacesGridPage extends React.Component {
     };
   }
 
+ onTableChange = ({ page = {} }) => {
+   const {
+     index: pageIndex,
+     size: pageSize
+   } = page;
+
+   this.setState({
+     pagination: {
+       ...this.state.pagination,
+       pageIndex,
+       pageSize
+     }
+   });
+ };
+
   onSelectionChange = (selectedSpaces) => {
     this.setState({ selectedSpaces });
-  }
+  };
+
+  onSearchChange = ({ text = '' }) => {
+    this.dataStore.search(text);
+    this.setState({
+      searchCriteria: text,
+      displayedSpaces: this.dataStore.getPage(this.state.pagination.pageIndex, this.state.pagination.pageSize)
+    });
+  };
 }
 
 SpacesGridPage.propTypes = {
   chrome: PropTypes.object.isRequired,
-  httpAgent: PropTypes.func.isRequired
-};
\ No newline at end of file
+  httpAgent: PropTypes.func.isRequired,
+  breadcrumbs: PropTypes.array.isRequired
+};
diff --git a/x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.js b/x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.js
new file mode 100644
index 00000000000000..64e7f6c5fa6354
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.js
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export class SpacesDataStore {
+  constructor(spaces = []) {
+    this.loadSpaces(spaces);
+  }
+
+  loadSpaces(spaces = []) {
+    this._spaces = [...spaces];
+    this._matchedSpaces = [...spaces];
+  }
+
+  search(searchCriteria, caseSensitive = false) {
+    const criteria = caseSensitive ? searchCriteria : searchCriteria.toLowerCase();
+
+    this._matchedSpaces = this._spaces.filter(space => {
+      const spaceName = caseSensitive ? space.name : space.name.toLowerCase();
+
+      return spaceName.indexOf(criteria) >= 0;
+    });
+
+    return this._matchedSpaces;
+  }
+
+  getPage(pageIndex, pageSize) {
+    const startIndex = Math.min(pageIndex * pageSize, this._matchedSpaces.length);
+    const endIndex = Math.min(startIndex + pageSize, this._matchedSpaces.length);
+
+    return this._matchedSpaces.slice(startIndex, endIndex);
+  }
+}
diff --git a/x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.test.js b/x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.test.js
new file mode 100644
index 00000000000000..eac71d490902d2
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.test.js
@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SpacesDataStore } from './spaces_data_store';
+
+const spaces = [{
+  id: 1,
+  name: 'foo',
+  description: 'foo'
+}, {
+  id: 2,
+  name: 'bar',
+  description: 'bar'
+}, {
+  id: 3,
+  name: 'sample text',
+  description: 'some sample text'
+}];
+
+test(`it doesn't filter results with no search applied`, () => {
+  const store = new SpacesDataStore(spaces);
+  expect(store.getPage(0, 3)).toEqual(spaces);
+});
+
+test(`it filters results when search is applied`, () => {
+  const store = new SpacesDataStore(spaces);
+  const filteredResults = store.search('bar');
+
+  expect(filteredResults).toEqual([spaces[1]]);
+
+  expect(store.getPage(0, 3)).toEqual([spaces[1]]);
+});
+
+test(`it filters based on a partial match`, () => {
+  const store = new SpacesDataStore(spaces);
+  const filteredResults = store.search('mpl');
+
+  expect(filteredResults).toEqual([spaces[2]]);
+
+  expect(store.getPage(0, 3)).toEqual([spaces[2]]);
+});
diff --git a/x-pack/plugins/spaces/public/views/management/manage_spaces.less b/x-pack/plugins/spaces/public/views/management/manage_spaces.less
index 67fc3da7f81714..a9696d0c2f824e 100644
--- a/x-pack/plugins/spaces/public/views/management/manage_spaces.less
+++ b/x-pack/plugins/spaces/public/views/management/manage_spaces.less
@@ -1,3 +1,7 @@
 .application, .euiPanel {
   background: #f5f5f5
 }
+
+.euiPage {
+  padding: 0;
+}
diff --git a/x-pack/plugins/spaces/public/views/management/page_routes.js b/x-pack/plugins/spaces/public/views/management/page_routes.js
index 4e8f5e53c19f43..c7fd24674f00d7 100644
--- a/x-pack/plugins/spaces/public/views/management/page_routes.js
+++ b/x-pack/plugins/spaces/public/views/management/page_routes.js
@@ -21,7 +21,11 @@ routes.when('/management/spaces/list', {
   controller: function ($scope, $http, chrome) {
     const domNode = document.getElementById(reactRootNodeId);
 
-    render(<SpacesGridPage httpAgent={$http} chrome={chrome} />, domNode);
+    render(<SpacesGridPage
+      httpAgent={$http}
+      chrome={chrome}
+      breadcrumbs={routes.getBreadcrumbs()}
+    />, domNode);
 
     // unmount react on controller destroy
     $scope.$on('$destroy', () => {
@@ -35,7 +39,11 @@ routes.when('/management/spaces/create', {
   controller: function ($scope,  $http, chrome) {
     const domNode = document.getElementById(reactRootNodeId);
 
-    render(<ManageSpacePage httpAgent={$http} chrome={chrome} />, domNode);
+    render(<ManageSpacePage
+      httpAgent={$http}
+      chrome={chrome}
+      breadcrumbs={routes.getBreadcrumbs()}
+    />, domNode);
 
     // unmount react on controller destroy
     $scope.$on('$destroy', () => {
@@ -44,6 +52,10 @@ routes.when('/management/spaces/create', {
   }
 });
 
+routes.when('/management/spaces/edit', {
+  redirectTo: '/management/spaces/list'
+});
+
 routes.when('/management/spaces/edit/:space', {
   template,
   controller: function ($scope, $http, $route, chrome) {
@@ -51,11 +63,16 @@ routes.when('/management/spaces/edit/:space', {
 
     const { space } = $route.current.params;
 
-    render(<ManageSpacePage httpAgent={$http} space={space} chrome={chrome} />, domNode);
+    render(<ManageSpacePage
+      httpAgent={$http}
+      space={space}
+      chrome={chrome}
+      breadcrumbs={routes.getBreadcrumbs()}
+    />, domNode);
 
     // unmount react on controller destroy
     $scope.$on('$destroy', () => {
       unmountComponentAtNode(domNode);
     });
   }
-});
\ No newline at end of file
+});
diff --git a/x-pack/plugins/spaces/public/views/space_selector/index.js b/x-pack/plugins/spaces/public/views/space_selector/index.js
index a18a1ccdaed7fb..ee258cc542bd14 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/index.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/index.js
@@ -8,30 +8,23 @@ import 'ui/autoload/styles';
 import chrome from 'ui/chrome';
 import 'plugins/spaces/views/space_selector/space_selector.less';
 import template from 'plugins/spaces/views/space_selector/space_selector.html';
+import { uiModules } from 'ui/modules';
 
 import React from 'react';
-import ReactDOM from 'react-dom';
+import { render, unmountComponentAtNode } from 'react-dom';
 import { SpaceSelector } from './space_selector';
-import { mockSpaces } from '../../../common/mock_spaces';
 
+const module = uiModules.get('spaces_selector', []);
+module.controller('spacesSelectorController', ($scope, $http) => {
+  const domNode = document.getElementById('spaceSelectorRoot');
+  render(<SpaceSelector httpAgent={$http} chrome={chrome} />, domNode);
+
+  // unmount react on controller destroy
+  $scope.$on('$destroy', () => {
+    unmountComponentAtNode(domNode);
+  });
+});
 
 chrome
   .setVisible(false)
   .setRootTemplate(template);
-
-// hack to wait for angular template to be ready
-const waitForAngularReady = new Promise(resolve => {
-  const checkInterval = setInterval(() => {
-    const hasElm = !!document.querySelector('#spaceSelectorRoot');
-    if (hasElm) {
-      clearInterval(checkInterval);
-      resolve();
-    }
-  }, 10);
-});
-
-waitForAngularReady.then(() => {
-  ReactDOM.render(<SpaceSelector spaces={mockSpaces} />, document.getElementById('spaceSelectorRoot'));
-});
-
-
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.html b/x-pack/plugins/spaces/public/views/space_selector/space_selector.html
index 1c18634fd4419a..73bf9f23236f7c 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.html
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.html
@@ -1,3 +1,3 @@
-<div>
+<div ng-controller="spacesSelectorController">
   <div id="spaceSelectorRoot" />
 </div>
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
index 48c42bf89b3851..4a4a042c587f02 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React from 'react';
+import React, { Component } from 'react';
 import {
   EuiPage,
   EuiPageHeader,
@@ -18,50 +18,82 @@ import {
   EuiFlexItem,
 } from '@elastic/eui';
 
-export const SpaceSelector = (props) => (
-  <EuiPage>
-    <EuiPageHeader>
-      <EuiPageHeaderSection className="logoHeader">
-        <EuiIcon size="xxl" type={`logoKibana`} />
-      </EuiPageHeaderSection>
-    </EuiPageHeader>
-    <EuiPageBody>
-      <EuiPageContent>
-        <EuiText className="spaceWelcomeText">
-          <p className="welcomeLarge">Welcome to Kibana.</p>
-          <p className="welcomeMedium">Select a space to begin.</p>
-        </EuiText>
+export class SpaceSelector extends Component {
+  state = {
+    loading: false,
+    spaces: []
+  };
 
-        <EuiFlexGroup gutterSize="l" justifyContent="spaceEvenly" className="spacesGroup">
-          {props.spaces.map(renderSpace)}
-        </EuiFlexGroup>
+  componentDidMount() {
+    this.loadSpaces();
+  }
 
-        <EuiText className="spaceProfileText">
-          <p>You can change your workspace at anytime by accessing your profile within Kibana.</p>
-        </EuiText>
-      </EuiPageContent>
-    </EuiPageBody>
-  </EuiPage>
-);
+  loadSpaces() {
+    this.setState({ loading: true });
+    const { httpAgent, chrome } = this.props;
 
-function renderSpace(space) {
-  return (
-    <EuiFlexItem key={space.id} grow={false} className="spaceCard">
-      <EuiCard
-        icon={<EuiIcon size="xxl" type={space.logo} />}
-        title={renderSpaceTitle(space)}
-        description={space.description}
-        onClick={() => window.alert('Card clicked')}
-      />
-    </EuiFlexItem>
-  );
-}
+    httpAgent
+      .get(chrome.addBasePath(`/api/spaces/v1/spaces`))
+      .then(response => {
+        this.setState({
+          loading: false,
+          spaces: response.data
+        });
+      });
+  }
+
+  render() {
+    const {
+      spaces
+    } = this.state;
+
+    return (
+      <EuiPage>
+        <EuiPageHeader>
+          <EuiPageHeaderSection className="logoHeader">
+            <EuiIcon size="xxl" type={`logoKibana`} />
+          </EuiPageHeaderSection>
+        </EuiPageHeader>
+        <EuiPageBody>
+          <EuiPageContent>
+            <EuiText className="spaceWelcomeText">
+              <p className="welcomeLarge">Welcome to Kibana.</p>
+              <p className="welcomeMedium">Select a space to begin.</p>
+            </EuiText>
+
+            <EuiFlexGroup gutterSize="l" justifyContent="spaceEvenly" className="spacesGroup">
+              {spaces.map(this.renderSpace)}
+            </EuiFlexGroup>
+
+            <EuiText className="spaceProfileText">
+              <p>You can change your workspace at anytime by accessing your profile within Kibana.</p>
+            </EuiText>
+          </EuiPageContent>
+        </EuiPageBody>
+      </EuiPage>
+    );
+  }
+
+  renderSpace = (space) => {
+    return (
+      <EuiFlexItem key={space.id} grow={false} className="spaceCard">
+        <EuiCard
+          icon={<EuiIcon size="xxl" type={space.logo} />}
+          title={this.renderSpaceTitle(space)}
+          description={space.description}
+          onClick={() => window.alert('Card clicked')}
+        />
+      </EuiFlexItem>
+    );
+  };
+
+  renderSpaceTitle = (space) => {
+    return (
+      <div className="spaceCardTitle">
+        <span>{space.name}</span>
+        {/* <EuiIcon type={'starEmpty'} size="s" /> */}
+      </div>
+    );
+  };
 
-function renderSpaceTitle(space) {
-  return (
-    <div className="spaceCardTitle">
-      <span>{space.name}</span>
-      {/* <EuiIcon type={'starEmpty'} size="s" /> */}
-    </div>
-  );
 }
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
index 223df491b15664..003e4e7f55cb2d 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
@@ -4,22 +4,36 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import Boom from 'boom';
-import { getClient } from '../../../../../../server/lib/get_client_shield';
+import { omit } from 'lodash';
 import { routePreCheckLicense } from '../../../lib/route_pre_check_license';
 import { spaceSchema } from '../../../lib/space_schema';
-
-import { mockSpaces } from '../../../../common/mock_spaces';
+import { wrapError } from '../../../lib/errors';
 
 export function initSpacesApi(server) {
-  const callWithRequest = getClient(server).callWithRequest; // eslint-disable-line no-unused-vars
   const routePreCheckLicenseFn = routePreCheckLicense(server);
 
   server.route({
     method: 'GET',
     path: '/api/spaces/v1/spaces',
-    handler(request, reply) {
-      reply(mockSpaces);
+    async handler(request, reply) {
+      const client = request.getSavedObjectsClient();
+
+      let spaces;
+
+      try {
+        const result = await client.find({
+          type: 'space'
+        });
+
+        spaces = result.saved_objects.map(space => ({
+          ...space.attributes,
+          id: space.id
+        }));
+      } catch(e) {
+        return reply(wrapError(e));
+      }
+
+      return reply(spaces);
     },
     config: {
       pre: [routePreCheckLicenseFn]
@@ -29,10 +43,22 @@ export function initSpacesApi(server) {
   server.route({
     method: 'GET',
     path: '/api/spaces/v1/spaces/{id}',
-    handler(request, reply) {
+    async handler(request, reply) {
       const id = request.params.id;
-      const space = mockSpaces.find(space => space.id === id);
-      reply(space || Boom.notFound());
+
+      const client = request.getSavedObjectsClient();
+
+      let space;
+      try {
+        space = await client.get('space', id);
+      } catch (e) {
+        return reply(wrapError(e));
+      }
+
+      return reply({
+        ...space.attributes,
+        id: space.id
+      });
     },
     config: {
       pre: [routePreCheckLicenseFn]
@@ -42,9 +68,24 @@ export function initSpacesApi(server) {
   server.route({
     method: 'POST',
     path: '/api/spaces/v1/spaces/{id}',
-    handler(request, reply) {
-      mockSpaces.push(request.payload);
-      reply(request.payload);
+    async handler(request, reply) {
+      const client = request.getSavedObjectsClient();
+
+      const {
+        overwrite = false
+      } = request.query;
+
+      const space = omit(request.payload, ['id']);
+      const id = request.params.id;
+
+      let result;
+      try {
+        result = await client.create('space', { ...space }, { id, overwrite });
+      } catch(e) {
+        return reply(wrapError(e));
+      }
+
+      return reply(result);
     },
     config: {
       validate: {
@@ -57,9 +98,20 @@ export function initSpacesApi(server) {
   server.route({
     method: 'DELETE',
     path: '/api/spaces/v1/spaces/{id}',
-    handler(request, reply) {
-      mockSpaces = mockSpaces.filter(space => space !== request.params.id);
-      reply().code(204);
+    async handler(request, reply) {
+      const client = request.getSavedObjectsClient();
+
+      const id = request.params.id;
+
+      let result;
+
+      try {
+        result = await client.delete('space', id);
+      } catch(e) {
+        return reply(wrapError(e));
+      }
+
+      return reply(result).code(204);
     },
     config: {
       pre: [routePreCheckLicenseFn]

From e4abf8a5daf1f91ff26b3a38762b2ccb4c504b1c Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Mon, 30 Apr 2018 13:35:28 -0400
Subject: [PATCH 012/183] Porting Spencers changes over (#18664)

---
 .../core/development-basepath.asciidoc        |  6 +--
 src/server/config/complete.js                 |  4 ++
 src/server/config/complete.test.js            | 10 ++---
 src/server/http/index.js                      |  6 +--
 src/ui/public/chrome/api/nav.js               |  4 +-
 src/ui/ui_apps/ui_app.js                      |  2 +-
 src/ui/ui_nav_links/__tests__/ui_nav_link.js  | 39 +++++--------------
 src/ui/ui_nav_links/ui_nav_link.js            |  6 +--
 src/ui/ui_nav_links/ui_nav_links_mixin.js     |  5 +--
 src/ui/ui_render/ui_render_mixin.js           |  2 +-
 10 files changed, 33 insertions(+), 51 deletions(-)

diff --git a/docs/development/core/development-basepath.asciidoc b/docs/development/core/development-basepath.asciidoc
index b7e0dec88bf50e..2da65079350150 100644
--- a/docs/development/core/development-basepath.asciidoc
+++ b/docs/development/core/development-basepath.asciidoc
@@ -48,15 +48,15 @@ $http.get(chrome.addBasePath('/api/plugin/things'));
 [float]
 ==== Server side
 
-Append `config.get('server.basePath')` to any absolute URL path.
+Append `request.getBasePath()` to any absolute URL path.
 
 ["source","shell"]
 -----------
 const basePath = server.config().get('server.basePath');
 server.route({
   path: '/redirect',
-  handler(req, reply) {
-    reply.redirect(`${basePath}/otherLocation`);
+  handler(request, reply) {
+    reply.redirect(`${request.getBasePath()}/otherLocation`);
   }
 });
 -----------
diff --git a/src/server/config/complete.js b/src/server/config/complete.js
index 70acb2edf043f9..3a9da4911c2194 100644
--- a/src/server/config/complete.js
+++ b/src/server/config/complete.js
@@ -33,6 +33,10 @@ export default function (kbnServer, server, config) {
     return kbnServer.config;
   });
 
+  server.decorate('request', 'getBasePath', function () {
+    return kbnServer.config.get('server.basePath');
+  });
+
   const unusedKeys = getUnusedConfigKeys(kbnServer.disabledPluginSpecs, kbnServer.settings, config.get())
     .map(key => `"${key}"`);
 
diff --git a/src/server/config/complete.test.js b/src/server/config/complete.test.js
index 437a05c06c4a13..2db0b1641dd19a 100644
--- a/src/server/config/complete.test.js
+++ b/src/server/config/complete.test.js
@@ -40,16 +40,16 @@ describe('server/config completeMixin()', function () {
   };
 
   describe('server decoration', () => {
-    it('adds a config() function to the server', () => {
-      const { config, callCompleteMixin, server } = setup({
+    it('adds several server/request decorations', () => {
+      const { callCompleteMixin, server } = setup({
         settings: {},
         configValues: {}
       });
 
       callCompleteMixin();
-      sinon.assert.calledOnce(server.decorate);
-      sinon.assert.calledWith(server.decorate, 'server', 'config', sinon.match.func);
-      expect(server.decorate.firstCall.args[2]()).toBe(config);
+      sinon.assert.callCount(server.decorate, 2);
+      sinon.assert.calledWithExactly(server.decorate, 'server', 'config', sinon.match.func);
+      sinon.assert.calledWithExactly(server.decorate, 'request', 'getBasePath', sinon.match.func);
     });
   });
 
diff --git a/src/server/http/index.js b/src/server/http/index.js
index 7d22dc93bd71fa..d42e2bcc031d8d 100644
--- a/src/server/http/index.js
+++ b/src/server/http/index.js
@@ -76,7 +76,7 @@ export default async function (kbnServer, server, config) {
     path: '/',
     method: 'GET',
     handler(req, reply) {
-      const basePath = config.get('server.basePath');
+      const basePath = req.getBasePath();
       const defaultRoute = config.get('server.defaultRoute');
       reply.redirect(`${basePath}${defaultRoute}`);
     }
@@ -90,7 +90,7 @@ export default async function (kbnServer, server, config) {
       if (path === '/' || path.charAt(path.length - 1) !== '/') {
         return reply(Boom.notFound());
       }
-      const pathPrefix = config.get('server.basePath') ? `${config.get('server.basePath')}/` : '';
+      const pathPrefix = req.getBasePath() ? `${req.getBasePath()}/` : '';
       return reply.redirect(format({
         search: req.url.search,
         pathname: pathPrefix + path.slice(0, -1),
@@ -110,7 +110,7 @@ export default async function (kbnServer, server, config) {
         const uiSettings = request.getUiSettingsService();
         const stateStoreInSessionStorage = await uiSettings.get('state:storeInSessionStorage');
         if (!stateStoreInSessionStorage) {
-          reply().redirect(config.get('server.basePath') + url);
+          reply().redirect(request.getBasePath() + url);
           return;
         }
 
diff --git a/src/ui/public/chrome/api/nav.js b/src/ui/public/chrome/api/nav.js
index c1d0ceea932758..6e00e4ad51e66c 100644
--- a/src/ui/public/chrome/api/nav.js
+++ b/src/ui/public/chrome/api/nav.js
@@ -135,8 +135,8 @@ export function initChromeNavApi(chrome, internals) {
   };
 
   internals.nav.forEach(link => {
-    link.url = relativeToAbsolute(link.url);
-    link.subUrlBase = relativeToAbsolute(link.subUrlBase);
+    link.url = relativeToAbsolute(chrome.addBasePath(link.url));
+    link.subUrlBase = relativeToAbsolute(chrome.addBasePath(link.subUrlBase));
   });
 
   // simulate a possible change in url to initialize the
diff --git a/src/ui/ui_apps/ui_app.js b/src/ui/ui_apps/ui_app.js
index 9f9c73bd8d345d..b41f178d2656fd 100644
--- a/src/ui/ui_apps/ui_app.js
+++ b/src/ui/ui_apps/ui_app.js
@@ -54,7 +54,7 @@ export class UiApp {
       // unless an app is hidden it gets a navlink, but we only respond to `getNavLink()`
       // if the app is also listed. This means that all apps in the kibanaPayload will
       // have a navLink property since that list includes all normally accessible apps
-      this._navLink = new UiNavLink(kbnServer.config.get('server.basePath'), {
+      this._navLink = new UiNavLink({
         id: this._id,
         title: this._title,
         order: this._order,
diff --git a/src/ui/ui_nav_links/__tests__/ui_nav_link.js b/src/ui/ui_nav_links/__tests__/ui_nav_link.js
index ee3a8c6c977c96..3f4294408fc6e4 100644
--- a/src/ui/ui_nav_links/__tests__/ui_nav_link.js
+++ b/src/ui/ui_nav_links/__tests__/ui_nav_link.js
@@ -5,7 +5,6 @@ import { UiNavLink } from '../ui_nav_link';
 describe('UiNavLink', () => {
   describe('constructor', () => {
     it('initializes the object properties as expected', () => {
-      const urlBasePath = 'http://localhost:5601/rnd';
       const spec = {
         id: 'kibana:discover',
         title: 'Discover',
@@ -17,13 +16,13 @@ describe('UiNavLink', () => {
         disabled: true
       };
 
-      const link = new UiNavLink(urlBasePath, spec);
+      const link = new UiNavLink(spec);
       expect(link.toJSON()).to.eql({
         id: spec.id,
         title: spec.title,
         order: spec.order,
-        url: `${urlBasePath}${spec.url}`,
-        subUrlBase: `${urlBasePath}${spec.url}`,
+        url: spec.url,
+        subUrlBase: spec.url,
         description: spec.description,
         icon: spec.icon,
         hidden: spec.hidden,
@@ -35,22 +34,7 @@ describe('UiNavLink', () => {
       });
     });
 
-    it('initializes the url property without a base path when one is not specified in the spec', () => {
-      const urlBasePath = undefined;
-      const spec = {
-        id: 'kibana:discover',
-        title: 'Discover',
-        order: -1003,
-        url: '/app/kibana#/discover',
-        description: 'interactively explore your data',
-        icon: 'plugins/kibana/assets/discover.svg',
-      };
-      const link = new UiNavLink(urlBasePath, spec);
-      expect(link.toJSON()).to.have.property('url', spec.url);
-    });
-
     it('initializes the order property to 0 when order is not specified in the spec', () => {
-      const urlBasePath = undefined;
       const spec = {
         id: 'kibana:discover',
         title: 'Discover',
@@ -58,13 +42,12 @@ describe('UiNavLink', () => {
         description: 'interactively explore your data',
         icon: 'plugins/kibana/assets/discover.svg',
       };
-      const link = new UiNavLink(urlBasePath, spec);
+      const link = new UiNavLink(spec);
 
       expect(link.toJSON()).to.have.property('order', 0);
     });
 
     it('initializes the linkToLastSubUrl property to false when false is specified in the spec', () => {
-      const urlBasePath = undefined;
       const spec = {
         id: 'kibana:discover',
         title: 'Discover',
@@ -74,13 +57,12 @@ describe('UiNavLink', () => {
         icon: 'plugins/kibana/assets/discover.svg',
         linkToLastSubUrl: false
       };
-      const link = new UiNavLink(urlBasePath, spec);
+      const link = new UiNavLink(spec);
 
       expect(link.toJSON()).to.have.property('linkToLastSubUrl', false);
     });
 
     it('initializes the linkToLastSubUrl property to true by default', () => {
-      const urlBasePath = undefined;
       const spec = {
         id: 'kibana:discover',
         title: 'Discover',
@@ -89,13 +71,12 @@ describe('UiNavLink', () => {
         description: 'interactively explore your data',
         icon: 'plugins/kibana/assets/discover.svg',
       };
-      const link = new UiNavLink(urlBasePath, spec);
+      const link = new UiNavLink(spec);
 
       expect(link.toJSON()).to.have.property('linkToLastSubUrl', true);
     });
 
     it('initializes the hidden property to false by default', () => {
-      const urlBasePath = undefined;
       const spec = {
         id: 'kibana:discover',
         title: 'Discover',
@@ -104,13 +85,12 @@ describe('UiNavLink', () => {
         description: 'interactively explore your data',
         icon: 'plugins/kibana/assets/discover.svg',
       };
-      const link = new UiNavLink(urlBasePath, spec);
+      const link = new UiNavLink(spec);
 
       expect(link.toJSON()).to.have.property('hidden', false);
     });
 
     it('initializes the disabled property to false by default', () => {
-      const urlBasePath = undefined;
       const spec = {
         id: 'kibana:discover',
         title: 'Discover',
@@ -119,13 +99,12 @@ describe('UiNavLink', () => {
         description: 'interactively explore your data',
         icon: 'plugins/kibana/assets/discover.svg',
       };
-      const link = new UiNavLink(urlBasePath, spec);
+      const link = new UiNavLink(spec);
 
       expect(link.toJSON()).to.have.property('disabled', false);
     });
 
     it('initializes the tooltip property to an empty string by default', () => {
-      const urlBasePath = undefined;
       const spec = {
         id: 'kibana:discover',
         title: 'Discover',
@@ -134,7 +113,7 @@ describe('UiNavLink', () => {
         description: 'interactively explore your data',
         icon: 'plugins/kibana/assets/discover.svg',
       };
-      const link = new UiNavLink(urlBasePath, spec);
+      const link = new UiNavLink(spec);
 
       expect(link.toJSON()).to.have.property('tooltip', '');
     });
diff --git a/src/ui/ui_nav_links/ui_nav_link.js b/src/ui/ui_nav_links/ui_nav_link.js
index 322717c446d96f..c4b2c4be78e801 100644
--- a/src/ui/ui_nav_links/ui_nav_link.js
+++ b/src/ui/ui_nav_links/ui_nav_link.js
@@ -1,5 +1,5 @@
 export class UiNavLink {
-  constructor(urlBasePath, spec) {
+  constructor(spec) {
     const {
       id,
       title,
@@ -17,8 +17,8 @@ export class UiNavLink {
     this._id = id;
     this._title = title;
     this._order = order;
-    this._url = `${urlBasePath || ''}${url}`;
-    this._subUrlBase = `${urlBasePath || ''}${subUrlBase || url}`;
+    this._url = url;
+    this._subUrlBase = subUrlBase || url;
     this._description = description;
     this._icon = icon;
     this._linkToLastSubUrl = linkToLastSubUrl;
diff --git a/src/ui/ui_nav_links/ui_nav_links_mixin.js b/src/ui/ui_nav_links/ui_nav_links_mixin.js
index 38411c799bf348..d769d065fe842f 100644
--- a/src/ui/ui_nav_links/ui_nav_links_mixin.js
+++ b/src/ui/ui_nav_links/ui_nav_links_mixin.js
@@ -1,13 +1,12 @@
 import { UiNavLink } from './ui_nav_link';
 
-export function uiNavLinksMixin(kbnServer, server, config) {
+export function uiNavLinksMixin(kbnServer, server) {
   const uiApps = server.getAllUiApps();
 
   const { navLinkSpecs = [] } = kbnServer.uiExports;
-  const urlBasePath = config.get('server.basePath');
 
   const fromSpecs = navLinkSpecs
-    .map(navLinkSpec => new UiNavLink(urlBasePath, navLinkSpec));
+    .map(navLinkSpec => new UiNavLink(navLinkSpec));
 
   const fromApps = uiApps
     .map(app => app.getNavLink())
diff --git a/src/ui/ui_render/ui_render_mixin.js b/src/ui/ui_render/ui_render_mixin.js
index 6387177ed7c5ac..9bcc1aea9d16f8 100644
--- a/src/ui/ui_render/ui_render_mixin.js
+++ b/src/ui/ui_render/ui_render_mixin.js
@@ -96,7 +96,7 @@ export function uiRenderMixin(kbnServer, server, config) {
       branch: config.get('pkg.branch'),
       buildNum: config.get('pkg.buildNum'),
       buildSha: config.get('pkg.buildSha'),
-      basePath: config.get('server.basePath'),
+      basePath: request.getBasePath(),
       serverName: config.get('server.name'),
       devMode: config.get('env.dev'),
       translations: translations,

From 63d5eaacc7a0c5ea922b6f388496c0cdd8662a92 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 3 May 2018 15:16:12 -0400
Subject: [PATCH 013/183] Spaces mapping (#18778)

* Introducing URL Context

Merging to `spaces-phase-1`, and open TODO items in this PR will be addressed in separate PRs.
---
 src/server/config/complete.js                 |  4 -
 src/server/config/complete.test.js            |  1 -
 src/server/http/index.js                      |  2 +
 src/server/http/setup_base_path_provider.js   | 19 ++++
 x-pack/plugins/spaces/index.js                |  7 +-
 x-pack/plugins/spaces/mappings.json           |  6 ++
 .../__snapshots__/page_header.test.js.snap    | 15 +++
 .../components/manage_space_page.js           | 68 ++++++++++++-
 .../management/components/page_header.test.js | 35 +++++++
 .../management/components/spaces_grid_page.js |  4 +
 .../management/components/url_context.js      | 97 +++++++++++++++++++
 .../views/management/lib/url_context_utils.js | 13 +++
 .../management/lib/url_context_utils.test.js  | 24 +++++
 .../__snapshots__/space_selector.test.js.snap | 77 +++++++++++++++
 .../public/views/space_selector/index.js      |  4 +-
 .../views/space_selector/space_selector.js    | 26 ++++-
 .../space_selector/space_selector.test.js     | 71 ++++++++++++++
 .../server/lib/space_request_interceptors.js  | 73 ++++++++++++++
 .../plugins/spaces/server/lib/space_schema.js |  6 +-
 .../spaces/server/routes/api/v1/spaces.js     | 18 ++--
 20 files changed, 544 insertions(+), 26 deletions(-)
 create mode 100644 src/server/http/setup_base_path_provider.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/page_header.test.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/url_context.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/lib/url_context_utils.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/lib/url_context_utils.test.js
 create mode 100644 x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
 create mode 100644 x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js
 create mode 100644 x-pack/plugins/spaces/server/lib/space_request_interceptors.js

diff --git a/src/server/config/complete.js b/src/server/config/complete.js
index 3a9da4911c2194..70acb2edf043f9 100644
--- a/src/server/config/complete.js
+++ b/src/server/config/complete.js
@@ -33,10 +33,6 @@ export default function (kbnServer, server, config) {
     return kbnServer.config;
   });
 
-  server.decorate('request', 'getBasePath', function () {
-    return kbnServer.config.get('server.basePath');
-  });
-
   const unusedKeys = getUnusedConfigKeys(kbnServer.disabledPluginSpecs, kbnServer.settings, config.get())
     .map(key => `"${key}"`);
 
diff --git a/src/server/config/complete.test.js b/src/server/config/complete.test.js
index 2db0b1641dd19a..4ea53b761cb07f 100644
--- a/src/server/config/complete.test.js
+++ b/src/server/config/complete.test.js
@@ -49,7 +49,6 @@ describe('server/config completeMixin()', function () {
       callCompleteMixin();
       sinon.assert.callCount(server.decorate, 2);
       sinon.assert.calledWithExactly(server.decorate, 'server', 'config', sinon.match.func);
-      sinon.assert.calledWithExactly(server.decorate, 'request', 'getBasePath', sinon.match.func);
     });
   });
 
diff --git a/src/server/http/index.js b/src/server/http/index.js
index d42e2bcc031d8d..af43411595c554 100644
--- a/src/server/http/index.js
+++ b/src/server/http/index.js
@@ -11,6 +11,7 @@ import { setupConnection } from './setup_connection';
 import { setupRedirectServer } from './setup_redirect_server';
 import { registerHapiPlugins } from './register_hapi_plugins';
 import { setupBasePathRewrite } from './setup_base_path_rewrite';
+import { setupBasePathProvider } from './setup_base_path_provider';
 import { setupXsrf } from './xsrf';
 
 export default async function (kbnServer, server, config) {
@@ -20,6 +21,7 @@ export default async function (kbnServer, server, config) {
 
   setupConnection(server, config);
   setupBasePathRewrite(server, config);
+  setupBasePathProvider(server, config);
   await setupRedirectServer(config);
   registerHapiPlugins(server);
 
diff --git a/src/server/http/setup_base_path_provider.js b/src/server/http/setup_base_path_provider.js
new file mode 100644
index 00000000000000..a1655d0124dbc4
--- /dev/null
+++ b/src/server/http/setup_base_path_provider.js
@@ -0,0 +1,19 @@
+export function setupBasePathProvider(server, config) {
+
+  server.decorate('request', 'setBasePath', function (basePath) {
+    const request = this;
+    if (request.app._basePath) {
+      throw new Error(`Request basePath was previously set. Setting multiple times is not supported.`);
+    }
+    request.app._basePath = basePath;
+  });
+
+  server.decorate('request', 'getBasePath', function () {
+    const request = this;
+
+    const serverBasePath = config.get('server.basePath');
+    const requestBasePath = request.app._basePath || '';
+
+    return `${serverBasePath}${requestBasePath}`;
+  });
+}
diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index 71bc7da340c563..5780998378cf84 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -8,6 +8,7 @@ import { resolve } from 'path';
 import { validateConfig } from './server/lib/validate_config';
 import { checkLicense } from './server/lib/check_license';
 import { initSpacesApi } from './server/routes/api/v1/spaces';
+import { initSpacesRequestInterceptors } from './server/lib/space_request_interceptors';
 import { mirrorPluginStatus } from '../../server/lib/mirror_plugin_status';
 import mappings from './mappings.json';
 
@@ -36,7 +37,9 @@ export const spaces = (kibana) => new kibana.Plugin({
     mappings,
     home: ['plugins/spaces/register_feature'],
     injectDefaultVars: function () {
-      return { };
+      return {
+        spaces: []
+      };
     }
   },
 
@@ -53,5 +56,7 @@ export const spaces = (kibana) => new kibana.Plugin({
     validateConfig(config, message => server.log(['spaces', 'warning'], message));
 
     initSpacesApi(server);
+
+    initSpacesRequestInterceptors(server);
   }
 });
diff --git a/x-pack/plugins/spaces/mappings.json b/x-pack/plugins/spaces/mappings.json
index 835d2c299e0edc..2a26218cd48fb2 100644
--- a/x-pack/plugins/spaces/mappings.json
+++ b/x-pack/plugins/spaces/mappings.json
@@ -1,9 +1,15 @@
 {
+  "spaceId": {
+    "type": "keyword"
+  },
   "space": {
     "properties": {
       "name": {
         "type": "text"
       },
+      "urlContext": {
+        "type": "keyword"
+      },
       "description": {
         "type": "text"
       }
diff --git a/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap b/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap
new file mode 100644
index 00000000000000..936f678055d413
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap
@@ -0,0 +1,15 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`it renders without crashing 1`] = `
+<div
+  className="euiHeader"
+>
+  <div
+    className="euiHeaderSection euiHeaderSection--left"
+  >
+    <div
+      className="euiHeaderBreadcrumbs"
+    />
+  </div>
+</div>
+`;
diff --git a/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
index 7e04213f6d4667..b7cc6e887e84d3 100644
--- a/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
@@ -23,6 +23,8 @@ import { PageHeader } from './page_header';
 import { DeleteSpacesButton } from './delete_spaces_button';
 
 import { Notifier, toastNotifications } from 'ui/notify';
+import { UrlContext } from './url_context';
+import { toUrlContext, isValidUrlContext } from '../lib/url_context_utils';
 
 export class ManageSpacePage extends React.Component {
   state = {
@@ -105,6 +107,13 @@ export class ManageSpacePage extends React.Component {
               />
             </EuiFormRow>
 
+            <UrlContext
+              space={this.state.space}
+              editingExistingSpace={this.editingExistingSpace()}
+              editable={true}
+              onChange={this.onUrlContextChange}
+            />
+
             <EuiFlexGroup>
               <EuiFlexItem grow={false}>
                 <EuiButton fill onClick={this.saveSpace}>Save</EuiButton>
@@ -146,10 +155,21 @@ export class ManageSpacePage extends React.Component {
   };
 
   onNameChange = (e) => {
+    const canUpdateContext = !this.editingExistingSpace();
+
+    let {
+      urlContext
+    } = this.state.space;
+
+    if (canUpdateContext) {
+      urlContext = toUrlContext(e.target.value);
+    }
+
     this.setState({
       space: {
         ...this.state.space,
-        name: e.target.value
+        name: e.target.value,
+        urlContext
       }
     });
   };
@@ -163,6 +183,15 @@ export class ManageSpacePage extends React.Component {
     });
   };
 
+  onUrlContextChange = (e) => {
+    this.setState({
+      space: {
+        ...this.state.space,
+        urlContext: toUrlContext(e.target.value)
+      }
+    });
+  };
+
   saveSpace = () => {
     this.setState({
       validate: true
@@ -176,8 +205,9 @@ export class ManageSpacePage extends React.Component {
   _performSave = () => {
     const {
       name = '',
-      id = name.toLowerCase().replace(/\s/g, '-'),
-      description
+      id = toUrlContext(name),
+      description,
+      urlContext
     } = this.state.space;
 
     const { httpAgent, chrome } = this.props;
@@ -185,7 +215,8 @@ export class ManageSpacePage extends React.Component {
     const params = {
       name,
       id,
-      description
+      description,
+      urlContext
     };
 
     const overwrite = this.editingExistingSpace();
@@ -249,12 +280,39 @@ export class ManageSpacePage extends React.Component {
     return {};
   };
 
+  validateUrlContext = () => {
+    if (!this.state.validate) {
+      return {};
+    }
+
+    const {
+      urlContext
+    } = this.state.space;
+
+    if (!urlContext) {
+      return {
+        isInvalid: true,
+        error: 'URL Context is required'
+      };
+    }
+
+    if (!isValidUrlContext(urlContext)) {
+      return {
+        isInvalid: true,
+        error: 'URL Context only allows a-z, 0-9, and the "-" character'
+      };
+    }
+
+    return {};
+
+  };
+
   validateForm = () => {
     if (!this.state.validate) {
       return {};
     }
 
-    const validations = [this.validateName(), this.validateDescription()];
+    const validations = [this.validateName(), this.validateDescription(), this.validateUrlContext()];
     if (validations.some(validation => validation.isInvalid)) {
       return {
         isInvalid: true
diff --git a/x-pack/plugins/spaces/public/views/management/components/page_header.test.js b/x-pack/plugins/spaces/public/views/management/components/page_header.test.js
new file mode 100644
index 00000000000000..b960175b38debd
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/page_header.test.js
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { PageHeader } from './page_header';
+import { render } from 'enzyme';
+import renderer from 'react-test-renderer';
+
+test('it renders without crashing', () => {
+  const component = renderer.create(
+    <PageHeader breadcrumbs={[]}/>
+  );
+  expect(component).toMatchSnapshot();
+});
+
+test('it renders breadcrumbs', () => {
+  const component = render(
+    <PageHeader breadcrumbs={[{
+      id: 'id-1',
+      href: 'myhref-1',
+      current: false
+    }, {
+      id: 'id-2',
+      href: 'myhref-2',
+      current: true
+    }]}
+    />
+  );
+
+  expect(component.find('a')).toHaveLength(2);
+
+});
diff --git a/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js b/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js
index 4bb49bcbe23e7e..c89ae778afbc5b 100644
--- a/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js
+++ b/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js
@@ -155,6 +155,10 @@ export class SpacesGridPage extends Component {
       field: 'description',
       name: 'Description',
       sortable: true
+    }, {
+      field: 'urlContext',
+      name: 'URL Context',
+      sortable: true
     }];
   }
 
diff --git a/x-pack/plugins/spaces/public/views/management/components/url_context.js b/x-pack/plugins/spaces/public/views/management/components/url_context.js
new file mode 100644
index 00000000000000..418a51b29347e4
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/url_context.js
@@ -0,0 +1,97 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component, Fragment } from 'react';
+import PropTypes from 'prop-types';
+import {
+  EuiFormRow,
+  EuiLink,
+  EuiFieldText,
+  EuiCallOut,
+  EuiSpacer
+} from '@elastic/eui';
+
+export class UrlContext extends Component {
+  textFieldRef = null;
+
+  state = {
+    editing: false
+  };
+
+  render() {
+    const {
+      urlContext = ''
+    } = this.props.space;
+
+    return (
+      <Fragment>
+        <EuiFormRow
+          label={this.getLabel()}
+          helpText={this.getHelpText()}
+        >
+          <div>
+            <EuiFieldText
+              readOnly={!this.state.editing}
+              placeholder={this.state.editing ? null : 'give your space a name to see its URL Context'}
+              value={urlContext}
+              onChange={this.onChange}
+              inputRef={(ref) => this.textFieldRef = ref}
+            />
+            {this.getCallOut()}
+          </div>
+        </EuiFormRow>
+      </Fragment>
+    );
+  }
+
+  getLabel = () => {
+    const editLinkText = this.state.editing ? `[stop editing]` : `[edit]`;
+    return (<p>URL Context <EuiLink onClick={this.onEditClick}>{editLinkText}</EuiLink></p>);
+  };
+
+  getHelpText = () => {
+    return (<p>Links within Kibana will include this space identifier</p>);
+  };
+
+  getCallOut = () => {
+    if (this.props.editingExistingSpace && this.state.editing) {
+      return (
+        <Fragment>
+          <EuiSpacer />
+          <EuiCallOut
+            color={'warning'}
+            size={'s'}
+            title={'Changing the URL Context will invalidate all existing links and bookmarks to this space'}
+          />
+        </Fragment>
+      );
+    }
+
+    return null;
+  };
+
+  onEditClick = () => {
+    this.setState({
+      editing: !this.state.editing
+    }, () => {
+      if (this.textFieldRef && this.state.editing) {
+        this.textFieldRef.focus();
+      }
+    });
+  };
+
+  onChange = (e) => {
+    if (!this.state.editing) return;
+    this.props.onChange(e);
+  };
+}
+
+UrlContext.propTypes = {
+  space: PropTypes.object.isRequired,
+  editable: PropTypes.bool.isRequired,
+  editingExistingSpace: PropTypes.bool.isRequired,
+  onChange: PropTypes.func
+};
diff --git a/x-pack/plugins/spaces/public/views/management/lib/url_context_utils.js b/x-pack/plugins/spaces/public/views/management/lib/url_context_utils.js
new file mode 100644
index 00000000000000..bf9fe48d4037ac
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/lib/url_context_utils.js
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export function toUrlContext(value = '') {
+  return value.toLowerCase().replace(/[^a-z0-9]/g, '-');
+}
+
+export function isValidUrlContext(value = '') {
+  return value === toUrlContext(value);
+}
diff --git a/x-pack/plugins/spaces/public/views/management/lib/url_context_utils.test.js b/x-pack/plugins/spaces/public/views/management/lib/url_context_utils.test.js
new file mode 100644
index 00000000000000..522436163271fb
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/lib/url_context_utils.test.js
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { toUrlContext } from './url_context_utils';
+
+test('it converts whitespace to dashes', () => {
+  const input = `this is a test`;
+  expect(toUrlContext(input)).toEqual('this-is-a-test');
+});
+
+test('it converts everything to lowercase', () => {
+  const input = `THIS IS A TEST`;
+  expect(toUrlContext(input)).toEqual('this-is-a-test');
+});
+
+test('it converts non-alphanumeric characters to dashes', () => {
+  const input = `~!@#$%^&*()_+-=[]{}\|';:"/.,<>?` + "`";
+
+  const expectedResult = new Array(input.length + 1).join('-');
+
+  expect(toUrlContext(input)).toEqual(expectedResult);
+});
diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
new file mode 100644
index 00000000000000..cfb329dd6d7a16
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
@@ -0,0 +1,77 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`it renders without crashing 1`] = `
+<div
+  className="euiPage"
+>
+  <div
+    className="euiPageHeader"
+  >
+    <div
+      className="euiPageHeaderSection logoHeader"
+    >
+      <svg
+        className="euiIcon euiIcon--xxLarge"
+        height="40"
+        style={
+          Object {
+            "fill": undefined,
+          }
+        }
+        viewBox="0 0 30 40"
+        width="30"
+        xmlns="http://www.w3.org/2000/svg"
+      >
+        <path
+          d="M.874 40H30c0-8.046-4.566-15.197-11.652-19.768L.874 40z"
+          fill="#3EBEB0"
+        />
+        <path
+          d="M0 26v14h1.873L18.35 20.229a31.291 31.291 0 0 0-3.562-1.974L0 26z"
+          fill="#37A595"
+        />
+        <path
+          d="M0 13v23l14.79-17.748C10.424 16.186 15.38 14 10 14L0 13z"
+          fill="#353535"
+        />
+        <path
+          d="M30 0H0v15c5.38 0 10.424 1.186 14.79 3.252L30 0z"
+          fill="#E9478B"
+        />
+      </svg>
+    </div>
+  </div>
+  <div
+    className="euiPageBody"
+  >
+    <div
+      className="euiPanel euiPanel--paddingLarge euiPageContent"
+    >
+      <div
+        className="euiText spaceWelcomeText"
+      >
+        <p
+          className="welcomeLarge"
+        >
+          Welcome to Kibana.
+        </p>
+        <p
+          className="welcomeMedium"
+        >
+          Select a space to begin.
+        </p>
+      </div>
+      <div
+        className="euiFlexGroup euiFlexGroup--gutterLarge euiFlexGroup--justifyContentSpaceEvenly euiFlexGroup--responsive spacesGroup"
+      />
+      <div
+        className="euiText spaceProfileText"
+      >
+        <p>
+          You can change your workspace at anytime by accessing your profile within Kibana.
+        </p>
+      </div>
+    </div>
+  </div>
+</div>
+`;
diff --git a/x-pack/plugins/spaces/public/views/space_selector/index.js b/x-pack/plugins/spaces/public/views/space_selector/index.js
index ee258cc542bd14..21efd3d762dda6 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/index.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/index.js
@@ -15,9 +15,9 @@ import { render, unmountComponentAtNode } from 'react-dom';
 import { SpaceSelector } from './space_selector';
 
 const module = uiModules.get('spaces_selector', []);
-module.controller('spacesSelectorController', ($scope, $http) => {
+module.controller('spacesSelectorController', ($scope, $http, spaces) => {
   const domNode = document.getElementById('spaceSelectorRoot');
-  render(<SpaceSelector httpAgent={$http} chrome={chrome} />, domNode);
+  render(<SpaceSelector spaces={spaces} httpAgent={$http} chrome={chrome} />, domNode);
 
   // unmount react on controller destroy
   $scope.$on('$destroy', () => {
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
index 4a4a042c587f02..9137262bc0efd5 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
@@ -5,6 +5,7 @@
  */
 
 import React, { Component } from 'react';
+import PropTypes from 'prop-types';
 import {
   EuiPage,
   EuiPageHeader,
@@ -24,8 +25,17 @@ export class SpaceSelector extends Component {
     spaces: []
   };
 
+  constructor(props) {
+    super(props);
+    if (Array.isArray(props.spaces)) {
+      this.state.spaces = [...props.spaces];
+    }
+  }
+
   componentDidMount() {
-    this.loadSpaces();
+    if (this.state.spaces.length === 0) {
+      this.loadSpaces();
+    }
   }
 
   loadSpaces() {
@@ -81,7 +91,7 @@ export class SpaceSelector extends Component {
           icon={<EuiIcon size="xxl" type={space.logo} />}
           title={this.renderSpaceTitle(space)}
           description={space.description}
-          onClick={() => window.alert('Card clicked')}
+          onClick={this.createSpaceClickHandler(space)}
         />
       </EuiFlexItem>
     );
@@ -96,4 +106,16 @@ export class SpaceSelector extends Component {
     );
   };
 
+  createSpaceClickHandler = (space) => {
+    return () => {
+      window.location = this.props.chrome.addBasePath(`/s/${space.urlContext}`);
+    };
+  }
+
 }
+
+SpaceSelector.propTypes = {
+  spaces: PropTypes.array,
+  httpAgent: PropTypes.func.isRequired,
+  chrome: PropTypes.object.isRequired,
+};
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js
new file mode 100644
index 00000000000000..e32f6045191299
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js
@@ -0,0 +1,71 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { SpaceSelector } from './space_selector';
+import chrome from 'ui/chrome';
+import renderer from 'react-test-renderer';
+import { render, shallow } from 'enzyme';
+
+function getHttpAgent(spaces = []) {
+  const httpAgent = () => {};
+  httpAgent.get = jest.fn(() => Promise.resolve({ data: spaces }));
+
+  return httpAgent;
+}
+
+
+test('it renders without crashing', () => {
+  const httpAgent = getHttpAgent();
+  const component = renderer.create(
+    <SpaceSelector spaces={[]} httpAgent={httpAgent} chrome={chrome}/>
+  );
+  expect(component).toMatchSnapshot();
+});
+
+test('it uses the spaces on props, when provided', () => {
+  const httpAgent = getHttpAgent();
+
+  const spaces = [{
+    id: 'space-1',
+    name: 'Space 1',
+    description: 'This is the first space',
+    urlContext: 'space-1-context'
+  }];
+
+  const component = render(
+    <SpaceSelector spaces={spaces} httpAgent={httpAgent} chrome={chrome}/>
+  );
+
+  return Promise
+    .resolve()
+    .then(() => {
+      expect(component.find('.spaceCard')).toHaveLength(1);
+      expect(httpAgent.get).toHaveBeenCalledTimes(0);
+    });
+});
+
+test('it queries for spaces when not provided on props', () => {
+  const spaces = [{
+    id: 'space-1',
+    name: 'Space 1',
+    description: 'This is the first space',
+    urlContext: 'space-1-context'
+  }];
+
+  const httpAgent = getHttpAgent(spaces);
+
+  const component = shallow(
+    <SpaceSelector httpAgent={httpAgent} chrome={chrome}/>
+  );
+
+  return Promise
+    .resolve()
+    .then(() => {
+      expect(httpAgent.get).toHaveBeenCalledTimes(1);
+      expect(component.update().find('.spaceCard')).toHaveLength(1);
+    });
+});
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.js b/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
new file mode 100644
index 00000000000000..c7d8f71d713132
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
@@ -0,0 +1,73 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { wrapError } from './errors';
+
+export function initSpacesRequestInterceptors(server) {
+  const contextCache = new WeakMap();
+
+  server.ext('onRequest', async function spacesOnRequestHandler(request, reply) {
+    const path = request.path;
+
+    // If navigating within the context of a space, then we store the Space's URL Context on the request,
+    // and rewrite the request to not include the space identifier in the URL.
+
+    if (path.startsWith('/s/')) {
+      const pathParts = path.split('/');
+
+      const spaceUrlContext = pathParts[2];
+
+      const reqBasePath = `/s/${spaceUrlContext}`;
+      request.setBasePath(reqBasePath);
+
+      const newUrl = {
+        ...request.url,
+        path: path.substr(reqBasePath.length) || '/',
+        pathname: path.substr(reqBasePath.length) || '/',
+        href: path.substr(reqBasePath.length) || '/'
+      };
+
+      request.setUrl(newUrl);
+      contextCache.set(request, spaceUrlContext);
+    }
+
+    return reply.continue();
+  });
+
+  server.ext('onPostAuth', async function spacesOnRequestHandler(request, reply) {
+    const path = request.path;
+
+    const isRequestingKibanaRoot = path === '/';
+    const urlContext = contextCache.get(request);
+
+    // if requesting the application root, then show the Space Selector UI to allow the user to choose which space
+    // they wish to visit. This is done "onPostAuth" to allow the Saved Objects Client to use the request's auth scope,
+    // which is not available at the time of "onRequest".
+    if (isRequestingKibanaRoot && !urlContext) {
+      try {
+        const client = request.getSavedObjectsClient();
+        const { total, saved_objects: spaceObjects } = await client.find({
+          type: 'space'
+        });
+
+        if (total > 0) {
+          // render spaces selector instead of home page
+          const app = server.getHiddenUiAppById('space_selector');
+          return reply.renderApp(app, {
+            spaces: spaceObjects.map(so => ({ ...so.attributes, id: so.id }))
+          });
+        }
+
+      } catch(e) {
+        return reply(wrapError(e));
+      }
+    }
+
+    return reply.continue();
+  });
+
+
+}
diff --git a/x-pack/plugins/spaces/server/lib/space_schema.js b/x-pack/plugins/spaces/server/lib/space_schema.js
index 4ed8d965fe0400..d4f7af6f4c37f8 100644
--- a/x-pack/plugins/spaces/server/lib/space_schema.js
+++ b/x-pack/plugins/spaces/server/lib/space_schema.js
@@ -6,9 +6,9 @@
 
 import Joi from 'joi';
 
-export const spaceSchema = {
+export const spaceSchema = Joi.object({
   id: Joi.string(),
   name: Joi.string().required(),
   description: Joi.string().required(),
-  metadata: Joi.object(),
-};
\ No newline at end of file
+  urlContext: Joi.string().regex(/[a-z0-9\-]+/, `lower case, a-z, 0-9, and "-" are allowed`).required()
+}).default();
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
index 003e4e7f55cb2d..647cebe8dfce56 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
@@ -44,21 +44,23 @@ export function initSpacesApi(server) {
     method: 'GET',
     path: '/api/spaces/v1/spaces/{id}',
     async handler(request, reply) {
-      const id = request.params.id;
+      const spaceId = request.params.id;
 
       const client = request.getSavedObjectsClient();
 
-      let space;
       try {
-        space = await client.get('space', id);
+        const {
+          id,
+          attributes
+        } = await client.get('space', spaceId);
+
+        return reply({
+          id,
+          ...attributes
+        });
       } catch (e) {
         return reply(wrapError(e));
       }
-
-      return reply({
-        ...space.attributes,
-        id: space.id
-      });
     },
     config: {
       pre: [routePreCheckLicenseFn]

From d679cf55392fa2a9ccdc32400b4a84ae15d59c64 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Wed, 16 May 2018 10:01:25 -0400
Subject: [PATCH 014/183] Beginning to use the ES APIs to insert/check
 privileges (#18645)

* Beginning to use the ES APIs to insert/check privileges

* Removing todo comment, I think we're good with the current check

* Adding ability to edit kibana application privileges

* Introducing DEFAULT_RESOURCE constant

* Removing unused arguments when performing saved objects auth check

* Performing bulkCreate auth more efficiently

* Throwing error in SavedObjectClient.find if type isn't provided

* Fixing Reporting and removing errant console.log

* Introducing a separate hasPrivileges "service"

* Adding tests and fleshing out the has privileges "service"

* Fixing error message

* You can now edit whatever roles you want

* We're gonna throw the find error in another PR

* Changing conflicting version detection to work when user has no
application privileges

* Throwing correct error when user is forbidden

* Removing unused interceptor

* Adding warning if they're editing a role with application privileges we
can't edit

* Fixing filter...

* Beginning to only update privileges when they need to be

* More tests

* One more test...

* Restricting the rbac application name that can be chosen

* Removing DEFAULT_RESOURCE check

* Supporting 1024 characters for the role name

* Renaming some variables, fixing issue with role w/ no kibana privileges

* Throwing decorated general error when appropriate

* Fixing test description

* Dedent does nothing...

* Renaming some functions
---
 .../printable_pdf/server/execute_job/index.js |   3 +-
 x-pack/plugins/security/common/constants.js   |   7 +
 x-pack/plugins/security/index.js              |  16 +-
 .../public/views/management/edit_role.html    |  29 ++-
 .../public/views/management/edit_role.js      |  71 +++++-
 .../__snapshots__/has_privileges.test.js.snap |   3 +
 .../lib/authorization/create_default_roles.js |  24 +-
 .../lib/authorization/has_privileges.js       |  55 +++++
 .../lib/authorization/has_privileges.test.js  | 231 ++++++++++++++++++
 .../lib/privileges/equivalent_privileges.js   |  11 +
 .../security/server/lib/privileges/index.js   |   8 +
 .../privileges/privilege_action_registry.js   |  19 +-
 .../privilege_action_registry.test.js         | 209 ++++++++++++++++
 .../server/lib/privileges/privileges.js       |  58 ++---
 .../lib/saved_object_client_interceptor.js    |  42 ----
 .../secure_options_builder.js                 |   6 +-
 .../secure_saved_objects_client.js            |  59 ++---
 .../security/server/lib/validate_config.js    |   1 -
 .../server/routes/api/v1/privileges.js        |   4 +-
 .../v1/roles/contains_other_applications.js   |  15 --
 .../roles/contains_other_applications.test.js |  66 -----
 .../server/routes/api/v1/roles/index.js       |  12 +-
 22 files changed, 709 insertions(+), 240 deletions(-)
 create mode 100644 x-pack/plugins/security/common/constants.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/__snapshots__/has_privileges.test.js.snap
 create mode 100644 x-pack/plugins/security/server/lib/authorization/has_privileges.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
 create mode 100644 x-pack/plugins/security/server/lib/privileges/equivalent_privileges.js
 create mode 100644 x-pack/plugins/security/server/lib/privileges/index.js
 create mode 100644 x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
 delete mode 100644 x-pack/plugins/security/server/lib/saved_object_client_interceptor.js
 delete mode 100644 x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.js
 delete mode 100644 x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.test.js

diff --git a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/index.js b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/index.js
index 9010af6a71234b..3c0e2854428c4d 100644
--- a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/index.js
+++ b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/index.js
@@ -45,7 +45,8 @@ function executeJobFn(server) {
       return callWithRequest(fakeRequest, endpoint, clientParams, options);
     };
     const savedObjectsClient = server.savedObjectsClientFactory({
-      callCluster: callEndpoint
+      callCluster: callEndpoint,
+      request: fakeRequest
     });
     const uiSettings = server.uiSettingsServiceFactory({
       savedObjectsClient
diff --git a/x-pack/plugins/security/common/constants.js b/x-pack/plugins/security/common/constants.js
new file mode 100644
index 00000000000000..2786acb56b0571
--- /dev/null
+++ b/x-pack/plugins/security/common/constants.js
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const DEFAULT_RESOURCE = 'default';
diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 2810f7ae3cb7fb..0346fa90b9cfa2 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -19,9 +19,10 @@ import { initAuthenticator } from './server/lib/authentication/authenticator';
 import { mirrorStatusAndInitialize } from './server/lib/mirror_status_and_initialize';
 import { secureSavedObjectsClientWrapper } from './server/lib/saved_objects_client/saved_objects_client_wrapper';
 import { secureSavedObjectsClientOptionsBuilder } from './server/lib/saved_objects_client/secure_options_builder';
-import { registerPrivilegesWithCluster } from './server/lib/privileges/privilege_action_registry';
+import { registerPrivilegesWithCluster } from './server/lib/privileges';
 import { createDefaultRoles } from './server/lib/authorization/create_default_roles';
 import { initPrivilegesApi } from './server/routes/api/v1/privileges';
+import { hasPrivilegesWithServer } from './server/lib/authorization/has_privileges';
 
 export const security = (kibana) => new kibana.Plugin({
   id: 'security',
@@ -45,7 +46,10 @@ export const security = (kibana) => new kibana.Plugin({
       rbac: Joi.object({
         enabled: Joi.boolean().default(false),
         createDefaultRoles: Joi.boolean().default(true),
-        application: Joi.string().default('kibana'),
+        application: Joi.string().default('kibana').regex(
+          /[a-zA-Z0-9-_]+/,
+          `may contain alphanumeric characters (a-z, A-Z, 0-9), underscores and hyphens`
+        ),
       }).default(),
     }).default();
   },
@@ -75,7 +79,8 @@ export const security = (kibana) => new kibana.Plugin({
       return {
         secureCookies: config.get('xpack.security.secureCookies'),
         sessionTimeout: config.get('xpack.security.sessionTimeout'),
-        rbacEnabled: config.get('xpack.security.rbac.enabled')
+        rbacEnabled: config.get('xpack.security.rbac.enabled'),
+        rbacApplication: config.get('xpack.security.rbac.application'),
       };
     }
   },
@@ -107,8 +112,11 @@ export const security = (kibana) => new kibana.Plugin({
     server.auth.strategy('session', 'login', 'required');
 
     if (config.get('xpack.security.rbac.enabled')) {
+      const hasPrivilegesWithRequest = hasPrivilegesWithServer(server);
       const savedObjectsClientProvider = server.getSavedObjectsClientProvider();
-      savedObjectsClientProvider.addClientOptionBuilder((options) => secureSavedObjectsClientOptionsBuilder(server, options));
+      savedObjectsClientProvider.addClientOptionBuilder(options =>
+        secureSavedObjectsClientOptionsBuilder(server, hasPrivilegesWithRequest, options)
+      );
       savedObjectsClientProvider.addClientWrapper(secureSavedObjectsClientWrapper);
     }
 
diff --git a/x-pack/plugins/security/public/views/management/edit_role.html b/x-pack/plugins/security/public/views/management/edit_role.html
index 768f50a2107586..8c8c5d692cce21 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.html
+++ b/x-pack/plugins/security/public/views/management/edit_role.html
@@ -1,8 +1,10 @@
 <kbn-management-app section="security" omit-breadcrumb-pages="['edit']">
   <!-- This content gets injected below the localNav. -->
   <div class="kuiViewContent kuiViewContent--constrainedWidth kuiViewContentItem">
+
     <!-- Subheader -->
     <div class="kuiBar kuiVerticalRhythm">
+
       <div class="kuiBarSection">
         <!-- Title -->
         <h1 class="kuiTitle">
@@ -39,6 +41,18 @@ <h1 class="kuiTitle">
       </div>
     </div>
 
+    <div class="kuiBar kuiVerticalRhythm" ng-if="otherApplications.length > 0">
+      <div class="kuiInfoPanel kuiInfoPanel--warning">
+        <div class="kuiInfoPanelHeader">
+          <span class="kuiInfoPanelHeader__icon kuiIcon kuiIcon--warning fa-warning"></span>
+          <span class="kuiInfoPanelHeader__title">
+            This role contains application privileges for the {{ otherApplications.join(', ') }} application(s) that can't be edited.
+            If they are for other instances of Kibana, you must manage those privileges on that Kibana.
+          </span>
+        </div>
+      </div>
+    </div>
+
     <!-- Form -->
     <form name="form" novalidate class="kuiVerticalRhythm">
       <!-- Name -->
@@ -56,7 +70,7 @@ <h1 class="kuiTitle">
           ng-model="role.name"
           required
           pattern="[a-zA-Z_][a-zA-Z0-9_@\-\$\.]*"
-          maxlength="30"
+          maxlength="1024"
           data-test-subj="roleFormNameInput"
         />
 
@@ -102,20 +116,15 @@ <h1 class="kuiTitle">
             Kibana Privileges
           </label>
 
-          <div class="kuiInputNote kuiInputNote--warning" ng-if="role.hasUnsupportedCustomPrivileges">
-            Changes to this section are not supported: this role contains application privileges that do not belong to this instance of Kibana.
-          </div>
-
-          <div ng-repeat="privilege in kibanaPrivileges track by privilege.name">
+          <div ng-repeat="(key, value) in kibanaPrivileges">
             <label>
               <input
                 class="kuiCheckBox"
                 type="checkbox"
-                ng-checked="includesPermission(role, privilege)"
-                ng-click="togglePermission(role, privilege)"
-                ng-disabled="role.metadata._reserved || !isRoleEnabled(role) || role.hasUnsupportedCustomPrivileges"
+                ng-model="kibanaPrivileges[key]"
+                ng-disabled="role.metadata._reserved || !isRoleEnabled(role)"
               />
-              <span class="kuiOptionLabel">{{privilege.metadata.displayName}}</span>
+              <span class="kuiOptionLabel">{{key}}</span>
             </label>
           </div>
         </div>
diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
index 349807d1836c80..3f0ab02129dbb3 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role.js
@@ -21,6 +21,57 @@ import { IndexPatternsProvider } from 'ui/index_patterns/index_patterns';
 import { XPackInfoProvider } from 'plugins/xpack_main/services/xpack_info';
 import { checkLicenseError } from 'plugins/security/lib/check_license_error';
 import { EDIT_ROLES_PATH, ROLES_PATH } from './management_urls';
+import { DEFAULT_RESOURCE } from '../../../common/constants';
+
+const getKibanaPrivileges = (kibanaApplicationPrivilege, role, application) => {
+  const kibanaPrivileges = kibanaApplicationPrivilege.reduce((acc, p) => {
+    acc[p.name] = false;
+    return acc;
+  }, {});
+
+  if (!role.applications || role.applications.length === 0) {
+    return kibanaPrivileges;
+  }
+
+  const applications = role.applications.filter(x => x.application === application);
+
+  const assigned =  _.uniq(_.flatten(_.pluck(applications, 'privileges')));
+  assigned.forEach(a => {
+    kibanaPrivileges[a] = true;
+  });
+
+  return kibanaPrivileges;
+};
+
+const setApplicationPrivileges = (kibanaPrivileges, role, application) => {
+  if (!role.applications) {
+    role.applications = [];
+  }
+
+  // we first remove the matching application entries
+  role.applications = role.applications.filter(x => {
+    return x.application !== application;
+  });
+
+  const privileges = Object.keys(kibanaPrivileges).filter(key => kibanaPrivileges[key]);
+
+  // if we still have them, put the application entry back
+  if (privileges.length > 0) {
+    role.applications = [...role.applications, {
+      application,
+      privileges,
+      resources: [ DEFAULT_RESOURCE ]
+    }];
+  }
+};
+
+const getOtherApplications = (kibanaPrivileges, role, application) => {
+  if (!role.applications || role.applications.length === 0) {
+    return [];
+  }
+
+  return role.applications.map(x => x.application).filter(x => x !== application);
+};
 
 routes.when(`${EDIT_ROLES_PATH}/:name?`, {
   template,
@@ -48,7 +99,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
         applications: []
       });
     },
-    kibanaPrivileges(ApplicationPrivilege, kbnUrl, Promise, Private) {
+    kibanaApplicationPrivilege(ApplicationPrivilege, kbnUrl, Promise, Private) {
       return ApplicationPrivilege.query().$promise
         .catch(checkLicenseError(kbnUrl, Promise, Private));
     },
@@ -64,7 +115,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     }
   },
   controllerAs: 'editRole',
-  controller($injector, $scope, rbacEnabled) {
+  controller($injector, $scope, rbacEnabled, rbacApplication) {
     const $route = $injector.get('$route');
     const kbnUrl = $injector.get('kbnUrl');
     const shieldPrivileges = $injector.get('shieldPrivileges');
@@ -77,8 +128,13 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     $scope.users = $route.current.locals.users;
     $scope.indexPatterns = $route.current.locals.indexPatterns;
     $scope.privileges = shieldPrivileges;
-    $scope.kibanaPrivileges = $route.current.locals.kibanaPrivileges;
+
     $scope.rbacEnabled = rbacEnabled;
+    const kibanaApplicationPrivilege = $route.current.locals.kibanaApplicationPrivilege;
+    const role = $route.current.locals.role;
+    $scope.kibanaPrivileges = getKibanaPrivileges(kibanaApplicationPrivilege, role, rbacApplication);
+    $scope.otherApplications = getOtherApplications(kibanaApplicationPrivilege, role, rbacApplication);
+
     $scope.rolesHref = `#${ROLES_PATH}`;
 
     this.isNewRole = $route.current.params.name == null;
@@ -103,6 +159,9 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     $scope.saveRole = (role) => {
       role.indices = role.indices.filter((index) => index.names.length);
       role.indices.forEach((index) => index.query || delete index.query);
+
+      setApplicationPrivileges($scope.kibanaPrivileges, role, rbacApplication);
+
       return role.$save()
         .then(() => toastNotifications.addSuccess('Updated role'))
         .then($scope.goToRoleList)
@@ -156,12 +215,6 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
       }
     };
 
-    $scope.hasPermission = (role, permission) => {
-      // TODO(legrego): faking until ES is implemented
-      const rolePermissions = role.applications || [];
-      return rolePermissions.find(rolePermission => permission.name === rolePermission.name);
-    };
-
     $scope.union = _.flow(_.union, _.compact);
   }
 });
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/has_privileges.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/has_privileges.test.js.snap
new file mode 100644
index 00000000000000..e191d4b14b6f00
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/has_privileges.test.js.snap
@@ -0,0 +1,3 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`throws error if missing version privilege and has login privilege 1`] = `"Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user."`;
diff --git a/x-pack/plugins/security/server/lib/authorization/create_default_roles.js b/x-pack/plugins/security/server/lib/authorization/create_default_roles.js
index 73837d0e490f74..933c36a98cf7ab 100644
--- a/x-pack/plugins/security/server/lib/authorization/create_default_roles.js
+++ b/x-pack/plugins/security/server/lib/authorization/create_default_roles.js
@@ -8,9 +8,10 @@
  * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
 
 import { getClient } from '../../../../../server/lib/get_client_shield';
+import { DEFAULT_RESOURCE } from '../../../common/constants';
 
 
-const createRoleIfDoesntExist = async (callCluster, name) => {
+const createRoleIfDoesntExist = async (callCluster, { name, application, privilege }) => {
   try {
     await callCluster('shield.getRole', { name });
   } catch (err) {
@@ -23,7 +24,13 @@ const createRoleIfDoesntExist = async (callCluster, name) => {
       body: {
         cluster: [],
         index: [],
-        // application: [ { "privileges": [ "kibana:all" ], "resources": [ "*" ] } ]
+        applications: [
+          {
+            application,
+            privileges: [ privilege ],
+            resources: [ DEFAULT_RESOURCE ]
+          }
+        ]
       }
     });
   }
@@ -40,8 +47,17 @@ export async function createDefaultRoles(server) {
 
   const callCluster = getClient(server).callWithInternalUser;
 
-  const createKibanaUserRole = createRoleIfDoesntExist(callCluster, `${application}_rbac_user`);
-  const createKibanaDashboardOnlyRole = createRoleIfDoesntExist(callCluster, `${application}_rbac_dashboard_only_user`);
+  const createKibanaUserRole = createRoleIfDoesntExist(callCluster, {
+    name: `${application}_rbac_user`,
+    application,
+    privilege: 'all'
+  });
+
+  const createKibanaDashboardOnlyRole = createRoleIfDoesntExist(callCluster, {
+    name: `${application}_rbac_dashboard_only_user`,
+    application,
+    privilege: 'read'
+  });
 
   await Promise.all([createKibanaUserRole, createKibanaDashboardOnlyRole]);
 }
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
new file mode 100644
index 00000000000000..bd91272ebbcf56
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { getClient } from '../../../../../server/lib/get_client_shield';
+import { DEFAULT_RESOURCE } from '../../../common/constants';
+import { getVersionPrivilege, getLoginPrivilege } from '../privileges';
+
+const getMissingPrivileges = (resource, application, privilegeCheck) => {
+  const privileges = privilegeCheck.application[application][resource];
+  return Object.keys(privileges).filter(key => privileges[key] === false);
+};
+
+export function hasPrivilegesWithServer(server) {
+  const callWithRequest = getClient(server).callWithRequest;
+
+  const config = server.config();
+  const kibanaVersion = config.get('pkg.version');
+  const application = config.get('xpack.security.rbac.application');
+
+  return function hasPrivilegesWithRequest(request) {
+    return async function hasPrivileges(privileges) {
+
+      const versionPrivilege = getVersionPrivilege(kibanaVersion);
+      const loginPrivilege = getLoginPrivilege();
+
+      const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
+        body: {
+          applications: [{
+            application,
+            resources: [DEFAULT_RESOURCE],
+            privileges: [versionPrivilege, loginPrivilege, ...privileges]
+          }]
+        }
+      });
+
+      const success = privilegeCheck.has_all_requested;
+      const missingPrivileges = getMissingPrivileges(DEFAULT_RESOURCE, application, privilegeCheck);
+
+      // We include the login privilege on all privileges, so the existence of it and not the version privilege
+      // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't
+      // know whether the user just wasn't authorized for this instance of Kibana in general
+      if (missingPrivileges.includes(versionPrivilege) && !missingPrivileges.includes(loginPrivilege)) {
+        throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
+      }
+
+      return {
+        success,
+        missing: missingPrivileges
+      };
+    };
+  };
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
new file mode 100644
index 00000000000000..9d6b9580c47d8f
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
@@ -0,0 +1,231 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { hasPrivilegesWithServer } from './has_privileges';
+import { getClient } from '../../../../../server/lib/get_client_shield';
+import { DEFAULT_RESOURCE } from '../../../common/constants';
+import { getLoginPrivilege, getVersionPrivilege } from '../privileges';
+
+jest.mock('../../../../../server/lib/get_client_shield', () => ({
+  getClient: jest.fn()
+}));
+
+let mockCallWithRequest;
+beforeEach(() => {
+  mockCallWithRequest = jest.fn();
+  getClient.mockReturnValue({
+    callWithRequest: mockCallWithRequest
+  });
+});
+
+const defaultVersion = 'default-version';
+const defaultApplication = 'default-application';
+
+const createMockServer = ({ settings = {} } = {}) => {
+  const mockServer = {
+    config: jest.fn().mockReturnValue({
+      get: jest.fn()
+    })
+  };
+
+  const defaultSettings = {
+    'pkg.version': defaultVersion,
+    'xpack.security.rbac.application': defaultApplication
+  };
+
+  mockServer.config().get.mockImplementation(key => {
+    return key in settings ? settings[key] : defaultSettings[key];
+  });
+
+  return mockServer;
+};
+
+const mockResponse = (hasAllRequested, privileges, application = defaultApplication) => {
+  mockCallWithRequest.mockImplementationOnce(async () => ({
+    has_all_requested: hasAllRequested,
+    application: {
+      [application]: {
+        [DEFAULT_RESOURCE]: privileges
+      }
+    }
+  }));
+};
+
+
+test(`calls shield.hasPrivileges with request`, async () => {
+  const mockServer = createMockServer();
+  mockResponse(true, {
+    [getVersionPrivilege(defaultVersion)]: true,
+    [getLoginPrivilege()]: true,
+    foo: true,
+  });
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const request = {};
+  const hasPrivileges = hasPrivilegesWithRequest(request);
+  await hasPrivileges(['foo']);
+
+  expect(mockCallWithRequest).toHaveBeenCalledWith(request, expect.anything(), expect.anything());
+});
+
+test(`calls shield.hasPrivileges with clientParams`, async () => {
+  const application = 'foo-application';
+  const version = 'foo-version';
+  const mockServer = createMockServer({
+    settings: {
+      'xpack.security.rbac.application': application,
+      'pkg.version': version
+    }
+  });
+
+  mockResponse(true, {
+    [getVersionPrivilege(version)]: true,
+    [getLoginPrivilege()]: true,
+    foo: true,
+  }, application);
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const hasPrivileges = hasPrivilegesWithRequest({});
+
+  const privilege = 'foo';
+  await hasPrivileges([privilege]);
+
+  const clientParams = mockCallWithRequest.mock.calls[0][2];
+  const applicationParam = clientParams.body.applications[0];
+  expect(applicationParam).toHaveProperty('application', application);
+  expect(applicationParam).toHaveProperty('resources', [DEFAULT_RESOURCE]);
+  expect(applicationParam).toHaveProperty('privileges');
+  expect(applicationParam.privileges).toContain(privilege);
+});
+
+test(`includes version privilege when checking privileges`, async () => {
+  const mockServer = createMockServer();
+  mockResponse(true, {
+    [getVersionPrivilege(defaultVersion)]: true,
+    [getLoginPrivilege()]: true,
+    foo: true,
+  });
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const request = {};
+  const hasPrivileges = hasPrivilegesWithRequest(request);
+  await hasPrivileges(['foo']);
+
+  const clientParams = mockCallWithRequest.mock.calls[0][2];
+  const applicationParam = clientParams.body.applications[0];
+  expect(applicationParam.privileges).toContain(getVersionPrivilege(defaultVersion));
+});
+
+test(`includes login privilege when checking privileges`, async () => {
+  const mockServer = createMockServer();
+  mockResponse(true, {
+    [getVersionPrivilege(defaultVersion)]: true,
+    [getLoginPrivilege()]: true,
+    foo: true,
+  });
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const request = {};
+  const hasPrivileges = hasPrivilegesWithRequest(request);
+  await hasPrivileges(['foo']);
+
+  const clientParams = mockCallWithRequest.mock.calls[0][2];
+  const applicationParam = clientParams.body.applications[0];
+  expect(applicationParam.privileges).toContain(getLoginPrivilege());
+});
+
+test(`returns success when has_all_requested`, async () => {
+  const mockServer = createMockServer();
+  mockResponse(true, {
+    [getVersionPrivilege(defaultVersion)]: true,
+    [getLoginPrivilege()]: true,
+    foo: true,
+  });
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const hasPrivileges = hasPrivilegesWithRequest({});
+  const result = await hasPrivileges(['foo']);
+  expect(result.success).toBe(true);
+});
+
+test(`returns false success when has_all_requested is false`, async () => {
+  const mockServer = createMockServer();
+  mockResponse(false, {
+    [getVersionPrivilege(defaultVersion)]: true,
+    [getLoginPrivilege()]: true,
+    foo: false,
+  });
+  mockCallWithRequest.mockImplementationOnce(async () => ({
+    has_all_requested: false,
+    application: {
+      [defaultApplication]: {
+        [DEFAULT_RESOURCE]: {
+          foo: false
+        }
+      }
+    }
+  }));
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const hasPrivileges = hasPrivilegesWithRequest({});
+  const result = await hasPrivileges(['foo']);
+  expect(result.success).toBe(false);
+});
+
+test(`returns missing privileges`, async () => {
+  const mockServer = createMockServer();
+  mockResponse(false, {
+    [getVersionPrivilege(defaultVersion)]: true,
+    [getLoginPrivilege()]: true,
+    foo: false,
+  });
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const hasPrivileges = hasPrivilegesWithRequest({});
+  const result = await hasPrivileges(['foo']);
+  expect(result.missing).toEqual(['foo']);
+});
+
+test(`excludes granted privileges from missing privileges`, async () => {
+  const mockServer = createMockServer();
+  mockResponse(false, {
+    [getVersionPrivilege(defaultVersion)]: true,
+    [getLoginPrivilege()]: true,
+    foo: false,
+    bar: true,
+  });
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const hasPrivileges = hasPrivilegesWithRequest({});
+  const result = await hasPrivileges(['foo']);
+  expect(result.missing).toEqual(['foo']);
+});
+
+test(`throws error if missing version privilege and has login privilege`, async () => {
+  const mockServer = createMockServer();
+  mockResponse(false, {
+    [getVersionPrivilege(defaultVersion)]: false,
+    [getLoginPrivilege()]: true,
+    foo: true,
+  });
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const hasPrivileges = hasPrivilegesWithRequest({});
+  await expect(hasPrivileges(['foo'])).rejects.toThrowErrorMatchingSnapshot();
+});
+
+test(`doesn't throw error if missing version privilege and missing login privilege`, async () => {
+  const mockServer = createMockServer();
+  mockResponse(false, {
+    [getVersionPrivilege(defaultVersion)]: true,
+    [getLoginPrivilege()]: true,
+    foo: true,
+  });
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const hasPrivileges = hasPrivilegesWithRequest({});
+  await hasPrivileges(['foo']);
+});
diff --git a/x-pack/plugins/security/server/lib/privileges/equivalent_privileges.js b/x-pack/plugins/security/server/lib/privileges/equivalent_privileges.js
new file mode 100644
index 00000000000000..35e2fd12af6d71
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/privileges/equivalent_privileges.js
@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { isEqual } from 'lodash';
+
+export function equivalentPrivileges(p1, p2) {
+  return isEqual(p1, p2);
+}
diff --git a/x-pack/plugins/security/server/lib/privileges/index.js b/x-pack/plugins/security/server/lib/privileges/index.js
new file mode 100644
index 00000000000000..a270b8a60331e9
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/privileges/index.js
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { registerPrivilegesWithCluster } from './privilege_action_registry';
+export { getLoginPrivilege, getVersionPrivilege } from './privileges';
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
index 86b1023fcb9b47..7d31b287fe664c 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
@@ -9,24 +9,29 @@
 
 import { buildPrivilegeMap } from './privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
+import { equivalentPrivileges } from './equivalent_privileges';
 
 export async function registerPrivilegesWithCluster(server) {
-  return;
-
   const config = server.config();
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
 
-  const privilegeActionMapping = buildPrivilegeMap(application, kibanaVersion);
+  const expectedPrivileges = buildPrivilegeMap(application, kibanaVersion);
 
   server.log(['security', 'debug'], `Registering Kibana Privileges with Elasticsearch for ${application}`);
 
   const callCluster = getClient(server).callWithInternalUser;
 
-  // TODO(legrego) - non-working stub
+  // we only want to post the privileges when they're going to change as Elasticsearch has
+  // to clear the role cache to get these changes reflected in the _has_privileges API
+  const existingPrivileges = await callCluster(`shield.getPrivilege`, { privilege: application });
+  if (equivalentPrivileges(existingPrivileges, expectedPrivileges)) {
+    server.log(['security', 'debug'], `Kibana Privileges already registered with Elasticearch for ${application}`);
+    return;
+  }
+
+  server.log(['security', 'debug'], `Updated Kibana Privileges with Elasticearch for ${application}`);
   await callCluster('shield.postPrivileges', {
-    body: {
-      [application]: privilegeActionMapping
-    }
+    body: expectedPrivileges
   });
 }
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
new file mode 100644
index 00000000000000..2fcfd5c2caaa00
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
@@ -0,0 +1,209 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { registerPrivilegesWithCluster } from './privilege_action_registry';
+import { getClient } from '../../../../../server/lib/get_client_shield';
+import { buildPrivilegeMap } from './privileges';
+jest.mock('../../../../../server/lib/get_client_shield', () => ({
+  getClient: jest.fn(),
+}));
+jest.mock('./privileges', () => ({
+  buildPrivilegeMap: jest.fn(),
+}));
+
+const registerPrivilegesWithClusterTest = (description, { settings = {}, expectedPrivileges, existingPrivileges, assert }) => {
+  const registerMockCallWithInternalUser = () => {
+    const callWithInternalUser = jest.fn();
+    getClient.mockReturnValue({
+      callWithInternalUser,
+    });
+    return callWithInternalUser;
+  };
+
+  const defaultVersion = 'default-version';
+  const defaultApplication = 'default-application';
+
+  const createMockServer = () => {
+    const mockServer = {
+      config: jest.fn().mockReturnValue({
+        get: jest.fn(),
+      }),
+      log: jest.fn(),
+    };
+
+    const defaultSettings = {
+      'pkg.version': defaultVersion,
+      'xpack.security.rbac.application': defaultApplication,
+    };
+
+    mockServer.config().get.mockImplementation(key => {
+      return key in settings ? settings[key] : defaultSettings[key];
+    });
+
+    return mockServer;
+  };
+
+  const createExpectUpdatedPrivileges = (mockServer, mockCallWithInternalUser, privileges) => {
+    return () => {
+      expect(mockCallWithInternalUser).toHaveBeenCalledTimes(2);
+      expect(mockCallWithInternalUser).toHaveBeenCalledWith('shield.getPrivilege', {
+        privilege: defaultApplication,
+      });
+      expect(mockCallWithInternalUser).toHaveBeenCalledWith(
+        'shield.postPrivileges',
+        {
+          body: privileges,
+        }
+      );
+
+      const application = settings['xpack.security.rbac.application'] || defaultApplication;
+      expect(mockServer.log).toHaveBeenCalledWith(
+        ['security', 'debug'],
+        `Registering Kibana Privileges with Elasticsearch for ${application}`
+      );
+      expect(mockServer.log).toHaveBeenCalledWith(
+        ['security', 'debug'],
+        `Updated Kibana Privileges with Elasticearch for ${application}`
+      );
+    };
+  };
+
+  const createExpectDidntUpdatePrivileges = (mockServer, mockCallWithInternalUser) => {
+    return () => {
+      expect(mockCallWithInternalUser).toHaveBeenCalledTimes(1);
+      expect(mockCallWithInternalUser).toHaveBeenLastCalledWith('shield.getPrivilege', {
+        privilege: defaultApplication
+      });
+
+      const application = settings['xpack.security.rbac.application'] || defaultApplication;
+      expect(mockServer.log).toHaveBeenCalledWith(
+        ['security', 'debug'],
+        `Registering Kibana Privileges with Elasticsearch for ${application}`
+      );
+      expect(mockServer.log).toHaveBeenCalledWith(
+        ['security', 'debug'],
+        `Kibana Privileges already registered with Elasticearch for ${application}`
+      );
+    };
+  };
+
+  test(description, async () => {
+    const mockServer = createMockServer();
+    const mockCallWithInternalUser = registerMockCallWithInternalUser();
+    mockCallWithInternalUser.mockImplementationOnce(async () => (existingPrivileges));
+    buildPrivilegeMap.mockReturnValue(expectedPrivileges);
+
+    await registerPrivilegesWithCluster(mockServer);
+
+    assert({
+      expectUpdatedPrivileges: createExpectUpdatedPrivileges(mockServer, mockCallWithInternalUser, expectedPrivileges),
+      expectDidntUpdatePrivileges: createExpectDidntUpdatePrivileges(mockServer, mockCallWithInternalUser),
+      mocks: {
+        buildPrivilegeMap
+      }
+    });
+  });
+};
+
+registerPrivilegesWithClusterTest(`passes application and kibanaVersion to buildPrivilegeMap`, {
+  settings: {
+    'pkg.version': 'foo-version',
+    'xpack.security.rbac.application': 'foo-application',
+  },
+  assert: ({ mocks }) => {
+    expect(mocks.buildPrivilegeMap).toHaveBeenCalledWith('foo-application', 'foo-version');
+  },
+});
+
+registerPrivilegesWithClusterTest(`updates privileges when simple top-level privileges don't match`, {
+  expectedPrivileges: {
+    expected: true
+  },
+  existingPrivileges: {
+    expected: false
+  },
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`updates privileges when nested privileges don't match`, {
+  expectedPrivileges: {
+    kibana: {
+      expected: true
+    }
+  },
+  existingPrivileges: {
+    kibana: {
+      expected: false
+    }
+  },
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`updates privileges when nested privileges arrays don't match`, {
+  expectedPrivileges: {
+    kibana: {
+      expected: ['one', 'two']
+    }
+  },
+  existingPrivileges: {
+    kibana: {
+      expected: ['one']
+    }
+  },
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`updates privileges when nested propertry array values are reordered`, {
+  expectedPrivileges: {
+    kibana: {
+      foo: ['one', 'two']
+    }
+  },
+  existingPrivileges: {
+    kibana: {
+      foo: ['two', 'one']
+    }
+  },
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`doesn't update privileges when simple top-level privileges match`, {
+  expectedPrivileges: {
+    expected: true
+  },
+  existingPrivileges: {
+    expected: true
+  },
+  assert: ({ expectDidntUpdatePrivileges }) => {
+    expectDidntUpdatePrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`doesn't update privileges when nested properties are reordered`, {
+  expectedPrivileges: {
+    kibana: {
+      foo: true,
+      bar: false
+    }
+  },
+  existingPrivileges: {
+    kibana: {
+      bar: false,
+      foo: true
+    }
+  },
+  assert: ({ expectDidntUpdatePrivileges }) => {
+    expectDidntUpdatePrivileges();
+  }
+});
diff --git a/x-pack/plugins/security/server/lib/privileges/privileges.js b/x-pack/plugins/security/server/lib/privileges/privileges.js
index becfaa5aee78de..e05be3117f934a 100644
--- a/x-pack/plugins/security/server/lib/privileges/privileges.js
+++ b/x-pack/plugins/security/server/lib/privileges/privileges.js
@@ -7,50 +7,46 @@
 /*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
  * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
 
-export function buildPrivilegeMap(application, kibanaVersion) {
-  const readSavedObjectsPrivileges = buildSavedObjectsReadPrivileges('');
+export function getVersionPrivilege(kibanaVersion) {
+  return `version:${kibanaVersion}`;
+}
 
-  const commonMetadata = {
-    kibanaVersion
-  };
+export function getLoginPrivilege() {
+  return `action:login`;
+}
 
-  function getActionName(...nameParts) {
-    return nameParts.join('/');
-  }
+export function buildPrivilegeMap(application, kibanaVersion) {
+  const readSavedObjectsPrivileges = buildSavedObjectsReadPrivileges();
 
-  const privilegeActionMap = [];
+  const privilegeActions = {};
 
-  privilegeActionMap.push({
+  privilegeActions.all = {
     application,
     name: 'all',
-    actions: [getActionName('*')],
-    metadata: {
-      ...commonMetadata,
-      displayName: 'all'
-    }
-  });
-
-  privilegeActionMap.push({
+    actions: [getVersionPrivilege(kibanaVersion), getLoginPrivilege(), 'action:*'],
+    metadata: {}
+  };
+
+  privilegeActions.read = {
     application,
     name: 'read',
-    actions: [...readSavedObjectsPrivileges],
-    metadata: {
-      ...commonMetadata,
-      displayName: 'read'
-    }
-  });
-
-  return privilegeActionMap;
+    actions: [getVersionPrivilege(kibanaVersion), getLoginPrivilege(), ...readSavedObjectsPrivileges],
+    metadata: {}
+  };
+
+  return {
+    [application]: privilegeActions
+  };
 }
 
-function buildSavedObjectsReadPrivileges(prefix) {
+function buildSavedObjectsReadPrivileges() {
   const readActions = ['get', 'mget', 'search'];
-  return buildSavedObjectsPrivileges(prefix, readActions);
+  return buildSavedObjectsPrivileges(readActions);
 }
 
-function buildSavedObjectsPrivileges(prefix, actions) {
-  const objectTypes = ['dashboard', 'visualization', 'search'];
+function buildSavedObjectsPrivileges(actions) {
+  const objectTypes = ['config', 'dashboard', 'index-pattern', 'search', 'visualization', 'graph-workspace'];
   return objectTypes
-    .map(type => actions.map(action => `${prefix}/${type}/${action}`))
+    .map(type => actions.map(action => `action:saved-objects/${type}/${action}`))
     .reduce((acc, types) => [...acc, ...types], []);
 }
diff --git a/x-pack/plugins/security/server/lib/saved_object_client_interceptor.js b/x-pack/plugins/security/server/lib/saved_object_client_interceptor.js
deleted file mode 100644
index 9ad4b71b44594b..00000000000000
--- a/x-pack/plugins/security/server/lib/saved_object_client_interceptor.js
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-
-import { checkUserPermission } from './check_user_permission';
-
-export function checkSavedObjectPermissions() {
-  return (request) => ({
-    method: 'all',
-    intercept: async (client, method, type) => {
-      const action = `kibana:/savedobject/${method}/${type}`;
-
-      const { credentials } = request.auth;
-
-      // TODO(larry): dashboard_mode_auth_scope.js uses request's SOC before the user is attached to the request. Chicken and egg...
-      if (!credentials) {
-        console.warn(
-          `!!!!DANGER!!!! No credentials on request (${request.path})! Unable to authorize Saved Object Client request. See trace below:`
-        );
-        console.trace();
-        return;
-      }
-
-      const { roles } = request.auth.credentials;
-
-      const fakeAccessCheck = roles.indexOf('kibana_ols_user') >= 0;
-
-      const hasPermission = await checkUserPermission(action, fakeAccessCheck || true);
-      console.log('hasPermission returned', hasPermission);
-
-      if (!hasPermission) {
-        const errorMessage = `Unauthorized: User must have "kibana:all" permission to perform this action.`;
-        throw client.errors.decorateForbiddenError(new Error(), errorMessage);
-      }
-    }
-  });
-}
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js
index 229570f401010c..65f0ce3ff64e8f 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js
@@ -7,13 +7,13 @@
 /*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
  * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
 
-export function secureSavedObjectsClientOptionsBuilder(server, options) {
+export function secureSavedObjectsClientOptionsBuilder(server, hasPrivilegesWithRequest, options) {
   const adminCluster = server.plugins.elasticsearch.getCluster('admin');
   const { callWithInternalUser } = adminCluster;
 
   return {
     ...options,
-    application: server.config().get('xpack.security.rbac.application'),
-    callCluster: callWithInternalUser
+    callCluster: callWithInternalUser,
+    hasPrivilegesWithRequest
   };
 }
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index 796ae9151e3f01..8793985233c35c 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -4,39 +4,31 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-
-import Boom from 'boom';
-import { getClient } from '../../../../../server/lib/get_client_shield';
+import { get, uniq } from 'lodash';
 
 export class SecureSavedObjectsClient {
   constructor(options) {
     const {
-      server,
       request,
+      hasPrivilegesWithRequest,
       baseClient,
-      application,
     } = options;
 
     this.errors = baseClient.errors;
 
     this._client = baseClient;
-    this._application = application;
-    this._callCluster = getClient(server).callWithRequest;
-    this._request = request;
+    this._hasPrivileges = hasPrivilegesWithRequest(request);
   }
 
   async create(type, attributes = {}, options = {}) {
-    await this._performAuthorizationCheck(type, 'create', attributes, options);
+    await this._performAuthorizationCheck(type, 'create');
 
     return await this._client.create(type, attributes, options);
   }
 
   async bulkCreate(objects, options = {}) {
-    for (const object of objects) {
-      await this._performAuthorizationCheck(object.type, 'create', object.attributes);
-    }
+    const types = uniq(objects.map(o => o.type));
+    await this._performAuthorizationCheck(types, 'create');
 
     return await this._client.bulkCreate(objects, options);
   }
@@ -48,15 +40,14 @@ export class SecureSavedObjectsClient {
   }
 
   async find(options = {}) {
-    // TODO(legrego) - need to constrain which types users can search for...
-    await this._performAuthorizationCheck(null, 'search', null, options);
+    await this._performAuthorizationCheck(options.type, 'search');
 
     return await this._client.find(options);
   }
 
   async bulkGet(objects = []) {
     for (const object of objects) {
-      await this._performAuthorizationCheck(object.type, 'mget', object.attributes);
+      await this._performAuthorizationCheck(object.type, 'mget');
     }
 
     return await this._client.bulkGet(objects);
@@ -69,28 +60,26 @@ export class SecureSavedObjectsClient {
   }
 
   async update(type, id, attributes, options = {}) {
-    await this._performAuthorizationCheck(type, attributes, options);
+    await this._performAuthorizationCheck(type, 'update');
 
     return await this._client.update(type, id, attributes, options);
   }
 
-  async _performAuthorizationCheck(type, action, attributes = {}, options = {}) { // eslint-disable-line no-unused-vars
-    return;
-    // TODO(legrego) use ES Custom Privilege API once implemented.
-    const kibanaAction = `saved-objects/${type}/${action}`;
-
-    const privilegeCheck = await this._callCluster(this._request, 'shield.hasPrivileges', {
-      body: {
-        applications: [{
-          application: this._application,
-          resources: ['default'],
-          privileges: [kibanaAction]
-        }]
-      }
-    });
-
-    if (!privilegeCheck.has_all_requested) {
-      throw Boom.unauthorized(`User ${privilegeCheck.username} is not authorized to ${action} objects of type ${type}`);
+  async _performAuthorizationCheck(typeOrTypes, action) {
+    const types = Array.isArray(typeOrTypes) ? typeOrTypes : [typeOrTypes];
+    const actions = types.map(type => `action:saved-objects/${type}/${action}`);
+
+    let result;
+    try {
+      result = await this._hasPrivileges(actions);
+    } catch(error) {
+      const { reason } = get(error, 'body.error', {});
+      throw this._client.errors.decorateGeneralError(error, reason);
+    }
+
+    if (!result.success) {
+      const msg = `Unable to ${action} ${types.join(',')}, missing ${result.missing.join(',')}`;
+      throw this._client.errors.decorateForbiddenError(new Error(msg));
     }
   }
 }
diff --git a/x-pack/plugins/security/server/lib/validate_config.js b/x-pack/plugins/security/server/lib/validate_config.js
index 0b9061389a92c1..d1f80cb65b7ac9 100644
--- a/x-pack/plugins/security/server/lib/validate_config.js
+++ b/x-pack/plugins/security/server/lib/validate_config.js
@@ -7,7 +7,6 @@
 const crypto = require('crypto');
 
 const isDefault = (config, key) => {
-  console.log(config.getDefault(key), config.get(key));
   return config.getDefault(key) === config.get(key);
 };
 
diff --git a/x-pack/plugins/security/server/routes/api/v1/privileges.js b/x-pack/plugins/security/server/routes/api/v1/privileges.js
index 7d3ac9ead2e4e5..1e6ac21fb54e06 100644
--- a/x-pack/plugins/security/server/routes/api/v1/privileges.js
+++ b/x-pack/plugins/security/server/routes/api/v1/privileges.js
@@ -21,8 +21,8 @@ export function initPrivilegesApi(server) {
     method: 'GET',
     path: '/api/security/v1/privileges',
     handler(request, reply) {
-
-      reply(buildPrivilegeMap(application, kibanaVersion));
+      const privileges = buildPrivilegeMap(application, kibanaVersion);
+      reply(Object.values(privileges[application]));
     }
   });
 }
diff --git a/x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.js b/x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.js
deleted file mode 100644
index 43a4e57f9d1a46..00000000000000
--- a/x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.js
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-export function containsOtherApplications(role, ourApplication) {
-  if (!role.applications || role.applications.length === 0) {
-    return false;
-  }
-
-  return role.applications.some(x => x.application !== ourApplication);
-}
diff --git a/x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.test.js b/x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.test.js
deleted file mode 100644
index e7ea134fad5b97..00000000000000
--- a/x-pack/plugins/security/server/routes/api/v1/roles/contains_other_applications.test.js
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-
-import { containsOtherApplications } from "./contains_other_applications";
-
-test(`returns true for roles that grant privileges to other Kibanas`, () => {
-  const roles = [
-    {
-      _expectedResult: false,
-      cluster: [],
-      indices: [
-        {
-          names: ['logstash-*'],
-          privileges: ['read']
-        }
-      ],
-      run_as: [],
-      metadata: {
-        _reserved: true
-      },
-      transient_metadata: {
-        enabled: true
-      },
-      name: 'logstash_reader'
-    },
-    {
-      _expectedResult: false,
-      cluster: [],
-      indices: [],
-      applications: [
-        { application: 'kibana', privileges: ['read'], resources: ['*'] }
-      ],
-      run_as: [],
-      metadata: {},
-      transient_metadata: {
-        enabled: true
-      },
-      name: 'kibana_user'
-    },
-    {
-      _expectedResult: true,
-      cluster: [],
-      indices: [],
-      applications: [
-        { application: 'other-kibana', privileges: ['read'], resources: ['*'] }
-      ],
-      run_as: [],
-      metadata: {},
-      transient_metadata: {
-        enabled: true
-      },
-      name: 'kibana_user'
-    }
-  ];
-
-  roles.forEach(role => {
-    const result = containsOtherApplications(role, 'kibana');
-    expect(result).toEqual(role._expectedResult);
-  });
-});
diff --git a/x-pack/plugins/security/server/routes/api/v1/roles/index.js b/x-pack/plugins/security/server/routes/api/v1/roles/index.js
index d965f561510d70..8e0e114798c3c7 100644
--- a/x-pack/plugins/security/server/routes/api/v1/roles/index.js
+++ b/x-pack/plugins/security/server/routes/api/v1/roles/index.js
@@ -10,7 +10,6 @@ import { getClient } from '../../../../../../../server/lib/get_client_shield';
 import { roleSchema } from '../../../../lib/role_schema';
 import { wrapError } from '../../../../lib/errors';
 import { routePreCheckLicense } from '../../../../lib/route_pre_check_license';
-import { containsOtherApplications } from './contains_other_applications';
 
 export function initRolesApi(server) {
   const callWithRequest = getClient(server).callWithRequest;
@@ -20,16 +19,10 @@ export function initRolesApi(server) {
     method: 'GET',
     path: '/api/security/v1/roles',
     handler(request, reply) {
-      const config = server.config();
-
       return callWithRequest(request, 'shield.getRole').then(
         (response) => {
-          const application = config.get('xpack.security.rbac.application');
-
           const roles = _.map(response, (role, name) => {
-            const hasUnsupportedCustomPrivileges = containsOtherApplications(role, application);
-
-            return _.assign(role, { name, hasUnsupportedCustomPrivileges });
+            return _.assign(role, { name });
           });
 
           return reply(roles);
@@ -64,8 +57,7 @@ export function initRolesApi(server) {
     path: '/api/security/v1/roles/{name}',
     handler(request, reply) {
       const name = request.params.name;
-      // TODO(legrego) - temporarily remove applications from role until ES API is implemented
-      const body = _.omit(request.payload, ['name', 'applications', 'hasUnsupportedCustomPrivileges']);
+      const body = _.omit(request.payload, 'name');
 
       return callWithRequest(request, 'shield.putRole', { name, body }).then(
         () => reply(request.payload),

From 50c73b45971bb9a487e0eb2fd72d52ba9fcaa226 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Mon, 21 May 2018 11:38:37 -0400
Subject: [PATCH 015/183] [Spaces] Space Avatar with selector in main Kibana
 menu (#18609)

Adds Space Avatar with selector in main Kibana menu
---
 package.json                                  |   2 +-
 x-pack/package.json                           |   2 +-
 x-pack/plugins/spaces/common/mock_spaces.js   |  22 -
 .../spaces/common/spaces_url_parser.js        |  44 ++
 .../spaces/common/spaces_url_parser.test.js   |  39 ++
 x-pack/plugins/spaces/index.js                |  20 +-
 .../spaces/public/lib/spaces_manager.js       |  38 ++
 .../public/views/components/space_card.js     |  40 ++
 .../public/views/components/space_card.less   |   9 +
 .../views/components/space_card.test.js       |  32 ++
 .../public/views/components/space_cards.js    |  58 +++
 .../views/components/space_cards.test.js      |  46 ++
 .../components/manage_space_page.js           |  23 +-
 .../public/views/management/page_routes.js    |   7 +
 .../public/views/nav_control/nav_control.html |   7 +-
 .../public/views/nav_control/nav_control.js   |  18 +-
 .../public/views/nav_control/nav_control.less |   8 +
 .../views/nav_control/nav_control_modal.js    | 136 +++++
 .../__snapshots__/space_selector.test.js.snap |  14 +-
 .../public/views/space_selector/index.js      |   6 +-
 .../views/space_selector/space_selector.js    |  60 +--
 .../views/space_selector/space_selector.less  |  15 +-
 .../space_selector/space_selector.test.js     |  30 +-
 .../server/lib/check_duplicate_context.js     |  36 ++
 .../spaces/server/lib/get_active_space.js     |  51 ++
 .../spaces/server/routes/api/v1/spaces.js     |  98 +++-
 x-pack/yarn.lock                              | 468 +-----------------
 yarn.lock                                     | 352 +++----------
 28 files changed, 806 insertions(+), 875 deletions(-)
 delete mode 100644 x-pack/plugins/spaces/common/mock_spaces.js
 create mode 100644 x-pack/plugins/spaces/common/spaces_url_parser.js
 create mode 100644 x-pack/plugins/spaces/common/spaces_url_parser.test.js
 create mode 100644 x-pack/plugins/spaces/public/lib/spaces_manager.js
 create mode 100644 x-pack/plugins/spaces/public/views/components/space_card.js
 create mode 100644 x-pack/plugins/spaces/public/views/components/space_card.less
 create mode 100644 x-pack/plugins/spaces/public/views/components/space_card.test.js
 create mode 100644 x-pack/plugins/spaces/public/views/components/space_cards.js
 create mode 100644 x-pack/plugins/spaces/public/views/components/space_cards.test.js
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/nav_control.less
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
 create mode 100644 x-pack/plugins/spaces/server/lib/check_duplicate_context.js
 create mode 100644 x-pack/plugins/spaces/server/lib/get_active_space.js

diff --git a/package.json b/package.json
index 9c6acdfd452646..5bdf13c0206311 100644
--- a/package.json
+++ b/package.json
@@ -76,7 +76,7 @@
     "url": "https://github.com/elastic/kibana.git"
   },
   "dependencies": {
-    "@elastic/eui": "v0.0.44",
+    "@elastic/eui": "v0.0.47",
     "@elastic/filesaver": "1.1.2",
     "@elastic/numeral": "2.3.2",
     "@elastic/ui-ace": "0.2.3",
diff --git a/x-pack/package.json b/x-pack/package.json
index 95c3ecd15dfb41..bfcb1dd5a9905b 100644
--- a/x-pack/package.json
+++ b/x-pack/package.json
@@ -75,7 +75,7 @@
     "yargs": "4.7.1"
   },
   "dependencies": {
-    "@elastic/eui": "0.0.44",
+    "@elastic/eui": "0.0.47",
     "@elastic/node-crypto": "0.1.2",
     "@elastic/node-phantom-simple": "2.2.4",
     "@elastic/numeral": "2.3.2",
diff --git a/x-pack/plugins/spaces/common/mock_spaces.js b/x-pack/plugins/spaces/common/mock_spaces.js
deleted file mode 100644
index a11d4d251a4157..00000000000000
--- a/x-pack/plugins/spaces/common/mock_spaces.js
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-export const mockSpaces = [{
-  id: 'engineering',
-  name: 'Engineering',
-  description: 'This is the Engineering Space',
-  logo: 'logoKubernetes'
-}, {
-  id: 'sales',
-  name: 'Sales',
-  description: 'This is the Sales Space',
-  logo: 'logoElastic'
-}, {
-  id: 'support',
-  name: 'Support',
-  description: 'This is the Support Space',
-  logo: 'logoElasticStack'
-}];
diff --git a/x-pack/plugins/spaces/common/spaces_url_parser.js b/x-pack/plugins/spaces/common/spaces_url_parser.js
new file mode 100644
index 00000000000000..075f09eea03a3f
--- /dev/null
+++ b/x-pack/plugins/spaces/common/spaces_url_parser.js
@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export function getSpaceUrlContext(basePath = '/', defaultContext = null) {
+  // Look for `/s/space-url-context` in the base path
+  const matchResult = basePath.match(/\/s\/([a-z0-9\-]+)/);
+
+  if (!matchResult || matchResult.length === 0) {
+    return defaultContext;
+  }
+
+  // Ignoring first result, we only want the capture group result at index 1
+  const [, urlContext = defaultContext] = matchResult;
+
+  return urlContext;
+}
+
+export function stripSpaceUrlContext(basePath = '/') {
+  const currentSpaceUrlContext = getSpaceUrlContext(basePath);
+
+  let basePathWithoutSpace;
+  if (currentSpaceUrlContext) {
+    const indexOfSpaceContext = basePath.indexOf(`/s/${currentSpaceUrlContext}`);
+
+    const startsWithSpace = indexOfSpaceContext === 0;
+
+    if (startsWithSpace) {
+      basePathWithoutSpace = '/';
+    } else {
+      basePathWithoutSpace = basePath.substring(0, indexOfSpaceContext);
+    }
+  } else {
+    basePathWithoutSpace = basePath;
+  }
+
+  if (basePathWithoutSpace.endsWith('/')) {
+    return basePathWithoutSpace.substr(0, -1);
+  }
+
+  return basePathWithoutSpace;
+}
diff --git a/x-pack/plugins/spaces/common/spaces_url_parser.test.js b/x-pack/plugins/spaces/common/spaces_url_parser.test.js
new file mode 100644
index 00000000000000..ee0813b2f70acb
--- /dev/null
+++ b/x-pack/plugins/spaces/common/spaces_url_parser.test.js
@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { stripSpaceUrlContext, getSpaceUrlContext } from './spaces_url_parser';
+
+test('it removes the space url context from the base path when the space is not at the root', () => {
+  const basePath = `/foo/s/my-space`;
+  expect(stripSpaceUrlContext(basePath)).toEqual('/foo');
+});
+
+test('it removes the space url context from the base path when the space is the root', () => {
+  const basePath = `/s/my-space`;
+  expect(stripSpaceUrlContext(basePath)).toEqual('');
+});
+
+test(`it doesn't change base paths without a space url context`, () => {
+  const basePath = `/this/is/a-base-path/ok`;
+  expect(stripSpaceUrlContext(basePath)).toEqual(basePath);
+});
+
+test('it accepts no parameters', () => {
+  expect(stripSpaceUrlContext()).toEqual('');
+});
+
+test('it remove the trailing slash', () => {
+  expect(stripSpaceUrlContext('/')).toEqual('');
+});
+
+test('it identifies the space url context', () => {
+  const basePath = `/this/is/a/crazy/path/s/my-awesome-space-lives-here`;
+  expect(getSpaceUrlContext(basePath)).toEqual('my-awesome-space-lives-here');
+});
+
+test('it handles base url without a space url context', () => {
+  const basePath = `/this/is/a/crazy/path/s`;
+  expect(getSpaceUrlContext(basePath)).toEqual(null);
+});
diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index 5780998378cf84..0bca945be795fb 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -10,6 +10,8 @@ import { checkLicense } from './server/lib/check_license';
 import { initSpacesApi } from './server/routes/api/v1/spaces';
 import { initSpacesRequestInterceptors } from './server/lib/space_request_interceptors';
 import { mirrorPluginStatus } from '../../server/lib/mirror_plugin_status';
+import { getActiveSpace } from './server/lib/get_active_space';
+import { wrapError } from './server/lib/errors';
 import mappings from './mappings.json';
 
 export const spaces = (kibana) => new kibana.Plugin({
@@ -31,6 +33,7 @@ export const spaces = (kibana) => new kibana.Plugin({
       id: 'space_selector',
       title: 'Spaces',
       main: 'plugins/spaces/views/space_selector',
+      url: 'space_selector',
       hidden: true,
     }],
     hacks: [],
@@ -38,8 +41,23 @@ export const spaces = (kibana) => new kibana.Plugin({
     home: ['plugins/spaces/register_feature'],
     injectDefaultVars: function () {
       return {
-        spaces: []
+        spaces: [],
+        activeSpace: null
       };
+    },
+    replaceInjectedVars: async function (vars, request) {
+      try {
+        vars.activeSpace = {
+          valid: true,
+          space: await getActiveSpace(request.getSavedObjectsClient(), request.getBasePath())
+        };
+      } catch(e) {
+        vars.activeSpace = {
+          valid: false,
+          error: wrapError(e).output.payload
+        };
+      }
+      return vars;
     }
   },
 
diff --git a/x-pack/plugins/spaces/public/lib/spaces_manager.js b/x-pack/plugins/spaces/public/lib/spaces_manager.js
new file mode 100644
index 00000000000000..77b1ea9b514caf
--- /dev/null
+++ b/x-pack/plugins/spaces/public/lib/spaces_manager.js
@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export class SpacesManager {
+  constructor(httpAgent, chrome) {
+    this._httpAgent = httpAgent;
+    this._baseUrl = chrome.addBasePath(`/api/spaces/v1`);
+  }
+
+  async getSpaces() {
+    return await this._httpAgent
+      .get(`${this._baseUrl}/spaces`)
+      .then(response => response.data);
+  }
+
+  async getSpace(id) {
+    return await this._httpAgent
+      .get(`${this._baseUrl}/space/${id}`);
+  }
+
+  async createSpace(space) {
+    return await this._httpAgent
+      .post(`${this._baseUrl}/space`, space);
+  }
+
+  async updateSpace(space) {
+    return await this._httpAgent
+      .put(`${this._baseUrl}/space/${space.id}?overwrite=true`, space);
+  }
+
+  async deleteSpace(space) {
+    return await this._httpAgent
+      .delete(`${this._baseUrl}/space/${space.id}`);
+  }
+}
diff --git a/x-pack/plugins/spaces/public/views/components/space_card.js b/x-pack/plugins/spaces/public/views/components/space_card.js
new file mode 100644
index 00000000000000..12cc3555175559
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/components/space_card.js
@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import {
+  EuiCard,
+  EuiText
+} from '@elastic/eui';
+import './space_card.less';
+
+export const SpaceCard = (props) => {
+  const {
+    space,
+    onClick
+  } = props;
+
+  return (
+    <EuiCard
+      className="spaceCard"
+      title={renderSpaceTitle(space)}
+      description={renderSpaceDescription(space)}
+      onClick={onClick}
+    />
+  );
+};
+
+function renderSpaceTitle(space) {
+  return (
+    <div className="spaceCardTitle">
+      <EuiText><h3>{space.name}</h3></EuiText>
+    </div>
+  );
+}
+
+function renderSpaceDescription(space) {
+  return space.description;
+}
diff --git a/x-pack/plugins/spaces/public/views/components/space_card.less b/x-pack/plugins/spaces/public/views/components/space_card.less
new file mode 100644
index 00000000000000..a75fbfaa2f3430
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/components/space_card.less
@@ -0,0 +1,9 @@
+.spaceCard, .euiCard.euiCard--isClickable.spaceCard {
+    width: 310px;
+    height: 230px;
+    min-height: 200px;
+}
+
+.spaceCardDescription {
+  margin-bottom: 10px;
+}
diff --git a/x-pack/plugins/spaces/public/views/components/space_card.test.js b/x-pack/plugins/spaces/public/views/components/space_card.test.js
new file mode 100644
index 00000000000000..f79c74201eeeef
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/components/space_card.test.js
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { shallow, mount } from 'enzyme';
+import { SpaceCard } from './space_card';
+
+test('it renders without crashing', () => {
+  const space = {
+    name: 'space name',
+    description: 'space description'
+  };
+
+  shallow(<SpaceCard space={space} />);
+});
+
+test('it is clickable', () => {
+  const space = {
+    name: 'space name',
+    description: 'space description'
+  };
+
+  const clickHandler = jest.fn();
+
+  const wrapper = mount(<SpaceCard space={space} onClick={clickHandler} />);
+  wrapper.simulate('click');
+
+  expect(clickHandler).toHaveBeenCalledTimes(1);
+});
diff --git a/x-pack/plugins/spaces/public/views/components/space_cards.js b/x-pack/plugins/spaces/public/views/components/space_cards.js
new file mode 100644
index 00000000000000..2e92ce4a290eab
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/components/space_cards.js
@@ -0,0 +1,58 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component, Fragment } from 'react';
+import PropTypes from 'prop-types';
+import chrome from 'ui/chrome';
+import { SpaceCard } from './space_card';
+import { stripSpaceUrlContext } from '../../../common/spaces_url_parser';
+import {
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiSpacer,
+} from '@elastic/eui';
+import { chunk } from 'lodash';
+
+export class SpaceCards extends Component {
+  render() {
+    const maxSpacesPerRow = 3;
+    const rows = chunk(this.props.spaces, maxSpacesPerRow);
+
+    return (
+      <Fragment>
+        {
+          rows.map((row, idx) => (
+            <Fragment key={idx}>
+              <EuiFlexGroup gutterSize="l" justifyContent="spaceEvenly">
+                {row.map(this.renderSpace)}
+              </EuiFlexGroup>
+              <EuiSpacer />
+            </Fragment>
+          ))
+        }
+      </Fragment>
+
+    );
+  }
+
+  renderSpace = (space) => (
+    <EuiFlexItem key={space.id} grow={false}>
+      <SpaceCard space={space} onClick={this.createSpaceClickHandler(space)} />
+    </EuiFlexItem>
+  );
+
+  createSpaceClickHandler = (space) => {
+    return () => {
+      const baseUrlWithoutSpace = stripSpaceUrlContext(chrome.getBasePath());
+
+      window.location = `${baseUrlWithoutSpace}/s/${space.urlContext}`;
+    };
+  };
+}
+
+SpaceCards.propTypes = {
+  spaces: PropTypes.array.isRequired,
+};
diff --git a/x-pack/plugins/spaces/public/views/components/space_cards.test.js b/x-pack/plugins/spaces/public/views/components/space_cards.test.js
new file mode 100644
index 00000000000000..b221e6f337afc3
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/components/space_cards.test.js
@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { shallow, mount } from 'enzyme';
+import { SpaceCards } from './space_cards';
+import { EuiFlexGroup } from '@elastic/eui';
+import { SpaceCard } from './space_card';
+
+test('it renders without crashing', () => {
+  const space = {
+    id: 'space-id',
+    name: 'space name',
+    description: 'space description'
+  };
+
+  shallow(<SpaceCards spaces={[space]} />);
+});
+
+test('it renders spaces in groups of 3', () => {
+  function buildSpace(name) {
+    return {
+      id: `id-${name}`,
+      name,
+      description: `desc-${name}`
+    };
+  }
+
+  const spaces = [
+    buildSpace(1),
+    buildSpace(2),
+    buildSpace(3),
+    buildSpace(4)
+  ];
+
+  const wrapper = mount(<SpaceCards spaces={spaces} />);
+
+  const groups = wrapper.find(EuiFlexGroup);
+  expect(groups).toHaveLength(2);
+
+  expect(groups.at(0).find(SpaceCard)).toHaveLength(3);
+  expect(groups.at(1).find(SpaceCard)).toHaveLength(1);
+});
diff --git a/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
index b7cc6e887e84d3..2262e597fb433b 100644
--- a/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
@@ -37,13 +37,11 @@ export class ManageSpacePage extends React.Component {
 
     const {
       space,
-      httpAgent,
-      chrome
+      spacesManager
     } = this.props;
 
     if (space) {
-      httpAgent
-        .get(chrome.addBasePath(`/api/spaces/v1/spaces/${space}`))
+      spacesManager.getSpace(space)
         .then(result => {
           if (result.data) {
             this.setState({
@@ -210,8 +208,6 @@ export class ManageSpacePage extends React.Component {
       urlContext
     } = this.state.space;
 
-    const { httpAgent, chrome } = this.props;
-
     const params = {
       name,
       id,
@@ -219,13 +215,17 @@ export class ManageSpacePage extends React.Component {
       urlContext
     };
 
-    const overwrite = this.editingExistingSpace();
-
     if (name && description) {
-      httpAgent
-        .post(chrome.addBasePath(`/api/spaces/v1/spaces/${encodeURIComponent(id)}?overwrite=${overwrite}`), params)
+      let action;
+      if (this.editingExistingSpace()) {
+        action = this.props.spacesManager.updateSpace(params);
+      } else {
+        action = this.props.spacesManager.createSpace(params);
+      }
+
+      action
         .then(result => {
-          toastNotifications.addSuccess(`Saved '${result.data.id}'`);
+          toastNotifications.addSuccess(`Saved '${result.data.name}'`);
           window.location.hash = `#/management/spaces/list`;
         })
         .catch(error => {
@@ -327,6 +327,7 @@ export class ManageSpacePage extends React.Component {
 
 ManageSpacePage.propTypes = {
   space: PropTypes.string,
+  spacesManager: PropTypes.object,
   httpAgent: PropTypes.func.isRequired,
   chrome: PropTypes.object,
   breadcrumbs: PropTypes.array.isRequired,
diff --git a/x-pack/plugins/spaces/public/views/management/page_routes.js b/x-pack/plugins/spaces/public/views/management/page_routes.js
index c7fd24674f00d7..e07a5b95aeb239 100644
--- a/x-pack/plugins/spaces/public/views/management/page_routes.js
+++ b/x-pack/plugins/spaces/public/views/management/page_routes.js
@@ -11,6 +11,7 @@ import template from 'plugins/spaces/views/management/template.html';
 import React from 'react';
 import { render, unmountComponentAtNode } from 'react-dom';
 import { SpacesGridPage, ManageSpacePage } from './components';
+import { SpacesManager } from '../../lib/spaces_manager';
 
 import routes from 'ui/routes';
 
@@ -39,10 +40,13 @@ routes.when('/management/spaces/create', {
   controller: function ($scope,  $http, chrome) {
     const domNode = document.getElementById(reactRootNodeId);
 
+    const spacesManager = new SpacesManager($http, chrome);
+
     render(<ManageSpacePage
       httpAgent={$http}
       chrome={chrome}
       breadcrumbs={routes.getBreadcrumbs()}
+      spacesManager={spacesManager}
     />, domNode);
 
     // unmount react on controller destroy
@@ -63,11 +67,14 @@ routes.when('/management/spaces/edit/:space', {
 
     const { space } = $route.current.params;
 
+    const spacesManager = new SpacesManager($http, chrome);
+
     render(<ManageSpacePage
       httpAgent={$http}
       space={space}
       chrome={chrome}
       breadcrumbs={routes.getBreadcrumbs()}
+      spacesManager={spacesManager}
     />, domNode);
 
     // unmount react on controller destroy
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.html b/x-pack/plugins/spaces/public/views/nav_control/nav_control.html
index 5baf3e7785798f..284866cc43bed5 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control.html
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.html
@@ -1,8 +1,3 @@
 <div ng-controller="spacesNavController">
-  <global-nav-link
-    kbn-route="route"
-    icon="'plugins/spaces/images/demo.png'"
-    tooltip-content="'Clicking this should do something'"
-    label="'Engineering Space'"
-  ></global-nav-link>
+  <div id="spacesNavReactRoot" />
 </div>
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
index c479488247b790..74be5a7f627dd5 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
@@ -7,7 +7,13 @@
 import { constant } from 'lodash';
 import { chromeNavControlsRegistry } from 'ui/registry/chrome_nav_controls';
 import { uiModules } from 'ui/modules';
+import { SpacesManager } from 'plugins/spaces/lib/spaces_manager';
 import template from 'plugins/spaces/views/nav_control/nav_control.html';
+import 'plugins/spaces/views/nav_control/nav_control.less';
+
+import React from 'react';
+import { render, unmountComponentAtNode } from 'react-dom';
+import { NavControlModal } from 'plugins/spaces/views/nav_control/nav_control_modal';
 
 chromeNavControlsRegistry.register(constant({
   name: 'spaces',
@@ -17,6 +23,16 @@ chromeNavControlsRegistry.register(constant({
 
 const module = uiModules.get('spaces', ['kibana']);
 
-module.controller('spacesNavController', () => {
+module.controller('spacesNavController', ($scope, $http, chrome, activeSpace) => {
+  const domNode = document.getElementById(`spacesNavReactRoot`);
+
+  const spacesManager = new SpacesManager($http, chrome);
+
+  render(<NavControlModal spacesManager={spacesManager} activeSpace={activeSpace} />, domNode);
+
+  // unmount react on controller destroy
+  $scope.$on('$destroy', () => {
+    unmountComponentAtNode(domNode);
+  });
 
 });
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.less b/x-pack/plugins/spaces/public/views/nav_control/nav_control.less
new file mode 100644
index 00000000000000..19f56c5ea10776
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.less
@@ -0,0 +1,8 @@
+.global-nav-link__icon .spaceNavGraphic {
+    margin-top: 0.5em;
+}
+
+.selectSpaceModal {
+  min-width: 450px;
+  max-width: 1200px;
+}
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
new file mode 100644
index 00000000000000..1827d5bf8519da
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
@@ -0,0 +1,136 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component } from 'react';
+import PropTypes from 'prop-types';
+import {
+  EuiModal,
+  EuiModalHeader,
+  EuiModalHeaderTitle,
+  EuiModalBody,
+  EuiOverlayMask,
+  EuiAvatar,
+} from '@elastic/eui';
+import { SpaceCards } from '../components/space_cards';
+import { Notifier } from 'ui/notify';
+
+export class NavControlModal extends Component {
+    state = {
+      isOpen: false,
+      loading: false,
+      spaces: []
+    };
+
+    notifier = new Notifier(`Spaces`);
+
+    async loadSpaces() {
+      const {
+        spacesManager
+      } = this.props;
+
+      this.setState({
+        loading: true
+      });
+
+      const spaces = await spacesManager.getSpaces();
+      this.setState({
+        spaces,
+        loading: false
+      });
+    }
+
+    componentDidMount() {
+      const {
+        activeSpace
+      } = this.props;
+
+      if (activeSpace && !activeSpace.valid) {
+        const { error = {} } = activeSpace;
+        if (error.message) {
+          this.notifier.error(error.message);
+        }
+      }
+    }
+
+    render() {
+      let modal;
+      if (this.state.isOpen) {
+        modal = (
+          <EuiOverlayMask>
+            <EuiModal onClose={this.closePortal} className={'selectSpaceModal'}>
+              <EuiModalHeader>
+                <EuiModalHeaderTitle>Select a space</EuiModalHeaderTitle>
+              </EuiModalHeader>
+              <EuiModalBody>
+                <SpaceCards spaces={this.state.spaces} />
+              </EuiModalBody>
+            </EuiModal>
+          </EuiOverlayMask>
+        );
+      }
+
+      return (
+        <div>{this.getActiveSpaceButton()}{modal}</div>
+      );
+    }
+
+    getActiveSpaceButton = () => {
+      const {
+        activeSpace
+      } = this.props;
+
+      if (!activeSpace) {
+        return null;
+      }
+
+      if (activeSpace.valid && activeSpace.space) {
+        return this.getButton(
+          <EuiAvatar size={'s'} className={'spaceNavGraphic'} name={activeSpace.space.name} />,
+          activeSpace.space.name
+        );
+      } else if (activeSpace.error) {
+        return this.getButton(
+          <EuiAvatar size={'s'} className={'spaceNavGraphic'} name={'error'} />,
+          'error'
+        );
+      }
+
+      return null;
+    };
+
+    getButton = (linkIcon, linkTitle) => {
+      return (
+        <div className="global-nav-link">
+          <a className="global-nav-link__anchor" onClick={this.togglePortal}>
+            <div className="global-nav-link__icon">{linkIcon}</div>
+            <div className="global-nav-link__title">{linkTitle}</div>
+          </a>
+        </div>
+      );
+    };
+
+    togglePortal = () => {
+      const isOpening = !this.state.isOpen;
+      if (isOpening) {
+        this.loadSpaces();
+      }
+
+      this.setState({
+        isOpen: !this.state.isOpen
+      });
+    };
+
+    closePortal = () => {
+      this.setState({
+        isOpen: false
+      });
+    }
+}
+
+NavControlModal.propTypes = {
+  activeSpace: PropTypes.object,
+  spacesManager: PropTypes.object.isRequired
+};
diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
index cfb329dd6d7a16..7de6fd437aabc2 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
@@ -45,7 +45,7 @@ exports[`it renders without crashing 1`] = `
     className="euiPageBody"
   >
     <div
-      className="euiPanel euiPanel--paddingLarge euiPageContent"
+      className="euiPanel euiPanel--paddingLarge euiPageContent spaceSelectorPageContent"
     >
       <div
         className="euiText spaceWelcomeText"
@@ -61,16 +61,12 @@ exports[`it renders without crashing 1`] = `
           Select a space to begin.
         </p>
       </div>
-      <div
-        className="euiFlexGroup euiFlexGroup--gutterLarge euiFlexGroup--justifyContentSpaceEvenly euiFlexGroup--responsive spacesGroup"
+      <hr
+        className="euiHorizontalRule euiHorizontalRule--full euiHorizontalRule--marginLarge"
       />
       <div
-        className="euiText spaceProfileText"
-      >
-        <p>
-          You can change your workspace at anytime by accessing your profile within Kibana.
-        </p>
-      </div>
+        className="euiSpacer euiSpacer--l"
+      />
     </div>
   </div>
 </div>
diff --git a/x-pack/plugins/spaces/public/views/space_selector/index.js b/x-pack/plugins/spaces/public/views/space_selector/index.js
index 21efd3d762dda6..21bc86bee93c28 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/index.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/index.js
@@ -8,6 +8,7 @@ import 'ui/autoload/styles';
 import chrome from 'ui/chrome';
 import 'plugins/spaces/views/space_selector/space_selector.less';
 import template from 'plugins/spaces/views/space_selector/space_selector.html';
+import { SpacesManager } from 'plugins/spaces/lib/spaces_manager';
 import { uiModules } from 'ui/modules';
 
 import React from 'react';
@@ -17,7 +18,10 @@ import { SpaceSelector } from './space_selector';
 const module = uiModules.get('spaces_selector', []);
 module.controller('spacesSelectorController', ($scope, $http, spaces) => {
   const domNode = document.getElementById('spaceSelectorRoot');
-  render(<SpaceSelector spaces={spaces} httpAgent={$http} chrome={chrome} />, domNode);
+
+  const spacesManager = new SpacesManager($http, chrome);
+
+  render(<SpaceSelector spaces={spaces} spacesManager={spacesManager} />, domNode);
 
   // unmount react on controller destroy
   $scope.$on('$destroy', () => {
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
index 9137262bc0efd5..805dff7546decb 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
@@ -12,12 +12,12 @@ import {
   EuiPageBody,
   EuiPageContent,
   EuiPageHeaderSection,
-  EuiCard,
   EuiIcon,
+  EuiSpacer,
   EuiText,
-  EuiFlexGroup,
-  EuiFlexItem,
+  EuiHorizontalRule,
 } from '@elastic/eui';
+import { SpaceCards } from '../components/space_cards';
 
 export class SpaceSelector extends Component {
   state = {
@@ -40,14 +40,13 @@ export class SpaceSelector extends Component {
 
   loadSpaces() {
     this.setState({ loading: true });
-    const { httpAgent, chrome } = this.props;
+    const { spacesManager } = this.props;
 
-    httpAgent
-      .get(chrome.addBasePath(`/api/spaces/v1/spaces`))
-      .then(response => {
+    spacesManager.getSpaces()
+      .then(spaces => {
         this.setState({
           loading: false,
-          spaces: response.data
+          spaces
         });
       });
   }
@@ -65,57 +64,26 @@ export class SpaceSelector extends Component {
           </EuiPageHeaderSection>
         </EuiPageHeader>
         <EuiPageBody>
-          <EuiPageContent>
+          <EuiPageContent className="spaceSelectorPageContent">
             <EuiText className="spaceWelcomeText">
               <p className="welcomeLarge">Welcome to Kibana.</p>
               <p className="welcomeMedium">Select a space to begin.</p>
             </EuiText>
 
-            <EuiFlexGroup gutterSize="l" justifyContent="spaceEvenly" className="spacesGroup">
-              {spaces.map(this.renderSpace)}
-            </EuiFlexGroup>
+            <EuiHorizontalRule />
+
+            <SpaceCards spaces={spaces} />
+
+            <EuiSpacer />
 
-            <EuiText className="spaceProfileText">
-              <p>You can change your workspace at anytime by accessing your profile within Kibana.</p>
-            </EuiText>
           </EuiPageContent>
         </EuiPageBody>
       </EuiPage>
     );
   }
-
-  renderSpace = (space) => {
-    return (
-      <EuiFlexItem key={space.id} grow={false} className="spaceCard">
-        <EuiCard
-          icon={<EuiIcon size="xxl" type={space.logo} />}
-          title={this.renderSpaceTitle(space)}
-          description={space.description}
-          onClick={this.createSpaceClickHandler(space)}
-        />
-      </EuiFlexItem>
-    );
-  };
-
-  renderSpaceTitle = (space) => {
-    return (
-      <div className="spaceCardTitle">
-        <span>{space.name}</span>
-        {/* <EuiIcon type={'starEmpty'} size="s" /> */}
-      </div>
-    );
-  };
-
-  createSpaceClickHandler = (space) => {
-    return () => {
-      window.location = this.props.chrome.addBasePath(`/s/${space.urlContext}`);
-    };
-  }
-
 }
 
 SpaceSelector.propTypes = {
   spaces: PropTypes.array,
-  httpAgent: PropTypes.func.isRequired,
-  chrome: PropTypes.object.isRequired,
+  spacesManager: PropTypes.object.isRequired
 };
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.less b/x-pack/plugins/spaces/public/views/space_selector/space_selector.less
index 85c93682fde6f5..4dcf7fad24b80c 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.less
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.less
@@ -15,19 +15,16 @@
   margin: 30px 0 50px 0;
 }
 
-.spaceCard {
-  width: 225px;
-}
-
-.spaceCardTitle .euiIcon {
-  float: right;
-}
-
 .euiText .welcomeLarge {
   font-size: 2em;
-  margin-bottom: 5px;
+  margin-bottom: 15px;
 }
 
 .welcomeMedium {
   font-size: 1.4em;
 }
+
+.spaceSelectorPageContent {
+  box-shadow: none;
+  border: none;
+}
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js
index e32f6045191299..2277ec4757a7e9 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js
@@ -9,6 +9,8 @@ import { SpaceSelector } from './space_selector';
 import chrome from 'ui/chrome';
 import renderer from 'react-test-renderer';
 import { render, shallow } from 'enzyme';
+import { SpacesManager } from '../../lib/spaces_manager';
+
 
 function getHttpAgent(spaces = []) {
   const httpAgent = () => {};
@@ -17,17 +19,26 @@ function getHttpAgent(spaces = []) {
   return httpAgent;
 }
 
+function getSpacesManager(spaces = []) {
+  const manager = new SpacesManager(getHttpAgent(spaces), chrome);
+
+  const origGet = manager.getSpaces;
+  manager.getSpaces = jest.fn(origGet);
+
+  return manager;
+}
+
 
 test('it renders without crashing', () => {
-  const httpAgent = getHttpAgent();
+  const spacesManager = getSpacesManager();
   const component = renderer.create(
-    <SpaceSelector spaces={[]} httpAgent={httpAgent} chrome={chrome}/>
+    <SpaceSelector spaces={[]} spacesManager={spacesManager}/>
   );
   expect(component).toMatchSnapshot();
 });
 
 test('it uses the spaces on props, when provided', () => {
-  const httpAgent = getHttpAgent();
+  const spacesManager = getSpacesManager();
 
   const spaces = [{
     id: 'space-1',
@@ -37,14 +48,14 @@ test('it uses the spaces on props, when provided', () => {
   }];
 
   const component = render(
-    <SpaceSelector spaces={spaces} httpAgent={httpAgent} chrome={chrome}/>
+    <SpaceSelector spaces={spaces} spacesManager={spacesManager} />
   );
 
   return Promise
     .resolve()
     .then(() => {
       expect(component.find('.spaceCard')).toHaveLength(1);
-      expect(httpAgent.get).toHaveBeenCalledTimes(0);
+      expect(spacesManager.getSpaces).toHaveBeenCalledTimes(0);
     });
 });
 
@@ -56,16 +67,15 @@ test('it queries for spaces when not provided on props', () => {
     urlContext: 'space-1-context'
   }];
 
-  const httpAgent = getHttpAgent(spaces);
+  const spacesManager = getSpacesManager(spaces);
 
-  const component = shallow(
-    <SpaceSelector httpAgent={httpAgent} chrome={chrome}/>
+  shallow(
+    <SpaceSelector spacesManager={spacesManager}/>
   );
 
   return Promise
     .resolve()
     .then(() => {
-      expect(httpAgent.get).toHaveBeenCalledTimes(1);
-      expect(component.update().find('.spaceCard')).toHaveLength(1);
+      expect(spacesManager.getSpaces).toHaveBeenCalledTimes(1);
     });
 });
diff --git a/x-pack/plugins/spaces/server/lib/check_duplicate_context.js b/x-pack/plugins/spaces/server/lib/check_duplicate_context.js
new file mode 100644
index 00000000000000..a3f0125fb777ce
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/check_duplicate_context.js
@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export function createDuplicateContextQuery(index, { id, urlContext }) {
+  let mustNotClause = {};
+
+  if (id) {
+    mustNotClause = {
+      must_not: {
+        term: {
+          '_id': `space:${id}`
+        }
+      }
+    };
+  }
+
+  return {
+    index,
+    ignore: [404],
+    body: {
+      query: {
+        bool: {
+          must: {
+            term: {
+              [`space.urlContext`]: urlContext
+            }
+          },
+          ...mustNotClause
+        }
+      }
+    }
+  };
+}
diff --git a/x-pack/plugins/spaces/server/lib/get_active_space.js b/x-pack/plugins/spaces/server/lib/get_active_space.js
new file mode 100644
index 00000000000000..7fb7821e752741
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/get_active_space.js
@@ -0,0 +1,51 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Boom from 'boom';
+import { wrapError } from './errors';
+import { getSpaceUrlContext } from '../../common/spaces_url_parser';
+
+export async function getActiveSpace(savedObjectsClient, basePath) {
+  const spaceContext = getSpaceUrlContext(basePath);
+
+  if (!spaceContext) {
+    return null;
+  }
+
+  let spaces;
+  try {
+    const {
+      saved_objects: savedObjects
+    } = await savedObjectsClient.find({
+      type: 'space',
+      search: `"${spaceContext}"`,
+      search_fields: ['urlContext'],
+    });
+
+    spaces = savedObjects || [];
+  } catch(e) {
+    throw wrapError(e);
+  }
+
+  if (spaces.length === 0) {
+    throw Boom.notFound(
+      `The Space you requested could not be found. Please select a different Space to continue.`
+    );
+  }
+
+  if (spaces.length > 1) {
+    const spaceNames = spaces.map(s => s.attributes.name).join(', ');
+
+    throw Boom.badRequest(
+      `Multiple Spaces share this URL Context: (${spaceNames}). Please correct this in the Management Section.`
+    );
+  }
+
+  return {
+    id: spaces[0].id,
+    ...spaces[0].attributes
+  };
+}
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
index 647cebe8dfce56..019513dafbb8c6 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
@@ -4,14 +4,50 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import Boom from 'boom';
 import { omit } from 'lodash';
+import { getClient } from '../../../../../../server/lib/get_client_shield';
 import { routePreCheckLicense } from '../../../lib/route_pre_check_license';
 import { spaceSchema } from '../../../lib/space_schema';
 import { wrapError } from '../../../lib/errors';
+import { createDuplicateContextQuery } from '../../../lib/check_duplicate_context';
 
 export function initSpacesApi(server) {
   const routePreCheckLicenseFn = routePreCheckLicense(server);
 
+  function convertSavedObjectToSpace(savedObject) {
+    return {
+      id: savedObject.id,
+      ...savedObject.attributes
+    };
+  }
+
+  const callWithInternalUser = getClient(server).callWithInternalUser;
+
+  const config = server.config();
+
+  async function checkForDuplicateContext(space) {
+    const query = createDuplicateContextQuery(config.get('kibana.index'), space);
+
+    // TODO(legrego): Once the SOC is split into a client & repository, this "callWithInternalUser" call should
+    // be replaced to use the repository instead.
+    const { hits } = await callWithInternalUser('search', query);
+
+    const { total, hits: conflicts } = hits;
+
+    let error;
+
+    if (total > 0) {
+      const firstConflictName = conflicts[0]._source.space.name;
+
+      error = Boom.badRequest(
+        `Another Space (${firstConflictName}) already uses this URL Context. Please choose a different URL Context.`
+      );
+    }
+
+    return { error };
+  }
+
   server.route({
     method: 'GET',
     path: '/api/spaces/v1/spaces',
@@ -25,10 +61,7 @@ export function initSpacesApi(server) {
           type: 'space'
         });
 
-        spaces = result.saved_objects.map(space => ({
-          ...space.attributes,
-          id: space.id
-        }));
+        spaces = result.saved_objects.map(convertSavedObjectToSpace);
       } catch(e) {
         return reply(wrapError(e));
       }
@@ -42,22 +75,16 @@ export function initSpacesApi(server) {
 
   server.route({
     method: 'GET',
-    path: '/api/spaces/v1/spaces/{id}',
+    path: '/api/spaces/v1/space/{id}',
     async handler(request, reply) {
       const spaceId = request.params.id;
 
       const client = request.getSavedObjectsClient();
 
       try {
-        const {
-          id,
-          attributes
-        } = await client.get('space', spaceId);
-
-        return reply({
-          id,
-          ...attributes
-        });
+        const response = await client.get('space', spaceId);
+
+        return reply(convertSavedObjectToSpace(response));
       } catch (e) {
         return reply(wrapError(e));
       }
@@ -69,7 +96,7 @@ export function initSpacesApi(server) {
 
   server.route({
     method: 'POST',
-    path: '/api/spaces/v1/spaces/{id}',
+    path: '/api/spaces/v1/space',
     async handler(request, reply) {
       const client = request.getSavedObjectsClient();
 
@@ -78,6 +105,13 @@ export function initSpacesApi(server) {
       } = request.query;
 
       const space = omit(request.payload, ['id']);
+
+      const { error } = await checkForDuplicateContext(space);
+
+      if (error) {
+        return reply(wrapError(error));
+      }
+
       const id = request.params.id;
 
       let result;
@@ -87,7 +121,37 @@ export function initSpacesApi(server) {
         return reply(wrapError(e));
       }
 
-      return reply(result);
+      return reply(convertSavedObjectToSpace(result));
+    }
+  });
+
+  server.route({
+    method: 'PUT',
+    path: '/api/spaces/v1/space/{id}',
+    async handler(request, reply) {
+      const client = request.getSavedObjectsClient();
+
+      const {
+        overwrite = false
+      } = request.query;
+
+      const space = omit(request.payload, ['id']);
+      const id = request.params.id;
+
+      const { error } = await checkForDuplicateContext({ ...space, id });
+
+      if (error) {
+        return reply(wrapError(error));
+      }
+
+      let result;
+      try {
+        result = await client.create('space', { ...space }, { id, overwrite });
+      } catch(e) {
+        return reply(wrapError(e));
+      }
+
+      return reply(convertSavedObjectToSpace(result));
     },
     config: {
       validate: {
@@ -99,7 +163,7 @@ export function initSpacesApi(server) {
 
   server.route({
     method: 'DELETE',
-    path: '/api/spaces/v1/spaces/{id}',
+    path: '/api/spaces/v1/space/{id}',
     async handler(request, reply) {
       const client = request.getSavedObjectsClient();
 
diff --git a/x-pack/yarn.lock b/x-pack/yarn.lock
index 9747bb69a2f7c3..fb4184fbbb6322 100644
--- a/x-pack/yarn.lock
+++ b/x-pack/yarn.lock
@@ -10,30 +10,25 @@
     esutils "^2.0.2"
     js-tokens "^3.0.0"
 
-"@elastic/eui@0.0.44":
-  version "0.0.44"
-  resolved "https://registry.yarnpkg.com/@elastic/eui/-/eui-0.0.44.tgz#b0b58eb1b10d6f8de017f548bb06c5b5f71e3d61"
+"@elastic/eui@0.0.47":
+  version "0.0.47"
+  resolved "https://registry.yarnpkg.com/@elastic/eui/-/eui-0.0.47.tgz#5bae27966bb1d68bb3106853610a407509053b44"
   dependencies:
     brace "^0.10.0"
     classnames "^2.2.5"
     core-js "^2.5.1"
-    eslint-config-prettier "^2.9.0"
-    eslint-plugin-prettier "^2.6.0"
     focus-trap-react "^3.0.4"
     highlight.js "^9.12.0"
     html "^1.0.0"
-    jquery "^3.2.1"
     keymirror "^0.1.1"
     lodash "^3.10.1"
     numeral "^2.0.6"
-    prettier "^1.11.1"
     prop-types "^15.6.0"
     react-ace "^5.5.0"
     react-color "^2.13.8"
     react-datepicker v1.4.1
     react-input-autosize "^2.2.1"
     react-virtualized "^9.18.5"
-    serve "^6.3.1"
     tabbable "^1.1.0"
     uuid "^3.1.0"
 
@@ -97,13 +92,6 @@ accept@2.x.x:
     boom "5.x.x"
     hoek "4.x.x"
 
-accepts@~1.3.4:
-  version "1.3.5"
-  resolved "https://registry.yarnpkg.com/accepts/-/accepts-1.3.5.tgz#eb777df6011723a3b14e8a72c0805c8e86746bd2"
-  dependencies:
-    mime-types "~2.1.18"
-    negotiator "0.6.1"
-
 acorn-globals@^4.0.0:
   version "4.1.0"
   resolved "https://registry.yarnpkg.com/acorn-globals/-/acorn-globals-4.1.0.tgz#ab716025dbe17c54d3ef81d32ece2b2d99fe2538"
@@ -122,10 +110,6 @@ add-event-listener@0.0.1:
   version "0.0.1"
   resolved "https://registry.yarnpkg.com/add-event-listener/-/add-event-listener-0.0.1.tgz#a76229ebc64c8aefae204a16273a2f255abea2d0"
 
-address@^1.0.1:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/address/-/address-1.0.3.tgz#b5f50631f8d6cec8bd20c963963afb55e06cbce9"
-
 agentkeepalive@^2.2.0:
   version "2.2.0"
   resolved "https://registry.yarnpkg.com/agentkeepalive/-/agentkeepalive-2.2.0.tgz#c5d1bd4b129008f1163f236f86e5faea2026e2ef"
@@ -185,12 +169,6 @@ angular-ui-bootstrap@1.2.5:
   version "1.2.5"
   resolved "https://registry.yarnpkg.com/angular-ui-bootstrap/-/angular-ui-bootstrap-1.2.5.tgz#b0c1eff0bf3b7a65668984a1b81820a90dc60995"
 
-ansi-align@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/ansi-align/-/ansi-align-2.0.0.tgz#c36aeccba563b89ceb556f3690f0b1d9e3547f7f"
-  dependencies:
-    string-width "^2.0.0"
-
 ansi-cyan@^0.1.1:
   version "0.1.1"
   resolved "https://registry.yarnpkg.com/ansi-cyan/-/ansi-cyan-0.1.1.tgz#538ae528af8982f28ae30d86f2f17456d2609873"
@@ -276,10 +254,6 @@ aproba@^1.0.3:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/aproba/-/aproba-1.2.0.tgz#6802e6264efd18c790a1b0d517f0f2627bf2c94a"
 
-arch@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/arch/-/arch-2.1.0.tgz#3613aa46149064b3c1f0607919bf1d4786e82889"
-
 archy@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/archy/-/archy-1.0.0.tgz#f9c8c13757cc1dd7bc379ac77b2c62a5c2868c40"
@@ -304,15 +278,6 @@ argparse@~0.1.15:
     underscore "~1.7.0"
     underscore.string "~2.4.0"
 
-args@4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/args/-/args-4.0.0.tgz#5ca24cdba43d4b17111c56616f5f2e9d91933954"
-  dependencies:
-    camelcase "5.0.0"
-    chalk "2.3.2"
-    leven "2.1.0"
-    mri "1.1.0"
-
 argv-split@^2.0.1:
   version "2.0.1"
   resolved "https://registry.yarnpkg.com/argv-split/-/argv-split-2.0.1.tgz#be264117790dbd5ccd63ec3f449a1804814ac4c5"
@@ -947,12 +912,6 @@ base@^0.11.1:
     mixin-deep "^1.2.0"
     pascalcase "^0.1.1"
 
-basic-auth@2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/basic-auth/-/basic-auth-2.0.0.tgz#015db3f353e02e56377755f962742e8981e7bbba"
-  dependencies:
-    safe-buffer "5.1.1"
-
 bcrypt-pbkdf@^1.0.0:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.1.tgz#63bc5dcb61331b92bc05fd528953c33462a06f8d"
@@ -979,7 +938,7 @@ bluebird@3.1.1:
   version "3.1.1"
   resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.1.1.tgz#7e2e4318d62ae72a674f6aea6357bb4def1a6e41"
 
-bluebird@3.5.1, bluebird@^3.3.1:
+bluebird@^3.3.1:
   version "3.5.1"
   resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.5.1.tgz#d9551f9de98f1fcda1e683d17ee91a0602ee2eb9"
 
@@ -1017,18 +976,6 @@ boom@5.x.x:
   dependencies:
     hoek "4.x.x"
 
-boxen@1.3.0:
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/boxen/-/boxen-1.3.0.tgz#55c6c39a8ba58d9c61ad22cd877532deb665a20b"
-  dependencies:
-    ansi-align "^2.0.0"
-    camelcase "^4.0.0"
-    chalk "^2.0.1"
-    cli-boxes "^1.0.0"
-    string-width "^2.0.0"
-    term-size "^1.2.0"
-    widest-line "^2.0.0"
-
 brace-expansion@^1.0.0, brace-expansion@^1.1.7:
   version "1.1.8"
   resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.8.tgz#c07b211c7c952ec1f8efd51a77ef0d1d3990a292"
@@ -1144,10 +1091,6 @@ builtin-modules@^1.0.0:
   version "1.1.1"
   resolved "https://registry.yarnpkg.com/builtin-modules/-/builtin-modules-1.1.1.tgz#270f076c5a72c02f5b65a47df94c5fe3a278892f"
 
-bytes@3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/bytes/-/bytes-3.0.0.tgz#d32815404d689699f85a4ea4fa8755dd13a96048"
-
 cache-base@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/cache-base/-/cache-base-1.0.1.tgz#0a7f46416831c8b662ee36fe4e7c59d76f666ab2"
@@ -1180,10 +1123,6 @@ camelcase-keys@^2.0.0:
     camelcase "^2.0.0"
     map-obj "^1.0.0"
 
-camelcase@5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-5.0.0.tgz#03295527d58bd3cd4aa75363f35b2e8d97be2f42"
-
 camelcase@^1.0.2:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-1.2.1.tgz#9bb5304d2e0b56698b2c758b08a3eaa9daa58a39"
@@ -1196,7 +1135,7 @@ camelcase@^3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-3.0.0.tgz#32fc4b9fcdaf845fcdf7e73bb97cac2261f0ab0a"
 
-camelcase@^4.0.0, camelcase@^4.1.0:
+camelcase@^4.1.0:
   version "4.1.0"
   resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-4.1.0.tgz#d545635be1e33c542649c69173e5de6acfae34dd"
 
@@ -1232,22 +1171,6 @@ chai@~1.9.2:
     assertion-error "1.0.0"
     deep-eql "0.1.3"
 
-chalk@2.3.2, chalk@^2.3.2:
-  version "2.3.2"
-  resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.3.2.tgz#250dc96b07491bfd601e648d66ddf5f60c7a5c65"
-  dependencies:
-    ansi-styles "^3.2.1"
-    escape-string-regexp "^1.0.5"
-    supports-color "^5.3.0"
-
-chalk@2.4.0:
-  version "2.4.0"
-  resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.4.0.tgz#a060a297a6b57e15b61ca63ce84995daa0fe6e52"
-  dependencies:
-    ansi-styles "^3.2.1"
-    escape-string-regexp "^1.0.5"
-    supports-color "^5.3.0"
-
 chalk@^1.0.0, chalk@^1.1.3:
   version "1.1.3"
   resolved "https://registry.yarnpkg.com/chalk/-/chalk-1.1.3.tgz#a8115c55e4a702fe4d150abd3872822a7e09fc98"
@@ -1266,6 +1189,14 @@ chalk@^2.0.0, chalk@^2.0.1, chalk@^2.3.0:
     escape-string-regexp "^1.0.5"
     supports-color "^4.0.0"
 
+chalk@^2.3.2:
+  version "2.3.2"
+  resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.3.2.tgz#250dc96b07491bfd601e648d66ddf5f60c7a5c65"
+  dependencies:
+    ansi-styles "^3.2.1"
+    escape-string-regexp "^1.0.5"
+    supports-color "^5.3.0"
+
 chance@1.0.10:
   version "1.0.10"
   resolved "https://registry.yarnpkg.com/chance/-/chance-1.0.10.tgz#03500b04ad94e778dd2891b09ec73a6ad87b1996"
@@ -1312,10 +1243,6 @@ classnames@2.2.5, classnames@^2.1.2, classnames@^2.2.3, classnames@^2.2.4, class
   version "2.2.5"
   resolved "https://registry.yarnpkg.com/classnames/-/classnames-2.2.5.tgz#fb3801d453467649ef3603c7d61a02bd129bde6d"
 
-cli-boxes@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/cli-boxes/-/cli-boxes-1.0.0.tgz#4fa917c3e59c94a004cd61f8ee509da651687143"
-
 cli-cursor@^1.0.1:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/cli-cursor/-/cli-cursor-1.0.2.tgz#64da3f7d56a54412e59794bd62dc35295e8f2987"
@@ -1334,13 +1261,6 @@ clipboard@^1.6.1:
     select "^1.1.2"
     tiny-emitter "^2.0.0"
 
-clipboardy@1.2.3:
-  version "1.2.3"
-  resolved "https://registry.yarnpkg.com/clipboardy/-/clipboardy-1.2.3.tgz#0526361bf78724c1f20be248d428e365433c07ef"
-  dependencies:
-    arch "^2.1.0"
-    execa "^0.8.0"
-
 cliui@^2.1.0:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/cliui/-/cliui-2.1.0.tgz#4b475760ff80264c762c3a1719032e91c7fea0d1"
@@ -1460,24 +1380,6 @@ component-emitter@^1.2.0, component-emitter@^1.2.1:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/component-emitter/-/component-emitter-1.2.1.tgz#137918d6d78283f7df7a6b7c5a63e140e69425e6"
 
-compressible@~2.0.13:
-  version "2.0.13"
-  resolved "https://registry.yarnpkg.com/compressible/-/compressible-2.0.13.tgz#0d1020ab924b2fdb4d6279875c7d6daba6baa7a9"
-  dependencies:
-    mime-db ">= 1.33.0 < 2"
-
-compression@^1.6.2:
-  version "1.7.2"
-  resolved "http://registry.npmjs.org/compression/-/compression-1.7.2.tgz#aaffbcd6aaf854b44ebb280353d5ad1651f59a69"
-  dependencies:
-    accepts "~1.3.4"
-    bytes "3.0.0"
-    compressible "~2.0.13"
-    debug "2.6.9"
-    on-headers "~1.0.1"
-    safe-buffer "5.1.1"
-    vary "~1.1.2"
-
 concat-map@0.0.1:
   version "0.0.1"
   resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b"
@@ -1514,10 +1416,6 @@ content-type-parser@^1.0.1:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/content-type-parser/-/content-type-parser-1.0.2.tgz#caabe80623e63638b2502fd4c7f12ff4ce2352e7"
 
-content-type@1.0.4:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.4.tgz#e138cc75e040c727b1966fe5e5f8c9aee256fe3b"
-
 content@3.x.x:
   version "3.0.6"
   resolved "https://registry.yarnpkg.com/content/-/content-3.0.6.tgz#9c2e301e9ae515ed65a4b877d78aa5659bb1b809"
@@ -1789,10 +1687,6 @@ d3@3.5.6:
   version "3.5.6"
   resolved "https://registry.yarnpkg.com/d3/-/d3-3.5.6.tgz#9451c651ca733fb9672c81fb7f2655164a73a42d"
 
-dargs@5.1.0:
-  version "5.1.0"
-  resolved "https://registry.yarnpkg.com/dargs/-/dargs-5.1.0.tgz#ec7ea50c78564cd36c9d5ec18f66329fade27829"
-
 dashdash@^1.12.0:
   version "1.14.1"
   resolved "https://registry.yarnpkg.com/dashdash/-/dashdash-1.14.1.tgz#853cfa0f7cbe2fed5de20326b8dd581035f6e2f0"
@@ -1828,7 +1722,7 @@ debug@2.2.0:
   dependencies:
     ms "0.7.1"
 
-debug@2.6.9, debug@2.X, debug@^2.2.0, debug@^2.3.3, debug@^2.6.0, debug@^2.6.8:
+debug@2.X, debug@^2.2.0, debug@^2.3.3, debug@^2.6.8:
   version "2.6.9"
   resolved "https://registry.yarnpkg.com/debug/-/debug-2.6.9.tgz#5d128515df134ff327e90a4c93f4e077a536341f"
   dependencies:
@@ -1937,22 +1831,10 @@ delegates@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/delegates/-/delegates-1.0.0.tgz#84c6e159b81904fdca59a0ef44cd870d31250f9a"
 
-depd@1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/depd/-/depd-1.1.1.tgz#5783b4e1c459f06fa5ca27f991f3d06e7a310359"
-
-depd@~1.1.2:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/depd/-/depd-1.1.2.tgz#9bcd52e14c097763e749b274c4346ed2e560b5a9"
-
 deprecated@^0.0.1:
   version "0.0.1"
   resolved "https://registry.yarnpkg.com/deprecated/-/deprecated-0.0.1.tgz#f9c9af5464afa1e7a971458a8bdef2aa94d5bb19"
 
-destroy@~1.0.4:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/destroy/-/destroy-1.0.4.tgz#978857442c44749e4206613e37946205826abd80"
-
 detect-file@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/detect-file/-/detect-file-1.0.0.tgz#f0d66d03672a825cb1b73bdb3fe62310c8e552b7"
@@ -1971,13 +1853,6 @@ detect-newline@2.X, detect-newline@^2.1.0:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/detect-newline/-/detect-newline-2.1.0.tgz#f41f1c10be4b00e87b5f13da680759f2c5bfd3e2"
 
-detect-port@1.2.2:
-  version "1.2.2"
-  resolved "https://registry.yarnpkg.com/detect-port/-/detect-port-1.2.2.tgz#57a44533632d8bc74ad255676866ca43f96c7469"
-  dependencies:
-    address "^1.0.1"
-    debug "^2.6.0"
-
 dfa@^1.0.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/dfa/-/dfa-1.1.0.tgz#d30218bd10d030fa421df3ebbc82285463a31781"
@@ -2089,10 +1964,6 @@ ecc-jsbn@~0.1.1:
   dependencies:
     jsbn "~0.1.0"
 
-ee-first@1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/ee-first/-/ee-first-1.1.1.tgz#590c61156b0ae2f4f0255732a158b266bc56b21d"
-
 elasticsearch@13.0.1:
   version "13.0.1"
   resolved "https://registry.yarnpkg.com/elasticsearch/-/elasticsearch-13.0.1.tgz#fa58204233052c4cd221e8721e48f3906b385b32"
@@ -2104,10 +1975,6 @@ elasticsearch@13.0.1:
     lodash.isempty "^4.4.0"
     lodash.trimend "^4.5.1"
 
-encodeurl@~1.0.2:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/encodeurl/-/encodeurl-1.0.2.tgz#ad3ff4c86ec2d029322f5a02c3a9a606c95b3f59"
-
 encoding@^0.1.11:
   version "0.1.12"
   resolved "https://registry.yarnpkg.com/encoding/-/encoding-0.1.12.tgz#538b66f3ee62cd1ab51ec323829d1f9480c74beb"
@@ -2200,10 +2067,6 @@ es6-promise@~2.0.0:
   version "2.0.1"
   resolved "https://registry.yarnpkg.com/es6-promise/-/es6-promise-2.0.1.tgz#ccc4963e679f0ca9fb187c777b9e583d3c7573c2"
 
-escape-html@~1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/escape-html/-/escape-html-1.0.3.tgz#0258eae4d3d0c0974de1c169188ef0051d1d1988"
-
 escape-string-regexp@1.0.2:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/escape-string-regexp/-/escape-string-regexp-1.0.2.tgz#4dbc2fe674e71949caf3fb2695ce7f2dc1d9a8d1"
@@ -2252,19 +2115,6 @@ escodegen@~1.3.2:
   optionalDependencies:
     source-map "~0.1.33"
 
-eslint-config-prettier@^2.9.0:
-  version "2.9.0"
-  resolved "https://registry.yarnpkg.com/eslint-config-prettier/-/eslint-config-prettier-2.9.0.tgz#5ecd65174d486c22dff389fe036febf502d468a3"
-  dependencies:
-    get-stdin "^5.0.1"
-
-eslint-plugin-prettier@^2.6.0:
-  version "2.6.0"
-  resolved "https://registry.yarnpkg.com/eslint-plugin-prettier/-/eslint-plugin-prettier-2.6.0.tgz#33e4e228bdb06142d03c560ce04ec23f6c767dd7"
-  dependencies:
-    fast-diff "^1.1.1"
-    jest-docblock "^21.0.0"
-
 esprima@^3.1.3:
   version "3.1.3"
   resolved "https://registry.yarnpkg.com/esprima/-/esprima-3.1.3.tgz#fdca51cee6133895e3c88d535ce49dbff62a4633"
@@ -2301,10 +2151,6 @@ esutils@~1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/esutils/-/esutils-1.0.0.tgz#8151d358e20c8acc7fb745e7472c0025fe496570"
 
-etag@~1.8.1:
-  version "1.8.1"
-  resolved "https://registry.yarnpkg.com/etag/-/etag-1.8.1.tgz#41ae2eeb65efa62268aebfea83ac7d79299b0887"
-
 exec-sh@^0.2.0:
   version "0.2.1"
   resolved "https://registry.yarnpkg.com/exec-sh/-/exec-sh-0.2.1.tgz#163b98a6e89e6b65b47c2a28d215bc1f63989c38"
@@ -2335,18 +2181,6 @@ execa@^0.7.0:
     signal-exit "^3.0.0"
     strip-eof "^1.0.0"
 
-execa@^0.8.0:
-  version "0.8.0"
-  resolved "https://registry.yarnpkg.com/execa/-/execa-0.8.0.tgz#d8d76bbc1b55217ed190fd6dd49d3c774ecfc8da"
-  dependencies:
-    cross-spawn "^5.0.1"
-    get-stream "^3.0.0"
-    is-stream "^1.1.0"
-    npm-run-path "^2.0.0"
-    p-finally "^1.0.0"
-    signal-exit "^3.0.0"
-    strip-eof "^1.0.0"
-
 exit-hook@^1.0.0:
   version "1.1.1"
   resolved "https://registry.yarnpkg.com/exit-hook/-/exit-hook-1.1.1.tgz#f05ca233b48c05d54fff07765df8507e95c02ff8"
@@ -2488,10 +2322,6 @@ fast-deep-equal@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/fast-deep-equal/-/fast-deep-equal-1.0.0.tgz#96256a3bc975595eb36d82e9929d060d893439ff"
 
-fast-diff@^1.1.1:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/fast-diff/-/fast-diff-1.1.2.tgz#4b62c42b8e03de3f848460b639079920695d0154"
-
 fast-json-stable-stringify@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/fast-json-stable-stringify/-/fast-json-stable-stringify-2.0.0.tgz#d5142c0caee6b1189f87d3a76111064f86c8bbf2"
@@ -2550,10 +2380,6 @@ fileset@^2.0.2:
     glob "^7.0.3"
     minimatch "^3.0.3"
 
-filesize@3.6.1:
-  version "3.6.1"
-  resolved "https://registry.yarnpkg.com/filesize/-/filesize-3.6.1.tgz#090bb3ee01b6f801a8a8be99d31710b3422bb317"
-
 fill-keys@^1.0.2:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/fill-keys/-/fill-keys-1.0.2.tgz#9a8fa36f4e8ad634e3bf6b4f3c8882551452eb20"
@@ -2731,22 +2557,10 @@ fragment-cache@^0.2.1:
   dependencies:
     map-cache "^0.2.2"
 
-fresh@0.5.2:
-  version "0.5.2"
-  resolved "https://registry.yarnpkg.com/fresh/-/fresh-0.5.2.tgz#3d8cadd90d976569fa835ab1f8e4b23a105605a7"
-
 from@^0.1.3:
   version "0.1.7"
   resolved "https://registry.yarnpkg.com/from/-/from-0.1.7.tgz#83c60afc58b9c56997007ed1a768b3ab303a44fe"
 
-fs-extra@5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-5.0.0.tgz#414d0110cdd06705734d055652c5411260c31abd"
-  dependencies:
-    graceful-fs "^4.1.2"
-    jsonfile "^4.0.0"
-    universalify "^0.1.0"
-
 fs-mkdirp-stream@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/fs-mkdirp-stream/-/fs-mkdirp-stream-1.0.0.tgz#0b7815fc3201c6a69e14db98ce098c16935259eb"
@@ -2833,10 +2647,6 @@ get-stdin@^4.0.1:
   version "4.0.1"
   resolved "https://registry.yarnpkg.com/get-stdin/-/get-stdin-4.0.1.tgz#b968c6b0a04384324902e8bf1a5df32579a450fe"
 
-get-stdin@^5.0.1:
-  version "5.0.1"
-  resolved "https://registry.yarnpkg.com/get-stdin/-/get-stdin-5.0.1.tgz#122e161591e21ff4c52530305693f20e6393a398"
-
 get-stream@^3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/get-stream/-/get-stream-3.0.0.tgz#8e943d1358dc37555054ecbe2edb05aa174ede14"
@@ -3236,7 +3046,7 @@ gulplog@^1.0.0:
   dependencies:
     glogg "^1.0.0"
 
-handlebars@4.0.11, handlebars@^4.0.3:
+handlebars@^4.0.3:
   version "4.0.11"
   resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.0.11.tgz#630a35dfe0294bc281edae6ffc5d329fc7982dcc"
   dependencies:
@@ -3475,15 +3285,6 @@ htmlparser2@^3.9.1:
     inherits "^2.0.1"
     readable-stream "^2.0.2"
 
-http-errors@1.6.2:
-  version "1.6.2"
-  resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-1.6.2.tgz#0a002cc85707192a7e7946ceedc11155f60ec736"
-  dependencies:
-    depd "1.1.1"
-    inherits "2.0.3"
-    setprototypeof "1.0.3"
-    statuses ">= 1.3.1 < 2"
-
 http-errors@~1.4.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-1.4.0.tgz#6c0242dea6b3df7afda153c71089b31c6e82aabf"
@@ -3491,15 +3292,6 @@ http-errors@~1.4.0:
     inherits "2.0.1"
     statuses ">= 1.2.1 < 2"
 
-http-errors@~1.6.2:
-  version "1.6.3"
-  resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-1.6.3.tgz#8b55680bb4be283a0b5bf4ea2e38580be1d9320d"
-  dependencies:
-    depd "~1.1.2"
-    inherits "2.0.3"
-    setprototypeof "1.1.0"
-    statuses ">= 1.4.0 < 2"
-
 http-signature@~1.1.0:
   version "1.1.1"
   resolved "https://registry.yarnpkg.com/http-signature/-/http-signature-1.1.1.tgz#df72e267066cd0ac67fb76adf8e134a8fbcf91bf"
@@ -3566,7 +3358,7 @@ inherits@1:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/inherits/-/inherits-1.0.2.tgz#ca4309dadee6b54cc0b8d247e8d7c7a0975bdc9b"
 
-inherits@2, inherits@2.0.3, inherits@^2.0.1, inherits@^2.0.3, inherits@~2.0.0, inherits@~2.0.1, inherits@~2.0.3:
+inherits@2, inherits@^2.0.1, inherits@^2.0.3, inherits@~2.0.0, inherits@~2.0.1, inherits@~2.0.3:
   version "2.0.3"
   resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.3.tgz#633c2c83e3da42a502f52466022480f4208261de"
 
@@ -3611,10 +3403,6 @@ invert-kv@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/invert-kv/-/invert-kv-1.0.0.tgz#104a8e4aaca6d3d8cd157a8ef8bfab2d7a3ffdb6"
 
-ip@1.1.5:
-  version "1.1.5"
-  resolved "https://registry.yarnpkg.com/ip/-/ip-1.1.5.tgz#bdded70114290828c0a039e72ef25f5aaec4354a"
-
 iron@4.x.x:
   version "4.0.5"
   resolved "https://registry.yarnpkg.com/iron/-/iron-4.0.5.tgz#4f042cceb8b9738f346b59aa734c83a89bc31428"
@@ -3834,7 +3622,7 @@ is-relative@^1.0.0:
   dependencies:
     is-unc-path "^1.0.0"
 
-is-stream@1.1.0, is-stream@^1.0.1, is-stream@^1.1.0:
+is-stream@^1.0.1, is-stream@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/is-stream/-/is-stream-1.1.0.tgz#12d4a3dd4e68e0b79ceb8dbc84173ae80d91ca44"
 
@@ -3872,10 +3660,6 @@ is-windows@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/is-windows/-/is-windows-1.0.1.tgz#310db70f742d259a16a369202b51af84233310d9"
 
-is-wsl@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/is-wsl/-/is-wsl-1.1.0.tgz#1f16e4aa22b04d1336b66188a66af3c600c3a66d"
-
 isarray@0.0.1:
   version "0.0.1"
   resolved "https://registry.yarnpkg.com/isarray/-/isarray-0.0.1.tgz#8a18acfca9a8f4177e09abfc6038939b05d1eedf"
@@ -4065,10 +3849,6 @@ jest-diff@^22.4.3:
     jest-get-type "^22.4.3"
     pretty-format "^22.4.3"
 
-jest-docblock@^21.0.0:
-  version "21.2.0"
-  resolved "https://registry.yarnpkg.com/jest-docblock/-/jest-docblock-21.2.0.tgz#51529c3b30d5fd159da60c27ceedc195faf8d414"
-
 jest-docblock@^22.4.3:
   version "22.4.3"
   resolved "https://registry.yarnpkg.com/jest-docblock/-/jest-docblock-22.4.3.tgz#50886f132b42b280c903c592373bb6e93bb68b19"
@@ -4305,7 +4085,7 @@ jquery@^3.1.1:
   version "3.2.1"
   resolved "https://registry.yarnpkg.com/jquery/-/jquery-3.2.1.tgz#5c4d9de652af6cd0a770154a631bba12b015c787"
 
-jquery@^3.2.1, jquery@^3.3.1:
+jquery@^3.3.1:
   version "3.3.1"
   resolved "https://registry.yarnpkg.com/jquery/-/jquery-3.3.1.tgz#958ce29e81c9790f31be7792df5d4d95fc57fbca"
 
@@ -4383,12 +4163,6 @@ json5@^0.5.1:
   version "0.5.1"
   resolved "https://registry.yarnpkg.com/json5/-/json5-0.5.1.tgz#1eade7acc012034ad84e2396767ead9fa5495821"
 
-jsonfile@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/jsonfile/-/jsonfile-4.0.0.tgz#8771aae0799b64076b76640fca058f9c10e33ecb"
-  optionalDependencies:
-    graceful-fs "^4.1.6"
-
 jsonify@~0.0.0:
   version "0.0.0"
   resolved "https://registry.yarnpkg.com/jsonify/-/jsonify-0.0.0.tgz#2c74b6ee41d93ca51b7b5aaee8f503631d252a73"
@@ -4476,7 +4250,7 @@ left-pad@^1.2.0:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.2.0.tgz#d30a73c6b8201d8f7d8e7956ba9616087a68e0ee"
 
-leven@2.1.0, leven@^2.1.0:
+leven@^2.1.0:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/leven/-/leven-2.1.0.tgz#c2e7a9f772094dee9d34202ae8acce4687875580"
 
@@ -4858,21 +4632,6 @@ methods@^1.1.1, methods@~1.1.2:
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/methods/-/methods-1.1.2.tgz#5529a4d67654134edcc5266656835b0f851afcee"
 
-micro-compress@1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/micro-compress/-/micro-compress-1.0.0.tgz#53f5a80b4ad0320ca165a559b6e3df145d4f704f"
-  dependencies:
-    compression "^1.6.2"
-
-micro@9.1.4:
-  version "9.1.4"
-  resolved "https://registry.yarnpkg.com/micro/-/micro-9.1.4.tgz#dbe655f34bb3390509898ddf3fda12348f5cbaa9"
-  dependencies:
-    content-type "1.0.4"
-    is-stream "1.1.0"
-    mri "1.1.0"
-    raw-body "2.3.2"
-
 micromatch@^2.1.5, micromatch@^2.3.11, micromatch@^2.3.7:
   version "2.3.11"
   resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-2.3.11.tgz#86677c97d1720b363431d04d0d15293bd38c1565"
@@ -4913,30 +4672,16 @@ mime-db@1.x.x:
   version "1.32.0"
   resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.32.0.tgz#485b3848b01a3cda5f968b4882c0771e58e09414"
 
-"mime-db@>= 1.33.0 < 2", mime-db@~1.33.0:
-  version "1.33.0"
-  resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.33.0.tgz#a3492050a5cb9b63450541e39d9788d2272783db"
-
 mime-db@~1.30.0:
   version "1.30.0"
   resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.30.0.tgz#74c643da2dd9d6a45399963465b26d5ca7d71f01"
 
-mime-types@2.1.18, mime-types@~2.1.18:
-  version "2.1.18"
-  resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.18.tgz#6f323f60a83d11146f831ff11fd66e2fe5503bb8"
-  dependencies:
-    mime-db "~1.33.0"
-
 mime-types@^2.1.12, mime-types@~2.1.17, mime-types@~2.1.7:
   version "2.1.17"
   resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.17.tgz#09d7a393f03e995a79f8af857b70a9e0ab16557a"
   dependencies:
     mime-db "~1.30.0"
 
-mime@1.4.1:
-  version "1.4.1"
-  resolved "https://registry.yarnpkg.com/mime/-/mime-1.4.1.tgz#121f9ebc49e3766f311a76e1fa1c8003c4b03aa6"
-
 mime@^1.4.1:
   version "1.6.0"
   resolved "https://registry.yarnpkg.com/mime/-/mime-1.6.0.tgz#32cd9e5c64553bd58d19a568af452acff04981b1"
@@ -5067,10 +4812,6 @@ moment@2.x.x, "moment@>= 2.9.0", moment@^2.13.0, moment@^2.20.1:
   version "2.20.1"
   resolved "https://registry.yarnpkg.com/moment/-/moment-2.20.1.tgz#d6eb1a46cbcc14a2b2f9434112c1ff8907f313fd"
 
-mri@1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/mri/-/mri-1.1.0.tgz#5c0a3f29c8ccffbbb1ec941dcec09d71fa32f36a"
-
 ms@0.7.1:
   version "0.7.1"
   resolved "https://registry.yarnpkg.com/ms/-/ms-0.7.1.tgz#9cd13c03adbff25b65effde7ce864ee952017098"
@@ -5141,10 +4882,6 @@ nearley@^2.7.10:
     railroad-diagrams "^1.0.0"
     randexp "^0.4.2"
 
-negotiator@0.6.1:
-  version "0.6.1"
-  resolved "https://registry.yarnpkg.com/negotiator/-/negotiator-0.6.1.tgz#2b327184e8992101177b28563fb5e7102acd0ca9"
-
 ngreact@^0.5.1:
   version "0.5.1"
   resolved "https://registry.yarnpkg.com/ngreact/-/ngreact-0.5.1.tgz#2dcccc1541771796689d13e51bb8d5010af41c57"
@@ -5200,10 +4937,6 @@ node-pre-gyp@^0.6.39:
     tar "^2.2.1"
     tar-pack "^3.4.0"
 
-node-version@1.1.3:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/node-version/-/node-version-1.1.3.tgz#1081c87cce6d2dbbd61d0e51e28c287782678496"
-
 nomnom@~1.6.2:
   version "1.6.2"
   resolved "https://registry.yarnpkg.com/nomnom/-/nomnom-1.6.2.tgz#84a66a260174408fc5b77a18f888eccc44fb6971"
@@ -5385,16 +5118,6 @@ object.values@^1.0.4:
     function-bind "^1.1.0"
     has "^1.0.1"
 
-on-finished@~2.3.0:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/on-finished/-/on-finished-2.3.0.tgz#20f1336481b083cd75337992a16971aa2d906947"
-  dependencies:
-    ee-first "1.1.1"
-
-on-headers@~1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/on-headers/-/on-headers-1.0.1.tgz#928f5d0f470d49342651ea6794b0857c100693f7"
-
 once@^1.3.0, once@^1.3.1, once@^1.3.2, once@^1.3.3, once@^1.4.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/once/-/once-1.4.0.tgz#583b1aa775961d4b113ac17d9c50baef9dd76bd1"
@@ -5411,16 +5134,6 @@ onetime@^1.0.0:
   version "1.1.0"
   resolved "http://registry.npmjs.org/onetime/-/onetime-1.1.0.tgz#a1f7838f8314c516f05ecefcbc4ccfe04b4ed789"
 
-openssl-self-signed-certificate@1.1.6:
-  version "1.1.6"
-  resolved "https://registry.yarnpkg.com/openssl-self-signed-certificate/-/openssl-self-signed-certificate-1.1.6.tgz#9d3a4776b1a57e9847350392114ad2f915a83dd4"
-
-opn@5.3.0:
-  version "5.3.0"
-  resolved "https://registry.yarnpkg.com/opn/-/opn-5.3.0.tgz#64871565c863875f052cfdf53d3e3cb5adb53b1c"
-  dependencies:
-    is-wsl "^1.1.0"
-
 optimist@^0.6.1:
   version "0.6.1"
   resolved "https://registry.yarnpkg.com/optimist/-/optimist-0.6.1.tgz#da3ea74686fa21a19a111c326e90eb15a0196686"
@@ -5582,7 +5295,7 @@ path-is-absolute@^1.0.0, path-is-absolute@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/path-is-absolute/-/path-is-absolute-1.0.1.tgz#174b9268735534ffbc7ace6bf53a5a9e1b5c5f5f"
 
-path-is-inside@1.0.2, path-is-inside@^1.0.1:
+path-is-inside@^1.0.1:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/path-is-inside/-/path-is-inside-1.0.2.tgz#365417dede44430d1c11af61027facf074bdfc53"
 
@@ -5617,12 +5330,6 @@ path-to-regexp@^1.0.0, path-to-regexp@^1.7.0:
   dependencies:
     isarray "0.0.1"
 
-path-type@3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/path-type/-/path-type-3.0.0.tgz#cef31dc8e0a1a3bb0d105c0cd97cf3bf47f4e36f"
-  dependencies:
-    pify "^3.0.0"
-
 path-type@^1.0.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/path-type/-/path-type-1.1.0.tgz#59c44f7ee491da704da415da5a4070ba4f8fe441"
@@ -5685,10 +5392,6 @@ pify@^2.0.0:
   version "2.3.0"
   resolved "https://registry.yarnpkg.com/pify/-/pify-2.3.0.tgz#ed141a6ac043a849ea588498e7dca8b15330e90c"
 
-pify@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/pify/-/pify-3.0.0.tgz#e5a4acd2c101fdf3d9a4d07f0dbc4db49dd28176"
-
 pinkie-promise@^2.0.0:
   version "2.0.1"
   resolved "https://registry.yarnpkg.com/pinkie-promise/-/pinkie-promise-2.0.1.tgz#2135d6dfa7a358c069ac9b178776288228450ffa"
@@ -5793,10 +5496,6 @@ preserve@^0.2.0:
   version "0.2.0"
   resolved "https://registry.yarnpkg.com/preserve/-/preserve-0.2.0.tgz#815ed1f6ebc65926f865b310c0713bcb3315ce4b"
 
-prettier@^1.11.1:
-  version "1.12.1"
-  resolved "https://registry.yarnpkg.com/prettier/-/prettier-1.12.1.tgz#c1ad20e803e7749faf905a409d2367e06bbe7325"
-
 pretty-format@^22.4.3:
   version "22.4.3"
   resolved "https://registry.yarnpkg.com/pretty-format/-/pretty-format-22.4.3.tgz#f873d780839a9c02e9664c8a082e9ee79eaac16f"
@@ -5969,28 +5668,6 @@ randomatic@^1.1.3:
     is-number "^3.0.0"
     kind-of "^4.0.0"
 
-range-parser@~1.2.0:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.0.tgz#f49be6b487894ddc40dcc94a322f611092e00d5e"
-
-raw-body@2.3.2:
-  version "2.3.2"
-  resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.3.2.tgz#bcd60c77d3eb93cde0050295c3f379389bc88f89"
-  dependencies:
-    bytes "3.0.0"
-    http-errors "1.6.2"
-    iconv-lite "0.4.19"
-    unpipe "1.0.0"
-
-rc@^1.0.1, rc@^1.1.6:
-  version "1.2.6"
-  resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.6.tgz#eb18989c6d4f4f162c399f79ddd29f3835568092"
-  dependencies:
-    deep-extend "~0.4.0"
-    ini "~1.3.0"
-    minimist "^1.2.0"
-    strip-json-comments "~2.0.1"
-
 rc@^1.1.7:
   version "1.2.3"
   resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.3.tgz#51575a900f8dd68381c710b4712c2154c3e2035b"
@@ -6376,19 +6053,6 @@ regexpu-core@^2.0.0:
     regjsgen "^0.2.0"
     regjsparser "^0.1.4"
 
-registry-auth-token@3.3.2:
-  version "3.3.2"
-  resolved "https://registry.yarnpkg.com/registry-auth-token/-/registry-auth-token-3.3.2.tgz#851fd49038eecb586911115af845260eec983f20"
-  dependencies:
-    rc "^1.1.6"
-    safe-buffer "^5.0.1"
-
-registry-url@3.1.0:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/registry-url/-/registry-url-3.1.0.tgz#3d4ef870f73dde1d77f0cf9a381432444e174942"
-  dependencies:
-    rc "^1.0.1"
-
 regjsgen@^0.2.0:
   version "0.2.0"
   resolved "https://registry.yarnpkg.com/regjsgen/-/regjsgen-0.2.0.tgz#6c016adeac554f75823fe37ac05b92d5a4edb1f7"
@@ -6671,7 +6335,7 @@ rxjs@5.3.0:
   dependencies:
     symbol-observable "^1.0.1"
 
-safe-buffer@5.1.1, safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@~5.1.0, safe-buffer@~5.1.1:
+safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@~5.1.0, safe-buffer@~5.1.1:
   version "5.1.1"
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
 
@@ -6733,55 +6397,10 @@ semver@^5.4.1, semver@^5.5.0:
   version "5.5.0"
   resolved "https://registry.yarnpkg.com/semver/-/semver-5.5.0.tgz#dc4bbc7a6ca9d916dee5d43516f0092b58f7b8ab"
 
-send@0.16.2:
-  version "0.16.2"
-  resolved "https://registry.yarnpkg.com/send/-/send-0.16.2.tgz#6ecca1e0f8c156d141597559848df64730a6bbc1"
-  dependencies:
-    debug "2.6.9"
-    depd "~1.1.2"
-    destroy "~1.0.4"
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    etag "~1.8.1"
-    fresh "0.5.2"
-    http-errors "~1.6.2"
-    mime "1.4.1"
-    ms "2.0.0"
-    on-finished "~2.3.0"
-    range-parser "~1.2.0"
-    statuses "~1.4.0"
-
 sequencify@~0.0.7:
   version "0.0.7"
   resolved "https://registry.yarnpkg.com/sequencify/-/sequencify-0.0.7.tgz#90cff19d02e07027fd767f5ead3e7b95d1e7380c"
 
-serve@^6.3.1:
-  version "6.5.6"
-  resolved "https://registry.yarnpkg.com/serve/-/serve-6.5.6.tgz#579136688f80f6bf4a618ca8e8cba10dfb4d95e3"
-  dependencies:
-    args "4.0.0"
-    basic-auth "2.0.0"
-    bluebird "3.5.1"
-    boxen "1.3.0"
-    chalk "2.4.0"
-    clipboardy "1.2.3"
-    dargs "5.1.0"
-    detect-port "1.2.2"
-    filesize "3.6.1"
-    fs-extra "5.0.0"
-    handlebars "4.0.11"
-    ip "1.1.5"
-    micro "9.1.4"
-    micro-compress "1.0.0"
-    mime-types "2.1.18"
-    node-version "1.1.3"
-    openssl-self-signed-certificate "1.1.6"
-    opn "5.3.0"
-    path-is-inside "1.0.2"
-    path-type "3.0.0"
-    send "0.16.2"
-    update-check "1.3.2"
-
 set-blocking@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/set-blocking/-/set-blocking-1.0.0.tgz#cd5e5d938048df1ac92dfe92e1f16add656f5ec5"
@@ -6818,14 +6437,6 @@ setimmediate@^1.0.5:
   version "1.0.5"
   resolved "https://registry.yarnpkg.com/setimmediate/-/setimmediate-1.0.5.tgz#290cbb232e306942d7d7ea9b83732ab7856f8285"
 
-setprototypeof@1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/setprototypeof/-/setprototypeof-1.0.3.tgz#66567e37043eeb4f04d91bd658c0cbefb55b8e04"
-
-setprototypeof@1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/setprototypeof/-/setprototypeof-1.1.0.tgz#d0bd85536887b6fe7c0d818cb962d9d91c54e656"
-
 shallow-copy@~0.0.1:
   version "0.0.1"
   resolved "https://registry.yarnpkg.com/shallow-copy/-/shallow-copy-0.0.1.tgz#415f42702d73d810330292cc5ee86eae1a11a170"
@@ -7074,14 +6685,10 @@ static-module@^1.1.0:
     static-eval "~0.2.0"
     through2 "~0.4.1"
 
-"statuses@>= 1.2.1 < 2", statuses@~1.4.0:
+"statuses@>= 1.2.1 < 2":
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/statuses/-/statuses-1.4.0.tgz#bb73d446da2796106efcc1b601a253d6c46bd087"
 
-"statuses@>= 1.3.1 < 2", "statuses@>= 1.4.0 < 2":
-  version "1.5.0"
-  resolved "https://registry.yarnpkg.com/statuses/-/statuses-1.5.0.tgz#161c7dac177659fd9811f43771fa99381478628c"
-
 stealthy-require@^1.1.0:
   version "1.1.1"
   resolved "https://registry.yarnpkg.com/stealthy-require/-/stealthy-require-1.1.1.tgz#35b09875b4ff49f26a777e509b3090a3226bf24b"
@@ -7339,12 +6946,6 @@ temp@^0.8.3:
     os-tmpdir "^1.0.0"
     rimraf "~2.2.6"
 
-term-size@^1.2.0:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/term-size/-/term-size-1.2.0.tgz#458b83887f288fc56d6fffbfad262e26638efa69"
-  dependencies:
-    execa "^0.7.0"
-
 test-exclude@^4.1.1:
   version "4.1.1"
   resolved "https://registry.yarnpkg.com/test-exclude/-/test-exclude-4.1.1.tgz#4d84964b0966b0087ecc334a2ce002d3d9341e26"
@@ -7648,14 +7249,6 @@ unique-stream@^2.0.2:
     json-stable-stringify "^1.0.0"
     through2-filter "^2.0.0"
 
-universalify@^0.1.0:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/universalify/-/universalify-0.1.1.tgz#fa71badd4437af4c148841e3b3b165f9e9e590b7"
-
-unpipe@1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/unpipe/-/unpipe-1.0.0.tgz#b2bf4ee8514aae6165b4817829d21b2ef49904ec"
-
 unset-value@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/unset-value/-/unset-value-1.0.0.tgz#8376873f7d2335179ffb1e6fc3a8ed0dfc8ab559"
@@ -7663,13 +7256,6 @@ unset-value@^1.0.0:
     has-value "^0.3.1"
     isobject "^3.0.0"
 
-update-check@1.3.2:
-  version "1.3.2"
-  resolved "https://registry.yarnpkg.com/update-check/-/update-check-1.3.2.tgz#460f9e9ab24820367f3edbeb4d4142d9936ff171"
-  dependencies:
-    registry-auth-token "3.3.2"
-    registry-url "3.1.0"
-
 urix@^0.1.0, urix@~0.1.0:
   version "0.1.0"
   resolved "https://registry.yarnpkg.com/urix/-/urix-0.1.0.tgz#da937f7a62e21fec1fd18d49b35c2935067a6c72"
@@ -7732,10 +7318,6 @@ value-or-function@^3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/value-or-function/-/value-or-function-3.0.0.tgz#1c243a50b595c1be54a754bfece8563b9ff8d813"
 
-vary@~1.1.2:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/vary/-/vary-1.1.2.tgz#2299f02c6ded30d4a5961b0b9f74524a18f634fc"
-
 venn.js@0.2.9:
   version "0.2.9"
   resolved "https://registry.yarnpkg.com/venn.js/-/venn.js-0.2.9.tgz#33c29075efa484731d59d884752900cc33033656"
@@ -7934,12 +7516,6 @@ wide-align@^1.1.0:
   dependencies:
     string-width "^1.0.2"
 
-widest-line@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/widest-line/-/widest-line-2.0.0.tgz#0142a4e8a243f8882c0233aa0e0281aa76152273"
-  dependencies:
-    string-width "^2.1.1"
-
 window-size@0.1.0:
   version "0.1.0"
   resolved "https://registry.yarnpkg.com/window-size/-/window-size-0.1.0.tgz#5438cd2ea93b202efa3a19fe8887aee7c94f9c9d"
diff --git a/yarn.lock b/yarn.lock
index c544a9acbb4577..2098dda85233c6 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -77,30 +77,25 @@
   version "0.0.0"
   uid ""
 
-"@elastic/eui@0.0.44", "@elastic/eui@v0.0.44":
-  version "0.0.44"
-  resolved "https://registry.yarnpkg.com/@elastic/eui/-/eui-0.0.44.tgz#b0b58eb1b10d6f8de017f548bb06c5b5f71e3d61"
+"@elastic/eui@0.0.47", "@elastic/eui@v0.0.47":
+  version "0.0.47"
+  resolved "https://registry.yarnpkg.com/@elastic/eui/-/eui-0.0.47.tgz#5bae27966bb1d68bb3106853610a407509053b44"
   dependencies:
     brace "^0.10.0"
     classnames "^2.2.5"
     core-js "^2.5.1"
-    eslint-config-prettier "^2.9.0"
-    eslint-plugin-prettier "^2.6.0"
     focus-trap-react "^3.0.4"
     highlight.js "^9.12.0"
     html "^1.0.0"
-    jquery "^3.2.1"
     keymirror "^0.1.1"
     lodash "^3.10.1"
     numeral "^2.0.6"
-    prettier "^1.11.1"
     prop-types "^15.6.0"
     react-ace "^5.5.0"
     react-color "^2.13.8"
     react-datepicker v1.4.1
     react-input-autosize "^2.2.1"
     react-virtualized "^9.18.5"
-    serve "^6.3.1"
     tabbable "^1.1.0"
     uuid "^3.1.0"
 
@@ -181,14 +176,6 @@
   version "9.4.7"
   resolved "https://registry.yarnpkg.com/@types/node/-/node-9.4.7.tgz#57d81cd98719df2c9de118f2d5f3b1120dcd7275"
 
-"@zeit/check-updates@1.1.0":
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/@zeit/check-updates/-/check-updates-1.1.0.tgz#d0f65026a36f27cd1fd54c647d8294447c1d2d8b"
-  dependencies:
-    chalk "2.3.0"
-    ms "2.1.1"
-    update-notifier "2.3.0"
-
 JSONStream@1.1.1:
   version "1.1.1"
   resolved "https://registry.yarnpkg.com/JSONStream/-/JSONStream-1.1.1.tgz#c98bfd88c8f1e1e8694e53c5baa6c8691553e59a"
@@ -226,13 +213,6 @@ accepts@1.3.3:
     mime-types "~2.1.11"
     negotiator "0.6.1"
 
-accepts@~1.3.4:
-  version "1.3.5"
-  resolved "https://registry.yarnpkg.com/accepts/-/accepts-1.3.5.tgz#eb777df6011723a3b14e8a72c0805c8e86746bd2"
-  dependencies:
-    mime-types "~2.1.18"
-    negotiator "0.6.1"
-
 acorn-dynamic-import@^2.0.0:
   version "2.0.2"
   resolved "https://registry.yarnpkg.com/acorn-dynamic-import/-/acorn-dynamic-import-2.0.2.tgz#c752bd210bef679501b6c6cb7fc84f8f47158cc4"
@@ -281,10 +261,6 @@ add-event-listener@0.0.1:
   version "0.0.1"
   resolved "https://registry.yarnpkg.com/add-event-listener/-/add-event-listener-0.0.1.tgz#a76229ebc64c8aefae204a16273a2f255abea2d0"
 
-address@^1.0.1:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/address/-/address-1.0.3.tgz#b5f50631f8d6cec8bd20c963963afb55e06cbce9"
-
 adm-zip@0.4.7:
   version "0.4.7"
   resolved "https://registry.yarnpkg.com/adm-zip/-/adm-zip-0.4.7.tgz#8606c2cbf1c426ce8c8ec00174447fd49b6eafc1"
@@ -506,10 +482,6 @@ aproba@^1.0.3:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/aproba/-/aproba-1.2.0.tgz#6802e6264efd18c790a1b0d517f0f2627bf2c94a"
 
-arch@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/arch/-/arch-2.1.0.tgz#3613aa46149064b3c1f0607919bf1d4786e82889"
-
 are-we-there-yet@~1.1.2:
   version "1.1.4"
   resolved "https://registry.yarnpkg.com/are-we-there-yet/-/are-we-there-yet-1.1.4.tgz#bb5dca382bb94f05e15194373d16fd3ba1ca110d"
@@ -530,16 +502,6 @@ argparse@~0.1.15:
     underscore "~1.7.0"
     underscore.string "~2.4.0"
 
-args@3.0.8:
-  version "3.0.8"
-  resolved "https://registry.yarnpkg.com/args/-/args-3.0.8.tgz#2f425ab639c69d74ff728f3d7c6e93b97b91af7c"
-  dependencies:
-    camelcase "4.1.0"
-    chalk "2.1.0"
-    mri "1.1.0"
-    pkginfo "0.4.1"
-    string-similarity "1.2.0"
-
 arr-diff@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/arr-diff/-/arr-diff-2.0.0.tgz#8f3b827f955a8bd669697e4a4256ac3ceae356cf"
@@ -1560,12 +1522,6 @@ base@^0.11.1:
     mixin-deep "^1.2.0"
     pascalcase "^0.1.1"
 
-basic-auth@2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/basic-auth/-/basic-auth-2.0.0.tgz#015db3f353e02e56377755f962742e8981e7bbba"
-  dependencies:
-    safe-buffer "5.1.1"
-
 batch-processor@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/batch-processor/-/batch-processor-1.0.0.tgz#75c95c32b748e0850d10c2b168f6bdbe9891ace8"
@@ -1622,14 +1578,14 @@ bluebird@3.4.6:
   version "3.4.6"
   resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.4.6.tgz#01da8d821d87813d158967e743d5fe6c62cf8c0f"
 
-bluebird@3.5.1, bluebird@^3.3.0:
-  version "3.5.1"
-  resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.5.1.tgz#d9551f9de98f1fcda1e683d17ee91a0602ee2eb9"
-
 bluebird@^2.10.0, bluebird@^2.9.24:
   version "2.11.0"
   resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-2.11.0.tgz#534b9033c022c9579c56ba3b3e5a5caafbb650e1"
 
+bluebird@^3.3.0:
+  version "3.5.1"
+  resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.5.1.tgz#d9551f9de98f1fcda1e683d17ee91a0602ee2eb9"
+
 bmp-js@0.0.3:
   version "0.0.3"
   resolved "https://registry.yarnpkg.com/bmp-js/-/bmp-js-0.0.3.tgz#64113e9c7cf1202b376ed607bf30626ebe57b18a"
@@ -1716,7 +1672,7 @@ boom@5.2.0, boom@5.x.x:
   dependencies:
     hoek "4.x.x"
 
-boxen@1.3.0, boxen@^1.2.1, boxen@^1.2.2:
+boxen@^1.2.1, boxen@^1.2.2:
   version "1.3.0"
   resolved "https://registry.yarnpkg.com/boxen/-/boxen-1.3.0.tgz#55c6c39a8ba58d9c61ad22cd877532deb665a20b"
   dependencies:
@@ -2064,10 +2020,6 @@ camelcase-keys@^3.0.0:
     camelcase "^3.0.0"
     map-obj "^1.0.0"
 
-camelcase@4.1.0, camelcase@^4.0.0, camelcase@^4.1.0:
-  version "4.1.0"
-  resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-4.1.0.tgz#d545635be1e33c542649c69173e5de6acfae34dd"
-
 camelcase@^1.0.2:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-1.2.1.tgz#9bb5304d2e0b56698b2c758b08a3eaa9daa58a39"
@@ -2080,6 +2032,10 @@ camelcase@^3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-3.0.0.tgz#32fc4b9fcdaf845fcdf7e73bb97cac2261f0ab0a"
 
+camelcase@^4.0.0, camelcase@^4.1.0:
+  version "4.1.0"
+  resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-4.1.0.tgz#d545635be1e33c542649c69173e5de6acfae34dd"
+
 caniuse-api@^1.5.2:
   version "1.6.1"
   resolved "https://registry.yarnpkg.com/caniuse-api/-/caniuse-api-1.6.1.tgz#b534e7c734c4f81ec5fbe8aca2ad24354b962c6c"
@@ -2139,14 +2095,6 @@ chai@3.5.0, "chai@>=1.9.2 <4.0.0":
     deep-eql "^0.1.3"
     type-detect "^1.0.0"
 
-chalk@2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.1.0.tgz#ac5becf14fa21b99c6c92ca7a7d7cfd5b17e743e"
-  dependencies:
-    ansi-styles "^3.1.0"
-    escape-string-regexp "^1.0.5"
-    supports-color "^4.0.0"
-
 chalk@2.3.0:
   version "2.3.0"
   resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.3.0.tgz#b5ea48efc9c1793dccc9b4767c93914d3f2d52ba"
@@ -2155,14 +2103,6 @@ chalk@2.3.0:
     escape-string-regexp "^1.0.5"
     supports-color "^4.0.0"
 
-chalk@2.3.2, chalk@^2.0.0, chalk@^2.0.1, chalk@^2.1.0, chalk@^2.3.0, chalk@^2.3.1, chalk@^2.3.2:
-  version "2.3.2"
-  resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.3.2.tgz#250dc96b07491bfd601e648d66ddf5f60c7a5c65"
-  dependencies:
-    ansi-styles "^3.2.1"
-    escape-string-regexp "^1.0.5"
-    supports-color "^5.3.0"
-
 chalk@^1.0.0, chalk@^1.1.1, chalk@^1.1.3, chalk@~1.1.1:
   version "1.1.3"
   resolved "https://registry.yarnpkg.com/chalk/-/chalk-1.1.3.tgz#a8115c55e4a702fe4d150abd3872822a7e09fc98"
@@ -2173,6 +2113,14 @@ chalk@^1.0.0, chalk@^1.1.1, chalk@^1.1.3, chalk@~1.1.1:
     strip-ansi "^3.0.0"
     supports-color "^2.0.0"
 
+chalk@^2.0.0, chalk@^2.0.1, chalk@^2.1.0, chalk@^2.3.0, chalk@^2.3.1, chalk@^2.3.2:
+  version "2.3.2"
+  resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.3.2.tgz#250dc96b07491bfd601e648d66ddf5f60c7a5c65"
+  dependencies:
+    ansi-styles "^3.2.1"
+    escape-string-regexp "^1.0.5"
+    supports-color "^5.3.0"
+
 chalk@~0.5.1:
   version "0.5.1"
   resolved "https://registry.yarnpkg.com/chalk/-/chalk-0.5.1.tgz#663b3a648b68b55d04690d49167aa837858f2174"
@@ -2389,13 +2337,6 @@ clipboard@^1.6.1:
     select "^1.1.2"
     tiny-emitter "^2.0.0"
 
-clipboardy@1.2.3:
-  version "1.2.3"
-  resolved "https://registry.yarnpkg.com/clipboardy/-/clipboardy-1.2.3.tgz#0526361bf78724c1f20be248d428e365433c07ef"
-  dependencies:
-    arch "^2.1.0"
-    execa "^0.8.0"
-
 cliui@^2.1.0:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/cliui/-/cliui-2.1.0.tgz#4b475760ff80264c762c3a1719032e91c7fea0d1"
@@ -2607,24 +2548,6 @@ component-inherit@0.0.3:
   version "0.0.3"
   resolved "https://registry.yarnpkg.com/component-inherit/-/component-inherit-0.0.3.tgz#645fc4adf58b72b649d5cae65135619db26ff143"
 
-compressible@~2.0.13:
-  version "2.0.13"
-  resolved "https://registry.yarnpkg.com/compressible/-/compressible-2.0.13.tgz#0d1020ab924b2fdb4d6279875c7d6daba6baa7a9"
-  dependencies:
-    mime-db ">= 1.33.0 < 2"
-
-compression@^1.6.2:
-  version "1.7.2"
-  resolved "http://registry.npmjs.org/compression/-/compression-1.7.2.tgz#aaffbcd6aaf854b44ebb280353d5ad1651f59a69"
-  dependencies:
-    accepts "~1.3.4"
-    bytes "3.0.0"
-    compressible "~2.0.13"
-    debug "2.6.9"
-    on-headers "~1.0.1"
-    safe-buffer "5.1.1"
-    vary "~1.1.2"
-
 concat-map@0.0.1:
   version "0.0.1"
   resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b"
@@ -2739,7 +2662,7 @@ content-type-parser@^1.0.1, content-type-parser@^1.0.2:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/content-type-parser/-/content-type-parser-1.0.2.tgz#caabe80623e63638b2502fd4c7f12ff4ce2352e7"
 
-content-type@1.0.4, content-type@~1.0.1, content-type@~1.0.4:
+content-type@~1.0.1, content-type@~1.0.4:
   version "1.0.4"
   resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.4.tgz#e138cc75e040c727b1966fe5e5f8c9aee256fe3b"
 
@@ -3301,10 +3224,6 @@ d@1:
   dependencies:
     es5-ext "^0.10.9"
 
-dargs@5.1.0:
-  version "5.1.0"
-  resolved "https://registry.yarnpkg.com/dargs/-/dargs-5.1.0.tgz#ec7ea50c78564cd36c9d5ec18f66329fade27829"
-
 dashdash@^1.12.0:
   version "1.14.1"
   resolved "https://registry.yarnpkg.com/dashdash/-/dashdash-1.14.1.tgz#853cfa0f7cbe2fed5de20326b8dd581035f6e2f0"
@@ -3352,7 +3271,7 @@ debug@2.6.0:
   dependencies:
     ms "0.7.2"
 
-debug@2.6.9, debug@2.X, debug@^2.1.1, debug@^2.2.0, debug@^2.3.3, debug@^2.6.0, debug@^2.6.6, debug@^2.6.8, debug@^2.6.9:
+debug@2.6.9, debug@2.X, debug@^2.1.1, debug@^2.2.0, debug@^2.3.3, debug@^2.6.6, debug@^2.6.8, debug@^2.6.9:
   version "2.6.9"
   resolved "https://registry.yarnpkg.com/debug/-/debug-2.6.9.tgz#5d128515df134ff327e90a4c93f4e077a536341f"
   dependencies:
@@ -3531,7 +3450,7 @@ depd@~1.0.0:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/depd/-/depd-1.0.1.tgz#80aec64c9d6d97e65cc2a9caa93c0aa6abf73aaa"
 
-depd@~1.1.0, depd@~1.1.1, depd@~1.1.2:
+depd@~1.1.0, depd@~1.1.1:
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/depd/-/depd-1.1.2.tgz#9bcd52e14c097763e749b274c4346ed2e560b5a9"
 
@@ -3542,10 +3461,6 @@ des.js@^1.0.0:
     inherits "^2.0.1"
     minimalistic-assert "^1.0.0"
 
-destroy@~1.0.4:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/destroy/-/destroy-1.0.4.tgz#978857442c44749e4206613e37946205826abd80"
-
 detect-indent@^4.0.0:
   version "4.0.0"
   resolved "https://registry.yarnpkg.com/detect-indent/-/detect-indent-4.0.0.tgz#f76d064352cdf43a1cb6ce619c4ee3a9475de208"
@@ -3560,13 +3475,6 @@ detect-newline@2.X, detect-newline@^2.1.0:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/detect-newline/-/detect-newline-2.1.0.tgz#f41f1c10be4b00e87b5f13da680759f2c5bfd3e2"
 
-detect-port@1.2.2:
-  version "1.2.2"
-  resolved "https://registry.yarnpkg.com/detect-port/-/detect-port-1.2.2.tgz#57a44533632d8bc74ad255676866ca43f96c7469"
-  dependencies:
-    address "^1.0.1"
-    debug "^2.6.0"
-
 dezalgo@^1.0.0:
   version "1.0.3"
   resolved "https://registry.yarnpkg.com/dezalgo/-/dezalgo-1.0.3.tgz#7f742de066fc748bc8db820569dddce49bf0d456"
@@ -3845,7 +3753,7 @@ encode-uri-query@1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/encode-uri-query/-/encode-uri-query-1.0.0.tgz#d632be4aafe8316c6145007ffb2844c5312b194c"
 
-encodeurl@~1.0.1, encodeurl@~1.0.2:
+encodeurl@~1.0.1:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/encodeurl/-/encodeurl-1.0.2.tgz#ad3ff4c86ec2d029322f5a02c3a9a606c95b3f59"
 
@@ -4364,10 +4272,6 @@ esutils@~1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/esutils/-/esutils-1.0.0.tgz#8151d358e20c8acc7fb745e7472c0025fe496570"
 
-etag@~1.8.1:
-  version "1.8.1"
-  resolved "https://registry.yarnpkg.com/etag/-/etag-1.8.1.tgz#41ae2eeb65efa62268aebfea83ac7d79299b0887"
-
 even-better@7.0.2:
   version "7.0.2"
   resolved "https://registry.yarnpkg.com/even-better/-/even-better-7.0.2.tgz#d056f429c90ecc20ee9494aca0a751f743504d2e"
@@ -4446,18 +4350,6 @@ execa@^0.7.0:
     signal-exit "^3.0.0"
     strip-eof "^1.0.0"
 
-execa@^0.8.0:
-  version "0.8.0"
-  resolved "https://registry.yarnpkg.com/execa/-/execa-0.8.0.tgz#d8d76bbc1b55217ed190fd6dd49d3c774ecfc8da"
-  dependencies:
-    cross-spawn "^5.0.1"
-    get-stream "^3.0.0"
-    is-stream "^1.1.0"
-    npm-run-path "^2.0.0"
-    p-finally "^1.0.0"
-    signal-exit "^3.0.0"
-    strip-eof "^1.0.0"
-
 execa@^0.9.0:
   version "0.9.0"
   resolved "https://registry.yarnpkg.com/execa/-/execa-0.9.0.tgz#adb7ce62cf985071f60580deb4a88b9e34712d01"
@@ -4773,10 +4665,6 @@ fileset@^2.0.2:
     glob "^7.0.3"
     minimatch "^3.0.3"
 
-filesize@3.6.0:
-  version "3.6.0"
-  resolved "https://registry.yarnpkg.com/filesize/-/filesize-3.6.0.tgz#22d079615624bb6fd3c04026120628a41b3f4efa"
-
 fill-keys@^1.0.2:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/fill-keys/-/fill-keys-1.0.2.tgz#9a8fa36f4e8ad634e3bf6b4f3c8882551452eb20"
@@ -4971,10 +4859,6 @@ fragment-cache@^0.2.1:
   dependencies:
     map-cache "^0.2.2"
 
-fresh@0.5.2:
-  version "0.5.2"
-  resolved "https://registry.yarnpkg.com/fresh/-/fresh-0.5.2.tgz#3d8cadd90d976569fa835ab1f8e4b23a105605a7"
-
 from@^0.1.3, from@~0:
   version "0.1.7"
   resolved "https://registry.yarnpkg.com/from/-/from-0.1.7.tgz#83c60afc58b9c56997007ed1a768b3ab303a44fe"
@@ -4997,14 +4881,6 @@ fs-extra@4.0.3, fs-extra@^4.0.1:
     jsonfile "^4.0.0"
     universalify "^0.1.0"
 
-fs-extra@5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-5.0.0.tgz#414d0110cdd06705734d055652c5411260c31abd"
-  dependencies:
-    graceful-fs "^4.1.2"
-    jsonfile "^4.0.0"
-    universalify "^0.1.0"
-
 fs-extra@^3.0.1:
   version "3.0.1"
   resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-3.0.1.tgz#3794f378c58b342ea7dbbb23095109c4b3b62291"
@@ -5630,9 +5506,9 @@ h2o2@5.1.1:
     joi "9.X.X"
     wreck "9.X.X"
 
-handlebars@4.0.11, handlebars@^4.0.1, handlebars@^4.0.3:
-  version "4.0.11"
-  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.0.11.tgz#630a35dfe0294bc281edae6ffc5d329fc7982dcc"
+handlebars@4.0.5:
+  version "4.0.5"
+  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.0.5.tgz#92c6ed6bb164110c50d4d8d0fbddc70806c6f8e7"
   dependencies:
     async "^1.4.0"
     optimist "^0.6.1"
@@ -5640,9 +5516,9 @@ handlebars@4.0.11, handlebars@^4.0.1, handlebars@^4.0.3:
   optionalDependencies:
     uglify-js "^2.6"
 
-handlebars@4.0.5:
-  version "4.0.5"
-  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.0.5.tgz#92c6ed6bb164110c50d4d8d0fbddc70806c6f8e7"
+handlebars@^4.0.1, handlebars@^4.0.3:
+  version "4.0.11"
+  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.0.11.tgz#630a35dfe0294bc281edae6ffc5d329fc7982dcc"
   dependencies:
     async "^1.4.0"
     optimist "^0.6.1"
@@ -6250,10 +6126,6 @@ ip-regex@^1.0.1:
   version "1.0.3"
   resolved "https://registry.yarnpkg.com/ip-regex/-/ip-regex-1.0.3.tgz#dc589076f659f419c222039a33316f1c7387effd"
 
-ip@1.1.5:
-  version "1.1.5"
-  resolved "https://registry.yarnpkg.com/ip/-/ip-1.1.5.tgz#bdded70114290828c0a039e72ef25f5aaec4354a"
-
 iron@4.x.x:
   version "4.0.5"
   resolved "https://registry.yarnpkg.com/iron/-/iron-4.0.5.tgz#4f042cceb8b9738f346b59aa734c83a89bc31428"
@@ -6600,7 +6472,7 @@ is-retry-allowed@^1.0.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/is-retry-allowed/-/is-retry-allowed-1.1.0.tgz#11a060568b67339444033d0125a61a20d564fb34"
 
-is-stream@1.1.0, is-stream@^1.0.0, is-stream@^1.0.1, is-stream@^1.1.0:
+is-stream@^1.0.0, is-stream@^1.0.1, is-stream@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/is-stream/-/is-stream-1.1.0.tgz#12d4a3dd4e68e0b79ceb8dbc84173ae80d91ca44"
 
@@ -6658,10 +6530,6 @@ is-word-character@^1.0.0:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/is-word-character/-/is-word-character-1.0.1.tgz#5a03fa1ea91ace8a6eb0c7cd770eb86d65c8befb"
 
-is-wsl@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/is-wsl/-/is-wsl-1.1.0.tgz#1f16e4aa22b04d1336b66188a66af3c600c3a66d"
-
 isarray@0.0.1:
   version "0.0.1"
   resolved "https://registry.yarnpkg.com/isarray/-/isarray-0.0.1.tgz#8a18acfca9a8f4177e09abfc6038939b05d1eedf"
@@ -7336,7 +7204,7 @@ jpeg-js@^0.2.0:
   version "0.2.0"
   resolved "https://registry.yarnpkg.com/jpeg-js/-/jpeg-js-0.2.0.tgz#53e448ec9d263e683266467e9442d2c5a2ef5482"
 
-jquery@^3.1.1, jquery@^3.2.1, jquery@^3.3.1:
+jquery@^3.1.1, jquery@^3.3.1:
   version "3.3.1"
   resolved "https://registry.yarnpkg.com/jquery/-/jquery-3.3.1.tgz#958ce29e81c9790f31be7792df5d4d95fc57fbca"
 
@@ -8421,21 +8289,6 @@ methods@^1.1.1, methods@~1.1.2:
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/methods/-/methods-1.1.2.tgz#5529a4d67654134edcc5266656835b0f851afcee"
 
-micro-compress@1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/micro-compress/-/micro-compress-1.0.0.tgz#53f5a80b4ad0320ca165a559b6e3df145d4f704f"
-  dependencies:
-    compression "^1.6.2"
-
-micro@9.1.0:
-  version "9.1.0"
-  resolved "https://registry.yarnpkg.com/micro/-/micro-9.1.0.tgz#f2effba306639076e994c007c327dfc36a5185e9"
-  dependencies:
-    content-type "1.0.4"
-    is-stream "1.1.0"
-    mri "1.1.0"
-    raw-body "2.3.2"
-
 micromatch@^2.1.5, micromatch@^2.3.11:
   version "2.3.11"
   resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-2.3.11.tgz#86677c97d1720b363431d04d0d15293bd38c1565"
@@ -8479,11 +8332,11 @@ miller-rabin@^4.0.0:
     bn.js "^4.0.0"
     brorand "^1.0.1"
 
-mime-db@1.x.x, "mime-db@>= 1.33.0 < 2", mime-db@~1.33.0:
+mime-db@1.x.x, mime-db@~1.33.0:
   version "1.33.0"
   resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.33.0.tgz#a3492050a5cb9b63450541e39d9788d2272783db"
 
-mime-types@2.1.18, mime-types@^2.1.12, mime-types@~2.1.11, mime-types@~2.1.17, mime-types@~2.1.18, mime-types@~2.1.7:
+mime-types@^2.1.12, mime-types@~2.1.11, mime-types@~2.1.17, mime-types@~2.1.18, mime-types@~2.1.7:
   version "2.1.18"
   resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.18.tgz#6f323f60a83d11146f831ff11fd66e2fe5503bb8"
   dependencies:
@@ -8493,10 +8346,6 @@ mime@1.3.x:
   version "1.3.6"
   resolved "https://registry.yarnpkg.com/mime/-/mime-1.3.6.tgz#591d84d3653a6b0b4a3b9df8de5aa8108e72e5e0"
 
-mime@1.4.1:
-  version "1.4.1"
-  resolved "https://registry.yarnpkg.com/mime/-/mime-1.4.1.tgz#121f9ebc49e3766f311a76e1fa1c8003c4b03aa6"
-
 mime@^1.2.11, mime@^1.3.4, mime@^1.4.1:
   version "1.6.0"
   resolved "https://registry.yarnpkg.com/mime/-/mime-1.6.0.tgz#32cd9e5c64553bd58d19a568af452acff04981b1"
@@ -8656,10 +8505,6 @@ moment@2.x.x, "moment@>= 2.9.0", moment@^2.10.6, moment@^2.13.0, moment@^2.20.1:
   version "2.21.0"
   resolved "https://registry.yarnpkg.com/moment/-/moment-2.21.0.tgz#2a114b51d2a6ec9e6d83cf803f838a878d8a023a"
 
-mri@1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/mri/-/mri-1.1.0.tgz#5c0a3f29c8ccffbbb1ec941dcec09d71fa32f36a"
-
 ms@0.7.0:
   version "0.7.0"
   resolved "https://registry.yarnpkg.com/ms/-/ms-0.7.0.tgz#865be94c2e7397ad8a57da6a633a6e2f30798b83"
@@ -8676,7 +8521,7 @@ ms@2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/ms/-/ms-2.0.0.tgz#5608aeadfc00be6c2901df5f9861788de0d597c8"
 
-ms@2.1.1, ms@^2.0.0:
+ms@^2.0.0:
   version "2.1.1"
   resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.1.tgz#30a5864eb3ebb0a66f2ebe6d727af06a09d86e0a"
 
@@ -8879,10 +8724,6 @@ node-status-codes@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/node-status-codes/-/node-status-codes-1.0.0.tgz#5ae5541d024645d32a58fcddc9ceecea7ae3ac2f"
 
-node-version@1.1.0:
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/node-version/-/node-version-1.1.0.tgz#f437d7ba407e65e2c4eaef8887b1718ba523d4f0"
-
 nomnom@~1.6.2:
   version "1.6.2"
   resolved "https://registry.yarnpkg.com/nomnom/-/nomnom-1.6.2.tgz#84a66a260174408fc5b77a18f888eccc44fb6971"
@@ -9106,10 +8947,6 @@ on-finished@~2.3.0:
   dependencies:
     ee-first "1.1.1"
 
-on-headers@~1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/on-headers/-/on-headers-1.0.1.tgz#928f5d0f470d49342651ea6794b0857c100693f7"
-
 once@1.x, once@^1.3.0, once@^1.3.1, once@^1.3.2, once@^1.3.3, once@^1.4.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/once/-/once-1.4.0.tgz#583b1aa775961d4b113ac17d9c50baef9dd76bd1"
@@ -9126,16 +8963,6 @@ onetime@^2.0.0:
   dependencies:
     mimic-fn "^1.0.0"
 
-openssl-self-signed-certificate@1.1.6:
-  version "1.1.6"
-  resolved "https://registry.yarnpkg.com/openssl-self-signed-certificate/-/openssl-self-signed-certificate-1.1.6.tgz#9d3a4776b1a57e9847350392114ad2f915a83dd4"
-
-opn@5.2.0:
-  version "5.2.0"
-  resolved "https://registry.yarnpkg.com/opn/-/opn-5.2.0.tgz#71fdf934d6827d676cecbea1531f95d354641225"
-  dependencies:
-    is-wsl "^1.1.0"
-
 optimist@^0.6.1, optimist@~0.6.1:
   version "0.6.1"
   resolved "https://registry.yarnpkg.com/optimist/-/optimist-0.6.1.tgz#da3ea74686fa21a19a111c326e90eb15a0196686"
@@ -9387,7 +9214,7 @@ path-is-absolute@^1.0.0, path-is-absolute@^1.0.1, path-is-absolute@~1.0.0:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/path-is-absolute/-/path-is-absolute-1.0.1.tgz#174b9268735534ffbc7ace6bf53a5a9e1b5c5f5f"
 
-path-is-inside@1.0.2, path-is-inside@^1.0.1, path-is-inside@^1.0.2:
+path-is-inside@^1.0.1, path-is-inside@^1.0.2:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/path-is-inside/-/path-is-inside-1.0.2.tgz#365417dede44430d1c11af61027facf074bdfc53"
 
@@ -9412,12 +9239,6 @@ path-to-regexp@^1.0.0, path-to-regexp@^1.7.0:
   dependencies:
     isarray "0.0.1"
 
-path-type@3.0.0, path-type@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/path-type/-/path-type-3.0.0.tgz#cef31dc8e0a1a3bb0d105c0cd97cf3bf47f4e36f"
-  dependencies:
-    pify "^3.0.0"
-
 path-type@^1.0.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/path-type/-/path-type-1.1.0.tgz#59c44f7ee491da704da415da5a4070ba4f8fe441"
@@ -9432,6 +9253,12 @@ path-type@^2.0.0:
   dependencies:
     pify "^2.0.0"
 
+path-type@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/path-type/-/path-type-3.0.0.tgz#cef31dc8e0a1a3bb0d105c0cd97cf3bf47f4e36f"
+  dependencies:
+    pify "^3.0.0"
+
 pause-stream@0.0.11:
   version "0.0.11"
   resolved "https://registry.yarnpkg.com/pause-stream/-/pause-stream-0.0.11.tgz#fe5a34b0cbce12b5aa6a2b403ee2e73b602f1445"
@@ -9564,10 +9391,6 @@ pkg-up@^2.0.0:
   dependencies:
     find-up "^2.1.0"
 
-pkginfo@0.4.1:
-  version "0.4.1"
-  resolved "https://registry.yarnpkg.com/pkginfo/-/pkginfo-0.4.1.tgz#b5418ef0439de5425fc4995042dced14fb2a84ff"
-
 plugin-error@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/plugin-error/-/plugin-error-1.0.1.tgz#77016bd8919d0ac377fdcdd0322328953ca5781c"
@@ -9903,10 +9726,6 @@ preserve@^0.2.0:
   version "0.2.0"
   resolved "https://registry.yarnpkg.com/preserve/-/preserve-0.2.0.tgz#815ed1f6ebc65926f865b310c0713bcb3315ce4b"
 
-prettier@^1.11.1:
-  version "1.11.1"
-  resolved "https://registry.yarnpkg.com/prettier/-/prettier-1.11.1.tgz#61e43fc4cd44e68f2b0dfc2c38cd4bb0fccdcc75"
-
 prettier@^1.12.1:
   version "1.12.1"
   resolved "https://registry.yarnpkg.com/prettier/-/prettier-1.12.1.tgz#c1ad20e803e7749faf905a409d2367e06bbe7325"
@@ -10181,7 +10000,7 @@ randomfill@^1.0.3:
     randombytes "^2.0.5"
     safe-buffer "^5.1.0"
 
-range-parser@^1.2.0, range-parser@~1.2.0:
+range-parser@^1.2.0:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.0.tgz#f49be6b487894ddc40dcc94a322f611092e00d5e"
 
@@ -11109,7 +10928,7 @@ rxjs@5.4.3:
   dependencies:
     symbol-observable "^1.0.1"
 
-safe-buffer@5.1.1, safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@~5.1.0, safe-buffer@~5.1.1:
+safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@~5.1.0, safe-buffer@~5.1.1:
   version "5.1.1"
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
 
@@ -11226,51 +11045,6 @@ semver@~4.3.3:
   version "4.3.6"
   resolved "https://registry.yarnpkg.com/semver/-/semver-4.3.6.tgz#300bc6e0e86374f7ba61068b5b1ecd57fc6532da"
 
-send@0.16.2:
-  version "0.16.2"
-  resolved "https://registry.yarnpkg.com/send/-/send-0.16.2.tgz#6ecca1e0f8c156d141597559848df64730a6bbc1"
-  dependencies:
-    debug "2.6.9"
-    depd "~1.1.2"
-    destroy "~1.0.4"
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    etag "~1.8.1"
-    fresh "0.5.2"
-    http-errors "~1.6.2"
-    mime "1.4.1"
-    ms "2.0.0"
-    on-finished "~2.3.0"
-    range-parser "~1.2.0"
-    statuses "~1.4.0"
-
-serve@^6.3.1:
-  version "6.5.3"
-  resolved "https://registry.yarnpkg.com/serve/-/serve-6.5.3.tgz#39ae7b7ff5934a9ca93ba7235344eb34b726cc48"
-  dependencies:
-    "@zeit/check-updates" "1.1.0"
-    args "3.0.8"
-    basic-auth "2.0.0"
-    bluebird "3.5.1"
-    boxen "1.3.0"
-    chalk "2.3.2"
-    clipboardy "1.2.3"
-    dargs "5.1.0"
-    detect-port "1.2.2"
-    filesize "3.6.0"
-    fs-extra "5.0.0"
-    handlebars "4.0.11"
-    ip "1.1.5"
-    micro "9.1.0"
-    micro-compress "1.0.0"
-    mime-types "2.1.18"
-    node-version "1.1.0"
-    openssl-self-signed-certificate "1.1.6"
-    opn "5.2.0"
-    path-is-inside "1.0.2"
-    path-type "3.0.0"
-    send "0.16.2"
-
 set-blocking@^2.0.0, set-blocking@~2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/set-blocking/-/set-blocking-2.0.0.tgz#045f9782d011ae9a6803ddd382b24392b3d890f7"
@@ -11745,7 +11519,7 @@ static-module@^2.2.0:
     static-eval "^2.0.0"
     through2 "~2.0.3"
 
-statuses@1, "statuses@>= 1.2.1 < 2", "statuses@>= 1.3.1 < 2", statuses@~1.4.0:
+statuses@1, "statuses@>= 1.2.1 < 2", "statuses@>= 1.3.1 < 2":
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/statuses/-/statuses-1.4.0.tgz#bb73d446da2796106efcc1b601a253d6c46bd087"
 
@@ -11817,12 +11591,6 @@ string-length@^2.0.0:
     astral-regex "^1.0.0"
     strip-ansi "^4.0.0"
 
-string-similarity@1.2.0:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/string-similarity/-/string-similarity-1.2.0.tgz#d75153cb383846318b7a39a8d9292bb4db4e9c30"
-  dependencies:
-    lodash "^4.13.1"
-
 string-width@^1.0.1, string-width@^1.0.2:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/string-width/-/string-width-1.0.2.tgz#118bdf5b8cdc51a2a7e70d211e07e2b0b9b107d3"
@@ -12720,7 +12488,19 @@ upath@^1.0.0:
   version "1.0.4"
   resolved "https://registry.yarnpkg.com/upath/-/upath-1.0.4.tgz#ee2321ba0a786c50973db043a50b7bcba822361d"
 
-update-notifier@2.3.0, update-notifier@^2.2.0:
+update-notifier@^0.5.0:
+  version "0.5.0"
+  resolved "https://registry.yarnpkg.com/update-notifier/-/update-notifier-0.5.0.tgz#07b5dc2066b3627ab3b4f530130f7eddda07a4cc"
+  dependencies:
+    chalk "^1.0.0"
+    configstore "^1.0.0"
+    is-npm "^1.0.0"
+    latest-version "^1.0.0"
+    repeating "^1.1.2"
+    semver-diff "^2.0.0"
+    string-length "^1.0.0"
+
+update-notifier@^2.2.0:
   version "2.3.0"
   resolved "https://registry.yarnpkg.com/update-notifier/-/update-notifier-2.3.0.tgz#4e8827a6bb915140ab093559d7014e3ebb837451"
   dependencies:
@@ -12734,18 +12514,6 @@ update-notifier@2.3.0, update-notifier@^2.2.0:
     semver-diff "^2.0.0"
     xdg-basedir "^3.0.0"
 
-update-notifier@^0.5.0:
-  version "0.5.0"
-  resolved "https://registry.yarnpkg.com/update-notifier/-/update-notifier-0.5.0.tgz#07b5dc2066b3627ab3b4f530130f7eddda07a4cc"
-  dependencies:
-    chalk "^1.0.0"
-    configstore "^1.0.0"
-    is-npm "^1.0.0"
-    latest-version "^1.0.0"
-    repeating "^1.1.2"
-    semver-diff "^2.0.0"
-    string-length "^1.0.0"
-
 urix@^0.1.0, urix@~0.1.0:
   version "0.1.0"
   resolved "https://registry.yarnpkg.com/urix/-/urix-0.1.0.tgz#da937f7a62e21fec1fd18d49b35c2935067a6c72"
@@ -12857,10 +12625,6 @@ value-or-function@^3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/value-or-function/-/value-or-function-3.0.0.tgz#1c243a50b595c1be54a754bfece8563b9ff8d813"
 
-vary@~1.1.2:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/vary/-/vary-1.1.2.tgz#2299f02c6ded30d4a5961b0b9f74524a18f634fc"
-
 vega-canvas@1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/vega-canvas/-/vega-canvas-1.0.1.tgz#22cfa510af0cfbd920fc6af8b6111d3de5e63c44"

From 7db020ee69fd7ff8075be29a65e145583b16f726 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Mon, 21 May 2018 11:55:14 -0400
Subject: [PATCH 016/183] [Spaces] Create Default Space on startup (#19177)

When Kibana starts, a Default Space will be created if one does not already exist. The Default Space will contain all objects that are not currently assigned to any other space (i.e., objects created prior to Spaces being enabled, or objects created directly within the Default Space).

To enable this, this PR also introduces the concept of Reserved Spaces, which is denoted by a `_reserved` property on the `space` object. Reserved Spaces:
1. Cannot be deleted
2. Cannot have their URL Context Changed

This PR does not address:
1. Disabling the UI for reserved roles - this will be enabled via https://github.com/elastic/kibana/pull/19035 once this PR is merged into it.
---
 x-pack/plugins/spaces/common/constants.js     |   7 +
 .../spaces/common/is_reserved_space.js        |  17 ++
 .../spaces/common/is_reserved_space.test.js   |  25 ++
 x-pack/plugins/spaces/index.js                |   3 +
 x-pack/plugins/spaces/mappings.json           |  11 +-
 .../spaces/server/lib/create_default_space.js |  43 +++
 .../server/lib/create_default_space.test.js   |  98 +++++++
 .../server/lib/space_request_interceptors.js  |  24 +-
 .../lib/space_request_interceptors.test.js    | 254 ++++++++++++++++++
 .../plugins/spaces/server/lib/space_schema.js |   3 +-
 .../spaces/server/routes/api/v1/spaces.js     |  36 ++-
 .../server/routes/api/v1/spaces.test.js       | 151 +++++++++++
 12 files changed, 666 insertions(+), 6 deletions(-)
 create mode 100644 x-pack/plugins/spaces/common/constants.js
 create mode 100644 x-pack/plugins/spaces/common/is_reserved_space.js
 create mode 100644 x-pack/plugins/spaces/common/is_reserved_space.test.js
 create mode 100644 x-pack/plugins/spaces/server/lib/create_default_space.js
 create mode 100644 x-pack/plugins/spaces/server/lib/create_default_space.test.js
 create mode 100644 x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
 create mode 100644 x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js

diff --git a/x-pack/plugins/spaces/common/constants.js b/x-pack/plugins/spaces/common/constants.js
new file mode 100644
index 00000000000000..40e064ef983593
--- /dev/null
+++ b/x-pack/plugins/spaces/common/constants.js
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const DEFAULT_SPACE_ID = `default`;
diff --git a/x-pack/plugins/spaces/common/is_reserved_space.js b/x-pack/plugins/spaces/common/is_reserved_space.js
new file mode 100644
index 00000000000000..7fe0a647268863
--- /dev/null
+++ b/x-pack/plugins/spaces/common/is_reserved_space.js
@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { get } from 'lodash';
+
+/**
+ * Returns whether the given Space is reserved or not.
+ *
+ * @param space the space
+ * @returns boolean
+ */
+export function isReservedSpace(space) {
+  return get(space, '_reserved', false);
+}
diff --git a/x-pack/plugins/spaces/common/is_reserved_space.test.js b/x-pack/plugins/spaces/common/is_reserved_space.test.js
new file mode 100644
index 00000000000000..a2d610199ba38a
--- /dev/null
+++ b/x-pack/plugins/spaces/common/is_reserved_space.test.js
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { isReservedSpace } from './is_reserved_space';
+
+test('it returns true for reserved spaces', () => {
+  const space = {
+    _reserved: true
+  };
+
+  expect(isReservedSpace(space)).toEqual(true);
+});
+
+test('it returns false for non-reserved spaces', () => {
+  const space = {};
+
+  expect(isReservedSpace(space)).toEqual(false);
+});
+
+test('it handles empty imput', () => {
+  expect(isReservedSpace()).toEqual(false);
+});
diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index 0bca945be795fb..603b8ddb22e11c 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -9,6 +9,7 @@ import { validateConfig } from './server/lib/validate_config';
 import { checkLicense } from './server/lib/check_license';
 import { initSpacesApi } from './server/routes/api/v1/spaces';
 import { initSpacesRequestInterceptors } from './server/lib/space_request_interceptors';
+import { createDefaultSpace } from './server/lib/create_default_space';
 import { mirrorPluginStatus } from '../../server/lib/mirror_plugin_status';
 import { getActiveSpace } from './server/lib/get_active_space';
 import { wrapError } from './server/lib/errors';
@@ -76,5 +77,7 @@ export const spaces = (kibana) => new kibana.Plugin({
     initSpacesApi(server);
 
     initSpacesRequestInterceptors(server);
+
+    await createDefaultSpace(server);
   }
 });
diff --git a/x-pack/plugins/spaces/mappings.json b/x-pack/plugins/spaces/mappings.json
index 2a26218cd48fb2..0f7ea917e12ef8 100644
--- a/x-pack/plugins/spaces/mappings.json
+++ b/x-pack/plugins/spaces/mappings.json
@@ -5,13 +5,22 @@
   "space": {
     "properties": {
       "name": {
-        "type": "text"
+        "type": "text",
+        "fields": {
+          "keyword": {
+            "type": "keyword",
+            "ignore_above": 2048
+          }
+        }
       },
       "urlContext": {
         "type": "keyword"
       },
       "description": {
         "type": "text"
+      },
+      "_reserved": {
+        "type": "boolean"
       }
     }
   }
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.js b/x-pack/plugins/spaces/server/lib/create_default_space.js
new file mode 100644
index 00000000000000..a58307152412a2
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.js
@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { getClient } from '../../../../server/lib/get_client_shield';
+import { DEFAULT_SPACE_ID } from '../../common/constants';
+
+export async function createDefaultSpace(server) {
+  const { callWithInternalUser: callCluster } = getClient(server);
+
+  const savedObjectsClient = server.savedObjectsClientFactory({ callCluster });
+
+  const defaultSpaceExists = await doesDefaultSpaceExist(savedObjectsClient);
+
+  if (defaultSpaceExists) {
+    return;
+  }
+
+  const options = {
+    id: DEFAULT_SPACE_ID
+  };
+
+  await savedObjectsClient.create('space', {
+    name: 'Default Space',
+    description: 'This is your Default Space!',
+    urlContext: '',
+    _reserved: true
+  }, options);
+}
+
+async function doesDefaultSpaceExist(savedObjectsClient) {
+  try {
+    await savedObjectsClient.get('space', DEFAULT_SPACE_ID);
+    return true;
+  } catch (e) {
+    if (savedObjectsClient.errors.isNotFoundError(e)) {
+      return false;
+    }
+    throw e;
+  }
+}
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.test.js b/x-pack/plugins/spaces/server/lib/create_default_space.test.js
new file mode 100644
index 00000000000000..1d127955b9e1a7
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.test.js
@@ -0,0 +1,98 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import Boom from 'boom';
+import { getClient } from '../../../../server/lib/get_client_shield';
+import { createDefaultSpace } from './create_default_space';
+
+jest.mock('../../../../server/lib/get_client_shield', () => ({
+  getClient: jest.fn()
+}));
+
+let mockCallWithRequest;
+beforeEach(() => {
+  mockCallWithRequest = jest.fn();
+  getClient.mockReturnValue({
+    callWithRequest: mockCallWithRequest
+  });
+});
+
+const createMockServer = (settings = {}) => {
+
+  const {
+    defaultExists = false
+  } = settings;
+
+  const mockServer = {
+    config: jest.fn().mockReturnValue({
+      get: jest.fn()
+    }),
+    savedObjectsClientFactory: jest.fn().mockReturnValue({
+      get: jest.fn().mockImplementation(() => {
+        if (defaultExists) {
+          return;
+        }
+        throw Boom.notFound('unit test: default space not found');
+      }),
+      create: jest.fn().mockReturnValue(),
+      errors: {
+        isNotFoundError: (e) => e.message === 'unit test: default space not found'
+      }
+    })
+  };
+
+  mockServer.config().get.mockImplementation(key => {
+    return settings[key];
+  });
+
+  return mockServer;
+};
+
+test(`it creates the default space when one does not exist`, async () => {
+  const server = createMockServer({
+    defaultExists: false
+  });
+
+  await createDefaultSpace(server);
+
+  const client = server.savedObjectsClientFactory();
+
+  expect(client.get).toHaveBeenCalledTimes(1);
+  expect(client.create).toHaveBeenCalledTimes(1);
+  expect(client.create).toHaveBeenCalledWith(
+    'space',
+    { "_reserved": true, "description": "This is your Default Space!", "name": "Default Space", "urlContext": "" },
+    { "id": "default" }
+  );
+});
+
+test(`it does not attempt to recreate the default space if it already exists`, async () => {
+  const server = createMockServer({
+    defaultExists: true
+  });
+
+  await createDefaultSpace(server);
+
+  const client = server.savedObjectsClientFactory();
+
+  expect(client.get).toHaveBeenCalledTimes(1);
+  expect(client.create).toHaveBeenCalledTimes(0);
+});
+
+test(`it throws all other errors from the saved objects client`, async () => {
+  const server = createMockServer({
+    defaultExists: true,
+  });
+
+  const client = server.savedObjectsClientFactory();
+  client.get = () => { throw new Error('unit test: unexpected exception condition'); };
+
+  try {
+    await createDefaultSpace(server);
+    throw new Error(`Expected error to be thrown!`);
+  } catch (e) {
+    expect(e.message).toEqual('unit test: unexpected exception condition');
+  }
+});
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.js b/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
index c7d8f71d713132..6f4330ba283cc2 100644
--- a/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
@@ -53,6 +53,28 @@ export function initSpacesRequestInterceptors(server) {
           type: 'space'
         });
 
+        if (total === 1) {
+          // If only one space is available, then send user there directly.
+          // No need for an interstitial screen where there is only one possible outcome.
+          const space = spaceObjects[0];
+          const {
+            urlContext
+          } = space.attributes;
+
+          const config = server.config();
+          const basePath = config.get('server.basePath');
+          const defaultRoute = config.get('server.defaultRoute');
+
+          let destination;
+          if (urlContext) {
+            destination = `${basePath}/s/${urlContext}${defaultRoute}`;
+          } else {
+            destination = `${basePath}${defaultRoute}`;
+          }
+
+          return reply.redirect(destination);
+        }
+
         if (total > 0) {
           // render spaces selector instead of home page
           const app = server.getHiddenUiAppById('space_selector');
@@ -61,7 +83,7 @@ export function initSpacesRequestInterceptors(server) {
           });
         }
 
-      } catch(e) {
+      } catch (e) {
         return reply(wrapError(e));
       }
     }
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js b/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
new file mode 100644
index 00000000000000..434ec530ba6f31
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
@@ -0,0 +1,254 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import sinon from 'sinon';
+import { Server } from 'hapi';
+import { initSpacesRequestInterceptors } from './space_request_interceptors';
+
+describe('interceptors', () => {
+  const sandbox = sinon.sandbox.create();
+  const teardowns = [];
+  let request;
+
+  beforeEach(() => {
+    teardowns.push(() => sandbox.restore());
+    request = async (path, setupFn = () => { }) => {
+
+      const server = new Server();
+
+      server.connection({ port: 0 });
+
+      initSpacesRequestInterceptors(server);
+
+      server.route({
+        method: 'GET',
+        path: '/',
+        handler: (req, reply) => {
+          return reply({ path: req.path, url: req.url, basePath: req.getBasePath() });
+        }
+      });
+
+      await setupFn(server);
+
+      server.decorate('request', 'getBasePath', jest.fn());
+      server.decorate('request', 'setBasePath', jest.fn());
+
+      teardowns.push(() => server.stop());
+
+      return await server.inject({
+        method: 'GET',
+        url: path,
+      });
+    };
+  });
+
+  afterEach(async () => {
+    await Promise.all(teardowns.splice(0).map(fn => fn()));
+  });
+
+  describe('onRequest', () => {
+    test('handles paths without a space identifier', async () => {
+      const testHandler = jest.fn((req, reply) => {
+        expect(req.path).toBe("/");
+        return reply.continue();
+      });
+
+      await request('/', (server) => {
+        server.ext('onRequest', testHandler);
+      });
+
+      expect(testHandler).toHaveBeenCalledTimes(1);
+    });
+
+    test('strips the Space URL Context from the request', async () => {
+      const testHandler = jest.fn((req, reply) => {
+        expect(req.path).toBe("/");
+        return reply.continue();
+      });
+
+      await request('/s/foo', (server) => {
+        server.ext('onRequest', testHandler);
+      });
+
+      expect(testHandler).toHaveBeenCalledTimes(1);
+    });
+
+    test('ignores space identifiers in the middle of the path', async () => {
+      const testHandler = jest.fn((req, reply) => {
+        expect(req.path).toBe("/some/path/s/foo/bar");
+        return reply.continue();
+      });
+
+      await request('/some/path/s/foo/bar', (server) => {
+        server.ext('onRequest', testHandler);
+      });
+
+      expect(testHandler).toHaveBeenCalledTimes(1);
+    });
+
+    test('strips the Space URL Context from the request, maintaining the rest of the path', async () => {
+      const testHandler = jest.fn((req, reply) => {
+        expect(req.path).toBe('/i/love/spaces.html');
+        expect(req.query).toEqual({
+          queryParam: 'queryValue'
+        });
+        return reply.continue();
+      });
+
+      await request('/s/foo/i/love/spaces.html?queryParam=queryValue', (server) => {
+        server.ext('onRequest', testHandler);
+      });
+
+      expect(testHandler).toHaveBeenCalledTimes(1);
+    });
+  });
+
+  describe('onPostAuth', () => {
+    const serverBasePath = '/my/base/path';
+    const defaultRoute = '/app/custom-app';
+
+    const config = {
+      'server.basePath': serverBasePath,
+      'server.defaultRoute': defaultRoute
+    };
+
+    const setupTest = (server, spaces, testHandler) => {
+      // Mock server.config()
+      server.decorate('server', 'config', () => {
+        return {
+          get: (key) => {
+            return config[key];
+          }
+        };
+      });
+
+      // Mock server.getSavedObjectsClient()
+      server.decorate('request', 'getSavedObjectsClient', () => {
+        return {
+          find: jest.fn(() => {
+            return {
+              total: spaces.length,
+              saved_objects: spaces
+            };
+          })
+        };
+      });
+
+      // Register test inspector
+      server.ext('onPreResponse', testHandler);
+    };
+
+    describe('with a single available space', () => {
+      test('it redirects to the defaultRoute within the context of the single Space when navigating to Kibana root', async () => {
+        const testHandler = jest.fn((req, reply) => {
+          const { response } = req;
+
+          if (response && response.isBoom) {
+            throw response;
+          }
+
+          expect(response.statusCode).toEqual(302);
+          expect(response.headers.location).toEqual(`${serverBasePath}/s/a-space${defaultRoute}`);
+
+          return reply.continue();
+        });
+
+        const spaces = [{
+          id: 'space:a-space',
+          attributes: {
+            name: 'a space',
+            urlContext: 'a-space',
+          }
+        }];
+
+        await request('/', (server) => {
+          setupTest(server, spaces, testHandler);
+        });
+
+        expect(testHandler).toHaveBeenCalledTimes(1);
+      });
+
+      test('it redirects to the defaultRoute within the context of the Default Space when navigating to Kibana root', async () => {
+        // This is very similar to the test above, but this handles the condition where the only available space is the Default Space,
+        // which does not have a URL Context. In this scenario, the end result is the same as the other test, but the final URL the user
+        // is redirected to does not contain a space identifier (e.g., /s/foo)
+
+        const testHandler = jest.fn((req, reply) => {
+          const { response } = req;
+
+          if (response && response.isBoom) {
+            throw response;
+          }
+
+          expect(response.statusCode).toEqual(302);
+          expect(response.headers.location).toEqual(`${serverBasePath}${defaultRoute}`);
+
+          return reply.continue();
+        });
+
+        const spaces = [{
+          id: 'space:default',
+          attributes: {
+            name: 'Default Space',
+            urlContext: '',
+          }
+        }];
+
+        await request('/', (server) => {
+          setupTest(server, spaces, testHandler);
+        });
+
+        expect(testHandler).toHaveBeenCalledTimes(1);
+      });
+    });
+
+    describe('with multiple available spaces', () => {
+      test('it redirects to the Space Selector App when navigating to Kibana root', async () => {
+
+        const spaces = [{
+          id: 'space:a-space',
+          attributes: {
+            name: 'a space',
+            urlContext: 'a-space',
+          }
+        }, {
+          id: 'space:b-space',
+          attributes: {
+            name: 'b space',
+            urlContext: 'b-space',
+          }
+        }];
+
+        const getHiddenUiAppHandler = jest.fn(() => { return '<div>space selector</div>'; });
+
+        const testHandler = jest.fn((req, reply) => {
+          const { response } = req;
+
+          if (response && response.isBoom) {
+            throw response;
+          }
+
+          expect(response.statusCode).toEqual(200);
+          expect(response.source).toEqual({ "app": "<div>space selector</div>", "renderApp": true });
+
+          return reply.continue();
+        });
+
+        await request('/', (server) => {
+          server.decorate('server', 'getHiddenUiAppById', getHiddenUiAppHandler);
+          server.decorate('reply', 'renderApp', function (app) {
+            this({ renderApp: true, app });
+          });
+
+          setupTest(server, spaces, testHandler);
+        });
+
+        expect(getHiddenUiAppHandler).toHaveBeenCalledTimes(1);
+        expect(getHiddenUiAppHandler).toHaveBeenCalledWith('space_selector');
+        expect(testHandler).toHaveBeenCalledTimes(1);
+      });
+    });
+  });
+});
diff --git a/x-pack/plugins/spaces/server/lib/space_schema.js b/x-pack/plugins/spaces/server/lib/space_schema.js
index d4f7af6f4c37f8..88c134ca6f82b9 100644
--- a/x-pack/plugins/spaces/server/lib/space_schema.js
+++ b/x-pack/plugins/spaces/server/lib/space_schema.js
@@ -10,5 +10,6 @@ export const spaceSchema = Joi.object({
   id: Joi.string(),
   name: Joi.string().required(),
   description: Joi.string().required(),
-  urlContext: Joi.string().regex(/[a-z0-9\-]+/, `lower case, a-z, 0-9, and "-" are allowed`).required()
+  urlContext: Joi.string().regex(/[a-z0-9\-]+/, `lower case, a-z, 0-9, and "-" are allowed`).required(),
+  _reserved: Joi.boolean()
 }).default();
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
index 019513dafbb8c6..64b893b93239d5 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
@@ -10,6 +10,7 @@ import { getClient } from '../../../../../../server/lib/get_client_shield';
 import { routePreCheckLicense } from '../../../lib/route_pre_check_license';
 import { spaceSchema } from '../../../lib/space_schema';
 import { wrapError } from '../../../lib/errors';
+import { isReservedSpace } from '../../../../common/is_reserved_space';
 import { createDuplicateContextQuery } from '../../../lib/check_duplicate_context';
 
 export function initSpacesApi(server) {
@@ -104,7 +105,7 @@ export function initSpacesApi(server) {
         overwrite = false
       } = request.query;
 
-      const space = omit(request.payload, ['id']);
+      const space = omit(request.payload, ['id', '_reserved']);
 
       const { error } = await checkForDuplicateContext(space);
 
@@ -116,8 +117,16 @@ export function initSpacesApi(server) {
 
       let result;
       try {
+        const existingSpace = await getSpaceById(client, id);
+
+        // Reserved Spaces cannot have their _reserved or urlContext properties altered.
+        if (isReservedSpace(existingSpace)) {
+          space._reserved = true;
+          space.urlContext = existingSpace.urlContext;
+        }
+
         result = await client.create('space', { ...space }, { id, overwrite });
-      } catch(e) {
+      } catch (e) {
         return reply(wrapError(e));
       }
 
@@ -172,8 +181,13 @@ export function initSpacesApi(server) {
       let result;
 
       try {
+        const existingSpace = await getSpaceById(client, id);
+        if (isReservedSpace(existingSpace)) {
+          return reply(wrapError(Boom.badRequest('This Space cannot be deleted because it is reserved.')));
+        }
+
         result = await client.delete('space', id);
-      } catch(e) {
+      } catch (e) {
         return reply(wrapError(e));
       }
 
@@ -183,4 +197,20 @@ export function initSpacesApi(server) {
       pre: [routePreCheckLicenseFn]
     }
   });
+
+  async function getSpaceById(client, spaceId) {
+    try {
+      const existingSpace = await client.get('space', spaceId);
+      console.log(existingSpace);
+      return {
+        id: existingSpace.id,
+        ...existingSpace.attributes
+      };
+    } catch (e) {
+      if (client.errors.isNotFoundError(e)) {
+        return null;
+      }
+      throw e;
+    }
+  }
 }
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js
new file mode 100644
index 00000000000000..2318b4cd243195
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js
@@ -0,0 +1,151 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { Server } from 'hapi';
+import { initSpacesApi } from './spaces';
+
+jest.mock('../../../lib/route_pre_check_license', () => {
+  return {
+    routePreCheckLicense: () => (request, reply) => reply.continue()
+  };
+});
+
+jest.mock('../../../../../../server/lib/get_client_shield', () => {
+  return {
+    getClient: () => {
+      return {
+        callWithInternalUser: jest.fn(() => {})
+      };
+    }
+  };
+});
+
+const spaces = [{
+  id: 'space:a-space',
+  attributes: {
+    name: 'a space',
+    urlContext: 'a-space',
+  }
+}, {
+  id: 'space:b-space',
+  attributes: {
+    name: 'b space',
+    urlContext: 'b-space',
+  }
+}, {
+  id: 'space:default',
+  attributes: {
+    name: 'Default Space',
+    urlContext: '',
+    _reserved: true
+  }
+}];
+
+describe('Spaces API', () => {
+  const teardowns = [];
+  let request;
+
+  beforeEach(() => {
+    request = async (method, path, setupFn = () => { }) => {
+
+      const server = new Server();
+
+      server.connection({ port: 0 });
+
+      await setupFn(server);
+
+      server.decorate('server', 'config', jest.fn(() => {
+        return {
+          get: () => ''
+        };
+      }));
+
+      initSpacesApi(server);
+
+      server.decorate('request', 'getBasePath', jest.fn());
+      server.decorate('request', 'setBasePath', jest.fn());
+
+      // Mock server.getSavedObjectsClient()
+      server.decorate('request', 'getSavedObjectsClient', () => {
+        return {
+          get: jest.fn((type, id) => {
+            return spaces.filter(s => s.id === `${type}:${id}`)[0];
+          }),
+          find: jest.fn(() => {
+            return {
+              total: spaces.length,
+              saved_objects: spaces
+            };
+          }),
+          delete: jest.fn()
+        };
+      });
+
+      teardowns.push(() => server.stop());
+
+      return await server.inject({
+        method,
+        url: path,
+      });
+    };
+  });
+
+  afterEach(async () => {
+    await Promise.all(teardowns.splice(0).map(fn => fn()));
+  });
+
+  test(`'GET spaces' returns all available spaces`, async () => {
+    const response = await request('GET', '/api/spaces/v1/spaces');
+
+    const {
+      statusCode,
+      payload
+    } = response;
+
+    expect(statusCode).toEqual(200);
+    const resultSpaces = JSON.parse(payload);
+    expect(resultSpaces.map(s => s.id)).toEqual(spaces.map(s => s.id));
+  });
+
+  test(`'GET spaces/{id}' returns the space with that id`, async () => {
+    const response = await request('GET', '/api/spaces/v1/space/default');
+
+    const {
+      statusCode,
+      payload
+    } = response;
+
+    expect(statusCode).toEqual(200);
+    const resultSpace = JSON.parse(payload);
+    expect(resultSpace.id).toEqual('space:default');
+  });
+
+  test(`'DELETE spaces/{id}' deletes the space`, async () => {
+    const response = await request('DELETE', '/api/spaces/v1/space/a-space');
+
+    const {
+      statusCode
+    } = response;
+
+    expect(statusCode).toEqual(204);
+  });
+
+  test(`'DELETE spaces/{id}' cannot delete reserved spaces`, async () => {
+    const response = await request('DELETE', '/api/spaces/v1/space/default');
+
+    const {
+      statusCode,
+      payload
+    } = response;
+
+    expect(statusCode).toEqual(400);
+    expect(JSON.parse(payload)).toEqual({
+      statusCode: 400,
+      error: "Bad Request",
+      message: "This Space cannot be deleted because it is reserved."
+    });
+  });
+});

From 36e7a67b5e6822ad9670f3b0c8a56d844bb7e963 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Tue, 22 May 2018 11:05:20 -0400
Subject: [PATCH 017/183] Adding built-in types and alphabetizing (#19306)

---
 x-pack/plugins/security/server/lib/privileges/privileges.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security/server/lib/privileges/privileges.js b/x-pack/plugins/security/server/lib/privileges/privileges.js
index e05be3117f934a..129d4b3abfb3ea 100644
--- a/x-pack/plugins/security/server/lib/privileges/privileges.js
+++ b/x-pack/plugins/security/server/lib/privileges/privileges.js
@@ -45,7 +45,7 @@ function buildSavedObjectsReadPrivileges() {
 }
 
 function buildSavedObjectsPrivileges(actions) {
-  const objectTypes = ['config', 'dashboard', 'index-pattern', 'search', 'visualization', 'graph-workspace'];
+  const objectTypes = ['config', 'dashboard', 'graph-workspace', 'index-pattern', 'search', 'timelion-sheet', 'url', 'visualization'];
   return objectTypes
     .map(type => actions.map(action => `action:saved-objects/${type}/${action}`))
     .reduce((acc, types) => [...acc, ...types], []);

From 06eb78422cd3c600a15ee691b3be440da3373f38 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Tue, 22 May 2018 14:56:02 -0400
Subject: [PATCH 018/183] Filtering out non-default resource Kibana privileges
 (#19321)

---
 x-pack/plugins/security/public/views/management/edit_role.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
index 3f0ab02129dbb3..ba159bc0c95d9a 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role.js
@@ -33,7 +33,10 @@ const getKibanaPrivileges = (kibanaApplicationPrivilege, role, application) => {
     return kibanaPrivileges;
   }
 
-  const applications = role.applications.filter(x => x.application === application);
+  // we're filtering out privileges for non-default resources as well incase
+  // the roles were created in a future version
+  const applications = role.applications
+    .filter(x => x.application === application && x.application.resources.all(r => r === DEFAULT_RESOURCE));
 
   const assigned =  _.uniq(_.flatten(_.pluck(applications, 'privileges')));
   assigned.forEach(a => {

From 767fb277a4b35db977f14c6355e6b3bac8519ee6 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Tue, 29 May 2018 10:41:58 -0400
Subject: [PATCH 019/183] Removing unused file

---
 .../security/server/lib/check_user_permission.js   | 14 --------------
 1 file changed, 14 deletions(-)
 delete mode 100644 x-pack/plugins/security/server/lib/check_user_permission.js

diff --git a/x-pack/plugins/security/server/lib/check_user_permission.js b/x-pack/plugins/security/server/lib/check_user_permission.js
deleted file mode 100644
index 6890a6fc790929..00000000000000
--- a/x-pack/plugins/security/server/lib/check_user_permission.js
+++ /dev/null
@@ -1,14 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-
-
-export async function checkUserPermission(permission, hasPermission) {
-  // POC Stub. TODO: Use ES Permissions API once implemented.
-  return Promise.resolve(hasPermission);
-}

From 203ec3ef4ea1f2ac0d335390f6b51d57ad95b03a Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Tue, 29 May 2018 14:18:45 -0400
Subject: [PATCH 020/183] Adding kibana_rbac_dashboard_only_user to dashboard
 only mode roles (#19511)

---
 x-pack/plugins/dashboard_mode/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/dashboard_mode/index.js b/x-pack/plugins/dashboard_mode/index.js
index ba6124a5b79529..059e2a9a41f9bf 100644
--- a/x-pack/plugins/dashboard_mode/index.js
+++ b/x-pack/plugins/dashboard_mode/index.js
@@ -28,7 +28,7 @@ export function dashboardMode(kibana) {
       uiSettingDefaults: {
         [CONFIG_DASHBOARD_ONLY_MODE_ROLES]: {
           description: 'Roles that belong to View Dashboards Only mode',
-          value: ['kibana_dashboard_only_user'],
+          value: ['kibana_dashboard_only_user', 'kibana_rbac_dashboard_only_user'],
         }
       },
       app: {

From d818cc64545a30ec433bee53f5e7a1865ab7dd24 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Tue, 29 May 2018 14:19:16 -0400
Subject: [PATCH 021/183] Adding create default roles test (#19505)

---
 .../create_default_roles.test.js.snap         |   9 +
 .../create_default_roles.test.js              | 216 ++++++++++++++++++
 2 files changed, 225 insertions(+)
 create mode 100644 x-pack/plugins/security/server/lib/authorization/__snapshots__/create_default_roles.test.js.snap
 create mode 100644 x-pack/plugins/security/server/lib/authorization/create_default_roles.test.js

diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/create_default_roles.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/create_default_roles.test.js.snap
new file mode 100644
index 00000000000000..9fdbc5479a0225
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/create_default_roles.test.js.snap
@@ -0,0 +1,9 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`dashboard_only_user throws error when shield.getRole throws non 404 error 1`] = `undefined`;
+
+exports[`dashboard_only_user throws error when shield.putRole throws error 1`] = `"Some other error"`;
+
+exports[`rbac_user throws error when sheild.getRole throws non 404 error 1`] = `undefined`;
+
+exports[`rbac_user throws error when shield.putRole throws error 1`] = `"Some other error"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/create_default_roles.test.js b/x-pack/plugins/security/server/lib/authorization/create_default_roles.test.js
new file mode 100644
index 00000000000000..98d95cd6e9fbf5
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/create_default_roles.test.js
@@ -0,0 +1,216 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { createDefaultRoles } from './create_default_roles';
+import { getClient } from '../../../../../server/lib/get_client_shield';
+import { DEFAULT_RESOURCE } from '../../../common/constants';
+
+jest.mock('../../../../../server/lib/get_client_shield', () => ({
+  getClient: jest.fn()
+}));
+
+const mockShieldClient = () => {
+  const mockCallWithInternalUser = jest.fn();
+  getClient.mockReturnValue({
+    callWithInternalUser: mockCallWithInternalUser
+  });
+
+  return {
+    mockCallWithInternalUser
+  };
+};
+
+const defaultApplication = 'foo-application';
+
+const createMockServer = ({ settings = {} } = {}) => {
+  const mockServer = {
+    config: jest.fn().mockReturnValue({
+      get: jest.fn()
+    })
+  };
+
+  const defaultSettings = {
+    'xpack.security.rbac.createDefaultRoles': true,
+    'xpack.security.rbac.application': defaultApplication
+  };
+
+  mockServer.config().get.mockImplementation(key => {
+    return key in settings ? settings[key] : defaultSettings[key];
+  });
+
+  return mockServer;
+};
+
+test(`doesn't create roles if createDefaultRoles is false`, async () => {
+  const { mockCallWithInternalUser } = mockShieldClient();
+  const mockServer = createMockServer({
+    settings: {
+      'xpack.security.rbac.createDefaultRoles': false
+    }
+  });
+
+  await createDefaultRoles(mockServer);
+
+  expect(mockCallWithInternalUser).toHaveBeenCalledTimes(0);
+});
+
+describe(`rbac_user`, () => {
+  test(`doesn't create \${application}_rbac_user when it exists`, async () => {
+    const { mockCallWithInternalUser } = mockShieldClient();
+    const mockServer = createMockServer();
+    mockCallWithInternalUser.mockReturnValue(null);
+
+    await createDefaultRoles(mockServer);
+
+    expect(mockCallWithInternalUser).not.toHaveBeenCalledWith('shield.putRole', expect.anything());
+  });
+
+  test(`creates \${application}_rbac_user when it doesn't exist`, async () => {
+    const { mockCallWithInternalUser } = mockShieldClient();
+    const mockServer = createMockServer();
+    mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {
+      if (endpoint === 'shield.getRole' && params.name === `${defaultApplication}_rbac_user`) {
+        throw {
+          statusCode: 404
+        };
+      }
+
+      return null;
+    });
+
+    await createDefaultRoles(mockServer);
+
+    expect(mockCallWithInternalUser).toHaveBeenCalledWith('shield.putRole', {
+      name: `${defaultApplication}_rbac_user`,
+      body: {
+        cluster: [],
+        index: [],
+        applications: [
+          {
+            application: defaultApplication,
+            privileges: [ 'all' ],
+            resources: [ DEFAULT_RESOURCE ]
+          }
+        ]
+      }
+    });
+  });
+
+  test(`throws error when sheild.getRole throws non 404 error`, async () => {
+    const { mockCallWithInternalUser } = mockShieldClient();
+    const mockServer = createMockServer();
+    mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {
+      if (endpoint === 'shield.getRole' && params.name === `${defaultApplication}_rbac_user`) {
+        throw {
+          statusCode: 500
+        };
+      }
+
+      return null;
+    });
+
+    expect(createDefaultRoles(mockServer)).rejects.toThrowErrorMatchingSnapshot();
+  });
+
+  test(`throws error when shield.putRole throws error`, async () => {
+    const { mockCallWithInternalUser } = mockShieldClient();
+    const mockServer = createMockServer();
+    mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {
+      if (endpoint === 'shield.getRole' && params.name === `${defaultApplication}_rbac_user`) {
+        throw {
+          statusCode: 404
+        };
+      }
+
+      if (endpoint === 'shield.putRole' && params.name === `${defaultApplication}_rbac_user`) {
+        throw new Error('Some other error');
+      }
+
+      return null;
+    });
+
+    await expect(createDefaultRoles(mockServer)).rejects.toThrowErrorMatchingSnapshot();
+  });
+});
+
+describe(`dashboard_only_user`, () => {
+  test(`doesn't create \${application}_rbac_dashboard_only_user when it exists`, async () => {
+    const { mockCallWithInternalUser } = mockShieldClient();
+    const mockServer = createMockServer();
+    mockCallWithInternalUser.mockReturnValue(null);
+
+    await createDefaultRoles(mockServer);
+
+    expect(mockCallWithInternalUser).not.toHaveBeenCalledWith('shield.putRole', expect.anything());
+  });
+
+  test(`creates \${application}_rbac_dashboard_only_user when it doesn't exist`, async () => {
+    const { mockCallWithInternalUser } = mockShieldClient();
+    const mockServer = createMockServer();
+    mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {
+      if (endpoint === 'shield.getRole' && params.name === `${defaultApplication}_rbac_dashboard_only_user`) {
+        throw {
+          statusCode: 404
+        };
+      }
+
+      return null;
+    });
+
+    await createDefaultRoles(mockServer);
+
+    expect(mockCallWithInternalUser).toHaveBeenCalledWith('shield.putRole', {
+      name: `${defaultApplication}_rbac_dashboard_only_user`,
+      body: {
+        cluster: [],
+        index: [],
+        applications: [
+          {
+            application: defaultApplication,
+            privileges: [ 'read' ],
+            resources: [ DEFAULT_RESOURCE ]
+          }
+        ]
+      }
+    });
+  });
+
+  test(`throws error when shield.getRole throws non 404 error`, async () => {
+    const { mockCallWithInternalUser } = mockShieldClient();
+    const mockServer = createMockServer();
+    mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {
+      if (endpoint === 'shield.getRole' && params.name === `${defaultApplication}_rbac_dashboard_only_user`) {
+        throw {
+          statusCode: 500
+        };
+      }
+
+      return null;
+    });
+
+    await expect(createDefaultRoles(mockServer)).rejects.toThrowErrorMatchingSnapshot();
+  });
+
+  test(`throws error when shield.putRole throws error`, async () => {
+    const { mockCallWithInternalUser } = mockShieldClient();
+    const mockServer = createMockServer();
+    mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {
+      if (endpoint === 'shield.getRole' && params.name === `${defaultApplication}_rbac_dashboard_only_user`) {
+        throw {
+          statusCode: 404
+        };
+      }
+
+      if (endpoint === 'shield.putRole' && params.name === `${defaultApplication}_rbac_dashboard_only_user`) {
+        throw new Error('Some other error');
+      }
+
+      return null;
+    });
+
+    await expect(createDefaultRoles(mockServer)).rejects.toThrowErrorMatchingSnapshot();
+  });
+});

From d8d98103a9b073504b46a29be28806236bb6a4fb Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Fri, 1 Jun 2018 08:00:04 -0400
Subject: [PATCH 022/183] RBAC - SecurityAuditLogger (#19571)

* Manually porting over the AuditLogger for use within the security audit
logger

* HasPrivileges now returns the user from the request

* Has privileges returns username from privilegeCheck

* Adding first eventType to the security audit logger

* Adding authorization success message

* Logging arguments when authorization success

* Fixing test description

* Logging args during audit failures
---
 x-pack/plugins/security/index.js              |   7 ++
 .../security/server/lib/audit_logger.js       |  47 ++++++++
 .../security/server/lib/audit_logger.test.js  | 113 ++++++++++++++++++
 .../lib/authorization/has_privileges.js       |   3 +-
 .../lib/authorization/has_privileges.test.js  |  43 +++++--
 .../secure_options_builder.js                 |   4 +-
 .../secure_saved_objects_client.js            |  48 ++++++--
 7 files changed, 241 insertions(+), 24 deletions(-)
 create mode 100644 x-pack/plugins/security/server/lib/audit_logger.js
 create mode 100644 x-pack/plugins/security/server/lib/audit_logger.test.js

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 0346fa90b9cfa2..535fbf8cf82d32 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -23,6 +23,8 @@ import { registerPrivilegesWithCluster } from './server/lib/privileges';
 import { createDefaultRoles } from './server/lib/authorization/create_default_roles';
 import { initPrivilegesApi } from './server/routes/api/v1/privileges';
 import { hasPrivilegesWithServer } from './server/lib/authorization/has_privileges';
+import { SecurityAuditLogger } from './server/lib/audit_logger';
+import { AuditLogger } from '../../server/lib/audit_logger';
 
 export const security = (kibana) => new kibana.Plugin({
   id: 'security',
@@ -51,6 +53,9 @@ export const security = (kibana) => new kibana.Plugin({
           `may contain alphanumeric characters (a-z, A-Z, 0-9), underscores and hyphens`
         ),
       }).default(),
+      audit: Joi.object({
+        enabled: Joi.boolean().default(false)
+      }).default(),
     }).default();
   },
 
@@ -98,6 +103,8 @@ export const security = (kibana) => new kibana.Plugin({
       await createDefaultRoles(server);
     });
 
+    server.expose('auditLogger', new SecurityAuditLogger(server.config(), new AuditLogger(server, 'security')));
+
     // Register a function that is called whenever the xpack info changes,
     // to re-compute the license check results for this plugin
     xpackMainPlugin.info.feature(this.id).registerLicenseCheckResultsGenerator(checkLicense);
diff --git a/x-pack/plugins/security/server/lib/audit_logger.js b/x-pack/plugins/security/server/lib/audit_logger.js
new file mode 100644
index 00000000000000..22cf207e3d363a
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/audit_logger.js
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export class SecurityAuditLogger {
+  constructor(config, auditLogger) {
+    this._enabled = config.get('xpack.security.audit.enabled');
+    this._auditLogger = auditLogger;
+  }
+
+  savedObjectsAuthorizationFailure(username, action, types, missing, args) {
+    if (!this._enabled) {
+      return;
+    }
+
+    this._auditLogger.log(
+      'saved_objects_authorization_failure',
+      `${username} unauthorized to ${action} ${types.join(',')}, missing ${missing.join(',')}`,
+      {
+        username,
+        action,
+        types,
+        missing,
+        args
+      }
+    );
+  }
+
+  savedObjectsAuthorizationSuccess(username, action, types, args) {
+    if (!this._enabled) {
+      return;
+    }
+
+    this._auditLogger.log(
+      'saved_objects_authorization_success',
+      `${username} authorized to ${action} ${types.join(',')}`,
+      {
+        username,
+        action,
+        types,
+        args,
+      }
+    );
+  }
+}
diff --git a/x-pack/plugins/security/server/lib/audit_logger.test.js b/x-pack/plugins/security/server/lib/audit_logger.test.js
new file mode 100644
index 00000000000000..da727552aae58a
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/audit_logger.test.js
@@ -0,0 +1,113 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { SecurityAuditLogger } from './audit_logger';
+
+
+const createMockConfig = (settings) => {
+  const mockConfig = {
+    get: jest.fn()
+  };
+
+  const defaultSettings = {};
+
+  mockConfig.get.mockImplementation(key => {
+    return key in settings ? settings[key] : defaultSettings[key];
+  });
+
+  return mockConfig;
+};
+
+const createMockAuditLogger = () => {
+  return {
+    log: jest.fn()
+  };
+};
+
+describe(`#savedObjectsAuthorizationFailure`, () => {
+  test(`doesn't log anything when xpack.security.audit.enabled is false`, () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': false
+    });
+    const auditLogger = createMockAuditLogger();
+
+    const securityAuditLogger = new SecurityAuditLogger(config, auditLogger);
+    securityAuditLogger.savedObjectsAuthorizationFailure();
+
+    expect(auditLogger.log).toHaveBeenCalledTimes(0);
+  });
+
+  test('logs via auditLogger when xpack.security.audit.enabled is true', () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': true
+    });
+    const auditLogger = createMockAuditLogger();
+    const securityAuditLogger = new SecurityAuditLogger(config, auditLogger);
+    const username = 'foo-user';
+    const action = 'foo-action';
+    const types = [ 'foo-type-1', 'foo-type-2' ];
+    const missing = [`action:saved-objects/${types[0]}/foo-action`, `action:saved-objects/${types[1]}/foo-action`];
+    const args = {
+      'foo': 'bar',
+      'baz': 'quz',
+    };
+
+    securityAuditLogger.savedObjectsAuthorizationFailure(username, action, types, missing, args);
+
+    expect(auditLogger.log).toHaveBeenCalledWith(
+      'saved_objects_authorization_failure',
+      expect.stringContaining(`${username} unauthorized to ${action}`),
+      {
+        username,
+        action,
+        types,
+        missing,
+        args,
+      }
+    );
+  });
+});
+
+describe(`#savedObjectsAuthorizationSuccess`, () => {
+  test(`doesn't log anything when xpack.security.audit.enabled is false`, () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': false
+    });
+    const auditLogger = createMockAuditLogger();
+
+    const securityAuditLogger = new SecurityAuditLogger(config, auditLogger);
+    securityAuditLogger.savedObjectsAuthorizationSuccess();
+
+    expect(auditLogger.log).toHaveBeenCalledTimes(0);
+  });
+
+  test('logs via auditLogger when xpack.security.audit.enabled is true', () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': true
+    });
+    const auditLogger = createMockAuditLogger();
+    const securityAuditLogger = new SecurityAuditLogger(config, auditLogger);
+    const username = 'foo-user';
+    const action = 'foo-action';
+    const types = [ 'foo-type-1', 'foo-type-2' ];
+    const args = {
+      'foo': 'bar',
+      'baz': 'quz',
+    };
+
+    securityAuditLogger.savedObjectsAuthorizationSuccess(username, action, types, args);
+
+    expect(auditLogger.log).toHaveBeenCalledWith(
+      'saved_objects_authorization_success',
+      expect.stringContaining(`${username} authorized to ${action}`),
+      {
+        username,
+        action,
+        types,
+        args,
+      }
+    );
+  });
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
index bd91272ebbcf56..03a0642ecb8e8c 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
@@ -48,7 +48,8 @@ export function hasPrivilegesWithServer(server) {
 
       return {
         success,
-        missing: missingPrivileges
+        missing: missingPrivileges,
+        username: privilegeCheck.username,
       };
     };
   };
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
index 9d6b9580c47d8f..aed3dbcfe94ccd 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
@@ -43,8 +43,9 @@ const createMockServer = ({ settings = {} } = {}) => {
   return mockServer;
 };
 
-const mockResponse = (hasAllRequested, privileges, application = defaultApplication) => {
+const mockResponse = (hasAllRequested, privileges, application = defaultApplication, username = '') => {
   mockCallWithRequest.mockImplementationOnce(async () => ({
+    username: username,
     has_all_requested: hasAllRequested,
     application: {
       [application]: {
@@ -151,6 +152,21 @@ test(`returns success when has_all_requested`, async () => {
   expect(result.success).toBe(true);
 });
 
+test(`returns username from has_privileges response when has_all_requested`, async () => {
+  const mockServer = createMockServer();
+  const username = 'foo-username';
+  mockResponse(true, {
+    [getVersionPrivilege(defaultVersion)]: true,
+    [getLoginPrivilege()]: true,
+    foo: true,
+  }, defaultApplication, username);
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const hasPrivileges = hasPrivilegesWithRequest({});
+  const result = await hasPrivileges(['foo']);
+  expect(result.username).toBe(username);
+});
+
 test(`returns false success when has_all_requested is false`, async () => {
   const mockServer = createMockServer();
   mockResponse(false, {
@@ -158,16 +174,6 @@ test(`returns false success when has_all_requested is false`, async () => {
     [getLoginPrivilege()]: true,
     foo: false,
   });
-  mockCallWithRequest.mockImplementationOnce(async () => ({
-    has_all_requested: false,
-    application: {
-      [defaultApplication]: {
-        [DEFAULT_RESOURCE]: {
-          foo: false
-        }
-      }
-    }
-  }));
 
   const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
   const hasPrivileges = hasPrivilegesWithRequest({});
@@ -175,6 +181,21 @@ test(`returns false success when has_all_requested is false`, async () => {
   expect(result.success).toBe(false);
 });
 
+test(`returns username from has_privileges when has_all_requested is false`, async () => {
+  const username = 'foo-username';
+  const mockServer = createMockServer();
+  mockResponse(false, {
+    [getVersionPrivilege(defaultVersion)]: true,
+    [getLoginPrivilege()]: true,
+    foo: false,
+  }, defaultApplication, username);
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const hasPrivileges = hasPrivilegesWithRequest({ });
+  const result = await hasPrivileges(['foo']);
+  expect(result.username).toBe(username);
+});
+
 test(`returns missing privileges`, async () => {
   const mockServer = createMockServer();
   mockResponse(false, {
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js
index 65f0ce3ff64e8f..9eba7621bf5d8d 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js
@@ -10,10 +10,12 @@
 export function secureSavedObjectsClientOptionsBuilder(server, hasPrivilegesWithRequest, options) {
   const adminCluster = server.plugins.elasticsearch.getCluster('admin');
   const { callWithInternalUser } = adminCluster;
+  const auditLogger = server.plugins.security.auditLogger;
 
   return {
     ...options,
     callCluster: callWithInternalUser,
-    hasPrivilegesWithRequest
+    hasPrivilegesWithRequest,
+    auditLogger
   };
 }
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index 8793985233c35c..08ee87d5f281bf 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -12,60 +12,83 @@ export class SecureSavedObjectsClient {
       request,
       hasPrivilegesWithRequest,
       baseClient,
+      auditLogger,
     } = options;
 
     this.errors = baseClient.errors;
 
     this._client = baseClient;
     this._hasPrivileges = hasPrivilegesWithRequest(request);
+    this._auditLogger = auditLogger;
   }
 
   async create(type, attributes = {}, options = {}) {
-    await this._performAuthorizationCheck(type, 'create');
+    await this._performAuthorizationCheck(type, 'create', {
+      type,
+      attributes,
+      options,
+    });
 
     return await this._client.create(type, attributes, options);
   }
 
   async bulkCreate(objects, options = {}) {
     const types = uniq(objects.map(o => o.type));
-    await this._performAuthorizationCheck(types, 'create');
+    await this._performAuthorizationCheck(types, 'create', {
+      objects,
+      options,
+    });
 
     return await this._client.bulkCreate(objects, options);
   }
 
   async delete(type, id) {
-    await this._performAuthorizationCheck(type, 'delete');
+    await this._performAuthorizationCheck(type, 'delete', {
+      type,
+      id,
+    });
 
     return await this._client.delete(type, id);
   }
 
   async find(options = {}) {
-    await this._performAuthorizationCheck(options.type, 'search');
+    await this._performAuthorizationCheck(options.type, 'search', {
+      options,
+    });
 
     return await this._client.find(options);
   }
 
   async bulkGet(objects = []) {
-    for (const object of objects) {
-      await this._performAuthorizationCheck(object.type, 'mget');
-    }
+    const types = uniq(objects.map(o => o.type));
+    await this._performAuthorizationCheck(types, 'mget', {
+      objects,
+    });
 
     return await this._client.bulkGet(objects);
   }
 
   async get(type, id) {
-    await this._performAuthorizationCheck(type, 'get');
+    await this._performAuthorizationCheck(type, 'get', {
+      type,
+      id,
+    });
 
     return await this._client.get(type, id);
   }
 
   async update(type, id, attributes, options = {}) {
-    await this._performAuthorizationCheck(type, 'update');
+    await this._performAuthorizationCheck(type, 'update', {
+      type,
+      id,
+      attributes,
+      options,
+    });
 
     return await this._client.update(type, id, attributes, options);
   }
 
-  async _performAuthorizationCheck(typeOrTypes, action) {
+  async _performAuthorizationCheck(typeOrTypes, action, args) {
     const types = Array.isArray(typeOrTypes) ? typeOrTypes : [typeOrTypes];
     const actions = types.map(type => `action:saved-objects/${type}/${action}`);
 
@@ -77,7 +100,10 @@ export class SecureSavedObjectsClient {
       throw this._client.errors.decorateGeneralError(error, reason);
     }
 
-    if (!result.success) {
+    if (result.success) {
+      this._auditLogger.savedObjectsAuthorizationSuccess(result.username, action, types, args);
+    } else {
+      this._auditLogger.savedObjectsAuthorizationFailure(result.username, action, types, result.missing, args);
       const msg = `Unable to ${action} ${types.join(',')}, missing ${result.missing.join(',')}`;
       throw this._client.errors.decorateForbiddenError(new Error(msg));
     }

From 3e8e694313f205aef3abad1ac8d763d2ed2b6e29 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Mon, 4 Jun 2018 15:59:59 -0400
Subject: [PATCH 023/183] RBAC Integration Tests (#19647)

* Porting over the saved objects tests, a bunch are failing, I believe
because security is preventing the requests

* Running saved objects tests with rbac and xsrf disabled

* Adding users

* BulkGet now tests under 3 users

* Adding create tests

* Adding delete tests

* Adding find tests

* Adding get tests

* Adding bulkGet forbidden tests

* Adding not a kibana user tests

* Update tests

* Renaming the actions/privileges to be closer to the functions on the
saved object client itself

* Cleaning up tests and removing without index tests

I'm considering the without index tests to be out of scope for the RBAC
API testing, and we already have unit coverage for these and integration
coverage via the OSS Saved Objects API tests.

* Fixing misspelling
---
 .../security/server/lib/audit_logger.test.js  |   2 +-
 .../lib/authorization/has_privileges.js       |   3 +-
 .../lib/authorization/has_privileges.test.js  |  18 +-
 .../server/lib/privileges/privileges.js       |   4 +-
 .../secure_saved_objects_client.js            |  10 +-
 .../test/rbac_api_integration/apis/index.js   |  11 +
 .../apis/saved_objects/bulk_get.js            | 149 ++++++++++++
 .../apis/saved_objects/create.js              | 111 +++++++++
 .../apis/saved_objects/delete.js              | 127 +++++++++++
 .../apis/saved_objects/find.js                | 212 ++++++++++++++++++
 .../apis/saved_objects/get.js                 | 143 ++++++++++++
 .../apis/saved_objects/index.js               |  51 +++++
 .../apis/saved_objects/lib/authentication.js  |  24 ++
 .../apis/saved_objects/update.js              | 152 +++++++++++++
 x-pack/test/rbac_api_integration/config.js    |  57 +++++
 .../test/rbac_api_integration/services/es.js  |  20 ++
 16 files changed, 1083 insertions(+), 11 deletions(-)
 create mode 100644 x-pack/test/rbac_api_integration/apis/index.js
 create mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
 create mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/create.js
 create mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
 create mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/find.js
 create mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/get.js
 create mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/index.js
 create mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
 create mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/update.js
 create mode 100644 x-pack/test/rbac_api_integration/config.js
 create mode 100644 x-pack/test/rbac_api_integration/services/es.js

diff --git a/x-pack/plugins/security/server/lib/audit_logger.test.js b/x-pack/plugins/security/server/lib/audit_logger.test.js
index da727552aae58a..51c8698da818d6 100644
--- a/x-pack/plugins/security/server/lib/audit_logger.test.js
+++ b/x-pack/plugins/security/server/lib/audit_logger.test.js
@@ -48,7 +48,7 @@ describe(`#savedObjectsAuthorizationFailure`, () => {
     const username = 'foo-user';
     const action = 'foo-action';
     const types = [ 'foo-type-1', 'foo-type-2' ];
-    const missing = [`action:saved-objects/${types[0]}/foo-action`, `action:saved-objects/${types[1]}/foo-action`];
+    const missing = [`action:saved_objects/${types[0]}/foo-action`, `action:saved_objects/${types[1]}/foo-action`];
     const args = {
       'foo': 'bar',
       'baz': 'quz',
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
index 03a0642ecb8e8c..5f119db027cb6f 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
@@ -48,7 +48,8 @@ export function hasPrivilegesWithServer(server) {
 
       return {
         success,
-        missing: missingPrivileges,
+        // We don't want to expose the version privilege to consumers, as it's an implementation detail only to detect version mismatch
+        missing: missingPrivileges.filter(p => p !== versionPrivilege),
         username: privilegeCheck.username,
       };
     };
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
index aed3dbcfe94ccd..b2e2759c3419b3 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
@@ -241,8 +241,8 @@ test(`throws error if missing version privilege and has login privilege`, async
 test(`doesn't throw error if missing version privilege and missing login privilege`, async () => {
   const mockServer = createMockServer();
   mockResponse(false, {
-    [getVersionPrivilege(defaultVersion)]: true,
-    [getLoginPrivilege()]: true,
+    [getVersionPrivilege(defaultVersion)]: false,
+    [getLoginPrivilege()]: false,
     foo: true,
   });
 
@@ -250,3 +250,17 @@ test(`doesn't throw error if missing version privilege and missing login privile
   const hasPrivileges = hasPrivilegesWithRequest({});
   await hasPrivileges(['foo']);
 });
+
+test(`excludes version privilege when missing version privilege and missing login privilege`, async () => {
+  const mockServer = createMockServer();
+  mockResponse(false, {
+    [getVersionPrivilege(defaultVersion)]: false,
+    [getLoginPrivilege()]: false,
+    foo: true,
+  });
+
+  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const hasPrivileges = hasPrivilegesWithRequest({});
+  const result = await hasPrivileges(['foo']);
+  expect(result.missing).toEqual([getLoginPrivilege()]);
+});
diff --git a/x-pack/plugins/security/server/lib/privileges/privileges.js b/x-pack/plugins/security/server/lib/privileges/privileges.js
index 129d4b3abfb3ea..e2dc9b2ff7ece3 100644
--- a/x-pack/plugins/security/server/lib/privileges/privileges.js
+++ b/x-pack/plugins/security/server/lib/privileges/privileges.js
@@ -40,13 +40,13 @@ export function buildPrivilegeMap(application, kibanaVersion) {
 }
 
 function buildSavedObjectsReadPrivileges() {
-  const readActions = ['get', 'mget', 'search'];
+  const readActions = ['get', 'bulk_get', 'find'];
   return buildSavedObjectsPrivileges(readActions);
 }
 
 function buildSavedObjectsPrivileges(actions) {
   const objectTypes = ['config', 'dashboard', 'graph-workspace', 'index-pattern', 'search', 'timelion-sheet', 'url', 'visualization'];
   return objectTypes
-    .map(type => actions.map(action => `action:saved-objects/${type}/${action}`))
+    .map(type => actions.map(action => `action:saved_objects/${type}/${action}`))
     .reduce((acc, types) => [...acc, ...types], []);
 }
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index 08ee87d5f281bf..0a2f9490c16649 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -34,7 +34,7 @@ export class SecureSavedObjectsClient {
 
   async bulkCreate(objects, options = {}) {
     const types = uniq(objects.map(o => o.type));
-    await this._performAuthorizationCheck(types, 'create', {
+    await this._performAuthorizationCheck(types, 'bulk_create', {
       objects,
       options,
     });
@@ -52,7 +52,7 @@ export class SecureSavedObjectsClient {
   }
 
   async find(options = {}) {
-    await this._performAuthorizationCheck(options.type, 'search', {
+    await this._performAuthorizationCheck(options.type, 'find', {
       options,
     });
 
@@ -61,7 +61,7 @@ export class SecureSavedObjectsClient {
 
   async bulkGet(objects = []) {
     const types = uniq(objects.map(o => o.type));
-    await this._performAuthorizationCheck(types, 'mget', {
+    await this._performAuthorizationCheck(types, 'bulk_get', {
       objects,
     });
 
@@ -90,7 +90,7 @@ export class SecureSavedObjectsClient {
 
   async _performAuthorizationCheck(typeOrTypes, action, args) {
     const types = Array.isArray(typeOrTypes) ? typeOrTypes : [typeOrTypes];
-    const actions = types.map(type => `action:saved-objects/${type}/${action}`);
+    const actions = types.map(type => `action:saved_objects/${type}/${action}`);
 
     let result;
     try {
@@ -104,7 +104,7 @@ export class SecureSavedObjectsClient {
       this._auditLogger.savedObjectsAuthorizationSuccess(result.username, action, types, args);
     } else {
       this._auditLogger.savedObjectsAuthorizationFailure(result.username, action, types, result.missing, args);
-      const msg = `Unable to ${action} ${types.join(',')}, missing ${result.missing.join(',')}`;
+      const msg = `Unable to ${action} ${types.sort().join(',')}, missing ${result.missing.sort().join(',')}`;
       throw this._client.errors.decorateForbiddenError(new Error(msg));
     }
   }
diff --git a/x-pack/test/rbac_api_integration/apis/index.js b/x-pack/test/rbac_api_integration/apis/index.js
new file mode 100644
index 00000000000000..eff74e5f38dbe2
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/index.js
@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export default function ({ loadTestFile }) {
+  describe('apis RBAC', () => {
+    loadTestFile(require.resolve('./saved_objects'));
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
new file mode 100644
index 00000000000000..18fe5a015dc785
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
@@ -0,0 +1,149 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { AUTHENTICATION } from './lib/authentication';
+
+export default function ({ getService }) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const BULK_REQUESTS = [
+    {
+      type: 'visualization',
+      id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+    },
+    {
+      type: 'dashboard',
+      id: 'does not exist',
+    },
+    {
+      type: 'config',
+      id: '7.0.0-alpha1',
+    },
+  ];
+
+  describe('_bulk_get', () => {
+    const expectResults = resp => {
+      expect(resp.body).to.eql({
+        saved_objects: [
+          {
+            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+            type: 'visualization',
+            updated_at: '2017-09-21T18:51:23.794Z',
+            version: resp.body.saved_objects[0].version,
+            attributes: {
+              title: 'Count of requests',
+              description: '',
+              version: 1,
+              // cheat for some of the more complex attributes
+              visState: resp.body.saved_objects[0].attributes.visState,
+              uiStateJSON: resp.body.saved_objects[0].attributes.uiStateJSON,
+              kibanaSavedObjectMeta:
+                resp.body.saved_objects[0].attributes.kibanaSavedObjectMeta,
+            },
+          },
+          {
+            id: 'does not exist',
+            type: 'dashboard',
+            error: {
+              statusCode: 404,
+              message: 'Not found',
+            },
+          },
+          {
+            id: '7.0.0-alpha1',
+            type: 'config',
+            updated_at: '2017-09-21T18:49:16.302Z',
+            version: resp.body.saved_objects[2].version,
+            attributes: {
+              buildNum: 8467,
+              defaultIndex: '91200a00-9efd-11e7-acb3-3dab96693fab',
+            },
+          },
+        ],
+      });
+    };
+
+    const expectForbidden = resp => {
+      //eslint-disable-next-line max-len
+      const missingActions = `action:login,action:saved_objects/config/bulk_get,action:saved_objects/dashboard/bulk_get,action:saved_objects/visualization/bulk_get`;
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Unable to bulk_get config,dashboard,visualization, missing ${missingActions}`
+      });
+    };
+
+    const bulkGetTest = (description, { auth, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/basic'));
+        after(() => esArchiver.unload('saved_objects/basic'));
+
+        it(`should return ${tests.default.statusCode}`, async () => {
+          await supertest
+            .post(`/api/saved_objects/_bulk_get`)
+            .auth(auth.username, auth.password)
+            .send(BULK_REQUESTS)
+            .expect(tests.default.statusCode)
+            .then(tests.default.response);
+        });
+      });
+    };
+
+    bulkGetTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: expectForbidden,
+        }
+      }
+    });
+
+    bulkGetTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    bulkGetTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    bulkGetTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/create.js b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
new file mode 100644
index 00000000000000..0db0fc41b5c4a6
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
@@ -0,0 +1,111 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { AUTHENTICATION } from './lib/authentication';
+
+export default function ({ getService }) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('create', () => {
+    const expectResults = (resp) => {
+      expect(resp.body).to.have.property('id').match(/^[0-9a-f-]{36}$/);
+
+      // loose ISO8601 UTC time with milliseconds validation
+      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+      expect(resp.body).to.eql({
+        id: resp.body.id,
+        type: 'visualization',
+        updated_at: resp.body.updated_at,
+        version: 1,
+        attributes: {
+          title: 'My favorite vis'
+        }
+      });
+    };
+
+    const createExpectForbidden = canLogin => resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Unable to create visualization, missing ${canLogin ? '' : 'action:login,'}action:saved_objects/visualization/create`
+      });
+    };
+
+    const createTest = (description, { auth, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/basic'));
+        after(() => esArchiver.unload('saved_objects/basic'));
+        it(`should return ${tests.default.statusCode}`, async () => {
+          await supertest
+            .post(`/api/saved_objects/visualization`)
+            .auth(auth.username, auth.password)
+            .send({
+              attributes: {
+                title: 'My favorite vis'
+              }
+            })
+            .expect(tests.default.statusCode)
+            .then(tests.default.response);
+        });
+      });
+    };
+
+    createTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectForbidden(false),
+        },
+      }
+    });
+
+    createTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    createTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    createTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectForbidden(true),
+        },
+      }
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
new file mode 100644
index 00000000000000..ea73c927b869e5
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
@@ -0,0 +1,127 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { AUTHENTICATION } from './lib/authentication';
+
+export default function ({ getService }) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('delete', () => {
+
+    const expectEmpty = (resp) => {
+      expect(resp.body).to.eql({});
+    };
+
+    const expectNotFound = (resp) => {
+      expect(resp.body).to.eql({
+        statusCode: 404,
+        error: 'Not Found',
+        message: 'Not Found'
+      });
+    };
+
+    const createExpectForbidden = canLogin => resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Unable to delete dashboard, missing ${canLogin ? '' : 'action:login,'}action:saved_objects/dashboard/delete`
+      });
+    };
+
+    const deleteTest = (description, { auth, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/basic'));
+        after(() => esArchiver.unload('saved_objects/basic'));
+
+        it(`should return ${tests.actualId.statusCode} when deleting a doc`, async () => (
+          await supertest
+            .delete(`/api/saved_objects/dashboard/be3733a0-9efe-11e7-acb3-3dab96693fab`)
+            .auth(auth.username, auth.password)
+            .expect(tests.actualId.statusCode)
+            .then(tests.actualId.response)
+        ));
+
+        it(`should return ${tests.invalidId.statusCode} when deleting an unknown doc`, async () => (
+          await supertest
+            .delete(`/api/saved_objects/dashboard/not-a-real-id`)
+            .auth(auth.username, auth.password)
+            .expect(tests.invalidId.statusCode)
+            .then(tests.invalidId.response)
+        ));
+      });
+    };
+
+    deleteTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 403,
+          response: createExpectForbidden(false),
+        },
+        invalidId: {
+          statusCode: 403,
+          response: createExpectForbidden(false),
+        }
+      }
+    });
+
+    deleteTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: expectNotFound,
+        }
+      }
+    });
+
+    deleteTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: expectNotFound,
+        }
+      }
+    });
+
+    deleteTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 403,
+          response: createExpectForbidden(true),
+        },
+        invalidId: {
+          statusCode: 403,
+          response: createExpectForbidden(true),
+        }
+      }
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
new file mode 100644
index 00000000000000..72a3fa2ec2bfce
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
@@ -0,0 +1,212 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { AUTHENTICATION } from './lib/authentication';
+
+export default function ({ getService }) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('find', () => {
+
+    const expectResults = (resp) => {
+      expect(resp.body).to.eql({
+        page: 1,
+        per_page: 20,
+        total: 1,
+        saved_objects: [
+          {
+            type: 'visualization',
+            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+            version: 1,
+            attributes: {
+              'title': 'Count of requests'
+            }
+          }
+        ]
+      });
+    };
+
+    const createExpectEmpty = (page, perPage, total) => (resp) => {
+      expect(resp.body).to.eql({
+        page: page,
+        per_page: perPage,
+        total: total,
+        saved_objects: []
+      });
+    };
+
+    const createExpectForbidden = (canLogin, type) => resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Unable to find ${type}, missing ${canLogin ? '' : 'action:login,'}action:saved_objects/${type}/find`
+      });
+    };
+
+    const findTest = (description, { auth, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/basic'));
+        after(() => esArchiver.unload('saved_objects/basic'));
+
+        it(`should return ${tests.normal.statusCode} with ${tests.normal.description}`, async () => (
+          await supertest
+            .get('/api/saved_objects/_find?type=visualization&fields=title')
+            .auth(auth.username, auth.password)
+            .expect(tests.normal.statusCode)
+            .then(tests.normal.response)
+        ));
+
+        describe('unknown type', () => {
+          it(`should return ${tests.unknownType.statusCode} with ${tests.unknownType.description}`, async () => (
+            await supertest
+              .get('/api/saved_objects/_find?type=wigwags')
+              .auth(auth.username, auth.password)
+              .expect(tests.unknownType.statusCode)
+              .then(tests.unknownType.response)
+          ));
+        });
+
+        describe('page beyond total', () => {
+          it(`should return ${tests.pageBeyondTotal.statusCode} with ${tests.pageBeyondTotal.description}`, async () => (
+            await supertest
+              .get('/api/saved_objects/_find?type=visualization&page=100&per_page=100')
+              .auth(auth.username, auth.password)
+              .expect(tests.pageBeyondTotal.statusCode)
+              .then(tests.pageBeyondTotal.response)
+          ));
+        });
+
+        describe('unknown search field', () => {
+          it(`should return ${tests.unknownSearchField.statusCode} with ${tests.unknownSearchField.description}`, async () => (
+            await supertest
+              .get('/api/saved_objects/_find?type=wigwags&search_fields=a')
+              .auth(auth.username, auth.password)
+              .expect(tests.unknownSearchField.statusCode)
+              .then(tests.unknownSearchField.response)
+          ));
+        });
+      });
+    };
+
+    findTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'forbidden login and find visualization message',
+          statusCode: 403,
+          response: createExpectForbidden(false, 'visualization'),
+        },
+        unknownType: {
+          description: 'forbidden login and find wigwags message',
+          statusCode: 403,
+          response: createExpectForbidden(false, 'wigwags'),
+        },
+        pageBeyondTotal: {
+          description: 'forbidden login and find visualization message',
+          statusCode: 403,
+          response: createExpectForbidden(false, 'visualization'),
+        },
+        unknownSearchField: {
+          description: 'forbidden login and find wigwags message',
+          statusCode: 403,
+          response: createExpectForbidden(false, 'wigwags'),
+        },
+      }
+    });
+
+    findTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'individual responses',
+          statusCode: 200,
+          response: expectResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+      },
+    });
+
+    findTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'individual responses',
+          statusCode: 200,
+          response: expectResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+      },
+    });
+
+    findTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'individual responses',
+          statusCode: 200,
+          response: expectResults,
+        },
+        unknownType: {
+          description: 'forbidden find wigwags message',
+          statusCode: 403,
+          response: createExpectForbidden(true, 'wigwags'),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'forbidden find wigwags message',
+          statusCode: 403,
+          response: createExpectForbidden(true, 'wigwags'),
+        },
+      }
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
new file mode 100644
index 00000000000000..e5a462d30d30cb
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
@@ -0,0 +1,143 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { AUTHENTICATION } from './lib/authentication';
+
+export default function ({ getService }) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('get', () => {
+
+    const expectResults = (resp) => {
+      expect(resp.body).to.eql({
+        id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+        type: 'visualization',
+        updated_at: '2017-09-21T18:51:23.794Z',
+        version: resp.body.version,
+        attributes: {
+          title: 'Count of requests',
+          description: '',
+          version: 1,
+          // cheat for some of the more complex attributes
+          visState: resp.body.attributes.visState,
+          uiStateJSON: resp.body.attributes.uiStateJSON,
+          kibanaSavedObjectMeta: resp.body.attributes.kibanaSavedObjectMeta
+        }
+      });
+    };
+
+    const expectNotFound = (resp) => {
+      expect(resp.body).to.eql({
+        error: 'Not Found',
+        message: 'Not Found',
+        statusCode: 404,
+      });
+    };
+
+    const expectForbidden = resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Unable to get visualization, missing action:login,action:saved_objects/visualization/get`
+      });
+    };
+
+    const getTest = (description, { auth, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/basic'));
+        after(() => esArchiver.unload('saved_objects/basic'));
+
+        it(`should return ${tests.exists.statusCode}`, async () => (
+          await supertest
+            .get(`/api/saved_objects/visualization/dd7caf20-9efd-11e7-acb3-3dab96693fab`)
+            .auth(auth.username, auth.password)
+            .expect(tests.exists.statusCode)
+            .then(tests.exists.response)
+        ));
+
+        describe('document does not exist', () => {
+          it(`should return ${tests.doesntExist.statusCode}`, async () => (
+            await supertest
+              .get(`/api/saved_objects/visualization/foobar`)
+              .auth(auth.username, auth.password)
+              .expect(tests.doesntExist.statusCode)
+              .then(tests.doesntExist.response)
+          ));
+        });
+      });
+    };
+
+    getTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 403,
+          response: expectForbidden,
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: expectForbidden,
+        },
+      }
+    });
+
+    getTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    getTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    getTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
new file mode 100644
index 00000000000000..644bf23220648e
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
@@ -0,0 +1,51 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from "./lib/authentication";
+
+export default function ({ loadTestFile, getService }) {
+  const es = getService('es');
+
+  describe('saved_objects', () => {
+    before(async () => {
+      await es.shield.putUser({
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        body: {
+          password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+          roles: [],
+          full_name: 'not a kibana user',
+          email: 'not_a_kibana_user@elastic.co',
+        }
+      });
+
+      await es.shield.putUser({
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        body: {
+          password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+          roles: ['kibana_rbac_user'],
+          full_name: 'a kibana user',
+          email: 'a_kibana_user@elastic.co',
+        }
+      });
+
+      await es.shield.putUser({
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        body: {
+          password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+          roles: ["kibana_rbac_dashboard_only_user"],
+          full_name: 'a kibana dashboard only user',
+          email: 'a_kibana_dashboard_only_user@elastic.co',
+        }
+      });
+    });
+    loadTestFile(require.resolve('./bulk_get'));
+    loadTestFile(require.resolve('./create'));
+    loadTestFile(require.resolve('./delete'));
+    loadTestFile(require.resolve('./find'));
+    loadTestFile(require.resolve('./get'));
+    loadTestFile(require.resolve('./update'));
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js b/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
new file mode 100644
index 00000000000000..e095a032934eaf
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const AUTHENTICATION = {
+  NOT_A_KIBANA_USER: {
+    USERNAME: 'not_a_kibana_user',
+    PASSWORD: 'password'
+  },
+  SUPERUSER: {
+    USERNAME: 'elastic',
+    PASSWORD: 'changeme'
+  },
+  KIBANA_RBAC_USER: {
+    USERNAME: 'a_kibana_rbac_user',
+    PASSWORD: 'password'
+  },
+  KIBANA_RBAC_DASHBOARD_ONLY_USER: {
+    USERNAME: 'a_kibana_rbac_dashboard_only_user',
+    PASSWORD: 'password'
+  }
+};
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
new file mode 100644
index 00000000000000..a9f5f0ab81aaba
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
@@ -0,0 +1,152 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { AUTHENTICATION } from './lib/authentication';
+
+export default function ({ getService }) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('update', () => {
+    const expectResults = resp => {
+      // loose uuid validation
+      expect(resp.body).to.have.property('id').match(/^[0-9a-f-]{36}$/);
+
+      // loose ISO8601 UTC time with milliseconds validation
+      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+      expect(resp.body).to.eql({
+        id: resp.body.id,
+        type: 'visualization',
+        updated_at: resp.body.updated_at,
+        version: 2,
+        attributes: {
+          title: 'My second favorite vis'
+        }
+      });
+    };
+
+    const expectNotFound = resp => {
+      expect(resp.body).eql({
+        statusCode: 404,
+        error: 'Not Found',
+        message: 'Not Found'
+      });
+    };
+
+    const createExpectForbidden = canLogin => resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Unable to update visualization, missing ${canLogin ? '' : 'action:login,'}action:saved_objects/visualization/update`
+      });
+    };
+
+    const updateTest = (description, { auth, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/basic'));
+        after(() => esArchiver.unload('saved_objects/basic'));
+        it(`should return ${tests.exists.statusCode}`, async () => {
+          await supertest
+            .put(`/api/saved_objects/visualization/dd7caf20-9efd-11e7-acb3-3dab96693fab`)
+            .auth(auth.username, auth.password)
+            .send({
+              attributes: {
+                title: 'My second favorite vis'
+              }
+            })
+            .expect(tests.exists.statusCode)
+            .then(tests.exists.response);
+        });
+
+        describe('unknown id', () => {
+          it(`should return ${tests.doesntExist.statusCode}`, async () => {
+            await supertest
+              .put(`/api/saved_objects/visualization/not an id`)
+              .auth(auth.username, auth.password)
+              .send({
+                attributes: {
+                  title: 'My second favorite vis'
+                }
+              })
+              .expect(tests.doesntExist.statusCode)
+              .then(tests.doesntExist.response);
+          });
+        });
+      });
+    };
+
+    updateTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 403,
+          response: createExpectForbidden(false),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectForbidden(false),
+        },
+      }
+    });
+
+    updateTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    updateTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    updateTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 403,
+          response: createExpectForbidden(true),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectForbidden(true),
+        },
+      }
+    });
+
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/config.js b/x-pack/test/rbac_api_integration/config.js
new file mode 100644
index 00000000000000..481b14913da919
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/config.js
@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import path from 'path';
+import { resolveKibanaPath } from '@kbn/plugin-helpers';
+import { EsProvider } from './services/es';
+
+export default async function ({ readConfigFile }) {
+
+  const config = {
+    kibana: {
+      api: await readConfigFile(resolveKibanaPath('test/api_integration/config.js')),
+      functional: await readConfigFile(require.resolve('../../../test/functional/config.js'))
+    },
+    xpack: {
+      api: await readConfigFile(require.resolve('../api_integration/config.js'))
+    }
+  };
+
+  return {
+    testFiles: [require.resolve('./apis')],
+    servers: config.xpack.api.get('servers'),
+    services: {
+      es: EsProvider,
+      supertest: config.kibana.api.get('services.supertest'),
+      supertestWithoutAuth: config.xpack.api.get('services.supertestWithoutAuth'),
+      esArchiver: config.kibana.functional.get('services.esArchiver'),
+    },
+    junit: {
+      reportName: 'X-Pack RBAC API Integration Tests',
+    },
+
+    esArchiver: {
+      directory: resolveKibanaPath(path.join('test', 'api_integration', 'fixtures', 'es_archiver'))
+    },
+
+    esTestCluster: {
+      ...config.xpack.api.get('esTestCluster'),
+      serverArgs: [
+        ...config.xpack.api.get('esTestCluster.serverArgs'),
+      ],
+    },
+
+    kbnTestServer: {
+      ...config.xpack.api.get('kbnTestServer'),
+      serverArgs: [
+        ...config.xpack.api.get('kbnTestServer.serverArgs'),
+        '--optimize.enabled=false',
+        '--xpack.security.rbac.enabled=true',
+        '--server.xsrf.disableProtection=true',
+      ],
+    },
+  };
+}
diff --git a/x-pack/test/rbac_api_integration/services/es.js b/x-pack/test/rbac_api_integration/services/es.js
new file mode 100644
index 00000000000000..420541fa7ec5f6
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/services/es.js
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { format as formatUrl } from 'url';
+
+import elasticsearch from 'elasticsearch';
+import shieldPlugin from '../../../server/lib/esjs_shield_plugin';
+
+export function EsProvider({ getService }) {
+  const config = getService('config');
+
+  return new elasticsearch.Client({
+    host: formatUrl(config.get('servers.elasticsearch')),
+    requestTimeout: config.get('timeouts.esRequestTimeout'),
+    plugins: [shieldPlugin]
+  });
+}

From 1231c7073daec6ab8fb8b6042b8ab157712fbb6d Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Tue, 5 Jun 2018 07:51:24 -0400
Subject: [PATCH 024/183] Fixing "conflicts" after merging master

---
 x-pack/plugins/security/index.js              | 38 +++++++++++++++----
 .../saved_objects_client_wrapper.js           | 17 ---------
 .../secure_options_builder.js                 | 21 ----------
 .../secure_saved_objects_client.js            | 31 ++++++++-------
 4 files changed, 45 insertions(+), 62 deletions(-)
 delete mode 100644 x-pack/plugins/security/server/lib/saved_objects_client/saved_objects_client_wrapper.js
 delete mode 100644 x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 535fbf8cf82d32..8d3a74c65391b2 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -17,14 +17,13 @@ import { authenticateFactory } from './server/lib/auth_redirect';
 import { checkLicense } from './server/lib/check_license';
 import { initAuthenticator } from './server/lib/authentication/authenticator';
 import { mirrorStatusAndInitialize } from './server/lib/mirror_status_and_initialize';
-import { secureSavedObjectsClientWrapper } from './server/lib/saved_objects_client/saved_objects_client_wrapper';
-import { secureSavedObjectsClientOptionsBuilder } from './server/lib/saved_objects_client/secure_options_builder';
 import { registerPrivilegesWithCluster } from './server/lib/privileges';
 import { createDefaultRoles } from './server/lib/authorization/create_default_roles';
 import { initPrivilegesApi } from './server/routes/api/v1/privileges';
 import { hasPrivilegesWithServer } from './server/lib/authorization/has_privileges';
 import { SecurityAuditLogger } from './server/lib/audit_logger';
 import { AuditLogger } from '../../server/lib/audit_logger';
+import { SecureSavedObjectsClient } from './server/lib/saved_objects_client/secure_saved_objects_client';
 
 export const security = (kibana) => new kibana.Plugin({
   id: 'security',
@@ -103,7 +102,8 @@ export const security = (kibana) => new kibana.Plugin({
       await createDefaultRoles(server);
     });
 
-    server.expose('auditLogger', new SecurityAuditLogger(server.config(), new AuditLogger(server, 'security')));
+    const auditLogger = new SecurityAuditLogger(server.config(), new AuditLogger(server, 'security'));
+    server.expose('auditLogger', auditLogger);
 
     // Register a function that is called whenever the xpack info changes,
     // to re-compute the license check results for this plugin
@@ -120,11 +120,33 @@ export const security = (kibana) => new kibana.Plugin({
 
     if (config.get('xpack.security.rbac.enabled')) {
       const hasPrivilegesWithRequest = hasPrivilegesWithServer(server);
-      const savedObjectsClientProvider = server.getSavedObjectsClientProvider();
-      savedObjectsClientProvider.addClientOptionBuilder(options =>
-        secureSavedObjectsClientOptionsBuilder(server, hasPrivilegesWithRequest, options)
-      );
-      savedObjectsClientProvider.addClientWrapper(secureSavedObjectsClientWrapper);
+      const { savedObjects } = server;
+
+      savedObjects.setScopedSavedObjectsClientFactory(({
+        request,
+        index,
+        mappings,
+        onBeforeWrite
+      }) => {
+        const hasPrivileges = hasPrivilegesWithRequest(request);
+
+        const adminCluster = server.plugins.elasticsearch.getCluster('admin');
+        const { callWithInternalUser } = adminCluster;
+
+        const repository = new savedObjects.SavedObjectsRepository({
+          index,
+          mappings,
+          onBeforeWrite,
+          callCluster: callWithInternalUser
+        });
+
+        return new SecureSavedObjectsClient({
+          repository,
+          errors: savedObjects.SavedObjectsClient.errors,
+          hasPrivileges,
+          auditLogger,
+        });
+      });
     }
 
     getUserProvider(server);
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/saved_objects_client_wrapper.js b/x-pack/plugins/security/server/lib/saved_objects_client/saved_objects_client_wrapper.js
deleted file mode 100644
index 6f02b232210c4e..00000000000000
--- a/x-pack/plugins/security/server/lib/saved_objects_client/saved_objects_client_wrapper.js
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-
-import { SecureSavedObjectsClient } from './secure_saved_objects_client';
-
-export function secureSavedObjectsClientWrapper(baseClient, options) {
-  return new SecureSavedObjectsClient({
-    baseClient,
-    ...options
-  });
-}
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js
deleted file mode 100644
index 9eba7621bf5d8d..00000000000000
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-
-export function secureSavedObjectsClientOptionsBuilder(server, hasPrivilegesWithRequest, options) {
-  const adminCluster = server.plugins.elasticsearch.getCluster('admin');
-  const { callWithInternalUser } = adminCluster;
-  const auditLogger = server.plugins.security.auditLogger;
-
-  return {
-    ...options,
-    callCluster: callWithInternalUser,
-    hasPrivilegesWithRequest,
-    auditLogger
-  };
-}
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index 0a2f9490c16649..65e2d5890fea7a 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -9,16 +9,15 @@ import { get, uniq } from 'lodash';
 export class SecureSavedObjectsClient {
   constructor(options) {
     const {
-      request,
-      hasPrivilegesWithRequest,
-      baseClient,
+      errors,
+      repository,
+      hasPrivileges,
       auditLogger,
     } = options;
 
-    this.errors = baseClient.errors;
-
-    this._client = baseClient;
-    this._hasPrivileges = hasPrivilegesWithRequest(request);
+    this.errors = errors;
+    this._repository = repository;
+    this._hasPrivileges = hasPrivileges;
     this._auditLogger = auditLogger;
   }
 
@@ -29,7 +28,7 @@ export class SecureSavedObjectsClient {
       options,
     });
 
-    return await this._client.create(type, attributes, options);
+    return await this._repository.create(type, attributes, options);
   }
 
   async bulkCreate(objects, options = {}) {
@@ -39,7 +38,7 @@ export class SecureSavedObjectsClient {
       options,
     });
 
-    return await this._client.bulkCreate(objects, options);
+    return await this._repository.bulkCreate(objects, options);
   }
 
   async delete(type, id) {
@@ -48,7 +47,7 @@ export class SecureSavedObjectsClient {
       id,
     });
 
-    return await this._client.delete(type, id);
+    return await this._repository.delete(type, id);
   }
 
   async find(options = {}) {
@@ -56,7 +55,7 @@ export class SecureSavedObjectsClient {
       options,
     });
 
-    return await this._client.find(options);
+    return await this._repository.find(options);
   }
 
   async bulkGet(objects = []) {
@@ -65,7 +64,7 @@ export class SecureSavedObjectsClient {
       objects,
     });
 
-    return await this._client.bulkGet(objects);
+    return await this._repository.bulkGet(objects);
   }
 
   async get(type, id) {
@@ -74,7 +73,7 @@ export class SecureSavedObjectsClient {
       id,
     });
 
-    return await this._client.get(type, id);
+    return await this._repository.get(type, id);
   }
 
   async update(type, id, attributes, options = {}) {
@@ -85,7 +84,7 @@ export class SecureSavedObjectsClient {
       options,
     });
 
-    return await this._client.update(type, id, attributes, options);
+    return await this._repository.update(type, id, attributes, options);
   }
 
   async _performAuthorizationCheck(typeOrTypes, action, args) {
@@ -97,7 +96,7 @@ export class SecureSavedObjectsClient {
       result = await this._hasPrivileges(actions);
     } catch(error) {
       const { reason } = get(error, 'body.error', {});
-      throw this._client.errors.decorateGeneralError(error, reason);
+      throw this.errors.decorateGeneralError(error, reason);
     }
 
     if (result.success) {
@@ -105,7 +104,7 @@ export class SecureSavedObjectsClient {
     } else {
       this._auditLogger.savedObjectsAuthorizationFailure(result.username, action, types, result.missing, args);
       const msg = `Unable to ${action} ${types.sort().join(',')}, missing ${result.missing.sort().join(',')}`;
-      throw this._client.errors.decorateForbiddenError(new Error(msg));
+      throw this.errors.decorateForbiddenError(new Error(msg));
     }
   }
 }

From 99d70b91bcfb03cd27cfc067668a2d714804fabc Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Wed, 6 Jun 2018 14:18:58 -0400
Subject: [PATCH 025/183] Removing some white-space differences

---
 src/core_plugins/kibana/index.js | 2 +-
 src/server/config/config.js      | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/core_plugins/kibana/index.js b/src/core_plugins/kibana/index.js
index 334f8dd25611c0..622373089f38ea 100644
--- a/src/core_plugins/kibana/index.js
+++ b/src/core_plugins/kibana/index.js
@@ -50,7 +50,7 @@ export default function (kibana) {
       return Joi.object({
         enabled: Joi.boolean().default(true),
         defaultAppId: Joi.string().default('home'),
-        index: Joi.string().default('.kibana'),
+        index: Joi.string().default('.kibana')
       }).default();
     },
 
diff --git a/src/server/config/config.js b/src/server/config/config.js
index b9793176d3dc36..977028649d464c 100644
--- a/src/server/config/config.js
+++ b/src/server/config/config.js
@@ -159,7 +159,6 @@ export class Config {
       path = path || [];
       // Catch the partial paths
       if (path.join('.') === key) return true;
-
       // Only go deep on inner objects with children
       if (_.size(schema._inner.children)) {
         for (let i = 0; i < schema._inner.children.length; i++) {
@@ -206,6 +205,4 @@ export class Config {
 
     return this[schema];
   }
-
-
 }

From db18d1e7c5ff05f900e8cde93b84c0e2cd04960d Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Wed, 6 Jun 2018 14:19:36 -0400
Subject: [PATCH 026/183] Deleting files that got left behind in a merge

---
 .../client/lib/client_provider.js             | 31 ----------
 .../client/lib/prioritized_collection.js      | 40 -------------
 .../client/lib/prioritized_collection.test.js | 57 -------------------
 3 files changed, 128 deletions(-)
 delete mode 100644 src/server/saved_objects/client/lib/client_provider.js
 delete mode 100644 src/server/saved_objects/client/lib/prioritized_collection.js
 delete mode 100644 src/server/saved_objects/client/lib/prioritized_collection.test.js

diff --git a/src/server/saved_objects/client/lib/client_provider.js b/src/server/saved_objects/client/lib/client_provider.js
deleted file mode 100644
index a0e510a75fb756..00000000000000
--- a/src/server/saved_objects/client/lib/client_provider.js
+++ /dev/null
@@ -1,31 +0,0 @@
-import { PrioritizedCollection } from './prioritized_collection';
-
-/**
- * Provider for the Saved Object Client.
- */
-class ClientProvider {
-  constructor() {
-    this._optionBuilders = new PrioritizedCollection('optionBuilders');
-    this._wrappers = new PrioritizedCollection('savedObjectClientWrappers');
-  }
-
-  addClientOptionBuilder(builder, priority) {
-    this._optionBuilders.add(builder, priority);
-  }
-
-  addClientWrapper(wrapper, priority) {
-    this._wrappers.add(wrapper, priority);
-  }
-
-  createSavedObjectsClient(baseClientFactory, options) {
-    const orderedBuilders = this._optionBuilders.toArray();
-    const clientOptions = orderedBuilders.reduce((acc, builder) => builder(acc), options);
-
-    const baseClient = baseClientFactory(clientOptions);
-
-    const orderedWrappers = this._wrappers.toArray();
-    return orderedWrappers.reduce((client, wrapper) => wrapper(client, clientOptions), baseClient);
-  }
-}
-
-export const SavedObjectsClientProvider = new ClientProvider();
diff --git a/src/server/saved_objects/client/lib/prioritized_collection.js b/src/server/saved_objects/client/lib/prioritized_collection.js
deleted file mode 100644
index e958ac678a120e..00000000000000
--- a/src/server/saved_objects/client/lib/prioritized_collection.js
+++ /dev/null
@@ -1,40 +0,0 @@
-/**
- * A simple collection of entities that can be prioritized.
- */
-export class PrioritizedCollection {
-  constructor(name) {
-    this._name = name;
-    this._entities = {};
-  }
-
-  /**
-   * Add an entity to this collection.
-   *
-   * @param {*} entity the entity to store
-   * @param {number} priority optionally specify a priority. Omit to use the next available priority.
-   */
-  add(entity, priority = this._getNextPriority()) {
-    if (this._entities.hasOwnProperty(priority)) {
-      throw new Error(`${this._name} already has an entry with priority ${priority}. Please choose a different priority.`);
-    }
-    if (typeof priority !== 'number') {
-      throw new Error(`Priority for ${this._name} must be a number.`);
-    }
-
-    this._entities[priority] = entity;
-  }
-
-  /**
-   * Returns an array of all entities, in priority order.
-   */
-  toArray() {
-    return Object
-      .keys(this._entities)
-      .sort((priority1, priority2) => priority1 - priority2)
-      .map(key => this._entities[key]);
-  }
-
-  _getNextPriority() {
-    return Math.max(0, ...Object.keys(this._entities)) + 1;
-  }
-}
diff --git a/src/server/saved_objects/client/lib/prioritized_collection.test.js b/src/server/saved_objects/client/lib/prioritized_collection.test.js
deleted file mode 100644
index 56583403f34c2b..00000000000000
--- a/src/server/saved_objects/client/lib/prioritized_collection.test.js
+++ /dev/null
@@ -1,57 +0,0 @@
-import { PrioritizedCollection } from './prioritized_collection';
-
-describe('PrioritizedCollection', () => {
-  it('should add a single entry with a default priority', () => {
-    const collection = new PrioritizedCollection('unit test');
-    const entity = {};
-    collection.add(entity);
-
-    const result = collection.toArray();
-    expect(result).to.equal([entity]);
-  });
-
-  it('should prioritize entities in the order in which they are added', () => {
-    const collection = new PrioritizedCollection('unit test');
-    const entity1 = {};
-    const entity2 = {};
-
-    collection.add(entity1);
-    collection.add(entity2);
-
-    const result = collection.toArray();
-    expect(result).to.equal([entity1, entity2]);
-  });
-
-  it('should honor the provided priority', () => {
-    const collection = new PrioritizedCollection('unit test');
-    const entity1 = {};
-    const entity2 = {};
-
-    collection.add(entity1, 10);
-    collection.add(entity2, 1);
-
-    const result = collection.toArray();
-    expect(result).to.equal([entity2, entity1]);
-  });
-
-  it('should throw an error when a duplicate priority is specified', () => {
-    const collection = new PrioritizedCollection('unit test');
-    const entity1 = {};
-    const entity2 = {};
-
-    collection.add(entity1, 10);
-
-    expect(() => {
-      collection.add(entity2, 10);
-    }).to.throwError(`unit test already has an entry with priority 10. Please choose a different priority.`);
-  });
-
-  it('should throw an error when an invalid priority is specified', () => {
-    const collection = new PrioritizedCollection('unit test');
-    const entity1 = {};
-
-    expect(() => {
-      collection.add(entity1, 'not a number');
-    }).to.throwError(`Priority for unit test must be a number.`);
-  });
-});

From d79305604ac8ae9a01855b8eaaef2b94b9492d50 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Wed, 6 Jun 2018 14:40:05 -0400
Subject: [PATCH 027/183] Adding the RBAC API Integration Tests

---
 x-pack/scripts/functional_tests.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js
index a7804100c52cbd..6d533bb92a8bb2 100644
--- a/x-pack/scripts/functional_tests.js
+++ b/x-pack/scripts/functional_tests.js
@@ -9,4 +9,5 @@ require('@kbn/test').runTestsCli([
   require.resolve('../test/functional/config.js'),
   require.resolve('../test/api_integration/config.js'),
   require.resolve('../test/saml_api_integration/config.js'),
+  require.resolve('../test/rbac_api_integration/config.js'),,
 ]);

From 7f2c9b07f3f7635c13e8d23e30726408b9d61e48 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Thu, 7 Jun 2018 08:08:57 -0400
Subject: [PATCH 028/183] SavedObjectClient.find filtering (#19708)

* Adding ability to specify filters when calling the repository

* Implementing find filtering

* Revert "Adding ability to specify filters when calling the repository"

This reverts commit 9da30a15dbe2ce73e7e4fee6d2565b3bbc32b884.

* Adding integration tests for find filtering

* Adding forbidden auth logging

* Adding asserts to make sure some audit log isn't used

* Adding more audit log specific tests

* Necessarly is not a work, unfortunately

* Fixing test

* More descriptive name than "result"

* Better unauthorized find message?

* Adding getTypes tests
---
 .../saved_objects/service/lib/repository.js   |   6 +-
 .../service/lib/repository.test.js            |  77 ++
 .../secure_saved_objects_client.js            |  59 +-
 .../secure_saved_objects_client.test.js       | 898 ++++++++++++++++++
 .../apis/saved_objects/find.js                | 104 +-
 x-pack/test/rbac_api_integration/config.js    |   7 +-
 .../saved_objects/basic/data.json.gz          | Bin 0 -> 1837 bytes
 .../saved_objects/basic/mappings.json         | 283 ++++++
 8 files changed, 1405 insertions(+), 29 deletions(-)
 create mode 100644 x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
 create mode 100644 x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/data.json.gz
 create mode 100644 x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json

diff --git a/src/server/saved_objects/service/lib/repository.js b/src/server/saved_objects/service/lib/repository.js
index 6f3b4fffb21586..b7675adb5239af 100644
--- a/src/server/saved_objects/service/lib/repository.js
+++ b/src/server/saved_objects/service/lib/repository.js
@@ -19,7 +19,7 @@
 
 import uuid from 'uuid';
 
-import { getRootType } from '../../../mappings';
+import { getRootType, getRootPropertiesObjects } from '../../../mappings';
 import { getSearchDsl } from './search_dsl';
 import { trimIdPrefix } from './trim_id_prefix';
 import { includedFields } from './included_fields';
@@ -406,6 +406,10 @@ export class SavedObjectsRepository {
     };
   }
 
+  getTypes() {
+    return Object.keys(getRootPropertiesObjects(this._mappings));
+  }
+
   async _writeToCluster(method, params) {
     try {
       await this._onBeforeWrite();
diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
index a02bfb9abb6194..d3e66c0554e438 100644
--- a/src/server/saved_objects/service/lib/repository.test.js
+++ b/src/server/saved_objects/service/lib/repository.test.js
@@ -632,6 +632,83 @@ describe('SavedObjectsRepository', () => {
     });
   });
 
+  describe('#getTypes', () => {
+    it(`returns no types if mappings have no types`, () => {
+      const mappings = {
+        doc: {
+          properties: {
+            'updated_at': {
+              type: 'date'
+            },
+          }
+        }
+      };
+
+      savedObjectsRepository = new SavedObjectsRepository({
+        index: '.kibana-test',
+        mappings,
+        callCluster: callAdminCluster,
+        onBeforeWrite
+      });
+
+      const types = savedObjectsRepository.getTypes();
+      expect(types).toEqual([]);
+    });
+
+    it(`returns single type defined in mappings`, () => {
+      const mappings = {
+        doc: {
+          properties: {
+            'updated_at': {
+              type: 'date'
+            },
+            'index-pattern': {
+              properties: {}
+            }
+          }
+        }
+      };
+
+      savedObjectsRepository = new SavedObjectsRepository({
+        index: '.kibana-test',
+        mappings,
+        callCluster: callAdminCluster,
+        onBeforeWrite
+      });
+
+      const types = savedObjectsRepository.getTypes();
+      expect(types).toEqual(['index-pattern']);
+    });
+
+    it(`returns multiple types defined in mappings`, () => {
+      const mappings = {
+        doc: {
+          properties: {
+            'updated_at': {
+              type: 'date'
+            },
+            'index-pattern': {
+              properties: {}
+            },
+            'visualization': {
+              properties: {}
+            },
+          }
+        }
+      };
+
+      savedObjectsRepository = new SavedObjectsRepository({
+        index: '.kibana-test',
+        mappings,
+        callCluster: callAdminCluster,
+        onBeforeWrite
+      });
+
+      const types = savedObjectsRepository.getTypes();
+      expect(types).toEqual(['index-pattern', 'visualization']);
+    });
+  });
+
   describe('onBeforeWrite', () => {
     it('blocks calls to callCluster of requests', async () => {
       onBeforeWrite.returns(delay(500));
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index 65e2d5890fea7a..53d8dadeb180b0 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -6,6 +6,10 @@
 
 import { get, uniq } from 'lodash';
 
+const getPrivilege = (type, action) => {
+  return `action:saved_objects/${type}/${action}`;
+};
+
 export class SecureSavedObjectsClient {
   constructor(options) {
     const {
@@ -51,11 +55,38 @@ export class SecureSavedObjectsClient {
   }
 
   async find(options = {}) {
-    await this._performAuthorizationCheck(options.type, 'find', {
-      options,
-    });
+    const action = 'find';
 
-    return await this._repository.find(options);
+    // when we have the type or types, it makes our life easy
+    if (options.type) {
+      await this._performAuthorizationCheck(options.type, action, { options });
+      return await this._repository.find(options);
+    }
+
+    // otherwise, we have to filter for only their authorized types
+    const types = this._repository.getTypes();
+    const typesToPrivilegesMap = new Map(types.map(type => [type, getPrivilege(type, action)]));
+    const hasPrivilegesResult = await this._hasSavedObjectPrivileges(Array.from(typesToPrivilegesMap.values()));
+    const authorizedTypes = Array.from(typesToPrivilegesMap.entries())
+      .filter(([ , privilege]) => !hasPrivilegesResult.missing.includes(privilege))
+      .map(([type]) => type);
+
+    if (authorizedTypes.length === 0) {
+      this._auditLogger.savedObjectsAuthorizationFailure(
+        hasPrivilegesResult.username,
+        action,
+        types,
+        hasPrivilegesResult.missing,
+        { options }
+      );
+      throw this.errors.decorateForbiddenError(new Error(`Not authorized to find saved_object`));
+    }
+    this._auditLogger.savedObjectsAuthorizationSuccess(hasPrivilegesResult.username, action, authorizedTypes, { options });
+
+    return await this._repository.find({
+      ...options,
+      type: authorizedTypes
+    });
   }
 
   async bulkGet(objects = []) {
@@ -89,15 +120,8 @@ export class SecureSavedObjectsClient {
 
   async _performAuthorizationCheck(typeOrTypes, action, args) {
     const types = Array.isArray(typeOrTypes) ? typeOrTypes : [typeOrTypes];
-    const actions = types.map(type => `action:saved_objects/${type}/${action}`);
-
-    let result;
-    try {
-      result = await this._hasPrivileges(actions);
-    } catch(error) {
-      const { reason } = get(error, 'body.error', {});
-      throw this.errors.decorateGeneralError(error, reason);
-    }
+    const privileges = types.map(type => getPrivilege(type, action));
+    const result = await this._hasSavedObjectPrivileges(privileges);
 
     if (result.success) {
       this._auditLogger.savedObjectsAuthorizationSuccess(result.username, action, types, args);
@@ -107,4 +131,13 @@ export class SecureSavedObjectsClient {
       throw this.errors.decorateForbiddenError(new Error(msg));
     }
   }
+
+  async _hasSavedObjectPrivileges(privileges) {
+    try {
+      return await this._hasPrivileges(privileges);
+    } catch(error) {
+      const { reason } = get(error, 'body.error', {});
+      throw this.errors.decorateGeneralError(error, reason);
+    }
+  }
 }
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
new file mode 100644
index 00000000000000..036ed7a5e0c3af
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
@@ -0,0 +1,898 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SecureSavedObjectsClient } from './secure_saved_objects_client';
+
+const createMockErrors = () => {
+  const forbiddenError = new Error('Mock ForbiddenError');
+  const generalError = new Error('Mock GeneralError');
+
+  return {
+    forbiddenError,
+    decorateForbiddenError: jest.fn().mockReturnValue(forbiddenError),
+    generalError,
+    decorateGeneralError: jest.fn().mockReturnValue(generalError)
+  };
+};
+
+const createMockAuditLogger = () => {
+  return {
+    savedObjectsAuthorizationFailure: jest.fn(),
+    savedObjectsAuthorizationSuccess: jest.fn(),
+  };
+};
+
+describe('#errors', () => {
+  test(`assigns errors from constructor to .errors`, () => {
+    const errors = Symbol();
+
+    const client = new SecureSavedObjectsClient({ errors });
+
+    expect(client.errors).toBe(errors);
+  });
+});
+
+describe('#create', () => {
+  test(`throws decorated ForbiddenError when user doesn't have privileges`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      success: false,
+      missing: [
+        `action:saved_objects/${type}/create`
+      ],
+      username
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+    const attributes = Symbol();
+    const options = Symbol();
+
+    await expect(client.create(type, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/create`]);
+    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+      username,
+      'create',
+      [type],
+      [`action:saved_objects/${type}/create`],
+      {
+        type,
+        attributes,
+        options,
+      }
+    );
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+
+    await expect(client.create(type)).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/create`]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`calls and returns result of repository.create`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      create: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      success: true,
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      repository: mockRepository,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+    const attributes = Symbol();
+    const options = Symbol();
+
+    const result = await client.create(type, attributes, options);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.create).toHaveBeenCalledWith(type, attributes, options);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'create', [type], {
+      type,
+      attributes,
+      options,
+    });
+  });
+});
+
+describe('#bulkCreate', () => {
+  test(`throws decorated ForbiddenError when user doesn't have privileges`, async () => {
+    const type1 = 'foo';
+    const type2 = 'bar';
+    const username = Symbol();
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      success: false,
+      missing: [
+        `action:saved_objects/${type1}/bulk_create`
+      ],
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+    const objects = [
+      { type: type1 },
+      { type: type1 },
+      { type: type2 },
+    ];
+    const options = Symbol();
+
+    await expect(client.bulkCreate(objects, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([
+      `action:saved_objects/${type1}/bulk_create`,
+      `action:saved_objects/${type2}/bulk_create`
+    ]);
+    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+      username,
+      'bulk_create',
+      [type2, type1],
+      [`action:saved_objects/${type1}/bulk_create`],
+      {
+        objects,
+        options,
+      }
+    );
+  });
+
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+
+    await expect(client.bulkCreate([{ type }])).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/bulk_create`]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`calls and returns result of repository.bulkCreate`, async () => {
+    const username = Symbol();
+    const type1 = 'foo';
+    const type2 = 'bar';
+    const returnValue = Symbol();
+    const mockRepository = {
+      bulkCreate: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      success: true,
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      repository: mockRepository,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+    const objects = [
+      { type: type1, otherThing: 'sup' },
+      { type: type2, otherThing: 'everyone' },
+    ];
+    const options = Symbol();
+
+    const result = await client.bulkCreate(objects, options);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.bulkCreate).toHaveBeenCalledWith(objects, options);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_create', [type1, type2], {
+      objects,
+      options,
+    });
+  });
+});
+
+describe('#delete', () => {
+  test(`throws decorated ForbiddenError when user doesn't have privileges`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      success: false,
+      missing: [
+        `action:saved_objects/${type}/delete`
+      ],
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+    const id = Symbol();
+
+    await expect(client.delete(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/delete`]);
+    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+      username,
+      'delete',
+      [type],
+      [`action:saved_objects/${type}/delete`],
+      {
+        type,
+        id,
+      }
+    );
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+
+    await expect(client.delete(type)).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/delete`]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`calls and returns result of repository.delete`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      delete: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      success: true,
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      repository: mockRepository,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+    const id = Symbol();
+
+    const result = await client.delete(type, id);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.delete).toHaveBeenCalledWith(type, id);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'delete', [type], {
+      type,
+      id,
+    });
+  });
+});
+
+describe('#find', () => {
+  describe('type', () => {
+    test(`throws decorated ForbiddenError when type is sinuglar and user isn't authorized`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const mockRepository = {};
+      const mockErrors = createMockErrors();
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+        success: false,
+        missing: [
+          `action:saved_objects/${type}/find`
+        ],
+        username,
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        repository: mockRepository,
+        hasPrivileges: mockHasPrivileges,
+        auditLogger: mockAuditLogger,
+      });
+      const options = { type };
+
+      await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'find',
+        [type],
+        [`action:saved_objects/${type}/find`],
+        {
+          options
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when type is an array and user isn't authorized for one type`, async () => {
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const username = Symbol();
+      const mockRepository = {};
+      const mockErrors = createMockErrors();
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+        success: false,
+        missing: [
+          `action:saved_objects/${type1}/find`
+        ],
+        username,
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        repository: mockRepository,
+        hasPrivileges: mockHasPrivileges,
+        auditLogger: mockAuditLogger,
+      });
+      const options = { type: [ type1, type2 ] };
+
+      await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'find',
+        [type2, type1],
+        [`action:saved_objects/${type1}/find`],
+        {
+          options
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when type is an array and user isn't authorized for either type`, async () => {
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const username = Symbol();
+      const mockRepository = {};
+      const mockErrors = createMockErrors();
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+        success: false,
+        missing: [
+          `action:saved_objects/${type1}/find`,
+          `action:saved_objects/${type2}/find`
+        ],
+        username,
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        repository: mockRepository,
+        hasPrivileges: mockHasPrivileges,
+        auditLogger: mockAuditLogger,
+      });
+      const options = { type: [ type1, type2 ] };
+
+      await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'find',
+        [type2, type1],
+        [`action:saved_objects/${type2}/find`, `action:saved_objects/${type1}/find`],
+        {
+          options
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+        throw new Error();
+      });
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        hasPrivileges: mockHasPrivileges,
+        auditLogger: mockAuditLogger,
+      });
+
+      await expect(client.find({ type })).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`calls and returns result of repository.find`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockRepository = {
+        find: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+        success: true,
+        username,
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        repository: mockRepository,
+        hasPrivileges: mockHasPrivileges,
+        auditLogger: mockAuditLogger,
+      });
+      const options = { type };
+
+      const result = await client.find(options);
+
+      expect(result).toBe(returnValue);
+      expect(mockRepository.find).toHaveBeenCalledWith({ type });
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'find', [type], {
+        options,
+      });
+    });
+  });
+
+  describe('no type', () => {
+    test(`throws decorated ForbiddenError when user has no authorized types`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const mockRepository = {
+        getTypes: jest.fn().mockReturnValue([type])
+      };
+      const mockErrors = createMockErrors();
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+        success: false,
+        missing: [
+          `action:saved_objects/${type}/find`
+        ],
+        username,
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        repository: mockRepository,
+        hasPrivileges: mockHasPrivileges,
+        auditLogger: mockAuditLogger,
+      });
+      const options = Symbol();
+
+      await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'find',
+        [type],
+        [`action:saved_objects/${type}/find`],
+        {
+          options
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const mockRepository = {
+        getTypes: jest.fn().mockReturnValue([type1, type2])
+      };
+      const mockErrors = createMockErrors();
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+        throw new Error();
+      });
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        repository: mockRepository,
+        hasPrivileges: mockHasPrivileges,
+        auditLogger: mockAuditLogger,
+      });
+
+      await expect(client.find()).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`specifies authorized types when calling repository.find()`, async () => {
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const mockRepository = {
+        getTypes: jest.fn().mockReturnValue([type1, type2]),
+        find: jest.fn(),
+      };
+      const mockErrors = createMockErrors();
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+        success: false,
+        missing: [
+          `action:saved_objects/${type1}/find`
+        ]
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        repository: mockRepository,
+        hasPrivileges: mockHasPrivileges,
+        auditLogger: mockAuditLogger,
+      });
+
+      await client.find();
+
+      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
+      expect(mockRepository.find).toHaveBeenCalledWith(expect.objectContaining({
+        type: [type2]
+      }));
+    });
+
+    test(`calls and returns result of repository.find`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockRepository = {
+        getTypes: jest.fn().mockReturnValue([type]),
+        find: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+        success: true,
+        missing: [],
+        username,
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        repository: mockRepository,
+        hasPrivileges: mockHasPrivileges,
+        auditLogger: mockAuditLogger,
+      });
+      const options = Symbol();
+
+      const result = await client.find(options);
+
+      expect(result).toBe(returnValue);
+      expect(mockRepository.find).toHaveBeenCalledWith({ type: [type] });
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'find', [type], {
+        options,
+      });
+    });
+  });
+});
+
+describe('#bulkGet', () => {
+  test(`throws decorated ForbiddenError when user doesn't have privileges`, async () => {
+    const type1 = 'foo';
+    const type2 = 'bar';
+    const username = Symbol();
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      success: false,
+      missing: [
+        `action:saved_objects/${type1}/bulk_get`
+      ],
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+    const objects = [
+      { type: type1 },
+      { type: type1 },
+      { type: type2 },
+    ];
+
+    await expect(client.bulkGet(objects)).rejects.toThrowError(mockErrors.forbiddenError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/bulk_get`, `action:saved_objects/${type2}/bulk_get`]);
+    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+      username,
+      'bulk_get',
+      [type2, type1],
+      [`action:saved_objects/${type1}/bulk_get`],
+      {
+        objects
+      }
+    );
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+
+    await expect(client.bulkGet([{ type }])).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith(['action:saved_objects/foo/bulk_get']);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`calls and returns result of repository.bulkGet`, async () => {
+    const type1 = 'foo';
+    const type2 = 'bar';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      bulkGet: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      success: true,
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      repository: mockRepository,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+    const objects = [
+      { type: type1, id: 'foo-id' },
+      { type: type2, id: 'bar-id' },
+    ];
+
+    const result = await client.bulkGet(objects);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_get', [type1, type2], {
+      objects,
+    });
+  });
+});
+
+describe('#get', () => {
+  test(`throws decorated ForbiddenError when user doesn't have privileges`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      success: false,
+      missing: [
+        `action:saved_objects/${type}/get`
+      ],
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+    const id = Symbol();
+
+    await expect(client.get(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/get`]);
+    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+      username,
+      'get',
+      [type],
+      [`action:saved_objects/${type}/get`],
+      {
+        type,
+        id,
+      }
+    );
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+
+    await expect(client.get(type)).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/get`]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`calls and returns result of repository.get`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      get: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      success: true,
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      repository: mockRepository,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+    const id = Symbol();
+
+    const result = await client.get(type, id);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.get).toHaveBeenCalledWith(type, id);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'get', [type], {
+      type,
+      id,
+    });
+  });
+});
+
+describe('#update', () => {
+  test(`throws decorated ForbiddenError when user doesn't have privileges`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      success: false,
+      missing: [
+        'action:saved_objects/foo/update'
+      ],
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+    const id = Symbol();
+    const attributes = Symbol();
+    const options = Symbol();
+
+    await expect(client.update(type, id, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/update`]);
+    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+      username,
+      'update',
+      [type],
+      [`action:saved_objects/${type}/update`],
+      {
+        type,
+        id,
+        attributes,
+        options,
+      }
+    );
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+
+    await expect(client.update(type)).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/update`]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`calls and returns result of repository.update`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      update: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      success: true,
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      repository: mockRepository,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+    const id = Symbol();
+    const attributes = Symbol();
+    const options = Symbol();
+
+    const result = await client.update(type, id, attributes, options);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.update).toHaveBeenCalledWith(type, id, attributes, options);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'update', [type], {
+      type,
+      id,
+      attributes,
+      options,
+    });
+  });
+});
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
index 72a3fa2ec2bfce..e00dd1aa907155 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
@@ -13,7 +13,7 @@ export default function ({ getService }) {
 
   describe('find', () => {
 
-    const expectResults = (resp) => {
+    const expectVisualizationResults = (resp) => {
       expect(resp.body).to.eql({
         page: 1,
         per_page: 20,
@@ -31,6 +31,44 @@ export default function ({ getService }) {
       });
     };
 
+    const expectAllResults = (resp) => {
+      expect(resp.body).to.eql({
+        page: 1,
+        per_page: 20,
+        total: 4,
+        saved_objects: [
+          {
+            id: '91200a00-9efd-11e7-acb3-3dab96693fab',
+            type: 'index-pattern',
+            updated_at: '2017-09-21T18:49:16.270Z',
+            version: 1,
+            attributes: resp.body.saved_objects[0].attributes
+          },
+          {
+            id: '7.0.0-alpha1',
+            type: 'config',
+            updated_at: '2017-09-21T18:49:16.302Z',
+            version: 1,
+            attributes: resp.body.saved_objects[1].attributes
+          },
+          {
+            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+            type: 'visualization',
+            updated_at: '2017-09-21T18:51:23.794Z',
+            version: 1,
+            attributes: resp.body.saved_objects[2].attributes
+          },
+          {
+            id: 'be3733a0-9efe-11e7-acb3-3dab96693fab',
+            type: 'dashboard',
+            updated_at: '2017-09-21T18:57:40.826Z',
+            version: 1,
+            attributes: resp.body.saved_objects[3].attributes
+          },
+        ]
+      });
+    };
+
     const createExpectEmpty = (page, perPage, total) => (resp) => {
       expect(resp.body).to.eql({
         page: page,
@@ -40,7 +78,7 @@ export default function ({ getService }) {
       });
     };
 
-    const createExpectForbidden = (canLogin, type) => resp => {
+    const createExpectActionForbidden = (canLogin, type) => resp => {
       expect(resp.body).to.eql({
         statusCode: 403,
         error: 'Forbidden',
@@ -48,6 +86,14 @@ export default function ({ getService }) {
       });
     };
 
+    const expectForbiddenCantFindAnyTypes = resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Not authorized to find saved_object`
+      });
+    };
+
     const findTest = (description, { auth, tests }) => {
       describe(description, () => {
         before(() => esArchiver.load('saved_objects/basic'));
@@ -90,6 +136,16 @@ export default function ({ getService }) {
               .then(tests.unknownSearchField.response)
           ));
         });
+
+        describe('no type', () => {
+          it(`should return ${tests.noType.statusCode} with ${tests.noType.description}`, async () => (
+            await supertest
+              .get('/api/saved_objects/_find')
+              .auth(auth.username, auth.password)
+              .expect(tests.noType.statusCode)
+              .then(tests.noType.response)
+          ));
+        });
       });
     };
 
@@ -102,23 +158,28 @@ export default function ({ getService }) {
         normal: {
           description: 'forbidden login and find visualization message',
           statusCode: 403,
-          response: createExpectForbidden(false, 'visualization'),
+          response: createExpectActionForbidden(false, 'visualization'),
         },
         unknownType: {
           description: 'forbidden login and find wigwags message',
           statusCode: 403,
-          response: createExpectForbidden(false, 'wigwags'),
+          response: createExpectActionForbidden(false, 'wigwags'),
         },
         pageBeyondTotal: {
           description: 'forbidden login and find visualization message',
           statusCode: 403,
-          response: createExpectForbidden(false, 'visualization'),
+          response: createExpectActionForbidden(false, 'visualization'),
         },
         unknownSearchField: {
           description: 'forbidden login and find wigwags message',
           statusCode: 403,
-          response: createExpectForbidden(false, 'wigwags'),
+          response: createExpectActionForbidden(false, 'wigwags'),
         },
+        noType: {
+          description: `forbidded can't find any types`,
+          statusCode: 403,
+          response: expectForbiddenCantFindAnyTypes,
+        }
       }
     });
 
@@ -129,9 +190,9 @@ export default function ({ getService }) {
       },
       tests: {
         normal: {
-          description: 'individual responses',
+          description: 'only the visualization',
           statusCode: 200,
-          response: expectResults,
+          response: expectVisualizationResults,
         },
         unknownType: {
           description: 'empty result',
@@ -148,6 +209,11 @@ export default function ({ getService }) {
           statusCode: 200,
           response: createExpectEmpty(1, 20, 0),
         },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectAllResults,
+        },
       },
     });
 
@@ -158,9 +224,9 @@ export default function ({ getService }) {
       },
       tests: {
         normal: {
-          description: 'individual responses',
+          description: 'only the visualization',
           statusCode: 200,
-          response: expectResults,
+          response: expectVisualizationResults,
         },
         unknownType: {
           description: 'empty result',
@@ -177,6 +243,11 @@ export default function ({ getService }) {
           statusCode: 200,
           response: createExpectEmpty(1, 20, 0),
         },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectAllResults,
+        },
       },
     });
 
@@ -187,14 +258,14 @@ export default function ({ getService }) {
       },
       tests: {
         normal: {
-          description: 'individual responses',
+          description: 'only the visualization',
           statusCode: 200,
-          response: expectResults,
+          response: expectVisualizationResults,
         },
         unknownType: {
           description: 'forbidden find wigwags message',
           statusCode: 403,
-          response: createExpectForbidden(true, 'wigwags'),
+          response: createExpectActionForbidden(true, 'wigwags'),
         },
         pageBeyondTotal: {
           description: 'empty result',
@@ -204,7 +275,12 @@ export default function ({ getService }) {
         unknownSearchField: {
           description: 'forbidden find wigwags message',
           statusCode: 403,
-          response: createExpectForbidden(true, 'wigwags'),
+          response: createExpectActionForbidden(true, 'wigwags'),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectAllResults,
         },
       }
     });
diff --git a/x-pack/test/rbac_api_integration/config.js b/x-pack/test/rbac_api_integration/config.js
index 481b14913da919..b9f3f19b0576c9 100644
--- a/x-pack/test/rbac_api_integration/config.js
+++ b/x-pack/test/rbac_api_integration/config.js
@@ -33,8 +33,13 @@ export default async function ({ readConfigFile }) {
       reportName: 'X-Pack RBAC API Integration Tests',
     },
 
+    // The saved_objects/basic archives are almost an exact replica of the ones in OSS
+    // with the exception of a bogus "not-a-visualization" type that I added to make sure
+    // the find filtering without a type specified worked correctly. Once we have the ability
+    // to specify more granular access to the objects via the Kibana privileges, this should
+    // no longer be necessary, and it's only required as long as we do read/all privileges.
     esArchiver: {
-      directory: resolveKibanaPath(path.join('test', 'api_integration', 'fixtures', 'es_archiver'))
+      directory: path.join(__dirname, 'fixtures', 'es_archiver')
     },
 
     esTestCluster: {
diff --git a/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/data.json.gz b/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/data.json.gz
new file mode 100644
index 0000000000000000000000000000000000000000..910382479979df82f1c8d640cf8aba428bbb393f
GIT binary patch
literal 1837
zcmV+|2h#W-iwFP!000026YX1DZ`(E$e$THkytg4XBs+~0J$38Qp+j$If(}>{7_@jK
zaiv6!q;hHC|2~qs$IfkO>SHV~ZFEQ;e*AcDmdLA}!C<H_a~KALAr;|p*9y)EFRbLs
zJeWt8QMj-j#$VZjWW;q^GtPFUR^SGVa-ucJEI9Nho<}@ybO;e0`991>BwS2KQ%V+x
z`}>E}h%D;yN)$3|r|wMB(^+*l%|%X$20AC&cA9wpY~&q|CjPO15bPZW{{DC}^Zsi4
z_tmuX*qNB-ZYnNfrHM*LKR4rCa|*8+aQdF4uG>p1F&)#q+byzPlx_cVbu!FM-;-f*
zGJI*eDiWKA-4nMaCskUqEOxR`6qz<c&-|@I$#SzQ^B57Xz>0v#Fd++W2WnYZ8Hr;F
zG0~N@?ka)M*HWaviSV=CNL9Bjch?~rOLG2%s4D3?P`2qBCQV|6h$0II7eBSh^$}Sg
z*aV(Aqnn{-&1TJ=YvX~VLLslYdsd_ikPn7a3m<39^D?&f5p{(dfK=i@vSTI|+WD{q
z9|s3h@L61HP~XL%zXO<%GeZx%76+^6AB+VqG-Qg243F_NkT4lg3}PG#At}qqiYb}K
zc`jJxfg3<ZO=88wl#(GbIG7kpOfNGvqGGW|gvsL)p%7&>iv|-r*NfN9WwWO)T_3nn
z4i2iFLXqb=%f2ECI1Ub`T}nxqunfim5lJm3j7&+AVhKShq(WZeL8HmoD3oY+%mR|Y
ziJJzEbz4-00y&PDRJxSo1INiaY@4&LJjrpHyMzcNpfUE!&R>a4+jkH|Y8G+`QbAe7
zfX?k(NE|O9Z$O$C3(i!s4Nw(?8r7?V+i_ybqBkJbBu3As!HAei5eMeCzMB@aY4%~_
z=98tUKK|VRa0@sL5@2zn(NkIB+y+L^8Py4XLLE%pd@814j;jj41te}R-Ej=eJUW2L
zIegmhtB<G9z{1U7AvtCO4LrpB>2qe!Sp^}H6fKKgkXyjzHWcP-ux<gfxJ&dN$}M2i
zRvGBYv>>;DOWdVU4<%wYF{g5LdHkOO6sjND4iGMmR4y`w$}dYqm{?Ld2?5df;1Ule
zhBkKwb`=Y%5Q!`%7CJ=qHR(bjaw-F6!#j04tZv{ecj|waJIkG&t0%eN6pAcjaWETu
zV{b%wo)G`;3ryvphumD6dXvu0rD}Zd%F?1>oW3toBR$yLpLMPwQHV&v^_zNW_qv4j
zBRM={svw+wBlg!}K<O+b(d3bL#CkgK$Mg$7m`umB!@UmEeKqUvh`q8VJrL2Ls!UY(
z4wzAJq|KDJqw$lfd^bL^GOF(~#Mrl!<V2Fx8u!(@)>zt;i?%H^lf*(^zGYeKo7SWB
zrJK=q5nM<&{wDw<TP}Coalc%+VfLn)Q)v)3EliF4KD>HV2~n6IPwpjzy&5327UfYU
zm5B4!VH+Sz=lY~Z)#&5~xjp4$+c{YPuU6exWB$uR7ik0E^K9Rm)2rq3)I2(CTwTrQ
zQrs-1iCAwT((9J!^sKIro9>TUooP-5txlN;nG$~2ilxxydTq>%7}xf6NVC7U@L~Rh
z3*B0q-SJZwWF-Uju{NwP?Tk(x++c|fY^6!~wL1G`+=-NPxdn75+ike_%Oz5i7@T?j
z3i=!%`)JSjs}6?-#49F44jrNC0x}o8Tw;&MvwBNcH`uL{P<ku`cUME2WJ2j%h#{k`
zh`Z;H-A$J5cSU>4&XQCsG|%sd{MzopvP@Ce%&jyg$ZXQ;%+)$j!;uOTNJ)K6O0w{p
z+b>;$t<+BLP-~;xJYh<UxIR$W(XSv*>x)g@xZ*CVuDey}$Uh_Hwvs}NGKUvNfBL4|
zHYq<ErYxJA@IJ4zyuVxBKcOb(E{u>?OIn^TyHT=WE=c}y^x=IKC{=!0VympKtueBK
z^U@J`vjxkZw$8gotF0G~L8?;hccf*WIwEI4KP>)+P`?9BdePqI8dsVexs1~RTAkN6
z9NZ_bI+hwAc1C5QzpU0;|9LWW{W!_u!o7&Jc3*^$xu894P%VFCmZn4{3qd3e7BHPn
zr^GE3{&R+I^xZQ%&w@Q~d@$MXWan1J`po=kO+rqXwpX&f``JrQG82{S?RJrpeS^8(
z@crHD!S2}9d6en<rZNY=mrA--L^m+rr`D;;W?m_kE>QcX%<aGw4!r7^B{ebX*f@Su
z!r$s|%e#HV28K_DOd&0`F7EUjkA+qBTC%|r<OBa;VD|6Dz@G$@y<mDU`2F4S$eVfI
z$~}5h!`p#>0xbvbmjfr0;Kd~HXKM#ah$N__4nfyll`@rca%t6mh@#Fwx1)u!D=714
zx21Lvul29*6eAw$;wv#CG5Ltwob-zedR5e~Hmd&Nv!S@~;Od>+9UC&CM`ZL|!#~&X
b&o%sW4gXxjKiBa8uNwYeR=}DNj7b0hF`<E~

literal 0
HcmV?d00001

diff --git a/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json b/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json
new file mode 100644
index 00000000000000..107a45fab187bc
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json
@@ -0,0 +1,283 @@
+{
+  "type": "index",
+  "value": {
+    "index": ".kibana",
+    "settings": {
+      "index": {
+        "number_of_shards": "1",
+        "auto_expand_replicas": "0-1",
+        "number_of_replicas": "0"
+      }
+    },
+    "mappings": {
+      "doc": {
+        "dynamic": "strict",
+        "properties": {
+          "config": {
+            "dynamic": "true",
+            "properties": {
+              "buildNum": {
+                "type": "keyword"
+              },
+              "defaultIndex": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 256
+                  }
+                }
+              }
+            }
+          },
+          "dashboard": {
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "hits": {
+                "type": "integer"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "optionsJSON": {
+                "type": "text"
+              },
+              "panelsJSON": {
+                "type": "text"
+              },
+              "refreshInterval": {
+                "properties": {
+                  "display": {
+                    "type": "keyword"
+                  },
+                  "pause": {
+                    "type": "boolean"
+                  },
+                  "section": {
+                    "type": "integer"
+                  },
+                  "value": {
+                    "type": "integer"
+                  }
+                }
+              },
+              "timeFrom": {
+                "type": "keyword"
+              },
+              "timeRestore": {
+                "type": "boolean"
+              },
+              "timeTo": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              },
+              "uiStateJSON": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              }
+            }
+          },
+          "graph-workspace": {
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "numLinks": {
+                "type": "integer"
+              },
+              "numVertices": {
+                "type": "integer"
+              },
+              "title": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              },
+              "wsState": {
+                "type": "text"
+              }
+            }
+          },
+          "index-pattern": {
+            "properties": {
+              "fieldFormatMap": {
+                "type": "text"
+              },
+              "fields": {
+                "type": "text"
+              },
+              "intervalName": {
+                "type": "keyword"
+              },
+              "notExpandable": {
+                "type": "boolean"
+              },
+              "sourceFilters": {
+                "type": "text"
+              },
+              "timeFieldName": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              }
+            }
+          },
+          "search": {
+            "properties": {
+              "columns": {
+                "type": "keyword"
+              },
+              "description": {
+                "type": "text"
+              },
+              "hits": {
+                "type": "integer"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "sort": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              }
+            }
+          },
+          "server": {
+            "properties": {
+              "uuid": {
+                "type": "keyword"
+              }
+            }
+          },
+          "timelion-sheet": {
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "hits": {
+                "type": "integer"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "timelion_chart_height": {
+                "type": "integer"
+              },
+              "timelion_columns": {
+                "type": "integer"
+              },
+              "timelion_interval": {
+                "type": "keyword"
+              },
+              "timelion_other_interval": {
+                "type": "keyword"
+              },
+              "timelion_rows": {
+                "type": "integer"
+              },
+              "timelion_sheet": {
+                "type": "text"
+              },
+              "title": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              }
+            }
+          },
+          "type": {
+            "type": "keyword"
+          },
+          "updated_at": {
+            "type": "date"
+          },
+          "url": {
+            "properties": {
+              "accessCount": {
+                "type": "long"
+              },
+              "accessDate": {
+                "type": "date"
+              },
+              "createDate": {
+                "type": "date"
+              },
+              "url": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              }
+            }
+          },
+          "visualization": {
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "savedSearchId": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              },
+              "uiStateJSON": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              },
+              "visState": {
+                "type": "text"
+              }
+            }
+          }
+        }
+      }
+    },
+    "aliases": {}
+  }
+}
\ No newline at end of file

From b6093bcf7aa402fb171d8bf11c3df9c353127dc5 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 7 Jun 2018 10:49:22 -0400
Subject: [PATCH 029/183] Trying to isolate cause of rbac test failures

---
 x-pack/scripts/functional_tests.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js
index 6d533bb92a8bb2..e5ebf7603e2406 100644
--- a/x-pack/scripts/functional_tests.js
+++ b/x-pack/scripts/functional_tests.js
@@ -6,8 +6,8 @@
 
 require('@kbn/plugin-helpers').babelRegister();
 require('@kbn/test').runTestsCli([
-  require.resolve('../test/functional/config.js'),
-  require.resolve('../test/api_integration/config.js'),
-  require.resolve('../test/saml_api_integration/config.js'),
-  require.resolve('../test/rbac_api_integration/config.js'),,
+  // require.resolve('../test/functional/config.js'),
+  // require.resolve('../test/api_integration/config.js'),
+  // require.resolve('../test/saml_api_integration/config.js'),
+  require.resolve('../test/rbac_api_integration/config.js'),
 ]);

From 4abf5ed5e399e2040fab08e09ef5837d125a55e0 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 7 Jun 2018 13:55:55 -0400
Subject: [PATCH 030/183] Adding .toLowerCase() to work around capitalization
 issue

---
 x-pack/plugins/security/server/lib/privileges/privileges.js | 3 ++-
 x-pack/scripts/functional_tests.js                          | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/privileges/privileges.js b/x-pack/plugins/security/server/lib/privileges/privileges.js
index e2dc9b2ff7ece3..75db22423928ff 100644
--- a/x-pack/plugins/security/server/lib/privileges/privileges.js
+++ b/x-pack/plugins/security/server/lib/privileges/privileges.js
@@ -8,7 +8,8 @@
  * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
 
 export function getVersionPrivilege(kibanaVersion) {
-  return `version:${kibanaVersion}`;
+  // TODO: Remove the .toLowerCase() once the capitalization with app privileges is fixed
+  return `version:${kibanaVersion.toLowerCase()}`;
 }
 
 export function getLoginPrivilege() {
diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js
index e5ebf7603e2406..dfd9282d37234c 100644
--- a/x-pack/scripts/functional_tests.js
+++ b/x-pack/scripts/functional_tests.js
@@ -6,8 +6,8 @@
 
 require('@kbn/plugin-helpers').babelRegister();
 require('@kbn/test').runTestsCli([
-  // require.resolve('../test/functional/config.js'),
-  // require.resolve('../test/api_integration/config.js'),
-  // require.resolve('../test/saml_api_integration/config.js'),
+  require.resolve('../test/functional/config.js'),
+  require.resolve('../test/api_integration/config.js'),
+  require.resolve('../test/saml_api_integration/config.js'),
   require.resolve('../test/rbac_api_integration/config.js'),
 ]);

From d951a2055e5551b9a2bd6e8deae2eb57286ddd89 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 7 Jun 2018 14:02:17 -0400
Subject: [PATCH 031/183] No longer exposing the auditLogger, we don't need it
 like that right now

---
 x-pack/plugins/security/index.js | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 8d3a74c65391b2..70596f89e4039b 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -102,9 +102,6 @@ export const security = (kibana) => new kibana.Plugin({
       await createDefaultRoles(server);
     });
 
-    const auditLogger = new SecurityAuditLogger(server.config(), new AuditLogger(server, 'security'));
-    server.expose('auditLogger', auditLogger);
-
     // Register a function that is called whenever the xpack info changes,
     // to re-compute the license check results for this plugin
     xpackMainPlugin.info.feature(this.id).registerLicenseCheckResultsGenerator(checkLicense);
@@ -118,6 +115,7 @@ export const security = (kibana) => new kibana.Plugin({
     // automatically assigned to all routes that don't contain an auth config.
     server.auth.strategy('session', 'login', 'required');
 
+    const auditLogger = new SecurityAuditLogger(server.config(), new AuditLogger(server, 'security'));
     if (config.get('xpack.security.rbac.enabled')) {
       const hasPrivilegesWithRequest = hasPrivilegesWithServer(server);
       const { savedObjects } = server;

From 89204258e8175eb30b592ef47a33f5a33efb8f20 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 7 Jun 2018 14:18:16 -0400
Subject: [PATCH 032/183] Removing some unused code

---
 .../security/public/services/application_privilege.js    | 4 +---
 .../security/public/views/management/edit_role.js        | 9 ---------
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/x-pack/plugins/security/public/services/application_privilege.js b/x-pack/plugins/security/public/services/application_privilege.js
index 2b21eb7e63e4bd..57d2871ecbad39 100644
--- a/x-pack/plugins/security/public/services/application_privilege.js
+++ b/x-pack/plugins/security/public/services/application_privilege.js
@@ -13,7 +13,5 @@ import { uiModules } from 'ui/modules';
 const module = uiModules.get('security', ['ngResource']);
 module.service('ApplicationPrivilege', ($resource, chrome) => {
   const baseUrl = chrome.addBasePath('/api/security/v1/privileges');
-  const ShieldPrivilege = $resource(baseUrl);
-
-  return ShieldPrivilege;
+  return $resource(baseUrl);
 });
diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
index ba159bc0c95d9a..ffc1962f449378 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role.js
@@ -208,15 +208,6 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
 
     $scope.toggle = toggle;
     $scope.includes = _.includes;
-    $scope.togglePermission = (role, permission) => {
-      const shouldRemove = $scope.hasPermission(role, permission);
-      const rolePermissions = role.applications || [];
-      if (shouldRemove) {
-        role.applications = rolePermissions.filter(rolePermission => rolePermission.name === permission.name);
-      } else {
-        role.applications = rolePermissions.concat([permission]);
-      }
-    };
 
     $scope.union = _.flow(_.union, _.compact);
   }

From 91d04e4210ce32bb26456d12e5ad144f3a5a7c35 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 7 Jun 2018 14:25:25 -0400
Subject: [PATCH 033/183] Removing defaultSettings from test that doesn't
 utilize them

---
 x-pack/plugins/security/server/lib/audit_logger.test.js | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/audit_logger.test.js b/x-pack/plugins/security/server/lib/audit_logger.test.js
index 51c8698da818d6..2157cf514755b6 100644
--- a/x-pack/plugins/security/server/lib/audit_logger.test.js
+++ b/x-pack/plugins/security/server/lib/audit_logger.test.js
@@ -11,10 +11,8 @@ const createMockConfig = (settings) => {
     get: jest.fn()
   };
 
-  const defaultSettings = {};
-
   mockConfig.get.mockImplementation(key => {
-    return key in settings ? settings[key] : defaultSettings[key];
+    return settings[key];
   });
 
   return mockConfig;

From 430d72cb774beb7dfb885bdd5e4c41fa2ee5e1ed Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 7 Jun 2018 14:40:32 -0400
Subject: [PATCH 034/183] Fixing misspelling

---
 .../__snapshots__/create_default_roles.test.js.snap             | 2 +-
 .../server/lib/authorization/create_default_roles.test.js       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/create_default_roles.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/create_default_roles.test.js.snap
index 9fdbc5479a0225..20c6d549ffb22d 100644
--- a/x-pack/plugins/security/server/lib/authorization/__snapshots__/create_default_roles.test.js.snap
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/create_default_roles.test.js.snap
@@ -4,6 +4,6 @@ exports[`dashboard_only_user throws error when shield.getRole throws non 404 err
 
 exports[`dashboard_only_user throws error when shield.putRole throws error 1`] = `"Some other error"`;
 
-exports[`rbac_user throws error when sheild.getRole throws non 404 error 1`] = `undefined`;
+exports[`rbac_user throws error when shield.getRole throws non 404 error 1`] = `undefined`;
 
 exports[`rbac_user throws error when shield.putRole throws error 1`] = `"Some other error"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/create_default_roles.test.js b/x-pack/plugins/security/server/lib/authorization/create_default_roles.test.js
index 98d95cd6e9fbf5..fba00600397d96 100644
--- a/x-pack/plugins/security/server/lib/authorization/create_default_roles.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/create_default_roles.test.js
@@ -99,7 +99,7 @@ describe(`rbac_user`, () => {
     });
   });
 
-  test(`throws error when sheild.getRole throws non 404 error`, async () => {
+  test(`throws error when shield.getRole throws non 404 error`, async () => {
     const { mockCallWithInternalUser } = mockShieldClient();
     const mockServer = createMockServer();
     mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {

From 7977f00d7d412b2291382e66b59150bdc56f0300 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 7 Jun 2018 14:44:30 -0400
Subject: [PATCH 035/183] Don't need an explicit login privilege when we have
 them all

---
 x-pack/plugins/security/server/lib/privileges/privileges.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security/server/lib/privileges/privileges.js b/x-pack/plugins/security/server/lib/privileges/privileges.js
index 75db22423928ff..8c11014b4ae14f 100644
--- a/x-pack/plugins/security/server/lib/privileges/privileges.js
+++ b/x-pack/plugins/security/server/lib/privileges/privileges.js
@@ -24,7 +24,7 @@ export function buildPrivilegeMap(application, kibanaVersion) {
   privilegeActions.all = {
     application,
     name: 'all',
-    actions: [getVersionPrivilege(kibanaVersion), getLoginPrivilege(), 'action:*'],
+    actions: [getVersionPrivilege(kibanaVersion), 'action:*'],
     metadata: {}
   };
 

From 4b52a1f9cc78c8259770549d8343c0ce42d2c9ae Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 7 Jun 2018 14:59:02 -0400
Subject: [PATCH 036/183] [Spaces] - Reactify roles screen (#19035)

Redesigned Role Management screen using React and EUI
---
 package.json                                  |   4 +-
 .../kbn-ui-framework/dist/ui_framework.css    | 206 -------------
 x-pack/package.json                           |   2 +-
 .../security/public/documentation_links.js    |   5 +-
 .../security/public/lib/__tests__/role.js     |  35 ---
 x-pack/plugins/security/public/lib/role.js    |  11 +-
 .../plugins/security/public/lib/role.test.js  |  59 ++++
 .../plugins/security/public/objects/index.js  |   9 +
 .../security/public/objects/lib/get_fields.js |  14 +
 .../security/public/objects/lib/roles.js      |  16 +
 .../plugins/security/public/objects/role.js   |  13 +
 .../public/services/role_privileges.js        |  42 +++
 .../public/views/management/edit_role.html    | 194 -------------
 .../public/views/management/edit_role.js      | 220 --------------
 .../collapsible_panel.test.js.snap            |  59 ++++
 .../__snapshots__/page_header.test.js.snap    |  15 +
 .../edit_role/components/collapsible_panel.js |  74 +++++
 .../components/collapsible_panel.less         |   4 +
 .../components/collapsible_panel.test.js      |  57 ++++
 .../components/delete_role_button.js          |  78 +++++
 .../components/delete_role_button.test.js     |  41 +++
 .../edit_role/components/edit_role_page.js    | 274 ++++++++++++++++++
 .../management/edit_role/components/index.js  |   7 +
 .../edit_role/components/page_header.js       |  35 +++
 .../edit_role/components/page_header.test.js  |  32 ++
 .../cluster_privileges.test.js.snap           |  92 ++++++
 .../elasticsearch_privileges.test.js.snap     | 160 ++++++++++
 .../index_privilege_form.test.js.snap         | 184 ++++++++++++
 .../index_privileges.test.js.snap             |   3 +
 .../privileges/cluster_privileges.js          |  75 +++++
 .../privileges/cluster_privileges.test.js     |  20 ++
 .../privileges/elasticsearch_privileges.js    | 163 +++++++++++
 .../privileges/elasticsearch_privileges.less  |   3 +
 .../elasticsearch_privileges.test.js          |  72 +++++
 .../edit_role/components/privileges/index.js  |   8 +
 .../privileges/index_privilege_form.js        | 260 +++++++++++++++++
 .../privileges/index_privilege_form.test.js   | 206 +++++++++++++
 .../components/privileges/index_privileges.js | 158 ++++++++++
 .../privileges/index_privileges.test.js       |  54 ++++
 .../privileges/kibana_privileges.js           | 101 +++++++
 .../components/reserved_role_badge.js         |  34 +++
 .../components/reserved_role_badge.test.js    |  32 ++
 .../views/management/edit_role/edit_role.html |   1 +
 .../views/management/edit_role/edit_role.less |  10 +
 .../views/management/edit_role/index.js       | 134 +++++++++
 .../__snapshots__/validate_role.test.js.snap  |   3 +
 .../lib/get_application_privileges.js         |  26 ++
 .../lib/set_application_privileges.js         |  49 ++++
 .../management/edit_role/lib/validate_role.js |  86 ++++++
 .../edit_role/lib/validate_role.test.js       |  94 ++++++
 .../index_privileges_form.html                | 128 --------
 .../index_privileges_form.js                  |  60 ----
 .../index_privileges_form.less                |   7 -
 .../public/views/management/management.js     |   3 +-
 .../public/views/management/management.less   |   1 -
 .../server/lib/check_user_permission.js       |  14 -
 .../server/lib/privileges/privileges.js       |   2 +-
 x-pack/plugins/spaces/common/index.js         |   7 +
 x-pack/plugins/spaces/index.js                |   2 +-
 .../__snapshots__/page_header.test.js.snap    |  16 +-
 .../components/manage_space_page.js           |  28 +-
 .../management/components/page_header.js      |  20 +-
 .../management/components/page_header.test.js |  16 +-
 .../components/reserved_space_badge.js        |  37 +++
 .../components/reserved_space_badge.test.js   |  30 ++
 .../management/components/url_context.js      |   6 +-
 .../views/management/manage_spaces.less       |   4 +-
 x-pack/yarn.lock                              | 112 +++++--
 yarn.lock                                     | 103 +++++--
 69 files changed, 3169 insertions(+), 961 deletions(-)
 delete mode 100644 x-pack/plugins/security/public/lib/__tests__/role.js
 create mode 100644 x-pack/plugins/security/public/lib/role.test.js
 create mode 100644 x-pack/plugins/security/public/objects/index.js
 create mode 100644 x-pack/plugins/security/public/objects/lib/get_fields.js
 create mode 100644 x-pack/plugins/security/public/objects/lib/roles.js
 create mode 100644 x-pack/plugins/security/public/objects/role.js
 create mode 100644 x-pack/plugins/security/public/services/role_privileges.js
 delete mode 100644 x-pack/plugins/security/public/views/management/edit_role.html
 delete mode 100644 x-pack/plugins/security/public/views/management/edit_role.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/collapsible_panel.test.js.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/page_header.test.js.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.less
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.test.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.test.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/index.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/page_header.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/page_header.test.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/cluster_privileges.test.js.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privilege_form.test.js.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privileges.test.js.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.test.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.less
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.test.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/index.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.test.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.test.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.test.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/edit_role.html
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/edit_role.less
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/index.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/validate_role.test.js.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/set_application_privileges.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.js
 delete mode 100644 x-pack/plugins/security/public/views/management/index_privileges_form/index_privileges_form.html
 delete mode 100644 x-pack/plugins/security/public/views/management/index_privileges_form/index_privileges_form.js
 delete mode 100644 x-pack/plugins/security/public/views/management/index_privileges_form/index_privileges_form.less
 delete mode 100644 x-pack/plugins/security/server/lib/check_user_permission.js
 create mode 100644 x-pack/plugins/spaces/common/index.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.test.js

diff --git a/package.json b/package.json
index 5bdf13c0206311..d6f2bffd002e89 100644
--- a/package.json
+++ b/package.json
@@ -76,7 +76,7 @@
     "url": "https://github.com/elastic/kibana.git"
   },
   "dependencies": {
-    "@elastic/eui": "v0.0.47",
+    "@elastic/eui": "v0.0.51",
     "@elastic/filesaver": "1.1.2",
     "@elastic/numeral": "2.3.2",
     "@elastic/ui-ace": "0.2.3",
@@ -205,8 +205,8 @@
     "validate-npm-package-name": "2.2.2",
     "vega-lib": "^3.3.1",
     "vega-lite": "^2.4.0",
-    "vega-tooltip": "^0.9.14",
     "vega-schema-url-parser": "1.0.0",
+    "vega-tooltip": "^0.9.14",
     "vision": "4.1.0",
     "webpack": "3.6.0",
     "webpack-merge": "4.1.0",
diff --git a/packages/kbn-ui-framework/dist/ui_framework.css b/packages/kbn-ui-framework/dist/ui_framework.css
index 0d013535e35554..101f718149647b 100644
--- a/packages/kbn-ui-framework/dist/ui_framework.css
+++ b/packages/kbn-ui-framework/dist/ui_framework.css
@@ -78,15 +78,12 @@ main {
   overflow: hidden; }
 
 .kuiActionItem {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-pack: justify;
   -webkit-justify-content: space-between;
       -ms-flex-pack: justify;
           justify-content: space-between; }
@@ -105,15 +102,12 @@ main {
   background-color: rgba(0, 0, 0, 0.1); }
 
 .kuiBar {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-pack: justify;
   -webkit-justify-content: space-between;
       -ms-flex-pack: justify;
           justify-content: space-between;
@@ -121,22 +115,18 @@ main {
   /* 1 */ }
 
 .kuiBarSection {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 auto;
       -ms-flex: 1 1 auto;
           flex: 1 1 auto;
   margin-left: 25px;
   margin-right: 25px; }
   .kuiBarSection:not(:first-child):not(:last-child):not(:only-child) {
-    -webkit-box-pack: center;
     -webkit-justify-content: center;
         -ms-flex-pack: center;
             justify-content: center;
@@ -145,12 +135,10 @@ main {
     margin-left: 0; }
   .kuiBarSection:last-child {
     margin-right: 0;
-    -webkit-box-flex: 0;
     -webkit-flex: 0 1 auto;
         -ms-flex: 0 1 auto;
             flex: 0 1 auto;
     /* 4 */
-    -webkit-box-pack: end;
     -webkit-justify-content: flex-end;
         -ms-flex-pack: end;
             justify-content: flex-end;
@@ -201,12 +189,10 @@ main {
    * 1. Solves whitespace problems introduced by inline elements.
    */
 .kuiButton__inner {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
   /* 1 */
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
@@ -513,11 +499,9 @@ main {
     background-color: rgba(165, 231, 255, 0.5); }
 
 .kuiButtonGroup {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center; }
@@ -545,24 +529,19 @@ main {
   margin-left: 2px; }
 
 .kuiButtonGroup--fullWidth {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex; }
   .kuiButtonGroup--fullWidth > .kuiButton {
-    -webkit-box-flex: 1;
     -webkit-flex: 1 1 auto;
         -ms-flex: 1 1 auto;
             flex: 1 1 auto;
     text-align: center; }
 
 .kuiCard {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-orient: vertical;
-  -webkit-box-direction: normal;
   -webkit-flex-direction: column;
       -ms-flex-direction: column;
           flex-direction: column;
@@ -572,20 +551,15 @@ main {
   line-height: 1.5; }
 
 .kuiCard__description {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-orient: vertical;
-  -webkit-box-direction: normal;
   -webkit-flex-direction: column;
       -ms-flex-direction: column;
           flex-direction: column;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-pack: start;
   -webkit-justify-content: flex-start;
       -ms-flex-pack: start;
           justify-content: flex-start;
@@ -613,7 +587,6 @@ main {
  * 2. Offset the spacing between wrapped cards.
  */
 .kuiCardGroup {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
@@ -628,7 +601,6 @@ main {
    * 2. Use an even margin all around the card so that the spacing is still even when wrapped.
    */ }
   .kuiCardGroup .kuiCard {
-    -webkit-box-flex: 1;
     -webkit-flex: 1 1 auto;
         -ms-flex: 1 1 auto;
             flex: 1 1 auto;
@@ -636,7 +608,6 @@ main {
     margin: 15px;
     /* 2 */ }
     .kuiCardGroup .kuiCard .kuiCard__description {
-      -webkit-box-flex: 1;
       -webkit-flex: 1 1 auto;
           -ms-flex: 1 1 auto;
               flex: 1 1 auto; }
@@ -687,20 +658,15 @@ main {
   right: 0;
   left: 0;
   background: rgba(255, 255, 255, 0.7);
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-orient: vertical;
-  -webkit-box-direction: normal;
   -webkit-flex-direction: column;
       -ms-flex-direction: column;
           flex-direction: column;
-  -webkit-box-pack: center;
   -webkit-justify-content: center;
       -ms-flex-pack: center;
           justify-content: center;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
@@ -736,11 +702,9 @@ main {
   cursor: pointer; }
 
 .kuiColorPicker__preview {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center; }
@@ -890,11 +854,9 @@ main {
   margin-right: 8px; }
 
 .kuiContextMenu__itemLayout {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center; }
@@ -1071,13 +1033,11 @@ main {
     color: #ffffff; }
 
 .kuiContextMenuItem__inner {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex; }
 
 .kuiContextMenuItem__text {
-  -webkit-box-flex: 1;
   -webkit-flex-grow: 1;
       -ms-flex-positive: 1;
           flex-grow: 1; }
@@ -1096,13 +1056,11 @@ main {
     text-decoration: none; }
 
 .kuiEvent {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex; }
 
 .kuiEventSymbol {
-  -webkit-box-flex: 0;
   -webkit-flex: 0 1 auto;
       -ms-flex: 0 1 auto;
           flex: 0 1 auto;
@@ -1111,7 +1069,6 @@ main {
   padding-right: 8px; }
 
 .kuiEventBody {
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 0%;
       -ms-flex: 1 1 0%;
           flex: 1 1 0%; }
@@ -1150,16 +1107,13 @@ main {
   border-bottom: solid 2px #00A69B; }
 
 .kuiFlexGroup {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
   .kuiFlexGroup .kuiFlexItem {
-    -webkit-box-flex: 1;
     -webkit-flex-grow: 1;
         -ms-flex-positive: 1;
             flex-grow: 1; }
@@ -1185,13 +1139,11 @@ main {
     margin: 20px; }
 
 .kuiFlexGroup--justifyContentSpaceEvenly {
-  -webkit-box-pack: space-evenly;
   -webkit-justify-content: space-evenly;
       -ms-flex-pack: space-evenly;
           justify-content: space-evenly; }
 
 .kuiFlexGroup--justifyContentSpaceBetween {
-  -webkit-box-pack: justify;
   -webkit-justify-content: space-between;
       -ms-flex-pack: justify;
           justify-content: space-between; }
@@ -1202,31 +1154,26 @@ main {
           justify-content: space-around; }
 
 .kuiFlexGroup--justifyContentCenter {
-  -webkit-box-pack: center;
   -webkit-justify-content: center;
       -ms-flex-pack: center;
           justify-content: center; }
 
 .kuiFlexGroup--justifyContentFlexEnd {
-  -webkit-box-pack: end;
   -webkit-justify-content: flex-end;
       -ms-flex-pack: end;
           justify-content: flex-end; }
 
 .kuiFlexGroup--alignItemsStart {
-  -webkit-box-align: start;
   -webkit-align-items: flex-start;
       -ms-flex-align: start;
           align-items: flex-start; }
 
 .kuiFlexGroup--alignItemsCenter {
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center; }
 
 .kuiFlexGroup--alignItemsEnd {
-  -webkit-box-align: end;
   -webkit-align-items: flex-end;
       -ms-flex-align: end;
           align-items: flex-end; }
@@ -1243,7 +1190,6 @@ main {
             flex-wrap: wrap; } }
 
 .kuiFlexGrid {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
@@ -1252,12 +1198,10 @@ main {
           flex-wrap: wrap;
   margin-bottom: 0; }
   .kuiFlexGrid > .kuiFlexItem {
-    -webkit-box-flex: 0;
     -webkit-flex-grow: 0;
         -ms-flex-positive: 0;
             flex-grow: 0; }
     .kuiFlexGrid > .kuiFlexItem.kuiFlexItem--flexGrowZero {
-      -webkit-box-flex: 0 !important;
       -webkit-flex-grow: 0 !important;
           -ms-flex-positive: 0 !important;
               flex-grow: 0 !important;
@@ -1274,7 +1218,6 @@ main {
 
 .kuiFlexGrid--gutterSmall {
   margin: -4px;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -1285,7 +1228,6 @@ main {
 
 .kuiFlexGrid--gutterSmall {
   margin: -4px;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -1296,7 +1238,6 @@ main {
 
 .kuiFlexGrid--gutterSmall {
   margin: -4px;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -1314,7 +1255,6 @@ main {
 
 .kuiFlexGrid--gutterMedium {
   margin: -8px;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -1325,7 +1265,6 @@ main {
 
 .kuiFlexGrid--gutterMedium {
   margin: -8px;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -1336,7 +1275,6 @@ main {
 
 .kuiFlexGrid--gutterMedium {
   margin: -8px;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -1354,7 +1292,6 @@ main {
 
 .kuiFlexGrid--gutterLarge {
   margin: -12px;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -1365,7 +1302,6 @@ main {
 
 .kuiFlexGrid--gutterLarge {
   margin: -12px;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -1376,7 +1312,6 @@ main {
 
 .kuiFlexGrid--gutterLarge {
   margin: -12px;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -1394,7 +1329,6 @@ main {
 
 .kuiFlexGrid--gutterXLarge {
   margin: -16px;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -1405,7 +1339,6 @@ main {
 
 .kuiFlexGrid--gutterXLarge {
   margin: -16px;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -1416,7 +1349,6 @@ main {
 
 .kuiFlexGrid--gutterXLarge {
   margin: -16px;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -1429,13 +1361,10 @@ main {
  * 1. Allow KuiPanels to expand to fill the item.
  */
 .kuiFlexItem {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
   /* 1 */
-  -webkit-box-orient: vertical;
-  -webkit-box-direction: normal;
   -webkit-flex-direction: column;
       -ms-flex-direction: column;
           flex-direction: column;
@@ -1446,7 +1375,6 @@ main {
    */ }
   .kuiFlexItem.kuiFlexItem--flexGrowZero {
     /* 1 */
-    -webkit-box-flex: 0;
     -webkit-flex-grow: 0;
         -ms-flex-positive: 0;
             flex-grow: 0;
@@ -1456,52 +1384,42 @@ main {
             flex-basis: auto;
     /* 2 */ }
   .kuiFlexItem.kuiFlexItem--flexGrow1 {
-    -webkit-box-flex: 1;
     -webkit-flex-grow: 1;
         -ms-flex-positive: 1;
             flex-grow: 1; }
   .kuiFlexItem.kuiFlexItem--flexGrow2 {
-    -webkit-box-flex: 2;
     -webkit-flex-grow: 2;
         -ms-flex-positive: 2;
             flex-grow: 2; }
   .kuiFlexItem.kuiFlexItem--flexGrow3 {
-    -webkit-box-flex: 3;
     -webkit-flex-grow: 3;
         -ms-flex-positive: 3;
             flex-grow: 3; }
   .kuiFlexItem.kuiFlexItem--flexGrow4 {
-    -webkit-box-flex: 4;
     -webkit-flex-grow: 4;
         -ms-flex-positive: 4;
             flex-grow: 4; }
   .kuiFlexItem.kuiFlexItem--flexGrow5 {
-    -webkit-box-flex: 5;
     -webkit-flex-grow: 5;
         -ms-flex-positive: 5;
             flex-grow: 5; }
   .kuiFlexItem.kuiFlexItem--flexGrow6 {
-    -webkit-box-flex: 6;
     -webkit-flex-grow: 6;
         -ms-flex-positive: 6;
             flex-grow: 6; }
   .kuiFlexItem.kuiFlexItem--flexGrow7 {
-    -webkit-box-flex: 7;
     -webkit-flex-grow: 7;
         -ms-flex-positive: 7;
             flex-grow: 7; }
   .kuiFlexItem.kuiFlexItem--flexGrow8 {
-    -webkit-box-flex: 8;
     -webkit-flex-grow: 8;
         -ms-flex-positive: 8;
             flex-grow: 8; }
   .kuiFlexItem.kuiFlexItem--flexGrow9 {
-    -webkit-box-flex: 9;
     -webkit-flex-grow: 9;
         -ms-flex-positive: 9;
             flex-grow: 9; }
   .kuiFlexItem.kuiFlexItem--flexGrow10 {
-    -webkit-box-flex: 10;
     -webkit-flex-grow: 10;
         -ms-flex-positive: 10;
             flex-grow: 10; }
@@ -1592,11 +1510,9 @@ main {
       background-color: #0079a5; }
 
 .kuiCheckBoxLabel {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
@@ -1860,18 +1776,15 @@ main {
  * 1. We may want to put elements in here which have different heights.
  */
 .kuiFieldGroup {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
   /* 1 */ }
 
 .kuiFieldGroup--alignTop {
-  -webkit-box-align: start;
   -webkit-align-items: flex-start;
       -ms-flex-align: start;
           align-items: flex-start; }
@@ -1882,7 +1795,6 @@ main {
     margin-left: 10px; }
 
 .kuiFieldGroupSection--wide {
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 auto;
       -ms-flex: 1 1 auto;
           flex: 1 1 auto; }
@@ -1890,7 +1802,6 @@ main {
     width: 100%; }
 
 .kuiGallery {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
@@ -1899,20 +1810,15 @@ main {
           flex-wrap: wrap; }
 
 .kuiGalleryItem {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-orient: vertical;
-  -webkit-box-direction: normal;
   -webkit-flex-direction: column;
       -ms-flex-direction: column;
           flex-direction: column;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-pack: center;
   -webkit-justify-content: center;
       -ms-flex-pack: center;
           justify-content: center;
@@ -1931,15 +1837,12 @@ main {
     border-color: #00A6FF; }
 
 .kuiGalleryItem__image {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-pack: center;
   -webkit-justify-content: center;
       -ms-flex-pack: center;
           justify-content: center;
@@ -1970,15 +1873,12 @@ main {
   color: #666; }
 
 .kuiHeaderBar {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-pack: justify;
   -webkit-justify-content: space-between;
       -ms-flex-pack: justify;
           justify-content: space-between;
@@ -1990,22 +1890,18 @@ main {
  * 1. Align a single section to the left by default.
  */
 .kuiHeaderBarSection {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 auto;
       -ms-flex: 1 1 auto;
           flex: 1 1 auto;
   margin-left: 25px;
   margin-right: 25px; }
   .kuiHeaderBarSection:not(:first-child):not(:last-child):not(:only-child) {
-    -webkit-box-pack: center;
     -webkit-justify-content: center;
         -ms-flex-pack: center;
             justify-content: center;
@@ -2014,12 +1910,10 @@ main {
     margin-left: 0; }
   .kuiHeaderBarSection:last-child {
     margin-right: 0;
-    -webkit-box-flex: 0;
     -webkit-flex: 0 1 auto;
         -ms-flex: 0 1 auto;
             flex: 0 1 auto;
     /* 4 */
-    -webkit-box-pack: end;
     -webkit-justify-content: flex-end;
         -ms-flex-pack: end;
             justify-content: flex-end;
@@ -2118,11 +2012,9 @@ main {
  * 1. Align with first line of title text if it wraps.
  */
 .kuiInfoPanelHeader {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: baseline;
   -webkit-align-items: baseline;
       -ms-flex-align: baseline;
           align-items: baseline;
@@ -2179,11 +2071,9 @@ main {
  *    a bit.
  */
 .kuiLocalBreadcrumbs {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
@@ -2253,15 +2143,12 @@ main {
   padding: 0; }
 
 .kuiDatePickerNavigation {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-pack: justify;
   -webkit-justify-content: space-between;
       -ms-flex-pack: justify;
           justify-content: space-between;
@@ -2425,13 +2312,11 @@ main {
     /* 1 */ }
 
 .kuiLocalDropdownPanels {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex; }
 
 .kuiLocalDropdownPanel {
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 0%;
       -ms-flex: 1 1 0%;
           flex: 1 1 0%; }
@@ -2460,15 +2345,12 @@ main {
     margin-bottom: 0; }
 
 .kuiLocalDropdownHeader {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-pack: justify;
   -webkit-justify-content: space-between;
       -ms-flex-pack: justify;
           justify-content: space-between;
@@ -2487,7 +2369,6 @@ main {
     color: #cecece; }
 
 .kuiLocalDropdownHeader__actions {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex; }
@@ -2549,21 +2430,17 @@ main {
     color: #9e9e9e; }
 
 .kuiLocalMenu {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
 
 .kuiLocalMenuItem {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
@@ -2615,16 +2492,12 @@ main {
  *    dropdown.
  */
 .kuiLocalNav {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-orient: vertical;
-  -webkit-box-direction: normal;
   -webkit-flex-direction: column;
       -ms-flex-direction: column;
           flex-direction: column;
-  -webkit-box-pack: justify;
   -webkit-justify-content: space-between;
       -ms-flex-pack: justify;
           justify-content: space-between;
@@ -2643,15 +2516,12 @@ main {
  * 1. Allow row to expand if the content is so long that it wraps.
  */
 .kuiLocalNavRow {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch;
-  -webkit-box-pack: justify;
   -webkit-justify-content: space-between;
       -ms-flex-pack: justify;
           justify-content: space-between;
@@ -2659,11 +2529,9 @@ main {
   /* 1 */ }
 
 .kuiLocalNavRow__section {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: stretch;
   -webkit-align-items: stretch;
       -ms-flex-align: stretch;
           align-items: stretch; }
@@ -2678,14 +2546,12 @@ main {
 .kuiLocalNavRow--secondary {
   padding: 0 10px;
   /* 1 */
-  -webkit-box-align: start;
   -webkit-align-items: flex-start;
       -ms-flex-align: start;
           align-items: flex-start;
   /* 1 */ }
 
 .kuiLocalSearch {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
@@ -2708,7 +2574,6 @@ main {
   transition: border-color 0.1s linear;
   min-height: 30px;
   /* 1 */
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 100%;
       -ms-flex: 1 1 100%;
           flex: 1 1 100%;
@@ -2738,7 +2603,6 @@ main {
 
 .kuiLocalSearchInput--secondary {
   height: 30px;
-  -webkit-box-flex: 0;
   -webkit-flex: 0 0 auto;
       -ms-flex: 0 0 auto;
           flex: 0 0 auto;
@@ -2750,11 +2614,9 @@ main {
     border-right-color: #333333; }
 
 .kuiLocalSearchAssistedInput {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 100%;
       -ms-flex: 1 1 100%;
           flex: 1 1 100%;
@@ -2857,11 +2719,9 @@ main {
  * 1. We want the bottom border on selected tabs to be flush with the bottom of the container.
  */
 .kuiLocalTabs {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: end;
   -webkit-align-items: flex-end;
       -ms-flex-align: end;
           align-items: flex-end;
@@ -2906,11 +2766,9 @@ main {
     color: #dedede; }
 
 .kuiLocalTitle {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
@@ -3042,7 +2900,6 @@ main {
     /* 3 */ }
 
 .kuiMenuButtonGroup {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex; }
@@ -3050,7 +2907,6 @@ main {
     margin-left: 4px; }
 
 .kuiMenuButtonGroup--alignRight {
-  -webkit-box-pack: end;
   -webkit-justify-content: flex-end;
       -ms-flex-pack: end;
           justify-content: flex-end; }
@@ -3073,7 +2929,6 @@ main {
     color: #191E23; }
 
 .kuiMicroButtonGroup {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex; }
@@ -3087,15 +2942,12 @@ main {
   left: 0;
   right: 0;
   bottom: 0;
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-pack: center;
   -webkit-justify-content: center;
       -ms-flex-pack: center;
           justify-content: center;
@@ -3121,15 +2973,12 @@ main {
   min-width: auto; }
 
 .kuiModalHeader {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-pack: justify;
   -webkit-justify-content: space-between;
       -ms-flex-pack: justify;
           justify-content: space-between;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
@@ -3170,11 +3019,9 @@ main {
     color: #cecece; }
 
 .kuiModalFooter {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-pack: end;
   -webkit-justify-content: flex-end;
       -ms-flex-pack: end;
           justify-content: flex-end;
@@ -3213,11 +3060,9 @@ main {
  * 1. Put 10px of space between each child.
  */
 .kuiPager {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center; }
@@ -3237,21 +3082,16 @@ main {
   border-radius: 4px; }
 
 .kuiPanel--prompt {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-orient: vertical;
-  -webkit-box-direction: normal;
   -webkit-flex-direction: column;
       -ms-flex-direction: column;
           flex-direction: column;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
   text-align: center;
-  -webkit-box-pack: center;
   -webkit-justify-content: center;
       -ms-flex-pack: center;
           justify-content: center;
@@ -3268,29 +3108,23 @@ main {
   border-radius: 0; }
 
 .kuiPanel--centered {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-pack: center;
   -webkit-justify-content: center;
       -ms-flex-pack: center;
           justify-content: center;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center; }
 
 .kuiPanelHeader {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-pack: justify;
   -webkit-justify-content: space-between;
       -ms-flex-pack: justify;
           justify-content: space-between;
@@ -3352,22 +3186,18 @@ main {
  * 1. Undo what barSection mixin does.
  */
 .kuiPanelHeaderSection {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 auto;
       -ms-flex: 1 1 auto;
           flex: 1 1 auto;
   margin-left: 25px;
   margin-right: 25px; }
   .kuiPanelHeaderSection:not(:first-child):not(:last-child):not(:only-child) {
-    -webkit-box-pack: center;
     -webkit-justify-content: center;
         -ms-flex-pack: center;
             justify-content: center;
@@ -3376,12 +3206,10 @@ main {
     margin-left: 0; }
   .kuiPanelHeaderSection:last-child {
     margin-right: 0;
-    -webkit-box-flex: 0;
     -webkit-flex: 0 1 auto;
         -ms-flex: 0 1 auto;
             flex: 0 1 auto;
     /* 4 */
-    -webkit-box-pack: end;
     -webkit-justify-content: flex-end;
         -ms-flex-pack: end;
             justify-content: flex-end;
@@ -3406,7 +3234,6 @@ main {
   background-color: #FFF;
   border: 1px solid #D9D9D9;
   border-radius: 4px;
-  -webkit-box-flex: 1;
   -webkit-flex-grow: 1;
       -ms-flex-positive: 1;
           flex-grow: 1; }
@@ -3419,7 +3246,6 @@ main {
   .kuiPanelSimple.kuiPanelSimple--shadow {
     box-shadow: 0 16px 16px -8px rgba(0, 0, 0, 0.1); }
   .kuiPanelSimple.kuiPanelSimple--flexGrowZero {
-    -webkit-box-flex: 0;
     -webkit-flex-grow: 0;
         -ms-flex-positive: 0;
             flex-grow: 0; }
@@ -3513,16 +3339,12 @@ main {
     color: #ffffff; }
 
 .kuiEmptyTablePrompt {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-orient: vertical;
-  -webkit-box-direction: normal;
   -webkit-flex-direction: column;
       -ms-flex-direction: column;
           flex-direction: column;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
@@ -3537,11 +3359,9 @@ main {
   margin-top: 10px; }
 
 .kuiStatusText {
-  display: -webkit-inline-box;
   display: -webkit-inline-flex;
   display: -ms-inline-flexbox;
   display: inline-flex;
-  -webkit-box-align: baseline;
   -webkit-align-items: baseline;
       -ms-flex-align: baseline;
           align-items: baseline; }
@@ -3657,11 +3477,9 @@ main {
     display: block;
     opacity: 1; }
   .kuiTableHeaderCellButton .kuiTableHeaderCell__liner {
-    display: -webkit-box;
     display: -webkit-flex;
     display: -ms-flexbox;
     display: flex;
-    -webkit-box-align: center;
     -webkit-align-items: center;
         -ms-flex-align: center;
             align-items: center; }
@@ -3762,7 +3580,6 @@ main {
   line-height: 1.5; }
 
 .kuiTabs {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
@@ -3886,15 +3703,12 @@ main {
     /* 1 */ }
 
 .kuiToolBar {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-pack: justify;
   -webkit-justify-content: space-between;
       -ms-flex-pack: justify;
           justify-content: space-between;
@@ -3945,22 +3759,18 @@ main {
       border-color: #0079a5; }
 
 .kuiToolBarSection {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 auto;
       -ms-flex: 1 1 auto;
           flex: 1 1 auto;
   margin-left: 25px;
   margin-right: 25px; }
   .kuiToolBarSection:not(:first-child):not(:last-child):not(:only-child) {
-    -webkit-box-pack: center;
     -webkit-justify-content: center;
         -ms-flex-pack: center;
             justify-content: center;
@@ -3969,12 +3779,10 @@ main {
     margin-left: 0; }
   .kuiToolBarSection:last-child {
     margin-right: 0;
-    -webkit-box-flex: 0;
     -webkit-flex: 0 1 auto;
         -ms-flex: 0 1 auto;
             flex: 0 1 auto;
     /* 4 */
-    -webkit-box-pack: end;
     -webkit-justify-content: flex-end;
         -ms-flex-pack: end;
             justify-content: flex-end;
@@ -3994,15 +3802,12 @@ main {
   /* 1 */ }
 
 .kuiToolBarFooter {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-pack: justify;
   -webkit-justify-content: space-between;
       -ms-flex-pack: justify;
           justify-content: space-between;
@@ -4014,22 +3819,18 @@ main {
   border: 1px solid #D9D9D9; }
 
 .kuiToolBarFooterSection {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 auto;
       -ms-flex: 1 1 auto;
           flex: 1 1 auto;
   margin-left: 25px;
   margin-right: 25px; }
   .kuiToolBarFooterSection:not(:first-child):not(:last-child):not(:only-child) {
-    -webkit-box-pack: center;
     -webkit-justify-content: center;
         -ms-flex-pack: center;
             justify-content: center;
@@ -4038,12 +3839,10 @@ main {
     margin-left: 0; }
   .kuiToolBarFooterSection:last-child {
     margin-right: 0;
-    -webkit-box-flex: 0;
     -webkit-flex: 0 1 auto;
         -ms-flex: 0 1 auto;
             flex: 0 1 auto;
     /* 4 */
-    -webkit-box-pack: end;
     -webkit-justify-content: flex-end;
         -ms-flex-pack: end;
             justify-content: flex-end;
@@ -4061,17 +3860,14 @@ main {
  *    kuiToolBarSection sibling.
  */
 .kuiToolBarSearch {
-  display: -webkit-box;
   display: -webkit-flex;
   display: -ms-flexbox;
   display: flex;
-  -webkit-box-align: center;
   -webkit-align-items: center;
       -ms-flex-align: center;
           align-items: center;
   margin-left: 25px;
   margin-right: 25px;
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 auto;
       -ms-flex: 1 1 auto;
           flex: 1 1 auto;
@@ -4087,7 +3883,6 @@ main {
     /* 1 */ }
 
 .kuiToolBarSearchBox {
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 auto;
       -ms-flex: 1 1 auto;
           flex: 1 1 auto;
@@ -4210,7 +4005,6 @@ main {
 
 .kuiView {
   background-color: #FFF;
-  -webkit-box-flex: 1;
   -webkit-flex: 1 1 auto;
       -ms-flex: 1 1 auto;
           flex: 1 1 auto; }
diff --git a/x-pack/package.json b/x-pack/package.json
index bfcb1dd5a9905b..95aa06158b637e 100644
--- a/x-pack/package.json
+++ b/x-pack/package.json
@@ -75,7 +75,7 @@
     "yargs": "4.7.1"
   },
   "dependencies": {
-    "@elastic/eui": "0.0.47",
+    "@elastic/eui": "v0.0.51",
     "@elastic/node-crypto": "0.1.2",
     "@elastic/node-phantom-simple": "2.2.4",
     "@elastic/numeral": "2.3.2",
diff --git a/x-pack/plugins/security/public/documentation_links.js b/x-pack/plugins/security/public/documentation_links.js
index 8d9bb3c2256b4d..d357451d48ac74 100644
--- a/x-pack/plugins/security/public/documentation_links.js
+++ b/x-pack/plugins/security/public/documentation_links.js
@@ -7,5 +7,8 @@
 import { ELASTIC_WEBSITE_URL, DOC_LINK_VERSION } from 'ui/documentation_links';
 
 export const documentationLinks = {
-  dashboardViewMode: `${ELASTIC_WEBSITE_URL}guide/en/kibana/${DOC_LINK_VERSION}/xpack-view-modes.html`
+  dashboardViewMode: `${ELASTIC_WEBSITE_URL}guide/en/kibana/${DOC_LINK_VERSION}/xpack-view-modes.html`,
+  esClusterPrivileges: `${ELASTIC_WEBSITE_URL}guide/en/x-pack/${DOC_LINK_VERSION}/security-privileges.html#security-privileges`,
+  esIndicesPrivileges: `${ELASTIC_WEBSITE_URL}guide/en/x-pack/${DOC_LINK_VERSION}/security-privileges.html#privileges-list-indices`,
+  esRunAsPrivileges: `${ELASTIC_WEBSITE_URL}guide/en/x-pack/${DOC_LINK_VERSION}/security-privileges.html#_run_as_privilege`,
 };
diff --git a/x-pack/plugins/security/public/lib/__tests__/role.js b/x-pack/plugins/security/public/lib/__tests__/role.js
deleted file mode 100644
index efb22152ef7b19..00000000000000
--- a/x-pack/plugins/security/public/lib/__tests__/role.js
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { isRoleEnabled } from '../role';
-
-describe('role', () => {
-  describe('isRoleEnabled', () => {
-    it('should return false if role is explicitly not enabled', () => {
-      const testRole = {
-        transient_metadata: {
-          enabled: false
-        }
-      };
-      expect(isRoleEnabled(testRole)).to.be(false);
-    });
-
-    it('should return true if role is explicitly enabled', () => {
-      const testRole = {
-        transient_metadata: {
-          enabled: true
-        }
-      };
-      expect(isRoleEnabled(testRole)).to.be(true);
-    });
-
-    it('should return true if role is NOT explicitly enabled or disabled', () => {
-      const testRole = {};
-      expect(isRoleEnabled(testRole)).to.be(true);
-    });
-  });
-});
diff --git a/x-pack/plugins/security/public/lib/role.js b/x-pack/plugins/security/public/lib/role.js
index 89eade0f0584e2..96057aa55f5954 100644
--- a/x-pack/plugins/security/public/lib/role.js
+++ b/x-pack/plugins/security/public/lib/role.js
@@ -14,4 +14,13 @@ import { get } from 'lodash';
  */
 export function isRoleEnabled(role) {
   return get(role, 'transient_metadata.enabled', true);
-}
\ No newline at end of file
+}
+
+/**
+ * Returns whether given role is reserved or not.
+ *
+ * @param {role} the Role as returned by roles API
+ */
+export function isReservedRole(role) {
+  return get(role, 'metadata._reserved', false);
+}
diff --git a/x-pack/plugins/security/public/lib/role.test.js b/x-pack/plugins/security/public/lib/role.test.js
new file mode 100644
index 00000000000000..4c6e9fb896dcf1
--- /dev/null
+++ b/x-pack/plugins/security/public/lib/role.test.js
@@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { isRoleEnabled, isReservedRole } from './role';
+
+describe('role', () => {
+  describe('isRoleEnabled', () => {
+    test('should return false if role is explicitly not enabled', () => {
+      const testRole = {
+        transient_metadata: {
+          enabled: false
+        }
+      };
+      expect(isRoleEnabled(testRole)).toBe(false);
+    });
+
+    test('should return true if role is explicitly enabled', () => {
+      const testRole = {
+        transient_metadata: {
+          enabled: true
+        }
+      };
+      expect(isRoleEnabled(testRole)).toBe(true);
+    });
+
+    test('should return true if role is NOT explicitly enabled or disabled', () => {
+      const testRole = {};
+      expect(isRoleEnabled(testRole)).toBe(true);
+    });
+  });
+
+  describe('isReservedRole', () => {
+    test('should return false if role is explicitly not reserved', () => {
+      const testRole = {
+        metadata: {
+          _reserved: false
+        }
+      };
+      expect(isReservedRole(testRole)).toBe(false);
+    });
+
+    test('should return true if role is explicitly reserved', () => {
+      const testRole = {
+        metadata: {
+          _reserved: true
+        }
+      };
+      expect(isReservedRole(testRole)).toBe(true);
+    });
+
+    test('should return false if role is NOT explicitly reserved or not reserved', () => {
+      const testRole = {};
+      expect(isReservedRole(testRole)).toBe(false);
+    });
+  });
+});
diff --git a/x-pack/plugins/security/public/objects/index.js b/x-pack/plugins/security/public/objects/index.js
new file mode 100644
index 00000000000000..a6238ca879901c
--- /dev/null
+++ b/x-pack/plugins/security/public/objects/index.js
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { saveRole, deleteRole } from './lib/roles';
+
+export { getFields } from './lib/get_fields';
diff --git a/x-pack/plugins/security/public/objects/lib/get_fields.js b/x-pack/plugins/security/public/objects/lib/get_fields.js
new file mode 100644
index 00000000000000..a80f6bfe8eed1d
--- /dev/null
+++ b/x-pack/plugins/security/public/objects/lib/get_fields.js
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import chrome from 'ui/chrome';
+
+const apiBase = chrome.addBasePath(`/api/security/v1/fields`);
+
+export async function getFields($http, query) {
+  return await $http
+    .get(`${apiBase}/${query}`)
+    .then(response => response.data || []);
+}
diff --git a/x-pack/plugins/security/public/objects/lib/roles.js b/x-pack/plugins/security/public/objects/lib/roles.js
new file mode 100644
index 00000000000000..5fdd95a7ccb64e
--- /dev/null
+++ b/x-pack/plugins/security/public/objects/lib/roles.js
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import chrome from 'ui/chrome';
+
+const apiBase = chrome.addBasePath(`/api/security/v1/roles`);
+
+export async function saveRole($http, role) {
+  return await $http.post(`${apiBase}/${role.name}`, role);
+}
+
+export async function deleteRole($http, name) {
+  return await $http.delete(`${apiBase}/${name}`);
+}
diff --git a/x-pack/plugins/security/public/objects/role.js b/x-pack/plugins/security/public/objects/role.js
new file mode 100644
index 00000000000000..98448db207cea8
--- /dev/null
+++ b/x-pack/plugins/security/public/objects/role.js
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export class Role {
+  name = null;
+  cluster = [];
+  indices = [];
+  run_as = []; //eslint-disable-line camelcase
+  applications = [];
+}
diff --git a/x-pack/plugins/security/public/services/role_privileges.js b/x-pack/plugins/security/public/services/role_privileges.js
new file mode 100644
index 00000000000000..794a4b30674e5b
--- /dev/null
+++ b/x-pack/plugins/security/public/services/role_privileges.js
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+const clusterPrivileges = [
+  'all',
+  'monitor',
+  'manage',
+  'manage_security',
+  'manage_index_templates',
+  'manage_pipeline',
+  'manage_ingest_pipelines',
+  'transport_client',
+  'manage_ml',
+  'monitor_ml',
+  'manage_watcher',
+  'monitor_watcher',
+];
+const indexPrivileges = [
+  'all',
+  'manage',
+  'monitor',
+  'read',
+  'index',
+  'create',
+  'delete',
+  'write',
+  'delete_index',
+  'create_index',
+  'view_index_metadata',
+  'read_cross_cluster',
+];
+
+export function getClusterPrivileges() {
+  return [...clusterPrivileges];
+}
+
+export function getIndexPrivileges() {
+  return [...indexPrivileges];
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role.html b/x-pack/plugins/security/public/views/management/edit_role.html
deleted file mode 100644
index 8c8c5d692cce21..00000000000000
--- a/x-pack/plugins/security/public/views/management/edit_role.html
+++ /dev/null
@@ -1,194 +0,0 @@
-<kbn-management-app section="security" omit-breadcrumb-pages="['edit']">
-  <!-- This content gets injected below the localNav. -->
-  <div class="kuiViewContent kuiViewContent--constrainedWidth kuiViewContentItem">
-
-    <!-- Subheader -->
-    <div class="kuiBar kuiVerticalRhythm">
-
-      <div class="kuiBarSection">
-        <!-- Title -->
-        <h1 class="kuiTitle">
-          <span ng-if="editRole.isNewRole">
-            New Role
-          </span>
-          <span ng-if="!editRole.isNewRole">
-            &ldquo;{{ role.name }}&rdquo; Role
-          </span>
-        </h1>
-      </div>
-
-      <div class="kuiBarSection">
-        <!-- Delete button -->
-        <button
-          ng-if="!editRole.isNewRole && !role.metadata._reserved"
-          class="kuiButton kuiButton--danger kuiButton--iconText"
-          ng-click="deleteRole(role)"
-          tooltip="Delete Role"
-        >
-          <span class="kuiButton__inner">
-            <span class="kuiButton__icon kuiIcon fa-trash"></span>
-            <span>Delete role</span>
-          </span>
-        </button>
-        <div
-          ng-if="role.metadata._reserved"
-          class="kuiBadge kuiBadge--default"
-          tooltip="Reserved roles are built-in and cannot be removed or modified."
-        >
-          <span class="kuiIcon fa-lock"></span>
-          Reserved
-        </div>
-      </div>
-    </div>
-
-    <div class="kuiBar kuiVerticalRhythm" ng-if="otherApplications.length > 0">
-      <div class="kuiInfoPanel kuiInfoPanel--warning">
-        <div class="kuiInfoPanelHeader">
-          <span class="kuiInfoPanelHeader__icon kuiIcon kuiIcon--warning fa-warning"></span>
-          <span class="kuiInfoPanelHeader__title">
-            This role contains application privileges for the {{ otherApplications.join(', ') }} application(s) that can't be edited.
-            If they are for other instances of Kibana, you must manage those privileges on that Kibana.
-          </span>
-        </div>
-      </div>
-    </div>
-
-    <!-- Form -->
-    <form name="form" novalidate class="kuiVerticalRhythm">
-      <!-- Name -->
-      <div class="kuiFormSection">
-        <label for="name" class="kuiFormLabel">
-          Name
-        </label>
-        <input
-          type="text"
-          class="fullWidth"
-          ng-class="::editRole.isNewRole ? 'kuiTextInput' : 'kuiStaticInput'"
-          ng-disabled="!editRole.isNewRole"
-          id="name"
-          name="name"
-          ng-model="role.name"
-          required
-          pattern="[a-zA-Z_][a-zA-Z0-9_@\-\$\.]*"
-          maxlength="1024"
-          data-test-subj="roleFormNameInput"
-        />
-
-        <!-- Errors -->
-        <div
-          class="kuiInputNote kuiInputNote--danger"
-          ng-show="form.name.$error.pattern"
-        >
-          Name must begin with a letter or underscore and contain only letters, underscores, and numbers.
-        </div>
-
-        <div
-          class="kuiInputNote kuiInputNote--danger"
-          ng-show="form.name.$touched && form.name.$error.required"
-        >
-          Name is required.
-        </div>
-      </div>
-
-      <div class="kuiVerticalRhythm">
-        <!-- Cluster privileges -->
-        <div class="kuiFormSection">
-          <label class="kuiFormLabel">
-            Cluster Privileges
-          </label>
-          <div ng-repeat="privilege in privileges.cluster">
-            <label>
-              <input
-                class="kuiCheckBox"
-                type="checkbox"
-                ng-checked="includes(role.cluster, privilege)"
-                ng-click="toggle(role.cluster, privilege)"
-                ng-disabled="role.metadata._reserved || !isRoleEnabled(role)"
-              />
-              <span class="kuiOptionLabel">{{privilege}}</span>
-            </label>
-          </div>
-        </div>
-
-        <!-- Kibana custom privileges -->
-        <div class="kuiFormSection" ng-if="rbacEnabled">
-          <label class="kuiFormLabel">
-            Kibana Privileges
-          </label>
-
-          <div ng-repeat="(key, value) in kibanaPrivileges">
-            <label>
-              <input
-                class="kuiCheckBox"
-                type="checkbox"
-                ng-model="kibanaPrivileges[key]"
-                ng-disabled="role.metadata._reserved || !isRoleEnabled(role)"
-              />
-              <span class="kuiOptionLabel">{{key}}</span>
-            </label>
-          </div>
-        </div>
-
-        <!-- Run-as privileges -->
-        <div class="kuiFormSection">
-          <label class="kuiFormLabel">
-            Run As Privileges
-          </label>
-          <ui-select
-            multiple
-            ng-model="role.run_as"
-            ng-disabled="role.metadata._reserved || !isRoleEnabled(role)"
-          >
-            <ui-select-match placeholder="Add a user...">
-              {{$item}}
-            </ui-select-match>
-            <ui-select-choices repeat="user as user in union([$select.search], users) | filter:$select.search">
-              <div ng-bind-html="user"></div>
-            </ui-select-choices>
-          </ui-select>
-        </div>
-
-        <!-- Index privileges -->
-        <div class="kuiFormSection">
-          <kbn-index-privileges-form
-            is-new-role="editRole.isNewRole"
-            indices="role.indices"
-            index-patterns="indexPatterns"
-            privileges="privileges"
-            field-options="editRole.fieldOptions"
-            is-reserved="role.metadata._reserved"
-            is-enabled="isRoleEnabled(role)"
-            allow-document-level-security="allowDocumentLevelSecurity"
-            allow-field-level-security="allowFieldLevelSecurity"
-            add-index="addIndex(indices)"
-            remove-index="toggle(indices, index)"
-          ></kbn-index-privileges-form>
-        </div>
-      </div>
-
-      <div class="kuiVerticalRhythm">
-        <!-- Form actions -->
-        <div class="kuiFormSection kuiFormFooter">
-          <button
-            class="kuiButton kuiButton--primary"
-            ng-click="saveRole(role)"
-            ng-if="!role.metadata._reserved && isRoleEnabled(role)"
-            ng-disabled="form.$invalid || !areIndicesValid(role.indices)"
-            data-test-subj="roleFormSaveButton"
-          >
-            Save
-          </button>
-
-          <a
-            class="kuiButton kuiButton--basic"
-            ng-if="!role.metadata._reserved"
-            ng-href="{{rolesHref}}"
-            data-test-subj="roleFormCancelButton"
-          >
-            Cancel
-          </a>
-        </div>
-      </div>
-    </form>
-  </div>
-</kbn-management-app>
diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
deleted file mode 100644
index 3f0ab02129dbb3..00000000000000
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import _ from 'lodash';
-import routes from 'ui/routes';
-import { fatalError, toastNotifications } from 'ui/notify';
-import { toggle } from 'plugins/security/lib/util';
-import { isRoleEnabled } from 'plugins/security/lib/role';
-import template from 'plugins/security/views/management/edit_role.html';
-import 'angular-ui-select';
-import 'plugins/security/services/application_privilege';
-import 'plugins/security/services/shield_user';
-import 'plugins/security/services/shield_role';
-import 'plugins/security/services/shield_privileges';
-import 'plugins/security/services/shield_indices';
-
-import { IndexPatternsProvider } from 'ui/index_patterns/index_patterns';
-import { XPackInfoProvider } from 'plugins/xpack_main/services/xpack_info';
-import { checkLicenseError } from 'plugins/security/lib/check_license_error';
-import { EDIT_ROLES_PATH, ROLES_PATH } from './management_urls';
-import { DEFAULT_RESOURCE } from '../../../common/constants';
-
-const getKibanaPrivileges = (kibanaApplicationPrivilege, role, application) => {
-  const kibanaPrivileges = kibanaApplicationPrivilege.reduce((acc, p) => {
-    acc[p.name] = false;
-    return acc;
-  }, {});
-
-  if (!role.applications || role.applications.length === 0) {
-    return kibanaPrivileges;
-  }
-
-  const applications = role.applications.filter(x => x.application === application);
-
-  const assigned =  _.uniq(_.flatten(_.pluck(applications, 'privileges')));
-  assigned.forEach(a => {
-    kibanaPrivileges[a] = true;
-  });
-
-  return kibanaPrivileges;
-};
-
-const setApplicationPrivileges = (kibanaPrivileges, role, application) => {
-  if (!role.applications) {
-    role.applications = [];
-  }
-
-  // we first remove the matching application entries
-  role.applications = role.applications.filter(x => {
-    return x.application !== application;
-  });
-
-  const privileges = Object.keys(kibanaPrivileges).filter(key => kibanaPrivileges[key]);
-
-  // if we still have them, put the application entry back
-  if (privileges.length > 0) {
-    role.applications = [...role.applications, {
-      application,
-      privileges,
-      resources: [ DEFAULT_RESOURCE ]
-    }];
-  }
-};
-
-const getOtherApplications = (kibanaPrivileges, role, application) => {
-  if (!role.applications || role.applications.length === 0) {
-    return [];
-  }
-
-  return role.applications.map(x => x.application).filter(x => x !== application);
-};
-
-routes.when(`${EDIT_ROLES_PATH}/:name?`, {
-  template,
-  resolve: {
-    role($route, ShieldRole, kbnUrl, Promise, Notifier) {
-      const name = $route.current.params.name;
-      if (name != null) {
-        return ShieldRole.get({ name }).$promise
-          .catch((response) => {
-
-            if (response.status !== 404) {
-              return fatalError(response);
-            }
-
-            const notifier = new Notifier();
-            notifier.error(`No "${name}" role found.`);
-            kbnUrl.redirect(ROLES_PATH);
-            return Promise.halt();
-          });
-      }
-      return new ShieldRole({
-        cluster: [],
-        indices: [],
-        run_as: [],
-        applications: []
-      });
-    },
-    kibanaApplicationPrivilege(ApplicationPrivilege, kbnUrl, Promise, Private) {
-      return ApplicationPrivilege.query().$promise
-        .catch(checkLicenseError(kbnUrl, Promise, Private));
-    },
-    users(ShieldUser, kbnUrl, Promise, Private) {
-      // $promise is used here because the result is an ngResource, not a promise itself
-      return ShieldUser.query().$promise
-        .then(users => _.map(users, 'username'))
-        .catch(checkLicenseError(kbnUrl, Promise, Private));
-    },
-    indexPatterns(Private) {
-      const indexPatterns = Private(IndexPatternsProvider);
-      return indexPatterns.getTitles();
-    }
-  },
-  controllerAs: 'editRole',
-  controller($injector, $scope, rbacEnabled, rbacApplication) {
-    const $route = $injector.get('$route');
-    const kbnUrl = $injector.get('kbnUrl');
-    const shieldPrivileges = $injector.get('shieldPrivileges');
-    const Notifier = $injector.get('Notifier');
-    const Private = $injector.get('Private');
-    const confirmModal = $injector.get('confirmModal');
-    const shieldIndices = $injector.get('shieldIndices');
-
-    $scope.role = $route.current.locals.role;
-    $scope.users = $route.current.locals.users;
-    $scope.indexPatterns = $route.current.locals.indexPatterns;
-    $scope.privileges = shieldPrivileges;
-
-    $scope.rbacEnabled = rbacEnabled;
-    const kibanaApplicationPrivilege = $route.current.locals.kibanaApplicationPrivilege;
-    const role = $route.current.locals.role;
-    $scope.kibanaPrivileges = getKibanaPrivileges(kibanaApplicationPrivilege, role, rbacApplication);
-    $scope.otherApplications = getOtherApplications(kibanaApplicationPrivilege, role, rbacApplication);
-
-    $scope.rolesHref = `#${ROLES_PATH}`;
-
-    this.isNewRole = $route.current.params.name == null;
-    this.fieldOptions = {};
-
-    const notifier = new Notifier();
-
-    $scope.deleteRole = (role) => {
-      const doDelete = () => {
-        role.$delete()
-          .then(() => toastNotifications.addSuccess('Deleted role'))
-          .then($scope.goToRoleList)
-          .catch(error => notifier.error(_.get(error, 'data.message')));
-      };
-      const confirmModalOptions = {
-        confirmButtonText: 'Delete role',
-        onConfirm: doDelete
-      };
-      confirmModal('Are you sure you want to delete this role? This action is irreversible!', confirmModalOptions);
-    };
-
-    $scope.saveRole = (role) => {
-      role.indices = role.indices.filter((index) => index.names.length);
-      role.indices.forEach((index) => index.query || delete index.query);
-
-      setApplicationPrivileges($scope.kibanaPrivileges, role, rbacApplication);
-
-      return role.$save()
-        .then(() => toastNotifications.addSuccess('Updated role'))
-        .then($scope.goToRoleList)
-        .catch(error => notifier.error(_.get(error, 'data.message')));
-    };
-
-    $scope.goToRoleList = () => {
-      kbnUrl.redirect(ROLES_PATH);
-    };
-
-    $scope.addIndex = indices => {
-      indices.push({ names: [], privileges: [], field_security: { grant: ['*'] } });
-    };
-
-    $scope.areIndicesValid = (indices) => {
-      return indices
-        .filter((index) => index.names.length)
-        .find((index) => index.privileges.length === 0) == null;
-    };
-
-    $scope.fetchFieldOptions = (index) => {
-      const indices = index.names.join(',');
-      const fieldOptions = this.fieldOptions;
-      if (indices && fieldOptions[indices] == null) {
-        shieldIndices.getFields(indices)
-          .then((fields) => fieldOptions[indices] = fields)
-          .catch(() => fieldOptions[indices] = []);
-      }
-    };
-
-    $scope.isRoleEnabled = isRoleEnabled;
-
-    const xpackInfo = Private(XPackInfoProvider);
-    $scope.allowDocumentLevelSecurity = xpackInfo.get('features.security.allowRoleDocumentLevelSecurity');
-    $scope.allowFieldLevelSecurity = xpackInfo.get('features.security.allowRoleFieldLevelSecurity');
-
-    $scope.$watch('role.indices', (indices) => {
-      if (!indices.length) $scope.addIndex(indices);
-      else indices.forEach($scope.fetchFieldOptions);
-    }, true);
-
-    $scope.toggle = toggle;
-    $scope.includes = _.includes;
-    $scope.togglePermission = (role, permission) => {
-      const shouldRemove = $scope.hasPermission(role, permission);
-      const rolePermissions = role.applications || [];
-      if (shouldRemove) {
-        role.applications = rolePermissions.filter(rolePermission => rolePermission.name === permission.name);
-      } else {
-        role.applications = rolePermissions.concat([permission]);
-      }
-    };
-
-    $scope.union = _.flow(_.union, _.compact);
-  }
-});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/collapsible_panel.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/collapsible_panel.test.js.snap
new file mode 100644
index 00000000000000..d946357354fe2c
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/collapsible_panel.test.js.snap
@@ -0,0 +1,59 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`it renders without blowing up 1`] = `
+<EuiPanel
+  grow={true}
+  hasShadow={false}
+  paddingSize="m"
+>
+  <EuiFlexGroup
+    alignItems="baseline"
+    component="div"
+    direction="row"
+    gutterSize="s"
+    justifyContent="flexStart"
+    responsive={false}
+    wrap={false}
+  >
+    <EuiFlexItem
+      component="div"
+      grow={false}
+    >
+      <EuiTitle
+        size="m"
+      >
+        <h2>
+          <EuiIcon
+            className="collapsiblePanel__logo"
+            size="xl"
+            type="logoElasticsearch"
+          />
+           
+          Elasticsearch
+        </h2>
+      </EuiTitle>
+    </EuiFlexItem>
+    <EuiFlexItem
+      component="div"
+      grow={false}
+    >
+      <EuiLink
+        color="primary"
+        onClick={[Function]}
+        size="s"
+        type="button"
+      >
+        hide
+      </EuiLink>
+    </EuiFlexItem>
+  </EuiFlexGroup>
+  <React.Fragment>
+    <EuiSpacer
+      size="l"
+    />
+    <p>
+      child
+    </p>
+  </React.Fragment>
+</EuiPanel>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/page_header.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/page_header.test.js.snap
new file mode 100644
index 00000000000000..628a5c068f83a0
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/page_header.test.js.snap
@@ -0,0 +1,15 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`it renders without crashing 1`] = `
+<div>
+  <EuiBreadcrumbs
+    breadcrumbs={Array []}
+    max={5}
+    responsive={true}
+    truncate={true}
+  />
+  <EuiSpacer
+    size="l"
+  />
+</div>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.js b/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.js
new file mode 100644
index 00000000000000..f2bac7a02b99c8
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.js
@@ -0,0 +1,74 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component, Fragment } from 'react';
+import PropTypes from 'prop-types';
+import './collapsible_panel.less';
+import {
+  EuiPanel,
+  EuiLink,
+  EuiIcon,
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiTitle,
+  EuiSpacer,
+} from '@elastic/eui';
+
+export class CollapsiblePanel extends Component {
+  static propTypes = {
+    iconType: PropTypes.string.isRequired,
+    title: PropTypes.string.isRequired,
+  }
+
+  state = {
+    collapsed: false
+  }
+
+  render() {
+    return (
+      <EuiPanel>
+        {this.getTitle()}
+        {this.getForm()}
+      </EuiPanel>
+    );
+  }
+
+  getTitle = () => {
+    return (
+      <EuiFlexGroup alignItems={'baseline'} gutterSize="s" responsive={false}>
+        <EuiFlexItem grow={false}>
+          <EuiTitle>
+            <h2>
+              <EuiIcon type={this.props.iconType} size={'xl'} className={'collapsiblePanel__logo'} /> {this.props.title}
+            </h2>
+          </EuiTitle>
+        </EuiFlexItem>
+        <EuiFlexItem grow={false}>
+          <EuiLink size={'s'} onClick={this.toggleCollapsed}>{this.state.collapsed ? 'show' : 'hide'}</EuiLink>
+        </EuiFlexItem>
+      </EuiFlexGroup>
+    );
+  };
+
+  getForm = () => {
+    if (this.state.collapsed) {
+      return null;
+    }
+
+    return (
+      <Fragment>
+        <EuiSpacer />
+        {this.props.children}
+      </Fragment>
+    );
+  }
+
+  toggleCollapsed = () => {
+    this.setState({
+      collapsed: !this.state.collapsed
+    });
+  }
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.less b/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.less
new file mode 100644
index 00000000000000..ffb065880c5609
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.less
@@ -0,0 +1,4 @@
+.collapsiblePanel__logo {
+  margin-right: 8px;
+  vertical-align: text-bottom;
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.test.js
new file mode 100644
index 00000000000000..ec0182101653ac
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.test.js
@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { shallow, mount } from 'enzyme';
+import { CollapsiblePanel } from './collapsible_panel';
+import { EuiLink } from '@elastic/eui';
+
+test('it renders without blowing up', () => {
+  const wrapper = shallow(
+    <CollapsiblePanel
+      iconType="logoElasticsearch"
+      title="Elasticsearch"
+    >
+      <p>child</p>
+    </CollapsiblePanel>
+  );
+
+  expect(wrapper).toMatchSnapshot();
+});
+
+test('it renders children by default', () => {
+  const wrapper = mount(
+    <CollapsiblePanel
+      iconType="logoElasticsearch"
+      title="Elasticsearch"
+    >
+      <p className="child">child 1</p>
+      <p className="child">child 2</p>
+    </CollapsiblePanel>
+  );
+
+  expect(wrapper.find(CollapsiblePanel)).toHaveLength(1);
+  expect(wrapper.find('.child')).toHaveLength(2);
+});
+
+test('it hides children when the "hide" link is clicked', () => {
+  const wrapper = mount(
+    <CollapsiblePanel
+      iconType="logoElasticsearch"
+      title="Elasticsearch"
+    >
+      <p className="child">child 1</p>
+      <p className="child">child 2</p>
+    </CollapsiblePanel>
+  );
+
+  expect(wrapper.find(CollapsiblePanel)).toHaveLength(1);
+  expect(wrapper.find('.child')).toHaveLength(2);
+
+  wrapper.find(EuiLink).simulate('click');
+
+  expect(wrapper.find('.child')).toHaveLength(0);
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.js b/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.js
new file mode 100644
index 00000000000000..805dfb232fff48
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.js
@@ -0,0 +1,78 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component, Fragment } from 'react';
+import PropTypes from 'prop-types';
+import {
+  EuiButton,
+  EuiOverlayMask,
+  EuiConfirmModal,
+} from '@elastic/eui';
+
+export class DeleteRoleButton extends Component {
+  static propTypes = {
+    canDelete: PropTypes.bool.isRequired,
+    onDelete: PropTypes.func.isRequired
+  }
+
+  state = {
+    showModal: false
+  }
+
+  render() {
+    if (!this.props.canDelete) {
+      return null;
+    }
+
+    return (
+      <Fragment>
+        <EuiButton color={'danger'} iconType={'trash'} onClick={this.showModal}>
+          Delete Role
+        </EuiButton>
+        {this.maybeShowModal()}
+      </Fragment>
+    );
+  }
+
+  maybeShowModal = () => {
+    if (!this.state.showModal) {
+      return null;
+    }
+    return (
+      <EuiOverlayMask>
+        <EuiConfirmModal
+          title={'Delete Role'}
+          onCancel={this.closeModal}
+          onConfirm={this.onConfirmDelete}
+          cancelButtonText={"No, don't delete"}
+          confirmButtonText={"Yes, delete role"}
+          buttonColor={'danger'}
+        >
+          <p>Are you sure you want to delete this role?</p>
+          <p>This action cannot be undone!</p>
+        </EuiConfirmModal>
+      </EuiOverlayMask>
+    );
+  }
+
+  closeModal = () => {
+    this.setState({
+      showModal: false
+    });
+  }
+
+  showModal = () => {
+    this.setState({
+      showModal: true
+    });
+  }
+
+  onConfirmDelete = () => {
+    this.closeModal();
+    this.props.onDelete();
+  }
+}
+
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.test.js
new file mode 100644
index 00000000000000..477ffbebf8699e
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.test.js
@@ -0,0 +1,41 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import {
+  EuiButton,
+  EuiConfirmModal,
+} from '@elastic/eui';
+import { DeleteRoleButton } from './delete_role_button';
+import {
+  shallow,
+  mount
+} from 'enzyme';
+
+test('it renders without crashing', () => {
+  const deleteHandler = jest.fn();
+  const wrapper = shallow(<DeleteRoleButton canDelete={true} onDelete={deleteHandler} />);
+  expect(wrapper.find(EuiButton)).toHaveLength(1);
+  expect(deleteHandler).toHaveBeenCalledTimes(0);
+});
+
+test('it shows a confirmation dialog when clicked', () => {
+  const deleteHandler = jest.fn();
+  const wrapper = mount(<DeleteRoleButton canDelete={true} onDelete={deleteHandler} />);
+
+  wrapper.find(EuiButton).simulate('click');
+
+  expect(wrapper.find(EuiConfirmModal)).toHaveLength(1);
+
+  expect(deleteHandler).toHaveBeenCalledTimes(0);
+});
+
+test('it renders nothing when canDelete is false', () => {
+  const deleteHandler = jest.fn();
+  const wrapper = shallow(<DeleteRoleButton canDelete={false} onDelete={deleteHandler} />);
+  expect(wrapper.find('*')).toHaveLength(0);
+  expect(deleteHandler).toHaveBeenCalledTimes(0);
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.js b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.js
new file mode 100644
index 00000000000000..13cd7a4f1823b8
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.js
@@ -0,0 +1,274 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import React, { Component } from 'react';
+import PropTypes from 'prop-types';
+import { get } from 'lodash';
+import { toastNotifications } from 'ui/notify';
+import {
+  EuiPanel,
+  EuiTitle,
+  EuiSpacer,
+  EuiPage,
+  EuiButtonEmpty,
+  EuiForm,
+  EuiFormRow,
+  EuiFieldText,
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiButton,
+} from '@elastic/eui';
+import { PageHeader } from './page_header';
+import { saveRole, deleteRole } from '../../../../objects';
+import { isReservedRole } from '../../../../lib/role';
+import { RoleValidator } from '../lib/validate_role';
+import { ReservedRoleBadge } from './reserved_role_badge';
+import { ROLES_PATH } from '../../management_urls';
+import { DeleteRoleButton } from './delete_role_button';
+import { ElasticsearchPrivileges, KibanaPrivileges } from './privileges';
+
+export class EditRolePage extends Component {
+  static propTypes = {
+    role: PropTypes.object.isRequired,
+    runAsUsers: PropTypes.array.isRequired,
+    indexPatterns: PropTypes.array.isRequired,
+    httpClient: PropTypes.func.isRequired,
+    rbacEnabled: PropTypes.bool.isRequired,
+    rbacApplication: PropTypes.string,
+    allowDocumentLevelSecurity: PropTypes.bool.isRequired,
+    allowFieldLevelSecurity: PropTypes.bool.isRequired,
+    kibanaAppPrivileges: PropTypes.array.isRequired,
+    notifier: PropTypes.func.isRequired,
+  };
+
+  constructor(props) {
+    super(props);
+    this.state = {
+      role: props.role,
+      formError: null
+    };
+    this.validator = new RoleValidator({ shouldValidate: false });
+  }
+
+  render() {
+    return (
+      <EuiPage className="editRolePage">
+        <PageHeader breadcrumbs={this.props.breadcrumbs} />
+        <EuiForm {...this.state.formError}>
+          {this.getFormTitle()}
+
+          <EuiSpacer />
+
+          {this.getRoleName()}
+
+          {this.getElasticsearchPrivileges()}
+
+          {this.getKibanaPrivileges()}
+
+          <EuiSpacer />
+
+          {this.getFormButtons()}
+        </EuiForm>
+      </EuiPage>
+    );
+  }
+
+  getFormTitle = () => {
+    let titleText;
+    if (isReservedRole(this.props.role)) {
+      titleText = 'Viewing role';
+    } else if (this.editingExistingRole()) {
+      titleText = 'Edit role';
+    } else {
+      titleText = 'Create role';
+    }
+
+    return (
+      <EuiTitle size="l"><h1>{titleText} <ReservedRoleBadge role={this.props.role} /></h1></EuiTitle>
+    );
+  };
+
+  getActionButton = () => {
+    if (this.editingExistingRole() && !isReservedRole(this.props.role)) {
+      return (
+        <EuiFlexItem grow={false}>
+          <DeleteRoleButton canDelete={true} onDelete={this.handleDeleteRole} />
+        </EuiFlexItem>
+      );
+    }
+
+    return null;
+  };
+
+  getRoleName = () => {
+    return (
+      <EuiPanel>
+        <EuiFormRow
+          label={'Role name'}
+          helpText={
+            !isReservedRole(this.props.role) && this.editingExistingRole() ?
+              "A role's name cannot be changed once it has been created." : undefined
+          }
+          {...this.validator.validateRoleName(this.state.role)}
+        >
+
+          <EuiFieldText
+            name={'name'}
+            value={this.state.role.name || ''}
+            onChange={this.onNameChange}
+            readOnly={isReservedRole(this.props.role) || this.editingExistingRole()}
+          />
+        </EuiFormRow>
+      </EuiPanel>
+    );
+  }
+
+  onNameChange = (e) => {
+    const rawValue = e.target.value;
+    const name = rawValue.replace(/\s/g, '-');
+
+    this.setState({
+      role: {
+        ...this.state.role,
+        name
+      }
+    });
+  }
+
+  getElasticsearchPrivileges() {
+    return (
+      <div>
+        <EuiSpacer />
+        <ElasticsearchPrivileges
+          role={this.state.role}
+          editable={!isReservedRole(this.state.role)}
+          httpClient={this.props.httpClient}
+          onChange={this.onRoleChange}
+          runAsUsers={this.props.runAsUsers}
+          validator={this.validator}
+          indexPatterns={this.props.indexPatterns}
+          allowDocumentLevelSecurity={this.props.allowDocumentLevelSecurity}
+          allowFieldLevelSecurity={this.props.allowFieldLevelSecurity}
+        />
+      </div>
+    );
+  }
+
+  onRoleChange = (role) => {
+    this.setState({
+      role
+    });
+  }
+
+  getKibanaPrivileges = () => {
+    if (!this.props.rbacEnabled) {
+      return null;
+    }
+
+    return (
+      <div>
+        <EuiSpacer />
+        <KibanaPrivileges
+          kibanaAppPrivileges={this.props.kibanaAppPrivileges}
+          rbacApplication={this.props.rbacApplication}
+          role={this.state.role}
+          onChange={this.onRoleChange}
+        />
+      </div>
+    );
+  };
+
+  getFormButtons = () => {
+    if (isReservedRole(this.props.role)) {
+      return (
+        <EuiButton onClick={this.backToRoleList}>
+          Return to role list
+        </EuiButton>
+      );
+    }
+
+    const saveText = this.editingExistingRole() ? 'Update role' : 'Create role';
+
+    return (
+      <EuiFlexGroup responsive={false}>
+        <EuiFlexItem grow={false}>
+          <EuiButton fill onClick={this.saveRole} disabled={isReservedRole(this.props.role)}>{saveText}</EuiButton>
+        </EuiFlexItem>
+        <EuiFlexItem grow={false}>
+          <EuiButtonEmpty onClick={this.backToRoleList}>
+            Cancel
+          </EuiButtonEmpty>
+        </EuiFlexItem>
+        <EuiFlexItem grow={true} />
+        {this.getActionButton()}
+      </EuiFlexGroup>
+    );
+  };
+
+  editingExistingRole = () => {
+    return !!this.props.role.name;
+  };
+
+  isPlaceholderPrivilege = (indexPrivilege) => {
+    return indexPrivilege.names.length === 0;
+  };
+
+  saveRole = () => {
+    this.validator.enableValidation();
+
+    const result = this.validator.validateForSave(this.state.role);
+    if (result.isInvalid) {
+      this.setState({
+        formError: result
+      });
+    } else {
+      this.setState({
+        formError: null
+      });
+
+      const {
+        httpClient,
+        notifier,
+      } = this.props;
+
+      const role = {
+        ...this.state.role
+      };
+
+      role.indices = role.indices.filter(i => !this.isPlaceholderPrivilege(i));
+      role.indices.forEach((index) => index.query || delete index.query);
+
+      saveRole(httpClient, role)
+        .then(() => {
+          toastNotifications.addSuccess('Saved role');
+          this.backToRoleList();
+        })
+        .catch(error => {
+          notifier.error(get(error, 'data.message'));
+        });
+    }
+  };
+
+  handleDeleteRole = () => {
+    const {
+      httpClient,
+      role,
+      notifier,
+    } = this.props;
+
+    deleteRole(httpClient, role.name)
+      .then(() => {
+        toastNotifications.addSuccess('Deleted role');
+        this.backToRoleList();
+      })
+      .catch(error => {
+        notifier.error(get(error, 'data.message'));
+      });
+  };
+
+  backToRoleList = () => {
+    window.location.hash = ROLES_PATH;
+  };
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/index.js b/x-pack/plugins/security/public/views/management/edit_role/components/index.js
new file mode 100644
index 00000000000000..1a0afb37c47917
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/index.js
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { EditRolePage } from './edit_role_page';
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/page_header.js b/x-pack/plugins/security/public/views/management/edit_role/components/page_header.js
new file mode 100644
index 00000000000000..87aac824908179
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/page_header.js
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component } from 'react';
+import PropTypes from 'prop-types';
+
+import {
+  EuiBreadcrumbs,
+  EuiSpacer,
+} from '@elastic/eui';
+
+export class PageHeader extends Component {
+  render() {
+    return (
+      <div>
+        <EuiBreadcrumbs breadcrumbs={this.props.breadcrumbs.map(this.buildBreadcrumb)} />
+        <EuiSpacer />
+      </div>
+    );
+  }
+
+  buildBreadcrumb = (breadcrumb) => {
+    return {
+      text: breadcrumb.display,
+      href: breadcrumb.href,
+    };
+  }
+}
+
+PageHeader.propTypes = {
+  breadcrumbs: PropTypes.array.isRequired
+};
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/page_header.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/page_header.test.js
new file mode 100644
index 00000000000000..99f6994ea98981
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/page_header.test.js
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { shallow, mount } from 'enzyme';
+import { PageHeader } from './page_header';
+import { EuiBreadcrumbs } from '@elastic/eui';
+
+test('it renders without crashing', () => {
+  const wrapper = shallow(<PageHeader breadcrumbs={[]} />);
+  expect(wrapper.find(EuiBreadcrumbs)).toHaveLength(1);
+  expect(wrapper).toMatchSnapshot();
+});
+
+test('it renders breadcrumbs', () => {
+  const breadcrumbs = [{
+    display: 'item-1',
+    href: '#item-1',
+  }, {
+    display: 'item-2',
+    href: '#item-2',
+  }, {
+    display: 'item-3',
+    href: '#item-3',
+  }];
+
+  const wrapper = mount(<PageHeader breadcrumbs={breadcrumbs} />);
+  expect(wrapper.find(EuiBreadcrumbs)).toHaveLength(1);
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/cluster_privileges.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/cluster_privileges.test.js.snap
new file mode 100644
index 00000000000000..5315e277468ed8
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/cluster_privileges.test.js.snap
@@ -0,0 +1,92 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`it renders without crashing 1`] = `
+<EuiFlexGroup
+  alignItems="stretch"
+  component="div"
+  direction="row"
+  gutterSize="l"
+  justifyContent="flexStart"
+  responsive={true}
+  wrap={false}
+>
+  <EuiFlexItem
+    component="div"
+    grow={true}
+    key="0"
+  >
+    <EuiCheckboxGroup
+      disabled={false}
+      idToSelectedMap={Object {}}
+      onChange={[Function]}
+      options={
+        Array [
+          Object {
+            "id": "all",
+            "label": "all",
+          },
+          Object {
+            "id": "monitor",
+            "label": "monitor",
+          },
+          Object {
+            "id": "manage",
+            "label": "manage",
+          },
+          Object {
+            "id": "manage_security",
+            "label": "manage_security",
+          },
+          Object {
+            "id": "manage_index_templates",
+            "label": "manage_index_templates",
+          },
+          Object {
+            "id": "manage_pipeline",
+            "label": "manage_pipeline",
+          },
+        ]
+      }
+    />
+  </EuiFlexItem>
+  <EuiFlexItem
+    component="div"
+    grow={true}
+    key="1"
+  >
+    <EuiCheckboxGroup
+      disabled={false}
+      idToSelectedMap={Object {}}
+      onChange={[Function]}
+      options={
+        Array [
+          Object {
+            "id": "manage_ingest_pipelines",
+            "label": "manage_ingest_pipelines",
+          },
+          Object {
+            "id": "transport_client",
+            "label": "transport_client",
+          },
+          Object {
+            "id": "manage_ml",
+            "label": "manage_ml",
+          },
+          Object {
+            "id": "monitor_ml",
+            "label": "monitor_ml",
+          },
+          Object {
+            "id": "manage_watcher",
+            "label": "manage_watcher",
+          },
+          Object {
+            "id": "monitor_watcher",
+            "label": "monitor_watcher",
+          },
+        ]
+      }
+    />
+  </EuiFlexItem>
+</EuiFlexGroup>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap
new file mode 100644
index 00000000000000..dfc6b43dff6364
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap
@@ -0,0 +1,160 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`it renders without crashing 1`] = `
+<CollapsiblePanel
+  iconType="logoElasticsearch"
+  title="Elasticsearch"
+>
+  <React.Fragment>
+    <EuiDescribedFormGroup
+      description={
+        <p>
+          Manage the actions this role can perform against your cluster. 
+          <EuiLink
+            className="editRole__learnMore"
+            color="primary"
+            href="undefinedguide/en/x-pack/undefined/security-privileges.html#security-privileges"
+            target="_blank"
+            type="button"
+          >
+            Learn more
+          </EuiLink>
+        </p>
+      }
+      fullWidth={false}
+      gutterSize="l"
+      title={
+        <h3>
+          Cluster privileges
+        </h3>
+      }
+      titleSize="xs"
+    >
+      <EuiFormRow
+        describedByIds={Array []}
+        fullWidth={true}
+        hasEmptyLabelSpace={true}
+      >
+        <ClusterPrivileges
+          onChange={[Function]}
+          role={
+            Object {
+              "cluster": Array [],
+              "indices": Array [],
+              "run_as": Array [],
+            }
+          }
+        />
+      </EuiFormRow>
+    </EuiDescribedFormGroup>
+    <EuiSpacer
+      size="l"
+    />
+    <EuiDescribedFormGroup
+      description={
+        <p>
+          Allow requests to be submitted on the behalf of other users. 
+          <EuiLink
+            className="editRole__learnMore"
+            color="primary"
+            href="undefinedguide/en/x-pack/undefined/security-privileges.html#_run_as_privilege"
+            target="_blank"
+            type="button"
+          >
+            Learn more
+          </EuiLink>
+        </p>
+      }
+      fullWidth={false}
+      gutterSize="l"
+      title={
+        <h3>
+          Run As privileges
+        </h3>
+      }
+      titleSize="xs"
+    >
+      <EuiFormRow
+        describedByIds={Array []}
+        fullWidth={false}
+        hasEmptyLabelSpace={true}
+      >
+        <EuiComboBox
+          isClearable={true}
+          isDisabled={false}
+          onChange={[Function]}
+          options={Array []}
+          placeholder="Add a user..."
+          selectedOptions={Array []}
+          singleSelection={false}
+        />
+      </EuiFormRow>
+    </EuiDescribedFormGroup>
+    <EuiSpacer
+      size="l"
+    />
+    <EuiTitle
+      size="xs"
+    >
+      <h3>
+        Index privileges
+      </h3>
+    </EuiTitle>
+    <EuiSpacer
+      size="s"
+    />
+    <EuiText
+      color="subdued"
+      grow={true}
+      size="s"
+    >
+      <p>
+        Control access to the data in your cluster. 
+        <EuiLink
+          className="editRole__learnMore"
+          color="primary"
+          href="undefinedguide/en/x-pack/undefined/security-privileges.html#privileges-list-indices"
+          target="_blank"
+          type="button"
+        >
+          Learn more
+        </EuiLink>
+      </p>
+    </EuiText>
+    <IndexPrivileges
+      allowDocumentLevelSecurity={true}
+      allowFieldLevelSecurity={true}
+      httpClient={[MockFunction]}
+      indexPatterns={Array []}
+      onChange={[MockFunction]}
+      role={
+        Object {
+          "cluster": Array [],
+          "indices": Array [],
+          "run_as": Array [],
+        }
+      }
+      validator={
+        RoleValidator {
+          "_shouldValidate": undefined,
+        }
+      }
+    />
+    <EuiHorizontalRule
+      margin="l"
+      size="full"
+    />
+    <EuiButton
+      color="primary"
+      fill={false}
+      iconSide="left"
+      iconType="plusInCircle"
+      onClick={[Function]}
+      size="s"
+      type="button"
+    >
+      Add index privilege
+    </EuiButton>
+  </React.Fragment>
+</CollapsiblePanel>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privilege_form.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privilege_form.test.js.snap
new file mode 100644
index 00000000000000..b84dcc659d5f96
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privilege_form.test.js.snap
@@ -0,0 +1,184 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`it renders without crashing 1`] = `
+<React.Fragment>
+  <EuiHorizontalRule
+    margin="l"
+    size="full"
+  />
+  <EuiFlexGroup
+    alignItems="stretch"
+    className="index-privilege-form"
+    component="div"
+    direction="row"
+    gutterSize="l"
+    justifyContent="flexStart"
+    responsive={true}
+    wrap={false}
+  >
+    <EuiFlexItem
+      component="div"
+      grow={true}
+    >
+      <React.Fragment>
+        <EuiFlexGroup
+          alignItems="stretch"
+          component="div"
+          direction="row"
+          gutterSize="l"
+          justifyContent="flexStart"
+          responsive={true}
+          wrap={false}
+        >
+          <EuiFlexItem
+            component="div"
+            grow={true}
+          >
+            <EuiFormRow
+              describedByIds={Array []}
+              fullWidth={true}
+              hasEmptyLabelSpace={false}
+              isInvalid={false}
+              label="Indices"
+            >
+              <EuiComboBox
+                isClearable={true}
+                isDisabled={false}
+                onChange={[Function]}
+                onCreateOption={[Function]}
+                options={Array []}
+                selectedOptions={Array []}
+                singleSelection={false}
+              />
+            </EuiFormRow>
+          </EuiFlexItem>
+          <EuiFlexItem
+            component="div"
+            grow={true}
+          >
+            <EuiFormRow
+              describedByIds={Array []}
+              fullWidth={true}
+              hasEmptyLabelSpace={false}
+              label="Privileges"
+            >
+              <EuiComboBox
+                isClearable={true}
+                isDisabled={false}
+                onChange={[Function]}
+                options={
+                  Array [
+                    Object {
+                      "label": "all",
+                    },
+                    Object {
+                      "label": "manage",
+                    },
+                    Object {
+                      "label": "monitor",
+                    },
+                    Object {
+                      "label": "read",
+                    },
+                    Object {
+                      "label": "index",
+                    },
+                    Object {
+                      "label": "create",
+                    },
+                    Object {
+                      "label": "delete",
+                    },
+                    Object {
+                      "label": "write",
+                    },
+                    Object {
+                      "label": "delete_index",
+                    },
+                    Object {
+                      "label": "create_index",
+                    },
+                    Object {
+                      "label": "view_index_metadata",
+                    },
+                    Object {
+                      "label": "read_cross_cluster",
+                    },
+                  ]
+                }
+                selectedOptions={Array []}
+                singleSelection={false}
+              />
+            </EuiFormRow>
+          </EuiFlexItem>
+          <EuiFlexItem
+            component="div"
+            grow={true}
+          >
+            <EuiFormRow
+              className="indexPrivilegeForm__grantedFieldsRow"
+              describedByIds={Array []}
+              fullWidth={true}
+              hasEmptyLabelSpace={false}
+              helpText="If no fields are granted, then users assigned to this role will not be able to see any data for this index."
+              label="Granted fields (optional)"
+            >
+              <React.Fragment>
+                <EuiComboBox
+                  isClearable={true}
+                  isDisabled={false}
+                  onChange={[Function]}
+                  onCreateOption={[Function]}
+                  options={Array []}
+                  selectedOptions={Array []}
+                  singleSelection={false}
+                />
+              </React.Fragment>
+            </EuiFormRow>
+          </EuiFlexItem>
+        </EuiFlexGroup>
+        <EuiSpacer
+          size="l"
+        />
+        <EuiFlexGroup
+          alignItems="stretch"
+          component="div"
+          direction="column"
+          gutterSize="l"
+          justifyContent="flexStart"
+          responsive={true}
+          wrap={false}
+        >
+          <EuiFlexItem
+            component="div"
+            grow={true}
+          >
+            <EuiSwitch
+              compressed={true}
+              label="Restrict documents query"
+              onChange={[Function]}
+            />
+          </EuiFlexItem>
+        </EuiFlexGroup>
+      </React.Fragment>
+    </EuiFlexItem>
+    <EuiFlexItem
+      component="div"
+      grow={false}
+    >
+      <EuiFormRow
+        describedByIds={Array []}
+        fullWidth={false}
+        hasEmptyLabelSpace={true}
+      >
+        <EuiButtonIcon
+          aria-label="Delete index privilege"
+          color="danger"
+          iconType="trash"
+          type="button"
+        />
+      </EuiFormRow>
+    </EuiFlexItem>
+  </EuiFlexGroup>
+</React.Fragment>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privileges.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privileges.test.js.snap
new file mode 100644
index 00000000000000..189c4766c29f99
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privileges.test.js.snap
@@ -0,0 +1,3 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`it renders without crashing 1`] = `Array []`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.js
new file mode 100644
index 00000000000000..e67ddd16a7fb3c
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.js
@@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component } from 'react';
+import _ from 'lodash';
+import PropTypes from 'prop-types';
+import { getClusterPrivileges } from '../../../../../services/role_privileges';
+import { isReservedRole } from '../../../../../lib/role';
+import {
+  EuiCheckboxGroup,
+  EuiFlexGroup,
+  EuiFlexItem,
+} from '@elastic/eui';
+
+export class ClusterPrivileges extends Component {
+  static propTypes = {
+    role: PropTypes.object.isRequired,
+    onChange: PropTypes.func.isRequired,
+  };
+
+  render() {
+
+    const clusterPrivileges = getClusterPrivileges();
+    const privilegeGroups = _.chunk(clusterPrivileges, clusterPrivileges.length / 2);
+
+    return (
+      <EuiFlexGroup>
+        {privilegeGroups.map(this.buildCheckboxGroup)}
+      </EuiFlexGroup>
+    );
+  }
+
+  buildCheckboxGroup = (items, key) => {
+    const role = this.props.role;
+
+    const checkboxes = items.map(i => ({
+      id: i,
+      label: i
+    }));
+
+    const selectionMap = (role.cluster || [])
+      .map(k => ({ [k]: true }))
+      .reduce((acc, o) => ({ ...acc, ...o }), {});
+
+    return (
+      <EuiFlexItem key={key}>
+        <EuiCheckboxGroup
+          options={checkboxes}
+          idToSelectedMap={selectionMap}
+          onChange={this.onClusterPrivilegesChange}
+          disabled={isReservedRole(role)}
+        />
+      </EuiFlexItem>
+    );
+  };
+
+  onClusterPrivilegesChange = (privilege) => {
+    const { cluster } = this.props.role;
+    const indexOfExistingPrivilege = cluster.indexOf(privilege);
+
+    const shouldRemove = indexOfExistingPrivilege >= 0;
+
+    const newClusterPrivs = [...cluster];
+    if (shouldRemove) {
+      newClusterPrivs.splice(indexOfExistingPrivilege, 1);
+    } else {
+      newClusterPrivs.push(privilege);
+    }
+
+    this.props.onChange(newClusterPrivs);
+  }
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.test.js
new file mode 100644
index 00000000000000..f75cf0ade71a9f
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.test.js
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { shallow, mount } from 'enzyme';
+import { ClusterPrivileges } from './cluster_privileges';
+import { EuiCheckboxGroup } from '@elastic/eui';
+
+test('it renders without crashing', () => {
+  const wrapper = shallow(<ClusterPrivileges role={{}} onChange={jest.fn()} />);
+  expect(wrapper).toMatchSnapshot();
+});
+
+test('it renders 2 checkbox groups of privileges', () => {
+  const wrapper = mount(<ClusterPrivileges role={{}} onChange={jest.fn()} />);
+  expect(wrapper.find(EuiCheckboxGroup)).toHaveLength(2);
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.js
new file mode 100644
index 00000000000000..a0c6eca6f0c6e7
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.js
@@ -0,0 +1,163 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component, Fragment } from 'react';
+import PropTypes from 'prop-types';
+import {
+  EuiText,
+  EuiSpacer,
+  EuiComboBox,
+  EuiFormRow,
+  EuiButton,
+  EuiDescribedFormGroup,
+  EuiTitle,
+  EuiHorizontalRule,
+  EuiLink,
+} from '@elastic/eui';
+import './elasticsearch_privileges.less';
+import { ClusterPrivileges } from './cluster_privileges';
+import { IndexPrivileges } from './index_privileges';
+import { CollapsiblePanel } from '../collapsible_panel';
+import { documentationLinks } from '../../../../../documentation_links';
+
+export class ElasticsearchPrivileges extends Component {
+  static propTypes = {
+    role: PropTypes.object.isRequired,
+    editable: PropTypes.bool.isRequired,
+    httpClient: PropTypes.func.isRequired,
+    onChange: PropTypes.func.isRequired,
+    runAsUsers: PropTypes.array.isRequired,
+    validator: PropTypes.object.isRequired,
+    indexPatterns: PropTypes.array.isRequired,
+    allowDocumentLevelSecurity: PropTypes.bool.isRequired,
+    allowFieldLevelSecurity: PropTypes.bool.isRequired,
+  };
+
+  render() {
+    return (
+      <CollapsiblePanel iconType={'logoElasticsearch'} title={'Elasticsearch'}>
+        {this.getForm()}
+      </CollapsiblePanel>
+    );
+  }
+
+  getForm = () => {
+    const {
+      role,
+      httpClient,
+      validator,
+      onChange,
+      indexPatterns,
+      allowDocumentLevelSecurity,
+      allowFieldLevelSecurity,
+    } = this.props;
+
+    const indexProps = {
+      role,
+      httpClient,
+      validator,
+      indexPatterns,
+      allowDocumentLevelSecurity,
+      allowFieldLevelSecurity,
+      onChange,
+    };
+
+    return (
+      <Fragment>
+        <EuiDescribedFormGroup
+          title={<h3>Cluster privileges</h3>}
+          description={
+            <p>
+              Manage the actions this role can perform against your cluster. {this.learnMore(documentationLinks.esClusterPrivileges)}
+            </p>
+          }
+        >
+          <EuiFormRow fullWidth={true} hasEmptyLabelSpace>
+            <ClusterPrivileges role={this.props.role} onChange={this.onClusterPrivilegesChange} />
+          </EuiFormRow>
+        </EuiDescribedFormGroup>
+
+        <EuiSpacer />
+
+        <EuiDescribedFormGroup
+          title={<h3>Run As privileges</h3>}
+          description={
+            <p>
+              Allow requests to be submitted on the behalf of other users. {this.learnMore(documentationLinks.esRunAsPrivileges)}
+            </p>
+          }
+        >
+          <EuiFormRow hasEmptyLabelSpace>
+            <EuiComboBox
+              placeholder={this.props.editable ? 'Add a user...' : null}
+              options={this.props.runAsUsers.map(username => ({ id: username, label: username }))}
+              selectedOptions={this.props.role.run_as.map(u => ({ label: u }))}
+              onChange={this.onRunAsUserChange}
+              isDisabled={!this.props.editable}
+            />
+          </EuiFormRow>
+        </EuiDescribedFormGroup>
+
+        <EuiSpacer />
+
+        <EuiTitle size={'xs'}><h3>Index privileges</h3></EuiTitle>
+        <EuiSpacer size={'s'} />
+        <EuiText size={'s'} color={'subdued'}>
+          <p>Control access to the data in your cluster. {this.learnMore(documentationLinks.esIndicesPrivileges)}</p>
+        </EuiText>
+
+        <IndexPrivileges {...indexProps} />
+
+        <EuiHorizontalRule />
+
+        {this.props.editable && (
+          <EuiButton size={'s'} iconType={'plusInCircle'} onClick={this.addIndexPrivilege}>Add index privilege</EuiButton>
+        )}
+      </Fragment>
+    );
+  }
+
+  learnMore = (href) => (
+    <EuiLink className="editRole__learnMore" href={href} target={'_blank'}>
+      Learn more
+    </EuiLink>
+  );
+
+  addIndexPrivilege = () => {
+    const { role } = this.props;
+
+    const newIndices = [...role.indices, {
+      names: [],
+      privileges: [],
+      field_security: {
+        grant: ['*']
+      }
+    }];
+
+    this.props.onChange({
+      ...this.props.role,
+      indices: newIndices
+    });
+  };
+
+  onClusterPrivilegesChange = (cluster) => {
+    const role = {
+      ...this.props.role,
+      cluster
+    };
+
+    this.props.onChange(role);
+  }
+
+  onRunAsUserChange = (users) => {
+    const role = {
+      ...this.props.role,
+      run_as: users.map(u => u.label)
+    };
+
+    this.props.onChange(role);
+  }
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.less b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.less
new file mode 100644
index 00000000000000..776ef72a4627e5
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.less
@@ -0,0 +1,3 @@
+.editRole__learnMore {
+  margin-left: 5px;
+}
\ No newline at end of file
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.test.js
new file mode 100644
index 00000000000000..7a2af5723e543d
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.test.js
@@ -0,0 +1,72 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { shallow, mount } from 'enzyme';
+import { IndexPrivileges } from './index_privileges';
+import { ClusterPrivileges } from './cluster_privileges';
+import { ElasticsearchPrivileges } from './elasticsearch_privileges';
+import { RoleValidator } from '../../lib/validate_role';
+
+test('it renders without crashing', () => {
+  const props = {
+    role: {
+      cluster: [],
+      indices: [],
+      run_as: []
+    },
+    editable: true,
+    httpClient: jest.fn(),
+    onChange: jest.fn(),
+    runAsUsers: [],
+    indexPatterns: [],
+    allowDocumentLevelSecurity: true,
+    allowFieldLevelSecurity: true,
+    validator: new RoleValidator(),
+  };
+  const wrapper = shallow(<ElasticsearchPrivileges {...props} />);
+  expect(wrapper).toMatchSnapshot();
+});
+
+test('it renders ClusterPrivileges', () => {
+  const props = {
+    role: {
+      cluster: [],
+      indices: [],
+      run_as: []
+    },
+    editable: true,
+    httpClient: jest.fn(),
+    onChange: jest.fn(),
+    runAsUsers: [],
+    indexPatterns: [],
+    allowDocumentLevelSecurity: true,
+    allowFieldLevelSecurity: true,
+    validator: new RoleValidator(),
+  };
+  const wrapper = mount(<ElasticsearchPrivileges {...props} />);
+  expect(wrapper.find(ClusterPrivileges)).toHaveLength(1);
+});
+
+test('it renders IndexPrivileges', () => {
+  const props = {
+    role: {
+      cluster: [],
+      indices: [],
+      run_as: []
+    },
+    editable: true,
+    httpClient: jest.fn(),
+    onChange: jest.fn(),
+    runAsUsers: [],
+    indexPatterns: [],
+    allowDocumentLevelSecurity: true,
+    allowFieldLevelSecurity: true,
+    validator: new RoleValidator(),
+  };
+  const wrapper = mount(<ElasticsearchPrivileges {...props} />);
+  expect(wrapper.find(IndexPrivileges)).toHaveLength(1);
+});
\ No newline at end of file
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index.js
new file mode 100644
index 00000000000000..d142af394b1555
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index.js
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { ElasticsearchPrivileges } from './elasticsearch_privileges';
+export { KibanaPrivileges } from './kibana_privileges';
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.js
new file mode 100644
index 00000000000000..ee62b80c5e282f
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.js
@@ -0,0 +1,260 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import React, { Component, Fragment } from 'react';
+import PropTypes from 'prop-types';
+import {
+  EuiComboBox,
+  EuiTextArea,
+  EuiFormRow,
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiSwitch,
+  EuiSpacer,
+  EuiHorizontalRule,
+  EuiButtonIcon,
+} from '@elastic/eui';
+import { getIndexPrivileges } from '../../../../../services/role_privileges';
+
+const fromOption = (option) => option.label;
+const toOption = (value) => ({ label: value });
+
+export class IndexPrivilegeForm extends Component {
+  static propTypes = {
+    indexPrivilege: PropTypes.object.isRequired,
+    indexPatterns: PropTypes.array.isRequired,
+    availableFields: PropTypes.array,
+    onChange: PropTypes.func.isRequired,
+    isReservedRole: PropTypes.bool.isRequired,
+    allowDelete: PropTypes.bool.isRequired,
+    allowDocumentLevelSecurity: PropTypes.bool.isRequired,
+    allowFieldLevelSecurity: PropTypes.bool.isRequired,
+    validator: PropTypes.object.isRequired,
+  };
+
+  constructor(props) {
+    super(props);
+    this.state = {
+      queryExpanded: !!props.indexPrivilege.query,
+      documentQuery: props.indexPrivilege.query
+    };
+  }
+
+  render() {
+    return (
+      <Fragment>
+        <EuiHorizontalRule />
+        <EuiFlexGroup className="index-privilege-form">
+          <EuiFlexItem>
+            {this.getPrivilegeForm()}
+          </EuiFlexItem>
+          {this.props.allowDelete && (
+            <EuiFlexItem grow={false}>
+              <EuiFormRow hasEmptyLabelSpace>
+                <EuiButtonIcon aria-label={'Delete index privilege'} color={'danger'} onClick={this.props.onDelete} iconType={'trash'} />
+              </EuiFormRow>
+            </EuiFlexItem>
+          )}
+        </EuiFlexGroup>
+      </Fragment>
+    );
+  }
+
+  getPrivilegeForm = () => {
+    return (
+      <Fragment>
+        <EuiFlexGroup>
+          <EuiFlexItem>
+            <EuiFormRow label={'Indices'} fullWidth={true} {...this.props.validator.validateIndexPrivilege(this.props.indexPrivilege)}>
+              <EuiComboBox
+                options={this.props.indexPatterns.map(toOption)}
+                selectedOptions={this.props.indexPrivilege.names.map(toOption)}
+                onCreateOption={this.onCreateIndexPatternOption}
+                onChange={this.onIndexPatternsChange}
+                isDisabled={this.props.isReservedRole}
+              />
+            </EuiFormRow>
+          </EuiFlexItem>
+          <EuiFlexItem>
+            <EuiFormRow label={'Privileges'} fullWidth={true}>
+              <EuiComboBox
+                options={getIndexPrivileges().map(toOption)}
+                selectedOptions={this.props.indexPrivilege.privileges.map(toOption)}
+                onChange={this.onPrivilegeChange}
+                isDisabled={this.props.isReservedRole}
+              />
+            </EuiFormRow>
+          </EuiFlexItem>
+          {this.getGrantedFieldsControl()}
+        </EuiFlexGroup>
+
+        <EuiSpacer />
+
+        {this.getGrantedDocumentsControl()}
+      </Fragment>
+    );
+  };
+
+  getGrantedFieldsControl = () => {
+    const {
+      allowFieldLevelSecurity,
+      availableFields,
+      indexPrivilege,
+      isReservedRole,
+    } = this.props;
+
+    if (!allowFieldLevelSecurity) {
+      return null;
+    }
+
+    const { grant = [] } = indexPrivilege.field_security || {};
+
+    if (allowFieldLevelSecurity) {
+      return (
+        <EuiFlexItem>
+          <EuiFormRow
+            label={'Granted fields (optional)'}
+            fullWidth={true}
+            className="indexPrivilegeForm__grantedFieldsRow"
+            helpText={
+              !isReservedRole && grant.length === 0 ?
+                'If no fields are granted, then users assigned to this role will not be able to see any data for this index.' : undefined
+            }
+          >
+            <Fragment>
+              <EuiComboBox
+                options={availableFields ? availableFields.map(toOption) : []}
+                selectedOptions={grant.map(toOption)}
+                onCreateOption={this.onCreateGrantedField}
+                onChange={this.onGrantedFieldsChange}
+                isDisabled={this.props.isReservedRole}
+              />
+            </Fragment>
+          </EuiFormRow>
+        </EuiFlexItem>
+      );
+    }
+
+    return null;
+  }
+
+  getGrantedDocumentsControl = () => {
+    const {
+      allowDocumentLevelSecurity,
+      indexPrivilege,
+    } = this.props;
+
+    if (!allowDocumentLevelSecurity) {
+      return null;
+    }
+
+    return (
+      <EuiFlexGroup direction="column">
+        {!this.props.isReservedRole &&
+          <EuiFlexItem>
+            <EuiSwitch
+              label={'Restrict documents query'}
+              compressed={true}
+              value={this.state.queryExanded}
+              onChange={this.toggleDocumentQuery}
+            />
+          </EuiFlexItem>
+        }
+        {this.state.queryExpanded &&
+          <EuiFlexItem>
+            <EuiFormRow label={'Granted documents query'} fullWidth={true}>
+              <EuiTextArea
+                style={{ resize: "none" }}
+                fullWidth={true}
+                value={indexPrivilege.query}
+                onChange={this.onQueryChange}
+                readOnly={this.props.isReservedRole}
+              />
+            </EuiFormRow>
+          </EuiFlexItem>
+        }
+      </EuiFlexGroup>
+    );
+  };
+
+  toggleDocumentQuery = () => {
+    const willToggleOff = this.state.queryExanded;
+    const willToggleOn = !willToggleOff;
+
+    // If turning off, then save the current query in state so that we can restore it if the user changes their mind.
+    this.setState({
+      queryExpanded: !this.state.queryExpanded,
+      documentQuery: willToggleOff ? this.props.indexPrivilege.query : this.state.documentQuery
+    });
+
+    // If turning off, then remove the query from the Index Privilege
+    if (willToggleOff) {
+      this.props.onChange({
+        ...this.props.indexPrivilege,
+        query: '',
+      });
+    }
+
+    // If turning on, then restore the saved query if available
+    if (willToggleOn && !this.props.indexPrivilege.query && this.state.documentQuery) {
+      this.props.onChange({
+        ...this.props.indexPrivilege,
+        query: this.state.documentQuery,
+      });
+    }
+  };
+
+  onCreateIndexPatternOption = (option) => {
+    const newIndexPatterns = this.props.indexPrivilege.names.concat([option]);
+
+    this.props.onChange({
+      ...this.props.indexPrivilege,
+      names: newIndexPatterns,
+    });
+  };
+
+  onIndexPatternsChange = (newPatterns) => {
+    this.props.onChange({
+      ...this.props.indexPrivilege,
+      names: newPatterns.map(fromOption),
+    });
+  };
+
+  onPrivilegeChange = (newPrivileges) => {
+    this.props.onChange({
+      ...this.props.indexPrivilege,
+      privileges: newPrivileges.map(fromOption),
+    });
+  };
+
+  onQueryChange = (e) => {
+    this.props.onChange({
+      ...this.props.indexPrivilege,
+      query: e.target.value,
+    });
+  };
+
+  onCreateGrantedField = (grant) => {
+    const newGrants = this.props.indexPrivilege.field_security.grant.concat([grant]);
+
+    this.props.onChange({
+      ...this.props.indexPrivilege,
+      field_security: {
+        ...this.props.indexPrivilege.field_security,
+        grant: newGrants,
+      },
+    });
+  };
+
+  onGrantedFieldsChange = (grantedFields) => {
+    this.props.onChange({
+      ...this.props.indexPrivilege,
+      field_security: {
+        ...this.props.indexPrivilege.field_security,
+        grant: grantedFields.map(fromOption),
+      },
+    });
+  };
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.test.js
new file mode 100644
index 00000000000000..1fed539d2526dc
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.test.js
@@ -0,0 +1,206 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import React from 'react';
+import { shallow, mount } from 'enzyme';
+import { IndexPrivilegeForm } from './index_privilege_form';
+import { RoleValidator } from '../../lib/validate_role';
+import { EuiSwitch, EuiTextArea, EuiButtonIcon } from '@elastic/eui';
+
+test('it renders without crashing', () => {
+  const props = {
+    indexPrivilege: {
+      names: [],
+      privileges: [],
+      query: null,
+      field_security: {
+        grant: []
+      }
+    },
+    indexPatterns: [],
+    availableFields: [],
+    isReservedRole: false,
+    allowDelete: true,
+    allowDocumentLevelSecurity: true,
+    allowFieldLevelSecurity: true,
+    validator: new RoleValidator(),
+    onChange: jest.fn()
+  };
+
+  const wrapper = shallow(<IndexPrivilegeForm {...props} />);
+  expect(wrapper).toMatchSnapshot();
+});
+
+describe('delete button', () => {
+  const props = {
+    indexPrivilege: {
+      names: [],
+      privileges: [],
+      query: null,
+      field_security: {
+        grant: []
+      }
+    },
+    indexPatterns: [],
+    availableFields: [],
+    isReservedRole: false,
+    allowDelete: true,
+    allowDocumentLevelSecurity: true,
+    allowFieldLevelSecurity: true,
+    validator: new RoleValidator(),
+    onChange: jest.fn(),
+    onDelete: jest.fn()
+  };
+
+  test('it is hidden when allowDelete is false', () => {
+    const testProps = {
+      ...props,
+      allowDelete: false
+    };
+    const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
+    expect(wrapper.find(EuiButtonIcon)).toHaveLength(0);
+  });
+
+  test('it is shown when allowDelete is true', () => {
+    const testProps = {
+      ...props,
+      allowDelete: true
+    };
+    const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
+    expect(wrapper.find(EuiButtonIcon)).toHaveLength(1);
+  });
+
+  test('it invokes onDelete when clicked', () => {
+    const testProps = {
+      ...props,
+      allowDelete: true
+    };
+    const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
+    wrapper.find(EuiButtonIcon).simulate('click');
+    expect(testProps.onDelete).toHaveBeenCalledTimes(1);
+  });
+});
+
+describe(`document level security`, () => {
+  const props = {
+    indexPrivilege: {
+      names: [],
+      privileges: [],
+      query: "some query",
+      field_security: {
+        grant: []
+      }
+    },
+    indexPatterns: [],
+    availableFields: [],
+    isReservedRole: false,
+    allowDelete: true,
+    allowDocumentLevelSecurity: true,
+    allowFieldLevelSecurity: true,
+    validator: new RoleValidator(),
+    onChange: jest.fn()
+  };
+
+  test(`inputs are hidden when DLS is not allowed`, () => {
+    const testProps = {
+      ...props,
+      allowDocumentLevelSecurity: false
+    };
+
+    const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
+    expect(wrapper.find(EuiSwitch)).toHaveLength(0);
+    expect(wrapper.find(EuiTextArea)).toHaveLength(0);
+  });
+
+  test('only the switch is shown when allowed, and query is empty', () => {
+    const testProps = {
+      ...props,
+      indexPrivilege: {
+        ...props.indexPrivilege,
+        query: null
+      }
+    };
+
+    const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
+    expect(wrapper.find(EuiSwitch)).toHaveLength(1);
+    expect(wrapper.find(EuiTextArea)).toHaveLength(0);
+  });
+
+  test('both inputs are shown when allowed, and query is not empty', () => {
+    const testProps = {
+      ...props,
+    };
+
+    const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
+    expect(wrapper.find(EuiSwitch)).toHaveLength(1);
+    expect(wrapper.find(EuiTextArea)).toHaveLength(1);
+  });
+});
+
+describe('field level security', () => {
+  const props = {
+    indexPrivilege: {
+      names: [],
+      privileges: [],
+      query: null,
+      field_security: {
+        grant: ["foo*"]
+      }
+    },
+    indexPatterns: [],
+    availableFields: [],
+    isReservedRole: false,
+    allowDelete: true,
+    allowDocumentLevelSecurity: true,
+    allowFieldLevelSecurity: true,
+    validator: new RoleValidator(),
+    onChange: jest.fn()
+  };
+
+  test(`input is hidden when FLS is not allowed`, () => {
+    const testProps = {
+      ...props,
+      allowFieldLevelSecurity: false
+    };
+
+    const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
+    expect(wrapper.find(".indexPrivilegeForm__grantedFieldsRow")).toHaveLength(0);
+  });
+
+  test('input is shown when allowed', () => {
+    const testProps = {
+      ...props,
+    };
+
+    const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
+    expect(wrapper.find("div.indexPrivilegeForm__grantedFieldsRow")).toHaveLength(1);
+  });
+
+  test('it displays a warning when no fields are granted', () => {
+    const testProps = {
+      ...props,
+      indexPrivilege: {
+        ...props.indexPrivilege,
+        field_security: {
+          grant: []
+        }
+      }
+    };
+
+    const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
+    expect(wrapper.find("div.indexPrivilegeForm__grantedFieldsRow")).toHaveLength(1);
+    expect(wrapper.find(".euiFormHelpText")).toHaveLength(1);
+  });
+
+  test('it does not display a warning when fields are granted', () => {
+    const testProps = {
+      ...props
+    };
+
+    const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
+    expect(wrapper.find("div.indexPrivilegeForm__grantedFieldsRow")).toHaveLength(1);
+    expect(wrapper.find(".euiFormHelpText")).toHaveLength(0);
+  });
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.js
new file mode 100644
index 00000000000000..cb72ecd7aa4bfd
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.js
@@ -0,0 +1,158 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import React, { Component } from 'react';
+import PropTypes from 'prop-types';
+import _ from 'lodash';
+import { isReservedRole, isRoleEnabled } from '../../../../../lib/role';
+import { IndexPrivilegeForm } from './index_privilege_form';
+import { getFields } from '../../../../../objects';
+
+export class IndexPrivileges extends Component {
+  static propTypes = {
+    role: PropTypes.object.isRequired,
+    indexPatterns: PropTypes.array.isRequired,
+    allowDocumentLevelSecurity: PropTypes.bool.isRequired,
+    allowFieldLevelSecurity: PropTypes.bool.isRequired,
+    httpClient: PropTypes.func.isRequired,
+    onChange: PropTypes.func.isRequired,
+    validator: PropTypes.object.isRequired,
+  }
+
+  state = {
+    availableFields: {}
+  }
+
+  componentDidMount() {
+    this.loadAvailableFields(this.props.role.indices);
+  }
+
+  render() {
+    const { indices = [] } = this.props.role;
+
+    const {
+      indexPatterns,
+      allowDocumentLevelSecurity,
+      allowFieldLevelSecurity
+    } = this.props;
+
+    const props = {
+      indexPatterns,
+      // If editing an existing role while that has been disabled, always show the FLS/DLS fields because currently
+      // a role is only marked as disabled if it has FLS/DLS setup (usually before the user changed to a license that
+      // doesn't permit FLS/DLS).
+      allowDocumentLevelSecurity: allowDocumentLevelSecurity || !isRoleEnabled(this.props.role),
+      allowFieldLevelSecurity: allowFieldLevelSecurity || !isRoleEnabled(this.props.role),
+      isReservedRole: isReservedRole(this.props.role)
+    };
+
+    const forms = indices.map((indexPrivilege, idx) => (
+      <IndexPrivilegeForm
+        key={idx}
+        {...props}
+        validator={this.props.validator}
+        allowDelete={!props.isReservedRole}
+        indexPrivilege={indexPrivilege}
+        availableFields={this.state.availableFields[indexPrivilege.names.join(',')]}
+        onChange={this.onIndexPrivilegeChange(idx)}
+        onDelete={this.onIndexPrivilegeDelete(idx)}
+      />
+    ));
+
+    return forms;
+  }
+
+  addIndexPrivilege = () => {
+    const { role } = this.props;
+
+    const newIndices = [...role.indices, {
+      names: [],
+      privileges: [],
+      field_security: {
+        grant: ['*']
+      }
+    }];
+
+    this.props.onChange({
+      ...this.props.role,
+      indices: newIndices
+    });
+  };
+
+  onIndexPrivilegeChange = (privilegeIndex) => {
+    return (updatedPrivilege) => {
+      const { role } = this.props;
+      const { indices } = role;
+
+      const newIndices = [...indices];
+      newIndices[privilegeIndex] = updatedPrivilege;
+
+      this.props.onChange({
+        ...this.props.role,
+        indices: newIndices
+      });
+
+      this.loadAvailableFields(newIndices);
+    };
+  };
+
+  onIndexPrivilegeDelete = (privilegeIndex) => {
+    return () => {
+      const { role } = this.props;
+
+      const newIndices = [...role.indices];
+      newIndices.splice(privilegeIndex, 1);
+
+      this.props.onChange({
+        ...this.props.role,
+        indices: newIndices
+      });
+    };
+  }
+
+  isPlaceholderPrivilege = (indexPrivilege) => {
+    return indexPrivilege.names.length === 0;
+  };
+
+  loadAvailableFields(indices) {
+    // Reserved roles cannot be edited, and therefore do not need to fetch available fields.
+    if (isReservedRole(this.props.role)) {
+      return;
+    }
+
+    const patterns = indices.map(index => index.names.join(','));
+
+    const cachedPatterns = Object.keys(this.state.availableFields);
+    const patternsToFetch = _.difference(patterns, cachedPatterns);
+
+    const fetchRequests = patternsToFetch.map(this.loadFieldsForPattern);
+
+    Promise.all(fetchRequests)
+      .then(response => {
+
+        this.setState({
+          availableFields: {
+            ...this.state.availableFields,
+            ...response.reduce((acc, o) => ({ ...acc, ...o }), {})
+          }
+        });
+      });
+  }
+
+  loadFieldsForPattern = async (pattern) => {
+    if (!pattern) return { [pattern]: [] };
+
+    try {
+      return {
+        [pattern]: await getFields(this.props.httpClient, pattern)
+      };
+
+    } catch (e) {
+      return {
+        [pattern]: []
+      };
+    }
+  }
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.test.js
new file mode 100644
index 00000000000000..221d301ceef0f3
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.test.js
@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { shallow, mount } from 'enzyme';
+import { IndexPrivileges } from './index_privileges';
+import { IndexPrivilegeForm } from './index_privilege_form';
+import { RoleValidator } from '../../lib/validate_role';
+
+test('it renders without crashing', () => {
+  const props = {
+    role: {
+      cluster: [],
+      indices: [],
+      run_as: []
+    },
+    httpClient: jest.fn(),
+    onChange: jest.fn(),
+    indexPatterns: [],
+    allowDocumentLevelSecurity: true,
+    allowFieldLevelSecurity: true,
+    validator: new RoleValidator(),
+  };
+  const wrapper = shallow(<IndexPrivileges {...props} />);
+  expect(wrapper).toMatchSnapshot();
+});
+
+test('it renders a IndexPrivilegeForm for each privilege on the role', () => {
+  const props = {
+    role: {
+      cluster: [],
+      indices: [{
+        names: ['foo*'],
+        privileges: ['all'],
+        query: '*',
+        field_security: {
+          grant: ['some_field']
+        }
+      }],
+      run_as: []
+    },
+    httpClient: jest.fn(),
+    onChange: jest.fn(),
+    indexPatterns: [],
+    allowDocumentLevelSecurity: true,
+    allowFieldLevelSecurity: true,
+    validator: new RoleValidator(),
+  };
+  const wrapper = mount(<IndexPrivileges {...props} />);
+  expect(wrapper.find(IndexPrivilegeForm)).toHaveLength(1);
+});
\ No newline at end of file
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js
new file mode 100644
index 00000000000000..a8c2a2c52cbe00
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js
@@ -0,0 +1,101 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component } from 'react';
+import PropTypes from 'prop-types';
+import { isReservedRole } from '../../../../../lib/role';
+import { getKibanaPrivileges } from '../../lib/get_application_privileges';
+import { setApplicationPrivileges } from '../../lib/set_application_privileges';
+
+import { CollapsiblePanel } from '../collapsible_panel';
+import {
+  EuiSelect,
+  EuiDescribedFormGroup,
+  EuiFormRow,
+} from '@elastic/eui';
+
+const noPrivilegeValue = '-none-';
+
+export class KibanaPrivileges extends Component {
+  static propTypes = {
+    role: PropTypes.object.isRequired,
+    spaces: PropTypes.array,
+    kibanaAppPrivileges: PropTypes.array.isRequired,
+    onChange: PropTypes.func.isRequired,
+  };
+
+  idPrefix = () => `${this.props.rbacApplication}_`;
+
+  privilegeToId = (privilege) => `${this.idPrefix()}${privilege}`;
+
+  idToPrivilege = (id) => id.split(this.idPrefix())[1];
+
+  render() {
+    return (
+      <CollapsiblePanel iconType={'logoKibana'} title={'Kibana'}>
+        {this.getForm()}
+      </CollapsiblePanel>
+    );
+  }
+
+  getForm = () => {
+    const {
+      kibanaAppPrivileges,
+      role,
+      rbacApplication
+    } = this.props;
+
+    const kibanaPrivileges = getKibanaPrivileges(kibanaAppPrivileges, role, rbacApplication);
+
+    const options = [
+      { value: noPrivilegeValue, text: 'none' },
+      ...Object.keys(kibanaPrivileges).map(p => ({
+        value: p,
+        text: p
+      }))
+    ];
+
+    const value = Object.keys(kibanaPrivileges).find(p => kibanaPrivileges[p]) || noPrivilegeValue;
+
+    return (
+      <EuiDescribedFormGroup
+        title={<p>Application privileges</p>}
+        description={<p>Manage the actions this role can perform within Kibana.</p>}
+      >
+        <EuiFormRow hasEmptyLabelSpace>
+          <EuiSelect
+            options={options}
+            value={value}
+            onChange={this.onKibanaPrivilegesChange}
+            disabled={isReservedRole(role)}
+          />
+        </EuiFormRow>
+      </EuiDescribedFormGroup>
+    );
+  }
+
+  onKibanaPrivilegesChange = (e) => {
+    const role = {
+      ...this.props.role,
+      applications: [...this.props.role.applications]
+    };
+
+    const privilege = e.target.value;
+
+    if (privilege === noPrivilegeValue) {
+      // unsetting all privileges -- only necessary until RBAC Phase 3
+      const noPrivileges = {};
+      setApplicationPrivileges(noPrivileges, role, this.props.rbacApplication);
+    } else {
+      const newPrivileges = {
+        [privilege]: true
+      };
+      setApplicationPrivileges(newPrivileges, role, this.props.rbacApplication);
+    }
+
+    this.props.onChange(role);
+  }
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.js b/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.js
new file mode 100644
index 00000000000000..8b750b19338ed4
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.js
@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import PropTypes from 'prop-types';
+
+import { isReservedRole } from '../../../../lib/role';
+import {
+  EuiIcon,
+  EuiToolTip,
+} from '@elastic/eui';
+
+
+export const ReservedRoleBadge = (props) => {
+  const {
+    role
+  } = props;
+
+  if (isReservedRole(role)) {
+    return (
+      <EuiToolTip content={'Reserved roles are built-in and cannot be removed or modified.'}>
+        <EuiIcon style={{ verticalAlign: "super" }} type={'lock'} />
+      </EuiToolTip>
+    );
+  }
+  return null;
+};
+
+ReservedRoleBadge.propTypes = {
+  role: PropTypes.object.isRequired
+};
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.test.js
new file mode 100644
index 00000000000000..939348661a7417
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.test.js
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import {
+  EuiIcon
+} from '@elastic/eui';
+import { ReservedRoleBadge } from './reserved_role_badge';
+import {
+  shallow
+} from 'enzyme';
+
+const reservedRole = {
+  metadata: {
+    _reserved: true
+  }
+};
+
+const unreservedRole = {};
+
+test('it renders without crashing', () => {
+  const wrapper = shallow(<ReservedRoleBadge role={reservedRole} />);
+  expect(wrapper.find(EuiIcon)).toHaveLength(1);
+});
+
+test('it renders nothing for an unreserved role', () => {
+  const wrapper = shallow(<ReservedRoleBadge role={unreservedRole} />);
+  expect(wrapper.find('*')).toHaveLength(0);
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/edit_role.html b/x-pack/plugins/security/public/views/management/edit_role/edit_role.html
new file mode 100644
index 00000000000000..5539f0521dd79c
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/edit_role.html
@@ -0,0 +1 @@
+<div id="editRoleReactRoot" />
diff --git a/x-pack/plugins/security/public/views/management/edit_role/edit_role.less b/x-pack/plugins/security/public/views/management/edit_role/edit_role.less
new file mode 100644
index 00000000000000..d4f7ac04880d60
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/edit_role.less
@@ -0,0 +1,10 @@
+#editRoleReactRoot {
+  background: #f5f5f5;
+  flex-grow: 1;
+}
+
+.editRolePage {
+  max-width: 1000px;
+  margin-left: auto;
+  margin-right: auto;
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/index.js b/x-pack/plugins/security/public/views/management/edit_role/index.js
new file mode 100644
index 00000000000000..e356b9d7c01b6e
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/index.js
@@ -0,0 +1,134 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import _ from 'lodash';
+import routes from 'ui/routes';
+import { fatalError } from 'ui/notify';
+import template from 'plugins/security/views/management/edit_role/edit_role.html';
+import 'plugins/security/views/management/edit_role/edit_role.less';
+import 'angular-ui-select';
+import 'plugins/security/services/application_privilege';
+import 'plugins/security/services/shield_user';
+import 'plugins/security/services/shield_role';
+import 'plugins/security/services/shield_privileges';
+import 'plugins/security/services/shield_indices';
+
+import { IndexPatternsProvider } from 'ui/index_patterns/index_patterns';
+import { XPackInfoProvider } from 'plugins/xpack_main/services/xpack_info';
+import { checkLicenseError } from 'plugins/security/lib/check_license_error';
+import { EDIT_ROLES_PATH, ROLES_PATH } from '../management_urls';
+
+import { EditRolePage } from './components';
+
+import React from 'react';
+import { render, unmountComponentAtNode } from 'react-dom';
+
+routes.when(`${EDIT_ROLES_PATH}/:name?`, {
+  template,
+  resolve: {
+    role($route, ShieldRole, kbnUrl, Promise, Notifier) {
+      const name = $route.current.params.name;
+
+      let role;
+
+      if (name != null) {
+        role = ShieldRole.get({ name }).$promise
+          .catch((response) => {
+
+            if (response.status !== 404) {
+              return fatalError(response);
+            }
+
+            const notifier = new Notifier();
+            notifier.error(`No "${name}" role found.`);
+            kbnUrl.redirect(ROLES_PATH);
+            return Promise.halt();
+          });
+
+      } else {
+        role = Promise.resolve(new ShieldRole({
+          cluster: [],
+          indices: [],
+          run_as: [],
+          applications: []
+        }));
+      }
+
+      return role.then(res => res.toJSON());
+    },
+    kibanaApplicationPrivilege(ApplicationPrivilege, kbnUrl, Promise, Private) {
+      return ApplicationPrivilege.query().$promise
+        .then(privileges => privileges.map(p => p.toJSON()))
+        .catch(checkLicenseError(kbnUrl, Promise, Private));
+    },
+    users(ShieldUser, kbnUrl, Promise, Private) {
+      // $promise is used here because the result is an ngResource, not a promise itself
+      return ShieldUser.query().$promise
+        .then(users => _.map(users, 'username'))
+        .catch(checkLicenseError(kbnUrl, Promise, Private));
+    },
+    indexPatterns(Private) {
+      const indexPatterns = Private(IndexPatternsProvider);
+      return indexPatterns.getTitles();
+    }
+  },
+  controllerAs: 'editRole',
+  controller($injector, $scope, $http, rbacEnabled, rbacApplication) {
+    const $route = $injector.get('$route');
+    const Private = $injector.get('Private');
+
+    const Notifier = $injector.get('Notifier');
+
+    const kibanaApplicationPrivilege = $route.current.locals.kibanaApplicationPrivilege;
+    const role = $route.current.locals.role;
+
+    const xpackInfo = Private(XPackInfoProvider);
+    const allowDocumentLevelSecurity = xpackInfo.get('features.security.allowRoleDocumentLevelSecurity');
+    const allowFieldLevelSecurity = xpackInfo.get('features.security.allowRoleFieldLevelSecurity');
+
+    const domNode = document.getElementById('editRoleReactRoot');
+
+    const {
+      users,
+      indexPatterns,
+    } = $route.current.locals;
+
+    const routeBreadcrumbs = routes.getBreadcrumbs();
+
+    render(<EditRolePage
+      runAsUsers={users}
+      role={role}
+      kibanaAppPrivileges={kibanaApplicationPrivilege}
+      indexPatterns={indexPatterns}
+      rbacEnabled={rbacEnabled}
+      rbacApplication={rbacApplication}
+      httpClient={$http}
+      breadcrumbs={transformBreadcrumbs(routeBreadcrumbs)}
+      allowDocumentLevelSecurity={allowDocumentLevelSecurity}
+      allowFieldLevelSecurity={allowFieldLevelSecurity}
+      notifier={Notifier}
+    />, domNode);
+
+    // unmount react on controller destroy
+    $scope.$on('$destroy', () => {
+      unmountComponentAtNode(domNode);
+    });
+  }
+});
+
+function transformBreadcrumbs(routeBreadcrumbs) {
+  const indexOfEdit = routeBreadcrumbs.findIndex(b => b.id === 'edit');
+
+  const hasEntryAfterEdit = indexOfEdit >= 0 && indexOfEdit < (routeBreadcrumbs.length - 1);
+
+  if (hasEntryAfterEdit) {
+    // The entry after 'edit' is the name of the role being edited (if any). We don't want to use the "humanized" version of the role name here
+    const roleName = routeBreadcrumbs[indexOfEdit + 1];
+    roleName.display = roleName.id;
+  }
+
+  return routeBreadcrumbs.filter(b => b.id !== 'edit');
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/validate_role.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/validate_role.test.js.snap
new file mode 100644
index 00000000000000..20b4280b7f493b
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/validate_role.test.js.snap
@@ -0,0 +1,3 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`validateIndexPrivileges it throws when indices is not an array 1`] = `"Expected role.indices to be an array"`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js
new file mode 100644
index 00000000000000..1ee8d201806b69
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import _ from 'lodash';
+
+export function getKibanaPrivileges(kibanaApplicationPrivilege, role, application) {
+  const kibanaPrivileges = kibanaApplicationPrivilege.reduce((acc, p) => {
+    acc[p.name] = false;
+    return acc;
+  }, {});
+
+  if (!role.applications || role.applications.length === 0) {
+    return kibanaPrivileges;
+  }
+
+  const applications = role.applications.filter(x => x.application === application);
+
+  const assigned = _.uniq(_.flatten(_.pluck(applications, 'privileges')));
+  assigned.forEach(a => {
+    kibanaPrivileges[a] = true;
+  });
+
+  return kibanaPrivileges;
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/set_application_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/lib/set_application_privileges.js
new file mode 100644
index 00000000000000..e6e133fbf69bd5
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/set_application_privileges.js
@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { DEFAULT_RESOURCE } from '../../../../../common/constants';
+
+export function setApplicationPrivileges(kibanaPrivileges, role, application) {
+  if (!role.applications) {
+    role.applications = [];
+  }
+
+  // we first remove the matching application entries
+  role.applications = role.applications.filter(x => {
+    return x.application !== application;
+  });
+
+  const privileges = Object.keys(kibanaPrivileges).filter(key => kibanaPrivileges[key]);
+
+  // if we still have them, put the application entry back
+  if (privileges.length > 0) {
+    role.applications = [...role.applications, {
+      application,
+      privileges,
+      resources: [DEFAULT_RESOURCE]
+    }];
+  }
+}
+
+export function togglePrivilege(role, application, permission) {
+  const appPermissions = role.applications
+    .find(a => a.application === application && a.resources[0] === DEFAULT_RESOURCE);
+
+  if (!appPermissions) {
+    role.applications.push({
+      application,
+      privileges: [permission],
+      resources: [DEFAULT_RESOURCE]
+    });
+  } else {
+    const indexOfExisting = appPermissions.privileges.indexOf(permission);
+    if (indexOfExisting >= 0) {
+      appPermissions.privileges.splice(indexOfExisting, 1);
+    } else {
+      appPermissions.privileges.push(permission);
+    }
+  }
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.js b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.js
new file mode 100644
index 00000000000000..3fc638a83782cb
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.js
@@ -0,0 +1,86 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export class RoleValidator {
+  constructor(options = {}) {
+    this._shouldValidate = options.shouldValidate;
+  }
+
+  enableValidation() {
+    this._shouldValidate = true;
+  }
+
+  disableValidation() {
+    this._shouldValidate = false;
+  }
+
+  validateRoleName(role) {
+    if (!this._shouldValidate) return valid();
+
+    if (!role.name) {
+      return invalid(`Please provide a role name`);
+    }
+    if (role.name.length > 1024) {
+      return invalid(`Name must not exceed 1024 characters`);
+    }
+    if (!role.name.match(/^[a-zA-Z_][a-zA-Z0-9_@\-\$\.]*$/)) {
+      return invalid(`Name must begin with a letter or underscore and contain only letters, underscores, and numbers.`);
+    }
+    return valid();
+  }
+
+  validateIndexPrivileges(role) {
+    if (!this._shouldValidate) return valid();
+
+    if (!Array.isArray(role.indices)) {
+      throw new TypeError(`Expected role.indices to be an array`);
+    }
+
+    const areIndicesValid = role.indices
+      .map(this.validateIndexPrivilege.bind(this))
+      .find((result) => result.isInvalid) == null;
+
+    if (areIndicesValid) {
+      return valid();
+    }
+    return invalid();
+  }
+
+  validateIndexPrivilege(indexPrivilege) {
+    if (!this._shouldValidate) return valid();
+
+    if (indexPrivilege.names.length && !indexPrivilege.privileges.length) {
+      return invalid(`At least one privilege is required`);
+    }
+    return valid();
+  }
+
+  validateForSave(role) {
+    const { isInvalid: isNameInvalid } = this.validateRoleName(role);
+    const { isInvalid: areIndicesInvalid } = this.validateIndexPrivileges(role);
+
+    if (isNameInvalid || areIndicesInvalid) {
+      return invalid();
+    }
+
+    return valid();
+  }
+
+}
+
+function invalid(error) {
+  return {
+    isInvalid: true,
+    error
+  };
+}
+
+function valid() {
+  return {
+    isInvalid: false
+  };
+}
+
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.js b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.js
new file mode 100644
index 00000000000000..47d2bfe59a37e6
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.js
@@ -0,0 +1,94 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { RoleValidator } from "./validate_role";
+
+let validator;
+
+describe('validateRoleName', () => {
+  beforeEach(() => {
+    validator = new RoleValidator({ shouldValidate: true });
+  });
+
+  test('it allows an alphanumeric role name', () => {
+    const role = {
+      name: 'This-is-30-character-role-name'
+    };
+
+    expect(validator.validateRoleName(role)).toEqual({ isInvalid: false });
+  });
+
+  test('it requires a non-empty value', () => {
+    const role = {
+      name: ''
+    };
+
+    expect(validator.validateRoleName(role)).toEqual({ isInvalid: true, error: `Please provide a role name` });
+  });
+
+  test('it cannot exceed 1024 characters', () => {
+    const role = {
+      name: new Array(1026).join('A')
+    };
+
+    expect(validator.validateRoleName(role)).toEqual({ isInvalid: true, error: `Name must not exceed 1024 characters` });
+  });
+
+  const charList = `!#%^&*()+=[]{}\|';:"/,<>?`.split('');
+  charList.forEach(element => {
+    test(`it cannot support the "${element}" character`, () => {
+      const role = {
+        name: `role-${element}`
+      };
+
+      expect(validator.validateRoleName(role)).toEqual(
+        {
+          isInvalid: true,
+          error: `Name must begin with a letter or underscore and contain only letters, underscores, and numbers.`
+        }
+      );
+    });
+  });
+});
+
+describe('validateIndexPrivileges', () => {
+  beforeEach(() => {
+    validator = new RoleValidator({ shouldValidate: true });
+  });
+
+  test('it ignores privilegs with no indices defined', () => {
+    const role = {
+      indices: [{
+        names: [],
+        privileges: []
+      }]
+    };
+
+    expect(validator.validateIndexPrivileges(role)).toEqual({
+      isInvalid: false
+    });
+  });
+
+  test('it requires privilges when an index is defined', () => {
+    const role = {
+      indices: [{
+        names: ['index-*'],
+        privileges: []
+      }]
+    };
+
+    expect(validator.validateIndexPrivileges(role)).toEqual({
+      isInvalid: true
+    });
+  });
+
+  test('it throws when indices is not an array', () => {
+    const role = {
+      indices: null
+    };
+
+    expect(() => validator.validateIndexPrivileges(role)).toThrowErrorMatchingSnapshot();
+  });
+});
diff --git a/x-pack/plugins/security/public/views/management/index_privileges_form/index_privileges_form.html b/x-pack/plugins/security/public/views/management/index_privileges_form/index_privileges_form.html
deleted file mode 100644
index 829b0dfaefa926..00000000000000
--- a/x-pack/plugins/security/public/views/management/index_privileges_form/index_privileges_form.html
+++ /dev/null
@@ -1,128 +0,0 @@
-<div class="kuiFormSection">
-  <label class="kuiFormLabel">
-    Index Privileges
-  </label>
-
-  <!-- Panel list -->
-  <div class="kuiList">
-    <div
-      class="kuiListItem"
-      ng-repeat="index in indices"
-      data-test-subj="{{ 'indicesPrivileges' + $index }}"
-    >
-      <!-- Top row -->
-      <div class="kuiFormSubSection">
-        <!-- Select indices -->
-        <div class="kuiColumn kuiColumn--6">
-          <label class="kuiFormSubLabel">
-            Indices
-          </label>
-          <ui-select
-            multiple
-            ng-model="index.names"
-            ng-disabled="isReserved || !isEnabled"
-            data-test-subj="{{ 'indicesInput' + $index }}"
-          >
-            <ui-select-match>{{$item}}</ui-select-match>
-            <ui-select-choices repeat="indexPattern in indexPrivilegesController.union([$select.search], indexPatterns) | filter:$select.search">
-              <div ng-bind-html="indexPattern"></div>
-            </ui-select-choices>
-          </ui-select>
-
-        <!-- TODO: Minimize markup so we don't need to worry about whitespsace. -->
-        </div><div class="kuiColumn kuiColumn--5">
-        <!-- Select privileges -->
-          <label class="kuiFormSubLabel">
-            Privileges
-          </label>
-          <ui-select
-            ng-class="{'kuiInputError' : index.names.length && !index.privileges.length}"
-            multiple
-            ng-model="index.privileges"
-            ng-disabled="isReserved || !isEnabled"
-            data-test-subj="{{ 'privilegesInput' + $index }}"
-          >
-            <ui-select-match>{{$item}}</ui-select-match>
-            <ui-select-choices repeat="privilege in privileges.indices | filter:$select.search" >
-              <div ng-bind-html="privilege" data-test-subj="{{ 'privilegeOption-'+  privilege }}"></div>
-            </ui-select-choices>
-          </ui-select>
-
-          <!-- Errors -->
-          <div
-            class="kuiInputNote kuiInputNote--danger"
-            ng-show="index.names.length && !index.privileges.length"
-          >
-            Indices must contain at least one privilege.
-          </div>
-
-        <!-- TODO: Minimize markup so we don't need to worry about whitespsace. -->
-        </div><div class="kuiColumn kuiColumn--1">
-          <label class="kuiFormSubLabel">&nbsp;</label>
-          <!-- Delete index privilege -->
-          <button
-            class="kuiButton kuiButton--danger fullWidth"
-            ng-if="!isReserved && indices.length > 1"
-            ng-click="indexPrivilegesController.removeIndex(index)"
-            tooltip="Remove index privilege"
-            data-test-subj="{{ 'removeIndicesPrivileges' + $index }}"
-          >
-            <span class="kuiButton__icon kuiIcon fa-trash"></span>
-          </button>
-        </div>
-      </div>
-
-      <!-- Bottom row -->
-      <div class="kuiFormSubSection">
-        <!-- Query -->
-        <div class="kuiColumn kuiColumn--6" ng-if="indexPrivilegesController.showDocumentLevelSecurity">
-          <label for="query" class="kuiFormSubLabel">
-            Granted Documents Query
-            <span class="kuiFormSubLabel__note">Optional</span>
-          </label>
-          <textarea
-            class="kuiTextArea fullWidth"
-            id="query"
-            rows="1"
-            ng-model="index.query"
-            ng-disabled="isReserved || !isEnabled"
-            data-test-subj="{{ 'queryInput' + $index }}"
-          ></textarea>
-
-        <!-- TODO: Minimize markup so we don't need to worry about whitespsace. -->
-        </div><div class="kuiColumn kuiColumn--5" ng-if="indexPrivilegesController.showFieldLevelSecurity">
-        <!-- Select fields -->
-          <label class="kuiFormSubLabel">
-            Granted Fields
-            <span class="kuiFormSubLabel__note">Optional</span>
-          </label>
-          <ui-select
-            multiple
-            ng-model="index.field_security.grant"
-            ng-disabled="isReserved || !isEnabled"
-            data-test-subj="{{ 'fieldInput' + $index }}"
-          >
-            <ui-select-match>{{$item}}</ui-select-match>
-            <ui-select-choices repeat="field in indexPrivilegesController.union([$select.search], fieldOptions[index.names]) | filter:$select.search | limitTo:25">
-              <div ng-bind-html="field" data-test-subj="{{ 'fieldOption-' + field }}"></div>
-            </ui-select-choices>
-          </ui-select>
-        <!-- TODO: Minimize markup so we don't need to worry about whitespsace. -->
-        </div><div class="kuiColumn kuiColumn--1">
-          <div ng-if="!isReserved && isEnabled && $index === indices.length - 1">
-            <label class="kuiFormSubLabel">&nbsp;</label>
-            <!-- Add index privilege -->
-            <button
-              ng-click="indexPrivilegesController.addIndex()"
-              class="kuiButton kuiButton--primary fullWidth"
-              tooltip="Add index privilege"
-              data-test-subj="{{ 'addIndicesPrivileges' + $index }}"
-            >
-              <span class="kuiButton__icon kuiIcon fa-plus"></span>
-            </button>
-          </div>
-        </div>
-      </div>
-    </div>
-  </div>
-</div>
diff --git a/x-pack/plugins/security/public/views/management/index_privileges_form/index_privileges_form.js b/x-pack/plugins/security/public/views/management/index_privileges_form/index_privileges_form.js
deleted file mode 100644
index 1bb058f56d0960..00000000000000
--- a/x-pack/plugins/security/public/views/management/index_privileges_form/index_privileges_form.js
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import _ from 'lodash';
-import { uiModules } from 'ui/modules';
-import template from './index_privileges_form.html';
-
-const module = uiModules.get('security', ['kibana']);
-module.directive('kbnIndexPrivilegesForm', function () {
-  return {
-    template,
-    scope: {
-      isNewRole: '=',
-      indices: '=',
-      indexPatterns: '=',
-      privileges: '=',
-      fieldOptions: '=',
-      isReserved: '=',
-      isEnabled: '=',
-      allowDocumentLevelSecurity: '=',
-      allowFieldLevelSecurity: '=',
-      addIndex: '&',
-      removeIndex: '&',
-    },
-    restrict: 'E',
-    replace: true,
-    controllerAs: 'indexPrivilegesController',
-    controller: function ($scope) {
-      this.addIndex = function addIndex() {
-        $scope.addIndex({ indices: $scope.indices });
-      };
-
-      this.removeIndex = function removeIndex(index) {
-        $scope.removeIndex({ indices: $scope.indices, index });
-      };
-
-      this.getIndexTitle = function getIndexTitle(index) {
-        const indices = index.names.length ? index.names.join(', ') : 'No indices';
-        const privileges = index.privileges.length ? index.privileges.join(', ') : 'No privileges';
-        return `${indices} (${privileges})`;
-      };
-
-      this.union = _.flow(_.union, _.compact);
-
-      // If editing an existing role while that has been disabled, always show the FLS/DLS fields because currently
-      // a role is only marked as disabled if it has FLS/DLS setup (usually before the user changed to a license that
-      // doesn't permit FLS/DLS).
-      if (!$scope.isNewRole && !$scope.isEnabled) {
-        this.showDocumentLevelSecurity = true;
-        this.showFieldLevelSecurity = true;
-      } else {
-        this.showDocumentLevelSecurity = $scope.allowDocumentLevelSecurity;
-        this.showFieldLevelSecurity = $scope.allowFieldLevelSecurity;
-      }
-    },
-  };
-});
diff --git a/x-pack/plugins/security/public/views/management/index_privileges_form/index_privileges_form.less b/x-pack/plugins/security/public/views/management/index_privileges_form/index_privileges_form.less
deleted file mode 100644
index edd7a4898f45a0..00000000000000
--- a/x-pack/plugins/security/public/views/management/index_privileges_form/index_privileges_form.less
+++ /dev/null
@@ -1,7 +0,0 @@
-.indexPrivilegesForm {
-  height: 550px;
-}
-
-.indexPrivilegesList {
-  flex: 0 0 400px;
-}
diff --git a/x-pack/plugins/security/public/views/management/management.js b/x-pack/plugins/security/public/views/management/management.js
index b2bd09e67e9bf1..f7000478cbfc7f 100644
--- a/x-pack/plugins/security/public/views/management/management.js
+++ b/x-pack/plugins/security/public/views/management/management.js
@@ -5,12 +5,11 @@
  */
 
 import 'plugins/security/views/management/change_password_form/change_password_form';
-import 'plugins/security/views/management/index_privileges_form/index_privileges_form';
 import 'plugins/security/views/management/password_form/password_form';
 import 'plugins/security/views/management/users';
 import 'plugins/security/views/management/roles';
 import 'plugins/security/views/management/edit_user';
-import 'plugins/security/views/management/edit_role';
+import 'plugins/security/views/management/edit_role/index';
 import 'plugins/security/views/management/management.less';
 import routes from 'ui/routes';
 import { XPackInfoProvider } from 'plugins/xpack_main/services/xpack_info';
diff --git a/x-pack/plugins/security/public/views/management/management.less b/x-pack/plugins/security/public/views/management/management.less
index d9e16650aeecce..14fc8f4fa13248 100644
--- a/x-pack/plugins/security/public/views/management/management.less
+++ b/x-pack/plugins/security/public/views/management/management.less
@@ -1,5 +1,4 @@
 @import '~plugins/xpack_main/style/main.less';
-@import './index_privileges_form/index_privileges_form';
 
 .kuiFormFooter {
   display: flex;
diff --git a/x-pack/plugins/security/server/lib/check_user_permission.js b/x-pack/plugins/security/server/lib/check_user_permission.js
deleted file mode 100644
index 6890a6fc790929..00000000000000
--- a/x-pack/plugins/security/server/lib/check_user_permission.js
+++ /dev/null
@@ -1,14 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-
-
-export async function checkUserPermission(permission, hasPermission) {
-  // POC Stub. TODO: Use ES Permissions API once implemented.
-  return Promise.resolve(hasPermission);
-}
diff --git a/x-pack/plugins/security/server/lib/privileges/privileges.js b/x-pack/plugins/security/server/lib/privileges/privileges.js
index e05be3117f934a..129d4b3abfb3ea 100644
--- a/x-pack/plugins/security/server/lib/privileges/privileges.js
+++ b/x-pack/plugins/security/server/lib/privileges/privileges.js
@@ -45,7 +45,7 @@ function buildSavedObjectsReadPrivileges() {
 }
 
 function buildSavedObjectsPrivileges(actions) {
-  const objectTypes = ['config', 'dashboard', 'index-pattern', 'search', 'visualization', 'graph-workspace'];
+  const objectTypes = ['config', 'dashboard', 'graph-workspace', 'index-pattern', 'search', 'timelion-sheet', 'url', 'visualization'];
   return objectTypes
     .map(type => actions.map(action => `action:saved-objects/${type}/${action}`))
     .reduce((acc, types) => [...acc, ...types], []);
diff --git a/x-pack/plugins/spaces/common/index.js b/x-pack/plugins/spaces/common/index.js
new file mode 100644
index 00000000000000..1cd6907d3d64c1
--- /dev/null
+++ b/x-pack/plugins/spaces/common/index.js
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { isReservedSpace } from './is_reserved_space';
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index 603b8ddb22e11c..38d2e84cc992f9 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -52,7 +52,7 @@ export const spaces = (kibana) => new kibana.Plugin({
           valid: true,
           space: await getActiveSpace(request.getSavedObjectsClient(), request.getBasePath())
         };
-      } catch(e) {
+      } catch (e) {
         vars.activeSpace = {
           valid: false,
           error: wrapError(e).output.payload
diff --git a/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap b/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap
index 936f678055d413..c7cbfdb53fd737 100644
--- a/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap
@@ -1,15 +1,13 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
 exports[`it renders without crashing 1`] = `
-<div
-  className="euiHeader"
->
-  <div
-    className="euiHeaderSection euiHeaderSection--left"
+<EuiHeader>
+  <EuiHeaderSection
+    side="left"
   >
-    <div
-      className="euiHeaderBreadcrumbs"
+    <EuiHeaderBreadcrumbs
+      breadcrumbs={Array []}
     />
-  </div>
-</div>
+  </EuiHeaderSection>
+</EuiHeader>
 `;
diff --git a/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
index 2262e597fb433b..2207076c3e695b 100644
--- a/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
@@ -25,6 +25,8 @@ import { DeleteSpacesButton } from './delete_spaces_button';
 import { Notifier, toastNotifications } from 'ui/notify';
 import { UrlContext } from './url_context';
 import { toUrlContext, isValidUrlContext } from '../lib/url_context_utils';
+import { isReservedSpace } from '../../../../common';
+import { ReservedSpaceBadge } from './reserved_space_badge';
 
 export class ManageSpacePage extends React.Component {
   state = {
@@ -71,12 +73,7 @@ export class ManageSpacePage extends React.Component {
         <PageHeader breadcrumbs={this.props.breadcrumbs}/>
         <EuiPageContent>
           <EuiForm>
-            <EuiFlexGroup justifyContent={'spaceBetween'}>
-              <EuiFlexItem grow={false}>
-                <EuiText><h1>{this.getTitle()}</h1></EuiText>
-              </EuiFlexItem>
-              {this.getActionButton()}
-            </EuiFlexGroup>
+            {this.getFormHeading()}
 
             <EuiSpacer />
 
@@ -108,7 +105,7 @@ export class ManageSpacePage extends React.Component {
             <UrlContext
               space={this.state.space}
               editingExistingSpace={this.editingExistingSpace()}
-              editable={true}
+              editable={!isReservedSpace(this.state.space)}
               onChange={this.onUrlContextChange}
             />
 
@@ -128,6 +125,19 @@ export class ManageSpacePage extends React.Component {
     );
   }
 
+  getFormHeading = () => {
+    const isReserved = isReservedSpace(this.state.space);
+
+    return (
+      <EuiFlexGroup justifyContent={'spaceBetween'}>
+        <EuiFlexItem grow={false}>
+          <EuiText><h1>{this.getTitle()}</h1></EuiText>
+        </EuiFlexItem>
+        {isReserved ? this.getReservedBadge() : this.getActionButton()}
+      </EuiFlexGroup>
+    );
+  };
+
   getTitle = () => {
     if (this.editingExistingSpace()) {
       return `Edit space`;
@@ -135,8 +145,10 @@ export class ManageSpacePage extends React.Component {
     return `Create a space`;
   };
 
+  getReservedBadge = () => <ReservedSpaceBadge space={this.state.space} />;
+
   getActionButton = () => {
-    if (this.editingExistingSpace()) {
+    if (this.editingExistingSpace() && !isReservedSpace(this.state.space)) {
       return (
         <EuiFlexItem grow={false}>
           <DeleteSpacesButton
diff --git a/x-pack/plugins/spaces/public/views/management/components/page_header.js b/x-pack/plugins/spaces/public/views/management/components/page_header.js
index 956c2809b325f8..19a76b3d6ccf55 100644
--- a/x-pack/plugins/spaces/public/views/management/components/page_header.js
+++ b/x-pack/plugins/spaces/public/views/management/components/page_header.js
@@ -4,13 +4,12 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { Component }  from 'react';
+import React, { Component } from 'react';
 import PropTypes from 'prop-types';
 
 import {
   EuiHeader,
   EuiHeaderSection,
-  EuiHeaderBreadcrumb,
   EuiHeaderBreadcrumbs
 } from '@elastic/eui';
 
@@ -19,25 +18,20 @@ export class PageHeader extends Component {
     return (
       <EuiHeader>
         <EuiHeaderSection>
-          <EuiHeaderBreadcrumbs>
-            {this.props.breadcrumbs.map(this.buildBreadcrumb)}
-          </EuiHeaderBreadcrumbs>
+          <EuiHeaderBreadcrumbs breadcrumbs={this.props.breadcrumbs.map(this.buildBreadcrumb)} />
         </EuiHeaderSection>
       </EuiHeader>
     );
   }
 
   buildBreadcrumb = (breadcrumb) => {
-    return (
-      <EuiHeaderBreadcrumb key={breadcrumb.id} href={breadcrumb.href} isActive={breadcrumb.current}>
-        {breadcrumb.display}
-      </EuiHeaderBreadcrumb>
-    );
+    return {
+      text: breadcrumb.display,
+      href: breadcrumb.href,
+    };
   }
 }
 
-
-
 PageHeader.propTypes = {
   breadcrumbs: PropTypes.array.isRequired
-};
+};
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/management/components/page_header.test.js b/x-pack/plugins/spaces/public/views/management/components/page_header.test.js
index b960175b38debd..706a6de4a0abc1 100644
--- a/x-pack/plugins/spaces/public/views/management/components/page_header.test.js
+++ b/x-pack/plugins/spaces/public/views/management/components/page_header.test.js
@@ -6,30 +6,28 @@
 
 import React from 'react';
 import { PageHeader } from './page_header';
-import { render } from 'enzyme';
-import renderer from 'react-test-renderer';
+import { mount, shallow } from 'enzyme';
 
 test('it renders without crashing', () => {
-  const component = renderer.create(
+  const component = shallow(
     <PageHeader breadcrumbs={[]}/>
   );
   expect(component).toMatchSnapshot();
 });
 
 test('it renders breadcrumbs', () => {
-  const component = render(
+  const component = mount(
     <PageHeader breadcrumbs={[{
-      id: 'id-1',
+      display: 'id-1',
       href: 'myhref-1',
-      current: false
     }, {
-      id: 'id-2',
+      display: 'id-2',
       href: 'myhref-2',
-      current: true
     }]}
     />
   );
 
-  expect(component.find('a')).toHaveLength(2);
+  expect(component.find('a.euiBreadcrumb')).toHaveLength(1);
+  expect(component.find('span.euiBreadcrumb')).toHaveLength(1);
 
 });
diff --git a/x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.js b/x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.js
new file mode 100644
index 00000000000000..0ea7e05d77e12a
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.js
@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import PropTypes from 'prop-types';
+
+import { isReservedSpace } from '../../../../common';
+import {
+  EuiBadge,
+  EuiToolTip,
+  EuiFlexItem,
+} from '@elastic/eui';
+
+
+export const ReservedSpaceBadge = (props) => {
+  const {
+    space
+  } = props;
+
+  if (isReservedSpace(space)) {
+    return (
+      <EuiFlexItem grow={false}>
+        <EuiToolTip content={'Reserved spaces are built-in and can only be partially changed.'}>
+          <EuiBadge iconType={'lock'}>Reserved Space</EuiBadge>
+        </EuiToolTip>
+      </EuiFlexItem>
+    );
+  }
+  return null;
+};
+
+ReservedSpaceBadge.propTypes = {
+  space: PropTypes.object.isRequired
+};
diff --git a/x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.test.js b/x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.test.js
new file mode 100644
index 00000000000000..e45926b8598246
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.test.js
@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import {
+  EuiBadge
+} from '@elastic/eui';
+import { ReservedSpaceBadge } from './reserved_space_badge';
+import {
+  shallow
+} from 'enzyme';
+
+const reservedSpace = {
+  _reserved: true
+};
+
+const unreservedSpace = {};
+
+test('it renders without crashing', () => {
+  const wrapper = shallow(<ReservedSpaceBadge space={reservedSpace} />);
+  expect(wrapper.find(EuiBadge)).toHaveLength(1);
+});
+
+test('it renders nothing for an unreserved space', () => {
+  const wrapper = shallow(<ReservedSpaceBadge space={unreservedSpace} />);
+  expect(wrapper.find('*')).toHaveLength(0);
+});
diff --git a/x-pack/plugins/spaces/public/views/management/components/url_context.js b/x-pack/plugins/spaces/public/views/management/components/url_context.js
index 418a51b29347e4..6253e36d0f9e2e 100644
--- a/x-pack/plugins/spaces/public/views/management/components/url_context.js
+++ b/x-pack/plugins/spaces/public/views/management/components/url_context.js
@@ -35,7 +35,7 @@ export class UrlContext extends Component {
           <div>
             <EuiFieldText
               readOnly={!this.state.editing}
-              placeholder={this.state.editing ? null : 'give your space a name to see its URL Context'}
+              placeholder={this.state.editing || !this.props.editable ? null : 'give your space a name to see its URL Context'}
               value={urlContext}
               onChange={this.onChange}
               inputRef={(ref) => this.textFieldRef = ref}
@@ -48,6 +48,10 @@ export class UrlContext extends Component {
   }
 
   getLabel = () => {
+    if (!this.props.editable) {
+      return (<p>URL Context</p>);
+    }
+
     const editLinkText = this.state.editing ? `[stop editing]` : `[edit]`;
     return (<p>URL Context <EuiLink onClick={this.onEditClick}>{editLinkText}</EuiLink></p>);
   };
diff --git a/x-pack/plugins/spaces/public/views/management/manage_spaces.less b/x-pack/plugins/spaces/public/views/management/manage_spaces.less
index a9696d0c2f824e..ae515cbb829fa1 100644
--- a/x-pack/plugins/spaces/public/views/management/manage_spaces.less
+++ b/x-pack/plugins/spaces/public/views/management/manage_spaces.less
@@ -1,7 +1,7 @@
-.application, .euiPanel {
+.manageSpaces__application, .manageSpaces__.euiPanel {
   background: #f5f5f5
 }
 
-.euiPage {
+.manageSpaces__euiPage {
   padding: 0;
 }
diff --git a/x-pack/yarn.lock b/x-pack/yarn.lock
index fb4184fbbb6322..7c39d6e8fae06e 100644
--- a/x-pack/yarn.lock
+++ b/x-pack/yarn.lock
@@ -10,9 +10,9 @@
     esutils "^2.0.2"
     js-tokens "^3.0.0"
 
-"@elastic/eui@0.0.47":
-  version "0.0.47"
-  resolved "https://registry.yarnpkg.com/@elastic/eui/-/eui-0.0.47.tgz#5bae27966bb1d68bb3106853610a407509053b44"
+"@elastic/eui@v0.0.51":
+  version "0.0.51"
+  resolved "https://registry.yarnpkg.com/@elastic/eui/-/eui-0.0.51.tgz#5d809af270dd9994a609fd01eaa84e21a62fff98"
   dependencies:
     brace "^0.10.0"
     classnames "^2.2.5"
@@ -990,8 +990,8 @@ brace@0.10.0, brace@^0.10.0:
     w3c-blob "0.0.1"
 
 brace@^0.11.0:
-  version "0.11.0"
-  resolved "https://registry.yarnpkg.com/brace/-/brace-0.11.0.tgz#155cd80607687dc8cb908f0df94e62a033c1d563"
+  version "0.11.1"
+  resolved "https://registry.yarnpkg.com/brace/-/brace-0.11.1.tgz#4896fcc9d544eef45f4bb7660db320d3b379fe58"
 
 braces@^1.8.2:
   version "1.8.5"
@@ -1072,6 +1072,10 @@ buffer-equal@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/buffer-equal/-/buffer-equal-1.0.0.tgz#59616b498304d556abd466966b22eeda3eca5fbe"
 
+buffer-from@^1.0.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/buffer-from/-/buffer-from-1.1.0.tgz#87fcaa3a298358e0ade6e442cfce840740d1ad04"
+
 buffer@^3.0.1:
   version "3.6.0"
   resolved "https://registry.yarnpkg.com/buffer/-/buffer-3.6.0.tgz#a72c936f77b96bf52f5f7e7b467180628551defb"
@@ -1400,7 +1404,16 @@ concat-stream@1.5.1:
     readable-stream "~2.0.0"
     typedarray "~0.0.5"
 
-concat-stream@^1.4.7, concat-stream@~1.6.0:
+concat-stream@^1.4.7:
+  version "1.6.2"
+  resolved "https://registry.yarnpkg.com/concat-stream/-/concat-stream-1.6.2.tgz#904bdf194cd3122fc675c77fc4ac3d4ff0fd1a34"
+  dependencies:
+    buffer-from "^1.0.0"
+    inherits "^2.0.3"
+    readable-stream "^2.2.2"
+    typedarray "^0.0.6"
+
+concat-stream@~1.6.0:
   version "1.6.0"
   resolved "https://registry.yarnpkg.com/concat-stream/-/concat-stream-1.6.0.tgz#0aac662fd52be78964d5532f694784e70110acf7"
   dependencies:
@@ -1443,8 +1456,8 @@ core-js@^2.4.0, core-js@^2.5.0:
   resolved "https://registry.yarnpkg.com/core-js/-/core-js-2.5.3.tgz#8acc38345824f16d8365b7c9b4259168e8ed603e"
 
 core-js@^2.5.1:
-  version "2.5.5"
-  resolved "https://registry.yarnpkg.com/core-js/-/core-js-2.5.5.tgz#b14dde936c640c0579a6b50cabcc132dd6127e3b"
+  version "2.5.7"
+  resolved "https://registry.yarnpkg.com/core-js/-/core-js-2.5.7.tgz#f972608ff0cead68b841a16a932d0b183791814e"
 
 core-util-is@1.0.2, core-util-is@~1.0.0:
   version "1.0.2"
@@ -2470,8 +2483,8 @@ focus-trap-react@^3.0.4, focus-trap-react@^3.1.1:
     focus-trap "^2.0.1"
 
 focus-trap@^2.0.1:
-  version "2.4.2"
-  resolved "https://registry.yarnpkg.com/focus-trap/-/focus-trap-2.4.2.tgz#44ea1c55a9c22c2b6529dcebbde6390eb2ee4c88"
+  version "2.4.5"
+  resolved "https://registry.yarnpkg.com/focus-trap/-/focus-trap-2.4.5.tgz#91c9c9ffb907f8f4446d80202dda9c12c2853ddb"
   dependencies:
     tabbable "^1.0.3"
 
@@ -3316,10 +3329,16 @@ icalendar@0.7.1:
   version "0.7.1"
   resolved "https://registry.yarnpkg.com/icalendar/-/icalendar-0.7.1.tgz#d0d3486795f8f1c5cf4f8cafac081b4b4e7a32ae"
 
-iconv-lite@0.4.19, iconv-lite@^0.4.19, iconv-lite@~0.4.13:
+iconv-lite@0.4.19, iconv-lite@^0.4.19:
   version "0.4.19"
   resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.19.tgz#f7468f60135f5e5dad3399c0a81be9a1603a082b"
 
+iconv-lite@~0.4.13:
+  version "0.4.23"
+  resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.23.tgz#297871f63be507adcfbfca715d0cd0eed84e9a63"
+  dependencies:
+    safer-buffer ">= 2.1.2 < 3"
+
 ieee754@^1.1.4:
   version "1.1.8"
   resolved "https://registry.yarnpkg.com/ieee754/-/ieee754-1.1.8.tgz#be33d40ac10ef1926701f6f08a2d86fbfd1ad3e4"
@@ -4513,7 +4532,11 @@ lodash@3.10.1, lodash@^3.10.0, lodash@^3.10.1:
   version "3.10.1"
   resolved "https://registry.yarnpkg.com/lodash/-/lodash-3.10.1.tgz#5bf45e8e49ba4189e17d482789dfd15bd140b7b6"
 
-lodash@^4.0.1, lodash@^4.13.1, lodash@^4.14.0, lodash@^4.15.0, lodash@^4.17.4, lodash@^4.2.0, lodash@^4.2.1:
+lodash@^4.0.1:
+  version "4.17.10"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.10.tgz#1b7793cf7259ea38fb3661d4d38b3260af8ae4e7"
+
+lodash@^4.13.1, lodash@^4.14.0, lodash@^4.15.0, lodash@^4.17.4, lodash@^4.2.0, lodash@^4.2.1:
   version "4.17.4"
   resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.4.tgz#78203a4d1c328ae1d86dca6460e369b57f4055ae"
 
@@ -5539,7 +5562,7 @@ prop-types@15.5.8:
   dependencies:
     fbjs "^0.8.9"
 
-prop-types@^15.5.0, prop-types@^15.5.10, prop-types@^15.5.4, prop-types@^15.5.8, prop-types@^15.6.0:
+prop-types@^15.5.0, prop-types@^15.5.4, prop-types@^15.6.0:
   version "15.6.0"
   resolved "https://registry.yarnpkg.com/prop-types/-/prop-types-15.6.0.tgz#ceaf083022fc46b4a35f69e13ef75aed0d639856"
   dependencies:
@@ -5547,7 +5570,7 @@ prop-types@^15.5.0, prop-types@^15.5.10, prop-types@^15.5.4, prop-types@^15.5.8,
     loose-envify "^1.3.1"
     object-assign "^4.1.1"
 
-prop-types@^15.6.1:
+prop-types@^15.5.10, prop-types@^15.5.8, prop-types@^15.6.1:
   version "15.6.1"
   resolved "https://registry.yarnpkg.com/prop-types/-/prop-types-15.6.1.tgz#36644453564255ddda391191fb3a125cbdf654ca"
   dependencies:
@@ -5710,8 +5733,8 @@ react-clipboard.js@^1.1.2:
     prop-types "^15.5.0"
 
 react-color@^2.13.8:
-  version "2.13.8"
-  resolved "https://registry.yarnpkg.com/react-color/-/react-color-2.13.8.tgz#bcc58f79a722b9bfc37c402e68cd18f26970aee4"
+  version "2.14.1"
+  resolved "https://registry.yarnpkg.com/react-color/-/react-color-2.14.1.tgz#db8ad4f45d81e74896fc2e1c99508927c6d084e0"
   dependencies:
     lodash "^4.0.1"
     material-colors "^1.2.1"
@@ -5743,6 +5766,10 @@ react-input-autosize@^2.1.2, react-input-autosize@^2.2.1:
   dependencies:
     prop-types "^15.5.8"
 
+react-lifecycles-compat@^3.0.4:
+  version "3.0.4"
+  resolved "https://registry.yarnpkg.com/react-lifecycles-compat/-/react-lifecycles-compat-3.0.4.tgz#4f1a273afdfc8f3488a8c516bfda78f872352362"
+
 react-markdown-renderer@^1.4.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/react-markdown-renderer/-/react-markdown-renderer-1.4.0.tgz#f3b95bd9fc7f7bf8ab3f0150aa696b41740e7d01"
@@ -5855,14 +5882,15 @@ react-test-renderer@^16.0.0-0, react-test-renderer@^16.2.0:
     prop-types "^15.6.0"
 
 react-virtualized@^9.18.5:
-  version "9.18.5"
-  resolved "https://registry.yarnpkg.com/react-virtualized/-/react-virtualized-9.18.5.tgz#42dd390ebaa7ea809bfcaf775d39872641679b89"
+  version "9.19.1"
+  resolved "https://registry.yarnpkg.com/react-virtualized/-/react-virtualized-9.19.1.tgz#84b53253df2d9df61c85ce037141edccc70a73fd"
   dependencies:
     babel-runtime "^6.26.0"
     classnames "^2.2.3"
     dom-helpers "^2.4.0 || ^3.0.0"
     loose-envify "^1.3.0"
     prop-types "^15.6.0"
+    react-lifecycles-compat "^3.0.4"
 
 react-vis@^1.8.1:
   version "1.8.2"
@@ -5924,7 +5952,7 @@ read-pkg@^1.0.0:
     isarray "0.0.1"
     string_decoder "~0.10.x"
 
-readable-stream@^2.0.0, readable-stream@^2.0.1, readable-stream@^2.0.2, readable-stream@^2.0.4, readable-stream@^2.0.5, readable-stream@^2.0.6, readable-stream@^2.1.4, readable-stream@^2.1.5, readable-stream@^2.2.2:
+readable-stream@^2.0.0, readable-stream@^2.0.1, readable-stream@^2.0.2, readable-stream@^2.0.4, readable-stream@^2.0.5, readable-stream@^2.0.6, readable-stream@^2.1.4, readable-stream@^2.1.5:
   version "2.3.3"
   resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-2.3.3.tgz#368f2512d79f9d46fdfc71349ae7878bbc1eb95c"
   dependencies:
@@ -5936,6 +5964,18 @@ readable-stream@^2.0.0, readable-stream@^2.0.1, readable-stream@^2.0.2, readable
     string_decoder "~1.0.3"
     util-deprecate "~1.0.1"
 
+readable-stream@^2.2.2:
+  version "2.3.6"
+  resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-2.3.6.tgz#b11c27d88b8ff1fbe070643cf94b0c79ae1b0aaf"
+  dependencies:
+    core-util-is "~1.0.0"
+    inherits "~2.0.3"
+    isarray "~1.0.0"
+    process-nextick-args "~2.0.0"
+    safe-buffer "~5.1.1"
+    string_decoder "~1.1.1"
+    util-deprecate "~1.0.1"
+
 readable-stream@^2.3.3, readable-stream@^2.3.5:
   version "2.3.5"
   resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-2.3.5.tgz#b4f85003a938cbb6ecbce2a124fb1012bd1a838d"
@@ -6335,10 +6375,18 @@ rxjs@5.3.0:
   dependencies:
     symbol-observable "^1.0.1"
 
-safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@~5.1.0, safe-buffer@~5.1.1:
+safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1:
   version "5.1.1"
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
 
+safe-buffer@~5.1.0, safe-buffer@~5.1.1:
+  version "5.1.2"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.2.tgz#991ec69d296e0313747d59bdfd2b745c35f8828d"
+
+"safer-buffer@>= 2.1.2 < 3":
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
+
 samsam@1.1.2:
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.1.2.tgz#bec11fdc83a9fda063401210e40176c3024d1567"
@@ -6739,6 +6787,12 @@ string_decoder@~1.0.3:
   dependencies:
     safe-buffer "~5.1.0"
 
+string_decoder@~1.1.1:
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/string_decoder/-/string_decoder-1.1.1.tgz#9cf1611ba62685d7030ae9e4ba34149c3af03fc8"
+  dependencies:
+    safe-buffer "~5.1.0"
+
 stringstream@~0.0.4, stringstream@~0.0.5:
   version "0.0.5"
   resolved "https://registry.yarnpkg.com/stringstream/-/stringstream-0.0.5.tgz#4e484cd4de5a0bbbee18e46307710a8a81621878"
@@ -6898,8 +6952,8 @@ tabbable@1.1.0:
   resolved "https://registry.yarnpkg.com/tabbable/-/tabbable-1.1.0.tgz#2c9a9c9f09db5bb0659f587d532548dd6ef2067b"
 
 tabbable@^1.0.3, tabbable@^1.1.0:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/tabbable/-/tabbable-1.1.2.tgz#b171680aea6e0a3e9281ff23532e2e5de11c0d94"
+  version "1.1.3"
+  resolved "https://registry.yarnpkg.com/tabbable/-/tabbable-1.1.3.tgz#0e4ee376f3631e42d7977a074dbd2b3827843081"
 
 tar-fs@1.13.0:
   version "1.13.0"
@@ -7160,8 +7214,8 @@ typedarray@^0.0.6, typedarray@~0.0.5:
   resolved "https://registry.yarnpkg.com/typedarray/-/typedarray-0.0.6.tgz#867ac74e3864187b1d3d47d996a78ec5c8830777"
 
 ua-parser-js@^0.7.9:
-  version "0.7.17"
-  resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.17.tgz#e9ec5f9498b9ec910e7ae3ac626a805c4d09ecac"
+  version "0.7.18"
+  resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.18.tgz#a7bfd92f56edfb117083b69e31d2aa8882d4b1ed"
 
 uglify-js@^2.6:
   version "2.8.29"
@@ -7293,10 +7347,14 @@ uuid@3.0.1:
   version "3.0.1"
   resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.0.1.tgz#6544bba2dfda8c1cf17e629a3a305e2bb1fee6c1"
 
-uuid@^3.0.0, uuid@^3.1.0:
+uuid@^3.0.0:
   version "3.1.0"
   resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.1.0.tgz#3dd3d3e790abc24d7b0d3a034ffababe28ebbc04"
 
+uuid@^3.1.0:
+  version "3.2.1"
+  resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.2.1.tgz#12c528bb9d58d0b9265d9a2f6f0fe8be17ff1f14"
+
 v8flags@^2.0.2:
   version "2.1.1"
   resolved "https://registry.yarnpkg.com/v8flags/-/v8flags-2.1.1.tgz#aab1a1fa30d45f88dd321148875ac02c0b55e5b4"
@@ -7489,8 +7547,8 @@ whatwg-encoding@^1.0.1:
     iconv-lite "0.4.19"
 
 whatwg-fetch@>=0.10.0:
-  version "2.0.3"
-  resolved "https://registry.yarnpkg.com/whatwg-fetch/-/whatwg-fetch-2.0.3.tgz#9c84ec2dcf68187ff00bc64e1274b442176e1c84"
+  version "2.0.4"
+  resolved "https://registry.yarnpkg.com/whatwg-fetch/-/whatwg-fetch-2.0.4.tgz#dde6a5df315f9d39991aa17621853d720b85566f"
 
 whatwg-url@^6.3.0:
   version "6.4.0"
diff --git a/yarn.lock b/yarn.lock
index 2098dda85233c6..459cd99a1d3eaf 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -77,9 +77,9 @@
   version "0.0.0"
   uid ""
 
-"@elastic/eui@0.0.47", "@elastic/eui@v0.0.47":
-  version "0.0.47"
-  resolved "https://registry.yarnpkg.com/@elastic/eui/-/eui-0.0.47.tgz#5bae27966bb1d68bb3106853610a407509053b44"
+"@elastic/eui@v0.0.51":
+  version "0.0.51"
+  resolved "https://registry.yarnpkg.com/@elastic/eui/-/eui-0.0.51.tgz#5d809af270dd9994a609fd01eaa84e21a62fff98"
   dependencies:
     brace "^0.10.0"
     classnames "^2.2.5"
@@ -1860,6 +1860,10 @@ buffer-equal@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/buffer-equal/-/buffer-equal-1.0.0.tgz#59616b498304d556abd466966b22eeda3eca5fbe"
 
+buffer-from@^1.0.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/buffer-from/-/buffer-from-1.1.0.tgz#87fcaa3a298358e0ade6e442cfce840740d1ad04"
+
 buffer-xor@^1.0.3:
   version "1.0.3"
   resolved "https://registry.yarnpkg.com/buffer-xor/-/buffer-xor-1.0.3.tgz#26e61ed1422fb70dd42e6e36729ed51d855fe8d9"
@@ -2576,7 +2580,16 @@ concat-stream@1.6.0:
     readable-stream "^2.2.2"
     typedarray "^0.0.6"
 
-concat-stream@^1.4.7, concat-stream@^1.5.2, concat-stream@^1.6.0, concat-stream@~1.6.0:
+concat-stream@^1.4.7:
+  version "1.6.2"
+  resolved "https://registry.yarnpkg.com/concat-stream/-/concat-stream-1.6.2.tgz#904bdf194cd3122fc675c77fc4ac3d4ff0fd1a34"
+  dependencies:
+    buffer-from "^1.0.0"
+    inherits "^2.0.3"
+    readable-stream "^2.2.2"
+    typedarray "^0.0.6"
+
+concat-stream@^1.5.2, concat-stream@^1.6.0, concat-stream@~1.6.0:
   version "1.6.1"
   resolved "https://registry.yarnpkg.com/concat-stream/-/concat-stream-1.6.1.tgz#261b8f518301f1d834e36342b9fea095d2620a26"
   dependencies:
@@ -2699,10 +2712,14 @@ core-js@^1.0.0:
   version "1.2.7"
   resolved "https://registry.yarnpkg.com/core-js/-/core-js-1.2.7.tgz#652294c14651db28fa93bd2d5ff2983a4f08c636"
 
-core-js@^2.2.0, core-js@^2.4.0, core-js@^2.5.0, core-js@^2.5.1:
+core-js@^2.2.0, core-js@^2.5.0:
   version "2.5.3"
   resolved "https://registry.yarnpkg.com/core-js/-/core-js-2.5.3.tgz#8acc38345824f16d8365b7c9b4259168e8ed603e"
 
+core-js@^2.4.0, core-js@^2.5.1:
+  version "2.5.7"
+  resolved "https://registry.yarnpkg.com/core-js/-/core-js-2.5.7.tgz#f972608ff0cead68b841a16a932d0b183791814e"
+
 core-util-is@1.0.2, core-util-is@~1.0.0:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/core-util-is/-/core-util-is-1.0.2.tgz#b5fd54220aa2bc5ab57aab7140c940754503c1a7"
@@ -4772,8 +4789,8 @@ focus-trap-react@^3.0.4, focus-trap-react@^3.1.1:
     focus-trap "^2.0.1"
 
 focus-trap@^2.0.1:
-  version "2.4.3"
-  resolved "https://registry.yarnpkg.com/focus-trap/-/focus-trap-2.4.3.tgz#95edc23e77829b7772cb2486d61fd6371ce112f9"
+  version "2.4.5"
+  resolved "https://registry.yarnpkg.com/focus-trap/-/focus-trap-2.4.5.tgz#91c9c9ffb907f8f4446d80202dda9c12c2853ddb"
   dependencies:
     tabbable "^1.0.3"
 
@@ -5905,7 +5922,7 @@ icalendar@0.7.1:
   version "0.7.1"
   resolved "https://registry.yarnpkg.com/icalendar/-/icalendar-0.7.1.tgz#d0d3486795f8f1c5cf4f8cafac081b4b4e7a32ae"
 
-iconv-lite@0.4, iconv-lite@0.4.19, iconv-lite@^0.4.13, iconv-lite@^0.4.17, iconv-lite@^0.4.19, iconv-lite@~0.4.13:
+iconv-lite@0.4, iconv-lite@0.4.19, iconv-lite@^0.4.13, iconv-lite@^0.4.17, iconv-lite@^0.4.19:
   version "0.4.19"
   resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.19.tgz#f7468f60135f5e5dad3399c0a81be9a1603a082b"
 
@@ -5917,6 +5934,12 @@ iconv-lite@0.4.7:
   version "0.4.7"
   resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.7.tgz#89d32fec821bf8597f44609b4bc09bed5c209a23"
 
+iconv-lite@~0.4.13:
+  version "0.4.23"
+  resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.23.tgz#297871f63be507adcfbfca715d0cd0eed84e9a63"
+  dependencies:
+    safer-buffer ">= 2.1.2 < 3"
+
 icss-replace-symbols@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/icss-replace-symbols/-/icss-replace-symbols-1.1.0.tgz#06ea6f83679a7749e386cfe1fe812ae5db223ded"
@@ -10041,7 +10064,16 @@ rc@^1.0.1, rc@^1.1.6, rc@^1.1.7:
     minimist "^1.2.0"
     strip-json-comments "~2.0.1"
 
-react-ace@^5.5.0, react-ace@^5.9.0:
+react-ace@^5.5.0:
+  version "5.10.0"
+  resolved "https://registry.yarnpkg.com/react-ace/-/react-ace-5.10.0.tgz#e328b37ac52759f700be5afdb86ada2f5ec84c5e"
+  dependencies:
+    brace "^0.11.0"
+    lodash.get "^4.4.2"
+    lodash.isequal "^4.1.1"
+    prop-types "^15.5.8"
+
+react-ace@^5.9.0:
   version "5.9.0"
   resolved "https://registry.yarnpkg.com/react-ace/-/react-ace-5.9.0.tgz#427a1cc4869b960a6f9748aa7eb169a9269fc336"
   dependencies:
@@ -10129,6 +10161,10 @@ react-input-range@^1.3.0:
     autobind-decorator "^1.3.4"
     prop-types "^15.5.8"
 
+react-lifecycles-compat@^3.0.4:
+  version "3.0.4"
+  resolved "https://registry.yarnpkg.com/react-lifecycles-compat/-/react-lifecycles-compat-3.0.4.tgz#4f1a273afdfc8f3488a8c516bfda78f872352362"
+
 react-markdown-renderer@^1.4.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/react-markdown-renderer/-/react-markdown-renderer-1.4.0.tgz#f3b95bd9fc7f7bf8ab3f0150aa696b41740e7d01"
@@ -10271,14 +10307,15 @@ react-toggle@4.0.2:
     classnames "^2.2.5"
 
 react-virtualized@^9.18.5:
-  version "9.18.5"
-  resolved "https://registry.yarnpkg.com/react-virtualized/-/react-virtualized-9.18.5.tgz#42dd390ebaa7ea809bfcaf775d39872641679b89"
+  version "9.19.1"
+  resolved "https://registry.yarnpkg.com/react-virtualized/-/react-virtualized-9.19.1.tgz#84b53253df2d9df61c85ce037141edccc70a73fd"
   dependencies:
     babel-runtime "^6.26.0"
     classnames "^2.2.3"
     dom-helpers "^2.4.0 || ^3.0.0"
     loose-envify "^1.3.0"
     prop-types "^15.6.0"
+    react-lifecycles-compat "^3.0.4"
 
 react-vis@^1.8.1:
   version "1.9.2"
@@ -10381,7 +10418,7 @@ read-pkg@^2.0.0:
     normalize-package-data "^2.3.2"
     path-type "^2.0.0"
 
-readable-stream@^2.0.0, readable-stream@^2.0.1, readable-stream@^2.0.2, readable-stream@^2.0.4, readable-stream@^2.0.5, readable-stream@^2.0.6, readable-stream@^2.1.4, readable-stream@^2.1.5, readable-stream@^2.2.2, readable-stream@^2.3.3, readable-stream@^2.3.5, readable-stream@~2.3.3:
+readable-stream@^2.0.0, readable-stream@^2.0.1, readable-stream@^2.0.2, readable-stream@^2.0.4, readable-stream@^2.0.5, readable-stream@^2.0.6, readable-stream@^2.1.4, readable-stream@^2.1.5, readable-stream@^2.3.3, readable-stream@^2.3.5, readable-stream@~2.3.3:
   version "2.3.5"
   resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-2.3.5.tgz#b4f85003a938cbb6ecbce2a124fb1012bd1a838d"
   dependencies:
@@ -10393,6 +10430,18 @@ readable-stream@^2.0.0, readable-stream@^2.0.1, readable-stream@^2.0.2, readable
     string_decoder "~1.0.3"
     util-deprecate "~1.0.1"
 
+readable-stream@^2.2.2:
+  version "2.3.6"
+  resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-2.3.6.tgz#b11c27d88b8ff1fbe070643cf94b0c79ae1b0aaf"
+  dependencies:
+    core-util-is "~1.0.0"
+    inherits "~2.0.3"
+    isarray "~1.0.0"
+    process-nextick-args "~2.0.0"
+    safe-buffer "~5.1.1"
+    string_decoder "~1.1.1"
+    util-deprecate "~1.0.1"
+
 readable-stream@~1.0.2:
   version "1.0.34"
   resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-1.0.34.tgz#125820e34bc842d2f2aaafafe4c2916ee32c157c"
@@ -10928,10 +10977,14 @@ rxjs@5.4.3:
   dependencies:
     symbol-observable "^1.0.1"
 
-safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@~5.1.0, safe-buffer@~5.1.1:
+safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1:
   version "5.1.1"
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
 
+safe-buffer@~5.1.0, safe-buffer@~5.1.1:
+  version "5.1.2"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.2.tgz#991ec69d296e0313747d59bdfd2b745c35f8828d"
+
 safe-json-stringify@~1:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/safe-json-stringify/-/safe-json-stringify-1.1.0.tgz#bd2b6dad1ebafab3c24672a395527f01804b7e19"
@@ -10949,6 +11002,10 @@ safefs@^4.0.0:
     editions "^1.1.1"
     graceful-fs "^4.1.4"
 
+"safer-buffer@>= 2.1.2 < 3":
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
+
 samsam@1.1.2:
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.1.2.tgz#bec11fdc83a9fda063401210e40176c3024d1567"
@@ -11622,6 +11679,12 @@ string_decoder@~1.0.3:
   dependencies:
     safe-buffer "~5.1.0"
 
+string_decoder@~1.1.1:
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/string_decoder/-/string_decoder-1.1.1.tgz#9cf1611ba62685d7030ae9e4ba34149c3af03fc8"
+  dependencies:
+    safe-buffer "~5.1.0"
+
 stringstream@~0.0.4, stringstream@~0.0.5:
   version "0.0.5"
   resolved "https://registry.yarnpkg.com/stringstream/-/stringstream-0.0.5.tgz#4e484cd4de5a0bbbee18e46307710a8a81621878"
@@ -11820,8 +11883,8 @@ tabbable@1.1.0:
   resolved "https://registry.yarnpkg.com/tabbable/-/tabbable-1.1.0.tgz#2c9a9c9f09db5bb0659f587d532548dd6ef2067b"
 
 tabbable@^1.0.3, tabbable@^1.1.0:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/tabbable/-/tabbable-1.1.2.tgz#b171680aea6e0a3e9281ff23532e2e5de11c0d94"
+  version "1.1.3"
+  resolved "https://registry.yarnpkg.com/tabbable/-/tabbable-1.1.3.tgz#0e4ee376f3631e42d7977a074dbd2b3827843081"
 
 table@^3.7.8:
   version "3.8.3"
@@ -12276,8 +12339,8 @@ typescript@^2.8.1:
   resolved "https://registry.yarnpkg.com/typescript/-/typescript-2.8.1.tgz#6160e4f8f195d5ba81d4876f9c0cc1fbc0820624"
 
 ua-parser-js@^0.7.9:
-  version "0.7.17"
-  resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.17.tgz#e9ec5f9498b9ec910e7ae3ac626a805c4d09ecac"
+  version "0.7.18"
+  resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.18.tgz#a7bfd92f56edfb117083b69e31d2aa8882d4b1ed"
 
 uc.micro@^1.0.1, uc.micro@^1.0.3:
   version "1.0.5"
@@ -13116,7 +13179,11 @@ whatwg-encoding@^1.0.1, whatwg-encoding@^1.0.3:
   dependencies:
     iconv-lite "0.4.19"
 
-whatwg-fetch@>=0.10.0, whatwg-fetch@^2.0.3:
+whatwg-fetch@>=0.10.0:
+  version "2.0.4"
+  resolved "https://registry.yarnpkg.com/whatwg-fetch/-/whatwg-fetch-2.0.4.tgz#dde6a5df315f9d39991aa17621853d720b85566f"
+
+whatwg-fetch@^2.0.3:
   version "2.0.3"
   resolved "https://registry.yarnpkg.com/whatwg-fetch/-/whatwg-fetch-2.0.3.tgz#9c84ec2dcf68187ff00bc64e1274b442176e1c84"
 

From 60d5917e40208a9a4a81bcac3d92a562cf237d4a Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 7 Jun 2018 15:00:27 -0400
Subject: [PATCH 037/183] Removing unused code, fixing misspelling, adding
 comment

---
 .../lib/privileges/privilege_action_registry.test.js       | 2 +-
 x-pack/plugins/security/server/routes/api/v1/privileges.js | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
index 2fcfd5c2caaa00..398a68a097ed94 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
@@ -162,7 +162,7 @@ registerPrivilegesWithClusterTest(`updates privileges when nested privileges arr
   }
 });
 
-registerPrivilegesWithClusterTest(`updates privileges when nested propertry array values are reordered`, {
+registerPrivilegesWithClusterTest(`updates privileges when nested property array values are reordered`, {
   expectedPrivileges: {
     kibana: {
       foo: ['one', 'two']
diff --git a/x-pack/plugins/security/server/routes/api/v1/privileges.js b/x-pack/plugins/security/server/routes/api/v1/privileges.js
index 1e6ac21fb54e06..f7d6e7c6a00394 100644
--- a/x-pack/plugins/security/server/routes/api/v1/privileges.js
+++ b/x-pack/plugins/security/server/routes/api/v1/privileges.js
@@ -7,12 +7,9 @@
 /*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
  * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
 
-import { getClient } from '../../../../../../server/lib/get_client_shield';
 import { buildPrivilegeMap } from '../../../lib/privileges/privileges';
 
 export function initPrivilegesApi(server) {
-  const callWithInternalUser = getClient(server).callWithInternalUser; // eslint-disable-line no-unused-vars
-
   const config = server.config();
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
@@ -21,6 +18,10 @@ export function initPrivilegesApi(server) {
     method: 'GET',
     path: '/api/security/v1/privileges',
     handler(request, reply) {
+      // we're returing our representation of the privileges, as opposed to the ones that are stored
+      // in Elasticsearch because our current thinking is that we'll associate additional structure/metadata
+      // with our view of them to allow users to more efficiently edit privileges for roles, and serialize it
+      // into a different structure for enforcement within Elasticsearch
       const privileges = buildPrivilegeMap(application, kibanaVersion);
       reply(Object.values(privileges[application]));
     }

From 4b3c6bae3e5aee41d407b1f2ebf615461493bfd4 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 7 Jun 2018 15:02:36 -0400
Subject: [PATCH 038/183] Putting a file back

---
 .../routes/api/v1/{roles/index.js => roles.js}      | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
 rename x-pack/plugins/security/server/routes/api/v1/{roles/index.js => roles.js} (84%)

diff --git a/x-pack/plugins/security/server/routes/api/v1/roles/index.js b/x-pack/plugins/security/server/routes/api/v1/roles.js
similarity index 84%
rename from x-pack/plugins/security/server/routes/api/v1/roles/index.js
rename to x-pack/plugins/security/server/routes/api/v1/roles.js
index 8e0e114798c3c7..180160cb85a17e 100644
--- a/x-pack/plugins/security/server/routes/api/v1/roles/index.js
+++ b/x-pack/plugins/security/server/routes/api/v1/roles.js
@@ -6,10 +6,10 @@
 
 import _ from 'lodash';
 import Boom from 'boom';
-import { getClient } from '../../../../../../../server/lib/get_client_shield';
-import { roleSchema } from '../../../../lib/role_schema';
-import { wrapError } from '../../../../lib/errors';
-import { routePreCheckLicense } from '../../../../lib/route_pre_check_license';
+import { getClient } from '../../../../../../server/lib/get_client_shield';
+import { roleSchema } from '../../../lib/role_schema';
+import { wrapError } from '../../../lib/errors';
+import { routePreCheckLicense } from '../../../lib/route_pre_check_license';
 
 export function initRolesApi(server) {
   const callWithRequest = getClient(server).callWithRequest;
@@ -21,9 +21,7 @@ export function initRolesApi(server) {
     handler(request, reply) {
       return callWithRequest(request, 'shield.getRole').then(
         (response) => {
-          const roles = _.map(response, (role, name) => {
-            return _.assign(role, { name });
-          });
+          const roles = _.map(response, (role, name) => _.assign(role, { name }));
 
           return reply(roles);
         },
@@ -58,7 +56,6 @@ export function initRolesApi(server) {
     handler(request, reply) {
       const name = request.params.name;
       const body = _.omit(request.payload, 'name');
-
       return callWithRequest(request, 'shield.putRole', { name, body }).then(
         () => reply(request.payload),
         _.flow(wrapError, reply));

From 117b0d4262c946f82b35a8286fb86173e52255f9 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Mon, 11 Jun 2018 11:42:55 -0400
Subject: [PATCH 039/183] No longer creating the roles on start-up (#19799)

---
 x-pack/plugins/security/index.js              |   3 -
 .../create_default_roles.test.js.snap         |   9 -
 .../lib/authorization/create_default_roles.js |  63 -----
 .../create_default_roles.test.js              | 216 ------------------
 .../apis/saved_objects/index.js               |  30 +++
 5 files changed, 30 insertions(+), 291 deletions(-)
 delete mode 100644 x-pack/plugins/security/server/lib/authorization/__snapshots__/create_default_roles.test.js.snap
 delete mode 100644 x-pack/plugins/security/server/lib/authorization/create_default_roles.js
 delete mode 100644 x-pack/plugins/security/server/lib/authorization/create_default_roles.test.js

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 70596f89e4039b..e0db6b206e3d91 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -18,7 +18,6 @@ import { checkLicense } from './server/lib/check_license';
 import { initAuthenticator } from './server/lib/authentication/authenticator';
 import { mirrorStatusAndInitialize } from './server/lib/mirror_status_and_initialize';
 import { registerPrivilegesWithCluster } from './server/lib/privileges';
-import { createDefaultRoles } from './server/lib/authorization/create_default_roles';
 import { initPrivilegesApi } from './server/routes/api/v1/privileges';
 import { hasPrivilegesWithServer } from './server/lib/authorization/has_privileges';
 import { SecurityAuditLogger } from './server/lib/audit_logger';
@@ -46,7 +45,6 @@ export const security = (kibana) => new kibana.Plugin({
       }).default(),
       rbac: Joi.object({
         enabled: Joi.boolean().default(false),
-        createDefaultRoles: Joi.boolean().default(true),
         application: Joi.string().default('kibana').regex(
           /[a-zA-Z0-9-_]+/,
           `may contain alphanumeric characters (a-z, A-Z, 0-9), underscores and hyphens`
@@ -99,7 +97,6 @@ export const security = (kibana) => new kibana.Plugin({
       }
 
       await registerPrivilegesWithCluster(server);
-      await createDefaultRoles(server);
     });
 
     // Register a function that is called whenever the xpack info changes,
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/create_default_roles.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/create_default_roles.test.js.snap
deleted file mode 100644
index 20c6d549ffb22d..00000000000000
--- a/x-pack/plugins/security/server/lib/authorization/__snapshots__/create_default_roles.test.js.snap
+++ /dev/null
@@ -1,9 +0,0 @@
-// Jest Snapshot v1, https://goo.gl/fbAQLP
-
-exports[`dashboard_only_user throws error when shield.getRole throws non 404 error 1`] = `undefined`;
-
-exports[`dashboard_only_user throws error when shield.putRole throws error 1`] = `"Some other error"`;
-
-exports[`rbac_user throws error when shield.getRole throws non 404 error 1`] = `undefined`;
-
-exports[`rbac_user throws error when shield.putRole throws error 1`] = `"Some other error"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/create_default_roles.js b/x-pack/plugins/security/server/lib/authorization/create_default_roles.js
deleted file mode 100644
index 933c36a98cf7ab..00000000000000
--- a/x-pack/plugins/security/server/lib/authorization/create_default_roles.js
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-
-import { getClient } from '../../../../../server/lib/get_client_shield';
-import { DEFAULT_RESOURCE } from '../../../common/constants';
-
-
-const createRoleIfDoesntExist = async (callCluster, { name, application, privilege }) => {
-  try {
-    await callCluster('shield.getRole', { name });
-  } catch (err) {
-    if (err.statusCode !== 404) {
-      throw err;
-    }
-
-    await callCluster('shield.putRole', {
-      name,
-      body: {
-        cluster: [],
-        index: [],
-        applications: [
-          {
-            application,
-            privileges: [ privilege ],
-            resources: [ DEFAULT_RESOURCE ]
-          }
-        ]
-      }
-    });
-  }
-};
-
-export async function createDefaultRoles(server) {
-  const config = server.config();
-
-  if (!config.get('xpack.security.rbac.createDefaultRoles')) {
-    return;
-  }
-
-  const application = config.get('xpack.security.rbac.application');
-
-  const callCluster = getClient(server).callWithInternalUser;
-
-  const createKibanaUserRole = createRoleIfDoesntExist(callCluster, {
-    name: `${application}_rbac_user`,
-    application,
-    privilege: 'all'
-  });
-
-  const createKibanaDashboardOnlyRole = createRoleIfDoesntExist(callCluster, {
-    name: `${application}_rbac_dashboard_only_user`,
-    application,
-    privilege: 'read'
-  });
-
-  await Promise.all([createKibanaUserRole, createKibanaDashboardOnlyRole]);
-}
diff --git a/x-pack/plugins/security/server/lib/authorization/create_default_roles.test.js b/x-pack/plugins/security/server/lib/authorization/create_default_roles.test.js
deleted file mode 100644
index fba00600397d96..00000000000000
--- a/x-pack/plugins/security/server/lib/authorization/create_default_roles.test.js
+++ /dev/null
@@ -1,216 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { createDefaultRoles } from './create_default_roles';
-import { getClient } from '../../../../../server/lib/get_client_shield';
-import { DEFAULT_RESOURCE } from '../../../common/constants';
-
-jest.mock('../../../../../server/lib/get_client_shield', () => ({
-  getClient: jest.fn()
-}));
-
-const mockShieldClient = () => {
-  const mockCallWithInternalUser = jest.fn();
-  getClient.mockReturnValue({
-    callWithInternalUser: mockCallWithInternalUser
-  });
-
-  return {
-    mockCallWithInternalUser
-  };
-};
-
-const defaultApplication = 'foo-application';
-
-const createMockServer = ({ settings = {} } = {}) => {
-  const mockServer = {
-    config: jest.fn().mockReturnValue({
-      get: jest.fn()
-    })
-  };
-
-  const defaultSettings = {
-    'xpack.security.rbac.createDefaultRoles': true,
-    'xpack.security.rbac.application': defaultApplication
-  };
-
-  mockServer.config().get.mockImplementation(key => {
-    return key in settings ? settings[key] : defaultSettings[key];
-  });
-
-  return mockServer;
-};
-
-test(`doesn't create roles if createDefaultRoles is false`, async () => {
-  const { mockCallWithInternalUser } = mockShieldClient();
-  const mockServer = createMockServer({
-    settings: {
-      'xpack.security.rbac.createDefaultRoles': false
-    }
-  });
-
-  await createDefaultRoles(mockServer);
-
-  expect(mockCallWithInternalUser).toHaveBeenCalledTimes(0);
-});
-
-describe(`rbac_user`, () => {
-  test(`doesn't create \${application}_rbac_user when it exists`, async () => {
-    const { mockCallWithInternalUser } = mockShieldClient();
-    const mockServer = createMockServer();
-    mockCallWithInternalUser.mockReturnValue(null);
-
-    await createDefaultRoles(mockServer);
-
-    expect(mockCallWithInternalUser).not.toHaveBeenCalledWith('shield.putRole', expect.anything());
-  });
-
-  test(`creates \${application}_rbac_user when it doesn't exist`, async () => {
-    const { mockCallWithInternalUser } = mockShieldClient();
-    const mockServer = createMockServer();
-    mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {
-      if (endpoint === 'shield.getRole' && params.name === `${defaultApplication}_rbac_user`) {
-        throw {
-          statusCode: 404
-        };
-      }
-
-      return null;
-    });
-
-    await createDefaultRoles(mockServer);
-
-    expect(mockCallWithInternalUser).toHaveBeenCalledWith('shield.putRole', {
-      name: `${defaultApplication}_rbac_user`,
-      body: {
-        cluster: [],
-        index: [],
-        applications: [
-          {
-            application: defaultApplication,
-            privileges: [ 'all' ],
-            resources: [ DEFAULT_RESOURCE ]
-          }
-        ]
-      }
-    });
-  });
-
-  test(`throws error when shield.getRole throws non 404 error`, async () => {
-    const { mockCallWithInternalUser } = mockShieldClient();
-    const mockServer = createMockServer();
-    mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {
-      if (endpoint === 'shield.getRole' && params.name === `${defaultApplication}_rbac_user`) {
-        throw {
-          statusCode: 500
-        };
-      }
-
-      return null;
-    });
-
-    expect(createDefaultRoles(mockServer)).rejects.toThrowErrorMatchingSnapshot();
-  });
-
-  test(`throws error when shield.putRole throws error`, async () => {
-    const { mockCallWithInternalUser } = mockShieldClient();
-    const mockServer = createMockServer();
-    mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {
-      if (endpoint === 'shield.getRole' && params.name === `${defaultApplication}_rbac_user`) {
-        throw {
-          statusCode: 404
-        };
-      }
-
-      if (endpoint === 'shield.putRole' && params.name === `${defaultApplication}_rbac_user`) {
-        throw new Error('Some other error');
-      }
-
-      return null;
-    });
-
-    await expect(createDefaultRoles(mockServer)).rejects.toThrowErrorMatchingSnapshot();
-  });
-});
-
-describe(`dashboard_only_user`, () => {
-  test(`doesn't create \${application}_rbac_dashboard_only_user when it exists`, async () => {
-    const { mockCallWithInternalUser } = mockShieldClient();
-    const mockServer = createMockServer();
-    mockCallWithInternalUser.mockReturnValue(null);
-
-    await createDefaultRoles(mockServer);
-
-    expect(mockCallWithInternalUser).not.toHaveBeenCalledWith('shield.putRole', expect.anything());
-  });
-
-  test(`creates \${application}_rbac_dashboard_only_user when it doesn't exist`, async () => {
-    const { mockCallWithInternalUser } = mockShieldClient();
-    const mockServer = createMockServer();
-    mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {
-      if (endpoint === 'shield.getRole' && params.name === `${defaultApplication}_rbac_dashboard_only_user`) {
-        throw {
-          statusCode: 404
-        };
-      }
-
-      return null;
-    });
-
-    await createDefaultRoles(mockServer);
-
-    expect(mockCallWithInternalUser).toHaveBeenCalledWith('shield.putRole', {
-      name: `${defaultApplication}_rbac_dashboard_only_user`,
-      body: {
-        cluster: [],
-        index: [],
-        applications: [
-          {
-            application: defaultApplication,
-            privileges: [ 'read' ],
-            resources: [ DEFAULT_RESOURCE ]
-          }
-        ]
-      }
-    });
-  });
-
-  test(`throws error when shield.getRole throws non 404 error`, async () => {
-    const { mockCallWithInternalUser } = mockShieldClient();
-    const mockServer = createMockServer();
-    mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {
-      if (endpoint === 'shield.getRole' && params.name === `${defaultApplication}_rbac_dashboard_only_user`) {
-        throw {
-          statusCode: 500
-        };
-      }
-
-      return null;
-    });
-
-    await expect(createDefaultRoles(mockServer)).rejects.toThrowErrorMatchingSnapshot();
-  });
-
-  test(`throws error when shield.putRole throws error`, async () => {
-    const { mockCallWithInternalUser } = mockShieldClient();
-    const mockServer = createMockServer();
-    mockCallWithInternalUser.mockImplementation(async (endpoint, params) => {
-      if (endpoint === 'shield.getRole' && params.name === `${defaultApplication}_rbac_dashboard_only_user`) {
-        throw {
-          statusCode: 404
-        };
-      }
-
-      if (endpoint === 'shield.putRole' && params.name === `${defaultApplication}_rbac_dashboard_only_user`) {
-        throw new Error('Some other error');
-      }
-
-      return null;
-    });
-
-    await expect(createDefaultRoles(mockServer)).rejects.toThrowErrorMatchingSnapshot();
-  });
-});
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
index 644bf23220648e..1199bd5986e66d 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
@@ -11,6 +11,36 @@ export default function ({ loadTestFile, getService }) {
 
   describe('saved_objects', () => {
     before(async () => {
+      await es.shield.putRole({
+        name: 'kibana_rbac_user',
+        body: {
+          cluster: [],
+          index: [],
+          applications: [
+            {
+              application: 'kibana',
+              privileges: [ 'all' ],
+              resources: [ 'default' ]
+            }
+          ]
+        }
+      });
+
+      await es.shield.putRole({
+        name: 'kibana_rbac_dashboard_only_user',
+        body: {
+          cluster: [],
+          index: [],
+          applications: [
+            {
+              application: 'kibana',
+              privileges: [ 'read' ],
+              resources: [ 'default' ]
+            }
+          ]
+        }
+      });
+
       await es.shield.putUser({
         username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
         body: {

From c42635bf34c271e9787ac59d96c0d8fbd50ee023 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Tue, 12 Jun 2018 14:50:19 -0400
Subject: [PATCH 040/183] Removing kibana_rbac_dashboard_only_user from
 dashboard only role defaults

---
 x-pack/plugins/dashboard_mode/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/dashboard_mode/index.js b/x-pack/plugins/dashboard_mode/index.js
index 4333aa772c779b..e4afe029fc01ad 100644
--- a/x-pack/plugins/dashboard_mode/index.js
+++ b/x-pack/plugins/dashboard_mode/index.js
@@ -29,7 +29,7 @@ export function dashboardMode(kibana) {
         [CONFIG_DASHBOARD_ONLY_MODE_ROLES]: {
           name: 'Dashboards only roles',
           description: `Roles that belong to View Dashboards Only mode`,
-          value: ['kibana_dashboard_only_user', 'kibana_rbac_dashboard_only_user'],
+          value: ['kibana_dashboard_only_user'],
           category: ['dashboard'],
         }
       },

From e88707679bbbdac100f52c98d7654f18c7bda48b Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Tue, 12 Jun 2018 15:07:27 -0400
Subject: [PATCH 041/183] Fixing small issue with editing Kibana privileges

---
 x-pack/plugins/security/public/views/management/edit_role.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
index ffc1962f449378..77316db93bbd26 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role.js
@@ -36,7 +36,7 @@ const getKibanaPrivileges = (kibanaApplicationPrivilege, role, application) => {
   // we're filtering out privileges for non-default resources as well incase
   // the roles were created in a future version
   const applications = role.applications
-    .filter(x => x.application === application && x.application.resources.all(r => r === DEFAULT_RESOURCE));
+    .filter(x => x.application === application && x.resources.every(r => r === DEFAULT_RESOURCE));
 
   const assigned =  _.uniq(_.flatten(_.pluck(applications, 'privileges')));
   assigned.forEach(a => {

From a76e4a51b9749df33d8f880bddc536a01cf1a676 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Wed, 13 Jun 2018 15:22:13 -0400
Subject: [PATCH 042/183] [RBAC Phase 1] - Update application privileges when
 XPack license changes (#19839)

* Adding start to supporting basic license and switching to plat/gold

* Initialize application privilages on XPack license change

* restore mirror_status_and_initialize

* additional tests and peer review updates

* Introducing watchStatusAndLicenseToInitialize

* Adding some tests

* One more test

* Even better tests

* Removing unused mirrorStatusAndInitialize

* Throwing an error if the wrong status function is called
---
 x-pack/plugins/security/index.js              |  45 ++--
 .../security/server/lib/check_license.js      |   5 +-
 .../lib/mirror_status_and_initialize.js       |  63 -----
 .../lib/mirror_status_and_initialize.test.js  | 138 -----------
 .../watch_status_and_license_to_initialize.js |  55 +++++
 ...h_status_and_license_to_initialize.test.js | 223 ++++++++++++++++++
 .../server/lib/__tests__/xpack_info.js        |  76 +++++-
 .../xpack_main/server/lib/xpack_info.js       |  51 +++-
 8 files changed, 429 insertions(+), 227 deletions(-)
 delete mode 100644 x-pack/plugins/security/server/lib/mirror_status_and_initialize.js
 delete mode 100644 x-pack/plugins/security/server/lib/mirror_status_and_initialize.test.js
 create mode 100644 x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
 create mode 100644 x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index e0db6b206e3d91..0c60bd282b9e4d 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -16,13 +16,13 @@ import { validateConfig } from './server/lib/validate_config';
 import { authenticateFactory } from './server/lib/auth_redirect';
 import { checkLicense } from './server/lib/check_license';
 import { initAuthenticator } from './server/lib/authentication/authenticator';
-import { mirrorStatusAndInitialize } from './server/lib/mirror_status_and_initialize';
-import { registerPrivilegesWithCluster } from './server/lib/privileges';
 import { initPrivilegesApi } from './server/routes/api/v1/privileges';
 import { hasPrivilegesWithServer } from './server/lib/authorization/has_privileges';
 import { SecurityAuditLogger } from './server/lib/audit_logger';
 import { AuditLogger } from '../../server/lib/audit_logger';
 import { SecureSavedObjectsClient } from './server/lib/saved_objects_client/secure_saved_objects_client';
+import { registerPrivilegesWithCluster } from './server/lib/privileges';
+import { watchStatusAndLicenseToInitialize } from './server/lib/watch_status_and_license_to_initialize';
 
 export const security = (kibana) => new kibana.Plugin({
   id: 'security',
@@ -88,20 +88,23 @@ export const security = (kibana) => new kibana.Plugin({
   },
 
   async init(server) {
+    const plugin = this;
+
     const config = server.config();
     const xpackMainPlugin = server.plugins.xpack_main;
+    const xpackInfo = xpackMainPlugin.info;
 
-    mirrorStatusAndInitialize(xpackMainPlugin.status, this.status, async () => {
-      if (!config.get('xpack.security.rbac.enabled')) {
-        return;
-      }
-
-      await registerPrivilegesWithCluster(server);
-    });
+    const xpackInfoFeature = xpackInfo.feature(plugin.id);
 
     // Register a function that is called whenever the xpack info changes,
     // to re-compute the license check results for this plugin
-    xpackMainPlugin.info.feature(this.id).registerLicenseCheckResultsGenerator(checkLicense);
+    xpackInfoFeature.registerLicenseCheckResultsGenerator(checkLicense);
+
+    watchStatusAndLicenseToInitialize(xpackMainPlugin, plugin, async (license) => {
+      if (license.allowRbac) {
+        await registerPrivilegesWithCluster(server);
+      }
+    });
 
     validateConfig(config, message => server.log(['security', 'warning'], message));
 
@@ -123,9 +126,23 @@ export const security = (kibana) => new kibana.Plugin({
         mappings,
         onBeforeWrite
       }) => {
-        const hasPrivileges = hasPrivilegesWithRequest(request);
-
         const adminCluster = server.plugins.elasticsearch.getCluster('admin');
+
+        if (!xpackInfoFeature.getLicenseCheckResults().allowRbac) {
+          const { callWithRequest } = adminCluster;
+          const callCluster = (...args) => callWithRequest(request, ...args);
+
+          const repository = new savedObjects.SavedObjectsRepository({
+            index,
+            mappings,
+            onBeforeWrite,
+            callCluster,
+          });
+
+          return new savedObjects.SavedObjectsClient(repository);
+        }
+
+        const hasPrivileges = hasPrivilegesWithRequest(request);
         const { callWithInternalUser } = adminCluster;
 
         const repository = new savedObjects.SavedObjectsRepository({
@@ -156,9 +173,7 @@ export const security = (kibana) => new kibana.Plugin({
     initLogoutView(server);
 
     server.injectUiAppVars('login', () => {
-      const pluginId = 'security';
-      const xpackInfo = server.plugins.xpack_main.info;
-      const { showLogin, loginMessage, allowLogin } = xpackInfo.feature(pluginId).getLicenseCheckResults() || {};
+      const { showLogin, loginMessage, allowLogin } = xpackInfo.feature(plugin.id).getLicenseCheckResults() || {};
 
       return {
         loginState: {
diff --git a/x-pack/plugins/security/server/lib/check_license.js b/x-pack/plugins/security/server/lib/check_license.js
index 624f80e64be79d..b1f26ced352ad8 100644
--- a/x-pack/plugins/security/server/lib/check_license.js
+++ b/x-pack/plugins/security/server/lib/check_license.js
@@ -33,6 +33,7 @@ export function checkLicense(xPackInfo) {
       showLinks: false,
       allowRoleDocumentLevelSecurity: false,
       allowRoleFieldLevelSecurity: false,
+      allowRbac: false,
       loginMessage: 'Login is currently disabled. Administrators should consult the Kibana logs for more details.'
     };
   }
@@ -46,6 +47,7 @@ export function checkLicense(xPackInfo) {
       showLinks: false,
       allowRoleDocumentLevelSecurity: false,
       allowRoleFieldLevelSecurity: false,
+      allowRbac: false,
       linksMessage: isLicenseBasic
         ? 'Your Basic license does not support Security. Please upgrade your license.'
         : 'Access is denied because Security is disabled in Elasticsearch.'
@@ -60,6 +62,7 @@ export function checkLicense(xPackInfo) {
     showLinks: true,
     // Only platinum and trial licenses are compliant with field- and document-level security.
     allowRoleDocumentLevelSecurity: isLicensePlatinumOrTrial,
-    allowRoleFieldLevelSecurity: isLicensePlatinumOrTrial
+    allowRoleFieldLevelSecurity: isLicensePlatinumOrTrial,
+    allowRbac: true,
   };
 }
diff --git a/x-pack/plugins/security/server/lib/mirror_status_and_initialize.js b/x-pack/plugins/security/server/lib/mirror_status_and_initialize.js
deleted file mode 100644
index af9ad91db70fb4..00000000000000
--- a/x-pack/plugins/security/server/lib/mirror_status_and_initialize.js
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-import { Observable } from 'rxjs';
-
-export function mirrorStatusAndInitialize(upstreamStatus, downstreamStatus, onGreen) {
-  const currentState$ = Observable
-    .of({
-      state: upstreamStatus.state,
-      message: upstreamStatus.message,
-    });
-
-  const newState$ = Observable
-    .fromEvent(upstreamStatus, 'change', null, (previousState, previousMsg, state, message) => {
-      return {
-        state,
-        message,
-      };
-    });
-
-  const state$ = Observable.merge(currentState$, newState$);
-
-  let onGreenPromise;
-  const onGreen$ = Observable.create(observer => {
-    if (!onGreenPromise) {
-      onGreenPromise = onGreen();
-    }
-
-    onGreenPromise
-      .then(() => {
-        observer.next({
-          state: 'green',
-          message: 'Ready',
-        });
-      })
-      .catch((err) => {
-        onGreenPromise = null;
-        observer.next({
-          state: 'red',
-          message: err.message
-        });
-      });
-  });
-
-
-  state$
-    .switchMap(({ state, message }) => {
-      if (state !== 'green') {
-        return Observable.of({ state, message });
-      }
-
-      return onGreen$;
-    })
-    .do(({ state, message }) => {
-      downstreamStatus[state](message);
-    })
-    .subscribe();
-}
diff --git a/x-pack/plugins/security/server/lib/mirror_status_and_initialize.test.js b/x-pack/plugins/security/server/lib/mirror_status_and_initialize.test.js
deleted file mode 100644
index 7c1cb525761306..00000000000000
--- a/x-pack/plugins/security/server/lib/mirror_status_and_initialize.test.js
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-import { EventEmitter } from 'events';
-import { once } from 'lodash';
-import { mirrorStatusAndInitialize } from './mirror_status_and_initialize';
-
-['red', 'yellow', 'disabled' ].forEach(state => {
-  test(`mirrors ${state} immediately`, () => {
-    const message = `${state} is the status`;
-    const upstreamStatus = new EventEmitter();
-    upstreamStatus.state = state;
-    upstreamStatus.message = message;
-
-    const downstreamStatus = {
-      [state]: jest.fn()
-    };
-
-    mirrorStatusAndInitialize(upstreamStatus, downstreamStatus);
-    expect(downstreamStatus[state]).toHaveBeenCalledTimes(1);
-    expect(downstreamStatus[state]).toHaveBeenCalledWith(message);
-  });
-});
-
-test(`calls onGreen and doesn't immediately set downstream status when the initial status is green`, () => {
-  const upstreamStatus = new EventEmitter();
-  upstreamStatus.state = 'green';
-  upstreamStatus.message = '';
-
-  const downstreamStatus = {
-    green: jest.fn()
-  };
-
-  const onGreenMock = jest.fn().mockImplementation(() => new Promise(() => {}));
-  mirrorStatusAndInitialize(upstreamStatus, downstreamStatus, onGreenMock);
-  expect(onGreenMock).toHaveBeenCalledTimes(1);
-  expect(downstreamStatus.green).toHaveBeenCalledTimes(0);
-});
-
-test(`only calls onGreen once if it resolves immediately`, () => {
-  const upstreamStatus = new EventEmitter();
-  upstreamStatus.state = 'green';
-  upstreamStatus.message = '';
-
-  const downstreamStatus = {
-    green: () => {}
-  };
-
-  const onGreenMock = jest.fn().mockImplementation(() => Promise.resolve());
-
-  mirrorStatusAndInitialize(upstreamStatus, downstreamStatus, onGreenMock);
-  upstreamStatus.emit('change', '', '', 'green', '');
-  expect(onGreenMock).toHaveBeenCalledTimes(1);
-});
-
-test(`calls onGreen twice if it rejects`, (done) => {
-  const upstreamStatus = new EventEmitter();
-  upstreamStatus.state = 'green';
-  upstreamStatus.message = '';
-
-  const downstreamStatus = {
-    red: once(() => {
-      // once we see this red, we immediately trigger the upstream status again
-      // to have it retrigger the onGreen function
-      upstreamStatus.emit('change', '', '', 'green', '');
-    }),
-  };
-
-  let count = 0;
-  const onGreenMock = jest.fn().mockImplementation(() => {
-    if (++count === 2) {
-      done();
-    }
-
-    return Promise.reject(new Error());
-  });
-
-  mirrorStatusAndInitialize(upstreamStatus, downstreamStatus, onGreenMock);
-});
-
-test(`sets downstream status to green when onGreen promise resolves`, (done) => {
-  const state = 'green';
-  const message = `${state} is the status`;
-  const upstreamStatus = new EventEmitter();
-  upstreamStatus.state = state;
-  upstreamStatus.message = message;
-
-  const downstreamStatus = {
-    green: () => {
-      done();
-    }
-  };
-
-  const onGreenMock = jest.fn().mockImplementation(() => Promise.resolve());
-  mirrorStatusAndInitialize(upstreamStatus, downstreamStatus, onGreenMock);
-});
-
-test(`sets downstream status to red when onGreen promise rejects`, (done) => {
-  const upstreamStatus = new EventEmitter();
-  upstreamStatus.state = 'green';
-  upstreamStatus.message = '';
-
-  const errorMessage = 'something went real wrong';
-
-  const downstreamStatus = {
-    red: (msg) => {
-      expect(msg).toBe(errorMessage);
-      done();
-    }
-  };
-
-  const onGreenMock = jest.fn().mockImplementation(() => Promise.reject(new Error(errorMessage)));
-  mirrorStatusAndInitialize(upstreamStatus, downstreamStatus, onGreenMock);
-});
-
-['red', 'yellow', 'disabled' ].forEach(state => {
-  test(`switches from uninitialized to ${state} on event`, () => {
-    const message = `${state} is the status`;
-    const upstreamStatus = new EventEmitter();
-    upstreamStatus.state = 'uninitialized';
-    upstreamStatus.message = 'uninitialized';
-
-    const downstreamStatus = {
-      uninitialized: jest.fn(),
-      [state]: jest.fn(),
-    };
-
-    mirrorStatusAndInitialize(upstreamStatus, downstreamStatus);
-    upstreamStatus.emit('change', '', '', state, message);
-    expect(downstreamStatus[state]).toHaveBeenCalledTimes(1);
-    expect(downstreamStatus[state]).toHaveBeenCalledWith(message);
-  });
-});
diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
new file mode 100644
index 00000000000000..6e68a4e404705c
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { Observable } from 'rxjs';
+
+export function watchStatusAndLicenseToInitialize(xpackMainPlugin, downstreamPlugin, initialize) {
+  const xpackInfo = xpackMainPlugin.info;
+  const xpackInfoFeature = xpackInfo.feature(downstreamPlugin.id);
+
+  const upstreamStatus = xpackMainPlugin.status;
+  const currentStatus$ = Observable
+    .of({
+      state: upstreamStatus.state,
+      message: upstreamStatus.message,
+    });
+  const newStatus$ = Observable
+    .fromEvent(upstreamStatus, 'change', null, (previousState, previousMsg, state, message) => {
+      return {
+        state,
+        message,
+      };
+    });
+  const status$ = Observable.merge(currentStatus$, newStatus$);
+
+  const currentLicense$ = Observable
+    .of(xpackInfoFeature.getLicenseCheckResults());
+  const newLicense$ = Observable
+    .fromEventPattern(xpackInfoFeature.registerLicenseChangeCallback)
+    .map(() => xpackInfoFeature.getLicenseCheckResults());
+  const license$ = Observable.merge(currentLicense$, newLicense$);
+
+  Observable.combineLatest(status$, license$)
+    .map(([status, license]) => ({ status, license }))
+    .switchMap(({ status, license }) => {
+      if (status.state !== 'green') {
+        return Observable.of({ state: status.state, message: status.message });
+      }
+
+      return initialize(license)
+        .then(() => ({
+          state: 'green',
+          message: 'Ready',
+        }))
+        .catch((err) => ({
+          state: 'red',
+          message: err.message
+        }));
+    })
+    .do(({ state, message }) => {
+      downstreamPlugin.status[state](message);
+    })
+    .subscribe();
+}
diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
new file mode 100644
index 00000000000000..3826edf6767617
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
@@ -0,0 +1,223 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
+ * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
+import { EventEmitter } from 'events';
+import { watchStatusAndLicenseToInitialize } from './watch_status_and_license_to_initialize';
+
+const createMockXpackMainPluginAndFeature = (featureId) => {
+  const licenseChangeCallbacks = [];
+
+  const mockFeature = {
+    getLicenseCheckResults: jest.fn(),
+    registerLicenseChangeCallback: (callback) => {
+      licenseChangeCallbacks.push(callback);
+    },
+    mock: {
+      triggerLicenseChange: () => {
+        for (const callback of licenseChangeCallbacks) {
+          callback();
+        }
+      },
+      setLicenseCheckResults: (value) => {
+        mockFeature.getLicenseCheckResults.mockReturnValue(value);
+      }
+    }
+  };
+
+  const mockXpackMainPlugin =  {
+    info: {
+      feature: (id) => {
+        if (id === featureId) {
+          return mockFeature;
+        }
+        throw new Error('Unexpected feature');
+      }
+    },
+    status: new EventEmitter(),
+    mock: {
+      setStatus: (state, message) => {
+        mockXpackMainPlugin.status.state = state;
+        mockXpackMainPlugin.status.message = message;
+        mockXpackMainPlugin.status.emit('change', null, null, state, message);
+      }
+    }
+  };
+
+  return { mockXpackMainPlugin, mockFeature };
+};
+
+const createMockDownstreamPlugin = (id) => {
+  const defaultImplementation = () => { throw new Error('Not implemented'); };
+  return {
+    id,
+    status: {
+      disabled: jest.fn().mockImplementation(defaultImplementation),
+      yellow: jest.fn().mockImplementation(defaultImplementation),
+      green: jest.fn().mockImplementation(defaultImplementation),
+      red: jest.fn().mockImplementation(defaultImplementation),
+    },
+  };
+};
+
+['red', 'yellow', 'disabled' ].forEach(state => {
+  test(`mirrors ${state} immediately`, () => {
+    const pluginId = 'foo-plugin';
+    const message = `${state} is now the state`;
+    const { mockXpackMainPlugin } = createMockXpackMainPluginAndFeature(pluginId);
+    mockXpackMainPlugin.mock.setStatus(state, message);
+    const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+    const initializeMock = jest.fn();
+    downstreamPlugin.status[state].mockImplementation(() => {});
+
+    watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+
+    expect(initializeMock).not.toHaveBeenCalled();
+    expect(downstreamPlugin.status[state]).toHaveBeenCalledTimes(1);
+    expect(downstreamPlugin.status[state]).toHaveBeenCalledWith(message);
+  });
+});
+
+test(`calls initialize and doesn't immediately set downstream status when the initial status is green`, () => {
+  const pluginId = 'foo-plugin';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green', 'green is now the state');
+  const licenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+  const initializeMock = jest.fn().mockImplementation(() => new Promise(() => {}));
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+
+  expect(initializeMock).toHaveBeenCalledTimes(1);
+  expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
+  expect(downstreamPlugin.status.green).toHaveBeenCalledTimes(0);
+});
+
+test(`sets downstream plugin's status to green when initialize resolves`, (done) => {
+  const pluginId = 'foo-plugin';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green', 'green is now the state');
+  const licenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+  const initializeMock = jest.fn().mockImplementation(() => Promise.resolve());
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+
+  expect(initializeMock).toHaveBeenCalledTimes(1);
+  expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
+  downstreamPlugin.status.green.mockImplementation(actualMessage =>
+  {
+    expect(actualMessage).toBe('Ready');
+    done();
+  });
+});
+
+test(`sets downstream plugin's status to red when initialize rejects`, (done) => {
+  const pluginId = 'foo-plugin';
+  const errorMessage = 'the error message';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green');
+  const licenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+  const initializeMock = jest.fn().mockImplementation(() => Promise.reject(new Error(errorMessage)));
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+
+  expect(initializeMock).toHaveBeenCalledTimes(1);
+  expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
+  downstreamPlugin.status.red.mockImplementation(message => {
+    expect(message).toBe(errorMessage);
+    done();
+  });
+});
+
+test(`calls initialize twice when it gets a new license and the status is green`, (done) => {
+  const pluginId = 'foo-plugin';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green');
+  const firstLicenseCheckResults = Symbol();
+  const secondLicenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(firstLicenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+  const initializeMock = jest.fn().mockImplementation(() => Promise.resolve());
+
+  let count = 0;
+  downstreamPlugin.status.green.mockImplementation(message => {
+    expect(message).toBe('Ready');
+    ++count;
+    if (count === 1) {
+      mockFeature.mock.setLicenseCheckResults(secondLicenseCheckResults);
+      mockFeature.mock.triggerLicenseChange();
+    }
+    if (count === 2) {
+      expect(initializeMock).toHaveBeenCalledWith(firstLicenseCheckResults);
+      expect(initializeMock).toHaveBeenCalledWith(secondLicenseCheckResults);
+      expect(initializeMock).toHaveBeenCalledTimes(2);
+      done();
+    }
+  });
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+});
+
+test(`doesn't call initialize twice when it gets a new license when the status isn't green`, (done) => {
+  const pluginId = 'foo-plugin';
+  const redMessage = 'the red message';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green');
+  const firstLicenseCheckResults = Symbol();
+  const secondLicenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(firstLicenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+  const initializeMock = jest.fn().mockImplementation(() => Promise.resolve());
+
+  downstreamPlugin.status.green.mockImplementation(message => {
+    expect(message).toBe('Ready');
+    mockXpackMainPlugin.mock.setStatus('red', redMessage);
+    mockFeature.mock.setLicenseCheckResults(secondLicenseCheckResults);
+    mockFeature.mock.triggerLicenseChange();
+  });
+
+  downstreamPlugin.status.red.mockImplementation(message => {
+    expect(message).toBe(redMessage);
+    expect(initializeMock).toHaveBeenCalledTimes(1);
+    expect(initializeMock).toHaveBeenCalledWith(firstLicenseCheckResults);
+    done();
+  });
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+});
+
+test(`calls initialize twice when the status changes to green twice`, (done) => {
+  const pluginId = 'foo-plugin';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green');
+  const licenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+  const initializeMock = jest.fn().mockImplementation(() => Promise.resolve());
+
+  let count = 0;
+  downstreamPlugin.status.green.mockImplementation(message => {
+    expect(message).toBe('Ready');
+    ++count;
+    if (count === 1) {
+      mockXpackMainPlugin.mock.setStatus('green');
+    }
+    if (count === 2) {
+      expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
+      expect(initializeMock).toHaveBeenCalledTimes(2);
+      done();
+    }
+  });
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+});
+
diff --git a/x-pack/plugins/xpack_main/server/lib/__tests__/xpack_info.js b/x-pack/plugins/xpack_main/server/lib/__tests__/xpack_info.js
index 4d896268d4d8a2..ded2fe0e5eab6e 100644
--- a/x-pack/plugins/xpack_main/server/lib/__tests__/xpack_info.js
+++ b/x-pack/plugins/xpack_main/server/lib/__tests__/xpack_info.js
@@ -67,7 +67,7 @@ describe('XPackInfo', () => {
 
     mockServer = sinon.stub({
       plugins: { elasticsearch: mockElasticsearchPlugin },
-      log() {}
+      log() { }
     });
   });
 
@@ -151,9 +151,9 @@ describe('XPackInfo', () => {
       expect(xPackInfo.unavailableReason()).to.be(randomError);
       sinon.assert.calledWithExactly(
         mockServer.log,
-        [ 'license', 'warning', 'xpack' ],
+        ['license', 'warning', 'xpack'],
         `License information from the X-Pack plugin could not be obtained from Elasticsearch` +
-          ` for the [data] cluster. ${randomError}`
+        ` for the [data] cluster. ${randomError}`
       );
 
       const badRequestError = new Error('Bad request');
@@ -168,9 +168,9 @@ describe('XPackInfo', () => {
       );
       sinon.assert.calledWithExactly(
         mockServer.log,
-        [ 'license', 'warning', 'xpack' ],
+        ['license', 'warning', 'xpack'],
         `License information from the X-Pack plugin could not be obtained from Elasticsearch` +
-          ` for the [data] cluster. ${badRequestError}`
+        ` for the [data] cluster. ${badRequestError}`
       );
 
       mockElasticsearchCluster.callWithInternalUser.returns(getMockXPackInfoAPIResponse());
@@ -462,6 +462,72 @@ describe('XPackInfo', () => {
       });
     });
 
+    it('registerLicenseChangeCallback() does not invoke callbacks if license has not changed', async () => {
+      const securityFeature = xPackInfo.feature('security');
+      const watcherFeature = xPackInfo.feature('watcher');
+
+      const securityChangeCallback = sinon.stub();
+      securityFeature.registerLicenseChangeCallback(securityChangeCallback);
+
+      const watcherChangeCallback = sinon.stub();
+      watcherFeature.registerLicenseChangeCallback(watcherChangeCallback);
+
+      mockElasticsearchCluster.callWithInternalUser.returns(
+        getMockXPackInfoAPIResponse({ mode: 'gold' })
+      );
+
+      await xPackInfo.refreshNow();
+
+      sinon.assert.notCalled(securityChangeCallback);
+      sinon.assert.notCalled(watcherChangeCallback);
+    });
+
+    it('registerLicenseChangeCallback() invokes callbacks on license change', async () => {
+      const securityFeature = xPackInfo.feature('security');
+      const watcherFeature = xPackInfo.feature('watcher');
+
+      const securityChangeCallback = sinon.stub();
+      securityFeature.registerLicenseChangeCallback(securityChangeCallback);
+
+      const watcherChangeCallback = sinon.stub();
+      watcherFeature.registerLicenseChangeCallback(watcherChangeCallback);
+
+      mockElasticsearchCluster.callWithInternalUser.returns(
+        getMockXPackInfoAPIResponse({ mode: 'platinum' })
+      );
+
+      await xPackInfo.refreshNow();
+
+      sinon.assert.calledOnce(securityChangeCallback);
+      sinon.assert.calledOnce(watcherChangeCallback);
+    });
+
+    it('registerLicenseChangeCallback() gracefully handles callbacks that throw errors', async () => {
+      const securityFeature = xPackInfo.feature('security');
+      const watcherFeature = xPackInfo.feature('watcher');
+
+      const securityChangeCallback = sinon.stub().throws(new Error(`Something happened`));
+      securityFeature.registerLicenseChangeCallback(securityChangeCallback);
+
+      const watcherChangeCallback = sinon.stub();
+      watcherFeature.registerLicenseChangeCallback(watcherChangeCallback);
+
+      mockElasticsearchCluster.callWithInternalUser.returns(
+        getMockXPackInfoAPIResponse({ mode: 'platinum' })
+      );
+
+      await xPackInfo.refreshNow();
+
+      sinon.assert.calledOnce(securityChangeCallback);
+      sinon.assert.calledOnce(watcherChangeCallback);
+
+      sinon.assert.calledWithExactly(
+        mockServer.log,
+        ['license', 'error', 'xpack'],
+        `Error during invocation of license change callback for security. Error: Something happened`
+      );
+    });
+
     it('getLicenseCheckResults() correctly returns feature specific info.', async () => {
       const securityFeature = xPackInfo.feature('security');
       const watcherFeature = xPackInfo.feature('watcher');
diff --git a/x-pack/plugins/xpack_main/server/lib/xpack_info.js b/x-pack/plugins/xpack_main/server/lib/xpack_info.js
index c1146295544391..84cf2807cbc078 100644
--- a/x-pack/plugins/xpack_main/server/lib/xpack_info.js
+++ b/x-pack/plugins/xpack_main/server/lib/xpack_info.js
@@ -28,6 +28,13 @@ export class XPackInfo {
    */
   _featureLicenseCheckResultsGenerators = new Map();
 
+  /**
+   * Feature name <-> license change callback mapping.
+   * @type {Map<string, Function>}
+   * @private
+   */
+  _featureLicenseChangeCallbacks = new Map();
+
   /**
    * Cache that may contain last xpack info API response or error, json representation
    * of xpack info and xpack info signature.
@@ -116,7 +123,8 @@ export class XPackInfo {
         path: '/_xpack'
       });
 
-      if (this._hasLicenseInfoChanged(response)) {
+      const hasLicenseInfoChanged = this._hasLicenseInfoChanged(response);
+      if (hasLicenseInfoChanged) {
         const licenseInfoParts = [
           `mode: ${get(response, 'license.mode')}`,
           `status: ${get(response, 'license.status')}`,
@@ -132,16 +140,39 @@ export class XPackInfo {
         this._log(
           ['license', 'info', 'xpack'],
           `Imported ${this._cache.response ? 'changed ' : ''}license information` +
-            ` from Elasticsearch for the [${this._clusterSource}] cluster: ${licenseInfo}`
+          ` from Elasticsearch for the [${this._clusterSource}] cluster: ${licenseInfo}`
         );
       }
 
       this._cache = { response };
-    } catch(error) {
+
+      if (hasLicenseInfoChanged) {
+
+        // Invoke all registered license change callbacks after this instance receives the update
+        for (const [feature, callback] of this._featureLicenseChangeCallbacks) {
+          this._log(
+            ['license', 'debug', 'xpack'],
+            `Invoking license change callback for ${feature}`
+          );
+
+          const previousLicense = this._license;
+          const newLicense = new XPackInfoLicense(() => response && response.license);
+
+          try {
+            callback(previousLicense, newLicense);
+          } catch (error) {
+            this._log(
+              ['license', 'error', 'xpack'],
+              `Error during invocation of license change callback for ${feature}. ${error}`
+            );
+          }
+        }
+      }
+    } catch (error) {
       this._log(
-        [ 'license', 'warning', 'xpack' ],
+        ['license', 'warning', 'xpack'],
         `License information from the X-Pack plugin could not be obtained from Elasticsearch` +
-          ` for the [${this._clusterSource}] cluster. ${error}`
+        ` for the [${this._clusterSource}] cluster. ${error}`
       );
 
       this._cache = { error };
@@ -191,6 +222,16 @@ export class XPackInfo {
         this._cache.signature = undefined;
       },
 
+      /**
+       * Registers a callback function that will be called whenever the XPack license changes.
+       * Callback will be invoked after the license change have been applied to this XPack Info instance.
+       * Callbacks may be asynchronous, but will not be awaited.
+       * @param {Function} callback Function to call whenever the XPack license changes.
+       */
+      registerLicenseChangeCallback: (callback) => {
+        this._featureLicenseChangeCallbacks.set(name, callback);
+      },
+
       /**
        * Returns license check results that were previously produced by the `generator` function.
        * @returns {Object}

From 7ef58501a07b72183b2c7026bf8359e434886746 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Wed, 13 Jun 2018 16:25:00 -0400
Subject: [PATCH 043/183] RBAC Legacy Fallback (#19818)

* Basic implementation, rather sloppy

* Cleaning stuff up a bit

* Beginning to write tests, going to refactor how we build the privileges

* Making the buildPrivilegesMap no longer return application name as the
main key

* Using real privileges since we need to use them for the legacy fallback

* Adding more tests

* Fixing spelling

* Fixing test description

* Fixing comment description

* Adding similar line breaks in the has privilege calls

* No more settings

* No more rbac enabled setting, we just do RBAC

* Using describe to cleanup the test cases

* Logging deprecations when using the legacy fallback

* Cleaning up a bit...

* Using the privilegeMap for the legacy fallback tests

* Now with even less duplication

* Removing stray `rbacEnabled` from angularjs
---
 x-pack/plugins/security/index.js              |  68 +-
 .../public/views/management/edit_role.html    |   2 +-
 .../public/views/management/edit_role.js      |   3 +-
 .../lib/authorization/has_privileges.js       | 134 +++-
 .../lib/authorization/has_privileges.test.js  | 707 +++++++++++++-----
 .../security/server/lib/privileges/index.js   |   2 +-
 .../privileges/privilege_action_registry.js   |   4 +-
 .../privilege_action_registry.test.js         |   6 +-
 .../server/lib/privileges/privileges.js       |   4 +-
 .../server/routes/api/v1/privileges.js        |   2 +-
 .../apis/saved_objects/bulk_get.js            |  26 +
 .../apis/saved_objects/create.js              |  26 +
 .../apis/saved_objects/delete.js              |  34 +
 .../apis/saved_objects/find.js                |  68 ++
 .../apis/saved_objects/get.js                 |  34 +
 .../apis/saved_objects/index.js               |  48 +-
 .../apis/saved_objects/lib/authentication.js  |   8 +
 .../apis/saved_objects/update.js              |  34 +
 x-pack/test/rbac_api_integration/config.js    |   1 -
 19 files changed, 961 insertions(+), 250 deletions(-)

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 0c60bd282b9e4d..e0449711f31fc6 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -44,7 +44,6 @@ export const security = (kibana) => new kibana.Plugin({
         port: Joi.number().integer().min(0).max(65535)
       }).default(),
       rbac: Joi.object({
-        enabled: Joi.boolean().default(false),
         application: Joi.string().default('kibana').regex(
           /[a-zA-Z0-9-_]+/,
           `may contain alphanumeric characters (a-z, A-Z, 0-9), underscores and hyphens`
@@ -81,7 +80,6 @@ export const security = (kibana) => new kibana.Plugin({
       return {
         secureCookies: config.get('xpack.security.secureCookies'),
         sessionTimeout: config.get('xpack.security.sessionTimeout'),
-        rbacEnabled: config.get('xpack.security.rbac.enabled'),
         rbacApplication: config.get('xpack.security.rbac.application'),
       };
     }
@@ -116,50 +114,48 @@ export const security = (kibana) => new kibana.Plugin({
     server.auth.strategy('session', 'login', 'required');
 
     const auditLogger = new SecurityAuditLogger(server.config(), new AuditLogger(server, 'security'));
-    if (config.get('xpack.security.rbac.enabled')) {
-      const hasPrivilegesWithRequest = hasPrivilegesWithServer(server);
-      const { savedObjects } = server;
+    const hasPrivilegesWithRequest = hasPrivilegesWithServer(server);
+    const { savedObjects } = server;
 
-      savedObjects.setScopedSavedObjectsClientFactory(({
-        request,
-        index,
-        mappings,
-        onBeforeWrite
-      }) => {
-        const adminCluster = server.plugins.elasticsearch.getCluster('admin');
-
-        if (!xpackInfoFeature.getLicenseCheckResults().allowRbac) {
-          const { callWithRequest } = adminCluster;
-          const callCluster = (...args) => callWithRequest(request, ...args);
-
-          const repository = new savedObjects.SavedObjectsRepository({
-            index,
-            mappings,
-            onBeforeWrite,
-            callCluster,
-          });
-
-          return new savedObjects.SavedObjectsClient(repository);
-        }
+    savedObjects.setScopedSavedObjectsClientFactory(({
+      request,
+      index,
+      mappings,
+      onBeforeWrite
+    }) => {
+      const adminCluster = server.plugins.elasticsearch.getCluster('admin');
 
-        const hasPrivileges = hasPrivilegesWithRequest(request);
-        const { callWithInternalUser } = adminCluster;
+      if (!xpackInfoFeature.getLicenseCheckResults().allowRbac) {
+        const { callWithRequest } = adminCluster;
+        const callCluster = (...args) => callWithRequest(request, ...args);
 
         const repository = new savedObjects.SavedObjectsRepository({
           index,
           mappings,
           onBeforeWrite,
-          callCluster: callWithInternalUser
+          callCluster,
         });
 
-        return new SecureSavedObjectsClient({
-          repository,
-          errors: savedObjects.SavedObjectsClient.errors,
-          hasPrivileges,
-          auditLogger,
-        });
+        return new savedObjects.SavedObjectsClient(repository);
+      }
+
+      const hasPrivileges = hasPrivilegesWithRequest(request);
+      const { callWithInternalUser } = adminCluster;
+
+      const repository = new savedObjects.SavedObjectsRepository({
+        index,
+        mappings,
+        onBeforeWrite,
+        callCluster: callWithInternalUser
       });
-    }
+
+      return new SecureSavedObjectsClient({
+        repository,
+        errors: savedObjects.SavedObjectsClient.errors,
+        hasPrivileges,
+        auditLogger,
+      });
+    });
 
     getUserProvider(server);
 
diff --git a/x-pack/plugins/security/public/views/management/edit_role.html b/x-pack/plugins/security/public/views/management/edit_role.html
index 8c8c5d692cce21..da03371ae6cbd4 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.html
+++ b/x-pack/plugins/security/public/views/management/edit_role.html
@@ -111,7 +111,7 @@ <h1 class="kuiTitle">
         </div>
 
         <!-- Kibana custom privileges -->
-        <div class="kuiFormSection" ng-if="rbacEnabled">
+        <div class="kuiFormSection">
           <label class="kuiFormLabel">
             Kibana Privileges
           </label>
diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
index 77316db93bbd26..0aaebc83e6f72f 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role.js
@@ -118,7 +118,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     }
   },
   controllerAs: 'editRole',
-  controller($injector, $scope, rbacEnabled, rbacApplication) {
+  controller($injector, $scope, rbacApplication) {
     const $route = $injector.get('$route');
     const kbnUrl = $injector.get('kbnUrl');
     const shieldPrivileges = $injector.get('shieldPrivileges');
@@ -132,7 +132,6 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     $scope.indexPatterns = $route.current.locals.indexPatterns;
     $scope.privileges = shieldPrivileges;
 
-    $scope.rbacEnabled = rbacEnabled;
     const kibanaApplicationPrivilege = $route.current.locals.kibanaApplicationPrivilege;
     const role = $route.current.locals.role;
     $scope.kibanaPrivileges = getKibanaPrivileges(kibanaApplicationPrivilege, role, rbacApplication);
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
index 5f119db027cb6f..fdb00e63d29f25 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
@@ -6,11 +6,87 @@
 
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
-import { getVersionPrivilege, getLoginPrivilege } from '../privileges';
+import { buildPrivilegeMap, getVersionPrivilege, getLoginPrivilege } from '../privileges';
 
-const getMissingPrivileges = (resource, application, privilegeCheck) => {
-  const privileges = privilegeCheck.application[application][resource];
-  return Object.keys(privileges).filter(key => privileges[key] === false);
+const hasApplicationPrivileges = async (callWithRequest, request, kibanaVersion, application, privileges) => {
+  const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
+    body: {
+      applications: [{
+        application,
+        resources: [DEFAULT_RESOURCE],
+        privileges
+      }]
+    }
+  });
+
+  const hasPrivileges = privilegeCheck.application[application][DEFAULT_RESOURCE];
+
+  // We include the login action in all privileges, so the existence of it and not the version privilege
+  // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't
+  // know whether the user just wasn't authorized for this instance of Kibana in general
+  if (!hasPrivileges[getVersionPrivilege(kibanaVersion)] && hasPrivileges[getLoginPrivilege()]) {
+    throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
+  }
+
+  return {
+    username: privilegeCheck.username,
+    hasAllRequested: privilegeCheck.has_all_requested,
+    privileges: hasPrivileges
+  };
+};
+
+const hasLegacyPrivileges = async (deprecationLogger, callWithRequest, request, kibanaVersion, application, kibanaIndex, privileges) => {
+  const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
+    body: {
+      index: [{
+        names: [ kibanaIndex ],
+        privileges: ['read', 'index']
+      }]
+    }
+  });
+
+  const createPrivileges = (cb) => {
+    return privileges.reduce((acc, name) => {
+      acc[name] = cb(name);
+      return acc;
+    }, {});
+  };
+
+  const logDeprecation = () => {
+    deprecationLogger(
+      `Relying on implicit privileges determined from the index privileges is deprecated and will be removed in the next major version`
+    );
+  };
+
+  // if they have the index privilege, then we grant them all actions
+  if (privilegeCheck.index[kibanaIndex].index) {
+    logDeprecation();
+    const implicitPrivileges = createPrivileges(() => true);
+    return {
+      username: privilegeCheck.username,
+      hasAllRequested: true,
+      privileges: implicitPrivileges
+    };
+  }
+
+  // if they have the read privilege, then we only grant them the read actions
+  if (privilegeCheck.index[kibanaIndex].read) {
+    logDeprecation();
+    const privilegeMap = buildPrivilegeMap(application, kibanaVersion);
+    const implicitPrivileges = createPrivileges(name => privilegeMap.read.actions.includes(name));
+
+    return {
+      username: privilegeCheck.username,
+      hasAllRequested: Object.values(implicitPrivileges).every(x => x),
+      privileges: implicitPrivileges,
+    };
+  }
+
+  return {
+    username: privilegeCheck.username,
+    hasAllRequested: false,
+    privileges: createPrivileges(() => false)
+  };
 };
 
 export function hasPrivilegesWithServer(server) {
@@ -19,38 +95,44 @@ export function hasPrivilegesWithServer(server) {
   const config = server.config();
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
+  const kibanaIndex = config.get('kibana.index');
+  const deprecationLogger = (msg) => server.log(['warning', 'deprecated', 'security'], msg);
 
   return function hasPrivilegesWithRequest(request) {
     return async function hasPrivileges(privileges) {
-
-      const versionPrivilege = getVersionPrivilege(kibanaVersion);
       const loginPrivilege = getLoginPrivilege();
+      const versionPrivilege = getVersionPrivilege(kibanaVersion);
 
-      const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
-        body: {
-          applications: [{
-            application,
-            resources: [DEFAULT_RESOURCE],
-            privileges: [versionPrivilege, loginPrivilege, ...privileges]
-          }]
-        }
-      });
-
-      const success = privilegeCheck.has_all_requested;
-      const missingPrivileges = getMissingPrivileges(DEFAULT_RESOURCE, application, privilegeCheck);
-
-      // We include the login privilege on all privileges, so the existence of it and not the version privilege
-      // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't
-      // know whether the user just wasn't authorized for this instance of Kibana in general
-      if (missingPrivileges.includes(versionPrivilege) && !missingPrivileges.includes(loginPrivilege)) {
-        throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
+      const allPrivileges = [versionPrivilege, loginPrivilege, ...privileges];
+      let privilegesCheck = await hasApplicationPrivileges(
+        callWithRequest,
+        request,
+        kibanaVersion,
+        application,
+        allPrivileges
+      );
+
+      if (!privilegesCheck.privileges[loginPrivilege]) {
+        privilegesCheck = await hasLegacyPrivileges(
+          deprecationLogger,
+          callWithRequest,
+          request,
+          kibanaVersion,
+          application,
+          kibanaIndex,
+          allPrivileges
+        );
       }
 
+      const success = privilegesCheck.hasAllRequested;
+
       return {
         success,
         // We don't want to expose the version privilege to consumers, as it's an implementation detail only to detect version mismatch
-        missing: missingPrivileges.filter(p => p !== versionPrivilege),
-        username: privilegeCheck.username,
+        missing: Object.keys(privilegesCheck.privileges)
+          .filter(key => privilegesCheck.privileges[key] === false)
+          .filter(p => p !== versionPrivilege),
+        username: privilegesCheck.username,
       };
     };
   };
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
index b2e2759c3419b3..2462b0a4434607 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
@@ -4,23 +4,17 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { sample } from 'lodash';
 import { hasPrivilegesWithServer } from './has_privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
-import { getLoginPrivilege, getVersionPrivilege } from '../privileges';
+import { getLoginPrivilege, getVersionPrivilege, buildPrivilegeMap } from '../privileges';
 
 jest.mock('../../../../../server/lib/get_client_shield', () => ({
   getClient: jest.fn()
 }));
 
-let mockCallWithRequest;
-beforeEach(() => {
-  mockCallWithRequest = jest.fn();
-  getClient.mockReturnValue({
-    callWithRequest: mockCallWithRequest
-  });
-});
-
+const defaultKibanaIndex = 'default-kibana-index';
 const defaultVersion = 'default-version';
 const defaultApplication = 'default-application';
 
@@ -28,10 +22,12 @@ const createMockServer = ({ settings = {} } = {}) => {
   const mockServer = {
     config: jest.fn().mockReturnValue({
       get: jest.fn()
-    })
+    }),
+    log: jest.fn()
   };
 
   const defaultSettings = {
+    'kibana.index': defaultKibanaIndex,
     'pkg.version': defaultVersion,
     'xpack.security.rbac.application': defaultApplication
   };
@@ -43,8 +39,8 @@ const createMockServer = ({ settings = {} } = {}) => {
   return mockServer;
 };
 
-const mockResponse = (hasAllRequested, privileges, application = defaultApplication, username = '') => {
-  mockCallWithRequest.mockImplementationOnce(async () => ({
+const mockApplicationPrivilegeResponse = ({ hasAllRequested, privileges, application = defaultApplication, username = '' }) =>{
+  return {
     username: username,
     has_all_requested: hasAllRequested,
     application: {
@@ -52,215 +48,578 @@ const mockResponse = (hasAllRequested, privileges, application = defaultApplicat
         [DEFAULT_RESOURCE]: privileges
       }
     }
-  }));
+  };
 };
 
-
-test(`calls shield.hasPrivileges with request`, async () => {
-  const mockServer = createMockServer();
-  mockResponse(true, {
-    [getVersionPrivilege(defaultVersion)]: true,
-    [getLoginPrivilege()]: true,
-    foo: true,
-  });
-
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const request = {};
-  const hasPrivileges = hasPrivilegesWithRequest(request);
-  await hasPrivileges(['foo']);
-
-  expect(mockCallWithRequest).toHaveBeenCalledWith(request, expect.anything(), expect.anything());
-});
-
-test(`calls shield.hasPrivileges with clientParams`, async () => {
-  const application = 'foo-application';
-  const version = 'foo-version';
-  const mockServer = createMockServer({
-    settings: {
-      'xpack.security.rbac.application': application,
-      'pkg.version': version
+const mockLegacyResponse = ({ hasAllRequested, privileges, index = defaultKibanaIndex, username = '' }) => {
+  return {
+    username: username,
+    has_all_requested: hasAllRequested,
+    index: {
+      [index]: privileges
     }
+  };
+};
+
+const createMockCallWithRequest = (responses) => {
+  const mockCallWithRequest = jest.fn();
+  getClient.mockReturnValue({
+    callWithRequest: mockCallWithRequest
   });
 
-  mockResponse(true, {
-    [getVersionPrivilege(version)]: true,
-    [getLoginPrivilege()]: true,
-    foo: true,
-  }, application);
+  for (const response of responses) {
+    mockCallWithRequest.mockImplementationOnce(async () => response);
+  }
 
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const hasPrivileges = hasPrivilegesWithRequest({});
+  return mockCallWithRequest;
+};
 
-  const privilege = 'foo';
-  await hasPrivileges([privilege]);
+const expectNoDeprecationLogged = (mockServer) => {
+  expect(mockServer.log).not.toHaveBeenCalled();
+};
 
-  const clientParams = mockCallWithRequest.mock.calls[0][2];
-  const applicationParam = clientParams.body.applications[0];
-  expect(applicationParam).toHaveProperty('application', application);
-  expect(applicationParam).toHaveProperty('resources', [DEFAULT_RESOURCE]);
-  expect(applicationParam).toHaveProperty('privileges');
-  expect(applicationParam.privileges).toContain(privilege);
-});
+const expectDeprecationLogged = (mockServer) => {
+  expect(mockServer.log).toHaveBeenCalledWith(['warning', 'deprecated', 'security'], expect.stringContaining('deprecated'));
+};
 
-test(`includes version privilege when checking privileges`, async () => {
+test(`returns success of true if they have all application privileges`, async () => {
+  const privilege = 'action:saved_objects/config/get';
+  const username = 'foo-username';
   const mockServer = createMockServer();
-  mockResponse(true, {
-    [getVersionPrivilege(defaultVersion)]: true,
-    [getLoginPrivilege()]: true,
-    foo: true,
-  });
+  const mockCallWithRequest = createMockCallWithRequest([
+    mockApplicationPrivilegeResponse({
+      hasAllRequested: true,
+      privileges: {
+        [getVersionPrivilege(defaultVersion)]: true,
+        [getLoginPrivilege()]: true,
+        [privilege]: true,
+      },
+      application: defaultApplication,
+      username,
+    })
+  ]);
 
   const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const request = {};
+  const request = Symbol();
   const hasPrivileges = hasPrivilegesWithRequest(request);
-  await hasPrivileges(['foo']);
-
-  const clientParams = mockCallWithRequest.mock.calls[0][2];
-  const applicationParam = clientParams.body.applications[0];
-  expect(applicationParam.privileges).toContain(getVersionPrivilege(defaultVersion));
+  const privileges = [privilege];
+  const result = await hasPrivileges(privileges);
+
+  expectNoDeprecationLogged(mockServer);
+  expect(mockCallWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+    body: {
+      applications: [{
+        application: defaultApplication,
+        resources: [DEFAULT_RESOURCE],
+        privileges: [
+          getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+        ]
+      }]
+    }
+  });
+  expect(result).toEqual({
+    success: true,
+    missing: [],
+    username
+  });
 });
 
-test(`includes login privilege when checking privileges`, async () => {
+test(`returns success of false if they have only one application privilege`, async () => {
+  const privilege1 = 'action:saved_objects/config/get';
+  const privilege2 = 'action:saved_objects/config/create';
+  const username = 'foo-username';
   const mockServer = createMockServer();
-  mockResponse(true, {
-    [getVersionPrivilege(defaultVersion)]: true,
-    [getLoginPrivilege()]: true,
-    foo: true,
-  });
+  const mockCallWithRequest = createMockCallWithRequest([
+    mockApplicationPrivilegeResponse({
+      hasAllRequested: false,
+      privileges: {
+        [getVersionPrivilege(defaultVersion)]: true,
+        [getLoginPrivilege()]: true,
+        [privilege1]: true,
+        [privilege2]: false,
+      },
+      application: defaultApplication,
+      username,
+    })
+  ]);
 
   const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const request = {};
+  const request = Symbol();
   const hasPrivileges = hasPrivilegesWithRequest(request);
-  await hasPrivileges(['foo']);
-
-  const clientParams = mockCallWithRequest.mock.calls[0][2];
-  const applicationParam = clientParams.body.applications[0];
-  expect(applicationParam.privileges).toContain(getLoginPrivilege());
-});
-
-test(`returns success when has_all_requested`, async () => {
-  const mockServer = createMockServer();
-  mockResponse(true, {
-    [getVersionPrivilege(defaultVersion)]: true,
-    [getLoginPrivilege()]: true,
-    foo: true,
+  const privileges = [privilege1, privilege2];
+  const result = await hasPrivileges(privileges);
+
+  expectNoDeprecationLogged(mockServer);
+  expect(mockCallWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+    body: {
+      applications: [{
+        application: defaultApplication,
+        resources: [DEFAULT_RESOURCE],
+        privileges: [
+          getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+        ]
+      }]
+    }
+  });
+  expect(result).toEqual({
+    success: false,
+    missing: [privilege2],
+    username
   });
-
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const hasPrivileges = hasPrivilegesWithRequest({});
-  const result = await hasPrivileges(['foo']);
-  expect(result.success).toBe(true);
 });
 
-test(`returns username from has_privileges response when has_all_requested`, async () => {
+test(`throws error if missing version privilege and has login privilege`, async () => {
+  const privilege = 'action:saved_objects/config/get';
   const mockServer = createMockServer();
-  const username = 'foo-username';
-  mockResponse(true, {
-    [getVersionPrivilege(defaultVersion)]: true,
-    [getLoginPrivilege()]: true,
-    foo: true,
-  }, defaultApplication, username);
+  createMockCallWithRequest([
+    mockApplicationPrivilegeResponse({
+      hasAllRequested: false,
+      privileges: {
+        [getVersionPrivilege(defaultVersion)]: false,
+        [getLoginPrivilege()]: true,
+        [privilege]: true,
+      }
+    })
+  ]);
 
   const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
   const hasPrivileges = hasPrivilegesWithRequest({});
-  const result = await hasPrivileges(['foo']);
-  expect(result.username).toBe(username);
-});
 
-test(`returns false success when has_all_requested is false`, async () => {
-  const mockServer = createMockServer();
-  mockResponse(false, {
-    [getVersionPrivilege(defaultVersion)]: true,
-    [getLoginPrivilege()]: true,
-    foo: false,
-  });
-
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const hasPrivileges = hasPrivilegesWithRequest({});
-  const result = await hasPrivileges(['foo']);
-  expect(result.success).toBe(false);
+  await expect(hasPrivileges([privilege])).rejects.toThrowErrorMatchingSnapshot();
+  expectNoDeprecationLogged(mockServer);
 });
 
-test(`returns username from has_privileges when has_all_requested is false`, async () => {
+test(`uses application privileges if the user has the login privilege`, async () => {
+  const privilege = 'action:saved_objects/config/get';
   const username = 'foo-username';
   const mockServer = createMockServer();
-  mockResponse(false, {
-    [getVersionPrivilege(defaultVersion)]: true,
-    [getLoginPrivilege()]: true,
-    foo: false,
-  }, defaultApplication, username);
+  const callWithRequest = createMockCallWithRequest([
+    mockApplicationPrivilegeResponse({
+      hasAllRequested: false,
+      privileges: {
+        [getVersionPrivilege(defaultVersion)]: true,
+        [getLoginPrivilege()]: true,
+        [privilege]: false,
+      },
+      username,
+    }),
+  ]);
 
   const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const hasPrivileges = hasPrivilegesWithRequest({ });
-  const result = await hasPrivileges(['foo']);
-  expect(result.username).toBe(username);
-});
-
-test(`returns missing privileges`, async () => {
-  const mockServer = createMockServer();
-  mockResponse(false, {
-    [getVersionPrivilege(defaultVersion)]: true,
-    [getLoginPrivilege()]: true,
-    foo: false,
+  const request = Symbol();
+  const hasPrivileges = hasPrivilegesWithRequest(request);
+  const privileges = [privilege];
+  const result = await hasPrivileges(privileges);
+
+  expectNoDeprecationLogged(mockServer);
+  expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+    body: {
+      applications: [{
+        application: defaultApplication,
+        resources: [DEFAULT_RESOURCE],
+        privileges: [
+          getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+        ]
+      }]
+    }
+  });
+  expect(result).toEqual({
+    success: false,
+    missing: [...privileges],
+    username,
   });
-
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const hasPrivileges = hasPrivilegesWithRequest({});
-  const result = await hasPrivileges(['foo']);
-  expect(result.missing).toEqual(['foo']);
 });
 
-test(`excludes granted privileges from missing privileges`, async () => {
+test(`returns success of false using application privileges if the user has the login privilege`, async () => {
+  const privilege = 'action:saved_objects/config/get';
+  const username = 'foo-username';
   const mockServer = createMockServer();
-  mockResponse(false, {
-    [getVersionPrivilege(defaultVersion)]: true,
-    [getLoginPrivilege()]: true,
-    foo: false,
-    bar: true,
-  });
+  const callWithRequest = createMockCallWithRequest([
+    mockApplicationPrivilegeResponse({
+      hasAllRequested: false,
+      privileges: {
+        [getVersionPrivilege(defaultVersion)]: true,
+        [getLoginPrivilege()]: true,
+        [privilege]: false,
+      },
+      username,
+    }),
+  ]);
 
   const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const hasPrivileges = hasPrivilegesWithRequest({});
-  const result = await hasPrivileges(['foo']);
-  expect(result.missing).toEqual(['foo']);
+  const request = Symbol();
+  const hasPrivileges = hasPrivilegesWithRequest(request);
+  const privileges = [privilege];
+  const result = await hasPrivileges(privileges);
+
+  expectNoDeprecationLogged(mockServer);
+  expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+    body: {
+      applications: [{
+        application: defaultApplication,
+        resources: [DEFAULT_RESOURCE],
+        privileges: [
+          getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+        ]
+      }]
+    }
+  });
+  expect(result).toEqual({
+    success: false,
+    missing: [...privileges],
+    username,
+  });
 });
 
-test(`throws error if missing version privilege and has login privilege`, async () => {
-  const mockServer = createMockServer();
-  mockResponse(false, {
-    [getVersionPrivilege(defaultVersion)]: false,
-    [getLoginPrivilege()]: true,
-    foo: true,
+describe('legacy fallback with no application privileges', () => {
+  test(`returns success of false if the user has no legacy privileges`, async () => {
+    const privilege = 'action:saved_objects/config/get';
+    const username = 'foo-username';
+    const mockServer = createMockServer();
+    const callWithRequest = createMockCallWithRequest([
+      mockApplicationPrivilegeResponse({
+        hasAllRequested: false,
+        privileges: {
+          [getVersionPrivilege(defaultVersion)]: false,
+          [getLoginPrivilege()]: false,
+          [privilege]: false,
+        },
+        username,
+      }),
+      mockLegacyResponse({
+        hasAllRequested: false,
+        privileges: {
+          read: false,
+          index: false,
+        },
+        username,
+      })
+    ]);
+
+    const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+    const request = Symbol();
+    const hasPrivileges = hasPrivilegesWithRequest(request);
+    const privileges = [privilege];
+    const result = await hasPrivileges(privileges);
+
+    expectNoDeprecationLogged(mockServer);
+    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+      body: {
+        applications: [{
+          application: defaultApplication,
+          resources: [DEFAULT_RESOURCE],
+          privileges: [
+            getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+          ]
+        }]
+      }
+    });
+    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+      body: {
+        index: [{
+          names: [ defaultKibanaIndex ],
+          privileges: ['read', 'index']
+        }]
+      }
+    });
+    expect(result).toEqual({
+      success: false,
+      missing: [getLoginPrivilege(), ...privileges],
+      username,
+    });
   });
 
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const hasPrivileges = hasPrivilegesWithRequest({});
-  await expect(hasPrivileges(['foo'])).rejects.toThrowErrorMatchingSnapshot();
-});
+  test(`returns success of true if the user has index privilege on kibana index`, async () => {
+    const privilege = 'something-completely-arbitrary';
+    const username = 'foo-username';
+    const mockServer = createMockServer();
+    const callWithRequest = createMockCallWithRequest([
+      mockApplicationPrivilegeResponse({
+        hasAllRequested: false,
+        privileges: {
+          [getVersionPrivilege(defaultVersion)]: false,
+          [getLoginPrivilege()]: false,
+          [privilege]: false,
+        },
+        username,
+      }),
+      mockLegacyResponse({
+        hasAllRequested: false,
+        privileges: {
+          read: false,
+          index: true,
+        },
+        username,
+      })
+    ]);
+
+    const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+    const request = Symbol();
+    const hasPrivileges = hasPrivilegesWithRequest(request);
+    const privileges = ['foo'];
+    const result = await hasPrivileges(privileges);
+
+    expectDeprecationLogged(mockServer);
+    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+      body: {
+        applications: [{
+          application: defaultApplication,
+          resources: [DEFAULT_RESOURCE],
+          privileges: [
+            getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+          ]
+        }]
+      }
+    });
+    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+      body: {
+        index: [{
+          names: [ defaultKibanaIndex ],
+          privileges: ['read', 'index']
+        }]
+      }
+    });
+    expect(result).toEqual({
+      success: true,
+      missing: [],
+      username,
+    });
+  });
 
-test(`doesn't throw error if missing version privilege and missing login privilege`, async () => {
-  const mockServer = createMockServer();
-  mockResponse(false, {
-    [getVersionPrivilege(defaultVersion)]: false,
-    [getLoginPrivilege()]: false,
-    foo: true,
+  test(`returns success of false if the user has the read privilege on kibana index but the privilege isn't a read action`, async () => {
+    const privilege = 'something-completely-arbitrary';
+    const username = 'foo-username';
+    const mockServer = createMockServer();
+    const callWithRequest = createMockCallWithRequest([
+      mockApplicationPrivilegeResponse({
+        hasAllRequested: false,
+        privileges: {
+          [getVersionPrivilege(defaultVersion)]: false,
+          [getLoginPrivilege()]: false,
+          [privilege]: false,
+        },
+        username,
+      }),
+      mockLegacyResponse({
+        hasAllRequested: false,
+        privileges: {
+          read: true,
+          index: false,
+        },
+        username,
+      })
+    ]);
+
+    const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+    const request = Symbol();
+    const hasPrivileges = hasPrivilegesWithRequest(request);
+    const privileges = [privilege];
+    const result = await hasPrivileges(privileges);
+
+    expectDeprecationLogged(mockServer);
+    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+      body: {
+        applications: [{
+          application: defaultApplication,
+          resources: [DEFAULT_RESOURCE],
+          privileges: [
+            getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+          ]
+        }]
+      }
+    });
+    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+      body: {
+        index: [{
+          names: [ defaultKibanaIndex ],
+          privileges: ['read', 'index']
+        }]
+      }
+    });
+    expect(result).toEqual({
+      success: false,
+      missing: [ privilege ],
+      username,
+    });
   });
 
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const hasPrivileges = hasPrivilegesWithRequest({});
-  await hasPrivileges(['foo']);
-});
+  test(`returns success of false if the user has the read privilege on kibana index but one privilege isn't a read action`, async () => {
+    const privilegeMap = buildPrivilegeMap(defaultApplication, defaultVersion);
+    const privilege1 = 'something-completely-arbitrary';
+    const privilege2 = sample(privilegeMap.read.actions);
+    const username = 'foo-username';
+    const mockServer = createMockServer();
+    const callWithRequest = createMockCallWithRequest([
+      mockApplicationPrivilegeResponse({
+        hasAllRequested: false,
+        privileges: {
+          [getVersionPrivilege(defaultVersion)]: false,
+          [getLoginPrivilege()]: false,
+          [privilege1]: false,
+          [privilege2]: true
+        },
+        username,
+      }),
+      mockLegacyResponse({
+        hasAllRequested: false,
+        privileges: {
+          read: true,
+          index: false,
+        },
+        username,
+      })
+    ]);
+
+    const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+    const request = Symbol();
+    const hasPrivileges = hasPrivilegesWithRequest(request);
+    const privileges = [privilege1, privilege2];
+    const result = await hasPrivileges(privileges);
+
+    expectDeprecationLogged(mockServer);
+    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+      body: {
+        applications: [{
+          application: defaultApplication,
+          resources: [DEFAULT_RESOURCE],
+          privileges: [
+            getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+          ]
+        }]
+      }
+    });
+    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+      body: {
+        index: [{
+          names: [ defaultKibanaIndex ],
+          privileges: ['read', 'index']
+        }]
+      }
+    });
+    expect(result).toEqual({
+      success: false,
+      missing: [ privilege1 ],
+      username,
+    });
+  });
 
-test(`excludes version privilege when missing version privilege and missing login privilege`, async () => {
-  const mockServer = createMockServer();
-  mockResponse(false, {
-    [getVersionPrivilege(defaultVersion)]: false,
-    [getLoginPrivilege()]: false,
-    foo: true,
+  test(`returns success of true if the user has the read privilege on kibana index and the privilege is a read action`, async () => {
+    const privilegeMap = buildPrivilegeMap(defaultApplication, defaultVersion);
+    for (const action of privilegeMap.read.actions) {
+      const privilege = action;
+      const username = 'foo-username';
+      const mockServer = createMockServer();
+      const callWithRequest = createMockCallWithRequest([
+        mockApplicationPrivilegeResponse({
+          hasAllRequested: false,
+          privileges: {
+            [getVersionPrivilege(defaultVersion)]: false,
+            [getLoginPrivilege()]: false,
+            [privilege]: false,
+          },
+          username,
+        }),
+        mockLegacyResponse({
+          hasAllRequested: false,
+          privileges: {
+            read: true,
+            index: false,
+          },
+          username,
+        })
+      ]);
+
+      const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+      const request = Symbol();
+      const hasPrivileges = hasPrivilegesWithRequest(request);
+      const privileges = [privilege];
+      const result = await hasPrivileges(privileges);
+
+      expectDeprecationLogged(mockServer);
+      expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+        body: {
+          applications: [{
+            application: defaultApplication,
+            resources: [DEFAULT_RESOURCE],
+            privileges: [
+              getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+            ]
+          }]
+        }
+      });
+      expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+        body: {
+          index: [{
+            names: [ defaultKibanaIndex ],
+            privileges: ['read', 'index']
+          }]
+        }
+      });
+      expect(result).toEqual({
+        success: true,
+        missing: [],
+        username,
+      });
+    }
   });
 
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const hasPrivileges = hasPrivilegesWithRequest({});
-  const result = await hasPrivileges(['foo']);
-  expect(result.missing).toEqual([getLoginPrivilege()]);
+  test(`returns success of true if the user has the read privilege on kibana index and all privileges are read actions`, async () => {
+    const privilegeMap = buildPrivilegeMap(defaultApplication, defaultVersion);
+    const privileges = privilegeMap.read.actions;
+    const username = 'foo-username';
+    const mockServer = createMockServer();
+    const callWithRequest = createMockCallWithRequest([
+      mockApplicationPrivilegeResponse({
+        hasAllRequested: false,
+        privileges: {
+          [getVersionPrivilege(defaultVersion)]: false,
+          [getLoginPrivilege()]: false,
+          ...privileges.reduce((acc, name) => {
+            acc[name] = false;
+            return acc;
+          }, {})
+        },
+        username,
+      }),
+      mockLegacyResponse({
+        hasAllRequested: false,
+        privileges: {
+          read: true,
+          index: false,
+        },
+        username,
+      })
+    ]);
+
+    const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+    const request = Symbol();
+    const hasPrivileges = hasPrivilegesWithRequest(request);
+    const result = await hasPrivileges(privileges);
+
+    expectDeprecationLogged(mockServer);
+    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+      body: {
+        applications: [{
+          application: defaultApplication,
+          resources: [DEFAULT_RESOURCE],
+          privileges: [
+            getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+          ]
+        }]
+      }
+    });
+    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+      body: {
+        index: [{
+          names: [ defaultKibanaIndex ],
+          privileges: ['read', 'index']
+        }]
+      }
+    });
+    expect(result).toEqual({
+      success: true,
+      missing: [],
+      username,
+    });
+  });
 });
diff --git a/x-pack/plugins/security/server/lib/privileges/index.js b/x-pack/plugins/security/server/lib/privileges/index.js
index a270b8a60331e9..a7a2455d5ec3b0 100644
--- a/x-pack/plugins/security/server/lib/privileges/index.js
+++ b/x-pack/plugins/security/server/lib/privileges/index.js
@@ -5,4 +5,4 @@
  */
 
 export { registerPrivilegesWithCluster } from './privilege_action_registry';
-export { getLoginPrivilege, getVersionPrivilege } from './privileges';
+export { buildPrivilegeMap, getLoginPrivilege, getVersionPrivilege } from './privileges';
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
index 7d31b287fe664c..c91a8e097f6916 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
@@ -16,7 +16,9 @@ export async function registerPrivilegesWithCluster(server) {
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
 
-  const expectedPrivileges = buildPrivilegeMap(application, kibanaVersion);
+  const expectedPrivileges = {
+    [application]: buildPrivilegeMap(application, kibanaVersion)
+  };
 
   server.log(['security', 'debug'], `Registering Kibana Privileges with Elasticsearch for ${application}`);
 
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
index 398a68a097ed94..74949536eb943c 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
@@ -55,7 +55,9 @@ const registerPrivilegesWithClusterTest = (description, { settings = {}, expecte
       expect(mockCallWithInternalUser).toHaveBeenCalledWith(
         'shield.postPrivileges',
         {
-          body: privileges,
+          body: {
+            [defaultApplication]: privileges
+          },
         }
       );
 
@@ -93,7 +95,7 @@ const registerPrivilegesWithClusterTest = (description, { settings = {}, expecte
   test(description, async () => {
     const mockServer = createMockServer();
     const mockCallWithInternalUser = registerMockCallWithInternalUser();
-    mockCallWithInternalUser.mockImplementationOnce(async () => (existingPrivileges));
+    mockCallWithInternalUser.mockImplementationOnce(async () => ({ [defaultApplication]: existingPrivileges }));
     buildPrivilegeMap.mockReturnValue(expectedPrivileges);
 
     await registerPrivilegesWithCluster(mockServer);
diff --git a/x-pack/plugins/security/server/lib/privileges/privileges.js b/x-pack/plugins/security/server/lib/privileges/privileges.js
index 8c11014b4ae14f..e70d30f2e87fa6 100644
--- a/x-pack/plugins/security/server/lib/privileges/privileges.js
+++ b/x-pack/plugins/security/server/lib/privileges/privileges.js
@@ -35,9 +35,7 @@ export function buildPrivilegeMap(application, kibanaVersion) {
     metadata: {}
   };
 
-  return {
-    [application]: privilegeActions
-  };
+  return privilegeActions;
 }
 
 function buildSavedObjectsReadPrivileges() {
diff --git a/x-pack/plugins/security/server/routes/api/v1/privileges.js b/x-pack/plugins/security/server/routes/api/v1/privileges.js
index f7d6e7c6a00394..6c095da482dce4 100644
--- a/x-pack/plugins/security/server/routes/api/v1/privileges.js
+++ b/x-pack/plugins/security/server/routes/api/v1/privileges.js
@@ -23,7 +23,7 @@ export function initPrivilegesApi(server) {
       // with our view of them to allow users to more efficiently edit privileges for roles, and serialize it
       // into a different structure for enforcement within Elasticsearch
       const privileges = buildPrivilegeMap(application, kibanaVersion);
-      reply(Object.values(privileges[application]));
+      reply(Object.values(privileges));
     }
   });
 }
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
index 18fe5a015dc785..12a25607a92acd 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
@@ -120,6 +120,32 @@ export default function ({ getService }) {
       }
     });
 
+    bulkGetTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    bulkGetTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
     bulkGetTest(`kibana rbac user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/create.js b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
index 0db0fc41b5c4a6..c8ca5be09b6ad4 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
@@ -82,6 +82,32 @@ export default function ({ getService }) {
       }
     });
 
+    createTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    createTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectForbidden(true),
+        },
+      }
+    });
+
     createTest(`kibana rbac user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
index ea73c927b869e5..f89073acca7fda 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
@@ -90,6 +90,40 @@ export default function ({ getService }) {
       }
     });
 
+    deleteTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: expectNotFound,
+        }
+      }
+    });
+
+    deleteTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 403,
+          response: createExpectForbidden(true),
+        },
+        invalidId: {
+          statusCode: 403,
+          response: createExpectForbidden(true),
+        }
+      }
+    });
+
     deleteTest(`kibana rbac user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
index e00dd1aa907155..59cc3dc12d5389 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
@@ -217,6 +217,74 @@ export default function ({ getService }) {
       },
     });
 
+    findTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectVisualizationResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectAllResults,
+        },
+      },
+    });
+
+    findTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectVisualizationResults,
+        },
+        unknownType: {
+          description: 'forbidden find wigwags message',
+          statusCode: 403,
+          response: createExpectActionForbidden(true, 'wigwags'),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'forbidden find wigwags message',
+          statusCode: 403,
+          response: createExpectActionForbidden(true, 'wigwags'),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectAllResults,
+        },
+      }
+    });
+
     findTest(`kibana rbac user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
index e5a462d30d30cb..029a44475b12e6 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
@@ -106,6 +106,40 @@ export default function ({ getService }) {
       }
     });
 
+    getTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    getTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
     getTest(`kibana rbac user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
index 1199bd5986e66d..05f06088751ea3 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
@@ -11,6 +11,30 @@ export default function ({ loadTestFile, getService }) {
 
   describe('saved_objects', () => {
     before(async () => {
+      await es.shield.putRole({
+        name: 'kibana_legacy_user',
+        body: {
+          cluster: [],
+          index: [{
+            names: ['.kibana'],
+            privileges: ['manage', 'read', 'index', 'delete']
+          }],
+          applications: []
+        }
+      });
+
+      await es.shield.putRole({
+        name: 'kibana_legacy_dashboard_only_user',
+        body: {
+          cluster: [],
+          index: [{
+            names: ['.kibana'],
+            privileges: ['read', 'view_index_metadata']
+          }],
+          applications: []
+        }
+      });
+
       await es.shield.putRole({
         name: 'kibana_rbac_user',
         body: {
@@ -51,13 +75,33 @@ export default function ({ loadTestFile, getService }) {
         }
       });
 
+      await es.shield.putUser({
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        body: {
+          password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+          roles: ['kibana_legacy_user'],
+          full_name: 'a kibana legacy user',
+          email: 'a_kibana_legacy_user@elastic.co',
+        }
+      });
+
+      await es.shield.putUser({
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        body: {
+          password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+          roles: ["kibana_legacy_dashboard_only_user"],
+          full_name: 'a kibana legacy dashboard only user',
+          email: 'a_kibana_legacy_dashboard_only_user@elastic.co',
+        }
+      });
+
       await es.shield.putUser({
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
         body: {
           password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
           roles: ['kibana_rbac_user'],
           full_name: 'a kibana user',
-          email: 'a_kibana_user@elastic.co',
+          email: 'a_kibana_rbac_user@elastic.co',
         }
       });
 
@@ -67,7 +111,7 @@ export default function ({ loadTestFile, getService }) {
           password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
           roles: ["kibana_rbac_dashboard_only_user"],
           full_name: 'a kibana dashboard only user',
-          email: 'a_kibana_dashboard_only_user@elastic.co',
+          email: 'a_kibana_rbac_dashboard_only_user@elastic.co',
         }
       });
     });
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js b/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
index e095a032934eaf..8b140fd3b2a30c 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
@@ -13,6 +13,14 @@ export const AUTHENTICATION = {
     USERNAME: 'elastic',
     PASSWORD: 'changeme'
   },
+  KIBANA_LEGACY_USER: {
+    USERNAME: 'a_kibana_legacy_user',
+    PASSWORD: 'password'
+  },
+  KIBANA_LEGACY_DASHBOARD_ONLY_USER: {
+    USERNAME: 'a_kibana_legacy_dashboard_only_user',
+    PASSWORD: 'password'
+  },
   KIBANA_RBAC_USER: {
     USERNAME: 'a_kibana_rbac_user',
     PASSWORD: 'password'
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
index a9f5f0ab81aaba..ae299348847d69 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
@@ -114,6 +114,40 @@ export default function ({ getService }) {
       }
     });
 
+    updateTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    updateTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 403,
+          response: createExpectForbidden(true),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectForbidden(true),
+        },
+      }
+    });
+
     updateTest(`kibana rbac user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
diff --git a/x-pack/test/rbac_api_integration/config.js b/x-pack/test/rbac_api_integration/config.js
index b9f3f19b0576c9..c2ff96adcff559 100644
--- a/x-pack/test/rbac_api_integration/config.js
+++ b/x-pack/test/rbac_api_integration/config.js
@@ -54,7 +54,6 @@ export default async function ({ readConfigFile }) {
       serverArgs: [
         ...config.xpack.api.get('kbnTestServer.serverArgs'),
         '--optimize.enabled=false',
-        '--xpack.security.rbac.enabled=true',
         '--server.xsrf.disableProtection=true',
       ],
     },

From 9941eb2b32dcfc6604ab88ad5b054d2f54474d47 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Wed, 13 Jun 2018 16:55:41 -0400
Subject: [PATCH 044/183] Fixing checkLicenses tests since we added RBAC

---
 .../server/lib/__tests__/check_license.js     | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/__tests__/check_license.js b/x-pack/plugins/security/server/lib/__tests__/check_license.js
index 63f25022267745..53e3eb09eefdfa 100644
--- a/x-pack/plugins/security/server/lib/__tests__/check_license.js
+++ b/x-pack/plugins/security/server/lib/__tests__/check_license.js
@@ -35,6 +35,7 @@ describe('check_license', function () {
       showLinks: false,
       allowRoleDocumentLevelSecurity: false,
       allowRoleFieldLevelSecurity: false,
+      allowRbac: false,
       loginMessage: 'Login is currently disabled. Administrators should consult the Kibana logs for more details.'
     });
   });
@@ -53,6 +54,7 @@ describe('check_license', function () {
       showLinks: false,
       allowRoleDocumentLevelSecurity: false,
       allowRoleFieldLevelSecurity: false,
+      allowRbac: false,
       linksMessage: 'Your Basic license does not support Security. Please upgrade your license.'
     });
   });
@@ -71,6 +73,7 @@ describe('check_license', function () {
       showLinks: false,
       allowRoleDocumentLevelSecurity: false,
       allowRoleFieldLevelSecurity: false,
+      allowRbac: false,
       linksMessage: 'Access is denied because Security is disabled in Elasticsearch.'
     });
   });
@@ -94,7 +97,8 @@ describe('check_license', function () {
       allowLogin: true,
       showLinks: true,
       allowRoleDocumentLevelSecurity: false,
-      allowRoleFieldLevelSecurity: false
+      allowRoleFieldLevelSecurity: false,
+      allowRbac: true,
     });
 
     mockXPackInfo.license.isActive.returns(false);
@@ -103,7 +107,8 @@ describe('check_license', function () {
       allowLogin: true,
       showLinks: true,
       allowRoleDocumentLevelSecurity: false,
-      allowRoleFieldLevelSecurity: false
+      allowRoleFieldLevelSecurity: false,
+      allowRbac: true,
     });
   });
 
@@ -121,7 +126,8 @@ describe('check_license', function () {
       allowLogin: true,
       showLinks: true,
       allowRoleDocumentLevelSecurity: true,
-      allowRoleFieldLevelSecurity: true
+      allowRoleFieldLevelSecurity: true,
+      allowRbac: true,
     });
 
     mockXPackInfo.license.isActive.returns(false);
@@ -130,7 +136,8 @@ describe('check_license', function () {
       allowLogin: true,
       showLinks: true,
       allowRoleDocumentLevelSecurity: true,
-      allowRoleFieldLevelSecurity: true
+      allowRoleFieldLevelSecurity: true,
+      allowRbac: true,
     });
   });
 
@@ -148,7 +155,8 @@ describe('check_license', function () {
       allowLogin: true,
       showLinks: true,
       allowRoleDocumentLevelSecurity: true,
-      allowRoleFieldLevelSecurity: true
+      allowRoleFieldLevelSecurity: true,
+      allowRbac: true,
     });
 
     mockXPackInfo.license.isActive.returns(false);
@@ -157,7 +165,8 @@ describe('check_license', function () {
       allowLogin: true,
       showLinks: true,
       allowRoleDocumentLevelSecurity: true,
-      allowRoleFieldLevelSecurity: true
+      allowRoleFieldLevelSecurity: true,
+      allowRbac: true,
     });
   });
 });

From 8667ebd816e1f4c2522fba625e64abc3932bdbf1 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 14 Jun 2018 08:15:23 -0400
Subject: [PATCH 045/183] [Flaky Test] - wait for page load to complete
 (#19895)

@kobelb this seems unrelated to our RBAC Phase 1 work, but I was able to consistently reproduce this on my machine.
---
 x-pack/test/functional/apps/monitoring/elasticsearch/shards.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/x-pack/test/functional/apps/monitoring/elasticsearch/shards.js b/x-pack/test/functional/apps/monitoring/elasticsearch/shards.js
index e2557bf4b4de13..ea5fd1ad227303 100644
--- a/x-pack/test/functional/apps/monitoring/elasticsearch/shards.js
+++ b/x-pack/test/functional/apps/monitoring/elasticsearch/shards.js
@@ -33,6 +33,8 @@ export default function ({ getService, getPageObjects }) {
         // start on cluster overview
         await PageObjects.monitoring.clickBreadcrumb('breadcrumbClusters');
 
+        await PageObjects.header.waitUntilLoadingHasFinished();
+
         // go to nodes listing
         await overview.clickEsNodes();
         expect(await nodesList.isOnListing()).to.be(true);

From b0e699899915a2a7c53993fe55cbed8f56e1ff3e Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 14 Jun 2018 10:01:45 -0400
Subject: [PATCH 046/183] [Flaky Test] Fixes flaky role test (#19899)

Here's a fix for the latest flaky test @kobelb
---
 x-pack/test/functional/apps/security/management.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/x-pack/test/functional/apps/security/management.js b/x-pack/test/functional/apps/security/management.js
index b05e5f39098fba..d01d5e2b99d5df 100644
--- a/x-pack/test/functional/apps/security/management.js
+++ b/x-pack/test/functional/apps/security/management.js
@@ -136,6 +136,9 @@ export default function ({ getService, getPageObjects }) {
         });
 
         it('Reserved roles are not editable', async () => {
+          // wait for role tab to finish loading from previous test
+          await PageObjects.header.waitUntilLoadingHasFinished();
+
           const allInputs = await find.allByCssSelector('input');
           for (let i = 0; i < allInputs.length; i++) {
             const input = allInputs[i];

From 91899182134854d17804fe517b1e2d70291d4720 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 14 Jun 2018 11:22:30 -0400
Subject: [PATCH 047/183] updates from merge

---
 .../__snapshots__/space_selector.test.js.snap |  5 +-
 .../spaces/server/lib/create_default_space.js | 14 ++--
 .../server/lib/create_default_space.test.js   | 57 +++++++++------
 x-pack/yarn.lock                              | 69 +++----------------
 4 files changed, 55 insertions(+), 90 deletions(-)

diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
index 7de6fd437aabc2..766dda7129df20 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
@@ -2,7 +2,8 @@
 
 exports[`it renders without crashing 1`] = `
 <div
-  className="euiPage"
+  className="euiPage euiPage--widthIsNotRestricted"
+  style={undefined}
 >
   <div
     className="euiPageHeader"
@@ -12,12 +13,14 @@ exports[`it renders without crashing 1`] = `
     >
       <svg
         className="euiIcon euiIcon--xxLarge"
+        focusable="false"
         height="40"
         style={
           Object {
             "fill": undefined,
           }
         }
+        tabIndex={undefined}
         viewBox="0 0 30 40"
         width="30"
         xmlns="http://www.w3.org/2000/svg"
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.js b/x-pack/plugins/spaces/server/lib/create_default_space.js
index a58307152412a2..0408105a6944c8 100644
--- a/x-pack/plugins/spaces/server/lib/create_default_space.js
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.js
@@ -10,9 +10,11 @@ import { DEFAULT_SPACE_ID } from '../../common/constants';
 export async function createDefaultSpace(server) {
   const { callWithInternalUser: callCluster } = getClient(server);
 
-  const savedObjectsClient = server.savedObjectsClientFactory({ callCluster });
+  const { getSavedObjectsRepository, SavedObjectsClient } = server.savedObjects;
 
-  const defaultSpaceExists = await doesDefaultSpaceExist(savedObjectsClient);
+  const savedObjectsRepository = getSavedObjectsRepository(callCluster);
+
+  const defaultSpaceExists = await doesDefaultSpaceExist(SavedObjectsClient, savedObjectsRepository);
 
   if (defaultSpaceExists) {
     return;
@@ -22,7 +24,7 @@ export async function createDefaultSpace(server) {
     id: DEFAULT_SPACE_ID
   };
 
-  await savedObjectsClient.create('space', {
+  await savedObjectsRepository.create('space', {
     name: 'Default Space',
     description: 'This is your Default Space!',
     urlContext: '',
@@ -30,12 +32,12 @@ export async function createDefaultSpace(server) {
   }, options);
 }
 
-async function doesDefaultSpaceExist(savedObjectsClient) {
+async function doesDefaultSpaceExist(SavedObjectsClient, savedObjectsRepository) {
   try {
-    await savedObjectsClient.get('space', DEFAULT_SPACE_ID);
+    await savedObjectsRepository.get('space', DEFAULT_SPACE_ID);
     return true;
   } catch (e) {
-    if (savedObjectsClient.errors.isNotFoundError(e)) {
+    if (SavedObjectsClient.errors.isNotFoundError(e)) {
       return false;
     }
     throw e;
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.test.js b/x-pack/plugins/spaces/server/lib/create_default_space.test.js
index 1d127955b9e1a7..d2b4df363eb78b 100644
--- a/x-pack/plugins/spaces/server/lib/create_default_space.test.js
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.test.js
@@ -22,25 +22,40 @@ beforeEach(() => {
 const createMockServer = (settings = {}) => {
 
   const {
-    defaultExists = false
+    defaultExists = false,
+    simulateErrorCondition = false
   } = settings;
 
+  const mockGet = jest.fn().mockImplementation(() => {
+    if (simulateErrorCondition) {
+      throw new Error('unit test: unexpected exception condition');
+    }
+
+    if (defaultExists) {
+      return;
+    }
+    throw Boom.notFound('unit test: default space not found');
+  });
+
+  const mockCreate = jest.fn().mockReturnValue();
+
   const mockServer = {
     config: jest.fn().mockReturnValue({
       get: jest.fn()
     }),
-    savedObjectsClientFactory: jest.fn().mockReturnValue({
-      get: jest.fn().mockImplementation(() => {
-        if (defaultExists) {
-          return;
+    savedObjects: {
+      SavedObjectsClient: {
+        errors: {
+          isNotFoundError: (e) => e.message === 'unit test: default space not found'
         }
-        throw Boom.notFound('unit test: default space not found');
-      }),
-      create: jest.fn().mockReturnValue(),
-      errors: {
-        isNotFoundError: (e) => e.message === 'unit test: default space not found'
-      }
-    })
+      },
+      getSavedObjectsRepository: jest.fn().mockImplementation(() => {
+        return {
+          get: mockGet,
+          create: mockCreate,
+        };
+      })
+    }
   };
 
   mockServer.config().get.mockImplementation(key => {
@@ -57,11 +72,11 @@ test(`it creates the default space when one does not exist`, async () => {
 
   await createDefaultSpace(server);
 
-  const client = server.savedObjectsClientFactory();
+  const repository = server.savedObjects.getSavedObjectsRepository();
 
-  expect(client.get).toHaveBeenCalledTimes(1);
-  expect(client.create).toHaveBeenCalledTimes(1);
-  expect(client.create).toHaveBeenCalledWith(
+  expect(repository.get).toHaveBeenCalledTimes(1);
+  expect(repository.create).toHaveBeenCalledTimes(1);
+  expect(repository.create).toHaveBeenCalledWith(
     'space',
     { "_reserved": true, "description": "This is your Default Space!", "name": "Default Space", "urlContext": "" },
     { "id": "default" }
@@ -75,20 +90,18 @@ test(`it does not attempt to recreate the default space if it already exists`, a
 
   await createDefaultSpace(server);
 
-  const client = server.savedObjectsClientFactory();
+  const repository = server.savedObjects.getSavedObjectsRepository();
 
-  expect(client.get).toHaveBeenCalledTimes(1);
-  expect(client.create).toHaveBeenCalledTimes(0);
+  expect(repository.get).toHaveBeenCalledTimes(1);
+  expect(repository.create).toHaveBeenCalledTimes(0);
 });
 
 test(`it throws all other errors from the saved objects client`, async () => {
   const server = createMockServer({
     defaultExists: true,
+    simulateErrorCondition: true,
   });
 
-  const client = server.savedObjectsClientFactory();
-  client.get = () => { throw new Error('unit test: unexpected exception condition'); };
-
   try {
     await createDefaultSpace(server);
     throw new Error(`Expected error to be thrown!`);
diff --git a/x-pack/yarn.lock b/x-pack/yarn.lock
index bc2e273b5d3c4b..298f2bfb168528 100644
--- a/x-pack/yarn.lock
+++ b/x-pack/yarn.lock
@@ -10,15 +10,9 @@
     esutils "^2.0.2"
     js-tokens "^3.0.0"
 
-<<<<<<< HEAD
-"@elastic/eui@v0.0.51":
-  version "0.0.51"
-  resolved "https://registry.yarnpkg.com/@elastic/eui/-/eui-0.0.51.tgz#5d809af270dd9994a609fd01eaa84e21a62fff98"
-=======
 "@elastic/eui@0.0.52":
   version "0.0.52"
   resolved "https://registry.yarnpkg.com/@elastic/eui/-/eui-0.0.52.tgz#c34c6cd482b458015e0d2b410f98652053994138"
->>>>>>> master
   dependencies:
     classnames "^2.2.5"
     core-js "^2.5.1"
@@ -1323,8 +1317,6 @@ chalk@^2.0.0, chalk@^2.0.1, chalk@^2.3.0:
     escape-string-regexp "^1.0.5"
     supports-color "^4.0.0"
 
-<<<<<<< HEAD
-=======
 chalk@^2.3.1, chalk@^2.4.1:
   version "2.4.1"
   resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.4.1.tgz#18c49ab16a037b6eb0152cc83e3471338215b66e"
@@ -1333,7 +1325,6 @@ chalk@^2.3.1, chalk@^2.4.1:
     escape-string-regexp "^1.0.5"
     supports-color "^5.3.0"
 
->>>>>>> master
 chalk@^2.3.2:
   version "2.3.2"
   resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.3.2.tgz#250dc96b07491bfd601e648d66ddf5f60c7a5c65"
@@ -1873,9 +1864,6 @@ debug@2.2.0:
   dependencies:
     ms "0.7.1"
 
-<<<<<<< HEAD
-debug@2.X, debug@^2.2.0, debug@^2.3.3, debug@^2.6.8:
-=======
 debug@2.6.0:
   version "2.6.0"
   resolved "https://registry.yarnpkg.com/debug/-/debug-2.6.0.tgz#bc596bcabe7617f11d9fa15361eded5608b8499b"
@@ -1883,7 +1871,6 @@ debug@2.6.0:
     ms "0.7.2"
 
 debug@^2.2.0, debug@^2.3.3, debug@^2.6.8:
->>>>>>> master
   version "2.6.9"
   resolved "https://registry.yarnpkg.com/debug/-/debug-2.6.9.tgz#5d128515df134ff327e90a4c93f4e077a536341f"
   dependencies:
@@ -2146,8 +2133,6 @@ elasticsearch@13.0.1:
     lodash.isempty "^4.4.0"
     lodash.trimend "^4.5.1"
 
-<<<<<<< HEAD
-=======
 elasticsearch@^14.1.0:
   version "14.2.2"
   resolved "https://registry.yarnpkg.com/elasticsearch/-/elasticsearch-14.2.2.tgz#6bbb63b19b17fa97211b22eeacb0f91197f4d6b6"
@@ -2159,7 +2144,6 @@ elasticsearch@^14.1.0:
     lodash.isempty "^4.4.0"
     lodash.trimend "^4.5.1"
 
->>>>>>> master
 encoding@^0.1.11:
   version "0.1.12"
   resolved "https://registry.yarnpkg.com/encoding/-/encoding-0.1.12.tgz#538b66f3ee62cd1ab51ec323829d1f9480c74beb"
@@ -2336,13 +2320,10 @@ esutils@~1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/esutils/-/esutils-1.0.0.tgz#8151d358e20c8acc7fb745e7472c0025fe496570"
 
-<<<<<<< HEAD
-=======
 eventemitter3@^3.0.0:
   version "3.1.0"
   resolved "https://registry.yarnpkg.com/eventemitter3/-/eventemitter3-3.1.0.tgz#090b4d6cdbd645ed10bf750d4b5407942d7ba163"
 
->>>>>>> master
 exec-sh@^0.2.0:
   version "0.2.1"
   resolved "https://registry.yarnpkg.com/exec-sh/-/exec-sh-0.2.1.tgz#163b98a6e89e6b65b47c2a28d215bc1f63989c38"
@@ -2739,8 +2720,6 @@ fragment-cache@^0.2.1:
   dependencies:
     map-cache "^0.2.2"
 
-<<<<<<< HEAD
-=======
 from2@^2.1.1:
   version "2.3.0"
   resolved "https://registry.yarnpkg.com/from2/-/from2-2.3.0.tgz#8bfb5502bde4a4d36cfdeea007fcca21d7e382af"
@@ -2748,7 +2727,6 @@ from2@^2.1.1:
     inherits "^2.0.1"
     readable-stream "^2.0.0"
 
->>>>>>> master
 from@^0.1.3:
   version "0.1.7"
   resolved "https://registry.yarnpkg.com/from/-/from-0.1.7.tgz#83c60afc58b9c56997007ed1a768b3ab303a44fe"
@@ -2839,11 +2817,7 @@ get-stdin@^4.0.1:
   version "4.0.1"
   resolved "https://registry.yarnpkg.com/get-stdin/-/get-stdin-4.0.1.tgz#b968c6b0a04384324902e8bf1a5df32579a450fe"
 
-<<<<<<< HEAD
-get-stream@^3.0.0:
-=======
 get-stream@3.0.0, get-stream@^3.0.0:
->>>>>>> master
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/get-stream/-/get-stream-3.0.0.tgz#8e943d1358dc37555054ecbe2edb05aa174ede14"
 
@@ -3480,13 +3454,10 @@ htmlparser2@^3.9.1:
     inherits "^2.0.1"
     readable-stream "^2.0.2"
 
-<<<<<<< HEAD
-=======
 http-cache-semantics@3.8.1:
   version "3.8.1"
   resolved "https://registry.yarnpkg.com/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz#39b0e16add9b605bf0a9ef3d9daaf4843b4cacd2"
 
->>>>>>> master
 http-errors@~1.4.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-1.4.0.tgz#6c0242dea6b3df7afda153c71089b31c6e82aabf"
@@ -3847,13 +3818,10 @@ is-relative@^1.0.0:
   dependencies:
     is-unc-path "^1.0.0"
 
-<<<<<<< HEAD
-=======
 is-retry-allowed@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/is-retry-allowed/-/is-retry-allowed-1.1.0.tgz#11a060568b67339444033d0125a61a20d564fb34"
 
->>>>>>> master
 is-stream@^1.0.1, is-stream@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/is-stream/-/is-stream-1.1.0.tgz#12d4a3dd4e68e0b79ceb8dbc84173ae80d91ca44"
@@ -4916,11 +4884,7 @@ methods@^1.1.1, methods@~1.1.2:
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/methods/-/methods-1.1.2.tgz#5529a4d67654134edcc5266656835b0f851afcee"
 
-<<<<<<< HEAD
-micromatch@^2.1.5, micromatch@^2.3.11, micromatch@^2.3.7:
-=======
 micromatch@^2.1.5, micromatch@^2.3.11:
->>>>>>> master
   version "2.3.11"
   resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-2.3.11.tgz#86677c97d1720b363431d04d0d15293bd38c1565"
   dependencies:
@@ -5244,13 +5208,10 @@ node-pre-gyp@^0.6.39:
     tar "^2.2.1"
     tar-pack "^3.4.0"
 
-<<<<<<< HEAD
-=======
 nodemailer@^4.6.4:
   version "4.6.4"
   resolved "https://registry.yarnpkg.com/nodemailer/-/nodemailer-4.6.4.tgz#f0d72d0c6a6ec5f4369fa8f4bf5127a31baa2014"
 
->>>>>>> master
 nomnom@~1.6.2:
   version "1.6.2"
   resolved "https://registry.yarnpkg.com/nomnom/-/nomnom-1.6.2.tgz#84a66a260174408fc5b77a18f888eccc44fb6971"
@@ -5739,6 +5700,10 @@ pify@^2.0.0:
   version "2.3.0"
   resolved "https://registry.yarnpkg.com/pify/-/pify-2.3.0.tgz#ed141a6ac043a849ea588498e7dca8b15330e90c"
 
+pify@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/pify/-/pify-3.0.0.tgz#e5a4acd2c101fdf3d9a4d07f0dbc4db49dd28176"
+
 pinkie-promise@^2.0.0:
   version "2.0.1"
   resolved "https://registry.yarnpkg.com/pinkie-promise/-/pinkie-promise-2.0.1.tgz#2135d6dfa7a358c069ac9b178776288228450ffa"
@@ -6747,27 +6712,6 @@ rxjs@5.3.0:
   dependencies:
     symbol-observable "^1.0.1"
 
-<<<<<<< HEAD
-safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1:
-  version "5.1.1"
-  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
-
-safe-buffer@~5.1.0, safe-buffer@~5.1.1:
-  version "5.1.2"
-  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.2.tgz#991ec69d296e0313747d59bdfd2b745c35f8828d"
-
-"safer-buffer@>= 2.1.2 < 3":
-  version "2.1.2"
-  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
-
-samsam@1.1.2:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.1.2.tgz#bec11fdc83a9fda063401210e40176c3024d1567"
-
-samsam@~1.1:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.1.3.tgz#9f5087419b4d091f232571e7fa52e90b0f552621"
-=======
 rxjs@^5.4.3:
   version "5.5.10"
   resolved "https://registry.yarnpkg.com/rxjs/-/rxjs-5.5.10.tgz#fde02d7a614f6c8683d0d1957827f492e09db045"
@@ -6778,10 +6722,13 @@ safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@~5.1.0,
   version "5.1.1"
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
 
+"safer-buffer@>= 2.1.2 < 3":
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
+
 samsam@1.3.0:
   version "1.3.0"
   resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.3.0.tgz#8d1d9350e25622da30de3e44ba692b5221ab7c50"
->>>>>>> master
 
 sane@^2.0.0:
   version "2.2.0"

From 3dd4b3b3aeb9755bd14ab12ceb6d016015f824e9 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 14 Jun 2018 11:25:17 -0400
Subject: [PATCH 048/183] updates from merge -- add missing files

---
 .../saved_objects/saved_objects_mixin.js      |  1 -
 yarn.lock                                     | 76 ++-----------------
 2 files changed, 5 insertions(+), 72 deletions(-)

diff --git a/src/server/saved_objects/saved_objects_mixin.js b/src/server/saved_objects/saved_objects_mixin.js
index bc5d625551a1e3..ed51f920176f67 100644
--- a/src/server/saved_objects/saved_objects_mixin.js
+++ b/src/server/saved_objects/saved_objects_mixin.js
@@ -64,7 +64,6 @@ export function savedObjectsMixin(kbnServer, server) {
 
     const savedObjectsClient = server.savedObjects.getScopedSavedObjectsClient(request);
 
-
     savedObjectsClientCache.set(request, savedObjectsClient);
     return savedObjectsClient;
   });
diff --git a/yarn.lock b/yarn.lock
index 57f46584ab63ca..a1bcbf1ac7e7fa 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -77,15 +77,9 @@
   version "0.0.0"
   uid ""
 
-<<<<<<< HEAD
-"@elastic/eui@v0.0.51":
-  version "0.0.51"
-  resolved "https://registry.yarnpkg.com/@elastic/eui/-/eui-0.0.51.tgz#5d809af270dd9994a609fd01eaa84e21a62fff98"
-=======
 "@elastic/eui@0.0.52", "@elastic/eui@v0.0.52":
   version "0.0.52"
   resolved "https://registry.yarnpkg.com/@elastic/eui/-/eui-0.0.52.tgz#c34c6cd482b458015e0d2b410f98652053994138"
->>>>>>> master
   dependencies:
     classnames "^2.2.5"
     core-js "^2.5.1"
@@ -311,8 +305,6 @@
   version "9.4.7"
   resolved "https://registry.yarnpkg.com/@types/node/-/node-9.4.7.tgz#57d81cd98719df2c9de118f2d5f3b1120dcd7275"
 
-<<<<<<< HEAD
-=======
 "@types/node@^9.4.7":
   version "9.6.18"
   resolved "https://registry.yarnpkg.com/@types/node/-/node-9.6.18.tgz#092e13ef64c47e986802c9c45a61c1454813b31d"
@@ -363,7 +355,6 @@
     "@types/events" "*"
     "@types/node" "*"
 
->>>>>>> master
 JSONStream@1.1.1:
   version "1.1.1"
   resolved "https://registry.yarnpkg.com/JSONStream/-/JSONStream-1.1.1.tgz#c98bfd88c8f1e1e8694e53c5baa6c8691553e59a"
@@ -1796,19 +1787,11 @@ bluebird@3.4.6:
   version "3.4.6"
   resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.4.6.tgz#01da8d821d87813d158967e743d5fe6c62cf8c0f"
 
-<<<<<<< HEAD
-bluebird@^2.10.0, bluebird@^2.9.24:
-  version "2.11.0"
-  resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-2.11.0.tgz#534b9033c022c9579c56ba3b3e5a5caafbb650e1"
-
-bluebird@^3.3.0:
-=======
 bluebird@^2.10.0:
   version "2.11.0"
   resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-2.11.0.tgz#534b9033c022c9579c56ba3b3e5a5caafbb650e1"
 
 bluebird@^3.3.0, bluebird@^3.3.1:
->>>>>>> master
   version "3.5.1"
   resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.5.1.tgz#d9551f9de98f1fcda1e683d17ee91a0602ee2eb9"
 
@@ -2083,13 +2066,8 @@ buffer-equal@^1.0.0:
   resolved "https://registry.yarnpkg.com/buffer-equal/-/buffer-equal-1.0.0.tgz#59616b498304d556abd466966b22eeda3eca5fbe"
 
 buffer-from@^1.0.0:
-<<<<<<< HEAD
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/buffer-from/-/buffer-from-1.1.0.tgz#87fcaa3a298358e0ade6e442cfce840740d1ad04"
-=======
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/buffer-from/-/buffer-from-1.0.0.tgz#4cb8832d23612589b0406e9e2956c17f06fdf531"
->>>>>>> master
 
 buffer-xor@^1.0.3:
   version "1.0.3"
@@ -2364,8 +2342,6 @@ chalk@^2.0.0, chalk@^2.0.1, chalk@^2.1.0, chalk@^2.3.0, chalk@^2.3.1, chalk@^2.3
     escape-string-regexp "^1.0.5"
     supports-color "^5.3.0"
 
-<<<<<<< HEAD
-=======
 chalk@^2.4.1:
   version "2.4.1"
   resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.4.1.tgz#18c49ab16a037b6eb0152cc83e3471338215b66e"
@@ -2374,7 +2350,6 @@ chalk@^2.4.1:
     escape-string-regexp "^1.0.5"
     supports-color "^5.3.0"
 
->>>>>>> master
 chalk@~0.5.1:
   version "0.5.1"
   resolved "https://registry.yarnpkg.com/chalk/-/chalk-0.5.1.tgz#663b3a648b68b55d04690d49167aa837858f2174"
@@ -2847,20 +2822,7 @@ concat-stream@1.6.0:
     readable-stream "^2.2.2"
     typedarray "^0.0.6"
 
-<<<<<<< HEAD
-concat-stream@^1.4.7:
-  version "1.6.2"
-  resolved "https://registry.yarnpkg.com/concat-stream/-/concat-stream-1.6.2.tgz#904bdf194cd3122fc675c77fc4ac3d4ff0fd1a34"
-  dependencies:
-    buffer-from "^1.0.0"
-    inherits "^2.0.3"
-    readable-stream "^2.2.2"
-    typedarray "^0.0.6"
-
-concat-stream@^1.5.2, concat-stream@^1.6.0, concat-stream@~1.6.0:
-=======
 concat-stream@^1.4.7, concat-stream@^1.6.0, concat-stream@~1.6.0:
->>>>>>> master
   version "1.6.1"
   resolved "https://registry.yarnpkg.com/concat-stream/-/concat-stream-1.6.1.tgz#261b8f518301f1d834e36342b9fea095d2620a26"
   dependencies:
@@ -5134,8 +5096,6 @@ fragment-cache@^0.2.1:
   dependencies:
     map-cache "^0.2.2"
 
-<<<<<<< HEAD
-=======
 from2@^2.1.1:
   version "2.3.0"
   resolved "https://registry.yarnpkg.com/from2/-/from2-2.3.0.tgz#8bfb5502bde4a4d36cfdeea007fcca21d7e382af"
@@ -5143,7 +5103,6 @@ from2@^2.1.1:
     inherits "^2.0.1"
     readable-stream "^2.0.0"
 
->>>>>>> master
 from@^0.1.3, from@~0:
   version "0.1.7"
   resolved "https://registry.yarnpkg.com/from/-/from-0.1.7.tgz#83c60afc58b9c56997007ed1a768b3ab303a44fe"
@@ -5158,15 +5117,9 @@ fs-exists-sync@^0.1.0:
   version "0.1.0"
   resolved "https://registry.yarnpkg.com/fs-exists-sync/-/fs-exists-sync-0.1.0.tgz#982d6893af918e72d08dec9e8673ff2b5a8d6add"
 
-<<<<<<< HEAD
-fs-extra@4.0.3, fs-extra@^4.0.1:
-  version "4.0.3"
-  resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-4.0.3.tgz#0d852122e5bc5beb453fb028e9c0c9bf36340c94"
-=======
 fs-extra@6.0.0:
   version "6.0.0"
   resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-6.0.0.tgz#0f0afb290bb3deb87978da816fcd3c7797f3a817"
->>>>>>> master
   dependencies:
     graceful-fs "^4.1.2"
     jsonfile "^4.0.0"
@@ -8974,13 +8927,10 @@ node-status-codes@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/node-status-codes/-/node-status-codes-1.0.0.tgz#5ae5541d024645d32a58fcddc9ceecea7ae3ac2f"
 
-<<<<<<< HEAD
-=======
 nodemailer@^4.6.4:
   version "4.6.4"
   resolved "https://registry.yarnpkg.com/nodemailer/-/nodemailer-4.6.4.tgz#f0d72d0c6a6ec5f4369fa8f4bf5127a31baa2014"
 
->>>>>>> master
 nomnom@~1.6.2:
   version "1.6.2"
   resolved "https://registry.yarnpkg.com/nomnom/-/nomnom-1.6.2.tgz#84a66a260174408fc5b77a18f888eccc44fb6971"
@@ -10465,15 +10415,13 @@ react-input-range@^1.3.0:
     autobind-decorator "^1.3.4"
     prop-types "^15.5.8"
 
-<<<<<<< HEAD
-react-lifecycles-compat@^3.0.4:
-  version "3.0.4"
-  resolved "https://registry.yarnpkg.com/react-lifecycles-compat/-/react-lifecycles-compat-3.0.4.tgz#4f1a273afdfc8f3488a8c516bfda78f872352362"
-=======
 react-is@^16.4.0:
   version "16.4.0"
   resolved "https://registry.yarnpkg.com/react-is/-/react-is-16.4.0.tgz#cc9fdc855ac34d2e7d9d2eb7059bbc240d35ffcf"
->>>>>>> master
+
+react-lifecycles-compat@^3.0.4:
+  version "3.0.4"
+  resolved "https://registry.yarnpkg.com/react-lifecycles-compat/-/react-lifecycles-compat-3.0.4.tgz#4f1a273afdfc8f3488a8c516bfda78f872352362"
 
 react-markdown-renderer@^1.4.0:
   version "1.4.0"
@@ -11309,9 +11257,6 @@ rxjs@5.4.3:
   dependencies:
     symbol-observable "^1.0.1"
 
-<<<<<<< HEAD
-safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1:
-=======
 rxjs@^5.4.3:
   version "5.5.10"
   resolved "https://registry.yarnpkg.com/rxjs/-/rxjs-5.5.10.tgz#fde02d7a614f6c8683d0d1957827f492e09db045"
@@ -11330,8 +11275,7 @@ rxjs@^6.1.0:
   dependencies:
     tslib "^1.9.0"
 
-safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@~5.1.0, safe-buffer@~5.1.1:
->>>>>>> master
+safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1:
   version "5.1.1"
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
 
@@ -11356,23 +11300,13 @@ safefs@^4.0.0:
     editions "^1.1.1"
     graceful-fs "^4.1.4"
 
-<<<<<<< HEAD
 "safer-buffer@>= 2.1.2 < 3":
   version "2.1.2"
   resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
 
-samsam@1.1.2:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.1.2.tgz#bec11fdc83a9fda063401210e40176c3024d1567"
-
-samsam@~1.1:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.1.3.tgz#9f5087419b4d091f232571e7fa52e90b0f552621"
-=======
 samsam@1.3.0:
   version "1.3.0"
   resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.3.0.tgz#8d1d9350e25622da30de3e44ba692b5221ab7c50"
->>>>>>> master
 
 sane@^2.0.0:
   version "2.5.0"

From b464f03e65fa6dd41bc4445a851552fa89b37537 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 14 Jun 2018 11:37:43 -0400
Subject: [PATCH 049/183] Now with even easier repository access

---
 x-pack/plugins/security/index.js | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index e0449711f31fc6..9bc4d34697c022 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -119,9 +119,6 @@ export const security = (kibana) => new kibana.Plugin({
 
     savedObjects.setScopedSavedObjectsClientFactory(({
       request,
-      index,
-      mappings,
-      onBeforeWrite
     }) => {
       const adminCluster = server.plugins.elasticsearch.getCluster('admin');
 
@@ -129,12 +126,7 @@ export const security = (kibana) => new kibana.Plugin({
         const { callWithRequest } = adminCluster;
         const callCluster = (...args) => callWithRequest(request, ...args);
 
-        const repository = new savedObjects.SavedObjectsRepository({
-          index,
-          mappings,
-          onBeforeWrite,
-          callCluster,
-        });
+        const repository = savedObjects.getSavedObjectsRepository(callCluster);
 
         return new savedObjects.SavedObjectsClient(repository);
       }
@@ -142,12 +134,7 @@ export const security = (kibana) => new kibana.Plugin({
       const hasPrivileges = hasPrivilegesWithRequest(request);
       const { callWithInternalUser } = adminCluster;
 
-      const repository = new savedObjects.SavedObjectsRepository({
-        index,
-        mappings,
-        onBeforeWrite,
-        callCluster: callWithInternalUser
-      });
+      const repository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
 
       return new SecureSavedObjectsClient({
         repository,

From e02c5bbbf72bc9d5d2795fb15476209597baf348 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Thu, 14 Jun 2018 13:38:29 -0400
Subject: [PATCH 050/183] Sample was including login/version privileges, which
 was occasionally (#19915)

causing issues that were really hard to replicate
---
 .../lib/authorization/has_privileges.test.js  | 112 +++++++++---------
 1 file changed, 57 insertions(+), 55 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
index 2462b0a4434607..98ed3713922fd2 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
@@ -4,7 +4,6 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { sample } from 'lodash';
 import { hasPrivilegesWithServer } from './has_privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
@@ -445,62 +444,65 @@ describe('legacy fallback with no application privileges', () => {
 
   test(`returns success of false if the user has the read privilege on kibana index but one privilege isn't a read action`, async () => {
     const privilegeMap = buildPrivilegeMap(defaultApplication, defaultVersion);
-    const privilege1 = 'something-completely-arbitrary';
-    const privilege2 = sample(privilegeMap.read.actions);
-    const username = 'foo-username';
-    const mockServer = createMockServer();
-    const callWithRequest = createMockCallWithRequest([
-      mockApplicationPrivilegeResponse({
-        hasAllRequested: false,
-        privileges: {
-          [getVersionPrivilege(defaultVersion)]: false,
-          [getLoginPrivilege()]: false,
-          [privilege1]: false,
-          [privilege2]: true
-        },
-        username,
-      }),
-      mockLegacyResponse({
-        hasAllRequested: false,
-        privileges: {
-          read: true,
-          index: false,
-        },
-        username,
-      })
-    ]);
 
-    const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-    const request = Symbol();
-    const hasPrivileges = hasPrivilegesWithRequest(request);
-    const privileges = [privilege1, privilege2];
-    const result = await hasPrivileges(privileges);
+    const actions = privilegeMap.read.actions.filter(a => a !== getVersionPrivilege(defaultVersion) && a !== getLoginPrivilege());
+    for (const action of actions) {
+      const privilege1 = 'something-completely-arbitrary';
+      const privilege2 = action;
+      const username = 'foo-username';
+      const mockServer = createMockServer();
+      const callWithRequest = createMockCallWithRequest([
+        mockApplicationPrivilegeResponse({
+          hasAllRequested: false,
+          privileges: {
+            [getVersionPrivilege(defaultVersion)]: false,
+            [getLoginPrivilege()]: false,
+            [privilege1]: false,
+            [privilege2]: true
+          },
+          username,
+        }),
+        mockLegacyResponse({
+          hasAllRequested: false,
+          privileges: {
+            read: true,
+            index: false,
+          },
+          username,
+        })
+      ]);
+      const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+      const request = Symbol();
+      const hasPrivileges = hasPrivilegesWithRequest(request);
+      const privileges = [privilege1, privilege2];
+      const result = await hasPrivileges(privileges);
 
-    expectDeprecationLogged(mockServer);
-    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-      body: {
-        applications: [{
-          application: defaultApplication,
-          resources: [DEFAULT_RESOURCE],
-          privileges: [
-            getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
-          ]
-        }]
-      }
-    });
-    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-      body: {
-        index: [{
-          names: [ defaultKibanaIndex ],
-          privileges: ['read', 'index']
-        }]
-      }
-    });
-    expect(result).toEqual({
-      success: false,
-      missing: [ privilege1 ],
-      username,
-    });
+      expectDeprecationLogged(mockServer);
+      expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+        body: {
+          applications: [{
+            application: defaultApplication,
+            resources: [DEFAULT_RESOURCE],
+            privileges: [
+              getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+            ]
+          }]
+        }
+      });
+      expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+        body: {
+          index: [{
+            names: [ defaultKibanaIndex ],
+            privileges: ['read', 'index']
+          }]
+        }
+      });
+      expect(result).toEqual({
+        success: false,
+        missing: [ privilege1 ],
+        username,
+      });
+    }
   });
 
   test(`returns success of true if the user has the read privilege on kibana index and the privilege is a read action`, async () => {

From 9cdf641130bfedcaa906349f06e8d816a94cabb8 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Fri, 15 Jun 2018 09:16:41 -0400
Subject: [PATCH 051/183] Dynamic types (#19925)

No more hard-coded types! This will make it so that plugins that register their own mappings just transparently work.
---
 .../service/create_saved_objects_service.js   |  7 +-
 .../saved_objects/service/lib/repository.js   |  6 +-
 .../service/lib/repository.test.js            | 77 -------------------
 x-pack/plugins/security/index.js              |  1 +
 .../lib/authorization/has_privileges.js       | 15 +++-
 .../lib/authorization/has_privileges.test.js  | 25 +++---
 .../privileges/privilege_action_registry.js   |  3 +-
 .../privilege_action_registry.test.js         | 20 ++++-
 .../server/lib/privileges/privileges.js       | 13 ++--
 .../secure_saved_objects_client.js            |  4 +-
 .../secure_saved_objects_client.test.js       | 14 ++--
 .../server/routes/api/v1/privileges.js        |  3 +-
 12 files changed, 71 insertions(+), 117 deletions(-)

diff --git a/src/server/saved_objects/service/create_saved_objects_service.js b/src/server/saved_objects/service/create_saved_objects_service.js
index ff68b5eaee2833..fd471cad2dd23d 100644
--- a/src/server/saved_objects/service/create_saved_objects_service.js
+++ b/src/server/saved_objects/service/create_saved_objects_service.js
@@ -17,6 +17,7 @@
  * under the License.
  */
 
+import { getRootPropertiesObjects } from '../../mappings';
 import { SavedObjectsRepository, ScopedSavedObjectsClientProvider, SavedObjectsRepositoryProvider } from './lib';
 import { SavedObjectsClient } from './saved_objects_client';
 
@@ -58,15 +59,16 @@ export function createSavedObjectsService(server) {
     }
   };
 
+  const mappings = server.getKibanaIndexMappingsDsl();
   const repositoryProvider = new SavedObjectsRepositoryProvider({
     index: server.config().get('kibana.index'),
-    mappings: server.getKibanaIndexMappingsDsl(),
+    mappings,
     onBeforeWrite,
   });
 
   const scopedClientProvider = new ScopedSavedObjectsClientProvider({
     index: server.config().get('kibana.index'),
-    mappings: server.getKibanaIndexMappingsDsl(),
+    mappings,
     onBeforeWrite,
     defaultClientFactory({
       request,
@@ -81,6 +83,7 @@ export function createSavedObjectsService(server) {
   });
 
   return {
+    types: Object.keys(getRootPropertiesObjects(mappings)),
     SavedObjectsClient,
     SavedObjectsRepository,
     getSavedObjectsRepository: (...args) =>
diff --git a/src/server/saved_objects/service/lib/repository.js b/src/server/saved_objects/service/lib/repository.js
index b7675adb5239af..6f3b4fffb21586 100644
--- a/src/server/saved_objects/service/lib/repository.js
+++ b/src/server/saved_objects/service/lib/repository.js
@@ -19,7 +19,7 @@
 
 import uuid from 'uuid';
 
-import { getRootType, getRootPropertiesObjects } from '../../../mappings';
+import { getRootType } from '../../../mappings';
 import { getSearchDsl } from './search_dsl';
 import { trimIdPrefix } from './trim_id_prefix';
 import { includedFields } from './included_fields';
@@ -406,10 +406,6 @@ export class SavedObjectsRepository {
     };
   }
 
-  getTypes() {
-    return Object.keys(getRootPropertiesObjects(this._mappings));
-  }
-
   async _writeToCluster(method, params) {
     try {
       await this._onBeforeWrite();
diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
index d3e66c0554e438..a02bfb9abb6194 100644
--- a/src/server/saved_objects/service/lib/repository.test.js
+++ b/src/server/saved_objects/service/lib/repository.test.js
@@ -632,83 +632,6 @@ describe('SavedObjectsRepository', () => {
     });
   });
 
-  describe('#getTypes', () => {
-    it(`returns no types if mappings have no types`, () => {
-      const mappings = {
-        doc: {
-          properties: {
-            'updated_at': {
-              type: 'date'
-            },
-          }
-        }
-      };
-
-      savedObjectsRepository = new SavedObjectsRepository({
-        index: '.kibana-test',
-        mappings,
-        callCluster: callAdminCluster,
-        onBeforeWrite
-      });
-
-      const types = savedObjectsRepository.getTypes();
-      expect(types).toEqual([]);
-    });
-
-    it(`returns single type defined in mappings`, () => {
-      const mappings = {
-        doc: {
-          properties: {
-            'updated_at': {
-              type: 'date'
-            },
-            'index-pattern': {
-              properties: {}
-            }
-          }
-        }
-      };
-
-      savedObjectsRepository = new SavedObjectsRepository({
-        index: '.kibana-test',
-        mappings,
-        callCluster: callAdminCluster,
-        onBeforeWrite
-      });
-
-      const types = savedObjectsRepository.getTypes();
-      expect(types).toEqual(['index-pattern']);
-    });
-
-    it(`returns multiple types defined in mappings`, () => {
-      const mappings = {
-        doc: {
-          properties: {
-            'updated_at': {
-              type: 'date'
-            },
-            'index-pattern': {
-              properties: {}
-            },
-            'visualization': {
-              properties: {}
-            },
-          }
-        }
-      };
-
-      savedObjectsRepository = new SavedObjectsRepository({
-        index: '.kibana-test',
-        mappings,
-        callCluster: callAdminCluster,
-        onBeforeWrite
-      });
-
-      const types = savedObjectsRepository.getTypes();
-      expect(types).toEqual(['index-pattern', 'visualization']);
-    });
-  });
-
   describe('onBeforeWrite', () => {
     it('blocks calls to callCluster of requests', async () => {
       onBeforeWrite.returns(delay(500));
diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 9bc4d34697c022..8e8ef10a9e2736 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -141,6 +141,7 @@ export const security = (kibana) => new kibana.Plugin({
         errors: savedObjects.SavedObjectsClient.errors,
         hasPrivileges,
         auditLogger,
+        savedObjectTypes: savedObjects.types,
       });
     });
 
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
index fdb00e63d29f25..79907d4e7b1e4e 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
@@ -35,7 +35,16 @@ const hasApplicationPrivileges = async (callWithRequest, request, kibanaVersion,
   };
 };
 
-const hasLegacyPrivileges = async (deprecationLogger, callWithRequest, request, kibanaVersion, application, kibanaIndex, privileges) => {
+const hasLegacyPrivileges = async (
+  savedObjectTypes,
+  deprecationLogger,
+  callWithRequest,
+  request,
+  kibanaVersion,
+  application,
+  kibanaIndex,
+  privileges
+) => {
   const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
     body: {
       index: [{
@@ -72,7 +81,7 @@ const hasLegacyPrivileges = async (deprecationLogger, callWithRequest, request,
   // if they have the read privilege, then we only grant them the read actions
   if (privilegeCheck.index[kibanaIndex].read) {
     logDeprecation();
-    const privilegeMap = buildPrivilegeMap(application, kibanaVersion);
+    const privilegeMap = buildPrivilegeMap(savedObjectTypes, application, kibanaVersion);
     const implicitPrivileges = createPrivileges(name => privilegeMap.read.actions.includes(name));
 
     return {
@@ -96,6 +105,7 @@ export function hasPrivilegesWithServer(server) {
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
   const kibanaIndex = config.get('kibana.index');
+  const savedObjectTypes = server.savedObjects.types;
   const deprecationLogger = (msg) => server.log(['warning', 'deprecated', 'security'], msg);
 
   return function hasPrivilegesWithRequest(request) {
@@ -114,6 +124,7 @@ export function hasPrivilegesWithServer(server) {
 
       if (!privilegesCheck.privileges[loginPrivilege]) {
         privilegesCheck = await hasLegacyPrivileges(
+          savedObjectTypes,
           deprecationLogger,
           callWithRequest,
           request,
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
index 98ed3713922fd2..5203d477b16c81 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
@@ -16,6 +16,7 @@ jest.mock('../../../../../server/lib/get_client_shield', () => ({
 const defaultKibanaIndex = 'default-kibana-index';
 const defaultVersion = 'default-version';
 const defaultApplication = 'default-application';
+const savedObjectTypes = ['foo-type', 'bar-type'];
 
 const createMockServer = ({ settings = {} } = {}) => {
   const mockServer = {
@@ -35,6 +36,10 @@ const createMockServer = ({ settings = {} } = {}) => {
     return key in settings ? settings[key] : defaultSettings[key];
   });
 
+  mockServer.savedObjects = {
+    types: savedObjectTypes
+  };
+
   return mockServer;
 };
 
@@ -82,7 +87,7 @@ const expectDeprecationLogged = (mockServer) => {
 };
 
 test(`returns success of true if they have all application privileges`, async () => {
-  const privilege = 'action:saved_objects/config/get';
+  const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
   const username = 'foo-username';
   const mockServer = createMockServer();
   const mockCallWithRequest = createMockCallWithRequest([
@@ -124,8 +129,8 @@ test(`returns success of true if they have all application privileges`, async ()
 });
 
 test(`returns success of false if they have only one application privilege`, async () => {
-  const privilege1 = 'action:saved_objects/config/get';
-  const privilege2 = 'action:saved_objects/config/create';
+  const privilege1 = `action:saved_objects/${savedObjectTypes[0]}/get`;
+  const privilege2 = `action:saved_objects/${savedObjectTypes[0]}/create`;
   const username = 'foo-username';
   const mockServer = createMockServer();
   const mockCallWithRequest = createMockCallWithRequest([
@@ -168,7 +173,7 @@ test(`returns success of false if they have only one application privilege`, asy
 });
 
 test(`throws error if missing version privilege and has login privilege`, async () => {
-  const privilege = 'action:saved_objects/config/get';
+  const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
   const mockServer = createMockServer();
   createMockCallWithRequest([
     mockApplicationPrivilegeResponse({
@@ -189,7 +194,7 @@ test(`throws error if missing version privilege and has login privilege`, async
 });
 
 test(`uses application privileges if the user has the login privilege`, async () => {
-  const privilege = 'action:saved_objects/config/get';
+  const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
   const username = 'foo-username';
   const mockServer = createMockServer();
   const callWithRequest = createMockCallWithRequest([
@@ -230,7 +235,7 @@ test(`uses application privileges if the user has the login privilege`, async ()
 });
 
 test(`returns success of false using application privileges if the user has the login privilege`, async () => {
-  const privilege = 'action:saved_objects/config/get';
+  const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
   const username = 'foo-username';
   const mockServer = createMockServer();
   const callWithRequest = createMockCallWithRequest([
@@ -272,7 +277,7 @@ test(`returns success of false using application privileges if the user has the
 
 describe('legacy fallback with no application privileges', () => {
   test(`returns success of false if the user has no legacy privileges`, async () => {
-    const privilege = 'action:saved_objects/config/get';
+    const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
     const username = 'foo-username';
     const mockServer = createMockServer();
     const callWithRequest = createMockCallWithRequest([
@@ -443,7 +448,7 @@ describe('legacy fallback with no application privileges', () => {
   });
 
   test(`returns success of false if the user has the read privilege on kibana index but one privilege isn't a read action`, async () => {
-    const privilegeMap = buildPrivilegeMap(defaultApplication, defaultVersion);
+    const privilegeMap = buildPrivilegeMap(savedObjectTypes, defaultApplication, defaultVersion);
 
     const actions = privilegeMap.read.actions.filter(a => a !== getVersionPrivilege(defaultVersion) && a !== getLoginPrivilege());
     for (const action of actions) {
@@ -506,7 +511,7 @@ describe('legacy fallback with no application privileges', () => {
   });
 
   test(`returns success of true if the user has the read privilege on kibana index and the privilege is a read action`, async () => {
-    const privilegeMap = buildPrivilegeMap(defaultApplication, defaultVersion);
+    const privilegeMap = buildPrivilegeMap(savedObjectTypes, defaultApplication, defaultVersion);
     for (const action of privilegeMap.read.actions) {
       const privilege = action;
       const username = 'foo-username';
@@ -566,7 +571,7 @@ describe('legacy fallback with no application privileges', () => {
   });
 
   test(`returns success of true if the user has the read privilege on kibana index and all privileges are read actions`, async () => {
-    const privilegeMap = buildPrivilegeMap(defaultApplication, defaultVersion);
+    const privilegeMap = buildPrivilegeMap(savedObjectTypes, defaultApplication, defaultVersion);
     const privileges = privilegeMap.read.actions;
     const username = 'foo-username';
     const mockServer = createMockServer();
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
index c91a8e097f6916..27a00a56202132 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
@@ -15,9 +15,10 @@ export async function registerPrivilegesWithCluster(server) {
   const config = server.config();
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
+  const savedObjectTypes = server.savedObjects.types;
 
   const expectedPrivileges = {
-    [application]: buildPrivilegeMap(application, kibanaVersion)
+    [application]: buildPrivilegeMap(savedObjectTypes, application, kibanaVersion)
   };
 
   server.log(['security', 'debug'], `Registering Kibana Privileges with Elasticsearch for ${application}`);
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
index 74949536eb943c..c7aaa752eaa83b 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
@@ -14,7 +14,13 @@ jest.mock('./privileges', () => ({
   buildPrivilegeMap: jest.fn(),
 }));
 
-const registerPrivilegesWithClusterTest = (description, { settings = {}, expectedPrivileges, existingPrivileges, assert }) => {
+const registerPrivilegesWithClusterTest = (description, {
+  settings = {},
+  savedObjectTypes,
+  expectedPrivileges,
+  existingPrivileges,
+  assert
+}) => {
   const registerMockCallWithInternalUser = () => {
     const callWithInternalUser = jest.fn();
     getClient.mockReturnValue({
@@ -43,6 +49,10 @@ const registerPrivilegesWithClusterTest = (description, { settings = {}, expecte
       return key in settings ? settings[key] : defaultSettings[key];
     });
 
+    mockServer.savedObjects = {
+      types: savedObjectTypes
+    };
+
     return mockServer;
   };
 
@@ -110,13 +120,17 @@ const registerPrivilegesWithClusterTest = (description, { settings = {}, expecte
   });
 };
 
-registerPrivilegesWithClusterTest(`passes application and kibanaVersion to buildPrivilegeMap`, {
+registerPrivilegesWithClusterTest(`passes saved object types, application and kibanaVersion to buildPrivilegeMap`, {
   settings: {
     'pkg.version': 'foo-version',
     'xpack.security.rbac.application': 'foo-application',
   },
+  savedObjectTypes: [
+    'foo-type',
+    'bar-type',
+  ],
   assert: ({ mocks }) => {
-    expect(mocks.buildPrivilegeMap).toHaveBeenCalledWith('foo-application', 'foo-version');
+    expect(mocks.buildPrivilegeMap).toHaveBeenCalledWith(['foo-type', 'bar-type'], 'foo-application', 'foo-version');
   },
 });
 
diff --git a/x-pack/plugins/security/server/lib/privileges/privileges.js b/x-pack/plugins/security/server/lib/privileges/privileges.js
index e70d30f2e87fa6..4045b3e83da036 100644
--- a/x-pack/plugins/security/server/lib/privileges/privileges.js
+++ b/x-pack/plugins/security/server/lib/privileges/privileges.js
@@ -16,8 +16,8 @@ export function getLoginPrivilege() {
   return `action:login`;
 }
 
-export function buildPrivilegeMap(application, kibanaVersion) {
-  const readSavedObjectsPrivileges = buildSavedObjectsReadPrivileges();
+export function buildPrivilegeMap(savedObjectTypes, application, kibanaVersion) {
+  const readSavedObjectsPrivileges = buildSavedObjectsReadPrivileges(savedObjectTypes);
 
   const privilegeActions = {};
 
@@ -38,14 +38,13 @@ export function buildPrivilegeMap(application, kibanaVersion) {
   return privilegeActions;
 }
 
-function buildSavedObjectsReadPrivileges() {
+function buildSavedObjectsReadPrivileges(savedObjectTypes) {
   const readActions = ['get', 'bulk_get', 'find'];
-  return buildSavedObjectsPrivileges(readActions);
+  return buildSavedObjectsPrivileges(savedObjectTypes, readActions);
 }
 
-function buildSavedObjectsPrivileges(actions) {
-  const objectTypes = ['config', 'dashboard', 'graph-workspace', 'index-pattern', 'search', 'timelion-sheet', 'url', 'visualization'];
-  return objectTypes
+function buildSavedObjectsPrivileges(savedObjectTypes, actions) {
+  return savedObjectTypes
     .map(type => actions.map(action => `action:saved_objects/${type}/${action}`))
     .reduce((acc, types) => [...acc, ...types], []);
 }
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index 53d8dadeb180b0..83e6123f06df5f 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -17,12 +17,14 @@ export class SecureSavedObjectsClient {
       repository,
       hasPrivileges,
       auditLogger,
+      savedObjectTypes,
     } = options;
 
     this.errors = errors;
     this._repository = repository;
     this._hasPrivileges = hasPrivileges;
     this._auditLogger = auditLogger;
+    this._savedObjectTypes = savedObjectTypes;
   }
 
   async create(type, attributes = {}, options = {}) {
@@ -64,7 +66,7 @@ export class SecureSavedObjectsClient {
     }
 
     // otherwise, we have to filter for only their authorized types
-    const types = this._repository.getTypes();
+    const types = this._savedObjectTypes;
     const typesToPrivilegesMap = new Map(types.map(type => [type, getPrivilege(type, action)]));
     const hasPrivilegesResult = await this._hasSavedObjectPrivileges(Array.from(typesToPrivilegesMap.values()));
     const authorizedTypes = Array.from(typesToPrivilegesMap.entries())
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
index 036ed7a5e0c3af..0f9fa6610f683f 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
@@ -490,9 +490,7 @@ describe('#find', () => {
     test(`throws decorated ForbiddenError when user has no authorized types`, async () => {
       const type = 'foo';
       const username = Symbol();
-      const mockRepository = {
-        getTypes: jest.fn().mockReturnValue([type])
-      };
+      const mockRepository = {};
       const mockErrors = createMockErrors();
       const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
         success: false,
@@ -507,6 +505,7 @@ describe('#find', () => {
         repository: mockRepository,
         hasPrivileges: mockHasPrivileges,
         auditLogger: mockAuditLogger,
+        savedObjectTypes: [type]
       });
       const options = Symbol();
 
@@ -529,9 +528,7 @@ describe('#find', () => {
     test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
       const type1 = 'foo';
       const type2 = 'bar';
-      const mockRepository = {
-        getTypes: jest.fn().mockReturnValue([type1, type2])
-      };
+      const mockRepository = {};
       const mockErrors = createMockErrors();
       const mockHasPrivileges = jest.fn().mockImplementation(async () => {
         throw new Error();
@@ -542,6 +539,7 @@ describe('#find', () => {
         repository: mockRepository,
         hasPrivileges: mockHasPrivileges,
         auditLogger: mockAuditLogger,
+        savedObjectTypes: [type1, type2]
       });
 
       await expect(client.find()).rejects.toThrowError(mockErrors.generalError);
@@ -556,7 +554,6 @@ describe('#find', () => {
       const type1 = 'foo';
       const type2 = 'bar';
       const mockRepository = {
-        getTypes: jest.fn().mockReturnValue([type1, type2]),
         find: jest.fn(),
       };
       const mockErrors = createMockErrors();
@@ -572,6 +569,7 @@ describe('#find', () => {
         repository: mockRepository,
         hasPrivileges: mockHasPrivileges,
         auditLogger: mockAuditLogger,
+        savedObjectTypes: [type1, type2]
       });
 
       await client.find();
@@ -587,7 +585,6 @@ describe('#find', () => {
       const username = Symbol();
       const returnValue = Symbol();
       const mockRepository = {
-        getTypes: jest.fn().mockReturnValue([type]),
         find: jest.fn().mockReturnValue(returnValue)
       };
       const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
@@ -600,6 +597,7 @@ describe('#find', () => {
         repository: mockRepository,
         hasPrivileges: mockHasPrivileges,
         auditLogger: mockAuditLogger,
+        savedObjectTypes: [type]
       });
       const options = Symbol();
 
diff --git a/x-pack/plugins/security/server/routes/api/v1/privileges.js b/x-pack/plugins/security/server/routes/api/v1/privileges.js
index 6c095da482dce4..54ce1f97110355 100644
--- a/x-pack/plugins/security/server/routes/api/v1/privileges.js
+++ b/x-pack/plugins/security/server/routes/api/v1/privileges.js
@@ -13,6 +13,7 @@ export function initPrivilegesApi(server) {
   const config = server.config();
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
+  const savedObjectTypes = server.savedObjects.types;
 
   server.route({
     method: 'GET',
@@ -22,7 +23,7 @@ export function initPrivilegesApi(server) {
       // in Elasticsearch because our current thinking is that we'll associate additional structure/metadata
       // with our view of them to allow users to more efficiently edit privileges for roles, and serialize it
       // into a different structure for enforcement within Elasticsearch
-      const privileges = buildPrivilegeMap(application, kibanaVersion);
+      const privileges = buildPrivilegeMap(savedObjectTypes, application, kibanaVersion);
       reply(Object.values(privileges));
     }
   });

From 50411b456664d1c14b7c13753880f2ac1005872b Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Fri, 15 Jun 2018 14:06:40 -0400
Subject: [PATCH 052/183] [Spaces] Allow Space Avatar to be customized (#19952)

---
 x-pack/plugins/spaces/common/constants.js     |   2 +
 x-pack/plugins/spaces/common/index.js         |   8 +-
 .../plugins/spaces/common/space_attributes.js |  54 ++++++
 .../spaces/common/space_attributes.test.js    |  81 ++++++++
 x-pack/plugins/spaces/mappings.json           |   6 +
 .../spaces/public/views/components/index.js   |   7 +
 .../public/views/components/space_avatar.js   |  24 +++
 .../__snapshots__/page_header.test.js.snap    |  20 +-
 .../components/delete_spaces_button.js        |  14 +-
 .../views/management/components/index.js      |   4 +-
 .../management/components/page_header.js      |  14 +-
 .../customize_space_avatar.test.js.snap       |  23 +++
 .../__snapshots__/url_context.test.js.snap    |  42 ++++
 .../edit_space/customize_space_avatar.js      | 131 +++++++++++++
 .../edit_space/customize_space_avatar.test.js |  49 +++++
 .../views/management/edit_space/index.js      |   7 +
 .../manage_space_page.js                      | 181 +++++++++++-------
 .../reserved_space_badge.js                   |  11 +-
 .../reserved_space_badge.test.js              |   4 +-
 .../{components => edit_space}/url_context.js |   4 +-
 .../management/edit_space/url_context.test.js |  22 +++
 .../public/views/management/lib/index.js      |  14 ++
 .../views/management/lib/spaces_data_store.js |  35 ----
 .../management/lib/spaces_data_store.test.js  |  44 -----
 .../views/management/lib/validate_space.js    |  86 +++++++++
 .../management/lib/validate_space.test.js     |  84 ++++++++
 .../views/management/manage_spaces.less       |  13 +-
 .../public/views/management/page_routes.js    |  16 +-
 .../views/management/spaces_grid/index.js     |   6 +
 .../spaces_grid_page.js                       | 117 +++--------
 .../plugins/spaces/server/lib/space_schema.js |   5 +-
 .../spaces/server/routes/api/v1/spaces.js     |  10 +-
 32 files changed, 853 insertions(+), 285 deletions(-)
 create mode 100644 x-pack/plugins/spaces/common/space_attributes.js
 create mode 100644 x-pack/plugins/spaces/common/space_attributes.test.js
 create mode 100644 x-pack/plugins/spaces/public/views/components/index.js
 create mode 100644 x-pack/plugins/spaces/public/views/components/space_avatar.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/customize_space_avatar.test.js.snap
 create mode 100644 x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/url_context.test.js.snap
 create mode 100644 x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.test.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/edit_space/index.js
 rename x-pack/plugins/spaces/public/views/management/{components => edit_space}/manage_space_page.js (62%)
 rename x-pack/plugins/spaces/public/views/management/{components => edit_space}/reserved_space_badge.js (70%)
 rename x-pack/plugins/spaces/public/views/management/{components => edit_space}/reserved_space_badge.test.js (92%)
 rename x-pack/plugins/spaces/public/views/management/{components => edit_space}/url_context.js (94%)
 create mode 100644 x-pack/plugins/spaces/public/views/management/edit_space/url_context.test.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/lib/index.js
 delete mode 100644 x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.js
 delete mode 100644 x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.test.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/lib/validate_space.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/spaces_grid/index.js
 rename x-pack/plugins/spaces/public/views/management/{components => spaces_grid}/spaces_grid_page.js (50%)

diff --git a/x-pack/plugins/spaces/common/constants.js b/x-pack/plugins/spaces/common/constants.js
index 40e064ef983593..d539fafd71044b 100644
--- a/x-pack/plugins/spaces/common/constants.js
+++ b/x-pack/plugins/spaces/common/constants.js
@@ -5,3 +5,5 @@
  */
 
 export const DEFAULT_SPACE_ID = `default`;
+
+export const MAX_SPACE_INITIALS = 2;
diff --git a/x-pack/plugins/spaces/common/index.js b/x-pack/plugins/spaces/common/index.js
index 1cd6907d3d64c1..05320f110f4c76 100644
--- a/x-pack/plugins/spaces/common/index.js
+++ b/x-pack/plugins/spaces/common/index.js
@@ -4,4 +4,10 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export { isReservedSpace } from './is_reserved_space';
\ No newline at end of file
+export { isReservedSpace } from './is_reserved_space';
+export { MAX_SPACE_INITIALS } from './constants';
+
+export {
+  getSpaceInitials,
+  getSpaceColor,
+} from './space_attributes';
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/common/space_attributes.js b/x-pack/plugins/spaces/common/space_attributes.js
new file mode 100644
index 00000000000000..2b0cee34023a3c
--- /dev/null
+++ b/x-pack/plugins/spaces/common/space_attributes.js
@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { VISUALIZATION_COLORS } from '@elastic/eui';
+import { MAX_SPACE_INITIALS } from './constants';
+
+/**
+ * Determines the color for the provided space.
+ * If a color is present on the Space itself, then that is used.
+ * Otherwise, a color is provided from EUI's Visualization Colors based on the space name.
+ *
+ * @param {Space} space
+ */
+export function getSpaceColor(space = {}) {
+  const {
+    color,
+    name = '',
+  } = space;
+
+  if (color) {
+    return color;
+  }
+
+  return VISUALIZATION_COLORS[name.codePointAt(0) % VISUALIZATION_COLORS.length];
+}
+
+/**
+ * Determines the initials for the provided space.
+ * If initials are present on the Space itself, then that is used.
+ * Otherwise, the initials are calculated based off the words in the space name, with a max length of 2 characters.
+ *
+ * @param {Space} space
+ */
+export function getSpaceInitials(space = {}) {
+  const {
+    initials,
+    name = ''
+  } = space;
+
+  if (initials) {
+    return initials;
+  }
+
+  const words = name.split(" ");
+
+  const numInitials = Math.min(MAX_SPACE_INITIALS, words.length);
+
+  words.splice(numInitials, words.length);
+
+  return words.map(word => word.substring(0, 1)).join('');
+}
diff --git a/x-pack/plugins/spaces/common/space_attributes.test.js b/x-pack/plugins/spaces/common/space_attributes.test.js
new file mode 100644
index 00000000000000..8ed03ab21c4139
--- /dev/null
+++ b/x-pack/plugins/spaces/common/space_attributes.test.js
@@ -0,0 +1,81 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { getSpaceInitials, getSpaceColor } from "./space_attributes";
+
+describe("getSpaceColor", () => {
+  test('uses color on the space, when provided', () => {
+    const space = {
+      name: 'Foo',
+      color: '#aabbcc'
+    };
+
+    expect(getSpaceColor(space)).toEqual('#aabbcc');
+  });
+
+  test('derives color from space name if necessary', () => {
+    const space = {
+      name: 'Foo',
+    };
+
+    expect(getSpaceColor(space)).toMatch(/^#[a-f0-9]{6}$/i);
+  });
+
+  test('derives the same color for the same name', () => {
+    const space = {
+      name: 'FooBar',
+    };
+
+    const expectedColor = getSpaceColor(space);
+
+    for (let i = 0; i < 100; i++) {
+      expect(getSpaceColor(space)).toEqual(expectedColor);
+    }
+  });
+});
+
+describe("getSpaceInitials", () => {
+  test('uses initials on the space, when provided', () => {
+    const space = {
+      name: 'Foo',
+      initials: 'JK'
+    };
+
+    expect(getSpaceInitials(space)).toEqual('JK');
+  });
+
+  test('derives initials from space name if necessary', () => {
+    const space = {
+      name: 'Foo',
+    };
+
+    expect(getSpaceInitials(space)).toEqual('F');
+  });
+
+  test('uses words from the space name when deriving initials', () => {
+    const space = {
+      name: 'Foo Bar',
+    };
+
+    expect(getSpaceInitials(space)).toEqual('FB');
+  });
+
+  test('only uses the first two words of the space name when deriving initials', () => {
+    const space = {
+      name: 'Very Special Name',
+    };
+
+    expect(getSpaceInitials(space)).toEqual('VS');
+  });
+
+  test('maintains case when deriving initials', () => {
+    const space = {
+      name: 'some Space',
+    };
+
+    expect(getSpaceInitials(space)).toEqual('sS');
+  });
+});
diff --git a/x-pack/plugins/spaces/mappings.json b/x-pack/plugins/spaces/mappings.json
index 0f7ea917e12ef8..77e0c47c00ddd8 100644
--- a/x-pack/plugins/spaces/mappings.json
+++ b/x-pack/plugins/spaces/mappings.json
@@ -19,6 +19,12 @@
       "description": {
         "type": "text"
       },
+      "initials": {
+        "type": "keyword"
+      },
+      "color": {
+        "type": "keyword"
+      },
       "_reserved": {
         "type": "boolean"
       }
diff --git a/x-pack/plugins/spaces/public/views/components/index.js b/x-pack/plugins/spaces/public/views/components/index.js
new file mode 100644
index 00000000000000..81c7e9aea1c036
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/components/index.js
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { SpaceAvatar } from './space_avatar';
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/components/space_avatar.js b/x-pack/plugins/spaces/public/views/components/space_avatar.js
new file mode 100644
index 00000000000000..ccbb2996bad105
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/components/space_avatar.js
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import {
+  EuiAvatar
+} from '@elastic/eui';
+import { MAX_SPACE_INITIALS, getSpaceInitials, getSpaceColor } from '../../../common';
+
+export const SpaceAvatar = (props) => {
+  return (
+    <EuiAvatar
+      type="space"
+      name={props.space.name || ''}
+      size={props.size || "m"}
+      initialsLength={MAX_SPACE_INITIALS}
+      initials={getSpaceInitials(props.space)}
+      color={getSpaceColor(props.space)}
+    />
+  );
+};
diff --git a/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap b/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap
index c7cbfdb53fd737..628a5c068f83a0 100644
--- a/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap
@@ -1,13 +1,15 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
 exports[`it renders without crashing 1`] = `
-<EuiHeader>
-  <EuiHeaderSection
-    side="left"
-  >
-    <EuiHeaderBreadcrumbs
-      breadcrumbs={Array []}
-    />
-  </EuiHeaderSection>
-</EuiHeader>
+<div>
+  <EuiBreadcrumbs
+    breadcrumbs={Array []}
+    max={5}
+    responsive={true}
+    truncate={true}
+  />
+  <EuiSpacer
+    size="l"
+  />
+</div>
 `;
diff --git a/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js b/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js
index f1b403671fa955..bfd38f1749dd83 100644
--- a/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js
+++ b/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js
@@ -60,18 +60,11 @@ export class DeleteSpacesButton extends Component {
 
   deleteSpaces = () => {
     const {
-      httpAgent,
-      chrome,
+      spacesManager,
       spaces
     } = this.props;
 
-    console.log(this.props, spaces);
-
-    const deleteOperations = spaces.map(space => {
-      return httpAgent.delete(
-        chrome.addBasePath(`/api/spaces/v1/spaces/${encodeURIComponent(space.id)}`)
-      );
-    });
+    const deleteOperations = spaces.map(space => spacesManager.deleteSpace(space));
 
     Promise.all(deleteOperations)
       .then(() => {
@@ -101,7 +94,6 @@ export class DeleteSpacesButton extends Component {
 
 DeleteSpacesButton.propTypes = {
   spaces: PropTypes.array.isRequired,
-  httpAgent: PropTypes.func.isRequired,
-  chrome: PropTypes.object.isRequired,
+  spacesManager: PropTypes.object.isRequired,
   onDelete: PropTypes.func
 };
diff --git a/x-pack/plugins/spaces/public/views/management/components/index.js b/x-pack/plugins/spaces/public/views/management/components/index.js
index 5da70aad9e8e58..1d158d623b503a 100644
--- a/x-pack/plugins/spaces/public/views/management/components/index.js
+++ b/x-pack/plugins/spaces/public/views/management/components/index.js
@@ -4,5 +4,5 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export { SpacesGridPage } from './spaces_grid_page';
-export { ManageSpacePage } from './manage_space_page';
+export { PageHeader } from './page_header';
+export { DeleteSpacesButton } from './delete_spaces_button';
diff --git a/x-pack/plugins/spaces/public/views/management/components/page_header.js b/x-pack/plugins/spaces/public/views/management/components/page_header.js
index 19a76b3d6ccf55..ff81942abb49ce 100644
--- a/x-pack/plugins/spaces/public/views/management/components/page_header.js
+++ b/x-pack/plugins/spaces/public/views/management/components/page_header.js
@@ -8,19 +8,17 @@ import React, { Component } from 'react';
 import PropTypes from 'prop-types';
 
 import {
-  EuiHeader,
-  EuiHeaderSection,
-  EuiHeaderBreadcrumbs
+  EuiBreadcrumbs,
+  EuiSpacer,
 } from '@elastic/eui';
 
 export class PageHeader extends Component {
   render() {
     return (
-      <EuiHeader>
-        <EuiHeaderSection>
-          <EuiHeaderBreadcrumbs breadcrumbs={this.props.breadcrumbs.map(this.buildBreadcrumb)} />
-        </EuiHeaderSection>
-      </EuiHeader>
+      <div>
+        <EuiBreadcrumbs breadcrumbs={this.props.breadcrumbs.map(this.buildBreadcrumb)} />
+        <EuiSpacer />
+      </div>
     );
   }
 
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/customize_space_avatar.test.js.snap b/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/customize_space_avatar.test.js.snap
new file mode 100644
index 00000000000000..cbc3efafff90e4
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/customize_space_avatar.test.js.snap
@@ -0,0 +1,23 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`renders without crashing 1`] = `
+<EuiFlexItem
+  component="div"
+  grow={false}
+>
+  <EuiFormRow
+    describedByIds={Array []}
+    fullWidth={false}
+    hasEmptyLabelSpace={true}
+  >
+    <EuiLink
+      color="primary"
+      name="customize_space_link"
+      onClick={[Function]}
+      type="button"
+    >
+      Customize
+    </EuiLink>
+  </EuiFormRow>
+</EuiFlexItem>
+`;
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/url_context.test.js.snap b/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/url_context.test.js.snap
new file mode 100644
index 00000000000000..363f3951202c6d
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/url_context.test.js.snap
@@ -0,0 +1,42 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`renders without crashing 1`] = `
+<React.Fragment>
+  <EuiFormRow
+    describedByIds={Array []}
+    fullWidth={false}
+    hasEmptyLabelSpace={false}
+    helpText={
+      <p>
+        Links within Kibana will include this space identifier
+      </p>
+    }
+    isInvalid={false}
+    label={
+      <p>
+        URL Context 
+        <EuiLink
+          color="primary"
+          onClick={[Function]}
+          type="button"
+        >
+          [edit]
+        </EuiLink>
+      </p>
+    }
+  >
+    <div>
+      <EuiFieldText
+        compressed={false}
+        fullWidth={false}
+        inputRef={[Function]}
+        isLoading={false}
+        onChange={[Function]}
+        placeholder="give your space a name to see its URL Context"
+        readOnly={true}
+        value=""
+      />
+    </div>
+  </EuiFormRow>
+</React.Fragment>
+`;
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.js b/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.js
new file mode 100644
index 00000000000000..7d6240d6a2c0a3
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.js
@@ -0,0 +1,131 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component, Fragment } from 'react';
+import PropTypes from 'prop-types';
+import {
+  EuiFlexItem,
+  EuiColorPicker,
+  EuiFormRow,
+  EuiFieldText,
+  EuiLink,
+} from '@elastic/eui';
+import { getSpaceInitials, getSpaceColor } from '../../../../common/space_attributes';
+import { MAX_SPACE_INITIALS } from '../../../../common/constants';
+
+export class CustomizeSpaceAvatar extends Component {
+  static propTypes = {
+    space: PropTypes.object.isRequired,
+    onChange: PropTypes.func.isRequired,
+  }
+
+  state = {
+    expanded: false,
+    initialsHasFocus: false,
+    pendingInitials: null
+  }
+
+  render() {
+    return this.state.expanded ? this.getCustomizeFields() : this.getCustomizeLink();
+  }
+
+  getCustomizeFields = () => {
+    const {
+      space
+    } = this.props;
+
+    const {
+      initialsHasFocus,
+      pendingInitials,
+    } = this.state;
+
+    return (
+      <Fragment>
+        <EuiFlexItem grow={false}>
+          <EuiFormRow label={'Initials (2 max)'}>
+            <EuiFieldText
+              inputRef={this.initialsInputRef}
+              name="spaceInitials"
+              // allows input to be cleared or otherwise invalidated while user is editing the initials,
+              // without defaulting to the derived initials provided by `getSpaceInitials`
+              value={initialsHasFocus ? pendingInitials : getSpaceInitials(space)}
+              onChange={this.onInitialsChange}
+            />
+          </EuiFormRow>
+        </EuiFlexItem>
+        <EuiFlexItem grow={false}>
+          <EuiFormRow label={'Color'}>
+            <EuiColorPicker color={getSpaceColor(space)} onChange={this.onColorChange} />
+          </EuiFormRow>
+        </EuiFlexItem>
+      </Fragment>
+    );
+  }
+
+  initialsInputRef = (ref) => {
+    if (ref) {
+      this.initialsRef = ref;
+      this.initialsRef.addEventListener('focus', this.onInitialsFocus);
+      this.initialsRef.addEventListener('blur', this.onInitialsBlur);
+    } else {
+      if (this.initialsRef) {
+        this.initialsRef.removeEventListener('focus', this.onInitialsFocus);
+        this.initialsRef.removeEventListener('blur', this.onInitialsBlur);
+        this.initialsRef = null;
+      }
+    }
+  }
+
+  onInitialsFocus = () => {
+    this.setState({
+      initialsHasFocus: true,
+      pendingInitials: getSpaceInitials(this.props.space)
+    });
+  }
+
+  onInitialsBlur = () => {
+    this.setState({
+      initialsHasFocus: false,
+      pendingInitials: null,
+    });
+  }
+
+  getCustomizeLink = () => {
+    return (
+      <EuiFlexItem grow={false}>
+        <EuiFormRow hasEmptyLabelSpace={true}>
+          <EuiLink name="customize_space_link" onClick={this.showFields}>Customize</EuiLink>
+        </EuiFormRow>
+      </EuiFlexItem>
+    );
+  }
+
+  showFields = () => {
+    this.setState({
+      expanded: true
+    });
+  }
+
+  onInitialsChange = (e) => {
+    const initials = (e.target.value || '').substring(0, MAX_SPACE_INITIALS);
+
+    this.setState({
+      pendingInitials: initials,
+    });
+
+    this.props.onChange({
+      ...this.props.space,
+      initials
+    });
+  };
+
+  onColorChange = (color) => {
+    this.props.onChange({
+      ...this.props.space,
+      color
+    });
+  }
+}
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.test.js b/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.test.js
new file mode 100644
index 00000000000000..dfd1c85d19e3ea
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.test.js
@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { shallow, mount } from 'enzyme';
+import { CustomizeSpaceAvatar } from './customize_space_avatar';
+import { EuiLink, EuiFieldText, EuiColorPicker } from '@elastic/eui';
+
+test('renders without crashing', () => {
+  const wrapper = shallow(<CustomizeSpaceAvatar space={{}} onChange={jest.fn()} />);
+  expect(wrapper).toMatchSnapshot();
+});
+
+test('renders a "customize" link by default', () => {
+  const wrapper = mount(<CustomizeSpaceAvatar space={{}} onChange={jest.fn()} />);
+  expect(wrapper.find(EuiLink)).toHaveLength(1);
+});
+
+test('shows customization fields when the "customize" link is clicked', () => {
+  const wrapper = mount(<CustomizeSpaceAvatar space={{}} onChange={jest.fn()} />);
+  wrapper.find(EuiLink).simulate('click');
+
+  expect(wrapper.find(EuiLink)).toHaveLength(0);
+  expect(wrapper.find(EuiFieldText)).toHaveLength(1);
+  expect(wrapper.find(EuiColorPicker)).toHaveLength(1);
+});
+
+test('invokes onChange callback when avatar is customized', () => {
+  const space = {
+    name: "Unit Test Space",
+    initials: "SP",
+    color: "#ABCDEF"
+  };
+
+  const changeHandler = jest.fn();
+
+  const wrapper = mount(<CustomizeSpaceAvatar space={space} onChange={changeHandler} />);
+  wrapper.find(EuiLink).simulate('click');
+
+  wrapper.find(EuiFieldText).find('input').simulate('change', { target: { value: 'NV' } });
+
+  expect(changeHandler).toHaveBeenCalledWith({
+    ...space,
+    initials: 'NV'
+  });
+});
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/index.js b/x-pack/plugins/spaces/public/views/management/edit_space/index.js
new file mode 100644
index 00000000000000..0d5429ca5ed55a
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/index.js
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { ManageSpacePage } from './manage_space_page';
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
similarity index 62%
rename from x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
index 2207076c3e695b..e1eb2de37e69fa 100644
--- a/x-pack/plugins/spaces/public/views/management/components/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
@@ -4,36 +4,43 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React from 'react';
+import React, { Fragment, Component } from 'react';
 import PropTypes from 'prop-types';
 import {
-  EuiText,
+  EuiTitle,
+  EuiButtonEmpty,
   EuiSpacer,
   EuiPage,
-  EuiPageContent,
   EuiForm,
   EuiFormRow,
   EuiFieldText,
   EuiFlexGroup,
   EuiFlexItem,
   EuiButton,
+  EuiPanel,
 } from '@elastic/eui';
 
-import { PageHeader } from './page_header';
-import { DeleteSpacesButton } from './delete_spaces_button';
+import { DeleteSpacesButton, PageHeader } from '../components';
+import { SpaceAvatar } from '../../components';
 
 import { Notifier, toastNotifications } from 'ui/notify';
 import { UrlContext } from './url_context';
 import { toUrlContext, isValidUrlContext } from '../lib/url_context_utils';
+import { CustomizeSpaceAvatar } from './customize_space_avatar';
 import { isReservedSpace } from '../../../../common';
 import { ReservedSpaceBadge } from './reserved_space_badge';
+import { SpaceValidator } from '../lib/validate_space';
 
-export class ManageSpacePage extends React.Component {
+export class ManageSpacePage extends Component {
   state = {
     space: {},
-    validate: false
   };
 
+  constructor(props) {
+    super(props);
+    this.validator = new SpaceValidator({ shouldValidate: false });
+  }
+
   componentDidMount() {
     this.notifier = new Notifier({ location: 'Spaces' });
 
@@ -65,34 +72,68 @@ export class ManageSpacePage extends React.Component {
   render() {
     const {
       name = '',
-      description = ''
+      description = '',
     } = this.state.space;
 
     return (
-      <EuiPage>
-        <PageHeader breadcrumbs={this.props.breadcrumbs}/>
-        <EuiPageContent>
-          <EuiForm>
-            {this.getFormHeading()}
+      <EuiPage className="editSpacePage">
+        <PageHeader breadcrumbs={this.props.breadcrumbs} />
+        <EuiForm>
+          {this.getFormHeading()}
+
+          <EuiSpacer />
+
+          <EuiPanel>
+            <EuiFlexGroup>
+              <EuiFlexItem style={{ maxWidth: '400px' }}>
+                <EuiFormRow
+                  label="Name"
+                  {...this.validator.validateSpaceName(this.state.space)}
+                >
+                  <EuiFieldText
+                    name="name"
+                    placeholder={'Awesome space'}
+                    value={name}
+                    onChange={this.onNameChange}
+                  />
+                </EuiFormRow>
+              </EuiFlexItem>
+              {
+                name && (
+                  <EuiFlexItem grow={false}>
+                    <EuiFlexGroup responsive={false}>
+                      <EuiFlexItem grow={false}>
+                        <EuiFormRow hasEmptyLabelSpace={true}>
+                          <SpaceAvatar space={this.state.space} />
+                        </EuiFormRow>
+                      </EuiFlexItem>
+                      <CustomizeSpaceAvatar space={this.state.space} onChange={this.onAvatarChange} />
+                    </EuiFlexGroup>
+                  </EuiFlexItem>
+                )
+              }
+            </EuiFlexGroup>
 
             <EuiSpacer />
 
-            <EuiFormRow
-              label="Name"
-              helpText="Name your space"
-              {...this.validateName()}
-            >
-              <EuiFieldText
-                name="name"
-                placeholder={'Awesome space'}
-                value={name}
-                onChange={this.onNameChange}
-              />
-            </EuiFormRow>
+            {isReservedSpace(this.state.space)
+              ? null
+              : (
+                <Fragment>
+                  <UrlContext
+                    space={this.state.space}
+                    editingExistingSpace={this.editingExistingSpace()}
+                    editable={true}
+                    onChange={this.onUrlContextChange}
+                    validator={this.validator}
+                  />
+                </Fragment>
+              )
+            }
+
             <EuiFormRow
               label="Description"
-              helpText="Describe your space"
-              {...this.validateDescription()}
+              {...this.validator.validateSpaceDescription(this.state.space)}
             >
               <EuiFieldText
                 name="description"
@@ -102,39 +143,20 @@ export class ManageSpacePage extends React.Component {
               />
             </EuiFormRow>
 
-            <UrlContext
-              space={this.state.space}
-              editingExistingSpace={this.editingExistingSpace()}
-              editable={!isReservedSpace(this.state.space)}
-              onChange={this.onUrlContextChange}
-            />
+          </EuiPanel>
 
-            <EuiFlexGroup>
-              <EuiFlexItem grow={false}>
-                <EuiButton fill onClick={this.saveSpace}>Save</EuiButton>
-              </EuiFlexItem>
-              <EuiFlexItem grow={false}>
-                <EuiButton onClick={this.backToSpacesList}>
-                  Cancel
-                </EuiButton>
-              </EuiFlexItem>
-            </EuiFlexGroup>
-          </EuiForm>
-        </EuiPageContent>
+          <EuiSpacer />
+
+          {this.getFormButtons()}
+
+        </EuiForm>
       </EuiPage>
     );
   }
 
   getFormHeading = () => {
-    const isReserved = isReservedSpace(this.state.space);
-
     return (
-      <EuiFlexGroup justifyContent={'spaceBetween'}>
-        <EuiFlexItem grow={false}>
-          <EuiText><h1>{this.getTitle()}</h1></EuiText>
-        </EuiFlexItem>
-        {isReserved ? this.getReservedBadge() : this.getActionButton()}
-      </EuiFlexGroup>
+      <EuiTitle size="l"><h1>{this.getTitle()} <ReservedSpaceBadge space={this.state.space} /></h1></EuiTitle>
     );
   };
 
@@ -142,10 +164,27 @@ export class ManageSpacePage extends React.Component {
     if (this.editingExistingSpace()) {
       return `Edit space`;
     }
-    return `Create a space`;
+    return `Create space`;
   };
 
-  getReservedBadge = () => <ReservedSpaceBadge space={this.state.space} />;
+  getFormButtons = () => {
+    const saveText = this.editingExistingSpace() ? 'Update space' : 'Create space';
+    return (
+      <EuiFlexGroup responsive={false}>
+        <EuiFlexItem grow={false}>
+          <EuiButton fill onClick={this.saveSpace}>{saveText}</EuiButton>
+        </EuiFlexItem>
+        <EuiFlexItem grow={false}>
+          <EuiButtonEmpty onClick={this.backToSpacesList}>
+            Cancel
+          </EuiButtonEmpty>
+        </EuiFlexItem>
+        <EuiFlexItem grow={true} />
+        {this.getActionButton()}
+      </EuiFlexGroup>
+    );
+  }
+
 
   getActionButton = () => {
     if (this.editingExistingSpace() && !isReservedSpace(this.state.space)) {
@@ -153,8 +192,7 @@ export class ManageSpacePage extends React.Component {
         <EuiFlexItem grow={false}>
           <DeleteSpacesButton
             spaces={[this.state.space]}
-            httpAgent={this.props.httpAgent}
-            chrome={this.props.chrome}
+            spacesManager={this.props.spacesManager}
             onDelete={this.backToSpacesList}
           />
         </EuiFlexItem>
@@ -202,14 +240,25 @@ export class ManageSpacePage extends React.Component {
     });
   };
 
-  saveSpace = () => {
+  onAvatarChange = (space) => {
     this.setState({
-      validate: true
-    }, () => {
-      const { isInvalid } = this.validateForm();
-      if (isInvalid) return;
-      this._performSave();
+      space
     });
+  }
+
+  saveSpace = () => {
+    this.validator.enableValidation();
+
+    const result = this.validator.validateForSave(this.state.space);
+    if (result.isInvalid) {
+      this.setState({
+        formError: result
+      });
+
+      return;
+    }
+
+    this._performSave();
   };
 
   _performSave = () => {
@@ -217,6 +266,8 @@ export class ManageSpacePage extends React.Component {
       name = '',
       id = toUrlContext(name),
       description,
+      initials,
+      color,
       urlContext
     } = this.state.space;
 
@@ -224,6 +275,8 @@ export class ManageSpacePage extends React.Component {
       name,
       id,
       description,
+      initials,
+      color,
       urlContext
     };
 
@@ -340,7 +393,5 @@ export class ManageSpacePage extends React.Component {
 ManageSpacePage.propTypes = {
   space: PropTypes.string,
   spacesManager: PropTypes.object,
-  httpAgent: PropTypes.func.isRequired,
-  chrome: PropTypes.object,
   breadcrumbs: PropTypes.array.isRequired,
 };
diff --git a/x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.js b/x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.js
similarity index 70%
rename from x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.js
index 0ea7e05d77e12a..2f0f96377fcb4d 100644
--- a/x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.js
@@ -9,9 +9,8 @@ import PropTypes from 'prop-types';
 
 import { isReservedSpace } from '../../../../common';
 import {
-  EuiBadge,
+  EuiIcon,
   EuiToolTip,
-  EuiFlexItem,
 } from '@elastic/eui';
 
 
@@ -22,11 +21,9 @@ export const ReservedSpaceBadge = (props) => {
 
   if (isReservedSpace(space)) {
     return (
-      <EuiFlexItem grow={false}>
-        <EuiToolTip content={'Reserved spaces are built-in and can only be partially changed.'}>
-          <EuiBadge iconType={'lock'}>Reserved Space</EuiBadge>
-        </EuiToolTip>
-      </EuiFlexItem>
+      <EuiToolTip content={'Reserved spaces are built-in and can only be partially modified.'}>
+        <EuiIcon style={{ verticalAlign: "super" }} type={'lock'} />
+      </EuiToolTip>
     );
   }
   return null;
diff --git a/x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.test.js b/x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.test.js
similarity index 92%
rename from x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.test.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.test.js
index e45926b8598246..755e6e4bf011e0 100644
--- a/x-pack/plugins/spaces/public/views/management/components/reserved_space_badge.test.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.test.js
@@ -6,7 +6,7 @@
 
 import React from 'react';
 import {
-  EuiBadge
+  EuiIcon
 } from '@elastic/eui';
 import { ReservedSpaceBadge } from './reserved_space_badge';
 import {
@@ -21,7 +21,7 @@ const unreservedSpace = {};
 
 test('it renders without crashing', () => {
   const wrapper = shallow(<ReservedSpaceBadge space={reservedSpace} />);
-  expect(wrapper.find(EuiBadge)).toHaveLength(1);
+  expect(wrapper.find(EuiIcon)).toHaveLength(1);
 });
 
 test('it renders nothing for an unreserved space', () => {
diff --git a/x-pack/plugins/spaces/public/views/management/components/url_context.js b/x-pack/plugins/spaces/public/views/management/edit_space/url_context.js
similarity index 94%
rename from x-pack/plugins/spaces/public/views/management/components/url_context.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/url_context.js
index 6253e36d0f9e2e..853c0abde745e5 100644
--- a/x-pack/plugins/spaces/public/views/management/components/url_context.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/url_context.js
@@ -31,6 +31,7 @@ export class UrlContext extends Component {
         <EuiFormRow
           label={this.getLabel()}
           helpText={this.getHelpText()}
+          {...this.props.validator.validateUrlContext(this.props.space)}
         >
           <div>
             <EuiFieldText
@@ -97,5 +98,6 @@ UrlContext.propTypes = {
   space: PropTypes.object.isRequired,
   editable: PropTypes.bool.isRequired,
   editingExistingSpace: PropTypes.bool.isRequired,
-  onChange: PropTypes.func
+  onChange: PropTypes.func,
+  validator: PropTypes.object.isRequired,
 };
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/url_context.test.js b/x-pack/plugins/spaces/public/views/management/edit_space/url_context.test.js
new file mode 100644
index 00000000000000..13c1caca899878
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/url_context.test.js
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { shallow } from 'enzyme';
+import { UrlContext } from './url_context';
+import { SpaceValidator } from '../lib';
+
+test('renders without crashing', () => {
+  const props = {
+    space: {},
+    editable: true,
+    editingExistingSpace: false,
+    onChange: jest.fn(),
+    validator: new SpaceValidator()
+  };
+  const wrapper = shallow(<UrlContext {...props} />);
+  expect(wrapper).toMatchSnapshot();
+});
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/management/lib/index.js b/x-pack/plugins/spaces/public/views/management/lib/index.js
new file mode 100644
index 00000000000000..0d213ec10b93c1
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/lib/index.js
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export {
+  toUrlContext,
+  isValidUrlContext
+} from './url_context_utils';
+
+export {
+  SpaceValidator
+} from './validate_space';
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.js b/x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.js
deleted file mode 100644
index 64e7f6c5fa6354..00000000000000
--- a/x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.js
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-export class SpacesDataStore {
-  constructor(spaces = []) {
-    this.loadSpaces(spaces);
-  }
-
-  loadSpaces(spaces = []) {
-    this._spaces = [...spaces];
-    this._matchedSpaces = [...spaces];
-  }
-
-  search(searchCriteria, caseSensitive = false) {
-    const criteria = caseSensitive ? searchCriteria : searchCriteria.toLowerCase();
-
-    this._matchedSpaces = this._spaces.filter(space => {
-      const spaceName = caseSensitive ? space.name : space.name.toLowerCase();
-
-      return spaceName.indexOf(criteria) >= 0;
-    });
-
-    return this._matchedSpaces;
-  }
-
-  getPage(pageIndex, pageSize) {
-    const startIndex = Math.min(pageIndex * pageSize, this._matchedSpaces.length);
-    const endIndex = Math.min(startIndex + pageSize, this._matchedSpaces.length);
-
-    return this._matchedSpaces.slice(startIndex, endIndex);
-  }
-}
diff --git a/x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.test.js b/x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.test.js
deleted file mode 100644
index eac71d490902d2..00000000000000
--- a/x-pack/plugins/spaces/public/views/management/lib/spaces_data_store.test.js
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { SpacesDataStore } from './spaces_data_store';
-
-const spaces = [{
-  id: 1,
-  name: 'foo',
-  description: 'foo'
-}, {
-  id: 2,
-  name: 'bar',
-  description: 'bar'
-}, {
-  id: 3,
-  name: 'sample text',
-  description: 'some sample text'
-}];
-
-test(`it doesn't filter results with no search applied`, () => {
-  const store = new SpacesDataStore(spaces);
-  expect(store.getPage(0, 3)).toEqual(spaces);
-});
-
-test(`it filters results when search is applied`, () => {
-  const store = new SpacesDataStore(spaces);
-  const filteredResults = store.search('bar');
-
-  expect(filteredResults).toEqual([spaces[1]]);
-
-  expect(store.getPage(0, 3)).toEqual([spaces[1]]);
-});
-
-test(`it filters based on a partial match`, () => {
-  const store = new SpacesDataStore(spaces);
-  const filteredResults = store.search('mpl');
-
-  expect(filteredResults).toEqual([spaces[2]]);
-
-  expect(store.getPage(0, 3)).toEqual([spaces[2]]);
-});
diff --git a/x-pack/plugins/spaces/public/views/management/lib/validate_space.js b/x-pack/plugins/spaces/public/views/management/lib/validate_space.js
new file mode 100644
index 00000000000000..a59a5ee0ef6f81
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/lib/validate_space.js
@@ -0,0 +1,86 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { isValidUrlContext } from './url_context_utils';
+import { isReservedSpace } from '../../../../common/is_reserved_space';
+
+export class SpaceValidator {
+  constructor(options = {}) {
+    this._shouldValidate = options.shouldValidate;
+  }
+
+  enableValidation() {
+    this._shouldValidate = true;
+  }
+
+  disableValidation() {
+    this._shouldValidate = false;
+  }
+
+  validateSpaceName(space) {
+    if (!this._shouldValidate) return valid();
+
+    if (!space.name) {
+      return invalid(`Please provide a space name`);
+    }
+
+    if (space.name.length > 1024) {
+      return invalid(`Name must not exceed 1024 characters`);
+    }
+
+    return valid();
+  }
+
+  validateSpaceDescription(space) {
+    if (!this._shouldValidate) return valid();
+
+    if (!space.description) {
+      return invalid(`Please provide a space description`);
+    }
+
+    return valid();
+  }
+
+  validateUrlContext(space) {
+    if (!this._shouldValidate) return valid();
+
+    if (isReservedSpace(space)) return valid();
+
+    if (!space.urlContext) {
+      return invalid(`URL Context is required`);
+    }
+
+    if (!isValidUrlContext(space.urlContext)) {
+      return invalid('URL Context only allows a-z, 0-9, and the "-" character');
+    }
+
+    return valid();
+  }
+
+  validateForSave(space) {
+    const { isInvalid: isNameInvalid } = this.validateSpaceName(space);
+    const { isInvalid: isDescriptionInvalid } = this.validateSpaceDescription(space);
+    const { isInvalid: isContextInvalid } = this.validateUrlContext(space);
+
+    if (isNameInvalid || isDescriptionInvalid || isContextInvalid) {
+      return invalid();
+    }
+
+    return valid();
+  }
+}
+
+function invalid(error) {
+  return {
+    isInvalid: true,
+    error
+  };
+}
+
+function valid() {
+  return {
+    isInvalid: false
+  };
+}
diff --git a/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js b/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js
new file mode 100644
index 00000000000000..6c0f2c2bcc10e1
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js
@@ -0,0 +1,84 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SpaceValidator } from './validate_space';
+
+let validator;
+
+describe('validateSpaceName', () => {
+  beforeEach(() => {
+    validator = new SpaceValidator({ shouldValidate: true });
+  });
+
+  test('it allows a name with special characters', () => {
+    const space = {
+      name: 'This is the name of my Space! @#$%^&*()_+-='
+    };
+
+    expect(validator.validateSpaceName(space)).toEqual({ isInvalid: false });
+  });
+
+  test('it requires a non-empty value', () => {
+    const space = {
+      name: ''
+    };
+
+    expect(validator.validateSpaceName(space)).toEqual({ isInvalid: true, error: `Please provide a space name` });
+  });
+
+  test('it cannot exceed 1024 characters', () => {
+    const space = {
+      name: new Array(1026).join('A')
+    };
+
+    expect(validator.validateSpaceName(space)).toEqual({ isInvalid: true, error: `Name must not exceed 1024 characters` });
+  });
+});
+
+describe('validateSpaceDescription', () => {
+  test('it requires a non-empty value', () => {
+    const space = {
+      description: ''
+    };
+
+    expect(validator.validateSpaceDescription(space)).toEqual({ isInvalid: true, error: `Please provide a space description` });
+  });
+});
+
+describe('validateUrlContext', () => {
+  test('it does not validate reserved spaces', () => {
+    const space = {
+      _reserved: true
+    };
+
+    expect(validator.validateUrlContext(space)).toEqual({ isInvalid: false });
+  });
+
+  test('it requires a non-empty value', () => {
+    const space = {
+      urlContext: ''
+    };
+
+    expect(validator.validateUrlContext(space)).toEqual({ isInvalid: true, error: `URL Context is required` });
+  });
+
+  test('it requires a valid URL Context', () => {
+    const space = {
+      urlContext: 'invalid context'
+    };
+
+    expect(validator.validateUrlContext(space))
+      .toEqual({ isInvalid: true, error: 'URL Context only allows a-z, 0-9, and the "-" character' });
+  });
+
+  test('it allows a valid URL Context', () => {
+    const space = {
+      urlContext: '01-valid-context-01'
+    };
+
+    expect(validator.validateUrlContext(space)).toEqual({ isInvalid: false });
+  });
+});
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/management/manage_spaces.less b/x-pack/plugins/spaces/public/views/management/manage_spaces.less
index ae515cbb829fa1..48bfea9b424d95 100644
--- a/x-pack/plugins/spaces/public/views/management/manage_spaces.less
+++ b/x-pack/plugins/spaces/public/views/management/manage_spaces.less
@@ -1,5 +1,14 @@
-.manageSpaces__application, .manageSpaces__.euiPanel {
-  background: #f5f5f5
+.manageSpaces__application, .manageSpaces__.euiPanel, #manageSpacesReactRoot, .editSpacePage, .editSpacePage__content {
+  background: #f5f5f5;
+}
+
+#manageSpacesReactRoot{
+  flex-grow: 1;
+}
+
+.editSpacePage__content {
+  border: none;
+  box-shadow: none;
 }
 
 .manageSpaces__euiPage {
diff --git a/x-pack/plugins/spaces/public/views/management/page_routes.js b/x-pack/plugins/spaces/public/views/management/page_routes.js
index e07a5b95aeb239..e037ec46923c8f 100644
--- a/x-pack/plugins/spaces/public/views/management/page_routes.js
+++ b/x-pack/plugins/spaces/public/views/management/page_routes.js
@@ -10,7 +10,8 @@ import template from 'plugins/spaces/views/management/template.html';
 
 import React from 'react';
 import { render, unmountComponentAtNode } from 'react-dom';
-import { SpacesGridPage, ManageSpacePage } from './components';
+import { SpacesGridPage } from './spaces_grid';
+import { ManageSpacePage } from './edit_space';
 import { SpacesManager } from '../../lib/spaces_manager';
 
 import routes from 'ui/routes';
@@ -22,10 +23,11 @@ routes.when('/management/spaces/list', {
   controller: function ($scope, $http, chrome) {
     const domNode = document.getElementById(reactRootNodeId);
 
+    const spacesManager = new SpacesManager($http, chrome);
+
     render(<SpacesGridPage
-      httpAgent={$http}
-      chrome={chrome}
       breadcrumbs={routes.getBreadcrumbs()}
+      spacesManager={spacesManager}
     />, domNode);
 
     // unmount react on controller destroy
@@ -43,8 +45,6 @@ routes.when('/management/spaces/create', {
     const spacesManager = new SpacesManager($http, chrome);
 
     render(<ManageSpacePage
-      httpAgent={$http}
-      chrome={chrome}
       breadcrumbs={routes.getBreadcrumbs()}
       spacesManager={spacesManager}
     />, domNode);
@@ -73,7 +73,7 @@ routes.when('/management/spaces/edit/:space', {
       httpAgent={$http}
       space={space}
       chrome={chrome}
-      breadcrumbs={routes.getBreadcrumbs()}
+      breadcrumbs={transformBreadcrumbs(routes.getBreadcrumbs())}
       spacesManager={spacesManager}
     />, domNode);
 
@@ -83,3 +83,7 @@ routes.when('/management/spaces/edit/:space', {
     });
   }
 });
+
+function transformBreadcrumbs(routeBreadcrumbs) {
+  return routeBreadcrumbs.filter(b => b.id !== 'edit');
+}
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/management/spaces_grid/index.js b/x-pack/plugins/spaces/public/views/management/spaces_grid/index.js
new file mode 100644
index 00000000000000..ec688bbf260a60
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/spaces_grid/index.js
@@ -0,0 +1,6 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+export { SpacesGridPage } from './spaces_grid_page';
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
similarity index 50%
rename from x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js
rename to x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
index c89ae778afbc5b..a039864aff3949 100644
--- a/x-pack/plugins/spaces/public/views/management/components/spaces_grid_page.js
+++ b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
@@ -10,8 +10,7 @@ import PropTypes from 'prop-types';
 import {
   EuiPage,
   EuiPageContent,
-  EuiBasicTable,
-  EuiSearchBar,
+  EuiInMemoryTable,
   EuiFlexGroup,
   EuiFlexItem,
   EuiText,
@@ -20,45 +19,24 @@ import {
   EuiLink,
 } from '@elastic/eui';
 
-import { PageHeader } from './page_header';
-import { SpacesDataStore } from '../lib/spaces_data_store';
-import { DeleteSpacesButton } from './delete_spaces_button';
-
+import { DeleteSpacesButton, PageHeader } from '../components';
+import { isReservedSpace } from '../../../../common';
 
 export class SpacesGridPage extends Component {
   state = {
     selectedSpaces: [],
-    displayedSpaces: [],
-    loading: true,
-    searchCriteria: '',
-    pagination: {
-      pageIndex: 0,
-      pageSize: 10,
-      totalItemCount: 0,
-      pageSizeOptions: [10, 25, 50]
-    }
+    spaces: [],
+    loading: true
   };
 
-  constructor(props) {
-    super(props);
-    this.dataStore = new SpacesDataStore();
-  }
-
   componentDidMount() {
     this.loadGrid();
   }
 
   render() {
-    const filteredSpaces = this.dataStore.search(this.state.searchCriteria);
-
-    const pagination = {
-      ...this.state.pagination,
-      totalItemCount: filteredSpaces.length
-    };
-
     return (
       <EuiPage>
-        <PageHeader breadcrumbs={this.props.breadcrumbs}/>
+        <PageHeader breadcrumbs={this.props.breadcrumbs} />
         <EuiPageContent>
           <EuiFlexGroup justifyContent={'spaceBetween'}>
             <EuiFlexItem grow={false}>
@@ -67,20 +45,19 @@ export class SpacesGridPage extends Component {
             <EuiFlexItem grow={false}>{this.getPrimaryActionButton()}</EuiFlexItem>
           </EuiFlexGroup>
           <EuiSpacer size={'xl'} />
-          <EuiSearchBar
-            box={{
-              placeholder: 'Search for a space...',
-              incremental: true
-            }}
-            onChange={this.onSearchChange}
-          />
-          <EuiSpacer size={'xl'} />
-          <EuiBasicTable
-            items={this.state.displayedSpaces}
+
+          <EuiInMemoryTable
+            itemId={"id"}
+            items={this.state.spaces}
             columns={this.getColumnConfig()}
-            selection={this.getSelectionConfig()}
-            pagination={pagination}
-            onChange={this.onTableChange}
+            selection={{
+              selectable: (space) => !isReservedSpace(space),
+              onSelectionChange: this.onSelectionChange
+            }}
+            pagination={true}
+            search={true}
+            loading={this.state.loading}
+            message={this.state.loading ? "loading..." : undefined}
           />
         </EuiPageContent>
       </EuiPage>
@@ -92,8 +69,7 @@ export class SpacesGridPage extends Component {
       return (
         <DeleteSpacesButton
           spaces={this.state.selectedSpaces}
-          httpAgent={this.props.httpAgent}
-          chrome={this.props.chrome}
+          spacesManager={this.props.spacesManager}
           onDelete={this.loadGrid}
         />
       );
@@ -106,30 +82,25 @@ export class SpacesGridPage extends Component {
 
   loadGrid = () => {
     const {
-      httpAgent,
-      chrome
+      spacesManager
     } = this.props;
 
     this.setState({
       loading: true,
-      displayedSpaces: [],
-      selectedSpaces: []
+      selectedSpaces: [],
+      spaces: []
     });
 
-    this.dataStore.loadSpaces([]);
-
     const setSpaces = (spaces) => {
-      this.dataStore.loadSpaces(spaces);
       this.setState({
         loading: false,
-        displayedSpaces: this.dataStore.getPage(this.state.pagination.pageIndex, this.state.pagination.pageSize)
+        spaces,
       });
     };
 
-    httpAgent
-      .get(chrome.addBasePath(`/api/spaces/v1/spaces`))
-      .then(response => {
-        setSpaces(response.data);
+    spacesManager.getSpaces()
+      .then(spaces => {
+        setSpaces(spaces);
       })
       .catch(error => {
         this.setState({
@@ -162,44 +133,12 @@ export class SpacesGridPage extends Component {
     }];
   }
 
-  getSelectionConfig() {
-    return {
-      itemId: 'id',
-      selectable: (space) => space.id,
-      onSelectionChange: this.onSelectionChange
-    };
-  }
-
- onTableChange = ({ page = {} }) => {
-   const {
-     index: pageIndex,
-     size: pageSize
-   } = page;
-
-   this.setState({
-     pagination: {
-       ...this.state.pagination,
-       pageIndex,
-       pageSize
-     }
-   });
- };
-
   onSelectionChange = (selectedSpaces) => {
     this.setState({ selectedSpaces });
   };
-
-  onSearchChange = ({ text = '' }) => {
-    this.dataStore.search(text);
-    this.setState({
-      searchCriteria: text,
-      displayedSpaces: this.dataStore.getPage(this.state.pagination.pageIndex, this.state.pagination.pageSize)
-    });
-  };
 }
 
 SpacesGridPage.propTypes = {
-  chrome: PropTypes.object.isRequired,
-  httpAgent: PropTypes.func.isRequired,
-  breadcrumbs: PropTypes.array.isRequired
+  spacesManager: PropTypes.object.isRequired,
+  breadcrumbs: PropTypes.array.isRequired,
 };
diff --git a/x-pack/plugins/spaces/server/lib/space_schema.js b/x-pack/plugins/spaces/server/lib/space_schema.js
index 88c134ca6f82b9..82dd81ee1705ec 100644
--- a/x-pack/plugins/spaces/server/lib/space_schema.js
+++ b/x-pack/plugins/spaces/server/lib/space_schema.js
@@ -5,11 +5,14 @@
  */
 
 import Joi from 'joi';
+import { MAX_SPACE_INITIALS } from '../../common/constants';
 
 export const spaceSchema = Joi.object({
   id: Joi.string(),
   name: Joi.string().required(),
   description: Joi.string().required(),
-  urlContext: Joi.string().regex(/[a-z0-9\-]+/, `lower case, a-z, 0-9, and "-" are allowed`).required(),
+  urlContext: Joi.string().regex(/[a-z0-9\-]*/, `lower case, a-z, 0-9, and "-" are allowed`),
+  initials: Joi.string().max(MAX_SPACE_INITIALS),
+  color: Joi.string().regex(/^#[a-z0-9]{6}$/, `6 digit hex color, starting with a #`),
   _reserved: Joi.boolean()
 }).default();
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
index 64b893b93239d5..653b566a012e39 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
@@ -63,7 +63,7 @@ export function initSpacesApi(server) {
         });
 
         spaces = result.saved_objects.map(convertSavedObjectToSpace);
-      } catch(e) {
+      } catch (e) {
         return reply(wrapError(e));
       }
 
@@ -131,6 +131,12 @@ export function initSpacesApi(server) {
       }
 
       return reply(convertSavedObjectToSpace(result));
+    },
+    config: {
+      validate: {
+        payload: spaceSchema
+      },
+      pre: [routePreCheckLicenseFn]
     }
   });
 
@@ -156,7 +162,7 @@ export function initSpacesApi(server) {
       let result;
       try {
         result = await client.create('space', { ...space }, { id, overwrite });
-      } catch(e) {
+      } catch (e) {
         return reply(wrapError(e));
       }
 

From a53e7d06caeefe88f53fd2df0cb243cedf46aa26 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Tue, 19 Jun 2018 11:43:06 -0400
Subject: [PATCH 053/183] start to address feedback

---
 .../public/services/application_privilege.js        |  3 ---
 .../security/public/views/management/edit_role.js   |  8 +++++---
 .../server/lib/authorization/has_privileges.js      |  4 ++--
 .../lib/privileges/privilege_action_registry.js     |  3 ---
 .../security/server/lib/privileges/privileges.js    |  3 ---
 .../watch_status_and_license_to_initialize.test.js  | 13 +++++--------
 .../security/server/routes/api/v1/privileges.js     |  3 ---
 7 files changed, 12 insertions(+), 25 deletions(-)

diff --git a/x-pack/plugins/security/public/services/application_privilege.js b/x-pack/plugins/security/public/services/application_privilege.js
index 57d2871ecbad39..91e8d52a84a726 100644
--- a/x-pack/plugins/security/public/services/application_privilege.js
+++ b/x-pack/plugins/security/public/services/application_privilege.js
@@ -4,9 +4,6 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-
 import 'angular-resource';
 import { uiModules } from 'ui/modules';
 
diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
index 0aaebc83e6f72f..94e04a30a37db5 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role.js
@@ -5,6 +5,7 @@
  */
 
 import _ from 'lodash';
+import chrome from 'ui/chrome';
 import routes from 'ui/routes';
 import { fatalError, toastNotifications } from 'ui/notify';
 import { toggle } from 'plugins/security/lib/util';
@@ -38,7 +39,7 @@ const getKibanaPrivileges = (kibanaApplicationPrivilege, role, application) => {
   const applications = role.applications
     .filter(x => x.application === application && x.resources.every(r => r === DEFAULT_RESOURCE));
 
-  const assigned =  _.uniq(_.flatten(_.pluck(applications, 'privileges')));
+  const assigned = _.uniq(_.flatten(_.pluck(applications, 'privileges')));
   assigned.forEach(a => {
     kibanaPrivileges[a] = true;
   });
@@ -63,7 +64,7 @@ const setApplicationPrivileges = (kibanaPrivileges, role, application) => {
     role.applications = [...role.applications, {
       application,
       privileges,
-      resources: [ DEFAULT_RESOURCE ]
+      resources: [DEFAULT_RESOURCE]
     }];
   }
 };
@@ -118,7 +119,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     }
   },
   controllerAs: 'editRole',
-  controller($injector, $scope, rbacApplication) {
+  controller($injector, $scope) {
     const $route = $injector.get('$route');
     const kbnUrl = $injector.get('kbnUrl');
     const shieldPrivileges = $injector.get('shieldPrivileges');
@@ -126,6 +127,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     const Private = $injector.get('Private');
     const confirmModal = $injector.get('confirmModal');
     const shieldIndices = $injector.get('shieldIndices');
+    const rbacApplication = chrome.getInjected('rbacApplication');
 
     $scope.role = $route.current.locals.role;
     $scope.users = $route.current.locals.users;
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
index 79907d4e7b1e4e..67de50730959c0 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
@@ -48,7 +48,7 @@ const hasLegacyPrivileges = async (
   const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
     body: {
       index: [{
-        names: [ kibanaIndex ],
+        names: [kibanaIndex],
         privileges: ['read', 'index']
       }]
     }
@@ -63,7 +63,7 @@ const hasLegacyPrivileges = async (
 
   const logDeprecation = () => {
     deprecationLogger(
-      `Relying on implicit privileges determined from the index privileges is deprecated and will be removed in the next major version`
+      `Relying on implicit privileges determined from the index privileges is deprecated and will be removed in Kibana 7.0`
     );
   };
 
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
index 27a00a56202132..822447dbcecedd 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
@@ -4,9 +4,6 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-
 import { buildPrivilegeMap } from './privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { equivalentPrivileges } from './equivalent_privileges';
diff --git a/x-pack/plugins/security/server/lib/privileges/privileges.js b/x-pack/plugins/security/server/lib/privileges/privileges.js
index 4045b3e83da036..96600013887944 100644
--- a/x-pack/plugins/security/server/lib/privileges/privileges.js
+++ b/x-pack/plugins/security/server/lib/privileges/privileges.js
@@ -4,9 +4,6 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-
 export function getVersionPrivilege(kibanaVersion) {
   // TODO: Remove the .toLowerCase() once the capitalization with app privileges is fixed
   return `version:${kibanaVersion.toLowerCase()}`;
diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
index 3826edf6767617..55c2d83ab48f60 100644
--- a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
+++ b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
@@ -4,8 +4,6 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
 import { EventEmitter } from 'events';
 import { watchStatusAndLicenseToInitialize } from './watch_status_and_license_to_initialize';
 
@@ -29,7 +27,7 @@ const createMockXpackMainPluginAndFeature = (featureId) => {
     }
   };
 
-  const mockXpackMainPlugin =  {
+  const mockXpackMainPlugin = {
     info: {
       feature: (id) => {
         if (id === featureId) {
@@ -64,7 +62,7 @@ const createMockDownstreamPlugin = (id) => {
   };
 };
 
-['red', 'yellow', 'disabled' ].forEach(state => {
+['red', 'yellow', 'disabled'].forEach(state => {
   test(`mirrors ${state} immediately`, () => {
     const pluginId = 'foo-plugin';
     const message = `${state} is now the state`;
@@ -72,7 +70,7 @@ const createMockDownstreamPlugin = (id) => {
     mockXpackMainPlugin.mock.setStatus(state, message);
     const downstreamPlugin = createMockDownstreamPlugin(pluginId);
     const initializeMock = jest.fn();
-    downstreamPlugin.status[state].mockImplementation(() => {});
+    downstreamPlugin.status[state].mockImplementation(() => { });
 
     watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
 
@@ -89,7 +87,7 @@ test(`calls initialize and doesn't immediately set downstream status when the in
   const licenseCheckResults = Symbol();
   mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
   const downstreamPlugin = createMockDownstreamPlugin(pluginId);
-  const initializeMock = jest.fn().mockImplementation(() => new Promise(() => {}));
+  const initializeMock = jest.fn().mockImplementation(() => new Promise(() => { }));
 
   watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
 
@@ -111,8 +109,7 @@ test(`sets downstream plugin's status to green when initialize resolves`, (done)
 
   expect(initializeMock).toHaveBeenCalledTimes(1);
   expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
-  downstreamPlugin.status.green.mockImplementation(actualMessage =>
-  {
+  downstreamPlugin.status.green.mockImplementation(actualMessage => {
     expect(actualMessage).toBe('Ready');
     done();
   });
diff --git a/x-pack/plugins/security/server/routes/api/v1/privileges.js b/x-pack/plugins/security/server/routes/api/v1/privileges.js
index 54ce1f97110355..273994b25e562b 100644
--- a/x-pack/plugins/security/server/routes/api/v1/privileges.js
+++ b/x-pack/plugins/security/server/routes/api/v1/privileges.js
@@ -4,9 +4,6 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements.
- * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
-
 import { buildPrivilegeMap } from '../../../lib/privileges/privileges';
 
 export function initPrivilegesApi(server) {

From b7d2514c15bdcbeb6c8e6d56354fa47100188214 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Tue, 19 Jun 2018 17:03:10 -0400
Subject: [PATCH 054/183] fix merge

---
 .../public/views/management/edit_role/index.js         |  6 ++++--
 yarn.lock                                              | 10 ----------
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role/index.js b/x-pack/plugins/security/public/views/management/edit_role/index.js
index e356b9d7c01b6e..8f373f966f2a14 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/index.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/index.js
@@ -5,6 +5,7 @@
  */
 
 import _ from 'lodash';
+import chrome from 'ui/chrome';
 import routes from 'ui/routes';
 import { fatalError } from 'ui/notify';
 import template from 'plugins/security/views/management/edit_role/edit_role.html';
@@ -76,7 +77,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     }
   },
   controllerAs: 'editRole',
-  controller($injector, $scope, $http, rbacEnabled, rbacApplication) {
+  controller($injector, $scope, $http) {
     const $route = $injector.get('$route');
     const Private = $injector.get('Private');
 
@@ -88,6 +89,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     const xpackInfo = Private(XPackInfoProvider);
     const allowDocumentLevelSecurity = xpackInfo.get('features.security.allowRoleDocumentLevelSecurity');
     const allowFieldLevelSecurity = xpackInfo.get('features.security.allowRoleFieldLevelSecurity');
+    const rbacApplication = chrome.getInjected('rbacApplication');
 
     const domNode = document.getElementById('editRoleReactRoot');
 
@@ -103,7 +105,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
       role={role}
       kibanaAppPrivileges={kibanaApplicationPrivilege}
       indexPatterns={indexPatterns}
-      rbacEnabled={rbacEnabled}
+      rbacEnabled={true}
       rbacApplication={rbacApplication}
       httpClient={$http}
       breadcrumbs={transformBreadcrumbs(routeBreadcrumbs)}
diff --git a/yarn.lock b/yarn.lock
index a1bcbf1ac7e7fa..71756fd6c6e2ea 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1900,12 +1900,6 @@ brace-expansion@^1.0.0, brace-expansion@^1.1.7:
     balanced-match "^1.0.0"
     concat-map "0.0.1"
 
-brace@0.10.0:
-  version "0.10.0"
-  resolved "https://registry.yarnpkg.com/brace/-/brace-0.10.0.tgz#edef4eb9b0928ba1ee5f717ffc157749a6dd5d76"
-  dependencies:
-    w3c-blob "0.0.1"
-
 brace@0.11.1, brace@^0.11.0:
   version "0.11.1"
   resolved "https://registry.yarnpkg.com/brace/-/brace-0.11.1.tgz#4896fcc9d544eef45f4bb7660db320d3b379fe58"
@@ -13446,10 +13440,6 @@ void-elements@^2.0.0, void-elements@~2.0.1:
   version "2.0.1"
   resolved "https://registry.yarnpkg.com/void-elements/-/void-elements-2.0.1.tgz#c066afb582bb1cb4128d60ea92392e94d5e9dbec"
 
-w3c-blob@0.0.1:
-  version "0.0.1"
-  resolved "https://registry.yarnpkg.com/w3c-blob/-/w3c-blob-0.0.1.tgz#b0cd352a1a50f515563420ffd5861f950f1d85b8"
-
 w3c-hr-time@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/w3c-hr-time/-/w3c-hr-time-1.0.1.tgz#82ac2bff63d950ea9e3189a58a65625fedf19045"

From 1bc85f98636cde05c6d67395197c00a82fc7c7f2 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Wed, 20 Jun 2018 17:39:48 -0400
Subject: [PATCH 055/183] [Spaces] - Redesign space selector (#19964)

---
 x-pack/plugins/spaces/common/constants.js     |   8 +
 .../spaces/public/views/components/index.js   |   3 +-
 .../public/views/components/space_avatar.js   |  17 +-
 .../public/views/components/space_card.js     |  25 ++-
 .../public/views/components/space_card.less   |  11 +-
 .../public/views/components/space_cards.js    |  26 +--
 .../public/views/components/space_cards.less  |   4 +
 .../views/components/space_cards.test.js      |  31 +--
 .../views/nav_control/nav_control_modal.js    | 198 +++++++++---------
 .../__snapshots__/space_selector.test.js.snap | 125 +++++++----
 .../views/space_selector/space_selector.html  |   2 +-
 .../views/space_selector/space_selector.js    |  83 ++++++--
 .../views/space_selector/space_selector.less  |  50 +++--
 .../spaces/server/routes/api/v1/spaces.js     |   1 -
 14 files changed, 337 insertions(+), 247 deletions(-)
 create mode 100644 x-pack/plugins/spaces/public/views/components/space_cards.less

diff --git a/x-pack/plugins/spaces/common/constants.js b/x-pack/plugins/spaces/common/constants.js
index d539fafd71044b..c4d8931871b97d 100644
--- a/x-pack/plugins/spaces/common/constants.js
+++ b/x-pack/plugins/spaces/common/constants.js
@@ -6,4 +6,12 @@
 
 export const DEFAULT_SPACE_ID = `default`;
 
+/**
+ * The minimum number of spaces required to show a search control.
+ */
+export const SPACE_SEARCH_COUNT_THRESHOLD = 8;
+
+/**
+ * The maximum number of characters allowed in the Space Avatar's initials
+ */
 export const MAX_SPACE_INITIALS = 2;
diff --git a/x-pack/plugins/spaces/public/views/components/index.js b/x-pack/plugins/spaces/public/views/components/index.js
index 81c7e9aea1c036..16d03e0d129bc1 100644
--- a/x-pack/plugins/spaces/public/views/components/index.js
+++ b/x-pack/plugins/spaces/public/views/components/index.js
@@ -4,4 +4,5 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export { SpaceAvatar } from './space_avatar';
\ No newline at end of file
+export { SpaceAvatar } from './space_avatar';
+export { SpaceCards } from './space_cards';
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/components/space_avatar.js b/x-pack/plugins/spaces/public/views/components/space_avatar.js
index ccbb2996bad105..b7908d00f2dde8 100644
--- a/x-pack/plugins/spaces/public/views/components/space_avatar.js
+++ b/x-pack/plugins/spaces/public/views/components/space_avatar.js
@@ -5,20 +5,27 @@
  */
 
 import React from 'react';
+import PropTypes from 'prop-types';
 import {
   EuiAvatar
 } from '@elastic/eui';
 import { MAX_SPACE_INITIALS, getSpaceInitials, getSpaceColor } from '../../../common';
 
-export const SpaceAvatar = (props) => {
+export const SpaceAvatar = ({ space, size, ...rest }) => {
   return (
     <EuiAvatar
       type="space"
-      name={props.space.name || ''}
-      size={props.size || "m"}
+      name={space.name || ''}
+      size={size || "m"}
       initialsLength={MAX_SPACE_INITIALS}
-      initials={getSpaceInitials(props.space)}
-      color={getSpaceColor(props.space)}
+      initials={getSpaceInitials(space)}
+      color={getSpaceColor(space)}
+      {...rest}
     />
   );
 };
+
+SpaceAvatar.propTypes = {
+  space: PropTypes.object.isRequired,
+  size: PropTypes.string,
+};
diff --git a/x-pack/plugins/spaces/public/views/components/space_card.js b/x-pack/plugins/spaces/public/views/components/space_card.js
index 12cc3555175559..7441366d9206ed 100644
--- a/x-pack/plugins/spaces/public/views/components/space_card.js
+++ b/x-pack/plugins/spaces/public/views/components/space_card.js
@@ -7,9 +7,12 @@
 import React from 'react';
 import {
   EuiCard,
-  EuiText
+  EuiTextColor,
 } from '@elastic/eui';
 import './space_card.less';
+import {
+  SpaceAvatar
+} from './space_avatar';
 
 export const SpaceCard = (props) => {
   const {
@@ -20,21 +23,25 @@ export const SpaceCard = (props) => {
   return (
     <EuiCard
       className="spaceCard"
-      title={renderSpaceTitle(space)}
+      icon={renderSpaceAvatar(space)}
+      title={space.name}
       description={renderSpaceDescription(space)}
       onClick={onClick}
     />
   );
 };
 
-function renderSpaceTitle(space) {
-  return (
-    <div className="spaceCardTitle">
-      <EuiText><h3>{space.name}</h3></EuiText>
-    </div>
-  );
+function renderSpaceAvatar(space) {
+  return <SpaceAvatar space={space} size={"l"} />;
 }
 
 function renderSpaceDescription(space) {
-  return space.description;
+  let description = space.description;
+  const needsTruncation = space.description.length > 120;
+  if (needsTruncation) {
+    description = (
+      <span title={description}>{space.description.substr(0, 120) + '…'}</span>
+    );
+  }
+  return <EuiTextColor className="eui-textBreakWord" color={"subdued"}>{description}</EuiTextColor>;
 }
diff --git a/x-pack/plugins/spaces/public/views/components/space_card.less b/x-pack/plugins/spaces/public/views/components/space_card.less
index a75fbfaa2f3430..8245a16b9f43c6 100644
--- a/x-pack/plugins/spaces/public/views/components/space_card.less
+++ b/x-pack/plugins/spaces/public/views/components/space_card.less
@@ -1,9 +1,8 @@
-.spaceCard, .euiCard.euiCard--isClickable.spaceCard {
-    width: 310px;
-    height: 230px;
-    min-height: 200px;
+.euiCard.euiCard--isClickable.spaceCard {
+  width: 240px;
+  min-height: 200px;
 }
 
-.spaceCardDescription {
-  margin-bottom: 10px;
+.spaceCard .euiCard__content{
+  overflow: hidden;
 }
diff --git a/x-pack/plugins/spaces/public/views/components/space_cards.js b/x-pack/plugins/spaces/public/views/components/space_cards.js
index 2e92ce4a290eab..5e96bc50cc4e20 100644
--- a/x-pack/plugins/spaces/public/views/components/space_cards.js
+++ b/x-pack/plugins/spaces/public/views/components/space_cards.js
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { Component, Fragment } from 'react';
+import React, { Component } from 'react';
 import PropTypes from 'prop-types';
 import chrome from 'ui/chrome';
 import { SpaceCard } from './space_card';
@@ -12,29 +12,17 @@ import { stripSpaceUrlContext } from '../../../common/spaces_url_parser';
 import {
   EuiFlexGroup,
   EuiFlexItem,
-  EuiSpacer,
 } from '@elastic/eui';
-import { chunk } from 'lodash';
+import './space_cards.less';
 
 export class SpaceCards extends Component {
   render() {
-    const maxSpacesPerRow = 3;
-    const rows = chunk(this.props.spaces, maxSpacesPerRow);
-
     return (
-      <Fragment>
-        {
-          rows.map((row, idx) => (
-            <Fragment key={idx}>
-              <EuiFlexGroup gutterSize="l" justifyContent="spaceEvenly">
-                {row.map(this.renderSpace)}
-              </EuiFlexGroup>
-              <EuiSpacer />
-            </Fragment>
-          ))
-        }
-      </Fragment>
-
+      <div className="spaceCards">
+        <EuiFlexGroup gutterSize="l" justifyContent="center" wrap responsive={false}>
+          {this.props.spaces.map(this.renderSpace)}
+        </EuiFlexGroup>
+      </div>
     );
   }
 
diff --git a/x-pack/plugins/spaces/public/views/components/space_cards.less b/x-pack/plugins/spaces/public/views/components/space_cards.less
new file mode 100644
index 00000000000000..8108285e3dce76
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/components/space_cards.less
@@ -0,0 +1,4 @@
+.spaceCards {
+  max-width: 1200px;
+  margin: auto;
+}
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/components/space_cards.test.js b/x-pack/plugins/spaces/public/views/components/space_cards.test.js
index b221e6f337afc3..e970c379960361 100644
--- a/x-pack/plugins/spaces/public/views/components/space_cards.test.js
+++ b/x-pack/plugins/spaces/public/views/components/space_cards.test.js
@@ -5,10 +5,8 @@
  */
 
 import React from 'react';
-import { shallow, mount } from 'enzyme';
+import { shallow } from 'enzyme';
 import { SpaceCards } from './space_cards';
-import { EuiFlexGroup } from '@elastic/eui';
-import { SpaceCard } from './space_card';
 
 test('it renders without crashing', () => {
   const space = {
@@ -18,29 +16,4 @@ test('it renders without crashing', () => {
   };
 
   shallow(<SpaceCards spaces={[space]} />);
-});
-
-test('it renders spaces in groups of 3', () => {
-  function buildSpace(name) {
-    return {
-      id: `id-${name}`,
-      name,
-      description: `desc-${name}`
-    };
-  }
-
-  const spaces = [
-    buildSpace(1),
-    buildSpace(2),
-    buildSpace(3),
-    buildSpace(4)
-  ];
-
-  const wrapper = mount(<SpaceCards spaces={spaces} />);
-
-  const groups = wrapper.find(EuiFlexGroup);
-  expect(groups).toHaveLength(2);
-
-  expect(groups.at(0).find(SpaceCard)).toHaveLength(3);
-  expect(groups.at(1).find(SpaceCard)).toHaveLength(1);
-});
+});
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
index 1827d5bf8519da..8de5ded601092e 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
@@ -14,120 +14,120 @@ import {
   EuiOverlayMask,
   EuiAvatar,
 } from '@elastic/eui';
-import { SpaceCards } from '../components/space_cards';
+import { SpaceCards, SpaceAvatar } from '../components';
 import { Notifier } from 'ui/notify';
 
 export class NavControlModal extends Component {
-    state = {
-      isOpen: false,
-      loading: false,
-      spaces: []
-    };
-
-    notifier = new Notifier(`Spaces`);
-
-    async loadSpaces() {
-      const {
-        spacesManager
-      } = this.props;
-
-      this.setState({
-        loading: true
-      });
-
-      const spaces = await spacesManager.getSpaces();
-      this.setState({
-        spaces,
-        loading: false
-      });
-    }
-
-    componentDidMount() {
-      const {
-        activeSpace
-      } = this.props;
-
-      if (activeSpace && !activeSpace.valid) {
-        const { error = {} } = activeSpace;
-        if (error.message) {
-          this.notifier.error(error.message);
-        }
+  state = {
+    isOpen: false,
+    loading: false,
+    spaces: []
+  };
+
+  notifier = new Notifier(`Spaces`);
+
+  async loadSpaces() {
+    const {
+      spacesManager
+    } = this.props;
+
+    this.setState({
+      loading: true
+    });
+
+    const spaces = await spacesManager.getSpaces();
+    this.setState({
+      spaces,
+      loading: false
+    });
+  }
+
+  componentDidMount() {
+    const {
+      activeSpace
+    } = this.props;
+
+    if (activeSpace && !activeSpace.valid) {
+      const { error = {} } = activeSpace;
+      if (error.message) {
+        this.notifier.error(error.message);
       }
     }
-
-    render() {
-      let modal;
-      if (this.state.isOpen) {
-        modal = (
-          <EuiOverlayMask>
-            <EuiModal onClose={this.closePortal} className={'selectSpaceModal'}>
-              <EuiModalHeader>
-                <EuiModalHeaderTitle>Select a space</EuiModalHeaderTitle>
-              </EuiModalHeader>
-              <EuiModalBody>
-                <SpaceCards spaces={this.state.spaces} />
-              </EuiModalBody>
-            </EuiModal>
-          </EuiOverlayMask>
-        );
-      }
-
-      return (
-        <div>{this.getActiveSpaceButton()}{modal}</div>
+  }
+
+  render() {
+    let modal;
+    if (this.state.isOpen) {
+      modal = (
+        <EuiOverlayMask>
+          <EuiModal onClose={this.closePortal} className={'selectSpaceModal'}>
+            <EuiModalHeader>
+              <EuiModalHeaderTitle>Select a space</EuiModalHeaderTitle>
+            </EuiModalHeader>
+            <EuiModalBody>
+              <SpaceCards spaces={this.state.spaces} />
+            </EuiModalBody>
+          </EuiModal>
+        </EuiOverlayMask>
       );
     }
 
-    getActiveSpaceButton = () => {
-      const {
-        activeSpace
-      } = this.props;
-
-      if (!activeSpace) {
-        return null;
-      }
+    return (
+      <div>{this.getActiveSpaceButton()}{modal}</div>
+    );
+  }
 
-      if (activeSpace.valid && activeSpace.space) {
-        return this.getButton(
-          <EuiAvatar size={'s'} className={'spaceNavGraphic'} name={activeSpace.space.name} />,
-          activeSpace.space.name
-        );
-      } else if (activeSpace.error) {
-        return this.getButton(
-          <EuiAvatar size={'s'} className={'spaceNavGraphic'} name={'error'} />,
-          'error'
-        );
-      }
+  getActiveSpaceButton = () => {
+    const {
+      activeSpace
+    } = this.props;
 
+    if (!activeSpace) {
       return null;
-    };
-
-    getButton = (linkIcon, linkTitle) => {
-      return (
-        <div className="global-nav-link">
-          <a className="global-nav-link__anchor" onClick={this.togglePortal}>
-            <div className="global-nav-link__icon">{linkIcon}</div>
-            <div className="global-nav-link__title">{linkTitle}</div>
-          </a>
-        </div>
+    }
+
+    if (activeSpace.valid && activeSpace.space) {
+      return this.getButton(
+        <SpaceAvatar space={activeSpace.space} size={'s'} className={'spaceNavGraphic'} />,
+        activeSpace.space.name
+      );
+    } else if (activeSpace.error) {
+      return this.getButton(
+        <EuiAvatar size={'s'} className={'spaceNavGraphic'} name={'error'} />,
+        'error'
       );
-    };
+    }
 
-    togglePortal = () => {
-      const isOpening = !this.state.isOpen;
-      if (isOpening) {
-        this.loadSpaces();
-      }
+    return null;
+  };
+
+  getButton = (linkIcon, linkTitle) => {
+    return (
+      <div className="global-nav-link">
+        <a className="global-nav-link__anchor" onClick={this.togglePortal}>
+          <div className="global-nav-link__icon">{linkIcon}</div>
+          <div className="global-nav-link__title">{linkTitle}</div>
+        </a>
+      </div>
+    );
+  };
+
+  togglePortal = () => {
+    const isOpening = !this.state.isOpen;
+    if (isOpening) {
+      this.loadSpaces();
+    }
 
-      this.setState({
-        isOpen: !this.state.isOpen
-      });
-    };
+    this.setState({
+      isOpen: !this.state.isOpen
+    });
+  };
 
-    closePortal = () => {
-      this.setState({
-        isOpen: false
-      });
-    }
+  closePortal = () => {
+    this.setState({
+      isOpen: false
+    });
+  }
 }
 
 NavControlModal.propTypes = {
diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
index 766dda7129df20..a9a69385339a27 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
@@ -2,74 +2,109 @@
 
 exports[`it renders without crashing 1`] = `
 <div
-  className="euiPage euiPage--widthIsNotRestricted"
+  className="euiPage euiPage--widthIsNotRestricted spaceSelector__page"
   style={undefined}
 >
   <div
-    className="euiPageHeader"
+    className="euiPageHeader spaceSelector__heading"
   >
     <div
-      className="euiPageHeaderSection logoHeader"
+      className="euiPageHeaderSection spaceSelector__logoHeader"
     >
-      <svg
-        className="euiIcon euiIcon--xxLarge"
-        focusable="false"
-        height="40"
-        style={
-          Object {
-            "fill": undefined,
+      <div
+        className="spaceSelector__logoCircle"
+      >
+        <svg
+          className="euiIcon euiIcon--xxLarge"
+          focusable="false"
+          height="40"
+          style={
+            Object {
+              "fill": undefined,
+            }
           }
-        }
-        tabIndex={undefined}
-        viewBox="0 0 30 40"
-        width="30"
-        xmlns="http://www.w3.org/2000/svg"
+          tabIndex={undefined}
+          viewBox="0 0 30 40"
+          width="30"
+          xmlns="http://www.w3.org/2000/svg"
+        >
+          <path
+            d="M.874 40H30c0-8.046-4.566-15.197-11.652-19.768L.874 40z"
+            fill="#3EBEB0"
+          />
+          <path
+            d="M0 26v14h1.873L18.35 20.229a31.291 31.291 0 0 0-3.562-1.974L0 26z"
+            fill="#37A595"
+          />
+          <path
+            d="M0 13v23l14.79-17.748C10.424 16.186 15.38 14 10 14L0 13z"
+            fill="#353535"
+          />
+          <path
+            d="M30 0H0v15c5.38 0 10.424 1.186 14.79 3.252L30 0z"
+            fill="#E9478B"
+          />
+        </svg>
+      </div>
+      <div
+        className="euiSpacer euiSpacer--l"
+      />
+      <span
+        className="euiTextColor euiTextColor--ghost euiTitle euiTitle--large"
       >
-        <path
-          d="M.874 40H30c0-8.046-4.566-15.197-11.652-19.768L.874 40z"
-          fill="#3EBEB0"
-        />
-        <path
-          d="M0 26v14h1.873L18.35 20.229a31.291 31.291 0 0 0-3.562-1.974L0 26z"
-          fill="#37A595"
-        />
-        <path
-          d="M0 13v23l14.79-17.748C10.424 16.186 15.38 14 10 14L0 13z"
-          fill="#353535"
-        />
-        <path
-          d="M30 0H0v15c5.38 0 10.424 1.186 14.79 3.252L30 0z"
-          fill="#E9478B"
-        />
-      </svg>
+        <p>
+          Select your space
+        </p>
+      </span>
     </div>
   </div>
   <div
     className="euiPageBody"
   >
     <div
-      className="euiPanel euiPanel--paddingLarge euiPageContent spaceSelectorPageContent"
+      className="euiPanel euiPanel--paddingLarge euiPageContent spaceSelector__pageContent"
     >
       <div
-        className="euiText spaceWelcomeText"
+        className="euiFlexGroup euiFlexGroup--gutterLarge euiFlexGroup--alignItemsCenter euiFlexGroup--directionColumn"
       >
-        <p
-          className="welcomeLarge"
+        <div
+          className="euiFlexItem"
         >
-          Welcome to Kibana.
-        </p>
-        <p
-          className="welcomeMedium"
-        >
-          Select a space to begin.
-        </p>
+          <div
+            className="euiText euiText--extraSmall"
+          >
+            <p>
+              You can change your space at anytime from within Kibana.
+            </p>
+          </div>
+        </div>
       </div>
-      <hr
-        className="euiHorizontalRule euiHorizontalRule--full euiHorizontalRule--marginLarge"
+      <div
+        className="euiSpacer euiSpacer--xl"
       />
+      <div
+        className="spaceCards"
+      >
+        <div
+          className="euiFlexGroup euiFlexGroup--gutterLarge euiFlexGroup--justifyContentCenter euiFlexGroup--directionRow euiFlexGroup--wrap"
+        />
+      </div>
       <div
         className="euiSpacer euiSpacer--l"
       />
+      <div
+        className="euiText"
+      >
+        <div
+          className="euiTextAlign euiTextAlign--center"
+        >
+          <span
+            className="euiTextColor euiTextColor--subdued"
+          >
+            No spaces match search criteria
+          </span>
+        </div>
+      </div>
     </div>
   </div>
 </div>
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.html b/x-pack/plugins/spaces/public/views/space_selector/space_selector.html
index 73bf9f23236f7c..2dbf9fac3f68b0 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.html
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.html
@@ -1,3 +1,3 @@
-<div ng-controller="spacesSelectorController">
+<div ng-controller="spacesSelectorController" id="spaceSelectorRootWrap">
   <div id="spaceSelectorRoot" />
 </div>
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
index 805dff7546decb..d0dbc65d4566a9 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { Component } from 'react';
+import React, { Component, Fragment } from 'react';
 import PropTypes from 'prop-types';
 import {
   EuiPage,
@@ -15,13 +15,19 @@ import {
   EuiIcon,
   EuiSpacer,
   EuiText,
-  EuiHorizontalRule,
+  EuiTextColor,
+  EuiTitle,
+  EuiFieldSearch,
+  EuiFlexGroup,
+  EuiFlexItem,
 } from '@elastic/eui';
 import { SpaceCards } from '../components/space_cards';
+import { SPACE_SEARCH_COUNT_THRESHOLD } from '../../../common/constants';
 
 export class SpaceSelector extends Component {
   state = {
     loading: false,
+    searchTerm: '',
     spaces: []
   };
 
@@ -53,34 +59,81 @@ export class SpaceSelector extends Component {
 
   render() {
     const {
-      spaces
+      spaces,
+      searchTerm,
     } = this.state;
 
+    let filteredSpaces = spaces;
+    if (searchTerm) {
+      filteredSpaces = spaces
+        .filter(s => s.name.toLowerCase().indexOf(searchTerm) >= 0 || s.description.toLowerCase().indexOf(searchTerm) >= 0);
+    }
+
     return (
-      <EuiPage>
-        <EuiPageHeader>
-          <EuiPageHeaderSection className="logoHeader">
-            <EuiIcon size="xxl" type={`logoKibana`} />
+      <EuiPage className="spaceSelector__page">
+        <EuiPageHeader className="spaceSelector__heading">
+          <EuiPageHeaderSection className="spaceSelector__logoHeader">
+            <div className="spaceSelector__logoCircle">
+              <EuiIcon size="xxl" type={`logoKibana`} />
+            </div>
+
+            <EuiSpacer />
+
+            <EuiTitle size="l">
+              <EuiTextColor color="ghost"><p>Select your space</p></EuiTextColor>
+            </EuiTitle>
           </EuiPageHeaderSection>
         </EuiPageHeader>
         <EuiPageBody>
-          <EuiPageContent className="spaceSelectorPageContent">
-            <EuiText className="spaceWelcomeText">
-              <p className="welcomeLarge">Welcome to Kibana.</p>
-              <p className="welcomeMedium">Select a space to begin.</p>
-            </EuiText>
+          <EuiPageContent className="spaceSelector__pageContent">
 
-            <EuiHorizontalRule />
+            <EuiFlexGroup direction="column" alignItems="center" responsive={false}>
+              {this.getSearchField()}
 
-            <SpaceCards spaces={spaces} />
+              <EuiFlexItem>
+                <EuiText size="xs"><p>You can change your space at anytime from within Kibana.</p></EuiText>
+              </EuiFlexItem>
+            </EuiFlexGroup>
 
-            <EuiSpacer />
+            <EuiSpacer size="xl" />
+
+            <SpaceCards spaces={filteredSpaces} />
+
+            {
+              filteredSpaces.length === 0 &&
+              <Fragment>
+                <EuiSpacer />
+                <EuiText color="subdued" textAlign="center">No spaces match search criteria</EuiText>
+              </Fragment>
+            }
 
           </EuiPageContent>
         </EuiPageBody>
       </EuiPage>
     );
   }
+
+  getSearchField = () => {
+    if (!this.props.spaces || this.props.spaces.length < SPACE_SEARCH_COUNT_THRESHOLD) {
+      return null;
+    }
+    return (
+      <EuiFlexItem className="spaceSelector__searchHolder">
+        <EuiFieldSearch
+          className="spaceSelector__searchField"
+          placeholder="Find a space"
+          incremental={true}
+          onSearch={this.onSearch}
+        />
+      </EuiFlexItem>
+    );
+  }
+
+  onSearch = (searchTerm = '') => {
+    this.setState({
+      searchTerm: searchTerm.trim().toLowerCase()
+    });
+  }
 }
 
 SpaceSelector.propTypes = {
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.less b/x-pack/plugins/spaces/public/views/space_selector/space_selector.less
index 4dcf7fad24b80c..33191ad976b44b 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.less
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.less
@@ -1,30 +1,46 @@
-.application, .euiPanel {
-  background: #f5f5f5
+@import "~ui/styles/variables";
+
+#spaceSelectorRootWrap, #spaceSelectorRoot {
+  background-color: @globalColorLightestGray;
 }
 
-.logoHeader {
-  width: 100%;
-  text-align: center;
+#spaceSelectorRootWrap {
+  flex-grow: 1;
+}
+.spaceSelector__page {
+  padding: 0;
 }
 
-.spaceWelcomeText, .spaceProfileText {
+.spaceSelector__pageContent {
+  background-color: transparent;
+  box-shadow: none;
+  border: none;
   text-align: center;
 }
 
-.spacesGroup {
-  margin: 30px 0 50px 0;
+.spaceSelector__heading {
+  padding: 40px 16px;
+  background-image: linear-gradient(-194deg, #027AA5 0%, #24A1AB 75%, #3BBBAF 100%, #3EBEB0 100%);
+  justify-content: center;
+  text-align: center;
 }
 
-.euiText .welcomeLarge {
-  font-size: 2em;
-  margin-bottom: 15px;
+.spaceSelector__logoCircle {
+  margin: 0 auto;
+  width: 80px;
+  height: 80px;
+  line-height: 80px;
+  text-align: center;
+  background-color: @globalColorWhite;
+  border-radius: 50%;
+  box-shadow:
+    0 6px 12px -1px fadeout(darken(@globalColorBlue, 10%), 80%),
+    0 4px 4px -1px fadeout(darken(@globalColorBlue, 10%), 80%),
+    0 2px 2px 0 fadeout(darken(@globalColorBlue, 10%), 80%);
 }
 
-.welcomeMedium {
-  font-size: 1.4em;
-}
 
-.spaceSelectorPageContent {
-  box-shadow: none;
-  border: none;
+.spaceSelector__searchHolder {
+  width: 400px; // make sure it's as wide as our default form element width
+  max-width: 100%;
 }
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
index 653b566a012e39..01ce98f97cf4f9 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
@@ -207,7 +207,6 @@ export function initSpacesApi(server) {
   async function getSpaceById(client, spaceId) {
     try {
       const existingSpace = await client.get('space', spaceId);
-      console.log(existingSpace);
       return {
         id: existingSpace.id,
         ...existingSpace.attributes

From f875cec8a40b3053a85d5624cbc9d466e22f1f4b Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Tue, 26 Jun 2018 09:51:04 -0400
Subject: [PATCH 056/183] Fix RBAC Phase 1 merge from master (#20226)

This updates RBAC Phase 1 to work against the latest master. Specifically:
1. Removes `xpack_main`'s `registerLicenseChangeCallback`, which we introduced in `security-app-privs`, in favor of `onLicenseInfoChange`, which was recently added to master
2. Updated `x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js` to be compliant with rxjs v6
---
 .../watch_status_and_license_to_initialize.js | 60 +++++++++--------
 ...h_status_and_license_to_initialize.test.js |  6 +-
 .../server/lib/__tests__/xpack_info.js        | 66 -------------------
 .../xpack_main/server/lib/xpack_info.js       | 16 -----
 .../apis/saved_objects/delete.js              |  2 +-
 .../apis/saved_objects/get.js                 |  2 +-
 .../apis/saved_objects/update.js              |  2 +-
 7 files changed, 37 insertions(+), 117 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
index 6e68a4e404705c..14aa3b3ed365ea 100644
--- a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
+++ b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
@@ -3,53 +3,55 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import { Observable } from 'rxjs';
+import * as Rx from 'rxjs';
+import { map, switchMap, tap } from 'rxjs/operators';
 
 export function watchStatusAndLicenseToInitialize(xpackMainPlugin, downstreamPlugin, initialize) {
   const xpackInfo = xpackMainPlugin.info;
   const xpackInfoFeature = xpackInfo.feature(downstreamPlugin.id);
 
   const upstreamStatus = xpackMainPlugin.status;
-  const currentStatus$ = Observable
+  const currentStatus$ = Rx
     .of({
       state: upstreamStatus.state,
       message: upstreamStatus.message,
     });
-  const newStatus$ = Observable
+  const newStatus$ = Rx
     .fromEvent(upstreamStatus, 'change', null, (previousState, previousMsg, state, message) => {
       return {
         state,
         message,
       };
     });
-  const status$ = Observable.merge(currentStatus$, newStatus$);
+  const status$ = Rx.merge(currentStatus$, newStatus$);
 
-  const currentLicense$ = Observable
-    .of(xpackInfoFeature.getLicenseCheckResults());
-  const newLicense$ = Observable
-    .fromEventPattern(xpackInfoFeature.registerLicenseChangeCallback)
-    .map(() => xpackInfoFeature.getLicenseCheckResults());
-  const license$ = Observable.merge(currentLicense$, newLicense$);
+  const currentLicense$ = Rx.of(xpackInfoFeature.getLicenseCheckResults());
+  const newLicense$ = Rx
+    .fromEventPattern(xpackInfo.onLicenseInfoChange.bind(xpackInfo))
+    .pipe(map(() => xpackInfoFeature.getLicenseCheckResults()));
+  const license$ = Rx.merge(currentLicense$, newLicense$);
 
-  Observable.combineLatest(status$, license$)
-    .map(([status, license]) => ({ status, license }))
-    .switchMap(({ status, license }) => {
-      if (status.state !== 'green') {
-        return Observable.of({ state: status.state, message: status.message });
-      }
+  Rx.combineLatest(status$, license$)
+    .pipe(
+      map(([status, license]) => ({ status, license })),
+      switchMap(({ status, license }) => {
+        if (status.state !== 'green') {
+          return Rx.of({ state: status.state, message: status.message });
+        }
 
-      return initialize(license)
-        .then(() => ({
-          state: 'green',
-          message: 'Ready',
-        }))
-        .catch((err) => ({
-          state: 'red',
-          message: err.message
-        }));
-    })
-    .do(({ state, message }) => {
-      downstreamPlugin.status[state](message);
-    })
+        return initialize(license)
+          .then(() => ({
+            state: 'green',
+            message: 'Ready',
+          }))
+          .catch((err) => ({
+            state: 'red',
+            message: err.message
+          }));
+      }),
+      tap(({ state, message }) => {
+        downstreamPlugin.status[state](message);
+      })
+    )
     .subscribe();
 }
diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
index 55c2d83ab48f60..7fa66cd5b3d77f 100644
--- a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
+++ b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
@@ -12,9 +12,6 @@ const createMockXpackMainPluginAndFeature = (featureId) => {
 
   const mockFeature = {
     getLicenseCheckResults: jest.fn(),
-    registerLicenseChangeCallback: (callback) => {
-      licenseChangeCallbacks.push(callback);
-    },
     mock: {
       triggerLicenseChange: () => {
         for (const callback of licenseChangeCallbacks) {
@@ -29,6 +26,9 @@ const createMockXpackMainPluginAndFeature = (featureId) => {
 
   const mockXpackMainPlugin = {
     info: {
+      onLicenseInfoChange: (callback) => {
+        licenseChangeCallbacks.push(callback);
+      },
       feature: (id) => {
         if (id === featureId) {
           return mockFeature;
diff --git a/x-pack/plugins/xpack_main/server/lib/__tests__/xpack_info.js b/x-pack/plugins/xpack_main/server/lib/__tests__/xpack_info.js
index ded2fe0e5eab6e..260b86d03f17a2 100644
--- a/x-pack/plugins/xpack_main/server/lib/__tests__/xpack_info.js
+++ b/x-pack/plugins/xpack_main/server/lib/__tests__/xpack_info.js
@@ -462,72 +462,6 @@ describe('XPackInfo', () => {
       });
     });
 
-    it('registerLicenseChangeCallback() does not invoke callbacks if license has not changed', async () => {
-      const securityFeature = xPackInfo.feature('security');
-      const watcherFeature = xPackInfo.feature('watcher');
-
-      const securityChangeCallback = sinon.stub();
-      securityFeature.registerLicenseChangeCallback(securityChangeCallback);
-
-      const watcherChangeCallback = sinon.stub();
-      watcherFeature.registerLicenseChangeCallback(watcherChangeCallback);
-
-      mockElasticsearchCluster.callWithInternalUser.returns(
-        getMockXPackInfoAPIResponse({ mode: 'gold' })
-      );
-
-      await xPackInfo.refreshNow();
-
-      sinon.assert.notCalled(securityChangeCallback);
-      sinon.assert.notCalled(watcherChangeCallback);
-    });
-
-    it('registerLicenseChangeCallback() invokes callbacks on license change', async () => {
-      const securityFeature = xPackInfo.feature('security');
-      const watcherFeature = xPackInfo.feature('watcher');
-
-      const securityChangeCallback = sinon.stub();
-      securityFeature.registerLicenseChangeCallback(securityChangeCallback);
-
-      const watcherChangeCallback = sinon.stub();
-      watcherFeature.registerLicenseChangeCallback(watcherChangeCallback);
-
-      mockElasticsearchCluster.callWithInternalUser.returns(
-        getMockXPackInfoAPIResponse({ mode: 'platinum' })
-      );
-
-      await xPackInfo.refreshNow();
-
-      sinon.assert.calledOnce(securityChangeCallback);
-      sinon.assert.calledOnce(watcherChangeCallback);
-    });
-
-    it('registerLicenseChangeCallback() gracefully handles callbacks that throw errors', async () => {
-      const securityFeature = xPackInfo.feature('security');
-      const watcherFeature = xPackInfo.feature('watcher');
-
-      const securityChangeCallback = sinon.stub().throws(new Error(`Something happened`));
-      securityFeature.registerLicenseChangeCallback(securityChangeCallback);
-
-      const watcherChangeCallback = sinon.stub();
-      watcherFeature.registerLicenseChangeCallback(watcherChangeCallback);
-
-      mockElasticsearchCluster.callWithInternalUser.returns(
-        getMockXPackInfoAPIResponse({ mode: 'platinum' })
-      );
-
-      await xPackInfo.refreshNow();
-
-      sinon.assert.calledOnce(securityChangeCallback);
-      sinon.assert.calledOnce(watcherChangeCallback);
-
-      sinon.assert.calledWithExactly(
-        mockServer.log,
-        ['license', 'error', 'xpack'],
-        `Error during invocation of license change callback for security. Error: Something happened`
-      );
-    });
-
     it('getLicenseCheckResults() correctly returns feature specific info.', async () => {
       const securityFeature = xPackInfo.feature('security');
       const watcherFeature = xPackInfo.feature('watcher');
diff --git a/x-pack/plugins/xpack_main/server/lib/xpack_info.js b/x-pack/plugins/xpack_main/server/lib/xpack_info.js
index 52f5c5e14d13af..39766c0ac8156c 100644
--- a/x-pack/plugins/xpack_main/server/lib/xpack_info.js
+++ b/x-pack/plugins/xpack_main/server/lib/xpack_info.js
@@ -36,12 +36,6 @@ export class XPackInfo {
    */
   _licenseInfoChangedListeners = new Set();
 
-  /**
-   * Feature name <-> license change callback mapping.
-   * @type {Map<string, Function>}
-   * @private
-   */
-  _featureLicenseChangeCallbacks = new Map();
 
   /**
    * Cache that may contain last xpack info API response or error, json representation
@@ -224,16 +218,6 @@ export class XPackInfo {
         this._cache.signature = undefined;
       },
 
-      /**
-       * Registers a callback function that will be called whenever the XPack license changes.
-       * Callback will be invoked after the license change have been applied to this XPack Info instance.
-       * Callbacks may be asynchronous, but will not be awaited.
-       * @param {Function} callback Function to call whenever the XPack license changes.
-       */
-      registerLicenseChangeCallback: (callback) => {
-        this._featureLicenseChangeCallbacks.set(name, callback);
-      },
-
       /**
        * Returns license check results that were previously produced by the `generator` function.
        * @returns {Object}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
index f89073acca7fda..d6bd0d61dd646a 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
@@ -21,7 +21,7 @@ export default function ({ getService }) {
       expect(resp.body).to.eql({
         statusCode: 404,
         error: 'Not Found',
-        message: 'Not Found'
+        message: 'Saved object [dashboard/not-a-real-id] not found'
       });
     };
 
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
index 029a44475b12e6..e055d9ef75e483 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
@@ -34,7 +34,7 @@ export default function ({ getService }) {
     const expectNotFound = (resp) => {
       expect(resp.body).to.eql({
         error: 'Not Found',
-        message: 'Not Found',
+        message: 'Saved object [visualization/foobar] not found',
         statusCode: 404,
       });
     };
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
index ae299348847d69..e3740ede1aaafb 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
@@ -34,7 +34,7 @@ export default function ({ getService }) {
       expect(resp.body).eql({
         statusCode: 404,
         error: 'Not Found',
-        message: 'Not Found'
+        message: 'Saved object [visualization/not an id] not found'
       });
     };
 

From be6445cb1404276d262e30fe137b959ba7b7a830 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Thu, 28 Jun 2018 13:57:19 -0400
Subject: [PATCH 057/183] Retrying initialize 20 times with a scaling backoff
 (#20297)

* Retrying initialize 20 times with a scaling backoff

* Logging error when we are registering the privileges
---
 .../privileges/privilege_action_registry.js   | 27 ++++---
 .../privilege_action_registry.test.js         | 79 +++++++++++++++++--
 .../watch_status_and_license_to_initialize.js | 40 +++++++---
 ...h_status_and_license_to_initialize.test.js | 59 +++++++++++++-
 4 files changed, 175 insertions(+), 30 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
index 822447dbcecedd..3112265a9b928e 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
@@ -22,16 +22,21 @@ export async function registerPrivilegesWithCluster(server) {
 
   const callCluster = getClient(server).callWithInternalUser;
 
-  // we only want to post the privileges when they're going to change as Elasticsearch has
-  // to clear the role cache to get these changes reflected in the _has_privileges API
-  const existingPrivileges = await callCluster(`shield.getPrivilege`, { privilege: application });
-  if (equivalentPrivileges(existingPrivileges, expectedPrivileges)) {
-    server.log(['security', 'debug'], `Kibana Privileges already registered with Elasticearch for ${application}`);
-    return;
-  }
+  try {
+    // we only want to post the privileges when they're going to change as Elasticsearch has
+    // to clear the role cache to get these changes reflected in the _has_privileges API
+    const existingPrivileges = await callCluster(`shield.getPrivilege`, { privilege: application });
+    if (equivalentPrivileges(existingPrivileges, expectedPrivileges)) {
+      server.log(['security', 'debug'], `Kibana Privileges already registered with Elasticearch for ${application}`);
+      return;
+    }
 
-  server.log(['security', 'debug'], `Updated Kibana Privileges with Elasticearch for ${application}`);
-  await callCluster('shield.postPrivileges', {
-    body: expectedPrivileges
-  });
+    server.log(['security', 'debug'], `Updated Kibana Privileges with Elasticearch for ${application}`);
+    await callCluster('shield.postPrivileges', {
+      body: expectedPrivileges
+    });
+  } catch (err) {
+    server.log(['security', 'error'], `Error registering Kibana Privileges with Elasticsearch for ${application}: ${err.message}`);
+    throw err;
+  }
 }
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
index c7aaa752eaa83b..8e2eac429724b1 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
@@ -19,6 +19,8 @@ const registerPrivilegesWithClusterTest = (description, {
   savedObjectTypes,
   expectedPrivileges,
   existingPrivileges,
+  throwErrorWhenGettingPrivileges,
+  throwErrorWhenPuttingPrivileges,
   assert
 }) => {
   const registerMockCallWithInternalUser = () => {
@@ -56,8 +58,9 @@ const registerPrivilegesWithClusterTest = (description, {
     return mockServer;
   };
 
-  const createExpectUpdatedPrivileges = (mockServer, mockCallWithInternalUser, privileges) => {
+  const createExpectUpdatedPrivileges = (mockServer, mockCallWithInternalUser, privileges, error) => {
     return () => {
+      expect(error).toBeUndefined();
       expect(mockCallWithInternalUser).toHaveBeenCalledTimes(2);
       expect(mockCallWithInternalUser).toHaveBeenCalledWith('shield.getPrivilege', {
         privilege: defaultApplication,
@@ -83,8 +86,9 @@ const registerPrivilegesWithClusterTest = (description, {
     };
   };
 
-  const createExpectDidntUpdatePrivileges = (mockServer, mockCallWithInternalUser) => {
+  const createExpectDidntUpdatePrivileges = (mockServer, mockCallWithInternalUser, error) => {
     return () => {
+      expect(error).toBeUndefined();
       expect(mockCallWithInternalUser).toHaveBeenCalledTimes(1);
       expect(mockCallWithInternalUser).toHaveBeenLastCalledWith('shield.getPrivilege', {
         privilege: defaultApplication
@@ -102,17 +106,49 @@ const registerPrivilegesWithClusterTest = (description, {
     };
   };
 
+  const createExpectErrorThrown = (mockServer, actualError) => {
+    return (expectedError) => {
+      expect(actualError).toBe(expectedError);
+
+      const application = settings['xpack.security.rbac.application'] || defaultApplication;
+      expect(mockServer.log).toHaveBeenCalledWith(
+        ['security', 'error'],
+        `Error registering Kibana Privileges with Elasticsearch for ${application}: ${expectedError.message}`
+      );
+    };
+  };
+
   test(description, async () => {
     const mockServer = createMockServer();
-    const mockCallWithInternalUser = registerMockCallWithInternalUser();
-    mockCallWithInternalUser.mockImplementationOnce(async () => ({ [defaultApplication]: existingPrivileges }));
+    const mockCallWithInternalUser = registerMockCallWithInternalUser()
+      .mockImplementationOnce(async () => {
+        if (throwErrorWhenGettingPrivileges) {
+          throw throwErrorWhenGettingPrivileges;
+        }
+
+        return {
+          [defaultApplication]: existingPrivileges
+        };
+      })
+      .mockImplementationOnce(async () => {
+        if (throwErrorWhenPuttingPrivileges) {
+          throw throwErrorWhenPuttingPrivileges;
+        }
+      });
+
     buildPrivilegeMap.mockReturnValue(expectedPrivileges);
 
-    await registerPrivilegesWithCluster(mockServer);
+    let error;
+    try {
+      await registerPrivilegesWithCluster(mockServer);
+    } catch (err) {
+      error = err;
+    }
 
     assert({
-      expectUpdatedPrivileges: createExpectUpdatedPrivileges(mockServer, mockCallWithInternalUser, expectedPrivileges),
-      expectDidntUpdatePrivileges: createExpectDidntUpdatePrivileges(mockServer, mockCallWithInternalUser),
+      expectUpdatedPrivileges: createExpectUpdatedPrivileges(mockServer, mockCallWithInternalUser, expectedPrivileges, error),
+      expectDidntUpdatePrivileges: createExpectDidntUpdatePrivileges(mockServer, mockCallWithInternalUser, error),
+      expectErrorThrown: createExpectErrorThrown(mockServer, error),
       mocks: {
         buildPrivilegeMap
       }
@@ -223,3 +259,32 @@ registerPrivilegesWithClusterTest(`doesn't update privileges when nested propert
     expectDidntUpdatePrivileges();
   }
 });
+
+const gettingPrivilegesError = new Error('Error getting privileges');
+registerPrivilegesWithClusterTest(`throws and logs error when errors getting privileges`, {
+  throwErrorWhenGettingPrivileges: gettingPrivilegesError,
+  assert: ({ expectErrorThrown }) => {
+    expectErrorThrown(gettingPrivilegesError);
+  }
+});
+
+const puttingPrivilegesError = new Error('Error putting privileges');
+registerPrivilegesWithClusterTest(`throws and logs error when errors putting privileges`, {
+  expectedPrivileges: {
+    kibana: {
+      foo: false,
+      bar: false
+    }
+  },
+  existingPrivileges: {
+    kibana: {
+      foo: true,
+      bar: true
+    }
+  },
+  throwErrorWhenPuttingPrivileges: puttingPrivilegesError,
+  assert: ({ expectErrorThrown }) => {
+    expectErrorThrown(puttingPrivilegesError);
+  }
+});
+
diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
index 14aa3b3ed365ea..c0f54b8b2fbf1f 100644
--- a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
+++ b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
@@ -4,7 +4,24 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 import * as Rx from 'rxjs';
-import { map, switchMap, tap } from 'rxjs/operators';
+import { catchError, mergeMap, map, retryWhen, switchMap, tap } from 'rxjs/operators';
+
+export const retryStrategy = ({
+  maxAttempts,
+  scalingDuration,
+}) => (errors) => {
+  return errors.pipe(
+    mergeMap((error, i) => {
+      const attempt = i + 1;
+
+      if (attempt >= maxAttempts) {
+        return Rx.throwError(error);
+      }
+
+      return Rx.timer(attempt * scalingDuration);
+    })
+  );
+};
 
 export function watchStatusAndLicenseToInitialize(xpackMainPlugin, downstreamPlugin, initialize) {
   const xpackInfo = xpackMainPlugin.info;
@@ -39,15 +56,18 @@ export function watchStatusAndLicenseToInitialize(xpackMainPlugin, downstreamPlu
           return Rx.of({ state: status.state, message: status.message });
         }
 
-        return initialize(license)
-          .then(() => ({
-            state: 'green',
-            message: 'Ready',
-          }))
-          .catch((err) => ({
-            state: 'red',
-            message: err.message
-          }));
+        return Rx.defer(() => initialize(license))
+          .pipe(
+            retryWhen(retryStrategy({ maxAttempts: 20, scalingDuration: 100 })),
+            map(() => ({
+              state: 'green',
+              message: 'Ready',
+            })),
+            catchError(err => Rx.of({
+              state: 'red',
+              message: err.message
+            }))
+          );
       }),
       tap(({ state, message }) => {
         downstreamPlugin.status[state](message);
diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
index 7fa66cd5b3d77f..6964255c535610 100644
--- a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
+++ b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
@@ -115,7 +115,9 @@ test(`sets downstream plugin's status to green when initialize resolves`, (done)
   });
 });
 
-test(`sets downstream plugin's status to red when initialize rejects`, (done) => {
+test(`sets downstream plugin's status to red when initialize rejects 20 times`, (done) => {
+  jest.useFakeTimers();
+
   const pluginId = 'foo-plugin';
   const errorMessage = 'the error message';
   const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
@@ -123,18 +125,71 @@ test(`sets downstream plugin's status to red when initialize rejects`, (done) =>
   const licenseCheckResults = Symbol();
   mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
   const downstreamPlugin = createMockDownstreamPlugin(pluginId);
-  const initializeMock = jest.fn().mockImplementation(() => Promise.reject(new Error(errorMessage)));
+
+  let initializeCount = 0;
+  const initializeMock = jest.fn().mockImplementation(() => {
+    ++initializeCount;
+
+    // everytime this is called, we have to wait for a new promise to be resolved
+    // allowing the Promise the we return below to run, and then advance the timers
+    setImmediate(async () => {
+      await Promise.resolve();
+      jest.advanceTimersByTime(initializeCount * 100);
+    });
+    return Promise.reject(new Error(errorMessage));
+  });
 
   watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
 
   expect(initializeMock).toHaveBeenCalledTimes(1);
   expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
   downstreamPlugin.status.red.mockImplementation(message => {
+    expect(initializeCount).toBe(20);
     expect(message).toBe(errorMessage);
     done();
   });
 });
 
+test(`sets downstream plugin's status to green when initialize resolves after rejecting 10 times`, (done) => {
+  jest.useFakeTimers();
+
+  const pluginId = 'foo-plugin';
+  const errorMessage = 'the error message';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green');
+  const licenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+
+  let initializeCount = 0;
+  const initializeMock = jest.fn().mockImplementation(() => {
+    ++initializeCount;
+
+    // everytime this is called, we have to wait for a new promise to be resolved
+    // allowing the Promise the we return below to run, and then advance the timers
+    setImmediate(async () => {
+      await Promise.resolve();
+      jest.advanceTimersByTime(initializeCount * 100);
+    });
+
+    if (initializeCount >= 10) {
+      return Promise.resolve();
+    }
+
+    return Promise.reject(new Error(errorMessage));
+  });
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+
+  expect(initializeMock).toHaveBeenCalledTimes(1);
+  expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
+  downstreamPlugin.status.green.mockImplementation(message => {
+    expect(initializeCount).toBe(10);
+    expect(message).toBe('Ready');
+    done();
+  });
+});
+
 test(`calls initialize twice when it gets a new license and the status is green`, (done) => {
   const pluginId = 'foo-plugin';
   const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);

From e3c1a991e44c0b1087ad11663180e90145e2b17b Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Fri, 29 Jun 2018 11:18:58 -0400
Subject: [PATCH 058/183] Alternate legacy fallback (#20322)

* Beginning to use alternate callWithRequest fallback

* Only use legacy fallback when user has "some" privileges on index

* Logging useLegacyFallback when there's an authorization failure

* Adding tests, logging failure during find no types fallback

* Switching to using an enum instead of success/useLegacyFallback

* Using _execute to share some of the structure

* Moving comment to where it belongs

* No longer audit logging when we use the legacy fallback
---
 x-pack/plugins/security/index.js              |  18 +-
 .../lib/authorization/has_privileges.js       | 197 +++---
 .../lib/authorization/has_privileges.test.js  | 385 +----------
 .../secure_saved_objects_client.js            | 170 ++---
 .../secure_saved_objects_client.test.js       | 603 +++++++++++++-----
 .../apis/saved_objects/bulk_get.js            |   4 +-
 .../apis/saved_objects/create.js              |  17 +-
 .../apis/saved_objects/delete.js              |  23 +-
 .../apis/saved_objects/find.js                |  82 ++-
 .../apis/saved_objects/get.js                 |   6 +-
 .../apis/saved_objects/update.js              |  23 +-
 11 files changed, 757 insertions(+), 771 deletions(-)

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 8e8ef10a9e2736..c72ebfa74e1c04 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -121,23 +121,21 @@ export const security = (kibana) => new kibana.Plugin({
       request,
     }) => {
       const adminCluster = server.plugins.elasticsearch.getCluster('admin');
+      const { callWithRequest, callWithInternalUser } = adminCluster;
+      const callCluster = (...args) => callWithRequest(request, ...args);
 
-      if (!xpackInfoFeature.getLicenseCheckResults().allowRbac) {
-        const { callWithRequest } = adminCluster;
-        const callCluster = (...args) => callWithRequest(request, ...args);
-
-        const repository = savedObjects.getSavedObjectsRepository(callCluster);
+      const callWithRequestRepository = savedObjects.getSavedObjectsRepository(callCluster);
 
-        return new savedObjects.SavedObjectsClient(repository);
+      if (!xpackInfoFeature.getLicenseCheckResults().allowRbac) {
+        return new savedObjects.SavedObjectsClient(callWithRequestRepository);
       }
 
       const hasPrivileges = hasPrivilegesWithRequest(request);
-      const { callWithInternalUser } = adminCluster;
-
-      const repository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
+      const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
 
       return new SecureSavedObjectsClient({
-        repository,
+        internalRepository,
+        callWithRequestRepository,
         errors: savedObjects.SavedObjectsClient.errors,
         hasPrivileges,
         auditLogger,
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
index 67de50730959c0..2f68c7fadaf95d 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
@@ -6,96 +6,12 @@
 
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
-import { buildPrivilegeMap, getVersionPrivilege, getLoginPrivilege } from '../privileges';
-
-const hasApplicationPrivileges = async (callWithRequest, request, kibanaVersion, application, privileges) => {
-  const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
-    body: {
-      applications: [{
-        application,
-        resources: [DEFAULT_RESOURCE],
-        privileges
-      }]
-    }
-  });
-
-  const hasPrivileges = privilegeCheck.application[application][DEFAULT_RESOURCE];
-
-  // We include the login action in all privileges, so the existence of it and not the version privilege
-  // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't
-  // know whether the user just wasn't authorized for this instance of Kibana in general
-  if (!hasPrivileges[getVersionPrivilege(kibanaVersion)] && hasPrivileges[getLoginPrivilege()]) {
-    throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
-  }
-
-  return {
-    username: privilegeCheck.username,
-    hasAllRequested: privilegeCheck.has_all_requested,
-    privileges: hasPrivileges
-  };
-};
-
-const hasLegacyPrivileges = async (
-  savedObjectTypes,
-  deprecationLogger,
-  callWithRequest,
-  request,
-  kibanaVersion,
-  application,
-  kibanaIndex,
-  privileges
-) => {
-  const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
-    body: {
-      index: [{
-        names: [kibanaIndex],
-        privileges: ['read', 'index']
-      }]
-    }
-  });
-
-  const createPrivileges = (cb) => {
-    return privileges.reduce((acc, name) => {
-      acc[name] = cb(name);
-      return acc;
-    }, {});
-  };
+import { getVersionPrivilege, getLoginPrivilege } from '../privileges';
 
-  const logDeprecation = () => {
-    deprecationLogger(
-      `Relying on implicit privileges determined from the index privileges is deprecated and will be removed in Kibana 7.0`
-    );
-  };
-
-  // if they have the index privilege, then we grant them all actions
-  if (privilegeCheck.index[kibanaIndex].index) {
-    logDeprecation();
-    const implicitPrivileges = createPrivileges(() => true);
-    return {
-      username: privilegeCheck.username,
-      hasAllRequested: true,
-      privileges: implicitPrivileges
-    };
-  }
-
-  // if they have the read privilege, then we only grant them the read actions
-  if (privilegeCheck.index[kibanaIndex].read) {
-    logDeprecation();
-    const privilegeMap = buildPrivilegeMap(savedObjectTypes, application, kibanaVersion);
-    const implicitPrivileges = createPrivileges(name => privilegeMap.read.actions.includes(name));
-
-    return {
-      username: privilegeCheck.username,
-      hasAllRequested: Object.values(implicitPrivileges).every(x => x),
-      privileges: implicitPrivileges,
-    };
-  }
-
-  return {
-    username: privilegeCheck.username,
-    hasAllRequested: false,
-    privileges: createPrivileges(() => false)
-  };
+export const HAS_PRIVILEGES_RESULT = {
+  UNAUTHORIZED: Symbol(),
+  AUTHORIZED: Symbol(),
+  LEGACY: Symbol(),
 };
 
 export function hasPrivilegesWithServer(server) {
@@ -105,45 +21,86 @@ export function hasPrivilegesWithServer(server) {
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
   const kibanaIndex = config.get('kibana.index');
-  const savedObjectTypes = server.savedObjects.types;
-  const deprecationLogger = (msg) => server.log(['warning', 'deprecated', 'security'], msg);
+
+  const loginPrivilege = getLoginPrivilege();
+  const versionPrivilege = getVersionPrivilege(kibanaVersion);
 
   return function hasPrivilegesWithRequest(request) {
-    return async function hasPrivileges(privileges) {
-      const loginPrivilege = getLoginPrivilege();
-      const versionPrivilege = getVersionPrivilege(kibanaVersion);
 
+    const hasApplicationPrivileges = async (privileges) => {
+      const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
+        body: {
+          applications: [{
+            application,
+            resources: [DEFAULT_RESOURCE],
+            privileges
+          }]
+        }
+      });
+
+      const hasPrivileges = privilegeCheck.application[application][DEFAULT_RESOURCE];
+
+      // We include the login action in all privileges, so the existence of it and not the version privilege
+      // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't
+      // know whether the user just wasn't authorized for this instance of Kibana in general
+      if (!hasPrivileges[getVersionPrivilege(kibanaVersion)] && hasPrivileges[getLoginPrivilege()]) {
+        throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
+      }
+
+      return {
+        username: privilegeCheck.username,
+        hasAllRequested: privilegeCheck.has_all_requested,
+        privileges: hasPrivileges
+      };
+    };
+
+    const hasPrivilegesOnKibanaIndex = async () => {
+      const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
+        body: {
+          index: [{
+            names: [kibanaIndex],
+            privileges: ['create', 'delete', 'read', 'view_index_metadata']
+          }]
+        }
+      });
+
+      return Object.values(privilegeCheck.index[kibanaIndex]).includes(true);
+    };
+
+    return async function hasPrivileges(privileges) {
       const allPrivileges = [versionPrivilege, loginPrivilege, ...privileges];
-      let privilegesCheck = await hasApplicationPrivileges(
-        callWithRequest,
-        request,
-        kibanaVersion,
-        application,
-        allPrivileges
-      );
-
-      if (!privilegesCheck.privileges[loginPrivilege]) {
-        privilegesCheck = await hasLegacyPrivileges(
-          savedObjectTypes,
-          deprecationLogger,
-          callWithRequest,
-          request,
-          kibanaVersion,
-          application,
-          kibanaIndex,
-          allPrivileges
-        );
+      const privilegesCheck = await hasApplicationPrivileges(allPrivileges);
+
+      const username = privilegesCheck.username;
+
+      // We don't want to expose the version privilege to consumers, as it's an implementation detail only to detect version mismatch
+      const missing = Object.keys(privilegesCheck.privileges)
+        .filter(p => !privilegesCheck.privileges[p])
+        .filter(p => p !== versionPrivilege);
+
+      if (privilegesCheck.hasAllRequested) {
+        return {
+          result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+          username,
+          missing,
+        };
       }
 
-      const success = privilegesCheck.hasAllRequested;
+      if (!privilegesCheck.privileges[loginPrivilege] && await hasPrivilegesOnKibanaIndex()) {
+        const msg = `Relying on implicit privileges determined from the index privileges is deprecated and will be removed in Kibana 7.0`;
+        server.log(['warning', 'deprecated', 'security'], msg);
+
+        return {
+          result: HAS_PRIVILEGES_RESULT.LEGACY,
+          username,
+          missing,
+        };
+      }
 
       return {
-        success,
-        // We don't want to expose the version privilege to consumers, as it's an implementation detail only to detect version mismatch
-        missing: Object.keys(privilegesCheck.privileges)
-          .filter(key => privilegesCheck.privileges[key] === false)
-          .filter(p => p !== versionPrivilege),
-        username: privilegesCheck.username,
+        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+        username,
+        missing,
       };
     };
   };
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
index 5203d477b16c81..7f38ba3965b786 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
@@ -4,18 +4,18 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { hasPrivilegesWithServer } from './has_privileges';
+import { hasPrivilegesWithServer, HAS_PRIVILEGES_RESULT } from './has_privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
-import { getLoginPrivilege, getVersionPrivilege, buildPrivilegeMap } from '../privileges';
+import { getLoginPrivilege, getVersionPrivilege } from '../privileges';
 
 jest.mock('../../../../../server/lib/get_client_shield', () => ({
   getClient: jest.fn()
 }));
 
-const defaultKibanaIndex = 'default-kibana-index';
 const defaultVersion = 'default-version';
 const defaultApplication = 'default-application';
+const defaultKibanaIndex = 'default-index';
 const savedObjectTypes = ['foo-type', 'bar-type'];
 
 const createMockServer = ({ settings = {} } = {}) => {
@@ -27,9 +27,9 @@ const createMockServer = ({ settings = {} } = {}) => {
   };
 
   const defaultSettings = {
-    'kibana.index': defaultKibanaIndex,
     'pkg.version': defaultVersion,
-    'xpack.security.rbac.application': defaultApplication
+    'xpack.security.rbac.application': defaultApplication,
+    'kibana.index': defaultKibanaIndex,
   };
 
   mockServer.config().get.mockImplementation(key => {
@@ -55,10 +55,8 @@ const mockApplicationPrivilegeResponse = ({ hasAllRequested, privileges, applica
   };
 };
 
-const mockLegacyResponse = ({ hasAllRequested, privileges, index = defaultKibanaIndex, username = '' }) => {
+const mockKibanaIndexPrivilegesResponse = ({ privileges, index = defaultKibanaIndex }) => {
   return {
-    username: username,
-    has_all_requested: hasAllRequested,
     index: {
       [index]: privileges
     }
@@ -86,7 +84,7 @@ const expectDeprecationLogged = (mockServer) => {
   expect(mockServer.log).toHaveBeenCalledWith(['warning', 'deprecated', 'security'], expect.stringContaining('deprecated'));
 };
 
-test(`returns success of true if they have all application privileges`, async () => {
+test(`returns authorized if they have all application privileges`, async () => {
   const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
   const username = 'foo-username';
   const mockServer = createMockServer();
@@ -122,13 +120,13 @@ test(`returns success of true if they have all application privileges`, async ()
     }
   });
   expect(result).toEqual({
-    success: true,
+    result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+    username,
     missing: [],
-    username
   });
 });
 
-test(`returns success of false if they have only one application privilege`, async () => {
+test(`returns unauthorized they have only one application privilege`, async () => {
   const privilege1 = `action:saved_objects/${savedObjectTypes[0]}/get`;
   const privilege2 = `action:saved_objects/${savedObjectTypes[0]}/create`;
   const username = 'foo-username';
@@ -166,9 +164,9 @@ test(`returns success of false if they have only one application privilege`, asy
     }
   });
   expect(result).toEqual({
-    success: false,
+    result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+    username,
     missing: [privilege2],
-    username
   });
 });
 
@@ -193,90 +191,8 @@ test(`throws error if missing version privilege and has login privilege`, async
   expectNoDeprecationLogged(mockServer);
 });
 
-test(`uses application privileges if the user has the login privilege`, async () => {
-  const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
-  const username = 'foo-username';
-  const mockServer = createMockServer();
-  const callWithRequest = createMockCallWithRequest([
-    mockApplicationPrivilegeResponse({
-      hasAllRequested: false,
-      privileges: {
-        [getVersionPrivilege(defaultVersion)]: true,
-        [getLoginPrivilege()]: true,
-        [privilege]: false,
-      },
-      username,
-    }),
-  ]);
-
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const request = Symbol();
-  const hasPrivileges = hasPrivilegesWithRequest(request);
-  const privileges = [privilege];
-  const result = await hasPrivileges(privileges);
-
-  expectNoDeprecationLogged(mockServer);
-  expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-    body: {
-      applications: [{
-        application: defaultApplication,
-        resources: [DEFAULT_RESOURCE],
-        privileges: [
-          getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
-        ]
-      }]
-    }
-  });
-  expect(result).toEqual({
-    success: false,
-    missing: [...privileges],
-    username,
-  });
-});
-
-test(`returns success of false using application privileges if the user has the login privilege`, async () => {
-  const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
-  const username = 'foo-username';
-  const mockServer = createMockServer();
-  const callWithRequest = createMockCallWithRequest([
-    mockApplicationPrivilegeResponse({
-      hasAllRequested: false,
-      privileges: {
-        [getVersionPrivilege(defaultVersion)]: true,
-        [getLoginPrivilege()]: true,
-        [privilege]: false,
-      },
-      username,
-    }),
-  ]);
-
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const request = Symbol();
-  const hasPrivileges = hasPrivilegesWithRequest(request);
-  const privileges = [privilege];
-  const result = await hasPrivileges(privileges);
-
-  expectNoDeprecationLogged(mockServer);
-  expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-    body: {
-      applications: [{
-        application: defaultApplication,
-        resources: [DEFAULT_RESOURCE],
-        privileges: [
-          getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
-        ]
-      }]
-    }
-  });
-  expect(result).toEqual({
-    success: false,
-    missing: [...privileges],
-    username,
-  });
-});
-
 describe('legacy fallback with no application privileges', () => {
-  test(`returns success of false if the user has no legacy privileges`, async () => {
+  test(`returns unauthorized if they have no privileges on the kibana index`, async () => {
     const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
     const username = 'foo-username';
     const mockServer = createMockServer();
@@ -290,13 +206,13 @@ describe('legacy fallback with no application privileges', () => {
         },
         username,
       }),
-      mockLegacyResponse({
-        hasAllRequested: false,
+      mockKibanaIndexPrivilegesResponse({
         privileges: {
+          create: false,
+          delete: false,
           read: false,
-          index: false,
+          view_index_metadata: false,
         },
-        username,
       })
     ]);
 
@@ -322,198 +238,20 @@ describe('legacy fallback with no application privileges', () => {
       body: {
         index: [{
           names: [ defaultKibanaIndex ],
-          privileges: ['read', 'index']
-        }]
-      }
-    });
-    expect(result).toEqual({
-      success: false,
-      missing: [getLoginPrivilege(), ...privileges],
-      username,
-    });
-  });
-
-  test(`returns success of true if the user has index privilege on kibana index`, async () => {
-    const privilege = 'something-completely-arbitrary';
-    const username = 'foo-username';
-    const mockServer = createMockServer();
-    const callWithRequest = createMockCallWithRequest([
-      mockApplicationPrivilegeResponse({
-        hasAllRequested: false,
-        privileges: {
-          [getVersionPrivilege(defaultVersion)]: false,
-          [getLoginPrivilege()]: false,
-          [privilege]: false,
-        },
-        username,
-      }),
-      mockLegacyResponse({
-        hasAllRequested: false,
-        privileges: {
-          read: false,
-          index: true,
-        },
-        username,
-      })
-    ]);
-
-    const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-    const request = Symbol();
-    const hasPrivileges = hasPrivilegesWithRequest(request);
-    const privileges = ['foo'];
-    const result = await hasPrivileges(privileges);
-
-    expectDeprecationLogged(mockServer);
-    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-      body: {
-        applications: [{
-          application: defaultApplication,
-          resources: [DEFAULT_RESOURCE],
-          privileges: [
-            getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
-          ]
-        }]
-      }
-    });
-    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-      body: {
-        index: [{
-          names: [ defaultKibanaIndex ],
-          privileges: ['read', 'index']
-        }]
-      }
-    });
-    expect(result).toEqual({
-      success: true,
-      missing: [],
-      username,
-    });
-  });
-
-  test(`returns success of false if the user has the read privilege on kibana index but the privilege isn't a read action`, async () => {
-    const privilege = 'something-completely-arbitrary';
-    const username = 'foo-username';
-    const mockServer = createMockServer();
-    const callWithRequest = createMockCallWithRequest([
-      mockApplicationPrivilegeResponse({
-        hasAllRequested: false,
-        privileges: {
-          [getVersionPrivilege(defaultVersion)]: false,
-          [getLoginPrivilege()]: false,
-          [privilege]: false,
-        },
-        username,
-      }),
-      mockLegacyResponse({
-        hasAllRequested: false,
-        privileges: {
-          read: true,
-          index: false,
-        },
-        username,
-      })
-    ]);
-
-    const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-    const request = Symbol();
-    const hasPrivileges = hasPrivilegesWithRequest(request);
-    const privileges = [privilege];
-    const result = await hasPrivileges(privileges);
-
-    expectDeprecationLogged(mockServer);
-    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-      body: {
-        applications: [{
-          application: defaultApplication,
-          resources: [DEFAULT_RESOURCE],
-          privileges: [
-            getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
-          ]
-        }]
-      }
-    });
-    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-      body: {
-        index: [{
-          names: [ defaultKibanaIndex ],
-          privileges: ['read', 'index']
+          privileges: ['create', 'delete', 'read', 'view_index_metadata']
         }]
       }
     });
     expect(result).toEqual({
-      success: false,
-      missing: [ privilege ],
+      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
+      missing: [getLoginPrivilege(), ...privileges],
     });
   });
 
-  test(`returns success of false if the user has the read privilege on kibana index but one privilege isn't a read action`, async () => {
-    const privilegeMap = buildPrivilegeMap(savedObjectTypes, defaultApplication, defaultVersion);
-
-    const actions = privilegeMap.read.actions.filter(a => a !== getVersionPrivilege(defaultVersion) && a !== getLoginPrivilege());
-    for (const action of actions) {
-      const privilege1 = 'something-completely-arbitrary';
-      const privilege2 = action;
-      const username = 'foo-username';
-      const mockServer = createMockServer();
-      const callWithRequest = createMockCallWithRequest([
-        mockApplicationPrivilegeResponse({
-          hasAllRequested: false,
-          privileges: {
-            [getVersionPrivilege(defaultVersion)]: false,
-            [getLoginPrivilege()]: false,
-            [privilege1]: false,
-            [privilege2]: true
-          },
-          username,
-        }),
-        mockLegacyResponse({
-          hasAllRequested: false,
-          privileges: {
-            read: true,
-            index: false,
-          },
-          username,
-        })
-      ]);
-      const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-      const request = Symbol();
-      const hasPrivileges = hasPrivilegesWithRequest(request);
-      const privileges = [privilege1, privilege2];
-      const result = await hasPrivileges(privileges);
-
-      expectDeprecationLogged(mockServer);
-      expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-        body: {
-          applications: [{
-            application: defaultApplication,
-            resources: [DEFAULT_RESOURCE],
-            privileges: [
-              getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
-            ]
-          }]
-        }
-      });
-      expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-        body: {
-          index: [{
-            names: [ defaultKibanaIndex ],
-            privileges: ['read', 'index']
-          }]
-        }
-      });
-      expect(result).toEqual({
-        success: false,
-        missing: [ privilege1 ],
-        username,
-      });
-    }
-  });
-
-  test(`returns success of true if the user has the read privilege on kibana index and the privilege is a read action`, async () => {
-    const privilegeMap = buildPrivilegeMap(savedObjectTypes, defaultApplication, defaultVersion);
-    for (const action of privilegeMap.read.actions) {
-      const privilege = action;
+  ['create', 'delete', 'read', 'view_index_metadata'].forEach(indexPrivilege => {
+    test(`returns legacy if they have ${indexPrivilege} privilege on the kibana index`, async () => {
+      const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
       const username = 'foo-username';
       const mockServer = createMockServer();
       const callWithRequest = createMockCallWithRequest([
@@ -526,13 +264,14 @@ describe('legacy fallback with no application privileges', () => {
           },
           username,
         }),
-        mockLegacyResponse({
-          hasAllRequested: false,
+        mockKibanaIndexPrivilegesResponse({
           privileges: {
-            read: true,
-            index: false,
+            create: false,
+            delete: false,
+            read: false,
+            view_index_metadata: false,
+            [indexPrivilege]: true
           },
-          username,
         })
       ]);
 
@@ -558,75 +297,15 @@ describe('legacy fallback with no application privileges', () => {
         body: {
           index: [{
             names: [ defaultKibanaIndex ],
-            privileges: ['read', 'index']
+            privileges: ['create', 'delete', 'read', 'view_index_metadata']
           }]
         }
       });
       expect(result).toEqual({
-        success: true,
-        missing: [],
+        result: HAS_PRIVILEGES_RESULT.LEGACY,
         username,
+        missing: [getLoginPrivilege(), ...privileges],
       });
-    }
-  });
-
-  test(`returns success of true if the user has the read privilege on kibana index and all privileges are read actions`, async () => {
-    const privilegeMap = buildPrivilegeMap(savedObjectTypes, defaultApplication, defaultVersion);
-    const privileges = privilegeMap.read.actions;
-    const username = 'foo-username';
-    const mockServer = createMockServer();
-    const callWithRequest = createMockCallWithRequest([
-      mockApplicationPrivilegeResponse({
-        hasAllRequested: false,
-        privileges: {
-          [getVersionPrivilege(defaultVersion)]: false,
-          [getLoginPrivilege()]: false,
-          ...privileges.reduce((acc, name) => {
-            acc[name] = false;
-            return acc;
-          }, {})
-        },
-        username,
-      }),
-      mockLegacyResponse({
-        hasAllRequested: false,
-        privileges: {
-          read: true,
-          index: false,
-        },
-        username,
-      })
-    ]);
-
-    const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-    const request = Symbol();
-    const hasPrivileges = hasPrivilegesWithRequest(request);
-    const result = await hasPrivileges(privileges);
-
-    expectDeprecationLogged(mockServer);
-    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-      body: {
-        applications: [{
-          application: defaultApplication,
-          resources: [DEFAULT_RESOURCE],
-          privileges: [
-            getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
-          ]
-        }]
-      }
-    });
-    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-      body: {
-        index: [{
-          names: [ defaultKibanaIndex ],
-          privileges: ['read', 'index']
-        }]
-      }
-    });
-    expect(result).toEqual({
-      success: true,
-      missing: [],
-      username,
     });
   });
 });
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index 83e6123f06df5f..fce39c03d6e06d 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -5,6 +5,7 @@
  */
 
 import { get, uniq } from 'lodash';
+import { HAS_PRIVILEGES_RESULT } from '../authorization/has_privileges';
 
 const getPrivilege = (type, action) => {
   return `action:saved_objects/${type}/${action}`;
@@ -14,124 +15,147 @@ export class SecureSavedObjectsClient {
   constructor(options) {
     const {
       errors,
-      repository,
+      internalRepository,
+      callWithRequestRepository,
       hasPrivileges,
       auditLogger,
       savedObjectTypes,
     } = options;
 
     this.errors = errors;
-    this._repository = repository;
+    this._internalRepository = internalRepository;
+    this._callWithRequestRepository = callWithRequestRepository;
     this._hasPrivileges = hasPrivileges;
     this._auditLogger = auditLogger;
     this._savedObjectTypes = savedObjectTypes;
   }
 
   async create(type, attributes = {}, options = {}) {
-    await this._performAuthorizationCheck(type, 'create', {
+    return await this._execute(
       type,
-      attributes,
-      options,
-    });
-
-    return await this._repository.create(type, attributes, options);
+      'create',
+      { type, attributes, options },
+      repository => repository.create(type, attributes, options),
+    );
   }
 
   async bulkCreate(objects, options = {}) {
     const types = uniq(objects.map(o => o.type));
-    await this._performAuthorizationCheck(types, 'bulk_create', {
-      objects,
-      options,
-    });
-
-    return await this._repository.bulkCreate(objects, options);
+    return await this._execute(
+      types,
+      'bulk_create',
+      { objects, options },
+      repository => repository.bulkCreate(objects, options),
+    );
   }
 
   async delete(type, id) {
-    await this._performAuthorizationCheck(type, 'delete', {
+    return await this._execute(
       type,
-      id,
-    });
-
-    return await this._repository.delete(type, id);
+      'delete',
+      { type, id },
+      repository => repository.delete(type, id),
+    );
   }
 
   async find(options = {}) {
-    const action = 'find';
-
-    // when we have the type or types, it makes our life easy
     if (options.type) {
-      await this._performAuthorizationCheck(options.type, action, { options });
-      return await this._repository.find(options);
+      return await this._findWithTypes(options);
     }
 
-    // otherwise, we have to filter for only their authorized types
-    const types = this._savedObjectTypes;
-    const typesToPrivilegesMap = new Map(types.map(type => [type, getPrivilege(type, action)]));
-    const hasPrivilegesResult = await this._hasSavedObjectPrivileges(Array.from(typesToPrivilegesMap.values()));
-    const authorizedTypes = Array.from(typesToPrivilegesMap.entries())
-      .filter(([ , privilege]) => !hasPrivilegesResult.missing.includes(privilege))
-      .map(([type]) => type);
-
-    if (authorizedTypes.length === 0) {
-      this._auditLogger.savedObjectsAuthorizationFailure(
-        hasPrivilegesResult.username,
-        action,
-        types,
-        hasPrivilegesResult.missing,
-        { options }
-      );
-      throw this.errors.decorateForbiddenError(new Error(`Not authorized to find saved_object`));
-    }
-    this._auditLogger.savedObjectsAuthorizationSuccess(hasPrivilegesResult.username, action, authorizedTypes, { options });
+    return await this._findAcrossAllTypes(options);
+  }
 
-    return await this._repository.find({
-      ...options,
-      type: authorizedTypes
-    });
+  async _findWithTypes(options) {
+    return await this._execute(
+      options.type,
+      'find',
+      { options },
+      repository => repository.find(options)
+    );
   }
 
   async bulkGet(objects = []) {
     const types = uniq(objects.map(o => o.type));
-    await this._performAuthorizationCheck(types, 'bulk_get', {
-      objects,
-    });
-
-    return await this._repository.bulkGet(objects);
+    return await this._execute(
+      types,
+      'bulk_get',
+      { objects },
+      repository => repository.bulkGet(objects)
+    );
   }
 
   async get(type, id) {
-    await this._performAuthorizationCheck(type, 'get', {
+    return await this._execute(
       type,
-      id,
-    });
-
-    return await this._repository.get(type, id);
+      'get',
+      { type, id },
+      repository => repository.get(type, id)
+    );
   }
 
   async update(type, id, attributes, options = {}) {
-    await this._performAuthorizationCheck(type, 'update', {
+    return await this._execute(
       type,
-      id,
-      attributes,
-      options,
-    });
-
-    return await this._repository.update(type, id, attributes, options);
+      'update',
+      { type, id, attributes, options },
+      repository => repository.update(type, id, attributes, options)
+    );
   }
 
-  async _performAuthorizationCheck(typeOrTypes, action, args) {
+  async _execute(typeOrTypes, action, args, fn) {
     const types = Array.isArray(typeOrTypes) ? typeOrTypes : [typeOrTypes];
     const privileges = types.map(type => getPrivilege(type, action));
-    const result = await this._hasSavedObjectPrivileges(privileges);
-
-    if (result.success) {
-      this._auditLogger.savedObjectsAuthorizationSuccess(result.username, action, types, args);
-    } else {
-      this._auditLogger.savedObjectsAuthorizationFailure(result.username, action, types, result.missing, args);
-      const msg = `Unable to ${action} ${types.sort().join(',')}, missing ${result.missing.sort().join(',')}`;
-      throw this.errors.decorateForbiddenError(new Error(msg));
+    const { result, username, missing } = await this._hasSavedObjectPrivileges(privileges);
+
+    switch (result) {
+      case HAS_PRIVILEGES_RESULT.AUTHORIZED:
+        this._auditLogger.savedObjectsAuthorizationSuccess(username, action, types, args);
+        return await fn(this._internalRepository);
+      case HAS_PRIVILEGES_RESULT.LEGACY:
+        return await fn(this._callWithRequestRepository);
+      case HAS_PRIVILEGES_RESULT.UNAUTHORIZED:
+        this._auditLogger.savedObjectsAuthorizationFailure(username, action, types, missing, args);
+        const msg = `Unable to ${action} ${types.sort().join(',')}, missing ${missing.sort().join(',')}`;
+        throw this.errors.decorateForbiddenError(new Error(msg));
+      default:
+        throw new Error('Unexpected result from hasPrivileges');
+    }
+  }
+
+  async _findAcrossAllTypes(options) {
+    const action = 'find';
+
+    // we have to filter for only their authorized types
+    const types = this._savedObjectTypes;
+    const typesToPrivilegesMap = new Map(types.map(type => [type, getPrivilege(type, action)]));
+    const { result, username, missing } = await this._hasSavedObjectPrivileges(Array.from(typesToPrivilegesMap.values()));
+
+    if (result === HAS_PRIVILEGES_RESULT.LEGACY) {
+      return await this._callWithRequestRepository.find(options);
+    }
+
+    const authorizedTypes = Array.from(typesToPrivilegesMap.entries())
+      .filter(([ , privilege]) => !missing.includes(privilege))
+      .map(([type]) => type);
+
+    if (authorizedTypes.length === 0) {
+      this._auditLogger.savedObjectsAuthorizationFailure(
+        username,
+        action,
+        types,
+        missing,
+        { options }
+      );
+      throw this.errors.decorateForbiddenError(new Error(`Not authorized to find saved_object`));
     }
+
+    this._auditLogger.savedObjectsAuthorizationSuccess(username, action, authorizedTypes, { options });
+
+    return await this._internalRepository.find({
+      ...options,
+      type: authorizedTypes
+    });
   }
 
   async _hasSavedObjectPrivileges(privileges) {
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
index 0f9fa6610f683f..4d77c48c56b950 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
@@ -5,6 +5,7 @@
  */
 
 import { SecureSavedObjectsClient } from './secure_saved_objects_client';
+import { HAS_PRIVILEGES_RESULT } from '../authorization/has_privileges';
 
 const createMockErrors = () => {
   const forbiddenError = new Error('Mock ForbiddenError');
@@ -36,16 +37,37 @@ describe('#errors', () => {
 });
 
 describe('#create', () => {
-  test(`throws decorated ForbiddenError when user doesn't have privileges`, async () => {
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+
+    await expect(client.create(type)).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/create`]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated ForbiddenError when unauthorized`, async () => {
     const type = 'foo';
     const username = Symbol();
     const mockErrors = createMockErrors();
     const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      success: false,
+      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username,
       missing: [
         `action:saved_objects/${type}/create`
       ],
-      username
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
@@ -74,28 +96,39 @@ describe('#create', () => {
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
 
-  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+  test(`returns result of internalRepository.create when authorized`, async () => {
     const type = 'foo';
-    const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
-      throw new Error();
-    });
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      create: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+      username,
+    }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
+      internalRepository: mockRepository,
       hasPrivileges: mockHasPrivileges,
       auditLogger: mockAuditLogger,
     });
+    const attributes = Symbol();
+    const options = Symbol();
 
-    await expect(client.create(type)).rejects.toThrowError(mockErrors.generalError);
+    const result = await client.create(type, attributes, options);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/create`]);
-    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(result).toBe(returnValue);
+    expect(mockRepository.create).toHaveBeenCalledWith(type, attributes, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'create', [type], {
+      type,
+      attributes,
+      options,
+    });
   });
 
-  test(`calls and returns result of repository.create`, async () => {
+  test(`returns result of callWithRequestRepository.create when legacy`, async () => {
     const type = 'foo';
     const username = Symbol();
     const returnValue = Symbol();
@@ -103,12 +136,15 @@ describe('#create', () => {
       create: jest.fn().mockReturnValue(returnValue)
     };
     const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      success: true,
+      result: HAS_PRIVILEGES_RESULT.LEGACY,
       username,
+      missing: [
+        `action:saved_objects/${type}/create`
+      ],
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
-      repository: mockRepository,
+      callWithRequestRepository: mockRepository,
       hasPrivileges: mockHasPrivileges,
       auditLogger: mockAuditLogger,
     });
@@ -119,27 +155,44 @@ describe('#create', () => {
 
     expect(result).toBe(returnValue);
     expect(mockRepository.create).toHaveBeenCalledWith(type, attributes, options);
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'create', [type], {
-      type,
-      attributes,
-      options,
-    });
   });
 });
 
 describe('#bulkCreate', () => {
-  test(`throws decorated ForbiddenError when user doesn't have privileges`, async () => {
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+
+    await expect(client.bulkCreate([{ type }])).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/bulk_create`]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated ForbiddenError when unauthorized`, async () => {
     const type1 = 'foo';
     const type2 = 'bar';
     const username = Symbol();
     const mockErrors = createMockErrors();
     const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      success: false,
+      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username,
       missing: [
         `action:saved_objects/${type1}/bulk_create`
       ],
-      username,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
@@ -173,28 +226,42 @@ describe('#bulkCreate', () => {
     );
   });
 
-  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
-    const type = 'foo';
-    const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
-      throw new Error();
-    });
+  test(`returns result of internalRepository.bulkCreate when authorized`, async () => {
+    const username = Symbol();
+    const type1 = 'foo';
+    const type2 = 'bar';
+    const returnValue = Symbol();
+    const mockRepository = {
+      bulkCreate: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+      username,
+    }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
+      internalRepository: mockRepository,
       hasPrivileges: mockHasPrivileges,
       auditLogger: mockAuditLogger,
     });
+    const objects = [
+      { type: type1, otherThing: 'sup' },
+      { type: type2, otherThing: 'everyone' },
+    ];
+    const options = Symbol();
 
-    await expect(client.bulkCreate([{ type }])).rejects.toThrowError(mockErrors.generalError);
+    const result = await client.bulkCreate(objects, options);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/bulk_create`]);
-    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(result).toBe(returnValue);
+    expect(mockRepository.bulkCreate).toHaveBeenCalledWith(objects, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_create', [type1, type2], {
+      objects,
+      options,
+    });
   });
 
-  test(`calls and returns result of repository.bulkCreate`, async () => {
+  test(`returns result of callWithRequestRepository.bulkCreate when legacy`, async () => {
     const username = Symbol();
     const type1 = 'foo';
     const type2 = 'bar';
@@ -203,12 +270,16 @@ describe('#bulkCreate', () => {
       bulkCreate: jest.fn().mockReturnValue(returnValue)
     };
     const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      success: true,
+      result: HAS_PRIVILEGES_RESULT.LEGACY,
       username,
+      missing: [
+        `action:saved_objects/${type1}/bulk_create`,
+        `action:saved_objects/${type2}/bulk_create`,
+      ],
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
-      repository: mockRepository,
+      callWithRequestRepository: mockRepository,
       hasPrivileges: mockHasPrivileges,
       auditLogger: mockAuditLogger,
     });
@@ -223,24 +294,42 @@ describe('#bulkCreate', () => {
     expect(result).toBe(returnValue);
     expect(mockRepository.bulkCreate).toHaveBeenCalledWith(objects, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_create', [type1, type2], {
-      objects,
-      options,
-    });
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
 });
 
 describe('#delete', () => {
-  test(`throws decorated ForbiddenError when user doesn't have privileges`, async () => {
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+
+    await expect(client.delete(type)).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/delete`]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated ForbiddenError when unauthorized`, async () => {
     const type = 'foo';
     const username = Symbol();
     const mockErrors = createMockErrors();
     const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      success: false,
+      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username,
       missing: [
         `action:saved_objects/${type}/delete`
       ],
-      username,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
@@ -267,28 +356,37 @@ describe('#delete', () => {
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
 
-  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+  test(`returns result of internalRepository.delete when authorized`, async () => {
     const type = 'foo';
-    const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
-      throw new Error();
-    });
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      delete: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+      username,
+    }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
+      internalRepository: mockRepository,
       hasPrivileges: mockHasPrivileges,
       auditLogger: mockAuditLogger,
     });
+    const id = Symbol();
 
-    await expect(client.delete(type)).rejects.toThrowError(mockErrors.generalError);
+    const result = await client.delete(type, id);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/delete`]);
-    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(result).toBe(returnValue);
+    expect(mockRepository.delete).toHaveBeenCalledWith(type, id);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'delete', [type], {
+      type,
+      id,
+    });
   });
 
-  test(`calls and returns result of repository.delete`, async () => {
+  test(`returns result of internalRepository.delete when legacy`, async () => {
     const type = 'foo';
     const username = Symbol();
     const returnValue = Symbol();
@@ -296,12 +394,15 @@ describe('#delete', () => {
       delete: jest.fn().mockReturnValue(returnValue)
     };
     const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      success: true,
+      result: HAS_PRIVILEGES_RESULT.LEGACY,
       username,
+      missing: [
+        `action:saved_objects/${type}/delete`
+      ],
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
-      repository: mockRepository,
+      callWithRequestRepository: mockRepository,
       hasPrivileges: mockHasPrivileges,
       auditLogger: mockAuditLogger,
     });
@@ -312,31 +413,49 @@ describe('#delete', () => {
     expect(result).toBe(returnValue);
     expect(mockRepository.delete).toHaveBeenCalledWith(type, id);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'delete', [type], {
-      type,
-      id,
-    });
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
 });
 
 describe('#find', () => {
   describe('type', () => {
-    test(`throws decorated ForbiddenError when type is sinuglar and user isn't authorized`, async () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+        throw new Error();
+      });
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        hasPrivileges: mockHasPrivileges,
+        auditLogger: mockAuditLogger,
+      });
+
+      await expect(client.find({ type })).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when type's singular and unauthorized`, async () => {
       const type = 'foo';
       const username = Symbol();
       const mockRepository = {};
       const mockErrors = createMockErrors();
       const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        success: false,
+        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+        username,
         missing: [
           `action:saved_objects/${type}/find`
         ],
-        username,
       }));
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
-        repository: mockRepository,
+        internalRepository: mockRepository,
         hasPrivileges: mockHasPrivileges,
         auditLogger: mockAuditLogger,
       });
@@ -358,23 +477,21 @@ describe('#find', () => {
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
     });
 
-    test(`throws decorated ForbiddenError when type is an array and user isn't authorized for one type`, async () => {
+    test(`throws decorated ForbiddenError when type's an array and unauthorized`, async () => {
       const type1 = 'foo';
       const type2 = 'bar';
       const username = Symbol();
-      const mockRepository = {};
       const mockErrors = createMockErrors();
       const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        success: false,
+        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+        username,
         missing: [
           `action:saved_objects/${type1}/find`
         ],
-        username,
       }));
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
-        repository: mockRepository,
         hasPrivileges: mockHasPrivileges,
         auditLogger: mockAuditLogger,
       });
@@ -396,19 +513,19 @@ describe('#find', () => {
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
     });
 
-    test(`throws decorated ForbiddenError when type is an array and user isn't authorized for either type`, async () => {
+    test(`throws decorated ForbiddenError when type's an array and unauthorized`, async () => {
       const type1 = 'foo';
       const type2 = 'bar';
       const username = Symbol();
       const mockRepository = {};
       const mockErrors = createMockErrors();
       const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        success: false,
+        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+        username,
         missing: [
           `action:saved_objects/${type1}/find`,
           `action:saved_objects/${type2}/find`
         ],
-        username,
       }));
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
@@ -435,28 +552,36 @@ describe('#find', () => {
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
     });
 
-    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    test(`returns result of internalRepository.find when authorized`, async () => {
       const type = 'foo';
-      const mockErrors = createMockErrors();
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => {
-        throw new Error();
-      });
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockRepository = {
+        find: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+        result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+        username,
+      }));
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
-        errors: mockErrors,
+        internalRepository: mockRepository,
         hasPrivileges: mockHasPrivileges,
         auditLogger: mockAuditLogger,
       });
+      const options = { type };
 
-      await expect(client.find({ type })).rejects.toThrowError(mockErrors.generalError);
+      const result = await client.find(options);
 
-      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
-      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(result).toBe(returnValue);
+      expect(mockRepository.find).toHaveBeenCalledWith({ type });
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'find', [type], {
+        options,
+      });
     });
 
-    test(`calls and returns result of repository.find`, async () => {
+    test(`returns result of callWithRequestRepository.find when legacy`, async () => {
       const type = 'foo';
       const username = Symbol();
       const returnValue = Symbol();
@@ -464,12 +589,15 @@ describe('#find', () => {
         find: jest.fn().mockReturnValue(returnValue)
       };
       const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        success: true,
+        result: HAS_PRIVILEGES_RESULT.LEGACY,
         username,
+        missing: [
+          `action:saved_objects/${type}/find`
+        ],
       }));
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
-        repository: mockRepository,
+        callWithRequestRepository: mockRepository,
         hasPrivileges: mockHasPrivileges,
         auditLogger: mockAuditLogger,
       });
@@ -480,24 +608,47 @@ describe('#find', () => {
       expect(result).toBe(returnValue);
       expect(mockRepository.find).toHaveBeenCalledWith({ type });
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'find', [type], {
-        options,
-      });
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
     });
   });
 
   describe('no type', () => {
-    test(`throws decorated ForbiddenError when user has no authorized types`, async () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const mockRepository = {};
+      const mockErrors = createMockErrors();
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+        throw new Error();
+      });
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        repository: mockRepository,
+        hasPrivileges: mockHasPrivileges,
+        auditLogger: mockAuditLogger,
+        savedObjectTypes: [type1, type2]
+      });
+
+      await expect(client.find()).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
       const type = 'foo';
       const username = Symbol();
       const mockRepository = {};
       const mockErrors = createMockErrors();
       const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        success: false,
+        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+        username,
         missing: [
           `action:saved_objects/${type}/find`
         ],
-        username,
       }));
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
@@ -525,27 +676,36 @@ describe('#find', () => {
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
     });
 
-    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
-      const type1 = 'foo';
-      const type2 = 'bar';
-      const mockRepository = {};
+    test(`returns result of callWithRequestRepository.find when legacy`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockRepository = {
+        find: jest.fn().mockReturnValue(returnValue)
+      };
       const mockErrors = createMockErrors();
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => {
-        throw new Error();
-      });
+      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+        result: HAS_PRIVILEGES_RESULT.LEGACY,
+        username,
+        missing: [
+          `action:saved_objects/${type}/find`
+        ],
+      }));
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
-        repository: mockRepository,
+        callWithRequestRepository: mockRepository,
         hasPrivileges: mockHasPrivileges,
         auditLogger: mockAuditLogger,
-        savedObjectTypes: [type1, type2]
+        savedObjectTypes: [type]
       });
+      const options = Symbol();
 
-      await expect(client.find()).rejects.toThrowError(mockErrors.generalError);
+      const result = await client.find(options);
 
-      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
-      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(result).toBe(returnValue);
+      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockRepository.find).toHaveBeenCalledWith(options);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
     });
@@ -558,7 +718,7 @@ describe('#find', () => {
       };
       const mockErrors = createMockErrors();
       const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        success: false,
+        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
         missing: [
           `action:saved_objects/${type1}/find`
         ]
@@ -566,7 +726,7 @@ describe('#find', () => {
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
-        repository: mockRepository,
+        internalRepository: mockRepository,
         hasPrivileges: mockHasPrivileges,
         auditLogger: mockAuditLogger,
         savedObjectTypes: [type1, type2]
@@ -580,7 +740,7 @@ describe('#find', () => {
       }));
     });
 
-    test(`calls and returns result of repository.find`, async () => {
+    test(`returns result of repository.find`, async () => {
       const type = 'foo';
       const username = Symbol();
       const returnValue = Symbol();
@@ -588,13 +748,13 @@ describe('#find', () => {
         find: jest.fn().mockReturnValue(returnValue)
       };
       const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        success: true,
-        missing: [],
+        result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
         username,
+        missing: [],
       }));
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
-        repository: mockRepository,
+        internalRepository: mockRepository,
         hasPrivileges: mockHasPrivileges,
         auditLogger: mockAuditLogger,
         savedObjectTypes: [type]
@@ -614,17 +774,38 @@ describe('#find', () => {
 });
 
 describe('#bulkGet', () => {
-  test(`throws decorated ForbiddenError when user doesn't have privileges`, async () => {
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+
+    await expect(client.bulkGet([{ type }])).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith(['action:saved_objects/foo/bulk_get']);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated ForbiddenError when unauthorized`, async () => {
     const type1 = 'foo';
     const type2 = 'bar';
     const username = Symbol();
     const mockErrors = createMockErrors();
     const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      success: false,
+      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username,
       missing: [
         `action:saved_objects/${type1}/bulk_get`
       ],
-      username,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
@@ -654,28 +835,40 @@ describe('#bulkGet', () => {
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
 
-  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
-    const type = 'foo';
-    const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
-      throw new Error();
-    });
+  test(`returns result of internalRepository.bulkGet when authorized`, async () => {
+    const type1 = 'foo';
+    const type2 = 'bar';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      bulkGet: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+      username,
+    }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
+      internalRepository: mockRepository,
       hasPrivileges: mockHasPrivileges,
       auditLogger: mockAuditLogger,
     });
+    const objects = [
+      { type: type1, id: 'foo-id' },
+      { type: type2, id: 'bar-id' },
+    ];
 
-    await expect(client.bulkGet([{ type }])).rejects.toThrowError(mockErrors.generalError);
+    const result = await client.bulkGet(objects);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith(['action:saved_objects/foo/bulk_get']);
-    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(result).toBe(returnValue);
+    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_get', [type1, type2], {
+      objects,
+    });
   });
 
-  test(`calls and returns result of repository.bulkGet`, async () => {
+  test(`returns result of callWithRequestRepository.bulkGet when legacy`, async () => {
     const type1 = 'foo';
     const type2 = 'bar';
     const username = Symbol();
@@ -684,12 +877,16 @@ describe('#bulkGet', () => {
       bulkGet: jest.fn().mockReturnValue(returnValue)
     };
     const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      success: true,
+      result: HAS_PRIVILEGES_RESULT.LEGACY,
       username,
+      missing: [
+        `action:saved_objects/${type1}/bulk_get`,
+        `action:saved_objects/${type2}/bulk_get`
+      ],
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
-      repository: mockRepository,
+      callWithRequestRepository: mockRepository,
       hasPrivileges: mockHasPrivileges,
       auditLogger: mockAuditLogger,
     });
@@ -703,23 +900,42 @@ describe('#bulkGet', () => {
     expect(result).toBe(returnValue);
     expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_get', [type1, type2], {
-      objects,
-    });
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
 });
 
 describe('#get', () => {
-  test(`throws decorated ForbiddenError when user doesn't have privileges`, async () => {
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+
+    await expect(client.get(type)).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/get`]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated ForbiddenError when unauthorized`, async () => {
     const type = 'foo';
     const username = Symbol();
     const mockErrors = createMockErrors();
     const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      success: false,
+      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username,
       missing: [
         `action:saved_objects/${type}/get`
       ],
-      username,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
@@ -746,28 +962,37 @@ describe('#get', () => {
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
 
-  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+  test(`returns result of internalRepository.get when authorized`, async () => {
     const type = 'foo';
-    const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
-      throw new Error();
-    });
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      get: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+      username,
+    }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
+      internalRepository: mockRepository,
       hasPrivileges: mockHasPrivileges,
       auditLogger: mockAuditLogger,
     });
+    const id = Symbol();
 
-    await expect(client.get(type)).rejects.toThrowError(mockErrors.generalError);
+    const result = await client.get(type, id);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/get`]);
-    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(result).toBe(returnValue);
+    expect(mockRepository.get).toHaveBeenCalledWith(type, id);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'get', [type], {
+      type,
+      id,
+    });
   });
 
-  test(`calls and returns result of repository.get`, async () => {
+  test(`returns result of callWithRequestRepository.get when user isn't authorized and has legacy fallback`, async () => {
     const type = 'foo';
     const username = Symbol();
     const returnValue = Symbol();
@@ -775,12 +1000,15 @@ describe('#get', () => {
       get: jest.fn().mockReturnValue(returnValue)
     };
     const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      success: true,
+      result: HAS_PRIVILEGES_RESULT.LEGACY,
       username,
+      missing: [
+        `action:saved_objects/${type}/get`
+      ],
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
-      repository: mockRepository,
+      callWithRequestRepository: mockRepository,
       hasPrivileges: mockHasPrivileges,
       auditLogger: mockAuditLogger,
     });
@@ -791,24 +1019,42 @@ describe('#get', () => {
     expect(result).toBe(returnValue);
     expect(mockRepository.get).toHaveBeenCalledWith(type, id);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'get', [type], {
-      type,
-      id,
-    });
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
 });
 
 describe('#update', () => {
-  test(`throws decorated ForbiddenError when user doesn't have privileges`, async () => {
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      hasPrivileges: mockHasPrivileges,
+      auditLogger: mockAuditLogger,
+    });
+
+    await expect(client.update(type)).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/update`]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated ForbiddenError when unauthorized`, async () => {
     const type = 'foo';
     const username = Symbol();
     const mockErrors = createMockErrors();
     const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      success: false,
+      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username,
       missing: [
         'action:saved_objects/foo/update'
       ],
-      username,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
@@ -839,28 +1085,41 @@ describe('#update', () => {
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
 
-  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+  test(`returns result of repository.update when authorized`, async () => {
     const type = 'foo';
-    const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
-      throw new Error();
-    });
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      update: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
+      result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+      username,
+    }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
+      internalRepository: mockRepository,
       hasPrivileges: mockHasPrivileges,
       auditLogger: mockAuditLogger,
     });
+    const id = Symbol();
+    const attributes = Symbol();
+    const options = Symbol();
 
-    await expect(client.update(type)).rejects.toThrowError(mockErrors.generalError);
+    const result = await client.update(type, id, attributes, options);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/update`]);
-    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(result).toBe(returnValue);
+    expect(mockRepository.update).toHaveBeenCalledWith(type, id, attributes, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'update', [type], {
+      type,
+      id,
+      attributes,
+      options,
+    });
   });
 
-  test(`calls and returns result of repository.update`, async () => {
+  test(`returns result of repository.update when legacy`, async () => {
     const type = 'foo';
     const username = Symbol();
     const returnValue = Symbol();
@@ -868,12 +1127,15 @@ describe('#update', () => {
       update: jest.fn().mockReturnValue(returnValue)
     };
     const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      success: true,
+      result: HAS_PRIVILEGES_RESULT.LEGACY,
       username,
+      missing: [
+        'action:saved_objects/foo/update'
+      ],
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
-      repository: mockRepository,
+      callWithRequestRepository: mockRepository,
       hasPrivileges: mockHasPrivileges,
       auditLogger: mockAuditLogger,
     });
@@ -886,11 +1148,6 @@ describe('#update', () => {
     expect(result).toBe(returnValue);
     expect(mockRepository.update).toHaveBeenCalledWith(type, id, attributes, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'update', [type], {
-      type,
-      id,
-      attributes,
-      options,
-    });
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
 });
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
index 12a25607a92acd..6089aec5d89d02 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
@@ -68,7 +68,7 @@ export default function ({ getService }) {
       });
     };
 
-    const expectForbidden = resp => {
+    const expectRbacForbidden = resp => {
       //eslint-disable-next-line max-len
       const missingActions = `action:login,action:saved_objects/config/bulk_get,action:saved_objects/dashboard/bulk_get,action:saved_objects/visualization/bulk_get`;
       expect(resp.body).to.eql({
@@ -102,7 +102,7 @@ export default function ({ getService }) {
       tests: {
         default: {
           statusCode: 403,
-          response: expectForbidden,
+          response: expectRbacForbidden,
         }
       }
     });
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/create.js b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
index c8ca5be09b6ad4..cff5da3502838c 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
@@ -29,7 +29,7 @@ export default function ({ getService }) {
       });
     };
 
-    const createExpectForbidden = canLogin => resp => {
+    const createExpectRbacForbidden = canLogin => resp => {
       expect(resp.body).to.eql({
         statusCode: 403,
         error: 'Forbidden',
@@ -37,6 +37,15 @@ export default function ({ getService }) {
       });
     };
 
+    const createExpectLegacyForbidden = username => resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        //eslint-disable-next-line max-len
+        message: `action [indices:data/write/index] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/index] is unauthorized for user [${username}]`
+      });
+    };
+
     const createTest = (description, { auth, tests }) => {
       describe(description, () => {
         before(() => esArchiver.load('saved_objects/basic'));
@@ -64,7 +73,7 @@ export default function ({ getService }) {
       tests: {
         default: {
           statusCode: 403,
-          response: createExpectForbidden(false),
+          response: createExpectRbacForbidden(false),
         },
       }
     });
@@ -103,7 +112,7 @@ export default function ({ getService }) {
       tests: {
         default: {
           statusCode: 403,
-          response: createExpectForbidden(true),
+          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
         },
       }
     });
@@ -129,7 +138,7 @@ export default function ({ getService }) {
       tests: {
         default: {
           statusCode: 403,
-          response: createExpectForbidden(true),
+          response: createExpectRbacForbidden(true),
         },
       }
     });
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
index d6bd0d61dd646a..b75ab5342c6baa 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
@@ -25,7 +25,7 @@ export default function ({ getService }) {
       });
     };
 
-    const createExpectForbidden = canLogin => resp => {
+    const createExpectRbacForbidden = canLogin => resp => {
       expect(resp.body).to.eql({
         statusCode: 403,
         error: 'Forbidden',
@@ -33,6 +33,15 @@ export default function ({ getService }) {
       });
     };
 
+    const createExpectLegacyForbidden = username => resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        //eslint-disable-next-line max-len
+        message: `action [indices:data/write/delete] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/delete] is unauthorized for user [${username}]`
+      });
+    };
+
     const deleteTest = (description, { auth, tests }) => {
       describe(description, () => {
         before(() => esArchiver.load('saved_objects/basic'));
@@ -64,11 +73,11 @@ export default function ({ getService }) {
       tests: {
         actualId: {
           statusCode: 403,
-          response: createExpectForbidden(false),
+          response: createExpectRbacForbidden(false),
         },
         invalidId: {
           statusCode: 403,
-          response: createExpectForbidden(false),
+          response: createExpectRbacForbidden(false),
         }
       }
     });
@@ -115,11 +124,11 @@ export default function ({ getService }) {
       tests: {
         actualId: {
           statusCode: 403,
-          response: createExpectForbidden(true),
+          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
         },
         invalidId: {
           statusCode: 403,
-          response: createExpectForbidden(true),
+          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
         }
       }
     });
@@ -149,11 +158,11 @@ export default function ({ getService }) {
       tests: {
         actualId: {
           statusCode: 403,
-          response: createExpectForbidden(true),
+          response: createExpectRbacForbidden(true),
         },
         invalidId: {
           statusCode: 403,
-          response: createExpectForbidden(true),
+          response: createExpectRbacForbidden(true),
         }
       }
     });
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
index 59cc3dc12d5389..0498021e5daae2 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
@@ -31,7 +31,7 @@ export default function ({ getService }) {
       });
     };
 
-    const expectAllResults = (resp) => {
+    const expectResultsWithValidTypes = (resp) => {
       expect(resp.body).to.eql({
         page: 1,
         per_page: 20,
@@ -69,6 +69,50 @@ export default function ({ getService }) {
       });
     };
 
+    const expectAllResultsIncludingInvalidTypes = (resp) => {
+      expect(resp.body).to.eql({
+        page: 1,
+        per_page: 20,
+        total: 5,
+        saved_objects: [
+          {
+            id: '91200a00-9efd-11e7-acb3-3dab96693fab',
+            type: 'index-pattern',
+            updated_at: '2017-09-21T18:49:16.270Z',
+            version: 1,
+            attributes: resp.body.saved_objects[0].attributes
+          },
+          {
+            id: '7.0.0-alpha1',
+            type: 'config',
+            updated_at: '2017-09-21T18:49:16.302Z',
+            version: 1,
+            attributes: resp.body.saved_objects[1].attributes
+          },
+          {
+            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+            type: 'visualization',
+            updated_at: '2017-09-21T18:51:23.794Z',
+            version: 1,
+            attributes: resp.body.saved_objects[2].attributes
+          },
+          {
+            id: 'be3733a0-9efe-11e7-acb3-3dab96693fab',
+            type: 'dashboard',
+            updated_at: '2017-09-21T18:57:40.826Z',
+            version: 1,
+            attributes: resp.body.saved_objects[3].attributes
+          },
+          {
+            id: 'visualization:dd7caf20-9efd-11e7-acb3-3dab96693faa',
+            type: 'not-a-visualization',
+            updated_at: '2017-09-21T18:51:23.794Z',
+            version: 1
+          },
+        ]
+      });
+    };
+
     const createExpectEmpty = (page, perPage, total) => (resp) => {
       expect(resp.body).to.eql({
         page: page,
@@ -78,7 +122,7 @@ export default function ({ getService }) {
       });
     };
 
-    const createExpectActionForbidden = (canLogin, type) => resp => {
+    const createExpectRbacForbidden = (canLogin, type) => resp => {
       expect(resp.body).to.eql({
         statusCode: 403,
         error: 'Forbidden',
@@ -158,22 +202,22 @@ export default function ({ getService }) {
         normal: {
           description: 'forbidden login and find visualization message',
           statusCode: 403,
-          response: createExpectActionForbidden(false, 'visualization'),
+          response: createExpectRbacForbidden(false, 'visualization'),
         },
         unknownType: {
           description: 'forbidden login and find wigwags message',
           statusCode: 403,
-          response: createExpectActionForbidden(false, 'wigwags'),
+          response: createExpectRbacForbidden(false, 'wigwags'),
         },
         pageBeyondTotal: {
           description: 'forbidden login and find visualization message',
           statusCode: 403,
-          response: createExpectActionForbidden(false, 'visualization'),
+          response: createExpectRbacForbidden(false, 'visualization'),
         },
         unknownSearchField: {
           description: 'forbidden login and find wigwags message',
           statusCode: 403,
-          response: createExpectActionForbidden(false, 'wigwags'),
+          response: createExpectRbacForbidden(false, 'wigwags'),
         },
         noType: {
           description: `forbidded can't find any types`,
@@ -212,7 +256,7 @@ export default function ({ getService }) {
         noType: {
           description: 'all objects',
           statusCode: 200,
-          response: expectAllResults,
+          response: expectResultsWithValidTypes,
         },
       },
     });
@@ -246,7 +290,7 @@ export default function ({ getService }) {
         noType: {
           description: 'all objects',
           statusCode: 200,
-          response: expectAllResults,
+          response: expectAllResultsIncludingInvalidTypes,
         },
       },
     });
@@ -263,9 +307,9 @@ export default function ({ getService }) {
           response: expectVisualizationResults,
         },
         unknownType: {
-          description: 'forbidden find wigwags message',
-          statusCode: 403,
-          response: createExpectActionForbidden(true, 'wigwags'),
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
         },
         pageBeyondTotal: {
           description: 'empty result',
@@ -273,14 +317,14 @@ export default function ({ getService }) {
           response: createExpectEmpty(100, 100, 1),
         },
         unknownSearchField: {
-          description: 'forbidden find wigwags message',
-          statusCode: 403,
-          response: createExpectActionForbidden(true, 'wigwags'),
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
         },
         noType: {
           description: 'all objects',
           statusCode: 200,
-          response: expectAllResults,
+          response: expectAllResultsIncludingInvalidTypes,
         },
       }
     });
@@ -314,7 +358,7 @@ export default function ({ getService }) {
         noType: {
           description: 'all objects',
           statusCode: 200,
-          response: expectAllResults,
+          response: expectResultsWithValidTypes,
         },
       },
     });
@@ -333,7 +377,7 @@ export default function ({ getService }) {
         unknownType: {
           description: 'forbidden find wigwags message',
           statusCode: 403,
-          response: createExpectActionForbidden(true, 'wigwags'),
+          response: createExpectRbacForbidden(true, 'wigwags'),
         },
         pageBeyondTotal: {
           description: 'empty result',
@@ -343,12 +387,12 @@ export default function ({ getService }) {
         unknownSearchField: {
           description: 'forbidden find wigwags message',
           statusCode: 403,
-          response: createExpectActionForbidden(true, 'wigwags'),
+          response: createExpectRbacForbidden(true, 'wigwags'),
         },
         noType: {
           description: 'all objects',
           statusCode: 200,
-          response: expectAllResults,
+          response: expectResultsWithValidTypes,
         },
       }
     });
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
index e055d9ef75e483..ac7cc6b70f50a8 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
@@ -39,7 +39,7 @@ export default function ({ getService }) {
       });
     };
 
-    const expectForbidden = resp => {
+    const expectRbacForbidden = resp => {
       expect(resp.body).to.eql({
         statusCode: 403,
         error: 'Forbidden',
@@ -80,11 +80,11 @@ export default function ({ getService }) {
       tests: {
         exists: {
           statusCode: 403,
-          response: expectForbidden,
+          response: expectRbacForbidden,
         },
         doesntExist: {
           statusCode: 403,
-          response: expectForbidden,
+          response: expectRbacForbidden,
         },
       }
     });
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
index e3740ede1aaafb..edcec1ffb61246 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
@@ -38,7 +38,7 @@ export default function ({ getService }) {
       });
     };
 
-    const createExpectForbidden = canLogin => resp => {
+    const createExpectRbacForbidden = canLogin => resp => {
       expect(resp.body).to.eql({
         statusCode: 403,
         error: 'Forbidden',
@@ -46,6 +46,15 @@ export default function ({ getService }) {
       });
     };
 
+    const createExpectLegacyForbidden = username => resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        //eslint-disable-next-line max-len
+        message: `action [indices:data/write/update] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/update] is unauthorized for user [${username}]`
+      });
+    };
+
     const updateTest = (description, { auth, tests }) => {
       describe(description, () => {
         before(() => esArchiver.load('saved_objects/basic'));
@@ -88,11 +97,11 @@ export default function ({ getService }) {
       tests: {
         exists: {
           statusCode: 403,
-          response: createExpectForbidden(false),
+          response: createExpectRbacForbidden(false),
         },
         doesntExist: {
           statusCode: 403,
-          response: createExpectForbidden(false),
+          response: createExpectRbacForbidden(false),
         },
       }
     });
@@ -139,11 +148,11 @@ export default function ({ getService }) {
       tests: {
         exists: {
           statusCode: 403,
-          response: createExpectForbidden(true),
+          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
         },
         doesntExist: {
           statusCode: 403,
-          response: createExpectForbidden(true),
+          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
         },
       }
     });
@@ -173,11 +182,11 @@ export default function ({ getService }) {
       tests: {
         exists: {
           statusCode: 403,
-          response: createExpectForbidden(true),
+          response: createExpectRbacForbidden(true),
         },
         doesntExist: {
           statusCode: 403,
-          response: createExpectForbidden(true),
+          response: createExpectRbacForbidden(true),
         },
       }
     });

From b8a110b0cca42ac67c559ba8d99e600b50781178 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Mon, 2 Jul 2018 07:28:00 -0400
Subject: [PATCH 059/183] Setting the status to red on the first error then
 continually (#20343)

initializing
---
 .../watch_status_and_license_to_initialize.js | 42 ++++++++++---------
 ...h_status_and_license_to_initialize.test.js | 41 +++++++++++++-----
 2 files changed, 54 insertions(+), 29 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
index c0f54b8b2fbf1f..28cbbbb04c93d4 100644
--- a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
+++ b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
@@ -4,23 +4,31 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 import * as Rx from 'rxjs';
-import { catchError, mergeMap, map, retryWhen, switchMap, tap } from 'rxjs/operators';
+import { catchError, mergeMap, map, switchMap, tap } from 'rxjs/operators';
 
-export const retryStrategy = ({
-  maxAttempts,
-  scalingDuration,
-}) => (errors) => {
-  return errors.pipe(
-    mergeMap((error, i) => {
-      const attempt = i + 1;
+export const RETRY_SCALE_DURATION = 100;
+export const RETRY_DURATION_MAX = 10000;
 
-      if (attempt >= maxAttempts) {
-        return Rx.throwError(error);
-      }
+const calculateDuration = i => {
+  const duration = i * RETRY_SCALE_DURATION;
+  if (duration > RETRY_DURATION_MAX) {
+    return RETRY_DURATION_MAX;
+  }
 
-      return Rx.timer(attempt * scalingDuration);
-    })
-  );
+  return duration;
+};
+
+// we can't use a retryWhen here, because we want to propagate the red status and then retry
+const propagateRedStatusAndScaleRetry = () => {
+  let i = 0;
+  return (err, caught) =>
+    Rx.concat(
+      Rx.of({
+        state: 'red',
+        message: err.message
+      }),
+      Rx.timer(calculateDuration(++i)).pipe(mergeMap(() => caught))
+    );
 };
 
 export function watchStatusAndLicenseToInitialize(xpackMainPlugin, downstreamPlugin, initialize) {
@@ -58,15 +66,11 @@ export function watchStatusAndLicenseToInitialize(xpackMainPlugin, downstreamPlu
 
         return Rx.defer(() => initialize(license))
           .pipe(
-            retryWhen(retryStrategy({ maxAttempts: 20, scalingDuration: 100 })),
             map(() => ({
               state: 'green',
               message: 'Ready',
             })),
-            catchError(err => Rx.of({
-              state: 'red',
-              message: err.message
-            }))
+            catchError(propagateRedStatusAndScaleRetry())
           );
       }),
       tap(({ state, message }) => {
diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
index 6964255c535610..d56598b9d01111 100644
--- a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
+++ b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
@@ -5,7 +5,7 @@
  */
 
 import { EventEmitter } from 'events';
-import { watchStatusAndLicenseToInitialize } from './watch_status_and_license_to_initialize';
+import { watchStatusAndLicenseToInitialize, RETRY_SCALE_DURATION, RETRY_DURATION_MAX } from './watch_status_and_license_to_initialize';
 
 const createMockXpackMainPluginAndFeature = (featureId) => {
   const licenseChangeCallbacks = [];
@@ -62,6 +62,15 @@ const createMockDownstreamPlugin = (id) => {
   };
 };
 
+const advanceRetry = async (initializeCount) => {
+  await Promise.resolve();
+  let duration = initializeCount * RETRY_SCALE_DURATION;
+  if (duration > RETRY_DURATION_MAX) {
+    duration = RETRY_DURATION_MAX;
+  }
+  jest.advanceTimersByTime(duration);
+};
+
 ['red', 'yellow', 'disabled'].forEach(state => {
   test(`mirrors ${state} immediately`, () => {
     const pluginId = 'foo-plugin';
@@ -115,7 +124,7 @@ test(`sets downstream plugin's status to green when initialize resolves`, (done)
   });
 });
 
-test(`sets downstream plugin's status to red when initialize rejects 20 times`, (done) => {
+test(`sets downstream plugin's status to red when initialize initially rejects, and continually polls initialize`, (done) => {
   jest.useFakeTimers();
 
   const pluginId = 'foo-plugin';
@@ -126,15 +135,25 @@ test(`sets downstream plugin's status to red when initialize rejects 20 times`,
   mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
   const downstreamPlugin = createMockDownstreamPlugin(pluginId);
 
+  let isRed = false;
   let initializeCount = 0;
   const initializeMock = jest.fn().mockImplementation(() => {
     ++initializeCount;
 
+    // on the second retry, ensure we already set the status to red
+    if (initializeCount === 2) {
+      expect(isRed).toBe(true);
+    }
+
+    // this should theoretically continue indefinitely, but we only have so long to run the tests
+    if (initializeCount === 100) {
+      done();
+    }
+
     // everytime this is called, we have to wait for a new promise to be resolved
     // allowing the Promise the we return below to run, and then advance the timers
-    setImmediate(async () => {
-      await Promise.resolve();
-      jest.advanceTimersByTime(initializeCount * 100);
+    setImmediate(() => {
+      advanceRetry(initializeCount);
     });
     return Promise.reject(new Error(errorMessage));
   });
@@ -144,9 +163,8 @@ test(`sets downstream plugin's status to red when initialize rejects 20 times`,
   expect(initializeMock).toHaveBeenCalledTimes(1);
   expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
   downstreamPlugin.status.red.mockImplementation(message => {
-    expect(initializeCount).toBe(20);
+    isRed = true;
     expect(message).toBe(errorMessage);
-    done();
   });
 });
 
@@ -167,9 +185,8 @@ test(`sets downstream plugin's status to green when initialize resolves after re
 
     // everytime this is called, we have to wait for a new promise to be resolved
     // allowing the Promise the we return below to run, and then advance the timers
-    setImmediate(async () => {
-      await Promise.resolve();
-      jest.advanceTimersByTime(initializeCount * 100);
+    setImmediate(() => {
+      advanceRetry(initializeCount);
     });
 
     if (initializeCount >= 10) {
@@ -183,6 +200,10 @@ test(`sets downstream plugin's status to green when initialize resolves after re
 
   expect(initializeMock).toHaveBeenCalledTimes(1);
   expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
+  downstreamPlugin.status.red.mockImplementation(message => {
+    expect(initializeCount).toBeLessThan(10);
+    expect(message).toBe(errorMessage);
+  });
   downstreamPlugin.status.green.mockImplementation(message => {
     expect(initializeCount).toBe(10);
     expect(message).toBe('Ready');

From 8696030258c5b9c3afddd42247b0f23b7ec414a0 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 2 Jul 2018 09:37:57 -0400
Subject: [PATCH 060/183] Renaming get*Privilege to get*Action

---
 .../lib/authorization/has_privileges.js       | 14 +++---
 .../lib/authorization/has_privileges.test.js  | 34 +++++++-------
 .../security/server/lib/privileges/index.js   |  2 +-
 .../server/lib/privileges/privileges.js       | 46 +++++++++----------
 4 files changed, 46 insertions(+), 50 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
index 2f68c7fadaf95d..224ba8c44ec841 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
@@ -6,7 +6,7 @@
 
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
-import { getVersionPrivilege, getLoginPrivilege } from '../privileges';
+import { getVersionAction, getLoginAction } from '../privileges';
 
 export const HAS_PRIVILEGES_RESULT = {
   UNAUTHORIZED: Symbol(),
@@ -22,8 +22,8 @@ export function hasPrivilegesWithServer(server) {
   const application = config.get('xpack.security.rbac.application');
   const kibanaIndex = config.get('kibana.index');
 
-  const loginPrivilege = getLoginPrivilege();
-  const versionPrivilege = getVersionPrivilege(kibanaVersion);
+  const loginAction = getLoginAction();
+  const versionAction = getVersionAction(kibanaVersion);
 
   return function hasPrivilegesWithRequest(request) {
 
@@ -43,7 +43,7 @@ export function hasPrivilegesWithServer(server) {
       // We include the login action in all privileges, so the existence of it and not the version privilege
       // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't
       // know whether the user just wasn't authorized for this instance of Kibana in general
-      if (!hasPrivileges[getVersionPrivilege(kibanaVersion)] && hasPrivileges[getLoginPrivilege()]) {
+      if (!hasPrivileges[getVersionAction(kibanaVersion)] && hasPrivileges[getLoginAction()]) {
         throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
       }
 
@@ -68,7 +68,7 @@ export function hasPrivilegesWithServer(server) {
     };
 
     return async function hasPrivileges(privileges) {
-      const allPrivileges = [versionPrivilege, loginPrivilege, ...privileges];
+      const allPrivileges = [versionAction, loginAction, ...privileges];
       const privilegesCheck = await hasApplicationPrivileges(allPrivileges);
 
       const username = privilegesCheck.username;
@@ -76,7 +76,7 @@ export function hasPrivilegesWithServer(server) {
       // We don't want to expose the version privilege to consumers, as it's an implementation detail only to detect version mismatch
       const missing = Object.keys(privilegesCheck.privileges)
         .filter(p => !privilegesCheck.privileges[p])
-        .filter(p => p !== versionPrivilege);
+        .filter(p => p !== versionAction);
 
       if (privilegesCheck.hasAllRequested) {
         return {
@@ -86,7 +86,7 @@ export function hasPrivilegesWithServer(server) {
         };
       }
 
-      if (!privilegesCheck.privileges[loginPrivilege] && await hasPrivilegesOnKibanaIndex()) {
+      if (!privilegesCheck.privileges[loginAction] && await hasPrivilegesOnKibanaIndex()) {
         const msg = `Relying on implicit privileges determined from the index privileges is deprecated and will be removed in Kibana 7.0`;
         server.log(['warning', 'deprecated', 'security'], msg);
 
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
index 7f38ba3965b786..5942e0058691b9 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
@@ -7,7 +7,7 @@
 import { hasPrivilegesWithServer, HAS_PRIVILEGES_RESULT } from './has_privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
-import { getLoginPrivilege, getVersionPrivilege } from '../privileges';
+import { getLoginAction, getVersionAction } from '../privileges';
 
 jest.mock('../../../../../server/lib/get_client_shield', () => ({
   getClient: jest.fn()
@@ -92,8 +92,8 @@ test(`returns authorized if they have all application privileges`, async () => {
     mockApplicationPrivilegeResponse({
       hasAllRequested: true,
       privileges: {
-        [getVersionPrivilege(defaultVersion)]: true,
-        [getLoginPrivilege()]: true,
+        [getVersionAction(defaultVersion)]: true,
+        [getLoginAction()]: true,
         [privilege]: true,
       },
       application: defaultApplication,
@@ -114,7 +114,7 @@ test(`returns authorized if they have all application privileges`, async () => {
         application: defaultApplication,
         resources: [DEFAULT_RESOURCE],
         privileges: [
-          getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+          getVersionAction(defaultVersion), getLoginAction(), ...privileges
         ]
       }]
     }
@@ -135,8 +135,8 @@ test(`returns unauthorized they have only one application privilege`, async () =
     mockApplicationPrivilegeResponse({
       hasAllRequested: false,
       privileges: {
-        [getVersionPrivilege(defaultVersion)]: true,
-        [getLoginPrivilege()]: true,
+        [getVersionAction(defaultVersion)]: true,
+        [getLoginAction()]: true,
         [privilege1]: true,
         [privilege2]: false,
       },
@@ -158,7 +158,7 @@ test(`returns unauthorized they have only one application privilege`, async () =
         application: defaultApplication,
         resources: [DEFAULT_RESOURCE],
         privileges: [
-          getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+          getVersionAction(defaultVersion), getLoginAction(), ...privileges
         ]
       }]
     }
@@ -177,8 +177,8 @@ test(`throws error if missing version privilege and has login privilege`, async
     mockApplicationPrivilegeResponse({
       hasAllRequested: false,
       privileges: {
-        [getVersionPrivilege(defaultVersion)]: false,
-        [getLoginPrivilege()]: true,
+        [getVersionAction(defaultVersion)]: false,
+        [getLoginAction()]: true,
         [privilege]: true,
       }
     })
@@ -200,8 +200,8 @@ describe('legacy fallback with no application privileges', () => {
       mockApplicationPrivilegeResponse({
         hasAllRequested: false,
         privileges: {
-          [getVersionPrivilege(defaultVersion)]: false,
-          [getLoginPrivilege()]: false,
+          [getVersionAction(defaultVersion)]: false,
+          [getLoginAction()]: false,
           [privilege]: false,
         },
         username,
@@ -229,7 +229,7 @@ describe('legacy fallback with no application privileges', () => {
           application: defaultApplication,
           resources: [DEFAULT_RESOURCE],
           privileges: [
-            getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+            getVersionAction(defaultVersion), getLoginAction(), ...privileges
           ]
         }]
       }
@@ -245,7 +245,7 @@ describe('legacy fallback with no application privileges', () => {
     expect(result).toEqual({
       result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
-      missing: [getLoginPrivilege(), ...privileges],
+      missing: [getLoginAction(), ...privileges],
     });
   });
 
@@ -258,8 +258,8 @@ describe('legacy fallback with no application privileges', () => {
         mockApplicationPrivilegeResponse({
           hasAllRequested: false,
           privileges: {
-            [getVersionPrivilege(defaultVersion)]: false,
-            [getLoginPrivilege()]: false,
+            [getVersionAction(defaultVersion)]: false,
+            [getLoginAction()]: false,
             [privilege]: false,
           },
           username,
@@ -288,7 +288,7 @@ describe('legacy fallback with no application privileges', () => {
             application: defaultApplication,
             resources: [DEFAULT_RESOURCE],
             privileges: [
-              getVersionPrivilege(defaultVersion), getLoginPrivilege(), ...privileges
+              getVersionAction(defaultVersion), getLoginAction(), ...privileges
             ]
           }]
         }
@@ -304,7 +304,7 @@ describe('legacy fallback with no application privileges', () => {
       expect(result).toEqual({
         result: HAS_PRIVILEGES_RESULT.LEGACY,
         username,
-        missing: [getLoginPrivilege(), ...privileges],
+        missing: [getLoginAction(), ...privileges],
       });
     });
   });
diff --git a/x-pack/plugins/security/server/lib/privileges/index.js b/x-pack/plugins/security/server/lib/privileges/index.js
index a7a2455d5ec3b0..f888dffa922dd6 100644
--- a/x-pack/plugins/security/server/lib/privileges/index.js
+++ b/x-pack/plugins/security/server/lib/privileges/index.js
@@ -5,4 +5,4 @@
  */
 
 export { registerPrivilegesWithCluster } from './privilege_action_registry';
-export { buildPrivilegeMap, getLoginPrivilege, getVersionPrivilege } from './privileges';
+export { buildPrivilegeMap, getLoginAction, getVersionAction } from './privileges';
diff --git a/x-pack/plugins/security/server/lib/privileges/privileges.js b/x-pack/plugins/security/server/lib/privileges/privileges.js
index 96600013887944..ea22f6e276594f 100644
--- a/x-pack/plugins/security/server/lib/privileges/privileges.js
+++ b/x-pack/plugins/security/server/lib/privileges/privileges.js
@@ -4,43 +4,39 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export function getVersionPrivilege(kibanaVersion) {
-  // TODO: Remove the .toLowerCase() once the capitalization with app privileges is fixed
-  return `version:${kibanaVersion.toLowerCase()}`;
+export function getVersionAction(kibanaVersion) {
+  return `version:${kibanaVersion}`;
 }
 
-export function getLoginPrivilege() {
+export function getLoginAction() {
   return `action:login`;
 }
 
 export function buildPrivilegeMap(savedObjectTypes, application, kibanaVersion) {
-  const readSavedObjectsPrivileges = buildSavedObjectsReadPrivileges(savedObjectTypes);
-
-  const privilegeActions = {};
-
-  privilegeActions.all = {
-    application,
-    name: 'all',
-    actions: [getVersionPrivilege(kibanaVersion), 'action:*'],
-    metadata: {}
+  const readSavedObjectsActions = buildSavedObjectsReadActions(savedObjectTypes);
+
+  return {
+    all: {
+      application,
+      name: 'all',
+      actions: [getVersionAction(kibanaVersion), 'action:*'],
+      metadata: {}
+    },
+    read: {
+      application,
+      name: 'read',
+      actions: [getVersionAction(kibanaVersion), getLoginAction(), ...readSavedObjectsActions],
+      metadata: {}
+    }
   };
-
-  privilegeActions.read = {
-    application,
-    name: 'read',
-    actions: [getVersionPrivilege(kibanaVersion), getLoginPrivilege(), ...readSavedObjectsPrivileges],
-    metadata: {}
-  };
-
-  return privilegeActions;
 }
 
-function buildSavedObjectsReadPrivileges(savedObjectTypes) {
+function buildSavedObjectsReadActions(savedObjectTypes) {
   const readActions = ['get', 'bulk_get', 'find'];
-  return buildSavedObjectsPrivileges(savedObjectTypes, readActions);
+  return buildSavedObjectsActions(savedObjectTypes, readActions);
 }
 
-function buildSavedObjectsPrivileges(savedObjectTypes, actions) {
+function buildSavedObjectsActions(savedObjectTypes, actions) {
   return savedObjectTypes
     .map(type => actions.map(action => `action:saved_objects/${type}/${action}`))
     .reduce((acc, types) => [...acc, ...types], []);

From a56af65f44d476c90cb2dacb36267a9a8b1140d3 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 2 Jul 2018 09:46:48 -0400
Subject: [PATCH 061/183] Adding "instance" to alert about other application
 privileges

---
 x-pack/plugins/security/public/views/management/edit_role.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role.html b/x-pack/plugins/security/public/views/management/edit_role.html
index da03371ae6cbd4..3b5c7a13412a74 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.html
+++ b/x-pack/plugins/security/public/views/management/edit_role.html
@@ -47,7 +47,7 @@ <h1 class="kuiTitle">
           <span class="kuiInfoPanelHeader__icon kuiIcon kuiIcon--warning fa-warning"></span>
           <span class="kuiInfoPanelHeader__title">
             This role contains application privileges for the {{ otherApplications.join(', ') }} application(s) that can't be edited.
-            If they are for other instances of Kibana, you must manage those privileges on that Kibana.
+            If they are for other instances of Kibana, you must manage those privileges on that Kibana instance.
           </span>
         </div>
       </div>

From 19a7d6f32bc7c3b531d969c8573e4ead231589c8 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 2 Jul 2018 10:40:10 -0400
Subject: [PATCH 062/183] Revising some of the naming for the edit roles screen

---
 .../public/services/application_privilege.js  |  2 +-
 .../public/views/management/edit_role.js      | 59 ++++++++++---------
 2 files changed, 31 insertions(+), 30 deletions(-)

diff --git a/x-pack/plugins/security/public/services/application_privilege.js b/x-pack/plugins/security/public/services/application_privilege.js
index 91e8d52a84a726..615188cad33d7f 100644
--- a/x-pack/plugins/security/public/services/application_privilege.js
+++ b/x-pack/plugins/security/public/services/application_privilege.js
@@ -8,7 +8,7 @@ import 'angular-resource';
 import { uiModules } from 'ui/modules';
 
 const module = uiModules.get('security', ['ngResource']);
-module.service('ApplicationPrivilege', ($resource, chrome) => {
+module.service('ApplicationPrivileges', ($resource, chrome) => {
   const baseUrl = chrome.addBasePath('/api/security/v1/privileges');
   return $resource(baseUrl);
 });
diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
index 94e04a30a37db5..ead331647e7f44 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role.js
@@ -24,57 +24,58 @@ import { checkLicenseError } from 'plugins/security/lib/check_license_error';
 import { EDIT_ROLES_PATH, ROLES_PATH } from './management_urls';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
 
-const getKibanaPrivileges = (kibanaApplicationPrivilege, role, application) => {
-  const kibanaPrivileges = kibanaApplicationPrivilege.reduce((acc, p) => {
+const getKibanaPrivileges = (kibanaApplicationPrivileges, roleApplications, application) => {
+  const kibanaPrivileges = kibanaApplicationPrivileges.reduce((acc, p) => {
     acc[p.name] = false;
     return acc;
   }, {});
 
-  if (!role.applications || role.applications.length === 0) {
+  if (!roleApplications || roleApplications.length === 0) {
     return kibanaPrivileges;
   }
 
   // we're filtering out privileges for non-default resources as well incase
   // the roles were created in a future version
-  const applications = role.applications
-    .filter(x => x.application === application && x.resources.every(r => r === DEFAULT_RESOURCE));
+  const applications = roleApplications
+    .filter(roleApplication => roleApplication.application === application && roleApplication.resources.every(r => r === DEFAULT_RESOURCE));
 
   const assigned = _.uniq(_.flatten(_.pluck(applications, 'privileges')));
   assigned.forEach(a => {
-    kibanaPrivileges[a] = true;
+    // we don't want to display privileges that aren't in our expected list of privileges
+    if (a in kibanaPrivileges) {
+      kibanaPrivileges[a] = true;
+    }
   });
 
   return kibanaPrivileges;
 };
 
-const setApplicationPrivileges = (kibanaPrivileges, role, application) => {
-  if (!role.applications) {
-    role.applications = [];
-  }
-
-  // we first remove the matching application entries
-  role.applications = role.applications.filter(x => {
-    return x.application !== application;
+const getRoleApplications = (kibanaPrivileges, currentRoleApplications = [], application) => {
+  // we keep any other applications
+  const newRoleApplications = currentRoleApplications.filter(roleApplication => {
+    return roleApplication.application !== application;
   });
 
-  const privileges = Object.keys(kibanaPrivileges).filter(key => kibanaPrivileges[key]);
+  const selectedPrivileges = Object.keys(kibanaPrivileges).filter(key => kibanaPrivileges[key]);
 
-  // if we still have them, put the application entry back
-  if (privileges.length > 0) {
-    role.applications = [...role.applications, {
+  // if we have any selected privileges, add a single application entry
+  if (selectedPrivileges.length > 0) {
+    newRoleApplications.push({
       application,
-      privileges,
+      privileges: selectedPrivileges,
       resources: [DEFAULT_RESOURCE]
-    }];
+    });
   }
+
+  return newRoleApplications;
 };
 
-const getOtherApplications = (kibanaPrivileges, role, application) => {
-  if (!role.applications || role.applications.length === 0) {
+const getOtherApplications = (roleApplications, application) => {
+  if (!roleApplications || roleApplications.length === 0) {
     return [];
   }
 
-  return role.applications.map(x => x.application).filter(x => x !== application);
+  return roleApplications.map(roleApplication => roleApplication.application).filter(app =>app !== application);
 };
 
 routes.when(`${EDIT_ROLES_PATH}/:name?`, {
@@ -103,8 +104,8 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
         applications: []
       });
     },
-    kibanaApplicationPrivilege(ApplicationPrivilege, kbnUrl, Promise, Private) {
-      return ApplicationPrivilege.query().$promise
+    kibanaApplicationPrivileges(ApplicationPrivileges, kbnUrl, Promise, Private) {
+      return ApplicationPrivileges.query().$promise
         .catch(checkLicenseError(kbnUrl, Promise, Private));
     },
     users(ShieldUser, kbnUrl, Promise, Private) {
@@ -134,10 +135,10 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     $scope.indexPatterns = $route.current.locals.indexPatterns;
     $scope.privileges = shieldPrivileges;
 
-    const kibanaApplicationPrivilege = $route.current.locals.kibanaApplicationPrivilege;
+    const kibanaApplicationPrivileges = $route.current.locals.kibanaApplicationPrivileges;
     const role = $route.current.locals.role;
-    $scope.kibanaPrivileges = getKibanaPrivileges(kibanaApplicationPrivilege, role, rbacApplication);
-    $scope.otherApplications = getOtherApplications(kibanaApplicationPrivilege, role, rbacApplication);
+    $scope.kibanaPrivileges = getKibanaPrivileges(kibanaApplicationPrivileges, role.applications, rbacApplication);
+    $scope.otherApplications = getOtherApplications(role.applications, rbacApplication);
 
     $scope.rolesHref = `#${ROLES_PATH}`;
 
@@ -164,7 +165,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
       role.indices = role.indices.filter((index) => index.names.length);
       role.indices.forEach((index) => index.query || delete index.query);
 
-      setApplicationPrivileges($scope.kibanaPrivileges, role, rbacApplication);
+      role.applications = getRoleApplications($scope.kibanaPrivileges, role.applications, rbacApplication);
 
       return role.$save()
         .then(() => toastNotifications.addSuccess('Updated role'))

From 33a153dd8a29b329b6e92733d0add897c90c9c02 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 2 Jul 2018 10:46:06 -0400
Subject: [PATCH 063/183] One more edit role variable renamed

---
 .../security/public/views/management/edit_role.js      | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
index ead331647e7f44..49caf22228fee6 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role.js
@@ -24,8 +24,8 @@ import { checkLicenseError } from 'plugins/security/lib/check_license_error';
 import { EDIT_ROLES_PATH, ROLES_PATH } from './management_urls';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
 
-const getKibanaPrivileges = (kibanaApplicationPrivileges, roleApplications, application) => {
-  const kibanaPrivileges = kibanaApplicationPrivileges.reduce((acc, p) => {
+const getKibanaPrivileges = (applicationPrivileges, roleApplications, application) => {
+  const kibanaPrivileges = applicationPrivileges.reduce((acc, p) => {
     acc[p.name] = false;
     return acc;
   }, {});
@@ -104,7 +104,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
         applications: []
       });
     },
-    kibanaApplicationPrivileges(ApplicationPrivileges, kbnUrl, Promise, Private) {
+    applicationPrivileges(ApplicationPrivileges, kbnUrl, Promise, Private) {
       return ApplicationPrivileges.query().$promise
         .catch(checkLicenseError(kbnUrl, Promise, Private));
     },
@@ -135,9 +135,9 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     $scope.indexPatterns = $route.current.locals.indexPatterns;
     $scope.privileges = shieldPrivileges;
 
-    const kibanaApplicationPrivileges = $route.current.locals.kibanaApplicationPrivileges;
+    const applicationPrivileges = $route.current.locals.applicationPrivileges;
     const role = $route.current.locals.role;
-    $scope.kibanaPrivileges = getKibanaPrivileges(kibanaApplicationPrivileges, role.applications, rbacApplication);
+    $scope.kibanaPrivileges = getKibanaPrivileges(applicationPrivileges, role.applications, rbacApplication);
     $scope.otherApplications = getOtherApplications(role.applications, rbacApplication);
 
     $scope.rolesHref = `#${ROLES_PATH}`;

From 5d8745fe2640d0d7aa75fc567b172da5f424e649 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 2 Jul 2018 12:29:33 -0400
Subject: [PATCH 064/183] hasPrivileges is now checkPrivileges

---
 x-pack/plugins/security/index.js              |   8 +-
 ....js.snap => check_privileges.test.js.snap} |   0
 ...{has_privileges.js => check_privileges.js} |  30 +--
 ...leges.test.js => check_privileges.test.js} |  46 ++--
 .../secure_saved_objects_client.js            |  22 +-
 .../secure_saved_objects_client.test.js       | 236 +++++++++---------
 6 files changed, 171 insertions(+), 171 deletions(-)
 rename x-pack/plugins/security/server/lib/authorization/__snapshots__/{has_privileges.test.js.snap => check_privileges.test.js.snap} (100%)
 rename x-pack/plugins/security/server/lib/authorization/{has_privileges.js => check_privileges.js} (74%)
 rename x-pack/plugins/security/server/lib/authorization/{has_privileges.test.js => check_privileges.test.js} (84%)

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index c72ebfa74e1c04..6bcaf4e7aec46f 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -17,7 +17,7 @@ import { authenticateFactory } from './server/lib/auth_redirect';
 import { checkLicense } from './server/lib/check_license';
 import { initAuthenticator } from './server/lib/authentication/authenticator';
 import { initPrivilegesApi } from './server/routes/api/v1/privileges';
-import { hasPrivilegesWithServer } from './server/lib/authorization/has_privileges';
+import { checkPrivilegesWithRequestFactory } from './server/lib/authorization/check_privileges';
 import { SecurityAuditLogger } from './server/lib/audit_logger';
 import { AuditLogger } from '../../server/lib/audit_logger';
 import { SecureSavedObjectsClient } from './server/lib/saved_objects_client/secure_saved_objects_client';
@@ -114,7 +114,7 @@ export const security = (kibana) => new kibana.Plugin({
     server.auth.strategy('session', 'login', 'required');
 
     const auditLogger = new SecurityAuditLogger(server.config(), new AuditLogger(server, 'security'));
-    const hasPrivilegesWithRequest = hasPrivilegesWithServer(server);
+    const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(server);
     const { savedObjects } = server;
 
     savedObjects.setScopedSavedObjectsClientFactory(({
@@ -130,14 +130,14 @@ export const security = (kibana) => new kibana.Plugin({
         return new savedObjects.SavedObjectsClient(callWithRequestRepository);
       }
 
-      const hasPrivileges = hasPrivilegesWithRequest(request);
+      const checkPrivileges = checkPrivilegesWithRequest(request);
       const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
 
       return new SecureSavedObjectsClient({
         internalRepository,
         callWithRequestRepository,
         errors: savedObjects.SavedObjectsClient.errors,
-        hasPrivileges,
+        checkPrivileges,
         auditLogger,
         savedObjectTypes: savedObjects.types,
       });
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/has_privileges.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
similarity index 100%
rename from x-pack/plugins/security/server/lib/authorization/__snapshots__/has_privileges.test.js.snap
rename to x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
similarity index 74%
rename from x-pack/plugins/security/server/lib/authorization/has_privileges.js
rename to x-pack/plugins/security/server/lib/authorization/check_privileges.js
index 224ba8c44ec841..2ccc0f3e6e0ce9 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
@@ -8,13 +8,13 @@ import { getClient } from '../../../../../server/lib/get_client_shield';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
 import { getVersionAction, getLoginAction } from '../privileges';
 
-export const HAS_PRIVILEGES_RESULT = {
+export const CHECK_PRIVILEGES_RESULT = {
   UNAUTHORIZED: Symbol(),
   AUTHORIZED: Symbol(),
   LEGACY: Symbol(),
 };
 
-export function hasPrivilegesWithServer(server) {
+export function checkPrivilegesWithRequestFactory(server) {
   const callWithRequest = getClient(server).callWithRequest;
 
   const config = server.config();
@@ -25,9 +25,9 @@ export function hasPrivilegesWithServer(server) {
   const loginAction = getLoginAction();
   const versionAction = getVersionAction(kibanaVersion);
 
-  return function hasPrivilegesWithRequest(request) {
+  return function checkPrivilegesWithRequest(request) {
 
-    const hasApplicationPrivileges = async (privileges) => {
+    const checkApplicationPrivileges = async (privileges) => {
       const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
         body: {
           applications: [{
@@ -67,38 +67,38 @@ export function hasPrivilegesWithServer(server) {
       return Object.values(privilegeCheck.index[kibanaIndex]).includes(true);
     };
 
-    return async function hasPrivileges(privileges) {
+    return async function checkPrivileges(privileges) {
       const allPrivileges = [versionAction, loginAction, ...privileges];
-      const privilegesCheck = await hasApplicationPrivileges(allPrivileges);
+      const applicationPrivilegesCheck = await checkApplicationPrivileges(allPrivileges);
 
-      const username = privilegesCheck.username;
+      const username = applicationPrivilegesCheck.username;
 
       // We don't want to expose the version privilege to consumers, as it's an implementation detail only to detect version mismatch
-      const missing = Object.keys(privilegesCheck.privileges)
-        .filter(p => !privilegesCheck.privileges[p])
+      const missing = Object.keys(applicationPrivilegesCheck.privileges)
+        .filter(p => !applicationPrivilegesCheck.privileges[p])
         .filter(p => p !== versionAction);
 
-      if (privilegesCheck.hasAllRequested) {
+      if (applicationPrivilegesCheck.hasAllRequested) {
         return {
-          result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+          result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
           username,
           missing,
         };
       }
 
-      if (!privilegesCheck.privileges[loginAction] && await hasPrivilegesOnKibanaIndex()) {
-        const msg = `Relying on implicit privileges determined from the index privileges is deprecated and will be removed in Kibana 7.0`;
+      if (!applicationPrivilegesCheck.privileges[loginAction] && await hasPrivilegesOnKibanaIndex()) {
+        const msg = 'Relying on index privileges is deprecated and will be removed in Kibana 7.0';
         server.log(['warning', 'deprecated', 'security'], msg);
 
         return {
-          result: HAS_PRIVILEGES_RESULT.LEGACY,
+          result: CHECK_PRIVILEGES_RESULT.LEGACY,
           username,
           missing,
         };
       }
 
       return {
-        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
         username,
         missing,
       };
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
similarity index 84%
rename from x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
rename to x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
index 5942e0058691b9..13299709577f04 100644
--- a/x-pack/plugins/security/server/lib/authorization/has_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { hasPrivilegesWithServer, HAS_PRIVILEGES_RESULT } from './has_privileges';
+import { checkPrivilegesWithRequestFactory, CHECK_PRIVILEGES_RESULT } from './check_privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
 import { getLoginAction, getVersionAction } from '../privileges';
@@ -76,12 +76,12 @@ const createMockCallWithRequest = (responses) => {
   return mockCallWithRequest;
 };
 
+const deprecationMessage = 'Relying on index privileges is deprecated and will be removed in Kibana 7.0';
 const expectNoDeprecationLogged = (mockServer) => {
-  expect(mockServer.log).not.toHaveBeenCalled();
+  expect(mockServer.log).not.toHaveBeenCalledWith(['warning', 'deprecated', 'security'], deprecationMessage);
 };
-
 const expectDeprecationLogged = (mockServer) => {
-  expect(mockServer.log).toHaveBeenCalledWith(['warning', 'deprecated', 'security'], expect.stringContaining('deprecated'));
+  expect(mockServer.log).toHaveBeenCalledWith(['warning', 'deprecated', 'security'], deprecationMessage);
 };
 
 test(`returns authorized if they have all application privileges`, async () => {
@@ -101,11 +101,11 @@ test(`returns authorized if they have all application privileges`, async () => {
     })
   ]);
 
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockServer);
   const request = Symbol();
-  const hasPrivileges = hasPrivilegesWithRequest(request);
+  const checkPrivileges = checkPrivilegesWithRequest(request);
   const privileges = [privilege];
-  const result = await hasPrivileges(privileges);
+  const result = await checkPrivileges(privileges);
 
   expectNoDeprecationLogged(mockServer);
   expect(mockCallWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
@@ -120,7 +120,7 @@ test(`returns authorized if they have all application privileges`, async () => {
     }
   });
   expect(result).toEqual({
-    result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+    result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
     username,
     missing: [],
   });
@@ -145,11 +145,11 @@ test(`returns unauthorized they have only one application privilege`, async () =
     })
   ]);
 
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+  const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockServer);
   const request = Symbol();
-  const hasPrivileges = hasPrivilegesWithRequest(request);
+  const checkPrivileges = checkPrivilegesWithRequest(request);
   const privileges = [privilege1, privilege2];
-  const result = await hasPrivileges(privileges);
+  const result = await checkPrivileges(privileges);
 
   expectNoDeprecationLogged(mockServer);
   expect(mockCallWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
@@ -164,7 +164,7 @@ test(`returns unauthorized they have only one application privilege`, async () =
     }
   });
   expect(result).toEqual({
-    result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+    result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
     username,
     missing: [privilege2],
   });
@@ -184,10 +184,10 @@ test(`throws error if missing version privilege and has login privilege`, async
     })
   ]);
 
-  const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
-  const hasPrivileges = hasPrivilegesWithRequest({});
+  const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockServer);
+  const checkPrivileges = checkPrivilegesWithRequest({});
 
-  await expect(hasPrivileges([privilege])).rejects.toThrowErrorMatchingSnapshot();
+  await expect(checkPrivileges([privilege])).rejects.toThrowErrorMatchingSnapshot();
   expectNoDeprecationLogged(mockServer);
 });
 
@@ -216,11 +216,11 @@ describe('legacy fallback with no application privileges', () => {
       })
     ]);
 
-    const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+    const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockServer);
     const request = Symbol();
-    const hasPrivileges = hasPrivilegesWithRequest(request);
+    const checkPrivileges = checkPrivilegesWithRequest(request);
     const privileges = [privilege];
-    const result = await hasPrivileges(privileges);
+    const result = await checkPrivileges(privileges);
 
     expectNoDeprecationLogged(mockServer);
     expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
@@ -243,7 +243,7 @@ describe('legacy fallback with no application privileges', () => {
       }
     });
     expect(result).toEqual({
-      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
       missing: [getLoginAction(), ...privileges],
     });
@@ -275,11 +275,11 @@ describe('legacy fallback with no application privileges', () => {
         })
       ]);
 
-      const hasPrivilegesWithRequest = hasPrivilegesWithServer(mockServer);
+      const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockServer);
       const request = Symbol();
-      const hasPrivileges = hasPrivilegesWithRequest(request);
+      const checkPrivileges = checkPrivilegesWithRequest(request);
       const privileges = [privilege];
-      const result = await hasPrivileges(privileges);
+      const result = await checkPrivileges(privileges);
 
       expectDeprecationLogged(mockServer);
       expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
@@ -302,7 +302,7 @@ describe('legacy fallback with no application privileges', () => {
         }
       });
       expect(result).toEqual({
-        result: HAS_PRIVILEGES_RESULT.LEGACY,
+        result: CHECK_PRIVILEGES_RESULT.LEGACY,
         username,
         missing: [getLoginAction(), ...privileges],
       });
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index fce39c03d6e06d..969990593f0c47 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -5,7 +5,7 @@
  */
 
 import { get, uniq } from 'lodash';
-import { HAS_PRIVILEGES_RESULT } from '../authorization/has_privileges';
+import { CHECK_PRIVILEGES_RESULT } from '../authorization/check_privileges';
 
 const getPrivilege = (type, action) => {
   return `action:saved_objects/${type}/${action}`;
@@ -17,7 +17,7 @@ export class SecureSavedObjectsClient {
       errors,
       internalRepository,
       callWithRequestRepository,
-      hasPrivileges,
+      checkPrivileges,
       auditLogger,
       savedObjectTypes,
     } = options;
@@ -25,7 +25,7 @@ export class SecureSavedObjectsClient {
     this.errors = errors;
     this._internalRepository = internalRepository;
     this._callWithRequestRepository = callWithRequestRepository;
-    this._hasPrivileges = hasPrivileges;
+    this._checkPrivileges = checkPrivileges;
     this._auditLogger = auditLogger;
     this._savedObjectTypes = savedObjectTypes;
   }
@@ -106,15 +106,15 @@ export class SecureSavedObjectsClient {
   async _execute(typeOrTypes, action, args, fn) {
     const types = Array.isArray(typeOrTypes) ? typeOrTypes : [typeOrTypes];
     const privileges = types.map(type => getPrivilege(type, action));
-    const { result, username, missing } = await this._hasSavedObjectPrivileges(privileges);
+    const { result, username, missing } = await this._checkSavedObjectPrivileges(privileges);
 
     switch (result) {
-      case HAS_PRIVILEGES_RESULT.AUTHORIZED:
+      case CHECK_PRIVILEGES_RESULT.AUTHORIZED:
         this._auditLogger.savedObjectsAuthorizationSuccess(username, action, types, args);
         return await fn(this._internalRepository);
-      case HAS_PRIVILEGES_RESULT.LEGACY:
+      case CHECK_PRIVILEGES_RESULT.LEGACY:
         return await fn(this._callWithRequestRepository);
-      case HAS_PRIVILEGES_RESULT.UNAUTHORIZED:
+      case CHECK_PRIVILEGES_RESULT.UNAUTHORIZED:
         this._auditLogger.savedObjectsAuthorizationFailure(username, action, types, missing, args);
         const msg = `Unable to ${action} ${types.sort().join(',')}, missing ${missing.sort().join(',')}`;
         throw this.errors.decorateForbiddenError(new Error(msg));
@@ -129,9 +129,9 @@ export class SecureSavedObjectsClient {
     // we have to filter for only their authorized types
     const types = this._savedObjectTypes;
     const typesToPrivilegesMap = new Map(types.map(type => [type, getPrivilege(type, action)]));
-    const { result, username, missing } = await this._hasSavedObjectPrivileges(Array.from(typesToPrivilegesMap.values()));
+    const { result, username, missing } = await this._checkSavedObjectPrivileges(Array.from(typesToPrivilegesMap.values()));
 
-    if (result === HAS_PRIVILEGES_RESULT.LEGACY) {
+    if (result === CHECK_PRIVILEGES_RESULT.LEGACY) {
       return await this._callWithRequestRepository.find(options);
     }
 
@@ -158,9 +158,9 @@ export class SecureSavedObjectsClient {
     });
   }
 
-  async _hasSavedObjectPrivileges(privileges) {
+  async _checkSavedObjectPrivileges(privileges) {
     try {
-      return await this._hasPrivileges(privileges);
+      return await this._checkPrivileges(privileges);
     } catch(error) {
       const { reason } = get(error, 'body.error', {});
       throw this.errors.decorateGeneralError(error, reason);
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
index 4d77c48c56b950..5e1b1f71165246 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
@@ -5,7 +5,7 @@
  */
 
 import { SecureSavedObjectsClient } from './secure_saved_objects_client';
-import { HAS_PRIVILEGES_RESULT } from '../authorization/has_privileges';
+import { CHECK_PRIVILEGES_RESULT } from '../authorization/check_privileges';
 
 const createMockErrors = () => {
   const forbiddenError = new Error('Mock ForbiddenError');
@@ -40,19 +40,19 @@ describe('#create', () => {
   test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
     const type = 'foo';
     const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
       throw new Error();
     });
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
 
     await expect(client.create(type)).rejects.toThrowError(mockErrors.generalError);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/create`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/create`]);
     expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -62,8 +62,8 @@ describe('#create', () => {
     const type = 'foo';
     const username = Symbol();
     const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
       missing: [
         `action:saved_objects/${type}/create`
@@ -72,7 +72,7 @@ describe('#create', () => {
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const attributes = Symbol();
@@ -80,7 +80,7 @@ describe('#create', () => {
 
     await expect(client.create(type, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/create`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/create`]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
       username,
@@ -103,14 +103,14 @@ describe('#create', () => {
     const mockRepository = {
       create: jest.fn().mockReturnValue(returnValue)
     };
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
       username,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       internalRepository: mockRepository,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const attributes = Symbol();
@@ -135,8 +135,8 @@ describe('#create', () => {
     const mockRepository = {
       create: jest.fn().mockReturnValue(returnValue)
     };
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.LEGACY,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
       username,
       missing: [
         `action:saved_objects/${type}/create`
@@ -145,7 +145,7 @@ describe('#create', () => {
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       callWithRequestRepository: mockRepository,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const attributes = Symbol();
@@ -164,19 +164,19 @@ describe('#bulkCreate', () => {
   test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
     const type = 'foo';
     const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
       throw new Error();
     });
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
 
     await expect(client.bulkCreate([{ type }])).rejects.toThrowError(mockErrors.generalError);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/bulk_create`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/bulk_create`]);
     expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -187,8 +187,8 @@ describe('#bulkCreate', () => {
     const type2 = 'bar';
     const username = Symbol();
     const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
       missing: [
         `action:saved_objects/${type1}/bulk_create`
@@ -197,7 +197,7 @@ describe('#bulkCreate', () => {
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const objects = [
@@ -209,7 +209,7 @@ describe('#bulkCreate', () => {
 
     await expect(client.bulkCreate(objects, options)).rejects.toThrowError(mockErrors.forbiddenError);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([
       `action:saved_objects/${type1}/bulk_create`,
       `action:saved_objects/${type2}/bulk_create`
     ]);
@@ -234,14 +234,14 @@ describe('#bulkCreate', () => {
     const mockRepository = {
       bulkCreate: jest.fn().mockReturnValue(returnValue)
     };
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
       username,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       internalRepository: mockRepository,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const objects = [
@@ -269,8 +269,8 @@ describe('#bulkCreate', () => {
     const mockRepository = {
       bulkCreate: jest.fn().mockReturnValue(returnValue)
     };
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.LEGACY,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
       username,
       missing: [
         `action:saved_objects/${type1}/bulk_create`,
@@ -280,7 +280,7 @@ describe('#bulkCreate', () => {
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       callWithRequestRepository: mockRepository,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const objects = [
@@ -302,19 +302,19 @@ describe('#delete', () => {
   test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
     const type = 'foo';
     const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
       throw new Error();
     });
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
 
     await expect(client.delete(type)).rejects.toThrowError(mockErrors.generalError);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/delete`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/delete`]);
     expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -324,8 +324,8 @@ describe('#delete', () => {
     const type = 'foo';
     const username = Symbol();
     const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
       missing: [
         `action:saved_objects/${type}/delete`
@@ -334,14 +334,14 @@ describe('#delete', () => {
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const id = Symbol();
 
     await expect(client.delete(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/delete`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/delete`]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
       username,
@@ -363,14 +363,14 @@ describe('#delete', () => {
     const mockRepository = {
       delete: jest.fn().mockReturnValue(returnValue)
     };
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
       username,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       internalRepository: mockRepository,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const id = Symbol();
@@ -393,8 +393,8 @@ describe('#delete', () => {
     const mockRepository = {
       delete: jest.fn().mockReturnValue(returnValue)
     };
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.LEGACY,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
       username,
       missing: [
         `action:saved_objects/${type}/delete`
@@ -403,7 +403,7 @@ describe('#delete', () => {
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       callWithRequestRepository: mockRepository,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const id = Symbol();
@@ -422,19 +422,19 @@ describe('#find', () => {
     test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
       const type = 'foo';
       const mockErrors = createMockErrors();
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
         throw new Error();
       });
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
-        hasPrivileges: mockHasPrivileges,
+        checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
       });
 
       await expect(client.find({ type })).rejects.toThrowError(mockErrors.generalError);
 
-      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
       expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -445,8 +445,8 @@ describe('#find', () => {
       const username = Symbol();
       const mockRepository = {};
       const mockErrors = createMockErrors();
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
         username,
         missing: [
           `action:saved_objects/${type}/find`
@@ -456,14 +456,14 @@ describe('#find', () => {
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
         internalRepository: mockRepository,
-        hasPrivileges: mockHasPrivileges,
+        checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
       });
       const options = { type };
 
       await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
 
-      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
       expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
         username,
@@ -482,8 +482,8 @@ describe('#find', () => {
       const type2 = 'bar';
       const username = Symbol();
       const mockErrors = createMockErrors();
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
         username,
         missing: [
           `action:saved_objects/${type1}/find`
@@ -492,14 +492,14 @@ describe('#find', () => {
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
-        hasPrivileges: mockHasPrivileges,
+        checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
       });
       const options = { type: [ type1, type2 ] };
 
       await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
 
-      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
       expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
         username,
@@ -519,8 +519,8 @@ describe('#find', () => {
       const username = Symbol();
       const mockRepository = {};
       const mockErrors = createMockErrors();
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
         username,
         missing: [
           `action:saved_objects/${type1}/find`,
@@ -531,14 +531,14 @@ describe('#find', () => {
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
         repository: mockRepository,
-        hasPrivileges: mockHasPrivileges,
+        checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
       });
       const options = { type: [ type1, type2 ] };
 
       await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
 
-      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
       expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
         username,
@@ -559,14 +559,14 @@ describe('#find', () => {
       const mockRepository = {
         find: jest.fn().mockReturnValue(returnValue)
       };
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+        result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
         username,
       }));
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
         internalRepository: mockRepository,
-        hasPrivileges: mockHasPrivileges,
+        checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
       });
       const options = { type };
@@ -588,8 +588,8 @@ describe('#find', () => {
       const mockRepository = {
         find: jest.fn().mockReturnValue(returnValue)
       };
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        result: HAS_PRIVILEGES_RESULT.LEGACY,
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+        result: CHECK_PRIVILEGES_RESULT.LEGACY,
         username,
         missing: [
           `action:saved_objects/${type}/find`
@@ -598,7 +598,7 @@ describe('#find', () => {
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
         callWithRequestRepository: mockRepository,
-        hasPrivileges: mockHasPrivileges,
+        checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
       });
       const options = { type };
@@ -618,21 +618,21 @@ describe('#find', () => {
       const type2 = 'bar';
       const mockRepository = {};
       const mockErrors = createMockErrors();
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
         throw new Error();
       });
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
         repository: mockRepository,
-        hasPrivileges: mockHasPrivileges,
+        checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
         savedObjectTypes: [type1, type2]
       });
 
       await expect(client.find()).rejects.toThrowError(mockErrors.generalError);
 
-      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
       expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -643,8 +643,8 @@ describe('#find', () => {
       const username = Symbol();
       const mockRepository = {};
       const mockErrors = createMockErrors();
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
         username,
         missing: [
           `action:saved_objects/${type}/find`
@@ -654,7 +654,7 @@ describe('#find', () => {
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
         repository: mockRepository,
-        hasPrivileges: mockHasPrivileges,
+        checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
         savedObjectTypes: [type]
       });
@@ -662,7 +662,7 @@ describe('#find', () => {
 
       await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
 
-      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
       expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
         username,
@@ -684,8 +684,8 @@ describe('#find', () => {
         find: jest.fn().mockReturnValue(returnValue)
       };
       const mockErrors = createMockErrors();
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        result: HAS_PRIVILEGES_RESULT.LEGACY,
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+        result: CHECK_PRIVILEGES_RESULT.LEGACY,
         username,
         missing: [
           `action:saved_objects/${type}/find`
@@ -695,7 +695,7 @@ describe('#find', () => {
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
         callWithRequestRepository: mockRepository,
-        hasPrivileges: mockHasPrivileges,
+        checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
         savedObjectTypes: [type]
       });
@@ -704,7 +704,7 @@ describe('#find', () => {
       const result = await client.find(options);
 
       expect(result).toBe(returnValue);
-      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
       expect(mockRepository.find).toHaveBeenCalledWith(options);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -717,8 +717,8 @@ describe('#find', () => {
         find: jest.fn(),
       };
       const mockErrors = createMockErrors();
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
         missing: [
           `action:saved_objects/${type1}/find`
         ]
@@ -727,14 +727,14 @@ describe('#find', () => {
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
         internalRepository: mockRepository,
-        hasPrivileges: mockHasPrivileges,
+        checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
         savedObjectTypes: [type1, type2]
       });
 
       await client.find();
 
-      expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
       expect(mockRepository.find).toHaveBeenCalledWith(expect.objectContaining({
         type: [type2]
       }));
@@ -747,15 +747,15 @@ describe('#find', () => {
       const mockRepository = {
         find: jest.fn().mockReturnValue(returnValue)
       };
-      const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-        result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+        result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
         username,
         missing: [],
       }));
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
         internalRepository: mockRepository,
-        hasPrivileges: mockHasPrivileges,
+        checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
         savedObjectTypes: [type]
       });
@@ -777,19 +777,19 @@ describe('#bulkGet', () => {
   test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
     const type = 'foo';
     const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
       throw new Error();
     });
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
 
     await expect(client.bulkGet([{ type }])).rejects.toThrowError(mockErrors.generalError);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith(['action:saved_objects/foo/bulk_get']);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith(['action:saved_objects/foo/bulk_get']);
     expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -800,8 +800,8 @@ describe('#bulkGet', () => {
     const type2 = 'bar';
     const username = Symbol();
     const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
       missing: [
         `action:saved_objects/${type1}/bulk_get`
@@ -810,7 +810,7 @@ describe('#bulkGet', () => {
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const objects = [
@@ -821,7 +821,7 @@ describe('#bulkGet', () => {
 
     await expect(client.bulkGet(objects)).rejects.toThrowError(mockErrors.forbiddenError);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/bulk_get`, `action:saved_objects/${type2}/bulk_get`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/bulk_get`, `action:saved_objects/${type2}/bulk_get`]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
       username,
@@ -843,14 +843,14 @@ describe('#bulkGet', () => {
     const mockRepository = {
       bulkGet: jest.fn().mockReturnValue(returnValue)
     };
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
       username,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       internalRepository: mockRepository,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const objects = [
@@ -876,8 +876,8 @@ describe('#bulkGet', () => {
     const mockRepository = {
       bulkGet: jest.fn().mockReturnValue(returnValue)
     };
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.LEGACY,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
       username,
       missing: [
         `action:saved_objects/${type1}/bulk_get`,
@@ -887,7 +887,7 @@ describe('#bulkGet', () => {
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       callWithRequestRepository: mockRepository,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const objects = [
@@ -908,19 +908,19 @@ describe('#get', () => {
   test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
     const type = 'foo';
     const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
       throw new Error();
     });
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
 
     await expect(client.get(type)).rejects.toThrowError(mockErrors.generalError);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/get`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/get`]);
     expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -930,8 +930,8 @@ describe('#get', () => {
     const type = 'foo';
     const username = Symbol();
     const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
       missing: [
         `action:saved_objects/${type}/get`
@@ -940,14 +940,14 @@ describe('#get', () => {
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const id = Symbol();
 
     await expect(client.get(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/get`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/get`]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
       username,
@@ -969,14 +969,14 @@ describe('#get', () => {
     const mockRepository = {
       get: jest.fn().mockReturnValue(returnValue)
     };
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
       username,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       internalRepository: mockRepository,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const id = Symbol();
@@ -999,8 +999,8 @@ describe('#get', () => {
     const mockRepository = {
       get: jest.fn().mockReturnValue(returnValue)
     };
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.LEGACY,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
       username,
       missing: [
         `action:saved_objects/${type}/get`
@@ -1009,7 +1009,7 @@ describe('#get', () => {
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       callWithRequestRepository: mockRepository,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const id = Symbol();
@@ -1027,19 +1027,19 @@ describe('#update', () => {
   test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
     const type = 'foo';
     const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => {
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
       throw new Error();
     });
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
 
     await expect(client.update(type)).rejects.toThrowError(mockErrors.generalError);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/update`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/update`]);
     expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -1049,8 +1049,8 @@ describe('#update', () => {
     const type = 'foo';
     const username = Symbol();
     const mockErrors = createMockErrors();
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
       missing: [
         'action:saved_objects/foo/update'
@@ -1059,7 +1059,7 @@ describe('#update', () => {
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const id = Symbol();
@@ -1068,7 +1068,7 @@ describe('#update', () => {
 
     await expect(client.update(type, id, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
 
-    expect(mockHasPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/update`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/update`]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
       username,
@@ -1092,14 +1092,14 @@ describe('#update', () => {
     const mockRepository = {
       update: jest.fn().mockReturnValue(returnValue)
     };
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
       username,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       internalRepository: mockRepository,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const id = Symbol();
@@ -1126,8 +1126,8 @@ describe('#update', () => {
     const mockRepository = {
       update: jest.fn().mockReturnValue(returnValue)
     };
-    const mockHasPrivileges = jest.fn().mockImplementation(async () => ({
-      result: HAS_PRIVILEGES_RESULT.LEGACY,
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
       username,
       missing: [
         'action:saved_objects/foo/update'
@@ -1136,7 +1136,7 @@ describe('#update', () => {
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       callWithRequestRepository: mockRepository,
-      hasPrivileges: mockHasPrivileges,
+      checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
     });
     const id = Symbol();

From c1689f7f315a6726c9295bbb66b29a3cb2dd31fa Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 2 Jul 2018 14:22:44 -0400
Subject: [PATCH 065/183] Revising check_license tests

---
 .../server/lib/__tests__/check_license.js     | 68 ++-----------------
 1 file changed, 5 insertions(+), 63 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/__tests__/check_license.js b/x-pack/plugins/security/server/lib/__tests__/check_license.js
index 53e3eb09eefdfa..bd5420af37d00e 100644
--- a/x-pack/plugins/security/server/lib/__tests__/check_license.js
+++ b/x-pack/plugins/security/server/lib/__tests__/check_license.js
@@ -18,7 +18,6 @@ describe('check_license', function () {
       feature: sinon.stub(),
       license: sinon.stub({
         isOneOf() {},
-        isActive() {}
       })
     };
 
@@ -42,7 +41,6 @@ describe('check_license', function () {
 
   it('should not show login page or other security elements if license is basic.', () => {
     mockXPackInfo.license.isOneOf.withArgs(['basic']).returns(true);
-    mockXPackInfo.license.isActive.returns(true);
     mockXPackInfo.feature.withArgs('security').returns({
       isEnabled: () => { return true; }
     });
@@ -61,7 +59,6 @@ describe('check_license', function () {
 
   it('should not show login page or other security elements if security is disabled in Elasticsearch.', () => {
     mockXPackInfo.license.isOneOf.withArgs(['basic']).returns(false);
-    mockXPackInfo.license.isActive.returns(true);
     mockXPackInfo.feature.withArgs('security').returns({
       isEnabled: () => { return false; }
     });
@@ -78,30 +75,14 @@ describe('check_license', function () {
     });
   });
 
-  it('should allow to login but forbid document level security if license is not platinum, trial or basic.', () => {
-    const isBasicOrTrialOrPlatinumMatcher = sinon.match(
-      (licenses) => licenses.includes('basic')
-        || licenses.includes('trial')
-        || licenses.includes('platinum')
-    );
+  it('should allow to login and allow RBAC but forbid document level security if license is not platinum or trial.', () => {
     mockXPackInfo.license.isOneOf
-      .returns(true)
-      .withArgs(isBasicOrTrialOrPlatinumMatcher).returns(false);
+      .returns(false)
+      .withArgs(['platinum', 'trial']).returns(false);
     mockXPackInfo.feature.withArgs('security').returns({
       isEnabled: () => { return true; }
     });
 
-    mockXPackInfo.license.isActive.returns(true);
-    expect(checkLicense(mockXPackInfo)).to.be.eql({
-      showLogin: true,
-      allowLogin: true,
-      showLinks: true,
-      allowRoleDocumentLevelSecurity: false,
-      allowRoleFieldLevelSecurity: false,
-      allowRbac: true,
-    });
-
-    mockXPackInfo.license.isActive.returns(false);
     expect(checkLicense(mockXPackInfo)).to.be.eql({
       showLogin: true,
       allowLogin: true,
@@ -112,25 +93,14 @@ describe('check_license', function () {
     });
   });
 
-  it('should allow to login and document level security if license is platinum.', () => {
+  it('should allow to login, allow RBAC and document level security if license is platinum or trial.', () => {
     mockXPackInfo.license.isOneOf
       .returns(false)
-      .withArgs(sinon.match((licenses) => licenses.includes('platinum'))).returns(true);
+      .withArgs(['platinum', 'trial']).returns(true);
     mockXPackInfo.feature.withArgs('security').returns({
       isEnabled: () => { return true; }
     });
 
-    mockXPackInfo.license.isActive.returns(true);
-    expect(checkLicense(mockXPackInfo)).to.be.eql({
-      showLogin: true,
-      allowLogin: true,
-      showLinks: true,
-      allowRoleDocumentLevelSecurity: true,
-      allowRoleFieldLevelSecurity: true,
-      allowRbac: true,
-    });
-
-    mockXPackInfo.license.isActive.returns(false);
     expect(checkLicense(mockXPackInfo)).to.be.eql({
       showLogin: true,
       allowLogin: true,
@@ -141,32 +111,4 @@ describe('check_license', function () {
     });
   });
 
-  it('should allow to login and document level security if license is trial.', () => {
-    mockXPackInfo.license.isOneOf
-      .returns(false)
-      .withArgs(sinon.match((licenses) => licenses.includes('trial'))).returns(true);
-    mockXPackInfo.feature.withArgs('security').returns({
-      isEnabled: () => { return true; }
-    });
-
-    mockXPackInfo.license.isActive.returns(true);
-    expect(checkLicense(mockXPackInfo)).to.be.eql({
-      showLogin: true,
-      allowLogin: true,
-      showLinks: true,
-      allowRoleDocumentLevelSecurity: true,
-      allowRoleFieldLevelSecurity: true,
-      allowRbac: true,
-    });
-
-    mockXPackInfo.license.isActive.returns(false);
-    expect(checkLicense(mockXPackInfo)).to.be.eql({
-      showLogin: true,
-      allowLogin: true,
-      showLinks: true,
-      allowRoleDocumentLevelSecurity: true,
-      allowRoleFieldLevelSecurity: true,
-      allowRbac: true,
-    });
-  });
 });

From c7ae3e89e2dcb358b1267cc04764d720a64c4405 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 2 Jul 2018 14:44:46 -0400
Subject: [PATCH 066/183] Adding 2 more privileges tests

---
 .../privilege_action_registry.test.js         | 32 +++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
index 8e2eac429724b1..59b354fc247712 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
@@ -170,7 +170,7 @@ registerPrivilegesWithClusterTest(`passes saved object types, application and ki
   },
 });
 
-registerPrivilegesWithClusterTest(`updates privileges when simple top-level privileges don't match`, {
+registerPrivilegesWithClusterTest(`updates privileges when simple top-level privileges values don't match`, {
   expectedPrivileges: {
     expected: true
   },
@@ -182,7 +182,19 @@ registerPrivilegesWithClusterTest(`updates privileges when simple top-level priv
   }
 });
 
-registerPrivilegesWithClusterTest(`updates privileges when nested privileges don't match`, {
+registerPrivilegesWithClusterTest(`updates privileges when we have two different simple top-level privileges`, {
+  expectedPrivileges: {
+    notExpected: true
+  },
+  existingPrivileges: {
+    expected: true
+  },
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`updates privileges when nested privileges values don't match`, {
   expectedPrivileges: {
     kibana: {
       expected: true
@@ -198,6 +210,22 @@ registerPrivilegesWithClusterTest(`updates privileges when nested privileges don
   }
 });
 
+registerPrivilegesWithClusterTest(`updates privileges when we have two different nested privileges`, {
+  expectedPrivileges: {
+    kibana: {
+      notExpected: true
+    }
+  },
+  existingPrivileges: {
+    kibana: {
+      expected: false
+    }
+  },
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
 registerPrivilegesWithClusterTest(`updates privileges when nested privileges arrays don't match`, {
   expectedPrivileges: {
     kibana: {

From 03f7931a6ae03dbdce01f08e760c769bdf806f74 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 2 Jul 2018 14:46:32 -0400
Subject: [PATCH 067/183] Moving the other _find method to be near his friend

---
 .../secure_saved_objects_client.js            | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index 969990593f0c47..419a379f7d0239 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -66,15 +66,6 @@ export class SecureSavedObjectsClient {
     return await this._findAcrossAllTypes(options);
   }
 
-  async _findWithTypes(options) {
-    return await this._execute(
-      options.type,
-      'find',
-      { options },
-      repository => repository.find(options)
-    );
-  }
-
   async bulkGet(objects = []) {
     const types = uniq(objects.map(o => o.type));
     return await this._execute(
@@ -103,6 +94,15 @@ export class SecureSavedObjectsClient {
     );
   }
 
+  async _checkSavedObjectPrivileges(privileges) {
+    try {
+      return await this._checkPrivileges(privileges);
+    } catch(error) {
+      const { reason } = get(error, 'body.error', {});
+      throw this.errors.decorateGeneralError(error, reason);
+    }
+  }
+
   async _execute(typeOrTypes, action, args, fn) {
     const types = Array.isArray(typeOrTypes) ? typeOrTypes : [typeOrTypes];
     const privileges = types.map(type => getPrivilege(type, action));
@@ -158,12 +158,12 @@ export class SecureSavedObjectsClient {
     });
   }
 
-  async _checkSavedObjectPrivileges(privileges) {
-    try {
-      return await this._checkPrivileges(privileges);
-    } catch(error) {
-      const { reason } = get(error, 'body.error', {});
-      throw this.errors.decorateGeneralError(error, reason);
-    }
+  async _findWithTypes(options) {
+    return await this._execute(
+      options.type,
+      'find',
+      { options },
+      repository => repository.find(options)
+    );
   }
 }

From 98acdc00b22731cd7f7d5bdd1273d3e4a0f344d1 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 2 Jul 2018 14:49:08 -0400
Subject: [PATCH 068/183] Spelling "returning" correctly, whoops

---
 x-pack/plugins/security/server/routes/api/v1/privileges.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security/server/routes/api/v1/privileges.js b/x-pack/plugins/security/server/routes/api/v1/privileges.js
index 273994b25e562b..e3c830bf176885 100644
--- a/x-pack/plugins/security/server/routes/api/v1/privileges.js
+++ b/x-pack/plugins/security/server/routes/api/v1/privileges.js
@@ -16,7 +16,7 @@ export function initPrivilegesApi(server) {
     method: 'GET',
     path: '/api/security/v1/privileges',
     handler(request, reply) {
-      // we're returing our representation of the privileges, as opposed to the ones that are stored
+      // we're returning our representation of the privileges, as opposed to the ones that are stored
       // in Elasticsearch because our current thinking is that we'll associate additional structure/metadata
       // with our view of them to allow users to more efficiently edit privileges for roles, and serialize it
       // into a different structure for enforcement within Elasticsearch

From 3a95af31f6a030344e04d76e128c5e320dd18f3b Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 2 Jul 2018 15:14:20 -0400
Subject: [PATCH 069/183] Adding Privileges tests

---
 .../test/rbac_api_integration/apis/index.js   |  1 +
 .../apis/privileges/index.js                  | 64 +++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 x-pack/test/rbac_api_integration/apis/privileges/index.js

diff --git a/x-pack/test/rbac_api_integration/apis/index.js b/x-pack/test/rbac_api_integration/apis/index.js
index eff74e5f38dbe2..0d89728aa04ff6 100644
--- a/x-pack/test/rbac_api_integration/apis/index.js
+++ b/x-pack/test/rbac_api_integration/apis/index.js
@@ -6,6 +6,7 @@
 
 export default function ({ loadTestFile }) {
   describe('apis RBAC', () => {
+    loadTestFile(require.resolve('./privileges'));
     loadTestFile(require.resolve('./saved_objects'));
   });
 }
diff --git a/x-pack/test/rbac_api_integration/apis/privileges/index.js b/x-pack/test/rbac_api_integration/apis/privileges/index.js
new file mode 100644
index 00000000000000..bc5bc62f608384
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/privileges/index.js
@@ -0,0 +1,64 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+
+export default function ({ getService }) {
+  describe('privileges', () => {
+    it(`get should return privileges`, async () => {
+      const supertest = getService('supertest');
+
+      await supertest
+        .get(`/api/security/v1/privileges`)
+        .expect(200)
+        .then(resp => {
+          expect(resp.body).to.eql([
+            {
+              application: 'kibana',
+              name: 'all',
+              actions: ['version:7.0.0-alpha1', 'action:*'],
+              metadata: {},
+            },
+            {
+              application: 'kibana',
+              name: 'read',
+              actions: [
+                'version:7.0.0-alpha1',
+                'action:login',
+                'action:saved_objects/config/get',
+                'action:saved_objects/config/bulk_get',
+                'action:saved_objects/config/find',
+                'action:saved_objects/timelion-sheet/get',
+                'action:saved_objects/timelion-sheet/bulk_get',
+                'action:saved_objects/timelion-sheet/find',
+                'action:saved_objects/graph-workspace/get',
+                'action:saved_objects/graph-workspace/bulk_get',
+                'action:saved_objects/graph-workspace/find',
+                'action:saved_objects/index-pattern/get',
+                'action:saved_objects/index-pattern/bulk_get',
+                'action:saved_objects/index-pattern/find',
+                'action:saved_objects/visualization/get',
+                'action:saved_objects/visualization/bulk_get',
+                'action:saved_objects/visualization/find',
+                'action:saved_objects/search/get',
+                'action:saved_objects/search/bulk_get',
+                'action:saved_objects/search/find',
+                'action:saved_objects/dashboard/get',
+                'action:saved_objects/dashboard/bulk_get',
+                'action:saved_objects/dashboard/find',
+                'action:saved_objects/url/get',
+                'action:saved_objects/url/bulk_get',
+                'action:saved_objects/url/find',
+                'action:saved_objects/server/get',
+                'action:saved_objects/server/bulk_get',
+                'action:saved_objects/server/find',
+              ],
+              metadata: {},
+            },
+          ]);
+        });
+    });
+  });
+}

From 3299a0a34bc69f5b32b06f5d723f2c7b288d3a94 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 5 Jul 2018 11:21:38 -0400
Subject: [PATCH 070/183] tests for Elasticsearch's privileges APIs

---
 x-pack/test/api_integration/config.js         |   2 +
 .../services/es_supertest_without_auth.js     |  23 +++
 x-pack/test/api_integration/services/index.js |   1 +
 .../apis/es/has_privileges.js                 | 140 ++++++++++++++++++
 .../rbac_api_integration/apis/es/index.js     |  12 ++
 .../apis/es/post_privileges.js                |  98 ++++++++++++
 .../test/rbac_api_integration/apis/index.js   |   1 +
 x-pack/test/rbac_api_integration/config.js    |   1 +
 8 files changed, 278 insertions(+)
 create mode 100644 x-pack/test/api_integration/services/es_supertest_without_auth.js
 create mode 100644 x-pack/test/rbac_api_integration/apis/es/has_privileges.js
 create mode 100644 x-pack/test/rbac_api_integration/apis/es/index.js
 create mode 100644 x-pack/test/rbac_api_integration/apis/es/post_privileges.js

diff --git a/x-pack/test/api_integration/config.js b/x-pack/test/api_integration/config.js
index e68fafa3597682..ac1d8225e294e8 100644
--- a/x-pack/test/api_integration/config.js
+++ b/x-pack/test/api_integration/config.js
@@ -5,6 +5,7 @@
  */
 
 import {
+  EsSupertestWithoutAuthProvider,
   SupertestWithoutAuthProvider,
   UsageAPIProvider,
 } from './services';
@@ -22,6 +23,7 @@ export default async function ({ readConfigFile }) {
       supertest: kibanaAPITestsConfig.get('services.supertest'),
       esSupertest: kibanaAPITestsConfig.get('services.esSupertest'),
       supertestWithoutAuth: SupertestWithoutAuthProvider,
+      esSupertestWithoutAuth: EsSupertestWithoutAuthProvider,
       es: kibanaCommonConfig.get('services.es'),
       esArchiver: kibanaCommonConfig.get('services.esArchiver'),
       usageAPI: UsageAPIProvider,
diff --git a/x-pack/test/api_integration/services/es_supertest_without_auth.js b/x-pack/test/api_integration/services/es_supertest_without_auth.js
new file mode 100644
index 00000000000000..7f0f051bbdfbb7
--- /dev/null
+++ b/x-pack/test/api_integration/services/es_supertest_without_auth.js
@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { format as formatUrl } from 'url';
+
+import supertestAsPromised from 'supertest-as-promised';
+
+/**
+ * Supertest provider that doesn't include user credentials into base URL that is passed
+ * to the supertest.
+ */
+export function EsSupertestWithoutAuthProvider({ getService }) {
+  const config = getService('config');
+  const elasticsearchServerConfig = config.get('servers.elasticsearch');
+
+  return supertestAsPromised(formatUrl({
+    ...elasticsearchServerConfig,
+    auth: false
+  }));
+}
diff --git a/x-pack/test/api_integration/services/index.js b/x-pack/test/api_integration/services/index.js
index 52ec6ba95586af..9caab94932a1c1 100644
--- a/x-pack/test/api_integration/services/index.js
+++ b/x-pack/test/api_integration/services/index.js
@@ -4,5 +4,6 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+export { EsSupertestWithoutAuthProvider } from './es_supertest_without_auth';
 export { SupertestWithoutAuthProvider } from './supertest_without_auth';
 export { UsageAPIProvider } from './usage_api';
diff --git a/x-pack/test/rbac_api_integration/apis/es/has_privileges.js b/x-pack/test/rbac_api_integration/apis/es/has_privileges.js
new file mode 100644
index 00000000000000..1e30eb774cc029
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/es/has_privileges.js
@@ -0,0 +1,140 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+
+const application = 'has_privileges_test';
+
+export default function ({ getService }) {
+
+  describe('has_privileges', () => {
+    before(async () => {
+      const es = getService('es');
+
+      await es.shield.postPrivileges({
+        body: {
+          [application]: {
+            read: {
+              application,
+              name: 'read',
+              actions: ['action:readAction1', 'action:readAction2'],
+              metadata: {},
+            }
+          }
+        }
+      });
+
+      await es.shield.putRole({
+        name: 'hp_read_user',
+        body: {
+          cluster: [],
+          index: [],
+          applications: [{
+            application,
+            privileges: ['read'],
+            resources: ['*']
+          }]
+        }
+      });
+
+      await es.shield.putUser({
+        username: 'testuser',
+        body: {
+          password: 'testpassword',
+          roles: ['hp_read_user'],
+          full_name: 'a kibana user',
+          email: 'a_kibana_rbac_user@elastic.co',
+        }
+      });
+    });
+
+    function createHasPrivilegesRequest(privileges) {
+      const supertest = getService('esSupertestWithoutAuth');
+      return supertest
+        .post(`/_xpack/security/user/_has_privileges`)
+        .auth('testuser', 'testpassword')
+        .send({
+          applications: [{
+            application,
+            privileges,
+            resources: ['*']
+          }]
+        })
+        .expect(200);
+    }
+
+    it('should return true when user has the requested privilege', async () => {
+      await createHasPrivilegesRequest(['read'])
+        .then(response => {
+          expect(response.body).to.eql({
+            username: 'testuser',
+            has_all_requested: true,
+            cluster: {},
+            index: {},
+            application: {
+              has_privileges_test: {
+                ['*']: {
+                  read: true
+                }
+              },
+            }
+          });
+        });
+    });
+
+    it('should return true when user has a newly created privilege', async () => {
+      // verify user does not have privilege yet
+      await createHasPrivilegesRequest(['action:a_new_privilege'])
+        .then(response => {
+          expect(response.body).to.eql({
+            username: 'testuser',
+            has_all_requested: false,
+            cluster: {},
+            index: {},
+            application: {
+              has_privileges_test: {
+                ['*']: {
+                  'action:a_new_privilege': false
+                }
+              },
+            }
+          });
+        });
+
+      // Create privilege
+      const es = getService('es');
+      await es.shield.postPrivileges({
+        body: {
+          [application]: {
+            read: {
+              application,
+              name: 'read',
+              actions: ['action:readAction1', 'action:readAction2', 'action:a_new_privilege'],
+              metadata: {},
+            }
+          }
+        }
+      });
+
+      // verify user has new privilege
+      await createHasPrivilegesRequest(['action:a_new_privilege'])
+        .then(response => {
+          expect(response.body).to.eql({
+            username: 'testuser',
+            has_all_requested: true,
+            cluster: {},
+            index: {},
+            application: {
+              has_privileges_test: {
+                ['*']: {
+                  'action:a_new_privilege': true
+                }
+              },
+            }
+          });
+        });
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/es/index.js b/x-pack/test/rbac_api_integration/apis/es/index.js
new file mode 100644
index 00000000000000..6317d6b93878fc
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/es/index.js
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export default function ({ loadTestFile }) {
+  describe('rbac es', () => {
+    loadTestFile(require.resolve('./has_privileges'));
+    loadTestFile(require.resolve('./post_privileges'));
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/es/post_privileges.js b/x-pack/test/rbac_api_integration/apis/es/post_privileges.js
new file mode 100644
index 00000000000000..bf2266575d3b1f
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/es/post_privileges.js
@@ -0,0 +1,98 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+
+export default function ({ getService }) {
+
+  describe('post_privileges', () => {
+    it('should allow privileges to be updated', async () => {
+      const es = getService('es');
+      const application = 'foo';
+      const response = await es.shield.postPrivileges({
+        body: {
+          [application]: {
+            all: {
+              application,
+              name: 'all',
+              actions: ['action:*'],
+              metadata: {},
+            },
+            read: {
+              application,
+              name: 'read',
+              actions: ['action:readAction1', 'action:readAction2'],
+              metadata: {},
+            }
+          }
+        }
+      });
+
+      expect(response).to.eql({
+        foo: {
+          all: { created: true },
+          read: { created: true }
+        }
+      });
+
+
+      // Update privileges:
+      // 1. Not specifying the "all" privilege that we created above
+      // 2. Specifying a different collection of "read" actions
+      // 3. Adding a new "other" privilege
+      const updateResponse = await es.shield.postPrivileges({
+        body: {
+          [application]: {
+            read: {
+              application,
+              name: 'read',
+              actions: ['action:readAction1', 'action:readAction4'],
+              metadata: {}
+            },
+            other: {
+              application,
+              name: 'other',
+              actions: ['action:otherAction1'],
+              metadata: {},
+            }
+          }
+        }
+      });
+
+      expect(updateResponse).to.eql({
+        foo: {
+          other: { created: true },
+          read: { created: false }
+        }
+      });
+
+      const retrievedPrivilege = await es.shield.getPrivilege({ privilege: application });
+      expect(retrievedPrivilege).to.eql({
+        foo: {
+          // "all" is maintained even though the subsequent update did not specify this privilege
+          all: {
+            application,
+            name: 'all',
+            actions: ['action:*'],
+            metadata: {},
+          },
+          read: {
+            application,
+            name: 'read',
+            // actions should only contain what was present in the update. The original actions are not persisted or merged here.
+            actions: ['action:readAction1', 'action:readAction4'],
+            metadata: {},
+          },
+          other: {
+            application,
+            name: 'other',
+            actions: ['action:otherAction1'],
+            metadata: {},
+          }
+        }
+      });
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/index.js b/x-pack/test/rbac_api_integration/apis/index.js
index 0d89728aa04ff6..cf26e2e7cf4d85 100644
--- a/x-pack/test/rbac_api_integration/apis/index.js
+++ b/x-pack/test/rbac_api_integration/apis/index.js
@@ -6,6 +6,7 @@
 
 export default function ({ loadTestFile }) {
   describe('apis RBAC', () => {
+    loadTestFile(require.resolve('./es'));
     loadTestFile(require.resolve('./privileges'));
     loadTestFile(require.resolve('./saved_objects'));
   });
diff --git a/x-pack/test/rbac_api_integration/config.js b/x-pack/test/rbac_api_integration/config.js
index c2ff96adcff559..771d119c4385ab 100644
--- a/x-pack/test/rbac_api_integration/config.js
+++ b/x-pack/test/rbac_api_integration/config.js
@@ -25,6 +25,7 @@ export default async function ({ readConfigFile }) {
     servers: config.xpack.api.get('servers'),
     services: {
       es: EsProvider,
+      esSupertestWithoutAuth: config.xpack.api.get('services.esSupertestWithoutAuth'),
       supertest: config.kibana.api.get('services.supertest'),
       supertestWithoutAuth: config.xpack.api.get('services.supertestWithoutAuth'),
       esArchiver: config.kibana.functional.get('services.esArchiver'),

From 69420349298d61acb69cfac23584af55069b908b Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 5 Jul 2018 14:12:40 -0400
Subject: [PATCH 071/183] Switching the hard-coded resource from 'default' to *

---
 x-pack/plugins/security/common/constants.js          |  2 +-
 .../security/public/views/management/edit_role.js    | 10 +++++-----
 .../server/lib/authorization/check_privileges.js     |  6 +++---
 .../lib/authorization/check_privileges.test.js       | 12 ++++++------
 .../rbac_api_integration/apis/saved_objects/index.js |  4 ++--
 5 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/x-pack/plugins/security/common/constants.js b/x-pack/plugins/security/common/constants.js
index 2786acb56b0571..1b762d5f15acc6 100644
--- a/x-pack/plugins/security/common/constants.js
+++ b/x-pack/plugins/security/common/constants.js
@@ -4,4 +4,4 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export const DEFAULT_RESOURCE = 'default';
+export const ALL_RESOURCE = '*';
diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
index 49caf22228fee6..226d04b7309964 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role.js
@@ -22,7 +22,7 @@ import { IndexPatternsProvider } from 'ui/index_patterns/index_patterns';
 import { XPackInfoProvider } from 'plugins/xpack_main/services/xpack_info';
 import { checkLicenseError } from 'plugins/security/lib/check_license_error';
 import { EDIT_ROLES_PATH, ROLES_PATH } from './management_urls';
-import { DEFAULT_RESOURCE } from '../../../common/constants';
+import { ALL_RESOURCE } from '../../../common/constants';
 
 const getKibanaPrivileges = (applicationPrivileges, roleApplications, application) => {
   const kibanaPrivileges = applicationPrivileges.reduce((acc, p) => {
@@ -34,10 +34,10 @@ const getKibanaPrivileges = (applicationPrivileges, roleApplications, applicatio
     return kibanaPrivileges;
   }
 
-  // we're filtering out privileges for non-default resources as well incase
-  // the roles were created in a future version
+  // we're filtering out privileges for non-all resources incase the roles were created in a future version
   const applications = roleApplications
-    .filter(roleApplication => roleApplication.application === application && roleApplication.resources.every(r => r === DEFAULT_RESOURCE));
+    .filter(roleApplication => roleApplication.application === application)
+    .filter(roleApplication => !roleApplication.resources.some(resource => resource !== ALL_RESOURCE));
 
   const assigned = _.uniq(_.flatten(_.pluck(applications, 'privileges')));
   assigned.forEach(a => {
@@ -63,7 +63,7 @@ const getRoleApplications = (kibanaPrivileges, currentRoleApplications = [], app
     newRoleApplications.push({
       application,
       privileges: selectedPrivileges,
-      resources: [DEFAULT_RESOURCE]
+      resources: [ALL_RESOURCE]
     });
   }
 
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
index 2ccc0f3e6e0ce9..a84b1cecdac792 100644
--- a/x-pack/plugins/security/server/lib/authorization/check_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
@@ -5,7 +5,7 @@
  */
 
 import { getClient } from '../../../../../server/lib/get_client_shield';
-import { DEFAULT_RESOURCE } from '../../../common/constants';
+import { ALL_RESOURCE } from '../../../common/constants';
 import { getVersionAction, getLoginAction } from '../privileges';
 
 export const CHECK_PRIVILEGES_RESULT = {
@@ -32,13 +32,13 @@ export function checkPrivilegesWithRequestFactory(server) {
         body: {
           applications: [{
             application,
-            resources: [DEFAULT_RESOURCE],
+            resources: [ALL_RESOURCE],
             privileges
           }]
         }
       });
 
-      const hasPrivileges = privilegeCheck.application[application][DEFAULT_RESOURCE];
+      const hasPrivileges = privilegeCheck.application[application][ALL_RESOURCE];
 
       // We include the login action in all privileges, so the existence of it and not the version privilege
       // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
index 13299709577f04..80d7ea6b2b5fd3 100644
--- a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
@@ -6,7 +6,7 @@
 
 import { checkPrivilegesWithRequestFactory, CHECK_PRIVILEGES_RESULT } from './check_privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
-import { DEFAULT_RESOURCE } from '../../../common/constants';
+import { ALL_RESOURCE } from '../../../common/constants';
 import { getLoginAction, getVersionAction } from '../privileges';
 
 jest.mock('../../../../../server/lib/get_client_shield', () => ({
@@ -49,7 +49,7 @@ const mockApplicationPrivilegeResponse = ({ hasAllRequested, privileges, applica
     has_all_requested: hasAllRequested,
     application: {
       [application]: {
-        [DEFAULT_RESOURCE]: privileges
+        [ALL_RESOURCE]: privileges
       }
     }
   };
@@ -112,7 +112,7 @@ test(`returns authorized if they have all application privileges`, async () => {
     body: {
       applications: [{
         application: defaultApplication,
-        resources: [DEFAULT_RESOURCE],
+        resources: [ALL_RESOURCE],
         privileges: [
           getVersionAction(defaultVersion), getLoginAction(), ...privileges
         ]
@@ -156,7 +156,7 @@ test(`returns unauthorized they have only one application privilege`, async () =
     body: {
       applications: [{
         application: defaultApplication,
-        resources: [DEFAULT_RESOURCE],
+        resources: [ALL_RESOURCE],
         privileges: [
           getVersionAction(defaultVersion), getLoginAction(), ...privileges
         ]
@@ -227,7 +227,7 @@ describe('legacy fallback with no application privileges', () => {
       body: {
         applications: [{
           application: defaultApplication,
-          resources: [DEFAULT_RESOURCE],
+          resources: [ALL_RESOURCE],
           privileges: [
             getVersionAction(defaultVersion), getLoginAction(), ...privileges
           ]
@@ -286,7 +286,7 @@ describe('legacy fallback with no application privileges', () => {
         body: {
           applications: [{
             application: defaultApplication,
-            resources: [DEFAULT_RESOURCE],
+            resources: [ALL_RESOURCE],
             privileges: [
               getVersionAction(defaultVersion), getLoginAction(), ...privileges
             ]
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
index 05f06088751ea3..6336d4bcd47ecc 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
@@ -44,7 +44,7 @@ export default function ({ loadTestFile, getService }) {
             {
               application: 'kibana',
               privileges: [ 'all' ],
-              resources: [ 'default' ]
+              resources: [ '*' ]
             }
           ]
         }
@@ -59,7 +59,7 @@ export default function ({ loadTestFile, getService }) {
             {
               application: 'kibana',
               privileges: [ 'read' ],
-              resources: [ 'default' ]
+              resources: [ '*' ]
             }
           ]
         }

From 19ddaea35e19d98f131ba1664d0302bfbdfd8e78 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 5 Jul 2018 15:08:57 -0400
Subject: [PATCH 072/183] Throw error before we  execute a POST privilege call
 that won't work

---
 .../lib/privileges/equivalent_privileges.js   | 11 ------
 .../privileges/privilege_action_registry.js   | 12 +++++--
 .../privilege_action_registry.test.js         | 34 +++++++++++++------
 3 files changed, 33 insertions(+), 24 deletions(-)
 delete mode 100644 x-pack/plugins/security/server/lib/privileges/equivalent_privileges.js

diff --git a/x-pack/plugins/security/server/lib/privileges/equivalent_privileges.js b/x-pack/plugins/security/server/lib/privileges/equivalent_privileges.js
deleted file mode 100644
index 35e2fd12af6d71..00000000000000
--- a/x-pack/plugins/security/server/lib/privileges/equivalent_privileges.js
+++ /dev/null
@@ -1,11 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { isEqual } from 'lodash';
-
-export function equivalentPrivileges(p1, p2) {
-  return isEqual(p1, p2);
-}
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
index 3112265a9b928e..87ca2105ff1b06 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
@@ -4,9 +4,9 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { difference, isEqual } from 'lodash';
 import { buildPrivilegeMap } from './privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
-import { equivalentPrivileges } from './equivalent_privileges';
 
 export async function registerPrivilegesWithCluster(server) {
   const config = server.config();
@@ -26,11 +26,19 @@ export async function registerPrivilegesWithCluster(server) {
     // we only want to post the privileges when they're going to change as Elasticsearch has
     // to clear the role cache to get these changes reflected in the _has_privileges API
     const existingPrivileges = await callCluster(`shield.getPrivilege`, { privilege: application });
-    if (equivalentPrivileges(existingPrivileges, expectedPrivileges)) {
+    if (isEqual(existingPrivileges, expectedPrivileges)) {
       server.log(['security', 'debug'], `Kibana Privileges already registered with Elasticearch for ${application}`);
       return;
     }
 
+    // The ES privileges POST endpoint only allows us to add new privileges, or update specified privileges; it doesn't
+    // remove unspecified privileges. We don't currently have a need to remove privileges, as this would be a
+    // backwards compatibility issue, and we'd have to figure out how to migrate roles, so we're throwing an Error if we
+    // unintentionally get ourselves in this position.
+    if (difference(Object.keys(existingPrivileges[application]), Object.keys(expectedPrivileges[application])).length > 0) {
+      throw new Error(`Privileges are missing and can't be removed, currently.`);
+    }
+
     server.log(['security', 'debug'], `Updated Kibana Privileges with Elasticearch for ${application}`);
     await callCluster('shield.postPrivileges', {
       body: expectedPrivileges
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
index 59b354fc247712..bd2a1ee552e168 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
@@ -107,13 +107,15 @@ const registerPrivilegesWithClusterTest = (description, {
   };
 
   const createExpectErrorThrown = (mockServer, actualError) => {
-    return (expectedError) => {
-      expect(actualError).toBe(expectedError);
+    return (expectedErrorMessage) => {
+      expect(actualError).toBeDefined();
+      expect(actualError).toBeInstanceOf(Error);
+      expect(actualError.message).toEqual(expectedErrorMessage);
 
       const application = settings['xpack.security.rbac.application'] || defaultApplication;
       expect(mockServer.log).toHaveBeenCalledWith(
         ['security', 'error'],
-        `Error registering Kibana Privileges with Elasticsearch for ${application}: ${expectedError.message}`
+        `Error registering Kibana Privileges with Elasticsearch for ${application}: ${expectedErrorMessage}`
       );
     };
   };
@@ -182,13 +184,26 @@ registerPrivilegesWithClusterTest(`updates privileges when simple top-level priv
   }
 });
 
-registerPrivilegesWithClusterTest(`updates privileges when we have two different simple top-level privileges`, {
+registerPrivilegesWithClusterTest(`throws error when we have two different top-level privileges`, {
   expectedPrivileges: {
     notExpected: true
   },
   existingPrivileges: {
     expected: true
   },
+  assert: ({ expectErrorThrown }) => {
+    expectErrorThrown(`Privileges are missing and can't be removed, currently.`);
+  }
+});
+
+registerPrivilegesWithClusterTest(`updates privileges when we want to add a top-level privilege`, {
+  expectedPrivileges: {
+    expected: true,
+    new: false,
+  },
+  existingPrivileges: {
+    expected: true,
+  },
   assert: ({ expectUpdatedPrivileges }) => {
     expectUpdatedPrivileges();
   }
@@ -288,15 +303,13 @@ registerPrivilegesWithClusterTest(`doesn't update privileges when nested propert
   }
 });
 
-const gettingPrivilegesError = new Error('Error getting privileges');
 registerPrivilegesWithClusterTest(`throws and logs error when errors getting privileges`, {
-  throwErrorWhenGettingPrivileges: gettingPrivilegesError,
+  throwErrorWhenGettingPrivileges: new Error('Error getting privileges'),
   assert: ({ expectErrorThrown }) => {
-    expectErrorThrown(gettingPrivilegesError);
+    expectErrorThrown('Error getting privileges');
   }
 });
 
-const puttingPrivilegesError = new Error('Error putting privileges');
 registerPrivilegesWithClusterTest(`throws and logs error when errors putting privileges`, {
   expectedPrivileges: {
     kibana: {
@@ -310,9 +323,8 @@ registerPrivilegesWithClusterTest(`throws and logs error when errors putting pri
       bar: true
     }
   },
-  throwErrorWhenPuttingPrivileges: puttingPrivilegesError,
+  throwErrorWhenPuttingPrivileges: new Error('Error putting privileges'),
   assert: ({ expectErrorThrown }) => {
-    expectErrorThrown(puttingPrivilegesError);
+    expectErrorThrown('Error putting privileges');
   }
 });
-

From 1f4804122ee3678d7115a800c1b40af48875523b Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 5 Jul 2018 16:38:30 -0400
Subject: [PATCH 073/183] Resolving issue when initially registering privileges

---
 .../lib/privileges/privilege_action_registry.js   | 14 ++++++++++++--
 .../privileges/privilege_action_registry.test.js  | 15 +++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
index 87ca2105ff1b06..93166fe28dd096 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
@@ -4,16 +4,26 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { difference, isEqual } from 'lodash';
+import { difference, isEmpty, isEqual } from 'lodash';
 import { buildPrivilegeMap } from './privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
 
+
+
 export async function registerPrivilegesWithCluster(server) {
   const config = server.config();
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
   const savedObjectTypes = server.savedObjects.types;
 
+  const shouldRemovePrivileges = (existingPrivileges, expectedPrivileges) => {
+    if (isEmpty(existingPrivileges)) {
+      return false;
+    }
+
+    return difference(Object.keys(existingPrivileges[application]), Object.keys(expectedPrivileges[application])).length > 0;
+  };
+
   const expectedPrivileges = {
     [application]: buildPrivilegeMap(savedObjectTypes, application, kibanaVersion)
   };
@@ -35,7 +45,7 @@ export async function registerPrivilegesWithCluster(server) {
     // remove unspecified privileges. We don't currently have a need to remove privileges, as this would be a
     // backwards compatibility issue, and we'd have to figure out how to migrate roles, so we're throwing an Error if we
     // unintentionally get ourselves in this position.
-    if (difference(Object.keys(existingPrivileges[application]), Object.keys(expectedPrivileges[application])).length > 0) {
+    if (shouldRemovePrivileges(existingPrivileges, expectedPrivileges)) {
       throw new Error(`Privileges are missing and can't be removed, currently.`);
     }
 
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
index bd2a1ee552e168..c6e3428c563d01 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
+++ b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
@@ -128,6 +128,11 @@ const registerPrivilegesWithClusterTest = (description, {
           throw throwErrorWhenGettingPrivileges;
         }
 
+        // ES returns an empty object if we don't have any privileges
+        if (!existingPrivileges) {
+          return {};
+        }
+
         return {
           [defaultApplication]: existingPrivileges
         };
@@ -172,6 +177,16 @@ registerPrivilegesWithClusterTest(`passes saved object types, application and ki
   },
 });
 
+registerPrivilegesWithClusterTest(`inserts privileges when we don't have any existing privileges`, {
+  expectedPrivileges: {
+    expected: true
+  },
+  existingPrivileges: null,
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
 registerPrivilegesWithClusterTest(`updates privileges when simple top-level privileges values don't match`, {
   expectedPrivileges: {
     expected: true

From a1720afb8bb64f1599fd5328d401411b7fa3f2ff Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 5 Jul 2018 16:45:40 -0400
Subject: [PATCH 074/183] fix merge 'conflict'

---
 .../security/public/views/management/edit_role/index.js       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role/index.js b/x-pack/plugins/security/public/views/management/edit_role/index.js
index 8f373f966f2a14..bd166e16a658ed 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/index.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/index.js
@@ -60,8 +60,8 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
 
       return role.then(res => res.toJSON());
     },
-    kibanaApplicationPrivilege(ApplicationPrivilege, kbnUrl, Promise, Private) {
-      return ApplicationPrivilege.query().$promise
+    kibanaApplicationPrivilege(ApplicationPrivileges, kbnUrl, Promise, Private) {
+      return ApplicationPrivileges.query().$promise
         .then(privileges => privileges.map(p => p.toJSON()))
         .catch(checkLicenseError(kbnUrl, Promise, Private));
     },

From 98ea1b57783f0f78266c92c6dcaca88c4526353c Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Fri, 6 Jul 2018 16:29:28 -0400
Subject: [PATCH 075/183] Logging legacy fallback deprecation warning on login
 (#20493)

* Logging legacy fallback deprecation on login

* Consolidation the privileges/authorization folder

* Exposing rudimentary authorization service and fixing authenticate tests

* Moving authorization services configuration to initAuthorization

* Adding "actions" service exposed by the authorization

* Fixing misspelling

* Removing invalid and unused exports

* Adding note about only adding privileges

* Calling it initAuthorizationService

* Throwing explicit validation  error in actions.getSavedObjectAction

* Deep freezing authorization service

* Adding deepFreeze tests

* Checking privileges in one call and cleaning up tests
---
 x-pack/plugins/security/index.js              |  13 +-
 .../lib/__tests__/__fixtures__/server.js      |   8 +-
 .../__snapshots__/actions.test.js.snap        |  25 +
 .../check_privileges.test.js.snap             |   4 +-
 .../__snapshots__/init.test.js.snap           |   7 +
 .../server/lib/authorization/actions.js       |  26 +
 .../server/lib/authorization/actions.test.js  |  69 +++
 .../lib/authorization/check_privileges.js     | 121 ++--
 .../authorization/check_privileges.test.js    | 524 +++++++++---------
 .../server/lib/authorization/deep_freeze.js   |  20 +
 .../lib/authorization/deep_freeze.test.js     |  97 ++++
 .../server/lib/authorization/index.js         |  10 +
 .../security/server/lib/authorization/init.js |  22 +
 .../server/lib/authorization/init.test.js     |  64 +++
 .../server/lib/authorization/privileges.js    |  30 +
 .../register_privileges_with_cluster.js}      |   6 +-
 .../register_privileges_with_cluster.test.js} |  19 +-
 .../security/server/lib/privileges/index.js   |   8 -
 .../server/lib/privileges/privileges.js       |  43 --
 .../secure_saved_objects_client.js            |  18 +-
 .../secure_saved_objects_client.test.js       | 296 +++++-----
 .../routes/api/v1/__tests__/authenticate.js   |  68 ++-
 .../server/routes/api/v1/authenticate.js      |  10 +
 .../server/routes/api/v1/privileges.js        |   6 +-
 .../apis/saved_objects/bulk_get.js            |   2 +-
 .../apis/saved_objects/create.js              |   8 +-
 .../apis/saved_objects/delete.js              |  12 +-
 .../apis/saved_objects/find.js                |  16 +-
 .../apis/saved_objects/get.js                 |   2 +-
 .../apis/saved_objects/update.js              |  12 +-
 30 files changed, 988 insertions(+), 578 deletions(-)
 create mode 100644 x-pack/plugins/security/server/lib/authorization/__snapshots__/actions.test.js.snap
 create mode 100644 x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap
 create mode 100644 x-pack/plugins/security/server/lib/authorization/actions.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/actions.test.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/deep_freeze.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/deep_freeze.test.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/index.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/init.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/init.test.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/privileges.js
 rename x-pack/plugins/security/server/lib/{privileges/privilege_action_registry.js => authorization/register_privileges_with_cluster.js} (96%)
 rename x-pack/plugins/security/server/lib/{privileges/privilege_action_registry.test.js => authorization/register_privileges_with_cluster.test.js} (94%)
 delete mode 100644 x-pack/plugins/security/server/lib/privileges/index.js
 delete mode 100644 x-pack/plugins/security/server/lib/privileges/privileges.js

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 6bcaf4e7aec46f..0e521589ac1410 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -17,11 +17,10 @@ import { authenticateFactory } from './server/lib/auth_redirect';
 import { checkLicense } from './server/lib/check_license';
 import { initAuthenticator } from './server/lib/authentication/authenticator';
 import { initPrivilegesApi } from './server/routes/api/v1/privileges';
-import { checkPrivilegesWithRequestFactory } from './server/lib/authorization/check_privileges';
 import { SecurityAuditLogger } from './server/lib/audit_logger';
 import { AuditLogger } from '../../server/lib/audit_logger';
 import { SecureSavedObjectsClient } from './server/lib/saved_objects_client/secure_saved_objects_client';
-import { registerPrivilegesWithCluster } from './server/lib/privileges';
+import { initAuthorizationService, registerPrivilegesWithCluster } from './server/lib/authorization';
 import { watchStatusAndLicenseToInitialize } from './server/lib/watch_status_and_license_to_initialize';
 
 export const security = (kibana) => new kibana.Plugin({
@@ -114,9 +113,11 @@ export const security = (kibana) => new kibana.Plugin({
     server.auth.strategy('session', 'login', 'required');
 
     const auditLogger = new SecurityAuditLogger(server.config(), new AuditLogger(server, 'security'));
-    const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(server);
-    const { savedObjects } = server;
 
+    // exposes server.plugins.security.authorization
+    initAuthorizationService(server);
+
+    const { savedObjects } = server;
     savedObjects.setScopedSavedObjectsClientFactory(({
       request,
     }) => {
@@ -130,7 +131,8 @@ export const security = (kibana) => new kibana.Plugin({
         return new savedObjects.SavedObjectsClient(callWithRequestRepository);
       }
 
-      const checkPrivileges = checkPrivilegesWithRequest(request);
+      const { authorization } = server.plugins.security;
+      const checkPrivileges = authorization.checkPrivilegesWithRequest(request);
       const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
 
       return new SecureSavedObjectsClient({
@@ -140,6 +142,7 @@ export const security = (kibana) => new kibana.Plugin({
         checkPrivileges,
         auditLogger,
         savedObjectTypes: savedObjects.types,
+        actions: authorization.actions,
       });
     });
 
diff --git a/x-pack/plugins/security/server/lib/__tests__/__fixtures__/server.js b/x-pack/plugins/security/server/lib/__tests__/__fixtures__/server.js
index acc211eb0647ea..78a015bc141058 100644
--- a/x-pack/plugins/security/server/lib/__tests__/__fixtures__/server.js
+++ b/x-pack/plugins/security/server/lib/__tests__/__fixtures__/server.js
@@ -35,7 +35,13 @@ export function serverFixture() {
       security: {
         getUser: stub(),
         authenticate: stub(),
-        deauthenticate: stub()
+        deauthenticate: stub(),
+        authorization: {
+          checkPrivilegesWithRequest: stub(),
+          actions: {
+            login: 'stub-login-action',
+          },
+        },
       },
 
       xpack_main: {
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/actions.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/actions.test.js.snap
new file mode 100644
index 00000000000000..d65733feb37d46
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/actions.test.js.snap
@@ -0,0 +1,25 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`#getSavedObjectAction() action of "" throws error 1`] = `"action is required and must be a string"`;
+
+exports[`#getSavedObjectAction() action of {} throws error 1`] = `"action is required and must be a string"`;
+
+exports[`#getSavedObjectAction() action of 1 throws error 1`] = `"action is required and must be a string"`;
+
+exports[`#getSavedObjectAction() action of null throws error 1`] = `"action is required and must be a string"`;
+
+exports[`#getSavedObjectAction() action of true throws error 1`] = `"action is required and must be a string"`;
+
+exports[`#getSavedObjectAction() action of undefined throws error 1`] = `"action is required and must be a string"`;
+
+exports[`#getSavedObjectAction() type of "" throws error 1`] = `"type is required and must be a string"`;
+
+exports[`#getSavedObjectAction() type of {} throws error 1`] = `"type is required and must be a string"`;
+
+exports[`#getSavedObjectAction() type of 1 throws error 1`] = `"type is required and must be a string"`;
+
+exports[`#getSavedObjectAction() type of null throws error 1`] = `"type is required and must be a string"`;
+
+exports[`#getSavedObjectAction() type of true throws error 1`] = `"type is required and must be a string"`;
+
+exports[`#getSavedObjectAction() type of undefined throws error 1`] = `"type is required and must be a string"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
index e191d4b14b6f00..4c0c88a8f8313c 100644
--- a/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
@@ -1,3 +1,5 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`throws error if missing version privilege and has login privilege 1`] = `"Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user."`;
+exports[`with index privileges throws error if missing version privilege and has login privilege 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
+
+exports[`with no index privileges throws error if missing version privilege and has login privilege 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap
new file mode 100644
index 00000000000000..fd944032d2930f
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap
@@ -0,0 +1,7 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`deep freezes exposed service 1`] = `"Cannot delete property 'checkPrivilegesWithRequest' of #<Object>"`;
+
+exports[`deep freezes exposed service 2`] = `"Cannot add property foo, object is not extensible"`;
+
+exports[`deep freezes exposed service 3`] = `"Cannot assign to read only property 'login' of object '#<Object>'"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/actions.js b/x-pack/plugins/security/server/lib/authorization/actions.js
new file mode 100644
index 00000000000000..432698a003cb35
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/actions.js
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { isString } from 'lodash';
+
+export function actionsFactory(config) {
+  const kibanaVersion = config.get('pkg.version');
+
+  return {
+    getSavedObjectAction(type, action) {
+      if (!type || !isString(type)) {
+        throw new Error('type is required and must be a string');
+      }
+
+      if (!action || !isString(action)) {
+        throw new Error('action is required and must be a string');
+      }
+
+      return `action:saved_objects/${type}/${action}`;
+    },
+    login: `action:login`,
+    version: `version:${kibanaVersion}`,
+  };
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/actions.test.js b/x-pack/plugins/security/server/lib/authorization/actions.test.js
new file mode 100644
index 00000000000000..17834438e17814
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/actions.test.js
@@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { actionsFactory } from './actions';
+
+const createMockConfig = (settings = {}) => {
+  const mockConfig = {
+    get: jest.fn()
+  };
+
+  mockConfig.get.mockImplementation(key => settings[key]);
+
+  return mockConfig;
+};
+
+describe('#login', () => {
+  test('returns action:login', () => {
+    const mockConfig = createMockConfig();
+
+    const actions = actionsFactory(mockConfig);
+
+    expect(actions.login).toEqual('action:login');
+  });
+});
+
+describe('#version', () => {
+  test(`returns version:\${config.get('pkg.version')}`, () => {
+    const version = 'mock-version';
+    const mockConfig = createMockConfig({ 'pkg.version': version });
+
+    const actions = actionsFactory(mockConfig);
+
+    expect(actions.version).toEqual(`version:${version}`);
+  });
+});
+
+describe('#getSavedObjectAction()', () => {
+  test('uses type and action to build action', () => {
+    const mockConfig = createMockConfig();
+    const actions = actionsFactory(mockConfig);
+    const type = 'saved-object-type';
+    const action = 'saved-object-action';
+
+    const result = actions.getSavedObjectAction(type, action);
+
+    expect(result).toEqual(`action:saved_objects/${type}/${action}`);
+  });
+
+  [null, undefined, '', 1, true, {}].forEach(type => {
+    test(`type of ${JSON.stringify(type)} throws error`, () => {
+      const mockConfig = createMockConfig();
+      const actions = actionsFactory(mockConfig);
+
+      expect(() => actions.getSavedObjectAction(type, 'saved-object-action')).toThrowErrorMatchingSnapshot();
+    });
+  });
+
+  [null, undefined, '', 1, true, {}].forEach(action => {
+    test(`action of ${JSON.stringify(action)} throws error`, () => {
+      const mockConfig = createMockConfig();
+      const actions = actionsFactory(mockConfig);
+
+      expect(() => actions.getSavedObjectAction('saved-object-type', action)).toThrowErrorMatchingSnapshot();
+    });
+  });
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
index a84b1cecdac792..df8ee33ec29029 100644
--- a/x-pack/plugins/security/server/lib/authorization/check_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
@@ -4,103 +4,82 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { getClient } from '../../../../../server/lib/get_client_shield';
+import { uniq } from 'lodash';
 import { ALL_RESOURCE } from '../../../common/constants';
-import { getVersionAction, getLoginAction } from '../privileges';
 
 export const CHECK_PRIVILEGES_RESULT = {
-  UNAUTHORIZED: Symbol(),
-  AUTHORIZED: Symbol(),
-  LEGACY: Symbol(),
+  UNAUTHORIZED: Symbol('Unauthorized'),
+  AUTHORIZED: Symbol('Authorized'),
+  LEGACY: Symbol('Legacy'),
 };
 
-export function checkPrivilegesWithRequestFactory(server) {
-  const callWithRequest = getClient(server).callWithRequest;
+export function checkPrivilegesWithRequestFactory(shieldClient, config, actions) {
+  const { callWithRequest } = shieldClient;
 
-  const config = server.config();
-  const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
   const kibanaIndex = config.get('kibana.index');
 
-  const loginAction = getLoginAction();
-  const versionAction = getVersionAction(kibanaVersion);
+  const hasIncompatibileVersion = (applicationPrivilegesResponse) => {
+    return !applicationPrivilegesResponse[actions.version] && applicationPrivilegesResponse[actions.login];
+  };
 
-  return function checkPrivilegesWithRequest(request) {
+  const hasAllApplicationPrivileges = (applicationPrivilegesResponse) => {
+    return Object.values(applicationPrivilegesResponse).every(val => val === true);
+  };
 
-    const checkApplicationPrivileges = async (privileges) => {
-      const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
-        body: {
-          applications: [{
-            application,
-            resources: [ALL_RESOURCE],
-            privileges
-          }]
-        }
-      });
+  const hasNoApplicationPrivileges = (applicationPrivilegesResponse) => {
+    return Object.values(applicationPrivilegesResponse).every(val => val === false);
+  };
 
-      const hasPrivileges = privilegeCheck.application[application][ALL_RESOURCE];
+  const hasLegacyPrivileges = (indexPrivilegesResponse) => {
+    return Object.values(indexPrivilegesResponse).includes(true);
+  };
 
-      // We include the login action in all privileges, so the existence of it and not the version privilege
-      // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't
-      // know whether the user just wasn't authorized for this instance of Kibana in general
-      if (!hasPrivileges[getVersionAction(kibanaVersion)] && hasPrivileges[getLoginAction()]) {
-        throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
-      }
+  const determineResult = (applicationPrivilegesResponse, indexPrivilegesResponse) => {
+    if (hasAllApplicationPrivileges(applicationPrivilegesResponse)) {
+      return CHECK_PRIVILEGES_RESULT.AUTHORIZED;
+    }
 
-      return {
-        username: privilegeCheck.username,
-        hasAllRequested: privilegeCheck.has_all_requested,
-        privileges: hasPrivileges
-      };
-    };
+    if (hasNoApplicationPrivileges(applicationPrivilegesResponse) && hasLegacyPrivileges(indexPrivilegesResponse)) {
+      return CHECK_PRIVILEGES_RESULT.LEGACY;
+    }
 
-    const hasPrivilegesOnKibanaIndex = async () => {
-      const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
+    return CHECK_PRIVILEGES_RESULT.UNAUTHORIZED;
+  };
+
+  return function checkPrivilegesWithRequest(request) {
+
+    return async function checkPrivileges(privileges) {
+      const allApplicationPrivileges = uniq([actions.version, actions.login, ...privileges]);
+      const hasPrivilegesResponse = await callWithRequest(request, 'shield.hasPrivileges', {
         body: {
+          applications: [{
+            application,
+            resources: [ALL_RESOURCE],
+            privileges: allApplicationPrivileges
+          }],
           index: [{
             names: [kibanaIndex],
             privileges: ['create', 'delete', 'read', 'view_index_metadata']
-          }]
+          }],
         }
       });
 
-      return Object.values(privilegeCheck.index[kibanaIndex]).includes(true);
-    };
-
-    return async function checkPrivileges(privileges) {
-      const allPrivileges = [versionAction, loginAction, ...privileges];
-      const applicationPrivilegesCheck = await checkApplicationPrivileges(allPrivileges);
-
-      const username = applicationPrivilegesCheck.username;
-
-      // We don't want to expose the version privilege to consumers, as it's an implementation detail only to detect version mismatch
-      const missing = Object.keys(applicationPrivilegesCheck.privileges)
-        .filter(p => !applicationPrivilegesCheck.privileges[p])
-        .filter(p => p !== versionAction);
-
-      if (applicationPrivilegesCheck.hasAllRequested) {
-        return {
-          result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
-          username,
-          missing,
-        };
-      }
+      const applicationPrivilegesResponse = hasPrivilegesResponse.application[application][ALL_RESOURCE];
+      const indexPrivilegesResponse =  hasPrivilegesResponse.index[kibanaIndex];
 
-      if (!applicationPrivilegesCheck.privileges[loginAction] && await hasPrivilegesOnKibanaIndex()) {
-        const msg = 'Relying on index privileges is deprecated and will be removed in Kibana 7.0';
-        server.log(['warning', 'deprecated', 'security'], msg);
-
-        return {
-          result: CHECK_PRIVILEGES_RESULT.LEGACY,
-          username,
-          missing,
-        };
+      if (hasIncompatibileVersion(applicationPrivilegesResponse)) {
+        throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
       }
 
       return {
-        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-        username,
-        missing,
+        result: determineResult(applicationPrivilegesResponse, indexPrivilegesResponse),
+        username: hasPrivilegesResponse.username,
+
+        // we only return missing privileges that they're specifically checking for
+        missing: Object.keys(applicationPrivilegesResponse)
+          .filter(privilege => privileges.includes(privilege))
+          .filter(privilege => !applicationPrivilegesResponse[privilege])
       };
     };
   };
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
index 80d7ea6b2b5fd3..3c414665c8258d 100644
--- a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
@@ -4,26 +4,24 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { uniq } from 'lodash';
 import { checkPrivilegesWithRequestFactory, CHECK_PRIVILEGES_RESULT } from './check_privileges';
-import { getClient } from '../../../../../server/lib/get_client_shield';
-import { ALL_RESOURCE } from '../../../common/constants';
-import { getLoginAction, getVersionAction } from '../privileges';
 
-jest.mock('../../../../../server/lib/get_client_shield', () => ({
-  getClient: jest.fn()
-}));
+import { ALL_RESOURCE } from '../../../common/constants';
 
 const defaultVersion = 'default-version';
 const defaultApplication = 'default-application';
 const defaultKibanaIndex = 'default-index';
 const savedObjectTypes = ['foo-type', 'bar-type'];
 
-const createMockServer = ({ settings = {} } = {}) => {
-  const mockServer = {
-    config: jest.fn().mockReturnValue({
-      get: jest.fn()
-    }),
-    log: jest.fn()
+const mockActions = {
+  login: 'mock-action:login',
+  version: 'mock-action:version',
+};
+
+const createMockConfig = ({ settings = {} } = {}) => {
+  const mockConfig = {
+    get: jest.fn()
   };
 
   const defaultSettings = {
@@ -32,280 +30,302 @@ const createMockServer = ({ settings = {} } = {}) => {
     'kibana.index': defaultKibanaIndex,
   };
 
-  mockServer.config().get.mockImplementation(key => {
+  mockConfig.get.mockImplementation(key => {
     return key in settings ? settings[key] : defaultSettings[key];
   });
 
-  mockServer.savedObjects = {
-    types: savedObjectTypes
-  };
 
-  return mockServer;
+  return mockConfig;
 };
 
-const mockApplicationPrivilegeResponse = ({ hasAllRequested, privileges, application = defaultApplication, username = '' }) =>{
+const createMockShieldClient = (response) => {
+  const mockCallWithRequest = jest.fn();
+
+  mockCallWithRequest.mockImplementationOnce(async () => response);
+
   return {
-    username: username,
-    has_all_requested: hasAllRequested,
-    application: {
-      [application]: {
-        [ALL_RESOURCE]: privileges
-      }
-    }
+    callWithRequest: mockCallWithRequest,
   };
 };
 
-const mockKibanaIndexPrivilegesResponse = ({ privileges, index = defaultKibanaIndex }) => {
-  return {
-    index: {
-      [index]: privileges
+const checkPrivilegesTest = (
+  description, {
+    privileges,
+    applicationPrivilegesResponse,
+    indexPrivilegesResponse,
+    expectedResult,
+    expectErrorThrown,
+  }) => {
+
+  test(description, async () => {
+    const username = 'foo-username';
+    const mockConfig = createMockConfig();
+    const mockShieldClient = createMockShieldClient({
+      username,
+      application: {
+        [defaultApplication]: {
+          [ALL_RESOURCE]: applicationPrivilegesResponse
+        }
+      },
+      index: {
+        [defaultKibanaIndex]: indexPrivilegesResponse
+      },
+    });
+
+    const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockShieldClient, mockConfig, mockActions);
+    const request = Symbol();
+    const checkPrivileges = checkPrivilegesWithRequest(request);
+
+    let actualResult;
+    let errorThrown = null;
+    try {
+      actualResult = await checkPrivileges(privileges);
+    } catch (err) {
+      errorThrown = err;
     }
-  };
-};
 
-const createMockCallWithRequest = (responses) => {
-  const mockCallWithRequest = jest.fn();
-  getClient.mockReturnValue({
-    callWithRequest: mockCallWithRequest
-  });
 
-  for (const response of responses) {
-    mockCallWithRequest.mockImplementationOnce(async () => response);
-  }
+    expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+      body: {
+        applications: [{
+          application: defaultApplication,
+          resources: [ALL_RESOURCE],
+          privileges: uniq([
+            mockActions.version, mockActions.login, ...privileges
+          ])
+        }],
+        index: [{
+          names: [ defaultKibanaIndex ],
+          privileges: ['create', 'delete', 'read', 'view_index_metadata']
+        }],
+      }
+    });
 
-  return mockCallWithRequest;
-};
+    if (expectedResult) {
+      expect(errorThrown).toBeNull();
+      expect(actualResult).toEqual(expectedResult);
+    }
 
-const deprecationMessage = 'Relying on index privileges is deprecated and will be removed in Kibana 7.0';
-const expectNoDeprecationLogged = (mockServer) => {
-  expect(mockServer.log).not.toHaveBeenCalledWith(['warning', 'deprecated', 'security'], deprecationMessage);
-};
-const expectDeprecationLogged = (mockServer) => {
-  expect(mockServer.log).toHaveBeenCalledWith(['warning', 'deprecated', 'security'], deprecationMessage);
+    if (expectErrorThrown) {
+      expect(errorThrown).toMatchSnapshot();
+    }
+  });
 };
 
-test(`returns authorized if they have all application privileges`, async () => {
-  const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
-  const username = 'foo-username';
-  const mockServer = createMockServer();
-  const mockCallWithRequest = createMockCallWithRequest([
-    mockApplicationPrivilegeResponse({
-      hasAllRequested: true,
-      privileges: {
-        [getVersionAction(defaultVersion)]: true,
-        [getLoginAction()]: true,
-        [privilege]: true,
-      },
-      application: defaultApplication,
-      username,
-    })
-  ]);
-
-  const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockServer);
-  const request = Symbol();
-  const checkPrivileges = checkPrivilegesWithRequest(request);
-  const privileges = [privilege];
-  const result = await checkPrivileges(privileges);
-
-  expectNoDeprecationLogged(mockServer);
-  expect(mockCallWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-    body: {
-      applications: [{
-        application: defaultApplication,
-        resources: [ALL_RESOURCE],
-        privileges: [
-          getVersionAction(defaultVersion), getLoginAction(), ...privileges
-        ]
-      }]
+describe(`with no index privileges`, () => {
+  const indexPrivilegesResponse = {
+    create: false,
+    delete: false,
+    read: false,
+    view_index_metadata: false,
+  };
+
+  checkPrivilegesTest('returns authorized if they have all application privileges', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+      username: 'foo-username',
+      missing: [],
     }
   });
-  expect(result).toEqual({
-    result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
-    username,
-    missing: [],
+
+  checkPrivilegesTest('returns unauthorized and missing application action when checking missing application action', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`,
+      `action:saved_objects/${savedObjectTypes[0]}/create`,
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/create`]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username: 'foo-username',
+      missing: [`action:saved_objects/${savedObjectTypes[0]}/create`],
+    }
   });
-});
 
-test(`returns unauthorized they have only one application privilege`, async () => {
-  const privilege1 = `action:saved_objects/${savedObjectTypes[0]}/get`;
-  const privilege2 = `action:saved_objects/${savedObjectTypes[0]}/create`;
-  const username = 'foo-username';
-  const mockServer = createMockServer();
-  const mockCallWithRequest = createMockCallWithRequest([
-    mockApplicationPrivilegeResponse({
-      hasAllRequested: false,
-      privileges: {
-        [getVersionAction(defaultVersion)]: true,
-        [getLoginAction()]: true,
-        [privilege1]: true,
-        [privilege2]: false,
-      },
-      application: defaultApplication,
-      username,
-    })
-  ]);
-
-  const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockServer);
-  const request = Symbol();
-  const checkPrivileges = checkPrivilegesWithRequest(request);
-  const privileges = [privilege1, privilege2];
-  const result = await checkPrivileges(privileges);
-
-  expectNoDeprecationLogged(mockServer);
-  expect(mockCallWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-    body: {
-      applications: [{
-        application: defaultApplication,
-        resources: [ALL_RESOURCE],
-        privileges: [
-          getVersionAction(defaultVersion), getLoginAction(), ...privileges
-        ]
-      }]
+  checkPrivilegesTest('returns unauthorized and missing login when checking missing login action', {
+    username: 'foo-username',
+    privileges: [
+      mockActions.login
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: false,
+      [mockActions.version]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username: 'foo-username',
+      missing: [mockActions.login],
+    }
+  });
+
+  checkPrivilegesTest('returns unauthorized and missing version if checking missing version action', {
+    username: 'foo-username',
+    privileges: [
+      mockActions.version
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: false,
+      [mockActions.version]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username: 'foo-username',
+      missing: [mockActions.version],
     }
   });
-  expect(result).toEqual({
-    result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-    username,
-    missing: [privilege2],
+
+  checkPrivilegesTest('throws error if missing version privilege and has login privilege', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: true,
+      [mockActions.version]: false,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse,
+    expectErrorThrown: true
   });
 });
 
-test(`throws error if missing version privilege and has login privilege`, async () => {
-  const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
-  const mockServer = createMockServer();
-  createMockCallWithRequest([
-    mockApplicationPrivilegeResponse({
-      hasAllRequested: false,
-      privileges: {
-        [getVersionAction(defaultVersion)]: false,
-        [getLoginAction()]: true,
-        [privilege]: true,
-      }
-    })
-  ]);
+describe(`with index privileges`, () => {
+  const indexPrivilegesResponse = {
+    create: true,
+    delete: true,
+    read: true,
+    view_index_metadata: true,
+  };
 
-  const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockServer);
-  const checkPrivileges = checkPrivilegesWithRequest({});
+  checkPrivilegesTest('returns authorized if they have all application privileges', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+      username: 'foo-username',
+      missing: [],
+    }
+  });
 
-  await expect(checkPrivileges([privilege])).rejects.toThrowErrorMatchingSnapshot();
-  expectNoDeprecationLogged(mockServer);
-});
+  checkPrivilegesTest('returns unauthorized and missing application action when checking missing application action', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`,
+      `action:saved_objects/${savedObjectTypes[0]}/create`,
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/create`]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username: 'foo-username',
+      missing: [`action:saved_objects/${savedObjectTypes[0]}/create`],
+    }
+  });
 
-describe('legacy fallback with no application privileges', () => {
-  test(`returns unauthorized if they have no privileges on the kibana index`, async () => {
-    const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
-    const username = 'foo-username';
-    const mockServer = createMockServer();
-    const callWithRequest = createMockCallWithRequest([
-      mockApplicationPrivilegeResponse({
-        hasAllRequested: false,
-        privileges: {
-          [getVersionAction(defaultVersion)]: false,
-          [getLoginAction()]: false,
-          [privilege]: false,
-        },
-        username,
-      }),
-      mockKibanaIndexPrivilegesResponse({
-        privileges: {
-          create: false,
-          delete: false,
-          read: false,
-          view_index_metadata: false,
-        },
-      })
-    ]);
-
-    const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockServer);
-    const request = Symbol();
-    const checkPrivileges = checkPrivilegesWithRequest(request);
-    const privileges = [privilege];
-    const result = await checkPrivileges(privileges);
+  checkPrivilegesTest('returns legacy and missing login when checking missing login action', {
+    username: 'foo-username',
+    privileges: [
+      mockActions.login
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: false,
+      [mockActions.version]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
+      username: 'foo-username',
+      missing: [mockActions.login],
+    }
+  });
 
-    expectNoDeprecationLogged(mockServer);
-    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-      body: {
-        applications: [{
-          application: defaultApplication,
-          resources: [ALL_RESOURCE],
-          privileges: [
-            getVersionAction(defaultVersion), getLoginAction(), ...privileges
-          ]
-        }]
-      }
-    });
-    expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-      body: {
-        index: [{
-          names: [ defaultKibanaIndex ],
-          privileges: ['create', 'delete', 'read', 'view_index_metadata']
-        }]
-      }
-    });
-    expect(result).toEqual({
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-      username,
-      missing: [getLoginAction(), ...privileges],
-    });
+  checkPrivilegesTest('returns legacy and missing version if checking missing version action', {
+    username: 'foo-username',
+    privileges: [
+      mockActions.version
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: false,
+      [mockActions.version]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
+      username: 'foo-username',
+      missing: [mockActions.version],
+    }
   });
 
+  checkPrivilegesTest('throws error if missing version privilege and has login privilege', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: true,
+      [mockActions.version]: false,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse,
+    expectErrorThrown: true
+  });
+});
+
+describe('with no application privileges', () => {
   ['create', 'delete', 'read', 'view_index_metadata'].forEach(indexPrivilege => {
-    test(`returns legacy if they have ${indexPrivilege} privilege on the kibana index`, async () => {
-      const privilege = `action:saved_objects/${savedObjectTypes[0]}/get`;
-      const username = 'foo-username';
-      const mockServer = createMockServer();
-      const callWithRequest = createMockCallWithRequest([
-        mockApplicationPrivilegeResponse({
-          hasAllRequested: false,
-          privileges: {
-            [getVersionAction(defaultVersion)]: false,
-            [getLoginAction()]: false,
-            [privilege]: false,
-          },
-          username,
-        }),
-        mockKibanaIndexPrivilegesResponse({
-          privileges: {
-            create: false,
-            delete: false,
-            read: false,
-            view_index_metadata: false,
-            [indexPrivilege]: true
-          },
-        })
-      ]);
-
-      const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockServer);
-      const request = Symbol();
-      const checkPrivileges = checkPrivilegesWithRequest(request);
-      const privileges = [privilege];
-      const result = await checkPrivileges(privileges);
-
-      expectDeprecationLogged(mockServer);
-      expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-        body: {
-          applications: [{
-            application: defaultApplication,
-            resources: [ALL_RESOURCE],
-            privileges: [
-              getVersionAction(defaultVersion), getLoginAction(), ...privileges
-            ]
-          }]
-        }
-      });
-      expect(callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-        body: {
-          index: [{
-            names: [ defaultKibanaIndex ],
-            privileges: ['create', 'delete', 'read', 'view_index_metadata']
-          }]
-        }
-      });
-      expect(result).toEqual({
+    checkPrivilegesTest(`returns legacy if they have ${indexPrivilege} privilege on the kibana index`, {
+      username: 'foo-username',
+      privileges: [
+        `action:saved_objects/${savedObjectTypes[0]}/get`
+      ],
+      applicationPrivilegesResponse: {
+        [mockActions.version]: false,
+        [mockActions.login]: false,
+        [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+      },
+      indexPrivilegesResponse: {
+        create: false,
+        delete: false,
+        read: false,
+        view_index_metadata: false,
+        [indexPrivilege]: true
+      },
+      expectedResult: {
         result: CHECK_PRIVILEGES_RESULT.LEGACY,
-        username,
-        missing: [getLoginAction(), ...privileges],
-      });
+        username: 'foo-username',
+        missing: [`action:saved_objects/${savedObjectTypes[0]}/get`],
+      }
     });
   });
 });
diff --git a/x-pack/plugins/security/server/lib/authorization/deep_freeze.js b/x-pack/plugins/security/server/lib/authorization/deep_freeze.js
new file mode 100644
index 00000000000000..0f9363cb410f6c
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/deep_freeze.js
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { isObject } from 'lodash';
+
+export function deepFreeze(object) {
+  // for any properties that reference an object, makes sure that object is
+  // recursively frozen as well
+  Object.keys(object).forEach(key => {
+    const value = object[key];
+    if (isObject(value)) {
+      deepFreeze(value);
+    }
+  });
+
+  return Object.freeze(object);
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/deep_freeze.test.js b/x-pack/plugins/security/server/lib/authorization/deep_freeze.test.js
new file mode 100644
index 00000000000000..dd227fa6269bff
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/deep_freeze.test.js
@@ -0,0 +1,97 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { deepFreeze } from './deep_freeze';
+
+test(`freezes result and input`, () => {
+  const input = {};
+  const result = deepFreeze(input);
+
+  Object.isFrozen(input);
+  Object.isFrozen(result);
+});
+
+test(`freezes top-level properties that are objects`, () => {
+  const result = deepFreeze({
+    object: {},
+    array: [],
+    fn: () => {},
+    number: 1,
+    string: '',
+  });
+
+  Object.isFrozen(result.object);
+  Object.isFrozen(result.array);
+  Object.isFrozen(result.fn);
+  Object.isFrozen(result.number);
+  Object.isFrozen(result.string);
+});
+
+test(`freezes child properties that are objects`, () => {
+  const result = deepFreeze({
+    object: {
+      object: {
+      },
+      array: [],
+      fn: () => {},
+      number: 1,
+      string: '',
+    },
+    array: [
+      {},
+      [],
+      () => {},
+      1,
+      '',
+    ],
+  });
+
+  Object.isFrozen(result.object.object);
+  Object.isFrozen(result.object.array);
+  Object.isFrozen(result.object.fn);
+  Object.isFrozen(result.object.number);
+  Object.isFrozen(result.object.string);
+  Object.isFrozen(result.array[0]);
+  Object.isFrozen(result.array[1]);
+  Object.isFrozen(result.array[2]);
+  Object.isFrozen(result.array[3]);
+  Object.isFrozen(result.array[4]);
+});
+
+test(`freezes grand-child properties that are objects`, () => {
+  const result = deepFreeze({
+    object: {
+      object: {
+        object: {
+        },
+        array: [],
+        fn: () => {},
+        number: 1,
+        string: '',
+      },
+    },
+    array: [
+      [
+        {},
+        [],
+        () => {},
+        1,
+        '',
+      ],
+    ],
+  });
+
+  Object.isFrozen(result.object.object.object);
+  Object.isFrozen(result.object.object.array);
+  Object.isFrozen(result.object.object.fn);
+  Object.isFrozen(result.object.object.number);
+  Object.isFrozen(result.object.object.string);
+  Object.isFrozen(result.array[0][0]);
+  Object.isFrozen(result.array[0][1]);
+  Object.isFrozen(result.array[0][2]);
+  Object.isFrozen(result.array[0][3]);
+  Object.isFrozen(result.array[0][4]);
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/index.js b/x-pack/plugins/security/server/lib/authorization/index.js
new file mode 100644
index 00000000000000..e0029a3caeafd1
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/index.js
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { CHECK_PRIVILEGES_RESULT } from './check_privileges';
+export { registerPrivilegesWithCluster } from './register_privileges_with_cluster';
+export { buildPrivilegeMap } from './privileges';
+export { initAuthorizationService } from './init';
diff --git a/x-pack/plugins/security/server/lib/authorization/init.js b/x-pack/plugins/security/server/lib/authorization/init.js
new file mode 100644
index 00000000000000..27ca3f7e84b556
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/init.js
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { actionsFactory } from './actions';
+import { checkPrivilegesWithRequestFactory } from './check_privileges';
+import { deepFreeze } from './deep_freeze';
+import { getClient } from '../../../../../server/lib/get_client_shield';
+
+export function initAuthorizationService(server) {
+  const shieldClient = getClient(server);
+  const config = server.config();
+
+  const actions = actionsFactory(config);
+
+  server.expose('authorization', deepFreeze({
+    checkPrivilegesWithRequest: checkPrivilegesWithRequestFactory(shieldClient, config, actions),
+    actions
+  }));
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/init.test.js b/x-pack/plugins/security/server/lib/authorization/init.test.js
new file mode 100644
index 00000000000000..b72813809896f0
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/init.test.js
@@ -0,0 +1,64 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { initAuthorizationService } from './init';
+import { actionsFactory } from './actions';
+import { checkPrivilegesWithRequestFactory } from './check_privileges';
+import { getClient } from '../../../../../server/lib/get_client_shield';
+
+jest.mock('./check_privileges', () => ({
+  checkPrivilegesWithRequestFactory: jest.fn(),
+}));
+
+jest.mock('../../../../../server/lib/get_client_shield', () => ({
+  getClient: jest.fn(),
+}));
+
+jest.mock('./actions', () => ({
+  actionsFactory: jest.fn(),
+}));
+
+test(`calls server.expose with exposed services`, () => {
+  const mockConfig = Symbol();
+  const mockServer = {
+    expose: jest.fn(),
+    config: jest.fn().mockReturnValue(mockConfig)
+  };
+  const mockShieldClient = Symbol();
+  getClient.mockReturnValue(mockShieldClient);
+  const mockCheckPrivilegesWithRequest = Symbol();
+  checkPrivilegesWithRequestFactory.mockReturnValue(mockCheckPrivilegesWithRequest);
+  const mockActions = Symbol();
+  actionsFactory.mockReturnValue(mockActions);
+
+  initAuthorizationService(mockServer);
+
+  expect(getClient).toHaveBeenCalledWith(mockServer);
+  expect(actionsFactory).toHaveBeenCalledWith(mockConfig);
+  expect(checkPrivilegesWithRequestFactory).toHaveBeenCalledWith(mockShieldClient, mockConfig, mockActions);
+  expect(mockServer.expose).toHaveBeenCalledWith('authorization', {
+    checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+    actions: mockActions,
+  });
+});
+
+test(`deep freezes exposed service`, () => {
+  const mockConfig = Symbol();
+  const mockServer = {
+    expose: jest.fn(),
+    config: jest.fn().mockReturnValue(mockConfig)
+  };
+  actionsFactory.mockReturnValue({
+    login: 'login',
+  });
+
+  initAuthorizationService(mockServer);
+
+  const exposed = mockServer.expose.mock.calls[0][1];
+  expect(() => delete exposed.checkPrivilegesWithRequest).toThrowErrorMatchingSnapshot();
+  expect(() => exposed.foo = 'bar').toThrowErrorMatchingSnapshot();
+  expect(() => exposed.actions.login = 'not-login').toThrowErrorMatchingSnapshot();
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/privileges.js b/x-pack/plugins/security/server/lib/authorization/privileges.js
new file mode 100644
index 00000000000000..9ded71662ed51c
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/privileges.js
@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export function buildPrivilegeMap(savedObjectTypes, application, actions) {
+  const buildSavedObjectsActions = (savedObjectActions) => {
+    return savedObjectTypes
+      .map(type => savedObjectActions.map(savedObjectAction => actions.getSavedObjectAction(type, savedObjectAction)))
+      .reduce((acc, types) => [...acc, ...types], []);
+  };
+
+  // the following list of privileges should only be added to, you can safely remove actions, but not privileges as
+  // it's a backwards compatibility issue and we'll have to at least adjust registerPrivilegesWithCluster to support it
+  return {
+    all: {
+      application,
+      name: 'all',
+      actions: [actions.version, 'action:*'],
+      metadata: {}
+    },
+    read: {
+      application,
+      name: 'read',
+      actions: [actions.version, actions.login, ...buildSavedObjectsActions(['get', 'bulk_get', 'find'])],
+      metadata: {}
+    }
+  };
+}
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js
similarity index 96%
rename from x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
rename to x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js
index 93166fe28dd096..432d4647dc1ee7 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
+++ b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js
@@ -7,12 +7,14 @@
 import { difference, isEmpty, isEqual } from 'lodash';
 import { buildPrivilegeMap } from './privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
+import { actionsFactory } from './actions';
 
 
 
 export async function registerPrivilegesWithCluster(server) {
   const config = server.config();
-  const kibanaVersion = config.get('pkg.version');
+
+  const actions = actionsFactory(config);
   const application = config.get('xpack.security.rbac.application');
   const savedObjectTypes = server.savedObjects.types;
 
@@ -25,7 +27,7 @@ export async function registerPrivilegesWithCluster(server) {
   };
 
   const expectedPrivileges = {
-    [application]: buildPrivilegeMap(savedObjectTypes, application, kibanaVersion)
+    [application]: buildPrivilegeMap(savedObjectTypes, application, actions)
   };
 
   server.log(['security', 'debug'], `Registering Kibana Privileges with Elasticsearch for ${application}`);
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js
similarity index 94%
rename from x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
rename to x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js
index c6e3428c563d01..9e4f2fa237e7a8 100644
--- a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js
@@ -4,19 +4,24 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { registerPrivilegesWithCluster } from './privilege_action_registry';
+import { registerPrivilegesWithCluster } from './register_privileges_with_cluster';
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { buildPrivilegeMap } from './privileges';
+import { actionsFactory } from './actions';
 jest.mock('../../../../../server/lib/get_client_shield', () => ({
   getClient: jest.fn(),
 }));
 jest.mock('./privileges', () => ({
   buildPrivilegeMap: jest.fn(),
 }));
+jest.mock('./actions', () => ({
+  actionsFactory: jest.fn(),
+}));
 
 const registerPrivilegesWithClusterTest = (description, {
   settings = {},
   savedObjectTypes,
+  actions,
   expectedPrivileges,
   existingPrivileges,
   throwErrorWhenGettingPrivileges,
@@ -143,6 +148,7 @@ const registerPrivilegesWithClusterTest = (description, {
         }
       });
 
+    actionsFactory.mockReturnValue(actions);
     buildPrivilegeMap.mockReturnValue(expectedPrivileges);
 
     let error;
@@ -163,7 +169,7 @@ const registerPrivilegesWithClusterTest = (description, {
   });
 };
 
-registerPrivilegesWithClusterTest(`passes saved object types, application and kibanaVersion to buildPrivilegeMap`, {
+registerPrivilegesWithClusterTest(`passes saved object types, application and actions to buildPrivilegeMap`, {
   settings: {
     'pkg.version': 'foo-version',
     'xpack.security.rbac.application': 'foo-application',
@@ -172,8 +178,15 @@ registerPrivilegesWithClusterTest(`passes saved object types, application and ki
     'foo-type',
     'bar-type',
   ],
+  actions: {
+    login: 'mock-action:login',
+    version: 'mock-action:version',
+  },
   assert: ({ mocks }) => {
-    expect(mocks.buildPrivilegeMap).toHaveBeenCalledWith(['foo-type', 'bar-type'], 'foo-application', 'foo-version');
+    expect(mocks.buildPrivilegeMap).toHaveBeenCalledWith(['foo-type', 'bar-type'], 'foo-application', {
+      login: 'mock-action:login',
+      version: 'mock-action:version',
+    });
   },
 });
 
diff --git a/x-pack/plugins/security/server/lib/privileges/index.js b/x-pack/plugins/security/server/lib/privileges/index.js
deleted file mode 100644
index f888dffa922dd6..00000000000000
--- a/x-pack/plugins/security/server/lib/privileges/index.js
+++ /dev/null
@@ -1,8 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-export { registerPrivilegesWithCluster } from './privilege_action_registry';
-export { buildPrivilegeMap, getLoginAction, getVersionAction } from './privileges';
diff --git a/x-pack/plugins/security/server/lib/privileges/privileges.js b/x-pack/plugins/security/server/lib/privileges/privileges.js
deleted file mode 100644
index ea22f6e276594f..00000000000000
--- a/x-pack/plugins/security/server/lib/privileges/privileges.js
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-export function getVersionAction(kibanaVersion) {
-  return `version:${kibanaVersion}`;
-}
-
-export function getLoginAction() {
-  return `action:login`;
-}
-
-export function buildPrivilegeMap(savedObjectTypes, application, kibanaVersion) {
-  const readSavedObjectsActions = buildSavedObjectsReadActions(savedObjectTypes);
-
-  return {
-    all: {
-      application,
-      name: 'all',
-      actions: [getVersionAction(kibanaVersion), 'action:*'],
-      metadata: {}
-    },
-    read: {
-      application,
-      name: 'read',
-      actions: [getVersionAction(kibanaVersion), getLoginAction(), ...readSavedObjectsActions],
-      metadata: {}
-    }
-  };
-}
-
-function buildSavedObjectsReadActions(savedObjectTypes) {
-  const readActions = ['get', 'bulk_get', 'find'];
-  return buildSavedObjectsActions(savedObjectTypes, readActions);
-}
-
-function buildSavedObjectsActions(savedObjectTypes, actions) {
-  return savedObjectTypes
-    .map(type => actions.map(action => `action:saved_objects/${type}/${action}`))
-    .reduce((acc, types) => [...acc, ...types], []);
-}
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index 419a379f7d0239..eb19f59c296932 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -7,10 +7,6 @@
 import { get, uniq } from 'lodash';
 import { CHECK_PRIVILEGES_RESULT } from '../authorization/check_privileges';
 
-const getPrivilege = (type, action) => {
-  return `action:saved_objects/${type}/${action}`;
-};
-
 export class SecureSavedObjectsClient {
   constructor(options) {
     const {
@@ -20,6 +16,7 @@ export class SecureSavedObjectsClient {
       checkPrivileges,
       auditLogger,
       savedObjectTypes,
+      actions,
     } = options;
 
     this.errors = errors;
@@ -28,6 +25,7 @@ export class SecureSavedObjectsClient {
     this._checkPrivileges = checkPrivileges;
     this._auditLogger = auditLogger;
     this._savedObjectTypes = savedObjectTypes;
+    this._actions = actions;
   }
 
   async create(type, attributes = {}, options = {}) {
@@ -94,9 +92,9 @@ export class SecureSavedObjectsClient {
     );
   }
 
-  async _checkSavedObjectPrivileges(privileges) {
+  async _checkSavedObjectPrivileges(actions) {
     try {
-      return await this._checkPrivileges(privileges);
+      return await this._checkPrivileges(actions);
     } catch(error) {
       const { reason } = get(error, 'body.error', {});
       throw this.errors.decorateGeneralError(error, reason);
@@ -105,8 +103,8 @@ export class SecureSavedObjectsClient {
 
   async _execute(typeOrTypes, action, args, fn) {
     const types = Array.isArray(typeOrTypes) ? typeOrTypes : [typeOrTypes];
-    const privileges = types.map(type => getPrivilege(type, action));
-    const { result, username, missing } = await this._checkSavedObjectPrivileges(privileges);
+    const actions = types.map(type => this._actions.getSavedObjectAction(type, action));
+    const { result, username, missing } = await this._checkSavedObjectPrivileges(actions);
 
     switch (result) {
       case CHECK_PRIVILEGES_RESULT.AUTHORIZED:
@@ -116,7 +114,7 @@ export class SecureSavedObjectsClient {
         return await fn(this._callWithRequestRepository);
       case CHECK_PRIVILEGES_RESULT.UNAUTHORIZED:
         this._auditLogger.savedObjectsAuthorizationFailure(username, action, types, missing, args);
-        const msg = `Unable to ${action} ${types.sort().join(',')}, missing ${missing.sort().join(',')}`;
+        const msg = `Unable to ${action} ${[...types].sort().join(',')}, missing ${[...missing].sort().join(',')}`;
         throw this.errors.decorateForbiddenError(new Error(msg));
       default:
         throw new Error('Unexpected result from hasPrivileges');
@@ -128,7 +126,7 @@ export class SecureSavedObjectsClient {
 
     // we have to filter for only their authorized types
     const types = this._savedObjectTypes;
-    const typesToPrivilegesMap = new Map(types.map(type => [type, getPrivilege(type, action)]));
+    const typesToPrivilegesMap = new Map(types.map(type => [type, this._actions.getSavedObjectAction(type, action)]));
     const { result, username, missing } = await this._checkSavedObjectPrivileges(Array.from(typesToPrivilegesMap.values()));
 
     if (result === CHECK_PRIVILEGES_RESULT.LEGACY) {
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
index 5e1b1f71165246..99656772c0df79 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
@@ -26,6 +26,14 @@ const createMockAuditLogger = () => {
   };
 };
 
+const createMockActions = () => {
+  return {
+    getSavedObjectAction(type, action) {
+      return `mock-action:saved_objects/${type}/${action}`;
+    }
+  };
+};
+
 describe('#errors', () => {
   test(`assigns errors from constructor to .errors`, () => {
     const errors = Symbol();
@@ -44,15 +52,17 @@ describe('#create', () => {
       throw new Error();
     });
     const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: mockActions,
     });
 
     await expect(client.create(type)).rejects.toThrowError(mockErrors.generalError);
 
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/create`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'create')]);
     expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -62,31 +72,31 @@ describe('#create', () => {
     const type = 'foo';
     const username = Symbol();
     const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
       result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
-      missing: [
-        `action:saved_objects/${type}/create`
-      ],
+      missing: privileges,
     }));
     const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: mockActions,
     });
     const attributes = Symbol();
     const options = Symbol();
 
     await expect(client.create(type, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
 
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/create`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'create')]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
       username,
       'create',
       [type],
-      [`action:saved_objects/${type}/create`],
+      [mockActions.getSavedObjectAction(type, 'create')],
       {
         type,
         attributes,
@@ -112,6 +122,7 @@ describe('#create', () => {
       internalRepository: mockRepository,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: createMockActions(),
     });
     const attributes = Symbol();
     const options = Symbol();
@@ -135,18 +146,17 @@ describe('#create', () => {
     const mockRepository = {
       create: jest.fn().mockReturnValue(returnValue)
     };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
       result: CHECK_PRIVILEGES_RESULT.LEGACY,
       username,
-      missing: [
-        `action:saved_objects/${type}/create`
-      ],
+      missing: privileges,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       callWithRequestRepository: mockRepository,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: createMockActions(),
     });
     const attributes = Symbol();
     const options = Symbol();
@@ -168,15 +178,17 @@ describe('#bulkCreate', () => {
       throw new Error();
     });
     const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: mockActions,
     });
 
     await expect(client.bulkCreate([{ type }])).rejects.toThrowError(mockErrors.generalError);
 
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/bulk_create`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'bulk_create')]);
     expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -187,18 +199,20 @@ describe('#bulkCreate', () => {
     const type2 = 'bar';
     const username = Symbol();
     const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
       result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
       missing: [
-        `action:saved_objects/${type1}/bulk_create`
+        privileges[0]
       ],
     }));
     const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: mockActions,
     });
     const objects = [
       { type: type1 },
@@ -210,15 +224,15 @@ describe('#bulkCreate', () => {
     await expect(client.bulkCreate(objects, options)).rejects.toThrowError(mockErrors.forbiddenError);
 
     expect(mockCheckPrivileges).toHaveBeenCalledWith([
-      `action:saved_objects/${type1}/bulk_create`,
-      `action:saved_objects/${type2}/bulk_create`
+      mockActions.getSavedObjectAction(type1, 'bulk_create'),
+      mockActions.getSavedObjectAction(type2, 'bulk_create'),
     ]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
       username,
       'bulk_create',
-      [type2, type1],
-      [`action:saved_objects/${type1}/bulk_create`],
+      [type1, type2],
+      [mockActions.getSavedObjectAction(type1, 'bulk_create')],
       {
         objects,
         options,
@@ -243,6 +257,7 @@ describe('#bulkCreate', () => {
       internalRepository: mockRepository,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: createMockActions(),
     });
     const objects = [
       { type: type1, otherThing: 'sup' },
@@ -269,19 +284,17 @@ describe('#bulkCreate', () => {
     const mockRepository = {
       bulkCreate: jest.fn().mockReturnValue(returnValue)
     };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
       result: CHECK_PRIVILEGES_RESULT.LEGACY,
       username,
-      missing: [
-        `action:saved_objects/${type1}/bulk_create`,
-        `action:saved_objects/${type2}/bulk_create`,
-      ],
+      missing: privileges,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       callWithRequestRepository: mockRepository,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: createMockActions(),
     });
     const objects = [
       { type: type1, otherThing: 'sup' },
@@ -306,15 +319,17 @@ describe('#delete', () => {
       throw new Error();
     });
     const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: mockActions,
     });
 
     await expect(client.delete(type)).rejects.toThrowError(mockErrors.generalError);
 
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/delete`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'delete')]);
     expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -324,30 +339,30 @@ describe('#delete', () => {
     const type = 'foo';
     const username = Symbol();
     const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
       result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
-      missing: [
-        `action:saved_objects/${type}/delete`
-      ],
+      missing: privileges,
     }));
     const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: mockActions,
     });
     const id = Symbol();
 
     await expect(client.delete(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
 
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/delete`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'delete')]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
       username,
       'delete',
       [type],
-      [`action:saved_objects/${type}/delete`],
+      [mockActions.getSavedObjectAction(type, 'delete')],
       {
         type,
         id,
@@ -372,6 +387,7 @@ describe('#delete', () => {
       internalRepository: mockRepository,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: createMockActions(),
     });
     const id = Symbol();
 
@@ -393,18 +409,17 @@ describe('#delete', () => {
     const mockRepository = {
       delete: jest.fn().mockReturnValue(returnValue)
     };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
       result: CHECK_PRIVILEGES_RESULT.LEGACY,
       username,
-      missing: [
-        `action:saved_objects/${type}/delete`
-      ],
+      missing: privileges,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       callWithRequestRepository: mockRepository,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: createMockActions(),
     });
     const id = Symbol();
 
@@ -426,15 +441,17 @@ describe('#find', () => {
         throw new Error();
       });
       const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
         checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
+        actions: mockActions,
       });
 
       await expect(client.find({ type })).rejects.toThrowError(mockErrors.generalError);
 
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
       expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -445,31 +462,31 @@ describe('#find', () => {
       const username = Symbol();
       const mockRepository = {};
       const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
         result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
         username,
-        missing: [
-          `action:saved_objects/${type}/find`
-        ],
+        missing: privileges,
       }));
       const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
         internalRepository: mockRepository,
         checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
+        actions: mockActions,
       });
       const options = { type };
 
       await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
 
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
       expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
         username,
         'find',
         [type],
-        [`action:saved_objects/${type}/find`],
+        [mockActions.getSavedObjectAction(type, 'find')],
         {
           options
         }
@@ -482,69 +499,37 @@ describe('#find', () => {
       const type2 = 'bar';
       const username = Symbol();
       const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
-        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-        username,
-        missing: [
-          `action:saved_objects/${type1}/find`
-        ],
-      }));
-      const mockAuditLogger = createMockAuditLogger();
-      const client = new SecureSavedObjectsClient({
-        errors: mockErrors,
-        checkPrivileges: mockCheckPrivileges,
-        auditLogger: mockAuditLogger,
+      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => {
+        return {
+          result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+          username,
+          missing: [
+            privileges[0]
+          ],
+        };
       });
-      const options = { type: [ type1, type2 ] };
-
-      await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
-
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
-      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
-      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
-        username,
-        'find',
-        [type2, type1],
-        [`action:saved_objects/${type1}/find`],
-        {
-          options
-        }
-      );
-      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-    });
-
-    test(`throws decorated ForbiddenError when type's an array and unauthorized`, async () => {
-      const type1 = 'foo';
-      const type2 = 'bar';
-      const username = Symbol();
-      const mockRepository = {};
-      const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
-        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-        username,
-        missing: [
-          `action:saved_objects/${type1}/find`,
-          `action:saved_objects/${type2}/find`
-        ],
-      }));
       const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
-        repository: mockRepository,
         checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
+        actions: mockActions,
       });
       const options = { type: [ type1, type2 ] };
 
       await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
 
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([
+        mockActions.getSavedObjectAction(type1, 'find'),
+        mockActions.getSavedObjectAction(type2, 'find')
+      ]);
       expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
         username,
         'find',
-        [type2, type1],
-        [`action:saved_objects/${type2}/find`, `action:saved_objects/${type1}/find`],
+        [type1, type2],
+        [mockActions.getSavedObjectAction(type1, 'find')],
         {
           options
         }
@@ -568,6 +553,7 @@ describe('#find', () => {
         internalRepository: mockRepository,
         checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
+        actions: createMockActions(),
       });
       const options = { type };
 
@@ -588,18 +574,17 @@ describe('#find', () => {
       const mockRepository = {
         find: jest.fn().mockReturnValue(returnValue)
       };
-      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
         result: CHECK_PRIVILEGES_RESULT.LEGACY,
         username,
-        missing: [
-          `action:saved_objects/${type}/find`
-        ],
+        missing: privileges,
       }));
       const mockAuditLogger = createMockAuditLogger();
       const client = new SecureSavedObjectsClient({
         callWithRequestRepository: mockRepository,
         checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
+        actions: createMockActions(),
       });
       const options = { type };
 
@@ -622,17 +607,22 @@ describe('#find', () => {
         throw new Error();
       });
       const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
         repository: mockRepository,
         checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
-        savedObjectTypes: [type1, type2]
+        savedObjectTypes: [type1, type2],
+        actions: mockActions,
       });
 
       await expect(client.find()).rejects.toThrowError(mockErrors.generalError);
 
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([
+        mockActions.getSavedObjectAction(type1, 'find'),
+        mockActions.getSavedObjectAction(type2, 'find'),
+      ]);
       expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -643,32 +633,34 @@ describe('#find', () => {
       const username = Symbol();
       const mockRepository = {};
       const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
         result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
         username,
         missing: [
-          `action:saved_objects/${type}/find`
+          privileges[0]
         ],
       }));
       const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
         repository: mockRepository,
         checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
-        savedObjectTypes: [type]
+        savedObjectTypes: [type],
+        actions: mockActions,
       });
       const options = Symbol();
 
       await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
 
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
       expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
         username,
         'find',
         [type],
-        [`action:saved_objects/${type}/find`],
+        [mockActions.getSavedObjectAction(type, 'find')],
         {
           options
         }
@@ -684,27 +676,27 @@ describe('#find', () => {
         find: jest.fn().mockReturnValue(returnValue)
       };
       const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
         result: CHECK_PRIVILEGES_RESULT.LEGACY,
         username,
-        missing: [
-          `action:saved_objects/${type}/find`
-        ],
+        missing: privileges,
       }));
       const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
         callWithRequestRepository: mockRepository,
         checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
-        savedObjectTypes: [type]
+        savedObjectTypes: [type],
+        actions: mockActions,
       });
       const options = Symbol();
 
       const result = await client.find(options);
 
       expect(result).toBe(returnValue);
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
       expect(mockRepository.find).toHaveBeenCalledWith(options);
       expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -717,24 +709,29 @@ describe('#find', () => {
         find: jest.fn(),
       };
       const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
         result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
         missing: [
-          `action:saved_objects/${type1}/find`
+          privileges[0]
         ]
       }));
       const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
       const client = new SecureSavedObjectsClient({
         errors: mockErrors,
         internalRepository: mockRepository,
         checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
-        savedObjectTypes: [type1, type2]
+        savedObjectTypes: [type1, type2],
+        actions: mockActions,
       });
 
       await client.find();
 
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/find`, `action:saved_objects/${type2}/find`]);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([
+        mockActions.getSavedObjectAction(type1, 'find'),
+        mockActions.getSavedObjectAction(type2, 'find'),
+      ]);
       expect(mockRepository.find).toHaveBeenCalledWith(expect.objectContaining({
         type: [type2]
       }));
@@ -757,7 +754,8 @@ describe('#find', () => {
         internalRepository: mockRepository,
         checkPrivileges: mockCheckPrivileges,
         auditLogger: mockAuditLogger,
-        savedObjectTypes: [type]
+        savedObjectTypes: [type],
+        actions: createMockActions(),
       });
       const options = Symbol();
 
@@ -781,15 +779,17 @@ describe('#bulkGet', () => {
       throw new Error();
     });
     const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: mockActions,
     });
 
     await expect(client.bulkGet([{ type }])).rejects.toThrowError(mockErrors.generalError);
 
-    expect(mockCheckPrivileges).toHaveBeenCalledWith(['action:saved_objects/foo/bulk_get']);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'bulk_get')]);
     expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -800,18 +800,20 @@ describe('#bulkGet', () => {
     const type2 = 'bar';
     const username = Symbol();
     const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
       result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
       missing: [
-        `action:saved_objects/${type1}/bulk_get`
+        privileges[0]
       ],
     }));
     const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: mockActions,
     });
     const objects = [
       { type: type1 },
@@ -821,13 +823,16 @@ describe('#bulkGet', () => {
 
     await expect(client.bulkGet(objects)).rejects.toThrowError(mockErrors.forbiddenError);
 
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type1}/bulk_get`, `action:saved_objects/${type2}/bulk_get`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([
+      mockActions.getSavedObjectAction(type1, 'bulk_get'),
+      mockActions.getSavedObjectAction(type2, 'bulk_get'),
+    ]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
       username,
       'bulk_get',
-      [type2, type1],
-      [`action:saved_objects/${type1}/bulk_get`],
+      [type1, type2],
+      [mockActions.getSavedObjectAction(type1, 'bulk_get')],
       {
         objects
       }
@@ -852,6 +857,7 @@ describe('#bulkGet', () => {
       internalRepository: mockRepository,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: createMockActions(),
     });
     const objects = [
       { type: type1, id: 'foo-id' },
@@ -876,19 +882,17 @@ describe('#bulkGet', () => {
     const mockRepository = {
       bulkGet: jest.fn().mockReturnValue(returnValue)
     };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
       result: CHECK_PRIVILEGES_RESULT.LEGACY,
       username,
-      missing: [
-        `action:saved_objects/${type1}/bulk_get`,
-        `action:saved_objects/${type2}/bulk_get`
-      ],
+      missing: privileges,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       callWithRequestRepository: mockRepository,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: createMockActions(),
     });
     const objects = [
       { type: type1, id: 'foo-id' },
@@ -912,15 +916,17 @@ describe('#get', () => {
       throw new Error();
     });
     const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: mockActions,
     });
 
     await expect(client.get(type)).rejects.toThrowError(mockErrors.generalError);
 
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/get`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'get')]);
     expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -930,30 +936,30 @@ describe('#get', () => {
     const type = 'foo';
     const username = Symbol();
     const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
       result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
-      missing: [
-        `action:saved_objects/${type}/get`
-      ],
+      missing: privileges,
     }));
     const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: mockActions,
     });
     const id = Symbol();
 
     await expect(client.get(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
 
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/get`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'get')]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
       username,
       'get',
       [type],
-      [`action:saved_objects/${type}/get`],
+      [mockActions.getSavedObjectAction(type, 'get')],
       {
         type,
         id,
@@ -978,6 +984,7 @@ describe('#get', () => {
       internalRepository: mockRepository,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: createMockActions(),
     });
     const id = Symbol();
 
@@ -999,18 +1006,17 @@ describe('#get', () => {
     const mockRepository = {
       get: jest.fn().mockReturnValue(returnValue)
     };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
       result: CHECK_PRIVILEGES_RESULT.LEGACY,
       username,
-      missing: [
-        `action:saved_objects/${type}/get`
-      ],
+      missing: privileges,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       callWithRequestRepository: mockRepository,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: createMockActions(),
     });
     const id = Symbol();
 
@@ -1031,15 +1037,17 @@ describe('#update', () => {
       throw new Error();
     });
     const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: mockActions,
     });
 
     await expect(client.update(type)).rejects.toThrowError(mockErrors.generalError);
 
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/update`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'update')]);
     expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -1049,18 +1057,18 @@ describe('#update', () => {
     const type = 'foo';
     const username = Symbol();
     const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
       result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
       username,
-      missing: [
-        'action:saved_objects/foo/update'
-      ],
+      missing: privileges,
     }));
     const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
     const client = new SecureSavedObjectsClient({
       errors: mockErrors,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: mockActions,
     });
     const id = Symbol();
     const attributes = Symbol();
@@ -1068,13 +1076,13 @@ describe('#update', () => {
 
     await expect(client.update(type, id, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
 
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([`action:saved_objects/${type}/update`]);
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'update')]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
       username,
       'update',
       [type],
-      [`action:saved_objects/${type}/update`],
+      [mockActions.getSavedObjectAction(type, 'update')],
       {
         type,
         id,
@@ -1101,6 +1109,7 @@ describe('#update', () => {
       internalRepository: mockRepository,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: createMockActions(),
     });
     const id = Symbol();
     const attributes = Symbol();
@@ -1126,18 +1135,17 @@ describe('#update', () => {
     const mockRepository = {
       update: jest.fn().mockReturnValue(returnValue)
     };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
       result: CHECK_PRIVILEGES_RESULT.LEGACY,
       username,
-      missing: [
-        'action:saved_objects/foo/update'
-      ],
+      missing: privileges,
     }));
     const mockAuditLogger = createMockAuditLogger();
     const client = new SecureSavedObjectsClient({
       callWithRequestRepository: mockRepository,
       checkPrivileges: mockCheckPrivileges,
       auditLogger: mockAuditLogger,
+      actions: createMockActions(),
     });
     const id = Symbol();
     const attributes = Symbol();
diff --git a/x-pack/plugins/security/server/routes/api/v1/__tests__/authenticate.js b/x-pack/plugins/security/server/routes/api/v1/__tests__/authenticate.js
index 0e4bcbf2f6a066..7604f4eff7b85d 100644
--- a/x-pack/plugins/security/server/routes/api/v1/__tests__/authenticate.js
+++ b/x-pack/plugins/security/server/routes/api/v1/__tests__/authenticate.js
@@ -15,6 +15,7 @@ import { AuthenticationResult } from '../../../../../server/lib/authentication/a
 import { BasicCredentials } from '../../../../../server/lib/authentication/providers/basic';
 import { initAuthenticateApi } from '../authenticate';
 import { DeauthenticationResult } from '../../../../lib/authentication/deauthentication_result';
+import { CHECK_PRIVILEGES_RESULT } from '../../../../lib/authorization';
 
 describe('Authentication routes', () => {
   let serverStub;
@@ -33,6 +34,7 @@ describe('Authentication routes', () => {
     let loginRoute;
     let request;
     let authenticateStub;
+    let checkPrivilegesWithRequestStub;
 
     beforeEach(() => {
       loginRoute = serverStub.route
@@ -48,6 +50,7 @@ describe('Authentication routes', () => {
       authenticateStub = serverStub.plugins.security.authenticate.withArgs(
         sinon.match(BasicCredentials.decorateRequest({ headers: {} }, 'user', 'password'))
       );
+      checkPrivilegesWithRequestStub = serverStub.plugins.security.authorization.checkPrivilegesWithRequest;
     });
 
     it('correctly defines route.', async () => {
@@ -124,18 +127,65 @@ describe('Authentication routes', () => {
       );
     });
 
-    it('returns user data if authentication succeed.', async () => {
-      const user = { username: 'user' };
-      authenticateStub.returns(
-        Promise.resolve(AuthenticationResult.succeeded(user))
-      );
+    describe('authentication succeeds', () => {
+      const getDeprecationMessage = username =>
+        `${username} relies on index privileges on the Kibana index. This is deprecated and will be removed in Kibana 7.0`;
 
-      await loginRoute.handler(request, replyStub);
+      it(`returns user data and doesn't log deprecation warning if checkPrivileges result is authorized.`, async () => {
+        const user = { username: 'user' };
+        authenticateStub.returns(
+          Promise.resolve(AuthenticationResult.succeeded(user))
+        );
+        const checkPrivilegesStub = sinon.stub().returns({ result: CHECK_PRIVILEGES_RESULT.AUTHORIZED });
+        checkPrivilegesWithRequestStub.returns(checkPrivilegesStub);
 
-      sinon.assert.notCalled(replyStub);
-      sinon.assert.calledOnce(replyStub.continue);
-      sinon.assert.calledWithExactly(replyStub.continue, { credentials: user });
+        await loginRoute.handler(request, replyStub);
+
+        sinon.assert.calledWithExactly(checkPrivilegesWithRequestStub, request);
+        sinon.assert.calledWithExactly(checkPrivilegesStub, [serverStub.plugins.security.authorization.actions.login]);
+        sinon.assert.neverCalledWith(serverStub.log, ['warning', 'deprecated', 'security'], getDeprecationMessage(user.username));
+        sinon.assert.notCalled(replyStub);
+        sinon.assert.calledOnce(replyStub.continue);
+        sinon.assert.calledWithExactly(replyStub.continue, { credentials: user });
+      });
+
+      it(`returns user data and logs deprecation warning if checkPrivileges result is legacy.`, async () => {
+        const user = { username: 'user' };
+        authenticateStub.returns(
+          Promise.resolve(AuthenticationResult.succeeded(user))
+        );
+        const checkPrivilegesStub = sinon.stub().returns({ result: CHECK_PRIVILEGES_RESULT.LEGACY });
+        checkPrivilegesWithRequestStub.returns(checkPrivilegesStub);
+
+        await loginRoute.handler(request, replyStub);
+
+        sinon.assert.calledWithExactly(checkPrivilegesWithRequestStub, request);
+        sinon.assert.calledWithExactly(checkPrivilegesStub, [serverStub.plugins.security.authorization.actions.login]);
+        sinon.assert.calledWith(serverStub.log, ['warning', 'deprecated', 'security'], getDeprecationMessage(user.username));
+        sinon.assert.notCalled(replyStub);
+        sinon.assert.calledOnce(replyStub.continue);
+        sinon.assert.calledWithExactly(replyStub.continue, { credentials: user });
+      });
+
+      it(`returns user data and doesn't log deprecation warning if checkPrivileges result is unauthorized.`, async () => {
+        const user = { username: 'user' };
+        authenticateStub.returns(
+          Promise.resolve(AuthenticationResult.succeeded(user))
+        );
+        const checkPrivilegesStub = sinon.stub().returns({ result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED });
+        checkPrivilegesWithRequestStub.returns(checkPrivilegesStub);
+
+        await loginRoute.handler(request, replyStub);
+
+        sinon.assert.calledWithExactly(checkPrivilegesWithRequestStub, request);
+        sinon.assert.calledWithExactly(checkPrivilegesStub, [serverStub.plugins.security.authorization.actions.login]);
+        sinon.assert.neverCalledWith(serverStub.log, ['warning', 'deprecated', 'security'], getDeprecationMessage(user.username));
+        sinon.assert.notCalled(replyStub);
+        sinon.assert.calledOnce(replyStub.continue);
+        sinon.assert.calledWithExactly(replyStub.continue, { credentials: user });
+      });
     });
+
   });
 
   describe('logout', () => {
diff --git a/x-pack/plugins/security/server/routes/api/v1/authenticate.js b/x-pack/plugins/security/server/routes/api/v1/authenticate.js
index 9697774bfe8919..4b5d847b724b21 100644
--- a/x-pack/plugins/security/server/routes/api/v1/authenticate.js
+++ b/x-pack/plugins/security/server/routes/api/v1/authenticate.js
@@ -9,8 +9,10 @@ import Joi from 'joi';
 import { wrapError } from '../../../lib/errors';
 import { BasicCredentials } from '../../../../server/lib/authentication/providers/basic';
 import { canRedirectRequest } from '../../../lib/can_redirect_request';
+import { CHECK_PRIVILEGES_RESULT } from '../../../../server/lib/authorization';
 
 export function initAuthenticateApi(server) {
+
   server.route({
     method: 'POST',
     path: '/api/security/v1/login',
@@ -35,6 +37,14 @@ export function initAuthenticateApi(server) {
           return reply(Boom.unauthorized(authenticationResult.error));
         }
 
+        const { authorization } = server.plugins.security;
+        const checkPrivileges = authorization.checkPrivilegesWithRequest(request);
+        const privilegeCheck = await checkPrivileges([authorization.actions.login]);
+        if (privilegeCheck.result === CHECK_PRIVILEGES_RESULT.LEGACY) {
+          const msg = `${username} relies on index privileges on the Kibana index. This is deprecated and will be removed in Kibana 7.0`;
+          server.log(['warning', 'deprecated', 'security'], msg);
+        }
+
         return reply.continue({ credentials: authenticationResult.user });
       } catch(err) {
         return reply(wrapError(err));
diff --git a/x-pack/plugins/security/server/routes/api/v1/privileges.js b/x-pack/plugins/security/server/routes/api/v1/privileges.js
index e3c830bf176885..375f6879972701 100644
--- a/x-pack/plugins/security/server/routes/api/v1/privileges.js
+++ b/x-pack/plugins/security/server/routes/api/v1/privileges.js
@@ -4,11 +4,11 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { buildPrivilegeMap } from '../../../lib/privileges/privileges';
+import { buildPrivilegeMap } from '../../../lib/authorization';
 
 export function initPrivilegesApi(server) {
   const config = server.config();
-  const kibanaVersion = config.get('pkg.version');
+  const { authorization } = server.plugins.security;
   const application = config.get('xpack.security.rbac.application');
   const savedObjectTypes = server.savedObjects.types;
 
@@ -20,7 +20,7 @@ export function initPrivilegesApi(server) {
       // in Elasticsearch because our current thinking is that we'll associate additional structure/metadata
       // with our view of them to allow users to more efficiently edit privileges for roles, and serialize it
       // into a different structure for enforcement within Elasticsearch
-      const privileges = buildPrivilegeMap(savedObjectTypes, application, kibanaVersion);
+      const privileges = buildPrivilegeMap(savedObjectTypes, application, authorization.actions);
       reply(Object.values(privileges));
     }
   });
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
index 6089aec5d89d02..a89f2b23f8f72e 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
@@ -70,7 +70,7 @@ export default function ({ getService }) {
 
     const expectRbacForbidden = resp => {
       //eslint-disable-next-line max-len
-      const missingActions = `action:login,action:saved_objects/config/bulk_get,action:saved_objects/dashboard/bulk_get,action:saved_objects/visualization/bulk_get`;
+      const missingActions = `action:saved_objects/config/bulk_get,action:saved_objects/dashboard/bulk_get,action:saved_objects/visualization/bulk_get`;
       expect(resp.body).to.eql({
         statusCode: 403,
         error: 'Forbidden',
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/create.js b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
index cff5da3502838c..0a37bf5a47a382 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
@@ -29,11 +29,11 @@ export default function ({ getService }) {
       });
     };
 
-    const createExpectRbacForbidden = canLogin => resp => {
+    const expectRbacForbidden = resp => {
       expect(resp.body).to.eql({
         statusCode: 403,
         error: 'Forbidden',
-        message: `Unable to create visualization, missing ${canLogin ? '' : 'action:login,'}action:saved_objects/visualization/create`
+        message: `Unable to create visualization, missing action:saved_objects/visualization/create`
       });
     };
 
@@ -73,7 +73,7 @@ export default function ({ getService }) {
       tests: {
         default: {
           statusCode: 403,
-          response: createExpectRbacForbidden(false),
+          response: expectRbacForbidden,
         },
       }
     });
@@ -138,7 +138,7 @@ export default function ({ getService }) {
       tests: {
         default: {
           statusCode: 403,
-          response: createExpectRbacForbidden(true),
+          response: expectRbacForbidden,
         },
       }
     });
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
index b75ab5342c6baa..f1f693046f74be 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
@@ -25,11 +25,11 @@ export default function ({ getService }) {
       });
     };
 
-    const createExpectRbacForbidden = canLogin => resp => {
+    const expectRbacForbidden = resp => {
       expect(resp.body).to.eql({
         statusCode: 403,
         error: 'Forbidden',
-        message: `Unable to delete dashboard, missing ${canLogin ? '' : 'action:login,'}action:saved_objects/dashboard/delete`
+        message: `Unable to delete dashboard, missing action:saved_objects/dashboard/delete`
       });
     };
 
@@ -73,11 +73,11 @@ export default function ({ getService }) {
       tests: {
         actualId: {
           statusCode: 403,
-          response: createExpectRbacForbidden(false),
+          response: expectRbacForbidden,
         },
         invalidId: {
           statusCode: 403,
-          response: createExpectRbacForbidden(false),
+          response: expectRbacForbidden,
         }
       }
     });
@@ -158,11 +158,11 @@ export default function ({ getService }) {
       tests: {
         actualId: {
           statusCode: 403,
-          response: createExpectRbacForbidden(true),
+          response: expectRbacForbidden,
         },
         invalidId: {
           statusCode: 403,
-          response: createExpectRbacForbidden(true),
+          response: expectRbacForbidden,
         }
       }
     });
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
index 0498021e5daae2..26e43bba21cf05 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
@@ -122,11 +122,11 @@ export default function ({ getService }) {
       });
     };
 
-    const createExpectRbacForbidden = (canLogin, type) => resp => {
+    const createExpectRbacForbidden = (type) => resp => {
       expect(resp.body).to.eql({
         statusCode: 403,
         error: 'Forbidden',
-        message: `Unable to find ${type}, missing ${canLogin ? '' : 'action:login,'}action:saved_objects/${type}/find`
+        message: `Unable to find ${type}, missing action:saved_objects/${type}/find`
       });
     };
 
@@ -202,22 +202,22 @@ export default function ({ getService }) {
         normal: {
           description: 'forbidden login and find visualization message',
           statusCode: 403,
-          response: createExpectRbacForbidden(false, 'visualization'),
+          response: createExpectRbacForbidden('visualization'),
         },
         unknownType: {
           description: 'forbidden login and find wigwags message',
           statusCode: 403,
-          response: createExpectRbacForbidden(false, 'wigwags'),
+          response: createExpectRbacForbidden('wigwags'),
         },
         pageBeyondTotal: {
           description: 'forbidden login and find visualization message',
           statusCode: 403,
-          response: createExpectRbacForbidden(false, 'visualization'),
+          response: createExpectRbacForbidden('visualization'),
         },
         unknownSearchField: {
           description: 'forbidden login and find wigwags message',
           statusCode: 403,
-          response: createExpectRbacForbidden(false, 'wigwags'),
+          response: createExpectRbacForbidden('wigwags'),
         },
         noType: {
           description: `forbidded can't find any types`,
@@ -377,7 +377,7 @@ export default function ({ getService }) {
         unknownType: {
           description: 'forbidden find wigwags message',
           statusCode: 403,
-          response: createExpectRbacForbidden(true, 'wigwags'),
+          response: createExpectRbacForbidden('wigwags'),
         },
         pageBeyondTotal: {
           description: 'empty result',
@@ -387,7 +387,7 @@ export default function ({ getService }) {
         unknownSearchField: {
           description: 'forbidden find wigwags message',
           statusCode: 403,
-          response: createExpectRbacForbidden(true, 'wigwags'),
+          response: createExpectRbacForbidden('wigwags'),
         },
         noType: {
           description: 'all objects',
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
index ac7cc6b70f50a8..23c3c0b5aaa35c 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
@@ -43,7 +43,7 @@ export default function ({ getService }) {
       expect(resp.body).to.eql({
         statusCode: 403,
         error: 'Forbidden',
-        message: `Unable to get visualization, missing action:login,action:saved_objects/visualization/get`
+        message: `Unable to get visualization, missing action:saved_objects/visualization/get`
       });
     };
 
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
index edcec1ffb61246..4b50600ba60c16 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
@@ -38,11 +38,11 @@ export default function ({ getService }) {
       });
     };
 
-    const createExpectRbacForbidden = canLogin => resp => {
+    const expectRbacForbidden = resp => {
       expect(resp.body).to.eql({
         statusCode: 403,
         error: 'Forbidden',
-        message: `Unable to update visualization, missing ${canLogin ? '' : 'action:login,'}action:saved_objects/visualization/update`
+        message: `Unable to update visualization, missing action:saved_objects/visualization/update`
       });
     };
 
@@ -97,11 +97,11 @@ export default function ({ getService }) {
       tests: {
         exists: {
           statusCode: 403,
-          response: createExpectRbacForbidden(false),
+          response: expectRbacForbidden,
         },
         doesntExist: {
           statusCode: 403,
-          response: createExpectRbacForbidden(false),
+          response: expectRbacForbidden,
         },
       }
     });
@@ -182,11 +182,11 @@ export default function ({ getService }) {
       tests: {
         exists: {
           statusCode: 403,
-          response: createExpectRbacForbidden(true),
+          response: expectRbacForbidden,
         },
         doesntExist: {
           statusCode: 403,
-          response: createExpectRbacForbidden(true),
+          response: expectRbacForbidden,
         },
       }
     });

From 3c872341d718bfb12561f20b51dccf1f85eb930b Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 9 Jul 2018 09:43:27 -0400
Subject: [PATCH 076/183] improve space selector in left nav

---
 .../spaces/public/lib/spaces_manager.js       |  9 ++-
 .../components/delete_spaces_button.js        |  7 +-
 .../edit_space/manage_space_page.js           |  3 +
 .../public/views/management/page_routes.js    | 11 +--
 .../spaces_grid/spaces_grid_page.js           |  2 +
 .../public/views/nav_control/nav_control.js   | 16 ++++-
 .../views/nav_control/nav_control_modal.js    | 69 ++++++++++++++++---
 .../spaces/server/lib/get_active_space.js     | 57 +++++++++------
 8 files changed, 135 insertions(+), 39 deletions(-)

diff --git a/x-pack/plugins/spaces/public/lib/spaces_manager.js b/x-pack/plugins/spaces/public/lib/spaces_manager.js
index 77b1ea9b514caf..475f8c1b03b722 100644
--- a/x-pack/plugins/spaces/public/lib/spaces_manager.js
+++ b/x-pack/plugins/spaces/public/lib/spaces_manager.js
@@ -4,8 +4,11 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export class SpacesManager {
+import { EventEmitter } from 'events';
+
+export class SpacesManager extends EventEmitter {
   constructor(httpAgent, chrome) {
+    super();
     this._httpAgent = httpAgent;
     this._baseUrl = chrome.addBasePath(`/api/spaces/v1`);
   }
@@ -35,4 +38,8 @@ export class SpacesManager {
     return await this._httpAgent
       .delete(`${this._baseUrl}/space/${space.id}`);
   }
+
+  async requestRefresh() {
+    this.emit('request_refresh');
+  }
 }
diff --git a/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js b/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js
index bfd38f1749dd83..6cb6d596a19964 100644
--- a/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js
+++ b/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js
@@ -61,7 +61,8 @@ export class DeleteSpacesButton extends Component {
   deleteSpaces = () => {
     const {
       spacesManager,
-      spaces
+      spaces,
+      spacesNavState,
     } = this.props;
 
     const deleteOperations = spaces.map(space => spacesManager.deleteSpace(space));
@@ -81,6 +82,9 @@ export class DeleteSpacesButton extends Component {
         if (this.props.onDelete) {
           this.props.onDelete();
         }
+
+        spacesNavState.refreshSpacesList();
+
       })
       .catch(error => {
         const {
@@ -95,5 +99,6 @@ export class DeleteSpacesButton extends Component {
 DeleteSpacesButton.propTypes = {
   spaces: PropTypes.array.isRequired,
   spacesManager: PropTypes.object.isRequired,
+  spacesNavState: PropTypes.object.isRequired,
   onDelete: PropTypes.func
 };
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
index e1eb2de37e69fa..10e7c4040b76ad 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
@@ -193,6 +193,7 @@ export class ManageSpacePage extends Component {
           <DeleteSpacesButton
             spaces={[this.state.space]}
             spacesManager={this.props.spacesManager}
+            spacesNavState={this.props.spacesNavState}
             onDelete={this.backToSpacesList}
           />
         </EuiFlexItem>
@@ -290,6 +291,7 @@ export class ManageSpacePage extends Component {
 
       action
         .then(result => {
+          this.props.spacesNavState.refreshSpacesList();
           toastNotifications.addSuccess(`Saved '${result.data.name}'`);
           window.location.hash = `#/management/spaces/list`;
         })
@@ -393,5 +395,6 @@ export class ManageSpacePage extends Component {
 ManageSpacePage.propTypes = {
   space: PropTypes.string,
   spacesManager: PropTypes.object,
+  spacesNavState: PropTypes.object.isRequired,
   breadcrumbs: PropTypes.array.isRequired,
 };
diff --git a/x-pack/plugins/spaces/public/views/management/page_routes.js b/x-pack/plugins/spaces/public/views/management/page_routes.js
index e037ec46923c8f..4367d2b9282a6e 100644
--- a/x-pack/plugins/spaces/public/views/management/page_routes.js
+++ b/x-pack/plugins/spaces/public/views/management/page_routes.js
@@ -20,7 +20,7 @@ const reactRootNodeId = 'manageSpacesReactRoot';
 
 routes.when('/management/spaces/list', {
   template,
-  controller: function ($scope, $http, chrome) {
+  controller: function ($scope, $http, chrome, spacesNavState) {
     const domNode = document.getElementById(reactRootNodeId);
 
     const spacesManager = new SpacesManager($http, chrome);
@@ -28,6 +28,7 @@ routes.when('/management/spaces/list', {
     render(<SpacesGridPage
       breadcrumbs={routes.getBreadcrumbs()}
       spacesManager={spacesManager}
+      spacesNavState={spacesNavState}
     />, domNode);
 
     // unmount react on controller destroy
@@ -39,7 +40,7 @@ routes.when('/management/spaces/list', {
 
 routes.when('/management/spaces/create', {
   template,
-  controller: function ($scope,  $http, chrome) {
+  controller: function ($scope, $http, chrome, spacesNavState) {
     const domNode = document.getElementById(reactRootNodeId);
 
     const spacesManager = new SpacesManager($http, chrome);
@@ -47,6 +48,7 @@ routes.when('/management/spaces/create', {
     render(<ManageSpacePage
       breadcrumbs={routes.getBreadcrumbs()}
       spacesManager={spacesManager}
+      spacesNavState={spacesNavState}
     />, domNode);
 
     // unmount react on controller destroy
@@ -62,7 +64,7 @@ routes.when('/management/spaces/edit', {
 
 routes.when('/management/spaces/edit/:space', {
   template,
-  controller: function ($scope, $http, $route, chrome) {
+  controller: function ($scope, $http, $route, chrome, spacesNavState) {
     const domNode = document.getElementById(reactRootNodeId);
 
     const { space } = $route.current.params;
@@ -75,6 +77,7 @@ routes.when('/management/spaces/edit/:space', {
       chrome={chrome}
       breadcrumbs={transformBreadcrumbs(routes.getBreadcrumbs())}
       spacesManager={spacesManager}
+      spacesNavState={spacesNavState}
     />, domNode);
 
     // unmount react on controller destroy
@@ -86,4 +89,4 @@ routes.when('/management/spaces/edit/:space', {
 
 function transformBreadcrumbs(routeBreadcrumbs) {
   return routeBreadcrumbs.filter(b => b.id !== 'edit');
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
index a039864aff3949..bb68e235053fea 100644
--- a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
+++ b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
@@ -70,6 +70,7 @@ export class SpacesGridPage extends Component {
         <DeleteSpacesButton
           spaces={this.state.selectedSpaces}
           spacesManager={this.props.spacesManager}
+          spacesNavState={this.props.spacesNavState}
           onDelete={this.loadGrid}
         />
       );
@@ -140,5 +141,6 @@ export class SpacesGridPage extends Component {
 
 SpacesGridPage.propTypes = {
   spacesManager: PropTypes.object.isRequired,
+  spacesNavState: PropTypes.object.isRequired,
   breadcrumbs: PropTypes.array.isRequired,
 };
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
index 74be5a7f627dd5..4011fc47fc7dc6 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
@@ -21,12 +21,14 @@ chromeNavControlsRegistry.register(constant({
   template
 }));
 
-const module = uiModules.get('spaces', ['kibana']);
+const module = uiModules.get('spaces_nav', ['kibana']);
+
+let spacesManager;
 
 module.controller('spacesNavController', ($scope, $http, chrome, activeSpace) => {
   const domNode = document.getElementById(`spacesNavReactRoot`);
 
-  const spacesManager = new SpacesManager($http, chrome);
+  spacesManager = new SpacesManager($http, chrome);
 
   render(<NavControlModal spacesManager={spacesManager} activeSpace={activeSpace} />, domNode);
 
@@ -36,3 +38,13 @@ module.controller('spacesNavController', ($scope, $http, chrome, activeSpace) =>
   });
 
 });
+
+module.service('spacesNavState', () => {
+  return {
+    refreshSpacesList: () => {
+      if (spacesManager) {
+        spacesManager.requestRefresh();
+      }
+    }
+  };
+});
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
index 8de5ded601092e..5157621d2727e3 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
@@ -4,15 +4,18 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { Component } from 'react';
+import React, { Component, Fragment } from 'react';
 import PropTypes from 'prop-types';
 import {
+  EuiCallOut,
+  EuiText,
   EuiModal,
   EuiModalHeader,
   EuiModalHeaderTitle,
   EuiModalBody,
   EuiOverlayMask,
   EuiAvatar,
+  EuiSpacer,
 } from '@elastic/eui';
 import { SpaceCards, SpaceAvatar } from '../components';
 import { Notifier } from 'ui/notify';
@@ -21,6 +24,7 @@ export class NavControlModal extends Component {
   state = {
     isOpen: false,
     loading: false,
+    activeSpaceExists: true,
     spaces: []
   };
 
@@ -28,7 +32,8 @@ export class NavControlModal extends Component {
 
   async loadSpaces() {
     const {
-      spacesManager
+      spacesManager,
+      activeSpace,
     } = this.props;
 
     this.setState({
@@ -36,8 +41,16 @@ export class NavControlModal extends Component {
     });
 
     const spaces = await spacesManager.getSpaces();
+
+    let activeSpaceExists = this.state.activeSpaceExists;
+    if (activeSpace.valid) {
+      activeSpaceExists = !!spaces.find(space => space.id === this.props.activeSpace.space.id);
+    }
+
     this.setState({
       spaces,
+      activeSpaceExists,
+      isOpen: this.state.isOpen || !activeSpaceExists,
       loading: false
     });
   }
@@ -53,6 +66,14 @@ export class NavControlModal extends Component {
         this.notifier.error(error.message);
       }
     }
+
+    this.loadSpaces();
+
+    if (this.props.spacesManager) {
+      this.props.spacesManager.on('request_refresh', () => {
+        this.loadSpaces();
+      });
+    }
   }
 
   render() {
@@ -60,14 +81,7 @@ export class NavControlModal extends Component {
     if (this.state.isOpen) {
       modal = (
         <EuiOverlayMask>
-          <EuiModal onClose={this.closePortal} className={'selectSpaceModal'}>
-            <EuiModalHeader>
-              <EuiModalHeaderTitle>Select a space</EuiModalHeaderTitle>
-            </EuiModalHeader>
-            <EuiModalBody>
-              <SpaceCards spaces={this.state.spaces} />
-            </EuiModalBody>
-          </EuiModal>
+          {this.getActivePortal()}
         </EuiOverlayMask>
       );
     }
@@ -86,6 +100,11 @@ export class NavControlModal extends Component {
       return null;
     }
 
+    // 0 or 1 spaces are available. Either either way, there is no need to render a space selection button
+    if (this.state.spaces.length < 2) {
+      return null;
+    }
+
     if (activeSpace.valid && activeSpace.space) {
       return this.getButton(
         <SpaceAvatar space={activeSpace.space} size={'s'} className={'spaceNavGraphic'} />,
@@ -112,6 +131,36 @@ export class NavControlModal extends Component {
     );
   };
 
+  getActivePortal = () => {
+    let callout;
+
+    if (!this.state.activeSpaceExists) {
+      callout = (
+        <Fragment>
+          <EuiCallOut title={'Your space is no longer available'}>
+            <EuiText>
+              Please choose a new Space to continue using Kibana
+            </EuiText>
+          </EuiCallOut>
+          <EuiSpacer />
+        </Fragment>
+      );
+
+    }
+
+    return (
+      <EuiModal onClose={this.closePortal} className={'selectSpaceModal'}>
+        <EuiModalHeader>
+          <EuiModalHeaderTitle>Select a space</EuiModalHeaderTitle>
+        </EuiModalHeader>
+        <EuiModalBody>
+          {callout}
+          <SpaceCards spaces={this.state.spaces} />
+        </EuiModalBody>
+      </EuiModal>
+    );
+  }
+
   togglePortal = () => {
     const isOpening = !this.state.isOpen;
     if (isOpening) {
diff --git a/x-pack/plugins/spaces/server/lib/get_active_space.js b/x-pack/plugins/spaces/server/lib/get_active_space.js
index 7fb7821e752741..c57957b1a6f938 100644
--- a/x-pack/plugins/spaces/server/lib/get_active_space.js
+++ b/x-pack/plugins/spaces/server/lib/get_active_space.js
@@ -7,45 +7,60 @@
 import Boom from 'boom';
 import { wrapError } from './errors';
 import { getSpaceUrlContext } from '../../common/spaces_url_parser';
+import { DEFAULT_SPACE_ID } from '../../common/constants';
 
 export async function getActiveSpace(savedObjectsClient, basePath) {
   const spaceContext = getSpaceUrlContext(basePath);
 
-  if (!spaceContext) {
-    return null;
-  }
+  let space;
 
-  let spaces;
   try {
-    const {
-      saved_objects: savedObjects
-    } = await savedObjectsClient.find({
-      type: 'space',
-      search: `"${spaceContext}"`,
-      search_fields: ['urlContext'],
-    });
-
-    spaces = savedObjects || [];
-  } catch(e) {
+    if (spaceContext) {
+      space = await getSpaceByUrlContext(savedObjectsClient, spaceContext);
+    } else {
+      space = await getDefaultSpace(savedObjectsClient);
+    }
+  }
+  catch (e) {
     throw wrapError(e);
   }
 
-  if (spaces.length === 0) {
+  if (!space) {
     throw Boom.notFound(
       `The Space you requested could not be found. Please select a different Space to continue.`
     );
   }
 
-  if (spaces.length > 1) {
-    const spaceNames = spaces.map(s => s.attributes.name).join(', ');
+  return {
+    id: space.id,
+    ...space.attributes
+  };
+}
+
+async function getDefaultSpace(savedObjectsClient) {
+  return savedObjectsClient.get('space', DEFAULT_SPACE_ID);
+}
+
+async function getSpaceByUrlContext(savedObjectsClient, urlContext) {
+  const {
+    saved_objects: savedObjects
+  } = await savedObjectsClient.find({
+    type: 'space',
+    search: `"${urlContext}"`,
+    search_fields: ['urlContext'],
+  });
+
+  if (savedObjects.length === 0) {
+    return null;
+  }
+
+  if (savedObjects.length > 1) {
+    const spaceNames = savedObjects.map(s => s.attributes.name).join(', ');
 
     throw Boom.badRequest(
       `Multiple Spaces share this URL Context: (${spaceNames}). Please correct this in the Management Section.`
     );
   }
 
-  return {
-    id: spaces[0].id,
-    ...spaces[0].attributes
-  };
+  return savedObjects[0];
 }

From 7cef6061ab9deeb016f047d3fb7da774d6f8d546 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Tue, 10 Jul 2018 11:06:38 -0400
Subject: [PATCH 077/183] Deriving application from Kibana index (#20614)

* Specifying the application on the "authorization service"

* Moving watchStatusAndLicenseToInitialize to be below initAuthorizationService

* Using short-hand propery assignment
---
 x-pack/plugins/security/index.js              | 19 ++++----
 .../server/lib/__tests__/validate_config.js   | 16 -------
 .../__snapshots__/init.test.js.snap           |  2 +
 .../lib/authorization/check_privileges.js     |  3 +-
 .../authorization/check_privileges.test.js    |  9 ++--
 .../security/server/lib/authorization/init.js |  6 ++-
 .../server/lib/authorization/init.test.js     | 27 +++++++++--
 .../register_privileges_with_cluster.js       | 10 ++--
 .../register_privileges_with_cluster.test.js  | 47 +++++++++----------
 .../security/server/lib/validate_config.js    |  8 ----
 .../server/routes/api/v1/privileges.js        |  4 +-
 .../apis/privileges/index.js                  |  4 +-
 .../apis/saved_objects/index.js               |  5 +-
 13 files changed, 74 insertions(+), 86 deletions(-)

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 0e521589ac1410..8e0c5ad68c64c7 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -76,10 +76,11 @@ export const security = (kibana) => new kibana.Plugin({
     injectDefaultVars: function (server) {
       const config = server.config();
 
+      const { authorization } = server.plugins.security;
       return {
         secureCookies: config.get('xpack.security.secureCookies'),
         sessionTimeout: config.get('xpack.security.sessionTimeout'),
-        rbacApplication: config.get('xpack.security.rbac.application'),
+        rbacApplication: authorization.application,
       };
     }
   },
@@ -97,12 +98,6 @@ export const security = (kibana) => new kibana.Plugin({
     // to re-compute the license check results for this plugin
     xpackInfoFeature.registerLicenseCheckResultsGenerator(checkLicense);
 
-    watchStatusAndLicenseToInitialize(xpackMainPlugin, plugin, async (license) => {
-      if (license.allowRbac) {
-        await registerPrivilegesWithCluster(server);
-      }
-    });
-
     validateConfig(config, message => server.log(['security', 'warning'], message));
 
     // Create a Hapi auth scheme that should be applied to each request.
@@ -112,11 +107,17 @@ export const security = (kibana) => new kibana.Plugin({
     // automatically assigned to all routes that don't contain an auth config.
     server.auth.strategy('session', 'login', 'required');
 
-    const auditLogger = new SecurityAuditLogger(server.config(), new AuditLogger(server, 'security'));
-
     // exposes server.plugins.security.authorization
     initAuthorizationService(server);
 
+    watchStatusAndLicenseToInitialize(xpackMainPlugin, plugin, async (license) => {
+      if (license.allowRbac) {
+        await registerPrivilegesWithCluster(server);
+      }
+    });
+
+    const auditLogger = new SecurityAuditLogger(server.config(), new AuditLogger(server, 'security'));
+
     const { savedObjects } = server;
     savedObjects.setScopedSavedObjectsClientFactory(({
       request,
diff --git a/x-pack/plugins/security/server/lib/__tests__/validate_config.js b/x-pack/plugins/security/server/lib/__tests__/validate_config.js
index e8ba58cf23aec3..26d84f6f5559b4 100644
--- a/x-pack/plugins/security/server/lib/__tests__/validate_config.js
+++ b/x-pack/plugins/security/server/lib/__tests__/validate_config.js
@@ -75,20 +75,4 @@ describe('Validate config', function () {
     sinon.assert.calledWith(config.set, 'xpack.security.secureCookies', true);
     sinon.assert.notCalled(log);
   });
-
-  it('should throw error if xpack.security.rbac.application is the default when kibana.index is set', function () {
-    // other valid keys that we need
-    config.get.withArgs('server.ssl.key').returns('foo');
-    config.get.withArgs('server.ssl.certificate').returns('bar');
-    config.get.withArgs('xpack.security.encryptionKey').returns(validKey);
-
-    config.get.withArgs('kibana.index').returns('notDefaultIndex');
-    config.get.withArgs('xpack.security.rbac.application').returns('defaultApplication');
-    config.getDefault.withArgs('kibana.index').returns('defaultIndex');
-    config.getDefault.withArgs('xpack.security.rbac.application').returns('defaultApplication');
-
-    expect(() => validateConfig(config, log)).to.throwError();
-
-    sinon.assert.notCalled(log);
-  });
 });
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap
index fd944032d2930f..c65b0d2d6ae391 100644
--- a/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap
@@ -5,3 +5,5 @@ exports[`deep freezes exposed service 1`] = `"Cannot delete property 'checkPrivi
 exports[`deep freezes exposed service 2`] = `"Cannot add property foo, object is not extensible"`;
 
 exports[`deep freezes exposed service 3`] = `"Cannot assign to read only property 'login' of object '#<Object>'"`;
+
+exports[`deep freezes exposed service 4`] = `"Cannot assign to read only property 'application' of object '#<Object>'"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
index df8ee33ec29029..594966e5b3e4ef 100644
--- a/x-pack/plugins/security/server/lib/authorization/check_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
@@ -13,10 +13,9 @@ export const CHECK_PRIVILEGES_RESULT = {
   LEGACY: Symbol('Legacy'),
 };
 
-export function checkPrivilegesWithRequestFactory(shieldClient, config, actions) {
+export function checkPrivilegesWithRequestFactory(shieldClient, config, actions, application) {
   const { callWithRequest } = shieldClient;
 
-  const application = config.get('xpack.security.rbac.application');
   const kibanaIndex = config.get('kibana.index');
 
   const hasIncompatibileVersion = (applicationPrivilegesResponse) => {
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
index 3c414665c8258d..edf3b42d11c28f 100644
--- a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
@@ -9,8 +9,8 @@ import { checkPrivilegesWithRequestFactory, CHECK_PRIVILEGES_RESULT } from './ch
 
 import { ALL_RESOURCE } from '../../../common/constants';
 
+const application = 'kibana-our_application';
 const defaultVersion = 'default-version';
-const defaultApplication = 'default-application';
 const defaultKibanaIndex = 'default-index';
 const savedObjectTypes = ['foo-type', 'bar-type'];
 
@@ -26,7 +26,6 @@ const createMockConfig = ({ settings = {} } = {}) => {
 
   const defaultSettings = {
     'pkg.version': defaultVersion,
-    'xpack.security.rbac.application': defaultApplication,
     'kibana.index': defaultKibanaIndex,
   };
 
@@ -63,7 +62,7 @@ const checkPrivilegesTest = (
     const mockShieldClient = createMockShieldClient({
       username,
       application: {
-        [defaultApplication]: {
+        [application]: {
           [ALL_RESOURCE]: applicationPrivilegesResponse
         }
       },
@@ -72,7 +71,7 @@ const checkPrivilegesTest = (
       },
     });
 
-    const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockShieldClient, mockConfig, mockActions);
+    const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockShieldClient, mockConfig, mockActions, application);
     const request = Symbol();
     const checkPrivileges = checkPrivilegesWithRequest(request);
 
@@ -88,7 +87,7 @@ const checkPrivilegesTest = (
     expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
       body: {
         applications: [{
-          application: defaultApplication,
+          application,
           resources: [ALL_RESOURCE],
           privileges: uniq([
             mockActions.version, mockActions.login, ...privileges
diff --git a/x-pack/plugins/security/server/lib/authorization/init.js b/x-pack/plugins/security/server/lib/authorization/init.js
index 27ca3f7e84b556..f99bf6d25d26fe 100644
--- a/x-pack/plugins/security/server/lib/authorization/init.js
+++ b/x-pack/plugins/security/server/lib/authorization/init.js
@@ -14,9 +14,11 @@ export function initAuthorizationService(server) {
   const config = server.config();
 
   const actions = actionsFactory(config);
+  const application = `kibana-${config.get('kibana.index')}`;
 
   server.expose('authorization', deepFreeze({
-    checkPrivilegesWithRequest: checkPrivilegesWithRequestFactory(shieldClient, config, actions),
-    actions
+    actions,
+    application,
+    checkPrivilegesWithRequest: checkPrivilegesWithRequestFactory(shieldClient, config, actions, application),
   }));
 }
diff --git a/x-pack/plugins/security/server/lib/authorization/init.test.js b/x-pack/plugins/security/server/lib/authorization/init.test.js
index b72813809896f0..d70e08934c131f 100644
--- a/x-pack/plugins/security/server/lib/authorization/init.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/init.test.js
@@ -21,8 +21,21 @@ jest.mock('./actions', () => ({
   actionsFactory: jest.fn(),
 }));
 
+const createMockConfig = (settings = {}) => {
+  const mockConfig = {
+    get: jest.fn()
+  };
+
+  mockConfig.get.mockImplementation(key => settings[key]);
+
+  return mockConfig;
+};
+
 test(`calls server.expose with exposed services`, () => {
-  const mockConfig = Symbol();
+  const kibanaIndex = '.a-kibana-index';
+  const mockConfig = createMockConfig({
+    'kibana.index': kibanaIndex
+  });
   const mockServer = {
     expose: jest.fn(),
     config: jest.fn().mockReturnValue(mockConfig)
@@ -33,20 +46,25 @@ test(`calls server.expose with exposed services`, () => {
   checkPrivilegesWithRequestFactory.mockReturnValue(mockCheckPrivilegesWithRequest);
   const mockActions = Symbol();
   actionsFactory.mockReturnValue(mockActions);
+  mockConfig.get.mock;
 
   initAuthorizationService(mockServer);
 
+  const application = `kibana-${kibanaIndex}`;
   expect(getClient).toHaveBeenCalledWith(mockServer);
   expect(actionsFactory).toHaveBeenCalledWith(mockConfig);
-  expect(checkPrivilegesWithRequestFactory).toHaveBeenCalledWith(mockShieldClient, mockConfig, mockActions);
+  expect(checkPrivilegesWithRequestFactory).toHaveBeenCalledWith(mockShieldClient, mockConfig, mockActions, application);
   expect(mockServer.expose).toHaveBeenCalledWith('authorization', {
-    checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
     actions: mockActions,
+    application,
+    checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
   });
 });
 
 test(`deep freezes exposed service`, () => {
-  const mockConfig = Symbol();
+  const mockConfig = createMockConfig({
+    'kibana.index': ''
+  });
   const mockServer = {
     expose: jest.fn(),
     config: jest.fn().mockReturnValue(mockConfig)
@@ -61,4 +79,5 @@ test(`deep freezes exposed service`, () => {
   expect(() => delete exposed.checkPrivilegesWithRequest).toThrowErrorMatchingSnapshot();
   expect(() => exposed.foo = 'bar').toThrowErrorMatchingSnapshot();
   expect(() => exposed.actions.login = 'not-login').toThrowErrorMatchingSnapshot();
+  expect(() => exposed.application = 'changed').toThrowErrorMatchingSnapshot();
 });
diff --git a/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js
index 432d4647dc1ee7..826cdab4b42040 100644
--- a/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js
+++ b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js
@@ -7,16 +7,12 @@
 import { difference, isEmpty, isEqual } from 'lodash';
 import { buildPrivilegeMap } from './privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
-import { actionsFactory } from './actions';
-
-
 
 export async function registerPrivilegesWithCluster(server) {
-  const config = server.config();
 
-  const actions = actionsFactory(config);
-  const application = config.get('xpack.security.rbac.application');
-  const savedObjectTypes = server.savedObjects.types;
+  const { authorization } = server.plugins.security;
+  const { types: savedObjectTypes } = server.savedObjects;
+  const { actions, application } = authorization;
 
   const shouldRemovePrivileges = (existingPrivileges, expectedPrivileges) => {
     if (isEmpty(existingPrivileges)) {
diff --git a/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js
index 9e4f2fa237e7a8..f326d85fdeee3f 100644
--- a/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js
@@ -7,21 +7,16 @@
 import { registerPrivilegesWithCluster } from './register_privileges_with_cluster';
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { buildPrivilegeMap } from './privileges';
-import { actionsFactory } from './actions';
 jest.mock('../../../../../server/lib/get_client_shield', () => ({
   getClient: jest.fn(),
 }));
 jest.mock('./privileges', () => ({
   buildPrivilegeMap: jest.fn(),
 }));
-jest.mock('./actions', () => ({
-  actionsFactory: jest.fn(),
-}));
 
 const registerPrivilegesWithClusterTest = (description, {
   settings = {},
   savedObjectTypes,
-  actions,
   expectedPrivileges,
   existingPrivileges,
   throwErrorWhenGettingPrivileges,
@@ -37,7 +32,7 @@ const registerPrivilegesWithClusterTest = (description, {
   };
 
   const defaultVersion = 'default-version';
-  const defaultApplication = 'default-application';
+  const application = 'default-application';
 
   const createMockServer = () => {
     const mockServer = {
@@ -45,11 +40,18 @@ const registerPrivilegesWithClusterTest = (description, {
         get: jest.fn(),
       }),
       log: jest.fn(),
+      plugins: {
+        security: {
+          authorization: {
+            actions: Symbol(),
+            application
+          }
+        }
+      }
     };
 
     const defaultSettings = {
       'pkg.version': defaultVersion,
-      'xpack.security.rbac.application': defaultApplication,
     };
 
     mockServer.config().get.mockImplementation(key => {
@@ -68,18 +70,17 @@ const registerPrivilegesWithClusterTest = (description, {
       expect(error).toBeUndefined();
       expect(mockCallWithInternalUser).toHaveBeenCalledTimes(2);
       expect(mockCallWithInternalUser).toHaveBeenCalledWith('shield.getPrivilege', {
-        privilege: defaultApplication,
+        privilege: application,
       });
       expect(mockCallWithInternalUser).toHaveBeenCalledWith(
         'shield.postPrivileges',
         {
           body: {
-            [defaultApplication]: privileges
+            [application]: privileges
           },
         }
       );
 
-      const application = settings['xpack.security.rbac.application'] || defaultApplication;
       expect(mockServer.log).toHaveBeenCalledWith(
         ['security', 'debug'],
         `Registering Kibana Privileges with Elasticsearch for ${application}`
@@ -96,10 +97,9 @@ const registerPrivilegesWithClusterTest = (description, {
       expect(error).toBeUndefined();
       expect(mockCallWithInternalUser).toHaveBeenCalledTimes(1);
       expect(mockCallWithInternalUser).toHaveBeenLastCalledWith('shield.getPrivilege', {
-        privilege: defaultApplication
+        privilege: application
       });
 
-      const application = settings['xpack.security.rbac.application'] || defaultApplication;
       expect(mockServer.log).toHaveBeenCalledWith(
         ['security', 'debug'],
         `Registering Kibana Privileges with Elasticsearch for ${application}`
@@ -117,7 +117,6 @@ const registerPrivilegesWithClusterTest = (description, {
       expect(actualError).toBeInstanceOf(Error);
       expect(actualError.message).toEqual(expectedErrorMessage);
 
-      const application = settings['xpack.security.rbac.application'] || defaultApplication;
       expect(mockServer.log).toHaveBeenCalledWith(
         ['security', 'error'],
         `Error registering Kibana Privileges with Elasticsearch for ${application}: ${expectedErrorMessage}`
@@ -139,7 +138,7 @@ const registerPrivilegesWithClusterTest = (description, {
         }
 
         return {
-          [defaultApplication]: existingPrivileges
+          [application]: existingPrivileges
         };
       })
       .mockImplementationOnce(async () => {
@@ -148,7 +147,6 @@ const registerPrivilegesWithClusterTest = (description, {
         }
       });
 
-    actionsFactory.mockReturnValue(actions);
     buildPrivilegeMap.mockReturnValue(expectedPrivileges);
 
     let error;
@@ -163,7 +161,8 @@ const registerPrivilegesWithClusterTest = (description, {
       expectDidntUpdatePrivileges: createExpectDidntUpdatePrivileges(mockServer, mockCallWithInternalUser, error),
       expectErrorThrown: createExpectErrorThrown(mockServer, error),
       mocks: {
-        buildPrivilegeMap
+        buildPrivilegeMap,
+        server: mockServer,
       }
     });
   });
@@ -171,22 +170,18 @@ const registerPrivilegesWithClusterTest = (description, {
 
 registerPrivilegesWithClusterTest(`passes saved object types, application and actions to buildPrivilegeMap`, {
   settings: {
-    'pkg.version': 'foo-version',
-    'xpack.security.rbac.application': 'foo-application',
+    'pkg.version': 'foo-version'
   },
   savedObjectTypes: [
     'foo-type',
     'bar-type',
   ],
-  actions: {
-    login: 'mock-action:login',
-    version: 'mock-action:version',
-  },
   assert: ({ mocks }) => {
-    expect(mocks.buildPrivilegeMap).toHaveBeenCalledWith(['foo-type', 'bar-type'], 'foo-application', {
-      login: 'mock-action:login',
-      version: 'mock-action:version',
-    });
+    expect(mocks.buildPrivilegeMap).toHaveBeenCalledWith(
+      ['foo-type', 'bar-type'],
+      mocks.server.plugins.security.authorization.application,
+      mocks.server.plugins.security.authorization.actions,
+    );
   },
 });
 
diff --git a/x-pack/plugins/security/server/lib/validate_config.js b/x-pack/plugins/security/server/lib/validate_config.js
index d1f80cb65b7ac9..49c9ba94ffd57f 100644
--- a/x-pack/plugins/security/server/lib/validate_config.js
+++ b/x-pack/plugins/security/server/lib/validate_config.js
@@ -6,10 +6,6 @@
 
 const crypto = require('crypto');
 
-const isDefault = (config, key) => {
-  return config.getDefault(key) === config.get(key);
-};
-
 export function validateConfig(config, log) {
   if (config.get('xpack.security.encryptionKey') == null) {
     log('Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on ' +
@@ -31,8 +27,4 @@ export function validateConfig(config, log) {
   } else {
     config.set('xpack.security.secureCookies', true);
   }
-
-  if (!isDefault(config, 'kibana.index') && isDefault(config, 'xpack.security.rbac.application')) {
-    throw new Error('When setting kibana.index, xpack.security.rbac.application must be set as well.');
-  }
 }
diff --git a/x-pack/plugins/security/server/routes/api/v1/privileges.js b/x-pack/plugins/security/server/routes/api/v1/privileges.js
index 375f6879972701..4bf1b2c5cc7a5e 100644
--- a/x-pack/plugins/security/server/routes/api/v1/privileges.js
+++ b/x-pack/plugins/security/server/routes/api/v1/privileges.js
@@ -7,9 +7,7 @@
 import { buildPrivilegeMap } from '../../../lib/authorization';
 
 export function initPrivilegesApi(server) {
-  const config = server.config();
   const { authorization } = server.plugins.security;
-  const application = config.get('xpack.security.rbac.application');
   const savedObjectTypes = server.savedObjects.types;
 
   server.route({
@@ -20,7 +18,7 @@ export function initPrivilegesApi(server) {
       // in Elasticsearch because our current thinking is that we'll associate additional structure/metadata
       // with our view of them to allow users to more efficiently edit privileges for roles, and serialize it
       // into a different structure for enforcement within Elasticsearch
-      const privileges = buildPrivilegeMap(savedObjectTypes, application, authorization.actions);
+      const privileges = buildPrivilegeMap(savedObjectTypes, authorization.application, authorization.actions);
       reply(Object.values(privileges));
     }
   });
diff --git a/x-pack/test/rbac_api_integration/apis/privileges/index.js b/x-pack/test/rbac_api_integration/apis/privileges/index.js
index bc5bc62f608384..74e30e5616c039 100644
--- a/x-pack/test/rbac_api_integration/apis/privileges/index.js
+++ b/x-pack/test/rbac_api_integration/apis/privileges/index.js
@@ -16,13 +16,13 @@ export default function ({ getService }) {
         .then(resp => {
           expect(resp.body).to.eql([
             {
-              application: 'kibana',
+              application: 'kibana-.kibana',
               name: 'all',
               actions: ['version:7.0.0-alpha1', 'action:*'],
               metadata: {},
             },
             {
-              application: 'kibana',
+              application: 'kibana-.kibana',
               name: 'read',
               actions: [
                 'version:7.0.0-alpha1',
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
index 6336d4bcd47ecc..2c11949d8bb473 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
@@ -6,6 +6,7 @@
 
 import { AUTHENTICATION } from "./lib/authentication";
 
+const application = 'kibana-.kibana';
 export default function ({ loadTestFile, getService }) {
   const es = getService('es');
 
@@ -42,7 +43,7 @@ export default function ({ loadTestFile, getService }) {
           index: [],
           applications: [
             {
-              application: 'kibana',
+              application,
               privileges: [ 'all' ],
               resources: [ '*' ]
             }
@@ -57,7 +58,7 @@ export default function ({ loadTestFile, getService }) {
           index: [],
           applications: [
             {
-              application: 'kibana',
+              application,
               privileges: [ 'read' ],
               resources: [ '*' ]
             }

From fb724d2ca09ddc8f22175e357a0ea227399df519 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 12 Jul 2018 13:35:20 -0400
Subject: [PATCH 078/183] Validate ES has_privileges response before trusting
 it (#20682)

* validate elasticsearch has_privileges response before trusting it

* address feedback
---
 .../check_privileges.test.js.snap             |   8 +
 .../validate_es_response.test.js.snap         |  43 +++
 .../lib/authorization/check_privileges.js     |   8 +-
 .../authorization/check_privileges.test.js    |  74 +++-
 .../server/lib/authorization/privileges.js    |   4 +
 .../lib/authorization/validate_es_response.js |  65 ++++
 .../validate_es_response.test.js              | 357 ++++++++++++++++++
 7 files changed, 556 insertions(+), 3 deletions(-)
 create mode 100644 x-pack/plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.js.snap
 create mode 100644 x-pack/plugins/security/server/lib/authorization/validate_es_response.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/validate_es_response.test.js

diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
index 4c0c88a8f8313c..7609d57b702faf 100644
--- a/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
@@ -1,5 +1,13 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
+exports[`with a malformed Elasticsearch response throws a validation error when an extra index privilege is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "index" fails because [child "default-index" fails because ["oopsAnExtraPrivilege" is not allowed]]]`;
+
+exports[`with a malformed Elasticsearch response throws a validation error when an extra privilege is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "&#x2a;" fails because ["oops-an-unexpected-privilege" is not allowed]]]]`;
+
+exports[`with a malformed Elasticsearch response throws a validation error when index privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "index" fails because [child "default-index" fails because [child "read" fails because ["read" is required]]]]`;
+
+exports[`with a malformed Elasticsearch response throws a validation error when privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "&#x2a;" fails because [child "mock-action:version" fails because ["mock-action:version" is required]]]]]`;
+
 exports[`with index privileges throws error if missing version privilege and has login privilege 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
 
 exports[`with no index privileges throws error if missing version privilege and has login privilege 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.js.snap
new file mode 100644
index 00000000000000..5e1e26a9023ae7
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.js.snap
@@ -0,0 +1,43 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`validateEsPrivilegeResponse fails validation when an action is malformed in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [child \\"action3\\" fails because [\\"action3\\" must be a boolean]]]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when an action is missing in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [child \\"action2\\" fails because [\\"action2\\" is required]]]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when an extra action is present in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"action4\\" is not allowed]]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when an extra application is present in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [\\"otherApplication\\" is not allowed]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when an unexpected resource property is present in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"foo-resource\\" is required]]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when the "application" property is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [\\"application\\" is required]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when the expected resource property is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"foo-resource\\" is required]]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when the requested application is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [\\"foo-application\\" is required]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when the resource propertry is malformed in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"foo-resource\\" must be an object]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the create index privilege is malformed 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"create\\" fails because [\\"create\\" must be a boolean]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the create index privilege is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"create\\" fails because [\\"create\\" is required]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the delete index privilege is malformed 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"delete\\" fails because [\\"delete\\" must be a boolean]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the delete index privilege is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"delete\\" fails because [\\"delete\\" is required]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the index privilege response contains an extra privilege 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [\\"foo-permission\\" is not allowed]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the index privilege response returns an extra index 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [\\"anotherIndex\\" is not allowed]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the index property is missing 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [\\"index\\" is required]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the kibana index is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [\\".kibana\\" is required]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the read index privilege is malformed 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"read\\" fails because [\\"read\\" must be a boolean]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the read index privilege is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"read\\" fails because [\\"read\\" is required]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the view_index_metadata index privilege is malformed 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"view_index_metadata\\" fails because [\\"view_index_metadata\\" must be a boolean]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the view_index_metadata index privilege is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"view_index_metadata\\" fails because [\\"view_index_metadata\\" is required]]]"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
index 594966e5b3e4ef..2f5c58293d15f2 100644
--- a/x-pack/plugins/security/server/lib/authorization/check_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
@@ -6,6 +6,8 @@
 
 import { uniq } from 'lodash';
 import { ALL_RESOURCE } from '../../../common/constants';
+import { buildLegacyIndexPrivileges } from './privileges';
+import { validateEsPrivilegeResponse } from './validate_es_response';
 
 export const CHECK_PRIVILEGES_RESULT = {
   UNAUTHORIZED: Symbol('Unauthorized'),
@@ -59,13 +61,15 @@ export function checkPrivilegesWithRequestFactory(shieldClient, config, actions,
           }],
           index: [{
             names: [kibanaIndex],
-            privileges: ['create', 'delete', 'read', 'view_index_metadata']
+            privileges: buildLegacyIndexPrivileges()
           }],
         }
       });
 
+      validateEsPrivilegeResponse(hasPrivilegesResponse, application, allApplicationPrivileges, [ALL_RESOURCE], kibanaIndex);
+
       const applicationPrivilegesResponse = hasPrivilegesResponse.application[application][ALL_RESOURCE];
-      const indexPrivilegesResponse =  hasPrivilegesResponse.index[kibanaIndex];
+      const indexPrivilegesResponse = hasPrivilegesResponse.index[kibanaIndex];
 
       if (hasIncompatibileVersion(applicationPrivilegesResponse)) {
         throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
index edf3b42d11c28f..a64110515e803c 100644
--- a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
@@ -94,7 +94,7 @@ const checkPrivilegesTest = (
           ])
         }],
         index: [{
-          names: [ defaultKibanaIndex ],
+          names: [defaultKibanaIndex],
           privileges: ['create', 'delete', 'read', 'view_index_metadata']
         }],
       }
@@ -328,3 +328,75 @@ describe('with no application privileges', () => {
     });
   });
 });
+
+describe('with a malformed Elasticsearch response', () => {
+  const indexPrivilegesResponse = {
+    create: true,
+    delete: true,
+    read: true,
+    view_index_metadata: true,
+  };
+
+  checkPrivilegesTest('throws a validation error when an extra privilege is present in the response', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`,
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+      ['oops-an-unexpected-privilege']: true,
+    },
+    indexPrivilegesResponse,
+    expectErrorThrown: true,
+  });
+
+  checkPrivilegesTest('throws a validation error when privileges are missing in the response', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`,
+    ],
+    applicationPrivilegesResponse: {
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse,
+    expectErrorThrown: true,
+  });
+
+  checkPrivilegesTest('throws a validation error when an extra index privilege is present in the response', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`,
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse: {
+      ...indexPrivilegesResponse,
+      oopsAnExtraPrivilege: true,
+    },
+    expectErrorThrown: true,
+  });
+
+  const missingIndexPrivileges = {
+    ...indexPrivilegesResponse
+  };
+  delete missingIndexPrivileges.read;
+
+  checkPrivilegesTest('throws a validation error when index privileges are missing in the response', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`,
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse: missingIndexPrivileges,
+    expectErrorThrown: true,
+  });
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/privileges.js b/x-pack/plugins/security/server/lib/authorization/privileges.js
index 9ded71662ed51c..6f64871ed75566 100644
--- a/x-pack/plugins/security/server/lib/authorization/privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/privileges.js
@@ -28,3 +28,7 @@ export function buildPrivilegeMap(savedObjectTypes, application, actions) {
     }
   };
 }
+
+export function buildLegacyIndexPrivileges() {
+  return ['create', 'delete', 'read', 'view_index_metadata'];
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/validate_es_response.js b/x-pack/plugins/security/server/lib/authorization/validate_es_response.js
new file mode 100644
index 00000000000000..34d618398bc3d3
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/validate_es_response.js
@@ -0,0 +1,65 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Joi from 'joi';
+import { buildLegacyIndexPrivileges } from './privileges';
+
+const legacyIndexPrivilegesSchema = Joi.object({
+  ...buildLegacyIndexPrivileges().reduce((acc, privilege) => {
+    return {
+      ...acc,
+      [privilege]: Joi.bool().required()
+    };
+  }, {})
+}).required();
+
+export function validateEsPrivilegeResponse(response, application, actions, resources, kibanaIndex) {
+  const schema = buildValidationSchema(application, actions, resources, kibanaIndex);
+  const { error, value } = schema.validate(response);
+
+  if (error) {
+    throw new Error(`Invalid response received from Elasticsearch has_privilege endpoint. ${error}`);
+  }
+
+  return value;
+}
+
+function buildActionsValidationSchema(actions) {
+  return Joi.object({
+    ...actions.reduce((acc, action) => {
+      return {
+        ...acc,
+        [action]: Joi.bool().required()
+      };
+    }, {})
+  }).required();
+}
+
+function buildValidationSchema(application, actions, resources, kibanaIndex) {
+
+  const actionValidationSchema = buildActionsValidationSchema(actions);
+
+  const resourceValidationSchema = Joi.object({
+    ...resources.reduce((acc, resource) => {
+      return {
+        ...acc,
+        [resource]: actionValidationSchema
+      };
+    }, {})
+  }).required();
+
+  return Joi.object({
+    username: Joi.string().required(),
+    has_all_requested: Joi.bool(),
+    cluster: Joi.object(),
+    application: Joi.object({
+      [application]: resourceValidationSchema,
+    }).required(),
+    index: Joi.object({
+      [kibanaIndex]: legacyIndexPrivilegesSchema
+    }).required()
+  }).required();
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/validate_es_response.test.js b/x-pack/plugins/security/server/lib/authorization/validate_es_response.test.js
new file mode 100644
index 00000000000000..f3dbad1b56ac95
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/validate_es_response.test.js
@@ -0,0 +1,357 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { validateEsPrivilegeResponse } from "./validate_es_response";
+import { buildLegacyIndexPrivileges } from "./privileges";
+
+const resource = 'foo-resource';
+const application = 'foo-application';
+const kibanaIndex = '.kibana';
+
+const commonResponse = {
+  username: 'user',
+  has_all_requested: true,
+};
+
+describe('validateEsPrivilegeResponse', () => {
+  const legacyIndexResponse = {
+    [kibanaIndex]: {
+      'create': true,
+      'delete': true,
+      'read': true,
+      'view_index_metadata': true,
+    }
+  };
+
+  it('should validate a proper response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource]: {
+            action1: true,
+            action2: true,
+            action3: true
+          }
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    const result = validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex);
+    expect(result).toEqual(response);
+  });
+
+  it('fails validation when an action is missing in the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource]: {
+            action1: true,
+            action3: true
+          }
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when an extra action is present in the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource]: {
+            action1: true,
+            action2: true,
+            action3: true,
+            action4: true,
+          }
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when an action is malformed in the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource]: {
+            action1: true,
+            action2: true,
+            action3: 'not a boolean',
+          }
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when an extra application is present in the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource]: {
+            action1: true,
+            action2: true,
+            action3: true,
+          }
+        },
+        otherApplication: {
+          [resource]: {
+            action1: true,
+            action2: true,
+            action3: true,
+          }
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when the requested application is missing from the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {},
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when the "application" property is missing from the response', () => {
+    const response = {
+      ...commonResponse,
+      index: {}
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when the expected resource property is missing from the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {}
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when an unexpected resource property is present in the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          'other-resource': {
+            action1: true,
+            action2: true,
+            action3: true,
+          }
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when the resource propertry is malformed in the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource]: 'not-an-object'
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  describe('legacy', () => {
+    it('should validate a proper response', () => {
+      const response = {
+        ...commonResponse,
+        application: {
+          [application]: {
+            [resource]: {
+              action1: true
+            }
+          }
+        },
+        index: legacyIndexResponse
+      };
+
+      const result = validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex);
+      expect(result).toEqual(response);
+    });
+
+    it('should fail if the index property is missing', () => {
+      const response = {
+        ...commonResponse,
+        application: {
+          [application]: {
+            [resource]: {
+              action1: true
+            }
+          }
+        }
+      };
+
+      expect(() =>
+        validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
+      ).toThrowErrorMatchingSnapshot();
+    });
+
+    it('should fail if the kibana index is missing from the response', () => {
+      const response = {
+        ...commonResponse,
+        application: {
+          [application]: {
+            [resource]: {
+              action1: true
+            }
+          }
+        },
+        index: {}
+      };
+
+      expect(() =>
+        validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
+      ).toThrowErrorMatchingSnapshot();
+    });
+
+    it('should fail if the index privilege response returns an extra index', () => {
+      const response = {
+        ...commonResponse,
+        application: {
+          [application]: {
+            [resource]: {
+              action1: true
+            }
+          }
+        },
+        index: {
+          ...legacyIndexResponse,
+          'anotherIndex': {
+            foo: true
+          }
+        }
+      };
+
+      expect(() =>
+        validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
+      ).toThrowErrorMatchingSnapshot();
+    });
+
+    it('should fail if the index privilege response contains an extra privilege', () => {
+      const response = {
+        ...commonResponse,
+        application: {
+          [application]: {
+            [resource]: {
+              action1: true
+            }
+          }
+        },
+        index: {
+          [kibanaIndex]: {
+            ...legacyIndexResponse[kibanaIndex],
+            'foo-permission': true
+          }
+        }
+      };
+
+      expect(() =>
+        validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
+      ).toThrowErrorMatchingSnapshot();
+    });
+
+    buildLegacyIndexPrivileges().forEach(privilege => {
+      test(`should fail if the ${privilege} index privilege is missing from the response`, () => {
+        const response = {
+          ...commonResponse,
+          application: {
+            [application]: {
+              [resource]: {
+                action1: true
+              }
+            }
+          },
+          index: {
+            [kibanaIndex]: {
+              ...legacyIndexResponse[kibanaIndex]
+            }
+          }
+        };
+
+        delete response.index[kibanaIndex][privilege];
+
+        expect(() =>
+          validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
+        ).toThrowErrorMatchingSnapshot();
+      });
+
+      test(`should fail if the ${privilege} index privilege is malformed`, () => {
+        const response = {
+          ...commonResponse,
+          application: {
+            [application]: {
+              [resource]: {
+                action1: true
+              }
+            }
+          },
+          index: {
+            [kibanaIndex]: {
+              ...legacyIndexResponse[kibanaIndex]
+            }
+          }
+        };
+
+        response.index[kibanaIndex][privilege] = 'not a boolean';
+
+        expect(() =>
+          validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
+        ).toThrowErrorMatchingSnapshot();
+      });
+    });
+  });
+});

From c65908b38cdebdcdfb06e4e30eb228fd38f0fcef Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 12 Jul 2018 15:21:30 -0400
Subject: [PATCH 079/183] Removing unused setting

---
 x-pack/plugins/security/index.js | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 8e0c5ad68c64c7..9cf76e3b354e46 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -42,12 +42,6 @@ export const security = (kibana) => new kibana.Plugin({
         hostname: Joi.string().hostname(),
         port: Joi.number().integer().min(0).max(65535)
       }).default(),
-      rbac: Joi.object({
-        application: Joi.string().default('kibana').regex(
-          /[a-zA-Z0-9-_]+/,
-          `may contain alphanumeric characters (a-z, A-Z, 0-9), underscores and hyphens`
-        ),
-      }).default(),
       audit: Joi.object({
         enabled: Joi.boolean().default(false)
       }).default(),

From a597976cd1f9115248a4ddc0bed11645b8cd1906 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Fri, 13 Jul 2018 12:38:37 -0400
Subject: [PATCH 080/183] Public Role APIs (#20732)

* Beginning to work on external role management APIs

* Refactoring GET tests and adding more permutations

* Adding test for excluding other resources

* Adding get role tests

* Splitting out the endpoints, or else it's gonna get overwhelming

* Splitting out the post and delete actions

* Beginning to work on POST and the tests

* Posting the updated role

* Adding update tests

* Modifying the UI to use the new public APIs

* Removing internal roles API

* Moving the rbac api integration setup tests to use the public role apis

* Testing field_security and query

* Adding create role tests

* We can't update the transient_metadata...

* Removing debugger

* Update and delete tests

* Returning a 204 when POSTing a Role.

* Switching POST to PUT and roles to role

* We don't need the rbacApplication client-side anymore

* Adding delete route tests

* Using not found instead of not acceptable, as that's more likely

* Only allowing us to PUT known Kibana privileges

* Removing transient_metadata

* Removing one letter variable names

* Using PUT instead of POST when saving roles

* Fixing broken tests
---
 x-pack/plugins/security/index.js              |   6 +-
 .../security/public/services/shield_role.js   |  11 +-
 .../public/views/management/edit_role.html    |  14 +-
 .../public/views/management/edit_role.js      |  80 +--
 .../server/routes/api/public/roles/delete.js  |  33 +
 .../routes/api/public/roles/delete.test.js    | 125 ++++
 .../server/routes/api/public/roles/get.js     |  78 +++
 .../routes/api/public/roles/get.test.js       | 577 ++++++++++++++++++
 .../server/routes/api/public/roles/index.js   |  25 +
 .../server/routes/api/public/roles/put.js     | 110 ++++
 .../routes/api/public/roles/put.test.js       | 503 +++++++++++++++
 .../security/server/routes/api/v1/roles.js    |  84 ---
 .../api_integration/apis/security/index.js    |   1 +
 .../api_integration/apis/security/roles.js    | 221 +++++++
 x-pack/test/api_integration/config.js         |   3 +-
 x-pack/test/api_integration/services/es.js    |  20 +
 x-pack/test/api_integration/services/index.js |   1 +
 .../apis/saved_objects/index.js               |  74 +--
 18 files changed, 1775 insertions(+), 191 deletions(-)
 create mode 100644 x-pack/plugins/security/server/routes/api/public/roles/delete.js
 create mode 100644 x-pack/plugins/security/server/routes/api/public/roles/delete.test.js
 create mode 100644 x-pack/plugins/security/server/routes/api/public/roles/get.js
 create mode 100644 x-pack/plugins/security/server/routes/api/public/roles/get.test.js
 create mode 100644 x-pack/plugins/security/server/routes/api/public/roles/index.js
 create mode 100644 x-pack/plugins/security/server/routes/api/public/roles/put.js
 create mode 100644 x-pack/plugins/security/server/routes/api/public/roles/put.test.js
 delete mode 100644 x-pack/plugins/security/server/routes/api/v1/roles.js
 create mode 100644 x-pack/test/api_integration/apis/security/roles.js
 create mode 100644 x-pack/test/api_integration/services/es.js

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 9cf76e3b354e46..f0c76daf393a3e 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -8,7 +8,7 @@ import { resolve } from 'path';
 import { getUserProvider } from './server/lib/get_user';
 import { initAuthenticateApi } from './server/routes/api/v1/authenticate';
 import { initUsersApi } from './server/routes/api/v1/users';
-import { initRolesApi } from './server/routes/api/v1/roles';
+import { initPublicRolesApi } from './server/routes/api/public/roles';
 import { initIndicesApi } from './server/routes/api/v1/indices';
 import { initLoginView } from './server/routes/views/login';
 import { initLogoutView } from './server/routes/views/logout';
@@ -70,11 +70,9 @@ export const security = (kibana) => new kibana.Plugin({
     injectDefaultVars: function (server) {
       const config = server.config();
 
-      const { authorization } = server.plugins.security;
       return {
         secureCookies: config.get('xpack.security.secureCookies'),
         sessionTimeout: config.get('xpack.security.sessionTimeout'),
-        rbacApplication: authorization.application,
       };
     }
   },
@@ -146,7 +144,7 @@ export const security = (kibana) => new kibana.Plugin({
     await initAuthenticator(server);
     initAuthenticateApi(server);
     initUsersApi(server);
-    initRolesApi(server);
+    initPublicRolesApi(server);
     initIndicesApi(server);
     initPrivilegesApi(server);
     initLoginView(server, xpackMainPlugin);
diff --git a/x-pack/plugins/security/public/services/shield_role.js b/x-pack/plugins/security/public/services/shield_role.js
index 1954415f0384bd..3ee73dbad57dbb 100644
--- a/x-pack/plugins/security/public/services/shield_role.js
+++ b/x-pack/plugins/security/public/services/shield_role.js
@@ -5,11 +5,20 @@
  */
 
 import 'angular-resource';
+import { omit } from 'lodash';
+import angular from 'angular';
 import { uiModules } from 'ui/modules';
 
 const module = uiModules.get('security', ['ngResource']);
 module.service('ShieldRole', ($resource, chrome) => {
-  return $resource(chrome.addBasePath('/api/security/v1/roles/:name'), {
+  return $resource(chrome.addBasePath('/api/security/role/:name'), {
     name: '@name'
+  }, {
+    save: {
+      method: 'PUT',
+      transformRequest(data) {
+        return angular.toJson(omit(data, 'name', 'transient_metadata', '_unrecognized_applications'));
+      }
+    }
   });
 });
diff --git a/x-pack/plugins/security/public/views/management/edit_role.html b/x-pack/plugins/security/public/views/management/edit_role.html
index 3b5c7a13412a74..a2f51552403d4b 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.html
+++ b/x-pack/plugins/security/public/views/management/edit_role.html
@@ -101,8 +101,8 @@ <h1 class="kuiTitle">
               <input
                 class="kuiCheckBox"
                 type="checkbox"
-                ng-checked="includes(role.cluster, privilege)"
-                ng-click="toggle(role.cluster, privilege)"
+                ng-checked="includes(role.elasticsearch.cluster, privilege)"
+                ng-click="toggle(role.elasticsearch.cluster, privilege)"
                 ng-disabled="role.metadata._reserved || !isRoleEnabled(role)"
               />
               <span class="kuiOptionLabel">{{privilege}}</span>
@@ -116,12 +116,12 @@ <h1 class="kuiTitle">
             Kibana Privileges
           </label>
 
-          <div ng-repeat="(key, value) in kibanaPrivileges">
+          <div ng-repeat="(key, value) in kibanaPrivilegesViewModel">
             <label>
               <input
                 class="kuiCheckBox"
                 type="checkbox"
-                ng-model="kibanaPrivileges[key]"
+                ng-model="kibanaPrivilegesViewModel[key]"
                 ng-disabled="role.metadata._reserved || !isRoleEnabled(role)"
               />
               <span class="kuiOptionLabel">{{key}}</span>
@@ -136,7 +136,7 @@ <h1 class="kuiTitle">
           </label>
           <ui-select
             multiple
-            ng-model="role.run_as"
+            ng-model="role.elasticsearch.run_as"
             ng-disabled="role.metadata._reserved || !isRoleEnabled(role)"
           >
             <ui-select-match placeholder="Add a user...">
@@ -152,7 +152,7 @@ <h1 class="kuiTitle">
         <div class="kuiFormSection">
           <kbn-index-privileges-form
             is-new-role="editRole.isNewRole"
-            indices="role.indices"
+            indices="role.elasticsearch.indices"
             index-patterns="indexPatterns"
             privileges="privileges"
             field-options="editRole.fieldOptions"
@@ -173,7 +173,7 @@ <h1 class="kuiTitle">
             class="kuiButton kuiButton--primary"
             ng-click="saveRole(role)"
             ng-if="!role.metadata._reserved && isRoleEnabled(role)"
-            ng-disabled="form.$invalid || !areIndicesValid(role.indices)"
+            ng-disabled="form.$invalid || !areIndicesValid(role.elasticsearch.indices)"
             data-test-subj="roleFormSaveButton"
           >
             Save
diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
index caa686ffd00f26..6a3f3a79573ffc 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role.js
@@ -5,7 +5,6 @@
  */
 
 import _ from 'lodash';
-import chrome from 'ui/chrome';
 import routes from 'ui/routes';
 import { fatalError, toastNotifications } from 'ui/notify';
 import { toggle } from 'plugins/security/lib/util';
@@ -22,60 +21,41 @@ import { IndexPatternsProvider } from 'ui/index_patterns/index_patterns';
 import { XPackInfoProvider } from 'plugins/xpack_main/services/xpack_info';
 import { checkLicenseError } from 'plugins/security/lib/check_license_error';
 import { EDIT_ROLES_PATH, ROLES_PATH } from './management_urls';
-import { ALL_RESOURCE } from '../../../common/constants';
 
-const getKibanaPrivileges = (applicationPrivileges, roleApplications, application) => {
-  const kibanaPrivileges = applicationPrivileges.reduce((acc, p) => {
-    acc[p.name] = false;
+const getKibanaPrivilegesViewModel = (applicationPrivileges, roleKibanaPrivileges) => {
+  const viewModel = applicationPrivileges.reduce((acc, applicationPrivilege) => {
+    acc[applicationPrivilege.name] = false;
     return acc;
   }, {});
 
-  if (!roleApplications || roleApplications.length === 0) {
-    return kibanaPrivileges;
+  if (!roleKibanaPrivileges || roleKibanaPrivileges.length === 0) {
+    return viewModel;
   }
 
-  // we're filtering out privileges for non-all resources incase the roles were created in a future version
-  const applications = roleApplications
-    .filter(roleApplication => roleApplication.application === application)
-    .filter(roleApplication => !roleApplication.resources.some(resource => resource !== ALL_RESOURCE));
-
-  const assigned = _.uniq(_.flatten(_.pluck(applications, 'privileges')));
-  assigned.forEach(a => {
+  const assignedPrivileges = _.uniq(_.flatten(_.pluck(roleKibanaPrivileges, 'privileges')));
+  assignedPrivileges.forEach(assignedPrivilege => {
     // we don't want to display privileges that aren't in our expected list of privileges
-    if (a in kibanaPrivileges) {
-      kibanaPrivileges[a] = true;
+    if (assignedPrivilege in viewModel) {
+      viewModel[assignedPrivilege] = true;
     }
   });
 
-  return kibanaPrivileges;
+  return viewModel;
 };
 
-const getRoleApplications = (kibanaPrivileges, currentRoleApplications = [], application) => {
-  // we keep any other applications
-  const newRoleApplications = currentRoleApplications.filter(roleApplication => {
-    return roleApplication.application !== application;
-  });
-
-  const selectedPrivileges = Object.keys(kibanaPrivileges).filter(key => kibanaPrivileges[key]);
+const getKibanaPrivileges = (kibanaPrivilegesViewModel) => {
+  const selectedPrivileges = Object.keys(kibanaPrivilegesViewModel).filter(key => kibanaPrivilegesViewModel[key]);
 
   // if we have any selected privileges, add a single application entry
   if (selectedPrivileges.length > 0) {
-    newRoleApplications.push({
-      application,
-      privileges: selectedPrivileges,
-      resources: [ALL_RESOURCE]
-    });
-  }
-
-  return newRoleApplications;
-};
-
-const getOtherApplications = (roleApplications, application) => {
-  if (!roleApplications || roleApplications.length === 0) {
-    return [];
+    return [
+      {
+        privileges: selectedPrivileges
+      }
+    ];
   }
 
-  return roleApplications.map(roleApplication => roleApplication.application).filter(app =>app !== application);
+  return [];
 };
 
 routes.when(`${EDIT_ROLES_PATH}/:name?`, {
@@ -97,10 +77,13 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
           });
       }
       return new ShieldRole({
-        cluster: [],
-        indices: [],
-        run_as: [],
-        applications: []
+        elasticsearch: {
+          cluster: [],
+          indices: [],
+          run_as: [],
+        },
+        kibana: [],
+        _unrecognized_applications: []
       });
     },
     applicationPrivileges(ApplicationPrivileges, kbnUrl, Promise, Private) {
@@ -126,7 +109,6 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     const Private = $injector.get('Private');
     const confirmModal = $injector.get('confirmModal');
     const shieldIndices = $injector.get('shieldIndices');
-    const rbacApplication = chrome.getInjected('rbacApplication');
 
     $scope.role = $route.current.locals.role;
     $scope.users = $route.current.locals.users;
@@ -135,8 +117,8 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
 
     const applicationPrivileges = $route.current.locals.applicationPrivileges;
     const role = $route.current.locals.role;
-    $scope.kibanaPrivileges = getKibanaPrivileges(applicationPrivileges, role.applications, rbacApplication);
-    $scope.otherApplications = getOtherApplications(role.applications, rbacApplication);
+    $scope.kibanaPrivilegesViewModel = getKibanaPrivilegesViewModel(applicationPrivileges, role.kibana);
+    $scope.otherApplications = role._unrecognized_applications;
 
     $scope.rolesHref = `#${ROLES_PATH}`;
 
@@ -158,10 +140,10 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     };
 
     $scope.saveRole = (role) => {
-      role.indices = role.indices.filter((index) => index.names.length);
-      role.indices.forEach((index) => index.query || delete index.query);
+      role.elasticsearch.indices = role.elasticsearch.indices.filter((index) => index.names.length);
+      role.elasticsearch.indices.forEach((index) => index.query || delete index.query);
 
-      role.applications = getRoleApplications($scope.kibanaPrivileges, role.applications, rbacApplication);
+      role.kibana = getKibanaPrivileges($scope.kibanaPrivilegesViewModel);
 
       return role.$save()
         .then(() => toastNotifications.addSuccess('Updated role'))
@@ -199,7 +181,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     $scope.allowDocumentLevelSecurity = xpackInfo.get('features.security.allowRoleDocumentLevelSecurity');
     $scope.allowFieldLevelSecurity = xpackInfo.get('features.security.allowRoleFieldLevelSecurity');
 
-    $scope.$watch('role.indices', (indices) => {
+    $scope.$watch('role.elasticsearch.indices', (indices) => {
       if (!indices.length) $scope.addIndex(indices);
       else indices.forEach($scope.fetchFieldOptions);
     }, true);
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/delete.js b/x-pack/plugins/security/server/routes/api/public/roles/delete.js
new file mode 100644
index 00000000000000..697a9bd32df1b9
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/delete.js
@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import _ from 'lodash';
+import Joi from 'joi';
+import { wrapError } from '../../../../lib/errors';
+
+export function initDeleteRolesApi(server, callWithRequest, routePreCheckLicenseFn) {
+  server.route({
+    method: 'DELETE',
+    path: '/api/security/role/{name}',
+    handler(request, reply) {
+      const name = request.params.name;
+      return callWithRequest(request, 'shield.deleteRole', { name }).then(
+        () => reply().code(204),
+        _.flow(wrapError, reply));
+    },
+    config: {
+      validate: {
+        params: Joi.object()
+          .keys({
+            name: Joi.string()
+              .required(),
+          })
+          .required(),
+      },
+      pre: [routePreCheckLicenseFn]
+    }
+  });
+}
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/delete.test.js b/x-pack/plugins/security/server/routes/api/public/roles/delete.test.js
new file mode 100644
index 00000000000000..0337b8e8b9f661
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/delete.test.js
@@ -0,0 +1,125 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Hapi from 'hapi';
+import Boom from 'boom';
+import { initDeleteRolesApi } from './delete';
+
+const createMockServer = () => {
+  const mockServer = new Hapi.Server({ debug: false });
+  mockServer.connection({ port: 8080 });
+  return mockServer;
+};
+
+const defaultPreCheckLicenseImpl = (request, reply) => reply();
+
+describe('DELETE role', () => {
+  const deleteRoleTest = (
+    description,
+    {
+      name,
+      preCheckLicenseImpl,
+      callWithRequestImpl,
+      asserts,
+    }
+  ) => {
+    test(description, async () => {
+      const mockServer = createMockServer();
+      const pre = jest.fn().mockImplementation(preCheckLicenseImpl);
+      const mockCallWithRequest = jest.fn();
+      if (callWithRequestImpl) {
+        mockCallWithRequest.mockImplementation(callWithRequestImpl);
+      }
+      initDeleteRolesApi(mockServer, mockCallWithRequest, pre);
+      const headers = {
+        authorization: 'foo',
+      };
+
+      const request = {
+        method: 'DELETE',
+        url: `/api/security/role/${name}`,
+        headers,
+      };
+      const { result, statusCode } = await mockServer.inject(request);
+
+      if (preCheckLicenseImpl) {
+        expect(pre).toHaveBeenCalled();
+      } else {
+        expect(pre).not.toHaveBeenCalled();
+      }
+
+      if (callWithRequestImpl) {
+        expect(mockCallWithRequest).toHaveBeenCalledWith(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: headers.authorization,
+            }),
+          }),
+          'shield.deleteRole',
+          { name },
+        );
+      } else {
+        expect(mockCallWithRequest).not.toHaveBeenCalled();
+      }
+      expect(statusCode).toBe(asserts.statusCode);
+      expect(result).toEqual(asserts.result);
+    });
+  };
+
+  describe('failure', () => {
+    deleteRoleTest(`requires name in params`, {
+      name: '',
+      asserts: {
+        statusCode: 404,
+        result: {
+          error: 'Not Found',
+          statusCode: 404,
+        },
+      },
+    });
+
+    deleteRoleTest(`returns result of routePreCheckLicense`, {
+      preCheckLicenseImpl: (request, reply) =>
+        reply(Boom.forbidden('test forbidden message')),
+      asserts: {
+        statusCode: 403,
+        result: {
+          error: 'Forbidden',
+          statusCode: 403,
+          message: 'test forbidden message',
+        },
+      },
+    });
+
+    deleteRoleTest(`returns error from callWithRequest`, {
+      name: 'foo-role',
+      preCheckLicenseImpl: defaultPreCheckLicenseImpl,
+      callWithRequestImpl: async () => {
+        throw Boom.notFound('test not found message');
+      },
+      asserts: {
+        statusCode: 404,
+        result: {
+          error: 'Not Found',
+          statusCode: 404,
+          message: 'test not found message',
+        },
+      },
+    });
+  });
+
+  describe('success', () => {
+    deleteRoleTest(`deletes role`, {
+      name: 'foo-role',
+      preCheckLicenseImpl: defaultPreCheckLicenseImpl,
+      callWithRequestImpl: async () => {},
+      asserts: {
+        statusCode: 204,
+        result: null
+      }
+    });
+  });
+});
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/get.js b/x-pack/plugins/security/server/routes/api/public/roles/get.js
new file mode 100644
index 00000000000000..9ae89a97c36f1a
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/get.js
@@ -0,0 +1,78 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import _ from 'lodash';
+import Boom from 'boom';
+import { ALL_RESOURCE } from '../../../../../common/constants';
+import { wrapError } from '../../../../lib/errors';
+
+export function initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn, application) {
+
+  const transformKibanaApplicationsFromEs = (roleApplications) => {
+    return roleApplications
+      .filter(roleApplication => roleApplication.application === application)
+      .filter(roleApplication => roleApplication.resources.length > 0)
+      .filter(roleApplication => roleApplication.resources.every(resource => resource === ALL_RESOURCE))
+      .map(roleApplication => ({ privileges: roleApplication.privileges }));
+  };
+
+  const transformUnrecognizedApplicationsFromEs = (roleApplications) => {
+    return _.uniq(roleApplications
+      .filter(roleApplication => roleApplication.application !== application)
+      .map(roleApplication => roleApplication.application));
+  };
+
+  const transformRoleFromEs = (role, name) => {
+    return {
+      name,
+      metadata: role.metadata,
+      transient_metadata: role.transient_metadata,
+      elasticsearch: {
+        cluster: role.cluster,
+        indices: role.indices,
+        run_as: role.run_as,
+      },
+      kibana: transformKibanaApplicationsFromEs(role.applications),
+      _unrecognized_applications: transformUnrecognizedApplicationsFromEs(role.applications),
+    };
+  };
+
+  const transformRolesFromEs = (roles) => {
+    return _.map(roles, (role, name) => transformRoleFromEs(role, name));
+  };
+
+  server.route({
+    method: 'GET',
+    path: '/api/security/role',
+    handler(request, reply) {
+      return callWithRequest(request, 'shield.getRole').then(
+        (response) => {
+          return reply(transformRolesFromEs(response));
+        },
+        _.flow(wrapError, reply)
+      );
+    },
+    config: {
+      pre: [routePreCheckLicenseFn]
+    }
+  });
+
+  server.route({
+    method: 'GET',
+    path: '/api/security/role/{name}',
+    handler(request, reply) {
+      const name = request.params.name;
+      return callWithRequest(request, 'shield.getRole', { name }).then(
+        (response) => {
+          if (response[name]) return reply(transformRoleFromEs(response[name], name));
+          return reply(Boom.notFound());
+        },
+        _.flow(wrapError, reply));
+    },
+    config: {
+      pre: [routePreCheckLicenseFn]
+    }
+  });
+}
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/get.test.js b/x-pack/plugins/security/server/routes/api/public/roles/get.test.js
new file mode 100644
index 00000000000000..a8dd3a38bdeb91
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/get.test.js
@@ -0,0 +1,577 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import Hapi from 'hapi';
+import Boom from 'boom';
+import { initGetRolesApi } from './get';
+
+const application = 'kibana-.kibana';
+
+const createMockServer = () => {
+  const mockServer = new Hapi.Server({ debug: false });
+  mockServer.connection({ port: 8080 });
+  return mockServer;
+};
+
+describe('GET roles', () => {
+  const getRolesTest = (
+    description,
+    {
+      preCheckLicenseImpl = (request, reply) => reply(),
+      callWithRequestImpl,
+      asserts,
+    }
+  ) => {
+    test(description, async () => {
+      const mockServer = createMockServer();
+      const pre = jest.fn().mockImplementation(preCheckLicenseImpl);
+      const mockCallWithRequest = jest.fn();
+      if (callWithRequestImpl) {
+        mockCallWithRequest.mockImplementation(callWithRequestImpl);
+      }
+      initGetRolesApi(mockServer, mockCallWithRequest, pre, application);
+      const headers = {
+        authorization: 'foo',
+      };
+
+      const request = {
+        method: 'GET',
+        url: '/api/security/role',
+        headers,
+      };
+      const { result, statusCode } = await mockServer.inject(request);
+
+      expect(pre).toHaveBeenCalled();
+      if (callWithRequestImpl) {
+        expect(mockCallWithRequest).toHaveBeenCalledWith(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: headers.authorization,
+            }),
+          }),
+          'shield.getRole'
+        );
+      } else {
+        expect(mockCallWithRequest).not.toHaveBeenCalled();
+      }
+      expect(statusCode).toBe(asserts.statusCode);
+      expect(result).toEqual(asserts.result);
+    });
+  };
+
+  describe('failure', () => {
+    getRolesTest(`returns result of routePreCheckLicense`, {
+      preCheckLicenseImpl: (request, reply) =>
+        reply(Boom.forbidden('test forbidden message')),
+      asserts: {
+        statusCode: 403,
+        result: {
+          error: 'Forbidden',
+          statusCode: 403,
+          message: 'test forbidden message',
+        },
+      },
+    });
+
+    getRolesTest(`returns error from callWithRequest`, {
+      callWithRequestImpl: async () => {
+        throw Boom.notAcceptable('test not acceptable message');
+      },
+      asserts: {
+        statusCode: 406,
+        result: {
+          error: 'Not Acceptable',
+          statusCode: 406,
+          message: 'test not acceptable message',
+        },
+      },
+    });
+  });
+
+  describe('success', () => {
+    getRolesTest(`transforms elasticsearch privileges`, {
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: ['manage_watcher'],
+          indices: [
+            {
+              names: ['.kibana*'],
+              privileges: ['read', 'view_index_metadata'],
+            },
+          ],
+          applications: [],
+          run_as: ['other_user'],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: [
+          {
+            name: 'first_role',
+            metadata: {
+              _reserved: true,
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+            elasticsearch: {
+              cluster: ['manage_watcher'],
+              indices: [
+                {
+                  names: ['.kibana*'],
+                  privileges: ['read', 'view_index_metadata'],
+                },
+              ],
+              run_as: ['other_user'],
+            },
+            kibana: [],
+            _unrecognized_applications: [],
+          },
+        ],
+      },
+    });
+
+    getRolesTest(`transforms matching applications to kibana privileges`, {
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application,
+              privileges: ['read'],
+              resources: ['*'],
+            },
+            {
+              application,
+              privileges: ['all'],
+              resources: ['*'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: [
+          {
+            name: 'first_role',
+            metadata: {
+              _reserved: true,
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+            elasticsearch: {
+              cluster: [],
+              indices: [],
+              run_as: [],
+            },
+            kibana: [
+              {
+                privileges: ['read'],
+              },
+              {
+                privileges: ['all'],
+              },
+            ],
+            _unrecognized_applications: [],
+          },
+        ],
+      },
+    });
+
+    getRolesTest(`excludes resources other than * from kibana privileges`, {
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application,
+              privileges: ['read'],
+              // Elasticsearch should prevent this from happening
+              resources: [],
+            },
+            {
+              application,
+              privileges: ['read'],
+              resources: ['default', '*'],
+            },
+            {
+              application,
+              privileges: ['read'],
+              resources: ['some-other-space'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: [
+          {
+            name: 'first_role',
+            metadata: {
+              _reserved: true,
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+            elasticsearch: {
+              cluster: [],
+              indices: [],
+              run_as: [],
+            },
+            kibana: [],
+            _unrecognized_applications: [],
+          },
+        ],
+      },
+    });
+
+    getRolesTest(`transforms unrecognized applications`, {
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application: 'kibana-.another-kibana',
+              privileges: ['read'],
+              resources: ['*'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: [
+          {
+            name: 'first_role',
+            metadata: {
+              _reserved: true,
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+            elasticsearch: {
+              cluster: [],
+              indices: [],
+              run_as: [],
+            },
+            kibana: [],
+            _unrecognized_applications: ['kibana-.another-kibana']
+          },
+        ],
+      },
+    });
+  });
+});
+
+describe('GET role', () => {
+  const getRoleTest = (
+    description,
+    {
+      name,
+      preCheckLicenseImpl = (request, reply) => reply(),
+      callWithRequestImpl,
+      asserts,
+    }
+  ) => {
+    test(description, async () => {
+      const mockServer = createMockServer();
+      const pre = jest.fn().mockImplementation(preCheckLicenseImpl);
+      const mockCallWithRequest = jest.fn();
+      if (callWithRequestImpl) {
+        mockCallWithRequest.mockImplementation(callWithRequestImpl);
+      }
+      initGetRolesApi(mockServer, mockCallWithRequest, pre, 'kibana-.kibana');
+      const headers = {
+        authorization: 'foo',
+      };
+
+      const request = {
+        method: 'GET',
+        url: `/api/security/role/${name}`,
+        headers,
+      };
+      const { result, statusCode } = await mockServer.inject(request);
+
+      expect(pre).toHaveBeenCalled();
+      if (callWithRequestImpl) {
+        expect(mockCallWithRequest).toHaveBeenCalledWith(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: headers.authorization,
+            }),
+          }),
+          'shield.getRole',
+          { name }
+        );
+      } else {
+        expect(mockCallWithRequest).not.toHaveBeenCalled();
+      }
+      expect(statusCode).toBe(asserts.statusCode);
+      expect(result).toEqual(asserts.result);
+    });
+  };
+
+  describe('failure', () => {
+    getRoleTest(`returns result of routePreCheckLicense`, {
+      preCheckLicenseImpl: (request, reply) =>
+        reply(Boom.forbidden('test forbidden message')),
+      asserts: {
+        statusCode: 403,
+        result: {
+          error: 'Forbidden',
+          statusCode: 403,
+          message: 'test forbidden message',
+        },
+      },
+    });
+
+    getRoleTest(`returns error from callWithRequest`, {
+      name: 'foo-role',
+      callWithRequestImpl: async () => {
+        throw Boom.notAcceptable('test not acceptable message');
+      },
+      asserts: {
+        statusCode: 406,
+        result: {
+          error: 'Not Acceptable',
+          statusCode: 406,
+          message: 'test not acceptable message',
+        },
+      },
+    });
+  });
+
+  describe('success', () => {
+    getRoleTest(`transforms elasticsearch privileges`, {
+      name: 'first_role',
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: ['manage_watcher'],
+          indices: [
+            {
+              names: ['.kibana*'],
+              privileges: ['read', 'view_index_metadata'],
+            },
+          ],
+          applications: [],
+          run_as: ['other_user'],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: {
+          name: 'first_role',
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+          elasticsearch: {
+            cluster: ['manage_watcher'],
+            indices: [
+              {
+                names: ['.kibana*'],
+                privileges: ['read', 'view_index_metadata'],
+              },
+            ],
+            run_as: ['other_user'],
+          },
+          kibana: [],
+          _unrecognized_applications: [],
+        },
+      },
+    });
+
+    getRoleTest(`transforms matching applications to kibana privileges`, {
+      name: 'first_role',
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application,
+              privileges: ['read'],
+              resources: ['*'],
+            },
+            {
+              application,
+              privileges: ['all'],
+              resources: ['*'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: {
+          name: 'first_role',
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+          elasticsearch: {
+            cluster: [],
+            indices: [],
+            run_as: [],
+          },
+          kibana: [
+            {
+              privileges: ['read'],
+            },
+            {
+              privileges: ['all'],
+            },
+          ],
+          _unrecognized_applications: [],
+        },
+      },
+    });
+
+    getRoleTest(`excludes resources other than * from kibana privileges`, {
+      name: 'first_role',
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application,
+              privileges: ['read'],
+              // Elasticsearch should prevent this from happening
+              resources: [],
+            },
+            {
+              application,
+              privileges: ['read'],
+              resources: ['default', '*'],
+            },
+            {
+              application,
+              privileges: ['read'],
+              resources: ['some-other-space'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: {
+          name: 'first_role',
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+          elasticsearch: {
+            cluster: [],
+            indices: [],
+            run_as: [],
+          },
+          kibana: [],
+          _unrecognized_applications: [],
+        },
+      },
+    });
+
+    getRoleTest(`transforms unrecognized applications`, {
+      name: 'first_role',
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application: 'kibana-.another-kibana',
+              privileges: ['read'],
+              resources: ['*'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: {
+          name: 'first_role',
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+          elasticsearch: {
+            cluster: [],
+            indices: [],
+            run_as: [],
+          },
+          kibana: [],
+          _unrecognized_applications: ['kibana-.another-kibana'],
+        },
+      },
+    });
+  });
+});
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/index.js b/x-pack/plugins/security/server/routes/api/public/roles/index.js
new file mode 100644
index 00000000000000..5425af0a1202d3
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/index.js
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { buildPrivilegeMap } from '../../../../lib/authorization';
+import { getClient } from '../../../../../../../server/lib/get_client_shield';
+import { routePreCheckLicense } from '../../../../lib/route_pre_check_license';
+import { initGetRolesApi } from './get';
+import { initDeleteRolesApi } from './delete';
+import { initPutRolesApi } from './put';
+
+export function initPublicRolesApi(server) {
+  const callWithRequest = getClient(server).callWithRequest;
+  const routePreCheckLicenseFn = routePreCheckLicense(server);
+
+  const { application, actions } = server.plugins.security.authorization;
+  const savedObjectTypes = server.savedObjects.types;
+  const privilegeMap = buildPrivilegeMap(savedObjectTypes, application, actions);
+
+  initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn, application);
+  initPutRolesApi(server, callWithRequest, routePreCheckLicenseFn, privilegeMap, application);
+  initDeleteRolesApi(server, callWithRequest, routePreCheckLicenseFn);
+}
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/put.js b/x-pack/plugins/security/server/routes/api/public/roles/put.js
new file mode 100644
index 00000000000000..123ce128e15099
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/put.js
@@ -0,0 +1,110 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { pick, identity } from 'lodash';
+import Joi from 'joi';
+import { ALL_RESOURCE } from '../../../../../common/constants';
+import { wrapError } from '../../../../lib/errors';
+
+const transformKibanaPrivilegeToEs = (application, kibanaPrivilege) => {
+  return {
+    privileges: kibanaPrivilege.privileges,
+    application,
+    resources: [ALL_RESOURCE],
+  };
+};
+
+const transformRolesToEs = (
+  application,
+  payload,
+  existingApplications = []
+) => {
+  const { elasticsearch = {}, kibana = [] } = payload;
+  const otherApplications = existingApplications.filter(
+    roleApplication => roleApplication.application !== application
+  );
+
+  return pick({
+    metadata: payload.metadata,
+    cluster: elasticsearch.cluster || [],
+    indices: elasticsearch.indices || [],
+    run_as: elasticsearch.run_as || [],
+    applications: [
+      ...kibana.map(kibanaPrivilege =>
+        transformKibanaPrivilegeToEs(application, kibanaPrivilege)
+      ),
+      ...otherApplications,
+    ],
+  }, identity);
+};
+
+export function initPutRolesApi(
+  server,
+  callWithRequest,
+  routePreCheckLicenseFn,
+  privilegeMap,
+  application
+) {
+
+  const schema = Joi.object().keys({
+    metadata: Joi.object().optional(),
+    elasticsearch: Joi.object().keys({
+      cluster: Joi.array().items(Joi.string()),
+      indices: Joi.array().items({
+        names: Joi.array().items(Joi.string()),
+        field_security: Joi.object().keys({
+          grant: Joi.array().items(Joi.string()),
+          except: Joi.array().items(Joi.string()),
+        }),
+        privileges: Joi.array().items(Joi.string()),
+        query: Joi.string().allow(''),
+      }),
+      run_as: Joi.array().items(Joi.string()),
+    }),
+    kibana: Joi.array().items({
+      privileges: Joi.array().items(Joi.string().valid(Object.keys(privilegeMap))),
+    }),
+  });
+
+  server.route({
+    method: 'PUT',
+    path: '/api/security/role/{name}',
+    async handler(request, reply) {
+      const name = request.params.name;
+      try {
+        const existingRoleResponse = await callWithRequest(request, 'shield.getRole', {
+          name,
+          ignore: [404],
+        });
+
+        const body = transformRolesToEs(
+          application,
+          request.payload,
+          existingRoleResponse[name] ? existingRoleResponse[name].applications : []
+        );
+
+        await callWithRequest(request, 'shield.putRole', { name, body });
+        reply().code(204);
+      } catch (err) {
+        reply(wrapError(err));
+      }
+    },
+    config: {
+      validate: {
+        params: Joi.object()
+          .keys({
+            name: Joi.string()
+              .required()
+              .min(1)
+              .max(1024),
+          })
+          .required(),
+        payload: schema,
+      },
+      pre: [routePreCheckLicenseFn],
+    },
+  });
+}
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/put.test.js b/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
new file mode 100644
index 00000000000000..d6c32ce00ac563
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
@@ -0,0 +1,503 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Hapi from 'hapi';
+import Boom from 'boom';
+import { initPutRolesApi } from './put';
+import { ALL_RESOURCE } from '../../../../../common/constants';
+
+const application = 'kibana-.kibana';
+
+const createMockServer = () => {
+  const mockServer = new Hapi.Server({ debug: false });
+  mockServer.connection({ port: 8080 });
+  return mockServer;
+};
+
+const defaultPreCheckLicenseImpl = (request, reply) => reply();
+
+const privilegeMap = {
+  'test-kibana-privilege-1': {},
+  'test-kibana-privilege-2': {},
+  'test-kibana-privilege-3': {},
+};
+
+const putRoleTest = (
+  description,
+  { name, payload, preCheckLicenseImpl, callWithRequestImpls = [], asserts }
+) => {
+  test(description, async () => {
+    const mockServer = createMockServer();
+    const mockPreCheckLicense = jest
+      .fn()
+      .mockImplementation(preCheckLicenseImpl);
+    const mockCallWithRequest = jest.fn();
+    for (const impl of callWithRequestImpls) {
+      mockCallWithRequest.mockImplementationOnce(impl);
+    }
+    initPutRolesApi(
+      mockServer,
+      mockCallWithRequest,
+      mockPreCheckLicense,
+      privilegeMap,
+      application,
+    );
+    const headers = {
+      authorization: 'foo',
+    };
+
+    const request = {
+      method: 'PUT',
+      url: `/api/security/role/${name}`,
+      headers,
+      payload,
+    };
+    const { result, statusCode } = await mockServer.inject(request);
+
+    expect(result).toEqual(asserts.result);
+    expect(statusCode).toBe(asserts.statusCode);
+    if (preCheckLicenseImpl) {
+      expect(mockPreCheckLicense).toHaveBeenCalled();
+    } else {
+      expect(mockPreCheckLicense).not.toHaveBeenCalled();
+    }
+    if (asserts.callWithRequests) {
+      for (const args of asserts.callWithRequests) {
+        expect(mockCallWithRequest).toHaveBeenCalledWith(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: headers.authorization,
+            }),
+          }),
+          ...args
+        );
+      }
+    } else {
+      expect(mockCallWithRequest).not.toHaveBeenCalled();
+    }
+  });
+};
+
+describe('PUT role', () => {
+  describe('failure', () => {
+    putRoleTest(`requires name in params`, {
+      name: '',
+      payload: {},
+      asserts: {
+        statusCode: 404,
+        result: {
+          error: 'Not Found',
+          statusCode: 404,
+        },
+      },
+    });
+
+    putRoleTest(`requires name in params to not exceed 1024 characters`, {
+      name: 'a'.repeat(1025),
+      payload: {},
+      asserts: {
+        statusCode: 400,
+        result: {
+          error: 'Bad Request',
+          message: `child "name" fails because ["name" length must be less than or equal to 1024 characters long]`,
+          statusCode: 400,
+          validation: {
+            keys: ['name'],
+            source: 'params',
+          },
+        },
+      },
+    });
+
+    putRoleTest(`only allows known Kibana privileges`, {
+      name: 'foo-role',
+      payload: {
+        kibana: [
+          {
+            privileges: ['foo']
+          }
+        ]
+      },
+      asserts: {
+        statusCode: 400,
+        result: {
+          error: 'Bad Request',
+          //eslint-disable-next-line max-len
+          message: `child "kibana" fails because ["kibana" at position 0 fails because [child "privileges" fails because ["privileges" at position 0 fails because ["0" must be one of [test-kibana-privilege-1, test-kibana-privilege-2, test-kibana-privilege-3]]]]]`,
+          statusCode: 400,
+          validation: {
+            keys: ['kibana.0.privileges.0'],
+            source: 'payload',
+          },
+        },
+      },
+    });
+
+    putRoleTest(`returns result of routePreCheckLicense`, {
+      name: 'foo-role',
+      payload: {},
+      preCheckLicenseImpl: (request, reply) =>
+        reply(Boom.forbidden('test forbidden message')),
+      asserts: {
+        statusCode: 403,
+        result: {
+          error: 'Forbidden',
+          statusCode: 403,
+          message: 'test forbidden message',
+        },
+      },
+    });
+  });
+
+  describe('success', () => {
+    putRoleTest(`creates empty role`, {
+      name: 'foo-role',
+      payload: {},
+      preCheckLicenseImpl: defaultPreCheckLicenseImpl,
+      callWithRequestImpls: [async () => ({}), async () => {}],
+      asserts: {
+        callWithRequests: [
+          ['shield.getRole', { name: 'foo-role', ignore: [404] }],
+          [
+            'shield.putRole',
+            {
+              name: 'foo-role',
+              body: {
+                cluster: [],
+                indices: [],
+                run_as: [],
+                applications: [],
+              },
+            },
+          ],
+        ],
+        statusCode: 204,
+        result: null,
+      },
+    });
+
+    putRoleTest(`creates role with everything`, {
+      name: 'foo-role',
+      payload: {
+        metadata: {
+          foo: 'test-metadata',
+        },
+        elasticsearch: {
+          cluster: ['test-cluster-privilege'],
+          indices: [
+            {
+              field_security: {
+                grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
+                except: [ 'test-field-security-except-1', 'test-field-security-except-2' ]
+              },
+              names: ['test-index-name-1', 'test-index-name-2'],
+              privileges: ['test-index-privilege-1', 'test-index-privilege-2'],
+              query: `{ "match": { "title": "foo" } }`,
+            },
+          ],
+          run_as: ['test-run-as-1', 'test-run-as-2'],
+        },
+        kibana: [
+          {
+            privileges: ['test-kibana-privilege-1', 'test-kibana-privilege-2'],
+          },
+          {
+            privileges: ['test-kibana-privilege-3'],
+          },
+        ],
+      },
+      preCheckLicenseImpl: defaultPreCheckLicenseImpl,
+      callWithRequestImpls: [async () => ({}), async () => {}],
+      asserts: {
+        callWithRequests: [
+          ['shield.getRole', { name: 'foo-role', ignore: [404] }],
+          [
+            'shield.putRole',
+            {
+              name: 'foo-role',
+              body: {
+                applications: [
+                  {
+                    application,
+                    privileges: [
+                      'test-kibana-privilege-1',
+                      'test-kibana-privilege-2',
+                    ],
+                    resources: [ALL_RESOURCE],
+                  },
+                  {
+                    application,
+                    privileges: ['test-kibana-privilege-3'],
+                    resources: [ALL_RESOURCE],
+                  },
+                ],
+                cluster: ['test-cluster-privilege'],
+                indices: [
+                  {
+                    field_security: {
+                      grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
+                      except: [ 'test-field-security-except-1', 'test-field-security-except-2' ]
+                    },
+                    names: ['test-index-name-1', 'test-index-name-2'],
+                    privileges: [
+                      'test-index-privilege-1',
+                      'test-index-privilege-2',
+                    ],
+                    query: `{ "match": { "title": "foo" } }`,
+                  },
+                ],
+                metadata: { foo: 'test-metadata' },
+                run_as: ['test-run-as-1', 'test-run-as-2'],
+              },
+            },
+          ],
+        ],
+        statusCode: 204,
+        result: null,
+      },
+    });
+
+    putRoleTest(`updates role which has existing kibana privileges`, {
+      name: 'foo-role',
+      payload: {
+        metadata: {
+          foo: 'test-metadata',
+        },
+        elasticsearch: {
+          cluster: ['test-cluster-privilege'],
+          indices: [
+            {
+              field_security: {
+                grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
+                except: [ 'test-field-security-except-1', 'test-field-security-except-2' ]
+              },
+              names: ['test-index-name-1', 'test-index-name-2'],
+              privileges: ['test-index-privilege-1', 'test-index-privilege-2'],
+              query: `{ "match": { "title": "foo" } }`,
+            },
+          ],
+          run_as: ['test-run-as-1', 'test-run-as-2'],
+        },
+        kibana: [
+          {
+            privileges: ['test-kibana-privilege-1', 'test-kibana-privilege-2'],
+          },
+          {
+            privileges: ['test-kibana-privilege-3'],
+          },
+        ],
+      },
+      preCheckLicenseImpl: defaultPreCheckLicenseImpl,
+      callWithRequestImpls: [
+        async () => ({
+          'foo-role': {
+            metadata: {
+              bar: 'old-metadata',
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+            cluster: ['old-cluster-privilege'],
+            indices: [
+              {
+                field_security: {
+                  grant: ['old-field-security-grant-1', 'old-field-security-grant-2'],
+                  except: [ 'old-field-security-except-1', 'old-field-security-except-2' ]
+                },
+                names: ['old-index-name'],
+                privileges: ['old-privilege'],
+                query: `{ "match": { "old-title": "foo" } }`,
+              },
+            ],
+            run_as: ['old-run-as'],
+            applications: [
+              {
+                application,
+                privileges: ['old-kibana-privilege'],
+                resources: ['old-resource'],
+              },
+            ],
+          },
+        }),
+        async () => {},
+      ],
+      asserts: {
+        callWithRequests: [
+          ['shield.getRole', { name: 'foo-role', ignore: [404] }],
+          [
+            'shield.putRole',
+            {
+              name: 'foo-role',
+              body: {
+                applications: [
+                  {
+                    application,
+                    privileges: [
+                      'test-kibana-privilege-1',
+                      'test-kibana-privilege-2',
+                    ],
+                    resources: [ALL_RESOURCE],
+                  },
+                  {
+                    application,
+                    privileges: ['test-kibana-privilege-3'],
+                    resources: [ALL_RESOURCE],
+                  },
+                ],
+                cluster: ['test-cluster-privilege'],
+                indices: [
+                  {
+                    field_security: {
+                      grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
+                      except: [ 'test-field-security-except-1', 'test-field-security-except-2' ]
+                    },
+                    names: ['test-index-name-1', 'test-index-name-2'],
+                    privileges: [
+                      'test-index-privilege-1',
+                      'test-index-privilege-2',
+                    ],
+                    query: `{ "match": { "title": "foo" } }`,
+                  },
+                ],
+                metadata: { foo: 'test-metadata' },
+                run_as: ['test-run-as-1', 'test-run-as-2'],
+              },
+            },
+          ],
+        ],
+        statusCode: 204,
+        result: null,
+      },
+    });
+
+    putRoleTest(
+      `updates role which has existing other application privileges`,
+      {
+        name: 'foo-role',
+        payload: {
+          metadata: {
+            foo: 'test-metadata',
+          },
+          elasticsearch: {
+            cluster: ['test-cluster-privilege'],
+            indices: [
+              {
+                names: ['test-index-name-1', 'test-index-name-2'],
+                privileges: [
+                  'test-index-privilege-1',
+                  'test-index-privilege-2',
+                ],
+              },
+            ],
+            run_as: ['test-run-as-1', 'test-run-as-2'],
+          },
+          kibana: [
+            {
+              privileges: [
+                'test-kibana-privilege-1',
+                'test-kibana-privilege-2',
+              ],
+            },
+            {
+              privileges: ['test-kibana-privilege-3'],
+            },
+          ],
+        },
+        preCheckLicenseImpl: defaultPreCheckLicenseImpl,
+        callWithRequestImpls: [
+          async () => ({
+            'foo-role': {
+              metadata: {
+                bar: 'old-metadata',
+              },
+              transient_metadata: {
+                enabled: true,
+              },
+              cluster: ['old-cluster-privilege'],
+              indices: [
+                {
+                  names: ['old-index-name'],
+                  privileges: ['old-privilege'],
+                },
+              ],
+              run_as: ['old-run-as'],
+              applications: [
+                {
+                  application,
+                  privileges: ['old-kibana-privilege'],
+                  resources: ['old-resource'],
+                },
+                {
+                  application: 'logstash-foo',
+                  privileges: ['logstash-privilege'],
+                  resources: ['logstash-resource'],
+                },
+                {
+                  application: 'beats-foo',
+                  privileges: ['beats-privilege'],
+                  resources: ['beats-resource'],
+                },
+              ],
+            },
+          }),
+          async () => {},
+        ],
+        asserts: {
+          callWithRequests: [
+            ['shield.getRole', { name: 'foo-role', ignore: [404] }],
+            [
+              'shield.putRole',
+              {
+                name: 'foo-role',
+                body: {
+                  applications: [
+                    {
+                      application,
+                      privileges: [
+                        'test-kibana-privilege-1',
+                        'test-kibana-privilege-2',
+                      ],
+                      resources: [ALL_RESOURCE],
+                    },
+                    {
+                      application,
+                      privileges: ['test-kibana-privilege-3'],
+                      resources: [ALL_RESOURCE],
+                    },
+                    {
+                      application: 'logstash-foo',
+                      privileges: ['logstash-privilege'],
+                      resources: ['logstash-resource'],
+                    },
+                    {
+                      application: 'beats-foo',
+                      privileges: ['beats-privilege'],
+                      resources: ['beats-resource'],
+                    },
+                  ],
+                  cluster: ['test-cluster-privilege'],
+                  indices: [
+                    {
+                      names: ['test-index-name-1', 'test-index-name-2'],
+                      privileges: [
+                        'test-index-privilege-1',
+                        'test-index-privilege-2',
+                      ],
+                    },
+                  ],
+                  metadata: { foo: 'test-metadata' },
+                  run_as: ['test-run-as-1', 'test-run-as-2'],
+                },
+              },
+            ],
+          ],
+          statusCode: 204,
+          result: null,
+        },
+      }
+    );
+  });
+});
diff --git a/x-pack/plugins/security/server/routes/api/v1/roles.js b/x-pack/plugins/security/server/routes/api/v1/roles.js
deleted file mode 100644
index 180160cb85a17e..00000000000000
--- a/x-pack/plugins/security/server/routes/api/v1/roles.js
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import _ from 'lodash';
-import Boom from 'boom';
-import { getClient } from '../../../../../../server/lib/get_client_shield';
-import { roleSchema } from '../../../lib/role_schema';
-import { wrapError } from '../../../lib/errors';
-import { routePreCheckLicense } from '../../../lib/route_pre_check_license';
-
-export function initRolesApi(server) {
-  const callWithRequest = getClient(server).callWithRequest;
-  const routePreCheckLicenseFn = routePreCheckLicense(server);
-
-  server.route({
-    method: 'GET',
-    path: '/api/security/v1/roles',
-    handler(request, reply) {
-      return callWithRequest(request, 'shield.getRole').then(
-        (response) => {
-          const roles = _.map(response, (role, name) => _.assign(role, { name }));
-
-          return reply(roles);
-        },
-        _.flow(wrapError, reply)
-      );
-    },
-    config: {
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-
-  server.route({
-    method: 'GET',
-    path: '/api/security/v1/roles/{name}',
-    handler(request, reply) {
-      const name = request.params.name;
-      return callWithRequest(request, 'shield.getRole', { name }).then(
-        (response) => {
-          if (response[name]) return reply(_.assign(response[name], { name }));
-          return reply(Boom.notFound());
-        },
-        _.flow(wrapError, reply));
-    },
-    config: {
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-
-  server.route({
-    method: 'POST',
-    path: '/api/security/v1/roles/{name}',
-    handler(request, reply) {
-      const name = request.params.name;
-      const body = _.omit(request.payload, 'name');
-      return callWithRequest(request, 'shield.putRole', { name, body }).then(
-        () => reply(request.payload),
-        _.flow(wrapError, reply));
-    },
-    config: {
-      validate: {
-        payload: roleSchema
-      },
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-
-  server.route({
-    method: 'DELETE',
-    path: '/api/security/v1/roles/{name}',
-    handler(request, reply) {
-      const name = request.params.name;
-      return callWithRequest(request, 'shield.deleteRole', { name }).then(
-        () => reply().code(204),
-        _.flow(wrapError, reply));
-    },
-    config: {
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-}
diff --git a/x-pack/test/api_integration/apis/security/index.js b/x-pack/test/api_integration/apis/security/index.js
index 08d020da311f48..ff3e5b33e832b7 100644
--- a/x-pack/test/api_integration/apis/security/index.js
+++ b/x-pack/test/api_integration/apis/security/index.js
@@ -7,5 +7,6 @@
 export default function ({ loadTestFile }) {
   describe('security', () => {
     loadTestFile(require.resolve('./basic_login'));
+    loadTestFile(require.resolve('./roles'));
   });
 }
diff --git a/x-pack/test/api_integration/apis/security/roles.js b/x-pack/test/api_integration/apis/security/roles.js
new file mode 100644
index 00000000000000..f77ea88bde2c8a
--- /dev/null
+++ b/x-pack/test/api_integration/apis/security/roles.js
@@ -0,0 +1,221 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+
+export default function ({ getService }) {
+  const es = getService('es');
+  const supertest = getService('supertest');
+
+  describe('Roles', () => {
+    describe('Create Role', () => {
+      it('should allow us to create an empty role', async () => {
+        await supertest.put('/api/security/role/empty_role')
+          .set('kbn-xsrf', 'xxx')
+          .send({})
+          .expect(204);
+      });
+
+      it('should create a role with kibana and elasticsearch privileges', async () => {
+        await supertest.put('/api/security/role/role_with_privileges')
+          .set('kbn-xsrf', 'xxx')
+          .send({
+            metadata: {
+              foo: 'test-metadata',
+            },
+            elasticsearch: {
+              cluster: ['manage'],
+              indices: [
+                {
+                  field_security: {
+                    grant: ['*'],
+                    except: [ 'geo.*' ]
+                  },
+                  names: ['logstash-*'],
+                  privileges: ['read', 'view_index_metadata'],
+                  query: `{ "match": { "geo.src": "CN" } }`,
+                },
+              ],
+              run_as: ['watcher_user'],
+            },
+            kibana: [
+              {
+                privileges: ['all'],
+              },
+              {
+                privileges: ['read'],
+              },
+            ],
+          })
+          .expect(204);
+
+        const role = await es.shield.getRole({ name: 'role_with_privileges' });
+        expect(role).to.eql({
+          role_with_privileges: {
+            cluster: ['manage'],
+            indices: [
+              {
+                names: ['logstash-*'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: {
+                  grant: ['*'],
+                  except: [ 'geo.*' ]
+                },
+                query: `{ "match": { "geo.src": "CN" } }`,
+              },
+            ],
+            applications: [
+              {
+                application: 'kibana-.kibana',
+                privileges: ['all'],
+                resources: ['*'],
+              },
+              {
+                application: 'kibana-.kibana',
+                privileges: ['read'],
+                resources: ['*'],
+              }
+            ],
+            run_as: ['watcher_user'],
+            metadata: {
+              foo: 'test-metadata',
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+          }
+        });
+      });
+    });
+
+    describe('Update Role', () => {
+      it('should update a role with elasticsearch, kibana and other applications privileges', async () => {
+        await es.shield.putRole({
+          name: 'role_to_update',
+          body: {
+            cluster: ['monitor'],
+            indices: [
+              {
+                names: ['beats-*'],
+                privileges: ['write'],
+                field_security: {
+                  grant: [ 'request.*' ],
+                  except: [ 'response.*' ]
+                },
+                query: `{ "match": { "host.name": "localhost" } }`,
+              },
+            ],
+            applications: [
+              {
+                application: 'kibana-.kibana',
+                privileges: ['read'],
+                resources: ['*'],
+              },
+              {
+                application: 'logstash-default',
+                privileges: ['logstash-privilege'],
+                resources: ['*'],
+              },
+            ],
+            run_as: ['reporting_user'],
+            metadata: {
+              bar: 'old-metadata',
+            },
+          }
+        });
+
+        await supertest.put('/api/security/role/role_to_update')
+          .set('kbn-xsrf', 'xxx')
+          .send({
+            metadata: {
+              foo: 'test-metadata',
+            },
+            elasticsearch: {
+              cluster: ['manage'],
+              indices: [
+                {
+                  field_security: {
+                    grant: ['*'],
+                    except: [ 'geo.*' ]
+                  },
+                  names: ['logstash-*'],
+                  privileges: ['read', 'view_index_metadata'],
+                  query: `{ "match": { "geo.src": "CN" } }`,
+                },
+              ],
+              run_as: ['watcher_user'],
+            },
+            kibana: [
+              {
+                privileges: ['all'],
+              },
+              {
+                privileges: ['read'],
+              },
+            ],
+          })
+          .expect(204);
+
+        const role = await es.shield.getRole({ name: 'role_to_update' });
+        expect(role).to.eql({
+          role_to_update: {
+            cluster: ['manage'],
+            indices: [
+              {
+                names: ['logstash-*'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: {
+                  grant: ['*'],
+                  except: [ 'geo.*' ]
+                },
+                query: `{ "match": { "geo.src": "CN" } }`,
+              },
+            ],
+            applications: [
+              {
+                application: 'kibana-.kibana',
+                privileges: ['all'],
+                resources: ['*'],
+              },
+              {
+                application: 'kibana-.kibana',
+                privileges: ['read'],
+                resources: ['*'],
+              },
+              {
+                application: 'logstash-default',
+                privileges: ['logstash-privilege'],
+                resources: ['*'],
+              },
+            ],
+            run_as: ['watcher_user'],
+            metadata: {
+              foo: 'test-metadata',
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+          }
+        });
+      });
+    });
+
+    describe('Delete Role', () => {
+      it('should delete the three roles we created', async () => {
+        await supertest.delete('/api/security/role/empty_role').set('kbn-xsrf', 'xxx').expect(204);
+        await supertest.delete('/api/security/role/role_with_privileges').set('kbn-xsrf', 'xxx').expect(204);
+        await supertest.delete('/api/security/role/role_to_update').set('kbn-xsrf', 'xxx').expect(204);
+
+        const emptyRole = await es.shield.getRole({ name: 'empty_role', ignore: [404] });
+        expect(emptyRole).to.eql({});
+        const roleWithPrivileges = await es.shield.getRole({ name: 'role_with_privileges', ignore: [404] });
+        expect(roleWithPrivileges).to.eql({});
+        const roleToUpdate = await es.shield.getRole({ name: 'role_to_update', ignore: [404] });
+        expect(roleToUpdate).to.eql({});
+      });
+    });
+  });
+}
diff --git a/x-pack/test/api_integration/config.js b/x-pack/test/api_integration/config.js
index ac1d8225e294e8..3368562972cb8a 100644
--- a/x-pack/test/api_integration/config.js
+++ b/x-pack/test/api_integration/config.js
@@ -5,6 +5,7 @@
  */
 
 import {
+  EsProvider,
   EsSupertestWithoutAuthProvider,
   SupertestWithoutAuthProvider,
   UsageAPIProvider,
@@ -24,7 +25,7 @@ export default async function ({ readConfigFile }) {
       esSupertest: kibanaAPITestsConfig.get('services.esSupertest'),
       supertestWithoutAuth: SupertestWithoutAuthProvider,
       esSupertestWithoutAuth: EsSupertestWithoutAuthProvider,
-      es: kibanaCommonConfig.get('services.es'),
+      es: EsProvider,
       esArchiver: kibanaCommonConfig.get('services.esArchiver'),
       usageAPI: UsageAPIProvider,
       kibanaServer: kibanaCommonConfig.get('services.kibanaServer'),
diff --git a/x-pack/test/api_integration/services/es.js b/x-pack/test/api_integration/services/es.js
new file mode 100644
index 00000000000000..420541fa7ec5f6
--- /dev/null
+++ b/x-pack/test/api_integration/services/es.js
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { format as formatUrl } from 'url';
+
+import elasticsearch from 'elasticsearch';
+import shieldPlugin from '../../../server/lib/esjs_shield_plugin';
+
+export function EsProvider({ getService }) {
+  const config = getService('config');
+
+  return new elasticsearch.Client({
+    host: formatUrl(config.get('servers.elasticsearch')),
+    requestTimeout: config.get('timeouts.esRequestTimeout'),
+    plugins: [shieldPlugin]
+  });
+}
diff --git a/x-pack/test/api_integration/services/index.js b/x-pack/test/api_integration/services/index.js
index 9caab94932a1c1..2ae5ceef22496f 100644
--- a/x-pack/test/api_integration/services/index.js
+++ b/x-pack/test/api_integration/services/index.js
@@ -4,6 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+export { EsProvider } from './es';
 export { EsSupertestWithoutAuthProvider } from './es_supertest_without_auth';
 export { SupertestWithoutAuthProvider } from './supertest_without_auth';
 export { UsageAPIProvider } from './usage_api';
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
index 2c11949d8bb473..013c0df3436019 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
@@ -6,65 +6,49 @@
 
 import { AUTHENTICATION } from "./lib/authentication";
 
-const application = 'kibana-.kibana';
 export default function ({ loadTestFile, getService }) {
   const es = getService('es');
+  const supertest = getService('supertest');
 
   describe('saved_objects', () => {
     before(async () => {
-      await es.shield.putRole({
-        name: 'kibana_legacy_user',
-        body: {
-          cluster: [],
-          index: [{
-            names: ['.kibana'],
-            privileges: ['manage', 'read', 'index', 'delete']
-          }],
-          applications: []
-        }
-      });
+      await supertest.put('/api/security/role/kibana_legacy_user')
+        .send({
+          elasticsearch: {
+            indices: [{
+              names: ['.kibana'],
+              privileges: ['manage', 'read', 'index', 'delete']
+            }]
+          }
+        });
 
-      await es.shield.putRole({
-        name: 'kibana_legacy_dashboard_only_user',
-        body: {
-          cluster: [],
-          index: [{
-            names: ['.kibana'],
-            privileges: ['read', 'view_index_metadata']
-          }],
-          applications: []
-        }
-      });
+      await supertest.put('/api/security/role/kibana_legacy_dashboard_only_user')
+        .send({
+          elasticsearch: {
+            indices: [{
+              names: ['.kibana'],
+              privileges: ['read', 'view_index_metadata']
+            }]
+          }
+        });
 
-      await es.shield.putRole({
-        name: 'kibana_rbac_user',
-        body: {
-          cluster: [],
-          index: [],
-          applications: [
+      await supertest.put('/api/security/role/kibana_rbac_user')
+        .send({
+          kibana: [
             {
-              application,
-              privileges: [ 'all' ],
-              resources: [ '*' ]
+              privileges: ['all']
             }
           ]
-        }
-      });
+        });
 
-      await es.shield.putRole({
-        name: 'kibana_rbac_dashboard_only_user',
-        body: {
-          cluster: [],
-          index: [],
-          applications: [
+      await supertest.put('/api/security/role/kibana_rbac_dashboard_only_user')
+        .send({
+          kibana: [
             {
-              application,
-              privileges: [ 'read' ],
-              resources: [ '*' ]
+              privileges: ['read']
             }
           ]
-        }
-      });
+        });
 
       await es.shield.putUser({
         username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,

From 36f4b2ff98f7b451e45e20fa81e9da400cb759be Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Fri, 13 Jul 2018 12:39:05 -0400
Subject: [PATCH 081/183] Adding setting to allow the user to turn off the
 legacy fallback (#20766)

---
 x-pack/plugins/security/index.js              |  5 ++
 .../lib/authorization/check_privileges.js     | 10 ++-
 .../authorization/check_privileges.test.js    | 80 +++++++++++++++++--
 3 files changed, 88 insertions(+), 7 deletions(-)

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index f0c76daf393a3e..b86489171ff269 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -42,6 +42,11 @@ export const security = (kibana) => new kibana.Plugin({
         hostname: Joi.string().hostname(),
         port: Joi.number().integer().min(0).max(65535)
       }).default(),
+      authorization: Joi.object({
+        legacyFallback: Joi.object({
+          enabled: Joi.boolean().default(true)
+        }).default()
+      }).default(),
       audit: Joi.object({
         enabled: Joi.boolean().default(false)
       }).default(),
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
index 2f5c58293d15f2..b12658708f2d37 100644
--- a/x-pack/plugins/security/server/lib/authorization/check_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
@@ -32,6 +32,10 @@ export function checkPrivilegesWithRequestFactory(shieldClient, config, actions,
     return Object.values(applicationPrivilegesResponse).every(val => val === false);
   };
 
+  const isLegacyFallbackEnabled = () => {
+    return config.get('xpack.security.authorization.legacyFallback.enabled');
+  };
+
   const hasLegacyPrivileges = (indexPrivilegesResponse) => {
     return Object.values(indexPrivilegesResponse).includes(true);
   };
@@ -41,7 +45,11 @@ export function checkPrivilegesWithRequestFactory(shieldClient, config, actions,
       return CHECK_PRIVILEGES_RESULT.AUTHORIZED;
     }
 
-    if (hasNoApplicationPrivileges(applicationPrivilegesResponse) && hasLegacyPrivileges(indexPrivilegesResponse)) {
+    if (
+      isLegacyFallbackEnabled() &&
+      hasNoApplicationPrivileges(applicationPrivilegesResponse) &&
+      hasLegacyPrivileges(indexPrivilegesResponse)
+    ) {
       return CHECK_PRIVILEGES_RESULT.LEGACY;
     }
 
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
index a64110515e803c..510ec3e4852b72 100644
--- a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
@@ -19,7 +19,7 @@ const mockActions = {
   version: 'mock-action:version',
 };
 
-const createMockConfig = ({ settings = {} } = {}) => {
+const createMockConfig = (settings = {}) => {
   const mockConfig = {
     get: jest.fn()
   };
@@ -27,13 +27,13 @@ const createMockConfig = ({ settings = {} } = {}) => {
   const defaultSettings = {
     'pkg.version': defaultVersion,
     'kibana.index': defaultKibanaIndex,
+    'xpack.security.authorization.legacyFallback.enabled': true,
   };
 
   mockConfig.get.mockImplementation(key => {
     return key in settings ? settings[key] : defaultSettings[key];
   });
 
-
   return mockConfig;
 };
 
@@ -49,6 +49,7 @@ const createMockShieldClient = (response) => {
 
 const checkPrivilegesTest = (
   description, {
+    settings,
     privileges,
     applicationPrivilegesResponse,
     indexPrivilegesResponse,
@@ -58,7 +59,7 @@ const checkPrivilegesTest = (
 
   test(description, async () => {
     const username = 'foo-username';
-    const mockConfig = createMockConfig();
+    const mockConfig = createMockConfig(settings);
     const mockShieldClient = createMockShieldClient({
       username,
       application: {
@@ -252,7 +253,7 @@ describe(`with index privileges`, () => {
     }
   });
 
-  checkPrivilegesTest('returns legacy and missing login when checking missing login action', {
+  checkPrivilegesTest('returns legacy and missing login when checking missing login action and fallback is enabled', {
     username: 'foo-username',
     privileges: [
       mockActions.login
@@ -269,7 +270,27 @@ describe(`with index privileges`, () => {
     }
   });
 
-  checkPrivilegesTest('returns legacy and missing version if checking missing version action', {
+  checkPrivilegesTest('returns unauthorized and missing login when checking missing login action and fallback is disabled', {
+    settings: {
+      'xpack.security.authorization.legacyFallback.enabled': false,
+    },
+    username: 'foo-username',
+    privileges: [
+      mockActions.login
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: false,
+      [mockActions.version]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username: 'foo-username',
+      missing: [mockActions.login],
+    }
+  });
+
+  checkPrivilegesTest('returns legacy and missing version if checking missing version action and fallback is enabled', {
     username: 'foo-username',
     privileges: [
       mockActions.version
@@ -286,6 +307,26 @@ describe(`with index privileges`, () => {
     }
   });
 
+  checkPrivilegesTest('returns unauthorized and missing version if checking missing version action and fallback is disabled', {
+    settings: {
+      'xpack.security.authorization.legacyFallback.enabled': false,
+    },
+    username: 'foo-username',
+    privileges: [
+      mockActions.version
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: false,
+      [mockActions.version]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username: 'foo-username',
+      missing: [mockActions.version],
+    }
+  });
+
   checkPrivilegesTest('throws error if missing version privilege and has login privilege', {
     username: 'foo-username',
     privileges: [
@@ -303,7 +344,7 @@ describe(`with index privileges`, () => {
 
 describe('with no application privileges', () => {
   ['create', 'delete', 'read', 'view_index_metadata'].forEach(indexPrivilege => {
-    checkPrivilegesTest(`returns legacy if they have ${indexPrivilege} privilege on the kibana index`, {
+    checkPrivilegesTest(`returns legacy if they have ${indexPrivilege} privilege on the kibana index and fallback is enabled`, {
       username: 'foo-username',
       privileges: [
         `action:saved_objects/${savedObjectTypes[0]}/get`
@@ -326,6 +367,33 @@ describe('with no application privileges', () => {
         missing: [`action:saved_objects/${savedObjectTypes[0]}/get`],
       }
     });
+
+    checkPrivilegesTest(`returns unauthorized if they have ${indexPrivilege} privilege on the kibana index and fallback is disabled`, {
+      settings: {
+        'xpack.security.authorization.legacyFallback.enabled': false,
+      },
+      username: 'foo-username',
+      privileges: [
+        `action:saved_objects/${savedObjectTypes[0]}/get`
+      ],
+      applicationPrivilegesResponse: {
+        [mockActions.version]: false,
+        [mockActions.login]: false,
+        [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+      },
+      indexPrivilegesResponse: {
+        create: false,
+        delete: false,
+        read: false,
+        view_index_metadata: false,
+        [indexPrivilege]: true
+      },
+      expectedResult: {
+        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+        username: 'foo-username',
+        missing: [`action:saved_objects/${savedObjectTypes[0]}/get`],
+      }
+    });
   });
 });
 

From b6d9ec2c8e056e088b0457e09b7900f2f6e564e1 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Fri, 20 Jul 2018 12:15:36 -0400
Subject: [PATCH 082/183] [Spaces] - Update Roles screen to use public API
 (#21031)

This PR updates the new Role Management screen to use the public role API introduced as part of https://github.com/elastic/kibana/pull/20732.

Additionally, this updates the breadcrumb nav for Spaces and Role management screens to be consistent with the nav introduced in https://github.com/elastic/kibana/pull/20739.

There are a couple of visual glitches in this PR which are a result of current defects on master, so they can be safely ignored for the time being.
---
 x-pack/plugins/security/public/lib/api.js     |  2 +-
 .../security/public/objects/lib/roles.js      |  6 +-
 .../__snapshots__/page_header.test.js.snap    | 15 ----
 .../edit_role/components/edit_role_page.js    |  8 +-
 .../edit_role/components/page_header.js       | 35 ---------
 .../edit_role/components/page_header.test.js  | 32 --------
 .../elasticsearch_privileges.test.js.snap     | 16 ++--
 .../privileges/cluster_privileges.js          |  4 +-
 .../privileges/cluster_privileges.test.js     |  4 +-
 .../privileges/elasticsearch_privileges.js    | 19 +++--
 .../elasticsearch_privileges.test.js          | 26 ++++---
 .../components/privileges/index_privileges.js | 25 ++++--
 .../privileges/index_privileges.test.js       | 32 ++++----
 .../privileges/kibana_privileges.js           | 14 ++--
 .../views/management/edit_role/edit_role.html |  4 +-
 .../views/management/edit_role/index.js       | 66 +++++++---------
 .../__snapshots__/validate_role.test.js.snap  |  2 +-
 .../lib/get_application_privileges.js         | 38 +++++++---
 .../management/edit_role/lib/validate_role.js |  6 +-
 .../edit_role/lib/validate_role.test.js       | 26 ++++---
 .../__snapshots__/page_header.test.js.snap    | 15 ----
 .../views/management/components/index.js      |  1 -
 .../management/components/page_header.js      | 35 ---------
 .../management/components/page_header.test.js | 33 --------
 .../edit_space/manage_space_page.js           |  4 +-
 .../public/views/management/page_routes.js    | 76 +++++++++----------
 .../spaces_grid/spaces_grid_page.js           |  4 +-
 .../public/views/management/template.html     |  4 +-
 28 files changed, 213 insertions(+), 339 deletions(-)
 delete mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/page_header.test.js.snap
 delete mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/page_header.js
 delete mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/page_header.test.js
 delete mode 100644 x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap
 delete mode 100644 x-pack/plugins/spaces/public/views/management/components/page_header.js
 delete mode 100644 x-pack/plugins/spaces/public/views/management/components/page_header.test.js

diff --git a/x-pack/plugins/security/public/lib/api.js b/x-pack/plugins/security/public/lib/api.js
index 908a0ceaf31035..a41afcc0d4a3f8 100644
--- a/x-pack/plugins/security/public/lib/api.js
+++ b/x-pack/plugins/security/public/lib/api.js
@@ -6,7 +6,7 @@
 import chrome from 'ui/chrome';
 
 const usersUrl = chrome.addBasePath('/api/security/v1/users');
-const rolesUrl = chrome.addBasePath('/api/security/v1/roles');
+const rolesUrl = chrome.addBasePath('/api/security/role');
 
 export const createApiClient = (httpClient) => {
   return {
diff --git a/x-pack/plugins/security/public/objects/lib/roles.js b/x-pack/plugins/security/public/objects/lib/roles.js
index 5fdd95a7ccb64e..7f0bbdbb30dc5f 100644
--- a/x-pack/plugins/security/public/objects/lib/roles.js
+++ b/x-pack/plugins/security/public/objects/lib/roles.js
@@ -4,11 +4,13 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 import chrome from 'ui/chrome';
+import { omit } from 'lodash';
 
-const apiBase = chrome.addBasePath(`/api/security/v1/roles`);
+const apiBase = chrome.addBasePath(`/api/security/role`);
 
 export async function saveRole($http, role) {
-  return await $http.post(`${apiBase}/${role.name}`, role);
+  const data = omit(role, 'name', 'transient_metadata', '_unrecognized_applications');
+  return await $http.put(`${apiBase}/${role.name}`, data);
 }
 
 export async function deleteRole($http, name) {
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/page_header.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/page_header.test.js.snap
deleted file mode 100644
index 628a5c068f83a0..00000000000000
--- a/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/page_header.test.js.snap
+++ /dev/null
@@ -1,15 +0,0 @@
-// Jest Snapshot v1, https://goo.gl/fbAQLP
-
-exports[`it renders without crashing 1`] = `
-<div>
-  <EuiBreadcrumbs
-    breadcrumbs={Array []}
-    max={5}
-    responsive={true}
-    truncate={true}
-  />
-  <EuiSpacer
-    size="l"
-  />
-</div>
-`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.js b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.js
index 13cd7a4f1823b8..6beb467f06f5ce 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.js
@@ -20,7 +20,6 @@ import {
   EuiFlexItem,
   EuiButton,
 } from '@elastic/eui';
-import { PageHeader } from './page_header';
 import { saveRole, deleteRole } from '../../../../objects';
 import { isReservedRole } from '../../../../lib/role';
 import { RoleValidator } from '../lib/validate_role';
@@ -36,7 +35,6 @@ export class EditRolePage extends Component {
     indexPatterns: PropTypes.array.isRequired,
     httpClient: PropTypes.func.isRequired,
     rbacEnabled: PropTypes.bool.isRequired,
-    rbacApplication: PropTypes.string,
     allowDocumentLevelSecurity: PropTypes.bool.isRequired,
     allowFieldLevelSecurity: PropTypes.bool.isRequired,
     kibanaAppPrivileges: PropTypes.array.isRequired,
@@ -55,7 +53,6 @@ export class EditRolePage extends Component {
   render() {
     return (
       <EuiPage className="editRolePage">
-        <PageHeader breadcrumbs={this.props.breadcrumbs} />
         <EuiForm {...this.state.formError}>
           {this.getFormTitle()}
 
@@ -172,7 +169,6 @@ export class EditRolePage extends Component {
         <EuiSpacer />
         <KibanaPrivileges
           kibanaAppPrivileges={this.props.kibanaAppPrivileges}
-          rbacApplication={this.props.rbacApplication}
           role={this.state.role}
           onChange={this.onRoleChange}
         />
@@ -237,8 +233,8 @@ export class EditRolePage extends Component {
         ...this.state.role
       };
 
-      role.indices = role.indices.filter(i => !this.isPlaceholderPrivilege(i));
-      role.indices.forEach((index) => index.query || delete index.query);
+      role.elasticsearch.indices = role.elasticsearch.indices.filter(i => !this.isPlaceholderPrivilege(i));
+      role.elasticsearch.indices.forEach((index) => index.query || delete index.query);
 
       saveRole(httpClient, role)
         .then(() => {
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/page_header.js b/x-pack/plugins/security/public/views/management/edit_role/components/page_header.js
deleted file mode 100644
index 87aac824908179..00000000000000
--- a/x-pack/plugins/security/public/views/management/edit_role/components/page_header.js
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React, { Component } from 'react';
-import PropTypes from 'prop-types';
-
-import {
-  EuiBreadcrumbs,
-  EuiSpacer,
-} from '@elastic/eui';
-
-export class PageHeader extends Component {
-  render() {
-    return (
-      <div>
-        <EuiBreadcrumbs breadcrumbs={this.props.breadcrumbs.map(this.buildBreadcrumb)} />
-        <EuiSpacer />
-      </div>
-    );
-  }
-
-  buildBreadcrumb = (breadcrumb) => {
-    return {
-      text: breadcrumb.display,
-      href: breadcrumb.href,
-    };
-  }
-}
-
-PageHeader.propTypes = {
-  breadcrumbs: PropTypes.array.isRequired
-};
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/page_header.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/page_header.test.js
deleted file mode 100644
index 99f6994ea98981..00000000000000
--- a/x-pack/plugins/security/public/views/management/edit_role/components/page_header.test.js
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React from 'react';
-import { shallow, mount } from 'enzyme';
-import { PageHeader } from './page_header';
-import { EuiBreadcrumbs } from '@elastic/eui';
-
-test('it renders without crashing', () => {
-  const wrapper = shallow(<PageHeader breadcrumbs={[]} />);
-  expect(wrapper.find(EuiBreadcrumbs)).toHaveLength(1);
-  expect(wrapper).toMatchSnapshot();
-});
-
-test('it renders breadcrumbs', () => {
-  const breadcrumbs = [{
-    display: 'item-1',
-    href: '#item-1',
-  }, {
-    display: 'item-2',
-    href: '#item-2',
-  }, {
-    display: 'item-3',
-    href: '#item-3',
-  }];
-
-  const wrapper = mount(<PageHeader breadcrumbs={breadcrumbs} />);
-  expect(wrapper.find(EuiBreadcrumbs)).toHaveLength(1);
-});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap
index dfc6b43dff6364..cfb36fa9580903 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap
@@ -39,9 +39,11 @@ exports[`it renders without crashing 1`] = `
           onChange={[Function]}
           role={
             Object {
-              "cluster": Array [],
-              "indices": Array [],
-              "run_as": Array [],
+              "elasticsearch": Object {
+                "cluster": Array [],
+                "indices": Array [],
+                "run_as": Array [],
+              },
             }
           }
         />
@@ -129,9 +131,11 @@ exports[`it renders without crashing 1`] = `
       onChange={[MockFunction]}
       role={
         Object {
-          "cluster": Array [],
-          "indices": Array [],
-          "run_as": Array [],
+          "elasticsearch": Object {
+            "cluster": Array [],
+            "indices": Array [],
+            "run_as": Array [],
+          },
         }
       }
       validator={
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.js
index e67ddd16a7fb3c..400e674f3ca7a2 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.js
@@ -41,7 +41,7 @@ export class ClusterPrivileges extends Component {
       label: i
     }));
 
-    const selectionMap = (role.cluster || [])
+    const selectionMap = (role.elasticsearch.cluster || [])
       .map(k => ({ [k]: true }))
       .reduce((acc, o) => ({ ...acc, ...o }), {});
 
@@ -58,7 +58,7 @@ export class ClusterPrivileges extends Component {
   };
 
   onClusterPrivilegesChange = (privilege) => {
-    const { cluster } = this.props.role;
+    const { cluster } = this.props.role.elasticsearch;
     const indexOfExistingPrivilege = cluster.indexOf(privilege);
 
     const shouldRemove = indexOfExistingPrivilege >= 0;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.test.js
index f75cf0ade71a9f..20bb0846e5b1c8 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.test.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.test.js
@@ -10,11 +10,11 @@ import { ClusterPrivileges } from './cluster_privileges';
 import { EuiCheckboxGroup } from '@elastic/eui';
 
 test('it renders without crashing', () => {
-  const wrapper = shallow(<ClusterPrivileges role={{}} onChange={jest.fn()} />);
+  const wrapper = shallow(<ClusterPrivileges role={{ elasticsearch: {} }} onChange={jest.fn()} />);
   expect(wrapper).toMatchSnapshot();
 });
 
 test('it renders 2 checkbox groups of privileges', () => {
-  const wrapper = mount(<ClusterPrivileges role={{}} onChange={jest.fn()} />);
+  const wrapper = mount(<ClusterPrivileges role={{ elasticsearch: {} }} onChange={jest.fn()} />);
   expect(wrapper.find(EuiCheckboxGroup)).toHaveLength(2);
 });
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.js
index a0c6eca6f0c6e7..2a71803a7a2145 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.js
@@ -94,7 +94,7 @@ export class ElasticsearchPrivileges extends Component {
             <EuiComboBox
               placeholder={this.props.editable ? 'Add a user...' : null}
               options={this.props.runAsUsers.map(username => ({ id: username, label: username }))}
-              selectedOptions={this.props.role.run_as.map(u => ({ label: u }))}
+              selectedOptions={this.props.role.elasticsearch.run_as.map(u => ({ label: u }))}
               onChange={this.onRunAsUserChange}
               isDisabled={!this.props.editable}
             />
@@ -129,7 +129,7 @@ export class ElasticsearchPrivileges extends Component {
   addIndexPrivilege = () => {
     const { role } = this.props;
 
-    const newIndices = [...role.indices, {
+    const newIndices = [...role.elasticsearch.indices, {
       names: [],
       privileges: [],
       field_security: {
@@ -139,14 +139,20 @@ export class ElasticsearchPrivileges extends Component {
 
     this.props.onChange({
       ...this.props.role,
-      indices: newIndices
+      elasticsearch: {
+        ...this.props.role.elasticsearch,
+        indices: newIndices
+      }
     });
   };
 
   onClusterPrivilegesChange = (cluster) => {
     const role = {
       ...this.props.role,
-      cluster
+      elasticsearch: {
+        ...this.props.role.elasticsearch,
+        cluster,
+      },
     };
 
     this.props.onChange(role);
@@ -155,7 +161,10 @@ export class ElasticsearchPrivileges extends Component {
   onRunAsUserChange = (users) => {
     const role = {
       ...this.props.role,
-      run_as: users.map(u => u.label)
+      elasticsearch: {
+        ...this.props.role.elasticsearch,
+        run_as: users.map(u => u.label),
+      },
     };
 
     this.props.onChange(role);
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.test.js
index 7a2af5723e543d..fdcec4223e708d 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.test.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.test.js
@@ -14,9 +14,11 @@ import { RoleValidator } from '../../lib/validate_role';
 test('it renders without crashing', () => {
   const props = {
     role: {
-      cluster: [],
-      indices: [],
-      run_as: []
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
     },
     editable: true,
     httpClient: jest.fn(),
@@ -34,9 +36,11 @@ test('it renders without crashing', () => {
 test('it renders ClusterPrivileges', () => {
   const props = {
     role: {
-      cluster: [],
-      indices: [],
-      run_as: []
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
     },
     editable: true,
     httpClient: jest.fn(),
@@ -54,9 +58,11 @@ test('it renders ClusterPrivileges', () => {
 test('it renders IndexPrivileges', () => {
   const props = {
     role: {
-      cluster: [],
-      indices: [],
-      run_as: []
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
     },
     editable: true,
     httpClient: jest.fn(),
@@ -69,4 +75,4 @@ test('it renders IndexPrivileges', () => {
   };
   const wrapper = mount(<ElasticsearchPrivileges {...props} />);
   expect(wrapper.find(IndexPrivileges)).toHaveLength(1);
-});
\ No newline at end of file
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.js
index cb72ecd7aa4bfd..601c855c760769 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.js
@@ -26,11 +26,11 @@ export class IndexPrivileges extends Component {
   }
 
   componentDidMount() {
-    this.loadAvailableFields(this.props.role.indices);
+    this.loadAvailableFields(this.props.role.elasticsearch.indices);
   }
 
   render() {
-    const { indices = [] } = this.props.role;
+    const { indices = [] } = this.props.role.elasticsearch;
 
     const {
       indexPatterns,
@@ -67,7 +67,7 @@ export class IndexPrivileges extends Component {
   addIndexPrivilege = () => {
     const { role } = this.props;
 
-    const newIndices = [...role.indices, {
+    const newIndices = [...role.elasticsearch.indices, {
       names: [],
       privileges: [],
       field_security: {
@@ -77,21 +77,27 @@ export class IndexPrivileges extends Component {
 
     this.props.onChange({
       ...this.props.role,
-      indices: newIndices
+      elasticsearch: {
+        ...this.props.role.elasticsearch,
+        indices: newIndices,
+      },
     });
   };
 
   onIndexPrivilegeChange = (privilegeIndex) => {
     return (updatedPrivilege) => {
       const { role } = this.props;
-      const { indices } = role;
+      const { indices } = role.elasticsearch;
 
       const newIndices = [...indices];
       newIndices[privilegeIndex] = updatedPrivilege;
 
       this.props.onChange({
         ...this.props.role,
-        indices: newIndices
+        elasticsearch: {
+          ...this.props.role.elasticsearch,
+          indices: newIndices,
+        },
       });
 
       this.loadAvailableFields(newIndices);
@@ -102,12 +108,15 @@ export class IndexPrivileges extends Component {
     return () => {
       const { role } = this.props;
 
-      const newIndices = [...role.indices];
+      const newIndices = [...role.elasticsearch.indices];
       newIndices.splice(privilegeIndex, 1);
 
       this.props.onChange({
         ...this.props.role,
-        indices: newIndices
+        elasticsearch: {
+          ...this.props.role.elasticsearch,
+          indices: newIndices
+        },
       });
     };
   }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.test.js
index 221d301ceef0f3..3a4fb950e555d5 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.test.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.test.js
@@ -13,9 +13,11 @@ import { RoleValidator } from '../../lib/validate_role';
 test('it renders without crashing', () => {
   const props = {
     role: {
-      cluster: [],
-      indices: [],
-      run_as: []
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
     },
     httpClient: jest.fn(),
     onChange: jest.fn(),
@@ -31,16 +33,18 @@ test('it renders without crashing', () => {
 test('it renders a IndexPrivilegeForm for each privilege on the role', () => {
   const props = {
     role: {
-      cluster: [],
-      indices: [{
-        names: ['foo*'],
-        privileges: ['all'],
-        query: '*',
-        field_security: {
-          grant: ['some_field']
-        }
-      }],
-      run_as: []
+      elasticsearch: {
+        cluster: [],
+        indices: [{
+          names: ['foo*'],
+          privileges: ['all'],
+          query: '*',
+          field_security: {
+            grant: ['some_field']
+          }
+        }],
+        run_as: [],
+      },
     },
     httpClient: jest.fn(),
     onChange: jest.fn(),
@@ -51,4 +55,4 @@ test('it renders a IndexPrivilegeForm for each privilege on the role', () => {
   };
   const wrapper = mount(<IndexPrivileges {...props} />);
   expect(wrapper.find(IndexPrivilegeForm)).toHaveLength(1);
-});
\ No newline at end of file
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js
index a8c2a2c52cbe00..e5e9ddb2bff473 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js
@@ -7,8 +7,7 @@
 import React, { Component } from 'react';
 import PropTypes from 'prop-types';
 import { isReservedRole } from '../../../../../lib/role';
-import { getKibanaPrivileges } from '../../lib/get_application_privileges';
-import { setApplicationPrivileges } from '../../lib/set_application_privileges';
+import { getKibanaPrivilegesViewModel, getKibanaPrivileges } from '../../lib/get_application_privileges';
 
 import { CollapsiblePanel } from '../collapsible_panel';
 import {
@@ -27,7 +26,7 @@ export class KibanaPrivileges extends Component {
     onChange: PropTypes.func.isRequired,
   };
 
-  idPrefix = () => `${this.props.rbacApplication}_`;
+  idPrefix = () => `id_`;
 
   privilegeToId = (privilege) => `${this.idPrefix()}${privilege}`;
 
@@ -45,10 +44,9 @@ export class KibanaPrivileges extends Component {
     const {
       kibanaAppPrivileges,
       role,
-      rbacApplication
     } = this.props;
 
-    const kibanaPrivileges = getKibanaPrivileges(kibanaAppPrivileges, role, rbacApplication);
+    const kibanaPrivileges = getKibanaPrivilegesViewModel(kibanaAppPrivileges, role.kibana);
 
     const options = [
       { value: noPrivilegeValue, text: 'none' },
@@ -80,7 +78,7 @@ export class KibanaPrivileges extends Component {
   onKibanaPrivilegesChange = (e) => {
     const role = {
       ...this.props.role,
-      applications: [...this.props.role.applications]
+      kibana: [...this.props.role.kibana]
     };
 
     const privilege = e.target.value;
@@ -88,12 +86,12 @@ export class KibanaPrivileges extends Component {
     if (privilege === noPrivilegeValue) {
       // unsetting all privileges -- only necessary until RBAC Phase 3
       const noPrivileges = {};
-      setApplicationPrivileges(noPrivileges, role, this.props.rbacApplication);
+      role.kibana = getKibanaPrivileges(noPrivileges);
     } else {
       const newPrivileges = {
         [privilege]: true
       };
-      setApplicationPrivileges(newPrivileges, role, this.props.rbacApplication);
+      role.kibana = getKibanaPrivileges(newPrivileges);
     }
 
     this.props.onChange(role);
diff --git a/x-pack/plugins/security/public/views/management/edit_role/edit_role.html b/x-pack/plugins/security/public/views/management/edit_role/edit_role.html
index 5539f0521dd79c..292b1e517a69a9 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/edit_role.html
+++ b/x-pack/plugins/security/public/views/management/edit_role/edit_role.html
@@ -1 +1,3 @@
-<div id="editRoleReactRoot" />
+<kbn-management-app section="security" omit-breadcrumb-pages="['edit']">
+  <div id="editRoleReactRoot" />
+</kbn-management-app>
diff --git a/x-pack/plugins/security/public/views/management/edit_role/index.js b/x-pack/plugins/security/public/views/management/edit_role/index.js
index bd166e16a658ed..45b124167815c1 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/index.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/index.js
@@ -51,10 +51,13 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
 
       } else {
         role = Promise.resolve(new ShieldRole({
-          cluster: [],
-          indices: [],
-          run_as: [],
-          applications: []
+          elasticsearch: {
+            cluster: [],
+            indices: [],
+            run_as: [],
+          },
+          kibana: [],
+          _unrecognized_applications: [],
         }));
       }
 
@@ -91,46 +94,31 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     const allowFieldLevelSecurity = xpackInfo.get('features.security.allowRoleFieldLevelSecurity');
     const rbacApplication = chrome.getInjected('rbacApplication');
 
-    const domNode = document.getElementById('editRoleReactRoot');
-
     const {
       users,
       indexPatterns,
     } = $route.current.locals;
 
-    const routeBreadcrumbs = routes.getBreadcrumbs();
-
-    render(<EditRolePage
-      runAsUsers={users}
-      role={role}
-      kibanaAppPrivileges={kibanaApplicationPrivilege}
-      indexPatterns={indexPatterns}
-      rbacEnabled={true}
-      rbacApplication={rbacApplication}
-      httpClient={$http}
-      breadcrumbs={transformBreadcrumbs(routeBreadcrumbs)}
-      allowDocumentLevelSecurity={allowDocumentLevelSecurity}
-      allowFieldLevelSecurity={allowFieldLevelSecurity}
-      notifier={Notifier}
-    />, domNode);
-
-    // unmount react on controller destroy
-    $scope.$on('$destroy', () => {
-      unmountComponentAtNode(domNode);
+    $scope.$$postDigest(() => {
+      const domNode = document.getElementById('editRoleReactRoot');
+
+      render(<EditRolePage
+        runAsUsers={users}
+        role={role}
+        kibanaAppPrivileges={kibanaApplicationPrivilege}
+        indexPatterns={indexPatterns}
+        rbacEnabled={true}
+        rbacApplication={rbacApplication}
+        httpClient={$http}
+        allowDocumentLevelSecurity={allowDocumentLevelSecurity}
+        allowFieldLevelSecurity={allowFieldLevelSecurity}
+        notifier={Notifier}
+      />, domNode);
+
+      // unmount react on controller destroy
+      $scope.$on('$destroy', () => {
+        unmountComponentAtNode(domNode);
+      });
     });
   }
 });
-
-function transformBreadcrumbs(routeBreadcrumbs) {
-  const indexOfEdit = routeBreadcrumbs.findIndex(b => b.id === 'edit');
-
-  const hasEntryAfterEdit = indexOfEdit >= 0 && indexOfEdit < (routeBreadcrumbs.length - 1);
-
-  if (hasEntryAfterEdit) {
-    // The entry after 'edit' is the name of the role being edited (if any). We don't want to use the "humanized" version of the role name here
-    const roleName = routeBreadcrumbs[indexOfEdit + 1];
-    roleName.display = roleName.id;
-  }
-
-  return routeBreadcrumbs.filter(b => b.id !== 'edit');
-}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/validate_role.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/validate_role.test.js.snap
index 20b4280b7f493b..1f4837b07d0b90 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/validate_role.test.js.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/validate_role.test.js.snap
@@ -1,3 +1,3 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`validateIndexPrivileges it throws when indices is not an array 1`] = `"Expected role.indices to be an array"`;
+exports[`validateIndexPrivileges it throws when indices is not an array 1`] = `"Expected role.elasticsearch.indices to be an array"`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js
index 1ee8d201806b69..078dfc1dae0ea5 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js
@@ -5,22 +5,38 @@
  */
 import _ from 'lodash';
 
-export function getKibanaPrivileges(kibanaApplicationPrivilege, role, application) {
-  const kibanaPrivileges = kibanaApplicationPrivilege.reduce((acc, p) => {
-    acc[p.name] = false;
+export function getKibanaPrivilegesViewModel(applicationPrivileges, roleKibanaPrivileges) {
+  const viewModel = applicationPrivileges.reduce((acc, applicationPrivilege) => {
+    acc[applicationPrivilege.name] = false;
     return acc;
   }, {});
 
-  if (!role.applications || role.applications.length === 0) {
-    return kibanaPrivileges;
+  if (!roleKibanaPrivileges || roleKibanaPrivileges.length === 0) {
+    return viewModel;
   }
 
-  const applications = role.applications.filter(x => x.application === application);
-
-  const assigned = _.uniq(_.flatten(_.pluck(applications, 'privileges')));
-  assigned.forEach(a => {
-    kibanaPrivileges[a] = true;
+  const assignedPrivileges = _.uniq(_.flatten(_.pluck(roleKibanaPrivileges, 'privileges')));
+  assignedPrivileges.forEach(assignedPrivilege => {
+    // we don't want to display privileges that aren't in our expected list of privileges
+    if (assignedPrivilege in viewModel) {
+      viewModel[assignedPrivilege] = true;
+    }
   });
 
-  return kibanaPrivileges;
+  return viewModel;
+}
+
+export function getKibanaPrivileges(kibanaPrivilegesViewModel) {
+  const selectedPrivileges = Object.keys(kibanaPrivilegesViewModel).filter(key => kibanaPrivilegesViewModel[key]);
+
+  // if we have any selected privileges, add a single application entry
+  if (selectedPrivileges.length > 0) {
+    return [
+      {
+        privileges: selectedPrivileges
+      }
+    ];
+  }
+
+  return [];
 }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.js b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.js
index 3fc638a83782cb..29160173363b46 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.js
@@ -35,11 +35,11 @@ export class RoleValidator {
   validateIndexPrivileges(role) {
     if (!this._shouldValidate) return valid();
 
-    if (!Array.isArray(role.indices)) {
-      throw new TypeError(`Expected role.indices to be an array`);
+    if (!Array.isArray(role.elasticsearch.indices)) {
+      throw new TypeError(`Expected role.elasticsearch.indices to be an array`);
     }
 
-    const areIndicesValid = role.indices
+    const areIndicesValid = role.elasticsearch.indices
       .map(this.validateIndexPrivilege.bind(this))
       .find((result) => result.isInvalid) == null;
 
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.js b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.js
index 47d2bfe59a37e6..75fc8341fc639c 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.js
@@ -60,10 +60,13 @@ describe('validateIndexPrivileges', () => {
 
   test('it ignores privilegs with no indices defined', () => {
     const role = {
-      indices: [{
-        names: [],
-        privileges: []
-      }]
+      elasticsearch: {
+        indices: [{
+          names: [],
+          privileges: []
+        }]
+      }
+
     };
 
     expect(validator.validateIndexPrivileges(role)).toEqual({
@@ -73,10 +76,13 @@ describe('validateIndexPrivileges', () => {
 
   test('it requires privilges when an index is defined', () => {
     const role = {
-      indices: [{
-        names: ['index-*'],
-        privileges: []
-      }]
+      elasticsearch: {
+        indices: [{
+          names: ['index-*'],
+          privileges: []
+        }]
+      }
+
     };
 
     expect(validator.validateIndexPrivileges(role)).toEqual({
@@ -86,7 +92,9 @@ describe('validateIndexPrivileges', () => {
 
   test('it throws when indices is not an array', () => {
     const role = {
-      indices: null
+      elasticsearch: {
+        indices: null
+      }
     };
 
     expect(() => validator.validateIndexPrivileges(role)).toThrowErrorMatchingSnapshot();
diff --git a/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap b/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap
deleted file mode 100644
index 628a5c068f83a0..00000000000000
--- a/x-pack/plugins/spaces/public/views/management/components/__snapshots__/page_header.test.js.snap
+++ /dev/null
@@ -1,15 +0,0 @@
-// Jest Snapshot v1, https://goo.gl/fbAQLP
-
-exports[`it renders without crashing 1`] = `
-<div>
-  <EuiBreadcrumbs
-    breadcrumbs={Array []}
-    max={5}
-    responsive={true}
-    truncate={true}
-  />
-  <EuiSpacer
-    size="l"
-  />
-</div>
-`;
diff --git a/x-pack/plugins/spaces/public/views/management/components/index.js b/x-pack/plugins/spaces/public/views/management/components/index.js
index 1d158d623b503a..e134461ee43a66 100644
--- a/x-pack/plugins/spaces/public/views/management/components/index.js
+++ b/x-pack/plugins/spaces/public/views/management/components/index.js
@@ -4,5 +4,4 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export { PageHeader } from './page_header';
 export { DeleteSpacesButton } from './delete_spaces_button';
diff --git a/x-pack/plugins/spaces/public/views/management/components/page_header.js b/x-pack/plugins/spaces/public/views/management/components/page_header.js
deleted file mode 100644
index ff81942abb49ce..00000000000000
--- a/x-pack/plugins/spaces/public/views/management/components/page_header.js
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React, { Component } from 'react';
-import PropTypes from 'prop-types';
-
-import {
-  EuiBreadcrumbs,
-  EuiSpacer,
-} from '@elastic/eui';
-
-export class PageHeader extends Component {
-  render() {
-    return (
-      <div>
-        <EuiBreadcrumbs breadcrumbs={this.props.breadcrumbs.map(this.buildBreadcrumb)} />
-        <EuiSpacer />
-      </div>
-    );
-  }
-
-  buildBreadcrumb = (breadcrumb) => {
-    return {
-      text: breadcrumb.display,
-      href: breadcrumb.href,
-    };
-  }
-}
-
-PageHeader.propTypes = {
-  breadcrumbs: PropTypes.array.isRequired
-};
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/management/components/page_header.test.js b/x-pack/plugins/spaces/public/views/management/components/page_header.test.js
deleted file mode 100644
index 706a6de4a0abc1..00000000000000
--- a/x-pack/plugins/spaces/public/views/management/components/page_header.test.js
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React from 'react';
-import { PageHeader } from './page_header';
-import { mount, shallow } from 'enzyme';
-
-test('it renders without crashing', () => {
-  const component = shallow(
-    <PageHeader breadcrumbs={[]}/>
-  );
-  expect(component).toMatchSnapshot();
-});
-
-test('it renders breadcrumbs', () => {
-  const component = mount(
-    <PageHeader breadcrumbs={[{
-      display: 'id-1',
-      href: 'myhref-1',
-    }, {
-      display: 'id-2',
-      href: 'myhref-2',
-    }]}
-    />
-  );
-
-  expect(component.find('a.euiBreadcrumb')).toHaveLength(1);
-  expect(component.find('span.euiBreadcrumb')).toHaveLength(1);
-
-});
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
index 10e7c4040b76ad..68c6e3b3d1967f 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
@@ -20,7 +20,7 @@ import {
   EuiPanel,
 } from '@elastic/eui';
 
-import { DeleteSpacesButton, PageHeader } from '../components';
+import { DeleteSpacesButton } from '../components';
 import { SpaceAvatar } from '../../components';
 
 import { Notifier, toastNotifications } from 'ui/notify';
@@ -77,7 +77,6 @@ export class ManageSpacePage extends Component {
 
     return (
       <EuiPage className="editSpacePage">
-        <PageHeader breadcrumbs={this.props.breadcrumbs} />
         <EuiForm>
           {this.getFormHeading()}
 
@@ -396,5 +395,4 @@ ManageSpacePage.propTypes = {
   space: PropTypes.string,
   spacesManager: PropTypes.object,
   spacesNavState: PropTypes.object.isRequired,
-  breadcrumbs: PropTypes.array.isRequired,
 };
diff --git a/x-pack/plugins/spaces/public/views/management/page_routes.js b/x-pack/plugins/spaces/public/views/management/page_routes.js
index 4367d2b9282a6e..5a16ff72ffbcb0 100644
--- a/x-pack/plugins/spaces/public/views/management/page_routes.js
+++ b/x-pack/plugins/spaces/public/views/management/page_routes.js
@@ -21,19 +21,20 @@ const reactRootNodeId = 'manageSpacesReactRoot';
 routes.when('/management/spaces/list', {
   template,
   controller: function ($scope, $http, chrome, spacesNavState) {
-    const domNode = document.getElementById(reactRootNodeId);
+    $scope.$$postDigest(() => {
+      const domNode = document.getElementById(reactRootNodeId);
 
-    const spacesManager = new SpacesManager($http, chrome);
+      const spacesManager = new SpacesManager($http, chrome);
 
-    render(<SpacesGridPage
-      breadcrumbs={routes.getBreadcrumbs()}
-      spacesManager={spacesManager}
-      spacesNavState={spacesNavState}
-    />, domNode);
+      render(<SpacesGridPage
+        spacesManager={spacesManager}
+        spacesNavState={spacesNavState}
+      />, domNode);
 
-    // unmount react on controller destroy
-    $scope.$on('$destroy', () => {
-      unmountComponentAtNode(domNode);
+      // unmount react on controller destroy
+      $scope.$on('$destroy', () => {
+        unmountComponentAtNode(domNode);
+      });
     });
   }
 });
@@ -41,19 +42,20 @@ routes.when('/management/spaces/list', {
 routes.when('/management/spaces/create', {
   template,
   controller: function ($scope, $http, chrome, spacesNavState) {
-    const domNode = document.getElementById(reactRootNodeId);
+    $scope.$$postDigest(() => {
+      const domNode = document.getElementById(reactRootNodeId);
 
-    const spacesManager = new SpacesManager($http, chrome);
+      const spacesManager = new SpacesManager($http, chrome);
 
-    render(<ManageSpacePage
-      breadcrumbs={routes.getBreadcrumbs()}
-      spacesManager={spacesManager}
-      spacesNavState={spacesNavState}
-    />, domNode);
+      render(<ManageSpacePage
+        spacesManager={spacesManager}
+        spacesNavState={spacesNavState}
+      />, domNode);
 
-    // unmount react on controller destroy
-    $scope.$on('$destroy', () => {
-      unmountComponentAtNode(domNode);
+      // unmount react on controller destroy
+      $scope.$on('$destroy', () => {
+        unmountComponentAtNode(domNode);
+      });
     });
   }
 });
@@ -65,28 +67,26 @@ routes.when('/management/spaces/edit', {
 routes.when('/management/spaces/edit/:space', {
   template,
   controller: function ($scope, $http, $route, chrome, spacesNavState) {
-    const domNode = document.getElementById(reactRootNodeId);
+    $scope.$$postDigest(() => {
 
-    const { space } = $route.current.params;
+      const domNode = document.getElementById(reactRootNodeId);
 
-    const spacesManager = new SpacesManager($http, chrome);
+      const { space } = $route.current.params;
 
-    render(<ManageSpacePage
-      httpAgent={$http}
-      space={space}
-      chrome={chrome}
-      breadcrumbs={transformBreadcrumbs(routes.getBreadcrumbs())}
-      spacesManager={spacesManager}
-      spacesNavState={spacesNavState}
-    />, domNode);
+      const spacesManager = new SpacesManager($http, chrome);
 
-    // unmount react on controller destroy
-    $scope.$on('$destroy', () => {
-      unmountComponentAtNode(domNode);
+      render(<ManageSpacePage
+        httpAgent={$http}
+        space={space}
+        chrome={chrome}
+        spacesManager={spacesManager}
+        spacesNavState={spacesNavState}
+      />, domNode);
+
+      // unmount react on controller destroy
+      $scope.$on('$destroy', () => {
+        unmountComponentAtNode(domNode);
+      });
     });
   }
 });
-
-function transformBreadcrumbs(routeBreadcrumbs) {
-  return routeBreadcrumbs.filter(b => b.id !== 'edit');
-}
diff --git a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
index bb68e235053fea..f18db68dc5a74b 100644
--- a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
+++ b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
@@ -19,7 +19,7 @@ import {
   EuiLink,
 } from '@elastic/eui';
 
-import { DeleteSpacesButton, PageHeader } from '../components';
+import { DeleteSpacesButton } from '../components';
 import { isReservedSpace } from '../../../../common';
 
 export class SpacesGridPage extends Component {
@@ -36,7 +36,6 @@ export class SpacesGridPage extends Component {
   render() {
     return (
       <EuiPage>
-        <PageHeader breadcrumbs={this.props.breadcrumbs} />
         <EuiPageContent>
           <EuiFlexGroup justifyContent={'spaceBetween'}>
             <EuiFlexItem grow={false}>
@@ -142,5 +141,4 @@ export class SpacesGridPage extends Component {
 SpacesGridPage.propTypes = {
   spacesManager: PropTypes.object.isRequired,
   spacesNavState: PropTypes.object.isRequired,
-  breadcrumbs: PropTypes.array.isRequired,
 };
diff --git a/x-pack/plugins/spaces/public/views/management/template.html b/x-pack/plugins/spaces/public/views/management/template.html
index 8da58b1e3a5471..8e7851095e903f 100644
--- a/x-pack/plugins/spaces/public/views/management/template.html
+++ b/x-pack/plugins/spaces/public/views/management/template.html
@@ -1 +1,3 @@
-<div id="manageSpacesReactRoot" />
+<kbn-management-app section="spaces" omit-breadcrumb-pages="['edit']">
+  <div id="manageSpacesReactRoot" />
+</kbn-management-app>

From fe9e7fe578384750cb10b648d77cd142a479b17d Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 23 Jul 2018 08:23:31 -0400
Subject: [PATCH 083/183] fix visual regressions from EUI upgrade

---
 .../edit_space/manage_space_page.js           | 136 +++++++++---------
 .../views/management/manage_spaces.less       |  16 ++-
 .../views/space_selector/space_selector.js    |  26 ++--
 x-pack/yarn.lock                              |   4 +
 4 files changed, 100 insertions(+), 82 deletions(-)

diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
index 68c6e3b3d1967f..c5e26244664122 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
@@ -11,13 +11,16 @@ import {
   EuiButtonEmpty,
   EuiSpacer,
   EuiPage,
+  EuiPageBody,
+  EuiPageContent,
   EuiForm,
   EuiFormRow,
   EuiFieldText,
   EuiFlexGroup,
   EuiFlexItem,
   EuiButton,
-  EuiPanel,
+  EuiPageContentBody,
+  EuiHorizontalRule,
 } from '@elastic/eui';
 
 import { DeleteSpacesButton } from '../components';
@@ -76,79 +79,84 @@ export class ManageSpacePage extends Component {
     } = this.state.space;
 
     return (
-      <EuiPage className="editSpacePage">
-        <EuiForm>
-          {this.getFormHeading()}
-
-          <EuiSpacer />
+      <EuiPage className="manageSpacePage">
+        <EuiPageBody>
+          <EuiPageContent className="manageSpacePage__content">
+            <EuiPageContentBody>
+              <EuiForm>
+                {this.getFormHeading()}
+
+                <EuiSpacer />
+
+                <EuiFlexGroup>
+                  <EuiFlexItem style={{ maxWidth: '400px' }}>
+                    <EuiFormRow
+                      label="Name"
+                      {...this.validator.validateSpaceName(this.state.space)}
+                    >
+                      <EuiFieldText
+                        name="name"
+                        placeholder={'Awesome space'}
+                        value={name}
+                        onChange={this.onNameChange}
+                      />
+                    </EuiFormRow>
+                  </EuiFlexItem>
+                  {
+                    name && (
+                      <EuiFlexItem grow={false}>
+                        <EuiFlexGroup responsive={false}>
+                          <EuiFlexItem grow={false}>
+                            <EuiFormRow hasEmptyLabelSpace={true}>
+                              <SpaceAvatar space={this.state.space} />
+                            </EuiFormRow>
+                          </EuiFlexItem>
+                          <CustomizeSpaceAvatar space={this.state.space} onChange={this.onAvatarChange} />
+                        </EuiFlexGroup>
+                      </EuiFlexItem>
+                    )
+                  }
+                </EuiFlexGroup>
+
+                <EuiSpacer />
+
+                {isReservedSpace(this.state.space)
+                  ? null
+                  : (
+                    <Fragment>
+                      <UrlContext
+                        space={this.state.space}
+                        editingExistingSpace={this.editingExistingSpace()}
+                        editable={true}
+                        onChange={this.onUrlContextChange}
+                        validator={this.validator}
+                      />
+                    </Fragment>
+                  )
+                }
 
-          <EuiPanel>
-            <EuiFlexGroup>
-              <EuiFlexItem style={{ maxWidth: '400px' }}>
                 <EuiFormRow
-                  label="Name"
-                  {...this.validator.validateSpaceName(this.state.space)}
+                  label="Description"
+                  {...this.validator.validateSpaceDescription(this.state.space)}
                 >
                   <EuiFieldText
-                    name="name"
-                    placeholder={'Awesome space'}
-                    value={name}
-                    onChange={this.onNameChange}
+                    name="description"
+                    placeholder={'This is where the magic happens'}
+                    value={description}
+                    onChange={this.onDescriptionChange}
                   />
                 </EuiFormRow>
-              </EuiFlexItem>
-              {
-                name && (
-                  <EuiFlexItem grow={false}>
-                    <EuiFlexGroup responsive={false}>
-                      <EuiFlexItem grow={false}>
-                        <EuiFormRow hasEmptyLabelSpace={true}>
-                          <SpaceAvatar space={this.state.space} />
-                        </EuiFormRow>
-                      </EuiFlexItem>
-                      <CustomizeSpaceAvatar space={this.state.space} onChange={this.onAvatarChange} />
-                    </EuiFlexGroup>
-                  </EuiFlexItem>
-                )
-              }
-            </EuiFlexGroup>
-
-            <EuiSpacer />
-
-            {isReservedSpace(this.state.space)
-              ? null
-              : (
-                <Fragment>
-                  <UrlContext
-                    space={this.state.space}
-                    editingExistingSpace={this.editingExistingSpace()}
-                    editable={true}
-                    onChange={this.onUrlContextChange}
-                    validator={this.validator}
-                  />
-                </Fragment>
-              )
-            }
-
-            <EuiFormRow
-              label="Description"
-              {...this.validator.validateSpaceDescription(this.state.space)}
-            >
-              <EuiFieldText
-                name="description"
-                placeholder={'This is where the magic happens'}
-                value={description}
-                onChange={this.onDescriptionChange}
-              />
-            </EuiFormRow>
 
-          </EuiPanel>
+                <EuiSpacer />
 
-          <EuiSpacer />
+                <EuiHorizontalRule />
 
-          {this.getFormButtons()}
+                {this.getFormButtons()}
 
-        </EuiForm>
+              </EuiForm>
+            </EuiPageContentBody>
+          </EuiPageContent>
+        </EuiPageBody>
       </EuiPage>
     );
   }
diff --git a/x-pack/plugins/spaces/public/views/management/manage_spaces.less b/x-pack/plugins/spaces/public/views/management/manage_spaces.less
index 48bfea9b424d95..4254ed90810027 100644
--- a/x-pack/plugins/spaces/public/views/management/manage_spaces.less
+++ b/x-pack/plugins/spaces/public/views/management/manage_spaces.less
@@ -6,11 +6,17 @@
   flex-grow: 1;
 }
 
-.editSpacePage__content {
-  border: none;
-  box-shadow: none;
+.manageSpace__euiPage {
+  padding: 0;
 }
 
-.manageSpaces__euiPage {
-  padding: 0;
+.manageSpacePage {
+  min-height: ~"calc(100vh - 70px)";
+}
+
+.manageSpacePage__content {
+  max-width: 760px;
+  margin-left: auto;
+  margin-right: auto;
+  flex-grow: 0;
 }
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
index d0dbc65d4566a9..57fd8d8e4b4882 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
@@ -71,20 +71,20 @@ export class SpaceSelector extends Component {
 
     return (
       <EuiPage className="spaceSelector__page">
-        <EuiPageHeader className="spaceSelector__heading">
-          <EuiPageHeaderSection className="spaceSelector__logoHeader">
-            <div className="spaceSelector__logoCircle">
-              <EuiIcon size="xxl" type={`logoKibana`} />
-            </div>
-
-            <EuiSpacer />
-
-            <EuiTitle size="l">
-              <EuiTextColor color="ghost"><p>Select your space</p></EuiTextColor>
-            </EuiTitle>
-          </EuiPageHeaderSection>
-        </EuiPageHeader>
         <EuiPageBody>
+          <EuiPageHeader className="spaceSelector__heading">
+            <EuiPageHeaderSection className="spaceSelector__logoHeader">
+              <div className="spaceSelector__logoCircle">
+                <EuiIcon size="xxl" type={`logoKibana`} />
+              </div>
+
+              <EuiSpacer />
+
+              <EuiTitle size="l">
+                <EuiTextColor color="ghost"><p>Select your space</p></EuiTextColor>
+              </EuiTitle>
+            </EuiPageHeaderSection>
+          </EuiPageHeader>
           <EuiPageContent className="spaceSelector__pageContent">
 
             <EuiFlexGroup direction="column" alignItems="center" responsive={false}>
diff --git a/x-pack/yarn.lock b/x-pack/yarn.lock
index e91f45bfb7e4f6..161582996d587b 100644
--- a/x-pack/yarn.lock
+++ b/x-pack/yarn.lock
@@ -7267,6 +7267,10 @@ safe-buffer@5.1.2:
   version "5.1.2"
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.2.tgz#991ec69d296e0313747d59bdfd2b745c35f8828d"
 
+"safer-buffer@>= 2.1.2 < 3":
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
+
 samsam@1.3.0:
   version "1.3.0"
   resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.3.0.tgz#8d1d9350e25622da30de3e44ba692b5221ab7c50"

From 88b51da36022cccb47bfc165a4662138d72c787d Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 23 Jul 2018 16:03:55 -0400
Subject: [PATCH 084/183] fix lint errors

---
 src/server/http/setup_base_path_provider.js   | 19 +++++++++++++++++++
 .../lib/set_application_privileges.js         |  8 ++++----
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/src/server/http/setup_base_path_provider.js b/src/server/http/setup_base_path_provider.js
index a1655d0124dbc4..caba48c765b022 100644
--- a/src/server/http/setup_base_path_provider.js
+++ b/src/server/http/setup_base_path_provider.js
@@ -1,3 +1,22 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
 export function setupBasePathProvider(server, config) {
 
   server.decorate('request', 'setBasePath', function (basePath) {
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/set_application_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/lib/set_application_privileges.js
index e6e133fbf69bd5..d900c13743a14c 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/set_application_privileges.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/set_application_privileges.js
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { DEFAULT_RESOURCE } from '../../../../../common/constants';
+import { ALL_RESOURCE } from '../../../../../common/constants';
 
 export function setApplicationPrivileges(kibanaPrivileges, role, application) {
   if (!role.applications) {
@@ -23,20 +23,20 @@ export function setApplicationPrivileges(kibanaPrivileges, role, application) {
     role.applications = [...role.applications, {
       application,
       privileges,
-      resources: [DEFAULT_RESOURCE]
+      resources: [ALL_RESOURCE]
     }];
   }
 }
 
 export function togglePrivilege(role, application, permission) {
   const appPermissions = role.applications
-    .find(a => a.application === application && a.resources[0] === DEFAULT_RESOURCE);
+    .find(a => a.application === application && a.resources[0] === ALL_RESOURCE);
 
   if (!appPermissions) {
     role.applications.push({
       application,
       privileges: [permission],
-      resources: [DEFAULT_RESOURCE]
+      resources: [ALL_RESOURCE]
     });
   } else {
     const indexOfExisting = appPermissions.privileges.indexOf(permission);

From 3d8b9b9a4716b12396bcf9ec88cd0627cd0b7226 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Wed, 25 Jul 2018 09:14:14 -0400
Subject: [PATCH 085/183] fix merge

---
 .../__snapshots__/space_selector.test.js.snap | 96 +++++++++----------
 yarn.lock                                     |  4 +-
 2 files changed, 50 insertions(+), 50 deletions(-)

diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
index a9a69385339a27..debc9de08283d4 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
@@ -6,61 +6,61 @@ exports[`it renders without crashing 1`] = `
   style={undefined}
 >
   <div
-    className="euiPageHeader spaceSelector__heading"
+    className="euiPageBody"
   >
     <div
-      className="euiPageHeaderSection spaceSelector__logoHeader"
+      className="euiPageHeader euiPageHeader--responsive spaceSelector__heading"
     >
       <div
-        className="spaceSelector__logoCircle"
+        className="euiPageHeaderSection spaceSelector__logoHeader"
       >
-        <svg
-          className="euiIcon euiIcon--xxLarge"
-          focusable="false"
-          height="40"
-          style={
-            Object {
-              "fill": undefined,
+        <div
+          className="spaceSelector__logoCircle"
+        >
+          <svg
+            className="euiIcon euiIcon--xxLarge"
+            focusable="false"
+            height="40"
+            style={
+              Object {
+                "fill": undefined,
+              }
             }
-          }
-          tabIndex={undefined}
-          viewBox="0 0 30 40"
-          width="30"
-          xmlns="http://www.w3.org/2000/svg"
+            tabIndex={undefined}
+            viewBox="0 0 30 40"
+            width="30"
+            xmlns="http://www.w3.org/2000/svg"
+          >
+            <path
+              d="M.874 40H30c0-8.046-4.566-15.197-11.652-19.768L.874 40z"
+              fill="#3EBEB0"
+            />
+            <path
+              d="M0 26v14h1.873L18.35 20.229a31.291 31.291 0 0 0-3.562-1.974L0 26z"
+              fill="#37A595"
+            />
+            <path
+              d="M0 13v23l14.79-17.748C10.424 16.186 15.38 14 10 14L0 13z"
+              fill="#353535"
+            />
+            <path
+              d="M30 0H0v15c5.38 0 10.424 1.186 14.79 3.252L30 0z"
+              fill="#E9478B"
+            />
+          </svg>
+        </div>
+        <div
+          className="euiSpacer euiSpacer--l"
+        />
+        <span
+          className="euiTextColor euiTextColor--ghost euiTitle euiTitle--large"
         >
-          <path
-            d="M.874 40H30c0-8.046-4.566-15.197-11.652-19.768L.874 40z"
-            fill="#3EBEB0"
-          />
-          <path
-            d="M0 26v14h1.873L18.35 20.229a31.291 31.291 0 0 0-3.562-1.974L0 26z"
-            fill="#37A595"
-          />
-          <path
-            d="M0 13v23l14.79-17.748C10.424 16.186 15.38 14 10 14L0 13z"
-            fill="#353535"
-          />
-          <path
-            d="M30 0H0v15c5.38 0 10.424 1.186 14.79 3.252L30 0z"
-            fill="#E9478B"
-          />
-        </svg>
+          <p>
+            Select your space
+          </p>
+        </span>
       </div>
-      <div
-        className="euiSpacer euiSpacer--l"
-      />
-      <span
-        className="euiTextColor euiTextColor--ghost euiTitle euiTitle--large"
-      >
-        <p>
-          Select your space
-        </p>
-      </span>
     </div>
-  </div>
-  <div
-    className="euiPageBody"
-  >
     <div
       className="euiPanel euiPanel--paddingLarge euiPageContent spaceSelector__pageContent"
     >
@@ -98,11 +98,11 @@ exports[`it renders without crashing 1`] = `
         <div
           className="euiTextAlign euiTextAlign--center"
         >
-          <span
+          <div
             className="euiTextColor euiTextColor--subdued"
           >
             No spaces match search criteria
-          </span>
+          </div>
         </div>
       </div>
     </div>
diff --git a/yarn.lock b/yarn.lock
index 6d78892c31aa26..0ffae9fb637a5d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -6624,7 +6624,7 @@ iconv-lite@0.4.7:
   version "0.4.7"
   resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.7.tgz#89d32fec821bf8597f44609b4bc09bed5c209a23"
 
-iconv-lite@^0.4.22:
+iconv-lite@^0.4.22, iconv-lite@~0.4.13:
   version "0.4.23"
   resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.23.tgz#297871f63be507adcfbfca715d0cd0eed84e9a63"
   dependencies:
@@ -12038,7 +12038,7 @@ rxjs@^6.2.1:
   dependencies:
     tslib "^1.9.0"
 
-safe-buffer@5.1.1, safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@~5.1.0, safe-buffer@~5.1.1:
+safe-buffer@5.1.1, safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1:
   version "5.1.1"
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
 

From 252e407441119cf2449b321ea13f3cc2f6380419 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 26 Jul 2018 12:14:26 -0400
Subject: [PATCH 086/183] [Spaces] Space-Aware Saved Objects (#18862)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**This is an updated description that incorperates some of the discussions below**

This PR introduces changes which allow the Spaces plugin to make saved objects "space aware". Effectively, this means wrapping the Saved Objects Client to alter or filter requests/responses.

**Note** Advanced UI Settings (i.e., saved objects of type `config`) are not in scope for this PR, and will be addressed separately.


### Terminology:
- SOC: Saved Objects Client

## Saved Objects Client
### `get`
The response from the base SOC is checked to see if the object belongs to the current space. If not, a 404 is thrown to indicate the object does not exist.

### `bulk_get`
The response from the base SOC is checked to see if each object belongs to the current space. For each object that does not belong, its contents are replaced with a 404 response, which looks identical to the base SOC's 404 response for a missing object.

### `create`
The `spaceId` is appended to the create request, so the base SOC will write the new object into the correct space.

### `bulk_create`
The `spaceId` is appended to each space-aware object in the request, so the base SOC will write the new objects into the correct space.

### `update`
Before allowing an update to be processed by the base SOC, we check to ensure that it belongs to the current space. If not, a 404 is thrown. We also ensure that the `spaceId` is not changed as a result of an update.

### `delete`
Before allowing a delete to be processed by the base SOC, we check to ensure that it belongs to the current space. If not, a 404 is thrown.

### `find`
Searching is arguably the most complex case for this PR, and is responsible for a bulk of the LOC (other than tests). When performing a find, we augment the ES query to ensure that each object belongs to the current space.


## * Belonging to the current space
To figure out if an object belongs to the current space, the following check is performed:
### 1. Is the object's type space-aware?
Most saved object types are space-aware. There are a couple of exceptions as of this PR: space and config.
If the type is not space-aware, then ✅ this object belongs to the current space. This implies that objects that are not space aware belong to every space.

If the type is space-aware, then processing continues to step 2
### 2. Check the object's `spaceId`
Each saved object may have a `spaceId` assigned. This `spaceId` is compared against the `spaceId` that the user's request is executed within. If they match, then the object belongs to the current space.

**caveat** The Default Space is a special-case space that does not assign a `spaceId` to its underlying objects. This is done to maintain backwards compatibility, and makes bootstrapping Spaces much easier for upgrading installations. Given this, there is logic in place which accounts for this special-case. The most interesting example is when we build the query for the SOC's `find` operation. Rather than checking that the object has a particular `spaceId`, we have to check that the object does not have a `spaceId` assigned.
---
 .../kibana/ui_setting_defaults.js             |    2 +-
 .../saved_objects/service/lib/repository.js   |   59 +-
 .../service/lib/repository.test.js            |  301 +++-
 .../service/lib/search_dsl/query_params.js    |   22 +-
 .../lib/search_dsl/query_params.test.js       |  186 ++-
 .../service/lib/search_dsl/search_dsl.js      |    9 +-
 .../service/lib/search_dsl/search_dsl.test.js |    4 +-
 .../service/saved_objects_client.js           |   17 +-
 .../service/saved_objects_client.test.js      |   10 +-
 .../create_or_upgrade_integration.js          |    2 +-
 .../create_or_upgrade_saved_config.js         |    2 +-
 .../create_or_upgrade_saved_config.js         |    2 +-
 src/ui/ui_settings/ui_settings_service.js     |    2 +-
 .../ui_settings_service_factory.js            |    2 +-
 x-pack/plugins/security/index.js              |    2 +-
 .../secure_saved_objects_client.js            |   14 +-
 .../secure_saved_objects_client.test.js       |   35 +-
 .../spaces/common/spaces_url_parser.js        |   44 -
 .../spaces/common/spaces_url_parser.test.js   |   39 -
 x-pack/plugins/spaces/index.js                |   23 +-
 .../spaces/public/lib/spaces_manager.js       |   21 +
 .../__snapshots__/space_avatar.test.js.snap   |   11 +
 .../views/components/space_avatar.test.js     |   14 +
 .../public/views/components/space_cards.js    |    7 +-
 .../views/components/space_cards.test.js      |    4 +-
 .../views/nav_control/nav_control_modal.js    |    6 +-
 .../views/space_selector/space_selector.js    |    8 +-
 .../spaces_url_parser.test.js.snap            |    3 +
 .../server/lib/create_spaces_service.js       |   35 +
 .../server/lib/create_spaces_service.test.js  |   52 +
 .../spaces/server/lib/get_active_space.js     |    6 +-
 .../spaces_saved_objects_client.test.js.snap  |   13 +
 .../__snapshots__/query_filters.test.js.snap  |    5 +
 .../lib/is_type_space_aware.js                |   14 +
 .../lib/is_type_space_aware.test.js           |   29 +
 .../saved_objects_client/lib/query_filters.js |   70 +
 .../lib/query_filters.test.js                 |  139 ++
 .../saved_objects_client_wrapper_factory.js   |   16 +
 .../spaces_saved_objects_client.js            |  282 ++++
 .../spaces_saved_objects_client.test.js       | 1340 +++++++++++++++++
 .../server/lib/space_request_interceptors.js  |   43 +-
 .../lib/space_request_interceptors.test.js    |   34 +-
 .../spaces/server/lib/spaces_url_parser.js    |   35 +
 .../server/lib/spaces_url_parser.test.js      |   67 +
 .../spaces/server/routes/api/v1/spaces.js     |   56 +-
 .../server/routes/api/v1/spaces.test.js       |   45 +-
 x-pack/scripts/functional_tests.js            |    1 +
 .../watch_status_and_license_to_initialize.js |    0
 ...h_status_and_license_to_initialize.test.js |    0
 .../test/spaces_api_integration/apis/index.js |   11 +
 .../apis/saved_objects/bulk_get.js            |  146 ++
 .../apis/saved_objects/create.js              |  143 ++
 .../apis/saved_objects/delete.js              |   93 ++
 .../apis/saved_objects/find.js                |  202 +++
 .../apis/saved_objects/get.js                 |  110 ++
 .../apis/saved_objects/index.js               |   18 +
 .../apis/saved_objects/lib/authentication.js  |   32 +
 .../saved_objects/lib/space_test_utils.js     |   23 +
 .../apis/saved_objects/lib/spaces.js          |   20 +
 .../apis/saved_objects/update.js              |  158 ++
 x-pack/test/spaces_api_integration/config.js  |   57 +
 .../saved_objects/spaces/data.json.gz         |  Bin 0 -> 2459 bytes
 .../saved_objects/spaces/mappings.json        |  314 ++++
 63 files changed, 4221 insertions(+), 239 deletions(-)
 delete mode 100644 x-pack/plugins/spaces/common/spaces_url_parser.js
 delete mode 100644 x-pack/plugins/spaces/common/spaces_url_parser.test.js
 create mode 100644 x-pack/plugins/spaces/public/views/components/__snapshots__/space_avatar.test.js.snap
 create mode 100644 x-pack/plugins/spaces/public/views/components/space_avatar.test.js
 create mode 100644 x-pack/plugins/spaces/server/lib/__snapshots__/spaces_url_parser.test.js.snap
 create mode 100644 x-pack/plugins/spaces/server/lib/create_spaces_service.js
 create mode 100644 x-pack/plugins/spaces/server/lib/create_spaces_service.test.js
 create mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
 create mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/lib/__snapshots__/query_filters.test.js.snap
 create mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.js
 create mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.test.js
 create mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.js
 create mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.test.js
 create mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js
 create mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
 create mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
 create mode 100644 x-pack/plugins/spaces/server/lib/spaces_url_parser.js
 create mode 100644 x-pack/plugins/spaces/server/lib/spaces_url_parser.test.js
 rename x-pack/{plugins/security => }/server/lib/watch_status_and_license_to_initialize.js (100%)
 rename x-pack/{plugins/security => }/server/lib/watch_status_and_license_to_initialize.test.js (100%)
 create mode 100644 x-pack/test/spaces_api_integration/apis/index.js
 create mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js
 create mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/create.js
 create mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
 create mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/find.js
 create mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/get.js
 create mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/index.js
 create mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/lib/authentication.js
 create mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
 create mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/lib/spaces.js
 create mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/update.js
 create mode 100644 x-pack/test/spaces_api_integration/config.js
 create mode 100644 x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/data.json.gz
 create mode 100644 x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json

diff --git a/src/core_plugins/kibana/ui_setting_defaults.js b/src/core_plugins/kibana/ui_setting_defaults.js
index dc00edaad0b27c..2965f0624c3477 100644
--- a/src/core_plugins/kibana/ui_setting_defaults.js
+++ b/src/core_plugins/kibana/ui_setting_defaults.js
@@ -511,4 +511,4 @@ export function getUiSettingDefaults() {
       category: ['discover'],
     },
   };
-}
+}
\ No newline at end of file
diff --git a/src/server/saved_objects/service/lib/repository.js b/src/server/saved_objects/service/lib/repository.js
index 4ff8eaa8d6b6e9..6ede707c1819a0 100644
--- a/src/server/saved_objects/service/lib/repository.js
+++ b/src/server/saved_objects/service/lib/repository.js
@@ -36,7 +36,7 @@ export class SavedObjectsRepository {
       index,
       mappings,
       callCluster,
-      onBeforeWrite = () => {},
+      onBeforeWrite = () => { },
     } = options;
 
     this._index = index;
@@ -54,11 +54,13 @@ export class SavedObjectsRepository {
    * @param {object} [options={}]
    * @property {string} [options.id] - force id on creation, not recommended
    * @property {boolean} [options.overwrite=false]
+   * @property {object} [options.extraDocumentProperties={}] - extra properties to append to the document body, outside of the object's type property
    * @returns {promise} - { id, type, version, attributes }
   */
   async create(type, attributes = {}, options = {}) {
     const {
       id,
+      extraDocumentProperties = {},
       overwrite = false
     } = options;
 
@@ -72,9 +74,10 @@ export class SavedObjectsRepository {
         index: this._index,
         refresh: 'wait_for',
         body: {
+          ...extraDocumentProperties,
           type,
           updated_at: time,
-          [type]: attributes
+          [type]: attributes,
         },
       });
 
@@ -98,7 +101,7 @@ export class SavedObjectsRepository {
   /**
    * Creates multiple documents at once
    *
-   * @param {array} objects - [{ type, id, attributes }]
+   * @param {array} objects - [{ type, id, attributes, extraDocumentProperties }]
    * @param {object} [options={}]
    * @property {boolean} [options.overwrite=false] - overwrites existing documents
    * @returns {promise} -  {saved_objects: [[{ id, type, version, attributes, error: { message } }]}
@@ -119,9 +122,10 @@ export class SavedObjectsRepository {
           }
         },
         {
+          ...object.extraDocumentProperties,
           type: object.type,
           updated_at: time,
-          [object.type]: object.attributes
+          [object.type]: object.attributes,
         }
       ];
     };
@@ -216,6 +220,7 @@ export class SavedObjectsRepository {
    * @property {string} [options.search]
    * @property {Array<string>} [options.searchFields] - see Elasticsearch Simple Query String
    *                                        Query field argument for more information
+   * @property {object} [options.filters] - ES Query filters to append
    * @property {integer} [options.page=1]
    * @property {integer} [options.perPage=20]
    * @property {string} [options.sortField]
@@ -233,6 +238,7 @@ export class SavedObjectsRepository {
       sortField,
       sortOrder,
       fields,
+      filters,
     } = options;
 
     if (searchFields && !Array.isArray(searchFields)) {
@@ -243,6 +249,10 @@ export class SavedObjectsRepository {
       throw new TypeError('options.searchFields must be an array');
     }
 
+    if (filters && !Array.isArray(filters)) {
+      throw new TypeError('options.filters must be an array');
+    }
+
     const esOptions = {
       index: this._index,
       size: perPage,
@@ -256,7 +266,8 @@ export class SavedObjectsRepository {
           searchFields,
           type,
           sortField,
-          sortOrder
+          sortOrder,
+          filters
         })
       }
     };
@@ -295,6 +306,8 @@ export class SavedObjectsRepository {
    * Returns an array of objects by id
    *
    * @param {array} objects - an array ids, or an array of objects containing id and optionally type
+   * @param {object} [options = {}]
+   * @param {array} [options.extraDocumentProperties = []] - an array of extra properties to return from the underlying document
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }] }
    * @example
    *
@@ -303,7 +316,7 @@ export class SavedObjectsRepository {
    *   { id: 'foo', type: 'index-pattern' }
    * ])
    */
-  async bulkGet(objects = []) {
+  async bulkGet(objects = [], options = {}) {
     if (objects.length === 0) {
       return { saved_objects: [] };
     }
@@ -318,8 +331,12 @@ export class SavedObjectsRepository {
       }
     });
 
+    const { docs } = response;
+
+    const { extraDocumentProperties = [] } = options;
+
     return {
-      saved_objects: response.docs.map((doc, i) => {
+      saved_objects: docs.map((doc, i) => {
         const { id, type } = objects[i];
 
         if (!doc.found) {
@@ -331,13 +348,20 @@ export class SavedObjectsRepository {
         }
 
         const time = doc._source.updated_at;
-        return {
+        const savedObject = {
           id,
           type,
           ...time && { updated_at: time },
           version: doc._version,
-          attributes: doc._source[type]
+          ...extraDocumentProperties
+            .map(s => ({ [s]: doc._source[s] }))
+            .reduce((acc, prop) => ({ ...acc, ...prop }), {}),
+          attributes: {
+            ...doc._source[type],
+          }
         };
+
+        return savedObject;
       })
     };
   }
@@ -347,9 +371,11 @@ export class SavedObjectsRepository {
    *
    * @param {string} type
    * @param {string} id
+   * @param {object} [options = {}]
+   * @param {array} [options.extraDocumentProperties = []] - an array of extra properties to return from the underlying document
    * @returns {promise} - { id, type, version, attributes }
    */
-  async get(type, id) {
+  async get(type, id, options = {}) {
     const response = await this._callCluster('get', {
       id: this._generateEsId(type, id),
       type: this._type,
@@ -364,6 +390,8 @@ export class SavedObjectsRepository {
       throw errors.createGenericNotFoundError(type, id);
     }
 
+    const { extraDocumentProperties = [] } = options;
+
     const { updated_at: updatedAt } = response._source;
 
     return {
@@ -371,7 +399,12 @@ export class SavedObjectsRepository {
       type,
       ...updatedAt && { updated_at: updatedAt },
       version: response._version,
-      attributes: response._source[type]
+      ...extraDocumentProperties
+        .map(s => ({ [s]: response._source[s] }))
+        .reduce((acc, prop) => ({ ...acc, ...prop }), {}),
+      attributes: {
+        ...response._source[type],
+      }
     };
   }
 
@@ -382,6 +415,7 @@ export class SavedObjectsRepository {
    * @param {string} id
    * @param {object} [options={}]
    * @property {integer} options.version - ensures version matches that of persisted object
+   * @param {array} [options.extraDocumentProperties = {}] - an object of extra properties to write into the underlying document
    * @returns {promise}
    */
   async update(type, id, attributes, options = {}) {
@@ -395,8 +429,9 @@ export class SavedObjectsRepository {
       ignore: [404],
       body: {
         doc: {
+          ...options.extraDocumentProperties,
           updated_at: time,
-          [type]: attributes
+          [type]: attributes,
         }
       },
     });
diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
index 39174d204a1465..2b84e773e02767 100644
--- a/src/server/saved_objects/service/lib/repository.test.js
+++ b/src/server/saved_objects/service/lib/repository.test.js
@@ -155,11 +155,12 @@ describe('SavedObjectsRepository', () => {
     });
 
     it('should use create action if ID defined and overwrite=false', async () => {
-      await savedObjectsRepository.create('index-pattern', {
-        title: 'Logstash'
-      }, {
-        id: 'logstash-*',
-      });
+      await savedObjectsRepository.create('index-pattern',
+        {
+          title: 'Logstash'
+        }, {
+          id: 'logstash-*',
+        });
 
       sinon.assert.calledOnce(callAdminCluster);
       sinon.assert.calledWith(callAdminCluster, 'create');
@@ -191,6 +192,64 @@ describe('SavedObjectsRepository', () => {
 
       sinon.assert.calledOnce(onBeforeWrite);
     });
+
+    it('appends extraDocumentProperties to the document', async () => {
+      await savedObjectsRepository.create('index-pattern',
+        {
+          title: 'Logstash'
+        },
+        {
+          extraDocumentProperties: {
+            myExtraProp: 'myExtraValue',
+            myOtherExtraProp: true,
+          }
+        }
+      );
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        body: {
+          [`index-pattern`]: { title: 'Logstash' },
+          myExtraProp: 'myExtraValue',
+          myOtherExtraProp: true,
+          type: 'index-pattern',
+          updated_at: '2017-08-14T15:49:14.886Z'
+        }
+      }));
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
+
+    it('does not allow extraDocumentProperties to overwrite existing properties', async () => {
+      await savedObjectsRepository.create('index-pattern',
+        {
+          title: 'Logstash'
+        },
+        {
+          extraDocumentProperties: {
+            myExtraProp: 'myExtraValue',
+            myOtherExtraProp: true,
+            updated_at: 'should_not_be_used',
+            'index-pattern': {
+              title: 'should_not_be_used'
+            }
+          }
+        }
+      );
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        body: {
+          [`index-pattern`]: { title: 'Logstash' },
+          myExtraProp: 'myExtraValue',
+          myOtherExtraProp: true,
+          type: 'index-pattern',
+          updated_at: '2017-08-14T15:49:14.886Z'
+        }
+      }));
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
   });
 
   describe('#bulkCreate', () => {
@@ -329,10 +388,77 @@ describe('SavedObjectsRepository', () => {
         ]
       });
     });
+
+    it('appends extraDocumentProperties to each created object', async () => {
+      callAdminCluster.returns({ items: [] });
+
+      await savedObjectsRepository.bulkCreate(
+        [
+          { type: 'config', id: 'one', attributes: { title: 'Test One' }, extraDocumentProperties: { extraConfigValue: true } },
+          { type: 'index-pattern', id: 'two', attributes: { title: 'Test Two' }, extraDocumentProperties: { extraIndexValue: true } }
+        ]);
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'bulk', sinon.match({
+        body: [
+          { create: { _type: 'doc', _id: 'config:one' } },
+          { type: 'config', ...mockTimestampFields, config: { title: 'Test One' }, extraConfigValue: true },
+          { create: { _type: 'doc', _id: 'index-pattern:two' } },
+          { type: 'index-pattern', ...mockTimestampFields, 'index-pattern': { title: 'Test Two' }, extraIndexValue: true }
+        ]
+      }));
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
+
+    it('does not allow extraDocumentProperties to overwrite existing properties', async () => {
+
+      callAdminCluster.returns({ items: [] });
+
+      const extraDocumentProperties = {
+        extraProp: 'extraVal',
+        updated_at: 'should_not_be_used',
+      };
+      const configExtraDocumentProperties = {
+        ...extraDocumentProperties,
+        'config': { newIgnoredProp: 'should_not_be_used' }
+      };
+      const indexPatternExtraDocumentProperties = {
+        ...extraDocumentProperties,
+        'index-pattern': { title: 'should_not_be_used', newIgnoredProp: 'should_not_be_used' }
+      };
+
+      await savedObjectsRepository.bulkCreate(
+        [{
+          type: 'config',
+          id: 'one',
+          attributes: { title: 'Test One' },
+          extraDocumentProperties: configExtraDocumentProperties
+        },
+        {
+          type: 'index-pattern',
+          id: 'two',
+          attributes: { title: 'Test Two' },
+          extraDocumentProperties: indexPatternExtraDocumentProperties
+        }]
+      );
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'bulk', sinon.match({
+        body: [
+          { create: { _type: 'doc', _id: 'config:one' } },
+          { type: 'config', ...mockTimestampFields, config: { title: 'Test One' }, extraProp: 'extraVal' },
+          { create: { _type: 'doc', _id: 'index-pattern:two' } },
+          { type: 'index-pattern', ...mockTimestampFields, 'index-pattern': { title: 'Test Two' }, extraProp: 'extraVal' }
+        ]
+      }));
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
   });
 
   describe('#delete', () => {
-    it('throws notFound when ES is unable to find the document',  async () => {
+    it('throws notFound when ES is unable to find the document', async () => {
       expect.assertions(1);
 
       callAdminCluster.returns(Promise.resolve({
@@ -341,7 +467,7 @@ describe('SavedObjectsRepository', () => {
 
       try {
         await savedObjectsRepository.delete('index-pattern', 'logstash-*');
-      } catch(e) {
+      } catch (e) {
         expect(e.output.statusCode).toEqual(404);
       }
     });
@@ -392,13 +518,25 @@ describe('SavedObjectsRepository', () => {
       }
     });
 
-    it('passes mappings, search, searchFields, type, sortField, and sortOrder to getSearchDsl', async () => {
+    it('requires filters to be an array if defined', async () => {
+      try {
+        await savedObjectsRepository.find({ filters: 'string' });
+        throw new Error('expected find() to reject');
+      } catch (error) {
+        sinon.assert.notCalled(callAdminCluster);
+        sinon.assert.notCalled(onBeforeWrite);
+        expect(error.message).toMatch('must be an array');
+      }
+    });
+
+    it('passes mappings, search, searchFields, type, sortField, filters, and sortOrder to getSearchDsl', async () => {
       const relevantOpts = {
         search: 'foo*',
         searchFields: ['foo'],
         type: 'bar',
         sortField: 'name',
         sortOrder: 'desc',
+        filters: [{ bool: {} }],
       };
 
       await savedObjectsRepository.find(relevantOpts);
@@ -472,6 +610,7 @@ describe('SavedObjectsRepository', () => {
         _version: 2,
         _source: {
           type: 'index-pattern',
+          specialProperty: 'specialValue',
           ...mockTimestampFields,
           'index-pattern': {
             title: 'Testing'
@@ -504,6 +643,24 @@ describe('SavedObjectsRepository', () => {
         type: 'doc'
       }));
     });
+
+    it('includes the requested extraDocumentProperties in the response for the requested object', async () => {
+      const response = await savedObjectsRepository.get('index-pattern', 'logstash-*', {
+        extraDocumentProperties: ['specialProperty', 'undefinedProperty']
+      });
+
+      expect(response).toEqual({
+        id: 'logstash-*',
+        type: 'index-pattern',
+        updated_at: mockTimestamp,
+        version: 2,
+        specialProperty: 'specialValue',
+        undefinedProperty: undefined,
+        attributes: {
+          title: 'Testing'
+        }
+      });
+    });
   });
 
   describe('#bulkGet', () => {
@@ -574,6 +731,80 @@ describe('SavedObjectsRepository', () => {
         error: { statusCode: 404, message: 'Not found' }
       });
     });
+
+    it('includes the requested extraDocumentProperties in the response for each requested object', async () => {
+      callAdminCluster.returns(Promise.resolve({
+        docs: [{
+          _type: 'doc',
+          _id: 'config:good',
+          found: true,
+          _version: 2,
+          _source: {
+            ...mockTimestampFields,
+            type: 'config',
+            specialProperty: 'specialValue',
+            config: { title: 'Test' }
+          }
+        }, {
+          _type: 'doc',
+          _id: 'config:bad',
+          found: false
+        }, {
+          _id: 'index-pattern:logstash-*',
+          _type: 'doc',
+          found: true,
+          _version: 2,
+          _source: {
+            type: 'index-pattern',
+            specialProperty: 'anotherSpecialValue',
+            ...mockTimestampFields,
+            'index-pattern': {
+              title: 'Testing'
+            }
+          }
+        }]
+      }));
+
+      const { saved_objects: savedObjects } = await savedObjectsRepository.bulkGet(
+        [
+          { id: 'good', type: 'config' },
+          { id: 'bad', type: 'config' },
+          { id: 'logstash-*', type: 'index-pattern' }
+        ], {
+          extraDocumentProperties: ['specialProperty', 'undefinedProperty']
+        }
+      );
+
+      expect(savedObjects).toHaveLength(3);
+
+      expect(savedObjects[0]).toEqual({
+        id: 'good',
+        type: 'config',
+        ...mockTimestampFields,
+        version: 2,
+        specialProperty: 'specialValue',
+        undefinedProperty: undefined,
+        attributes: { title: 'Test' }
+      });
+
+      expect(savedObjects[1]).toEqual({
+        id: 'bad',
+        type: 'config',
+        error: { statusCode: 404, message: 'Not found' }
+      });
+
+      expect(savedObjects[2]).toEqual({
+        id: 'logstash-*',
+        type: 'index-pattern',
+        ...mockTimestampFields,
+        version: 2,
+        specialProperty: 'anotherSpecialValue',
+        undefinedProperty: undefined,
+        attributes: {
+          title: 'Testing'
+        }
+      });
+    });
   });
 
   describe('#update', () => {
@@ -634,6 +865,60 @@ describe('SavedObjectsRepository', () => {
 
       sinon.assert.calledOnce(onBeforeWrite);
     });
+
+    it('updates the document including all provided extraDocumentProperties', async () => {
+      await savedObjectsRepository.update(
+        'index-pattern',
+        'logstash-*',
+        { title: 'Testing' },
+        { extraDocumentProperties: { extraProp: 'extraVal' } }
+      );
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'update', {
+        type: 'doc',
+        id: 'index-pattern:logstash-*',
+        version: undefined,
+        body: {
+          doc: { updated_at: mockTimestamp, extraProp: 'extraVal', 'index-pattern': { title: 'Testing' } }
+        },
+        ignore: [404],
+        refresh: 'wait_for',
+        index: '.kibana-test'
+      });
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
+
+    it('does not allow extraDocumentProperties to overwrite existing properties', async () => {
+      await savedObjectsRepository.update(
+        'index-pattern',
+        'logstash-*',
+        { title: 'Testing' },
+        {
+          extraDocumentProperties: {
+            extraProp: 'extraVal',
+            updated_at: 'should_not_be_used',
+            'index-pattern': { title: 'should_not_be_used', newIgnoredProp: 'should_not_be_used' }
+          }
+        }
+      );
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'update', {
+        type: 'doc',
+        id: 'index-pattern:logstash-*',
+        version: undefined,
+        body: {
+          doc: { updated_at: mockTimestamp, extraProp: 'extraVal', 'index-pattern': { title: 'Testing' } }
+        },
+        ignore: [404],
+        refresh: 'wait_for',
+        index: '.kibana-test'
+      });
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
   });
 
   describe('onBeforeWrite', () => {
diff --git a/src/server/saved_objects/service/lib/search_dsl/query_params.js b/src/server/saved_objects/service/lib/search_dsl/query_params.js
index bcf62f21ef4158..c5ca55f985bddc 100644
--- a/src/server/saved_objects/service/lib/search_dsl/query_params.js
+++ b/src/server/saved_objects/service/lib/search_dsl/query_params.js
@@ -65,24 +65,21 @@ function getFieldsForTypes(searchFields, types) {
  *  @param  {(string|Array<string>)} type
  *  @param  {String} search
  *  @param  {Array<string>} searchFields
+ *  @param {Array<object>} filters additional query filters
  *  @return {Object}
  */
-export function getQueryParams(mappings, type, search, searchFields) {
-  if (!type && !search) {
-    return {};
-  }
+export function getQueryParams(mappings, type, search, searchFields, filters = []) {
 
-  const bool = {};
+  const bool = {
+    filter: [...filters],
+  };
 
   if (type) {
-    bool.filter = [
-      { [Array.isArray(type) ? 'terms' : 'term']: { type } }
-    ];
+    bool.filter.push({ [Array.isArray(type) ? 'terms' : 'term']: { type } });
   }
 
   if (search) {
     bool.must = [
-      ...bool.must || [],
       {
         simple_query_string: {
           query: search,
@@ -95,5 +92,12 @@ export function getQueryParams(mappings, type, search, searchFields) {
     ];
   }
 
+  // Don't construct a query if there is nothing to search on.
+  if (bool.filter.length === 0 && !search) {
+    return {};
+  }
+
   return { query: { bool } };
 }
+
+
diff --git a/src/server/saved_objects/service/lib/search_dsl/query_params.test.js b/src/server/saved_objects/service/lib/search_dsl/query_params.test.js
index 53b943ee6793bd..e3e261db1e77e6 100644
--- a/src/server/saved_objects/service/lib/search_dsl/query_params.test.js
+++ b/src/server/saved_objects/service/lib/search_dsl/query_params.test.js
@@ -64,7 +64,7 @@ describe('searchDsl/queryParams', () => {
   });
 
   describe('{type}', () => {
-    it('adds a term filter when a string', () => {
+    it('includes just a terms filter', () => {
       expect(getQueryParams(MAPPINGS, 'saved'))
         .toEqual({
           query: {
@@ -78,15 +78,18 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
+  });
 
-    it('adds a terms filter when an array', () => {
-      expect(getQueryParams(MAPPINGS, ['saved', 'vis']))
+  describe('{type,filters}', () => {
+    it('includes filters and a term filter for type', () => {
+      expect(getQueryParams(MAPPINGS, 'saved', null, null, [{ terms: { foo: ['bar', 'baz'] } }]))
         .toEqual({
           query: {
             bool: {
               filter: [
+                { terms: { foo: ['bar', 'baz'] } },
                 {
-                  terms: { type: ['saved', 'vis'] }
+                  term: { type: 'saved' }
                 }
               ]
             }
@@ -101,6 +104,30 @@ describe('searchDsl/queryParams', () => {
         .toEqual({
           query: {
             bool: {
+              filter: [],
+              must: [
+                {
+                  simple_query_string: {
+                    query: 'us*',
+                    all_fields: true
+                  }
+                }
+              ]
+            }
+          }
+        });
+    });
+  });
+
+  describe('{search,filters}', () => {
+    it('includes filters and a sqs query', () => {
+      expect(getQueryParams(MAPPINGS, null, 'us*', null, [{ terms: { foo: ['bar', 'baz'] } }]))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [
+                { terms: { foo: ['bar', 'baz'] } }
+              ],
               must: [
                 {
                   simple_query_string: {
@@ -136,13 +163,17 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
-    it('includes bool with sqs query and terms filter for type', () => {
-      expect(getQueryParams(MAPPINGS, ['saved', 'vis'], 'y*'))
+  });
+
+  describe('{type,search,filters}', () => {
+    it('includes bool with sqs query, filters and term filter for type', () => {
+      expect(getQueryParams(MAPPINGS, 'saved', 'y*', null, [{ terms: { foo: ['bar', 'baz'] } }]))
         .toEqual({
           query: {
             bool: {
               filter: [
-                { terms: { type: ['saved', 'vis'] } }
+                { terms: { foo: ['bar', 'baz'] } },
+                { term: { type: 'saved' } }
               ],
               must: [
                 {
@@ -164,6 +195,7 @@ describe('searchDsl/queryParams', () => {
         .toEqual({
           query: {
             bool: {
+              filter: [],
               must: [
                 {
                   simple_query_string: {
@@ -184,6 +216,7 @@ describe('searchDsl/queryParams', () => {
         .toEqual({
           query: {
             bool: {
+              filter: [],
               must: [
                 {
                   simple_query_string: {
@@ -204,6 +237,81 @@ describe('searchDsl/queryParams', () => {
         .toEqual({
           query: {
             bool: {
+              filter: [],
+              must: [
+                {
+                  simple_query_string: {
+                    query: 'y*',
+                    fields: [
+                      'pending.title',
+                      'saved.title',
+                      'pending.title.raw',
+                      'saved.title.raw',
+                    ]
+                  }
+                }
+              ]
+            }
+          }
+        });
+    });
+  });
+
+  describe('{search,searchFields,filters}', () => {
+    it('specifies filters and includes all types for field', () => {
+      expect(getQueryParams(MAPPINGS, null, 'y*', ['title'], [{ terms: { foo: ['bar', 'baz'] } }]))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [
+                { terms: { foo: ['bar', 'baz'] } },
+              ],
+              must: [
+                {
+                  simple_query_string: {
+                    query: 'y*',
+                    fields: [
+                      'pending.title',
+                      'saved.title'
+                    ]
+                  }
+                }
+              ]
+            }
+          }
+        });
+    });
+    it('specifies filters and supports field boosting', () => {
+      expect(getQueryParams(MAPPINGS, null, 'y*', ['title^3'], [{ terms: { foo: ['bar', 'baz'] } }]))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [
+                { terms: { foo: ['bar', 'baz'] } },
+              ],
+              must: [
+                {
+                  simple_query_string: {
+                    query: 'y*',
+                    fields: [
+                      'pending.title^3',
+                      'saved.title^3'
+                    ]
+                  }
+                }
+              ]
+            }
+          }
+        });
+    });
+    it('specifies filters and supports field and multi-field', () => {
+      expect(getQueryParams(MAPPINGS, null, 'y*', ['title', 'title.raw'], [{ terms: { foo: ['bar', 'baz'] } }]))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [
+                { terms: { foo: ['bar', 'baz'] } },
+              ],
               must: [
                 {
                   simple_query_string: {
@@ -224,7 +332,7 @@ describe('searchDsl/queryParams', () => {
   });
 
   describe('{type,search,searchFields}', () => {
-    it('includes bool, with term filter and sqs with field list', () => {
+    it('includes bool, and sqs with field list', () => {
       expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title']))
         .toEqual({
           query: {
@@ -246,13 +354,35 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
-    it('includes bool, with terms filter and sqs with field list', () => {
-      expect(getQueryParams(MAPPINGS, ['saved', 'vis'], 'y*', ['title']))
+    it('supports fields pointing to multi-fields', () => {
+      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title.raw']))
         .toEqual({
           query: {
             bool: {
               filter: [
-                { terms: { type: ['saved', 'vis'] } }
+                { term: { type: 'saved' } }
+              ],
+              must: [
+                {
+                  simple_query_string: {
+                    query: 'y*',
+                    fields: [
+                      'saved.title.raw'
+                    ]
+                  }
+                }
+              ]
+            }
+          }
+        });
+    });
+    it('supports multiple search fields', () => {
+      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title', 'title.raw']))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [
+                { term: { type: 'saved' } }
               ],
               must: [
                 {
@@ -260,7 +390,33 @@ describe('searchDsl/queryParams', () => {
                     query: 'y*',
                     fields: [
                       'saved.title',
-                      'vis.title'
+                      'saved.title.raw'
+                    ]
+                  }
+                }
+              ]
+            }
+          }
+        });
+    });
+  });
+
+  describe('{type,search,searchFields,filters}', () => {
+    it('includes specified filters, type filter and sqs with field list', () => {
+      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title'], [{ terms: { foo: ['bar', 'baz'] } }]))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [
+                { terms: { foo: ['bar', 'baz'] } },
+                { term: { type: 'saved' } }
+              ],
+              must: [
+                {
+                  simple_query_string: {
+                    query: 'y*',
+                    fields: [
+                      'saved.title'
                     ]
                   }
                 }
@@ -270,11 +426,12 @@ describe('searchDsl/queryParams', () => {
         });
     });
     it('supports fields pointing to multi-fields', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title.raw']))
+      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title.raw'], [{ terms: { foo: ['bar', 'baz'] } }]))
         .toEqual({
           query: {
             bool: {
               filter: [
+                { terms: { foo: ['bar', 'baz'] } },
                 { term: { type: 'saved' } }
               ],
               must: [
@@ -292,11 +449,12 @@ describe('searchDsl/queryParams', () => {
         });
     });
     it('supports multiple search fields', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title', 'title.raw']))
+      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title', 'title.raw'], [{ terms: { foo: ['bar', 'baz'] } }]))
         .toEqual({
           query: {
             bool: {
               filter: [
+                { terms: { foo: ['bar', 'baz'] } },
                 { term: { type: 'saved' } }
               ],
               must: [
diff --git a/src/server/saved_objects/service/lib/search_dsl/search_dsl.js b/src/server/saved_objects/service/lib/search_dsl/search_dsl.js
index ea34c127e98549..94f938c921ed07 100644
--- a/src/server/saved_objects/service/lib/search_dsl/search_dsl.js
+++ b/src/server/saved_objects/service/lib/search_dsl/search_dsl.js
@@ -28,7 +28,8 @@ export function getSearchDsl(mappings, options = {}) {
     search,
     searchFields,
     sortField,
-    sortOrder
+    sortOrder,
+    filters,
   } = options;
 
   if (!type && sortField) {
@@ -39,8 +40,12 @@ export function getSearchDsl(mappings, options = {}) {
     throw Boom.notAcceptable('sortOrder requires a sortField');
   }
 
+  if (filters && !Array.isArray(filters)) {
+    throw Boom.notAcceptable('filters must be an array');
+  }
+
   return {
-    ...getQueryParams(mappings, type, search, searchFields),
+    ...getQueryParams(mappings, type, search, searchFields, filters),
     ...getSortingParams(mappings, type, sortField, sortOrder),
   };
 }
diff --git a/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js b/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js
index 85302b5e257222..6ed40a7929dcff 100644
--- a/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js
+++ b/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js
@@ -46,13 +46,14 @@ describe('getSearchDsl', () => {
   });
 
   describe('passes control', () => {
-    it('passes (mappings, type, search, searchFields) to getQueryParams', () => {
+    it('passes (mappings, type, search, searchFields, filters) to getQueryParams', () => {
       const spy = sandbox.spy(queryParamsNS, 'getQueryParams');
       const mappings = { type: { properties: {} } };
       const opts = {
         type: 'foo',
         search: 'bar',
         searchFields: ['baz'],
+        filters: [{ bool: {} }],
       };
 
       getSearchDsl(mappings, opts);
@@ -63,6 +64,7 @@ describe('getSearchDsl', () => {
         opts.type,
         opts.search,
         opts.searchFields,
+        opts.filters,
       );
     });
 
diff --git a/src/server/saved_objects/service/saved_objects_client.js b/src/server/saved_objects/service/saved_objects_client.js
index 7741800fc2e272..1d69d55f9f4aee 100644
--- a/src/server/saved_objects/service/saved_objects_client.js
+++ b/src/server/saved_objects/service/saved_objects_client.js
@@ -102,6 +102,7 @@ export class SavedObjectsClient {
    * @param {object} [options={}]
    * @property {string} [options.id] - force id on creation, not recommended
    * @property {boolean} [options.overwrite=false]
+   * @property {object} [options.extraDocumentProperties={}] - extra properties to append to the document body, outside of the object's type property
    * @returns {promise} - { id, type, version, attributes }
   */
   async create(type, attributes = {}, options = {}) {
@@ -111,7 +112,7 @@ export class SavedObjectsClient {
   /**
    * Creates multiple documents at once
    *
-   * @param {array} objects - [{ type, id, attributes }]
+   * @param {array} objects - [{ type, id, attributes, extraDocumentProperties }]
    * @param {object} [options={}]
    * @property {boolean} [options.overwrite=false] - overwrites existing documents
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes, error: { message } }]}
@@ -137,6 +138,7 @@ export class SavedObjectsClient {
    * @property {string} [options.search]
    * @property {Array<string>} [options.searchFields] - see Elasticsearch Simple Query String
    *                                        Query field argument for more information
+   * @property {object} [options.filters] - ES Query filters to append
    * @property {integer} [options.page=1]
    * @property {integer} [options.perPage=20]
    * @property {string} [options.sortField]
@@ -152,6 +154,8 @@ export class SavedObjectsClient {
    * Returns an array of objects by id
    *
    * @param {array} objects - an array ids, or an array of objects containing id and optionally type
+   * @param {object} [options = {}]
+   * @param {array} [options.extraSourceProperties = []] - an array of extra properties to return from the underlying document
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }] }
    * @example
    *
@@ -160,8 +164,8 @@ export class SavedObjectsClient {
    *   { id: 'foo', type: 'index-pattern' }
    * ])
    */
-  async bulkGet(objects = []) {
-    return this._repository.bulkGet(objects);
+  async bulkGet(objects = [], options = {}) {
+    return this._repository.bulkGet(objects, options);
   }
 
   /**
@@ -169,10 +173,12 @@ export class SavedObjectsClient {
    *
    * @param {string} type
    * @param {string} id
+   * @param {object} [options = {}]
+   * @param {array} [options.extraSourceProperties = []] - an array of extra properties to return from the underlying document
    * @returns {promise} - { id, type, version, attributes }
    */
-  async get(type, id) {
-    return this._repository.get(type, id);
+  async get(type, id, options = {}) {
+    return this._repository.get(type, id, options);
   }
 
   /**
@@ -182,6 +188,7 @@ export class SavedObjectsClient {
    * @param {string} id
    * @param {object} [options={}]
    * @property {integer} options.version - ensures version matches that of persisted object
+   * @param {array} [options.extraDocumentProperties = {}] - an object of extra properties to write into the underlying document
    * @returns {promise}
    */
   async update(type, id, attributes, options = {}) {
diff --git a/src/server/saved_objects/service/saved_objects_client.test.js b/src/server/saved_objects/service/saved_objects_client.test.js
index a7189f5a39898b..56127023dd1fe9 100644
--- a/src/server/saved_objects/service/saved_objects_client.test.js
+++ b/src/server/saved_objects/service/saved_objects_client.test.js
@@ -87,9 +87,10 @@ test(`#bulkGet`, async () => {
   const client = new SavedObjectsClient(mockRepository);
 
   const objects = {};
-  const result = await client.bulkGet(objects);
+  const options = Symbol();
+  const result = await client.bulkGet(objects, options);
 
-  expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects);
+  expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects, options);
   expect(result).toBe(returnValue);
 });
 
@@ -102,9 +103,10 @@ test(`#get`, async () => {
 
   const type = 'foo';
   const id = 1;
-  const result = await client.get(type, id);
+  const options = Symbol();
+  const result = await client.get(type, id, options);
 
-  expect(mockRepository.get).toHaveBeenCalledWith(type, id);
+  expect(mockRepository.get).toHaveBeenCalledWith(type, id, options);
   expect(result).toBe(returnValue);
 });
 
diff --git a/src/ui/ui_settings/create_or_upgrade_saved_config/__tests__/create_or_upgrade_integration.js b/src/ui/ui_settings/create_or_upgrade_saved_config/__tests__/create_or_upgrade_integration.js
index 2fb7a325d61c1a..e5ce9b9ea3b703 100644
--- a/src/ui/ui_settings/create_or_upgrade_saved_config/__tests__/create_or_upgrade_integration.js
+++ b/src/ui/ui_settings/create_or_upgrade_saved_config/__tests__/create_or_upgrade_integration.js
@@ -224,4 +224,4 @@ describe('createOrUpgradeSavedConfig()', () => {
         '5.4.0-rc1': true,
       });
   });
-});
+});
\ No newline at end of file
diff --git a/src/ui/ui_settings/create_or_upgrade_saved_config/__tests__/create_or_upgrade_saved_config.js b/src/ui/ui_settings/create_or_upgrade_saved_config/__tests__/create_or_upgrade_saved_config.js
index e25002e9c9c1c1..b0b823800a660a 100644
--- a/src/ui/ui_settings/create_or_upgrade_saved_config/__tests__/create_or_upgrade_saved_config.js
+++ b/src/ui/ui_settings/create_or_upgrade_saved_config/__tests__/create_or_upgrade_saved_config.js
@@ -135,4 +135,4 @@ describe('uiSettings/createOrUpgradeSavedConfig', function () {
       );
     });
   });
-});
+});
\ No newline at end of file
diff --git a/src/ui/ui_settings/create_or_upgrade_saved_config/create_or_upgrade_saved_config.js b/src/ui/ui_settings/create_or_upgrade_saved_config/create_or_upgrade_saved_config.js
index bf3a49fcbdc3ea..4bd4d8e86b73a9 100644
--- a/src/ui/ui_settings/create_or_upgrade_saved_config/create_or_upgrade_saved_config.js
+++ b/src/ui/ui_settings/create_or_upgrade_saved_config/create_or_upgrade_saved_config.js
@@ -55,4 +55,4 @@ export async function createOrUpgradeSavedConfig(options) {
     attributes,
     { id: version }
   );
-}
+}
\ No newline at end of file
diff --git a/src/ui/ui_settings/ui_settings_service.js b/src/ui/ui_settings/ui_settings_service.js
index bf9b12133999ac..c6a65ce2f05014 100644
--- a/src/ui/ui_settings/ui_settings_service.js
+++ b/src/ui/ui_settings/ui_settings_service.js
@@ -167,4 +167,4 @@ export class UiSettingsService {
       throw error;
     }
   }
-}
+}
\ No newline at end of file
diff --git a/src/ui/ui_settings/ui_settings_service_factory.js b/src/ui/ui_settings/ui_settings_service_factory.js
index 4b9859abf6bdb3..1eae6146502629 100644
--- a/src/ui/ui_settings/ui_settings_service_factory.js
+++ b/src/ui/ui_settings/ui_settings_service_factory.js
@@ -47,4 +47,4 @@ export function uiSettingsServiceFactory(server, options) {
     getDefaults,
     log: (...args) => server.log(...args),
   });
-}
+}
\ No newline at end of file
diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 9843892d8ca0f4..32be38c740b0f1 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -21,7 +21,7 @@ import { SecurityAuditLogger } from './server/lib/audit_logger';
 import { AuditLogger } from '../../server/lib/audit_logger';
 import { SecureSavedObjectsClient } from './server/lib/saved_objects_client/secure_saved_objects_client';
 import { initAuthorizationService, registerPrivilegesWithCluster } from './server/lib/authorization';
-import { watchStatusAndLicenseToInitialize } from './server/lib/watch_status_and_license_to_initialize';
+import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status_and_license_to_initialize';
 
 export const security = (kibana) => new kibana.Plugin({
   id: 'security',
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index eb19f59c296932..f246088f87cdc8 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -64,22 +64,22 @@ export class SecureSavedObjectsClient {
     return await this._findAcrossAllTypes(options);
   }
 
-  async bulkGet(objects = []) {
+  async bulkGet(objects = [], options = {}) {
     const types = uniq(objects.map(o => o.type));
     return await this._execute(
       types,
       'bulk_get',
-      { objects },
-      repository => repository.bulkGet(objects)
+      { objects, options },
+      repository => repository.bulkGet(objects, options)
     );
   }
 
-  async get(type, id) {
+  async get(type, id, options = {}) {
     return await this._execute(
       type,
       'get',
-      { type, id },
-      repository => repository.get(type, id)
+      { type, id, options },
+      repository => repository.get(type, id, options)
     );
   }
 
@@ -134,7 +134,7 @@ export class SecureSavedObjectsClient {
     }
 
     const authorizedTypes = Array.from(typesToPrivilegesMap.entries())
-      .filter(([ , privilege]) => !missing.includes(privilege))
+      .filter(([, privilege]) => !missing.includes(privilege))
       .map(([type]) => type);
 
     if (authorizedTypes.length === 0) {
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
index 99656772c0df79..e9ac730f5831b4 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
@@ -508,6 +508,7 @@ describe('#find', () => {
           ],
         };
       });
+
       const mockAuditLogger = createMockAuditLogger();
       const mockActions = createMockActions();
       const client = new SecureSavedObjectsClient({
@@ -516,7 +517,7 @@ describe('#find', () => {
         auditLogger: mockAuditLogger,
         actions: mockActions,
       });
-      const options = { type: [ type1, type2 ] };
+      const options = { type: [type1, type2] };
 
       await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
 
@@ -820,8 +821,9 @@ describe('#bulkGet', () => {
       { type: type1 },
       { type: type2 },
     ];
+    const options = Symbol();
 
-    await expect(client.bulkGet(objects)).rejects.toThrowError(mockErrors.forbiddenError);
+    await expect(client.bulkGet(objects, options)).rejects.toThrowError(mockErrors.forbiddenError);
 
     expect(mockCheckPrivileges).toHaveBeenCalledWith([
       mockActions.getSavedObjectAction(type1, 'bulk_get'),
@@ -834,7 +836,8 @@ describe('#bulkGet', () => {
       [type1, type2],
       [mockActions.getSavedObjectAction(type1, 'bulk_get')],
       {
-        objects
+        objects,
+        options,
       }
     );
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -863,14 +866,16 @@ describe('#bulkGet', () => {
       { type: type1, id: 'foo-id' },
       { type: type2, id: 'bar-id' },
     ];
+    const options = Symbol();
 
-    const result = await client.bulkGet(objects);
+    const result = await client.bulkGet(objects, options);
 
     expect(result).toBe(returnValue);
-    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects);
+    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_get', [type1, type2], {
       objects,
+      options,
     });
   });
 
@@ -898,11 +903,12 @@ describe('#bulkGet', () => {
       { type: type1, id: 'foo-id' },
       { type: type2, id: 'bar-id' },
     ];
+    const options = Symbol();
 
-    const result = await client.bulkGet(objects);
+    const result = await client.bulkGet(objects, options);
 
     expect(result).toBe(returnValue);
-    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects);
+    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
@@ -950,8 +956,9 @@ describe('#get', () => {
       actions: mockActions,
     });
     const id = Symbol();
+    const options = Symbol();
 
-    await expect(client.get(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
+    await expect(client.get(type, id, options)).rejects.toThrowError(mockErrors.forbiddenError);
 
     expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'get')]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
@@ -963,6 +970,7 @@ describe('#get', () => {
       {
         type,
         id,
+        options,
       }
     );
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -987,15 +995,17 @@ describe('#get', () => {
       actions: createMockActions(),
     });
     const id = Symbol();
+    const options = Symbol();
 
-    const result = await client.get(type, id);
+    const result = await client.get(type, id, options);
 
     expect(result).toBe(returnValue);
-    expect(mockRepository.get).toHaveBeenCalledWith(type, id);
+    expect(mockRepository.get).toHaveBeenCalledWith(type, id, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'get', [type], {
       type,
       id,
+      options
     });
   });
 
@@ -1019,11 +1029,12 @@ describe('#get', () => {
       actions: createMockActions(),
     });
     const id = Symbol();
+    const options = Symbol();
 
-    const result = await client.get(type, id);
+    const result = await client.get(type, id, options);
 
     expect(result).toBe(returnValue);
-    expect(mockRepository.get).toHaveBeenCalledWith(type, id);
+    expect(mockRepository.get).toHaveBeenCalledWith(type, id, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
diff --git a/x-pack/plugins/spaces/common/spaces_url_parser.js b/x-pack/plugins/spaces/common/spaces_url_parser.js
deleted file mode 100644
index 075f09eea03a3f..00000000000000
--- a/x-pack/plugins/spaces/common/spaces_url_parser.js
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-export function getSpaceUrlContext(basePath = '/', defaultContext = null) {
-  // Look for `/s/space-url-context` in the base path
-  const matchResult = basePath.match(/\/s\/([a-z0-9\-]+)/);
-
-  if (!matchResult || matchResult.length === 0) {
-    return defaultContext;
-  }
-
-  // Ignoring first result, we only want the capture group result at index 1
-  const [, urlContext = defaultContext] = matchResult;
-
-  return urlContext;
-}
-
-export function stripSpaceUrlContext(basePath = '/') {
-  const currentSpaceUrlContext = getSpaceUrlContext(basePath);
-
-  let basePathWithoutSpace;
-  if (currentSpaceUrlContext) {
-    const indexOfSpaceContext = basePath.indexOf(`/s/${currentSpaceUrlContext}`);
-
-    const startsWithSpace = indexOfSpaceContext === 0;
-
-    if (startsWithSpace) {
-      basePathWithoutSpace = '/';
-    } else {
-      basePathWithoutSpace = basePath.substring(0, indexOfSpaceContext);
-    }
-  } else {
-    basePathWithoutSpace = basePath;
-  }
-
-  if (basePathWithoutSpace.endsWith('/')) {
-    return basePathWithoutSpace.substr(0, -1);
-  }
-
-  return basePathWithoutSpace;
-}
diff --git a/x-pack/plugins/spaces/common/spaces_url_parser.test.js b/x-pack/plugins/spaces/common/spaces_url_parser.test.js
deleted file mode 100644
index ee0813b2f70acb..00000000000000
--- a/x-pack/plugins/spaces/common/spaces_url_parser.test.js
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-import { stripSpaceUrlContext, getSpaceUrlContext } from './spaces_url_parser';
-
-test('it removes the space url context from the base path when the space is not at the root', () => {
-  const basePath = `/foo/s/my-space`;
-  expect(stripSpaceUrlContext(basePath)).toEqual('/foo');
-});
-
-test('it removes the space url context from the base path when the space is the root', () => {
-  const basePath = `/s/my-space`;
-  expect(stripSpaceUrlContext(basePath)).toEqual('');
-});
-
-test(`it doesn't change base paths without a space url context`, () => {
-  const basePath = `/this/is/a-base-path/ok`;
-  expect(stripSpaceUrlContext(basePath)).toEqual(basePath);
-});
-
-test('it accepts no parameters', () => {
-  expect(stripSpaceUrlContext()).toEqual('');
-});
-
-test('it remove the trailing slash', () => {
-  expect(stripSpaceUrlContext('/')).toEqual('');
-});
-
-test('it identifies the space url context', () => {
-  const basePath = `/this/is/a/crazy/path/s/my-awesome-space-lives-here`;
-  expect(getSpaceUrlContext(basePath)).toEqual('my-awesome-space-lives-here');
-});
-
-test('it handles base url without a space url context', () => {
-  const basePath = `/this/is/a/crazy/path/s`;
-  expect(getSpaceUrlContext(basePath)).toEqual(null);
-});
diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index 38d2e84cc992f9..480641cc792f2c 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -10,10 +10,12 @@ import { checkLicense } from './server/lib/check_license';
 import { initSpacesApi } from './server/routes/api/v1/spaces';
 import { initSpacesRequestInterceptors } from './server/lib/space_request_interceptors';
 import { createDefaultSpace } from './server/lib/create_default_space';
-import { mirrorPluginStatus } from '../../server/lib/mirror_plugin_status';
+import { createSpacesService } from './server/lib/create_spaces_service';
 import { getActiveSpace } from './server/lib/get_active_space';
 import { wrapError } from './server/lib/errors';
 import mappings from './mappings.json';
+import { spacesSavedObjectsClientWrapperFactory } from './server/lib/saved_objects_client/saved_objects_client_wrapper_factory';
+import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status_and_license_to_initialize';
 
 export const spaces = (kibana) => new kibana.Plugin({
   id: 'spaces',
@@ -46,11 +48,11 @@ export const spaces = (kibana) => new kibana.Plugin({
         activeSpace: null
       };
     },
-    replaceInjectedVars: async function (vars, request) {
+    replaceInjectedVars: async function (vars, request, server) {
       try {
         vars.activeSpace = {
           valid: true,
-          space: await getActiveSpace(request.getSavedObjectsClient(), request.getBasePath())
+          space: await getActiveSpace(request.getSavedObjectsClient(), request.getBasePath(), server.config().get('server.basePath'))
         };
       } catch (e) {
         vars.activeSpace = {
@@ -65,7 +67,10 @@ export const spaces = (kibana) => new kibana.Plugin({
   async init(server) {
     const thisPlugin = this;
     const xpackMainPlugin = server.plugins.xpack_main;
-    mirrorPluginStatus(xpackMainPlugin, thisPlugin);
+
+    watchStatusAndLicenseToInitialize(xpackMainPlugin, thisPlugin, async () => {
+      await createDefaultSpace(server);
+    });
 
     // Register a function that is called whenever the xpack info changes,
     // to re-compute the license check results for this plugin
@@ -74,10 +79,16 @@ export const spaces = (kibana) => new kibana.Plugin({
     const config = server.config();
     validateConfig(config, message => server.log(['spaces', 'warning'], message));
 
+    const spacesService = createSpacesService(server);
+    server.decorate('server', 'spaces', spacesService);
+
+    const { addScopedSavedObjectsClientWrapperFactory, types } = server.savedObjects;
+    addScopedSavedObjectsClientWrapperFactory(
+      spacesSavedObjectsClientWrapperFactory(spacesService, types)
+    );
+
     initSpacesApi(server);
 
     initSpacesRequestInterceptors(server);
-
-    await createDefaultSpace(server);
   }
 });
diff --git a/x-pack/plugins/spaces/public/lib/spaces_manager.js b/x-pack/plugins/spaces/public/lib/spaces_manager.js
index 475f8c1b03b722..7d0243dc038c44 100644
--- a/x-pack/plugins/spaces/public/lib/spaces_manager.js
+++ b/x-pack/plugins/spaces/public/lib/spaces_manager.js
@@ -3,6 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+import { toastNotifications } from 'ui/notify';
 
 import { EventEmitter } from 'events';
 
@@ -39,7 +40,27 @@ export class SpacesManager extends EventEmitter {
       .delete(`${this._baseUrl}/space/${space.id}`);
   }
 
+  async changeSelectedSpace(space) {
+    return await this._httpAgent
+      .post(`${this._baseUrl}/space/${space.id}/select`)
+      .then(response => {
+        if (response.data && response.data.location) {
+          window.location = response.data.location;
+        } else {
+          this._displayError();
+        }
+      })
+      .catch(() => this._displayError());
+  }
+
   async requestRefresh() {
     this.emit('request_refresh');
   }
+
+  _displayError() {
+    toastNotifications.addDanger({
+      title: 'Unable to change your Space',
+      text: 'please try again later'
+    });
+  }
 }
diff --git a/x-pack/plugins/spaces/public/views/components/__snapshots__/space_avatar.test.js.snap b/x-pack/plugins/spaces/public/views/components/__snapshots__/space_avatar.test.js.snap
new file mode 100644
index 00000000000000..14a898d7e66d6d
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/components/__snapshots__/space_avatar.test.js.snap
@@ -0,0 +1,11 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`renders without crashing 1`] = `
+<EuiAvatar
+  initials=""
+  initialsLength={2}
+  name=""
+  size="m"
+  type="space"
+/>
+`;
diff --git a/x-pack/plugins/spaces/public/views/components/space_avatar.test.js b/x-pack/plugins/spaces/public/views/components/space_avatar.test.js
new file mode 100644
index 00000000000000..d63d3b393940d0
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/components/space_avatar.test.js
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { shallow } from 'enzyme';
+import { SpaceAvatar } from './space_avatar';
+
+test('renders without crashing', () => {
+  const wrapper = shallow(<SpaceAvatar space={{}} />);
+  expect(wrapper).toMatchSnapshot();
+});
diff --git a/x-pack/plugins/spaces/public/views/components/space_cards.js b/x-pack/plugins/spaces/public/views/components/space_cards.js
index 5e96bc50cc4e20..7a96485d7c1756 100644
--- a/x-pack/plugins/spaces/public/views/components/space_cards.js
+++ b/x-pack/plugins/spaces/public/views/components/space_cards.js
@@ -6,9 +6,7 @@
 
 import React, { Component } from 'react';
 import PropTypes from 'prop-types';
-import chrome from 'ui/chrome';
 import { SpaceCard } from './space_card';
-import { stripSpaceUrlContext } from '../../../common/spaces_url_parser';
 import {
   EuiFlexGroup,
   EuiFlexItem,
@@ -34,13 +32,12 @@ export class SpaceCards extends Component {
 
   createSpaceClickHandler = (space) => {
     return () => {
-      const baseUrlWithoutSpace = stripSpaceUrlContext(chrome.getBasePath());
-
-      window.location = `${baseUrlWithoutSpace}/s/${space.urlContext}`;
+      this.props.onSpaceSelect(space);
     };
   };
 }
 
 SpaceCards.propTypes = {
   spaces: PropTypes.array.isRequired,
+  onSpaceSelect: PropTypes.func.isRequired,
 };
diff --git a/x-pack/plugins/spaces/public/views/components/space_cards.test.js b/x-pack/plugins/spaces/public/views/components/space_cards.test.js
index e970c379960361..0a7fdd79d2059f 100644
--- a/x-pack/plugins/spaces/public/views/components/space_cards.test.js
+++ b/x-pack/plugins/spaces/public/views/components/space_cards.test.js
@@ -15,5 +15,5 @@ test('it renders without crashing', () => {
     description: 'space description'
   };
 
-  shallow(<SpaceCards spaces={[space]} />);
-});
\ No newline at end of file
+  shallow(<SpaceCards spaces={[space]} onSpaceSelect={jest.fn()} />);
+});
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
index 5157621d2727e3..6ef9b338645ecc 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
@@ -155,7 +155,7 @@ export class NavControlModal extends Component {
         </EuiModalHeader>
         <EuiModalBody>
           {callout}
-          <SpaceCards spaces={this.state.spaces} />
+          <SpaceCards spaces={this.state.spaces} onSpaceSelect={this.onSelectSpace} />
         </EuiModalBody>
       </EuiModal>
     );
@@ -177,6 +177,10 @@ export class NavControlModal extends Component {
       isOpen: false
     });
   }
+
+  onSelectSpace = (space) => {
+    this.props.spacesManager.changeSelectedSpace(space);
+  }
 }
 
 NavControlModal.propTypes = {
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
index 57fd8d8e4b4882..b0ac621ce845db 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
@@ -66,7 +66,7 @@ export class SpaceSelector extends Component {
     let filteredSpaces = spaces;
     if (searchTerm) {
       filteredSpaces = spaces
-        .filter(s => s.name.toLowerCase().indexOf(searchTerm) >= 0 || s.description.toLowerCase().indexOf(searchTerm) >= 0);
+        .filter(space => space.name.toLowerCase().indexOf(searchTerm) >= 0 || space.description.toLowerCase().indexOf(searchTerm) >= 0);
     }
 
     return (
@@ -97,7 +97,7 @@ export class SpaceSelector extends Component {
 
             <EuiSpacer size="xl" />
 
-            <SpaceCards spaces={filteredSpaces} />
+            <SpaceCards spaces={filteredSpaces} onSpaceSelect={this.onSelectSpace} />
 
             {
               filteredSpaces.length === 0 &&
@@ -134,6 +134,10 @@ export class SpaceSelector extends Component {
       searchTerm: searchTerm.trim().toLowerCase()
     });
   }
+
+  onSelectSpace = (space) => {
+    this.props.spacesManager.changeSelectedSpace(space);
+  }
 }
 
 SpaceSelector.propTypes = {
diff --git a/x-pack/plugins/spaces/server/lib/__snapshots__/spaces_url_parser.test.js.snap b/x-pack/plugins/spaces/server/lib/__snapshots__/spaces_url_parser.test.js.snap
new file mode 100644
index 00000000000000..a42d029097b670
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/__snapshots__/spaces_url_parser.test.js.snap
@@ -0,0 +1,3 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`addSpaceUrlContext it throws an error when the requested path does not start with a slash 1`] = `"path must start with a /"`;
diff --git a/x-pack/plugins/spaces/server/lib/create_spaces_service.js b/x-pack/plugins/spaces/server/lib/create_spaces_service.js
new file mode 100644
index 00000000000000..d393a6937ef504
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/create_spaces_service.js
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { getSpaceUrlContext } from './spaces_url_parser';
+
+export function createSpacesService(server) {
+
+  const serverBasePath = server.config().get('server.basePath');
+
+  const contextCache = new WeakMap();
+
+  function getUrlContext(request) {
+    if (!contextCache.has(request)) {
+      populateCache(request);
+    }
+
+    const { urlContext } = contextCache.get(request);
+    return urlContext;
+  }
+
+  function populateCache(request) {
+    const urlContext = getSpaceUrlContext(request.getBasePath(), serverBasePath);
+
+    contextCache.set(request, {
+      urlContext
+    });
+  }
+
+  return {
+    getUrlContext,
+  };
+}
diff --git a/x-pack/plugins/spaces/server/lib/create_spaces_service.test.js b/x-pack/plugins/spaces/server/lib/create_spaces_service.test.js
new file mode 100644
index 00000000000000..578a161229c41b
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/create_spaces_service.test.js
@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { createSpacesService } from "./create_spaces_service";
+
+const createRequest = (urlContext, serverBasePath = '') => ({
+  getBasePath: () => urlContext ? `${serverBasePath}/s/${urlContext}` : serverBasePath
+});
+
+const createMockServer = (config) => {
+  return {
+    config: jest.fn(() => {
+      return {
+        get: jest.fn((key) => {
+          return config[key];
+        })
+      };
+    })
+  };
+};
+
+test('returns empty string for the default space', () => {
+  const server = createMockServer({
+    'server.basePath': ''
+  });
+
+  const service = createSpacesService(server);
+  expect(service.getUrlContext(createRequest())).toEqual('');
+});
+
+test('returns the urlContext for the current space', () => {
+  const request = createRequest('my-space-context');
+  const server = createMockServer({
+    'server.basePath': ''
+  });
+
+  const service = createSpacesService(server);
+  expect(service.getUrlContext(request)).toEqual('my-space-context');
+});
+
+test(`returns the urlContext for the current space when a server basepath is defined`, () => {
+  const request = createRequest('my-space-context', '/foo');
+  const server = createMockServer({
+    'server.basePath': '/foo'
+  });
+
+  const service = createSpacesService(server);
+  expect(service.getUrlContext(request)).toEqual('my-space-context');
+});
diff --git a/x-pack/plugins/spaces/server/lib/get_active_space.js b/x-pack/plugins/spaces/server/lib/get_active_space.js
index c57957b1a6f938..834682228eaa40 100644
--- a/x-pack/plugins/spaces/server/lib/get_active_space.js
+++ b/x-pack/plugins/spaces/server/lib/get_active_space.js
@@ -6,11 +6,11 @@
 
 import Boom from 'boom';
 import { wrapError } from './errors';
-import { getSpaceUrlContext } from '../../common/spaces_url_parser';
+import { getSpaceUrlContext } from './spaces_url_parser';
 import { DEFAULT_SPACE_ID } from '../../common/constants';
 
-export async function getActiveSpace(savedObjectsClient, basePath) {
-  const spaceContext = getSpaceUrlContext(basePath);
+export async function getActiveSpace(savedObjectsClient, requestBasePath, serverBasePath) {
+  const spaceContext = getSpaceUrlContext(requestBasePath, serverBasePath);
 
   let space;
 
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap b/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
new file mode 100644
index 00000000000000..861b170685f993
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
@@ -0,0 +1,13 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`current space (space_1) #create #delete does not allow an object to be deleted via a different space 1`] = `"not found"`;
+
+exports[`current space (space_1) #create #update does not allow an object to be updated via a different space 1`] = `"not found"`;
+
+exports[`current space (space_1) #get returns error when the object belongs to a different space 1`] = `"not found"`;
+
+exports[`default space #delete does not allow an object to be deleted via a different space 1`] = `"not found"`;
+
+exports[`default space #get returns error when the object belongs to a different space 1`] = `"not found"`;
+
+exports[`default space #update does not allow an object to be updated via a different space 1`] = `"not found"`;
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/__snapshots__/query_filters.test.js.snap b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/__snapshots__/query_filters.test.js.snap
new file mode 100644
index 00000000000000..d3b95886e83535
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/__snapshots__/query_filters.test.js.snap
@@ -0,0 +1,5 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`throws if types contains an empty entry 1`] = `"type is required to build filter clause"`;
+
+exports[`throws when no types are provided 1`] = `"At least one type must be provided to \\"getSpacesQueryFilters\\""`;
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.js
new file mode 100644
index 00000000000000..720fb7e28e1175
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.js
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/**
+ * Returns if the provided Saved Object type is "space aware".
+ * Most types should be space-aware, and those that aren't should typically strive to become space-aware.
+ * Types that are not space-aware will appear in every space, and are not bound by any space-specific access controls.
+ */
+export function isTypeSpaceAware(type) {
+  return type !== 'space' && type !== 'config';
+}
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.test.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.test.js
new file mode 100644
index 00000000000000..a88d4c35125f79
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.test.js
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { isTypeSpaceAware } from "./is_type_space_aware";
+
+const knownSpaceAwareTypes = [
+  'dashboard',
+  'visualization',
+  'saved_search',
+  'timelion_sheet',
+  'index_pattern'
+];
+
+const unawareTypes = ['space'];
+
+knownSpaceAwareTypes.forEach(type => test(`${type} should be space-aware`, () => {
+  expect(isTypeSpaceAware(type)).toBe(true);
+}));
+
+unawareTypes.forEach(type => test(`${type} should not be space-aware`, () => {
+  expect(isTypeSpaceAware(type)).toBe(false);
+}));
+
+test(`unknown types should default to space-aware`, () => {
+  expect(isTypeSpaceAware('an-unknown-type')).toBe(true);
+});
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.js
new file mode 100644
index 00000000000000..cf1754c056c3fe
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.js
@@ -0,0 +1,70 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { DEFAULT_SPACE_ID } from "../../../../common/constants";
+import { isTypeSpaceAware } from "./is_type_space_aware";
+
+function getClauseForType(spaceId, type) {
+  const shouldFilterOnSpace = isTypeSpaceAware(type) && spaceId;
+  const isDefaultSpace = spaceId === DEFAULT_SPACE_ID;
+
+  const bool = {
+    must: []
+  };
+
+  if (!type) {
+    throw new Error(`type is required to build filter clause`);
+  }
+
+  bool.must.push({
+    term: {
+      type
+    }
+  });
+
+  if (shouldFilterOnSpace) {
+    if (isDefaultSpace) {
+      // The default space does not add its spaceId to the objects that belong to it, in order
+      // to be compatible with installations that are not always space-aware.
+      bool.must_not = [{
+        exists: {
+          field: "spaceId"
+        }
+      }];
+    } else {
+      bool.must.push({
+        term: {
+          spaceId
+        }
+      });
+    }
+  }
+
+  return {
+    bool
+  };
+}
+
+export function getSpacesQueryFilters(spaceId, types = []) {
+  if (types.length === 0) {
+    throw new Error(`At least one type must be provided to "getSpacesQueryFilters"`);
+  }
+
+  const filters = [];
+
+  const typeClauses = types.map((type) => getClauseForType(spaceId, type));
+
+  if (typeClauses.length > 0) {
+    filters.push({
+      bool: {
+        should: typeClauses,
+        minimum_should_match: 1
+      }
+    });
+  }
+
+  return filters;
+}
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.test.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.test.js
new file mode 100644
index 00000000000000..a7bcacc524caac
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.test.js
@@ -0,0 +1,139 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { getSpacesQueryFilters } from './query_filters';
+
+test('throws when no types are provided', () => {
+  expect(() => getSpacesQueryFilters('space_1', [])).toThrowErrorMatchingSnapshot();
+});
+
+test('throws if types contains an empty entry', () => {
+  expect(() => getSpacesQueryFilters('space_1', ['dashboard', ''])).toThrowErrorMatchingSnapshot();
+});
+
+test('creates a query that filters on type, but not on space, for types that are not space-aware', () => {
+  const spaceId = 'space_1';
+  const type = 'space';
+
+  const expectedTypeClause = {
+    bool: {
+      must: [{
+        term: {
+          type
+        }
+      }]
+    }
+  };
+  expect(getSpacesQueryFilters(spaceId, [type])).toEqual([{
+    bool: {
+      should: [expectedTypeClause],
+      minimum_should_match: 1
+    }
+  }]);
+});
+
+test('creates a query that restricts a space-aware type to the provided space (space_1)', () => {
+  const spaceId = 'space_1';
+  const type = 'dashboard';
+
+  const expectedTypeClause = {
+    bool: {
+      must: [{
+        term: {
+          type
+        }
+      }, {
+        term: {
+          spaceId
+        }
+      }]
+    }
+  };
+
+  expect(getSpacesQueryFilters(spaceId, [type])).toEqual([{
+    bool: {
+      should: [expectedTypeClause],
+      minimum_should_match: 1
+    }
+  }]);
+});
+
+test('creates a query that restricts a space-aware type to the provided space (default)', () => {
+  const spaceId = 'default';
+  const type = 'dashboard';
+
+  const expectedTypeClause = {
+    bool: {
+      must: [{
+        term: {
+          type
+        }
+      }],
+      // The default space does not add its spaceId to the objects that belong to it, in order
+      // to be compatible with installations that are not always space-aware.
+      must_not: [{
+        exists: {
+          field: 'spaceId'
+        }
+      }]
+    }
+  };
+
+  expect(getSpacesQueryFilters(spaceId, [type])).toEqual([{
+    bool: {
+      should: [expectedTypeClause],
+      minimum_should_match: 1
+    }
+  }]);
+});
+
+test('creates a query supporting a find operation on multiple types', () => {
+  const spaceId = 'space_1';
+  const types = [
+    'dashboard',
+    'space',
+    'visualization',
+  ];
+
+  const expectedSpaceClause = {
+    term: {
+      spaceId
+    }
+  };
+
+  const expectedTypeClauses = [{
+    bool: {
+      must: [{
+        term: {
+          type: 'dashboard'
+        }
+      }, expectedSpaceClause]
+    }
+  }, {
+    bool: {
+      must: [{
+        term: {
+          type: 'space'
+        }
+      }]
+    }
+  }, {
+    bool: {
+      must: [{
+        term: {
+          type: 'visualization'
+        }
+      }, expectedSpaceClause]
+    }
+  }];
+
+  expect(getSpacesQueryFilters(spaceId, types)).toEqual([{
+    bool: {
+      should: expectedTypeClauses,
+      minimum_should_match: 1
+    }
+  }]);
+});
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js
new file mode 100644
index 00000000000000..da7a448d86d2d7
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SpacesSavedObjectsClient } from './spaces_saved_objects_client';
+
+export function spacesSavedObjectsClientWrapperFactory(spacesService, types) {
+  return ({ client, request }) => new SpacesSavedObjectsClient({
+    baseClient: client,
+    request,
+    spacesService,
+    types,
+  });
+}
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
new file mode 100644
index 00000000000000..28471c3d928ba6
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
@@ -0,0 +1,282 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { DEFAULT_SPACE_ID } from '../../../common/constants';
+import { isTypeSpaceAware } from './lib/is_type_space_aware';
+import { getSpacesQueryFilters } from './lib/query_filters';
+import uniq from 'lodash';
+
+export class SpacesSavedObjectsClient {
+  constructor(options) {
+    const {
+      request,
+      baseClient,
+      spacesService,
+      types,
+    } = options;
+
+    this.errors = baseClient.errors;
+
+    this._client = baseClient;
+    this._types = types;
+
+    this._spaceUrlContext = spacesService.getUrlContext(request);
+  }
+
+  /**
+   * Persists an object
+   *
+   * @param {string} type
+   * @param {object} attributes
+   * @param {object} [options={}]
+   * @property {string} [options.id] - force id on creation, not recommended
+   * @property {boolean} [options.overwrite=false]
+   * @property {object} [options.extraDocumentProperties={}] - extra properties to append to the document body, outside of the object's type property
+   * @returns {promise} - { id, type, version, attributes }
+  */
+  async create(type, attributes = {}, options = {}) {
+
+    const spaceId = await this._getSpaceId();
+
+    const createOptions = {
+      ...options,
+      extraDocumentProperties: {
+        ...options.extraDocumentProperties
+      }
+    };
+
+    if (this._shouldAssignSpaceId(type, spaceId)) {
+      createOptions.extraDocumentProperties.spaceId = spaceId;
+    } else {
+      delete createOptions.extraDocumentProperties.spaceId;
+    }
+
+    return await this._client.create(type, attributes, createOptions);
+  }
+
+  /**
+   * Creates multiple documents at once
+   *
+   * @param {array} objects - [{ type, id, attributes, extraDocumentProperties }]
+   * @param {object} [options={}]
+   * @property {boolean} [options.overwrite=false] - overwrites existing documents
+   * @returns {promise} - { saved_objects: [{ id, type, version, attributes, error: { message } }]}
+   */
+  async bulkCreate(objects, options = {}) {
+    const spaceId = await this._getSpaceId();
+    const objectsToCreate = objects.map(object => {
+
+      const objectToCreate = {
+        ...object,
+        extraDocumentProperties: {
+          ...object.extraDocumentProperties
+        }
+      };
+
+      if (this._shouldAssignSpaceId(object.type, spaceId)) {
+        objectToCreate.extraDocumentProperties.spaceId = spaceId;
+      } else {
+        delete objectToCreate.extraDocumentProperties.spaceId;
+      }
+
+      return objectToCreate;
+    });
+
+    return await this._client.bulkCreate(objectsToCreate, options);
+  }
+
+  /**
+   * Deletes an object
+   *
+   * @param {string} type
+   * @param {string} id
+   * @returns {promise}
+   */
+  async delete(type, id) {
+    // attempt to retrieve document before deleting.
+    // this ensures that the document belongs to the current space.
+    await this.get(type, id);
+
+    return await this._client.delete(type, id);
+  }
+
+  /**
+   * @param {object} [options={}]
+   * @property {(string|Array<string>)} [options.type]
+   * @property {string} [options.search]
+   * @property {Array<string>} [options.searchFields] - see Elasticsearch Simple Query String
+   *                                        Query field argument for more information
+   * @property {object} [options.filters] - ES Query filters to append
+   * @property {integer} [options.page=1]
+   * @property {integer} [options.perPage=20]
+   * @property {string} [options.sortField]
+   * @property {string} [options.sortOrder]
+   * @property {Array<string>} [options.fields]
+   * @returns {promise} - { saved_objects: [{ id, type, version, attributes }], total, per_page, page }
+   */
+  async find(options = {}) {
+    const spaceOptions = {};
+
+    let types = options.type || this._types;
+    if (!Array.isArray(types)) {
+      types = [types];
+    }
+
+    const filters = options.filters || [];
+
+    const spaceId = await this._getSpaceId();
+
+    spaceOptions.filters = [...filters, ...getSpacesQueryFilters(spaceId, types)];
+
+    return await this._client.find({ ...options, ...spaceOptions });
+  }
+
+  /**
+   * Returns an array of objects by id
+   *
+   * @param {array} objects - an array ids, or an array of objects containing id and optionally type
+   * @param {object} [options = {}]
+   * @param {array} [options.extraSourceProperties = []] - an array of extra properties to return from the underlying document
+   * @returns {promise} - { saved_objects: [{ id, type, version, attributes }] }
+   * @example
+   *
+   * bulkGet([
+   *   { id: 'one', type: 'config' },
+   *   { id: 'foo', type: 'index-pattern' }
+   * ])
+   */
+  async bulkGet(objects = [], options = {}) {
+    // ES 'mget' does not support queries, so we have to filter results after the fact.
+    const thisSpaceId = await this._getSpaceId();
+
+    const extraDocumentProperties = this._collectExtraDocumentProperties(['spaceId', 'type'], options.extraDocumentProperties);
+
+    const result = await this._client.bulkGet(objects, {
+      ...options,
+      extraDocumentProperties
+    });
+
+    result.saved_objects = result.saved_objects.map(savedObject => {
+      const { id, type, spaceId = DEFAULT_SPACE_ID } = savedObject;
+
+      if (isTypeSpaceAware(type)) {
+        if (spaceId !== thisSpaceId) {
+          return {
+            id,
+            type,
+            error: { statusCode: 404, message: 'Not found' }
+          };
+        }
+      }
+
+      return savedObject;
+    });
+
+    return result;
+  }
+
+  /**
+   * Gets a single object
+   *
+   * @param {string} type
+   * @param {string} id
+   * @param {object} [options = {}]
+   * @param {array} [options.extraSourceProperties = []] - an array of extra properties to return from the underlying document
+   * @returns {promise} - { id, type, version, attributes }
+   */
+  async get(type, id, options = {}) {
+    // ES 'get' does not support queries, so we have to filter results after the fact.
+
+    const extraDocumentProperties = this._collectExtraDocumentProperties(['spaceId'], options.extraDocumentProperties);
+
+    const response = await this._client.get(type, id, {
+      ...options,
+      extraDocumentProperties
+    });
+
+    const { spaceId: objectSpaceId = DEFAULT_SPACE_ID } = response;
+
+    if (isTypeSpaceAware(type)) {
+      const thisSpaceId = await this._getSpaceId();
+      if (objectSpaceId !== thisSpaceId) {
+        throw this._client.errors.createGenericNotFoundError();
+      }
+    }
+
+    return response;
+  }
+
+  /**
+   * Updates an object
+   *
+   * @param {string} type
+   * @param {string} id
+   * @param {object} [options={}]
+   * @property {integer} options.version - ensures version matches that of persisted object
+   * @param {array} [options.extraDocumentProperties = {}] - an object of extra properties to write into the underlying document
+   * @returns {promise}
+   */
+  async update(type, id, attributes, options = {}) {
+    const updateOptions = {
+      ...options,
+      extraDocumentProperties: {
+        ...options.extraDocumentProperties
+      }
+    };
+
+    // attempt to retrieve document before updating.
+    // this ensures that the document belongs to the current space.
+    if (isTypeSpaceAware(type)) {
+      await this.get(type, id);
+
+      const spaceId = await this._getSpaceId();
+
+      if (this._shouldAssignSpaceId(type, spaceId)) {
+        updateOptions.extraDocumentProperties.spaceId = spaceId;
+      } else {
+        delete updateOptions.extraDocumentProperties.spaceId;
+      }
+    }
+
+    return await this._client.update(type, id, attributes, updateOptions);
+  }
+
+  async _getSpaceId() {
+    if (!this._spaceUrlContext) {
+      return DEFAULT_SPACE_ID;
+    }
+
+    if (!this._spaceId) {
+      this._spaceId = await this._findSpace(this._spaceUrlContext);
+    }
+
+    return this._spaceId;
+  }
+
+  async _findSpace(urlContext) {
+    const {
+      saved_objects: spaces = []
+    } = await this._client.find({
+      type: 'space',
+      search: `${urlContext}`,
+      search_fields: ['urlContext']
+    });
+
+    if (spaces.length > 0) {
+      return spaces[0].id;
+    }
+
+    return null;
+  }
+
+  _collectExtraDocumentProperties(thisClientProperties, optionalProperties = []) {
+    return uniq([...thisClientProperties, ...optionalProperties]).value();
+  }
+
+  _shouldAssignSpaceId(type, spaceId) {
+    return spaceId !== DEFAULT_SPACE_ID && isTypeSpaceAware(type);
+  }
+}
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
new file mode 100644
index 00000000000000..4c7454d43f5da1
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
@@ -0,0 +1,1340 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SpacesSavedObjectsClient } from './spaces_saved_objects_client';
+import { createSpacesService } from '../create_spaces_service';
+
+const createObjectEntry = (type, id, spaceId) => ({
+  [id]: {
+    id,
+    type,
+    spaceId
+  }
+});
+
+const SAVED_OBJECTS = {
+  ...createObjectEntry('foo', 'object_0'),
+  ...createObjectEntry('foo', 'object_1', 'space_1'),
+  ...createObjectEntry('foo', 'object_2', 'space_2'),
+  ...createObjectEntry('space', 'space_1'),
+};
+
+const config = {
+  'server.basePath': '/'
+};
+
+const server = {
+  config: () => ({
+    get: (key) => {
+      return config[key];
+    }
+  })
+};
+
+const createMockRequest = (space) => ({
+  getBasePath: () => space.urlContext ? `/s/${space.urlContext}` : '',
+});
+
+const createMockClient = (space) => {
+  return {
+    get: jest.fn((type, id) => {
+      return SAVED_OBJECTS[id];
+    }),
+    bulkGet: jest.fn((objects) => {
+      return {
+        saved_objects: objects.map(object => SAVED_OBJECTS[object.id])
+      };
+    }),
+    find: jest.fn(({ type }) => {
+      // used to locate spaces when type is `space` within these tests
+      if (type === 'space') {
+        return {
+          saved_objects: [space]
+        };
+      }
+      return {
+        saved_objects: []
+      };
+    }),
+    create: jest.fn(),
+    bulkCreate: jest.fn(),
+    update: jest.fn(),
+    delete: jest.fn(),
+    errors: {
+      createGenericNotFoundError: jest.fn(() => {
+        return new Error('not found');
+      })
+    }
+  };
+};
+
+describe('default space', () => {
+  const currentSpace = {
+    id: 'default',
+    urlContext: ''
+  };
+
+  describe('#get', () => {
+    test(`returns the object when it belongs to the current space`, async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const id = 'object_0';
+      const options = {};
+
+      const result = await client.get(type, id, options);
+
+      expect(result).toBe(SAVED_OBJECTS[id]);
+    });
+
+    test(`returns global objects that don't belong to a specific space`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'space';
+      const id = 'space_1';
+      const options = {};
+
+      const result = await client.get(type, id, options);
+
+      expect(result).toBe(SAVED_OBJECTS[id]);
+    });
+
+    test(`merges options.extraDocumentProperties`, async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const id = 'object_0';
+      const options = {
+        extraDocumentProperties: ['otherSourceProp']
+      };
+
+      await client.get(type, id, options);
+
+      expect(baseClient.get).toHaveBeenCalledWith(type, id, {
+        extraDocumentProperties: ['spaceId', 'otherSourceProp']
+      });
+    });
+
+    test(`returns error when the object belongs to a different space`, async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const id = 'object_2';
+      const options = {};
+
+      await expect(client.get(type, id, options)).rejects.toThrowErrorMatchingSnapshot();
+    });
+  });
+
+  describe('#bulk_get', () => {
+    test(`only returns objects belonging to the current space`, async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const options = {};
+
+      const result = await client.bulkGet([{
+        type,
+        id: 'object_0'
+      }, {
+        type,
+        id: 'object_2'
+      }], options);
+
+      expect(result).toEqual({
+        saved_objects: [{
+          id: 'object_0',
+          type: 'foo',
+        }, {
+          id: 'object_2',
+          type: 'foo',
+          error: {
+            message: 'Not found',
+            statusCode: 404
+          }
+        }]
+      });
+    });
+
+    test(`returns global objects that don't belong to a specific space`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const options = {};
+
+      const result = await client.bulkGet([{
+        type,
+        id: 'object_0'
+      }, {
+        type,
+        id: 'space_1'
+      }], options);
+
+      expect(result).toEqual({
+        saved_objects: [{
+          id: 'object_0',
+          type: 'foo',
+        }, {
+          id: 'space_1',
+          type: 'space',
+        }]
+      });
+    });
+
+    test(`merges options.extraDocumentProperties`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+
+      const objects = [{
+        type,
+        id: 'object_1'
+      }, {
+        type,
+        id: 'object_2'
+      }];
+
+      const options = {
+        extraDocumentProperties: ['otherSourceProp']
+      };
+
+      await client.bulkGet(objects, options);
+
+      expect(baseClient.bulkGet).toHaveBeenCalledWith(objects, {
+        extraDocumentProperties: ['spaceId', 'type', 'otherSourceProp']
+      });
+    });
+  });
+
+  describe('#find', () => {
+    test(`creates ES query filters restricting objects to the current space`, async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = ['foo', 'space'];
+      const options = {
+        type
+      };
+
+      await client.find(options);
+
+      expect(baseClient.find).toHaveBeenCalledWith({
+        type,
+        filters: [{
+          bool: {
+            minimum_should_match: 1,
+            should: [{
+              bool: {
+                must: [{
+                  term: {
+                    type: 'foo'
+                  },
+                }],
+                must_not: [{
+                  exists: {
+                    field: "spaceId"
+                  }
+                }]
+              }
+            }, {
+              bool: {
+                must: [{
+                  term: {
+                    type: 'space'
+                  },
+                }],
+              }
+            }]
+          }
+        }]
+      });
+    });
+
+    test(`merges incoming filters with filters generated by Spaces Saved Objects Client`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const otherFilters = [{
+        bool: {
+          must: [{
+            term: {
+              foo: 'bar'
+            }
+          }]
+        }
+      }];
+
+      const options = {
+        type,
+        filters: otherFilters
+      };
+
+      await client.find(options);
+
+      expect(baseClient.find).toHaveBeenCalledWith({
+        type,
+        filters: [...otherFilters, {
+          bool: {
+            minimum_should_match: 1,
+            should: [{
+              bool: {
+                must: [{
+                  term: {
+                    type
+                  },
+                }],
+                must_not: [{
+                  exists: {
+                    field: "spaceId"
+                  }
+                }]
+              }
+            }]
+          }
+        }]
+      });
+    });
+  });
+
+  describe('#create', () => {
+
+    test('does not assign a space-unaware (global) object to a space', async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'space';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      await client.create(type, attributes);
+
+      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { extraDocumentProperties: {} });
+    });
+
+    test('does not assign a spaceId to space-aware objects belonging to the default space', async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      await client.create(type, attributes);
+
+      // called without extraDocumentProperties
+      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { extraDocumentProperties: {} });
+    });
+  });
+
+  describe('#bulk_create', () => {
+    test('allows for bulk creation when all types are space-aware', async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+      const objects = [{
+        type: 'foo',
+        attributes
+      }, {
+        type: 'bar',
+        attributes
+      }];
+
+      await client.bulkCreate(objects, {});
+
+      const expectedCalledWithObjects = objects.map(object => ({
+        ...object,
+        extraDocumentProperties: {}
+      }));
+
+      expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
+    });
+
+    test('allows for bulk creation when all types are not space-aware (global)', async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      const objects = [{
+        type: 'space',
+        attributes
+      }, {
+        type: 'space',
+        attributes
+      }];
+
+      await client.bulkCreate(objects, {});
+
+      expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects.map(o => {
+        return { ...o, extraDocumentProperties: {} };
+      }), {});
+    });
+
+    test('allows space-aware and non-space-aware (global) objects to be created at the same time', async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      const objects = [{
+        type: 'space',
+        attributes
+      }, {
+        type: 'foo',
+        attributes
+      }];
+
+      await client.bulkCreate(objects, {});
+
+      const expectedCalledWithObjects = [...objects];
+      expectedCalledWithObjects[0] = {
+        ...expectedCalledWithObjects[0],
+        extraDocumentProperties: {}
+      };
+      expectedCalledWithObjects[1] = {
+        ...expectedCalledWithObjects[1],
+        extraDocumentProperties: {}
+      };
+
+      expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
+    });
+
+    test('does not assign a spaceId to space-aware objects that belong to the default space', async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+      const objects = [{
+        type: 'foo',
+        attributes
+      }, {
+        type: 'bar',
+        attributes
+      }];
+
+      await client.bulkCreate(objects, {});
+
+      // called with empty extraDocumentProperties
+      expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects.map(o => ({
+        ...o,
+        extraDocumentProperties: {}
+      })), {});
+    });
+  });
+
+  describe('#update', () => {
+    test('allows an object to be updated if it exists in the same space', async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const id = 'object_0';
+      const type = 'foo';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      await client.update(type, id, attributes);
+
+      expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, { extraDocumentProperties: {} });
+    });
+
+    test('allows a global object to be updated', async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const id = 'space_1';
+      const type = 'space';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      await client.update(type, id, attributes);
+
+      expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, { extraDocumentProperties: {} });
+    });
+
+    test('does not allow an object to be updated via a different space', async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const id = 'object_2';
+      const type = 'foo';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      await expect(client.update(type, id, attributes)).rejects.toThrowErrorMatchingSnapshot();
+    });
+  });
+
+  describe('#delete', () => {
+    test('allows an object to be deleted if it exists in the same space', async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const id = 'object_0';
+      const type = 'foo';
+
+      await client.delete(type, id);
+
+      expect(baseClient.delete).toHaveBeenCalledWith(type, id);
+    });
+
+    test(`allows a global object to be deleted`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const id = 'space_1';
+      const type = 'space';
+
+      await client.delete(type, id);
+
+      expect(baseClient.delete).toHaveBeenCalledWith(type, id);
+    });
+
+    test('does not allow an object to be deleted via a different space', async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const id = 'object_2';
+      const type = 'foo';
+
+      await expect(client.delete(type, id)).rejects.toThrowErrorMatchingSnapshot();
+    });
+  });
+});
+
+describe('current space (space_1)', () => {
+  const currentSpace = {
+    id: 'space_1',
+    urlContext: 'space-1'
+  };
+
+  describe('#get', () => {
+    test(`returns the object when it belongs to the current space`, async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const id = 'object_1';
+      const options = {};
+
+      const result = await client.get(type, id, options);
+
+      expect(result).toBe(SAVED_OBJECTS[id]);
+    });
+
+    test(`returns global objects that don't belong to a specific space`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'space';
+      const id = 'space_1';
+      const options = {};
+
+      const result = await client.get(type, id, options);
+
+      expect(result).toBe(SAVED_OBJECTS[id]);
+    });
+
+    test(`merges options.extraDocumentProperties`, async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const id = 'object_1';
+      const options = {
+        extraDocumentProperties: ['otherSourceProp']
+      };
+
+      await client.get(type, id, options);
+
+      expect(baseClient.get).toHaveBeenCalledWith(type, id, {
+        extraDocumentProperties: ['spaceId', 'otherSourceProp']
+      });
+    });
+
+    test(`returns error when the object belongs to a different space`, async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const id = 'object_2';
+      const options = {};
+
+      await expect(client.get(type, id, options)).rejects.toThrowErrorMatchingSnapshot();
+    });
+  });
+
+  describe('#bulk_get', () => {
+    test(`only returns objects belonging to the current space`, async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const options = {};
+
+      const result = await client.bulkGet([{
+        type,
+        id: 'object_1'
+      }, {
+        type,
+        id: 'object_2'
+      }], options);
+
+      expect(result).toEqual({
+        saved_objects: [{
+          id: 'object_1',
+          spaceId: 'space_1',
+          type: 'foo',
+        }, {
+          id: 'object_2',
+          type: 'foo',
+          error: {
+            message: 'Not found',
+            statusCode: 404
+          }
+        }]
+      });
+    });
+
+    test(`returns global objects that don't belong to a specific space`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const options = {};
+
+      const result = await client.bulkGet([{
+        type,
+        id: 'object_1'
+      }, {
+        type,
+        id: 'space_1'
+      }], options);
+
+      expect(result).toEqual({
+        saved_objects: [{
+          id: 'object_1',
+          spaceId: 'space_1',
+          type: 'foo',
+        }, {
+          id: 'space_1',
+          type: 'space',
+        }]
+      });
+    });
+
+    test(`merges options.extraDocumentProperties`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+
+      const objects = [{
+        type,
+        id: 'object_1'
+      }, {
+        type,
+        id: 'object_2'
+      }];
+
+      const options = {
+        extraDocumentProperties: ['otherSourceProp']
+      };
+
+      await client.bulkGet(objects, options);
+
+      expect(baseClient.bulkGet).toHaveBeenCalledWith(objects, {
+        extraDocumentProperties: ['spaceId', 'type', 'otherSourceProp']
+      });
+    });
+  });
+
+  describe('#find', () => {
+    test(`creates ES query filters restricting objects to the current space`, async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = ['foo', 'space'];
+      const options = {
+        type
+      };
+
+      await client.find(options);
+
+      expect(baseClient.find).toHaveBeenCalledWith({
+        type,
+        filters: [{
+          bool: {
+            minimum_should_match: 1,
+            should: [{
+              bool: {
+                must: [{
+                  term: {
+                    type: 'foo'
+                  },
+                }, {
+                  term: {
+                    spaceId: 'space_1'
+                  }
+                }],
+              }
+            }, {
+              bool: {
+                must: [{
+                  term: {
+                    type: 'space'
+                  },
+                }],
+              }
+            }]
+          }
+        }]
+      });
+    });
+
+    test(`merges incoming filters with filters generated by Spaces Saved Objects Client`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const otherFilters = [{
+        bool: {
+          must: [{
+            term: {
+              foo: 'bar'
+            }
+          }]
+        }
+      }];
+
+      const options = {
+        type,
+        filters: otherFilters
+      };
+
+      await client.find(options);
+
+      expect(baseClient.find).toHaveBeenCalledWith({
+        type,
+        filters: [...otherFilters, {
+          bool: {
+            minimum_should_match: 1,
+            should: [{
+              bool: {
+                must: [{
+                  term: {
+                    type
+                  },
+                }, {
+                  term: {
+                    spaceId: 'space_1'
+                  }
+                }]
+              }
+            }]
+          }
+        }]
+      });
+    });
+  });
+
+  describe('#create', () => {
+    test('automatically assigns the object to the current space via extraDocumentProperties', async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      await client.create(type, attributes);
+
+      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, {
+        extraDocumentProperties: {
+          spaceId: 'space_1'
+        }
+      });
+    });
+
+    test('does not assign a space-unaware (global) object to a space', async () => {
+
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'space';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      await client.create(type, attributes);
+
+      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { extraDocumentProperties: {} });
+    });
+
+    describe('#bulk_create', () => {
+      test('allows for bulk creation when all types are space-aware', async () => {
+
+        const request = createMockRequest(currentSpace);
+        const baseClient = createMockClient(currentSpace);
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+          types: [],
+        });
+
+
+        const attributes = {
+          prop1: 'value 1',
+          prop2: 'value 2'
+        };
+        const objects = [{
+          type: 'foo',
+          attributes
+        }, {
+          type: 'bar',
+          attributes
+        }];
+
+        await client.bulkCreate(objects, {});
+
+        const expectedCalledWithObjects = objects.map(object => ({
+          ...object,
+          extraDocumentProperties: {
+            spaceId: 'space_1'
+          }
+        }));
+
+        expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
+      });
+
+      test('allows for bulk creation when all types are not space-aware', async () => {
+
+        const request = createMockRequest(currentSpace);
+        const baseClient = createMockClient(currentSpace);
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+          types: [],
+        });
+
+        const attributes = {
+          prop1: 'value 1',
+          prop2: 'value 2'
+        };
+
+        const objects = [{
+          type: 'space',
+          attributes
+        }, {
+          type: 'space',
+          attributes
+        }];
+
+        await client.bulkCreate(objects, {});
+
+        expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects.map(o => {
+          return { ...o, extraDocumentProperties: {} };
+        }), {});
+      });
+
+      test('allows space-aware and non-space-aware (global) objects to be created at the same time', async () => {
+
+        const request = createMockRequest(currentSpace);
+        const baseClient = createMockClient(currentSpace);
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+          types: [],
+        });
+
+        const attributes = {
+          prop1: 'value 1',
+          prop2: 'value 2'
+        };
+
+        const objects = [{
+          type: 'space',
+          attributes
+        }, {
+          type: 'foo',
+          attributes
+        }];
+
+        await client.bulkCreate(objects, {});
+
+        const expectedCalledWithObjects = [...objects];
+        expectedCalledWithObjects[0] = {
+          ...expectedCalledWithObjects[0],
+          extraDocumentProperties: {}
+        };
+        expectedCalledWithObjects[1] = {
+          ...expectedCalledWithObjects[1],
+          extraDocumentProperties: {
+            spaceId: 'space_1'
+          }
+        };
+
+        expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
+      });
+    });
+
+    describe('#update', () => {
+      test('allows an object to be updated if it exists in the same space', async () => {
+
+        const request = createMockRequest(currentSpace);
+        const baseClient = createMockClient(currentSpace);
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+          types: [],
+        });
+
+        const id = 'object_1';
+        const type = 'foo';
+        const attributes = {
+          prop1: 'value 1',
+          prop2: 'value 2'
+        };
+
+        await client.update(type, id, attributes);
+
+        expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, { extraDocumentProperties: { spaceId: 'space_1' } });
+      });
+
+      test('allows a global object to be updated', async () => {
+        const request = createMockRequest(currentSpace);
+        const baseClient = createMockClient(currentSpace);
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+          types: [],
+        });
+
+        const id = 'space_1';
+        const type = 'space';
+        const attributes = {
+          prop1: 'value 1',
+          prop2: 'value 2'
+        };
+
+        await client.update(type, id, attributes);
+
+        expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, { extraDocumentProperties: {} });
+      });
+
+      test('does not allow an object to be updated via a different space', async () => {
+
+        const request = createMockRequest(currentSpace);
+        const baseClient = createMockClient(currentSpace);
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+          types: [],
+        });
+
+        const id = 'object_2';
+        const type = 'foo';
+        const attributes = {
+          prop1: 'value 1',
+          prop2: 'value 2'
+        };
+
+        await expect(client.update(type, id, attributes)).rejects.toThrowErrorMatchingSnapshot();
+      });
+    });
+
+    describe('#delete', () => {
+      test('allows an object to be deleted if it exists in the same space', async () => {
+        const request = createMockRequest(currentSpace);
+        const baseClient = createMockClient(currentSpace);
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+          types: [],
+        });
+
+        const id = 'object_1';
+        const type = 'foo';
+
+        await client.delete(type, id);
+
+        expect(baseClient.delete).toHaveBeenCalledWith(type, id);
+      });
+
+      test('allows a global object to be deleted', async () => {
+        const request = createMockRequest(currentSpace);
+        const baseClient = createMockClient(currentSpace);
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+          types: [],
+        });
+
+        const id = 'space_1';
+        const type = 'space';
+
+        await client.delete(type, id);
+
+        expect(baseClient.delete).toHaveBeenCalledWith(type, id);
+      });
+
+      test('does not allow an object to be deleted via a different space', async () => {
+
+        const request = createMockRequest(currentSpace);
+        const baseClient = createMockClient(currentSpace);
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+          types: [],
+        });
+
+        const id = 'object_2';
+        const type = 'foo';
+
+        await expect(client.delete(type, id)).rejects.toThrowErrorMatchingSnapshot();
+      });
+    });
+  });
+});
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.js b/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
index 6f4330ba283cc2..a5ec62b2f7e76d 100644
--- a/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
@@ -5,33 +5,33 @@
  */
 
 import { wrapError } from './errors';
+import { addSpaceUrlContext, getSpaceUrlContext } from './spaces_url_parser';
 
 export function initSpacesRequestInterceptors(server) {
-  const contextCache = new WeakMap();
+
+  const serverBasePath = server.config().get('server.basePath');
 
   server.ext('onRequest', async function spacesOnRequestHandler(request, reply) {
     const path = request.path;
 
     // If navigating within the context of a space, then we store the Space's URL Context on the request,
     // and rewrite the request to not include the space identifier in the URL.
+    const spaceUrlContext = getSpaceUrlContext(path, serverBasePath);
 
-    if (path.startsWith('/s/')) {
-      const pathParts = path.split('/');
-
-      const spaceUrlContext = pathParts[2];
-
+    if (spaceUrlContext) {
       const reqBasePath = `/s/${spaceUrlContext}`;
       request.setBasePath(reqBasePath);
 
+      const newLocation = path.substr(reqBasePath.length) || '/';
+
       const newUrl = {
         ...request.url,
-        path: path.substr(reqBasePath.length) || '/',
-        pathname: path.substr(reqBasePath.length) || '/',
-        href: path.substr(reqBasePath.length) || '/'
+        path: newLocation,
+        pathname: newLocation,
+        href: newLocation,
       };
 
       request.setUrl(newUrl);
-      contextCache.set(request, spaceUrlContext);
     }
 
     return reply.continue();
@@ -41,7 +41,8 @@ export function initSpacesRequestInterceptors(server) {
     const path = request.path;
 
     const isRequestingKibanaRoot = path === '/';
-    const urlContext = contextCache.get(request);
+    const { spaces } = server;
+    const urlContext = await spaces.getUrlContext(request);
 
     // if requesting the application root, then show the Space Selector UI to allow the user to choose which space
     // they wish to visit. This is done "onPostAuth" to allow the Saved Objects Client to use the request's auth scope,
@@ -53,6 +54,10 @@ export function initSpacesRequestInterceptors(server) {
           type: 'space'
         });
 
+        const config = server.config();
+        const basePath = config.get('server.basePath');
+        const defaultRoute = config.get('server.defaultRoute');
+
         if (total === 1) {
           // If only one space is available, then send user there directly.
           // No need for an interstitial screen where there is only one possible outcome.
@@ -61,17 +66,7 @@ export function initSpacesRequestInterceptors(server) {
             urlContext
           } = space.attributes;
 
-          const config = server.config();
-          const basePath = config.get('server.basePath');
-          const defaultRoute = config.get('server.defaultRoute');
-
-          let destination;
-          if (urlContext) {
-            destination = `${basePath}/s/${urlContext}${defaultRoute}`;
-          } else {
-            destination = `${basePath}${defaultRoute}`;
-          }
-
+          const destination = addSpaceUrlContext(basePath, urlContext, defaultRoute);
           return reply.redirect(destination);
         }
 
@@ -83,8 +78,8 @@ export function initSpacesRequestInterceptors(server) {
           });
         }
 
-      } catch (e) {
-        return reply(wrapError(e));
+      } catch (error) {
+        return reply(wrapError(error));
       }
     }
 
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js b/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
index 434ec530ba6f31..05fddbe43fbbab 100644
--- a/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
@@ -6,6 +6,7 @@
 import sinon from 'sinon';
 import { Server } from 'hapi';
 import { initSpacesRequestInterceptors } from './space_request_interceptors';
+import { createSpacesService } from './create_spaces_service';
 
 describe('interceptors', () => {
   const sandbox = sinon.sandbox.create();
@@ -14,12 +15,28 @@ describe('interceptors', () => {
 
   beforeEach(() => {
     teardowns.push(() => sandbox.restore());
-    request = async (path, setupFn = () => { }) => {
+    request = async (path, setupFn = () => { }, testConfig = {}) => {
 
       const server = new Server();
 
       server.connection({ port: 0 });
 
+      const config = {
+        'server.basePath': '/foo',
+        ...testConfig,
+      };
+
+      server.decorate('server', 'config', jest.fn(() => {
+        return {
+          get: jest.fn(key => {
+            return config[key];
+          })
+        };
+      }));
+
+      const spacesService = createSpacesService(server);
+      server.decorate('server', 'spaces', spacesService);
+
       initSpacesRequestInterceptors(server);
 
       server.route({
@@ -115,15 +132,6 @@ describe('interceptors', () => {
     };
 
     const setupTest = (server, spaces, testHandler) => {
-      // Mock server.config()
-      server.decorate('server', 'config', () => {
-        return {
-          get: (key) => {
-            return config[key];
-          }
-        };
-      });
-
       // Mock server.getSavedObjectsClient()
       server.decorate('request', 'getSavedObjectsClient', () => {
         return {
@@ -165,7 +173,7 @@ describe('interceptors', () => {
 
         await request('/', (server) => {
           setupTest(server, spaces, testHandler);
-        });
+        }, config);
 
         expect(testHandler).toHaveBeenCalledTimes(1);
       });
@@ -198,7 +206,7 @@ describe('interceptors', () => {
 
         await request('/', (server) => {
           setupTest(server, spaces, testHandler);
-        });
+        }, config);
 
         expect(testHandler).toHaveBeenCalledTimes(1);
       });
@@ -243,7 +251,7 @@ describe('interceptors', () => {
           });
 
           setupTest(server, spaces, testHandler);
-        });
+        }, config);
 
         expect(getHiddenUiAppHandler).toHaveBeenCalledTimes(1);
         expect(getHiddenUiAppHandler).toHaveBeenCalledWith('space_selector');
diff --git a/x-pack/plugins/spaces/server/lib/spaces_url_parser.js b/x-pack/plugins/spaces/server/lib/spaces_url_parser.js
new file mode 100644
index 00000000000000..7c0cf5d32776be
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/spaces_url_parser.js
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export function getSpaceUrlContext(requestBasePath = '/', serverBasePath = '/') {
+  let pathToCheck = requestBasePath;
+
+  if (serverBasePath && serverBasePath !== '/' && requestBasePath.startsWith(serverBasePath)) {
+    pathToCheck = requestBasePath.substr(serverBasePath.length);
+  }
+  // Look for `/s/space-url-context` in the base path
+  const matchResult = pathToCheck.match(/^\/s\/([a-z0-9\-]+)/);
+
+  if (!matchResult || matchResult.length === 0) {
+    return '';
+  }
+
+  // Ignoring first result, we only want the capture group result at index 1
+  const [, urlContext = ''] = matchResult;
+
+  return urlContext;
+}
+
+export function addSpaceUrlContext(basePath = '/', urlContext = '', requestedPath = '') {
+  if (requestedPath && !requestedPath.startsWith('/')) {
+    throw new Error(`path must start with a /`);
+  }
+
+  if (urlContext) {
+    return `${basePath}/s/${urlContext}${requestedPath}`;
+  }
+  return `${basePath}${requestedPath}`;
+}
diff --git a/x-pack/plugins/spaces/server/lib/spaces_url_parser.test.js b/x-pack/plugins/spaces/server/lib/spaces_url_parser.test.js
new file mode 100644
index 00000000000000..3d2ddaee6137fb
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/spaces_url_parser.test.js
@@ -0,0 +1,67 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { getSpaceUrlContext, addSpaceUrlContext } from './spaces_url_parser';
+
+describe('getSpaceUrlContext', () => {
+  describe('without a serverBasePath defined', () => {
+    test('it identifies the space url context', () => {
+      const basePath = `/s/my-awesome-space-lives-here`;
+      expect(getSpaceUrlContext(basePath)).toEqual('my-awesome-space-lives-here');
+    });
+
+    test('ignores space identifiers in the middle of the path', () => {
+      const basePath = `/this/is/a/crazy/path/s/my-awesome-space-lives-here`;
+      expect(getSpaceUrlContext(basePath)).toEqual('');
+    });
+
+    test('it handles base url without a space url context', () => {
+      const basePath = `/this/is/a/crazy/path/s`;
+      expect(getSpaceUrlContext(basePath)).toEqual('');
+    });
+  });
+
+  describe('with a serverBasePath defined', () => {
+    test('it identifies the space url context', () => {
+      const basePath = `/s/my-awesome-space-lives-here`;
+      expect(getSpaceUrlContext(basePath, '/')).toEqual('my-awesome-space-lives-here');
+    });
+
+    test('it identifies the space url context following the server base path', () => {
+      const basePath = `/server-base-path-here/s/my-awesome-space-lives-here`;
+      expect(getSpaceUrlContext(basePath, '/server-base-path-here')).toEqual('my-awesome-space-lives-here');
+    });
+
+    test('ignores space identifiers in the middle of the path', () => {
+      const basePath = `/this/is/a/crazy/path/s/my-awesome-space-lives-here`;
+      expect(getSpaceUrlContext(basePath, '/this/is/a')).toEqual('');
+    });
+
+    test('it handles base url without a space url context', () => {
+      const basePath = `/this/is/a/crazy/path/s`;
+      expect(getSpaceUrlContext(basePath, basePath)).toEqual('');
+    });
+  });
+});
+
+describe('addSpaceUrlContext', () => {
+  test('handles no parameters', () => {
+    expect(addSpaceUrlContext()).toEqual(`/`);
+  });
+
+  test('it adds to the basePath correctly', () => {
+    expect(addSpaceUrlContext('/my/base/path', 'url-context')).toEqual('/my/base/path/s/url-context');
+  });
+
+  test('it appends the requested path to the end of the url context', () => {
+    expect(addSpaceUrlContext('/base', 'context', '/final/destination')).toEqual('/base/s/context/final/destination');
+  });
+
+  test('it throws an error when the requested path does not start with a slash', () => {
+    expect(() => {
+      addSpaceUrlContext('', '', 'foo');
+    }).toThrowErrorMatchingSnapshot();
+  });
+});
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
index 01ce98f97cf4f9..60a60c01088ee5 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
@@ -12,6 +12,7 @@ import { spaceSchema } from '../../../lib/space_schema';
 import { wrapError } from '../../../lib/errors';
 import { isReservedSpace } from '../../../../common/is_reserved_space';
 import { createDuplicateContextQuery } from '../../../lib/check_duplicate_context';
+import { addSpaceUrlContext } from '../../../lib/spaces_url_parser';
 
 export function initSpacesApi(server) {
   const routePreCheckLicenseFn = routePreCheckLicense(server);
@@ -63,8 +64,8 @@ export function initSpacesApi(server) {
         });
 
         spaces = result.saved_objects.map(convertSavedObjectToSpace);
-      } catch (e) {
-        return reply(wrapError(e));
+      } catch (error) {
+        return reply(wrapError(error));
       }
 
       return reply(spaces);
@@ -86,8 +87,8 @@ export function initSpacesApi(server) {
         const response = await client.get('space', spaceId);
 
         return reply(convertSavedObjectToSpace(response));
-      } catch (e) {
-        return reply(wrapError(e));
+      } catch (error) {
+        return reply(wrapError(error));
       }
     },
     config: {
@@ -107,10 +108,10 @@ export function initSpacesApi(server) {
 
       const space = omit(request.payload, ['id', '_reserved']);
 
-      const { error } = await checkForDuplicateContext(space);
+      const { error: contextError } = await checkForDuplicateContext(space);
 
-      if (error) {
-        return reply(wrapError(error));
+      if (contextError) {
+        return reply(wrapError(contextError));
       }
 
       const id = request.params.id;
@@ -126,8 +127,8 @@ export function initSpacesApi(server) {
         }
 
         result = await client.create('space', { ...space }, { id, overwrite });
-      } catch (e) {
-        return reply(wrapError(e));
+      } catch (error) {
+        return reply(wrapError(error));
       }
 
       return reply(convertSavedObjectToSpace(result));
@@ -162,8 +163,8 @@ export function initSpacesApi(server) {
       let result;
       try {
         result = await client.create('space', { ...space }, { id, overwrite });
-      } catch (e) {
-        return reply(wrapError(e));
+      } catch (error) {
+        return reply(wrapError(error));
       }
 
       return reply(convertSavedObjectToSpace(result));
@@ -193,8 +194,8 @@ export function initSpacesApi(server) {
         }
 
         result = await client.delete('space', id);
-      } catch (e) {
-        return reply(wrapError(e));
+      } catch (error) {
+        return reply(wrapError(error));
       }
 
       return reply(result).code(204);
@@ -204,6 +205,29 @@ export function initSpacesApi(server) {
     }
   });
 
+  server.route({
+    method: 'POST',
+    path: '/api/spaces/v1/space/{id}/select',
+    async handler(request, reply) {
+      const client = request.getSavedObjectsClient();
+
+      const id = request.params.id;
+
+      try {
+        const existingSpace = await getSpaceById(client, id);
+
+        const config = server.config();
+
+        return reply({
+          location: addSpaceUrlContext(config.get('server.basePath'), existingSpace.urlContext, config.get('server.defaultRoute'))
+        });
+
+      } catch (error) {
+        return reply(wrapError(error));
+      }
+    }
+  });
+
   async function getSpaceById(client, spaceId) {
     try {
       const existingSpace = await client.get('space', spaceId);
@@ -211,11 +235,11 @@ export function initSpacesApi(server) {
         id: existingSpace.id,
         ...existingSpace.attributes
       };
-    } catch (e) {
-      if (client.errors.isNotFoundError(e)) {
+    } catch (error) {
+      if (client.errors.isNotFoundError(error)) {
         return null;
       }
-      throw e;
+      throw error;
     }
   }
 }
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js
index 2318b4cd243195..cd3910e5398731 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js
@@ -17,7 +17,7 @@ jest.mock('../../../../../../server/lib/get_client_shield', () => {
   return {
     getClient: () => {
       return {
-        callWithInternalUser: jest.fn(() => {})
+        callWithInternalUser: jest.fn(() => { })
       };
     }
   };
@@ -48,18 +48,27 @@ describe('Spaces API', () => {
   const teardowns = [];
   let request;
 
+  const baseConfig = {
+    'server.basePath': ''
+  };
+
   beforeEach(() => {
-    request = async (method, path, setupFn = () => { }) => {
+    request = async (method, path, setupFn = () => { }, testConfig = {}) => {
 
       const server = new Server();
 
+      const config = {
+        ...baseConfig,
+        ...testConfig
+      };
+
       server.connection({ port: 0 });
 
       await setupFn(server);
 
       server.decorate('server', 'config', jest.fn(() => {
         return {
-          get: () => ''
+          get: (key) => config[key]
         };
       }));
 
@@ -148,4 +157,34 @@ describe('Spaces API', () => {
       message: "This Space cannot be deleted because it is reserved."
     });
   });
+
+  test('POST space/{id}/select should respond with the new space location', async () => {
+    const response = await request('POST', '/api/spaces/v1/space/a-space/select');
+
+    const {
+      statusCode,
+      payload
+    } = response;
+
+    expect(statusCode).toEqual(200);
+
+    const result = JSON.parse(payload);
+    expect(result.location).toEqual('/s/a-space');
+  });
+
+  test('POST space/{id}/select should respond with the new space location when a baseUrl is provided', async () => {
+    const response = await request('POST', '/api/spaces/v1/space/a-space/select', () => { }, {
+      'server.basePath': '/my/base/path'
+    });
+
+    const {
+      statusCode,
+      payload
+    } = response;
+
+    expect(statusCode).toEqual(200);
+
+    const result = JSON.parse(payload);
+    expect(result.location).toEqual('/my/base/path/s/a-space');
+  });
 });
diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js
index 0658878996ec2e..e86b73182b9439 100644
--- a/x-pack/scripts/functional_tests.js
+++ b/x-pack/scripts/functional_tests.js
@@ -15,4 +15,5 @@ require('@kbn/test').runTestsCli([
   require.resolve('../test/api_integration/config.js'),
   require.resolve('../test/saml_api_integration/config.js'),
   require.resolve('../test/rbac_api_integration/config.js'),
+  require.resolve('../test/spaces_api_integration/config.js'),
 ]);
diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js b/x-pack/server/lib/watch_status_and_license_to_initialize.js
similarity index 100%
rename from x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
rename to x-pack/server/lib/watch_status_and_license_to_initialize.js
diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js b/x-pack/server/lib/watch_status_and_license_to_initialize.test.js
similarity index 100%
rename from x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
rename to x-pack/server/lib/watch_status_and_license_to_initialize.test.js
diff --git a/x-pack/test/spaces_api_integration/apis/index.js b/x-pack/test/spaces_api_integration/apis/index.js
new file mode 100644
index 00000000000000..3c747f65541329
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/apis/index.js
@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export default function ({ loadTestFile }) {
+  describe('apis spaces', () => {
+    loadTestFile(require.resolve('./saved_objects'));
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js b/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js
new file mode 100644
index 00000000000000..3d747051d8c432
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js
@@ -0,0 +1,146 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { SPACES } from './lib/spaces';
+import { getIdPrefix, getUrlPrefix, getExpectedSpaceIdProperty } from './lib/space_test_utils';
+
+export default function ({ getService }) {
+  const supertest = getService('supertest');
+  const esArchiver = getService('esArchiver');
+
+  const BULK_REQUESTS = [
+    {
+      type: 'visualization',
+      id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+    },
+    {
+      type: 'dashboard',
+      id: 'does not exist',
+    },
+    {
+      type: 'config',
+      id: '7.0.0-alpha1',
+    },
+  ];
+
+  const createBulkRequests = (spaceId) => BULK_REQUESTS.map(r => ({
+    ...r,
+    id: `${getIdPrefix(spaceId)}${r.id}`
+  }));
+
+  describe('_bulk_get', () => {
+    const expectNotFoundResults = (spaceId) => resp => {
+      expect(resp.body).to.eql({
+        saved_objects: [
+          {
+            id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+            type: 'visualization',
+            error: {
+              statusCode: 404,
+              message: 'Not found',
+            },
+          },
+          {
+            id: `${getIdPrefix(spaceId)}does not exist`,
+            type: 'dashboard',
+            error: {
+              statusCode: 404,
+              message: 'Not found',
+            },
+          },
+          //todo(legrego) fix when config is space aware
+          {
+            id: `${getIdPrefix(spaceId)}7.0.0-alpha1`,
+            type: 'config',
+            error: {
+              statusCode: 404,
+              message: 'Not found',
+            },
+          },
+        ],
+      });
+    };
+
+    const expectResults = (spaceId) => resp => {
+      expect(resp.body).to.eql({
+        saved_objects: [
+          {
+            id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+            type: 'visualization',
+            updated_at: '2017-09-21T18:51:23.794Z',
+            version: resp.body.saved_objects[0].version,
+            ...getExpectedSpaceIdProperty(spaceId),
+            attributes: {
+              title: 'Count of requests',
+              description: '',
+              version: 1,
+              // cheat for some of the more complex attributes
+              visState: resp.body.saved_objects[0].attributes.visState,
+              uiStateJSON: resp.body.saved_objects[0].attributes.uiStateJSON,
+              kibanaSavedObjectMeta:
+                resp.body.saved_objects[0].attributes.kibanaSavedObjectMeta,
+            },
+          },
+          {
+            id: `${getIdPrefix(spaceId)}does not exist`,
+            type: 'dashboard',
+            error: {
+              statusCode: 404,
+              message: 'Not found',
+            },
+          },
+          //todo(legrego) fix when config is space aware
+          {
+            id: `${getIdPrefix(spaceId)}7.0.0-alpha1`,
+            type: 'config',
+            error: {
+              statusCode: 404,
+              message: 'Not found',
+            },
+          },
+        ],
+      });
+    };
+
+    const bulkGetTest = (description, { spaceId, urlContext, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/spaces'));
+        after(() => esArchiver.unload('saved_objects/spaces'));
+
+        it(`should return ${tests.default.statusCode}`, async () => {
+          await supertest
+            .post(`${getUrlPrefix(urlContext)}/api/saved_objects/_bulk_get`)
+            .send(createBulkRequests(spaceId))
+            .expect(tests.default.statusCode)
+            .then(tests.default.response);
+        });
+      });
+    };
+
+    bulkGetTest(`objects within the current space (space_1)`, {
+      ...SPACES.SPACE_1,
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults(SPACES.SPACE_1.spaceId),
+        },
+      }
+    });
+
+    bulkGetTest(`objects within another space`, {
+      ...SPACES.SPACE_1,
+      urlContext: SPACES.SPACE_2.urlContext,
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectNotFoundResults(SPACES.SPACE_1.spaceId)
+        },
+      }
+    });
+
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/create.js b/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
new file mode 100644
index 00000000000000..2eee219f739f6b
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
@@ -0,0 +1,143 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { getUrlPrefix } from './lib/space_test_utils';
+import { SPACES } from './lib/spaces';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
+
+export default function ({ getService }) {
+  const supertest = getService('supertest');
+  const es = getService('es');
+  const esArchiver = getService('esArchiver');
+
+  describe('create', () => {
+    const expectSpaceAwareResults = (spaceId) => async (resp) => {
+      expect(resp.body).to.have.property('id').match(/^[0-9a-f-]{36}$/);
+
+      // loose ISO8601 UTC time with milliseconds validation
+      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+      expect(resp.body).to.eql({
+        id: resp.body.id,
+        type: 'visualization',
+        updated_at: resp.body.updated_at,
+        version: 1,
+        attributes: {
+          title: 'My favorite vis'
+        }
+      });
+
+      // query ES directory to assert on space id
+      const { _source } = await es.get({
+        id: `visualization:${resp.body.id}`,
+        type: 'doc',
+        index: '.kibana'
+      });
+
+      const {
+        spaceId: actualSpaceId = '**not defined**'
+      } = _source;
+
+      if (spaceId === DEFAULT_SPACE_ID) {
+        expect(actualSpaceId).to.eql('**not defined**');
+      } else {
+        expect(actualSpaceId).to.eql(spaceId);
+      }
+    };
+
+    const expectNotSpaceAwareResults = () => async (resp) => {
+      expect(resp.body).to.have.property('id').match(/^[0-9a-f-]{36}$/);
+
+      // loose ISO8601 UTC time with milliseconds validation
+      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+      expect(resp.body).to.eql({
+        id: resp.body.id,
+        type: 'space',
+        updated_at: resp.body.updated_at,
+        version: 1,
+        attributes: {
+          name: 'My favorite space',
+          urlContext: 'my-favorite-space'
+        }
+      });
+
+      // query ES directory to assert on space id
+      const { _source } = await es.get({
+        id: `space:${resp.body.id}`,
+        type: 'doc',
+        index: '.kibana'
+      });
+
+      const {
+        spaceId: actualSpaceId = '**not defined**'
+      } = _source;
+
+      expect(actualSpaceId).to.eql('**not defined**');
+    };
+
+    const createTest = (description, { urlContext, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/spaces'));
+        after(() => esArchiver.unload('saved_objects/spaces'));
+        it(`should return ${tests.spaceAware.statusCode} for a space-aware type`, async () => {
+          await supertest
+            .post(`${getUrlPrefix(urlContext)}/api/saved_objects/visualization`)
+            .send({
+              attributes: {
+                title: 'My favorite vis'
+              }
+            })
+            .expect(tests.spaceAware.statusCode)
+            .then(tests.spaceAware.response);
+        });
+
+        it(`should return ${tests.notSpaceAware.statusCode} for a non space-aware type`, async () => {
+          await supertest
+            .post(`${getUrlPrefix(urlContext)}/api/saved_objects/space`)
+            .send({
+              attributes: {
+                name: 'My favorite space',
+                urlContext: 'my-favorite-space'
+              }
+            })
+            .expect(tests.notSpaceAware.statusCode)
+            .then(tests.notSpaceAware.response);
+        });
+
+      });
+    };
+
+    createTest('in the current space (space_1)', {
+      ...SPACES.SPACE_1,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectSpaceAwareResults(SPACES.SPACE_1.spaceId),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults(SPACES.SPACE_1.spaceId),
+        }
+      }
+    });
+
+    createTest('in the default space', {
+      ...SPACES.DEFAULT,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectSpaceAwareResults(SPACES.DEFAULT.spaceId),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults(SPACES.SPACE_1.spaceId),
+        }
+      }
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js b/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
new file mode 100644
index 00000000000000..dc1efb057d4e7b
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
@@ -0,0 +1,93 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { SPACES } from './lib/spaces';
+import { getUrlPrefix, getIdPrefix } from './lib/space_test_utils';
+
+export default function ({ getService }) {
+  const supertest = getService('supertest');
+  const esArchiver = getService('esArchiver');
+
+  describe('delete', () => {
+
+    const expectEmpty = (resp) => {
+      expect(resp.body).to.eql({});
+    };
+
+    const expectNotFound = (resp) => {
+      expect(resp.body).to.eql({
+        statusCode: 404,
+        error: 'Not Found',
+        message: 'Not Found'
+      });
+    };
+
+    const deleteTest = (description, { urlContext, spaceId, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/spaces'));
+        after(() => esArchiver.unload('saved_objects/spaces'));
+
+        it(`should return ${tests.spaceAware.statusCode} when deleting a space-aware doc`, async () => (
+          await supertest
+            .delete(`${getUrlPrefix(urlContext)}/api/saved_objects/dashboard/${getIdPrefix(spaceId)}be3733a0-9efe-11e7-acb3-3dab96693fab`)
+            .expect(tests.spaceAware.statusCode)
+            .then(tests.spaceAware.response)
+        ));
+
+        it(`should return ${tests.notSpaceAware.statusCode} when deleting a non-space-aware doc`, async () => (
+          await supertest
+            .delete(`${getUrlPrefix(urlContext)}/api/saved_objects/space/space_2`)
+            .expect(tests.notSpaceAware.statusCode)
+            .then(tests.notSpaceAware.response)
+        ));
+
+        it(`should return ${tests.inOtherSpace.statusCode} when deleting a doc belonging to another space`, async () => {
+          await supertest
+            .delete(`${getUrlPrefix(urlContext)}/api/saved_objects/dashboard/${getIdPrefix('space_2')}be3733a0-9efe-11e7-acb3-3dab96693fab`)
+            .expect(tests.inOtherSpace.statusCode)
+            .then(tests.inOtherSpace.response);
+        });
+      });
+    };
+
+    deleteTest(`in the default space`, {
+      ...SPACES.DEFAULT,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectEmpty
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectEmpty
+        },
+        inOtherSpace: {
+          statusCode: 404,
+          response: expectNotFound
+        }
+      }
+    });
+
+    deleteTest(`in the current space (space_1)`, {
+      ...SPACES.SPACE_1,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectEmpty
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectEmpty
+        },
+        inOtherSpace: {
+          statusCode: 404,
+          response: expectNotFound
+        }
+      }
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/find.js b/x-pack/test/spaces_api_integration/apis/saved_objects/find.js
new file mode 100644
index 00000000000000..1daa2b2d04f4e0
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/find.js
@@ -0,0 +1,202 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { SPACES } from './lib/spaces';
+import { getIdPrefix, getUrlPrefix } from './lib/space_test_utils';
+
+export default function ({ getService }) {
+  const supertest = getService('supertest');
+  const esArchiver = getService('esArchiver');
+
+  describe('find', () => {
+
+    const expectVisualizationResults = (spaceId) => (resp) => {
+      expect(resp.body).to.eql({
+        page: 1,
+        per_page: 20,
+        total: 1,
+        saved_objects: [
+          {
+            type: 'visualization',
+            id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+            // no space id on the saved object because the field is not requested as part of a find operation
+            version: 1,
+            attributes: {
+              'title': 'Count of requests'
+            }
+          }
+        ]
+      });
+    };
+
+    const expectAllResults = (spaceId) => (resp) => {
+      // TODO(legrego): update once config is space-aware
+
+      const sortById = ({ id: id1 }, { id: id2 }) => id1 < id2 ? -1 : 1;
+
+      resp.body.saved_objects.sort(sortById);
+
+      const expectedSavedObjects = [{
+        id: '7.0.0-alpha1',
+        type: 'config',
+        updated_at: '2017-09-21T18:49:16.302Z',
+        version: 3,
+      }, {
+        id: `default`,
+        type: 'space',
+        updated_at: '2017-09-21T18:49:16.270Z',
+        version: 1,
+      },
+      {
+        id: `space_1`,
+        type: 'space',
+        updated_at: '2017-09-21T18:49:16.270Z',
+        version: 1,
+      },
+      {
+        id: `space_2`,
+        type: 'space',
+        updated_at: '2017-09-21T18:49:16.270Z',
+        version: 1,
+      },
+      {
+        id: `${getIdPrefix(spaceId)}91200a00-9efd-11e7-acb3-3dab96693fab`,
+        type: 'index-pattern',
+        updated_at: '2017-09-21T18:49:16.270Z',
+        version: 1,
+      },
+
+      {
+        id: `${getIdPrefix(spaceId)}be3733a0-9efe-11e7-acb3-3dab96693fab`,
+        type: 'dashboard',
+        updated_at: '2017-09-21T18:57:40.826Z',
+        version: 1,
+      },
+      {
+        id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+        type: 'visualization',
+        updated_at: '2017-09-21T18:51:23.794Z',
+        version: 1,
+      }]
+        .sort(sortById);
+
+      expectedSavedObjects.forEach((object, index) => {
+        object.attributes = resp.body.saved_objects[index].attributes;
+      });
+
+
+      expect(resp.body).to.eql({
+        page: 1,
+        per_page: 20,
+        total: expectedSavedObjects.length,
+        saved_objects: expectedSavedObjects,
+      });
+    };
+
+    const createExpectEmpty = (page, perPage, total) => (resp) => {
+      expect(resp.body).to.eql({
+        page: page,
+        per_page: perPage,
+        total: total,
+        saved_objects: []
+      });
+    };
+
+    const findTest = (description, { urlContext, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/spaces'));
+        after(() => esArchiver.unload('saved_objects/spaces'));
+
+        it(`should return ${tests.normal.statusCode} with ${tests.normal.description}`, async () => (
+          await supertest
+            .get(`${getUrlPrefix(urlContext)}/api/saved_objects/_find?type=visualization&fields=title`)
+            .expect(tests.normal.statusCode)
+            .then(tests.normal.response)
+        ));
+
+        describe('page beyond total', () => {
+          it(`should return ${tests.pageBeyondTotal.statusCode} with ${tests.pageBeyondTotal.description}`, async () => (
+            await supertest
+              .get(`${getUrlPrefix(urlContext)}/api/saved_objects/_find?type=visualization&page=100&per_page=100`)
+              .expect(tests.pageBeyondTotal.statusCode)
+              .then(tests.pageBeyondTotal.response)
+          ));
+        });
+
+        describe('unknown search field', () => {
+          it(`should return ${tests.unknownSearchField.statusCode} with ${tests.unknownSearchField.description}`, async () => (
+            await supertest
+              .get(`${getUrlPrefix(urlContext)}/api/saved_objects/_find?type=wigwags&search_fields=a`)
+              .expect(tests.unknownSearchField.statusCode)
+              .then(tests.unknownSearchField.response)
+          ));
+        });
+
+        describe('no type', () => {
+          it(`should return ${tests.noType.statusCode} with ${tests.noType.description}`, async () => (
+            await supertest
+              .get(`${getUrlPrefix(urlContext)}/api/saved_objects/_find`)
+              .expect(tests.noType.statusCode)
+              .then(tests.noType.response)
+          ));
+        });
+      });
+    };
+
+    findTest(`objects only within the current space (space_1)`, {
+      ...SPACES.SPACE_1,
+      tests: {
+        normal: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectVisualizationResults(SPACES.SPACE_1.spaceId),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectAllResults(SPACES.SPACE_1.spaceId),
+        },
+      }
+    });
+
+    findTest(`objects only within the current space (default)`, {
+      ...SPACES.DEFAULT,
+      tests: {
+        normal: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectVisualizationResults(SPACES.DEFAULT.spaceId),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectAllResults(SPACES.DEFAULT.spaceId),
+        },
+      }
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/get.js b/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
new file mode 100644
index 00000000000000..2516752cbff17d
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
@@ -0,0 +1,110 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { getIdPrefix, getUrlPrefix } from './lib/space_test_utils';
+import { SPACES } from './lib/spaces';
+
+export default function ({ getService }) {
+  const supertest = getService('supertest');
+  const esArchiver = getService('esArchiver');
+
+  describe('get', () => {
+
+    const expectResults = (spaceId) => (resp) => {
+
+      // The default space does not assign a space id.
+      const expectedSpaceId = spaceId === 'default' ? undefined : spaceId;
+
+      const expectedBody = {
+        id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+        type: 'visualization',
+        updated_at: '2017-09-21T18:51:23.794Z',
+        version: resp.body.version,
+
+        attributes: {
+          title: 'Count of requests',
+          description: '',
+          version: 1,
+          // cheat for some of the more complex attributes
+          visState: resp.body.attributes.visState,
+          uiStateJSON: resp.body.attributes.uiStateJSON,
+          kibanaSavedObjectMeta: resp.body.attributes.kibanaSavedObjectMeta
+        }
+      };
+
+      if (expectedSpaceId) {
+        expectedBody.spaceId = expectedSpaceId;
+      }
+
+      expect(resp.body).to.eql(expectedBody);
+    };
+
+    const expectNotFound = (resp) => {
+      expect(resp.body).to.eql({
+        error: 'Not Found',
+        message: 'Not Found',
+        statusCode: 404,
+      });
+    };
+
+    const getTest = (description, { spaceId, urlContext = '', tests }) => {
+      describe(description, () => {
+        before(async () => esArchiver.load(`saved_objects/spaces`));
+        after(async () => esArchiver.unload(`saved_objects/spaces`));
+
+        it(`should return ${tests.exists.statusCode}`, async () => {
+          return supertest
+            .get(`${getUrlPrefix(urlContext)}/api/saved_objects/visualization/${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`)
+            .expect(tests.exists.statusCode)
+            .then(tests.exists.response);
+        });
+      });
+    };
+
+    getTest(`can access objects belonging to the current space (space_1)`, {
+      ...SPACES.SPACE_1,
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults(SPACES.SPACE_1.spaceId),
+        },
+      }
+    });
+
+    getTest(`cannot access objects belonging to a different space (space_1)`, {
+      ...SPACES.SPACE_1,
+      urlContext: 'space-2',
+      tests: {
+        exists: {
+          statusCode: 404,
+          response: expectNotFound
+        },
+      }
+    });
+
+    getTest(`can access objects belonging to the current space (default)`, {
+      ...SPACES.DEFAULT,
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults(SPACES.DEFAULT.spaceId),
+        },
+      }
+    });
+
+    getTest(`cannot access objects belonging to a different space (default)`, {
+      ...SPACES.DEFAULT,
+      urlContext: 'space-1',
+      tests: {
+        exists: {
+          statusCode: 404,
+          response: expectNotFound
+        },
+      }
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/index.js b/x-pack/test/spaces_api_integration/apis/saved_objects/index.js
new file mode 100644
index 00000000000000..c74b03792ba034
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/index.js
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+
+export default function ({ loadTestFile }) {
+
+  describe('saved_objects', () => {
+    loadTestFile(require.resolve('./bulk_get'));
+    loadTestFile(require.resolve('./create'));
+    loadTestFile(require.resolve('./delete'));
+    loadTestFile(require.resolve('./find'));
+    loadTestFile(require.resolve('./get'));
+    loadTestFile(require.resolve('./update'));
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/authentication.js b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/authentication.js
new file mode 100644
index 00000000000000..8b140fd3b2a30c
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/authentication.js
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const AUTHENTICATION = {
+  NOT_A_KIBANA_USER: {
+    USERNAME: 'not_a_kibana_user',
+    PASSWORD: 'password'
+  },
+  SUPERUSER: {
+    USERNAME: 'elastic',
+    PASSWORD: 'changeme'
+  },
+  KIBANA_LEGACY_USER: {
+    USERNAME: 'a_kibana_legacy_user',
+    PASSWORD: 'password'
+  },
+  KIBANA_LEGACY_DASHBOARD_ONLY_USER: {
+    USERNAME: 'a_kibana_legacy_dashboard_only_user',
+    PASSWORD: 'password'
+  },
+  KIBANA_RBAC_USER: {
+    USERNAME: 'a_kibana_rbac_user',
+    PASSWORD: 'password'
+  },
+  KIBANA_RBAC_DASHBOARD_ONLY_USER: {
+    USERNAME: 'a_kibana_rbac_dashboard_only_user',
+    PASSWORD: 'password'
+  }
+};
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
new file mode 100644
index 00000000000000..186b75ccacf883
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export function getUrlPrefix(urlContext) {
+  return urlContext ? `/s/${urlContext}` : ``;
+}
+
+// Spaces do not actually prefix the ID, but this simplifies testing positive and negative flows.
+export function getIdPrefix(spaceId) {
+  return spaceId === 'default' ? '' : `${spaceId}-`;
+}
+
+export function getExpectedSpaceIdProperty(spaceId) {
+  if (spaceId === 'default') {
+    return {};
+  }
+  return {
+    spaceId
+  };
+}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/spaces.js b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/spaces.js
new file mode 100644
index 00000000000000..f5cd9109c9a9e0
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/spaces.js
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const SPACES = {
+  SPACE_1: {
+    spaceId: 'space_1',
+    urlContext: 'space-1'
+  },
+  SPACE_2: {
+    spaceId: 'space_2',
+    urlContext: 'space-2'
+  },
+  DEFAULT: {
+    spaceId: 'default',
+    urlContext: ''
+  }
+};
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/update.js b/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
new file mode 100644
index 00000000000000..d87d03d9b7250e
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
@@ -0,0 +1,158 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { SPACES } from './lib/spaces';
+import { getUrlPrefix, getIdPrefix } from './lib/space_test_utils';
+
+export default function ({ getService }) {
+  const supertest = getService('supertest');
+  const esArchiver = getService('esArchiver');
+
+  describe('update', () => {
+    const expectSpaceAwareResults = resp => {
+
+      // loose ISO8601 UTC time with milliseconds validation
+      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+      expect(resp.body).to.eql({
+        id: resp.body.id,
+        type: 'visualization',
+        updated_at: resp.body.updated_at,
+        version: 2,
+        attributes: {
+          title: 'My second favorite vis'
+        }
+      });
+    };
+
+    const expectNonSpaceAwareResults = resp => {
+
+      // loose ISO8601 UTC time with milliseconds validation
+      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+      expect(resp.body).to.eql({
+        id: resp.body.id,
+        type: 'space',
+        updated_at: resp.body.updated_at,
+        version: 2,
+        attributes: {
+          name: 'My second favorite space'
+        }
+      });
+    };
+
+    const expectNotFound = resp => {
+      expect(resp.body).eql({
+        statusCode: 404,
+        error: 'Not Found',
+        message: 'Not Found'
+      });
+    };
+
+    const updateTest = (description, { urlContext, spaceId, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/spaces'));
+        after(() => esArchiver.unload('saved_objects/spaces'));
+        it(`should return ${tests.spaceAware.statusCode} for a space-aware doc`, async () => {
+          await supertest
+            .put(`${getUrlPrefix(urlContext)}/api/saved_objects/visualization/${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`)
+            .send({
+              attributes: {
+                title: 'My second favorite vis'
+              }
+            })
+            .expect(tests.spaceAware.statusCode)
+            .then(tests.spaceAware.response);
+        });
+
+        it(`should return ${tests.notSpaceAware.statusCode} for a non space-aware doc`, async () => {
+          await supertest
+            .put(`${getUrlPrefix(urlContext)}/api/saved_objects/space/space_1`)
+            .send({
+              attributes: {
+                name: 'My second favorite space'
+              }
+            })
+            .expect(tests.notSpaceAware.statusCode)
+            .then(tests.notSpaceAware.response);
+        });
+
+        it(`should return ${tests.inOtherSpace.statusCode} for a doc in another space`, async () => {
+          const id = `${getIdPrefix('space_2')}dd7caf20-9efd-11e7-acb3-3dab96693fab`;
+          await supertest
+            .put(`${getUrlPrefix(urlContext)}/api/saved_objects/visualization/${id}`)
+            .send({
+              attributes: {
+                title: 'My second favorite vis'
+              }
+            })
+            .expect(tests.inOtherSpace.statusCode)
+            .then(tests.inOtherSpace.response);
+        });
+
+        describe('unknown id', () => {
+          it(`should return ${tests.doesntExist.statusCode}`, async () => {
+            await supertest
+              .put(`${getUrlPrefix(urlContext)}/api/saved_objects/visualization/not an id`)
+              .send({
+                attributes: {
+                  title: 'My second favorite vis'
+                }
+              })
+              .expect(tests.doesntExist.statusCode)
+              .then(tests.doesntExist.response);
+          });
+        });
+      });
+    };
+
+    updateTest(`in the default space`, {
+      ...SPACES.DEFAULT,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectSpaceAwareResults,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNonSpaceAwareResults,
+        },
+        inOtherSpace: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    updateTest('in the current space (space_1)', {
+      ...SPACES.SPACE_1,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectSpaceAwareResults,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNonSpaceAwareResults,
+        },
+        inOtherSpace: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/config.js b/x-pack/test/spaces_api_integration/config.js
new file mode 100644
index 00000000000000..d93381cbd76db9
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/config.js
@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import path from 'path';
+import { resolveKibanaPath } from '@kbn/plugin-helpers';
+
+export default async function ({ readConfigFile }) {
+
+  const config = {
+    kibana: {
+      api: await readConfigFile(resolveKibanaPath('test/api_integration/config.js')),
+      common: await readConfigFile(require.resolve('../../../test/common/config.js')),
+      functional: await readConfigFile(require.resolve('../../../test/functional/config.js'))
+    },
+    xpack: {
+      api: await readConfigFile(require.resolve('../api_integration/config.js')),
+      functional: await readConfigFile(require.resolve('../functional/config.js'))
+    }
+  };
+
+  return {
+    testFiles: [require.resolve('./apis')],
+    servers: config.xpack.api.get('servers'),
+    services: {
+      es: config.kibana.common.get('services.es'),
+      supertest: config.kibana.api.get('services.supertest'),
+      supertestWithoutAuth: config.xpack.api.get('services.supertestWithoutAuth'),
+      esArchiver: config.kibana.functional.get('services.esArchiver'),
+    },
+    junit: {
+      reportName: 'X-Pack Spaces API Integration Tests',
+    },
+
+    esArchiver: {
+      directory: path.join(__dirname, 'fixtures', 'es_archiver')
+    },
+
+    esTestCluster: {
+      ...config.xpack.api.get('esTestCluster'),
+      serverArgs: [
+        ...config.xpack.api.get('esTestCluster.serverArgs'),
+      ],
+    },
+
+    kbnTestServer: {
+      ...config.xpack.api.get('kbnTestServer'),
+      serverArgs: [
+        ...config.xpack.api.get('kbnTestServer.serverArgs'),
+        '--optimize.enabled=false',
+        '--server.xsrf.disableProtection=true',
+      ],
+    },
+  };
+}
diff --git a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/data.json.gz b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/data.json.gz
new file mode 100644
index 0000000000000000000000000000000000000000..33586e3642245682fc862650efa6eabe1ca9bc8e
GIT binary patch
literal 2459
zcmYjLc{~%09~M$1$`~a%nlU*iCFg|9T*F+IbB>wSNUogA`;z-UHb;(;t;mogIdVjf
zy=3mDQjQ#vt6X`@ug~ZG{quaE=lML(_xlx%JAPbsT=6Cgo2&CZXL+nI{tnCXEie41
z%fS77M`za-ITzhjWuGFmWmBa%$n4)>4B;|cWF{s?J+&+qb^heudn1cf$?-(M75|VX
zUxE&J+9-N%ZK@YO9i+OjnK&G3nzTRV(;fK<VCk)!+Lo>{e<JivRq_;(BNC6h26YiG
zpZ6d|mBMC01!3^VWH`!RGD!S^JHtAB@+G!3E=~g!8-*@1E}5$@ZuTAg{_f)UciK&>
z%xc1wyJ7f=EM|_6pZRqQ^))lezoy*gcxKN_1obNGuPkX!sEB6}oEls-l&x%((lqzY
zI%{l9%A^Dhgipv&>I>c15d1Y%qR6nehe365akR+Y+u@1K(7U&<er-sq#_et~JyJE@
zu2J)gs%C>7$@h1qhJ#~KD?~El?5gZL!6&u4+ENJflx@L^In@rI9l?8Nx9qbLcR<<P
zyY0!w@^rd<lqEEXv_sE6c*o9kRx3psOKw?nCXpqeUk@7lYh56rT^PPFs_|ANWbowB
zOC}CWf?FPRwLe!`*`$Ss?nT~_F(fOPRxIb@D5wW+DRL(QQy}*9^Y4wS-y$7N4J9a$
zB0Y8`BB->OQ}ac<UP{4fb1P3K3dz?D(AbYT)^b+2=fxfWDy~6T@}x)+6=6ewTAj$|
zj{%9ra-Xx^V;EJ$b^mD9T8+1>7sXl&dExAZdCr~jrhWKomttBrCS+>=qpDLw9_=M)
z-ssJnj5r6AEkzeLh^Bu)e}r*qr3LHHSOYhJt?Zmb8<l^n+S<23fla!_L`I{cYMciT
z=UdiTX;JpvxMVk1Pso=ZAG+NPAsAK~Fx0s5GvOQjG)p8~OrdSv+d7UKyQimh*6OoY
z7%n+b@*vE`!)N_P3$Avtd@(Aj${S|KrI&AJyLA%TO7j-8gGlQ1LDfD)z_E%tu83rQ
z#BqdYPp9U&OR?M=5v=i@++sQa7d)H0pD^lgvWwHBqO6(KR!LWZ+Wqnh4Z5>jfX-tS
zQZcUS#@yDjZYhVJG!Vov3+gV7k3z5W^Sx&4Hb|cB1UW;s*vnEmxERHeo2ue&g9gbm
zd;||mG<zQ?X>X)aztYv;xotMBq`={)ChIDT>IS-}NNB(^VN;ctFnAM471AmMf^k}s
zmiM^51e-ZPIQiu{q2!<%7J_g6<o72EkCE*U`klo2y4kUT5!;q^eIXt*$Mjh4W2!hl
zAMp-4F1#*a%Nt=gc5{QLhs|kd3EG<G2|Le{RatjUBt2sMuiTzjGvBo1m|;saC41m0
z*+f^mGG~v1kzTTGRWvV46R-R?m<uNSeXBhBh=2s4v*X&)h$%4B5N2BPYH8fU(Qz}x
zvb7o#w>Q{&Mm03`vr^D&!po{5uvAu5;;32!YIEhB9f@C-Q(J%{uc@sm>_?9pzYxE&
zNYPw8HR5$Qu-#RMZ%a@qTx7>tm8+W({P7Hpp8XGcCt)$T{nh+*P3OIU>|u|NDUu}f
z(~!e+<&<S*r~45`C3w%XSZzw}%7j$reLwrC`OVu#cO~Fh;P-aw1Uy?o(8Rs~&*$TF
zKyXXIpG~s(zLi+YX;xpkf1pp1&*?WMg=tTX-<c(oL@X}kjw+4^G_Ec<Na|G_1Xl5i
z-|PSDVrQ=z(X|gR9G%BTv>TODp>Ai#T))%2rnJdP93YeY0)+M*fn)H+#zgeQNUm0&
zyW?hweL`>b_H)^MGq>|JtpUmn6@7L3+8!TsPqKPw7{c3I6(5%lGV8bXwxW-A^g)c$
zx7A$lyjKaCcl?rvwa%gaun~4WTD)e|RQVJ06%$>Y^t9tDjsjmT-`O&31VC2Yqz0PD
z-{c0@<+_vsBJJ}J3KufpF2!xXcC1xph)qFHgKDhGa*!$O<Xo5NuAB*SFGuY<$T_ex
z$R#PNFU?RWtl)HiTd6c{)N$fEus>Mew}+mL;w^io&G)UG_Ufsz`H9~0TgI1^4WIZu
zdrg=<_eQJ~(omt5#wTm*y-PHy9Il)Kw3Fs9ClXN_RBdTof`VuI$g!LWpU(5B=W;+(
zfg5XhxTm#+w8QM`wWLSQ_|c#lqxN(+w8&JKUuJ+AbzQ13u>oK&WNk?b&GVyQQ5FV;
zH}CCHxYD653N))H72{}E{nYft<USL{obs#OOwKM;ch%VKjLe{g)OQ1`>z~6fAw?+?
zc^LfN1SaX$MEnrzjnHT1R|8EQp3C-!j>*f2?CYzH?u;&?C*{TMP-DkZ+?j$$`f&qV
z`NgCr_e`Fcc&Xfn1CItiVpKu?MH`|X^V@;{^wBRIFwW!#dz3G|<EE)8A5=+*cNr5e
zjMLXgj7*^-8D74V@Han;(CF3bw1qZX97YpS7wRZ?tS${P(fH8cDTMCuc;d3ua6uaf
z)&}o;Q?cQw!p&YNLumn_{xjr6%gB3ov)zZB+$|VrLqW!L=d~GuE4od9rvZlR`N2~|
zTfsxVn(x&&qvx6q!d@<@U+A(^GkErWwe%DIlB{}uhKS}r;h(m@V%!XL9zW=*=h2C)
zI1438eV*dp4N|-9R|AwI6LpB%lPb?6RTIK*L$2c%rj3*&Mz*Duu6{8P-k_E_o}vD1
z_b~G*e6os+N!`$aXxbuIgfo(SF2EnioGN3b9nmjiB^)w!_#gI5YEfYYTpibwkw;mr
z#2k8f4kcLnP}cVH|Ca3k0e_voz(X4+fR$J+418$Y%9#IdI#tEUoSOW2dWT|wB8;&{
z7SQzzxjJ}k^#mT~nco*`^hFV10>{U0wM}vT@_VncXLTL+YG3jF*^U!ENri>rWlk-c
zs_Z*n)MI$`!65oit2wCff>`$d2b2t-AMjW)m?j@t{8sNMAOno_oc=QQE!F~X-kZY7
zTLR8}#9P2%N0_|i=S7$tvL*13!&$)SSQL*0ks~Ys(ke88OeB`I1bq1lKf>gx9^ufl
zFFo}BgMxawUz=ESe&vrs&41@xEn<F0kEEHTlg4<G29m6c7#%<%cE2B7C1C$n353Z~
z{M+`iyyD+Kw9fKvSsyO}JJ7}JH4+a`oc!NeB-UjYgTziZW|1&?*c~1+SmT2QK+fyW
pqrbX;n4ST)jZIc%u;+uciuo%&3THYg5bD2o(ujT8roV@U<zEvulm`F+

literal 0
HcmV?d00001

diff --git a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json
new file mode 100644
index 00000000000000..2e1a6d1f65fd91
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json
@@ -0,0 +1,314 @@
+{
+  "type": "index",
+  "value": {
+    "index": ".kibana",
+    "settings": {
+      "index": {
+        "number_of_shards": "1",
+        "auto_expand_replicas": "0-1",
+        "number_of_replicas": "0"
+      }
+    },
+    "mappings": {
+      "doc": {
+        "dynamic": "strict",
+        "properties": {
+          "config": {
+            "dynamic": "true",
+            "properties": {
+              "buildNum": {
+                "type": "keyword"
+              },
+              "defaultIndex": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 256
+                  }
+                }
+              }
+            }
+          },
+          "spaceId": {
+            "type": "keyword"
+          },
+          "space": {
+            "properties": {
+              "name": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              },
+              "urlContext": {
+                "type": "keyword"
+              },
+              "description": {
+                "type": "text"
+              },
+              "initials": {
+                "type": "keyword"
+              },
+              "color": {
+                "type": "keyword"
+              },
+              "_reserved": {
+                "type": "boolean"
+              }
+            }
+          },
+          "dashboard": {
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "hits": {
+                "type": "integer"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "optionsJSON": {
+                "type": "text"
+              },
+              "panelsJSON": {
+                "type": "text"
+              },
+              "refreshInterval": {
+                "properties": {
+                  "display": {
+                    "type": "keyword"
+                  },
+                  "pause": {
+                    "type": "boolean"
+                  },
+                  "section": {
+                    "type": "integer"
+                  },
+                  "value": {
+                    "type": "integer"
+                  }
+                }
+              },
+              "timeFrom": {
+                "type": "keyword"
+              },
+              "timeRestore": {
+                "type": "boolean"
+              },
+              "timeTo": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              },
+              "uiStateJSON": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              }
+            }
+          },
+          "graph-workspace": {
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "numLinks": {
+                "type": "integer"
+              },
+              "numVertices": {
+                "type": "integer"
+              },
+              "title": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              },
+              "wsState": {
+                "type": "text"
+              }
+            }
+          },
+          "index-pattern": {
+            "properties": {
+              "fieldFormatMap": {
+                "type": "text"
+              },
+              "fields": {
+                "type": "text"
+              },
+              "intervalName": {
+                "type": "keyword"
+              },
+              "notExpandable": {
+                "type": "boolean"
+              },
+              "sourceFilters": {
+                "type": "text"
+              },
+              "timeFieldName": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              }
+            }
+          },
+          "search": {
+            "properties": {
+              "columns": {
+                "type": "keyword"
+              },
+              "description": {
+                "type": "text"
+              },
+              "hits": {
+                "type": "integer"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "sort": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              }
+            }
+          },
+          "server": {
+            "properties": {
+              "uuid": {
+                "type": "keyword"
+              }
+            }
+          },
+          "timelion-sheet": {
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "hits": {
+                "type": "integer"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "timelion_chart_height": {
+                "type": "integer"
+              },
+              "timelion_columns": {
+                "type": "integer"
+              },
+              "timelion_interval": {
+                "type": "keyword"
+              },
+              "timelion_other_interval": {
+                "type": "keyword"
+              },
+              "timelion_rows": {
+                "type": "integer"
+              },
+              "timelion_sheet": {
+                "type": "text"
+              },
+              "title": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              }
+            }
+          },
+          "type": {
+            "type": "keyword"
+          },
+          "updated_at": {
+            "type": "date"
+          },
+          "url": {
+            "properties": {
+              "accessCount": {
+                "type": "long"
+              },
+              "accessDate": {
+                "type": "date"
+              },
+              "createDate": {
+                "type": "date"
+              },
+              "url": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              }
+            }
+          },
+          "visualization": {
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "savedSearchId": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              },
+              "uiStateJSON": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              },
+              "visState": {
+                "type": "text"
+              }
+            }
+          }
+        }
+      }
+    },
+    "aliases": {}
+  }
+}

From e526f5ba4c45b1dba3bd2437f56b9e6e01ae1772 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Fri, 27 Jul 2018 08:53:00 -0400
Subject: [PATCH 087/183] [Spaces] - Introducing Space Identifier, Forgetting
 URL Context (#21295)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From the end-user perspective, this is a simple rebranding of the URL Context.

Internally, the space identifier is now used to represent both the url path of the space, as well as that space's document id in the kibana index.

This provides the following benefits:
1) Eliminates the need to query ES to determine the active space id.
2) Prevents two spaces from sharing the same url path, which we had to manually check for in the past
3) Simplifies using the role management API


As an added bonus, the Space Description is now optional 🎉
---
 x-pack/plugins/spaces/mappings.json           |   3 -
 .../public/views/components/space_card.js     |   6 +-
 ....js.snap => space_identifier.test.js.snap} |  24 +-
 .../edit_space/manage_space_page.js           | 311 +++++++-----------
 .../{url_context.js => space_identifier.js}   |  49 +--
 ...ntext.test.js => space_identifier.test.js} |   7 +-
 .../public/views/management/lib/index.js      |   8 +-
 ...ext_utils.js => space_identifier_utils.js} |   8 +-
 ...test.js => space_identifier_utils.test.js} |  12 +-
 .../views/management/lib/validate_space.js    |  20 +-
 .../management/lib/validate_space.test.js     |  37 ++-
 .../spaces_grid/spaces_grid_page.js           |   8 +-
 .../space_selector/space_selector.test.js     |   8 +-
 .../spaces_url_parser.test.js.snap            |   2 +-
 .../server/lib/check_duplicate_context.js     |  36 --
 .../spaces/server/lib/create_default_space.js |   1 -
 .../server/lib/create_default_space.test.js   |   2 +-
 .../server/lib/create_spaces_service.js       |  14 +-
 .../server/lib/create_spaces_service.test.js  |  17 +-
 .../spaces/server/lib/get_active_space.js     |  39 +--
 .../spaces_saved_objects_client.js            |  42 +--
 .../spaces_saved_objects_client.test.js       |   5 +-
 .../server/lib/space_request_interceptors.js  |  18 +-
 .../lib/space_request_interceptors.test.js    |  12 +-
 .../plugins/spaces/server/lib/space_schema.js |   5 +-
 .../spaces/server/lib/spaces_url_parser.js    |  21 +-
 .../server/lib/spaces_url_parser.test.js      |  29 +-
 .../spaces/server/routes/api/v1/spaces.js     |  71 +---
 .../server/routes/api/v1/spaces.test.js       | 159 +++++++--
 .../apis/saved_objects/bulk_get.js            |  10 +-
 .../apis/saved_objects/create.js              |   8 +-
 .../apis/saved_objects/delete.js              |   8 +-
 .../apis/saved_objects/find.js                |  10 +-
 .../apis/saved_objects/get.js                 |   9 +-
 .../saved_objects/lib/space_test_utils.js     |  10 +-
 .../apis/saved_objects/lib/spaces.js          |   3 -
 .../apis/saved_objects/update.js              |  10 +-
 .../saved_objects/spaces/data.json.gz         | Bin 2459 -> 2440 bytes
 .../saved_objects/spaces/mappings.json        |   3 -
 39 files changed, 449 insertions(+), 596 deletions(-)
 rename x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/{url_context.test.js.snap => space_identifier.test.js.snap} (63%)
 rename x-pack/plugins/spaces/public/views/management/edit_space/{url_context.js => space_identifier.js} (54%)
 rename x-pack/plugins/spaces/public/views/management/edit_space/{url_context.test.js => space_identifier.test.js} (80%)
 rename x-pack/plugins/spaces/public/views/management/lib/{url_context_utils.js => space_identifier_utils.js} (54%)
 rename x-pack/plugins/spaces/public/views/management/lib/{url_context_utils.test.js => space_identifier_utils.test.js} (56%)
 delete mode 100644 x-pack/plugins/spaces/server/lib/check_duplicate_context.js

diff --git a/x-pack/plugins/spaces/mappings.json b/x-pack/plugins/spaces/mappings.json
index 77e0c47c00ddd8..91c6e324e197e9 100644
--- a/x-pack/plugins/spaces/mappings.json
+++ b/x-pack/plugins/spaces/mappings.json
@@ -13,9 +13,6 @@
           }
         }
       },
-      "urlContext": {
-        "type": "keyword"
-      },
       "description": {
         "type": "text"
       },
diff --git a/x-pack/plugins/spaces/public/views/components/space_card.js b/x-pack/plugins/spaces/public/views/components/space_card.js
index 7441366d9206ed..f83f009bdb728f 100644
--- a/x-pack/plugins/spaces/public/views/components/space_card.js
+++ b/x-pack/plugins/spaces/public/views/components/space_card.js
@@ -36,11 +36,11 @@ function renderSpaceAvatar(space) {
 }
 
 function renderSpaceDescription(space) {
-  let description = space.description;
-  const needsTruncation = space.description.length > 120;
+  let description = space.description || '';
+  const needsTruncation = description.length > 120;
   if (needsTruncation) {
     description = (
-      <span title={description}>{space.description.substr(0, 120) + '…'}</span>
+      <span title={description}>{description.substr(0, 120) + '…'}</span>
     );
   }
   return <EuiTextColor className="eui-textBreakWord" color={"subdued"}>{description}</EuiTextColor>;
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/url_context.test.js.snap b/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/space_identifier.test.js.snap
similarity index 63%
rename from x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/url_context.test.js.snap
rename to x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/space_identifier.test.js.snap
index 363f3951202c6d..db250113e044da 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/url_context.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/space_identifier.test.js.snap
@@ -14,7 +14,7 @@ exports[`renders without crashing 1`] = `
     isInvalid={false}
     label={
       <p>
-        URL Context 
+        Space Identifier 
         <EuiLink
           color="primary"
           onClick={[Function]}
@@ -25,18 +25,16 @@ exports[`renders without crashing 1`] = `
       </p>
     }
   >
-    <div>
-      <EuiFieldText
-        compressed={false}
-        fullWidth={false}
-        inputRef={[Function]}
-        isLoading={false}
-        onChange={[Function]}
-        placeholder="give your space a name to see its URL Context"
-        readOnly={true}
-        value=""
-      />
-    </div>
+    <EuiFieldText
+      compressed={false}
+      fullWidth={false}
+      inputRef={[Function]}
+      isLoading={false}
+      onChange={[Function]}
+      placeholder="give your space a name to see its identifier"
+      readOnly={true}
+      value=""
+    />
   </EuiFormRow>
 </React.Fragment>
 `;
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
index c5e26244664122..8e4da3e399541c 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
@@ -21,14 +21,15 @@ import {
   EuiButton,
   EuiPageContentBody,
   EuiHorizontalRule,
+  EuiLoadingSpinner,
 } from '@elastic/eui';
 
 import { DeleteSpacesButton } from '../components';
 import { SpaceAvatar } from '../../components';
 
 import { Notifier, toastNotifications } from 'ui/notify';
-import { UrlContext } from './url_context';
-import { toUrlContext, isValidUrlContext } from '../lib/url_context_utils';
+import { SpaceIdentifier } from './space_identifier';
+import { toSpaceIdentifier } from '../lib';
 import { CustomizeSpaceAvatar } from './customize_space_avatar';
 import { isReservedSpace } from '../../../../common';
 import { ReservedSpaceBadge } from './reserved_space_badge';
@@ -37,6 +38,7 @@ import { SpaceValidator } from '../lib/validate_space';
 export class ManageSpacePage extends Component {
   state = {
     space: {},
+    isLoading: true,
   };
 
   constructor(props) {
@@ -57,7 +59,8 @@ export class ManageSpacePage extends Component {
         .then(result => {
           if (result.data) {
             this.setState({
-              space: result.data
+              space: result.data,
+              isLoading: false
             });
           }
         })
@@ -69,91 +72,21 @@ export class ManageSpacePage extends Component {
           toastNotifications.addDanger(`Error loading space: ${message}`);
           this.backToSpacesList();
         });
+    } else {
+      this.setState({ isLoading: false });
     }
   }
 
   render() {
-    const {
-      name = '',
-      description = '',
-    } = this.state.space;
+
+    const content = this.state.isLoading ? this.getLoadingIndicator() : this.getForm();
 
     return (
       <EuiPage className="manageSpacePage">
         <EuiPageBody>
           <EuiPageContent className="manageSpacePage__content">
             <EuiPageContentBody>
-              <EuiForm>
-                {this.getFormHeading()}
-
-                <EuiSpacer />
-
-                <EuiFlexGroup>
-                  <EuiFlexItem style={{ maxWidth: '400px' }}>
-                    <EuiFormRow
-                      label="Name"
-                      {...this.validator.validateSpaceName(this.state.space)}
-                    >
-                      <EuiFieldText
-                        name="name"
-                        placeholder={'Awesome space'}
-                        value={name}
-                        onChange={this.onNameChange}
-                      />
-                    </EuiFormRow>
-                  </EuiFlexItem>
-                  {
-                    name && (
-                      <EuiFlexItem grow={false}>
-                        <EuiFlexGroup responsive={false}>
-                          <EuiFlexItem grow={false}>
-                            <EuiFormRow hasEmptyLabelSpace={true}>
-                              <SpaceAvatar space={this.state.space} />
-                            </EuiFormRow>
-                          </EuiFlexItem>
-                          <CustomizeSpaceAvatar space={this.state.space} onChange={this.onAvatarChange} />
-                        </EuiFlexGroup>
-                      </EuiFlexItem>
-                    )
-                  }
-                </EuiFlexGroup>
-
-                <EuiSpacer />
-
-                {isReservedSpace(this.state.space)
-                  ? null
-                  : (
-                    <Fragment>
-                      <UrlContext
-                        space={this.state.space}
-                        editingExistingSpace={this.editingExistingSpace()}
-                        editable={true}
-                        onChange={this.onUrlContextChange}
-                        validator={this.validator}
-                      />
-                    </Fragment>
-                  )
-                }
-
-                <EuiFormRow
-                  label="Description"
-                  {...this.validator.validateSpaceDescription(this.state.space)}
-                >
-                  <EuiFieldText
-                    name="description"
-                    placeholder={'This is where the magic happens'}
-                    value={description}
-                    onChange={this.onDescriptionChange}
-                  />
-                </EuiFormRow>
-
-                <EuiSpacer />
-
-                <EuiHorizontalRule />
-
-                {this.getFormButtons()}
-
-              </EuiForm>
+              {content}
             </EuiPageContentBody>
           </EuiPageContent>
         </EuiPageBody>
@@ -161,6 +94,90 @@ export class ManageSpacePage extends Component {
     );
   }
 
+  getLoadingIndicator = () => {
+    return <div><EuiLoadingSpinner size={'xl'} /> <EuiTitle><h1>Loading...</h1></EuiTitle></div>;
+  }
+
+  getForm = () => {
+    const {
+      name = '',
+      description = '',
+    } = this.state.space;
+
+    return (
+      <EuiForm>
+        {this.getFormHeading()}
+
+        <EuiSpacer />
+
+        <EuiFlexGroup>
+          <EuiFlexItem style={{ maxWidth: '400px' }}>
+            <EuiFormRow
+              label="Name"
+              {...this.validator.validateSpaceName(this.state.space)}
+            >
+              <EuiFieldText
+                name="name"
+                placeholder={'Awesome space'}
+                value={name}
+                onChange={this.onNameChange}
+              />
+            </EuiFormRow>
+          </EuiFlexItem>
+          {
+            name && (
+              <EuiFlexItem grow={false}>
+                <EuiFlexGroup responsive={false}>
+                  <EuiFlexItem grow={false}>
+                    <EuiFormRow hasEmptyLabelSpace={true}>
+                      <SpaceAvatar space={this.state.space} />
+                    </EuiFormRow>
+                  </EuiFlexItem>
+                  <CustomizeSpaceAvatar space={this.state.space} onChange={this.onAvatarChange} />
+                </EuiFlexGroup>
+              </EuiFlexItem>
+            )
+          }
+        </EuiFlexGroup>
+
+        <EuiSpacer />
+
+        {isReservedSpace(this.state.space)
+          ? null
+          : (
+            <Fragment>
+              <SpaceIdentifier
+                space={this.state.space}
+                editable={!this.editingExistingSpace()}
+                onChange={this.onSpaceIdentifierChange}
+                validator={this.validator}
+              />
+            </Fragment>
+          )
+        }
+
+        <EuiFormRow
+          label="Description (optional)"
+          {...this.validator.validateSpaceDescription(this.state.space)}
+        >
+          <EuiFieldText
+            name="description"
+            placeholder={'This is where the magic happens'}
+            value={description}
+            onChange={this.onDescriptionChange}
+          />
+        </EuiFormRow>
+
+        <EuiSpacer />
+
+        <EuiHorizontalRule />
+
+        {this.getFormButtons()}
+
+      </EuiForm>
+    );
+  }
+
   getFormHeading = () => {
     return (
       <EuiTitle size="l"><h1>{this.getTitle()} <ReservedSpaceBadge space={this.state.space} /></h1></EuiTitle>
@@ -211,21 +228,21 @@ export class ManageSpacePage extends Component {
   };
 
   onNameChange = (e) => {
-    const canUpdateContext = !this.editingExistingSpace();
+    const canUpdateId = !this.editingExistingSpace();
 
     let {
-      urlContext
+      id
     } = this.state.space;
 
-    if (canUpdateContext) {
-      urlContext = toUrlContext(e.target.value);
+    if (canUpdateId) {
+      id = toSpaceIdentifier(e.target.value);
     }
 
     this.setState({
       space: {
         ...this.state.space,
         name: e.target.value,
-        urlContext
+        id
       }
     });
   };
@@ -239,11 +256,11 @@ export class ManageSpacePage extends Component {
     });
   };
 
-  onUrlContextChange = (e) => {
+  onSpaceIdentifierChange = (e) => {
     this.setState({
       space: {
         ...this.state.space,
-        urlContext: toUrlContext(e.target.value)
+        id: toSpaceIdentifier(e.target.value)
       }
     });
   };
@@ -272,11 +289,10 @@ export class ManageSpacePage extends Component {
   _performSave = () => {
     const {
       name = '',
-      id = toUrlContext(name),
+      id = toSpaceIdentifier(name),
       description,
       initials,
       color,
-      urlContext
     } = this.state.space;
 
     const params = {
@@ -285,117 +301,34 @@ export class ManageSpacePage extends Component {
       description,
       initials,
       color,
-      urlContext
     };
 
-    if (name && description) {
-      let action;
-      if (this.editingExistingSpace()) {
-        action = this.props.spacesManager.updateSpace(params);
-      } else {
-        action = this.props.spacesManager.createSpace(params);
-      }
-
-      action
-        .then(result => {
-          this.props.spacesNavState.refreshSpacesList();
-          toastNotifications.addSuccess(`Saved '${result.data.name}'`);
-          window.location.hash = `#/management/spaces/list`;
-        })
-        .catch(error => {
-          const {
-            message = ''
-          } = error.data || {};
-
-          toastNotifications.addDanger(`Error saving space: ${message}`);
-        });
+    let action;
+    if (this.editingExistingSpace()) {
+      action = this.props.spacesManager.updateSpace(params);
+    } else {
+      action = this.props.spacesManager.createSpace(params);
     }
+
+    action
+      .then(result => {
+        this.props.spacesNavState.refreshSpacesList();
+        toastNotifications.addSuccess(`Saved '${result.data.name}'`);
+        window.location.hash = `#/management/spaces/list`;
+      })
+      .catch(error => {
+        const {
+          message = ''
+        } = error.data || {};
+
+        toastNotifications.addDanger(`Error saving space: ${message}`);
+      });
   };
 
   backToSpacesList = () => {
     window.location.hash = `#/management/spaces/list`;
   };
 
-  validateName = () => {
-    if (!this.state.validate) {
-      return {};
-    }
-
-    const {
-      name
-    } = this.state.space;
-
-    if (!name) {
-      return {
-        isInvalid: true,
-        error: 'Name is required'
-      };
-    }
-
-    return {};
-  };
-
-  validateDescription = () => {
-    if (!this.state.validate) {
-      return {};
-    }
-
-    const {
-      description
-    } = this.state.space;
-
-    if (!description) {
-      return {
-        isInvalid: true,
-        error: 'Description is required'
-      };
-    }
-
-    return {};
-  };
-
-  validateUrlContext = () => {
-    if (!this.state.validate) {
-      return {};
-    }
-
-    const {
-      urlContext
-    } = this.state.space;
-
-    if (!urlContext) {
-      return {
-        isInvalid: true,
-        error: 'URL Context is required'
-      };
-    }
-
-    if (!isValidUrlContext(urlContext)) {
-      return {
-        isInvalid: true,
-        error: 'URL Context only allows a-z, 0-9, and the "-" character'
-      };
-    }
-
-    return {};
-
-  };
-
-  validateForm = () => {
-    if (!this.state.validate) {
-      return {};
-    }
-
-    const validations = [this.validateName(), this.validateDescription(), this.validateUrlContext()];
-    if (validations.some(validation => validation.isInvalid)) {
-      return {
-        isInvalid: true
-      };
-    }
-
-    return {};
-  };
-
   editingExistingSpace = () => !!this.props.space;
 }
 
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/url_context.js b/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.js
similarity index 54%
rename from x-pack/plugins/spaces/public/views/management/edit_space/url_context.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.js
index 853c0abde745e5..9fcd7460114b06 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/url_context.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.js
@@ -10,11 +10,9 @@ import {
   EuiFormRow,
   EuiLink,
   EuiFieldText,
-  EuiCallOut,
-  EuiSpacer
 } from '@elastic/eui';
 
-export class UrlContext extends Component {
+export class SpaceIdentifier extends Component {
   textFieldRef = null;
 
   state = {
@@ -23,7 +21,7 @@ export class UrlContext extends Component {
 
   render() {
     const {
-      urlContext = ''
+      id = ''
     } = this.props.space;
 
     return (
@@ -31,18 +29,15 @@ export class UrlContext extends Component {
         <EuiFormRow
           label={this.getLabel()}
           helpText={this.getHelpText()}
-          {...this.props.validator.validateUrlContext(this.props.space)}
+          {...this.props.validator.validateSpaceIdentifier(this.props.space)}
         >
-          <div>
-            <EuiFieldText
-              readOnly={!this.state.editing}
-              placeholder={this.state.editing || !this.props.editable ? null : 'give your space a name to see its URL Context'}
-              value={urlContext}
-              onChange={this.onChange}
-              inputRef={(ref) => this.textFieldRef = ref}
-            />
-            {this.getCallOut()}
-          </div>
+          <EuiFieldText
+            readOnly={!this.state.editing}
+            placeholder={this.state.editing || !this.props.editable ? null : 'give your space a name to see its identifier'}
+            value={id}
+            onChange={this.onChange}
+            inputRef={(ref) => this.textFieldRef = ref}
+          />
         </EuiFormRow>
       </Fragment>
     );
@@ -50,34 +45,17 @@ export class UrlContext extends Component {
 
   getLabel = () => {
     if (!this.props.editable) {
-      return (<p>URL Context</p>);
+      return (<p>Space Identifier</p>);
     }
 
     const editLinkText = this.state.editing ? `[stop editing]` : `[edit]`;
-    return (<p>URL Context <EuiLink onClick={this.onEditClick}>{editLinkText}</EuiLink></p>);
+    return (<p>Space Identifier <EuiLink onClick={this.onEditClick}>{editLinkText}</EuiLink></p>);
   };
 
   getHelpText = () => {
     return (<p>Links within Kibana will include this space identifier</p>);
   };
 
-  getCallOut = () => {
-    if (this.props.editingExistingSpace && this.state.editing) {
-      return (
-        <Fragment>
-          <EuiSpacer />
-          <EuiCallOut
-            color={'warning'}
-            size={'s'}
-            title={'Changing the URL Context will invalidate all existing links and bookmarks to this space'}
-          />
-        </Fragment>
-      );
-    }
-
-    return null;
-  };
-
   onEditClick = () => {
     this.setState({
       editing: !this.state.editing
@@ -94,10 +72,9 @@ export class UrlContext extends Component {
   };
 }
 
-UrlContext.propTypes = {
+SpaceIdentifier.propTypes = {
   space: PropTypes.object.isRequired,
   editable: PropTypes.bool.isRequired,
-  editingExistingSpace: PropTypes.bool.isRequired,
   onChange: PropTypes.func,
   validator: PropTypes.object.isRequired,
 };
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/url_context.test.js b/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.test.js
similarity index 80%
rename from x-pack/plugins/spaces/public/views/management/edit_space/url_context.test.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.test.js
index 13c1caca899878..7970b2633ca855 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/url_context.test.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.test.js
@@ -6,17 +6,16 @@
 
 import React from 'react';
 import { shallow } from 'enzyme';
-import { UrlContext } from './url_context';
+import { SpaceIdentifier } from './space_identifier';
 import { SpaceValidator } from '../lib';
 
 test('renders without crashing', () => {
   const props = {
     space: {},
     editable: true,
-    editingExistingSpace: false,
     onChange: jest.fn(),
     validator: new SpaceValidator()
   };
-  const wrapper = shallow(<UrlContext {...props} />);
+  const wrapper = shallow(<SpaceIdentifier {...props} />);
   expect(wrapper).toMatchSnapshot();
-});
\ No newline at end of file
+});
diff --git a/x-pack/plugins/spaces/public/views/management/lib/index.js b/x-pack/plugins/spaces/public/views/management/lib/index.js
index 0d213ec10b93c1..ab5331a58a7424 100644
--- a/x-pack/plugins/spaces/public/views/management/lib/index.js
+++ b/x-pack/plugins/spaces/public/views/management/lib/index.js
@@ -5,10 +5,10 @@
  */
 
 export {
-  toUrlContext,
-  isValidUrlContext
-} from './url_context_utils';
+  toSpaceIdentifier,
+  isValidSpaceIdentifier,
+} from './space_identifier_utils';
 
 export {
   SpaceValidator
-} from './validate_space';
\ No newline at end of file
+} from './validate_space';
diff --git a/x-pack/plugins/spaces/public/views/management/lib/url_context_utils.js b/x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.js
similarity index 54%
rename from x-pack/plugins/spaces/public/views/management/lib/url_context_utils.js
rename to x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.js
index bf9fe48d4037ac..d7defc266b715c 100644
--- a/x-pack/plugins/spaces/public/views/management/lib/url_context_utils.js
+++ b/x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.js
@@ -4,10 +4,10 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export function toUrlContext(value = '') {
-  return value.toLowerCase().replace(/[^a-z0-9]/g, '-');
+export function toSpaceIdentifier(value = '') {
+  return value.toLowerCase().replace(/[^a-z0-9_]/g, '-');
 }
 
-export function isValidUrlContext(value = '') {
-  return value === toUrlContext(value);
+export function isValidSpaceIdentifier(value = '') {
+  return value === toSpaceIdentifier(value);
 }
diff --git a/x-pack/plugins/spaces/public/views/management/lib/url_context_utils.test.js b/x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.test.js
similarity index 56%
rename from x-pack/plugins/spaces/public/views/management/lib/url_context_utils.test.js
rename to x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.test.js
index 522436163271fb..1a3cd091bb8614 100644
--- a/x-pack/plugins/spaces/public/views/management/lib/url_context_utils.test.js
+++ b/x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.test.js
@@ -3,22 +3,22 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import { toUrlContext } from './url_context_utils';
+import { toSpaceIdentifier } from './space_identifier_utils';
 
 test('it converts whitespace to dashes', () => {
   const input = `this is a test`;
-  expect(toUrlContext(input)).toEqual('this-is-a-test');
+  expect(toSpaceIdentifier(input)).toEqual('this-is-a-test');
 });
 
 test('it converts everything to lowercase', () => {
   const input = `THIS IS A TEST`;
-  expect(toUrlContext(input)).toEqual('this-is-a-test');
+  expect(toSpaceIdentifier(input)).toEqual('this-is-a-test');
 });
 
-test('it converts non-alphanumeric characters to dashes', () => {
-  const input = `~!@#$%^&*()_+-=[]{}\|';:"/.,<>?` + "`";
+test('it converts non-alphanumeric characters except for "_" to dashes', () => {
+  const input = `~!@#$%^&*()+-=[]{}\|';:"/.,<>?` + "`";
 
   const expectedResult = new Array(input.length + 1).join('-');
 
-  expect(toUrlContext(input)).toEqual(expectedResult);
+  expect(toSpaceIdentifier(input)).toEqual(expectedResult);
 });
diff --git a/x-pack/plugins/spaces/public/views/management/lib/validate_space.js b/x-pack/plugins/spaces/public/views/management/lib/validate_space.js
index a59a5ee0ef6f81..56d22ca39aad5c 100644
--- a/x-pack/plugins/spaces/public/views/management/lib/validate_space.js
+++ b/x-pack/plugins/spaces/public/views/management/lib/validate_space.js
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import { isValidUrlContext } from './url_context_utils';
+import { isValidSpaceIdentifier } from './space_identifier_utils';
 import { isReservedSpace } from '../../../../common/is_reserved_space';
 
 export class SpaceValidator {
@@ -36,24 +36,24 @@ export class SpaceValidator {
   validateSpaceDescription(space) {
     if (!this._shouldValidate) return valid();
 
-    if (!space.description) {
-      return invalid(`Please provide a space description`);
+    if (space.description && space.description.length > 2000) {
+      return invalid(`Description must not exceed 2000 characters`);
     }
 
     return valid();
   }
 
-  validateUrlContext(space) {
+  validateSpaceIdentifier(space) {
     if (!this._shouldValidate) return valid();
 
     if (isReservedSpace(space)) return valid();
 
-    if (!space.urlContext) {
-      return invalid(`URL Context is required`);
+    if (!space.id) {
+      return invalid(`Space Identifier is required`);
     }
 
-    if (!isValidUrlContext(space.urlContext)) {
-      return invalid('URL Context only allows a-z, 0-9, and the "-" character');
+    if (!isValidSpaceIdentifier(space.id)) {
+      return invalid('Space Identifier only allows a-z, 0-9, "_", and the "-" character');
     }
 
     return valid();
@@ -62,9 +62,9 @@ export class SpaceValidator {
   validateForSave(space) {
     const { isInvalid: isNameInvalid } = this.validateSpaceName(space);
     const { isInvalid: isDescriptionInvalid } = this.validateSpaceDescription(space);
-    const { isInvalid: isContextInvalid } = this.validateUrlContext(space);
+    const { isInvalid: isIdentifierInvalid } = this.validateSpaceIdentifier(space);
 
-    if (isNameInvalid || isDescriptionInvalid || isContextInvalid) {
+    if (isNameInvalid || isDescriptionInvalid || isIdentifierInvalid) {
       return invalid();
     }
 
diff --git a/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js b/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js
index 6c0f2c2bcc10e1..5adbb2ec5090e1 100644
--- a/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js
+++ b/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js
@@ -39,46 +39,53 @@ describe('validateSpaceName', () => {
 });
 
 describe('validateSpaceDescription', () => {
-  test('it requires a non-empty value', () => {
+  test('is optional', () => {
     const space = {
-      description: ''
     };
 
-    expect(validator.validateSpaceDescription(space)).toEqual({ isInvalid: true, error: `Please provide a space description` });
+    expect(validator.validateSpaceDescription(space)).toEqual({ isInvalid: false });
+  });
+
+  test('it cannot exceed 2000 characters', () => {
+    const space = {
+      description: new Array(2002).join('A')
+    };
+
+    expect(validator.validateSpaceDescription(space)).toEqual({ isInvalid: true, error: `Description must not exceed 2000 characters` });
   });
 });
 
-describe('validateUrlContext', () => {
+describe('validateSpaceIdentifier', () => {
   test('it does not validate reserved spaces', () => {
     const space = {
       _reserved: true
     };
 
-    expect(validator.validateUrlContext(space)).toEqual({ isInvalid: false });
+    expect(validator.validateSpaceIdentifier(space)).toEqual({ isInvalid: false });
   });
 
   test('it requires a non-empty value', () => {
     const space = {
-      urlContext: ''
+      id: ''
     };
 
-    expect(validator.validateUrlContext(space)).toEqual({ isInvalid: true, error: `URL Context is required` });
+    expect(validator.validateSpaceIdentifier(space)).toEqual({ isInvalid: true, error: `Space Identifier is required` });
   });
 
-  test('it requires a valid URL Context', () => {
+  test('it requires a valid Space Identifier', () => {
     const space = {
-      urlContext: 'invalid context'
+      id: 'invalid identifier'
     };
 
-    expect(validator.validateUrlContext(space))
-      .toEqual({ isInvalid: true, error: 'URL Context only allows a-z, 0-9, and the "-" character' });
+    expect(validator.validateSpaceIdentifier(space))
+      .toEqual({ isInvalid: true, error: 'Space Identifier only allows a-z, 0-9, "_", and the "-" character' });
   });
 
-  test('it allows a valid URL Context', () => {
+  test('it allows a valid Space Identifier', () => {
     const space = {
-      urlContext: '01-valid-context-01'
+      id: '01-valid-context-01'
     };
 
-    expect(validator.validateUrlContext(space)).toEqual({ isInvalid: false });
+    expect(validator.validateSpaceIdentifier(space)).toEqual({ isInvalid: false });
   });
-});
\ No newline at end of file
+});
diff --git a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
index f18db68dc5a74b..8a5c3ecd9ae81b 100644
--- a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
+++ b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
@@ -123,12 +123,12 @@ export class SpacesGridPage extends Component {
         );
       }
     }, {
-      field: 'description',
-      name: 'Description',
+      field: 'id',
+      name: 'Identifier',
       sortable: true
     }, {
-      field: 'urlContext',
-      name: 'URL Context',
+      field: 'description',
+      name: 'Description',
       sortable: true
     }];
   }
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js
index 2277ec4757a7e9..eccdddb16c1e7e 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js
@@ -13,7 +13,7 @@ import { SpacesManager } from '../../lib/spaces_manager';
 
 
 function getHttpAgent(spaces = []) {
-  const httpAgent = () => {};
+  const httpAgent = () => { };
   httpAgent.get = jest.fn(() => Promise.resolve({ data: spaces }));
 
   return httpAgent;
@@ -32,7 +32,7 @@ function getSpacesManager(spaces = []) {
 test('it renders without crashing', () => {
   const spacesManager = getSpacesManager();
   const component = renderer.create(
-    <SpaceSelector spaces={[]} spacesManager={spacesManager}/>
+    <SpaceSelector spaces={[]} spacesManager={spacesManager} />
   );
   expect(component).toMatchSnapshot();
 });
@@ -44,7 +44,6 @@ test('it uses the spaces on props, when provided', () => {
     id: 'space-1',
     name: 'Space 1',
     description: 'This is the first space',
-    urlContext: 'space-1-context'
   }];
 
   const component = render(
@@ -64,13 +63,12 @@ test('it queries for spaces when not provided on props', () => {
     id: 'space-1',
     name: 'Space 1',
     description: 'This is the first space',
-    urlContext: 'space-1-context'
   }];
 
   const spacesManager = getSpacesManager(spaces);
 
   shallow(
-    <SpaceSelector spacesManager={spacesManager}/>
+    <SpaceSelector spacesManager={spacesManager} />
   );
 
   return Promise
diff --git a/x-pack/plugins/spaces/server/lib/__snapshots__/spaces_url_parser.test.js.snap b/x-pack/plugins/spaces/server/lib/__snapshots__/spaces_url_parser.test.js.snap
index a42d029097b670..d08be39f9282ea 100644
--- a/x-pack/plugins/spaces/server/lib/__snapshots__/spaces_url_parser.test.js.snap
+++ b/x-pack/plugins/spaces/server/lib/__snapshots__/spaces_url_parser.test.js.snap
@@ -1,3 +1,3 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`addSpaceUrlContext it throws an error when the requested path does not start with a slash 1`] = `"path must start with a /"`;
+exports[`addSpaceIdToPath it throws an error when the requested path does not start with a slash 1`] = `"path must start with a /"`;
diff --git a/x-pack/plugins/spaces/server/lib/check_duplicate_context.js b/x-pack/plugins/spaces/server/lib/check_duplicate_context.js
deleted file mode 100644
index a3f0125fb777ce..00000000000000
--- a/x-pack/plugins/spaces/server/lib/check_duplicate_context.js
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-export function createDuplicateContextQuery(index, { id, urlContext }) {
-  let mustNotClause = {};
-
-  if (id) {
-    mustNotClause = {
-      must_not: {
-        term: {
-          '_id': `space:${id}`
-        }
-      }
-    };
-  }
-
-  return {
-    index,
-    ignore: [404],
-    body: {
-      query: {
-        bool: {
-          must: {
-            term: {
-              [`space.urlContext`]: urlContext
-            }
-          },
-          ...mustNotClause
-        }
-      }
-    }
-  };
-}
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.js b/x-pack/plugins/spaces/server/lib/create_default_space.js
index 0408105a6944c8..fc19ee325d14f3 100644
--- a/x-pack/plugins/spaces/server/lib/create_default_space.js
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.js
@@ -27,7 +27,6 @@ export async function createDefaultSpace(server) {
   await savedObjectsRepository.create('space', {
     name: 'Default Space',
     description: 'This is your Default Space!',
-    urlContext: '',
     _reserved: true
   }, options);
 }
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.test.js b/x-pack/plugins/spaces/server/lib/create_default_space.test.js
index d2b4df363eb78b..1d5a243315e928 100644
--- a/x-pack/plugins/spaces/server/lib/create_default_space.test.js
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.test.js
@@ -78,7 +78,7 @@ test(`it creates the default space when one does not exist`, async () => {
   expect(repository.create).toHaveBeenCalledTimes(1);
   expect(repository.create).toHaveBeenCalledWith(
     'space',
-    { "_reserved": true, "description": "This is your Default Space!", "name": "Default Space", "urlContext": "" },
+    { "_reserved": true, "description": "This is your Default Space!", "name": "Default Space" },
     { "id": "default" }
   );
 });
diff --git a/x-pack/plugins/spaces/server/lib/create_spaces_service.js b/x-pack/plugins/spaces/server/lib/create_spaces_service.js
index d393a6937ef504..3ee55354da8dcc 100644
--- a/x-pack/plugins/spaces/server/lib/create_spaces_service.js
+++ b/x-pack/plugins/spaces/server/lib/create_spaces_service.js
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { getSpaceUrlContext } from './spaces_url_parser';
+import { getSpaceIdFromPath } from './spaces_url_parser';
 
 export function createSpacesService(server) {
 
@@ -12,24 +12,24 @@ export function createSpacesService(server) {
 
   const contextCache = new WeakMap();
 
-  function getUrlContext(request) {
+  function getSpaceId(request) {
     if (!contextCache.has(request)) {
       populateCache(request);
     }
 
-    const { urlContext } = contextCache.get(request);
-    return urlContext;
+    const { spaceId } = contextCache.get(request);
+    return spaceId;
   }
 
   function populateCache(request) {
-    const urlContext = getSpaceUrlContext(request.getBasePath(), serverBasePath);
+    const spaceId = getSpaceIdFromPath(request.getBasePath(), serverBasePath);
 
     contextCache.set(request, {
-      urlContext
+      spaceId
     });
   }
 
   return {
-    getUrlContext,
+    getSpaceId,
   };
 }
diff --git a/x-pack/plugins/spaces/server/lib/create_spaces_service.test.js b/x-pack/plugins/spaces/server/lib/create_spaces_service.test.js
index 578a161229c41b..c27a505616018b 100644
--- a/x-pack/plugins/spaces/server/lib/create_spaces_service.test.js
+++ b/x-pack/plugins/spaces/server/lib/create_spaces_service.test.js
@@ -5,9 +5,10 @@
  */
 
 import { createSpacesService } from "./create_spaces_service";
+import { DEFAULT_SPACE_ID } from '../../common/constants';
 
-const createRequest = (urlContext, serverBasePath = '') => ({
-  getBasePath: () => urlContext ? `${serverBasePath}/s/${urlContext}` : serverBasePath
+const createRequest = (spaceId, serverBasePath = '') => ({
+  getBasePath: () => spaceId && spaceId !== DEFAULT_SPACE_ID ? `${serverBasePath}/s/${spaceId}` : serverBasePath
 });
 
 const createMockServer = (config) => {
@@ -22,31 +23,31 @@ const createMockServer = (config) => {
   };
 };
 
-test('returns empty string for the default space', () => {
+test('returns the default space ID', () => {
   const server = createMockServer({
     'server.basePath': ''
   });
 
   const service = createSpacesService(server);
-  expect(service.getUrlContext(createRequest())).toEqual('');
+  expect(service.getSpaceId(createRequest())).toEqual(DEFAULT_SPACE_ID);
 });
 
-test('returns the urlContext for the current space', () => {
+test('returns the id for the current space', () => {
   const request = createRequest('my-space-context');
   const server = createMockServer({
     'server.basePath': ''
   });
 
   const service = createSpacesService(server);
-  expect(service.getUrlContext(request)).toEqual('my-space-context');
+  expect(service.getSpaceId(request)).toEqual('my-space-context');
 });
 
-test(`returns the urlContext for the current space when a server basepath is defined`, () => {
+test(`returns the id for the current space when a server basepath is defined`, () => {
   const request = createRequest('my-space-context', '/foo');
   const server = createMockServer({
     'server.basePath': '/foo'
   });
 
   const service = createSpacesService(server);
-  expect(service.getUrlContext(request)).toEqual('my-space-context');
+  expect(service.getSpaceId(request)).toEqual('my-space-context');
 });
diff --git a/x-pack/plugins/spaces/server/lib/get_active_space.js b/x-pack/plugins/spaces/server/lib/get_active_space.js
index 834682228eaa40..5ab9bb744b3c66 100644
--- a/x-pack/plugins/spaces/server/lib/get_active_space.js
+++ b/x-pack/plugins/spaces/server/lib/get_active_space.js
@@ -6,20 +6,15 @@
 
 import Boom from 'boom';
 import { wrapError } from './errors';
-import { getSpaceUrlContext } from './spaces_url_parser';
-import { DEFAULT_SPACE_ID } from '../../common/constants';
+import { getSpaceIdFromPath } from './spaces_url_parser';
 
 export async function getActiveSpace(savedObjectsClient, requestBasePath, serverBasePath) {
-  const spaceContext = getSpaceUrlContext(requestBasePath, serverBasePath);
+  const spaceId = getSpaceIdFromPath(requestBasePath, serverBasePath);
 
   let space;
 
   try {
-    if (spaceContext) {
-      space = await getSpaceByUrlContext(savedObjectsClient, spaceContext);
-    } else {
-      space = await getDefaultSpace(savedObjectsClient);
-    }
+    space = await getSpaceById(savedObjectsClient, spaceId);
   }
   catch (e) {
     throw wrapError(e);
@@ -37,30 +32,6 @@ export async function getActiveSpace(savedObjectsClient, requestBasePath, server
   };
 }
 
-async function getDefaultSpace(savedObjectsClient) {
-  return savedObjectsClient.get('space', DEFAULT_SPACE_ID);
-}
-
-async function getSpaceByUrlContext(savedObjectsClient, urlContext) {
-  const {
-    saved_objects: savedObjects
-  } = await savedObjectsClient.find({
-    type: 'space',
-    search: `"${urlContext}"`,
-    search_fields: ['urlContext'],
-  });
-
-  if (savedObjects.length === 0) {
-    return null;
-  }
-
-  if (savedObjects.length > 1) {
-    const spaceNames = savedObjects.map(s => s.attributes.name).join(', ');
-
-    throw Boom.badRequest(
-      `Multiple Spaces share this URL Context: (${spaceNames}). Please correct this in the Management Section.`
-    );
-  }
-
-  return savedObjects[0];
+async function getSpaceById(savedObjectsClient, spaceId) {
+  return savedObjectsClient.get('space', spaceId);
 }
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
index 28471c3d928ba6..9fc4064723184a 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
@@ -23,7 +23,7 @@ export class SpacesSavedObjectsClient {
     this._client = baseClient;
     this._types = types;
 
-    this._spaceUrlContext = spacesService.getUrlContext(request);
+    this._spaceId = spacesService.getSpaceId(request);
   }
 
   /**
@@ -39,7 +39,7 @@ export class SpacesSavedObjectsClient {
   */
   async create(type, attributes = {}, options = {}) {
 
-    const spaceId = await this._getSpaceId();
+    const spaceId = this._spaceId;
 
     const createOptions = {
       ...options,
@@ -66,7 +66,7 @@ export class SpacesSavedObjectsClient {
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes, error: { message } }]}
    */
   async bulkCreate(objects, options = {}) {
-    const spaceId = await this._getSpaceId();
+    const spaceId = this._spaceId;
     const objectsToCreate = objects.map(object => {
 
       const objectToCreate = {
@@ -127,7 +127,7 @@ export class SpacesSavedObjectsClient {
 
     const filters = options.filters || [];
 
-    const spaceId = await this._getSpaceId();
+    const spaceId = this._spaceId;
 
     spaceOptions.filters = [...filters, ...getSpacesQueryFilters(spaceId, types)];
 
@@ -150,7 +150,7 @@ export class SpacesSavedObjectsClient {
    */
   async bulkGet(objects = [], options = {}) {
     // ES 'mget' does not support queries, so we have to filter results after the fact.
-    const thisSpaceId = await this._getSpaceId();
+    const thisSpaceId = this._spaceId;
 
     const extraDocumentProperties = this._collectExtraDocumentProperties(['spaceId', 'type'], options.extraDocumentProperties);
 
@@ -200,7 +200,7 @@ export class SpacesSavedObjectsClient {
     const { spaceId: objectSpaceId = DEFAULT_SPACE_ID } = response;
 
     if (isTypeSpaceAware(type)) {
-      const thisSpaceId = await this._getSpaceId();
+      const thisSpaceId = this._spaceId;
       if (objectSpaceId !== thisSpaceId) {
         throw this._client.errors.createGenericNotFoundError();
       }
@@ -232,7 +232,7 @@ export class SpacesSavedObjectsClient {
     if (isTypeSpaceAware(type)) {
       await this.get(type, id);
 
-      const spaceId = await this._getSpaceId();
+      const spaceId = this._spaceId;
 
       if (this._shouldAssignSpaceId(type, spaceId)) {
         updateOptions.extraDocumentProperties.spaceId = spaceId;
@@ -244,34 +244,6 @@ export class SpacesSavedObjectsClient {
     return await this._client.update(type, id, attributes, updateOptions);
   }
 
-  async _getSpaceId() {
-    if (!this._spaceUrlContext) {
-      return DEFAULT_SPACE_ID;
-    }
-
-    if (!this._spaceId) {
-      this._spaceId = await this._findSpace(this._spaceUrlContext);
-    }
-
-    return this._spaceId;
-  }
-
-  async _findSpace(urlContext) {
-    const {
-      saved_objects: spaces = []
-    } = await this._client.find({
-      type: 'space',
-      search: `${urlContext}`,
-      search_fields: ['urlContext']
-    });
-
-    if (spaces.length > 0) {
-      return spaces[0].id;
-    }
-
-    return null;
-  }
-
   _collectExtraDocumentProperties(thisClientProperties, optionalProperties = []) {
     return uniq([...thisClientProperties, ...optionalProperties]).value();
   }
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
index 4c7454d43f5da1..7e9fab3116d70a 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
@@ -6,6 +6,7 @@
 
 import { SpacesSavedObjectsClient } from './spaces_saved_objects_client';
 import { createSpacesService } from '../create_spaces_service';
+import { DEFAULT_SPACE_ID } from '../../../common/constants';
 
 const createObjectEntry = (type, id, spaceId) => ({
   [id]: {
@@ -35,7 +36,7 @@ const server = {
 };
 
 const createMockRequest = (space) => ({
-  getBasePath: () => space.urlContext ? `/s/${space.urlContext}` : '',
+  getBasePath: () => space.id !== DEFAULT_SPACE_ID ? `/s/${space.id}` : '',
 });
 
 const createMockClient = (space) => {
@@ -74,7 +75,6 @@ const createMockClient = (space) => {
 describe('default space', () => {
   const currentSpace = {
     id: 'default',
-    urlContext: ''
   };
 
   describe('#get', () => {
@@ -723,7 +723,6 @@ describe('default space', () => {
 describe('current space (space_1)', () => {
   const currentSpace = {
     id: 'space_1',
-    urlContext: 'space-1'
   };
 
   describe('#get', () => {
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.js b/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
index a5ec62b2f7e76d..5f0612f821b65c 100644
--- a/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
@@ -5,7 +5,8 @@
  */
 
 import { wrapError } from './errors';
-import { addSpaceUrlContext, getSpaceUrlContext } from './spaces_url_parser';
+import { addSpaceIdToPath, getSpaceIdFromPath } from './spaces_url_parser';
+import { DEFAULT_SPACE_ID } from '../../common/constants';
 
 export function initSpacesRequestInterceptors(server) {
 
@@ -16,10 +17,10 @@ export function initSpacesRequestInterceptors(server) {
 
     // If navigating within the context of a space, then we store the Space's URL Context on the request,
     // and rewrite the request to not include the space identifier in the URL.
-    const spaceUrlContext = getSpaceUrlContext(path, serverBasePath);
+    const spaceId = getSpaceIdFromPath(path, serverBasePath);
 
-    if (spaceUrlContext) {
-      const reqBasePath = `/s/${spaceUrlContext}`;
+    if (spaceId !== DEFAULT_SPACE_ID) {
+      const reqBasePath = `/s/${spaceId}`;
       request.setBasePath(reqBasePath);
 
       const newLocation = path.substr(reqBasePath.length) || '/';
@@ -41,13 +42,11 @@ export function initSpacesRequestInterceptors(server) {
     const path = request.path;
 
     const isRequestingKibanaRoot = path === '/';
-    const { spaces } = server;
-    const urlContext = await spaces.getUrlContext(request);
 
     // if requesting the application root, then show the Space Selector UI to allow the user to choose which space
     // they wish to visit. This is done "onPostAuth" to allow the Saved Objects Client to use the request's auth scope,
     // which is not available at the time of "onRequest".
-    if (isRequestingKibanaRoot && !urlContext) {
+    if (isRequestingKibanaRoot) {
       try {
         const client = request.getSavedObjectsClient();
         const { total, saved_objects: spaceObjects } = await client.find({
@@ -62,11 +61,8 @@ export function initSpacesRequestInterceptors(server) {
           // If only one space is available, then send user there directly.
           // No need for an interstitial screen where there is only one possible outcome.
           const space = spaceObjects[0];
-          const {
-            urlContext
-          } = space.attributes;
 
-          const destination = addSpaceUrlContext(basePath, urlContext, defaultRoute);
+          const destination = addSpaceIdToPath(basePath, space.id, defaultRoute);
           return reply.redirect(destination);
         }
 
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js b/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
index 05fddbe43fbbab..feb6bebeef5f15 100644
--- a/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
@@ -164,10 +164,9 @@ describe('interceptors', () => {
         });
 
         const spaces = [{
-          id: 'space:a-space',
+          id: 'a-space',
           attributes: {
             name: 'a space',
-            urlContext: 'a-space',
           }
         }];
 
@@ -197,10 +196,9 @@ describe('interceptors', () => {
         });
 
         const spaces = [{
-          id: 'space:default',
+          id: 'default',
           attributes: {
             name: 'Default Space',
-            urlContext: '',
           }
         }];
 
@@ -216,16 +214,14 @@ describe('interceptors', () => {
       test('it redirects to the Space Selector App when navigating to Kibana root', async () => {
 
         const spaces = [{
-          id: 'space:a-space',
+          id: 'a-space',
           attributes: {
             name: 'a space',
-            urlContext: 'a-space',
           }
         }, {
-          id: 'space:b-space',
+          id: 'b-space',
           attributes: {
             name: 'b space',
-            urlContext: 'b-space',
           }
         }];
 
diff --git a/x-pack/plugins/spaces/server/lib/space_schema.js b/x-pack/plugins/spaces/server/lib/space_schema.js
index 82dd81ee1705ec..dc60c10a36bc2b 100644
--- a/x-pack/plugins/spaces/server/lib/space_schema.js
+++ b/x-pack/plugins/spaces/server/lib/space_schema.js
@@ -8,10 +8,9 @@ import Joi from 'joi';
 import { MAX_SPACE_INITIALS } from '../../common/constants';
 
 export const spaceSchema = Joi.object({
-  id: Joi.string(),
+  id: Joi.string().regex(/[a-z0-9_\-]*/, `lower case, a-z, 0-9, "_", and "-" are allowed`),
   name: Joi.string().required(),
-  description: Joi.string().required(),
-  urlContext: Joi.string().regex(/[a-z0-9\-]*/, `lower case, a-z, 0-9, and "-" are allowed`),
+  description: Joi.string(),
   initials: Joi.string().max(MAX_SPACE_INITIALS),
   color: Joi.string().regex(/^#[a-z0-9]{6}$/, `6 digit hex color, starting with a #`),
   _reserved: Joi.boolean()
diff --git a/x-pack/plugins/spaces/server/lib/spaces_url_parser.js b/x-pack/plugins/spaces/server/lib/spaces_url_parser.js
index 7c0cf5d32776be..397863785e86c7 100644
--- a/x-pack/plugins/spaces/server/lib/spaces_url_parser.js
+++ b/x-pack/plugins/spaces/server/lib/spaces_url_parser.js
@@ -3,33 +3,38 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+import { DEFAULT_SPACE_ID } from '../../common/constants';
 
-export function getSpaceUrlContext(requestBasePath = '/', serverBasePath = '/') {
+export function getSpaceIdFromPath(requestBasePath = '/', serverBasePath = '/') {
   let pathToCheck = requestBasePath;
 
   if (serverBasePath && serverBasePath !== '/' && requestBasePath.startsWith(serverBasePath)) {
     pathToCheck = requestBasePath.substr(serverBasePath.length);
   }
   // Look for `/s/space-url-context` in the base path
-  const matchResult = pathToCheck.match(/^\/s\/([a-z0-9\-]+)/);
+  const matchResult = pathToCheck.match(/^\/s\/([a-z0-9_\-]+)/);
 
   if (!matchResult || matchResult.length === 0) {
-    return '';
+    return DEFAULT_SPACE_ID;
   }
 
   // Ignoring first result, we only want the capture group result at index 1
-  const [, urlContext = ''] = matchResult;
+  const [, spaceId] = matchResult;
 
-  return urlContext;
+  if (!spaceId) {
+    throw new Error(`Unable to determine Space ID from request path: ${requestBasePath}`);
+  }
+
+  return spaceId;
 }
 
-export function addSpaceUrlContext(basePath = '/', urlContext = '', requestedPath = '') {
+export function addSpaceIdToPath(basePath = '/', spaceId = '', requestedPath = '') {
   if (requestedPath && !requestedPath.startsWith('/')) {
     throw new Error(`path must start with a /`);
   }
 
-  if (urlContext) {
-    return `${basePath}/s/${urlContext}${requestedPath}`;
+  if (spaceId && spaceId !== DEFAULT_SPACE_ID) {
+    return `${basePath}/s/${spaceId}${requestedPath}`;
   }
   return `${basePath}${requestedPath}`;
 }
diff --git a/x-pack/plugins/spaces/server/lib/spaces_url_parser.test.js b/x-pack/plugins/spaces/server/lib/spaces_url_parser.test.js
index 3d2ddaee6137fb..68234b3ba48fb6 100644
--- a/x-pack/plugins/spaces/server/lib/spaces_url_parser.test.js
+++ b/x-pack/plugins/spaces/server/lib/spaces_url_parser.test.js
@@ -3,65 +3,66 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import { getSpaceUrlContext, addSpaceUrlContext } from './spaces_url_parser';
+import { getSpaceIdFromPath, addSpaceIdToPath } from './spaces_url_parser';
+import { DEFAULT_SPACE_ID } from '../../common/constants';
 
-describe('getSpaceUrlContext', () => {
+describe('getSpaceIdFromPath', () => {
   describe('without a serverBasePath defined', () => {
     test('it identifies the space url context', () => {
       const basePath = `/s/my-awesome-space-lives-here`;
-      expect(getSpaceUrlContext(basePath)).toEqual('my-awesome-space-lives-here');
+      expect(getSpaceIdFromPath(basePath)).toEqual('my-awesome-space-lives-here');
     });
 
     test('ignores space identifiers in the middle of the path', () => {
       const basePath = `/this/is/a/crazy/path/s/my-awesome-space-lives-here`;
-      expect(getSpaceUrlContext(basePath)).toEqual('');
+      expect(getSpaceIdFromPath(basePath)).toEqual(DEFAULT_SPACE_ID);
     });
 
     test('it handles base url without a space url context', () => {
       const basePath = `/this/is/a/crazy/path/s`;
-      expect(getSpaceUrlContext(basePath)).toEqual('');
+      expect(getSpaceIdFromPath(basePath)).toEqual(DEFAULT_SPACE_ID);
     });
   });
 
   describe('with a serverBasePath defined', () => {
     test('it identifies the space url context', () => {
       const basePath = `/s/my-awesome-space-lives-here`;
-      expect(getSpaceUrlContext(basePath, '/')).toEqual('my-awesome-space-lives-here');
+      expect(getSpaceIdFromPath(basePath, '/')).toEqual('my-awesome-space-lives-here');
     });
 
     test('it identifies the space url context following the server base path', () => {
       const basePath = `/server-base-path-here/s/my-awesome-space-lives-here`;
-      expect(getSpaceUrlContext(basePath, '/server-base-path-here')).toEqual('my-awesome-space-lives-here');
+      expect(getSpaceIdFromPath(basePath, '/server-base-path-here')).toEqual('my-awesome-space-lives-here');
     });
 
     test('ignores space identifiers in the middle of the path', () => {
       const basePath = `/this/is/a/crazy/path/s/my-awesome-space-lives-here`;
-      expect(getSpaceUrlContext(basePath, '/this/is/a')).toEqual('');
+      expect(getSpaceIdFromPath(basePath, '/this/is/a')).toEqual(DEFAULT_SPACE_ID);
     });
 
     test('it handles base url without a space url context', () => {
       const basePath = `/this/is/a/crazy/path/s`;
-      expect(getSpaceUrlContext(basePath, basePath)).toEqual('');
+      expect(getSpaceIdFromPath(basePath, basePath)).toEqual(DEFAULT_SPACE_ID);
     });
   });
 });
 
-describe('addSpaceUrlContext', () => {
+describe('addSpaceIdToPath', () => {
   test('handles no parameters', () => {
-    expect(addSpaceUrlContext()).toEqual(`/`);
+    expect(addSpaceIdToPath()).toEqual(`/`);
   });
 
   test('it adds to the basePath correctly', () => {
-    expect(addSpaceUrlContext('/my/base/path', 'url-context')).toEqual('/my/base/path/s/url-context');
+    expect(addSpaceIdToPath('/my/base/path', 'url-context')).toEqual('/my/base/path/s/url-context');
   });
 
   test('it appends the requested path to the end of the url context', () => {
-    expect(addSpaceUrlContext('/base', 'context', '/final/destination')).toEqual('/base/s/context/final/destination');
+    expect(addSpaceIdToPath('/base', 'context', '/final/destination')).toEqual('/base/s/context/final/destination');
   });
 
   test('it throws an error when the requested path does not start with a slash', () => {
     expect(() => {
-      addSpaceUrlContext('', '', 'foo');
+      addSpaceIdToPath('', '', 'foo');
     }).toThrowErrorMatchingSnapshot();
   });
 });
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
index 60a60c01088ee5..740b444e65e695 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
@@ -6,13 +6,11 @@
 
 import Boom from 'boom';
 import { omit } from 'lodash';
-import { getClient } from '../../../../../../server/lib/get_client_shield';
 import { routePreCheckLicense } from '../../../lib/route_pre_check_license';
 import { spaceSchema } from '../../../lib/space_schema';
 import { wrapError } from '../../../lib/errors';
 import { isReservedSpace } from '../../../../common/is_reserved_space';
-import { createDuplicateContextQuery } from '../../../lib/check_duplicate_context';
-import { addSpaceUrlContext } from '../../../lib/spaces_url_parser';
+import { addSpaceIdToPath } from '../../../lib/spaces_url_parser';
 
 export function initSpacesApi(server) {
   const routePreCheckLicenseFn = routePreCheckLicense(server);
@@ -24,32 +22,6 @@ export function initSpacesApi(server) {
     };
   }
 
-  const callWithInternalUser = getClient(server).callWithInternalUser;
-
-  const config = server.config();
-
-  async function checkForDuplicateContext(space) {
-    const query = createDuplicateContextQuery(config.get('kibana.index'), space);
-
-    // TODO(legrego): Once the SOC is split into a client & repository, this "callWithInternalUser" call should
-    // be replaced to use the repository instead.
-    const { hits } = await callWithInternalUser('search', query);
-
-    const { total, hits: conflicts } = hits;
-
-    let error;
-
-    if (total > 0) {
-      const firstConflictName = conflicts[0]._source.space.name;
-
-      error = Boom.badRequest(
-        `Another Space (${firstConflictName}) already uses this URL Context. Please choose a different URL Context.`
-      );
-    }
-
-    return { error };
-  }
-
   server.route({
     method: 'GET',
     path: '/api/spaces/v1/spaces',
@@ -102,36 +74,21 @@ export function initSpacesApi(server) {
     async handler(request, reply) {
       const client = request.getSavedObjectsClient();
 
-      const {
-        overwrite = false
-      } = request.query;
-
       const space = omit(request.payload, ['id', '_reserved']);
 
-      const { error: contextError } = await checkForDuplicateContext(space);
+      const id = request.payload.id;
 
-      if (contextError) {
-        return reply(wrapError(contextError));
+      const existingSpace = await getSpaceById(client, id);
+      if (existingSpace) {
+        return reply(Boom.conflict(`A space with the identifier ${id} already exists. Please choose a different identifier`));
       }
 
-      const id = request.params.id;
-
-      let result;
       try {
-        const existingSpace = await getSpaceById(client, id);
-
-        // Reserved Spaces cannot have their _reserved or urlContext properties altered.
-        if (isReservedSpace(existingSpace)) {
-          space._reserved = true;
-          space.urlContext = existingSpace.urlContext;
-        }
-
-        result = await client.create('space', { ...space }, { id, overwrite });
+        return reply(await client.create('space', { ...space }, { id, overwrite: false }));
       } catch (error) {
         return reply(wrapError(error));
       }
 
-      return reply(convertSavedObjectToSpace(result));
     },
     config: {
       validate: {
@@ -147,22 +104,20 @@ export function initSpacesApi(server) {
     async handler(request, reply) {
       const client = request.getSavedObjectsClient();
 
-      const {
-        overwrite = false
-      } = request.query;
-
       const space = omit(request.payload, ['id']);
       const id = request.params.id;
 
-      const { error } = await checkForDuplicateContext({ ...space, id });
+      const existingSpace = await getSpaceById(client, id);
 
-      if (error) {
-        return reply(wrapError(error));
+      if (existingSpace) {
+        space._reserved = existingSpace._reserved;
+      } else {
+        return reply(Boom.notFound(`Unable to find space with ID ${id}`));
       }
 
       let result;
       try {
-        result = await client.create('space', { ...space }, { id, overwrite });
+        result = await client.update('space', id, { ...space });
       } catch (error) {
         return reply(wrapError(error));
       }
@@ -219,7 +174,7 @@ export function initSpacesApi(server) {
         const config = server.config();
 
         return reply({
-          location: addSpaceUrlContext(config.get('server.basePath'), existingSpace.urlContext, config.get('server.defaultRoute'))
+          location: addSpaceIdToPath(config.get('server.basePath'), existingSpace.id, config.get('server.defaultRoute'))
         });
 
       } catch (error) {
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js
index cd3910e5398731..fb957e4586343a 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js
@@ -24,22 +24,19 @@ jest.mock('../../../../../../server/lib/get_client_shield', () => {
 });
 
 const spaces = [{
-  id: 'space:a-space',
+  id: 'a-space',
   attributes: {
     name: 'a space',
-    urlContext: 'a-space',
   }
 }, {
-  id: 'space:b-space',
+  id: 'b-space',
   attributes: {
     name: 'b space',
-    urlContext: 'b-space',
   }
 }, {
-  id: 'space:default',
+  id: 'default',
   attributes: {
     name: 'Default Space',
-    urlContext: '',
     _reserved: true
   }
 }];
@@ -53,7 +50,13 @@ describe('Spaces API', () => {
   };
 
   beforeEach(() => {
-    request = async (method, path, setupFn = () => { }, testConfig = {}) => {
+    request = async (method, path, options = {}) => {
+
+      const {
+        setupFn = () => { },
+        testConfig = {},
+        payload,
+      } = options;
 
       const server = new Server();
 
@@ -78,27 +81,37 @@ describe('Spaces API', () => {
       server.decorate('request', 'setBasePath', jest.fn());
 
       // Mock server.getSavedObjectsClient()
-      server.decorate('request', 'getSavedObjectsClient', () => {
-        return {
-          get: jest.fn((type, id) => {
-            return spaces.filter(s => s.id === `${type}:${id}`)[0];
-          }),
-          find: jest.fn(() => {
-            return {
-              total: spaces.length,
-              saved_objects: spaces
-            };
-          }),
-          delete: jest.fn()
-        };
-      });
+      const mockSavedObjectsClient = {
+        get: jest.fn((type, id) => {
+          return spaces.filter(s => s.id === id)[0];
+        }),
+        find: jest.fn(() => {
+          return {
+            total: spaces.length,
+            saved_objects: spaces
+          };
+        }),
+        create: jest.fn(() => ({})),
+        update: jest.fn(() => ({})),
+        delete: jest.fn(),
+        errors: {
+          isNotFoundError: jest.fn(() => true)
+        }
+      };
+
+      server.decorate('request', 'getSavedObjectsClient', () => mockSavedObjectsClient);
 
       teardowns.push(() => server.stop());
 
-      return await server.inject({
-        method,
-        url: path,
-      });
+      return {
+        server,
+        mockSavedObjectsClient,
+        response: await server.inject({
+          method,
+          url: path,
+          payload,
+        })
+      };
     };
   });
 
@@ -107,7 +120,7 @@ describe('Spaces API', () => {
   });
 
   test(`'GET spaces' returns all available spaces`, async () => {
-    const response = await request('GET', '/api/spaces/v1/spaces');
+    const { response } = await request('GET', '/api/spaces/v1/spaces');
 
     const {
       statusCode,
@@ -120,7 +133,7 @@ describe('Spaces API', () => {
   });
 
   test(`'GET spaces/{id}' returns the space with that id`, async () => {
-    const response = await request('GET', '/api/spaces/v1/space/default');
+    const { response } = await request('GET', '/api/spaces/v1/space/default');
 
     const {
       statusCode,
@@ -129,11 +142,11 @@ describe('Spaces API', () => {
 
     expect(statusCode).toEqual(200);
     const resultSpace = JSON.parse(payload);
-    expect(resultSpace.id).toEqual('space:default');
+    expect(resultSpace.id).toEqual('default');
   });
 
   test(`'DELETE spaces/{id}' deletes the space`, async () => {
-    const response = await request('DELETE', '/api/spaces/v1/space/a-space');
+    const { response } = await request('DELETE', '/api/spaces/v1/space/a-space');
 
     const {
       statusCode
@@ -143,7 +156,7 @@ describe('Spaces API', () => {
   });
 
   test(`'DELETE spaces/{id}' cannot delete reserved spaces`, async () => {
-    const response = await request('DELETE', '/api/spaces/v1/space/default');
+    const { response } = await request('DELETE', '/api/spaces/v1/space/default');
 
     const {
       statusCode,
@@ -158,8 +171,84 @@ describe('Spaces API', () => {
     });
   });
 
+  test('POST /space should create a new space with the provided ID', async () => {
+    const payload = {
+      id: 'my-space-id',
+      name: 'my new space',
+      description: 'with a description',
+    };
+
+    const { mockSavedObjectsClient, response } = await request('POST', '/api/spaces/v1/space', { payload });
+
+    const {
+      statusCode,
+    } = response;
+
+    expect(statusCode).toEqual(200);
+    expect(mockSavedObjectsClient.create).toHaveBeenCalledTimes(1);
+    expect(mockSavedObjectsClient.create)
+      .toHaveBeenCalledWith('space', { name: 'my new space', description: 'with a description' }, { id: 'my-space-id', overwrite: false });
+  });
+
+  test('POST /space should not allow a space to be updated', async () => {
+    const payload = {
+      id: 'a-space',
+      name: 'my updated space',
+      description: 'with a description',
+    };
+
+    const { response } = await request('POST', '/api/spaces/v1/space', { payload });
+
+    const {
+      statusCode,
+      payload: responsePayload,
+    } = response;
+
+    expect(statusCode).toEqual(409);
+    expect(JSON.parse(responsePayload)).toEqual({
+      error: 'Conflict',
+      message: "A space with the identifier a-space already exists. Please choose a different identifier",
+      statusCode: 409
+    });
+  });
+
+  test('PUT /space should update an existing space with the provided ID', async () => {
+    const payload = {
+      id: 'a-space',
+      name: 'my updated space',
+      description: 'with a description',
+    };
+
+    const { mockSavedObjectsClient, response } = await request('PUT', '/api/spaces/v1/space/a-space', { payload });
+
+    const {
+      statusCode,
+    } = response;
+
+    expect(statusCode).toEqual(200);
+    expect(mockSavedObjectsClient.update).toHaveBeenCalledTimes(1);
+    expect(mockSavedObjectsClient.update)
+      .toHaveBeenCalledWith('space', 'a-space', { name: 'my updated space', description: 'with a description' });
+  });
+
+  test('PUT /space should not allow a new space to be created', async () => {
+    const payload = {
+      id: 'a-new-space',
+      name: 'my new space',
+      description: 'with a description',
+    };
+
+    const { response } = await request('PUT', '/api/spaces/v1/space/a-new-space', { payload });
+
+    const {
+      statusCode,
+    } = response;
+
+    expect(statusCode).toEqual(404);
+  });
+
   test('POST space/{id}/select should respond with the new space location', async () => {
-    const response = await request('POST', '/api/spaces/v1/space/a-space/select');
+    const { response } = await request('POST', '/api/spaces/v1/space/a-space/select');
 
     const {
       statusCode,
@@ -172,10 +261,12 @@ describe('Spaces API', () => {
     expect(result.location).toEqual('/s/a-space');
   });
 
-  test('POST space/{id}/select should respond with the new space location when a baseUrl is provided', async () => {
-    const response = await request('POST', '/api/spaces/v1/space/a-space/select', () => { }, {
+  test('POST space/{id}/select should respond with the new space location when a server.basePath is in use', async () => {
+    const testConfig = {
       'server.basePath': '/my/base/path'
-    });
+    };
+
+    const { response } = await request('POST', '/api/spaces/v1/space/a-space/select', { testConfig });
 
     const {
       statusCode,
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js b/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js
index 3d747051d8c432..37bd80f56a5c83 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js
@@ -106,15 +106,15 @@ export default function ({ getService }) {
       });
     };
 
-    const bulkGetTest = (description, { spaceId, urlContext, tests }) => {
+    const bulkGetTest = (description, { spaceId, tests, otherSpaceId = spaceId }) => {
       describe(description, () => {
         before(() => esArchiver.load('saved_objects/spaces'));
         after(() => esArchiver.unload('saved_objects/spaces'));
 
         it(`should return ${tests.default.statusCode}`, async () => {
           await supertest
-            .post(`${getUrlPrefix(urlContext)}/api/saved_objects/_bulk_get`)
-            .send(createBulkRequests(spaceId))
+            .post(`${getUrlPrefix(spaceId)}/api/saved_objects/_bulk_get`)
+            .send(createBulkRequests(otherSpaceId))
             .expect(tests.default.statusCode)
             .then(tests.default.response);
         });
@@ -133,11 +133,11 @@ export default function ({ getService }) {
 
     bulkGetTest(`objects within another space`, {
       ...SPACES.SPACE_1,
-      urlContext: SPACES.SPACE_2.urlContext,
+      otherSpaceId: SPACES.SPACE_2.spaceId,
       tests: {
         default: {
           statusCode: 200,
-          response: expectNotFoundResults(SPACES.SPACE_1.spaceId)
+          response: expectNotFoundResults(SPACES.SPACE_2.spaceId)
         },
       }
     });
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/create.js b/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
index 2eee219f739f6b..59f18c131b1eca 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
@@ -62,7 +62,6 @@ export default function ({ getService }) {
         version: 1,
         attributes: {
           name: 'My favorite space',
-          urlContext: 'my-favorite-space'
         }
       });
 
@@ -80,13 +79,13 @@ export default function ({ getService }) {
       expect(actualSpaceId).to.eql('**not defined**');
     };
 
-    const createTest = (description, { urlContext, tests }) => {
+    const createTest = (description, { spaceId, tests }) => {
       describe(description, () => {
         before(() => esArchiver.load('saved_objects/spaces'));
         after(() => esArchiver.unload('saved_objects/spaces'));
         it(`should return ${tests.spaceAware.statusCode} for a space-aware type`, async () => {
           await supertest
-            .post(`${getUrlPrefix(urlContext)}/api/saved_objects/visualization`)
+            .post(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization`)
             .send({
               attributes: {
                 title: 'My favorite vis'
@@ -98,11 +97,10 @@ export default function ({ getService }) {
 
         it(`should return ${tests.notSpaceAware.statusCode} for a non space-aware type`, async () => {
           await supertest
-            .post(`${getUrlPrefix(urlContext)}/api/saved_objects/space`)
+            .post(`${getUrlPrefix(spaceId)}/api/saved_objects/space`)
             .send({
               attributes: {
                 name: 'My favorite space',
-                urlContext: 'my-favorite-space'
               }
             })
             .expect(tests.notSpaceAware.statusCode)
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js b/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
index dc1efb057d4e7b..0e7b72a5553f25 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
@@ -26,28 +26,28 @@ export default function ({ getService }) {
       });
     };
 
-    const deleteTest = (description, { urlContext, spaceId, tests }) => {
+    const deleteTest = (description, { spaceId, tests }) => {
       describe(description, () => {
         before(() => esArchiver.load('saved_objects/spaces'));
         after(() => esArchiver.unload('saved_objects/spaces'));
 
         it(`should return ${tests.spaceAware.statusCode} when deleting a space-aware doc`, async () => (
           await supertest
-            .delete(`${getUrlPrefix(urlContext)}/api/saved_objects/dashboard/${getIdPrefix(spaceId)}be3733a0-9efe-11e7-acb3-3dab96693fab`)
+            .delete(`${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${getIdPrefix(spaceId)}be3733a0-9efe-11e7-acb3-3dab96693fab`)
             .expect(tests.spaceAware.statusCode)
             .then(tests.spaceAware.response)
         ));
 
         it(`should return ${tests.notSpaceAware.statusCode} when deleting a non-space-aware doc`, async () => (
           await supertest
-            .delete(`${getUrlPrefix(urlContext)}/api/saved_objects/space/space_2`)
+            .delete(`${getUrlPrefix(spaceId)}/api/saved_objects/space/space_2`)
             .expect(tests.notSpaceAware.statusCode)
             .then(tests.notSpaceAware.response)
         ));
 
         it(`should return ${tests.inOtherSpace.statusCode} when deleting a doc belonging to another space`, async () => {
           await supertest
-            .delete(`${getUrlPrefix(urlContext)}/api/saved_objects/dashboard/${getIdPrefix('space_2')}be3733a0-9efe-11e7-acb3-3dab96693fab`)
+            .delete(`${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${getIdPrefix('space_2')}be3733a0-9efe-11e7-acb3-3dab96693fab`)
             .expect(tests.inOtherSpace.statusCode)
             .then(tests.inOtherSpace.response);
         });
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/find.js b/x-pack/test/spaces_api_integration/apis/saved_objects/find.js
index 1daa2b2d04f4e0..01383433774ef9 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/find.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/find.js
@@ -106,14 +106,14 @@ export default function ({ getService }) {
       });
     };
 
-    const findTest = (description, { urlContext, tests }) => {
+    const findTest = (description, { spaceId, tests }) => {
       describe(description, () => {
         before(() => esArchiver.load('saved_objects/spaces'));
         after(() => esArchiver.unload('saved_objects/spaces'));
 
         it(`should return ${tests.normal.statusCode} with ${tests.normal.description}`, async () => (
           await supertest
-            .get(`${getUrlPrefix(urlContext)}/api/saved_objects/_find?type=visualization&fields=title`)
+            .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=visualization&fields=title`)
             .expect(tests.normal.statusCode)
             .then(tests.normal.response)
         ));
@@ -121,7 +121,7 @@ export default function ({ getService }) {
         describe('page beyond total', () => {
           it(`should return ${tests.pageBeyondTotal.statusCode} with ${tests.pageBeyondTotal.description}`, async () => (
             await supertest
-              .get(`${getUrlPrefix(urlContext)}/api/saved_objects/_find?type=visualization&page=100&per_page=100`)
+              .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=visualization&page=100&per_page=100`)
               .expect(tests.pageBeyondTotal.statusCode)
               .then(tests.pageBeyondTotal.response)
           ));
@@ -130,7 +130,7 @@ export default function ({ getService }) {
         describe('unknown search field', () => {
           it(`should return ${tests.unknownSearchField.statusCode} with ${tests.unknownSearchField.description}`, async () => (
             await supertest
-              .get(`${getUrlPrefix(urlContext)}/api/saved_objects/_find?type=wigwags&search_fields=a`)
+              .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=wigwags&search_fields=a`)
               .expect(tests.unknownSearchField.statusCode)
               .then(tests.unknownSearchField.response)
           ));
@@ -139,7 +139,7 @@ export default function ({ getService }) {
         describe('no type', () => {
           it(`should return ${tests.noType.statusCode} with ${tests.noType.description}`, async () => (
             await supertest
-              .get(`${getUrlPrefix(urlContext)}/api/saved_objects/_find`)
+              .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find`)
               .expect(tests.noType.statusCode)
               .then(tests.noType.response)
           ));
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/get.js b/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
index 2516752cbff17d..092b9ae499b5c2 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
@@ -51,14 +51,15 @@ export default function ({ getService }) {
       });
     };
 
-    const getTest = (description, { spaceId, urlContext = '', tests }) => {
+    const getTest = (description, { spaceId, tests, otherSpaceId = spaceId }) => {
       describe(description, () => {
         before(async () => esArchiver.load(`saved_objects/spaces`));
         after(async () => esArchiver.unload(`saved_objects/spaces`));
 
         it(`should return ${tests.exists.statusCode}`, async () => {
+          const objectId = `${getIdPrefix(otherSpaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`;
           return supertest
-            .get(`${getUrlPrefix(urlContext)}/api/saved_objects/visualization/${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`)
+            .get(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${objectId}`)
             .expect(tests.exists.statusCode)
             .then(tests.exists.response);
         });
@@ -77,7 +78,7 @@ export default function ({ getService }) {
 
     getTest(`cannot access objects belonging to a different space (space_1)`, {
       ...SPACES.SPACE_1,
-      urlContext: 'space-2',
+      otherSpaceId: SPACES.SPACE_2.spaceId,
       tests: {
         exists: {
           statusCode: 404,
@@ -98,7 +99,7 @@ export default function ({ getService }) {
 
     getTest(`cannot access objects belonging to a different space (default)`, {
       ...SPACES.DEFAULT,
-      urlContext: 'space-1',
+      otherSpaceId: SPACES.SPACE_1.spaceId,
       tests: {
         exists: {
           statusCode: 404,
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
index 186b75ccacf883..73df273c6e6e9f 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
@@ -4,17 +4,19 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export function getUrlPrefix(urlContext) {
-  return urlContext ? `/s/${urlContext}` : ``;
+import { DEFAULT_SPACE_ID } from '../../../../../plugins/spaces/common/constants';
+
+export function getUrlPrefix(spaceId) {
+  return spaceId && spaceId !== DEFAULT_SPACE_ID ? `/s/${spaceId}` : ``;
 }
 
 // Spaces do not actually prefix the ID, but this simplifies testing positive and negative flows.
 export function getIdPrefix(spaceId) {
-  return spaceId === 'default' ? '' : `${spaceId}-`;
+  return spaceId === DEFAULT_SPACE_ID ? '' : `${spaceId}-`;
 }
 
 export function getExpectedSpaceIdProperty(spaceId) {
-  if (spaceId === 'default') {
+  if (spaceId === DEFAULT_SPACE_ID) {
     return {};
   }
   return {
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/spaces.js b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/spaces.js
index f5cd9109c9a9e0..905b360c999497 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/spaces.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/spaces.js
@@ -7,14 +7,11 @@
 export const SPACES = {
   SPACE_1: {
     spaceId: 'space_1',
-    urlContext: 'space-1'
   },
   SPACE_2: {
     spaceId: 'space_2',
-    urlContext: 'space-2'
   },
   DEFAULT: {
     spaceId: 'default',
-    urlContext: ''
   }
 };
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/update.js b/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
index d87d03d9b7250e..409e4b9db549e5 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
@@ -53,13 +53,13 @@ export default function ({ getService }) {
       });
     };
 
-    const updateTest = (description, { urlContext, spaceId, tests }) => {
+    const updateTest = (description, { spaceId, tests }) => {
       describe(description, () => {
         before(() => esArchiver.load('saved_objects/spaces'));
         after(() => esArchiver.unload('saved_objects/spaces'));
         it(`should return ${tests.spaceAware.statusCode} for a space-aware doc`, async () => {
           await supertest
-            .put(`${getUrlPrefix(urlContext)}/api/saved_objects/visualization/${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`)
+            .put(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`)
             .send({
               attributes: {
                 title: 'My second favorite vis'
@@ -71,7 +71,7 @@ export default function ({ getService }) {
 
         it(`should return ${tests.notSpaceAware.statusCode} for a non space-aware doc`, async () => {
           await supertest
-            .put(`${getUrlPrefix(urlContext)}/api/saved_objects/space/space_1`)
+            .put(`${getUrlPrefix(spaceId)}/api/saved_objects/space/space_1`)
             .send({
               attributes: {
                 name: 'My second favorite space'
@@ -84,7 +84,7 @@ export default function ({ getService }) {
         it(`should return ${tests.inOtherSpace.statusCode} for a doc in another space`, async () => {
           const id = `${getIdPrefix('space_2')}dd7caf20-9efd-11e7-acb3-3dab96693fab`;
           await supertest
-            .put(`${getUrlPrefix(urlContext)}/api/saved_objects/visualization/${id}`)
+            .put(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${id}`)
             .send({
               attributes: {
                 title: 'My second favorite vis'
@@ -97,7 +97,7 @@ export default function ({ getService }) {
         describe('unknown id', () => {
           it(`should return ${tests.doesntExist.statusCode}`, async () => {
             await supertest
-              .put(`${getUrlPrefix(urlContext)}/api/saved_objects/visualization/not an id`)
+              .put(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization/not an id`)
               .send({
                 attributes: {
                   title: 'My second favorite vis'
diff --git a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/data.json.gz b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/data.json.gz
index 33586e3642245682fc862650efa6eabe1ca9bc8e..4c2d63913ebe0d2595f95f252d1ef79f0c448b30 100644
GIT binary patch
delta 2397
zcmYjRX*?9{9yRvuTE^JTWG`c>mq84fFwroU$q3o^m_m8ImKZzZE!!Y_*0EoPP)$;y
zvQ1$IV@X-EWPP(F$;GeVz4y!cpYwmtbDs0*DG*8)!k_t@le1sK;RX|nr(3X_n%~`k
z+e~YYlegzC0wdpF7h|*|ai({4Ew*7T`b)_3KN7EA;90G3`v6o8x&dsJ&+cdawI`$0
zn~7`puv~re+zBBE-Xe7w*$T_mP)Dvd{#6UP8@{q<VFW2G&WnX-f=KgMU6#yp61HE#
z#O`?rW#R=VeUSzuFc_QqS-_5wt^%@b1=`Ca2rF;<G5H0n;p8|kV-1rM@`CEW1@9Eq
zy;%JC<l(RV><wq$=NaD~ks=u#;@3sJ<Xh#AFosJ`f325D#@n#RE~IP?Jf;xxR+sTm
zQU`a4rP{7I547e<xpxW*^td*!h-Tn(wuMNn!t1O1;ZvuL)cx{SpGw}*@iMF}E^8)z
zvnmWrS{#^6*SN}3oRB0t7_ziztOQj*>f4b@x@d8fV$t>D>#+4BR-zkTEVGy1(?btL
zDZba36#v$!F$E@dJ$8qZ+fkwN!WltF8@Jko&6eR;h@011WexIx(-#IO2T3FXY^T!z
zKRrRG=<ftr;)l@+gzX+iLlIFm8`Y%J>;*WlUdaPKjCfiPqdmNqY3i49PVln1B4OEA
zDoIVwTHe>#2J4_LoE5*pYKi~+D!^OD%Sju4Bf(et-66ypTUm$5t7S7!F$M}C+4)qW
zR#eB3p14l}p>I_5cr}$p{BdYWJ}JC-AlY@@KEtAVT*AWXd-I^4TBN_IHD!}29VLaZ
zH9s)CYjBSG_I1qsJ;k(?z9QTbIGPJcT6W`!YI+vsrLui_$b99RSmB^X66;MCWEMX&
z75PrR`Ehpe!o|h<=9eteBUQ_h4o9P*6`awpV!EyBZ!F(n(N!5umbP~s*n5U|pH#0H
zLb&^EZH7PbZQCgSn#1GuIod%<An1}CLmR<&{Pbg#5|?|<5P-uN6UQZcEw;kS(F%1<
z4f46f+OvcM<Z3&>1cb@#YPp8AU&fk3*>`2a?D_Z|4Q<`vQ|o<mQllZF!6-Ji7Dip<
zuN<E~y*Oz@vUF)wpOKaq3@=qsm3{$&h~l{EYz|bM^N5DtEJ5h&+NB9$K!<!7r0gcn
z?|yXNe8x<8J7>;-n)&#>W)Q8vbAw5bneQ;S`5gPUjfXzf!*#nj0h(x8oxoLK*$V=9
z=_WJ+xC+b;bl5#1s)$cg>wAYQ{YtbZR}H&lR`nPOi0dz!zQzpRejgwh4au(ugt0n8
zx?bI58<lev*%j=F`-gKJR>iyNDUojSQem~+ibKIwOD5?~V9-x|Pn5y#c)l7Br-+IA
zVjip4Lj_q=6~;UZVk6E>FI`M`O1r7w4)N5~^%B_%P||*tADC`^^8$x+O=DyJ3}_SA
zCyR##vRgco4>QMWnN}&oZxNruf}h)d!O%O2%`hc9U=$SN6do4!$I5&ngSC5aho*&k
z9ggPP$W<|Y{Y&~wqmcox2_P^0{D9!s`%lG30vu-~`L0}FR3%Zm>ZyVe{%yf&mJ#$`
z<F>mmx0%LJGs7@i2nIaUidNZK$>$w9n9P|sPN(74t5mVA85dmC@}D7Q<Y#BMSo$R<
zVIq}~H85JJIMD6j=mEw_tDs2pFe<8P+MGmeXFbEYAsJW1l4n0c{KzUQVQ2Z3lIk%r
zT6k&D+hwP6`ayroeuGM}rPn%<pG^Y)e$XxuOC9?@pk$V{uj~2Zh5z>tox>dTRjrm;
zmj<Hn{l4=%Z+>(<EeEGY`JAP?nIU5X=<Svhg{EQW;W4{|)Gt$%1&|R~Y<2f12X-&Z
z+hsueS94D(`&JG?y0pP?IzFZF>;ed`_mOV)?D@-(VtL+xi<UUQcY3+;pE)G(Ln^ow
zV8mf%$GftyM&IUD-m5#&KYqvw&g5(6X3O}wQL+mN-ip4h>vXXXg>vHEFokxy4<?q4
z$J?L<&?Ye&;cYiJ{pJs1ipdT~Lc^BAgJE5A&DwQbS?w)yI@Y(hQ*NO-({M{YQ8fJL
zb|i(W>>@!@k@VlY^zZWL5w;8XNAVMj7Qt?I=$pHLj_zi%wOIV)GWN&-n~M38rqJd$
zrs;FP-ZXPqAafr$;O(DT3SZCVwilr^469o>5#bV1#XldiugGC5=GM^lWD}ylWRL@*
zZlhI`qo5nxKRlJVMjHO;Vsp0v-=W{S2FyezL<-#8jTHPapu0ArQ_H~nUs+Cn7y6pO
zdB_D$O*C>pi#oa!U!2zN77W>6q<$Kv_#zj*lj#}zW5NI(@4gC8c){AkLeB~1vHn~7
z3I}nigRw4!SW)ku#L=?g$vt{VAiT69GQ}7E22ItalXYs?g-5L^KXNBydsRaj6FH^3
z*4h)BizeS&ceNruUcuk@_>Lv^vNdc&MW6vs#8--3JN)zaruvJWJGJ%4zIEKihcXTp
z-xj>kxKmiE7ap0Y4L(A5HP0a#L*IUC7jLB6hJb>h)%X2HAN$tI5W@^1gH4aBMr=(e
zWeG5ib8|ivl9oUfxe>gdd<%WA*Q8q)qM)dFh%0hl*r`jX#UE|zq`NFZ^=vX_Bdt*U
zBD8}m-5yg*4@$UMYZ181g0+ZKw#pCu%}TiA)1U&?%w%DCn;3*}^26r1Q~59MQ#q}k
za3W*=3xFP+HQTK4xUq0DIGu2^2IQbltem;HGH!hL?a=t*on)v0+*QEF8B~i{jX~PP
zj7wI&4bn9c=Cp~49z6bA1Zok_3ylJUq_EOfZ0@2er6=u5xVzVfjv<Z2OjfH~K5~#L
zqyE8C2_oOtv_djt<^LbbFd5b57sWIQe+o)vD?)RtVKFG7_Xnx?>sk4m(Prq-bDHFz
z_n0abt^8&yL#_OnPnf#_mE&X{3uk_Dc^S5>d_)bQs3{&JbZkE~ETwg$K<6}LFhUeB
z?%&4WSD8~7WwdVPCIUtXE-iF=rjmVXy}&T8Axv*_>bC+b6+^;bN>|S-XXTHx{Cym$
zjY^vfPCZEn6qt>h$YkY*>Lh)dy@*1W(7M&^3~RVf8%&p9t|6Rp_AAS#Z?l-9Ltj=Z
pI@BGvIL-ebfNQw;n`p+$vE?*lw$l!?_A^^&V{$rEg8G=4{sRqYWwrnS

literal 2459
zcmYjLc{~%09~M$1$`~a%nlU*iCFg|9T*F+IbB>wSNUogA`;z-UHb;(;t;mogIdVjf
zy=3mDQjQ#vt6X`@ug~ZG{quaE=lML(_xlx%JAPbsT=6Cgo2&CZXL+nI{tnCXEie41
z%fS77M`za-ITzhjWuGFmWmBa%$n4)>4B;|cWF{s?J+&+qb^heudn1cf$?-(M75|VX
zUxE&J+9-N%ZK@YO9i+OjnK&G3nzTRV(;fK<VCk)!+Lo>{e<JivRq_;(BNC6h26YiG
zpZ6d|mBMC01!3^VWH`!RGD!S^JHtAB@+G!3E=~g!8-*@1E}5$@ZuTAg{_f)UciK&>
z%xc1wyJ7f=EM|_6pZRqQ^))lezoy*gcxKN_1obNGuPkX!sEB6}oEls-l&x%((lqzY
zI%{l9%A^Dhgipv&>I>c15d1Y%qR6nehe365akR+Y+u@1K(7U&<er-sq#_et~JyJE@
zu2J)gs%C>7$@h1qhJ#~KD?~El?5gZL!6&u4+ENJflx@L^In@rI9l?8Nx9qbLcR<<P
zyY0!w@^rd<lqEEXv_sE6c*o9kRx3psOKw?nCXpqeUk@7lYh56rT^PPFs_|ANWbowB
zOC}CWf?FPRwLe!`*`$Ss?nT~_F(fOPRxIb@D5wW+DRL(QQy}*9^Y4wS-y$7N4J9a$
zB0Y8`BB->OQ}ac<UP{4fb1P3K3dz?D(AbYT)^b+2=fxfWDy~6T@}x)+6=6ewTAj$|
zj{%9ra-Xx^V;EJ$b^mD9T8+1>7sXl&dExAZdCr~jrhWKomttBrCS+>=qpDLw9_=M)
z-ssJnj5r6AEkzeLh^Bu)e}r*qr3LHHSOYhJt?Zmb8<l^n+S<23fla!_L`I{cYMciT
z=UdiTX;JpvxMVk1Pso=ZAG+NPAsAK~Fx0s5GvOQjG)p8~OrdSv+d7UKyQimh*6OoY
z7%n+b@*vE`!)N_P3$Avtd@(Aj${S|KrI&AJyLA%TO7j-8gGlQ1LDfD)z_E%tu83rQ
z#BqdYPp9U&OR?M=5v=i@++sQa7d)H0pD^lgvWwHBqO6(KR!LWZ+Wqnh4Z5>jfX-tS
zQZcUS#@yDjZYhVJG!Vov3+gV7k3z5W^Sx&4Hb|cB1UW;s*vnEmxERHeo2ue&g9gbm
zd;||mG<zQ?X>X)aztYv;xotMBq`={)ChIDT>IS-}NNB(^VN;ctFnAM471AmMf^k}s
zmiM^51e-ZPIQiu{q2!<%7J_g6<o72EkCE*U`klo2y4kUT5!;q^eIXt*$Mjh4W2!hl
zAMp-4F1#*a%Nt=gc5{QLhs|kd3EG<G2|Le{RatjUBt2sMuiTzjGvBo1m|;saC41m0
z*+f^mGG~v1kzTTGRWvV46R-R?m<uNSeXBhBh=2s4v*X&)h$%4B5N2BPYH8fU(Qz}x
zvb7o#w>Q{&Mm03`vr^D&!po{5uvAu5;;32!YIEhB9f@C-Q(J%{uc@sm>_?9pzYxE&
zNYPw8HR5$Qu-#RMZ%a@qTx7>tm8+W({P7Hpp8XGcCt)$T{nh+*P3OIU>|u|NDUu}f
z(~!e+<&<S*r~45`C3w%XSZzw}%7j$reLwrC`OVu#cO~Fh;P-aw1Uy?o(8Rs~&*$TF
zKyXXIpG~s(zLi+YX;xpkf1pp1&*?WMg=tTX-<c(oL@X}kjw+4^G_Ec<Na|G_1Xl5i
z-|PSDVrQ=z(X|gR9G%BTv>TODp>Ai#T))%2rnJdP93YeY0)+M*fn)H+#zgeQNUm0&
zyW?hweL`>b_H)^MGq>|JtpUmn6@7L3+8!TsPqKPw7{c3I6(5%lGV8bXwxW-A^g)c$
zx7A$lyjKaCcl?rvwa%gaun~4WTD)e|RQVJ06%$>Y^t9tDjsjmT-`O&31VC2Yqz0PD
z-{c0@<+_vsBJJ}J3KufpF2!xXcC1xph)qFHgKDhGa*!$O<Xo5NuAB*SFGuY<$T_ex
z$R#PNFU?RWtl)HiTd6c{)N$fEus>Mew}+mL;w^io&G)UG_Ufsz`H9~0TgI1^4WIZu
zdrg=<_eQJ~(omt5#wTm*y-PHy9Il)Kw3Fs9ClXN_RBdTof`VuI$g!LWpU(5B=W;+(
zfg5XhxTm#+w8QM`wWLSQ_|c#lqxN(+w8&JKUuJ+AbzQ13u>oK&WNk?b&GVyQQ5FV;
zH}CCHxYD653N))H72{}E{nYft<USL{obs#OOwKM;ch%VKjLe{g)OQ1`>z~6fAw?+?
zc^LfN1SaX$MEnrzjnHT1R|8EQp3C-!j>*f2?CYzH?u;&?C*{TMP-DkZ+?j$$`f&qV
z`NgCr_e`Fcc&Xfn1CItiVpKu?MH`|X^V@;{^wBRIFwW!#dz3G|<EE)8A5=+*cNr5e
zjMLXgj7*^-8D74V@Han;(CF3bw1qZX97YpS7wRZ?tS${P(fH8cDTMCuc;d3ua6uaf
z)&}o;Q?cQw!p&YNLumn_{xjr6%gB3ov)zZB+$|VrLqW!L=d~GuE4od9rvZlR`N2~|
zTfsxVn(x&&qvx6q!d@<@U+A(^GkErWwe%DIlB{}uhKS}r;h(m@V%!XL9zW=*=h2C)
zI1438eV*dp4N|-9R|AwI6LpB%lPb?6RTIK*L$2c%rj3*&Mz*Duu6{8P-k_E_o}vD1
z_b~G*e6os+N!`$aXxbuIgfo(SF2EnioGN3b9nmjiB^)w!_#gI5YEfYYTpibwkw;mr
z#2k8f4kcLnP}cVH|Ca3k0e_voz(X4+fR$J+418$Y%9#IdI#tEUoSOW2dWT|wB8;&{
z7SQzzxjJ}k^#mT~nco*`^hFV10>{U0wM}vT@_VncXLTL+YG3jF*^U!ENri>rWlk-c
zs_Z*n)MI$`!65oit2wCff>`$d2b2t-AMjW)m?j@t{8sNMAOno_oc=QQE!F~X-kZY7
zTLR8}#9P2%N0_|i=S7$tvL*13!&$)SSQL*0ks~Ys(ke88OeB`I1bq1lKf>gx9^ufl
zFFo}BgMxawUz=ESe&vrs&41@xEn<F0kEEHTlg4<G29m6c7#%<%cE2B7C1C$n353Z~
z{M+`iyyD+Kw9fKvSsyO}JJ7}JH4+a`oc!NeB-UjYgTziZW|1&?*c~1+SmT2QK+fyW
pqrbX;n4ST)jZIc%u;+uciuo%&3THYg5bD2o(ujT8roV@U<zEvulm`F+

diff --git a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json
index 2e1a6d1f65fd91..9cca6b52a1caa9 100644
--- a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json
+++ b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json
@@ -44,9 +44,6 @@
                   }
                 }
               },
-              "urlContext": {
-                "type": "keyword"
-              },
               "description": {
                 "type": "text"
               },

From 3159a1570509ac777b4d34367f8438645f4b615f Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 30 Jul 2018 13:09:33 -0400
Subject: [PATCH 088/183] fix snapshot

---
 .../space_selector/__snapshots__/space_selector.test.js.snap   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
index debc9de08283d4..2d0f768c35777d 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
@@ -6,7 +6,8 @@ exports[`it renders without crashing 1`] = `
   style={undefined}
 >
   <div
-    className="euiPageBody"
+    className="euiPageBody euiPage--widthIsNotRestricted"
+    style={undefined}
   >
     <div
       className="euiPageHeader euiPageHeader--responsive spaceSelector__heading"

From 200725c2c7698ea371fc4504c2333bdfa1288b2d Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 30 Jul 2018 13:16:08 -0400
Subject: [PATCH 089/183] revert unnecessary changes from #18664

---
 src/server/config/complete.test.js | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/server/config/complete.test.js b/src/server/config/complete.test.js
index cff1de913e1de3..2a1620f4cbb2cd 100644
--- a/src/server/config/complete.test.js
+++ b/src/server/config/complete.test.js
@@ -59,15 +59,16 @@ describe('server/config completeMixin()', function () {
   };
 
   describe('server decoration', () => {
-    it('adds several server/request decorations', () => {
-      const { callCompleteMixin, server } = setup({
+    it('adds a config() function to the server', () => {
+      const { config, callCompleteMixin, server } = setup({
         settings: {},
         configValues: {}
       });
 
       callCompleteMixin();
-      sinon.assert.callCount(server.decorate, 2);
-      sinon.assert.calledWithExactly(server.decorate, 'server', 'config', sinon.match.func);
+      sinon.assert.calledOnce(server.decorate);
+      sinon.assert.calledWith(server.decorate, 'server', 'config', sinon.match.func);
+      expect(server.decorate.firstCall.args[2]()).toBe(config);
     });
   });
 

From 0a9b02758f63c1118fa7143f0d33023173d5c932 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Tue, 31 Jul 2018 10:32:02 -0400
Subject: [PATCH 090/183] yarn.lock update

---
 x-pack/yarn.lock | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/x-pack/yarn.lock b/x-pack/yarn.lock
index 80b673aa376ca4..001cfd120f60dc 100644
--- a/x-pack/yarn.lock
+++ b/x-pack/yarn.lock
@@ -6953,6 +6953,10 @@ safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@~5.1.0,
   version "5.1.1"
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
 
+"safer-buffer@>= 2.1.2 < 3":
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
+
 samsam@1.3.0:
   version "1.3.0"
   resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.3.0.tgz#8d1d9350e25622da30de3e44ba692b5221ab7c50"

From 69ab612df9c34ee93ea223adec35b175a33c9d6c Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Wed, 1 Aug 2018 15:10:11 -0400
Subject: [PATCH 091/183] [Spaces] - prepend space id to document id (#21372)

Saved Objects that are space-aware will have their space id appended to their document id. This is similar to how each object's type is part of their document id.


Objects that are not space-aware do not have their space id appended.

Objects that exist in the default space do not have their space id appended. This maintains backward compatibility.


### Motivation
Appending the space id greatly simplifies space-aware advanced settings, and it also simplifies importing/exporting objects between different spaces (by avoiding id conflicts).

### Tradeoffs
Once objects exist in a user-created space (i.e., not the default space), then the Spaces plugin should not be removed or disabled from the Kibana installation.
---
 x-pack/package.json                           |   1 +
 .../spaces_saved_objects_client.test.js.snap  |  36 +-
 .../spaces_saved_objects_client.js            |  68 +-
 .../spaces_saved_objects_client.test.js       | 873 +++++++++++++-----
 .../apis/saved_objects/create.js              |   4 +-
 .../apis/saved_objects/delete.js              |  23 +-
 .../apis/saved_objects/get.js                 |  17 +-
 .../saved_objects/lib/space_test_utils.js     |   1 -
 .../apis/saved_objects/update.js              |  17 +-
 .../saved_objects/spaces/data.json.gz         | Bin 2440 -> 2448 bytes
 .../saved_objects/spaces/mappings.json        |   2 +-
 11 files changed, 781 insertions(+), 261 deletions(-)

diff --git a/x-pack/package.json b/x-pack/package.json
index b49af4fd67a89f..d268e382bf5de0 100644
--- a/x-pack/package.json
+++ b/x-pack/package.json
@@ -73,6 +73,7 @@
     "tmp": "0.0.31",
     "tree-kill": "^1.1.0",
     "typescript": "^2.9.2",
+    "uuid": "3.0.1",
     "vinyl-fs": "^3.0.2",
     "xml-crypto": "^0.10.1",
     "xml2js": "^0.4.19",
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap b/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
index 861b170685f993..9bd6165f8d057c 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
@@ -1,13 +1,37 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`current space (space_1) #create #delete does not allow an object to be deleted via a different space 1`] = `"not found"`;
+exports[`current space (space_1) #bulk_create throws when the base client returns a malformed document id 1`] = `"Saved object [foo/mock-id] is missing its expected space identifier."`;
 
-exports[`current space (space_1) #create #update does not allow an object to be updated via a different space 1`] = `"not found"`;
+exports[`current space (space_1) #bulk_get throws when base client returns documents with malformed ids 1`] = `"Saved object [foo/object_1] is missing its expected space identifier."`;
 
-exports[`current space (space_1) #get returns error when the object belongs to a different space 1`] = `"not found"`;
+exports[`current space (space_1) #create throws when the base client returns a malformed document id 1`] = `"Saved object [foo/mock-id] is missing its expected space identifier."`;
 
-exports[`default space #delete does not allow an object to be deleted via a different space 1`] = `"not found"`;
+exports[`current space (space_1) #delete does not allow an object to be deleted via a different space 1`] = `"not found: foo space_1:object_2"`;
 
-exports[`default space #get returns error when the object belongs to a different space 1`] = `"not found"`;
+exports[`current space (space_1) #find throws when base client returns documents with malformed ids 1`] = `"Saved object [foo/object_1] is missing its expected space identifier."`;
 
-exports[`default space #update does not allow an object to be updated via a different space 1`] = `"not found"`;
+exports[`current space (space_1) #get returns error when the object belongs to a different space 1`] = `"not found: foo space_1:object_2"`;
+
+exports[`current space (space_1) #get returns error when the object has a malformed identifier 1`] = `"Saved object [foo/object_1] is missing its expected space identifier."`;
+
+exports[`current space (space_1) #update does not allow an object to be updated via a different space 1`] = `"not found: foo space_1:object_2"`;
+
+exports[`current space (space_1) #update throws when the base client returns a malformed document id 1`] = `"Saved object [foo/object_1] is missing its expected space identifier."`;
+
+exports[`default space #bulk_create throws when the base client returns a malformed document id 1`] = `"Saved object [foo/default:default] has an unexpected space identifier [default]."`;
+
+exports[`default space #bulk_get throws when the base client returns a malformed document id 1`] = `"Saved object [foo/default:default] has an unexpected space identifier [default]."`;
+
+exports[`default space #create throws when the base client returns a malformed document id 1`] = `"Saved object [foo/default:default] has an unexpected space identifier [default]."`;
+
+exports[`default space #delete does not allow an object to be deleted via a different space 1`] = `"not found: foo object_2"`;
+
+exports[`default space #find throws when the base client returns a malformed document id 1`] = `"Saved object [foo/default:default] has an unexpected space identifier [default]."`;
+
+exports[`default space #get returns error when the object belongs to a different space 1`] = `"not found: foo object_2"`;
+
+exports[`default space #get throws when the base client returns a malformed document id 1`] = `"Saved object [foo/default:default] has an unexpected space identifier [default]."`;
+
+exports[`default space #update does not allow an object to be updated via a different space 1`] = `"not found: foo object_2"`;
+
+exports[`default space #update throws when the base client returns a malformed document id 1`] = `"Saved object [space/default:default] has an unexpected space identifier [default]."`;
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
index 9fc4064723184a..c9fd34a60b6d8e 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
@@ -8,6 +8,7 @@ import { DEFAULT_SPACE_ID } from '../../../common/constants';
 import { isTypeSpaceAware } from './lib/is_type_space_aware';
 import { getSpacesQueryFilters } from './lib/query_filters';
 import uniq from 'lodash';
+import uuid from 'uuid';
 
 export class SpacesSavedObjectsClient {
   constructor(options) {
@@ -45,7 +46,8 @@ export class SpacesSavedObjectsClient {
       ...options,
       extraDocumentProperties: {
         ...options.extraDocumentProperties
-      }
+      },
+      id: this._prependSpaceId(type, options.id)
     };
 
     if (this._shouldAssignSpaceId(type, spaceId)) {
@@ -54,7 +56,8 @@ export class SpacesSavedObjectsClient {
       delete createOptions.extraDocumentProperties.spaceId;
     }
 
-    return await this._client.create(type, attributes, createOptions);
+    const result = await this._client.create(type, attributes, createOptions);
+    return this._trimSpaceId(result);
   }
 
   /**
@@ -73,7 +76,8 @@ export class SpacesSavedObjectsClient {
         ...object,
         extraDocumentProperties: {
           ...object.extraDocumentProperties
-        }
+        },
+        id: this._prependSpaceId(object.type, object.id)
       };
 
       if (this._shouldAssignSpaceId(object.type, spaceId)) {
@@ -85,7 +89,10 @@ export class SpacesSavedObjectsClient {
       return objectToCreate;
     });
 
-    return await this._client.bulkCreate(objectsToCreate, options);
+    const result = await this._client.bulkCreate(objectsToCreate, options);
+    result.saved_objects.forEach(this._trimSpaceId.bind(this));
+
+    return result;
   }
 
   /**
@@ -96,11 +103,13 @@ export class SpacesSavedObjectsClient {
    * @returns {promise}
    */
   async delete(type, id) {
+    const objectId = this._prependSpaceId(type, id);
+
     // attempt to retrieve document before deleting.
     // this ensures that the document belongs to the current space.
     await this.get(type, id);
 
-    return await this._client.delete(type, id);
+    return await this._client.delete(type, objectId);
   }
 
   /**
@@ -131,7 +140,9 @@ export class SpacesSavedObjectsClient {
 
     spaceOptions.filters = [...filters, ...getSpacesQueryFilters(spaceId, types)];
 
-    return await this._client.find({ ...options, ...spaceOptions });
+    const result = await this._client.find({ ...options, ...spaceOptions });
+    result.saved_objects.forEach(this._trimSpaceId.bind(this));
+    return result;
   }
 
   /**
@@ -154,13 +165,18 @@ export class SpacesSavedObjectsClient {
 
     const extraDocumentProperties = this._collectExtraDocumentProperties(['spaceId', 'type'], options.extraDocumentProperties);
 
-    const result = await this._client.bulkGet(objects, {
+    const objectsToRetrieve = objects.map(object => ({
+      ...object,
+      id: this._prependSpaceId(object.type, object.id)
+    }));
+
+    const result = await this._client.bulkGet(objectsToRetrieve, {
       ...options,
       extraDocumentProperties
     });
 
     result.saved_objects = result.saved_objects.map(savedObject => {
-      const { id, type, spaceId = DEFAULT_SPACE_ID } = savedObject;
+      const { id, type, spaceId = DEFAULT_SPACE_ID } = this._trimSpaceId(savedObject);
 
       if (isTypeSpaceAware(type)) {
         if (spaceId !== thisSpaceId) {
@@ -190,9 +206,11 @@ export class SpacesSavedObjectsClient {
   async get(type, id, options = {}) {
     // ES 'get' does not support queries, so we have to filter results after the fact.
 
+    const objectId = this._prependSpaceId(type, id);
+
     const extraDocumentProperties = this._collectExtraDocumentProperties(['spaceId'], options.extraDocumentProperties);
 
-    const response = await this._client.get(type, id, {
+    const response = await this._client.get(type, objectId, {
       ...options,
       extraDocumentProperties
     });
@@ -206,7 +224,7 @@ export class SpacesSavedObjectsClient {
       }
     }
 
-    return response;
+    return this._trimSpaceId(response);
   }
 
   /**
@@ -227,6 +245,8 @@ export class SpacesSavedObjectsClient {
       }
     };
 
+    const objectId = this._prependSpaceId(type, id);
+
     // attempt to retrieve document before updating.
     // this ensures that the document belongs to the current space.
     if (isTypeSpaceAware(type)) {
@@ -241,7 +261,8 @@ export class SpacesSavedObjectsClient {
       }
     }
 
-    return await this._client.update(type, id, attributes, updateOptions);
+    const result = await this._client.update(type, objectId, attributes, updateOptions);
+    return this._trimSpaceId(result);
   }
 
   _collectExtraDocumentProperties(thisClientProperties, optionalProperties = []) {
@@ -251,4 +272,29 @@ export class SpacesSavedObjectsClient {
   _shouldAssignSpaceId(type, spaceId) {
     return spaceId !== DEFAULT_SPACE_ID && isTypeSpaceAware(type);
   }
+
+  _prependSpaceId(type, id = uuid.v1()) {
+    if (this._spaceId === DEFAULT_SPACE_ID || !isTypeSpaceAware(type)) {
+      return id;
+    }
+    return `${this._spaceId}:${id}`;
+  }
+
+  _trimSpaceId(savedObject) {
+    const prefix = `${this._spaceId}:`;
+
+    const idHasPrefix = savedObject.id.startsWith(prefix);
+
+    if (this._shouldAssignSpaceId(savedObject.type, this._spaceId)) {
+      if (idHasPrefix) {
+        savedObject.id = savedObject.id.slice(prefix.length);
+      } else {
+        throw new Error(`Saved object [${savedObject.type}/${savedObject.id}] is missing its expected space identifier.`);
+      }
+    } else if (idHasPrefix) {
+      throw new Error(`Saved object [${savedObject.type}/${savedObject.id}] has an unexpected space identifier [${this._spaceId}].`);
+    }
+
+    return savedObject;
+  }
 }
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
index 7e9fab3116d70a..e7dbffa413c9e0 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
@@ -6,7 +6,12 @@
 
 import { SpacesSavedObjectsClient } from './spaces_saved_objects_client';
 import { createSpacesService } from '../create_spaces_service';
+
+jest.mock('uuid', () => ({
+  v1: jest.fn(() => `mock-id`)
+}));
 import { DEFAULT_SPACE_ID } from '../../../common/constants';
+import { cloneDeep } from 'lodash';
 
 const createObjectEntry = (type, id, spaceId) => ({
   [id]: {
@@ -18,11 +23,13 @@ const createObjectEntry = (type, id, spaceId) => ({
 
 const SAVED_OBJECTS = {
   ...createObjectEntry('foo', 'object_0'),
-  ...createObjectEntry('foo', 'object_1', 'space_1'),
-  ...createObjectEntry('foo', 'object_2', 'space_2'),
+  ...createObjectEntry('foo', 'space_1:object_1', 'space_1'),
+  ...createObjectEntry('foo', 'space_2:object_2', 'space_2'),
   ...createObjectEntry('space', 'space_1'),
 };
 
+const createSavedObjects = () => cloneDeep(SAVED_OBJECTS);
+
 const config = {
   'server.basePath': '/'
 };
@@ -39,14 +46,48 @@ const createMockRequest = (space) => ({
   getBasePath: () => space.id !== DEFAULT_SPACE_ID ? `/s/${space.id}` : '',
 });
 
-const createMockClient = (space) => {
+const createMockClient = (space, { mangleSpaceIdentifier = false } = {}) => {
+  const errors = {
+    createGenericNotFoundError: jest.fn((type, id) => {
+      return new Error(`not found: ${type} ${id}`);
+    })
+  };
+
+  const maybeTransformSavedObject = (savedObject) => {
+    if (!mangleSpaceIdentifier) {
+      return savedObject;
+    }
+    if (space.id === DEFAULT_SPACE_ID) {
+      savedObject.id = `default:${space.id}`;
+    } else {
+      savedObject.id = savedObject.id.split(':')[1];
+    }
+
+    return savedObject;
+  };
+
   return {
     get: jest.fn((type, id) => {
-      return SAVED_OBJECTS[id];
+      const result = createSavedObjects()[id];
+      if (!result) {
+        throw errors.createGenericNotFoundError(type, id);
+      }
+
+      return maybeTransformSavedObject(result);
     }),
     bulkGet: jest.fn((objects) => {
       return {
-        saved_objects: objects.map(object => SAVED_OBJECTS[object.id])
+        saved_objects: objects.map(object => {
+          const result = createSavedObjects()[object.id];
+          if (!result) {
+            return {
+              id: object.id,
+              type: object.type,
+              error: { statusCode: 404, message: 'Not found' }
+            };
+          }
+          return maybeTransformSavedObject(result);
+        })
       };
     }),
     find: jest.fn(({ type }) => {
@@ -56,19 +97,36 @@ const createMockClient = (space) => {
           saved_objects: [space]
         };
       }
+      const objects = createSavedObjects();
+      const result = Object.keys(objects)
+        .filter(key => objects[key].spaceId === space.id || (space.id === DEFAULT_SPACE_ID && !objects[key].spaceId))
+        .map(key => maybeTransformSavedObject(objects[key]));
+
+      return {
+        saved_objects: result
+      };
+    }),
+    create: jest.fn((type, attributes, options) => {
+      return maybeTransformSavedObject({
+        id: options.id || 'foo-id',
+        type,
+        attributes
+      });
+    }),
+    bulkCreate: jest.fn((objects) => {
       return {
-        saved_objects: []
+        saved_objects: cloneDeep(objects).map(maybeTransformSavedObject)
       };
     }),
-    create: jest.fn(),
-    bulkCreate: jest.fn(),
-    update: jest.fn(),
+    update: jest.fn((type, id, attributes) => {
+      return maybeTransformSavedObject({
+        id,
+        type,
+        attributes
+      });
+    }),
     delete: jest.fn(),
-    errors: {
-      createGenericNotFoundError: jest.fn(() => {
-        return new Error('not found');
-      })
-    }
+    errors,
   };
 };
 
@@ -97,7 +155,28 @@ describe('default space', () => {
 
       const result = await client.get(type, id, options);
 
-      expect(result).toBe(SAVED_OBJECTS[id]);
+      expect(result).toEqual(SAVED_OBJECTS[id]);
+    });
+
+    test(`does not append the space id to the document id`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const id = 'object_0';
+      const options = {};
+
+      await client.get(type, id, options);
+
+      expect(baseClient.get).toHaveBeenCalledWith(type, id, { extraDocumentProperties: ['spaceId'] });
     });
 
     test(`returns global objects that don't belong to a specific space`, async () => {
@@ -118,7 +197,7 @@ describe('default space', () => {
 
       const result = await client.get(type, id, options);
 
-      expect(result).toBe(SAVED_OBJECTS[id]);
+      expect(result).toEqual(SAVED_OBJECTS[id]);
     });
 
     test(`merges options.extraDocumentProperties`, async () => {
@@ -166,6 +245,25 @@ describe('default space', () => {
 
       await expect(client.get(type, id, options)).rejects.toThrowErrorMatchingSnapshot();
     });
+
+    test(`throws when the base client returns a malformed document id`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const id = 'object_0';
+      const options = {};
+
+      await expect(client.get(type, id, options)).rejects.toThrowErrorMatchingSnapshot();
+    });
   });
 
   describe('#bulk_get', () => {
@@ -208,6 +306,34 @@ describe('default space', () => {
       });
     });
 
+    test(`does not append the space id to the document id`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const options = {};
+
+      const objects = [{
+        type,
+        id: 'object_0'
+      }, {
+        type,
+        id: 'object_2'
+      }];
+
+      await client.bulkGet(objects, options);
+
+      expect(baseClient.bulkGet).toHaveBeenCalledWith(objects, { ...options, extraDocumentProperties: ["spaceId", "type"] });
+    });
+
     test(`returns global objects that don't belong to a specific space`, async () => {
       const request = createMockRequest(currentSpace);
       const baseClient = createMockClient(currentSpace);
@@ -274,6 +400,25 @@ describe('default space', () => {
         extraDocumentProperties: ['spaceId', 'type', 'otherSourceProp']
       });
     });
+
+    test(`throws when the base client returns a malformed document id`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const id = 'object_0';
+      const options = {};
+
+      await expect(client.bulkGet([{ type, id }], options)).rejects.toThrowErrorMatchingSnapshot();
+    });
   });
 
   describe('#find', () => {
@@ -382,6 +527,24 @@ describe('default space', () => {
         }]
       });
     });
+
+    test(`throws when the base client returns a malformed document id`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const options = { type };
+
+      await expect(client.find(options)).rejects.toThrowErrorMatchingSnapshot();
+    });
   });
 
   describe('#create', () => {
@@ -407,7 +570,7 @@ describe('default space', () => {
 
       await client.create(type, attributes);
 
-      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { extraDocumentProperties: {} });
+      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { extraDocumentProperties: {}, id: 'mock-id' });
     });
 
     test('does not assign a spaceId to space-aware objects belonging to the default space', async () => {
@@ -432,7 +595,28 @@ describe('default space', () => {
       await client.create(type, attributes);
 
       // called without extraDocumentProperties
-      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { extraDocumentProperties: {} });
+      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { extraDocumentProperties: {}, id: 'mock-id' });
+    });
+
+    test(`throws when the base client returns a malformed document id`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      await expect(client.create(type, attributes)).rejects.toThrowErrorMatchingSnapshot();
     });
   });
 
@@ -467,7 +651,8 @@ describe('default space', () => {
 
       const expectedCalledWithObjects = objects.map(object => ({
         ...object,
-        extraDocumentProperties: {}
+        extraDocumentProperties: {},
+        id: 'mock-id'
       }));
 
       expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
@@ -502,7 +687,7 @@ describe('default space', () => {
       await client.bulkCreate(objects, {});
 
       expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects.map(o => {
-        return { ...o, extraDocumentProperties: {} };
+        return { ...o, extraDocumentProperties: {}, id: 'mock-id' };
       }), {});
     });
 
@@ -537,11 +722,13 @@ describe('default space', () => {
       const expectedCalledWithObjects = [...objects];
       expectedCalledWithObjects[0] = {
         ...expectedCalledWithObjects[0],
-        extraDocumentProperties: {}
+        extraDocumentProperties: {},
+        id: 'mock-id'
       };
       expectedCalledWithObjects[1] = {
         ...expectedCalledWithObjects[1],
-        extraDocumentProperties: {}
+        extraDocumentProperties: {},
+        id: 'mock-id'
       };
 
       expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
@@ -578,9 +765,37 @@ describe('default space', () => {
       // called with empty extraDocumentProperties
       expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects.map(o => ({
         ...o,
-        extraDocumentProperties: {}
+        extraDocumentProperties: {},
+        id: 'mock-id'
       })), {});
     });
+
+    test(`throws when the base client returns a malformed document id`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+      const objects = [{
+        type: 'foo',
+        attributes
+      }, {
+        type: 'bar',
+        attributes
+      }];
+
+      await expect(client.bulkCreate(objects, {})).rejects.toThrowErrorMatchingSnapshot();
+    });
   });
 
   describe('#update', () => {
@@ -655,6 +870,28 @@ describe('default space', () => {
 
       await expect(client.update(type, id, attributes)).rejects.toThrowErrorMatchingSnapshot();
     });
+
+    test(`throws when the base client returns a malformed document id`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const id = 'space_1';
+      const type = 'space';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      await expect(client.update(type, id, attributes)).rejects.toThrowErrorMatchingSnapshot();
+    });
   });
 
   describe('#delete', () => {
@@ -745,7 +982,32 @@ describe('current space (space_1)', () => {
 
       const result = await client.get(type, id, options);
 
-      expect(result).toBe(SAVED_OBJECTS[id]);
+      expect(result).toEqual({
+        id,
+        type,
+        spaceId: currentSpace.id
+      });
+    });
+
+    test('appends the space id to the document id', async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const id = 'object_1';
+      const options = {};
+
+      await client.get(type, id, options);
+
+      expect(baseClient.get).toHaveBeenCalledWith(type, `${currentSpace.id}:${id}`, { ...options, extraDocumentProperties: ['spaceId'] });
     });
 
     test(`returns global objects that don't belong to a specific space`, async () => {
@@ -766,7 +1028,7 @@ describe('current space (space_1)', () => {
 
       const result = await client.get(type, id, options);
 
-      expect(result).toBe(SAVED_OBJECTS[id]);
+      expect(result).toEqual(SAVED_OBJECTS[id]);
     });
 
     test(`merges options.extraDocumentProperties`, async () => {
@@ -790,7 +1052,7 @@ describe('current space (space_1)', () => {
 
       await client.get(type, id, options);
 
-      expect(baseClient.get).toHaveBeenCalledWith(type, id, {
+      expect(baseClient.get).toHaveBeenCalledWith(type, `${currentSpace.id}:${id}`, {
         extraDocumentProperties: ['spaceId', 'otherSourceProp']
       });
     });
@@ -814,6 +1076,25 @@ describe('current space (space_1)', () => {
 
       await expect(client.get(type, id, options)).rejects.toThrowErrorMatchingSnapshot();
     });
+
+    test(`returns error when the object has a malformed identifier`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const id = 'object_1';
+      const options = {};
+
+      await expect(client.get(type, id, options)).rejects.toThrowErrorMatchingSnapshot();
+    });
   });
 
   describe('#bulk_get', () => {
@@ -857,6 +1138,35 @@ describe('current space (space_1)', () => {
       });
     });
 
+    test('appends the space id to the document id', async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const options = {};
+      const objects = [{
+        type,
+        id: 'object_1'
+      }, {
+        type,
+        id: 'object_2'
+      }];
+
+      await client.bulkGet(objects, options);
+
+      const expectedObjects = objects.map(o => ({ ...o, id: `${currentSpace.id}:${o.id}` }));
+      expect(baseClient.bulkGet)
+        .toHaveBeenCalledWith(expectedObjects, { ...options, extraDocumentProperties: ["spaceId", "type"] });
+    });
+
     test(`returns global objects that don't belong to a specific space`, async () => {
       const request = createMockRequest(currentSpace);
       const baseClient = createMockClient(currentSpace);
@@ -876,7 +1186,7 @@ describe('current space (space_1)', () => {
         type,
         id: 'object_1'
       }, {
-        type,
+        type: 'space',
         id: 'space_1'
       }], options);
 
@@ -920,14 +1230,44 @@ describe('current space (space_1)', () => {
 
       await client.bulkGet(objects, options);
 
-      expect(baseClient.bulkGet).toHaveBeenCalledWith(objects, {
+      const expectedCalledWithObjects = objects.map(object => {
+        const id = `${currentSpace.id}:${object.id}`;
+        return {
+          ...object,
+          id
+        };
+      });
+
+      expect(baseClient.bulkGet).toHaveBeenCalledWith(expectedCalledWithObjects, {
         extraDocumentProperties: ['spaceId', 'type', 'otherSourceProp']
       });
     });
-  });
-
-  describe('#find', () => {
-    test(`creates ES query filters restricting objects to the current space`, async () => {
+
+    test(`throws when base client returns documents with malformed ids`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const objects = [{
+        type,
+        id: 'object_1'
+      }];
+      const options = {};
+
+      await expect(client.bulkGet(objects, options)).rejects.toThrowErrorMatchingSnapshot();
+    });
+  });
+
+  describe('#find', () => {
+    test(`creates ES query filters restricting objects to the current space`, async () => {
 
       const request = createMockRequest(currentSpace);
       const baseClient = createMockClient(currentSpace);
@@ -1030,6 +1370,26 @@ describe('current space (space_1)', () => {
         }]
       });
     });
+
+    test(`throws when base client returns documents with malformed ids`, async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const type = 'foo';
+      const options = {
+        type,
+      };
+
+      await expect(client.find(options)).rejects.toThrowErrorMatchingSnapshot();
+    });
   });
 
   describe('#create', () => {
@@ -1055,6 +1415,7 @@ describe('current space (space_1)', () => {
       await client.create(type, attributes);
 
       expect(baseClient.create).toHaveBeenCalledWith(type, attributes, {
+        id: `${currentSpace.id}:mock-id`,
         extraDocumentProperties: {
           spaceId: 'space_1'
         }
@@ -1082,258 +1443,326 @@ describe('current space (space_1)', () => {
 
       await client.create(type, attributes);
 
-      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { extraDocumentProperties: {} });
+      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { extraDocumentProperties: {}, id: 'mock-id' });
     });
 
-    describe('#bulk_create', () => {
-      test('allows for bulk creation when all types are space-aware', async () => {
-
-        const request = createMockRequest(currentSpace);
-        const baseClient = createMockClient(currentSpace);
-        const spacesService = createSpacesService(server);
+    test('throws when the base client returns a malformed document id', async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
+      const spacesService = createSpacesService(server);
 
-        const client = new SpacesSavedObjectsClient({
-          request,
-          baseClient,
-          spacesService,
-          types: [],
-        });
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
 
+      const type = 'foo';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
 
-        const attributes = {
-          prop1: 'value 1',
-          prop2: 'value 2'
-        };
-        const objects = [{
-          type: 'foo',
-          attributes
-        }, {
-          type: 'bar',
-          attributes
-        }];
+      await expect(client.create(type, attributes)).rejects.toThrowErrorMatchingSnapshot();
+    });
+  });
 
-        await client.bulkCreate(objects, {});
+  describe('#bulk_create', () => {
+    test('allows for bulk creation when all types are space-aware', async () => {
 
-        const expectedCalledWithObjects = objects.map(object => ({
-          ...object,
-          extraDocumentProperties: {
-            spaceId: 'space_1'
-          }
-        }));
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
 
-        expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
       });
 
-      test('allows for bulk creation when all types are not space-aware', async () => {
 
-        const request = createMockRequest(currentSpace);
-        const baseClient = createMockClient(currentSpace);
-        const spacesService = createSpacesService(server);
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+      const objects = [{
+        type: 'foo',
+        attributes
+      }, {
+        type: 'bar',
+        attributes
+      }];
 
-        const client = new SpacesSavedObjectsClient({
-          request,
-          baseClient,
-          spacesService,
-          types: [],
-        });
+      await client.bulkCreate(objects, {});
 
-        const attributes = {
-          prop1: 'value 1',
-          prop2: 'value 2'
-        };
+      const expectedCalledWithObjects = objects.map(object => ({
+        ...object,
+        extraDocumentProperties: {
+          spaceId: 'space_1'
+        },
+        id: `${currentSpace.id}:mock-id`
+      }));
 
-        const objects = [{
-          type: 'space',
-          attributes
-        }, {
-          type: 'space',
-          attributes
-        }];
+      expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
+    });
 
-        await client.bulkCreate(objects, {});
+    test('allows for bulk creation when all types are not space-aware', async () => {
 
-        expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects.map(o => {
-          return { ...o, extraDocumentProperties: {} };
-        }), {});
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
       });
 
-      test('allows space-aware and non-space-aware (global) objects to be created at the same time', async () => {
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      const objects = [{
+        type: 'space',
+        attributes
+      }, {
+        type: 'space',
+        attributes
+      }];
+
+      await client.bulkCreate(objects, {});
 
-        const request = createMockRequest(currentSpace);
-        const baseClient = createMockClient(currentSpace);
-        const spacesService = createSpacesService(server);
+      expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects.map(o => {
+        return { ...o, extraDocumentProperties: {}, id: 'mock-id' };
+      }), {});
+    });
 
-        const client = new SpacesSavedObjectsClient({
-          request,
-          baseClient,
-          spacesService,
-          types: [],
-        });
+    test('allows space-aware and non-space-aware (global) objects to be created at the same time', async () => {
 
-        const attributes = {
-          prop1: 'value 1',
-          prop2: 'value 2'
-        };
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
 
-        const objects = [{
-          type: 'space',
-          attributes
-        }, {
-          type: 'foo',
-          attributes
-        }];
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
 
-        await client.bulkCreate(objects, {});
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
 
-        const expectedCalledWithObjects = [...objects];
-        expectedCalledWithObjects[0] = {
-          ...expectedCalledWithObjects[0],
-          extraDocumentProperties: {}
-        };
-        expectedCalledWithObjects[1] = {
-          ...expectedCalledWithObjects[1],
-          extraDocumentProperties: {
-            spaceId: 'space_1'
-          }
-        };
+      const objects = [{
+        type: 'space',
+        attributes
+      }, {
+        type: 'foo',
+        attributes
+      }];
 
-        expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
+      await client.bulkCreate(objects, {});
+
+      const expectedCalledWithObjects = [...objects];
+      expectedCalledWithObjects[0] = {
+        ...expectedCalledWithObjects[0],
+        extraDocumentProperties: {},
+        id: 'mock-id'
+      };
+      expectedCalledWithObjects[1] = {
+        ...expectedCalledWithObjects[1],
+        extraDocumentProperties: {
+          spaceId: 'space_1'
+        },
+        id: `${currentSpace.id}:mock-id`
+      };
+
+      expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
+    });
+
+    test('throws when the base client returns a malformed document id', async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
       });
+
+      const type = 'foo';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      await expect(client.bulkCreate([{ type, attributes }])).rejects.toThrowErrorMatchingSnapshot();
     });
+  });
 
-    describe('#update', () => {
-      test('allows an object to be updated if it exists in the same space', async () => {
-
-        const request = createMockRequest(currentSpace);
-        const baseClient = createMockClient(currentSpace);
-        const spacesService = createSpacesService(server);
-
-        const client = new SpacesSavedObjectsClient({
-          request,
-          baseClient,
-          spacesService,
-          types: [],
-        });
-
-        const id = 'object_1';
-        const type = 'foo';
-        const attributes = {
-          prop1: 'value 1',
-          prop2: 'value 2'
-        };
+  describe('#update', () => {
+    test('allows an object to be updated if it exists in the same space', async () => {
 
-        await client.update(type, id, attributes);
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
 
-        expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, { extraDocumentProperties: { spaceId: 'space_1' } });
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
       });
 
-      test('allows a global object to be updated', async () => {
-        const request = createMockRequest(currentSpace);
-        const baseClient = createMockClient(currentSpace);
-        const spacesService = createSpacesService(server);
+      const id = 'object_1';
+      const type = 'foo';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
 
-        const client = new SpacesSavedObjectsClient({
-          request,
-          baseClient,
-          spacesService,
-          types: [],
-        });
+      await client.update(type, id, attributes);
 
-        const id = 'space_1';
-        const type = 'space';
-        const attributes = {
-          prop1: 'value 1',
-          prop2: 'value 2'
-        };
+      expect(baseClient.update)
+        .toHaveBeenCalledWith(type, `${currentSpace.id}:${id}`, attributes, { extraDocumentProperties: { spaceId: 'space_1' } });
+    });
 
-        await client.update(type, id, attributes);
+    test('allows a global object to be updated', async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
 
-        expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, { extraDocumentProperties: {} });
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
       });
 
-      test('does not allow an object to be updated via a different space', async () => {
+      const id = 'space_1';
+      const type = 'space';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      await client.update(type, id, attributes);
 
-        const request = createMockRequest(currentSpace);
-        const baseClient = createMockClient(currentSpace);
-        const spacesService = createSpacesService(server);
+      expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, { extraDocumentProperties: {} });
+    });
 
-        const client = new SpacesSavedObjectsClient({
-          request,
-          baseClient,
-          spacesService,
-          types: [],
-        });
+    test('does not allow an object to be updated via a different space', async () => {
 
-        const id = 'object_2';
-        const type = 'foo';
-        const attributes = {
-          prop1: 'value 1',
-          prop2: 'value 2'
-        };
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
 
-        await expect(client.update(type, id, attributes)).rejects.toThrowErrorMatchingSnapshot();
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
       });
+
+      const id = 'object_2';
+      const type = 'foo';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
+
+      await expect(client.update(type, id, attributes)).rejects.toThrowErrorMatchingSnapshot();
     });
 
-    describe('#delete', () => {
-      test('allows an object to be deleted if it exists in the same space', async () => {
-        const request = createMockRequest(currentSpace);
-        const baseClient = createMockClient(currentSpace);
-        const spacesService = createSpacesService(server);
+    test('throws when the base client returns a malformed document id', async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
+      const spacesService = createSpacesService(server);
 
-        const client = new SpacesSavedObjectsClient({
-          request,
-          baseClient,
-          spacesService,
-          types: [],
-        });
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
+      });
+
+      const id = 'object_1';
+      const type = 'foo';
+      const attributes = {
+        prop1: 'value 1',
+        prop2: 'value 2'
+      };
 
-        const id = 'object_1';
-        const type = 'foo';
+      await expect(client.update(type, id, attributes)).rejects.toThrowErrorMatchingSnapshot();
+    });
+  });
 
-        await client.delete(type, id);
+  describe('#delete', () => {
+    test('allows an object to be deleted if it exists in the same space', async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
 
-        expect(baseClient.delete).toHaveBeenCalledWith(type, id);
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
       });
 
-      test('allows a global object to be deleted', async () => {
-        const request = createMockRequest(currentSpace);
-        const baseClient = createMockClient(currentSpace);
-        const spacesService = createSpacesService(server);
+      const id = 'object_1';
+      const type = 'foo';
 
-        const client = new SpacesSavedObjectsClient({
-          request,
-          baseClient,
-          spacesService,
-          types: [],
-        });
+      await client.delete(type, id);
 
-        const id = 'space_1';
-        const type = 'space';
+      expect(baseClient.delete).toHaveBeenCalledWith(type, `${currentSpace.id}:${id}`);
+    });
 
-        await client.delete(type, id);
+    test('allows a global object to be deleted', async () => {
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
 
-        expect(baseClient.delete).toHaveBeenCalledWith(type, id);
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
       });
 
-      test('does not allow an object to be deleted via a different space', async () => {
+      const id = 'space_1';
+      const type = 'space';
 
-        const request = createMockRequest(currentSpace);
-        const baseClient = createMockClient(currentSpace);
-        const spacesService = createSpacesService(server);
+      await client.delete(type, id);
 
-        const client = new SpacesSavedObjectsClient({
-          request,
-          baseClient,
-          spacesService,
-          types: [],
-        });
+      expect(baseClient.delete).toHaveBeenCalledWith(type, id);
+    });
 
-        const id = 'object_2';
-        const type = 'foo';
+    test('does not allow an object to be deleted via a different space', async () => {
 
-        await expect(client.delete(type, id)).rejects.toThrowErrorMatchingSnapshot();
+      const request = createMockRequest(currentSpace);
+      const baseClient = createMockClient(currentSpace);
+      const spacesService = createSpacesService(server);
+
+      const client = new SpacesSavedObjectsClient({
+        request,
+        baseClient,
+        spacesService,
+        types: [],
       });
+
+      const id = 'object_2';
+      const type = 'foo';
+
+      await expect(client.delete(type, id)).rejects.toThrowErrorMatchingSnapshot();
     });
   });
 });
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/create.js b/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
index 59f18c131b1eca..14d6ba54de2e86 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
@@ -31,9 +31,11 @@ export default function ({ getService }) {
         }
       });
 
+      const expectedDocumentId = spaceId === DEFAULT_SPACE_ID ? resp.body.id : `${spaceId}:${resp.body.id}`;
+
       // query ES directory to assert on space id
       const { _source } = await es.get({
-        id: `visualization:${resp.body.id}`,
+        id: `visualization:${expectedDocumentId}`,
         type: 'doc',
         index: '.kibana'
       });
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js b/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
index 0e7b72a5553f25..fe3cb7bb2be06f 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
@@ -7,6 +7,7 @@
 import expect from 'expect.js';
 import { SPACES } from './lib/spaces';
 import { getUrlPrefix, getIdPrefix } from './lib/space_test_utils';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
 
 export default function ({ getService }) {
   const supertest = getService('supertest');
@@ -14,15 +15,15 @@ export default function ({ getService }) {
 
   describe('delete', () => {
 
-    const expectEmpty = (resp) => {
+    const expectEmpty = () => (resp) => {
       expect(resp.body).to.eql({});
     };
 
-    const expectNotFound = (resp) => {
+    const expectNotFound = (type, id) => (resp) => {
       expect(resp.body).to.eql({
         statusCode: 404,
         error: 'Not Found',
-        message: 'Not Found'
+        message: `Saved object [${type}/${id}] not found`
       });
     };
 
@@ -35,21 +36,29 @@ export default function ({ getService }) {
           await supertest
             .delete(`${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${getIdPrefix(spaceId)}be3733a0-9efe-11e7-acb3-3dab96693fab`)
             .expect(tests.spaceAware.statusCode)
-            .then(tests.spaceAware.response)
+            .then(tests.spaceAware.response())
         ));
 
         it(`should return ${tests.notSpaceAware.statusCode} when deleting a non-space-aware doc`, async () => (
           await supertest
             .delete(`${getUrlPrefix(spaceId)}/api/saved_objects/space/space_2`)
             .expect(tests.notSpaceAware.statusCode)
-            .then(tests.notSpaceAware.response)
+            .then(tests.notSpaceAware.response())
         ));
 
         it(`should return ${tests.inOtherSpace.statusCode} when deleting a doc belonging to another space`, async () => {
+          const documentId = `${getIdPrefix('space_2')}be3733a0-9efe-11e7-acb3-3dab96693fab`;
+
+          let expectedObjectId = documentId;
+
+          if (spaceId !== DEFAULT_SPACE_ID) {
+            expectedObjectId = `${spaceId}:${expectedObjectId}`;
+          }
+
           await supertest
-            .delete(`${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${getIdPrefix('space_2')}be3733a0-9efe-11e7-acb3-3dab96693fab`)
+            .delete(`${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${documentId}`)
             .expect(tests.inOtherSpace.statusCode)
-            .then(tests.inOtherSpace.response);
+            .then(tests.inOtherSpace.response('dashboard', expectedObjectId));
         });
       });
     };
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/get.js b/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
index 092b9ae499b5c2..6a8e21e9b5c999 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
@@ -7,6 +7,7 @@
 import expect from 'expect.js';
 import { getIdPrefix, getUrlPrefix } from './lib/space_test_utils';
 import { SPACES } from './lib/spaces';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
 
 export default function ({ getService }) {
   const supertest = getService('supertest');
@@ -14,7 +15,7 @@ export default function ({ getService }) {
 
   describe('get', () => {
 
-    const expectResults = (spaceId) => (resp) => {
+    const expectResults = (spaceId) => () => (resp) => {
 
       // The default space does not assign a space id.
       const expectedSpaceId = spaceId === 'default' ? undefined : spaceId;
@@ -43,10 +44,10 @@ export default function ({ getService }) {
       expect(resp.body).to.eql(expectedBody);
     };
 
-    const expectNotFound = (resp) => {
+    const expectNotFound = (type, id) => (resp) => {
       expect(resp.body).to.eql({
         error: 'Not Found',
-        message: 'Not Found',
+        message: `Saved object [${type}/${id}] not found`,
         statusCode: 404,
       });
     };
@@ -58,10 +59,18 @@ export default function ({ getService }) {
 
         it(`should return ${tests.exists.statusCode}`, async () => {
           const objectId = `${getIdPrefix(otherSpaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`;
+
+          let expectedObjectId = objectId;
+          const testingMismatchedSpaces = spaceId !== otherSpaceId;
+
+          if (testingMismatchedSpaces && spaceId !== DEFAULT_SPACE_ID) {
+            expectedObjectId = `${spaceId}:${expectedObjectId}`;
+          }
+
           return supertest
             .get(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${objectId}`)
             .expect(tests.exists.statusCode)
-            .then(tests.exists.response);
+            .then(tests.exists.response('visualization', expectedObjectId));
         });
       });
     };
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
index 73df273c6e6e9f..fab201a5b3c003 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
@@ -10,7 +10,6 @@ export function getUrlPrefix(spaceId) {
   return spaceId && spaceId !== DEFAULT_SPACE_ID ? `/s/${spaceId}` : ``;
 }
 
-// Spaces do not actually prefix the ID, but this simplifies testing positive and negative flows.
 export function getIdPrefix(spaceId) {
   return spaceId === DEFAULT_SPACE_ID ? '' : `${spaceId}-`;
 }
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/update.js b/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
index 409e4b9db549e5..3aea0aadde82e2 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
@@ -7,13 +7,14 @@
 import expect from 'expect.js';
 import { SPACES } from './lib/spaces';
 import { getUrlPrefix, getIdPrefix } from './lib/space_test_utils';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
 
 export default function ({ getService }) {
   const supertest = getService('supertest');
   const esArchiver = getService('esArchiver');
 
   describe('update', () => {
-    const expectSpaceAwareResults = resp => {
+    const expectSpaceAwareResults = () => resp => {
 
       // loose ISO8601 UTC time with milliseconds validation
       expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
@@ -29,7 +30,7 @@ export default function ({ getService }) {
       });
     };
 
-    const expectNonSpaceAwareResults = resp => {
+    const expectNonSpaceAwareResults = () => resp => {
 
       // loose ISO8601 UTC time with milliseconds validation
       expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
@@ -45,11 +46,11 @@ export default function ({ getService }) {
       });
     };
 
-    const expectNotFound = resp => {
+    const expectNotFound = (type, id) => resp => {
       expect(resp.body).eql({
         statusCode: 404,
         error: 'Not Found',
-        message: 'Not Found'
+        message: `Saved object [${type}/${id}] not found`
       });
     };
 
@@ -66,7 +67,7 @@ export default function ({ getService }) {
               }
             })
             .expect(tests.spaceAware.statusCode)
-            .then(tests.spaceAware.response);
+            .then(tests.spaceAware.response());
         });
 
         it(`should return ${tests.notSpaceAware.statusCode} for a non space-aware doc`, async () => {
@@ -78,7 +79,7 @@ export default function ({ getService }) {
               }
             })
             .expect(tests.notSpaceAware.statusCode)
-            .then(tests.notSpaceAware.response);
+            .then(tests.notSpaceAware.response());
         });
 
         it(`should return ${tests.inOtherSpace.statusCode} for a doc in another space`, async () => {
@@ -91,7 +92,7 @@ export default function ({ getService }) {
               }
             })
             .expect(tests.inOtherSpace.statusCode)
-            .then(tests.inOtherSpace.response);
+            .then(tests.inOtherSpace.response(`visualization`, `${spaceId === DEFAULT_SPACE_ID ? '' : (spaceId + ':')}${id}`));
         });
 
         describe('unknown id', () => {
@@ -104,7 +105,7 @@ export default function ({ getService }) {
                 }
               })
               .expect(tests.doesntExist.statusCode)
-              .then(tests.doesntExist.response);
+              .then(tests.doesntExist.response(`visualization`, `${spaceId === DEFAULT_SPACE_ID ? '' : (spaceId + ':')}not an id`));
           });
         });
       });
diff --git a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/data.json.gz b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/data.json.gz
index 4c2d63913ebe0d2595f95f252d1ef79f0c448b30..0be0d4c12010a325540585af33a8a1f8cc877883 100644
GIT binary patch
delta 2240
zcmYjLc_0(~A9gdW$=vUp*_eBU5Hi=?O~}<DXR*R7bETQ1n0goHzG=mVT)n;IKEiUR
z*l$TG5f(z4^M~L2$M2u#`#jI*^Lf5cGWao=S2mT8Pb<bVjn|r^9GrHMj5`={@K;j0
z5aT<se;x}OsPL<wzuiAa0#rs5XnDhCq2Hv7&IFqcD*_|MWC+@f(qb^VqJLL)G7K`S
zx2I|V+^Mle#R}Wq-@9%Fa}^hN?S|(Xj$i@?+lNCUa!$M@RQ7yS`JCo#{(7(dCH;~b
zc}2p$>%u$2uCL9VZtdW+xcofW_{72fogmkhUlZ*{d)8+&701N`USb{oc2?=E@6Y0H
z=_hI2*;tvYA4gwvuvVyqmzi@RauuJJheDbknx~bVbac5n?Ti*~0~_uo@wVqCk;12!
zF`{L7xvdy;m&_UtKZ=+ZT-e$~L{hKzcje2=;%Rkwvrm!@t6CFPIJc@gom+Y#z8$^s
zO#v1LrQSh$;h*2=uK%-9eZ`#F#c84v%I1z>3JmR)=*bH3rmyE3s;ETNmqxI`ta6?{
zQ2*VzxSd%y%4>0^^1}5H-4TfJ6QGErF`u5e{G0yqOXHbe3L0n}pg6nYr&~AoJinwV
zu<`H;o7LSW2Ll&s-EgPkeM1p5ON3i*9$Rvz6!vy6eJ-Q75o<g(NJ*T5WRo6NqTdXg
zK16_bT!pNd>~6^m5wZrtlI;NLrlCl<eN$v&f@K<B1|8>);ItY|oMOb$r+HlDD<!5L
zeD%{e3<0<&F+*Od62sgWS4QEYB7^?Vf3ZA^;Om0%e7*6w#BDf;P8tir6q$BKvazI}
zL?Ntm9unCpPw*U@3tmPJR*oCztVB~f8Y&SS{^_WDOVbK&r(bDZUmv)L);wtAT;<c-
z@S&ASj5<Bq)Fa}@V#FvC#-(B~j4{;dj^L6=8;>GJgE=qpII58iANJ487FF{Zx;uWz
zOJ2C2D-ahM$8y>lyc;mbYt9yZqn_vM$&e^P-gQwoVx0RFYU2d$l-JvW(;XQ%O=Q@!
zYl)`Pq&Rvagx1-+b|AX5H{}!5tS09M87K%4CSA!&maFs40I{`#G}cVK7eZz_G<?|S
z6!5GbQ|`ErFe57yOL8Y9lHAr7c+aV$0iL=$hU<{ji%tKEpvx83EH~PJ8y{Ws$hCDj
zaG;Gp@v{D1X%+r`j@4U{@rOTHXlBxhp$u5k(Qomomjmo1<g}mI(}HmOF1Bi+s?L1#
zw`&iL4c3#mQus3G$B705)N(a_+{l>eq6DT7v%lrMtQu?k7R|5@zdNa0H$e?LZN3uh
ziAx6~FE%t4UwUWRb+_rpB1ddSa%vw)EeP}0jTGG&p=}@8mBc(aYZFe#VBc@-usX44
zas#nek3z0?`_3@Cs4<yBP5WO4j1xz7z%?S8=l#+V?ZJZB6TbfT#S<0Zd|*;dELz`$
zlCNn-;QQ(88$`9*qW2NfeT~)nv3WynxJBDne`E)&d%7DI(?0mbmN>l#Bw!2XSkPvc
zt^YHslT4PMq&VEVD8KF#rQrEmu2YusdU*fc*vZvW92rER-}3Km_fS%m$h@}rXfq}Z
zbq=yO>`>61Mc|sD1Q$2zr~SN&<zVI)4mCx*f!{aKnqsm*lppY+ww&Nyzf?0Ea8@0R
zH1$ks28ilkpuw?`E!6BgQFx}IwZzAeqN$0;QCfg*kan5-lnC_KwrxzB#roATU%F)a
zBKzhhN})|BNK4ghq6@2f7CdA(8aPcwl<1>QC*QQWO&xi{B_K9<&z}>cQ?)f%`})-*
zADAd{5ybEL#a4<O?(M{QK7})PVR*|^N7HdAnjbW2)=yA#<M;O+Y@utLww=4~`ya8F
zQBhk}wDW)$BZUiHwRz*qOI1v$fPdlF_L}oJ3WPi;Ym0eT6ErO0o~B5aS6qkY482!0
zi}-*LtyjZ(lKl#rVG-K9hAd6s1d3wS$H;f{A;KngXB*=#%>)JEPUxmkv&c<AhCR8p
zz2ck4L3B(Y1FD$HzauxkyrWQ(8~&eXVa^Sc569)x))K)dx4{Mw;Da6q(*7Kuk!*1H
zg5l4R!cKC;7-4uwh<a-Mxhlt>gCy$#tS&=Sf1uH|CYup$^NUwHpSxX;sxe3aR$F}k
zdxgsUgf+F^5gEf_ALbW?Q+&cM0#&NYv73mO+!>y$^)J-TnB}({KaUVsgP6B|wLFsO
zTcyG>1U$aGs5yTOIWuvtGkQ{cr77E}^<Hpv&3w%K{%ZZ!2=Q!ez*jxnsEuvGV1xbq
z`+j|?_2u)dV8a>d>Sg5xXSC#`#*Hy&GuV2fVczxg7oJt){=!-a-1JAk9>Ln*l5_C6
zcJAj%M&9pqVsf~ljh)>#-Jq4W<SO8D@HtGbebgngLeXNeI2KI+iB0TS4*Gmp_^U*U
zi-N=;Pg0P_Y#Ai{FDsEsBnApq@YIPaIwzRuBxlzr97`bov7A1gbSQB=_#^We*n2UK
zz**5LbDd=A$0<iPdzQ`7E?*9&OseO0WMa`?a-h&TFCpi9A{68@-oiOy>JM^Xr~yic
z&p9D(2)bM@L_xL`n1zHw-pQeX-r{PdN9{_adVY)@0`VzNod)&$fd||hF)2v;v!~ew
zhjalrXPW#Uq}aH4Bk~d)bKS%T9PwrGDf}W8CTlIAC<_4p^L@bO_%1U5VQ!vB8HpDb
z(d<nS7CB}+p~lCrGIA}tUk;#F!o_WaUQUFPN=yI*rZ_)T`BIq)fS*({rSA0a;^DnA
z?kEL4C<ax&inl);vgaNTy(-O*cH;(MhavY-3-D}ZWF03D66#mV)hpv>4j{BTMnj&3
z9i{V6UG6gGKlI<|bBXsk#&bZGv7N#;=>Ij40otH<SA|8YtDef5#Fq`|B&Z|DJVcKV
s4?*SVo8w*!R%q=pNDY^TYI-@B1veO~jE<jmm;I?EQKzm^N@HXDFHQ9wy8r+H

delta 2232
zcmYLJc{tSTAGHtaXBqo4u6-Gkia`vSFlZRdWQ5AT#Z;7BOMLB&WE;d-vW?wkMz}Q<
z6_ss@X6#ayM7GM3kc+41`TcV~=X~Dtp7;FqW(Xw<f&RM7&D|^MoC!M5rU1#rk^v)M
zm1ZKb%23lENSid#^v_><Bz05I+qky4j9U4_wlFMdzHdB3>pXjLLXv!c$d`FjHK^u(
z&xUl;8SDKN>zB{I4%$87Ai4wMS>4R8E@mKF`K{Kt#E(X;2}tG3haON$8#+``Br|A#
z^;)Zl<pRQtxOSmM-Y6eDd8&WBAE>M(z&F~BCdZgG!;Kp@z#vA6u--M=P((bDgKmOR
zy;)Ccl8-_5A|BPl8TT(_S@@@@3ZAo4CM@_#Cuu0yDf*e(<D7Lxvg21dY=BSCZ}`Z0
zU(rQeO7N3?vnOMRBiAAGYdNh_Ou+&uE<RY);)!9D7yhF_=qs4Pacy-#Gysp0;**vL
zq`0j(Wm;E{NLpX{N$oe#hzt<3qph)Iprw%xRy)SGj8y5bU&PGbQBF_kDZ+n&MDu_v
z7u=6UH9d~<hOM6)uv)wzUf8dd#Br4!mCesaN4?RcKFkT8J2PKT?O>OEU$qeFygw9L
z!5#fPrqj0m(!wQneb^9?EbDZ+Z|kwgxMsxw(!=-LTKK<yt*hl<bB}p{igs2L2s-ON
zs*B`1c={n)jmIN*fE8qljpLEO5L;n;*%p04L*`S7omUA+*v+Aj1q_$l)Nu=GJBPD?
za&5|mIq~sdHg<4FOsw?GNDqaG1*17Rn@8&+f9Lx47{tjMQ)GeCs2&p?Z@6?pRmLe9
zWEAMCixpUT#xojvwFGIX@0c!x72e~+qU6``{;ARVvzb%jZQQwi8df8BsKSii_Ei=G
zHom<)sw&sIy{94F(`~&t0h(x2oxoFI(=7~nsh`lu%2QyuqsQeXa{~EMdSz>Gu~&`J
z<fi4A%%K@03COtpW*BNsIc>8FM$3@uS;IIk%e;JkhjU25O>|T6Y20`25qQ<{H805w
z^A4q@a$As+n~q%4&A^~tpexE~bA+UEj9b)Pb3UKL`@WLA1#EPd9l083X^<hVKcU;y
z>xg`0;dYi{%UaTQo*$fHcl8v=rKYiwG$p)-?~w=KKp>a(1H~{a9g8Y;#5Lk0c<>X4
z&sb(VkqTFH1V=%!SHi=hPA|?Tj&gKvZ7_7uFTyc=t9dYs7r$jcH<}n7H)qWcKiMbv
zHT99i`x}?1r1;D(&Y!5Hy{xATMg+75r`tp@yG>hfb*!@tqo)Spj1Vkjss#hvSR@@E
z*cs0SW=%5~_?0SLOXew84bo%el;ZUCH}+o1akwa1W*LGJDh_nt*}sRqqEk?$y%!bL
zG-*{yf?yR2hfj_EO<P-ZQ8N8!Ka|QZ7u+AO-qmZ9@71>|6<5Tb@AO_pyLLN|V0Qi4
z_tP6Z`R^)7xBnL3a}{;8`ASRk92+V;+wbEFY>+4K^)_!ez>00WS14!S)i`UT5cKc6
z;K^O3=J!lB{$6V8-E76T{f>b+`tZ*_HOuU6eXnQF0)D=09|SR%begAK8;ByQJtsF_
z{d)SS9Fi90t3r3TM8)1<w%LpoT7;cM#BBD{KTpu+giRpgOPjkO+*Y=aYoG3KYF8=1
z^(~hmTiRee8J|+9GAE2M_`tM${G=nKSn>FcGd6htHwJm}pFolWFnkI)VvqdvO<7o@
zA9d;Y`HkpbzZ3+gNZNTha{lhLoC1Q6vR}&zQ~X__f<z}=sg3E2jpaP%W7N#rDmfJ4
z<2W<<>NGLMd;^rw@J;F7pgyH$`63=DtG!0a!1;BzE6h=|jK66niiPj4N7Cr(u9B57
zserAs|CB$8aF}}#KQ?b2?CyxUx_NtOGmEp?`n&7!10!4-_H(*YtN*aJZ)&|o)}TPv
zHn`6xAgdIylE>>LN^2O@w7x<_NJbU!-sf6Wz*WpFW9lj9!~m%vXJp-Ki#7l%=*0C7
zP9!c@4t{X8ztsRdHEdZ1XQ2`z1+H#J3cl;pUw*GwI~riNkntw;1%Z2y2a=X(;-P}x
zzZqYg-sT=GvprA$I7stD&HE%XGq;CDSoM5*D!dQ{%l8Yt#?*&<uNf-s#HIDex)$QZ
ze7X{c%7VwYm?43P(u&9wKLGIxL)T|g^lG?7hU{p+^2TGkPlS$+<(6*R>5i?<oBwRt
z)QR|Dmg@NvN9^WoSci&2Z~QB<SmgFJfV4HyTkO)VYdHMl=`A31bZ7o`!85I!g=B;9
z$V6SpKISEL1~oeHV^_C$HO(PJI2c-;8X)%2uU3v2W-Qa+^q}g!17J=oOMq*s&iK+Q
zbp)y?jgal+YnVIT=AHU7O3KQ6_#&6Njk<)|{WZM|*Dp{5`z-lLTQt8YW5=x1bK=Xr
z5?+p4B>tRWE%Jyh@q_=c65jZ9s6aIvMMTj)1}Tz!pBi^0|HpeICp8leWejkHhrrr}
zx8s}^88H<}hGY<qHo53SFLxfkjJNZ8XngTTGE@NJCSdO(T#H<aLD|QQNReL$>6?pi
z+s8!rAN)=Nwa6!hCV@fHI9Xdx4>4HjVY?FE&Xs`!NUvn0Xw)t2JIj^PPqUMSDc7}a
zQ2-lG(H8Z8D8pt}m!A>WCfpX3&QXTuRl{S@LT`7{E@qR~qAf9@s@jy@J1k^nTmNZt
zsI5QSA@eYzgAV6`aN(Cwl;g}MA!`UlP4QTv1N)wFDWelDtg0P@6{30b{xSZ!$_Av2
zmN7cjn+RATgsjlfAuQ*}dur6QhA_FtZP)@PD~EK*R?n(ulSbI@9z^P*(`SOy4%1l+
zEJw`cvPq$ONgt=rpfM$kP7O!n8lIyDljY}X2!FZwm*p_m*)1@k9b{$ax`P%+@qa-6
iKtpPH_?sA}>apbvQ_iCf(@s<0RAO@5Q-XR}SpEa?TpLIL

diff --git a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json
index 9cca6b52a1caa9..bb9b0c33b7394d 100644
--- a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json
+++ b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json
@@ -308,4 +308,4 @@
     },
     "aliases": {}
   }
-}
+}
\ No newline at end of file

From f618f1aa12f94e200f7439cf74b06e932b82c65b Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Wed, 15 Aug 2018 14:34:26 -0400
Subject: [PATCH 092/183] use new spaces icon

---
 x-pack/plugins/spaces/public/register_feature.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/spaces/public/register_feature.js b/x-pack/plugins/spaces/public/register_feature.js
index b386ffbf829102..09b896c9caa35c 100644
--- a/x-pack/plugins/spaces/public/register_feature.js
+++ b/x-pack/plugins/spaces/public/register_feature.js
@@ -12,8 +12,8 @@ FeatureCatalogueRegistryProvider.register(() => {
   return {
     id: 'spaces',
     title: 'Spaces',
-    description: 'You know, for space.',
-    icon: '/plugins/kibana/assets/app_security.svg',
+    description: 'Organize your dashboards, visualizations, and other saved objects',
+    icon: 'spacesApp',
     path: '/app/kibana#/management/spaces/list',
     showOnHomePage: true,
     category: FeatureCatalogueCategory.ADMIN

From efb8f0696196e0c15cfb9e9a93578112aa0171bc Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 16 Aug 2018 08:20:26 -0400
Subject: [PATCH 093/183] [Spaces] move Spaces management into Kibana section
 (#21665)

This moves the spaces management link into the Kibana section, rather than a dedicated Spaces section
---
 .../spaces/public/views/management/index.js   | 21 ++++++++++---------
 .../public/views/management/template.html     |  2 +-
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/x-pack/plugins/spaces/public/views/management/index.js b/x-pack/plugins/spaces/public/views/management/index.js
index 2f711925fb4439..d3c161c89f1743 100644
--- a/x-pack/plugins/spaces/public/views/management/index.js
+++ b/x-pack/plugins/spaces/public/views/management/index.js
@@ -9,28 +9,29 @@ import routes from 'ui/routes';
 
 import { management } from 'ui/management';
 
+const MANAGE_SPACES_KEY = 'manage_spaces';
+
 routes.defaults(/\/management/, {
   resolve: {
     spacesManagementSection: function () {
 
+      function getKibanaSection() {
+        return management.getSection('kibana');
+      }
+
       function deregisterSpaces() {
-        management.deregister('spaces');
+        getKibanaSection().deregister(MANAGE_SPACES_KEY);
       }
 
       function ensureSpagesRegistered() {
-        const registerSpaces = () => management.register('spaces', {
-          display: 'Spaces',
-          order: 10
-        });
-        const getSpaces = () => management.getSection('spaces');
 
-        const spaces = (management.hasItem('spaces')) ? getSpaces() : registerSpaces();
+        const kibanaSection = getKibanaSection();
 
-        if (!spaces.hasItem('manage_spaces')) {
-          spaces.register('manage_spaces', {
+        if (!kibanaSection.hasItem(MANAGE_SPACES_KEY)) {
+          kibanaSection.register(MANAGE_SPACES_KEY, {
             name: 'spacesManagementLink',
             order: 10,
-            display: 'Spaces Management',
+            display: 'Spaces',
             url: `#/management/spaces/list`,
           });
         }
diff --git a/x-pack/plugins/spaces/public/views/management/template.html b/x-pack/plugins/spaces/public/views/management/template.html
index 8e7851095e903f..b6df9d36f8cb02 100644
--- a/x-pack/plugins/spaces/public/views/management/template.html
+++ b/x-pack/plugins/spaces/public/views/management/template.html
@@ -1,3 +1,3 @@
-<kbn-management-app section="spaces" omit-breadcrumb-pages="['edit']">
+<kbn-management-app section="kibana" omit-breadcrumb-pages="['edit']">
   <div id="manageSpacesReactRoot" />
 </kbn-management-app>

From 0dd9ccd38425e7f22a28b085033cbec3e7b80c74 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 16 Aug 2018 09:29:09 -0400
Subject: [PATCH 094/183] [Spaces] - Reporting updates (#21457)

@kobelb -- this PR in its current state is just enough to get the reporting API tests passing again.

This doesn't account for space-awareness, and I'll need to pick your brain as to how to do that for reporting, but I figured that would be better addressed when we tackle space-aware advanced settings (it appears that reporting is only using the SOC via the UISettingsService below)
---
 .../csv/server/__tests__/execute_job.js       | 26 ++++++++++-
 .../export_types/csv/server/create_job.js     |  1 +
 .../export_types/csv/server/execute_job.js    | 15 ++++++-
 .../printable_pdf/server/create_job/index.js  |  3 +-
 .../server/execute_job/compatibility_shim.js  | 22 ++++-----
 .../execute_job/compatibility_shim.test.js    | 24 +++++++++-
 .../server/execute_job/get_absolute_url.js    |  3 +-
 .../execute_job/get_absolute_url.test.js      | 10 +++++
 .../printable_pdf/server/execute_job/index.js |  6 +++
 .../server/execute_job/index.test.js          | 45 ++++++++++++++++---
 10 files changed, 130 insertions(+), 25 deletions(-)

diff --git a/x-pack/plugins/reporting/export_types/csv/server/__tests__/execute_job.js b/x-pack/plugins/reporting/export_types/csv/server/__tests__/execute_job.js
index 1f0504db3681d9..1d409e45c092ca 100644
--- a/x-pack/plugins/reporting/export_types/csv/server/__tests__/execute_job.js
+++ b/x-pack/plugins/reporting/export_types/csv/server/__tests__/execute_job.js
@@ -109,13 +109,35 @@ describe('CSV Execute Job', function () {
     mockServer.config().get.withArgs('xpack.reporting.csv.scroll').returns({});
   });
 
-  describe('savedObjects', function () {
-    it('calls getScopedSavedObjectsClient with request containing decrypted headers', async function () {
+  describe('calls getScopedSavedObjectsClient with request', function () {
+    it('containing decrypted headers', async function () {
       const executeJob = executeJobFactory(mockServer);
       await executeJob({ headers: encryptedHeaders, fields: [], searchRequest: { index: null, body: null } }, cancellationToken);
       expect(mockServer.savedObjects.getScopedSavedObjectsClient.calledOnce).to.be(true);
       expect(mockServer.savedObjects.getScopedSavedObjectsClient.firstCall.args[0].headers).to.be.eql(headers);
     });
+
+    it(`containing getBasePath() returning server's basePath if the job doesn't have one`, async function () {
+      const serverBasePath = '/foo-server/basePath/';
+      mockServer.config().get.withArgs('server.basePath').returns(serverBasePath);
+      const executeJob = executeJobFactory(mockServer);
+      await executeJob({ headers: encryptedHeaders, fields: [], searchRequest: { index: null, body: null } }, cancellationToken);
+      expect(mockServer.savedObjects.getScopedSavedObjectsClient.calledOnce).to.be(true);
+      expect(mockServer.savedObjects.getScopedSavedObjectsClient.firstCall.args[0].getBasePath()).to.be.eql(serverBasePath);
+    });
+
+    it(`containing getBasePath() returning job's basePath if the job has one`, async function () {
+      const serverBasePath = '/foo-server/basePath/';
+      mockServer.config().get.withArgs('server.basePath').returns(serverBasePath);
+      const executeJob = executeJobFactory(mockServer);
+      const jobBasePath = 'foo-job/basePath/';
+      await executeJob(
+        { headers: encryptedHeaders, fields: [], searchRequest: { index: null, body: null }, basePath: jobBasePath },
+        cancellationToken
+      );
+      expect(mockServer.savedObjects.getScopedSavedObjectsClient.calledOnce).to.be(true);
+      expect(mockServer.savedObjects.getScopedSavedObjectsClient.firstCall.args[0].getBasePath()).to.be.eql(jobBasePath);
+    });
   });
 
   describe('uiSettings', function () {
diff --git a/x-pack/plugins/reporting/export_types/csv/server/create_job.js b/x-pack/plugins/reporting/export_types/csv/server/create_job.js
index 02d78a97ef9bee..f116cbb763014b 100644
--- a/x-pack/plugins/reporting/export_types/csv/server/create_job.js
+++ b/x-pack/plugins/reporting/export_types/csv/server/create_job.js
@@ -21,6 +21,7 @@ function createJobFn(server) {
     return {
       headers: serializedEncryptedHeaders,
       indexPatternSavedObject: indexPatternSavedObject,
+      basePath: request.getBasePath(),
       ...jobParams
     };
   };
diff --git a/x-pack/plugins/reporting/export_types/csv/server/execute_job.js b/x-pack/plugins/reporting/export_types/csv/server/execute_job.js
index a407cacc63fefd..baa1cd458c8a02 100644
--- a/x-pack/plugins/reporting/export_types/csv/server/execute_job.js
+++ b/x-pack/plugins/reporting/export_types/csv/server/execute_job.js
@@ -16,9 +16,18 @@ function executeJobFn(server) {
   const config = server.config();
   const logger = createTaggedLogger(server, ['reporting', 'csv', 'debug']);
   const generateCsv = createGenerateCsv(logger);
+  const serverBasePath = config.get('server.basePath');
 
   return async function executeJob(job, cancellationToken) {
-    const { searchRequest, fields, indexPatternSavedObject, metaFields, conflictedTypesFields, headers: serializedEncryptedHeaders } = job;
+    const {
+      searchRequest,
+      fields,
+      indexPatternSavedObject,
+      metaFields,
+      conflictedTypesFields,
+      headers: serializedEncryptedHeaders,
+      basePath
+    } = job;
 
     let decryptedHeaders;
     try {
@@ -31,6 +40,10 @@ function executeJobFn(server) {
 
     const fakeRequest = {
       headers: decryptedHeaders,
+      // This is used by the spaces SavedObjectClientWrapper to determine the existing space.
+      // We use the basePath from the saved job, which we'll have post spaces being implemented;
+      // or we use the server base path, which uses the default space
+      getBasePath: () => basePath || serverBasePath,
     };
 
     const callEndpoint = (endpoint, clientParams = {}, options = {}) => {
diff --git a/x-pack/plugins/reporting/export_types/printable_pdf/server/create_job/index.js b/x-pack/plugins/reporting/export_types/printable_pdf/server/create_job/index.js
index bfd3cb6eaa9d56..bab11f10045522 100644
--- a/x-pack/plugins/reporting/export_types/printable_pdf/server/create_job/index.js
+++ b/x-pack/plugins/reporting/export_types/printable_pdf/server/create_job/index.js
@@ -18,7 +18,7 @@ function createJobFn(server) {
     relativeUrls,
     browserTimezone,
     layout
-  }, headers) {
+  }, headers, request) {
     const serializedEncryptedHeaders = await crypto.encrypt(headers);
 
     return {
@@ -28,6 +28,7 @@ function createJobFn(server) {
       headers: serializedEncryptedHeaders,
       browserTimezone,
       layout,
+      basePath: request.getBasePath(),
       forceNow: new Date().toISOString(),
     };
   });
diff --git a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/compatibility_shim.js b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/compatibility_shim.js
index f2d5430f9e1fcf..df55bb75d2621b 100644
--- a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/compatibility_shim.js
+++ b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/compatibility_shim.js
@@ -10,28 +10,28 @@ import { getAbsoluteUrlFactory } from './get_absolute_url';
 export function compatibilityShimFactory(server) {
   const getAbsoluteUrl = getAbsoluteUrlFactory(server);
 
-  const getSavedObjectAbsoluteUrl = (savedObj) => {
-    if (savedObj.urlHash) {
-      return getAbsoluteUrl({ hash: savedObj.urlHash });
+  const getSavedObjectAbsoluteUrl = (job, savedObject) => {
+    if (savedObject.urlHash) {
+      return getAbsoluteUrl({ hash: savedObject.urlHash });
     }
 
-    if (savedObj.relativeUrl) {
-      const { pathname: path, hash, search } = url.parse(savedObj.relativeUrl);
-      return getAbsoluteUrl({ path, hash, search });
+    if (savedObject.relativeUrl) {
+      const { pathname: path, hash, search } = url.parse(savedObject.relativeUrl);
+      return getAbsoluteUrl({ basePath: job.basePath, path, hash, search });
     }
 
-    if (savedObj.url.startsWith(getAbsoluteUrl())) {
-      return savedObj.url;
+    if (savedObject.url.startsWith(getAbsoluteUrl())) {
+      return savedObject.url;
     }
 
-    throw new Error(`Unable to generate report for url ${savedObj.url}, it's not a Kibana URL`);
+    throw new Error(`Unable to generate report for url ${savedObject.url}, it's not a Kibana URL`);
   };
 
   return function (executeJob) {
     return async function (job, cancellationToken) {
-      const urls = job.objects.map(getSavedObjectAbsoluteUrl);
+      const urls = job.objects.map(savedObject => getSavedObjectAbsoluteUrl(job, savedObject));
 
       return await executeJob({ ...job, urls }, cancellationToken);
     };
   };
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/compatibility_shim.test.js b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/compatibility_shim.test.js
index 7552ebc665cba1..f60bc0d83e1550 100644
--- a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/compatibility_shim.test.js
+++ b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/compatibility_shim.test.js
@@ -54,7 +54,7 @@ test(`it generates the absolute url if a urlHash is provided`, async () => {
   expect(mockCreateJob.mock.calls[0][0].urls[0]).toBe('http://localhost:5601/app/kibana#visualize');
 });
 
-test(`it generates the absolute url if a relativeUrl is provided`, async () => {
+test(`it generates the absolute url using server's basePath if a relativeUrl is provided`, async () => {
   const mockCreateJob = jest.fn();
   const compatibilityShim = compatibilityShimFactory(createMockServer());
 
@@ -64,7 +64,17 @@ test(`it generates the absolute url if a relativeUrl is provided`, async () => {
   expect(mockCreateJob.mock.calls[0][0].urls[0]).toBe('http://localhost:5601/app/kibana#/visualize?');
 });
 
-test(`it generates the absolute url if a relativeUrl with querystring is provided`, async () => {
+test(`it generates the absolute url using job's basePath if a relativeUrl is provided`, async () => {
+  const mockCreateJob = jest.fn();
+  const compatibilityShim = compatibilityShimFactory(createMockServer());
+
+  const relativeUrl = '/app/kibana#/visualize?';
+  await compatibilityShim(mockCreateJob)({ basePath: '/s/marketing', objects: [ { relativeUrl } ] });
+  expect(mockCreateJob.mock.calls.length).toBe(1);
+  expect(mockCreateJob.mock.calls[0][0].urls[0]).toBe('http://localhost:5601/s/marketing/app/kibana#/visualize?');
+});
+
+test(`it generates the absolute url using server's basePath if a relativeUrl with querystring is provided`, async () => {
   const mockCreateJob = jest.fn();
   const compatibilityShim = compatibilityShimFactory(createMockServer());
 
@@ -74,6 +84,16 @@ test(`it generates the absolute url if a relativeUrl with querystring is provide
   expect(mockCreateJob.mock.calls[0][0].urls[0]).toBe('http://localhost:5601/app/kibana?_t=123456789#/visualize?_g=()');
 });
 
+test(`it generates the absolute url using job's basePath if a relativeUrl with querystring is provided`, async () => {
+  const mockCreateJob = jest.fn();
+  const compatibilityShim = compatibilityShimFactory(createMockServer());
+
+  const relativeUrl = '/app/kibana?_t=123456789#/visualize?_g=()';
+  await compatibilityShim(mockCreateJob)({ basePath: '/s/marketing', objects: [ { relativeUrl } ] });
+  expect(mockCreateJob.mock.calls.length).toBe(1);
+  expect(mockCreateJob.mock.calls[0][0].urls[0]).toBe('http://localhost:5601/s/marketing/app/kibana?_t=123456789#/visualize?_g=()');
+});
+
 test(`it passes the provided browserTimezone through`, async () => {
   const mockCreateJob = jest.fn();
   const compatibilityShim = compatibilityShimFactory(createMockServer());
diff --git a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/get_absolute_url.js b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/get_absolute_url.js
index e2f594eec609fb..b224d0835fa945 100644
--- a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/get_absolute_url.js
+++ b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/get_absolute_url.js
@@ -11,6 +11,7 @@ function getAbsoluteUrlFn(server) {
   const config = server.config();
 
   return function getAbsoluteUrl({
+    basePath = config.get('server.basePath'),
     hash,
     path = '/app/kibana',
     search
@@ -19,7 +20,7 @@ function getAbsoluteUrlFn(server) {
       protocol: config.get('xpack.reporting.kibanaServer.protocol') || server.info.protocol,
       hostname: config.get('xpack.reporting.kibanaServer.hostname') || config.get('server.host'),
       port: config.get('xpack.reporting.kibanaServer.port') || config.get('server.port'),
-      pathname: config.get('server.basePath') + path,
+      pathname: basePath + path,
       hash: hash,
       search
     });
diff --git a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/get_absolute_url.test.js b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/get_absolute_url.test.js
index 1391d4665cb509..39ca6fd52f51e1 100644
--- a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/get_absolute_url.test.js
+++ b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/get_absolute_url.test.js
@@ -92,6 +92,14 @@ test(`uses the provided hash with queryString`, () => {
   expect(absoluteUrl).toBe(`http://something:8080/tst/app/kibana#${hash}`);
 });
 
+test(`uses the provided basePath`, () => {
+  const mockServer = createMockServer();
+
+  const getAbsoluteUrl = getAbsoluteUrlFactory(mockServer);
+  const absoluteUrl = getAbsoluteUrl({ basePath: '/s/marketing' });
+  expect(absoluteUrl).toBe(`http://something:8080/s/marketing/app/kibana`);
+});
+
 test(`uses the path`, () => {
   const mockServer = createMockServer();
 
@@ -109,3 +117,5 @@ test(`uses the search`, () => {
   const absoluteUrl = getAbsoluteUrl({ search });
   expect(absoluteUrl).toBe(`http://something:8080/tst/app/kibana?${search}`);
 });
+
+
diff --git a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/index.js b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/index.js
index 103e3b4c3293d3..72969083d98e3b 100644
--- a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/index.js
+++ b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/index.js
@@ -31,6 +31,8 @@ function executeJobFn(server) {
   const crypto = cryptoFactory(server);
   const compatibilityShim = compatibilityShimFactory(server);
 
+  const serverBasePath = server.config().get('server.basePath');
+
   const decryptJobHeaders = async (job) => {
     const decryptedHeaders = await crypto.decrypt(job.headers);
     return { job, decryptedHeaders };
@@ -44,6 +46,10 @@ function executeJobFn(server) {
   const getCustomLogo = async ({ job, filteredHeaders }) => {
     const fakeRequest = {
       headers: filteredHeaders,
+      // This is used by the spaces SavedObjectClientWrapper to determine the existing space.
+      // We use the basePath from the saved job, which we'll have post spaces being implemented;
+      // or we use the server base path, which uses the default space
+      getBasePath: () => job.basePath || serverBasePath
     };
 
     const savedObjects = server.savedObjects;
diff --git a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/index.test.js b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/index.test.js
index 2b4ea67d5895c9..10c68f508a7369 100644
--- a/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/index.test.js
+++ b/x-pack/plugins/reporting/export_types/printable_pdf/server/execute_job/index.test.js
@@ -42,7 +42,7 @@ beforeEach(() => {
       'xpack.reporting.kibanaServer.protocol': 'http',
       'xpack.reporting.kibanaServer.hostname': 'localhost',
       'xpack.reporting.kibanaServer.port': 5601,
-      'server.basePath': ''
+      'server.basePath': '/sbp'
     }[key];
   });
 
@@ -106,6 +106,37 @@ test(`omits blacklisted headers`, async () => {
   expect(generatePdfObservable).toBeCalledWith(undefined, [], undefined, permittedHeaders, undefined, undefined);
 });
 
+test('uses basePath from job when creating saved object service', async () => {
+  const encryptedHeaders = await encryptHeaders({});
+
+  const logo = 'custom-logo';
+  mockServer.uiSettingsServiceFactory().get.mockReturnValue(logo);
+
+  const generatePdfObservable = generatePdfObservableFactory();
+  generatePdfObservable.mockReturnValue(Rx.of(Buffer.from('')));
+
+  const executeJob = executeJobFactory(mockServer);
+  const jobBasePath = '/sbp/s/marketing';
+  await executeJob({ objects: [], headers: encryptedHeaders, basePath: jobBasePath }, cancellationToken);
+
+  expect(mockServer.savedObjects.getScopedSavedObjectsClient.mock.calls[0][0].getBasePath()).toBe(jobBasePath);
+});
+
+test(`uses basePath from server if job doesn't have a basePath when creating saved object service`, async () => {
+  const encryptedHeaders = await encryptHeaders({});
+
+  const logo = 'custom-logo';
+  mockServer.uiSettingsServiceFactory().get.mockReturnValue(logo);
+
+  const generatePdfObservable = generatePdfObservableFactory();
+  generatePdfObservable.mockReturnValue(Rx.of(Buffer.from('')));
+
+  const executeJob = executeJobFactory(mockServer);
+  await executeJob({ objects: [], headers: encryptedHeaders }, cancellationToken);
+
+  expect(mockServer.savedObjects.getScopedSavedObjectsClient.mock.calls[0][0].getBasePath()).toBe('/sbp');
+});
+
 test(`gets logo from uiSettings`, async () => {
   const encryptedHeaders = await encryptHeaders({});
 
@@ -145,9 +176,9 @@ test(`adds forceNow to hash's query, if it exists`, async () => {
   const executeJob = executeJobFactory(mockServer);
   const forceNow = '2000-01-01T00:00:00.000Z';
 
-  await executeJob({ objects: [{ relativeUrl: 'app/kibana#/something' }], forceNow, headers: encryptedHeaders }, cancellationToken);
+  await executeJob({ objects: [{ relativeUrl: '/app/kibana#/something' }], forceNow, headers: encryptedHeaders }, cancellationToken);
 
-  expect(generatePdfObservable).toBeCalledWith(undefined, ['http://localhost:5601/app/kibana#/something?forceNow=2000-01-01T00%3A00%3A00.000Z'], undefined, {}, undefined, undefined);
+  expect(generatePdfObservable).toBeCalledWith(undefined, ['http://localhost:5601/sbp/app/kibana#/something?forceNow=2000-01-01T00%3A00%3A00.000Z'], undefined, {}, undefined, undefined);
 });
 
 test(`appends forceNow to hash's query, if it exists`, async () => {
@@ -160,12 +191,12 @@ test(`appends forceNow to hash's query, if it exists`, async () => {
   const forceNow = '2000-01-01T00:00:00.000Z';
 
   await executeJob({
-    objects: [{ relativeUrl: 'app/kibana#/something?_g=something' }],
+    objects: [{ relativeUrl: '/app/kibana#/something?_g=something' }],
     forceNow,
     headers: encryptedHeaders
   }, cancellationToken);
 
-  expect(generatePdfObservable).toBeCalledWith(undefined, ['http://localhost:5601/app/kibana#/something?_g=something&forceNow=2000-01-01T00%3A00%3A00.000Z'], undefined, {}, undefined, undefined);
+  expect(generatePdfObservable).toBeCalledWith(undefined, ['http://localhost:5601/sbp/app/kibana#/something?_g=something&forceNow=2000-01-01T00%3A00%3A00.000Z'], undefined, {}, undefined, undefined);
 });
 
 test(`doesn't append forceNow query to url, if it doesn't exists`, async () => {
@@ -176,9 +207,9 @@ test(`doesn't append forceNow query to url, if it doesn't exists`, async () => {
 
   const executeJob = executeJobFactory(mockServer);
 
-  await executeJob({ objects: [{ relativeUrl: 'app/kibana#/something' }], headers: encryptedHeaders }, cancellationToken);
+  await executeJob({ objects: [{ relativeUrl: '/app/kibana#/something' }], headers: encryptedHeaders }, cancellationToken);
 
-  expect(generatePdfObservable).toBeCalledWith(undefined, ['http://localhost:5601/app/kibana#/something'], undefined, {}, undefined, undefined);
+  expect(generatePdfObservable).toBeCalledWith(undefined, ['http://localhost:5601/sbp/app/kibana#/something'], undefined, {}, undefined, undefined);
 });
 
 test(`returns content_type of application/pdf`, async () => {

From 7734701ef6697110473b46ce11bb951467b0332e Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 16 Aug 2018 12:30:31 -0400
Subject: [PATCH 095/183] snapshot updates

---
 .../__snapshots__/elasticsearch_privileges.test.js.snap       | 1 +
 .../__snapshots__/index_privilege_form.test.js.snap           | 3 +++
 .../space_selector/__snapshots__/space_selector.test.js.snap  | 4 ++--
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap
index cfb36fa9580903..5c8de223b641bf 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap
@@ -82,6 +82,7 @@ exports[`it renders without crashing 1`] = `
         hasEmptyLabelSpace={true}
       >
         <EuiComboBox
+          fullWidth={false}
           isClearable={true}
           isDisabled={false}
           onChange={[Function]}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privilege_form.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privilege_form.test.js.snap
index b84dcc659d5f96..cba78af4f996bd 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privilege_form.test.js.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privilege_form.test.js.snap
@@ -42,6 +42,7 @@ exports[`it renders without crashing 1`] = `
               label="Indices"
             >
               <EuiComboBox
+                fullWidth={false}
                 isClearable={true}
                 isDisabled={false}
                 onChange={[Function]}
@@ -63,6 +64,7 @@ exports[`it renders without crashing 1`] = `
               label="Privileges"
             >
               <EuiComboBox
+                fullWidth={false}
                 isClearable={true}
                 isDisabled={false}
                 onChange={[Function]}
@@ -125,6 +127,7 @@ exports[`it renders without crashing 1`] = `
             >
               <React.Fragment>
                 <EuiComboBox
+                  fullWidth={false}
                   isClearable={true}
                   isDisabled={false}
                   onChange={[Function]}
diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
index 2d0f768c35777d..03ffdc5550e8cb 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
@@ -2,11 +2,11 @@
 
 exports[`it renders without crashing 1`] = `
 <div
-  className="euiPage euiPage--widthIsNotRestricted spaceSelector__page"
+  className="euiPage spaceSelector__page"
   style={undefined}
 >
   <div
-    className="euiPageBody euiPage--widthIsNotRestricted"
+    className="euiPageBody"
     style={undefined}
   >
     <div

From 69fe9a739909e4394343a47f405b95462cedaf66 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 16 Aug 2018 15:38:10 -0400
Subject: [PATCH 096/183] [Spaces] Replace Space Selector modal with a less
 intrusive popover (#19497)

This replaces the existing Modal with a smaller Popover which is less intrusive. The popover also features a search bar for finding the desired Space when there are 8 or more Spaces to choose from.

### Details
When there are less than 8 spaces available, the selector will render a simple list of spaces.

When there are >= 8 spaces available, the selector will also render a search bar to let users search for their space.


### Prerequisites
- [x] Merge #18862 into `spaces-phase-1`

### Known Issues
- https://github.com/elastic/eui/issues/1043 (fixed in `v3.2.0`)
- https://github.com/elastic/eui/issues/1052 (fixed in `v3.2.1`)
- Missing typdefs (not a blocker to merge): https://github.com/elastic/eui/pull/1120
---
 .../common/{constants.js => constants.ts}     |   0
 .../spaces/common/{index.js => index.ts}      |   5 +-
 ...reserved_space.js => is_reserved_space.ts} |   3 +-
 x-pack/plugins/spaces/common/model/space.ts   |  14 ++
 ...pace_attributes.js => space_attributes.ts} |  24 +--
 x-pack/plugins/spaces/public/lib/constants.ts |   9 +
 .../spaces/public/lib/spaces_manager.js       |  66 ------
 .../spaces/public/lib/spaces_manager.ts       |  67 +++++++
 .../views/components/{index.js => index.ts}   |   3 +-
 .../views/components/manage_spaces_button.tsx |  35 ++++
 .../{space_avatar.js => space_avatar.tsx}     |  25 +--
 .../nav_control_popover.test.js.snap          |   3 +
 .../spaces_description.test.tsx.snap          |  32 +++
 .../components/spaces_description.less        |   8 +
 .../components/spaces_description.test.tsx    |  15 ++
 .../components/spaces_description.tsx         |  31 +++
 .../nav_control/components/spaces_menu.less   |   9 +
 .../nav_control/components/spaces_menu.tsx    | 159 +++++++++++++++
 .../views/nav_control/{index.js => index.ts}  |   0
 .../public/views/nav_control/nav_control.js   |   4 +-
 .../public/views/nav_control/nav_control.less |   5 -
 .../views/nav_control/nav_control_modal.js    | 189 ------------------
 .../nav_control/nav_control_popover.test.js   |  69 +++++++
 .../views/nav_control/nav_control_popover.tsx | 153 ++++++++++++++
 .../spaces/server/routes/api/v1/spaces.js     |   3 +-
 25 files changed, 638 insertions(+), 293 deletions(-)
 rename x-pack/plugins/spaces/common/{constants.js => constants.ts} (100%)
 rename x-pack/plugins/spaces/common/{index.js => index.ts} (82%)
 rename x-pack/plugins/spaces/common/{is_reserved_space.js => is_reserved_space.ts} (81%)
 create mode 100644 x-pack/plugins/spaces/common/model/space.ts
 rename x-pack/plugins/spaces/common/{space_attributes.js => space_attributes.ts} (69%)
 create mode 100644 x-pack/plugins/spaces/public/lib/constants.ts
 delete mode 100644 x-pack/plugins/spaces/public/lib/spaces_manager.js
 create mode 100644 x-pack/plugins/spaces/public/lib/spaces_manager.ts
 rename x-pack/plugins/spaces/public/views/components/{index.js => index.ts} (73%)
 create mode 100644 x-pack/plugins/spaces/public/views/components/manage_spaces_button.tsx
 rename x-pack/plugins/spaces/public/views/components/{space_avatar.js => space_avatar.tsx} (59%)
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/components/__snapshots__/spaces_description.test.tsx.snap
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.less
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.test.tsx
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.less
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx
 rename x-pack/plugins/spaces/public/views/nav_control/{index.js => index.ts} (100%)
 delete mode 100644 x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx

diff --git a/x-pack/plugins/spaces/common/constants.js b/x-pack/plugins/spaces/common/constants.ts
similarity index 100%
rename from x-pack/plugins/spaces/common/constants.js
rename to x-pack/plugins/spaces/common/constants.ts
diff --git a/x-pack/plugins/spaces/common/index.js b/x-pack/plugins/spaces/common/index.ts
similarity index 82%
rename from x-pack/plugins/spaces/common/index.js
rename to x-pack/plugins/spaces/common/index.ts
index 05320f110f4c76..0e605562ea3ea4 100644
--- a/x-pack/plugins/spaces/common/index.js
+++ b/x-pack/plugins/spaces/common/index.ts
@@ -7,7 +7,4 @@
 export { isReservedSpace } from './is_reserved_space';
 export { MAX_SPACE_INITIALS } from './constants';
 
-export {
-  getSpaceInitials,
-  getSpaceColor,
-} from './space_attributes';
\ No newline at end of file
+export { getSpaceInitials, getSpaceColor } from './space_attributes';
diff --git a/x-pack/plugins/spaces/common/is_reserved_space.js b/x-pack/plugins/spaces/common/is_reserved_space.ts
similarity index 81%
rename from x-pack/plugins/spaces/common/is_reserved_space.js
rename to x-pack/plugins/spaces/common/is_reserved_space.ts
index 7fe0a647268863..0889686aa77f59 100644
--- a/x-pack/plugins/spaces/common/is_reserved_space.js
+++ b/x-pack/plugins/spaces/common/is_reserved_space.ts
@@ -5,6 +5,7 @@
  */
 
 import { get } from 'lodash';
+import { Space } from './model/space';
 
 /**
  * Returns whether the given Space is reserved or not.
@@ -12,6 +13,6 @@ import { get } from 'lodash';
  * @param space the space
  * @returns boolean
  */
-export function isReservedSpace(space) {
+export function isReservedSpace(space: Space): boolean {
   return get(space, '_reserved', false);
 }
diff --git a/x-pack/plugins/spaces/common/model/space.ts b/x-pack/plugins/spaces/common/model/space.ts
new file mode 100644
index 00000000000000..15148231984fc3
--- /dev/null
+++ b/x-pack/plugins/spaces/common/model/space.ts
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export interface Space {
+  id: string;
+  name: string;
+  description?: string;
+  color?: string;
+  initials?: string;
+  _reserved?: boolean;
+}
diff --git a/x-pack/plugins/spaces/common/space_attributes.js b/x-pack/plugins/spaces/common/space_attributes.ts
similarity index 69%
rename from x-pack/plugins/spaces/common/space_attributes.js
rename to x-pack/plugins/spaces/common/space_attributes.ts
index 2b0cee34023a3c..c73a4b5aca7aaf 100644
--- a/x-pack/plugins/spaces/common/space_attributes.js
+++ b/x-pack/plugins/spaces/common/space_attributes.ts
@@ -6,6 +6,10 @@
 
 import { VISUALIZATION_COLORS } from '@elastic/eui';
 import { MAX_SPACE_INITIALS } from './constants';
+import { Space } from './model/space';
+
+// code point for lowercase "a"
+const FALLBACK_CODE_POINT = 97;
 
 /**
  * Determines the color for the provided space.
@@ -14,17 +18,16 @@ import { MAX_SPACE_INITIALS } from './constants';
  *
  * @param {Space} space
  */
-export function getSpaceColor(space = {}) {
-  const {
-    color,
-    name = '',
-  } = space;
+export function getSpaceColor(space: Partial<Space> = {}) {
+  const { color, name = '' } = space;
 
   if (color) {
     return color;
   }
 
-  return VISUALIZATION_COLORS[name.codePointAt(0) % VISUALIZATION_COLORS.length];
+  const firstCodePoint = name.codePointAt(0) || FALLBACK_CODE_POINT;
+
+  return VISUALIZATION_COLORS[firstCodePoint % VISUALIZATION_COLORS.length];
 }
 
 /**
@@ -34,17 +37,14 @@ export function getSpaceColor(space = {}) {
  *
  * @param {Space} space
  */
-export function getSpaceInitials(space = {}) {
-  const {
-    initials,
-    name = ''
-  } = space;
+export function getSpaceInitials(space: Partial<Space> = {}) {
+  const { initials, name = '' } = space;
 
   if (initials) {
     return initials;
   }
 
-  const words = name.split(" ");
+  const words = name.split(' ');
 
   const numInitials = Math.min(MAX_SPACE_INITIALS, words.length);
 
diff --git a/x-pack/plugins/spaces/public/lib/constants.ts b/x-pack/plugins/spaces/public/lib/constants.ts
new file mode 100644
index 00000000000000..59ac4b3aa64c37
--- /dev/null
+++ b/x-pack/plugins/spaces/public/lib/constants.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import chrome from 'ui/chrome';
+
+export const MANAGE_SPACES_URL = chrome.addBasePath(`/app/kibana#/management/spaces/list`);
diff --git a/x-pack/plugins/spaces/public/lib/spaces_manager.js b/x-pack/plugins/spaces/public/lib/spaces_manager.js
deleted file mode 100644
index 7d0243dc038c44..00000000000000
--- a/x-pack/plugins/spaces/public/lib/spaces_manager.js
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-import { toastNotifications } from 'ui/notify';
-
-import { EventEmitter } from 'events';
-
-export class SpacesManager extends EventEmitter {
-  constructor(httpAgent, chrome) {
-    super();
-    this._httpAgent = httpAgent;
-    this._baseUrl = chrome.addBasePath(`/api/spaces/v1`);
-  }
-
-  async getSpaces() {
-    return await this._httpAgent
-      .get(`${this._baseUrl}/spaces`)
-      .then(response => response.data);
-  }
-
-  async getSpace(id) {
-    return await this._httpAgent
-      .get(`${this._baseUrl}/space/${id}`);
-  }
-
-  async createSpace(space) {
-    return await this._httpAgent
-      .post(`${this._baseUrl}/space`, space);
-  }
-
-  async updateSpace(space) {
-    return await this._httpAgent
-      .put(`${this._baseUrl}/space/${space.id}?overwrite=true`, space);
-  }
-
-  async deleteSpace(space) {
-    return await this._httpAgent
-      .delete(`${this._baseUrl}/space/${space.id}`);
-  }
-
-  async changeSelectedSpace(space) {
-    return await this._httpAgent
-      .post(`${this._baseUrl}/space/${space.id}/select`)
-      .then(response => {
-        if (response.data && response.data.location) {
-          window.location = response.data.location;
-        } else {
-          this._displayError();
-        }
-      })
-      .catch(() => this._displayError());
-  }
-
-  async requestRefresh() {
-    this.emit('request_refresh');
-  }
-
-  _displayError() {
-    toastNotifications.addDanger({
-      title: 'Unable to change your Space',
-      text: 'please try again later'
-    });
-  }
-}
diff --git a/x-pack/plugins/spaces/public/lib/spaces_manager.ts b/x-pack/plugins/spaces/public/lib/spaces_manager.ts
new file mode 100644
index 00000000000000..a6b21f2fa5229f
--- /dev/null
+++ b/x-pack/plugins/spaces/public/lib/spaces_manager.ts
@@ -0,0 +1,67 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { toastNotifications } from 'ui/notify';
+
+import { IHttpResponse } from 'angular';
+import { EventEmitter } from 'events';
+import { Space } from '../../common/model/space';
+
+export class SpacesManager extends EventEmitter {
+  private httpAgent: any;
+  private baseUrl: any;
+
+  constructor(httpAgent: any, chrome: any) {
+    super();
+    this.httpAgent = httpAgent;
+    this.baseUrl = chrome.addBasePath(`/api/spaces/v1`);
+  }
+
+  public async getSpaces(): Promise<Space[]> {
+    return await this.httpAgent
+      .get(`${this.baseUrl}/spaces`)
+      .then((response: IHttpResponse<Space[]>) => response.data);
+  }
+
+  public async getSpace(id: string): Promise<Space> {
+    return await this.httpAgent.get(`${this.baseUrl}/space/${id}`);
+  }
+
+  public async createSpace(space: Space) {
+    return await this.httpAgent.post(`${this.baseUrl}/space`, space);
+  }
+
+  public async updateSpace(space: Space) {
+    return await this.httpAgent.put(`${this.baseUrl}/space/${space.id}?overwrite=true`, space);
+  }
+
+  public async deleteSpace(space: Space) {
+    return await this.httpAgent.delete(`${this.baseUrl}/space/${space.id}`);
+  }
+
+  public async changeSelectedSpace(space: Space) {
+    return await this.httpAgent
+      .post(`${this.baseUrl}/space/${space.id}/select`)
+      .then((response: IHttpResponse<any>) => {
+        if (response.data && response.data.location) {
+          window.location = response.data.location;
+        } else {
+          this._displayError();
+        }
+      })
+      .catch(() => this._displayError());
+  }
+
+  public async requestRefresh() {
+    this.emit('request_refresh');
+  }
+
+  public _displayError() {
+    toastNotifications.addDanger({
+      title: 'Unable to change your Space',
+      text: 'please try again later',
+    });
+  }
+}
diff --git a/x-pack/plugins/spaces/public/views/components/index.js b/x-pack/plugins/spaces/public/views/components/index.ts
similarity index 73%
rename from x-pack/plugins/spaces/public/views/components/index.js
rename to x-pack/plugins/spaces/public/views/components/index.ts
index 16d03e0d129bc1..cb41cc6e31e0d8 100644
--- a/x-pack/plugins/spaces/public/views/components/index.js
+++ b/x-pack/plugins/spaces/public/views/components/index.ts
@@ -5,4 +5,5 @@
  */
 
 export { SpaceAvatar } from './space_avatar';
-export { SpaceCards } from './space_cards';
\ No newline at end of file
+export { SpaceCards } from './space_cards';
+export { ManageSpacesButton } from './manage_spaces_button';
diff --git a/x-pack/plugins/spaces/public/views/components/manage_spaces_button.tsx b/x-pack/plugins/spaces/public/views/components/manage_spaces_button.tsx
new file mode 100644
index 00000000000000..4f84b573b1da01
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/components/manage_spaces_button.tsx
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EuiButton } from '@elastic/eui';
+import React, { Component } from 'react';
+import { MANAGE_SPACES_URL } from '../../lib/constants';
+
+interface Props {
+  isDisabled?: boolean;
+  size?: 's' | 'l';
+  style?: CSSProperties;
+}
+
+export class ManageSpacesButton extends Component<Props, {}> {
+  public render() {
+    return (
+      <EuiButton
+        size={this.props.size || 's'}
+        className="manage-spaces-button"
+        isDisabled={this.props.isDisabled}
+        onClick={this.navigateToManageSpaces}
+        style={this.props.style}
+      >
+        Manage Spaces
+      </EuiButton>
+    );
+  }
+
+  private navigateToManageSpaces = () => {
+    window.location.replace(MANAGE_SPACES_URL);
+  };
+}
diff --git a/x-pack/plugins/spaces/public/views/components/space_avatar.js b/x-pack/plugins/spaces/public/views/components/space_avatar.tsx
similarity index 59%
rename from x-pack/plugins/spaces/public/views/components/space_avatar.js
rename to x-pack/plugins/spaces/public/views/components/space_avatar.tsx
index b7908d00f2dde8..375c13f51ffe32 100644
--- a/x-pack/plugins/spaces/public/views/components/space_avatar.js
+++ b/x-pack/plugins/spaces/public/views/components/space_avatar.tsx
@@ -4,19 +4,25 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { EuiAvatar } from '@elastic/eui';
 import React from 'react';
-import PropTypes from 'prop-types';
-import {
-  EuiAvatar
-} from '@elastic/eui';
-import { MAX_SPACE_INITIALS, getSpaceInitials, getSpaceColor } from '../../../common';
+import { getSpaceColor, getSpaceInitials, MAX_SPACE_INITIALS } from '../../../common';
+import { Space } from '../../../common/model/space';
+
+interface Props {
+  space: Space;
+  size?: string;
+  className?: string;
+}
+
+export const SpaceAvatar = (props: Props) => {
+  const { space, size, ...rest } = props;
 
-export const SpaceAvatar = ({ space, size, ...rest }) => {
   return (
     <EuiAvatar
       type="space"
       name={space.name || ''}
-      size={size || "m"}
+      size={size || 'm'}
       initialsLength={MAX_SPACE_INITIALS}
       initials={getSpaceInitials(space)}
       color={getSpaceColor(space)}
@@ -24,8 +30,3 @@ export const SpaceAvatar = ({ space, size, ...rest }) => {
     />
   );
 };
-
-SpaceAvatar.propTypes = {
-  space: PropTypes.object.isRequired,
-  size: PropTypes.string,
-};
diff --git a/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap b/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap
new file mode 100644
index 00000000000000..a1092de10c954c
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap
@@ -0,0 +1,3 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`NavControlPopover renders without crashing 1`] = `""`;
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/__snapshots__/spaces_description.test.tsx.snap b/x-pack/plugins/spaces/public/views/nav_control/components/__snapshots__/spaces_description.test.tsx.snap
new file mode 100644
index 00000000000000..5f439351549c1d
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/__snapshots__/spaces_description.test.tsx.snap
@@ -0,0 +1,32 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`SpacesDescription renders without crashing 1`] = `
+<EuiContextMenuPanel
+  className="spacesDescription"
+  hasFocus={true}
+  items={Array []}
+  title="Spaces"
+>
+  <EuiText
+    className="spacesDescription__text"
+    grow={true}
+  >
+    <p>
+      Use Spaces within Kibana to organize your Dashboards, Visualizations, and other saved objects.
+    </p>
+  </EuiText>
+  <div
+    className="spacesDescription__manageButtonWrapper"
+    key="manageSpacesButton"
+  >
+    <ManageSpacesButton
+      size="s"
+      style={
+        Object {
+          "width": "100%",
+        }
+      }
+    />
+  </div>
+</EuiContextMenuPanel>
+`;
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.less b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.less
new file mode 100644
index 00000000000000..ceff24115bcf34
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.less
@@ -0,0 +1,8 @@
+.spacesDescription {
+  max-width: 300px;
+}
+
+.spacesDescription__text,
+.spacesDescription__manageButtonWrapper {
+  padding: 12px;
+}
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.test.tsx b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.test.tsx
new file mode 100644
index 00000000000000..0308b8b5a4d210
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.test.tsx
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { shallow } from 'enzyme';
+import React from 'react';
+import { SpacesDescription } from './spaces_description';
+
+describe('SpacesDescription', () => {
+  it('renders without crashing', () => {
+    expect(shallow(<SpacesDescription />)).toMatchSnapshot();
+  });
+});
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx
new file mode 100644
index 00000000000000..4f700113437dcc
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EuiContextMenuPanel, EuiText } from '@elastic/eui';
+import React, { SFC } from 'react';
+import { ManageSpacesButton } from '../../components';
+import './spaces_description.less';
+
+export const SpacesDescription: SFC = () => {
+  const panelProps = {
+    className: 'spacesDescription',
+    title: 'Spaces',
+  };
+
+  return (
+    <EuiContextMenuPanel {...panelProps}>
+      <EuiText className="spacesDescription__text">
+        <p>
+          Use Spaces within Kibana to organize your Dashboards, Visualizations, and other saved
+          objects.
+        </p>
+      </EuiText>
+      <div key="manageSpacesButton" className="spacesDescription__manageButtonWrapper">
+        <ManageSpacesButton size="s" style={{ width: `100%` }} />
+      </div>
+    </EuiContextMenuPanel>
+  );
+};
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.less b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.less
new file mode 100644
index 00000000000000..4ae51c954b00ac
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.less
@@ -0,0 +1,9 @@
+.spacesMenu__spacesList {
+  max-height: 320px;
+  overflow-y: auto;
+}
+
+.spacesMenu__searchFieldWrapper,
+.spacesMenu__manageButtonWrapper {
+  padding: 12px;
+}
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx
new file mode 100644
index 00000000000000..829820e3290ad9
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx
@@ -0,0 +1,159 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EuiContextMenuItem, EuiContextMenuPanel, EuiFieldSearch, EuiText } from '@elastic/eui';
+import React, { Component } from 'react';
+import { SPACE_SEARCH_COUNT_THRESHOLD } from '../../../../common/constants';
+import { Space } from '../../../../common/model/space';
+import { ManageSpacesButton, SpaceAvatar } from '../../components';
+import './spaces_menu.less';
+
+interface Props {
+  spaces: Space[];
+  onSelectSpace: (space: Space) => void;
+}
+
+interface State {
+  searchTerm: string;
+  allowSpacesListFocus: boolean;
+}
+
+export class SpacesMenu extends Component<Props, State> {
+  public state = {
+    searchTerm: '',
+    allowSpacesListFocus: false,
+  };
+
+  public render() {
+    const { searchTerm } = this.state;
+
+    const items = this.getVisibleSpaces(searchTerm).map(this.renderSpaceMenuItem);
+
+    const panelProps = {
+      className: 'spacesMenu',
+      title: 'Change current space',
+      watchedItemProps: ['data-search-term'],
+    };
+
+    if (this.props.spaces.length >= SPACE_SEARCH_COUNT_THRESHOLD) {
+      return (
+        <EuiContextMenuPanel {...panelProps}>
+          {this.renderSearchField()}
+          {this.renderSpacesListPanel(items, searchTerm)}
+          {this.renderManageButton()}
+        </EuiContextMenuPanel>
+      );
+    }
+
+    items.push(this.renderManageButton());
+
+    return <EuiContextMenuPanel {...panelProps} items={items} />;
+  }
+
+  private getVisibleSpaces = (searchTerm: string): Space[] => {
+    const { spaces } = this.props;
+
+    let filteredSpaces = spaces;
+    if (searchTerm) {
+      filteredSpaces = spaces.filter(space => {
+        const { name, description = '' } = space;
+        return (
+          name.toLowerCase().indexOf(searchTerm) >= 0 ||
+          description.toLowerCase().indexOf(searchTerm) >= 0
+        );
+      });
+    }
+
+    return filteredSpaces;
+  };
+
+  private renderSpacesListPanel = (items: JSX.Element[], searchTerm: string) => {
+    if (items.length === 0) {
+      return (
+        <EuiText color="subdued" className="eui-textCenter">
+          {' '}
+          no spaces found{' '}
+        </EuiText>
+      );
+    }
+
+    return (
+      <EuiContextMenuPanel
+        key={`spacesMenuList`}
+        data-search-term={searchTerm}
+        className="spacesMenu__spacesList"
+        hasFocus={this.state.allowSpacesListFocus}
+        initialFocusedItemIndex={this.state.allowSpacesListFocus ? 0 : undefined}
+        items={items}
+      />
+    );
+  };
+
+  private renderSearchField = () => {
+    return (
+      <div key="manageSpacesSearchField" className="spacesMenu__searchFieldWrapper">
+        <EuiFieldSearch
+          placeholder="Find a space"
+          incremental={true}
+          onSearch={this.onSearch}
+          onKeyDown={this.onSearchKeyDown}
+          onFocus={this.onSearchFocus}
+          compressed
+        />
+      </div>
+    );
+  };
+
+  private onSearchKeyDown = (e: any) => {
+    //  9: tab
+    // 13: enter
+    // 40: arrow-down
+    const focusableKeyCodes = [9, 13, 40];
+
+    const keyCode = e.keyCode;
+    if (focusableKeyCodes.includes(keyCode)) {
+      // Allows the spaces list panel to recieve focus. This enables keyboard and screen reader navigation
+      this.setState({
+        allowSpacesListFocus: true,
+      });
+    }
+  };
+
+  private onSearchFocus = () => {
+    this.setState({
+      allowSpacesListFocus: false,
+    });
+  };
+
+  private renderManageButton = () => {
+    return (
+      <div key="manageSpacesButton" className="spacesMenu__manageButtonWrapper">
+        <ManageSpacesButton size="s" style={{ width: `100%` }} />
+      </div>
+    );
+  };
+
+  private onSearch = (searchTerm: string) => {
+    this.setState({
+      searchTerm: searchTerm.trim().toLowerCase(),
+    });
+  };
+
+  private renderSpaceMenuItem = (space: Space): JSX.Element => {
+    const icon = <SpaceAvatar space={space} size={'s'} />;
+    return (
+      <EuiContextMenuItem
+        key={space.id}
+        icon={icon}
+        onClick={this.props.onSelectSpace.bind(this, space)}
+        toolTipTitle={space.description && space.name}
+        toolTipContent={space.description}
+      >
+        {space.name}
+      </EuiContextMenuItem>
+    );
+  };
+}
diff --git a/x-pack/plugins/spaces/public/views/nav_control/index.js b/x-pack/plugins/spaces/public/views/nav_control/index.ts
similarity index 100%
rename from x-pack/plugins/spaces/public/views/nav_control/index.js
rename to x-pack/plugins/spaces/public/views/nav_control/index.ts
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
index 4011fc47fc7dc6..9dfcaf8ede84a9 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
@@ -13,7 +13,7 @@ import 'plugins/spaces/views/nav_control/nav_control.less';
 
 import React from 'react';
 import { render, unmountComponentAtNode } from 'react-dom';
-import { NavControlModal } from 'plugins/spaces/views/nav_control/nav_control_modal';
+import { NavControlPopover } from 'plugins/spaces/views/nav_control/nav_control_popover';
 
 chromeNavControlsRegistry.register(constant({
   name: 'spaces',
@@ -30,7 +30,7 @@ module.controller('spacesNavController', ($scope, $http, chrome, activeSpace) =>
 
   spacesManager = new SpacesManager($http, chrome);
 
-  render(<NavControlModal spacesManager={spacesManager} activeSpace={activeSpace} />, domNode);
+  render(<NavControlPopover spacesManager={spacesManager} activeSpace={activeSpace} />, domNode);
 
   // unmount react on controller destroy
   $scope.$on('$destroy', () => {
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.less b/x-pack/plugins/spaces/public/views/nav_control/nav_control.less
index 19f56c5ea10776..6feccde1080a2b 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control.less
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.less
@@ -1,8 +1,3 @@
 .global-nav-link__icon .spaceNavGraphic {
     margin-top: 0.5em;
 }
-
-.selectSpaceModal {
-  min-width: 450px;
-  max-width: 1200px;
-}
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
deleted file mode 100644
index 6ef9b338645ecc..00000000000000
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control_modal.js
+++ /dev/null
@@ -1,189 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React, { Component, Fragment } from 'react';
-import PropTypes from 'prop-types';
-import {
-  EuiCallOut,
-  EuiText,
-  EuiModal,
-  EuiModalHeader,
-  EuiModalHeaderTitle,
-  EuiModalBody,
-  EuiOverlayMask,
-  EuiAvatar,
-  EuiSpacer,
-} from '@elastic/eui';
-import { SpaceCards, SpaceAvatar } from '../components';
-import { Notifier } from 'ui/notify';
-
-export class NavControlModal extends Component {
-  state = {
-    isOpen: false,
-    loading: false,
-    activeSpaceExists: true,
-    spaces: []
-  };
-
-  notifier = new Notifier(`Spaces`);
-
-  async loadSpaces() {
-    const {
-      spacesManager,
-      activeSpace,
-    } = this.props;
-
-    this.setState({
-      loading: true
-    });
-
-    const spaces = await spacesManager.getSpaces();
-
-    let activeSpaceExists = this.state.activeSpaceExists;
-    if (activeSpace.valid) {
-      activeSpaceExists = !!spaces.find(space => space.id === this.props.activeSpace.space.id);
-    }
-
-    this.setState({
-      spaces,
-      activeSpaceExists,
-      isOpen: this.state.isOpen || !activeSpaceExists,
-      loading: false
-    });
-  }
-
-  componentDidMount() {
-    const {
-      activeSpace
-    } = this.props;
-
-    if (activeSpace && !activeSpace.valid) {
-      const { error = {} } = activeSpace;
-      if (error.message) {
-        this.notifier.error(error.message);
-      }
-    }
-
-    this.loadSpaces();
-
-    if (this.props.spacesManager) {
-      this.props.spacesManager.on('request_refresh', () => {
-        this.loadSpaces();
-      });
-    }
-  }
-
-  render() {
-    let modal;
-    if (this.state.isOpen) {
-      modal = (
-        <EuiOverlayMask>
-          {this.getActivePortal()}
-        </EuiOverlayMask>
-      );
-    }
-
-    return (
-      <div>{this.getActiveSpaceButton()}{modal}</div>
-    );
-  }
-
-  getActiveSpaceButton = () => {
-    const {
-      activeSpace
-    } = this.props;
-
-    if (!activeSpace) {
-      return null;
-    }
-
-    // 0 or 1 spaces are available. Either either way, there is no need to render a space selection button
-    if (this.state.spaces.length < 2) {
-      return null;
-    }
-
-    if (activeSpace.valid && activeSpace.space) {
-      return this.getButton(
-        <SpaceAvatar space={activeSpace.space} size={'s'} className={'spaceNavGraphic'} />,
-        activeSpace.space.name
-      );
-    } else if (activeSpace.error) {
-      return this.getButton(
-        <EuiAvatar size={'s'} className={'spaceNavGraphic'} name={'error'} />,
-        'error'
-      );
-    }
-
-    return null;
-  };
-
-  getButton = (linkIcon, linkTitle) => {
-    return (
-      <div className="global-nav-link">
-        <a className="global-nav-link__anchor" onClick={this.togglePortal}>
-          <div className="global-nav-link__icon">{linkIcon}</div>
-          <div className="global-nav-link__title">{linkTitle}</div>
-        </a>
-      </div>
-    );
-  };
-
-  getActivePortal = () => {
-    let callout;
-
-    if (!this.state.activeSpaceExists) {
-      callout = (
-        <Fragment>
-          <EuiCallOut title={'Your space is no longer available'}>
-            <EuiText>
-              Please choose a new Space to continue using Kibana
-            </EuiText>
-          </EuiCallOut>
-          <EuiSpacer />
-        </Fragment>
-      );
-
-    }
-
-    return (
-      <EuiModal onClose={this.closePortal} className={'selectSpaceModal'}>
-        <EuiModalHeader>
-          <EuiModalHeaderTitle>Select a space</EuiModalHeaderTitle>
-        </EuiModalHeader>
-        <EuiModalBody>
-          {callout}
-          <SpaceCards spaces={this.state.spaces} onSpaceSelect={this.onSelectSpace} />
-        </EuiModalBody>
-      </EuiModal>
-    );
-  }
-
-  togglePortal = () => {
-    const isOpening = !this.state.isOpen;
-    if (isOpening) {
-      this.loadSpaces();
-    }
-
-    this.setState({
-      isOpen: !this.state.isOpen
-    });
-  };
-
-  closePortal = () => {
-    this.setState({
-      isOpen: false
-    });
-  }
-
-  onSelectSpace = (space) => {
-    this.props.spacesManager.changeSelectedSpace(space);
-  }
-}
-
-NavControlModal.propTypes = {
-  activeSpace: PropTypes.object,
-  spacesManager: PropTypes.object.isRequired
-};
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js
new file mode 100644
index 00000000000000..09dd22d0b1ac47
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js
@@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { shallow, mount } from 'enzyme';
+import { NavControlPopover } from './nav_control_popover';
+import { SpacesManager } from '../../lib/spaces_manager';
+import { SpaceAvatar } from '../components/space_avatar';
+
+const mockChrome = {
+  addBasePath: jest.fn((a) => a)
+};
+
+const createMockHttpAgent = (withSpaces = false) => {
+
+  const mockHttpAgent = {
+    get: async () => {
+      const result = withSpaces ? [{
+        name: 'space 1'
+      }, {
+        name: 'space 2'
+      }] : [];
+
+      return {
+        data: result
+      };
+    }
+  };
+  return mockHttpAgent;
+};
+
+describe('NavControlPopover', () => {
+  it('renders without crashing', () => {
+    const activeSpace = {
+      space: { name: 'foo' },
+      valid: true
+    };
+
+    const spacesManager = new SpacesManager(createMockHttpAgent(), mockChrome);
+
+    const wrapper = shallow(<NavControlPopover activeSpace={activeSpace} spacesManager={spacesManager} />);
+    expect(wrapper).toMatchSnapshot();
+  });
+
+  it('renders a SpaceAvatar with the active space', async () => {
+    const activeSpace = {
+      space: { name: 'foo' },
+      valid: true
+    };
+
+    const mockAgent = createMockHttpAgent(true);
+
+    const spacesManager = new SpacesManager(mockAgent, mockChrome);
+
+    const wrapper = mount(<NavControlPopover activeSpace={activeSpace} spacesManager={spacesManager} />);
+
+    return new Promise((resolve) => {
+      setTimeout(() => {
+        expect(wrapper.state().spaces).toHaveLength(2);
+        wrapper.update();
+        expect(wrapper.find(SpaceAvatar)).toHaveLength(1);
+        resolve();
+      }, 20);
+    });
+  });
+});
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
new file mode 100644
index 00000000000000..1345d3013000ea
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
@@ -0,0 +1,153 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EuiAvatar, EuiPopover } from '@elastic/eui';
+import React, { Component } from 'react';
+import { Space } from '../../../common/model/space';
+import { SpacesManager } from '../../lib/spaces_manager';
+import { SpaceAvatar } from '../components';
+import { SpacesDescription } from './components/spaces_description';
+import { SpacesMenu } from './components/spaces_menu';
+
+interface Props {
+  spacesManager: SpacesManager;
+  activeSpace: {
+    valid: boolean;
+    error: string;
+    space: Space;
+  };
+}
+
+interface State {
+  isOpen: boolean;
+  loading: boolean;
+  activeSpaceExists: boolean;
+  spaces: Space[];
+}
+
+export class NavControlPopover extends Component<Props, State> {
+  public state = {
+    isOpen: false,
+    loading: false,
+    activeSpaceExists: true,
+    spaces: [],
+  };
+
+  public componentDidMount() {
+    this.loadSpaces();
+
+    if (this.props.spacesManager) {
+      this.props.spacesManager.on('request_refresh', () => {
+        this.loadSpaces();
+      });
+    }
+  }
+
+  public render() {
+    const button = this.getActiveSpaceButton();
+    if (!button) {
+      return null;
+    }
+
+    let element: React.ReactNode;
+    if (this.state.spaces.length < 2) {
+      element = <SpacesDescription />;
+    } else {
+      element = <SpacesMenu spaces={this.state.spaces} onSelectSpace={this.onSelectSpace} />;
+    }
+
+    return (
+      <EuiPopover
+        id={'spacesMenuPopover'}
+        button={button}
+        isOpen={this.state.isOpen}
+        closePopover={this.closePortal}
+        anchorPosition={'rightCenter'}
+        panelPaddingSize="none"
+        ownFocus
+      >
+        {element}
+      </EuiPopover>
+    );
+  }
+
+  private async loadSpaces() {
+    const { spacesManager, activeSpace } = this.props;
+
+    this.setState({
+      loading: true,
+    });
+
+    const spaces = await spacesManager.getSpaces();
+
+    let activeSpaceExists = this.state.activeSpaceExists;
+    if (activeSpace.valid) {
+      activeSpaceExists = !!spaces.find(space => space.id === this.props.activeSpace.space.id);
+    }
+
+    this.setState({
+      spaces,
+      activeSpaceExists,
+      isOpen: this.state.isOpen || !activeSpaceExists,
+      loading: false,
+    });
+  }
+
+  private getActiveSpaceButton = () => {
+    const { activeSpace } = this.props;
+
+    if (!activeSpace) {
+      return null;
+    }
+
+    if (activeSpace.valid && activeSpace.space) {
+      return this.getButton(
+        <SpaceAvatar space={activeSpace.space} size={'s'} className={'spaceNavGraphic'} />,
+        activeSpace.space.name
+      );
+    } else if (activeSpace.error) {
+      return this.getButton(
+        <EuiAvatar size={'s'} className={'spaceNavGraphic'} name={'error'} />,
+        'error'
+      );
+    }
+
+    return null;
+  };
+
+  private getButton = (linkIcon: JSX.Element, linkTitle: string) => {
+    // Mimics the current angular-based navigation link
+    return (
+      <div className="global-nav-link">
+        <a className="global-nav-link__anchor" onClick={this.togglePortal}>
+          <div className="global-nav-link__icon"> {linkIcon} </div>
+          <div className="global-nav-link__title"> {linkTitle} </div>
+        </a>
+      </div>
+    );
+  };
+
+  private togglePortal = () => {
+    const isOpening = !this.state.isOpen;
+    if (isOpening) {
+      this.loadSpaces();
+    }
+
+    this.setState({
+      isOpen: !this.state.isOpen,
+    });
+  };
+
+  private closePortal = () => {
+    this.setState({
+      isOpen: false,
+    });
+  };
+
+  private onSelectSpace = (space: Space) => {
+    this.props.spacesManager.changeSelectedSpace(space);
+  };
+}
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
index 740b444e65e695..ad0bab30ccc90f 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
@@ -32,7 +32,8 @@ export function initSpacesApi(server) {
 
       try {
         const result = await client.find({
-          type: 'space'
+          type: 'space',
+          sortField: 'name.keyword',
         });
 
         spaces = result.saved_objects.map(convertSavedObjectToSpace);

From e9ee8f87fb22221456ffed3b6d7660c0b8ac3233 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Fri, 17 Aug 2018 13:17:35 -0400
Subject: [PATCH 097/183] Updating the Role API to work better spaces (#22080)

* Moving global privileges to it's new designated location

* Adjusting get to be new structure

* Updating PUT

* Updating UI to work with the new API
---
 .../privileges/kibana_privileges.js           |  14 +-
 .../views/management/edit_role/index.js       |   5 +-
 .../lib/get_application_privileges.js         |  19 +-
 .../server/routes/api/public/roles/get.js     |  62 +++--
 .../routes/api/public/roles/get.test.js       | 238 +++++++++++++++---
 .../server/routes/api/public/roles/put.js     |  40 ++-
 .../routes/api/public/roles/put.test.js       |  96 +++----
 7 files changed, 338 insertions(+), 136 deletions(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js
index e5e9ddb2bff473..37795c4c02575e 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js
@@ -7,7 +7,7 @@
 import React, { Component } from 'react';
 import PropTypes from 'prop-types';
 import { isReservedRole } from '../../../../../lib/role';
-import { getKibanaPrivilegesViewModel, getKibanaPrivileges } from '../../lib/get_application_privileges';
+import { getKibanaPrivilegesViewModel } from '../../lib/get_application_privileges';
 
 import { CollapsiblePanel } from '../collapsible_panel';
 import {
@@ -78,20 +78,18 @@ export class KibanaPrivileges extends Component {
   onKibanaPrivilegesChange = (e) => {
     const role = {
       ...this.props.role,
-      kibana: [...this.props.role.kibana]
+      kibana: {
+        ...this.props.role.kibana
+      }
     };
 
     const privilege = e.target.value;
 
     if (privilege === noPrivilegeValue) {
       // unsetting all privileges -- only necessary until RBAC Phase 3
-      const noPrivileges = {};
-      role.kibana = getKibanaPrivileges(noPrivileges);
+      role.kibana.global = [];
     } else {
-      const newPrivileges = {
-        [privilege]: true
-      };
-      role.kibana = getKibanaPrivileges(newPrivileges);
+      role.kibana.global = [privilege];
     }
 
     this.props.onChange(role);
diff --git a/x-pack/plugins/security/public/views/management/edit_role/index.js b/x-pack/plugins/security/public/views/management/edit_role/index.js
index 45b124167815c1..765dca06665f6c 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/index.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/index.js
@@ -56,7 +56,10 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
             indices: [],
             run_as: [],
           },
-          kibana: [],
+          kibana: {
+            global: [],
+            space: {},
+          },
           _unrecognized_applications: [],
         }));
       }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js
index 078dfc1dae0ea5..138fbaff51d921 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js
@@ -3,8 +3,6 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import _ from 'lodash';
-
 export function getKibanaPrivilegesViewModel(applicationPrivileges, roleKibanaPrivileges) {
   const viewModel = applicationPrivileges.reduce((acc, applicationPrivilege) => {
     acc[applicationPrivilege.name] = false;
@@ -15,7 +13,7 @@ export function getKibanaPrivilegesViewModel(applicationPrivileges, roleKibanaPr
     return viewModel;
   }
 
-  const assignedPrivileges = _.uniq(_.flatten(_.pluck(roleKibanaPrivileges, 'privileges')));
+  const assignedPrivileges = roleKibanaPrivileges.global;
   assignedPrivileges.forEach(assignedPrivilege => {
     // we don't want to display privileges that aren't in our expected list of privileges
     if (assignedPrivilege in viewModel) {
@@ -25,18 +23,3 @@ export function getKibanaPrivilegesViewModel(applicationPrivileges, roleKibanaPr
 
   return viewModel;
 }
-
-export function getKibanaPrivileges(kibanaPrivilegesViewModel) {
-  const selectedPrivileges = Object.keys(kibanaPrivilegesViewModel).filter(key => kibanaPrivilegesViewModel[key]);
-
-  // if we have any selected privileges, add a single application entry
-  if (selectedPrivileges.length > 0) {
-    return [
-      {
-        privileges: selectedPrivileges
-      }
-    ];
-  }
-
-  return [];
-}
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/get.js b/x-pack/plugins/security/server/routes/api/public/roles/get.js
index 9ae89a97c36f1a..88d096fda39063 100644
--- a/x-pack/plugins/security/server/routes/api/public/roles/get.js
+++ b/x-pack/plugins/security/server/routes/api/public/roles/get.js
@@ -11,11 +11,31 @@ import { wrapError } from '../../../../lib/errors';
 export function initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn, application) {
 
   const transformKibanaApplicationsFromEs = (roleApplications) => {
-    return roleApplications
-      .filter(roleApplication => roleApplication.application === application)
-      .filter(roleApplication => roleApplication.resources.length > 0)
-      .filter(roleApplication => roleApplication.resources.every(resource => resource === ALL_RESOURCE))
-      .map(roleApplication => ({ privileges: roleApplication.privileges }));
+    const roleKibanaApplications = roleApplications
+      .filter(roleApplication => roleApplication.application === application);
+
+    const resourcePrivileges = _.flatten(roleKibanaApplications
+      .map(({ resources, privileges }) => resources.map(resource => ({ resource, privileges })))
+    );
+
+    return resourcePrivileges.reduce((result, { resource, privileges }) => {
+      if (resource === ALL_RESOURCE) {
+        result.global = _.uniq([...result.global, ...privileges]);
+        return result;
+      }
+
+      const spacePrefix = 'space:';
+      if (resource.startsWith(spacePrefix)) {
+        const spaceId = resource.slice(spacePrefix.length);
+        result.space[spaceId] = _.uniq([...result.space[spaceId] || [], ...privileges]);
+        return result;
+      }
+
+      throw new Error(`Unknown application privilege resource: ${resource}`);
+    }, {
+      global: [],
+      space: {},
+    });
   };
 
   const transformUnrecognizedApplicationsFromEs = (roleApplications) => {
@@ -46,13 +66,13 @@ export function initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn,
   server.route({
     method: 'GET',
     path: '/api/security/role',
-    handler(request, reply) {
-      return callWithRequest(request, 'shield.getRole').then(
-        (response) => {
-          return reply(transformRolesFromEs(response));
-        },
-        _.flow(wrapError, reply)
-      );
+    async handler(request, reply) {
+      try {
+        const response = await callWithRequest(request, 'shield.getRole');
+        return reply(transformRolesFromEs(response));
+      } catch (error) {
+        reply(wrapError(error));
+      }
     },
     config: {
       pre: [routePreCheckLicenseFn]
@@ -62,14 +82,18 @@ export function initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn,
   server.route({
     method: 'GET',
     path: '/api/security/role/{name}',
-    handler(request, reply) {
+    async handler(request, reply) {
       const name = request.params.name;
-      return callWithRequest(request, 'shield.getRole', { name }).then(
-        (response) => {
-          if (response[name]) return reply(transformRoleFromEs(response[name], name));
-          return reply(Boom.notFound());
-        },
-        _.flow(wrapError, reply));
+      try {
+        const response = await callWithRequest(request, 'shield.getRole', { name });
+        if (response[name]) {
+          return reply(transformRoleFromEs(response[name], name));
+        }
+
+        return reply(Boom.notFound());
+      } catch(error) {
+        reply(wrapError(error));
+      }
     },
     config: {
       pre: [routePreCheckLicenseFn]
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/get.test.js b/x-pack/plugins/security/server/routes/api/public/roles/get.test.js
index a8dd3a38bdeb91..f0f3511e32497a 100644
--- a/x-pack/plugins/security/server/routes/api/public/roles/get.test.js
+++ b/x-pack/plugins/security/server/routes/api/public/roles/get.test.js
@@ -88,6 +88,37 @@ describe('GET roles', () => {
         },
       },
     });
+
+    getRolesTest(`throws error if resource isn't * and doesn't have the space: prefix`, {
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application,
+              privileges: ['read'],
+              resources: ['default'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 500,
+        result: {
+          error: 'Internal Server Error',
+          message: 'An internal server error occurred',
+          statusCode: 500
+        }
+      },
+    });
   });
 
   describe('success', () => {
@@ -132,14 +163,17 @@ describe('GET roles', () => {
               ],
               run_as: ['other_user'],
             },
-            kibana: [],
+            kibana: {
+              global: [],
+              space: {},
+            },
             _unrecognized_applications: [],
           },
         ],
       },
     });
 
-    getRolesTest(`transforms matching applications to kibana privileges`, {
+    getRolesTest(`transforms matching applications with * resource to kibana global privileges`, {
       callWithRequestImpl: async () => ({
         first_role: {
           cluster: [],
@@ -181,21 +215,17 @@ describe('GET roles', () => {
               indices: [],
               run_as: [],
             },
-            kibana: [
-              {
-                privileges: ['read'],
-              },
-              {
-                privileges: ['all'],
-              },
-            ],
+            kibana: {
+              global: ['read', 'all'],
+              space: {},
+            },
             _unrecognized_applications: [],
           },
         ],
       },
     });
 
-    getRolesTest(`excludes resources other than * from kibana privileges`, {
+    getRolesTest(`transforms matching applications with space resources to kibana space privileges`, {
       callWithRequestImpl: async () => ({
         first_role: {
           cluster: [],
@@ -204,18 +234,67 @@ describe('GET roles', () => {
             {
               application,
               privileges: ['read'],
-              // Elasticsearch should prevent this from happening
-              resources: [],
+              resources: ['space:marketing'],
+            },
+            {
+              application,
+              privileges: ['all'],
+              resources: ['space:marketing'],
             },
             {
               application,
               privileges: ['read'],
-              resources: ['default', '*'],
+              resources: ['space:engineering'],
             },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: [
+          {
+            name: 'first_role',
+            metadata: {
+              _reserved: true,
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+            elasticsearch: {
+              cluster: [],
+              indices: [],
+              run_as: [],
+            },
+            kibana: {
+              global: [],
+              space: {
+                marketing: ['read', 'all'],
+                engineering: ['read'],
+              }
+            },
+            _unrecognized_applications: [],
+          },
+        ],
+      },
+    });
+
+    getRolesTest(`ignores empty resources even though this shouldn't happen`, {
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
             {
               application,
               privileges: ['read'],
-              resources: ['some-other-space'],
+              resources: [],
             },
           ],
           run_as: [],
@@ -243,7 +322,10 @@ describe('GET roles', () => {
               indices: [],
               run_as: [],
             },
-            kibana: [],
+            kibana: {
+              global: [],
+              space: {}
+            },
             _unrecognized_applications: [],
           },
         ],
@@ -287,7 +369,10 @@ describe('GET roles', () => {
               indices: [],
               run_as: [],
             },
-            kibana: [],
+            kibana: {
+              global: [],
+              space: {},
+            },
             _unrecognized_applications: ['kibana-.another-kibana']
           },
         ],
@@ -372,6 +457,38 @@ describe('GET role', () => {
         },
       },
     });
+
+    getRoleTest(`throws error if resource isn't * and doesn't have the space: prefix`, {
+      name: 'first_role',
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application,
+              privileges: ['read'],
+              resources: ['default'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 500,
+        result: {
+          error: 'Internal Server Error',
+          message: 'An internal server error occurred',
+          statusCode: 500
+        }
+      },
+    });
   });
 
   describe('success', () => {
@@ -416,13 +533,16 @@ describe('GET role', () => {
             ],
             run_as: ['other_user'],
           },
-          kibana: [],
+          kibana: {
+            global: [],
+            space: {},
+          },
           _unrecognized_applications: [],
         },
       },
     });
 
-    getRoleTest(`transforms matching applications to kibana privileges`, {
+    getRoleTest(`transforms matching applications with * resource to kibana global privileges`, {
       name: 'first_role',
       callWithRequestImpl: async () => ({
         first_role: {
@@ -464,20 +584,16 @@ describe('GET role', () => {
             indices: [],
             run_as: [],
           },
-          kibana: [
-            {
-              privileges: ['read'],
-            },
-            {
-              privileges: ['all'],
-            },
-          ],
+          kibana: {
+            global: ['read', 'all'],
+            space: {},
+          },
           _unrecognized_applications: [],
         },
       },
     });
 
-    getRoleTest(`excludes resources other than * from kibana privileges`, {
+    getRoleTest(`transforms matching applications with space resource to kibana space privileges`, {
       name: 'first_role',
       callWithRequestImpl: async () => ({
         first_role: {
@@ -487,18 +603,66 @@ describe('GET role', () => {
             {
               application,
               privileges: ['read'],
-              // Elasticsearch should prevent this from happening
-              resources: [],
+              resources: ['space:marketing'],
+            },
+            {
+              application,
+              privileges: ['all'],
+              resources: ['space:marketing'],
             },
             {
               application,
               privileges: ['read'],
-              resources: ['default', '*'],
+              resources: ['space:engineering'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: {
+          name: 'first_role',
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+          elasticsearch: {
+            cluster: [],
+            indices: [],
+            run_as: [],
+          },
+          kibana: {
+            global: [],
+            space: {
+              marketing: ['read', 'all'],
+              engineering: ['read']
             },
+          },
+          _unrecognized_applications: [],
+        },
+      },
+    });
+
+    getRoleTest(`ignores empty resources even though this shouldn't happen`, {
+      name: 'first_role',
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
             {
               application,
               privileges: ['read'],
-              resources: ['some-other-space'],
+              resources: [],
             },
           ],
           run_as: [],
@@ -525,7 +689,10 @@ describe('GET role', () => {
             indices: [],
             run_as: [],
           },
-          kibana: [],
+          kibana: {
+            global: [],
+            space: {},
+          },
           _unrecognized_applications: [],
         },
       },
@@ -568,7 +735,10 @@ describe('GET role', () => {
             indices: [],
             run_as: [],
           },
-          kibana: [],
+          kibana: {
+            global: [],
+            space: {},
+          },
           _unrecognized_applications: ['kibana-.another-kibana'],
         },
       },
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/put.js b/x-pack/plugins/security/server/routes/api/public/roles/put.js
index 123ce128e15099..5c464bbe9fd54c 100644
--- a/x-pack/plugins/security/server/routes/api/public/roles/put.js
+++ b/x-pack/plugins/security/server/routes/api/public/roles/put.js
@@ -9,12 +9,27 @@ import Joi from 'joi';
 import { ALL_RESOURCE } from '../../../../../common/constants';
 import { wrapError } from '../../../../lib/errors';
 
-const transformKibanaPrivilegeToEs = (application, kibanaPrivilege) => {
-  return {
-    privileges: kibanaPrivilege.privileges,
-    application,
-    resources: [ALL_RESOURCE],
-  };
+const transformKibanaPrivilegesToEs = (application, kibanaPrivileges) => {
+  const kibanaApplicationPrivileges = [];
+  if (kibanaPrivileges.global && kibanaPrivileges.global.length) {
+    kibanaApplicationPrivileges.push({
+      privileges: kibanaPrivileges.global,
+      application,
+      resources: [ALL_RESOURCE],
+    });
+  }
+
+  if (kibanaPrivileges.space) {
+    for(const [spaceId, privileges] of Object.entries(kibanaPrivileges.space)) {
+      kibanaApplicationPrivileges.push({
+        privileges: privileges,
+        application,
+        resources: [`space:${spaceId}`]
+      });
+    }
+  }
+
+  return kibanaApplicationPrivileges;
 };
 
 const transformRolesToEs = (
@@ -22,7 +37,7 @@ const transformRolesToEs = (
   payload,
   existingApplications = []
 ) => {
-  const { elasticsearch = {}, kibana = [] } = payload;
+  const { elasticsearch = {}, kibana = {} } = payload;
   const otherApplications = existingApplications.filter(
     roleApplication => roleApplication.application !== application
   );
@@ -33,9 +48,7 @@ const transformRolesToEs = (
     indices: elasticsearch.indices || [],
     run_as: elasticsearch.run_as || [],
     applications: [
-      ...kibana.map(kibanaPrivilege =>
-        transformKibanaPrivilegeToEs(application, kibanaPrivilege)
-      ),
+      ...transformKibanaPrivilegesToEs(application, kibana),
       ...otherApplications,
     ],
   }, identity);
@@ -64,9 +77,10 @@ export function initPutRolesApi(
       }),
       run_as: Joi.array().items(Joi.string()),
     }),
-    kibana: Joi.array().items({
-      privileges: Joi.array().items(Joi.string().valid(Object.keys(privilegeMap))),
-    }),
+    kibana: Joi.object().keys({
+      global: Joi.array().items(Joi.string().valid(Object.keys(privilegeMap))),
+      space: Joi.object().pattern(/^/, Joi.array().items(Joi.string().valid(Object.keys(privilegeMap))))
+    })
   });
 
   server.route({
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/put.test.js b/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
index d6c32ce00ac563..67ebe5ae017a06 100644
--- a/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
+++ b/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
@@ -115,21 +115,19 @@ describe('PUT role', () => {
     putRoleTest(`only allows known Kibana privileges`, {
       name: 'foo-role',
       payload: {
-        kibana: [
-          {
-            privileges: ['foo']
-          }
-        ]
+        kibana: {
+          global: ['foo']
+        }
       },
       asserts: {
         statusCode: 400,
         result: {
           error: 'Bad Request',
           //eslint-disable-next-line max-len
-          message: `child "kibana" fails because ["kibana" at position 0 fails because [child "privileges" fails because ["privileges" at position 0 fails because ["0" must be one of [test-kibana-privilege-1, test-kibana-privilege-2, test-kibana-privilege-3]]]]]`,
+          message: `child \"kibana\" fails because [child \"global\" fails because [\"global\" at position 0 fails because [\"0\" must be one of [test-kibana-privilege-1, test-kibana-privilege-2, test-kibana-privilege-3]]]]`,
           statusCode: 400,
           validation: {
-            keys: ['kibana.0.privileges.0'],
+            keys: ['kibana.global.0'],
             source: 'payload',
           },
         },
@@ -200,14 +198,13 @@ describe('PUT role', () => {
           ],
           run_as: ['test-run-as-1', 'test-run-as-2'],
         },
-        kibana: [
-          {
-            privileges: ['test-kibana-privilege-1', 'test-kibana-privilege-2'],
-          },
-          {
-            privileges: ['test-kibana-privilege-3'],
-          },
-        ],
+        kibana: {
+          global: ['test-kibana-privilege-1', 'test-kibana-privilege-2', 'test-kibana-privilege-3'],
+          space: {
+            'test-space-1': ['test-kibana-privilege-1', 'test-kibana-privilege-2'],
+            'test-space-2': ['test-kibana-privilege-3'],
+          }
+        },
       },
       preCheckLicenseImpl: defaultPreCheckLicenseImpl,
       callWithRequestImpls: [async () => ({}), async () => {}],
@@ -225,13 +222,24 @@ describe('PUT role', () => {
                     privileges: [
                       'test-kibana-privilege-1',
                       'test-kibana-privilege-2',
+                      'test-kibana-privilege-3'
                     ],
                     resources: [ALL_RESOURCE],
                   },
                   {
                     application,
-                    privileges: ['test-kibana-privilege-3'],
-                    resources: [ALL_RESOURCE],
+                    privileges: [
+                      'test-kibana-privilege-1',
+                      'test-kibana-privilege-2'
+                    ],
+                    resources: ['space:test-space-1']
+                  },
+                  {
+                    application,
+                    privileges: [
+                      'test-kibana-privilege-3',
+                    ],
+                    resources: ['space:test-space-2']
                   },
                 ],
                 cluster: ['test-cluster-privilege'],
@@ -281,14 +289,13 @@ describe('PUT role', () => {
           ],
           run_as: ['test-run-as-1', 'test-run-as-2'],
         },
-        kibana: [
-          {
-            privileges: ['test-kibana-privilege-1', 'test-kibana-privilege-2'],
-          },
-          {
-            privileges: ['test-kibana-privilege-3'],
-          },
-        ],
+        kibana: {
+          global: ['test-kibana-privilege-1', 'test-kibana-privilege-2', 'test-kibana-privilege-3'],
+          space: {
+            'test-space-1': ['test-kibana-privilege-1', 'test-kibana-privilege-2'],
+            'test-space-2': ['test-kibana-privilege-3'],
+          }
+        },
       },
       preCheckLicenseImpl: defaultPreCheckLicenseImpl,
       callWithRequestImpls: [
@@ -338,13 +345,24 @@ describe('PUT role', () => {
                     privileges: [
                       'test-kibana-privilege-1',
                       'test-kibana-privilege-2',
+                      'test-kibana-privilege-3'
                     ],
                     resources: [ALL_RESOURCE],
                   },
                   {
                     application,
-                    privileges: ['test-kibana-privilege-3'],
-                    resources: [ALL_RESOURCE],
+                    privileges: [
+                      'test-kibana-privilege-1',
+                      'test-kibana-privilege-2'
+                    ],
+                    resources: ['space:test-space-1']
+                  },
+                  {
+                    application,
+                    privileges: [
+                      'test-kibana-privilege-3',
+                    ],
+                    resources: ['space:test-space-2']
                   },
                 ],
                 cluster: ['test-cluster-privilege'],
@@ -394,17 +412,13 @@ describe('PUT role', () => {
             ],
             run_as: ['test-run-as-1', 'test-run-as-2'],
           },
-          kibana: [
-            {
-              privileges: [
-                'test-kibana-privilege-1',
-                'test-kibana-privilege-2',
-              ],
-            },
-            {
-              privileges: ['test-kibana-privilege-3'],
-            },
-          ],
+          kibana: {
+            global: [
+              'test-kibana-privilege-1',
+              'test-kibana-privilege-2',
+              'test-kibana-privilege-3'
+            ],
+          },
         },
         preCheckLicenseImpl: defaultPreCheckLicenseImpl,
         callWithRequestImpls: [
@@ -459,14 +473,10 @@ describe('PUT role', () => {
                       privileges: [
                         'test-kibana-privilege-1',
                         'test-kibana-privilege-2',
+                        'test-kibana-privilege-3'
                       ],
                       resources: [ALL_RESOURCE],
                     },
-                    {
-                      application,
-                      privileges: ['test-kibana-privilege-3'],
-                      resources: [ALL_RESOURCE],
-                    },
                     {
                       application: 'logstash-foo',
                       privileges: ['logstash-privilege'],

From 72a1526db559fd34f00bd2b7185c8acdef45f131 Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Fri, 17 Aug 2018 14:08:04 -0400
Subject: [PATCH 098/183] Creating the roles properly (#22152)

---
 .../apis/saved_objects/index.js               | 33 ++++++++-----------
 1 file changed, 13 insertions(+), 20 deletions(-)

diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
index bdbd23f6dabdf4..f5ec186a2e4b2d 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
@@ -40,11 +40,9 @@ export default function ({ loadTestFile, getService }) {
               privileges: ['manage', 'read', 'index', 'delete']
             }]
           },
-          kibana: [
-            {
-              privileges: ['all']
-            }
-          ]
+          kibana: {
+            global: ['all']
+          }
         });
 
       await supertest.put('/api/security/role/kibana_dual_privileges_dashboard_only_user')
@@ -55,29 +53,24 @@ export default function ({ loadTestFile, getService }) {
               privileges: ['read', 'view_index_metadata']
             }]
           },
-          kibana: [
-            {
-              privileges: ['read']
-            }
-          ]
+          kibana: {
+            global: ['read']
+          }
         });
 
       await supertest.put('/api/security/role/kibana_rbac_user')
         .send({
-          kibana: [
-            {
-              privileges: ['all']
-            }
-          ]
+          kibana: {
+            global: ['all']
+          }
+
         });
 
       await supertest.put('/api/security/role/kibana_rbac_dashboard_only_user')
         .send({
-          kibana: [
-            {
-              privileges: ['read']
-            }
-          ]
+          kibana: {
+            global: ['read']
+          }
         });
 
       await es.shield.putUser({

From 4f2eb00be1cb8e82e7199ca3dca72d2d8d1a153f Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Fri, 24 Aug 2018 08:01:56 -0400
Subject: [PATCH 099/183] fix and ignore some typedefs, for now

---
 .../views/components/manage_spaces_button.tsx |  2 +-
 .../public/views/components/space_avatar.tsx  |  2 +-
 .../public/views/components/space_card.js     | 47 ----------------
 .../public/views/components/space_card.tsx    | 56 +++++++++++++++++++
 .../{space_cards.js => space_cards.tsx}       | 25 ++++-----
 .../nav_control/components/spaces_menu.tsx    |  2 +
 6 files changed, 71 insertions(+), 63 deletions(-)
 delete mode 100644 x-pack/plugins/spaces/public/views/components/space_card.js
 create mode 100644 x-pack/plugins/spaces/public/views/components/space_card.tsx
 rename x-pack/plugins/spaces/public/views/components/{space_cards.js => space_cards.tsx} (69%)

diff --git a/x-pack/plugins/spaces/public/views/components/manage_spaces_button.tsx b/x-pack/plugins/spaces/public/views/components/manage_spaces_button.tsx
index 4f84b573b1da01..42c11948aecd30 100644
--- a/x-pack/plugins/spaces/public/views/components/manage_spaces_button.tsx
+++ b/x-pack/plugins/spaces/public/views/components/manage_spaces_button.tsx
@@ -5,7 +5,7 @@
  */
 
 import { EuiButton } from '@elastic/eui';
-import React, { Component } from 'react';
+import React, { Component, CSSProperties } from 'react';
 import { MANAGE_SPACES_URL } from '../../lib/constants';
 
 interface Props {
diff --git a/x-pack/plugins/spaces/public/views/components/space_avatar.tsx b/x-pack/plugins/spaces/public/views/components/space_avatar.tsx
index 375c13f51ffe32..5e78a5e32b7f18 100644
--- a/x-pack/plugins/spaces/public/views/components/space_avatar.tsx
+++ b/x-pack/plugins/spaces/public/views/components/space_avatar.tsx
@@ -11,7 +11,7 @@ import { Space } from '../../../common/model/space';
 
 interface Props {
   space: Space;
-  size?: string;
+  size?: 's' | 'm' | 'l' | 'xl';
   className?: string;
 }
 
diff --git a/x-pack/plugins/spaces/public/views/components/space_card.js b/x-pack/plugins/spaces/public/views/components/space_card.js
deleted file mode 100644
index f83f009bdb728f..00000000000000
--- a/x-pack/plugins/spaces/public/views/components/space_card.js
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React from 'react';
-import {
-  EuiCard,
-  EuiTextColor,
-} from '@elastic/eui';
-import './space_card.less';
-import {
-  SpaceAvatar
-} from './space_avatar';
-
-export const SpaceCard = (props) => {
-  const {
-    space,
-    onClick
-  } = props;
-
-  return (
-    <EuiCard
-      className="spaceCard"
-      icon={renderSpaceAvatar(space)}
-      title={space.name}
-      description={renderSpaceDescription(space)}
-      onClick={onClick}
-    />
-  );
-};
-
-function renderSpaceAvatar(space) {
-  return <SpaceAvatar space={space} size={"l"} />;
-}
-
-function renderSpaceDescription(space) {
-  let description = space.description || '';
-  const needsTruncation = description.length > 120;
-  if (needsTruncation) {
-    description = (
-      <span title={description}>{description.substr(0, 120) + '…'}</span>
-    );
-  }
-  return <EuiTextColor className="eui-textBreakWord" color={"subdued"}>{description}</EuiTextColor>;
-}
diff --git a/x-pack/plugins/spaces/public/views/components/space_card.tsx b/x-pack/plugins/spaces/public/views/components/space_card.tsx
new file mode 100644
index 00000000000000..07d4464df8e047
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/components/space_card.tsx
@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+// @ts-nocheck
+
+import {
+  // FIXME: need updated typedefs
+  // @ts-ignore
+  EuiCard,
+  // @ts-ignore
+  EuiTextColor,
+} from '@elastic/eui';
+import React from 'react';
+import { Space } from '../../../common/model/space';
+import { SpaceAvatar } from './space_avatar';
+import './space_card.less';
+
+interface Props {
+  space: Space;
+  onClick: () => void;
+}
+export const SpaceCard = (props: Props) => {
+  const { space, onClick } = props;
+
+  return (
+    <EuiCard
+      className="spaceCard"
+      icon={renderSpaceAvatar(space)}
+      title={space.name}
+      description={renderSpaceDescription(space)}
+      onClick={onClick}
+    />
+  );
+};
+
+function renderSpaceAvatar(space: Space) {
+  return <SpaceAvatar space={space} size={'l'} />;
+}
+
+function renderSpaceDescription(space: Space) {
+  let description: JSX.Element | string = space.description || '';
+  const needsTruncation = description.length > 120;
+  if (needsTruncation) {
+    description = <span title={description}>{description.substr(0, 120) + '…'}</span>;
+  }
+
+  return (
+    // @ts-ignore
+    <EuiTextColor className="eui-textBreakWord" color={'subdued'}>
+      {description}
+      // @ts-ignore
+    </EuiTextColor>
+  );
+}
diff --git a/x-pack/plugins/spaces/public/views/components/space_cards.js b/x-pack/plugins/spaces/public/views/components/space_cards.tsx
similarity index 69%
rename from x-pack/plugins/spaces/public/views/components/space_cards.js
rename to x-pack/plugins/spaces/public/views/components/space_cards.tsx
index 7a96485d7c1756..20f93030d79075 100644
--- a/x-pack/plugins/spaces/public/views/components/space_cards.js
+++ b/x-pack/plugins/spaces/public/views/components/space_cards.tsx
@@ -4,17 +4,19 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import React, { Component } from 'react';
-import PropTypes from 'prop-types';
+import { Space } from '../../../common/model/space';
 import { SpaceCard } from './space_card';
-import {
-  EuiFlexGroup,
-  EuiFlexItem,
-} from '@elastic/eui';
 import './space_cards.less';
 
-export class SpaceCards extends Component {
-  render() {
+interface Props {
+  spaces: Space[];
+  onSpaceSelect: (space: Space) => void;
+}
+
+export class SpaceCards extends Component<Props, {}> {
+  public render() {
     return (
       <div className="spaceCards">
         <EuiFlexGroup gutterSize="l" justifyContent="center" wrap responsive={false}>
@@ -24,20 +26,15 @@ export class SpaceCards extends Component {
     );
   }
 
-  renderSpace = (space) => (
+  public renderSpace = (space: Space) => (
     <EuiFlexItem key={space.id} grow={false}>
       <SpaceCard space={space} onClick={this.createSpaceClickHandler(space)} />
     </EuiFlexItem>
   );
 
-  createSpaceClickHandler = (space) => {
+  public createSpaceClickHandler = (space: Space) => {
     return () => {
       this.props.onSpaceSelect(space);
     };
   };
 }
-
-SpaceCards.propTypes = {
-  spaces: PropTypes.array.isRequired,
-  onSpaceSelect: PropTypes.func.isRequired,
-};
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx
index 829820e3290ad9..b5c805c8e2782f 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx
@@ -98,6 +98,8 @@ export class SpacesMenu extends Component<Props, State> {
         <EuiFieldSearch
           placeholder="Find a space"
           incremental={true}
+          // FIXME needs updated typedef
+          // @ts-ignore
           onSearch={this.onSearch}
           onKeyDown={this.onSearchKeyDown}
           onFocus={this.onSearchFocus}

From bfd3746d87a7dd08f2424f21baf357991c07585c Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Fri, 24 Aug 2018 09:52:53 -0400
Subject: [PATCH 100/183] update snapshots

---
 .../__snapshots__/space_avatar.test.js.snap   |  1 +
 .../nav_control_popover.test.js.snap          | 47 ++++++++++++++++++-
 2 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/spaces/public/views/components/__snapshots__/space_avatar.test.js.snap b/x-pack/plugins/spaces/public/views/components/__snapshots__/space_avatar.test.js.snap
index 14a898d7e66d6d..617d9522c0da5e 100644
--- a/x-pack/plugins/spaces/public/views/components/__snapshots__/space_avatar.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/components/__snapshots__/space_avatar.test.js.snap
@@ -2,6 +2,7 @@
 
 exports[`renders without crashing 1`] = `
 <EuiAvatar
+  color="#BFA180"
   initials=""
   initialsLength={2}
   name=""
diff --git a/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap b/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap
index a1092de10c954c..4871c46dcdedcc 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap
@@ -1,3 +1,48 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`NavControlPopover renders without crashing 1`] = `""`;
+exports[`NavControlPopover renders without crashing 1`] = `
+<EuiPopover
+  anchorPosition="rightCenter"
+  button={
+    <div
+      className="global-nav-link"
+    >
+      <a
+        className="global-nav-link__anchor"
+        onClick={[Function]}
+      >
+        <div
+          className="global-nav-link__icon"
+        >
+           
+          <Unknown
+            className="spaceNavGraphic"
+            size="s"
+            space={
+              Object {
+                "name": "foo",
+              }
+            }
+          />
+           
+        </div>
+        <div
+          className="global-nav-link__title"
+        >
+           
+          foo
+           
+        </div>
+      </a>
+    </div>
+  }
+  closePopover={[Function]}
+  hasArrow={true}
+  id="spacesMenuPopover"
+  isOpen={false}
+  ownFocus={true}
+  panelPaddingSize="none"
+>
+  <Component />
+</EuiPopover>
+`;

From 8c42a68be06a655dc2bbe3f357963b48aa8ca0a2 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Fri, 24 Aug 2018 10:32:22 -0400
Subject: [PATCH 101/183] fix space card rendering

---
 .../spaces/public/views/components/space_card.tsx      | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/x-pack/plugins/spaces/public/views/components/space_card.tsx b/x-pack/plugins/spaces/public/views/components/space_card.tsx
index 07d4464df8e047..956c270be39609 100644
--- a/x-pack/plugins/spaces/public/views/components/space_card.tsx
+++ b/x-pack/plugins/spaces/public/views/components/space_card.tsx
@@ -46,11 +46,13 @@ function renderSpaceDescription(space: Space) {
     description = <span title={description}>{description.substr(0, 120) + '…'}</span>;
   }
 
+  // FIXME: workaround for missing typedefs
+  // @ts-ignore
+  const TextColorCmp: ComponentClass = EuiTextColor;
+
   return (
-    // @ts-ignore
-    <EuiTextColor className="eui-textBreakWord" color={'subdued'}>
+    <TextColorCmp className="eui-textBreakWord" color={'subdued'}>
       {description}
-      // @ts-ignore
-    </EuiTextColor>
+    </TextColorCmp>
   );
 }

From 2f085906b3855af9abd8d284702851151dacf9d4 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Mon, 27 Aug 2018 10:11:17 -0400
Subject: [PATCH 102/183] [Spaces] - Space aware privileges UI (#21049)

This PR includes enhancements to the Role Management screen to allow users to specify Kibana Privileges on a per-space level.

This PR does not include changes to *enforce* space-aware privileges; this only includes the UI/API changes necessary to support editing a role's privileges.
---
 x-pack/index.js                               |   2 +-
 .../security/common/model/index_privilege.ts  |  14 +
 .../model/kibana_application_privilege.ts}    |  10 +-
 .../security/common/model/kibana_privilege.ts |   7 +
 x-pack/plugins/security/common/model/role.ts  |  29 ++
 x-pack/plugins/security/index.js              |   1 +
 .../public/lib/{role.test.js => role.test.ts} |  18 +-
 .../security/public/lib/{role.js => role.ts}  |   5 +-
 .../public/objects/{index.js => index.ts}     |   0
 .../lib/{get_fields.js => get_fields.ts}      |   5 +-
 .../public/objects/lib/{roles.js => roles.ts} |   7 +-
 ...s.snap => collapsible_panel.test.tsx.snap} |   1 -
 ...nel.test.js => collapsible_panel.test.tsx} |  19 +-
 ...apsible_panel.js => collapsible_panel.tsx} |  57 +--
 ...on.test.js => delete_role_button.test.tsx} |  14 +-
 ..._role_button.js => delete_role_button.tsx} |  59 +--
 .../{edit_role_page.js => edit_role_page.tsx} | 211 ++++++----
 .../components/{index.js => index.ts}         |   0
 .../privileges/cluster_privileges.js          |  75 ----
 .../cluster_privileges.test.tsx.snap}         |  38 +-
 .../elasticsearch_privileges.test.tsx.snap}   |  22 +-
 .../index_privilege_form.test.tsx.snap}       |   6 +
 .../index_privileges.test.tsx.snap}           |   0
 .../cluster_privileges.test.tsx}              |  24 +-
 .../privileges/es/cluster_privileges.tsx      |  54 +++
 .../{ => es}/elasticsearch_privileges.less    |   0
 .../elasticsearch_privileges.test.tsx}        |  21 +-
 .../elasticsearch_privileges.tsx}             | 109 ++---
 .../index_privilege_form.test.tsx}            |  79 ++--
 .../index_privilege_form.tsx}                 | 146 ++++---
 .../index_privileges.test.tsx}                |  34 +-
 .../index_privileges.tsx}                     | 124 +++---
 .../edit_role/components/privileges/index.ts  |   8 +
 .../impacted_spaces_flyout.test.tsx.snap      |  17 +
 .../kibana_privileges.test.tsx.snap           |  52 +++
 .../privilege_callout_warning.test.tsx.snap   |  94 +++++
 .../privilege_space_form.test.tsx.snap        |  88 ++++
 .../simple_privilege_form.test.tsx.snap       |  41 ++
 .../space_aware_privilege_form.test.tsx.snap  | 215 ++++++++++
 .../space_selector.test.tsx.snap              |  14 +
 .../kibana/impacted_spaces_flyout.less        |   3 +
 .../kibana/impacted_spaces_flyout.test.tsx    | 153 +++++++
 .../kibana/impacted_spaces_flyout.tsx         | 126 ++++++
 .../kibana/kibana_privileges.test.tsx         |  66 +++
 .../privileges/kibana/kibana_privileges.tsx   |  67 +++
 .../kibana/privilege_callout_warning.test.tsx |  17 +
 .../kibana/privilege_callout_warning.tsx      | 103 +++++
 .../privileges/kibana/privilege_selector.tsx  |  60 +++
 .../kibana/privilege_space_form.test.tsx      |  41 ++
 .../kibana/privilege_space_form.tsx           |  94 +++++
 .../kibana/privilege_space_table.tsx          | 191 +++++++++
 .../kibana/simple_privilege_form.test.tsx     |  89 ++++
 .../kibana/simple_privilege_form.tsx          |  72 ++++
 .../space_aware_privilege_form.test.tsx       | 239 +++++++++++
 .../kibana/space_aware_privilege_form.tsx     | 347 +++++++++++++++
 .../privileges/kibana/space_selector.test.tsx |  17 +
 .../privileges/kibana/space_selector.tsx      |  64 +++
 .../privileges/kibana_privileges.js           |  97 -----
 ...e.test.js => reserved_role_badge.test.tsx} |  38 +-
 ..._role_badge.js => reserved_role_badge.tsx} |  22 +-
 .../views/management/edit_role/edit_role.less |   8 +-
 .../views/management/edit_role/index.js       |  28 +-
 .../get_available_privileges.test.ts.snap     |   3 +
 ...est.js.snap => validate_role.test.ts.snap} |   0
 .../management/edit_role/lib/constants.ts     |  21 +
 .../edit_role/lib/copy_role.test.ts           |  33 ++
 .../management/edit_role/lib/copy_role.ts     |  12 +
 .../lib/get_application_privileges.js         |  25 --
 .../lib/get_available_privileges.test.ts      |  27 ++
 .../edit_role/lib/get_available_privileges.ts |  21 +
 .../lib/set_application_privileges.js         |  49 ---
 .../management/edit_role/lib/validate_role.js |  86 ----
 .../edit_role/lib/validate_role.test.js       | 102 -----
 .../edit_role/lib/validate_role.test.ts       | 397 ++++++++++++++++++
 .../management/edit_role/lib/validate_role.ts | 205 +++++++++
 ...{management_urls.js => management_urls.ts} |   0
 .../server/routes/api/public/roles/get.js     |   4 +-
 .../server/routes/api/public/roles/put.js     |   4 +-
 .../routes/api/public/roles/put.test.js       |  18 +-
 .../__snapshots__/space_avatar.test.js.snap   |   0
 .../plugins/spaces/public/components/index.ts |   8 +
 .../components/manage_spaces_button.tsx       |   2 +-
 .../components/space_avatar.test.js           |   0
 .../{views => }/components/space_avatar.tsx   |   4 +-
 .../privileges => spaces/public/lib}/index.js |   3 +-
 .../spaces/public/views/components/index.ts   |   2 -
 .../public/views/components/space_card.tsx    |   2 +-
 .../edit_space/manage_space_page.js           |   2 +-
 .../components/spaces_description.tsx         |   2 +-
 .../nav_control/components/spaces_menu.tsx    |   2 +-
 .../nav_control/nav_control_popover.test.js   |   2 +-
 .../views/nav_control/nav_control_popover.tsx |   2 +-
 .../spaces/server/routes/api/v1/spaces.js     |   3 +-
 .../apps/security/doc_level_security_roles.js |  22 +-
 .../apps/security/field_level_security.js     |  44 +-
 .../functional/apps/security/management.js    |  19 -
 .../functional/apps/security/rbac_phase1.js   |  40 +-
 .../apps/security/secure_roles_perm.js        |  19 +-
 .../dashboard_view_mode/data.json.gz          | Bin 1896 -> 1984 bytes
 .../dashboard_view_mode/mappings.json         |  30 +-
 .../es_archives/discover/data.json.gz         | Bin 1030 -> 1115 bytes
 .../es_archives/discover/mappings.json        |  30 +-
 .../es_archives/empty_kibana/data.json.gz     | Bin 158 -> 230 bytes
 .../es_archives/empty_kibana/mappings.json    |  30 +-
 .../functional/page_objects/security_page.js  |  84 ++--
 105 files changed, 3970 insertions(+), 1051 deletions(-)
 create mode 100644 x-pack/plugins/security/common/model/index_privilege.ts
 rename x-pack/plugins/security/{public/objects/role.js => common/model/kibana_application_privilege.ts} (64%)
 create mode 100644 x-pack/plugins/security/common/model/kibana_privilege.ts
 create mode 100644 x-pack/plugins/security/common/model/role.ts
 rename x-pack/plugins/security/public/lib/{role.test.js => role.test.ts} (87%)
 rename x-pack/plugins/security/public/lib/{role.js => role.ts} (81%)
 rename x-pack/plugins/security/public/objects/{index.js => index.ts} (100%)
 rename x-pack/plugins/security/public/objects/lib/{get_fields.js => get_fields.ts} (67%)
 rename x-pack/plugins/security/public/objects/lib/{roles.js => roles.ts} (77%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/{collapsible_panel.test.js.snap => collapsible_panel.test.tsx.snap} (98%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/{collapsible_panel.test.js => collapsible_panel.test.tsx} (79%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/{collapsible_panel.js => collapsible_panel.tsx} (60%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/{delete_role_button.test.js => delete_role_button.test.tsx} (86%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/{delete_role_button.js => delete_role_button.tsx} (63%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/{edit_role_page.js => edit_role_page.tsx} (53%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/{index.js => index.ts} (100%)
 delete mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.js
 rename x-pack/plugins/security/public/views/management/edit_role/components/privileges/{__snapshots__/cluster_privileges.test.js.snap => es/__snapshots__/cluster_privileges.test.tsx.snap} (62%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/privileges/{__snapshots__/elasticsearch_privileges.test.js.snap => es/__snapshots__/elasticsearch_privileges.test.tsx.snap} (88%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/privileges/{__snapshots__/index_privilege_form.test.js.snap => es/__snapshots__/index_privilege_form.test.tsx.snap} (95%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/privileges/{__snapshots__/index_privileges.test.js.snap => es/__snapshots__/index_privileges.test.tsx.snap} (100%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/privileges/{cluster_privileges.test.js => es/cluster_privileges.test.tsx} (50%)
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.tsx
 rename x-pack/plugins/security/public/views/management/edit_role/components/privileges/{ => es}/elasticsearch_privileges.less (100%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/privileges/{elasticsearch_privileges.test.js => es/elasticsearch_privileges.test.tsx} (85%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/privileges/{elasticsearch_privileges.js => es/elasticsearch_privileges.tsx} (66%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/privileges/{index_privilege_form.test.js => es/index_privilege_form.test.tsx} (77%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/privileges/{index_privilege_form.js => es/index_privilege_form.tsx} (62%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/privileges/{index_privileges.test.js => es/index_privileges.test.tsx} (73%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/privileges/{index_privileges.js => es/index_privileges.tsx} (58%)
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/index.ts
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/impacted_spaces_flyout.test.tsx.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_callout_warning.test.tsx.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_space_form.test.tsx.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/simple_privilege_form.test.tsx.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_aware_privilege_form.test.tsx.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_selector.test.tsx.snap
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.less
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.test.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_callout_warning.test.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_callout_warning.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_selector.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.test.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_table.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.test.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.test.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.test.tsx
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.tsx
 delete mode 100644 x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js
 rename x-pack/plugins/security/public/views/management/edit_role/components/{reserved_role_badge.test.js => reserved_role_badge.test.tsx} (59%)
 rename x-pack/plugins/security/public/views/management/edit_role/components/{reserved_role_badge.js => reserved_role_badge.tsx} (62%)
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/get_available_privileges.test.ts.snap
 rename x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/{validate_role.test.js.snap => validate_role.test.ts.snap} (100%)
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/constants.ts
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/copy_role.test.ts
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/copy_role.ts
 delete mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/get_available_privileges.test.ts
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/get_available_privileges.ts
 delete mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/set_application_privileges.js
 delete mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.js
 delete mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.js
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.ts
 create mode 100644 x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.ts
 rename x-pack/plugins/security/public/views/management/{management_urls.js => management_urls.ts} (100%)
 rename x-pack/plugins/spaces/public/{views => }/components/__snapshots__/space_avatar.test.js.snap (100%)
 create mode 100644 x-pack/plugins/spaces/public/components/index.ts
 rename x-pack/plugins/spaces/public/{views => }/components/manage_spaces_button.tsx (94%)
 rename x-pack/plugins/spaces/public/{views => }/components/space_avatar.test.js (100%)
 rename x-pack/plugins/spaces/public/{views => }/components/space_avatar.tsx (91%)
 rename x-pack/plugins/{security/public/views/management/edit_role/components/privileges => spaces/public/lib}/index.js (65%)

diff --git a/x-pack/index.js b/x-pack/index.js
index 2b9c71a1831890..a0c1f30b8d6e97 100644
--- a/x-pack/index.js
+++ b/x-pack/index.js
@@ -31,6 +31,7 @@ module.exports = function (kibana) {
     graph(kibana),
     monitoring(kibana),
     reporting(kibana),
+    spaces(kibana),
     security(kibana),
     searchprofiler(kibana),
     ml(kibana),
@@ -44,7 +45,6 @@ module.exports = function (kibana) {
     cloud(kibana),
     indexManagement(kibana),
     consoleExtensions(kibana),
-    spaces(kibana),
     notifications(kibana),
     kueryAutocomplete(kibana)
   ];
diff --git a/x-pack/plugins/security/common/model/index_privilege.ts b/x-pack/plugins/security/common/model/index_privilege.ts
new file mode 100644
index 00000000000000..560e8df5e126b2
--- /dev/null
+++ b/x-pack/plugins/security/common/model/index_privilege.ts
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export interface IndexPrivilege {
+  names: string[];
+  privileges: string[];
+  field_security?: {
+    grant?: string[];
+  };
+  query?: string;
+}
diff --git a/x-pack/plugins/security/public/objects/role.js b/x-pack/plugins/security/common/model/kibana_application_privilege.ts
similarity index 64%
rename from x-pack/plugins/security/public/objects/role.js
rename to x-pack/plugins/security/common/model/kibana_application_privilege.ts
index 98448db207cea8..54350ec2abcef0 100644
--- a/x-pack/plugins/security/public/objects/role.js
+++ b/x-pack/plugins/security/common/model/kibana_application_privilege.ts
@@ -4,10 +4,8 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export class Role {
-  name = null;
-  cluster = [];
-  indices = [];
-  run_as = []; //eslint-disable-line camelcase
-  applications = [];
+import { KibanaPrivilege } from './kibana_privilege';
+
+export interface KibanaApplicationPrivilege {
+  name: KibanaPrivilege;
 }
diff --git a/x-pack/plugins/security/common/model/kibana_privilege.ts b/x-pack/plugins/security/common/model/kibana_privilege.ts
new file mode 100644
index 00000000000000..834e62570fe263
--- /dev/null
+++ b/x-pack/plugins/security/common/model/kibana_privilege.ts
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export type KibanaPrivilege = 'none' | 'read' | 'all';
diff --git a/x-pack/plugins/security/common/model/role.ts b/x-pack/plugins/security/common/model/role.ts
new file mode 100644
index 00000000000000..5b1094c8c3a0ab
--- /dev/null
+++ b/x-pack/plugins/security/common/model/role.ts
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IndexPrivilege } from './index_privilege';
+import { KibanaPrivilege } from './kibana_privilege';
+
+export interface Role {
+  name: string;
+  elasticsearch: {
+    cluster: string[];
+    indices: IndexPrivilege[];
+    run_as: string[];
+  };
+  kibana: {
+    global: KibanaPrivilege[];
+    space: {
+      [spaceId: string]: KibanaPrivilege[];
+    };
+  };
+  metadata?: {
+    [anyKey: string]: any;
+  };
+  transient_metadata?: {
+    [anyKey: string]: any;
+  };
+}
diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 32be38c740b0f1..68601a5ef07bab 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -78,6 +78,7 @@ export const security = (kibana) => new kibana.Plugin({
       return {
         secureCookies: config.get('xpack.security.secureCookies'),
         sessionTimeout: config.get('xpack.security.sessionTimeout'),
+        enableSpaceAwarePrivileges: config.get('xpack.spaces.enabled'),
       };
     }
   },
diff --git a/x-pack/plugins/security/public/lib/role.test.js b/x-pack/plugins/security/public/lib/role.test.ts
similarity index 87%
rename from x-pack/plugins/security/public/lib/role.test.js
rename to x-pack/plugins/security/public/lib/role.test.ts
index 4c6e9fb896dcf1..c86b250e034f6e 100644
--- a/x-pack/plugins/security/public/lib/role.test.js
+++ b/x-pack/plugins/security/public/lib/role.test.ts
@@ -4,15 +4,15 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { isRoleEnabled, isReservedRole } from './role';
+import { isReservedRole, isRoleEnabled } from './role';
 
 describe('role', () => {
   describe('isRoleEnabled', () => {
     test('should return false if role is explicitly not enabled', () => {
       const testRole = {
         transient_metadata: {
-          enabled: false
-        }
+          enabled: false,
+        },
       };
       expect(isRoleEnabled(testRole)).toBe(false);
     });
@@ -20,8 +20,8 @@ describe('role', () => {
     test('should return true if role is explicitly enabled', () => {
       const testRole = {
         transient_metadata: {
-          enabled: true
-        }
+          enabled: true,
+        },
       };
       expect(isRoleEnabled(testRole)).toBe(true);
     });
@@ -36,8 +36,8 @@ describe('role', () => {
     test('should return false if role is explicitly not reserved', () => {
       const testRole = {
         metadata: {
-          _reserved: false
-        }
+          _reserved: false,
+        },
       };
       expect(isReservedRole(testRole)).toBe(false);
     });
@@ -45,8 +45,8 @@ describe('role', () => {
     test('should return true if role is explicitly reserved', () => {
       const testRole = {
         metadata: {
-          _reserved: true
-        }
+          _reserved: true,
+        },
       };
       expect(isReservedRole(testRole)).toBe(true);
     });
diff --git a/x-pack/plugins/security/public/lib/role.js b/x-pack/plugins/security/public/lib/role.ts
similarity index 81%
rename from x-pack/plugins/security/public/lib/role.js
rename to x-pack/plugins/security/public/lib/role.ts
index 96057aa55f5954..d6221f7aecb4c3 100644
--- a/x-pack/plugins/security/public/lib/role.js
+++ b/x-pack/plugins/security/public/lib/role.ts
@@ -5,6 +5,7 @@
  */
 
 import { get } from 'lodash';
+import { Role } from '../../common/model/role';
 
 /**
  * Returns whether given role is enabled or not
@@ -12,7 +13,7 @@ import { get } from 'lodash';
  * @param role Object Role JSON, as returned by roles API
  * @return Boolean true if role is enabled; false otherwise
  */
-export function isRoleEnabled(role) {
+export function isRoleEnabled(role: Partial<Role>) {
   return get(role, 'transient_metadata.enabled', true);
 }
 
@@ -21,6 +22,6 @@ export function isRoleEnabled(role) {
  *
  * @param {role} the Role as returned by roles API
  */
-export function isReservedRole(role) {
+export function isReservedRole(role: Partial<Role>) {
   return get(role, 'metadata._reserved', false);
 }
diff --git a/x-pack/plugins/security/public/objects/index.js b/x-pack/plugins/security/public/objects/index.ts
similarity index 100%
rename from x-pack/plugins/security/public/objects/index.js
rename to x-pack/plugins/security/public/objects/index.ts
diff --git a/x-pack/plugins/security/public/objects/lib/get_fields.js b/x-pack/plugins/security/public/objects/lib/get_fields.ts
similarity index 67%
rename from x-pack/plugins/security/public/objects/lib/get_fields.js
rename to x-pack/plugins/security/public/objects/lib/get_fields.ts
index a80f6bfe8eed1d..e0998eb8b8f6be 100644
--- a/x-pack/plugins/security/public/objects/lib/get_fields.js
+++ b/x-pack/plugins/security/public/objects/lib/get_fields.ts
@@ -3,12 +3,13 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+import { IHttpResponse } from 'angular';
 import chrome from 'ui/chrome';
 
 const apiBase = chrome.addBasePath(`/api/security/v1/fields`);
 
-export async function getFields($http, query) {
+export async function getFields($http: any, query: string): Promise<string[]> {
   return await $http
     .get(`${apiBase}/${query}`)
-    .then(response => response.data || []);
+    .then((response: IHttpResponse<string[]>) => response.data || []);
 }
diff --git a/x-pack/plugins/security/public/objects/lib/roles.js b/x-pack/plugins/security/public/objects/lib/roles.ts
similarity index 77%
rename from x-pack/plugins/security/public/objects/lib/roles.js
rename to x-pack/plugins/security/public/objects/lib/roles.ts
index 7f0bbdbb30dc5f..2551d7eabc4e71 100644
--- a/x-pack/plugins/security/public/objects/lib/roles.js
+++ b/x-pack/plugins/security/public/objects/lib/roles.ts
@@ -3,16 +3,17 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import chrome from 'ui/chrome';
 import { omit } from 'lodash';
+import chrome from 'ui/chrome';
+import { Role } from '../../../common/model/role';
 
 const apiBase = chrome.addBasePath(`/api/security/role`);
 
-export async function saveRole($http, role) {
+export async function saveRole($http: any, role: Role) {
   const data = omit(role, 'name', 'transient_metadata', '_unrecognized_applications');
   return await $http.put(`${apiBase}/${role.name}`, data);
 }
 
-export async function deleteRole($http, name) {
+export async function deleteRole($http: any, name: string) {
   return await $http.delete(`${apiBase}/${name}`);
 }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/collapsible_panel.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/collapsible_panel.test.tsx.snap
similarity index 98%
rename from x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/collapsible_panel.test.js.snap
rename to x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/collapsible_panel.test.tsx.snap
index d946357354fe2c..75c5d914936452 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/collapsible_panel.test.js.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/__snapshots__/collapsible_panel.test.tsx.snap
@@ -40,7 +40,6 @@ exports[`it renders without blowing up 1`] = `
       <EuiLink
         color="primary"
         onClick={[Function]}
-        size="s"
         type="button"
       >
         hide
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.test.tsx
similarity index 79%
rename from x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.test.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.test.tsx
index ec0182101653ac..86f1e73b78e1b9 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.test.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.test.tsx
@@ -4,17 +4,14 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { EuiLink } from '@elastic/eui';
+import { mount, shallow } from 'enzyme';
 import React from 'react';
-import { shallow, mount } from 'enzyme';
 import { CollapsiblePanel } from './collapsible_panel';
-import { EuiLink } from '@elastic/eui';
 
 test('it renders without blowing up', () => {
   const wrapper = shallow(
-    <CollapsiblePanel
-      iconType="logoElasticsearch"
-      title="Elasticsearch"
-    >
+    <CollapsiblePanel iconType="logoElasticsearch" title="Elasticsearch">
       <p>child</p>
     </CollapsiblePanel>
   );
@@ -24,10 +21,7 @@ test('it renders without blowing up', () => {
 
 test('it renders children by default', () => {
   const wrapper = mount(
-    <CollapsiblePanel
-      iconType="logoElasticsearch"
-      title="Elasticsearch"
-    >
+    <CollapsiblePanel iconType="logoElasticsearch" title="Elasticsearch">
       <p className="child">child 1</p>
       <p className="child">child 2</p>
     </CollapsiblePanel>
@@ -39,10 +33,7 @@ test('it renders children by default', () => {
 
 test('it hides children when the "hide" link is clicked', () => {
   const wrapper = mount(
-    <CollapsiblePanel
-      iconType="logoElasticsearch"
-      title="Elasticsearch"
-    >
+    <CollapsiblePanel iconType="logoElasticsearch" title="Elasticsearch">
       <p className="child">child 1</p>
       <p className="child">child 2</p>
     </CollapsiblePanel>
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.js b/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.tsx
similarity index 60%
rename from x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.tsx
index f2bac7a02b99c8..a58042fda96978 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/collapsible_panel.tsx
@@ -4,30 +4,33 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { Component, Fragment } from 'react';
-import PropTypes from 'prop-types';
-import './collapsible_panel.less';
 import {
-  EuiPanel,
-  EuiLink,
-  EuiIcon,
   EuiFlexGroup,
   EuiFlexItem,
-  EuiTitle,
+  EuiIcon,
+  EuiLink,
+  EuiPanel,
   EuiSpacer,
+  EuiTitle,
 } from '@elastic/eui';
+import React, { Component, Fragment } from 'react';
+import './collapsible_panel.less';
 
-export class CollapsiblePanel extends Component {
-  static propTypes = {
-    iconType: PropTypes.string.isRequired,
-    title: PropTypes.string.isRequired,
-  }
+interface Props {
+  iconType: string | any;
+  title: string;
+}
 
-  state = {
-    collapsed: false
-  }
+interface State {
+  collapsed: boolean;
+}
 
-  render() {
+export class CollapsiblePanel extends Component<Props, State> {
+  public state = {
+    collapsed: false,
+  };
+
+  public render() {
     return (
       <EuiPanel>
         {this.getTitle()}
@@ -36,24 +39,30 @@ export class CollapsiblePanel extends Component {
     );
   }
 
-  getTitle = () => {
+  public getTitle = () => {
     return (
+      // @ts-ignore
       <EuiFlexGroup alignItems={'baseline'} gutterSize="s" responsive={false}>
         <EuiFlexItem grow={false}>
           <EuiTitle>
             <h2>
-              <EuiIcon type={this.props.iconType} size={'xl'} className={'collapsiblePanel__logo'} /> {this.props.title}
+              <EuiIcon
+                type={this.props.iconType}
+                size={'xl'}
+                className={'collapsiblePanel__logo'}
+              />{' '}
+              {this.props.title}
             </h2>
           </EuiTitle>
         </EuiFlexItem>
         <EuiFlexItem grow={false}>
-          <EuiLink size={'s'} onClick={this.toggleCollapsed}>{this.state.collapsed ? 'show' : 'hide'}</EuiLink>
+          <EuiLink onClick={this.toggleCollapsed}>{this.state.collapsed ? 'show' : 'hide'}</EuiLink>
         </EuiFlexItem>
       </EuiFlexGroup>
     );
   };
 
-  getForm = () => {
+  public getForm = () => {
     if (this.state.collapsed) {
       return null;
     }
@@ -64,11 +73,11 @@ export class CollapsiblePanel extends Component {
         {this.props.children}
       </Fragment>
     );
-  }
+  };
 
-  toggleCollapsed = () => {
+  public toggleCollapsed = () => {
     this.setState({
-      collapsed: !this.state.collapsed
+      collapsed: !this.state.collapsed,
     });
-  }
+  };
 }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.test.tsx
similarity index 86%
rename from x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.test.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.test.tsx
index 477ffbebf8699e..8a78748b462323 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.test.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.test.tsx
@@ -4,21 +4,19 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React from 'react';
 import {
-  EuiButton,
+  EuiButtonEmpty,
+  // @ts-ignore
   EuiConfirmModal,
 } from '@elastic/eui';
+import { mount, shallow } from 'enzyme';
+import React from 'react';
 import { DeleteRoleButton } from './delete_role_button';
-import {
-  shallow,
-  mount
-} from 'enzyme';
 
 test('it renders without crashing', () => {
   const deleteHandler = jest.fn();
   const wrapper = shallow(<DeleteRoleButton canDelete={true} onDelete={deleteHandler} />);
-  expect(wrapper.find(EuiButton)).toHaveLength(1);
+  expect(wrapper.find(EuiButtonEmpty)).toHaveLength(1);
   expect(deleteHandler).toHaveBeenCalledTimes(0);
 });
 
@@ -26,7 +24,7 @@ test('it shows a confirmation dialog when clicked', () => {
   const deleteHandler = jest.fn();
   const wrapper = mount(<DeleteRoleButton canDelete={true} onDelete={deleteHandler} />);
 
-  wrapper.find(EuiButton).simulate('click');
+  wrapper.find(EuiButtonEmpty).simulate('click');
 
   expect(wrapper.find(EuiConfirmModal)).toHaveLength(1);
 
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.js b/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.tsx
similarity index 63%
rename from x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.tsx
index 805dfb232fff48..6bb0483456580e 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.tsx
@@ -4,40 +4,44 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { Component, Fragment } from 'react';
-import PropTypes from 'prop-types';
 import {
-  EuiButton,
-  EuiOverlayMask,
+  EuiButtonEmpty,
   EuiConfirmModal,
+  // @ts-ignore
+  EuiOverlayMask,
 } from '@elastic/eui';
+import React, { Component, Fragment } from 'react';
 
-export class DeleteRoleButton extends Component {
-  static propTypes = {
-    canDelete: PropTypes.bool.isRequired,
-    onDelete: PropTypes.func.isRequired
-  }
+interface Props {
+  canDelete: boolean;
+  onDelete: () => void;
+}
 
-  state = {
-    showModal: false
-  }
+interface State {
+  showModal: boolean;
+}
+
+export class DeleteRoleButton extends Component<Props, State> {
+  public state = {
+    showModal: false,
+  };
 
-  render() {
+  public render() {
     if (!this.props.canDelete) {
       return null;
     }
 
     return (
       <Fragment>
-        <EuiButton color={'danger'} iconType={'trash'} onClick={this.showModal}>
-          Delete Role
-        </EuiButton>
+        <EuiButtonEmpty color={'danger'} onClick={this.showModal}>
+          Delete role
+        </EuiButtonEmpty>
         {this.maybeShowModal()}
       </Fragment>
     );
   }
 
-  maybeShowModal = () => {
+  public maybeShowModal = () => {
     if (!this.state.showModal) {
       return null;
     }
@@ -48,7 +52,7 @@ export class DeleteRoleButton extends Component {
           onCancel={this.closeModal}
           onConfirm={this.onConfirmDelete}
           cancelButtonText={"No, don't delete"}
-          confirmButtonText={"Yes, delete role"}
+          confirmButtonText={'Yes, delete role'}
           buttonColor={'danger'}
         >
           <p>Are you sure you want to delete this role?</p>
@@ -56,23 +60,22 @@ export class DeleteRoleButton extends Component {
         </EuiConfirmModal>
       </EuiOverlayMask>
     );
-  }
+  };
 
-  closeModal = () => {
+  public closeModal = () => {
     this.setState({
-      showModal: false
+      showModal: false,
     });
-  }
+  };
 
-  showModal = () => {
+  public showModal = () => {
     this.setState({
-      showModal: true
+      showModal: true,
     });
-  }
+  };
 
-  onConfirmDelete = () => {
+  public onConfirmDelete = () => {
     this.closeModal();
     this.props.onDelete();
-  }
+  };
 }
-
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.js b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
similarity index 53%
rename from x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
index 6beb467f06f5ce..b15221336f173a 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
@@ -3,79 +3,107 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import React, { Component } from 'react';
-import PropTypes from 'prop-types';
-import { get } from 'lodash';
-import { toastNotifications } from 'ui/notify';
 import {
-  EuiPanel,
-  EuiTitle,
-  EuiSpacer,
-  EuiPage,
+  EuiButton,
   EuiButtonEmpty,
-  EuiForm,
-  EuiFormRow,
   EuiFieldText,
   EuiFlexGroup,
   EuiFlexItem,
-  EuiButton,
+  // @ts-ignore
+  EuiForm,
+  EuiFormRow,
+  EuiPage,
+  EuiPageBody,
+  EuiPanel,
+  EuiSpacer,
+  EuiText,
+  EuiTitle,
 } from '@elastic/eui';
-import { saveRole, deleteRole } from '../../../../objects';
+import { get } from 'lodash';
+import React, { ChangeEvent, Component, HTMLProps } from 'react';
+import { toastNotifications } from 'ui/notify';
+import { Space } from '../../../../../../spaces/common/model/space';
+import { IndexPrivilege } from '../../../../../common/model/index_privilege';
+import { Role } from '../../../../../common/model/role';
 import { isReservedRole } from '../../../../lib/role';
-import { RoleValidator } from '../lib/validate_role';
-import { ReservedRoleBadge } from './reserved_role_badge';
+import { deleteRole, saveRole } from '../../../../objects';
 import { ROLES_PATH } from '../../management_urls';
+import { RoleValidationResult, RoleValidator } from '../lib/validate_role';
 import { DeleteRoleButton } from './delete_role_button';
 import { ElasticsearchPrivileges, KibanaPrivileges } from './privileges';
+import { ReservedRoleBadge } from './reserved_role_badge';
 
-export class EditRolePage extends Component {
-  static propTypes = {
-    role: PropTypes.object.isRequired,
-    runAsUsers: PropTypes.array.isRequired,
-    indexPatterns: PropTypes.array.isRequired,
-    httpClient: PropTypes.func.isRequired,
-    rbacEnabled: PropTypes.bool.isRequired,
-    allowDocumentLevelSecurity: PropTypes.bool.isRequired,
-    allowFieldLevelSecurity: PropTypes.bool.isRequired,
-    kibanaAppPrivileges: PropTypes.array.isRequired,
-    notifier: PropTypes.func.isRequired,
-  };
+interface Props {
+  role: Role;
+  runAsUsers: string[];
+  indexPatterns: string[];
+  httpClient: any;
+  rbacEnabled: boolean;
+  allowDocumentLevelSecurity: boolean;
+  allowFieldLevelSecurity: boolean;
+  kibanaAppPrivileges: string[];
+  notifier: any;
+  spaces?: Space[];
+  spacesEnabled: boolean;
+}
 
-  constructor(props) {
+interface State {
+  role: Role;
+  formError: RoleValidationResult | null;
+}
+
+export class EditRolePage extends Component<Props, State> {
+  private validator: RoleValidator;
+
+  constructor(props: Props) {
     super(props);
     this.state = {
       role: props.role,
-      formError: null
+      formError: null,
     };
     this.validator = new RoleValidator({ shouldValidate: false });
   }
 
-  render() {
+  public render() {
     return (
-      <EuiPage className="editRolePage">
-        <EuiForm {...this.state.formError}>
-          {this.getFormTitle()}
+      <EuiPage className="editRolePage" restrictWidth>
+        <EuiPageBody>
+          <EuiForm {...this.state.formError}>
+            {this.getFormTitle()}
 
-          <EuiSpacer />
+            {isReservedRole(this.props.role) && (
+              <EuiText size="s" color="subdued">
+                <p id="reservedRoleDescription" tabIndex={1}>
+                  Reserved roles are built-in and cannot be removed or modified.
+                </p>
+              </EuiText>
+            )}
 
-          {this.getRoleName()}
+            <EuiSpacer />
 
-          {this.getElasticsearchPrivileges()}
+            {this.getRoleName()}
 
-          {this.getKibanaPrivileges()}
+            {this.getElasticsearchPrivileges()}
 
-          <EuiSpacer />
+            {this.getKibanaPrivileges()}
 
-          {this.getFormButtons()}
-        </EuiForm>
+            <EuiSpacer />
+
+            {this.getFormButtons()}
+          </EuiForm>
+        </EuiPageBody>
       </EuiPage>
     );
   }
 
-  getFormTitle = () => {
+  public getFormTitle = () => {
     let titleText;
+    const props: HTMLProps<HTMLDivElement> = {
+      tabIndex: 0,
+    };
     if (isReservedRole(this.props.role)) {
       titleText = 'Viewing role';
+      props['aria-describedby'] = 'reservedRoleDescription';
     } else if (this.editingExistingRole()) {
       titleText = 'Edit role';
     } else {
@@ -83,11 +111,15 @@ export class EditRolePage extends Component {
     }
 
     return (
-      <EuiTitle size="l"><h1>{titleText} <ReservedRoleBadge role={this.props.role} /></h1></EuiTitle>
+      <EuiTitle size="l">
+        <h1 {...props}>
+          {titleText} <ReservedRoleBadge role={this.props.role} />
+        </h1>
+      </EuiTitle>
     );
   };
 
-  getActionButton = () => {
+  public getActionButton = () => {
     if (this.editingExistingRole() && !isReservedRole(this.props.role)) {
       return (
         <EuiFlexItem grow={false}>
@@ -99,42 +131,43 @@ export class EditRolePage extends Component {
     return null;
   };
 
-  getRoleName = () => {
+  public getRoleName = () => {
     return (
       <EuiPanel>
         <EuiFormRow
           label={'Role name'}
           helpText={
-            !isReservedRole(this.props.role) && this.editingExistingRole() ?
-              "A role's name cannot be changed once it has been created." : undefined
+            !isReservedRole(this.props.role) && this.editingExistingRole()
+              ? "A role's name cannot be changed once it has been created."
+              : undefined
           }
           {...this.validator.validateRoleName(this.state.role)}
         >
-
           <EuiFieldText
             name={'name'}
             value={this.state.role.name || ''}
             onChange={this.onNameChange}
+            data-test-subj={'roleFormNameInput'}
             readOnly={isReservedRole(this.props.role) || this.editingExistingRole()}
           />
         </EuiFormRow>
       </EuiPanel>
     );
-  }
+  };
 
-  onNameChange = (e) => {
+  public onNameChange = (e: ChangeEvent<HTMLInputElement>) => {
     const rawValue = e.target.value;
-    const name = rawValue.replace(/\s/g, '-');
+    const name = rawValue.replace(/\s/g, '_');
 
     this.setState({
       role: {
         ...this.state.role,
-        name
-      }
+        name,
+      },
     });
-  }
+  };
 
-  getElasticsearchPrivileges() {
+  public getElasticsearchPrivileges() {
     return (
       <div>
         <EuiSpacer />
@@ -153,36 +186,32 @@ export class EditRolePage extends Component {
     );
   }
 
-  onRoleChange = (role) => {
+  public onRoleChange = (role: Role) => {
     this.setState({
-      role
+      role,
     });
-  }
-
-  getKibanaPrivileges = () => {
-    if (!this.props.rbacEnabled) {
-      return null;
-    }
+  };
 
+  public getKibanaPrivileges = () => {
     return (
       <div>
         <EuiSpacer />
         <KibanaPrivileges
           kibanaAppPrivileges={this.props.kibanaAppPrivileges}
+          spaces={this.props.spaces}
+          spacesEnabled={this.props.spacesEnabled}
+          editable={!isReservedRole(this.state.role)}
           role={this.state.role}
           onChange={this.onRoleChange}
+          validator={this.validator}
         />
       </div>
     );
   };
 
-  getFormButtons = () => {
+  public getFormButtons = () => {
     if (isReservedRole(this.props.role)) {
-      return (
-        <EuiButton onClick={this.backToRoleList}>
-          Return to role list
-        </EuiButton>
-      );
+      return <EuiButton onClick={this.backToRoleList}>Return to role list</EuiButton>;
     }
 
     const saveText = this.editingExistingRole() ? 'Update role' : 'Create role';
@@ -190,10 +219,17 @@ export class EditRolePage extends Component {
     return (
       <EuiFlexGroup responsive={false}>
         <EuiFlexItem grow={false}>
-          <EuiButton fill onClick={this.saveRole} disabled={isReservedRole(this.props.role)}>{saveText}</EuiButton>
+          <EuiButton
+            data-test-subj={`roleFormSaveButton`}
+            fill
+            onClick={this.saveRole}
+            disabled={isReservedRole(this.props.role)}
+          >
+            {saveText}
+          </EuiButton>
         </EuiFlexItem>
         <EuiFlexItem grow={false}>
-          <EuiButtonEmpty onClick={this.backToRoleList}>
+          <EuiButtonEmpty data-test-subj={`roleFormCancelButton`} onClick={this.backToRoleList}>
             Cancel
           </EuiButtonEmpty>
         </EuiFlexItem>
@@ -203,68 +239,63 @@ export class EditRolePage extends Component {
     );
   };
 
-  editingExistingRole = () => {
+  public editingExistingRole = () => {
     return !!this.props.role.name;
   };
 
-  isPlaceholderPrivilege = (indexPrivilege) => {
+  public isPlaceholderPrivilege = (indexPrivilege: IndexPrivilege) => {
     return indexPrivilege.names.length === 0;
   };
 
-  saveRole = () => {
+  public saveRole = () => {
     this.validator.enableValidation();
 
     const result = this.validator.validateForSave(this.state.role);
     if (result.isInvalid) {
       this.setState({
-        formError: result
+        formError: result,
       });
     } else {
       this.setState({
-        formError: null
+        formError: null,
       });
 
-      const {
-        httpClient,
-        notifier,
-      } = this.props;
+      const { httpClient, notifier } = this.props;
 
       const role = {
-        ...this.state.role
+        ...this.state.role,
       };
 
-      role.elasticsearch.indices = role.elasticsearch.indices.filter(i => !this.isPlaceholderPrivilege(i));
-      role.elasticsearch.indices.forEach((index) => index.query || delete index.query);
+      role.elasticsearch.indices = role.elasticsearch.indices.filter(
+        i => !this.isPlaceholderPrivilege(i)
+      );
+      role.elasticsearch.indices.forEach(index => index.query || delete index.query);
 
       saveRole(httpClient, role)
         .then(() => {
           toastNotifications.addSuccess('Saved role');
           this.backToRoleList();
         })
-        .catch(error => {
+        .catch((error: any) => {
           notifier.error(get(error, 'data.message'));
         });
     }
   };
 
-  handleDeleteRole = () => {
-    const {
-      httpClient,
-      role,
-      notifier,
-    } = this.props;
+  public handleDeleteRole = () => {
+    const { httpClient, role, notifier } = this.props;
 
     deleteRole(httpClient, role.name)
       .then(() => {
         toastNotifications.addSuccess('Deleted role');
         this.backToRoleList();
       })
-      .catch(error => {
+      .catch((error: any) => {
         notifier.error(get(error, 'data.message'));
       });
   };
 
-  backToRoleList = () => {
+  public backToRoleList = () => {
     window.location.hash = ROLES_PATH;
   };
 }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/index.js b/x-pack/plugins/security/public/views/management/edit_role/components/index.ts
similarity index 100%
rename from x-pack/plugins/security/public/views/management/edit_role/components/index.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/index.ts
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.js
deleted file mode 100644
index 400e674f3ca7a2..00000000000000
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.js
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React, { Component } from 'react';
-import _ from 'lodash';
-import PropTypes from 'prop-types';
-import { getClusterPrivileges } from '../../../../../services/role_privileges';
-import { isReservedRole } from '../../../../../lib/role';
-import {
-  EuiCheckboxGroup,
-  EuiFlexGroup,
-  EuiFlexItem,
-} from '@elastic/eui';
-
-export class ClusterPrivileges extends Component {
-  static propTypes = {
-    role: PropTypes.object.isRequired,
-    onChange: PropTypes.func.isRequired,
-  };
-
-  render() {
-
-    const clusterPrivileges = getClusterPrivileges();
-    const privilegeGroups = _.chunk(clusterPrivileges, clusterPrivileges.length / 2);
-
-    return (
-      <EuiFlexGroup>
-        {privilegeGroups.map(this.buildCheckboxGroup)}
-      </EuiFlexGroup>
-    );
-  }
-
-  buildCheckboxGroup = (items, key) => {
-    const role = this.props.role;
-
-    const checkboxes = items.map(i => ({
-      id: i,
-      label: i
-    }));
-
-    const selectionMap = (role.elasticsearch.cluster || [])
-      .map(k => ({ [k]: true }))
-      .reduce((acc, o) => ({ ...acc, ...o }), {});
-
-    return (
-      <EuiFlexItem key={key}>
-        <EuiCheckboxGroup
-          options={checkboxes}
-          idToSelectedMap={selectionMap}
-          onChange={this.onClusterPrivilegesChange}
-          disabled={isReservedRole(role)}
-        />
-      </EuiFlexItem>
-    );
-  };
-
-  onClusterPrivilegesChange = (privilege) => {
-    const { cluster } = this.props.role.elasticsearch;
-    const indexOfExistingPrivilege = cluster.indexOf(privilege);
-
-    const shouldRemove = indexOfExistingPrivilege >= 0;
-
-    const newClusterPrivs = [...cluster];
-    if (shouldRemove) {
-      newClusterPrivs.splice(indexOfExistingPrivilege, 1);
-    } else {
-      newClusterPrivs.push(privilege);
-    }
-
-    this.props.onChange(newClusterPrivs);
-  }
-}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/cluster_privileges.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/cluster_privileges.test.tsx.snap
similarity index 62%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/cluster_privileges.test.js.snap
rename to x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/cluster_privileges.test.tsx.snap
index 5315e277468ed8..f8875d707b66fd 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/cluster_privileges.test.js.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/cluster_privileges.test.tsx.snap
@@ -13,79 +13,55 @@ exports[`it renders without crashing 1`] = `
   <EuiFlexItem
     component="div"
     grow={true}
-    key="0"
+    key="clusterPrivs"
   >
-    <EuiCheckboxGroup
-      disabled={false}
-      idToSelectedMap={Object {}}
+    <EuiComboBox
+      fullWidth={false}
+      isClearable={true}
+      isDisabled={false}
       onChange={[Function]}
       options={
         Array [
           Object {
-            "id": "all",
             "label": "all",
           },
           Object {
-            "id": "monitor",
             "label": "monitor",
           },
           Object {
-            "id": "manage",
             "label": "manage",
           },
           Object {
-            "id": "manage_security",
             "label": "manage_security",
           },
           Object {
-            "id": "manage_index_templates",
             "label": "manage_index_templates",
           },
           Object {
-            "id": "manage_pipeline",
             "label": "manage_pipeline",
           },
-        ]
-      }
-    />
-  </EuiFlexItem>
-  <EuiFlexItem
-    component="div"
-    grow={true}
-    key="1"
-  >
-    <EuiCheckboxGroup
-      disabled={false}
-      idToSelectedMap={Object {}}
-      onChange={[Function]}
-      options={
-        Array [
           Object {
-            "id": "manage_ingest_pipelines",
             "label": "manage_ingest_pipelines",
           },
           Object {
-            "id": "transport_client",
             "label": "transport_client",
           },
           Object {
-            "id": "manage_ml",
             "label": "manage_ml",
           },
           Object {
-            "id": "monitor_ml",
             "label": "monitor_ml",
           },
           Object {
-            "id": "manage_watcher",
             "label": "manage_watcher",
           },
           Object {
-            "id": "monitor_watcher",
             "label": "monitor_watcher",
           },
         ]
       }
+      selectedOptions={Array []}
+      singleSelection={false}
     />
   </EuiFlexItem>
 </EuiFlexGroup>
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/elasticsearch_privileges.test.tsx.snap
similarity index 88%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap
rename to x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/elasticsearch_privileges.test.tsx.snap
index 5c8de223b641bf..5e65d164d59c71 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/elasticsearch_privileges.test.js.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/elasticsearch_privileges.test.tsx.snap
@@ -9,7 +9,8 @@ exports[`it renders without crashing 1`] = `
     <EuiDescribedFormGroup
       description={
         <p>
-          Manage the actions this role can perform against your cluster. 
+          Manage the actions this role can perform against your cluster.
+           
           <EuiLink
             className="editRole__learnMore"
             color="primary"
@@ -44,6 +45,11 @@ exports[`it renders without crashing 1`] = `
                 "indices": Array [],
                 "run_as": Array [],
               },
+              "kibana": Object {
+                "global": Array [],
+                "space": Object {},
+              },
+              "name": "",
             }
           }
         />
@@ -55,7 +61,8 @@ exports[`it renders without crashing 1`] = `
     <EuiDescribedFormGroup
       description={
         <p>
-          Allow requests to be submitted on the behalf of other users. 
+          Allow requests to be submitted on the behalf of other users.
+           
           <EuiLink
             className="editRole__learnMore"
             color="primary"
@@ -112,7 +119,8 @@ exports[`it renders without crashing 1`] = `
       size="s"
     >
       <p>
-        Control access to the data in your cluster. 
+        Control access to the data in your cluster.
+         
         <EuiLink
           className="editRole__learnMore"
           color="primary"
@@ -137,11 +145,17 @@ exports[`it renders without crashing 1`] = `
             "indices": Array [],
             "run_as": Array [],
           },
+          "kibana": Object {
+            "global": Array [],
+            "space": Object {},
+          },
+          "name": "",
         }
       }
       validator={
         RoleValidator {
-          "_shouldValidate": undefined,
+          "inProgressSpacePrivileges": Array [],
+          "shouldValidate": undefined,
         }
       }
     />
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privilege_form.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap
similarity index 95%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privilege_form.test.js.snap
rename to x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap
index cba78af4f996bd..d7426919a1f3b2 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privilege_form.test.js.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap
@@ -42,6 +42,7 @@ exports[`it renders without crashing 1`] = `
               label="Indices"
             >
               <EuiComboBox
+                data-test-subj="indicesInput0"
                 fullWidth={false}
                 isClearable={true}
                 isDisabled={false}
@@ -64,6 +65,7 @@ exports[`it renders without crashing 1`] = `
               label="Privileges"
             >
               <EuiComboBox
+                data-test-subj="privilegesInput0"
                 fullWidth={false}
                 isClearable={true}
                 isDisabled={false}
@@ -127,6 +129,7 @@ exports[`it renders without crashing 1`] = `
             >
               <React.Fragment>
                 <EuiComboBox
+                  data-test-subj="fieldInput0"
                   fullWidth={false}
                   isClearable={true}
                   isDisabled={false}
@@ -158,8 +161,10 @@ exports[`it renders without crashing 1`] = `
           >
             <EuiSwitch
               compressed={true}
+              data-test-subj="restrictDocumentsQuery0"
               label="Restrict documents query"
               onChange={[Function]}
+              value={false}
             />
           </EuiFlexItem>
         </EuiFlexGroup>
@@ -178,6 +183,7 @@ exports[`it renders without crashing 1`] = `
           aria-label="Delete index privilege"
           color="danger"
           iconType="trash"
+          onClick={[MockFunction]}
           type="button"
         />
       </EuiFormRow>
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privileges.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privileges.test.tsx.snap
similarity index 100%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/__snapshots__/index_privileges.test.js.snap
rename to x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privileges.test.tsx.snap
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.test.tsx
similarity index 50%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.test.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.test.tsx
index 20bb0846e5b1c8..a3a52a2fc511af 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/cluster_privileges.test.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.test.tsx
@@ -4,17 +4,25 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { shallow } from 'enzyme';
 import React from 'react';
-import { shallow, mount } from 'enzyme';
+import { Role } from '../../../../../../../common/model/role';
 import { ClusterPrivileges } from './cluster_privileges';
-import { EuiCheckboxGroup } from '@elastic/eui';
 
 test('it renders without crashing', () => {
-  const wrapper = shallow(<ClusterPrivileges role={{ elasticsearch: {} }} onChange={jest.fn()} />);
-  expect(wrapper).toMatchSnapshot();
-});
+  const role: Role = {
+    name: '',
+    elasticsearch: {
+      cluster: [],
+      indices: [],
+      run_as: [],
+    },
+    kibana: {
+      global: [],
+      space: {},
+    },
+  };
 
-test('it renders 2 checkbox groups of privileges', () => {
-  const wrapper = mount(<ClusterPrivileges role={{ elasticsearch: {} }} onChange={jest.fn()} />);
-  expect(wrapper.find(EuiCheckboxGroup)).toHaveLength(2);
+  const wrapper = shallow(<ClusterPrivileges role={role} onChange={jest.fn()} />);
+  expect(wrapper).toMatchSnapshot();
 });
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.tsx
new file mode 100644
index 00000000000000..3dbac8c31ae9c5
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.tsx
@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  // @ts-ignore
+  EuiComboBox,
+  EuiFlexGroup,
+  EuiFlexItem,
+} from '@elastic/eui';
+import React, { Component } from 'react';
+import { Role } from '../../../../../../../common/model/role';
+import { isReservedRole } from '../../../../../../lib/role';
+import { getClusterPrivileges } from '../../../../../../services/role_privileges';
+
+interface Props {
+  role: Role;
+  onChange: (role: Role) => void;
+}
+
+export class ClusterPrivileges extends Component<Props, {}> {
+  public render() {
+    const clusterPrivileges = getClusterPrivileges();
+
+    return <EuiFlexGroup>{this.buildComboBox(clusterPrivileges)}</EuiFlexGroup>;
+  }
+
+  public buildComboBox = (items: string[]) => {
+    const role = this.props.role;
+
+    const options = items.map(i => ({
+      label: i,
+    }));
+
+    const selectedOptions = (role.elasticsearch.cluster || []).map(k => ({ label: k }));
+
+    return (
+      <EuiFlexItem key={'clusterPrivs'}>
+        <EuiComboBox
+          options={options}
+          selectedOptions={selectedOptions}
+          onChange={this.onClusterPrivilegesChange}
+          isDisabled={isReservedRole(role)}
+        />
+      </EuiFlexItem>
+    );
+  };
+
+  public onClusterPrivilegesChange = (selectedPrivileges: any) => {
+    this.props.onChange(selectedPrivileges.map((priv: any) => priv.label));
+  };
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.less b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.less
similarity index 100%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.less
rename to x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.less
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.test.tsx
similarity index 85%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.test.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.test.tsx
index fdcec4223e708d..3a948801102a57 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.test.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.test.tsx
@@ -4,21 +4,26 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { mount, shallow } from 'enzyme';
 import React from 'react';
-import { shallow, mount } from 'enzyme';
-import { IndexPrivileges } from './index_privileges';
+import { RoleValidator } from '../../../lib/validate_role';
 import { ClusterPrivileges } from './cluster_privileges';
 import { ElasticsearchPrivileges } from './elasticsearch_privileges';
-import { RoleValidator } from '../../lib/validate_role';
+import { IndexPrivileges } from './index_privileges';
 
 test('it renders without crashing', () => {
   const props = {
     role: {
+      name: '',
       elasticsearch: {
         cluster: [],
         indices: [],
         run_as: [],
       },
+      kibana: {
+        global: [],
+        space: {},
+      },
     },
     editable: true,
     httpClient: jest.fn(),
@@ -36,11 +41,16 @@ test('it renders without crashing', () => {
 test('it renders ClusterPrivileges', () => {
   const props = {
     role: {
+      name: '',
       elasticsearch: {
         cluster: [],
         indices: [],
         run_as: [],
       },
+      kibana: {
+        global: [],
+        space: {},
+      },
     },
     editable: true,
     httpClient: jest.fn(),
@@ -58,11 +68,16 @@ test('it renders ClusterPrivileges', () => {
 test('it renders IndexPrivileges', () => {
   const props = {
     role: {
+      name: '',
       elasticsearch: {
         cluster: [],
         indices: [],
         run_as: [],
       },
+      kibana: {
+        global: [],
+        space: {},
+      },
     },
     editable: true,
     httpClient: jest.fn(),
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.tsx
similarity index 66%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.tsx
index 2a71803a7a2145..88176d55ae7fd4 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/elasticsearch_privileges.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.tsx
@@ -4,39 +4,42 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { Component, Fragment } from 'react';
-import PropTypes from 'prop-types';
 import {
-  EuiText,
-  EuiSpacer,
-  EuiComboBox,
-  EuiFormRow,
   EuiButton,
+  // @ts-ignore
+  EuiComboBox,
+  // @ts-ignore
   EuiDescribedFormGroup,
-  EuiTitle,
+  EuiFormRow,
   EuiHorizontalRule,
   EuiLink,
+  EuiSpacer,
+  EuiText,
+  EuiTitle,
 } from '@elastic/eui';
-import './elasticsearch_privileges.less';
+import React, { Component, Fragment } from 'react';
+import { Role } from '../../../../../../../common/model/role';
+import { documentationLinks } from '../../../../../../documentation_links';
+import { RoleValidator } from '../../../lib/validate_role';
+import { CollapsiblePanel } from '../../collapsible_panel';
 import { ClusterPrivileges } from './cluster_privileges';
+
 import { IndexPrivileges } from './index_privileges';
-import { CollapsiblePanel } from '../collapsible_panel';
-import { documentationLinks } from '../../../../../documentation_links';
-
-export class ElasticsearchPrivileges extends Component {
-  static propTypes = {
-    role: PropTypes.object.isRequired,
-    editable: PropTypes.bool.isRequired,
-    httpClient: PropTypes.func.isRequired,
-    onChange: PropTypes.func.isRequired,
-    runAsUsers: PropTypes.array.isRequired,
-    validator: PropTypes.object.isRequired,
-    indexPatterns: PropTypes.array.isRequired,
-    allowDocumentLevelSecurity: PropTypes.bool.isRequired,
-    allowFieldLevelSecurity: PropTypes.bool.isRequired,
-  };
 
-  render() {
+interface Props {
+  role: Role;
+  editable: boolean;
+  httpClient: any;
+  onChange: (role: Role) => void;
+  runAsUsers: string[];
+  validator: RoleValidator;
+  indexPatterns: string[];
+  allowDocumentLevelSecurity: boolean;
+  allowFieldLevelSecurity: boolean;
+}
+
+export class ElasticsearchPrivileges extends Component<Props, {}> {
+  public render() {
     return (
       <CollapsiblePanel iconType={'logoElasticsearch'} title={'Elasticsearch'}>
         {this.getForm()}
@@ -44,7 +47,7 @@ export class ElasticsearchPrivileges extends Component {
     );
   }
 
-  getForm = () => {
+  public getForm = () => {
     const {
       role,
       httpClient,
@@ -71,7 +74,8 @@ export class ElasticsearchPrivileges extends Component {
           title={<h3>Cluster privileges</h3>}
           description={
             <p>
-              Manage the actions this role can perform against your cluster. {this.learnMore(documentationLinks.esClusterPrivileges)}
+              Manage the actions this role can perform against your cluster.{' '}
+              {this.learnMore(documentationLinks.esClusterPrivileges)}
             </p>
           }
         >
@@ -86,7 +90,8 @@ export class ElasticsearchPrivileges extends Component {
           title={<h3>Run As privileges</h3>}
           description={
             <p>
-              Allow requests to be submitted on the behalf of other users. {this.learnMore(documentationLinks.esRunAsPrivileges)}
+              Allow requests to be submitted on the behalf of other users.{' '}
+              {this.learnMore(documentationLinks.esRunAsPrivileges)}
             </p>
           }
         >
@@ -103,10 +108,15 @@ export class ElasticsearchPrivileges extends Component {
 
         <EuiSpacer />
 
-        <EuiTitle size={'xs'}><h3>Index privileges</h3></EuiTitle>
+        <EuiTitle size={'xs'}>
+          <h3>Index privileges</h3>
+        </EuiTitle>
         <EuiSpacer size={'s'} />
         <EuiText size={'s'} color={'subdued'}>
-          <p>Control access to the data in your cluster. {this.learnMore(documentationLinks.esIndicesPrivileges)}</p>
+          <p>
+            Control access to the data in your cluster.{' '}
+            {this.learnMore(documentationLinks.esIndicesPrivileges)}
+          </p>
         </EuiText>
 
         <IndexPrivileges {...indexProps} />
@@ -114,39 +124,44 @@ export class ElasticsearchPrivileges extends Component {
         <EuiHorizontalRule />
 
         {this.props.editable && (
-          <EuiButton size={'s'} iconType={'plusInCircle'} onClick={this.addIndexPrivilege}>Add index privilege</EuiButton>
+          <EuiButton size={'s'} iconType={'plusInCircle'} onClick={this.addIndexPrivilege}>
+            Add index privilege
+          </EuiButton>
         )}
       </Fragment>
     );
-  }
+  };
 
-  learnMore = (href) => (
+  public learnMore = (href: string) => (
     <EuiLink className="editRole__learnMore" href={href} target={'_blank'}>
       Learn more
     </EuiLink>
   );
 
-  addIndexPrivilege = () => {
+  public addIndexPrivilege = () => {
     const { role } = this.props;
 
-    const newIndices = [...role.elasticsearch.indices, {
-      names: [],
-      privileges: [],
-      field_security: {
-        grant: ['*']
-      }
-    }];
+    const newIndices = [
+      ...role.elasticsearch.indices,
+      {
+        names: [],
+        privileges: [],
+        field_security: {
+          grant: ['*'],
+        },
+      },
+    ];
 
     this.props.onChange({
       ...this.props.role,
       elasticsearch: {
         ...this.props.role.elasticsearch,
-        indices: newIndices
-      }
+        indices: newIndices,
+      },
     });
   };
 
-  onClusterPrivilegesChange = (cluster) => {
+  public onClusterPrivilegesChange = (cluster: string[]) => {
     const role = {
       ...this.props.role,
       elasticsearch: {
@@ -156,17 +171,17 @@ export class ElasticsearchPrivileges extends Component {
     };
 
     this.props.onChange(role);
-  }
+  };
 
-  onRunAsUserChange = (users) => {
+  public onRunAsUserChange = (users: any) => {
     const role = {
       ...this.props.role,
       elasticsearch: {
         ...this.props.role.elasticsearch,
-        run_as: users.map(u => u.label),
+        run_as: users.map((u: any) => u.label),
       },
     };
 
     this.props.onChange(role);
-  }
+  };
 }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.test.tsx
similarity index 77%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.test.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.test.tsx
index 1fed539d2526dc..2d686766943044 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.test.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.test.tsx
@@ -3,22 +3,23 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+import { EuiButtonIcon, EuiSwitch, EuiTextArea } from '@elastic/eui';
+import { mount, shallow } from 'enzyme';
 import React from 'react';
-import { shallow, mount } from 'enzyme';
+import { RoleValidator } from '../../../lib/validate_role';
 import { IndexPrivilegeForm } from './index_privilege_form';
-import { RoleValidator } from '../../lib/validate_role';
-import { EuiSwitch, EuiTextArea, EuiButtonIcon } from '@elastic/eui';
 
 test('it renders without crashing', () => {
   const props = {
     indexPrivilege: {
       names: [],
       privileges: [],
-      query: null,
+      query: '',
       field_security: {
-        grant: []
-      }
+        grant: [],
+      },
     },
+    formIndex: 0,
     indexPatterns: [],
     availableFields: [],
     isReservedRole: false,
@@ -26,7 +27,8 @@ test('it renders without crashing', () => {
     allowDocumentLevelSecurity: true,
     allowFieldLevelSecurity: true,
     validator: new RoleValidator(),
-    onChange: jest.fn()
+    onChange: jest.fn(),
+    onDelete: jest.fn(),
   };
 
   const wrapper = shallow(<IndexPrivilegeForm {...props} />);
@@ -38,11 +40,12 @@ describe('delete button', () => {
     indexPrivilege: {
       names: [],
       privileges: [],
-      query: null,
+      query: '',
       field_security: {
-        grant: []
-      }
+        grant: [],
+      },
     },
+    formIndex: 0,
     indexPatterns: [],
     availableFields: [],
     isReservedRole: false,
@@ -51,13 +54,13 @@ describe('delete button', () => {
     allowFieldLevelSecurity: true,
     validator: new RoleValidator(),
     onChange: jest.fn(),
-    onDelete: jest.fn()
+    onDelete: jest.fn(),
   };
 
   test('it is hidden when allowDelete is false', () => {
     const testProps = {
       ...props,
-      allowDelete: false
+      allowDelete: false,
     };
     const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
     expect(wrapper.find(EuiButtonIcon)).toHaveLength(0);
@@ -66,7 +69,7 @@ describe('delete button', () => {
   test('it is shown when allowDelete is true', () => {
     const testProps = {
       ...props,
-      allowDelete: true
+      allowDelete: true,
     };
     const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
     expect(wrapper.find(EuiButtonIcon)).toHaveLength(1);
@@ -75,7 +78,7 @@ describe('delete button', () => {
   test('it invokes onDelete when clicked', () => {
     const testProps = {
       ...props,
-      allowDelete: true
+      allowDelete: true,
     };
     const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
     wrapper.find(EuiButtonIcon).simulate('click');
@@ -88,11 +91,12 @@ describe(`document level security`, () => {
     indexPrivilege: {
       names: [],
       privileges: [],
-      query: "some query",
+      query: 'some query',
       field_security: {
-        grant: []
-      }
+        grant: [],
+      },
     },
+    formIndex: 0,
     indexPatterns: [],
     availableFields: [],
     isReservedRole: false,
@@ -100,13 +104,14 @@ describe(`document level security`, () => {
     allowDocumentLevelSecurity: true,
     allowFieldLevelSecurity: true,
     validator: new RoleValidator(),
-    onChange: jest.fn()
+    onChange: jest.fn(),
+    onDelete: jest.fn(),
   };
 
   test(`inputs are hidden when DLS is not allowed`, () => {
     const testProps = {
       ...props,
-      allowDocumentLevelSecurity: false
+      allowDocumentLevelSecurity: false,
     };
 
     const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
@@ -119,8 +124,8 @@ describe(`document level security`, () => {
       ...props,
       indexPrivilege: {
         ...props.indexPrivilege,
-        query: null
-      }
+        query: '',
+      },
     };
 
     const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
@@ -144,11 +149,12 @@ describe('field level security', () => {
     indexPrivilege: {
       names: [],
       privileges: [],
-      query: null,
+      query: '',
       field_security: {
-        grant: ["foo*"]
-      }
+        grant: ['foo*'],
+      },
     },
+    formIndex: 0,
     indexPatterns: [],
     availableFields: [],
     isReservedRole: false,
@@ -156,17 +162,18 @@ describe('field level security', () => {
     allowDocumentLevelSecurity: true,
     allowFieldLevelSecurity: true,
     validator: new RoleValidator(),
-    onChange: jest.fn()
+    onChange: jest.fn(),
+    onDelete: jest.fn(),
   };
 
   test(`input is hidden when FLS is not allowed`, () => {
     const testProps = {
       ...props,
-      allowFieldLevelSecurity: false
+      allowFieldLevelSecurity: false,
     };
 
     const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
-    expect(wrapper.find(".indexPrivilegeForm__grantedFieldsRow")).toHaveLength(0);
+    expect(wrapper.find('.indexPrivilegeForm__grantedFieldsRow')).toHaveLength(0);
   });
 
   test('input is shown when allowed', () => {
@@ -175,7 +182,7 @@ describe('field level security', () => {
     };
 
     const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
-    expect(wrapper.find("div.indexPrivilegeForm__grantedFieldsRow")).toHaveLength(1);
+    expect(wrapper.find('div.indexPrivilegeForm__grantedFieldsRow')).toHaveLength(1);
   });
 
   test('it displays a warning when no fields are granted', () => {
@@ -184,23 +191,23 @@ describe('field level security', () => {
       indexPrivilege: {
         ...props.indexPrivilege,
         field_security: {
-          grant: []
-        }
-      }
+          grant: [],
+        },
+      },
     };
 
     const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
-    expect(wrapper.find("div.indexPrivilegeForm__grantedFieldsRow")).toHaveLength(1);
-    expect(wrapper.find(".euiFormHelpText")).toHaveLength(1);
+    expect(wrapper.find('div.indexPrivilegeForm__grantedFieldsRow')).toHaveLength(1);
+    expect(wrapper.find('.euiFormHelpText')).toHaveLength(1);
   });
 
   test('it does not display a warning when fields are granted', () => {
     const testProps = {
-      ...props
+      ...props,
     };
 
     const wrapper = mount(<IndexPrivilegeForm {...testProps} />);
-    expect(wrapper.find("div.indexPrivilegeForm__grantedFieldsRow")).toHaveLength(1);
-    expect(wrapper.find(".euiFormHelpText")).toHaveLength(0);
+    expect(wrapper.find('div.indexPrivilegeForm__grantedFieldsRow')).toHaveLength(1);
+    expect(wrapper.find('.euiFormHelpText')).toHaveLength(0);
   });
 });
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx
similarity index 62%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx
index ee62b80c5e282f..0468afdb6b9890 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privilege_form.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx
@@ -3,57 +3,69 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import React, { Component, Fragment } from 'react';
-import PropTypes from 'prop-types';
 import {
+  // @ts-ignore
+  EuiButtonIcon,
   EuiComboBox,
-  EuiTextArea,
-  EuiFormRow,
   EuiFlexGroup,
   EuiFlexItem,
-  EuiSwitch,
-  EuiSpacer,
+  EuiFormRow,
   EuiHorizontalRule,
-  EuiButtonIcon,
+  EuiSpacer,
+  EuiSwitch,
+  EuiTextArea,
 } from '@elastic/eui';
-import { getIndexPrivileges } from '../../../../../services/role_privileges';
+import React, { ChangeEvent, Component, Fragment } from 'react';
+import { IndexPrivilege } from '../../../../../../../common/model/index_privilege';
+import { getIndexPrivileges } from '../../../../../../services/role_privileges';
+import { RoleValidator } from '../../../lib/validate_role';
 
-const fromOption = (option) => option.label;
-const toOption = (value) => ({ label: value });
+const fromOption = (option: any) => option.label;
+const toOption = (value: string) => ({ label: value });
 
-export class IndexPrivilegeForm extends Component {
-  static propTypes = {
-    indexPrivilege: PropTypes.object.isRequired,
-    indexPatterns: PropTypes.array.isRequired,
-    availableFields: PropTypes.array,
-    onChange: PropTypes.func.isRequired,
-    isReservedRole: PropTypes.bool.isRequired,
-    allowDelete: PropTypes.bool.isRequired,
-    allowDocumentLevelSecurity: PropTypes.bool.isRequired,
-    allowFieldLevelSecurity: PropTypes.bool.isRequired,
-    validator: PropTypes.object.isRequired,
-  };
+interface Props {
+  formIndex: number;
+  indexPrivilege: IndexPrivilege;
+  indexPatterns: string[];
+  availableFields: string[];
+  onChange: (indexPrivilege: IndexPrivilege) => void;
+  onDelete: () => void;
+  isReservedRole: boolean;
+  allowDelete: boolean;
+  allowDocumentLevelSecurity: boolean;
+  allowFieldLevelSecurity: boolean;
+  validator: RoleValidator;
+}
 
-  constructor(props) {
+interface State {
+  queryExpanded: boolean;
+  documentQuery?: string;
+}
+
+export class IndexPrivilegeForm extends Component<Props, State> {
+  constructor(props: Props) {
     super(props);
     this.state = {
       queryExpanded: !!props.indexPrivilege.query,
-      documentQuery: props.indexPrivilege.query
+      documentQuery: props.indexPrivilege.query,
     };
   }
 
-  render() {
+  public render() {
     return (
       <Fragment>
         <EuiHorizontalRule />
         <EuiFlexGroup className="index-privilege-form">
-          <EuiFlexItem>
-            {this.getPrivilegeForm()}
-          </EuiFlexItem>
+          <EuiFlexItem>{this.getPrivilegeForm()}</EuiFlexItem>
           {this.props.allowDelete && (
             <EuiFlexItem grow={false}>
               <EuiFormRow hasEmptyLabelSpace>
-                <EuiButtonIcon aria-label={'Delete index privilege'} color={'danger'} onClick={this.props.onDelete} iconType={'trash'} />
+                <EuiButtonIcon
+                  aria-label={'Delete index privilege'}
+                  color={'danger'}
+                  onClick={this.props.onDelete}
+                  iconType={'trash'}
+                />
               </EuiFormRow>
             </EuiFlexItem>
           )}
@@ -62,13 +74,18 @@ export class IndexPrivilegeForm extends Component {
     );
   }
 
-  getPrivilegeForm = () => {
+  public getPrivilegeForm = () => {
     return (
       <Fragment>
         <EuiFlexGroup>
           <EuiFlexItem>
-            <EuiFormRow label={'Indices'} fullWidth={true} {...this.props.validator.validateIndexPrivilege(this.props.indexPrivilege)}>
+            <EuiFormRow
+              label={'Indices'}
+              fullWidth={true}
+              {...this.props.validator.validateIndexPrivilege(this.props.indexPrivilege)}
+            >
               <EuiComboBox
+                data-test-subj={`indicesInput${this.props.formIndex}`}
                 options={this.props.indexPatterns.map(toOption)}
                 selectedOptions={this.props.indexPrivilege.names.map(toOption)}
                 onCreateOption={this.onCreateIndexPatternOption}
@@ -80,6 +97,7 @@ export class IndexPrivilegeForm extends Component {
           <EuiFlexItem>
             <EuiFormRow label={'Privileges'} fullWidth={true}>
               <EuiComboBox
+                data-test-subj={`privilegesInput${this.props.formIndex}`}
                 options={getIndexPrivileges().map(toOption)}
                 selectedOptions={this.props.indexPrivilege.privileges.map(toOption)}
                 onChange={this.onPrivilegeChange}
@@ -97,13 +115,8 @@ export class IndexPrivilegeForm extends Component {
     );
   };
 
-  getGrantedFieldsControl = () => {
-    const {
-      allowFieldLevelSecurity,
-      availableFields,
-      indexPrivilege,
-      isReservedRole,
-    } = this.props;
+  public getGrantedFieldsControl = () => {
+    const { allowFieldLevelSecurity, availableFields, indexPrivilege, isReservedRole } = this.props;
 
     if (!allowFieldLevelSecurity) {
       return null;
@@ -119,12 +132,14 @@ export class IndexPrivilegeForm extends Component {
             fullWidth={true}
             className="indexPrivilegeForm__grantedFieldsRow"
             helpText={
-              !isReservedRole && grant.length === 0 ?
-                'If no fields are granted, then users assigned to this role will not be able to see any data for this index.' : undefined
+              !isReservedRole && grant.length === 0
+                ? 'If no fields are granted, then users assigned to this role will not be able to see any data for this index.'
+                : undefined
             }
           >
             <Fragment>
               <EuiComboBox
+                data-test-subj={`fieldInput${this.props.formIndex}`}
                 options={availableFields ? availableFields.map(toOption) : []}
                 selectedOptions={grant.map(toOption)}
                 onCreateOption={this.onCreateGrantedField}
@@ -138,35 +153,37 @@ export class IndexPrivilegeForm extends Component {
     }
 
     return null;
-  }
+  };
 
-  getGrantedDocumentsControl = () => {
-    const {
-      allowDocumentLevelSecurity,
-      indexPrivilege,
-    } = this.props;
+  public getGrantedDocumentsControl = () => {
+    const { allowDocumentLevelSecurity, indexPrivilege } = this.props;
 
     if (!allowDocumentLevelSecurity) {
       return null;
     }
 
     return (
+      // @ts-ignore
       <EuiFlexGroup direction="column">
-        {!this.props.isReservedRole &&
+        {!this.props.isReservedRole && (
           <EuiFlexItem>
             <EuiSwitch
+              data-test-subj={`restrictDocumentsQuery${this.props.formIndex}`}
               label={'Restrict documents query'}
+              // @ts-ignore
               compressed={true}
-              value={this.state.queryExanded}
+              // @ts-ignore
+              value={this.state.queryExpanded}
               onChange={this.toggleDocumentQuery}
             />
           </EuiFlexItem>
-        }
-        {this.state.queryExpanded &&
+        )}
+        {this.state.queryExpanded && (
           <EuiFlexItem>
             <EuiFormRow label={'Granted documents query'} fullWidth={true}>
               <EuiTextArea
-                style={{ resize: "none" }}
+                data-test-subj={`queryInput${this.props.formIndex}`}
+                style={{ resize: 'none' }}
                 fullWidth={true}
                 value={indexPrivilege.query}
                 onChange={this.onQueryChange}
@@ -174,19 +191,19 @@ export class IndexPrivilegeForm extends Component {
               />
             </EuiFormRow>
           </EuiFlexItem>
-        }
+        )}
       </EuiFlexGroup>
     );
   };
 
-  toggleDocumentQuery = () => {
-    const willToggleOff = this.state.queryExanded;
+  public toggleDocumentQuery = () => {
+    const willToggleOff = this.state.queryExpanded;
     const willToggleOn = !willToggleOff;
 
     // If turning off, then save the current query in state so that we can restore it if the user changes their mind.
     this.setState({
       queryExpanded: !this.state.queryExpanded,
-      documentQuery: willToggleOff ? this.props.indexPrivilege.query : this.state.documentQuery
+      documentQuery: willToggleOff ? this.props.indexPrivilege.query : this.state.documentQuery,
     });
 
     // If turning off, then remove the query from the Index Privilege
@@ -206,7 +223,7 @@ export class IndexPrivilegeForm extends Component {
     }
   };
 
-  onCreateIndexPatternOption = (option) => {
+  public onCreateIndexPatternOption = (option: any) => {
     const newIndexPatterns = this.props.indexPrivilege.names.concat([option]);
 
     this.props.onChange({
@@ -215,28 +232,35 @@ export class IndexPrivilegeForm extends Component {
     });
   };
 
-  onIndexPatternsChange = (newPatterns) => {
+  public onIndexPatternsChange = (newPatterns: string[]) => {
     this.props.onChange({
       ...this.props.indexPrivilege,
       names: newPatterns.map(fromOption),
     });
   };
 
-  onPrivilegeChange = (newPrivileges) => {
+  public onPrivilegeChange = (newPrivileges: string[]) => {
     this.props.onChange({
       ...this.props.indexPrivilege,
       privileges: newPrivileges.map(fromOption),
     });
   };
 
-  onQueryChange = (e) => {
+  public onQueryChange = (e: ChangeEvent<HTMLTextAreaElement>) => {
     this.props.onChange({
       ...this.props.indexPrivilege,
       query: e.target.value,
     });
   };
 
-  onCreateGrantedField = (grant) => {
+  public onCreateGrantedField = (grant: string) => {
+    if (
+      !this.props.indexPrivilege.field_security ||
+      !this.props.indexPrivilege.field_security.grant
+    ) {
+      return;
+    }
+
     const newGrants = this.props.indexPrivilege.field_security.grant.concat([grant]);
 
     this.props.onChange({
@@ -248,7 +272,7 @@ export class IndexPrivilegeForm extends Component {
     });
   };
 
-  onGrantedFieldsChange = (grantedFields) => {
+  public onGrantedFieldsChange = (grantedFields: string[]) => {
     this.props.onChange({
       ...this.props.indexPrivilege,
       field_security: {
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privileges.test.tsx
similarity index 73%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.test.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privileges.test.tsx
index 3a4fb950e555d5..7e8b71fd93ae21 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.test.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privileges.test.tsx
@@ -4,20 +4,25 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { mount, shallow } from 'enzyme';
 import React from 'react';
-import { shallow, mount } from 'enzyme';
-import { IndexPrivileges } from './index_privileges';
+import { RoleValidator } from '../../../lib/validate_role';
 import { IndexPrivilegeForm } from './index_privilege_form';
-import { RoleValidator } from '../../lib/validate_role';
+import { IndexPrivileges } from './index_privileges';
 
 test('it renders without crashing', () => {
   const props = {
     role: {
+      name: '',
       elasticsearch: {
         cluster: [],
         indices: [],
         run_as: [],
       },
+      kibana: {
+        global: [],
+        space: {},
+      },
     },
     httpClient: jest.fn(),
     onChange: jest.fn(),
@@ -33,16 +38,23 @@ test('it renders without crashing', () => {
 test('it renders a IndexPrivilegeForm for each privilege on the role', () => {
   const props = {
     role: {
+      name: '',
+      kibana: {
+        global: [],
+        space: {},
+      },
       elasticsearch: {
         cluster: [],
-        indices: [{
-          names: ['foo*'],
-          privileges: ['all'],
-          query: '*',
-          field_security: {
-            grant: ['some_field']
-          }
-        }],
+        indices: [
+          {
+            names: ['foo*'],
+            privileges: ['all'],
+            query: '*',
+            field_security: {
+              grant: ['some_field'],
+            },
+          },
+        ],
         run_as: [],
       },
     },
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privileges.tsx
similarity index 58%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privileges.tsx
index 601c855c760769..e5e5648db06ab9 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index_privileges.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privileges.tsx
@@ -3,40 +3,47 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import React, { Component } from 'react';
-import PropTypes from 'prop-types';
 import _ from 'lodash';
-import { isReservedRole, isRoleEnabled } from '../../../../../lib/role';
+import React, { Component } from 'react';
+import { IndexPrivilege } from '../../../../../../../common/model/index_privilege';
+import { Role } from '../../../../../../../common/model/role';
+import { isReservedRole, isRoleEnabled } from '../../../../../../lib/role';
+import { getFields } from '../../../../../../objects';
+import { RoleValidator } from '../../../lib/validate_role';
 import { IndexPrivilegeForm } from './index_privilege_form';
-import { getFields } from '../../../../../objects';
-
-export class IndexPrivileges extends Component {
-  static propTypes = {
-    role: PropTypes.object.isRequired,
-    indexPatterns: PropTypes.array.isRequired,
-    allowDocumentLevelSecurity: PropTypes.bool.isRequired,
-    allowFieldLevelSecurity: PropTypes.bool.isRequired,
-    httpClient: PropTypes.func.isRequired,
-    onChange: PropTypes.func.isRequired,
-    validator: PropTypes.object.isRequired,
-  }
 
-  state = {
-    availableFields: {}
+interface Props {
+  role: Role;
+  indexPatterns: string[];
+  allowDocumentLevelSecurity: boolean;
+  allowFieldLevelSecurity: boolean;
+  httpClient: any;
+  onChange: (role: Role) => void;
+  validator: RoleValidator;
+}
+
+interface State {
+  availableFields: {
+    [indexPrivKey: string]: string[];
+  };
+}
+
+export class IndexPrivileges extends Component<Props, State> {
+  constructor(props: Props) {
+    super(props);
+    this.state = {
+      availableFields: {},
+    };
   }
 
-  componentDidMount() {
+  public componentDidMount() {
     this.loadAvailableFields(this.props.role.elasticsearch.indices);
   }
 
-  render() {
+  public render() {
     const { indices = [] } = this.props.role.elasticsearch;
 
-    const {
-      indexPatterns,
-      allowDocumentLevelSecurity,
-      allowFieldLevelSecurity
-    } = this.props;
+    const { indexPatterns, allowDocumentLevelSecurity, allowFieldLevelSecurity } = this.props;
 
     const props = {
       indexPatterns,
@@ -45,13 +52,14 @@ export class IndexPrivileges extends Component {
       // doesn't permit FLS/DLS).
       allowDocumentLevelSecurity: allowDocumentLevelSecurity || !isRoleEnabled(this.props.role),
       allowFieldLevelSecurity: allowFieldLevelSecurity || !isRoleEnabled(this.props.role),
-      isReservedRole: isReservedRole(this.props.role)
+      isReservedRole: isReservedRole(this.props.role),
     };
 
-    const forms = indices.map((indexPrivilege, idx) => (
+    const forms = indices.map((indexPrivilege: IndexPrivilege, idx) => (
       <IndexPrivilegeForm
         key={idx}
         {...props}
+        formIndex={idx}
         validator={this.props.validator}
         allowDelete={!props.isReservedRole}
         indexPrivilege={indexPrivilege}
@@ -64,16 +72,19 @@ export class IndexPrivileges extends Component {
     return forms;
   }
 
-  addIndexPrivilege = () => {
+  public addIndexPrivilege = () => {
     const { role } = this.props;
 
-    const newIndices = [...role.elasticsearch.indices, {
-      names: [],
-      privileges: [],
-      field_security: {
-        grant: ['*']
-      }
-    }];
+    const newIndices = [
+      ...role.elasticsearch.indices,
+      {
+        names: [],
+        privileges: [],
+        field_security: {
+          grant: ['*'],
+        },
+      },
+    ];
 
     this.props.onChange({
       ...this.props.role,
@@ -84,8 +95,8 @@ export class IndexPrivileges extends Component {
     });
   };
 
-  onIndexPrivilegeChange = (privilegeIndex) => {
-    return (updatedPrivilege) => {
+  public onIndexPrivilegeChange = (privilegeIndex: number) => {
+    return (updatedPrivilege: IndexPrivilege) => {
       const { role } = this.props;
       const { indices } = role.elasticsearch;
 
@@ -104,7 +115,7 @@ export class IndexPrivileges extends Component {
     };
   };
 
-  onIndexPrivilegeDelete = (privilegeIndex) => {
+  public onIndexPrivilegeDelete = (privilegeIndex: number) => {
     return () => {
       const { role } = this.props;
 
@@ -115,53 +126,52 @@ export class IndexPrivileges extends Component {
         ...this.props.role,
         elasticsearch: {
           ...this.props.role.elasticsearch,
-          indices: newIndices
+          indices: newIndices,
         },
       });
     };
-  }
+  };
 
-  isPlaceholderPrivilege = (indexPrivilege) => {
+  public isPlaceholderPrivilege = (indexPrivilege: IndexPrivilege) => {
     return indexPrivilege.names.length === 0;
   };
 
-  loadAvailableFields(indices) {
+  public loadAvailableFields(privileges: IndexPrivilege[]) {
     // Reserved roles cannot be edited, and therefore do not need to fetch available fields.
     if (isReservedRole(this.props.role)) {
       return;
     }
 
-    const patterns = indices.map(index => index.names.join(','));
+    const patterns = privileges.map(index => index.names.join(','));
 
     const cachedPatterns = Object.keys(this.state.availableFields);
     const patternsToFetch = _.difference(patterns, cachedPatterns);
 
     const fetchRequests = patternsToFetch.map(this.loadFieldsForPattern);
 
-    Promise.all(fetchRequests)
-      .then(response => {
-
-        this.setState({
-          availableFields: {
-            ...this.state.availableFields,
-            ...response.reduce((acc, o) => ({ ...acc, ...o }), {})
-          }
-        });
+    Promise.all(fetchRequests).then(response => {
+      this.setState({
+        availableFields: {
+          ...this.state.availableFields,
+          ...response.reduce((acc, o) => ({ ...acc, ...o }), {}),
+        },
       });
+    });
   }
 
-  loadFieldsForPattern = async (pattern) => {
-    if (!pattern) return { [pattern]: [] };
+  public loadFieldsForPattern = async (pattern: string) => {
+    if (!pattern) {
+      return { [pattern]: [] };
+    }
 
     try {
       return {
-        [pattern]: await getFields(this.props.httpClient, pattern)
+        [pattern]: await getFields(this.props.httpClient, pattern),
       };
-
     } catch (e) {
       return {
-        [pattern]: []
+        [pattern]: [],
       };
     }
-  }
+  };
 }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index.ts b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index.ts
new file mode 100644
index 00000000000000..a06b14f80fa486
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { ElasticsearchPrivileges } from './es/elasticsearch_privileges';
+export { KibanaPrivileges } from './kibana/kibana_privileges';
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/impacted_spaces_flyout.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/impacted_spaces_flyout.test.tsx.snap
new file mode 100644
index 00000000000000..a2723f68e1c1b9
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/impacted_spaces_flyout.test.tsx.snap
@@ -0,0 +1,17 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`<ImpactedSpacesFlyout> renders without crashing 1`] = `
+<React.Fragment>
+  <div
+    className="showImpactedSpaces"
+  >
+    <EuiLink
+      color="primary"
+      onClick={[Function]}
+      type="button"
+    >
+      See summary of all spaces privileges
+    </EuiLink>
+  </div>
+</React.Fragment>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap
new file mode 100644
index 00000000000000..8c8d75b4201bed
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap
@@ -0,0 +1,52 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`<KibanaPrivileges> renders without crashing 1`] = `
+<CollapsiblePanel
+  iconType="logoKibana"
+  title="Kibana"
+>
+  <SpaceAwarePrivilegeForm
+    editable={true}
+    kibanaAppPrivileges={
+      Array [
+        "all",
+        "read",
+      ]
+    }
+    onChange={[MockFunction]}
+    role={
+      Object {
+        "elasticsearch": Object {
+          "cluster": Array [],
+          "indices": Array [],
+          "run_as": Array [],
+        },
+        "kibana": Object {
+          "global": Array [],
+          "space": Object {},
+        },
+        "name": "",
+      }
+    }
+    spaces={
+      Array [
+        Object {
+          "_reserved": true,
+          "id": "default",
+          "name": "Default Space",
+        },
+        Object {
+          "id": "marketing",
+          "name": "Marketing",
+        },
+      ]
+    }
+    validator={
+      RoleValidator {
+        "inProgressSpacePrivileges": Array [],
+        "shouldValidate": undefined,
+      }
+    }
+  />
+</CollapsiblePanel>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_callout_warning.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_callout_warning.test.tsx.snap
new file mode 100644
index 00000000000000..53f3fc716d65e8
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_callout_warning.test.tsx.snap
@@ -0,0 +1,94 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`PrivilegeCalloutWarning renders without crashing 1`] = `
+<PrivilegeCalloutWarning
+  basePrivilege="all"
+  isReservedRole={false}
+>
+  <EuiCallOut
+    color="warning"
+    iconType="iInCircle"
+    size="m"
+    title="Minimum privilege is too high to customize individual spaces"
+  >
+    <div
+      className="euiCallOut euiCallOut--warning"
+    >
+      <div
+        className="euiCallOutHeader"
+      >
+        <EuiIcon
+          aria-hidden="true"
+          className="euiCallOutHeader__icon"
+          size="m"
+          type="iInCircle"
+        >
+          <iInCircle
+            aria-hidden="true"
+            className="euiIcon euiIcon--medium euiCallOutHeader__icon"
+            focusable="false"
+            height="16"
+            style={
+              Object {
+                "fill": undefined,
+              }
+            }
+            viewBox="0 0 16 16"
+            width="16"
+            xmlns="http://www.w3.org/2000/svg"
+          >
+            <svg
+              aria-hidden="true"
+              className="euiIcon euiIcon--medium euiCallOutHeader__icon"
+              focusable="false"
+              height="16"
+              style={
+                Object {
+                  "fill": undefined,
+                }
+              }
+              viewBox="0 0 16 16"
+              width="16"
+              xmlns="http://www.w3.org/2000/svg"
+            >
+              <path
+                d="M8.3 10.717H6.7v-4h1.6v4zm-1.6-5.71a.83.83 0 0 1 .207-.578c.137-.153.334-.229.59-.229.256 0 .454.076.594.23.14.152.209.345.209.576 0 .228-.07.417-.21.568-.14.15-.337.226-.593.226-.256 0-.453-.075-.59-.226a.81.81 0 0 1-.207-.568zM7.5 13A5.506 5.506 0 0 1 2 7.5C2 4.467 4.467 2 7.5 2S13 4.467 13 7.5 10.533 13 7.5 13m0-12a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13"
+                fillRule="evenodd"
+              />
+            </svg>
+          </iInCircle>
+        </EuiIcon>
+        <span
+          className="euiCallOutHeader__title"
+        >
+          Minimum privilege is too high to customize individual spaces
+        </span>
+      </div>
+      <EuiText
+        grow={true}
+        size="s"
+      >
+        <div
+          className="euiText euiText--small"
+        >
+          <p>
+            Setting the minimum privilege to 
+            <strong>
+              all
+            </strong>
+             grants full access to all spaces. To customize privileges for individual spaces, the minimum privilege must be either 
+            <strong>
+              read
+            </strong>
+             or 
+            <strong>
+              none
+            </strong>
+            .
+          </p>
+        </div>
+      </EuiText>
+    </div>
+  </EuiCallOut>
+</PrivilegeCalloutWarning>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_space_form.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_space_form.test.tsx.snap
new file mode 100644
index 00000000000000..afce653a9c7f4e
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_space_form.test.tsx.snap
@@ -0,0 +1,88 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`<PrivilegeSpaceForm> renders without crashing 1`] = `
+<EuiFlexGroup
+  alignItems="stretch"
+  component="div"
+  direction="row"
+  gutterSize="l"
+  justifyContent="flexStart"
+  responsive={false}
+  wrap={false}
+>
+  <EuiFlexItem
+    component="div"
+    grow={true}
+  >
+    <EuiFormRow
+      describedByIds={Array []}
+      fullWidth={false}
+      hasEmptyLabelSpace={false}
+      isInvalid={false}
+      label="Space(s)"
+    >
+      <SpaceSelector
+        onChange={[Function]}
+        selectedSpaceIds={Array []}
+        spaces={
+          Array [
+            Object {
+              "_reserved": true,
+              "description": "",
+              "id": "default",
+              "name": "Default Space",
+            },
+            Object {
+              "description": "",
+              "id": "marketing",
+              "name": "Marketing",
+            },
+          ]
+        }
+      />
+    </EuiFormRow>
+  </EuiFlexItem>
+  <EuiFlexItem
+    component="div"
+    grow={true}
+  >
+    <EuiFormRow
+      describedByIds={Array []}
+      fullWidth={false}
+      hasEmptyLabelSpace={false}
+      isInvalid={false}
+      label="Privilege"
+    >
+      <PrivilegeSelector
+        availablePrivileges={
+          Array [
+            "all",
+            "read",
+          ]
+        }
+        data-test-subj="space-form-priv-selector"
+        onChange={[Function]}
+        value="none"
+      />
+    </EuiFormRow>
+  </EuiFlexItem>
+  <EuiFlexItem
+    component="div"
+    grow={false}
+  >
+    <EuiFormRow
+      describedByIds={Array []}
+      fullWidth={false}
+      hasEmptyLabelSpace={true}
+    >
+      <EuiButtonIcon
+        aria-label="Delete space privilege"
+        color="danger"
+        iconType="trash"
+        onClick={[MockFunction]}
+        type="button"
+      />
+    </EuiFormRow>
+  </EuiFlexItem>
+</EuiFlexGroup>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/simple_privilege_form.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/simple_privilege_form.test.tsx.snap
new file mode 100644
index 00000000000000..addaf7437816cc
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/simple_privilege_form.test.tsx.snap
@@ -0,0 +1,41 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`<SimplePrivilegeForm> renders without crashing 1`] = `
+<React.Fragment>
+  <EuiDescribedFormGroup
+    description={
+      <p>
+        Specifies the Kibana privilege for this role.
+      </p>
+    }
+    fullWidth={false}
+    gutterSize="l"
+    title={
+      <h3>
+        Kibana privileges
+      </h3>
+    }
+    titleSize="xs"
+  >
+    <EuiFormRow
+      describedByIds={Array []}
+      fullWidth={false}
+      hasEmptyLabelSpace={true}
+    >
+      <PrivilegeSelector
+        allowNone={true}
+        availablePrivileges={
+          Array [
+            "all",
+            "read",
+          ]
+        }
+        data-test-subj="kibanaPrivilege"
+        disabled={false}
+        onChange={[Function]}
+        value="none"
+      />
+    </EuiFormRow>
+  </EuiDescribedFormGroup>
+</React.Fragment>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_aware_privilege_form.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_aware_privilege_form.test.tsx.snap
new file mode 100644
index 00000000000000..55f9f818f45e76
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_aware_privilege_form.test.tsx.snap
@@ -0,0 +1,215 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`<SpaceAwarePrivilegeForm> hides the space table if there are no existing space privileges 1`] = `
+<PrivilegeSpaceTable
+  availablePrivileges={
+    Array [
+      "all",
+      "read",
+    ]
+  }
+  onChange={[Function]}
+  role={
+    Object {
+      "elasticsearch": Object {
+        "cluster": Array [
+          "manage",
+        ],
+        "indices": Array [],
+        "run_as": Array [],
+      },
+      "kibana": Object {
+        "global": Array [],
+        "space": Object {},
+      },
+      "name": "",
+    }
+  }
+  spacePrivileges={Object {}}
+  spaces={
+    Array [
+      Object {
+        "_reserved": true,
+        "id": "default",
+        "name": "Default Space",
+      },
+      Object {
+        "id": "marketing",
+        "name": "Marketing",
+      },
+    ]
+  }
+/>
+`;
+
+exports[`<SpaceAwarePrivilegeForm> renders without crashing 1`] = `
+<React.Fragment>
+  <EuiDescribedFormGroup
+    description={
+      <p>
+        Specifies the lowest permission level for all spaces, unless a custom privilege is specified.
+      </p>
+    }
+    fullWidth={false}
+    gutterSize="l"
+    title={
+      <h3>
+        Minimum privilege
+      </h3>
+    }
+    titleSize="xs"
+  >
+    <EuiFormRow
+      describedByIds={Array []}
+      fullWidth={false}
+      hasEmptyLabelSpace={true}
+      helpText="No access"
+    >
+      <PrivilegeSelector
+        allowNone={true}
+        availablePrivileges={
+          Array [
+            "all",
+            "read",
+          ]
+        }
+        data-test-subj="kibanaMinimumPrivilege"
+        disabled={false}
+        onChange={[Function]}
+        value="none"
+      />
+    </EuiFormRow>
+  </EuiDescribedFormGroup>
+  <EuiSpacer
+    size="l"
+  />
+  <React.Fragment>
+    <EuiTitle
+      size="xs"
+    >
+      <h3>
+        Space privileges
+      </h3>
+    </EuiTitle>
+    <EuiSpacer
+      size="s"
+    />
+    <EuiText
+      color="subdued"
+      grow={false}
+      size="s"
+    >
+      <p>
+        Customize permission levels per space. If a space is not customized, its permissions will default to the minimum privilege specified above.
+      </p>
+      <p>
+        You can bulk-create space privileges though they will be saved individually upon saving the role.
+      </p>
+    </EuiText>
+    <React.Fragment>
+      <PrivilegeSpaceTable
+        availablePrivileges={
+          Array [
+            "all",
+            "read",
+          ]
+        }
+        onChange={[Function]}
+        role={
+          Object {
+            "elasticsearch": Object {
+              "cluster": Array [
+                "manage",
+              ],
+              "indices": Array [],
+              "run_as": Array [],
+            },
+            "kibana": Object {
+              "global": Array [],
+              "space": Object {},
+            },
+            "name": "",
+          }
+        }
+        spacePrivileges={Object {}}
+        spaces={
+          Array [
+            Object {
+              "_reserved": true,
+              "id": "default",
+              "name": "Default Space",
+            },
+            Object {
+              "id": "marketing",
+              "name": "Marketing",
+            },
+          ]
+        }
+      />
+    </React.Fragment>
+    <EuiFlexGroup
+      alignItems="baseline"
+      component="div"
+      direction="row"
+      gutterSize="l"
+      justifyContent="flexStart"
+      responsive={true}
+      wrap={false}
+    >
+      <EuiFlexItem
+        component="div"
+        grow={false}
+      >
+        <EuiButton
+          color="primary"
+          data-test-subj="addSpacePrivilegeButton"
+          fill={false}
+          iconSide="left"
+          iconType="plusInCircle"
+          onClick={[Function]}
+          size="s"
+          type="button"
+        >
+          Add space privilege
+        </EuiButton>
+      </EuiFlexItem>
+      <EuiFlexItem
+        component="div"
+        grow={true}
+      >
+        <ImpactedSpacesFlyout
+          role={
+            Object {
+              "elasticsearch": Object {
+                "cluster": Array [
+                  "manage",
+                ],
+                "indices": Array [],
+                "run_as": Array [],
+              },
+              "kibana": Object {
+                "global": Array [],
+                "space": Object {},
+              },
+              "name": "",
+            }
+          }
+          spaces={
+            Array [
+              Object {
+                "_reserved": true,
+                "id": "default",
+                "name": "Default Space",
+              },
+              Object {
+                "id": "marketing",
+                "name": "Marketing",
+              },
+            ]
+          }
+        />
+      </EuiFlexItem>
+    </EuiFlexGroup>
+  </React.Fragment>
+</React.Fragment>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_selector.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_selector.test.tsx.snap
new file mode 100644
index 00000000000000..f22cf87c9c9d6f
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_selector.test.tsx.snap
@@ -0,0 +1,14 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`SpaceSelector renders without crashing 1`] = `
+<EuiComboBox
+  fullWidth={false}
+  isClearable={true}
+  onChange={[Function]}
+  options={Array []}
+  placeholder="choose space(s)"
+  renderOption={[Function]}
+  selectedOptions={Array []}
+  singleSelection={false}
+/>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.less b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.less
new file mode 100644
index 00000000000000..19f6c14a4a6f9b
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.less
@@ -0,0 +1,3 @@
+.showImpactedSpaces--flyout--footer, .showImpactedSpaces {
+  text-align: right;
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.test.tsx
new file mode 100644
index 00000000000000..674b44ef3dbf68
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.test.tsx
@@ -0,0 +1,153 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EuiFlyout, EuiLink } from '@elastic/eui';
+import { mount, shallow } from 'enzyme';
+import React from 'react';
+import { ImpactedSpacesFlyout } from './impacted_spaces_flyout';
+import { PrivilegeSpaceTable } from './privilege_space_table';
+
+const buildProps = (customProps = {}) => {
+  return {
+    role: {
+      name: '',
+      elasticsearch: {
+        cluster: ['manage'],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    },
+    spaces: [
+      {
+        id: 'default',
+        name: 'Default Space',
+        _reserved: true,
+      },
+      {
+        id: 'marketing',
+        name: 'Marketing',
+      },
+    ],
+    kibanaAppPrivileges: [
+      {
+        name: 'all',
+      },
+      {
+        name: 'read',
+      },
+    ],
+    ...customProps,
+  };
+};
+
+describe('<ImpactedSpacesFlyout>', () => {
+  it('renders without crashing', () => {
+    expect(shallow(<ImpactedSpacesFlyout {...buildProps()} />)).toMatchSnapshot();
+  });
+
+  it('does not immediately show the flyout', () => {
+    const wrapper = mount(<ImpactedSpacesFlyout {...buildProps()} />);
+    expect(wrapper.find(EuiFlyout)).toHaveLength(0);
+  });
+
+  it('shows the flyout after clicking the link', () => {
+    const wrapper = mount(<ImpactedSpacesFlyout {...buildProps()} />);
+    wrapper.find(EuiLink).simulate('click');
+    expect(wrapper.find(EuiFlyout)).toHaveLength(1);
+  });
+
+  describe('with base privilege set to "all"', () => {
+    it('calculates the effective privileges correctly', () => {
+      const props = buildProps({
+        role: {
+          elasticsearch: {
+            cluster: ['manage'],
+          },
+          kibana: {
+            global: ['all'],
+            space: {
+              marketing: ['read'],
+            },
+          },
+        },
+      });
+
+      const wrapper = shallow(<ImpactedSpacesFlyout {...props} />);
+      wrapper.find(EuiLink).simulate('click');
+
+      const table = wrapper.find(PrivilegeSpaceTable);
+      expect(table.props()).toMatchObject({
+        spacePrivileges: {
+          default: ['all'],
+          // base privilege of "all" supercedes specified privilege of "read" above
+          marketing: ['all'],
+        },
+      });
+    });
+  });
+
+  describe('with base privilege set to "read"', () => {
+    it('calculates the effective privileges correctly', () => {
+      const props = buildProps({
+        role: {
+          elasticsearch: {
+            cluster: ['manage'],
+          },
+          kibana: {
+            global: ['read'],
+            space: {
+              marketing: ['all'],
+            },
+          },
+        },
+      });
+
+      const wrapper = shallow(<ImpactedSpacesFlyout {...props} />);
+      wrapper.find(EuiLink).simulate('click');
+
+      const table = wrapper.find(PrivilegeSpaceTable);
+      expect(table.props()).toMatchObject({
+        spacePrivileges: {
+          default: ['read'],
+          marketing: ['all'],
+        },
+      });
+    });
+  });
+
+  describe('with base privilege set to "none"', () => {
+    it('calculates the effective privileges correctly', () => {
+      const props = buildProps({
+        role: {
+          elasticsearch: {
+            cluster: ['manage'],
+          },
+          kibana: {
+            global: [],
+            space: {
+              marketing: ['all'],
+            },
+          },
+        },
+      });
+
+      const wrapper = shallow(<ImpactedSpacesFlyout {...props} />);
+      wrapper.find(EuiLink).simulate('click');
+
+      const table = wrapper.find(PrivilegeSpaceTable);
+      expect(table.props()).toMatchObject({
+        spacePrivileges: {
+          default: ['none'],
+          marketing: ['all'],
+        },
+      });
+    });
+  });
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.tsx
new file mode 100644
index 00000000000000..8e50e6e3d0e3b3
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.tsx
@@ -0,0 +1,126 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  EuiFlyout,
+  EuiFlyoutBody,
+  EuiFlyoutFooter,
+  EuiFlyoutHeader,
+  EuiLink,
+  EuiTitle,
+} from '@elastic/eui';
+import React, { Component, Fragment } from 'react';
+import { PrivilegeSpaceTable } from './privilege_space_table';
+
+import { Space } from '../../../../../../../../spaces/common/model/space';
+import { ManageSpacesButton } from '../../../../../../../../spaces/public/components';
+import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
+import { Role } from '../../../../../../../common/model/role';
+import { NO_PRIVILEGE_VALUE } from '../../../lib/constants';
+import './impacted_spaces_flyout.less';
+
+interface Props {
+  role: Role;
+  spaces: Space[];
+}
+
+interface State {
+  showImpactedSpaces: boolean;
+}
+
+export class ImpactedSpacesFlyout extends Component<Props, State> {
+  constructor(props: Props) {
+    super(props);
+    this.state = {
+      showImpactedSpaces: false,
+    };
+  }
+
+  public render() {
+    const flyout = this.getFlyout();
+    return (
+      <Fragment>
+        <div className="showImpactedSpaces">
+          <EuiLink onClick={this.toggleShowImpactedSpaces}>
+            See summary of all spaces privileges
+          </EuiLink>
+        </div>
+        {flyout}
+      </Fragment>
+    );
+  }
+
+  public toggleShowImpactedSpaces = () => {
+    this.setState({
+      showImpactedSpaces: !this.state.showImpactedSpaces,
+    });
+  };
+
+  public getHighestPrivilege(...privileges: KibanaPrivilege[]): KibanaPrivilege {
+    if (privileges.indexOf('all') >= 0) {
+      return 'all';
+    }
+    if (privileges.indexOf('read') >= 0) {
+      return 'read';
+    }
+    return 'none';
+  }
+
+  public getFlyout = () => {
+    if (!this.state.showImpactedSpaces) {
+      return null;
+    }
+
+    const { role, spaces } = this.props;
+
+    const assignedPrivileges = role.kibana;
+    const basePrivilege = assignedPrivileges.global.length
+      ? assignedPrivileges.global[0]
+      : NO_PRIVILEGE_VALUE;
+
+    const allSpacePrivileges = spaces.reduce(
+      (acc, space) => {
+        const spacePrivilege = assignedPrivileges.space[space.id]
+          ? assignedPrivileges.space[space.id][0]
+          : basePrivilege;
+        const actualPrivilege = this.getHighestPrivilege(spacePrivilege, basePrivilege);
+
+        return {
+          ...acc,
+          // Use the privilege assigned to the space, if provided. Otherwise, the baes privilege is used.
+          [space.id]: [actualPrivilege],
+        };
+      },
+      { ...role.kibana.space }
+    );
+
+    return (
+      <EuiFlyout
+        onClose={this.toggleShowImpactedSpaces}
+        aria-labelledby="showImpactedSpacesTitle"
+        size="s"
+      >
+        <EuiFlyoutHeader hasBorder>
+          <EuiTitle size="m">
+            <h1 id="showImpactedSpacesTitle">Summary of all space privileges</h1>
+          </EuiTitle>
+        </EuiFlyoutHeader>
+        <EuiFlyoutBody>
+          <PrivilegeSpaceTable
+            readonly={true}
+            role={role}
+            spaces={spaces}
+            spacePrivileges={allSpacePrivileges}
+          />
+        </EuiFlyoutBody>
+        <EuiFlyoutFooter className="showImpactedSpaces--flyout--footer">
+          {/* TODO: Hide footer if button is not available */}
+          <ManageSpacesButton />
+        </EuiFlyoutFooter>
+      </EuiFlyout>
+    );
+  };
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx
new file mode 100644
index 00000000000000..24990ad1195cd4
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx
@@ -0,0 +1,66 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { shallow } from 'enzyme';
+import React from 'react';
+import { RoleValidator } from '../../../lib/validate_role';
+import { KibanaPrivileges } from './kibana_privileges';
+import { SimplePrivilegeForm } from './simple_privilege_form';
+import { SpaceAwarePrivilegeForm } from './space_aware_privilege_form';
+
+const buildProps = (customProps = {}) => {
+  return {
+    role: {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    },
+    spacesEnabled: true,
+    spaces: [
+      {
+        id: 'default',
+        name: 'Default Space',
+        _reserved: true,
+      },
+      {
+        id: 'marketing',
+        name: 'Marketing',
+      },
+    ],
+    editable: true,
+    kibanaAppPrivileges: ['all', 'read'],
+    onChange: jest.fn(),
+    validator: new RoleValidator(),
+    ...customProps,
+  };
+};
+
+describe('<KibanaPrivileges>', () => {
+  it('renders without crashing', () => {
+    expect(shallow(<KibanaPrivileges {...buildProps()} />)).toMatchSnapshot();
+  });
+
+  it('renders the simple privilege form when spaces is disabled', () => {
+    const props = buildProps({ spacesEnabled: false });
+    const wrapper = shallow(<KibanaPrivileges {...props} />);
+    expect(wrapper.find(SimplePrivilegeForm)).toHaveLength(1);
+    expect(wrapper.find(SpaceAwarePrivilegeForm)).toHaveLength(0);
+  });
+
+  it('renders the space-aware privilege form when spaces is enabled', () => {
+    const props = buildProps({ spacesEnabled: true });
+    const wrapper = shallow(<KibanaPrivileges {...props} />);
+    expect(wrapper.find(SimplePrivilegeForm)).toHaveLength(0);
+    expect(wrapper.find(SpaceAwarePrivilegeForm)).toHaveLength(1);
+  });
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx
new file mode 100644
index 00000000000000..db74c810027fb0
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx
@@ -0,0 +1,67 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component } from 'react';
+import { Space } from '../../../../../../../../spaces/common/model/space';
+import { Role } from '../../../../../../../common/model/role';
+import { RoleValidator } from '../../../lib/validate_role';
+import { CollapsiblePanel } from '../../collapsible_panel';
+import { SimplePrivilegeForm } from './simple_privilege_form';
+import { SpaceAwarePrivilegeForm } from './space_aware_privilege_form';
+
+interface Props {
+  role: Role;
+  spacesEnabled: boolean;
+  spaces?: Space[];
+  editable: boolean;
+  kibanaAppPrivileges: string[];
+  onChange: (role: Role) => void;
+  validator: RoleValidator;
+}
+
+export class KibanaPrivileges extends Component<Props, {}> {
+  public render() {
+    return (
+      <CollapsiblePanel iconType={'logoKibana'} title={'Kibana'}>
+        {this.getForm()}
+      </CollapsiblePanel>
+    );
+  }
+
+  public getForm = () => {
+    const {
+      kibanaAppPrivileges,
+      role,
+      spacesEnabled,
+      spaces = [],
+      onChange,
+      editable,
+      validator,
+    } = this.props;
+
+    if (spacesEnabled) {
+      return (
+        <SpaceAwarePrivilegeForm
+          kibanaAppPrivileges={kibanaAppPrivileges}
+          role={role}
+          spaces={spaces}
+          onChange={onChange}
+          editable={editable}
+          validator={validator}
+        />
+      );
+    } else {
+      return (
+        <SimplePrivilegeForm
+          kibanaAppPrivileges={kibanaAppPrivileges}
+          role={role}
+          onChange={onChange}
+          editable={editable}
+        />
+      );
+    }
+  };
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_callout_warning.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_callout_warning.test.tsx
new file mode 100644
index 00000000000000..1e8d3f3c391584
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_callout_warning.test.tsx
@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { mount } from 'enzyme';
+import React from 'react';
+import { PrivilegeCalloutWarning } from './privilege_callout_warning';
+
+describe('PrivilegeCalloutWarning', () => {
+  it('renders without crashing', () => {
+    expect(
+      mount(<PrivilegeCalloutWarning basePrivilege={'all'} isReservedRole={false} />)
+    ).toMatchSnapshot();
+  });
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_callout_warning.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_callout_warning.tsx
new file mode 100644
index 00000000000000..6641f43074cbe1
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_callout_warning.tsx
@@ -0,0 +1,103 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { EuiCallOut } from '@elastic/eui';
+import React, { Component } from 'react';
+import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
+import { NO_PRIVILEGE_VALUE } from '../../../lib/constants';
+
+interface Props {
+  basePrivilege: KibanaPrivilege;
+  isReservedRole: boolean;
+}
+
+interface State {
+  showImpactedSpaces: boolean;
+}
+
+export class PrivilegeCalloutWarning extends Component<Props, State> {
+  public state = {
+    showImpactedSpaces: false,
+  };
+
+  public render() {
+    const { basePrivilege, isReservedRole } = this.props;
+
+    let callout = null;
+
+    if (basePrivilege === 'all') {
+      if (isReservedRole) {
+        callout = (
+          <EuiCallOut
+            color="warning"
+            iconType="iInCircle"
+            title={"Cannot customize a reserved role's space privileges"}
+          >
+            <p>
+              This role always grants full access to all spaces. To customize privileges for
+              individual spaces, you must create a new role.
+            </p>
+          </EuiCallOut>
+        );
+      } else {
+        callout = (
+          <EuiCallOut
+            color="warning"
+            iconType="iInCircle"
+            title={'Minimum privilege is too high to customize individual spaces'}
+          >
+            <p>
+              Setting the minimum privilege to <strong>all</strong> grants full access to all
+              spaces. To customize privileges for individual spaces, the minimum privilege must be
+              either <strong>read</strong> or <strong>none</strong>.
+            </p>
+          </EuiCallOut>
+        );
+      }
+    }
+
+    if (basePrivilege === 'read') {
+      if (isReservedRole) {
+        callout = (
+          <EuiCallOut
+            color="warning"
+            iconType="iInCircle"
+            title={"Cannot customize a reserved role's space privileges"}
+          >
+            <p>
+              This role always grants read access to all spaces. To customize privileges for
+              individual spaces, you must create a new role.
+            </p>
+          </EuiCallOut>
+        );
+      } else {
+        callout = (
+          <EuiCallOut
+            color="primary"
+            iconType="iInCircle"
+            title={"Lowest possible privilege is 'read'"}
+          />
+        );
+      }
+    }
+
+    if (basePrivilege === NO_PRIVILEGE_VALUE && isReservedRole) {
+      callout = (
+        <EuiCallOut
+          color="warning"
+          iconType="iInCircle"
+          title={"Cannot customize a reserved role's space privileges"}
+        >
+          <p>
+            This role never grants access to any spaces within Kibana. To customize privileges for
+            individual spaces, you must create a new role.
+          </p>
+        </EuiCallOut>
+      );
+    }
+
+    return callout;
+  }
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_selector.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_selector.tsx
new file mode 100644
index 00000000000000..5f7d902cb7459d
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_selector.tsx
@@ -0,0 +1,60 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  // @ts-ignore
+  EuiSelect,
+} from '@elastic/eui';
+import React, { ChangeEvent, Component } from 'react';
+import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
+import { NO_PRIVILEGE_VALUE } from '../../../lib/constants';
+
+interface Props {
+  ['data-test-subj']: string;
+  availablePrivileges: KibanaPrivilege[];
+  onChange: (privilege: KibanaPrivilege) => void;
+  value: KibanaPrivilege | null;
+  allowNone?: boolean;
+  disabled?: boolean;
+  compressed?: boolean;
+}
+
+export class PrivilegeSelector extends Component<Props, {}> {
+  public state = {};
+
+  public render() {
+    const { availablePrivileges, value, disabled, allowNone, compressed } = this.props;
+
+    const options = [];
+
+    if (allowNone) {
+      options.push({ value: NO_PRIVILEGE_VALUE, text: 'none' });
+    }
+
+    options.push(
+      ...availablePrivileges.map(p => ({
+        value: p,
+        text: p,
+      }))
+    );
+
+    return (
+      <EuiSelect
+        data-test-subj={this.props['data-test-subj']}
+        options={options}
+        hasNoInitialSelection={!allowNone && !value}
+        value={value || undefined}
+        onChange={this.onChange}
+        disabled={disabled}
+        compressed={compressed}
+      />
+    );
+  }
+
+  public onChange = (e: ChangeEvent<HTMLSelectElement>) => {
+    this.props.onChange(e.target.value as KibanaPrivilege);
+  };
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.test.tsx
new file mode 100644
index 00000000000000..c51dd1786904fd
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.test.tsx
@@ -0,0 +1,41 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { shallow } from 'enzyme';
+import React from 'react';
+import { RoleValidator } from '../../../lib/validate_role';
+import { PrivilegeSpaceForm } from './privilege_space_form';
+
+const buildProps = (customProps = {}) => {
+  return {
+    availableSpaces: [
+      {
+        id: 'default',
+        name: 'Default Space',
+        description: '',
+        _reserved: true,
+      },
+      {
+        id: 'marketing',
+        name: 'Marketing',
+        description: '',
+      },
+    ],
+    selectedSpaceIds: [],
+    availablePrivileges: ['all', 'read'],
+    selectedPrivilege: 'none',
+    onChange: jest.fn(),
+    onDelete: jest.fn(),
+    validator: new RoleValidator(),
+    ...customProps,
+  };
+};
+
+describe('<PrivilegeSpaceForm>', () => {
+  it('renders without crashing', () => {
+    expect(shallow(<PrivilegeSpaceForm {...buildProps()} />)).toMatchSnapshot();
+  });
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.tsx
new file mode 100644
index 00000000000000..5cd139c0f42e36
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.tsx
@@ -0,0 +1,94 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EuiButtonIcon, EuiFlexGroup, EuiFlexItem, EuiFormRow } from '@elastic/eui';
+import React, { Component } from 'react';
+import { Space } from '../../../../../../../../spaces/common/model/space';
+import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
+import { RoleValidator } from '../../../lib/validate_role';
+import { PrivilegeSelector } from './privilege_selector';
+import { SpaceSelector } from './space_selector';
+
+interface Props {
+  availableSpaces: Space[];
+  selectedSpaceIds: string[];
+  availablePrivileges: KibanaPrivilege[];
+  selectedPrivilege: KibanaPrivilege | null;
+  onChange: (
+    params: {
+      spaces: string[];
+      privilege: KibanaPrivilege | null;
+    }
+  ) => void;
+  onDelete: () => void;
+  validator: RoleValidator;
+}
+
+export class PrivilegeSpaceForm extends Component<Props, {}> {
+  public render() {
+    const {
+      availableSpaces,
+      selectedSpaceIds,
+      availablePrivileges,
+      selectedPrivilege,
+      validator,
+    } = this.props;
+
+    return (
+      <EuiFlexGroup responsive={false}>
+        <EuiFlexItem>
+          <EuiFormRow
+            label={'Space(s)'}
+            {...validator.validateSelectedSpaces(selectedSpaceIds, selectedPrivilege)}
+          >
+            <SpaceSelector
+              spaces={availableSpaces}
+              selectedSpaceIds={selectedSpaceIds}
+              onChange={this.onSelectedSpacesChange}
+            />
+          </EuiFormRow>
+        </EuiFlexItem>
+        <EuiFlexItem>
+          <EuiFormRow
+            label={'Privilege'}
+            {...validator.validateSelectedPrivilege(selectedSpaceIds, selectedPrivilege)}
+          >
+            <PrivilegeSelector
+              data-test-subj={'space-form-priv-selector'}
+              availablePrivileges={availablePrivileges}
+              value={selectedPrivilege}
+              onChange={this.onPrivilegeChange}
+            />
+          </EuiFormRow>
+        </EuiFlexItem>
+        <EuiFlexItem grow={false}>
+          <EuiFormRow hasEmptyLabelSpace>
+            <EuiButtonIcon
+              aria-label={'Delete space privilege'}
+              color={'danger'}
+              onClick={this.props.onDelete}
+              iconType={'trash'}
+            />
+          </EuiFormRow>
+        </EuiFlexItem>
+      </EuiFlexGroup>
+    );
+  }
+
+  public onSelectedSpacesChange = (selectedSpaceIds: string[]) => {
+    this.props.onChange({
+      spaces: selectedSpaceIds,
+      privilege: this.props.selectedPrivilege,
+    });
+  };
+
+  public onPrivilegeChange = (privilege: KibanaPrivilege) => {
+    this.props.onChange({
+      spaces: this.props.selectedSpaceIds,
+      privilege,
+    });
+  };
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_table.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_table.tsx
new file mode 100644
index 00000000000000..0f206dcc1e17d6
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_table.tsx
@@ -0,0 +1,191 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  EuiButtonIcon,
+  EuiFlexGroup,
+  EuiFlexItem,
+  // @ts-ignore
+  EuiInMemoryTable,
+  EuiText,
+} from '@elastic/eui';
+import React, { Component } from 'react';
+import { Space } from '../../../../../../../../spaces/common/model/space';
+import { SpaceAvatar } from '../../../../../../../../spaces/public/components';
+import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
+import { Role } from '../../../../../../../common/model/role';
+import { isReservedRole } from '../../../../../../lib/role';
+import { PrivilegeSelector } from './privilege_selector';
+
+interface Props {
+  role: Role;
+  spaces: Space[];
+  availablePrivileges?: KibanaPrivilege[];
+  spacePrivileges: any;
+  onChange?: (privs: { [spaceId: string]: KibanaPrivilege[] }) => void;
+  readonly?: boolean;
+}
+
+interface State {
+  searchTerm: string;
+}
+
+interface DeletedSpace extends Space {
+  deleted: boolean;
+}
+
+export class PrivilegeSpaceTable extends Component<Props, State> {
+  public state = {
+    searchTerm: '',
+  };
+
+  public render() {
+    const { role, spaces, availablePrivileges, spacePrivileges } = this.props;
+
+    const { searchTerm } = this.state;
+
+    const allTableItems = Object.keys(spacePrivileges)
+      .map(spaceId => {
+        return {
+          space: spaces.find(s => s.id === spaceId) || { id: spaceId, name: '', deleted: true },
+          privilege: spacePrivileges[spaceId][0],
+        };
+      })
+      .sort(item1 => {
+        const isDeleted = 'deleted' in item1.space;
+        return isDeleted ? 1 : -1;
+      });
+
+    const visibleTableItems = allTableItems.filter(item => {
+      const isDeleted = 'deleted' in item.space;
+      const searchField = isDeleted ? item.space.id : item.space.name;
+      return searchField.toLowerCase().indexOf(searchTerm) >= 0;
+    });
+
+    if (allTableItems.length === 0) {
+      return null;
+    }
+
+    return (
+      <EuiInMemoryTable
+        hasActions
+        columns={this.getTableColumns(role, availablePrivileges)}
+        search={{
+          box: {
+            incremental: true,
+            placeholder: 'Filter...',
+          },
+          onChange: (search: any) => {
+            this.setState({
+              searchTerm: search.queryText.toLowerCase(),
+            });
+          },
+        }}
+        items={visibleTableItems}
+      />
+    );
+  }
+
+  public getTableColumns = (role: Role, availablePrivileges: KibanaPrivilege[] = []) => {
+    const columns: any[] = [
+      {
+        field: 'space',
+        name: 'Space',
+        width: this.props.readonly ? '75%' : '50%',
+        render: (space: Space | DeletedSpace) => {
+          let content;
+          if ('deleted' in space) {
+            content = [
+              <EuiFlexItem key={1}>
+                <EuiText color={'subdued'}>{space.id} (deleted)</EuiText>
+              </EuiFlexItem>,
+            ];
+          } else {
+            content = [
+              <EuiFlexItem key={1} grow={false}>
+                <SpaceAvatar space={space} size="s" />
+              </EuiFlexItem>,
+              <EuiFlexItem key={2}>
+                <EuiText>{space.name}</EuiText>
+              </EuiFlexItem>,
+            ];
+          }
+          return (
+            <EuiFlexGroup gutterSize="s" responsive={false} alignItems={'center'}>
+              {content}
+            </EuiFlexGroup>
+          );
+        },
+      },
+      {
+        field: 'privilege',
+        name: 'Privilege',
+        width: this.props.readonly ? '25%' : undefined,
+        render: (privilege: KibanaPrivilege, record: any) => {
+          if (this.props.readonly || record.space.deleted) {
+            return privilege;
+          }
+
+          return (
+            <PrivilegeSelector
+              data-test-subj={'privilege-space-table-priv'}
+              availablePrivileges={availablePrivileges}
+              value={privilege}
+              disabled={isReservedRole(role) || this.props.readonly}
+              onChange={this.onSpacePermissionChange(record)}
+              compressed
+            />
+          );
+        },
+      },
+    ];
+    if (!this.props.readonly) {
+      columns.push({
+        name: 'Actions',
+        actions: [
+          {
+            render: (record: any) => {
+              return (
+                <EuiButtonIcon
+                  aria-label={'Remove custom privileges for this space'}
+                  color={'danger'}
+                  onClick={() => this.onDeleteSpacePermissionsClick(record)}
+                  iconType={'trash'}
+                />
+              );
+            },
+          },
+        ],
+      });
+    }
+
+    return columns;
+  };
+
+  public onSpacePermissionChange = (record: any) => (selectedPrivilege: KibanaPrivilege) => {
+    const { id: spaceId } = record.space;
+
+    const updatedPrivileges = {
+      ...this.props.spacePrivileges,
+    };
+    updatedPrivileges[spaceId] = [selectedPrivilege];
+    if (this.props.onChange) {
+      this.props.onChange(updatedPrivileges);
+    }
+  };
+
+  public onDeleteSpacePermissionsClick = (record: any) => {
+    const { id: spaceId } = record.space;
+
+    const updatedPrivileges = {
+      ...this.props.spacePrivileges,
+    };
+    delete updatedPrivileges[spaceId];
+    if (this.props.onChange) {
+      this.props.onChange(updatedPrivileges);
+    }
+  };
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.test.tsx
new file mode 100644
index 00000000000000..018aed7df9bb18
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.test.tsx
@@ -0,0 +1,89 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { mount, shallow } from 'enzyme';
+import React from 'react';
+import { PrivilegeSelector } from './privilege_selector';
+import { SimplePrivilegeForm } from './simple_privilege_form';
+
+const buildProps = (customProps?: any) => {
+  return {
+    role: {
+      name: '',
+      elasticsearch: {
+        cluster: ['manage'],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    },
+    editable: true,
+    kibanaAppPrivileges: [
+      {
+        name: 'all',
+      },
+      {
+        name: 'read',
+      },
+    ],
+    onChange: jest.fn(),
+    ...customProps,
+  };
+};
+
+describe('<SimplePrivilegeForm>', () => {
+  it('renders without crashing', () => {
+    expect(shallow(<SimplePrivilegeForm {...buildProps()} />)).toMatchSnapshot();
+  });
+
+  it('displays "none" when no privilege is selected', () => {
+    const props = buildProps();
+    const wrapper = shallow(<SimplePrivilegeForm {...props} />);
+    const selector = wrapper.find(PrivilegeSelector);
+    expect(selector.props()).toMatchObject({
+      value: 'none',
+    });
+  });
+
+  it('displays the selected privilege', () => {
+    const props = buildProps({
+      role: {
+        elasticsearch: {},
+        kibana: {
+          global: ['read'],
+        },
+      },
+    });
+    const wrapper = shallow(<SimplePrivilegeForm {...props} />);
+    const selector = wrapper.find(PrivilegeSelector);
+    expect(selector.props()).toMatchObject({
+      value: 'read',
+    });
+  });
+
+  it('fires its onChange callback when the privilege changes', () => {
+    const props = buildProps();
+    const wrapper = mount(<SimplePrivilegeForm {...props} />);
+    const selector = wrapper.find(PrivilegeSelector).find('select');
+    selector.simulate('change', { target: { value: 'all' } });
+
+    expect(props.onChange).toHaveBeenCalledWith({
+      name: '',
+      elasticsearch: {
+        cluster: ['manage'],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: ['all'],
+        space: {},
+      },
+    });
+  });
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.tsx
new file mode 100644
index 00000000000000..4d8892d88fce4d
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.tsx
@@ -0,0 +1,72 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  // @ts-ignore
+  EuiDescribedFormGroup,
+  EuiFormRow,
+} from '@elastic/eui';
+import React, { Component, Fragment } from 'react';
+import { KibanaApplicationPrivilege } from '../../../../../../../common/model/kibana_application_privilege';
+import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
+import { Role } from '../../../../../../../common/model/role';
+import { isReservedRole } from '../../../../../../lib/role';
+import { NO_PRIVILEGE_VALUE } from '../../../lib/constants';
+import { copyRole } from '../../../lib/copy_role';
+import { PrivilegeSelector } from './privilege_selector';
+
+interface Props {
+  kibanaAppPrivileges: KibanaApplicationPrivilege[];
+  role: Role;
+  onChange: (role: Role) => void;
+  editable: boolean;
+}
+
+export class SimplePrivilegeForm extends Component<Props, {}> {
+  public render() {
+    const { kibanaAppPrivileges, role } = this.props;
+
+    const assignedPrivileges = role.kibana;
+    const availablePrivileges = kibanaAppPrivileges.map(privilege => privilege.name);
+
+    const kibanaPrivilege: KibanaPrivilege =
+      assignedPrivileges.global.length > 0
+        ? (assignedPrivileges.global[0] as KibanaPrivilege)
+        : NO_PRIVILEGE_VALUE;
+
+    const description = <p>Specifies the Kibana privilege for this role.</p>;
+
+    return (
+      <Fragment>
+        <EuiDescribedFormGroup title={<h3>Kibana privileges</h3>} description={description}>
+          <EuiFormRow hasEmptyLabelSpace>
+            <PrivilegeSelector
+              data-test-subj={'kibanaPrivilege'}
+              availablePrivileges={availablePrivileges}
+              value={kibanaPrivilege}
+              disabled={isReservedRole(role)}
+              allowNone={true}
+              onChange={this.onKibanaPrivilegeChange}
+            />
+          </EuiFormRow>
+        </EuiDescribedFormGroup>
+      </Fragment>
+    );
+  }
+
+  public onKibanaPrivilegeChange = (privilege: KibanaPrivilege) => {
+    const role = copyRole(this.props.role);
+
+    // Remove base privilege value
+    role.kibana.global = [];
+
+    if (privilege !== NO_PRIVILEGE_VALUE) {
+      role.kibana.global = [privilege];
+    }
+
+    this.props.onChange(role);
+  };
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.test.tsx
new file mode 100644
index 00000000000000..5279f178709323
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.test.tsx
@@ -0,0 +1,239 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { mount, shallow } from 'enzyme';
+import React from 'react';
+import { RoleValidator } from '../../../lib/validate_role';
+import { PrivilegeCalloutWarning } from './privilege_callout_warning';
+import { PrivilegeSpaceForm } from './privilege_space_form';
+import { PrivilegeSpaceTable } from './privilege_space_table';
+import { SpaceAwarePrivilegeForm } from './space_aware_privilege_form';
+
+const buildProps = (customProps: any = {}) => {
+  return {
+    role: {
+      name: '',
+      elasticsearch: {
+        cluster: ['manage'],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    },
+    spaces: [
+      {
+        id: 'default',
+        name: 'Default Space',
+        _reserved: true,
+      },
+      {
+        id: 'marketing',
+        name: 'Marketing',
+      },
+    ],
+    editable: true,
+    kibanaAppPrivileges: [
+      {
+        name: 'all',
+      },
+      {
+        name: 'read',
+      },
+    ],
+    onChange: jest.fn(),
+    validator: new RoleValidator(),
+    ...customProps,
+  };
+};
+
+describe('<SpaceAwarePrivilegeForm>', () => {
+  it('renders without crashing', () => {
+    expect(shallow(<SpaceAwarePrivilegeForm {...buildProps()} />)).toMatchSnapshot();
+  });
+
+  it('shows the space table if exisitng space privileges are declared', () => {
+    const props = buildProps({
+      role: {
+        elasticsearch: {
+          cluster: ['manage'],
+        },
+        kibana: {
+          global: ['read'],
+          space: {
+            default: ['all'],
+          },
+        },
+      },
+    });
+
+    const wrapper = mount(<SpaceAwarePrivilegeForm {...props} />);
+
+    const table = wrapper.find(PrivilegeSpaceTable);
+    expect(table).toHaveLength(1);
+  });
+
+  it('hides the space table if there are no existing space privileges', () => {
+    const props = buildProps();
+
+    const wrapper = mount(<SpaceAwarePrivilegeForm {...props} />);
+
+    const table = wrapper.find(PrivilegeSpaceTable);
+    expect(table).toMatchSnapshot();
+  });
+
+  it('adds a form row when clicking the "Add Space Privilege" button', () => {
+    const props = buildProps({
+      role: {
+        elasticsearch: {
+          cluster: ['manage'],
+        },
+        kibana: {
+          global: ['read'],
+          space: {
+            default: ['all'],
+          },
+        },
+      },
+    });
+
+    const wrapper = mount(<SpaceAwarePrivilegeForm {...props} />);
+    expect(wrapper.find(PrivilegeSpaceForm)).toHaveLength(0);
+
+    wrapper.find('button[data-test-subj="addSpacePrivilegeButton"]').simulate('click');
+
+    expect(wrapper.find(PrivilegeSpaceForm)).toHaveLength(1);
+  });
+
+  describe('with minimum privilege set to "all"', () => {
+    it('does not allow space privileges to be customized', () => {
+      const props = buildProps({
+        role: {
+          elasticsearch: {
+            cluster: ['manage'],
+          },
+          kibana: {
+            global: ['all'],
+            space: {
+              default: ['all'],
+            },
+          },
+        },
+      });
+
+      const wrapper = mount(<SpaceAwarePrivilegeForm {...props} />);
+
+      const warning = wrapper.find(PrivilegeCalloutWarning);
+      expect(warning.props()).toMatchObject({
+        basePrivilege: 'all',
+      });
+
+      const table = wrapper.find(PrivilegeSpaceTable);
+      expect(table).toHaveLength(0);
+
+      const addPrivilegeButton = wrapper.find('[data-test-subj="addSpacePrivilegeButton"]');
+      expect(addPrivilegeButton).toHaveLength(0);
+    });
+  });
+
+  describe('with minimum privilege set to "read"', () => {
+    it('shows a warning about minimum privilege', () => {
+      const props = buildProps({
+        role: {
+          elasticsearch: {
+            cluster: ['manage'],
+          },
+          kibana: {
+            global: ['read'],
+            space: {
+              default: ['all'],
+            },
+          },
+        },
+      });
+
+      const wrapper = mount(<SpaceAwarePrivilegeForm {...props} />);
+
+      const warning = wrapper.find(PrivilegeCalloutWarning);
+      expect(warning.props()).toMatchObject({
+        basePrivilege: 'read',
+      });
+    });
+
+    it('allows space privileges to be customized', () => {
+      const props = buildProps({
+        role: {
+          elasticsearch: {
+            cluster: ['manage'],
+          },
+          kibana: {
+            global: ['read'],
+            space: {
+              default: ['all'],
+            },
+          },
+        },
+      });
+
+      const wrapper = mount(<SpaceAwarePrivilegeForm {...props} />);
+
+      const table = wrapper.find(PrivilegeSpaceTable);
+      expect(table).toHaveLength(1);
+
+      const addPrivilegeButton = wrapper.find('button[data-test-subj="addSpacePrivilegeButton"]');
+      expect(addPrivilegeButton).toHaveLength(1);
+    });
+  });
+
+  describe('with minimum privilege set to "none"', () => {
+    it('does not show a warning about minimum privilege', () => {
+      const props = buildProps({
+        role: {
+          elasticsearch: {
+            cluster: ['manage'],
+          },
+          kibana: {
+            global: [],
+            space: {
+              default: ['all'],
+            },
+          },
+        },
+      });
+
+      const wrapper = mount(<SpaceAwarePrivilegeForm {...props} />);
+
+      const warning = wrapper.find(PrivilegeCalloutWarning);
+      expect(warning).toHaveLength(0);
+    });
+
+    it('allows space privileges to be customized', () => {
+      const props = buildProps({
+        role: {
+          elasticsearch: {
+            cluster: ['manage'],
+          },
+          kibana: {
+            global: [],
+            space: {
+              default: ['all'],
+            },
+          },
+        },
+      });
+
+      const wrapper = mount(<SpaceAwarePrivilegeForm {...props} />);
+
+      const table = wrapper.find(PrivilegeSpaceTable);
+      expect(table).toHaveLength(1);
+
+      const addPrivilegeButton = wrapper.find('button[data-test-subj="addSpacePrivilegeButton"]');
+      expect(addPrivilegeButton).toHaveLength(1);
+    });
+  });
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx
new file mode 100644
index 00000000000000..af76691b060f59
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx
@@ -0,0 +1,347 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  EuiButton,
+  // @ts-ignore
+  EuiDescribedFormGroup,
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiFormRow,
+  EuiSpacer,
+  EuiText,
+  EuiTitle,
+} from '@elastic/eui';
+import React, { Component, Fragment } from 'react';
+import { Space } from '../../../../../../../../spaces/common/model/space';
+import { KibanaApplicationPrivilege } from '../../../../../../../common/model/kibana_application_privilege';
+import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
+import { Role } from '../../../../../../../common/model/role';
+import { isReservedRole } from '../../../../../../lib/role';
+import { NO_PRIVILEGE_VALUE } from '../../../lib/constants';
+import { copyRole } from '../../../lib/copy_role';
+import { getAvailablePrivileges } from '../../../lib/get_available_privileges';
+import { RoleValidator } from '../../../lib/validate_role';
+import { ImpactedSpacesFlyout } from './impacted_spaces_flyout';
+import { PrivilegeCalloutWarning } from './privilege_callout_warning';
+import { PrivilegeSelector } from './privilege_selector';
+import { PrivilegeSpaceForm } from './privilege_space_form';
+import { PrivilegeSpaceTable } from './privilege_space_table';
+
+interface Props {
+  kibanaAppPrivileges: KibanaApplicationPrivilege[];
+  role: Role;
+  spaces: Space[];
+  onChange: (role: Role) => void;
+  editable: boolean;
+  validator: RoleValidator;
+}
+
+interface PrivilegeForm {
+  spaces: string[];
+  privilege: KibanaPrivilege | null;
+}
+
+interface SpacePrivileges {
+  [spaceId: string]: KibanaPrivilege[];
+}
+
+interface State {
+  spacePrivileges: SpacePrivileges;
+  privilegeForms: PrivilegeForm[];
+}
+
+export class SpaceAwarePrivilegeForm extends Component<Props, State> {
+  constructor(props: Props) {
+    super(props);
+    const { role } = props;
+
+    const assignedPrivileges = role.kibana;
+    const spacePrivileges = {
+      ...assignedPrivileges.space,
+    };
+
+    this.state = {
+      spacePrivileges,
+      privilegeForms: [],
+    };
+  }
+
+  public render() {
+    const { kibanaAppPrivileges, role } = this.props;
+
+    const assignedPrivileges = role.kibana;
+    const availablePrivileges = kibanaAppPrivileges.map(privilege => privilege.name);
+
+    const basePrivilege =
+      assignedPrivileges.global.length > 0 ? assignedPrivileges.global[0] : NO_PRIVILEGE_VALUE;
+
+    const description = (
+      <p>
+        Specifies the lowest permission level for all spaces, unless a custom privilege is
+        specified.
+      </p>
+    );
+
+    let helptext;
+    if (basePrivilege === NO_PRIVILEGE_VALUE) {
+      helptext = 'No access';
+    } else if (basePrivilege === 'all') {
+      helptext = 'View, edit, and share all objects and apps within all spaces';
+    } else if (basePrivilege === 'read') {
+      helptext = 'View only mode';
+    }
+
+    return (
+      <Fragment>
+        <EuiDescribedFormGroup title={<h3>Minimum privilege</h3>} description={description}>
+          <EuiFormRow hasEmptyLabelSpace helpText={helptext}>
+            <PrivilegeSelector
+              data-test-subj={'kibanaMinimumPrivilege'}
+              availablePrivileges={availablePrivileges}
+              value={basePrivilege}
+              disabled={isReservedRole(role)}
+              allowNone={true}
+              onChange={this.onKibanaBasePrivilegeChange}
+            />
+          </EuiFormRow>
+        </EuiDescribedFormGroup>
+
+        <EuiSpacer />
+
+        {this.renderSpacePrivileges(basePrivilege, availablePrivileges)}
+      </Fragment>
+    );
+  }
+
+  public renderSpacePrivileges = (
+    basePrivilege: KibanaPrivilege,
+    availablePrivileges: KibanaPrivilege[]
+  ) => {
+    const { role, spaces } = this.props;
+
+    const { spacePrivileges } = this.state;
+
+    const availableSpaces = this.getAvailableSpaces();
+
+    const canAssignSpacePrivileges = basePrivilege !== 'all';
+    const hasAssignedSpacePrivileges = Object.keys(this.state.spacePrivileges).length > 0;
+
+    const showAddPrivilegeButton =
+      canAssignSpacePrivileges && this.props.editable && availableSpaces.length > 0;
+
+    return (
+      <Fragment>
+        <EuiTitle size={'xs'}>
+          <h3>Space privileges</h3>
+        </EuiTitle>
+        <EuiSpacer size={'s'} />
+        <EuiText
+          // @ts-ignore
+          grow={false}
+          size={'s'}
+          color={'subdued'}
+        >
+          <p>
+            Customize permission levels per space. If a space is not customized, its permissions
+            will default to the minimum privilege specified above.
+          </p>
+          {basePrivilege !== 'all' &&
+            this.props.editable && (
+              <p>
+                You can bulk-create space privileges though they will be saved individually upon
+                saving the role.
+              </p>
+            )}
+        </EuiText>
+
+        {(basePrivilege !== NO_PRIVILEGE_VALUE || isReservedRole(this.props.role)) && (
+          <PrivilegeCalloutWarning
+            basePrivilege={basePrivilege}
+            isReservedRole={isReservedRole(this.props.role)}
+          />
+        )}
+
+        {basePrivilege === 'read' && this.props.editable && <EuiSpacer />}
+
+        {canAssignSpacePrivileges && (
+          <Fragment>
+            <PrivilegeSpaceTable
+              role={role}
+              spaces={spaces}
+              availablePrivileges={availablePrivileges}
+              spacePrivileges={spacePrivileges}
+              onChange={this.onExistingSpacePrivilegesChange}
+            />
+
+            {hasAssignedSpacePrivileges && <EuiSpacer />}
+
+            {this.getSpaceForms(basePrivilege)}
+          </Fragment>
+        )}
+
+        <EuiFlexGroup
+          // @ts-ignore
+          alignItems={'baseline'}
+        >
+          {showAddPrivilegeButton && (
+            <EuiFlexItem grow={false}>
+              <EuiButton
+                data-test-subj="addSpacePrivilegeButton"
+                size={'s'}
+                iconType={'plusInCircle'}
+                onClick={this.addSpacePrivilege}
+              >
+                Add space privilege
+              </EuiButton>
+            </EuiFlexItem>
+          )}
+          <EuiFlexItem>
+            <ImpactedSpacesFlyout role={role} spaces={spaces} />
+          </EuiFlexItem>
+        </EuiFlexGroup>
+      </Fragment>
+    );
+  };
+
+  public getSpaceForms = (basePrivilege: KibanaPrivilege) => {
+    if (!this.props.editable) {
+      return null;
+    }
+
+    return this.state.privilegeForms.map((form, index) =>
+      this.getSpaceForm(form, index, basePrivilege)
+    );
+  };
+
+  public addSpacePrivilege = () => {
+    this.setState({
+      privilegeForms: [
+        ...this.state.privilegeForms,
+        {
+          spaces: [],
+          privilege: null,
+        },
+      ],
+    });
+  };
+
+  public getAvailableSpaces = (omitIndex?: number): Space[] => {
+    const { spacePrivileges } = this.state;
+
+    return this.props.spaces.filter(space => {
+      const alreadyAssigned = Object.keys(spacePrivileges).indexOf(space.id) >= 0;
+
+      if (alreadyAssigned) {
+        return false;
+      }
+
+      const otherForms = [...this.state.privilegeForms];
+      if (typeof omitIndex === 'number') {
+        otherForms.splice(omitIndex, 1);
+      }
+
+      const inAnotherForm = otherForms.some(({ spaces }) => spaces.indexOf(space.id) >= 0);
+
+      return !inAnotherForm;
+    });
+  };
+
+  public getSpaceForm = (form: PrivilegeForm, index: number, basePrivilege: KibanaPrivilege) => {
+    const { spaces: selectedSpaceIds, privilege } = form;
+
+    const availableSpaces = this.getAvailableSpaces(index);
+
+    return (
+      <Fragment key={index}>
+        <PrivilegeSpaceForm
+          key={index}
+          availableSpaces={availableSpaces}
+          selectedSpaceIds={selectedSpaceIds}
+          availablePrivileges={getAvailablePrivileges(basePrivilege)}
+          selectedPrivilege={privilege}
+          onChange={this.onPrivilegeSpacePermissionChange(index)}
+          onDelete={this.onPrivilegeSpacePermissionDelete(index)}
+          validator={this.props.validator}
+        />
+        <EuiSpacer />
+      </Fragment>
+    );
+  };
+
+  public onPrivilegeSpacePermissionChange = (index: number) => (form: PrivilegeForm) => {
+    const existingPrivilegeForm = { ...this.state.privilegeForms[index] };
+    const updatedPrivileges = [...this.state.privilegeForms];
+    updatedPrivileges[index] = {
+      spaces: form.spaces,
+      privilege: form.privilege,
+    };
+
+    this.setState({
+      privilegeForms: updatedPrivileges,
+    });
+
+    const role = copyRole(this.props.role);
+
+    if (!form.spaces.length || !form.privilege) {
+      existingPrivilegeForm.spaces.forEach(spaceId => {
+        role.kibana.space[spaceId] = [];
+      });
+    } else {
+      const privilege = form.privilege;
+      if (privilege) {
+        form.spaces.forEach(spaceId => {
+          role.kibana.space[spaceId] = [privilege];
+        });
+      }
+    }
+
+    this.props.validator.setInProgressSpacePrivileges(updatedPrivileges);
+    this.props.onChange(role);
+  };
+
+  public onPrivilegeSpacePermissionDelete = (index: number) => () => {
+    const updatedPrivileges = [...this.state.privilegeForms];
+    const removedPrivilege = updatedPrivileges.splice(index, 1)[0];
+
+    this.setState({
+      privilegeForms: updatedPrivileges,
+    });
+
+    const role = copyRole(this.props.role);
+
+    removedPrivilege.spaces.forEach(spaceId => {
+      delete role.kibana.space[spaceId];
+    });
+
+    this.props.onChange(role);
+  };
+
+  public onExistingSpacePrivilegesChange = (assignedPrivileges: SpacePrivileges) => {
+    const role = copyRole(this.props.role);
+
+    role.kibana.space = assignedPrivileges;
+
+    this.setState({
+      spacePrivileges: assignedPrivileges,
+    });
+
+    this.props.onChange(role);
+  };
+
+  public onKibanaBasePrivilegeChange = (privilege: KibanaPrivilege) => {
+    const role = copyRole(this.props.role);
+
+    // Remove base privilege value
+    role.kibana.global = [];
+
+    if (privilege !== NO_PRIVILEGE_VALUE) {
+      role.kibana.global = [privilege];
+    }
+
+    this.props.onChange(role);
+  };
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.test.tsx
new file mode 100644
index 00000000000000..33579203e2f915
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.test.tsx
@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { shallow } from 'enzyme';
+import React from 'react';
+import { SpaceSelector } from './space_selector';
+
+describe('SpaceSelector', () => {
+  it('renders without crashing', () => {
+    expect(
+      shallow(<SpaceSelector spaces={[]} selectedSpaceIds={[]} onChange={jest.fn()} />)
+    ).toMatchSnapshot();
+  });
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.tsx
new file mode 100644
index 00000000000000..29b22fc32496f0
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.tsx
@@ -0,0 +1,64 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  // @ts-ignore
+  EuiComboBox,
+  EuiHealth,
+  // @ts-ignore
+  EuiHighlight,
+} from '@elastic/eui';
+import React, { Component } from 'react';
+import { Space } from '../../../../../../../../spaces/common/model/space';
+import { getSpaceColor } from '../../../../../../../../spaces/common/space_attributes';
+
+const spaceToOption = (space?: Space) => {
+  if (!space) {
+    return;
+  }
+
+  return { id: space.id, label: space.name, color: getSpaceColor(space) };
+};
+
+const spaceIdToOption = (spaces: Space[]) => (s: string) =>
+  spaceToOption(spaces.find(space => space.id === s));
+
+interface Props {
+  spaces: Space[];
+  selectedSpaceIds: string[];
+  onChange: (spaceIds: string[]) => void;
+  disabled?: boolean;
+}
+
+export class SpaceSelector extends Component<Props, {}> {
+  public render() {
+    const renderOption = (option: any, searchValue: string, contentClassName: string) => {
+      const { color, label } = option;
+      return (
+        <EuiHealth color={color}>
+          <span className={contentClassName}>
+            <EuiHighlight search={searchValue}>{label}</EuiHighlight>
+          </span>
+        </EuiHealth>
+      );
+    };
+
+    return (
+      <EuiComboBox
+        placeholder={`choose space(s)`}
+        options={this.props.spaces.map(spaceToOption)}
+        renderOption={renderOption}
+        selectedOptions={this.props.selectedSpaceIds.map(spaceIdToOption(this.props.spaces))}
+        disabled={this.props.disabled}
+        onChange={this.onChange}
+      />
+    );
+  }
+
+  public onChange = (selectedSpaces: Space[]) => {
+    this.props.onChange(selectedSpaces.map(s => s.id));
+  };
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js
deleted file mode 100644
index 37795c4c02575e..00000000000000
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana_privileges.js
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React, { Component } from 'react';
-import PropTypes from 'prop-types';
-import { isReservedRole } from '../../../../../lib/role';
-import { getKibanaPrivilegesViewModel } from '../../lib/get_application_privileges';
-
-import { CollapsiblePanel } from '../collapsible_panel';
-import {
-  EuiSelect,
-  EuiDescribedFormGroup,
-  EuiFormRow,
-} from '@elastic/eui';
-
-const noPrivilegeValue = '-none-';
-
-export class KibanaPrivileges extends Component {
-  static propTypes = {
-    role: PropTypes.object.isRequired,
-    spaces: PropTypes.array,
-    kibanaAppPrivileges: PropTypes.array.isRequired,
-    onChange: PropTypes.func.isRequired,
-  };
-
-  idPrefix = () => `id_`;
-
-  privilegeToId = (privilege) => `${this.idPrefix()}${privilege}`;
-
-  idToPrivilege = (id) => id.split(this.idPrefix())[1];
-
-  render() {
-    return (
-      <CollapsiblePanel iconType={'logoKibana'} title={'Kibana'}>
-        {this.getForm()}
-      </CollapsiblePanel>
-    );
-  }
-
-  getForm = () => {
-    const {
-      kibanaAppPrivileges,
-      role,
-    } = this.props;
-
-    const kibanaPrivileges = getKibanaPrivilegesViewModel(kibanaAppPrivileges, role.kibana);
-
-    const options = [
-      { value: noPrivilegeValue, text: 'none' },
-      ...Object.keys(kibanaPrivileges).map(p => ({
-        value: p,
-        text: p
-      }))
-    ];
-
-    const value = Object.keys(kibanaPrivileges).find(p => kibanaPrivileges[p]) || noPrivilegeValue;
-
-    return (
-      <EuiDescribedFormGroup
-        title={<p>Application privileges</p>}
-        description={<p>Manage the actions this role can perform within Kibana.</p>}
-      >
-        <EuiFormRow hasEmptyLabelSpace>
-          <EuiSelect
-            options={options}
-            value={value}
-            onChange={this.onKibanaPrivilegesChange}
-            disabled={isReservedRole(role)}
-          />
-        </EuiFormRow>
-      </EuiDescribedFormGroup>
-    );
-  }
-
-  onKibanaPrivilegesChange = (e) => {
-    const role = {
-      ...this.props.role,
-      kibana: {
-        ...this.props.role.kibana
-      }
-    };
-
-    const privilege = e.target.value;
-
-    if (privilege === noPrivilegeValue) {
-      // unsetting all privileges -- only necessary until RBAC Phase 3
-      role.kibana.global = [];
-    } else {
-      role.kibana.global = [privilege];
-    }
-
-    this.props.onChange(role);
-  }
-}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.test.js b/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.test.tsx
similarity index 59%
rename from x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.test.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.test.tsx
index 939348661a7417..91719960583a32 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.test.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.test.tsx
@@ -4,22 +4,40 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { EuiIcon } from '@elastic/eui';
+import { shallow } from 'enzyme';
 import React from 'react';
-import {
-  EuiIcon
-} from '@elastic/eui';
+import { Role } from '../../../../../common/model/role';
 import { ReservedRoleBadge } from './reserved_role_badge';
-import {
-  shallow
-} from 'enzyme';
 
-const reservedRole = {
+const reservedRole: Role = {
+  name: '',
+  elasticsearch: {
+    cluster: [],
+    indices: [],
+    run_as: [],
+  },
+  kibana: {
+    global: [],
+    space: {},
+  },
   metadata: {
-    _reserved: true
-  }
+    _reserved: true,
+  },
 };
 
-const unreservedRole = {};
+const unreservedRole = {
+  name: '',
+  elasticsearch: {
+    cluster: [],
+    indices: [],
+    run_as: [],
+  },
+  kibana: {
+    global: [],
+    space: {},
+  },
+};
 
 test('it renders without crashing', () => {
   const wrapper = shallow(<ReservedRoleBadge role={reservedRole} />);
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.js b/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.tsx
similarity index 62%
rename from x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.js
rename to x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.tsx
index 8b750b19338ed4..2966c78d2d92aa 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/reserved_role_badge.tsx
@@ -5,30 +5,24 @@
  */
 
 import React from 'react';
-import PropTypes from 'prop-types';
 
+import { EuiIcon, EuiToolTip } from '@elastic/eui';
+import { Role } from '../../../../../common/model/role';
 import { isReservedRole } from '../../../../lib/role';
-import {
-  EuiIcon,
-  EuiToolTip,
-} from '@elastic/eui';
 
+interface Props {
+  role: Role;
+}
 
-export const ReservedRoleBadge = (props) => {
-  const {
-    role
-  } = props;
+export const ReservedRoleBadge = (props: Props) => {
+  const { role } = props;
 
   if (isReservedRole(role)) {
     return (
       <EuiToolTip content={'Reserved roles are built-in and cannot be removed or modified.'}>
-        <EuiIcon style={{ verticalAlign: "super" }} type={'lock'} />
+        <EuiIcon style={{ verticalAlign: 'super' }} type={'lock'} />
       </EuiToolTip>
     );
   }
   return null;
 };
-
-ReservedRoleBadge.propTypes = {
-  role: PropTypes.object.isRequired
-};
diff --git a/x-pack/plugins/security/public/views/management/edit_role/edit_role.less b/x-pack/plugins/security/public/views/management/edit_role/edit_role.less
index d4f7ac04880d60..b3b4212bb1f1a9 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/edit_role.less
+++ b/x-pack/plugins/security/public/views/management/edit_role/edit_role.less
@@ -1,10 +1,4 @@
 #editRoleReactRoot {
   background: #f5f5f5;
-  flex-grow: 1;
-}
-
-.editRolePage {
-  max-width: 1000px;
-  margin-left: auto;
-  margin-right: auto;
+  min-height: ~"calc(100vh - 70px)";
 }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/index.js b/x-pack/plugins/security/public/views/management/edit_role/index.js
index 765dca06665f6c..5b8b57d6c01013 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/index.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/index.js
@@ -19,6 +19,7 @@ import 'plugins/security/services/shield_indices';
 
 import { IndexPatternsProvider } from 'ui/index_patterns/index_patterns';
 import { XPackInfoProvider } from 'plugins/xpack_main/services/xpack_info';
+import { SpacesManager } from 'plugins/spaces/lib';
 import { checkLicenseError } from 'plugins/security/lib/check_license_error';
 import { EDIT_ROLES_PATH, ROLES_PATH } from '../management_urls';
 
@@ -80,10 +81,13 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     indexPatterns(Private) {
       const indexPatterns = Private(IndexPatternsProvider);
       return indexPatterns.getTitles();
+    },
+    spaces($http, chrome) {
+      return new SpacesManager($http, chrome).getSpaces();
     }
   },
   controllerAs: 'editRole',
-  controller($injector, $scope, $http) {
+  controller($injector, $scope, $http, enableSpaceAwarePrivileges) {
     const $route = $injector.get('$route');
     const Private = $injector.get('Private');
 
@@ -97,9 +101,29 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     const allowFieldLevelSecurity = xpackInfo.get('features.security.allowRoleFieldLevelSecurity');
     const rbacApplication = chrome.getInjected('rbacApplication');
 
+    if (role.elasticsearch.indices.length === 0) {
+      const emptyOption = {
+        names: [],
+        privileges: []
+      };
+
+      if (allowFieldLevelSecurity) {
+        emptyOption.field_security = {
+          grant: ['*']
+        };
+      }
+
+      if (allowDocumentLevelSecurity) {
+        emptyOption.query = '';
+      }
+
+      role.elasticsearch.indices.push(emptyOption);
+    }
+
     const {
       users,
       indexPatterns,
+      spaces,
     } = $route.current.locals;
 
     $scope.$$postDigest(() => {
@@ -116,6 +140,8 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
         allowDocumentLevelSecurity={allowDocumentLevelSecurity}
         allowFieldLevelSecurity={allowFieldLevelSecurity}
         notifier={Notifier}
+        spaces={spaces}
+        spacesEnabled={enableSpaceAwarePrivileges}
       />, domNode);
 
       // unmount react on controller destroy
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/get_available_privileges.test.ts.snap b/x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/get_available_privileges.test.ts.snap
new file mode 100644
index 00000000000000..177ffc17078363
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/get_available_privileges.test.ts.snap
@@ -0,0 +1,3 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`getAvailablePrivileges throws when given an unexpected minimum privilege 1`] = `"Unexpected minimumPrivilege value: idk"`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/validate_role.test.js.snap b/x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/validate_role.test.ts.snap
similarity index 100%
rename from x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/validate_role.test.js.snap
rename to x-pack/plugins/security/public/views/management/edit_role/lib/__snapshots__/validate_role.test.ts.snap
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/constants.ts b/x-pack/plugins/security/public/views/management/edit_role/lib/constants.ts
new file mode 100644
index 00000000000000..7378251fc84ac5
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/constants.ts
@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*../../../../../common/model/kibana_privilege
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { KibanaPrivilege } from '../../../../../common/model/kibana_privilege';
+
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const NO_PRIVILEGE_VALUE: KibanaPrivilege = 'none';
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/copy_role.test.ts b/x-pack/plugins/security/public/views/management/edit_role/lib/copy_role.test.ts
new file mode 100644
index 00000000000000..992c67ba85e73b
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/copy_role.test.ts
@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { Role } from '../../../../../common/model/role';
+import { copyRole } from './copy_role';
+
+describe('copyRole', () => {
+  it('should perform a deep copy', () => {
+    const role: Role = {
+      elasticsearch: {
+        cluster: ['all'],
+        indices: [{ names: ['index*'], privileges: ['all'] }],
+        run_as: ['user'],
+      },
+      kibana: {
+        global: ['read'],
+        space: {
+          marketing: ['all'],
+        },
+      },
+    };
+
+    const result = copyRole(role);
+    expect(result).toEqual(role);
+
+    role.elasticsearch.indices[0].names = ['something else'];
+
+    expect(result).not.toEqual(role);
+  });
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/copy_role.ts b/x-pack/plugins/security/public/views/management/edit_role/lib/copy_role.ts
new file mode 100644
index 00000000000000..395f14756c5470
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/copy_role.ts
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { cloneDeep } from 'lodash';
+import { Role } from '../../../../../common/model/role';
+
+export function copyRole(role: Role) {
+  return cloneDeep(role);
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js
deleted file mode 100644
index 138fbaff51d921..00000000000000
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/get_application_privileges.js
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-export function getKibanaPrivilegesViewModel(applicationPrivileges, roleKibanaPrivileges) {
-  const viewModel = applicationPrivileges.reduce((acc, applicationPrivilege) => {
-    acc[applicationPrivilege.name] = false;
-    return acc;
-  }, {});
-
-  if (!roleKibanaPrivileges || roleKibanaPrivileges.length === 0) {
-    return viewModel;
-  }
-
-  const assignedPrivileges = roleKibanaPrivileges.global;
-  assignedPrivileges.forEach(assignedPrivilege => {
-    // we don't want to display privileges that aren't in our expected list of privileges
-    if (assignedPrivilege in viewModel) {
-      viewModel[assignedPrivilege] = true;
-    }
-  });
-
-  return viewModel;
-}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/get_available_privileges.test.ts b/x-pack/plugins/security/public/views/management/edit_role/lib/get_available_privileges.test.ts
new file mode 100644
index 00000000000000..3f7e8b13308126
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/get_available_privileges.test.ts
@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { KibanaPrivilege } from '../../../../../common/model/kibana_privilege';
+import { NO_PRIVILEGE_VALUE } from './constants';
+import { getAvailablePrivileges } from './get_available_privileges';
+
+describe('getAvailablePrivileges', () => {
+  it('throws when given an unexpected minimum privilege', () => {
+    expect(() => getAvailablePrivileges('idk' as KibanaPrivilege)).toThrowErrorMatchingSnapshot();
+  });
+
+  it(`returns all privileges when the minimum privilege is none`, () => {
+    expect(getAvailablePrivileges(NO_PRIVILEGE_VALUE)).toEqual(['read', 'all']);
+  });
+
+  it(`returns all privileges when the minimum privilege is read`, () => {
+    expect(getAvailablePrivileges('read')).toEqual(['read', 'all']);
+  });
+
+  it(`returns just the "all" privilege when the minimum privilege is all`, () => {
+    expect(getAvailablePrivileges('all')).toEqual(['all']);
+  });
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/get_available_privileges.ts b/x-pack/plugins/security/public/views/management/edit_role/lib/get_available_privileges.ts
new file mode 100644
index 00000000000000..89b6ff6cd8d80a
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/get_available_privileges.ts
@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { KibanaPrivilege } from '../../../../../common/model/kibana_privilege';
+import { NO_PRIVILEGE_VALUE } from './constants';
+
+export function getAvailablePrivileges(minimumPrivilege: KibanaPrivilege): KibanaPrivilege[] {
+  switch (minimumPrivilege) {
+    case NO_PRIVILEGE_VALUE:
+      return ['read', 'all'];
+    case 'read':
+      return ['read', 'all'];
+    case 'all':
+      return ['all'];
+    default:
+      throw new Error(`Unexpected minimumPrivilege value: ${minimumPrivilege}`);
+  }
+}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/set_application_privileges.js b/x-pack/plugins/security/public/views/management/edit_role/lib/set_application_privileges.js
deleted file mode 100644
index d900c13743a14c..00000000000000
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/set_application_privileges.js
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { ALL_RESOURCE } from '../../../../../common/constants';
-
-export function setApplicationPrivileges(kibanaPrivileges, role, application) {
-  if (!role.applications) {
-    role.applications = [];
-  }
-
-  // we first remove the matching application entries
-  role.applications = role.applications.filter(x => {
-    return x.application !== application;
-  });
-
-  const privileges = Object.keys(kibanaPrivileges).filter(key => kibanaPrivileges[key]);
-
-  // if we still have them, put the application entry back
-  if (privileges.length > 0) {
-    role.applications = [...role.applications, {
-      application,
-      privileges,
-      resources: [ALL_RESOURCE]
-    }];
-  }
-}
-
-export function togglePrivilege(role, application, permission) {
-  const appPermissions = role.applications
-    .find(a => a.application === application && a.resources[0] === ALL_RESOURCE);
-
-  if (!appPermissions) {
-    role.applications.push({
-      application,
-      privileges: [permission],
-      resources: [ALL_RESOURCE]
-    });
-  } else {
-    const indexOfExisting = appPermissions.privileges.indexOf(permission);
-    if (indexOfExisting >= 0) {
-      appPermissions.privileges.splice(indexOfExisting, 1);
-    } else {
-      appPermissions.privileges.push(permission);
-    }
-  }
-}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.js b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.js
deleted file mode 100644
index 29160173363b46..00000000000000
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.js
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-export class RoleValidator {
-  constructor(options = {}) {
-    this._shouldValidate = options.shouldValidate;
-  }
-
-  enableValidation() {
-    this._shouldValidate = true;
-  }
-
-  disableValidation() {
-    this._shouldValidate = false;
-  }
-
-  validateRoleName(role) {
-    if (!this._shouldValidate) return valid();
-
-    if (!role.name) {
-      return invalid(`Please provide a role name`);
-    }
-    if (role.name.length > 1024) {
-      return invalid(`Name must not exceed 1024 characters`);
-    }
-    if (!role.name.match(/^[a-zA-Z_][a-zA-Z0-9_@\-\$\.]*$/)) {
-      return invalid(`Name must begin with a letter or underscore and contain only letters, underscores, and numbers.`);
-    }
-    return valid();
-  }
-
-  validateIndexPrivileges(role) {
-    if (!this._shouldValidate) return valid();
-
-    if (!Array.isArray(role.elasticsearch.indices)) {
-      throw new TypeError(`Expected role.elasticsearch.indices to be an array`);
-    }
-
-    const areIndicesValid = role.elasticsearch.indices
-      .map(this.validateIndexPrivilege.bind(this))
-      .find((result) => result.isInvalid) == null;
-
-    if (areIndicesValid) {
-      return valid();
-    }
-    return invalid();
-  }
-
-  validateIndexPrivilege(indexPrivilege) {
-    if (!this._shouldValidate) return valid();
-
-    if (indexPrivilege.names.length && !indexPrivilege.privileges.length) {
-      return invalid(`At least one privilege is required`);
-    }
-    return valid();
-  }
-
-  validateForSave(role) {
-    const { isInvalid: isNameInvalid } = this.validateRoleName(role);
-    const { isInvalid: areIndicesInvalid } = this.validateIndexPrivileges(role);
-
-    if (isNameInvalid || areIndicesInvalid) {
-      return invalid();
-    }
-
-    return valid();
-  }
-
-}
-
-function invalid(error) {
-  return {
-    isInvalid: true,
-    error
-  };
-}
-
-function valid() {
-  return {
-    isInvalid: false
-  };
-}
-
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.js b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.js
deleted file mode 100644
index 75fc8341fc639c..00000000000000
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.js
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-import { RoleValidator } from "./validate_role";
-
-let validator;
-
-describe('validateRoleName', () => {
-  beforeEach(() => {
-    validator = new RoleValidator({ shouldValidate: true });
-  });
-
-  test('it allows an alphanumeric role name', () => {
-    const role = {
-      name: 'This-is-30-character-role-name'
-    };
-
-    expect(validator.validateRoleName(role)).toEqual({ isInvalid: false });
-  });
-
-  test('it requires a non-empty value', () => {
-    const role = {
-      name: ''
-    };
-
-    expect(validator.validateRoleName(role)).toEqual({ isInvalid: true, error: `Please provide a role name` });
-  });
-
-  test('it cannot exceed 1024 characters', () => {
-    const role = {
-      name: new Array(1026).join('A')
-    };
-
-    expect(validator.validateRoleName(role)).toEqual({ isInvalid: true, error: `Name must not exceed 1024 characters` });
-  });
-
-  const charList = `!#%^&*()+=[]{}\|';:"/,<>?`.split('');
-  charList.forEach(element => {
-    test(`it cannot support the "${element}" character`, () => {
-      const role = {
-        name: `role-${element}`
-      };
-
-      expect(validator.validateRoleName(role)).toEqual(
-        {
-          isInvalid: true,
-          error: `Name must begin with a letter or underscore and contain only letters, underscores, and numbers.`
-        }
-      );
-    });
-  });
-});
-
-describe('validateIndexPrivileges', () => {
-  beforeEach(() => {
-    validator = new RoleValidator({ shouldValidate: true });
-  });
-
-  test('it ignores privilegs with no indices defined', () => {
-    const role = {
-      elasticsearch: {
-        indices: [{
-          names: [],
-          privileges: []
-        }]
-      }
-
-    };
-
-    expect(validator.validateIndexPrivileges(role)).toEqual({
-      isInvalid: false
-    });
-  });
-
-  test('it requires privilges when an index is defined', () => {
-    const role = {
-      elasticsearch: {
-        indices: [{
-          names: ['index-*'],
-          privileges: []
-        }]
-      }
-
-    };
-
-    expect(validator.validateIndexPrivileges(role)).toEqual({
-      isInvalid: true
-    });
-  });
-
-  test('it throws when indices is not an array', () => {
-    const role = {
-      elasticsearch: {
-        indices: null
-      }
-    };
-
-    expect(() => validator.validateIndexPrivileges(role)).toThrowErrorMatchingSnapshot();
-  });
-});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.ts b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.ts
new file mode 100644
index 00000000000000..b6f6b4234335d5
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.ts
@@ -0,0 +1,397 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { Role } from '../../../../../common/model/role';
+import { RoleValidator } from './validate_role';
+
+let validator: RoleValidator;
+
+describe('validateRoleName', () => {
+  beforeEach(() => {
+    validator = new RoleValidator({ shouldValidate: true });
+  });
+
+  test('it allows an alphanumeric role name', () => {
+    const role: Role = {
+      name: 'This-is-30-character-role-name',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    };
+
+    expect(validator.validateRoleName(role)).toEqual({ isInvalid: false });
+  });
+
+  test('it requires a non-empty value', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    };
+
+    expect(validator.validateRoleName(role)).toEqual({
+      isInvalid: true,
+      error: `Please provide a role name`,
+    });
+  });
+
+  test('it cannot exceed 1024 characters', () => {
+    const role = {
+      name: new Array(1026).join('A'),
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    };
+
+    expect(validator.validateRoleName(role)).toEqual({
+      isInvalid: true,
+      error: `Name must not exceed 1024 characters`,
+    });
+  });
+
+  const charList = `!#%^&*()+=[]{}\|';:"/,<>?`.split('');
+  charList.forEach(element => {
+    test(`it cannot support the "${element}" character`, () => {
+      const role = {
+        name: `role-${element}`,
+        elasticsearch: {
+          cluster: [],
+          indices: [],
+          run_as: [],
+        },
+        kibana: {
+          global: [],
+          space: {},
+        },
+      };
+
+      expect(validator.validateRoleName(role)).toEqual({
+        isInvalid: true,
+        error: `Name must begin with a letter or underscore and contain only letters, underscores, and numbers.`,
+      });
+    });
+  });
+});
+
+describe('validateIndexPrivileges', () => {
+  beforeEach(() => {
+    validator = new RoleValidator({ shouldValidate: true });
+  });
+
+  test('it ignores privilegs with no indices defined', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        indices: [
+          {
+            names: [],
+            privileges: [],
+          },
+        ],
+        cluster: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    };
+
+    expect(validator.validateIndexPrivileges(role)).toEqual({
+      isInvalid: false,
+    });
+  });
+
+  test('it requires privilges when an index is defined', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [
+          {
+            names: ['index-*'],
+            privileges: [],
+          },
+        ],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    };
+
+    expect(validator.validateIndexPrivileges(role)).toEqual({
+      isInvalid: true,
+    });
+  });
+
+  test('it throws when indices is not an array', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: 'asdf',
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    };
+
+    // @ts-ignore
+    expect(() => validator.validateIndexPrivileges(role)).toThrowErrorMatchingSnapshot();
+  });
+});
+
+describe('validateInProgressSpacePrivileges', () => {
+  beforeEach(() => {
+    validator = new RoleValidator({ shouldValidate: true });
+  });
+
+  it('should validate when both spaces and privilege is unassigned', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    };
+
+    validator.setInProgressSpacePrivileges([{}, {}]);
+    expect(validator.validateInProgressSpacePrivileges(role)).toEqual({ isInvalid: false });
+  });
+
+  it('should invalidate when spaces are not assigned to a privilege', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    };
+
+    validator.setInProgressSpacePrivileges([
+      {
+        privilege: 'all',
+      },
+    ]);
+
+    expect(validator.validateInProgressSpacePrivileges(role)).toMatchObject({
+      isInvalid: true,
+    });
+  });
+
+  it('should invalidate when a privilege is not assigned to a space', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    };
+
+    validator.setInProgressSpacePrivileges([
+      {
+        spaces: ['marketing'],
+      },
+    ]);
+
+    expect(validator.validateInProgressSpacePrivileges(role)).toMatchObject({
+      isInvalid: true,
+    });
+  });
+
+  it('should validate when a privilege is assigned to a space', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    };
+
+    validator.setInProgressSpacePrivileges([
+      {
+        spaces: ['marketing'],
+        privilege: 'all',
+      },
+    ]);
+
+    expect(validator.validateInProgressSpacePrivileges(role)).toEqual({
+      isInvalid: false,
+    });
+  });
+
+  it('should skip validation if the global privilege is set to "all"', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: ['all'],
+        space: {},
+      },
+    };
+
+    validator.setInProgressSpacePrivileges([
+      {
+        spaces: ['marketing'],
+      },
+    ]);
+
+    expect(validator.validateInProgressSpacePrivileges(role)).toMatchObject({
+      isInvalid: false,
+    });
+  });
+});
+
+describe('validateSpacePrivileges', () => {
+  beforeEach(() => {
+    validator = new RoleValidator({ shouldValidate: true });
+  });
+
+  it('should validate when no privileges are defined', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {},
+      },
+    };
+
+    expect(validator.validateSpacePrivileges(role)).toEqual({ isInvalid: false });
+  });
+
+  it('should validate when a global privilege is defined', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: ['all'],
+        space: {},
+      },
+    };
+
+    expect(validator.validateSpacePrivileges(role)).toEqual({ isInvalid: false });
+  });
+
+  it('should validate when a space privilege is defined', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: [],
+        space: {
+          marketing: ['read'],
+        },
+      },
+    };
+
+    expect(validator.validateSpacePrivileges(role)).toEqual({ isInvalid: false });
+  });
+
+  it('should validate when both global and space privileges are defined', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: ['all'],
+        space: {
+          default: ['foo'],
+          marketing: ['read'],
+        },
+      },
+    };
+
+    expect(validator.validateSpacePrivileges(role)).toEqual({ isInvalid: false });
+  });
+
+  it('should invalidate when in-progress space privileges are not valid', () => {
+    const role = {
+      name: '',
+      elasticsearch: {
+        cluster: [],
+        indices: [],
+        run_as: [],
+      },
+      kibana: {
+        global: ['read'],
+        space: {
+          default: ['foo'],
+          marketing: ['read'],
+        },
+      },
+    };
+
+    validator.setInProgressSpacePrivileges([
+      {
+        spaces: ['marketing'],
+      },
+    ]);
+
+    expect(validator.validateSpacePrivileges(role)).toEqual({ isInvalid: true });
+  });
+});
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.ts b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.ts
new file mode 100644
index 00000000000000..4e8755cfae92c5
--- /dev/null
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.ts
@@ -0,0 +1,205 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+/*
+ * Copyright Elasticsearch B.V. ../../../../../common/model/index_privileger one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IndexPrivilege } from '../../../../../common/model/IndexPrivilege';
+import { KibanaPrivilege } from '../../../../../common/model/kibana_privilege';
+import { Role } from '../../../../../common/model/role';
+
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+interface RoleValidatorOptions {
+  shouldValidate?: boolean;
+}
+
+export interface RoleValidationResult {
+  isInvalid: boolean;
+  error?: string;
+}
+
+export class RoleValidator {
+  private shouldValidate?: boolean;
+
+  private inProgressSpacePrivileges: any[] = [];
+
+  constructor(options: RoleValidatorOptions = {}) {
+    this.shouldValidate = options.shouldValidate;
+  }
+
+  public enableValidation() {
+    this.shouldValidate = true;
+  }
+
+  public disableValidation() {
+    this.shouldValidate = false;
+  }
+
+  public validateRoleName(role: Role): RoleValidationResult {
+    if (!this.shouldValidate) {
+      return valid();
+    }
+
+    if (!role.name) {
+      return invalid(`Please provide a role name`);
+    }
+    if (role.name.length > 1024) {
+      return invalid(`Name must not exceed 1024 characters`);
+    }
+    if (!role.name.match(/^[a-zA-Z_][a-zA-Z0-9_@\-\$\.]*$/)) {
+      return invalid(
+        `Name must begin with a letter or underscore and contain only letters, underscores, and numbers.`
+      );
+    }
+    return valid();
+  }
+
+  public validateIndexPrivileges(role: Role): RoleValidationResult {
+    if (!this.shouldValidate) {
+      return valid();
+    }
+
+    if (!Array.isArray(role.elasticsearch.indices)) {
+      throw new TypeError(`Expected role.elasticsearch.indices to be an array`);
+    }
+
+    const areIndicesValid =
+      role.elasticsearch.indices
+        .map(indexPriv => this.validateIndexPrivilege(indexPriv))
+        .find((result: RoleValidationResult) => result.isInvalid) == null;
+
+    if (areIndicesValid) {
+      return valid();
+    }
+    return invalid();
+  }
+
+  public validateIndexPrivilege(indexPrivilege: IndexPrivilege): RoleValidationResult {
+    if (!this.shouldValidate) {
+      return valid();
+    }
+
+    if (indexPrivilege.names.length && !indexPrivilege.privileges.length) {
+      return invalid(`At least one privilege is required`);
+    }
+    return valid();
+  }
+
+  public validateSelectedSpaces(
+    spaceIds: string[],
+    privilege: KibanaPrivilege | null
+  ): RoleValidationResult {
+    if (!this.shouldValidate) {
+      return valid();
+    }
+
+    // If no assigned privilege, then no spaces are OK
+    if (!privilege) {
+      return valid();
+    }
+
+    if (Array.isArray(spaceIds) && spaceIds.length > 0) {
+      return valid();
+    }
+    return invalid('At least one space is required');
+  }
+
+  public validateSelectedPrivilege(
+    spaceIds: string[],
+    privilege: KibanaPrivilege | null
+  ): RoleValidationResult {
+    if (!this.shouldValidate) {
+      return valid();
+    }
+
+    // If no assigned spaces, then a missing privilege is OK
+    if (!spaceIds || spaceIds.length === 0) {
+      return valid();
+    }
+
+    if (privilege) {
+      return valid();
+    }
+    return invalid('Privilege is required');
+  }
+
+  public setInProgressSpacePrivileges(inProgressSpacePrivileges: any[]) {
+    this.inProgressSpacePrivileges = [...inProgressSpacePrivileges];
+  }
+
+  public validateInProgressSpacePrivileges(role: Role): RoleValidationResult {
+    const { global } = role.kibana;
+
+    // A Global privilege of "all" will ignore all in progress privileges,
+    // so the form should not block saving in this scenario.
+    const shouldValidate = this.shouldValidate && !global.includes('all');
+
+    if (!shouldValidate) {
+      return valid();
+    }
+
+    const allInProgressValid = this.inProgressSpacePrivileges.every(({ spaces, privilege }) => {
+      return (
+        !this.validateSelectedSpaces(spaces, privilege).isInvalid &&
+        !this.validateSelectedPrivilege(spaces, privilege).isInvalid
+      );
+    });
+
+    if (allInProgressValid) {
+      return valid();
+    }
+    return invalid();
+  }
+
+  public validateSpacePrivileges(role: Role): RoleValidationResult {
+    if (!this.shouldValidate) {
+      return valid();
+    }
+
+    const privileges = Object.values(role.kibana.space || {});
+
+    const arePrivilegesValid = privileges.every(assignedPrivilege => !!assignedPrivilege);
+    const areInProgressPrivilegesValid = !this.validateInProgressSpacePrivileges(role).isInvalid;
+
+    if (arePrivilegesValid && areInProgressPrivilegesValid) {
+      return valid();
+    }
+    return invalid();
+  }
+
+  public validateForSave(role: Role): RoleValidationResult {
+    const { isInvalid: isNameInvalid } = this.validateRoleName(role);
+    const { isInvalid: areIndicesInvalid } = this.validateIndexPrivileges(role);
+    const { isInvalid: areSpacePrivilegesInvalid } = this.validateSpacePrivileges(role);
+
+    if (isNameInvalid || areIndicesInvalid || areSpacePrivilegesInvalid) {
+      return invalid();
+    }
+
+    return valid();
+  }
+}
+
+function invalid(error?: string): RoleValidationResult {
+  return {
+    isInvalid: true,
+    error,
+  };
+}
+
+function valid(): RoleValidationResult {
+  return {
+    isInvalid: false,
+  };
+}
diff --git a/x-pack/plugins/security/public/views/management/management_urls.js b/x-pack/plugins/security/public/views/management/management_urls.ts
similarity index 100%
rename from x-pack/plugins/security/public/views/management/management_urls.js
rename to x-pack/plugins/security/public/views/management/management_urls.ts
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/get.js b/x-pack/plugins/security/server/routes/api/public/roles/get.js
index 88d096fda39063..a0c7fd0ec4f39c 100644
--- a/x-pack/plugins/security/server/routes/api/public/roles/get.js
+++ b/x-pack/plugins/security/server/routes/api/public/roles/get.js
@@ -5,8 +5,8 @@
  */
 import _ from 'lodash';
 import Boom from 'boom';
-import { ALL_RESOURCE } from '../../../../../common/constants';
 import { wrapError } from '../../../../lib/errors';
+import { ALL_RESOURCE } from '../../../../../common/constants';
 
 export function initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn, application) {
 
@@ -91,7 +91,7 @@ export function initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn,
         }
 
         return reply(Boom.notFound());
-      } catch(error) {
+      } catch (error) {
         reply(wrapError(error));
       }
     },
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/put.js b/x-pack/plugins/security/server/routes/api/public/roles/put.js
index 5c464bbe9fd54c..262e2259cbea3d 100644
--- a/x-pack/plugins/security/server/routes/api/public/roles/put.js
+++ b/x-pack/plugins/security/server/routes/api/public/roles/put.js
@@ -6,8 +6,8 @@
 
 import { pick, identity } from 'lodash';
 import Joi from 'joi';
-import { ALL_RESOURCE } from '../../../../../common/constants';
 import { wrapError } from '../../../../lib/errors';
+import { ALL_RESOURCE } from '../../../../../common/constants';
 
 const transformKibanaPrivilegesToEs = (application, kibanaPrivileges) => {
   const kibanaApplicationPrivileges = [];
@@ -20,7 +20,7 @@ const transformKibanaPrivilegesToEs = (application, kibanaPrivileges) => {
   }
 
   if (kibanaPrivileges.space) {
-    for(const [spaceId, privileges] of Object.entries(kibanaPrivileges.space)) {
+    for (const [spaceId, privileges] of Object.entries(kibanaPrivileges.space)) {
       kibanaApplicationPrivileges.push({
         privileges: privileges,
         application,
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/put.test.js b/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
index 67ebe5ae017a06..d159c98c59eb4d 100644
--- a/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
+++ b/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
@@ -155,7 +155,7 @@ describe('PUT role', () => {
       name: 'foo-role',
       payload: {},
       preCheckLicenseImpl: defaultPreCheckLicenseImpl,
-      callWithRequestImpls: [async () => ({}), async () => {}],
+      callWithRequestImpls: [async () => ({}), async () => { }],
       asserts: {
         callWithRequests: [
           ['shield.getRole', { name: 'foo-role', ignore: [404] }],
@@ -189,7 +189,7 @@ describe('PUT role', () => {
             {
               field_security: {
                 grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
-                except: [ 'test-field-security-except-1', 'test-field-security-except-2' ]
+                except: ['test-field-security-except-1', 'test-field-security-except-2']
               },
               names: ['test-index-name-1', 'test-index-name-2'],
               privileges: ['test-index-privilege-1', 'test-index-privilege-2'],
@@ -207,7 +207,7 @@ describe('PUT role', () => {
         },
       },
       preCheckLicenseImpl: defaultPreCheckLicenseImpl,
-      callWithRequestImpls: [async () => ({}), async () => {}],
+      callWithRequestImpls: [async () => ({}), async () => { }],
       asserts: {
         callWithRequests: [
           ['shield.getRole', { name: 'foo-role', ignore: [404] }],
@@ -247,7 +247,7 @@ describe('PUT role', () => {
                   {
                     field_security: {
                       grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
-                      except: [ 'test-field-security-except-1', 'test-field-security-except-2' ]
+                      except: ['test-field-security-except-1', 'test-field-security-except-2']
                     },
                     names: ['test-index-name-1', 'test-index-name-2'],
                     privileges: [
@@ -280,7 +280,7 @@ describe('PUT role', () => {
             {
               field_security: {
                 grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
-                except: [ 'test-field-security-except-1', 'test-field-security-except-2' ]
+                except: ['test-field-security-except-1', 'test-field-security-except-2']
               },
               names: ['test-index-name-1', 'test-index-name-2'],
               privileges: ['test-index-privilege-1', 'test-index-privilege-2'],
@@ -312,7 +312,7 @@ describe('PUT role', () => {
               {
                 field_security: {
                   grant: ['old-field-security-grant-1', 'old-field-security-grant-2'],
-                  except: [ 'old-field-security-except-1', 'old-field-security-except-2' ]
+                  except: ['old-field-security-except-1', 'old-field-security-except-2']
                 },
                 names: ['old-index-name'],
                 privileges: ['old-privilege'],
@@ -329,7 +329,7 @@ describe('PUT role', () => {
             ],
           },
         }),
-        async () => {},
+        async () => { },
       ],
       asserts: {
         callWithRequests: [
@@ -370,7 +370,7 @@ describe('PUT role', () => {
                   {
                     field_security: {
                       grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
-                      except: [ 'test-field-security-except-1', 'test-field-security-except-2' ]
+                      except: ['test-field-security-except-1', 'test-field-security-except-2']
                     },
                     names: ['test-index-name-1', 'test-index-name-2'],
                     privileges: [
@@ -457,7 +457,7 @@ describe('PUT role', () => {
               ],
             },
           }),
-          async () => {},
+          async () => { },
         ],
         asserts: {
           callWithRequests: [
diff --git a/x-pack/plugins/spaces/public/views/components/__snapshots__/space_avatar.test.js.snap b/x-pack/plugins/spaces/public/components/__snapshots__/space_avatar.test.js.snap
similarity index 100%
rename from x-pack/plugins/spaces/public/views/components/__snapshots__/space_avatar.test.js.snap
rename to x-pack/plugins/spaces/public/components/__snapshots__/space_avatar.test.js.snap
diff --git a/x-pack/plugins/spaces/public/components/index.ts b/x-pack/plugins/spaces/public/components/index.ts
new file mode 100644
index 00000000000000..2e73f0c704f8c5
--- /dev/null
+++ b/x-pack/plugins/spaces/public/components/index.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { SpaceAvatar } from './space_avatar';
+export { ManageSpacesButton } from './manage_spaces_button';
diff --git a/x-pack/plugins/spaces/public/views/components/manage_spaces_button.tsx b/x-pack/plugins/spaces/public/components/manage_spaces_button.tsx
similarity index 94%
rename from x-pack/plugins/spaces/public/views/components/manage_spaces_button.tsx
rename to x-pack/plugins/spaces/public/components/manage_spaces_button.tsx
index 42c11948aecd30..55b14b856ef42a 100644
--- a/x-pack/plugins/spaces/public/views/components/manage_spaces_button.tsx
+++ b/x-pack/plugins/spaces/public/components/manage_spaces_button.tsx
@@ -6,7 +6,7 @@
 
 import { EuiButton } from '@elastic/eui';
 import React, { Component, CSSProperties } from 'react';
-import { MANAGE_SPACES_URL } from '../../lib/constants';
+import { MANAGE_SPACES_URL } from '../lib/constants';
 
 interface Props {
   isDisabled?: boolean;
diff --git a/x-pack/plugins/spaces/public/views/components/space_avatar.test.js b/x-pack/plugins/spaces/public/components/space_avatar.test.js
similarity index 100%
rename from x-pack/plugins/spaces/public/views/components/space_avatar.test.js
rename to x-pack/plugins/spaces/public/components/space_avatar.test.js
diff --git a/x-pack/plugins/spaces/public/views/components/space_avatar.tsx b/x-pack/plugins/spaces/public/components/space_avatar.tsx
similarity index 91%
rename from x-pack/plugins/spaces/public/views/components/space_avatar.tsx
rename to x-pack/plugins/spaces/public/components/space_avatar.tsx
index 5e78a5e32b7f18..571cc083cb868d 100644
--- a/x-pack/plugins/spaces/public/views/components/space_avatar.tsx
+++ b/x-pack/plugins/spaces/public/components/space_avatar.tsx
@@ -6,8 +6,8 @@
 
 import { EuiAvatar } from '@elastic/eui';
 import React from 'react';
-import { getSpaceColor, getSpaceInitials, MAX_SPACE_INITIALS } from '../../../common';
-import { Space } from '../../../common/model/space';
+import { getSpaceColor, getSpaceInitials, MAX_SPACE_INITIALS } from '../../common';
+import { Space } from '../../common/model/space';
 
 interface Props {
   space: Space;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index.js b/x-pack/plugins/spaces/public/lib/index.js
similarity index 65%
rename from x-pack/plugins/security/public/views/management/edit_role/components/privileges/index.js
rename to x-pack/plugins/spaces/public/lib/index.js
index d142af394b1555..0a22964efbca39 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/index.js
+++ b/x-pack/plugins/spaces/public/lib/index.js
@@ -4,5 +4,4 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export { ElasticsearchPrivileges } from './elasticsearch_privileges';
-export { KibanaPrivileges } from './kibana_privileges';
+export { SpacesManager } from './spaces_manager';
\ No newline at end of file
diff --git a/x-pack/plugins/spaces/public/views/components/index.ts b/x-pack/plugins/spaces/public/views/components/index.ts
index cb41cc6e31e0d8..9a6f95a3d9ed91 100644
--- a/x-pack/plugins/spaces/public/views/components/index.ts
+++ b/x-pack/plugins/spaces/public/views/components/index.ts
@@ -4,6 +4,4 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export { SpaceAvatar } from './space_avatar';
 export { SpaceCards } from './space_cards';
-export { ManageSpacesButton } from './manage_spaces_button';
diff --git a/x-pack/plugins/spaces/public/views/components/space_card.tsx b/x-pack/plugins/spaces/public/views/components/space_card.tsx
index 956c270be39609..1ea9461391b587 100644
--- a/x-pack/plugins/spaces/public/views/components/space_card.tsx
+++ b/x-pack/plugins/spaces/public/views/components/space_card.tsx
@@ -14,7 +14,7 @@ import {
 } from '@elastic/eui';
 import React from 'react';
 import { Space } from '../../../common/model/space';
-import { SpaceAvatar } from './space_avatar';
+import { SpaceAvatar } from '../../components';
 import './space_card.less';
 
 interface Props {
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
index 8e4da3e399541c..606c7d9ad1c7a2 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
@@ -25,7 +25,7 @@ import {
 } from '@elastic/eui';
 
 import { DeleteSpacesButton } from '../components';
-import { SpaceAvatar } from '../../components';
+import { SpaceAvatar } from '../../../components';
 
 import { Notifier, toastNotifications } from 'ui/notify';
 import { SpaceIdentifier } from './space_identifier';
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx
index 4f700113437dcc..d85a9e82c7082a 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx
@@ -6,7 +6,7 @@
 
 import { EuiContextMenuPanel, EuiText } from '@elastic/eui';
 import React, { SFC } from 'react';
-import { ManageSpacesButton } from '../../components';
+import { ManageSpacesButton } from '../../../components';
 import './spaces_description.less';
 
 export const SpacesDescription: SFC = () => {
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx
index b5c805c8e2782f..2376914ec1b114 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx
@@ -8,7 +8,7 @@ import { EuiContextMenuItem, EuiContextMenuPanel, EuiFieldSearch, EuiText } from
 import React, { Component } from 'react';
 import { SPACE_SEARCH_COUNT_THRESHOLD } from '../../../../common/constants';
 import { Space } from '../../../../common/model/space';
-import { ManageSpacesButton, SpaceAvatar } from '../../components';
+import { ManageSpacesButton, SpaceAvatar } from '../../../components';
 import './spaces_menu.less';
 
 interface Props {
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js
index 09dd22d0b1ac47..0c35f175d930d9 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js
@@ -8,7 +8,7 @@ import React from 'react';
 import { shallow, mount } from 'enzyme';
 import { NavControlPopover } from './nav_control_popover';
 import { SpacesManager } from '../../lib/spaces_manager';
-import { SpaceAvatar } from '../components/space_avatar';
+import { SpaceAvatar } from '../../components';
 
 const mockChrome = {
   addBasePath: jest.fn((a) => a)
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
index 1345d3013000ea..ea7a2d0ca4465c 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
@@ -7,8 +7,8 @@
 import { EuiAvatar, EuiPopover } from '@elastic/eui';
 import React, { Component } from 'react';
 import { Space } from '../../../common/model/space';
+import { SpaceAvatar } from '../../components';
 import { SpacesManager } from '../../lib/spaces_manager';
-import { SpaceAvatar } from '../components';
 import { SpacesDescription } from './components/spaces_description';
 import { SpacesMenu } from './components/spaces_menu';
 
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
index ad0bab30ccc90f..5d250c1c92c07a 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
@@ -123,7 +123,8 @@ export function initSpacesApi(server) {
         return reply(wrapError(error));
       }
 
-      return reply(convertSavedObjectToSpace(result));
+      const updatedSpace = convertSavedObjectToSpace(result);
+      return reply(updatedSpace);
     },
     config: {
       validate: {
diff --git a/x-pack/test/functional/apps/security/doc_level_security_roles.js b/x-pack/test/functional/apps/security/doc_level_security_roles.js
index 9a44d595367d4f..535a0c2c4164a8 100644
--- a/x-pack/test/functional/apps/security/doc_level_security_roles.js
+++ b/x-pack/test/functional/apps/security/doc_level_security_roles.js
@@ -34,12 +34,16 @@ export default function ({ getService, getPageObjects }) {
 
     it('should add new role myroleEast', async function () {
       await PageObjects.security.addRole('myroleEast', {
-
-        "indices": [{
-          "names": [ "dlstest" ],
-          "privileges": [ "read", "view_index_metadata" ],
-          "query": "{\"match\": {\"region\": \"EAST\"}}"
-        }]
+        elasticsearch: {
+          "indices": [{
+            "names": ["dlstest"],
+            "privileges": ["read", "view_index_metadata"],
+            "query": "{\"match\": {\"region\": \"EAST\"}}"
+          }]
+        },
+        kibana: {
+          global: ['all']
+        }
       });
       const roles = indexBy(await PageObjects.security.getElasticsearchRoles(), 'rolename');
       log.debug('actualRoles = %j', roles);
@@ -50,9 +54,11 @@ export default function ({ getService, getPageObjects }) {
 
     it('should add new user userEAST ', async function () {
       await PageObjects.security.clickElasticsearchUsers();
-      await PageObjects.security.addUser({ username: 'userEast', password: 'changeme',
+      await PageObjects.security.addUser({
+        username: 'userEast', password: 'changeme',
         confirmPassword: 'changeme', fullname: 'dls EAST',
-        email: 'dlstest@elastic.com', save: true, roles: ['kibana_user', 'myroleEast'] });
+        email: 'dlstest@elastic.com', save: true, roles: ['kibana_user', 'myroleEast']
+      });
       const users = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
       log.debug('actualUsers = %j', users);
       expect(users.userEast.roles).to.eql(['kibana_user', 'myroleEast']);
diff --git a/x-pack/test/functional/apps/security/field_level_security.js b/x-pack/test/functional/apps/security/field_level_security.js
index 89f5416135c578..a0fc042f58540c 100644
--- a/x-pack/test/functional/apps/security/field_level_security.js
+++ b/x-pack/test/functional/apps/security/field_level_security.js
@@ -14,7 +14,7 @@ export default function ({ getService, getPageObjects }) {
   const log = getService('log');
   const PageObjects = getPageObjects(['security', 'settings', 'common', 'discover', 'header']);
 
-  describe('field_level_security',  () => {
+  describe('field_level_security', () => {
     before('initialize tests', async () => {
       await esArchiver.loadIfNeeded('security/flstest');
       await esArchiver.load('empty_kibana');
@@ -28,11 +28,16 @@ export default function ({ getService, getPageObjects }) {
       await PageObjects.settings.navigateTo();
       await PageObjects.security.clickElasticsearchRoles();
       await PageObjects.security.addRole('viewssnrole', {
-        "indices": [{
-          "names": [ "flstest" ],
-          "privileges": [ "read", "view_index_metadata" ],
-          "field_security": { "grant": ["customer_ssn", "customer_name", "customer_region", "customer_type"] }
-        }]
+        elasticsearch: {
+          "indices": [{
+            "names": ["flstest"],
+            "privileges": ["read", "view_index_metadata"],
+            "field_security": { "grant": ["customer_ssn", "customer_name", "customer_region", "customer_type"] }
+          }]
+        },
+        kibana: {
+          global: ['all']
+        }
       });
 
       await PageObjects.common.sleep(1000);
@@ -44,11 +49,16 @@ export default function ({ getService, getPageObjects }) {
 
     it('should add new role view_no_ssn_role', async function () {
       await PageObjects.security.addRole('view_no_ssn_role', {
-        "indices": [{
-          "names": [ "flstest" ],
-          "privileges": [ "read", "view_index_metadata" ],
-          "field_security": { "grant": ["customer_name", "customer_region", "customer_type"] }
-        }]
+        elasticsearch: {
+          "indices": [{
+            "names": ["flstest"],
+            "privileges": ["read", "view_index_metadata"],
+            "field_security": { "grant": ["customer_name", "customer_region", "customer_type"] }
+          }]
+        },
+        kibana: {
+          global: ['all']
+        }
       });
       await PageObjects.common.sleep(1000);
       const roles = indexBy(await PageObjects.security.getElasticsearchRoles(), 'rolename');
@@ -59,9 +69,11 @@ export default function ({ getService, getPageObjects }) {
 
     it('should add new user customer1 ', async function () {
       await PageObjects.security.clickElasticsearchUsers();
-      await PageObjects.security.addUser({ username: 'customer1', password: 'changeme',
+      await PageObjects.security.addUser({
+        username: 'customer1', password: 'changeme',
         confirmPassword: 'changeme', fullname: 'customer one', email: 'flstest@elastic.com', save: true,
-        roles: ['kibana_user', 'viewssnrole'] });
+        roles: ['kibana_user', 'viewssnrole']
+      });
       const users = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
       log.debug('actualUsers = %j', users);
       expect(users.customer1.roles).to.eql(['kibana_user', 'viewssnrole']);
@@ -69,9 +81,11 @@ export default function ({ getService, getPageObjects }) {
 
     it('should add new user customer2 ', async function () {
       await PageObjects.security.clickElasticsearchUsers();
-      await PageObjects.security.addUser({ username: 'customer2', password: 'changeme',
+      await PageObjects.security.addUser({
+        username: 'customer2', password: 'changeme',
         confirmPassword: 'changeme', fullname: 'customer two', email: 'flstest@elastic.com', save: true,
-        roles: ['kibana_user', 'view_no_ssn_role'] });
+        roles: ['kibana_user', 'view_no_ssn_role']
+      });
       const users = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
       log.debug('actualUsers = %j', users);
       expect(users.customer2.roles).to.eql(['kibana_user', 'view_no_ssn_role']);
diff --git a/x-pack/test/functional/apps/security/management.js b/x-pack/test/functional/apps/security/management.js
index 7b87cd4987a9b4..52821744f76652 100644
--- a/x-pack/test/functional/apps/security/management.js
+++ b/x-pack/test/functional/apps/security/management.js
@@ -16,8 +16,6 @@ export default function ({ getService, getPageObjects }) {
   const kibanaServer = getService('kibanaServer');
   const testSubjects = getService('testSubjects');
   const remote = getService('remote');
-  const retry = getService('retry');
-  const find = getService('find');
   const PageObjects = getPageObjects(['security', 'settings', 'common', 'header']);
 
   describe('Management', () => {
@@ -146,23 +144,6 @@ export default function ({ getService, getPageObjects }) {
           const currentUrl = await remote.getCurrentUrl();
           expect(currentUrl).to.contain(EDIT_ROLES_PATH);
         });
-
-        it('Reserved roles are not editable', async () => {
-          // wait for role tab to finish loading from previous test
-          await PageObjects.header.waitUntilLoadingHasFinished();
-
-          const allInputs = await find.allByCssSelector('input');
-          for (let i = 0; i < allInputs.length; i++) {
-            const input = allInputs[i];
-            // Angular can take a little bit to set the input to disabled,
-            // so this accounts for that delay
-            retry.try(async () => {
-              if (!(await input.getProperty('disabled'))) {
-                throw new Error('input is not disabled');
-              }
-            });
-          }
-        });
       });
     });
   });
diff --git a/x-pack/test/functional/apps/security/rbac_phase1.js b/x-pack/test/functional/apps/security/rbac_phase1.js
index 4b444cfbb79dd5..bc1b578ac2b10a 100644
--- a/x-pack/test/functional/apps/security/rbac_phase1.js
+++ b/x-pack/test/functional/apps/security/rbac_phase1.js
@@ -25,27 +25,37 @@ export default function ({ getService, getPageObjects }) {
       await PageObjects.settings.navigateTo();
       await PageObjects.security.clickElasticsearchRoles();
       await PageObjects.security.addRole('rbac_all', {
-        "kibana": ["all"],
-        "indices": [{
-          "names": [ "logstash-*" ],
-          "privileges": [ "read", "view_index_metadata" ]
-        }]
+        kibana: {
+          global: ['all']
+        },
+        elasticsearch: {
+          "indices": [{
+            "names": ["logstash-*"],
+            "privileges": ["read", "view_index_metadata"]
+          }]
+        }
       });
 
       await PageObjects.security.clickElasticsearchRoles();
       await PageObjects.security.addRole('rbac_read', {
-        "kibana": ["read"],
-        "indices": [{
-          "names": [ "logstash-*" ],
-          "privileges": [ "read", "view_index_metadata" ]
-        }]
+        kibana: {
+          global: ['read']
+        },
+        elasticsearch: {
+          "indices": [{
+            "names": ["logstash-*"],
+            "privileges": ["read", "view_index_metadata"]
+          }]
+        }
       });
       await PageObjects.security.clickElasticsearchUsers();
       log.debug('After Add user new: , userObj.userName');
-      await PageObjects.security.addUser({ username: 'kibanauser', password: 'changeme',
+      await PageObjects.security.addUser({
+        username: 'kibanauser', password: 'changeme',
         confirmPassword: 'changeme', fullname: 'kibanafirst kibanalast',
         email: 'kibanauser@myEmail.com', save: true,
-        roles: ['rbac_all'] });
+        roles: ['rbac_all']
+      });
       log.debug('After Add user: , userObj.userName');
       const users = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
       log.debug('actualUsers = %j', users);
@@ -55,10 +65,12 @@ export default function ({ getService, getPageObjects }) {
       expect(users.kibanauser.reserved).to.be(false);
       await PageObjects.security.clickElasticsearchUsers();
       log.debug('After Add user new: , userObj.userName');
-      await PageObjects.security.addUser({ username: 'kibanareadonly', password: 'changeme',
+      await PageObjects.security.addUser({
+        username: 'kibanareadonly', password: 'changeme',
         confirmPassword: 'changeme', fullname: 'kibanareadonlyFirst kibanareadonlyLast',
         email: 'kibanareadonly@myEmail.com', save: true,
-        roles: ['rbac_read'] });
+        roles: ['rbac_read']
+      });
       log.debug('After Add user: , userObj.userName');
       const users1 = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
       const user = users1.kibanareadonly;
diff --git a/x-pack/test/functional/apps/security/secure_roles_perm.js b/x-pack/test/functional/apps/security/secure_roles_perm.js
index 5a693e74b9327a..01be29d7f32d6b 100644
--- a/x-pack/test/functional/apps/security/secure_roles_perm.js
+++ b/x-pack/test/functional/apps/security/secure_roles_perm.js
@@ -32,20 +32,27 @@ export default function ({ getService, getPageObjects }) {
     it('should add new role logstash_reader', async function () {
       await PageObjects.security.clickElasticsearchRoles();
       await PageObjects.security.addRole('logstash_reader', {
-        "indices": [{
-          "names": [ "logstash-*" ],
-          "privileges": [ "read", "view_index_metadata" ]
-        }]
+        elasticsearch: {
+          "indices": [{
+            "names": ["logstash-*"],
+            "privileges": ["read", "view_index_metadata"]
+          }]
+        },
+        kibana: {
+          global: ['all']
+        }
       });
     });
 
     it('should add new user', async function () {
       await PageObjects.security.clickElasticsearchUsers();
       log.debug('After Add user new: , userObj.userName');
-      await PageObjects.security.addUser({ username: 'Rashmi', password: 'changeme',
+      await PageObjects.security.addUser({
+        username: 'Rashmi', password: 'changeme',
         confirmPassword: 'changeme', fullname: 'RashmiFirst RashmiLast',
         email: 'rashmi@myEmail.com', save: true,
-        roles: ['logstash_reader', 'kibana_user'] });
+        roles: ['logstash_reader', 'kibana_user']
+      });
       log.debug('After Add user: , userObj.userName');
       const users = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
       log.debug('actualUsers = %j', users);
diff --git a/x-pack/test/functional/es_archives/dashboard_view_mode/data.json.gz b/x-pack/test/functional/es_archives/dashboard_view_mode/data.json.gz
index 583406fa4da4fac60c9a61b2200badfa15bee987..00e55c17876e9c6f11b90770936dd862b677d2e0 100644
GIT binary patch
literal 1984
zcmV;x2S4~9iwFpst9n}i17u-zVJ>QOZ*BnXT-|QlHWa?kQ)s>%5<AJZ0`*msW*as%
zX%J@}x;iju=~&`Ii7H9OaRWcccD?((z_6zousz2PDaw{?<)^h{3PpgThz_a4!}If<
zLsIn3mglw9B!yPjYX#hIZEM06VVS1f-~&F=B!Fw(p?yh*Bq63#&3n3Qpb0W1K6C>Z
zk&LOLN%BnibFQWLO?TVPD<0?lkd%<v^gODtG))0WU(i%hp6DLu5tSbPQxSMp0M9V|
zqGjKiZWaGex29WLH;<x$D=IU>=m(<Z>b@yI{qy@@|NZ^PzkmL=b3_z5CqoAJtEj?n
zuBs}zqB2DlGq2VU?kx^p@arj}%zHQeoJYUa?YB-~>{S@`TibmjooQB@ks+l-kXRxS
zUr#}tl2G^9+r=gs@$o4UiV}9l$GXpmFbTHh7!>v8fjVI96<h(EwNJ4F2}Aw-4w=%x
zjJQ`7z~@<_3`zPC#KaI|P=fjkVoj&pb1wT;F6cXohuCwG(=hWdK`l*iM1kduh7$$S
zw9`a^K=(oN{_d`xH(V<~{|N>|6f&?vOfRs7;dqdMu(YxzGHML*WAF8eF~;-`pRYG1
zvd!D~O4Qtad*lj&*TY}ISEzPUaUAW2K!hLlj5E#z=;uLTX3Kae6_L@-muAZEGZ2$p
zBj(S6M7<|riDKT$JLB+d@&N{8$^xGVtv)3(m})bRC`09GLtji=Gl{0n3EZ7Gfd1<f
zc1Xm_2z_~@k?Y+u`bwc&_4%@QOB@2;9$ZstZKSOi1m~PHMbirH6@=*GbCN_MbM}lT
z=uL)q%!8bUzJuWu<Z{p$OlV(N?)ZF6#HDeA0v{}pzx`H6lBysF)KMo^=$q*V!6QKB
z4{k*e31JM$T@doZs6vrAUBnTbLZ-N(`Wf<%e<-)@N4a)sGC*%0*vWMFHi0~MI^+`o
ztr>uJ&MCv-NH+&MUUkHkfJPy!K}^!65J1{_(W$3_Bk*2Q;WO}ZAh3B=9)Tn(6F77U
zY3cwe0-}z|^)H;qIuM=}B$~X&N{}k;4ZH0<OFkn3&9o@{-&o2a%d`*d70)MJ#ClSo
z6YYGMaWMf%bn*>K0F;S5HY24{+3j?OL?RHR?ZoJXF#UJPuR7@FA(b78(M)}iou7K&
z_s)6BJE-#>5<zr+KJMjz87*)VdUjkJVL7C=ziRKAE{sg_xbC-d!bpp+41va2k9ATV
z8rn31Bv=~@gG)1oDvX_BrV7R=iS$yzuP6eEH=KA{#vI+$gh4(~zct+?)P}$#jQ&9=
zXz=ksi*L7m&P71c9JXrH0DCIHr&gg>8EJ{MzgFa|3#=!={1m`6FYKh~w;+=4e4_WG
zWaZ5{N><7BD7iF@ZI0nP?Pn);y*kh7<!;6mrEb@OqSv-Y+X6-)Y@E+ry)ex7EOxqP
zEoFSEf;mR)3N+?+EBDa_g3)(T(wQKeNr2#BBWKOyTS{ekySS@rfN6Ap$rD}CwRzYz
zfYlw-Kt+v`E0@EWK-W^X1sOYZ70io>pP_3pmMv4lS%(I~lt$Va=JhrsQsv~bFi92<
zZK!WtNqP$gtE;Xep=0amOpNw=6v+8B-Ka6uu%F{ja}cL6nZ*2$j_ufNneqoZu`REE
z-5M<~PTa=49}$-s+-DRuLer`U_Spp-=LtLl8b&TFi-<oC$~@FHh#%1e+Qr6@n>@g1
zaw#2Zfd&pI{{qvU>uM#9(imc{S659b2Flp!SUXKat>&fwm<JRWkAd6lYj+izq8zi=
z))ZmTcO+FX(CyBbM(?pnIhW$LwTDBanSBn&iZLH0xXi}4Bm(We4cS|8sGLE*Ygm<_
zOnk5i1?4_9JbXLMc|;praal)d7LK)Gj#j1XO(w^+<X}yu!1`jOjAG5h)@JNYF2jo3
z5~}Vzu6)!tNIA8~5*x2qP&1B!#_TFtshZ<7g-4qMG3N<s>2#(MQpuDj(zO^bVvy2(
z(NJuF@dj1A3!CcA5iCb!#}>PmE=^^&DxF7gEv`7ulv4PPkIdZr=B)T`463<CdA+&q
z_;{sx(TZ|3;D8$g*7-J5<7`tt7Ib}@-K72Fnw4VXY&YBBZl2m)C+MQuZk}eEuyeR@
z!@<Sb)%>28tJBwfRp|ON74vD@h>E&z)0*?iXXBu+v9MgMWz%fPsEk}65f2tW_1N&P
z@L)aP=dL1w^tpi5k>=w>xM<2H=bcju8@?dvEeyHRWu=tnwp-JENGgwblBv0?xWCeT
z|2>(~@lxqB;@7(yy4753&ZjFfYYtTVQv|PQvgvrWzeBJ%@=9T=ZyT>OZuJin<aZHE
z@5-2S6=}K4caBYnq@0-~+pS!DuDuN%VEtft9D*7HB&Yh2t2Bx**Amb4B$4=h`*XS~
zjhc$(5+J3F-UUa?n|_jh(ERi@O)dhXhQ2`&(`rbElhP~%AI}hYok&&h!cS1O?waD*
z_}Qk*iseyPf~eYH!8}cpfWZkr1Bu~V!hsQ1_`TfGpY1*<MpHnQB<8xcAjKEo_l4^%
ziGNmKzI*=sVy!`Qn_8d3=5aFofdJwr!!M4!QutshCu_~{waL6TW8abCpMKipv-@e2
SdawP=(dmEeGM+yVP5=O?n&e6V

literal 1896
zcmV-u2bcICiwFP!000026YX5xZre5#zRyz_z8n%e$$o(Ps!6*I8=5qTvkqMy2()x8
zaiv6+q~f@NpJTh;{a#?$(+t?2V~3<<OSY1<i)Ru=ZrbSZ=Nz4%?;Mh%Z+1GJuA1f0
z9dx=854*dXa79?5DL43lk2H(mT6gHZrDKv2)2U^g?iy*r6_o{H^gU6OXM<Pur@wyv
z<DWl&`}_A__MQ_(F36ZcHCFOMgiE$H295d3?wwWga-1GX6*EKInRiy1SMv=OQD)rD
z$j&k94o2Nmn06Wyjk>!dBb{khdLl#0i6E&&A`Z_%oRL`fIM~M~negcu5sDIa&ZoN1
zgfIzZ%LynN$|H5e*bBG<wrHPY2NK8n`3+7=Bg65aDL}}JOc|046G(|6rl153SHzmn
zcbBsqHfKqwR6NF>t22#@@GYpd7o1RFcB1i2fi&$jQy|cNkbJnmuiqQ46`=n_!5D>%
zN+IT#*usz>WFSgf-4X>ghWLK?^3)ik(HMaY1<gyNciT;g)7tif8r8b*kX%9Za{M!d
z3e`>;j-%ZWhzOIRamIxJBO3(fZ5fZHA~M<g%)Iiu0>sQ}#QYgZ)O!}!C}x!HjO^L$
zJp@zAqL2u!J|zm6Yco$ML*;2hU(UM=iRL@?|MkD~o%znrjf245dj;sfAz{ZvJWJ4*
zw;H*fTev?cbele3_il+S;Pufpm8Ffe^`hv4bEatCpuK<?U3^KBD5Ra9(G0!G%$@Sc
z($IG>oFXd+O~HirWjQ-OpAhlZxIu*v5ll$I)a$QxB&h~+KpS;d3Vk!*B6vio{NPpu
zkr1bl-31{}jVcsL^Hm(dS11%W)Ud$$)9>nShl$lL%>wl1pnRFZ!8VZRPKSI1pbZ1i
z-UVeC9QpP@r_<#4uo?lU3R04<g#gkns!l@<98u>P6(NI;1%fiK%I6@7Dg?5Q?gpd;
zh&mzHKXIPwK=`U6(d=bTLaMYk?Dq~z@;QlUp+!0TvZNfdLi@l$^?b@js$U9pqFu6?
zRxbdVPQFnMfC^z_Gf^s+gMNQZBmzO+%Zy$K(|^bOs*i3SQ`wgo%`^nr|6%y;@Pg;O
zk2)VB5k&vTlcD{~Xn~v1EBTfYW+AQjd2iozVPt0GdepUqi56cO0!^_V>*qQ&v}pv%
zBwE7Y(n6sMV`p5bYGRZ`c5=b5C;~}mJnLu~ExM^01IuXCoo^FrW8eu!e-H~AeLT?O
z=w8UVh$xz)tlBido(TwPsnAjxd5v_qQRHk3tVh87FMw$V?B(dUAhN;oMej$+#>gc~
zHp%TMxyGh!PT?EvXQw1J-Ih7M-p#n8)a^P@GVE)#EnotojPr%7SBBYL#LmF1rHn5%
zFvp19fJSS#dLLaN7=2eIoe8pq1PBgg<ZPIKNolYz7k5n!Fpcidc&0159*+kGum)2a
zsl+R}tQ^h+x|Xsh$kd^$U|vN0j9rVdZkZa+Iy4ZbG}0?DulE>{%988CWJNkILw)N?
z(pxZCT@4h89a~RlVzig?$AQ$8YS_29;}7CgCX<-|(Xkzytx#d06WjXw*R9cPapE@S
z!-TlZ;31=^5t=teD4$)xu}$C!&^U2fStMM#WS^2Sp&9h5jUhLAfYI!&bf^UyIehu2
znC@IxD|wQqkaE4c@}(H4W2a;7_=Z~krT>&i6c>+?+w5EJD)^!tv)AU)(oj+bfo^xc
zG<t_k%C7}lZSCREXl9?ov0`LSLXiG=Zj}hM`+Bms;7~b%-8F1VP$zz{2o>c%HGKGX
zm>;;}vX0bKIM#wWT9vLhnH<-W!G=nK&BaI^#r(roKlUcqVa06;)pj0NKk5r|PRnD7
zt=B848OK0lc9lx0{PSpYAm-f}fFDxHoM+Ot7*A7>(tXiTZGds<?WVeKi0s&6*V3h_
z%vPnJxZ*fdN)b9fGIQ^ni{jfGRCA5;dUM<H@rr-ZigI{xz>NXxe4EKT+tiN*U7u$A
zw13>PQuNMtiw$m1mm?0vs;X`OG~>h0;mQpM7iU+?ds?neU+t>Ui%-)gRJ47Y=Fcae
zK7U;3=eb&5j2V@Q>m%ZTMoxEygUx)O`w$6a$i)Ue`usQ%F1x;5RXU@v<qMLX6_yXW
ztdvvO<b6mgpYyCxK3!?P|DH_kc&T<7@r(T}-D++%=i?Qb4F_uZQv@$)w(WQ=e}`a|
z^Mk@x-!|UpJ?4Z@?Onv$SebIJ5-qoEKsH)A=gcJ8=EdjM+t3l#4`z;IP*Z^HOdoR9
zxCnDC@m#+o5}$lhSEW%?sayl3oYA}BXnoU9()W5keNB^#$f#jtP{dx9)THBC?JWeK
zE)aN=NY(Dbk5IMgn&QOx*|y7yb*>MBsMcV?JWaBQ!6`oniQ!wrfeBXlL+j{Y?SD{=
z=71{6%ynx)sxQ9p3)fo`|DwKp^W@3pMuX-ywLXT;|C8a51Q0hFewFis!Ut11*=UAu
iP3El``;H9%_|qnz+)tadd+n!<PX7WbaKFY3O#lFvk-j_t

diff --git a/x-pack/test/functional/es_archives/dashboard_view_mode/mappings.json b/x-pack/test/functional/es_archives/dashboard_view_mode/mappings.json
index d8899a4dedb278..890f4be575fae6 100644
--- a/x-pack/test/functional/es_archives/dashboard_view_mode/mappings.json
+++ b/x-pack/test/functional/es_archives/dashboard_view_mode/mappings.json
@@ -268,9 +268,37 @@
                 "type": "integer"
               }
             }
+          },
+          "spaceId": {
+            "type": "keyword"
+          },
+          "space": {
+            "properties": {
+              "name": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              },
+              "description": {
+                "type": "text"
+              },
+              "initials": {
+                "type": "keyword"
+              },
+              "color": {
+                "type": "keyword"
+              },
+              "_reserved": {
+                "type": "boolean"
+              }
+            }
           }
         }
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/x-pack/test/functional/es_archives/discover/data.json.gz b/x-pack/test/functional/es_archives/discover/data.json.gz
index 020ca814620a8546a0022c72ccc0fb8dc48411e2..df05dfd8998f4069c4e070b555e7421b5d5366da 100644
GIT binary patch
literal 1115
zcmV-h1f=^PiwFqDt9n}i17u-zVJ>QOZ*Bn1TTO4<I1s)2S7>!y#73Mfx~)zrw%9{~
zwukJk4g{JSTijBjN>ce)!~cDUq-0C6i>7VjArJ@Va7aGCA%~+OwV5PIY9AU%vm`AP
zPtTm-mdVyhHdw%-s0+Av3bQX_$!g}6j<j>Cg%g;DamWf-u~yo?%BWWJeXoP|UcFOG
z`r=*>MK!Cu=DSgszN!GjwP>tRwbS^g6ehtxTSC$SNPLICrCpotr2oI2Y$ub=i!k6D
zOdDn`=sJ^XZ7eh8^!M+RF>1LdWh@?%V}+Hz>A^5vbp?M5kj2N2#49I3#i|*qt(=N+
z^`AEjPxvCu7O936XwZxFY~dk#p|M)jYcJ!ftt|@A@p~`?6j)p_X#hnYwwGAlIsuX=
zAO0KZAbGjx+jMH%vmpYu1~<a<kKai~!~1sQ@ij<>o&Ke2i$G>-orwxDWp|>mWmLEV
z4l+RZ#>_OkBb+KFumVS;hH+?_fs-OMPz9FFS_66}nXy4U1XH)wvRmpWCy8k*xP;8I
zHL>;9pk`>V7jZd1$Bn%c&g}=k6OYH~O=f_*iA`*_*7DqKY-0!o0;V+@XS$$X^Soq~
zJ2;mD84=AGLRY46$6*66L99#4$f8s)<7J*YH5e~N4Y+PA!hJxB`imiCK@@~P{tCA{
z>S(1Yn+htWAL0oHhQ5=So!GoqeA|De3V{!g1?}$ZyNHLJR?B$6;M_67LhkCxAC10Z
zl_f{<t!EEHqxn1sF)=<<M!6e*V<T|WH<H`}Avt--8jcYRg-?diOTI_L)6-$(E86=N
z$~e+>LCgZ&qfHETl8HE$%%3R~c)m3<^kVV();MyLhi-*7gmPIxu9QZfkGLLreXPtI
zCAwpYlgBH_46&o}S)~qDJd>uM(f&Y;d_y`oorwaKX;f{fVO&*U41LhhC%{xh5$~g<
zdOW~_M<%w|y`eOfPgRny;G=$pc&9X)6Cat;&&^%%9gSC`_VO;dO?<o(-)co15gc&i
zf+bHgMQ5Agu^{znc1-!>BTtIa*>0EMj*m9#4Z4rE<6|a<%;EkvB-z>3^5G!EaN^U~
z@Ki{BO~qeLTM2#aZdyE7KBIGe(YodSS+;4HQkatZh&X?I)#Joj;rw~-=l%);!<B|#
z_cT8S;pU__?+q}`%Zx4O7jVhXr>l$0`E)*qSJO9tynZ$P^YU^zXZ+2@#hg9i%>>`s
z;MIgsK7RfFZF0?Sp-8UBjSk;Y7%L|42DO7mrLgWg{`o+}m29ipNk8v|DDI8`)1B;Q
z(8efjA2&Gq20(}NcrUl0O+Y^%NP|iIkNLFx7r6a^ZhXYfj<ahI@%{CukB))OqE2>q
zHZuIWe|5plL|0j26fRvP{#Ht-6PCTJSqW*~jKv>y6C__-a7Ru!@V=P$YilG8qwNOi
hCUAZyWDzcEhJmnh8$R1TAKRnT_<!~zModC8000(nCgA`8

literal 1030
zcmV+h1o`_PiwFP!000026U|%AZrd;nzUL_dABQGr+M!!>>abyl0b36}E`_1UOsq||
zJW1})g1q}E*-7jsKszied1w(+l=+2}D2ilOgW)joj};`-VUih{oCLz1&~>1!@BtrH
znZZL~82?mrQHscPU|wL&0wGQqRl<9)<y4!c^TOq$HybWzYAbgFI<M-@Y}toT$-8-B
zrt&&Y-4oLe7w}nu&c2BvvRwrVG8R>rZ4p>p82`SSB_;CClIbk5umB5omYmEY#7K1B
zs&W}=($u9#;wgT1(yGcshK~!O9Uv*fjuda}KtSc`$KO33R9+hO?OL|=Nf&`wLXdEL
z`7Na<KF;gQx1a^S^rI;~0vVg-R27J6dap8{v%=NjAOrN^+}MhH!ljaf$WR(JjD5>w
z&`46IBs5R~UW{u8cC3Z-4Y>=Ztc!WO)n8pn!g?h&OubkVTW<+wjP~+;7LdPJ!R<GG
zhmXhEn9P9;3!B(%wU=o)*!mDM1Wao*DQrf)=VdM^PjIOfYD86i2<<b4J8ll}9Mm$W
zj4X2FD8&~-=BfnTw*}!jpjG+P5o$qYgkSy&k2~sUrOK-U3S%Gn1Or{)Nvs`iUW?!H
zUzkkc<uRi@ed8<mD5tiX)z#1`4`~=DzZ(6*A<yfA*13BS8ZG8Ih!x{1A;IxkxtoI^
zEMF$M1w!SdP1dlFpi6u)gbn36HM~3>#>1~r#*yI_#9Dv{w27lmG7-m;>5)Q#<L!~I
z7vtw!dE_Sd-3o086|#WR7>hn1aXs<+IG9#OwPlG{k5^DL#EvFrm0DE%R&*?gv8w^_
zK;<e^I%*hK1vp0^G;9)J#<5MRbMwf=7JG1%ri!Ubo_>Y+q;ysim(1wb<~I0d<JG9W
zd`NB+msj}hR>Z-ez>OQ0Jk7+;Hr=uybv2t){`kO6k)7?f32vs>5kgp-Xq%sAIAjiY
z-H>FptNG(zhT)Z~ug$HHMQhqZ*+ac)d|Ey^Hy84(t5x+}E0<H3h*Oo3W`)z^^ymHy
z0w;|<LeuBpLAXuYF7x$Z^M5^94+g9M(s}PdSeZ}7d~yco@^rK~JD-du6Sx>%zI}f&
zdUt+4p9pz*b~X{uH{&-i+jZf$&xhOZKMZfg9c06s{v>4S?9hG2;it}MXHu?wXvaV8
zkfhOdQ3mSwEfL9W2{75xZaZ_FvHt0VgTDZ1aUOol9az_(pLD2=N#d8ep8o*pzoHxO
zX=kgmn+WmC&GomSfz_-WZhJPS_;L5sg|HICV2)9^4w3i=tpiW9?Ze1IX&+WBeyQ7r
z@~ehWazeqo$8@u|delbRR!F;m(|e_}rctvIgoEqmZ@tsU`p`1|1K)`44L>pf0Eqwq
AQvd(}

diff --git a/x-pack/test/functional/es_archives/discover/mappings.json b/x-pack/test/functional/es_archives/discover/mappings.json
index 724d6cdd018f8b..f72b7c5a91dc04 100644
--- a/x-pack/test/functional/es_archives/discover/mappings.json
+++ b/x-pack/test/functional/es_archives/discover/mappings.json
@@ -268,9 +268,37 @@
                 "type": "text"
               }
             }
+          },
+          "spaceId": {
+            "type": "keyword"
+          },
+          "space": {
+            "properties": {
+              "name": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              },
+              "description": {
+                "type": "text"
+              },
+              "initials": {
+                "type": "keyword"
+              },
+              "color": {
+                "type": "keyword"
+              },
+              "_reserved": {
+                "type": "boolean"
+              }
+            }
           }
         }
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/x-pack/test/functional/es_archives/empty_kibana/data.json.gz b/x-pack/test/functional/es_archives/empty_kibana/data.json.gz
index bffef555b9bf347ab7c7bdb121e56d909cb9b51d..d9708ad59f56f10161c554f17528ce7737eef3a3 100644
GIT binary patch
literal 230
zcmV<C02%)uiwFo~ta@7j17u-zVJ>QOZ*Bm!kY5XeFcih#_bJw%O$@@q*P_Rs>;qi4
znIqjqx2VML-sYc75PAy6;GFxrhn+PDW1^oWClMx0QQ|q{4!LnoV}+GMGX8LYe-jBv
z=%9r?hcahSB~x*YLO<|>HRNRmn-Qp$spypbmC`Q_9RBEuv|eIF&d#Q=?tUBYylKKf
z^OLFy(2;(*xJ!H>!?;D`-J%wu<}aP=5-5)tPr>B+ciRr1%Jy>BRYK8`$5~`wme;fr
gr4~v$BF;pO?a>*>!vk;^xLW>!H(!t@zV!hB0C=fzk^lez

literal 158
zcmV;P0Ac?hiwFP!000026RYM@P*5tVEJ#(dQcz0CPgc?a36v$~l!8R6fgB(=GcP5z
z0;E7MJ2NRUFA=N=i$0Lj6p%o2eqLH;x|Nxpfu4bGVopIuq9IH{aeir0GQw;mQy`k4
z>J;F7gi4@TQfX#RieG6iP}IW2%v=W{lag4H>Xu)Wn^<C1QUx+DG{jj6DqYJ3BWt;8
M0jRek?D7Br0HWqRGXMYp

diff --git a/x-pack/test/functional/es_archives/empty_kibana/mappings.json b/x-pack/test/functional/es_archives/empty_kibana/mappings.json
index 81888c31185da8..aeea7f7bcea4b4 100644
--- a/x-pack/test/functional/es_archives/empty_kibana/mappings.json
+++ b/x-pack/test/functional/es_archives/empty_kibana/mappings.json
@@ -247,9 +247,37 @@
                 "type": "text"
               }
             }
+          },
+          "spaceId": {
+            "type": "keyword"
+          },
+          "space": {
+            "properties": {
+              "name": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              },
+              "description": {
+                "type": "text"
+              },
+              "initials": {
+                "type": "keyword"
+              },
+              "color": {
+                "type": "keyword"
+              },
+              "_reserved": {
+                "type": "boolean"
+              }
+            }
           }
         }
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/x-pack/test/functional/page_objects/security_page.js b/x-pack/test/functional/page_objects/security_page.js
index 96e30e152689f1..2581daef24f3da 100644
--- a/x-pack/test/functional/page_objects/security_page.js
+++ b/x-pack/test/functional/page_objects/security_page.js
@@ -142,7 +142,7 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
 
     async addIndexToRole(index) {
       log.debug(`Adding index ${index} to role`);
-      const indexInput = await retry.try(() => find.byCssSelector('[data-test-subj="indicesInput0"] > div > input'));
+      const indexInput = await retry.try(() => find.byCssSelector('[data-test-subj="indicesInput0"] input'));
       await indexInput.type(index);
       await indexInput.type('\n');
     }
@@ -150,9 +150,18 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
     async addPrivilegeToRole(privilege) {
       log.debug(`Adding privilege ${privilege} to role`);
       const privilegeInput =
-        await retry.try(() => find.byCssSelector('[data-test-subj="privilegesInput0"] > div > input'));
+        await retry.try(() => find.byCssSelector('[data-test-subj="privilegesInput0"] input'));
       await privilegeInput.type(privilege);
-      await privilegeInput.type('\n');
+
+      const btn = await find.byButtonText(privilege);
+      await btn.click();
+
+      // const options = await find.byCssSelector(`.euiComboBoxOption`);
+      // Object.entries(options).forEach(([key, prop]) => {
+      //   console.log({ key, proto: prop.__proto__ });
+      // });
+
+      // await options.click();
     }
 
     async assignRoleToUser(role) {
@@ -188,7 +197,7 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
         const fullnameElement = await user.findByCssSelector('[data-test-subj="userRowFullName"]');
         const usernameElement = await user.findByCssSelector('[data-test-subj="userRowUserName"]');
         const rolesElement = await user.findByCssSelector('[data-test-subj="userRowRoles"]');
-        const isReservedElementVisible =  await user.findByCssSelector('td:last-child');
+        const isReservedElementVisible = await user.findByCssSelector('td:last-child');
 
         return {
           username: await usernameElement.getVisibleText(),
@@ -203,9 +212,9 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
       const users = await testSubjects.findAll('roleRow');
       return mapAsync(users, async role => {
         const rolenameElement = await role.findByCssSelector('[data-test-subj="roleRowName"]');
-        const isReservedElementVisible =  await role.findByCssSelector('td:nth-child(3)');
+        const isReservedElementVisible = await role.findByCssSelector('td:nth-child(3)');
 
-        return  {
+        return {
           rolename: await rolenameElement.getVisibleText(),
           reserved: (await isReservedElementVisible.getProperty('innerHTML')).includes('roleRowReserved')
         };
@@ -243,27 +252,25 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
     }
 
     addRole(roleName, userObj) {
+      const self = this;
+
       return this.clickNewRole()
         .then(function () {
           // We have to use non-test-subject selectors because this markup is generated by ui-select.
-          log.debug('userObj.indices[0].names = ' + userObj.indices[0].names);
+          log.debug('userObj.indices[0].names = ' + userObj.elasticsearch.indices[0].names);
           return testSubjects.append('roleFormNameInput', roleName);
         })
         .then(function () {
           return remote.setFindTimeout(defaultFindTimeout)
-          // We have to use non-test-subject selectors because this markup is generated by ui-select.
-            .findByCssSelector('[data-test-subj="indicesInput0"] .ui-select-search')
-            .type(userObj.indices[0].names);
+            .findByCssSelector('[data-test-subj="indicesInput0"] input')
+            .type(userObj.elasticsearch.indices[0].names + '\n');
         })
         .then(function () {
-          return remote.setFindTimeout(defaultFindTimeout)
-          // We have to use non-test-subject selectors because this markup is generated by ui-select.
-            .findByCssSelector('span.ui-select-choices-row-inner > div[ng-bind-html="indexPattern"]')
-            .click();
+          return testSubjects.click('restrictDocumentsQuery0');
         })
         .then(function () {
-          if (userObj.indices[0].query) {
-            return testSubjects.setValue('queryInput0', userObj.indices[0].query);
+          if (userObj.elasticsearch.indices[0].query) {
+            return testSubjects.setValue('queryInput0', userObj.elasticsearch.indices[0].query);
           }
         })
 
@@ -276,19 +283,17 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
               // We have to use non-test-subject selectors because this markup is generated by ui-select.
               return promise
 
-                .then(function () {
+                .then(async function () {
                   log.debug('priv item = ' + privName);
-                  remote.setFindTimeout(defaultFindTimeout)
-                    .findByCssSelector(`[data-test-subj="kibanaPrivileges-${privName}"]`)
-                    .click();
+                  return find.byCssSelector(`[data-test-subj="kibanaMinimumPrivilege"] option[value="${privName}"]`);
                 })
-                .then(function () {
-                  return PageObjects.common.sleep(500);
+                .then(function (element) {
+                  return element.click();
                 });
 
             }, Promise.resolve());
           }
-          return userObj.kibana ? addKibanaPriv(userObj.kibana) : Promise.resolve();
+          return userObj.kibana.global ? addKibanaPriv(userObj.kibana.global) : Promise.resolve();
         })
 
         .then(function () {
@@ -297,25 +302,10 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
 
             return priv.reduce(function (promise, privName) {
               // We have to use non-test-subject selectors because this markup is generated by ui-select.
-              return promise
-                .then(function () {
-                  return remote.setFindTimeout(defaultFindTimeout)
-                    .findByCssSelector('[data-test-subj="privilegesInput0"] .ui-select-search')
-                    .click();
-                })
-                .then(function () {
-                  log.debug('priv item = ' + privName);
-                  remote.setFindTimeout(defaultFindTimeout)
-                    .findByCssSelector(`[data-test-subj="privilegeOption-${privName}"]`)
-                    .click();
-                })
-                .then(function () {
-                  return PageObjects.common.sleep(500);
-                });
-
+              return promise.then(() => self.addPrivilegeToRole(privName)).then(() => PageObjects.common.sleep(250));
             }, Promise.resolve());
           }
-          return addPriv(userObj.indices[0].privileges);
+          return addPriv(userObj.elasticsearch.indices[0].privileges);
         })
         //clicking the Granted fields and removing the asterix
         .then(function () {
@@ -325,8 +315,8 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
               return promise
                 .then(function () {
                   return remote.setFindTimeout(defaultFindTimeout)
-                    .findByCssSelector('[data-test-subj="fieldInput0"] .ui-select-search')
-                    .type(fieldName + '\t');
+                    .findByCssSelector('[data-test-subj="fieldInput0"] input')
+                    .type(fieldName + '\n');
                 })
                 .then(function () {
                   return PageObjects.common.sleep(1000);
@@ -335,13 +325,13 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
             }, Promise.resolve());
           }
 
-          if (userObj.indices[0].field_security) {
+          if (userObj.elasticsearch.indices[0].field_security) {
             // have to remove the '*'
             return remote.setFindTimeout(defaultFindTimeout)
-              .findByCssSelector('div[data-test-subj="fieldInput0"] > div > span > span > span > span.ui-select-match-close')
+              .findByCssSelector('div[data-test-subj="fieldInput0"] .euiBadge[title="*"]')
               .click()
               .then(function () {
-                return addGrantedField(userObj.indices[0].field_security.grant);
+                return addGrantedField(userObj.elasticsearch.indices[0].field_security.grant);
               });
           }
         })    //clicking save button
@@ -377,10 +367,10 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
         .then(() => {
           return PageObjects.common.sleep(2000);
         })
-        .then (() => {
+        .then(() => {
           return testSubjects.getVisibleText('confirmModalBodyText');
         })
-        .then ((alert) => {
+        .then((alert) => {
           alertText = alert;
           log.debug('Delete user alert text = ' + alertText);
           return testSubjects.click('confirmModalConfirmButton');

From 0ecf9e788ee8ae3d187f79587af15fb5fe984f1e Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 27 Aug 2018 10:56:26 -0400
Subject: [PATCH 103/183] fix typescript errors

---
 .../edit_role/components/delete_role_button.tsx        |  1 +
 .../management/edit_role/components/edit_role_page.tsx |  3 ++-
 .../components/privileges/es/cluster_privileges.tsx    |  3 ++-
 .../privileges/es/elasticsearch_privileges.tsx         |  1 +
 .../components/privileges/es/index_privilege_form.tsx  |  2 ++
 .../privileges/kibana/kibana_privileges.test.tsx       |  3 ++-
 .../components/privileges/kibana/kibana_privileges.tsx |  3 ++-
 .../privileges/kibana/privilege_space_form.test.tsx    |  8 ++++++--
 .../views/management/edit_role/lib/copy_role.test.ts   |  1 +
 .../management/edit_role/lib/validate_role.test.ts     | 10 +++++-----
 .../views/management/edit_role/lib/validate_role.ts    |  2 +-
 11 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.tsx
index 6bb0483456580e..28b3107a96c42f 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/delete_role_button.tsx
@@ -6,6 +6,7 @@
 
 import {
   EuiButtonEmpty,
+  // @ts-ignore
   EuiConfirmModal,
   // @ts-ignore
   EuiOverlayMask,
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
index b15221336f173a..d4497582a75119 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
@@ -24,6 +24,7 @@ import React, { ChangeEvent, Component, HTMLProps } from 'react';
 import { toastNotifications } from 'ui/notify';
 import { Space } from '../../../../../../spaces/common/model/space';
 import { IndexPrivilege } from '../../../../../common/model/index_privilege';
+import { KibanaApplicationPrivilege } from '../../../../../common/model/kibana_application_privilege';
 import { Role } from '../../../../../common/model/role';
 import { isReservedRole } from '../../../../lib/role';
 import { deleteRole, saveRole } from '../../../../objects';
@@ -41,7 +42,7 @@ interface Props {
   rbacEnabled: boolean;
   allowDocumentLevelSecurity: boolean;
   allowFieldLevelSecurity: boolean;
-  kibanaAppPrivileges: string[];
+  kibanaAppPrivileges: KibanaApplicationPrivilege[];
   notifier: any;
   spaces?: Space[];
   spacesEnabled: boolean;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.tsx
index 3dbac8c31ae9c5..2bfa2f38419af6 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.tsx
@@ -13,11 +13,12 @@ import {
 import React, { Component } from 'react';
 import { Role } from '../../../../../../../common/model/role';
 import { isReservedRole } from '../../../../../../lib/role';
+// @ts-ignore
 import { getClusterPrivileges } from '../../../../../../services/role_privileges';
 
 interface Props {
   role: Role;
-  onChange: (role: Role) => void;
+  onChange: (privs: string[]) => void;
 }
 
 export class ClusterPrivileges extends Component<Props, {}> {
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.tsx
index 88176d55ae7fd4..bd8958286a17fc 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.tsx
@@ -19,6 +19,7 @@ import {
 } from '@elastic/eui';
 import React, { Component, Fragment } from 'react';
 import { Role } from '../../../../../../../common/model/role';
+// @ts-ignore
 import { documentationLinks } from '../../../../../../documentation_links';
 import { RoleValidator } from '../../../lib/validate_role';
 import { CollapsiblePanel } from '../../collapsible_panel';
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx
index 0468afdb6b9890..4072d3b2f90088 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx
@@ -6,6 +6,7 @@
 import {
   // @ts-ignore
   EuiButtonIcon,
+  // @ts-ignore
   EuiComboBox,
   EuiFlexGroup,
   EuiFlexItem,
@@ -17,6 +18,7 @@ import {
 } from '@elastic/eui';
 import React, { ChangeEvent, Component, Fragment } from 'react';
 import { IndexPrivilege } from '../../../../../../../common/model/index_privilege';
+// @ts-ignore
 import { getIndexPrivileges } from '../../../../../../services/role_privileges';
 import { RoleValidator } from '../../../lib/validate_role';
 
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx
index 24990ad1195cd4..400c2ab9e2b965 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx
@@ -6,6 +6,7 @@
 
 import { shallow } from 'enzyme';
 import React from 'react';
+import { KibanaApplicationPrivilege } from '../../../../../../../common/model/kibana_application_privilege';
 import { RoleValidator } from '../../../lib/validate_role';
 import { KibanaPrivileges } from './kibana_privileges';
 import { SimplePrivilegeForm } from './simple_privilege_form';
@@ -38,7 +39,7 @@ const buildProps = (customProps = {}) => {
       },
     ],
     editable: true,
-    kibanaAppPrivileges: ['all', 'read'],
+    kibanaAppPrivileges: [{ name: 'all' } as KibanaApplicationPrivilege],
     onChange: jest.fn(),
     validator: new RoleValidator(),
     ...customProps,
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx
index db74c810027fb0..d9a4ba73af9639 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx
@@ -6,6 +6,7 @@
 
 import React, { Component } from 'react';
 import { Space } from '../../../../../../../../spaces/common/model/space';
+import { KibanaApplicationPrivilege } from '../../../../../../../common/model/kibana_application_privilege';
 import { Role } from '../../../../../../../common/model/role';
 import { RoleValidator } from '../../../lib/validate_role';
 import { CollapsiblePanel } from '../../collapsible_panel';
@@ -17,7 +18,7 @@ interface Props {
   spacesEnabled: boolean;
   spaces?: Space[];
   editable: boolean;
-  kibanaAppPrivileges: string[];
+  kibanaAppPrivileges: KibanaApplicationPrivilege[];
   onChange: (role: Role) => void;
   validator: RoleValidator;
 }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.test.tsx
index c51dd1786904fd..95494567446b74 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.test.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.test.tsx
@@ -6,10 +6,14 @@
 
 import { shallow } from 'enzyme';
 import React from 'react';
+import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
 import { RoleValidator } from '../../../lib/validate_role';
 import { PrivilegeSpaceForm } from './privilege_space_form';
 
 const buildProps = (customProps = {}) => {
+  const availablePrivileges: KibanaPrivilege[] = ['all', 'read'];
+  const selectedPrivilege: KibanaPrivilege = 'none';
+
   return {
     availableSpaces: [
       {
@@ -25,8 +29,8 @@ const buildProps = (customProps = {}) => {
       },
     ],
     selectedSpaceIds: [],
-    availablePrivileges: ['all', 'read'],
-    selectedPrivilege: 'none',
+    availablePrivileges,
+    selectedPrivilege,
     onChange: jest.fn(),
     onDelete: jest.fn(),
     validator: new RoleValidator(),
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/copy_role.test.ts b/x-pack/plugins/security/public/views/management/edit_role/lib/copy_role.test.ts
index 992c67ba85e73b..5bd7aa8d6aeca0 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/copy_role.test.ts
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/copy_role.test.ts
@@ -10,6 +10,7 @@ import { copyRole } from './copy_role';
 describe('copyRole', () => {
   it('should perform a deep copy', () => {
     const role: Role = {
+      name: '',
       elasticsearch: {
         cluster: ['all'],
         indices: [{ names: ['index*'], privileges: ['all'] }],
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.ts b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.ts
index b6f6b4234335d5..162cd0cd2eab64 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.ts
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.test.ts
@@ -285,7 +285,7 @@ describe('validateInProgressSpacePrivileges', () => {
       },
     ]);
 
-    expect(validator.validateInProgressSpacePrivileges(role)).toMatchObject({
+    expect(validator.validateInProgressSpacePrivileges(role as Role)).toMatchObject({
       isInvalid: false,
     });
   });
@@ -327,7 +327,7 @@ describe('validateSpacePrivileges', () => {
       },
     };
 
-    expect(validator.validateSpacePrivileges(role)).toEqual({ isInvalid: false });
+    expect(validator.validateSpacePrivileges(role as Role)).toEqual({ isInvalid: false });
   });
 
   it('should validate when a space privilege is defined', () => {
@@ -346,7 +346,7 @@ describe('validateSpacePrivileges', () => {
       },
     };
 
-    expect(validator.validateSpacePrivileges(role)).toEqual({ isInvalid: false });
+    expect(validator.validateSpacePrivileges(role as Role)).toEqual({ isInvalid: false });
   });
 
   it('should validate when both global and space privileges are defined', () => {
@@ -366,7 +366,7 @@ describe('validateSpacePrivileges', () => {
       },
     };
 
-    expect(validator.validateSpacePrivileges(role)).toEqual({ isInvalid: false });
+    expect(validator.validateSpacePrivileges(role as Role)).toEqual({ isInvalid: false });
   });
 
   it('should invalidate when in-progress space privileges are not valid', () => {
@@ -392,6 +392,6 @@ describe('validateSpacePrivileges', () => {
       },
     ]);
 
-    expect(validator.validateSpacePrivileges(role)).toEqual({ isInvalid: true });
+    expect(validator.validateSpacePrivileges(role as Role)).toEqual({ isInvalid: true });
   });
 });
diff --git a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.ts b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.ts
index 4e8755cfae92c5..f4ada14fde8efa 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.ts
+++ b/x-pack/plugins/security/public/views/management/edit_role/lib/validate_role.ts
@@ -10,7 +10,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { IndexPrivilege } from '../../../../../common/model/IndexPrivilege';
+import { IndexPrivilege } from '../../../../../common/model/index_privilege';
 import { KibanaPrivilege } from '../../../../../common/model/kibana_privilege';
 import { Role } from '../../../../../common/model/role';
 

From e4f2c92cb388729df070760f3982ce4e595466ef Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 27 Aug 2018 12:00:28 -0400
Subject: [PATCH 104/183] fix snapshot

---
 .../kibana/__snapshots__/kibana_privileges.test.tsx.snap     | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap
index 8c8d75b4201bed..85f0acaf92a401 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap
@@ -9,8 +9,9 @@ exports[`<KibanaPrivileges> renders without crashing 1`] = `
     editable={true}
     kibanaAppPrivileges={
       Array [
-        "all",
-        "read",
+        Object {
+          "name": "all",
+        },
       ]
     }
     onChange={[MockFunction]}

From d5288dd9c5160f6d5892cdd9309f7379017ed96d Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 27 Aug 2018 14:56:36 -0400
Subject: [PATCH 105/183] fix dashboard mode functional tests

---
 .../dashboard_mode/dashboard_view_mode.js     |   2 +-
 .../es_archives/logstash/empty/data.json.gz   | Bin 178 -> 254 bytes
 .../es_archives/logstash/empty/mappings.json  |  28 ++++++++++++++++++
 .../logstash/example_pipelines/data.json.gz   | Bin 634 -> 689 bytes
 .../logstash/example_pipelines/mappings.json  |  28 ++++++++++++++++++
 5 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js b/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js
index 7fb26877a4a6c0..0b3130bd53df04 100644
--- a/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js
+++ b/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js
@@ -115,7 +115,7 @@ export default function ({ getService, getPageObjects }) {
         expect(collapseLinkExists).to.be(true);
 
         const navLinks = await find.allByCssSelector('.global-nav-link');
-        expect(navLinks.length).to.equal(4);
+        expect(navLinks.length).to.equal(5);
       });
 
       it('shows the dashboard landing page by default', async () => {
diff --git a/x-pack/test/functional/es_archives/logstash/empty/data.json.gz b/x-pack/test/functional/es_archives/logstash/empty/data.json.gz
index 2ac732942acb2eb0580ea750977cf0656f68eb32..3b5fcac425b877d4731f4102837eefee1d586a81 100644
GIT binary patch
literal 254
zcmV<a00I9WiwFpZMub}c17u-zVJ>QOZ*Bm!kWXvFFbu`-{uEx$UFcw}BgfI}#typ=
z)m9o&R}TKub%cEP*>1YDP}pf;4DacuhonJBS%vQ&t43DZs%nvq1DKedA&Df3H6Ali
z?`Q)I1-j9fQJoECxutEhs+aZh9!%fC!x`{4IyGlsq@0>2PX6kdOx`Av(Qk2|+~>!q
z)ncw3-$CtOEmN?Lc-#2Se!T!Qy2Q3%JWlK=&i^PzA%=fBfbT(Jqp^i(!r!YGeBS&d
zuNG(67jk_SSxOqca?}U1oQaQ)yi6~2D5n8r3B0>(`gG{g9WYNDT)cUl9~i|75F7#k
E0Q3`iUjP6A

literal 178
zcmV;j08RfNiwFqw*MwOB17u-zVJ>QOZ*Bl>j6n{9Fc3xeoTBL(8%&ItF5OGK!q66I
zs8a$|F{F35RS*|$Ci!pP|8qhJ9iN?|oKR^6O(VF2agod+gs4%fDGIFBB_O<|KfS2R
z2!zE-*F0w#%XVP82KK8kSl5ef`)B1-T0HX2n;BT?w2_6o1$sIh^K|=6R}k&Rq8@Fp
gvF1Z#A7?;ReQ+x<gIZjltk)<01(1#XPX7P^0Q;LzQUCw|

diff --git a/x-pack/test/functional/es_archives/logstash/empty/mappings.json b/x-pack/test/functional/es_archives/logstash/empty/mappings.json
index b54e80bf19626f..8961a5608e5894 100644
--- a/x-pack/test/functional/es_archives/logstash/empty/mappings.json
+++ b/x-pack/test/functional/es_archives/logstash/empty/mappings.json
@@ -329,6 +329,34 @@
                 "type": "text"
               }
             }
+          },
+          "spaceId": {
+            "type": "keyword"
+          },
+          "space": {
+            "properties": {
+              "name": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              },
+              "description": {
+                "type": "text"
+              },
+              "initials": {
+                "type": "keyword"
+              },
+              "color": {
+                "type": "keyword"
+              },
+              "_reserved": {
+                "type": "boolean"
+              }
+            }
           }
         }
       }
diff --git a/x-pack/test/functional/es_archives/logstash/example_pipelines/data.json.gz b/x-pack/test/functional/es_archives/logstash/example_pipelines/data.json.gz
index 8ef6743e020913ec7b63c20f2b306712eda6244f..ab1126b826cf9f673c476d99f24ec27999f0d6cd 100644
GIT binary patch
delta 671
zcmV;Q0$~061hEAOABzYG_C|zTkq97vt6q9&wTC^mRFSa<ViD}fc9unmcdwlgNCfTf
zWm_MNK*;0y$DaAdmpKj)3iP3bAVmQcBp6!5GcGD?Ihuu8GEU*eI*bdkQ5vhfcDtjr
z&eR(89zd%MbDFIHYt`;5QAu(QZ7dWNk*w5Aa4Ted14^StkBlC5^~S%zN@qKNLD`x?
zeN-Gq$tawU!uTngr?W*GCgUWY{<um?RzkrzWINE9VvRfJ+iXFq=JaTIwYI6XDQ9hz
z;Ouj{#IF=cj(4>?*!wYZdw7#vS!r}!a=WAVOly$s(te2Gs@j3fws1fnKB8p++_+>1
zQ?;zSndKm18Qf7SAQJSAxG~><$V{lckW^X!pUZ$0qN2;-*VRGbO6QptTi`b_F(IH-
zvw0J_BmC2ydipyTJT-qc|8A8^A<w~P;dIjRHeXTcPKnPj6ktj6Zirkc-6s9@5q+Xm
znya8FwXvgRFho6jT-)Ot`{Yt9dwSCtr-A*Q27}`}JuTRk`f%ySEPC^Q)509pT6Ag2
zH$SQ*oy6lsm^l5Y41+Z*&QGe>3;zjC?9sT2X5!Jfie~E3xQb@x(YT7{!J}~%P2$nG
zie~Q7xQb@s(YT5x3OyTV+4y;YyKMYGz+E<eBH%6?KN4`4jh_j)%f=4{+-2jZ0`9W$
zV*z*B__=_yY+^qbaF>mLp9{P@n=M;mj$b81ggJkcCgX4%j&M=t_%CeQD2?cv*?HZo
z<*H%@{a)>ibv}JaI`w>c#AN$TaHfT1e3PnN>_219K^osRE)=wN{TBsLB_@zkSmUbD
zucuzSUo&r(y~JDoUwR?$_4ZTF6f$3(13F&-_2U~&Cc!k-bKT(%T2^;!^Bbi4Sq?cT
F002)1P4NH#

delta 615
zcmV-t0+{`=1^NUCABzYGFc-X8kq97vd+VXq9(rn1MaCY8MPf&`Qx+lKy*42b6t>;V
zsy-NjkjL}Sc;>S&a~vTQ=tB)biUKM~Ft&!@xNNNDXclJ4IE5GMFfGMaX{?H~+XJO_
zrq-bM09xgk(|iqBt8Q0`Mv_}-W1*mkWVL33TOs3HP#U#*Wb~-7H~uA7I<EwOWg7<P
zRB;$3lW;i+<L}WjU98eDnI`f4$4yeR8cN0?uRvppHSXoN)q+%Q_Go;wcBOSC=UtTG
z;&ZyjZxl$5tFt@U^D#0^-WFFk8XYrkcl4fV4YFI>4-s57707%C2lU}1$^ziVB|n(1
z<^9dP00~*}K&gO8&;xO69>`38sJ)O>S^u9|KuXcjEckVE5V+AruEh@cASNaRlxjBz
zk$b||&UB}LaKKahcjn*kQZ3{q*dm<Idfw(M8r^I01%?7FNzo5c2&KECzdWN)luC0H
z6s0zHlm%mSXOGYJcwnDhdu6k?7vnUtztd=Re5a=cRjm)#+n7ghep;A+qq7!WujHE_
zRg%u)=_*W|epH6RhLx8mb$1v36PnngaTU$Xqj43@+@o<7&BCK`70r`J<0_iOqj43@
z(xY(|&B~*36-^X+HqNr~^8k0*_<?}CZ2UyPT{eCs;4T|K6L6P}9}2k3#!m&@W#h*J
z?y~W70cY97elFlH8$TCTcy~5Cw#FR)lME3i|29pg;WV7!vM%sn*mO}^(XFz}`mUGj
zhL!YNQyJ@W{*?6k`SOg(?yKNT3(5F4RfX7p#+-vRz8hRB==yrsfInlQS+O1_002qh
BE^Gh*

diff --git a/x-pack/test/functional/es_archives/logstash/example_pipelines/mappings.json b/x-pack/test/functional/es_archives/logstash/example_pipelines/mappings.json
index b54e80bf19626f..8961a5608e5894 100644
--- a/x-pack/test/functional/es_archives/logstash/example_pipelines/mappings.json
+++ b/x-pack/test/functional/es_archives/logstash/example_pipelines/mappings.json
@@ -329,6 +329,34 @@
                 "type": "text"
               }
             }
+          },
+          "spaceId": {
+            "type": "keyword"
+          },
+          "space": {
+            "properties": {
+              "name": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              },
+              "description": {
+                "type": "text"
+              },
+              "initials": {
+                "type": "keyword"
+              },
+              "color": {
+                "type": "keyword"
+              },
+              "_reserved": {
+                "type": "boolean"
+              }
+            }
           }
         }
       }

From 29c7b8a9ddc0aea659a8b1acc972b1e236f90b8e Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Wed, 29 Aug 2018 10:33:53 -0400
Subject: [PATCH 106/183] [Spaces] - Support "Recently viewed" widget (#22492)

[skip ci]
This PR makes the "Recently viewed" widget on the Kibana home page space-aware. The widget will only show saved objects that were viewed within the user's current space.

This is accomplished by changing the way the `RecentlyAccessed` module creates its `PersistedLog`. Previously, the `PersistedLog` was using a hard-coded key, but now it is deriving its key based off of the current `basePath`, which contains the space identifier.

I chose this approach because this code lies completely within OSS Kibana, and I did not want to make this module aware of the Spaces plugin. Spaces augments the `basePath` in order to function and construct space-aware links within the UI, so this ends up being transparent to consumers of `chrome.getBasePath`


You'll notice that the `PersistedLog` key is partially hashed. We do this because we don't want the browser to store information about which spaces a particular user may or may not have access to (see this [earlier conversation](https://github.com/elastic/kibana/pull/19417#issuecomment-391833132))


### Important
Installations that have a configured `basePath` other than the default `''` will have their "Recently viewed" list cleared after upgrading to 6.5, because the basePath will become part of the `localStorage` key, when it previously wasn't. While this may _technically_ be a breaking change, I'm hoping this will be acceptable.

Fixes #21961
---
 src/ui/public/persisted_log/create_log_key.js | 31 ++++++++++++++++
 .../persisted_log/create_log_key.test.js      | 35 +++++++++++++++++++
 .../persisted_log/persisted_log.test.js       |  6 ++++
 .../public/persisted_log/recently_accessed.js |  6 ++--
 4 files changed, 76 insertions(+), 2 deletions(-)
 create mode 100644 src/ui/public/persisted_log/create_log_key.js
 create mode 100644 src/ui/public/persisted_log/create_log_key.test.js

diff --git a/src/ui/public/persisted_log/create_log_key.js b/src/ui/public/persisted_log/create_log_key.js
new file mode 100644
index 00000000000000..bbc91d65f11127
--- /dev/null
+++ b/src/ui/public/persisted_log/create_log_key.js
@@ -0,0 +1,31 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { Sha256 } from '../crypto';
+
+export function createLogKey(type, optionalIdentifier) {
+  const baseKey = `kibana.history.${type}`;
+
+  if (!optionalIdentifier) {
+    return baseKey;
+  }
+
+  const protectedIdentifier = new Sha256().update(optionalIdentifier, 'utf8').digest('base64');
+  return `${baseKey}-${protectedIdentifier}`;
+}
\ No newline at end of file
diff --git a/src/ui/public/persisted_log/create_log_key.test.js b/src/ui/public/persisted_log/create_log_key.test.js
new file mode 100644
index 00000000000000..3f7f69a5271e0a
--- /dev/null
+++ b/src/ui/public/persisted_log/create_log_key.test.js
@@ -0,0 +1,35 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { createLogKey } from './create_log_key';
+
+describe('createLogKey', () => {
+  it('should create a key starting with "kibana.history"', () => {
+    expect(createLogKey('foo', 'bar')).toMatch(/^kibana\.history/);
+  });
+
+  it('should include a hashed suffix of the identifier when present', () => {
+    const expectedSuffix = `/N4rLtula/QIYB+3If6bXDONEO5CnqBPrlURto+/j7k=`;
+    expect(createLogKey('foo', 'bar')).toMatch(`kibana.history.foo-${expectedSuffix}`);
+  });
+
+  it('should not include a hashed suffix if the identifier is not present', () => {
+    expect(createLogKey('foo')).toEqual('kibana.history.foo');
+  });
+});
\ No newline at end of file
diff --git a/src/ui/public/persisted_log/persisted_log.test.js b/src/ui/public/persisted_log/persisted_log.test.js
index ec0a659d6d063a..5d5409a035a044 100644
--- a/src/ui/public/persisted_log/persisted_log.test.js
+++ b/src/ui/public/persisted_log/persisted_log.test.js
@@ -22,6 +22,12 @@ import sinon from 'sinon';
 import expect from 'expect.js';
 import { PersistedLog } from './';
 
+jest.mock('../chrome', () => {
+  return {
+    getBasePath: () => `/some/base/path`
+  };
+});
+
 const historyName = 'testHistory';
 const historyLimit = 10;
 const payload = [
diff --git a/src/ui/public/persisted_log/recently_accessed.js b/src/ui/public/persisted_log/recently_accessed.js
index af8280f6ab5b70..9392e276dbeb99 100644
--- a/src/ui/public/persisted_log/recently_accessed.js
+++ b/src/ui/public/persisted_log/recently_accessed.js
@@ -16,8 +16,9 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-
+import chrome from '../chrome';
 import { PersistedLog } from './';
+import { createLogKey } from './create_log_key';
 
 class RecentlyAccessed {
   constructor() {
@@ -28,7 +29,8 @@ class RecentlyAccessed {
         return oldItem.id === newItem.id;
       }
     };
-    this.history = new PersistedLog('kibana.history.recentlyAccessed', historyOptions);
+    const logKey = createLogKey('recentlyAccessed', chrome.getBasePath());
+    this.history = new PersistedLog(logKey, historyOptions);
   }
 
   add(link, label, id) {

From 156718afc9468cfe6027f231542bc161acaacf5b Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Wed, 29 Aug 2018 12:39:35 -0400
Subject: [PATCH 107/183] fix tests

---
 .../lib/__tests__/change_time_filter.test.js  |  3 +-
 .../persisted_log/persisted_log.test.js       |  2 +-
 .../public/persisted_log/recently_accessed.js |  2 +-
 src/ui/public/timefilter/timefilter.test.js   |  9 +++---
 .../utils/__tests__/brush_event.test.js       |  3 +-
 .../app/Main/__test__/Breadcrumbs.test.js     | 22 +++++++++++++++
 .../__jest__/TransactionOverview.test.js      | 28 +++++++++++++++++++
 7 files changed, 61 insertions(+), 8 deletions(-)

diff --git a/src/ui/public/filter_bar/lib/__tests__/change_time_filter.test.js b/src/ui/public/filter_bar/lib/__tests__/change_time_filter.test.js
index e3ad2ba72b418a..4ffc6e00bb0769 100644
--- a/src/ui/public/filter_bar/lib/__tests__/change_time_filter.test.js
+++ b/src/ui/public/filter_bar/lib/__tests__/change_time_filter.test.js
@@ -19,10 +19,11 @@
 
 jest.mock('ui/chrome',
   () => ({
+    getBasePath: () => `/some/base/path`,
     getUiSettingsClient: () => {
       return {
         get: (key) => {
-          switch(key) {
+          switch (key) {
             case 'timepicker:timeDefaults':
               return { from: 'now-15m', to: 'now', mode: 'quick' };
             case 'timepicker:refreshIntervalDefaults':
diff --git a/src/ui/public/persisted_log/persisted_log.test.js b/src/ui/public/persisted_log/persisted_log.test.js
index 5d5409a035a044..ee9c26d5735731 100644
--- a/src/ui/public/persisted_log/persisted_log.test.js
+++ b/src/ui/public/persisted_log/persisted_log.test.js
@@ -22,7 +22,7 @@ import sinon from 'sinon';
 import expect from 'expect.js';
 import { PersistedLog } from './';
 
-jest.mock('../chrome', () => {
+jest.mock('ui/chrome', () => {
   return {
     getBasePath: () => `/some/base/path`
   };
diff --git a/src/ui/public/persisted_log/recently_accessed.js b/src/ui/public/persisted_log/recently_accessed.js
index 9392e276dbeb99..aed82fbc648e59 100644
--- a/src/ui/public/persisted_log/recently_accessed.js
+++ b/src/ui/public/persisted_log/recently_accessed.js
@@ -16,7 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import chrome from '../chrome';
+import chrome from 'ui/chrome';
 import { PersistedLog } from './';
 import { createLogKey } from './create_log_key';
 
diff --git a/src/ui/public/timefilter/timefilter.test.js b/src/ui/public/timefilter/timefilter.test.js
index a7b3cb38d12393..7071a6c7f7a707 100644
--- a/src/ui/public/timefilter/timefilter.test.js
+++ b/src/ui/public/timefilter/timefilter.test.js
@@ -19,10 +19,11 @@
 
 jest.mock('ui/chrome',
   () => ({
+    getBasePath: () => `/some/base/path`,
     getUiSettingsClient: () => {
       return {
         get: (key) => {
-          switch(key) {
+          switch (key) {
             case 'timepicker:timeDefaults':
               return { from: 'now-15m', to: 'now', mode: 'quick' };
             case 'timepicker:refreshIntervalDefaults':
@@ -107,7 +108,7 @@ describe('setRefreshInterval', () => {
   let update;
   let fetch;
 
-  beforeEach(()  => {
+  beforeEach(() => {
     update = sinon.spy();
     fetch = sinon.spy();
     timefilter.setRefreshInterval({
@@ -191,7 +192,7 @@ describe('setRefreshInterval', () => {
 describe('isTimeRangeSelectorEnabled', () => {
   let update;
 
-  beforeEach(()  => {
+  beforeEach(() => {
     update = sinon.spy();
     timefilter.on('enabledUpdated', update);
   });
@@ -212,7 +213,7 @@ describe('isTimeRangeSelectorEnabled', () => {
 describe('isAutoRefreshSelectorEnabled', () => {
   let update;
 
-  beforeEach(()  => {
+  beforeEach(() => {
     update = sinon.spy();
     timefilter.on('enabledUpdated', update);
   });
diff --git a/src/ui/public/utils/__tests__/brush_event.test.js b/src/ui/public/utils/__tests__/brush_event.test.js
index 4f6c221b8650a9..701586bad92557 100644
--- a/src/ui/public/utils/__tests__/brush_event.test.js
+++ b/src/ui/public/utils/__tests__/brush_event.test.js
@@ -19,10 +19,11 @@
 
 jest.mock('ui/chrome',
   () => ({
+    getBasePath: () => `/some/base/path`,
     getUiSettingsClient: () => {
       return {
         get: (key) => {
-          switch(key) {
+          switch (key) {
             case 'timepicker:timeDefaults':
               return { from: 'now-15m', to: 'now', mode: 'quick' };
             case 'timepicker:refreshIntervalDefaults':
diff --git a/x-pack/plugins/apm/public/components/app/Main/__test__/Breadcrumbs.test.js b/x-pack/plugins/apm/public/components/app/Main/__test__/Breadcrumbs.test.js
index 24df0baec12afd..c69c320aace972 100644
--- a/x-pack/plugins/apm/public/components/app/Main/__test__/Breadcrumbs.test.js
+++ b/x-pack/plugins/apm/public/components/app/Main/__test__/Breadcrumbs.test.js
@@ -11,6 +11,28 @@ import { MemoryRouter } from 'react-router-dom';
 import Breadcrumbs from '../Breadcrumbs';
 import { toJson } from '../../../../utils/testHelpers';
 
+jest.mock(
+  'ui/chrome',
+  () => ({
+    getBasePath: () => `/some/base/path`,
+    getUiSettingsClient: () => {
+      return {
+        get: key => {
+          switch (key) {
+            case 'timepicker:timeDefaults':
+              return { from: 'now-15m', to: 'now', mode: 'quick' };
+            case 'timepicker:refreshIntervalDefaults':
+              return { display: 'Off', pause: false, value: 0 };
+            default:
+              throw new Error(`Unexpected config key: ${key}`);
+          }
+        }
+      };
+    }
+  }),
+  { virtual: true }
+);
+
 function expectBreadcrumbToMatchSnapshot(route) {
   const wrapper = mount(
     <MemoryRouter initialEntries={[`${route}?_g=myG&kuery=myKuery`]}>
diff --git a/x-pack/plugins/apm/public/components/app/TransactionOverview/__jest__/TransactionOverview.test.js b/x-pack/plugins/apm/public/components/app/TransactionOverview/__jest__/TransactionOverview.test.js
index 4fee02f2627633..0e3e5b64208257 100644
--- a/x-pack/plugins/apm/public/components/app/TransactionOverview/__jest__/TransactionOverview.test.js
+++ b/x-pack/plugins/apm/public/components/app/TransactionOverview/__jest__/TransactionOverview.test.js
@@ -9,6 +9,34 @@ import { shallow } from 'enzyme';
 import TransactionOverview from '../view';
 import { toJson } from '../../../../utils/testHelpers';
 
+jest.mock(
+  'ui/chrome',
+  () => ({
+    getBasePath: () => `/some/base/path`,
+    getInjected: key => {
+      if (key === 'mlEnabled') {
+        return true;
+      }
+      throw new Error(`inexpected key ${key}`);
+    },
+    getUiSettingsClient: () => {
+      return {
+        get: key => {
+          switch (key) {
+            case 'timepicker:timeDefaults':
+              return { from: 'now-15m', to: 'now', mode: 'quick' };
+            case 'timepicker:refreshIntervalDefaults':
+              return { display: 'Off', pause: false, value: 0 };
+            default:
+              throw new Error(`Unexpected config key: ${key}`);
+          }
+        }
+      };
+    }
+  }),
+  { virtual: true }
+);
+
 const setup = () => {
   const props = {
     license: {

From 2c50a9f3f467f127dc2d32cb8af69f28dd263f29 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 30 Aug 2018 11:46:02 -0400
Subject: [PATCH 108/183] remove use of EuiTextColor to fix build

---
 .../spaces/public/views/components/space_card.tsx    | 12 +++---------
 .../__snapshots__/space_selector.test.js.snap        | 10 ++++------
 .../public/views/space_selector/space_selector.js    |  5 ++---
 3 files changed, 9 insertions(+), 18 deletions(-)

diff --git a/x-pack/plugins/spaces/public/views/components/space_card.tsx b/x-pack/plugins/spaces/public/views/components/space_card.tsx
index 1ea9461391b587..3f72ffa271e83d 100644
--- a/x-pack/plugins/spaces/public/views/components/space_card.tsx
+++ b/x-pack/plugins/spaces/public/views/components/space_card.tsx
@@ -9,8 +9,6 @@ import {
   // FIXME: need updated typedefs
   // @ts-ignore
   EuiCard,
-  // @ts-ignore
-  EuiTextColor,
 } from '@elastic/eui';
 import React from 'react';
 import { Space } from '../../../common/model/space';
@@ -43,16 +41,12 @@ function renderSpaceDescription(space: Space) {
   let description: JSX.Element | string = space.description || '';
   const needsTruncation = description.length > 120;
   if (needsTruncation) {
-    description = <span title={description}>{description.substr(0, 120) + '…'}</span>;
+    description = description.substr(0, 120) + '…';
   }
 
-  // FIXME: workaround for missing typedefs
-  // @ts-ignore
-  const TextColorCmp: ComponentClass = EuiTextColor;
-
   return (
-    <TextColorCmp className="eui-textBreakWord" color={'subdued'}>
+    <span title={description} className="eui-textBreakWord euiTextColor--subdued">
       {description}
-    </TextColorCmp>
+    </span>
   );
 }
diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
index 03ffdc5550e8cb..3f58530d7139bb 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
@@ -53,13 +53,11 @@ exports[`it renders without crashing 1`] = `
         <div
           className="euiSpacer euiSpacer--l"
         />
-        <span
-          className="euiTextColor euiTextColor--ghost euiTitle euiTitle--large"
+        <p
+          className="euiTitle euiTitle--large euiTextColor--ghost"
         >
-          <p>
-            Select your space
-          </p>
-        </span>
+          Select your space
+        </p>
       </div>
     </div>
     <div
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
index b0ac621ce845db..f90d050fcf8602 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
@@ -15,7 +15,6 @@ import {
   EuiIcon,
   EuiSpacer,
   EuiText,
-  EuiTextColor,
   EuiTitle,
   EuiFieldSearch,
   EuiFlexGroup,
@@ -80,8 +79,8 @@ export class SpaceSelector extends Component {
 
               <EuiSpacer />
 
-              <EuiTitle size="l">
-                <EuiTextColor color="ghost"><p>Select your space</p></EuiTextColor>
+              <EuiTitle size="l" className="euiTextColor--ghost">
+                <p >Select your space</p>
               </EuiTitle>
             </EuiPageHeaderSection>
           </EuiPageHeader>

From e04dfd2f261dab90bcd99b7b36e2a3626a7ae49c Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 30 Aug 2018 14:06:56 -0400
Subject: [PATCH 109/183] attempt to fix test flakyness

---
 .../test/functional/apps/dashboard_mode/dashboard_view_mode.js   | 1 +
 x-pack/test/functional/page_objects/security_page.js             | 1 +
 2 files changed, 2 insertions(+)

diff --git a/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js b/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js
index 4740ac013d644c..eb411e70cc2449 100644
--- a/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js
+++ b/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js
@@ -178,6 +178,7 @@ export default function ({ getService, getPageObjects }) {
       });
 
       it('is loaded for a user who is assigned a non-dashboard mode role', async () => {
+        await PageObjects.common.waitForTopNavToBeVisible();
         await PageObjects.security.logout();
         await PageObjects.security.login('mixeduser', '123456');
 
diff --git a/x-pack/test/functional/page_objects/security_page.js b/x-pack/test/functional/page_objects/security_page.js
index 2581daef24f3da..4d3df98024abef 100644
--- a/x-pack/test/functional/page_objects/security_page.js
+++ b/x-pack/test/functional/page_objects/security_page.js
@@ -87,6 +87,7 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
       // long it takes the home screen to query Elastic to see if it's a
       // new Kibana instance.
       if (isWelcomeShowing) {
+        log.debug('welcome screen showing when attempting logout');
         await PageObjects.home.hideWelcomeScreen();
       }
 

From 278f7b8a2966ec959993a6613610f920e9fc9e23 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Tue, 4 Sep 2018 12:19:14 -0400
Subject: [PATCH 110/183] [Spaces] - basic telemetry (#20581)

Introduces basic telemetry for Spaces. Implementation inspired by Reporting's telemetry collector.

Reports the following:

`available`: Indicates of the current license allows for Spaces
`enabled`: Indicates if Spaces is enabled (also implies it is available)
`count`: The number of Spaces this installation has configured

Fixes #19260
---
 .../server/kibana_monitoring/bulk_uploader.js |   2 +-
 x-pack/plugins/spaces/common/constants.ts     |   6 +
 x-pack/plugins/spaces/index.js                |   4 +
 .../server/lib/get_spaces_usage_collector.js  |  75 +++++++++
 .../lib/get_spaces_usage_collector.test.js    | 149 ++++++++++++++++++
 5 files changed, 235 insertions(+), 1 deletion(-)
 create mode 100644 x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.js
 create mode 100644 x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.test.js

diff --git a/x-pack/plugins/monitoring/server/kibana_monitoring/bulk_uploader.js b/x-pack/plugins/monitoring/server/kibana_monitoring/bulk_uploader.js
index b838ada1a86ca0..6eeab649f0e0de 100644
--- a/x-pack/plugins/monitoring/server/kibana_monitoring/bulk_uploader.js
+++ b/x-pack/plugins/monitoring/server/kibana_monitoring/bulk_uploader.js
@@ -40,7 +40,7 @@ export class BulkUploader {
       throw new Error('interval number of milliseconds is required');
     }
 
-    this._timer =  null;
+    this._timer = null;
     this._interval = interval;
     this._log = {
       debug: message => server.log(['debug', ...LOGGING_TAGS], message),
diff --git a/x-pack/plugins/spaces/common/constants.ts b/x-pack/plugins/spaces/common/constants.ts
index c4d8931871b97d..50423517bc9184 100644
--- a/x-pack/plugins/spaces/common/constants.ts
+++ b/x-pack/plugins/spaces/common/constants.ts
@@ -15,3 +15,9 @@ export const SPACE_SEARCH_COUNT_THRESHOLD = 8;
  * The maximum number of characters allowed in the Space Avatar's initials
  */
 export const MAX_SPACE_INITIALS = 2;
+
+/**
+ * The type name used within the Monitoring index to publish spaces stats.
+ * @type {string}
+ */
+export const KIBANA_SPACES_STATS_TYPE = 'spaces';
diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index 480641cc792f2c..2ce815db27db65 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -12,6 +12,7 @@ import { initSpacesRequestInterceptors } from './server/lib/space_request_interc
 import { createDefaultSpace } from './server/lib/create_default_space';
 import { createSpacesService } from './server/lib/create_spaces_service';
 import { getActiveSpace } from './server/lib/get_active_space';
+import { getSpacesUsageCollector } from './server/lib/get_spaces_usage_collector';
 import { wrapError } from './server/lib/errors';
 import mappings from './mappings.json';
 import { spacesSavedObjectsClientWrapperFactory } from './server/lib/saved_objects_client/saved_objects_client_wrapper_factory';
@@ -90,5 +91,8 @@ export const spaces = (kibana) => new kibana.Plugin({
     initSpacesApi(server);
 
     initSpacesRequestInterceptors(server);
+
+    // Register a function with server to manage the collection of usage stats
+    server.usage.collectorSet.register(getSpacesUsageCollector(server));
   }
 });
diff --git a/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.js b/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.js
new file mode 100644
index 00000000000000..455d2f0932b322
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.js
@@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { KIBANA_SPACES_STATS_TYPE } from '../../common/constants';
+import { KIBANA_STATS_TYPE_MONITORING } from '../../../monitoring/common/constants';
+
+/**
+ *
+ * @param callCluster
+ * @param server
+ * @param {boolean} spacesAvailable
+ * @param withinDayRange
+ * @return {ReportingUsageStats}
+ */
+async function getSpacesUsage(callCluster, server, spacesAvailable) {
+  if (!spacesAvailable) return {};
+
+  const { getSavedObjectsRepository } = server.savedObjects;
+
+  const savedObjectsRepository = getSavedObjectsRepository(callCluster);
+
+  const { saved_objects: spaces } = await savedObjectsRepository.find({ type: 'space' });
+
+  return {
+    count: spaces.length,
+  };
+}
+
+/*
+ * @param {Object} server
+ * @return {Object} kibana usage stats type collection object
+ */
+export function getSpacesUsageCollector(server) {
+  const { collectorSet } = server.usage;
+  return collectorSet.makeUsageCollector({
+    type: KIBANA_SPACES_STATS_TYPE,
+    fetch: async callCluster => {
+      const xpackInfo = server.plugins.xpack_main.info;
+      const config = server.config();
+      const available = xpackInfo && xpackInfo.isAvailable(); // some form of spaces is available for all valid licenses
+      const enabled = config.get('xpack.spaces.enabled');
+      const spacesAvailableAndEnabled = available && enabled;
+
+      const usageStats = await getSpacesUsage(callCluster, server, spacesAvailableAndEnabled);
+
+      return {
+        available,
+        enabled: spacesAvailableAndEnabled, // similar behavior as _xpack API in ES
+        ...usageStats,
+      };
+    },
+
+    /*
+     * Format the response data into a model for internal upload
+     * 1. Make this data part of the "kibana_stats" type
+     * 2. Organize the payload in the usage.xpack.spaces namespace of the data payload
+     */
+    formatForBulkUpload: result => {
+      return {
+        type: KIBANA_STATS_TYPE_MONITORING,
+        payload: {
+          usage: {
+            xpack: {
+              spaces: result
+            }
+          }
+        }
+      };
+
+    }
+  });
+}
diff --git a/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.test.js b/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.test.js
new file mode 100644
index 00000000000000..490c1c13ec7abb
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.test.js
@@ -0,0 +1,149 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { getSpacesUsageCollector } from './get_spaces_usage_collector';
+
+function getServerMock(customization) {
+  class MockUsageCollector {
+    constructor(_server, { fetch }) {
+      this.fetch = fetch;
+    }
+  }
+
+  const getLicenseCheckResults = jest.fn().mockReturnValue({});
+  const defaultServerMock = {
+    plugins: {
+      security: {
+        isAuthenticated: jest.fn().mockReturnValue(true)
+      },
+      xpack_main: {
+        info: {
+          isAvailable: jest.fn().mockReturnValue(true),
+          feature: () => ({
+            getLicenseCheckResults
+          }),
+          license: {
+            isOneOf: jest.fn().mockReturnValue(false),
+            getType: jest.fn().mockReturnValue('platinum'),
+          },
+          toJSON: () => ({ b: 1 })
+        }
+      }
+    },
+    expose: () => { },
+    log: () => { },
+    config: () => ({
+      get: key => {
+        if (key === 'xpack.spaces.enabled') {
+          return true;
+        }
+      }
+    }),
+    usage: {
+      collectorSet: {
+        makeUsageCollector: options => {
+          return new MockUsageCollector(this, options);
+        }
+      }
+    },
+    savedObjects: {
+      getSavedObjectsRepository: jest.fn(() => {
+        return {
+          find() {
+            return {
+              saved_objects: ['a', 'b']
+            };
+          }
+        };
+      })
+    }
+  };
+  return Object.assign(defaultServerMock, customization);
+}
+
+test('sets enabled to false when spaces is turned off', async () => {
+  const mockConfigGet = jest.fn(key => {
+    if (key === 'xpack.spaces.enabled') {
+      return false;
+    } else if (key.indexOf('xpack.spaces') >= 0) {
+      throw new Error('Unknown config key!');
+    }
+  });
+  const serverMock = getServerMock({ config: () => ({ get: mockConfigGet }) });
+  const callClusterMock = jest.fn();
+  const { fetch: getSpacesUsage } = getSpacesUsageCollector(serverMock);
+  const usageStats = await getSpacesUsage(callClusterMock);
+  expect(usageStats.enabled).toBe(false);
+});
+
+describe('with a basic license', async () => {
+  let usageStats;
+  beforeAll(async () => {
+    const serverWithBasicLicenseMock = getServerMock();
+    serverWithBasicLicenseMock.plugins.xpack_main.info.license.getType = jest.fn().mockReturnValue('basic');
+    const callClusterMock = jest.fn(() => Promise.resolve({}));
+    const { fetch: getSpacesUsage } = getSpacesUsageCollector(serverWithBasicLicenseMock);
+    usageStats = await getSpacesUsage(callClusterMock);
+  });
+
+  test('sets enabled to true', async () => {
+    expect(usageStats.enabled).toBe(true);
+  });
+
+  test('sets available to true', async () => {
+    expect(usageStats.available).toBe(true);
+  });
+
+  test('sets the number of spaces', async () => {
+    expect(usageStats.count).toBe(2);
+  });
+});
+
+describe('with no license', async () => {
+  let usageStats;
+  beforeAll(async () => {
+    const serverWithNoLicenseMock = getServerMock();
+    serverWithNoLicenseMock.plugins.xpack_main.info.isAvailable = jest.fn().mockReturnValue(false);
+    const callClusterMock = jest.fn(() => Promise.resolve({}));
+    const { fetch: getSpacesUsage } = getSpacesUsageCollector(serverWithNoLicenseMock);
+    usageStats = await getSpacesUsage(callClusterMock);
+  });
+
+  test('sets enabled to false', async () => {
+    expect(usageStats.enabled).toBe(false);
+  });
+
+  test('sets available to false', async () => {
+    expect(usageStats.available).toBe(false);
+  });
+
+  test('does not set the number of spaces', async () => {
+    expect(usageStats.count).toBeUndefined();
+  });
+});
+
+describe('with platinum license', async () => {
+  let usageStats;
+  beforeAll(async () => {
+    const serverWithPlatinumLicenseMock = getServerMock();
+    serverWithPlatinumLicenseMock.plugins.xpack_main.info.license.getType = jest.fn().mockReturnValue('platinum');
+    const callClusterMock = jest.fn(() => Promise.resolve({}));
+    const { fetch: getSpacesUsage } = getSpacesUsageCollector(serverWithPlatinumLicenseMock);
+    usageStats = await getSpacesUsage(callClusterMock);
+  });
+
+  test('sets enabled to true', async () => {
+    expect(usageStats.enabled).toBe(true);
+  });
+
+  test('sets available to true', async () => {
+    expect(usageStats.available).toBe(true);
+  });
+
+  test('sets the number of spaces', async () => {
+    expect(usageStats.count).toBe(2);
+  });
+});

From 1fcfd4e9fc63861c324ea6d44e807a0af2ba8242 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Tue, 4 Sep 2018 13:37:46 -0400
Subject: [PATCH 111/183] diagnose flakyness

---
 .../apps/dashboard_mode/dashboard_view_mode.js         |  1 -
 x-pack/test/functional/page_objects/security_page.js   | 10 ++++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js b/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js
index eb411e70cc2449..4740ac013d644c 100644
--- a/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js
+++ b/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js
@@ -178,7 +178,6 @@ export default function ({ getService, getPageObjects }) {
       });
 
       it('is loaded for a user who is assigned a non-dashboard mode role', async () => {
-        await PageObjects.common.waitForTopNavToBeVisible();
         await PageObjects.security.logout();
         await PageObjects.security.login('mixeduser', '123456');
 
diff --git a/x-pack/test/functional/page_objects/security_page.js b/x-pack/test/functional/page_objects/security_page.js
index 4d3df98024abef..e01881e4115e66 100644
--- a/x-pack/test/functional/page_objects/security_page.js
+++ b/x-pack/test/functional/page_objects/security_page.js
@@ -94,8 +94,14 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
       await find.clickByLinkText('Logout');
 
       await retry.try(async () => {
-        const logoutLinkExists = await find.existsByDisplayedByCssSelector('.login-form');
-        if (!logoutLinkExists) {
+        const loginFormExists = await find.existsByDisplayedByCssSelector('.login-form');
+
+        const logoutLinkExists = find.existsByLinkText('Logout');
+        if (logoutLinkExists) {
+          await find.clickByLinkText('Logout');
+        }
+
+        if (!loginFormExists) {
           throw new Error('Logout is not completed yet');
         }
       });

From e4ebd0b59f1e8bae33ff257ad67e8cfc21fcd153 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Tue, 4 Sep 2018 16:12:07 -0400
Subject: [PATCH 112/183] add missing await

---
 x-pack/test/functional/page_objects/security_page.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/test/functional/page_objects/security_page.js b/x-pack/test/functional/page_objects/security_page.js
index e01881e4115e66..581af4b3f9bca3 100644
--- a/x-pack/test/functional/page_objects/security_page.js
+++ b/x-pack/test/functional/page_objects/security_page.js
@@ -96,7 +96,7 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
       await retry.try(async () => {
         const loginFormExists = await find.existsByDisplayedByCssSelector('.login-form');
 
-        const logoutLinkExists = find.existsByLinkText('Logout');
+        const logoutLinkExists = await find.existsByLinkText('Logout');
         if (logoutLinkExists) {
           await find.clickByLinkText('Logout');
         }

From 8b77134877b87d1dca0bc6db9db9ea6a43a4adae Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Tue, 4 Sep 2018 17:58:26 -0400
Subject: [PATCH 113/183] Saved Object Namespaces (#22357)

* Adding a namespace

* Allowing the saved objects client wrappers to specify the namespace

* Moving namespace agnosticism to OSS

* Fixing rbac tests, spaces can be managed with the SOC temporarily

* Putting trimIdPrefix back to it's original name

* Removing unused code and debug statements

* Fixing some jsdocs

* Removing unused type parameter

* Another stray console.log...

* Fixing repository provider test

* Fixing repository tests

* No longer exposing the namespace in get and bulkGet

* Fixing SavedObjectClient tests, using more Symbols...

It ends up that two different instances of {} are considered to be
equal by jest's .toHaveBeenCalledWith, so for these white-box tests
we're just using Symbols...

* Fixing getSearchDsl tests

* Removing filters, we don't use them anymore

* Fixing query param tests

* Adding Schema tests

* Fixing secure saved objects client test

* Namespaces via options

* Removing duplicate test

* Removing spaceId from mappings

* Fixing test

* Registering the namespace agnostic types using uiExports

* Even better schema
---
 .../mappings/kibana_index_mappings_mixin.js   |    3 +
 .../saved_objects/saved_objects_mixin.js      |    2 +-
 .../service/create_saved_objects_service.js   |   10 +-
 src/server/saved_objects/service/lib/index.js |    1 +
 .../saved_objects/service/lib/repository.js   |   96 +-
 .../service/lib/repository.test.js            |  563 +++--
 .../service/lib/repository_provider.js        |    3 +
 .../service/lib/repository_provider.test.js   |   10 +-
 .../saved_objects/service/lib/schema.js       |   32 +
 .../saved_objects/service/lib/schema.test.js  |   49 +
 .../service/lib/search_dsl/query_params.js    |   58 +-
 .../lib/search_dsl/query_params.test.js       |  467 ++++-
 .../service/lib/search_dsl/search_dsl.js      |   10 +-
 .../service/lib/search_dsl/search_dsl.test.js |   17 +-
 .../service/lib/trim_id_prefix.js             |    7 +-
 .../service/saved_objects_client.js           |   21 +-
 .../service/saved_objects_client.test.js      |   35 +-
 src/ui/ui_exports/ui_export_types/index.js    |    3 +-
 ...ed_object_mappings.js => saved_objects.js} |    6 +-
 .../saved_objects/basic/data.json.gz          |  Bin 1803 -> 2107 bytes
 .../saved_objects/basic/mappings.json         |    5 +-
 .../secure_saved_objects_client.js            |   15 +-
 .../secure_saved_objects_client.test.js       |   27 +-
 x-pack/plugins/spaces/index.js                |    9 +-
 x-pack/plugins/spaces/mappings.json           |    3 -
 .../spaces_saved_objects_client.test.js.snap  |   36 +-
 .../__snapshots__/query_filters.test.js.snap  |    5 -
 .../lib/is_type_space_aware.js                |   14 -
 .../lib/is_type_space_aware.test.js           |   29 -
 .../saved_objects_client/lib/query_filters.js |   70 -
 .../lib/query_filters.test.js                 |  139 --
 .../saved_objects_client_wrapper_factory.js   |    3 +-
 .../spaces_saved_objects_client.js            |  232 +-
 .../spaces_saved_objects_client.test.js       | 1868 ++---------------
 .../apis/privileges/index.js                  |    3 +
 .../apis/saved_objects/find.js                |   48 +-
 .../apis/saved_objects/bulk_get.js            |    3 +-
 .../apis/saved_objects/create.js              |    8 +-
 .../apis/saved_objects/delete.js              |   11 +-
 .../apis/saved_objects/find.js                |    6 +-
 .../apis/saved_objects/get.js                 |   18 +-
 .../saved_objects/lib/space_test_utils.js     |    9 -
 .../apis/saved_objects/update.js              |    5 +-
 .../saved_objects/spaces/data.json.gz         |  Bin 2448 -> 2469 bytes
 .../saved_objects/spaces/mappings.json        |    5 +-
 45 files changed, 1283 insertions(+), 2681 deletions(-)
 create mode 100644 src/server/saved_objects/service/lib/schema.js
 create mode 100644 src/server/saved_objects/service/lib/schema.test.js
 rename src/ui/ui_exports/ui_export_types/{saved_object_mappings.js => saved_objects.js} (83%)
 delete mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/lib/__snapshots__/query_filters.test.js.snap
 delete mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.js
 delete mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.test.js
 delete mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.js
 delete mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.test.js

diff --git a/src/server/mappings/kibana_index_mappings_mixin.js b/src/server/mappings/kibana_index_mappings_mixin.js
index 5b7d8fb683c580..be0202888d56ea 100644
--- a/src/server/mappings/kibana_index_mappings_mixin.js
+++ b/src/server/mappings/kibana_index_mappings_mixin.js
@@ -29,6 +29,9 @@ const BASE_SAVED_OBJECT_MAPPINGS = {
   doc: {
     dynamic: 'strict',
     properties: {
+      namespace: {
+        type: 'keyword'
+      },
       type: {
         type: 'keyword'
       },
diff --git a/src/server/saved_objects/saved_objects_mixin.js b/src/server/saved_objects/saved_objects_mixin.js
index 086107953cf37a..61ee6d2a5e7626 100644
--- a/src/server/saved_objects/saved_objects_mixin.js
+++ b/src/server/saved_objects/saved_objects_mixin.js
@@ -54,7 +54,7 @@ export function savedObjectsMixin(kbnServer, server) {
   server.route(createGetRoute(prereqs));
   server.route(createUpdateRoute(prereqs));
 
-  server.decorate('server', 'savedObjects', createSavedObjectsService(server));
+  server.decorate('server', 'savedObjects', createSavedObjectsService(server, kbnServer.uiExports.savedObjectsSchema));
 
   const savedObjectsClientCache = new WeakMap();
   server.decorate('request', 'getSavedObjectsClient', function () {
diff --git a/src/server/saved_objects/service/create_saved_objects_service.js b/src/server/saved_objects/service/create_saved_objects_service.js
index edb6b0093b0ba3..35e2d385d435a5 100644
--- a/src/server/saved_objects/service/create_saved_objects_service.js
+++ b/src/server/saved_objects/service/create_saved_objects_service.js
@@ -17,11 +17,11 @@
  * under the License.
  */
 
-import { getRootPropertiesObjects } from '../..//mappings';
-import { SavedObjectsRepository, ScopedSavedObjectsClientProvider, SavedObjectsRepositoryProvider } from './lib';
+import { getRootPropertiesObjects } from '../../mappings';
+import { SavedObjectsRepository, ScopedSavedObjectsClientProvider, SavedObjectsRepositoryProvider, SavedObjectsSchema } from './lib';
 import { SavedObjectsClient } from './saved_objects_client';
 
-export function createSavedObjectsService(server) {
+export function createSavedObjectsService(server, uiExportsSchema) {
   const onBeforeWrite = async () => {
     const adminCluster = server.plugins.elasticsearch.getCluster('admin');
 
@@ -59,10 +59,13 @@ export function createSavedObjectsService(server) {
     }
   };
 
+  const schema = new SavedObjectsSchema(uiExportsSchema);
+
   const mappings = server.getKibanaIndexMappingsDsl();
   const repositoryProvider = new SavedObjectsRepositoryProvider({
     index: server.config().get('kibana.index'),
     mappings,
+    schema,
     onBeforeWrite,
   });
 
@@ -86,6 +89,7 @@ export function createSavedObjectsService(server) {
     types: Object.keys(getRootPropertiesObjects(mappings)),
     SavedObjectsClient,
     SavedObjectsRepository,
+    schema,
     getSavedObjectsRepository: (...args) =>
       repositoryProvider.getRepository(...args),
     getScopedSavedObjectsClient: (...args) =>
diff --git a/src/server/saved_objects/service/lib/index.js b/src/server/saved_objects/service/lib/index.js
index 30adefe7e47c1c..e773275b9dfa17 100644
--- a/src/server/saved_objects/service/lib/index.js
+++ b/src/server/saved_objects/service/lib/index.js
@@ -20,6 +20,7 @@
 export { SavedObjectsRepository } from './repository';
 export { ScopedSavedObjectsClientProvider } from './scoped_client_provider';
 export { SavedObjectsRepositoryProvider } from './repository_provider';
+export { SavedObjectsSchema } from './schema';
 
 import * as errors from './errors';
 export { errors };
diff --git a/src/server/saved_objects/service/lib/repository.js b/src/server/saved_objects/service/lib/repository.js
index 6ede707c1819a0..d7fa6ac9e5188d 100644
--- a/src/server/saved_objects/service/lib/repository.js
+++ b/src/server/saved_objects/service/lib/repository.js
@@ -35,12 +35,14 @@ export class SavedObjectsRepository {
     const {
       index,
       mappings,
+      schema,
       callCluster,
       onBeforeWrite = () => { },
     } = options;
 
     this._index = index;
     this._mappings = mappings;
+    this._schema = schema;
     this._type = getRootType(this._mappings);
     this._onBeforeWrite = onBeforeWrite;
     this._unwrappedCallCluster = callCluster;
@@ -54,14 +56,14 @@ export class SavedObjectsRepository {
    * @param {object} [options={}]
    * @property {string} [options.id] - force id on creation, not recommended
    * @property {boolean} [options.overwrite=false]
-   * @property {object} [options.extraDocumentProperties={}] - extra properties to append to the document body, outside of the object's type property
+   * @property {string} [options.namespace]
    * @returns {promise} - { id, type, version, attributes }
   */
   async create(type, attributes = {}, options = {}) {
     const {
       id,
-      extraDocumentProperties = {},
-      overwrite = false
+      overwrite = false,
+      namespace,
     } = options;
 
     const method = id && !overwrite ? 'create' : 'index';
@@ -69,12 +71,12 @@ export class SavedObjectsRepository {
 
     try {
       const response = await this._writeToCluster(method, {
-        id: this._generateEsId(type, id),
+        id: this._generateEsId(namespace, type, id),
         type: this._type,
         index: this._index,
         refresh: 'wait_for',
         body: {
-          ...extraDocumentProperties,
+          ...namespace && !this._schema.isNamespaceAgnostic(type) && { namespace },
           type,
           updated_at: time,
           [type]: attributes,
@@ -82,7 +84,7 @@ export class SavedObjectsRepository {
       });
 
       return {
-        id: trimIdPrefix(response._id, type),
+        id: trimIdPrefix(this._schema, response._id, namespace, type),
         type,
         updated_at: time,
         version: response._version,
@@ -101,14 +103,16 @@ export class SavedObjectsRepository {
   /**
    * Creates multiple documents at once
    *
-   * @param {array} objects - [{ type, id, attributes, extraDocumentProperties }]
+   * @param {array} objects - [{ type, id, attributes }]
    * @param {object} [options={}]
    * @property {boolean} [options.overwrite=false] - overwrites existing documents
+   * @property {string} [options.namespace]
    * @returns {promise} -  {saved_objects: [[{ id, type, version, attributes, error: { message } }]}
    */
   async bulkCreate(objects, options = {}) {
     const {
-      overwrite = false
+      overwrite = false,
+      namespace
     } = options;
     const time = this._getCurrentTime();
     const objectToBulkRequest = (object) => {
@@ -117,12 +121,12 @@ export class SavedObjectsRepository {
       return [
         {
           [method]: {
-            _id: this._generateEsId(object.type, object.id),
+            _id: this._generateEsId(namespace, object.type, object.id),
             _type: this._type,
           }
         },
         {
-          ...object.extraDocumentProperties,
+          ... namespace && !this._schema.isNamespaceAgnostic(object.type) && { namespace },
           type: object.type,
           updated_at: time,
           [object.type]: object.attributes,
@@ -186,11 +190,17 @@ export class SavedObjectsRepository {
    *
    * @param {string} type
    * @param {string} id
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise}
    */
-  async delete(type, id) {
+  async delete(type, id, options = {}) {
+    const {
+      namespace
+    } = options;
+
     const response = await this._writeToCluster('delete', {
-      id: this._generateEsId(type, id),
+      id: this._generateEsId(namespace, type, id),
       type: this._type,
       index: this._index,
       refresh: 'wait_for',
@@ -220,12 +230,12 @@ export class SavedObjectsRepository {
    * @property {string} [options.search]
    * @property {Array<string>} [options.searchFields] - see Elasticsearch Simple Query String
    *                                        Query field argument for more information
-   * @property {object} [options.filters] - ES Query filters to append
    * @property {integer} [options.page=1]
    * @property {integer} [options.perPage=20]
    * @property {string} [options.sortField]
    * @property {string} [options.sortOrder]
    * @property {Array<string>} [options.fields]
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }], total, per_page, page }
    */
   async find(options = {}) {
@@ -238,7 +248,7 @@ export class SavedObjectsRepository {
       sortField,
       sortOrder,
       fields,
-      filters,
+      namespace,
     } = options;
 
     if (searchFields && !Array.isArray(searchFields)) {
@@ -249,10 +259,6 @@ export class SavedObjectsRepository {
       throw new TypeError('options.searchFields must be an array');
     }
 
-    if (filters && !Array.isArray(filters)) {
-      throw new TypeError('options.filters must be an array');
-    }
-
     const esOptions = {
       index: this._index,
       size: perPage,
@@ -261,13 +267,13 @@ export class SavedObjectsRepository {
       ignore: [404],
       body: {
         version: true,
-        ...getSearchDsl(this._mappings, {
+        ...getSearchDsl(this._mappings, this._schema, {
+          namespace,
           search,
           searchFields,
           type,
           sortField,
           sortOrder,
-          filters
         })
       }
     };
@@ -292,7 +298,7 @@ export class SavedObjectsRepository {
       saved_objects: response.hits.hits.map(hit => {
         const { type, updated_at: updatedAt } = hit._source;
         return {
-          id: trimIdPrefix(hit._id, type),
+          id: trimIdPrefix(this._schema, hit._id, namespace, type),
           type,
           ...updatedAt && { updated_at: updatedAt },
           version: hit._version,
@@ -306,8 +312,8 @@ export class SavedObjectsRepository {
    * Returns an array of objects by id
    *
    * @param {array} objects - an array ids, or an array of objects containing id and optionally type
-   * @param {object} [options = {}]
-   * @param {array} [options.extraDocumentProperties = []] - an array of extra properties to return from the underlying document
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }] }
    * @example
    *
@@ -317,6 +323,10 @@ export class SavedObjectsRepository {
    * ])
    */
   async bulkGet(objects = [], options = {}) {
+    const {
+      namespace
+    } = options;
+
     if (objects.length === 0) {
       return { saved_objects: [] };
     }
@@ -325,7 +335,7 @@ export class SavedObjectsRepository {
       index: this._index,
       body: {
         docs: objects.map(object => ({
-          _id: this._generateEsId(object.type, object.id),
+          _id: this._generateEsId(namespace, object.type, object.id),
           _type: this._type,
         }))
       }
@@ -333,8 +343,6 @@ export class SavedObjectsRepository {
 
     const { docs } = response;
 
-    const { extraDocumentProperties = [] } = options;
-
     return {
       saved_objects: docs.map((doc, i) => {
         const { id, type } = objects[i];
@@ -353,9 +361,6 @@ export class SavedObjectsRepository {
           type,
           ...time && { updated_at: time },
           version: doc._version,
-          ...extraDocumentProperties
-            .map(s => ({ [s]: doc._source[s] }))
-            .reduce((acc, prop) => ({ ...acc, ...prop }), {}),
           attributes: {
             ...doc._source[type],
           }
@@ -371,13 +376,17 @@ export class SavedObjectsRepository {
    *
    * @param {string} type
    * @param {string} id
-   * @param {object} [options = {}]
-   * @param {array} [options.extraDocumentProperties = []] - an array of extra properties to return from the underlying document
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise} - { id, type, version, attributes }
    */
   async get(type, id, options = {}) {
+    const {
+      namespace
+    } = options;
+
     const response = await this._callCluster('get', {
-      id: this._generateEsId(type, id),
+      id: this._generateEsId(namespace, type, id),
       type: this._type,
       index: this._index,
       ignore: [404]
@@ -390,8 +399,6 @@ export class SavedObjectsRepository {
       throw errors.createGenericNotFoundError(type, id);
     }
 
-    const { extraDocumentProperties = [] } = options;
-
     const { updated_at: updatedAt } = response._source;
 
     return {
@@ -399,9 +406,6 @@ export class SavedObjectsRepository {
       type,
       ...updatedAt && { updated_at: updatedAt },
       version: response._version,
-      ...extraDocumentProperties
-        .map(s => ({ [s]: response._source[s] }))
-        .reduce((acc, prop) => ({ ...acc, ...prop }), {}),
       attributes: {
         ...response._source[type],
       }
@@ -415,21 +419,26 @@ export class SavedObjectsRepository {
    * @param {string} id
    * @param {object} [options={}]
    * @property {integer} options.version - ensures version matches that of persisted object
-   * @param {array} [options.extraDocumentProperties = {}] - an object of extra properties to write into the underlying document
+   * @property {string} [options.namespace]
    * @returns {promise}
    */
   async update(type, id, attributes, options = {}) {
+    const {
+      version,
+      namespace
+    } = options;
+
     const time = this._getCurrentTime();
     const response = await this._writeToCluster('update', {
-      id: this._generateEsId(type, id),
+      id: this._generateEsId(namespace, type, id),
       type: this._type,
       index: this._index,
-      version: options.version,
+      version,
       refresh: 'wait_for',
       ignore: [404],
       body: {
         doc: {
-          ...options.extraDocumentProperties,
+          ...namespace && !this._schema.isNamespaceAgnostic(type) && { namespace },
           updated_at: time,
           [type]: attributes,
         }
@@ -467,8 +476,9 @@ export class SavedObjectsRepository {
     }
   }
 
-  _generateEsId(type, id) {
-    return `${type}:${id || uuid.v1()}`;
+  _generateEsId(namespace, type, id) {
+    const namespacePrefix = namespace && !this._schema.isNamespaceAgnostic(type) ? `${namespace}:` : '';
+    return `${namespacePrefix}${type}:${id || uuid.v1()}`;
   }
 
   _getCurrentTime() {
diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
index 2b84e773e02767..8ed28ffa1b6b8e 100644
--- a/src/server/saved_objects/service/lib/repository.test.js
+++ b/src/server/saved_objects/service/lib/repository.test.js
@@ -36,9 +36,9 @@ describe('SavedObjectsRepository', () => {
   let savedObjectsRepository;
   const mockTimestamp = '2017-08-14T15:49:14.886Z';
   const mockTimestampFields = { updated_at: mockTimestamp };
-  const searchResults = {
+  const noNamespaceSearchResults = {
     hits: {
-      total: 3,
+      total: 4,
       hits: [{
         _index: '.kibana',
         _type: 'doc',
@@ -80,6 +80,81 @@ describe('SavedObjectsRepository', () => {
             notExpandable: true
           }
         }
+      }, {
+        _index: '.kibana',
+        _type: 'doc',
+        _id: 'no-ns-type:something',
+        _score: 1,
+        _source: {
+          type: 'no-ns-type',
+          ...mockTimestampFields,
+          'no-ns-type': {
+            name: 'bar',
+          }
+        }
+      }]
+    }
+  };
+
+  const namespacedSearchResults = {
+    hits: {
+      total: 4,
+      hits: [{
+        _index: '.kibana',
+        _type: 'doc',
+        _id: 'foo-namespace:index-pattern:logstash-*',
+        _score: 1,
+        _source: {
+          namespace: 'foo-namespace',
+          type: 'index-pattern',
+          ...mockTimestampFields,
+          'index-pattern': {
+            title: 'logstash-*',
+            timeFieldName: '@timestamp',
+            notExpandable: true
+          }
+        }
+      }, {
+        _index: '.kibana',
+        _type: 'doc',
+        _id: 'foo-namespace:config:6.0.0-alpha1',
+        _score: 1,
+        _source: {
+          namespace: 'foo-namespace',
+          type: 'config',
+          ...mockTimestampFields,
+          config: {
+            buildNum: 8467,
+            defaultIndex: 'logstash-*'
+          }
+        }
+      }, {
+        _index: '.kibana',
+        _type: 'doc',
+        _id: 'foo-namespace:index-pattern:stocks-*',
+        _score: 1,
+        _source: {
+          namespace: 'foo-namespace',
+          type: 'index-pattern',
+          ...mockTimestampFields,
+          'index-pattern': {
+            title: 'stocks-*',
+            timeFieldName: '@timestamp',
+            notExpandable: true
+          }
+        }
+      }, {
+        _index: '.kibana',
+        _type: 'doc',
+        _id: 'no-ns-type:something',
+        _score: 1,
+        _source: {
+          type: 'no-ns-type',
+          ...mockTimestampFields,
+          'no-ns-type': {
+            name: 'bar',
+          }
+        }
       }]
     }
   };
@@ -98,6 +173,10 @@ describe('SavedObjectsRepository', () => {
     }
   };
 
+  const schema = {
+    isNamespaceAgnostic: type => type === 'no-ns-type',
+  };
+
   beforeEach(() => {
     callAdminCluster = sandbox.stub();
     onBeforeWrite = sandbox.stub();
@@ -105,6 +184,7 @@ describe('SavedObjectsRepository', () => {
     savedObjectsRepository = new SavedObjectsRepository({
       index: '.kibana-test',
       mappings,
+      schema,
       callCluster: callAdminCluster,
       onBeforeWrite
     });
@@ -120,17 +200,20 @@ describe('SavedObjectsRepository', () => {
 
   describe('#create', () => {
     beforeEach(() => {
-      callAdminCluster.returns(Promise.resolve({
+      callAdminCluster.callsFake((method, params) => ({
         _type: 'doc',
-        _id: 'index-pattern:logstash-*',
+        _id: params.id,
         _version: 2
       }));
     });
 
     it('formats Elasticsearch response', async () => {
-      const response = await savedObjectsRepository.create('index-pattern', {
-        title: 'Logstash'
-      });
+      const response = await savedObjectsRepository.create('index-pattern',
+        {
+          title: 'Logstash'
+        }, {
+          id: 'logstash-*'
+        });
 
       expect(response).toEqual({
         type: 'index-pattern',
@@ -193,25 +276,23 @@ describe('SavedObjectsRepository', () => {
       sinon.assert.calledOnce(onBeforeWrite);
     });
 
-    it('appends extraDocumentProperties to the document', async () => {
+    it('prepends namespace to the id and adds namespace to body when providing namespace for namespaced type', async () => {
       await savedObjectsRepository.create('index-pattern',
         {
           title: 'Logstash'
         },
         {
-          extraDocumentProperties: {
-            myExtraProp: 'myExtraValue',
-            myOtherExtraProp: true,
-          }
-        }
+          id: 'foo-id',
+          namespace: 'foo-namespace',
+        },
       );
 
       sinon.assert.calledOnce(callAdminCluster);
       sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        id: `foo-namespace:index-pattern:foo-id`,
         body: {
           [`index-pattern`]: { title: 'Logstash' },
-          myExtraProp: 'myExtraValue',
-          myOtherExtraProp: true,
+          namespace: 'foo-namespace',
           type: 'index-pattern',
           updated_at: '2017-08-14T15:49:14.886Z'
         }
@@ -220,29 +301,21 @@ describe('SavedObjectsRepository', () => {
       sinon.assert.calledOnce(onBeforeWrite);
     });
 
-    it('does not allow extraDocumentProperties to overwrite existing properties', async () => {
+    it(`doesn't prepend namespace to the id or add namespace property when providing no namespace for namespaced type`, async () => {
       await savedObjectsRepository.create('index-pattern',
         {
           title: 'Logstash'
         },
         {
-          extraDocumentProperties: {
-            myExtraProp: 'myExtraValue',
-            myOtherExtraProp: true,
-            updated_at: 'should_not_be_used',
-            'index-pattern': {
-              title: 'should_not_be_used'
-            }
-          }
+          id: 'foo-id'
         }
       );
 
       sinon.assert.calledOnce(callAdminCluster);
       sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        id: `index-pattern:foo-id`,
         body: {
           [`index-pattern`]: { title: 'Logstash' },
-          myExtraProp: 'myExtraValue',
-          myOtherExtraProp: true,
           type: 'index-pattern',
           updated_at: '2017-08-14T15:49:14.886Z'
         }
@@ -250,6 +323,30 @@ describe('SavedObjectsRepository', () => {
 
       sinon.assert.calledOnce(onBeforeWrite);
     });
+
+    it(`doesn't prepend namespace to the id or add namespace property when providing namespace for namespace agnostic type`, async () => {
+      await savedObjectsRepository.create('no-ns-type',
+        {
+          title: 'Logstash'
+        },
+        {
+          id: 'foo-id',
+          namespace: 'foo-namespace',
+        }
+      );
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        id: `no-ns-type:foo-id`,
+        body: {
+          [`no-ns-type`]: { title: 'Logstash' },
+          type: 'no-ns-type',
+          updated_at: '2017-08-14T15:49:14.886Z'
+        }
+      }));
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
   });
 
   describe('#bulkCreate', () => {
@@ -389,67 +486,70 @@ describe('SavedObjectsRepository', () => {
       });
     });
 
-    it('appends extraDocumentProperties to each created object', async () => {
+    it('prepends namespace to the id and adds namespace to body when providing namespace for namespaced type', async () => {
       callAdminCluster.returns({ items: [] });
 
       await savedObjectsRepository.bulkCreate(
         [
-          { type: 'config', id: 'one', attributes: { title: 'Test One' }, extraDocumentProperties: { extraConfigValue: true } },
-          { type: 'index-pattern', id: 'two', attributes: { title: 'Test Two' }, extraDocumentProperties: { extraIndexValue: true } }
-        ]);
+          { type: 'config', id: 'one', attributes: { title: 'Test One' } },
+          { type: 'index-pattern', id: 'two', attributes: { title: 'Test Two' } }
+        ],
+        {
+          namespace: 'foo-namespace',
+        },
+      );
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'bulk', sinon.match({
+        body: [
+          { create: { _type: 'doc', _id: 'foo-namespace:config:one' } },
+          { namespace: 'foo-namespace', type: 'config', ...mockTimestampFields, config: { title: 'Test One' } },
+          { create: { _type: 'doc', _id: 'foo-namespace:index-pattern:two' } },
+          { namespace: 'foo-namespace', type: 'index-pattern', ...mockTimestampFields, 'index-pattern': { title: 'Test Two' } }
+        ]
+      }));
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
+
+    it(`doesn't prepend namespace to the id or add namespace property when providing no namespace for namespaced type`, async () => {
+      callAdminCluster.returns({ items: [] });
+
+      await savedObjectsRepository.bulkCreate([
+        { type: 'config', id: 'one', attributes: { title: 'Test One' } },
+        { type: 'index-pattern', id: 'two', attributes: { title: 'Test Two' } }
+      ]);
 
       sinon.assert.calledOnce(callAdminCluster);
       sinon.assert.calledWithExactly(callAdminCluster, 'bulk', sinon.match({
         body: [
           { create: { _type: 'doc', _id: 'config:one' } },
-          { type: 'config', ...mockTimestampFields, config: { title: 'Test One' }, extraConfigValue: true },
+          { type: 'config', ...mockTimestampFields, config: { title: 'Test One' } },
           { create: { _type: 'doc', _id: 'index-pattern:two' } },
-          { type: 'index-pattern', ...mockTimestampFields, 'index-pattern': { title: 'Test Two' }, extraIndexValue: true }
+          { type: 'index-pattern', ...mockTimestampFields, 'index-pattern': { title: 'Test Two' } }
         ]
       }));
 
       sinon.assert.calledOnce(onBeforeWrite);
     });
 
-    it('does not allow extraDocumentProperties to overwrite existing properties', async () => {
-
+    it(`doesn't prepend namespace to the id or add namespace property when providing namespace for namespace agnostic type`, async () => {
       callAdminCluster.returns({ items: [] });
 
-      const extraDocumentProperties = {
-        extraProp: 'extraVal',
-        updated_at: 'should_not_be_used',
-      };
-      const configExtraDocumentProperties = {
-        ...extraDocumentProperties,
-        'config': { newIgnoredProp: 'should_not_be_used' }
-      };
-      const indexPatternExtraDocumentProperties = {
-        ...extraDocumentProperties,
-        'index-pattern': { title: 'should_not_be_used', newIgnoredProp: 'should_not_be_used' }
-      };
-
       await savedObjectsRepository.bulkCreate(
-        [{
-          type: 'config',
-          id: 'one',
-          attributes: { title: 'Test One' },
-          extraDocumentProperties: configExtraDocumentProperties
-        },
+        [
+          { type: 'no-ns-type', id: 'one', attributes: { title: 'Test One' } },
+        ],
         {
-          type: 'index-pattern',
-          id: 'two',
-          attributes: { title: 'Test Two' },
-          extraDocumentProperties: indexPatternExtraDocumentProperties
-        }]
+          namespace: 'foo-namespace',
+        },
       );
 
       sinon.assert.calledOnce(callAdminCluster);
       sinon.assert.calledWithExactly(callAdminCluster, 'bulk', sinon.match({
         body: [
-          { create: { _type: 'doc', _id: 'config:one' } },
-          { type: 'config', ...mockTimestampFields, config: { title: 'Test One' }, extraProp: 'extraVal' },
-          { create: { _type: 'doc', _id: 'index-pattern:two' } },
-          { type: 'index-pattern', ...mockTimestampFields, 'index-pattern': { title: 'Test Two' }, extraProp: 'extraVal' }
+          { create: { _type: 'doc', _id: 'no-ns-type:one' } },
+          { type: 'no-ns-type', ...mockTimestampFields, 'no-ns-type': { title: 'Test One' } },
         ]
       }));
 
@@ -472,7 +572,27 @@ describe('SavedObjectsRepository', () => {
       }
     });
 
-    it('passes the parameters to callAdminCluster', async () => {
+    it(`prepends namespace to the id when providing namespace for namespaced type`, async () => {
+      callAdminCluster.returns({
+        result: 'deleted'
+      });
+      await savedObjectsRepository.delete('index-pattern', 'logstash-*', {
+        namespace: 'foo-namespace',
+      });
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'delete', {
+        type: 'doc',
+        id: 'foo-namespace:index-pattern:logstash-*',
+        refresh: 'wait_for',
+        index: '.kibana-test',
+        ignore: [404],
+      });
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
+
+    it(`doesn't prepend namespace to the id when providing no namespace for namespaced type`, async () => {
       callAdminCluster.returns({
         result: 'deleted'
       });
@@ -489,14 +609,31 @@ describe('SavedObjectsRepository', () => {
 
       sinon.assert.calledOnce(onBeforeWrite);
     });
-  });
 
-  describe('#find', () => {
-    beforeEach(() => {
-      callAdminCluster.returns(searchResults);
+    it(`doesn't prepend namespace to the id when providing namespace for namespace agnostic type`, async () => {
+      callAdminCluster.returns({
+        result: 'deleted'
+      });
+      await savedObjectsRepository.delete('no-ns-type', 'logstash-*', {
+        namespace: 'foo-namespace',
+      });
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'delete', {
+        type: 'doc',
+        id: 'no-ns-type:logstash-*',
+        refresh: 'wait_for',
+        index: '.kibana-test',
+        ignore: [404],
+      });
+
+      sinon.assert.calledOnce(onBeforeWrite);
     });
+  });
 
+  describe('#find', () => {
     it('requires searchFields be an array if defined', async () => {
+      callAdminCluster.returns(noNamespaceSearchResults);
       try {
         await savedObjectsRepository.find({ searchFields: 'string' });
         throw new Error('expected find() to reject');
@@ -508,6 +645,7 @@ describe('SavedObjectsRepository', () => {
     });
 
     it('requires fields be an array if defined', async () => {
+      callAdminCluster.returns(noNamespaceSearchResults);
       try {
         await savedObjectsRepository.find({ fields: 'string' });
         throw new Error('expected find() to reject');
@@ -518,33 +656,24 @@ describe('SavedObjectsRepository', () => {
       }
     });
 
-    it('requires filters to be an array if defined', async () => {
-      try {
-        await savedObjectsRepository.find({ filters: 'string' });
-        throw new Error('expected find() to reject');
-      } catch (error) {
-        sinon.assert.notCalled(callAdminCluster);
-        sinon.assert.notCalled(onBeforeWrite);
-        expect(error.message).toMatch('must be an array');
-      }
-    });
-
-    it('passes mappings, search, searchFields, type, sortField, filters, and sortOrder to getSearchDsl', async () => {
+    it('passes mappings, schema, namespace, search, searchFields, type, sortField, and sortOrder to getSearchDsl', async () => {
+      callAdminCluster.returns(namespacedSearchResults);
       const relevantOpts = {
+        namespace: 'foo-namespace',
         search: 'foo*',
         searchFields: ['foo'],
         type: 'bar',
         sortField: 'name',
         sortOrder: 'desc',
-        filters: [{ bool: {} }],
       };
 
       await savedObjectsRepository.find(relevantOpts);
       sinon.assert.calledOnce(getSearchDsl);
-      sinon.assert.calledWithExactly(getSearchDsl, mappings, relevantOpts);
+      sinon.assert.calledWithExactly(getSearchDsl, mappings, schema, relevantOpts);
     });
 
     it('merges output of getSearchDsl into es request body', async () => {
+      callAdminCluster.returns(noNamespaceSearchResults);
       getSearchDsl.returns({ query: 1, aggregations: 2 });
       await savedObjectsRepository.find();
       sinon.assert.calledOnce(callAdminCluster);
@@ -557,17 +686,40 @@ describe('SavedObjectsRepository', () => {
       }));
     });
 
-    it('formats Elasticsearch response', async () => {
-      const count = searchResults.hits.hits.length;
+    it('formats Elasticsearch response when there is no namespace', async () => {
+      callAdminCluster.returns(noNamespaceSearchResults);
+      const count = noNamespaceSearchResults.hits.hits.length;
 
       const response = await savedObjectsRepository.find();
 
       expect(response.total).toBe(count);
       expect(response.saved_objects).toHaveLength(count);
 
-      searchResults.hits.hits.forEach((doc, i) => {
+      noNamespaceSearchResults.hits.hits.forEach((doc, i) => {
         expect(response.saved_objects[i]).toEqual({
-          id: doc._id.replace(/(index-pattern|config)\:/, ''),
+          id: doc._id.replace(/(index-pattern|config|no-ns-type)\:/, ''),
+          type: doc._source.type,
+          ...mockTimestampFields,
+          version: doc._version,
+          attributes: doc._source[doc._source.type]
+        });
+      });
+    });
+
+    it('formats Elasticsearch response when there is a namespace', async () => {
+      callAdminCluster.returns(namespacedSearchResults);
+      const count = namespacedSearchResults.hits.hits.length;
+
+      const response = await savedObjectsRepository.find({
+        namespace: 'foo-namespace',
+      });
+
+      expect(response.total).toBe(count);
+      expect(response.saved_objects).toHaveLength(count);
+
+      namespacedSearchResults.hits.hits.forEach((doc, i) => {
+        expect(response.saved_objects[i]).toEqual({
+          id: doc._id.replace(/(foo-namespace\:)?(index-pattern|config|no-ns-type)\:/, ''),
           type: doc._source.type,
           ...mockTimestampFields,
           version: doc._version,
@@ -577,6 +729,7 @@ describe('SavedObjectsRepository', () => {
     });
 
     it('accepts per_page/page', async () => {
+      callAdminCluster.returns(noNamespaceSearchResults);
       await savedObjectsRepository.find({ perPage: 10, page: 6 });
 
       sinon.assert.calledOnce(callAdminCluster);
@@ -589,6 +742,7 @@ describe('SavedObjectsRepository', () => {
     });
 
     it('can filter by fields', async () => {
+      callAdminCluster.returns(noNamespaceSearchResults);
       await savedObjectsRepository.find({ fields: ['title'] });
 
       sinon.assert.calledOnce(callAdminCluster);
@@ -603,24 +757,37 @@ describe('SavedObjectsRepository', () => {
   });
 
   describe('#get', () => {
-    beforeEach(() => {
-      callAdminCluster.returns(Promise.resolve({
-        _id: 'index-pattern:logstash-*',
-        _type: 'doc',
-        _version: 2,
-        _source: {
-          type: 'index-pattern',
-          specialProperty: 'specialValue',
-          ...mockTimestampFields,
-          'index-pattern': {
-            title: 'Testing'
-          }
+    const noNamespaceResult = {
+      _id: 'index-pattern:logstash-*',
+      _type: 'doc',
+      _version: 2,
+      _source: {
+        type: 'index-pattern',
+        specialProperty: 'specialValue',
+        ...mockTimestampFields,
+        'index-pattern': {
+          title: 'Testing'
         }
-      }));
-    });
+      }
+    };
+    const namespacedResult = {
+      _id: 'foo-namespace:index-pattern:logstash-*',
+      _type: 'doc',
+      _version: 2,
+      _source: {
+        namespace: 'foo-namespace',
+        type: 'index-pattern',
+        specialProperty: 'specialValue',
+        ...mockTimestampFields,
+        'index-pattern': {
+          title: 'Testing'
+        }
+      }
+    };
 
     it('formats Elasticsearch response', async () => {
-      const response = await savedObjectsRepository.get('index-pattern', 'logstash-*');
+      callAdminCluster.returns(Promise.resolve(namespacedResult));
+      const response = await savedObjectsRepository.get('index-pattern', 'logstash-*', 'foo-namespace');
       sinon.assert.notCalled(onBeforeWrite);
       expect(response).toEqual({
         id: 'logstash-*',
@@ -633,7 +800,22 @@ describe('SavedObjectsRepository', () => {
       });
     });
 
-    it('prepends type to the id', async () => {
+    it('prepends namespace and type to the id when providing namespace for namespaced type', async () => {
+      callAdminCluster.returns(Promise.resolve(namespacedResult));
+      await savedObjectsRepository.get('index-pattern', 'logstash-*', {
+        namespace: 'foo-namespace',
+      });
+
+      sinon.assert.notCalled(onBeforeWrite);
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        id: 'foo-namespace:index-pattern:logstash-*',
+        type: 'doc'
+      }));
+    });
+
+    it(`only prepends type to the id when providing no namespace for namespaced type`, async () => {
+      callAdminCluster.returns(Promise.resolve(noNamespaceResult));
       await savedObjectsRepository.get('index-pattern', 'logstash-*');
 
       sinon.assert.notCalled(onBeforeWrite);
@@ -644,32 +826,29 @@ describe('SavedObjectsRepository', () => {
       }));
     });
 
-    it('includes the requested extraDocumentProperties in the response for the requested object', async () => {
-      const response = await savedObjectsRepository.get('index-pattern', 'logstash-*', {
-        extraDocumentProperties: ['specialProperty', 'undefinedProperty']
+    it(`doesn't prepend namespace to the id when providing namespace for namespace agnostic type`, async () => {
+      callAdminCluster.returns(Promise.resolve(namespacedResult));
+      await savedObjectsRepository.get('no-ns-type', 'logstash-*', {
+        namespace: 'foo-namespace',
       });
 
-      expect(response).toEqual({
-        id: 'logstash-*',
-        type: 'index-pattern',
-        updated_at: mockTimestamp,
-        version: 2,
-        specialProperty: 'specialValue',
-        undefinedProperty: undefined,
-        attributes: {
-          title: 'Testing'
-        }
-      });
+      sinon.assert.notCalled(onBeforeWrite);
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        id: 'no-ns-type:logstash-*',
+        type: 'doc'
+      }));
     });
   });
 
   describe('#bulkGet', () => {
-    it('accepts a array of mixed type and ids', async () => {
+    it('prepends type to id when getting objects when there is no namespace', async () => {
       callAdminCluster.returns({ docs: [] });
 
       await savedObjectsRepository.bulkGet([
         { id: 'one', type: 'config' },
-        { id: 'two', type: 'index-pattern' }
+        { id: 'two', type: 'index-pattern' },
+        { id: 'three', type: 'no-ns-type' },
       ]);
 
       sinon.assert.calledOnce(callAdminCluster);
@@ -677,7 +856,35 @@ describe('SavedObjectsRepository', () => {
         body: {
           docs: [
             { _type: 'doc', _id: 'config:one' },
-            { _type: 'doc', _id: 'index-pattern:two' }
+            { _type: 'doc', _id: 'index-pattern:two' },
+            { _type: 'doc', _id: 'no-ns-type:three' },
+          ]
+        }
+      }));
+
+      sinon.assert.notCalled(onBeforeWrite);
+    });
+
+    it('prepends namespace and type appropriately to id when getting objects when there is a namespace', async () => {
+      callAdminCluster.returns({ docs: [] });
+
+      await savedObjectsRepository.bulkGet(
+        [
+          { id: 'one', type: 'config' },
+          { id: 'two', type: 'index-pattern' },
+          { id: 'three', type: 'no-ns-type' },
+        ], {
+          namespace: 'foo-namespace',
+        }
+      );
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        body: {
+          docs: [
+            { _type: 'doc', _id: 'foo-namespace:config:one' },
+            { _type: 'doc', _id: 'foo-namespace:index-pattern:two' },
+            { _type: 'doc', _id: 'no-ns-type:three' },
           ]
         }
       }));
@@ -731,80 +938,6 @@ describe('SavedObjectsRepository', () => {
         error: { statusCode: 404, message: 'Not found' }
       });
     });
-
-    it('includes the requested extraDocumentProperties in the response for each requested object', async () => {
-      callAdminCluster.returns(Promise.resolve({
-        docs: [{
-          _type: 'doc',
-          _id: 'config:good',
-          found: true,
-          _version: 2,
-          _source: {
-            ...mockTimestampFields,
-            type: 'config',
-            specialProperty: 'specialValue',
-            config: { title: 'Test' }
-          }
-        }, {
-          _type: 'doc',
-          _id: 'config:bad',
-          found: false
-        }, {
-          _id: 'index-pattern:logstash-*',
-          _type: 'doc',
-          found: true,
-          _version: 2,
-          _source: {
-            type: 'index-pattern',
-            specialProperty: 'anotherSpecialValue',
-            ...mockTimestampFields,
-            'index-pattern': {
-              title: 'Testing'
-            }
-          }
-        }]
-      }));
-
-      const { saved_objects: savedObjects } = await savedObjectsRepository.bulkGet(
-        [
-          { id: 'good', type: 'config' },
-          { id: 'bad', type: 'config' },
-          { id: 'logstash-*', type: 'index-pattern' }
-        ], {
-          extraDocumentProperties: ['specialProperty', 'undefinedProperty']
-        }
-      );
-
-      expect(savedObjects).toHaveLength(3);
-
-      expect(savedObjects[0]).toEqual({
-        id: 'good',
-        type: 'config',
-        ...mockTimestampFields,
-        version: 2,
-        specialProperty: 'specialValue',
-        undefinedProperty: undefined,
-        attributes: { title: 'Test' }
-      });
-
-      expect(savedObjects[1]).toEqual({
-        id: 'bad',
-        type: 'config',
-        error: { statusCode: 404, message: 'Not found' }
-      });
-
-      expect(savedObjects[2]).toEqual({
-        id: 'logstash-*',
-        type: 'index-pattern',
-        ...mockTimestampFields,
-        version: 2,
-        specialProperty: 'anotherSpecialValue',
-        undefinedProperty: undefined,
-        attributes: {
-          title: 'Testing'
-        }
-      });
-    });
   });
 
   describe('#update', () => {
@@ -847,16 +980,20 @@ describe('SavedObjectsRepository', () => {
       }));
     });
 
-    it('passes the parameters to callAdminCluster', async () => {
-      await savedObjectsRepository.update('index-pattern', 'logstash-*', { title: 'Testing' });
+    it('prepends namespace to the id and adds namespace to body when providing namespace for namespaced type', async () => {
+      await savedObjectsRepository.update('index-pattern', 'logstash-*', {
+        title: 'Testing',
+      }, {
+        namespace: 'foo-namespace',
+      });
 
       sinon.assert.calledOnce(callAdminCluster);
       sinon.assert.calledWithExactly(callAdminCluster, 'update', {
         type: 'doc',
-        id: 'index-pattern:logstash-*',
+        id: 'foo-namespace:index-pattern:logstash-*',
         version: undefined,
         body: {
-          doc: { updated_at: mockTimestamp, 'index-pattern': { title: 'Testing' } }
+          doc: { namespace: 'foo-namespace', updated_at: mockTimestamp, 'index-pattern': { title: 'Testing' } }
         },
         ignore: [404],
         refresh: 'wait_for',
@@ -866,13 +1003,8 @@ describe('SavedObjectsRepository', () => {
       sinon.assert.calledOnce(onBeforeWrite);
     });
 
-    it('updates the document including all provided extraDocumentProperties', async () => {
-      await savedObjectsRepository.update(
-        'index-pattern',
-        'logstash-*',
-        { title: 'Testing' },
-        { extraDocumentProperties: { extraProp: 'extraVal' } }
-      );
+    it(`doesn't prepend namespace to the id or add namespace property when providing no namespace for namespaced type`, async () => {
+      await savedObjectsRepository.update('index-pattern', 'logstash-*', { title: 'Testing' });
 
       sinon.assert.calledOnce(callAdminCluster);
       sinon.assert.calledWithExactly(callAdminCluster, 'update', {
@@ -880,7 +1012,7 @@ describe('SavedObjectsRepository', () => {
         id: 'index-pattern:logstash-*',
         version: undefined,
         body: {
-          doc: { updated_at: mockTimestamp, extraProp: 'extraVal', 'index-pattern': { title: 'Testing' } }
+          doc: { updated_at: mockTimestamp, 'index-pattern': { title: 'Testing' } }
         },
         ignore: [404],
         refresh: 'wait_for',
@@ -890,27 +1022,20 @@ describe('SavedObjectsRepository', () => {
       sinon.assert.calledOnce(onBeforeWrite);
     });
 
-    it('does not allow extraDocumentProperties to overwrite existing properties', async () => {
-      await savedObjectsRepository.update(
-        'index-pattern',
-        'logstash-*',
-        { title: 'Testing' },
-        {
-          extraDocumentProperties: {
-            extraProp: 'extraVal',
-            updated_at: 'should_not_be_used',
-            'index-pattern': { title: 'should_not_be_used', newIgnoredProp: 'should_not_be_used' }
-          }
-        }
-      );
+    it(`doesn't prepend namespace to the id or add namespace property when providing namespace for namespace agnostic type`, async () => {
+      await savedObjectsRepository.update('no-ns-type', 'foo', {
+        name: 'bar',
+      }, {
+        namespace: 'foo-namespace',
+      });
 
       sinon.assert.calledOnce(callAdminCluster);
       sinon.assert.calledWithExactly(callAdminCluster, 'update', {
         type: 'doc',
-        id: 'index-pattern:logstash-*',
+        id: 'no-ns-type:foo',
         version: undefined,
         body: {
-          doc: { updated_at: mockTimestamp, extraProp: 'extraVal', 'index-pattern': { title: 'Testing' } }
+          doc: { updated_at: mockTimestamp, 'no-ns-type': { name: 'bar' } }
         },
         ignore: [404],
         refresh: 'wait_for',
diff --git a/src/server/saved_objects/service/lib/repository_provider.js b/src/server/saved_objects/service/lib/repository_provider.js
index 131eefd619a256..eabe1be09fed64 100644
--- a/src/server/saved_objects/service/lib/repository_provider.js
+++ b/src/server/saved_objects/service/lib/repository_provider.js
@@ -27,10 +27,12 @@ export class SavedObjectsRepositoryProvider {
   constructor({
     index,
     mappings,
+    schema,
     onBeforeWrite
   }) {
     this._index = index;
     this._mappings = mappings;
+    this._schema = schema;
     this._onBeforeWrite = onBeforeWrite;
   }
 
@@ -43,6 +45,7 @@ export class SavedObjectsRepositoryProvider {
     return new SavedObjectsRepository({
       index: this._index,
       mappings: this._mappings,
+      schema: this._schema,
       onBeforeWrite: this._onBeforeWrite,
       callCluster
     });
diff --git a/src/server/saved_objects/service/lib/repository_provider.test.js b/src/server/saved_objects/service/lib/repository_provider.test.js
index bc39fcecf9384e..41a8f72f2e6436 100644
--- a/src/server/saved_objects/service/lib/repository_provider.test.js
+++ b/src/server/saved_objects/service/lib/repository_provider.test.js
@@ -41,22 +41,26 @@ test('creates a valid Repository', async () => {
         }
       }
     },
+    schema: {
+      isNamespaceAgnostic: jest.fn(),
+    },
     onBeforeWrite: jest.fn()
   };
 
   const provider = new SavedObjectsRepositoryProvider(properties);
 
   const callCluster = jest.fn().mockReturnValue({
-    _id: 'new'
+    _id: 'ns:foo:new'
   });
 
   const repository = provider.getRepository(callCluster);
 
-  await repository.create('foo', {});
+  await repository.create('foo', {}, { namespace: 'ns' });
 
   expect(callCluster).toHaveBeenCalledTimes(1);
+  expect(properties.schema.isNamespaceAgnostic).toHaveBeenCalled();
   expect(properties.onBeforeWrite).toHaveBeenCalledTimes(1);
   expect(callCluster).toHaveBeenCalledWith('index', expect.objectContaining({
     index: properties.index
   }));
-});
\ No newline at end of file
+});
diff --git a/src/server/saved_objects/service/lib/schema.js b/src/server/saved_objects/service/lib/schema.js
new file mode 100644
index 00000000000000..02cbbc4271c6ca
--- /dev/null
+++ b/src/server/saved_objects/service/lib/schema.js
@@ -0,0 +1,32 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+export class SavedObjectsSchema {
+  constructor(uiExportsSchema) {
+    this._schema = uiExportsSchema;
+  }
+
+  isNamespaceAgnostic(type) {
+    const typeSchema = this._schema[type];
+    if (!typeSchema) {
+      return false;
+    }
+    return Boolean(typeSchema.isNamespaceAgnostic);
+  }
+}
diff --git a/src/server/saved_objects/service/lib/schema.test.js b/src/server/saved_objects/service/lib/schema.test.js
new file mode 100644
index 00000000000000..a524c4bb6bd848
--- /dev/null
+++ b/src/server/saved_objects/service/lib/schema.test.js
@@ -0,0 +1,49 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { SavedObjectsSchema } from './schema';
+
+describe('#isNamespaceAgnostic', () => {
+  it(`returns false for unknown types`, () => {
+    const schema = new SavedObjectsSchema({});
+    const result = schema.isNamespaceAgnostic('bar');
+    expect(result).toBe(false);
+  });
+
+  it(`returns true for explicitly namespace agnostic type`, () => {
+    const schema = new SavedObjectsSchema({
+      foo: {
+        isNamespaceAgnostic: true,
+      }
+    });
+    const result = schema.isNamespaceAgnostic('foo');
+    expect(result).toBe(true);
+  });
+
+  it(`returns false for explicitly namespaced type`, () => {
+    const schema = new SavedObjectsSchema({
+      foo: {
+        isNamespaceAgnostic: false,
+      }
+    });
+    const result = schema.isNamespaceAgnostic('foo');
+    expect(result).toBe(false);
+  });
+});
+
diff --git a/src/server/saved_objects/service/lib/search_dsl/query_params.js b/src/server/saved_objects/service/lib/search_dsl/query_params.js
index c5ca55f985bddc..5bcff743c10824 100644
--- a/src/server/saved_objects/service/lib/search_dsl/query_params.js
+++ b/src/server/saved_objects/service/lib/search_dsl/query_params.js
@@ -59,25 +59,58 @@ function getFieldsForTypes(searchFields, types) {
   };
 }
 
+/**
+ *  Gets the clause that will filter for the type in the namespace.
+ *  Some types are namespace agnostic, so they must be treated differently.
+ *  @param  {SavedObjectsSchema} schema
+ *  @param  {string} namespace
+ *  @param  {string} type
+ *  @return {Object}
+ */
+function getClauseForType(schema, namespace, type) {
+  if (!type) {
+    throw new Error(`type is required to build filter clause`);
+  }
+
+  if (namespace && !schema.isNamespaceAgnostic(type)) {
+    return {
+      bool: {
+        must: [
+          { term: { type } },
+          { term: { namespace } },
+        ]
+      }
+    };
+  }
+
+  return {
+    bool: {
+      must: [{ term: { type } }],
+      must_not: [{ exists: { field: 'namespace' } }]
+    }
+  };
+}
+
 /**
  *  Get the "query" related keys for the search body
  *  @param  {EsMapping} mapping mappings from Ui
+ * *@param  {SavedObjectsSchema} schema
  *  @param  {(string|Array<string>)} type
  *  @param  {String} search
  *  @param  {Array<string>} searchFields
- *  @param {Array<object>} filters additional query filters
  *  @return {Object}
  */
-export function getQueryParams(mappings, type, search, searchFields, filters = []) {
-
+export function getQueryParams(mappings, schema, namespace, type, search, searchFields) {
+  const types = getTypes(mappings, type);
   const bool = {
-    filter: [...filters],
+    filter: [{
+      bool: {
+        should: types.map(type => getClauseForType(schema, namespace, type)),
+        minimum_should_match: 1
+      }
+    }],
   };
 
-  if (type) {
-    bool.filter.push({ [Array.isArray(type) ? 'terms' : 'term']: { type } });
-  }
-
   if (search) {
     bool.must = [
       {
@@ -85,19 +118,12 @@ export function getQueryParams(mappings, type, search, searchFields, filters = [
           query: search,
           ...getFieldsForTypes(
             searchFields,
-            getTypes(mappings, type)
+            types
           )
         }
       }
     ];
   }
 
-  // Don't construct a query if there is nothing to search on.
-  if (bool.filter.length === 0 && !search) {
-    return {};
-  }
-
   return { query: { bool } };
 }
-
-
diff --git a/src/server/saved_objects/service/lib/search_dsl/query_params.test.js b/src/server/saved_objects/service/lib/search_dsl/query_params.test.js
index e3e261db1e77e6..45f241ba41883e 100644
--- a/src/server/saved_objects/service/lib/search_dsl/query_params.test.js
+++ b/src/server/saved_objects/service/lib/search_dsl/query_params.test.js
@@ -50,61 +50,189 @@ const MAPPINGS = {
             }
           }
         }
+      },
+      global: {
+        properties: {
+          name: {
+            type: 'keyword',
+          }
+        }
       }
     }
   }
 };
 
+const SCHEMA = {
+  isNamespaceAgnostic: type => type === 'global',
+};
+
+
+// create a type clause to be used within the "should", if a namespace is specified
+// the clause will ensure the namespace matches; otherwise, the clause will ensure
+// that there isn't a namespace field.
+const createTypeClause = (type, namespace) => {
+  if (namespace) {
+    return {
+      bool: {
+        must: [
+          { term: { type } },
+          { term: { namespace } },
+        ]
+      }
+    };
+  }
+
+  return {
+    bool: {
+      must: [{ term: { type } }],
+      must_not: [{ exists: { field: 'namespace' } }]
+    }
+  };
+};
+
 describe('searchDsl/queryParams', () => {
-  describe('{}', () => {
-    it('searches for everything', () => {
-      expect(getQueryParams(MAPPINGS))
-        .toEqual({});
+  describe('no parameters', () => {
+    it('searches for all known types without a namespace specified', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending'),
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }]
+            }
+          }
+        });
     });
   });
 
-  describe('{type}', () => {
-    it('includes just a terms filter', () => {
-      expect(getQueryParams(MAPPINGS, 'saved'))
+  describe('namespace', () => {
+    it('filters namespaced types for namespace, and ensures namespace agnostic types have no namespace', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace'))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                {
-                  term: { type: 'saved' }
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending', 'foo-namespace'),
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
                 }
-              ]
+              }]
             }
           }
         });
     });
   });
 
-  describe('{type,filters}', () => {
-    it('includes filters and a term filter for type', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', null, null, [{ terms: { foo: ['bar', 'baz'] } }]))
+  describe('type (singular, namespaced)', () => {
+    it('includes a terms filter for type and namespace not being specified', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, 'saved'))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { terms: { foo: ['bar', 'baz'] } },
-                {
-                  term: { type: 'saved' }
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved'),
+                  ],
+                  minimum_should_match: 1
                 }
-              ]
+              }]
+            }
+          }
+        });
+    });
+  });
+
+  describe('type (singular, global)', () => {
+    it('includes a terms filter for type and namespace not being specified', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, 'global'))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }]
             }
           }
         });
     });
   });
 
-  describe('{search}', () => {
-    it('includes just a sqs query', () => {
-      expect(getQueryParams(MAPPINGS, null, 'us*'))
+  describe('type (plural, namespaced and global)', () => {
+    it('includes term filters for types and namespace not being specified', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, ['saved', 'global']))
         .toEqual({
           query: {
             bool: {
-              filter: [],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }]
+            }
+          }
+        });
+    });
+  });
+
+  describe('namespace, type (plural, namespaced and global)', () => {
+    it('includes a terms filter for type and namespace not being specified', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', ['saved', 'global']))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }]
+            }
+          }
+        });
+    });
+  });
+
+  describe('search', () => {
+    it('includes a sqs query and all known types without a namespace specified', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, null, 'us*'))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending'),
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
@@ -119,15 +247,22 @@ describe('searchDsl/queryParams', () => {
     });
   });
 
-  describe('{search,filters}', () => {
-    it('includes filters and a sqs query', () => {
-      expect(getQueryParams(MAPPINGS, null, 'us*', null, [{ terms: { foo: ['bar', 'baz'] } }]))
+  describe('namespace, search', () => {
+    it('includes a sqs query and namespaced types with the namespace and global types without a namespace', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', null, 'us*'))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { terms: { foo: ['bar', 'baz'] } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending', 'foo-namespace'),
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
@@ -142,19 +277,25 @@ describe('searchDsl/queryParams', () => {
     });
   });
 
-  describe('{type,search}', () => {
-    it('includes bool with sqs query and term filter for type', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*'))
+  describe('type (plural, namespaced and global), search', () => {
+    it('includes a sqs query and types without a namespace', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, ['saved', 'global'], 'us*'))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { term: { type: 'saved' } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
-                    query: 'y*',
+                    query: 'us*',
                     all_fields: true
                   }
                 }
@@ -165,20 +306,25 @@ describe('searchDsl/queryParams', () => {
     });
   });
 
-  describe('{type,search,filters}', () => {
-    it('includes bool with sqs query, filters and term filter for type', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*', null, [{ terms: { foo: ['bar', 'baz'] } }]))
+  describe('namespace, type (plural, namespaced and global), search', () => {
+    it('includes a sqs query and namespace type with a namespace and global type without a namespace', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', ['saved', 'global'], 'us*'))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { terms: { foo: ['bar', 'baz'] } },
-                { term: { type: 'saved' } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
-                    query: 'y*',
+                    query: 'us*',
                     all_fields: true
                   }
                 }
@@ -189,20 +335,30 @@ describe('searchDsl/queryParams', () => {
     });
   });
 
-  describe('{search,searchFields}', () => {
+  describe('search, searchFields', () => {
     it('includes all types for field', () => {
-      expect(getQueryParams(MAPPINGS, null, 'y*', ['title']))
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, null, 'y*', ['title']))
         .toEqual({
           query: {
             bool: {
-              filter: [],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending'),
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
                       'pending.title',
-                      'saved.title'
+                      'saved.title',
+                      'global.title',
                     ]
                   }
                 }
@@ -212,18 +368,28 @@ describe('searchDsl/queryParams', () => {
         });
     });
     it('supports field boosting', () => {
-      expect(getQueryParams(MAPPINGS, null, 'y*', ['title^3']))
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, null, 'y*', ['title^3']))
         .toEqual({
           query: {
             bool: {
-              filter: [],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending'),
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
                       'pending.title^3',
-                      'saved.title^3'
+                      'saved.title^3',
+                      'global.title^3',
                     ]
                   }
                 }
@@ -233,11 +399,20 @@ describe('searchDsl/queryParams', () => {
         });
     });
     it('supports field and multi-field', () => {
-      expect(getQueryParams(MAPPINGS, null, 'y*', ['title', 'title.raw']))
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, null, 'y*', ['title', 'title.raw']))
         .toEqual({
           query: {
             bool: {
-              filter: [],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending'),
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
@@ -245,8 +420,10 @@ describe('searchDsl/queryParams', () => {
                     fields: [
                       'pending.title',
                       'saved.title',
+                      'global.title',
                       'pending.title.raw',
                       'saved.title.raw',
+                      'global.title.raw',
                     ]
                   }
                 }
@@ -257,22 +434,30 @@ describe('searchDsl/queryParams', () => {
     });
   });
 
-  describe('{search,searchFields,filters}', () => {
-    it('specifies filters and includes all types for field', () => {
-      expect(getQueryParams(MAPPINGS, null, 'y*', ['title'], [{ terms: { foo: ['bar', 'baz'] } }]))
+  describe('namespace, search, searchFields', () => {
+    it('includes all types for field', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', null, 'y*', ['title']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { terms: { foo: ['bar', 'baz'] } },
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending', 'foo-namespace'),
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
                       'pending.title',
-                      'saved.title'
+                      'saved.title',
+                      'global.title',
                     ]
                   }
                 }
@@ -281,21 +466,29 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
-    it('specifies filters and supports field boosting', () => {
-      expect(getQueryParams(MAPPINGS, null, 'y*', ['title^3'], [{ terms: { foo: ['bar', 'baz'] } }]))
+    it('supports field boosting', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', null, 'y*', ['title^3']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { terms: { foo: ['bar', 'baz'] } },
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending', 'foo-namespace'),
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
                       'pending.title^3',
-                      'saved.title^3'
+                      'saved.title^3',
+                      'global.title^3',
                     ]
                   }
                 }
@@ -304,14 +497,21 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
-    it('specifies filters and supports field and multi-field', () => {
-      expect(getQueryParams(MAPPINGS, null, 'y*', ['title', 'title.raw'], [{ terms: { foo: ['bar', 'baz'] } }]))
+    it('supports field and multi-field', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', null, 'y*', ['title', 'title.raw']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { terms: { foo: ['bar', 'baz'] } },
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending', 'foo-namespace'),
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
@@ -319,8 +519,10 @@ describe('searchDsl/queryParams', () => {
                     fields: [
                       'pending.title',
                       'saved.title',
+                      'global.title',
                       'pending.title.raw',
                       'saved.title.raw',
+                      'global.title.raw',
                     ]
                   }
                 }
@@ -331,21 +533,28 @@ describe('searchDsl/queryParams', () => {
     });
   });
 
-  describe('{type,search,searchFields}', () => {
-    it('includes bool, and sqs with field list', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title']))
+  describe('type (plural, namespaced and global), search, searchFields', () => {
+    it('includes all types for field', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, ['saved', 'global'], 'y*', ['title']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { term: { type: 'saved' } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
-                      'saved.title'
+                      'saved.title',
+                      'global.title',
                     ]
                   }
                 }
@@ -354,20 +563,27 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
-    it('supports fields pointing to multi-fields', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title.raw']))
+    it('supports field boosting', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, ['saved', 'global'], 'y*', ['title^3']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { term: { type: 'saved' } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
-                      'saved.title.raw'
+                      'saved.title^3',
+                      'global.title^3',
                     ]
                   }
                 }
@@ -376,21 +592,29 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
-    it('supports multiple search fields', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title', 'title.raw']))
+    it('supports field and multi-field', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, ['saved', 'global'], 'y*', ['title', 'title.raw']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { term: { type: 'saved' } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
                       'saved.title',
-                      'saved.title.raw'
+                      'global.title',
+                      'saved.title.raw',
+                      'global.title.raw',
                     ]
                   }
                 }
@@ -401,22 +625,28 @@ describe('searchDsl/queryParams', () => {
     });
   });
 
-  describe('{type,search,searchFields,filters}', () => {
-    it('includes specified filters, type filter and sqs with field list', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title'], [{ terms: { foo: ['bar', 'baz'] } }]))
+  describe('namespace, type (plural, namespaced and global), search, searchFields', () => {
+    it('includes all types for field', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', ['saved', 'global'], 'y*', ['title']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { terms: { foo: ['bar', 'baz'] } },
-                { term: { type: 'saved' } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
-                      'saved.title'
+                      'saved.title',
+                      'global.title',
                     ]
                   }
                 }
@@ -425,21 +655,27 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
-    it('supports fields pointing to multi-fields', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title.raw'], [{ terms: { foo: ['bar', 'baz'] } }]))
+    it('supports field boosting', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', ['saved', 'global'], 'y*', ['title^3']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { terms: { foo: ['bar', 'baz'] } },
-                { term: { type: 'saved' } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
-                      'saved.title.raw'
+                      'saved.title^3',
+                      'global.title^3',
                     ]
                   }
                 }
@@ -448,22 +684,29 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
-    it('supports multiple search fields', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title', 'title.raw'], [{ terms: { foo: ['bar', 'baz'] } }]))
+    it('supports field and multi-field', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', ['saved', 'global'], 'y*', ['title', 'title.raw']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { terms: { foo: ['bar', 'baz'] } },
-                { term: { type: 'saved' } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
                       'saved.title',
-                      'saved.title.raw'
+                      'global.title',
+                      'saved.title.raw',
+                      'global.title.raw',
                     ]
                   }
                 }
diff --git a/src/server/saved_objects/service/lib/search_dsl/search_dsl.js b/src/server/saved_objects/service/lib/search_dsl/search_dsl.js
index 94f938c921ed07..5bbe199a0e7e86 100644
--- a/src/server/saved_objects/service/lib/search_dsl/search_dsl.js
+++ b/src/server/saved_objects/service/lib/search_dsl/search_dsl.js
@@ -22,14 +22,14 @@ import Boom from 'boom';
 import { getQueryParams } from './query_params';
 import { getSortingParams } from './sorting_params';
 
-export function getSearchDsl(mappings, options = {}) {
+export function getSearchDsl(mappings, schema, options = {}) {
   const {
+    namespace,
     type,
     search,
     searchFields,
     sortField,
     sortOrder,
-    filters,
   } = options;
 
   if (!type && sortField) {
@@ -40,12 +40,8 @@ export function getSearchDsl(mappings, options = {}) {
     throw Boom.notAcceptable('sortOrder requires a sortField');
   }
 
-  if (filters && !Array.isArray(filters)) {
-    throw Boom.notAcceptable('filters must be an array');
-  }
-
   return {
-    ...getQueryParams(mappings, type, search, searchFields, filters),
+    ...getQueryParams(mappings, schema, namespace, type, search, searchFields),
     ...getSortingParams(mappings, type, sortField, sortOrder),
   };
 }
diff --git a/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js b/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js
index 6ed40a7929dcff..7acdb6d7bd6ed1 100644
--- a/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js
+++ b/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js
@@ -29,7 +29,7 @@ describe('getSearchDsl', () => {
   describe('validation', () => {
     it('throws when sortField is passed without type', () => {
       expect(() => {
-        getSearchDsl({}, {
+        getSearchDsl({}, {}, {
           type: undefined,
           sortField: 'title'
         });
@@ -37,7 +37,7 @@ describe('getSearchDsl', () => {
     });
     it('throws when sortOrder without sortField', () => {
       expect(() => {
-        getSearchDsl({}, {
+        getSearchDsl({}, {}, {
           type: 'foo',
           sortOrder: 'desc'
         });
@@ -46,38 +46,41 @@ describe('getSearchDsl', () => {
   });
 
   describe('passes control', () => {
-    it('passes (mappings, type, search, searchFields, filters) to getQueryParams', () => {
+    it('passes (mappings, schema, namespace, type, search, searchFields) to getQueryParams', () => {
       const spy = sandbox.spy(queryParamsNS, 'getQueryParams');
       const mappings = { type: { properties: {} } };
+      const schema = { isNamespaceAgnostic: () => {} };
       const opts = {
+        namespace: 'foo-namespace',
         type: 'foo',
         search: 'bar',
         searchFields: ['baz'],
-        filters: [{ bool: {} }],
       };
 
-      getSearchDsl(mappings, opts);
+      getSearchDsl(mappings, schema, opts);
       sinon.assert.calledOnce(spy);
       sinon.assert.calledWithExactly(
         spy,
         mappings,
+        schema,
+        opts.namespace,
         opts.type,
         opts.search,
         opts.searchFields,
-        opts.filters,
       );
     });
 
     it('passes (mappings, type, sortField, sortOrder) to getSortingParams', () => {
       const spy = sandbox.stub(sortParamsNS, 'getSortingParams').returns({});
       const mappings = { type: { properties: {} } };
+      const schema = { isNamespaceAgnostic: () => {} };
       const opts = {
         type: 'foo',
         sortField: 'bar',
         sortOrder: 'baz'
       };
 
-      getSearchDsl(mappings, opts);
+      getSearchDsl(mappings, schema, opts);
       sinon.assert.calledOnce(spy);
       sinon.assert.calledWithExactly(
         spy,
diff --git a/src/server/saved_objects/service/lib/trim_id_prefix.js b/src/server/saved_objects/service/lib/trim_id_prefix.js
index e5a0bbf6497484..039ff0848159ce 100644
--- a/src/server/saved_objects/service/lib/trim_id_prefix.js
+++ b/src/server/saved_objects/service/lib/trim_id_prefix.js
@@ -30,14 +30,15 @@ function assertNonEmptyString(value, name) {
  *  @param  {string} type
  *  @return {string}
  */
-export function trimIdPrefix(id, type) {
+export function trimIdPrefix(schema, id, namespace, type) {
   assertNonEmptyString(id, 'document id');
   assertNonEmptyString(type, 'saved object type');
 
-  const prefix = `${type}:`;
+  const namespacePrefix = namespace && !schema.isNamespaceAgnostic(type) ? `${namespace}:` : '';
+  const prefix = `${namespacePrefix}${type}:`;
 
   if (!id.startsWith(prefix)) {
-    return id;
+    throw new Error(`Unable to trim id ${id}`);
   }
 
   return id.slice(prefix.length);
diff --git a/src/server/saved_objects/service/saved_objects_client.js b/src/server/saved_objects/service/saved_objects_client.js
index 1d69d55f9f4aee..25c252d195bf13 100644
--- a/src/server/saved_objects/service/saved_objects_client.js
+++ b/src/server/saved_objects/service/saved_objects_client.js
@@ -102,7 +102,7 @@ export class SavedObjectsClient {
    * @param {object} [options={}]
    * @property {string} [options.id] - force id on creation, not recommended
    * @property {boolean} [options.overwrite=false]
-   * @property {object} [options.extraDocumentProperties={}] - extra properties to append to the document body, outside of the object's type property
+   * @property {string} [options.namespace]
    * @returns {promise} - { id, type, version, attributes }
   */
   async create(type, attributes = {}, options = {}) {
@@ -115,6 +115,7 @@ export class SavedObjectsClient {
    * @param {array} objects - [{ type, id, attributes, extraDocumentProperties }]
    * @param {object} [options={}]
    * @property {boolean} [options.overwrite=false] - overwrites existing documents
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes, error: { message } }]}
    */
   async bulkCreate(objects, options = {}) {
@@ -126,10 +127,12 @@ export class SavedObjectsClient {
    *
    * @param {string} type
    * @param {string} id
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise}
    */
-  async delete(type, id) {
-    return this._repository.delete(type, id);
+  async delete(type, id, options = {}) {
+    return this._repository.delete(type, id, options);
   }
 
   /**
@@ -138,12 +141,12 @@ export class SavedObjectsClient {
    * @property {string} [options.search]
    * @property {Array<string>} [options.searchFields] - see Elasticsearch Simple Query String
    *                                        Query field argument for more information
-   * @property {object} [options.filters] - ES Query filters to append
    * @property {integer} [options.page=1]
    * @property {integer} [options.perPage=20]
    * @property {string} [options.sortField]
    * @property {string} [options.sortOrder]
    * @property {Array<string>} [options.fields]
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }], total, per_page, page }
    */
   async find(options = {}) {
@@ -154,8 +157,8 @@ export class SavedObjectsClient {
    * Returns an array of objects by id
    *
    * @param {array} objects - an array ids, or an array of objects containing id and optionally type
-   * @param {object} [options = {}]
-   * @param {array} [options.extraSourceProperties = []] - an array of extra properties to return from the underlying document
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }] }
    * @example
    *
@@ -173,8 +176,8 @@ export class SavedObjectsClient {
    *
    * @param {string} type
    * @param {string} id
-   * @param {object} [options = {}]
-   * @param {array} [options.extraSourceProperties = []] - an array of extra properties to return from the underlying document
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise} - { id, type, version, attributes }
    */
   async get(type, id, options = {}) {
@@ -188,7 +191,7 @@ export class SavedObjectsClient {
    * @param {string} id
    * @param {object} [options={}]
    * @property {integer} options.version - ensures version matches that of persisted object
-   * @param {array} [options.extraDocumentProperties = {}] - an object of extra properties to write into the underlying document
+   * @property {string} [options.namespace]
    * @returns {promise}
    */
   async update(type, id, attributes, options = {}) {
diff --git a/src/server/saved_objects/service/saved_objects_client.test.js b/src/server/saved_objects/service/saved_objects_client.test.js
index 56127023dd1fe9..e69b12d1218cc4 100644
--- a/src/server/saved_objects/service/saved_objects_client.test.js
+++ b/src/server/saved_objects/service/saved_objects_client.test.js
@@ -26,9 +26,9 @@ test(`#create`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const type = 'foo';
-  const attributes = {};
-  const options = {};
+  const type = Symbol();
+  const attributes = Symbol();
+  const options = Symbol();
   const result = await client.create(type, attributes, options);
 
   expect(mockRepository.create).toHaveBeenCalledWith(type, attributes, options);
@@ -42,8 +42,8 @@ test(`#bulkCreate`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const objects = [];
-  const options = {};
+  const objects = Symbol();
+  const options = Symbol();
   const result = await client.bulkCreate(objects, options);
 
   expect(mockRepository.bulkCreate).toHaveBeenCalledWith(objects, options);
@@ -57,11 +57,12 @@ test(`#delete`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const type = 'foo';
-  const id = 1;
-  const result = await client.delete(type, id);
+  const type = Symbol();
+  const id = Symbol();
+  const options = Symbol();
+  const result = await client.delete(type, id, options);
 
-  expect(mockRepository.delete).toHaveBeenCalledWith(type, id);
+  expect(mockRepository.delete).toHaveBeenCalledWith(type, id, options);
   expect(result).toBe(returnValue);
 });
 
@@ -72,7 +73,7 @@ test(`#find`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const options = {};
+  const options = Symbol();
   const result = await client.find(options);
 
   expect(mockRepository.find).toHaveBeenCalledWith(options);
@@ -86,7 +87,7 @@ test(`#bulkGet`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const objects = {};
+  const objects = Symbol();
   const options = Symbol();
   const result = await client.bulkGet(objects, options);
 
@@ -101,8 +102,8 @@ test(`#get`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const type = 'foo';
-  const id = 1;
+  const type = Symbol();
+  const id = Symbol();
   const options = Symbol();
   const result = await client.get(type, id, options);
 
@@ -117,10 +118,10 @@ test(`#update`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const type = 'foo';
-  const id = 1;
-  const attributes = {};
-  const options = {};
+  const type = Symbol();
+  const id = Symbol();
+  const attributes = Symbol();
+  const options = Symbol();
   const result = await client.update(type, id, attributes, options);
 
   expect(mockRepository.update).toHaveBeenCalledWith(type, id, attributes, options);
diff --git a/src/ui/ui_exports/ui_export_types/index.js b/src/ui/ui_exports/ui_export_types/index.js
index 2247b685bd0637..9f72ff9767f918 100644
--- a/src/ui/ui_exports/ui_export_types/index.js
+++ b/src/ui/ui_exports/ui_export_types/index.js
@@ -24,7 +24,8 @@ export {
 
 export {
   mappings,
-} from './saved_object_mappings';
+  savedObjectsSchema,
+} from './saved_objects';
 
 export {
   app,
diff --git a/src/ui/ui_exports/ui_export_types/saved_object_mappings.js b/src/ui/ui_exports/ui_export_types/saved_objects.js
similarity index 83%
rename from src/ui/ui_exports/ui_export_types/saved_object_mappings.js
rename to src/ui/ui_exports/ui_export_types/saved_objects.js
index de3570ce2e864b..025d3690912070 100644
--- a/src/ui/ui_exports/ui_export_types/saved_object_mappings.js
+++ b/src/ui/ui_exports/ui_export_types/saved_objects.js
@@ -17,8 +17,8 @@
  * under the License.
  */
 
-import { flatConcatAtType } from './reduce';
-import { alias, mapSpec, wrap } from './modify_reduce';
+import { flatConcatAtType, mergeAtType } from './reduce';
+import { alias, mapSpec, uniqueKeys, wrap } from './modify_reduce';
 
 // mapping types
 export const mappings = wrap(
@@ -29,3 +29,5 @@ export const mappings = wrap(
   })),
   flatConcatAtType
 );
+
+export const savedObjectsSchema = wrap(uniqueKeys(), mergeAtType);
diff --git a/test/api_integration/fixtures/es_archiver/saved_objects/basic/data.json.gz b/test/api_integration/fixtures/es_archiver/saved_objects/basic/data.json.gz
index c07188439b0e07bf044e928e7f3a9346c2e46092..ac2a10f42f4dc92cbe2462e8e911fe5749a4e7f5 100644
GIT binary patch
literal 2107
zcmV-B2*mdviwFpldu>|)17u-zVJ>QOZ*BnXTw8D3HWYr(uQ0r~AvPpCjT1d>>(HS?
zZ)k!I*b*4DNJ(5NQ6s5b8u-7Dr0$NJI*St@1AIv=UO#^1Ifs_X@9tnQ7^>Tx41>WC
z^Kf`*60Q&{Ov;^p(2q33<i->jf1wMMAzNroJyR5$1Y2R0Bc+JQf>VFudC2odrzFB7
z-zT#X3K!GS6r;uI@$u<2LW{b-<b?>^t~;Id+N_G}>>|fV5j;oA6q<PcY~-DeCjPm9
z5*(cd{_%J+^Zshf_nT?^F+EYmY*&oOQX!d)er)R5?3BErgy9b;wZ(oiDY{^qcZ)@)
zh&1_s-(3tdUG`!aTnvBGMJ0;$!{LP;lTDRM&@8rTAulqe6FvP|hJxmLRQfSOOcIks
zkO&jBV5XuHg-JtkEJ%!0m0A}S1mQP=r@!*>4>OUn&RZU?Lo^oX`WaDGsp~+QtQAZO
z#S#!j1`aHK>Lu4lWNcs;c;*!EhMF~#HMgb>2aXK6STXmkNEbvr8cv<~w8cCxeQO_4
zH*p7$N*q9DO#4F99~9?f;Xraei(5tHRu=RYz=VuydgzKDte#&O3%OAwlayz07Ec2S
z(gKPJABUU^Ofz(EDe264&S_<VJ3xkYV1>k#6d^D;kQhpIDcv=o&0>uRlEo$bS!e9A
z3~4lw*je4Y?k<`=_ty216J_Cmnkf)*p3&?JActe&K$@i#g$d2bm;)lI#RQQlfl??g
zC?zQuw{XxXG}a9YFf(QV3Br)=2F&U<s0vBMIHE$TG94Z`hSp)*-RjDd9M*CdBqD-<
zS?tw1f6X&x-a#OtXvj#Aa!eyi@Z7wGgz*CM8%XnF!Kh630jeaS0`=<PVVsbn=r@om
z6oY3|V+713j|2T(-*yXmY4%~l=98wNe*F6ez&+qFNC=G+KyNi3#<>rSUQ?_R_=H-R
zu=$i!kvXhg_yZteb7_xbK<3c`1kT~}{=WKj3N<X)3>JbxCQ!oz%%8fZ=A2a!A_3^7
z$pawwfXjW@n6JUQ2h76WqW4hl0h?x*0iH|)au2wKy%p-A1k5JnP!2AR|64roVUI`C
zWdXtBNaj3~pzN|l1c@b?qj2@8*Dg6K@jzl|cV}SlV*%wNf%(Kjg@Ardx{-j4N`u+)
zOkEDE8#v2@`tR~!d2n#|Eccs2o<%ecW@B&cjS$Nd<bVGHQ(5UTH<zZ~q;qqrs^7b^
zv?wUUABt3`o*W&|I@gdeiBQ4R+j?jlUBY@v4zH*z5Tjp_`F0p!JPT1YdEy<hUYnaS
z{mKs})A8)|sKa!>ne}(XUYjL7;L)JknaJ)PFx|kJ(p{Q@+D@wNyS9mYwfZK5^!m0b
zIT9!}i~DX}ZY<2nMUxlmPGT-@-_fkKO=D5&*7j(MaK?qL{{ta9ZMi&b>-~IVtC^c>
zwn>e!$)R%O_u<vGN{C#4d9p7dbk2e+#ml2iGU3;)!8Sma*7Q-0s%evH<mQx*$!BOm
zST*W?Gx}c^T2CAJo@dI|oZc;$m-^AJ#`~lBqfBmw(s-<QBvR{!Xxq6zKBkL5Wpp|_
z<+x1CxJVKE-iQTP<#>(Hj3`s)bVxJ55AdNsk{i{oHZ$Xw*2xM=<fnRJ{oVFxn<L*?
zi4AP2Q23=f`=reYm3`R(bUQn2xcAE;VjURl^8AIUYeKS5=8V7WaHv7NrXpmdlc<Xj
zk#klKvB%?8J*D?2*p3rne9k$uS3{a$g7G^NlMJ^>%szkWPO@l!S2VZm3`uo^`uRN)
zU)niXmLY0oxs{8FWF}~J`f3fR;YfxFNzp}hOiIvj#q5_hz*fypzSFGnZu5jn#pC)w
zVW)jb;<Ucl)b%U&qN**ia;wmie}&3vMTO#J3@>#1>DzAJr2Nq^rP*A&_jw)V{ln`1
z3D!P$p%Za6q~+zZ>m>_no#gLlA3s!%Qs%cMwrbV2dyK4LtTY7HOu@3(TIXG(X|3mu
ziI8Qo-$^aw)ET-W_~YUq5~}w^p`N!lvBqvq&TPc#0IkkzYYsMvtCpq4hV7!#-d|K>
ztv_B2Z8?UrxUerG&AKl_l3AxcY)~y<GD>44lLbct2MaQtO{d5Xl>F}q-L$u1be;uA
z-uPs4+=<R@6YC@M=QRO2p~_sz_BLBDIm)zGuBY32O8S+|&4eExRu5*zrq-f#*|*hl
z@Oz=8yNl>L#!dD*)wY>cjSB0ieZ9@?z~mOZ>?}*Hebl)&{ALUPpuH`>ZzIMreAZ-g
zVW_o!r=NMwO;c|K9h{MT;GYci{Jk3ZlVEZbOiu>Cy+0p$Gtawsk6!QLO~pS6E-N0F
z6(^J6)g<s|Yby#82_lo)1+AJYrZQ*f)-?MuiaHhTj26<2pp2j0oZ3LV*1opnBOYtw
z_k2X6;}J74>1XToDz9HnRQ<(gM}8sVe3Z#xn?eu9)7!T*ZTqd!I~5400^w93oC<_f
zfp97iP6c9@&c~@hI28z|0`X#aoC<_ffp{`YP6fiLKs<h;oC?HR6ix-gsX%O(DW?MA
zR3MxRgj0cVDiBTu0*cu>6^IvL)2TpgflQ|Y;Zz{NQt4D6oC*X?Hk}H@c6fw->(Qw|
zY=J>g_oAE%#51tyR3M&>(*4+-I~5400s)&#*jpi|0`YVX!NqZ>0^w93w!xB9fp97i
zP6cB7Xq*bf4pktkJ5Y}jgV^YjlT(UV$MZG?BQ}}_rzTNbrc;x!tvfXdrzUae)Fhmm
lgj17vQY7D&sKiE5+$l~t#R;c4@q&sI{{gN*sXkML002`%2mAm4

literal 1803
zcmV+m2lV(KiwFP!000026V+Q=Z`(E$e$THkytg4XBs+~0J+<r5p+j$If(}>{7_@jK
zaiv6!q;hGX|2~qsC(dnY>f@I-IwTK2e&<F@<kik-G}f0njDyjbig3JZ1!sg8R&r$?
z%p=PvT-XlNZ)`;};ySGvXS-4>a04be(HdkH9QrfQBc3-ogosXj9~Ki5uI7_DC9A{z
z{lj@gR?T=N3K@1&_a+(Wth<}$BBw+HT@r0O%{+fG@eU_5|JXkW_6`Goe>z)ue|P<d
zYPxysOiXh(6&JD6L?x47+i|Wrg*Oa1{XkOJ?WL8Nj%nWS7TGS!wtu}k8E2;N$v8L}
zzcgJHiOs|AiCdGCDlJ(SJ6R}-OdFwR{#K!6xmlHYj0jg?ML=YjkQKKBwJfZR#Ib~!
z=vvxzl|bklDbn9X_{ADhHEreYIz&@R&YuxgEnNr7HeJJ{Nvsf2WZ~fAr*XL<A{zsn
zz_Vm@Gt{gx*3yMG9ylr#@>;lOMY;m{XgH1VY0kW?a_bOLU$_BC6%Hg8Gr7>thb8$q
zIGB>p>QaOHArAcmz=WI`df2r*SU>+{EO4PAQ%q!doTr6^$$?@J(@+RWSw?QSl4)G#
zg4GeY0c6w^R!mGO86ty&iJ`>wGE*bkEH;QRMO-2jqKanGU}ER`=5=$`?76qDk2I8n
zgUV7U>O5!JH$(}?!NFvul!OV(U@8!i)M3KNlq4yZ6qG_L<Ru<7noNyCiN<0UkOWTL
zG-$lrqAC=~X~d+`l^h>9PS#=DoOk6(j?3L8L?8i;v)6w9T4dV3gCJ6~kVB9P$|44I
zY2QNPcma6}(!5x4rjl)dsvy*;ULD+x6H^tv1*s-6dNvJ4#7v4fFu(QPw3uCU2opD-
zEJgM4?-qbtz+sR8ixZ8W${Oc3FnZ3YPVf`zVB+ReF%3&xyYM?e;^xvF$H2^^1Bjf%
z=l#C=bP5eD+zb|yV<ynRL(HE(XZD;`5E4nzve*Z?1zc{!#(WLdEnpV+7JYzn3)r-~
z4D@7LkXyhd?yb-OC1N%)mvVG<{NDl;svp@75H5~XE;5BGE-OTsSW-C&0nzv13J)fR
zHg^X0CKgmF5?M|xbcpC{(uG14R0hn3Ep<AsZ{U<W&A;VNxwCWiEccs2kwq*H7E^EP
zO$g5u;@^LPsT%Z{n@e+V*1Ne>j~`rFS{01b4@GLE2YdUA-Zdl&5h=KS+br!tm#}^&
zhi6O`gtPC&{yGdOU4$f>J@Jm%K<C4le&GkR`E+r(*JFC9X8j$p*Vd&+A{x~@6V<;1
zW)vK0Go|fl;-ucbo0zyUY8W!a__vefM3U4x_tm=ASlW||wk<T1#6n)aV_6rQHlp;U
zo6&X=Tu3+m7XTwG%iV6=s|z>G-c)lc4Z^mCsfj;?*Nmzl3iIR1y@aq=1BBM1I?ALH
zaoz=N3#4?RPa0IMPHvFfQ$DtxlNIoK)k8Jrzbtf_Ht;>q_H8)5D$7&z=)CdfYQ9wB
zb}4PfdIynSw?wDs=K8ql{*=|3=2X!7l!=fj;rFdr3SF(&=FEt3ZBK`^_Pv7-^Cw*B
z&fBcTPhFCg4AiH_vA%XQI(2Z1C$_MaCgHdG?2`#6QqAQS(4TC#<=(HBNKIjI?)e+&
zbAarVJ>#!>92yX>nG8Afgr*C~T<~g%10K&BlioD2TPLCPSP1T}hP1_m(svL;MmrIA
z&!756mfd$nd&|y})F?F1?}_}@*`TaS)HQdjoCz{pw0d)O0n~D&!UR&%9FvkPycYJQ
zE3mcN**$7)c3UP)X%ROE3VZq$#A$P}sh?NeMb&k;3LW`pq%tchw5V!$Vf3eO`)#x8
zqhZRjrAhD0rpo)f_5BlSa_-6qX}zTKwCrceg1IF5=h4Rxb)r=HWreNwx^9n=6`WUr
zz*`fP18u!`jaJ(r9fMSr*zZZJI(0<OfPP&41EGEonhdhNtu=0Ia^xyb4`_W}+i>uZ
zy6RYJW7s*B$^NolYxC#H*!ANiiwpN6()xW7Lgte8xJ6a|%qmTZN>+kM8mwTxn9qq@
zDE#jV-RgT_bzTH}-t=I$->c4@iuING^O}O3Fm117dk^!MoMa{|H|BPkl6{AzHTeE+
z{a`INcM)a!zOCKCAC!{*E~1|pAF|h}x6Qm(DqW)X%{I3OQ#kOd=a$susACiO?H2yd
zcq{LZ5t|r38#0Bo)VjPgY&;fL)f>r1N05*FgORb{i;+JIW_!W>VD!iP<B7NMyc_rE
z%^uzk{0nF`aK9Qjn*}dsfxlQgP(ma@B~1#t9;%e7oRdqd_G1+F20Dut%C4ZQpZ%65
tK)f!#eo&5hY>3~;5s9fs+}5O5F6q@-zcy6!!{?s7@E?V}G3DSv0085qc~bxY

diff --git a/test/api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json b/test/api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json
index 26c62bca335d94..4f3ead9f47c679 100644
--- a/test/api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json
+++ b/test/api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json
@@ -188,6 +188,9 @@
               }
             }
           },
+          "namespace": {
+            "type": "keyword"
+          },
           "type": {
             "type": "keyword"
           },
@@ -249,4 +252,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index f246088f87cdc8..bd32c89614993d 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -47,12 +47,12 @@ export class SecureSavedObjectsClient {
     );
   }
 
-  async delete(type, id) {
+  async delete(type, id, options = {}) {
     return await this._execute(
       type,
       'delete',
-      { type, id },
-      repository => repository.delete(type, id),
+      { type, id, options },
+      repository => repository.delete(type, id, options),
     );
   }
 
@@ -150,10 +150,11 @@ export class SecureSavedObjectsClient {
 
     this._auditLogger.savedObjectsAuthorizationSuccess(username, action, authorizedTypes, { options });
 
-    return await this._internalRepository.find({
-      ...options,
-      type: authorizedTypes
-    });
+    return await this._internalRepository.find(
+      {
+        ...options,
+        type: authorizedTypes,
+      });
   }
 
   async _findWithTypes(options) {
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
index e9ac730f5831b4..95a4e9aa0eaacc 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
@@ -353,8 +353,9 @@ describe('#delete', () => {
       actions: mockActions,
     });
     const id = Symbol();
+    const options = Symbol();
 
-    await expect(client.delete(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
+    await expect(client.delete(type, id, options)).rejects.toThrowError(mockErrors.forbiddenError);
 
     expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'delete')]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
@@ -366,6 +367,7 @@ describe('#delete', () => {
       {
         type,
         id,
+        options,
       }
     );
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -390,15 +392,17 @@ describe('#delete', () => {
       actions: createMockActions(),
     });
     const id = Symbol();
+    const options = Symbol();
 
-    const result = await client.delete(type, id);
+    const result = await client.delete(type, id, options);
 
     expect(result).toBe(returnValue);
-    expect(mockRepository.delete).toHaveBeenCalledWith(type, id);
+    expect(mockRepository.delete).toHaveBeenCalledWith(type, id, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'delete', [type], {
       type,
       id,
+      options,
     });
   });
 
@@ -422,11 +426,12 @@ describe('#delete', () => {
       actions: createMockActions(),
     });
     const id = Symbol();
+    const options = Symbol();
 
-    const result = await client.delete(type, id);
+    const result = await client.delete(type, id, options);
 
     expect(result).toBe(returnValue);
-    expect(mockRepository.delete).toHaveBeenCalledWith(type, id);
+    expect(mockRepository.delete).toHaveBeenCalledWith(type, id, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
@@ -488,7 +493,7 @@ describe('#find', () => {
         [type],
         [mockActions.getSavedObjectAction(type, 'find')],
         {
-          options
+          options,
         }
       );
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -532,7 +537,7 @@ describe('#find', () => {
         [type1, type2],
         [mockActions.getSavedObjectAction(type1, 'find')],
         {
-          options
+          options,
         }
       );
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -663,7 +668,7 @@ describe('#find', () => {
         [type],
         [mockActions.getSavedObjectAction(type, 'find')],
         {
-          options
+          options,
         }
       );
       expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -727,14 +732,14 @@ describe('#find', () => {
         actions: mockActions,
       });
 
-      await client.find();
+      await client.find({});
 
       expect(mockCheckPrivileges).toHaveBeenCalledWith([
         mockActions.getSavedObjectAction(type1, 'find'),
         mockActions.getSavedObjectAction(type2, 'find'),
       ]);
       expect(mockRepository.find).toHaveBeenCalledWith(expect.objectContaining({
-        type: [type2]
+        type: [type2],
       }));
     });
 
@@ -1005,7 +1010,7 @@ describe('#get', () => {
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'get', [type], {
       type,
       id,
-      options
+      options,
     });
   });
 
diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index 2ce815db27db65..f03e8bde19afa6 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -42,6 +42,11 @@ export const spaces = (kibana) => new kibana.Plugin({
     }],
     hacks: [],
     mappings,
+    savedObjectsSchema: {
+      space: {
+        isNamespaceAgnostic: true,
+      },
+    },
     home: ['plugins/spaces/register_feature'],
     injectDefaultVars: function () {
       return {
@@ -83,9 +88,9 @@ export const spaces = (kibana) => new kibana.Plugin({
     const spacesService = createSpacesService(server);
     server.decorate('server', 'spaces', spacesService);
 
-    const { addScopedSavedObjectsClientWrapperFactory, types } = server.savedObjects;
+    const { addScopedSavedObjectsClientWrapperFactory } = server.savedObjects;
     addScopedSavedObjectsClientWrapperFactory(
-      spacesSavedObjectsClientWrapperFactory(spacesService, types)
+      spacesSavedObjectsClientWrapperFactory(spacesService)
     );
 
     initSpacesApi(server);
diff --git a/x-pack/plugins/spaces/mappings.json b/x-pack/plugins/spaces/mappings.json
index 91c6e324e197e9..6c91d9b020ff62 100644
--- a/x-pack/plugins/spaces/mappings.json
+++ b/x-pack/plugins/spaces/mappings.json
@@ -1,7 +1,4 @@
 {
-  "spaceId": {
-    "type": "keyword"
-  },
   "space": {
     "properties": {
       "name": {
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap b/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
index 9bd6165f8d057c..8b1a2581383555 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
@@ -1,37 +1,29 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`current space (space_1) #bulk_create throws when the base client returns a malformed document id 1`] = `"Saved object [foo/mock-id] is missing its expected space identifier."`;
+exports[`default space #bulkCreate throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`current space (space_1) #bulk_get throws when base client returns documents with malformed ids 1`] = `"Saved object [foo/object_1] is missing its expected space identifier."`;
+exports[`default space #bulkGet throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`current space (space_1) #create throws when the base client returns a malformed document id 1`] = `"Saved object [foo/mock-id] is missing its expected space identifier."`;
+exports[`default space #create throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`current space (space_1) #delete does not allow an object to be deleted via a different space 1`] = `"not found: foo space_1:object_2"`;
+exports[`default space #delete throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`current space (space_1) #find throws when base client returns documents with malformed ids 1`] = `"Saved object [foo/object_1] is missing its expected space identifier."`;
+exports[`default space #find throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`current space (space_1) #get returns error when the object belongs to a different space 1`] = `"not found: foo space_1:object_2"`;
+exports[`default space #get throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`current space (space_1) #get returns error when the object has a malformed identifier 1`] = `"Saved object [foo/object_1] is missing its expected space identifier."`;
+exports[`default space #update throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`current space (space_1) #update does not allow an object to be updated via a different space 1`] = `"not found: foo space_1:object_2"`;
+exports[`space_1 space #bulkCreate throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`current space (space_1) #update throws when the base client returns a malformed document id 1`] = `"Saved object [foo/object_1] is missing its expected space identifier."`;
+exports[`space_1 space #bulkGet throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`default space #bulk_create throws when the base client returns a malformed document id 1`] = `"Saved object [foo/default:default] has an unexpected space identifier [default]."`;
+exports[`space_1 space #create throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`default space #bulk_get throws when the base client returns a malformed document id 1`] = `"Saved object [foo/default:default] has an unexpected space identifier [default]."`;
+exports[`space_1 space #delete throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`default space #create throws when the base client returns a malformed document id 1`] = `"Saved object [foo/default:default] has an unexpected space identifier [default]."`;
+exports[`space_1 space #find throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`default space #delete does not allow an object to be deleted via a different space 1`] = `"not found: foo object_2"`;
+exports[`space_1 space #get throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
-exports[`default space #find throws when the base client returns a malformed document id 1`] = `"Saved object [foo/default:default] has an unexpected space identifier [default]."`;
-
-exports[`default space #get returns error when the object belongs to a different space 1`] = `"not found: foo object_2"`;
-
-exports[`default space #get throws when the base client returns a malformed document id 1`] = `"Saved object [foo/default:default] has an unexpected space identifier [default]."`;
-
-exports[`default space #update does not allow an object to be updated via a different space 1`] = `"not found: foo object_2"`;
-
-exports[`default space #update throws when the base client returns a malformed document id 1`] = `"Saved object [space/default:default] has an unexpected space identifier [default]."`;
+exports[`space_1 space #update throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/__snapshots__/query_filters.test.js.snap b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/__snapshots__/query_filters.test.js.snap
deleted file mode 100644
index d3b95886e83535..00000000000000
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/__snapshots__/query_filters.test.js.snap
+++ /dev/null
@@ -1,5 +0,0 @@
-// Jest Snapshot v1, https://goo.gl/fbAQLP
-
-exports[`throws if types contains an empty entry 1`] = `"type is required to build filter clause"`;
-
-exports[`throws when no types are provided 1`] = `"At least one type must be provided to \\"getSpacesQueryFilters\\""`;
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.js
deleted file mode 100644
index 720fb7e28e1175..00000000000000
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.js
+++ /dev/null
@@ -1,14 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-/**
- * Returns if the provided Saved Object type is "space aware".
- * Most types should be space-aware, and those that aren't should typically strive to become space-aware.
- * Types that are not space-aware will appear in every space, and are not bound by any space-specific access controls.
- */
-export function isTypeSpaceAware(type) {
-  return type !== 'space' && type !== 'config';
-}
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.test.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.test.js
deleted file mode 100644
index a88d4c35125f79..00000000000000
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/is_type_space_aware.test.js
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { isTypeSpaceAware } from "./is_type_space_aware";
-
-const knownSpaceAwareTypes = [
-  'dashboard',
-  'visualization',
-  'saved_search',
-  'timelion_sheet',
-  'index_pattern'
-];
-
-const unawareTypes = ['space'];
-
-knownSpaceAwareTypes.forEach(type => test(`${type} should be space-aware`, () => {
-  expect(isTypeSpaceAware(type)).toBe(true);
-}));
-
-unawareTypes.forEach(type => test(`${type} should not be space-aware`, () => {
-  expect(isTypeSpaceAware(type)).toBe(false);
-}));
-
-test(`unknown types should default to space-aware`, () => {
-  expect(isTypeSpaceAware('an-unknown-type')).toBe(true);
-});
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.js
deleted file mode 100644
index cf1754c056c3fe..00000000000000
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.js
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { DEFAULT_SPACE_ID } from "../../../../common/constants";
-import { isTypeSpaceAware } from "./is_type_space_aware";
-
-function getClauseForType(spaceId, type) {
-  const shouldFilterOnSpace = isTypeSpaceAware(type) && spaceId;
-  const isDefaultSpace = spaceId === DEFAULT_SPACE_ID;
-
-  const bool = {
-    must: []
-  };
-
-  if (!type) {
-    throw new Error(`type is required to build filter clause`);
-  }
-
-  bool.must.push({
-    term: {
-      type
-    }
-  });
-
-  if (shouldFilterOnSpace) {
-    if (isDefaultSpace) {
-      // The default space does not add its spaceId to the objects that belong to it, in order
-      // to be compatible with installations that are not always space-aware.
-      bool.must_not = [{
-        exists: {
-          field: "spaceId"
-        }
-      }];
-    } else {
-      bool.must.push({
-        term: {
-          spaceId
-        }
-      });
-    }
-  }
-
-  return {
-    bool
-  };
-}
-
-export function getSpacesQueryFilters(spaceId, types = []) {
-  if (types.length === 0) {
-    throw new Error(`At least one type must be provided to "getSpacesQueryFilters"`);
-  }
-
-  const filters = [];
-
-  const typeClauses = types.map((type) => getClauseForType(spaceId, type));
-
-  if (typeClauses.length > 0) {
-    filters.push({
-      bool: {
-        should: typeClauses,
-        minimum_should_match: 1
-      }
-    });
-  }
-
-  return filters;
-}
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.test.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.test.js
deleted file mode 100644
index a7bcacc524caac..00000000000000
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/lib/query_filters.test.js
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { getSpacesQueryFilters } from './query_filters';
-
-test('throws when no types are provided', () => {
-  expect(() => getSpacesQueryFilters('space_1', [])).toThrowErrorMatchingSnapshot();
-});
-
-test('throws if types contains an empty entry', () => {
-  expect(() => getSpacesQueryFilters('space_1', ['dashboard', ''])).toThrowErrorMatchingSnapshot();
-});
-
-test('creates a query that filters on type, but not on space, for types that are not space-aware', () => {
-  const spaceId = 'space_1';
-  const type = 'space';
-
-  const expectedTypeClause = {
-    bool: {
-      must: [{
-        term: {
-          type
-        }
-      }]
-    }
-  };
-  expect(getSpacesQueryFilters(spaceId, [type])).toEqual([{
-    bool: {
-      should: [expectedTypeClause],
-      minimum_should_match: 1
-    }
-  }]);
-});
-
-test('creates a query that restricts a space-aware type to the provided space (space_1)', () => {
-  const spaceId = 'space_1';
-  const type = 'dashboard';
-
-  const expectedTypeClause = {
-    bool: {
-      must: [{
-        term: {
-          type
-        }
-      }, {
-        term: {
-          spaceId
-        }
-      }]
-    }
-  };
-
-  expect(getSpacesQueryFilters(spaceId, [type])).toEqual([{
-    bool: {
-      should: [expectedTypeClause],
-      minimum_should_match: 1
-    }
-  }]);
-});
-
-test('creates a query that restricts a space-aware type to the provided space (default)', () => {
-  const spaceId = 'default';
-  const type = 'dashboard';
-
-  const expectedTypeClause = {
-    bool: {
-      must: [{
-        term: {
-          type
-        }
-      }],
-      // The default space does not add its spaceId to the objects that belong to it, in order
-      // to be compatible with installations that are not always space-aware.
-      must_not: [{
-        exists: {
-          field: 'spaceId'
-        }
-      }]
-    }
-  };
-
-  expect(getSpacesQueryFilters(spaceId, [type])).toEqual([{
-    bool: {
-      should: [expectedTypeClause],
-      minimum_should_match: 1
-    }
-  }]);
-});
-
-test('creates a query supporting a find operation on multiple types', () => {
-  const spaceId = 'space_1';
-  const types = [
-    'dashboard',
-    'space',
-    'visualization',
-  ];
-
-  const expectedSpaceClause = {
-    term: {
-      spaceId
-    }
-  };
-
-  const expectedTypeClauses = [{
-    bool: {
-      must: [{
-        term: {
-          type: 'dashboard'
-        }
-      }, expectedSpaceClause]
-    }
-  }, {
-    bool: {
-      must: [{
-        term: {
-          type: 'space'
-        }
-      }]
-    }
-  }, {
-    bool: {
-      must: [{
-        term: {
-          type: 'visualization'
-        }
-      }, expectedSpaceClause]
-    }
-  }];
-
-  expect(getSpacesQueryFilters(spaceId, types)).toEqual([{
-    bool: {
-      should: expectedTypeClauses,
-      minimum_should_match: 1
-    }
-  }]);
-});
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js
index da7a448d86d2d7..3f7c0cbe2124ef 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js
@@ -6,11 +6,10 @@
 
 import { SpacesSavedObjectsClient } from './spaces_saved_objects_client';
 
-export function spacesSavedObjectsClientWrapperFactory(spacesService, types) {
+export function spacesSavedObjectsClientWrapperFactory(spacesService) {
   return ({ client, request }) => new SpacesSavedObjectsClient({
     baseClient: client,
     request,
     spacesService,
-    types,
   });
 }
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
index c9fd34a60b6d8e..7f66b145e593e9 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
@@ -5,25 +5,17 @@
  */
 
 import { DEFAULT_SPACE_ID } from '../../../common/constants';
-import { isTypeSpaceAware } from './lib/is_type_space_aware';
-import { getSpacesQueryFilters } from './lib/query_filters';
-import uniq from 'lodash';
-import uuid from 'uuid';
 
 export class SpacesSavedObjectsClient {
   constructor(options) {
     const {
-      request,
       baseClient,
+      request,
       spacesService,
-      types,
     } = options;
 
     this.errors = baseClient.errors;
-
     this._client = baseClient;
-    this._types = types;
-
     this._spaceId = spacesService.getSpaceId(request);
   }
 
@@ -35,29 +27,18 @@ export class SpacesSavedObjectsClient {
    * @param {object} [options={}]
    * @property {string} [options.id] - force id on creation, not recommended
    * @property {boolean} [options.overwrite=false]
-   * @property {object} [options.extraDocumentProperties={}] - extra properties to append to the document body, outside of the object's type property
+   * @property {string} [options.namespace]
    * @returns {promise} - { id, type, version, attributes }
   */
   async create(type, attributes = {}, options = {}) {
-
-    const spaceId = this._spaceId;
-
-    const createOptions = {
-      ...options,
-      extraDocumentProperties: {
-        ...options.extraDocumentProperties
-      },
-      id: this._prependSpaceId(type, options.id)
-    };
-
-    if (this._shouldAssignSpaceId(type, spaceId)) {
-      createOptions.extraDocumentProperties.spaceId = spaceId;
-    } else {
-      delete createOptions.extraDocumentProperties.spaceId;
+    if (options.namespace) {
+      throw new Error('Spaces currently determines the namespaces');
     }
 
-    const result = await this._client.create(type, attributes, createOptions);
-    return this._trimSpaceId(result);
+    return await this._client.create(type, attributes, {
+      ...options,
+      namespace: this._getNamespace(this._spaceId)
+    });
   }
 
   /**
@@ -66,33 +47,18 @@ export class SpacesSavedObjectsClient {
    * @param {array} objects - [{ type, id, attributes, extraDocumentProperties }]
    * @param {object} [options={}]
    * @property {boolean} [options.overwrite=false] - overwrites existing documents
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes, error: { message } }]}
    */
   async bulkCreate(objects, options = {}) {
-    const spaceId = this._spaceId;
-    const objectsToCreate = objects.map(object => {
-
-      const objectToCreate = {
-        ...object,
-        extraDocumentProperties: {
-          ...object.extraDocumentProperties
-        },
-        id: this._prependSpaceId(object.type, object.id)
-      };
-
-      if (this._shouldAssignSpaceId(object.type, spaceId)) {
-        objectToCreate.extraDocumentProperties.spaceId = spaceId;
-      } else {
-        delete objectToCreate.extraDocumentProperties.spaceId;
-      }
+    if (options.namespace) {
+      throw new Error('Spaces currently determines the namespaces');
+    }
 
-      return objectToCreate;
+    return await this._client.bulkCreate(objects, {
+      ...options,
+      namespace: this._getNamespace(this._spaceId)
     });
-
-    const result = await this._client.bulkCreate(objectsToCreate, options);
-    result.saved_objects.forEach(this._trimSpaceId.bind(this));
-
-    return result;
   }
 
   /**
@@ -100,16 +66,19 @@ export class SpacesSavedObjectsClient {
    *
    * @param {string} type
    * @param {string} id
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise}
    */
-  async delete(type, id) {
-    const objectId = this._prependSpaceId(type, id);
-
-    // attempt to retrieve document before deleting.
-    // this ensures that the document belongs to the current space.
-    await this.get(type, id);
+  async delete(type, id, options = {}) {
+    if (options.namespace) {
+      throw new Error('Spaces currently determines the namespaces');
+    }
 
-    return await this._client.delete(type, objectId);
+    return await this._client.delete(type, id, {
+      ...options,
+      namespace: this._getNamespace(this._spaceId)
+    });
   }
 
   /**
@@ -118,39 +87,31 @@ export class SpacesSavedObjectsClient {
    * @property {string} [options.search]
    * @property {Array<string>} [options.searchFields] - see Elasticsearch Simple Query String
    *                                        Query field argument for more information
-   * @property {object} [options.filters] - ES Query filters to append
    * @property {integer} [options.page=1]
    * @property {integer} [options.perPage=20]
    * @property {string} [options.sortField]
    * @property {string} [options.sortOrder]
    * @property {Array<string>} [options.fields]
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }], total, per_page, page }
    */
   async find(options = {}) {
-    const spaceOptions = {};
-
-    let types = options.type || this._types;
-    if (!Array.isArray(types)) {
-      types = [types];
+    if (options.namespace) {
+      throw new Error('Spaces currently determines the namespaces');
     }
 
-    const filters = options.filters || [];
-
-    const spaceId = this._spaceId;
-
-    spaceOptions.filters = [...filters, ...getSpacesQueryFilters(spaceId, types)];
-
-    const result = await this._client.find({ ...options, ...spaceOptions });
-    result.saved_objects.forEach(this._trimSpaceId.bind(this));
-    return result;
+    return await this._client.find({
+      ...options,
+      namespace: this._getNamespace(this._spaceId)
+    });
   }
 
   /**
    * Returns an array of objects by id
    *
    * @param {array} objects - an array ids, or an array of objects containing id and optionally type
-   * @param {object} [options = {}]
-   * @param {array} [options.extraSourceProperties = []] - an array of extra properties to return from the underlying document
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }] }
    * @example
    *
@@ -160,38 +121,14 @@ export class SpacesSavedObjectsClient {
    * ])
    */
   async bulkGet(objects = [], options = {}) {
-    // ES 'mget' does not support queries, so we have to filter results after the fact.
-    const thisSpaceId = this._spaceId;
-
-    const extraDocumentProperties = this._collectExtraDocumentProperties(['spaceId', 'type'], options.extraDocumentProperties);
-
-    const objectsToRetrieve = objects.map(object => ({
-      ...object,
-      id: this._prependSpaceId(object.type, object.id)
-    }));
+    if (options.namespace) {
+      throw new Error('Spaces currently determines the namespaces');
+    }
 
-    const result = await this._client.bulkGet(objectsToRetrieve, {
+    return await this._client.bulkGet(objects, {
       ...options,
-      extraDocumentProperties
-    });
-
-    result.saved_objects = result.saved_objects.map(savedObject => {
-      const { id, type, spaceId = DEFAULT_SPACE_ID } = this._trimSpaceId(savedObject);
-
-      if (isTypeSpaceAware(type)) {
-        if (spaceId !== thisSpaceId) {
-          return {
-            id,
-            type,
-            error: { statusCode: 404, message: 'Not found' }
-          };
-        }
-      }
-
-      return savedObject;
+      namespace: this._getNamespace(this._spaceId)
     });
-
-    return result;
   }
 
   /**
@@ -199,32 +136,19 @@ export class SpacesSavedObjectsClient {
    *
    * @param {string} type
    * @param {string} id
-   * @param {object} [options = {}]
-   * @param {array} [options.extraSourceProperties = []] - an array of extra properties to return from the underlying document
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise} - { id, type, version, attributes }
    */
   async get(type, id, options = {}) {
-    // ES 'get' does not support queries, so we have to filter results after the fact.
-
-    const objectId = this._prependSpaceId(type, id);
-
-    const extraDocumentProperties = this._collectExtraDocumentProperties(['spaceId'], options.extraDocumentProperties);
+    if (options.namespace) {
+      throw new Error('Spaces currently determines the namespaces');
+    }
 
-    const response = await this._client.get(type, objectId, {
+    return await this._client.get(type, id, {
       ...options,
-      extraDocumentProperties
+      namespace: this._getNamespace(this._spaceId)
     });
-
-    const { spaceId: objectSpaceId = DEFAULT_SPACE_ID } = response;
-
-    if (isTypeSpaceAware(type)) {
-      const thisSpaceId = this._spaceId;
-      if (objectSpaceId !== thisSpaceId) {
-        throw this._client.errors.createGenericNotFoundError();
-      }
-    }
-
-    return this._trimSpaceId(response);
   }
 
   /**
@@ -234,67 +158,25 @@ export class SpacesSavedObjectsClient {
    * @param {string} id
    * @param {object} [options={}]
    * @property {integer} options.version - ensures version matches that of persisted object
-   * @param {array} [options.extraDocumentProperties = {}] - an object of extra properties to write into the underlying document
+   * @property {string} [options.namespace]
    * @returns {promise}
    */
   async update(type, id, attributes, options = {}) {
-    const updateOptions = {
-      ...options,
-      extraDocumentProperties: {
-        ...options.extraDocumentProperties
-      }
-    };
-
-    const objectId = this._prependSpaceId(type, id);
-
-    // attempt to retrieve document before updating.
-    // this ensures that the document belongs to the current space.
-    if (isTypeSpaceAware(type)) {
-      await this.get(type, id);
-
-      const spaceId = this._spaceId;
-
-      if (this._shouldAssignSpaceId(type, spaceId)) {
-        updateOptions.extraDocumentProperties.spaceId = spaceId;
-      } else {
-        delete updateOptions.extraDocumentProperties.spaceId;
-      }
+    if (options.namespace) {
+      throw new Error('Spaces currently determines the namespaces');
     }
 
-    const result = await this._client.update(type, objectId, attributes, updateOptions);
-    return this._trimSpaceId(result);
-  }
-
-  _collectExtraDocumentProperties(thisClientProperties, optionalProperties = []) {
-    return uniq([...thisClientProperties, ...optionalProperties]).value();
-  }
-
-  _shouldAssignSpaceId(type, spaceId) {
-    return spaceId !== DEFAULT_SPACE_ID && isTypeSpaceAware(type);
-  }
-
-  _prependSpaceId(type, id = uuid.v1()) {
-    if (this._spaceId === DEFAULT_SPACE_ID || !isTypeSpaceAware(type)) {
-      return id;
-    }
-    return `${this._spaceId}:${id}`;
+    return await this._client.update(type, id, attributes, {
+      ...options,
+      namespace: this._getNamespace(this._spaceId)
+    });
   }
 
-  _trimSpaceId(savedObject) {
-    const prefix = `${this._spaceId}:`;
-
-    const idHasPrefix = savedObject.id.startsWith(prefix);
-
-    if (this._shouldAssignSpaceId(savedObject.type, this._spaceId)) {
-      if (idHasPrefix) {
-        savedObject.id = savedObject.id.slice(prefix.length);
-      } else {
-        throw new Error(`Saved object [${savedObject.type}/${savedObject.id}] is missing its expected space identifier.`);
-      }
-    } else if (idHasPrefix) {
-      throw new Error(`Saved object [${savedObject.type}/${savedObject.id}] has an unexpected space identifier [${this._spaceId}].`);
+  _getNamespace(spaceId) {
+    if (spaceId === DEFAULT_SPACE_ID) {
+      return undefined;
     }
 
-    return savedObject;
+    return spaceId;
   }
 }
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
index e7dbffa413c9e0..a25ccc2136de9b 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
@@ -6,29 +6,7 @@
 
 import { SpacesSavedObjectsClient } from './spaces_saved_objects_client';
 import { createSpacesService } from '../create_spaces_service';
-
-jest.mock('uuid', () => ({
-  v1: jest.fn(() => `mock-id`)
-}));
 import { DEFAULT_SPACE_ID } from '../../../common/constants';
-import { cloneDeep } from 'lodash';
-
-const createObjectEntry = (type, id, spaceId) => ({
-  [id]: {
-    id,
-    type,
-    spaceId
-  }
-});
-
-const SAVED_OBJECTS = {
-  ...createObjectEntry('foo', 'object_0'),
-  ...createObjectEntry('foo', 'space_1:object_1', 'space_1'),
-  ...createObjectEntry('foo', 'space_2:object_2', 'space_2'),
-  ...createObjectEntry('space', 'space_1'),
-};
-
-const createSavedObjects = () => cloneDeep(SAVED_OBJECTS);
 
 const config = {
   'server.basePath': '/'
@@ -46,1723 +24,289 @@ const createMockRequest = (space) => ({
   getBasePath: () => space.id !== DEFAULT_SPACE_ID ? `/s/${space.id}` : '',
 });
 
-const createMockClient = (space, { mangleSpaceIdentifier = false } = {}) => {
-  const errors = {
-    createGenericNotFoundError: jest.fn((type, id) => {
-      return new Error(`not found: ${type} ${id}`);
-    })
-  };
-
-  const maybeTransformSavedObject = (savedObject) => {
-    if (!mangleSpaceIdentifier) {
-      return savedObject;
-    }
-    if (space.id === DEFAULT_SPACE_ID) {
-      savedObject.id = `default:${space.id}`;
-    } else {
-      savedObject.id = savedObject.id.split(':')[1];
-    }
-
-    return savedObject;
-  };
+const createMockClient = () => {
+  const errors = Symbol();
 
   return {
-    get: jest.fn((type, id) => {
-      const result = createSavedObjects()[id];
-      if (!result) {
-        throw errors.createGenericNotFoundError(type, id);
-      }
-
-      return maybeTransformSavedObject(result);
-    }),
-    bulkGet: jest.fn((objects) => {
-      return {
-        saved_objects: objects.map(object => {
-          const result = createSavedObjects()[object.id];
-          if (!result) {
-            return {
-              id: object.id,
-              type: object.type,
-              error: { statusCode: 404, message: 'Not found' }
-            };
-          }
-          return maybeTransformSavedObject(result);
-        })
-      };
-    }),
-    find: jest.fn(({ type }) => {
-      // used to locate spaces when type is `space` within these tests
-      if (type === 'space') {
-        return {
-          saved_objects: [space]
-        };
-      }
-      const objects = createSavedObjects();
-      const result = Object.keys(objects)
-        .filter(key => objects[key].spaceId === space.id || (space.id === DEFAULT_SPACE_ID && !objects[key].spaceId))
-        .map(key => maybeTransformSavedObject(objects[key]));
-
-      return {
-        saved_objects: result
-      };
-    }),
-    create: jest.fn((type, attributes, options) => {
-      return maybeTransformSavedObject({
-        id: options.id || 'foo-id',
-        type,
-        attributes
-      });
-    }),
-    bulkCreate: jest.fn((objects) => {
-      return {
-        saved_objects: cloneDeep(objects).map(maybeTransformSavedObject)
-      };
-    }),
-    update: jest.fn((type, id, attributes) => {
-      return maybeTransformSavedObject({
-        id,
-        type,
-        attributes
-      });
-    }),
+    get: jest.fn(),
+    bulkGet: jest.fn(),
+    find: jest.fn(),
+    create: jest.fn(),
+    bulkCreate: jest.fn(),
+    update: jest.fn(),
     delete: jest.fn(),
     errors,
   };
 };
 
-describe('default space', () => {
-  const currentSpace = {
-    id: 'default',
-  };
-
-  describe('#get', () => {
-    test(`returns the object when it belongs to the current space`, async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const id = 'object_0';
-      const options = {};
-
-      const result = await client.get(type, id, options);
-
-      expect(result).toEqual(SAVED_OBJECTS[id]);
-    });
-
-    test(`does not append the space id to the document id`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const id = 'object_0';
-      const options = {};
-
-      await client.get(type, id, options);
-
-      expect(baseClient.get).toHaveBeenCalledWith(type, id, { extraDocumentProperties: ['spaceId'] });
-    });
-
-    test(`returns global objects that don't belong to a specific space`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'space';
-      const id = 'space_1';
-      const options = {};
-
-      const result = await client.get(type, id, options);
-
-      expect(result).toEqual(SAVED_OBJECTS[id]);
-    });
-
-    test(`merges options.extraDocumentProperties`, async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const id = 'object_0';
-      const options = {
-        extraDocumentProperties: ['otherSourceProp']
-      };
-
-      await client.get(type, id, options);
-
-      expect(baseClient.get).toHaveBeenCalledWith(type, id, {
-        extraDocumentProperties: ['spaceId', 'otherSourceProp']
-      });
-    });
-
-    test(`returns error when the object belongs to a different space`, async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const id = 'object_2';
-      const options = {};
-
-      await expect(client.get(type, id, options)).rejects.toThrowErrorMatchingSnapshot();
-    });
-
-    test(`throws when the base client returns a malformed document id`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const id = 'object_0';
-      const options = {};
-
-      await expect(client.get(type, id, options)).rejects.toThrowErrorMatchingSnapshot();
-    });
-  });
-
-  describe('#bulk_get', () => {
-    test(`only returns objects belonging to the current space`, async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const options = {};
-
-      const result = await client.bulkGet([{
-        type,
-        id: 'object_0'
-      }, {
-        type,
-        id: 'object_2'
-      }], options);
-
-      expect(result).toEqual({
-        saved_objects: [{
-          id: 'object_0',
-          type: 'foo',
-        }, {
-          id: 'object_2',
-          type: 'foo',
-          error: {
-            message: 'Not found',
-            statusCode: 404
-          }
-        }]
-      });
-    });
-
-    test(`does not append the space id to the document id`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const options = {};
-
-      const objects = [{
-        type,
-        id: 'object_0'
-      }, {
-        type,
-        id: 'object_2'
-      }];
-
-      await client.bulkGet(objects, options);
-
-      expect(baseClient.bulkGet).toHaveBeenCalledWith(objects, { ...options, extraDocumentProperties: ["spaceId", "type"] });
-    });
-
-    test(`returns global objects that don't belong to a specific space`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const options = {};
-
-      const result = await client.bulkGet([{
-        type,
-        id: 'object_0'
-      }, {
-        type,
-        id: 'space_1'
-      }], options);
-
-      expect(result).toEqual({
-        saved_objects: [{
-          id: 'object_0',
-          type: 'foo',
-        }, {
-          id: 'space_1',
-          type: 'space',
-        }]
-      });
-    });
-
-    test(`merges options.extraDocumentProperties`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-
-      const objects = [{
-        type,
-        id: 'object_1'
-      }, {
-        type,
-        id: 'object_2'
-      }];
-
-      const options = {
-        extraDocumentProperties: ['otherSourceProp']
-      };
-
-      await client.bulkGet(objects, options);
-
-      expect(baseClient.bulkGet).toHaveBeenCalledWith(objects, {
-        extraDocumentProperties: ['spaceId', 'type', 'otherSourceProp']
-      });
-    });
-
-    test(`throws when the base client returns a malformed document id`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const id = 'object_0';
-      const options = {};
-
-      await expect(client.bulkGet([{ type, id }], options)).rejects.toThrowErrorMatchingSnapshot();
-    });
-  });
-
-  describe('#find', () => {
-    test(`creates ES query filters restricting objects to the current space`, async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = ['foo', 'space'];
-      const options = {
-        type
-      };
-
-      await client.find(options);
-
-      expect(baseClient.find).toHaveBeenCalledWith({
-        type,
-        filters: [{
-          bool: {
-            minimum_should_match: 1,
-            should: [{
-              bool: {
-                must: [{
-                  term: {
-                    type: 'foo'
-                  },
-                }],
-                must_not: [{
-                  exists: {
-                    field: "spaceId"
-                  }
-                }]
-              }
-            }, {
-              bool: {
-                must: [{
-                  term: {
-                    type: 'space'
-                  },
-                }],
-              }
-            }]
-          }
-        }]
-      });
-    });
-
-    test(`merges incoming filters with filters generated by Spaces Saved Objects Client`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const otherFilters = [{
-        bool: {
-          must: [{
-            term: {
-              foo: 'bar'
-            }
-          }]
-        }
-      }];
-
-      const options = {
-        type,
-        filters: otherFilters
-      };
-
-      await client.find(options);
-
-      expect(baseClient.find).toHaveBeenCalledWith({
-        type,
-        filters: [...otherFilters, {
-          bool: {
-            minimum_should_match: 1,
-            should: [{
-              bool: {
-                must: [{
-                  term: {
-                    type
-                  },
-                }],
-                must_not: [{
-                  exists: {
-                    field: "spaceId"
-                  }
-                }]
-              }
-            }]
-          }
-        }]
-      });
-    });
-
-    test(`throws when the base client returns a malformed document id`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const options = { type };
-
-      await expect(client.find(options)).rejects.toThrowErrorMatchingSnapshot();
-    });
-  });
-
-  describe('#create', () => {
-
-    test('does not assign a space-unaware (global) object to a space', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'space';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await client.create(type, attributes);
-
-      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { extraDocumentProperties: {}, id: 'mock-id' });
-    });
-
-    test('does not assign a spaceId to space-aware objects belonging to the default space', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await client.create(type, attributes);
-
-      // called without extraDocumentProperties
-      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { extraDocumentProperties: {}, id: 'mock-id' });
-    });
-
-    test(`throws when the base client returns a malformed document id`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await expect(client.create(type, attributes)).rejects.toThrowErrorMatchingSnapshot();
-    });
-  });
-
-  describe('#bulk_create', () => {
-    test('allows for bulk creation when all types are space-aware', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-      const objects = [{
-        type: 'foo',
-        attributes
-      }, {
-        type: 'bar',
-        attributes
-      }];
-
-      await client.bulkCreate(objects, {});
-
-      const expectedCalledWithObjects = objects.map(object => ({
-        ...object,
-        extraDocumentProperties: {},
-        id: 'mock-id'
-      }));
-
-      expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
-    });
-
-    test('allows for bulk creation when all types are not space-aware (global)', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      const objects = [{
-        type: 'space',
-        attributes
-      }, {
-        type: 'space',
-        attributes
-      }];
-
-      await client.bulkCreate(objects, {});
-
-      expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects.map(o => {
-        return { ...o, extraDocumentProperties: {}, id: 'mock-id' };
-      }), {});
-    });
-
-    test('allows space-aware and non-space-aware (global) objects to be created at the same time', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      const objects = [{
-        type: 'space',
-        attributes
-      }, {
-        type: 'foo',
-        attributes
-      }];
-
-      await client.bulkCreate(objects, {});
-
-      const expectedCalledWithObjects = [...objects];
-      expectedCalledWithObjects[0] = {
-        ...expectedCalledWithObjects[0],
-        extraDocumentProperties: {},
-        id: 'mock-id'
-      };
-      expectedCalledWithObjects[1] = {
-        ...expectedCalledWithObjects[1],
-        extraDocumentProperties: {},
-        id: 'mock-id'
-      };
-
-      expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
-    });
-
-    test('does not assign a spaceId to space-aware objects that belong to the default space', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-      const objects = [{
-        type: 'foo',
-        attributes
-      }, {
-        type: 'bar',
-        attributes
-      }];
-
-      await client.bulkCreate(objects, {});
-
-      // called with empty extraDocumentProperties
-      expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects.map(o => ({
-        ...o,
-        extraDocumentProperties: {},
-        id: 'mock-id'
-      })), {});
-    });
-
-    test(`throws when the base client returns a malformed document id`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-      const objects = [{
-        type: 'foo',
-        attributes
-      }, {
-        type: 'bar',
-        attributes
-      }];
-
-      await expect(client.bulkCreate(objects, {})).rejects.toThrowErrorMatchingSnapshot();
-    });
-  });
-
-  describe('#update', () => {
-    test('allows an object to be updated if it exists in the same space', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const id = 'object_0';
-      const type = 'foo';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
+[
+  { id: DEFAULT_SPACE_ID, expectedNamespace: undefined },
+  { id: 'space_1', expectedNamespace: 'space_1' }
+].forEach(currentSpace => {
+  describe(`${currentSpace.id} space`, () => {
 
-      await client.update(type, id, attributes);
+    describe('#get', () => {
+      test(`throws error if options.namespace is specified`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
 
-      expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, { extraDocumentProperties: {} });
-    });
-
-    test('allows a global object to be updated', async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
 
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
+        await expect(client.get(null, null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
       });
 
-      const id = 'space_1';
-      const type = 'space';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
+      test(`supplements options with undefined namespace`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const expectedReturnValue = Symbol();
+        baseClient.get.mockReturnValue(expectedReturnValue);
+        const spacesService = createSpacesService(server);
 
-      await client.update(type, id, attributes);
-
-      expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, { extraDocumentProperties: {} });
-    });
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
+        const type = Symbol();
+        const id = Symbol();
+        const options = Object.freeze({ foo: 'bar' });
+        const actualReturnValue = await client.get(type, id, options);
 
-    test('does not allow an object to be updated via a different space', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
+        expect(actualReturnValue).toBe(expectedReturnValue);
+        expect(baseClient.get).toHaveBeenCalledWith(type, id, { foo: 'bar', namespace: currentSpace.expectedNamespace });
       });
-
-      const id = 'object_2';
-      const type = 'foo';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await expect(client.update(type, id, attributes)).rejects.toThrowErrorMatchingSnapshot();
-    });
-
-    test(`throws when the base client returns a malformed document id`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const id = 'space_1';
-      const type = 'space';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await expect(client.update(type, id, attributes)).rejects.toThrowErrorMatchingSnapshot();
     });
-  });
 
-  describe('#delete', () => {
-    test('allows an object to be deleted if it exists in the same space', async () => {
+    describe('#bulkGet', () => {
+      test(`throws error if options.namespace is specified`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
 
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
 
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
+        await expect(client.bulkGet(null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
       });
 
-      const id = 'object_0';
-      const type = 'foo';
+      test(`supplements options with undefined namespace`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const expectedReturnValue = Symbol();
+        baseClient.bulkGet.mockReturnValue(expectedReturnValue);
+        const spacesService = createSpacesService(server);
 
-      await client.delete(type, id);
-
-      expect(baseClient.delete).toHaveBeenCalledWith(type, id);
-    });
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
 
-    test(`allows a global object to be deleted`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
+        const objects = Symbol();
+        const options = Object.freeze({ foo: 'bar' });
+        const actualReturnValue = await client.bulkGet(objects, options);
 
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
+        expect(actualReturnValue).toBe(expectedReturnValue);
+        expect(baseClient.bulkGet).toHaveBeenCalledWith(objects, { foo: 'bar', namespace: currentSpace.expectedNamespace });
       });
-
-      const id = 'space_1';
-      const type = 'space';
-
-      await client.delete(type, id);
-
-      expect(baseClient.delete).toHaveBeenCalledWith(type, id);
     });
 
-    test('does not allow an object to be deleted via a different space', async () => {
+    describe('#find', () => {
+      test(`throws error if options.namespace is specified`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
 
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
 
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
+        await expect(client.find({ namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
       });
 
-      const id = 'object_2';
-      const type = 'foo';
-
-      await expect(client.delete(type, id)).rejects.toThrowErrorMatchingSnapshot();
-    });
-  });
-});
-
-describe('current space (space_1)', () => {
-  const currentSpace = {
-    id: 'space_1',
-  };
+      test(`supplements options with undefined namespace`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const expectedReturnValue = Symbol();
+        baseClient.find.mockReturnValue(expectedReturnValue);
+        const spacesService = createSpacesService(server);
 
-  describe('#get', () => {
-    test(`returns the object when it belongs to the current space`, async () => {
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
 
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
+        const options = Object.freeze({ foo: 'bar' });
+        const actualReturnValue = await client.find(options);
 
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const id = 'object_1';
-      const options = {};
-
-      const result = await client.get(type, id, options);
-
-      expect(result).toEqual({
-        id,
-        type,
-        spaceId: currentSpace.id
+        expect(actualReturnValue).toBe(expectedReturnValue);
+        expect(baseClient.find).toHaveBeenCalledWith({ foo: 'bar', namespace: currentSpace.expectedNamespace });
       });
     });
 
-    test('appends the space id to the document id', async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const id = 'object_1';
-      const options = {};
-
-      await client.get(type, id, options);
-
-      expect(baseClient.get).toHaveBeenCalledWith(type, `${currentSpace.id}:${id}`, { ...options, extraDocumentProperties: ['spaceId'] });
-    });
-
-    test(`returns global objects that don't belong to a specific space`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'space';
-      const id = 'space_1';
-      const options = {};
-
-      const result = await client.get(type, id, options);
-
-      expect(result).toEqual(SAVED_OBJECTS[id]);
-    });
-
-    test(`merges options.extraDocumentProperties`, async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const id = 'object_1';
-      const options = {
-        extraDocumentProperties: ['otherSourceProp']
-      };
-
-      await client.get(type, id, options);
-
-      expect(baseClient.get).toHaveBeenCalledWith(type, `${currentSpace.id}:${id}`, {
-        extraDocumentProperties: ['spaceId', 'otherSourceProp']
-      });
-    });
+    describe('#create', () => {
+      test(`throws error if options.namespace is specified`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
 
-    test(`returns error when the object belongs to a different space`, async () => {
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
 
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
+        });
 
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
+        await expect(client.create('foo', {}, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
       });
 
-      const type = 'foo';
-      const id = 'object_2';
-      const options = {};
+      test(`supplements options with undefined namespace`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const expectedReturnValue = Symbol();
+        baseClient.create.mockReturnValue(expectedReturnValue);
+        const spacesService = createSpacesService(server);
 
-      await expect(client.get(type, id, options)).rejects.toThrowErrorMatchingSnapshot();
-    });
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
 
-    test(`returns error when the object has a malformed identifier`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
-      const spacesService = createSpacesService(server);
+        const type = Symbol();
+        const attributes = Symbol();
+        const options = Object.freeze({ foo: 'bar' });
+        const actualReturnValue = await client.create(type, attributes, options);
 
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
+        expect(actualReturnValue).toBe(expectedReturnValue);
+        expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { foo: 'bar', namespace: currentSpace.expectedNamespace });
       });
-
-      const type = 'foo';
-      const id = 'object_1';
-      const options = {};
-
-      await expect(client.get(type, id, options)).rejects.toThrowErrorMatchingSnapshot();
     });
-  });
 
-  describe('#bulk_get', () => {
-    test(`only returns objects belonging to the current space`, async () => {
+    describe('#bulkCreate', () => {
+      test(`throws error if options.namespace is specified`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
 
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
 
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
+        await expect(client.bulkCreate(null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
       });
 
-      const type = 'foo';
-      const options = {};
+      test(`supplements options with undefined namespace`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const expectedReturnValue = Symbol();
+        baseClient.bulkCreate.mockReturnValue(expectedReturnValue);
+        const spacesService = createSpacesService(server);
 
-      const result = await client.bulkGet([{
-        type,
-        id: 'object_1'
-      }, {
-        type,
-        id: 'object_2'
-      }], options);
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
 
-      expect(result).toEqual({
-        saved_objects: [{
-          id: 'object_1',
-          spaceId: 'space_1',
-          type: 'foo',
-        }, {
-          id: 'object_2',
-          type: 'foo',
-          error: {
-            message: 'Not found',
-            statusCode: 404
-          }
-        }]
-      });
-    });
+        const objects = Symbol();
+        const options = Object.freeze({ foo: 'bar' });
+        const actualReturnValue = await client.bulkCreate(objects, options);
 
-    test('appends the space id to the document id', async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
+        expect(actualReturnValue).toBe(expectedReturnValue);
+        expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects, { foo: 'bar', namespace: currentSpace.expectedNamespace });
       });
-
-      const type = 'foo';
-      const options = {};
-      const objects = [{
-        type,
-        id: 'object_1'
-      }, {
-        type,
-        id: 'object_2'
-      }];
-
-      await client.bulkGet(objects, options);
-
-      const expectedObjects = objects.map(o => ({ ...o, id: `${currentSpace.id}:${o.id}` }));
-      expect(baseClient.bulkGet)
-        .toHaveBeenCalledWith(expectedObjects, { ...options, extraDocumentProperties: ["spaceId", "type"] });
     });
 
-    test(`returns global objects that don't belong to a specific space`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const options = {};
+    describe('#update', () => {
+      test(`throws error if options.namespace is specified`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
 
-      const result = await client.bulkGet([{
-        type,
-        id: 'object_1'
-      }, {
-        type: 'space',
-        id: 'space_1'
-      }], options);
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
 
-      expect(result).toEqual({
-        saved_objects: [{
-          id: 'object_1',
-          spaceId: 'space_1',
-          type: 'foo',
-        }, {
-          id: 'space_1',
-          type: 'space',
-        }]
+        await expect(client.update(null, null, null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
       });
-    });
 
-    test(`merges options.extraDocumentProperties`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
+      test(`supplements options with undefined namespace`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const expectedReturnValue = Symbol();
+        baseClient.update.mockReturnValue(expectedReturnValue);
+        const spacesService = createSpacesService(server);
 
-      const type = 'foo';
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
 
-      const objects = [{
-        type,
-        id: 'object_1'
-      }, {
-        type,
-        id: 'object_2'
-      }];
+        const type = Symbol();
+        const id = Symbol();
+        const attributes = Symbol();
+        const options = Object.freeze({ foo: 'bar' });
+        const actualReturnValue = await client.update(type, id, attributes, options);
 
-      const options = {
-        extraDocumentProperties: ['otherSourceProp']
-      };
-
-      await client.bulkGet(objects, options);
-
-      const expectedCalledWithObjects = objects.map(object => {
-        const id = `${currentSpace.id}:${object.id}`;
-        return {
-          ...object,
-          id
-        };
-      });
-
-      expect(baseClient.bulkGet).toHaveBeenCalledWith(expectedCalledWithObjects, {
-        extraDocumentProperties: ['spaceId', 'type', 'otherSourceProp']
+        expect(actualReturnValue).toBe(expectedReturnValue);
+        expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, { foo: 'bar', namespace: currentSpace.expectedNamespace });
       });
     });
 
-    test(`throws when base client returns documents with malformed ids`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const objects = [{
-        type,
-        id: 'object_1'
-      }];
-      const options = {};
+    describe('#delete', () => {
+      test(`throws error if options.namespace is specified`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
 
-      await expect(client.bulkGet(objects, options)).rejects.toThrowErrorMatchingSnapshot();
-    });
-  });
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
 
-  describe('#find', () => {
-    test(`creates ES query filters restricting objects to the current space`, async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
+        await expect(client.delete(null, null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
       });
 
-      const type = ['foo', 'space'];
-      const options = {
-        type
-      };
+      test(`supplements options with undefined namespace`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const expectedReturnValue = Symbol();
+        baseClient.delete.mockReturnValue(expectedReturnValue);
+        const spacesService = createSpacesService(server);
 
-      await client.find(options);
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
 
-      expect(baseClient.find).toHaveBeenCalledWith({
-        type,
-        filters: [{
-          bool: {
-            minimum_should_match: 1,
-            should: [{
-              bool: {
-                must: [{
-                  term: {
-                    type: 'foo'
-                  },
-                }, {
-                  term: {
-                    spaceId: 'space_1'
-                  }
-                }],
-              }
-            }, {
-              bool: {
-                must: [{
-                  term: {
-                    type: 'space'
-                  },
-                }],
-              }
-            }]
-          }
-        }]
-      });
-    });
+        const type = Symbol();
+        const id = Symbol();
+        const options = Object.freeze({ foo: 'bar' });
+        const actualReturnValue = await client.delete(type, id, options);
 
-    test(`merges incoming filters with filters generated by Spaces Saved Objects Client`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const otherFilters = [{
-        bool: {
-          must: [{
-            term: {
-              foo: 'bar'
-            }
-          }]
-        }
-      }];
-
-      const options = {
-        type,
-        filters: otherFilters
-      };
-
-      await client.find(options);
-
-      expect(baseClient.find).toHaveBeenCalledWith({
-        type,
-        filters: [...otherFilters, {
-          bool: {
-            minimum_should_match: 1,
-            should: [{
-              bool: {
-                must: [{
-                  term: {
-                    type
-                  },
-                }, {
-                  term: {
-                    spaceId: 'space_1'
-                  }
-                }]
-              }
-            }]
-          }
-        }]
+        expect(actualReturnValue).toBe(expectedReturnValue);
+        expect(baseClient.delete).toHaveBeenCalledWith(type, id, { foo: 'bar', namespace: currentSpace.expectedNamespace });
       });
     });
-
-    test(`throws when base client returns documents with malformed ids`, async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const options = {
-        type,
-      };
-
-      await expect(client.find(options)).rejects.toThrowErrorMatchingSnapshot();
-    });
   });
 
-  describe('#create', () => {
-    test('automatically assigns the object to the current space via extraDocumentProperties', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await client.create(type, attributes);
-
-      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, {
-        id: `${currentSpace.id}:mock-id`,
-        extraDocumentProperties: {
-          spaceId: 'space_1'
-        }
-      });
-    });
-
-    test('does not assign a space-unaware (global) object to a space', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'space';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await client.create(type, attributes);
-
-      expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { extraDocumentProperties: {}, id: 'mock-id' });
-    });
-
-    test('throws when the base client returns a malformed document id', async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await expect(client.create(type, attributes)).rejects.toThrowErrorMatchingSnapshot();
-    });
-  });
-
-  describe('#bulk_create', () => {
-    test('allows for bulk creation when all types are space-aware', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-      const objects = [{
-        type: 'foo',
-        attributes
-      }, {
-        type: 'bar',
-        attributes
-      }];
-
-      await client.bulkCreate(objects, {});
-
-      const expectedCalledWithObjects = objects.map(object => ({
-        ...object,
-        extraDocumentProperties: {
-          spaceId: 'space_1'
-        },
-        id: `${currentSpace.id}:mock-id`
-      }));
-
-      expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
-    });
-
-    test('allows for bulk creation when all types are not space-aware', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      const objects = [{
-        type: 'space',
-        attributes
-      }, {
-        type: 'space',
-        attributes
-      }];
-
-      await client.bulkCreate(objects, {});
-
-      expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects.map(o => {
-        return { ...o, extraDocumentProperties: {}, id: 'mock-id' };
-      }), {});
-    });
-
-    test('allows space-aware and non-space-aware (global) objects to be created at the same time', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      const objects = [{
-        type: 'space',
-        attributes
-      }, {
-        type: 'foo',
-        attributes
-      }];
-
-      await client.bulkCreate(objects, {});
-
-      const expectedCalledWithObjects = [...objects];
-      expectedCalledWithObjects[0] = {
-        ...expectedCalledWithObjects[0],
-        extraDocumentProperties: {},
-        id: 'mock-id'
-      };
-      expectedCalledWithObjects[1] = {
-        ...expectedCalledWithObjects[1],
-        extraDocumentProperties: {
-          spaceId: 'space_1'
-        },
-        id: `${currentSpace.id}:mock-id`
-      };
-
-      expect(baseClient.bulkCreate).toHaveBeenCalledWith(expectedCalledWithObjects, {});
-    });
-
-    test('throws when the base client returns a malformed document id', async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const type = 'foo';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await expect(client.bulkCreate([{ type, attributes }])).rejects.toThrowErrorMatchingSnapshot();
-    });
-  });
-
-  describe('#update', () => {
-    test('allows an object to be updated if it exists in the same space', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const id = 'object_1';
-      const type = 'foo';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await client.update(type, id, attributes);
-
-      expect(baseClient.update)
-        .toHaveBeenCalledWith(type, `${currentSpace.id}:${id}`, attributes, { extraDocumentProperties: { spaceId: 'space_1' } });
-    });
-
-    test('allows a global object to be updated', async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const id = 'space_1';
-      const type = 'space';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await client.update(type, id, attributes);
-
-      expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, { extraDocumentProperties: {} });
-    });
-
-    test('does not allow an object to be updated via a different space', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const id = 'object_2';
-      const type = 'foo';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await expect(client.update(type, id, attributes)).rejects.toThrowErrorMatchingSnapshot();
-    });
-
-    test('throws when the base client returns a malformed document id', async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace, { mangleSpaceIdentifier: true });
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const id = 'object_1';
-      const type = 'foo';
-      const attributes = {
-        prop1: 'value 1',
-        prop2: 'value 2'
-      };
-
-      await expect(client.update(type, id, attributes)).rejects.toThrowErrorMatchingSnapshot();
-    });
-  });
-
-  describe('#delete', () => {
-    test('allows an object to be deleted if it exists in the same space', async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const id = 'object_1';
-      const type = 'foo';
-
-      await client.delete(type, id);
-
-      expect(baseClient.delete).toHaveBeenCalledWith(type, `${currentSpace.id}:${id}`);
-    });
-
-    test('allows a global object to be deleted', async () => {
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const id = 'space_1';
-      const type = 'space';
-
-      await client.delete(type, id);
-
-      expect(baseClient.delete).toHaveBeenCalledWith(type, id);
-    });
-
-    test('does not allow an object to be deleted via a different space', async () => {
-
-      const request = createMockRequest(currentSpace);
-      const baseClient = createMockClient(currentSpace);
-      const spacesService = createSpacesService(server);
-
-      const client = new SpacesSavedObjectsClient({
-        request,
-        baseClient,
-        spacesService,
-        types: [],
-      });
-
-      const id = 'object_2';
-      const type = 'foo';
-
-      await expect(client.delete(type, id)).rejects.toThrowErrorMatchingSnapshot();
-    });
-  });
 });
diff --git a/x-pack/test/rbac_api_integration/apis/privileges/index.js b/x-pack/test/rbac_api_integration/apis/privileges/index.js
index 9563a1b65540f0..aa66f8f7d2d964 100644
--- a/x-pack/test/rbac_api_integration/apis/privileges/index.js
+++ b/x-pack/test/rbac_api_integration/apis/privileges/index.js
@@ -38,6 +38,9 @@ export default function ({ getService }) {
                 'action:saved_objects/graph-workspace/get',
                 'action:saved_objects/graph-workspace/bulk_get',
                 'action:saved_objects/graph-workspace/find',
+                'action:saved_objects/space/get',
+                'action:saved_objects/space/bulk_get',
+                'action:saved_objects/space/find',
                 'action:saved_objects/index-pattern/get',
                 'action:saved_objects/index-pattern/bulk_get',
                 'action:saved_objects/index-pattern/find',
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
index 5bb42acacd3920..ca9b9bb2ec1c22 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
@@ -69,50 +69,6 @@ export default function ({ getService }) {
       });
     };
 
-    const expectAllResultsIncludingInvalidTypes = (resp) => {
-      expect(resp.body).to.eql({
-        page: 1,
-        per_page: 20,
-        total: 5,
-        saved_objects: [
-          {
-            id: '91200a00-9efd-11e7-acb3-3dab96693fab',
-            type: 'index-pattern',
-            updated_at: '2017-09-21T18:49:16.270Z',
-            version: 1,
-            attributes: resp.body.saved_objects[0].attributes
-          },
-          {
-            id: '7.0.0-alpha1',
-            type: 'config',
-            updated_at: '2017-09-21T18:49:16.302Z',
-            version: 1,
-            attributes: resp.body.saved_objects[1].attributes
-          },
-          {
-            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
-            type: 'visualization',
-            updated_at: '2017-09-21T18:51:23.794Z',
-            version: 1,
-            attributes: resp.body.saved_objects[2].attributes
-          },
-          {
-            id: 'be3733a0-9efe-11e7-acb3-3dab96693fab',
-            type: 'dashboard',
-            updated_at: '2017-09-21T18:57:40.826Z',
-            version: 1,
-            attributes: resp.body.saved_objects[3].attributes
-          },
-          {
-            id: 'visualization:dd7caf20-9efd-11e7-acb3-3dab96693faa',
-            type: 'not-a-visualization',
-            updated_at: '2017-09-21T18:51:23.794Z',
-            version: 1
-          },
-        ]
-      });
-    };
-
     const createExpectEmpty = (page, perPage, total) => (resp) => {
       expect(resp.body).to.eql({
         page: page,
@@ -290,7 +246,7 @@ export default function ({ getService }) {
         noType: {
           description: 'all objects',
           statusCode: 200,
-          response: expectAllResultsIncludingInvalidTypes,
+          response: expectResultsWithValidTypes,
         },
       },
     });
@@ -324,7 +280,7 @@ export default function ({ getService }) {
         noType: {
           description: 'all objects',
           statusCode: 200,
-          response: expectAllResultsIncludingInvalidTypes,
+          response: expectResultsWithValidTypes,
         },
       }
     });
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js b/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js
index 37bd80f56a5c83..517aab85312fac 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js
@@ -6,7 +6,7 @@
 
 import expect from 'expect.js';
 import { SPACES } from './lib/spaces';
-import { getIdPrefix, getUrlPrefix, getExpectedSpaceIdProperty } from './lib/space_test_utils';
+import { getIdPrefix, getUrlPrefix } from './lib/space_test_utils';
 
 export default function ({ getService }) {
   const supertest = getService('supertest');
@@ -73,7 +73,6 @@ export default function ({ getService }) {
             type: 'visualization',
             updated_at: '2017-09-21T18:51:23.794Z',
             version: resp.body.saved_objects[0].version,
-            ...getExpectedSpaceIdProperty(spaceId),
             attributes: {
               title: 'Count of requests',
               description: '',
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/create.js b/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
index 14d6ba54de2e86..4a7bfa30d40dc7 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
@@ -31,17 +31,17 @@ export default function ({ getService }) {
         }
       });
 
-      const expectedDocumentId = spaceId === DEFAULT_SPACE_ID ? resp.body.id : `${spaceId}:${resp.body.id}`;
+      const expectedSpacePrefix = spaceId === DEFAULT_SPACE_ID ? '' : `${spaceId}:`;
 
       // query ES directory to assert on space id
       const { _source } = await es.get({
-        id: `visualization:${expectedDocumentId}`,
+        id: `${expectedSpacePrefix}visualization:${resp.body.id}`,
         type: 'doc',
         index: '.kibana'
       });
 
       const {
-        spaceId: actualSpaceId = '**not defined**'
+        namespace: actualSpaceId = '**not defined**'
       } = _source;
 
       if (spaceId === DEFAULT_SPACE_ID) {
@@ -75,7 +75,7 @@ export default function ({ getService }) {
       });
 
       const {
-        spaceId: actualSpaceId = '**not defined**'
+        namespace: actualSpaceId = '**not defined**'
       } = _source;
 
       expect(actualSpaceId).to.eql('**not defined**');
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js b/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
index fe3cb7bb2be06f..07bb72a30e9820 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
@@ -7,7 +7,6 @@
 import expect from 'expect.js';
 import { SPACES } from './lib/spaces';
 import { getUrlPrefix, getIdPrefix } from './lib/space_test_utils';
-import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
 
 export default function ({ getService }) {
   const supertest = getService('supertest');
@@ -47,16 +46,10 @@ export default function ({ getService }) {
         ));
 
         it(`should return ${tests.inOtherSpace.statusCode} when deleting a doc belonging to another space`, async () => {
-          const documentId = `${getIdPrefix('space_2')}be3733a0-9efe-11e7-acb3-3dab96693fab`;
-
-          let expectedObjectId = documentId;
-
-          if (spaceId !== DEFAULT_SPACE_ID) {
-            expectedObjectId = `${spaceId}:${expectedObjectId}`;
-          }
+          const expectedObjectId = `${getIdPrefix('space_2')}be3733a0-9efe-11e7-acb3-3dab96693fab`;
 
           await supertest
-            .delete(`${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${documentId}`)
+            .delete(`${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${expectedObjectId}`)
             .expect(tests.inOtherSpace.statusCode)
             .then(tests.inOtherSpace.response('dashboard', expectedObjectId));
         });
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/find.js b/x-pack/test/spaces_api_integration/apis/saved_objects/find.js
index 01383433774ef9..ea59e01eff96d7 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/find.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/find.js
@@ -44,7 +44,7 @@ export default function ({ getService }) {
         id: '7.0.0-alpha1',
         type: 'config',
         updated_at: '2017-09-21T18:49:16.302Z',
-        version: 3,
+        version: 1,
       }, {
         id: `default`,
         type: 'space',
@@ -85,7 +85,9 @@ export default function ({ getService }) {
         .sort(sortById);
 
       expectedSavedObjects.forEach((object, index) => {
-        object.attributes = resp.body.saved_objects[index].attributes;
+        if (resp.body.saved_objects[index]) {
+          object.attributes = resp.body.saved_objects[index].attributes;
+        }
       });
 
 
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/get.js b/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
index 6a8e21e9b5c999..0369bffba26e5b 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
@@ -7,7 +7,6 @@
 import expect from 'expect.js';
 import { getIdPrefix, getUrlPrefix } from './lib/space_test_utils';
 import { SPACES } from './lib/spaces';
-import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
 
 export default function ({ getService }) {
   const supertest = getService('supertest');
@@ -16,10 +15,6 @@ export default function ({ getService }) {
   describe('get', () => {
 
     const expectResults = (spaceId) => () => (resp) => {
-
-      // The default space does not assign a space id.
-      const expectedSpaceId = spaceId === 'default' ? undefined : spaceId;
-
       const expectedBody = {
         id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
         type: 'visualization',
@@ -37,10 +32,6 @@ export default function ({ getService }) {
         }
       };
 
-      if (expectedSpaceId) {
-        expectedBody.spaceId = expectedSpaceId;
-      }
-
       expect(resp.body).to.eql(expectedBody);
     };
 
@@ -60,17 +51,10 @@ export default function ({ getService }) {
         it(`should return ${tests.exists.statusCode}`, async () => {
           const objectId = `${getIdPrefix(otherSpaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`;
 
-          let expectedObjectId = objectId;
-          const testingMismatchedSpaces = spaceId !== otherSpaceId;
-
-          if (testingMismatchedSpaces && spaceId !== DEFAULT_SPACE_ID) {
-            expectedObjectId = `${spaceId}:${expectedObjectId}`;
-          }
-
           return supertest
             .get(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${objectId}`)
             .expect(tests.exists.statusCode)
-            .then(tests.exists.response('visualization', expectedObjectId));
+            .then(tests.exists.response('visualization', objectId));
         });
       });
     };
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
index fab201a5b3c003..5d7f40f9c54b1b 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
@@ -13,12 +13,3 @@ export function getUrlPrefix(spaceId) {
 export function getIdPrefix(spaceId) {
   return spaceId === DEFAULT_SPACE_ID ? '' : `${spaceId}-`;
 }
-
-export function getExpectedSpaceIdProperty(spaceId) {
-  if (spaceId === DEFAULT_SPACE_ID) {
-    return {};
-  }
-  return {
-    spaceId
-  };
-}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/update.js b/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
index 3aea0aadde82e2..4bc938ba7a4999 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
+++ b/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
@@ -7,7 +7,6 @@
 import expect from 'expect.js';
 import { SPACES } from './lib/spaces';
 import { getUrlPrefix, getIdPrefix } from './lib/space_test_utils';
-import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
 
 export default function ({ getService }) {
   const supertest = getService('supertest');
@@ -92,7 +91,7 @@ export default function ({ getService }) {
               }
             })
             .expect(tests.inOtherSpace.statusCode)
-            .then(tests.inOtherSpace.response(`visualization`, `${spaceId === DEFAULT_SPACE_ID ? '' : (spaceId + ':')}${id}`));
+            .then(tests.inOtherSpace.response(`visualization`, `${id}`));
         });
 
         describe('unknown id', () => {
@@ -105,7 +104,7 @@ export default function ({ getService }) {
                 }
               })
               .expect(tests.doesntExist.statusCode)
-              .then(tests.doesntExist.response(`visualization`, `${spaceId === DEFAULT_SPACE_ID ? '' : (spaceId + ':')}not an id`));
+              .then(tests.doesntExist.response(`visualization`, `not an id`));
           });
         });
       });
diff --git a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/data.json.gz b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/data.json.gz
index 0be0d4c12010a325540585af33a8a1f8cc877883..a795be4f88ea3c0783f7268adf701f995cce6529 100644
GIT binary patch
literal 2469
zcmYL_dpr|t8^`B3(jLM~&SAqaVOdkoS!^gq)Psc4>l|~)xlk=<Ysw+zH0Q?5GmUyA
z=i?j~DUuvUsOUiG9etkn`R8}v_w~E(>-v4Z3Mm2t&MWcG03MussJoUgJ}3~d>f#qP
zhmhEP<mO&FBSBT{$wdyA)9w2`BsR>%LT?7}^TS3&Bf!H}*vJ!~;*X=zbX>G-Gj(od
zjgLQ<a9mFQ%XFV*(;~ZcRDV1}EL=MLTqWTg)4x>?E#&+Kr_~Q(LZj<IQ8PaXAKLZ)
z9A+ZObQ2rPcC+5jQp+$`vbkc(Rz=z#C33u9Tv7~kqU20*fY-aNL`uXsXh-Iku0hM8
z-IUAPpZ4HEZsCtJ{E|b6jI4O5VkpHqLK~!JpY=g(02Mg(7VHw%Z(LA!j<2~y;^$$A
zz4f%tX%tMzaoqa+^5fBa?4F)cd8shtJ9~;!Vb<Y0AcicyGSmWoVKh>0Frf`E;oqI>
zk=4yEvc$_Zi52VJi@ZJ$d}Luz8{N^_u=3M?2r^tTvudx~)b#Y}az@Wmq_?x@UfAua
zwuT&*OZl2(B_UfyoxNAmLtl`J?z)6AzM%1?1f~O`p=py72s`@T_j2dPsK)ZyRdz;M
zr4p5aY!1VRkTF(|x+t2WD2h$d)wtsivhDEtDwQ5|!VxJ5j`TX66`Z3h+C}UzcOr+`
z_XxzQqQ0dN;%GvZ%T4S_b#p`X+IK>gx+`C=Bkalu*zty1{k1Ef?SmKyB|n}!FW?_G
zwa02M))c`5kk=f*9}*agD1=9dA2MvV53y0V`6R%6;3bcVdNAOU&YaNdZXr?u2qbPu
z8Tyum*B3<qR4|O9JI8;tE^lX3>wp6xUgzAeA()3nOF`oB;gqCI(jv}BBe!?f{8KNt
z@Qwb5W#4^vo#*Uyx%q*jXYTrV1%j69E-EMBg6~eOBnR|mn)2K&=xAG+EuQ>4gW{}3
zO62h+o3w9{7H0tZvOwU7x)&I8eK3k!1dX>A$t8jl-zVta7u*s6rl}ah3wdcC5}7z?
za3dG38CGScGl>`O=?l634qJa{YBu~8IQPZtHDX#W?g}FMFXl|L%hXj7b6<I~W<T$|
z=it(i(XFJ<fG?*lRXfz?)%E!+l2OuQC5c~=im2iBW8+|cW?8F14*JNQw1|`|J^pP;
z1FB4u=Q}_Dc%l4G+xlpRn8|rP)|>(V*>(MK!5A|+>xme3%A^Pj8UwPNaA{)d9NSm|
za4%kKS$A?fS9FsvztyZPQ}Dzmz()BxV|P$JmB70>gadUezx#6Zj|Gi7c`jOA#uAKV
z@uJMo>xSxRf&sUdyTYwM)wpPa`lQ5^xnCOJep0(wq539uNUT_vhHdyIrG$2(l@Vam
z=xIC8-J-Twp5|0OQVQ>an2;P-RQ_fmKq{LH|1NubyK2iOtGmnK51?V~Vi@`qx|^RJ
z>Qx?~`(XR>P`69fb|d!wS-$h^awRzV!J=fMV_=SzNsQb1fD&-cs}G;js}o9hggt(p
zIt-OF$H_j^wy4ot@V0LG+*UXv<5F-kCs3Gn%Hrdbw<B^oYYwVn<NaK49v45n)zr`g
zIxOZSf;v_mpxgd2$Vpd`hzrLXKdDM1?}iMsPzx&5%nXI=MvXRpcH6^mhY?3AGbz7>
zQ*-OtoBq@5<-k`1-c<}m(9268C)XBG?b-!1@r4Z4?;<b9Qj=K4J0vvZeOzE2{FwdK
z?b5S)GH|`_RVO355k&dEBP~$abFWW%(dW#}hW}LFXgPbcni1L@9EoVj?x0on8?b-~
zR(07@=cPw(zIiRU@Ul~44Vrzo`YpHLq>_i`W1cW&HyoyF&v>si-xl7`h#uN_>+Q5t
zjjt!dzmlgfwlLS1ZhOv5-i1$K?kzcgUA?EHik<GWDU77iq`t@LqkOp&ryd!@W0@EC
zI^yPPrDdf>f*7e-mf8uMoQH&lhaM?i%~9wFk`n{>Y@?LTm$7HOTa!kFHNEu<B*|;r
zR`{&>o#({^^)&D}Pu@y~d0c*NYr|nXp{XZttTh`=tAlG9Tmwj~-AmmN=U5d;WW$wj
z_L5hs-4n0g{%blQ=NcL15^p<k)QyU)7R%3z>wr`>NeErKmA-QttEB;LQ1iU*-pQOk
zxsvdO?B2Oi6ujPcs`uyB3wwfkMiIC}K6+&KE1yv-i8uN^@viZE4*D3qNKNX6=D@hl
z?vxWSkYWL>HMB`Zs%btw*TIWAqXwHB(_?sUZY;HEjws}+z=DE2(@y8PG!sSvf5z4Z
zASb|-Q}?|Q9}(G~_v-Wfc2`y_{T>hvwB96IHm|1;<_CQq58B$e!7=v5#H?e)+sZ73
z&7bWyq}_P|Lz$qqB?AHG^J%YZ!-T;NMMsMTHz(c?Nq+gn)d0Gi3i#w@#^u08=$3;2
ze<gR`*EH2>up%V9UjJQ7Pn<af8L&4W)d>t?Ri+R4=v9QKzdqUZhTnSjMRg~=wA144
z(YD8Ov#(xHZAQva(`TK|lx5b8R9~!kb|kzaf*3)WES+-;@85pT{$YCb;ho*SL1W|T
z(C0T7Ve`ZJ@Mo((g3k7(OL}!36PV#GGQK!zS5L*MSGo=rS7IqD(8z|iIQa}2xwpv@
zy@Q3Rj|cKzn>=I0u6A4a`@Od^QquXX_LmM@b#YU@)(z&cdxv>*#|)w*O3#+B8qreg
z0Lqy9x~7fNe+Vv{7RvMfU)pu0#}Z8p1;!F5l+RZHZ$^nUCnQCQQ~*C?!)=ARzaFET
za%vSos&m=F^Is{<fi0Up<Id-JJi2!KtuL^5_glH{*>I+TGKMx3?1VjlhZA};%?t^K
zb%ZF9=#ow3xy6Gub&RA~aZddKUO+3oWIxfz1js*83^}2Yh4SVFpfC|v!q+XEc=$LW
zk4=v<FNomBpgeY)3Ojjyt^bvs$9~phI<XWzyDq$Tp4f_~zB<-H+b)ayKhQ_tm7>Fx
zTQTTlz%wxF22s3^dBm2;4S`-x211|*w{LSX2d6FZ{nt!WQ5O^RAyVmtpp_c>CQ*Fq
zxHtw|W6rs$q4z25fBjcD6fjs01&+s|u<vmw?6-0#aAt5Q*lXJn_bFgT%+Sdk3PkbW
z6b^>}rhrcVO##e@!Ez{&N`D71lqQuTpMp_<v&7=8naxI0semH}%li%jm0n5M-*J%X
hAJHm1&M^x)CRG*!RnIxFnNeBBT)7RDf!1CC;D33)r1$^;

literal 2448
zcmYjLc{~%0A9gb=Y;)C!GR(aijgXneoD)K*9HUr{SLRANi&gJ3_kA_7p&TXU$dw~E
z#eRF`t%$G?(g?rudq2O=`_J=zp6B~K-_Q5xT_GWzXg4=5ULVivo?8B)L4jOscUIsh
z6ewocS%%q&C0hJpV7q~=H(J1IZ{No0h%7(!906&DxPhK3WxV0r+fs!0QHhP-cFWJ3
zJxt2LYvrAo^ODCahsJS_!|C#&QHxu)82S9docPmJNck-8(t=fH(ndQ{=7u+zD#5yf
zJu{9(@}E%Q-ozNdu%(M?eIgRbvS-_@&rT;j+-DW-kx(!}&8SCivw+b$|NeQ_9w%ev
zqG)sKdQo`{vqjcfnxORb`2IQ51&{Er#YYky1>)z(YXc20Q*xHS+)^uV5hmGbeU}wc
zt9)MOOSXhG&~pkV_J?hKRaESveJ1wKki_~b2zB#;y>sb+$|!Pw?hq#Avs~fHAk2^w
zFhWY6jAWG*foT=JKh-Bgp&wDZ>IT4_8Y}Y{koE0dPYY#dX=&$9c#h#P(Qlw_C^$U(
z&^WoW>%H2CR7bPdyKRlk^BS}j8JiBfx8$Ebme)IxL8tO^mB%Lb_pS#xuY8|qGup+S
z%1|1U_G={BK66xSuj|d^Z|+Uky1ub8S2u>gWQ#ji2`@F{L*yuxmxVxI+%ropmauoa
zI_-!DwSo<IlLXsxlG4Mbmx+?4aSB_}W=<J3JOsLw4jhCtfykns{HSbnmrkvX!~88<
zzp67)<x*9vdkq!r^Qt?($q#E#;uU}j`|w6@{rN_<hZ(zr*F-IZ%N4;E8Qd*K9TgFz
zuICu4sfE{-gmWodWS8I3{L#L+ol!d?h&@?p=NYUw3<W&|LhOx&P|}KTddJR>Wqiu7
z@8=PVwJs{(y1MK3DfJkafFKA{8%PTRE<ABL9`6%^m{}rUd-LEdZ%RRT=hBB#W-Fz}
zO)EW#*Pmw6#YrU0aOp!u1jp29O3AKg1)<_NpmMS`fNC0ohTAknBqp3qjg!a6x*~Wj
zMiQr3vCL@!C&fycsXMa-eZydYYZ5#7r8*_lh2=2<mxK)XKK{;eD}=9$#tU`FCvL;V
znCYXz#6r`K2riD?!$<@!`yPdx{xFVbbK$a)t%d!@X$#4eSM`+$9$%{Y&86vME+<~<
zc&_)I!)x!i@~#S@HoW^wWkwwCZ=xu1qtQ}y8RHTuWuh_6;kxJ&q*XwPsKuU_c@Wva
z6&Lz^W{aWy2;Uh$cv%tD%jX{v%W>EmxZyV^XvP(FrA}a0A~;f1a9z@c66-o;zHzAk
z_~r5Z6R*;)n#gl!J)xM&rN=T8q5bXMYx|NryHnl)FEkWfpnds%pmdMSWQAIvG%>Cg
zF|9QduZ7^5S6bfObI0O1U8el8@0E=#OwQ8Up%Jv!R{xt0uj=7<e~!MAMa58O5ln@G
zn&k$Y&toHN7jmqe_HFye9$v=%sI&<CGRNtzNIT*S7N41PV5tI@boHCP>l6Sx3E6Fj
zc6FfqK8r0n=2a&@`&ze!!~~&aJPI1KzaFYLFkh}_ju{!Vom9ZgA?|Trcl8*naXbqb
zc4Jbnc7hRb!fYkTjS5Det8Xeg|MqOhjixJ$JTYm>cYDM%0*K=-=}`^gNSla`B=-I(
z%P=O9^loE^(@r{><4>}<AAGUXXNKLuh|Umi+WXXJoH(Kju7PNuAy5%*L87EXKE5_Z
z6BVDml@B*@`g<l+d`#2)-%WdNP&A$tz6+P@X{gqZ$sKH6w0e0Y%WvJy)v&1lFYlOQ
zho}BzQvMtV_JU*O`-tHnpGlCFhT{tJYX7F^KVHjm$W&bq>%9>(xmt3ICPrso^X+cC
zprS65acS}XW^}0eY3S~dZGLAanQw+3RMeoK`t2f#hn-h2*cAQ-e%nB2ip>$De}xaW
zW(WNw+{FMtYJ$<GZb>fylKOW2a8g7wBkOu(9NQ2l^FFw6YT`kp4xm#ES?W3kfqmb$
zicZC@UmW#e%2F4(H#g0Xwdw}wsADENNb0A+gVrPd(+othzWIsdtCoR`;fH)8QUf=A
zd5OAJTLVvCzr63QEJ;}u6L$M#b(j|B<-mG8W#+{4Qe=!!Z<+TKU`ZbdqS_ljzU+_+
zoLiCBu6pmj#<-hDZdLW40X!WpSm=0?JGQ)3#fFLa7R<KQoVi7Z(gu!N5#QDX49U2r
zD$x{`)?wL$@02j%e<396G)QhVLjDWoaO6)zjy7<@oNm#>%5(9iC{OBrY=}KS6A*An
zFNKjwYXY)tXf16OpD*l3Mf<a0N_T~K6vmc!juq#G{pV4rWBug4F~!uiM6kp**Z>N=
z(`B2!Hz#CtG^lgI@Y`@fJ1u;aJTxfIIKKW^o#&5%bX*@vkEN~O*Wg@}#fq~0E-07B
z--cpn4UmD=*e}mk80^1Ernnu*DCu5aei+?5^c+yFs*JRWXyi|GTdjMliD8!oHhdVS
ztOl^JeQ&-m)3eG@P7}HC#Yw~QeelVN)9q1{$d#rnqn4XNQ8n|?^LwjxTf>x7F@Ccs
ztH_OQ(IA7pyxWAHyLDyroFKy)x$0%r1xLK>q}G*DM~w1%qG7J*8M{Z-f0D2wSAFrX
zhe<Zq6l}dOo&F}l%Kbs5B!?MVT3c^34O;q_oJE}WKZGi@jW|VAC}9_iV(?@!sfnGl
z1Kxiv{8@aMkB%myCFtk_wk!tvhZP@Ar1*<h2-Hd{IVPCsCTG<p97v$>ft)^(^jpUL
zAGo`T_P~#lQ)ar!at~5|+uWI!zoSCg#L~lEff0#?yUG6Ir!R{;-h|N6%W+u8gsCI6
zo)80bT_MMW*g@EGnK&KYoR0|(fxcD11HGg*N`60Ae7NiD=r5p@3)E^czU*Isdm$!8
z)Bost;e>VqIA)mq3sNkdyb!qw_Bk%nefDvs@hQTP3X`>Fu}CaH`0*aVJ-!12AkWPU
zsG{RQ5bf>+5afXEgcu)8RrFd^uL3}$n2+BQznln5FE#;?+0w!=)$^q$0O9oFDNToe
zg1`C)3_l<RQ@t2x^J~YQbKqRAH2WQm?Nk1B<F@$%JWCZ_%PW9}5lZ;F<z37G<QDrV
z=%diz$AzcdJB)>Y`ET_3q<ie+d0?ufc913he-Fq5E%85BL6GXI@}nm4rG2^yn&{CB
qk_W|q!-54KISQ@e!>Uuu_^|w7m?}R0qwCRcDl)a2S|$BlT>k|Wri1bT

diff --git a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json
index bb9b0c33b7394d..d8d4c52985bf56 100644
--- a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json
+++ b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json
@@ -30,9 +30,6 @@
               }
             }
           },
-          "spaceId": {
-            "type": "keyword"
-          },
           "space": {
             "properties": {
               "name": {
@@ -308,4 +305,4 @@
     },
     "aliases": {}
   }
-}
\ No newline at end of file
+}

From a2265211184235de329dbde065a9f0728b6fa70a Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 6 Sep 2018 08:30:35 -0400
Subject: [PATCH 114/183] [Spaces] - Experimental Public spaces api (#22501)

[skip ci]
---
 docs/api/spaces-management/delete.asciidoc    |  25 ++
 docs/api/spaces-management/get.asciidoc       |  77 +++++
 docs/api/spaces-management/post.asciidoc      |  50 ++++
 docs/api/spaces-management/put.asciidoc       |  50 ++++
 docs/api/spaces.asciidoc                      |  17 ++
 .../spaces/common/is_reserved_space.ts        |   2 +-
 x-pack/plugins/spaces/index.js                |   6 +-
 .../spaces/public/lib/spaces_manager.ts       |   6 +-
 .../server/lib/{errors.js => errors.ts}       |   4 +-
 ..._license.js => route_pre_check_license.ts} |   6 +-
 .../lib/{space_schema.js => space_schema.ts}  |   2 +-
 ...ces_url_parser.js => spaces_url_parser.ts} |  13 +-
 .../routes/api/__fixtures__/create_spaces.ts  |  29 ++
 .../api/__fixtures__/create_test_handler.ts   | 142 +++++++++
 .../server/routes/api/__fixtures__/index.ts   |  15 +
 .../server/routes/api/public/delete.test.ts   |  85 ++++++
 .../spaces/server/routes/api/public/delete.ts |  42 +++
 .../server/routes/api/public/get.test.ts      |  86 ++++++
 .../spaces/server/routes/api/public/get.ts    |  61 ++++
 .../spaces/server/routes/api/public/index.ts  |  20 ++
 .../server/routes/api/public/post.test.ts     | 106 +++++++
 .../spaces/server/routes/api/public/post.ts   |  46 +++
 .../server/routes/api/public/put.test.ts      |  97 ++++++
 .../spaces/server/routes/api/public/put.ts    |  49 +++
 .../spaces/server/routes/api/v1/index.ts      |  13 +
 .../spaces/server/routes/api/v1/spaces.js     | 202 -------------
 .../server/routes/api/v1/spaces.test.js       | 281 ------------------
 .../server/routes/api/v1/spaces.test.ts       |  93 ++++++
 .../spaces/server/routes/api/v1/spaces.ts     |  45 +++
 .../lib/convert_saved_object_to_space.test.ts |  27 ++
 .../lib/convert_saved_object_to_space.ts      |  20 ++
 .../server/routes/lib/get_space_by_id.ts      |  19 ++
 .../plugins/spaces/server/routes/lib/index.ts |   8 +
 33 files changed, 1246 insertions(+), 498 deletions(-)
 create mode 100644 docs/api/spaces-management/delete.asciidoc
 create mode 100644 docs/api/spaces-management/get.asciidoc
 create mode 100644 docs/api/spaces-management/post.asciidoc
 create mode 100644 docs/api/spaces-management/put.asciidoc
 create mode 100644 docs/api/spaces.asciidoc
 rename x-pack/plugins/spaces/server/lib/{errors.js => errors.ts} (85%)
 rename x-pack/plugins/spaces/server/lib/{route_pre_check_license.js => route_pre_check_license.ts} (80%)
 rename x-pack/plugins/spaces/server/lib/{space_schema.js => space_schema.ts} (96%)
 rename x-pack/plugins/spaces/server/lib/{spaces_url_parser.js => spaces_url_parser.ts} (80%)
 create mode 100644 x-pack/plugins/spaces/server/routes/api/__fixtures__/create_spaces.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/__fixtures__/create_test_handler.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/__fixtures__/index.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/public/delete.test.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/public/delete.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/public/get.test.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/public/get.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/public/index.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/public/post.test.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/public/post.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/public/put.test.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/public/put.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/v1/index.ts
 delete mode 100644 x-pack/plugins/spaces/server/routes/api/v1/spaces.js
 delete mode 100644 x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js
 create mode 100644 x-pack/plugins/spaces/server/routes/api/v1/spaces.test.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/api/v1/spaces.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/lib/convert_saved_object_to_space.test.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/lib/convert_saved_object_to_space.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/lib/get_space_by_id.ts
 create mode 100644 x-pack/plugins/spaces/server/routes/lib/index.ts

diff --git a/docs/api/spaces-management/delete.asciidoc b/docs/api/spaces-management/delete.asciidoc
new file mode 100644
index 00000000000000..c5ae025dd9e2e9
--- /dev/null
+++ b/docs/api/spaces-management/delete.asciidoc
@@ -0,0 +1,25 @@
+[[spaces-api-delete]]
+=== Delete space
+
+experimental[This API is *experimental* and may be changed or removed completely in a future release. The underlying Spaces concepts are stable, but the APIs for managing Spaces are currently experimental.]
+
+[WARNING]
+==================================================
+Deleting a space will automatically delete all saved objects that belong to that space. This operation cannot be undone!
+==================================================
+
+==== Request
+
+To delete a space, submit a DELETE request to the `/api/spaces/space/<space_id>`
+endpoint:
+
+[source,js]
+--------------------------------------------------
+DELETE /api/spaces/space/marketing
+--------------------------------------------------
+// KIBANA
+
+==== Response
+
+If the space is successfully deleted, the response code is `204`; otherwise, the response
+code is 404.
diff --git a/docs/api/spaces-management/get.asciidoc b/docs/api/spaces-management/get.asciidoc
new file mode 100644
index 00000000000000..c79a883a80e4bb
--- /dev/null
+++ b/docs/api/spaces-management/get.asciidoc
@@ -0,0 +1,77 @@
+[[spaces-api-get]]
+=== Get Space
+
+experimental[This API is *experimental* and may be changed or removed completely in a future release. The underlying Spaces concepts are stable, but the APIs for managing Spaces are currently experimental.]
+
+Retrieves all {kib} spaces, or a specific space.
+
+==== Get all {kib} spaces
+
+===== Request
+
+To retrieve all spaces, issue a GET request to the
+/api/spaces/space endpoint.
+
+[source,js]
+--------------------------------------------------
+GET /api/spaces/space
+--------------------------------------------------
+// KIBANA
+
+===== Response
+
+A successful call returns a response code of `200` and a response body containing a JSON 
+representation of the spaces.
+
+[source,js]
+--------------------------------------------------
+[
+  {
+    "id": "default",
+    "name": "Default",
+    "description" : "This is the Default Space",
+    "_reserved": true
+  },
+  {
+    "id": "marketing",
+    "name": "Marketing",
+    "description" : "This is the Marketing Space",
+    "color": "#aabbcc",
+    "initials": "MK"
+  },
+  {
+    "id": "sales",
+    "name": "Sales",
+    "initials": "MK"
+  },
+]
+--------------------------------------------------
+
+==== Get a specific space
+
+===== Request
+
+To retrieve a specific space, issue a GET request to
+the `/api/spaces/space/<space_id>` endpoint:
+
+[source,js]
+--------------------------------------------------
+GET /api/spaces/space/marketing
+--------------------------------------------------
+// KIBANA
+
+===== Response
+
+A successful call returns a response code of `200` and a response body containing a JSON 
+representation of the space.
+
+[source,js]
+--------------------------------------------------
+{
+  "id": "marketing",
+  "name": "Marketing",
+  "description" : "This is the Marketing Space",
+  "color": "#aabbcc",
+  "initials": "MK"
+}
+--------------------------------------------------
diff --git a/docs/api/spaces-management/post.asciidoc b/docs/api/spaces-management/post.asciidoc
new file mode 100644
index 00000000000000..569835c78b2f80
--- /dev/null
+++ b/docs/api/spaces-management/post.asciidoc
@@ -0,0 +1,50 @@
+[[spaces-api-post]]
+=== Create Space
+
+experimental[This API is *experimental* and may be changed or removed completely in a future release. The underlying Spaces concepts are stable, but the APIs for managing Spaces are currently experimental.]
+
+Creates a new {kib} space. To update an existing space, use the PUT command.
+
+==== Request
+
+To create a space, issue a POST request to the 
+`/api/spaces/space` endpoint.
+
+[source,js]
+--------------------------------------------------
+PUT /api/spaces/space
+--------------------------------------------------
+
+==== Request Body
+
+The following parameters can be specified in the body of a POST request to create a space:
+
+`id`:: (string) Required identifier for the space. This identifier becomes part of Kibana's URL when inside the space. This cannot be changed by the update operation.
+
+`name`:: (string) Required display name for the space.
+
+`description`:: (string) Optional description for the space.
+
+`initials`:: (string) Optionally specify the initials shown in the Space Avatar for this space. By default, the initials will be automatically generated from the space name.
+If specified, initials should be either 1 or 2 characters.
+
+`color`:: (string) Optioanlly specify the hex color code used in the Space Avatar for this space. By default, the color will be automatically generated from the space name.
+
+===== Example
+
+[source,js]
+--------------------------------------------------
+POST /api/spaces/space
+{
+  "id": "marketing",
+  "name": "Marketing",
+  "description" : "This is the Marketing Space",
+  "color": "#aabbcc",
+  "initials": "MK"
+}
+--------------------------------------------------
+// KIBANA
+
+==== Response
+
+A successful call returns a response code of `200` with the created Space.
diff --git a/docs/api/spaces-management/put.asciidoc b/docs/api/spaces-management/put.asciidoc
new file mode 100644
index 00000000000000..529742bf2ce666
--- /dev/null
+++ b/docs/api/spaces-management/put.asciidoc
@@ -0,0 +1,50 @@
+[[spaces-api-put]]
+=== Update Space
+
+experimental[This API is *experimental* and may be changed or removed completely in a future release. The underlying Spaces concepts are stable, but the APIs for managing Spaces are currently experimental.]
+
+Updates an existing {kib} space. To create a new space, use the POST command.
+
+==== Request
+
+To update a space, issue a PUT request to the 
+`/api/spaces/space/<space_id>` endpoint.
+
+[source,js]
+--------------------------------------------------
+PUT /api/spaces/space/<space_id>
+--------------------------------------------------
+
+==== Request Body
+
+The following parameters can be specified in the body of a PUT request to update a space:
+
+`id`:: (string) Required identifier for the space. This identifier becomes part of Kibana's URL when inside the space. This cannot be changed by the update operation.
+
+`name`:: (string) Required display name for the space.
+
+`description`:: (string) Optional description for the space.
+
+`initials`:: (string) Optionally specify the initials shown in the Space Avatar for this space. By default, the initials will be automatically generated from the space name.
+If specified, initials should be either 1 or 2 characters.
+
+`color`:: (string) Optioanlly specify the hex color code used in the Space Avatar for this space. By default, the color will be automatically generated from the space name.
+
+===== Example
+
+[source,js]
+--------------------------------------------------
+PUT /api/spaces/space/marketing
+{
+  "id": "marketing",
+  "name": "Marketing",
+  "description" : "This is the Marketing Space",
+  "color": "#aabbcc",
+  "initials": "MK"
+}
+--------------------------------------------------
+// KIBANA
+
+==== Response
+
+A successful call returns a response code of `200` with the updated Space.
diff --git a/docs/api/spaces.asciidoc b/docs/api/spaces.asciidoc
new file mode 100644
index 00000000000000..ea66d50d396b99
--- /dev/null
+++ b/docs/api/spaces.asciidoc
@@ -0,0 +1,17 @@
+[role="xpack"]
+[[spaces-api]]
+== Kibana Spaces API
+
+experimental[This API is *experimental* and may be changed or removed completely in a future release. The underlying Spaces concepts are stable, but the APIs for managing Spaces are currently experimental.]
+
+The spaces API allows people to manage their spaces within {kib}.
+
+* <<spaces-api-put>>
+* <<spaces-api-post>>
+* <<spaces-api-get>>
+* <<spaces-api-delete>>
+
+include::spaces-management/put.asciidoc[]
+include::spaces-management/post.asciidoc[]
+include::spaces-management/get.asciidoc[]
+include::spaces-management/delete.asciidoc[]
diff --git a/x-pack/plugins/spaces/common/is_reserved_space.ts b/x-pack/plugins/spaces/common/is_reserved_space.ts
index 0889686aa77f59..40acd7630b66c9 100644
--- a/x-pack/plugins/spaces/common/is_reserved_space.ts
+++ b/x-pack/plugins/spaces/common/is_reserved_space.ts
@@ -13,6 +13,6 @@ import { Space } from './model/space';
  * @param space the space
  * @returns boolean
  */
-export function isReservedSpace(space: Space): boolean {
+export function isReservedSpace(space: Space | null): boolean {
   return get(space, '_reserved', false);
 }
diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index f03e8bde19afa6..3eafab6461f9e0 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -7,7 +7,8 @@
 import { resolve } from 'path';
 import { validateConfig } from './server/lib/validate_config';
 import { checkLicense } from './server/lib/check_license';
-import { initSpacesApi } from './server/routes/api/v1/spaces';
+import { initPublicSpacesApi } from './server/routes/api/public';
+import { initPrivateApis } from './server/routes/api/v1';
 import { initSpacesRequestInterceptors } from './server/lib/space_request_interceptors';
 import { createDefaultSpace } from './server/lib/create_default_space';
 import { createSpacesService } from './server/lib/create_spaces_service';
@@ -93,7 +94,8 @@ export const spaces = (kibana) => new kibana.Plugin({
       spacesSavedObjectsClientWrapperFactory(spacesService)
     );
 
-    initSpacesApi(server);
+    initPrivateApis(server);
+    initPublicSpacesApi(server);
 
     initSpacesRequestInterceptors(server);
 
diff --git a/x-pack/plugins/spaces/public/lib/spaces_manager.ts b/x-pack/plugins/spaces/public/lib/spaces_manager.ts
index a6b21f2fa5229f..53835ab122f87e 100644
--- a/x-pack/plugins/spaces/public/lib/spaces_manager.ts
+++ b/x-pack/plugins/spaces/public/lib/spaces_manager.ts
@@ -16,12 +16,12 @@ export class SpacesManager extends EventEmitter {
   constructor(httpAgent: any, chrome: any) {
     super();
     this.httpAgent = httpAgent;
-    this.baseUrl = chrome.addBasePath(`/api/spaces/v1`);
+    this.baseUrl = chrome.addBasePath(`/api/spaces`);
   }
 
   public async getSpaces(): Promise<Space[]> {
     return await this.httpAgent
-      .get(`${this.baseUrl}/spaces`)
+      .get(`${this.baseUrl}/space`)
       .then((response: IHttpResponse<Space[]>) => response.data);
   }
 
@@ -43,7 +43,7 @@ export class SpacesManager extends EventEmitter {
 
   public async changeSelectedSpace(space: Space) {
     return await this.httpAgent
-      .post(`${this.baseUrl}/space/${space.id}/select`)
+      .post(`${this.baseUrl}/v1/space/${space.id}/select`)
       .then((response: IHttpResponse<any>) => {
         if (response.data && response.data.location) {
           window.location = response.data.location;
diff --git a/x-pack/plugins/spaces/server/lib/errors.js b/x-pack/plugins/spaces/server/lib/errors.ts
similarity index 85%
rename from x-pack/plugins/spaces/server/lib/errors.js
rename to x-pack/plugins/spaces/server/lib/errors.ts
index 6996faeaac8de6..4f95c175b0f159 100644
--- a/x-pack/plugins/spaces/server/lib/errors.js
+++ b/x-pack/plugins/spaces/server/lib/errors.ts
@@ -3,9 +3,9 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-
+// @ts-ignore
 import { wrap as wrapBoom } from 'boom';
 
-export function wrapError(error) {
+export function wrapError(error: any) {
   return wrapBoom(error, error.status);
 }
diff --git a/x-pack/plugins/spaces/server/lib/route_pre_check_license.js b/x-pack/plugins/spaces/server/lib/route_pre_check_license.ts
similarity index 80%
rename from x-pack/plugins/spaces/server/lib/route_pre_check_license.js
rename to x-pack/plugins/spaces/server/lib/route_pre_check_license.ts
index 891e9fc4125a9b..449836633993c4 100644
--- a/x-pack/plugins/spaces/server/lib/route_pre_check_license.js
+++ b/x-pack/plugins/spaces/server/lib/route_pre_check_license.ts
@@ -4,12 +4,12 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-const Boom = require('boom');
+import Boom from 'boom';
 
-export function routePreCheckLicense(server) {
+export function routePreCheckLicense(server: any) {
   const xpackMainPlugin = server.plugins.xpack_main;
   const pluginId = 'spaces';
-  return function forbidApiAccess(request, reply) {
+  return function forbidApiAccess(request: any, reply: any) {
     const licenseCheckResults = xpackMainPlugin.info.feature(pluginId).getLicenseCheckResults();
     if (!licenseCheckResults.showSpaces) {
       reply(Boom.forbidden(licenseCheckResults.linksMessage));
diff --git a/x-pack/plugins/spaces/server/lib/space_schema.js b/x-pack/plugins/spaces/server/lib/space_schema.ts
similarity index 96%
rename from x-pack/plugins/spaces/server/lib/space_schema.js
rename to x-pack/plugins/spaces/server/lib/space_schema.ts
index dc60c10a36bc2b..043856235acba1 100644
--- a/x-pack/plugins/spaces/server/lib/space_schema.js
+++ b/x-pack/plugins/spaces/server/lib/space_schema.ts
@@ -13,5 +13,5 @@ export const spaceSchema = Joi.object({
   description: Joi.string(),
   initials: Joi.string().max(MAX_SPACE_INITIALS),
   color: Joi.string().regex(/^#[a-z0-9]{6}$/, `6 digit hex color, starting with a #`),
-  _reserved: Joi.boolean()
+  _reserved: Joi.boolean(),
 }).default();
diff --git a/x-pack/plugins/spaces/server/lib/spaces_url_parser.js b/x-pack/plugins/spaces/server/lib/spaces_url_parser.ts
similarity index 80%
rename from x-pack/plugins/spaces/server/lib/spaces_url_parser.js
rename to x-pack/plugins/spaces/server/lib/spaces_url_parser.ts
index 397863785e86c7..14113cbf9d8070 100644
--- a/x-pack/plugins/spaces/server/lib/spaces_url_parser.js
+++ b/x-pack/plugins/spaces/server/lib/spaces_url_parser.ts
@@ -5,8 +5,11 @@
  */
 import { DEFAULT_SPACE_ID } from '../../common/constants';
 
-export function getSpaceIdFromPath(requestBasePath = '/', serverBasePath = '/') {
-  let pathToCheck = requestBasePath;
+export function getSpaceIdFromPath(
+  requestBasePath: string = '/',
+  serverBasePath: string = '/'
+): string {
+  let pathToCheck: string = requestBasePath;
 
   if (serverBasePath && serverBasePath !== '/' && requestBasePath.startsWith(serverBasePath)) {
     pathToCheck = requestBasePath.substr(serverBasePath.length);
@@ -28,7 +31,11 @@ export function getSpaceIdFromPath(requestBasePath = '/', serverBasePath = '/')
   return spaceId;
 }
 
-export function addSpaceIdToPath(basePath = '/', spaceId = '', requestedPath = '') {
+export function addSpaceIdToPath(
+  basePath: string = '/',
+  spaceId: string = '',
+  requestedPath: string = ''
+): string {
   if (requestedPath && !requestedPath.startsWith('/')) {
     throw new Error(`path must start with a /`);
   }
diff --git a/x-pack/plugins/spaces/server/routes/api/__fixtures__/create_spaces.ts b/x-pack/plugins/spaces/server/routes/api/__fixtures__/create_spaces.ts
new file mode 100644
index 00000000000000..85284e3fc3a1c0
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/__fixtures__/create_spaces.ts
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export function createSpaces() {
+  return [
+    {
+      id: 'a-space',
+      attributes: {
+        name: 'a space',
+      },
+    },
+    {
+      id: 'b-space',
+      attributes: {
+        name: 'b space',
+      },
+    },
+    {
+      id: 'default',
+      attributes: {
+        name: 'Default Space',
+        _reserved: true,
+      },
+    },
+  ];
+}
diff --git a/x-pack/plugins/spaces/server/routes/api/__fixtures__/create_test_handler.ts b/x-pack/plugins/spaces/server/routes/api/__fixtures__/create_test_handler.ts
new file mode 100644
index 00000000000000..a184f21076d4f6
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/__fixtures__/create_test_handler.ts
@@ -0,0 +1,142 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+// @ts-ignore
+import { Server } from 'hapi';
+import { createSpaces } from './create_spaces';
+
+export interface TestConfig {
+  [configKey: string]: any;
+}
+
+export interface TestOptions {
+  setupFn?: (server: any) => void;
+  testConfig?: TestConfig;
+  payload?: any;
+  preCheckLicenseImpl?: (req: any, reply: any) => any;
+}
+
+export type TeardownFn = () => void;
+
+export interface RequestRunnerResult {
+  server: any;
+  mockSavedObjectsClient: any;
+  response: any;
+}
+
+export type RequestRunner = (
+  method: string,
+  path: string,
+  options?: TestOptions
+) => Promise<RequestRunnerResult>;
+
+export const defaultPreCheckLicenseImpl = (request: any, reply: any) => reply();
+
+const baseConfig: TestConfig = {
+  'server.basePath': '',
+};
+
+export function createTestHandler(initApiFn: (server: any, preCheckLicenseImpl: any) => void) {
+  const teardowns: TeardownFn[] = [];
+
+  const spaces = createSpaces();
+
+  const request: RequestRunner = async (
+    method: string,
+    path: string,
+    options: TestOptions = {}
+  ) => {
+    const {
+      setupFn = () => {
+        return;
+      },
+      testConfig = {},
+      payload,
+      preCheckLicenseImpl = defaultPreCheckLicenseImpl,
+    } = options;
+
+    let pre = jest.fn();
+    if (preCheckLicenseImpl) {
+      pre = pre.mockImplementation(preCheckLicenseImpl);
+    }
+
+    const server = new Server();
+
+    const config = {
+      ...baseConfig,
+      ...testConfig,
+    };
+
+    server.connection({ port: 0 });
+
+    await setupFn(server);
+
+    server.decorate(
+      'server',
+      'config',
+      jest.fn(() => {
+        return {
+          get: (key: string) => config[key],
+        };
+      })
+    );
+
+    initApiFn(server, pre);
+
+    server.decorate('request', 'getBasePath', jest.fn());
+    server.decorate('request', 'setBasePath', jest.fn());
+
+    // Mock server.getSavedObjectsClient()
+    const mockSavedObjectsClient = {
+      get: jest.fn((type, id) => {
+        return spaces.filter(s => s.id === id)[0];
+      }),
+      find: jest.fn(() => {
+        return {
+          total: spaces.length,
+          saved_objects: spaces,
+        };
+      }),
+      create: jest.fn(() => ({})),
+      update: jest.fn(() => ({})),
+      delete: jest.fn(),
+      errors: {
+        isNotFoundError: jest.fn(() => true),
+      },
+    };
+
+    server.decorate('request', 'getSavedObjectsClient', () => mockSavedObjectsClient);
+
+    teardowns.push(() => server.stop());
+
+    const testRun = async () => {
+      const response = await server.inject({
+        method,
+        url: path,
+        payload,
+      });
+
+      if (preCheckLicenseImpl) {
+        expect(pre).toHaveBeenCalled();
+      } else {
+        expect(pre).not.toHaveBeenCalled();
+      }
+
+      return response;
+    };
+
+    return {
+      server,
+      mockSavedObjectsClient,
+      response: await testRun(),
+    };
+  };
+
+  return {
+    request,
+    teardowns,
+  };
+}
diff --git a/x-pack/plugins/spaces/server/routes/api/__fixtures__/index.ts b/x-pack/plugins/spaces/server/routes/api/__fixtures__/index.ts
new file mode 100644
index 00000000000000..37fe32c80032e5
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/__fixtures__/index.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { createSpaces } from './create_spaces';
+export {
+  createTestHandler,
+  TestConfig,
+  TestOptions,
+  TeardownFn,
+  RequestRunner,
+  RequestRunnerResult,
+} from './create_test_handler';
diff --git a/x-pack/plugins/spaces/server/routes/api/public/delete.test.ts b/x-pack/plugins/spaces/server/routes/api/public/delete.test.ts
new file mode 100644
index 00000000000000..523b5a2cb2e7b0
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/public/delete.test.ts
@@ -0,0 +1,85 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+jest.mock('../../../lib/route_pre_check_license', () => {
+  return {
+    routePreCheckLicense: () => (request: any, reply: any) => reply.continue(),
+  };
+});
+
+jest.mock('../../../../../../server/lib/get_client_shield', () => {
+  return {
+    getClient: () => {
+      return {
+        callWithInternalUser: jest.fn(() => {
+          return;
+        }),
+      };
+    },
+  };
+});
+import Boom from 'boom';
+import { createTestHandler, RequestRunner, TeardownFn } from '../__fixtures__';
+import { initDeleteSpacesApi } from './delete';
+
+describe('Spaces Public API', () => {
+  let request: RequestRunner;
+  let teardowns: TeardownFn[];
+
+  beforeEach(() => {
+    const setup = createTestHandler(initDeleteSpacesApi);
+
+    request = setup.request;
+    teardowns = setup.teardowns;
+  });
+
+  afterEach(async () => {
+    await Promise.all(teardowns.splice(0).map(fn => fn()));
+  });
+
+  test(`'DELETE spaces/{id}' deletes the space`, async () => {
+    const { response } = await request('DELETE', '/api/spaces/space/a-space');
+
+    const { statusCode } = response;
+
+    expect(statusCode).toEqual(204);
+  });
+
+  test(`returns result of routePreCheckLicense`, async () => {
+    const { response } = await request('DELETE', '/api/spaces/space/a-space', {
+      preCheckLicenseImpl: (req: any, reply: any) =>
+        reply(Boom.forbidden('test forbidden message')),
+    });
+
+    const { statusCode, payload } = response;
+
+    expect(statusCode).toEqual(403);
+    expect(JSON.parse(payload)).toMatchObject({
+      message: 'test forbidden message',
+    });
+  });
+
+  test('DELETE spaces/{id} pretends to delete a non-existent space', async () => {
+    const { response } = await request('DELETE', '/api/spaces/space/not-a-space');
+
+    const { statusCode } = response;
+
+    expect(statusCode).toEqual(204);
+  });
+
+  test(`'DELETE spaces/{id}' cannot delete reserved spaces`, async () => {
+    const { response } = await request('DELETE', '/api/spaces/space/default');
+
+    const { statusCode, payload } = response;
+
+    expect(statusCode).toEqual(400);
+    expect(JSON.parse(payload)).toEqual({
+      statusCode: 400,
+      error: 'Bad Request',
+      message: 'This Space cannot be deleted because it is reserved.',
+    });
+  });
+});
diff --git a/x-pack/plugins/spaces/server/routes/api/public/delete.ts b/x-pack/plugins/spaces/server/routes/api/public/delete.ts
new file mode 100644
index 00000000000000..9937b786ccfa71
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/public/delete.ts
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Boom from 'boom';
+import { isReservedSpace } from '../../../../common/is_reserved_space';
+import { wrapError } from '../../../lib/errors';
+import { getSpaceById } from '../../lib';
+
+export function initDeleteSpacesApi(server: any, routePreCheckLicenseFn: any) {
+  server.route({
+    method: 'DELETE',
+    path: '/api/spaces/space/{id}',
+    async handler(request: any, reply: any) {
+      const client = request.getSavedObjectsClient();
+
+      const id = request.params.id;
+
+      let result;
+
+      try {
+        const existingSpace = await getSpaceById(client, id);
+        if (isReservedSpace(existingSpace)) {
+          return reply(
+            wrapError(Boom.badRequest('This Space cannot be deleted because it is reserved.'))
+          );
+        }
+
+        result = await client.delete('space', id);
+      } catch (error) {
+        return reply(wrapError(error));
+      }
+
+      return reply(result).code(204);
+    },
+    config: {
+      pre: [routePreCheckLicenseFn],
+    },
+  });
+}
diff --git a/x-pack/plugins/spaces/server/routes/api/public/get.test.ts b/x-pack/plugins/spaces/server/routes/api/public/get.test.ts
new file mode 100644
index 00000000000000..4d04759b283a8b
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/public/get.test.ts
@@ -0,0 +1,86 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+jest.mock('../../../lib/route_pre_check_license', () => {
+  return {
+    routePreCheckLicense: () => (request: any, reply: any) => reply.continue(),
+  };
+});
+
+jest.mock('../../../../../../server/lib/get_client_shield', () => {
+  return {
+    getClient: () => {
+      return {
+        callWithInternalUser: jest.fn(() => {
+          return;
+        }),
+      };
+    },
+  };
+});
+import Boom from 'boom';
+import { Space } from '../../../../common/model/space';
+import { createSpaces, createTestHandler, RequestRunner, TeardownFn } from '../__fixtures__';
+import { initGetSpacesApi } from './get';
+
+describe('GET spaces', () => {
+  let request: RequestRunner;
+  let teardowns: TeardownFn[];
+  const spaces = createSpaces();
+
+  beforeEach(() => {
+    const setup = createTestHandler(initGetSpacesApi);
+
+    request = setup.request;
+    teardowns = setup.teardowns;
+  });
+
+  afterEach(async () => {
+    await Promise.all(teardowns.splice(0).map(fn => fn()));
+  });
+
+  test(`'GET spaces' returns all available spaces`, async () => {
+    const { response } = await request('GET', '/api/spaces/space');
+
+    const { statusCode, payload } = response;
+
+    expect(statusCode).toEqual(200);
+    const resultSpaces: Space[] = JSON.parse(payload);
+    expect(resultSpaces.map(s => s.id)).toEqual(spaces.map(s => s.id));
+  });
+
+  test(`returns result of routePreCheckLicense`, async () => {
+    const { response } = await request('GET', '/api/spaces/space', {
+      preCheckLicenseImpl: (req: any, reply: any) =>
+        reply(Boom.forbidden('test forbidden message')),
+    });
+
+    const { statusCode, payload } = response;
+
+    expect(statusCode).toEqual(403);
+    expect(JSON.parse(payload)).toMatchObject({
+      message: 'test forbidden message',
+    });
+  });
+
+  test(`'GET spaces/{id}' returns the space with that id`, async () => {
+    const { response } = await request('GET', '/api/spaces/space/default');
+
+    const { statusCode, payload } = response;
+
+    expect(statusCode).toEqual(200);
+    const resultSpace = JSON.parse(payload);
+    expect(resultSpace.id).toEqual('default');
+  });
+
+  test(`'GET spaces/{id}' returns 404 when retrieving a non-existent space`, async () => {
+    const { response } = await request('GET', '/api/spaces/space/not-a-space');
+
+    const { statusCode } = response;
+
+    expect(statusCode).toEqual(404);
+  });
+});
diff --git a/x-pack/plugins/spaces/server/routes/api/public/get.ts b/x-pack/plugins/spaces/server/routes/api/public/get.ts
new file mode 100644
index 00000000000000..95f1d273a8f6b2
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/public/get.ts
@@ -0,0 +1,61 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Boom from 'boom';
+import { wrapError } from '../../../lib/errors';
+import { convertSavedObjectToSpace } from '../../lib';
+
+export function initGetSpacesApi(server: any, routePreCheckLicenseFn: any) {
+  server.route({
+    method: 'GET',
+    path: '/api/spaces/space',
+    async handler(request: any, reply: any) {
+      const client = request.getSavedObjectsClient();
+
+      let spaces;
+
+      try {
+        const result = await client.find({
+          type: 'space',
+          sortField: 'name.keyword',
+        });
+
+        spaces = result.saved_objects.map(convertSavedObjectToSpace);
+      } catch (error) {
+        return reply(wrapError(error));
+      }
+
+      return reply(spaces);
+    },
+    config: {
+      pre: [routePreCheckLicenseFn],
+    },
+  });
+
+  server.route({
+    method: 'GET',
+    path: '/api/spaces/space/{id}',
+    async handler(request: any, reply: any) {
+      const spaceId = request.params.id;
+
+      const client = request.getSavedObjectsClient();
+
+      try {
+        const response = await client.get('space', spaceId);
+
+        return reply(convertSavedObjectToSpace(response));
+      } catch (error) {
+        if (client.errors.isNotFoundError(error)) {
+          return reply(Boom.notFound());
+        }
+        return reply(wrapError(error));
+      }
+    },
+    config: {
+      pre: [routePreCheckLicenseFn],
+    },
+  });
+}
diff --git a/x-pack/plugins/spaces/server/routes/api/public/index.ts b/x-pack/plugins/spaces/server/routes/api/public/index.ts
new file mode 100644
index 00000000000000..602b62ab26d06f
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/public/index.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { routePreCheckLicense } from '../../../lib/route_pre_check_license';
+import { initDeleteSpacesApi } from './delete';
+import { initGetSpacesApi } from './get';
+import { initPostSpacesApi } from './post';
+import { initPutSpacesApi } from './put';
+
+export function initPublicSpacesApi(server: any) {
+  const routePreCheckLicenseFn = routePreCheckLicense(server);
+
+  initDeleteSpacesApi(server, routePreCheckLicenseFn);
+  initGetSpacesApi(server, routePreCheckLicenseFn);
+  initPostSpacesApi(server, routePreCheckLicenseFn);
+  initPutSpacesApi(server, routePreCheckLicenseFn);
+}
diff --git a/x-pack/plugins/spaces/server/routes/api/public/post.test.ts b/x-pack/plugins/spaces/server/routes/api/public/post.test.ts
new file mode 100644
index 00000000000000..f97931d36ed664
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/public/post.test.ts
@@ -0,0 +1,106 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+jest.mock('../../../lib/route_pre_check_license', () => {
+  return {
+    routePreCheckLicense: () => (request: any, reply: any) => reply.continue(),
+  };
+});
+
+jest.mock('../../../../../../server/lib/get_client_shield', () => {
+  return {
+    getClient: () => {
+      return {
+        callWithInternalUser: jest.fn(() => {
+          return;
+        }),
+      };
+    },
+  };
+});
+
+import Boom from 'boom';
+import { createTestHandler, RequestRunner, TeardownFn } from '../__fixtures__';
+import { initPostSpacesApi } from './post';
+
+describe('Spaces Public API', () => {
+  let request: RequestRunner;
+  let teardowns: TeardownFn[];
+
+  beforeEach(() => {
+    const setup = createTestHandler(initPostSpacesApi);
+
+    request = setup.request;
+    teardowns = setup.teardowns;
+  });
+
+  afterEach(async () => {
+    await Promise.all(teardowns.splice(0).map(fn => fn()));
+  });
+
+  test('POST /space should create a new space with the provided ID', async () => {
+    const payload = {
+      id: 'my-space-id',
+      name: 'my new space',
+      description: 'with a description',
+    };
+
+    const { mockSavedObjectsClient, response } = await request('POST', '/api/spaces/space', {
+      payload,
+    });
+
+    const { statusCode } = response;
+
+    expect(statusCode).toEqual(200);
+    expect(mockSavedObjectsClient.create).toHaveBeenCalledTimes(1);
+    expect(mockSavedObjectsClient.create).toHaveBeenCalledWith(
+      'space',
+      { name: 'my new space', description: 'with a description' },
+      { id: 'my-space-id', overwrite: false }
+    );
+  });
+
+  test(`returns result of routePreCheckLicense`, async () => {
+    const payload = {
+      id: 'my-space-id',
+      name: 'my new space',
+      description: 'with a description',
+    };
+
+    const { response } = await request('POST', '/api/spaces/space', {
+      preCheckLicenseImpl: (req: any, reply: any) =>
+        reply(Boom.forbidden('test forbidden message')),
+      payload,
+    });
+
+    const { statusCode, payload: responsePayload } = response;
+
+    expect(statusCode).toEqual(403);
+    expect(JSON.parse(responsePayload)).toMatchObject({
+      message: 'test forbidden message',
+    });
+  });
+
+  test('POST /space should not allow a space to be updated', async () => {
+    const payload = {
+      id: 'a-space',
+      name: 'my updated space',
+      description: 'with a description',
+    };
+
+    const { response } = await request('POST', '/api/spaces/space', { payload });
+
+    const { statusCode, payload: responsePayload } = response;
+
+    expect(statusCode).toEqual(409);
+    expect(JSON.parse(responsePayload)).toEqual({
+      error: 'Conflict',
+      message:
+        'A space with the identifier a-space already exists. Please choose a different identifier',
+      statusCode: 409,
+    });
+  });
+});
diff --git a/x-pack/plugins/spaces/server/routes/api/public/post.ts b/x-pack/plugins/spaces/server/routes/api/public/post.ts
new file mode 100644
index 00000000000000..fd51390af50230
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/public/post.ts
@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Boom from 'boom';
+import { omit } from 'lodash';
+import { wrapError } from '../../../lib/errors';
+import { spaceSchema } from '../../../lib/space_schema';
+import { getSpaceById } from '../../lib';
+
+export function initPostSpacesApi(server: any, routePreCheckLicenseFn: any) {
+  server.route({
+    method: 'POST',
+    path: '/api/spaces/space',
+    async handler(request: any, reply: any) {
+      const client = request.getSavedObjectsClient();
+
+      const space = omit(request.payload, ['id', '_reserved']);
+
+      const id = request.payload.id;
+
+      const existingSpace = await getSpaceById(client, id);
+      if (existingSpace) {
+        return reply(
+          Boom.conflict(
+            `A space with the identifier ${id} already exists. Please choose a different identifier`
+          )
+        );
+      }
+
+      try {
+        return reply(await client.create('space', { ...space }, { id, overwrite: false }));
+      } catch (error) {
+        return reply(wrapError(error));
+      }
+    },
+    config: {
+      validate: {
+        payload: spaceSchema,
+      },
+      pre: [routePreCheckLicenseFn],
+    },
+  });
+}
diff --git a/x-pack/plugins/spaces/server/routes/api/public/put.test.ts b/x-pack/plugins/spaces/server/routes/api/public/put.test.ts
new file mode 100644
index 00000000000000..2af4fc9bbeaf3b
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/public/put.test.ts
@@ -0,0 +1,97 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+jest.mock('../../../lib/route_pre_check_license', () => {
+  return {
+    routePreCheckLicense: () => (request: any, reply: any) => reply.continue(),
+  };
+});
+
+jest.mock('../../../../../../server/lib/get_client_shield', () => {
+  return {
+    getClient: () => {
+      return {
+        callWithInternalUser: jest.fn(() => {
+          return;
+        }),
+      };
+    },
+  };
+});
+import Boom from 'boom';
+import { createTestHandler, RequestRunner, TeardownFn } from '../__fixtures__';
+import { initPutSpacesApi } from './put';
+
+describe('Spaces Public API', () => {
+  let request: RequestRunner;
+  let teardowns: TeardownFn[];
+
+  beforeEach(() => {
+    const setup = createTestHandler(initPutSpacesApi);
+
+    request = setup.request;
+    teardowns = setup.teardowns;
+  });
+
+  afterEach(async () => {
+    await Promise.all(teardowns.splice(0).map(fn => fn()));
+  });
+
+  test('PUT /space should update an existing space with the provided ID', async () => {
+    const payload = {
+      id: 'a-space',
+      name: 'my updated space',
+      description: 'with a description',
+    };
+
+    const { mockSavedObjectsClient, response } = await request('PUT', '/api/spaces/space/a-space', {
+      payload,
+    });
+
+    const { statusCode } = response;
+
+    expect(statusCode).toEqual(200);
+    expect(mockSavedObjectsClient.update).toHaveBeenCalledTimes(1);
+    expect(mockSavedObjectsClient.update).toHaveBeenCalledWith('space', 'a-space', {
+      name: 'my updated space',
+      description: 'with a description',
+    });
+  });
+
+  test(`returns result of routePreCheckLicense`, async () => {
+    const payload = {
+      id: 'a-space',
+      name: 'my updated space',
+      description: 'with a description',
+    };
+
+    const { response } = await request('PUT', '/api/spaces/space/a-space', {
+      preCheckLicenseImpl: (req: any, reply: any) =>
+        reply(Boom.forbidden('test forbidden message')),
+      payload,
+    });
+
+    const { statusCode, payload: responsePayload } = response;
+
+    expect(statusCode).toEqual(403);
+    expect(JSON.parse(responsePayload)).toMatchObject({
+      message: 'test forbidden message',
+    });
+  });
+
+  test('PUT /space should not allow a new space to be created', async () => {
+    const payload = {
+      id: 'a-new-space',
+      name: 'my new space',
+      description: 'with a description',
+    };
+
+    const { response } = await request('PUT', '/api/spaces/space/a-new-space', { payload });
+
+    const { statusCode } = response;
+
+    expect(statusCode).toEqual(404);
+  });
+});
diff --git a/x-pack/plugins/spaces/server/routes/api/public/put.ts b/x-pack/plugins/spaces/server/routes/api/public/put.ts
new file mode 100644
index 00000000000000..093d7c777e7864
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/public/put.ts
@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Boom from 'boom';
+import { omit } from 'lodash';
+import { Space } from '../../../../common/model/space';
+import { wrapError } from '../../../lib/errors';
+import { spaceSchema } from '../../../lib/space_schema';
+import { convertSavedObjectToSpace, getSpaceById } from '../../lib';
+
+export function initPutSpacesApi(server: any, routePreCheckLicenseFn: any) {
+  server.route({
+    method: 'PUT',
+    path: '/api/spaces/space/{id}',
+    async handler(request: any, reply: any) {
+      const client = request.getSavedObjectsClient();
+
+      const space: Space = omit(request.payload, ['id']);
+      const id = request.params.id;
+
+      const existingSpace = await getSpaceById(client, id);
+
+      if (existingSpace) {
+        space._reserved = existingSpace._reserved;
+      } else {
+        return reply(Boom.notFound(`Unable to find space with ID ${id}`));
+      }
+
+      let result;
+      try {
+        result = await client.update('space', id, { ...space });
+      } catch (error) {
+        return reply(wrapError(error));
+      }
+
+      const updatedSpace = convertSavedObjectToSpace(result);
+      return reply(updatedSpace);
+    },
+    config: {
+      validate: {
+        payload: spaceSchema,
+      },
+      pre: [routePreCheckLicenseFn],
+    },
+  });
+}
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/index.ts b/x-pack/plugins/spaces/server/routes/api/v1/index.ts
new file mode 100644
index 00000000000000..75659c14c03aee
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/v1/index.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { routePreCheckLicense } from '../../../lib/route_pre_check_license';
+import { initPrivateSpacesApi } from './spaces';
+
+export function initPrivateApis(server: any) {
+  const routePreCheckLicenseFn = routePreCheckLicense(server);
+  initPrivateSpacesApi(server, routePreCheckLicenseFn);
+}
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
deleted file mode 100644
index 5d250c1c92c07a..00000000000000
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.js
+++ /dev/null
@@ -1,202 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import Boom from 'boom';
-import { omit } from 'lodash';
-import { routePreCheckLicense } from '../../../lib/route_pre_check_license';
-import { spaceSchema } from '../../../lib/space_schema';
-import { wrapError } from '../../../lib/errors';
-import { isReservedSpace } from '../../../../common/is_reserved_space';
-import { addSpaceIdToPath } from '../../../lib/spaces_url_parser';
-
-export function initSpacesApi(server) {
-  const routePreCheckLicenseFn = routePreCheckLicense(server);
-
-  function convertSavedObjectToSpace(savedObject) {
-    return {
-      id: savedObject.id,
-      ...savedObject.attributes
-    };
-  }
-
-  server.route({
-    method: 'GET',
-    path: '/api/spaces/v1/spaces',
-    async handler(request, reply) {
-      const client = request.getSavedObjectsClient();
-
-      let spaces;
-
-      try {
-        const result = await client.find({
-          type: 'space',
-          sortField: 'name.keyword',
-        });
-
-        spaces = result.saved_objects.map(convertSavedObjectToSpace);
-      } catch (error) {
-        return reply(wrapError(error));
-      }
-
-      return reply(spaces);
-    },
-    config: {
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-
-  server.route({
-    method: 'GET',
-    path: '/api/spaces/v1/space/{id}',
-    async handler(request, reply) {
-      const spaceId = request.params.id;
-
-      const client = request.getSavedObjectsClient();
-
-      try {
-        const response = await client.get('space', spaceId);
-
-        return reply(convertSavedObjectToSpace(response));
-      } catch (error) {
-        return reply(wrapError(error));
-      }
-    },
-    config: {
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-
-  server.route({
-    method: 'POST',
-    path: '/api/spaces/v1/space',
-    async handler(request, reply) {
-      const client = request.getSavedObjectsClient();
-
-      const space = omit(request.payload, ['id', '_reserved']);
-
-      const id = request.payload.id;
-
-      const existingSpace = await getSpaceById(client, id);
-      if (existingSpace) {
-        return reply(Boom.conflict(`A space with the identifier ${id} already exists. Please choose a different identifier`));
-      }
-
-      try {
-        return reply(await client.create('space', { ...space }, { id, overwrite: false }));
-      } catch (error) {
-        return reply(wrapError(error));
-      }
-
-    },
-    config: {
-      validate: {
-        payload: spaceSchema
-      },
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-
-  server.route({
-    method: 'PUT',
-    path: '/api/spaces/v1/space/{id}',
-    async handler(request, reply) {
-      const client = request.getSavedObjectsClient();
-
-      const space = omit(request.payload, ['id']);
-      const id = request.params.id;
-
-      const existingSpace = await getSpaceById(client, id);
-
-      if (existingSpace) {
-        space._reserved = existingSpace._reserved;
-      } else {
-        return reply(Boom.notFound(`Unable to find space with ID ${id}`));
-      }
-
-      let result;
-      try {
-        result = await client.update('space', id, { ...space });
-      } catch (error) {
-        return reply(wrapError(error));
-      }
-
-      const updatedSpace = convertSavedObjectToSpace(result);
-      return reply(updatedSpace);
-    },
-    config: {
-      validate: {
-        payload: spaceSchema
-      },
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-
-  server.route({
-    method: 'DELETE',
-    path: '/api/spaces/v1/space/{id}',
-    async handler(request, reply) {
-      const client = request.getSavedObjectsClient();
-
-      const id = request.params.id;
-
-      let result;
-
-      try {
-        const existingSpace = await getSpaceById(client, id);
-        if (isReservedSpace(existingSpace)) {
-          return reply(wrapError(Boom.badRequest('This Space cannot be deleted because it is reserved.')));
-        }
-
-        result = await client.delete('space', id);
-      } catch (error) {
-        return reply(wrapError(error));
-      }
-
-      return reply(result).code(204);
-    },
-    config: {
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-
-  server.route({
-    method: 'POST',
-    path: '/api/spaces/v1/space/{id}/select',
-    async handler(request, reply) {
-      const client = request.getSavedObjectsClient();
-
-      const id = request.params.id;
-
-      try {
-        const existingSpace = await getSpaceById(client, id);
-
-        const config = server.config();
-
-        return reply({
-          location: addSpaceIdToPath(config.get('server.basePath'), existingSpace.id, config.get('server.defaultRoute'))
-        });
-
-      } catch (error) {
-        return reply(wrapError(error));
-      }
-    }
-  });
-
-  async function getSpaceById(client, spaceId) {
-    try {
-      const existingSpace = await client.get('space', spaceId);
-      return {
-        id: existingSpace.id,
-        ...existingSpace.attributes
-      };
-    } catch (error) {
-      if (client.errors.isNotFoundError(error)) {
-        return null;
-      }
-      throw error;
-    }
-  }
-}
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js b/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js
deleted file mode 100644
index fb957e4586343a..00000000000000
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.js
+++ /dev/null
@@ -1,281 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { Server } from 'hapi';
-import { initSpacesApi } from './spaces';
-
-jest.mock('../../../lib/route_pre_check_license', () => {
-  return {
-    routePreCheckLicense: () => (request, reply) => reply.continue()
-  };
-});
-
-jest.mock('../../../../../../server/lib/get_client_shield', () => {
-  return {
-    getClient: () => {
-      return {
-        callWithInternalUser: jest.fn(() => { })
-      };
-    }
-  };
-});
-
-const spaces = [{
-  id: 'a-space',
-  attributes: {
-    name: 'a space',
-  }
-}, {
-  id: 'b-space',
-  attributes: {
-    name: 'b space',
-  }
-}, {
-  id: 'default',
-  attributes: {
-    name: 'Default Space',
-    _reserved: true
-  }
-}];
-
-describe('Spaces API', () => {
-  const teardowns = [];
-  let request;
-
-  const baseConfig = {
-    'server.basePath': ''
-  };
-
-  beforeEach(() => {
-    request = async (method, path, options = {}) => {
-
-      const {
-        setupFn = () => { },
-        testConfig = {},
-        payload,
-      } = options;
-
-      const server = new Server();
-
-      const config = {
-        ...baseConfig,
-        ...testConfig
-      };
-
-      server.connection({ port: 0 });
-
-      await setupFn(server);
-
-      server.decorate('server', 'config', jest.fn(() => {
-        return {
-          get: (key) => config[key]
-        };
-      }));
-
-      initSpacesApi(server);
-
-      server.decorate('request', 'getBasePath', jest.fn());
-      server.decorate('request', 'setBasePath', jest.fn());
-
-      // Mock server.getSavedObjectsClient()
-      const mockSavedObjectsClient = {
-        get: jest.fn((type, id) => {
-          return spaces.filter(s => s.id === id)[0];
-        }),
-        find: jest.fn(() => {
-          return {
-            total: spaces.length,
-            saved_objects: spaces
-          };
-        }),
-        create: jest.fn(() => ({})),
-        update: jest.fn(() => ({})),
-        delete: jest.fn(),
-        errors: {
-          isNotFoundError: jest.fn(() => true)
-        }
-      };
-
-      server.decorate('request', 'getSavedObjectsClient', () => mockSavedObjectsClient);
-
-      teardowns.push(() => server.stop());
-
-      return {
-        server,
-        mockSavedObjectsClient,
-        response: await server.inject({
-          method,
-          url: path,
-          payload,
-        })
-      };
-    };
-  });
-
-  afterEach(async () => {
-    await Promise.all(teardowns.splice(0).map(fn => fn()));
-  });
-
-  test(`'GET spaces' returns all available spaces`, async () => {
-    const { response } = await request('GET', '/api/spaces/v1/spaces');
-
-    const {
-      statusCode,
-      payload
-    } = response;
-
-    expect(statusCode).toEqual(200);
-    const resultSpaces = JSON.parse(payload);
-    expect(resultSpaces.map(s => s.id)).toEqual(spaces.map(s => s.id));
-  });
-
-  test(`'GET spaces/{id}' returns the space with that id`, async () => {
-    const { response } = await request('GET', '/api/spaces/v1/space/default');
-
-    const {
-      statusCode,
-      payload
-    } = response;
-
-    expect(statusCode).toEqual(200);
-    const resultSpace = JSON.parse(payload);
-    expect(resultSpace.id).toEqual('default');
-  });
-
-  test(`'DELETE spaces/{id}' deletes the space`, async () => {
-    const { response } = await request('DELETE', '/api/spaces/v1/space/a-space');
-
-    const {
-      statusCode
-    } = response;
-
-    expect(statusCode).toEqual(204);
-  });
-
-  test(`'DELETE spaces/{id}' cannot delete reserved spaces`, async () => {
-    const { response } = await request('DELETE', '/api/spaces/v1/space/default');
-
-    const {
-      statusCode,
-      payload
-    } = response;
-
-    expect(statusCode).toEqual(400);
-    expect(JSON.parse(payload)).toEqual({
-      statusCode: 400,
-      error: "Bad Request",
-      message: "This Space cannot be deleted because it is reserved."
-    });
-  });
-
-  test('POST /space should create a new space with the provided ID', async () => {
-    const payload = {
-      id: 'my-space-id',
-      name: 'my new space',
-      description: 'with a description',
-    };
-
-    const { mockSavedObjectsClient, response } = await request('POST', '/api/spaces/v1/space', { payload });
-
-    const {
-      statusCode,
-    } = response;
-
-    expect(statusCode).toEqual(200);
-    expect(mockSavedObjectsClient.create).toHaveBeenCalledTimes(1);
-    expect(mockSavedObjectsClient.create)
-      .toHaveBeenCalledWith('space', { name: 'my new space', description: 'with a description' }, { id: 'my-space-id', overwrite: false });
-  });
-
-  test('POST /space should not allow a space to be updated', async () => {
-    const payload = {
-      id: 'a-space',
-      name: 'my updated space',
-      description: 'with a description',
-    };
-
-    const { response } = await request('POST', '/api/spaces/v1/space', { payload });
-
-    const {
-      statusCode,
-      payload: responsePayload,
-    } = response;
-
-    expect(statusCode).toEqual(409);
-    expect(JSON.parse(responsePayload)).toEqual({
-      error: 'Conflict',
-      message: "A space with the identifier a-space already exists. Please choose a different identifier",
-      statusCode: 409
-    });
-  });
-
-  test('PUT /space should update an existing space with the provided ID', async () => {
-    const payload = {
-      id: 'a-space',
-      name: 'my updated space',
-      description: 'with a description',
-    };
-
-    const { mockSavedObjectsClient, response } = await request('PUT', '/api/spaces/v1/space/a-space', { payload });
-
-    const {
-      statusCode,
-    } = response;
-
-    expect(statusCode).toEqual(200);
-    expect(mockSavedObjectsClient.update).toHaveBeenCalledTimes(1);
-    expect(mockSavedObjectsClient.update)
-      .toHaveBeenCalledWith('space', 'a-space', { name: 'my updated space', description: 'with a description' });
-  });
-
-  test('PUT /space should not allow a new space to be created', async () => {
-    const payload = {
-      id: 'a-new-space',
-      name: 'my new space',
-      description: 'with a description',
-    };
-
-    const { response } = await request('PUT', '/api/spaces/v1/space/a-new-space', { payload });
-
-    const {
-      statusCode,
-    } = response;
-
-    expect(statusCode).toEqual(404);
-  });
-
-  test('POST space/{id}/select should respond with the new space location', async () => {
-    const { response } = await request('POST', '/api/spaces/v1/space/a-space/select');
-
-    const {
-      statusCode,
-      payload
-    } = response;
-
-    expect(statusCode).toEqual(200);
-
-    const result = JSON.parse(payload);
-    expect(result.location).toEqual('/s/a-space');
-  });
-
-  test('POST space/{id}/select should respond with the new space location when a server.basePath is in use', async () => {
-    const testConfig = {
-      'server.basePath': '/my/base/path'
-    };
-
-    const { response } = await request('POST', '/api/spaces/v1/space/a-space/select', { testConfig });
-
-    const {
-      statusCode,
-      payload
-    } = response;
-
-    expect(statusCode).toEqual(200);
-
-    const result = JSON.parse(payload);
-    expect(result.location).toEqual('/my/base/path/s/a-space');
-  });
-});
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.ts b/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.ts
new file mode 100644
index 00000000000000..bbdab1be349101
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.ts
@@ -0,0 +1,93 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+jest.mock('../../../lib/route_pre_check_license', () => {
+  return {
+    routePreCheckLicense: () => (request: any, reply: any) => reply.continue(),
+  };
+});
+
+jest.mock('../../../../../../server/lib/get_client_shield', () => {
+  return {
+    getClient: () => {
+      return {
+        callWithInternalUser: jest.fn(() => {
+          return;
+        }),
+      };
+    },
+  };
+});
+
+import Boom from 'boom';
+import { createTestHandler, RequestRunner, TeardownFn } from '../__fixtures__';
+import { initPrivateSpacesApi } from './spaces';
+
+describe('Spaces API', () => {
+  let request: RequestRunner;
+  let teardowns: TeardownFn[];
+
+  beforeEach(() => {
+    const setup = createTestHandler(initPrivateSpacesApi);
+
+    request = setup.request;
+    teardowns = setup.teardowns;
+  });
+
+  afterEach(async () => {
+    await Promise.all(teardowns.splice(0).map(fn => fn()));
+  });
+
+  test('POST space/{id}/select should respond with the new space location', async () => {
+    const { response } = await request('POST', '/api/spaces/v1/space/a-space/select');
+
+    const { statusCode, payload } = response;
+
+    expect(statusCode).toEqual(200);
+
+    const result = JSON.parse(payload);
+    expect(result.location).toEqual('/s/a-space');
+  });
+
+  test(`returns result of routePreCheckLicense`, async () => {
+    const { response } = await request('POST', '/api/spaces/v1/space/a-space/select', {
+      preCheckLicenseImpl: (req: any, reply: any) =>
+        reply(Boom.forbidden('test forbidden message')),
+    });
+
+    const { statusCode, payload } = response;
+
+    expect(statusCode).toEqual(403);
+    expect(JSON.parse(payload)).toMatchObject({
+      message: 'test forbidden message',
+    });
+  });
+
+  test('POST space/{id}/select should respond with 404 when the space is not found', async () => {
+    const { response } = await request('POST', '/api/spaces/v1/space/not-a-space/select');
+
+    const { statusCode } = response;
+
+    expect(statusCode).toEqual(404);
+  });
+
+  test('POST space/{id}/select should respond with the new space location when a server.basePath is in use', async () => {
+    const testConfig = {
+      'server.basePath': '/my/base/path',
+    };
+
+    const { response } = await request('POST', '/api/spaces/v1/space/a-space/select', {
+      testConfig,
+    });
+
+    const { statusCode, payload } = response;
+
+    expect(statusCode).toEqual(200);
+
+    const result = JSON.parse(payload);
+    expect(result.location).toEqual('/my/base/path/s/a-space');
+  });
+});
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.ts b/x-pack/plugins/spaces/server/routes/api/v1/spaces.ts
new file mode 100644
index 00000000000000..0233cb76b96d85
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.ts
@@ -0,0 +1,45 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Boom from 'boom';
+import { Space } from '../../../../common/model/space';
+import { wrapError } from '../../../lib/errors';
+import { addSpaceIdToPath } from '../../../lib/spaces_url_parser';
+import { getSpaceById } from '../../lib';
+
+export function initPrivateSpacesApi(server: any, routePreCheckLicenseFn: any) {
+  server.route({
+    method: 'POST',
+    path: '/api/spaces/v1/space/{id}/select',
+    async handler(request: any, reply: any) {
+      const client = request.getSavedObjectsClient();
+
+      const id = request.params.id;
+
+      try {
+        const existingSpace: Space | null = await getSpaceById(client, id);
+        if (!existingSpace) {
+          return reply(Boom.notFound());
+        }
+
+        const config = server.config();
+
+        return reply({
+          location: addSpaceIdToPath(
+            config.get('server.basePath'),
+            existingSpace.id,
+            config.get('server.defaultRoute')
+          ),
+        });
+      } catch (error) {
+        return reply(wrapError(error));
+      }
+    },
+    config: {
+      pre: [routePreCheckLicenseFn],
+    },
+  });
+}
diff --git a/x-pack/plugins/spaces/server/routes/lib/convert_saved_object_to_space.test.ts b/x-pack/plugins/spaces/server/routes/lib/convert_saved_object_to_space.test.ts
new file mode 100644
index 00000000000000..31738ff5628658
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/lib/convert_saved_object_to_space.test.ts
@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { convertSavedObjectToSpace } from './convert_saved_object_to_space';
+
+describe('convertSavedObjectToSpace', () => {
+  it('converts a saved object representation to a Space object', () => {
+    const savedObject = {
+      id: 'foo',
+      attributes: {
+        name: 'Foo Space',
+        description: 'no fighting',
+        _reserved: false,
+      },
+    };
+
+    expect(convertSavedObjectToSpace(savedObject)).toEqual({
+      id: 'foo',
+      name: 'Foo Space',
+      description: 'no fighting',
+      _reserved: false,
+    });
+  });
+});
diff --git a/x-pack/plugins/spaces/server/routes/lib/convert_saved_object_to_space.ts b/x-pack/plugins/spaces/server/routes/lib/convert_saved_object_to_space.ts
new file mode 100644
index 00000000000000..d3ee173a2e80fe
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/lib/convert_saved_object_to_space.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { Space } from '../../../common/model/space';
+
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export function convertSavedObjectToSpace(savedObject: any): Space {
+  return {
+    id: savedObject.id,
+    ...savedObject.attributes,
+  };
+}
diff --git a/x-pack/plugins/spaces/server/routes/lib/get_space_by_id.ts b/x-pack/plugins/spaces/server/routes/lib/get_space_by_id.ts
new file mode 100644
index 00000000000000..4143c09a79a930
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/lib/get_space_by_id.ts
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { Space } from '../../../common/model/space';
+import { convertSavedObjectToSpace } from './convert_saved_object_to_space';
+
+export async function getSpaceById(client: any, spaceId: string): Promise<Space | null> {
+  try {
+    const existingSpace = await client.get('space', spaceId);
+    return convertSavedObjectToSpace(existingSpace);
+  } catch (error) {
+    if (client.errors.isNotFoundError(error)) {
+      return null;
+    }
+    throw error;
+  }
+}
diff --git a/x-pack/plugins/spaces/server/routes/lib/index.ts b/x-pack/plugins/spaces/server/routes/lib/index.ts
new file mode 100644
index 00000000000000..af673887925658
--- /dev/null
+++ b/x-pack/plugins/spaces/server/routes/lib/index.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { convertSavedObjectToSpace } from './convert_saved_object_to_space';
+export { getSpaceById } from './get_space_by_id';

From 125cc36baec2a52cae5f06375b7ecfbf3d8dc613 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 6 Sep 2018 10:21:33 -0400
Subject: [PATCH 115/183] supply space id to tutorial context (#22760)

---
 x-pack/plugins/spaces/index.js                |  5 ++
 ...es_service.js => create_spaces_service.ts} | 11 ++--
 .../spaces_tutorial_context_factory.test.ts   | 55 +++++++++++++++++++
 .../lib/spaces_tutorial_context_factory.ts    | 15 +++++
 4 files changed, 82 insertions(+), 4 deletions(-)
 rename x-pack/plugins/spaces/server/lib/{create_spaces_service.js => create_spaces_service.ts} (75%)
 create mode 100644 x-pack/plugins/spaces/server/lib/spaces_tutorial_context_factory.test.ts
 create mode 100644 x-pack/plugins/spaces/server/lib/spaces_tutorial_context_factory.ts

diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index 3eafab6461f9e0..2679a894a66610 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -14,6 +14,7 @@ import { createDefaultSpace } from './server/lib/create_default_space';
 import { createSpacesService } from './server/lib/create_spaces_service';
 import { getActiveSpace } from './server/lib/get_active_space';
 import { getSpacesUsageCollector } from './server/lib/get_spaces_usage_collector';
+import { createSpacesTutorialContextFactory } from './server/lib/spaces_tutorial_context_factory';
 import { wrapError } from './server/lib/errors';
 import mappings from './mappings.json';
 import { spacesSavedObjectsClientWrapperFactory } from './server/lib/saved_objects_client/saved_objects_client_wrapper_factory';
@@ -94,6 +95,10 @@ export const spaces = (kibana) => new kibana.Plugin({
       spacesSavedObjectsClientWrapperFactory(spacesService)
     );
 
+    server.addScopedTutorialContextFactory(
+      createSpacesTutorialContextFactory(spacesService)
+    );
+
     initPrivateApis(server);
     initPublicSpacesApi(server);
 
diff --git a/x-pack/plugins/spaces/server/lib/create_spaces_service.js b/x-pack/plugins/spaces/server/lib/create_spaces_service.ts
similarity index 75%
rename from x-pack/plugins/spaces/server/lib/create_spaces_service.js
rename to x-pack/plugins/spaces/server/lib/create_spaces_service.ts
index 3ee55354da8dcc..3269142a9cf17c 100644
--- a/x-pack/plugins/spaces/server/lib/create_spaces_service.js
+++ b/x-pack/plugins/spaces/server/lib/create_spaces_service.ts
@@ -6,13 +6,16 @@
 
 import { getSpaceIdFromPath } from './spaces_url_parser';
 
-export function createSpacesService(server) {
+export interface SpacesService {
+  getSpaceId: (req: any) => string;
+}
 
+export function createSpacesService(server: any): SpacesService {
   const serverBasePath = server.config().get('server.basePath');
 
   const contextCache = new WeakMap();
 
-  function getSpaceId(request) {
+  function getSpaceId(request: any) {
     if (!contextCache.has(request)) {
       populateCache(request);
     }
@@ -21,11 +24,11 @@ export function createSpacesService(server) {
     return spaceId;
   }
 
-  function populateCache(request) {
+  function populateCache(request: any) {
     const spaceId = getSpaceIdFromPath(request.getBasePath(), serverBasePath);
 
     contextCache.set(request, {
-      spaceId
+      spaceId,
     });
   }
 
diff --git a/x-pack/plugins/spaces/server/lib/spaces_tutorial_context_factory.test.ts b/x-pack/plugins/spaces/server/lib/spaces_tutorial_context_factory.test.ts
new file mode 100644
index 00000000000000..4ed548d64b5748
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/spaces_tutorial_context_factory.test.ts
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { DEFAULT_SPACE_ID } from '../../common/constants';
+import { createSpacesService } from './create_spaces_service';
+import { createSpacesTutorialContextFactory } from './spaces_tutorial_context_factory';
+
+const server = {
+  config: () => {
+    return {
+      get: (key: string) => {
+        if (key === 'server.basePath') {
+          return '/foo';
+        }
+        throw new Error('unexpected key ' + key);
+      },
+    };
+  },
+};
+
+describe('createSpacesTutorialContextFactory', () => {
+  it('should create a valid context factory', () => {
+    const spacesService = createSpacesService(server);
+    expect(typeof createSpacesTutorialContextFactory(spacesService)).toEqual('function');
+  });
+
+  it('should create context with the current space id for space my-space-id', () => {
+    const spacesService = createSpacesService(server);
+    const contextFactory = createSpacesTutorialContextFactory(spacesService);
+
+    const request = {
+      getBasePath: () => '/foo/s/my-space-id',
+    };
+
+    expect(contextFactory(request)).toEqual({
+      spaceId: 'my-space-id',
+    });
+  });
+
+  it('should create context with the current space id for the default space', () => {
+    const spacesService = createSpacesService(server);
+    const contextFactory = createSpacesTutorialContextFactory(spacesService);
+
+    const request = {
+      getBasePath: () => '/foo',
+    };
+
+    expect(contextFactory(request)).toEqual({
+      spaceId: DEFAULT_SPACE_ID,
+    });
+  });
+});
diff --git a/x-pack/plugins/spaces/server/lib/spaces_tutorial_context_factory.ts b/x-pack/plugins/spaces/server/lib/spaces_tutorial_context_factory.ts
new file mode 100644
index 00000000000000..b3254fd3b3c07f
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/spaces_tutorial_context_factory.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SpacesService } from './create_spaces_service';
+
+export function createSpacesTutorialContextFactory(spacesService: SpacesService) {
+  return function spacesTutorialContextFactory(request: any) {
+    return {
+      spaceId: spacesService.getSpaceId(request),
+    };
+  };
+}

From 81096fda70d0f32a6dec1ce64b434c2e7a04872f Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 6 Sep 2018 11:52:03 -0400
Subject: [PATCH 116/183] attempt to isolate test failure

---
 scripts/functional_tests.js        |  4 ++--
 x-pack/scripts/functional_tests.js | 16 ++++++++--------
 x-pack/test/functional/config.js   | 13 +++++++------
 3 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/scripts/functional_tests.js b/scripts/functional_tests.js
index 9d73923704ce6d..88b89f84bcd175 100644
--- a/scripts/functional_tests.js
+++ b/scripts/functional_tests.js
@@ -19,7 +19,7 @@
 
 require('../src/setup_node_env');
 require('@kbn/test').runTestsCli([
-  require.resolve('../test/functional/config.js'),
+  // require.resolve('../test/functional/config.js'),
   require.resolve('../test/api_integration/config.js'),
-  require.resolve('../test/plugin_functional/config.js'),
+  // require.resolve('../test/plugin_functional/config.js'),
 ]);
diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js
index 1b05203e4dd096..742582e9b48b63 100644
--- a/x-pack/scripts/functional_tests.js
+++ b/x-pack/scripts/functional_tests.js
@@ -6,13 +6,13 @@
 
 require('@kbn/plugin-helpers').babelRegister();
 require('@kbn/test').runTestsCli([
-  require.resolve('../test/reporting/configs/chromium_api.js'),
-  require.resolve('../test/reporting/configs/chromium_functional.js'),
-  require.resolve('../test/reporting/configs/phantom_api.js'),
-  require.resolve('../test/reporting/configs/phantom_functional.js'),
+  // require.resolve('../test/reporting/configs/chromium_api.js'),
+  // require.resolve('../test/reporting/configs/chromium_functional.js'),
+  // require.resolve('../test/reporting/configs/phantom_api.js'),
+  // require.resolve('../test/reporting/configs/phantom_functional.js'),
   require.resolve('../test/functional/config.js'),
-  require.resolve('../test/api_integration/config.js'),
-  require.resolve('../test/saml_api_integration/config.js'),
-  require.resolve('../test/rbac_api_integration/config.js'),
-  require.resolve('../test/spaces_api_integration/config.js'),
+  // require.resolve('../test/api_integration/config.js'),
+  // require.resolve('../test/saml_api_integration/config.js'),
+  // require.resolve('../test/rbac_api_integration/config.js'),
+  // require.resolve('../test/spaces_api_integration/config.js'),
 ]);
diff --git a/x-pack/test/functional/config.js b/x-pack/test/functional/config.js
index 77c0aee49b83ef..1d2010c7f38f07 100644
--- a/x-pack/test/functional/config.js
+++ b/x-pack/test/functional/config.js
@@ -59,13 +59,13 @@ export default async function ({ readConfigFile }) {
   return {
     // list paths to the files that contain your plugins tests
     testFiles: [
-      resolve(__dirname, './apps/graph'),
-      resolve(__dirname, './apps/monitoring'),
-      resolve(__dirname, './apps/watcher'),
+      // resolve(__dirname, './apps/graph'),
+      // resolve(__dirname, './apps/monitoring'),
+      // resolve(__dirname, './apps/watcher'),
       resolve(__dirname, './apps/dashboard_mode'),
-      resolve(__dirname, './apps/security'),
-      resolve(__dirname, './apps/logstash'),
-      resolve(__dirname, './apps/grok_debugger'),
+      // resolve(__dirname, './apps/security'),
+      // resolve(__dirname, './apps/logstash'),
+      // resolve(__dirname, './apps/grok_debugger'),
     ],
 
     // define the name and providers for services that should be
@@ -133,6 +133,7 @@ export default async function ({ readConfigFile }) {
         '--server.uuid=5b2de169-2785-441b-ae8c-186a1936b17d',
         '--xpack.xpack_main.telemetry.enabled=false',
         '--xpack.security.encryptionKey="wuGNaIhoMpk5sO4UBxgr3NyW1sFcLgIf"', // server restarts should not invalidate active sessions
+        '--logging.verbose=true',
       ],
     },
 

From ec718838de85e6fbed3cc5c9de12c6e6a5427a70 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 6 Sep 2018 12:50:26 -0400
Subject: [PATCH 117/183] [Spaces] - copy edits (#22457)

---
 .../edit_role/components/edit_role_page.tsx   | 23 +++++++++----
 .../index_privilege_form.test.tsx.snap        |  2 +-
 .../privileges/es/index_privilege_form.tsx    |  2 +-
 .../impacted_spaces_flyout.test.tsx.snap      |  2 +-
 .../privilege_space_form.test.tsx.snap        |  2 +-
 .../space_aware_privilege_form.test.tsx.snap  | 26 +++++++++-----
 .../space_selector.test.tsx.snap              |  1 -
 .../kibana/impacted_spaces_flyout.tsx         |  4 +--
 .../kibana/privilege_callout_warning.tsx      |  6 +++-
 .../kibana/privilege_space_form.tsx           |  2 +-
 .../kibana/privilege_space_table.tsx          |  2 +-
 .../kibana/space_aware_privilege_form.tsx     | 34 +++++++------------
 .../privileges/kibana/space_selector.tsx      |  1 -
 .../components/manage_spaces_button.tsx       |  2 +-
 x-pack/plugins/spaces/public/lib/constants.ts |  2 ++
 .../plugins/spaces/public/register_feature.js |  3 +-
 .../space_identifier.test.js.snap             | 16 +++++++--
 .../edit_space/manage_space_page.js           |  4 +--
 .../management/edit_space/space_identifier.js | 14 +++++---
 .../views/management/lib/validate_space.js    | 10 +++---
 .../management/lib/validate_space.test.js     | 14 ++++----
 .../spaces_grid/spaces_grid_page.js           |  8 +++--
 .../spaces_description.test.tsx.snap          |  2 +-
 .../components/spaces_description.tsx         |  6 ++--
 .../__snapshots__/space_selector.test.js.snap |  2 +-
 .../views/space_selector/space_selector.js    |  2 +-
 .../spaces/server/lib/create_default_space.js |  4 +--
 .../server/lib/create_default_space.test.js   |  2 +-
 28 files changed, 116 insertions(+), 82 deletions(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
index d4497582a75119..ee1de5d99e191f 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
@@ -20,7 +20,7 @@ import {
   EuiTitle,
 } from '@elastic/eui';
 import { get } from 'lodash';
-import React, { ChangeEvent, Component, HTMLProps } from 'react';
+import React, { ChangeEvent, Component, Fragment, HTMLProps } from 'react';
 import { toastNotifications } from 'ui/notify';
 import { Space } from '../../../../../../spaces/common/model/space';
 import { IndexPrivilege } from '../../../../../common/model/index_privilege';
@@ -66,18 +66,29 @@ export class EditRolePage extends Component<Props, State> {
   }
 
   public render() {
+    const description = this.props.spacesEnabled
+      ? `Set privileges on your Elasticsearch data and control access to your Kibana spaces.`
+      : `Set privileges on your Elasticsearch data and control access to Kibana.`;
+
     return (
       <EuiPage className="editRolePage" restrictWidth>
         <EuiPageBody>
           <EuiForm {...this.state.formError}>
             {this.getFormTitle()}
 
+            <EuiSpacer />
+
+            <EuiText size="s">{description}</EuiText>
+
             {isReservedRole(this.props.role) && (
-              <EuiText size="s" color="subdued">
-                <p id="reservedRoleDescription" tabIndex={1}>
-                  Reserved roles are built-in and cannot be removed or modified.
-                </p>
-              </EuiText>
+              <Fragment>
+                <EuiSpacer size="s" />
+                <EuiText size="s" color="subdued">
+                  <p id="reservedRoleDescription" tabIndex={1}>
+                    Reserved roles are built-in and cannot be removed or modified.
+                  </p>
+                </EuiText>
+              </Fragment>
             )}
 
             <EuiSpacer />
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap
index d7426919a1f3b2..c8a8f284b9bad9 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap
@@ -162,7 +162,7 @@ exports[`it renders without crashing 1`] = `
             <EuiSwitch
               compressed={true}
               data-test-subj="restrictDocumentsQuery0"
-              label="Restrict documents query"
+              label="Grant read privileges to specific documents"
               onChange={[Function]}
               value={false}
             />
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx
index 4072d3b2f90088..ccf5bd42722e08 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx
@@ -171,7 +171,7 @@ export class IndexPrivilegeForm extends Component<Props, State> {
           <EuiFlexItem>
             <EuiSwitch
               data-test-subj={`restrictDocumentsQuery${this.props.formIndex}`}
-              label={'Restrict documents query'}
+              label={'Grant read privileges to specific documents'}
               // @ts-ignore
               compressed={true}
               // @ts-ignore
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/impacted_spaces_flyout.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/impacted_spaces_flyout.test.tsx.snap
index a2723f68e1c1b9..c67cde88bb4447 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/impacted_spaces_flyout.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/impacted_spaces_flyout.test.tsx.snap
@@ -10,7 +10,7 @@ exports[`<ImpactedSpacesFlyout> renders without crashing 1`] = `
       onClick={[Function]}
       type="button"
     >
-      See summary of all spaces privileges
+      View summary of spaces privileges
     </EuiLink>
   </div>
 </React.Fragment>
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_space_form.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_space_form.test.tsx.snap
index afce653a9c7f4e..ad9c209ec52557 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_space_form.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_space_form.test.tsx.snap
@@ -19,7 +19,7 @@ exports[`<PrivilegeSpaceForm> renders without crashing 1`] = `
       fullWidth={false}
       hasEmptyLabelSpace={false}
       isInvalid={false}
-      label="Space(s)"
+      label="Spaces"
     >
       <SpaceSelector
         onChange={[Function]}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_aware_privilege_form.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_aware_privilege_form.test.tsx.snap
index 55f9f818f45e76..07e626b541350a 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_aware_privilege_form.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_aware_privilege_form.test.tsx.snap
@@ -47,14 +47,14 @@ exports[`<SpaceAwarePrivilegeForm> renders without crashing 1`] = `
   <EuiDescribedFormGroup
     description={
       <p>
-        Specifies the lowest permission level for all spaces, unless a custom privilege is specified.
+        Specify the minimum actions users can perform in your spaces.
       </p>
     }
     fullWidth={false}
     gutterSize="l"
     title={
       <h3>
-        Minimum privilege
+        Minimum privileges for all spaces
       </h3>
     }
     titleSize="xs"
@@ -63,7 +63,7 @@ exports[`<SpaceAwarePrivilegeForm> renders without crashing 1`] = `
       describedByIds={Array []}
       fullWidth={false}
       hasEmptyLabelSpace={true}
-      helpText="No access"
+      helpText="No access to spaces"
     >
       <PrivilegeSelector
         allowNone={true}
@@ -88,7 +88,7 @@ exports[`<SpaceAwarePrivilegeForm> renders without crashing 1`] = `
       size="xs"
     >
       <h3>
-        Space privileges
+        Higher privileges for individual spaces
       </h3>
     </EuiTitle>
     <EuiSpacer
@@ -100,12 +100,22 @@ exports[`<SpaceAwarePrivilegeForm> renders without crashing 1`] = `
       size="s"
     >
       <p>
-        Customize permission levels per space. If a space is not customized, its permissions will default to the minimum privilege specified above.
-      </p>
-      <p>
-        You can bulk-create space privileges though they will be saved individually upon saving the role.
+        Grant more privileges on a per space basis. For example, if the privileges are
+         
+        <strong>
+          read
+        </strong>
+         for all spaces, you can set the privileges to 
+        <strong>
+          all
+        </strong>
+         
+        for an individual space.
       </p>
     </EuiText>
+    <EuiSpacer
+      size="s"
+    />
     <React.Fragment>
       <PrivilegeSpaceTable
         availablePrivileges={
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_selector.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_selector.test.tsx.snap
index f22cf87c9c9d6f..8cc8767a5f89f7 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_selector.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_selector.test.tsx.snap
@@ -6,7 +6,6 @@ exports[`SpaceSelector renders without crashing 1`] = `
   isClearable={true}
   onChange={[Function]}
   options={Array []}
-  placeholder="choose space(s)"
   renderOption={[Function]}
   selectedOptions={Array []}
   singleSelection={false}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.tsx
index 8e50e6e3d0e3b3..63c595314e24d6 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.tsx
@@ -45,7 +45,7 @@ export class ImpactedSpacesFlyout extends Component<Props, State> {
       <Fragment>
         <div className="showImpactedSpaces">
           <EuiLink onClick={this.toggleShowImpactedSpaces}>
-            See summary of all spaces privileges
+            View summary of spaces privileges
           </EuiLink>
         </div>
         {flyout}
@@ -105,7 +105,7 @@ export class ImpactedSpacesFlyout extends Component<Props, State> {
       >
         <EuiFlyoutHeader hasBorder>
           <EuiTitle size="m">
-            <h1 id="showImpactedSpacesTitle">Summary of all space privileges</h1>
+            <h1 id="showImpactedSpacesTitle">Summary of space privileges</h1>
           </EuiTitle>
         </EuiFlyoutHeader>
         <EuiFlyoutBody>
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_callout_warning.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_callout_warning.tsx
index 6641f43074cbe1..0b5666f3915734 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_callout_warning.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_callout_warning.tsx
@@ -77,7 +77,11 @@ export class PrivilegeCalloutWarning extends Component<Props, State> {
           <EuiCallOut
             color="primary"
             iconType="iInCircle"
-            title={"Lowest possible privilege is 'read'"}
+            title={
+              <span>
+                The minimal possible privilege is <strong>read</strong>.
+              </span>
+            }
           />
         );
       }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.tsx
index 5cd139c0f42e36..cf7bcf8287b9d6 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_form.tsx
@@ -41,7 +41,7 @@ export class PrivilegeSpaceForm extends Component<Props, {}> {
       <EuiFlexGroup responsive={false}>
         <EuiFlexItem>
           <EuiFormRow
-            label={'Space(s)'}
+            label={'Spaces'}
             {...validator.validateSelectedSpaces(selectedSpaceIds, selectedPrivilege)}
           >
             <SpaceSelector
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_table.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_table.tsx
index 0f206dcc1e17d6..05600c3f0e2f7e 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_table.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/privilege_space_table.tsx
@@ -76,7 +76,7 @@ export class PrivilegeSpaceTable extends Component<Props, State> {
         search={{
           box: {
             incremental: true,
-            placeholder: 'Filter...',
+            placeholder: 'Filter',
           },
           onChange: (search: any) => {
             this.setState({
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx
index af76691b060f59..060f89726bb721 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx
@@ -79,25 +79,23 @@ export class SpaceAwarePrivilegeForm extends Component<Props, State> {
     const basePrivilege =
       assignedPrivileges.global.length > 0 ? assignedPrivileges.global[0] : NO_PRIVILEGE_VALUE;
 
-    const description = (
-      <p>
-        Specifies the lowest permission level for all spaces, unless a custom privilege is
-        specified.
-      </p>
-    );
+    const description = <p>Specify the minimum actions users can perform in your spaces.</p>;
 
     let helptext;
     if (basePrivilege === NO_PRIVILEGE_VALUE) {
-      helptext = 'No access';
+      helptext = 'No access to spaces';
     } else if (basePrivilege === 'all') {
-      helptext = 'View, edit, and share all objects and apps within all spaces';
+      helptext = 'View, edit, and share objects and apps within all spaces';
     } else if (basePrivilege === 'read') {
-      helptext = 'View only mode';
+      helptext = 'View objects and apps within all spaces';
     }
 
     return (
       <Fragment>
-        <EuiDescribedFormGroup title={<h3>Minimum privilege</h3>} description={description}>
+        <EuiDescribedFormGroup
+          title={<h3>Minimum privileges for all spaces</h3>}
+          description={description}
+        >
           <EuiFormRow hasEmptyLabelSpace helpText={helptext}>
             <PrivilegeSelector
               data-test-subj={'kibanaMinimumPrivilege'}
@@ -136,7 +134,7 @@ export class SpaceAwarePrivilegeForm extends Component<Props, State> {
     return (
       <Fragment>
         <EuiTitle size={'xs'}>
-          <h3>Space privileges</h3>
+          <h3>Higher privileges for individual spaces</h3>
         </EuiTitle>
         <EuiSpacer size={'s'} />
         <EuiText
@@ -146,18 +144,12 @@ export class SpaceAwarePrivilegeForm extends Component<Props, State> {
           color={'subdued'}
         >
           <p>
-            Customize permission levels per space. If a space is not customized, its permissions
-            will default to the minimum privilege specified above.
+            Grant more privileges on a per space basis. For example, if the privileges are{' '}
+            <strong>read</strong> for all spaces, you can set the privileges to <strong>all</strong>{' '}
+            for an individual space.
           </p>
-          {basePrivilege !== 'all' &&
-            this.props.editable && (
-              <p>
-                You can bulk-create space privileges though they will be saved individually upon
-                saving the role.
-              </p>
-            )}
         </EuiText>
-
+        <EuiSpacer size={'s'} />
         {(basePrivilege !== NO_PRIVILEGE_VALUE || isReservedRole(this.props.role)) && (
           <PrivilegeCalloutWarning
             basePrivilege={basePrivilege}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.tsx
index 29b22fc32496f0..4338d01c230e32 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.tsx
@@ -48,7 +48,6 @@ export class SpaceSelector extends Component<Props, {}> {
 
     return (
       <EuiComboBox
-        placeholder={`choose space(s)`}
         options={this.props.spaces.map(spaceToOption)}
         renderOption={renderOption}
         selectedOptions={this.props.selectedSpaceIds.map(spaceIdToOption(this.props.spaces))}
diff --git a/x-pack/plugins/spaces/public/components/manage_spaces_button.tsx b/x-pack/plugins/spaces/public/components/manage_spaces_button.tsx
index 55b14b856ef42a..81113fd4cde874 100644
--- a/x-pack/plugins/spaces/public/components/manage_spaces_button.tsx
+++ b/x-pack/plugins/spaces/public/components/manage_spaces_button.tsx
@@ -24,7 +24,7 @@ export class ManageSpacesButton extends Component<Props, {}> {
         onClick={this.navigateToManageSpaces}
         style={this.props.style}
       >
-        Manage Spaces
+        Manage spaces
       </EuiButton>
     );
   }
diff --git a/x-pack/plugins/spaces/public/lib/constants.ts b/x-pack/plugins/spaces/public/lib/constants.ts
index 59ac4b3aa64c37..93f21f0e466293 100644
--- a/x-pack/plugins/spaces/public/lib/constants.ts
+++ b/x-pack/plugins/spaces/public/lib/constants.ts
@@ -6,4 +6,6 @@
 
 import chrome from 'ui/chrome';
 
+export const SPACES_FEATURE_DESCRIPTION = `Organize your dashboards and other saved objects into meaningful categories.`;
+
 export const MANAGE_SPACES_URL = chrome.addBasePath(`/app/kibana#/management/spaces/list`);
diff --git a/x-pack/plugins/spaces/public/register_feature.js b/x-pack/plugins/spaces/public/register_feature.js
index 09b896c9caa35c..1a02313aa331d7 100644
--- a/x-pack/plugins/spaces/public/register_feature.js
+++ b/x-pack/plugins/spaces/public/register_feature.js
@@ -7,12 +7,13 @@
 
 
 import { FeatureCatalogueRegistryProvider, FeatureCatalogueCategory } from 'ui/registry/feature_catalogue';
+import { SPACES_FEATURE_DESCRIPTION } from './lib/constants';
 
 FeatureCatalogueRegistryProvider.register(() => {
   return {
     id: 'spaces',
     title: 'Spaces',
-    description: 'Organize your dashboards, visualizations, and other saved objects',
+    description: SPACES_FEATURE_DESCRIPTION,
     icon: 'spacesApp',
     path: '/app/kibana#/management/spaces/list',
     showOnHomePage: true,
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/space_identifier.test.js.snap b/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/space_identifier.test.js.snap
index db250113e044da..a88906a10237e5 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/space_identifier.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/space_identifier.test.js.snap
@@ -8,13 +8,23 @@ exports[`renders without crashing 1`] = `
     hasEmptyLabelSpace={false}
     helpText={
       <p>
-        Links within Kibana will include this space identifier
+        If the identifier is 
+        <strong>
+          engineering
+        </strong>
+        , the Kibana URL is 
+        <br />
+         https://my-kibana.example
+        <strong>
+          /s/engineering/
+        </strong>
+        app/kibana.
       </p>
     }
     isInvalid={false}
     label={
       <p>
-        Space Identifier 
+        URL identifier 
         <EuiLink
           color="primary"
           onClick={[Function]}
@@ -31,7 +41,7 @@ exports[`renders without crashing 1`] = `
       inputRef={[Function]}
       isLoading={false}
       onChange={[Function]}
-      placeholder="give your space a name to see its identifier"
+      placeholder="The URL identifier is generated from the space name."
       readOnly={true}
       value=""
     />
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
index 606c7d9ad1c7a2..a6afad557cc3e4 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
@@ -311,9 +311,9 @@ export class ManageSpacePage extends Component {
     }
 
     action
-      .then(result => {
+      .then(() => {
         this.props.spacesNavState.refreshSpacesList();
-        toastNotifications.addSuccess(`Saved '${result.data.name}'`);
+        toastNotifications.addSuccess(`'${name}' was saved`);
         window.location.hash = `#/management/spaces/list`;
       })
       .catch(error => {
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.js b/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.js
index 9fcd7460114b06..4af9003678db11 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.js
@@ -29,11 +29,15 @@ export class SpaceIdentifier extends Component {
         <EuiFormRow
           label={this.getLabel()}
           helpText={this.getHelpText()}
-          {...this.props.validator.validateSpaceIdentifier(this.props.space)}
+          {...this.props.validator.validateURLIdentifier(this.props.space)}
         >
           <EuiFieldText
             readOnly={!this.state.editing}
-            placeholder={this.state.editing || !this.props.editable ? null : 'give your space a name to see its identifier'}
+            placeholder={
+              this.state.editing || !this.props.editable
+                ? null
+                : 'The URL identifier is generated from the space name.'
+            }
             value={id}
             onChange={this.onChange}
             inputRef={(ref) => this.textFieldRef = ref}
@@ -45,15 +49,15 @@ export class SpaceIdentifier extends Component {
 
   getLabel = () => {
     if (!this.props.editable) {
-      return (<p>Space Identifier</p>);
+      return (<p>URL identifier</p>);
     }
 
     const editLinkText = this.state.editing ? `[stop editing]` : `[edit]`;
-    return (<p>Space Identifier <EuiLink onClick={this.onEditClick}>{editLinkText}</EuiLink></p>);
+    return (<p>URL identifier <EuiLink onClick={this.onEditClick}>{editLinkText}</EuiLink></p>);
   };
 
   getHelpText = () => {
-    return (<p>Links within Kibana will include this space identifier</p>);
+    return (<p>If the identifier is <strong>engineering</strong>, the Kibana URL is <br /> https://my-kibana.example<strong>/s/engineering/</strong>app/kibana.</p>);
   };
 
   onEditClick = () => {
diff --git a/x-pack/plugins/spaces/public/views/management/lib/validate_space.js b/x-pack/plugins/spaces/public/views/management/lib/validate_space.js
index 56d22ca39aad5c..1aa98aac8e5793 100644
--- a/x-pack/plugins/spaces/public/views/management/lib/validate_space.js
+++ b/x-pack/plugins/spaces/public/views/management/lib/validate_space.js
@@ -23,7 +23,7 @@ export class SpaceValidator {
     if (!this._shouldValidate) return valid();
 
     if (!space.name) {
-      return invalid(`Please provide a space name`);
+      return invalid(`Name is required`);
     }
 
     if (space.name.length > 1024) {
@@ -43,17 +43,17 @@ export class SpaceValidator {
     return valid();
   }
 
-  validateSpaceIdentifier(space) {
+  validateURLIdentifier(space) {
     if (!this._shouldValidate) return valid();
 
     if (isReservedSpace(space)) return valid();
 
     if (!space.id) {
-      return invalid(`Space Identifier is required`);
+      return invalid(`URL identifier is required`);
     }
 
     if (!isValidSpaceIdentifier(space.id)) {
-      return invalid('Space Identifier only allows a-z, 0-9, "_", and the "-" character');
+      return invalid('URL identifier can only contain a-z, 0-9, and the characters "_" and "-"');
     }
 
     return valid();
@@ -62,7 +62,7 @@ export class SpaceValidator {
   validateForSave(space) {
     const { isInvalid: isNameInvalid } = this.validateSpaceName(space);
     const { isInvalid: isDescriptionInvalid } = this.validateSpaceDescription(space);
-    const { isInvalid: isIdentifierInvalid } = this.validateSpaceIdentifier(space);
+    const { isInvalid: isIdentifierInvalid } = this.validateURLIdentifier(space);
 
     if (isNameInvalid || isDescriptionInvalid || isIdentifierInvalid) {
       return invalid();
diff --git a/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js b/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js
index 5adbb2ec5090e1..dac3e417a371cd 100644
--- a/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js
+++ b/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js
@@ -26,7 +26,7 @@ describe('validateSpaceName', () => {
       name: ''
     };
 
-    expect(validator.validateSpaceName(space)).toEqual({ isInvalid: true, error: `Please provide a space name` });
+    expect(validator.validateSpaceName(space)).toEqual({ isInvalid: true, error: `Name is required` });
   });
 
   test('it cannot exceed 1024 characters', () => {
@@ -55,13 +55,13 @@ describe('validateSpaceDescription', () => {
   });
 });
 
-describe('validateSpaceIdentifier', () => {
+describe('validateURLIdentifier', () => {
   test('it does not validate reserved spaces', () => {
     const space = {
       _reserved: true
     };
 
-    expect(validator.validateSpaceIdentifier(space)).toEqual({ isInvalid: false });
+    expect(validator.validateURLIdentifier(space)).toEqual({ isInvalid: false });
   });
 
   test('it requires a non-empty value', () => {
@@ -69,7 +69,7 @@ describe('validateSpaceIdentifier', () => {
       id: ''
     };
 
-    expect(validator.validateSpaceIdentifier(space)).toEqual({ isInvalid: true, error: `Space Identifier is required` });
+    expect(validator.validateURLIdentifier(space)).toEqual({ isInvalid: true, error: `URL identifier is required` });
   });
 
   test('it requires a valid Space Identifier', () => {
@@ -77,8 +77,8 @@ describe('validateSpaceIdentifier', () => {
       id: 'invalid identifier'
     };
 
-    expect(validator.validateSpaceIdentifier(space))
-      .toEqual({ isInvalid: true, error: 'Space Identifier only allows a-z, 0-9, "_", and the "-" character' });
+    expect(validator.validateURLIdentifier(space))
+      .toEqual({ isInvalid: true, error: 'URL identifier can only contain a-z, 0-9, and the characters "_" and "-"' });
   });
 
   test('it allows a valid Space Identifier', () => {
@@ -86,6 +86,6 @@ describe('validateSpaceIdentifier', () => {
       id: '01-valid-context-01'
     };
 
-    expect(validator.validateSpaceIdentifier(space)).toEqual({ isInvalid: false });
+    expect(validator.validateURLIdentifier(space)).toEqual({ isInvalid: false });
   });
 });
diff --git a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
index 8a5c3ecd9ae81b..93e2dbe722bf7e 100644
--- a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
+++ b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
@@ -54,7 +54,11 @@ export class SpacesGridPage extends Component {
               onSelectionChange: this.onSelectionChange
             }}
             pagination={true}
-            search={true}
+            search={{
+              box: {
+                placeholder: 'Search'
+              }
+            }}
             loading={this.state.loading}
             message={this.state.loading ? "loading..." : undefined}
           />
@@ -76,7 +80,7 @@ export class SpacesGridPage extends Component {
     }
 
     return (
-      <EuiButton fill onClick={() => { window.location.hash = `#/management/spaces/create`; }}>Create new space</EuiButton>
+      <EuiButton fill onClick={() => { window.location.hash = `#/management/spaces/create`; }}>Create space</EuiButton>
     );
   }
 
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/__snapshots__/spaces_description.test.tsx.snap b/x-pack/plugins/spaces/public/views/nav_control/components/__snapshots__/spaces_description.test.tsx.snap
index 5f439351549c1d..b46ae0481840aa 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/components/__snapshots__/spaces_description.test.tsx.snap
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/__snapshots__/spaces_description.test.tsx.snap
@@ -12,7 +12,7 @@ exports[`SpacesDescription renders without crashing 1`] = `
     grow={true}
   >
     <p>
-      Use Spaces within Kibana to organize your Dashboards, Visualizations, and other saved objects.
+      Organize your dashboards and other saved objects into meaningful categories.
     </p>
   </EuiText>
   <div
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx
index d85a9e82c7082a..127595c930ee42 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx
@@ -7,6 +7,7 @@
 import { EuiContextMenuPanel, EuiText } from '@elastic/eui';
 import React, { SFC } from 'react';
 import { ManageSpacesButton } from '../../../components';
+import { SPACES_FEATURE_DESCRIPTION } from '../../../lib/constants';
 import './spaces_description.less';
 
 export const SpacesDescription: SFC = () => {
@@ -18,10 +19,7 @@ export const SpacesDescription: SFC = () => {
   return (
     <EuiContextMenuPanel {...panelProps}>
       <EuiText className="spacesDescription__text">
-        <p>
-          Use Spaces within Kibana to organize your Dashboards, Visualizations, and other saved
-          objects.
-        </p>
+        <p>{SPACES_FEATURE_DESCRIPTION}</p>
       </EuiText>
       <div key="manageSpacesButton" className="spacesDescription__manageButtonWrapper">
         <ManageSpacesButton size="s" style={{ width: `100%` }} />
diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
index 3f58530d7139bb..21662970fe240d 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
@@ -73,7 +73,7 @@ exports[`it renders without crashing 1`] = `
             className="euiText euiText--extraSmall"
           >
             <p>
-              You can change your space at anytime from within Kibana.
+              You can change your space at anytime.
             </p>
           </div>
         </div>
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
index f90d050fcf8602..3508bdefe3b0b8 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
@@ -90,7 +90,7 @@ export class SpaceSelector extends Component {
               {this.getSearchField()}
 
               <EuiFlexItem>
-                <EuiText size="xs"><p>You can change your space at anytime from within Kibana.</p></EuiText>
+                <EuiText size="xs"><p>You can change your space at anytime.</p></EuiText>
               </EuiFlexItem>
             </EuiFlexGroup>
 
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.js b/x-pack/plugins/spaces/server/lib/create_default_space.js
index fc19ee325d14f3..949e1fd8bbf2a1 100644
--- a/x-pack/plugins/spaces/server/lib/create_default_space.js
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.js
@@ -25,8 +25,8 @@ export async function createDefaultSpace(server) {
   };
 
   await savedObjectsRepository.create('space', {
-    name: 'Default Space',
-    description: 'This is your Default Space!',
+    name: 'Default',
+    description: 'This is your default space!',
     _reserved: true
   }, options);
 }
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.test.js b/x-pack/plugins/spaces/server/lib/create_default_space.test.js
index 1d5a243315e928..874c5023b197f2 100644
--- a/x-pack/plugins/spaces/server/lib/create_default_space.test.js
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.test.js
@@ -78,7 +78,7 @@ test(`it creates the default space when one does not exist`, async () => {
   expect(repository.create).toHaveBeenCalledTimes(1);
   expect(repository.create).toHaveBeenCalledWith(
     'space',
-    { "_reserved": true, "description": "This is your Default Space!", "name": "Default Space" },
+    { "_reserved": true, "description": "This is your default space!", "name": "Default" },
     { "id": "default" }
   );
 });

From 557bbcd26d83c6e68e46f546d15a745a8cb2fc73 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 6 Sep 2018 14:04:33 -0400
Subject: [PATCH 118/183] don't render space selector on login screen

---
 .../spaces/public/views/nav_control/nav_control.js     | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
index 9dfcaf8ede84a9..e0d3cfa90f4835 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
@@ -30,11 +30,19 @@ module.controller('spacesNavController', ($scope, $http, chrome, activeSpace) =>
 
   spacesManager = new SpacesManager($http, chrome);
 
-  render(<NavControlPopover spacesManager={spacesManager} activeSpace={activeSpace} />, domNode);
+  let mounted = false;
+
+  $scope.$parent.$watch('isVisible', function (isVisible) {
+    if (isVisible && !mounted) {
+      render(<NavControlPopover spacesManager={spacesManager} activeSpace={activeSpace} />, domNode);
+      mounted = true;
+    }
+  });
 
   // unmount react on controller destroy
   $scope.$on('$destroy', () => {
     unmountComponentAtNode(domNode);
+    mounted = false;
   });
 
 });

From b6c5f115e69422a851a45631654ff7d8002e38bb Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 6 Sep 2018 17:56:45 -0400
Subject: [PATCH 119/183] run all tests again

---
 x-pack/scripts/functional_tests.js | 16 ++++++++--------
 x-pack/test/functional/config.js   | 12 ++++++------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js
index 742582e9b48b63..1b05203e4dd096 100644
--- a/x-pack/scripts/functional_tests.js
+++ b/x-pack/scripts/functional_tests.js
@@ -6,13 +6,13 @@
 
 require('@kbn/plugin-helpers').babelRegister();
 require('@kbn/test').runTestsCli([
-  // require.resolve('../test/reporting/configs/chromium_api.js'),
-  // require.resolve('../test/reporting/configs/chromium_functional.js'),
-  // require.resolve('../test/reporting/configs/phantom_api.js'),
-  // require.resolve('../test/reporting/configs/phantom_functional.js'),
+  require.resolve('../test/reporting/configs/chromium_api.js'),
+  require.resolve('../test/reporting/configs/chromium_functional.js'),
+  require.resolve('../test/reporting/configs/phantom_api.js'),
+  require.resolve('../test/reporting/configs/phantom_functional.js'),
   require.resolve('../test/functional/config.js'),
-  // require.resolve('../test/api_integration/config.js'),
-  // require.resolve('../test/saml_api_integration/config.js'),
-  // require.resolve('../test/rbac_api_integration/config.js'),
-  // require.resolve('../test/spaces_api_integration/config.js'),
+  require.resolve('../test/api_integration/config.js'),
+  require.resolve('../test/saml_api_integration/config.js'),
+  require.resolve('../test/rbac_api_integration/config.js'),
+  require.resolve('../test/spaces_api_integration/config.js'),
 ]);
diff --git a/x-pack/test/functional/config.js b/x-pack/test/functional/config.js
index 1d2010c7f38f07..23fda2b6322634 100644
--- a/x-pack/test/functional/config.js
+++ b/x-pack/test/functional/config.js
@@ -59,13 +59,13 @@ export default async function ({ readConfigFile }) {
   return {
     // list paths to the files that contain your plugins tests
     testFiles: [
-      // resolve(__dirname, './apps/graph'),
-      // resolve(__dirname, './apps/monitoring'),
-      // resolve(__dirname, './apps/watcher'),
+      resolve(__dirname, './apps/graph'),
+      resolve(__dirname, './apps/monitoring'),
+      resolve(__dirname, './apps/watcher'),
       resolve(__dirname, './apps/dashboard_mode'),
-      // resolve(__dirname, './apps/security'),
-      // resolve(__dirname, './apps/logstash'),
-      // resolve(__dirname, './apps/grok_debugger'),
+      resolve(__dirname, './apps/security'),
+      resolve(__dirname, './apps/logstash'),
+      resolve(__dirname, './apps/grok_debugger'),
     ],
 
     // define the name and providers for services that should be

From ce6bd301788fdd6900570486fb4139f4d1859153 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 6 Sep 2018 18:05:32 -0400
Subject: [PATCH 120/183] run all oss tests again

---
 scripts/functional_tests.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/functional_tests.js b/scripts/functional_tests.js
index 88b89f84bcd175..9d73923704ce6d 100644
--- a/scripts/functional_tests.js
+++ b/scripts/functional_tests.js
@@ -19,7 +19,7 @@
 
 require('../src/setup_node_env');
 require('@kbn/test').runTestsCli([
-  // require.resolve('../test/functional/config.js'),
+  require.resolve('../test/functional/config.js'),
   require.resolve('../test/api_integration/config.js'),
-  // require.resolve('../test/plugin_functional/config.js'),
+  require.resolve('../test/plugin_functional/config.js'),
 ]);

From df74a824a5fec02f158d54dbb8dda989968fe3c1 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 6 Sep 2018 19:40:29 -0400
Subject: [PATCH 121/183] update role api tests

---
 .../api_integration/apis/security/roles.js    | 50 ++++++-------------
 x-pack/test/functional/config.js              |  1 -
 2 files changed, 16 insertions(+), 35 deletions(-)

diff --git a/x-pack/test/api_integration/apis/security/roles.js b/x-pack/test/api_integration/apis/security/roles.js
index f77ea88bde2c8a..7e05e11944a0ca 100644
--- a/x-pack/test/api_integration/apis/security/roles.js
+++ b/x-pack/test/api_integration/apis/security/roles.js
@@ -32,7 +32,7 @@ export default function ({ getService }) {
                 {
                   field_security: {
                     grant: ['*'],
-                    except: [ 'geo.*' ]
+                    except: ['geo.*']
                   },
                   names: ['logstash-*'],
                   privileges: ['read', 'view_index_metadata'],
@@ -41,14 +41,10 @@ export default function ({ getService }) {
               ],
               run_as: ['watcher_user'],
             },
-            kibana: [
-              {
-                privileges: ['all'],
-              },
-              {
-                privileges: ['read'],
-              },
-            ],
+            kibana: {
+              global: ['all', 'read'],
+              space: {}
+            }
           })
           .expect(204);
 
@@ -62,7 +58,7 @@ export default function ({ getService }) {
                 privileges: ['read', 'view_index_metadata'],
                 field_security: {
                   grant: ['*'],
-                  except: [ 'geo.*' ]
+                  except: ['geo.*']
                 },
                 query: `{ "match": { "geo.src": "CN" } }`,
               },
@@ -70,12 +66,7 @@ export default function ({ getService }) {
             applications: [
               {
                 application: 'kibana-.kibana',
-                privileges: ['all'],
-                resources: ['*'],
-              },
-              {
-                application: 'kibana-.kibana',
-                privileges: ['read'],
+                privileges: ['all', 'read'],
                 resources: ['*'],
               }
             ],
@@ -102,8 +93,8 @@ export default function ({ getService }) {
                 names: ['beats-*'],
                 privileges: ['write'],
                 field_security: {
-                  grant: [ 'request.*' ],
-                  except: [ 'response.*' ]
+                  grant: ['request.*'],
+                  except: ['response.*']
                 },
                 query: `{ "match": { "host.name": "localhost" } }`,
               },
@@ -139,7 +130,7 @@ export default function ({ getService }) {
                 {
                   field_security: {
                     grant: ['*'],
-                    except: [ 'geo.*' ]
+                    except: ['geo.*']
                   },
                   names: ['logstash-*'],
                   privileges: ['read', 'view_index_metadata'],
@@ -148,14 +139,10 @@ export default function ({ getService }) {
               ],
               run_as: ['watcher_user'],
             },
-            kibana: [
-              {
-                privileges: ['all'],
-              },
-              {
-                privileges: ['read'],
-              },
-            ],
+            kibana: {
+              global: ['all', 'read'],
+              space: {}
+            }
           })
           .expect(204);
 
@@ -169,7 +156,7 @@ export default function ({ getService }) {
                 privileges: ['read', 'view_index_metadata'],
                 field_security: {
                   grant: ['*'],
-                  except: [ 'geo.*' ]
+                  except: ['geo.*']
                 },
                 query: `{ "match": { "geo.src": "CN" } }`,
               },
@@ -177,12 +164,7 @@ export default function ({ getService }) {
             applications: [
               {
                 application: 'kibana-.kibana',
-                privileges: ['all'],
-                resources: ['*'],
-              },
-              {
-                application: 'kibana-.kibana',
-                privileges: ['read'],
+                privileges: ['all', 'read'],
                 resources: ['*'],
               },
               {
diff --git a/x-pack/test/functional/config.js b/x-pack/test/functional/config.js
index 23fda2b6322634..77c0aee49b83ef 100644
--- a/x-pack/test/functional/config.js
+++ b/x-pack/test/functional/config.js
@@ -133,7 +133,6 @@ export default async function ({ readConfigFile }) {
         '--server.uuid=5b2de169-2785-441b-ae8c-186a1936b17d',
         '--xpack.xpack_main.telemetry.enabled=false',
         '--xpack.security.encryptionKey="wuGNaIhoMpk5sO4UBxgr3NyW1sFcLgIf"', // server restarts should not invalidate active sessions
-        '--logging.verbose=true',
       ],
     },
 

From 06ee993e226831ddfb363a76611ca0831aa17484 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Fri, 7 Sep 2018 11:02:05 -0400
Subject: [PATCH 122/183] [Spaces] - Handle space renaming and deleting
 (#22586)

[skip ci]
This PR improves the Space management experience when updating or deleting the user's active space.

1) When a user updates the space they are currently in, the Space Avatar in the Kibana nav will automatically update to match after saving. Fixes #22537 (cc @alexfrancoeur)

2) When a user **deletes** the space they are currently in, a secondary confirmation modal is displayed, warning them that they are deleting their active space, and they will be redirected to select another space:

![test](https://user-images.githubusercontent.com/3493255/44916585-22caf180-ad04-11e8-87c1-24538d2d6c2a.gif)
---
 x-pack/plugins/spaces/index.js                |   5 +-
 .../spaces/public/lib/{index.js => index.ts}  |   2 +-
 .../spaces/public/lib/spaces_manager.ts       |   8 +-
 .../components/confirm_delete_modal.js        |  50 ----
 .../components/confirm_delete_modal.tsx       | 121 ++++++++
 .../components/delete_spaces_button.js        | 104 -------
 .../components/{index.js => index.ts}         |   2 +-
 .../edit_space/delete_spaces_button.tsx       | 113 ++++++++
 .../edit_space/manage_space_page.js           |   4 +-
 .../views/management/{index.js => index.ts}   |  13 +-
 .../views/management/manage_spaces.less       |   4 +-
 .../public/views/management/page_routes.js    |  12 +-
 .../spaces_grid/{index.js => index.ts}        |   2 +-
 .../spaces_grid/spaces_grid_page.js           | 148 ----------
 .../spaces_grid/spaces_grid_page.tsx          | 259 ++++++++++++++++++
 .../public/views/nav_control/nav_control.js   |   9 +-
 .../views/nav_control/nav_control_popover.tsx |  60 ++--
 .../public/views/space_selector/index.js      |   4 +-
 18 files changed, 559 insertions(+), 361 deletions(-)
 rename x-pack/plugins/spaces/public/lib/{index.js => index.ts} (82%)
 delete mode 100644 x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.tsx
 delete mode 100644 x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js
 rename x-pack/plugins/spaces/public/views/management/components/{index.js => index.ts} (79%)
 create mode 100644 x-pack/plugins/spaces/public/views/management/edit_space/delete_spaces_button.tsx
 rename x-pack/plugins/spaces/public/views/management/{index.js => index.ts} (93%)
 rename x-pack/plugins/spaces/public/views/management/spaces_grid/{index.js => index.ts} (82%)
 delete mode 100644 x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx

diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index 2679a894a66610..9992dfd148301f 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -50,10 +50,11 @@ export const spaces = (kibana) => new kibana.Plugin({
       },
     },
     home: ['plugins/spaces/register_feature'],
-    injectDefaultVars: function () {
+    injectDefaultVars: function (server) {
       return {
         spaces: [],
-        activeSpace: null
+        activeSpace: null,
+        spaceSelectorURL: server.config().get('server.basePath') || '/',
       };
     },
     replaceInjectedVars: async function (vars, request, server) {
diff --git a/x-pack/plugins/spaces/public/lib/index.js b/x-pack/plugins/spaces/public/lib/index.ts
similarity index 82%
rename from x-pack/plugins/spaces/public/lib/index.js
rename to x-pack/plugins/spaces/public/lib/index.ts
index 0a22964efbca39..538dd77e053f57 100644
--- a/x-pack/plugins/spaces/public/lib/index.js
+++ b/x-pack/plugins/spaces/public/lib/index.ts
@@ -4,4 +4,4 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export { SpacesManager } from './spaces_manager';
\ No newline at end of file
+export { SpacesManager } from './spaces_manager';
diff --git a/x-pack/plugins/spaces/public/lib/spaces_manager.ts b/x-pack/plugins/spaces/public/lib/spaces_manager.ts
index 53835ab122f87e..8a11e0137897f8 100644
--- a/x-pack/plugins/spaces/public/lib/spaces_manager.ts
+++ b/x-pack/plugins/spaces/public/lib/spaces_manager.ts
@@ -12,11 +12,13 @@ import { Space } from '../../common/model/space';
 export class SpacesManager extends EventEmitter {
   private httpAgent: any;
   private baseUrl: any;
+  private spaceSelectorURL: string;
 
-  constructor(httpAgent: any, chrome: any) {
+  constructor(httpAgent: any, chrome: any, spaceSelectorURL: string) {
     super();
     this.httpAgent = httpAgent;
     this.baseUrl = chrome.addBasePath(`/api/spaces`);
+    this.spaceSelectorURL = spaceSelectorURL;
   }
 
   public async getSpaces(): Promise<Space[]> {
@@ -54,6 +56,10 @@ export class SpacesManager extends EventEmitter {
       .catch(() => this._displayError());
   }
 
+  public redirectToSpaceSelector() {
+    window.location.href = this.spaceSelectorURL;
+  }
+
   public async requestRefresh() {
     this.emit('request_refresh');
   }
diff --git a/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.js b/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.js
deleted file mode 100644
index 587f32911a383d..00000000000000
--- a/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.js
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React from 'react';
-import PropTypes from 'prop-types';
-
-import {
-  EuiOverlayMask,
-  EuiConfirmModal,
-} from '@elastic/eui';
-
-export const ConfirmDeleteModal = (props) => {
-  const {
-    spaces
-  } = props;
-
-  const buttonText = spaces.length > 1
-    ? `Delete ${spaces.length} spaces`
-    : `Delete space`;
-
-  const bodyQuestion = spaces.length > 1
-    ? `Are you sure you want to delete these ${spaces.length} spaces?`
-    : `Are you sure you want to delete this space?`;
-
-  return (
-    <EuiOverlayMask>
-      <EuiConfirmModal
-        buttonColor={'danger'}
-        cancelButtonText={'Cancel'}
-        confirmButtonText={buttonText}
-        onCancel={props.onCancel}
-        onConfirm={props.onConfirm}
-        title={`Confirm Delete`}
-        defaultFocusedButton={'cancel'}
-      >
-        <p>{bodyQuestion}</p>
-        <p>This operation cannot be undone!</p>
-      </EuiConfirmModal>
-    </EuiOverlayMask>
-  );
-};
-
-ConfirmDeleteModal.propTypes = {
-  spaces: PropTypes.array.isRequired,
-  onCancel: PropTypes.func.isRequired,
-  onConfirm: PropTypes.func.isRequired
-};
diff --git a/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.tsx b/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.tsx
new file mode 100644
index 00000000000000..0810243a1d0354
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.tsx
@@ -0,0 +1,121 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  EuiCallOut,
+  // @ts-ignore
+  EuiConfirmModal,
+  EuiFieldText,
+  EuiFormRow,
+  EuiOverlayMask,
+  EuiText,
+} from '@elastic/eui';
+import React, { ChangeEvent, Component } from 'react';
+import { Space } from '../../../../common/model/space';
+import { SpacesManager } from '../../../lib';
+
+interface Props {
+  space: Space;
+  spacesManager: SpacesManager;
+  spacesNavState: any;
+  onCancel: () => void;
+  onConfirm: () => void;
+}
+
+interface State {
+  confirmSpaceName: string;
+  error: boolean | null;
+}
+
+export class ConfirmDeleteModal extends Component<Props, State> {
+  public state = {
+    confirmSpaceName: '',
+    error: null,
+  };
+
+  public render() {
+    const { space, spacesNavState, onCancel } = this.props;
+
+    let warning = null;
+    if (isDeletingCurrentSpace(space, spacesNavState)) {
+      const name = (
+        <span>
+          (<strong>{space.name}</strong>)
+        </span>
+      );
+      warning = (
+        <EuiCallOut color="warning">
+          <EuiText>
+            You are about to delete your current space {name}. You will be redirected to choose a
+            different space if you continue.
+          </EuiText>
+        </EuiCallOut>
+      );
+    }
+
+    return (
+      <EuiOverlayMask>
+        <EuiConfirmModal
+          buttonColor={'danger'}
+          cancelButtonText={'Cancel'}
+          confirmButtonText={'Delete space'}
+          onCancel={onCancel}
+          onConfirm={this.onConfirm}
+          title={`Delete space '${space.name}'`}
+          defaultFocusedButton={'cancel'}
+        >
+          <p>
+            Deleting a space permanently removes the space and all of its contents. You can't undo
+            this action.
+          </p>
+
+          <EuiFormRow
+            label={'Confirm space name'}
+            isInvalid={!!this.state.error}
+            error={'Space names do not match.'}
+          >
+            <EuiFieldText value={this.state.confirmSpaceName} onChange={this.onSpaceNameChange} />
+          </EuiFormRow>
+
+          {warning}
+        </EuiConfirmModal>
+      </EuiOverlayMask>
+    );
+  }
+
+  private onSpaceNameChange = (e: ChangeEvent<HTMLInputElement>) => {
+    if (typeof this.state.error === 'boolean') {
+      this.setState({
+        confirmSpaceName: e.target.value,
+        error: e.target.value !== this.props.space.name,
+      });
+    } else {
+      this.setState({
+        confirmSpaceName: e.target.value,
+      });
+    }
+  };
+
+  private onConfirm = async () => {
+    if (this.state.confirmSpaceName === this.props.space.name) {
+      const needsRedirect = isDeletingCurrentSpace(this.props.space, this.props.spacesNavState);
+      const spacesManager = this.props.spacesManager;
+
+      await this.props.onConfirm();
+      if (needsRedirect) {
+        spacesManager.redirectToSpaceSelector();
+      }
+    } else {
+      this.setState({
+        error: true,
+      });
+    }
+  };
+}
+
+function isDeletingCurrentSpace(space: Space, spacesNavState: any) {
+  return space.id === spacesNavState.getActiveSpace().id;
+}
diff --git a/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js b/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js
deleted file mode 100644
index 6cb6d596a19964..00000000000000
--- a/x-pack/plugins/spaces/public/views/management/components/delete_spaces_button.js
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React, { Component, Fragment } from 'react';
-import PropTypes from 'prop-types';
-import { ConfirmDeleteModal } from './confirm_delete_modal';
-import {
-  EuiButton
-} from '@elastic/eui';
-import { toastNotifications } from 'ui/notify';
-
-export class DeleteSpacesButton extends Component {
-  state = {
-    showConfirmModal: false
-  };
-
-  render() {
-    const numSpaces = this.props.spaces.length;
-
-    const buttonText = numSpaces > 1
-      ? `Delete ${numSpaces} spaces`
-      : `Delete space`;
-
-    return (
-      <Fragment>
-        <EuiButton color={'danger'} onClick={this.onDeleteClick}>
-          {buttonText}
-        </EuiButton>
-        {this.getConfirmDeleteModal()}
-      </Fragment>
-    );
-  }
-
-  onDeleteClick = () => {
-    this.setState({
-      showConfirmModal: true
-    });
-  };
-
-  getConfirmDeleteModal = () => {
-    if (!this.state.showConfirmModal) {
-      return null;
-    }
-
-    return (
-      <ConfirmDeleteModal
-        spaces={this.props.spaces}
-        onCancel={() => {
-          this.setState({
-            showConfirmModal: false
-          });
-        }}
-        onConfirm={this.deleteSpaces}
-      />
-    );
-  };
-
-  deleteSpaces = () => {
-    const {
-      spacesManager,
-      spaces,
-      spacesNavState,
-    } = this.props;
-
-    const deleteOperations = spaces.map(space => spacesManager.deleteSpace(space));
-
-    Promise.all(deleteOperations)
-      .then(() => {
-        this.setState({
-          showConfirmModal: false
-        });
-
-        const message = spaces.length > 1
-          ? `Deleted ${spaces.length} spaces.`
-          : `Deleted "${spaces[0].name}" space.`;
-
-        toastNotifications.addSuccess(message);
-
-        if (this.props.onDelete) {
-          this.props.onDelete();
-        }
-
-        spacesNavState.refreshSpacesList();
-
-      })
-      .catch(error => {
-        const {
-          message = ''
-        } = error.data || {};
-
-        toastNotifications.addDanger(`Error deleting space: ${message}`);
-      });
-  };
-}
-
-DeleteSpacesButton.propTypes = {
-  spaces: PropTypes.array.isRequired,
-  spacesManager: PropTypes.object.isRequired,
-  spacesNavState: PropTypes.object.isRequired,
-  onDelete: PropTypes.func
-};
diff --git a/x-pack/plugins/spaces/public/views/management/components/index.js b/x-pack/plugins/spaces/public/views/management/components/index.ts
similarity index 79%
rename from x-pack/plugins/spaces/public/views/management/components/index.js
rename to x-pack/plugins/spaces/public/views/management/components/index.ts
index e134461ee43a66..651455d00e9f28 100644
--- a/x-pack/plugins/spaces/public/views/management/components/index.js
+++ b/x-pack/plugins/spaces/public/views/management/components/index.ts
@@ -4,4 +4,4 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export { DeleteSpacesButton } from './delete_spaces_button';
+export { ConfirmDeleteModal } from './confirm_delete_modal';
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/delete_spaces_button.tsx b/x-pack/plugins/spaces/public/views/management/edit_space/delete_spaces_button.tsx
new file mode 100644
index 00000000000000..e255375baf85b8
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/delete_spaces_button.tsx
@@ -0,0 +1,113 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EuiButton, EuiButtonIcon, EuiButtonIconProps } from '@elastic/eui';
+import React, { Component, Fragment } from 'react';
+import { toastNotifications } from 'ui/notify';
+import { Space } from '../../../../common/model/space';
+import { SpacesManager } from '../../../lib/spaces_manager';
+import { ConfirmDeleteModal } from '../components/confirm_delete_modal';
+
+interface Props {
+  style?: 'button' | 'icon';
+  space: Space;
+  spacesManager: SpacesManager;
+  spacesNavState: any;
+  onDelete: () => void;
+}
+
+interface State {
+  showConfirmDeleteModal: boolean;
+  showConfirmRedirectModal: boolean;
+}
+
+export class DeleteSpacesButton extends Component<Props, State> {
+  public state = {
+    showConfirmDeleteModal: false,
+    showConfirmRedirectModal: false,
+  };
+
+  public render() {
+    const buttonText = `Delete space`;
+
+    let ButtonComponent: any = EuiButton;
+
+    const extraProps: EuiButtonIconProps = {};
+
+    if (this.props.style === 'icon') {
+      ButtonComponent = EuiButtonIcon;
+      extraProps.iconType = 'trash';
+    }
+
+    return (
+      <Fragment>
+        <ButtonComponent
+          color={'danger'}
+          onClick={this.onDeleteClick}
+          aria-label={'Delete this space'}
+          {...extraProps}
+        >
+          {buttonText}
+        </ButtonComponent>
+        {this.getConfirmDeleteModal()}
+      </Fragment>
+    );
+  }
+
+  public onDeleteClick = () => {
+    this.setState({
+      showConfirmDeleteModal: true,
+    });
+  };
+
+  public getConfirmDeleteModal = () => {
+    if (!this.state.showConfirmDeleteModal) {
+      return null;
+    }
+
+    const { spacesNavState, spacesManager } = this.props;
+
+    return (
+      <ConfirmDeleteModal
+        space={this.props.space}
+        spacesNavState={spacesNavState}
+        spacesManager={spacesManager}
+        onCancel={() => {
+          this.setState({
+            showConfirmDeleteModal: false,
+          });
+        }}
+        onConfirm={this.deleteSpaces}
+      />
+    );
+  };
+
+  public deleteSpaces = async () => {
+    const { spacesManager, space, spacesNavState } = this.props;
+
+    try {
+      await spacesManager.deleteSpace(space);
+    } catch (error) {
+      const { message: errorMessage = '' } = error.data || {};
+
+      toastNotifications.addDanger(`Error deleting space: ${errorMessage}`);
+    }
+
+    this.setState({
+      showConfirmDeleteModal: false,
+    });
+
+    const message = `Deleted "${space.name}" space.`;
+
+    toastNotifications.addSuccess(message);
+
+    if (this.props.onDelete) {
+      this.props.onDelete();
+    }
+
+    spacesNavState.refreshSpacesList();
+  };
+}
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
index a6afad557cc3e4..7524fa11dfd8d2 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
@@ -24,7 +24,7 @@ import {
   EuiLoadingSpinner,
 } from '@elastic/eui';
 
-import { DeleteSpacesButton } from '../components';
+import { DeleteSpacesButton } from './delete_spaces_button';
 import { SpaceAvatar } from '../../../components';
 
 import { Notifier, toastNotifications } from 'ui/notify';
@@ -215,7 +215,7 @@ export class ManageSpacePage extends Component {
       return (
         <EuiFlexItem grow={false}>
           <DeleteSpacesButton
-            spaces={[this.state.space]}
+            space={this.state.space}
             spacesManager={this.props.spacesManager}
             spacesNavState={this.props.spacesNavState}
             onDelete={this.backToSpacesList}
diff --git a/x-pack/plugins/spaces/public/views/management/index.js b/x-pack/plugins/spaces/public/views/management/index.ts
similarity index 93%
rename from x-pack/plugins/spaces/public/views/management/index.js
rename to x-pack/plugins/spaces/public/views/management/index.ts
index d3c161c89f1743..4e91aca8ef1305 100644
--- a/x-pack/plugins/spaces/public/views/management/index.js
+++ b/x-pack/plugins/spaces/public/views/management/index.ts
@@ -5,16 +5,16 @@
  */
 
 import 'plugins/spaces/views/management/page_routes';
-import routes from 'ui/routes';
-
+// @ts-ignore
 import { management } from 'ui/management';
+// @ts-ignore
+import routes from 'ui/routes';
 
 const MANAGE_SPACES_KEY = 'manage_spaces';
 
 routes.defaults(/\/management/, {
   resolve: {
-    spacesManagementSection: function () {
-
+    spacesManagementSection() {
       function getKibanaSection() {
         return management.getSection('kibana');
       }
@@ -24,7 +24,6 @@ routes.defaults(/\/management/, {
       }
 
       function ensureSpagesRegistered() {
-
         const kibanaSection = getKibanaSection();
 
         if (!kibanaSection.hasItem(MANAGE_SPACES_KEY)) {
@@ -40,6 +39,6 @@ routes.defaults(/\/management/, {
       deregisterSpaces();
 
       ensureSpagesRegistered();
-    }
-  }
+    },
+  },
 });
diff --git a/x-pack/plugins/spaces/public/views/management/manage_spaces.less b/x-pack/plugins/spaces/public/views/management/manage_spaces.less
index 4254ed90810027..15f085df6d1b6f 100644
--- a/x-pack/plugins/spaces/public/views/management/manage_spaces.less
+++ b/x-pack/plugins/spaces/public/views/management/manage_spaces.less
@@ -1,4 +1,4 @@
-.manageSpaces__application, .manageSpaces__.euiPanel, #manageSpacesReactRoot, .editSpacePage, .editSpacePage__content {
+.manageSpaces__application, .manageSpaces__.euiPanel, #manageSpacesReactRoot {
   background: #f5f5f5;
 }
 
@@ -10,7 +10,7 @@
   padding: 0;
 }
 
-.manageSpacePage {
+.manageSpacePage, .spacesGridPage {
   min-height: ~"calc(100vh - 70px)";
 }
 
diff --git a/x-pack/plugins/spaces/public/views/management/page_routes.js b/x-pack/plugins/spaces/public/views/management/page_routes.js
index 5a16ff72ffbcb0..07f97439184fea 100644
--- a/x-pack/plugins/spaces/public/views/management/page_routes.js
+++ b/x-pack/plugins/spaces/public/views/management/page_routes.js
@@ -20,11 +20,11 @@ const reactRootNodeId = 'manageSpacesReactRoot';
 
 routes.when('/management/spaces/list', {
   template,
-  controller: function ($scope, $http, chrome, spacesNavState) {
+  controller: function ($scope, $http, chrome, spacesNavState, spaceSelectorURL) {
     $scope.$$postDigest(() => {
       const domNode = document.getElementById(reactRootNodeId);
 
-      const spacesManager = new SpacesManager($http, chrome);
+      const spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
 
       render(<SpacesGridPage
         spacesManager={spacesManager}
@@ -41,11 +41,11 @@ routes.when('/management/spaces/list', {
 
 routes.when('/management/spaces/create', {
   template,
-  controller: function ($scope, $http, chrome, spacesNavState) {
+  controller: function ($scope, $http, chrome, spacesNavState, spaceSelectorURL) {
     $scope.$$postDigest(() => {
       const domNode = document.getElementById(reactRootNodeId);
 
-      const spacesManager = new SpacesManager($http, chrome);
+      const spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
 
       render(<ManageSpacePage
         spacesManager={spacesManager}
@@ -66,14 +66,14 @@ routes.when('/management/spaces/edit', {
 
 routes.when('/management/spaces/edit/:space', {
   template,
-  controller: function ($scope, $http, $route, chrome, spacesNavState) {
+  controller: function ($scope, $http, $route, chrome, spacesNavState, spaceSelectorURL) {
     $scope.$$postDigest(() => {
 
       const domNode = document.getElementById(reactRootNodeId);
 
       const { space } = $route.current.params;
 
-      const spacesManager = new SpacesManager($http, chrome);
+      const spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
 
       render(<ManageSpacePage
         httpAgent={$http}
diff --git a/x-pack/plugins/spaces/public/views/management/spaces_grid/index.js b/x-pack/plugins/spaces/public/views/management/spaces_grid/index.ts
similarity index 82%
rename from x-pack/plugins/spaces/public/views/management/spaces_grid/index.js
rename to x-pack/plugins/spaces/public/views/management/spaces_grid/index.ts
index ec688bbf260a60..1aead143e5d572 100644
--- a/x-pack/plugins/spaces/public/views/management/spaces_grid/index.js
+++ b/x-pack/plugins/spaces/public/views/management/spaces_grid/index.ts
@@ -3,4 +3,4 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-export { SpacesGridPage } from './spaces_grid_page';
\ No newline at end of file
+export { SpacesGridPage } from './spaces_grid_page';
diff --git a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
deleted file mode 100644
index 93e2dbe722bf7e..00000000000000
--- a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.js
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React, { Component } from 'react';
-import PropTypes from 'prop-types';
-
-import {
-  EuiPage,
-  EuiPageContent,
-  EuiInMemoryTable,
-  EuiFlexGroup,
-  EuiFlexItem,
-  EuiText,
-  EuiButton,
-  EuiSpacer,
-  EuiLink,
-} from '@elastic/eui';
-
-import { DeleteSpacesButton } from '../components';
-import { isReservedSpace } from '../../../../common';
-
-export class SpacesGridPage extends Component {
-  state = {
-    selectedSpaces: [],
-    spaces: [],
-    loading: true
-  };
-
-  componentDidMount() {
-    this.loadGrid();
-  }
-
-  render() {
-    return (
-      <EuiPage>
-        <EuiPageContent>
-          <EuiFlexGroup justifyContent={'spaceBetween'}>
-            <EuiFlexItem grow={false}>
-              <EuiText><h1>Spaces</h1></EuiText>
-            </EuiFlexItem>
-            <EuiFlexItem grow={false}>{this.getPrimaryActionButton()}</EuiFlexItem>
-          </EuiFlexGroup>
-          <EuiSpacer size={'xl'} />
-
-          <EuiInMemoryTable
-            itemId={"id"}
-            items={this.state.spaces}
-            columns={this.getColumnConfig()}
-            selection={{
-              selectable: (space) => !isReservedSpace(space),
-              onSelectionChange: this.onSelectionChange
-            }}
-            pagination={true}
-            search={{
-              box: {
-                placeholder: 'Search'
-              }
-            }}
-            loading={this.state.loading}
-            message={this.state.loading ? "loading..." : undefined}
-          />
-        </EuiPageContent>
-      </EuiPage>
-    );
-  }
-
-  getPrimaryActionButton() {
-    if (this.state.selectedSpaces.length > 0) {
-      return (
-        <DeleteSpacesButton
-          spaces={this.state.selectedSpaces}
-          spacesManager={this.props.spacesManager}
-          spacesNavState={this.props.spacesNavState}
-          onDelete={this.loadGrid}
-        />
-      );
-    }
-
-    return (
-      <EuiButton fill onClick={() => { window.location.hash = `#/management/spaces/create`; }}>Create space</EuiButton>
-    );
-  }
-
-  loadGrid = () => {
-    const {
-      spacesManager
-    } = this.props;
-
-    this.setState({
-      loading: true,
-      selectedSpaces: [],
-      spaces: []
-    });
-
-    const setSpaces = (spaces) => {
-      this.setState({
-        loading: false,
-        spaces,
-      });
-    };
-
-    spacesManager.getSpaces()
-      .then(spaces => {
-        setSpaces(spaces);
-      })
-      .catch(error => {
-        this.setState({
-          loading: false,
-          error
-        });
-      });
-  };
-
-  getColumnConfig() {
-    return [{
-      field: 'name',
-      name: 'Space',
-      sortable: true,
-      render: (value, record) => {
-        return (
-          <EuiLink onClick={() => { window.location.hash = `#/management/spaces/edit/${encodeURIComponent(record.id)}`; }}>
-            {value}
-          </EuiLink>
-        );
-      }
-    }, {
-      field: 'id',
-      name: 'Identifier',
-      sortable: true
-    }, {
-      field: 'description',
-      name: 'Description',
-      sortable: true
-    }];
-  }
-
-  onSelectionChange = (selectedSpaces) => {
-    this.setState({ selectedSpaces });
-  };
-}
-
-SpacesGridPage.propTypes = {
-  spacesManager: PropTypes.object.isRequired,
-  spacesNavState: PropTypes.object.isRequired,
-};
diff --git a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx
new file mode 100644
index 00000000000000..83a7d4149a25d6
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx
@@ -0,0 +1,259 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { Component } from 'react';
+
+import {
+  EuiButton,
+  EuiFlexGroup,
+  EuiFlexItem,
+  // @ts-ignore
+  EuiInMemoryTable,
+  EuiLink,
+  EuiPage,
+  EuiPageBody,
+  EuiPageContent,
+  EuiSpacer,
+  EuiText,
+} from '@elastic/eui';
+
+import { toastNotifications } from 'ui/notify';
+
+import { isReservedSpace } from '../../../../common';
+import { Space } from '../../../../common/model/space';
+import { SpaceAvatar } from '../../../components';
+import { SpacesManager } from '../../../lib/spaces_manager';
+import { ConfirmDeleteModal } from '../components/confirm_delete_modal';
+
+interface Props {
+  spacesManager: SpacesManager;
+  spacesNavState: any;
+}
+
+interface State {
+  spaces: Space[];
+  loading: boolean;
+  showConfirmDeleteModal: boolean;
+  selectedSpace: Space | null;
+  error: Error | null;
+}
+
+export class SpacesGridPage extends Component<Props, State> {
+  constructor(props: Props) {
+    super(props);
+    this.state = {
+      spaces: [],
+      loading: true,
+      showConfirmDeleteModal: false,
+      selectedSpace: null,
+      error: null,
+    };
+  }
+
+  public componentDidMount() {
+    this.loadGrid();
+  }
+
+  public render() {
+    return (
+      <EuiPage restrictWidth className="spacesGridPage">
+        <EuiPageBody>
+          <EuiPageContent horizontalPosition="center">
+            <EuiFlexGroup justifyContent={'spaceBetween'}>
+              <EuiFlexItem grow={false}>
+                <EuiText>
+                  <h1>Spaces</h1>
+                </EuiText>
+              </EuiFlexItem>
+              <EuiFlexItem grow={false}>{this.getPrimaryActionButton()}</EuiFlexItem>
+            </EuiFlexGroup>
+            <EuiSpacer size={'xl'} />
+
+            <EuiInMemoryTable
+              itemId={'id'}
+              items={this.state.spaces}
+              columns={this.getColumnConfig()}
+              hasActions
+              pagination={true}
+              search={{
+                box: {
+                  placeholder: 'Search',
+                },
+              }}
+              loading={this.state.loading}
+              message={this.state.loading ? 'loading...' : undefined}
+            />
+          </EuiPageContent>
+        </EuiPageBody>
+        {this.getConfirmDeleteModal()}
+      </EuiPage>
+    );
+  }
+
+  public getPrimaryActionButton() {
+    return (
+      <EuiButton
+        fill
+        onClick={() => {
+          window.location.hash = `#/management/spaces/create`;
+        }}
+      >
+        Create space
+      </EuiButton>
+    );
+  }
+
+  public getConfirmDeleteModal = () => {
+    if (!this.state.showConfirmDeleteModal || !this.state.selectedSpace) {
+      return null;
+    }
+
+    const { spacesNavState, spacesManager } = this.props;
+
+    return (
+      <ConfirmDeleteModal
+        space={this.state.selectedSpace}
+        spacesNavState={spacesNavState}
+        spacesManager={spacesManager}
+        onCancel={() => {
+          this.setState({
+            showConfirmDeleteModal: false,
+          });
+        }}
+        onConfirm={this.deleteSpace}
+      />
+    );
+  };
+
+  public deleteSpace = async () => {
+    const { spacesManager, spacesNavState } = this.props;
+
+    const space = this.state.selectedSpace;
+
+    if (!space) {
+      return;
+    }
+
+    try {
+      await spacesManager.deleteSpace(space);
+    } catch (error) {
+      const { message: errorMessage = '' } = error.data || {};
+
+      toastNotifications.addDanger(`Error deleting space: ${errorMessage}`);
+    }
+
+    this.setState({
+      showConfirmDeleteModal: false,
+    });
+
+    this.loadGrid();
+
+    const message = `Deleted "${space.name}" space.`;
+
+    toastNotifications.addSuccess(message);
+
+    spacesNavState.refreshSpacesList();
+  };
+
+  public loadGrid = () => {
+    const { spacesManager } = this.props;
+
+    this.setState({
+      loading: true,
+      spaces: [],
+    });
+
+    const setSpaces = (spaces: Space[]) => {
+      this.setState({
+        loading: false,
+        spaces,
+      });
+    };
+
+    spacesManager
+      .getSpaces()
+      .then(spaces => {
+        setSpaces(spaces);
+      })
+      .catch(error => {
+        this.setState({
+          loading: false,
+          error,
+        });
+      });
+  };
+
+  public getColumnConfig() {
+    return [
+      {
+        field: 'name',
+        name: 'Space',
+        sortable: true,
+        render: (value: string, record: Space) => {
+          return (
+            <EuiLink
+              onClick={() => {
+                this.onEditSpaceClick(record);
+              }}
+            >
+              <EuiFlexGroup gutterSize="s" responsive={false} alignItems={'center'}>
+                <EuiFlexItem grow={false}>
+                  <SpaceAvatar space={record} size="s" />
+                </EuiFlexItem>
+                <EuiFlexItem>
+                  <EuiText>{record.name}</EuiText>
+                </EuiFlexItem>
+              </EuiFlexGroup>
+            </EuiLink>
+          );
+        },
+      },
+      {
+        field: 'id',
+        name: 'Identifier',
+        sortable: true,
+      },
+      {
+        field: 'description',
+        name: 'Description',
+        sortable: true,
+      },
+      {
+        name: 'Actions',
+        actions: [
+          {
+            name: 'Edit',
+            description: 'Edit this space.',
+            onClick: this.onEditSpaceClick,
+            type: 'icon',
+            icon: 'pencil',
+            color: 'primary',
+          },
+          {
+            available: (record: Space) => !isReservedSpace(record),
+            name: 'Delete',
+            description: 'Delete this space.',
+            onClick: this.onDeleteSpaceClick,
+            type: 'icon',
+            icon: 'trash',
+            color: 'danger',
+          },
+        ],
+      },
+    ];
+  }
+
+  private onEditSpaceClick = (space: Space) => {
+    window.location.hash = `#/management/spaces/edit/${encodeURIComponent(space.id)}`;
+  };
+
+  private onDeleteSpaceClick = (space: Space) => {
+    this.setState({
+      selectedSpace: space,
+      showConfirmDeleteModal: true,
+    });
+  };
+}
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
index e0d3cfa90f4835..c1599ed1a6bc5a 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
@@ -25,10 +25,10 @@ const module = uiModules.get('spaces_nav', ['kibana']);
 
 let spacesManager;
 
-module.controller('spacesNavController', ($scope, $http, chrome, activeSpace) => {
+module.controller('spacesNavController', ($scope, $http, chrome, activeSpace, spaceSelectorURL) => {
   const domNode = document.getElementById(`spacesNavReactRoot`);
 
-  spacesManager = new SpacesManager($http, chrome);
+  spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
 
   let mounted = false;
 
@@ -47,8 +47,11 @@ module.controller('spacesNavController', ($scope, $http, chrome, activeSpace) =>
 
 });
 
-module.service('spacesNavState', () => {
+module.service('spacesNavState', (activeSpace) => {
   return {
+    getActiveSpace: () => {
+      return activeSpace.space;
+    },
     refreshSpacesList: () => {
       if (spacesManager) {
         spacesManager.requestRefresh();
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
index ea7a2d0ca4465c..6bd643de0f3f1c 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
@@ -22,19 +22,22 @@ interface Props {
 }
 
 interface State {
-  isOpen: boolean;
+  showSpaceSelector: boolean;
   loading: boolean;
-  activeSpaceExists: boolean;
+  activeSpace: Space | null;
   spaces: Space[];
 }
 
 export class NavControlPopover extends Component<Props, State> {
-  public state = {
-    isOpen: false,
-    loading: false,
-    activeSpaceExists: true,
-    spaces: [],
-  };
+  constructor(props: Props) {
+    super(props);
+    this.state = {
+      showSpaceSelector: false,
+      loading: false,
+      activeSpace: props.activeSpace.space,
+      spaces: [],
+    };
+  }
 
   public componentDidMount() {
     this.loadSpaces();
@@ -63,8 +66,8 @@ export class NavControlPopover extends Component<Props, State> {
       <EuiPopover
         id={'spacesMenuPopover'}
         button={button}
-        isOpen={this.state.isOpen}
-        closePopover={this.closePortal}
+        isOpen={this.state.showSpaceSelector}
+        closePopover={this.closeSpaceSelector}
         anchorPosition={'rightCenter'}
         panelPaddingSize="none"
         ownFocus
@@ -83,46 +86,41 @@ export class NavControlPopover extends Component<Props, State> {
 
     const spaces = await spacesManager.getSpaces();
 
-    let activeSpaceExists = this.state.activeSpaceExists;
+    // Update the active space definition, if it changed since the last load operation
+    let activeSpaceEntry: Space | null = activeSpace.space;
+
     if (activeSpace.valid) {
-      activeSpaceExists = !!spaces.find(space => space.id === this.props.activeSpace.space.id);
+      activeSpaceEntry = spaces.find(space => space.id === this.props.activeSpace.space.id) || null;
     }
 
     this.setState({
       spaces,
-      activeSpaceExists,
-      isOpen: this.state.isOpen || !activeSpaceExists,
+      activeSpace: activeSpaceEntry,
       loading: false,
     });
   }
 
   private getActiveSpaceButton = () => {
-    const { activeSpace } = this.props;
+    const { activeSpace } = this.state;
 
     if (!activeSpace) {
-      return null;
-    }
-
-    if (activeSpace.valid && activeSpace.space) {
-      return this.getButton(
-        <SpaceAvatar space={activeSpace.space} size={'s'} className={'spaceNavGraphic'} />,
-        activeSpace.space.name
-      );
-    } else if (activeSpace.error) {
       return this.getButton(
         <EuiAvatar size={'s'} className={'spaceNavGraphic'} name={'error'} />,
         'error'
       );
     }
 
-    return null;
+    return this.getButton(
+      <SpaceAvatar space={activeSpace} size={'s'} className={'spaceNavGraphic'} />,
+      (activeSpace as Space).name
+    );
   };
 
   private getButton = (linkIcon: JSX.Element, linkTitle: string) => {
     // Mimics the current angular-based navigation link
     return (
       <div className="global-nav-link">
-        <a className="global-nav-link__anchor" onClick={this.togglePortal}>
+        <a className="global-nav-link__anchor" onClick={this.toggleSpaceSelector}>
           <div className="global-nav-link__icon"> {linkIcon} </div>
           <div className="global-nav-link__title"> {linkTitle} </div>
         </a>
@@ -130,20 +128,20 @@ export class NavControlPopover extends Component<Props, State> {
     );
   };
 
-  private togglePortal = () => {
-    const isOpening = !this.state.isOpen;
+  private toggleSpaceSelector = () => {
+    const isOpening = !this.state.showSpaceSelector;
     if (isOpening) {
       this.loadSpaces();
     }
 
     this.setState({
-      isOpen: !this.state.isOpen,
+      showSpaceSelector: !this.state.showSpaceSelector,
     });
   };
 
-  private closePortal = () => {
+  private closeSpaceSelector = () => {
     this.setState({
-      isOpen: false,
+      showSpaceSelector: false,
     });
   };
 
diff --git a/x-pack/plugins/spaces/public/views/space_selector/index.js b/x-pack/plugins/spaces/public/views/space_selector/index.js
index 21bc86bee93c28..210e8ac8d5f829 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/index.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/index.js
@@ -16,10 +16,10 @@ import { render, unmountComponentAtNode } from 'react-dom';
 import { SpaceSelector } from './space_selector';
 
 const module = uiModules.get('spaces_selector', []);
-module.controller('spacesSelectorController', ($scope, $http, spaces) => {
+module.controller('spacesSelectorController', ($scope, $http, spaces, spaceSelectorURL) => {
   const domNode = document.getElementById('spaceSelectorRoot');
 
-  const spacesManager = new SpacesManager($http, chrome);
+  const spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
 
   render(<SpaceSelector spaces={spaces} spacesManager={spacesManager} />, domNode);
 

From 2d0b1ed9d31d6a391121165540e10819e8f0f2e6 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 10 Sep 2018 07:40:15 -0400
Subject: [PATCH 123/183] update snapshot

---
 .../space_selector/__snapshots__/space_selector.test.js.snap   | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
index 21662970fe240d..9f747481e626ea 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
@@ -3,11 +3,9 @@
 exports[`it renders without crashing 1`] = `
 <div
   className="euiPage spaceSelector__page"
-  style={undefined}
 >
   <div
     className="euiPageBody"
-    style={undefined}
   >
     <div
       className="euiPageHeader euiPageHeader--responsive spaceSelector__heading"
@@ -27,7 +25,6 @@ exports[`it renders without crashing 1`] = `
                 "fill": undefined,
               }
             }
-            tabIndex={undefined}
             viewBox="0 0 30 40"
             width="30"
             xmlns="http://www.w3.org/2000/svg"

From 493b3dfae8d91cdc831b416d83b25413317bb71e Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 10 Sep 2018 09:45:10 -0400
Subject: [PATCH 124/183] fix failing test

---
 src/ui/public/chrome/api/__tests__/nav.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/ui/public/chrome/api/__tests__/nav.js b/src/ui/public/chrome/api/__tests__/nav.js
index 169c9546a4a37e..1ca5f2689590d5 100644
--- a/src/ui/public/chrome/api/__tests__/nav.js
+++ b/src/ui/public/chrome/api/__tests__/nav.js
@@ -27,6 +27,7 @@ const basePath = '/someBasePath';
 
 function init(customInternals = { basePath }) {
   const chrome = {
+    addBasePath: (path) => path,
     getBasePath: () => customInternals.basePath || '',
   };
   const internals = {
@@ -39,7 +40,7 @@ function init(customInternals = { basePath }) {
 
 describe('chrome nav apis', function () {
   describe('#getNavLinkById', () => {
-    it ('retrieves the correct nav link, given its ID', () => {
+    it('retrieves the correct nav link, given its ID', () => {
       const appUrlStore = new StubBrowserStorage();
       const nav = [
         { id: 'kibana:discover', title: 'Discover' }
@@ -52,7 +53,7 @@ describe('chrome nav apis', function () {
       expect(navLink).to.eql(nav[0]);
     });
 
-    it ('throws an error if the nav link with the given ID is not found', () => {
+    it('throws an error if the nav link with the given ID is not found', () => {
       const appUrlStore = new StubBrowserStorage();
       const nav = [
         { id: 'kibana:discover', title: 'Discover' }

From 778f69fb84559e1366a2e7ff5586f1b226bf5c89 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 10 Sep 2018 09:53:07 -0400
Subject: [PATCH 125/183] fix getSortingParameters when an array of length 1 is
 specified

---
 .../service/lib/search_dsl/sorting_params.js  | 33 +++++++++++--------
 .../lib/search_dsl/sorting_params.test.js     | 15 +++++++++
 2 files changed, 34 insertions(+), 14 deletions(-)

diff --git a/src/server/saved_objects/service/lib/search_dsl/sorting_params.js b/src/server/saved_objects/service/lib/search_dsl/sorting_params.js
index b977924ff62c50..bf22e2818939c6 100644
--- a/src/server/saved_objects/service/lib/search_dsl/sorting_params.js
+++ b/src/server/saved_objects/service/lib/search_dsl/sorting_params.js
@@ -26,24 +26,29 @@ export function getSortingParams(mappings, type, sortField, sortOrder) {
     return {};
   }
 
+  let typeField = type;
+
   if (Array.isArray(type)) {
-    const rootField = getProperty(mappings, sortField);
-    if (!rootField) {
-      throw Boom.badRequest(`Unable to sort multiple types by field ${sortField}, not a root property`);
-    }
+    if (type.length === 1) {
+      typeField = type[0];
+    } else {
+      const rootField = getProperty(mappings, sortField);
+      if (!rootField) {
+        throw Boom.badRequest(`Unable to sort multiple types by field ${sortField}, not a root property`);
+      }
 
-    return {
-      sort: [{
-        [sortField]: {
-          order: sortOrder,
-          unmapped_type: rootField.type
-        }
-      }]
-    };
+      return {
+        sort: [{
+          [sortField]: {
+            order: sortOrder,
+            unmapped_type: rootField.type
+          }
+        }]
+      };
+    }
   }
 
-
-  const key = `${type}.${sortField}`;
+  const key = `${typeField}.${sortField}`;
   const field = getProperty(mappings, key);
   if (!field) {
     throw Boom.badRequest(`Unknown sort field ${sortField}`);
diff --git a/src/server/saved_objects/service/lib/search_dsl/sorting_params.test.js b/src/server/saved_objects/service/lib/search_dsl/sorting_params.test.js
index a7ff1041f313a5..71833f13956591 100644
--- a/src/server/saved_objects/service/lib/search_dsl/sorting_params.test.js
+++ b/src/server/saved_objects/service/lib/search_dsl/sorting_params.test.js
@@ -138,6 +138,21 @@ describe('searchDsl/getSortParams', () => {
           });
       });
     });
+    describe('sortField is multi-field with single type as array', () => {
+      it('returns correct params', () => {
+        expect(getSortingParams(MAPPINGS, ['saved'], 'title.raw'))
+          .toEqual({
+            sort: [
+              {
+                'saved.title.raw': {
+                  order: undefined,
+                  unmapped_type: 'keyword'
+                }
+              }
+            ]
+          });
+      });
+    });
     describe('sortField is root multi-field with multiple types', () => {
       it('returns correct params', () => {
         expect(getSortingParams(MAPPINGS, ['saved', 'pending'], 'type.raw'))

From 1a76bfe31ea6de3f8d0234c6a4ba5bd998a4e64e Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 10 Sep 2018 10:47:42 -0400
Subject: [PATCH 126/183] make basePath space aware again

---
 src/ui/ui_render/ui_render_mixin.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ui/ui_render/ui_render_mixin.js b/src/ui/ui_render/ui_render_mixin.js
index e2f586921d2e45..4ee7c38db788f9 100644
--- a/src/ui/ui_render/ui_render_mixin.js
+++ b/src/ui/ui_render/ui_render_mixin.js
@@ -139,7 +139,7 @@ export function uiRenderMixin(kbnServer, server, config) {
     try {
       const request = reply.request;
       const translations = await server.getUiTranslations();
-      const basePath = config.get('server.basePath');
+      const basePath = request.getBasePath();
 
       return reply.view('ui_app', {
         uiPublicUrl: `${basePath}/ui`,

From 2c13b0ee1a6e66b139a2974d07b15a9539415f4b Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Mon, 10 Sep 2018 11:41:07 -0400
Subject: [PATCH 127/183] update tests

---
 .../public/explorer/explorer_charts/explorer_chart.test.js | 6 ++++++
 .../explorer_charts/explorer_charts_container.test.js      | 6 ++++++
 .../explorer_charts_container_service.test.js              | 7 +++++++
 .../telemetry/__snapshots__/telemetry_form.test.js.snap    | 4 ++--
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/ml/public/explorer/explorer_charts/explorer_chart.test.js b/x-pack/plugins/ml/public/explorer/explorer_charts/explorer_chart.test.js
index cf28917c47a9a3..2638a62275ac4b 100644
--- a/x-pack/plugins/ml/public/explorer/explorer_charts/explorer_chart.test.js
+++ b/x-pack/plugins/ml/public/explorer/explorer_charts/explorer_chart.test.js
@@ -21,6 +21,12 @@ jest.mock('../../services/field_format_service', () => ({
     getFieldFormat: jest.fn()
   }
 }));
+jest.mock('ui/chrome', () => ({
+  getBasePath: (path) => path,
+  getUiSettingsClient: () => ({
+    get: () => null
+  }),
+}));
 
 import { mount } from 'enzyme';
 import React from 'react';
diff --git a/x-pack/plugins/ml/public/explorer/explorer_charts/explorer_charts_container.test.js b/x-pack/plugins/ml/public/explorer/explorer_charts/explorer_charts_container.test.js
index 073cee8632ebd4..c91bfc43fc0266 100644
--- a/x-pack/plugins/ml/public/explorer/explorer_charts/explorer_charts_container.test.js
+++ b/x-pack/plugins/ml/public/explorer/explorer_charts/explorer_charts_container.test.js
@@ -21,6 +21,12 @@ jest.mock('../../services/field_format_service', () => ({
     getFieldFormat: jest.fn()
   }
 }));
+jest.mock('ui/chrome', () => ({
+  getBasePath: (path) => path,
+  getUiSettingsClient: () => ({
+    get: () => null
+  }),
+}));
 
 import { shallow } from 'enzyme';
 import React from 'react';
diff --git a/x-pack/plugins/ml/public/explorer/explorer_charts/explorer_charts_container_service.test.js b/x-pack/plugins/ml/public/explorer/explorer_charts/explorer_charts_container_service.test.js
index 6978494e151d21..df97ff35bd07b3 100644
--- a/x-pack/plugins/ml/public/explorer/explorer_charts/explorer_charts_container_service.test.js
+++ b/x-pack/plugins/ml/public/explorer/explorer_charts/explorer_charts_container_service.test.js
@@ -34,6 +34,13 @@ jest.mock('../../util/string_utils', () => ({
   mlEscape(d) { return d; }
 }));
 
+jest.mock('ui/chrome', () => ({
+  getBasePath: (path) => path,
+  getUiSettingsClient: () => ({
+    get: () => null
+  }),
+}));
+
 const mockMlSelectSeverityService = {
   state: {
     get() { return { display: 'warning', val: 0 }; }
diff --git a/x-pack/plugins/xpack_main/public/components/telemetry/__snapshots__/telemetry_form.test.js.snap b/x-pack/plugins/xpack_main/public/components/telemetry/__snapshots__/telemetry_form.test.js.snap
index a24872ec6c4fdf..746077c03821c2 100644
--- a/x-pack/plugins/xpack_main/public/components/telemetry/__snapshots__/telemetry_form.test.js.snap
+++ b/x-pack/plugins/xpack_main/public/components/telemetry/__snapshots__/telemetry_form.test.js.snap
@@ -39,7 +39,7 @@ exports[`TelemetryForm renders as expected 1`] = `
         setting={
           Object {
             "defVal": false,
-            "description": <UNDEFINED>
+            "description": <React.Fragment>
               <p>
                 Help us improve the Elastic Stack by providing usage statistics for basic features. We will not share this data outside of Elastic.
               </p>
@@ -62,7 +62,7 @@ exports[`TelemetryForm renders as expected 1`] = `
                   Read our usage data privacy statement
                 </EuiLink>
               </p>
-            </UNDEFINED>,
+            </React.Fragment>,
             "type": "boolean",
             "value": false,
           }

From a582cb145ab1fd8e38deffb4360da4728bb05d2f Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Tue, 11 Sep 2018 12:55:04 -0400
Subject: [PATCH 128/183] improve default space color

---
 x-pack/plugins/spaces/server/lib/create_default_space.js      | 1 +
 x-pack/plugins/spaces/server/lib/create_default_space.test.js | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.js b/x-pack/plugins/spaces/server/lib/create_default_space.js
index 949e1fd8bbf2a1..625b9229f9bd00 100644
--- a/x-pack/plugins/spaces/server/lib/create_default_space.js
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.js
@@ -27,6 +27,7 @@ export async function createDefaultSpace(server) {
   await savedObjectsRepository.create('space', {
     name: 'Default',
     description: 'This is your default space!',
+    color: '#00bfb3',
     _reserved: true
   }, options);
 }
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.test.js b/x-pack/plugins/spaces/server/lib/create_default_space.test.js
index 874c5023b197f2..a3afd24bb95fc7 100644
--- a/x-pack/plugins/spaces/server/lib/create_default_space.test.js
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.test.js
@@ -78,7 +78,7 @@ test(`it creates the default space when one does not exist`, async () => {
   expect(repository.create).toHaveBeenCalledTimes(1);
   expect(repository.create).toHaveBeenCalledWith(
     'space',
-    { "_reserved": true, "description": "This is your default space!", "name": "Default" },
+    { "_reserved": true, "description": "This is your default space!", "name": "Default", "color": "#00bfb3" },
     { "id": "default" }
   );
 });

From e9542a6e85647c6588dad265fe552ba113011504 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Tue, 11 Sep 2018 17:11:29 -0400
Subject: [PATCH 129/183] add chrome mock

---
 .../plugins/ml/public/explorer/explorer_swimlane.test.js   | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/x-pack/plugins/ml/public/explorer/explorer_swimlane.test.js b/x-pack/plugins/ml/public/explorer/explorer_swimlane.test.js
index 46ecaf020badb8..53900b5880c654 100644
--- a/x-pack/plugins/ml/public/explorer/explorer_swimlane.test.js
+++ b/x-pack/plugins/ml/public/explorer/explorer_swimlane.test.js
@@ -12,6 +12,13 @@ import React from 'react';
 
 import { ExplorerSwimlane } from './explorer_swimlane';
 
+jest.mock('ui/chrome', () => ({
+  getBasePath: path => path,
+  getUiSettingsClient: () => ({
+    get: jest.fn()
+  }),
+}));
+
 function getExplorerSwimlaneMocks() {
   const appState = {
     mlExplorerSwimlane: {},

From b90b30f37be9b67e9f0549283d218e62b066ceea Mon Sep 17 00:00:00 2001
From: Brandon Kobel <brandon.kobel@gmail.com>
Date: Wed, 12 Sep 2018 17:01:11 -0400
Subject: [PATCH 130/183] [WIP] Securing Spaces (#21995)

* Splitting to a client and a wrapper, integation tests are passing
without spaces

* Adding the spaces wrapper back in the mix using a priority collection

* Restructuring the secure wrapper as we don't need to switch between
repositories

* Checking authorization at the current space

* Beginning to make the rbac api integration tests run against spaces

* Adding identical data to the rbac esArchives for two more spaces

* Adding some space tests for find

* Beginning to work on the spaces client

* Fixing find and filtering out unrequested privileges from response

* Adding get code and test

* Introducing an RBAC Auth Scope

* Exposing the spacesClient a bit better

* Moving the server.expose to the security plugin init

* Moving checkPrivilegesAtAllResources to it's own thing

* No longer using the auth scope for RBAC, dashboard mode didn't work with
it

* Securing the create space method

* Adding secure update method

* Adding secured delete endpoints

* Restructuring some code in the spaces client

* Adding tests for the select endpoint

* Spaces can't be managed via the SavedObjectsClient now

* Creating separate space_all and space_read privileges

* Splitting out the spaces and global privileges

* Fixing edit role screen after API changes

* Revising comment, there is a Set in JavaScript now, but lodash can't
equal them

* Using authorization mode to log deprecation warning on login

* Changing the signature of checkPrivileges

We're now using the legacy fallback when there are no application
privileges. This improves performance at the sake of legacy 403s being
displayed to users who have no application privileges.

* Refactoring the way we specify resources when checking privileges

* Exposing the space service more intuitively

* Fixing comments

* Security defines all actions

* Renaming `response` returned by the checkPrivileges function

* Hard-coding the kibana app privileges teporarily

* Adding Authenticator authorization mode tests

* Adding actions.manageSpaces tests

* Adding check privileges tests

* Fixing checkPrivileges test snapshots

* Making sure tests fail until I correct this deficiency

* Adding stubbed out authorization mode tests

* Fixing tests for RegisterPrivilegesWithCluster

* Fixing service AuthorizationService tests

* Addinng serializer tests

* Adding validateEsResponse tests

* We don't need the SecureSavedObjectsClient anymore!

* Adding SecureSavedObjectsClientWrapper tests...

* Fixing a few stray tests

* Fixing issue when user isn't authenticated and check useRbacForRequest

* Validating spaces we're adding to roles

* Reusing hasAnyPrivileges from hasAnyResourcePrivileges

* Better variable name

* toArray -> toPrioritizedArray

* Using Space throughout the SpacesClient

* GetActiveSpace uses the SpacesClient now

* Squashed commit of the following:

commit 23515b1a5c0866c5d3d5ebf5115526b28deb8ebe
Author: kobelb <brandon.kobel@elastic.co>
Date:   Mon Sep 10 06:57:58 2018 -0400

    Adding more users to the spaces tests

commit 4bbde73764a51b042eb2dc2645c5380f9f0e8f16
Author: kobelb <brandon.kobel@elastic.co>
Date:   Mon Sep 10 06:09:35 2018 -0400

    Adding not space aware get tests

commit 5d11befe9bdd826ed5e09810cb7ed27e777dd12e
Author: kobelb <brandon.kobel@elastic.co>
Date:   Sat Sep 8 14:06:20 2018 -0400

    Adding not space aware test to find

commit f9383fdbe9f3e1376c5c635e44ca528a7e747b14
Author: kobelb <brandon.kobel@elastic.co>
Date:   Sat Sep 8 13:49:04 2018 -0400

    Adding bulk create tests and testing non space aware type with bulkGet

commit 5388b5aefdbb07d653005d6a973576d22ac1ef91
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 16:18:04 2018 -0400

    Adding bulk create test

commit 06742630d482989e215a7917be11662dfae74096
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 15:58:21 2018 -0400

    Ignoring some modules

commit 6b011d3b0721afc89f7c6c8b092f69fee325027d
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 15:55:58 2018 -0400

    Making the users match for saved objects security and spaces

commit de2f9943785601712ff491fd2331c4d78b69010d
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 14:18:53 2018 -0400

    Making the space suites define their own test expectations

commit 5407866259437c254b34d34bf31fc390c1b88723
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 13:15:46 2018 -0400

    Removing redundant spaces folder

commit 9913923d35101861cbee6a8cf7ddbb37bcd821c7
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 13:14:45 2018 -0400

    Removing unneeded objects from the esarchive

commit bc602b1dee1b5cfa8d3d323477ff7ccd2da8ce0e
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 13:08:12 2018 -0400

    Moving some tests around

commit 7fec3083da6dacb2a3819beda71d45847535d9dd
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 12:38:23 2018 -0400

    Deleting rbac_api_integration tests, they've been migrated elsewhere

commit 29c018ea12c1a6c2ecfd32c1b0b2d944e0737e44
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 10:01:16 2018 -0400

    Importing SuperTest where needed

commit 38d2e74fe8ea2dd00d589035fbae96793b8c568b
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 08:44:53 2018 -0400

    Removing the "saved_objects" folder

commit 70eada461d2f569f7477467f80a9ed579cfe8dda
Merge: 1b2708fb59 902343142d
Author: Brandon Kobel <brandon.kobel@gmail.com>
Date:   Fri Sep 7 10:04:03 2018 -0400

    Merge pull request #4 from legrego/spaces-api-tests

    Initial round of spaces api testing

commit 902343142d732119be28bdc088097380805fc64e
Merge: 6410f72693 1b2708fb59
Author: Larry Gregory <larry.gregory@elastic.co>
Date:   Fri Sep 7 09:37:57 2018 -0400

    Merge remote-tracking branch 'kobelb/spaces/securing-api-tests' into spaces-api-tests

commit 1b2708fb599dd6ed08025967f03b3bd4505c9cd6
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 08:17:25 2018 -0400

    Even more typescript

commit 369a4290e1721d693e697b9e89e7f69b6c8bf26c
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 08:08:28 2018 -0400

    Typescriptifying Get

commit f53f2aba059e82ee5534dce8c4d1269230addf0f
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 08:01:48 2018 -0400

    Typescriptifying Find

commit f707e03bd9db1445b56b85a182f18a3092affdba
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 07:55:10 2018 -0400

    Typescriptifying Create

commit 485d983bc25158c52948eadca788ad59bb89bf15
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 07:31:54 2018 -0400

    Changing the namespace agnostic type name

commit 71c21220a90131999927b8be41109ae4d0c4056b
Author: kobelb <brandon.kobel@elastic.co>
Date:   Fri Sep 7 07:25:15 2018 -0400

    Adding update tests

commit f60e953809bbf12ec167d957c7582e54410eed58
Author: kobelb <brandon.kobel@elastic.co>
Date:   Thu Sep 6 15:53:34 2018 -0400

    Delete tests

commit 94682e5ffd5cc16ee6cd832f3bb2af8957df03f9
Author: kobelb <brandon.kobel@elastic.co>
Date:   Thu Sep 6 12:07:39 2018 -0400

    Adding get security and spaces tests

commit 481943fa7971fa30efc2313767923447af65413e
Author: kobelb <brandon.kobel@elastic.co>
Date:   Thu Sep 6 11:58:42 2018 -0400

    Generalizing bulk get

commit 14d905847430ab3cf677201b0edf7cf8d2859d29
Merge: 6627127cd5 fc5f7faf3c
Author: Brandon Kobel <brandon.kobel@gmail.com>
Date:   Thu Sep 6 10:46:07 2018 -0400

    Merge pull request #3 from legrego/remove-privs-api

    Remove privs api and hardcoded privs list

commit 6410f7269332a2f7e225168f030462cd8f4c2f80
Author: Larry Gregory <larry.gregory@elastic.co>
Date:   Thu Sep 6 09:35:30 2018 -0400

    add missing superagent type

commit 4afacc049e5492bb11c050e8257a9d31b52e0ae3
Author: Larry Gregory <larry.gregory@elastic.co>
Date:   Wed Sep 5 20:19:15 2018 -0400

    initial round of spaces api testing

commit 6627127cd5832fa13f5d98db658f716705e3e03f
Author: kobelb <brandon.kobel@elastic.co>
Date:   Wed Sep 5 17:29:37 2018 -0400

    Adding GET test suite

commit 68a553745d059845f451e44979f306f56e65d289
Author: kobelb <brandon.kobel@elastic.co>
Date:   Wed Sep 5 13:32:49 2018 -0400

    Copying find to security and spaces

commit fc5f7faf3ce8fc6c0d8bbbf92af6e0619c760793
Author: Larry Gregory <larry.gregory@elastic.co>
Date:   Wed Sep 5 12:36:30 2018 -0400

    move es privilege tests to api_integration

commit 189fbe6eec8e7513b87673ec622ce5978f774cdf
Author: kobelb <brandon.kobel@elastic.co>
Date:   Wed Sep 5 12:24:41 2018 -0400

    Switching approach to dynamically enabling security

commit c72200fe9e0c982fc51aad8f1ae7fe00e8958932
Author: Larry Gregory <larry.gregory@elastic.co>
Date:   Wed Sep 5 11:57:26 2018 -0400

    remove get privileges api

commit 1607f807fd4ca9c40b621317b46f6c1e0c36d19c
Author: kobelb <brandon.kobel@elastic.co>
Date:   Wed Sep 5 11:47:19 2018 -0400

    Dynamically supplying users so we reduce some duplication

commit 9deec1b19c01a3647bee75ee78138357b3f51012
Author: kobelb <brandon.kobel@elastic.co>
Date:   Wed Sep 5 09:32:36 2018 -0400

    Security and Spaces create tests

commit a8232dd6c580a3d13712d8eeaca3c26d464a3fac
Author: kobelb <brandon.kobel@elastic.co>
Date:   Wed Sep 5 07:22:10 2018 -0400

    Using a create "test suite"

commit f07f66848b423290ab8a3a7a097d1b4777940c0c
Author: kobelb <brandon.kobel@elastic.co>
Date:   Wed Sep 5 05:54:46 2018 -0400

    Using the spaces esArchive always now

commit b2021ad90397d0f2c54ac270c511448e381258ad
Merge: d3babeabac 7b4575bc63
Author: kobelb <brandon.kobel@elastic.co>
Date:   Wed Sep 5 05:43:48 2018 -0400

    Merge branch 'spaces/securing' into spaces/securing-api-tests

commit d3babeabac4cf30832b42883d9b26f6f8ccd5f4d
Author: kobelb <brandon.kobel@elastic.co>
Date:   Tue Sep 4 17:43:38 2018 -0400

    Moving over the spaces only saved objects tests

commit 94054a286bb3fdc888cf086eca0db02cbe6e1e6f
Author: kobelb <brandon.kobel@elastic.co>
Date:   Tue Sep 4 17:26:43 2018 -0400

    Copying over the security only saved object api tests

* update public api to use SpacesClient

* fix

* test and api fixes

* fix tests

* Disallowing use of Spaces with the SpacesSavedObjectsClientWrapper

* Adding spaces audit logging

* Updating snapshots

* Adding get and getAll tests for the spaces client

* Adding update tests

* Adding create tests

* Adding SpacesClient delete tests

* Fixing authenticate tests

* Making tests more consistent

* Fixing kibana privileges tests

* Fixing a few type issues

* Making typescript ignore the .only test suites

* Switching to beforeEach and afterEach and removing the mocha types

* Switching to our own expect.js definitions

The definitions in @types/expect have expect being globally defined
which conflicts with the jest definitions, and expect isn't globally
defined in the mocha tests and we must use the module value

* Fixing more linting rules

* Removing test stubs and replacing with TODOs. Updating snapshots

* No longer shadowing application for the put role API

* Relying on the errors thrown by the SpacedClient when determining active
space

* Back to after/before... mocha doesn't have beforeAll/afterAll

* We got them types, thanks Spencer!!!

* Ignoring space type from the secure saved objects client find with no
type
---
 .../functional_tests/lib/run_elasticsearch.js |   11 +-
 src/dev/typescript/projects.ts                |    1 +
 .../priority_collection.test.ts.snap          |    3 +
 .../service/lib/priority_collection.test.ts   |   57 +
 .../service/lib/priority_collection.ts        |   47 +
 .../service/lib/scoped_client_provider.js     |   29 +-
 .../lib/scoped_client_provider.test.js        |   30 +-
 .../apis/saved_objects/bulk_create.js         |  121 +
 .../apis/saved_objects/index.js               |    1 +
 tsconfig.json                                 |    1 +
 x-pack/package.json                           |    7 +-
 x-pack/plugins/security/common/constants.js   |    3 +-
 .../security/common/model/kibana_privilege.ts |    2 +
 x-pack/plugins/security/index.js              |   49 +-
 .../public/services/application_privilege.js  |    6 +-
 .../edit_role/components/edit_role_page.tsx   |    4 +-
 .../kibana_privileges.test.tsx.snap           |    4 +-
 .../kibana/kibana_privileges.test.tsx         |    4 +-
 .../privileges/kibana/kibana_privileges.tsx   |    4 +-
 .../kibana/simple_privilege_form.test.tsx     |    9 +-
 .../kibana/simple_privilege_form.tsx          |    6 +-
 .../space_aware_privilege_form.test.tsx       |    9 +-
 .../kibana/space_aware_privilege_form.tsx     |    8 +-
 .../views/management/edit_role/index.js       |    9 +-
 .../lib/__tests__/__fixtures__/server.js      |    4 +-
 .../authentication/__tests__/authenticator.js |   26 +-
 .../lib/authentication/authenticator.js       |   10 +-
 .../check_privileges.test.js.snap             |   26 +-
 .../__snapshots__/init.test.js.snap           |    9 -
 .../__snapshots__/mode.test.js.snap           |    3 +
 ...ication_privileges_serializer.test.js.snap |    5 +
 .../validate_es_response.test.js.snap         |   30 +-
 .../server/lib/authorization/actions.js       |    1 +
 .../server/lib/authorization/actions.test.js  |   10 +
 .../lib/authorization/check_privileges.js     |  109 +-
 .../authorization/check_privileges.test.js    | 1097 ++++---
 .../server/lib/authorization/index.js         |    4 +-
 .../security/server/lib/authorization/mode.js |   81 +
 .../server/lib/authorization/mode.test.js     |   66 +
 .../server/lib/authorization/privileges.js    |   57 +-
 .../register_privileges_with_cluster.js       |   44 +-
 .../register_privileges_with_cluster.test.js  |  330 ++-
 .../lib/authorization/{init.js => service.js} |   20 +-
 .../{init.test.js => service.test.js}         |   50 +-
 ...space_application_privileges_serializer.js |   35 +
 ..._application_privileges_serializer.test.js |   51 +
 .../lib/authorization/validate_es_response.js |   20 +-
 .../validate_es_response.test.js              |  276 +-
 .../lib/{authorization => }/deep_freeze.js    |    0
 .../{authorization => }/deep_freeze.test.js   |    0
 .../secure_saved_objects_client.test.js       | 1177 --------
 ...=> secure_saved_objects_client_wrapper.js} |  130 +-
 ...ecure_saved_objects_client_wrapper.test.js | 2513 +++++++++++++++++
 .../server/routes/api/public/roles/get.js     |   19 +-
 .../routes/api/public/roles/get.test.js       |   12 +-
 .../server/routes/api/public/roles/index.js   |    2 +-
 .../server/routes/api/public/roles/put.js     |   93 +-
 .../routes/api/public/roles/put.test.js       |  143 +-
 .../routes/api/v1/__tests__/authenticate.js   |   39 +-
 .../server/routes/api/v1/authenticate.js      |    5 +-
 .../server/routes/api/v1/privileges.js        |   25 -
 x-pack/plugins/spaces/index.js                |   29 +-
 .../__snapshots__/spaces_client.test.ts.snap  |   17 +
 .../spaces/server/lib/audit_logger.test.ts    |  140 +
 .../plugins/spaces/server/lib/audit_logger.ts |   46 +
 .../spaces/server/lib/get_active_space.js     |   22 +-
 .../spaces_saved_objects_client.test.js.snap  |   36 +
 .../saved_objects_client_wrapper_factory.js   |    3 +-
 .../spaces_saved_objects_client.js            |   94 +-
 .../spaces_saved_objects_client.test.js       |  168 +-
 .../server/lib/space_request_interceptors.js  |   14 +-
 .../lib/space_request_interceptors.test.js    |   46 +-
 .../spaces/server/lib/spaces_client.test.ts   |  925 ++++++
 .../spaces/server/lib/spaces_client.ts        |  187 ++
 .../api/__fixtures__/create_test_handler.ts   |   76 +-
 .../server/routes/api/public/delete.test.ts   |    5 +-
 .../spaces/server/routes/api/public/delete.ts |   20 +-
 .../server/routes/api/public/get.test.ts      |    1 +
 .../spaces/server/routes/api/public/get.ts    |   27 +-
 .../server/routes/api/public/post.test.ts     |   12 +-
 .../spaces/server/routes/api/public/post.ts   |   26 +-
 .../server/routes/api/public/put.test.ts      |   15 +-
 .../spaces/server/routes/api/public/put.ts    |   28 +-
 .../server/routes/api/v1/spaces.test.ts       |    1 +
 .../spaces/server/routes/api/v1/spaces.ts     |   12 +-
 .../server/routes/lib/get_space_by_id.ts      |   11 +-
 x-pack/scripts/functional_tests.js            |    7 +-
 .../apis/es/has_privileges.js                 |    0
 .../apis/es/index.js                          |    0
 .../apis/es/post_privileges.js                |    0
 x-pack/test/api_integration/apis/index.js     |    1 +
 .../apis/privileges/index.js                  |   72 -
 .../apis/saved_objects/bulk_get.js            |  201 --
 .../apis/saved_objects/create.js              |  172 --
 .../apis/saved_objects/delete.js              |  204 --
 .../apis/saved_objects/find.js                |  424 ---
 .../apis/saved_objects/get.js                 |  211 --
 .../apis/saved_objects/index.js               |  153 -
 .../apis/saved_objects/update.js              |  229 --
 x-pack/test/rbac_api_integration/config.js    |   63 -
 .../saved_objects/basic/data.json.gz          |  Bin 1837 -> 0 bytes
 .../common/config.ts                          |   73 +
 .../saved_objects/spaces/data.json            |  349 +++
 .../saved_objects/spaces}/mappings.json       |   43 +-
 .../namespace_agnostic_type_plugin/index.js   |   24 +
 .../mappings.json                             |   15 +
 .../package.json                              |    7 +
 .../common/lib/authentication.ts}             |   34 +-
 .../common/lib/create_users_and_roles.ts      |  213 ++
 .../common/lib/space_test_utils.ts            |   24 +
 .../common/lib/spaces.ts}                     |    2 +-
 .../common/lib/types.ts                       |   24 +
 .../common/services/es.js                     |   21 +
 .../common/suites/bulk_create.ts              |  171 ++
 .../common/suites/bulk_get.ts                 |  165 ++
 .../common/suites/create.ts                   |  167 ++
 .../common/suites/delete.ts                   |  124 +
 .../common/suites/find.ts                     |  237 ++
 .../common/suites/get.ts                      |  174 ++
 .../common/suites/update.ts                   |  174 ++
 .../security_and_spaces/apis/bulk_create.ts   |  233 ++
 .../security_and_spaces/apis/bulk_get.ts      |  217 ++
 .../security_and_spaces/apis/create.ts        |  261 ++
 .../security_and_spaces/apis/delete.ts        |  305 ++
 .../security_and_spaces/apis/find.ts          |  503 ++++
 .../security_and_spaces/apis/get.ts           |  302 ++
 .../security_and_spaces/apis/index.ts         |   28 +
 .../security_and_spaces/apis/update.ts        |  306 ++
 .../security_and_spaces/config.ts}            |   11 +-
 .../security_only/apis/bulk_create.ts         |  191 ++
 .../security_only/apis/bulk_get.ts            |  186 ++
 .../security_only/apis/create.ts              |  251 ++
 .../security_only/apis/delete.ts              |  309 ++
 .../security_only/apis/find.ts                |  543 ++++
 .../security_only/apis/get.ts                 |  301 ++
 .../security_only/apis/index.ts               |   28 +
 .../security_only/apis/update.ts              |  310 ++
 .../security_only/config.ts                   |   10 +
 .../spaces_only/apis/bulk_create.ts           |   44 +
 .../spaces_only/apis/bulk_get.ts              |   43 +
 .../spaces_only/apis/create.ts                |   52 +
 .../spaces_only/apis/delete.ts                |   58 +
 .../spaces_only/apis/find.ts                  |   97 +
 .../spaces_only/apis/get.ts                   |   60 +
 .../spaces_only/apis/index.ts}                |    8 +-
 .../spaces_only/apis/update.ts                |   60 +
 .../spaces_only/config.ts                     |   10 +
 .../apis/saved_objects/bulk_get.js            |  145 -
 .../apis/saved_objects/create.js              |  143 -
 .../apis/saved_objects/delete.js              |   95 -
 .../apis/saved_objects/find.js                |  204 --
 .../apis/saved_objects/get.js                 |  104 -
 .../apis/saved_objects/lib/authentication.js  |   32 -
 .../apis/saved_objects/update.js              |  158 --
 .../spaces_api_integration/common/config.ts   |   73 +
 .../saved_objects/spaces/data.json            |   51 +
 .../saved_objects/spaces/mappings.json        |    0
 .../common/lib/authentication.ts              |   72 +
 .../common/lib/create_users_and_roles.ts      |  287 ++
 .../lib/space_test_utils.ts}                  |    6 +-
 .../common/lib/spaces.ts}                     |   16 +-
 .../common/lib/types.ts                       |   23 +
 .../common}/services/es.js                    |    2 +-
 .../common/suites/create.ts                   |  140 +
 .../common/suites/delete.ts                   |  119 +
 .../common/suites/get.ts                      |  110 +
 .../common/suites/get_all.ts                  |   89 +
 .../common/suites/select.ts                   |  129 +
 .../common/suites/update.ts                   |  143 +
 x-pack/test/spaces_api_integration/config.js  |   57 -
 .../saved_objects/spaces/data.json.gz         |  Bin 2469 -> 0 bytes
 .../security_and_spaces/apis/create.ts        |  252 ++
 .../security_and_spaces/apis/delete.ts        |  255 ++
 .../security_and_spaces/apis/get.ts           |  332 +++
 .../security_and_spaces/apis/get_all.ts       |  257 ++
 .../security_and_spaces/apis/index.ts         |   31 +
 .../security_and_spaces/apis/select.ts        |  356 +++
 .../security_and_spaces/apis/update.ts        |  308 ++
 .../security_and_spaces/config.ts             |   10 +
 .../spaces_only/apis/create.ts                |   51 +
 .../spaces_only/apis/delete.ts                |   51 +
 .../spaces_only/apis/get.ts                   |   74 +
 .../spaces_only/apis/get_all.ts               |   41 +
 .../spaces_only/apis/index.ts                 |   19 +
 .../spaces_only/apis/select.ts                |   74 +
 .../spaces_only/apis/update.ts                |   51 +
 .../{apis/index.js => spaces_only/config.ts}  |    8 +-
 x-pack/test/tsconfig.json                     |   14 +
 x-pack/tsconfig.json                          |   21 +-
 x-pack/yarn.lock                              |   27 +-
 190 files changed, 16618 insertions(+), 5225 deletions(-)
 create mode 100644 src/server/saved_objects/service/lib/__snapshots__/priority_collection.test.ts.snap
 create mode 100644 src/server/saved_objects/service/lib/priority_collection.test.ts
 create mode 100644 src/server/saved_objects/service/lib/priority_collection.ts
 create mode 100644 test/api_integration/apis/saved_objects/bulk_create.js
 delete mode 100644 x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap
 create mode 100644 x-pack/plugins/security/server/lib/authorization/__snapshots__/mode.test.js.snap
 create mode 100644 x-pack/plugins/security/server/lib/authorization/__snapshots__/space_application_privileges_serializer.test.js.snap
 create mode 100644 x-pack/plugins/security/server/lib/authorization/mode.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/mode.test.js
 rename x-pack/plugins/security/server/lib/authorization/{init.js => service.js} (58%)
 rename x-pack/plugins/security/server/lib/authorization/{init.test.js => service.test.js} (60%)
 create mode 100644 x-pack/plugins/security/server/lib/authorization/space_application_privileges_serializer.js
 create mode 100644 x-pack/plugins/security/server/lib/authorization/space_application_privileges_serializer.test.js
 rename x-pack/plugins/security/server/lib/{authorization => }/deep_freeze.js (100%)
 rename x-pack/plugins/security/server/lib/{authorization => }/deep_freeze.test.js (100%)
 delete mode 100644 x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
 rename x-pack/plugins/security/server/lib/saved_objects_client/{secure_saved_objects_client.js => secure_saved_objects_client_wrapper.js} (51%)
 create mode 100644 x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client_wrapper.test.js
 delete mode 100644 x-pack/plugins/security/server/routes/api/v1/privileges.js
 create mode 100644 x-pack/plugins/spaces/server/lib/__snapshots__/spaces_client.test.ts.snap
 create mode 100644 x-pack/plugins/spaces/server/lib/audit_logger.test.ts
 create mode 100644 x-pack/plugins/spaces/server/lib/audit_logger.ts
 create mode 100644 x-pack/plugins/spaces/server/lib/spaces_client.test.ts
 create mode 100644 x-pack/plugins/spaces/server/lib/spaces_client.ts
 rename x-pack/test/{rbac_api_integration => api_integration}/apis/es/has_privileges.js (100%)
 rename x-pack/test/{rbac_api_integration => api_integration}/apis/es/index.js (100%)
 rename x-pack/test/{rbac_api_integration => api_integration}/apis/es/post_privileges.js (100%)
 delete mode 100644 x-pack/test/rbac_api_integration/apis/privileges/index.js
 delete mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
 delete mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/create.js
 delete mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
 delete mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/find.js
 delete mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/get.js
 delete mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/index.js
 delete mode 100644 x-pack/test/rbac_api_integration/apis/saved_objects/update.js
 delete mode 100644 x-pack/test/rbac_api_integration/config.js
 delete mode 100644 x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/data.json.gz
 create mode 100644 x-pack/test/saved_object_api_integration/common/config.ts
 create mode 100644 x-pack/test/saved_object_api_integration/common/fixtures/es_archiver/saved_objects/spaces/data.json
 rename x-pack/test/{rbac_api_integration/fixtures/es_archiver/saved_objects/basic => saved_object_api_integration/common/fixtures/es_archiver/saved_objects/spaces}/mappings.json (87%)
 create mode 100644 x-pack/test/saved_object_api_integration/common/fixtures/namespace_agnostic_type_plugin/index.js
 create mode 100644 x-pack/test/saved_object_api_integration/common/fixtures/namespace_agnostic_type_plugin/mappings.json
 create mode 100644 x-pack/test/saved_object_api_integration/common/fixtures/namespace_agnostic_type_plugin/package.json
 rename x-pack/test/{rbac_api_integration/apis/saved_objects/lib/authentication.js => saved_object_api_integration/common/lib/authentication.ts} (56%)
 create mode 100644 x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.ts
 create mode 100644 x-pack/test/saved_object_api_integration/common/lib/space_test_utils.ts
 rename x-pack/test/{spaces_api_integration/apis/saved_objects/lib/spaces.js => saved_object_api_integration/common/lib/spaces.ts} (98%)
 create mode 100644 x-pack/test/saved_object_api_integration/common/lib/types.ts
 create mode 100644 x-pack/test/saved_object_api_integration/common/services/es.js
 create mode 100644 x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
 create mode 100644 x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
 create mode 100644 x-pack/test/saved_object_api_integration/common/suites/create.ts
 create mode 100644 x-pack/test/saved_object_api_integration/common/suites/delete.ts
 create mode 100644 x-pack/test/saved_object_api_integration/common/suites/find.ts
 create mode 100644 x-pack/test/saved_object_api_integration/common/suites/get.ts
 create mode 100644 x-pack/test/saved_object_api_integration/common/suites/update.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_and_spaces/apis/index.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
 rename x-pack/test/{rbac_api_integration/apis/index.js => saved_object_api_integration/security_and_spaces/config.ts} (51%)
 create mode 100644 x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_only/apis/create.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_only/apis/delete.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_only/apis/find.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_only/apis/get.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_only/apis/index.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_only/apis/update.ts
 create mode 100644 x-pack/test/saved_object_api_integration/security_only/config.ts
 create mode 100644 x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_create.ts
 create mode 100644 x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_get.ts
 create mode 100644 x-pack/test/saved_object_api_integration/spaces_only/apis/create.ts
 create mode 100644 x-pack/test/saved_object_api_integration/spaces_only/apis/delete.ts
 create mode 100644 x-pack/test/saved_object_api_integration/spaces_only/apis/find.ts
 create mode 100644 x-pack/test/saved_object_api_integration/spaces_only/apis/get.ts
 rename x-pack/test/{spaces_api_integration/apis/saved_objects/index.js => saved_object_api_integration/spaces_only/apis/index.ts} (67%)
 create mode 100644 x-pack/test/saved_object_api_integration/spaces_only/apis/update.ts
 create mode 100644 x-pack/test/saved_object_api_integration/spaces_only/config.ts
 delete mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js
 delete mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/create.js
 delete mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
 delete mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/find.js
 delete mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/get.js
 delete mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/lib/authentication.js
 delete mode 100644 x-pack/test/spaces_api_integration/apis/saved_objects/update.js
 create mode 100644 x-pack/test/spaces_api_integration/common/config.ts
 create mode 100644 x-pack/test/spaces_api_integration/common/fixtures/es_archiver/saved_objects/spaces/data.json
 rename x-pack/test/spaces_api_integration/{ => common}/fixtures/es_archiver/saved_objects/spaces/mappings.json (100%)
 create mode 100644 x-pack/test/spaces_api_integration/common/lib/authentication.ts
 create mode 100644 x-pack/test/spaces_api_integration/common/lib/create_users_and_roles.ts
 rename x-pack/test/spaces_api_integration/{apis/saved_objects/lib/space_test_utils.js => common/lib/space_test_utils.ts} (68%)
 rename x-pack/{plugins/security/common/model/kibana_application_privilege.ts => test/spaces_api_integration/common/lib/spaces.ts} (61%)
 create mode 100644 x-pack/test/spaces_api_integration/common/lib/types.ts
 rename x-pack/test/{rbac_api_integration => spaces_api_integration/common}/services/es.js (89%)
 create mode 100644 x-pack/test/spaces_api_integration/common/suites/create.ts
 create mode 100644 x-pack/test/spaces_api_integration/common/suites/delete.ts
 create mode 100644 x-pack/test/spaces_api_integration/common/suites/get.ts
 create mode 100644 x-pack/test/spaces_api_integration/common/suites/get_all.ts
 create mode 100644 x-pack/test/spaces_api_integration/common/suites/select.ts
 create mode 100644 x-pack/test/spaces_api_integration/common/suites/update.ts
 delete mode 100644 x-pack/test/spaces_api_integration/config.js
 delete mode 100644 x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/data.json.gz
 create mode 100644 x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts
 create mode 100644 x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
 create mode 100644 x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts
 create mode 100644 x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts
 create mode 100644 x-pack/test/spaces_api_integration/security_and_spaces/apis/index.ts
 create mode 100644 x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts
 create mode 100644 x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
 create mode 100644 x-pack/test/spaces_api_integration/security_and_spaces/config.ts
 create mode 100644 x-pack/test/spaces_api_integration/spaces_only/apis/create.ts
 create mode 100644 x-pack/test/spaces_api_integration/spaces_only/apis/delete.ts
 create mode 100644 x-pack/test/spaces_api_integration/spaces_only/apis/get.ts
 create mode 100644 x-pack/test/spaces_api_integration/spaces_only/apis/get_all.ts
 create mode 100644 x-pack/test/spaces_api_integration/spaces_only/apis/index.ts
 create mode 100644 x-pack/test/spaces_api_integration/spaces_only/apis/select.ts
 create mode 100644 x-pack/test/spaces_api_integration/spaces_only/apis/update.ts
 rename x-pack/test/spaces_api_integration/{apis/index.js => spaces_only/config.ts} (60%)
 create mode 100644 x-pack/test/tsconfig.json

diff --git a/packages/kbn-test/src/functional_tests/lib/run_elasticsearch.js b/packages/kbn-test/src/functional_tests/lib/run_elasticsearch.js
index d0a3160018fead..d0cc7091d77679 100644
--- a/packages/kbn-test/src/functional_tests/lib/run_elasticsearch.js
+++ b/packages/kbn-test/src/functional_tests/lib/run_elasticsearch.js
@@ -25,12 +25,15 @@ import { setupUsers, DEFAULT_SUPERUSER_PASS } from './auth';
 
 export async function runElasticsearch({ config, options }) {
   const { log, esFrom } = options;
-  const isOss = config.get('esTestCluster.license') === 'oss';
+  const license = config.get('esTestCluster.license');
+  const isTrialLicense = config.get('esTestCluster.license') === 'trial';
 
   const cluster = createEsTestCluster({
     port: config.get('servers.elasticsearch.port'),
-    password: !isOss ? DEFAULT_SUPERUSER_PASS : config.get('servers.elasticsearch.password'),
-    license: config.get('esTestCluster.license'),
+    password: isTrialLicense
+      ? DEFAULT_SUPERUSER_PASS
+      : config.get('servers.elasticsearch.password'),
+    license,
     log,
     basePath: resolve(KIBANA_ROOT, '.es'),
     esFrom: esFrom || config.get('esTestCluster.from'),
@@ -40,7 +43,7 @@ export async function runElasticsearch({ config, options }) {
 
   await cluster.start(esArgs);
 
-  if (!isOss) {
+  if (isTrialLicense) {
     await setupUsers(log, config);
   }
 
diff --git a/src/dev/typescript/projects.ts b/src/dev/typescript/projects.ts
index f92ebae39e5173..b93d3a0ac53717 100644
--- a/src/dev/typescript/projects.ts
+++ b/src/dev/typescript/projects.ts
@@ -26,6 +26,7 @@ import { Project } from './project';
 export const PROJECTS = [
   new Project(resolve(REPO_ROOT, 'tsconfig.json')),
   new Project(resolve(REPO_ROOT, 'x-pack/tsconfig.json')),
+  new Project(resolve(REPO_ROOT, 'x-pack/test/tsconfig.json'), 'x-pack/test'),
 
   // NOTE: using glob.sync rather than glob-all or globby
   // because it takes less than 10 ms, while the other modules
diff --git a/src/server/saved_objects/service/lib/__snapshots__/priority_collection.test.ts.snap b/src/server/saved_objects/service/lib/__snapshots__/priority_collection.test.ts.snap
new file mode 100644
index 00000000000000..fd96c54450cf7e
--- /dev/null
+++ b/src/server/saved_objects/service/lib/__snapshots__/priority_collection.test.ts.snap
@@ -0,0 +1,3 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`1, 1 throws Error 1`] = `"Already have entry with this priority"`;
diff --git a/src/server/saved_objects/service/lib/priority_collection.test.ts b/src/server/saved_objects/service/lib/priority_collection.test.ts
new file mode 100644
index 00000000000000..9256b2e913931c
--- /dev/null
+++ b/src/server/saved_objects/service/lib/priority_collection.test.ts
@@ -0,0 +1,57 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { PriorityCollection } from './priority_collection';
+
+test(`1, 2, 3`, () => {
+  const priorityCollection = new PriorityCollection();
+  priorityCollection.add(1, 1);
+  priorityCollection.add(2, 2);
+  priorityCollection.add(3, 3);
+  expect(priorityCollection.toPrioritizedArray()).toEqual([1, 2, 3]);
+});
+
+test(`3, 2, 1`, () => {
+  const priorityCollection = new PriorityCollection();
+  priorityCollection.add(3, 3);
+  priorityCollection.add(2, 2);
+  priorityCollection.add(1, 1);
+  expect(priorityCollection.toPrioritizedArray()).toEqual([1, 2, 3]);
+});
+
+test(`2, 3, 1`, () => {
+  const priorityCollection = new PriorityCollection();
+  priorityCollection.add(2, 2);
+  priorityCollection.add(3, 3);
+  priorityCollection.add(1, 1);
+  expect(priorityCollection.toPrioritizedArray()).toEqual([1, 2, 3]);
+});
+
+test(`Number.MAX_VALUE, NUMBER.MIN_VALUE, 1`, () => {
+  const priorityCollection = new PriorityCollection();
+  priorityCollection.add(Number.MAX_VALUE, 3);
+  priorityCollection.add(Number.MIN_VALUE, 1);
+  priorityCollection.add(1, 2);
+  expect(priorityCollection.toPrioritizedArray()).toEqual([1, 2, 3]);
+});
+
+test(`1, 1 throws Error`, () => {
+  const priorityCollection = new PriorityCollection();
+  priorityCollection.add(1, 1);
+  expect(() => priorityCollection.add(1, 1)).toThrowErrorMatchingSnapshot();
+});
diff --git a/src/server/saved_objects/service/lib/priority_collection.ts b/src/server/saved_objects/service/lib/priority_collection.ts
new file mode 100644
index 00000000000000..ab8edaaaea22fa
--- /dev/null
+++ b/src/server/saved_objects/service/lib/priority_collection.ts
@@ -0,0 +1,47 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+interface PriorityCollectionEntry<T> {
+  priority: number;
+  value: T;
+}
+
+export class PriorityCollection<T> {
+  private readonly array: Array<PriorityCollectionEntry<T>> = [];
+
+  public add(priority: number, value: T) {
+    let i = 0;
+    while (i < this.array.length) {
+      const current = this.array[i];
+      if (priority === current.priority) {
+        throw new Error('Already have entry with this priority');
+      }
+
+      if (priority < current.priority) {
+        break;
+      }
+      ++i;
+    }
+    this.array.splice(i, 0, { priority, value });
+  }
+
+  public toPrioritizedArray(): T[] {
+    return this.array.map(entry => entry.value);
+  }
+}
diff --git a/src/server/saved_objects/service/lib/scoped_client_provider.js b/src/server/saved_objects/service/lib/scoped_client_provider.js
index ddcc9c1c3ff560..05cc97945ef0bb 100644
--- a/src/server/saved_objects/service/lib/scoped_client_provider.js
+++ b/src/server/saved_objects/service/lib/scoped_client_provider.js
@@ -16,13 +16,14 @@
  * specific language governing permissions and limitations
  * under the License.
  */
+import { PriorityCollection } from './priority_collection';
 
 /**
  * Provider for the Scoped Saved Object Client.
  */
 export class ScopedSavedObjectsClientProvider {
 
-  _wrapperFactories = [];
+  _wrapperFactories = new PriorityCollection();
 
   constructor({
     defaultClientFactory
@@ -30,16 +31,8 @@ export class ScopedSavedObjectsClientProvider {
     this._originalClientFactory = this._clientFactory = defaultClientFactory;
   }
 
-  // the client wrapper factories are put at the front of the array, so that
-  // when we use `reduce` below they're invoked in LIFO order. This is so that
-  // if multiple plugins register their client wrapper factories, then we can use
-  // the plugin dependencies/optionalDependencies to implicitly control the order
-  // in which these are used. For example, if we have a plugin a that declares a
-  // dependency on plugin b, that means that plugin b's client wrapper would want
-  // to be able to run first when the SavedObjectClient methods are invoked to
-  // provide additional context to plugin a's client wrapper.
-  addClientWrapperFactory(wrapperFactory) {
-    this._wrapperFactories.unshift(wrapperFactory);
+  addClientWrapperFactory(priority, wrapperFactory) {
+    this._wrapperFactories.add(priority, wrapperFactory);
   }
 
   setClientFactory(customClientFactory) {
@@ -55,11 +48,13 @@ export class ScopedSavedObjectsClientProvider {
       request,
     });
 
-    return this._wrapperFactories.reduce((clientToWrap, wrapperFactory) => {
-      return wrapperFactory({
-        request,
-        client: clientToWrap,
-      });
-    }, client);
+    return this._wrapperFactories
+      .toPrioritizedArray()
+      .reduceRight((clientToWrap, wrapperFactory) => {
+        return wrapperFactory({
+          request,
+          client: clientToWrap,
+        });
+      }, client);
   }
 }
diff --git a/src/server/saved_objects/service/lib/scoped_client_provider.test.js b/src/server/saved_objects/service/lib/scoped_client_provider.test.js
index 219f35559c8849..52a98c08edde5c 100644
--- a/src/server/saved_objects/service/lib/scoped_client_provider.test.js
+++ b/src/server/saved_objects/service/lib/scoped_client_provider.test.js
@@ -64,40 +64,20 @@ test(`throws error when more than one scoped saved objects client factory is set
   }).toThrowErrorMatchingSnapshot();
 });
 
-test(`invokes and uses instance from single added wrapper factory`, () => {
+test(`invokes and uses wrappers in specified order`, () => {
   const defaultClient = Symbol();
   const defaultClientFactoryMock = jest.fn().mockReturnValue(defaultClient);
   const clientProvider = new ScopedSavedObjectsClientProvider({
     defaultClientFactory: defaultClientFactoryMock
   });
-  const wrappedClient = Symbol();
-  const clientWrapperFactoryMock = jest.fn().mockReturnValue(wrappedClient);
-  const request = Symbol();
-
-  clientProvider.addClientWrapperFactory(clientWrapperFactoryMock);
-  const actualClient = clientProvider.getClient(request);
-
-  expect(actualClient).toBe(wrappedClient);
-  expect(clientWrapperFactoryMock).toHaveBeenCalledWith({
-    request,
-    client: defaultClient
-  });
-});
-
-test(`invokes and uses wrappers in LIFO order`, () => {
-  const defaultClient = Symbol();
-  const defaultClientFactoryMock = jest.fn().mockReturnValue(defaultClient);
-  const clientProvider = new ScopedSavedObjectsClientProvider({
-    defaultClientFactory: defaultClientFactoryMock
-  });
-  const firstWrappedClient = Symbol();
+  const firstWrappedClient = Symbol('first client');
   const firstClientWrapperFactoryMock = jest.fn().mockReturnValue(firstWrappedClient);
-  const secondWrapperClient = Symbol();
+  const secondWrapperClient = Symbol('second client');
   const secondClientWrapperFactoryMock = jest.fn().mockReturnValue(secondWrapperClient);
   const request = Symbol();
 
-  clientProvider.addClientWrapperFactory(firstClientWrapperFactoryMock);
-  clientProvider.addClientWrapperFactory(secondClientWrapperFactoryMock);
+  clientProvider.addClientWrapperFactory(1, secondClientWrapperFactoryMock);
+  clientProvider.addClientWrapperFactory(0, firstClientWrapperFactoryMock);
   const actualClient = clientProvider.getClient(request);
 
   expect(actualClient).toBe(firstWrappedClient);
diff --git a/test/api_integration/apis/saved_objects/bulk_create.js b/test/api_integration/apis/saved_objects/bulk_create.js
new file mode 100644
index 00000000000000..153dda4691fa66
--- /dev/null
+++ b/test/api_integration/apis/saved_objects/bulk_create.js
@@ -0,0 +1,121 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import expect from 'expect.js';
+
+export default function ({ getService }) {
+  const supertest = getService('supertest');
+  const es = getService('es');
+  const esArchiver = getService('esArchiver');
+
+  const BULK_REQUESTS = [
+    {
+      type: 'visualization',
+      id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+      attributes: {
+        title: 'An existing visualization'
+      }
+    },
+    {
+      type: 'dashboard',
+      id: 'a01b2f57-fcfd-4864-b735-09e28f0d815e',
+      attributes: {
+        title: 'A great new dashboard'
+      }
+    },
+  ];
+
+  describe('_bulk_create', () => {
+    describe('with kibana index', () => {
+      before(() => esArchiver.load('saved_objects/basic'));
+      after(() => esArchiver.unload('saved_objects/basic'));
+
+      it('should return 200 with individual responses', async () => (
+        await supertest
+          .post(`/api/saved_objects/_bulk_create`)
+          .send(BULK_REQUESTS)
+          .expect(200)
+          .then(resp => {
+            expect(resp.body).to.eql({
+              saved_objects: [
+                {
+                  type: 'visualization',
+                  id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+                  error: {
+                    'message': 'version conflict, document already exists',
+                    'statusCode': 409
+                  }
+                },
+                {
+                  type: 'dashboard',
+                  id: 'a01b2f57-fcfd-4864-b735-09e28f0d815e',
+                  updated_at: resp.body.saved_objects[1].updated_at,
+                  version: 1,
+                  attributes: {
+                    title: 'A great new dashboard'
+                  }
+                },
+              ]
+            });
+          })
+      ));
+    });
+
+    describe('without kibana index', () => {
+      before(async () => (
+        // just in case the kibana server has recreated it
+        await es.indices.delete({
+          index: '.kibana',
+          ignore: [404],
+        })
+      ));
+
+      it('should return 200 with individual responses', async () => (
+        await supertest
+          .post('/api/saved_objects/_bulk_create')
+          .send(BULK_REQUESTS)
+          .expect(200)
+          .then(resp => {
+            expect(resp.body).to.eql({
+              saved_objects: [
+                {
+                  type: 'visualization',
+                  id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+                  updated_at: resp.body.saved_objects[0].updated_at,
+                  version: 1,
+                  attributes: {
+                    title: 'An existing visualization'
+                  }
+                },
+                {
+                  type: 'dashboard',
+                  id: 'a01b2f57-fcfd-4864-b735-09e28f0d815e',
+                  updated_at: resp.body.saved_objects[1].updated_at,
+                  version: 1,
+                  attributes: {
+                    title: 'A great new dashboard'
+                  }
+                },
+              ]
+            });
+          })
+      ));
+    });
+  });
+}
diff --git a/test/api_integration/apis/saved_objects/index.js b/test/api_integration/apis/saved_objects/index.js
index c7694557c836c9..fce7f9eba767e8 100644
--- a/test/api_integration/apis/saved_objects/index.js
+++ b/test/api_integration/apis/saved_objects/index.js
@@ -19,6 +19,7 @@
 
 export default function ({ loadTestFile }) {
   describe('saved_objects', () => {
+    loadTestFile(require.resolve('./bulk_create'));
     loadTestFile(require.resolve('./bulk_get'));
     loadTestFile(require.resolve('./create'));
     loadTestFile(require.resolve('./delete'));
diff --git a/tsconfig.json b/tsconfig.json
index da6008a67d8498..7a16f02128992e 100644
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -46,6 +46,7 @@
 
     // Forbid unused local variables as the rule was deprecated by ts-lint
     "noUnusedLocals": true,
+
   },
   "include": [
     "src/**/*"
diff --git a/x-pack/package.json b/x-pack/package.json
index 375b5c390a8940..2068663468f62f 100644
--- a/x-pack/package.json
+++ b/x-pack/package.json
@@ -25,8 +25,11 @@
     "@kbn/es": "link:../packages/kbn-es",
     "@kbn/plugin-helpers": "link:../packages/kbn-plugin-helpers",
     "@kbn/test": "link:../packages/kbn-test",
+    "@types/expect.js": "^0.3.29",
     "@types/jest": "^23.3.1",
+    "@types/mocha": "^5.2.5",
     "@types/pngjs": "^3.3.1",
+    "@types/supertest": "^2.0.5",
     "abab": "^1.0.4",
     "ansi-colors": "^3.0.5",
     "ansicolors": "0.3.2",
@@ -42,7 +45,7 @@
     "enzyme": "3.2.0",
     "enzyme-adapter-react-16": "^1.1.1",
     "enzyme-to-json": "3.3.1",
-    "expect.js": "0.3.1",
+    "expect.js": "^0.3.1",
     "fancy-log": "^1.3.2",
     "fetch-mock": "^5.13.1",
     "gulp": "3.9.1",
@@ -166,4 +169,4 @@
   "engines": {
     "yarn": "^1.6.0"
   }
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/security/common/constants.js b/x-pack/plugins/security/common/constants.js
index 1b762d5f15acc6..a62085787cd470 100644
--- a/x-pack/plugins/security/common/constants.js
+++ b/x-pack/plugins/security/common/constants.js
@@ -4,4 +4,5 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export const ALL_RESOURCE = '*';
+export const GLOBAL_RESOURCE = '*';
+export const IGNORED_TYPES = ['space'];
diff --git a/x-pack/plugins/security/common/model/kibana_privilege.ts b/x-pack/plugins/security/common/model/kibana_privilege.ts
index 834e62570fe263..20cac65b4ca792 100644
--- a/x-pack/plugins/security/common/model/kibana_privilege.ts
+++ b/x-pack/plugins/security/common/model/kibana_privilege.ts
@@ -5,3 +5,5 @@
  */
 
 export type KibanaPrivilege = 'none' | 'read' | 'all';
+
+export const KibanaAppPrivileges: KibanaPrivilege[] = ['read', 'all'];
diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 68601a5ef07bab..7262eadb999c63 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -16,12 +16,12 @@ import { validateConfig } from './server/lib/validate_config';
 import { authenticateFactory } from './server/lib/auth_redirect';
 import { checkLicense } from './server/lib/check_license';
 import { initAuthenticator } from './server/lib/authentication/authenticator';
-import { initPrivilegesApi } from './server/routes/api/v1/privileges';
 import { SecurityAuditLogger } from './server/lib/audit_logger';
 import { AuditLogger } from '../../server/lib/audit_logger';
-import { SecureSavedObjectsClient } from './server/lib/saved_objects_client/secure_saved_objects_client';
-import { initAuthorizationService, registerPrivilegesWithCluster } from './server/lib/authorization';
+import { createAuthorizationService, registerPrivilegesWithCluster } from './server/lib/authorization';
 import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status_and_license_to_initialize';
+import { SecureSavedObjectsClientWrapper } from './server/lib/saved_objects_client/secure_saved_objects_client_wrapper';
+import { deepFreeze } from './server/lib/deep_freeze';
 
 export const security = (kibana) => new kibana.Plugin({
   id: 'security',
@@ -106,7 +106,8 @@ export const security = (kibana) => new kibana.Plugin({
     server.auth.strategy('session', 'login', 'required');
 
     // exposes server.plugins.security.authorization
-    initAuthorizationService(server);
+    const authorization = createAuthorizationService(server, xpackInfoFeature);
+    server.expose('authorization', deepFreeze(authorization));
 
     watchStatusAndLicenseToInitialize(xpackMainPlugin, plugin, async (license) => {
       if (license.allowRbac) {
@@ -124,35 +125,41 @@ export const security = (kibana) => new kibana.Plugin({
       const { callWithRequest, callWithInternalUser } = adminCluster;
       const callCluster = (...args) => callWithRequest(request, ...args);
 
+      if (authorization.mode.useRbacForRequest(request)) {
+        const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
+        return new savedObjects.SavedObjectsClient(internalRepository);
+      }
+
       const callWithRequestRepository = savedObjects.getSavedObjectsRepository(callCluster);
+      return new savedObjects.SavedObjectsClient(callWithRequestRepository);
+    });
 
-      if (!xpackInfoFeature.getLicenseCheckResults().allowRbac) {
-        return new savedObjects.SavedObjectsClient(callWithRequestRepository);
+    savedObjects.addScopedSavedObjectsClientWrapperFactory(Number.MIN_VALUE, ({ client, request }) => {
+      if (authorization.mode.useRbacForRequest(request)) {
+        const { spaces } = server.plugins;
+
+        return new SecureSavedObjectsClientWrapper({
+          actions: authorization.actions,
+          auditLogger,
+          baseClient: client,
+          checkPrivilegesWithRequest: authorization.checkPrivilegesWithRequest,
+          errors: savedObjects.SavedObjectsClient.errors,
+          request,
+          savedObjectTypes: savedObjects.types,
+          spaces,
+        });
       }
 
-      const { authorization } = server.plugins.security;
-      const checkPrivileges = authorization.checkPrivilegesWithRequest(request);
-      const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
-
-      return new SecureSavedObjectsClient({
-        internalRepository,
-        callWithRequestRepository,
-        errors: savedObjects.SavedObjectsClient.errors,
-        checkPrivileges,
-        auditLogger,
-        savedObjectTypes: savedObjects.types,
-        actions: authorization.actions,
-      });
+      return client;
     });
 
     getUserProvider(server);
 
-    await initAuthenticator(server);
+    await initAuthenticator(server, authorization.mode);
     initAuthenticateApi(server);
     initUsersApi(server);
     initPublicRolesApi(server);
     initIndicesApi(server);
-    initPrivilegesApi(server);
     initLoginView(server, xpackMainPlugin);
     initLogoutView(server);
 
diff --git a/x-pack/plugins/security/public/services/application_privilege.js b/x-pack/plugins/security/public/services/application_privilege.js
index 615188cad33d7f..00db6cccfb13e4 100644
--- a/x-pack/plugins/security/public/services/application_privilege.js
+++ b/x-pack/plugins/security/public/services/application_privilege.js
@@ -10,5 +10,9 @@ import { uiModules } from 'ui/modules';
 const module = uiModules.get('security', ['ngResource']);
 module.service('ApplicationPrivileges', ($resource, chrome) => {
   const baseUrl = chrome.addBasePath('/api/security/v1/privileges');
-  return $resource(baseUrl);
+  return $resource(baseUrl, null, {
+    query: {
+      isArray: false,
+    }
+  });
 });
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
index ee1de5d99e191f..0fd03481eec1d3 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
@@ -24,7 +24,7 @@ import React, { ChangeEvent, Component, Fragment, HTMLProps } from 'react';
 import { toastNotifications } from 'ui/notify';
 import { Space } from '../../../../../../spaces/common/model/space';
 import { IndexPrivilege } from '../../../../../common/model/index_privilege';
-import { KibanaApplicationPrivilege } from '../../../../../common/model/kibana_application_privilege';
+import { KibanaPrivilege } from '../../../../../common/model/kibana_privilege';
 import { Role } from '../../../../../common/model/role';
 import { isReservedRole } from '../../../../lib/role';
 import { deleteRole, saveRole } from '../../../../objects';
@@ -42,7 +42,7 @@ interface Props {
   rbacEnabled: boolean;
   allowDocumentLevelSecurity: boolean;
   allowFieldLevelSecurity: boolean;
-  kibanaAppPrivileges: KibanaApplicationPrivilege[];
+  kibanaAppPrivileges: KibanaPrivilege[];
   notifier: any;
   spaces?: Space[];
   spacesEnabled: boolean;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap
index 85f0acaf92a401..373e62adca6ff4 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap
@@ -9,9 +9,7 @@ exports[`<KibanaPrivileges> renders without crashing 1`] = `
     editable={true}
     kibanaAppPrivileges={
       Array [
-        Object {
-          "name": "all",
-        },
+        "all",
       ]
     }
     onChange={[MockFunction]}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx
index 400c2ab9e2b965..82a1133f7aaa2b 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx
@@ -6,7 +6,7 @@
 
 import { shallow } from 'enzyme';
 import React from 'react';
-import { KibanaApplicationPrivilege } from '../../../../../../../common/model/kibana_application_privilege';
+import { KibanaPrivilege } from '../../../../../../../../security/common/model/kibana_privilege';
 import { RoleValidator } from '../../../lib/validate_role';
 import { KibanaPrivileges } from './kibana_privileges';
 import { SimplePrivilegeForm } from './simple_privilege_form';
@@ -39,7 +39,7 @@ const buildProps = (customProps = {}) => {
       },
     ],
     editable: true,
-    kibanaAppPrivileges: [{ name: 'all' } as KibanaApplicationPrivilege],
+    kibanaAppPrivileges: ['all' as KibanaPrivilege],
     onChange: jest.fn(),
     validator: new RoleValidator(),
     ...customProps,
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx
index d9a4ba73af9639..1ff7b62f715a7a 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx
@@ -6,7 +6,7 @@
 
 import React, { Component } from 'react';
 import { Space } from '../../../../../../../../spaces/common/model/space';
-import { KibanaApplicationPrivilege } from '../../../../../../../common/model/kibana_application_privilege';
+import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
 import { Role } from '../../../../../../../common/model/role';
 import { RoleValidator } from '../../../lib/validate_role';
 import { CollapsiblePanel } from '../../collapsible_panel';
@@ -18,7 +18,7 @@ interface Props {
   spacesEnabled: boolean;
   spaces?: Space[];
   editable: boolean;
-  kibanaAppPrivileges: KibanaApplicationPrivilege[];
+  kibanaAppPrivileges: KibanaPrivilege[];
   onChange: (role: Role) => void;
   validator: RoleValidator;
 }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.test.tsx
index 018aed7df9bb18..d6ecbdb705b746 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.test.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.test.tsx
@@ -24,14 +24,7 @@ const buildProps = (customProps?: any) => {
       },
     },
     editable: true,
-    kibanaAppPrivileges: [
-      {
-        name: 'all',
-      },
-      {
-        name: 'read',
-      },
-    ],
+    kibanaAppPrivileges: ['all', 'read'],
     onChange: jest.fn(),
     ...customProps,
   };
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.tsx
index 4d8892d88fce4d..71b881c4a85efe 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_form.tsx
@@ -10,7 +10,6 @@ import {
   EuiFormRow,
 } from '@elastic/eui';
 import React, { Component, Fragment } from 'react';
-import { KibanaApplicationPrivilege } from '../../../../../../../common/model/kibana_application_privilege';
 import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
 import { Role } from '../../../../../../../common/model/role';
 import { isReservedRole } from '../../../../../../lib/role';
@@ -19,7 +18,7 @@ import { copyRole } from '../../../lib/copy_role';
 import { PrivilegeSelector } from './privilege_selector';
 
 interface Props {
-  kibanaAppPrivileges: KibanaApplicationPrivilege[];
+  kibanaAppPrivileges: KibanaPrivilege[];
   role: Role;
   onChange: (role: Role) => void;
   editable: boolean;
@@ -30,7 +29,6 @@ export class SimplePrivilegeForm extends Component<Props, {}> {
     const { kibanaAppPrivileges, role } = this.props;
 
     const assignedPrivileges = role.kibana;
-    const availablePrivileges = kibanaAppPrivileges.map(privilege => privilege.name);
 
     const kibanaPrivilege: KibanaPrivilege =
       assignedPrivileges.global.length > 0
@@ -45,7 +43,7 @@ export class SimplePrivilegeForm extends Component<Props, {}> {
           <EuiFormRow hasEmptyLabelSpace>
             <PrivilegeSelector
               data-test-subj={'kibanaPrivilege'}
-              availablePrivileges={availablePrivileges}
+              availablePrivileges={kibanaAppPrivileges}
               value={kibanaPrivilege}
               disabled={isReservedRole(role)}
               allowNone={true}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.test.tsx
index 5279f178709323..bcc59637436100 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.test.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.test.tsx
@@ -38,14 +38,7 @@ const buildProps = (customProps: any = {}) => {
       },
     ],
     editable: true,
-    kibanaAppPrivileges: [
-      {
-        name: 'all',
-      },
-      {
-        name: 'read',
-      },
-    ],
+    kibanaAppPrivileges: ['all', 'read'],
     onChange: jest.fn(),
     validator: new RoleValidator(),
     ...customProps,
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx
index 060f89726bb721..2801862cabf940 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx
@@ -17,7 +17,6 @@ import {
 } from '@elastic/eui';
 import React, { Component, Fragment } from 'react';
 import { Space } from '../../../../../../../../spaces/common/model/space';
-import { KibanaApplicationPrivilege } from '../../../../../../../common/model/kibana_application_privilege';
 import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
 import { Role } from '../../../../../../../common/model/role';
 import { isReservedRole } from '../../../../../../lib/role';
@@ -32,7 +31,7 @@ import { PrivilegeSpaceForm } from './privilege_space_form';
 import { PrivilegeSpaceTable } from './privilege_space_table';
 
 interface Props {
-  kibanaAppPrivileges: KibanaApplicationPrivilege[];
+  kibanaAppPrivileges: KibanaPrivilege[];
   role: Role;
   spaces: Space[];
   onChange: (role: Role) => void;
@@ -74,7 +73,6 @@ export class SpaceAwarePrivilegeForm extends Component<Props, State> {
     const { kibanaAppPrivileges, role } = this.props;
 
     const assignedPrivileges = role.kibana;
-    const availablePrivileges = kibanaAppPrivileges.map(privilege => privilege.name);
 
     const basePrivilege =
       assignedPrivileges.global.length > 0 ? assignedPrivileges.global[0] : NO_PRIVILEGE_VALUE;
@@ -99,7 +97,7 @@ export class SpaceAwarePrivilegeForm extends Component<Props, State> {
           <EuiFormRow hasEmptyLabelSpace helpText={helptext}>
             <PrivilegeSelector
               data-test-subj={'kibanaMinimumPrivilege'}
-              availablePrivileges={availablePrivileges}
+              availablePrivileges={kibanaAppPrivileges}
               value={basePrivilege}
               disabled={isReservedRole(role)}
               allowNone={true}
@@ -110,7 +108,7 @@ export class SpaceAwarePrivilegeForm extends Component<Props, State> {
 
         <EuiSpacer />
 
-        {this.renderSpacePrivileges(basePrivilege, availablePrivileges)}
+        {this.renderSpacePrivileges(basePrivilege, kibanaAppPrivileges)}
       </Fragment>
     );
   }
diff --git a/x-pack/plugins/security/public/views/management/edit_role/index.js b/x-pack/plugins/security/public/views/management/edit_role/index.js
index 5b8b57d6c01013..5c744c908824cd 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/index.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/index.js
@@ -27,6 +27,7 @@ import { EditRolePage } from './components';
 
 import React from 'react';
 import { render, unmountComponentAtNode } from 'react-dom';
+import { KibanaAppPrivileges } from '../../../../common/model/kibana_privilege';
 
 routes.when(`${EDIT_ROLES_PATH}/:name?`, {
   template,
@@ -67,11 +68,6 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
 
       return role.then(res => res.toJSON());
     },
-    kibanaApplicationPrivilege(ApplicationPrivileges, kbnUrl, Promise, Private) {
-      return ApplicationPrivileges.query().$promise
-        .then(privileges => privileges.map(p => p.toJSON()))
-        .catch(checkLicenseError(kbnUrl, Promise, Private));
-    },
     users(ShieldUser, kbnUrl, Promise, Private) {
       // $promise is used here because the result is an ngResource, not a promise itself
       return ShieldUser.query().$promise
@@ -93,7 +89,6 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
 
     const Notifier = $injector.get('Notifier');
 
-    const kibanaApplicationPrivilege = $route.current.locals.kibanaApplicationPrivilege;
     const role = $route.current.locals.role;
 
     const xpackInfo = Private(XPackInfoProvider);
@@ -132,7 +127,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
       render(<EditRolePage
         runAsUsers={users}
         role={role}
-        kibanaAppPrivileges={kibanaApplicationPrivilege}
+        kibanaAppPrivileges={KibanaAppPrivileges}
         indexPatterns={indexPatterns}
         rbacEnabled={true}
         rbacApplication={rbacApplication}
diff --git a/x-pack/plugins/security/server/lib/__tests__/__fixtures__/server.js b/x-pack/plugins/security/server/lib/__tests__/__fixtures__/server.js
index 78a015bc141058..3814c282a911e1 100644
--- a/x-pack/plugins/security/server/lib/__tests__/__fixtures__/server.js
+++ b/x-pack/plugins/security/server/lib/__tests__/__fixtures__/server.js
@@ -37,7 +37,9 @@ export function serverFixture() {
         authenticate: stub(),
         deauthenticate: stub(),
         authorization: {
-          checkPrivilegesWithRequest: stub(),
+          mode: {
+            useRbacForRequest: stub(),
+          },
           actions: {
             login: 'stub-login-action',
           },
diff --git a/x-pack/plugins/security/server/lib/authentication/__tests__/authenticator.js b/x-pack/plugins/security/server/lib/authentication/__tests__/authenticator.js
index ab32f30c2e3156..7a11e694b8975f 100644
--- a/x-pack/plugins/security/server/lib/authentication/__tests__/authenticator.js
+++ b/x-pack/plugins/security/server/lib/authentication/__tests__/authenticator.js
@@ -22,6 +22,7 @@ describe('Authenticator', () => {
   let server;
   let session;
   let cluster;
+  let authorizationMode;
   beforeEach(() => {
     server = serverFixture();
     session = sinon.createStubInstance(Session);
@@ -34,6 +35,8 @@ describe('Authenticator', () => {
     cluster = sinon.stub({ callWithRequest() {} });
     sandbox.stub(ClientShield, 'getClient').returns(cluster);
 
+    authorizationMode = { initialize: sinon.stub() };
+
     server.config.returns(config);
     server.register.yields();
 
@@ -83,7 +86,7 @@ describe('Authenticator', () => {
       server.plugins.kibana.systemApi.isSystemApiRequest.returns(true);
       session.clear.throws(new Error('`Session.clear` is not supposed to be called!'));
 
-      await initAuthenticator(server);
+      await initAuthenticator(server, authorizationMode);
 
       // Second argument will be a method we'd like to test.
       authenticate = server.expose.withArgs('authenticate').firstCall.args[1];
@@ -112,6 +115,18 @@ describe('Authenticator', () => {
       expect(authenticationResult.error).to.be(failureReason);
     });
 
+    it(`doesn't initialize authorizationMode when authentication fails.`, async () => {
+      const request = requestFixture({ headers: { authorization: 'Basic ***' } });
+      session.get.withArgs(request).returns(Promise.resolve(null));
+
+      const failureReason = new Error('Not Authorized');
+      cluster.callWithRequest.withArgs(request).returns(Promise.reject(failureReason));
+
+      await authenticate(request);
+
+      sinon.assert.notCalled(authorizationMode.initialize);
+    });
+
     it('returns user that authentication provider returns.', async () => {
       const request = requestFixture({ headers: { authorization: 'Basic ***' } });
       const user = { username: 'user' };
@@ -125,6 +140,15 @@ describe('Authenticator', () => {
       });
     });
 
+    it('initiliazes authorizationMode when authentication succeeds.', async () => {
+      const request = requestFixture({ headers: { authorization: 'Basic ***' } });
+      const user = { username: 'user' };
+      cluster.callWithRequest.withArgs(request).returns(Promise.resolve(user));
+
+      await authenticate(request);
+      sinon.assert.calledWith(authorizationMode.initialize, request);
+    });
+
     it('creates session whenever authentication provider returns state to store.', async () => {
       const user = { username: 'user' };
       const systemAPIRequest = requestFixture({ headers: { authorization: 'Basic xxx' } });
diff --git a/x-pack/plugins/security/server/lib/authentication/authenticator.js b/x-pack/plugins/security/server/lib/authentication/authenticator.js
index 3f11f478921054..e731c6724e9d40 100644
--- a/x-pack/plugins/security/server/lib/authentication/authenticator.js
+++ b/x-pack/plugins/security/server/lib/authentication/authenticator.js
@@ -102,11 +102,13 @@ class Authenticator {
    * @param {Hapi.Server} server HapiJS Server instance.
    * @param {AuthScopeService} authScope AuthScopeService instance.
    * @param {Session} session Session instance.
+   * @param {AuthorizationMode} authorizationMode AuthorizationMode instance
    */
-  constructor(server, authScope, session) {
+  constructor(server, authScope, session, authorizationMode) {
     this._server = server;
     this._authScope = authScope;
     this._session = session;
+    this._authorizationMode = authorizationMode;
 
     const config = this._server.config();
     const authProviders = config.get('xpack.security.authProviders');
@@ -168,6 +170,8 @@ class Authenticator {
       }
 
       if (authenticationResult.succeeded()) {
+        // we have to do this here, as the auth scope's could be dependent on this
+        await this._authorizationMode.initialize(request);
         return AuthenticationResult.succeeded({
           ...authenticationResult.user,
           // Complement user returned from the provider with scopes.
@@ -269,10 +273,10 @@ class Authenticator {
   }
 }
 
-export async function initAuthenticator(server) {
+export async function initAuthenticator(server, authorizationMode) {
   const session = await Session.create(server);
   const authScope = new AuthScopeService();
-  const authenticator = new Authenticator(server, authScope, session);
+  const authenticator = new Authenticator(server, authScope, session, authorizationMode);
 
   server.expose('authenticate', (request) => authenticator.authenticate(request));
   server.expose('deauthenticate', (request) => authenticator.deauthenticate(request));
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
index 7609d57b702faf..634600a2549d62 100644
--- a/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
@@ -1,13 +1,27 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`with a malformed Elasticsearch response throws a validation error when an extra index privilege is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "index" fails because [child "default-index" fails because ["oopsAnExtraPrivilege" is not allowed]]]`;
+exports[`#checkPrivilegesAtSpace throws error when checking for login and user has login but doesn't have version 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
 
-exports[`with a malformed Elasticsearch response throws a validation error when an extra privilege is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "&#x2a;" fails because ["oops-an-unexpected-privilege" is not allowed]]]]`;
+exports[`#checkPrivilegesAtSpace with a malformed Elasticsearch response throws a validation error when an extra privilege is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_1" fails because ["action:saved_objects&#x2f;bar-type&#x2f;get" is not allowed]]]]`;
 
-exports[`with a malformed Elasticsearch response throws a validation error when index privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "index" fails because [child "default-index" fails because [child "read" fails because ["read" is required]]]]`;
+exports[`#checkPrivilegesAtSpace with a malformed Elasticsearch response throws a validation error when privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_1" fails because [child "action:saved_objects&#x2f;foo-type&#x2f;get" fails because ["action:saved_objects&#x2f;foo-type&#x2f;get" is required]]]]]`;
 
-exports[`with a malformed Elasticsearch response throws a validation error when privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "&#x2a;" fails because [child "mock-action:version" fails because ["mock-action:version" is required]]]]]`;
+exports[`#checkPrivilegesAtSpaces throws error when Elasticsearch returns malformed response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_1" fails because [child "mock-action:version" fails because ["mock-action:version" is required]]]]]`;
 
-exports[`with index privileges throws error if missing version privilege and has login privilege 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
+exports[`#checkPrivilegesAtSpaces throws error when checking for login and user has login but doesn't have version 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
 
-exports[`with no index privileges throws error if missing version privilege and has login privilege 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
+exports[`#checkPrivilegesAtSpaces with a malformed Elasticsearch response throws a validation error when an a space is missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_2" fails because ["space:space_2" is required]]]]`;
+
+exports[`#checkPrivilegesAtSpaces with a malformed Elasticsearch response throws a validation error when an extra privilege is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_2" fails because ["space:space_2" is required]]]]`;
+
+exports[`#checkPrivilegesAtSpaces with a malformed Elasticsearch response throws a validation error when an extra space is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because ["space:space_3" is not allowed]]]`;
+
+exports[`#checkPrivilegesAtSpaces with a malformed Elasticsearch response throws a validation error when privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_2" fails because ["space:space_2" is required]]]]`;
+
+exports[`#checkPrivilegesGlobally throws error when Elasticsearch returns malformed response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "&#x2a;" fails because [child "mock-action:version" fails because ["mock-action:version" is required]]]]]`;
+
+exports[`#checkPrivilegesGlobally throws error when checking for login and user has login but doesn't have version 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
+
+exports[`#checkPrivilegesGlobally with a malformed Elasticsearch response throws a validation error when an extra privilege is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "&#x2a;" fails because ["action:saved_objects&#x2f;bar-type&#x2f;get" is not allowed]]]]`;
+
+exports[`#checkPrivilegesGlobally with a malformed Elasticsearch response throws a validation error when privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "&#x2a;" fails because [child "action:saved_objects&#x2f;foo-type&#x2f;get" fails because ["action:saved_objects&#x2f;foo-type&#x2f;get" is required]]]]]`;
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap
deleted file mode 100644
index c65b0d2d6ae391..00000000000000
--- a/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap
+++ /dev/null
@@ -1,9 +0,0 @@
-// Jest Snapshot v1, https://goo.gl/fbAQLP
-
-exports[`deep freezes exposed service 1`] = `"Cannot delete property 'checkPrivilegesWithRequest' of #<Object>"`;
-
-exports[`deep freezes exposed service 2`] = `"Cannot add property foo, object is not extensible"`;
-
-exports[`deep freezes exposed service 3`] = `"Cannot assign to read only property 'login' of object '#<Object>'"`;
-
-exports[`deep freezes exposed service 4`] = `"Cannot assign to read only property 'application' of object '#<Object>'"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/mode.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/mode.test.js.snap
new file mode 100644
index 00000000000000..66840335528ce2
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/mode.test.js.snap
@@ -0,0 +1,3 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`#initialize can't be initialized twice for the same request 1`] = `"Authorization mode is already intitialized"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/space_application_privileges_serializer.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/space_application_privileges_serializer.test.js.snap
new file mode 100644
index 00000000000000..0a943137989ecb
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/space_application_privileges_serializer.test.js.snap
@@ -0,0 +1,5 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`#privilege #deserialize throws error if privilege doesn't start with space_ 1`] = `"Space privilege should have started with space_"`;
+
+exports[`#resource #deserialize throws error if resource doesn't start with space: 1`] = `"Resource should have started with space:"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.js.snap
index 5e1e26a9023ae7..226002545a378f 100644
--- a/x-pack/plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.js.snap
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.js.snap
@@ -4,40 +4,18 @@ exports[`validateEsPrivilegeResponse fails validation when an action is malforme
 
 exports[`validateEsPrivilegeResponse fails validation when an action is missing in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [child \\"action2\\" fails because [\\"action2\\" is required]]]]"`;
 
+exports[`validateEsPrivilegeResponse fails validation when an expected resource property is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"bar-resource\\" fails because [\\"bar-resource\\" is required]]]"`;
+
 exports[`validateEsPrivilegeResponse fails validation when an extra action is present in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"action4\\" is not allowed]]]"`;
 
 exports[`validateEsPrivilegeResponse fails validation when an extra application is present in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [\\"otherApplication\\" is not allowed]"`;
 
-exports[`validateEsPrivilegeResponse fails validation when an unexpected resource property is present in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"foo-resource\\" is required]]]"`;
+exports[`validateEsPrivilegeResponse fails validation when an unexpected resource property is present in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"bar-resource\\" fails because [\\"bar-resource\\" is required]]]"`;
 
 exports[`validateEsPrivilegeResponse fails validation when the "application" property is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [\\"application\\" is required]"`;
 
-exports[`validateEsPrivilegeResponse fails validation when the expected resource property is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"foo-resource\\" is required]]]"`;
-
 exports[`validateEsPrivilegeResponse fails validation when the requested application is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [\\"foo-application\\" is required]]"`;
 
 exports[`validateEsPrivilegeResponse fails validation when the resource propertry is malformed in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"foo-resource\\" must be an object]]]"`;
 
-exports[`validateEsPrivilegeResponse legacy should fail if the create index privilege is malformed 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"create\\" fails because [\\"create\\" must be a boolean]]]"`;
-
-exports[`validateEsPrivilegeResponse legacy should fail if the create index privilege is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"create\\" fails because [\\"create\\" is required]]]"`;
-
-exports[`validateEsPrivilegeResponse legacy should fail if the delete index privilege is malformed 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"delete\\" fails because [\\"delete\\" must be a boolean]]]"`;
-
-exports[`validateEsPrivilegeResponse legacy should fail if the delete index privilege is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"delete\\" fails because [\\"delete\\" is required]]]"`;
-
-exports[`validateEsPrivilegeResponse legacy should fail if the index privilege response contains an extra privilege 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [\\"foo-permission\\" is not allowed]]"`;
-
-exports[`validateEsPrivilegeResponse legacy should fail if the index privilege response returns an extra index 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [\\"anotherIndex\\" is not allowed]"`;
-
-exports[`validateEsPrivilegeResponse legacy should fail if the index property is missing 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [\\"index\\" is required]"`;
-
-exports[`validateEsPrivilegeResponse legacy should fail if the kibana index is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [\\".kibana\\" is required]]"`;
-
-exports[`validateEsPrivilegeResponse legacy should fail if the read index privilege is malformed 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"read\\" fails because [\\"read\\" must be a boolean]]]"`;
-
-exports[`validateEsPrivilegeResponse legacy should fail if the read index privilege is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"read\\" fails because [\\"read\\" is required]]]"`;
-
-exports[`validateEsPrivilegeResponse legacy should fail if the view_index_metadata index privilege is malformed 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"view_index_metadata\\" fails because [\\"view_index_metadata\\" must be a boolean]]]"`;
-
-exports[`validateEsPrivilegeResponse legacy should fail if the view_index_metadata index privilege is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"view_index_metadata\\" fails because [\\"view_index_metadata\\" is required]]]"`;
+exports[`validateEsPrivilegeResponse fails validation when there are no resource properties in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"foo-resource\\" is required]]]"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/actions.js b/x-pack/plugins/security/server/lib/authorization/actions.js
index 432698a003cb35..e47e1edd5d4c40 100644
--- a/x-pack/plugins/security/server/lib/authorization/actions.js
+++ b/x-pack/plugins/security/server/lib/authorization/actions.js
@@ -22,5 +22,6 @@ export function actionsFactory(config) {
     },
     login: `action:login`,
     version: `version:${kibanaVersion}`,
+    manageSpaces: 'action:manage_spaces/*',
   };
 }
diff --git a/x-pack/plugins/security/server/lib/authorization/actions.test.js b/x-pack/plugins/security/server/lib/authorization/actions.test.js
index 17834438e17814..9ae2265557d21b 100644
--- a/x-pack/plugins/security/server/lib/authorization/actions.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/actions.test.js
@@ -66,4 +66,14 @@ describe('#getSavedObjectAction()', () => {
       expect(() => actions.getSavedObjectAction('saved-object-type', action)).toThrowErrorMatchingSnapshot();
     });
   });
+
+  describe('#manageSpaces', () => {
+    test('returns action:manage_spaces/*', () => {
+      const mockConfig = createMockConfig();
+
+      const actions = actionsFactory(mockConfig);
+
+      expect(actions.manageSpaces).toEqual('action:manage_spaces/*');
+    });
+  });
 });
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
index b12658708f2d37..bdd9781f977717 100644
--- a/x-pack/plugins/security/server/lib/authorization/check_privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
@@ -4,94 +4,85 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { uniq } from 'lodash';
-import { ALL_RESOURCE } from '../../../common/constants';
-import { buildLegacyIndexPrivileges } from './privileges';
+import { pick, transform, uniq } from 'lodash';
+import { GLOBAL_RESOURCE } from '../../../common/constants';
+import { spaceApplicationPrivilegesSerializer } from './space_application_privileges_serializer';
 import { validateEsPrivilegeResponse } from './validate_es_response';
 
-export const CHECK_PRIVILEGES_RESULT = {
-  UNAUTHORIZED: Symbol('Unauthorized'),
-  AUTHORIZED: Symbol('Authorized'),
-  LEGACY: Symbol('Legacy'),
-};
-
-export function checkPrivilegesWithRequestFactory(shieldClient, config, actions, application) {
+export function checkPrivilegesWithRequestFactory(actions, application, shieldClient) {
   const { callWithRequest } = shieldClient;
 
-  const kibanaIndex = config.get('kibana.index');
-
   const hasIncompatibileVersion = (applicationPrivilegesResponse) => {
-    return !applicationPrivilegesResponse[actions.version] && applicationPrivilegesResponse[actions.login];
-  };
-
-  const hasAllApplicationPrivileges = (applicationPrivilegesResponse) => {
-    return Object.values(applicationPrivilegesResponse).every(val => val === true);
-  };
-
-  const hasNoApplicationPrivileges = (applicationPrivilegesResponse) => {
-    return Object.values(applicationPrivilegesResponse).every(val => val === false);
-  };
-
-  const isLegacyFallbackEnabled = () => {
-    return config.get('xpack.security.authorization.legacyFallback.enabled');
-  };
-
-  const hasLegacyPrivileges = (indexPrivilegesResponse) => {
-    return Object.values(indexPrivilegesResponse).includes(true);
-  };
-
-  const determineResult = (applicationPrivilegesResponse, indexPrivilegesResponse) => {
-    if (hasAllApplicationPrivileges(applicationPrivilegesResponse)) {
-      return CHECK_PRIVILEGES_RESULT.AUTHORIZED;
-    }
-
-    if (
-      isLegacyFallbackEnabled() &&
-      hasNoApplicationPrivileges(applicationPrivilegesResponse) &&
-      hasLegacyPrivileges(indexPrivilegesResponse)
-    ) {
-      return CHECK_PRIVILEGES_RESULT.LEGACY;
-    }
-
-    return CHECK_PRIVILEGES_RESULT.UNAUTHORIZED;
+    return Object.values(applicationPrivilegesResponse).some(resource => !resource[actions.version] && resource[actions.login]);
   };
 
   return function checkPrivilegesWithRequest(request) {
 
-    return async function checkPrivileges(privileges) {
+    const checkPrivilegesAtResources = async (resources, privilegeOrPrivileges) => {
+      const privileges = Array.isArray(privilegeOrPrivileges) ? privilegeOrPrivileges : [privilegeOrPrivileges];
       const allApplicationPrivileges = uniq([actions.version, actions.login, ...privileges]);
+
       const hasPrivilegesResponse = await callWithRequest(request, 'shield.hasPrivileges', {
         body: {
           applications: [{
             application,
-            resources: [ALL_RESOURCE],
+            resources,
             privileges: allApplicationPrivileges
           }],
-          index: [{
-            names: [kibanaIndex],
-            privileges: buildLegacyIndexPrivileges()
-          }],
         }
       });
 
-      validateEsPrivilegeResponse(hasPrivilegesResponse, application, allApplicationPrivileges, [ALL_RESOURCE], kibanaIndex);
+      validateEsPrivilegeResponse(hasPrivilegesResponse, application, allApplicationPrivileges, resources);
 
-      const applicationPrivilegesResponse = hasPrivilegesResponse.application[application][ALL_RESOURCE];
-      const indexPrivilegesResponse = hasPrivilegesResponse.index[kibanaIndex];
+      const applicationPrivilegesResponse = hasPrivilegesResponse.application[application];
 
       if (hasIncompatibileVersion(applicationPrivilegesResponse)) {
         throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
       }
 
       return {
-        result: determineResult(applicationPrivilegesResponse, indexPrivilegesResponse),
+        hasAllRequested: hasPrivilegesResponse.has_all_requested,
         username: hasPrivilegesResponse.username,
+        // we need to filter out the non requested privileges from the response
+        resourcePrivileges: transform(applicationPrivilegesResponse, (result, value, key) => {
+          result[key] = pick(value, privileges);
+        }),
+      };
+    };
 
-        // we only return missing privileges that they're specifically checking for
-        missing: Object.keys(applicationPrivilegesResponse)
-          .filter(privilege => privileges.includes(privilege))
-          .filter(privilege => !applicationPrivilegesResponse[privilege])
+    const checkPrivilegesAtResource = async (resource, privilegeOrPrivileges) => {
+      const { hasAllRequested, username, resourcePrivileges } = await checkPrivilegesAtResources([resource], privilegeOrPrivileges);
+      return {
+        hasAllRequested,
+        username,
+        privileges: resourcePrivileges[resource],
       };
     };
+
+    return {
+      // TODO: checkPrivileges.atResources isn't necessary once we have the ES API to list all privileges
+      // this should be removed when we switch to this API, and is not covered by unit tests currently
+      atResources: checkPrivilegesAtResources,
+      async atSpace(spaceId, privilegeOrPrivileges) {
+        const spaceResource = spaceApplicationPrivilegesSerializer.resource.serialize(spaceId);
+        return await checkPrivilegesAtResource(spaceResource, privilegeOrPrivileges);
+      },
+      async atSpaces(spaceIds, privilegeOrPrivileges) {
+        const spaceResources = spaceIds.map(spaceId => spaceApplicationPrivilegesSerializer.resource.serialize(spaceId));
+        const { hasAllRequested, username, resourcePrivileges } = await checkPrivilegesAtResources(spaceResources, privilegeOrPrivileges);
+        return {
+          hasAllRequested,
+          username,
+          // we need to turn the resource responses back into the space ids
+          spacePrivileges: transform(resourcePrivileges, (result, value, key) => {
+            result[spaceApplicationPrivilegesSerializer.resource.deserialize(key)] = value;
+          }),
+        };
+
+      },
+      async globally(privilegeOrPrivileges) {
+        return await checkPrivilegesAtResource(GLOBAL_RESOURCE, privilegeOrPrivileges);
+      },
+    };
   };
 }
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
index 510ec3e4852b72..f74528d4fd20d6 100644
--- a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
@@ -5,37 +5,17 @@
  */
 
 import { uniq } from 'lodash';
-import { checkPrivilegesWithRequestFactory, CHECK_PRIVILEGES_RESULT } from './check_privileges';
-
-import { ALL_RESOURCE } from '../../../common/constants';
+import { checkPrivilegesWithRequestFactory } from './check_privileges';
+import { GLOBAL_RESOURCE } from '../../../common/constants';
 
 const application = 'kibana-our_application';
-const defaultVersion = 'default-version';
-const defaultKibanaIndex = 'default-index';
-const savedObjectTypes = ['foo-type', 'bar-type'];
 
 const mockActions = {
   login: 'mock-action:login',
   version: 'mock-action:version',
 };
 
-const createMockConfig = (settings = {}) => {
-  const mockConfig = {
-    get: jest.fn()
-  };
-
-  const defaultSettings = {
-    'pkg.version': defaultVersion,
-    'kibana.index': defaultKibanaIndex,
-    'xpack.security.authorization.legacyFallback.enabled': true,
-  };
-
-  mockConfig.get.mockImplementation(key => {
-    return key in settings ? settings[key] : defaultSettings[key];
-  });
-
-  return mockConfig;
-};
+const savedObjectTypes = ['foo-type', 'bar-type'];
 
 const createMockShieldClient = (response) => {
   const mockCallWithRequest = jest.fn();
@@ -47,424 +27,841 @@ const createMockShieldClient = (response) => {
   };
 };
 
-const checkPrivilegesTest = (
-  description, {
-    settings,
-    privileges,
-    applicationPrivilegesResponse,
-    indexPrivilegesResponse,
+describe('#checkPrivilegesAtSpace', () => {
+  const checkPrivilegesAtSpaceTest = (description, {
+    spaceId,
+    privilegeOrPrivileges,
+    esHasPrivilegesResponse,
     expectedResult,
-    expectErrorThrown,
+    expectErrorThrown
   }) => {
+    test(description, async () => {
+      const mockShieldClient = createMockShieldClient(esHasPrivilegesResponse);
+      const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockActions, application, mockShieldClient);
+      const request = Symbol();
+      const checkPrivileges = checkPrivilegesWithRequest(request);
+
+      let actualResult;
+      let errorThrown = null;
+      try {
+        actualResult = await checkPrivileges.atSpace(spaceId, privilegeOrPrivileges);
+      } catch (err) {
+        errorThrown = err;
+      }
 
-  test(description, async () => {
-    const username = 'foo-username';
-    const mockConfig = createMockConfig(settings);
-    const mockShieldClient = createMockShieldClient({
-      username,
-      application: {
-        [application]: {
-          [ALL_RESOURCE]: applicationPrivilegesResponse
+      expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+        body: {
+          applications: [{
+            application,
+            resources: [`space:${spaceId}`],
+            privileges: uniq([
+              mockActions.version,
+              mockActions.login,
+              ...Array.isArray(privilegeOrPrivileges) ? privilegeOrPrivileges : [privilegeOrPrivileges],
+            ])
+          }]
         }
-      },
-      index: {
-        [defaultKibanaIndex]: indexPrivilegesResponse
-      },
-    });
+      });
 
-    const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockShieldClient, mockConfig, mockActions, application);
-    const request = Symbol();
-    const checkPrivileges = checkPrivilegesWithRequest(request);
-
-    let actualResult;
-    let errorThrown = null;
-    try {
-      actualResult = await checkPrivileges(privileges);
-    } catch (err) {
-      errorThrown = err;
-    }
-
-
-    expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
-      body: {
-        applications: [{
-          application,
-          resources: [ALL_RESOURCE],
-          privileges: uniq([
-            mockActions.version, mockActions.login, ...privileges
-          ])
-        }],
-        index: [{
-          names: [defaultKibanaIndex],
-          privileges: ['create', 'delete', 'read', 'view_index_metadata']
-        }],
+      if (expectedResult) {
+        expect(errorThrown).toBeNull();
+        expect(actualResult).toEqual(expectedResult);
       }
-    });
-
-    if (expectedResult) {
-      expect(errorThrown).toBeNull();
-      expect(actualResult).toEqual(expectedResult);
-    }
-
-    if (expectErrorThrown) {
-      expect(errorThrown).toMatchSnapshot();
-    }
-  });
-};
 
-describe(`with no index privileges`, () => {
-  const indexPrivilegesResponse = {
-    create: false,
-    delete: false,
-    read: false,
-    view_index_metadata: false,
+      if (expectErrorThrown) {
+        expect(errorThrown).toMatchSnapshot();
+      }
+    });
   };
 
-  checkPrivilegesTest('returns authorized if they have all application privileges', {
-    username: 'foo-username',
-    privileges: [
-      `action:saved_objects/${savedObjectTypes[0]}/get`
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.version]: true,
-      [mockActions.login]: true,
-      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+  checkPrivilegesAtSpaceTest('successful when checking for login and user has login', {
+    spaceId: 'space_1',
+    privilegeOrPrivileges: mockActions.login,
+    esHasPrivilegesResponse: {
+      has_all_requested: true,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          'space:space_1': {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse,
     expectedResult: {
-      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+      hasAllRequested: true,
       username: 'foo-username',
-      missing: [],
-    }
+      privileges: {
+        [mockActions.login]: true
+      }
+    },
   });
 
-  checkPrivilegesTest('returns unauthorized and missing application action when checking missing application action', {
-    username: 'foo-username',
-    privileges: [
-      `action:saved_objects/${savedObjectTypes[0]}/get`,
-      `action:saved_objects/${savedObjectTypes[0]}/create`,
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.version]: true,
-      [mockActions.login]: true,
-      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
-      [`action:saved_objects/${savedObjectTypes[0]}/create`]: false,
+  checkPrivilegesAtSpaceTest(`failure when checking for login and user doesn't have login`, {
+    spaceId: 'space_1',
+    privilegeOrPrivileges: mockActions.login,
+    esHasPrivilegesResponse: {
+      has_all_requested: false,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          'space:space_1': {
+            [mockActions.login]: false,
+            [mockActions.version]: true,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse,
     expectedResult: {
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      hasAllRequested: false,
       username: 'foo-username',
-      missing: [`action:saved_objects/${savedObjectTypes[0]}/create`],
-    }
+      privileges: {
+        [mockActions.login]: false
+      }
+    },
+  });
+
+  checkPrivilegesAtSpaceTest(`throws error when checking for login and user has login but doesn't have version`, {
+    spaceId: 'space_1',
+    privilegeOrPrivileges: mockActions.login,
+    esHasPrivilegesResponse: {
+      has_all_requested: false,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          'space:space_1': {
+            [mockActions.login]: true,
+            [mockActions.version]: false,
+          }
+        }
+      }
+    },
+    expectErrorThrown: true,
   });
 
-  checkPrivilegesTest('returns unauthorized and missing login when checking missing login action', {
-    username: 'foo-username',
-    privileges: [
-      mockActions.login
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.login]: false,
-      [mockActions.version]: false,
+  checkPrivilegesAtSpaceTest(`successful when checking for two actions and the user has both`, {
+    spaceId: 'space_1',
+    privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`, `action:saved_objects/${savedObjectTypes[1]}/get`],
+    esHasPrivilegesResponse: {
+      has_all_requested: true,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          'space:space_1': {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse,
     expectedResult: {
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      hasAllRequested: true,
       username: 'foo-username',
-      missing: [mockActions.login],
-    }
+      privileges: {
+        [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+        [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+      }
+    },
   });
 
-  checkPrivilegesTest('returns unauthorized and missing version if checking missing version action', {
-    username: 'foo-username',
-    privileges: [
-      mockActions.version
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.login]: false,
-      [mockActions.version]: false,
+  checkPrivilegesAtSpaceTest(`failure when checking for two actions and the user has only one`, {
+    spaceId: 'space_1',
+    privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`, `action:saved_objects/${savedObjectTypes[1]}/get`],
+    esHasPrivilegesResponse: {
+      has_all_requested: false,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          'space:space_1': {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse,
     expectedResult: {
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      hasAllRequested: false,
       username: 'foo-username',
-      missing: [mockActions.version],
-    }
+      privileges: {
+        [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+        [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+      }
+    },
   });
 
-  checkPrivilegesTest('throws error if missing version privilege and has login privilege', {
-    username: 'foo-username',
-    privileges: [
-      `action:saved_objects/${savedObjectTypes[0]}/get`
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.login]: true,
-      [mockActions.version]: false,
-      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
-    },
-    indexPrivilegesResponse,
-    expectErrorThrown: true
+  describe('with a malformed Elasticsearch response', () => {
+    checkPrivilegesAtSpaceTest(`throws a validation error when an extra privilege is present in the response`, {
+      spaceId: 'space_1',
+      privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`],
+      esHasPrivilegesResponse: {
+        has_all_requested: false,
+        username: 'foo-username',
+        application: {
+          [application]: {
+            'space:space_1': {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+              [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+              [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+            }
+          }
+        }
+      },
+      expectErrorThrown: true,
+    });
+
+    checkPrivilegesAtSpaceTest(`throws a validation error when privileges are missing in the response`, {
+      spaceId: 'space_1',
+      privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`],
+      esHasPrivilegesResponse: {
+        has_all_requested: false,
+        username: 'foo-username',
+        application: {
+          [application]: {
+            'space:space_1': {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+            }
+          }
+        }
+      },
+      expectErrorThrown: true,
+    });
   });
 });
 
-describe(`with index privileges`, () => {
-  const indexPrivilegesResponse = {
-    create: true,
-    delete: true,
-    read: true,
-    view_index_metadata: true,
+describe('#checkPrivilegesAtSpaces', () => {
+  const checkPrivilegesAtSpacesTest = (description, {
+    spaceIds,
+    privilegeOrPrivileges,
+    esHasPrivilegesResponse,
+    expectedResult,
+    expectErrorThrown
+  }) => {
+    test(description, async () => {
+      const mockShieldClient = createMockShieldClient(esHasPrivilegesResponse);
+      const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockActions, application, mockShieldClient);
+      const request = Symbol();
+      const checkPrivileges = checkPrivilegesWithRequest(request);
+
+      let actualResult;
+      let errorThrown = null;
+      try {
+        actualResult = await checkPrivileges.atSpaces(spaceIds, privilegeOrPrivileges);
+      } catch (err) {
+        errorThrown = err;
+      }
+
+      expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+        body: {
+          applications: [{
+            application,
+            resources: spaceIds.map(spaceId => `space:${spaceId}`),
+            privileges: uniq([
+              mockActions.version,
+              mockActions.login,
+              ...Array.isArray(privilegeOrPrivileges) ? privilegeOrPrivileges : [privilegeOrPrivileges],
+            ])
+          }]
+        }
+      });
+
+      if (expectedResult) {
+        expect(errorThrown).toBeNull();
+        expect(actualResult).toEqual(expectedResult);
+      }
+
+      if (expectErrorThrown) {
+        expect(errorThrown).toMatchSnapshot();
+      }
+    });
   };
 
-  checkPrivilegesTest('returns authorized if they have all application privileges', {
-    username: 'foo-username',
-    privileges: [
-      `action:saved_objects/${savedObjectTypes[0]}/get`
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.version]: true,
-      [mockActions.login]: true,
-      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+  checkPrivilegesAtSpacesTest('successful when checking for login and user has login at both spaces', {
+    spaceIds: ['space_1', 'space_2'],
+    privilegeOrPrivileges: mockActions.login,
+    esHasPrivilegesResponse: {
+      has_all_requested: true,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          'space:space_1': {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+          },
+          'space:space_2': {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse,
     expectedResult: {
-      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+      hasAllRequested: true,
       username: 'foo-username',
-      missing: [],
-    }
+      spacePrivileges: {
+        space_1: {
+          [mockActions.login]: true
+        },
+        space_2: {
+          [mockActions.login]: true
+        },
+      }
+    },
   });
 
-  checkPrivilegesTest('returns unauthorized and missing application action when checking missing application action', {
-    username: 'foo-username',
-    privileges: [
-      `action:saved_objects/${savedObjectTypes[0]}/get`,
-      `action:saved_objects/${savedObjectTypes[0]}/create`,
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.version]: true,
-      [mockActions.login]: true,
-      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
-      [`action:saved_objects/${savedObjectTypes[0]}/create`]: false,
+  checkPrivilegesAtSpacesTest('failure when checking for login and user has login at only one space', {
+    spaceIds: ['space_1', 'space_2'],
+    privilegeOrPrivileges: mockActions.login,
+    esHasPrivilegesResponse: {
+      has_all_requested: false,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          'space:space_1': {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+          },
+          'space:space_2': {
+            [mockActions.login]: false,
+            [mockActions.version]: true,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse,
     expectedResult: {
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      hasAllRequested: false,
       username: 'foo-username',
-      missing: [`action:saved_objects/${savedObjectTypes[0]}/create`],
-    }
+      spacePrivileges: {
+        space_1: {
+          [mockActions.login]: true
+        },
+        space_2: {
+          [mockActions.login]: false
+        },
+      }
+    },
   });
 
-  checkPrivilegesTest('returns legacy and missing login when checking missing login action and fallback is enabled', {
-    username: 'foo-username',
-    privileges: [
-      mockActions.login
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.login]: false,
-      [mockActions.version]: false,
-    },
-    indexPrivilegesResponse,
-    expectedResult: {
-      result: CHECK_PRIVILEGES_RESULT.LEGACY,
+  checkPrivilegesAtSpacesTest(`throws error when checking for login and user has login but doesn't have version`, {
+    spaceIds: ['space_1', 'space_2'],
+    privilegeOrPrivileges: mockActions.login,
+    esHasPrivilegesResponse: {
+      has_all_requested: false,
       username: 'foo-username',
-      missing: [mockActions.login],
-    }
+      application: {
+        [application]: {
+          'space:space_1': {
+            [mockActions.login]: true,
+            [mockActions.version]: false,
+          },
+          'space:space_2': {
+            [mockActions.login]: true,
+            [mockActions.version]: false,
+          }
+        }
+      }
+    },
+    expectErrorThrown: true,
   });
 
-  checkPrivilegesTest('returns unauthorized and missing login when checking missing login action and fallback is disabled', {
-    settings: {
-      'xpack.security.authorization.legacyFallback.enabled': false,
+  checkPrivilegesAtSpacesTest(`throws error when Elasticsearch returns malformed response`, {
+    spaceIds: ['space_1', 'space_2'],
+    privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`, `action:saved_objects/${savedObjectTypes[1]}/get`],
+    esHasPrivilegesResponse: {
+      has_all_requested: true,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          'space:space_1': {
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+          },
+          'space:space_2': {
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+          }
+        }
+      }
     },
-    username: 'foo-username',
-    privileges: [
-      mockActions.login
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.login]: false,
-      [mockActions.version]: false,
+    expectErrorThrown: true,
+  });
+
+  checkPrivilegesAtSpacesTest(`successful when checking for two actions at two spaces and user has it all`, {
+    spaceIds: ['space_1', 'space_2'],
+    privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`, `action:saved_objects/${savedObjectTypes[1]}/get`],
+    esHasPrivilegesResponse: {
+      has_all_requested: true,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          'space:space_1': {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+          },
+          'space:space_2': {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse,
     expectedResult: {
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      hasAllRequested: true,
       username: 'foo-username',
-      missing: [mockActions.login],
-    }
+      spacePrivileges: {
+        space_1: {
+          [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+          [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+        },
+        space_2: {
+          [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+          [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+        }
+      }
+    },
   });
 
-  checkPrivilegesTest('returns legacy and missing version if checking missing version action and fallback is enabled', {
-    username: 'foo-username',
-    privileges: [
-      mockActions.version
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.login]: false,
-      [mockActions.version]: false,
+  checkPrivilegesAtSpacesTest(`failure when checking for two actions at two spaces and user has one action at one space`, {
+    spaceIds: ['space_1', 'space_2'],
+    privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`, `action:saved_objects/${savedObjectTypes[1]}/get`],
+    esHasPrivilegesResponse: {
+      has_all_requested: false,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          'space:space_1': {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: false,
+          },
+          'space:space_2': {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: false,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse,
     expectedResult: {
-      result: CHECK_PRIVILEGES_RESULT.LEGACY,
+      hasAllRequested: false,
       username: 'foo-username',
-      missing: [mockActions.version],
-    }
+      spacePrivileges: {
+        space_1: {
+          [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+          [`action:saved_objects/${savedObjectTypes[1]}/get`]: false,
+        },
+        space_2: {
+          [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+          [`action:saved_objects/${savedObjectTypes[1]}/get`]: false,
+        }
+      }
+    },
   });
 
-  checkPrivilegesTest('returns unauthorized and missing version if checking missing version action and fallback is disabled', {
-    settings: {
-      'xpack.security.authorization.legacyFallback.enabled': false,
-    },
-    username: 'foo-username',
-    privileges: [
-      mockActions.version
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.login]: false,
-      [mockActions.version]: false,
+  checkPrivilegesAtSpacesTest(`failure when checking for two actions at two spaces and user has two actions at one space`, {
+    spaceIds: ['space_1', 'space_2'],
+    privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`, `action:saved_objects/${savedObjectTypes[1]}/get`],
+    esHasPrivilegesResponse: {
+      has_all_requested: false,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          'space:space_1': {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+          },
+          'space:space_2': {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: false,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse,
     expectedResult: {
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      hasAllRequested: false,
       username: 'foo-username',
-      missing: [mockActions.version],
-    }
-  });
-
-  checkPrivilegesTest('throws error if missing version privilege and has login privilege', {
-    username: 'foo-username',
-    privileges: [
-      `action:saved_objects/${savedObjectTypes[0]}/get`
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.login]: true,
-      [mockActions.version]: false,
-      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+      spacePrivileges: {
+        space_1: {
+          [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+          [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+        },
+        space_2: {
+          [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+          [`action:saved_objects/${savedObjectTypes[1]}/get`]: false,
+        }
+      }
     },
-    indexPrivilegesResponse,
-    expectErrorThrown: true
   });
-});
 
-describe('with no application privileges', () => {
-  ['create', 'delete', 'read', 'view_index_metadata'].forEach(indexPrivilege => {
-    checkPrivilegesTest(`returns legacy if they have ${indexPrivilege} privilege on the kibana index and fallback is enabled`, {
-      username: 'foo-username',
-      privileges: [
-        `action:saved_objects/${savedObjectTypes[0]}/get`
-      ],
-      applicationPrivilegesResponse: {
-        [mockActions.version]: false,
-        [mockActions.login]: false,
-        [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
-      },
-      indexPrivilegesResponse: {
-        create: false,
-        delete: false,
-        read: false,
-        view_index_metadata: false,
-        [indexPrivilege]: true
+  checkPrivilegesAtSpacesTest(
+    `failure when checking for two actions at two spaces and user has two actions at one space & one action at the other`, {
+      spaceIds: ['space_1', 'space_2'],
+      privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`, `action:saved_objects/${savedObjectTypes[1]}/get`],
+      esHasPrivilegesResponse: {
+        has_all_requested: false,
+        username: 'foo-username',
+        application: {
+          [application]: {
+            'space:space_1': {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+              [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+              [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+            },
+            'space:space_2': {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+              [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+              [`action:saved_objects/${savedObjectTypes[1]}/get`]: false,
+            }
+          }
+        }
       },
       expectedResult: {
-        result: CHECK_PRIVILEGES_RESULT.LEGACY,
+        hasAllRequested: false,
         username: 'foo-username',
-        missing: [`action:saved_objects/${savedObjectTypes[0]}/get`],
-      }
+        spacePrivileges: {
+          space_1: {
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+          },
+          space_2: {
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: false,
+          }
+        }
+      },
     });
 
-    checkPrivilegesTest(`returns unauthorized if they have ${indexPrivilege} privilege on the kibana index and fallback is disabled`, {
-      settings: {
-        'xpack.security.authorization.legacyFallback.enabled': false,
+  describe('with a malformed Elasticsearch response', () => {
+    checkPrivilegesAtSpacesTest(`throws a validation error when an extra privilege is present in the response`, {
+      spaceIds: ['space_1', 'space_2'],
+      privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`],
+      esHasPrivilegesResponse: {
+        has_all_requested: false,
+        username: 'foo-username',
+        application: {
+          [application]: {
+            'space:space_1': {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+              [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+              [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+            },
+            'space:space_1': {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+              [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+            }
+          }
+        }
       },
-      username: 'foo-username',
-      privileges: [
-        `action:saved_objects/${savedObjectTypes[0]}/get`
-      ],
-      applicationPrivilegesResponse: {
-        [mockActions.version]: false,
-        [mockActions.login]: false,
-        [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+      expectErrorThrown: true,
+    });
+
+    checkPrivilegesAtSpacesTest(`throws a validation error when privileges are missing in the response`, {
+      spaceIds: ['space_1', 'space_2'],
+      privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`],
+      esHasPrivilegesResponse: {
+        has_all_requested: false,
+        username: 'foo-username',
+        application: {
+          [application]: {
+            'space:space_1': {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+            },
+            'space:space_1': {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+              [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+            }
+          }
+        }
       },
-      indexPrivilegesResponse: {
-        create: false,
-        delete: false,
-        read: false,
-        view_index_metadata: false,
-        [indexPrivilege]: true
+      expectErrorThrown: true,
+    });
+
+    checkPrivilegesAtSpacesTest(`throws a validation error when an extra space is present in the response`, {
+      spaceIds: ['space_1', 'space_2'],
+      privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`],
+      esHasPrivilegesResponse: {
+        has_all_requested: false,
+        username: 'foo-username',
+        application: {
+          [application]: {
+            'space:space_1': {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+              [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+            },
+            'space:space_2': {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+              [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+            },
+            'space:space_3': {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+              [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+            },
+          }
+        }
       },
-      expectedResult: {
-        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      expectErrorThrown: true,
+    });
+
+    checkPrivilegesAtSpacesTest(`throws a validation error when an a space is missing in the response`, {
+      spaceIds: ['space_1', 'space_2'],
+      privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`],
+      esHasPrivilegesResponse: {
+        has_all_requested: false,
         username: 'foo-username',
-        missing: [`action:saved_objects/${savedObjectTypes[0]}/get`],
-      }
+        application: {
+          [application]: {
+            'space:space_1': {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+              [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+            }
+          }
+        }
+      },
+      expectErrorThrown: true,
     });
   });
 });
 
-describe('with a malformed Elasticsearch response', () => {
-  const indexPrivilegesResponse = {
-    create: true,
-    delete: true,
-    read: true,
-    view_index_metadata: true,
+describe('#checkPrivilegesGlobally', () => {
+  const checkPrivilegesGloballyTest = (description, {
+    privilegeOrPrivileges,
+    esHasPrivilegesResponse,
+    expectedResult,
+    expectErrorThrown
+  }) => {
+    test(description, async () => {
+      const mockShieldClient = createMockShieldClient(esHasPrivilegesResponse);
+      const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockActions, application, mockShieldClient);
+      const request = Symbol();
+      const checkPrivileges = checkPrivilegesWithRequest(request);
+
+      let actualResult;
+      let errorThrown = null;
+      try {
+        actualResult = await checkPrivileges.globally(privilegeOrPrivileges);
+      } catch (err) {
+        errorThrown = err;
+      }
+
+      expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+        body: {
+          applications: [{
+            application,
+            resources: [GLOBAL_RESOURCE],
+            privileges: uniq([
+              mockActions.version,
+              mockActions.login,
+              ...Array.isArray(privilegeOrPrivileges) ? privilegeOrPrivileges : [privilegeOrPrivileges],
+            ])
+          }]
+        }
+      });
+
+      if (expectedResult) {
+        expect(errorThrown).toBeNull();
+        expect(actualResult).toEqual(expectedResult);
+      }
+
+      if (expectErrorThrown) {
+        expect(errorThrown).toMatchSnapshot();
+      }
+    });
   };
 
-  checkPrivilegesTest('throws a validation error when an extra privilege is present in the response', {
-    username: 'foo-username',
-    privileges: [
-      `action:saved_objects/${savedObjectTypes[0]}/get`,
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.version]: true,
-      [mockActions.login]: true,
-      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
-      ['oops-an-unexpected-privilege']: true,
+  checkPrivilegesGloballyTest('successful when checking for login and user has login', {
+    spaceId: 'space_1',
+    privilegeOrPrivileges: mockActions.login,
+    esHasPrivilegesResponse: {
+      has_all_requested: true,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          [GLOBAL_RESOURCE]: {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+          }
+        }
+      }
+    },
+    expectedResult: {
+      hasAllRequested: true,
+      username: 'foo-username',
+      privileges: {
+        [mockActions.login]: true
+      }
+    },
+  });
+
+  checkPrivilegesGloballyTest(`failure when checking for login and user doesn't have login`, {
+    privilegeOrPrivileges: mockActions.login,
+    esHasPrivilegesResponse: {
+      has_all_requested: false,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          [GLOBAL_RESOURCE]: {
+            [mockActions.login]: false,
+            [mockActions.version]: true,
+          }
+        }
+      }
+    },
+    expectedResult: {
+      hasAllRequested: false,
+      username: 'foo-username',
+      privileges: {
+        [mockActions.login]: false
+      }
+    },
+  });
+
+  checkPrivilegesGloballyTest(`throws error when checking for login and user has login but doesn't have version`, {
+    privilegeOrPrivileges: mockActions.login,
+    esHasPrivilegesResponse: {
+      has_all_requested: false,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          [GLOBAL_RESOURCE]: {
+            [mockActions.login]: true,
+            [mockActions.version]: false,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse,
     expectErrorThrown: true,
   });
 
-  checkPrivilegesTest('throws a validation error when privileges are missing in the response', {
-    username: 'foo-username',
-    privileges: [
-      `action:saved_objects/${savedObjectTypes[0]}/get`,
-    ],
-    applicationPrivilegesResponse: {
-      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+  checkPrivilegesGloballyTest(`throws error when Elasticsearch returns malformed response`, {
+    privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`, `action:saved_objects/${savedObjectTypes[1]}/get`],
+    esHasPrivilegesResponse: {
+      has_all_requested: false,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          [GLOBAL_RESOURCE]: {
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse,
     expectErrorThrown: true,
   });
 
-  checkPrivilegesTest('throws a validation error when an extra index privilege is present in the response', {
-    username: 'foo-username',
-    privileges: [
-      `action:saved_objects/${savedObjectTypes[0]}/get`,
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.version]: true,
-      [mockActions.login]: true,
-      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+  checkPrivilegesGloballyTest(`successful when checking for two actions and the user has both`, {
+    privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`, `action:saved_objects/${savedObjectTypes[1]}/get`],
+    esHasPrivilegesResponse: {
+      has_all_requested: true,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          [GLOBAL_RESOURCE]: {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse: {
-      ...indexPrivilegesResponse,
-      oopsAnExtraPrivilege: true,
+    expectedResult: {
+      hasAllRequested: true,
+      username: 'foo-username',
+      privileges: {
+        [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+        [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+      }
     },
-    expectErrorThrown: true,
   });
 
-  const missingIndexPrivileges = {
-    ...indexPrivilegesResponse
-  };
-  delete missingIndexPrivileges.read;
-
-  checkPrivilegesTest('throws a validation error when index privileges are missing in the response', {
-    username: 'foo-username',
-    privileges: [
-      `action:saved_objects/${savedObjectTypes[0]}/get`,
-    ],
-    applicationPrivilegesResponse: {
-      [mockActions.version]: true,
-      [mockActions.login]: true,
-      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+  checkPrivilegesGloballyTest(`failure when checking for two actions and the user has only one`, {
+    privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`, `action:saved_objects/${savedObjectTypes[1]}/get`],
+    esHasPrivilegesResponse: {
+      has_all_requested: false,
+      username: 'foo-username',
+      application: {
+        [application]: {
+          [GLOBAL_RESOURCE]: {
+            [mockActions.login]: true,
+            [mockActions.version]: true,
+            [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+            [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+          }
+        }
+      }
     },
-    indexPrivilegesResponse: missingIndexPrivileges,
-    expectErrorThrown: true,
+    expectedResult: {
+      hasAllRequested: false,
+      username: 'foo-username',
+      privileges: {
+        [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+        [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+      }
+    },
+  });
+
+  describe('with a malformed Elasticsearch response', () => {
+    checkPrivilegesGloballyTest(`throws a validation error when an extra privilege is present in the response`, {
+      privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`],
+      esHasPrivilegesResponse: {
+        has_all_requested: false,
+        username: 'foo-username',
+        application: {
+          [application]: {
+            [GLOBAL_RESOURCE]: {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+              [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+              [`action:saved_objects/${savedObjectTypes[1]}/get`]: true,
+            }
+          }
+        }
+      },
+      expectErrorThrown: true,
+    });
+
+    checkPrivilegesGloballyTest(`throws a validation error when privileges are missing in the response`, {
+      privilegeOrPrivileges: [`action:saved_objects/${savedObjectTypes[0]}/get`],
+      esHasPrivilegesResponse: {
+        has_all_requested: false,
+        username: 'foo-username',
+        application: {
+          [application]: {
+            [GLOBAL_RESOURCE]: {
+              [mockActions.login]: true,
+              [mockActions.version]: true,
+            }
+          }
+        }
+      },
+      expectErrorThrown: true,
+    });
   });
 });
diff --git a/x-pack/plugins/security/server/lib/authorization/index.js b/x-pack/plugins/security/server/lib/authorization/index.js
index e0029a3caeafd1..1fb754202832fa 100644
--- a/x-pack/plugins/security/server/lib/authorization/index.js
+++ b/x-pack/plugins/security/server/lib/authorization/index.js
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export { CHECK_PRIVILEGES_RESULT } from './check_privileges';
 export { registerPrivilegesWithCluster } from './register_privileges_with_cluster';
 export { buildPrivilegeMap } from './privileges';
-export { initAuthorizationService } from './init';
+export { createAuthorizationService } from './service';
+export { spaceApplicationPrivilegesSerializer } from './space_application_privileges_serializer';
diff --git a/x-pack/plugins/security/server/lib/authorization/mode.js b/x-pack/plugins/security/server/lib/authorization/mode.js
new file mode 100644
index 00000000000000..37800ca4e39113
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/mode.js
@@ -0,0 +1,81 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { GLOBAL_RESOURCE } from '../../../common/constants';
+import { spaceApplicationPrivilegesSerializer } from './space_application_privileges_serializer';
+
+const hasAnyPrivileges = privileges => {
+  return Object.values(privileges).some(hasPrivilege => hasPrivilege === true);
+};
+
+const hasAnyResourcePrivileges = resourcePrivileges => {
+  return Object.values(resourcePrivileges).some(resource => hasAnyPrivileges(resource));
+};
+
+export function authorizationModeFactory(
+  actions,
+  checkPrivilegesWithRequest,
+  config,
+  plugins,
+  savedObjects,
+  xpackInfoFeature
+) {
+  const useRbacForRequestCache = new WeakMap();
+
+  // TODO: This logic will change once we have the ES API to list all privileges
+  // and is not covered by unit tests currently
+  const shouldUseRbacForRequest = async (request) => {
+    if (!config.get('xpack.security.authorization.legacyFallback.enabled')) {
+      return true;
+    }
+
+    const adminCluster = plugins.elasticsearch.getCluster('admin');
+    const { callWithInternalUser } = adminCluster;
+
+    const internalSavedObjectsRepository = savedObjects.getSavedObjectsRepository(
+      callWithInternalUser
+    );
+
+    const checkPrivileges = checkPrivilegesWithRequest(request);
+    if (!plugins.spaces) {
+      const { privileges } = await checkPrivileges.globally(actions.login);
+      return hasAnyPrivileges(privileges);
+    }
+
+    const { saved_objects: spaceSavedObjects } = await internalSavedObjectsRepository.find({ type: 'space' });
+    const spaceResources = spaceSavedObjects.map(space => spaceApplicationPrivilegesSerializer.resource.serialize(space.id));
+    const allResources = [GLOBAL_RESOURCE, ...spaceResources];
+    const { resourcePrivileges } = await checkPrivileges.atResources(allResources, actions.login);
+    return hasAnyResourcePrivileges(resourcePrivileges);
+  };
+
+  const isRbacEnabled = () => xpackInfoFeature.getLicenseCheckResults().allowRbac;
+
+  return {
+    async initialize(request) {
+      if (useRbacForRequestCache.has(request)) {
+        throw new Error('Authorization mode is already intitialized');
+      }
+
+      if (!isRbacEnabled()) {
+        useRbacForRequestCache.set(request, true);
+        return;
+      }
+
+      const result = await shouldUseRbacForRequest(request);
+      useRbacForRequestCache.set(request, result);
+    },
+
+    useRbacForRequest(request) {
+      // the following can happen when the user isn't authenticated. Either true or false would work here,
+      // but we're going to go with false as this is closer to the "legacy" behavior
+      if (!useRbacForRequestCache.has(request)) {
+        return false;
+      }
+
+      return useRbacForRequestCache.get(request);
+    },
+  };
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/mode.test.js b/x-pack/plugins/security/server/lib/authorization/mode.test.js
new file mode 100644
index 00000000000000..5f14842710b561
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/mode.test.js
@@ -0,0 +1,66 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { authorizationModeFactory } from './mode';
+
+const createMockConfig = (settings) => {
+  const mockConfig = {
+    get: jest.fn()
+  };
+
+  mockConfig.get.mockImplementation(key => {
+    return settings[key];
+  });
+
+  return mockConfig;
+};
+
+const createMockXpackInfoFeature = (allowRbac) => {
+  return {
+    getLicenseCheckResults() {
+      return {
+        allowRbac
+      };
+    }
+  };
+};
+
+describe(`#initialize`, () => {
+  test(`can't be initialized twice for the same request`, async () => {
+    const mockConfig = createMockConfig();
+    const mockXpackInfoFeature = createMockXpackInfoFeature();
+    const mode = authorizationModeFactory({}, {}, mockConfig, {}, {}, mockXpackInfoFeature);
+    const request = {};
+
+    await mode.initialize(request);
+    expect(mode.initialize(request)).rejects.toThrowErrorMatchingSnapshot();
+  });
+});
+
+describe(`#useRbacForRequest`, () => {
+  test(`return false if not initialized for request`, async () => {
+    const mockConfig = createMockConfig();
+    const mockXpackInfoFeature = createMockXpackInfoFeature();
+    const mode = authorizationModeFactory({}, {}, mockConfig, {}, {}, mockXpackInfoFeature);
+    const request = {};
+
+    const result = mode.useRbacForRequest(request);
+    expect(result).toBe(false);
+  });
+
+  test(`returns true if legacy fallback is disabled`, async () => {
+    const mockConfig = createMockConfig({
+      'xpack.security.authorization.legacyFallback.enabled': false,
+    });
+    const mockXpackInfoFeature = createMockXpackInfoFeature();
+    const mode = authorizationModeFactory({}, {}, mockConfig, {}, {}, mockXpackInfoFeature);
+    const request = {};
+
+    await mode.initialize(request);
+    const result = mode.useRbacForRequest(request);
+    expect(result).toBe(true);
+  });
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/privileges.js b/x-pack/plugins/security/server/lib/authorization/privileges.js
index 6f64871ed75566..7e9f53f873a0d0 100644
--- a/x-pack/plugins/security/server/lib/authorization/privileges.js
+++ b/x-pack/plugins/security/server/lib/authorization/privileges.js
@@ -4,9 +4,12 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export function buildPrivilegeMap(savedObjectTypes, application, actions) {
+import { IGNORED_TYPES } from '../../../common/constants';
+
+export function buildPrivilegeMap(savedObjectTypes, actions) {
   const buildSavedObjectsActions = (savedObjectActions) => {
     return savedObjectTypes
+      .filter(type => !IGNORED_TYPES.includes(type))
       .map(type => savedObjectActions.map(savedObjectAction => actions.getSavedObjectAction(type, savedObjectAction)))
       .reduce((acc, types) => [...acc, ...types], []);
   };
@@ -14,21 +17,43 @@ export function buildPrivilegeMap(savedObjectTypes, application, actions) {
   // the following list of privileges should only be added to, you can safely remove actions, but not privileges as
   // it's a backwards compatibility issue and we'll have to at least adjust registerPrivilegesWithCluster to support it
   return {
-    all: {
-      application,
-      name: 'all',
-      actions: [actions.version, 'action:*'],
-      metadata: {}
+    global: {
+      all: [
+        actions.version,
+        'action:*'
+      ],
+      read: [
+        actions.version,
+        actions.login,
+        ...buildSavedObjectsActions([
+          'get',
+          'bulk_get',
+          'find'
+        ])
+      ],
+    },
+    space: {
+      all: [
+        actions.version,
+        actions.login,
+        ...buildSavedObjectsActions([
+          'create',
+          'bulk_create',
+          'delete',
+          'get',
+          'bulk_get',
+          'find',
+          'update'
+        ])
+      ],
+      read: [
+        actions.version,
+        actions.login,
+        ...buildSavedObjectsActions([
+          'get',
+          'bulk_get',
+          'find'])
+      ],
     },
-    read: {
-      application,
-      name: 'read',
-      actions: [actions.version, actions.login, ...buildSavedObjectsActions(['get', 'bulk_get', 'find'])],
-      metadata: {}
-    }
   };
 }
-
-export function buildLegacyIndexPrivileges() {
-  return ['create', 'delete', 'read', 'view_index_metadata'];
-}
diff --git a/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js
index 826cdab4b42040..6845dd7590e2de 100644
--- a/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js
+++ b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js
@@ -7,6 +7,33 @@
 import { difference, isEmpty, isEqual } from 'lodash';
 import { buildPrivilegeMap } from './privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
+import { spaceApplicationPrivilegesSerializer } from './space_application_privileges_serializer';
+
+const serializePrivileges = (application, privilegeMap) => {
+  return {
+    [application]: {
+      ...Object.entries(privilegeMap.global).reduce((acc, [privilegeName, privilegeActions]) => {
+        acc[privilegeName] = {
+          application,
+          name: privilegeName,
+          actions: privilegeActions,
+          metadata: {},
+        };
+        return acc;
+      }, {}),
+      ...Object.entries(privilegeMap.space).reduce((acc, [privilegeName, privilegeActions]) => {
+        const name = spaceApplicationPrivilegesSerializer.privilege.serialize(privilegeName);
+        acc[name] = {
+          application,
+          name,
+          actions: privilegeActions,
+          metadata: {},
+        };
+        return acc;
+      }, {})
+    }
+  };
+};
 
 export async function registerPrivilegesWithCluster(server) {
 
@@ -14,6 +41,16 @@ export async function registerPrivilegesWithCluster(server) {
   const { types: savedObjectTypes } = server.savedObjects;
   const { actions, application } = authorization;
 
+  const arePrivilegesEqual = (existingPrivileges, expectedPrivileges) => {
+    // when comparing privileges, the order of the actions doesn't matter, lodash's isEqual
+    // doesn't know how to compare Sets
+    return isEqual(existingPrivileges, expectedPrivileges, (value, other, key) => {
+      if (key === 'actions' && Array.isArray(value) && Array.isArray(other)) {
+        return isEqual(value.sort(), other.sort());
+      }
+    });
+  };
+
   const shouldRemovePrivileges = (existingPrivileges, expectedPrivileges) => {
     if (isEmpty(existingPrivileges)) {
       return false;
@@ -22,9 +59,8 @@ export async function registerPrivilegesWithCluster(server) {
     return difference(Object.keys(existingPrivileges[application]), Object.keys(expectedPrivileges[application])).length > 0;
   };
 
-  const expectedPrivileges = {
-    [application]: buildPrivilegeMap(savedObjectTypes, application, actions)
-  };
+  const privilegeMap = buildPrivilegeMap(savedObjectTypes, actions);
+  const expectedPrivileges = serializePrivileges(application, privilegeMap);
 
   server.log(['security', 'debug'], `Registering Kibana Privileges with Elasticsearch for ${application}`);
 
@@ -34,7 +70,7 @@ export async function registerPrivilegesWithCluster(server) {
     // we only want to post the privileges when they're going to change as Elasticsearch has
     // to clear the role cache to get these changes reflected in the _has_privileges API
     const existingPrivileges = await callCluster(`shield.getPrivilege`, { privilege: application });
-    if (isEqual(existingPrivileges, expectedPrivileges)) {
+    if (arePrivilegesEqual(existingPrivileges, expectedPrivileges)) {
       server.log(['security', 'debug'], `Kibana Privileges already registered with Elasticearch for ${application}`);
       return;
     }
diff --git a/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js
index f326d85fdeee3f..b2a391aa495734 100644
--- a/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js
@@ -14,10 +14,12 @@ jest.mock('./privileges', () => ({
   buildPrivilegeMap: jest.fn(),
 }));
 
+const application = 'default-application';
+
 const registerPrivilegesWithClusterTest = (description, {
   settings = {},
   savedObjectTypes,
-  expectedPrivileges,
+  privilegeMap,
   existingPrivileges,
   throwErrorWhenGettingPrivileges,
   throwErrorWhenPuttingPrivileges,
@@ -32,7 +34,6 @@ const registerPrivilegesWithClusterTest = (description, {
   };
 
   const defaultVersion = 'default-version';
-  const application = 'default-application';
 
   const createMockServer = () => {
     const mockServer = {
@@ -65,8 +66,8 @@ const registerPrivilegesWithClusterTest = (description, {
     return mockServer;
   };
 
-  const createExpectUpdatedPrivileges = (mockServer, mockCallWithInternalUser, privileges, error) => {
-    return () => {
+  const createExpectUpdatedPrivileges = (mockServer, mockCallWithInternalUser, error) => {
+    return (postPrivilegesBody) => {
       expect(error).toBeUndefined();
       expect(mockCallWithInternalUser).toHaveBeenCalledTimes(2);
       expect(mockCallWithInternalUser).toHaveBeenCalledWith('shield.getPrivilege', {
@@ -75,9 +76,7 @@ const registerPrivilegesWithClusterTest = (description, {
       expect(mockCallWithInternalUser).toHaveBeenCalledWith(
         'shield.postPrivileges',
         {
-          body: {
-            [application]: privileges
-          },
+          body: postPrivilegesBody,
         }
       );
 
@@ -137,9 +136,7 @@ const registerPrivilegesWithClusterTest = (description, {
           return {};
         }
 
-        return {
-          [application]: existingPrivileges
-        };
+        return existingPrivileges;
       })
       .mockImplementationOnce(async () => {
         if (throwErrorWhenPuttingPrivileges) {
@@ -147,7 +144,7 @@ const registerPrivilegesWithClusterTest = (description, {
         }
       });
 
-    buildPrivilegeMap.mockReturnValue(expectedPrivileges);
+    buildPrivilegeMap.mockReturnValue(privilegeMap);
 
     let error;
     try {
@@ -157,7 +154,7 @@ const registerPrivilegesWithClusterTest = (description, {
     }
 
     assert({
-      expectUpdatedPrivileges: createExpectUpdatedPrivileges(mockServer, mockCallWithInternalUser, expectedPrivileges, error),
+      expectUpdatedPrivileges: createExpectUpdatedPrivileges(mockServer, mockCallWithInternalUser, error),
       expectDidntUpdatePrivileges: createExpectDidntUpdatePrivileges(mockServer, mockCallWithInternalUser, error),
       expectErrorThrown: createExpectErrorThrown(mockServer, error),
       mocks: {
@@ -168,10 +165,7 @@ const registerPrivilegesWithClusterTest = (description, {
   });
 };
 
-registerPrivilegesWithClusterTest(`passes saved object types, application and actions to buildPrivilegeMap`, {
-  settings: {
-    'pkg.version': 'foo-version'
-  },
+registerPrivilegesWithClusterTest(`passes saved object types, and actions to buildPrivilegeMap`, {
   savedObjectTypes: [
     'foo-type',
     'bar-type',
@@ -179,146 +173,249 @@ registerPrivilegesWithClusterTest(`passes saved object types, application and ac
   assert: ({ mocks }) => {
     expect(mocks.buildPrivilegeMap).toHaveBeenCalledWith(
       ['foo-type', 'bar-type'],
-      mocks.server.plugins.security.authorization.application,
       mocks.server.plugins.security.authorization.actions,
     );
   },
 });
 
 registerPrivilegesWithClusterTest(`inserts privileges when we don't have any existing privileges`, {
-  expectedPrivileges: {
-    expected: true
+  privilegeMap: {
+    global: {
+      foo: ['action:foo']
+    },
+    space: {
+      bar: ['action:bar']
+    }
   },
   existingPrivileges: null,
   assert: ({ expectUpdatedPrivileges }) => {
-    expectUpdatedPrivileges();
-  }
-});
-
-registerPrivilegesWithClusterTest(`updates privileges when simple top-level privileges values don't match`, {
-  expectedPrivileges: {
-    expected: true
-  },
-  existingPrivileges: {
-    expected: false
-  },
-  assert: ({ expectUpdatedPrivileges }) => {
-    expectUpdatedPrivileges();
-  }
-});
-
-registerPrivilegesWithClusterTest(`throws error when we have two different top-level privileges`, {
-  expectedPrivileges: {
-    notExpected: true
-  },
-  existingPrivileges: {
-    expected: true
-  },
-  assert: ({ expectErrorThrown }) => {
-    expectErrorThrown(`Privileges are missing and can't be removed, currently.`);
-  }
-});
-
-registerPrivilegesWithClusterTest(`updates privileges when we want to add a top-level privilege`, {
-  expectedPrivileges: {
-    expected: true,
-    new: false,
-  },
-  existingPrivileges: {
-    expected: true,
-  },
-  assert: ({ expectUpdatedPrivileges }) => {
-    expectUpdatedPrivileges();
+    expectUpdatedPrivileges({
+      [application]: {
+        foo: {
+          application,
+          name: 'foo',
+          actions: ['action:foo'],
+          metadata: {},
+        },
+        space_bar: {
+          application,
+          name: 'space_bar',
+          actions: ['action:bar'],
+          metadata: {},
+        }
+      }
+    });
   }
 });
 
-registerPrivilegesWithClusterTest(`updates privileges when nested privileges values don't match`, {
-  expectedPrivileges: {
-    kibana: {
-      expected: true
+registerPrivilegesWithClusterTest(`throws error when we should be removing privilege`, {
+  privilegeMap: {
+    global: {
+      foo: ['action:foo'],
+    },
+    space: {
+      bar: ['action:bar']
     }
   },
   existingPrivileges: {
-    kibana: {
-      expected: false
+    [application]: {
+      foo: {
+        application,
+        name: 'foo',
+        actions: ['action:not-foo'],
+        metadata: {},
+      },
+      quz: {
+        application,
+        name: 'quz',
+        actions: ['action:not-quz'],
+        metadata: {},
+      },
+      space_bar: {
+        application,
+        name: 'space_bar',
+        actions: ['action:not-bar'],
+        metadata: {},
+      }
     }
   },
-  assert: ({ expectUpdatedPrivileges }) => {
-    expectUpdatedPrivileges();
+  assert: ({ expectErrorThrown }) => {
+    expectErrorThrown(`Privileges are missing and can't be removed, currently.`);
   }
 });
 
-registerPrivilegesWithClusterTest(`updates privileges when we have two different nested privileges`, {
-  expectedPrivileges: {
-    kibana: {
-      notExpected: true
+registerPrivilegesWithClusterTest(`updates privileges when actions don't match`, {
+  privilegeMap: {
+    global: {
+      foo: ['action:foo']
+    },
+    space: {
+      bar: ['action:bar']
     }
   },
   existingPrivileges: {
-    kibana: {
-      expected: false
+    [application]: {
+      foo: {
+        application,
+        name: 'foo',
+        actions: ['action:not-foo'],
+        metadata: {},
+      },
+      space_bar: {
+        application,
+        name: 'space_bar',
+        actions: ['action:not-bar'],
+        metadata: {},
+      }
     }
   },
   assert: ({ expectUpdatedPrivileges }) => {
-    expectUpdatedPrivileges();
+    expectUpdatedPrivileges({
+      [application]: {
+        foo: {
+          application,
+          name: 'foo',
+          actions: ['action:foo'],
+          metadata: {},
+        },
+        space_bar: {
+          application,
+          name: 'space_bar',
+          actions: ['action:bar'],
+          metadata: {},
+        }
+      }
+    });
   }
 });
 
-registerPrivilegesWithClusterTest(`updates privileges when nested privileges arrays don't match`, {
-  expectedPrivileges: {
-    kibana: {
-      expected: ['one', 'two']
+registerPrivilegesWithClusterTest(`updates privileges when global privilege added`, {
+  privilegeMap: {
+    global: {
+      foo: ['action:foo'],
+      quz: ['action:quz']
+    },
+    space: {
+      bar: ['action:bar']
     }
   },
   existingPrivileges: {
-    kibana: {
-      expected: ['one']
+    [application]: {
+      foo: {
+        application,
+        name: 'foo',
+        actions: ['action:not-foo'],
+        metadata: {},
+      },
+      space_bar: {
+        application,
+        name: 'space_bar',
+        actions: ['action:not-bar'],
+        metadata: {},
+      }
     }
   },
   assert: ({ expectUpdatedPrivileges }) => {
-    expectUpdatedPrivileges();
+    expectUpdatedPrivileges({
+      [application]: {
+        foo: {
+          application,
+          name: 'foo',
+          actions: ['action:foo'],
+          metadata: {},
+        },
+        quz: {
+          application,
+          name: 'quz',
+          actions: ['action:quz'],
+          metadata: {},
+        },
+        space_bar: {
+          application,
+          name: 'space_bar',
+          actions: ['action:bar'],
+          metadata: {},
+        }
+      }
+    });
   }
 });
 
-registerPrivilegesWithClusterTest(`updates privileges when nested property array values are reordered`, {
-  expectedPrivileges: {
-    kibana: {
-      foo: ['one', 'two']
+registerPrivilegesWithClusterTest(`updates privileges when space privilege added`, {
+  privilegeMap: {
+    global: {
+      foo: ['action:foo'],
+    },
+    space: {
+      bar: ['action:bar'],
+      quz: ['action:quz']
     }
   },
   existingPrivileges: {
-    kibana: {
-      foo: ['two', 'one']
+    [application]: {
+      foo: {
+        application,
+        name: 'foo',
+        actions: ['action:not-foo'],
+        metadata: {},
+      },
+      space_bar: {
+        application,
+        name: 'space_bar',
+        actions: ['action:not-bar'],
+        metadata: {},
+      }
     }
   },
   assert: ({ expectUpdatedPrivileges }) => {
-    expectUpdatedPrivileges();
-  }
-});
-
-registerPrivilegesWithClusterTest(`doesn't update privileges when simple top-level privileges match`, {
-  expectedPrivileges: {
-    expected: true
-  },
-  existingPrivileges: {
-    expected: true
-  },
-  assert: ({ expectDidntUpdatePrivileges }) => {
-    expectDidntUpdatePrivileges();
+    expectUpdatedPrivileges({
+      [application]: {
+        foo: {
+          application,
+          name: 'foo',
+          actions: ['action:foo'],
+          metadata: {},
+        },
+        space_bar: {
+          application,
+          name: 'space_bar',
+          actions: ['action:bar'],
+          metadata: {},
+        },
+        space_quz: {
+          application,
+          name: 'space_quz',
+          actions: ['action:quz'],
+          metadata: {},
+        },
+      }
+    });
   }
 });
 
-registerPrivilegesWithClusterTest(`doesn't update privileges when nested properties are reordered`, {
-  expectedPrivileges: {
-    kibana: {
-      foo: true,
-      bar: false
+registerPrivilegesWithClusterTest(`doesn't update privileges when order of actions differ`, {
+  privilegeMap: {
+    global: {
+      foo: ['action:foo', 'action:quz']
+    },
+    space: {
+      bar: ['action:bar']
     }
   },
   existingPrivileges: {
-    kibana: {
-      bar: false,
-      foo: true
+    [application]: {
+      foo: {
+        application,
+        name: 'foo',
+        actions: ['action:quz', 'action:foo'],
+        metadata: {},
+      },
+      space_bar: {
+        application,
+        name: 'space_bar',
+        actions: ['action:bar'],
+        metadata: {},
+      }
     }
   },
   assert: ({ expectDidntUpdatePrivileges }) => {
@@ -327,6 +424,10 @@ registerPrivilegesWithClusterTest(`doesn't update privileges when nested propert
 });
 
 registerPrivilegesWithClusterTest(`throws and logs error when errors getting privileges`, {
+  privilegeMap: {
+    global: {},
+    space: {}
+  },
   throwErrorWhenGettingPrivileges: new Error('Error getting privileges'),
   assert: ({ expectErrorThrown }) => {
     expectErrorThrown('Error getting privileges');
@@ -334,18 +435,15 @@ registerPrivilegesWithClusterTest(`throws and logs error when errors getting pri
 });
 
 registerPrivilegesWithClusterTest(`throws and logs error when errors putting privileges`, {
-  expectedPrivileges: {
-    kibana: {
-      foo: false,
-      bar: false
-    }
-  },
-  existingPrivileges: {
-    kibana: {
-      foo: true,
-      bar: true
+  privilegeMap: {
+    global: {
+      foo: []
+    },
+    space: {
+      bar: []
     }
   },
+  existingPrivileges: null,
   throwErrorWhenPuttingPrivileges: new Error('Error putting privileges'),
   assert: ({ expectErrorThrown }) => {
     expectErrorThrown('Error putting privileges');
diff --git a/x-pack/plugins/security/server/lib/authorization/init.js b/x-pack/plugins/security/server/lib/authorization/service.js
similarity index 58%
rename from x-pack/plugins/security/server/lib/authorization/init.js
rename to x-pack/plugins/security/server/lib/authorization/service.js
index f99bf6d25d26fe..1d02330b9b199c 100644
--- a/x-pack/plugins/security/server/lib/authorization/init.js
+++ b/x-pack/plugins/security/server/lib/authorization/service.js
@@ -5,20 +5,30 @@
  */
 
 import { actionsFactory } from './actions';
+import { authorizationModeFactory } from './mode';
 import { checkPrivilegesWithRequestFactory } from './check_privileges';
-import { deepFreeze } from './deep_freeze';
 import { getClient } from '../../../../../server/lib/get_client_shield';
 
-export function initAuthorizationService(server) {
+export function createAuthorizationService(server, xpackInfoFeature) {
   const shieldClient = getClient(server);
   const config = server.config();
 
   const actions = actionsFactory(config);
   const application = `kibana-${config.get('kibana.index')}`;
+  const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(actions, application, shieldClient);
+  const mode = authorizationModeFactory(
+    actions,
+    checkPrivilegesWithRequest,
+    config,
+    server.plugins,
+    server.savedObjects,
+    xpackInfoFeature
+  );
 
-  server.expose('authorization', deepFreeze({
+  return {
     actions,
     application,
-    checkPrivilegesWithRequest: checkPrivilegesWithRequestFactory(shieldClient, config, actions, application),
-  }));
+    checkPrivilegesWithRequest,
+    mode,
+  };
 }
diff --git a/x-pack/plugins/security/server/lib/authorization/init.test.js b/x-pack/plugins/security/server/lib/authorization/service.test.js
similarity index 60%
rename from x-pack/plugins/security/server/lib/authorization/init.test.js
rename to x-pack/plugins/security/server/lib/authorization/service.test.js
index d70e08934c131f..f0bfe46c35b7c5 100644
--- a/x-pack/plugins/security/server/lib/authorization/init.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/service.test.js
@@ -4,10 +4,11 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { initAuthorizationService } from './init';
+import { createAuthorizationService } from './service';
 import { actionsFactory } from './actions';
 import { checkPrivilegesWithRequestFactory } from './check_privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
+import { authorizationModeFactory } from './mode';
 
 jest.mock('./check_privileges', () => ({
   checkPrivilegesWithRequestFactory: jest.fn(),
@@ -21,6 +22,10 @@ jest.mock('./actions', () => ({
   actionsFactory: jest.fn(),
 }));
 
+jest.mock('./mode', () => ({
+  authorizationModeFactory: jest.fn(),
+}));
+
 const createMockConfig = (settings = {}) => {
   const mockConfig = {
     get: jest.fn()
@@ -38,7 +43,9 @@ test(`calls server.expose with exposed services`, () => {
   });
   const mockServer = {
     expose: jest.fn(),
-    config: jest.fn().mockReturnValue(mockConfig)
+    config: jest.fn().mockReturnValue(mockConfig),
+    plugins: Symbol(),
+    savedObjects: Symbol(),
   };
   const mockShieldClient = Symbol();
   getClient.mockReturnValue(mockShieldClient);
@@ -47,37 +54,20 @@ test(`calls server.expose with exposed services`, () => {
   const mockActions = Symbol();
   actionsFactory.mockReturnValue(mockActions);
   mockConfig.get.mock;
+  const mockXpackInfoFeature = Symbol();
 
-  initAuthorizationService(mockServer);
+  createAuthorizationService(mockServer, mockXpackInfoFeature);
 
   const application = `kibana-${kibanaIndex}`;
   expect(getClient).toHaveBeenCalledWith(mockServer);
   expect(actionsFactory).toHaveBeenCalledWith(mockConfig);
-  expect(checkPrivilegesWithRequestFactory).toHaveBeenCalledWith(mockShieldClient, mockConfig, mockActions, application);
-  expect(mockServer.expose).toHaveBeenCalledWith('authorization', {
-    actions: mockActions,
-    application,
-    checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
-  });
-});
-
-test(`deep freezes exposed service`, () => {
-  const mockConfig = createMockConfig({
-    'kibana.index': ''
-  });
-  const mockServer = {
-    expose: jest.fn(),
-    config: jest.fn().mockReturnValue(mockConfig)
-  };
-  actionsFactory.mockReturnValue({
-    login: 'login',
-  });
-
-  initAuthorizationService(mockServer);
-
-  const exposed = mockServer.expose.mock.calls[0][1];
-  expect(() => delete exposed.checkPrivilegesWithRequest).toThrowErrorMatchingSnapshot();
-  expect(() => exposed.foo = 'bar').toThrowErrorMatchingSnapshot();
-  expect(() => exposed.actions.login = 'not-login').toThrowErrorMatchingSnapshot();
-  expect(() => exposed.application = 'changed').toThrowErrorMatchingSnapshot();
+  expect(checkPrivilegesWithRequestFactory).toHaveBeenCalledWith(mockActions, application, mockShieldClient);
+  expect(authorizationModeFactory).toHaveBeenCalledWith(
+    mockActions,
+    mockCheckPrivilegesWithRequest,
+    mockConfig,
+    mockServer.plugins,
+    mockServer.savedObjects,
+    mockXpackInfoFeature,
+  );
 });
diff --git a/x-pack/plugins/security/server/lib/authorization/space_application_privileges_serializer.js b/x-pack/plugins/security/server/lib/authorization/space_application_privileges_serializer.js
new file mode 100644
index 00000000000000..2906f07e9f5ce4
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/space_application_privileges_serializer.js
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+const privilegePrefix = `space_`;
+const resourcePrefix = `space:`;
+
+export const spaceApplicationPrivilegesSerializer = {
+  privilege: {
+    serialize(privilege) {
+      return `${privilegePrefix}${privilege}`;
+    },
+    deserialize(privilege) {
+      if (!privilege.startsWith(privilegePrefix)) {
+        throw new Error(`Space privilege should have started with ${privilegePrefix}`);
+      }
+
+      return privilege.slice(privilegePrefix.length);
+    },
+  },
+  resource: {
+    serialize(spaceId) {
+      return `${resourcePrefix}${spaceId}`;
+    },
+    deserialize(resource) {
+      if (!resource.startsWith(resourcePrefix)) {
+        throw new Error(`Resource should have started with ${resourcePrefix}`);
+      }
+
+      return resource.slice(resourcePrefix.length);
+    }
+  },
+};
diff --git a/x-pack/plugins/security/server/lib/authorization/space_application_privileges_serializer.test.js b/x-pack/plugins/security/server/lib/authorization/space_application_privileges_serializer.test.js
new file mode 100644
index 00000000000000..2277d09e498db7
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/space_application_privileges_serializer.test.js
@@ -0,0 +1,51 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { spaceApplicationPrivilegesSerializer } from './space_application_privileges_serializer';
+
+describe('#privilege', () => {
+  describe('#serialize', () => {
+    test(`prepends privilege with space_`, () => {
+      const result = spaceApplicationPrivilegesSerializer.privilege.serialize('all');
+      expect(result).toBe('space_all');
+    });
+  });
+
+  describe('#deserialize', () => {
+    test(`throws error if privilege doesn't start with space_`, () => {
+      expect(
+        () => spaceApplicationPrivilegesSerializer.privilege.deserialize('foo_space_all')
+      ).toThrowErrorMatchingSnapshot();
+    });
+
+    test(`removes space_ from the start`, () => {
+      const result = spaceApplicationPrivilegesSerializer.privilege.deserialize('space_all');
+      expect(result).toBe('all');
+    });
+  });
+});
+
+describe('#resource', () => {
+  describe('#serialize', () => {
+    test(`prepends resource with space:`, () => {
+      const result = spaceApplicationPrivilegesSerializer.resource.serialize('marketing');
+      expect(result).toBe('space:marketing');
+    });
+  });
+
+  describe('#deserialize', () => {
+    test(`throws error if resource doesn't start with space:`, () => {
+      expect(
+        () => spaceApplicationPrivilegesSerializer.resource.deserialize('foo:space:something')
+      ).toThrowErrorMatchingSnapshot();
+    });
+
+    test(`removes space: from the start`, () => {
+      const result = spaceApplicationPrivilegesSerializer.resource.deserialize('space:marketing');
+      expect(result).toBe('marketing');
+    });
+  });
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/validate_es_response.js b/x-pack/plugins/security/server/lib/authorization/validate_es_response.js
index 34d618398bc3d3..2819983cf43c8b 100644
--- a/x-pack/plugins/security/server/lib/authorization/validate_es_response.js
+++ b/x-pack/plugins/security/server/lib/authorization/validate_es_response.js
@@ -5,19 +5,9 @@
  */
 
 import Joi from 'joi';
-import { buildLegacyIndexPrivileges } from './privileges';
 
-const legacyIndexPrivilegesSchema = Joi.object({
-  ...buildLegacyIndexPrivileges().reduce((acc, privilege) => {
-    return {
-      ...acc,
-      [privilege]: Joi.bool().required()
-    };
-  }, {})
-}).required();
-
-export function validateEsPrivilegeResponse(response, application, actions, resources, kibanaIndex) {
-  const schema = buildValidationSchema(application, actions, resources, kibanaIndex);
+export function validateEsPrivilegeResponse(response, application, actions, resources) {
+  const schema = buildValidationSchema(application, actions, resources);
   const { error, value } = schema.validate(response);
 
   if (error) {
@@ -38,7 +28,7 @@ function buildActionsValidationSchema(actions) {
   }).required();
 }
 
-function buildValidationSchema(application, actions, resources, kibanaIndex) {
+function buildValidationSchema(application, actions, resources) {
 
   const actionValidationSchema = buildActionsValidationSchema(actions);
 
@@ -58,8 +48,6 @@ function buildValidationSchema(application, actions, resources, kibanaIndex) {
     application: Joi.object({
       [application]: resourceValidationSchema,
     }).required(),
-    index: Joi.object({
-      [kibanaIndex]: legacyIndexPrivilegesSchema
-    }).required()
+    index: Joi.object(),
   }).required();
 }
diff --git a/x-pack/plugins/security/server/lib/authorization/validate_es_response.test.js b/x-pack/plugins/security/server/lib/authorization/validate_es_response.test.js
index f3dbad1b56ac95..a7fba14229de28 100644
--- a/x-pack/plugins/security/server/lib/authorization/validate_es_response.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/validate_es_response.test.js
@@ -5,11 +5,10 @@
  */
 
 import { validateEsPrivilegeResponse } from "./validate_es_response";
-import { buildLegacyIndexPrivileges } from "./privileges";
 
-const resource = 'foo-resource';
+const resource1 = 'foo-resource';
+const resource2 = 'bar-resource';
 const application = 'foo-application';
-const kibanaIndex = '.kibana';
 
 const commonResponse = {
   username: 'user',
@@ -17,31 +16,27 @@ const commonResponse = {
 };
 
 describe('validateEsPrivilegeResponse', () => {
-  const legacyIndexResponse = {
-    [kibanaIndex]: {
-      'create': true,
-      'delete': true,
-      'read': true,
-      'view_index_metadata': true,
-    }
-  };
 
   it('should validate a proper response', () => {
     const response = {
       ...commonResponse,
       application: {
         [application]: {
-          [resource]: {
+          [resource1]: {
+            action1: true,
+            action2: true,
+            action3: true
+          },
+          [resource2]: {
             action1: true,
             action2: true,
             action3: true
           }
         }
-      },
-      index: legacyIndexResponse
+      }
     };
 
-    const result = validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex);
+    const result = validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource1, resource2]);
     expect(result).toEqual(response);
   });
 
@@ -50,17 +45,21 @@ describe('validateEsPrivilegeResponse', () => {
       ...commonResponse,
       application: {
         [application]: {
-          [resource]: {
+          [resource1]: {
             action1: true,
             action3: true
+          },
+          [resource2]: {
+            action1: true,
+            action2: true,
+            action3: true
           }
         }
-      },
-      index: legacyIndexResponse
+      }
     };
 
     expect(() =>
-      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource1, resource2])
     ).toThrowErrorMatchingSnapshot();
   });
 
@@ -69,19 +68,23 @@ describe('validateEsPrivilegeResponse', () => {
       ...commonResponse,
       application: {
         [application]: {
-          [resource]: {
+          [resource1]: {
             action1: true,
             action2: true,
             action3: true,
             action4: true,
+          },
+          [resource2]: {
+            action1: true,
+            action2: true,
+            action3: true
           }
         }
-      },
-      index: legacyIndexResponse
+      }
     };
 
     expect(() =>
-      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource1, resource2])
     ).toThrowErrorMatchingSnapshot();
   });
 
@@ -90,18 +93,22 @@ describe('validateEsPrivilegeResponse', () => {
       ...commonResponse,
       application: {
         [application]: {
-          [resource]: {
+          [resource1]: {
             action1: true,
             action2: true,
             action3: 'not a boolean',
+          },
+          [resource2]: {
+            action1: true,
+            action2: true,
+            action3: true,
           }
         }
       },
-      index: legacyIndexResponse
     };
 
     expect(() =>
-      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource1, resource2])
     ).toThrowErrorMatchingSnapshot();
   });
 
@@ -110,25 +117,34 @@ describe('validateEsPrivilegeResponse', () => {
       ...commonResponse,
       application: {
         [application]: {
-          [resource]: {
+          [resource1]: {
+            action1: true,
+            action2: true,
+            action3: true,
+          },
+          [resource2]: {
             action1: true,
             action2: true,
             action3: true,
           }
         },
         otherApplication: {
-          [resource]: {
+          [resource1]: {
+            action1: true,
+            action2: true,
+            action3: true,
+          },
+          [resource2]: {
             action1: true,
             action2: true,
             action3: true,
           }
         }
       },
-      index: legacyIndexResponse
     };
 
     expect(() =>
-      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource1, resource2])
     ).toThrowErrorMatchingSnapshot();
   });
 
@@ -136,11 +152,10 @@ describe('validateEsPrivilegeResponse', () => {
     const response = {
       ...commonResponse,
       application: {},
-      index: legacyIndexResponse
     };
 
     expect(() =>
-      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource1, resource2])
     ).toThrowErrorMatchingSnapshot();
   });
 
@@ -151,21 +166,40 @@ describe('validateEsPrivilegeResponse', () => {
     };
 
     expect(() =>
-      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource1, resource2])
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when an expected resource property is missing from the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource1]: {
+            action1: true,
+            action2: true,
+            action3: true,
+          },
+        }
+      },
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource1, resource2])
     ).toThrowErrorMatchingSnapshot();
   });
 
-  it('fails validation when the expected resource property is missing from the response', () => {
+  it('fails validation when there are no resource properties in the response', () => {
     const response = {
       ...commonResponse,
       application: {
-        [application]: {}
+        [application]: {
+        }
       },
-      index: legacyIndexResponse
     };
 
     expect(() =>
-      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource1, resource2])
     ).toThrowErrorMatchingSnapshot();
   });
 
@@ -174,6 +208,11 @@ describe('validateEsPrivilegeResponse', () => {
       ...commonResponse,
       application: {
         [application]: {
+          [resource1]: {
+            action1: true,
+            action2: true,
+            action3: true,
+          },
           'other-resource': {
             action1: true,
             action2: true,
@@ -181,11 +220,10 @@ describe('validateEsPrivilegeResponse', () => {
           }
         }
       },
-      index: legacyIndexResponse
     };
 
     expect(() =>
-      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource1, resource2])
     ).toThrowErrorMatchingSnapshot();
   });
 
@@ -194,164 +232,18 @@ describe('validateEsPrivilegeResponse', () => {
       ...commonResponse,
       application: {
         [application]: {
-          [resource]: 'not-an-object'
+          [resource1]: 'not-an-object',
+          [resource2]: {
+            action1: true,
+            action2: true,
+            action3: true,
+          },
         }
       },
-      index: legacyIndexResponse
     };
 
     expect(() =>
-      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource1, resource2])
     ).toThrowErrorMatchingSnapshot();
   });
-
-  describe('legacy', () => {
-    it('should validate a proper response', () => {
-      const response = {
-        ...commonResponse,
-        application: {
-          [application]: {
-            [resource]: {
-              action1: true
-            }
-          }
-        },
-        index: legacyIndexResponse
-      };
-
-      const result = validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex);
-      expect(result).toEqual(response);
-    });
-
-    it('should fail if the index property is missing', () => {
-      const response = {
-        ...commonResponse,
-        application: {
-          [application]: {
-            [resource]: {
-              action1: true
-            }
-          }
-        }
-      };
-
-      expect(() =>
-        validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
-      ).toThrowErrorMatchingSnapshot();
-    });
-
-    it('should fail if the kibana index is missing from the response', () => {
-      const response = {
-        ...commonResponse,
-        application: {
-          [application]: {
-            [resource]: {
-              action1: true
-            }
-          }
-        },
-        index: {}
-      };
-
-      expect(() =>
-        validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
-      ).toThrowErrorMatchingSnapshot();
-    });
-
-    it('should fail if the index privilege response returns an extra index', () => {
-      const response = {
-        ...commonResponse,
-        application: {
-          [application]: {
-            [resource]: {
-              action1: true
-            }
-          }
-        },
-        index: {
-          ...legacyIndexResponse,
-          'anotherIndex': {
-            foo: true
-          }
-        }
-      };
-
-      expect(() =>
-        validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
-      ).toThrowErrorMatchingSnapshot();
-    });
-
-    it('should fail if the index privilege response contains an extra privilege', () => {
-      const response = {
-        ...commonResponse,
-        application: {
-          [application]: {
-            [resource]: {
-              action1: true
-            }
-          }
-        },
-        index: {
-          [kibanaIndex]: {
-            ...legacyIndexResponse[kibanaIndex],
-            'foo-permission': true
-          }
-        }
-      };
-
-      expect(() =>
-        validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
-      ).toThrowErrorMatchingSnapshot();
-    });
-
-    buildLegacyIndexPrivileges().forEach(privilege => {
-      test(`should fail if the ${privilege} index privilege is missing from the response`, () => {
-        const response = {
-          ...commonResponse,
-          application: {
-            [application]: {
-              [resource]: {
-                action1: true
-              }
-            }
-          },
-          index: {
-            [kibanaIndex]: {
-              ...legacyIndexResponse[kibanaIndex]
-            }
-          }
-        };
-
-        delete response.index[kibanaIndex][privilege];
-
-        expect(() =>
-          validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
-        ).toThrowErrorMatchingSnapshot();
-      });
-
-      test(`should fail if the ${privilege} index privilege is malformed`, () => {
-        const response = {
-          ...commonResponse,
-          application: {
-            [application]: {
-              [resource]: {
-                action1: true
-              }
-            }
-          },
-          index: {
-            [kibanaIndex]: {
-              ...legacyIndexResponse[kibanaIndex]
-            }
-          }
-        };
-
-        response.index[kibanaIndex][privilege] = 'not a boolean';
-
-        expect(() =>
-          validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
-        ).toThrowErrorMatchingSnapshot();
-      });
-    });
-  });
 });
diff --git a/x-pack/plugins/security/server/lib/authorization/deep_freeze.js b/x-pack/plugins/security/server/lib/deep_freeze.js
similarity index 100%
rename from x-pack/plugins/security/server/lib/authorization/deep_freeze.js
rename to x-pack/plugins/security/server/lib/deep_freeze.js
diff --git a/x-pack/plugins/security/server/lib/authorization/deep_freeze.test.js b/x-pack/plugins/security/server/lib/deep_freeze.test.js
similarity index 100%
rename from x-pack/plugins/security/server/lib/authorization/deep_freeze.test.js
rename to x-pack/plugins/security/server/lib/deep_freeze.test.js
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
deleted file mode 100644
index 95a4e9aa0eaacc..00000000000000
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
+++ /dev/null
@@ -1,1177 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { SecureSavedObjectsClient } from './secure_saved_objects_client';
-import { CHECK_PRIVILEGES_RESULT } from '../authorization/check_privileges';
-
-const createMockErrors = () => {
-  const forbiddenError = new Error('Mock ForbiddenError');
-  const generalError = new Error('Mock GeneralError');
-
-  return {
-    forbiddenError,
-    decorateForbiddenError: jest.fn().mockReturnValue(forbiddenError),
-    generalError,
-    decorateGeneralError: jest.fn().mockReturnValue(generalError)
-  };
-};
-
-const createMockAuditLogger = () => {
-  return {
-    savedObjectsAuthorizationFailure: jest.fn(),
-    savedObjectsAuthorizationSuccess: jest.fn(),
-  };
-};
-
-const createMockActions = () => {
-  return {
-    getSavedObjectAction(type, action) {
-      return `mock-action:saved_objects/${type}/${action}`;
-    }
-  };
-};
-
-describe('#errors', () => {
-  test(`assigns errors from constructor to .errors`, () => {
-    const errors = Symbol();
-
-    const client = new SecureSavedObjectsClient({ errors });
-
-    expect(client.errors).toBe(errors);
-  });
-});
-
-describe('#create', () => {
-  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
-    const type = 'foo';
-    const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
-      throw new Error();
-    });
-    const mockAuditLogger = createMockAuditLogger();
-    const mockActions = createMockActions();
-    const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: mockActions,
-    });
-
-    await expect(client.create(type)).rejects.toThrowError(mockErrors.generalError);
-
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'create')]);
-    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-
-  test(`throws decorated ForbiddenError when unauthorized`, async () => {
-    const type = 'foo';
-    const username = Symbol();
-    const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-      username,
-      missing: privileges,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const mockActions = createMockActions();
-    const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: mockActions,
-    });
-    const attributes = Symbol();
-    const options = Symbol();
-
-    await expect(client.create(type, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
-
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'create')]);
-    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
-      username,
-      'create',
-      [type],
-      [mockActions.getSavedObjectAction(type, 'create')],
-      {
-        type,
-        attributes,
-        options,
-      }
-    );
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-
-  test(`returns result of internalRepository.create when authorized`, async () => {
-    const type = 'foo';
-    const username = Symbol();
-    const returnValue = Symbol();
-    const mockRepository = {
-      create: jest.fn().mockReturnValue(returnValue)
-    };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
-      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
-      username,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const client = new SecureSavedObjectsClient({
-      internalRepository: mockRepository,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: createMockActions(),
-    });
-    const attributes = Symbol();
-    const options = Symbol();
-
-    const result = await client.create(type, attributes, options);
-
-    expect(result).toBe(returnValue);
-    expect(mockRepository.create).toHaveBeenCalledWith(type, attributes, options);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'create', [type], {
-      type,
-      attributes,
-      options,
-    });
-  });
-
-  test(`returns result of callWithRequestRepository.create when legacy`, async () => {
-    const type = 'foo';
-    const username = Symbol();
-    const returnValue = Symbol();
-    const mockRepository = {
-      create: jest.fn().mockReturnValue(returnValue)
-    };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-      result: CHECK_PRIVILEGES_RESULT.LEGACY,
-      username,
-      missing: privileges,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const client = new SecureSavedObjectsClient({
-      callWithRequestRepository: mockRepository,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: createMockActions(),
-    });
-    const attributes = Symbol();
-    const options = Symbol();
-
-    const result = await client.create(type, attributes, options);
-
-    expect(result).toBe(returnValue);
-    expect(mockRepository.create).toHaveBeenCalledWith(type, attributes, options);
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-  });
-});
-
-describe('#bulkCreate', () => {
-  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
-    const type = 'foo';
-    const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
-      throw new Error();
-    });
-    const mockAuditLogger = createMockAuditLogger();
-    const mockActions = createMockActions();
-    const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: mockActions,
-    });
-
-    await expect(client.bulkCreate([{ type }])).rejects.toThrowError(mockErrors.generalError);
-
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'bulk_create')]);
-    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-
-  test(`throws decorated ForbiddenError when unauthorized`, async () => {
-    const type1 = 'foo';
-    const type2 = 'bar';
-    const username = Symbol();
-    const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-      username,
-      missing: [
-        privileges[0]
-      ],
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const mockActions = createMockActions();
-    const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: mockActions,
-    });
-    const objects = [
-      { type: type1 },
-      { type: type1 },
-      { type: type2 },
-    ];
-    const options = Symbol();
-
-    await expect(client.bulkCreate(objects, options)).rejects.toThrowError(mockErrors.forbiddenError);
-
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([
-      mockActions.getSavedObjectAction(type1, 'bulk_create'),
-      mockActions.getSavedObjectAction(type2, 'bulk_create'),
-    ]);
-    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
-      username,
-      'bulk_create',
-      [type1, type2],
-      [mockActions.getSavedObjectAction(type1, 'bulk_create')],
-      {
-        objects,
-        options,
-      }
-    );
-  });
-
-  test(`returns result of internalRepository.bulkCreate when authorized`, async () => {
-    const username = Symbol();
-    const type1 = 'foo';
-    const type2 = 'bar';
-    const returnValue = Symbol();
-    const mockRepository = {
-      bulkCreate: jest.fn().mockReturnValue(returnValue)
-    };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
-      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
-      username,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const client = new SecureSavedObjectsClient({
-      internalRepository: mockRepository,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: createMockActions(),
-    });
-    const objects = [
-      { type: type1, otherThing: 'sup' },
-      { type: type2, otherThing: 'everyone' },
-    ];
-    const options = Symbol();
-
-    const result = await client.bulkCreate(objects, options);
-
-    expect(result).toBe(returnValue);
-    expect(mockRepository.bulkCreate).toHaveBeenCalledWith(objects, options);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_create', [type1, type2], {
-      objects,
-      options,
-    });
-  });
-
-  test(`returns result of callWithRequestRepository.bulkCreate when legacy`, async () => {
-    const username = Symbol();
-    const type1 = 'foo';
-    const type2 = 'bar';
-    const returnValue = Symbol();
-    const mockRepository = {
-      bulkCreate: jest.fn().mockReturnValue(returnValue)
-    };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-      result: CHECK_PRIVILEGES_RESULT.LEGACY,
-      username,
-      missing: privileges,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const client = new SecureSavedObjectsClient({
-      callWithRequestRepository: mockRepository,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: createMockActions(),
-    });
-    const objects = [
-      { type: type1, otherThing: 'sup' },
-      { type: type2, otherThing: 'everyone' },
-    ];
-    const options = Symbol();
-
-    const result = await client.bulkCreate(objects, options);
-
-    expect(result).toBe(returnValue);
-    expect(mockRepository.bulkCreate).toHaveBeenCalledWith(objects, options);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-});
-
-describe('#delete', () => {
-  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
-    const type = 'foo';
-    const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
-      throw new Error();
-    });
-    const mockAuditLogger = createMockAuditLogger();
-    const mockActions = createMockActions();
-    const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: mockActions,
-    });
-
-    await expect(client.delete(type)).rejects.toThrowError(mockErrors.generalError);
-
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'delete')]);
-    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-
-  test(`throws decorated ForbiddenError when unauthorized`, async () => {
-    const type = 'foo';
-    const username = Symbol();
-    const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-      username,
-      missing: privileges,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const mockActions = createMockActions();
-    const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: mockActions,
-    });
-    const id = Symbol();
-    const options = Symbol();
-
-    await expect(client.delete(type, id, options)).rejects.toThrowError(mockErrors.forbiddenError);
-
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'delete')]);
-    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
-      username,
-      'delete',
-      [type],
-      [mockActions.getSavedObjectAction(type, 'delete')],
-      {
-        type,
-        id,
-        options,
-      }
-    );
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-
-  test(`returns result of internalRepository.delete when authorized`, async () => {
-    const type = 'foo';
-    const username = Symbol();
-    const returnValue = Symbol();
-    const mockRepository = {
-      delete: jest.fn().mockReturnValue(returnValue)
-    };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
-      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
-      username,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const client = new SecureSavedObjectsClient({
-      internalRepository: mockRepository,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: createMockActions(),
-    });
-    const id = Symbol();
-    const options = Symbol();
-
-    const result = await client.delete(type, id, options);
-
-    expect(result).toBe(returnValue);
-    expect(mockRepository.delete).toHaveBeenCalledWith(type, id, options);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'delete', [type], {
-      type,
-      id,
-      options,
-    });
-  });
-
-  test(`returns result of internalRepository.delete when legacy`, async () => {
-    const type = 'foo';
-    const username = Symbol();
-    const returnValue = Symbol();
-    const mockRepository = {
-      delete: jest.fn().mockReturnValue(returnValue)
-    };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-      result: CHECK_PRIVILEGES_RESULT.LEGACY,
-      username,
-      missing: privileges,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const client = new SecureSavedObjectsClient({
-      callWithRequestRepository: mockRepository,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: createMockActions(),
-    });
-    const id = Symbol();
-    const options = Symbol();
-
-    const result = await client.delete(type, id, options);
-
-    expect(result).toBe(returnValue);
-    expect(mockRepository.delete).toHaveBeenCalledWith(type, id, options);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-});
-
-describe('#find', () => {
-  describe('type', () => {
-    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
-      const type = 'foo';
-      const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
-        throw new Error();
-      });
-      const mockAuditLogger = createMockAuditLogger();
-      const mockActions = createMockActions();
-      const client = new SecureSavedObjectsClient({
-        errors: mockErrors,
-        checkPrivileges: mockCheckPrivileges,
-        auditLogger: mockAuditLogger,
-        actions: mockActions,
-      });
-
-      await expect(client.find({ type })).rejects.toThrowError(mockErrors.generalError);
-
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
-      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
-      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-    });
-
-    test(`throws decorated ForbiddenError when type's singular and unauthorized`, async () => {
-      const type = 'foo';
-      const username = Symbol();
-      const mockRepository = {};
-      const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-        username,
-        missing: privileges,
-      }));
-      const mockAuditLogger = createMockAuditLogger();
-      const mockActions = createMockActions();
-      const client = new SecureSavedObjectsClient({
-        errors: mockErrors,
-        internalRepository: mockRepository,
-        checkPrivileges: mockCheckPrivileges,
-        auditLogger: mockAuditLogger,
-        actions: mockActions,
-      });
-      const options = { type };
-
-      await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
-
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
-      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
-      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
-        username,
-        'find',
-        [type],
-        [mockActions.getSavedObjectAction(type, 'find')],
-        {
-          options,
-        }
-      );
-      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-    });
-
-    test(`throws decorated ForbiddenError when type's an array and unauthorized`, async () => {
-      const type1 = 'foo';
-      const type2 = 'bar';
-      const username = Symbol();
-      const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => {
-        return {
-          result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-          username,
-          missing: [
-            privileges[0]
-          ],
-        };
-      });
-
-      const mockAuditLogger = createMockAuditLogger();
-      const mockActions = createMockActions();
-      const client = new SecureSavedObjectsClient({
-        errors: mockErrors,
-        checkPrivileges: mockCheckPrivileges,
-        auditLogger: mockAuditLogger,
-        actions: mockActions,
-      });
-      const options = { type: [type1, type2] };
-
-      await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
-
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([
-        mockActions.getSavedObjectAction(type1, 'find'),
-        mockActions.getSavedObjectAction(type2, 'find')
-      ]);
-      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
-      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
-        username,
-        'find',
-        [type1, type2],
-        [mockActions.getSavedObjectAction(type1, 'find')],
-        {
-          options,
-        }
-      );
-      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-    });
-
-    test(`returns result of internalRepository.find when authorized`, async () => {
-      const type = 'foo';
-      const username = Symbol();
-      const returnValue = Symbol();
-      const mockRepository = {
-        find: jest.fn().mockReturnValue(returnValue)
-      };
-      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
-        result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
-        username,
-      }));
-      const mockAuditLogger = createMockAuditLogger();
-      const client = new SecureSavedObjectsClient({
-        internalRepository: mockRepository,
-        checkPrivileges: mockCheckPrivileges,
-        auditLogger: mockAuditLogger,
-        actions: createMockActions(),
-      });
-      const options = { type };
-
-      const result = await client.find(options);
-
-      expect(result).toBe(returnValue);
-      expect(mockRepository.find).toHaveBeenCalledWith({ type });
-      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'find', [type], {
-        options,
-      });
-    });
-
-    test(`returns result of callWithRequestRepository.find when legacy`, async () => {
-      const type = 'foo';
-      const username = Symbol();
-      const returnValue = Symbol();
-      const mockRepository = {
-        find: jest.fn().mockReturnValue(returnValue)
-      };
-      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-        result: CHECK_PRIVILEGES_RESULT.LEGACY,
-        username,
-        missing: privileges,
-      }));
-      const mockAuditLogger = createMockAuditLogger();
-      const client = new SecureSavedObjectsClient({
-        callWithRequestRepository: mockRepository,
-        checkPrivileges: mockCheckPrivileges,
-        auditLogger: mockAuditLogger,
-        actions: createMockActions(),
-      });
-      const options = { type };
-
-      const result = await client.find(options);
-
-      expect(result).toBe(returnValue);
-      expect(mockRepository.find).toHaveBeenCalledWith({ type });
-      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-    });
-  });
-
-  describe('no type', () => {
-    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
-      const type1 = 'foo';
-      const type2 = 'bar';
-      const mockRepository = {};
-      const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
-        throw new Error();
-      });
-      const mockAuditLogger = createMockAuditLogger();
-      const mockActions = createMockActions();
-      const client = new SecureSavedObjectsClient({
-        errors: mockErrors,
-        repository: mockRepository,
-        checkPrivileges: mockCheckPrivileges,
-        auditLogger: mockAuditLogger,
-        savedObjectTypes: [type1, type2],
-        actions: mockActions,
-      });
-
-      await expect(client.find()).rejects.toThrowError(mockErrors.generalError);
-
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([
-        mockActions.getSavedObjectAction(type1, 'find'),
-        mockActions.getSavedObjectAction(type2, 'find'),
-      ]);
-      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
-      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-    });
-
-    test(`throws decorated ForbiddenError when unauthorized`, async () => {
-      const type = 'foo';
-      const username = Symbol();
-      const mockRepository = {};
-      const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-        username,
-        missing: [
-          privileges[0]
-        ],
-      }));
-      const mockAuditLogger = createMockAuditLogger();
-      const mockActions = createMockActions();
-      const client = new SecureSavedObjectsClient({
-        errors: mockErrors,
-        repository: mockRepository,
-        checkPrivileges: mockCheckPrivileges,
-        auditLogger: mockAuditLogger,
-        savedObjectTypes: [type],
-        actions: mockActions,
-      });
-      const options = Symbol();
-
-      await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
-
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
-      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
-      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
-        username,
-        'find',
-        [type],
-        [mockActions.getSavedObjectAction(type, 'find')],
-        {
-          options,
-        }
-      );
-      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-    });
-
-    test(`returns result of callWithRequestRepository.find when legacy`, async () => {
-      const type = 'foo';
-      const username = Symbol();
-      const returnValue = Symbol();
-      const mockRepository = {
-        find: jest.fn().mockReturnValue(returnValue)
-      };
-      const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-        result: CHECK_PRIVILEGES_RESULT.LEGACY,
-        username,
-        missing: privileges,
-      }));
-      const mockAuditLogger = createMockAuditLogger();
-      const mockActions = createMockActions();
-      const client = new SecureSavedObjectsClient({
-        errors: mockErrors,
-        callWithRequestRepository: mockRepository,
-        checkPrivileges: mockCheckPrivileges,
-        auditLogger: mockAuditLogger,
-        savedObjectTypes: [type],
-        actions: mockActions,
-      });
-      const options = Symbol();
-
-      const result = await client.find(options);
-
-      expect(result).toBe(returnValue);
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
-      expect(mockRepository.find).toHaveBeenCalledWith(options);
-      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-    });
-
-    test(`specifies authorized types when calling repository.find()`, async () => {
-      const type1 = 'foo';
-      const type2 = 'bar';
-      const mockRepository = {
-        find: jest.fn(),
-      };
-      const mockErrors = createMockErrors();
-      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-        missing: [
-          privileges[0]
-        ]
-      }));
-      const mockAuditLogger = createMockAuditLogger();
-      const mockActions = createMockActions();
-      const client = new SecureSavedObjectsClient({
-        errors: mockErrors,
-        internalRepository: mockRepository,
-        checkPrivileges: mockCheckPrivileges,
-        auditLogger: mockAuditLogger,
-        savedObjectTypes: [type1, type2],
-        actions: mockActions,
-      });
-
-      await client.find({});
-
-      expect(mockCheckPrivileges).toHaveBeenCalledWith([
-        mockActions.getSavedObjectAction(type1, 'find'),
-        mockActions.getSavedObjectAction(type2, 'find'),
-      ]);
-      expect(mockRepository.find).toHaveBeenCalledWith(expect.objectContaining({
-        type: [type2],
-      }));
-    });
-
-    test(`returns result of repository.find`, async () => {
-      const type = 'foo';
-      const username = Symbol();
-      const returnValue = Symbol();
-      const mockRepository = {
-        find: jest.fn().mockReturnValue(returnValue)
-      };
-      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
-        result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
-        username,
-        missing: [],
-      }));
-      const mockAuditLogger = createMockAuditLogger();
-      const client = new SecureSavedObjectsClient({
-        internalRepository: mockRepository,
-        checkPrivileges: mockCheckPrivileges,
-        auditLogger: mockAuditLogger,
-        savedObjectTypes: [type],
-        actions: createMockActions(),
-      });
-      const options = Symbol();
-
-      const result = await client.find(options);
-
-      expect(result).toBe(returnValue);
-      expect(mockRepository.find).toHaveBeenCalledWith({ type: [type] });
-      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'find', [type], {
-        options,
-      });
-    });
-  });
-});
-
-describe('#bulkGet', () => {
-  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
-    const type = 'foo';
-    const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
-      throw new Error();
-    });
-    const mockAuditLogger = createMockAuditLogger();
-    const mockActions = createMockActions();
-    const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: mockActions,
-    });
-
-    await expect(client.bulkGet([{ type }])).rejects.toThrowError(mockErrors.generalError);
-
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'bulk_get')]);
-    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-
-  test(`throws decorated ForbiddenError when unauthorized`, async () => {
-    const type1 = 'foo';
-    const type2 = 'bar';
-    const username = Symbol();
-    const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-      username,
-      missing: [
-        privileges[0]
-      ],
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const mockActions = createMockActions();
-    const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: mockActions,
-    });
-    const objects = [
-      { type: type1 },
-      { type: type1 },
-      { type: type2 },
-    ];
-    const options = Symbol();
-
-    await expect(client.bulkGet(objects, options)).rejects.toThrowError(mockErrors.forbiddenError);
-
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([
-      mockActions.getSavedObjectAction(type1, 'bulk_get'),
-      mockActions.getSavedObjectAction(type2, 'bulk_get'),
-    ]);
-    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
-      username,
-      'bulk_get',
-      [type1, type2],
-      [mockActions.getSavedObjectAction(type1, 'bulk_get')],
-      {
-        objects,
-        options,
-      }
-    );
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-
-  test(`returns result of internalRepository.bulkGet when authorized`, async () => {
-    const type1 = 'foo';
-    const type2 = 'bar';
-    const username = Symbol();
-    const returnValue = Symbol();
-    const mockRepository = {
-      bulkGet: jest.fn().mockReturnValue(returnValue)
-    };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
-      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
-      username,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const client = new SecureSavedObjectsClient({
-      internalRepository: mockRepository,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: createMockActions(),
-    });
-    const objects = [
-      { type: type1, id: 'foo-id' },
-      { type: type2, id: 'bar-id' },
-    ];
-    const options = Symbol();
-
-    const result = await client.bulkGet(objects, options);
-
-    expect(result).toBe(returnValue);
-    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects, options);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_get', [type1, type2], {
-      objects,
-      options,
-    });
-  });
-
-  test(`returns result of callWithRequestRepository.bulkGet when legacy`, async () => {
-    const type1 = 'foo';
-    const type2 = 'bar';
-    const username = Symbol();
-    const returnValue = Symbol();
-    const mockRepository = {
-      bulkGet: jest.fn().mockReturnValue(returnValue)
-    };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-      result: CHECK_PRIVILEGES_RESULT.LEGACY,
-      username,
-      missing: privileges,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const client = new SecureSavedObjectsClient({
-      callWithRequestRepository: mockRepository,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: createMockActions(),
-    });
-    const objects = [
-      { type: type1, id: 'foo-id' },
-      { type: type2, id: 'bar-id' },
-    ];
-    const options = Symbol();
-
-    const result = await client.bulkGet(objects, options);
-
-    expect(result).toBe(returnValue);
-    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects, options);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-});
-
-describe('#get', () => {
-  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
-    const type = 'foo';
-    const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
-      throw new Error();
-    });
-    const mockAuditLogger = createMockAuditLogger();
-    const mockActions = createMockActions();
-    const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: mockActions,
-    });
-
-    await expect(client.get(type)).rejects.toThrowError(mockErrors.generalError);
-
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'get')]);
-    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-
-  test(`throws decorated ForbiddenError when unauthorized`, async () => {
-    const type = 'foo';
-    const username = Symbol();
-    const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-      username,
-      missing: privileges,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const mockActions = createMockActions();
-    const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: mockActions,
-    });
-    const id = Symbol();
-    const options = Symbol();
-
-    await expect(client.get(type, id, options)).rejects.toThrowError(mockErrors.forbiddenError);
-
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'get')]);
-    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
-      username,
-      'get',
-      [type],
-      [mockActions.getSavedObjectAction(type, 'get')],
-      {
-        type,
-        id,
-        options,
-      }
-    );
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-
-  test(`returns result of internalRepository.get when authorized`, async () => {
-    const type = 'foo';
-    const username = Symbol();
-    const returnValue = Symbol();
-    const mockRepository = {
-      get: jest.fn().mockReturnValue(returnValue)
-    };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
-      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
-      username,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const client = new SecureSavedObjectsClient({
-      internalRepository: mockRepository,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: createMockActions(),
-    });
-    const id = Symbol();
-    const options = Symbol();
-
-    const result = await client.get(type, id, options);
-
-    expect(result).toBe(returnValue);
-    expect(mockRepository.get).toHaveBeenCalledWith(type, id, options);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'get', [type], {
-      type,
-      id,
-      options,
-    });
-  });
-
-  test(`returns result of callWithRequestRepository.get when user isn't authorized and has legacy fallback`, async () => {
-    const type = 'foo';
-    const username = Symbol();
-    const returnValue = Symbol();
-    const mockRepository = {
-      get: jest.fn().mockReturnValue(returnValue)
-    };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-      result: CHECK_PRIVILEGES_RESULT.LEGACY,
-      username,
-      missing: privileges,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const client = new SecureSavedObjectsClient({
-      callWithRequestRepository: mockRepository,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: createMockActions(),
-    });
-    const id = Symbol();
-    const options = Symbol();
-
-    const result = await client.get(type, id, options);
-
-    expect(result).toBe(returnValue);
-    expect(mockRepository.get).toHaveBeenCalledWith(type, id, options);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-});
-
-describe('#update', () => {
-  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
-    const type = 'foo';
-    const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
-      throw new Error();
-    });
-    const mockAuditLogger = createMockAuditLogger();
-    const mockActions = createMockActions();
-    const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: mockActions,
-    });
-
-    await expect(client.update(type)).rejects.toThrowError(mockErrors.generalError);
-
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'update')]);
-    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-
-  test(`throws decorated ForbiddenError when unauthorized`, async () => {
-    const type = 'foo';
-    const username = Symbol();
-    const mockErrors = createMockErrors();
-    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
-      username,
-      missing: privileges,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const mockActions = createMockActions();
-    const client = new SecureSavedObjectsClient({
-      errors: mockErrors,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: mockActions,
-    });
-    const id = Symbol();
-    const attributes = Symbol();
-    const options = Symbol();
-
-    await expect(client.update(type, id, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
-
-    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'update')]);
-    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
-      username,
-      'update',
-      [type],
-      [mockActions.getSavedObjectAction(type, 'update')],
-      {
-        type,
-        id,
-        attributes,
-        options,
-      }
-    );
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-
-  test(`returns result of repository.update when authorized`, async () => {
-    const type = 'foo';
-    const username = Symbol();
-    const returnValue = Symbol();
-    const mockRepository = {
-      update: jest.fn().mockReturnValue(returnValue)
-    };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
-      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
-      username,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const client = new SecureSavedObjectsClient({
-      internalRepository: mockRepository,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: createMockActions(),
-    });
-    const id = Symbol();
-    const attributes = Symbol();
-    const options = Symbol();
-
-    const result = await client.update(type, id, attributes, options);
-
-    expect(result).toBe(returnValue);
-    expect(mockRepository.update).toHaveBeenCalledWith(type, id, attributes, options);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'update', [type], {
-      type,
-      id,
-      attributes,
-      options,
-    });
-  });
-
-  test(`returns result of repository.update when legacy`, async () => {
-    const type = 'foo';
-    const username = Symbol();
-    const returnValue = Symbol();
-    const mockRepository = {
-      update: jest.fn().mockReturnValue(returnValue)
-    };
-    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
-      result: CHECK_PRIVILEGES_RESULT.LEGACY,
-      username,
-      missing: privileges,
-    }));
-    const mockAuditLogger = createMockAuditLogger();
-    const client = new SecureSavedObjectsClient({
-      callWithRequestRepository: mockRepository,
-      checkPrivileges: mockCheckPrivileges,
-      auditLogger: mockAuditLogger,
-      actions: createMockActions(),
-    });
-    const id = Symbol();
-    const attributes = Symbol();
-    const options = Symbol();
-
-    const result = await client.update(type, id, attributes, options);
-
-    expect(result).toBe(returnValue);
-    expect(mockRepository.update).toHaveBeenCalledWith(type, id, attributes, options);
-    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
-    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
-  });
-});
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client_wrapper.js
similarity index 51%
rename from x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
rename to x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client_wrapper.js
index bd32c89614993d..d7c14d4a0aed71 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client_wrapper.js
@@ -5,55 +5,60 @@
  */
 
 import { get, uniq } from 'lodash';
-import { CHECK_PRIVILEGES_RESULT } from '../authorization/check_privileges';
+import { IGNORED_TYPES } from '../../../common/constants';
 
-export class SecureSavedObjectsClient {
+export class SecureSavedObjectsClientWrapper {
   constructor(options) {
     const {
-      errors,
-      internalRepository,
-      callWithRequestRepository,
-      checkPrivileges,
+      actions,
       auditLogger,
+      baseClient,
+      checkPrivilegesWithRequest,
+      errors,
+      request,
       savedObjectTypes,
-      actions,
+      spaces,
     } = options;
 
     this.errors = errors;
-    this._internalRepository = internalRepository;
-    this._callWithRequestRepository = callWithRequestRepository;
-    this._checkPrivileges = checkPrivileges;
+    this._actions = actions;
     this._auditLogger = auditLogger;
+    this._baseClient = baseClient;
+    this._checkPrivileges = checkPrivilegesWithRequest(request);
+    this._request = request;
     this._savedObjectTypes = savedObjectTypes;
-    this._actions = actions;
+    this._spaces = spaces;
   }
 
   async create(type, attributes = {}, options = {}) {
-    return await this._execute(
+    await this._ensureAuthorized(
       type,
       'create',
       { type, attributes, options },
-      repository => repository.create(type, attributes, options),
     );
+
+    return await this._baseClient.create(type, attributes, options);
   }
 
   async bulkCreate(objects, options = {}) {
     const types = uniq(objects.map(o => o.type));
-    return await this._execute(
+    await this._ensureAuthorized(
       types,
       'bulk_create',
       { objects, options },
-      repository => repository.bulkCreate(objects, options),
     );
+
+    return await this._baseClient.bulkCreate(objects, options);
   }
 
-  async delete(type, id, options = {}) {
-    return await this._execute(
+  async delete(type, id, options) {
+    await this._ensureAuthorized(
       type,
       'delete',
       { type, id, options },
-      repository => repository.delete(type, id, options),
     );
+
+    return await this._baseClient.delete(type, id, options);
   }
 
   async find(options = {}) {
@@ -66,58 +71,68 @@ export class SecureSavedObjectsClient {
 
   async bulkGet(objects = [], options = {}) {
     const types = uniq(objects.map(o => o.type));
-    return await this._execute(
+    await this._ensureAuthorized(
       types,
       'bulk_get',
       { objects, options },
-      repository => repository.bulkGet(objects, options)
     );
+
+    return await this._baseClient.bulkGet(objects, options);
   }
 
   async get(type, id, options = {}) {
-    return await this._execute(
+    await this._ensureAuthorized(
       type,
       'get',
       { type, id, options },
-      repository => repository.get(type, id, options)
     );
+
+    return await this._baseClient.get(type, id, options);
   }
 
   async update(type, id, attributes, options = {}) {
-    return await this._execute(
+    await this._ensureAuthorized(
       type,
       'update',
       { type, id, attributes, options },
-      repository => repository.update(type, id, attributes, options)
     );
+
+    return await this._baseClient.update(type, id, attributes, options);
   }
 
   async _checkSavedObjectPrivileges(actions) {
     try {
-      return await this._checkPrivileges(actions);
+      if (this._spaces) {
+        const spaceId = this._spaces.getSpaceId(this._request);
+        return await this._checkPrivileges.atSpace(spaceId, actions);
+      }
+      else {
+        return await this._checkPrivileges.globally(actions);
+      }
     } catch(error) {
       const { reason } = get(error, 'body.error', {});
       throw this.errors.decorateGeneralError(error, reason);
     }
   }
 
-  async _execute(typeOrTypes, action, args, fn) {
+  async _ensureAuthorized(typeOrTypes, action, args) {
     const types = Array.isArray(typeOrTypes) ? typeOrTypes : [typeOrTypes];
     const actions = types.map(type => this._actions.getSavedObjectAction(type, action));
-    const { result, username, missing } = await this._checkSavedObjectPrivileges(actions);
-
-    switch (result) {
-      case CHECK_PRIVILEGES_RESULT.AUTHORIZED:
-        this._auditLogger.savedObjectsAuthorizationSuccess(username, action, types, args);
-        return await fn(this._internalRepository);
-      case CHECK_PRIVILEGES_RESULT.LEGACY:
-        return await fn(this._callWithRequestRepository);
-      case CHECK_PRIVILEGES_RESULT.UNAUTHORIZED:
-        this._auditLogger.savedObjectsAuthorizationFailure(username, action, types, missing, args);
-        const msg = `Unable to ${action} ${[...types].sort().join(',')}, missing ${[...missing].sort().join(',')}`;
-        throw this.errors.decorateForbiddenError(new Error(msg));
-      default:
-        throw new Error('Unexpected result from hasPrivileges');
+    const { hasAllRequested, username, privileges } = await this._checkSavedObjectPrivileges(actions);
+
+    if (hasAllRequested) {
+      this._auditLogger.savedObjectsAuthorizationSuccess(username, action, types, args);
+    } else {
+      const missing = this._getMissingPrivileges(privileges);
+      this._auditLogger.savedObjectsAuthorizationFailure(
+        username,
+        action,
+        types,
+        missing,
+        args
+      );
+      const msg = `Unable to ${action} ${[...types].sort().join(',')}, missing ${[...missing].sort().join(',')}`;
+      throw this.errors.decorateForbiddenError(new Error(msg));
     }
   }
 
@@ -125,16 +140,12 @@ export class SecureSavedObjectsClient {
     const action = 'find';
 
     // we have to filter for only their authorized types
-    const types = this._savedObjectTypes;
+    const types = this._savedObjectTypes.filter(type => !IGNORED_TYPES.includes(type));
     const typesToPrivilegesMap = new Map(types.map(type => [type, this._actions.getSavedObjectAction(type, action)]));
-    const { result, username, missing } = await this._checkSavedObjectPrivileges(Array.from(typesToPrivilegesMap.values()));
-
-    if (result === CHECK_PRIVILEGES_RESULT.LEGACY) {
-      return await this._callWithRequestRepository.find(options);
-    }
+    const { username, privileges } = await this._checkSavedObjectPrivileges(Array.from(typesToPrivilegesMap.values()));
 
     const authorizedTypes = Array.from(typesToPrivilegesMap.entries())
-      .filter(([, privilege]) => !missing.includes(privilege))
+      .filter(([, privilege]) => privileges[privilege])
       .map(([type]) => type);
 
     if (authorizedTypes.length === 0) {
@@ -142,27 +153,36 @@ export class SecureSavedObjectsClient {
         username,
         action,
         types,
-        missing,
+        this._getMissingPrivileges(privileges),
         { options }
       );
       throw this.errors.decorateForbiddenError(new Error(`Not authorized to find saved_object`));
     }
 
-    this._auditLogger.savedObjectsAuthorizationSuccess(username, action, authorizedTypes, { options });
-
-    return await this._internalRepository.find(
-      {
+    this._auditLogger.savedObjectsAuthorizationSuccess(username, action, authorizedTypes, {
+      options: {
         ...options,
         type: authorizedTypes,
-      });
+      }
+    });
+
+    return await this._baseClient.find({
+      ...options,
+      type: authorizedTypes
+    });
   }
 
   async _findWithTypes(options) {
-    return await this._execute(
+    await this._ensureAuthorized(
       options.type,
       'find',
       { options },
-      repository => repository.find(options)
     );
+
+    return await this._baseClient.find(options);
+  }
+
+  _getMissingPrivileges(response) {
+    return Object.keys(response).filter(privilege => !response[privilege]);
   }
 }
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client_wrapper.test.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client_wrapper.test.js
new file mode 100644
index 00000000000000..df8c7770a47ce3
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client_wrapper.test.js
@@ -0,0 +1,2513 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SecureSavedObjectsClientWrapper } from './secure_saved_objects_client_wrapper';
+
+const createMockErrors = () => {
+  const forbiddenError = new Error('Mock ForbiddenError');
+  const generalError = new Error('Mock GeneralError');
+
+  return {
+    forbiddenError,
+    decorateForbiddenError: jest.fn().mockReturnValue(forbiddenError),
+    generalError,
+    decorateGeneralError: jest.fn().mockReturnValue(generalError)
+  };
+};
+
+const createMockAuditLogger = () => {
+  return {
+    savedObjectsAuthorizationFailure: jest.fn(),
+    savedObjectsAuthorizationSuccess: jest.fn(),
+  };
+};
+
+const createMockActions = () => {
+  return {
+    getSavedObjectAction(type, action) {
+      return `mock-action:saved_objects/${type}/${action}`;
+    }
+  };
+};
+
+describe('#errors', () => {
+  test(`assigns errors from constructor to .errors`, () => {
+    const errors = Symbol();
+
+    const client = new SecureSavedObjectsClientWrapper({
+      checkPrivilegesWithRequest: () => {},
+      errors
+    });
+
+    expect(client.errors).toBe(errors);
+  });
+});
+
+describe(`spaces disabled`, () => {
+  describe('#create', () => {
+    test(`throws decorated GeneralError when checkPrivileges.globally rejects promise`, async () => {
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => {
+          throw new Error('An actual error would happen here');
+        })
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+
+      await expect(client.create(type)).rejects.toThrowError(mockErrors.generalError);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'create')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const mockActions = createMockActions();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => ({
+          hasAllRequested: false,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'create')]: false,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+      const attributes = Symbol();
+      const options = Symbol();
+
+      await expect(client.create(type, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'create')]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'create',
+        [type],
+        [mockActions.getSavedObjectAction(type, 'create')],
+        {
+          type,
+          attributes,
+          options,
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`returns result of baseClient.create when authorized`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockActions = createMockActions();
+      const mockBaseClient = {
+        create: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => ({
+          hasAllRequested: true,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'create')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: mockBaseClient,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: null,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+      const attributes = Symbol();
+      const options = Symbol();
+
+      const result = await client.create(type, attributes, options);
+
+      expect(result).toBe(returnValue);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'create')]);
+      expect(mockBaseClient.create).toHaveBeenCalledWith(type, attributes, options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'create', [type], {
+        type,
+        attributes,
+        options,
+      });
+    });
+  });
+
+  describe('#bulkCreate', () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => {
+          throw new Error('An actual error would happen here');
+        })
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+
+      await expect(client.bulkCreate([{ type }])).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'bulk_create')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const username = Symbol();
+      const mockActions = createMockActions();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => ({
+          hasAllRequested: false,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type1, 'bulk_create')]: false,
+            [mockActions.getSavedObjectAction(type2, 'bulk_create')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+      const objects = [
+        { type: type1 },
+        { type: type1 },
+        { type: type2 },
+      ];
+      const options = Symbol();
+
+      await expect(client.bulkCreate(objects, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([
+        mockActions.getSavedObjectAction(type1, 'bulk_create'),
+        mockActions.getSavedObjectAction(type2, 'bulk_create'),
+      ]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'bulk_create',
+        [type1, type2],
+        [mockActions.getSavedObjectAction(type1, 'bulk_create')],
+        {
+          objects,
+          options,
+        }
+      );
+    });
+
+    test(`returns result of baseClient.bulkCreate when authorized`, async () => {
+      const username = Symbol();
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const returnValue = Symbol();
+      const mockBaseClient = {
+        bulkCreate: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockActions = createMockActions();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => ({
+          hasAllRequested: true,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type1, 'bulk_create')]: true,
+            [mockActions.getSavedObjectAction(type2, 'bulk_create')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: mockBaseClient,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: null,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+      const objects = [
+        { type: type1, otherThing: 'sup' },
+        { type: type2, otherThing: 'everyone' },
+      ];
+      const options = Symbol();
+
+      const result = await client.bulkCreate(objects, options);
+
+      expect(result).toBe(returnValue);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([
+        mockActions.getSavedObjectAction(type1, 'bulk_create'),
+        mockActions.getSavedObjectAction(type2, 'bulk_create'),
+      ]);
+      expect(mockBaseClient.bulkCreate).toHaveBeenCalledWith(objects, options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_create', [type1, type2], {
+        objects,
+        options,
+      });
+    });
+  });
+
+  describe('#delete', () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => {
+          throw new Error('An actual error would happen here');
+        })
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+
+      await expect(client.delete(type)).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'delete')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const mockActions = createMockActions();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => ({
+          hasAllRequested: false,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'delete')]: false,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+      const id = Symbol();
+
+      await expect(client.delete(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'delete')]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'delete',
+        [type],
+        [mockActions.getSavedObjectAction(type, 'delete')],
+        {
+          type,
+          id,
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`returns result of internalRepository.delete when authorized`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockActions = createMockActions();
+      const mockBaseClient = {
+        delete: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => ({
+          hasAllRequested: true,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'delete')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: mockBaseClient,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: null,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+      const id = Symbol();
+      const options = Symbol();
+
+      const result = await client.delete(type, id, options);
+
+      expect(result).toBe(returnValue);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'delete')]);
+      expect(mockBaseClient.delete).toHaveBeenCalledWith(type, id, options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'delete', [type], {
+        type,
+        id,
+        options,
+      });
+    });
+  });
+
+  describe('#find', () => {
+    describe('type', () => {
+      test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+        const type = 'foo';
+        const mockErrors = createMockErrors();
+        const mockCheckPrivileges = {
+          globally: jest.fn(async () => {
+            throw new Error('An actual error would happen here');
+          })
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const mockActions = createMockActions();
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: null,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: mockErrors,
+          request: mockRequest,
+          savedObjectTypes: [],
+          spaces: null,
+        });
+
+        await expect(client.find({ type })).rejects.toThrowError(mockErrors.generalError);
+
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
+        expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+      });
+
+      test(`throws decorated ForbiddenError when type's singular and unauthorized`, async () => {
+        const type = 'foo';
+        const username = Symbol();
+        const mockActions = createMockActions();
+        const mockErrors = createMockErrors();
+        const mockCheckPrivileges = {
+          globally: jest.fn(async () => ({
+            hasAllRequested: false,
+            username,
+            privileges: {
+              [mockActions.getSavedObjectAction(type, 'find')]: false,
+            }
+          }))
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: null,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: mockErrors,
+          request: mockRequest,
+          savedObjectTypes: [],
+          spaces: null,
+        });
+        const options = { type };
+
+        await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
+        expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+          username,
+          'find',
+          [type],
+          [mockActions.getSavedObjectAction(type, 'find')],
+          {
+            options
+          }
+        );
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+      });
+
+      test(`throws decorated ForbiddenError when type's an array and unauthorized`, async () => {
+        const type1 = 'foo';
+        const type2 = 'bar';
+        const username = Symbol();
+        const mockActions = createMockActions();
+        const mockErrors = createMockErrors();
+        const mockCheckPrivileges = {
+          globally: jest.fn(async () => ({
+            hasAllRequested: false,
+            username,
+            privileges: {
+              [mockActions.getSavedObjectAction(type1, 'find')]: false,
+              [mockActions.getSavedObjectAction(type2, 'find')]: true,
+            }
+          }))
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+
+        const mockAuditLogger = createMockAuditLogger();
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: null,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: mockErrors,
+          request: mockRequest,
+          savedObjectTypes: [],
+          spaces: null,
+        });
+        const options = { type: [type1, type2] };
+
+        await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([
+          mockActions.getSavedObjectAction(type1, 'find'),
+          mockActions.getSavedObjectAction(type2, 'find')
+        ]);
+        expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+          username,
+          'find',
+          [type1, type2],
+          [mockActions.getSavedObjectAction(type1, 'find')],
+          {
+            options
+          }
+        );
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+      });
+
+      test(`returns result of baseClient.find when authorized`, async () => {
+        const type = 'foo';
+        const username = Symbol();
+        const returnValue = Symbol();
+        const mockActions = createMockActions();
+        const mockBaseClient = {
+          find: jest.fn().mockReturnValue(returnValue)
+        };
+        const mockCheckPrivileges = {
+          globally: jest.fn(async () => ({
+            hasAllRequested: true,
+            username,
+            privileges: {
+              [mockActions.getSavedObjectAction(type, 'find')]: true,
+            }
+          }))
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: mockBaseClient,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: null,
+          request: mockRequest,
+          savedObjectTypes: [],
+          spaces: null,
+        });
+        const options = { type };
+
+        const result = await client.find(options);
+
+        expect(result).toBe(returnValue);
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
+        expect(mockBaseClient.find).toHaveBeenCalledWith({ type });
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'find', [type], {
+          options,
+        });
+      });
+    });
+
+    describe('no type', () => {
+      test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+        const type1 = 'foo';
+        const type2 = 'bar';
+        const mockErrors = createMockErrors();
+        const mockCheckPrivileges = {
+          globally: jest.fn(async () => {
+            throw new Error('An actual error would happen here');
+          })
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const mockActions = createMockActions();
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: null,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: mockErrors,
+          request: mockRequest,
+          savedObjectTypes: [type1, type2],
+          spaces: null,
+        });
+
+        await expect(client.find()).rejects.toThrowError(mockErrors.generalError);
+
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([
+          mockActions.getSavedObjectAction(type1, 'find'),
+          mockActions.getSavedObjectAction(type2, 'find'),
+        ]);
+        expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+      });
+
+      test(`throws decorated ForbiddenError when unauthorized`, async () => {
+        const type = 'foo';
+        const username = Symbol();
+        const mockActions = createMockActions();
+        const mockErrors = createMockErrors();
+        const mockCheckPrivileges = {
+          globally: jest.fn(async () => ({
+            hasAllRequested: false,
+            username,
+            privileges: {
+              [mockActions.getSavedObjectAction(type, 'find')]: false,
+            }
+          }))
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: null,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: mockErrors,
+          request: mockRequest,
+          savedObjectTypes: [type],
+          spaces: null,
+        });
+        const options = Symbol();
+
+        await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
+        expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+          username,
+          'find',
+          [type],
+          [mockActions.getSavedObjectAction(type, 'find')],
+          {
+            options
+          }
+        );
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+      });
+
+      test(`returns result of baseClient.find when authorized`, async () => {
+        const type = 'foo';
+        const spaceType = 'space';
+        const username = Symbol();
+        const returnValue = Symbol();
+        const mockActions = createMockActions();
+        const mockBaseClient = {
+          find: jest.fn().mockReturnValue(returnValue)
+        };
+        const mockCheckPrivileges = {
+          globally: jest.fn(async () => ({
+            hasAllRequested: true,
+            username,
+            privileges: {
+              [mockActions.getSavedObjectAction(type, 'find')]: true,
+            }
+          }))
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: mockBaseClient,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: null,
+          request: mockRequest,
+          savedObjectTypes: [type, spaceType],
+          spaces: null,
+        });
+        const options = {
+          bar: true,
+        };
+
+        const result = await client.find(options);
+
+        expect(result).toBe(returnValue);
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
+        expect(mockBaseClient.find).toHaveBeenCalledWith({ bar: true, type: ['foo'] });
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'find', [type], {
+          options: {
+            type: [type],
+            ...options,
+          }
+        });
+      });
+
+      test(`specifies authorized types when calling repository.find()`, async () => {
+        const type1 = 'foo';
+        const type2 = 'bar';
+        const spaceType = 'space';
+        const username = Symbol();
+        const mockActions = createMockActions();
+        const mockBaseClient = {
+          find: jest.fn(),
+        };
+        const mockCheckPrivileges = {
+          globally: jest.fn(async () => ({
+            hasAllRequested: true,
+            username,
+            privileges: {
+              [mockActions.getSavedObjectAction(type1, 'find')]: false,
+              [mockActions.getSavedObjectAction(type2, 'find')]: true,
+            }
+          }))
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: mockBaseClient,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: null,
+          request: mockRequest,
+          savedObjectTypes: [type1, type2, spaceType],
+          spaces: null,
+        });
+
+        await client.find();
+
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([
+          mockActions.getSavedObjectAction(type1, 'find'),
+          mockActions.getSavedObjectAction(type2, 'find'),
+        ]);
+        expect(mockBaseClient.find).toHaveBeenCalledWith(expect.objectContaining({
+          type: [type2]
+        }));
+      });
+    });
+  });
+
+  describe('#bulkGet', () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => {
+          throw new Error('An actual error would happen here');
+        })
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+
+      await expect(client.bulkGet([{ type }])).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'bulk_get')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const username = Symbol();
+      const mockActions = createMockActions();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => ({
+          hasAllRequested: false,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type1, 'bulk_get')]: false,
+            [mockActions.getSavedObjectAction(type2, 'bulk_get')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+      const objects = [
+        { type: type1 },
+        { type: type1 },
+        { type: type2 },
+      ];
+      const options = Symbol();
+
+      await expect(client.bulkGet(objects, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([
+        mockActions.getSavedObjectAction(type1, 'bulk_get'),
+        mockActions.getSavedObjectAction(type2, 'bulk_get'),
+      ]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'bulk_get',
+        [type1, type2],
+        [mockActions.getSavedObjectAction(type1, 'bulk_get')],
+        {
+          objects,
+          options,
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`returns result of baseClient.bulkGet when authorized`, async () => {
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockActions = createMockActions();
+      const mockBaseClient = {
+        bulkGet: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => ({
+          hasAllRequested: true,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type1, 'bulk_get')]: true,
+            [mockActions.getSavedObjectAction(type2, 'bulk_get')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: mockBaseClient,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: null,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+      const objects = [
+        { type: type1, id: 'foo-id' },
+        { type: type2, id: 'bar-id' },
+      ];
+      const options = Symbol();
+
+      const result = await client.bulkGet(objects, options);
+
+      expect(result).toBe(returnValue);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([
+        mockActions.getSavedObjectAction(type1, 'bulk_get'),
+        mockActions.getSavedObjectAction(type2, 'bulk_get'),
+      ]);
+      expect(mockBaseClient.bulkGet).toHaveBeenCalledWith(objects, options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_get', [type1, type2], {
+        objects,
+        options,
+      });
+    });
+  });
+
+  describe('#get', () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => {
+          throw new Error('An actual error would happen here');
+        })
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+
+      await expect(client.get(type)).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'get')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const mockActions = createMockActions();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => ({
+          hasAllRequested: false,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'get')]: false,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+      const id = Symbol();
+      const options = Symbol();
+
+      await expect(client.get(type, id, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'get')]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'get',
+        [type],
+        [mockActions.getSavedObjectAction(type, 'get')],
+        {
+          type,
+          id,
+          options,
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`returns result of baseClient.get when authorized`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockActions = createMockActions();
+      const mockBaseClient = {
+        get: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => ({
+          hasAllRequested: true,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'get')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: mockBaseClient,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: null,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+      const id = Symbol();
+      const options = Symbol();
+
+      const result = await client.get(type, id, options);
+
+      expect(result).toBe(returnValue);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'get')]);
+      expect(mockBaseClient.get).toHaveBeenCalledWith(type, id, options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'get', [type], {
+        type,
+        id,
+        options
+      });
+    });
+  });
+
+  describe('#update', () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => {
+          throw new Error('An actual error would happen here');
+        })
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+
+      await expect(client.update(type)).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'update')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const mockActions = createMockActions();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => ({
+          hasAllRequested: false,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'update')]: false,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+      const id = Symbol();
+      const attributes = Symbol();
+      const options = Symbol();
+
+      await expect(client.update(type, id, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'update')]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'update',
+        [type],
+        [mockActions.getSavedObjectAction(type, 'update')],
+        {
+          type,
+          id,
+          attributes,
+          options,
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`returns result of baseClient.update when authorized`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockActions = createMockActions();
+      const mockBaseClient = {
+        update: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = {
+        globally: jest.fn(async () => ({
+          hasAllRequested: true,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'update')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: mockBaseClient,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: null,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: null,
+      });
+      const id = Symbol();
+      const attributes = Symbol();
+      const options = Symbol();
+
+      const result = await client.update(type, id, attributes, options);
+
+      expect(result).toBe(returnValue);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.globally).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'update')]);
+      expect(mockBaseClient.update).toHaveBeenCalledWith(type, id, attributes, options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'update', [type], {
+        type,
+        id,
+        attributes,
+        options,
+      });
+    });
+  });
+});
+
+describe(`spaces enabled`, () => {
+  describe('#create', () => {
+    test(`throws decorated GeneralError when checkPrivileges.globally rejects promise`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => {
+          throw new Error('An actual error would happen here');
+        })
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+
+      await expect(client.create(type)).rejects.toThrowError(mockErrors.generalError);
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'create')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const username = Symbol();
+      const mockActions = createMockActions();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => ({
+          hasAllRequested: false,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'create')]: false,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+      const attributes = Symbol();
+      const options = Symbol();
+
+      await expect(client.create(type, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'create')]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'create',
+        [type],
+        [mockActions.getSavedObjectAction(type, 'create')],
+        {
+          type,
+          attributes,
+          options,
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`returns result of baseClient.create when authorized`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockActions = createMockActions();
+      const mockBaseClient = {
+        create: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => ({
+          hasAllRequested: true,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'create')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: mockBaseClient,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: null,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+      const attributes = Symbol();
+      const options = Symbol();
+
+      const result = await client.create(type, attributes, options);
+
+      expect(result).toBe(returnValue);
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'create')]);
+      expect(mockBaseClient.create).toHaveBeenCalledWith(type, attributes, options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'create', [type], {
+        type,
+        attributes,
+        options,
+      });
+    });
+  });
+
+  describe('#bulkCreate', () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => {
+          throw new Error('An actual error would happen here');
+        })
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+
+      await expect(client.bulkCreate([{ type }])).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'bulk_create')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const spaceId = 'space_1';
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const username = Symbol();
+      const mockActions = createMockActions();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => ({
+          hasAllRequested: false,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type1, 'bulk_create')]: false,
+            [mockActions.getSavedObjectAction(type2, 'bulk_create')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+      const objects = [
+        { type: type1 },
+        { type: type1 },
+        { type: type2 },
+      ];
+      const options = Symbol();
+
+      await expect(client.bulkCreate(objects, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [
+        mockActions.getSavedObjectAction(type1, 'bulk_create'),
+        mockActions.getSavedObjectAction(type2, 'bulk_create'),
+      ]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'bulk_create',
+        [type1, type2],
+        [mockActions.getSavedObjectAction(type1, 'bulk_create')],
+        {
+          objects,
+          options,
+        }
+      );
+    });
+
+    test(`returns result of baseClient.bulkCreate when authorized`, async () => {
+      const spaceId = 'space_1';
+      const username = Symbol();
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const returnValue = Symbol();
+      const mockBaseClient = {
+        bulkCreate: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockActions = createMockActions();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => ({
+          hasAllRequested: true,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type1, 'bulk_create')]: true,
+            [mockActions.getSavedObjectAction(type2, 'bulk_create')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: mockBaseClient,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: null,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+      const objects = [
+        { type: type1, otherThing: 'sup' },
+        { type: type2, otherThing: 'everyone' },
+      ];
+      const options = Symbol();
+
+      const result = await client.bulkCreate(objects, options);
+
+      expect(result).toBe(returnValue);
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [
+        mockActions.getSavedObjectAction(type1, 'bulk_create'),
+        mockActions.getSavedObjectAction(type2, 'bulk_create'),
+      ]);
+      expect(mockBaseClient.bulkCreate).toHaveBeenCalledWith(objects, options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_create', [type1, type2], {
+        objects,
+        options,
+      });
+    });
+  });
+
+  describe('#delete', () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => {
+          throw new Error('An actual error would happen here');
+        })
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+
+      await expect(client.delete(type)).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'delete')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const username = Symbol();
+      const mockActions = createMockActions();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => ({
+          hasAllRequested: false,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'delete')]: false,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+      const id = Symbol();
+
+      await expect(client.delete(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'delete')]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'delete',
+        [type],
+        [mockActions.getSavedObjectAction(type, 'delete')],
+        {
+          type,
+          id,
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`returns result of internalRepository.delete when authorized`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockActions = createMockActions();
+      const mockBaseClient = {
+        delete: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => ({
+          hasAllRequested: true,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'delete')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: mockBaseClient,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: null,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+      const id = Symbol();
+      const options = Symbol();
+
+      const result = await client.delete(type, id, options);
+
+      expect(result).toBe(returnValue);
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'delete')]);
+      expect(mockBaseClient.delete).toHaveBeenCalledWith(type, id, options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'delete', [type], {
+        type,
+        id,
+        options,
+      });
+    });
+  });
+
+  describe('#find', () => {
+    describe('type', () => {
+      test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+        const spaceId = 'space_1';
+        const type = 'foo';
+        const mockErrors = createMockErrors();
+        const mockCheckPrivileges = {
+          atSpace: jest.fn(async () => {
+            throw new Error('An actual error would happen here');
+          })
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const mockActions = createMockActions();
+        const mockSpaces = {
+          getSpaceId: jest.fn().mockReturnValue(spaceId)
+        };
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: null,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: mockErrors,
+          request: mockRequest,
+          savedObjectTypes: [],
+          spaces: mockSpaces,
+        });
+
+        await expect(client.find({ type })).rejects.toThrowError(mockErrors.generalError);
+
+        expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'find')]);
+        expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+      });
+
+      test(`throws decorated ForbiddenError when type's singular and unauthorized`, async () => {
+        const spaceId = 'space_1';
+        const type = 'foo';
+        const username = Symbol();
+        const mockActions = createMockActions();
+        const mockErrors = createMockErrors();
+        const mockCheckPrivileges = {
+          atSpace: jest.fn(async () => ({
+            hasAllRequested: false,
+            username,
+            privileges: {
+              [mockActions.getSavedObjectAction(type, 'find')]: false,
+            }
+          }))
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const mockSpaces = {
+          getSpaceId: jest.fn().mockReturnValue(spaceId)
+        };
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: null,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: mockErrors,
+          request: mockRequest,
+          savedObjectTypes: [],
+          spaces: mockSpaces,
+        });
+        const options = { type };
+
+        await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+        expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'find')]);
+        expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+          username,
+          'find',
+          [type],
+          [mockActions.getSavedObjectAction(type, 'find')],
+          {
+            options
+          }
+        );
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+      });
+
+      test(`throws decorated ForbiddenError when type's an array and unauthorized`, async () => {
+        const spaceId = 'space_1';
+        const type1 = 'foo';
+        const type2 = 'bar';
+        const username = Symbol();
+        const mockActions = createMockActions();
+        const mockErrors = createMockErrors();
+        const mockCheckPrivileges = {
+          atSpace: jest.fn(async () => ({
+            hasAllRequested: false,
+            username,
+            privileges: {
+              [mockActions.getSavedObjectAction(type1, 'find')]: false,
+              [mockActions.getSavedObjectAction(type2, 'find')]: true,
+            }
+          }))
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+
+        const mockAuditLogger = createMockAuditLogger();
+        const mockSpaces = {
+          getSpaceId: jest.fn().mockReturnValue(spaceId)
+        };
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: null,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: mockErrors,
+          request: mockRequest,
+          savedObjectTypes: [],
+          spaces: mockSpaces,
+        });
+        const options = { type: [type1, type2] };
+
+        await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+        expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [
+          mockActions.getSavedObjectAction(type1, 'find'),
+          mockActions.getSavedObjectAction(type2, 'find')
+        ]);
+        expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+          username,
+          'find',
+          [type1, type2],
+          [mockActions.getSavedObjectAction(type1, 'find')],
+          {
+            options
+          }
+        );
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+      });
+
+      test(`returns result of baseClient.find when authorized`, async () => {
+        const spaceId = 'space_1';
+        const type = 'foo';
+        const username = Symbol();
+        const returnValue = Symbol();
+        const mockActions = createMockActions();
+        const mockBaseClient = {
+          find: jest.fn().mockReturnValue(returnValue)
+        };
+        const mockCheckPrivileges = {
+          atSpace: jest.fn(async () => ({
+            hasAllRequested: true,
+            username,
+            privileges: {
+              [mockActions.getSavedObjectAction(type, 'find')]: true,
+            }
+          }))
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const mockSpaces = {
+          getSpaceId: jest.fn().mockReturnValue(spaceId)
+        };
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: mockBaseClient,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: null,
+          request: mockRequest,
+          savedObjectTypes: [],
+          spaces: mockSpaces,
+        });
+        const options = { type };
+
+        const result = await client.find(options);
+
+        expect(result).toBe(returnValue);
+        expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'find')]);
+        expect(mockBaseClient.find).toHaveBeenCalledWith({ type });
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'find', [type], {
+          options,
+        });
+      });
+    });
+
+    describe('no type', () => {
+      test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+        const spaceId = 'space_1';
+        const type1 = 'foo';
+        const type2 = 'bar';
+        const mockErrors = createMockErrors();
+        const mockCheckPrivileges = {
+          atSpace: jest.fn(async () => {
+            throw new Error('An actual error would happen here');
+          })
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const mockActions = createMockActions();
+        const mockSpaces = {
+          getSpaceId: jest.fn().mockReturnValue(spaceId)
+        };
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: null,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: mockErrors,
+          request: mockRequest,
+          savedObjectTypes: [type1, type2],
+          spaces: mockSpaces,
+        });
+
+        await expect(client.find()).rejects.toThrowError(mockErrors.generalError);
+
+        expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [
+          mockActions.getSavedObjectAction(type1, 'find'),
+          mockActions.getSavedObjectAction(type2, 'find'),
+        ]);
+        expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+      });
+
+      test(`throws decorated ForbiddenError when unauthorized`, async () => {
+        const spaceId = 'space_1';
+        const type = 'foo';
+        const username = Symbol();
+        const mockActions = createMockActions();
+        const mockErrors = createMockErrors();
+        const mockCheckPrivileges = {
+          atSpace: jest.fn(async () => ({
+            hasAllRequested: false,
+            username,
+            privileges: {
+              [mockActions.getSavedObjectAction(type, 'find')]: false,
+            }
+          }))
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const mockSpaces = {
+          getSpaceId: jest.fn().mockReturnValue(spaceId)
+        };
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: null,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: mockErrors,
+          request: mockRequest,
+          savedObjectTypes: [type],
+          spaces: mockSpaces,
+        });
+        const options = Symbol();
+
+        await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+        expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'find')]);
+        expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+          username,
+          'find',
+          [type],
+          [mockActions.getSavedObjectAction(type, 'find')],
+          {
+            options
+          }
+        );
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+      });
+
+      test(`returns result of baseClient.find when authorized`, async () => {
+        const spaceId = 'space_1';
+        const type = 'foo';
+        const username = Symbol();
+        const returnValue = Symbol();
+        const mockActions = createMockActions();
+        const mockBaseClient = {
+          find: jest.fn().mockReturnValue(returnValue)
+        };
+        const mockCheckPrivileges = {
+          atSpace: jest.fn(async () => ({
+            hasAllRequested: true,
+            username,
+            privileges: {
+              [mockActions.getSavedObjectAction(type, 'find')]: true,
+            }
+          }))
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const mockSpaces = {
+          getSpaceId: jest.fn().mockReturnValue(spaceId)
+        };
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: mockBaseClient,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: null,
+          request: mockRequest,
+          savedObjectTypes: [type],
+          spaces: mockSpaces,
+        });
+        const options = {
+          bar: true,
+        };
+
+        const result = await client.find(options);
+
+        expect(result).toBe(returnValue);
+        expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'find')]);
+        expect(mockBaseClient.find).toHaveBeenCalledWith({ bar: true, type: ['foo'] });
+        expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+        expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'find', [type], {
+          options: {
+            type: [type],
+            ...options,
+          }
+        });
+      });
+
+      test(`specifies authorized types when calling repository.find()`, async () => {
+        const spaceId = 'space_1';
+        const type1 = 'foo';
+        const type2 = 'bar';
+        const username = Symbol();
+        const mockActions = createMockActions();
+        const mockBaseClient = {
+          find: jest.fn(),
+        };
+        const mockCheckPrivileges = {
+          atSpace: jest.fn(async () => ({
+            hasAllRequested: true,
+            username,
+            privileges: {
+              [mockActions.getSavedObjectAction(type1, 'find')]: false,
+              [mockActions.getSavedObjectAction(type2, 'find')]: true,
+            }
+          }))
+        };
+        const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+        const mockRequest = Symbol();
+        const mockAuditLogger = createMockAuditLogger();
+        const mockSpaces = {
+          getSpaceId: jest.fn().mockReturnValue(spaceId)
+        };
+        const client = new SecureSavedObjectsClientWrapper({
+          actions: mockActions,
+          auditLogger: mockAuditLogger,
+          baseClient: mockBaseClient,
+          checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+          errors: null,
+          request: mockRequest,
+          savedObjectTypes: [type1, type2],
+          spaces: mockSpaces,
+        });
+
+        await client.find();
+
+        expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+        expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [
+          mockActions.getSavedObjectAction(type1, 'find'),
+          mockActions.getSavedObjectAction(type2, 'find'),
+        ]);
+        expect(mockBaseClient.find).toHaveBeenCalledWith(expect.objectContaining({
+          type: [type2]
+        }));
+      });
+    });
+  });
+
+  describe('#bulkGet', () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => {
+          throw new Error('An actual error would happen here');
+        })
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+
+      await expect(client.bulkGet([{ type }])).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'bulk_get')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const spaceId = 'space_1';
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const username = Symbol();
+      const mockActions = createMockActions();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => ({
+          hasAllRequested: false,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type1, 'bulk_get')]: false,
+            [mockActions.getSavedObjectAction(type2, 'bulk_get')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+      const objects = [
+        { type: type1 },
+        { type: type1 },
+        { type: type2 },
+      ];
+      const options = Symbol();
+
+      await expect(client.bulkGet(objects, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [
+        mockActions.getSavedObjectAction(type1, 'bulk_get'),
+        mockActions.getSavedObjectAction(type2, 'bulk_get'),
+      ]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'bulk_get',
+        [type1, type2],
+        [mockActions.getSavedObjectAction(type1, 'bulk_get')],
+        {
+          objects,
+          options,
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`returns result of baseClient.bulkGet when authorized`, async () => {
+      const spaceId = 'space_1';
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockActions = createMockActions();
+      const mockBaseClient = {
+        bulkGet: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => ({
+          hasAllRequested: true,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type1, 'bulk_get')]: true,
+            [mockActions.getSavedObjectAction(type2, 'bulk_get')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: mockBaseClient,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: null,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+      const objects = [
+        { type: type1, id: 'foo-id' },
+        { type: type2, id: 'bar-id' },
+      ];
+      const options = Symbol();
+
+      const result = await client.bulkGet(objects, options);
+
+      expect(result).toBe(returnValue);
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [
+        mockActions.getSavedObjectAction(type1, 'bulk_get'),
+        mockActions.getSavedObjectAction(type2, 'bulk_get'),
+      ]);
+      expect(mockBaseClient.bulkGet).toHaveBeenCalledWith(objects, options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_get', [type1, type2], {
+        objects,
+        options,
+      });
+    });
+  });
+
+  describe('#get', () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => {
+          throw new Error('An actual error would happen here');
+        })
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+
+      await expect(client.get(type)).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'get')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const username = Symbol();
+      const mockActions = createMockActions();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => ({
+          hasAllRequested: false,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'get')]: false,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+      const id = Symbol();
+      const options = Symbol();
+
+      await expect(client.get(type, id, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'get')]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'get',
+        [type],
+        [mockActions.getSavedObjectAction(type, 'get')],
+        {
+          type,
+          id,
+          options,
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`returns result of baseClient.get when authorized`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockActions = createMockActions();
+      const mockBaseClient = {
+        get: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => ({
+          hasAllRequested: true,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'get')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: mockBaseClient,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: null,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+      const id = Symbol();
+      const options = Symbol();
+
+      const result = await client.get(type, id, options);
+
+      expect(result).toBe(returnValue);
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'get')]);
+      expect(mockBaseClient.get).toHaveBeenCalledWith(type, id, options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'get', [type], {
+        type,
+        id,
+        options
+      });
+    });
+  });
+
+  describe('#update', () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => {
+          throw new Error('An actual error would happen here');
+        })
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+
+      await expect(client.update(type)).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'update')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const username = Symbol();
+      const mockActions = createMockActions();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => ({
+          hasAllRequested: false,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'update')]: false,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: null,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: mockErrors,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+      const id = Symbol();
+      const attributes = Symbol();
+      const options = Symbol();
+
+      await expect(client.update(type, id, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'update')]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'update',
+        [type],
+        [mockActions.getSavedObjectAction(type, 'update')],
+        {
+          type,
+          id,
+          attributes,
+          options,
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`returns result of baseClient.update when authorized`, async () => {
+      const spaceId = 'space_1';
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockActions = createMockActions();
+      const mockBaseClient = {
+        update: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = {
+        atSpace: jest.fn(async () => ({
+          hasAllRequested: true,
+          username,
+          privileges: {
+            [mockActions.getSavedObjectAction(type, 'update')]: true,
+          }
+        }))
+      };
+      const mockCheckPrivilegesWithRequest = jest.fn().mockReturnValue(mockCheckPrivileges);
+      const mockRequest = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const mockSpaces = {
+        getSpaceId: jest.fn().mockReturnValue(spaceId)
+      };
+      const client = new SecureSavedObjectsClientWrapper({
+        actions: mockActions,
+        auditLogger: mockAuditLogger,
+        baseClient: mockBaseClient,
+        checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+        errors: null,
+        request: mockRequest,
+        savedObjectTypes: [],
+        spaces: mockSpaces,
+      });
+      const id = Symbol();
+      const attributes = Symbol();
+      const options = Symbol();
+
+      const result = await client.update(type, id, attributes, options);
+
+      expect(result).toBe(returnValue);
+      expect(mockSpaces.getSpaceId).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivilegesWithRequest).toHaveBeenCalledWith(mockRequest);
+      expect(mockCheckPrivileges.atSpace).toHaveBeenCalledWith(spaceId, [mockActions.getSavedObjectAction(type, 'update')]);
+      expect(mockBaseClient.update).toHaveBeenCalledWith(type, id, attributes, options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'update', [type], {
+        type,
+        id,
+        attributes,
+        options,
+      });
+    });
+  });
+});
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/get.js b/x-pack/plugins/security/server/routes/api/public/roles/get.js
index a0c7fd0ec4f39c..797a76110d21af 100644
--- a/x-pack/plugins/security/server/routes/api/public/roles/get.js
+++ b/x-pack/plugins/security/server/routes/api/public/roles/get.js
@@ -5,8 +5,9 @@
  */
 import _ from 'lodash';
 import Boom from 'boom';
+import { GLOBAL_RESOURCE } from '../../../../../common/constants';
 import { wrapError } from '../../../../lib/errors';
-import { ALL_RESOURCE } from '../../../../../common/constants';
+import { spaceApplicationPrivilegesSerializer } from '../../../../lib/authorization';
 
 export function initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn, application) {
 
@@ -19,19 +20,17 @@ export function initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn,
     );
 
     return resourcePrivileges.reduce((result, { resource, privileges }) => {
-      if (resource === ALL_RESOURCE) {
+      if (resource === GLOBAL_RESOURCE) {
         result.global = _.uniq([...result.global, ...privileges]);
         return result;
       }
 
-      const spacePrefix = 'space:';
-      if (resource.startsWith(spacePrefix)) {
-        const spaceId = resource.slice(spacePrefix.length);
-        result.space[spaceId] = _.uniq([...result.space[spaceId] || [], ...privileges]);
-        return result;
-      }
-
-      throw new Error(`Unknown application privilege resource: ${resource}`);
+      const spaceId = spaceApplicationPrivilegesSerializer.resource.deserialize(resource);
+      result.space[spaceId] = _.uniq([
+        ...result.space[spaceId] || [],
+        ...privileges.map(privilege => spaceApplicationPrivilegesSerializer.privilege.deserialize(privilege))
+      ]);
+      return result;
     }, {
       global: [],
       space: {},
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/get.test.js b/x-pack/plugins/security/server/routes/api/public/roles/get.test.js
index f0f3511e32497a..28f754248d829e 100644
--- a/x-pack/plugins/security/server/routes/api/public/roles/get.test.js
+++ b/x-pack/plugins/security/server/routes/api/public/roles/get.test.js
@@ -233,17 +233,17 @@ describe('GET roles', () => {
           applications: [
             {
               application,
-              privileges: ['read'],
+              privileges: ['space_read'],
               resources: ['space:marketing'],
             },
             {
               application,
-              privileges: ['all'],
+              privileges: ['space_all'],
               resources: ['space:marketing'],
             },
             {
               application,
-              privileges: ['read'],
+              privileges: ['space_read'],
               resources: ['space:engineering'],
             },
           ],
@@ -602,17 +602,17 @@ describe('GET role', () => {
           applications: [
             {
               application,
-              privileges: ['read'],
+              privileges: ['space_read'],
               resources: ['space:marketing'],
             },
             {
               application,
-              privileges: ['all'],
+              privileges: ['space_all'],
               resources: ['space:marketing'],
             },
             {
               application,
-              privileges: ['read'],
+              privileges: ['space_read'],
               resources: ['space:engineering'],
             },
           ],
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/index.js b/x-pack/plugins/security/server/routes/api/public/roles/index.js
index 5425af0a1202d3..8bdde88123ee4f 100644
--- a/x-pack/plugins/security/server/routes/api/public/roles/index.js
+++ b/x-pack/plugins/security/server/routes/api/public/roles/index.js
@@ -17,7 +17,7 @@ export function initPublicRolesApi(server) {
 
   const { application, actions } = server.plugins.security.authorization;
   const savedObjectTypes = server.savedObjects.types;
-  const privilegeMap = buildPrivilegeMap(savedObjectTypes, application, actions);
+  const privilegeMap = buildPrivilegeMap(savedObjectTypes, actions);
 
   initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn, application);
   initPutRolesApi(server, callWithRequest, routePreCheckLicenseFn, privilegeMap, application);
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/put.js b/x-pack/plugins/security/server/routes/api/public/roles/put.js
index 262e2259cbea3d..0152453a10a26d 100644
--- a/x-pack/plugins/security/server/routes/api/public/roles/put.js
+++ b/x-pack/plugins/security/server/routes/api/public/roles/put.js
@@ -6,61 +6,61 @@
 
 import { pick, identity } from 'lodash';
 import Joi from 'joi';
+import { GLOBAL_RESOURCE } from '../../../../../common/constants';
 import { wrapError } from '../../../../lib/errors';
-import { ALL_RESOURCE } from '../../../../../common/constants';
+import { spaceApplicationPrivilegesSerializer } from '../../../../lib/authorization';
 
-const transformKibanaPrivilegesToEs = (application, kibanaPrivileges) => {
-  const kibanaApplicationPrivileges = [];
-  if (kibanaPrivileges.global && kibanaPrivileges.global.length) {
-    kibanaApplicationPrivileges.push({
-      privileges: kibanaPrivileges.global,
-      application,
-      resources: [ALL_RESOURCE],
-    });
-  }
+export function initPutRolesApi(
+  server,
+  callWithRequest,
+  routePreCheckLicenseFn,
+  privilegeMap,
+  application
+) {
 
-  if (kibanaPrivileges.space) {
-    for (const [spaceId, privileges] of Object.entries(kibanaPrivileges.space)) {
+  const transformKibanaPrivilegesToEs = (kibanaPrivileges) => {
+    const kibanaApplicationPrivileges = [];
+    if (kibanaPrivileges.global && kibanaPrivileges.global.length) {
       kibanaApplicationPrivileges.push({
-        privileges: privileges,
+        privileges: kibanaPrivileges.global,
         application,
-        resources: [`space:${spaceId}`]
+        resources: [GLOBAL_RESOURCE],
       });
     }
-  }
 
-  return kibanaApplicationPrivileges;
-};
+    if (kibanaPrivileges.space) {
+      for(const [spaceId, privileges] of Object.entries(kibanaPrivileges.space)) {
+        kibanaApplicationPrivileges.push({
+          privileges: privileges.map(privilege => spaceApplicationPrivilegesSerializer.privilege.serialize(privilege)),
+          application,
+          resources: [spaceApplicationPrivilegesSerializer.resource.serialize(spaceId)]
+        });
+      }
+    }
 
-const transformRolesToEs = (
-  application,
-  payload,
-  existingApplications = []
-) => {
-  const { elasticsearch = {}, kibana = {} } = payload;
-  const otherApplications = existingApplications.filter(
-    roleApplication => roleApplication.application !== application
-  );
+    return kibanaApplicationPrivileges;
+  };
 
-  return pick({
-    metadata: payload.metadata,
-    cluster: elasticsearch.cluster || [],
-    indices: elasticsearch.indices || [],
-    run_as: elasticsearch.run_as || [],
-    applications: [
-      ...transformKibanaPrivilegesToEs(application, kibana),
-      ...otherApplications,
-    ],
-  }, identity);
-};
+  const transformRolesToEs = (
+    payload,
+    existingApplications = []
+  ) => {
+    const { elasticsearch = {}, kibana = {} } = payload;
+    const otherApplications = existingApplications.filter(
+      roleApplication => roleApplication.application !== application
+    );
 
-export function initPutRolesApi(
-  server,
-  callWithRequest,
-  routePreCheckLicenseFn,
-  privilegeMap,
-  application
-) {
+    return pick({
+      metadata: payload.metadata,
+      cluster: elasticsearch.cluster || [],
+      indices: elasticsearch.indices || [],
+      run_as: elasticsearch.run_as || [],
+      applications: [
+        ...transformKibanaPrivilegesToEs(kibana),
+        ...otherApplications,
+      ],
+    }, identity);
+  };
 
   const schema = Joi.object().keys({
     metadata: Joi.object().optional(),
@@ -78,8 +78,8 @@ export function initPutRolesApi(
       run_as: Joi.array().items(Joi.string()),
     }),
     kibana: Joi.object().keys({
-      global: Joi.array().items(Joi.string().valid(Object.keys(privilegeMap))),
-      space: Joi.object().pattern(/^/, Joi.array().items(Joi.string().valid(Object.keys(privilegeMap))))
+      global: Joi.array().items(Joi.string().valid(Object.keys(privilegeMap.global))),
+      space: Joi.object().pattern(/^[a-z0-9_-]+$/, Joi.array().items(Joi.string().valid(Object.keys(privilegeMap.space))))
     })
   });
 
@@ -95,7 +95,6 @@ export function initPutRolesApi(
         });
 
         const body = transformRolesToEs(
-          application,
           request.payload,
           existingRoleResponse[name] ? existingRoleResponse[name].applications : []
         );
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/put.test.js b/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
index d159c98c59eb4d..ffa7b247f99d2b 100644
--- a/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
+++ b/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
@@ -7,7 +7,7 @@
 import Hapi from 'hapi';
 import Boom from 'boom';
 import { initPutRolesApi } from './put';
-import { ALL_RESOURCE } from '../../../../../common/constants';
+import { GLOBAL_RESOURCE } from '../../../../../common/constants';
 
 const application = 'kibana-.kibana';
 
@@ -20,9 +20,16 @@ const createMockServer = () => {
 const defaultPreCheckLicenseImpl = (request, reply) => reply();
 
 const privilegeMap = {
-  'test-kibana-privilege-1': {},
-  'test-kibana-privilege-2': {},
-  'test-kibana-privilege-3': {},
+  global: {
+    'test-global-privilege-1': [],
+    'test-global-privilege-2': [],
+    'test-global-privilege-3': [],
+  },
+  space: {
+    'test-space-privilege-1': [],
+    'test-space-privilege-2': [],
+    'test-space-privilege-3': [],
+  }
 };
 
 const putRoleTest = (
@@ -112,7 +119,7 @@ describe('PUT role', () => {
       },
     });
 
-    putRoleTest(`only allows known Kibana privileges`, {
+    putRoleTest(`only allows known Kibana global privileges`, {
       name: 'foo-role',
       payload: {
         kibana: {
@@ -124,7 +131,7 @@ describe('PUT role', () => {
         result: {
           error: 'Bad Request',
           //eslint-disable-next-line max-len
-          message: `child \"kibana\" fails because [child \"global\" fails because [\"global\" at position 0 fails because [\"0\" must be one of [test-kibana-privilege-1, test-kibana-privilege-2, test-kibana-privilege-3]]]]`,
+          message: `child \"kibana\" fails because [child \"global\" fails because [\"global\" at position 0 fails because [\"0\" must be one of [test-global-privilege-1, test-global-privilege-2, test-global-privilege-3]]]]`,
           statusCode: 400,
           validation: {
             keys: ['kibana.global.0'],
@@ -134,6 +141,76 @@ describe('PUT role', () => {
       },
     });
 
+    putRoleTest(`only allows known Kibana space privileges`, {
+      name: 'foo-role',
+      payload: {
+        kibana: {
+          space: {
+            quz: ['foo']
+          }
+        }
+      },
+      asserts: {
+        statusCode: 400,
+        result: {
+          error: 'Bad Request',
+          //eslint-disable-next-line max-len
+          message: `child \"kibana\" fails because [child \"space\" fails because [child \"quz\" fails because [\"quz\" at position 0 fails because [\"0\" must be one of [test-space-privilege-1, test-space-privilege-2, test-space-privilege-3]]]]]`,
+          statusCode: 400,
+          validation: {
+            keys: ['kibana.space.quz.0'],
+            source: 'payload',
+          },
+        },
+      },
+    });
+
+    putRoleTest(`doesn't allow * space ID`, {
+      name: 'foo-role',
+      payload: {
+        kibana: {
+          space: {
+            '*': ['test-space-privilege-1']
+          }
+        }
+      },
+      asserts: {
+        statusCode: 400,
+        result: {
+          error: 'Bad Request',
+          message: `child \"kibana\" fails because [child \"space\" fails because [\"&#x2a;\" is not allowed]]`,
+          statusCode: 400,
+          validation: {
+            keys: ['kibana.space.&#x2a;'],
+            source: 'payload',
+          },
+        },
+      },
+    });
+
+    putRoleTest(`doesn't allow * in a space ID`, {
+      name: 'foo-role',
+      payload: {
+        kibana: {
+          space: {
+            'foo-*': ['test-space-privilege-1']
+          }
+        }
+      },
+      asserts: {
+        statusCode: 400,
+        result: {
+          error: 'Bad Request',
+          message: `child \"kibana\" fails because [child \"space\" fails because [\"foo-&#x2a;\" is not allowed]]`,
+          statusCode: 400,
+          validation: {
+            keys: ['kibana.space.foo-&#x2a;'],
+            source: 'payload',
+          },
+        },
+      },
+    });
+
     putRoleTest(`returns result of routePreCheckLicense`, {
       name: 'foo-role',
       payload: {},
@@ -199,10 +276,10 @@ describe('PUT role', () => {
           run_as: ['test-run-as-1', 'test-run-as-2'],
         },
         kibana: {
-          global: ['test-kibana-privilege-1', 'test-kibana-privilege-2', 'test-kibana-privilege-3'],
+          global: ['test-global-privilege-1', 'test-global-privilege-2', 'test-global-privilege-3'],
           space: {
-            'test-space-1': ['test-kibana-privilege-1', 'test-kibana-privilege-2'],
-            'test-space-2': ['test-kibana-privilege-3'],
+            'test-space-1': ['test-space-privilege-1', 'test-space-privilege-2'],
+            'test-space-2': ['test-space-privilege-3'],
           }
         },
       },
@@ -220,24 +297,24 @@ describe('PUT role', () => {
                   {
                     application,
                     privileges: [
-                      'test-kibana-privilege-1',
-                      'test-kibana-privilege-2',
-                      'test-kibana-privilege-3'
+                      'test-global-privilege-1',
+                      'test-global-privilege-2',
+                      'test-global-privilege-3'
                     ],
-                    resources: [ALL_RESOURCE],
+                    resources: [GLOBAL_RESOURCE],
                   },
                   {
                     application,
                     privileges: [
-                      'test-kibana-privilege-1',
-                      'test-kibana-privilege-2'
+                      'space_test-space-privilege-1',
+                      'space_test-space-privilege-2'
                     ],
                     resources: ['space:test-space-1']
                   },
                   {
                     application,
                     privileges: [
-                      'test-kibana-privilege-3',
+                      'space_test-space-privilege-3',
                     ],
                     resources: ['space:test-space-2']
                   },
@@ -290,10 +367,10 @@ describe('PUT role', () => {
           run_as: ['test-run-as-1', 'test-run-as-2'],
         },
         kibana: {
-          global: ['test-kibana-privilege-1', 'test-kibana-privilege-2', 'test-kibana-privilege-3'],
+          global: ['test-global-privilege-1', 'test-global-privilege-2', 'test-global-privilege-3'],
           space: {
-            'test-space-1': ['test-kibana-privilege-1', 'test-kibana-privilege-2'],
-            'test-space-2': ['test-kibana-privilege-3'],
+            'test-space-1': ['test-space-privilege-1', 'test-space-privilege-2'],
+            'test-space-2': ['test-space-privilege-3'],
           }
         },
       },
@@ -343,24 +420,24 @@ describe('PUT role', () => {
                   {
                     application,
                     privileges: [
-                      'test-kibana-privilege-1',
-                      'test-kibana-privilege-2',
-                      'test-kibana-privilege-3'
+                      'test-global-privilege-1',
+                      'test-global-privilege-2',
+                      'test-global-privilege-3'
                     ],
-                    resources: [ALL_RESOURCE],
+                    resources: [GLOBAL_RESOURCE],
                   },
                   {
                     application,
                     privileges: [
-                      'test-kibana-privilege-1',
-                      'test-kibana-privilege-2'
+                      'space_test-space-privilege-1',
+                      'space_test-space-privilege-2'
                     ],
                     resources: ['space:test-space-1']
                   },
                   {
                     application,
                     privileges: [
-                      'test-kibana-privilege-3',
+                      'space_test-space-privilege-3',
                     ],
                     resources: ['space:test-space-2']
                   },
@@ -414,9 +491,9 @@ describe('PUT role', () => {
           },
           kibana: {
             global: [
-              'test-kibana-privilege-1',
-              'test-kibana-privilege-2',
-              'test-kibana-privilege-3'
+              'test-global-privilege-1',
+              'test-global-privilege-2',
+              'test-global-privilege-3'
             ],
           },
         },
@@ -471,11 +548,11 @@ describe('PUT role', () => {
                     {
                       application,
                       privileges: [
-                        'test-kibana-privilege-1',
-                        'test-kibana-privilege-2',
-                        'test-kibana-privilege-3'
+                        'test-global-privilege-1',
+                        'test-global-privilege-2',
+                        'test-global-privilege-3'
                       ],
-                      resources: [ALL_RESOURCE],
+                      resources: [GLOBAL_RESOURCE],
                     },
                     {
                       application: 'logstash-foo',
diff --git a/x-pack/plugins/security/server/routes/api/v1/__tests__/authenticate.js b/x-pack/plugins/security/server/routes/api/v1/__tests__/authenticate.js
index 4139569e51b345..155fc041f24a55 100644
--- a/x-pack/plugins/security/server/routes/api/v1/__tests__/authenticate.js
+++ b/x-pack/plugins/security/server/routes/api/v1/__tests__/authenticate.js
@@ -15,7 +15,6 @@ import { AuthenticationResult } from '../../../../../server/lib/authentication/a
 import { BasicCredentials } from '../../../../../server/lib/authentication/providers/basic';
 import { initAuthenticateApi } from '../authenticate';
 import { DeauthenticationResult } from '../../../../lib/authentication/deauthentication_result';
-import { CHECK_PRIVILEGES_RESULT } from '../../../../lib/authorization';
 
 describe('Authentication routes', () => {
   let serverStub;
@@ -34,7 +33,7 @@ describe('Authentication routes', () => {
     let loginRoute;
     let request;
     let authenticateStub;
-    let checkPrivilegesWithRequestStub;
+    let authorizationModeStub;
 
     beforeEach(() => {
       loginRoute = serverStub.route
@@ -50,7 +49,7 @@ describe('Authentication routes', () => {
       authenticateStub = serverStub.plugins.security.authenticate.withArgs(
         sinon.match(BasicCredentials.decorateRequest({ headers: {} }, 'user', 'password'))
       );
-      checkPrivilegesWithRequestStub = serverStub.plugins.security.authorization.checkPrivilegesWithRequest;
+      authorizationModeStub = serverStub.plugins.security.authorization.mode;
     });
 
     it('correctly defines route.', async () => {
@@ -134,59 +133,37 @@ describe('Authentication routes', () => {
       const getDeprecationMessage = username =>
         `${username} relies on index privileges on the Kibana index. This is deprecated and will be removed in Kibana 7.0`;
 
-      it(`returns user data and doesn't log deprecation warning if checkPrivileges result is authorized.`, async () => {
+      it(`returns user data and doesn't log deprecation warning if authorization.mode.useRbacForRequest returns true.`, async () => {
         const user = { username: 'user' };
         authenticateStub.returns(
           Promise.resolve(AuthenticationResult.succeeded(user))
         );
-        const checkPrivilegesStub = sinon.stub().returns({ result: CHECK_PRIVILEGES_RESULT.AUTHORIZED });
-        checkPrivilegesWithRequestStub.returns(checkPrivilegesStub);
+        authorizationModeStub.useRbacForRequest.returns(true);
 
         await loginRoute.handler(request, replyStub);
 
-        sinon.assert.calledWithExactly(checkPrivilegesWithRequestStub, request);
-        sinon.assert.calledWithExactly(checkPrivilegesStub, [serverStub.plugins.security.authorization.actions.login]);
+        sinon.assert.calledWithExactly(authorizationModeStub.useRbacForRequest, request);
         sinon.assert.neverCalledWith(serverStub.log, ['warning', 'deprecated', 'security'], getDeprecationMessage(user.username));
         sinon.assert.notCalled(replyStub);
         sinon.assert.calledOnce(replyStub.continue);
         sinon.assert.calledWithExactly(replyStub.continue, { credentials: user });
       });
 
-      it(`returns user data and logs deprecation warning if checkPrivileges result is legacy.`, async () => {
+      it(`returns user data and logs deprecation warning if authorization.mode.useRbacForRequest returns false.`, async () => {
         const user = { username: 'user' };
         authenticateStub.returns(
           Promise.resolve(AuthenticationResult.succeeded(user))
         );
-        const checkPrivilegesStub = sinon.stub().returns({ result: CHECK_PRIVILEGES_RESULT.LEGACY });
-        checkPrivilegesWithRequestStub.returns(checkPrivilegesStub);
+        authorizationModeStub.useRbacForRequest.returns(false);
 
         await loginRoute.handler(request, replyStub);
 
-        sinon.assert.calledWithExactly(checkPrivilegesWithRequestStub, request);
-        sinon.assert.calledWithExactly(checkPrivilegesStub, [serverStub.plugins.security.authorization.actions.login]);
+        sinon.assert.calledWithExactly(authorizationModeStub.useRbacForRequest, request);
         sinon.assert.calledWith(serverStub.log, ['warning', 'deprecated', 'security'], getDeprecationMessage(user.username));
         sinon.assert.notCalled(replyStub);
         sinon.assert.calledOnce(replyStub.continue);
         sinon.assert.calledWithExactly(replyStub.continue, { credentials: user });
       });
-
-      it(`returns user data and doesn't log deprecation warning if checkPrivileges result is unauthorized.`, async () => {
-        const user = { username: 'user' };
-        authenticateStub.returns(
-          Promise.resolve(AuthenticationResult.succeeded(user))
-        );
-        const checkPrivilegesStub = sinon.stub().returns({ result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED });
-        checkPrivilegesWithRequestStub.returns(checkPrivilegesStub);
-
-        await loginRoute.handler(request, replyStub);
-
-        sinon.assert.calledWithExactly(checkPrivilegesWithRequestStub, request);
-        sinon.assert.calledWithExactly(checkPrivilegesStub, [serverStub.plugins.security.authorization.actions.login]);
-        sinon.assert.neverCalledWith(serverStub.log, ['warning', 'deprecated', 'security'], getDeprecationMessage(user.username));
-        sinon.assert.notCalled(replyStub);
-        sinon.assert.calledOnce(replyStub.continue);
-        sinon.assert.calledWithExactly(replyStub.continue, { credentials: user });
-      });
     });
 
   });
diff --git a/x-pack/plugins/security/server/routes/api/v1/authenticate.js b/x-pack/plugins/security/server/routes/api/v1/authenticate.js
index e92a0a2a9536c9..c791def49e9d25 100644
--- a/x-pack/plugins/security/server/routes/api/v1/authenticate.js
+++ b/x-pack/plugins/security/server/routes/api/v1/authenticate.js
@@ -9,7 +9,6 @@ import Joi from 'joi';
 import { wrapError } from '../../../lib/errors';
 import { BasicCredentials } from '../../../../server/lib/authentication/providers/basic';
 import { canRedirectRequest } from '../../../lib/can_redirect_request';
-import { CHECK_PRIVILEGES_RESULT } from '../../../../server/lib/authorization';
 
 export function initAuthenticateApi(server) {
 
@@ -41,9 +40,7 @@ export function initAuthenticateApi(server) {
         }
 
         const { authorization } = server.plugins.security;
-        const checkPrivileges = authorization.checkPrivilegesWithRequest(request);
-        const privilegeCheck = await checkPrivileges([authorization.actions.login]);
-        if (privilegeCheck.result === CHECK_PRIVILEGES_RESULT.LEGACY) {
+        if (!authorization.mode.useRbacForRequest(request)) {
           const msg = `${username} relies on index privileges on the Kibana index. This is deprecated and will be removed in Kibana 7.0`;
           server.log(['warning', 'deprecated', 'security'], msg);
         }
diff --git a/x-pack/plugins/security/server/routes/api/v1/privileges.js b/x-pack/plugins/security/server/routes/api/v1/privileges.js
deleted file mode 100644
index 4bf1b2c5cc7a5e..00000000000000
--- a/x-pack/plugins/security/server/routes/api/v1/privileges.js
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { buildPrivilegeMap } from '../../../lib/authorization';
-
-export function initPrivilegesApi(server) {
-  const { authorization } = server.plugins.security;
-  const savedObjectTypes = server.savedObjects.types;
-
-  server.route({
-    method: 'GET',
-    path: '/api/security/v1/privileges',
-    handler(request, reply) {
-      // we're returning our representation of the privileges, as opposed to the ones that are stored
-      // in Elasticsearch because our current thinking is that we'll associate additional structure/metadata
-      // with our view of them to allow users to more efficiently edit privileges for roles, and serialize it
-      // into a different structure for enforcement within Elasticsearch
-      const privileges = buildPrivilegeMap(savedObjectTypes, authorization.application, authorization.actions);
-      reply(Object.values(privileges));
-    }
-  });
-}
diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index 9992dfd148301f..b7cfeb94f958e7 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -19,6 +19,9 @@ import { wrapError } from './server/lib/errors';
 import mappings from './mappings.json';
 import { spacesSavedObjectsClientWrapperFactory } from './server/lib/saved_objects_client/saved_objects_client_wrapper_factory';
 import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status_and_license_to_initialize';
+import { SpacesClient } from './server/lib/spaces_client';
+import { SpacesAuditLogger } from './server/lib/audit_logger';
+import { AuditLogger } from '../../server/lib/audit_logger';
 
 export const spaces = (kibana) => new kibana.Plugin({
   id: 'spaces',
@@ -58,10 +61,11 @@ export const spaces = (kibana) => new kibana.Plugin({
       };
     },
     replaceInjectedVars: async function (vars, request, server) {
+      const spacesClient = server.plugins.spaces.spacesClient.getScopedClient(request);
       try {
         vars.activeSpace = {
           valid: true,
-          space: await getActiveSpace(request.getSavedObjectsClient(), request.getBasePath(), server.config().get('server.basePath'))
+          space: await getActiveSpace(spacesClient, request.getBasePath(), server.config().get('server.basePath'))
         };
       } catch (e) {
         vars.activeSpace = {
@@ -89,11 +93,26 @@ export const spaces = (kibana) => new kibana.Plugin({
     validateConfig(config, message => server.log(['spaces', 'warning'], message));
 
     const spacesService = createSpacesService(server);
-    server.decorate('server', 'spaces', spacesService);
+    server.expose('getSpaceId', (request) => spacesService.getSpaceId(request));
 
-    const { addScopedSavedObjectsClientWrapperFactory } = server.savedObjects;
-    addScopedSavedObjectsClientWrapperFactory(
-      spacesSavedObjectsClientWrapperFactory(spacesService)
+    const spacesAuditLogger = new SpacesAuditLogger(config, new AuditLogger(server, 'spaces'));
+
+    server.expose('spacesClient', {
+      getScopedClient: (request) => {
+        const adminCluster = server.plugins.elasticsearch.getCluster('admin');
+        const { callWithRequest, callWithInternalUser } = adminCluster;
+        const callCluster = (...args) => callWithRequest(request, ...args);
+        const { savedObjects } = server;
+        const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
+        const callWithRequestRepository = savedObjects.getSavedObjectsRepository(callCluster);
+        const authorization = server.plugins.security ? server.plugins.security.authorization : null;
+        return new SpacesClient(spacesAuditLogger, authorization, callWithRequestRepository, internalRepository, request);
+      }
+    });
+
+    const { addScopedSavedObjectsClientWrapperFactory, types } = server.savedObjects;
+    addScopedSavedObjectsClientWrapperFactory(Number.MAX_VALUE,
+      spacesSavedObjectsClientWrapperFactory(spacesService, types)
     );
 
     server.addScopedTutorialContextFactory(
diff --git a/x-pack/plugins/spaces/server/lib/__snapshots__/spaces_client.test.ts.snap b/x-pack/plugins/spaces/server/lib/__snapshots__/spaces_client.test.ts.snap
new file mode 100644
index 00000000000000..4b0c0274cedf98
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/__snapshots__/spaces_client.test.ts.snap
@@ -0,0 +1,17 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`#create useRbacForRequest is true throws Boom.forbidden if the user isn't authorized at space 1`] = `"Unauthorized to create spaces"`;
+
+exports[`#delete authorization is null throws Boom.badRequest when the space is reserved 1`] = `"This Space cannot be deleted because it is reserved."`;
+
+exports[`#delete authorization.mode.useRbacForRequest returns false throws Boom.badRequest when the space is reserved 1`] = `"This Space cannot be deleted because it is reserved."`;
+
+exports[`#delete authorization.mode.useRbacForRequest returns true throws Boom.badRequest if the user is authorized but the space is reserved 1`] = `"This Space cannot be deleted because it is reserved."`;
+
+exports[`#delete authorization.mode.useRbacForRequest returns true throws Boom.forbidden if the user isn't authorized 1`] = `"Unauthorized to delete spaces"`;
+
+exports[`#get useRbacForRequest is true throws Boom.forbidden if the user isn't authorized at space 1`] = `"Unauthorized to get foo-space space"`;
+
+exports[`#getAll useRbacForRequest is true throws Boom.forbidden when user isn't authorized for any spaces 1`] = `"Forbidden"`;
+
+exports[`#update useRbacForRequest is true throws Boom.forbidden when user isn't authorized at space 1`] = `"Unauthorized to update spaces"`;
diff --git a/x-pack/plugins/spaces/server/lib/audit_logger.test.ts b/x-pack/plugins/spaces/server/lib/audit_logger.test.ts
new file mode 100644
index 00000000000000..53d0befd01380f
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/audit_logger.test.ts
@@ -0,0 +1,140 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { SpacesAuditLogger } from './audit_logger';
+
+const createMockConfig = (settings: any) => {
+  const mockConfig = {
+    get: jest.fn(),
+  };
+
+  mockConfig.get.mockImplementation(key => {
+    return settings[key];
+  });
+
+  return mockConfig;
+};
+
+const createMockAuditLogger = () => {
+  return {
+    log: jest.fn(),
+  };
+};
+
+describe(`#savedObjectsAuthorizationFailure`, () => {
+  test(`doesn't log anything when xpack.security.audit.enabled is false`, () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': false,
+    });
+    const auditLogger = createMockAuditLogger();
+
+    const securityAuditLogger = new SpacesAuditLogger(config, auditLogger);
+    securityAuditLogger.spacesAuthorizationFailure('foo-user', 'foo-action');
+
+    expect(auditLogger.log).toHaveBeenCalledTimes(0);
+  });
+
+  test('logs with spaceIds via auditLogger when xpack.security.audit.enabled is true', () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': true,
+    });
+    const auditLogger = createMockAuditLogger();
+    const securityAuditLogger = new SpacesAuditLogger(config, auditLogger);
+    const username = 'foo-user';
+    const action = 'foo-action';
+    const spaceIds = ['foo-space-1', 'foo-space-2'];
+
+    securityAuditLogger.spacesAuthorizationFailure(username, action, spaceIds);
+
+    expect(auditLogger.log).toHaveBeenCalledWith(
+      'spaces_authorization_failure',
+      expect.stringContaining(`${username} unauthorized to ${action} ${spaceIds.join(',')} spaces`),
+      {
+        username,
+        action,
+        spaceIds,
+      }
+    );
+  });
+
+  test('logs without spaceIds via auditLogger when xpack.security.audit.enabled is true', () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': true,
+    });
+    const auditLogger = createMockAuditLogger();
+    const securityAuditLogger = new SpacesAuditLogger(config, auditLogger);
+    const username = 'foo-user';
+    const action = 'foo-action';
+
+    securityAuditLogger.spacesAuthorizationFailure(username, action);
+
+    expect(auditLogger.log).toHaveBeenCalledWith(
+      'spaces_authorization_failure',
+      expect.stringContaining(`${username} unauthorized to ${action} spaces`),
+      {
+        username,
+        action,
+      }
+    );
+  });
+});
+
+describe(`#savedObjectsAuthorizationSuccess`, () => {
+  test(`doesn't log anything when xpack.security.audit.enabled is false`, () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': false,
+    });
+    const auditLogger = createMockAuditLogger();
+
+    const securityAuditLogger = new SpacesAuditLogger(config, auditLogger);
+    securityAuditLogger.spacesAuthorizationSuccess('foo-user', 'foo-action');
+
+    expect(auditLogger.log).toHaveBeenCalledTimes(0);
+  });
+
+  test('logs with spaceIds via auditLogger when xpack.security.audit.enabled is true', () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': true,
+    });
+    const auditLogger = createMockAuditLogger();
+    const securityAuditLogger = new SpacesAuditLogger(config, auditLogger);
+    const username = 'foo-user';
+    const action = 'foo-action';
+    const spaceIds = ['foo-space-1', 'foo-space-2'];
+
+    securityAuditLogger.spacesAuthorizationSuccess(username, action, spaceIds);
+
+    expect(auditLogger.log).toHaveBeenCalledWith(
+      'spaces_authorization_success',
+      expect.stringContaining(`${username} authorized to ${action} ${spaceIds.join(',')} spaces`),
+      {
+        username,
+        action,
+        spaceIds,
+      }
+    );
+  });
+
+  test('logs without spaceIds via auditLogger when xpack.security.audit.enabled is true', () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': true,
+    });
+    const auditLogger = createMockAuditLogger();
+    const securityAuditLogger = new SpacesAuditLogger(config, auditLogger);
+    const username = 'foo-user';
+    const action = 'foo-action';
+
+    securityAuditLogger.spacesAuthorizationSuccess(username, action);
+
+    expect(auditLogger.log).toHaveBeenCalledWith(
+      'spaces_authorization_success',
+      expect.stringContaining(`${username} authorized to ${action} spaces`),
+      {
+        username,
+        action,
+      }
+    );
+  });
+});
diff --git a/x-pack/plugins/spaces/server/lib/audit_logger.ts b/x-pack/plugins/spaces/server/lib/audit_logger.ts
new file mode 100644
index 00000000000000..b9bd3f5fe03998
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/audit_logger.ts
@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export class SpacesAuditLogger {
+  private readonly enabled: boolean;
+  private readonly auditLogger: any;
+
+  constructor(config: any, auditLogger: any) {
+    this.enabled = config.get('xpack.security.audit.enabled');
+    this.auditLogger = auditLogger;
+  }
+  public spacesAuthorizationFailure(username: string, action: string, spaceIds?: string[]) {
+    if (!this.enabled) {
+      return;
+    }
+
+    this.auditLogger.log(
+      'spaces_authorization_failure',
+      `${username} unauthorized to ${action}${spaceIds ? ' ' + spaceIds.join(',') : ''} spaces`,
+      {
+        username,
+        action,
+        spaceIds,
+      }
+    );
+  }
+
+  public spacesAuthorizationSuccess(username: string, action: string, spaceIds?: string[]) {
+    if (!this.enabled) {
+      return;
+    }
+
+    this.auditLogger.log(
+      'spaces_authorization_success',
+      `${username} authorized to ${action}${spaceIds ? ' ' + spaceIds.join(',') : ''} spaces`,
+      {
+        username,
+        action,
+        spaceIds,
+      }
+    );
+  }
+}
diff --git a/x-pack/plugins/spaces/server/lib/get_active_space.js b/x-pack/plugins/spaces/server/lib/get_active_space.js
index 5ab9bb744b3c66..143ed1b3e5dda4 100644
--- a/x-pack/plugins/spaces/server/lib/get_active_space.js
+++ b/x-pack/plugins/spaces/server/lib/get_active_space.js
@@ -4,34 +4,16 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import Boom from 'boom';
 import { wrapError } from './errors';
 import { getSpaceIdFromPath } from './spaces_url_parser';
 
-export async function getActiveSpace(savedObjectsClient, requestBasePath, serverBasePath) {
+export async function getActiveSpace(spacesClient, requestBasePath, serverBasePath) {
   const spaceId = getSpaceIdFromPath(requestBasePath, serverBasePath);
 
-  let space;
-
   try {
-    space = await getSpaceById(savedObjectsClient, spaceId);
+    return spacesClient.get(spaceId);
   }
   catch (e) {
     throw wrapError(e);
   }
-
-  if (!space) {
-    throw Boom.notFound(
-      `The Space you requested could not be found. Please select a different Space to continue.`
-    );
-  }
-
-  return {
-    id: space.id,
-    ...space.attributes
-  };
-}
-
-async function getSpaceById(savedObjectsClient, spaceId) {
-  return savedObjectsClient.get('space', spaceId);
 }
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap b/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
index 8b1a2581383555..e52af9a98001a0 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
@@ -1,29 +1,65 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
+exports[`default space #bulkCreate throws error if objects type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
 exports[`default space #bulkCreate throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
+exports[`default space #bulkGet throws error if objects type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
 exports[`default space #bulkGet throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
 exports[`default space #create throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
+exports[`default space #create throws error if type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
 exports[`default space #delete throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
+exports[`default space #delete throws error if type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
+exports[`default space #find if options.type isn't provided specifies options.type based on the types excluding the space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
 exports[`default space #find throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
+exports[`default space #find throws error if options.type is array containing space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
+exports[`default space #find throws error if options.type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
 exports[`default space #get throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
+exports[`default space #get throws error if type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
 exports[`default space #update throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
+exports[`default space #update throws error if type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
+exports[`space_1 space #bulkCreate throws error if objects type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
 exports[`space_1 space #bulkCreate throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
+exports[`space_1 space #bulkGet throws error if objects type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
 exports[`space_1 space #bulkGet throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
 exports[`space_1 space #create throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
+exports[`space_1 space #create throws error if type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
 exports[`space_1 space #delete throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
+exports[`space_1 space #delete throws error if type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
+exports[`space_1 space #find if options.type isn't provided specifies options.type based on the types excluding the space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
 exports[`space_1 space #find throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
+exports[`space_1 space #find throws error if options.type is array containing space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
+exports[`space_1 space #find throws error if options.type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
 exports[`space_1 space #get throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
 
+exports[`space_1 space #get throws error if type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
+
 exports[`space_1 space #update throws error if options.namespace is specified 1`] = `"Spaces currently determines the namespaces"`;
+
+exports[`space_1 space #update throws error if type is space 1`] = `"Spaces can not be accessed using the SavedObjectsClient"`;
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js
index 3f7c0cbe2124ef..da7a448d86d2d7 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js
@@ -6,10 +6,11 @@
 
 import { SpacesSavedObjectsClient } from './spaces_saved_objects_client';
 
-export function spacesSavedObjectsClientWrapperFactory(spacesService) {
+export function spacesSavedObjectsClientWrapperFactory(spacesService, types) {
   return ({ client, request }) => new SpacesSavedObjectsClient({
     baseClient: client,
     request,
     spacesService,
+    types,
   });
 }
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
index 7f66b145e593e9..92c9385cdda257 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
@@ -6,17 +6,53 @@
 
 import { DEFAULT_SPACE_ID } from '../../../common/constants';
 
+const coerceToArray = (param) => {
+  if (Array.isArray(param)) {
+    return param;
+  }
+
+  return [param];
+};
+
+const getNamespace = (spaceId) => {
+  if (spaceId === DEFAULT_SPACE_ID) {
+    return undefined;
+  }
+
+  return spaceId;
+};
+
+const throwErrorIfNamespaceSpecified = (options) => {
+  if (options.namespace) {
+    throw new Error('Spaces currently determines the namespaces');
+  }
+};
+
+const throwErrorIfTypeIsSpace = (type) => {
+  if (type === 'space') {
+    throw new Error('Spaces can not be accessed using the SavedObjectsClient');
+  }
+};
+
+const throwErrorIfTypesContainsSpace = (types) => {
+  for (const type of types) {
+    throwErrorIfTypeIsSpace(type);
+  }
+};
+
 export class SpacesSavedObjectsClient {
   constructor(options) {
     const {
       baseClient,
       request,
       spacesService,
+      types,
     } = options;
 
     this.errors = baseClient.errors;
     this._client = baseClient;
     this._spaceId = spacesService.getSpaceId(request);
+    this._types = types;
   }
 
   /**
@@ -31,13 +67,12 @@ export class SpacesSavedObjectsClient {
    * @returns {promise} - { id, type, version, attributes }
   */
   async create(type, attributes = {}, options = {}) {
-    if (options.namespace) {
-      throw new Error('Spaces currently determines the namespaces');
-    }
+    throwErrorIfTypeIsSpace(type);
+    throwErrorIfNamespaceSpecified(options);
 
     return await this._client.create(type, attributes, {
       ...options,
-      namespace: this._getNamespace(this._spaceId)
+      namespace: getNamespace(this._spaceId)
     });
   }
 
@@ -51,13 +86,12 @@ export class SpacesSavedObjectsClient {
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes, error: { message } }]}
    */
   async bulkCreate(objects, options = {}) {
-    if (options.namespace) {
-      throw new Error('Spaces currently determines the namespaces');
-    }
+    throwErrorIfTypesContainsSpace(objects.map(object => object.type));
+    throwErrorIfNamespaceSpecified(options);
 
     return await this._client.bulkCreate(objects, {
       ...options,
-      namespace: this._getNamespace(this._spaceId)
+      namespace: getNamespace(this._spaceId)
     });
   }
 
@@ -71,13 +105,12 @@ export class SpacesSavedObjectsClient {
    * @returns {promise}
    */
   async delete(type, id, options = {}) {
-    if (options.namespace) {
-      throw new Error('Spaces currently determines the namespaces');
-    }
+    throwErrorIfTypeIsSpace(type);
+    throwErrorIfNamespaceSpecified(options);
 
     return await this._client.delete(type, id, {
       ...options,
-      namespace: this._getNamespace(this._spaceId)
+      namespace: getNamespace(this._spaceId)
     });
   }
 
@@ -96,13 +129,13 @@ export class SpacesSavedObjectsClient {
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }], total, per_page, page }
    */
   async find(options = {}) {
-    if (options.namespace) {
-      throw new Error('Spaces currently determines the namespaces');
-    }
+    throwErrorIfTypesContainsSpace(coerceToArray(options.type));
+    throwErrorIfNamespaceSpecified(options);
 
     return await this._client.find({
       ...options,
-      namespace: this._getNamespace(this._spaceId)
+      type: (options.type ? coerceToArray(options.type) : this._types).filter(type => type !== 'space'),
+      namespace: getNamespace(this._spaceId)
     });
   }
 
@@ -121,13 +154,12 @@ export class SpacesSavedObjectsClient {
    * ])
    */
   async bulkGet(objects = [], options = {}) {
-    if (options.namespace) {
-      throw new Error('Spaces currently determines the namespaces');
-    }
+    throwErrorIfTypesContainsSpace(objects.map(object => object.type));
+    throwErrorIfNamespaceSpecified(options);
 
     return await this._client.bulkGet(objects, {
       ...options,
-      namespace: this._getNamespace(this._spaceId)
+      namespace: getNamespace(this._spaceId)
     });
   }
 
@@ -141,13 +173,12 @@ export class SpacesSavedObjectsClient {
    * @returns {promise} - { id, type, version, attributes }
    */
   async get(type, id, options = {}) {
-    if (options.namespace) {
-      throw new Error('Spaces currently determines the namespaces');
-    }
+    throwErrorIfTypeIsSpace(type);
+    throwErrorIfNamespaceSpecified(options);
 
     return await this._client.get(type, id, {
       ...options,
-      namespace: this._getNamespace(this._spaceId)
+      namespace: getNamespace(this._spaceId)
     });
   }
 
@@ -162,21 +193,12 @@ export class SpacesSavedObjectsClient {
    * @returns {promise}
    */
   async update(type, id, attributes, options = {}) {
-    if (options.namespace) {
-      throw new Error('Spaces currently determines the namespaces');
-    }
+    throwErrorIfTypeIsSpace(type);
+    throwErrorIfNamespaceSpecified(options);
 
     return await this._client.update(type, id, attributes, {
       ...options,
-      namespace: this._getNamespace(this._spaceId)
+      namespace: getNamespace(this._spaceId)
     });
   }
-
-  _getNamespace(spaceId) {
-    if (spaceId === DEFAULT_SPACE_ID) {
-      return undefined;
-    }
-
-    return spaceId;
-  }
 }
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
index a25ccc2136de9b..fe9e363b01ce3f 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
@@ -57,7 +57,21 @@ const createMockClient = () => {
           spacesService,
         });
 
-        await expect(client.get(null, null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+        await expect(client.get('foo', null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+      });
+
+      test(`throws error if type is space`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
+
+        await expect(client.get('space', null)).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`supplements options with undefined namespace`, async () => {
@@ -94,7 +108,21 @@ const createMockClient = () => {
           spacesService,
         });
 
-        await expect(client.bulkGet(null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+        await expect(client.bulkGet([{ type: 'foo' }], { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+      });
+
+      test(`throws error if objects type is space`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
+
+        await expect(client.bulkGet([{ type: 'foo' }, { type: 'space' }], { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`supplements options with undefined namespace`, async () => {
@@ -110,7 +138,7 @@ const createMockClient = () => {
           spacesService,
         });
 
-        const objects = Symbol();
+        const objects = [{ type: 'foo' }];
         const options = Object.freeze({ foo: 'bar' });
         const actualReturnValue = await client.bulkGet(objects, options);
 
@@ -134,6 +162,76 @@ const createMockClient = () => {
         await expect(client.find({ namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
       });
 
+      test(`throws error if options.type is space`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const expectedReturnValue = Symbol();
+        baseClient.find.mockReturnValue(expectedReturnValue);
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
+
+        await expect(client.find({ type: 'space' })).rejects.toThrowErrorMatchingSnapshot();
+      });
+
+      test(`passes options.type to baseClient if valid singular type specified`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const expectedReturnValue = Symbol();
+        baseClient.find.mockReturnValue(expectedReturnValue);
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
+        const options = Object.freeze({ type: 'foo' });
+
+        const actualReturnValue = await client.find(options);
+
+        expect(actualReturnValue).toBe(expectedReturnValue);
+        expect(baseClient.find).toHaveBeenCalledWith({ type: ['foo'], namespace: currentSpace.expectedNamespace });
+      });
+
+      test(`throws error if options.type is array containing space`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const expectedReturnValue = Symbol();
+        baseClient.find.mockReturnValue(expectedReturnValue);
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
+
+        await expect(client.find({ type: ['space', 'foo'] })).rejects.toThrowErrorMatchingSnapshot();
+      });
+
+      test(`if options.type isn't provided specifies options.type based on the types excluding the space`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const expectedReturnValue = Symbol();
+        baseClient.find.mockReturnValue(expectedReturnValue);
+        const spacesService = createSpacesService(server);
+        const types = ['foo', 'bar', 'space'];
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+          types,
+        });
+
+        await expect(client.find({ type: ['space', 'foo'] })).rejects.toThrowErrorMatchingSnapshot();
+      });
+
       test(`supplements options with undefined namespace`, async () => {
         const request = createMockRequest({ id: currentSpace.id });
         const baseClient = createMockClient();
@@ -147,11 +245,11 @@ const createMockClient = () => {
           spacesService,
         });
 
-        const options = Object.freeze({ foo: 'bar' });
+        const options = Object.freeze({ type: ['foo', 'bar'] });
         const actualReturnValue = await client.find(options);
 
         expect(actualReturnValue).toBe(expectedReturnValue);
-        expect(baseClient.find).toHaveBeenCalledWith({ foo: 'bar', namespace: currentSpace.expectedNamespace });
+        expect(baseClient.find).toHaveBeenCalledWith({ type: ['foo', 'bar'], namespace: currentSpace.expectedNamespace });
       });
     });
 
@@ -171,6 +269,20 @@ const createMockClient = () => {
         await expect(client.create('foo', {}, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
       });
 
+      test(`throws error if type is space`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
+
+        await expect(client.create('space', {})).rejects.toThrowErrorMatchingSnapshot();
+      });
+
       test(`supplements options with undefined namespace`, async () => {
         const request = createMockRequest({ id: currentSpace.id });
         const baseClient = createMockClient();
@@ -206,7 +318,21 @@ const createMockClient = () => {
           spacesService,
         });
 
-        await expect(client.bulkCreate(null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+        await expect(client.bulkCreate([{ type: 'foo' }], { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+      });
+
+      test(`throws error if objects type is space`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
+
+        await expect(client.bulkCreate([{ type: 'foo' }, { type: 'space' }])).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`supplements options with undefined namespace`, async () => {
@@ -222,7 +348,7 @@ const createMockClient = () => {
           spacesService,
         });
 
-        const objects = Symbol();
+        const objects = [{ type: 'foo' }];
         const options = Object.freeze({ foo: 'bar' });
         const actualReturnValue = await client.bulkCreate(objects, options);
 
@@ -246,6 +372,20 @@ const createMockClient = () => {
         await expect(client.update(null, null, null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
       });
 
+      test(`throws error if type is space`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
+
+        await expect(client.update('space', null)).rejects.toThrowErrorMatchingSnapshot();
+      });
+
       test(`supplements options with undefined namespace`, async () => {
         const request = createMockRequest({ id: currentSpace.id });
         const baseClient = createMockClient();
@@ -285,6 +425,20 @@ const createMockClient = () => {
         await expect(client.delete(null, null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
       });
 
+      test(`throws error if type is space`, async () => {
+        const request = createMockRequest({ id: currentSpace.id });
+        const baseClient = createMockClient();
+        const spacesService = createSpacesService(server);
+
+        const client = new SpacesSavedObjectsClient({
+          request,
+          baseClient,
+          spacesService,
+        });
+
+        await expect(client.delete('space', 'foo')).rejects.toThrowErrorMatchingSnapshot();
+      });
+
       test(`supplements options with undefined namespace`, async () => {
         const request = createMockRequest({ id: currentSpace.id });
         const baseClient = createMockClient();
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.js b/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
index 5f0612f821b65c..2f461d5fdf7b48 100644
--- a/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
@@ -48,29 +48,27 @@ export function initSpacesRequestInterceptors(server) {
     // which is not available at the time of "onRequest".
     if (isRequestingKibanaRoot) {
       try {
-        const client = request.getSavedObjectsClient();
-        const { total, saved_objects: spaceObjects } = await client.find({
-          type: 'space'
-        });
+        const spacesClient = server.plugins.spaces.spacesClient.getScopedClient(request);
+        const spaces = await spacesClient.getAll();
 
         const config = server.config();
         const basePath = config.get('server.basePath');
         const defaultRoute = config.get('server.defaultRoute');
 
-        if (total === 1) {
+        if (spaces.length === 1) {
           // If only one space is available, then send user there directly.
           // No need for an interstitial screen where there is only one possible outcome.
-          const space = spaceObjects[0];
+          const space = spaces[0];
 
           const destination = addSpaceIdToPath(basePath, space.id, defaultRoute);
           return reply.redirect(destination);
         }
 
-        if (total > 0) {
+        if (spaces.length > 0) {
           // render spaces selector instead of home page
           const app = server.getHiddenUiAppById('space_selector');
           return reply.renderApp(app, {
-            spaces: spaceObjects.map(so => ({ ...so.attributes, id: so.id }))
+            spaces
           });
         }
 
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js b/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
index feb6bebeef5f15..0e7d47d2578cde 100644
--- a/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
@@ -6,18 +6,21 @@
 import sinon from 'sinon';
 import { Server } from 'hapi';
 import { initSpacesRequestInterceptors } from './space_request_interceptors';
-import { createSpacesService } from './create_spaces_service';
 
 describe('interceptors', () => {
   const sandbox = sinon.sandbox.create();
   const teardowns = [];
+  const headers = {
+    authorization: 'foo',
+  };
+  let server;
   let request;
 
   beforeEach(() => {
     teardowns.push(() => sandbox.restore());
     request = async (path, setupFn = () => { }, testConfig = {}) => {
 
-      const server = new Server();
+      server = new Server();
 
       server.connection({ port: 0 });
 
@@ -34,8 +37,13 @@ describe('interceptors', () => {
         };
       }));
 
-      const spacesService = createSpacesService(server);
-      server.decorate('server', 'spaces', spacesService);
+      server.plugins = {
+        spaces: {
+          spacesClient: {
+            getScopedClient: jest.fn(),
+          }
+        }
+      };
 
       initSpacesRequestInterceptors(server);
 
@@ -57,6 +65,7 @@ describe('interceptors', () => {
       return await server.inject({
         method: 'GET',
         url: path,
+        headers,
       });
     };
   });
@@ -132,16 +141,10 @@ describe('interceptors', () => {
     };
 
     const setupTest = (server, spaces, testHandler) => {
-      // Mock server.getSavedObjectsClient()
-      server.decorate('request', 'getSavedObjectsClient', () => {
-        return {
-          find: jest.fn(() => {
-            return {
-              total: spaces.length,
-              saved_objects: spaces
-            };
-          })
-        };
+      server.plugins.spaces.spacesClient.getScopedClient.mockReturnValue({
+        getAll() {
+          return spaces;
+        }
       });
 
       // Register test inspector
@@ -175,6 +178,11 @@ describe('interceptors', () => {
         }, config);
 
         expect(testHandler).toHaveBeenCalledTimes(1);
+        expect(server.plugins.spaces.spacesClient.getScopedClient).toHaveBeenCalledWith(expect.objectContaining({
+          headers: expect.objectContaining({
+            authorization: headers.authorization
+          })
+        }));
       });
 
       test('it redirects to the defaultRoute within the context of the Default Space when navigating to Kibana root', async () => {
@@ -207,6 +215,11 @@ describe('interceptors', () => {
         }, config);
 
         expect(testHandler).toHaveBeenCalledTimes(1);
+        expect(server.plugins.spaces.spacesClient.getScopedClient).toHaveBeenCalledWith(expect.objectContaining({
+          headers: expect.objectContaining({
+            authorization: headers.authorization
+          })
+        }));
       });
     });
 
@@ -252,6 +265,11 @@ describe('interceptors', () => {
         expect(getHiddenUiAppHandler).toHaveBeenCalledTimes(1);
         expect(getHiddenUiAppHandler).toHaveBeenCalledWith('space_selector');
         expect(testHandler).toHaveBeenCalledTimes(1);
+        expect(server.plugins.spaces.spacesClient.getScopedClient).toHaveBeenCalledWith(expect.objectContaining({
+          headers: expect.objectContaining({
+            authorization: headers.authorization
+          })
+        }));
       });
     });
   });
diff --git a/x-pack/plugins/spaces/server/lib/spaces_client.test.ts b/x-pack/plugins/spaces/server/lib/spaces_client.test.ts
new file mode 100644
index 00000000000000..6aaed0bb9506c3
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/spaces_client.test.ts
@@ -0,0 +1,925 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SpacesClient } from './spaces_client';
+
+const createMockAuditLogger = () => {
+  return {
+    spacesAuthorizationFailure: jest.fn(),
+    spacesAuthorizationSuccess: jest.fn(),
+  };
+};
+
+const createMockAuthorization = () => {
+  const mockCheckPrivilegesAtSpace = jest.fn();
+  const mockCheckPrivilegesAtSpaces = jest.fn();
+  const mockCheckPrivilegesGlobally = jest.fn();
+
+  const mockAuthorization = {
+    actions: {
+      login: 'action:login',
+      manageSpaces: 'action:manageSpaces',
+    },
+    checkPrivilegesWithRequest: jest.fn(() => ({
+      atSpaces: mockCheckPrivilegesAtSpaces,
+      atSpace: mockCheckPrivilegesAtSpace,
+      globally: mockCheckPrivilegesGlobally,
+    })),
+    mode: {
+      useRbacForRequest: jest.fn(),
+    },
+  };
+
+  return {
+    mockCheckPrivilegesAtSpaces,
+    mockCheckPrivilegesAtSpace,
+    mockCheckPrivilegesGlobally,
+    mockAuthorization,
+  };
+};
+
+describe('#getAll', () => {
+  const savedObjects = [
+    {
+      id: 'foo',
+      attributes: {
+        name: 'foo-name',
+        description: 'foo-description',
+        bar: 'foo-bar',
+      },
+    },
+    {
+      id: 'bar',
+      attributes: {
+        name: 'bar-name',
+        description: 'bar-description',
+        bar: 'bar-bar',
+      },
+    },
+  ];
+
+  const expectedSpaces = [
+    {
+      id: 'foo',
+      name: 'foo-name',
+      description: 'foo-description',
+      bar: 'foo-bar',
+    },
+    {
+      id: 'bar',
+      name: 'bar-name',
+      description: 'bar-description',
+      bar: 'bar-bar',
+    },
+  ];
+
+  describe('authorization is null', () => {
+    test(`finds spaces using callWithRequestRepository`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const authorization = null;
+      const mockCallWithRequestRepository = {
+        find: jest.fn(),
+      };
+      mockCallWithRequestRepository.find.mockReturnValue({
+        saved_objects: savedObjects,
+      });
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        authorization,
+        mockCallWithRequestRepository,
+        null,
+        request
+      );
+      const actualSpaces = await client.getAll();
+
+      expect(actualSpaces).toEqual(expectedSpaces);
+      expect(mockCallWithRequestRepository.find).toHaveBeenCalledWith({
+        type: 'space',
+        page: 1,
+        perPage: 1000,
+      });
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+
+  describe(`authorization.mode.useRbacForRequest returns false`, () => {
+    test(`finds spaces using callWithRequestRepository`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
+      const mockCallWithRequestRepository = {
+        find: jest.fn().mockReturnValue({
+          saved_objects: savedObjects,
+        }),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        mockCallWithRequestRepository,
+        null,
+        request
+      );
+      const actualSpaces = await client.getAll();
+
+      expect(actualSpaces).toEqual(expectedSpaces);
+      expect(mockCallWithRequestRepository.find).toHaveBeenCalledWith({
+        type: 'space',
+        page: 1,
+        perPage: 1000,
+      });
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+
+  describe('useRbacForRequest is true', () => {
+    test(`throws Boom.forbidden when user isn't authorized for any spaces`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesAtSpaces } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      mockCheckPrivilegesAtSpaces.mockReturnValue({
+        username,
+        spacePrivileges: {
+          [savedObjects[0].id]: {
+            [mockAuthorization.actions.login]: false,
+          },
+          [savedObjects[1].id]: {
+            [mockAuthorization.actions.login]: false,
+          },
+        },
+      });
+      const mockInternalRepository = {
+        find: jest.fn().mockReturnValue({
+          saved_objects: savedObjects,
+        }),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        mockInternalRepository,
+        request
+      );
+      await expect(client.getAll()).rejects.toThrowErrorMatchingSnapshot();
+
+      expect(mockInternalRepository.find).toHaveBeenCalledWith({
+        type: 'space',
+        page: 1,
+        perPage: 1000,
+      });
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesAtSpaces).toHaveBeenCalledWith(
+        savedObjects.map(savedObject => savedObject.id),
+        mockAuthorization.actions.login
+      );
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledWith(username, 'getAll');
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+
+    test(`returns spaces that the user is authorized for`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesAtSpaces } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      mockCheckPrivilegesAtSpaces.mockReturnValue({
+        username,
+        spacePrivileges: {
+          [savedObjects[0].id]: {
+            [mockAuthorization.actions.login]: true,
+          },
+          [savedObjects[1].id]: {
+            [mockAuthorization.actions.login]: false,
+          },
+        },
+      });
+      const mockInternalRepository = {
+        find: jest.fn().mockReturnValue({
+          saved_objects: savedObjects,
+        }),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        mockInternalRepository,
+        request
+      );
+      const actualSpaces = await client.getAll();
+
+      expect(actualSpaces).toEqual([expectedSpaces[0]]);
+      expect(mockInternalRepository.find).toHaveBeenCalledWith({
+        type: 'space',
+        page: 1,
+        perPage: 1000,
+      });
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesAtSpaces).toHaveBeenCalledWith(
+        savedObjects.map(savedObject => savedObject.id),
+        mockAuthorization.actions.login
+      );
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledWith(username, 'getAll', [
+        savedObjects[0].id,
+      ]);
+    });
+  });
+});
+
+describe('#get', () => {
+  const savedObject = {
+    id: 'foo',
+    attributes: {
+      name: 'foo-name',
+      description: 'foo-description',
+      bar: 'foo-bar',
+    },
+  };
+
+  const expectedSpace = {
+    id: 'foo',
+    name: 'foo-name',
+    description: 'foo-description',
+    bar: 'foo-bar',
+  };
+
+  describe(`authorization is null`, () => {
+    test(`gets space using callWithRequestRepository`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const authorization = null;
+      const mockCallWithRequestRepository = {
+        get: jest.fn().mockReturnValue(savedObject),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        authorization,
+        mockCallWithRequestRepository,
+        null,
+        request
+      );
+      const id = savedObject.id;
+      const actualSpace = await client.get(id);
+
+      expect(actualSpace).toEqual(expectedSpace);
+      expect(mockCallWithRequestRepository.get).toHaveBeenCalledWith('space', id);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+
+  describe(`authorization.mode.useRbacForRequest returns false`, () => {
+    test(`gets space using callWithRequestRepository`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
+      const mockCallWithRequestRepository = {
+        get: jest.fn().mockReturnValue(savedObject),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        mockCallWithRequestRepository,
+        null,
+        request
+      );
+      const id = savedObject.id;
+      const actualSpace = await client.get(id);
+
+      expect(actualSpace).toEqual(expectedSpace);
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockCallWithRequestRepository.get).toHaveBeenCalledWith('space', id);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+
+  describe('useRbacForRequest is true', () => {
+    test(`throws Boom.forbidden if the user isn't authorized at space`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesAtSpace } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      mockCheckPrivilegesAtSpace.mockReturnValue({
+        username,
+        hasAllRequested: false,
+      });
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        null,
+        request
+      );
+      const id = 'foo-space';
+
+      await expect(client.get(id)).rejects.toThrowErrorMatchingSnapshot();
+
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesAtSpace).toHaveBeenCalledWith(id, mockAuthorization.actions.login);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledWith(username, 'get', [
+        id,
+      ]);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+
+    test(`returns space using internalRepository if the user is authorized at space`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesAtSpace } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      mockCheckPrivilegesAtSpace.mockReturnValue({
+        username,
+        hasAllRequested: true,
+      });
+      const request = Symbol();
+      const mockInternalRepository = {
+        get: jest.fn().mockReturnValue(savedObject),
+      };
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        mockInternalRepository,
+        request
+      );
+      const id = savedObject.id;
+
+      const space = await client.get(id);
+
+      expect(space).toEqual(expectedSpace);
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesAtSpace).toHaveBeenCalledWith(id, mockAuthorization.actions.login);
+      expect(mockInternalRepository.get).toHaveBeenCalledWith('space', id);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledWith(username, 'get', [
+        id,
+      ]);
+    });
+  });
+});
+
+describe('#create', () => {
+  const id = 'foo';
+
+  const spaceToCreate = {
+    id,
+    name: 'foo-name',
+    description: 'foo-description',
+    bar: 'foo-bar',
+    _reserved: true,
+  };
+
+  const attributes = {
+    name: 'foo-name',
+    description: 'foo-description',
+    bar: 'foo-bar',
+  };
+
+  const savedObject = {
+    id,
+    attributes: {
+      name: 'foo-name',
+      description: 'foo-description',
+      bar: 'foo-bar',
+    },
+  };
+
+  const expectedReturnedSpace = {
+    id,
+    name: 'foo-name',
+    description: 'foo-description',
+    bar: 'foo-bar',
+  };
+
+  describe(`authorization is null`, () => {
+    test(`creates space using callWithRequestRepository`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const authorization = null;
+      const mockCallWithRequestRepository = {
+        create: jest.fn().mockReturnValue(savedObject),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        authorization,
+        mockCallWithRequestRepository,
+        null,
+        request
+      );
+
+      const actualSpace = await client.create(spaceToCreate);
+
+      expect(actualSpace).toEqual(expectedReturnedSpace);
+      expect(mockCallWithRequestRepository.create).toHaveBeenCalledWith('space', attributes, {
+        id,
+      });
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+
+  describe(`authorization.mode.useRbacForRequest returns false`, () => {
+    test(`creates space using callWithRequestRepository`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
+      const mockCallWithRequestRepository = {
+        create: jest.fn().mockReturnValue(savedObject),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        mockCallWithRequestRepository,
+        null,
+        request
+      );
+
+      const actualSpace = await client.create(spaceToCreate);
+
+      expect(actualSpace).toEqual(expectedReturnedSpace);
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockCallWithRequestRepository.create).toHaveBeenCalledWith('space', attributes, {
+        id,
+      });
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+
+  describe('useRbacForRequest is true', () => {
+    test(`throws Boom.forbidden if the user isn't authorized at space`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      mockCheckPrivilegesGlobally.mockReturnValue({
+        username,
+        hasAllRequested: false,
+      });
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        null,
+        request
+      );
+
+      await expect(client.create(spaceToCreate)).rejects.toThrowErrorMatchingSnapshot();
+
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
+        mockAuthorization.actions.manageSpaces
+      );
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledWith(username, 'create');
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+
+    test(`creates space using internalRepository if the user is authorized`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      mockCheckPrivilegesGlobally.mockReturnValue({
+        username,
+        hasAllRequested: true,
+      });
+      const mockInternalRepository = {
+        create: jest.fn().mockReturnValue(savedObject),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        mockInternalRepository,
+        request
+      );
+
+      const actualSpace = await client.create(spaceToCreate);
+
+      expect(actualSpace).toEqual(expectedReturnedSpace);
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
+        mockAuthorization.actions.manageSpaces
+      );
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledWith(username, 'create');
+    });
+  });
+});
+
+describe('#update', () => {
+  const spaceToUpdate = {
+    id: 'foo',
+    name: 'foo-name',
+    description: 'foo-description',
+    bar: 'foo-bar',
+    _reserved: false,
+  };
+
+  const attributes = {
+    name: 'foo-name',
+    description: 'foo-description',
+    bar: 'foo-bar',
+  };
+
+  const savedObject = {
+    id: 'foo',
+    attributes: {
+      name: 'foo-name',
+      description: 'foo-description',
+      bar: 'foo-bar',
+      _reserved: true,
+    },
+  };
+
+  const expectedReturnedSpace = {
+    id: 'foo',
+    name: 'foo-name',
+    description: 'foo-description',
+    bar: 'foo-bar',
+    _reserved: true,
+  };
+
+  describe(`authorization is null`, () => {
+    test(`updates space using callWithRequestRepository`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const authorization = null;
+      const mockCallWithRequestRepository = {
+        update: jest.fn(),
+        get: jest.fn().mockReturnValue(savedObject),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        authorization,
+        mockCallWithRequestRepository,
+        null,
+        request
+      );
+      const id = savedObject.id;
+      const actualSpace = await client.update(id, spaceToUpdate);
+
+      expect(actualSpace).toEqual(expectedReturnedSpace);
+      expect(mockCallWithRequestRepository.update).toHaveBeenCalledWith('space', id, attributes);
+      expect(mockCallWithRequestRepository.get).toHaveBeenCalledWith('space', id);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+  describe(`authorization.mode.useRbacForRequest returns false`, () => {
+    test(`updates space using callWithRequestRepository`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
+      const mockCallWithRequestRepository = {
+        update: jest.fn(),
+        get: jest.fn().mockReturnValue(savedObject),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        mockCallWithRequestRepository,
+        null,
+        request
+      );
+      const id = savedObject.id;
+      const actualSpace = await client.update(id, spaceToUpdate);
+
+      expect(actualSpace).toEqual(expectedReturnedSpace);
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockCallWithRequestRepository.update).toHaveBeenCalledWith('space', id, attributes);
+      expect(mockCallWithRequestRepository.get).toHaveBeenCalledWith('space', id);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+
+  describe('useRbacForRequest is true', () => {
+    test(`throws Boom.forbidden when user isn't authorized at space`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
+      mockCheckPrivilegesGlobally.mockReturnValue({
+        hasAllRequested: false,
+        username,
+      });
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        null,
+        request
+      );
+      const id = savedObject.id;
+      await expect(client.update(id, spaceToUpdate)).rejects.toThrowErrorMatchingSnapshot();
+
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
+        mockAuthorization.actions.manageSpaces
+      );
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledWith(username, 'update');
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+
+    test(`updates space using internalRepository if user is authorized`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
+      mockCheckPrivilegesGlobally.mockReturnValue({
+        hasAllRequested: true,
+        username,
+      });
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      const mockInternalRepository = {
+        update: jest.fn(),
+        get: jest.fn().mockReturnValue(savedObject),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        mockInternalRepository,
+        request
+      );
+      const id = savedObject.id;
+      const actualSpace = await client.update(id, spaceToUpdate);
+
+      expect(actualSpace).toEqual(expectedReturnedSpace);
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
+        mockAuthorization.actions.manageSpaces
+      );
+      expect(mockInternalRepository.update).toHaveBeenCalledWith('space', id, attributes);
+      expect(mockInternalRepository.get).toHaveBeenCalledWith('space', id);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledWith(username, 'update');
+    });
+  });
+});
+
+describe('#delete', () => {
+  const id = 'foo';
+
+  const reservedSavedObject = {
+    id,
+    attributes: {
+      name: 'foo-name',
+      description: 'foo-description',
+      bar: 'foo-bar',
+      _reserved: true,
+    },
+  };
+
+  const notReservedSavedObject = {
+    id,
+    attributes: {
+      name: 'foo-name',
+      description: 'foo-description',
+      bar: 'foo-bar',
+    },
+  };
+
+  describe(`authorization is null`, () => {
+    test(`throws Boom.badRequest when the space is reserved`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const authorization = null;
+      const mockCallWithRequestRepository = {
+        get: jest.fn().mockReturnValue(reservedSavedObject),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        authorization,
+        mockCallWithRequestRepository,
+        null,
+        request
+      );
+
+      await expect(client.delete(id)).rejects.toThrowErrorMatchingSnapshot();
+
+      expect(mockCallWithRequestRepository.get).toHaveBeenCalledWith('space', id);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+
+    test(`deletes space using callWithRequestRepository when space isn't reserved`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const authorization = null;
+      const mockCallWithRequestRepository = {
+        get: jest.fn().mockReturnValue(notReservedSavedObject),
+        delete: jest.fn(),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        authorization,
+        mockCallWithRequestRepository,
+        null,
+        request
+      );
+
+      await client.delete(id);
+
+      expect(mockCallWithRequestRepository.get).toHaveBeenCalledWith('space', id);
+      expect(mockCallWithRequestRepository.delete).toHaveBeenCalledWith('space', id);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+
+  describe(`authorization.mode.useRbacForRequest returns false`, () => {
+    test(`throws Boom.badRequest when the space is reserved`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
+      const mockCallWithRequestRepository = {
+        get: jest.fn().mockReturnValue(reservedSavedObject),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        mockCallWithRequestRepository,
+        null,
+        request
+      );
+
+      await expect(client.delete(id)).rejects.toThrowErrorMatchingSnapshot();
+
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockCallWithRequestRepository.get).toHaveBeenCalledWith('space', id);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+
+    test(`deletes space using callWithRequestRepository when space isn't reserved`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
+      const mockCallWithRequestRepository = {
+        get: jest.fn().mockReturnValue(notReservedSavedObject),
+        delete: jest.fn(),
+      };
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        mockCallWithRequestRepository,
+        null,
+        request
+      );
+
+      await client.delete(id);
+
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockCallWithRequestRepository.get).toHaveBeenCalledWith('space', id);
+      expect(mockCallWithRequestRepository.delete).toHaveBeenCalledWith('space', id);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+
+  describe('authorization.mode.useRbacForRequest returns true', () => {
+    test(`throws Boom.forbidden if the user isn't authorized`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      mockCheckPrivilegesGlobally.mockReturnValue({
+        username,
+        hasAllRequested: false,
+      });
+      const request = Symbol();
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        null,
+        request
+      );
+
+      await expect(client.delete(id)).rejects.toThrowErrorMatchingSnapshot();
+
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
+        mockAuthorization.actions.manageSpaces
+      );
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledWith(username, 'delete');
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+
+    test(`throws Boom.badRequest if the user is authorized but the space is reserved`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      mockCheckPrivilegesGlobally.mockReturnValue({
+        username,
+        hasAllRequested: true,
+      });
+      const mockInternalRepository = {
+        get: jest.fn().mockReturnValue(reservedSavedObject),
+      };
+      const request = Symbol();
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        mockInternalRepository,
+        request
+      );
+
+      await expect(client.delete(id)).rejects.toThrowErrorMatchingSnapshot();
+
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
+        mockAuthorization.actions.manageSpaces
+      );
+      expect(mockInternalRepository.get).toHaveBeenCalledWith('space', id);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledWith(username, 'delete');
+    });
+
+    test(`deletes space using internalRepository if the user is authorized and the space isn't reserved`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      mockCheckPrivilegesGlobally.mockReturnValue({
+        username,
+        hasAllRequested: true,
+      });
+      const mockInternalRepository = {
+        get: jest.fn().mockReturnValue(notReservedSavedObject),
+        delete: jest.fn(),
+      };
+      const request = Symbol();
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        mockInternalRepository,
+        request
+      );
+
+      await client.delete(id);
+
+      expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
+        mockAuthorization.actions.manageSpaces
+      );
+      expect(mockInternalRepository.get).toHaveBeenCalledWith('space', id);
+      expect(mockInternalRepository.delete).toHaveBeenCalledWith('space', id);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledWith(username, 'delete');
+    });
+  });
+});
diff --git a/x-pack/plugins/spaces/server/lib/spaces_client.ts b/x-pack/plugins/spaces/server/lib/spaces_client.ts
new file mode 100644
index 00000000000000..2942b5a019fcb8
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/spaces_client.ts
@@ -0,0 +1,187 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import Boom from 'boom';
+import { omit } from 'lodash';
+import { isReservedSpace } from '../../common/is_reserved_space';
+import { Space } from '../../common/model/space';
+import { SpacesAuditLogger } from './audit_logger';
+
+export class SpacesClient {
+  private readonly auditLogger: SpacesAuditLogger;
+  private readonly authorization: any;
+  private readonly callWithRequestSavedObjectRepository: any;
+  private readonly internalSavedObjectRepository: any;
+  private readonly request: any;
+
+  constructor(
+    auditLogger: SpacesAuditLogger,
+    authorization: any,
+    callWithRequestSavedObjectRepository: any,
+    internalSavedObjectRepository: any,
+    request: any
+  ) {
+    this.auditLogger = auditLogger;
+    this.authorization = authorization;
+    this.callWithRequestSavedObjectRepository = callWithRequestSavedObjectRepository;
+    this.internalSavedObjectRepository = internalSavedObjectRepository;
+    this.request = request;
+  }
+
+  public async getAll(): Promise<[Space]> {
+    if (this.useRbac()) {
+      const { saved_objects } = await this.internalSavedObjectRepository.find({
+        type: 'space',
+        page: 1,
+        perPage: 1000,
+      });
+
+      const spaces = saved_objects.map(this.transformSavedObjectToSpace);
+
+      const spaceIds = spaces.map((space: Space) => space.id);
+      const checkPrivileges = this.authorization.checkPrivilegesWithRequest(this.request);
+      const { username, spacePrivileges } = await checkPrivileges.atSpaces(
+        spaceIds,
+        this.authorization.actions.login
+      );
+
+      const authorized = Object.keys(spacePrivileges).filter(spaceId => {
+        return spacePrivileges[spaceId][this.authorization.actions.login];
+      });
+
+      if (authorized.length === 0) {
+        this.auditLogger.spacesAuthorizationFailure(username, 'getAll');
+        throw Boom.forbidden();
+      }
+
+      this.auditLogger.spacesAuthorizationSuccess(username, 'getAll', authorized);
+      return spaces.filter((space: any) => authorized.includes(space.id));
+    } else {
+      const { saved_objects } = await this.callWithRequestSavedObjectRepository.find({
+        type: 'space',
+        page: 1,
+        perPage: 1000,
+      });
+
+      return saved_objects.map(this.transformSavedObjectToSpace);
+    }
+  }
+
+  public async get(id: string): Promise<Space> {
+    if (this.useRbac()) {
+      await this.ensureAuthorizedAtSpace(
+        id,
+        this.authorization.actions.login,
+        'get',
+        `Unauthorized to get ${id} space`
+      );
+    }
+    const repository = this.useRbac()
+      ? this.internalSavedObjectRepository
+      : this.callWithRequestSavedObjectRepository;
+
+    const savedObject = await repository.get('space', id);
+    return this.transformSavedObjectToSpace(savedObject);
+  }
+
+  public async create(space: Space) {
+    if (this.useRbac()) {
+      await this.ensureAuthorizedGlobally(
+        this.authorization.actions.manageSpaces,
+        'create',
+        'Unauthorized to create spaces'
+      );
+    }
+    const repository = this.useRbac()
+      ? this.internalSavedObjectRepository
+      : this.callWithRequestSavedObjectRepository;
+
+    const attributes = omit(space, ['id', '_reserved']);
+    const id = space.id;
+    const createdSavedObject = await repository.create('space', attributes, { id });
+    return this.transformSavedObjectToSpace(createdSavedObject);
+  }
+
+  public async update(id: string, space: Space) {
+    if (this.useRbac()) {
+      await this.ensureAuthorizedGlobally(
+        this.authorization.actions.manageSpaces,
+        'update',
+        'Unauthorized to update spaces'
+      );
+    }
+    const repository = this.useRbac()
+      ? this.internalSavedObjectRepository
+      : this.callWithRequestSavedObjectRepository;
+
+    const attributes = omit(space, 'id', '_reserved');
+    await repository.update('space', id, attributes);
+    const updatedSavedObject = await repository.get('space', id);
+    return this.transformSavedObjectToSpace(updatedSavedObject);
+  }
+
+  public async delete(id: string) {
+    if (this.useRbac()) {
+      await this.ensureAuthorizedGlobally(
+        this.authorization.actions.manageSpaces,
+        'delete',
+        'Unauthorized to delete spaces'
+      );
+    }
+
+    const repository = this.useRbac()
+      ? this.internalSavedObjectRepository
+      : this.callWithRequestSavedObjectRepository;
+
+    const existingSavedObject = await repository.get('space', id);
+    if (isReservedSpace(this.transformSavedObjectToSpace(existingSavedObject))) {
+      throw Boom.badRequest('This Space cannot be deleted because it is reserved.');
+    }
+
+    await repository.delete('space', id);
+  }
+
+  private useRbac(): boolean {
+    return this.authorization && this.authorization.mode.useRbacForRequest(this.request);
+  }
+
+  private async ensureAuthorizedGlobally(action: string, method: string, forbiddenMessage: string) {
+    const checkPrivileges = this.authorization.checkPrivilegesWithRequest(this.request);
+    const { username, hasAllRequested } = await checkPrivileges.globally(action);
+
+    if (hasAllRequested) {
+      this.auditLogger.spacesAuthorizationSuccess(username, method);
+      return;
+    } else {
+      this.auditLogger.spacesAuthorizationFailure(username, method);
+      throw Boom.forbidden(forbiddenMessage);
+    }
+  }
+
+  private async ensureAuthorizedAtSpace(
+    spaceId: string,
+    action: string,
+    method: string,
+    forbiddenMessage: string
+  ) {
+    const checkPrivileges = this.authorization.checkPrivilegesWithRequest(this.request);
+    const { username, hasAllRequested } = await checkPrivileges.atSpace(spaceId, action);
+
+    if (hasAllRequested) {
+      this.auditLogger.spacesAuthorizationSuccess(username, method, [spaceId]);
+      return;
+    } else {
+      this.auditLogger.spacesAuthorizationFailure(username, method, [spaceId]);
+      throw Boom.forbidden(forbiddenMessage);
+    }
+  }
+
+  private transformSavedObjectToSpace(savedObject: any): Space {
+    return {
+      id: savedObject.id,
+      ...savedObject.attributes,
+    } as Space;
+  }
+}
diff --git a/x-pack/plugins/spaces/server/routes/api/__fixtures__/create_test_handler.ts b/x-pack/plugins/spaces/server/routes/api/__fixtures__/create_test_handler.ts
index a184f21076d4f6..44c7f9a2e65004 100644
--- a/x-pack/plugins/spaces/server/routes/api/__fixtures__/create_test_handler.ts
+++ b/x-pack/plugins/spaces/server/routes/api/__fixtures__/create_test_handler.ts
@@ -6,6 +6,7 @@
 
 // @ts-ignore
 import { Server } from 'hapi';
+import { SpacesClient } from '../../../lib/spaces_client';
 import { createSpaces } from './create_spaces';
 
 export interface TestConfig {
@@ -17,13 +18,14 @@ export interface TestOptions {
   testConfig?: TestConfig;
   payload?: any;
   preCheckLicenseImpl?: (req: any, reply: any) => any;
+  expectSpacesClientCall?: boolean;
 }
 
 export type TeardownFn = () => void;
 
 export interface RequestRunnerResult {
   server: any;
-  mockSavedObjectsClient: any;
+  mockSavedObjectsRepository: any;
   response: any;
 }
 
@@ -56,6 +58,7 @@ export function createTestHandler(initApiFn: (server: any, preCheckLicenseImpl:
       testConfig = {},
       payload,
       preCheckLicenseImpl = defaultPreCheckLicenseImpl,
+      expectSpacesClientCall = true,
     } = options;
 
     let pre = jest.fn();
@@ -89,10 +92,13 @@ export function createTestHandler(initApiFn: (server: any, preCheckLicenseImpl:
     server.decorate('request', 'getBasePath', jest.fn());
     server.decorate('request', 'setBasePath', jest.fn());
 
-    // Mock server.getSavedObjectsClient()
-    const mockSavedObjectsClient = {
+    const mockSavedObjectsRepository = {
       get: jest.fn((type, id) => {
-        return spaces.filter(s => s.id === id)[0];
+        const result = spaces.filter(s => s.id === id);
+        if (!result.length) {
+          throw new Error(`not found: [${type}:${id}]`);
+        }
+        return result[0];
       }),
       find: jest.fn(() => {
         return {
@@ -100,22 +106,57 @@ export function createTestHandler(initApiFn: (server: any, preCheckLicenseImpl:
           saved_objects: spaces,
         };
       }),
-      create: jest.fn(() => ({})),
-      update: jest.fn(() => ({})),
-      delete: jest.fn(),
-      errors: {
-        isNotFoundError: jest.fn(() => true),
+      create: jest.fn((type, attributes, { id }) => {
+        if (spaces.find(s => s.id === id)) {
+          throw new Error('conflict');
+        }
+        return {};
+      }),
+      update: jest.fn((type, id) => {
+        if (!spaces.find(s => s.id === id)) {
+          throw new Error('not found: during update');
+        }
+        return {};
+      }),
+      delete: jest.fn((type: string, id: string) => {
+        return {};
+      }),
+    };
+
+    server.savedObjects = {
+      SavedObjectsClient: {
+        errors: {
+          isNotFoundError: jest.fn((e: any) => e.message.startsWith('not found:')),
+          isConflictError: jest.fn((e: any) => e.message.startsWith('conflict')),
+        },
       },
     };
 
-    server.decorate('request', 'getSavedObjectsClient', () => mockSavedObjectsClient);
+    server.plugins.spaces = {
+      spacesClient: {
+        getScopedClient: jest.fn((req: any) => {
+          return new SpacesClient(
+            null as any,
+            null,
+            mockSavedObjectsRepository,
+            mockSavedObjectsRepository,
+            req
+          );
+        }),
+      },
+    };
 
     teardowns.push(() => server.stop());
 
+    const headers = {
+      authorization: 'foo',
+    };
+
     const testRun = async () => {
       const response = await server.inject({
         method,
         url: path,
+        headers,
         payload,
       });
 
@@ -125,12 +166,25 @@ export function createTestHandler(initApiFn: (server: any, preCheckLicenseImpl:
         expect(pre).not.toHaveBeenCalled();
       }
 
+      if (expectSpacesClientCall) {
+        expect(server.plugins.spaces.spacesClient.getScopedClient).toHaveBeenCalledWith(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: headers.authorization,
+            }),
+          })
+        );
+      } else {
+        expect(server.plugins.spaces.spacesClient.getScopedClient).not.toHaveBeenCalled();
+      }
+
       return response;
     };
 
     return {
       server,
-      mockSavedObjectsClient,
+      headers,
+      mockSavedObjectsRepository,
       response: await testRun(),
     };
   };
diff --git a/x-pack/plugins/spaces/server/routes/api/public/delete.test.ts b/x-pack/plugins/spaces/server/routes/api/public/delete.test.ts
index 523b5a2cb2e7b0..21948e28c56d6a 100644
--- a/x-pack/plugins/spaces/server/routes/api/public/delete.test.ts
+++ b/x-pack/plugins/spaces/server/routes/api/public/delete.test.ts
@@ -52,6 +52,7 @@ describe('Spaces Public API', () => {
     const { response } = await request('DELETE', '/api/spaces/space/a-space', {
       preCheckLicenseImpl: (req: any, reply: any) =>
         reply(Boom.forbidden('test forbidden message')),
+      expectSpacesClientCall: false,
     });
 
     const { statusCode, payload } = response;
@@ -62,12 +63,12 @@ describe('Spaces Public API', () => {
     });
   });
 
-  test('DELETE spaces/{id} pretends to delete a non-existent space', async () => {
+  test('DELETE spaces/{id} throws when deleting a non-existent space', async () => {
     const { response } = await request('DELETE', '/api/spaces/space/not-a-space');
 
     const { statusCode } = response;
 
-    expect(statusCode).toEqual(204);
+    expect(statusCode).toEqual(404);
   });
 
   test(`'DELETE spaces/{id}' cannot delete reserved spaces`, async () => {
diff --git a/x-pack/plugins/spaces/server/routes/api/public/delete.ts b/x-pack/plugins/spaces/server/routes/api/public/delete.ts
index 9937b786ccfa71..080c765dd4a44d 100644
--- a/x-pack/plugins/spaces/server/routes/api/public/delete.ts
+++ b/x-pack/plugins/spaces/server/routes/api/public/delete.ts
@@ -5,31 +5,29 @@
  */
 
 import Boom from 'boom';
-import { isReservedSpace } from '../../../../common/is_reserved_space';
 import { wrapError } from '../../../lib/errors';
-import { getSpaceById } from '../../lib';
+import { SpacesClient } from '../../../lib/spaces_client';
 
 export function initDeleteSpacesApi(server: any, routePreCheckLicenseFn: any) {
   server.route({
     method: 'DELETE',
     path: '/api/spaces/space/{id}',
     async handler(request: any, reply: any) {
-      const client = request.getSavedObjectsClient();
+      const { SavedObjectsClient } = server.savedObjects;
+      const spacesClient: SpacesClient = server.plugins.spaces.spacesClient.getScopedClient(
+        request
+      );
 
       const id = request.params.id;
 
       let result;
 
       try {
-        const existingSpace = await getSpaceById(client, id);
-        if (isReservedSpace(existingSpace)) {
-          return reply(
-            wrapError(Boom.badRequest('This Space cannot be deleted because it is reserved.'))
-          );
-        }
-
-        result = await client.delete('space', id);
+        result = await spacesClient.delete(id);
       } catch (error) {
+        if (SavedObjectsClient.errors.isNotFoundError(error)) {
+          return reply(Boom.notFound());
+        }
         return reply(wrapError(error));
       }
 
diff --git a/x-pack/plugins/spaces/server/routes/api/public/get.test.ts b/x-pack/plugins/spaces/server/routes/api/public/get.test.ts
index 4d04759b283a8b..ad3e758853e01d 100644
--- a/x-pack/plugins/spaces/server/routes/api/public/get.test.ts
+++ b/x-pack/plugins/spaces/server/routes/api/public/get.test.ts
@@ -56,6 +56,7 @@ describe('GET spaces', () => {
     const { response } = await request('GET', '/api/spaces/space', {
       preCheckLicenseImpl: (req: any, reply: any) =>
         reply(Boom.forbidden('test forbidden message')),
+      expectSpacesClientCall: false,
     });
 
     const { statusCode, payload } = response;
diff --git a/x-pack/plugins/spaces/server/routes/api/public/get.ts b/x-pack/plugins/spaces/server/routes/api/public/get.ts
index 95f1d273a8f6b2..ae3a083c50123a 100644
--- a/x-pack/plugins/spaces/server/routes/api/public/get.ts
+++ b/x-pack/plugins/spaces/server/routes/api/public/get.ts
@@ -5,25 +5,23 @@
  */
 
 import Boom from 'boom';
+import { Space } from '../../../../common/model/space';
 import { wrapError } from '../../../lib/errors';
-import { convertSavedObjectToSpace } from '../../lib';
+import { SpacesClient } from '../../../lib/spaces_client';
 
 export function initGetSpacesApi(server: any, routePreCheckLicenseFn: any) {
   server.route({
     method: 'GET',
     path: '/api/spaces/space',
     async handler(request: any, reply: any) {
-      const client = request.getSavedObjectsClient();
+      const spacesClient: SpacesClient = server.plugins.spaces.spacesClient.getScopedClient(
+        request
+      );
 
-      let spaces;
+      let spaces: Space[];
 
       try {
-        const result = await client.find({
-          type: 'space',
-          sortField: 'name.keyword',
-        });
-
-        spaces = result.saved_objects.map(convertSavedObjectToSpace);
+        spaces = await spacesClient.getAll();
       } catch (error) {
         return reply(wrapError(error));
       }
@@ -41,14 +39,15 @@ export function initGetSpacesApi(server: any, routePreCheckLicenseFn: any) {
     async handler(request: any, reply: any) {
       const spaceId = request.params.id;
 
-      const client = request.getSavedObjectsClient();
+      const { SavedObjectsClient } = server.savedObjects;
+      const spacesClient: SpacesClient = server.plugins.spaces.spacesClient.getScopedClient(
+        request
+      );
 
       try {
-        const response = await client.get('space', spaceId);
-
-        return reply(convertSavedObjectToSpace(response));
+        return reply(await spacesClient.get(spaceId));
       } catch (error) {
-        if (client.errors.isNotFoundError(error)) {
+        if (SavedObjectsClient.errors.isNotFoundError(error)) {
           return reply(Boom.notFound());
         }
         return reply(wrapError(error));
diff --git a/x-pack/plugins/spaces/server/routes/api/public/post.test.ts b/x-pack/plugins/spaces/server/routes/api/public/post.test.ts
index f97931d36ed664..b554d5fc67354a 100644
--- a/x-pack/plugins/spaces/server/routes/api/public/post.test.ts
+++ b/x-pack/plugins/spaces/server/routes/api/public/post.test.ts
@@ -48,18 +48,18 @@ describe('Spaces Public API', () => {
       description: 'with a description',
     };
 
-    const { mockSavedObjectsClient, response } = await request('POST', '/api/spaces/space', {
+    const { mockSavedObjectsRepository, response } = await request('POST', '/api/spaces/space', {
       payload,
     });
 
     const { statusCode } = response;
 
     expect(statusCode).toEqual(200);
-    expect(mockSavedObjectsClient.create).toHaveBeenCalledTimes(1);
-    expect(mockSavedObjectsClient.create).toHaveBeenCalledWith(
+    expect(mockSavedObjectsRepository.create).toHaveBeenCalledTimes(1);
+    expect(mockSavedObjectsRepository.create).toHaveBeenCalledWith(
       'space',
       { name: 'my new space', description: 'with a description' },
-      { id: 'my-space-id', overwrite: false }
+      { id: 'my-space-id' }
     );
   });
 
@@ -73,6 +73,7 @@ describe('Spaces Public API', () => {
     const { response } = await request('POST', '/api/spaces/space', {
       preCheckLicenseImpl: (req: any, reply: any) =>
         reply(Boom.forbidden('test forbidden message')),
+      expectSpacesClientCall: false,
       payload,
     });
 
@@ -98,8 +99,7 @@ describe('Spaces Public API', () => {
     expect(statusCode).toEqual(409);
     expect(JSON.parse(responsePayload)).toEqual({
       error: 'Conflict',
-      message:
-        'A space with the identifier a-space already exists. Please choose a different identifier',
+      message: 'A space with the identifier a-space already exists.',
       statusCode: 409,
     });
   });
diff --git a/x-pack/plugins/spaces/server/routes/api/public/post.ts b/x-pack/plugins/spaces/server/routes/api/public/post.ts
index fd51390af50230..a4c1e04a73831b 100644
--- a/x-pack/plugins/spaces/server/routes/api/public/post.ts
+++ b/x-pack/plugins/spaces/server/routes/api/public/post.ts
@@ -5,34 +5,28 @@
  */
 
 import Boom from 'boom';
-import { omit } from 'lodash';
 import { wrapError } from '../../../lib/errors';
 import { spaceSchema } from '../../../lib/space_schema';
-import { getSpaceById } from '../../lib';
+import { SpacesClient } from '../../../lib/spaces_client';
 
 export function initPostSpacesApi(server: any, routePreCheckLicenseFn: any) {
   server.route({
     method: 'POST',
     path: '/api/spaces/space',
     async handler(request: any, reply: any) {
-      const client = request.getSavedObjectsClient();
+      const { SavedObjectsClient } = server.savedObjects;
+      const spacesClient: SpacesClient = server.plugins.spaces.spacesClient.getScopedClient(
+        request
+      );
 
-      const space = omit(request.payload, ['id', '_reserved']);
-
-      const id = request.payload.id;
-
-      const existingSpace = await getSpaceById(client, id);
-      if (existingSpace) {
-        return reply(
-          Boom.conflict(
-            `A space with the identifier ${id} already exists. Please choose a different identifier`
-          )
-        );
-      }
+      const space = request.payload;
 
       try {
-        return reply(await client.create('space', { ...space }, { id, overwrite: false }));
+        return reply(await spacesClient.create(space));
       } catch (error) {
+        if (SavedObjectsClient.errors.isConflictError(error)) {
+          return reply(Boom.conflict(`A space with the identifier ${space.id} already exists.`));
+        }
         return reply(wrapError(error));
       }
     },
diff --git a/x-pack/plugins/spaces/server/routes/api/public/put.test.ts b/x-pack/plugins/spaces/server/routes/api/public/put.test.ts
index 2af4fc9bbeaf3b..e02fb58da1d613 100644
--- a/x-pack/plugins/spaces/server/routes/api/public/put.test.ts
+++ b/x-pack/plugins/spaces/server/routes/api/public/put.test.ts
@@ -46,15 +46,19 @@ describe('Spaces Public API', () => {
       description: 'with a description',
     };
 
-    const { mockSavedObjectsClient, response } = await request('PUT', '/api/spaces/space/a-space', {
-      payload,
-    });
+    const { mockSavedObjectsRepository, response } = await request(
+      'PUT',
+      '/api/spaces/space/a-space',
+      {
+        payload,
+      }
+    );
 
     const { statusCode } = response;
 
     expect(statusCode).toEqual(200);
-    expect(mockSavedObjectsClient.update).toHaveBeenCalledTimes(1);
-    expect(mockSavedObjectsClient.update).toHaveBeenCalledWith('space', 'a-space', {
+    expect(mockSavedObjectsRepository.update).toHaveBeenCalledTimes(1);
+    expect(mockSavedObjectsRepository.update).toHaveBeenCalledWith('space', 'a-space', {
       name: 'my updated space',
       description: 'with a description',
     });
@@ -70,6 +74,7 @@ describe('Spaces Public API', () => {
     const { response } = await request('PUT', '/api/spaces/space/a-space', {
       preCheckLicenseImpl: (req: any, reply: any) =>
         reply(Boom.forbidden('test forbidden message')),
+      expectSpacesClientCall: false,
       payload,
     });
 
diff --git a/x-pack/plugins/spaces/server/routes/api/public/put.ts b/x-pack/plugins/spaces/server/routes/api/public/put.ts
index 093d7c777e7864..dea7e3a79d5c0b 100644
--- a/x-pack/plugins/spaces/server/routes/api/public/put.ts
+++ b/x-pack/plugins/spaces/server/routes/api/public/put.ts
@@ -5,39 +5,35 @@
  */
 
 import Boom from 'boom';
-import { omit } from 'lodash';
 import { Space } from '../../../../common/model/space';
 import { wrapError } from '../../../lib/errors';
 import { spaceSchema } from '../../../lib/space_schema';
-import { convertSavedObjectToSpace, getSpaceById } from '../../lib';
+import { SpacesClient } from '../../../lib/spaces_client';
 
 export function initPutSpacesApi(server: any, routePreCheckLicenseFn: any) {
   server.route({
     method: 'PUT',
     path: '/api/spaces/space/{id}',
     async handler(request: any, reply: any) {
-      const client = request.getSavedObjectsClient();
+      const { SavedObjectsClient } = server.savedObjects;
+      const spacesClient: SpacesClient = server.plugins.spaces.spacesClient.getScopedClient(
+        request
+      );
 
-      const space: Space = omit(request.payload, ['id']);
+      const space: Space = request.payload;
       const id = request.params.id;
 
-      const existingSpace = await getSpaceById(client, id);
-
-      if (existingSpace) {
-        space._reserved = existingSpace._reserved;
-      } else {
-        return reply(Boom.notFound(`Unable to find space with ID ${id}`));
-      }
-
-      let result;
+      let result: Space;
       try {
-        result = await client.update('space', id, { ...space });
+        result = await spacesClient.update(id, { ...space });
       } catch (error) {
+        if (SavedObjectsClient.errors.isNotFoundError(error)) {
+          return reply(Boom.notFound());
+        }
         return reply(wrapError(error));
       }
 
-      const updatedSpace = convertSavedObjectToSpace(result);
-      return reply(updatedSpace);
+      return reply(result);
     },
     config: {
       validate: {
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.ts b/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.ts
index bbdab1be349101..0758ceb32746ca 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.ts
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.test.ts
@@ -56,6 +56,7 @@ describe('Spaces API', () => {
     const { response } = await request('POST', '/api/spaces/v1/space/a-space/select', {
       preCheckLicenseImpl: (req: any, reply: any) =>
         reply(Boom.forbidden('test forbidden message')),
+      expectSpacesClientCall: false,
     });
 
     const { statusCode, payload } = response;
diff --git a/x-pack/plugins/spaces/server/routes/api/v1/spaces.ts b/x-pack/plugins/spaces/server/routes/api/v1/spaces.ts
index 0233cb76b96d85..6f09d1831bff9a 100644
--- a/x-pack/plugins/spaces/server/routes/api/v1/spaces.ts
+++ b/x-pack/plugins/spaces/server/routes/api/v1/spaces.ts
@@ -7,6 +7,7 @@
 import Boom from 'boom';
 import { Space } from '../../../../common/model/space';
 import { wrapError } from '../../../lib/errors';
+import { SpacesClient } from '../../../lib/spaces_client';
 import { addSpaceIdToPath } from '../../../lib/spaces_url_parser';
 import { getSpaceById } from '../../lib';
 
@@ -15,12 +16,19 @@ export function initPrivateSpacesApi(server: any, routePreCheckLicenseFn: any) {
     method: 'POST',
     path: '/api/spaces/v1/space/{id}/select',
     async handler(request: any, reply: any) {
-      const client = request.getSavedObjectsClient();
+      const { SavedObjectsClient } = server.savedObjects;
+      const spacesClient: SpacesClient = server.plugins.spaces.spacesClient.getScopedClient(
+        request
+      );
 
       const id = request.params.id;
 
       try {
-        const existingSpace: Space | null = await getSpaceById(client, id);
+        const existingSpace: Space | null = await getSpaceById(
+          spacesClient,
+          id,
+          SavedObjectsClient.errors
+        );
         if (!existingSpace) {
           return reply(Boom.notFound());
         }
diff --git a/x-pack/plugins/spaces/server/routes/lib/get_space_by_id.ts b/x-pack/plugins/spaces/server/routes/lib/get_space_by_id.ts
index 4143c09a79a930..eaa789b32c39b2 100644
--- a/x-pack/plugins/spaces/server/routes/lib/get_space_by_id.ts
+++ b/x-pack/plugins/spaces/server/routes/lib/get_space_by_id.ts
@@ -4,14 +4,19 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 import { Space } from '../../../common/model/space';
+import { SpacesClient } from '../../lib/spaces_client';
 import { convertSavedObjectToSpace } from './convert_saved_object_to_space';
 
-export async function getSpaceById(client: any, spaceId: string): Promise<Space | null> {
+export async function getSpaceById(
+  client: SpacesClient,
+  spaceId: string,
+  errors: any
+): Promise<Space | null> {
   try {
-    const existingSpace = await client.get('space', spaceId);
+    const existingSpace = await client.get(spaceId);
     return convertSavedObjectToSpace(existingSpace);
   } catch (error) {
-    if (client.errors.isNotFoundError(error)) {
+    if (errors.isNotFoundError(error)) {
       return null;
     }
     throw error;
diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js
index 1b05203e4dd096..65fa2787c09afc 100644
--- a/x-pack/scripts/functional_tests.js
+++ b/x-pack/scripts/functional_tests.js
@@ -13,6 +13,9 @@ require('@kbn/test').runTestsCli([
   require.resolve('../test/functional/config.js'),
   require.resolve('../test/api_integration/config.js'),
   require.resolve('../test/saml_api_integration/config.js'),
-  require.resolve('../test/rbac_api_integration/config.js'),
-  require.resolve('../test/spaces_api_integration/config.js'),
+  require.resolve('../test/spaces_api_integration/spaces_only/config'),
+  require.resolve('../test/spaces_api_integration/security_and_spaces/config'),
+  require.resolve('../test/saved_object_api_integration/security_and_spaces/config'),
+  require.resolve('../test/saved_object_api_integration/security_only/config'),
+  require.resolve('../test/saved_object_api_integration/spaces_only/config'),
 ]);
diff --git a/x-pack/test/rbac_api_integration/apis/es/has_privileges.js b/x-pack/test/api_integration/apis/es/has_privileges.js
similarity index 100%
rename from x-pack/test/rbac_api_integration/apis/es/has_privileges.js
rename to x-pack/test/api_integration/apis/es/has_privileges.js
diff --git a/x-pack/test/rbac_api_integration/apis/es/index.js b/x-pack/test/api_integration/apis/es/index.js
similarity index 100%
rename from x-pack/test/rbac_api_integration/apis/es/index.js
rename to x-pack/test/api_integration/apis/es/index.js
diff --git a/x-pack/test/rbac_api_integration/apis/es/post_privileges.js b/x-pack/test/api_integration/apis/es/post_privileges.js
similarity index 100%
rename from x-pack/test/rbac_api_integration/apis/es/post_privileges.js
rename to x-pack/test/api_integration/apis/es/post_privileges.js
diff --git a/x-pack/test/api_integration/apis/index.js b/x-pack/test/api_integration/apis/index.js
index 7f105650141d95..85b11bb9ef71eb 100644
--- a/x-pack/test/api_integration/apis/index.js
+++ b/x-pack/test/api_integration/apis/index.js
@@ -6,6 +6,7 @@
 
 export default function ({ loadTestFile }) {
   describe('apis', () => {
+    loadTestFile(require.resolve('./es'));
     loadTestFile(require.resolve('./security'));
     loadTestFile(require.resolve('./monitoring'));
     loadTestFile(require.resolve('./xpack_main'));
diff --git a/x-pack/test/rbac_api_integration/apis/privileges/index.js b/x-pack/test/rbac_api_integration/apis/privileges/index.js
deleted file mode 100644
index 6f62720a227cfd..00000000000000
--- a/x-pack/test/rbac_api_integration/apis/privileges/index.js
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-import expect from 'expect.js';
-
-export default function ({ getService }) {
-  describe('privileges', () => {
-    it(`get should return privileges`, async () => {
-      const supertest = getService('supertest');
-      const kibanaServer = getService('kibanaServer');
-      const version = await kibanaServer.version.get();
-
-      await supertest
-        .get(`/api/security/v1/privileges`)
-        .expect(200)
-        .then(resp => {
-          expect(resp.body).to.eql([
-            {
-              application: 'kibana-.kibana',
-              name: 'all',
-              actions: [`version:${version}`, 'action:*'],
-              metadata: {},
-            },
-            {
-              application: 'kibana-.kibana',
-              name: 'read',
-              actions: [
-                `version:${version}`,
-                'action:login',
-                'action:saved_objects/config/get',
-                'action:saved_objects/config/bulk_get',
-                'action:saved_objects/config/find',
-                'action:saved_objects/timelion-sheet/get',
-                'action:saved_objects/timelion-sheet/bulk_get',
-                'action:saved_objects/timelion-sheet/find',
-                'action:saved_objects/telemetry/get',
-                'action:saved_objects/telemetry/bulk_get',
-                'action:saved_objects/telemetry/find',
-                'action:saved_objects/graph-workspace/get',
-                'action:saved_objects/graph-workspace/bulk_get',
-                'action:saved_objects/graph-workspace/find',
-                'action:saved_objects/space/get',
-                'action:saved_objects/space/bulk_get',
-                'action:saved_objects/space/find',
-                'action:saved_objects/index-pattern/get',
-                'action:saved_objects/index-pattern/bulk_get',
-                'action:saved_objects/index-pattern/find',
-                'action:saved_objects/visualization/get',
-                'action:saved_objects/visualization/bulk_get',
-                'action:saved_objects/visualization/find',
-                'action:saved_objects/search/get',
-                'action:saved_objects/search/bulk_get',
-                'action:saved_objects/search/find',
-                'action:saved_objects/dashboard/get',
-                'action:saved_objects/dashboard/bulk_get',
-                'action:saved_objects/dashboard/find',
-                'action:saved_objects/url/get',
-                'action:saved_objects/url/bulk_get',
-                'action:saved_objects/url/find',
-                'action:saved_objects/server/get',
-                'action:saved_objects/server/bulk_get',
-                'action:saved_objects/server/find',
-              ],
-              metadata: {},
-            },
-          ]);
-        });
-    });
-  });
-}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
deleted file mode 100644
index 6785859e42fbfb..00000000000000
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { AUTHENTICATION } from './lib/authentication';
-
-export default function ({ getService }) {
-  const supertest = getService('supertestWithoutAuth');
-  const esArchiver = getService('esArchiver');
-
-  const BULK_REQUESTS = [
-    {
-      type: 'visualization',
-      id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
-    },
-    {
-      type: 'dashboard',
-      id: 'does not exist',
-    },
-    {
-      type: 'config',
-      id: '7.0.0-alpha1',
-    },
-  ];
-
-  describe('_bulk_get', () => {
-    const expectResults = resp => {
-      expect(resp.body).to.eql({
-        saved_objects: [
-          {
-            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
-            type: 'visualization',
-            updated_at: '2017-09-21T18:51:23.794Z',
-            version: resp.body.saved_objects[0].version,
-            attributes: {
-              title: 'Count of requests',
-              description: '',
-              version: 1,
-              // cheat for some of the more complex attributes
-              visState: resp.body.saved_objects[0].attributes.visState,
-              uiStateJSON: resp.body.saved_objects[0].attributes.uiStateJSON,
-              kibanaSavedObjectMeta:
-                resp.body.saved_objects[0].attributes.kibanaSavedObjectMeta,
-            },
-          },
-          {
-            id: 'does not exist',
-            type: 'dashboard',
-            error: {
-              statusCode: 404,
-              message: 'Not found',
-            },
-          },
-          {
-            id: '7.0.0-alpha1',
-            type: 'config',
-            updated_at: '2017-09-21T18:49:16.302Z',
-            version: resp.body.saved_objects[2].version,
-            attributes: {
-              buildNum: 8467,
-              defaultIndex: '91200a00-9efd-11e7-acb3-3dab96693fab',
-            },
-          },
-        ],
-      });
-    };
-
-    const expectRbacForbidden = resp => {
-      //eslint-disable-next-line max-len
-      const missingActions = `action:saved_objects/config/bulk_get,action:saved_objects/dashboard/bulk_get,action:saved_objects/visualization/bulk_get`;
-      expect(resp.body).to.eql({
-        statusCode: 403,
-        error: 'Forbidden',
-        message: `Unable to bulk_get config,dashboard,visualization, missing ${missingActions}`
-      });
-    };
-
-    const bulkGetTest = (description, { auth, tests }) => {
-      describe(description, () => {
-        before(() => esArchiver.load('saved_objects/basic'));
-        after(() => esArchiver.unload('saved_objects/basic'));
-
-        it(`should return ${tests.default.statusCode}`, async () => {
-          await supertest
-            .post(`/api/saved_objects/_bulk_get`)
-            .auth(auth.username, auth.password)
-            .send(BULK_REQUESTS)
-            .expect(tests.default.statusCode)
-            .then(tests.default.response);
-        });
-      });
-    };
-
-    bulkGetTest(`not a kibana user`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        }
-      }
-    });
-
-    bulkGetTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectResults,
-        },
-      }
-    });
-
-    bulkGetTest(`kibana legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectResults,
-        },
-      }
-    });
-
-    bulkGetTest(`kibana legacy dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectResults,
-        },
-      }
-    });
-
-    bulkGetTest(`kibana dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectResults,
-        },
-      }
-    });
-
-    bulkGetTest(`kibana dual-privileges dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectResults,
-        },
-      }
-    });
-
-    bulkGetTest(`kibana rbac user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectResults,
-        },
-      }
-    });
-
-    bulkGetTest(`kibana rbac dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectResults,
-        },
-      }
-    });
-  });
-}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/create.js b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
deleted file mode 100644
index 6a949004371f8f..00000000000000
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
+++ /dev/null
@@ -1,172 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { AUTHENTICATION } from './lib/authentication';
-
-export default function ({ getService }) {
-  const supertest = getService('supertestWithoutAuth');
-  const esArchiver = getService('esArchiver');
-
-  describe('create', () => {
-    const expectResults = (resp) => {
-      expect(resp.body).to.have.property('id').match(/^[0-9a-f-]{36}$/);
-
-      // loose ISO8601 UTC time with milliseconds validation
-      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
-
-      expect(resp.body).to.eql({
-        id: resp.body.id,
-        type: 'visualization',
-        updated_at: resp.body.updated_at,
-        version: 1,
-        attributes: {
-          title: 'My favorite vis'
-        }
-      });
-    };
-
-    const expectRbacForbidden = resp => {
-      expect(resp.body).to.eql({
-        statusCode: 403,
-        error: 'Forbidden',
-        message: `Unable to create visualization, missing action:saved_objects/visualization/create`
-      });
-    };
-
-    const createExpectLegacyForbidden = username => resp => {
-      expect(resp.body).to.eql({
-        statusCode: 403,
-        error: 'Forbidden',
-        //eslint-disable-next-line max-len
-        message: `action [indices:data/write/index] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/index] is unauthorized for user [${username}]`
-      });
-    };
-
-    const createTest = (description, { auth, tests }) => {
-      describe(description, () => {
-        before(() => esArchiver.load('saved_objects/basic'));
-        after(() => esArchiver.unload('saved_objects/basic'));
-        it(`should return ${tests.default.statusCode}`, async () => {
-          await supertest
-            .post(`/api/saved_objects/visualization`)
-            .auth(auth.username, auth.password)
-            .send({
-              attributes: {
-                title: 'My favorite vis'
-              }
-            })
-            .expect(tests.default.statusCode)
-            .then(tests.default.response);
-        });
-      });
-    };
-
-    createTest(`not a kibana user`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-      }
-    });
-
-    createTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectResults,
-        },
-      }
-    });
-
-    createTest(`kibana legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectResults,
-        },
-      }
-    });
-
-    createTest(`kibana legacy dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
-        },
-      }
-    });
-
-    createTest(`kibana dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectResults,
-        },
-      }
-    });
-
-    createTest(`kibana dual-privileges dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-      }
-    });
-
-    createTest(`kibana rbac user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectResults,
-        },
-      }
-    });
-
-    createTest(`kibana rbac dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        default: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-      }
-    });
-  });
-}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
deleted file mode 100644
index 5885eb7919c7bd..00000000000000
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { AUTHENTICATION } from './lib/authentication';
-
-export default function ({ getService }) {
-  const supertest = getService('supertestWithoutAuth');
-  const esArchiver = getService('esArchiver');
-
-  describe('delete', () => {
-
-    const expectEmpty = (resp) => {
-      expect(resp.body).to.eql({});
-    };
-
-    const expectNotFound = (resp) => {
-      expect(resp.body).to.eql({
-        statusCode: 404,
-        error: 'Not Found',
-        message: 'Saved object [dashboard/not-a-real-id] not found'
-      });
-    };
-
-    const expectRbacForbidden = resp => {
-      expect(resp.body).to.eql({
-        statusCode: 403,
-        error: 'Forbidden',
-        message: `Unable to delete dashboard, missing action:saved_objects/dashboard/delete`
-      });
-    };
-
-    const createExpectLegacyForbidden = username => resp => {
-      expect(resp.body).to.eql({
-        statusCode: 403,
-        error: 'Forbidden',
-        //eslint-disable-next-line max-len
-        message: `action [indices:data/write/delete] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/delete] is unauthorized for user [${username}]`
-      });
-    };
-
-    const deleteTest = (description, { auth, tests }) => {
-      describe(description, () => {
-        before(() => esArchiver.load('saved_objects/basic'));
-        after(() => esArchiver.unload('saved_objects/basic'));
-
-        it(`should return ${tests.actualId.statusCode} when deleting a doc`, async () => (
-          await supertest
-            .delete(`/api/saved_objects/dashboard/be3733a0-9efe-11e7-acb3-3dab96693fab`)
-            .auth(auth.username, auth.password)
-            .expect(tests.actualId.statusCode)
-            .then(tests.actualId.response)
-        ));
-
-        it(`should return ${tests.invalidId.statusCode} when deleting an unknown doc`, async () => (
-          await supertest
-            .delete(`/api/saved_objects/dashboard/not-a-real-id`)
-            .auth(auth.username, auth.password)
-            .expect(tests.invalidId.statusCode)
-            .then(tests.invalidId.response)
-        ));
-      });
-    };
-
-    deleteTest(`not a kibana user`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
-      tests: {
-        actualId: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-        invalidId: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        }
-      }
-    });
-
-    deleteTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
-      tests: {
-        actualId: {
-          statusCode: 200,
-          response: expectEmpty,
-        },
-        invalidId: {
-          statusCode: 404,
-          response: expectNotFound,
-        }
-      }
-    });
-
-    deleteTest(`kibana legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
-      tests: {
-        actualId: {
-          statusCode: 200,
-          response: expectEmpty,
-        },
-        invalidId: {
-          statusCode: 404,
-          response: expectNotFound,
-        }
-      }
-    });
-
-    deleteTest(`kibana legacy dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        actualId: {
-          statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
-        },
-        invalidId: {
-          statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
-        }
-      }
-    });
-
-    deleteTest(`kibana dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
-      tests: {
-        actualId: {
-          statusCode: 200,
-          response: expectEmpty,
-        },
-        invalidId: {
-          statusCode: 404,
-          response: expectNotFound,
-        }
-      }
-    });
-
-    deleteTest(`kibana dual-privileges dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        actualId: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-        invalidId: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        }
-      }
-    });
-
-    deleteTest(`kibana rbac user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
-      tests: {
-        actualId: {
-          statusCode: 200,
-          response: expectEmpty,
-        },
-        invalidId: {
-          statusCode: 404,
-          response: expectNotFound,
-        }
-      }
-    });
-
-    deleteTest(`kibana rbac dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        actualId: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-        invalidId: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        }
-      }
-    });
-  });
-}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
deleted file mode 100644
index ca9b9bb2ec1c22..00000000000000
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
+++ /dev/null
@@ -1,424 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { AUTHENTICATION } from './lib/authentication';
-
-export default function ({ getService }) {
-  const supertest = getService('supertestWithoutAuth');
-  const esArchiver = getService('esArchiver');
-
-  describe('find', () => {
-
-    const expectVisualizationResults = (resp) => {
-      expect(resp.body).to.eql({
-        page: 1,
-        per_page: 20,
-        total: 1,
-        saved_objects: [
-          {
-            type: 'visualization',
-            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
-            version: 1,
-            attributes: {
-              'title': 'Count of requests'
-            }
-          }
-        ]
-      });
-    };
-
-    const expectResultsWithValidTypes = (resp) => {
-      expect(resp.body).to.eql({
-        page: 1,
-        per_page: 20,
-        total: 4,
-        saved_objects: [
-          {
-            id: '91200a00-9efd-11e7-acb3-3dab96693fab',
-            type: 'index-pattern',
-            updated_at: '2017-09-21T18:49:16.270Z',
-            version: 1,
-            attributes: resp.body.saved_objects[0].attributes
-          },
-          {
-            id: '7.0.0-alpha1',
-            type: 'config',
-            updated_at: '2017-09-21T18:49:16.302Z',
-            version: 1,
-            attributes: resp.body.saved_objects[1].attributes
-          },
-          {
-            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
-            type: 'visualization',
-            updated_at: '2017-09-21T18:51:23.794Z',
-            version: 1,
-            attributes: resp.body.saved_objects[2].attributes
-          },
-          {
-            id: 'be3733a0-9efe-11e7-acb3-3dab96693fab',
-            type: 'dashboard',
-            updated_at: '2017-09-21T18:57:40.826Z',
-            version: 1,
-            attributes: resp.body.saved_objects[3].attributes
-          },
-        ]
-      });
-    };
-
-    const createExpectEmpty = (page, perPage, total) => (resp) => {
-      expect(resp.body).to.eql({
-        page: page,
-        per_page: perPage,
-        total: total,
-        saved_objects: []
-      });
-    };
-
-    const createExpectRbacForbidden = (type) => resp => {
-      expect(resp.body).to.eql({
-        statusCode: 403,
-        error: 'Forbidden',
-        message: `Unable to find ${type}, missing action:saved_objects/${type}/find`
-      });
-    };
-
-    const expectForbiddenCantFindAnyTypes = resp => {
-      expect(resp.body).to.eql({
-        statusCode: 403,
-        error: 'Forbidden',
-        message: `Not authorized to find saved_object`
-      });
-    };
-
-    const findTest = (description, { auth, tests }) => {
-      describe(description, () => {
-        before(() => esArchiver.load('saved_objects/basic'));
-        after(() => esArchiver.unload('saved_objects/basic'));
-
-        it(`should return ${tests.normal.statusCode} with ${tests.normal.description}`, async () => (
-          await supertest
-            .get('/api/saved_objects/_find?type=visualization&fields=title')
-            .auth(auth.username, auth.password)
-            .expect(tests.normal.statusCode)
-            .then(tests.normal.response)
-        ));
-
-        describe('unknown type', () => {
-          it(`should return ${tests.unknownType.statusCode} with ${tests.unknownType.description}`, async () => (
-            await supertest
-              .get('/api/saved_objects/_find?type=wigwags')
-              .auth(auth.username, auth.password)
-              .expect(tests.unknownType.statusCode)
-              .then(tests.unknownType.response)
-          ));
-        });
-
-        describe('page beyond total', () => {
-          it(`should return ${tests.pageBeyondTotal.statusCode} with ${tests.pageBeyondTotal.description}`, async () => (
-            await supertest
-              .get('/api/saved_objects/_find?type=visualization&page=100&per_page=100')
-              .auth(auth.username, auth.password)
-              .expect(tests.pageBeyondTotal.statusCode)
-              .then(tests.pageBeyondTotal.response)
-          ));
-        });
-
-        describe('unknown search field', () => {
-          it(`should return ${tests.unknownSearchField.statusCode} with ${tests.unknownSearchField.description}`, async () => (
-            await supertest
-              .get('/api/saved_objects/_find?type=wigwags&search_fields=a')
-              .auth(auth.username, auth.password)
-              .expect(tests.unknownSearchField.statusCode)
-              .then(tests.unknownSearchField.response)
-          ));
-        });
-
-        describe('no type', () => {
-          it(`should return ${tests.noType.statusCode} with ${tests.noType.description}`, async () => (
-            await supertest
-              .get('/api/saved_objects/_find')
-              .auth(auth.username, auth.password)
-              .expect(tests.noType.statusCode)
-              .then(tests.noType.response)
-          ));
-        });
-      });
-    };
-
-    findTest(`not a kibana user`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
-      tests: {
-        normal: {
-          description: 'forbidden login and find visualization message',
-          statusCode: 403,
-          response: createExpectRbacForbidden('visualization'),
-        },
-        unknownType: {
-          description: 'forbidden login and find wigwags message',
-          statusCode: 403,
-          response: createExpectRbacForbidden('wigwags'),
-        },
-        pageBeyondTotal: {
-          description: 'forbidden login and find visualization message',
-          statusCode: 403,
-          response: createExpectRbacForbidden('visualization'),
-        },
-        unknownSearchField: {
-          description: 'forbidden login and find wigwags message',
-          statusCode: 403,
-          response: createExpectRbacForbidden('wigwags'),
-        },
-        noType: {
-          description: `forbidded can't find any types`,
-          statusCode: 403,
-          response: expectForbiddenCantFindAnyTypes,
-        }
-      }
-    });
-
-    findTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
-      tests: {
-        normal: {
-          description: 'only the visualization',
-          statusCode: 200,
-          response: expectVisualizationResults,
-        },
-        unknownType: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(1, 20, 0),
-        },
-        pageBeyondTotal: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(100, 100, 1),
-        },
-        unknownSearchField: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(1, 20, 0),
-        },
-        noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: expectResultsWithValidTypes,
-        },
-      },
-    });
-
-    findTest(`kibana legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
-      tests: {
-        normal: {
-          description: 'only the visualization',
-          statusCode: 200,
-          response: expectVisualizationResults,
-        },
-        unknownType: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(1, 20, 0),
-        },
-        pageBeyondTotal: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(100, 100, 1),
-        },
-        unknownSearchField: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(1, 20, 0),
-        },
-        noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: expectResultsWithValidTypes,
-        },
-      },
-    });
-
-    findTest(`kibana legacy dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        normal: {
-          description: 'only the visualization',
-          statusCode: 200,
-          response: expectVisualizationResults,
-        },
-        unknownType: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(1, 20, 0),
-        },
-        pageBeyondTotal: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(100, 100, 1),
-        },
-        unknownSearchField: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(1, 20, 0),
-        },
-        noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: expectResultsWithValidTypes,
-        },
-      }
-    });
-
-    findTest(`kibana dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
-      tests: {
-        normal: {
-          description: 'only the visualization',
-          statusCode: 200,
-          response: expectVisualizationResults,
-        },
-        unknownType: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(1, 20, 0),
-        },
-        pageBeyondTotal: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(100, 100, 1),
-        },
-        unknownSearchField: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(1, 20, 0),
-        },
-        noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: expectResultsWithValidTypes,
-        },
-      },
-    });
-
-    findTest(`kibana dual-privileges dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        normal: {
-          description: 'only the visualization',
-          statusCode: 200,
-          response: expectVisualizationResults,
-        },
-        unknownType: {
-          description: 'forbidden find wigwags message',
-          statusCode: 403,
-          response: createExpectRbacForbidden('wigwags'),
-        },
-        pageBeyondTotal: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(100, 100, 1),
-        },
-        unknownSearchField: {
-          description: 'forbidden find wigwags message',
-          statusCode: 403,
-          response: createExpectRbacForbidden('wigwags'),
-        },
-        noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: expectResultsWithValidTypes,
-        },
-      }
-    });
-
-    findTest(`kibana rbac user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
-      tests: {
-        normal: {
-          description: 'only the visualization',
-          statusCode: 200,
-          response: expectVisualizationResults,
-        },
-        unknownType: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(1, 20, 0),
-        },
-        pageBeyondTotal: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(100, 100, 1),
-        },
-        unknownSearchField: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(1, 20, 0),
-        },
-        noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: expectResultsWithValidTypes,
-        },
-      },
-    });
-
-    findTest(`kibana rbac dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        normal: {
-          description: 'only the visualization',
-          statusCode: 200,
-          response: expectVisualizationResults,
-        },
-        unknownType: {
-          description: 'forbidden find wigwags message',
-          statusCode: 403,
-          response: createExpectRbacForbidden('wigwags'),
-        },
-        pageBeyondTotal: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(100, 100, 1),
-        },
-        unknownSearchField: {
-          description: 'forbidden find wigwags message',
-          statusCode: 403,
-          response: createExpectRbacForbidden('wigwags'),
-        },
-        noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: expectResultsWithValidTypes,
-        },
-      }
-    });
-  });
-}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
deleted file mode 100644
index b640d120555932..00000000000000
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
+++ /dev/null
@@ -1,211 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { AUTHENTICATION } from './lib/authentication';
-
-export default function ({ getService }) {
-  const supertest = getService('supertestWithoutAuth');
-  const esArchiver = getService('esArchiver');
-
-  describe('get', () => {
-
-    const expectResults = (resp) => {
-      expect(resp.body).to.eql({
-        id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
-        type: 'visualization',
-        updated_at: '2017-09-21T18:51:23.794Z',
-        version: resp.body.version,
-        attributes: {
-          title: 'Count of requests',
-          description: '',
-          version: 1,
-          // cheat for some of the more complex attributes
-          visState: resp.body.attributes.visState,
-          uiStateJSON: resp.body.attributes.uiStateJSON,
-          kibanaSavedObjectMeta: resp.body.attributes.kibanaSavedObjectMeta
-        }
-      });
-    };
-
-    const expectNotFound = (resp) => {
-      expect(resp.body).to.eql({
-        error: 'Not Found',
-        message: 'Saved object [visualization/foobar] not found',
-        statusCode: 404,
-      });
-    };
-
-    const expectRbacForbidden = resp => {
-      expect(resp.body).to.eql({
-        statusCode: 403,
-        error: 'Forbidden',
-        message: `Unable to get visualization, missing action:saved_objects/visualization/get`
-      });
-    };
-
-    const getTest = (description, { auth, tests }) => {
-      describe(description, () => {
-        before(() => esArchiver.load('saved_objects/basic'));
-        after(() => esArchiver.unload('saved_objects/basic'));
-
-        it(`should return ${tests.exists.statusCode}`, async () => (
-          await supertest
-            .get(`/api/saved_objects/visualization/dd7caf20-9efd-11e7-acb3-3dab96693fab`)
-            .auth(auth.username, auth.password)
-            .expect(tests.exists.statusCode)
-            .then(tests.exists.response)
-        ));
-
-        describe('document does not exist', () => {
-          it(`should return ${tests.doesntExist.statusCode}`, async () => (
-            await supertest
-              .get(`/api/saved_objects/visualization/foobar`)
-              .auth(auth.username, auth.password)
-              .expect(tests.doesntExist.statusCode)
-              .then(tests.doesntExist.response)
-          ));
-        });
-      });
-    };
-
-    getTest(`not a kibana user`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-        doesntExist: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-      }
-    });
-
-    getTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-
-    getTest(`kibana legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-
-    getTest(`kibana legacy dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-
-    getTest(`kibana dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-
-    getTest(`kibana dual-privileges dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-
-    getTest(`kibana rbac user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-
-    getTest(`kibana rbac dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-  });
-}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
deleted file mode 100644
index f5ec186a2e4b2d..00000000000000
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
+++ /dev/null
@@ -1,153 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { AUTHENTICATION } from "./lib/authentication";
-
-export default function ({ loadTestFile, getService }) {
-  const es = getService('es');
-  const supertest = getService('supertest');
-
-  describe('saved_objects', () => {
-    before(async () => {
-      await supertest.put('/api/security/role/kibana_legacy_user')
-        .send({
-          elasticsearch: {
-            indices: [{
-              names: ['.kibana'],
-              privileges: ['manage', 'read', 'index', 'delete']
-            }]
-          }
-        });
-
-      await supertest.put('/api/security/role/kibana_legacy_dashboard_only_user')
-        .send({
-          elasticsearch: {
-            indices: [{
-              names: ['.kibana'],
-              privileges: ['read', 'view_index_metadata']
-            }]
-          }
-        });
-
-      await supertest.put('/api/security/role/kibana_dual_privileges_user')
-        .send({
-          elasticsearch: {
-            indices: [{
-              names: ['.kibana'],
-              privileges: ['manage', 'read', 'index', 'delete']
-            }]
-          },
-          kibana: {
-            global: ['all']
-          }
-        });
-
-      await supertest.put('/api/security/role/kibana_dual_privileges_dashboard_only_user')
-        .send({
-          elasticsearch: {
-            indices: [{
-              names: ['.kibana'],
-              privileges: ['read', 'view_index_metadata']
-            }]
-          },
-          kibana: {
-            global: ['read']
-          }
-        });
-
-      await supertest.put('/api/security/role/kibana_rbac_user')
-        .send({
-          kibana: {
-            global: ['all']
-          }
-
-        });
-
-      await supertest.put('/api/security/role/kibana_rbac_dashboard_only_user')
-        .send({
-          kibana: {
-            global: ['read']
-          }
-        });
-
-      await es.shield.putUser({
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        body: {
-          password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-          roles: [],
-          full_name: 'not a kibana user',
-          email: 'not_a_kibana_user@elastic.co',
-        }
-      });
-
-      await es.shield.putUser({
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        body: {
-          password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-          roles: ['kibana_legacy_user'],
-          full_name: 'a kibana legacy user',
-          email: 'a_kibana_legacy_user@elastic.co',
-        }
-      });
-
-      await es.shield.putUser({
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        body: {
-          password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-          roles: ["kibana_legacy_dashboard_only_user"],
-          full_name: 'a kibana legacy dashboard only user',
-          email: 'a_kibana_legacy_dashboard_only_user@elastic.co',
-        }
-      });
-
-      await es.shield.putUser({
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        body: {
-          password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-          roles: ['kibana_dual_privileges_user'],
-          full_name: 'a kibana dual_privileges user',
-          email: 'a_kibana_dual_privileges_user@elastic.co',
-        }
-      });
-
-      await es.shield.putUser({
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        body: {
-          password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-          roles: ["kibana_dual_privileges_dashboard_only_user"],
-          full_name: 'a kibana dual_privileges dashboard only user',
-          email: 'a_kibana_dual_privileges_dashboard_only_user@elastic.co',
-        }
-      });
-
-      await es.shield.putUser({
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        body: {
-          password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-          roles: ['kibana_rbac_user'],
-          full_name: 'a kibana user',
-          email: 'a_kibana_rbac_user@elastic.co',
-        }
-      });
-
-      await es.shield.putUser({
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        body: {
-          password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-          roles: ["kibana_rbac_dashboard_only_user"],
-          full_name: 'a kibana dashboard only user',
-          email: 'a_kibana_rbac_dashboard_only_user@elastic.co',
-        }
-      });
-    });
-    loadTestFile(require.resolve('./bulk_get'));
-    loadTestFile(require.resolve('./create'));
-    loadTestFile(require.resolve('./delete'));
-    loadTestFile(require.resolve('./find'));
-    loadTestFile(require.resolve('./get'));
-    loadTestFile(require.resolve('./update'));
-  });
-}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
deleted file mode 100644
index a4a17ba67fd5eb..00000000000000
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { AUTHENTICATION } from './lib/authentication';
-
-export default function ({ getService }) {
-  const supertest = getService('supertestWithoutAuth');
-  const esArchiver = getService('esArchiver');
-
-  describe('update', () => {
-    const expectResults = resp => {
-      // loose uuid validation
-      expect(resp.body).to.have.property('id').match(/^[0-9a-f-]{36}$/);
-
-      // loose ISO8601 UTC time with milliseconds validation
-      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
-
-      expect(resp.body).to.eql({
-        id: resp.body.id,
-        type: 'visualization',
-        updated_at: resp.body.updated_at,
-        version: 2,
-        attributes: {
-          title: 'My second favorite vis'
-        }
-      });
-    };
-
-    const expectNotFound = resp => {
-      expect(resp.body).eql({
-        statusCode: 404,
-        error: 'Not Found',
-        message: 'Saved object [visualization/not an id] not found'
-      });
-    };
-
-    const expectRbacForbidden = resp => {
-      expect(resp.body).to.eql({
-        statusCode: 403,
-        error: 'Forbidden',
-        message: `Unable to update visualization, missing action:saved_objects/visualization/update`
-      });
-    };
-
-    const createExpectLegacyForbidden = username => resp => {
-      expect(resp.body).to.eql({
-        statusCode: 403,
-        error: 'Forbidden',
-        //eslint-disable-next-line max-len
-        message: `action [indices:data/write/update] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/update] is unauthorized for user [${username}]`
-      });
-    };
-
-    const updateTest = (description, { auth, tests }) => {
-      describe(description, () => {
-        before(() => esArchiver.load('saved_objects/basic'));
-        after(() => esArchiver.unload('saved_objects/basic'));
-        it(`should return ${tests.exists.statusCode}`, async () => {
-          await supertest
-            .put(`/api/saved_objects/visualization/dd7caf20-9efd-11e7-acb3-3dab96693fab`)
-            .auth(auth.username, auth.password)
-            .send({
-              attributes: {
-                title: 'My second favorite vis'
-              }
-            })
-            .expect(tests.exists.statusCode)
-            .then(tests.exists.response);
-        });
-
-        describe('unknown id', () => {
-          it(`should return ${tests.doesntExist.statusCode}`, async () => {
-            await supertest
-              .put(`/api/saved_objects/visualization/not an id`)
-              .auth(auth.username, auth.password)
-              .send({
-                attributes: {
-                  title: 'My second favorite vis'
-                }
-              })
-              .expect(tests.doesntExist.statusCode)
-              .then(tests.doesntExist.response);
-          });
-        });
-      });
-    };
-
-    updateTest(`not a kibana user`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-        doesntExist: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-      }
-    });
-
-    updateTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-
-    updateTest(`kibana legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-
-    updateTest(`kibana legacy dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
-        },
-        doesntExist: {
-          statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
-        },
-      }
-    });
-
-    updateTest(`kibana dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-
-    updateTest(`kibana dual-privileges dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-        doesntExist: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-      }
-    });
-
-    updateTest(`kibana rbac user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-
-    updateTest(`kibana rbac dashboard only user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
-      tests: {
-        exists: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-        doesntExist: {
-          statusCode: 403,
-          response: expectRbacForbidden,
-        },
-      }
-    });
-
-  });
-}
diff --git a/x-pack/test/rbac_api_integration/config.js b/x-pack/test/rbac_api_integration/config.js
deleted file mode 100644
index 3ea5546f09cf10..00000000000000
--- a/x-pack/test/rbac_api_integration/config.js
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import path from 'path';
-import { resolveKibanaPath } from '@kbn/plugin-helpers';
-import { EsProvider } from './services/es';
-
-export default async function ({ readConfigFile }) {
-
-  const config = {
-    kibana: {
-      api: await readConfigFile(resolveKibanaPath('test/api_integration/config.js')),
-      functional: await readConfigFile(require.resolve('../../../test/functional/config.js'))
-    },
-    xpack: {
-      api: await readConfigFile(require.resolve('../api_integration/config.js'))
-    }
-  };
-
-  return {
-    testFiles: [require.resolve('./apis')],
-    servers: config.xpack.api.get('servers'),
-    services: {
-      es: EsProvider,
-      esSupertestWithoutAuth: config.xpack.api.get('services.esSupertestWithoutAuth'),
-      supertest: config.kibana.api.get('services.supertest'),
-      supertestWithoutAuth: config.xpack.api.get('services.supertestWithoutAuth'),
-      esArchiver: config.kibana.functional.get('services.esArchiver'),
-      kibanaServer: config.kibana.functional.get('services.kibanaServer'),
-    },
-    junit: {
-      reportName: 'X-Pack RBAC API Integration Tests',
-    },
-
-    // The saved_objects/basic archives are almost an exact replica of the ones in OSS
-    // with the exception of a bogus "not-a-visualization" type that I added to make sure
-    // the find filtering without a type specified worked correctly. Once we have the ability
-    // to specify more granular access to the objects via the Kibana privileges, this should
-    // no longer be necessary, and it's only required as long as we do read/all privileges.
-    esArchiver: {
-      directory: path.join(__dirname, 'fixtures', 'es_archiver')
-    },
-
-    esTestCluster: {
-      ...config.xpack.api.get('esTestCluster'),
-      serverArgs: [
-        ...config.xpack.api.get('esTestCluster.serverArgs'),
-      ],
-    },
-
-    kbnTestServer: {
-      ...config.xpack.api.get('kbnTestServer'),
-      serverArgs: [
-        ...config.xpack.api.get('kbnTestServer.serverArgs'),
-        '--optimize.enabled=false',
-        '--server.xsrf.disableProtection=true',
-      ],
-    },
-  };
-}
diff --git a/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/data.json.gz b/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/data.json.gz
deleted file mode 100644
index 910382479979df82f1c8d640cf8aba428bbb393f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1837
zcmV+|2h#W-iwFP!000026YX1DZ`(E$e$THkytg4XBs+~0J$38Qp+j$If(}>{7_@jK
zaiv6!q;hHC|2~qs$IfkO>SHV~ZFEQ;e*AcDmdLA}!C<H_a~KALAr;|p*9y)EFRbLs
zJeWt8QMj-j#$VZjWW;q^GtPFUR^SGVa-ucJEI9Nho<}@ybO;e0`991>BwS2KQ%V+x
z`}>E}h%D;yN)$3|r|wMB(^+*l%|%X$20AC&cA9wpY~&q|CjPO15bPZW{{DC}^Zsi4
z_tmuX*qNB-ZYnNfrHM*LKR4rCa|*8+aQdF4uG>p1F&)#q+byzPlx_cVbu!FM-;-f*
zGJI*eDiWKA-4nMaCskUqEOxR`6qz<c&-|@I$#SzQ^B57Xz>0v#Fd++W2WnYZ8Hr;F
zG0~N@?ka)M*HWaviSV=CNL9Bjch?~rOLG2%s4D3?P`2qBCQV|6h$0II7eBSh^$}Sg
z*aV(Aqnn{-&1TJ=YvX~VLLslYdsd_ikPn7a3m<39^D?&f5p{(dfK=i@vSTI|+WD{q
z9|s3h@L61HP~XL%zXO<%GeZx%76+^6AB+VqG-Qg243F_NkT4lg3}PG#At}qqiYb}K
zc`jJxfg3<ZO=88wl#(GbIG7kpOfNGvqGGW|gvsL)p%7&>iv|-r*NfN9WwWO)T_3nn
z4i2iFLXqb=%f2ECI1Ub`T}nxqunfim5lJm3j7&+AVhKShq(WZeL8HmoD3oY+%mR|Y
ziJJzEbz4-00y&PDRJxSo1INiaY@4&LJjrpHyMzcNpfUE!&R>a4+jkH|Y8G+`QbAe7
zfX?k(NE|O9Z$O$C3(i!s4Nw(?8r7?V+i_ybqBkJbBu3As!HAei5eMeCzMB@aY4%~_
z=98tUKK|VRa0@sL5@2zn(NkIB+y+L^8Py4XLLE%pd@814j;jj41te}R-Ej=eJUW2L
zIegmhtB<G9z{1U7AvtCO4LrpB>2qe!Sp^}H6fKKgkXyjzHWcP-ux<gfxJ&dN$}M2i
zRvGBYv>>;DOWdVU4<%wYF{g5LdHkOO6sjND4iGMmR4y`w$}dYqm{?Ld2?5df;1Ule
zhBkKwb`=Y%5Q!`%7CJ=qHR(bjaw-F6!#j04tZv{ecj|waJIkG&t0%eN6pAcjaWETu
zV{b%wo)G`;3ryvphumD6dXvu0rD}Zd%F?1>oW3toBR$yLpLMPwQHV&v^_zNW_qv4j
zBRM={svw+wBlg!}K<O+b(d3bL#CkgK$Mg$7m`umB!@UmEeKqUvh`q8VJrL2Ls!UY(
z4wzAJq|KDJqw$lfd^bL^GOF(~#Mrl!<V2Fx8u!(@)>zt;i?%H^lf*(^zGYeKo7SWB
zrJK=q5nM<&{wDw<TP}Coalc%+VfLn)Q)v)3EliF4KD>HV2~n6IPwpjzy&5327UfYU
zm5B4!VH+Sz=lY~Z)#&5~xjp4$+c{YPuU6exWB$uR7ik0E^K9Rm)2rq3)I2(CTwTrQ
zQrs-1iCAwT((9J!^sKIro9>TUooP-5txlN;nG$~2ilxxydTq>%7}xf6NVC7U@L~Rh
z3*B0q-SJZwWF-Uju{NwP?Tk(x++c|fY^6!~wL1G`+=-NPxdn75+ike_%Oz5i7@T?j
z3i=!%`)JSjs}6?-#49F44jrNC0x}o8Tw;&MvwBNcH`uL{P<ku`cUME2WJ2j%h#{k`
zh`Z;H-A$J5cSU>4&XQCsG|%sd{MzopvP@Ce%&jyg$ZXQ;%+)$j!;uOTNJ)K6O0w{p
z+b>;$t<+BLP-~;xJYh<UxIR$W(XSv*>x)g@xZ*CVuDey}$Uh_Hwvs}NGKUvNfBL4|
zHYq<ErYxJA@IJ4zyuVxBKcOb(E{u>?OIn^TyHT=WE=c}y^x=IKC{=!0VympKtueBK
z^U@J`vjxkZw$8gotF0G~L8?;hccf*WIwEI4KP>)+P`?9BdePqI8dsVexs1~RTAkN6
z9NZ_bI+hwAc1C5QzpU0;|9LWW{W!_u!o7&Jc3*^$xu894P%VFCmZn4{3qd3e7BHPn
zr^GE3{&R+I^xZQ%&w@Q~d@$MXWan1J`po=kO+rqXwpX&f``JrQG82{S?RJrpeS^8(
z@crHD!S2}9d6en<rZNY=mrA--L^m+rr`D;;W?m_kE>QcX%<aGw4!r7^B{ebX*f@Su
z!r$s|%e#HV28K_DOd&0`F7EUjkA+qBTC%|r<OBa;VD|6Dz@G$@y<mDU`2F4S$eVfI
z$~}5h!`p#>0xbvbmjfr0;Kd~HXKM#ah$N__4nfyll`@rca%t6mh@#Fwx1)u!D=714
zx21Lvul29*6eAw$;wv#CG5Ltwob-zedR5e~Hmd&Nv!S@~;Od>+9UC&CM`ZL|!#~&X
b&o%sW4gXxjKiBa8uNwYeR=}DNj7b0hF`<E~

diff --git a/x-pack/test/saved_object_api_integration/common/config.ts b/x-pack/test/saved_object_api_integration/common/config.ts
new file mode 100644
index 00000000000000..de1eb29ac63aba
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/config.ts
@@ -0,0 +1,73 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+// @ts-ignore
+import { resolveKibanaPath } from '@kbn/plugin-helpers';
+import path from 'path';
+import { TestInvoker } from './lib/types';
+// @ts-ignore
+import { EsProvider } from './services/es';
+
+interface CreateTestConfigOptions {
+  license: string;
+  disabledPlugins?: string[];
+}
+
+export function createTestConfig(name: string, options: CreateTestConfigOptions) {
+  const { license = 'trial', disabledPlugins = [] } = options;
+
+  return async ({ readConfigFile }: TestInvoker) => {
+    const config = {
+      kibana: {
+        api: await readConfigFile(resolveKibanaPath('test/api_integration/config.js')),
+        functional: await readConfigFile(require.resolve('../../../../test/functional/config.js')),
+      },
+      xpack: {
+        api: await readConfigFile(require.resolve('../../api_integration/config.js')),
+      },
+    };
+
+    return {
+      testFiles: [require.resolve(`../${name}/apis/`)],
+      servers: config.xpack.api.get('servers'),
+      services: {
+        es: EsProvider,
+        esSupertestWithoutAuth: config.xpack.api.get('services.esSupertestWithoutAuth'),
+        supertest: config.kibana.api.get('services.supertest'),
+        supertestWithoutAuth: config.xpack.api.get('services.supertestWithoutAuth'),
+        esArchiver: config.kibana.functional.get('services.esArchiver'),
+        kibanaServer: config.kibana.functional.get('services.kibanaServer'),
+      },
+      junit: {
+        reportName: 'X-Pack Saved Object API Integration Tests -- ' + name,
+      },
+
+      esArchiver: {
+        directory: path.join(__dirname, 'fixtures', 'es_archiver'),
+      },
+
+      esTestCluster: {
+        ...config.xpack.api.get('esTestCluster'),
+        license,
+        serverArgs: [
+          `xpack.license.self_generated.type=${license}`,
+          `xpack.security.enabled=${!disabledPlugins.includes('security') && license === 'trial'}`,
+        ],
+      },
+
+      kbnTestServer: {
+        ...config.xpack.api.get('kbnTestServer'),
+        serverArgs: [
+          ...config.xpack.api.get('kbnTestServer.serverArgs'),
+          '--optimize.enabled=false',
+          '--server.xsrf.disableProtection=true',
+          `--plugin-path=${path.join(__dirname, 'fixtures', 'namespace_agnostic_type_plugin')}`,
+          ...disabledPlugins.map(key => `--xpack.${key}.enabled=false`),
+        ],
+      },
+    };
+  };
+}
diff --git a/x-pack/test/saved_object_api_integration/common/fixtures/es_archiver/saved_objects/spaces/data.json b/x-pack/test/saved_object_api_integration/common/fixtures/es_archiver/saved_objects/spaces/data.json
new file mode 100644
index 00000000000000..5da6fb43ff1d45
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/fixtures/es_archiver/saved_objects/spaces/data.json
@@ -0,0 +1,349 @@
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space:default",
+    "source": {
+      "type": "space",
+      "updated_at": "2017-09-21T18:49:16.270Z",
+      "space": {
+        "name": "Default Space",
+        "description": "This is the default space",
+        "_reserved": true
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space:space_1",
+    "source": {
+      "type": "space",
+      "updated_at": "2017-09-21T18:49:16.270Z",
+      "space": {
+        "name": "Space 1",
+        "description": "This is the first test space"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space:space_2",
+    "source": {
+      "type": "space",
+      "updated_at": "2017-09-21T18:49:16.270Z",
+      "space": {
+        "name": "Space 2",
+        "description": "This is the second test space"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "index-pattern:91200a00-9efd-11e7-acb3-3dab96693fab",
+    "source": {
+      "type": "index-pattern",
+      "updated_at": "2017-09-21T18:49:16.270Z",
+      "index-pattern": {
+        "title": "logstash-*",
+        "timeFieldName": "@timestamp",
+        "fields": "[{\"name\":\"@message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@message.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@tags.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"clientip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extension.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geo.coordinates\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geo.dest\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geo.src\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geo.srcdest\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headings.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"index.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"links\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"links.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.os.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine.ram\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"memory\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.char\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.related\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta.user.firstname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta.user.lastname\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"phpmemory\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.article:modified_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.article:published_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.article:section\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.article:section.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.article:tag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.article:tag.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:description.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:image.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:image:height\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:image:height.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:image:width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:image:width.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:site_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:site_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:title.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:url.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:card\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:card.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:description.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:image.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:site.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:title.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.url.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spaces\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"spaces.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"url.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"utc_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"xss\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"xss.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "config:7.0.0-alpha1",
+    "source": {
+      "type": "config",
+      "updated_at": "2017-09-21T18:49:16.302Z",
+      "config": {
+        "buildNum": 8467,
+        "defaultIndex": "91200a00-9efd-11e7-acb3-3dab96693fab"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "visualization:dd7caf20-9efd-11e7-acb3-3dab96693fab",
+    "source": {
+      "type": "visualization",
+      "updated_at": "2017-09-21T18:51:23.794Z",
+      "visualization": {
+        "title": "Count of requests",
+        "visState": "{\"title\":\"Count of requests\",\"type\":\"area\",\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}",
+        "uiStateJSON": "{\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"91200a00-9efd-11e7-acb3-3dab96693fab\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "dashboard:be3733a0-9efe-11e7-acb3-3dab96693fab",
+    "source": {
+      "type": "dashboard",
+      "updated_at": "2017-09-21T18:57:40.826Z",
+      "dashboard": {
+        "title": "Requests",
+        "hits": 0,
+        "description": "",
+        "panelsJSON": "[{\"size_x\":6,\"size_y\":3,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"dd7caf20-9efd-11e7-acb3-3dab96693fab\",\"col\":1,\"row\":1}]",
+        "optionsJSON": "{\"darkTheme\":false}",
+        "uiStateJSON": "{}",
+        "version": 1,
+        "timeRestore": true,
+        "timeTo": "Fri Sep 18 2015 12:24:38 GMT-0700",
+        "timeFrom": "Wed Sep 16 2015 22:52:17 GMT-0700",
+        "refreshInterval": {
+          "display": "Off",
+          "pause": false,
+          "value": 0
+        },
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
+        }
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space_1:index-pattern:space_1-91200a00-9efd-11e7-acb3-3dab96693fab",
+    "source": {
+      "type": "index-pattern",
+      "updated_at": "2017-09-21T18:49:16.270Z",
+      "namespace": "space_1",
+      "index-pattern": {
+        "title": "logstash-*",
+        "timeFieldName": "@timestamp",
+        "fields": "[{\"name\":\"@message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@message.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@tags.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"clientip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extension.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geo.coordinates\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geo.dest\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geo.src\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geo.srcdest\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headings.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"index.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"links\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"links.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.os.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine.ram\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"memory\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.char\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.related\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta.user.firstname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta.user.lastname\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"phpmemory\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.article:modified_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.article:published_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.article:section\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.article:section.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.article:tag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.article:tag.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:description.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:image.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:image:height\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:image:height.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:image:width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:image:width.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:site_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:site_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:title.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:url.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:card\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:card.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:description.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:image.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:site.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:title.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.url.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spaces\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"spaces.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"url.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"utc_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"xss\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"xss.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space_1:config:7.0.0-alpha1",
+    "source": {
+      "type": "config",
+      "updated_at": "2017-09-21T18:49:16.302Z",
+      "namespace": "space_1",
+      "config": {
+        "buildNum": 8467,
+        "defaultIndex": "91200a00-9efd-11e7-acb3-3dab96693fab"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space_1:visualization:space_1-dd7caf20-9efd-11e7-acb3-3dab96693fab",
+    "source": {
+      "type": "visualization",
+      "updated_at": "2017-09-21T18:51:23.794Z",
+      "namespace": "space_1",
+      "visualization": {
+        "title": "Count of requests",
+        "visState": "{\"title\":\"Count of requests\",\"type\":\"area\",\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}",
+        "uiStateJSON": "{\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"91200a00-9efd-11e7-acb3-3dab96693fab\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space_1:dashboard:space_1-be3733a0-9efe-11e7-acb3-3dab96693fab",
+    "source": {
+      "type": "dashboard",
+      "updated_at": "2017-09-21T18:57:40.826Z",
+      "namespace": "space_1",
+      "dashboard": {
+        "title": "Requests",
+        "hits": 0,
+        "description": "",
+        "panelsJSON": "[{\"size_x\":6,\"size_y\":3,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"dd7caf20-9efd-11e7-acb3-3dab96693fab\",\"col\":1,\"row\":1}]",
+        "optionsJSON": "{\"darkTheme\":false}",
+        "uiStateJSON": "{}",
+        "version": 1,
+        "timeRestore": true,
+        "timeTo": "Fri Sep 18 2015 12:24:38 GMT-0700",
+        "timeFrom": "Wed Sep 16 2015 22:52:17 GMT-0700",
+        "refreshInterval": {
+          "display": "Off",
+          "pause": false,
+          "value": 0
+        },
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
+        }
+      }
+    }
+  }
+}
+
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space_2:index-pattern:space_2-91200a00-9efd-11e7-acb3-3dab96693fab",
+    "source": {
+      "type": "index-pattern",
+      "updated_at": "2017-09-21T18:49:16.270Z",
+      "namespace": "space_2",
+      "index-pattern": {
+        "title": "logstash-*",
+        "timeFieldName": "@timestamp",
+        "fields": "[{\"name\":\"@message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@message.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@tags.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"clientip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extension.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geo.coordinates\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geo.dest\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geo.src\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geo.srcdest\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headings.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"index.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"links\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"links.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.os.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine.ram\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"memory\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.char\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.related\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta.user.firstname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"meta.user.lastname\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"phpmemory\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.article:modified_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.article:published_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.article:section\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.article:section.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.article:tag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.article:tag.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:description.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:image.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:image:height\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:image:height.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:image:width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:image:width.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:site_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:site_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:title.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.og:url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.og:url.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:card\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:card.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:description.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:image.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:site.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.twitter:title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.twitter:title.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"relatedContent.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"relatedContent.url.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"spaces\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"spaces.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"url.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"utc_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"xss\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"xss.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space_2:config:7.0.0-alpha1",
+    "source": {
+      "type": "config",
+      "updated_at": "2017-09-21T18:49:16.302Z",
+      "namespace": "space_2",
+      "config": {
+        "buildNum": 8467,
+        "defaultIndex": "91200a00-9efd-11e7-acb3-3dab96693fab"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space_2:visualization:space_2-dd7caf20-9efd-11e7-acb3-3dab96693fab",
+    "source": {
+      "type": "visualization",
+      "updated_at": "2017-09-21T18:51:23.794Z",
+      "namespace": "space_2",
+      "visualization": {
+        "title": "Count of requests",
+        "visState": "{\"title\":\"Count of requests\",\"type\":\"area\",\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}",
+        "uiStateJSON": "{\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"91200a00-9efd-11e7-acb3-3dab96693fab\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space_2:dashboard:space_2-be3733a0-9efe-11e7-acb3-3dab96693fab",
+    "source": {
+      "type": "dashboard",
+      "updated_at": "2017-09-21T18:57:40.826Z",
+      "namespace": "space_2",
+      "dashboard": {
+        "title": "Requests",
+        "hits": 0,
+        "description": "",
+        "panelsJSON": "[{\"size_x\":6,\"size_y\":3,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"dd7caf20-9efd-11e7-acb3-3dab96693fab\",\"col\":1,\"row\":1}]",
+        "optionsJSON": "{\"darkTheme\":false}",
+        "uiStateJSON": "{}",
+        "version": 1,
+        "timeRestore": true,
+        "timeTo": "Fri Sep 18 2015 12:24:38 GMT-0700",
+        "timeFrom": "Wed Sep 16 2015 22:52:17 GMT-0700",
+        "refreshInterval": {
+          "display": "Off",
+          "pause": false,
+          "value": 0
+        },
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
+        }
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "globaltype:8121a00-8efd-21e7-1cb3-34ab966434445",
+    "source": {
+      "type": "globaltype",
+      "updated_at": "2017-09-21T18:59:16.270Z",
+      "globaltype": {
+        "name": "My favorite global object"
+      }
+    }
+  }
+}
diff --git a/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json b/x-pack/test/saved_object_api_integration/common/fixtures/es_archiver/saved_objects/spaces/mappings.json
similarity index 87%
rename from x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json
rename to x-pack/test/saved_object_api_integration/common/fixtures/es_archiver/saved_objects/spaces/mappings.json
index 107a45fab187bc..6cd530559c8f2d 100644
--- a/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json
+++ b/x-pack/test/saved_object_api_integration/common/fixtures/es_archiver/saved_objects/spaces/mappings.json
@@ -30,6 +30,34 @@
               }
             }
           },
+          "namespace": {
+            "type": "keyword"
+          },
+          "space": {
+            "properties": {
+              "name": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              },
+              "description": {
+                "type": "text"
+              },
+              "initials": {
+                "type": "keyword"
+              },
+              "color": {
+                "type": "keyword"
+              },
+              "_reserved": {
+                "type": "boolean"
+              }
+            }
+          },
           "dashboard": {
             "properties": {
               "description": {
@@ -274,10 +302,23 @@
                 "type": "text"
               }
             }
+          },
+          "globaltype": {
+            "properties": {
+              "name": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              }
+            }
           }
         }
       }
     },
     "aliases": {}
   }
-}
\ No newline at end of file
+}
diff --git a/x-pack/test/saved_object_api_integration/common/fixtures/namespace_agnostic_type_plugin/index.js b/x-pack/test/saved_object_api_integration/common/fixtures/namespace_agnostic_type_plugin/index.js
new file mode 100644
index 00000000000000..1417444df0661f
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/fixtures/namespace_agnostic_type_plugin/index.js
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import mappings from './mappings.json';
+
+export default function (kibana) {
+  return new kibana.Plugin({
+    require: [],
+    name: 'namespace_agnostic_type_plugin',
+    uiExports: {
+      savedObjectsSchema: {
+        globaltype: {
+          isNamespaceAgnostic: true
+        }
+      },
+      mappings,
+    },
+
+    config() {},
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/common/fixtures/namespace_agnostic_type_plugin/mappings.json b/x-pack/test/saved_object_api_integration/common/fixtures/namespace_agnostic_type_plugin/mappings.json
new file mode 100644
index 00000000000000..b30a2c3877b885
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/fixtures/namespace_agnostic_type_plugin/mappings.json
@@ -0,0 +1,15 @@
+{
+  "globaltype": {
+    "properties": {
+      "name": {
+        "type": "text",
+        "fields": {
+          "keyword": {
+            "type": "keyword",
+            "ignore_above": 2048
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/x-pack/test/saved_object_api_integration/common/fixtures/namespace_agnostic_type_plugin/package.json b/x-pack/test/saved_object_api_integration/common/fixtures/namespace_agnostic_type_plugin/package.json
new file mode 100644
index 00000000000000..1a0afbc6bfcb30
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/fixtures/namespace_agnostic_type_plugin/package.json
@@ -0,0 +1,7 @@
+{
+  "name": "namespace_agnostic_type_plugin",
+  "version": "0.0.0",
+  "kibana": {
+    "version": "kibana"
+  }
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js b/x-pack/test/saved_object_api_integration/common/lib/authentication.ts
similarity index 56%
rename from x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
rename to x-pack/test/saved_object_api_integration/common/lib/authentication.ts
index 5b158a6c8bf377..92888f3263ed9c 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
+++ b/x-pack/test/saved_object_api_integration/common/lib/authentication.ts
@@ -7,34 +7,50 @@
 export const AUTHENTICATION = {
   NOT_A_KIBANA_USER: {
     USERNAME: 'not_a_kibana_user',
-    PASSWORD: 'password'
+    PASSWORD: 'password',
   },
   SUPERUSER: {
     USERNAME: 'elastic',
-    PASSWORD: 'changeme'
+    PASSWORD: 'changeme',
   },
   KIBANA_LEGACY_USER: {
     USERNAME: 'a_kibana_legacy_user',
-    PASSWORD: 'password'
+    PASSWORD: 'password',
   },
   KIBANA_LEGACY_DASHBOARD_ONLY_USER: {
     USERNAME: 'a_kibana_legacy_dashboard_only_user',
-    PASSWORD: 'password'
+    PASSWORD: 'password',
   },
   KIBANA_DUAL_PRIVILEGES_USER: {
     USERNAME: 'a_kibana_dual_privileges_user',
-    PASSWORD: 'password'
+    PASSWORD: 'password',
   },
   KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER: {
     USERNAME: 'a_kibana_dual_privileges_dashboard_only_user',
-    PASSWORD: 'password'
+    PASSWORD: 'password',
   },
   KIBANA_RBAC_USER: {
     USERNAME: 'a_kibana_rbac_user',
-    PASSWORD: 'password'
+    PASSWORD: 'password',
   },
   KIBANA_RBAC_DASHBOARD_ONLY_USER: {
     USERNAME: 'a_kibana_rbac_dashboard_only_user',
-    PASSWORD: 'password'
-  }
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_DEFAULT_SPACE_ALL_USER: {
+    USERNAME: 'a_kibana_rbac_default_space_all_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_DEFAULT_SPACE_READ_USER: {
+    USERNAME: 'a_kibana_rbac_default_space_read_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_SPACE_1_ALL_USER: {
+    USERNAME: 'a_kibana_rbac_space_1_all_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_SPACE_1_READ_USER: {
+    USERNAME: 'a_kibana_rbac_space_1_read_user',
+    PASSWORD: 'password',
+  },
 };
diff --git a/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.ts b/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.ts
new file mode 100644
index 00000000000000..4dd2131f83ee41
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.ts
@@ -0,0 +1,213 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { SuperTest } from 'supertest';
+import { AUTHENTICATION } from './authentication';
+
+export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) => {
+  await supertest.put('/api/security/role/kibana_legacy_user').send({
+    elasticsearch: {
+      indices: [
+        {
+          names: ['.kibana'],
+          privileges: ['manage', 'read', 'index', 'delete'],
+        },
+      ],
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_legacy_dashboard_only_user').send({
+    elasticsearch: {
+      indices: [
+        {
+          names: ['.kibana'],
+          privileges: ['read', 'view_index_metadata'],
+        },
+      ],
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_dual_privileges_user').send({
+    elasticsearch: {
+      indices: [
+        {
+          names: ['.kibana'],
+          privileges: ['manage', 'read', 'index', 'delete'],
+        },
+      ],
+    },
+    kibana: {
+      global: ['all'],
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_dual_privileges_dashboard_only_user').send({
+    elasticsearch: {
+      indices: [
+        {
+          names: ['.kibana'],
+          privileges: ['read', 'view_index_metadata'],
+        },
+      ],
+    },
+    kibana: {
+      global: ['read'],
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_user').send({
+    kibana: {
+      global: ['all'],
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_dashboard_only_user').send({
+    kibana: {
+      global: ['read'],
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_default_space_all_user').send({
+    kibana: {
+      space: {
+        default: ['all'],
+      },
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_default_space_read_user').send({
+    kibana: {
+      space: {
+        default: ['read'],
+      },
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_space_1_all_user').send({
+    kibana: {
+      space: {
+        space_1: ['all'],
+      },
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_space_1_read_user').send({
+    kibana: {
+      space: {
+        space_1: ['read'],
+      },
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      roles: [],
+      full_name: 'not a kibana user',
+      email: 'not_a_kibana_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      roles: ['kibana_legacy_user'],
+      full_name: 'a kibana legacy user',
+      email: 'a_kibana_legacy_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      roles: ['kibana_legacy_dashboard_only_user'],
+      full_name: 'a kibana legacy dashboard only user',
+      email: 'a_kibana_legacy_dashboard_only_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      roles: ['kibana_dual_privileges_user'],
+      full_name: 'a kibana dual_privileges user',
+      email: 'a_kibana_dual_privileges_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      roles: ['kibana_dual_privileges_dashboard_only_user'],
+      full_name: 'a kibana dual_privileges dashboard only user',
+      email: 'a_kibana_dual_privileges_dashboard_only_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      roles: ['kibana_rbac_user'],
+      full_name: 'a kibana user',
+      email: 'a_kibana_rbac_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      roles: ['kibana_rbac_dashboard_only_user'],
+      full_name: 'a kibana dashboard only user',
+      email: 'a_kibana_rbac_dashboard_only_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
+      roles: ['kibana_rbac_default_space_all_user'],
+      full_name: 'a kibana default space all user',
+      email: 'a_kibana_rbac_default_space_all_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
+      roles: ['kibana_rbac_default_space_read_user'],
+      full_name: 'a kibana default space read-only user',
+      email: 'a_kibana_rbac_default_space_read_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
+      roles: ['kibana_rbac_space_1_all_user'],
+      full_name: 'a kibana rbac space 1 all user',
+      email: 'a_kibana_rbac_space_1_all_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
+      roles: ['kibana_rbac_space_1_read_user'],
+      full_name: 'a kibana rbac space 1 read-only user',
+      email: 'a_kibana_rbac_space_1_readonly_user@elastic.co',
+    },
+  });
+};
diff --git a/x-pack/test/saved_object_api_integration/common/lib/space_test_utils.ts b/x-pack/test/saved_object_api_integration/common/lib/space_test_utils.ts
new file mode 100644
index 00000000000000..1619d77761c842
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/lib/space_test_utils.ts
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
+
+export function getUrlPrefix(spaceId: string) {
+  return spaceId && spaceId !== DEFAULT_SPACE_ID ? `/s/${spaceId}` : ``;
+}
+
+export function getIdPrefix(spaceId: string) {
+  return spaceId === DEFAULT_SPACE_ID ? '' : `${spaceId}-`;
+}
+
+export function getExpectedSpaceIdProperty(spaceId: string) {
+  if (spaceId === DEFAULT_SPACE_ID) {
+    return {};
+  }
+  return {
+    spaceId,
+  };
+}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/spaces.js b/x-pack/test/saved_object_api_integration/common/lib/spaces.ts
similarity index 98%
rename from x-pack/test/spaces_api_integration/apis/saved_objects/lib/spaces.js
rename to x-pack/test/saved_object_api_integration/common/lib/spaces.ts
index 905b360c999497..a9c552d4ccd789 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/spaces.js
+++ b/x-pack/test/saved_object_api_integration/common/lib/spaces.ts
@@ -13,5 +13,5 @@ export const SPACES = {
   },
   DEFAULT: {
     spaceId: 'default',
-  }
+  },
 };
diff --git a/x-pack/test/saved_object_api_integration/common/lib/types.ts b/x-pack/test/saved_object_api_integration/common/lib/types.ts
new file mode 100644
index 00000000000000..fc6d3d8745fb93
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/lib/types.ts
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export type DescribeFn = (text: string, fn: () => void) => void;
+
+export interface TestDefinitionAuthentication {
+  username?: string;
+  password?: string;
+}
+
+export type LoadTestFileFn = (path: string) => string;
+
+export type GetServiceFn = (service: string) => any;
+
+export type ReadConfigFileFn = (path: string) => any;
+
+export interface TestInvoker {
+  getService: GetServiceFn;
+  loadTestFile: LoadTestFileFn;
+  readConfigFile: ReadConfigFileFn;
+}
diff --git a/x-pack/test/saved_object_api_integration/common/services/es.js b/x-pack/test/saved_object_api_integration/common/services/es.js
new file mode 100644
index 00000000000000..f5ef3be4b4bde2
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/services/es.js
@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { format as formatUrl } from 'url';
+
+import elasticsearch from 'elasticsearch';
+import shieldPlugin from '../../../../server/lib/esjs_shield_plugin';
+import { TestInvoker } from '../lib/types';
+
+export function EsProvider({ getService }: TestInvoker) {
+  const config = getService('config');
+
+  return new elasticsearch.Client({
+    host: formatUrl(config.get('servers.elasticsearch')),
+    requestTimeout: config.get('timeouts.esRequestTimeout'),
+    plugins: [shieldPlugin],
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts b/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
new file mode 100644
index 00000000000000..a45a378c1784b1
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
@@ -0,0 +1,171 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { SuperTest } from 'supertest';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
+import { getIdPrefix, getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface BulkCreateTest {
+  statusCode: number;
+  response: (resp: any) => void;
+}
+
+interface BulkCreateTests {
+  default: BulkCreateTest;
+}
+
+interface BulkCreateTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  spaceId?: string;
+  tests: BulkCreateTests;
+}
+
+export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
+  const isGlobalType = (type: string) => type === 'globaltype';
+
+  const createBulkRequests = (spaceId: string) => [
+    {
+      type: 'visualization',
+      id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+      attributes: {
+        title: 'An existing visualization',
+      },
+    },
+    {
+      type: 'dashboard',
+      id: `${getIdPrefix(spaceId)}a01b2f57-fcfd-4864-b735-09e28f0d815e`,
+      attributes: {
+        title: 'A great new dashboard',
+      },
+    },
+    {
+      type: 'globaltype',
+      id: '05976c65-1145-4858-bbf0-d225cc78a06e',
+      attributes: {
+        name: 'A new globaltype object',
+      },
+    },
+    {
+      type: 'globaltype',
+      id: '8121a00-8efd-21e7-1cb3-34ab966434445',
+      attributes: {
+        name: 'An existing globaltype',
+      },
+    },
+  ];
+
+  const makeBulkCreateTest = (describeFn: DescribeFn) => (
+    description: string,
+    definition: BulkCreateTestDefinition
+  ) => {
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.default.statusCode}`, async () => {
+        await supertest
+          .post(`${getUrlPrefix(spaceId)}/api/saved_objects/_bulk_create`)
+          .auth(auth.username, auth.password)
+          .send(createBulkRequests(spaceId))
+          .expect(tests.default.statusCode)
+          .then(tests.default.response);
+      });
+    });
+  };
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      // eslint-disable-next-line max-len
+      message: `action [indices:data/write/bulk] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/bulk] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const expectRbacForbidden = (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unable to bulk_create dashboard,globaltype,visualization, missing action:saved_objects/dashboard/bulk_create,action:saved_objects/globaltype/bulk_create,action:saved_objects/visualization/bulk_create`,
+    });
+  };
+
+  const createExpectResults = (spaceId = DEFAULT_SPACE_ID) => async (resp: any) => {
+    expect(resp.body).to.eql({
+      saved_objects: [
+        {
+          type: 'visualization',
+          id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+          error: {
+            message: 'version conflict, document already exists',
+            statusCode: 409,
+          },
+        },
+        {
+          type: 'dashboard',
+          id: `${getIdPrefix(spaceId)}a01b2f57-fcfd-4864-b735-09e28f0d815e`,
+          updated_at: resp.body.saved_objects[1].updated_at,
+          version: 1,
+          attributes: {
+            title: 'A great new dashboard',
+          },
+        },
+        {
+          type: 'globaltype',
+          id: `05976c65-1145-4858-bbf0-d225cc78a06e`,
+          updated_at: resp.body.saved_objects[2].updated_at,
+          version: 1,
+          attributes: {
+            name: 'A new globaltype object',
+          },
+        },
+        {
+          type: 'globaltype',
+          id: '8121a00-8efd-21e7-1cb3-34ab966434445',
+          error: {
+            message: 'version conflict, document already exists',
+            statusCode: 409,
+          },
+        },
+      ],
+    });
+
+    for (const savedObject of createBulkRequests(spaceId)) {
+      const expectedSpacePrefix =
+        spaceId === DEFAULT_SPACE_ID || isGlobalType(savedObject.type) ? '' : `${spaceId}:`;
+
+      // query ES directory to ensure namespace was or wasn't specified
+      const { _source } = await es.get({
+        id: `${expectedSpacePrefix}${savedObject.type}:${savedObject.id}`,
+        type: 'doc',
+        index: '.kibana',
+      });
+
+      const { namespace: actualNamespace } = _source;
+
+      if (spaceId === DEFAULT_SPACE_ID || isGlobalType(savedObject.type)) {
+        expect(actualNamespace).to.eql(undefined);
+      } else {
+        expect(actualNamespace).to.eql(spaceId);
+      }
+    }
+  };
+
+  const bulkCreateTest = makeBulkCreateTest(describe);
+  // @ts-ignore
+  bulkCreateTest.only = makeBulkCreateTest(describe.only);
+
+  return {
+    bulkCreateTest,
+    createExpectLegacyForbidden,
+    createExpectResults,
+    expectRbacForbidden,
+  };
+}
diff --git a/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts b/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
new file mode 100644
index 00000000000000..028889d76769dd
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
@@ -0,0 +1,165 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { SuperTest } from 'supertest';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
+import { getIdPrefix, getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface BulkGetTest {
+  statusCode: number;
+  response: (resp: any) => void;
+}
+
+interface BulkGetTests {
+  default: BulkGetTest;
+}
+
+interface BulkGetTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  spaceId?: string;
+  otherSpaceId?: string;
+  tests: BulkGetTests;
+}
+
+export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const createBulkRequests = (spaceId: string) => [
+    {
+      type: 'visualization',
+      id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+    },
+    {
+      type: 'dashboard',
+      id: `${getIdPrefix(spaceId)}does not exist`,
+    },
+    {
+      type: 'globaltype',
+      id: '8121a00-8efd-21e7-1cb3-34ab966434445',
+    },
+  ];
+
+  const makeBulkGetTest = (describeFn: DescribeFn) => (
+    description: string,
+    definition: BulkGetTestDefinition
+  ) => {
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
+
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.default.statusCode}`, async () => {
+        await supertest
+          .post(`${getUrlPrefix(spaceId)}/api/saved_objects/_bulk_get`)
+          .auth(auth.username, auth.password)
+          .send(createBulkRequests(otherSpaceId || spaceId))
+          .expect(tests.default.statusCode)
+          .then(tests.default.response);
+      });
+    });
+  };
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      // eslint-disable-next-line max-len
+      message: `action [indices:data/read/mget] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/mget] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const expectRbacForbidden = (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unable to bulk_get dashboard,globaltype,visualization, missing action:saved_objects/dashboard/bulk_get,action:saved_objects/globaltype/bulk_get,action:saved_objects/visualization/bulk_get`,
+    });
+  };
+
+  const createExpectNotFoundResults = (spaceId: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      saved_objects: [
+        {
+          id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+          type: 'visualization',
+          error: {
+            statusCode: 404,
+            message: 'Not found',
+          },
+        },
+        {
+          id: `${getIdPrefix(spaceId)}does not exist`,
+          type: 'dashboard',
+          error: {
+            statusCode: 404,
+            message: 'Not found',
+          },
+        },
+        {
+          id: `8121a00-8efd-21e7-1cb3-34ab966434445`,
+          type: 'globaltype',
+          updated_at: '2017-09-21T18:59:16.270Z',
+          version: resp.body.saved_objects[2].version,
+          attributes: {
+            name: 'My favorite global object',
+          },
+        },
+      ],
+    });
+  };
+
+  const createExpectResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+    expect(resp.body).to.eql({
+      saved_objects: [
+        {
+          id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+          type: 'visualization',
+          updated_at: '2017-09-21T18:51:23.794Z',
+          version: resp.body.saved_objects[0].version,
+          attributes: {
+            title: 'Count of requests',
+            description: '',
+            version: 1,
+            // cheat for some of the more complex attributes
+            visState: resp.body.saved_objects[0].attributes.visState,
+            uiStateJSON: resp.body.saved_objects[0].attributes.uiStateJSON,
+            kibanaSavedObjectMeta: resp.body.saved_objects[0].attributes.kibanaSavedObjectMeta,
+          },
+        },
+        {
+          id: `${getIdPrefix(spaceId)}does not exist`,
+          type: 'dashboard',
+          error: {
+            statusCode: 404,
+            message: 'Not found',
+          },
+        },
+        {
+          id: `8121a00-8efd-21e7-1cb3-34ab966434445`,
+          type: 'globaltype',
+          updated_at: '2017-09-21T18:59:16.270Z',
+          version: resp.body.saved_objects[2].version,
+          attributes: {
+            name: 'My favorite global object',
+          },
+        },
+      ],
+    });
+  };
+
+  const bulkGetTest = makeBulkGetTest(describe);
+  // @ts-ignore
+  bulkGetTest.only = makeBulkGetTest(describe.only);
+
+  return {
+    bulkGetTest,
+    createExpectLegacyForbidden,
+    createExpectNotFoundResults,
+    createExpectResults,
+    expectRbacForbidden,
+  };
+}
diff --git a/x-pack/test/saved_object_api_integration/common/suites/create.ts b/x-pack/test/saved_object_api_integration/common/suites/create.ts
new file mode 100644
index 00000000000000..bab9b6e069c4c0
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/suites/create.ts
@@ -0,0 +1,167 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+import { SuperTest } from 'supertest';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
+import { getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface CreateTest {
+  statusCode: number;
+  response: (resp: any) => void;
+}
+
+interface CreateTests {
+  spaceAware: CreateTest;
+  notSpaceAware: CreateTest;
+}
+
+interface CreateTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  spaceId?: string;
+  tests: CreateTests;
+}
+
+export function createTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
+  const spaceAwareType = 'visualization';
+  const notSpaceAwareType = 'globaltype';
+
+  const makeCreateTest = (describeFn: DescribeFn) => (
+    description: string,
+    definition: CreateTestDefinition
+  ) => {
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+      it(`should return ${tests.spaceAware.statusCode} for a space-aware type`, async () => {
+        await supertest
+          .post(`${getUrlPrefix(spaceId)}/api/saved_objects/${spaceAwareType}`)
+          .auth(auth.username, auth.password)
+          .send({
+            attributes: {
+              title: 'My favorite vis',
+            },
+          })
+          .expect(tests.spaceAware.statusCode)
+          .then(tests.spaceAware.response);
+      });
+
+      it(`should return ${tests.notSpaceAware.statusCode} for a non space-aware type`, async () => {
+        await supertest
+          .post(`${getUrlPrefix(spaceId)}/api/saved_objects/${notSpaceAwareType}`)
+          .auth(auth.username, auth.password)
+          .send({
+            attributes: {
+              name: `Can't be contained to a space`,
+            },
+          })
+          .expect(tests.notSpaceAware.statusCode)
+          .then(tests.notSpaceAware.response);
+      });
+    });
+  };
+
+  const createTest = makeCreateTest(describe);
+  // @ts-ignore
+  createTest.only = makeCreateTest(describe.only);
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      // eslint-disable-next-line max-len
+      message: `action [indices:data/write/index] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/index] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const createExpectRbacForbidden = (type: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unable to create ${type}, missing action:saved_objects/${type}/create`,
+    });
+  };
+
+  const createExpectSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => async (resp: any) => {
+    expect(resp.body)
+      .to.have.property('id')
+      .match(/^[0-9a-f-]{36}$/);
+
+    // loose ISO8601 UTC time with milliseconds validation
+    expect(resp.body)
+      .to.have.property('updated_at')
+      .match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+    expect(resp.body).to.eql({
+      id: resp.body.id,
+      type: spaceAwareType,
+      updated_at: resp.body.updated_at,
+      version: 1,
+      attributes: {
+        title: 'My favorite vis',
+      },
+    });
+
+    const expectedSpacePrefix = spaceId === DEFAULT_SPACE_ID ? '' : `${spaceId}:`;
+
+    // query ES directory to ensure namespace was or wasn't specified
+    const { _source } = await es.get({
+      id: `${expectedSpacePrefix}${spaceAwareType}:${resp.body.id}`,
+      type: 'doc',
+      index: '.kibana',
+    });
+
+    const { namespace: actualNamespace } = _source;
+
+    if (spaceId === DEFAULT_SPACE_ID) {
+      expect(actualNamespace).to.eql(undefined);
+    } else {
+      expect(actualNamespace).to.eql(spaceId);
+    }
+  };
+
+  const expectNotSpaceAwareResults = async (resp: any) => {
+    expect(resp.body)
+      .to.have.property('id')
+      .match(/^[0-9a-f-]{36}$/);
+
+    // loose ISO8601 UTC time with milliseconds validation
+    expect(resp.body)
+      .to.have.property('updated_at')
+      .match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+    expect(resp.body).to.eql({
+      id: resp.body.id,
+      type: notSpaceAwareType,
+      updated_at: resp.body.updated_at,
+      version: 1,
+      attributes: {
+        name: `Can't be contained to a space`,
+      },
+    });
+
+    // query ES directory to ensure namespace wasn't specified
+    const { _source } = await es.get({
+      id: `${notSpaceAwareType}:${resp.body.id}`,
+      type: 'doc',
+      index: '.kibana',
+    });
+
+    const { namespace: actualNamespace } = _source;
+
+    expect(actualNamespace).to.eql(undefined);
+  };
+
+  return {
+    createTest,
+    createExpectLegacyForbidden,
+    createExpectSpaceAwareResults,
+    expectNotSpaceAwareResults,
+    expectNotSpaceAwareRbacForbidden: createExpectRbacForbidden(notSpaceAwareType),
+    expectSpaceAwareRbacForbidden: createExpectRbacForbidden(spaceAwareType),
+  };
+}
diff --git a/x-pack/test/saved_object_api_integration/common/suites/delete.ts b/x-pack/test/saved_object_api_integration/common/suites/delete.ts
new file mode 100644
index 00000000000000..6ab45db4d8cd7c
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/suites/delete.ts
@@ -0,0 +1,124 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { SuperTest } from 'supertest';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
+import { getIdPrefix, getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface DeleteTest {
+  statusCode: number;
+  response: (resp: any) => void;
+}
+
+interface DeleteTests {
+  spaceAware: DeleteTest;
+  notSpaceAware: DeleteTest;
+  invalidId: DeleteTest;
+}
+
+interface DeleteTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  spaceId?: string;
+  tests: DeleteTests;
+}
+
+export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const makeDeleteTest = (describeFn: DescribeFn) => (
+    description: string,
+    definition: DeleteTestDefinition
+  ) => {
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.spaceAware.statusCode} when deleting a space-aware doc`, async () =>
+        await supertest
+          .delete(
+            `${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${getIdPrefix(
+              spaceId
+            )}be3733a0-9efe-11e7-acb3-3dab96693fab`
+          )
+          .auth(auth.username, auth.password)
+          .expect(tests.spaceAware.statusCode)
+          .then(tests.spaceAware.response));
+
+      it(`should return ${
+        tests.notSpaceAware.statusCode
+      } when deleting a non-space-aware doc`, async () =>
+        await supertest
+          .delete(
+            `${getUrlPrefix(
+              spaceId
+            )}/api/saved_objects/globaltype/8121a00-8efd-21e7-1cb3-34ab966434445`
+          )
+          .auth(auth.username, auth.password)
+          .expect(tests.notSpaceAware.statusCode)
+          .then(tests.notSpaceAware.response));
+
+      it(`should return ${tests.invalidId.statusCode} when deleting an unknown doc`, async () =>
+        await supertest
+          .delete(
+            `${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${getIdPrefix(
+              spaceId
+            )}not-a-real-id`
+          )
+          .auth(auth.username, auth.password)
+          .expect(tests.invalidId.statusCode)
+          .then(tests.invalidId.response));
+    });
+  };
+
+  const deleteTest = makeDeleteTest(describe);
+  // @ts-ignore
+  deleteTest.only = makeDeleteTest(describe.only);
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      // eslint-disable-next-line max-len
+      message: `action [indices:data/write/delete] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/delete] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const expectEmpty = (resp: any) => {
+    expect(resp.body).to.eql({});
+  };
+
+  const createExpectNotFound = (spaceId: string, type: string, id: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 404,
+      error: 'Not Found',
+      message: `Saved object [${type}/${getIdPrefix(spaceId)}${id}] not found`,
+    });
+  };
+
+  const createExpectUnknownDocNotFound = (spaceId: string = DEFAULT_SPACE_ID) => (resp: any) => {
+    createExpectNotFound(spaceId, 'dashboard', `not-a-real-id`)(resp);
+  };
+
+  const createExpectRbacForbidden = (type: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unable to delete ${type}, missing action:saved_objects/${type}/delete`,
+    });
+  };
+
+  return {
+    createExpectLegacyForbidden,
+    createExpectUnknownDocNotFound,
+    deleteTest,
+    expectEmpty,
+    expectRbacSpaceAwareForbidden: createExpectRbacForbidden('dashboard'),
+    expectRbacNotSpaceAwareForbidden: createExpectRbacForbidden('globaltype'),
+    expectRbacInvalidIdForbidden: createExpectRbacForbidden('dashboard'),
+  };
+}
diff --git a/x-pack/test/saved_object_api_integration/common/suites/find.ts b/x-pack/test/saved_object_api_integration/common/suites/find.ts
new file mode 100644
index 00000000000000..387834a4fa999b
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/suites/find.ts
@@ -0,0 +1,237 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+import { SuperTest } from 'supertest';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
+import { getIdPrefix, getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface FindTest {
+  statusCode: number;
+  description: string;
+  response: (resp: any) => void;
+}
+
+interface FindTests {
+  spaceAwareType: FindTest;
+  notSpaceAwareType: FindTest;
+  unknownType: FindTest;
+  pageBeyondTotal: FindTest;
+  unknownSearchField: FindTest;
+  noType: FindTest;
+}
+
+interface FindTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  spaceId?: string;
+  tests: FindTests;
+}
+
+// TODO: add space unaware type
+export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const makeFindTest = (describeFn: DescribeFn) => (
+    description: string,
+    definition: FindTestDefinition
+  ) => {
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`space aware type should return ${tests.spaceAwareType.statusCode} with ${
+        tests.spaceAwareType.description
+      }`, async () =>
+        await supertest
+          .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=visualization&fields=title`)
+          .auth(auth.username, auth.password)
+          .expect(tests.spaceAwareType.statusCode)
+          .then(tests.spaceAwareType.response));
+
+      it(`not space aware type should return ${tests.spaceAwareType.statusCode} with ${
+        tests.notSpaceAwareType.description
+      }`, async () =>
+        await supertest
+          .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=globaltype&fields=name`)
+          .auth(auth.username, auth.password)
+          .expect(tests.notSpaceAwareType.statusCode)
+          .then(tests.notSpaceAwareType.response));
+
+      describe('unknown type', () => {
+        it(`should return ${tests.unknownType.statusCode} with ${
+          tests.unknownType.description
+        }`, async () =>
+          await supertest
+            .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=wigwags`)
+            .auth(auth.username, auth.password)
+            .expect(tests.unknownType.statusCode)
+            .then(tests.unknownType.response));
+      });
+
+      describe('page beyond total', () => {
+        it(`should return ${tests.pageBeyondTotal.statusCode} with ${
+          tests.pageBeyondTotal.description
+        }`, async () =>
+          await supertest
+            .get(
+              `${getUrlPrefix(
+                spaceId
+              )}/api/saved_objects/_find?type=visualization&page=100&per_page=100`
+            )
+            .auth(auth.username, auth.password)
+            .expect(tests.pageBeyondTotal.statusCode)
+            .then(tests.pageBeyondTotal.response));
+      });
+
+      describe('unknown search field', () => {
+        it(`should return ${tests.unknownSearchField.statusCode} with ${
+          tests.unknownSearchField.description
+        }`, async () =>
+          await supertest
+            .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=wigwags&search_fields=a`)
+            .auth(auth.username, auth.password)
+            .expect(tests.unknownSearchField.statusCode)
+            .then(tests.unknownSearchField.response));
+      });
+
+      describe('no type', () => {
+        it(`should return ${tests.noType.statusCode} with ${tests.noType.description}`, async () =>
+          await supertest
+            .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find`)
+            .auth(auth.username, auth.password)
+            .expect(tests.noType.statusCode)
+            .then(tests.noType.response));
+      });
+    });
+  };
+
+  const findTest = makeFindTest(describe);
+  // @ts-ignore
+  findTest.only = makeFindTest(describe.only);
+
+  const createExpectEmpty = (page: number, perPage: number, total: number) => (resp: any) => {
+    expect(resp.body).to.eql({
+      page,
+      per_page: perPage,
+      total,
+      saved_objects: [],
+    });
+  };
+
+  const createExpectRbacForbidden = (type?: string) => (resp: any) => {
+    const message = type
+      ? `Unable to find ${type}, missing action:saved_objects/${type}/find`
+      : `Not authorized to find saved_object`;
+
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message,
+    });
+  };
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      // eslint-disable-next-line max-len
+      message: `action [indices:data/read/search] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/search] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const createExpectResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+    expect(resp.body).to.eql({
+      page: 1,
+      per_page: 20,
+      total: 5,
+      saved_objects: [
+        {
+          id: `${getIdPrefix(spaceId)}91200a00-9efd-11e7-acb3-3dab96693fab`,
+          type: 'index-pattern',
+          updated_at: '2017-09-21T18:49:16.270Z',
+          version: 1,
+          attributes: resp.body.saved_objects[0].attributes,
+        },
+        {
+          id: '7.0.0-alpha1',
+          type: 'config',
+          updated_at: '2017-09-21T18:49:16.302Z',
+          version: 1,
+          attributes: resp.body.saved_objects[1].attributes,
+        },
+        {
+          id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+          type: 'visualization',
+          updated_at: '2017-09-21T18:51:23.794Z',
+          version: 1,
+          attributes: resp.body.saved_objects[2].attributes,
+        },
+        {
+          id: `${getIdPrefix(spaceId)}be3733a0-9efe-11e7-acb3-3dab96693fab`,
+          type: 'dashboard',
+          updated_at: '2017-09-21T18:57:40.826Z',
+          version: 1,
+          attributes: resp.body.saved_objects[3].attributes,
+        },
+        {
+          id: `8121a00-8efd-21e7-1cb3-34ab966434445`,
+          type: 'globaltype',
+          updated_at: '2017-09-21T18:59:16.270Z',
+          version: 1,
+          attributes: {
+            name: 'My favorite global object',
+          },
+        },
+      ],
+    });
+  };
+
+  const expectNotSpaceAwareResults = (resp: any) => {
+    expect(resp.body).to.eql({
+      page: 1,
+      per_page: 20,
+      total: 1,
+      saved_objects: [
+        {
+          type: 'globaltype',
+          id: `8121a00-8efd-21e7-1cb3-34ab966434445`,
+          version: 1,
+          attributes: {
+            name: 'My favorite global object',
+          },
+        },
+      ],
+    });
+  };
+
+  const createExpectVisualizationResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+    expect(resp.body).to.eql({
+      page: 1,
+      per_page: 20,
+      total: 1,
+      saved_objects: [
+        {
+          type: 'visualization',
+          id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+          version: 1,
+          attributes: {
+            title: 'Count of requests',
+          },
+        },
+      ],
+    });
+  };
+
+  return {
+    createExpectEmpty,
+    createExpectRbacForbidden,
+    createExpectResults,
+    createExpectLegacyForbidden,
+    createExpectVisualizationResults,
+    expectNotSpaceAwareResults,
+    findTest,
+  };
+}
diff --git a/x-pack/test/saved_object_api_integration/common/suites/get.ts b/x-pack/test/saved_object_api_integration/common/suites/get.ts
new file mode 100644
index 00000000000000..7753015033572e
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/suites/get.ts
@@ -0,0 +1,174 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+import { SuperTest } from 'supertest';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
+import { getIdPrefix, getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface GetTest {
+  statusCode: number;
+  response: (resp: any) => void;
+}
+
+interface GetTests {
+  spaceAware: GetTest;
+  notSpaceAware: GetTest;
+  doesntExist: GetTest;
+}
+
+interface GetTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  spaceId?: string;
+  tests: GetTests;
+}
+
+// TODO: add space unaware type
+export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const spaceAwareId = 'dd7caf20-9efd-11e7-acb3-3dab96693fab';
+  const notSpaceAwareId = '8121a00-8efd-21e7-1cb3-34ab966434445';
+  const doesntExistId = 'foobar';
+  const makeGetTest = (describeFn: DescribeFn) => (
+    description: string,
+    definition: GetTestDefinition
+  ) => {
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${
+        tests.spaceAware.statusCode
+      } when getting a space aware doc`, async () => {
+        await supertest
+          .get(
+            `${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(
+              spaceId
+            )}${spaceAwareId}`
+          )
+          .auth(auth.username, auth.password)
+          .expect(tests.spaceAware.statusCode)
+          .then(tests.spaceAware.response);
+      });
+
+      it(`should return ${
+        tests.notSpaceAware.statusCode
+      } when deleting a non-space-aware doc`, async () => {
+        await supertest
+          .get(`${getUrlPrefix(spaceId)}/api/saved_objects/globaltype/${notSpaceAwareId}`)
+          .auth(auth.username, auth.password)
+          .expect(tests.notSpaceAware.statusCode)
+          .then(tests.notSpaceAware.response);
+      });
+
+      describe('document does not exist', () => {
+        it(`should return ${tests.doesntExist.statusCode}`, async () => {
+          await supertest
+            .get(
+              `${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(
+                spaceId
+              )}${doesntExistId}`
+            )
+            .auth(auth.username, auth.password)
+            .expect(tests.doesntExist.statusCode)
+            .then(tests.doesntExist.response);
+        });
+      });
+    });
+  };
+
+  const getTest = makeGetTest(describe);
+  // @ts-ignore
+  getTest.only = makeGetTest(describe.only);
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      // eslint-disable-next-line max-len
+      message: `action [indices:data/read/get] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/get] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const createExpectNotFound = (id: string, spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Not Found',
+      message: `Saved object [visualization/${getIdPrefix(spaceId)}${id}] not found`,
+      statusCode: 404,
+    });
+  };
+
+  const createExpectDoesntExistNotFound = (spaceId = DEFAULT_SPACE_ID) => {
+    return createExpectNotFound(doesntExistId, spaceId);
+  };
+
+  const createExpectSpaceAwareNotFound = (spaceId = DEFAULT_SPACE_ID) => {
+    return createExpectNotFound(spaceAwareId, spaceId);
+  };
+
+  const createExpectNotSpaceAwareNotFound = (spaceId = DEFAULT_SPACE_ID) => {
+    return createExpectNotFound(spaceAwareId, spaceId);
+  };
+
+  const createExpectSpaceAwareRbacForbidden = () => (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Forbidden',
+      message: `Unable to get visualization, missing action:saved_objects/visualization/get`,
+      statusCode: 403,
+    });
+  };
+
+  const createExpectNotSpaceAwareRbacForbidden = () => (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Forbidden',
+      message: `Unable to get globaltype, missing action:saved_objects/globaltype/get`,
+      statusCode: 403,
+    });
+  };
+
+  const createExpectSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+    expect(resp.body).to.eql({
+      id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+      type: 'visualization',
+      updated_at: '2017-09-21T18:51:23.794Z',
+      version: resp.body.version,
+      attributes: {
+        title: 'Count of requests',
+        description: '',
+        version: 1,
+        // cheat for some of the more complex attributes
+        visState: resp.body.attributes.visState,
+        uiStateJSON: resp.body.attributes.uiStateJSON,
+        kibanaSavedObjectMeta: resp.body.attributes.kibanaSavedObjectMeta,
+      },
+    });
+  };
+
+  const createExpectNotSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+    expect(resp.body).to.eql({
+      id: `${notSpaceAwareId}`,
+      type: 'globaltype',
+      updated_at: '2017-09-21T18:59:16.270Z',
+      version: resp.body.version,
+      attributes: {
+        name: 'My favorite global object',
+      },
+    });
+  };
+
+  return {
+    createExpectNotSpaceAwareNotFound,
+    createExpectNotSpaceAwareRbacForbidden,
+    createExpectNotSpaceAwareResults,
+    createExpectSpaceAwareResults,
+    createExpectDoesntExistNotFound,
+    createExpectSpaceAwareNotFound,
+    createExpectLegacyForbidden,
+    createExpectSpaceAwareRbacForbidden,
+    getTest,
+  };
+}
diff --git a/x-pack/test/saved_object_api_integration/common/suites/update.ts b/x-pack/test/saved_object_api_integration/common/suites/update.ts
new file mode 100644
index 00000000000000..5f2c7bf82a6e5c
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/common/suites/update.ts
@@ -0,0 +1,174 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { SuperTest } from 'supertest';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
+import { getIdPrefix, getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface UpdateTest {
+  statusCode: number;
+  response: (resp: any) => void;
+}
+
+interface UpdateTests {
+  spaceAware: UpdateTest;
+  notSpaceAware: UpdateTest;
+  doesntExist: UpdateTest;
+}
+
+interface UpdateTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  spaceId?: string;
+  tests: UpdateTests;
+}
+
+export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const makeUpdateTest = (describeFn: DescribeFn) => (
+    description: string,
+    definition: UpdateTestDefinition
+  ) => {
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+      it(`should return ${tests.spaceAware.statusCode} for a space-aware doc`, async () => {
+        await supertest
+          .put(
+            `${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(
+              spaceId
+            )}dd7caf20-9efd-11e7-acb3-3dab96693fab`
+          )
+          .auth(auth.username, auth.password)
+          .send({
+            attributes: {
+              title: 'My second favorite vis',
+            },
+          })
+          .expect(tests.spaceAware.statusCode)
+          .then(tests.spaceAware.response);
+      });
+
+      it(`should return ${tests.notSpaceAware.statusCode} for a non space-aware doc`, async () => {
+        await supertest
+          .put(
+            `${getUrlPrefix(
+              spaceId
+            )}/api/saved_objects/globaltype/8121a00-8efd-21e7-1cb3-34ab966434445`
+          )
+          .auth(auth.username, auth.password)
+          .send({
+            attributes: {
+              name: 'My second favorite',
+            },
+          })
+          .expect(tests.notSpaceAware.statusCode)
+          .then(tests.notSpaceAware.response);
+      });
+
+      describe('unknown id', () => {
+        it(`should return ${tests.doesntExist.statusCode}`, async () => {
+          await supertest
+            .put(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization/not an id`)
+            .auth(auth.username, auth.password)
+            .send({
+              attributes: {
+                title: 'My second favorite vis',
+              },
+            })
+            .expect(tests.doesntExist.statusCode)
+            .then(tests.doesntExist.response);
+        });
+      });
+    });
+  };
+
+  const updateTest = makeUpdateTest(describe);
+  // @ts-ignore
+  updateTest.only = makeUpdateTest(describe.only);
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      // eslint-disable-next-line max-len
+      message: `action [indices:data/write/update] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/update] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const expectSpaceAwareResults = (resp: any) => {
+    // loose uuid validation ignoring prefix
+    expect(resp.body)
+      .to.have.property('id')
+      .match(/[0-9a-f-]{36}$/);
+
+    // loose ISO8601 UTC time with milliseconds validation
+    expect(resp.body)
+      .to.have.property('updated_at')
+      .match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+    expect(resp.body).to.eql({
+      id: resp.body.id,
+      type: 'visualization',
+      updated_at: resp.body.updated_at,
+      version: 2,
+      attributes: {
+        title: 'My second favorite vis',
+      },
+    });
+  };
+
+  const expectNotSpaceAwareResults = (resp: any) => {
+    // loose uuid validation
+    expect(resp.body)
+      .to.have.property('id')
+      .match(/^[0-9a-f-]{36}$/);
+
+    // loose ISO8601 UTC time with milliseconds validation
+    expect(resp.body)
+      .to.have.property('updated_at')
+      .match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+    expect(resp.body).to.eql({
+      id: resp.body.id,
+      type: 'globaltype',
+      updated_at: resp.body.updated_at,
+      version: 2,
+      attributes: {
+        name: 'My second favorite',
+      },
+    });
+  };
+
+  const expectNotFound = (resp: any) => {
+    expect(resp.body).eql({
+      statusCode: 404,
+      error: 'Not Found',
+      message: 'Saved object [visualization/not an id] not found',
+    });
+  };
+
+  const createExpectRbacForbidden = (type: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unable to update ${type}, missing action:saved_objects/${type}/update`,
+    });
+  };
+
+  return {
+    createExpectLegacyForbidden,
+    expectDoesntExistRbacForbidden: createExpectRbacForbidden('visualization'),
+    expectNotSpaceAwareResults,
+    expectNotSpaceAwareRbacForbidden: createExpectRbacForbidden('globaltype'),
+    expectNotFound,
+    expectSpaceAwareResults,
+    expectSpaceAwareRbacForbidden: createExpectRbacForbidden('visualization'),
+    updateTest,
+  };
+}
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
new file mode 100644
index 00000000000000..6ce55e3470d004
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
@@ -0,0 +1,233 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { bulkCreateTestSuiteFactory } from '../../common/suites/bulk_create';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+  const es = getService('es');
+
+  const {
+    bulkCreateTest,
+    createExpectLegacyForbidden,
+    createExpectResults,
+    expectRbacForbidden,
+  } = bulkCreateTestSuiteFactory(es, esArchiver, supertest);
+
+  describe('_bulk_create', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+      },
+    ].forEach(scenario => {
+      bulkCreateTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.notAKibanaUser.USERNAME,
+          password: scenario.notAKibanaUser.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+          },
+        },
+      });
+
+      bulkCreateTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.superuser.USERNAME,
+          password: scenario.superuser.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      bulkCreateTest(
+        `${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithLegacyAll.USERNAME,
+            password: scenario.userWithLegacyAll.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectResults(scenario.spaceId),
+            },
+          },
+        }
+      );
+
+      bulkCreateTest(
+        `${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithLegacyRead.USERNAME,
+            password: scenario.userWithLegacyRead.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            default: {
+              statusCode: 403,
+              response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+            },
+          },
+        }
+      );
+
+      bulkCreateTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithDualAll.USERNAME,
+          password: scenario.userWithDualAll.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      bulkCreateTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithDualRead.USERNAME,
+          password: scenario.userWithDualRead.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+        },
+      });
+
+      bulkCreateTest(
+        `${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithAllGlobally.USERNAME,
+            password: scenario.userWithAllGlobally.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectResults(scenario.spaceId),
+            },
+          },
+        }
+      );
+
+      bulkCreateTest(
+        `${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithReadGlobally.USERNAME,
+            password: scenario.userWithReadGlobally.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            default: {
+              statusCode: 403,
+              response: expectRbacForbidden,
+            },
+          },
+        }
+      );
+
+      bulkCreateTest(
+        `${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithAllAtSpace.USERNAME,
+            password: scenario.userWithAllAtSpace.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectResults(scenario.spaceId),
+            },
+          },
+        }
+      );
+
+      bulkCreateTest(
+        `${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithReadAtSpace.USERNAME,
+            password: scenario.userWithReadAtSpace.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            default: {
+              statusCode: 403,
+              response: expectRbacForbidden,
+            },
+          },
+        }
+      );
+
+      bulkCreateTest(
+        `${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithAllAtOtherSpace.USERNAME,
+            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            default: {
+              statusCode: 403,
+              response: expectRbacForbidden,
+            },
+          },
+        }
+      );
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
new file mode 100644
index 00000000000000..8579aa5a986c48
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
@@ -0,0 +1,217 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { bulkGetTestSuiteFactory } from '../../common/suites/bulk_get';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    bulkGetTest,
+    createExpectLegacyForbidden,
+    createExpectResults,
+    expectRbacForbidden,
+  } = bulkGetTestSuiteFactory(esArchiver, supertest);
+
+  describe('_bulk_get', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+      },
+    ].forEach(scenario => {
+      bulkGetTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.notAKibanaUser.USERNAME,
+          password: scenario.notAKibanaUser.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+          },
+        },
+      });
+
+      bulkGetTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.superuser.USERNAME,
+          password: scenario.superuser.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      bulkGetTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithLegacyAll.USERNAME,
+          password: scenario.userWithLegacyAll.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      bulkGetTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithLegacyRead.USERNAME,
+          password: scenario.userWithLegacyRead.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      bulkGetTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithDualAll.USERNAME,
+          password: scenario.userWithDualAll.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      bulkGetTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithDualRead.USERNAME,
+          password: scenario.userWithDualRead.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      bulkGetTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithAllGlobally.USERNAME,
+          password: scenario.userWithAllGlobally.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      bulkGetTest(
+        `${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithReadGlobally.USERNAME,
+            password: scenario.userWithReadGlobally.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectResults(scenario.spaceId),
+            },
+          },
+        }
+      );
+
+      bulkGetTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithAllAtSpace.USERNAME,
+          password: scenario.userWithAllAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      bulkGetTest(`${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithReadAtSpace.USERNAME,
+          password: scenario.userWithReadAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      bulkGetTest(
+        `${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithAllAtOtherSpace.USERNAME,
+            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            default: {
+              statusCode: 403,
+              response: expectRbacForbidden,
+            },
+          },
+        }
+      );
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts
new file mode 100644
index 00000000000000..f147e28c01e98e
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts
@@ -0,0 +1,261 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { createTestSuiteFactory } from '../../common/suites/create';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const es = getService('es');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    createTest,
+    createExpectLegacyForbidden,
+    createExpectSpaceAwareResults,
+    expectNotSpaceAwareResults,
+    expectNotSpaceAwareRbacForbidden,
+    expectSpaceAwareRbacForbidden,
+  } = createTestSuiteFactory(es, esArchiver, supertestWithoutAuth);
+
+  describe('create', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+      },
+    ].forEach(scenario => {
+      createTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.notAKibanaUser.USERNAME,
+          password: scenario.notAKibanaUser.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+          },
+        },
+      });
+
+      createTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.superuser.USERNAME,
+          password: scenario.superuser.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithLegacyAll.USERNAME,
+          password: scenario.userWithLegacyAll.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithLegacyRead.USERNAME,
+          password: scenario.userWithLegacyRead.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithDualAll.USERNAME,
+          password: scenario.userWithDualAll.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithDualRead.USERNAME,
+          password: scenario.userWithDualRead.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: expectSpaceAwareRbacForbidden,
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: expectNotSpaceAwareRbacForbidden,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithAllGlobally.USERNAME,
+          password: scenario.userWithAllGlobally.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithReadGlobally.USERNAME,
+          password: scenario.userWithReadGlobally.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: expectSpaceAwareRbacForbidden,
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: expectNotSpaceAwareRbacForbidden,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithAllAtSpace.USERNAME,
+          password: scenario.userWithAllAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithReadAtSpace.USERNAME,
+          password: scenario.userWithReadAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: expectSpaceAwareRbacForbidden,
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: expectNotSpaceAwareRbacForbidden,
+          },
+        },
+      });
+
+      createTest(
+        `${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithAllAtOtherSpace.USERNAME,
+            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            spaceAware: {
+              statusCode: 403,
+              response: expectSpaceAwareRbacForbidden,
+            },
+            notSpaceAware: {
+              statusCode: 403,
+              response: expectNotSpaceAwareRbacForbidden,
+            },
+          },
+        }
+      );
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts
new file mode 100644
index 00000000000000..39f5aff6ffe1fd
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts
@@ -0,0 +1,305 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { deleteTestSuiteFactory } from '../../common/suites/delete';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('delete', () => {
+    const {
+      createExpectLegacyForbidden,
+      createExpectUnknownDocNotFound,
+      deleteTest,
+      expectEmpty,
+      expectRbacSpaceAwareForbidden,
+      expectRbacNotSpaceAwareForbidden,
+      expectRbacInvalidIdForbidden,
+    } = deleteTestSuiteFactory(esArchiver, supertest);
+
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+      },
+    ].forEach(scenario => {
+      deleteTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.notAKibanaUser.USERNAME,
+          password: scenario.notAKibanaUser.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+          },
+          invalidId: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+          },
+        },
+      });
+
+      deleteTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.superuser.USERNAME,
+          password: scenario.superuser.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: expectEmpty,
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectEmpty,
+          },
+          invalidId: {
+            statusCode: 404,
+            response: createExpectUnknownDocNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithLegacyAll.USERNAME,
+          password: scenario.userWithLegacyAll.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: expectEmpty,
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectEmpty,
+          },
+          invalidId: {
+            statusCode: 404,
+            response: createExpectUnknownDocNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithLegacyRead.USERNAME,
+          password: scenario.userWithLegacyRead.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+          },
+          invalidId: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithDualAll.USERNAME,
+          password: scenario.userWithDualAll.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: expectEmpty,
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectEmpty,
+          },
+          invalidId: {
+            statusCode: 404,
+            response: createExpectUnknownDocNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithDualRead.USERNAME,
+          password: scenario.userWithDualRead.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: expectRbacSpaceAwareForbidden,
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: expectRbacNotSpaceAwareForbidden,
+          },
+          invalidId: {
+            statusCode: 403,
+            response: expectRbacInvalidIdForbidden,
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithAllGlobally.USERNAME,
+          password: scenario.userWithAllGlobally.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: expectEmpty,
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectEmpty,
+          },
+          invalidId: {
+            statusCode: 404,
+            response: createExpectUnknownDocNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithReadGlobally.USERNAME,
+          password: scenario.userWithReadGlobally.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: expectRbacSpaceAwareForbidden,
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: expectRbacNotSpaceAwareForbidden,
+          },
+          invalidId: {
+            statusCode: 403,
+            response: expectRbacInvalidIdForbidden,
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithAllAtSpace.USERNAME,
+          password: scenario.userWithAllAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: expectEmpty,
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectEmpty,
+          },
+          invalidId: {
+            statusCode: 404,
+            response: createExpectUnknownDocNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithReadAtSpace.USERNAME,
+          password: scenario.userWithReadAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: expectRbacSpaceAwareForbidden,
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: expectRbacNotSpaceAwareForbidden,
+          },
+          invalidId: {
+            statusCode: 403,
+            response: expectRbacInvalidIdForbidden,
+          },
+        },
+      });
+
+      deleteTest(
+        `${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithAllAtOtherSpace.USERNAME,
+            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            spaceAware: {
+              statusCode: 403,
+              response: expectRbacSpaceAwareForbidden,
+            },
+            notSpaceAware: {
+              statusCode: 403,
+              response: expectRbacNotSpaceAwareForbidden,
+            },
+            invalidId: {
+              statusCode: 403,
+              response: expectRbacInvalidIdForbidden,
+            },
+          },
+        }
+      );
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
new file mode 100644
index 00000000000000..f24d0f7868b977
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
@@ -0,0 +1,503 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { findTestSuiteFactory } from '../../common/suites/find';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('find', () => {
+    const {
+      createExpectEmpty,
+      createExpectRbacForbidden,
+      createExpectResults,
+      createExpectLegacyForbidden,
+      createExpectVisualizationResults,
+      expectNotSpaceAwareResults,
+      findTest,
+    } = findTestSuiteFactory(esArchiver, supertest);
+
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+      },
+    ].forEach(scenario => {
+      findTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+          password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAwareType: {
+            description: 'forbidden login and find visualization message',
+            statusCode: 403,
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          },
+          notSpaceAwareType: {
+            description: 'forbidden login and find globaltype message',
+            statusCode: 403,
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          },
+          unknownType: {
+            description: 'forbidden login and find wigwags message',
+            statusCode: 403,
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          },
+          pageBeyondTotal: {
+            description: 'forbidden login and find visualization message',
+            statusCode: 403,
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          },
+          unknownSearchField: {
+            description: 'forbidden login and find wigwags message',
+            statusCode: 403,
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          },
+          noType: {
+            description: `forbidded can't find any types`,
+            statusCode: 403,
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          },
+        },
+      });
+
+      findTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: AUTHENTICATION.SUPERUSER.USERNAME,
+          password: AUTHENTICATION.SUPERUSER.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAwareType: {
+            description: 'only the visualization',
+            statusCode: 200,
+            response: createExpectVisualizationResults(scenario.spaceId),
+          },
+          notSpaceAwareType: {
+            description: 'only the globaltype',
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          unknownType: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(1, 20, 0),
+          },
+          pageBeyondTotal: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(100, 100, 1),
+          },
+          unknownSearchField: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(1, 20, 0),
+          },
+          noType: {
+            description: 'all objects',
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      findTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+          password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAwareType: {
+            description: 'only the visualization',
+            statusCode: 200,
+            response: createExpectVisualizationResults(scenario.spaceId),
+          },
+          notSpaceAwareType: {
+            description: 'only the globaltype',
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          unknownType: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(1, 20, 0),
+          },
+          pageBeyondTotal: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(100, 100, 1),
+          },
+          unknownSearchField: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(1, 20, 0),
+          },
+          noType: {
+            description: 'all objects',
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      findTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+          password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAwareType: {
+            description: 'only the visualization',
+            statusCode: 200,
+            response: createExpectVisualizationResults(scenario.spaceId),
+          },
+          notSpaceAwareType: {
+            description: 'only the globaltype',
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          unknownType: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(1, 20, 0),
+          },
+          pageBeyondTotal: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(100, 100, 1),
+          },
+          unknownSearchField: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(1, 20, 0),
+          },
+          noType: {
+            description: 'all objects',
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      findTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+          password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAwareType: {
+            description: 'only the visualization',
+            statusCode: 200,
+            response: createExpectVisualizationResults(scenario.spaceId),
+          },
+          notSpaceAwareType: {
+            description: 'only the globaltype',
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          unknownType: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(1, 20, 0),
+          },
+          pageBeyondTotal: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(100, 100, 1),
+          },
+          unknownSearchField: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(1, 20, 0),
+          },
+          noType: {
+            description: 'all objects',
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      findTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+          password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAwareType: {
+            description: 'only the visualization',
+            statusCode: 200,
+            response: createExpectVisualizationResults(scenario.spaceId),
+          },
+          notSpaceAwareType: {
+            description: 'only the globaltype',
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          unknownType: {
+            description: 'forbidden find wigwags message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('wigwags'),
+          },
+          pageBeyondTotal: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(100, 100, 1),
+          },
+          unknownSearchField: {
+            description: 'forbidden find wigwags message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('wigwags'),
+          },
+          noType: {
+            description: 'all objects',
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      findTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+          password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAwareType: {
+            description: 'only the visualization',
+            statusCode: 200,
+            response: createExpectVisualizationResults(scenario.spaceId),
+          },
+          notSpaceAwareType: {
+            description: 'only the globaltype',
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          unknownType: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(1, 20, 0),
+          },
+          pageBeyondTotal: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(100, 100, 1),
+          },
+          unknownSearchField: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(1, 20, 0),
+          },
+          noType: {
+            description: 'all objects',
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      findTest(`${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+          password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAwareType: {
+            description: 'only the visualization',
+            statusCode: 200,
+            response: createExpectVisualizationResults(scenario.spaceId),
+          },
+          notSpaceAwareType: {
+            description: 'only the globaltype',
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          unknownType: {
+            description: 'forbidden find wigwags message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('wigwags'),
+          },
+          pageBeyondTotal: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(100, 100, 1),
+          },
+          unknownSearchField: {
+            description: 'forbidden find wigwags message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('wigwags'),
+          },
+          noType: {
+            description: 'all objects',
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      findTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithAllAtSpace.USERNAME,
+          password: scenario.userWithAllAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAwareType: {
+            description: 'only the visualization',
+            statusCode: 200,
+            response: createExpectVisualizationResults(scenario.spaceId),
+          },
+          notSpaceAwareType: {
+            description: 'only the globaltype',
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          unknownType: {
+            description: 'forbidden and find wigwags message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('wigwags'),
+          },
+          pageBeyondTotal: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(100, 100, 1),
+          },
+          unknownSearchField: {
+            description: 'forbidden and find wigwags message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('wigwags'),
+          },
+          noType: {
+            description: 'all objects',
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      findTest(`${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithReadAtSpace.USERNAME,
+          password: scenario.userWithReadAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAwareType: {
+            description: 'only the visualization',
+            statusCode: 200,
+            response: createExpectVisualizationResults(scenario.spaceId),
+          },
+          notSpaceAwareType: {
+            description: 'only the globaltype',
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          unknownType: {
+            description: 'forbidden and find wigwags message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('wigwags'),
+          },
+          pageBeyondTotal: {
+            description: 'empty result',
+            statusCode: 200,
+            response: createExpectEmpty(100, 100, 1),
+          },
+          unknownSearchField: {
+            description: 'forbidden and find wigwags message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('wigwags'),
+          },
+          noType: {
+            description: 'all objects',
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      findTest(
+        `${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithAllAtOtherSpace.USERNAME,
+            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            spaceAwareType: {
+              description: 'forbidden login and find visualization message',
+              statusCode: 403,
+              response: createExpectRbacForbidden('visualization'),
+            },
+            notSpaceAwareType: {
+              description: 'forbidden login and find globaltype message',
+              statusCode: 403,
+              response: createExpectRbacForbidden('globaltype'),
+            },
+            unknownType: {
+              description: 'forbidden login and find wigwags message',
+              statusCode: 403,
+              response: createExpectRbacForbidden('wigwags'),
+            },
+            pageBeyondTotal: {
+              description: 'forbidden login and find visualization message',
+              statusCode: 403,
+              response: createExpectRbacForbidden('visualization'),
+            },
+            unknownSearchField: {
+              description: 'forbidden login and find wigwags message',
+              statusCode: 403,
+              response: createExpectRbacForbidden('wigwags'),
+            },
+            noType: {
+              description: `forbidded can't find any types`,
+              statusCode: 403,
+              response: createExpectRbacForbidden(),
+            },
+          },
+        }
+      );
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts
new file mode 100644
index 00000000000000..b718a7a07d9bc3
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts
@@ -0,0 +1,302 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { getTestSuiteFactory } from '../../common/suites/get';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    createExpectDoesntExistNotFound,
+    createExpectLegacyForbidden,
+    createExpectSpaceAwareRbacForbidden,
+    createExpectSpaceAwareResults,
+    createExpectNotSpaceAwareResults,
+    createExpectNotSpaceAwareRbacForbidden,
+    getTest,
+  } = getTestSuiteFactory(esArchiver, supertest);
+
+  describe('get', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+      },
+    ].forEach(scenario => {
+      getTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.notAKibanaUser.USERNAME,
+          password: scenario.notAKibanaUser.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+          },
+          doesntExist: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+          },
+        },
+      });
+
+      getTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.superuser.USERNAME,
+          password: scenario.superuser.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: createExpectNotSpaceAwareResults(scenario.spaceId),
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithLegacyAll.USERNAME,
+          password: scenario.userWithLegacyAll.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: createExpectNotSpaceAwareResults(scenario.spaceId),
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithLegacyRead.USERNAME,
+          password: scenario.userWithLegacyRead.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: createExpectNotSpaceAwareResults(scenario.spaceId),
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithDualAll.USERNAME,
+          password: scenario.userWithDualAll.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: createExpectNotSpaceAwareResults(scenario.spaceId),
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithDualRead.USERNAME,
+          password: scenario.userWithDualRead.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: createExpectNotSpaceAwareResults(scenario.spaceId),
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithAllGlobally.USERNAME,
+          password: scenario.userWithAllGlobally.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: createExpectNotSpaceAwareResults(scenario.spaceId),
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithReadGlobally.USERNAME,
+          password: scenario.userWithReadGlobally.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: createExpectNotSpaceAwareResults(scenario.spaceId),
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithAllAtSpace.USERNAME,
+          password: scenario.userWithAllAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: createExpectNotSpaceAwareResults(scenario.spaceId),
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithReadAtSpace.USERNAME,
+          password: scenario.userWithReadAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: createExpectSpaceAwareResults(scenario.spaceId),
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: createExpectNotSpaceAwareResults(scenario.spaceId),
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithAllAtOtherSpace.USERNAME,
+          password: scenario.userWithAllAtOtherSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: createExpectSpaceAwareRbacForbidden(),
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: createExpectNotSpaceAwareRbacForbidden(),
+          },
+          doesntExist: {
+            statusCode: 403,
+            response: createExpectSpaceAwareRbacForbidden(),
+          },
+        },
+      });
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/index.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/index.ts
new file mode 100644
index 00000000000000..d25a9b852b789d
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/index.ts
@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { createUsersAndRoles } from '../../common/lib/create_users_and_roles';
+import { TestInvoker } from '../../common/lib/types';
+
+// tslint:disable:no-default-export
+export default function({ getService, loadTestFile }: TestInvoker) {
+  const es = getService('es');
+  const supertest = getService('supertest');
+
+  describe('saved objects security and spaces enabled', () => {
+    before(async () => {
+      await createUsersAndRoles(es, supertest);
+    });
+
+    loadTestFile(require.resolve('./bulk_create'));
+    loadTestFile(require.resolve('./bulk_get'));
+    loadTestFile(require.resolve('./create'));
+    loadTestFile(require.resolve('./delete'));
+    loadTestFile(require.resolve('./find'));
+    loadTestFile(require.resolve('./get'));
+    loadTestFile(require.resolve('./update'));
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
new file mode 100644
index 00000000000000..ae6465fa91e281
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
@@ -0,0 +1,306 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { updateTestSuiteFactory } from '../../common/suites/update';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('update', () => {
+    const {
+      createExpectLegacyForbidden,
+      expectDoesntExistRbacForbidden,
+      expectNotSpaceAwareResults,
+      expectNotSpaceAwareRbacForbidden,
+      expectNotFound,
+      expectSpaceAwareRbacForbidden,
+      expectSpaceAwareResults,
+      updateTest,
+    } = updateTestSuiteFactory(esArchiver, supertest);
+
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+      },
+    ].forEach(scenario => {
+      updateTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+          password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          },
+          doesntExist: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          },
+        },
+      });
+
+      updateTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.superuser.USERNAME,
+          password: scenario.superuser.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: expectSpaceAwareResults,
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: expectNotFound,
+          },
+        },
+      });
+
+      updateTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithLegacyAll.USERNAME,
+          password: scenario.userWithLegacyAll.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: expectSpaceAwareResults,
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: expectNotFound,
+          },
+        },
+      });
+
+      updateTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithLegacyRead.USERNAME,
+          password: scenario.userWithLegacyRead.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+          },
+          doesntExist: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+          },
+        },
+      });
+
+      updateTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithDualAll.USERNAME,
+          password: scenario.userWithDualAll.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: expectSpaceAwareResults,
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: expectNotFound,
+          },
+        },
+      });
+
+      updateTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithDualRead.USERNAME,
+          password: scenario.userWithDualRead.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: expectSpaceAwareRbacForbidden,
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: expectNotSpaceAwareRbacForbidden,
+          },
+          doesntExist: {
+            statusCode: 403,
+            response: expectDoesntExistRbacForbidden,
+          },
+        },
+      });
+
+      updateTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithAllGlobally.USERNAME,
+          password: scenario.userWithAllGlobally.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: expectSpaceAwareResults,
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: expectNotFound,
+          },
+        },
+      });
+
+      updateTest(`${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithReadGlobally.USERNAME,
+          password: scenario.userWithReadGlobally.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: expectSpaceAwareRbacForbidden,
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: expectNotSpaceAwareRbacForbidden,
+          },
+          doesntExist: {
+            statusCode: 403,
+            response: expectDoesntExistRbacForbidden,
+          },
+        },
+      });
+
+      updateTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithAllAtSpace.USERNAME,
+          password: scenario.userWithAllAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 200,
+            response: expectSpaceAwareResults,
+          },
+          notSpaceAware: {
+            statusCode: 200,
+            response: expectNotSpaceAwareResults,
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: expectNotFound,
+          },
+        },
+      });
+
+      updateTest(`${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.userWithReadAtSpace.USERNAME,
+          password: scenario.userWithReadAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: expectSpaceAwareRbacForbidden,
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: expectNotSpaceAwareRbacForbidden,
+          },
+          doesntExist: {
+            statusCode: 403,
+            response: expectDoesntExistRbacForbidden,
+          },
+        },
+      });
+
+      updateTest(
+        `${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
+        {
+          auth: {
+            username: scenario.userWithAllAtOtherSpace.USERNAME,
+            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+          },
+          spaceId: scenario.spaceId,
+          tests: {
+            spaceAware: {
+              statusCode: 403,
+              response: expectSpaceAwareRbacForbidden,
+            },
+            notSpaceAware: {
+              statusCode: 403,
+              response: expectNotSpaceAwareRbacForbidden,
+            },
+            doesntExist: {
+              statusCode: 403,
+              response: expectDoesntExistRbacForbidden,
+            },
+          },
+        }
+      );
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/index.js b/x-pack/test/saved_object_api_integration/security_and_spaces/config.ts
similarity index 51%
rename from x-pack/test/rbac_api_integration/apis/index.js
rename to x-pack/test/saved_object_api_integration/security_and_spaces/config.ts
index cf26e2e7cf4d85..81cf9d85671d18 100644
--- a/x-pack/test/rbac_api_integration/apis/index.js
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/config.ts
@@ -4,10 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export default function ({ loadTestFile }) {
-  describe('apis RBAC', () => {
-    loadTestFile(require.resolve('./es'));
-    loadTestFile(require.resolve('./privileges'));
-    loadTestFile(require.resolve('./saved_objects'));
-  });
-}
+import { createTestConfig } from '../common/config';
+
+// tslint:disable:no-default-export
+export default createTestConfig('security_and_spaces', { license: 'trial' });
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts
new file mode 100644
index 00000000000000..791425ddb84fe8
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts
@@ -0,0 +1,191 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { TestInvoker } from '../../common/lib/types';
+import { bulkCreateTestSuiteFactory } from '../../common/suites/bulk_create';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+  const es = getService('es');
+
+  const {
+    bulkCreateTest,
+    createExpectLegacyForbidden,
+    createExpectResults,
+    expectRbacForbidden,
+  } = bulkCreateTestSuiteFactory(es, esArchiver, supertest);
+
+  describe('_bulk_create', () => {
+    bulkCreateTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+      },
+    });
+
+    bulkCreateTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    bulkCreateTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    bulkCreateTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    bulkCreateTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    bulkCreateTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+      },
+    });
+
+    bulkCreateTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    bulkCreateTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+      },
+    });
+
+    bulkCreateTest(`kibana rbac default space all user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    bulkCreateTest(`kibana rbac default space read user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    bulkCreateTest(`kibana rbac space 1 all user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    bulkCreateTest(`kibana rbac space 1 readonly user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts
new file mode 100644
index 00000000000000..60aaf8b64d86d5
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts
@@ -0,0 +1,186 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { TestInvoker } from '../../common/lib/types';
+import { bulkGetTestSuiteFactory } from '../../common/suites/bulk_get';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const { bulkGetTest, createExpectLegacyForbidden, createExpectResults } = bulkGetTestSuiteFactory(
+    esArchiver,
+    supertest
+  );
+
+  describe('_bulk_get', () => {
+    bulkGetTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+      },
+    });
+
+    bulkGetTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    bulkGetTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    bulkGetTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    bulkGetTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    bulkGetTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    bulkGetTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    bulkGetTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    bulkGetTest(`kibana rbac default space all user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    bulkGetTest(`kibana rbac default space read user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    bulkGetTest(`kibana rbac space 1 all user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    bulkGetTest(`kibana rbac space 1 readonly user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/create.ts b/x-pack/test/saved_object_api_integration/security_only/apis/create.ts
new file mode 100644
index 00000000000000..21050effbdd996
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/create.ts
@@ -0,0 +1,251 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { TestInvoker } from '../../common/lib/types';
+import { createTestSuiteFactory } from '../../common/suites/create';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const es = getService('es');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    createTest,
+    createExpectLegacyForbidden,
+    createExpectSpaceAwareResults,
+    expectNotSpaceAwareResults,
+    expectNotSpaceAwareRbacForbidden,
+    expectSpaceAwareRbacForbidden,
+  } = createTestSuiteFactory(es, esArchiver, supertestWithoutAuth);
+
+  describe('create', () => {
+    createTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+      },
+    });
+
+    createTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+      },
+    });
+
+    createTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+      },
+    });
+
+    createTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    createTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+      },
+    });
+
+    createTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: expectSpaceAwareRbacForbidden,
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: expectNotSpaceAwareRbacForbidden,
+        },
+      },
+    });
+
+    createTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+      },
+    });
+
+    createTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: expectSpaceAwareRbacForbidden,
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: expectNotSpaceAwareRbacForbidden,
+        },
+      },
+    });
+
+    createTest(`kibana rbac default space all user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    createTest(`kibana rbac default space read user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    createTest(`kibana rbac space 1 all user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    createTest(`kibana rbac space 1 readonly user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts b/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts
new file mode 100644
index 00000000000000..634a3d60f1322c
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts
@@ -0,0 +1,309 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { TestInvoker } from '../../common/lib/types';
+import { deleteTestSuiteFactory } from '../../common/suites/delete';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('delete', () => {
+    const {
+      createExpectLegacyForbidden,
+      createExpectUnknownDocNotFound,
+      deleteTest,
+      expectEmpty,
+      expectRbacSpaceAwareForbidden,
+      expectRbacNotSpaceAwareForbidden,
+      expectRbacInvalidIdForbidden,
+    } = deleteTestSuiteFactory(esArchiver, supertest);
+
+    deleteTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+        invalidId: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+      },
+    });
+
+    deleteTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: createExpectUnknownDocNotFound(),
+        },
+      },
+    });
+
+    deleteTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: createExpectUnknownDocNotFound(),
+        },
+      },
+    });
+
+    deleteTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+          ),
+        },
+        invalidId: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    deleteTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: createExpectUnknownDocNotFound(),
+        },
+      },
+    });
+
+    deleteTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: expectRbacSpaceAwareForbidden,
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: expectRbacNotSpaceAwareForbidden,
+        },
+        invalidId: {
+          statusCode: 403,
+          response: expectRbacInvalidIdForbidden,
+        },
+      },
+    });
+
+    deleteTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: createExpectUnknownDocNotFound(),
+        },
+      },
+    });
+
+    deleteTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: expectRbacSpaceAwareForbidden,
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: expectRbacNotSpaceAwareForbidden,
+        },
+        invalidId: {
+          statusCode: 403,
+          response: expectRbacInvalidIdForbidden,
+        },
+      },
+    });
+
+    deleteTest(`kibana rbac default space all user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+        invalidId: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    deleteTest(`kibana rbac default space read user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+        invalidId: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    deleteTest(`kibana rbac space 1 all user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+        invalidId: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    deleteTest(`kibana rbac space 1 readonly user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+        invalidId: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
new file mode 100644
index 00000000000000..04ba16e075ba6c
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
@@ -0,0 +1,543 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { TestInvoker } from '../../common/lib/types';
+import { findTestSuiteFactory } from '../../common/suites/find';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('find', () => {
+    const {
+      createExpectEmpty,
+      createExpectRbacForbidden,
+      createExpectResults,
+      createExpectLegacyForbidden,
+      createExpectVisualizationResults,
+      expectNotSpaceAwareResults,
+      findTest,
+    } = findTestSuiteFactory(esArchiver, supertest);
+
+    findTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        spaceAwareType: {
+          description: 'forbidden login and find visualization message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+        notSpaceAwareType: {
+          description: 'forbidden legacy message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+        unknownType: {
+          description: 'forbidden login and find wigwags message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+        pageBeyondTotal: {
+          description: 'forbidden login and find visualization message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+        unknownSearchField: {
+          description: 'forbidden login and find wigwags message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+        noType: {
+          description: `forbidded can't find any types`,
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+      },
+    });
+
+    findTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        spaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: createExpectVisualizationResults(),
+        },
+        notSpaceAwareType: {
+          description: 'only the globaltype',
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    findTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: createExpectVisualizationResults(),
+        },
+        notSpaceAwareType: {
+          description: 'only the globaltype',
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    findTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: createExpectVisualizationResults(),
+        },
+        notSpaceAwareType: {
+          description: 'only the globaltype',
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    findTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        spaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: createExpectVisualizationResults(),
+        },
+        notSpaceAwareType: {
+          description: 'only the globaltype',
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    findTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: createExpectVisualizationResults(),
+        },
+        notSpaceAwareType: {
+          description: 'only the globaltype',
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        unknownType: {
+          description: 'forbidden find wigwags message',
+          statusCode: 403,
+          response: createExpectRbacForbidden('wigwags'),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'forbidden find wigwags message',
+          statusCode: 403,
+          response: createExpectRbacForbidden('wigwags'),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    findTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        spaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: createExpectVisualizationResults(),
+        },
+        notSpaceAwareType: {
+          description: 'only the globaltype',
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    findTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: createExpectVisualizationResults(),
+        },
+        notSpaceAwareType: {
+          description: 'only the globaltype',
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        unknownType: {
+          description: 'forbidden find wigwags message',
+          statusCode: 403,
+          response: createExpectRbacForbidden('wigwags'),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'forbidden find wigwags message',
+          statusCode: 403,
+          response: createExpectRbacForbidden('wigwags'),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: createExpectResults(),
+        },
+      },
+    });
+
+    findTest(`kibana rbac default space all user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
+      },
+      tests: {
+        spaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+        notSpaceAwareType: {
+          description: 'only the globaltype',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    findTest(`kibana rbac default space read user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
+      },
+      tests: {
+        spaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+        notSpaceAwareType: {
+          description: 'only the globaltype',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    findTest(`kibana rbac space 1 all user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
+      },
+      tests: {
+        spaceAwareType: {
+          description: 'forbidden login and find visualization message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+        notSpaceAwareType: {
+          description: 'only the globaltype',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+        unknownType: {
+          description: 'forbidden login and find wigwags message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+        pageBeyondTotal: {
+          description: 'forbidden login and find visualization message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+        unknownSearchField: {
+          description: 'forbidden login and find wigwags message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+        noType: {
+          description: `forbidded can't find any types`,
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    findTest(`kibana rbac space 1 readonly user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
+      },
+      tests: {
+        spaceAwareType: {
+          description: 'forbidden login and find visualization message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+        notSpaceAwareType: {
+          description: 'only the globaltype',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+        unknownType: {
+          description: 'forbidden login and find wigwags message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+        pageBeyondTotal: {
+          description: 'forbidden login and find visualization message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+        unknownSearchField: {
+          description: 'forbidden login and find wigwags message',
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+        noType: {
+          description: `forbidded can't find any types`,
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/get.ts b/x-pack/test/saved_object_api_integration/security_only/apis/get.ts
new file mode 100644
index 00000000000000..db3399f8c6d47c
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/get.ts
@@ -0,0 +1,301 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { TestInvoker } from '../../common/lib/types';
+import { getTestSuiteFactory } from '../../common/suites/get';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    createExpectDoesntExistNotFound,
+    createExpectLegacyForbidden,
+    createExpectSpaceAwareResults,
+    createExpectNotSpaceAwareResults,
+    getTest,
+  } = getTestSuiteFactory(esArchiver, supertest);
+
+  describe('get', () => {
+    getTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+      },
+    });
+
+    getTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: createExpectNotSpaceAwareResults(),
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: createExpectDoesntExistNotFound(),
+        },
+      },
+    });
+
+    getTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: createExpectNotSpaceAwareResults(),
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: createExpectDoesntExistNotFound(),
+        },
+      },
+    });
+
+    getTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: createExpectNotSpaceAwareResults(),
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: createExpectDoesntExistNotFound(),
+        },
+      },
+    });
+
+    getTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: createExpectNotSpaceAwareResults(),
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: createExpectDoesntExistNotFound(),
+        },
+      },
+    });
+
+    getTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: createExpectNotSpaceAwareResults(),
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: createExpectDoesntExistNotFound(),
+        },
+      },
+    });
+
+    getTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: createExpectNotSpaceAwareResults(),
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: createExpectDoesntExistNotFound(),
+        },
+      },
+    });
+
+    getTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: createExpectNotSpaceAwareResults(),
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: createExpectDoesntExistNotFound(),
+        },
+      },
+    });
+
+    getTest(`kibana rbac default space all user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    getTest(`kibana rbac default space read user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    getTest(`kibana rbac space 1 all user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    getTest(`kibana rbac space 1 readonly user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/index.ts b/x-pack/test/saved_object_api_integration/security_only/apis/index.ts
new file mode 100644
index 00000000000000..c9be7152f96eae
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/index.ts
@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { createUsersAndRoles } from '../../common/lib/create_users_and_roles';
+import { TestInvoker } from '../../common/lib/types';
+
+// tslint:disable:no-default-export
+export default function({ getService, loadTestFile }: TestInvoker) {
+  const es = getService('es');
+  const supertest = getService('supertest');
+
+  describe('saved objects security only enabled', () => {
+    before(async () => {
+      await createUsersAndRoles(es, supertest);
+    });
+
+    loadTestFile(require.resolve('./bulk_create'));
+    loadTestFile(require.resolve('./bulk_get'));
+    loadTestFile(require.resolve('./create'));
+    loadTestFile(require.resolve('./delete'));
+    loadTestFile(require.resolve('./find'));
+    loadTestFile(require.resolve('./get'));
+    loadTestFile(require.resolve('./update'));
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/update.ts b/x-pack/test/saved_object_api_integration/security_only/apis/update.ts
new file mode 100644
index 00000000000000..ab967d6611a007
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/update.ts
@@ -0,0 +1,310 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { TestInvoker } from '../../common/lib/types';
+import { updateTestSuiteFactory } from '../../common/suites/update';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('update', () => {
+    const {
+      createExpectLegacyForbidden,
+      expectDoesntExistRbacForbidden,
+      expectNotSpaceAwareResults,
+      expectNotSpaceAwareRbacForbidden,
+      expectNotFound,
+      expectSpaceAwareRbacForbidden,
+      expectSpaceAwareResults,
+      updateTest,
+    } = updateTestSuiteFactory(esArchiver, supertest);
+
+    updateTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+        },
+      },
+    });
+
+    updateTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectSpaceAwareResults,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      },
+    });
+
+    updateTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectSpaceAwareResults,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      },
+    });
+
+    updateTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+          ),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    updateTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectSpaceAwareResults,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      },
+    });
+
+    updateTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: expectSpaceAwareRbacForbidden,
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: expectNotSpaceAwareRbacForbidden,
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: expectDoesntExistRbacForbidden,
+        },
+      },
+    });
+
+    updateTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectSpaceAwareResults,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      },
+    });
+
+    updateTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: expectSpaceAwareRbacForbidden,
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: expectNotSpaceAwareRbacForbidden,
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: expectDoesntExistRbacForbidden,
+        },
+      },
+    });
+
+    updateTest(AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    updateTest(AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    updateTest(AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+          ),
+        },
+      },
+    });
+
+    updateTest(AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
+      },
+      tests: {
+        spaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+        notSpaceAware: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+          ),
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/security_only/config.ts b/x-pack/test/saved_object_api_integration/security_only/config.ts
new file mode 100644
index 00000000000000..f71cc9207b3cc7
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/security_only/config.ts
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { createTestConfig } from '../common/config';
+
+// tslint:disable:no-default-export
+export default createTestConfig('security_only', { disabledPlugins: ['spaces'], license: 'trial' });
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_create.ts
new file mode 100644
index 00000000000000..6f48c53a3f8974
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_create.ts
@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { bulkCreateTestSuiteFactory } from '../../common/suites/bulk_create';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertest');
+  const esArchiver = getService('esArchiver');
+  const es = getService('es');
+
+  const { bulkCreateTest, createExpectResults } = bulkCreateTestSuiteFactory(
+    es,
+    esArchiver,
+    supertest
+  );
+
+  describe('_bulk_create', () => {
+    bulkCreateTest('in the current space (space_1)', {
+      ...SPACES.SPACE_1,
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(SPACES.SPACE_1.spaceId),
+        },
+      },
+    });
+
+    bulkCreateTest('in the default space', {
+      ...SPACES.DEFAULT,
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(SPACES.DEFAULT.spaceId),
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_get.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_get.ts
new file mode 100644
index 00000000000000..cfb4b301bccfb3
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_get.ts
@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { bulkGetTestSuiteFactory } from '../../common/suites/bulk_get';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertest');
+  const esArchiver = getService('esArchiver');
+
+  const { bulkGetTest, createExpectResults, createExpectNotFoundResults } = bulkGetTestSuiteFactory(
+    esArchiver,
+    supertest
+  );
+
+  describe('_bulk_get', () => {
+    bulkGetTest(`objects within the current space (space_1)`, {
+      ...SPACES.SPACE_1,
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectResults(SPACES.SPACE_1.spaceId),
+        },
+      },
+    });
+
+    bulkGetTest(`objects within another space`, {
+      ...SPACES.SPACE_1,
+      otherSpaceId: SPACES.SPACE_2.spaceId,
+      tests: {
+        default: {
+          statusCode: 200,
+          response: createExpectNotFoundResults(SPACES.SPACE_2.spaceId),
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/create.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/create.ts
new file mode 100644
index 00000000000000..4da115377f23ff
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/create.ts
@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { createTestSuiteFactory } from '../../common/suites/create';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const es = getService('es');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    createTest,
+    createExpectSpaceAwareResults,
+    expectNotSpaceAwareResults,
+  } = createTestSuiteFactory(es, esArchiver, supertestWithoutAuth);
+
+  describe('create', () => {
+    createTest('in the current space (space_1)', {
+      ...SPACES.SPACE_1,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(SPACES.SPACE_1.spaceId),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+      },
+    });
+
+    createTest('in the default space', {
+      ...SPACES.DEFAULT,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(SPACES.DEFAULT.spaceId),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/delete.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/delete.ts
new file mode 100644
index 00000000000000..d70f930d636772
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/delete.ts
@@ -0,0 +1,58 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { deleteTestSuiteFactory } from '../../common/suites/delete';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertest');
+  const esArchiver = getService('esArchiver');
+
+  describe('delete', () => {
+    const { createExpectUnknownDocNotFound, deleteTest, expectEmpty } = deleteTestSuiteFactory(
+      esArchiver,
+      supertest
+    );
+
+    deleteTest(`in the default space`, {
+      ...SPACES.DEFAULT,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: createExpectUnknownDocNotFound(SPACES.DEFAULT.spaceId),
+        },
+      },
+    });
+
+    deleteTest(`in the current space (space_1)`, {
+      ...SPACES.SPACE_1,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: createExpectUnknownDocNotFound(SPACES.SPACE_1.spaceId),
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/find.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/find.ts
new file mode 100644
index 00000000000000..421b752801bfd5
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/find.ts
@@ -0,0 +1,97 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { findTestSuiteFactory } from '../../common/suites/find';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertest');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    createExpectEmpty,
+    createExpectResults,
+    createExpectVisualizationResults,
+    expectNotSpaceAwareResults,
+    findTest,
+  } = findTestSuiteFactory(esArchiver, supertest);
+
+  describe('find', () => {
+    findTest(`objects only within the current space (space_1)`, {
+      ...SPACES.SPACE_1,
+      tests: {
+        spaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: createExpectVisualizationResults(SPACES.SPACE_1.spaceId),
+        },
+        notSpaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: createExpectResults(SPACES.SPACE_1.spaceId),
+        },
+      },
+    });
+
+    findTest(`objects only within the current space (default)`, {
+      ...SPACES.DEFAULT,
+      tests: {
+        spaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: createExpectVisualizationResults(SPACES.DEFAULT.spaceId),
+        },
+        notSpaceAwareType: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: createExpectResults(SPACES.DEFAULT.spaceId),
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/get.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/get.ts
new file mode 100644
index 00000000000000..c2055bd41dd61d
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/get.ts
@@ -0,0 +1,60 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { getTestSuiteFactory } from '../../common/suites/get';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertest');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    createExpectDoesntExistNotFound,
+    createExpectSpaceAwareResults,
+    createExpectNotSpaceAwareResults,
+    getTest,
+  } = getTestSuiteFactory(esArchiver, supertest);
+
+  describe('get', () => {
+    getTest(`can access objects belonging to the current space (default)`, {
+      ...SPACES.DEFAULT,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(SPACES.DEFAULT.spaceId),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: createExpectNotSpaceAwareResults(SPACES.DEFAULT.spaceId),
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: createExpectDoesntExistNotFound(SPACES.DEFAULT.spaceId),
+        },
+      },
+    });
+
+    getTest(`can access objects belonging to the current space (space_1)`, {
+      ...SPACES.SPACE_1,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: createExpectSpaceAwareResults(SPACES.SPACE_1.spaceId),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: createExpectNotSpaceAwareResults(SPACES.SPACE_1.spaceId),
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: createExpectDoesntExistNotFound(SPACES.SPACE_1.spaceId),
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/index.js b/x-pack/test/saved_object_api_integration/spaces_only/apis/index.ts
similarity index 67%
rename from x-pack/test/spaces_api_integration/apis/saved_objects/index.js
rename to x-pack/test/saved_object_api_integration/spaces_only/apis/index.ts
index c74b03792ba034..113cf86454d5ff 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/index.js
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/index.ts
@@ -4,10 +4,12 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { TestInvoker } from '../../common/lib/types';
 
-export default function ({ loadTestFile }) {
-
-  describe('saved_objects', () => {
+// tslint:disable:no-default-export
+export default function({ loadTestFile }: TestInvoker) {
+  describe('saved objects spaces only enabled', () => {
+    loadTestFile(require.resolve('./bulk_create'));
     loadTestFile(require.resolve('./bulk_get'));
     loadTestFile(require.resolve('./create'));
     loadTestFile(require.resolve('./delete'));
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/update.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/update.ts
new file mode 100644
index 00000000000000..c22ef7fe17e133
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/update.ts
@@ -0,0 +1,60 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { updateTestSuiteFactory } from '../../common/suites/update';
+
+// tslint:disable:no-default-export
+export default function({ getService }: TestInvoker) {
+  const supertest = getService('supertest');
+  const esArchiver = getService('esArchiver');
+
+  describe('update', () => {
+    const {
+      expectSpaceAwareResults,
+      expectNotFound,
+      expectNotSpaceAwareResults,
+      updateTest,
+    } = updateTestSuiteFactory(esArchiver, supertest);
+
+    updateTest(`in the default space`, {
+      ...SPACES.DEFAULT,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectSpaceAwareResults,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      },
+    });
+
+    updateTest('in the current space (space_1)', {
+      ...SPACES.SPACE_1,
+      tests: {
+        spaceAware: {
+          statusCode: 200,
+          response: expectSpaceAwareResults,
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      },
+    });
+  });
+}
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/config.ts b/x-pack/test/saved_object_api_integration/spaces_only/config.ts
new file mode 100644
index 00000000000000..38d65bab1b107b
--- /dev/null
+++ b/x-pack/test/saved_object_api_integration/spaces_only/config.ts
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { createTestConfig } from '../common/config';
+
+// tslint:disable:no-default-export
+export default createTestConfig('spaces_only', { license: 'basic' });
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js b/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js
deleted file mode 100644
index 517aab85312fac..00000000000000
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/bulk_get.js
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { SPACES } from './lib/spaces';
-import { getIdPrefix, getUrlPrefix } from './lib/space_test_utils';
-
-export default function ({ getService }) {
-  const supertest = getService('supertest');
-  const esArchiver = getService('esArchiver');
-
-  const BULK_REQUESTS = [
-    {
-      type: 'visualization',
-      id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
-    },
-    {
-      type: 'dashboard',
-      id: 'does not exist',
-    },
-    {
-      type: 'config',
-      id: '7.0.0-alpha1',
-    },
-  ];
-
-  const createBulkRequests = (spaceId) => BULK_REQUESTS.map(r => ({
-    ...r,
-    id: `${getIdPrefix(spaceId)}${r.id}`
-  }));
-
-  describe('_bulk_get', () => {
-    const expectNotFoundResults = (spaceId) => resp => {
-      expect(resp.body).to.eql({
-        saved_objects: [
-          {
-            id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
-            type: 'visualization',
-            error: {
-              statusCode: 404,
-              message: 'Not found',
-            },
-          },
-          {
-            id: `${getIdPrefix(spaceId)}does not exist`,
-            type: 'dashboard',
-            error: {
-              statusCode: 404,
-              message: 'Not found',
-            },
-          },
-          //todo(legrego) fix when config is space aware
-          {
-            id: `${getIdPrefix(spaceId)}7.0.0-alpha1`,
-            type: 'config',
-            error: {
-              statusCode: 404,
-              message: 'Not found',
-            },
-          },
-        ],
-      });
-    };
-
-    const expectResults = (spaceId) => resp => {
-      expect(resp.body).to.eql({
-        saved_objects: [
-          {
-            id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
-            type: 'visualization',
-            updated_at: '2017-09-21T18:51:23.794Z',
-            version: resp.body.saved_objects[0].version,
-            attributes: {
-              title: 'Count of requests',
-              description: '',
-              version: 1,
-              // cheat for some of the more complex attributes
-              visState: resp.body.saved_objects[0].attributes.visState,
-              uiStateJSON: resp.body.saved_objects[0].attributes.uiStateJSON,
-              kibanaSavedObjectMeta:
-                resp.body.saved_objects[0].attributes.kibanaSavedObjectMeta,
-            },
-          },
-          {
-            id: `${getIdPrefix(spaceId)}does not exist`,
-            type: 'dashboard',
-            error: {
-              statusCode: 404,
-              message: 'Not found',
-            },
-          },
-          //todo(legrego) fix when config is space aware
-          {
-            id: `${getIdPrefix(spaceId)}7.0.0-alpha1`,
-            type: 'config',
-            error: {
-              statusCode: 404,
-              message: 'Not found',
-            },
-          },
-        ],
-      });
-    };
-
-    const bulkGetTest = (description, { spaceId, tests, otherSpaceId = spaceId }) => {
-      describe(description, () => {
-        before(() => esArchiver.load('saved_objects/spaces'));
-        after(() => esArchiver.unload('saved_objects/spaces'));
-
-        it(`should return ${tests.default.statusCode}`, async () => {
-          await supertest
-            .post(`${getUrlPrefix(spaceId)}/api/saved_objects/_bulk_get`)
-            .send(createBulkRequests(otherSpaceId))
-            .expect(tests.default.statusCode)
-            .then(tests.default.response);
-        });
-      });
-    };
-
-    bulkGetTest(`objects within the current space (space_1)`, {
-      ...SPACES.SPACE_1,
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectResults(SPACES.SPACE_1.spaceId),
-        },
-      }
-    });
-
-    bulkGetTest(`objects within another space`, {
-      ...SPACES.SPACE_1,
-      otherSpaceId: SPACES.SPACE_2.spaceId,
-      tests: {
-        default: {
-          statusCode: 200,
-          response: expectNotFoundResults(SPACES.SPACE_2.spaceId)
-        },
-      }
-    });
-
-  });
-}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/create.js b/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
deleted file mode 100644
index 4a7bfa30d40dc7..00000000000000
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/create.js
+++ /dev/null
@@ -1,143 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { getUrlPrefix } from './lib/space_test_utils';
-import { SPACES } from './lib/spaces';
-import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
-
-export default function ({ getService }) {
-  const supertest = getService('supertest');
-  const es = getService('es');
-  const esArchiver = getService('esArchiver');
-
-  describe('create', () => {
-    const expectSpaceAwareResults = (spaceId) => async (resp) => {
-      expect(resp.body).to.have.property('id').match(/^[0-9a-f-]{36}$/);
-
-      // loose ISO8601 UTC time with milliseconds validation
-      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
-
-      expect(resp.body).to.eql({
-        id: resp.body.id,
-        type: 'visualization',
-        updated_at: resp.body.updated_at,
-        version: 1,
-        attributes: {
-          title: 'My favorite vis'
-        }
-      });
-
-      const expectedSpacePrefix = spaceId === DEFAULT_SPACE_ID ? '' : `${spaceId}:`;
-
-      // query ES directory to assert on space id
-      const { _source } = await es.get({
-        id: `${expectedSpacePrefix}visualization:${resp.body.id}`,
-        type: 'doc',
-        index: '.kibana'
-      });
-
-      const {
-        namespace: actualSpaceId = '**not defined**'
-      } = _source;
-
-      if (spaceId === DEFAULT_SPACE_ID) {
-        expect(actualSpaceId).to.eql('**not defined**');
-      } else {
-        expect(actualSpaceId).to.eql(spaceId);
-      }
-    };
-
-    const expectNotSpaceAwareResults = () => async (resp) => {
-      expect(resp.body).to.have.property('id').match(/^[0-9a-f-]{36}$/);
-
-      // loose ISO8601 UTC time with milliseconds validation
-      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
-
-      expect(resp.body).to.eql({
-        id: resp.body.id,
-        type: 'space',
-        updated_at: resp.body.updated_at,
-        version: 1,
-        attributes: {
-          name: 'My favorite space',
-        }
-      });
-
-      // query ES directory to assert on space id
-      const { _source } = await es.get({
-        id: `space:${resp.body.id}`,
-        type: 'doc',
-        index: '.kibana'
-      });
-
-      const {
-        namespace: actualSpaceId = '**not defined**'
-      } = _source;
-
-      expect(actualSpaceId).to.eql('**not defined**');
-    };
-
-    const createTest = (description, { spaceId, tests }) => {
-      describe(description, () => {
-        before(() => esArchiver.load('saved_objects/spaces'));
-        after(() => esArchiver.unload('saved_objects/spaces'));
-        it(`should return ${tests.spaceAware.statusCode} for a space-aware type`, async () => {
-          await supertest
-            .post(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization`)
-            .send({
-              attributes: {
-                title: 'My favorite vis'
-              }
-            })
-            .expect(tests.spaceAware.statusCode)
-            .then(tests.spaceAware.response);
-        });
-
-        it(`should return ${tests.notSpaceAware.statusCode} for a non space-aware type`, async () => {
-          await supertest
-            .post(`${getUrlPrefix(spaceId)}/api/saved_objects/space`)
-            .send({
-              attributes: {
-                name: 'My favorite space',
-              }
-            })
-            .expect(tests.notSpaceAware.statusCode)
-            .then(tests.notSpaceAware.response);
-        });
-
-      });
-    };
-
-    createTest('in the current space (space_1)', {
-      ...SPACES.SPACE_1,
-      tests: {
-        spaceAware: {
-          statusCode: 200,
-          response: expectSpaceAwareResults(SPACES.SPACE_1.spaceId),
-        },
-        notSpaceAware: {
-          statusCode: 200,
-          response: expectNotSpaceAwareResults(SPACES.SPACE_1.spaceId),
-        }
-      }
-    });
-
-    createTest('in the default space', {
-      ...SPACES.DEFAULT,
-      tests: {
-        spaceAware: {
-          statusCode: 200,
-          response: expectSpaceAwareResults(SPACES.DEFAULT.spaceId),
-        },
-        notSpaceAware: {
-          statusCode: 200,
-          response: expectNotSpaceAwareResults(SPACES.SPACE_1.spaceId),
-        }
-      }
-    });
-  });
-}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js b/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
deleted file mode 100644
index 07bb72a30e9820..00000000000000
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/delete.js
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { SPACES } from './lib/spaces';
-import { getUrlPrefix, getIdPrefix } from './lib/space_test_utils';
-
-export default function ({ getService }) {
-  const supertest = getService('supertest');
-  const esArchiver = getService('esArchiver');
-
-  describe('delete', () => {
-
-    const expectEmpty = () => (resp) => {
-      expect(resp.body).to.eql({});
-    };
-
-    const expectNotFound = (type, id) => (resp) => {
-      expect(resp.body).to.eql({
-        statusCode: 404,
-        error: 'Not Found',
-        message: `Saved object [${type}/${id}] not found`
-      });
-    };
-
-    const deleteTest = (description, { spaceId, tests }) => {
-      describe(description, () => {
-        before(() => esArchiver.load('saved_objects/spaces'));
-        after(() => esArchiver.unload('saved_objects/spaces'));
-
-        it(`should return ${tests.spaceAware.statusCode} when deleting a space-aware doc`, async () => (
-          await supertest
-            .delete(`${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${getIdPrefix(spaceId)}be3733a0-9efe-11e7-acb3-3dab96693fab`)
-            .expect(tests.spaceAware.statusCode)
-            .then(tests.spaceAware.response())
-        ));
-
-        it(`should return ${tests.notSpaceAware.statusCode} when deleting a non-space-aware doc`, async () => (
-          await supertest
-            .delete(`${getUrlPrefix(spaceId)}/api/saved_objects/space/space_2`)
-            .expect(tests.notSpaceAware.statusCode)
-            .then(tests.notSpaceAware.response())
-        ));
-
-        it(`should return ${tests.inOtherSpace.statusCode} when deleting a doc belonging to another space`, async () => {
-          const expectedObjectId = `${getIdPrefix('space_2')}be3733a0-9efe-11e7-acb3-3dab96693fab`;
-
-          await supertest
-            .delete(`${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${expectedObjectId}`)
-            .expect(tests.inOtherSpace.statusCode)
-            .then(tests.inOtherSpace.response('dashboard', expectedObjectId));
-        });
-      });
-    };
-
-    deleteTest(`in the default space`, {
-      ...SPACES.DEFAULT,
-      tests: {
-        spaceAware: {
-          statusCode: 200,
-          response: expectEmpty
-        },
-        notSpaceAware: {
-          statusCode: 200,
-          response: expectEmpty
-        },
-        inOtherSpace: {
-          statusCode: 404,
-          response: expectNotFound
-        }
-      }
-    });
-
-    deleteTest(`in the current space (space_1)`, {
-      ...SPACES.SPACE_1,
-      tests: {
-        spaceAware: {
-          statusCode: 200,
-          response: expectEmpty
-        },
-        notSpaceAware: {
-          statusCode: 200,
-          response: expectEmpty
-        },
-        inOtherSpace: {
-          statusCode: 404,
-          response: expectNotFound
-        }
-      }
-    });
-  });
-}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/find.js b/x-pack/test/spaces_api_integration/apis/saved_objects/find.js
deleted file mode 100644
index ea59e01eff96d7..00000000000000
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/find.js
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { SPACES } from './lib/spaces';
-import { getIdPrefix, getUrlPrefix } from './lib/space_test_utils';
-
-export default function ({ getService }) {
-  const supertest = getService('supertest');
-  const esArchiver = getService('esArchiver');
-
-  describe('find', () => {
-
-    const expectVisualizationResults = (spaceId) => (resp) => {
-      expect(resp.body).to.eql({
-        page: 1,
-        per_page: 20,
-        total: 1,
-        saved_objects: [
-          {
-            type: 'visualization',
-            id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
-            // no space id on the saved object because the field is not requested as part of a find operation
-            version: 1,
-            attributes: {
-              'title': 'Count of requests'
-            }
-          }
-        ]
-      });
-    };
-
-    const expectAllResults = (spaceId) => (resp) => {
-      // TODO(legrego): update once config is space-aware
-
-      const sortById = ({ id: id1 }, { id: id2 }) => id1 < id2 ? -1 : 1;
-
-      resp.body.saved_objects.sort(sortById);
-
-      const expectedSavedObjects = [{
-        id: '7.0.0-alpha1',
-        type: 'config',
-        updated_at: '2017-09-21T18:49:16.302Z',
-        version: 1,
-      }, {
-        id: `default`,
-        type: 'space',
-        updated_at: '2017-09-21T18:49:16.270Z',
-        version: 1,
-      },
-      {
-        id: `space_1`,
-        type: 'space',
-        updated_at: '2017-09-21T18:49:16.270Z',
-        version: 1,
-      },
-      {
-        id: `space_2`,
-        type: 'space',
-        updated_at: '2017-09-21T18:49:16.270Z',
-        version: 1,
-      },
-      {
-        id: `${getIdPrefix(spaceId)}91200a00-9efd-11e7-acb3-3dab96693fab`,
-        type: 'index-pattern',
-        updated_at: '2017-09-21T18:49:16.270Z',
-        version: 1,
-      },
-
-      {
-        id: `${getIdPrefix(spaceId)}be3733a0-9efe-11e7-acb3-3dab96693fab`,
-        type: 'dashboard',
-        updated_at: '2017-09-21T18:57:40.826Z',
-        version: 1,
-      },
-      {
-        id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
-        type: 'visualization',
-        updated_at: '2017-09-21T18:51:23.794Z',
-        version: 1,
-      }]
-        .sort(sortById);
-
-      expectedSavedObjects.forEach((object, index) => {
-        if (resp.body.saved_objects[index]) {
-          object.attributes = resp.body.saved_objects[index].attributes;
-        }
-      });
-
-
-      expect(resp.body).to.eql({
-        page: 1,
-        per_page: 20,
-        total: expectedSavedObjects.length,
-        saved_objects: expectedSavedObjects,
-      });
-    };
-
-    const createExpectEmpty = (page, perPage, total) => (resp) => {
-      expect(resp.body).to.eql({
-        page: page,
-        per_page: perPage,
-        total: total,
-        saved_objects: []
-      });
-    };
-
-    const findTest = (description, { spaceId, tests }) => {
-      describe(description, () => {
-        before(() => esArchiver.load('saved_objects/spaces'));
-        after(() => esArchiver.unload('saved_objects/spaces'));
-
-        it(`should return ${tests.normal.statusCode} with ${tests.normal.description}`, async () => (
-          await supertest
-            .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=visualization&fields=title`)
-            .expect(tests.normal.statusCode)
-            .then(tests.normal.response)
-        ));
-
-        describe('page beyond total', () => {
-          it(`should return ${tests.pageBeyondTotal.statusCode} with ${tests.pageBeyondTotal.description}`, async () => (
-            await supertest
-              .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=visualization&page=100&per_page=100`)
-              .expect(tests.pageBeyondTotal.statusCode)
-              .then(tests.pageBeyondTotal.response)
-          ));
-        });
-
-        describe('unknown search field', () => {
-          it(`should return ${tests.unknownSearchField.statusCode} with ${tests.unknownSearchField.description}`, async () => (
-            await supertest
-              .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=wigwags&search_fields=a`)
-              .expect(tests.unknownSearchField.statusCode)
-              .then(tests.unknownSearchField.response)
-          ));
-        });
-
-        describe('no type', () => {
-          it(`should return ${tests.noType.statusCode} with ${tests.noType.description}`, async () => (
-            await supertest
-              .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find`)
-              .expect(tests.noType.statusCode)
-              .then(tests.noType.response)
-          ));
-        });
-      });
-    };
-
-    findTest(`objects only within the current space (space_1)`, {
-      ...SPACES.SPACE_1,
-      tests: {
-        normal: {
-          description: 'only the visualization',
-          statusCode: 200,
-          response: expectVisualizationResults(SPACES.SPACE_1.spaceId),
-        },
-        pageBeyondTotal: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(100, 100, 1),
-        },
-        unknownSearchField: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(1, 20, 0),
-        },
-        noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: expectAllResults(SPACES.SPACE_1.spaceId),
-        },
-      }
-    });
-
-    findTest(`objects only within the current space (default)`, {
-      ...SPACES.DEFAULT,
-      tests: {
-        normal: {
-          description: 'only the visualization',
-          statusCode: 200,
-          response: expectVisualizationResults(SPACES.DEFAULT.spaceId),
-        },
-        pageBeyondTotal: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(100, 100, 1),
-        },
-        unknownSearchField: {
-          description: 'empty result',
-          statusCode: 200,
-          response: createExpectEmpty(1, 20, 0),
-        },
-        noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: expectAllResults(SPACES.DEFAULT.spaceId),
-        },
-      }
-    });
-  });
-}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/get.js b/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
deleted file mode 100644
index 0369bffba26e5b..00000000000000
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/get.js
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { getIdPrefix, getUrlPrefix } from './lib/space_test_utils';
-import { SPACES } from './lib/spaces';
-
-export default function ({ getService }) {
-  const supertest = getService('supertest');
-  const esArchiver = getService('esArchiver');
-
-  describe('get', () => {
-
-    const expectResults = (spaceId) => () => (resp) => {
-      const expectedBody = {
-        id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
-        type: 'visualization',
-        updated_at: '2017-09-21T18:51:23.794Z',
-        version: resp.body.version,
-
-        attributes: {
-          title: 'Count of requests',
-          description: '',
-          version: 1,
-          // cheat for some of the more complex attributes
-          visState: resp.body.attributes.visState,
-          uiStateJSON: resp.body.attributes.uiStateJSON,
-          kibanaSavedObjectMeta: resp.body.attributes.kibanaSavedObjectMeta
-        }
-      };
-
-      expect(resp.body).to.eql(expectedBody);
-    };
-
-    const expectNotFound = (type, id) => (resp) => {
-      expect(resp.body).to.eql({
-        error: 'Not Found',
-        message: `Saved object [${type}/${id}] not found`,
-        statusCode: 404,
-      });
-    };
-
-    const getTest = (description, { spaceId, tests, otherSpaceId = spaceId }) => {
-      describe(description, () => {
-        before(async () => esArchiver.load(`saved_objects/spaces`));
-        after(async () => esArchiver.unload(`saved_objects/spaces`));
-
-        it(`should return ${tests.exists.statusCode}`, async () => {
-          const objectId = `${getIdPrefix(otherSpaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`;
-
-          return supertest
-            .get(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${objectId}`)
-            .expect(tests.exists.statusCode)
-            .then(tests.exists.response('visualization', objectId));
-        });
-      });
-    };
-
-    getTest(`can access objects belonging to the current space (space_1)`, {
-      ...SPACES.SPACE_1,
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults(SPACES.SPACE_1.spaceId),
-        },
-      }
-    });
-
-    getTest(`cannot access objects belonging to a different space (space_1)`, {
-      ...SPACES.SPACE_1,
-      otherSpaceId: SPACES.SPACE_2.spaceId,
-      tests: {
-        exists: {
-          statusCode: 404,
-          response: expectNotFound
-        },
-      }
-    });
-
-    getTest(`can access objects belonging to the current space (default)`, {
-      ...SPACES.DEFAULT,
-      tests: {
-        exists: {
-          statusCode: 200,
-          response: expectResults(SPACES.DEFAULT.spaceId),
-        },
-      }
-    });
-
-    getTest(`cannot access objects belonging to a different space (default)`, {
-      ...SPACES.DEFAULT,
-      otherSpaceId: SPACES.SPACE_1.spaceId,
-      tests: {
-        exists: {
-          statusCode: 404,
-          response: expectNotFound
-        },
-      }
-    });
-  });
-}
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/authentication.js b/x-pack/test/spaces_api_integration/apis/saved_objects/lib/authentication.js
deleted file mode 100644
index 8b140fd3b2a30c..00000000000000
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/authentication.js
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-export const AUTHENTICATION = {
-  NOT_A_KIBANA_USER: {
-    USERNAME: 'not_a_kibana_user',
-    PASSWORD: 'password'
-  },
-  SUPERUSER: {
-    USERNAME: 'elastic',
-    PASSWORD: 'changeme'
-  },
-  KIBANA_LEGACY_USER: {
-    USERNAME: 'a_kibana_legacy_user',
-    PASSWORD: 'password'
-  },
-  KIBANA_LEGACY_DASHBOARD_ONLY_USER: {
-    USERNAME: 'a_kibana_legacy_dashboard_only_user',
-    PASSWORD: 'password'
-  },
-  KIBANA_RBAC_USER: {
-    USERNAME: 'a_kibana_rbac_user',
-    PASSWORD: 'password'
-  },
-  KIBANA_RBAC_DASHBOARD_ONLY_USER: {
-    USERNAME: 'a_kibana_rbac_dashboard_only_user',
-    PASSWORD: 'password'
-  }
-};
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/update.js b/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
deleted file mode 100644
index 4bc938ba7a4999..00000000000000
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/update.js
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import expect from 'expect.js';
-import { SPACES } from './lib/spaces';
-import { getUrlPrefix, getIdPrefix } from './lib/space_test_utils';
-
-export default function ({ getService }) {
-  const supertest = getService('supertest');
-  const esArchiver = getService('esArchiver');
-
-  describe('update', () => {
-    const expectSpaceAwareResults = () => resp => {
-
-      // loose ISO8601 UTC time with milliseconds validation
-      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
-
-      expect(resp.body).to.eql({
-        id: resp.body.id,
-        type: 'visualization',
-        updated_at: resp.body.updated_at,
-        version: 2,
-        attributes: {
-          title: 'My second favorite vis'
-        }
-      });
-    };
-
-    const expectNonSpaceAwareResults = () => resp => {
-
-      // loose ISO8601 UTC time with milliseconds validation
-      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
-
-      expect(resp.body).to.eql({
-        id: resp.body.id,
-        type: 'space',
-        updated_at: resp.body.updated_at,
-        version: 2,
-        attributes: {
-          name: 'My second favorite space'
-        }
-      });
-    };
-
-    const expectNotFound = (type, id) => resp => {
-      expect(resp.body).eql({
-        statusCode: 404,
-        error: 'Not Found',
-        message: `Saved object [${type}/${id}] not found`
-      });
-    };
-
-    const updateTest = (description, { spaceId, tests }) => {
-      describe(description, () => {
-        before(() => esArchiver.load('saved_objects/spaces'));
-        after(() => esArchiver.unload('saved_objects/spaces'));
-        it(`should return ${tests.spaceAware.statusCode} for a space-aware doc`, async () => {
-          await supertest
-            .put(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`)
-            .send({
-              attributes: {
-                title: 'My second favorite vis'
-              }
-            })
-            .expect(tests.spaceAware.statusCode)
-            .then(tests.spaceAware.response());
-        });
-
-        it(`should return ${tests.notSpaceAware.statusCode} for a non space-aware doc`, async () => {
-          await supertest
-            .put(`${getUrlPrefix(spaceId)}/api/saved_objects/space/space_1`)
-            .send({
-              attributes: {
-                name: 'My second favorite space'
-              }
-            })
-            .expect(tests.notSpaceAware.statusCode)
-            .then(tests.notSpaceAware.response());
-        });
-
-        it(`should return ${tests.inOtherSpace.statusCode} for a doc in another space`, async () => {
-          const id = `${getIdPrefix('space_2')}dd7caf20-9efd-11e7-acb3-3dab96693fab`;
-          await supertest
-            .put(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${id}`)
-            .send({
-              attributes: {
-                title: 'My second favorite vis'
-              }
-            })
-            .expect(tests.inOtherSpace.statusCode)
-            .then(tests.inOtherSpace.response(`visualization`, `${id}`));
-        });
-
-        describe('unknown id', () => {
-          it(`should return ${tests.doesntExist.statusCode}`, async () => {
-            await supertest
-              .put(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization/not an id`)
-              .send({
-                attributes: {
-                  title: 'My second favorite vis'
-                }
-              })
-              .expect(tests.doesntExist.statusCode)
-              .then(tests.doesntExist.response(`visualization`, `not an id`));
-          });
-        });
-      });
-    };
-
-    updateTest(`in the default space`, {
-      ...SPACES.DEFAULT,
-      tests: {
-        spaceAware: {
-          statusCode: 200,
-          response: expectSpaceAwareResults,
-        },
-        notSpaceAware: {
-          statusCode: 200,
-          response: expectNonSpaceAwareResults,
-        },
-        inOtherSpace: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-
-    updateTest('in the current space (space_1)', {
-      ...SPACES.SPACE_1,
-      tests: {
-        spaceAware: {
-          statusCode: 200,
-          response: expectSpaceAwareResults,
-        },
-        notSpaceAware: {
-          statusCode: 200,
-          response: expectNonSpaceAwareResults,
-        },
-        inOtherSpace: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-        doesntExist: {
-          statusCode: 404,
-          response: expectNotFound,
-        },
-      }
-    });
-
-  });
-}
diff --git a/x-pack/test/spaces_api_integration/common/config.ts b/x-pack/test/spaces_api_integration/common/config.ts
new file mode 100644
index 00000000000000..ed0e45809d1b1e
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/common/config.ts
@@ -0,0 +1,73 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+// @ts-ignore
+import { resolveKibanaPath } from '@kbn/plugin-helpers';
+import path from 'path';
+import { TestInvoker } from './lib/types';
+// @ts-ignore
+import { EsProvider } from './services/es';
+
+interface CreateTestConfigOptions {
+  license: string;
+  disabledPlugins?: string[];
+}
+
+export function createTestConfig(name: string, options: CreateTestConfigOptions) {
+  const { license, disabledPlugins = [] } = options;
+
+  return async ({ readConfigFile }: TestInvoker) => {
+    const config = {
+      kibana: {
+        api: await readConfigFile(resolveKibanaPath('test/api_integration/config.js')),
+        functional: await readConfigFile(require.resolve('../../../../test/functional/config.js')),
+      },
+      xpack: {
+        api: await readConfigFile(require.resolve('../../api_integration/config.js')),
+      },
+    };
+
+    return {
+      testFiles: [require.resolve(`../${name}/apis/`)],
+      servers: config.xpack.api.get('servers'),
+      services: {
+        es: EsProvider,
+        esSupertestWithoutAuth: config.xpack.api.get('services.esSupertestWithoutAuth'),
+        supertest: config.kibana.api.get('services.supertest'),
+        supertestWithoutAuth: config.xpack.api.get('services.supertestWithoutAuth'),
+        esArchiver: config.kibana.functional.get('services.esArchiver'),
+        kibanaServer: config.kibana.functional.get('services.kibanaServer'),
+      },
+      junit: {
+        reportName: 'X-Pack Spaces API Integration Tests -- ' + name,
+      },
+
+      esArchiver: {
+        directory: path.join(__dirname, 'fixtures', 'es_archiver'),
+      },
+
+      esTestCluster: {
+        ...config.xpack.api.get('esTestCluster'),
+        license,
+        serverArgs: [
+          `xpack.license.self_generated.type=${license}`,
+          `xpack.security.enabled=${!disabledPlugins.includes('security') && license === 'trial'}`,
+        ],
+      },
+
+      kbnTestServer: {
+        ...config.xpack.api.get('kbnTestServer'),
+        serverArgs: [
+          ...config.xpack.api.get('kbnTestServer.serverArgs'),
+          '--optimize.enabled=false',
+          '--server.xsrf.disableProtection=true',
+          `--plugin-path=${path.join(__dirname, 'fixtures', 'namespace_agnostic_type_plugin')}`,
+          ...disabledPlugins.map(key => `--xpack.${key}.enabled=false`),
+        ],
+      },
+    };
+  };
+}
diff --git a/x-pack/test/spaces_api_integration/common/fixtures/es_archiver/saved_objects/spaces/data.json b/x-pack/test/spaces_api_integration/common/fixtures/es_archiver/saved_objects/spaces/data.json
new file mode 100644
index 00000000000000..383f7083ff0705
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/common/fixtures/es_archiver/saved_objects/spaces/data.json
@@ -0,0 +1,51 @@
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space:default",
+    "source": {
+      "type": "space",
+      "updated_at": "2017-09-21T18:49:16.270Z",
+      "space": {
+        "name": "Default Space",
+        "description": "This is the default space",
+        "_reserved": true
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space:space_1",
+    "source": {
+      "type": "space",
+      "updated_at": "2017-09-21T18:49:16.270Z",
+      "space": {
+        "name": "Space 1",
+        "description": "This is the first test space"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space:space_2",
+    "source": {
+      "type": "space",
+      "updated_at": "2017-09-21T18:49:16.270Z",
+      "space": {
+        "name": "Space 2",
+        "description": "This is the second test space"
+      }
+    }
+  }
+}
diff --git a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json b/x-pack/test/spaces_api_integration/common/fixtures/es_archiver/saved_objects/spaces/mappings.json
similarity index 100%
rename from x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/mappings.json
rename to x-pack/test/spaces_api_integration/common/fixtures/es_archiver/saved_objects/spaces/mappings.json
diff --git a/x-pack/test/spaces_api_integration/common/lib/authentication.ts b/x-pack/test/spaces_api_integration/common/lib/authentication.ts
new file mode 100644
index 00000000000000..20aa0b5e955e5e
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/common/lib/authentication.ts
@@ -0,0 +1,72 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const AUTHENTICATION = {
+  NOT_A_KIBANA_USER: {
+    USERNAME: 'not_a_kibana_user',
+    PASSWORD: 'password',
+  },
+  SUPERUSER: {
+    USERNAME: 'elastic',
+    PASSWORD: 'changeme',
+  },
+  KIBANA_LEGACY_USER: {
+    USERNAME: 'a_kibana_legacy_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_LEGACY_DASHBOARD_ONLY_USER: {
+    USERNAME: 'a_kibana_legacy_dashboard_only_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_DUAL_PRIVILEGES_USER: {
+    USERNAME: 'a_kibana_dual_privileges_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER: {
+    USERNAME: 'a_kibana_dual_privileges_dashboard_only_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_USER: {
+    USERNAME: 'a_kibana_rbac_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_DASHBOARD_ONLY_USER: {
+    USERNAME: 'a_kibana_rbac_dashboard_only_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_DEFAULT_SPACE_ALL_USER: {
+    USERNAME: 'a_kibana_rbac_default_space_all_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_DEFAULT_SPACE_READ_USER: {
+    USERNAME: 'a_kibana_rbac_default_space_read_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_SPACE_1_ALL_USER: {
+    USERNAME: 'a_kibana_rbac_space_1_all_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_SPACE_1_READ_USER: {
+    USERNAME: 'a_kibana_rbac_space_1_read_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_SPACE_2_ALL_USER: {
+    USERNAME: 'a_kibana_rbac_space_2_all_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_SPACE_2_READ_USER: {
+    USERNAME: 'a_kibana_rbac_space_2_read_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_SPACE_1_2_ALL_USER: {
+    USERNAME: 'a_kibana_rbac_space_1_2_all_user',
+    PASSWORD: 'password',
+  },
+  KIBANA_RBAC_SPACE_1_2_READ_USER: {
+    USERNAME: 'a_kibana_rbac_space_1_2_read_user',
+    PASSWORD: 'password',
+  },
+};
diff --git a/x-pack/test/spaces_api_integration/common/lib/create_users_and_roles.ts b/x-pack/test/spaces_api_integration/common/lib/create_users_and_roles.ts
new file mode 100644
index 00000000000000..d7e0f55e276197
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/common/lib/create_users_and_roles.ts
@@ -0,0 +1,287 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { SuperTest } from 'supertest';
+import { AUTHENTICATION } from './authentication';
+
+export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) => {
+  await supertest.put('/api/security/role/kibana_legacy_user').send({
+    elasticsearch: {
+      indices: [
+        {
+          names: ['.kibana'],
+          privileges: ['manage', 'read', 'index', 'delete'],
+        },
+      ],
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_legacy_dashboard_only_user').send({
+    elasticsearch: {
+      indices: [
+        {
+          names: ['.kibana'],
+          privileges: ['read', 'view_index_metadata'],
+        },
+      ],
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_dual_privileges_user').send({
+    elasticsearch: {
+      indices: [
+        {
+          names: ['.kibana'],
+          privileges: ['manage', 'read', 'index', 'delete'],
+        },
+      ],
+    },
+    kibana: {
+      global: ['all'],
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_dual_privileges_dashboard_only_user').send({
+    elasticsearch: {
+      indices: [
+        {
+          names: ['.kibana'],
+          privileges: ['read', 'view_index_metadata'],
+        },
+      ],
+    },
+    kibana: {
+      global: ['read'],
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_user').send({
+    kibana: {
+      global: ['all'],
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_dashboard_only_user').send({
+    kibana: {
+      global: ['read'],
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_default_space_all_user').send({
+    kibana: {
+      space: {
+        default: ['all'],
+      },
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_default_space_read_user').send({
+    kibana: {
+      space: {
+        default: ['read'],
+      },
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_space_1_all_user').send({
+    kibana: {
+      space: {
+        space_1: ['all'],
+      },
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_space_1_read_user').send({
+    kibana: {
+      space: {
+        space_1: ['read'],
+      },
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_space_2_all_user').send({
+    kibana: {
+      space: {
+        space_2: ['all'],
+      },
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_space_2_read_user').send({
+    kibana: {
+      space: {
+        space_2: ['read'],
+      },
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_space_1_2_all_user').send({
+    kibana: {
+      space: {
+        space_1: ['all'],
+        space_2: ['all'],
+      },
+    },
+  });
+
+  await supertest.put('/api/security/role/kibana_rbac_space_1_2_read_user').send({
+    kibana: {
+      space: {
+        space_1: ['read'],
+        space_2: ['read'],
+      },
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      roles: [],
+      full_name: 'not a kibana user',
+      email: 'not_a_kibana_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      roles: ['kibana_legacy_user'],
+      full_name: 'a kibana legacy user',
+      email: 'a_kibana_legacy_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      roles: ['kibana_legacy_dashboard_only_user'],
+      full_name: 'a kibana legacy dashboard only user',
+      email: 'a_kibana_legacy_dashboard_only_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      roles: ['kibana_dual_privileges_user'],
+      full_name: 'a kibana dual_privileges user',
+      email: 'a_kibana_dual_privileges_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      roles: ['kibana_dual_privileges_dashboard_only_user'],
+      full_name: 'a kibana dual_privileges dashboard only user',
+      email: 'a_kibana_dual_privileges_dashboard_only_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      roles: ['kibana_rbac_user'],
+      full_name: 'a kibana user',
+      email: 'a_kibana_rbac_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      roles: ['kibana_rbac_dashboard_only_user'],
+      full_name: 'a kibana dashboard only user',
+      email: 'a_kibana_rbac_dashboard_only_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
+      roles: ['kibana_rbac_default_space_all_user'],
+      full_name: 'a kibana default space all user',
+      email: 'a_kibana_rbac_default_space_all_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
+      roles: ['kibana_rbac_default_space_read_user'],
+      full_name: 'a kibana default space read-only user',
+      email: 'a_kibana_rbac_default_space_read_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
+      roles: ['kibana_rbac_space_1_all_user'],
+      full_name: 'a kibana rbac space 1 all user',
+      email: 'a_kibana_rbac_space_1_all_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
+      roles: ['kibana_rbac_space_1_read_user'],
+      full_name: 'a kibana rbac space 1 read-only user',
+      email: 'a_kibana_rbac_space_1_readonly_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_2_ALL_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_2_ALL_USER.PASSWORD,
+      roles: ['kibana_rbac_space_2_all_user'],
+      full_name: 'a kibana rbac space 2 all user',
+      email: 'a_kibana_rbac_space_2_all_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_2_READ_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_2_READ_USER.PASSWORD,
+      roles: ['kibana_rbac_space_2_read_user'],
+      full_name: 'a kibana rbac space 2 read-only user',
+      email: 'a_kibana_rbac_space_2_readonly_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_ALL_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_ALL_USER.PASSWORD,
+      roles: ['kibana_rbac_space_1_2_all_user'],
+      full_name: 'a kibana rbac space 1 and 2 all user',
+      email: 'a_kibana_rbac_space_1_2_all_user@elastic.co',
+    },
+  });
+
+  await es.shield.putUser({
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_READ_USER.USERNAME,
+    body: {
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_READ_USER.PASSWORD,
+      roles: ['kibana_rbac_space_1_2_read_user'],
+      full_name: 'a kibana rbac space 1 and 2 read-only user',
+      email: 'a_kibana_rbac_space_1_2_readonly_user@elastic.co',
+    },
+  });
+};
diff --git a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js b/x-pack/test/spaces_api_integration/common/lib/space_test_utils.ts
similarity index 68%
rename from x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
rename to x-pack/test/spaces_api_integration/common/lib/space_test_utils.ts
index 5d7f40f9c54b1b..f233bc1d11d7cc 100644
--- a/x-pack/test/spaces_api_integration/apis/saved_objects/lib/space_test_utils.js
+++ b/x-pack/test/spaces_api_integration/common/lib/space_test_utils.ts
@@ -4,12 +4,12 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { DEFAULT_SPACE_ID } from '../../../../../plugins/spaces/common/constants';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
 
-export function getUrlPrefix(spaceId) {
+export function getUrlPrefix(spaceId?: string) {
   return spaceId && spaceId !== DEFAULT_SPACE_ID ? `/s/${spaceId}` : ``;
 }
 
-export function getIdPrefix(spaceId) {
+export function getIdPrefix(spaceId?: string) {
   return spaceId === DEFAULT_SPACE_ID ? '' : `${spaceId}-`;
 }
diff --git a/x-pack/plugins/security/common/model/kibana_application_privilege.ts b/x-pack/test/spaces_api_integration/common/lib/spaces.ts
similarity index 61%
rename from x-pack/plugins/security/common/model/kibana_application_privilege.ts
rename to x-pack/test/spaces_api_integration/common/lib/spaces.ts
index 54350ec2abcef0..a9c552d4ccd789 100644
--- a/x-pack/plugins/security/common/model/kibana_application_privilege.ts
+++ b/x-pack/test/spaces_api_integration/common/lib/spaces.ts
@@ -4,8 +4,14 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { KibanaPrivilege } from './kibana_privilege';
-
-export interface KibanaApplicationPrivilege {
-  name: KibanaPrivilege;
-}
+export const SPACES = {
+  SPACE_1: {
+    spaceId: 'space_1',
+  },
+  SPACE_2: {
+    spaceId: 'space_2',
+  },
+  DEFAULT: {
+    spaceId: 'default',
+  },
+};
diff --git a/x-pack/test/spaces_api_integration/common/lib/types.ts b/x-pack/test/spaces_api_integration/common/lib/types.ts
new file mode 100644
index 00000000000000..f149ad02cc1f73
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/common/lib/types.ts
@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export type DescribeFn = (text: string, fn: () => void) => void;
+
+export interface TestDefinitionAuthentication {
+  username?: string;
+  password?: string;
+}
+export type LoadTestFileFn = (path: string) => string;
+
+export type GetServiceFn = (service: string) => any;
+
+export type ReadConfigFileFn = (path: string) => any;
+
+export interface TestInvoker {
+  getService: GetServiceFn;
+  loadTestFile: LoadTestFileFn;
+  readConfigFile: ReadConfigFileFn;
+}
diff --git a/x-pack/test/rbac_api_integration/services/es.js b/x-pack/test/spaces_api_integration/common/services/es.js
similarity index 89%
rename from x-pack/test/rbac_api_integration/services/es.js
rename to x-pack/test/spaces_api_integration/common/services/es.js
index 420541fa7ec5f6..c4fa7c504e12cd 100644
--- a/x-pack/test/rbac_api_integration/services/es.js
+++ b/x-pack/test/spaces_api_integration/common/services/es.js
@@ -7,7 +7,7 @@
 import { format as formatUrl } from 'url';
 
 import elasticsearch from 'elasticsearch';
-import shieldPlugin from '../../../server/lib/esjs_shield_plugin';
+import shieldPlugin from '../../../../server/lib/esjs_shield_plugin';
 
 export function EsProvider({ getService }) {
   const config = getService('config');
diff --git a/x-pack/test/spaces_api_integration/common/suites/create.ts b/x-pack/test/spaces_api_integration/common/suites/create.ts
new file mode 100644
index 00000000000000..54f20c93d03525
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/common/suites/create.ts
@@ -0,0 +1,140 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { SuperTest } from 'supertest';
+import { getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface CreateTest {
+  statusCode: number;
+  response: (resp: any) => void;
+}
+
+interface CreateTests {
+  newSpace: CreateTest;
+  alreadyExists: CreateTest;
+  reservedSpecified: CreateTest;
+}
+
+interface CreateTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  spaceId: string;
+  tests: CreateTests;
+}
+
+export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const makeCreateTest = (describeFn: DescribeFn) => (
+    description: string,
+    { auth = {}, spaceId, tests }: CreateTestDefinition
+  ) => {
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.newSpace.statusCode}`, async () => {
+        return supertest
+          .post(`${getUrlPrefix(spaceId)}/api/spaces/space`)
+          .auth(auth.username, auth.password)
+          .send({
+            name: 'marketing',
+            id: 'marketing',
+            description: 'a description',
+            color: '#5c5959',
+          })
+          .expect(tests.newSpace.statusCode)
+          .then(tests.newSpace.response);
+      });
+
+      describe('when it already exists', () => {
+        it(`should return ${tests.alreadyExists.statusCode}`, async () => {
+          return supertest
+            .post(`${getUrlPrefix(spaceId)}/api/spaces/space`)
+            .auth(auth.username, auth.password)
+            .send({
+              name: 'space_1',
+              id: 'space_1',
+              color: '#ffffff',
+              description: 'a description',
+            })
+            .expect(tests.alreadyExists.statusCode)
+            .then(tests.alreadyExists.response);
+        });
+      });
+
+      describe('when _reserved is specified', () => {
+        it(`should return ${tests.reservedSpecified.statusCode} and ignore _reserved`, async () => {
+          return supertest
+            .post(`${getUrlPrefix(spaceId)}/api/spaces/space`)
+            .auth(auth.username, auth.password)
+            .send({
+              name: 'reserved space',
+              id: 'reserved',
+              description: 'a description',
+              color: '#5c5959',
+              _reserved: true,
+            })
+            .expect(tests.reservedSpecified.statusCode)
+            .then(tests.reservedSpecified.response);
+        });
+      });
+    });
+  };
+
+  const createTest = makeCreateTest(describe);
+  // @ts-ignore
+  createTest.only = makeCreateTest(describe.only);
+
+  const expectConflictResponse = (resp: any) => {
+    expect(resp.body).to.only.have.keys(['error', 'message', 'statusCode']);
+    expect(resp.body.error).to.equal('Conflict');
+    expect(resp.body.statusCode).to.equal(409);
+    expect(resp.body.message).to.match(new RegExp(`A space with the identifier .*`));
+  };
+
+  const expectRbacForbiddenResponse = (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: 'Unauthorized to create spaces',
+    });
+  };
+
+  const createExpectLegacyForbiddenResponse = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `action [indices:data/write/index] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/index] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const expectNewSpaceResult = (resp: any) => {
+    expect(resp.body).to.eql({
+      name: 'marketing',
+      id: 'marketing',
+      description: 'a description',
+      color: '#5c5959',
+    });
+  };
+
+  const expectReservedSpecifiedResult = (resp: any) => {
+    expect(resp.body).to.eql({
+      name: 'reserved space',
+      id: 'reserved',
+      description: 'a description',
+      color: '#5c5959',
+    });
+  };
+
+  return {
+    createTest,
+    expectNewSpaceResult,
+    expectReservedSpecifiedResult,
+    expectConflictResponse,
+    expectRbacForbiddenResponse,
+    createExpectLegacyForbiddenResponse,
+  };
+}
diff --git a/x-pack/test/spaces_api_integration/common/suites/delete.ts b/x-pack/test/spaces_api_integration/common/suites/delete.ts
new file mode 100644
index 00000000000000..d35fe5aa8470a1
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/common/suites/delete.ts
@@ -0,0 +1,119 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+import { SuperTest } from 'supertest';
+import { getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface DeleteTest {
+  statusCode: number;
+  response: (resp: any) => void;
+}
+
+interface DeleteTests {
+  exists: DeleteTest;
+  reservedSpace: DeleteTest;
+  doesntExist: DeleteTest;
+}
+
+interface DeleteTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  spaceId: string;
+  tests: DeleteTests;
+}
+
+export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const makeDeleteTest = (describeFn: DescribeFn) => (
+    description: string,
+    { auth = {}, spaceId, tests }: DeleteTestDefinition
+  ) => {
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.exists.statusCode}`, async () => {
+        return supertest
+          .delete(`${getUrlPrefix(spaceId)}/api/spaces/space/space_2`)
+          .auth(auth.username, auth.password)
+          .expect(tests.exists.statusCode)
+          .then(tests.exists.response);
+      });
+
+      describe(`when the space is reserved`, async () => {
+        it(`should return ${tests.reservedSpace.statusCode}`, async () => {
+          return supertest
+            .delete(`${getUrlPrefix(spaceId)}/api/spaces/space/default`)
+            .auth(auth.username, auth.password)
+            .expect(tests.reservedSpace.statusCode)
+            .then(tests.reservedSpace.response);
+        });
+      });
+
+      describe(`when the space doesn't exist`, () => {
+        it(`should return ${tests.doesntExist.statusCode}`, async () => {
+          return supertest
+            .delete(`${getUrlPrefix(spaceId)}/api/spaces/space/space_3`)
+            .auth(auth.username, auth.password)
+            .expect(tests.doesntExist.statusCode)
+            .then(tests.doesntExist.response);
+        });
+      });
+    });
+  };
+
+  const deleteTest = makeDeleteTest(describe);
+  // @ts-ignore
+  deleteTest.only = makeDeleteTest(describe.only);
+
+  const createExpectResult = (expectedResult: any) => (resp: any) => {
+    expect(resp.body).to.eql(expectedResult);
+  };
+
+  const expectEmptyResult = (resp: any) => {
+    expect(resp.body).to.eql('');
+  };
+
+  const expectNotFoundResult = (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Not Found',
+      statusCode: 404,
+    });
+  };
+
+  const expectReservedSpaceResult = (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Bad Request',
+      statusCode: 400,
+      message: `This Space cannot be deleted because it is reserved.`,
+    });
+  };
+
+  const expectRbacForbidden = (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: 'Unauthorized to delete spaces',
+    });
+  };
+
+  const createExpectLegacyForbidden = (username: string, action: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `action [indices:data/${action}] is unauthorized for user [${username}]: [security_exception] action [indices:data/${action}] is unauthorized for user [${username}]`,
+    });
+  };
+
+  return {
+    deleteTest,
+    createExpectLegacyForbidden,
+    createExpectResult,
+    expectRbacForbidden,
+    expectEmptyResult,
+    expectNotFoundResult,
+    expectReservedSpaceResult,
+  };
+}
diff --git a/x-pack/test/spaces_api_integration/common/suites/get.ts b/x-pack/test/spaces_api_integration/common/suites/get.ts
new file mode 100644
index 00000000000000..fcb0d90d1de204
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/common/suites/get.ts
@@ -0,0 +1,110 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+import { SuperAgent } from 'superagent';
+import { getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface GetTest {
+  statusCode: number;
+  response: (resp: any) => void;
+}
+
+interface GetTests {
+  default: GetTest;
+}
+
+interface GetTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  currentSpaceId: string;
+  spaceId: string;
+  tests: GetTests;
+}
+
+export function getTestSuiteFactory(esArchiver: any, supertest: SuperAgent<any>) {
+  const nonExistantSpaceId = 'not-a-space';
+
+  const makeGetTest = (describeFn: DescribeFn) => (
+    description: string,
+    { auth = {}, currentSpaceId, spaceId, tests }: GetTestDefinition
+  ) => {
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.default.statusCode}`, async () => {
+        return supertest
+          .get(`${getUrlPrefix(currentSpaceId)}/api/spaces/space/${spaceId}`)
+          .auth(auth.username, auth.password)
+          .expect(tests.default.statusCode)
+          .then(tests.default.response);
+      });
+    });
+  };
+
+  const getTest = makeGetTest(describe);
+  // @ts-ignore
+  getTest.only = makeGetTest(describe);
+
+  const createExpectResults = (spaceId: string) => (resp: any) => {
+    const allSpaces = [
+      {
+        id: 'default',
+        name: 'Default Space',
+        description: 'This is the default space',
+        _reserved: true,
+      },
+      {
+        id: 'space_1',
+        name: 'Space 1',
+        description: 'This is the first test space',
+      },
+      {
+        id: 'space_2',
+        name: 'Space 2',
+        description: 'This is the second test space',
+      },
+    ];
+    expect(resp.body).to.eql(allSpaces.find(space => space.id === spaceId));
+  };
+
+  const createExpectEmptyResult = () => (resp: any) => {
+    expect(resp.body).to.eql('');
+  };
+
+  const createExpectNotFoundResult = () => (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Not Found',
+      statusCode: 404,
+    });
+  };
+
+  const createExpectRbacForbidden = (spaceId: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unauthorized to get ${spaceId} space`,
+    });
+  };
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `action [indices:data/read/get] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/get] is unauthorized for user [${username}]`,
+    });
+  };
+
+  return {
+    getTest,
+    nonExistantSpaceId,
+    createExpectResults,
+    createExpectRbacForbidden,
+    createExpectEmptyResult,
+    createExpectNotFoundResult,
+    createExpectLegacyForbidden,
+  };
+}
diff --git a/x-pack/test/spaces_api_integration/common/suites/get_all.ts b/x-pack/test/spaces_api_integration/common/suites/get_all.ts
new file mode 100644
index 00000000000000..9437414cc8b5c3
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/common/suites/get_all.ts
@@ -0,0 +1,89 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+import { SuperTest } from 'supertest';
+import { getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface GetAllTest {
+  statusCode: number;
+  response: (resp: any) => void;
+}
+
+interface GetAllTests {
+  exists: GetAllTest;
+}
+
+interface GetAllTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  spaceId: string;
+  tests: GetAllTests;
+}
+
+export function getAllTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const makeGetAllTest = (describeFn: DescribeFn) => (
+    description: string,
+    { auth = {}, spaceId, tests }: GetAllTestDefinition
+  ) => {
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.exists.statusCode}`, async () => {
+        return supertest
+          .get(`${getUrlPrefix(spaceId)}/api/spaces/space`)
+          .auth(auth.username, auth.password)
+          .expect(tests.exists.statusCode)
+          .then(tests.exists.response);
+      });
+    });
+  };
+
+  const getAllTest = makeGetAllTest(describe);
+  // @ts-ignore
+  getAllTest.only = makeGetAllTest(describe.only);
+
+  const createExpectResults = (...spaceIds: string[]) => (resp: any) => {
+    const expectedBody = [
+      {
+        id: 'default',
+        name: 'Default Space',
+        description: 'This is the default space',
+        _reserved: true,
+      },
+      {
+        id: 'space_1',
+        name: 'Space 1',
+        description: 'This is the first test space',
+      },
+      {
+        id: 'space_2',
+        name: 'Space 2',
+        description: 'This is the second test space',
+      },
+    ].filter(entry => spaceIds.includes(entry.id));
+    expect(resp.body).to.eql(expectedBody);
+  };
+
+  const expectEmptyResult = (resp: any) => {
+    expect(resp.body).to.eql('');
+  };
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `action [indices:data/read/search] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/search] is unauthorized for user [${username}]`,
+    });
+  };
+
+  return {
+    getAllTest,
+    createExpectResults,
+    createExpectLegacyForbidden,
+    expectEmptyResult,
+  };
+}
diff --git a/x-pack/test/spaces_api_integration/common/suites/select.ts b/x-pack/test/spaces_api_integration/common/suites/select.ts
new file mode 100644
index 00000000000000..b2f86a77f78652
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/common/suites/select.ts
@@ -0,0 +1,129 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { SuperTest } from 'supertest';
+import { DEFAULT_SPACE_ID } from '../../../../plugins/spaces/common/constants';
+import { getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface SelectTest {
+  statusCode: number;
+  response: (resp: any) => void;
+}
+
+interface SelectTests {
+  default: SelectTest;
+}
+
+interface SelectTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  currentSpaceId: string;
+  spaceId: string;
+  tests: SelectTests;
+}
+
+export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const nonExistantSpaceId = 'not-a-space';
+
+  const makeSelectTest = (describeFn: DescribeFn) => (
+    description: string,
+    { auth = {}, currentSpaceId, spaceId, tests }: SelectTestDefinition
+  ) => {
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.default.statusCode}`, async () => {
+        return supertest
+          .post(`${getUrlPrefix(currentSpaceId)}/api/spaces/v1/space/${spaceId}/select`)
+          .auth(auth.username, auth.password)
+          .expect(tests.default.statusCode)
+          .then(tests.default.response);
+      });
+    });
+  };
+
+  const selectTest = makeSelectTest(describe);
+  // @ts-ignore
+  selectTest.only = makeSelectTest(describe.only);
+
+  const createExpectResults = (spaceId: string) => (resp: any) => {
+    const allSpaces = [
+      {
+        id: 'default',
+        name: 'Default Space',
+        description: 'This is the default space',
+        _reserved: true,
+      },
+      {
+        id: 'space_1',
+        name: 'Space 1',
+        description: 'This is the first test space',
+      },
+      {
+        id: 'space_2',
+        name: 'Space 2',
+        description: 'This is the second test space',
+      },
+    ];
+    expect(resp.body).to.eql(allSpaces.find(space => space.id === spaceId));
+  };
+
+  const createExpectEmptyResult = () => (resp: any) => {
+    expect(resp.body).to.eql('');
+  };
+
+  const createExpectNotFoundResult = () => (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Not Found',
+      statusCode: 404,
+    });
+  };
+  const createExpectRbacForbidden = (spaceId: any) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unauthorized to get ${spaceId} space`,
+    });
+  };
+
+  const expectDefaultSpaceResponse = (resp: any) => {
+    expect(resp.body).to.eql({
+      location: `/app/kibana`,
+    });
+  };
+
+  const createExpectSpaceResponse = (spaceId: string) => (resp: any) => {
+    if (spaceId === DEFAULT_SPACE_ID) {
+      expectDefaultSpaceResponse(resp);
+    } else {
+      expect(resp.body).to.eql({
+        location: `/s/${spaceId}/app/kibana`,
+      });
+    }
+  };
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `action [indices:data/read/get] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/get] is unauthorized for user [${username}]`,
+    });
+  };
+
+  return {
+    selectTest,
+    nonExistantSpaceId,
+    expectDefaultSpaceResponse,
+    createExpectSpaceResponse,
+    createExpectResults,
+    createExpectRbacForbidden,
+    createExpectEmptyResult,
+    createExpectNotFoundResult,
+    createExpectLegacyForbidden,
+  };
+}
diff --git a/x-pack/test/spaces_api_integration/common/suites/update.ts b/x-pack/test/spaces_api_integration/common/suites/update.ts
new file mode 100644
index 00000000000000..d18f5b1da94128
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/common/suites/update.ts
@@ -0,0 +1,143 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+import { SuperTest } from 'supertest';
+import { getUrlPrefix } from '../lib/space_test_utils';
+import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
+
+interface UpdateTest {
+  statusCode: number;
+  response: (resp: any) => void;
+}
+
+interface UpdateTests {
+  alreadyExists: UpdateTest;
+  defaultSpace: UpdateTest;
+  newSpace: UpdateTest;
+}
+
+interface UpdateTestDefinition {
+  auth?: TestDefinitionAuthentication;
+  spaceId: string;
+  tests: UpdateTests;
+}
+
+export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const makeUpdateTest = (describeFn: DescribeFn) => (
+    description: string,
+    { auth = {}, spaceId, tests }: UpdateTestDefinition
+  ) => {
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.alreadyExists.statusCode}`, async () => {
+        return supertest
+          .put(`${getUrlPrefix(spaceId)}/api/spaces/space/space_1`)
+          .auth(auth.username, auth.password)
+          .send({
+            name: 'space 1',
+            id: 'space_1',
+            description: 'a description',
+            color: '#5c5959',
+            _reserved: true,
+          })
+          .expect(tests.alreadyExists.statusCode)
+          .then(tests.alreadyExists.response);
+      });
+
+      describe(`default space`, () => {
+        it(`should return ${tests.defaultSpace.statusCode}`, async () => {
+          return supertest
+            .put(`${getUrlPrefix(spaceId)}/api/spaces/space/default`)
+            .auth(auth.username, auth.password)
+            .send({
+              name: 'the new default',
+              id: 'default',
+              description: 'a description',
+              color: '#ffffff',
+              _reserved: false,
+            })
+            .expect(tests.defaultSpace.statusCode)
+            .then(tests.defaultSpace.response);
+        });
+      });
+
+      describe(`when space doesn't exist`, () => {
+        it(`should return ${tests.newSpace.statusCode}`, async () => {
+          return supertest
+            .put(`${getUrlPrefix(spaceId)}/api/spaces/space/marketing`)
+            .auth(auth.username, auth.password)
+            .send({
+              name: 'marketing',
+              id: 'marketing',
+              description: 'a description',
+              color: '#5c5959',
+            })
+            .expect(tests.newSpace.statusCode)
+            .then(tests.newSpace.response);
+        });
+      });
+    });
+  };
+
+  const updateTest = makeUpdateTest(describe);
+  // @ts-ignore
+  updateTest.only = makeUpdateTest(describe.only);
+
+  const createExpectNotFoundResult = (spaceId: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Not Found',
+      statusCode: 404,
+    });
+  };
+
+  const expectRbacForbidden = (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: 'Unauthorized to update spaces',
+    });
+  };
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `action [indices:data/write/update] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/update] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const expectNewSpaceNotFound = createExpectNotFoundResult('marketing');
+
+  const expectDefaultSpaceResult = (resp: any) => {
+    expect(resp.body).to.eql({
+      name: 'the new default',
+      id: 'default',
+      description: 'a description',
+      color: '#ffffff',
+      _reserved: true,
+    });
+  };
+
+  const expectAlreadyExistsResult = (resp: any) => {
+    expect(resp.body).to.eql({
+      name: 'space 1',
+      id: 'space_1',
+      description: 'a description',
+      color: '#5c5959',
+    });
+  };
+
+  return {
+    updateTest,
+    expectNewSpaceNotFound,
+    expectRbacForbidden,
+    createExpectLegacyForbidden,
+    expectAlreadyExistsResult,
+    expectDefaultSpaceResult,
+  };
+}
diff --git a/x-pack/test/spaces_api_integration/config.js b/x-pack/test/spaces_api_integration/config.js
deleted file mode 100644
index d93381cbd76db9..00000000000000
--- a/x-pack/test/spaces_api_integration/config.js
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import path from 'path';
-import { resolveKibanaPath } from '@kbn/plugin-helpers';
-
-export default async function ({ readConfigFile }) {
-
-  const config = {
-    kibana: {
-      api: await readConfigFile(resolveKibanaPath('test/api_integration/config.js')),
-      common: await readConfigFile(require.resolve('../../../test/common/config.js')),
-      functional: await readConfigFile(require.resolve('../../../test/functional/config.js'))
-    },
-    xpack: {
-      api: await readConfigFile(require.resolve('../api_integration/config.js')),
-      functional: await readConfigFile(require.resolve('../functional/config.js'))
-    }
-  };
-
-  return {
-    testFiles: [require.resolve('./apis')],
-    servers: config.xpack.api.get('servers'),
-    services: {
-      es: config.kibana.common.get('services.es'),
-      supertest: config.kibana.api.get('services.supertest'),
-      supertestWithoutAuth: config.xpack.api.get('services.supertestWithoutAuth'),
-      esArchiver: config.kibana.functional.get('services.esArchiver'),
-    },
-    junit: {
-      reportName: 'X-Pack Spaces API Integration Tests',
-    },
-
-    esArchiver: {
-      directory: path.join(__dirname, 'fixtures', 'es_archiver')
-    },
-
-    esTestCluster: {
-      ...config.xpack.api.get('esTestCluster'),
-      serverArgs: [
-        ...config.xpack.api.get('esTestCluster.serverArgs'),
-      ],
-    },
-
-    kbnTestServer: {
-      ...config.xpack.api.get('kbnTestServer'),
-      serverArgs: [
-        ...config.xpack.api.get('kbnTestServer.serverArgs'),
-        '--optimize.enabled=false',
-        '--server.xsrf.disableProtection=true',
-      ],
-    },
-  };
-}
diff --git a/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/data.json.gz b/x-pack/test/spaces_api_integration/fixtures/es_archiver/saved_objects/spaces/data.json.gz
deleted file mode 100644
index a795be4f88ea3c0783f7268adf701f995cce6529..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 2469
zcmYL_dpr|t8^`B3(jLM~&SAqaVOdkoS!^gq)Psc4>l|~)xlk=<Ysw+zH0Q?5GmUyA
z=i?j~DUuvUsOUiG9etkn`R8}v_w~E(>-v4Z3Mm2t&MWcG03MussJoUgJ}3~d>f#qP
zhmhEP<mO&FBSBT{$wdyA)9w2`BsR>%LT?7}^TS3&Bf!H}*vJ!~;*X=zbX>G-Gj(od
zjgLQ<a9mFQ%XFV*(;~ZcRDV1}EL=MLTqWTg)4x>?E#&+Kr_~Q(LZj<IQ8PaXAKLZ)
z9A+ZObQ2rPcC+5jQp+$`vbkc(Rz=z#C33u9Tv7~kqU20*fY-aNL`uXsXh-Iku0hM8
z-IUAPpZ4HEZsCtJ{E|b6jI4O5VkpHqLK~!JpY=g(02Mg(7VHw%Z(LA!j<2~y;^$$A
zz4f%tX%tMzaoqa+^5fBa?4F)cd8shtJ9~;!Vb<Y0AcicyGSmWoVKh>0Frf`E;oqI>
zk=4yEvc$_Zi52VJi@ZJ$d}Luz8{N^_u=3M?2r^tTvudx~)b#Y}az@Wmq_?x@UfAua
zwuT&*OZl2(B_UfyoxNAmLtl`J?z)6AzM%1?1f~O`p=py72s`@T_j2dPsK)ZyRdz;M
zr4p5aY!1VRkTF(|x+t2WD2h$d)wtsivhDEtDwQ5|!VxJ5j`TX66`Z3h+C}UzcOr+`
z_XxzQqQ0dN;%GvZ%T4S_b#p`X+IK>gx+`C=Bkalu*zty1{k1Ef?SmKyB|n}!FW?_G
zwa02M))c`5kk=f*9}*agD1=9dA2MvV53y0V`6R%6;3bcVdNAOU&YaNdZXr?u2qbPu
z8Tyum*B3<qR4|O9JI8;tE^lX3>wp6xUgzAeA()3nOF`oB;gqCI(jv}BBe!?f{8KNt
z@Qwb5W#4^vo#*Uyx%q*jXYTrV1%j69E-EMBg6~eOBnR|mn)2K&=xAG+EuQ>4gW{}3
zO62h+o3w9{7H0tZvOwU7x)&I8eK3k!1dX>A$t8jl-zVta7u*s6rl}ah3wdcC5}7z?
za3dG38CGScGl>`O=?l634qJa{YBu~8IQPZtHDX#W?g}FMFXl|L%hXj7b6<I~W<T$|
z=it(i(XFJ<fG?*lRXfz?)%E!+l2OuQC5c~=im2iBW8+|cW?8F14*JNQw1|`|J^pP;
z1FB4u=Q}_Dc%l4G+xlpRn8|rP)|>(V*>(MK!5A|+>xme3%A^Pj8UwPNaA{)d9NSm|
za4%kKS$A?fS9FsvztyZPQ}Dzmz()BxV|P$JmB70>gadUezx#6Zj|Gi7c`jOA#uAKV
z@uJMo>xSxRf&sUdyTYwM)wpPa`lQ5^xnCOJep0(wq539uNUT_vhHdyIrG$2(l@Vam
z=xIC8-J-Twp5|0OQVQ>an2;P-RQ_fmKq{LH|1NubyK2iOtGmnK51?V~Vi@`qx|^RJ
z>Qx?~`(XR>P`69fb|d!wS-$h^awRzV!J=fMV_=SzNsQb1fD&-cs}G;js}o9hggt(p
zIt-OF$H_j^wy4ot@V0LG+*UXv<5F-kCs3Gn%Hrdbw<B^oYYwVn<NaK49v45n)zr`g
zIxOZSf;v_mpxgd2$Vpd`hzrLXKdDM1?}iMsPzx&5%nXI=MvXRpcH6^mhY?3AGbz7>
zQ*-OtoBq@5<-k`1-c<}m(9268C)XBG?b-!1@r4Z4?;<b9Qj=K4J0vvZeOzE2{FwdK
z?b5S)GH|`_RVO355k&dEBP~$abFWW%(dW#}hW}LFXgPbcni1L@9EoVj?x0on8?b-~
zR(07@=cPw(zIiRU@Ul~44Vrzo`YpHLq>_i`W1cW&HyoyF&v>si-xl7`h#uN_>+Q5t
zjjt!dzmlgfwlLS1ZhOv5-i1$K?kzcgUA?EHik<GWDU77iq`t@LqkOp&ryd!@W0@EC
zI^yPPrDdf>f*7e-mf8uMoQH&lhaM?i%~9wFk`n{>Y@?LTm$7HOTa!kFHNEu<B*|;r
zR`{&>o#({^^)&D}Pu@y~d0c*NYr|nXp{XZttTh`=tAlG9Tmwj~-AmmN=U5d;WW$wj
z_L5hs-4n0g{%blQ=NcL15^p<k)QyU)7R%3z>wr`>NeErKmA-QttEB;LQ1iU*-pQOk
zxsvdO?B2Oi6ujPcs`uyB3wwfkMiIC}K6+&KE1yv-i8uN^@viZE4*D3qNKNX6=D@hl
z?vxWSkYWL>HMB`Zs%btw*TIWAqXwHB(_?sUZY;HEjws}+z=DE2(@y8PG!sSvf5z4Z
zASb|-Q}?|Q9}(G~_v-Wfc2`y_{T>hvwB96IHm|1;<_CQq58B$e!7=v5#H?e)+sZ73
z&7bWyq}_P|Lz$qqB?AHG^J%YZ!-T;NMMsMTHz(c?Nq+gn)d0Gi3i#w@#^u08=$3;2
ze<gR`*EH2>up%V9UjJQ7Pn<af8L&4W)d>t?Ri+R4=v9QKzdqUZhTnSjMRg~=wA144
z(YD8Ov#(xHZAQva(`TK|lx5b8R9~!kb|kzaf*3)WES+-;@85pT{$YCb;ho*SL1W|T
z(C0T7Ve`ZJ@Mo((g3k7(OL}!36PV#GGQK!zS5L*MSGo=rS7IqD(8z|iIQa}2xwpv@
zy@Q3Rj|cKzn>=I0u6A4a`@Od^QquXX_LmM@b#YU@)(z&cdxv>*#|)w*O3#+B8qreg
z0Lqy9x~7fNe+Vv{7RvMfU)pu0#}Z8p1;!F5l+RZHZ$^nUCnQCQQ~*C?!)=ARzaFET
za%vSos&m=F^Is{<fi0Up<Id-JJi2!KtuL^5_glH{*>I+TGKMx3?1VjlhZA};%?t^K
zb%ZF9=#ow3xy6Gub&RA~aZddKUO+3oWIxfz1js*83^}2Yh4SVFpfC|v!q+XEc=$LW
zk4=v<FNomBpgeY)3Ojjyt^bvs$9~phI<XWzyDq$Tp4f_~zB<-H+b)ayKhQ_tm7>Fx
zTQTTlz%wxF22s3^dBm2;4S`-x211|*w{LSX2d6FZ{nt!WQ5O^RAyVmtpp_c>CQ*Fq
zxHtw|W6rs$q4z25fBjcD6fjs01&+s|u<vmw?6-0#aAt5Q*lXJn_bFgT%+Sdk3PkbW
z6b^>}rhrcVO##e@!Ez{&N`D71lqQuTpMp_<v&7=8naxI0semH}%li%jm0n5M-*J%X
hAJHm1&M^x)CRG*!RnIxFnNeBBT)7RDf!1CC;D33)r1$^;

diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts
new file mode 100644
index 00000000000000..760fd1d6cd9b4b
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts
@@ -0,0 +1,252 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { createTestSuiteFactory } from '../../common/suites/create';
+
+// tslint:disable:no-default-export
+export default function createSpacesOnlySuite({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    createTest,
+    expectNewSpaceResult,
+    expectReservedSpecifiedResult,
+    expectConflictResponse,
+    expectRbacForbiddenResponse,
+    createExpectLegacyForbiddenResponse,
+  } = createTestSuiteFactory(esArchiver, supertestWithoutAuth);
+
+  describe('create', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+      },
+    ].forEach(scenario => {
+      createTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.notAKibanaUser.USERNAME,
+          password: scenario.notAKibanaUser.PASSWORD,
+        },
+        tests: {
+          newSpace: {
+            statusCode: 403,
+            response: createExpectLegacyForbiddenResponse(scenario.notAKibanaUser.USERNAME),
+          },
+          alreadyExists: {
+            statusCode: 403,
+            response: createExpectLegacyForbiddenResponse(scenario.notAKibanaUser.USERNAME),
+          },
+          reservedSpecified: {
+            statusCode: 403,
+            response: createExpectLegacyForbiddenResponse(scenario.notAKibanaUser.USERNAME),
+          },
+        },
+      });
+
+      createTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.superuser.USERNAME,
+          password: scenario.superuser.PASSWORD,
+        },
+        tests: {
+          newSpace: {
+            statusCode: 200,
+            response: expectNewSpaceResult,
+          },
+          alreadyExists: {
+            statusCode: 409,
+            response: expectConflictResponse,
+          },
+          reservedSpecified: {
+            statusCode: 200,
+            response: expectReservedSpecifiedResult,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithAllGlobally.USERNAME,
+          password: scenario.userWithAllGlobally.PASSWORD,
+        },
+        tests: {
+          newSpace: {
+            statusCode: 200,
+            response: expectNewSpaceResult,
+          },
+          alreadyExists: {
+            statusCode: 409,
+            response: expectConflictResponse,
+          },
+          reservedSpecified: {
+            statusCode: 200,
+            response: expectReservedSpecifiedResult,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithDualAll.USERNAME,
+          password: scenario.userWithDualAll.PASSWORD,
+        },
+        tests: {
+          newSpace: {
+            statusCode: 200,
+            response: expectNewSpaceResult,
+          },
+          alreadyExists: {
+            statusCode: 409,
+            response: expectConflictResponse,
+          },
+          reservedSpecified: {
+            statusCode: 200,
+            response: expectReservedSpecifiedResult,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithLegacyAll.USERNAME,
+          password: scenario.userWithLegacyAll.PASSWORD,
+        },
+        tests: {
+          newSpace: {
+            statusCode: 200,
+            response: expectNewSpaceResult,
+          },
+          alreadyExists: {
+            statusCode: 409,
+            response: expectConflictResponse,
+          },
+          reservedSpecified: {
+            statusCode: 200,
+            response: expectReservedSpecifiedResult,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithReadGlobally.USERNAME,
+          password: scenario.userWithReadGlobally.PASSWORD,
+        },
+        tests: {
+          newSpace: {
+            statusCode: 403,
+            response: expectRbacForbiddenResponse,
+          },
+          alreadyExists: {
+            statusCode: 403,
+            response: expectRbacForbiddenResponse,
+          },
+          reservedSpecified: {
+            statusCode: 403,
+            response: expectRbacForbiddenResponse,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithDualRead.USERNAME,
+          password: scenario.userWithDualRead.PASSWORD,
+        },
+        tests: {
+          newSpace: {
+            statusCode: 403,
+            response: expectRbacForbiddenResponse,
+          },
+          alreadyExists: {
+            statusCode: 403,
+            response: expectRbacForbiddenResponse,
+          },
+          reservedSpecified: {
+            statusCode: 403,
+            response: expectRbacForbiddenResponse,
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithLegacyRead.USERNAME,
+          password: scenario.userWithLegacyRead.PASSWORD,
+        },
+        tests: {
+          newSpace: {
+            statusCode: 403,
+            response: createExpectLegacyForbiddenResponse(scenario.userWithLegacyRead.USERNAME),
+          },
+          alreadyExists: {
+            statusCode: 403,
+            response: createExpectLegacyForbiddenResponse(scenario.userWithLegacyRead.USERNAME),
+          },
+          reservedSpecified: {
+            statusCode: 403,
+            response: createExpectLegacyForbiddenResponse(scenario.userWithLegacyRead.USERNAME),
+          },
+        },
+      });
+
+      createTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithAllAtSpace.USERNAME,
+          password: scenario.userWithAllAtSpace.PASSWORD,
+        },
+        tests: {
+          newSpace: {
+            statusCode: 403,
+            response: expectRbacForbiddenResponse,
+          },
+          alreadyExists: {
+            statusCode: 403,
+            response: expectRbacForbiddenResponse,
+          },
+          reservedSpecified: {
+            statusCode: 403,
+            response: expectRbacForbiddenResponse,
+          },
+        },
+      });
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
new file mode 100644
index 00000000000000..3e43defaa910cf
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
@@ -0,0 +1,255 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { deleteTestSuiteFactory } from '../../common/suites/delete';
+
+// tslint:disable:no-default-export
+export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    deleteTest,
+    createExpectLegacyForbidden,
+    expectRbacForbidden,
+    expectEmptyResult,
+    expectNotFoundResult,
+    expectReservedSpaceResult,
+  } = deleteTestSuiteFactory(esArchiver, supertestWithoutAuth);
+
+  describe('delete', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+      },
+    ].forEach(scenario => {
+      deleteTest(`${scenario.notAKibanaUser.USERNAME} from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.notAKibanaUser.USERNAME,
+          password: scenario.notAKibanaUser.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME, 'read/get'),
+          },
+          reservedSpace: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME, 'read/get'),
+          },
+          doesntExist: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME, 'read/get'),
+          },
+        },
+      });
+
+      deleteTest(`${scenario.superuser.USERNAME} from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.superuser.USERNAME,
+          password: scenario.superuser.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 204,
+            response: expectEmptyResult,
+          },
+          reservedSpace: {
+            statusCode: 400,
+            response: expectReservedSpaceResult,
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: expectNotFoundResult,
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithAllGlobally.USERNAME} from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithAllGlobally.USERNAME,
+          password: scenario.userWithAllGlobally.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 204,
+            response: expectEmptyResult,
+          },
+          reservedSpace: {
+            statusCode: 400,
+            response: expectReservedSpaceResult,
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: expectNotFoundResult,
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithDualAll.USERNAME} from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithDualAll.USERNAME,
+          password: scenario.userWithDualAll.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 204,
+            response: expectEmptyResult,
+          },
+          reservedSpace: {
+            statusCode: 400,
+            response: expectReservedSpaceResult,
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: expectNotFoundResult,
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithLegacyAll.USERNAME} from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithLegacyAll.USERNAME,
+          password: scenario.userWithLegacyAll.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 204,
+            response: expectEmptyResult,
+          },
+          reservedSpace: {
+            statusCode: 400,
+            response: expectReservedSpaceResult,
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: expectNotFoundResult,
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithReadGlobally.USERNAME} from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithReadGlobally.USERNAME,
+          password: scenario.userWithReadGlobally.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+          reservedSpace: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+          doesntExist: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userwithDualRead.USERNAME} from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userwithDualRead.USERNAME,
+          password: scenario.userwithDualRead.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+          reservedSpace: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+          doesntExist: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithLegacyRead.USERNAME} from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithLegacyRead.USERNAME,
+          password: scenario.userWithLegacyRead.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(
+              scenario.userWithLegacyRead.USERNAME,
+              'write/delete'
+            ),
+          },
+          reservedSpace: {
+            statusCode: 400,
+            response: expectReservedSpaceResult,
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: expectNotFoundResult,
+          },
+        },
+      });
+
+      deleteTest(`${scenario.userWithAllAtSpace} from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithAllAtSpace.USERNAME,
+          password: scenario.userWithAllAtSpace.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+          reservedSpace: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+          doesntExist: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+        },
+      });
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts
new file mode 100644
index 00000000000000..94aaaaff6d9c9a
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts
@@ -0,0 +1,332 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { getTestSuiteFactory } from '../../common/suites/get';
+
+// tslint:disable:no-default-export
+export default function getSpaceTestSuite({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    getTest,
+    createExpectResults,
+    createExpectNotFoundResult,
+    createExpectRbacForbidden,
+    createExpectLegacyForbidden,
+    nonExistantSpaceId,
+  } = getTestSuiteFactory(esArchiver, supertestWithoutAuth);
+
+  describe('get', () => {
+    // valid spaces
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        otherSpaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        otherSpaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+      },
+    ].forEach(scenario => {
+      getTest(`${scenario.notAKibanaUser.USERNAME}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.notAKibanaUser.USERNAME,
+          password: scenario.notAKibanaUser.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+          },
+        },
+      });
+
+      getTest(`${scenario.superuser.USERNAME}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.superuser.USERNAME,
+          password: scenario.superuser.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithAllGlobally.USERNAME}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithAllGlobally.USERNAME,
+          password: scenario.userWithAllGlobally.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithDualAll.USERNAME}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithDualAll.USERNAME,
+          password: scenario.userWithDualAll.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithLegacyAll.USERNAME}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithLegacyAll.USERNAME,
+          password: scenario.userWithLegacyAll.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithReadGlobally.USERNAME}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithReadGlobally.USERNAME,
+          password: scenario.userWithReadGlobally.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userwithDualRead.USERNAME}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userwithDualRead.USERNAME,
+          password: scenario.userwithDualRead.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithLegacyRead.USERNAME}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithLegacyRead.USERNAME,
+          password: scenario.userWithLegacyRead.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithReadAtSpace.USERNAME} at ${scenario.spaceId}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithReadAtSpace.USERNAME,
+          password: scenario.userWithReadAtSpace.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+
+      getTest(`${scenario.userWithAllAtOtherSpace.USERNAME} at a different space`, {
+        currentSpaceId: scenario.otherSpaceId,
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithAllAtOtherSpace.USERNAME,
+          password: scenario.userWithAllAtOtherSpace.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 403,
+            response: createExpectRbacForbidden(scenario.spaceId),
+          },
+        },
+      });
+    });
+
+    describe('non-existant space', () => {
+      [
+        {
+          spaceId: SPACES.DEFAULT.spaceId,
+          otherSpaceId: nonExistantSpaceId,
+          userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
+      ].forEach(scenario => {
+        getTest(`${scenario.userWithAllGlobally.USERNAME}`, {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          auth: {
+            username: scenario.userWithAllGlobally.USERNAME,
+            password: scenario.userWithAllGlobally.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 404,
+              response: createExpectNotFoundResult(),
+            },
+          },
+        });
+
+        getTest(`${scenario.userWithDualAll.USERNAME}`, {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          auth: {
+            username: scenario.userWithDualAll.USERNAME,
+            password: scenario.userWithDualAll.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 404,
+              response: createExpectNotFoundResult(),
+            },
+          },
+        });
+
+        getTest(`${scenario.userWithLegacyAll.USERNAME}`, {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          auth: {
+            username: scenario.userWithLegacyAll.USERNAME,
+            password: scenario.userWithLegacyAll.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 404,
+              response: createExpectNotFoundResult(),
+            },
+          },
+        });
+
+        getTest(`${scenario.userWithReadGlobally.USERNAME}`, {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          auth: {
+            username: scenario.userWithReadGlobally.USERNAME,
+            password: scenario.userWithReadGlobally.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 404,
+              response: createExpectNotFoundResult(),
+            },
+          },
+        });
+
+        getTest(`${scenario.userwithDualRead.USERNAME}`, {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          auth: {
+            username: scenario.userwithDualRead.USERNAME,
+            password: scenario.userwithDualRead.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 404,
+              response: createExpectNotFoundResult(),
+            },
+          },
+        });
+
+        getTest(`${scenario.userWithLegacyRead.USERNAME}`, {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          auth: {
+            username: scenario.userWithLegacyRead.USERNAME,
+            password: scenario.userWithLegacyRead.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 404,
+              response: createExpectNotFoundResult(),
+            },
+          },
+        });
+
+        getTest(`${scenario.userWithAllAtSpace.USERNAME}`, {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          auth: {
+            username: scenario.userWithAllAtSpace.USERNAME,
+            password: scenario.userWithAllAtSpace.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 403,
+              response: createExpectRbacForbidden(scenario.otherSpaceId),
+            },
+          },
+        });
+      });
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts
new file mode 100644
index 00000000000000..9410103cb25d7f
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts
@@ -0,0 +1,257 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { getAllTestSuiteFactory } from '../../common/suites/get_all';
+
+// tslint:disable:no-default-export
+export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const { getAllTest, createExpectResults, createExpectLegacyForbidden } = getAllTestSuiteFactory(
+    esArchiver,
+    supertestWithoutAuth
+  );
+
+  describe('get all', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithAllAtDefault: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithReadAtDefault: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithAllAtDefault: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithReadAtDefault: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+      },
+    ].forEach(scenario => {
+      getAllTest(
+        `${scenario.notAKibanaUser.USERNAME} can't access any spaces from ${scenario.spaceId}`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.notAKibanaUser.USERNAME,
+            password: scenario.notAKibanaUser.PASSWORD,
+          },
+          tests: {
+            exists: {
+              statusCode: 403,
+              response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            },
+          },
+        }
+      );
+
+      getAllTest(`${scenario.superuser.USERNAME} can access all spaces from ${scenario.spaceId}`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.superuser.USERNAME,
+          password: scenario.superuser.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 200,
+            response: createExpectResults('default', 'space_1', 'space_2'),
+          },
+        },
+      });
+
+      getAllTest(
+        `${scenario.userWithAllGlobally.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithAllGlobally.USERNAME,
+            password: scenario.userWithAllGlobally.PASSWORD,
+          },
+          tests: {
+            exists: {
+              statusCode: 200,
+              response: createExpectResults('default', 'space_1', 'space_2'),
+            },
+          },
+        }
+      );
+
+      getAllTest(
+        `${scenario.userWithDualAll.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithDualAll.USERNAME,
+            password: scenario.userWithDualAll.PASSWORD,
+          },
+          tests: {
+            exists: {
+              statusCode: 200,
+              response: createExpectResults('default', 'space_1', 'space_2'),
+            },
+          },
+        }
+      );
+
+      getAllTest(
+        `${scenario.userWithLegacyAll.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithLegacyAll.USERNAME,
+            password: scenario.userWithLegacyAll.PASSWORD,
+          },
+          tests: {
+            exists: {
+              statusCode: 200,
+              response: createExpectResults('default', 'space_1', 'space_2'),
+            },
+          },
+        }
+      );
+
+      getAllTest(
+        `${scenario.userWithReadGlobally.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithReadGlobally.USERNAME,
+            password: scenario.userWithReadGlobally.PASSWORD,
+          },
+          tests: {
+            exists: {
+              statusCode: 200,
+              response: createExpectResults('default', 'space_1', 'space_2'),
+            },
+          },
+        }
+      );
+
+      getAllTest(
+        `${scenario.userwithDualRead.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userwithDualRead.USERNAME,
+            password: scenario.userwithDualRead.PASSWORD,
+          },
+          tests: {
+            exists: {
+              statusCode: 200,
+              response: createExpectResults('default', 'space_1', 'space_2'),
+            },
+          },
+        }
+      );
+
+      getAllTest(
+        `${scenario.userWithLegacyRead.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithLegacyRead.USERNAME,
+            password: scenario.userWithLegacyRead.PASSWORD,
+          },
+          tests: {
+            exists: {
+              statusCode: 200,
+              response: createExpectResults('default', 'space_1', 'space_2'),
+            },
+          },
+        }
+      );
+
+      getAllTest(
+        `${scenario.userWithAllAtSpace_1.USERNAME} can access space_1 from ${scenario.spaceId}`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithAllAtSpace_1.USERNAME,
+            password: scenario.userWithAllAtSpace_1.PASSWORD,
+          },
+          tests: {
+            exists: {
+              statusCode: 200,
+              response: createExpectResults('space_1'),
+            },
+          },
+        }
+      );
+
+      getAllTest(
+        `${scenario.userWithReadAtSpace_1.USERNAME} can access space_1 from ${scenario.spaceId}`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithReadAtSpace_1.USERNAME,
+            password: scenario.userWithReadAtSpace_1.PASSWORD,
+          },
+          tests: {
+            exists: {
+              statusCode: 200,
+              response: createExpectResults('space_1'),
+            },
+          },
+        }
+      );
+
+      getAllTest(
+        `${scenario.userWithAllAtDefault.USERNAME} can access default from ${scenario.spaceId}`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithAllAtDefault.USERNAME,
+            password: scenario.userWithAllAtDefault.PASSWORD,
+          },
+          tests: {
+            exists: {
+              statusCode: 200,
+              response: createExpectResults('default'),
+            },
+          },
+        }
+      );
+
+      getAllTest(
+        `${scenario.userWithReadAtDefault.USERNAME} can access default from ${scenario.spaceId}`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithReadAtDefault.USERNAME,
+            password: scenario.userWithReadAtDefault.PASSWORD,
+          },
+          tests: {
+            exists: {
+              statusCode: 200,
+              response: createExpectResults('default'),
+            },
+          },
+        }
+      );
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/index.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/index.ts
new file mode 100644
index 00000000000000..044670a822ac2f
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/index.ts
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { createUsersAndRoles } from '../../common/lib/create_users_and_roles';
+import { TestInvoker } from '../../common/lib/types';
+
+// tslint:disable:no-default-export
+export default function({ loadTestFile, getService }: TestInvoker) {
+  const es = getService('es');
+  const supertest = getService('supertest');
+
+  describe('spaces api with security', () => {
+    before(async () => {
+      await createUsersAndRoles(es, supertest);
+    });
+
+    loadTestFile(require.resolve('./create'));
+    loadTestFile(require.resolve('./delete'));
+    loadTestFile(require.resolve('./get_all'));
+    loadTestFile(require.resolve('./get'));
+    loadTestFile(require.resolve('./select'));
+    loadTestFile(require.resolve('./update'));
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts
new file mode 100644
index 00000000000000..9f323001e55067
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts
@@ -0,0 +1,356 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { selectTestSuiteFactory } from '../../common/suites/select';
+
+// tslint:disable:no-default-export
+export default function selectSpaceTestSuite({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    selectTest,
+    nonExistantSpaceId,
+    createExpectSpaceResponse,
+    createExpectRbacForbidden,
+    createExpectNotFoundResult,
+    createExpectLegacyForbidden,
+  } = selectTestSuiteFactory(esArchiver, supertestWithoutAuth);
+
+  describe('select', () => {
+    // Global authorization tests
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        otherSpaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        otherSpaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+      },
+    ].forEach(scenario => {
+      selectTest(`${scenario.notAKibanaUser.USERNAME} selects ${scenario.otherSpaceId}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.otherSpaceId,
+        auth: {
+          username: scenario.notAKibanaUser.USERNAME,
+          password: scenario.notAKibanaUser.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+          },
+        },
+      });
+
+      selectTest(`${scenario.superuser.USERNAME} selects ${scenario.otherSpaceId}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.otherSpaceId,
+        auth: {
+          username: scenario.superuser.USERNAME,
+          password: scenario.superuser.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectSpaceResponse(scenario.otherSpaceId),
+          },
+        },
+      });
+
+      selectTest(`${scenario.userWithAllGlobally.USERNAME} selects ${scenario.otherSpaceId}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.otherSpaceId,
+        auth: {
+          username: scenario.userWithAllGlobally.USERNAME,
+          password: scenario.userWithAllGlobally.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectSpaceResponse(scenario.otherSpaceId),
+          },
+        },
+      });
+
+      selectTest(`${scenario.userWithDualAll.USERNAME} selects ${scenario.otherSpaceId}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.otherSpaceId,
+        auth: {
+          username: scenario.userWithDualAll.USERNAME,
+          password: scenario.userWithDualAll.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectSpaceResponse(scenario.otherSpaceId),
+          },
+        },
+      });
+
+      selectTest(`${scenario.userWithLegacyAll.USERNAME} selects ${scenario.otherSpaceId}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.otherSpaceId,
+        auth: {
+          username: scenario.userWithLegacyAll.USERNAME,
+          password: scenario.userWithLegacyAll.PASSWORD,
+        },
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectSpaceResponse(scenario.otherSpaceId),
+          },
+        },
+      });
+
+      selectTest(
+        `${scenario.userWithReadGlobally.USERNAME} selects ${scenario.otherSpaceId} from
+        ${scenario.spaceId}`,
+        {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          auth: {
+            username: scenario.userWithReadGlobally.USERNAME,
+            password: scenario.userWithReadGlobally.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectSpaceResponse(scenario.otherSpaceId),
+            },
+          },
+        }
+      );
+
+      selectTest(
+        `${scenario.userWithDualRead.USERNAME} selects ${scenario.otherSpaceId} from
+        ${scenario.spaceId}`,
+        {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          auth: {
+            username: scenario.userWithDualRead.USERNAME,
+            password: scenario.userWithDualRead.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectSpaceResponse(scenario.otherSpaceId),
+            },
+          },
+        }
+      );
+
+      selectTest(
+        `${scenario.userWithLegacyRead.USERNAME} can select ${scenario.otherSpaceId}
+        from ${scenario.spaceId}`,
+        {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          auth: {
+            username: scenario.userWithLegacyRead.USERNAME,
+            password: scenario.userWithLegacyRead.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectSpaceResponse(scenario.otherSpaceId),
+            },
+          },
+        }
+      );
+    });
+
+    // Same-Space authorization tests
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+      },
+    ].forEach(scenario => {
+      selectTest(
+        `${scenario.userWithAllAtSpace.USERNAME} can select ${scenario.spaceId}
+        from ${scenario.spaceId}`,
+        {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithAllAtSpace.USERNAME,
+            password: scenario.userWithAllAtSpace.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectSpaceResponse(scenario.spaceId),
+            },
+          },
+        }
+      );
+
+      selectTest(
+        `${scenario.userWithReadAtSpace.USERNAME} can select ${scenario.spaceId}
+        from ${scenario.spaceId}`,
+        {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithReadAtSpace.USERNAME,
+            password: scenario.userWithReadAtSpace.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectSpaceResponse(scenario.spaceId),
+            },
+          },
+        }
+      );
+
+      selectTest(
+        `${scenario.userWithAllAtOtherSpace.USERNAME} cannot select ${scenario.spaceId}
+        from ${scenario.spaceId}`,
+        {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithAllAtOtherSpace.USERNAME,
+            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 403,
+              response: createExpectRbacForbidden(scenario.spaceId),
+            },
+          },
+        }
+      );
+    });
+
+    // Cross-Space authorization tests
+    [
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        otherSpaceId: SPACES.SPACE_2.spaceId,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_2_ALL_USER,
+        userWithAllAtBothSpaces: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_ALL_USER,
+      },
+    ].forEach(scenario => {
+      selectTest(
+        `${scenario.userWithAllAtBothSpaces.USERNAME} can select ${scenario.spaceId}
+        from ${scenario.otherSpaceId}`,
+        {
+          currentSpaceId: scenario.otherSpaceId,
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithAllAtBothSpaces.USERNAME,
+            password: scenario.userWithAllAtBothSpaces.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectSpaceResponse(scenario.spaceId),
+            },
+          },
+        }
+      );
+
+      selectTest(
+        `${scenario.userWithAllAtOtherSpace.USERNAME} cannot select ${scenario.spaceId}
+        from ${scenario.otherSpaceId}`,
+        {
+          currentSpaceId: scenario.otherSpaceId,
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithAllAtOtherSpace.USERNAME,
+            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 403,
+              response: createExpectRbacForbidden(scenario.spaceId),
+            },
+          },
+        }
+      );
+    });
+
+    describe('non-existant space', () => {
+      [
+        {
+          spaceId: SPACES.DEFAULT.spaceId,
+          otherSpaceId: nonExistantSpaceId,
+          userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        },
+        {
+          spaceId: SPACES.SPACE_1.spaceId,
+          otherSpaceId: nonExistantSpaceId,
+          userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        },
+      ].forEach(scenario => {
+        selectTest(`${scenario.userWithAllGlobally.USERNAME} cannot access non-existant space`, {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          auth: {
+            username: scenario.userWithAllGlobally.USERNAME,
+            password: scenario.userWithAllGlobally.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 404,
+              response: createExpectNotFoundResult(),
+            },
+          },
+        });
+
+        selectTest(`${scenario.userWithAllAtSpace.USERNAME} cannot access non-existant space`, {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          auth: {
+            username: scenario.userWithAllAtSpace.USERNAME,
+            password: scenario.userWithAllAtSpace.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 403,
+              response: createExpectRbacForbidden(scenario.otherSpaceId),
+            },
+          },
+        });
+      });
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
new file mode 100644
index 00000000000000..afe5c3b39505a3
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
@@ -0,0 +1,308 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from '../../common/lib/authentication';
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { updateTestSuiteFactory } from '../../common/suites/update';
+
+// tslint:disable:no-default-export
+export default function updateSpaceTestSuite({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    updateTest,
+    expectNewSpaceNotFound,
+    expectAlreadyExistsResult,
+    expectDefaultSpaceResult,
+    expectRbacForbidden,
+    createExpectLegacyForbidden,
+  } = updateTestSuiteFactory(esArchiver, supertestWithoutAuth);
+
+  describe.only('update', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
+        superuser: AUTHENTICATION.SUPERUSER,
+        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+      },
+    ].forEach(scenario => {
+      updateTest(
+        `${scenario.notAKibanaUser.USERNAME} can't update space_1 from
+        the ${scenario.spaceId} space`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.notAKibanaUser.USERNAME,
+            password: scenario.notAKibanaUser.PASSWORD,
+          },
+          tests: {
+            alreadyExists: {
+              statusCode: 403,
+              response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            },
+            defaultSpace: {
+              statusCode: 403,
+              response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            },
+            newSpace: {
+              statusCode: 403,
+              response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            },
+          },
+        }
+      );
+
+      updateTest(
+        `${scenario.superuser.USERNAME} can update space_1 from
+        the ${scenario.spaceId} space`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.superuser.USERNAME,
+            password: scenario.superuser.PASSWORD,
+          },
+          tests: {
+            alreadyExists: {
+              statusCode: 200,
+              response: expectAlreadyExistsResult,
+            },
+            defaultSpace: {
+              statusCode: 200,
+              response: expectDefaultSpaceResult,
+            },
+            newSpace: {
+              statusCode: 404,
+              response: expectNewSpaceNotFound,
+            },
+          },
+        }
+      );
+
+      updateTest(
+        `${scenario.userWithAllGlobally.USERNAME} can update space_1 from
+        the ${scenario.spaceId} space`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithAllGlobally.USERNAME,
+            password: scenario.userWithAllGlobally.PASSWORD,
+          },
+          tests: {
+            alreadyExists: {
+              statusCode: 200,
+              response: expectAlreadyExistsResult,
+            },
+            defaultSpace: {
+              statusCode: 200,
+              response: expectDefaultSpaceResult,
+            },
+            newSpace: {
+              statusCode: 404,
+              response: expectNewSpaceNotFound,
+            },
+          },
+        }
+      );
+
+      updateTest(
+        `${scenario.userWithDualAll.USERNAME} can update space_1 from
+        the ${scenario.spaceId} space`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithDualAll.USERNAME,
+            password: scenario.userWithDualAll.PASSWORD,
+          },
+          tests: {
+            alreadyExists: {
+              statusCode: 200,
+              response: expectAlreadyExistsResult,
+            },
+            defaultSpace: {
+              statusCode: 200,
+              response: expectDefaultSpaceResult,
+            },
+            newSpace: {
+              statusCode: 404,
+              response: expectNewSpaceNotFound,
+            },
+          },
+        }
+      );
+
+      updateTest(
+        `${scenario.userWithLegacyAll.USERNAME} can update space_1 from
+        the ${scenario.spaceId} space`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithLegacyAll.USERNAME,
+            password: scenario.userWithLegacyAll.PASSWORD,
+          },
+          tests: {
+            alreadyExists: {
+              statusCode: 200,
+              response: expectAlreadyExistsResult,
+            },
+            defaultSpace: {
+              statusCode: 200,
+              response: expectDefaultSpaceResult,
+            },
+            newSpace: {
+              statusCode: 404,
+              response: expectNewSpaceNotFound,
+            },
+          },
+        }
+      );
+
+      updateTest(
+        `${scenario.userWithReadGlobally.USERNAME} cannot update space_1
+        from the ${scenario.spaceId} space`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithReadGlobally.USERNAME,
+            password: scenario.userWithReadGlobally.PASSWORD,
+          },
+          tests: {
+            alreadyExists: {
+              statusCode: 403,
+              response: expectRbacForbidden,
+            },
+            defaultSpace: {
+              statusCode: 403,
+              response: expectRbacForbidden,
+            },
+            newSpace: {
+              statusCode: 403,
+              response: expectRbacForbidden,
+            },
+          },
+        }
+      );
+
+      updateTest(
+        `${scenario.userWithDualRead.USERNAME} cannot update space_1
+        from the ${scenario.spaceId} space`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithDualRead.USERNAME,
+            password: scenario.userWithDualRead.PASSWORD,
+          },
+          tests: {
+            alreadyExists: {
+              statusCode: 403,
+              response: expectRbacForbidden,
+            },
+            defaultSpace: {
+              statusCode: 403,
+              response: expectRbacForbidden,
+            },
+            newSpace: {
+              statusCode: 403,
+              response: expectRbacForbidden,
+            },
+          },
+        }
+      );
+
+      updateTest(
+        `${scenario.userWithLegacyRead.USERNAME} cannot update space_1
+        from the ${scenario.spaceId} space`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.userWithLegacyRead.USERNAME,
+            password: scenario.userWithLegacyRead.PASSWORD,
+          },
+          tests: {
+            alreadyExists: {
+              statusCode: 403,
+              response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+            },
+            defaultSpace: {
+              statusCode: 403,
+              response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+            },
+            newSpace: {
+              statusCode: 403,
+              response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+            },
+          },
+        }
+      );
+
+      updateTest(`${scenario.userWithAllAtSpace.USERNAME} cannot update space_1`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithAllAtSpace.USERNAME,
+          password: scenario.userWithAllAtSpace.PASSWORD,
+        },
+        tests: {
+          alreadyExists: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+          defaultSpace: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+          newSpace: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+        },
+      });
+
+      updateTest(`${scenario.userWithReadAtSpace.USERNAME} cannot update space_1`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.userWithReadAtSpace.USERNAME,
+          password: scenario.userWithReadAtSpace.PASSWORD,
+        },
+        tests: {
+          alreadyExists: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+          defaultSpace: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+          newSpace: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+        },
+      });
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/config.ts b/x-pack/test/spaces_api_integration/security_and_spaces/config.ts
new file mode 100644
index 00000000000000..81cf9d85671d18
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/config.ts
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { createTestConfig } from '../common/config';
+
+// tslint:disable:no-default-export
+export default createTestConfig('security_and_spaces', { license: 'trial' });
diff --git a/x-pack/test/spaces_api_integration/spaces_only/apis/create.ts b/x-pack/test/spaces_api_integration/spaces_only/apis/create.ts
new file mode 100644
index 00000000000000..fb01fd18527c21
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/spaces_only/apis/create.ts
@@ -0,0 +1,51 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { createTestSuiteFactory } from '../../common/suites/create';
+
+// tslint:disable:no-default-export
+export default function createSpacesOnlySuite({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    createTest,
+    expectNewSpaceResult,
+    expectConflictResponse,
+    expectReservedSpecifiedResult,
+  } = createTestSuiteFactory(esArchiver, supertestWithoutAuth);
+
+  describe('create', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+      },
+    ].forEach(scenario => {
+      createTest(`from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        tests: {
+          newSpace: {
+            statusCode: 200,
+            response: expectNewSpaceResult,
+          },
+          alreadyExists: {
+            statusCode: 409,
+            response: expectConflictResponse,
+          },
+          reservedSpecified: {
+            statusCode: 200,
+            response: expectReservedSpecifiedResult,
+          },
+        },
+      });
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/spaces_only/apis/delete.ts b/x-pack/test/spaces_api_integration/spaces_only/apis/delete.ts
new file mode 100644
index 00000000000000..3b073e377a4e5b
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/spaces_only/apis/delete.ts
@@ -0,0 +1,51 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { deleteTestSuiteFactory } from '../../common/suites/delete';
+
+// tslint:disable:no-default-export
+export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    deleteTest,
+    expectEmptyResult,
+    expectReservedSpaceResult,
+    expectNotFoundResult,
+  } = deleteTestSuiteFactory(esArchiver, supertestWithoutAuth);
+
+  describe('delete', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+      },
+    ].forEach(scenario => {
+      deleteTest(`from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        tests: {
+          exists: {
+            statusCode: 204,
+            response: expectEmptyResult,
+          },
+          reservedSpace: {
+            statusCode: 400,
+            response: expectReservedSpaceResult,
+          },
+          doesntExist: {
+            statusCode: 404,
+            response: expectNotFoundResult,
+          },
+        },
+      });
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/spaces_only/apis/get.ts b/x-pack/test/spaces_api_integration/spaces_only/apis/get.ts
new file mode 100644
index 00000000000000..8017e3c62eec8a
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/spaces_only/apis/get.ts
@@ -0,0 +1,74 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { getTestSuiteFactory } from '../../common/suites/get';
+
+// tslint:disable:no-default-export
+export default function getSpaceTestSuite({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    getTest,
+    createExpectResults,
+    createExpectNotFoundResult,
+    nonExistantSpaceId,
+  } = getTestSuiteFactory(esArchiver, supertestWithoutAuth);
+
+  describe('get', () => {
+    // valid spaces
+    [
+      {
+        currentSpaceId: SPACES.DEFAULT.spaceId,
+        spaceId: SPACES.DEFAULT.spaceId,
+      },
+      {
+        currentSpaceId: SPACES.DEFAULT.spaceId,
+        spaceId: SPACES.SPACE_1.spaceId,
+      },
+      {
+        currentSpaceId: SPACES.SPACE_1.spaceId,
+        spaceId: SPACES.DEFAULT.spaceId,
+      },
+      {
+        currentSpaceId: SPACES.SPACE_1.spaceId,
+        spaceId: SPACES.SPACE_1.spaceId,
+      },
+    ].forEach(scenario => {
+      getTest(`can access ${scenario.spaceId} from within the ${scenario.currentSpaceId} space`, {
+        spaceId: scenario.spaceId,
+        currentSpaceId: scenario.currentSpaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
+          },
+        },
+      });
+    });
+
+    // invalid spaces
+    [
+      {
+        currentSpaceId: SPACES.DEFAULT.spaceId,
+        spaceId: nonExistantSpaceId,
+      },
+    ].forEach(scenario => {
+      getTest(`can't access ${scenario.spaceId} from within the ${scenario.currentSpaceId} space`, {
+        spaceId: scenario.spaceId,
+        currentSpaceId: scenario.currentSpaceId,
+        tests: {
+          default: {
+            statusCode: 404,
+            response: createExpectNotFoundResult(),
+          },
+        },
+      });
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/spaces_only/apis/get_all.ts b/x-pack/test/spaces_api_integration/spaces_only/apis/get_all.ts
new file mode 100644
index 00000000000000..4380df0d196f9a
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/spaces_only/apis/get_all.ts
@@ -0,0 +1,41 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { getAllTestSuiteFactory } from '../../common/suites/get_all';
+
+// tslint:disable:no-default-export
+export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const { getAllTest, createExpectResults } = getAllTestSuiteFactory(
+    esArchiver,
+    supertestWithoutAuth
+  );
+
+  describe('get all', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+      },
+    ].forEach(scenario => {
+      getAllTest(`can access all spaces from ${scenario.spaceId}`, {
+        spaceId: scenario.spaceId,
+        tests: {
+          exists: {
+            statusCode: 200,
+            response: createExpectResults('default', 'space_1', 'space_2'),
+          },
+        },
+      });
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/spaces_only/apis/index.ts b/x-pack/test/spaces_api_integration/spaces_only/apis/index.ts
new file mode 100644
index 00000000000000..6864ee7fbda946
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/spaces_only/apis/index.ts
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { TestInvoker } from '../../common/lib/types';
+
+// tslint:disable:no-default-export
+export default function spacesOnlyTestSuite({ loadTestFile }: TestInvoker) {
+  describe('spaces api without security', () => {
+    loadTestFile(require.resolve('./create'));
+    loadTestFile(require.resolve('./delete'));
+    loadTestFile(require.resolve('./get_all'));
+    loadTestFile(require.resolve('./get'));
+    loadTestFile(require.resolve('./select'));
+    loadTestFile(require.resolve('./update'));
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/spaces_only/apis/select.ts b/x-pack/test/spaces_api_integration/spaces_only/apis/select.ts
new file mode 100644
index 00000000000000..95e05822393b5f
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/spaces_only/apis/select.ts
@@ -0,0 +1,74 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { selectTestSuiteFactory } from '../../common/suites/select';
+
+// tslint:disable:no-default-export
+export default function selectSpaceTestSuite({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    selectTest,
+    createExpectSpaceResponse,
+    createExpectNotFoundResult,
+    nonExistantSpaceId,
+  } = selectTestSuiteFactory(esArchiver, supertestWithoutAuth);
+
+  describe('select', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+        otherSpaceId: SPACES.SPACE_1.spaceId,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        otherSpaceId: SPACES.DEFAULT.spaceId,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+        otherSpaceId: SPACES.SPACE_2.spaceId,
+      },
+    ].forEach(scenario => {
+      selectTest(`can select ${scenario.otherSpaceId} from ${scenario.spaceId}`, {
+        currentSpaceId: scenario.spaceId,
+        spaceId: scenario.otherSpaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectSpaceResponse(scenario.otherSpaceId),
+          },
+        },
+      });
+    });
+
+    describe('non-existant space', () => {
+      [
+        {
+          spaceId: SPACES.DEFAULT.spaceId,
+          otherSpaceId: nonExistantSpaceId,
+        },
+        {
+          spaceId: SPACES.SPACE_1.spaceId,
+          otherSpaceId: nonExistantSpaceId,
+        },
+      ].forEach(scenario => {
+        selectTest(`cannot select non-existant space from ${scenario.spaceId}`, {
+          currentSpaceId: scenario.spaceId,
+          spaceId: scenario.otherSpaceId,
+          tests: {
+            default: {
+              statusCode: 404,
+              response: createExpectNotFoundResult(),
+            },
+          },
+        });
+      });
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/spaces_only/apis/update.ts b/x-pack/test/spaces_api_integration/spaces_only/apis/update.ts
new file mode 100644
index 00000000000000..aece5a0efc6391
--- /dev/null
+++ b/x-pack/test/spaces_api_integration/spaces_only/apis/update.ts
@@ -0,0 +1,51 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SPACES } from '../../common/lib/spaces';
+import { TestInvoker } from '../../common/lib/types';
+import { updateTestSuiteFactory } from '../../common/suites/update';
+
+// tslint:disable:no-default-export
+export default function updateSpaceTestSuite({ getService }: TestInvoker) {
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const {
+    updateTest,
+    expectAlreadyExistsResult,
+    expectDefaultSpaceResult,
+    expectNewSpaceNotFound,
+  } = updateTestSuiteFactory(esArchiver, supertestWithoutAuth);
+
+  describe.only('update', () => {
+    [
+      {
+        spaceId: SPACES.DEFAULT.spaceId,
+      },
+      {
+        spaceId: SPACES.SPACE_1.spaceId,
+      },
+    ].forEach(scenario => {
+      updateTest(`can update from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        tests: {
+          alreadyExists: {
+            statusCode: 200,
+            response: expectAlreadyExistsResult,
+          },
+          defaultSpace: {
+            statusCode: 200,
+            response: expectDefaultSpaceResult,
+          },
+          newSpace: {
+            statusCode: 404,
+            response: expectNewSpaceNotFound,
+          },
+        },
+      });
+    });
+  });
+}
diff --git a/x-pack/test/spaces_api_integration/apis/index.js b/x-pack/test/spaces_api_integration/spaces_only/config.ts
similarity index 60%
rename from x-pack/test/spaces_api_integration/apis/index.js
rename to x-pack/test/spaces_api_integration/spaces_only/config.ts
index 3c747f65541329..49e31da77dd741 100644
--- a/x-pack/test/spaces_api_integration/apis/index.js
+++ b/x-pack/test/spaces_api_integration/spaces_only/config.ts
@@ -3,9 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+import { createTestConfig } from '../common/config';
 
-export default function ({ loadTestFile }) {
-  describe('apis spaces', () => {
-    loadTestFile(require.resolve('./saved_objects'));
-  });
-}
+// tslint:disable:no-default-export
+export default createTestConfig('spaces_only', { license: 'basic' });
diff --git a/x-pack/test/tsconfig.json b/x-pack/test/tsconfig.json
new file mode 100644
index 00000000000000..87e34dc754cdc0
--- /dev/null
+++ b/x-pack/test/tsconfig.json
@@ -0,0 +1,14 @@
+{
+  "extends": "../tsconfig.json",
+  "compilerOptions": {
+    "types": [
+      "expect.js",
+      "mocha",
+      "node"
+    ]
+  },
+  "include": [
+      "**/*",
+  ],
+  "exclude": [],
+}
diff --git a/x-pack/tsconfig.json b/x-pack/tsconfig.json
index a01f0127c96cb1..4a965fa793432c 100644
--- a/x-pack/tsconfig.json
+++ b/x-pack/tsconfig.json
@@ -1,8 +1,17 @@
 {
-  "extends": "../tsconfig.json",
-  "include": [
-    "common/**/*",
-    "server/**/*",
-    "plugins/**/*"
-  ]
+    "extends": "../tsconfig.json",
+    "include": [
+        "common/**/*",
+        "server/**/*",
+        "plugins/**/*",
+    ],
+    "exclude": [
+      "test/**/*"
+    ],
+    "compilerOptions": {
+      "types": [
+        "node",
+        "jest"
+      ]
+    }
 }
diff --git a/x-pack/yarn.lock b/x-pack/yarn.lock
index 7b2a8ad84cc67a..bf3b9ea293564a 100644
--- a/x-pack/yarn.lock
+++ b/x-pack/yarn.lock
@@ -124,6 +124,10 @@
     url-join "^4.0.0"
     ws "^4.1.0"
 
+"@types/cookiejar@*":
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/@types/cookiejar/-/cookiejar-2.1.0.tgz#4b7daf2c51696cfc70b942c11690528229d1a1ce"
+
 "@types/delay@^2.0.1":
   version "2.0.1"
   resolved "https://registry.yarnpkg.com/@types/delay/-/delay-2.0.1.tgz#61bcf318a74b61e79d1658fbf054f984c90ef901"
@@ -132,6 +136,10 @@
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/@types/events/-/events-1.2.0.tgz#81a6731ce4df43619e5c8c945383b3e62a89ea86"
 
+"@types/expect.js@^0.3.29":
+  version "0.3.29"
+  resolved "https://registry.yarnpkg.com/@types/expect.js/-/expect.js-0.3.29.tgz#28dd359155b84b8ecb094afc3f4b74c3222dca3b"
+
 "@types/form-data@^2.2.1":
   version "2.2.1"
   resolved "https://registry.yarnpkg.com/@types/form-data/-/form-data-2.2.1.tgz#ee2b3b8eaa11c0938289953606b745b738c54b1e"
@@ -158,6 +166,10 @@
   version "1.5.3"
   resolved "https://registry.yarnpkg.com/@types/loglevel/-/loglevel-1.5.3.tgz#adfce55383edc5998a2170ad581b3e23d6adb5b8"
 
+"@types/mocha@^5.2.5":
+  version "5.2.5"
+  resolved "https://registry.yarnpkg.com/@types/mocha/-/mocha-5.2.5.tgz#8a4accfc403c124a0bafe8a9fc61a05ec1032073"
+
 "@types/node@*":
   version "9.3.0"
   resolved "https://registry.yarnpkg.com/@types/node/-/node-9.3.0.tgz#3a129cda7c4e5df2409702626892cb4b96546dd5"
@@ -190,6 +202,19 @@
   version "0.10.2"
   resolved "https://registry.yarnpkg.com/@types/retry/-/retry-0.10.2.tgz#bd1740c4ad51966609b058803ee6874577848b37"
 
+"@types/superagent@*":
+  version "3.8.4"
+  resolved "https://registry.yarnpkg.com/@types/superagent/-/superagent-3.8.4.tgz#24a5973c7d1a9c024b4bbda742a79267c33fb86a"
+  dependencies:
+    "@types/cookiejar" "*"
+    "@types/node" "*"
+
+"@types/supertest@^2.0.5":
+  version "2.0.5"
+  resolved "https://registry.yarnpkg.com/@types/supertest/-/supertest-2.0.5.tgz#18d082a667eaed22759be98f4923e0061ae70c62"
+  dependencies:
+    "@types/superagent" "*"
+
 "@types/url-join@^0.8.2":
   version "0.8.2"
   resolved "https://registry.yarnpkg.com/@types/url-join/-/url-join-0.8.2.tgz#1181ecbe1d97b7034e0ea1e35e62e86cc26b422d"
@@ -2357,7 +2382,7 @@ expand-tilde@^2.0.0, expand-tilde@^2.0.2:
   dependencies:
     homedir-polyfill "^1.0.1"
 
-expect.js@0.3.1:
+expect.js@^0.3.1:
   version "0.3.1"
   resolved "https://registry.yarnpkg.com/expect.js/-/expect.js-0.3.1.tgz#b0a59a0d2eff5437544ebf0ceaa6015841d09b5b"
 

From 07919a7d2755227b7e4e06acfd297b28ff8f73ef Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Wed, 12 Sep 2018 19:14:17 -0400
Subject: [PATCH 131/183] fix package version

---
 x-pack/package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/package.json b/x-pack/package.json
index 2068663468f62f..e73ebd68d05638 100644
--- a/x-pack/package.json
+++ b/x-pack/package.json
@@ -45,7 +45,7 @@
     "enzyme": "3.2.0",
     "enzyme-adapter-react-16": "^1.1.1",
     "enzyme-to-json": "3.3.1",
-    "expect.js": "^0.3.1",
+    "expect.js": "0.3.1",
     "fancy-log": "^1.3.2",
     "fetch-mock": "^5.13.1",
     "gulp": "3.9.1",
@@ -169,4 +169,4 @@
   "engines": {
     "yarn": "^1.6.0"
   }
-}
+}
\ No newline at end of file

From d9095b6a3f56771955dd15ac9c5507187142ef01 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Wed, 12 Sep 2018 19:17:27 -0400
Subject: [PATCH 132/183] update xpack yarn.lock

---
 x-pack/yarn.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/yarn.lock b/x-pack/yarn.lock
index bf3b9ea293564a..e1f6e8df855198 100644
--- a/x-pack/yarn.lock
+++ b/x-pack/yarn.lock
@@ -2382,7 +2382,7 @@ expand-tilde@^2.0.0, expand-tilde@^2.0.2:
   dependencies:
     homedir-polyfill "^1.0.1"
 
-expect.js@^0.3.1:
+expect.js@0.3.1:
   version "0.3.1"
   resolved "https://registry.yarnpkg.com/expect.js/-/expect.js-0.3.1.tgz#b0a59a0d2eff5437544ebf0ceaa6015841d09b5b"
 

From a665a5eee0efac597b90c4405accb2023a790aa9 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Wed, 12 Sep 2018 19:47:37 -0400
Subject: [PATCH 133/183] [Spaces] - improve ux for unauthorized users (#22982)

---
 .../edit_role/components/edit_role_page.tsx   |   3 +
 .../kibana_privileges.test.tsx.snap           |   5 +
 .../space_aware_privilege_form.test.tsx.snap  |  30 +++++
 .../kibana/impacted_spaces_flyout.test.tsx    |   3 +
 .../kibana/impacted_spaces_flyout.tsx         |   4 +-
 .../kibana/kibana_privileges.test.tsx         |   1 +
 .../privileges/kibana/kibana_privileges.tsx   |   4 +
 .../space_aware_privilege_form.test.tsx       |  19 ++++
 .../kibana/space_aware_privilege_form.tsx     |  23 +++-
 .../views/management/edit_role/index.js       |   3 +
 x-pack/plugins/spaces/index.js                |   9 ++
 .../components/manage_spaces_button.tsx       |   6 +
 .../views/management/components/index.ts      |   1 +
 .../components/unauthorized_prompt.tsx        |  19 ++++
 .../edit_space/manage_space_page.js           |  10 ++
 .../public/views/management/page_routes.js    |  16 ++-
 .../spaces_grid/spaces_grid_page.tsx          |  67 +++++++-----
 .../nav_control_popover.test.js.snap          |   8 +-
 .../spaces_description.test.tsx.snap          |   5 +
 .../components/spaces_description.test.tsx    |   4 +-
 .../components/spaces_description.tsx         |   9 +-
 .../nav_control/components/spaces_menu.tsx    |   8 +-
 .../public/views/nav_control/nav_control.js   |   7 +-
 .../nav_control/nav_control_popover.test.js   |  12 +-
 .../views/nav_control/nav_control_popover.tsx |  12 +-
 .../spaces/server/lib/spaces_client.test.ts   | 103 ++++++++++++++++++
 .../spaces/server/lib/spaces_client.ts        |  13 +++
 x-pack/plugins/xpack_main/index.js            |   1 +
 .../public/services/user_profile.test.ts      |  42 +++++++
 .../public/services/user_profile.ts           |  31 ++++++
 .../server/lib/replace_injected_vars.js       |   4 +-
 .../server/lib/user_profile_registry.test.ts  |  36 ++++++
 .../server/lib/user_profile_registry.ts       |  32 ++++++
 33 files changed, 505 insertions(+), 45 deletions(-)
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/unauthorized_prompt.tsx
 create mode 100644 x-pack/plugins/xpack_main/public/services/user_profile.test.ts
 create mode 100644 x-pack/plugins/xpack_main/public/services/user_profile.ts
 create mode 100644 x-pack/plugins/xpack_main/server/lib/user_profile_registry.test.ts
 create mode 100644 x-pack/plugins/xpack_main/server/lib/user_profile_registry.ts

diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
index 0fd03481eec1d3..9d2457b38cfd85 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/edit_role_page.tsx
@@ -23,6 +23,7 @@ import { get } from 'lodash';
 import React, { ChangeEvent, Component, Fragment, HTMLProps } from 'react';
 import { toastNotifications } from 'ui/notify';
 import { Space } from '../../../../../../spaces/common/model/space';
+import { UserProfile } from '../../../../../../xpack_main/public/services/user_profile';
 import { IndexPrivilege } from '../../../../../common/model/index_privilege';
 import { KibanaPrivilege } from '../../../../../common/model/kibana_privilege';
 import { Role } from '../../../../../common/model/role';
@@ -46,6 +47,7 @@ interface Props {
   notifier: any;
   spaces?: Space[];
   spacesEnabled: boolean;
+  userProfile: UserProfile;
 }
 
 interface State {
@@ -212,6 +214,7 @@ export class EditRolePage extends Component<Props, State> {
           kibanaAppPrivileges={this.props.kibanaAppPrivileges}
           spaces={this.props.spaces}
           spacesEnabled={this.props.spacesEnabled}
+          userProfile={this.props.userProfile}
           editable={!isReservedRole(this.state.role)}
           role={this.state.role}
           onChange={this.onRoleChange}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap
index 373e62adca6ff4..50ef26bbe56acc 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/kibana_privileges.test.tsx.snap
@@ -40,6 +40,11 @@ exports[`<KibanaPrivileges> renders without crashing 1`] = `
         },
       ]
     }
+    userProfile={
+      Object {
+        "hasCapability": [Function],
+      }
+    }
     validator={
       RoleValidator {
         "inProgressSpacePrivileges": Array [],
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_aware_privilege_form.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_aware_privilege_form.test.tsx.snap
index 07e626b541350a..eb59b664832922 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_aware_privilege_form.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/space_aware_privilege_form.test.tsx.snap
@@ -217,9 +217,39 @@ exports[`<SpaceAwarePrivilegeForm> renders without crashing 1`] = `
               },
             ]
           }
+          userProfile={
+            Object {
+              "hasCapability": [Function],
+            }
+          }
         />
       </EuiFlexItem>
     </EuiFlexGroup>
   </React.Fragment>
 </React.Fragment>
 `;
+
+exports[`<SpaceAwarePrivilegeForm> with user profile disabling "manageSpaces" renders a warning message instead of the privilege form 1`] = `
+<EuiCallOut
+  color="danger"
+  iconType="alert"
+  size="m"
+  title={
+    <p>
+      Insufficient Privileges
+    </p>
+  }
+>
+  <p>
+    You are not authorized to view all available spaces.
+  </p>
+  <p>
+    Please ensure your account has all privileges granted by the
+     
+    <strong>
+      kibana_user
+    </strong>
+     role, and try again.
+  </p>
+</EuiCallOut>
+`;
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.test.tsx
index 674b44ef3dbf68..aafe9d273c5c4a 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.test.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.test.tsx
@@ -35,6 +35,9 @@ const buildProps = (customProps = {}) => {
         name: 'Marketing',
       },
     ],
+    userProfile: {
+      hasCapability: () => true,
+    },
     kibanaAppPrivileges: [
       {
         name: 'all',
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.tsx
index 63c595314e24d6..e8d53770270db1 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/impacted_spaces_flyout.tsx
@@ -17,6 +17,7 @@ import { PrivilegeSpaceTable } from './privilege_space_table';
 
 import { Space } from '../../../../../../../../spaces/common/model/space';
 import { ManageSpacesButton } from '../../../../../../../../spaces/public/components';
+import { UserProfile } from '../../../../../../../../xpack_main/public/services/user_profile';
 import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
 import { Role } from '../../../../../../../common/model/role';
 import { NO_PRIVILEGE_VALUE } from '../../../lib/constants';
@@ -25,6 +26,7 @@ import './impacted_spaces_flyout.less';
 interface Props {
   role: Role;
   spaces: Space[];
+  userProfile: UserProfile;
 }
 
 interface State {
@@ -118,7 +120,7 @@ export class ImpactedSpacesFlyout extends Component<Props, State> {
         </EuiFlyoutBody>
         <EuiFlyoutFooter className="showImpactedSpaces--flyout--footer">
           {/* TODO: Hide footer if button is not available */}
-          <ManageSpacesButton />
+          <ManageSpacesButton userProfile={this.props.userProfile} />
         </EuiFlyoutFooter>
       </EuiFlyout>
     );
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx
index 82a1133f7aaa2b..07dd40c5de8a59 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.test.tsx
@@ -38,6 +38,7 @@ const buildProps = (customProps = {}) => {
         name: 'Marketing',
       },
     ],
+    userProfile: { hasCapability: () => true },
     editable: true,
     kibanaAppPrivileges: ['all' as KibanaPrivilege],
     onChange: jest.fn(),
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx
index 1ff7b62f715a7a..80d848b5893d51 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges.tsx
@@ -6,6 +6,7 @@
 
 import React, { Component } from 'react';
 import { Space } from '../../../../../../../../spaces/common/model/space';
+import { UserProfile } from '../../../../../../../../xpack_main/public/services/user_profile';
 import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
 import { Role } from '../../../../../../../common/model/role';
 import { RoleValidator } from '../../../lib/validate_role';
@@ -17,6 +18,7 @@ interface Props {
   role: Role;
   spacesEnabled: boolean;
   spaces?: Space[];
+  userProfile: UserProfile;
   editable: boolean;
   kibanaAppPrivileges: KibanaPrivilege[];
   onChange: (role: Role) => void;
@@ -38,6 +40,7 @@ export class KibanaPrivileges extends Component<Props, {}> {
       role,
       spacesEnabled,
       spaces = [],
+      userProfile,
       onChange,
       editable,
       validator,
@@ -49,6 +52,7 @@ export class KibanaPrivileges extends Component<Props, {}> {
           kibanaAppPrivileges={kibanaAppPrivileges}
           role={role}
           spaces={spaces}
+          userProfile={userProfile}
           onChange={onChange}
           editable={editable}
           validator={validator}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.test.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.test.tsx
index bcc59637436100..b386fcafc614c6 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.test.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.test.tsx
@@ -37,6 +37,7 @@ const buildProps = (customProps: any = {}) => {
         name: 'Marketing',
       },
     ],
+    userProfile: { hasCapability: () => true },
     editable: true,
     kibanaAppPrivileges: ['all', 'read'],
     onChange: jest.fn(),
@@ -229,4 +230,22 @@ describe('<SpaceAwarePrivilegeForm>', () => {
       expect(addPrivilegeButton).toHaveLength(1);
     });
   });
+
+  describe('with user profile disabling "manageSpaces"', () => {
+    it('renders a warning message instead of the privilege form', () => {
+      const props = buildProps({
+        userProfile: {
+          hasCapability: (capability: string) => {
+            if (capability === 'manageSpaces') {
+              return false;
+            }
+            throw new Error(`unexpected call to hasCapability: ${capability}`);
+          },
+        },
+      });
+
+      const wrapper = shallow(<SpaceAwarePrivilegeForm {...props} />);
+      expect(wrapper).toMatchSnapshot();
+    });
+  });
 });
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx
index 2801862cabf940..dcdaf055cae8db 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_form.tsx
@@ -6,6 +6,7 @@
 
 import {
   EuiButton,
+  EuiCallOut,
   // @ts-ignore
   EuiDescribedFormGroup,
   EuiFlexGroup,
@@ -17,6 +18,7 @@ import {
 } from '@elastic/eui';
 import React, { Component, Fragment } from 'react';
 import { Space } from '../../../../../../../../spaces/common/model/space';
+import { UserProfile } from '../../../../../../../../xpack_main/public/services/user_profile';
 import { KibanaPrivilege } from '../../../../../../../common/model/kibana_privilege';
 import { Role } from '../../../../../../../common/model/role';
 import { isReservedRole } from '../../../../../../lib/role';
@@ -37,6 +39,7 @@ interface Props {
   onChange: (role: Role) => void;
   editable: boolean;
   validator: RoleValidator;
+  userProfile: UserProfile;
 }
 
 interface PrivilegeForm {
@@ -70,7 +73,19 @@ export class SpaceAwarePrivilegeForm extends Component<Props, State> {
   }
 
   public render() {
-    const { kibanaAppPrivileges, role } = this.props;
+    const { kibanaAppPrivileges, role, userProfile } = this.props;
+
+    if (!userProfile.hasCapability('manageSpaces')) {
+      return (
+        <EuiCallOut title={<p>Insufficient Privileges</p>} iconType="alert" color="danger">
+          <p>You are not authorized to view all available spaces.</p>
+          <p>
+            Please ensure your account has all privileges granted by the{' '}
+            <strong>kibana_user</strong> role, and try again.
+          </p>
+        </EuiCallOut>
+      );
+    }
 
     const assignedPrivileges = role.kibana;
 
@@ -190,7 +205,11 @@ export class SpaceAwarePrivilegeForm extends Component<Props, State> {
             </EuiFlexItem>
           )}
           <EuiFlexItem>
-            <ImpactedSpacesFlyout role={role} spaces={spaces} />
+            <ImpactedSpacesFlyout
+              role={role}
+              spaces={spaces}
+              userProfile={this.props.userProfile}
+            />
           </EuiFlexItem>
         </EuiFlexGroup>
       </Fragment>
diff --git a/x-pack/plugins/security/public/views/management/edit_role/index.js b/x-pack/plugins/security/public/views/management/edit_role/index.js
index 5c744c908824cd..0d71749d0f1210 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/index.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/index.js
@@ -19,6 +19,7 @@ import 'plugins/security/services/shield_indices';
 
 import { IndexPatternsProvider } from 'ui/index_patterns/index_patterns';
 import { XPackInfoProvider } from 'plugins/xpack_main/services/xpack_info';
+import { UserProfileProvider } from 'plugins/xpack_main/services/user_profile';
 import { SpacesManager } from 'plugins/spaces/lib';
 import { checkLicenseError } from 'plugins/security/lib/check_license_error';
 import { EDIT_ROLES_PATH, ROLES_PATH } from '../management_urls';
@@ -92,6 +93,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     const role = $route.current.locals.role;
 
     const xpackInfo = Private(XPackInfoProvider);
+    const userProfile = Private(UserProfileProvider);
     const allowDocumentLevelSecurity = xpackInfo.get('features.security.allowRoleDocumentLevelSecurity');
     const allowFieldLevelSecurity = xpackInfo.get('features.security.allowRoleFieldLevelSecurity');
     const rbacApplication = chrome.getInjected('rbacApplication');
@@ -137,6 +139,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
         notifier={Notifier}
         spaces={spaces}
         spacesEnabled={enableSpaceAwarePrivileges}
+        userProfile={userProfile}
       />, domNode);
 
       // unmount react on controller destroy
diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
index b7cfeb94f958e7..7164854a11e2b3 100644
--- a/x-pack/plugins/spaces/index.js
+++ b/x-pack/plugins/spaces/index.js
@@ -19,6 +19,7 @@ import { wrapError } from './server/lib/errors';
 import mappings from './mappings.json';
 import { spacesSavedObjectsClientWrapperFactory } from './server/lib/saved_objects_client/saved_objects_client_wrapper_factory';
 import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status_and_license_to_initialize';
+import { registerUserProfileCapabilityFactory } from '../xpack_main/server/lib/user_profile_registry';
 import { SpacesClient } from './server/lib/spaces_client';
 import { SpacesAuditLogger } from './server/lib/audit_logger';
 import { AuditLogger } from '../../server/lib/audit_logger';
@@ -124,6 +125,14 @@ export const spaces = (kibana) => new kibana.Plugin({
 
     initSpacesRequestInterceptors(server);
 
+    registerUserProfileCapabilityFactory(async (request) => {
+      const spacesClient = server.plugins.spaces.spacesClient.getScopedClient(request);
+
+      return {
+        manageSpaces: await spacesClient.canEnumerateSpaces(),
+      };
+    });
+
     // Register a function with server to manage the collection of usage stats
     server.usage.collectorSet.register(getSpacesUsageCollector(server));
   }
diff --git a/x-pack/plugins/spaces/public/components/manage_spaces_button.tsx b/x-pack/plugins/spaces/public/components/manage_spaces_button.tsx
index 81113fd4cde874..eb70629255ed03 100644
--- a/x-pack/plugins/spaces/public/components/manage_spaces_button.tsx
+++ b/x-pack/plugins/spaces/public/components/manage_spaces_button.tsx
@@ -6,16 +6,22 @@
 
 import { EuiButton } from '@elastic/eui';
 import React, { Component, CSSProperties } from 'react';
+import { UserProfile } from '../../../xpack_main/public/services/user_profile';
 import { MANAGE_SPACES_URL } from '../lib/constants';
 
 interface Props {
   isDisabled?: boolean;
   size?: 's' | 'l';
   style?: CSSProperties;
+  userProfile: UserProfile;
 }
 
 export class ManageSpacesButton extends Component<Props, {}> {
   public render() {
+    if (!this.props.userProfile.hasCapability('manageSpaces')) {
+      return null;
+    }
+
     return (
       <EuiButton
         size={this.props.size || 's'}
diff --git a/x-pack/plugins/spaces/public/views/management/components/index.ts b/x-pack/plugins/spaces/public/views/management/components/index.ts
index 651455d00e9f28..91f4964e1da068 100644
--- a/x-pack/plugins/spaces/public/views/management/components/index.ts
+++ b/x-pack/plugins/spaces/public/views/management/components/index.ts
@@ -5,3 +5,4 @@
  */
 
 export { ConfirmDeleteModal } from './confirm_delete_modal';
+export { UnauthorizedPrompt } from './unauthorized_prompt';
diff --git a/x-pack/plugins/spaces/public/views/management/components/unauthorized_prompt.tsx b/x-pack/plugins/spaces/public/views/management/components/unauthorized_prompt.tsx
new file mode 100644
index 00000000000000..a0888b86fa0eb7
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/unauthorized_prompt.tsx
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EuiEmptyPrompt } from '@elastic/eui';
+import React from 'react';
+
+export const UnauthorizedPrompt = () => (
+  <EuiEmptyPrompt
+    iconType="spacesApp"
+    iconColor={'danger'}
+    title={<h2>Permission denied</h2>}
+    body={
+      <p data-test-subj="permissionDeniedMessage">You do not have permission to manage spaces.</p>
+    }
+  />
+);
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
index 7524fa11dfd8d2..0ff739e127656e 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
@@ -34,6 +34,7 @@ import { CustomizeSpaceAvatar } from './customize_space_avatar';
 import { isReservedSpace } from '../../../../common';
 import { ReservedSpaceBadge } from './reserved_space_badge';
 import { SpaceValidator } from '../lib/validate_space';
+import { UnauthorizedPrompt } from '../components/unauthorized_prompt';
 
 export class ManageSpacePage extends Component {
   state = {
@@ -99,6 +100,14 @@ export class ManageSpacePage extends Component {
   }
 
   getForm = () => {
+    const {
+      userProfile
+    } = this.props;
+
+    if (!userProfile.hasCapability('manageSpaces')) {
+      return <UnauthorizedPrompt />;
+    }
+
     const {
       name = '',
       description = '',
@@ -336,4 +345,5 @@ ManageSpacePage.propTypes = {
   space: PropTypes.string,
   spacesManager: PropTypes.object,
   spacesNavState: PropTypes.object.isRequired,
+  userProfile: PropTypes.object.isRequired,
 };
diff --git a/x-pack/plugins/spaces/public/views/management/page_routes.js b/x-pack/plugins/spaces/public/views/management/page_routes.js
index 07f97439184fea..17bb29ac6282aa 100644
--- a/x-pack/plugins/spaces/public/views/management/page_routes.js
+++ b/x-pack/plugins/spaces/public/views/management/page_routes.js
@@ -7,6 +7,7 @@
 import 'ui/autoload/styles';
 import 'plugins/spaces/views/management/manage_spaces.less';
 import template from 'plugins/spaces/views/management/template.html';
+import { UserProfileProvider } from 'plugins/xpack_main/services/user_profile';
 
 import React from 'react';
 import { render, unmountComponentAtNode } from 'react-dom';
@@ -20,7 +21,9 @@ const reactRootNodeId = 'manageSpacesReactRoot';
 
 routes.when('/management/spaces/list', {
   template,
-  controller: function ($scope, $http, chrome, spacesNavState, spaceSelectorURL) {
+  controller: function ($scope, $http, chrome, Private, spacesNavState, spaceSelectorURL) {
+    const userProfile = Private(UserProfileProvider);
+
     $scope.$$postDigest(() => {
       const domNode = document.getElementById(reactRootNodeId);
 
@@ -29,6 +32,7 @@ routes.when('/management/spaces/list', {
       render(<SpacesGridPage
         spacesManager={spacesManager}
         spacesNavState={spacesNavState}
+        userProfile={userProfile}
       />, domNode);
 
       // unmount react on controller destroy
@@ -41,7 +45,9 @@ routes.when('/management/spaces/list', {
 
 routes.when('/management/spaces/create', {
   template,
-  controller: function ($scope, $http, chrome, spacesNavState, spaceSelectorURL) {
+  controller: function ($scope, $http, chrome, Private, spacesNavState, spaceSelectorURL) {
+    const userProfile = Private(UserProfileProvider);
+
     $scope.$$postDigest(() => {
       const domNode = document.getElementById(reactRootNodeId);
 
@@ -50,6 +56,7 @@ routes.when('/management/spaces/create', {
       render(<ManageSpacePage
         spacesManager={spacesManager}
         spacesNavState={spacesNavState}
+        userProfile={userProfile}
       />, domNode);
 
       // unmount react on controller destroy
@@ -66,7 +73,9 @@ routes.when('/management/spaces/edit', {
 
 routes.when('/management/spaces/edit/:space', {
   template,
-  controller: function ($scope, $http, $route, chrome, spacesNavState, spaceSelectorURL) {
+  controller: function ($scope, $http, $route, chrome, Private, spacesNavState, spaceSelectorURL) {
+    const userProfile = Private(UserProfileProvider);
+
     $scope.$$postDigest(() => {
 
       const domNode = document.getElementById(reactRootNodeId);
@@ -81,6 +90,7 @@ routes.when('/management/spaces/edit/:space', {
         chrome={chrome}
         spacesManager={spacesManager}
         spacesNavState={spacesNavState}
+        userProfile={userProfile}
       />, domNode);
 
       // unmount react on controller destroy
diff --git a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx
index 83a7d4149a25d6..f627159718452d 100644
--- a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx
+++ b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { Component } from 'react';
+import React, { Component, Fragment } from 'react';
 
 import {
   EuiButton,
@@ -22,15 +22,18 @@ import {
 
 import { toastNotifications } from 'ui/notify';
 
+import { UserProfile } from '../../../../../xpack_main/public/services/user_profile';
 import { isReservedSpace } from '../../../../common';
 import { Space } from '../../../../common/model/space';
 import { SpaceAvatar } from '../../../components';
 import { SpacesManager } from '../../../lib/spaces_manager';
 import { ConfirmDeleteModal } from '../components/confirm_delete_modal';
+import { UnauthorizedPrompt } from '../components/unauthorized_prompt';
 
 interface Props {
   spacesManager: SpacesManager;
   spacesNavState: any;
+  userProfile: UserProfile;
 }
 
 interface State {
@@ -61,38 +64,48 @@ export class SpacesGridPage extends Component<Props, State> {
     return (
       <EuiPage restrictWidth className="spacesGridPage">
         <EuiPageBody>
-          <EuiPageContent horizontalPosition="center">
-            <EuiFlexGroup justifyContent={'spaceBetween'}>
-              <EuiFlexItem grow={false}>
-                <EuiText>
-                  <h1>Spaces</h1>
-                </EuiText>
-              </EuiFlexItem>
-              <EuiFlexItem grow={false}>{this.getPrimaryActionButton()}</EuiFlexItem>
-            </EuiFlexGroup>
-            <EuiSpacer size={'xl'} />
-
-            <EuiInMemoryTable
-              itemId={'id'}
-              items={this.state.spaces}
-              columns={this.getColumnConfig()}
-              hasActions
-              pagination={true}
-              search={{
-                box: {
-                  placeholder: 'Search',
-                },
-              }}
-              loading={this.state.loading}
-              message={this.state.loading ? 'loading...' : undefined}
-            />
-          </EuiPageContent>
+          <EuiPageContent horizontalPosition="center">{this.getPageContent()}</EuiPageContent>
         </EuiPageBody>
         {this.getConfirmDeleteModal()}
       </EuiPage>
     );
   }
 
+  public getPageContent() {
+    if (!this.props.userProfile.hasCapability('manageSpaces')) {
+      return <UnauthorizedPrompt />;
+    }
+
+    return (
+      <Fragment>
+        <EuiFlexGroup justifyContent={'spaceBetween'}>
+          <EuiFlexItem grow={false}>
+            <EuiText>
+              <h1>Spaces</h1>
+            </EuiText>
+          </EuiFlexItem>
+          <EuiFlexItem grow={false}>{this.getPrimaryActionButton()}</EuiFlexItem>
+        </EuiFlexGroup>
+        <EuiSpacer size={'xl'} />
+
+        <EuiInMemoryTable
+          itemId={'id'}
+          items={this.state.spaces}
+          columns={this.getColumnConfig()}
+          hasActions
+          pagination={true}
+          search={{
+            box: {
+              placeholder: 'Search',
+            },
+          }}
+          loading={this.state.loading}
+          message={this.state.loading ? 'loading...' : undefined}
+        />
+      </Fragment>
+    );
+  }
+
   public getPrimaryActionButton() {
     return (
       <EuiButton
diff --git a/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap b/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap
index 4871c46dcdedcc..3da9589c10e19d 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap
@@ -43,6 +43,12 @@ exports[`NavControlPopover renders without crashing 1`] = `
   ownFocus={true}
   panelPaddingSize="none"
 >
-  <Component />
+  <Component
+    userProfile={
+      Object {
+        "hasCapability": [Function],
+      }
+    }
+  />
 </EuiPopover>
 `;
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/__snapshots__/spaces_description.test.tsx.snap b/x-pack/plugins/spaces/public/views/nav_control/components/__snapshots__/spaces_description.test.tsx.snap
index b46ae0481840aa..ae120ec8fbab25 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/components/__snapshots__/spaces_description.test.tsx.snap
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/__snapshots__/spaces_description.test.tsx.snap
@@ -26,6 +26,11 @@ exports[`SpacesDescription renders without crashing 1`] = `
           "width": "100%",
         }
       }
+      userProfile={
+        Object {
+          "hasCapability": [Function],
+        }
+      }
     />
   </div>
 </EuiContextMenuPanel>
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.test.tsx b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.test.tsx
index 0308b8b5a4d210..9d8dd36999c751 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.test.tsx
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.test.tsx
@@ -10,6 +10,8 @@ import { SpacesDescription } from './spaces_description';
 
 describe('SpacesDescription', () => {
   it('renders without crashing', () => {
-    expect(shallow(<SpacesDescription />)).toMatchSnapshot();
+    expect(
+      shallow(<SpacesDescription userProfile={{ hasCapability: () => true }} />)
+    ).toMatchSnapshot();
   });
 });
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx
index 127595c930ee42..8d033996f6a8d9 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_description.tsx
@@ -6,11 +6,16 @@
 
 import { EuiContextMenuPanel, EuiText } from '@elastic/eui';
 import React, { SFC } from 'react';
+import { UserProfile } from '../../../../../xpack_main/public/services/user_profile';
 import { ManageSpacesButton } from '../../../components';
 import { SPACES_FEATURE_DESCRIPTION } from '../../../lib/constants';
 import './spaces_description.less';
 
-export const SpacesDescription: SFC = () => {
+interface Props {
+  userProfile: UserProfile;
+}
+
+export const SpacesDescription: SFC<Props> = (props: Props) => {
   const panelProps = {
     className: 'spacesDescription',
     title: 'Spaces',
@@ -22,7 +27,7 @@ export const SpacesDescription: SFC = () => {
         <p>{SPACES_FEATURE_DESCRIPTION}</p>
       </EuiText>
       <div key="manageSpacesButton" className="spacesDescription__manageButtonWrapper">
-        <ManageSpacesButton size="s" style={{ width: `100%` }} />
+        <ManageSpacesButton size="s" style={{ width: `100%` }} userProfile={props.userProfile} />
       </div>
     </EuiContextMenuPanel>
   );
diff --git a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx
index 2376914ec1b114..7827e26555230d 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx
+++ b/x-pack/plugins/spaces/public/views/nav_control/components/spaces_menu.tsx
@@ -6,6 +6,7 @@
 
 import { EuiContextMenuItem, EuiContextMenuPanel, EuiFieldSearch, EuiText } from '@elastic/eui';
 import React, { Component } from 'react';
+import { UserProfile } from '../../../../../xpack_main/public/services/user_profile';
 import { SPACE_SEARCH_COUNT_THRESHOLD } from '../../../../common/constants';
 import { Space } from '../../../../common/model/space';
 import { ManageSpacesButton, SpaceAvatar } from '../../../components';
@@ -14,6 +15,7 @@ import './spaces_menu.less';
 interface Props {
   spaces: Space[];
   onSelectSpace: (space: Space) => void;
+  userProfile: UserProfile;
 }
 
 interface State {
@@ -133,7 +135,11 @@ export class SpacesMenu extends Component<Props, State> {
   private renderManageButton = () => {
     return (
       <div key="manageSpacesButton" className="spacesMenu__manageButtonWrapper">
-        <ManageSpacesButton size="s" style={{ width: `100%` }} />
+        <ManageSpacesButton
+          size="s"
+          style={{ width: `100%` }}
+          userProfile={this.props.userProfile}
+        />
       </div>
     );
   };
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
index c1599ed1a6bc5a..657194a09a5a8b 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
@@ -10,6 +10,7 @@ import { uiModules } from 'ui/modules';
 import { SpacesManager } from 'plugins/spaces/lib/spaces_manager';
 import template from 'plugins/spaces/views/nav_control/nav_control.html';
 import 'plugins/spaces/views/nav_control/nav_control.less';
+import { UserProfileProvider } from 'plugins/xpack_main/services/user_profile';
 
 import React from 'react';
 import { render, unmountComponentAtNode } from 'react-dom';
@@ -25,7 +26,9 @@ const module = uiModules.get('spaces_nav', ['kibana']);
 
 let spacesManager;
 
-module.controller('spacesNavController', ($scope, $http, chrome, activeSpace, spaceSelectorURL) => {
+module.controller('spacesNavController', ($scope, $http, chrome, Private, activeSpace, spaceSelectorURL) => {
+  const userProfile = Private(UserProfileProvider);
+
   const domNode = document.getElementById(`spacesNavReactRoot`);
 
   spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
@@ -34,7 +37,7 @@ module.controller('spacesNavController', ($scope, $http, chrome, activeSpace, sp
 
   $scope.$parent.$watch('isVisible', function (isVisible) {
     if (isVisible && !mounted) {
-      render(<NavControlPopover spacesManager={spacesManager} activeSpace={activeSpace} />, domNode);
+      render(<NavControlPopover spacesManager={spacesManager} activeSpace={activeSpace} userProfile={userProfile} />, domNode);
       mounted = true;
     }
   });
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js
index 0c35f175d930d9..9252055e339570 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js
@@ -41,7 +41,11 @@ describe('NavControlPopover', () => {
 
     const spacesManager = new SpacesManager(createMockHttpAgent(), mockChrome);
 
-    const wrapper = shallow(<NavControlPopover activeSpace={activeSpace} spacesManager={spacesManager} />);
+    const wrapper = shallow(<NavControlPopover
+      activeSpace={activeSpace}
+      spacesManager={spacesManager}
+      userProfile={{ hasCapability: () => true }}
+    />);
     expect(wrapper).toMatchSnapshot();
   });
 
@@ -55,7 +59,11 @@ describe('NavControlPopover', () => {
 
     const spacesManager = new SpacesManager(mockAgent, mockChrome);
 
-    const wrapper = mount(<NavControlPopover activeSpace={activeSpace} spacesManager={spacesManager} />);
+    const wrapper = mount(<NavControlPopover
+      activeSpace={activeSpace}
+      spacesManager={spacesManager}
+      userProfile={{ hasCapability: () => true }}
+    />);
 
     return new Promise((resolve) => {
       setTimeout(() => {
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
index 6bd643de0f3f1c..bdf45b7c61bac7 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
@@ -6,6 +6,7 @@
 
 import { EuiAvatar, EuiPopover } from '@elastic/eui';
 import React, { Component } from 'react';
+import { UserProfile } from '../../../../xpack_main/public/services/user_profile';
 import { Space } from '../../../common/model/space';
 import { SpaceAvatar } from '../../components';
 import { SpacesManager } from '../../lib/spaces_manager';
@@ -19,6 +20,7 @@ interface Props {
     error: string;
     space: Space;
   };
+  userProfile: UserProfile;
 }
 
 interface State {
@@ -57,9 +59,15 @@ export class NavControlPopover extends Component<Props, State> {
 
     let element: React.ReactNode;
     if (this.state.spaces.length < 2) {
-      element = <SpacesDescription />;
+      element = <SpacesDescription userProfile={this.props.userProfile} />;
     } else {
-      element = <SpacesMenu spaces={this.state.spaces} onSelectSpace={this.onSelectSpace} />;
+      element = (
+        <SpacesMenu
+          spaces={this.state.spaces}
+          onSelectSpace={this.onSelectSpace}
+          userProfile={this.props.userProfile}
+        />
+      );
     }
 
     return (
diff --git a/x-pack/plugins/spaces/server/lib/spaces_client.test.ts b/x-pack/plugins/spaces/server/lib/spaces_client.test.ts
index 6aaed0bb9506c3..e272d7d7454980 100644
--- a/x-pack/plugins/spaces/server/lib/spaces_client.test.ts
+++ b/x-pack/plugins/spaces/server/lib/spaces_client.test.ts
@@ -241,6 +241,109 @@ describe('#getAll', () => {
   });
 });
 
+describe('#canEnumerateSpaces', () => {
+  describe(`authorization is null`, () => {
+    test(`returns true`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const authorization = null;
+      const request = Symbol();
+
+      const client = new SpacesClient(mockAuditLogger as any, authorization, null, null, request);
+
+      const canEnumerateSpaces = await client.canEnumerateSpaces();
+      expect(canEnumerateSpaces).toEqual(true);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+
+  describe(`authorization.mode.useRbacForRequest is false`, () => {
+    test(`returns true`, async () => {
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        null,
+        request
+      );
+      const canEnumerateSpaces = await client.canEnumerateSpaces();
+
+      expect(canEnumerateSpaces).toEqual(true);
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+
+  describe('useRbacForRequest is true', () => {
+    test(`returns false if user is not authorized to enumerate spaces`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      mockCheckPrivilegesGlobally.mockReturnValue({
+        username,
+        hasAllRequested: false,
+      });
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        null,
+        request
+      );
+
+      const canEnumerateSpaces = await client.canEnumerateSpaces();
+      expect(canEnumerateSpaces).toEqual(false);
+
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
+        mockAuthorization.actions.manageSpaces
+      );
+
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+
+    test(`returns true if user is authorized to enumerate spaces`, async () => {
+      const username = Symbol();
+      const mockAuditLogger = createMockAuditLogger();
+      const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
+      mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
+      mockCheckPrivilegesGlobally.mockReturnValue({
+        username,
+        hasAllRequested: true,
+      });
+      const request = Symbol();
+
+      const client = new SpacesClient(
+        mockAuditLogger as any,
+        mockAuthorization,
+        null,
+        null,
+        request
+      );
+
+      const canEnumerateSpaces = await client.canEnumerateSpaces();
+      expect(canEnumerateSpaces).toEqual(true);
+
+      expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
+      expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
+        mockAuthorization.actions.manageSpaces
+      );
+
+      expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
+      expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
+    });
+  });
+});
+
 describe('#get', () => {
   const savedObject = {
     id: 'foo',
diff --git a/x-pack/plugins/spaces/server/lib/spaces_client.ts b/x-pack/plugins/spaces/server/lib/spaces_client.ts
index 2942b5a019fcb8..96bfd995ce56b3 100644
--- a/x-pack/plugins/spaces/server/lib/spaces_client.ts
+++ b/x-pack/plugins/spaces/server/lib/spaces_client.ts
@@ -30,6 +30,19 @@ export class SpacesClient {
     this.request = request;
   }
 
+  public async canEnumerateSpaces(): Promise<boolean> {
+    if (this.useRbac()) {
+      const checkPrivileges = this.authorization.checkPrivilegesWithRequest(this.request);
+      const { hasAllRequested } = await checkPrivileges.globally(
+        this.authorization.actions.manageSpaces
+      );
+      return hasAllRequested;
+    }
+
+    // If not RBAC, then we are legacy, and all legacy users can enumerate all spaces
+    return true;
+  }
+
   public async getAll(): Promise<[Space]> {
     if (this.useRbac()) {
       const { saved_objects } = await this.internalSavedObjectRepository.find({
diff --git a/x-pack/plugins/xpack_main/index.js b/x-pack/plugins/xpack_main/index.js
index 6e6ed25893ced1..231bed0fe0348d 100644
--- a/x-pack/plugins/xpack_main/index.js
+++ b/x-pack/plugins/xpack_main/index.js
@@ -88,6 +88,7 @@ export const xpackMain = (kibana) => {
           telemetryUrl: config.get('xpack.xpack_main.telemetry.url'),
           telemetryEnabled: isTelemetryEnabled(config),
           telemetryOptedIn: null,
+          userProfile: {},
         };
       },
       hacks: [
diff --git a/x-pack/plugins/xpack_main/public/services/user_profile.test.ts b/x-pack/plugins/xpack_main/public/services/user_profile.test.ts
new file mode 100644
index 00000000000000..45507ab6042844
--- /dev/null
+++ b/x-pack/plugins/xpack_main/public/services/user_profile.test.ts
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { UserProfileProvider } from './user_profile';
+
+describe('UserProfile', () => {
+  it('should return true when the specified capability is enabled', () => {
+    const capabilities = {
+      test1: true,
+      test2: false,
+    };
+
+    const userProfile = UserProfileProvider(capabilities);
+
+    expect(userProfile.hasCapability('test1')).toEqual(true);
+  });
+
+  it('should return false when the specified capability is disabled', () => {
+    const capabilities = {
+      test1: true,
+      test2: false,
+    };
+
+    const userProfile = UserProfileProvider(capabilities);
+
+    expect(userProfile.hasCapability('test2')).toEqual(false);
+  });
+
+  it('should return the default value when the specified capability is not defined', () => {
+    const capabilities = {
+      test1: true,
+      test2: false,
+    };
+
+    const userProfile = UserProfileProvider(capabilities);
+
+    expect(userProfile.hasCapability('test3')).toEqual(true);
+    expect(userProfile.hasCapability('test3', false)).toEqual(false);
+  });
+});
diff --git a/x-pack/plugins/xpack_main/public/services/user_profile.ts b/x-pack/plugins/xpack_main/public/services/user_profile.ts
new file mode 100644
index 00000000000000..09b257aa80e3fe
--- /dev/null
+++ b/x-pack/plugins/xpack_main/public/services/user_profile.ts
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+interface Capabilities {
+  [capability: string]: boolean;
+}
+
+export interface UserProfile {
+  hasCapability: (capability: string) => boolean;
+}
+
+export function UserProfileProvider(userProfile: Capabilities) {
+  class UserProfileClass implements UserProfile {
+    private capabilities: Capabilities;
+
+    constructor(profileData: Capabilities = {}) {
+      this.capabilities = {
+        ...profileData,
+      };
+    }
+
+    public hasCapability(capability: string, defaultValue: boolean = true): boolean {
+      return capability in this.capabilities ? this.capabilities[capability] : defaultValue;
+    }
+  }
+
+  return new UserProfileClass(userProfile);
+}
diff --git a/x-pack/plugins/xpack_main/server/lib/replace_injected_vars.js b/x-pack/plugins/xpack_main/server/lib/replace_injected_vars.js
index 990e4e1a7d53a5..b8362c6549e16d 100644
--- a/x-pack/plugins/xpack_main/server/lib/replace_injected_vars.js
+++ b/x-pack/plugins/xpack_main/server/lib/replace_injected_vars.js
@@ -5,13 +5,15 @@
  */
 
 import { getTelemetryOptIn } from "./get_telemetry_opt_in";
+import { buildUserProfile } from './user_profile_registry';
 
 export async function replaceInjectedVars(originalInjectedVars, request, server) {
   const xpackInfo = server.plugins.xpack_main.info;
   const withXpackInfo = async () => ({
     ...originalInjectedVars,
     telemetryOptedIn: await getTelemetryOptIn(request),
-    xpackInitialInfo: xpackInfo.isAvailable() ? xpackInfo.toJSON() : undefined
+    xpackInitialInfo: xpackInfo.isAvailable() ? xpackInfo.toJSON() : undefined,
+    userProfile: await buildUserProfile(request),
   });
 
   // security feature is disabled
diff --git a/x-pack/plugins/xpack_main/server/lib/user_profile_registry.test.ts b/x-pack/plugins/xpack_main/server/lib/user_profile_registry.test.ts
new file mode 100644
index 00000000000000..22a0b58b60c2ab
--- /dev/null
+++ b/x-pack/plugins/xpack_main/server/lib/user_profile_registry.test.ts
@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  buildUserProfile,
+  registerUserProfileCapabilityFactory,
+  removeAllFactories,
+} from './user_profile_registry';
+
+describe('UserProfileRegistry', () => {
+  beforeEach(() => removeAllFactories());
+
+  it('should produce an empty user profile', async () => {
+    expect(await buildUserProfile(null)).toEqual({});
+  });
+
+  it('should accumulate the results of all registered factories', async () => {
+    registerUserProfileCapabilityFactory(async () => ({
+      foo: true,
+      bar: false,
+    }));
+
+    registerUserProfileCapabilityFactory(async () => ({
+      anotherCapability: true,
+    }));
+
+    expect(await buildUserProfile(null)).toEqual({
+      foo: true,
+      bar: false,
+      anotherCapability: true,
+    });
+  });
+});
diff --git a/x-pack/plugins/xpack_main/server/lib/user_profile_registry.ts b/x-pack/plugins/xpack_main/server/lib/user_profile_registry.ts
new file mode 100644
index 00000000000000..417341165fde40
--- /dev/null
+++ b/x-pack/plugins/xpack_main/server/lib/user_profile_registry.ts
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export type CapabilityFactory = (request: any) => Promise<{ [capability: string]: boolean }>;
+
+let factories: CapabilityFactory[] = [];
+
+export function removeAllFactories() {
+  factories = [];
+}
+
+export function registerUserProfileCapabilityFactory(factory: CapabilityFactory) {
+  factories.push(factory);
+}
+
+export async function buildUserProfile(request: any) {
+  const factoryPromises = factories.map(async factory => ({
+    ...(await factory(request)),
+  }));
+
+  const factoryResults = await Promise.all(factoryPromises);
+
+  return factoryResults.reduce((acc, capabilities) => {
+    return {
+      ...acc,
+      ...capabilities,
+    };
+  }, {});
+}

From 5ed44276dfa067492508b65530bdc19ea9a1007a Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Wed, 12 Sep 2018 20:37:48 -0400
Subject: [PATCH 134/183] [Spaces] - Space-aware Settings UI (#22886)

---
 .../advanced_settings.test.js.snap            |  2 ++
 .../sections/settings/advanced_settings.js    |  9 +++++-
 .../components/default_component_registry.js  |  3 ++
 .../__snapshots__/page_subtitle.test.js.snap  |  3 ++
 .../components/page_subtitle/index.js         | 20 +++++++++++++
 .../components/page_subtitle/page_subtitle.js | 20 +++++++++++++
 .../page_subtitle/page_subtitle.test.js       | 28 ++++++++++++++++++
 src/ui/public/management/index.js             |  1 +
 .../views/management/edit_role/index.js       |  9 ++++--
 .../advanced_settings_subtitle.tsx            | 29 +++++++++++++++++++
 .../advanced_settings_subtitle/index.ts       |  7 +++++
 .../advanced_settings_title.tsx               | 27 +++++++++++++++++
 .../advanced_settings_title/index.ts          |  7 +++++
 .../views/management/{index.ts => index.tsx}  | 21 +++++++++++---
 .../public/views/nav_control/nav_control.js   |  3 +-
 x-pack/plugins/xpack_main/index.js            |  2 ++
 .../components/telemetry/telemetry_form.js    | 20 +++++++++++++
 .../public/views/management/management.js     | 20 +++++++++++--
 18 files changed, 220 insertions(+), 11 deletions(-)
 create mode 100644 src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/__snapshots__/page_subtitle.test.js.snap
 create mode 100644 src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/index.js
 create mode 100644 src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/page_subtitle.js
 create mode 100644 src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/page_subtitle.test.js
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/advanced_settings_subtitle.tsx
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/index.ts
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/advanced_settings_title.tsx
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/index.ts
 rename x-pack/plugins/spaces/public/views/management/{index.ts => index.tsx} (60%)

diff --git a/src/core_plugins/kibana/public/management/sections/settings/__snapshots__/advanced_settings.test.js.snap b/src/core_plugins/kibana/public/management/sections/settings/__snapshots__/advanced_settings.test.js.snap
index 85abe0571d1167..00f953298c063b 100644
--- a/src/core_plugins/kibana/public/management/sections/settings/__snapshots__/advanced_settings.test.js.snap
+++ b/src/core_plugins/kibana/public/management/sections/settings/__snapshots__/advanced_settings.test.js.snap
@@ -51,6 +51,7 @@ exports[`AdvancedSettings should render normally 1`] = `
       />
     </EuiFlexItem>
   </EuiFlexGroup>
+  <advanced_settings_page_subtitle />
   <EuiSpacer
     size="m"
   />
@@ -396,6 +397,7 @@ exports[`AdvancedSettings should render specific setting if given setting key 1`
       />
     </EuiFlexItem>
   </EuiFlexGroup>
+  <advanced_settings_page_subtitle />
   <EuiSpacer
     size="m"
   />
diff --git a/src/core_plugins/kibana/public/management/sections/settings/advanced_settings.js b/src/core_plugins/kibana/public/management/sections/settings/advanced_settings.js
index 7ce4341f59ed8e..6ec6cd714556c6 100644
--- a/src/core_plugins/kibana/public/management/sections/settings/advanced_settings.js
+++ b/src/core_plugins/kibana/public/management/sections/settings/advanced_settings.js
@@ -35,7 +35,12 @@ import { Form } from './components/form';
 import { getAriaName, toEditableConfig, DEFAULT_CATEGORY } from './lib';
 
 import './advanced_settings.less';
-import { registerDefaultComponents, PAGE_TITLE_COMPONENT, PAGE_FOOTER_COMPONENT } from './components/default_component_registry';
+import {
+  registerDefaultComponents,
+  PAGE_TITLE_COMPONENT,
+  PAGE_SUBTITLE_COMPONENT,
+  PAGE_FOOTER_COMPONENT
+} from './components/default_component_registry';
 import { getSettingsComponent } from './components/component_registry';
 
 export class AdvancedSettings extends Component {
@@ -145,6 +150,7 @@ export class AdvancedSettings extends Component {
     const { filteredSettings, query, footerQueryMatched } = this.state;
 
     const PageTitle = getSettingsComponent(PAGE_TITLE_COMPONENT);
+    const PageSubtitle = getSettingsComponent(PAGE_SUBTITLE_COMPONENT);
     const PageFooter = getSettingsComponent(PAGE_FOOTER_COMPONENT);
 
     return (
@@ -161,6 +167,7 @@ export class AdvancedSettings extends Component {
             />
           </EuiFlexItem>
         </EuiFlexGroup>
+        <PageSubtitle />
         <EuiSpacer size="m" />
         <CallOuts />
         <EuiSpacer size="m" />
diff --git a/src/core_plugins/kibana/public/management/sections/settings/components/default_component_registry.js b/src/core_plugins/kibana/public/management/sections/settings/components/default_component_registry.js
index 221f8c2f82bf8c..41979d4bd66a6c 100644
--- a/src/core_plugins/kibana/public/management/sections/settings/components/default_component_registry.js
+++ b/src/core_plugins/kibana/public/management/sections/settings/components/default_component_registry.js
@@ -19,12 +19,15 @@
 
 import { tryRegisterSettingsComponent } from './component_registry';
 import { PageTitle } from './page_title';
+import { PageSubtitle } from './page_subtitle';
 import { PageFooter } from './page_footer';
 
 export const PAGE_TITLE_COMPONENT = 'advanced_settings_page_title';
+export const PAGE_SUBTITLE_COMPONENT = 'advanced_settings_page_subtitle';
 export const PAGE_FOOTER_COMPONENT = 'advanced_settings_page_footer';
 
 export function registerDefaultComponents() {
   tryRegisterSettingsComponent(PAGE_TITLE_COMPONENT, PageTitle);
+  tryRegisterSettingsComponent(PAGE_SUBTITLE_COMPONENT, PageSubtitle);
   tryRegisterSettingsComponent(PAGE_FOOTER_COMPONENT, PageFooter);
 }
\ No newline at end of file
diff --git a/src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/__snapshots__/page_subtitle.test.js.snap b/src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/__snapshots__/page_subtitle.test.js.snap
new file mode 100644
index 00000000000000..24ec8954590386
--- /dev/null
+++ b/src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/__snapshots__/page_subtitle.test.js.snap
@@ -0,0 +1,3 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`PageSubtitle should render normally 1`] = `""`;
diff --git a/src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/index.js b/src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/index.js
new file mode 100644
index 00000000000000..76b6293b4c267a
--- /dev/null
+++ b/src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/index.js
@@ -0,0 +1,20 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+export { PageSubtitle } from './page_subtitle';
diff --git a/src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/page_subtitle.js b/src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/page_subtitle.js
new file mode 100644
index 00000000000000..35485fdc7b492c
--- /dev/null
+++ b/src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/page_subtitle.js
@@ -0,0 +1,20 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+export const PageSubtitle = () => null;
\ No newline at end of file
diff --git a/src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/page_subtitle.test.js b/src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/page_subtitle.test.js
new file mode 100644
index 00000000000000..2b1d06ceeed414
--- /dev/null
+++ b/src/core_plugins/kibana/public/management/sections/settings/components/page_subtitle/page_subtitle.test.js
@@ -0,0 +1,28 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import React from 'react';
+import { shallow } from 'enzyme';
+
+import { PageSubtitle } from './page_subtitle';
+
+describe('PageSubtitle', () => {
+  it('should render normally', () => {
+    expect(shallow(<PageSubtitle />)).toMatchSnapshot();
+  });
+});
\ No newline at end of file
diff --git a/src/ui/public/management/index.js b/src/ui/public/management/index.js
index 62f9850c839f5e..b4a0262bf88826 100644
--- a/src/ui/public/management/index.js
+++ b/src/ui/public/management/index.js
@@ -21,6 +21,7 @@ import { ManagementSection } from './section';
 
 export {
   PAGE_TITLE_COMPONENT,
+  PAGE_SUBTITLE_COMPONENT,
   PAGE_FOOTER_COMPONENT,
 } from '../../../core_plugins/kibana/public/management/sections/settings/components/default_component_registry';
 
diff --git a/x-pack/plugins/security/public/views/management/edit_role/index.js b/x-pack/plugins/security/public/views/management/edit_role/index.js
index 0d71749d0f1210..996169d4fc70cc 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/index.js
+++ b/x-pack/plugins/security/public/views/management/edit_role/index.js
@@ -19,8 +19,8 @@ import 'plugins/security/services/shield_indices';
 
 import { IndexPatternsProvider } from 'ui/index_patterns/index_patterns';
 import { XPackInfoProvider } from 'plugins/xpack_main/services/xpack_info';
+import { SpacesManager } from '../../../../../spaces/public/lib';
 import { UserProfileProvider } from 'plugins/xpack_main/services/user_profile';
-import { SpacesManager } from 'plugins/spaces/lib';
 import { checkLicenseError } from 'plugins/security/lib/check_license_error';
 import { EDIT_ROLES_PATH, ROLES_PATH } from '../management_urls';
 
@@ -79,8 +79,11 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
       const indexPatterns = Private(IndexPatternsProvider);
       return indexPatterns.getTitles();
     },
-    spaces($http, chrome) {
-      return new SpacesManager($http, chrome).getSpaces();
+    spaces($http, chrome, spacesEnabled) {
+      if (spacesEnabled) {
+        return new SpacesManager($http, chrome).getSpaces();
+      }
+      return [];
     }
   },
   controllerAs: 'editRole',
diff --git a/x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/advanced_settings_subtitle.tsx b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/advanced_settings_subtitle.tsx
new file mode 100644
index 00000000000000..0eef1703fc8563
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/advanced_settings_subtitle.tsx
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EuiCallOut, EuiSpacer } from '@elastic/eui';
+import React, { Fragment } from 'react';
+import { Space } from '../../../../../common/model/space';
+
+interface Props {
+  space: Space;
+}
+
+export const AdvancedSettingsSubtitle = (props: Props) => (
+  <Fragment>
+    <EuiSpacer size={'m'} />
+    <EuiCallOut
+      color="primary"
+      iconType="spacesApp"
+      title={
+        <p>
+          The settings on this page apply to the <strong>{props.space.name}</strong> space, unless
+          otherwise specified.
+        </p>
+      }
+    />
+  </Fragment>
+);
diff --git a/x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/index.ts b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/index.ts
new file mode 100644
index 00000000000000..f403caf3eeebe7
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/index.ts
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { AdvancedSettingsSubtitle } from './advanced_settings_subtitle';
diff --git a/x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/advanced_settings_title.tsx b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/advanced_settings_title.tsx
new file mode 100644
index 00000000000000..c0a4924e9c072a
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/advanced_settings_title.tsx
@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EuiFlexGroup, EuiFlexItem, EuiText } from '@elastic/eui';
+import React from 'react';
+import { Space } from '../../../../../common/model/space';
+import { SpaceAvatar } from '../../../../components';
+
+interface Props {
+  space: Space;
+}
+
+export const AdvancedSettingsTitle = (props: Props) => (
+  <EuiFlexGroup gutterSize="s" responsive={false} alignItems={'center'}>
+    <EuiFlexItem grow={false}>
+      <SpaceAvatar space={props.space} />
+    </EuiFlexItem>
+    <EuiFlexItem style={{ marginLeft: '10px' }}>
+      <EuiText>
+        <h1 data-test-subj="managementSettingsTitle">Settings</h1>
+      </EuiText>
+    </EuiFlexItem>
+  </EuiFlexGroup>
+);
diff --git a/x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/index.ts b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/index.ts
new file mode 100644
index 00000000000000..60fdf51dca70e0
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/index.ts
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { AdvancedSettingsTitle } from './advanced_settings_title';
diff --git a/x-pack/plugins/spaces/public/views/management/index.ts b/x-pack/plugins/spaces/public/views/management/index.tsx
similarity index 60%
rename from x-pack/plugins/spaces/public/views/management/index.ts
rename to x-pack/plugins/spaces/public/views/management/index.tsx
index 4e91aca8ef1305..0f32ca154cbe53 100644
--- a/x-pack/plugins/spaces/public/views/management/index.ts
+++ b/x-pack/plugins/spaces/public/views/management/index.tsx
@@ -3,18 +3,25 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-
 import 'plugins/spaces/views/management/page_routes';
-// @ts-ignore
-import { management } from 'ui/management';
+import React from 'react';
+import {
+  management,
+  PAGE_SUBTITLE_COMPONENT,
+  PAGE_TITLE_COMPONENT,
+  registerSettingsComponent,
+  // @ts-ignore
+} from 'ui/management';
 // @ts-ignore
 import routes from 'ui/routes';
+import { AdvancedSettingsSubtitle } from './components/advanced_settings_subtitle';
+import { AdvancedSettingsTitle } from './components/advanced_settings_title';
 
 const MANAGE_SPACES_KEY = 'manage_spaces';
 
 routes.defaults(/\/management/, {
   resolve: {
-    spacesManagementSection() {
+    spacesManagementSection(activeSpace: any) {
       function getKibanaSection() {
         return management.getSection('kibana');
       }
@@ -34,6 +41,12 @@ routes.defaults(/\/management/, {
             url: `#/management/spaces/list`,
           });
         }
+
+        const PageTitle = () => <AdvancedSettingsTitle space={activeSpace.space} />;
+        registerSettingsComponent(PAGE_TITLE_COMPONENT, PageTitle, true);
+
+        const SubTitle = () => <AdvancedSettingsSubtitle space={activeSpace.space} />;
+        registerSettingsComponent(PAGE_SUBTITLE_COMPONENT, SubTitle, true);
       }
 
       deregisterSpaces();
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
index 657194a09a5a8b..5ed4b57e87ebed 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
@@ -26,10 +26,11 @@ const module = uiModules.get('spaces_nav', ['kibana']);
 
 let spacesManager;
 
-module.controller('spacesNavController', ($scope, $http, chrome, Private, activeSpace, spaceSelectorURL) => {
+module.controller('spacesNavController', ($scope, $http, chrome, Private, activeSpace) => {
   const userProfile = Private(UserProfileProvider);
 
   const domNode = document.getElementById(`spacesNavReactRoot`);
+  const spaceSelectorURL = chrome.getInjected('spaceSelectorURL');
 
   spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
 
diff --git a/x-pack/plugins/xpack_main/index.js b/x-pack/plugins/xpack_main/index.js
index 231bed0fe0348d..c4d64dabc7f5c9 100644
--- a/x-pack/plugins/xpack_main/index.js
+++ b/x-pack/plugins/xpack_main/index.js
@@ -88,6 +88,8 @@ export const xpackMain = (kibana) => {
           telemetryUrl: config.get('xpack.xpack_main.telemetry.url'),
           telemetryEnabled: isTelemetryEnabled(config),
           telemetryOptedIn: null,
+          activeSpace: null,
+          spacesEnabled: config.get('xpack.spaces.enabled'),
           userProfile: {},
         };
       },
diff --git a/x-pack/plugins/xpack_main/public/components/telemetry/telemetry_form.js b/x-pack/plugins/xpack_main/public/components/telemetry/telemetry_form.js
index 1a7826f56d0d2f..54ba58832f0ea8 100644
--- a/x-pack/plugins/xpack_main/public/components/telemetry/telemetry_form.js
+++ b/x-pack/plugins/xpack_main/public/components/telemetry/telemetry_form.js
@@ -7,6 +7,7 @@
 import React, { Component, Fragment } from 'react';
 import PropTypes from 'prop-types';
 import {
+  EuiCallOut,
   EuiPanel,
   EuiForm,
   EuiFlexGroup,
@@ -27,6 +28,8 @@ export class TelemetryForm extends Component {
     telemetryOptInProvider: PropTypes.object.isRequired,
     query: PropTypes.object,
     onQueryMatchChange: PropTypes.func.isRequired,
+    spacesEnabled: PropTypes.bool.isRequired,
+    activeSpace: PropTypes.object,
   };
 
   state = {
@@ -80,6 +83,8 @@ export class TelemetryForm extends Component {
                 </EuiFlexItem>
               </EuiFlexGroup>
             </EuiText>
+
+            {this.maybeGetSpacesWarning()}
             <EuiSpacer size="s" />
             <Field
               setting={{
@@ -97,6 +102,21 @@ export class TelemetryForm extends Component {
     );
   }
 
+  maybeGetSpacesWarning = () => {
+    if (!this.props.spacesEnabled) {
+      return null;
+    }
+    return (
+      <EuiCallOut
+        color="primary"
+        iconType="spacesApp"
+        title={
+          <p>This setting applies to <strong>all of Kibana.</strong></p>
+        }
+      />
+    );
+  }
+
   renderDescription = () => (
     <Fragment>
       <p>{CONFIG_TELEMETRY_DESC}</p>
diff --git a/x-pack/plugins/xpack_main/public/views/management/management.js b/x-pack/plugins/xpack_main/public/views/management/management.js
index 8c244f8ae933fd..9e580f109d5369 100644
--- a/x-pack/plugins/xpack_main/public/views/management/management.js
+++ b/x-pack/plugins/xpack_main/public/views/management/management.js
@@ -12,9 +12,25 @@ import { TelemetryForm } from '../../components';
 
 routes.defaults(/\/management/, {
   resolve: {
-    telemetryManagementSection: function (Private) {
+    telemetryManagementSection: function (Private, spacesEnabled, activeSpace) {
       const telemetryOptInProvider = Private(TelemetryOptInProvider);
-      const Component = (props) => <TelemetryForm telemetryOptInProvider={telemetryOptInProvider} {...props} />;
+
+      const spaceProps = {
+        spacesEnabled,
+      };
+
+      if (spacesEnabled) {
+        spaceProps.activeSpace = activeSpace ? activeSpace.space : null;
+      }
+
+      const Component = (props) => (
+        <TelemetryForm
+          spacesEnabled={spacesEnabled}
+          telemetryOptInProvider={telemetryOptInProvider}
+          {...spaceProps}
+          {...props}
+        />
+      );
 
       registerSettingsComponent(PAGE_FOOTER_COMPONENT, Component, true);
     }

From feef8b742167000eecf0997c9639cfc1ab9acea9 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Thu, 13 Sep 2018 05:29:34 -0400
Subject: [PATCH 135/183] fix xpack_main replaceInjectedVars tests

---
 .../lib/__tests__/replace_injected_vars.js     | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/x-pack/plugins/xpack_main/server/lib/__tests__/replace_injected_vars.js b/x-pack/plugins/xpack_main/server/lib/__tests__/replace_injected_vars.js
index f75ec5678f1c6b..19cf356b148670 100644
--- a/x-pack/plugins/xpack_main/server/lib/__tests__/replace_injected_vars.js
+++ b/x-pack/plugins/xpack_main/server/lib/__tests__/replace_injected_vars.js
@@ -45,7 +45,8 @@ describe('replaceInjectedVars uiExport', () => {
       telemetryOptedIn: null,
       xpackInitialInfo: {
         b: 1
-      }
+      },
+      userProfile: {},
     });
 
     sinon.assert.calledOnce(server.plugins.security.isAuthenticated);
@@ -64,7 +65,8 @@ describe('replaceInjectedVars uiExport', () => {
       telemetryOptedIn: null,
       xpackInitialInfo: {
         b: 1
-      }
+      },
+      userProfile: {},
     });
   });
 
@@ -80,7 +82,8 @@ describe('replaceInjectedVars uiExport', () => {
       telemetryOptedIn: null,
       xpackInitialInfo: {
         b: 1
-      }
+      },
+      userProfile: {},
     });
   });
 
@@ -96,7 +99,8 @@ describe('replaceInjectedVars uiExport', () => {
       telemetryOptedIn: false,
       xpackInitialInfo: {
         b: 1
-      }
+      },
+      userProfile: {},
     });
   });
 
@@ -112,7 +116,8 @@ describe('replaceInjectedVars uiExport', () => {
       telemetryOptedIn: true,
       xpackInitialInfo: {
         b: 1
-      }
+      },
+      userProfile: {},
     });
   });
 
@@ -147,7 +152,8 @@ describe('replaceInjectedVars uiExport', () => {
     expect(newVars).to.eql({
       a: 1,
       telemetryOptedIn: null,
-      xpackInitialInfo: undefined
+      xpackInitialInfo: undefined,
+      userProfile: {},
     });
   });
 

From 79bff575bf0e4ab1d108913a3788aaa7ca9696e4 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Fri, 14 Sep 2018 08:21:11 -0400
Subject: [PATCH 136/183] [Spaces] - code cleanup (#22802)

* finishes TS conversion for the Spaces plugin
---
 src/ui/public/chrome/index.d.ts               |   1 +
 x-pack/package.json                           |   1 +
 ...pace.test.js => is_reserved_space.test.ts} |  15 +-
 .../spaces/common/is_reserved_space.ts        |   2 +-
 ...butes.test.js => space_attributes.test.ts} |  10 +-
 x-pack/plugins/spaces/index.js                | 139 ---------
 x-pack/plugins/spaces/index.ts                | 155 ++++++++++
 ...est.js.snap => space_avatar.test.tsx.snap} |   0
 ...e_avatar.test.js => space_avatar.test.tsx} |   4 +-
 .../spaces/public/components/space_avatar.tsx |   2 +-
 x-pack/plugins/spaces/public/images/demo.png  | Bin 3748 -> 0 bytes
 ...egister_feature.js => register_feature.ts} |  10 +-
 ...space_card.test.js => space_card.test.tsx} |  10 +-
 ...ace_cards.test.js => space_cards.test.tsx} |   4 +-
 .../components/confirm_delete_modal.tsx       |   5 +-
 ...p => customize_space_avatar.test.tsx.snap} |   0
 ...js.snap => space_identifier.test.tsx.snap} |   0
 ...est.js => customize_space_avatar.test.tsx} |  39 ++-
 ...e_avatar.js => customize_space_avatar.tsx} |  99 +++----
 .../edit_space/delete_spaces_button.tsx       |   4 +-
 .../edit_space/{index.js => index.ts}         |   4 +-
 ...ge_space_page.js => manage_space_page.tsx} | 273 +++++++++---------
 ....test.js => reserved_space_badge.test.tsx} |  17 +-
 ...pace_badge.js => reserved_space_badge.tsx} |  24 +-
 ...fier.test.js => space_identifier.test.tsx} |  11 +-
 ...ace_identifier.js => space_identifier.tsx} |  53 ++--
 .../public/views/management/lib/index.js      |  14 -
 .../views/management/lib/index.ts}            |   5 +-
 ...test.js => space_identifier_utils.test.ts} |   2 +-
 ...ier_utils.js => space_identifier_utils.ts} |   0
 ...e_space.test.js => validate_space.test.ts} |  56 +++-
 .../{validate_space.js => validate_space.ts}  |  51 ++--
 .../{page_routes.js => page_routes.tsx}       | 109 ++++---
 .../spaces_grid/spaces_grid_page.tsx          |   5 +-
 ...snap => nav_control_popover.test.tsx.snap} |   1 +
 .../spaces/public/views/nav_control/index.ts  |   2 +
 .../public/views/nav_control/nav_control.js   |  65 -----
 .../public/views/nav_control/nav_control.tsx  |  87 ++++++
 ...r.test.js => nav_control_popover.test.tsx} |  66 +++--
 .../views/nav_control/nav_control_popover.tsx |   2 +-
 .../__snapshots__/space_selector.test.js.snap | 107 -------
 .../space_selector.test.tsx.snap              |  88 ++++++
 .../space_selector/{index.js => index.tsx}    |  36 ++-
 ...lector.test.js => space_selector.test.tsx} |  72 +++--
 .../{space_selector.js => space_selector.tsx} | 124 ++++----
 ...js.snap => spaces_url_parser.test.ts.snap} |   0
 .../{check_license.js => check_license.ts}    |  15 +-
 ...e.test.js => create_default_space.test.ts} |  52 ++--
 ...fault_space.js => create_default_space.ts} |  29 +-
 ....test.js => create_spaces_service.test.ts} |  21 +-
 ...et_active_space.js => get_active_space.ts} |  11 +-
 ....js => get_spaces_usage_collector.test.ts} |  66 +++--
 ...ector.js => get_spaces_usage_collector.ts} |  34 ++-
 ... spaces_saved_objects_client.test.ts.snap} |   0
 .../saved_objects_client_types.ts             |  97 +++++++
 .../saved_objects_client_wrapper_factory.js   |  16 -
 .../saved_objects_client_wrapper_factory.ts   |  22 ++
 ...js => spaces_saved_objects_client.test.ts} | 145 +++++++---
 ...ient.js => spaces_saved_objects_client.ts} | 108 ++++---
 ....js => space_request_interceptors.test.ts} | 221 ++++++++------
 ...ptors.js => space_request_interceptors.ts} |  14 +-
 ...rser.test.js => spaces_url_parser.test.ts} |  10 +-
 x-pack/tsconfig.json                          |  41 ++-
 x-pack/yarn.lock                              |   4 +
 64 files changed, 1566 insertions(+), 1114 deletions(-)
 rename x-pack/plugins/spaces/common/{is_reserved_space.test.js => is_reserved_space.test.ts} (71%)
 rename x-pack/plugins/spaces/common/{space_attributes.test.js => space_attributes.test.ts} (90%)
 delete mode 100644 x-pack/plugins/spaces/index.js
 create mode 100644 x-pack/plugins/spaces/index.ts
 rename x-pack/plugins/spaces/public/components/__snapshots__/{space_avatar.test.js.snap => space_avatar.test.tsx.snap} (100%)
 rename x-pack/plugins/spaces/public/components/{space_avatar.test.js => space_avatar.test.tsx} (85%)
 delete mode 100644 x-pack/plugins/spaces/public/images/demo.png
 rename x-pack/plugins/spaces/public/{register_feature.js => register_feature.ts} (76%)
 rename x-pack/plugins/spaces/public/views/components/{space_card.test.js => space_card.test.tsx} (77%)
 rename x-pack/plugins/spaces/public/views/components/{space_cards.test.js => space_cards.test.tsx} (93%)
 rename x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/{customize_space_avatar.test.js.snap => customize_space_avatar.test.tsx.snap} (100%)
 rename x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/{space_identifier.test.js.snap => space_identifier.test.tsx.snap} (100%)
 rename x-pack/plugins/spaces/public/views/management/edit_space/{customize_space_avatar.test.js => customize_space_avatar.test.tsx} (60%)
 rename x-pack/plugins/spaces/public/views/management/edit_space/{customize_space_avatar.js => customize_space_avatar.tsx} (60%)
 rename x-pack/plugins/spaces/public/views/management/edit_space/{index.js => index.ts} (77%)
 rename x-pack/plugins/spaces/public/views/management/edit_space/{manage_space_page.js => manage_space_page.tsx} (55%)
 rename x-pack/plugins/spaces/public/views/management/edit_space/{reserved_space_badge.test.js => reserved_space_badge.test.tsx} (81%)
 rename x-pack/plugins/spaces/public/views/management/edit_space/{reserved_space_badge.js => reserved_space_badge.tsx} (58%)
 rename x-pack/plugins/spaces/public/views/management/edit_space/{space_identifier.test.js => space_identifier.test.tsx} (87%)
 rename x-pack/plugins/spaces/public/views/management/edit_space/{space_identifier.js => space_identifier.tsx} (66%)
 delete mode 100644 x-pack/plugins/spaces/public/views/management/lib/index.js
 rename x-pack/plugins/spaces/{server/lib/validate_config.js => public/views/management/lib/index.ts} (64%)
 rename x-pack/plugins/spaces/public/views/management/lib/{space_identifier_utils.test.js => space_identifier_utils.test.ts} (93%)
 rename x-pack/plugins/spaces/public/views/management/lib/{space_identifier_utils.js => space_identifier_utils.ts} (100%)
 rename x-pack/plugins/spaces/public/views/management/lib/{validate_space.test.js => validate_space.test.ts} (57%)
 rename x-pack/plugins/spaces/public/views/management/lib/{validate_space.js => validate_space.ts} (62%)
 rename x-pack/plugins/spaces/public/views/management/{page_routes.js => page_routes.tsx} (55%)
 rename x-pack/plugins/spaces/public/views/nav_control/__snapshots__/{nav_control_popover.test.js.snap => nav_control_popover.test.tsx.snap} (97%)
 delete mode 100644 x-pack/plugins/spaces/public/views/nav_control/nav_control.js
 create mode 100644 x-pack/plugins/spaces/public/views/nav_control/nav_control.tsx
 rename x-pack/plugins/spaces/public/views/nav_control/{nav_control_popover.test.js => nav_control_popover.test.tsx} (59%)
 delete mode 100644 x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
 create mode 100644 x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.tsx.snap
 rename x-pack/plugins/spaces/public/views/space_selector/{index.js => index.tsx} (53%)
 rename x-pack/plugins/spaces/public/views/space_selector/{space_selector.test.js => space_selector.test.tsx} (52%)
 rename x-pack/plugins/spaces/public/views/space_selector/{space_selector.js => space_selector.tsx} (58%)
 rename x-pack/plugins/spaces/server/lib/__snapshots__/{spaces_url_parser.test.js.snap => spaces_url_parser.test.ts.snap} (100%)
 rename x-pack/plugins/spaces/server/lib/{check_license.js => check_license.ts} (73%)
 rename x-pack/plugins/spaces/server/lib/{create_default_space.test.js => create_default_space.test.ts} (74%)
 rename x-pack/plugins/spaces/server/lib/{create_default_space.js => create_default_space.ts} (63%)
 rename x-pack/plugins/spaces/server/lib/{create_spaces_service.test.js => create_spaces_service.test.ts} (73%)
 rename x-pack/plugins/spaces/server/lib/{get_active_space.js => get_active_space.ts} (65%)
 rename x-pack/plugins/spaces/server/lib/{get_spaces_usage_collector.test.js => get_spaces_usage_collector.test.ts} (78%)
 rename x-pack/plugins/spaces/server/lib/{get_spaces_usage_collector.js => get_spaces_usage_collector.ts} (80%)
 rename x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/{spaces_saved_objects_client.test.js.snap => spaces_saved_objects_client.test.ts.snap} (100%)
 create mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_types.ts
 delete mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js
 create mode 100644 x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.ts
 rename x-pack/plugins/spaces/server/lib/saved_objects_client/{spaces_saved_objects_client.test.js => spaces_saved_objects_client.test.ts} (80%)
 rename x-pack/plugins/spaces/server/lib/saved_objects_client/{spaces_saved_objects_client.js => spaces_saved_objects_client.ts} (61%)
 rename x-pack/plugins/spaces/server/lib/{space_request_interceptors.test.js => space_request_interceptors.test.ts} (58%)
 rename x-pack/plugins/spaces/server/lib/{space_request_interceptors.js => space_request_interceptors.ts} (95%)
 rename x-pack/plugins/spaces/server/lib/{spaces_url_parser.test.js => spaces_url_parser.test.ts} (93%)

diff --git a/src/ui/public/chrome/index.d.ts b/src/ui/public/chrome/index.d.ts
index 6b7835a26f90b1..e4ce8a6bb5b15f 100644
--- a/src/ui/public/chrome/index.d.ts
+++ b/src/ui/public/chrome/index.d.ts
@@ -28,6 +28,7 @@ declare class Chrome {
   public getXsrfToken(): string;
   public getKibanaVersion(): string;
   public getUiSettingsClient(): any;
+  public setVisible(visible: boolean): any;
 }
 
 declare const chrome: Chrome;
diff --git a/x-pack/package.json b/x-pack/package.json
index 8c5b5a9cd45819..248e6f7ead6fc5 100644
--- a/x-pack/package.json
+++ b/x-pack/package.json
@@ -27,6 +27,7 @@
     "@kbn/test": "link:../packages/kbn-test",
     "@types/expect.js": "^0.3.29",
     "@types/jest": "^23.3.1",
+    "@types/joi": "^10.4.4",
     "@types/mocha": "^5.2.5",
     "@types/pngjs": "^3.3.1",
     "@types/supertest": "^2.0.5",
diff --git a/x-pack/plugins/spaces/common/is_reserved_space.test.js b/x-pack/plugins/spaces/common/is_reserved_space.test.ts
similarity index 71%
rename from x-pack/plugins/spaces/common/is_reserved_space.test.js
rename to x-pack/plugins/spaces/common/is_reserved_space.test.ts
index a2d610199ba38a..7c0bfb74b86eb6 100644
--- a/x-pack/plugins/spaces/common/is_reserved_space.test.js
+++ b/x-pack/plugins/spaces/common/is_reserved_space.test.ts
@@ -5,21 +5,28 @@
  */
 
 import { isReservedSpace } from './is_reserved_space';
+import { Space } from './model/space';
 
 test('it returns true for reserved spaces', () => {
-  const space = {
-    _reserved: true
+  const space: Space = {
+    id: '',
+    name: '',
+    _reserved: true,
   };
 
   expect(isReservedSpace(space)).toEqual(true);
 });
 
 test('it returns false for non-reserved spaces', () => {
-  const space = {};
+  const space: Space = {
+    id: '',
+    name: '',
+  };
 
   expect(isReservedSpace(space)).toEqual(false);
 });
 
-test('it handles empty imput', () => {
+test('it handles empty input', () => {
+  // @ts-ignore
   expect(isReservedSpace()).toEqual(false);
 });
diff --git a/x-pack/plugins/spaces/common/is_reserved_space.ts b/x-pack/plugins/spaces/common/is_reserved_space.ts
index 40acd7630b66c9..788ef80c194ce2 100644
--- a/x-pack/plugins/spaces/common/is_reserved_space.ts
+++ b/x-pack/plugins/spaces/common/is_reserved_space.ts
@@ -13,6 +13,6 @@ import { Space } from './model/space';
  * @param space the space
  * @returns boolean
  */
-export function isReservedSpace(space: Space | null): boolean {
+export function isReservedSpace(space?: Partial<Space> | null): boolean {
   return get(space, '_reserved', false);
 }
diff --git a/x-pack/plugins/spaces/common/space_attributes.test.js b/x-pack/plugins/spaces/common/space_attributes.test.ts
similarity index 90%
rename from x-pack/plugins/spaces/common/space_attributes.test.js
rename to x-pack/plugins/spaces/common/space_attributes.test.ts
index 8ed03ab21c4139..c999dde2756436 100644
--- a/x-pack/plugins/spaces/common/space_attributes.test.js
+++ b/x-pack/plugins/spaces/common/space_attributes.test.ts
@@ -4,13 +4,13 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { getSpaceInitials, getSpaceColor } from "./space_attributes";
+import { getSpaceColor, getSpaceInitials } from './space_attributes';
 
-describe("getSpaceColor", () => {
+describe('getSpaceColor', () => {
   test('uses color on the space, when provided', () => {
     const space = {
       name: 'Foo',
-      color: '#aabbcc'
+      color: '#aabbcc',
     };
 
     expect(getSpaceColor(space)).toEqual('#aabbcc');
@@ -37,11 +37,11 @@ describe("getSpaceColor", () => {
   });
 });
 
-describe("getSpaceInitials", () => {
+describe('getSpaceInitials', () => {
   test('uses initials on the space, when provided', () => {
     const space = {
       name: 'Foo',
-      initials: 'JK'
+      initials: 'JK',
     };
 
     expect(getSpaceInitials(space)).toEqual('JK');
diff --git a/x-pack/plugins/spaces/index.js b/x-pack/plugins/spaces/index.js
deleted file mode 100644
index 7164854a11e2b3..00000000000000
--- a/x-pack/plugins/spaces/index.js
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { resolve } from 'path';
-import { validateConfig } from './server/lib/validate_config';
-import { checkLicense } from './server/lib/check_license';
-import { initPublicSpacesApi } from './server/routes/api/public';
-import { initPrivateApis } from './server/routes/api/v1';
-import { initSpacesRequestInterceptors } from './server/lib/space_request_interceptors';
-import { createDefaultSpace } from './server/lib/create_default_space';
-import { createSpacesService } from './server/lib/create_spaces_service';
-import { getActiveSpace } from './server/lib/get_active_space';
-import { getSpacesUsageCollector } from './server/lib/get_spaces_usage_collector';
-import { createSpacesTutorialContextFactory } from './server/lib/spaces_tutorial_context_factory';
-import { wrapError } from './server/lib/errors';
-import mappings from './mappings.json';
-import { spacesSavedObjectsClientWrapperFactory } from './server/lib/saved_objects_client/saved_objects_client_wrapper_factory';
-import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status_and_license_to_initialize';
-import { registerUserProfileCapabilityFactory } from '../xpack_main/server/lib/user_profile_registry';
-import { SpacesClient } from './server/lib/spaces_client';
-import { SpacesAuditLogger } from './server/lib/audit_logger';
-import { AuditLogger } from '../../server/lib/audit_logger';
-
-export const spaces = (kibana) => new kibana.Plugin({
-  id: 'spaces',
-  configPrefix: 'xpack.spaces',
-  publicDir: resolve(__dirname, 'public'),
-  require: ['kibana', 'elasticsearch', 'xpack_main'],
-
-  config(Joi) {
-    return Joi.object({
-      enabled: Joi.boolean().default(true),
-    }).default();
-  },
-
-  uiExports: {
-    chromeNavControls: ['plugins/spaces/views/nav_control'],
-    managementSections: ['plugins/spaces/views/management'],
-    apps: [{
-      id: 'space_selector',
-      title: 'Spaces',
-      main: 'plugins/spaces/views/space_selector',
-      url: 'space_selector',
-      hidden: true,
-    }],
-    hacks: [],
-    mappings,
-    savedObjectsSchema: {
-      space: {
-        isNamespaceAgnostic: true,
-      },
-    },
-    home: ['plugins/spaces/register_feature'],
-    injectDefaultVars: function (server) {
-      return {
-        spaces: [],
-        activeSpace: null,
-        spaceSelectorURL: server.config().get('server.basePath') || '/',
-      };
-    },
-    replaceInjectedVars: async function (vars, request, server) {
-      const spacesClient = server.plugins.spaces.spacesClient.getScopedClient(request);
-      try {
-        vars.activeSpace = {
-          valid: true,
-          space: await getActiveSpace(spacesClient, request.getBasePath(), server.config().get('server.basePath'))
-        };
-      } catch (e) {
-        vars.activeSpace = {
-          valid: false,
-          error: wrapError(e).output.payload
-        };
-      }
-      return vars;
-    }
-  },
-
-  async init(server) {
-    const thisPlugin = this;
-    const xpackMainPlugin = server.plugins.xpack_main;
-
-    watchStatusAndLicenseToInitialize(xpackMainPlugin, thisPlugin, async () => {
-      await createDefaultSpace(server);
-    });
-
-    // Register a function that is called whenever the xpack info changes,
-    // to re-compute the license check results for this plugin
-    xpackMainPlugin.info.feature(thisPlugin.id).registerLicenseCheckResultsGenerator(checkLicense);
-
-    const config = server.config();
-    validateConfig(config, message => server.log(['spaces', 'warning'], message));
-
-    const spacesService = createSpacesService(server);
-    server.expose('getSpaceId', (request) => spacesService.getSpaceId(request));
-
-    const spacesAuditLogger = new SpacesAuditLogger(config, new AuditLogger(server, 'spaces'));
-
-    server.expose('spacesClient', {
-      getScopedClient: (request) => {
-        const adminCluster = server.plugins.elasticsearch.getCluster('admin');
-        const { callWithRequest, callWithInternalUser } = adminCluster;
-        const callCluster = (...args) => callWithRequest(request, ...args);
-        const { savedObjects } = server;
-        const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
-        const callWithRequestRepository = savedObjects.getSavedObjectsRepository(callCluster);
-        const authorization = server.plugins.security ? server.plugins.security.authorization : null;
-        return new SpacesClient(spacesAuditLogger, authorization, callWithRequestRepository, internalRepository, request);
-      }
-    });
-
-    const { addScopedSavedObjectsClientWrapperFactory, types } = server.savedObjects;
-    addScopedSavedObjectsClientWrapperFactory(Number.MAX_VALUE,
-      spacesSavedObjectsClientWrapperFactory(spacesService, types)
-    );
-
-    server.addScopedTutorialContextFactory(
-      createSpacesTutorialContextFactory(spacesService)
-    );
-
-    initPrivateApis(server);
-    initPublicSpacesApi(server);
-
-    initSpacesRequestInterceptors(server);
-
-    registerUserProfileCapabilityFactory(async (request) => {
-      const spacesClient = server.plugins.spaces.spacesClient.getScopedClient(request);
-
-      return {
-        manageSpaces: await spacesClient.canEnumerateSpaces(),
-      };
-    });
-
-    // Register a function with server to manage the collection of usage stats
-    server.usage.collectorSet.register(getSpacesUsageCollector(server));
-  }
-});
diff --git a/x-pack/plugins/spaces/index.ts b/x-pack/plugins/spaces/index.ts
new file mode 100644
index 00000000000000..157bc2a010895e
--- /dev/null
+++ b/x-pack/plugins/spaces/index.ts
@@ -0,0 +1,155 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { resolve } from 'path';
+// @ts-ignore
+import { AuditLogger } from '../../server/lib/audit_logger';
+// @ts-ignore
+import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status_and_license_to_initialize';
+import { registerUserProfileCapabilityFactory } from '../xpack_main/server/lib/user_profile_registry';
+import mappings from './mappings.json';
+import { SpacesAuditLogger } from './server/lib/audit_logger';
+import { checkLicense } from './server/lib/check_license';
+import { createDefaultSpace } from './server/lib/create_default_space';
+import { createSpacesService } from './server/lib/create_spaces_service';
+import { wrapError } from './server/lib/errors';
+import { getActiveSpace } from './server/lib/get_active_space';
+import { getSpacesUsageCollector } from './server/lib/get_spaces_usage_collector';
+import { spacesSavedObjectsClientWrapperFactory } from './server/lib/saved_objects_client/saved_objects_client_wrapper_factory';
+import { initSpacesRequestInterceptors } from './server/lib/space_request_interceptors';
+import { SpacesClient } from './server/lib/spaces_client';
+import { createSpacesTutorialContextFactory } from './server/lib/spaces_tutorial_context_factory';
+import { initPublicSpacesApi } from './server/routes/api/public';
+import { initPrivateApis } from './server/routes/api/v1';
+
+export const spaces = (kibana: any) =>
+  new kibana.Plugin({
+    id: 'spaces',
+    configPrefix: 'xpack.spaces',
+    publicDir: resolve(__dirname, 'public'),
+    require: ['kibana', 'elasticsearch', 'xpack_main'],
+
+    config(Joi: any) {
+      return Joi.object({
+        enabled: Joi.boolean().default(true),
+      }).default();
+    },
+
+    uiExports: {
+      chromeNavControls: ['plugins/spaces/views/nav_control'],
+      managementSections: ['plugins/spaces/views/management'],
+      apps: [
+        {
+          id: 'space_selector',
+          title: 'Spaces',
+          main: 'plugins/spaces/views/space_selector',
+          url: 'space_selector',
+          hidden: true,
+        },
+      ],
+      hacks: [],
+      mappings,
+      savedObjectsSchema: {
+        space: {
+          isNamespaceAgnostic: true,
+        },
+      },
+      home: ['plugins/spaces/register_feature'],
+      injectDefaultVars(server: any) {
+        return {
+          spaces: [],
+          activeSpace: null,
+          spaceSelectorURL: server.config().get('server.basePath') || '/',
+        };
+      },
+      async replaceInjectedVars(vars: any, request: any, server: any) {
+        const spacesClient = server.plugins.spaces.spacesClient.getScopedClient(request);
+        try {
+          vars.activeSpace = {
+            valid: true,
+            space: await getActiveSpace(
+              spacesClient,
+              request.getBasePath(),
+              server.config().get('server.basePath')
+            ),
+          };
+        } catch (e) {
+          vars.activeSpace = {
+            valid: false,
+            error: wrapError(e).output.payload,
+          };
+        }
+        return vars;
+      },
+    },
+
+    async init(server: any) {
+      const thisPlugin = this;
+      const xpackMainPlugin = server.plugins.xpack_main;
+
+      watchStatusAndLicenseToInitialize(xpackMainPlugin, thisPlugin, async () => {
+        await createDefaultSpace(server);
+      });
+
+      // Register a function that is called whenever the xpack info changes,
+      // to re-compute the license check results for this plugin
+      xpackMainPlugin.info
+        .feature(thisPlugin.id)
+        .registerLicenseCheckResultsGenerator(checkLicense);
+
+      const spacesService = createSpacesService(server);
+      server.expose('getSpaceId', (request: any) => spacesService.getSpaceId(request));
+
+      const config = server.config();
+
+      const spacesAuditLogger = new SpacesAuditLogger(config, new AuditLogger(server, 'spaces'));
+
+      server.expose('spacesClient', {
+        getScopedClient: (request: any) => {
+          const adminCluster = server.plugins.elasticsearch.getCluster('admin');
+          const { callWithRequest, callWithInternalUser } = adminCluster;
+          const callCluster = (...args: any[]) => callWithRequest(request, ...args);
+          const { savedObjects } = server;
+          const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
+          const callWithRequestRepository = savedObjects.getSavedObjectsRepository(callCluster);
+          const authorization = server.plugins.security
+            ? server.plugins.security.authorization
+            : null;
+          return new SpacesClient(
+            spacesAuditLogger,
+            authorization,
+            callWithRequestRepository,
+            internalRepository,
+            request
+          );
+        },
+      });
+
+      const { addScopedSavedObjectsClientWrapperFactory, types } = server.savedObjects;
+      addScopedSavedObjectsClientWrapperFactory(
+        Number.MAX_VALUE,
+        spacesSavedObjectsClientWrapperFactory(spacesService, types)
+      );
+
+      server.addScopedTutorialContextFactory(createSpacesTutorialContextFactory(spacesService));
+
+      initPrivateApis(server);
+      initPublicSpacesApi(server);
+
+      initSpacesRequestInterceptors(server);
+
+      registerUserProfileCapabilityFactory(async request => {
+        const spacesClient = server.plugins.spaces.spacesClient.getScopedClient(request);
+
+        return {
+          manageSpaces: await spacesClient.canEnumerateSpaces(),
+        };
+      });
+
+      // Register a function with server to manage the collection of usage stats
+      server.usage.collectorSet.register(getSpacesUsageCollector(server));
+    },
+  });
diff --git a/x-pack/plugins/spaces/public/components/__snapshots__/space_avatar.test.js.snap b/x-pack/plugins/spaces/public/components/__snapshots__/space_avatar.test.tsx.snap
similarity index 100%
rename from x-pack/plugins/spaces/public/components/__snapshots__/space_avatar.test.js.snap
rename to x-pack/plugins/spaces/public/components/__snapshots__/space_avatar.test.tsx.snap
diff --git a/x-pack/plugins/spaces/public/components/space_avatar.test.js b/x-pack/plugins/spaces/public/components/space_avatar.test.tsx
similarity index 85%
rename from x-pack/plugins/spaces/public/components/space_avatar.test.js
rename to x-pack/plugins/spaces/public/components/space_avatar.test.tsx
index d63d3b393940d0..47f1b29bd55a15 100644
--- a/x-pack/plugins/spaces/public/components/space_avatar.test.js
+++ b/x-pack/plugins/spaces/public/components/space_avatar.test.tsx
@@ -4,11 +4,11 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React from 'react';
 import { shallow } from 'enzyme';
+import React from 'react';
 import { SpaceAvatar } from './space_avatar';
 
 test('renders without crashing', () => {
-  const wrapper = shallow(<SpaceAvatar space={{}} />);
+  const wrapper = shallow(<SpaceAvatar space={{ name: '', id: '' }} />);
   expect(wrapper).toMatchSnapshot();
 });
diff --git a/x-pack/plugins/spaces/public/components/space_avatar.tsx b/x-pack/plugins/spaces/public/components/space_avatar.tsx
index 571cc083cb868d..e18459bbd8bf92 100644
--- a/x-pack/plugins/spaces/public/components/space_avatar.tsx
+++ b/x-pack/plugins/spaces/public/components/space_avatar.tsx
@@ -10,7 +10,7 @@ import { getSpaceColor, getSpaceInitials, MAX_SPACE_INITIALS } from '../../commo
 import { Space } from '../../common/model/space';
 
 interface Props {
-  space: Space;
+  space: Partial<Space>;
   size?: 's' | 'm' | 'l' | 'xl';
   className?: string;
 }
diff --git a/x-pack/plugins/spaces/public/images/demo.png b/x-pack/plugins/spaces/public/images/demo.png
deleted file mode 100644
index 700526918d4e76dfadc05ed21bc7db19cbe16e54..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 3748
zcmeAS@N?(olHy`uVBq!ia0y~yU<?IfFAg@K$l9JW2|$XmILO_JVcj{Imq2!8W=KRy
zgs+cPa(=E}VoH8es$NBI0Z<hKgH44MkeQoWlBiITo0C^;Rbi_HR$&EXgM{^!6u?SK
zvTc<jd;=7m^NUgyO!Z9k43zA+6ciL}ic-?7f?V97+JQV<rHqo20xNy}^73-Ma$~*x
zqI7*jOG`_A10#JSBVC{h-Qvo;lEez#ykcdDAuw}XQj3#|G7CyF^Yauy<|ZcPmzLNn
zDS<441Bg3IGSd(?<rPD{1@xdkNJigK&p;n;Hc+b#NYu)|C^HpkGst{9LmRM46fvkh
zHu@mTksJf@DOeQfRXZ*leR#0harqolk7Qur`RVE67*fIb_V(T0SXY78i`5gE3pMy!
zFL0zf6{<D=n5dKet#(Fl%$&<xD~wXjYpbUIRPp{$@uQo8k%@&vK*6B_lX2j`!iSo|
z=fAsm8iEx45%_W8g1&v-yXW$I?MuF<3)X-4dhoNt?%v<B%A>}1_5c2^-`V=7>Ic8=
z-`}V1*Zn=32Q>A79An_!&Dr{@4haqpA?y=k9Y=*mLt->d5S0}koIW7CPQf7|=7DA1
zV($Nf0-^hbIdsH+{5yX8(e?k^m)HOO8~um<$K(1GLluVx2X%#2b7uzwb8`pNBB@9o
zP634roE=%upNRl-@1lkkZeq^BTwKDm=+;h4*9L}04TV(`k4^w)`?(D(%JTdK6&w_}
ze)RuW?tYlgI`1F*yz`TOer@OKc(t&5Zr!!tUs~tyc)$K$ef{qvjjH><yxy+LFI%_F
z{vUty?mmXb&8#k8-~6qTWn?<cw8)C*ofQ+yIWd8&o4>y<W#QoA?s#Re<28qXMYKc6
z`FrcH3o01sD6BgCV4bqVgB->{+v@#s?hOYvG_2qoH4I;veRz7c_WbeBSN&%S|4?{P
zewtmVc`1|r;$IcfT90l%=d7`Q?-^GT%UJ(s|GT^zNk%4f5rM1HdS}&z6$)Y*1NV*!
zA_qw0^KSp@`aOGpNG3Ct3;!tF&i`$%xe%y|GyhdF-)n(b#d?1$4+ZX;6)*SiKO_Ht
z^K?yMKGI?gTzf-C37Fe}$@@)`7cd`rIfQ7NwFB$W39K%ryJrX~I4lqnxY~7A5t!Rj
z7z5AhEdyrB6)Y}WlZrclxh>KmWOMhZQKMlsnixhi&S=Sir4*f4`KO}Z&|D4JCux*t
qS}*nMarh5GP!9yNo3cmbhw$9v!qZA*?gD$73=E#GelF{r5}E)nodm`J

diff --git a/x-pack/plugins/spaces/public/register_feature.js b/x-pack/plugins/spaces/public/register_feature.ts
similarity index 76%
rename from x-pack/plugins/spaces/public/register_feature.js
rename to x-pack/plugins/spaces/public/register_feature.ts
index 1a02313aa331d7..6744590e7d35a2 100644
--- a/x-pack/plugins/spaces/public/register_feature.js
+++ b/x-pack/plugins/spaces/public/register_feature.ts
@@ -4,9 +4,11 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-
-
-import { FeatureCatalogueRegistryProvider, FeatureCatalogueCategory } from 'ui/registry/feature_catalogue';
+import {
+  FeatureCatalogueCategory,
+  FeatureCatalogueRegistryProvider,
+  // @ts-ignore
+} from 'ui/registry/feature_catalogue';
 import { SPACES_FEATURE_DESCRIPTION } from './lib/constants';
 
 FeatureCatalogueRegistryProvider.register(() => {
@@ -17,6 +19,6 @@ FeatureCatalogueRegistryProvider.register(() => {
     icon: 'spacesApp',
     path: '/app/kibana#/management/spaces/list',
     showOnHomePage: true,
-    category: FeatureCatalogueCategory.ADMIN
+    category: FeatureCatalogueCategory.ADMIN,
   };
 });
diff --git a/x-pack/plugins/spaces/public/views/components/space_card.test.js b/x-pack/plugins/spaces/public/views/components/space_card.test.tsx
similarity index 77%
rename from x-pack/plugins/spaces/public/views/components/space_card.test.js
rename to x-pack/plugins/spaces/public/views/components/space_card.test.tsx
index f79c74201eeeef..26f8a226315b8e 100644
--- a/x-pack/plugins/spaces/public/views/components/space_card.test.js
+++ b/x-pack/plugins/spaces/public/views/components/space_card.test.tsx
@@ -4,23 +4,25 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { mount, shallow } from 'enzyme';
 import React from 'react';
-import { shallow, mount } from 'enzyme';
 import { SpaceCard } from './space_card';
 
 test('it renders without crashing', () => {
   const space = {
+    id: '',
     name: 'space name',
-    description: 'space description'
+    description: 'space description',
   };
 
-  shallow(<SpaceCard space={space} />);
+  shallow(<SpaceCard space={space} onClick={jest.fn()} />);
 });
 
 test('it is clickable', () => {
   const space = {
+    id: '',
     name: 'space name',
-    description: 'space description'
+    description: 'space description',
   };
 
   const clickHandler = jest.fn();
diff --git a/x-pack/plugins/spaces/public/views/components/space_cards.test.js b/x-pack/plugins/spaces/public/views/components/space_cards.test.tsx
similarity index 93%
rename from x-pack/plugins/spaces/public/views/components/space_cards.test.js
rename to x-pack/plugins/spaces/public/views/components/space_cards.test.tsx
index 0a7fdd79d2059f..591f8c1507b7a6 100644
--- a/x-pack/plugins/spaces/public/views/components/space_cards.test.js
+++ b/x-pack/plugins/spaces/public/views/components/space_cards.test.tsx
@@ -4,15 +4,15 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React from 'react';
 import { shallow } from 'enzyme';
+import React from 'react';
 import { SpaceCards } from './space_cards';
 
 test('it renders without crashing', () => {
   const space = {
     id: 'space-id',
     name: 'space name',
-    description: 'space description'
+    description: 'space description',
   };
 
   shallow(<SpaceCards spaces={[space]} onSpaceSelect={jest.fn()} />);
diff --git a/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.tsx b/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.tsx
index 0810243a1d0354..28515ba71593d7 100644
--- a/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.tsx
+++ b/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.tsx
@@ -13,6 +13,7 @@ import {
   EuiOverlayMask,
   EuiText,
 } from '@elastic/eui';
+import { SpacesNavState } from 'plugins/spaces/views/nav_control';
 import React, { ChangeEvent, Component } from 'react';
 import { Space } from '../../../../common/model/space';
 import { SpacesManager } from '../../../lib';
@@ -20,7 +21,7 @@ import { SpacesManager } from '../../../lib';
 interface Props {
   space: Space;
   spacesManager: SpacesManager;
-  spacesNavState: any;
+  spacesNavState: SpacesNavState;
   onCancel: () => void;
   onConfirm: () => void;
 }
@@ -116,6 +117,6 @@ export class ConfirmDeleteModal extends Component<Props, State> {
   };
 }
 
-function isDeletingCurrentSpace(space: Space, spacesNavState: any) {
+function isDeletingCurrentSpace(space: Space, spacesNavState: SpacesNavState) {
   return space.id === spacesNavState.getActiveSpace().id;
 }
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/customize_space_avatar.test.js.snap b/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/customize_space_avatar.test.tsx.snap
similarity index 100%
rename from x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/customize_space_avatar.test.js.snap
rename to x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/customize_space_avatar.test.tsx.snap
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/space_identifier.test.js.snap b/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/space_identifier.test.tsx.snap
similarity index 100%
rename from x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/space_identifier.test.js.snap
rename to x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/space_identifier.test.tsx.snap
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.test.js b/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.test.tsx
similarity index 60%
rename from x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.test.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.test.tsx
index dfd1c85d19e3ea..180ed9b0dfef75 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.test.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.test.tsx
@@ -3,24 +3,29 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-
+// @ts-ignore
+import { EuiColorPicker, EuiFieldText, EuiLink } from '@elastic/eui';
+import { mount, shallow } from 'enzyme';
 import React from 'react';
-import { shallow, mount } from 'enzyme';
 import { CustomizeSpaceAvatar } from './customize_space_avatar';
-import { EuiLink, EuiFieldText, EuiColorPicker } from '@elastic/eui';
+
+const space = {
+  id: '',
+  name: '',
+};
 
 test('renders without crashing', () => {
-  const wrapper = shallow(<CustomizeSpaceAvatar space={{}} onChange={jest.fn()} />);
+  const wrapper = shallow(<CustomizeSpaceAvatar space={space} onChange={jest.fn()} />);
   expect(wrapper).toMatchSnapshot();
 });
 
 test('renders a "customize" link by default', () => {
-  const wrapper = mount(<CustomizeSpaceAvatar space={{}} onChange={jest.fn()} />);
+  const wrapper = mount(<CustomizeSpaceAvatar space={space} onChange={jest.fn()} />);
   expect(wrapper.find(EuiLink)).toHaveLength(1);
 });
 
 test('shows customization fields when the "customize" link is clicked', () => {
-  const wrapper = mount(<CustomizeSpaceAvatar space={{}} onChange={jest.fn()} />);
+  const wrapper = mount(<CustomizeSpaceAvatar space={space} onChange={jest.fn()} />);
   wrapper.find(EuiLink).simulate('click');
 
   expect(wrapper.find(EuiLink)).toHaveLength(0);
@@ -29,21 +34,25 @@ test('shows customization fields when the "customize" link is clicked', () => {
 });
 
 test('invokes onChange callback when avatar is customized', () => {
-  const space = {
-    name: "Unit Test Space",
-    initials: "SP",
-    color: "#ABCDEF"
+  const customizedSpace = {
+    id: '',
+    name: 'Unit Test Space',
+    initials: 'SP',
+    color: '#ABCDEF',
   };
 
   const changeHandler = jest.fn();
 
-  const wrapper = mount(<CustomizeSpaceAvatar space={space} onChange={changeHandler} />);
+  const wrapper = mount(<CustomizeSpaceAvatar space={customizedSpace} onChange={changeHandler} />);
   wrapper.find(EuiLink).simulate('click');
 
-  wrapper.find(EuiFieldText).find('input').simulate('change', { target: { value: 'NV' } });
+  wrapper
+    .find(EuiFieldText)
+    .find('input')
+    .simulate('change', { target: { value: 'NV' } });
 
   expect(changeHandler).toHaveBeenCalledWith({
-    ...space,
-    initials: 'NV'
+    ...customizedSpace,
+    initials: 'NV',
   });
-});
\ No newline at end of file
+});
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.js b/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.tsx
similarity index 60%
rename from x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.tsx
index 7d6240d6a2c0a3..be279536ccd88f 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/customize_space_avatar.tsx
@@ -3,44 +3,43 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-
-import React, { Component, Fragment } from 'react';
-import PropTypes from 'prop-types';
-import {
-  EuiFlexItem,
-  EuiColorPicker,
-  EuiFormRow,
-  EuiFieldText,
-  EuiLink,
-} from '@elastic/eui';
-import { getSpaceInitials, getSpaceColor } from '../../../../common/space_attributes';
+// @ts-ignore
+import { EuiColorPicker, EuiFieldText, EuiFlexItem, EuiFormRow, EuiLink } from '@elastic/eui';
+import React, { ChangeEvent, Component, Fragment } from 'react';
 import { MAX_SPACE_INITIALS } from '../../../../common/constants';
+import { Space } from '../../../../common/model/space';
+import { getSpaceColor, getSpaceInitials } from '../../../../common/space_attributes';
 
-export class CustomizeSpaceAvatar extends Component {
-  static propTypes = {
-    space: PropTypes.object.isRequired,
-    onChange: PropTypes.func.isRequired,
-  }
+interface Props {
+  space: Partial<Space>;
+  onChange: (space: Partial<Space>) => void;
+}
+
+interface State {
+  expanded: boolean;
+  initialsHasFocus: boolean;
+  pendingInitials?: string | null;
+}
+
+export class CustomizeSpaceAvatar extends Component<Props, State> {
+  private initialsRef: HTMLInputElement | null = null;
 
-  state = {
-    expanded: false,
-    initialsHasFocus: false,
-    pendingInitials: null
+  constructor(props: Props) {
+    super(props);
+    this.state = {
+      expanded: false,
+      initialsHasFocus: false,
+    };
   }
 
-  render() {
+  public render() {
     return this.state.expanded ? this.getCustomizeFields() : this.getCustomizeLink();
   }
 
-  getCustomizeFields = () => {
-    const {
-      space
-    } = this.props;
+  public getCustomizeFields = () => {
+    const { space } = this.props;
 
-    const {
-      initialsHasFocus,
-      pendingInitials,
-    } = this.state;
+    const { initialsHasFocus, pendingInitials } = this.state;
 
     return (
       <Fragment>
@@ -51,7 +50,7 @@ export class CustomizeSpaceAvatar extends Component {
               name="spaceInitials"
               // allows input to be cleared or otherwise invalidated while user is editing the initials,
               // without defaulting to the derived initials provided by `getSpaceInitials`
-              value={initialsHasFocus ? pendingInitials : getSpaceInitials(space)}
+              value={initialsHasFocus ? pendingInitials || '' : getSpaceInitials(space)}
               onChange={this.onInitialsChange}
             />
           </EuiFormRow>
@@ -63,9 +62,9 @@ export class CustomizeSpaceAvatar extends Component {
         </EuiFlexItem>
       </Fragment>
     );
-  }
+  };
 
-  initialsInputRef = (ref) => {
+  public initialsInputRef = (ref: HTMLInputElement) => {
     if (ref) {
       this.initialsRef = ref;
       this.initialsRef.addEventListener('focus', this.onInitialsFocus);
@@ -77,39 +76,41 @@ export class CustomizeSpaceAvatar extends Component {
         this.initialsRef = null;
       }
     }
-  }
+  };
 
-  onInitialsFocus = () => {
+  public onInitialsFocus = () => {
     this.setState({
       initialsHasFocus: true,
-      pendingInitials: getSpaceInitials(this.props.space)
+      pendingInitials: getSpaceInitials(this.props.space),
     });
-  }
+  };
 
-  onInitialsBlur = () => {
+  public onInitialsBlur = () => {
     this.setState({
       initialsHasFocus: false,
       pendingInitials: null,
     });
-  }
+  };
 
-  getCustomizeLink = () => {
+  public getCustomizeLink = () => {
     return (
       <EuiFlexItem grow={false}>
         <EuiFormRow hasEmptyLabelSpace={true}>
-          <EuiLink name="customize_space_link" onClick={this.showFields}>Customize</EuiLink>
+          <EuiLink name="customize_space_link" onClick={this.showFields}>
+            Customize
+          </EuiLink>
         </EuiFormRow>
       </EuiFlexItem>
     );
-  }
+  };
 
-  showFields = () => {
+  public showFields = () => {
     this.setState({
-      expanded: true
+      expanded: true,
     });
-  }
+  };
 
-  onInitialsChange = (e) => {
+  public onInitialsChange = (e: ChangeEvent<HTMLInputElement>) => {
     const initials = (e.target.value || '').substring(0, MAX_SPACE_INITIALS);
 
     this.setState({
@@ -118,14 +119,14 @@ export class CustomizeSpaceAvatar extends Component {
 
     this.props.onChange({
       ...this.props.space,
-      initials
+      initials,
     });
   };
 
-  onColorChange = (color) => {
+  public onColorChange = (color: string) => {
     this.props.onChange({
       ...this.props.space,
-      color
+      color,
     });
-  }
+  };
 }
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/delete_spaces_button.tsx b/x-pack/plugins/spaces/public/views/management/edit_space/delete_spaces_button.tsx
index e255375baf85b8..25aea985e01ac3 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/delete_spaces_button.tsx
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/delete_spaces_button.tsx
@@ -5,7 +5,9 @@
  */
 
 import { EuiButton, EuiButtonIcon, EuiButtonIconProps } from '@elastic/eui';
+import { SpacesNavState } from 'plugins/spaces/views/nav_control';
 import React, { Component, Fragment } from 'react';
+// @ts-ignore
 import { toastNotifications } from 'ui/notify';
 import { Space } from '../../../../common/model/space';
 import { SpacesManager } from '../../../lib/spaces_manager';
@@ -15,7 +17,7 @@ interface Props {
   style?: 'button' | 'icon';
   space: Space;
   spacesManager: SpacesManager;
-  spacesNavState: any;
+  spacesNavState: SpacesNavState;
   onDelete: () => void;
 }
 
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/index.js b/x-pack/plugins/spaces/public/views/management/edit_space/index.ts
similarity index 77%
rename from x-pack/plugins/spaces/public/views/management/edit_space/index.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/index.ts
index 0d5429ca5ed55a..65018a5e9271c2 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/index.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/index.ts
@@ -3,5 +3,5 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-
-export { ManageSpacePage } from './manage_space_page';
\ No newline at end of file
+// @ts-ignore
+export { ManageSpacePage } from './manage_space_page';
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.tsx
similarity index 55%
rename from x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.tsx
index 0ff739e127656e..5b1e3893352120 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.tsx
@@ -4,71 +4,85 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { Fragment, Component } from 'react';
-import PropTypes from 'prop-types';
 import {
-  EuiTitle,
+  EuiButton,
   EuiButtonEmpty,
-  EuiSpacer,
-  EuiPage,
-  EuiPageBody,
-  EuiPageContent,
-  EuiForm,
-  EuiFormRow,
   EuiFieldText,
   EuiFlexGroup,
   EuiFlexItem,
-  EuiButton,
-  EuiPageContentBody,
+  EuiForm,
+  EuiFormRow,
   EuiHorizontalRule,
   EuiLoadingSpinner,
+  EuiPage,
+  EuiPageBody,
+  EuiPageContent,
+  EuiPageContentBody,
+  EuiSpacer,
+  EuiTitle,
 } from '@elastic/eui';
+import React, { ChangeEvent, Component, Fragment } from 'react';
 
-import { DeleteSpacesButton } from './delete_spaces_button';
+import { SpacesNavState } from 'plugins/spaces/views/nav_control';
+import { UserProfile } from 'plugins/xpack_main/services/user_profile';
+// @ts-ignore
+import { toastNotifications } from 'ui/notify';
+import { isReservedSpace } from '../../../../common';
+import { Space } from '../../../../common/model/space';
 import { SpaceAvatar } from '../../../components';
-
-import { Notifier, toastNotifications } from 'ui/notify';
-import { SpaceIdentifier } from './space_identifier';
+import { SpacesManager } from '../../../lib';
+import { UnauthorizedPrompt } from '../components/unauthorized_prompt';
 import { toSpaceIdentifier } from '../lib';
+import { SpaceValidator } from '../lib/validate_space';
 import { CustomizeSpaceAvatar } from './customize_space_avatar';
-import { isReservedSpace } from '../../../../common';
+import { DeleteSpacesButton } from './delete_spaces_button';
 import { ReservedSpaceBadge } from './reserved_space_badge';
-import { SpaceValidator } from '../lib/validate_space';
-import { UnauthorizedPrompt } from '../components/unauthorized_prompt';
+import { SpaceIdentifier } from './space_identifier';
+
+interface Props {
+  spacesManager: SpacesManager;
+  spaceId?: string;
+  userProfile: UserProfile;
+  spacesNavState: SpacesNavState;
+}
 
-export class ManageSpacePage extends Component {
-  state = {
-    space: {},
-    isLoading: true,
+interface State {
+  space: Partial<Space>;
+  isLoading: boolean;
+  formError?: {
+    isInvalid: boolean;
+    error?: string;
   };
+}
+
+export class ManageSpacePage extends Component<Props, State> {
+  private readonly validator: SpaceValidator;
 
-  constructor(props) {
+  constructor(props: Props) {
     super(props);
     this.validator = new SpaceValidator({ shouldValidate: false });
+    this.state = {
+      isLoading: true,
+      space: {},
+    };
   }
 
-  componentDidMount() {
-    this.notifier = new Notifier({ location: 'Spaces' });
+  public componentDidMount() {
+    const { spaceId, spacesManager } = this.props;
 
-    const {
-      space,
+    if (spaceId) {
       spacesManager
-    } = this.props;
-
-    if (space) {
-      spacesManager.getSpace(space)
-        .then(result => {
+        .getSpace(spaceId)
+        .then((result: any) => {
           if (result.data) {
             this.setState({
               space: result.data,
-              isLoading: false
+              isLoading: false,
             });
           }
         })
         .catch(error => {
-          const {
-            message = ''
-          } = error.data || {};
+          const { message = '' } = error.data || {};
 
           toastNotifications.addDanger(`Error loading space: ${message}`);
           this.backToSpacesList();
@@ -78,40 +92,39 @@ export class ManageSpacePage extends Component {
     }
   }
 
-  render() {
-
+  public render() {
     const content = this.state.isLoading ? this.getLoadingIndicator() : this.getForm();
 
     return (
       <EuiPage className="manageSpacePage">
         <EuiPageBody>
           <EuiPageContent className="manageSpacePage__content">
-            <EuiPageContentBody>
-              {content}
-            </EuiPageContentBody>
+            <EuiPageContentBody>{content}</EuiPageContentBody>
           </EuiPageContent>
         </EuiPageBody>
       </EuiPage>
     );
   }
 
-  getLoadingIndicator = () => {
-    return <div><EuiLoadingSpinner size={'xl'} /> <EuiTitle><h1>Loading...</h1></EuiTitle></div>;
-  }
+  public getLoadingIndicator = () => {
+    return (
+      <div>
+        <EuiLoadingSpinner size={'xl'} />{' '}
+        <EuiTitle>
+          <h1>Loading...</h1>
+        </EuiTitle>
+      </div>
+    );
+  };
 
-  getForm = () => {
-    const {
-      userProfile
-    } = this.props;
+  public getForm = () => {
+    const { userProfile } = this.props;
 
     if (!userProfile.hasCapability('manageSpaces')) {
       return <UnauthorizedPrompt />;
     }
 
-    const {
-      name = '',
-      description = '',
-    } = this.state.space;
+    const { name = '', description = '' } = this.state.space;
 
     return (
       <EuiForm>
@@ -121,10 +134,7 @@ export class ManageSpacePage extends Component {
 
         <EuiFlexGroup>
           <EuiFlexItem style={{ maxWidth: '400px' }}>
-            <EuiFormRow
-              label="Name"
-              {...this.validator.validateSpaceName(this.state.space)}
-            >
+            <EuiFormRow label="Name" {...this.validator.validateSpaceName(this.state.space)}>
               <EuiFieldText
                 name="name"
                 placeholder={'Awesome space'}
@@ -133,37 +143,32 @@ export class ManageSpacePage extends Component {
               />
             </EuiFormRow>
           </EuiFlexItem>
-          {
-            name && (
-              <EuiFlexItem grow={false}>
-                <EuiFlexGroup responsive={false}>
-                  <EuiFlexItem grow={false}>
-                    <EuiFormRow hasEmptyLabelSpace={true}>
-                      <SpaceAvatar space={this.state.space} />
-                    </EuiFormRow>
-                  </EuiFlexItem>
-                  <CustomizeSpaceAvatar space={this.state.space} onChange={this.onAvatarChange} />
-                </EuiFlexGroup>
-              </EuiFlexItem>
-            )
-          }
+          {name && (
+            <EuiFlexItem grow={false}>
+              <EuiFlexGroup responsive={false}>
+                <EuiFlexItem grow={false}>
+                  <EuiFormRow hasEmptyLabelSpace={true}>
+                    <SpaceAvatar space={this.state.space} />
+                  </EuiFormRow>
+                </EuiFlexItem>
+                <CustomizeSpaceAvatar space={this.state.space} onChange={this.onAvatarChange} />
+              </EuiFlexGroup>
+            </EuiFlexItem>
+          )}
         </EuiFlexGroup>
 
         <EuiSpacer />
 
-        {isReservedSpace(this.state.space)
-          ? null
-          : (
-            <Fragment>
-              <SpaceIdentifier
-                space={this.state.space}
-                editable={!this.editingExistingSpace()}
-                onChange={this.onSpaceIdentifierChange}
-                validator={this.validator}
-              />
-            </Fragment>
-          )
-        }
+        {this.state.space && isReservedSpace(this.state.space) ? null : (
+          <Fragment>
+            <SpaceIdentifier
+              space={this.state.space}
+              editable={!this.editingExistingSpace()}
+              onChange={this.onSpaceIdentifierChange}
+              validator={this.validator}
+            />
+          </Fragment>
+        )}
 
         <EuiFormRow
           label="Description (optional)"
@@ -182,49 +187,51 @@ export class ManageSpacePage extends Component {
         <EuiHorizontalRule />
 
         {this.getFormButtons()}
-
       </EuiForm>
     );
-  }
+  };
 
-  getFormHeading = () => {
+  public getFormHeading = () => {
     return (
-      <EuiTitle size="l"><h1>{this.getTitle()} <ReservedSpaceBadge space={this.state.space} /></h1></EuiTitle>
+      <EuiTitle size="l">
+        <h1>
+          {this.getTitle()} <ReservedSpaceBadge space={this.state.space as Space} />
+        </h1>
+      </EuiTitle>
     );
   };
 
-  getTitle = () => {
+  public getTitle = () => {
     if (this.editingExistingSpace()) {
       return `Edit space`;
     }
     return `Create space`;
   };
 
-  getFormButtons = () => {
+  public getFormButtons = () => {
     const saveText = this.editingExistingSpace() ? 'Update space' : 'Create space';
     return (
       <EuiFlexGroup responsive={false}>
         <EuiFlexItem grow={false}>
-          <EuiButton fill onClick={this.saveSpace}>{saveText}</EuiButton>
+          <EuiButton fill onClick={this.saveSpace}>
+            {saveText}
+          </EuiButton>
         </EuiFlexItem>
         <EuiFlexItem grow={false}>
-          <EuiButtonEmpty onClick={this.backToSpacesList}>
-            Cancel
-          </EuiButtonEmpty>
+          <EuiButtonEmpty onClick={this.backToSpacesList}>Cancel</EuiButtonEmpty>
         </EuiFlexItem>
         <EuiFlexItem grow={true} />
         {this.getActionButton()}
       </EuiFlexGroup>
     );
-  }
-
+  };
 
-  getActionButton = () => {
-    if (this.editingExistingSpace() && !isReservedSpace(this.state.space)) {
+  public getActionButton = () => {
+    if (this.state.space && this.editingExistingSpace() && !isReservedSpace(this.state.space)) {
       return (
         <EuiFlexItem grow={false}>
           <DeleteSpacesButton
-            space={this.state.space}
+            space={this.state.space as Space}
             spacesManager={this.props.spacesManager}
             spacesNavState={this.props.spacesNavState}
             onDelete={this.backToSpacesList}
@@ -236,12 +243,14 @@ export class ManageSpacePage extends Component {
     return null;
   };
 
-  onNameChange = (e) => {
+  public onNameChange = (e: ChangeEvent<HTMLInputElement>) => {
+    if (!this.state.space) {
+      return;
+    }
+
     const canUpdateId = !this.editingExistingSpace();
 
-    let {
-      id
-    } = this.state.space;
+    let { id } = this.state.space;
 
     if (canUpdateId) {
       id = toSpaceIdentifier(e.target.value);
@@ -251,58 +260,57 @@ export class ManageSpacePage extends Component {
       space: {
         ...this.state.space,
         name: e.target.value,
-        id
-      }
+        id,
+      },
     });
   };
 
-  onDescriptionChange = (e) => {
+  public onDescriptionChange = (e: ChangeEvent<HTMLInputElement>) => {
     this.setState({
       space: {
         ...this.state.space,
-        description: e.target.value
-      }
+        description: e.target.value,
+      },
     });
   };
 
-  onSpaceIdentifierChange = (e) => {
+  public onSpaceIdentifierChange = (e: ChangeEvent<HTMLInputElement>) => {
     this.setState({
       space: {
         ...this.state.space,
-        id: toSpaceIdentifier(e.target.value)
-      }
+        id: toSpaceIdentifier(e.target.value),
+      },
     });
   };
 
-  onAvatarChange = (space) => {
+  public onAvatarChange = (space: Partial<Space>) => {
     this.setState({
-      space
+      space,
     });
-  }
+  };
 
-  saveSpace = () => {
+  public saveSpace = () => {
     this.validator.enableValidation();
 
-    const result = this.validator.validateForSave(this.state.space);
+    const result = this.validator.validateForSave(this.state.space as Space);
     if (result.isInvalid) {
       this.setState({
-        formError: result
+        formError: result,
       });
 
       return;
     }
 
-    this._performSave();
+    this.performSave();
   };
 
-  _performSave = () => {
-    const {
-      name = '',
-      id = toSpaceIdentifier(name),
-      description,
-      initials,
-      color,
-    } = this.state.space;
+  private performSave = () => {
+    if (!this.state.space) {
+      return;
+    }
+
+    const name = this.state.space.name || '';
+    const { id = toSpaceIdentifier(name), description, initials, color } = this.state.space;
 
     const params = {
       name,
@@ -326,24 +334,15 @@ export class ManageSpacePage extends Component {
         window.location.hash = `#/management/spaces/list`;
       })
       .catch(error => {
-        const {
-          message = ''
-        } = error.data || {};
+        const { message = '' } = error.data || {};
 
         toastNotifications.addDanger(`Error saving space: ${message}`);
       });
   };
 
-  backToSpacesList = () => {
+  private backToSpacesList = () => {
     window.location.hash = `#/management/spaces/list`;
   };
 
-  editingExistingSpace = () => !!this.props.space;
+  private editingExistingSpace = () => !!this.props.spaceId;
 }
-
-ManageSpacePage.propTypes = {
-  space: PropTypes.string,
-  spacesManager: PropTypes.object,
-  spacesNavState: PropTypes.object.isRequired,
-  userProfile: PropTypes.object.isRequired,
-};
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.test.js b/x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.test.tsx
similarity index 81%
rename from x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.test.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.test.tsx
index 755e6e4bf011e0..ae584ba715b63b 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.test.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.test.tsx
@@ -4,20 +4,21 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { EuiIcon } from '@elastic/eui';
+import { shallow } from 'enzyme';
 import React from 'react';
-import {
-  EuiIcon
-} from '@elastic/eui';
 import { ReservedSpaceBadge } from './reserved_space_badge';
-import {
-  shallow
-} from 'enzyme';
 
 const reservedSpace = {
-  _reserved: true
+  id: '',
+  name: '',
+  _reserved: true,
 };
 
-const unreservedSpace = {};
+const unreservedSpace = {
+  id: '',
+  name: '',
+};
 
 test('it renders without crashing', () => {
   const wrapper = shallow(<ReservedSpaceBadge space={reservedSpace} />);
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.js b/x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.tsx
similarity index 58%
rename from x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.tsx
index 2f0f96377fcb4d..5c358cb4fd5caa 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/reserved_space_badge.tsx
@@ -5,30 +5,24 @@
  */
 
 import React from 'react';
-import PropTypes from 'prop-types';
 
+import { EuiIcon, EuiToolTip } from '@elastic/eui';
 import { isReservedSpace } from '../../../../common';
-import {
-  EuiIcon,
-  EuiToolTip,
-} from '@elastic/eui';
+import { Space } from '../../../../common/model/space';
 
+interface Props {
+  space?: Space;
+}
 
-export const ReservedSpaceBadge = (props) => {
-  const {
-    space
-  } = props;
+export const ReservedSpaceBadge = (props: Props) => {
+  const { space } = props;
 
-  if (isReservedSpace(space)) {
+  if (space && isReservedSpace(space)) {
     return (
       <EuiToolTip content={'Reserved spaces are built-in and can only be partially modified.'}>
-        <EuiIcon style={{ verticalAlign: "super" }} type={'lock'} />
+        <EuiIcon style={{ verticalAlign: 'super' }} type={'lock'} />
       </EuiToolTip>
     );
   }
   return null;
 };
-
-ReservedSpaceBadge.propTypes = {
-  space: PropTypes.object.isRequired
-};
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.test.js b/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.test.tsx
similarity index 87%
rename from x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.test.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.test.tsx
index 7970b2633ca855..f4f9b11f94b2d2 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.test.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.test.tsx
@@ -4,17 +4,20 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React from 'react';
 import { shallow } from 'enzyme';
-import { SpaceIdentifier } from './space_identifier';
+import React from 'react';
 import { SpaceValidator } from '../lib';
+import { SpaceIdentifier } from './space_identifier';
 
 test('renders without crashing', () => {
   const props = {
-    space: {},
+    space: {
+      id: '',
+      name: '',
+    },
     editable: true,
     onChange: jest.fn(),
-    validator: new SpaceValidator()
+    validator: new SpaceValidator(),
   };
   const wrapper = shallow(<SpaceIdentifier {...props} />);
   expect(wrapper).toMatchSnapshot();
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.js b/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.tsx
similarity index 66%
rename from x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.js
rename to x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.tsx
index 4af9003678db11..1f9b006ef91ea2 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.js
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/space_identifier.tsx
@@ -4,22 +4,38 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { Component, Fragment } from 'react';
-import PropTypes from 'prop-types';
 import {
+  EuiFieldText,
   EuiFormRow,
   EuiLink,
-  EuiFieldText,
 } from '@elastic/eui';
+import React, { ChangeEvent, Component, Fragment } from 'react';
+import { Space } from '../../../../common/model/space';
+import { SpaceValidator } from '../lib';
 
-export class SpaceIdentifier extends Component {
-  textFieldRef = null;
+interface Props {
+  space: Partial<Space>;
+  editable: boolean;
+  validator: SpaceValidator;
+  onChange: (e: ChangeEvent<HTMLInputElement>) => void;
+}
 
-  state = {
-    editing: false
-  };
+interface State {
+  editing: boolean;
+}
 
-  render() {
+export class SpaceIdentifier extends Component<Props, State> {
+
+  private textFieldRef: HTMLInputElement | null = null;
+
+  constructor(props: Props) {
+    super(props);
+    this.state = {
+      editing: false,
+    };
+  }
+
+  public render() {
     const {
       id = ''
     } = this.props.space;
@@ -35,7 +51,7 @@ export class SpaceIdentifier extends Component {
             readOnly={!this.state.editing}
             placeholder={
               this.state.editing || !this.props.editable
-                ? null
+                ? undefined
                 : 'The URL identifier is generated from the space name.'
             }
             value={id}
@@ -47,7 +63,7 @@ export class SpaceIdentifier extends Component {
     );
   }
 
-  getLabel = () => {
+  public getLabel = () => {
     if (!this.props.editable) {
       return (<p>URL identifier</p>);
     }
@@ -56,11 +72,11 @@ export class SpaceIdentifier extends Component {
     return (<p>URL identifier <EuiLink onClick={this.onEditClick}>{editLinkText}</EuiLink></p>);
   };
 
-  getHelpText = () => {
+  public getHelpText = () => {
     return (<p>If the identifier is <strong>engineering</strong>, the Kibana URL is <br /> https://my-kibana.example<strong>/s/engineering/</strong>app/kibana.</p>);
   };
 
-  onEditClick = () => {
+  public onEditClick = () => {
     this.setState({
       editing: !this.state.editing
     }, () => {
@@ -70,15 +86,8 @@ export class SpaceIdentifier extends Component {
     });
   };
 
-  onChange = (e) => {
-    if (!this.state.editing) return;
+  public onChange = (e: ChangeEvent<HTMLInputElement>) => {
+    if (!this.state.editing) { return; }
     this.props.onChange(e);
   };
 }
-
-SpaceIdentifier.propTypes = {
-  space: PropTypes.object.isRequired,
-  editable: PropTypes.bool.isRequired,
-  onChange: PropTypes.func,
-  validator: PropTypes.object.isRequired,
-};
diff --git a/x-pack/plugins/spaces/public/views/management/lib/index.js b/x-pack/plugins/spaces/public/views/management/lib/index.js
deleted file mode 100644
index ab5331a58a7424..00000000000000
--- a/x-pack/plugins/spaces/public/views/management/lib/index.js
+++ /dev/null
@@ -1,14 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-export {
-  toSpaceIdentifier,
-  isValidSpaceIdentifier,
-} from './space_identifier_utils';
-
-export {
-  SpaceValidator
-} from './validate_space';
diff --git a/x-pack/plugins/spaces/server/lib/validate_config.js b/x-pack/plugins/spaces/public/views/management/lib/index.ts
similarity index 64%
rename from x-pack/plugins/spaces/server/lib/validate_config.js
rename to x-pack/plugins/spaces/public/views/management/lib/index.ts
index 44493d21fb6d47..4a158168febd8c 100644
--- a/x-pack/plugins/spaces/server/lib/validate_config.js
+++ b/x-pack/plugins/spaces/public/views/management/lib/index.ts
@@ -4,7 +4,6 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+export { toSpaceIdentifier, isValidSpaceIdentifier } from './space_identifier_utils';
 
-export function validateConfig() {
-  // TODO(legrego): implement if needed.
-}
+export { SpaceValidator } from './validate_space';
diff --git a/x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.test.js b/x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.test.ts
similarity index 93%
rename from x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.test.js
rename to x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.test.ts
index 1a3cd091bb8614..c180f380d6845c 100644
--- a/x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.test.js
+++ b/x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.test.ts
@@ -16,7 +16,7 @@ test('it converts everything to lowercase', () => {
 });
 
 test('it converts non-alphanumeric characters except for "_" to dashes', () => {
-  const input = `~!@#$%^&*()+-=[]{}\|';:"/.,<>?` + "`";
+  const input = `~!@#$%^&*()+-=[]{}\|';:"/.,<>?` + '`';
 
   const expectedResult = new Array(input.length + 1).join('-');
 
diff --git a/x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.js b/x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.ts
similarity index 100%
rename from x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.js
rename to x-pack/plugins/spaces/public/views/management/lib/space_identifier_utils.ts
diff --git a/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js b/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.ts
similarity index 57%
rename from x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js
rename to x-pack/plugins/spaces/public/views/management/lib/validate_space.test.ts
index dac3e417a371cd..bcaab2bfa0ec43 100644
--- a/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.js
+++ b/x-pack/plugins/spaces/public/views/management/lib/validate_space.test.ts
@@ -6,7 +6,7 @@
 
 import { SpaceValidator } from './validate_space';
 
-let validator;
+let validator: SpaceValidator;
 
 describe('validateSpaceName', () => {
   beforeEach(() => {
@@ -15,7 +15,8 @@ describe('validateSpaceName', () => {
 
   test('it allows a name with special characters', () => {
     const space = {
-      name: 'This is the name of my Space! @#$%^&*()_+-='
+      id: '',
+      name: 'This is the name of my Space! @#$%^&*()_+-=',
     };
 
     expect(validator.validateSpaceName(space)).toEqual({ isInvalid: false });
@@ -23,24 +24,34 @@ describe('validateSpaceName', () => {
 
   test('it requires a non-empty value', () => {
     const space = {
-      name: ''
+      id: '',
+      name: '',
     };
 
-    expect(validator.validateSpaceName(space)).toEqual({ isInvalid: true, error: `Name is required` });
+    expect(validator.validateSpaceName(space)).toEqual({
+      isInvalid: true,
+      error: `Name is required`,
+    });
   });
 
   test('it cannot exceed 1024 characters', () => {
     const space = {
-      name: new Array(1026).join('A')
+      id: '',
+      name: new Array(1026).join('A'),
     };
 
-    expect(validator.validateSpaceName(space)).toEqual({ isInvalid: true, error: `Name must not exceed 1024 characters` });
+    expect(validator.validateSpaceName(space)).toEqual({
+      isInvalid: true,
+      error: `Name must not exceed 1024 characters`,
+    });
   });
 });
 
 describe('validateSpaceDescription', () => {
   test('is optional', () => {
     const space = {
+      id: '',
+      name: '',
     };
 
     expect(validator.validateSpaceDescription(space)).toEqual({ isInvalid: false });
@@ -48,17 +59,24 @@ describe('validateSpaceDescription', () => {
 
   test('it cannot exceed 2000 characters', () => {
     const space = {
-      description: new Array(2002).join('A')
+      id: '',
+      name: '',
+      description: new Array(2002).join('A'),
     };
 
-    expect(validator.validateSpaceDescription(space)).toEqual({ isInvalid: true, error: `Description must not exceed 2000 characters` });
+    expect(validator.validateSpaceDescription(space)).toEqual({
+      isInvalid: true,
+      error: `Description must not exceed 2000 characters`,
+    });
   });
 });
 
 describe('validateURLIdentifier', () => {
   test('it does not validate reserved spaces', () => {
     const space = {
-      _reserved: true
+      id: '',
+      name: '',
+      _reserved: true,
     };
 
     expect(validator.validateURLIdentifier(space)).toEqual({ isInvalid: false });
@@ -66,24 +84,32 @@ describe('validateURLIdentifier', () => {
 
   test('it requires a non-empty value', () => {
     const space = {
-      id: ''
+      id: '',
+      name: '',
     };
 
-    expect(validator.validateURLIdentifier(space)).toEqual({ isInvalid: true, error: `URL identifier is required` });
+    expect(validator.validateURLIdentifier(space)).toEqual({
+      isInvalid: true,
+      error: `URL identifier is required`,
+    });
   });
 
   test('it requires a valid Space Identifier', () => {
     const space = {
-      id: 'invalid identifier'
+      id: 'invalid identifier',
+      name: '',
     };
 
-    expect(validator.validateURLIdentifier(space))
-      .toEqual({ isInvalid: true, error: 'URL identifier can only contain a-z, 0-9, and the characters "_" and "-"' });
+    expect(validator.validateURLIdentifier(space)).toEqual({
+      isInvalid: true,
+      error: 'URL identifier can only contain a-z, 0-9, and the characters "_" and "-"',
+    });
   });
 
   test('it allows a valid Space Identifier', () => {
     const space = {
-      id: '01-valid-context-01'
+      id: '01-valid-context-01',
+      name: '',
     };
 
     expect(validator.validateURLIdentifier(space)).toEqual({ isInvalid: false });
diff --git a/x-pack/plugins/spaces/public/views/management/lib/validate_space.js b/x-pack/plugins/spaces/public/views/management/lib/validate_space.ts
similarity index 62%
rename from x-pack/plugins/spaces/public/views/management/lib/validate_space.js
rename to x-pack/plugins/spaces/public/views/management/lib/validate_space.ts
index 1aa98aac8e5793..66b931e7f4c9a9 100644
--- a/x-pack/plugins/spaces/public/views/management/lib/validate_space.js
+++ b/x-pack/plugins/spaces/public/views/management/lib/validate_space.ts
@@ -3,24 +3,33 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import { isValidSpaceIdentifier } from './space_identifier_utils';
 import { isReservedSpace } from '../../../../common/is_reserved_space';
+import { Space } from '../../../../common/model/space';
+import { isValidSpaceIdentifier } from './space_identifier_utils';
+
+interface SpaceValidatorOptions {
+  shouldValidate?: boolean;
+}
 
 export class SpaceValidator {
-  constructor(options = {}) {
-    this._shouldValidate = options.shouldValidate;
+  private shouldValidate: boolean;
+
+  constructor(options: SpaceValidatorOptions = {}) {
+    this.shouldValidate = options.shouldValidate || false;
   }
 
-  enableValidation() {
-    this._shouldValidate = true;
+  public enableValidation() {
+    this.shouldValidate = true;
   }
 
-  disableValidation() {
-    this._shouldValidate = false;
+  public disableValidation() {
+    this.shouldValidate = false;
   }
 
-  validateSpaceName(space) {
-    if (!this._shouldValidate) return valid();
+  public validateSpaceName(space: Partial<Space>) {
+    if (!this.shouldValidate) {
+      return valid();
+    }
 
     if (!space.name) {
       return invalid(`Name is required`);
@@ -33,8 +42,10 @@ export class SpaceValidator {
     return valid();
   }
 
-  validateSpaceDescription(space) {
-    if (!this._shouldValidate) return valid();
+  public validateSpaceDescription(space: Partial<Space>) {
+    if (!this.shouldValidate) {
+      return valid();
+    }
 
     if (space.description && space.description.length > 2000) {
       return invalid(`Description must not exceed 2000 characters`);
@@ -43,10 +54,14 @@ export class SpaceValidator {
     return valid();
   }
 
-  validateURLIdentifier(space) {
-    if (!this._shouldValidate) return valid();
+  public validateURLIdentifier(space: Partial<Space>) {
+    if (!this.shouldValidate) {
+      return valid();
+    }
 
-    if (isReservedSpace(space)) return valid();
+    if (isReservedSpace(space)) {
+      return valid();
+    }
 
     if (!space.id) {
       return invalid(`URL identifier is required`);
@@ -59,7 +74,7 @@ export class SpaceValidator {
     return valid();
   }
 
-  validateForSave(space) {
+  public validateForSave(space: Space) {
     const { isInvalid: isNameInvalid } = this.validateSpaceName(space);
     const { isInvalid: isDescriptionInvalid } = this.validateSpaceDescription(space);
     const { isInvalid: isIdentifierInvalid } = this.validateURLIdentifier(space);
@@ -72,15 +87,15 @@ export class SpaceValidator {
   }
 }
 
-function invalid(error) {
+function invalid(error: string = '') {
   return {
     isInvalid: true,
-    error
+    error,
   };
 }
 
 function valid() {
   return {
-    isInvalid: false
+    isInvalid: false,
   };
 }
diff --git a/x-pack/plugins/spaces/public/views/management/page_routes.js b/x-pack/plugins/spaces/public/views/management/page_routes.tsx
similarity index 55%
rename from x-pack/plugins/spaces/public/views/management/page_routes.js
rename to x-pack/plugins/spaces/public/views/management/page_routes.tsx
index 17bb29ac6282aa..fa7f26a32aa839 100644
--- a/x-pack/plugins/spaces/public/views/management/page_routes.js
+++ b/x-pack/plugins/spaces/public/views/management/page_routes.tsx
@@ -4,24 +4,34 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import 'ui/autoload/styles';
 import 'plugins/spaces/views/management/manage_spaces.less';
+// @ts-ignore
 import template from 'plugins/spaces/views/management/template.html';
+// @ts-ignore
 import { UserProfileProvider } from 'plugins/xpack_main/services/user_profile';
+import 'ui/autoload/styles';
 
+import { SpacesNavState } from 'plugins/spaces/views/nav_control';
 import React from 'react';
 import { render, unmountComponentAtNode } from 'react-dom';
-import { SpacesGridPage } from './spaces_grid';
-import { ManageSpacePage } from './edit_space';
-import { SpacesManager } from '../../lib/spaces_manager';
-
+// @ts-ignore
 import routes from 'ui/routes';
+import { SpacesManager } from '../../lib/spaces_manager';
+import { ManageSpacePage } from './edit_space';
+import { SpacesGridPage } from './spaces_grid';
 
 const reactRootNodeId = 'manageSpacesReactRoot';
 
 routes.when('/management/spaces/list', {
   template,
-  controller: function ($scope, $http, chrome, Private, spacesNavState, spaceSelectorURL) {
+  controller(
+    $scope: any,
+    $http: any,
+    chrome: any,
+    Private: any,
+    spacesNavState: SpacesNavState,
+    spaceSelectorURL: string
+  ) {
     const userProfile = Private(UserProfileProvider);
 
     $scope.$$postDigest(() => {
@@ -29,23 +39,35 @@ routes.when('/management/spaces/list', {
 
       const spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
 
-      render(<SpacesGridPage
-        spacesManager={spacesManager}
-        spacesNavState={spacesNavState}
-        userProfile={userProfile}
-      />, domNode);
+      render(
+        <SpacesGridPage
+          spacesManager={spacesManager}
+          spacesNavState={spacesNavState}
+          userProfile={userProfile}
+        />,
+        domNode
+      );
 
       // unmount react on controller destroy
       $scope.$on('$destroy', () => {
-        unmountComponentAtNode(domNode);
+        if (domNode) {
+          unmountComponentAtNode(domNode);
+        }
       });
     });
-  }
+  },
 });
 
 routes.when('/management/spaces/create', {
   template,
-  controller: function ($scope, $http, chrome, Private, spacesNavState, spaceSelectorURL) {
+  controller(
+    $scope: any,
+    $http: any,
+    chrome: any,
+    Private: any,
+    spacesNavState: SpacesNavState,
+    spaceSelectorURL: string
+  ) {
     const userProfile = Private(UserProfileProvider);
 
     $scope.$$postDigest(() => {
@@ -53,50 +75,65 @@ routes.when('/management/spaces/create', {
 
       const spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
 
-      render(<ManageSpacePage
-        spacesManager={spacesManager}
-        spacesNavState={spacesNavState}
-        userProfile={userProfile}
-      />, domNode);
+      render(
+        <ManageSpacePage
+          spacesManager={spacesManager}
+          spacesNavState={spacesNavState}
+          userProfile={userProfile}
+        />,
+        domNode
+      );
 
       // unmount react on controller destroy
       $scope.$on('$destroy', () => {
-        unmountComponentAtNode(domNode);
+        if (domNode) {
+          unmountComponentAtNode(domNode);
+        }
       });
     });
-  }
+  },
 });
 
 routes.when('/management/spaces/edit', {
-  redirectTo: '/management/spaces/list'
+  redirectTo: '/management/spaces/list',
 });
 
-routes.when('/management/spaces/edit/:space', {
+routes.when('/management/spaces/edit/:spaceId', {
   template,
-  controller: function ($scope, $http, $route, chrome, Private, spacesNavState, spaceSelectorURL) {
+  controller(
+    $scope: any,
+    $http: any,
+    $route: any,
+    chrome: any,
+    Private: any,
+    spacesNavState: SpacesNavState,
+    spaceSelectorURL: string
+  ) {
     const userProfile = Private(UserProfileProvider);
 
     $scope.$$postDigest(() => {
-
       const domNode = document.getElementById(reactRootNodeId);
 
-      const { space } = $route.current.params;
+      const { spaceId } = $route.current.params;
 
       const spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
 
-      render(<ManageSpacePage
-        httpAgent={$http}
-        space={space}
-        chrome={chrome}
-        spacesManager={spacesManager}
-        spacesNavState={spacesNavState}
-        userProfile={userProfile}
-      />, domNode);
+      render(
+        <ManageSpacePage
+          spaceId={spaceId}
+          spacesManager={spacesManager}
+          spacesNavState={spacesNavState}
+          userProfile={userProfile}
+        />,
+        domNode
+      );
 
       // unmount react on controller destroy
       $scope.$on('$destroy', () => {
-        unmountComponentAtNode(domNode);
+        if (domNode) {
+          unmountComponentAtNode(domNode);
+        }
       });
     });
-  }
+  },
 });
diff --git a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx
index f627159718452d..4a85fc2eaa5f43 100644
--- a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx
+++ b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx
@@ -19,9 +19,10 @@ import {
   EuiSpacer,
   EuiText,
 } from '@elastic/eui';
-
+// @ts-ignore
 import { toastNotifications } from 'ui/notify';
 
+import { SpacesNavState } from 'plugins/spaces/views/nav_control';
 import { UserProfile } from '../../../../../xpack_main/public/services/user_profile';
 import { isReservedSpace } from '../../../../common';
 import { Space } from '../../../../common/model/space';
@@ -32,7 +33,7 @@ import { UnauthorizedPrompt } from '../components/unauthorized_prompt';
 
 interface Props {
   spacesManager: SpacesManager;
-  spacesNavState: any;
+  spacesNavState: SpacesNavState;
   userProfile: UserProfile;
 }
 
diff --git a/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap b/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.tsx.snap
similarity index 97%
rename from x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap
rename to x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.tsx.snap
index 3da9589c10e19d..622f863331e79d 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.js.snap
+++ b/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.tsx.snap
@@ -20,6 +20,7 @@ exports[`NavControlPopover renders without crashing 1`] = `
             size="s"
             space={
               Object {
+                "id": "",
                 "name": "foo",
               }
             }
diff --git a/x-pack/plugins/spaces/public/views/nav_control/index.ts b/x-pack/plugins/spaces/public/views/nav_control/index.ts
index 475360ac74a3b2..541c79a8fd4a36 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/index.ts
+++ b/x-pack/plugins/spaces/public/views/nav_control/index.ts
@@ -5,3 +5,5 @@
  */
 
 import './nav_control';
+
+export { SpacesNavState } from './nav_control';
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
deleted file mode 100644
index 5ed4b57e87ebed..00000000000000
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control.js
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { constant } from 'lodash';
-import { chromeNavControlsRegistry } from 'ui/registry/chrome_nav_controls';
-import { uiModules } from 'ui/modules';
-import { SpacesManager } from 'plugins/spaces/lib/spaces_manager';
-import template from 'plugins/spaces/views/nav_control/nav_control.html';
-import 'plugins/spaces/views/nav_control/nav_control.less';
-import { UserProfileProvider } from 'plugins/xpack_main/services/user_profile';
-
-import React from 'react';
-import { render, unmountComponentAtNode } from 'react-dom';
-import { NavControlPopover } from 'plugins/spaces/views/nav_control/nav_control_popover';
-
-chromeNavControlsRegistry.register(constant({
-  name: 'spaces',
-  order: 90,
-  template
-}));
-
-const module = uiModules.get('spaces_nav', ['kibana']);
-
-let spacesManager;
-
-module.controller('spacesNavController', ($scope, $http, chrome, Private, activeSpace) => {
-  const userProfile = Private(UserProfileProvider);
-
-  const domNode = document.getElementById(`spacesNavReactRoot`);
-  const spaceSelectorURL = chrome.getInjected('spaceSelectorURL');
-
-  spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
-
-  let mounted = false;
-
-  $scope.$parent.$watch('isVisible', function (isVisible) {
-    if (isVisible && !mounted) {
-      render(<NavControlPopover spacesManager={spacesManager} activeSpace={activeSpace} userProfile={userProfile} />, domNode);
-      mounted = true;
-    }
-  });
-
-  // unmount react on controller destroy
-  $scope.$on('$destroy', () => {
-    unmountComponentAtNode(domNode);
-    mounted = false;
-  });
-
-});
-
-module.service('spacesNavState', (activeSpace) => {
-  return {
-    getActiveSpace: () => {
-      return activeSpace.space;
-    },
-    refreshSpacesList: () => {
-      if (spacesManager) {
-        spacesManager.requestRefresh();
-      }
-    }
-  };
-});
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control.tsx b/x-pack/plugins/spaces/public/views/nav_control/nav_control.tsx
new file mode 100644
index 00000000000000..690ae64f775362
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control.tsx
@@ -0,0 +1,87 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { constant } from 'lodash';
+import { SpacesManager } from 'plugins/spaces/lib/spaces_manager';
+// @ts-ignore
+import template from 'plugins/spaces/views/nav_control/nav_control.html';
+import 'plugins/spaces/views/nav_control/nav_control.less';
+import { UserProfileProvider } from 'plugins/xpack_main/services/user_profile';
+// @ts-ignore
+import { uiModules } from 'ui/modules';
+// @ts-ignore
+import { chromeNavControlsRegistry } from 'ui/registry/chrome_nav_controls';
+
+import { NavControlPopover } from 'plugins/spaces/views/nav_control/nav_control_popover';
+import React from 'react';
+import { render, unmountComponentAtNode } from 'react-dom';
+import { Space } from '../../../common/model/space';
+
+chromeNavControlsRegistry.register(
+  constant({
+    name: 'spaces',
+    order: 90,
+    template,
+  })
+);
+
+const module = uiModules.get('spaces_nav', ['kibana']);
+
+export interface SpacesNavState {
+  getActiveSpace: () => Space;
+  refreshSpacesList: () => void;
+}
+
+let spacesManager: SpacesManager;
+
+module.controller(
+  'spacesNavController',
+  ($scope: any, $http: any, chrome: any, Private: any, activeSpace: any) => {
+    const userProfile = Private(UserProfileProvider);
+
+    const domNode = document.getElementById(`spacesNavReactRoot`);
+    const spaceSelectorURL = chrome.getInjected('spaceSelectorURL');
+
+    spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
+
+    let mounted = false;
+
+    $scope.$parent.$watch('isVisible', function isVisibleWatcher(isVisible: boolean) {
+      if (isVisible && !mounted) {
+        render(
+          <NavControlPopover
+            spacesManager={spacesManager}
+            activeSpace={activeSpace}
+            userProfile={userProfile}
+          />,
+          domNode
+        );
+        mounted = true;
+      }
+    });
+
+    // unmount react on controller destroy
+    $scope.$on('$destroy', () => {
+      if (domNode) {
+        unmountComponentAtNode(domNode);
+      }
+      mounted = false;
+    });
+  }
+);
+
+module.service('spacesNavState', (activeSpace: any) => {
+  return {
+    getActiveSpace: () => {
+      return activeSpace.space;
+    },
+    refreshSpacesList: () => {
+      if (spacesManager) {
+        spacesManager.requestRefresh();
+      }
+    },
+  } as SpacesNavState;
+});
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.tsx
similarity index 59%
rename from x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js
rename to x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.tsx
index 9252055e339570..67f6e81df956e6 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.js
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.test.tsx
@@ -4,30 +4,36 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { mount, shallow } from 'enzyme';
 import React from 'react';
-import { shallow, mount } from 'enzyme';
-import { NavControlPopover } from './nav_control_popover';
-import { SpacesManager } from '../../lib/spaces_manager';
 import { SpaceAvatar } from '../../components';
+import { SpacesManager } from '../../lib/spaces_manager';
+import { NavControlPopover } from './nav_control_popover';
 
 const mockChrome = {
-  addBasePath: jest.fn((a) => a)
+  addBasePath: jest.fn((a: string) => a),
 };
 
 const createMockHttpAgent = (withSpaces = false) => {
+  const spaces = [
+    {
+      id: '',
+      name: 'space 1',
+    },
+    {
+      id: '',
+      name: 'space 2',
+    },
+  ];
 
   const mockHttpAgent = {
     get: async () => {
-      const result = withSpaces ? [{
-        name: 'space 1'
-      }, {
-        name: 'space 2'
-      }] : [];
+      const result = withSpaces ? spaces : [];
 
       return {
-        data: result
+        data: result,
       };
-    }
+    },
   };
   return mockHttpAgent;
 };
@@ -35,37 +41,41 @@ const createMockHttpAgent = (withSpaces = false) => {
 describe('NavControlPopover', () => {
   it('renders without crashing', () => {
     const activeSpace = {
-      space: { name: 'foo' },
-      valid: true
+      space: { id: '', name: 'foo' },
+      valid: true,
     };
 
-    const spacesManager = new SpacesManager(createMockHttpAgent(), mockChrome);
+    const spacesManager = new SpacesManager(createMockHttpAgent(), mockChrome, '/');
 
-    const wrapper = shallow(<NavControlPopover
-      activeSpace={activeSpace}
-      spacesManager={spacesManager}
-      userProfile={{ hasCapability: () => true }}
-    />);
+    const wrapper = shallow(
+      <NavControlPopover
+        activeSpace={activeSpace}
+        spacesManager={spacesManager}
+        userProfile={{ hasCapability: () => true }}
+      />
+    );
     expect(wrapper).toMatchSnapshot();
   });
 
   it('renders a SpaceAvatar with the active space', async () => {
     const activeSpace = {
-      space: { name: 'foo' },
-      valid: true
+      space: { id: '', name: 'foo' },
+      valid: true,
     };
 
     const mockAgent = createMockHttpAgent(true);
 
-    const spacesManager = new SpacesManager(mockAgent, mockChrome);
+    const spacesManager = new SpacesManager(mockAgent, mockChrome, '/');
 
-    const wrapper = mount(<NavControlPopover
-      activeSpace={activeSpace}
-      spacesManager={spacesManager}
-      userProfile={{ hasCapability: () => true }}
-    />);
+    const wrapper = mount<any, any>(
+      <NavControlPopover
+        activeSpace={activeSpace}
+        spacesManager={spacesManager}
+        userProfile={{ hasCapability: () => true }}
+      />
+    );
 
-    return new Promise((resolve) => {
+    return new Promise(resolve => {
       setTimeout(() => {
         expect(wrapper.state().spaces).toHaveLength(2);
         wrapper.update();
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
index bdf45b7c61bac7..38a241ef1738c2 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
@@ -17,7 +17,7 @@ interface Props {
   spacesManager: SpacesManager;
   activeSpace: {
     valid: boolean;
-    error: string;
+    error?: string;
     space: Space;
   };
   userProfile: UserProfile;
diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
deleted file mode 100644
index 9f747481e626ea..00000000000000
--- a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.js.snap
+++ /dev/null
@@ -1,107 +0,0 @@
-// Jest Snapshot v1, https://goo.gl/fbAQLP
-
-exports[`it renders without crashing 1`] = `
-<div
-  className="euiPage spaceSelector__page"
->
-  <div
-    className="euiPageBody"
-  >
-    <div
-      className="euiPageHeader euiPageHeader--responsive spaceSelector__heading"
-    >
-      <div
-        className="euiPageHeaderSection spaceSelector__logoHeader"
-      >
-        <div
-          className="spaceSelector__logoCircle"
-        >
-          <svg
-            className="euiIcon euiIcon--xxLarge"
-            focusable="false"
-            height="40"
-            style={
-              Object {
-                "fill": undefined,
-              }
-            }
-            viewBox="0 0 30 40"
-            width="30"
-            xmlns="http://www.w3.org/2000/svg"
-          >
-            <path
-              d="M.874 40H30c0-8.046-4.566-15.197-11.652-19.768L.874 40z"
-              fill="#3EBEB0"
-            />
-            <path
-              d="M0 26v14h1.873L18.35 20.229a31.291 31.291 0 0 0-3.562-1.974L0 26z"
-              fill="#37A595"
-            />
-            <path
-              d="M0 13v23l14.79-17.748C10.424 16.186 15.38 14 10 14L0 13z"
-              fill="#353535"
-            />
-            <path
-              d="M30 0H0v15c5.38 0 10.424 1.186 14.79 3.252L30 0z"
-              fill="#E9478B"
-            />
-          </svg>
-        </div>
-        <div
-          className="euiSpacer euiSpacer--l"
-        />
-        <p
-          className="euiTitle euiTitle--large euiTextColor--ghost"
-        >
-          Select your space
-        </p>
-      </div>
-    </div>
-    <div
-      className="euiPanel euiPanel--paddingLarge euiPageContent spaceSelector__pageContent"
-    >
-      <div
-        className="euiFlexGroup euiFlexGroup--gutterLarge euiFlexGroup--alignItemsCenter euiFlexGroup--directionColumn"
-      >
-        <div
-          className="euiFlexItem"
-        >
-          <div
-            className="euiText euiText--extraSmall"
-          >
-            <p>
-              You can change your space at anytime.
-            </p>
-          </div>
-        </div>
-      </div>
-      <div
-        className="euiSpacer euiSpacer--xl"
-      />
-      <div
-        className="spaceCards"
-      >
-        <div
-          className="euiFlexGroup euiFlexGroup--gutterLarge euiFlexGroup--justifyContentCenter euiFlexGroup--directionRow euiFlexGroup--wrap"
-        />
-      </div>
-      <div
-        className="euiSpacer euiSpacer--l"
-      />
-      <div
-        className="euiText"
-      >
-        <div
-          className="euiTextAlign euiTextAlign--center"
-        >
-          <div
-            className="euiTextColor euiTextColor--subdued"
-          >
-            No spaces match search criteria
-          </div>
-        </div>
-      </div>
-    </div>
-  </div>
-</div>
-`;
diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.tsx.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.tsx.snap
new file mode 100644
index 00000000000000..47be61bc3c1482
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.tsx.snap
@@ -0,0 +1,88 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`it renders without crashing 1`] = `
+<EuiPage
+  className="spaceSelector__page"
+  restrictWidth={false}
+>
+  <EuiPageBody
+    restrictWidth={false}
+  >
+    <EuiPageHeader
+      className="spaceSelector__heading"
+      responsive={true}
+    >
+      <EuiPageHeaderSection
+        className="spaceSelector__logoHeader"
+      >
+        <div
+          className="spaceSelector__logoCircle"
+        >
+          <EuiIcon
+            size="xxl"
+            type="logoKibana"
+          />
+        </div>
+        <EuiSpacer
+          size="l"
+        />
+        <EuiTitle
+          className="euiTextColor--ghost"
+          size="l"
+        >
+          <p>
+            Select your space
+          </p>
+        </EuiTitle>
+      </EuiPageHeaderSection>
+    </EuiPageHeader>
+    <EuiPageContent
+      className="spaceSelector__pageContent"
+      panelPaddingSize="l"
+    >
+      <EuiFlexGroup
+        alignItems="center"
+        component="div"
+        direction="column"
+        gutterSize="l"
+        justifyContent="flexStart"
+        responsive={false}
+        wrap={false}
+      >
+        <EuiFlexItem
+          component="div"
+          grow={true}
+        >
+          <EuiText
+            grow={true}
+            size="xs"
+          >
+            <p>
+              You can change your space at anytime.
+            </p>
+          </EuiText>
+        </EuiFlexItem>
+      </EuiFlexGroup>
+      <EuiSpacer
+        size="xl"
+      />
+      <SpaceCards
+        onSpaceSelect={[Function]}
+        spaces={Array []}
+      />
+      <React.Fragment>
+        <EuiSpacer
+          size="l"
+        />
+        <EuiText
+          color="subdued"
+          grow={true}
+          textAlign="center"
+        >
+          No spaces match search criteria
+        </EuiText>
+      </React.Fragment>
+    </EuiPageContent>
+  </EuiPageBody>
+</EuiPage>
+`;
diff --git a/x-pack/plugins/spaces/public/views/space_selector/index.js b/x-pack/plugins/spaces/public/views/space_selector/index.tsx
similarity index 53%
rename from x-pack/plugins/spaces/public/views/space_selector/index.js
rename to x-pack/plugins/spaces/public/views/space_selector/index.tsx
index 210e8ac8d5f829..e9b9a1795cf20a 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/index.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/index.tsx
@@ -4,31 +4,37 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { SpacesManager } from 'plugins/spaces/lib/spaces_manager';
+// @ts-ignore
+import template from 'plugins/spaces/views/space_selector/space_selector.html';
+import 'plugins/spaces/views/space_selector/space_selector.less';
 import 'ui/autoload/styles';
 import chrome from 'ui/chrome';
-import 'plugins/spaces/views/space_selector/space_selector.less';
-import template from 'plugins/spaces/views/space_selector/space_selector.html';
-import { SpacesManager } from 'plugins/spaces/lib/spaces_manager';
+// @ts-ignore
 import { uiModules } from 'ui/modules';
 
 import React from 'react';
 import { render, unmountComponentAtNode } from 'react-dom';
+import { Space } from '../../../common/model/space';
 import { SpaceSelector } from './space_selector';
 
 const module = uiModules.get('spaces_selector', []);
-module.controller('spacesSelectorController', ($scope, $http, spaces, spaceSelectorURL) => {
-  const domNode = document.getElementById('spaceSelectorRoot');
+module.controller(
+  'spacesSelectorController',
+  ($scope: any, $http: any, spaces: Space[], spaceSelectorURL: string) => {
+    const domNode = document.getElementById('spaceSelectorRoot');
 
-  const spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
+    const spacesManager = new SpacesManager($http, chrome, spaceSelectorURL);
 
-  render(<SpaceSelector spaces={spaces} spacesManager={spacesManager} />, domNode);
+    render(<SpaceSelector spaces={spaces} spacesManager={spacesManager} />, domNode);
 
-  // unmount react on controller destroy
-  $scope.$on('$destroy', () => {
-    unmountComponentAtNode(domNode);
-  });
-});
+    // unmount react on controller destroy
+    $scope.$on('$destroy', () => {
+      if (domNode) {
+        unmountComponentAtNode(domNode);
+      }
+    });
+  }
+);
 
-chrome
-  .setVisible(false)
-  .setRootTemplate(template);
+chrome.setVisible(false).setRootTemplate(template);
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.tsx
similarity index 52%
rename from x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js
rename to x-pack/plugins/spaces/public/views/space_selector/space_selector.test.tsx
index eccdddb16c1e7e..b748d8aaf81e2e 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.tsx
@@ -4,23 +4,24 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { render, shallow } from 'enzyme';
 import React from 'react';
-import { SpaceSelector } from './space_selector';
 import chrome from 'ui/chrome';
-import renderer from 'react-test-renderer';
-import { render, shallow } from 'enzyme';
+import { Space } from '../../../common/model/space';
 import { SpacesManager } from '../../lib/spaces_manager';
+import { SpaceSelector } from './space_selector';
 
-
-function getHttpAgent(spaces = []) {
-  const httpAgent = () => { };
+function getHttpAgent(spaces: Space[] = []) {
+  const httpAgent: any = () => {
+    return;
+  };
   httpAgent.get = jest.fn(() => Promise.resolve({ data: spaces }));
 
   return httpAgent;
 }
 
-function getSpacesManager(spaces = []) {
-  const manager = new SpacesManager(getHttpAgent(spaces), chrome);
+function getSpacesManager(spaces: Space[] = []) {
+  const manager = new SpacesManager(getHttpAgent(spaces), chrome, '/');
 
   const origGet = manager.getSpaces;
   manager.getSpaces = jest.fn(origGet);
@@ -28,52 +29,45 @@ function getSpacesManager(spaces = []) {
   return manager;
 }
 
-
 test('it renders without crashing', () => {
   const spacesManager = getSpacesManager();
-  const component = renderer.create(
-    <SpaceSelector spaces={[]} spacesManager={spacesManager} />
-  );
+  const component = shallow(<SpaceSelector spaces={[]} spacesManager={spacesManager} />);
   expect(component).toMatchSnapshot();
 });
 
 test('it uses the spaces on props, when provided', () => {
   const spacesManager = getSpacesManager();
 
-  const spaces = [{
-    id: 'space-1',
-    name: 'Space 1',
-    description: 'This is the first space',
-  }];
+  const spaces = [
+    {
+      id: 'space-1',
+      name: 'Space 1',
+      description: 'This is the first space',
+    },
+  ];
 
-  const component = render(
-    <SpaceSelector spaces={spaces} spacesManager={spacesManager} />
-  );
+  const component = render(<SpaceSelector spaces={spaces} spacesManager={spacesManager} />);
 
-  return Promise
-    .resolve()
-    .then(() => {
-      expect(component.find('.spaceCard')).toHaveLength(1);
-      expect(spacesManager.getSpaces).toHaveBeenCalledTimes(0);
-    });
+  return Promise.resolve().then(() => {
+    expect(component.find('.spaceCard')).toHaveLength(1);
+    expect(spacesManager.getSpaces).toHaveBeenCalledTimes(0);
+  });
 });
 
 test('it queries for spaces when not provided on props', () => {
-  const spaces = [{
-    id: 'space-1',
-    name: 'Space 1',
-    description: 'This is the first space',
-  }];
+  const spaces = [
+    {
+      id: 'space-1',
+      name: 'Space 1',
+      description: 'This is the first space',
+    },
+  ];
 
   const spacesManager = getSpacesManager(spaces);
 
-  shallow(
-    <SpaceSelector spacesManager={spacesManager} />
-  );
+  shallow(<SpaceSelector spacesManager={spacesManager} />);
 
-  return Promise
-    .resolve()
-    .then(() => {
-      expect(spacesManager.getSpaces).toHaveBeenCalledTimes(1);
-    });
+  return Promise.resolve().then(() => {
+    expect(spacesManager.getSpaces).toHaveBeenCalledTimes(1);
+  });
 });
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js b/x-pack/plugins/spaces/public/views/space_selector/space_selector.tsx
similarity index 58%
rename from x-pack/plugins/spaces/public/views/space_selector/space_selector.js
rename to x-pack/plugins/spaces/public/views/space_selector/space_selector.tsx
index 3508bdefe3b0b8..fe596d761f9998 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.js
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.tsx
@@ -4,68 +4,82 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { Component, Fragment } from 'react';
-import PropTypes from 'prop-types';
 import {
+  EuiFieldSearch,
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiIcon,
   EuiPage,
-  EuiPageHeader,
   EuiPageBody,
   EuiPageContent,
+  EuiPageHeader,
   EuiPageHeaderSection,
-  EuiIcon,
   EuiSpacer,
   EuiText,
   EuiTitle,
-  EuiFieldSearch,
-  EuiFlexGroup,
-  EuiFlexItem,
 } from '@elastic/eui';
-import { SpaceCards } from '../components/space_cards';
+import { SpacesManager } from 'plugins/spaces/lib';
+import React, { Component, Fragment } from 'react';
 import { SPACE_SEARCH_COUNT_THRESHOLD } from '../../../common/constants';
+import { Space } from '../../../common/model/space';
+import { SpaceCards } from '../components/space_cards';
 
-export class SpaceSelector extends Component {
-  state = {
-    loading: false,
-    searchTerm: '',
-    spaces: []
-  };
+interface Props {
+  spaces?: Space[];
+  spacesManager: SpacesManager;
+}
 
-  constructor(props) {
+interface State {
+  loading: boolean;
+  searchTerm: string;
+  spaces: Space[];
+}
+
+export class SpaceSelector extends Component<Props, State> {
+  constructor(props: Props) {
     super(props);
+
+    const state: State = {
+      loading: false,
+      searchTerm: '',
+      spaces: [],
+    };
+
     if (Array.isArray(props.spaces)) {
-      this.state.spaces = [...props.spaces];
+      state.spaces = [...props.spaces];
     }
+
+    this.state = state;
   }
 
-  componentDidMount() {
+  public componentDidMount() {
     if (this.state.spaces.length === 0) {
       this.loadSpaces();
     }
   }
 
-  loadSpaces() {
+  public loadSpaces() {
     this.setState({ loading: true });
     const { spacesManager } = this.props;
 
-    spacesManager.getSpaces()
-      .then(spaces => {
-        this.setState({
-          loading: false,
-          spaces
-        });
+    spacesManager.getSpaces().then(spaces => {
+      this.setState({
+        loading: false,
+        spaces,
       });
+    });
   }
 
-  render() {
-    const {
-      spaces,
-      searchTerm,
-    } = this.state;
+  public render() {
+    const { spaces, searchTerm } = this.state;
 
     let filteredSpaces = spaces;
     if (searchTerm) {
-      filteredSpaces = spaces
-        .filter(space => space.name.toLowerCase().indexOf(searchTerm) >= 0 || space.description.toLowerCase().indexOf(searchTerm) >= 0);
+      filteredSpaces = spaces.filter(
+        space =>
+          space.name.toLowerCase().indexOf(searchTerm) >= 0 ||
+          (space.description || '').toLowerCase().indexOf(searchTerm) >= 0
+      );
     }
 
     return (
@@ -80,17 +94,23 @@ export class SpaceSelector extends Component {
               <EuiSpacer />
 
               <EuiTitle size="l" className="euiTextColor--ghost">
-                <p >Select your space</p>
+                <p>Select your space</p>
               </EuiTitle>
             </EuiPageHeaderSection>
           </EuiPageHeader>
           <EuiPageContent className="spaceSelector__pageContent">
-
-            <EuiFlexGroup direction="column" alignItems="center" responsive={false}>
+            <EuiFlexGroup
+              // @ts-ignore
+              direction="column"
+              alignItems="center"
+              responsive={false}
+            >
               {this.getSearchField()}
 
               <EuiFlexItem>
-                <EuiText size="xs"><p>You can change your space at anytime.</p></EuiText>
+                <EuiText size="xs">
+                  <p>You can change your space at anytime.</p>
+                </EuiText>
               </EuiFlexItem>
             </EuiFlexGroup>
 
@@ -98,21 +118,25 @@ export class SpaceSelector extends Component {
 
             <SpaceCards spaces={filteredSpaces} onSpaceSelect={this.onSelectSpace} />
 
-            {
-              filteredSpaces.length === 0 &&
+            {filteredSpaces.length === 0 && (
               <Fragment>
                 <EuiSpacer />
-                <EuiText color="subdued" textAlign="center">No spaces match search criteria</EuiText>
+                <EuiText
+                  color="subdued"
+                  // @ts-ignore
+                  textAlign="center"
+                >
+                  No spaces match search criteria
+                </EuiText>
               </Fragment>
-            }
-
+            )}
           </EuiPageContent>
         </EuiPageBody>
       </EuiPage>
     );
   }
 
-  getSearchField = () => {
+  public getSearchField = () => {
     if (!this.props.spaces || this.props.spaces.length < SPACE_SEARCH_COUNT_THRESHOLD) {
       return null;
     }
@@ -122,24 +146,20 @@ export class SpaceSelector extends Component {
           className="spaceSelector__searchField"
           placeholder="Find a space"
           incremental={true}
+          // @ts-ignore
           onSearch={this.onSearch}
         />
       </EuiFlexItem>
     );
-  }
+  };
 
-  onSearch = (searchTerm = '') => {
+  public onSearch = (searchTerm = '') => {
     this.setState({
-      searchTerm: searchTerm.trim().toLowerCase()
+      searchTerm: searchTerm.trim().toLowerCase(),
     });
-  }
+  };
 
-  onSelectSpace = (space) => {
+  public onSelectSpace = (space: Space) => {
     this.props.spacesManager.changeSelectedSpace(space);
-  }
+  };
 }
-
-SpaceSelector.propTypes = {
-  spaces: PropTypes.array,
-  spacesManager: PropTypes.object.isRequired
-};
diff --git a/x-pack/plugins/spaces/server/lib/__snapshots__/spaces_url_parser.test.js.snap b/x-pack/plugins/spaces/server/lib/__snapshots__/spaces_url_parser.test.ts.snap
similarity index 100%
rename from x-pack/plugins/spaces/server/lib/__snapshots__/spaces_url_parser.test.js.snap
rename to x-pack/plugins/spaces/server/lib/__snapshots__/spaces_url_parser.test.ts.snap
diff --git a/x-pack/plugins/spaces/server/lib/check_license.js b/x-pack/plugins/spaces/server/lib/check_license.ts
similarity index 73%
rename from x-pack/plugins/spaces/server/lib/check_license.js
rename to x-pack/plugins/spaces/server/lib/check_license.ts
index f88e8f8221f000..e7fc63e724feb7 100644
--- a/x-pack/plugins/spaces/server/lib/check_license.js
+++ b/x-pack/plugins/spaces/server/lib/check_license.ts
@@ -4,10 +4,9 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-/**
- * @typedef {Object} LicenseCheckResult Result of the license check.
- * @property {boolean} showSpaces Indicates whether spaces should be enabled
- */
+export interface LicenseCheckResult {
+  showSpaces: boolean;
+}
 
 /**
  * Returns object that defines behavior of the spaces related features based
@@ -15,10 +14,10 @@
  * @param {XPackInfo} xPackInfo XPackInfo instance to extract license information from.
  * @returns {LicenseCheckResult}
  */
-export function checkLicense(xPackInfo) {
+export function checkLicense(xPackInfo: any): LicenseCheckResult {
   if (!xPackInfo.isAvailable()) {
     return {
-      showSpaces: false
+      showSpaces: false,
     };
   }
 
@@ -26,11 +25,11 @@ export function checkLicense(xPackInfo) {
 
   if (!isAnyXpackLicense) {
     return {
-      showSpaces: false
+      showSpaces: false,
     };
   }
 
   return {
-    showSpaces: true
+    showSpaces: true,
   };
 }
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.test.js b/x-pack/plugins/spaces/server/lib/create_default_space.test.ts
similarity index 74%
rename from x-pack/plugins/spaces/server/lib/create_default_space.test.js
rename to x-pack/plugins/spaces/server/lib/create_default_space.test.ts
index a3afd24bb95fc7..d0cf2812cc26d1 100644
--- a/x-pack/plugins/spaces/server/lib/create_default_space.test.js
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.test.ts
@@ -3,28 +3,29 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+jest.mock('../../../../server/lib/get_client_shield', () => ({
+  getClient: jest.fn(),
+}));
+
 import Boom from 'boom';
+// @ts-ignore
 import { getClient } from '../../../../server/lib/get_client_shield';
 import { createDefaultSpace } from './create_default_space';
 
-jest.mock('../../../../server/lib/get_client_shield', () => ({
-  getClient: jest.fn()
-}));
-
 let mockCallWithRequest;
 beforeEach(() => {
   mockCallWithRequest = jest.fn();
   getClient.mockReturnValue({
-    callWithRequest: mockCallWithRequest
+    callWithRequest: mockCallWithRequest,
   });
 });
-
-const createMockServer = (settings = {}) => {
-
-  const {
-    defaultExists = false,
-    simulateErrorCondition = false
-  } = settings;
+interface MockServerSettings {
+  defaultExists?: boolean;
+  simulateErrorCondition?: boolean;
+  [invalidKeys: string]: any;
+}
+const createMockServer = (settings: MockServerSettings = {}) => {
+  const { defaultExists = false, simulateErrorCondition = false } = settings;
 
   const mockGet = jest.fn().mockImplementation(() => {
     if (simulateErrorCondition) {
@@ -37,28 +38,28 @@ const createMockServer = (settings = {}) => {
     throw Boom.notFound('unit test: default space not found');
   });
 
-  const mockCreate = jest.fn().mockReturnValue();
+  const mockCreate = jest.fn().mockReturnValue(null);
 
   const mockServer = {
     config: jest.fn().mockReturnValue({
-      get: jest.fn()
+      get: jest.fn(),
     }),
     savedObjects: {
       SavedObjectsClient: {
         errors: {
-          isNotFoundError: (e) => e.message === 'unit test: default space not found'
-        }
+          isNotFoundError: (e: Error) => e.message === 'unit test: default space not found',
+        },
       },
       getSavedObjectsRepository: jest.fn().mockImplementation(() => {
         return {
           get: mockGet,
           create: mockCreate,
         };
-      })
-    }
+      }),
+    },
   };
 
-  mockServer.config().get.mockImplementation(key => {
+  mockServer.config().get.mockImplementation((key: string) => {
     return settings[key];
   });
 
@@ -67,7 +68,7 @@ const createMockServer = (settings = {}) => {
 
 test(`it creates the default space when one does not exist`, async () => {
   const server = createMockServer({
-    defaultExists: false
+    defaultExists: false,
   });
 
   await createDefaultSpace(server);
@@ -78,14 +79,19 @@ test(`it creates the default space when one does not exist`, async () => {
   expect(repository.create).toHaveBeenCalledTimes(1);
   expect(repository.create).toHaveBeenCalledWith(
     'space',
-    { "_reserved": true, "description": "This is your default space!", "name": "Default", "color": "#00bfb3" },
-    { "id": "default" }
+    {
+      _reserved: true,
+      description: 'This is your default space!',
+      name: 'Default',
+      color: '#00bfb3',
+    },
+    { id: 'default' }
   );
 });
 
 test(`it does not attempt to recreate the default space if it already exists`, async () => {
   const server = createMockServer({
-    defaultExists: true
+    defaultExists: true,
   });
 
   await createDefaultSpace(server);
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.js b/x-pack/plugins/spaces/server/lib/create_default_space.ts
similarity index 63%
rename from x-pack/plugins/spaces/server/lib/create_default_space.js
rename to x-pack/plugins/spaces/server/lib/create_default_space.ts
index 625b9229f9bd00..1e0e28c2f98b87 100644
--- a/x-pack/plugins/spaces/server/lib/create_default_space.js
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.ts
@@ -3,36 +3,43 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-
+// @ts-ignore
 import { getClient } from '../../../../server/lib/get_client_shield';
 import { DEFAULT_SPACE_ID } from '../../common/constants';
 
-export async function createDefaultSpace(server) {
+export async function createDefaultSpace(server: any) {
   const { callWithInternalUser: callCluster } = getClient(server);
 
   const { getSavedObjectsRepository, SavedObjectsClient } = server.savedObjects;
 
   const savedObjectsRepository = getSavedObjectsRepository(callCluster);
 
-  const defaultSpaceExists = await doesDefaultSpaceExist(SavedObjectsClient, savedObjectsRepository);
+  const defaultSpaceExists = await doesDefaultSpaceExist(
+    SavedObjectsClient,
+    savedObjectsRepository
+  );
 
   if (defaultSpaceExists) {
     return;
   }
 
   const options = {
-    id: DEFAULT_SPACE_ID
+    id: DEFAULT_SPACE_ID,
   };
 
-  await savedObjectsRepository.create('space', {
-    name: 'Default',
-    description: 'This is your default space!',
-    color: '#00bfb3',
-    _reserved: true
-  }, options);
+  await savedObjectsRepository.create(
+    'space',
+    {
+      name: 'Default',
+      description: 'This is your default space!',
+      color: '#00bfb3',
+      _reserved: true,
+    },
+    options
+  );
 }
 
-async function doesDefaultSpaceExist(SavedObjectsClient, savedObjectsRepository) {
+async function doesDefaultSpaceExist(SavedObjectsClient: any, savedObjectsRepository: any) {
   try {
     await savedObjectsRepository.get('space', DEFAULT_SPACE_ID);
     return true;
diff --git a/x-pack/plugins/spaces/server/lib/create_spaces_service.test.js b/x-pack/plugins/spaces/server/lib/create_spaces_service.test.ts
similarity index 73%
rename from x-pack/plugins/spaces/server/lib/create_spaces_service.test.js
rename to x-pack/plugins/spaces/server/lib/create_spaces_service.test.ts
index c27a505616018b..3eec4535547026 100644
--- a/x-pack/plugins/spaces/server/lib/create_spaces_service.test.js
+++ b/x-pack/plugins/spaces/server/lib/create_spaces_service.test.ts
@@ -4,28 +4,29 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { createSpacesService } from "./create_spaces_service";
 import { DEFAULT_SPACE_ID } from '../../common/constants';
+import { createSpacesService } from './create_spaces_service';
 
-const createRequest = (spaceId, serverBasePath = '') => ({
-  getBasePath: () => spaceId && spaceId !== DEFAULT_SPACE_ID ? `${serverBasePath}/s/${spaceId}` : serverBasePath
+const createRequest = (spaceId?: string, serverBasePath = '') => ({
+  getBasePath: () =>
+    spaceId && spaceId !== DEFAULT_SPACE_ID ? `${serverBasePath}/s/${spaceId}` : serverBasePath,
 });
 
-const createMockServer = (config) => {
+const createMockServer = (config: any) => {
   return {
     config: jest.fn(() => {
       return {
-        get: jest.fn((key) => {
+        get: jest.fn((key: string) => {
           return config[key];
-        })
+        }),
       };
-    })
+    }),
   };
 };
 
 test('returns the default space ID', () => {
   const server = createMockServer({
-    'server.basePath': ''
+    'server.basePath': '',
   });
 
   const service = createSpacesService(server);
@@ -35,7 +36,7 @@ test('returns the default space ID', () => {
 test('returns the id for the current space', () => {
   const request = createRequest('my-space-context');
   const server = createMockServer({
-    'server.basePath': ''
+    'server.basePath': '',
   });
 
   const service = createSpacesService(server);
@@ -45,7 +46,7 @@ test('returns the id for the current space', () => {
 test(`returns the id for the current space when a server basepath is defined`, () => {
   const request = createRequest('my-space-context', '/foo');
   const server = createMockServer({
-    'server.basePath': '/foo'
+    'server.basePath': '/foo',
   });
 
   const service = createSpacesService(server);
diff --git a/x-pack/plugins/spaces/server/lib/get_active_space.js b/x-pack/plugins/spaces/server/lib/get_active_space.ts
similarity index 65%
rename from x-pack/plugins/spaces/server/lib/get_active_space.js
rename to x-pack/plugins/spaces/server/lib/get_active_space.ts
index 143ed1b3e5dda4..907b7b164b69b3 100644
--- a/x-pack/plugins/spaces/server/lib/get_active_space.js
+++ b/x-pack/plugins/spaces/server/lib/get_active_space.ts
@@ -4,16 +4,21 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { Space } from '../../common/model/space';
 import { wrapError } from './errors';
+import { SpacesClient } from './spaces_client';
 import { getSpaceIdFromPath } from './spaces_url_parser';
 
-export async function getActiveSpace(spacesClient, requestBasePath, serverBasePath) {
+export async function getActiveSpace(
+  spacesClient: SpacesClient,
+  requestBasePath: string,
+  serverBasePath: string
+): Promise<Space> {
   const spaceId = getSpaceIdFromPath(requestBasePath, serverBasePath);
 
   try {
     return spacesClient.get(spaceId);
-  }
-  catch (e) {
+  } catch (e) {
     throw wrapError(e);
   }
 }
diff --git a/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.test.js b/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.test.ts
similarity index 78%
rename from x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.test.js
rename to x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.test.ts
index 490c1c13ec7abb..ef4cb9b01ec1e4 100644
--- a/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.test.js
+++ b/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.test.ts
@@ -4,62 +4,72 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { getSpacesUsageCollector } from './get_spaces_usage_collector';
+import { getSpacesUsageCollector, UsageStats } from './get_spaces_usage_collector';
 
-function getServerMock(customization) {
+function getServerMock(customization?: any) {
   class MockUsageCollector {
-    constructor(_server, { fetch }) {
+    private fetch: any;
+
+    constructor(server: any, { fetch }: any) {
       this.fetch = fetch;
     }
+    // to make typescript happy
+    public fakeFetchUsage() {
+      return this.fetch;
+    }
   }
 
   const getLicenseCheckResults = jest.fn().mockReturnValue({});
   const defaultServerMock = {
     plugins: {
       security: {
-        isAuthenticated: jest.fn().mockReturnValue(true)
+        isAuthenticated: jest.fn().mockReturnValue(true),
       },
       xpack_main: {
         info: {
           isAvailable: jest.fn().mockReturnValue(true),
           feature: () => ({
-            getLicenseCheckResults
+            getLicenseCheckResults,
           }),
           license: {
             isOneOf: jest.fn().mockReturnValue(false),
             getType: jest.fn().mockReturnValue('platinum'),
           },
-          toJSON: () => ({ b: 1 })
-        }
-      }
+          toJSON: () => ({ b: 1 }),
+        },
+      },
+    },
+    expose: () => {
+      return;
+    },
+    log: () => {
+      return;
     },
-    expose: () => { },
-    log: () => { },
     config: () => ({
-      get: key => {
+      get: (key: string) => {
         if (key === 'xpack.spaces.enabled') {
           return true;
         }
-      }
+      },
     }),
     usage: {
       collectorSet: {
-        makeUsageCollector: options => {
-          return new MockUsageCollector(this, options);
-        }
-      }
+        makeUsageCollector: (options: any) => {
+          return new MockUsageCollector(defaultServerMock, options);
+        },
+      },
     },
     savedObjects: {
       getSavedObjectsRepository: jest.fn(() => {
         return {
           find() {
             return {
-              saved_objects: ['a', 'b']
+              saved_objects: ['a', 'b'],
             };
-          }
+          },
         };
-      })
-    }
+      }),
+    },
   };
   return Object.assign(defaultServerMock, customization);
 }
@@ -75,15 +85,17 @@ test('sets enabled to false when spaces is turned off', async () => {
   const serverMock = getServerMock({ config: () => ({ get: mockConfigGet }) });
   const callClusterMock = jest.fn();
   const { fetch: getSpacesUsage } = getSpacesUsageCollector(serverMock);
-  const usageStats = await getSpacesUsage(callClusterMock);
+  const usageStats: UsageStats = await getSpacesUsage(callClusterMock);
   expect(usageStats.enabled).toBe(false);
 });
 
 describe('with a basic license', async () => {
-  let usageStats;
+  let usageStats: UsageStats;
   beforeAll(async () => {
     const serverWithBasicLicenseMock = getServerMock();
-    serverWithBasicLicenseMock.plugins.xpack_main.info.license.getType = jest.fn().mockReturnValue('basic');
+    serverWithBasicLicenseMock.plugins.xpack_main.info.license.getType = jest
+      .fn()
+      .mockReturnValue('basic');
     const callClusterMock = jest.fn(() => Promise.resolve({}));
     const { fetch: getSpacesUsage } = getSpacesUsageCollector(serverWithBasicLicenseMock);
     usageStats = await getSpacesUsage(callClusterMock);
@@ -103,7 +115,7 @@ describe('with a basic license', async () => {
 });
 
 describe('with no license', async () => {
-  let usageStats;
+  let usageStats: UsageStats;
   beforeAll(async () => {
     const serverWithNoLicenseMock = getServerMock();
     serverWithNoLicenseMock.plugins.xpack_main.info.isAvailable = jest.fn().mockReturnValue(false);
@@ -126,10 +138,12 @@ describe('with no license', async () => {
 });
 
 describe('with platinum license', async () => {
-  let usageStats;
+  let usageStats: UsageStats;
   beforeAll(async () => {
     const serverWithPlatinumLicenseMock = getServerMock();
-    serverWithPlatinumLicenseMock.plugins.xpack_main.info.license.getType = jest.fn().mockReturnValue('platinum');
+    serverWithPlatinumLicenseMock.plugins.xpack_main.info.license.getType = jest
+      .fn()
+      .mockReturnValue('platinum');
     const callClusterMock = jest.fn(() => Promise.resolve({}));
     const { fetch: getSpacesUsage } = getSpacesUsageCollector(serverWithPlatinumLicenseMock);
     usageStats = await getSpacesUsage(callClusterMock);
diff --git a/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.js b/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.ts
similarity index 80%
rename from x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.js
rename to x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.ts
index 455d2f0932b322..9361bfaf18b373 100644
--- a/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.js
+++ b/x-pack/plugins/spaces/server/lib/get_spaces_usage_collector.ts
@@ -3,9 +3,9 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-
-import { KIBANA_SPACES_STATS_TYPE } from '../../common/constants';
+// @ts-ignore
 import { KIBANA_STATS_TYPE_MONITORING } from '../../../monitoring/common/constants';
+import { KIBANA_SPACES_STATS_TYPE } from '../../common/constants';
 
 /**
  *
@@ -15,8 +15,10 @@ import { KIBANA_STATS_TYPE_MONITORING } from '../../../monitoring/common/constan
  * @param withinDayRange
  * @return {ReportingUsageStats}
  */
-async function getSpacesUsage(callCluster, server, spacesAvailable) {
-  if (!spacesAvailable) return {};
+async function getSpacesUsage(callCluster: any, server: any, spacesAvailable: boolean) {
+  if (!spacesAvailable) {
+    return {};
+  }
 
   const { getSavedObjectsRepository } = server.savedObjects;
 
@@ -29,15 +31,20 @@ async function getSpacesUsage(callCluster, server, spacesAvailable) {
   };
 }
 
+export interface UsageStats {
+  available: boolean;
+  enabled: boolean;
+  count?: number;
+}
 /*
  * @param {Object} server
  * @return {Object} kibana usage stats type collection object
  */
-export function getSpacesUsageCollector(server) {
+export function getSpacesUsageCollector(server: any) {
   const { collectorSet } = server.usage;
   return collectorSet.makeUsageCollector({
     type: KIBANA_SPACES_STATS_TYPE,
-    fetch: async callCluster => {
+    fetch: async (callCluster: any) => {
       const xpackInfo = server.plugins.xpack_main.info;
       const config = server.config();
       const available = xpackInfo && xpackInfo.isAvailable(); // some form of spaces is available for all valid licenses
@@ -50,7 +57,7 @@ export function getSpacesUsageCollector(server) {
         available,
         enabled: spacesAvailableAndEnabled, // similar behavior as _xpack API in ES
         ...usageStats,
-      };
+      } as UsageStats;
     },
 
     /*
@@ -58,18 +65,17 @@ export function getSpacesUsageCollector(server) {
      * 1. Make this data part of the "kibana_stats" type
      * 2. Organize the payload in the usage.xpack.spaces namespace of the data payload
      */
-    formatForBulkUpload: result => {
+    formatForBulkUpload: (result: UsageStats) => {
       return {
         type: KIBANA_STATS_TYPE_MONITORING,
         payload: {
           usage: {
             xpack: {
-              spaces: result
-            }
-          }
-        }
+              spaces: result,
+            },
+          },
+        },
       };
-
-    }
+    },
   });
 }
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap b/x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.ts.snap
similarity index 100%
rename from x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.js.snap
rename to x-pack/plugins/spaces/server/lib/saved_objects_client/__snapshots__/spaces_saved_objects_client.test.ts.snap
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_types.ts b/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_types.ts
new file mode 100644
index 00000000000000..b2cdc09d66a1b7
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_types.ts
@@ -0,0 +1,97 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export interface BaseOptions {
+  namespace?: string;
+}
+
+export interface CreateOptions extends BaseOptions {
+  id?: string;
+  override?: boolean;
+}
+
+export interface BulkCreateObject {
+  id?: string;
+  type: string;
+  attributes: SavedObjectAttributes;
+  extraDocumentProperties?: string[];
+}
+
+export interface BulkCreateResponse {
+  savedObjects: SavedObject[];
+}
+
+export interface FindOptions extends BaseOptions {
+  page?: number;
+  perPage?: number;
+  sortField?: string;
+  sortOrder?: string;
+  fields?: string[];
+  type?: string | string[];
+}
+
+export interface FindResponse {
+  savedObjects: SavedObject[];
+  total: number;
+  perPage: number;
+  page: number;
+}
+
+export interface UpdateOptions extends BaseOptions {
+  version?: number;
+}
+
+export interface BulkGetObject {
+  id: string;
+  type: string;
+}
+export type BulkGetObjects = BulkGetObject[];
+
+export interface BulkGetResponse {
+  savedObjects: SavedObject[];
+}
+
+export interface SavedObjectAttributes {
+  [key: string]: string | number | boolean | null;
+}
+
+export interface SavedObject {
+  id: string;
+  type: string;
+  version?: number;
+  updatedAt?: string;
+  error?: {
+    message: string;
+  };
+  attributes: SavedObjectAttributes;
+}
+
+export interface SavedObjectsClient {
+  errors: any;
+  create: (
+    type: string,
+    attributes: SavedObjectAttributes,
+    options?: CreateOptions
+  ) => Promise<SavedObject>;
+  bulkCreate: (objects: BulkCreateObject[], options?: CreateOptions) => Promise<BulkCreateResponse>;
+  delete: (type: string, id: string, options?: BaseOptions) => Promise<{}>;
+  find: (options: FindOptions) => Promise<FindResponse>;
+  bulkGet: (objects: BulkGetObjects, options?: BaseOptions) => Promise<BulkGetResponse>;
+  get: (type: string, id: string, options?: BaseOptions) => Promise<SavedObject>;
+  update: (
+    type: string,
+    id: string,
+    attributes: SavedObjectAttributes,
+    options?: UpdateOptions
+  ) => Promise<SavedObject>;
+}
+
+export interface SOCWrapperOptions {
+  client: SavedObjectsClient;
+  request: any;
+}
+
+export type SOCWrapperFactory = (options: SOCWrapperOptions) => SavedObjectsClient;
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js
deleted file mode 100644
index da7a448d86d2d7..00000000000000
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.js
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { SpacesSavedObjectsClient } from './spaces_saved_objects_client';
-
-export function spacesSavedObjectsClientWrapperFactory(spacesService, types) {
-  return ({ client, request }) => new SpacesSavedObjectsClient({
-    baseClient: client,
-    request,
-    spacesService,
-    types,
-  });
-}
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.ts b/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.ts
new file mode 100644
index 00000000000000..9e19556abd20cf
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/saved_objects_client_wrapper_factory.ts
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SpacesService } from '../create_spaces_service';
+import { SOCWrapperOptions } from './saved_objects_client_types';
+import { SpacesSavedObjectsClient } from './spaces_saved_objects_client';
+
+export function spacesSavedObjectsClientWrapperFactory(
+  spacesService: SpacesService,
+  types: string[]
+) {
+  return ({ client, request }: SOCWrapperOptions) =>
+    new SpacesSavedObjectsClient({
+      baseClient: client,
+      request,
+      spacesService,
+      types,
+    });
+}
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.ts
similarity index 80%
rename from x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
rename to x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.ts
index fe9e363b01ce3f..5a6ca30dba8334 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.js
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.test.ts
@@ -4,24 +4,27 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { SpacesSavedObjectsClient } from './spaces_saved_objects_client';
-import { createSpacesService } from '../create_spaces_service';
 import { DEFAULT_SPACE_ID } from '../../../common/constants';
+import { Space } from '../../../common/model/space';
+import { createSpacesService } from '../create_spaces_service';
+import { SpacesSavedObjectsClient } from './spaces_saved_objects_client';
 
-const config = {
-  'server.basePath': '/'
+const config: any = {
+  'server.basePath': '/',
 };
 
+const types = ['foo', 'bar', 'space'];
+
 const server = {
   config: () => ({
-    get: (key) => {
+    get: (key: string) => {
       return config[key];
-    }
-  })
+    },
+  }),
 };
 
-const createMockRequest = (space) => ({
-  getBasePath: () => space.id !== DEFAULT_SPACE_ID ? `/s/${space.id}` : '',
+const createMockRequest = (space: Partial<Space>) => ({
+  getBasePath: () => (space.id !== DEFAULT_SPACE_ID ? `/s/${space.id}` : ''),
 });
 
 const createMockClient = () => {
@@ -41,10 +44,9 @@ const createMockClient = () => {
 
 [
   { id: DEFAULT_SPACE_ID, expectedNamespace: undefined },
-  { id: 'space_1', expectedNamespace: 'space_1' }
+  { id: 'space_1', expectedNamespace: 'space_1' },
 ].forEach(currentSpace => {
   describe(`${currentSpace.id} space`, () => {
-
     describe('#get', () => {
       test(`throws error if options.namespace is specified`, async () => {
         const request = createMockRequest({ id: currentSpace.id });
@@ -55,9 +57,12 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
-        await expect(client.get('foo', null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+        await expect(
+          client.get('foo', '', { namespace: 'bar' })
+        ).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`throws error if type is space`, async () => {
@@ -69,9 +74,10 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
-        await expect(client.get('space', null)).rejects.toThrowErrorMatchingSnapshot();
+        await expect(client.get('space', '')).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`supplements options with undefined namespace`, async () => {
@@ -85,14 +91,19 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
         const type = Symbol();
         const id = Symbol();
         const options = Object.freeze({ foo: 'bar' });
+        // @ts-ignore
         const actualReturnValue = await client.get(type, id, options);
 
         expect(actualReturnValue).toBe(expectedReturnValue);
-        expect(baseClient.get).toHaveBeenCalledWith(type, id, { foo: 'bar', namespace: currentSpace.expectedNamespace });
+        expect(baseClient.get).toHaveBeenCalledWith(type, id, {
+          foo: 'bar',
+          namespace: currentSpace.expectedNamespace,
+        });
       });
     });
 
@@ -106,9 +117,12 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
-        await expect(client.bulkGet([{ type: 'foo' }], { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+        await expect(
+          client.bulkGet([{ id: '', type: 'foo' }], { namespace: 'bar' })
+        ).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`throws error if objects type is space`, async () => {
@@ -120,9 +134,12 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
-        await expect(client.bulkGet([{ type: 'foo' }, { type: 'space' }], { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+        await expect(
+          client.bulkGet([{ id: '', type: 'foo' }, { id: '', type: 'space' }], { namespace: 'bar' })
+        ).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`supplements options with undefined namespace`, async () => {
@@ -136,14 +153,19 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
         const objects = [{ type: 'foo' }];
         const options = Object.freeze({ foo: 'bar' });
+        // @ts-ignore
         const actualReturnValue = await client.bulkGet(objects, options);
 
         expect(actualReturnValue).toBe(expectedReturnValue);
-        expect(baseClient.bulkGet).toHaveBeenCalledWith(objects, { foo: 'bar', namespace: currentSpace.expectedNamespace });
+        expect(baseClient.bulkGet).toHaveBeenCalledWith(objects, {
+          foo: 'bar',
+          namespace: currentSpace.expectedNamespace,
+        });
       });
     });
 
@@ -157,6 +179,7 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
         await expect(client.find({ namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
@@ -173,6 +196,7 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
         await expect(client.find({ type: 'space' })).rejects.toThrowErrorMatchingSnapshot();
@@ -189,13 +213,17 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
         const options = Object.freeze({ type: 'foo' });
 
         const actualReturnValue = await client.find(options);
 
         expect(actualReturnValue).toBe(expectedReturnValue);
-        expect(baseClient.find).toHaveBeenCalledWith({ type: ['foo'], namespace: currentSpace.expectedNamespace });
+        expect(baseClient.find).toHaveBeenCalledWith({
+          type: ['foo'],
+          namespace: currentSpace.expectedNamespace,
+        });
       });
 
       test(`throws error if options.type is array containing space`, async () => {
@@ -209,9 +237,12 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
-        await expect(client.find({ type: ['space', 'foo'] })).rejects.toThrowErrorMatchingSnapshot();
+        await expect(
+          client.find({ type: ['space', 'foo'] })
+        ).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`if options.type isn't provided specifies options.type based on the types excluding the space`, async () => {
@@ -220,7 +251,6 @@ const createMockClient = () => {
         const expectedReturnValue = Symbol();
         baseClient.find.mockReturnValue(expectedReturnValue);
         const spacesService = createSpacesService(server);
-        const types = ['foo', 'bar', 'space'];
 
         const client = new SpacesSavedObjectsClient({
           request,
@@ -229,7 +259,9 @@ const createMockClient = () => {
           types,
         });
 
-        await expect(client.find({ type: ['space', 'foo'] })).rejects.toThrowErrorMatchingSnapshot();
+        await expect(
+          client.find({ type: ['space', 'foo'] })
+        ).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`supplements options with undefined namespace`, async () => {
@@ -243,13 +275,17 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
         const options = Object.freeze({ type: ['foo', 'bar'] });
         const actualReturnValue = await client.find(options);
 
         expect(actualReturnValue).toBe(expectedReturnValue);
-        expect(baseClient.find).toHaveBeenCalledWith({ type: ['foo', 'bar'], namespace: currentSpace.expectedNamespace });
+        expect(baseClient.find).toHaveBeenCalledWith({
+          type: ['foo', 'bar'],
+          namespace: currentSpace.expectedNamespace,
+        });
       });
     });
 
@@ -263,10 +299,12 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
-
+          types,
         });
 
-        await expect(client.create('foo', {}, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+        await expect(
+          client.create('foo', {}, { namespace: 'bar' })
+        ).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`throws error if type is space`, async () => {
@@ -278,6 +316,7 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
         await expect(client.create('space', {})).rejects.toThrowErrorMatchingSnapshot();
@@ -294,15 +333,20 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
         const type = Symbol();
         const attributes = Symbol();
         const options = Object.freeze({ foo: 'bar' });
+        // @ts-ignore
         const actualReturnValue = await client.create(type, attributes, options);
 
         expect(actualReturnValue).toBe(expectedReturnValue);
-        expect(baseClient.create).toHaveBeenCalledWith(type, attributes, { foo: 'bar', namespace: currentSpace.expectedNamespace });
+        expect(baseClient.create).toHaveBeenCalledWith(type, attributes, {
+          foo: 'bar',
+          namespace: currentSpace.expectedNamespace,
+        });
       });
     });
 
@@ -316,9 +360,12 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
-        await expect(client.bulkCreate([{ type: 'foo' }], { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+        await expect(
+          client.bulkCreate([{ id: '', type: 'foo', attributes: {} }], { namespace: 'bar' })
+        ).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`throws error if objects type is space`, async () => {
@@ -330,9 +377,15 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
-        await expect(client.bulkCreate([{ type: 'foo' }, { type: 'space' }])).rejects.toThrowErrorMatchingSnapshot();
+        await expect(
+          client.bulkCreate([
+            { id: '', type: 'foo', attributes: {} },
+            { id: '', type: 'space', attributes: {} },
+          ])
+        ).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`supplements options with undefined namespace`, async () => {
@@ -346,14 +399,19 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
         const objects = [{ type: 'foo' }];
         const options = Object.freeze({ foo: 'bar' });
+        // @ts-ignore
         const actualReturnValue = await client.bulkCreate(objects, options);
 
         expect(actualReturnValue).toBe(expectedReturnValue);
-        expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects, { foo: 'bar', namespace: currentSpace.expectedNamespace });
+        expect(baseClient.bulkCreate).toHaveBeenCalledWith(objects, {
+          foo: 'bar',
+          namespace: currentSpace.expectedNamespace,
+        });
       });
     });
 
@@ -367,9 +425,13 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
-        await expect(client.update(null, null, null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+        await expect(
+          // @ts-ignore
+          client.update(null, null, null, { namespace: 'bar' })
+        ).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`throws error if type is space`, async () => {
@@ -381,9 +443,10 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
-        await expect(client.update('space', null)).rejects.toThrowErrorMatchingSnapshot();
+        await expect(client.update('space', '', {})).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`supplements options with undefined namespace`, async () => {
@@ -397,16 +460,21 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
         const type = Symbol();
         const id = Symbol();
         const attributes = Symbol();
         const options = Object.freeze({ foo: 'bar' });
+        // @ts-ignore
         const actualReturnValue = await client.update(type, id, attributes, options);
 
         expect(actualReturnValue).toBe(expectedReturnValue);
-        expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, { foo: 'bar', namespace: currentSpace.expectedNamespace });
+        expect(baseClient.update).toHaveBeenCalledWith(type, id, attributes, {
+          foo: 'bar',
+          namespace: currentSpace.expectedNamespace,
+        });
       });
     });
 
@@ -420,9 +488,13 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
-        await expect(client.delete(null, null, { namespace: 'bar' })).rejects.toThrowErrorMatchingSnapshot();
+        await expect(
+          // @ts-ignore
+          client.delete(null, null, { namespace: 'bar' })
+        ).rejects.toThrowErrorMatchingSnapshot();
       });
 
       test(`throws error if type is space`, async () => {
@@ -434,6 +506,7 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
         await expect(client.delete('space', 'foo')).rejects.toThrowErrorMatchingSnapshot();
@@ -450,17 +523,21 @@ const createMockClient = () => {
           request,
           baseClient,
           spacesService,
+          types,
         });
 
         const type = Symbol();
         const id = Symbol();
         const options = Object.freeze({ foo: 'bar' });
+        // @ts-ignore
         const actualReturnValue = await client.delete(type, id, options);
 
         expect(actualReturnValue).toBe(expectedReturnValue);
-        expect(baseClient.delete).toHaveBeenCalledWith(type, id, { foo: 'bar', namespace: currentSpace.expectedNamespace });
+        expect(baseClient.delete).toHaveBeenCalledWith(type, id, {
+          foo: 'bar',
+          namespace: currentSpace.expectedNamespace,
+        });
       });
     });
   });
-
 });
diff --git a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.ts
similarity index 61%
rename from x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
rename to x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.ts
index 92c9385cdda257..dc2131afee2b24 100644
--- a/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.js
+++ b/x-pack/plugins/spaces/server/lib/saved_objects_client/spaces_saved_objects_client.ts
@@ -5,8 +5,26 @@
  */
 
 import { DEFAULT_SPACE_ID } from '../../../common/constants';
+import { SpacesService } from '../create_spaces_service';
+import {
+  BaseOptions,
+  BulkCreateObject,
+  BulkGetObjects,
+  CreateOptions,
+  FindOptions,
+  SavedObjectAttributes,
+  SavedObjectsClient,
+  UpdateOptions,
+} from './saved_objects_client_types';
+
+interface SpacesSavedObjectsClientOptions {
+  baseClient: SavedObjectsClient;
+  request: any;
+  spacesService: SpacesService;
+  types: string[];
+}
 
-const coerceToArray = (param) => {
+const coerceToArray = (param: string | string[]) => {
   if (Array.isArray(param)) {
     return param;
   }
@@ -14,7 +32,7 @@ const coerceToArray = (param) => {
   return [param];
 };
 
-const getNamespace = (spaceId) => {
+const getNamespace = (spaceId: string) => {
   if (spaceId === DEFAULT_SPACE_ID) {
     return undefined;
   }
@@ -22,37 +40,37 @@ const getNamespace = (spaceId) => {
   return spaceId;
 };
 
-const throwErrorIfNamespaceSpecified = (options) => {
+const throwErrorIfNamespaceSpecified = (options: any) => {
   if (options.namespace) {
     throw new Error('Spaces currently determines the namespaces');
   }
 };
 
-const throwErrorIfTypeIsSpace = (type) => {
+const throwErrorIfTypeIsSpace = (type: string) => {
   if (type === 'space') {
     throw new Error('Spaces can not be accessed using the SavedObjectsClient');
   }
 };
 
-const throwErrorIfTypesContainsSpace = (types) => {
+const throwErrorIfTypesContainsSpace = (types: string[]) => {
   for (const type of types) {
     throwErrorIfTypeIsSpace(type);
   }
 };
 
-export class SpacesSavedObjectsClient {
-  constructor(options) {
-    const {
-      baseClient,
-      request,
-      spacesService,
-      types,
-    } = options;
+export class SpacesSavedObjectsClient implements SavedObjectsClient {
+  public readonly errors: any;
+  private readonly client: SavedObjectsClient;
+  private readonly spaceId: string;
+  private readonly types: string[];
+
+  constructor(options: SpacesSavedObjectsClientOptions) {
+    const { baseClient, request, spacesService, types } = options;
 
     this.errors = baseClient.errors;
-    this._client = baseClient;
-    this._spaceId = spacesService.getSpaceId(request);
-    this._types = types;
+    this.client = baseClient;
+    this.spaceId = spacesService.getSpaceId(request);
+    this.types = types;
   }
 
   /**
@@ -65,14 +83,14 @@ export class SpacesSavedObjectsClient {
    * @property {boolean} [options.overwrite=false]
    * @property {string} [options.namespace]
    * @returns {promise} - { id, type, version, attributes }
-  */
-  async create(type, attributes = {}, options = {}) {
+   */
+  public async create(type: string, attributes = {}, options: CreateOptions = {}) {
     throwErrorIfTypeIsSpace(type);
     throwErrorIfNamespaceSpecified(options);
 
-    return await this._client.create(type, attributes, {
+    return await this.client.create(type, attributes, {
       ...options,
-      namespace: getNamespace(this._spaceId)
+      namespace: getNamespace(this.spaceId),
     });
   }
 
@@ -85,13 +103,13 @@ export class SpacesSavedObjectsClient {
    * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes, error: { message } }]}
    */
-  async bulkCreate(objects, options = {}) {
+  public async bulkCreate(objects: BulkCreateObject[], options: BaseOptions = {}) {
     throwErrorIfTypesContainsSpace(objects.map(object => object.type));
     throwErrorIfNamespaceSpecified(options);
 
-    return await this._client.bulkCreate(objects, {
+    return await this.client.bulkCreate(objects, {
       ...options,
-      namespace: getNamespace(this._spaceId)
+      namespace: getNamespace(this.spaceId),
     });
   }
 
@@ -104,13 +122,13 @@ export class SpacesSavedObjectsClient {
    * @property {string} [options.namespace]
    * @returns {promise}
    */
-  async delete(type, id, options = {}) {
+  public async delete(type: string, id: string, options: BaseOptions = {}) {
     throwErrorIfTypeIsSpace(type);
     throwErrorIfNamespaceSpecified(options);
 
-    return await this._client.delete(type, id, {
+    return await this.client.delete(type, id, {
       ...options,
-      namespace: getNamespace(this._spaceId)
+      namespace: getNamespace(this.spaceId),
     });
   }
 
@@ -128,14 +146,19 @@ export class SpacesSavedObjectsClient {
    * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }], total, per_page, page }
    */
-  async find(options = {}) {
-    throwErrorIfTypesContainsSpace(coerceToArray(options.type));
+  public async find(options: FindOptions = {}) {
+    if (options.type) {
+      throwErrorIfTypesContainsSpace(coerceToArray(options.type));
+    }
+
     throwErrorIfNamespaceSpecified(options);
 
-    return await this._client.find({
+    return await this.client.find({
       ...options,
-      type: (options.type ? coerceToArray(options.type) : this._types).filter(type => type !== 'space'),
-      namespace: getNamespace(this._spaceId)
+      type: (options.type ? coerceToArray(options.type) : this.types).filter(
+        type => type !== 'space'
+      ),
+      namespace: getNamespace(this.spaceId),
     });
   }
 
@@ -153,13 +176,13 @@ export class SpacesSavedObjectsClient {
    *   { id: 'foo', type: 'index-pattern' }
    * ])
    */
-  async bulkGet(objects = [], options = {}) {
+  public async bulkGet(objects: BulkGetObjects = [], options: BaseOptions = {}) {
     throwErrorIfTypesContainsSpace(objects.map(object => object.type));
     throwErrorIfNamespaceSpecified(options);
 
-    return await this._client.bulkGet(objects, {
+    return await this.client.bulkGet(objects, {
       ...options,
-      namespace: getNamespace(this._spaceId)
+      namespace: getNamespace(this.spaceId),
     });
   }
 
@@ -172,13 +195,13 @@ export class SpacesSavedObjectsClient {
    * @property {string} [options.namespace]
    * @returns {promise} - { id, type, version, attributes }
    */
-  async get(type, id, options = {}) {
+  public async get(type: string, id: string, options: BaseOptions = {}) {
     throwErrorIfTypeIsSpace(type);
     throwErrorIfNamespaceSpecified(options);
 
-    return await this._client.get(type, id, {
+    return await this.client.get(type, id, {
       ...options,
-      namespace: getNamespace(this._spaceId)
+      namespace: getNamespace(this.spaceId),
     });
   }
 
@@ -192,13 +215,18 @@ export class SpacesSavedObjectsClient {
    * @property {string} [options.namespace]
    * @returns {promise}
    */
-  async update(type, id, attributes, options = {}) {
+  public async update(
+    type: string,
+    id: string,
+    attributes: SavedObjectAttributes,
+    options: UpdateOptions = {}
+  ) {
     throwErrorIfTypeIsSpace(type);
     throwErrorIfNamespaceSpecified(options);
 
-    return await this._client.update(type, id, attributes, {
+    return await this.client.update(type, id, attributes, {
       ...options,
-      namespace: getNamespace(this._spaceId)
+      namespace: getNamespace(this.spaceId),
     });
   }
 }
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js b/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.ts
similarity index 58%
rename from x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
rename to x-pack/plugins/spaces/server/lib/space_request_interceptors.test.ts
index 0e7d47d2578cde..e99e98c9eb5ed8 100644
--- a/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.js
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.ts
@@ -3,46 +3,60 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import sinon from 'sinon';
+// @ts-ignore
 import { Server } from 'hapi';
+import sinon from 'sinon';
+import { SavedObject } from './saved_objects_client/saved_objects_client_types';
 import { initSpacesRequestInterceptors } from './space_request_interceptors';
 
 describe('interceptors', () => {
   const sandbox = sinon.sandbox.create();
-  const teardowns = [];
+  const teardowns: Array<() => void> = [];
   const headers = {
     authorization: 'foo',
   };
-  let server;
-  let request;
+  let server: any;
+  let request: any;
 
   beforeEach(() => {
     teardowns.push(() => sandbox.restore());
-    request = async (path, setupFn = () => { }, testConfig = {}) => {
-
+    request = async (
+      path: string,
+      setupFn: (ser: any) => void = () => {
+        return;
+      },
+      testConfig = {}
+    ) => {
       server = new Server();
 
       server.connection({ port: 0 });
 
-      const config = {
+      interface Config {
+        [key: string]: any;
+      }
+      const config: Config = {
         'server.basePath': '/foo',
         ...testConfig,
       };
 
-      server.decorate('server', 'config', jest.fn(() => {
-        return {
-          get: jest.fn(key => {
-            return config[key];
-          })
-        };
-      }));
+      server.decorate(
+        'server',
+        'config',
+        jest.fn(() => {
+          return {
+            get: jest.fn(key => {
+              return config[key];
+            }),
+          };
+        })
+      );
 
       server.plugins = {
         spaces: {
           spacesClient: {
             getScopedClient: jest.fn(),
-          }
-        }
+          },
+        },
       };
 
       initSpacesRequestInterceptors(server);
@@ -50,9 +64,9 @@ describe('interceptors', () => {
       server.route({
         method: 'GET',
         path: '/',
-        handler: (req, reply) => {
+        handler: (req: any, reply: any) => {
           return reply({ path: req.path, url: req.url, basePath: req.getBasePath() });
-        }
+        },
       });
 
       await setupFn(server);
@@ -77,12 +91,12 @@ describe('interceptors', () => {
   describe('onRequest', () => {
     test('handles paths without a space identifier', async () => {
       const testHandler = jest.fn((req, reply) => {
-        expect(req.path).toBe("/");
+        expect(req.path).toBe('/');
         return reply.continue();
       });
 
-      await request('/', (server) => {
-        server.ext('onRequest', testHandler);
+      await request('/', (hapiServer: any) => {
+        hapiServer.ext('onRequest', testHandler);
       });
 
       expect(testHandler).toHaveBeenCalledTimes(1);
@@ -90,12 +104,12 @@ describe('interceptors', () => {
 
     test('strips the Space URL Context from the request', async () => {
       const testHandler = jest.fn((req, reply) => {
-        expect(req.path).toBe("/");
+        expect(req.path).toBe('/');
         return reply.continue();
       });
 
-      await request('/s/foo', (server) => {
-        server.ext('onRequest', testHandler);
+      await request('/s/foo', (hapiServer: any) => {
+        hapiServer.ext('onRequest', testHandler);
       });
 
       expect(testHandler).toHaveBeenCalledTimes(1);
@@ -103,12 +117,12 @@ describe('interceptors', () => {
 
     test('ignores space identifiers in the middle of the path', async () => {
       const testHandler = jest.fn((req, reply) => {
-        expect(req.path).toBe("/some/path/s/foo/bar");
+        expect(req.path).toBe('/some/path/s/foo/bar');
         return reply.continue();
       });
 
-      await request('/some/path/s/foo/bar', (server) => {
-        server.ext('onRequest', testHandler);
+      await request('/some/path/s/foo/bar', (hapiServer: any) => {
+        hapiServer.ext('onRequest', testHandler);
       });
 
       expect(testHandler).toHaveBeenCalledTimes(1);
@@ -118,13 +132,13 @@ describe('interceptors', () => {
       const testHandler = jest.fn((req, reply) => {
         expect(req.path).toBe('/i/love/spaces.html');
         expect(req.query).toEqual({
-          queryParam: 'queryValue'
+          queryParam: 'queryValue',
         });
         return reply.continue();
       });
 
-      await request('/s/foo/i/love/spaces.html?queryParam=queryValue', (server) => {
-        server.ext('onRequest', testHandler);
+      await request('/s/foo/i/love/spaces.html?queryParam=queryValue', (hapiServer: any) => {
+        hapiServer.ext('onRequest', testHandler);
       });
 
       expect(testHandler).toHaveBeenCalledTimes(1);
@@ -137,18 +151,18 @@ describe('interceptors', () => {
 
     const config = {
       'server.basePath': serverBasePath,
-      'server.defaultRoute': defaultRoute
+      'server.defaultRoute': defaultRoute,
     };
 
-    const setupTest = (server, spaces, testHandler) => {
-      server.plugins.spaces.spacesClient.getScopedClient.mockReturnValue({
+    const setupTest = (hapiServer: any, spaces: SavedObject[], testHandler: any) => {
+      hapiServer.plugins.spaces.spacesClient.getScopedClient.mockReturnValue({
         getAll() {
           return spaces;
-        }
+        },
       });
 
       // Register test inspector
-      server.ext('onPreResponse', testHandler);
+      hapiServer.ext('onPreResponse', testHandler);
     };
 
     describe('with a single available space', () => {
@@ -166,23 +180,32 @@ describe('interceptors', () => {
           return reply.continue();
         });
 
-        const spaces = [{
-          id: 'a-space',
-          attributes: {
-            name: 'a space',
-          }
-        }];
-
-        await request('/', (server) => {
-          setupTest(server, spaces, testHandler);
-        }, config);
+        const spaces = [
+          {
+            id: 'a-space',
+            type: 'space',
+            attributes: {
+              name: 'a space',
+            },
+          },
+        ];
+
+        await request(
+          '/',
+          (hapiServer: any) => {
+            setupTest(server, spaces, testHandler);
+          },
+          config
+        );
 
         expect(testHandler).toHaveBeenCalledTimes(1);
-        expect(server.plugins.spaces.spacesClient.getScopedClient).toHaveBeenCalledWith(expect.objectContaining({
-          headers: expect.objectContaining({
-            authorization: headers.authorization
+        expect(server.plugins.spaces.spacesClient.getScopedClient).toHaveBeenCalledWith(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: headers.authorization,
+            }),
           })
-        }));
+        );
       });
 
       test('it redirects to the defaultRoute within the context of the Default Space when navigating to Kibana root', async () => {
@@ -203,42 +226,55 @@ describe('interceptors', () => {
           return reply.continue();
         });
 
-        const spaces = [{
-          id: 'default',
-          attributes: {
-            name: 'Default Space',
-          }
-        }];
-
-        await request('/', (server) => {
-          setupTest(server, spaces, testHandler);
-        }, config);
+        const spaces = [
+          {
+            id: 'default',
+            type: 'space',
+            attributes: {
+              name: 'Default Space',
+            },
+          },
+        ];
+
+        await request(
+          '/',
+          (hapiServer: any) => {
+            setupTest(hapiServer, spaces, testHandler);
+          },
+          config
+        );
 
         expect(testHandler).toHaveBeenCalledTimes(1);
-        expect(server.plugins.spaces.spacesClient.getScopedClient).toHaveBeenCalledWith(expect.objectContaining({
-          headers: expect.objectContaining({
-            authorization: headers.authorization
+        expect(server.plugins.spaces.spacesClient.getScopedClient).toHaveBeenCalledWith(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: headers.authorization,
+            }),
           })
-        }));
+        );
       });
     });
 
     describe('with multiple available spaces', () => {
       test('it redirects to the Space Selector App when navigating to Kibana root', async () => {
-
-        const spaces = [{
-          id: 'a-space',
-          attributes: {
-            name: 'a space',
-          }
-        }, {
-          id: 'b-space',
-          attributes: {
-            name: 'b space',
-          }
-        }];
-
-        const getHiddenUiAppHandler = jest.fn(() => { return '<div>space selector</div>'; });
+        const spaces = [
+          {
+            id: 'a-space',
+            type: 'space',
+            attributes: {
+              name: 'a space',
+            },
+          },
+          {
+            id: 'b-space',
+            type: 'space',
+            attributes: {
+              name: 'b space',
+            },
+          },
+        ];
+
+        const getHiddenUiAppHandler = jest.fn(() => '<div>space selector</div>');
 
         const testHandler = jest.fn((req, reply) => {
           const { response } = req;
@@ -248,28 +284,35 @@ describe('interceptors', () => {
           }
 
           expect(response.statusCode).toEqual(200);
-          expect(response.source).toEqual({ "app": "<div>space selector</div>", "renderApp": true });
+          expect(response.source).toEqual({ app: '<div>space selector</div>', renderApp: true });
 
           return reply.continue();
         });
 
-        await request('/', (server) => {
-          server.decorate('server', 'getHiddenUiAppById', getHiddenUiAppHandler);
-          server.decorate('reply', 'renderApp', function (app) {
-            this({ renderApp: true, app });
-          });
+        await request(
+          '/',
+          (hapiServer: any) => {
+            server.decorate('server', 'getHiddenUiAppById', getHiddenUiAppHandler);
+            server.decorate('reply', 'renderApp', function renderAppHandler(app: any) {
+              // @ts-ignore
+              this({ renderApp: true, app });
+            });
 
-          setupTest(server, spaces, testHandler);
-        }, config);
+            setupTest(hapiServer, spaces, testHandler);
+          },
+          config
+        );
 
         expect(getHiddenUiAppHandler).toHaveBeenCalledTimes(1);
         expect(getHiddenUiAppHandler).toHaveBeenCalledWith('space_selector');
         expect(testHandler).toHaveBeenCalledTimes(1);
-        expect(server.plugins.spaces.spacesClient.getScopedClient).toHaveBeenCalledWith(expect.objectContaining({
-          headers: expect.objectContaining({
-            authorization: headers.authorization
+        expect(server.plugins.spaces.spacesClient.getScopedClient).toHaveBeenCalledWith(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: headers.authorization,
+            }),
           })
-        }));
+        );
       });
     });
   });
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.js b/x-pack/plugins/spaces/server/lib/space_request_interceptors.ts
similarity index 95%
rename from x-pack/plugins/spaces/server/lib/space_request_interceptors.js
rename to x-pack/plugins/spaces/server/lib/space_request_interceptors.ts
index 2f461d5fdf7b48..3a6b0c18b05ed0 100644
--- a/x-pack/plugins/spaces/server/lib/space_request_interceptors.js
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.ts
@@ -4,15 +4,14 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { DEFAULT_SPACE_ID } from '../../common/constants';
 import { wrapError } from './errors';
 import { addSpaceIdToPath, getSpaceIdFromPath } from './spaces_url_parser';
-import { DEFAULT_SPACE_ID } from '../../common/constants';
-
-export function initSpacesRequestInterceptors(server) {
 
+export function initSpacesRequestInterceptors(server: any) {
   const serverBasePath = server.config().get('server.basePath');
 
-  server.ext('onRequest', async function spacesOnRequestHandler(request, reply) {
+  server.ext('onRequest', async function spacesOnRequestHandler(request: any, reply: any) {
     const path = request.path;
 
     // If navigating within the context of a space, then we store the Space's URL Context on the request,
@@ -38,7 +37,7 @@ export function initSpacesRequestInterceptors(server) {
     return reply.continue();
   });
 
-  server.ext('onPostAuth', async function spacesOnRequestHandler(request, reply) {
+  server.ext('onPostAuth', async function spacesOnRequestHandler(request: any, reply: any) {
     const path = request.path;
 
     const isRequestingKibanaRoot = path === '/';
@@ -68,10 +67,9 @@ export function initSpacesRequestInterceptors(server) {
           // render spaces selector instead of home page
           const app = server.getHiddenUiAppById('space_selector');
           return reply.renderApp(app, {
-            spaces
+            spaces,
           });
         }
-
       } catch (error) {
         return reply(wrapError(error));
       }
@@ -79,6 +77,4 @@ export function initSpacesRequestInterceptors(server) {
 
     return reply.continue();
   });
-
-
 }
diff --git a/x-pack/plugins/spaces/server/lib/spaces_url_parser.test.js b/x-pack/plugins/spaces/server/lib/spaces_url_parser.test.ts
similarity index 93%
rename from x-pack/plugins/spaces/server/lib/spaces_url_parser.test.js
rename to x-pack/plugins/spaces/server/lib/spaces_url_parser.test.ts
index 68234b3ba48fb6..5878272c849246 100644
--- a/x-pack/plugins/spaces/server/lib/spaces_url_parser.test.js
+++ b/x-pack/plugins/spaces/server/lib/spaces_url_parser.test.ts
@@ -3,8 +3,8 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import { getSpaceIdFromPath, addSpaceIdToPath } from './spaces_url_parser';
 import { DEFAULT_SPACE_ID } from '../../common/constants';
+import { addSpaceIdToPath, getSpaceIdFromPath } from './spaces_url_parser';
 
 describe('getSpaceIdFromPath', () => {
   describe('without a serverBasePath defined', () => {
@@ -32,7 +32,9 @@ describe('getSpaceIdFromPath', () => {
 
     test('it identifies the space url context following the server base path', () => {
       const basePath = `/server-base-path-here/s/my-awesome-space-lives-here`;
-      expect(getSpaceIdFromPath(basePath, '/server-base-path-here')).toEqual('my-awesome-space-lives-here');
+      expect(getSpaceIdFromPath(basePath, '/server-base-path-here')).toEqual(
+        'my-awesome-space-lives-here'
+      );
     });
 
     test('ignores space identifiers in the middle of the path', () => {
@@ -57,7 +59,9 @@ describe('addSpaceIdToPath', () => {
   });
 
   test('it appends the requested path to the end of the url context', () => {
-    expect(addSpaceIdToPath('/base', 'context', '/final/destination')).toEqual('/base/s/context/final/destination');
+    expect(addSpaceIdToPath('/base', 'context', '/final/destination')).toEqual(
+      '/base/s/context/final/destination'
+    );
   });
 
   test('it throws an error when the requested path does not start with a slash', () => {
diff --git a/x-pack/tsconfig.json b/x-pack/tsconfig.json
index 4a965fa793432c..44b418ba975ecd 100644
--- a/x-pack/tsconfig.json
+++ b/x-pack/tsconfig.json
@@ -1,17 +1,28 @@
 {
-    "extends": "../tsconfig.json",
-    "include": [
-        "common/**/*",
-        "server/**/*",
-        "plugins/**/*",
-    ],
-    "exclude": [
-      "test/**/*"
-    ],
-    "compilerOptions": {
-      "types": [
-        "node",
-        "jest"
+  "extends": "../tsconfig.json",
+  "include": [
+    "common/**/*",
+    "server/**/*",
+    "plugins/**/*",
+  ],
+  "exclude": [
+    "test/**/*"
+  ],
+  "compilerOptions": {
+    "paths": {
+      "ui/*": [
+        "src/ui/public/*"
+      ],
+      "plugins/xpack_main/*": [
+        "x-pack/plugins/xpack_main/public/*"
+      ],
+      "plugins/spaces/*": [
+        "x-pack/plugins/spaces/public/*"
       ]
-    }
-}
+    },
+    "types": [
+      "node",
+      "jest"
+    ]
+  }
+}
\ No newline at end of file
diff --git a/x-pack/yarn.lock b/x-pack/yarn.lock
index e5d5878c9e0268..c5e29c09671998 100644
--- a/x-pack/yarn.lock
+++ b/x-pack/yarn.lock
@@ -162,6 +162,10 @@
   version "23.3.1"
   resolved "https://registry.yarnpkg.com/@types/jest/-/jest-23.3.1.tgz#a4319aedb071d478e6f407d1c4578ec8156829cf"
 
+"@types/joi@^10.4.4":
+  version "10.6.4"
+  resolved "https://registry.yarnpkg.com/@types/joi/-/joi-10.6.4.tgz#0989d69e792a7db13e951852e6949df6787f113f"
+
 "@types/loglevel@^1.5.3":
   version "1.5.3"
   resolved "https://registry.yarnpkg.com/@types/loglevel/-/loglevel-1.5.3.tgz#adfce55383edc5998a2170ad581b3e23d6adb5b8"

From 70641d5a44c006fae8eee57cf335049de1527989 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Fri, 14 Sep 2018 09:34:51 -0400
Subject: [PATCH 137/183] update snapshots

---
 .../es/__snapshots__/index_privilege_form.test.tsx.snap    | 1 +
 .../__snapshots__/privilege_space_form.test.tsx.snap       | 1 +
 .../public/components/telemetry/telemetry_form.test.js     | 7 ++++++-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap
index c8a8f284b9bad9..ab820e5e7507fc 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap
@@ -182,6 +182,7 @@ exports[`it renders without crashing 1`] = `
         <EuiButtonIcon
           aria-label="Delete index privilege"
           color="danger"
+          iconSize="m"
           iconType="trash"
           onClick={[MockFunction]}
           type="button"
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_space_form.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_space_form.test.tsx.snap
index ad9c209ec52557..c24b2d596ff221 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_space_form.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/__snapshots__/privilege_space_form.test.tsx.snap
@@ -78,6 +78,7 @@ exports[`<PrivilegeSpaceForm> renders without crashing 1`] = `
       <EuiButtonIcon
         aria-label="Delete space privilege"
         color="danger"
+        iconSize="m"
         iconType="trash"
         onClick={[MockFunction]}
         type="button"
diff --git a/x-pack/plugins/xpack_main/public/components/telemetry/telemetry_form.test.js b/x-pack/plugins/xpack_main/public/components/telemetry/telemetry_form.test.js
index 53717aa0b15a25..7bdef2120f3361 100644
--- a/x-pack/plugins/xpack_main/public/components/telemetry/telemetry_form.test.js
+++ b/x-pack/plugins/xpack_main/public/components/telemetry/telemetry_form.test.js
@@ -41,7 +41,12 @@ const buildTelemetryOptInProvider = () => {
 describe('TelemetryForm', () => {
   it('renders as expected', () => {
     expect(shallow(
-      <TelemetryForm query={{ text: '' }} onQueryMatchChange={jest.fn()} telemetryOptInProvider={buildTelemetryOptInProvider()} />)
+      <TelemetryForm
+        spacesEnabled={false}
+        query={{ text: '' }}
+        onQueryMatchChange={jest.fn()}
+        telemetryOptInProvider={buildTelemetryOptInProvider()}
+      />)
     ).toMatchSnapshot();
   });
 });
\ No newline at end of file

From 3874fee12feb957734e9bb8e0b745ae777eec199 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Fri, 14 Sep 2018 09:47:42 -0400
Subject: [PATCH 138/183] update role management screen for EUI 4

---
 .../cluster_privileges.test.tsx.snap            | 12 ++++++++++++
 .../index_privilege_form.test.tsx.snap          | 12 ++++++++++++
 .../privileges/es/cluster_privileges.tsx        |  8 ++------
 .../privileges/es/elasticsearch_privileges.tsx  |  9 ++++++---
 .../privileges/es/index_privilege_form.tsx      | 11 +++++------
 .../privileges/kibana/space_selector.tsx        | 17 +++++++++++------
 6 files changed, 48 insertions(+), 21 deletions(-)

diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/cluster_privileges.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/cluster_privileges.test.tsx.snap
index f8875d707b66fd..a8165ab6cb9b07 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/cluster_privileges.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/cluster_privileges.test.tsx.snap
@@ -23,39 +23,51 @@ exports[`it renders without crashing 1`] = `
       options={
         Array [
           Object {
+            "isGroupLabelOption": false,
             "label": "all",
           },
           Object {
+            "isGroupLabelOption": false,
             "label": "monitor",
           },
           Object {
+            "isGroupLabelOption": false,
             "label": "manage",
           },
           Object {
+            "isGroupLabelOption": false,
             "label": "manage_security",
           },
           Object {
+            "isGroupLabelOption": false,
             "label": "manage_index_templates",
           },
           Object {
+            "isGroupLabelOption": false,
             "label": "manage_pipeline",
           },
           Object {
+            "isGroupLabelOption": false,
             "label": "manage_ingest_pipelines",
           },
           Object {
+            "isGroupLabelOption": false,
             "label": "transport_client",
           },
           Object {
+            "isGroupLabelOption": false,
             "label": "manage_ml",
           },
           Object {
+            "isGroupLabelOption": false,
             "label": "monitor_ml",
           },
           Object {
+            "isGroupLabelOption": false,
             "label": "manage_watcher",
           },
           Object {
+            "isGroupLabelOption": false,
             "label": "monitor_watcher",
           },
         ]
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap
index ab820e5e7507fc..5280890edf5e6d 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/__snapshots__/index_privilege_form.test.tsx.snap
@@ -73,39 +73,51 @@ exports[`it renders without crashing 1`] = `
                 options={
                   Array [
                     Object {
+                      "isGroupLabelOption": false,
                       "label": "all",
                     },
                     Object {
+                      "isGroupLabelOption": false,
                       "label": "manage",
                     },
                     Object {
+                      "isGroupLabelOption": false,
                       "label": "monitor",
                     },
                     Object {
+                      "isGroupLabelOption": false,
                       "label": "read",
                     },
                     Object {
+                      "isGroupLabelOption": false,
                       "label": "index",
                     },
                     Object {
+                      "isGroupLabelOption": false,
                       "label": "create",
                     },
                     Object {
+                      "isGroupLabelOption": false,
                       "label": "delete",
                     },
                     Object {
+                      "isGroupLabelOption": false,
                       "label": "write",
                     },
                     Object {
+                      "isGroupLabelOption": false,
                       "label": "delete_index",
                     },
                     Object {
+                      "isGroupLabelOption": false,
                       "label": "create_index",
                     },
                     Object {
+                      "isGroupLabelOption": false,
                       "label": "view_index_metadata",
                     },
                     Object {
+                      "isGroupLabelOption": false,
                       "label": "read_cross_cluster",
                     },
                   ]
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.tsx
index 2bfa2f38419af6..929935ba7f6ac1 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/cluster_privileges.tsx
@@ -4,12 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import {
-  // @ts-ignore
-  EuiComboBox,
-  EuiFlexGroup,
-  EuiFlexItem,
-} from '@elastic/eui';
+import { EuiComboBox, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import React, { Component } from 'react';
 import { Role } from '../../../../../../../common/model/role';
 import { isReservedRole } from '../../../../../../lib/role';
@@ -33,6 +28,7 @@ export class ClusterPrivileges extends Component<Props, {}> {
 
     const options = items.map(i => ({
       label: i,
+      isGroupLabelOption: false,
     }));
 
     const selectedOptions = (role.elasticsearch.cluster || []).map(k => ({ label: k }));
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.tsx
index bd8958286a17fc..2625ff9879d3fb 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/elasticsearch_privileges.tsx
@@ -6,7 +6,6 @@
 
 import {
   EuiButton,
-  // @ts-ignore
   EuiComboBox,
   // @ts-ignore
   EuiDescribedFormGroup,
@@ -98,8 +97,12 @@ export class ElasticsearchPrivileges extends Component<Props, {}> {
         >
           <EuiFormRow hasEmptyLabelSpace>
             <EuiComboBox
-              placeholder={this.props.editable ? 'Add a user...' : null}
-              options={this.props.runAsUsers.map(username => ({ id: username, label: username }))}
+              placeholder={this.props.editable ? 'Add a user...' : undefined}
+              options={this.props.runAsUsers.map(username => ({
+                id: username,
+                label: username,
+                isGroupLabelOption: false,
+              }))}
               selectedOptions={this.props.role.elasticsearch.run_as.map(u => ({ label: u }))}
               onChange={this.onRunAsUserChange}
               isDisabled={!this.props.editable}
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx
index ccf5bd42722e08..6f1416ab43552e 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/es/index_privilege_form.tsx
@@ -4,10 +4,9 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 import {
-  // @ts-ignore
   EuiButtonIcon,
-  // @ts-ignore
   EuiComboBox,
+  EuiComboBoxOptionProps,
   EuiFlexGroup,
   EuiFlexItem,
   EuiFormRow,
@@ -23,7 +22,7 @@ import { getIndexPrivileges } from '../../../../../../services/role_privileges';
 import { RoleValidator } from '../../../lib/validate_role';
 
 const fromOption = (option: any) => option.label;
-const toOption = (value: string) => ({ label: value });
+const toOption = (value: string) => ({ label: value, isGroupLabelOption: false });
 
 interface Props {
   formIndex: number;
@@ -234,14 +233,14 @@ export class IndexPrivilegeForm extends Component<Props, State> {
     });
   };
 
-  public onIndexPatternsChange = (newPatterns: string[]) => {
+  public onIndexPatternsChange = (newPatterns: EuiComboBoxOptionProps[]) => {
     this.props.onChange({
       ...this.props.indexPrivilege,
       names: newPatterns.map(fromOption),
     });
   };
 
-  public onPrivilegeChange = (newPrivileges: string[]) => {
+  public onPrivilegeChange = (newPrivileges: EuiComboBoxOptionProps[]) => {
     this.props.onChange({
       ...this.props.indexPrivilege,
       privileges: newPrivileges.map(fromOption),
@@ -274,7 +273,7 @@ export class IndexPrivilegeForm extends Component<Props, State> {
     });
   };
 
-  public onGrantedFieldsChange = (grantedFields: string[]) => {
+  public onGrantedFieldsChange = (grantedFields: EuiComboBoxOptionProps[]) => {
     this.props.onChange({
       ...this.props.indexPrivilege,
       field_security: {
diff --git a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.tsx b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.tsx
index 4338d01c230e32..510217a9cbd652 100644
--- a/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.tsx
+++ b/x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_selector.tsx
@@ -5,8 +5,8 @@
  */
 
 import {
-  // @ts-ignore
   EuiComboBox,
+  EuiComboBoxOptionProps,
   EuiHealth,
   // @ts-ignore
   EuiHighlight,
@@ -17,10 +17,15 @@ import { getSpaceColor } from '../../../../../../../../spaces/common/space_attri
 
 const spaceToOption = (space?: Space) => {
   if (!space) {
-    return;
+    return { label: '', isGroupLabelOption: false };
   }
 
-  return { id: space.id, label: space.name, color: getSpaceColor(space) };
+  return {
+    id: space.id,
+    label: space.name,
+    color: getSpaceColor(space),
+    isGroupLabelOption: false,
+  };
 };
 
 const spaceIdToOption = (spaces: Space[]) => (s: string) =>
@@ -51,13 +56,13 @@ export class SpaceSelector extends Component<Props, {}> {
         options={this.props.spaces.map(spaceToOption)}
         renderOption={renderOption}
         selectedOptions={this.props.selectedSpaceIds.map(spaceIdToOption(this.props.spaces))}
-        disabled={this.props.disabled}
+        isDisabled={this.props.disabled}
         onChange={this.onChange}
       />
     );
   }
 
-  public onChange = (selectedSpaces: Space[]) => {
-    this.props.onChange(selectedSpaces.map(s => s.id));
+  public onChange = (selectedSpaces: EuiComboBoxOptionProps[]) => {
+    this.props.onChange(selectedSpaces.map(s => s.id as string));
   };
 }

From eb36356970a339676d8d045c6770d914c15611af Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Fri, 14 Sep 2018 11:34:05 -0400
Subject: [PATCH 139/183] adds space selection functional tests

---
 .../__snapshots__/space_avatar.test.tsx.snap  |   1 +
 .../spaces/public/components/space_avatar.tsx |   1 +
 .../public/views/components/space_card.tsx    |   1 +
 .../nav_control_popover.test.tsx.snap         |   1 +
 .../views/nav_control/nav_control_popover.tsx |   1 +
 .../space_selector.test.tsx.snap              |   1 +
 .../views/space_selector/space_selector.tsx   |   2 +-
 .../test/functional/apps/security/security.js |   2 +-
 x-pack/test/functional/apps/spaces/index.ts   |  13 +
 .../test/functional/apps/spaces/lib/types.ts  |  27 ++
 .../apps/spaces/spaces_selection.ts           |  43 +++
 x-pack/test/functional/config.js              |   6 +
 .../functional/es_archives/spaces/data.json   |  47 +++
 .../es_archives/spaces/mappings.json          | 283 ++++++++++++++++++
 x-pack/test/functional/page_objects/index.js  |   1 +
 .../functional/page_objects/security_page.js  |  23 +-
 .../page_objects/space_selector_page.js       |  64 ++++
 17 files changed, 509 insertions(+), 8 deletions(-)
 create mode 100644 x-pack/test/functional/apps/spaces/index.ts
 create mode 100644 x-pack/test/functional/apps/spaces/lib/types.ts
 create mode 100644 x-pack/test/functional/apps/spaces/spaces_selection.ts
 create mode 100644 x-pack/test/functional/es_archives/spaces/data.json
 create mode 100644 x-pack/test/functional/es_archives/spaces/mappings.json
 create mode 100644 x-pack/test/functional/page_objects/space_selector_page.js

diff --git a/x-pack/plugins/spaces/public/components/__snapshots__/space_avatar.test.tsx.snap b/x-pack/plugins/spaces/public/components/__snapshots__/space_avatar.test.tsx.snap
index 617d9522c0da5e..d45aa825db89ce 100644
--- a/x-pack/plugins/spaces/public/components/__snapshots__/space_avatar.test.tsx.snap
+++ b/x-pack/plugins/spaces/public/components/__snapshots__/space_avatar.test.tsx.snap
@@ -3,6 +3,7 @@
 exports[`renders without crashing 1`] = `
 <EuiAvatar
   color="#BFA180"
+  data-test-subj="space-avatar-"
   initials=""
   initialsLength={2}
   name=""
diff --git a/x-pack/plugins/spaces/public/components/space_avatar.tsx b/x-pack/plugins/spaces/public/components/space_avatar.tsx
index e18459bbd8bf92..d89bcbc6e24658 100644
--- a/x-pack/plugins/spaces/public/components/space_avatar.tsx
+++ b/x-pack/plugins/spaces/public/components/space_avatar.tsx
@@ -21,6 +21,7 @@ export const SpaceAvatar = (props: Props) => {
   return (
     <EuiAvatar
       type="space"
+      data-test-subj={`space-avatar-${space.id}`}
       name={space.name || ''}
       size={size || 'm'}
       initialsLength={MAX_SPACE_INITIALS}
diff --git a/x-pack/plugins/spaces/public/views/components/space_card.tsx b/x-pack/plugins/spaces/public/views/components/space_card.tsx
index 3f72ffa271e83d..fc5a2c18b97865 100644
--- a/x-pack/plugins/spaces/public/views/components/space_card.tsx
+++ b/x-pack/plugins/spaces/public/views/components/space_card.tsx
@@ -25,6 +25,7 @@ export const SpaceCard = (props: Props) => {
   return (
     <EuiCard
       className="spaceCard"
+      data-test-subj={`space-card-${space.id}`}
       icon={renderSpaceAvatar(space)}
       title={space.name}
       description={renderSpaceDescription(space)}
diff --git a/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.tsx.snap b/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.tsx.snap
index 622f863331e79d..2c4d562c1e4f6d 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.tsx.snap
+++ b/x-pack/plugins/spaces/public/views/nav_control/__snapshots__/nav_control_popover.test.tsx.snap
@@ -38,6 +38,7 @@ exports[`NavControlPopover renders without crashing 1`] = `
     </div>
   }
   closePopover={[Function]}
+  data-test-subj="spacesNavSelector"
   hasArrow={true}
   id="spacesMenuPopover"
   isOpen={false}
diff --git a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
index 38a241ef1738c2..2a7882b683ef83 100644
--- a/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
+++ b/x-pack/plugins/spaces/public/views/nav_control/nav_control_popover.tsx
@@ -73,6 +73,7 @@ export class NavControlPopover extends Component<Props, State> {
     return (
       <EuiPopover
         id={'spacesMenuPopover'}
+        data-test-subj={`spacesNavSelector`}
         button={button}
         isOpen={this.state.showSpaceSelector}
         closePopover={this.closeSpaceSelector}
diff --git a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.tsx.snap b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.tsx.snap
index 47be61bc3c1482..6dcb552b2ac78c 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.tsx.snap
+++ b/x-pack/plugins/spaces/public/views/space_selector/__snapshots__/space_selector.test.tsx.snap
@@ -3,6 +3,7 @@
 exports[`it renders without crashing 1`] = `
 <EuiPage
   className="spaceSelector__page"
+  data-test-subj="kibanaSpaceSelector"
   restrictWidth={false}
 >
   <EuiPageBody
diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.tsx b/x-pack/plugins/spaces/public/views/space_selector/space_selector.tsx
index fe596d761f9998..a4975f23508efe 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.tsx
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.tsx
@@ -83,7 +83,7 @@ export class SpaceSelector extends Component<Props, State> {
     }
 
     return (
-      <EuiPage className="spaceSelector__page">
+      <EuiPage className="spaceSelector__page" data-test-subj="kibanaSpaceSelector">
         <EuiPageBody>
           <EuiPageHeader className="spaceSelector__heading">
             <EuiPageHeaderSection className="spaceSelector__logoHeader">
diff --git a/x-pack/test/functional/apps/security/security.js b/x-pack/test/functional/apps/security/security.js
index 3cb09a3adf8a46..0975278b6ee94b 100644
--- a/x-pack/test/functional/apps/security/security.js
+++ b/x-pack/test/functional/apps/security/security.js
@@ -29,7 +29,7 @@ export default function ({ getService, getPageObjects }) {
       });
 
       it('displays message if login fails', async () => {
-        await PageObjects.security.loginPage.login('wrong-user', 'wrong-password', false);
+        await PageObjects.security.loginPage.login('wrong-user', 'wrong-password', { expectSuccess: false });
         const errorMessage = await PageObjects.security.loginPage.getErrorMessage();
         expect(errorMessage).to.be('Oops! Error. Try again.');
       });
diff --git a/x-pack/test/functional/apps/spaces/index.ts b/x-pack/test/functional/apps/spaces/index.ts
new file mode 100644
index 00000000000000..11d2316aca90b7
--- /dev/null
+++ b/x-pack/test/functional/apps/spaces/index.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { TestInvoker } from './lib/types';
+
+// tslint:disable:no-default-export
+export default function spacesApp({ loadTestFile }: TestInvoker) {
+  describe('security app', function spacesAppTestSuite() {
+    loadTestFile(require.resolve('./spaces_selection'));
+  });
+}
diff --git a/x-pack/test/functional/apps/spaces/lib/types.ts b/x-pack/test/functional/apps/spaces/lib/types.ts
new file mode 100644
index 00000000000000..2ed91406e5f48d
--- /dev/null
+++ b/x-pack/test/functional/apps/spaces/lib/types.ts
@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export type DescribeFn = (text: string, fn: () => void) => void;
+
+export interface TestDefinitionAuthentication {
+  username?: string;
+  password?: string;
+}
+
+export type LoadTestFileFn = (path: string) => string;
+
+export type GetServiceFn = (service: string) => any;
+
+export type ReadConfigFileFn = (path: string) => any;
+
+export type GetPageObjectsFn = (pageObjects: string[]) => any;
+
+export interface TestInvoker {
+  getService: GetServiceFn;
+  getPageObjects: GetPageObjectsFn;
+  loadTestFile: LoadTestFileFn;
+  readConfigFile: ReadConfigFileFn;
+}
diff --git a/x-pack/test/functional/apps/spaces/spaces_selection.ts b/x-pack/test/functional/apps/spaces/spaces_selection.ts
new file mode 100644
index 00000000000000..be2b59d69d8649
--- /dev/null
+++ b/x-pack/test/functional/apps/spaces/spaces_selection.ts
@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { TestInvoker } from './lib/types';
+
+// tslint:disable:no-default-export
+export default function spaceSelectorFunctonalTests({ getService, getPageObjects }: TestInvoker) {
+  const esArchiver = getService('esArchiver');
+  const PageObjects = getPageObjects(['security', 'spaceSelector', 'home']);
+
+  describe('Spaces', () => {
+    describe('Space Selector', () => {
+      before(async () => await esArchiver.load('spaces'));
+      after(async () => await esArchiver.unload('spaces'));
+
+      afterEach(async () => {
+        await PageObjects.security.logout();
+      });
+
+      it('allows user to navigate to different spaces', async () => {
+        const spaceId = 'another-space';
+
+        await PageObjects.security.login(null, null, {
+          expectSpaceSelector: true,
+        });
+
+        await PageObjects.spaceSelector.clickSpaceCard(spaceId);
+
+        await PageObjects.spaceSelector.expectHomePage(spaceId);
+
+        await PageObjects.spaceSelector.openSpacesNav();
+
+        // change spaces
+
+        await PageObjects.spaceSelector.clickSpaceAvatar('default');
+
+        await PageObjects.spaceSelector.expectHomePage('default');
+      });
+    });
+  });
+}
diff --git a/x-pack/test/functional/config.js b/x-pack/test/functional/config.js
index 77c0aee49b83ef..f8b62dc9ed770c 100644
--- a/x-pack/test/functional/config.js
+++ b/x-pack/test/functional/config.js
@@ -16,6 +16,7 @@ import {
   GrokDebuggerPageProvider,
   WatcherPageProvider,
   ReportingPageProvider,
+  SpaceSelectorPageProvider,
 } from './page_objects';
 
 import {
@@ -66,6 +67,7 @@ export default async function ({ readConfigFile }) {
       resolve(__dirname, './apps/security'),
       resolve(__dirname, './apps/logstash'),
       resolve(__dirname, './apps/grok_debugger'),
+      resolve(__dirname, './apps/spaces'),
     ],
 
     // define the name and providers for services that should be
@@ -113,6 +115,7 @@ export default async function ({ readConfigFile }) {
       grokDebugger: GrokDebuggerPageProvider,
       watcher: WatcherPageProvider,
       reporting: ReportingPageProvider,
+      spaceSelector: SpaceSelectorPageProvider,
     },
 
     servers: kibanaFunctionalConfig.get('servers'),
@@ -159,6 +162,9 @@ export default async function ({ readConfigFile }) {
         pathname: '/app/kibana',
         hash: '/dev_tools/grokdebugger'
       },
+      spaceSelector: {
+        pathname: '/',
+      }
     },
 
     // choose where esArchiver should load archives from
diff --git a/x-pack/test/functional/es_archives/spaces/data.json b/x-pack/test/functional/es_archives/spaces/data.json
new file mode 100644
index 00000000000000..f76f2c6874b34b
--- /dev/null
+++ b/x-pack/test/functional/es_archives/spaces/data.json
@@ -0,0 +1,47 @@
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "config:6.0.0-alpha1",
+    "source": {
+      "type": "config",
+      "config": {
+        "buildNum": 8467,
+        "dateFormat:tz": "UTC"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space:default",
+    "source": {
+      "type": "space",
+      "space": {
+        "name": "Default",
+        "description": "This is the default space!"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".kibana",
+    "type": "doc",
+    "id": "space:another-space",
+    "source": {
+      "type": "space",
+      "space": {
+        "name": "Another Space",
+        "description": "This is another space"
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/x-pack/test/functional/es_archives/spaces/mappings.json b/x-pack/test/functional/es_archives/spaces/mappings.json
new file mode 100644
index 00000000000000..aeea7f7bcea4b4
--- /dev/null
+++ b/x-pack/test/functional/es_archives/spaces/mappings.json
@@ -0,0 +1,283 @@
+{
+  "type": "index",
+  "value": {
+    "index": ".kibana",
+    "settings": {
+      "index": {
+        "number_of_shards": "1",
+        "number_of_replicas": "1"
+      }
+    },
+    "mappings": {
+      "doc": {
+        "properties": {
+          "type": {
+            "type": "keyword"
+          },
+          "server": {
+            "dynamic": "strict",
+            "properties": {
+              "uuid": {
+                "type": "keyword"
+              }
+            }
+          },
+          "search": {
+            "dynamic": "strict",
+            "properties": {
+              "columns": {
+                "type": "keyword"
+              },
+              "description": {
+                "type": "text"
+              },
+              "hits": {
+                "type": "integer"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "sort": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              }
+            }
+          },
+          "timelion-sheet": {
+            "dynamic": "strict",
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "hits": {
+                "type": "integer"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "timelion_chart_height": {
+                "type": "integer"
+              },
+              "timelion_columns": {
+                "type": "integer"
+              },
+              "timelion_interval": {
+                "type": "keyword"
+              },
+              "timelion_other_interval": {
+                "type": "keyword"
+              },
+              "timelion_rows": {
+                "type": "integer"
+              },
+              "timelion_sheet": {
+                "type": "text"
+              },
+              "title": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              }
+            }
+          },
+          "visualization": {
+            "dynamic": "strict",
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "savedSearchId": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              },
+              "uiStateJSON": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              },
+              "visState": {
+                "type": "text"
+              }
+            }
+          },
+          "config": {
+            "dynamic": "true",
+            "properties": {
+              "buildNum": {
+                "type": "keyword"
+              },
+              "dateFormat:tz": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 256
+                  }
+                }
+              }
+            }
+          },
+          "url": {
+            "dynamic": "strict",
+            "properties": {
+              "accessCount": {
+                "type": "long"
+              },
+              "accessDate": {
+                "type": "date"
+              },
+              "createDate": {
+                "type": "date"
+              },
+              "url": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              }
+            }
+          },
+          "dashboard": {
+            "dynamic": "strict",
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "hits": {
+                "type": "integer"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "optionsJSON": {
+                "type": "text"
+              },
+              "panelsJSON": {
+                "type": "text"
+              },
+              "refreshInterval": {
+                "properties": {
+                  "display": {
+                    "type": "keyword"
+                  },
+                  "pause": {
+                    "type": "boolean"
+                  },
+                  "section": {
+                    "type": "integer"
+                  },
+                  "value": {
+                    "type": "integer"
+                  }
+                }
+              },
+              "timeFrom": {
+                "type": "keyword"
+              },
+              "timeRestore": {
+                "type": "boolean"
+              },
+              "timeTo": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              },
+              "uiStateJSON": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              }
+            }
+          },
+          "index-pattern": {
+            "dynamic": "strict",
+            "properties": {
+              "fieldFormatMap": {
+                "type": "text"
+              },
+              "fields": {
+                "type": "text"
+              },
+              "intervalName": {
+                "type": "keyword"
+              },
+              "notExpandable": {
+                "type": "boolean"
+              },
+              "sourceFilters": {
+                "type": "text"
+              },
+              "timeFieldName": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              }
+            }
+          },
+          "spaceId": {
+            "type": "keyword"
+          },
+          "space": {
+            "properties": {
+              "name": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              },
+              "description": {
+                "type": "text"
+              },
+              "initials": {
+                "type": "keyword"
+              },
+              "color": {
+                "type": "keyword"
+              },
+              "_reserved": {
+                "type": "boolean"
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/x-pack/test/functional/page_objects/index.js b/x-pack/test/functional/page_objects/index.js
index 9c505cee719e02..62af59b3a8d0f3 100644
--- a/x-pack/test/functional/page_objects/index.js
+++ b/x-pack/test/functional/page_objects/index.js
@@ -11,3 +11,4 @@ export { GraphPageProvider } from './graph_page';
 export { GrokDebuggerPageProvider } from './grok_debugger_page';
 export { WatcherPageProvider } from './watcher_page';
 export { ReportingPageProvider } from './reporting_page';
+export { SpaceSelectorPageProvider } from './space_selector_page';
diff --git a/x-pack/test/functional/page_objects/security_page.js b/x-pack/test/functional/page_objects/security_page.js
index 58e961b566f709..d6bcd107c999d4 100644
--- a/x-pack/test/functional/page_objects/security_page.js
+++ b/x-pack/test/functional/page_objects/security_page.js
@@ -19,19 +19,26 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
   const PageObjects = getPageObjects(['common', 'header', 'settings', 'home']);
 
   class LoginPage {
-    async login(username, password, expectSuccess = true) {
+    async login(username, password, options = {}) {
       const [superUsername, superPassword] = config.get('servers.elasticsearch.auth').split(':');
 
       username = username || superUsername;
       password = password || superPassword;
 
+      const expectSpaceSelector = options.expectSpaceSelector || false;
+      const expectSuccess = options.expectSuccess || true;
+
       await PageObjects.common.navigateToApp('login');
       await testSubjects.setValue('loginUsername', username);
       await testSubjects.setValue('loginPassword', password);
       await testSubjects.click('loginSubmit');
-      // wait for either kibanaChrome or loginErrorMessage
-      if (expectSuccess) {
-        await remote.setFindTimeout(20000).findByCssSelector('[data-test-subj="kibanaChrome"] nav:not(.ng-hide)');
+
+      // wait for either space selector, kibanaChrome or loginErrorMessage
+      if (expectSpaceSelector) {
+        await retry.try(() => testSubjects.find('kibanaSpaceSelector'));
+        log.debug(`Finished login process, landed on space selector. currentUrl = ${await remote.getCurrentUrl()}`);
+      } else if (expectSuccess) {
+        await remote.setFindTimeout(20000).findByCssSelector('[data-test-subj="kibanaChrome"] nav:not(.ng-hide) ');
         log.debug(`Finished login process currentUrl = ${await remote.getCurrentUrl()}`);
       }
     }
@@ -63,8 +70,12 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
       remote.setWindowSize(1600, 1000);
     }
 
-    async login(username, password) {
-      await this.loginPage.login(username, password);
+    async login(username, password, options) {
+      await this.loginPage.login(username, password, options);
+
+      if (options.expectSpaceSelector) {
+        return;
+      }
 
       await retry.try(async () => {
         const logoutLinkExists = await find.existsByLinkText('Logout');
diff --git a/x-pack/test/functional/page_objects/space_selector_page.js b/x-pack/test/functional/page_objects/space_selector_page.js
new file mode 100644
index 00000000000000..aebe065fe6ef94
--- /dev/null
+++ b/x-pack/test/functional/page_objects/space_selector_page.js
@@ -0,0 +1,64 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+
+export function SpaceSelectorPageProvider({ getService, getPageObjects }) {
+  const retry = getService('retry');
+  const log = getService('log');
+  const testSubjects = getService('testSubjects');
+  const remote = getService('remote');
+  const PageObjects = getPageObjects(['common', 'home', 'security']);
+
+  class SpaceSelectorPage {
+    async initTests() {
+      log.debug('SpaceSelectorPage:initTests');
+    }
+
+    async clickSpaceCard(spaceId) {
+      return await retry.try(async () => {
+        log.info(`SpaceSelectorPage:clickSpaceCard(${spaceId})`);
+        await testSubjects.click(`space-card-${spaceId}`);
+        await PageObjects.common.sleep(1000);
+      });
+    }
+
+    async expectHomePage(spaceId) {
+      return await retry.try(async () => {
+        log.debug(`expectHomePage(${spaceId})`);
+        await this.dismissWelcomeScreen();
+        await remote.setFindTimeout(20000).findByCssSelector('[data-test-subj="kibanaChrome"] nav:not(.ng-hide) ');
+        const url = await remote.getCurrentUrl();
+        if (spaceId === 'default') {
+          expect(url).to.contain(`/app/kibana#/home`);
+        } else {
+          expect(url).to.contain(`/s/${spaceId}/app/kibana#/home`);
+        }
+      });
+    }
+
+    async dismissWelcomeScreen() {
+      if (await PageObjects.home.isWelcomeShowing()) {
+        await PageObjects.home.hideWelcomeScreen();
+      }
+    }
+
+    async openSpacesNav() {
+      log.debug('openSpacesNav()');
+      return await testSubjects.click('spacesNavSelector');
+    }
+
+    async clickSpaceAvatar(spaceId) {
+      return await retry.try(async () => {
+        log.info(`SpaceSelectorPage:clickSpaceAvatar(${spaceId})`);
+        await testSubjects.click(`space-avatar-${spaceId}`);
+        await PageObjects.common.sleep(1000);
+      });
+    }
+  }
+
+  return new SpaceSelectorPage();
+}

From accbe4fcf52fc841071d785da74025e6d7e7419f Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Fri, 14 Sep 2018 12:17:20 -0400
Subject: [PATCH 140/183] debug ts error

---
 .../public/views/space_selector/space_selector.test.tsx     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.tsx b/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.tsx
index b748d8aaf81e2e..96d99f0a293609 100644
--- a/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.tsx
+++ b/x-pack/plugins/spaces/public/views/space_selector/space_selector.test.tsx
@@ -31,7 +31,7 @@ function getSpacesManager(spaces: Space[] = []) {
 
 test('it renders without crashing', () => {
   const spacesManager = getSpacesManager();
-  const component = shallow(<SpaceSelector spaces={[]} spacesManager={spacesManager} />);
+  const component = shallow(<SpaceSelector spaces={[]} spacesManager={spacesManager as any} />);
   expect(component).toMatchSnapshot();
 });
 
@@ -46,7 +46,7 @@ test('it uses the spaces on props, when provided', () => {
     },
   ];
 
-  const component = render(<SpaceSelector spaces={spaces} spacesManager={spacesManager} />);
+  const component = render(<SpaceSelector spaces={spaces} spacesManager={spacesManager as any} />);
 
   return Promise.resolve().then(() => {
     expect(component.find('.spaceCard')).toHaveLength(1);
@@ -65,7 +65,7 @@ test('it queries for spaces when not provided on props', () => {
 
   const spacesManager = getSpacesManager(spaces);
 
-  shallow(<SpaceSelector spacesManager={spacesManager} />);
+  shallow(<SpaceSelector spacesManager={spacesManager as any} />);
 
   return Promise.resolve().then(() => {
     expect(spacesManager.getSpaces).toHaveBeenCalledTimes(1);

From 703d90d87f8c8ff988090c988e8b26578b8e4c30 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Fri, 14 Sep 2018 14:30:47 -0400
Subject: [PATCH 141/183] fix invalid login tests

---
 x-pack/test/functional/page_objects/security_page.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/test/functional/page_objects/security_page.js b/x-pack/test/functional/page_objects/security_page.js
index d6bcd107c999d4..a1f5e1b9af2bc9 100644
--- a/x-pack/test/functional/page_objects/security_page.js
+++ b/x-pack/test/functional/page_objects/security_page.js
@@ -26,7 +26,7 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
       password = password || superPassword;
 
       const expectSpaceSelector = options.expectSpaceSelector || false;
-      const expectSuccess = options.expectSuccess || true;
+      const expectSuccess = options.expectSuccess;
 
       await PageObjects.common.navigateToApp('login');
       await testSubjects.setValue('loginUsername', username);
@@ -70,7 +70,7 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
       remote.setWindowSize(1600, 1000);
     }
 
-    async login(username, password, options) {
+    async login(username, password, options = {}) {
       await this.loginPage.login(username, password, options);
 
       if (options.expectSpaceSelector) {

From fc07717b66fdaa7ab206fbb4446d0cb2fd97a541 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Fri, 14 Sep 2018 16:21:47 -0400
Subject: [PATCH 142/183] test diagnosis

---
 x-pack/test/functional/apps/spaces/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/test/functional/apps/spaces/index.ts b/x-pack/test/functional/apps/spaces/index.ts
index 11d2316aca90b7..4e5e647c748779 100644
--- a/x-pack/test/functional/apps/spaces/index.ts
+++ b/x-pack/test/functional/apps/spaces/index.ts
@@ -7,7 +7,7 @@ import { TestInvoker } from './lib/types';
 
 // tslint:disable:no-default-export
 export default function spacesApp({ loadTestFile }: TestInvoker) {
-  describe('security app', function spacesAppTestSuite() {
+  describe.skip('Spaces app', function spacesAppTestSuite() {
     loadTestFile(require.resolve('./spaces_selection'));
   });
 }

From 49ea3349dc6584e4533154deef9ecd893044f9e9 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Sat, 15 Sep 2018 14:25:26 -0400
Subject: [PATCH 143/183] additional tests

---
 .../manage_spaces_button.test.tsx.snap        |  17 +++
 .../components/manage_spaces_button.test.tsx  |  25 ++++
 .../confirm_delete_modal.test.tsx.snap        |  53 +++++++
 .../unauthorized_prompt.test.tsx.snap         |  20 +++
 .../advanced_settings_subtitle.test.tsx.snap  |  23 +++
 .../advanced_settings_subtitle.test.tsx       |  18 +++
 .../advanced_settings_title.test.tsx.snap     |  46 ++++++
 .../advanced_settings_title.test.tsx          |  18 +++
 .../components/confirm_delete_modal.test.tsx  |  99 +++++++++++++
 .../components/unauthorized_prompt.test.tsx   |  14 ++
 .../delete_spaces_button.test.tsx.snap        |  16 +++
 .../edit_space/delete_spaces_button.test.tsx  |  47 ++++++
 .../edit_space/manage_space_page.test.tsx     | 134 ++++++++++++++++++
 .../edit_space/manage_space_page.tsx          |   7 +-
 14 files changed, 535 insertions(+), 2 deletions(-)
 create mode 100644 x-pack/plugins/spaces/public/components/__snapshots__/manage_spaces_button.test.tsx.snap
 create mode 100644 x-pack/plugins/spaces/public/components/manage_spaces_button.test.tsx
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/__snapshots__/confirm_delete_modal.test.tsx.snap
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/__snapshots__/unauthorized_prompt.test.tsx.snap
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/__snapshots__/advanced_settings_subtitle.test.tsx.snap
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/advanced_settings_subtitle.test.tsx
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/__snapshots__/advanced_settings_title.test.tsx.snap
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/advanced_settings_title.test.tsx
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.test.tsx
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/unauthorized_prompt.test.tsx
 create mode 100644 x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/delete_spaces_button.test.tsx.snap
 create mode 100644 x-pack/plugins/spaces/public/views/management/edit_space/delete_spaces_button.test.tsx
 create mode 100644 x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.test.tsx

diff --git a/x-pack/plugins/spaces/public/components/__snapshots__/manage_spaces_button.test.tsx.snap b/x-pack/plugins/spaces/public/components/__snapshots__/manage_spaces_button.test.tsx.snap
new file mode 100644
index 00000000000000..174b16e0c56564
--- /dev/null
+++ b/x-pack/plugins/spaces/public/components/__snapshots__/manage_spaces_button.test.tsx.snap
@@ -0,0 +1,17 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`ManageSpacesButton doesn't render if user profile forbids managing spaces 1`] = `""`;
+
+exports[`ManageSpacesButton renders as expected 1`] = `
+<EuiButton
+  className="manage-spaces-button"
+  color="primary"
+  fill={false}
+  iconSide="left"
+  onClick={[Function]}
+  size="s"
+  type="button"
+>
+  Manage spaces
+</EuiButton>
+`;
diff --git a/x-pack/plugins/spaces/public/components/manage_spaces_button.test.tsx b/x-pack/plugins/spaces/public/components/manage_spaces_button.test.tsx
new file mode 100644
index 00000000000000..374ffc5d365003
--- /dev/null
+++ b/x-pack/plugins/spaces/public/components/manage_spaces_button.test.tsx
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { shallow } from 'enzyme';
+import React from 'react';
+import { UserProfileProvider } from '../../../xpack_main/public/services/user_profile';
+import { ManageSpacesButton } from './manage_spaces_button';
+
+const buildUserProfile = (canManageSpaces: boolean) => {
+  return UserProfileProvider({ manageSpaces: canManageSpaces });
+};
+
+describe('ManageSpacesButton', () => {
+  it('renders as expected', () => {
+    const component = <ManageSpacesButton userProfile={buildUserProfile(true)} />;
+    expect(shallow(component)).toMatchSnapshot();
+  });
+
+  it(`doesn't render if user profile forbids managing spaces`, () => {
+    const component = <ManageSpacesButton userProfile={buildUserProfile(false)} />;
+    expect(shallow(component)).toMatchSnapshot();
+  });
+});
diff --git a/x-pack/plugins/spaces/public/views/management/components/__snapshots__/confirm_delete_modal.test.tsx.snap b/x-pack/plugins/spaces/public/views/management/components/__snapshots__/confirm_delete_modal.test.tsx.snap
new file mode 100644
index 00000000000000..7f00705b160fbb
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/__snapshots__/confirm_delete_modal.test.tsx.snap
@@ -0,0 +1,53 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`ConfirmDeleteModal renders as expected 1`] = `
+<EuiOverlayMask>
+  <EuiConfirmModal
+    buttonColor="danger"
+    cancelButtonText="Cancel"
+    confirmButtonText="Delete space"
+    defaultFocusedButton="cancel"
+    onCancel={[MockFunction]}
+    onConfirm={[Function]}
+    title="Delete space 'My Space'"
+  >
+    <p>
+      Deleting a space permanently removes the space and all of its contents. You can't undo this action.
+    </p>
+    <EuiFormRow
+      describedByIds={Array []}
+      error="Space names do not match."
+      fullWidth={false}
+      hasEmptyLabelSpace={false}
+      isInvalid={false}
+      label="Confirm space name"
+    >
+      <EuiFieldText
+        compressed={false}
+        fullWidth={false}
+        isLoading={false}
+        onChange={[Function]}
+        value=""
+      />
+    </EuiFormRow>
+    <EuiCallOut
+      color="warning"
+      size="m"
+    >
+      <EuiText
+        grow={true}
+      >
+        You are about to delete your current space 
+        <span>
+          (
+          <strong>
+            My Space
+          </strong>
+          )
+        </span>
+        . You will be redirected to choose a different space if you continue.
+      </EuiText>
+    </EuiCallOut>
+  </EuiConfirmModal>
+</EuiOverlayMask>
+`;
diff --git a/x-pack/plugins/spaces/public/views/management/components/__snapshots__/unauthorized_prompt.test.tsx.snap b/x-pack/plugins/spaces/public/views/management/components/__snapshots__/unauthorized_prompt.test.tsx.snap
new file mode 100644
index 00000000000000..673576cd01b3f6
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/__snapshots__/unauthorized_prompt.test.tsx.snap
@@ -0,0 +1,20 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`UnauthorizedPrompt renders as expected 1`] = `
+<EuiEmptyPrompt
+  body={
+    <p
+      data-test-subj="permissionDeniedMessage"
+    >
+      You do not have permission to manage spaces.
+    </p>
+  }
+  iconColor="danger"
+  iconType="spacesApp"
+  title={
+    <h2>
+      Permission denied
+    </h2>
+  }
+/>
+`;
diff --git a/x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/__snapshots__/advanced_settings_subtitle.test.tsx.snap b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/__snapshots__/advanced_settings_subtitle.test.tsx.snap
new file mode 100644
index 00000000000000..0d539fffe6e348
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/__snapshots__/advanced_settings_subtitle.test.tsx.snap
@@ -0,0 +1,23 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`AdvancedSettingsSubtitle renders as expected 1`] = `
+<React.Fragment>
+  <EuiSpacer
+    size="m"
+  />
+  <EuiCallOut
+    color="primary"
+    iconType="spacesApp"
+    size="m"
+    title={
+      <p>
+        The settings on this page apply to the 
+        <strong>
+          My Space
+        </strong>
+         space, unless otherwise specified.
+      </p>
+    }
+  />
+</React.Fragment>
+`;
diff --git a/x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/advanced_settings_subtitle.test.tsx b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/advanced_settings_subtitle.test.tsx
new file mode 100644
index 00000000000000..39444cf01e88b7
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_subtitle/advanced_settings_subtitle.test.tsx
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { shallow } from 'enzyme';
+import React from 'react';
+import { AdvancedSettingsSubtitle } from './advanced_settings_subtitle';
+
+describe('AdvancedSettingsSubtitle', () => {
+  it('renders as expected', () => {
+    const space = {
+      id: 'my-space',
+      name: 'My Space',
+    };
+    expect(shallow(<AdvancedSettingsSubtitle space={space} />)).toMatchSnapshot();
+  });
+});
diff --git a/x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/__snapshots__/advanced_settings_title.test.tsx.snap b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/__snapshots__/advanced_settings_title.test.tsx.snap
new file mode 100644
index 00000000000000..4bffc7433987ce
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/__snapshots__/advanced_settings_title.test.tsx.snap
@@ -0,0 +1,46 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`AdvancedSettingsTitle renders as expected 1`] = `
+<EuiFlexGroup
+  alignItems="center"
+  component="div"
+  direction="row"
+  gutterSize="s"
+  justifyContent="flexStart"
+  responsive={false}
+  wrap={false}
+>
+  <EuiFlexItem
+    component="div"
+    grow={false}
+  >
+    <Component
+      space={
+        Object {
+          "id": "my-space",
+          "name": "My Space",
+        }
+      }
+    />
+  </EuiFlexItem>
+  <EuiFlexItem
+    component="div"
+    grow={true}
+    style={
+      Object {
+        "marginLeft": "10px",
+      }
+    }
+  >
+    <EuiText
+      grow={true}
+    >
+      <h1
+        data-test-subj="managementSettingsTitle"
+      >
+        Settings
+      </h1>
+    </EuiText>
+  </EuiFlexItem>
+</EuiFlexGroup>
+`;
diff --git a/x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/advanced_settings_title.test.tsx b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/advanced_settings_title.test.tsx
new file mode 100644
index 00000000000000..d46848f2c103fa
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/advanced_settings_title/advanced_settings_title.test.tsx
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { shallow } from 'enzyme';
+import React from 'react';
+import { AdvancedSettingsTitle } from './advanced_settings_title';
+
+describe('AdvancedSettingsTitle', () => {
+  it('renders as expected', () => {
+    const space = {
+      id: 'my-space',
+      name: 'My Space',
+    };
+    expect(shallow(<AdvancedSettingsTitle space={space} />)).toMatchSnapshot();
+  });
+});
diff --git a/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.test.tsx b/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.test.tsx
new file mode 100644
index 00000000000000..2fbfd6da452e4c
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/confirm_delete_modal.test.tsx
@@ -0,0 +1,99 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { mount, shallow } from 'enzyme';
+import React from 'react';
+import { SpacesManager } from '../../../lib';
+import { SpacesNavState } from '../../nav_control';
+import { ConfirmDeleteModal } from './confirm_delete_modal';
+
+const buildMockChrome = () => {
+  return {
+    addBasePath: (path: string) => path,
+  };
+};
+
+describe('ConfirmDeleteModal', () => {
+  it('renders as expected', () => {
+    const space = {
+      id: 'my-space',
+      name: 'My Space',
+    };
+
+    const mockHttp = {
+      delete: jest.fn(() => Promise.resolve()),
+    };
+    const mockChrome = buildMockChrome();
+
+    const spacesManager = new SpacesManager(mockHttp, mockChrome, '/');
+
+    const spacesNavState: SpacesNavState = {
+      getActiveSpace: () => space,
+      refreshSpacesList: jest.fn(),
+    };
+
+    const onCancel = jest.fn();
+    const onConfirm = jest.fn();
+
+    expect(
+      shallow(
+        <ConfirmDeleteModal
+          space={space}
+          spacesManager={spacesManager}
+          spacesNavState={spacesNavState}
+          onCancel={onCancel}
+          onConfirm={onConfirm}
+        />
+      )
+    ).toMatchSnapshot();
+  });
+
+  it(`requires the space name to be typed before confirming`, () => {
+    const space = {
+      id: 'my-space',
+      name: 'My Space',
+    };
+
+    const mockHttp = {
+      delete: jest.fn(() => Promise.resolve()),
+    };
+    const mockChrome = buildMockChrome();
+
+    const spacesManager = new SpacesManager(mockHttp, mockChrome, '/');
+
+    const spacesNavState: SpacesNavState = {
+      getActiveSpace: () => space,
+      refreshSpacesList: jest.fn(),
+    };
+
+    const onCancel = jest.fn();
+    const onConfirm = jest.fn();
+
+    const wrapper = mount(
+      <ConfirmDeleteModal
+        space={space}
+        spacesManager={spacesManager}
+        spacesNavState={spacesNavState}
+        onCancel={onCancel}
+        onConfirm={onConfirm}
+      />
+    );
+
+    const input = wrapper.find('input');
+    expect(input).toHaveLength(1);
+
+    input.simulate('change', { target: { value: 'My Invalid Space Name ' } });
+
+    const confirmButton = wrapper.find('button[data-test-subj="confirmModalConfirmButton"]');
+    confirmButton.simulate('click');
+
+    expect(onConfirm).not.toHaveBeenCalled();
+
+    input.simulate('change', { target: { value: 'My Space' } });
+    confirmButton.simulate('click');
+
+    expect(onConfirm).toHaveBeenCalledTimes(1);
+  });
+});
diff --git a/x-pack/plugins/spaces/public/views/management/components/unauthorized_prompt.test.tsx b/x-pack/plugins/spaces/public/views/management/components/unauthorized_prompt.test.tsx
new file mode 100644
index 00000000000000..35fdd69f64e8b4
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/unauthorized_prompt.test.tsx
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { shallow } from 'enzyme';
+import React from 'react';
+import { UnauthorizedPrompt } from './unauthorized_prompt';
+
+describe('UnauthorizedPrompt', () => {
+  it('renders as expected', () => {
+    expect(shallow(<UnauthorizedPrompt />)).toMatchSnapshot();
+  });
+});
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/delete_spaces_button.test.tsx.snap b/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/delete_spaces_button.test.tsx.snap
new file mode 100644
index 00000000000000..efb34025573aa1
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/__snapshots__/delete_spaces_button.test.tsx.snap
@@ -0,0 +1,16 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`DeleteSpacesButton renders as expected 1`] = `
+<React.Fragment>
+  <EuiButton
+    aria-label="Delete this space"
+    color="danger"
+    fill={false}
+    iconSide="left"
+    onClick={[Function]}
+    type="button"
+  >
+    Delete space
+  </EuiButton>
+</React.Fragment>
+`;
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/delete_spaces_button.test.tsx b/x-pack/plugins/spaces/public/views/management/edit_space/delete_spaces_button.test.tsx
new file mode 100644
index 00000000000000..456a6d1ccbb436
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/delete_spaces_button.test.tsx
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { shallow } from 'enzyme';
+import React from 'react';
+import { SpacesManager } from '../../../lib';
+import { SpacesNavState } from '../../nav_control';
+import { DeleteSpacesButton } from './delete_spaces_button';
+
+const space = {
+  id: 'my-space',
+  name: 'My Space',
+};
+const buildMockChrome = () => {
+  return {
+    addBasePath: (path: string) => path,
+  };
+};
+
+describe('DeleteSpacesButton', () => {
+  it('renders as expected', () => {
+    const mockHttp = {
+      delete: jest.fn(() => Promise.resolve()),
+    };
+    const mockChrome = buildMockChrome();
+
+    const spacesManager = new SpacesManager(mockHttp, mockChrome, '/');
+
+    const spacesNavState: SpacesNavState = {
+      getActiveSpace: () => space,
+      refreshSpacesList: jest.fn(),
+    };
+
+    const wrapper = shallow(
+      <DeleteSpacesButton
+        space={space}
+        spacesManager={spacesManager}
+        spacesNavState={spacesNavState}
+        onDelete={jest.fn()}
+      />
+    );
+    expect(wrapper).toMatchSnapshot();
+  });
+});
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.test.tsx b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.test.tsx
new file mode 100644
index 00000000000000..e560af2d3d99a6
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.test.tsx
@@ -0,0 +1,134 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { mount } from 'enzyme';
+import React from 'react';
+import { UserProfileProvider } from '../../../../../xpack_main/public/services/user_profile';
+import { SpacesManager } from '../../../lib';
+import { SpacesNavState } from '../../nav_control';
+import { ManageSpacePage } from './manage_space_page';
+
+const space = {
+  id: 'my-space',
+  name: 'My Space',
+};
+const buildMockChrome = () => {
+  return {
+    addBasePath: (path: string) => path,
+  };
+};
+
+const buildUserProfile = (canManageSpaces: boolean) => {
+  return UserProfileProvider({ manageSpaces: canManageSpaces });
+};
+
+describe('ManageSpacePage', () => {
+  it('allows a space to be created', async () => {
+    const mockHttp = {
+      delete: jest.fn(() => Promise.resolve()),
+    };
+    const mockChrome = buildMockChrome();
+
+    const spacesManager = new SpacesManager(mockHttp, mockChrome, '/');
+    spacesManager.createSpace = jest.fn(spacesManager.createSpace);
+
+    const spacesNavState: SpacesNavState = {
+      getActiveSpace: () => space,
+      refreshSpacesList: jest.fn(),
+    };
+
+    const userProfile = buildUserProfile(true);
+
+    const wrapper = mount(
+      <ManageSpacePage
+        spacesManager={spacesManager}
+        userProfile={userProfile}
+        spacesNavState={spacesNavState}
+      />
+    );
+    const nameInput = wrapper.find('input[name="name"]');
+    const descriptionInput = wrapper.find('input[name="description"]');
+
+    nameInput.simulate('change', { target: { value: 'New Space Name' } });
+    descriptionInput.simulate('change', { target: { value: 'some description' } });
+
+    const createButton = wrapper.find('button[data-test-subj="save-space-button"]');
+    createButton.simulate('click');
+    await Promise.resolve();
+
+    expect(spacesManager.createSpace).toHaveBeenCalledWith({
+      id: 'new-space-name',
+      name: 'New Space Name',
+      description: 'some description',
+      color: undefined,
+      initials: undefined,
+    });
+  });
+
+  it('allows a space to be updated', async () => {
+    const mockHttp = {
+      get: jest.fn(async () => {
+        return Promise.resolve({
+          data: {
+            id: 'existing-space',
+            name: 'Existing Space',
+            description: 'hey an existing space',
+            color: '#aabbcc',
+            initials: 'AB',
+          },
+        });
+      }),
+      delete: jest.fn(() => Promise.resolve()),
+    };
+    const mockChrome = buildMockChrome();
+
+    const spacesManager = new SpacesManager(mockHttp, mockChrome, '/');
+    spacesManager.getSpace = jest.fn(spacesManager.getSpace);
+    spacesManager.updateSpace = jest.fn(spacesManager.updateSpace);
+
+    const spacesNavState: SpacesNavState = {
+      getActiveSpace: () => space,
+      refreshSpacesList: jest.fn(),
+    };
+
+    const userProfile = buildUserProfile(true);
+
+    const wrapper = mount(
+      <ManageSpacePage
+        spaceId={'existing-space'}
+        spacesManager={spacesManager}
+        userProfile={userProfile}
+        spacesNavState={spacesNavState}
+      />
+    );
+
+    await Promise.resolve();
+
+    expect(mockHttp.get).toHaveBeenCalledWith('/api/spaces/space/existing-space');
+
+    await Promise.resolve();
+
+    wrapper.update();
+
+    const nameInput = wrapper.find('input[name="name"]');
+    const descriptionInput = wrapper.find('input[name="description"]');
+
+    nameInput.simulate('change', { target: { value: 'New Space Name' } });
+    descriptionInput.simulate('change', { target: { value: 'some description' } });
+
+    const createButton = wrapper.find('button[data-test-subj="save-space-button"]');
+    createButton.simulate('click');
+    await Promise.resolve();
+
+    expect(spacesManager.updateSpace).toHaveBeenCalledWith({
+      id: 'existing-space',
+      name: 'New Space Name',
+      description: 'some description',
+      color: '#aabbcc',
+      initials: 'AB',
+    });
+  });
+});
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.tsx b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.tsx
index 5b1e3893352120..090a636ff76967 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.tsx
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.tsx
@@ -213,12 +213,14 @@ export class ManageSpacePage extends Component<Props, State> {
     return (
       <EuiFlexGroup responsive={false}>
         <EuiFlexItem grow={false}>
-          <EuiButton fill onClick={this.saveSpace}>
+          <EuiButton fill onClick={this.saveSpace} data-test-subj="save-space-button">
             {saveText}
           </EuiButton>
         </EuiFlexItem>
         <EuiFlexItem grow={false}>
-          <EuiButtonEmpty onClick={this.backToSpacesList}>Cancel</EuiButtonEmpty>
+          <EuiButtonEmpty onClick={this.backToSpacesList} data-test-subj="cancel-space-button">
+            Cancel
+          </EuiButtonEmpty>
         </EuiFlexItem>
         <EuiFlexItem grow={true} />
         {this.getActionButton()}
@@ -231,6 +233,7 @@ export class ManageSpacePage extends Component<Props, State> {
       return (
         <EuiFlexItem grow={false}>
           <DeleteSpacesButton
+            data-test-subj="delete-space-button"
             space={this.state.space as Space}
             spacesManager={this.props.spacesManager}
             spacesNavState={this.props.spacesNavState}

From 29686c6dfb2c7a05dc9ebe0111d1b578e560f1fc Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Sat, 15 Sep 2018 14:32:55 -0400
Subject: [PATCH 144/183] re-enable spaces functional tests

---
 x-pack/test/functional/apps/spaces/index.ts | 2 +-
 x-pack/test/functional/config.js            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/test/functional/apps/spaces/index.ts b/x-pack/test/functional/apps/spaces/index.ts
index 4e5e647c748779..455692b86fc81f 100644
--- a/x-pack/test/functional/apps/spaces/index.ts
+++ b/x-pack/test/functional/apps/spaces/index.ts
@@ -7,7 +7,7 @@ import { TestInvoker } from './lib/types';
 
 // tslint:disable:no-default-export
 export default function spacesApp({ loadTestFile }: TestInvoker) {
-  describe.skip('Spaces app', function spacesAppTestSuite() {
+  describe('Spaces app', function spacesAppTestSuite() {
     loadTestFile(require.resolve('./spaces_selection'));
   });
 }
diff --git a/x-pack/test/functional/config.js b/x-pack/test/functional/config.js
index f8b62dc9ed770c..7633a95fa9e56b 100644
--- a/x-pack/test/functional/config.js
+++ b/x-pack/test/functional/config.js
@@ -65,9 +65,9 @@ export default async function ({ readConfigFile }) {
       resolve(__dirname, './apps/watcher'),
       resolve(__dirname, './apps/dashboard_mode'),
       resolve(__dirname, './apps/security'),
+      resolve(__dirname, './apps/spaces'),
       resolve(__dirname, './apps/logstash'),
       resolve(__dirname, './apps/grok_debugger'),
-      resolve(__dirname, './apps/spaces'),
     ],
 
     // define the name and providers for services that should be

From 9dd36d31853e8be259507a135ac9abf72900d835 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Tue, 18 Sep 2018 07:36:39 -0400
Subject: [PATCH 145/183] sort spaces by name

---
 x-pack/plugins/spaces/server/lib/spaces_client.test.ts | 4 ++++
 x-pack/plugins/spaces/server/lib/spaces_client.ts      | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/x-pack/plugins/spaces/server/lib/spaces_client.test.ts b/x-pack/plugins/spaces/server/lib/spaces_client.test.ts
index e272d7d7454980..1c0c50c6a19688 100644
--- a/x-pack/plugins/spaces/server/lib/spaces_client.test.ts
+++ b/x-pack/plugins/spaces/server/lib/spaces_client.test.ts
@@ -102,6 +102,7 @@ describe('#getAll', () => {
         type: 'space',
         page: 1,
         perPage: 1000,
+        sortField: 'name.keyword',
       });
       expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
       expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
@@ -134,6 +135,7 @@ describe('#getAll', () => {
         type: 'space',
         page: 1,
         perPage: 1000,
+        sortField: 'name.keyword',
       });
       expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
       expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
@@ -178,6 +180,7 @@ describe('#getAll', () => {
         type: 'space',
         page: 1,
         perPage: 1000,
+        sortField: 'name.keyword',
       });
       expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
       expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
@@ -226,6 +229,7 @@ describe('#getAll', () => {
         type: 'space',
         page: 1,
         perPage: 1000,
+        sortField: 'name.keyword',
       });
       expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
       expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
diff --git a/x-pack/plugins/spaces/server/lib/spaces_client.ts b/x-pack/plugins/spaces/server/lib/spaces_client.ts
index 96bfd995ce56b3..5e29875c3c8ec0 100644
--- a/x-pack/plugins/spaces/server/lib/spaces_client.ts
+++ b/x-pack/plugins/spaces/server/lib/spaces_client.ts
@@ -49,6 +49,7 @@ export class SpacesClient {
         type: 'space',
         page: 1,
         perPage: 1000,
+        sortField: 'name.keyword',
       });
 
       const spaces = saved_objects.map(this.transformSavedObjectToSpace);
@@ -76,6 +77,7 @@ export class SpacesClient {
         type: 'space',
         page: 1,
         perPage: 1000,
+        sortField: 'name.keyword',
       });
 
       return saved_objects.map(this.transformSavedObjectToSpace);

From 4544c7acac87cde2e621e0ce9dd38ad76f2c96be Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Tue, 18 Sep 2018 08:39:41 -0400
Subject: [PATCH 146/183] re-enable spaces functional test suites

---
 .../spaces_api_integration/security_and_spaces/apis/update.ts   | 2 +-
 x-pack/test/spaces_api_integration/spaces_only/apis/update.ts   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
index afe5c3b39505a3..e2d1e26fdc7181 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
@@ -23,7 +23,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
     createExpectLegacyForbidden,
   } = updateTestSuiteFactory(esArchiver, supertestWithoutAuth);
 
-  describe.only('update', () => {
+  describe('update', () => {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
diff --git a/x-pack/test/spaces_api_integration/spaces_only/apis/update.ts b/x-pack/test/spaces_api_integration/spaces_only/apis/update.ts
index aece5a0efc6391..54da0b7ecebdcc 100644
--- a/x-pack/test/spaces_api_integration/spaces_only/apis/update.ts
+++ b/x-pack/test/spaces_api_integration/spaces_only/apis/update.ts
@@ -20,7 +20,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
     expectNewSpaceNotFound,
   } = updateTestSuiteFactory(esArchiver, supertestWithoutAuth);
 
-  describe.only('update', () => {
+  describe('update', () => {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,

From a3b316805c8ec03922509b6f26839ecd539b8a2f Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Tue, 18 Sep 2018 15:29:28 -0700
Subject: [PATCH 147/183] Use an instance of SavedObjectsSerializer for
 migrations and the repository

---
 .../build_active_mappings.test.ts.snap        |   3 +
 .../migrations/core/build_active_mappings.ts  |   3 +
 .../migrations/core/index_migrator.test.ts    |   7 +-
 .../migrations/core/index_migrator.ts         |   8 +-
 .../migrations/core/migrate_raw_docs.test.ts  |  27 ++--
 .../migrations/core/migrate_raw_docs.ts       |  14 +-
 .../migrations/core/migration_context.ts      |   4 +
 .../kibana_migrator.test.ts.snap              |   3 +
 .../migrations/kibana/kibana_migrator.ts      |   9 +-
 .../saved_objects/saved_objects_mixin.js      |   6 +-
 src/server/saved_objects/schema/index.ts      |  20 +++
 src/server/saved_objects/schema/schema.ts     |  41 +++++
 .../saved_objects/serialization/index.ts      | 145 ++++++++++--------
 .../serialization/serializtion.test.ts        |  58 ++++---
 .../service/create_saved_objects_service.js   |   3 +-
 .../saved_objects/service/lib/repository.js   |  19 +--
 .../service/lib/repository.test.js            |   4 +
 .../service/lib/repository_provider.js        |   3 +
 .../service/lib/repository_provider.test.js   |   5 +-
 src/ui/ui_exports/ui_export_types/index.js    |   1 +
 .../ui_export_types/saved_object.js           |   2 +
 .../apis/saved_objects/migrations.js          |   3 +
 22 files changed, 267 insertions(+), 121 deletions(-)
 create mode 100644 src/server/saved_objects/schema/index.ts
 create mode 100644 src/server/saved_objects/schema/schema.ts

diff --git a/src/server/saved_objects/migrations/core/__snapshots__/build_active_mappings.test.ts.snap b/src/server/saved_objects/migrations/core/__snapshots__/build_active_mappings.test.ts.snap
index ebb9566181eb48..d16f9feecb9c0e 100644
--- a/src/server/saved_objects/migrations/core/__snapshots__/build_active_mappings.test.ts.snap
+++ b/src/server/saved_objects/migrations/core/__snapshots__/build_active_mappings.test.ts.snap
@@ -23,6 +23,9 @@ Object {
         "dynamic": "true",
         "type": "object",
       },
+      "namespace": Object {
+        "type": "keyword",
+      },
       "type": Object {
         "type": "keyword",
       },
diff --git a/src/server/saved_objects/migrations/core/build_active_mappings.ts b/src/server/saved_objects/migrations/core/build_active_mappings.ts
index 5181e99e90e678..f7f4ef73a5c71c 100644
--- a/src/server/saved_objects/migrations/core/build_active_mappings.ts
+++ b/src/server/saved_objects/migrations/core/build_active_mappings.ts
@@ -71,6 +71,9 @@ function defaultMapping(): IndexMapping {
         type: {
           type: 'keyword',
         },
+        namespace: {
+          type: 'keyword',
+        },
         updated_at: {
           type: 'date',
         },
diff --git a/src/server/saved_objects/migrations/core/index_migrator.test.ts b/src/server/saved_objects/migrations/core/index_migrator.test.ts
index 6d08e703dcfdf1..e99a49ff35b610 100644
--- a/src/server/saved_objects/migrations/core/index_migrator.test.ts
+++ b/src/server/saved_objects/migrations/core/index_migrator.test.ts
@@ -19,7 +19,8 @@
 
 import _ from 'lodash';
 import sinon from 'sinon';
-import { ROOT_TYPE, SavedObjectDoc } from '../../serialization';
+import { SavedObjectsSchema } from '../../schema';
+import { ROOT_TYPE, SavedObjectDoc, SavedObjectsSerializer } from '../../serialization';
 import { CallCluster } from './call_cluster';
 import { IndexMigrator } from './index_migrator';
 
@@ -46,6 +47,7 @@ describe('IndexMigrator', () => {
           },
           foo: { type: 'text' },
           migrationVersion: { dynamic: 'true', type: 'object' },
+          namespace: { type: 'keyword' },
           type: { type: 'keyword' },
           updated_at: { type: 'date' },
         },
@@ -78,6 +80,7 @@ describe('IndexMigrator', () => {
               },
               foo: { type: 'long' },
               migrationVersion: { dynamic: 'true', type: 'object' },
+              namespace: { type: 'keyword' },
               type: { type: 'keyword' },
               updated_at: { type: 'date' },
             },
@@ -188,6 +191,7 @@ describe('IndexMigrator', () => {
               },
               foo: { type: 'text' },
               migrationVersion: { dynamic: 'true', type: 'object' },
+              namespace: { type: 'keyword' },
               type: { type: 'keyword' },
               updated_at: { type: 'date' },
             },
@@ -301,6 +305,7 @@ function defaultOpts() {
       migrationVersion: {},
       migrate: _.identity,
     },
+    serializer: new SavedObjectsSerializer(new SavedObjectsSchema({})),
   };
 }
 
diff --git a/src/server/saved_objects/migrations/core/index_migrator.ts b/src/server/saved_objects/migrations/core/index_migrator.ts
index d1b718c1be3900..bae5d37bc6e3aa 100644
--- a/src/server/saved_objects/migrations/core/index_migrator.ts
+++ b/src/server/saved_objects/migrations/core/index_migrator.ts
@@ -149,7 +149,7 @@ async function migrateIndex(context: Context): Promise<MigrationResult> {
  */
 async function migrateSourceToDest(context: Context) {
   const { callCluster, alias, dest, source, batchSize } = context;
-  const { scrollDuration, documentMigrator, log } = context;
+  const { scrollDuration, documentMigrator, log, serializer } = context;
 
   if (!source.exists) {
     return;
@@ -174,6 +174,10 @@ async function migrateSourceToDest(context: Context) {
 
     log.debug(`Migrating saved objects ${docs.map(d => d._id).join(', ')}`);
 
-    await Index.write(callCluster, dest.indexName, migrateRawDocs(documentMigrator.migrate, docs));
+    await Index.write(
+      callCluster,
+      dest.indexName,
+      migrateRawDocs(serializer, documentMigrator.migrate, docs)
+    );
   }
 }
diff --git a/src/server/saved_objects/migrations/core/migrate_raw_docs.test.ts b/src/server/saved_objects/migrations/core/migrate_raw_docs.test.ts
index 3b8088af8bf271..96e26c2b4f403b 100644
--- a/src/server/saved_objects/migrations/core/migrate_raw_docs.test.ts
+++ b/src/server/saved_objects/migrations/core/migrate_raw_docs.test.ts
@@ -19,16 +19,21 @@
 
 import _ from 'lodash';
 import sinon from 'sinon';
-import { ROOT_TYPE } from '../../serialization';
+import { SavedObjectsSchema } from '../../schema';
+import { ROOT_TYPE, SavedObjectsSerializer } from '../../serialization';
 import { migrateRawDocs } from './migrate_raw_docs';
 
 describe('migrateRawDocs', () => {
   test('converts raw docs to saved objects', async () => {
     const transform = sinon.spy((doc: any) => _.set(doc, 'attributes.name', 'HOI!'));
-    const result = migrateRawDocs(transform, [
-      { _id: 'a:b', _source: { type: 'a', a: { name: 'AAA' } } },
-      { _id: 'c:d', _source: { type: 'c', c: { name: 'DDD' } } },
-    ]);
+    const result = migrateRawDocs(
+      new SavedObjectsSerializer(new SavedObjectsSchema({})),
+      transform,
+      [
+        { _id: 'a:b', _source: { type: 'a', a: { name: 'AAA' } } },
+        { _id: 'c:d', _source: { type: 'c', c: { name: 'DDD' } } },
+      ]
+    );
 
     expect(result).toEqual([
       {
@@ -48,10 +53,14 @@ describe('migrateRawDocs', () => {
 
   test('passes invalid docs through untouched', async () => {
     const transform = sinon.spy((doc: any) => _.set(_.cloneDeep(doc), 'attributes.name', 'TADA'));
-    const result = migrateRawDocs(transform, [
-      { _id: 'foo:b', _source: { type: 'a', a: { name: 'AAA' } } },
-      { _id: 'c:d', _source: { type: 'c', c: { name: 'DDD' } } },
-    ]);
+    const result = migrateRawDocs(
+      new SavedObjectsSerializer(new SavedObjectsSchema({})),
+      transform,
+      [
+        { _id: 'foo:b', _source: { type: 'a', a: { name: 'AAA' } } },
+        { _id: 'c:d', _source: { type: 'c', c: { name: 'DDD' } } },
+      ]
+    );
 
     expect(result).toEqual([
       { _id: 'foo:b', _source: { type: 'a', a: { name: 'AAA' } } },
diff --git a/src/server/saved_objects/migrations/core/migrate_raw_docs.ts b/src/server/saved_objects/migrations/core/migrate_raw_docs.ts
index 3f37606fa0c294..ffafa9908d23e1 100644
--- a/src/server/saved_objects/migrations/core/migrate_raw_docs.ts
+++ b/src/server/saved_objects/migrations/core/migrate_raw_docs.ts
@@ -21,7 +21,7 @@
  * This file provides logic for migrating raw documents.
  */
 
-import { isRawSavedObject, RawDoc, rawToSavedObject, savedObjectToRaw } from '../../serialization';
+import { RawDoc, SavedObjectsSerializer } from '../../serialization';
 import { TransformFn } from './document_migrator';
 
 /**
@@ -32,12 +32,16 @@ import { TransformFn } from './document_migrator';
  * @param {RawDoc[]} rawDocs
  * @returns {RawDoc[]}
  */
-export function migrateRawDocs(migrateDoc: TransformFn, rawDocs: RawDoc[]): RawDoc[] {
+export function migrateRawDocs(
+  serializer: SavedObjectsSerializer,
+  migrateDoc: TransformFn,
+  rawDocs: RawDoc[]
+): RawDoc[] {
   return rawDocs.map(raw => {
-    if (isRawSavedObject(raw)) {
-      const savedObject = rawToSavedObject(raw);
+    if (serializer.isRawSavedObject(raw)) {
+      const savedObject = serializer.rawToSavedObject(raw);
       savedObject.migrationVersion = savedObject.migrationVersion || {};
-      return savedObjectToRaw(migrateDoc(savedObject));
+      return serializer.savedObjectToRaw(migrateDoc(savedObject));
     }
 
     return raw;
diff --git a/src/server/saved_objects/migrations/core/migration_context.ts b/src/server/saved_objects/migrations/core/migration_context.ts
index 78471bc84f471a..e660a53ef8fcff 100644
--- a/src/server/saved_objects/migrations/core/migration_context.ts
+++ b/src/server/saved_objects/migrations/core/migration_context.ts
@@ -24,6 +24,7 @@
  * serves as a central blueprint for what migrations will end up doing.
  */
 
+import { SavedObjectsSerializer } from '../../serialization';
 import { buildActiveMappings } from './build_active_mappings';
 import { CallCluster, MappingProperties } from './call_cluster';
 import { VersionedTransformer } from './document_migrator';
@@ -39,6 +40,7 @@ export interface MigrationOpts {
   log: LogFn;
   mappingProperties: MappingProperties;
   documentMigrator: VersionedTransformer;
+  serializer: SavedObjectsSerializer;
 }
 
 export interface Context {
@@ -51,6 +53,7 @@ export interface Context {
   batchSize: number;
   pollInterval: number;
   scrollDuration: string;
+  serializer: SavedObjectsSerializer;
 }
 
 /**
@@ -74,6 +77,7 @@ export async function migrationContext(opts: MigrationOpts): Promise<Context> {
     documentMigrator: opts.documentMigrator,
     pollInterval: opts.pollInterval,
     scrollDuration: opts.scrollDuration,
+    serializer: opts.serializer,
   };
 }
 
diff --git a/src/server/saved_objects/migrations/kibana/__snapshots__/kibana_migrator.test.ts.snap b/src/server/saved_objects/migrations/kibana/__snapshots__/kibana_migrator.test.ts.snap
index 37505db9b3adc5..4c329c928753a4 100644
--- a/src/server/saved_objects/migrations/kibana/__snapshots__/kibana_migrator.test.ts.snap
+++ b/src/server/saved_objects/migrations/kibana/__snapshots__/kibana_migrator.test.ts.snap
@@ -23,6 +23,9 @@ Object {
         "dynamic": "true",
         "type": "object",
       },
+      "namespace": Object {
+        "type": "keyword",
+      },
       "type": Object {
         "type": "keyword",
       },
diff --git a/src/server/saved_objects/migrations/kibana/kibana_migrator.ts b/src/server/saved_objects/migrations/kibana/kibana_migrator.ts
index 59a46624575a98..0ab9daa1d5772a 100644
--- a/src/server/saved_objects/migrations/kibana/kibana_migrator.ts
+++ b/src/server/saved_objects/migrations/kibana/kibana_migrator.ts
@@ -22,7 +22,8 @@
  * (the shape of the mappings and documents in the index).
  */
 
-import { SavedObjectDoc } from '../../serialization';
+import { SavedObjectsSchema, UIExportsSavedObjectsSchema } from '../../schema';
+import { SavedObjectDoc, SavedObjectsSerializer } from '../../serialization';
 import { docValidator } from '../../validation';
 import { buildActiveMappings, CallCluster, IndexMigrator, LogFn, MappingProperties } from '../core';
 import { DocumentMigrator, VersionedTransformer } from '../core/document_migrator';
@@ -34,6 +35,7 @@ export interface KbnServer {
     savedObjectMappings: any[];
     savedObjectMigrations: any;
     savedObjectValidations: any;
+    savedObjectSchemas: UIExportsSavedObjectsSchema;
   };
 }
 
@@ -64,6 +66,7 @@ export class KibanaMigrator {
   private documentMigrator: VersionedTransformer;
   private mappingProperties: MappingProperties;
   private log: LogFn;
+  private serializer: SavedObjectsSerializer;
 
   /**
    * Creates an instance of KibanaMigrator.
@@ -74,6 +77,9 @@ export class KibanaMigrator {
    */
   constructor({ kbnServer }: { kbnServer: KbnServer }) {
     this.kbnServer = kbnServer;
+    this.serializer = new SavedObjectsSerializer(
+      new SavedObjectsSchema(kbnServer.uiExports.savedObjectSchemas)
+    );
     this.mappingProperties = mergeProperties(kbnServer.uiExports.savedObjectMappings || []);
     this.log = (meta: string[], message: string) => kbnServer.server.log(meta, message);
     this.documentMigrator = new DocumentMigrator({
@@ -133,6 +139,7 @@ export class KibanaMigrator {
       mappingProperties: this.mappingProperties,
       pollInterval: config.get('migrations.pollInterval'),
       scrollDuration: config.get('migrations.scrollDuration'),
+      serializer: this.serializer,
     });
 
     return migrator.migrate();
diff --git a/src/server/saved_objects/saved_objects_mixin.js b/src/server/saved_objects/saved_objects_mixin.js
index a222b1c49180c4..2d876b0652e177 100644
--- a/src/server/saved_objects/saved_objects_mixin.js
+++ b/src/server/saved_objects/saved_objects_mixin.js
@@ -19,6 +19,8 @@
 
 import { createSavedObjectsService } from './service';
 import { KibanaMigrator } from './migrations';
+import { SavedObjectsSchema } from './schema';
+import { SavedObjectsSerializer } from './serialization';
 
 import {
   createBulkCreateRoute,
@@ -62,7 +64,9 @@ export function savedObjectsMixin(kbnServer, server) {
   server.route(createGetRoute(prereqs));
   server.route(createUpdateRoute(prereqs));
 
-  server.decorate('server', 'savedObjects', createSavedObjectsService(server, migrator));
+  const schema = new SavedObjectsSchema(kbnServer.uiExports.savedObjectSchemas);
+  const serializer = new SavedObjectsSerializer(schema);
+  server.decorate('server', 'savedObjects', createSavedObjectsService(server, serializer, migrator));
 
   const savedObjectsClientCache = new WeakMap();
   server.decorate('request', 'getSavedObjectsClient', function () {
diff --git a/src/server/saved_objects/schema/index.ts b/src/server/saved_objects/schema/index.ts
new file mode 100644
index 00000000000000..f494affbf18ff1
--- /dev/null
+++ b/src/server/saved_objects/schema/index.ts
@@ -0,0 +1,20 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+export { SavedObjectsSchema, UIExportsSavedObjectsSchema } from './schema';
diff --git a/src/server/saved_objects/schema/schema.ts b/src/server/saved_objects/schema/schema.ts
new file mode 100644
index 00000000000000..b53ba37d6a7319
--- /dev/null
+++ b/src/server/saved_objects/schema/schema.ts
@@ -0,0 +1,41 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+interface UIExportsSavedObjectTypeSchema {
+  isNamespaceAgnostic: boolean;
+}
+
+export interface UIExportsSavedObjectsSchema {
+  [key: string]: UIExportsSavedObjectTypeSchema;
+}
+
+export class SavedObjectsSchema {
+  private readonly schema: UIExportsSavedObjectsSchema;
+  constructor(uiExportsSchema: UIExportsSavedObjectsSchema) {
+    this.schema = uiExportsSchema;
+  }
+
+  public isNamespaceAgnostic(type: string) {
+    const typeSchema = this.schema[type];
+    if (!typeSchema) {
+      return false;
+    }
+    return Boolean(typeSchema.isNamespaceAgnostic);
+  }
+}
diff --git a/src/server/saved_objects/serialization/index.ts b/src/server/saved_objects/serialization/index.ts
index c1a046ba8cef7a..27c0cb7c2eb3f5 100644
--- a/src/server/saved_objects/serialization/index.ts
+++ b/src/server/saved_objects/serialization/index.ts
@@ -23,6 +23,7 @@
  */
 
 import uuid from 'uuid';
+import { SavedObjectsSchema } from '../schema';
 
 /**
  * The root document type. In 7.0, this needs to change to '_doc'.
@@ -57,88 +58,96 @@ export interface SavedObjectDoc {
   attributes: object;
   id: string;
   type: string;
+  namespace?: string;
   migrationVersion?: MigrationVersion;
   version?: number;
 
   [rootProp: string]: any;
 }
 
-/**
- * Determines whether or not the raw document can be converted to a saved object.
- *
- * @param {RawDoc} rawDoc - The raw ES document to be tested
- */
-export function isRawSavedObject(rawDoc: RawDoc) {
-  const { type } = rawDoc._source;
-  return type && rawDoc._id.startsWith(type) && rawDoc._source.hasOwnProperty(type);
-}
-
-/**
- * Converts a document from the format that is stored in elasticsearch to the saved object client format.
- *
- *  @param {RawDoc} rawDoc - The raw ES document to be converted to saved object format.
- */
-export function rawToSavedObject({ _id, _source, _version }: RawDoc): SavedObjectDoc {
-  const { type } = _source;
-  return {
-    type,
-    id: trimIdPrefix(type, _id),
-    attributes: _source[type],
-    ...(_source.migrationVersion && { migrationVersion: _source.migrationVersion }),
-    ...(_source.updated_at && { updated_at: _source.updated_at }),
-    ...(_version != null && { version: _version }),
-  };
-}
-
-/**
- * Converts a document from the saved object client format to the format that is stored in elasticsearch.
- *
- * @param {SavedObjectDoc} savedObj - The saved object to be converted to raw ES format.
- */
-export function savedObjectToRaw(savedObj: SavedObjectDoc): RawDoc {
-  const { id, type, attributes, version } = savedObj;
-  const source = {
-    ...savedObj,
-    [type]: attributes,
-  };
-
-  delete source.id;
-  delete source.attributes;
-  delete source.version;
-
-  return {
-    _id: generateRawId(type, id),
-    _source: source,
-    _type: ROOT_TYPE,
-    ...(version != null && { _version: version }),
-  };
-}
-
-/**
- * Given a saved object type and id, generates the compound id that is stored in the raw document.
- *
- * @param {string} type - The saved object type
- * @param {string} id - The id of the saved object
- */
-export function generateRawId(type: string, id?: string) {
-  return `${type}:${id || uuid.v1()}`;
-}
-
 function assertNonEmptyString(value: string, name: string) {
   if (!value || typeof value !== 'string') {
     throw new TypeError(`Expected "${value}" to be a ${name}`);
   }
 }
 
-function trimIdPrefix(type: string, id: string) {
-  assertNonEmptyString(id, 'document id');
-  assertNonEmptyString(type, 'saved object type');
+export class SavedObjectsSerializer {
+  private readonly schema: SavedObjectsSchema;
 
-  const prefix = `${type}:`;
+  constructor(schema: SavedObjectsSchema) {
+    this.schema = schema;
+  }
+  /**
+   * Determines whether or not the raw document can be converted to a saved object.
+   *
+   * @param {RawDoc} rawDoc - The raw ES document to be tested
+   */
+  public isRawSavedObject(rawDoc: RawDoc) {
+    const { type } = rawDoc._source;
+    return type && rawDoc._id.startsWith(type) && rawDoc._source.hasOwnProperty(type);
+  }
 
-  if (!id.startsWith(prefix)) {
-    return id;
+  /**
+   * Converts a document from the format that is stored in elasticsearch to the saved object client format.
+   *
+   *  @param {RawDoc} rawDoc - The raw ES document to be converted to saved object format.
+   */
+  public rawToSavedObject({ _id, _source, _version }: RawDoc): SavedObjectDoc {
+    const { type } = _source;
+    return {
+      type,
+      id: this.trimIdPrefix(type, _id),
+      attributes: _source[type],
+      ...(_source.migrationVersion && { migrationVersion: _source.migrationVersion }),
+      ...(_source.updated_at && { updated_at: _source.updated_at }),
+      ...(_version != null && { version: _version }),
+    };
   }
 
-  return id.slice(prefix.length);
+  /**
+   * Converts a document from the saved object client format to the format that is stored in elasticsearch.
+   *
+   * @param {SavedObjectDoc} savedObj - The saved object to be converted to raw ES format.
+   */
+  public savedObjectToRaw(savedObj: SavedObjectDoc): RawDoc {
+    const { id, type, attributes, version } = savedObj;
+    const source = {
+      ...savedObj,
+      [type]: attributes,
+    };
+
+    delete source.id;
+    delete source.attributes;
+    delete source.version;
+
+    return {
+      _id: this.generateRawId(type, id),
+      _source: source,
+      _type: ROOT_TYPE,
+      ...(version != null && { _version: version }),
+    };
+  }
+
+  /**
+   * Given a saved object type and id, generates the compound id that is stored in the raw document.
+   *
+   * @param {string} type - The saved object type
+   * @param {string} id - The id of the saved object
+   */
+  public generateRawId(type: string, id?: string) {
+    return `${type}:${id || uuid.v1()}`;
+  }
+
+  private trimIdPrefix(type: string, id: string) {
+    assertNonEmptyString(id, 'document id');
+    assertNonEmptyString(type, 'saved object type');
+
+    const prefix = `${type}:`;
+
+    if (!id.startsWith(prefix)) {
+      return id;
+    }
+
+    return id.slice(prefix.length);
+  }
 }
diff --git a/src/server/saved_objects/serialization/serializtion.test.ts b/src/server/saved_objects/serialization/serializtion.test.ts
index 9f594ff31c44ac..e9dc0cf4ed991b 100644
--- a/src/server/saved_objects/serialization/serializtion.test.ts
+++ b/src/server/saved_objects/serialization/serializtion.test.ts
@@ -18,19 +18,15 @@
  */
 
 import _ from 'lodash';
-import {
-  generateRawId,
-  isRawSavedObject,
-  rawToSavedObject,
-  ROOT_TYPE,
-  savedObjectToRaw,
-} from './index';
+import { SavedObjectsSchema } from '../schema';
+import { ROOT_TYPE, SavedObjectsSerializer } from './index';
 
 describe('saved object conversion', () => {
   describe('rawToSavedObject', () => {
     test('it converts the id and type properties, and retains migrationVersion', () => {
       const now = new Date();
-      const actual = rawToSavedObject({
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.rawToSavedObject({
         _id: 'hello:world',
         _type: ROOT_TYPE,
         _version: 3,
@@ -65,7 +61,8 @@ describe('saved object conversion', () => {
     });
 
     test('it ignores version if not in the raw doc', () => {
-      const actual = rawToSavedObject({
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.rawToSavedObject({
         _id: 'hello:world',
         _type: ROOT_TYPE,
         _source: {
@@ -86,7 +83,8 @@ describe('saved object conversion', () => {
     });
 
     test('it handles unprefixed ids', () => {
-      const actual = rawToSavedObject({
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.rawToSavedObject({
         _id: 'universe',
         _type: ROOT_TYPE,
         _source: {
@@ -100,7 +98,8 @@ describe('saved object conversion', () => {
     });
 
     test('it does not pass unknown properties through', () => {
-      const actual = rawToSavedObject({
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.rawToSavedObject({
         _id: 'universe',
         _type: ROOT_TYPE,
         _source: {
@@ -121,7 +120,8 @@ describe('saved object conversion', () => {
     });
 
     test('it does not create attributes if [type] is missing', () => {
-      const actual = rawToSavedObject({
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.rawToSavedObject({
         _id: 'universe',
         _type: ROOT_TYPE,
         _source: {
@@ -135,8 +135,9 @@ describe('saved object conversion', () => {
     });
 
     test('it fails for documents which do not specify a type', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
       expect(() =>
-        rawToSavedObject({
+        serializer.rawToSavedObject({
           _id: 'universe',
           _type: ROOT_TYPE,
           _source: {
@@ -149,6 +150,7 @@ describe('saved object conversion', () => {
     });
 
     test('it is complimentary with savedObjectToRaw', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
       const raw = {
         _id: 'foo:bar',
         _type: ROOT_TYPE,
@@ -167,19 +169,22 @@ describe('saved object conversion', () => {
         },
       };
 
-      expect(savedObjectToRaw(rawToSavedObject(_.cloneDeep(raw)))).toEqual(raw);
+      expect(serializer.savedObjectToRaw(serializer.rawToSavedObject(_.cloneDeep(raw)))).toEqual(
+        raw
+      );
     });
   });
 
   test('savedObjectToRaw generates an id, if none is specified', () => {
-    const v1 = savedObjectToRaw({
+    const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+    const v1 = serializer.savedObjectToRaw({
       type: 'foo',
       attributes: {
         bar: true,
       },
     } as any);
 
-    const v2 = savedObjectToRaw({
+    const v2 = serializer.savedObjectToRaw({
       type: 'foo',
       attributes: {
         bar: true,
@@ -192,8 +197,9 @@ describe('saved object conversion', () => {
 
   describe('isRawSavedObject', () => {
     test('is true if the id is prefixed and the type matches', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
       expect(
-        isRawSavedObject({
+        serializer.isRawSavedObject({
           _id: 'hello:world',
           _source: {
             type: 'hello',
@@ -204,8 +210,9 @@ describe('saved object conversion', () => {
     });
 
     test('is false if the id is not prefixed', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
       expect(
-        isRawSavedObject({
+        serializer.isRawSavedObject({
           _id: 'world',
           _source: {
             type: 'hello',
@@ -216,8 +223,9 @@ describe('saved object conversion', () => {
     });
 
     test('is false if the type attribute is missing', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
       expect(
-        isRawSavedObject({
+        serializer.isRawSavedObject({
           _id: 'hello:world',
           _source: {
             hello: {},
@@ -227,8 +235,9 @@ describe('saved object conversion', () => {
     });
 
     test('is false if the type attribute does not match the id', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
       expect(
-        isRawSavedObject({
+        serializer.isRawSavedObject({
           _id: 'hello:world',
           _source: {
             type: 'jam',
@@ -240,8 +249,9 @@ describe('saved object conversion', () => {
     });
 
     test('is false if there is no [type] attribute', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
       expect(
-        isRawSavedObject({
+        serializer.isRawSavedObject({
           _id: 'hello:world',
           _source: {
             type: 'hello',
@@ -253,12 +263,14 @@ describe('saved object conversion', () => {
   });
 
   test('generateRawId generates an id, if none is specified', () => {
-    const id = generateRawId('goodbye');
+    const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+    const id = serializer.generateRawId('goodbye');
     expect(id).toMatch(/goodbye\:[\w-]+$/);
   });
 
   test('generateRawId uses the id that is specified', () => {
-    const id = generateRawId('hello', 'world');
+    const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+    const id = serializer.generateRawId('hello', 'world');
     expect(id).toMatch('hello:world');
   });
 });
diff --git a/src/server/saved_objects/service/create_saved_objects_service.js b/src/server/saved_objects/service/create_saved_objects_service.js
index 25331153d2d940..79af776984afee 100644
--- a/src/server/saved_objects/service/create_saved_objects_service.js
+++ b/src/server/saved_objects/service/create_saved_objects_service.js
@@ -30,7 +30,7 @@ import { SavedObjectsClient } from './saved_objects_client';
 // import / export from the Kibana UI. Import / export functionality needs to apply migrations to documents.
 // Eventually, we hope to build a first-class import / export API, at which point, we can
 // remove the migrator from the saved objects client and leave only document validation here.
-export function createSavedObjectsService(server, migrator) {
+export function createSavedObjectsService(server, serializer, migrator) {
   const onBeforeWrite = async () => {
     const adminCluster = server.plugins.elasticsearch.getCluster('admin');
 
@@ -72,6 +72,7 @@ export function createSavedObjectsService(server, migrator) {
     index: server.config().get('kibana.index'),
     migrator,
     mappings,
+    serializer,
     onBeforeWrite,
   });
 
diff --git a/src/server/saved_objects/service/lib/repository.js b/src/server/saved_objects/service/lib/repository.js
index 93371b7d1b7443..67c0b8712a2816 100644
--- a/src/server/saved_objects/service/lib/repository.js
+++ b/src/server/saved_objects/service/lib/repository.js
@@ -21,7 +21,6 @@ import { getRootType } from '../../../mappings';
 import { getSearchDsl } from './search_dsl';
 import { includedFields } from './included_fields';
 import { decorateEsError } from './decorate_es_error';
-import { savedObjectToRaw, rawToSavedObject, generateRawId } from '../../serialization';
 import * as errors from './errors';
 
 
@@ -34,6 +33,7 @@ export class SavedObjectsRepository {
       index,
       mappings,
       callCluster,
+      serializer,
       migrator = { migrateDocument: (doc) => doc },
       onBeforeWrite = () => { },
     } = options;
@@ -51,6 +51,7 @@ export class SavedObjectsRepository {
     this._type = getRootType(this._mappings);
     this._onBeforeWrite = onBeforeWrite;
     this._unwrappedCallCluster = callCluster;
+    this._serializer = serializer;
   }
 
   /**
@@ -83,7 +84,7 @@ export class SavedObjectsRepository {
         updated_at: time,
       });
 
-      const raw = savedObjectToRaw(migrated);
+      const raw = this._serializer.savedObjectToRaw(migrated);
 
       const response = await this._writeToCluster(method, {
         id: raw._id,
@@ -93,7 +94,7 @@ export class SavedObjectsRepository {
         body: raw._source,
       });
 
-      return rawToSavedObject({
+      return this._serializer.rawToSavedObject({
         ...raw,
         ...response,
       });
@@ -129,7 +130,7 @@ export class SavedObjectsRepository {
         migrationVersion: object.migrationVersion,
         updated_at: time,
       });
-      const raw = savedObjectToRaw(migrated);
+      const raw = this._serializer.savedObjectToRaw(migrated);
 
       return [
         {
@@ -202,7 +203,7 @@ export class SavedObjectsRepository {
    */
   async delete(type, id) {
     const response = await this._writeToCluster('delete', {
-      id: generateRawId(type, id),
+      id: this._serializer.generateRawId(type, id),
       type: this._type,
       index: this._index,
       refresh: 'wait_for',
@@ -294,7 +295,7 @@ export class SavedObjectsRepository {
       page,
       per_page: perPage,
       total: response.hits.total,
-      saved_objects: response.hits.hits.map(rawToSavedObject),
+      saved_objects: response.hits.hits.map(hit => this._serializer.rawToSavedObject(hit)),
     };
   }
 
@@ -319,7 +320,7 @@ export class SavedObjectsRepository {
       index: this._index,
       body: {
         docs: objects.map(object => ({
-          _id: generateRawId(object.type, object.id),
+          _id: this._serializer.generateRawId(object.type, object.id),
           _type: this._type,
         }))
       }
@@ -359,7 +360,7 @@ export class SavedObjectsRepository {
    */
   async get(type, id) {
     const response = await this._callCluster('get', {
-      id: generateRawId(type, id),
+      id: this._serializer.generateRawId(type, id),
       type: this._type,
       index: this._index,
       ignore: [404]
@@ -396,7 +397,7 @@ export class SavedObjectsRepository {
   async update(type, id, attributes, options = {}) {
     const time = this._getCurrentTime();
     const response = await this._writeToCluster('update', {
-      id: generateRawId(type, id),
+      id: this._serializer.generateRawId(type, id),
       type: this._type,
       index: this._index,
       version: options.version,
diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
index 9330f0e0f029b7..868673fdef601c 100644
--- a/src/server/saved_objects/service/lib/repository.test.js
+++ b/src/server/saved_objects/service/lib/repository.test.js
@@ -24,6 +24,8 @@ import * as getSearchDslNS from './search_dsl/search_dsl';
 import { getSearchDsl } from './search_dsl';
 import * as errors from './errors';
 import elasticsearch from 'elasticsearch';
+import { SavedObjectsSchema } from '../../schema';
+import { SavedObjectsSerializer } from '../../serialization';
 
 // BEWARE: The SavedObjectClient depends on the implementation details of the SavedObjectsRepository
 // so any breaking changes to this repository are considered breaking changes to the SavedObjectsClient.
@@ -106,11 +108,13 @@ describe('SavedObjectsRepository', () => {
       migrateDocument: sinon.spy((doc) => doc),
     };
 
+    const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
     savedObjectsRepository = new SavedObjectsRepository({
       index: '.kibana-test',
       mappings,
       callCluster: callAdminCluster,
       migrator,
+      serializer,
       onBeforeWrite
     });
 
diff --git a/src/server/saved_objects/service/lib/repository_provider.js b/src/server/saved_objects/service/lib/repository_provider.js
index 805887c9a24b55..b92fd424c0b89a 100644
--- a/src/server/saved_objects/service/lib/repository_provider.js
+++ b/src/server/saved_objects/service/lib/repository_provider.js
@@ -28,11 +28,13 @@ export class SavedObjectsRepositoryProvider {
     index,
     mappings,
     migrator,
+    serializer,
     onBeforeWrite
   }) {
     this._index = index;
     this._mappings = mappings;
     this._migrator = migrator;
+    this._serializer = serializer;
     this._onBeforeWrite = onBeforeWrite;
   }
 
@@ -46,6 +48,7 @@ export class SavedObjectsRepositoryProvider {
       index: this._index,
       mappings: this._mappings,
       migrator: this._migrator,
+      serializer: this._serializer,
       onBeforeWrite: this._onBeforeWrite,
       callCluster,
     });
diff --git a/src/server/saved_objects/service/lib/repository_provider.test.js b/src/server/saved_objects/service/lib/repository_provider.test.js
index bc39fcecf9384e..5a6d3cde8ef800 100644
--- a/src/server/saved_objects/service/lib/repository_provider.test.js
+++ b/src/server/saved_objects/service/lib/repository_provider.test.js
@@ -18,6 +18,8 @@
  */
 
 import { SavedObjectsRepositoryProvider } from './repository_provider';
+import { SavedObjectsSerializer } from '../../serialization';
+import { SavedObjectsSchema } from '../../schema';
 
 test('requires "callCluster" to be provided', () => {
   const provider = new SavedObjectsRepositoryProvider({
@@ -41,6 +43,7 @@ test('creates a valid Repository', async () => {
         }
       }
     },
+    serializer: new SavedObjectsSerializer(new SavedObjectsSchema()),
     onBeforeWrite: jest.fn()
   };
 
@@ -59,4 +62,4 @@ test('creates a valid Repository', async () => {
   expect(callCluster).toHaveBeenCalledWith('index', expect.objectContaining({
     index: properties.index
   }));
-});
\ No newline at end of file
+});
diff --git a/src/ui/ui_exports/ui_export_types/index.js b/src/ui/ui_exports/ui_export_types/index.js
index 1da233efa16b46..f870e29bd43e54 100644
--- a/src/ui/ui_exports/ui_export_types/index.js
+++ b/src/ui/ui_exports/ui_export_types/index.js
@@ -25,6 +25,7 @@ export {
 export {
   mappings,
   migrations,
+  schemas,
   validations,
 } from './saved_object';
 
diff --git a/src/ui/ui_exports/ui_export_types/saved_object.js b/src/ui/ui_exports/ui_export_types/saved_object.js
index 9e06ae7fc757ec..f9c0ae45816fe9 100644
--- a/src/ui/ui_exports/ui_export_types/saved_object.js
+++ b/src/ui/ui_exports/ui_export_types/saved_object.js
@@ -35,6 +35,8 @@ export const mappings = wrap(
 // See saved_objects/migrations for more details.
 export const migrations = wrap(alias('savedObjectMigrations'), uniqueKeys(), mergeAtType);
 
+export const schemas = wrap(alias('savedObjectSchemas'), uniqueKeys(), mergeAtType);
+
 // Combines the `validations` property of each plugin,
 // ensuring that properties are unique across plugins.
 // See saved_objects/validation for more details.
diff --git a/test/api_integration/apis/saved_objects/migrations.js b/test/api_integration/apis/saved_objects/migrations.js
index 7ccf272b0c3f1a..0865d337b3b2b0 100644
--- a/test/api_integration/apis/saved_objects/migrations.js
+++ b/test/api_integration/apis/saved_objects/migrations.js
@@ -27,6 +27,8 @@ import {
   DocumentMigrator,
   IndexMigrator,
 } from '../../../../src/server/saved_objects/migrations/core';
+import { SavedObjectsSerializer } from '../../../../src/server/saved_objects/serialization';
+import { SavedObjectsSchema } from '../../../../src/server/saved_objects/schema';
 
 export default ({ getService }) => {
   const es = getService('es');
@@ -248,6 +250,7 @@ async function migrateIndex({ callCluster, index, migrations, mappingProperties,
     mappingProperties,
     pollInterval: 50,
     scrollDuration: '5m',
+    serializer: new SavedObjectsSerializer(new SavedObjectsSchema())
   });
 
   return await migrator.migrate();

From 04ed13d89d0abf15be021fe8fe569bb41388ef56 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Tue, 18 Sep 2018 15:40:26 -0700
Subject: [PATCH 148/183] Fixing spelling of serialization

---
 .../{serializtion.test.ts => serialization.test.ts}           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename src/server/saved_objects/serialization/{serializtion.test.ts => serialization.test.ts} (98%)

diff --git a/src/server/saved_objects/serialization/serializtion.test.ts b/src/server/saved_objects/serialization/serialization.test.ts
similarity index 98%
rename from src/server/saved_objects/serialization/serializtion.test.ts
rename to src/server/saved_objects/serialization/serialization.test.ts
index e9dc0cf4ed991b..297e6431bcd576 100644
--- a/src/server/saved_objects/serialization/serializtion.test.ts
+++ b/src/server/saved_objects/serialization/serialization.test.ts
@@ -22,7 +22,7 @@ import { SavedObjectsSchema } from '../schema';
 import { ROOT_TYPE, SavedObjectsSerializer } from './index';
 
 describe('saved object conversion', () => {
-  describe('rawToSavedObject', () => {
+  describe('#rawToSavedObject', () => {
     test('it converts the id and type properties, and retains migrationVersion', () => {
       const now = new Date();
       const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
@@ -195,7 +195,7 @@ describe('saved object conversion', () => {
     expect(v1._id).not.toEqual(v2._id);
   });
 
-  describe('isRawSavedObject', () => {
+  describe('#isRawSavedObject', () => {
     test('is true if the id is prefixed and the type matches', () => {
       const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
       expect(

From d406c6170769d59a10e1bdd6325d016a23b38525 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Wed, 19 Sep 2018 15:25:33 -0700
Subject: [PATCH 149/183] Making the serializer conditionally include and
 prepend id with ns

---
 .../migrations/kibana/kibana_migrator.test.ts |   1 +
 .../saved_objects/serialization/index.ts      |  42 +-
 .../serialization/serialization.test.ts       | 833 +++++++++++++++---
 .../saved_objects/service/lib/repository.js   |  59 +-
 .../service/lib/repository.test.js            |   4 +-
 5 files changed, 812 insertions(+), 127 deletions(-)

diff --git a/src/server/saved_objects/migrations/kibana/kibana_migrator.test.ts b/src/server/saved_objects/migrations/kibana/kibana_migrator.test.ts
index fb8218345575ef..590873d58a3fd8 100644
--- a/src/server/saved_objects/migrations/kibana/kibana_migrator.test.ts
+++ b/src/server/saved_objects/migrations/kibana/kibana_migrator.test.ts
@@ -88,6 +88,7 @@ function mockKbnServer({ configValues }: { configValues?: any } = {}) {
       savedObjectValidations: {},
       savedObjectMigrations: {},
       savedObjectMappings: [],
+      savedObjectSchemas: {},
     },
     server: {
       config: () => ({
diff --git a/src/server/saved_objects/serialization/index.ts b/src/server/saved_objects/serialization/index.ts
index 27c0cb7c2eb3f5..bae166a1815e0e 100644
--- a/src/server/saved_objects/serialization/index.ts
+++ b/src/server/saved_objects/serialization/index.ts
@@ -61,6 +61,7 @@ export interface SavedObjectDoc {
   namespace?: string;
   migrationVersion?: MigrationVersion;
   version?: number;
+  updated_at?: Date;
 
   [rootProp: string]: any;
 }
@@ -83,8 +84,14 @@ export class SavedObjectsSerializer {
    * @param {RawDoc} rawDoc - The raw ES document to be tested
    */
   public isRawSavedObject(rawDoc: RawDoc) {
-    const { type } = rawDoc._source;
-    return type && rawDoc._id.startsWith(type) && rawDoc._source.hasOwnProperty(type);
+    const { type, namespace } = rawDoc._source;
+    const namespacePrefix =
+      namespace && !this.schema.isNamespaceAgnostic(type) ? `${namespace}:` : '';
+    return (
+      type &&
+      rawDoc._id.startsWith(`${namespacePrefix}${type}`) &&
+      rawDoc._source.hasOwnProperty(type)
+    );
   }
 
   /**
@@ -93,10 +100,11 @@ export class SavedObjectsSerializer {
    *  @param {RawDoc} rawDoc - The raw ES document to be converted to saved object format.
    */
   public rawToSavedObject({ _id, _source, _version }: RawDoc): SavedObjectDoc {
-    const { type } = _source;
+    const { type, namespace } = _source;
     return {
       type,
-      id: this.trimIdPrefix(type, _id),
+      id: this.trimIdPrefix(namespace, type, _id),
+      ...(namespace && !this.schema.isNamespaceAgnostic(type) && { namespace }),
       attributes: _source[type],
       ...(_source.migrationVersion && { migrationVersion: _source.migrationVersion }),
       ...(_source.updated_at && { updated_at: _source.updated_at }),
@@ -110,18 +118,17 @@ export class SavedObjectsSerializer {
    * @param {SavedObjectDoc} savedObj - The saved object to be converted to raw ES format.
    */
   public savedObjectToRaw(savedObj: SavedObjectDoc): RawDoc {
-    const { id, type, attributes, version } = savedObj;
+    const { id, type, namespace, attributes, migrationVersion, updated_at, version } = savedObj;
     const source = {
-      ...savedObj,
       [type]: attributes,
+      type,
+      ...(namespace && !this.schema.isNamespaceAgnostic(type) && { namespace }),
+      ...(migrationVersion && { migrationVersion }),
+      ...(updated_at && { updated_at }),
     };
 
-    delete source.id;
-    delete source.attributes;
-    delete source.version;
-
     return {
-      _id: this.generateRawId(type, id),
+      _id: this.generateRawId(namespace, type, id),
       _source: source,
       _type: ROOT_TYPE,
       ...(version != null && { _version: version }),
@@ -131,18 +138,23 @@ export class SavedObjectsSerializer {
   /**
    * Given a saved object type and id, generates the compound id that is stored in the raw document.
    *
+   * @param {string} namespace - The namespace of the saved object
    * @param {string} type - The saved object type
    * @param {string} id - The id of the saved object
    */
-  public generateRawId(type: string, id?: string) {
-    return `${type}:${id || uuid.v1()}`;
+  public generateRawId(namespace: string | undefined, type: string, id?: string) {
+    const namespacePrefix =
+      namespace && !this.schema.isNamespaceAgnostic(type) ? `${namespace}:` : '';
+    return `${namespacePrefix}${type}:${id || uuid.v1()}`;
   }
 
-  private trimIdPrefix(type: string, id: string) {
+  private trimIdPrefix(namespace: string | undefined, type: string, id: string) {
     assertNonEmptyString(id, 'document id');
     assertNonEmptyString(type, 'saved object type');
 
-    const prefix = `${type}:`;
+    const namespacePrefix =
+      namespace && !this.schema.isNamespaceAgnostic(type) ? `${namespace}:` : '';
+    const prefix = `${namespacePrefix}${type}:`;
 
     if (!id.startsWith(prefix)) {
       return id;
diff --git a/src/server/saved_objects/serialization/serialization.test.ts b/src/server/saved_objects/serialization/serialization.test.ts
index 297e6431bcd576..2a1b554b3bf6b8 100644
--- a/src/server/saved_objects/serialization/serialization.test.ts
+++ b/src/server/saved_objects/serialization/serialization.test.ts
@@ -18,11 +18,51 @@
  */
 
 import _ from 'lodash';
+import { ROOT_TYPE, SavedObjectsSerializer } from '.';
 import { SavedObjectsSchema } from '../schema';
-import { ROOT_TYPE, SavedObjectsSerializer } from './index';
 
 describe('saved object conversion', () => {
   describe('#rawToSavedObject', () => {
+    test('it copies the _source.type property to type', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.rawToSavedObject({
+        _id: 'foo:bar',
+        _source: {
+          type: 'foo',
+        },
+      });
+      expect(actual).toHaveProperty('type', 'foo');
+    });
+
+    test('if specified it copies the _source.migrationVersion property to migrationVersion', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.rawToSavedObject({
+        _id: 'foo:bar',
+        _source: {
+          type: 'foo',
+          migrationVersion: {
+            hello: '1.2.3',
+            acl: '33.3.5',
+          },
+        },
+      });
+      expect(actual).toHaveProperty('migrationVersion', {
+        hello: '1.2.3',
+        acl: '33.3.5',
+      });
+    });
+
+    test(`if _source.migrationVersion is unspecified it doesn't set migrationVersion`, () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.rawToSavedObject({
+        _id: 'foo:bar',
+        _source: {
+          type: 'foo',
+        },
+      });
+      expect(actual).not.toHaveProperty('migrationVersion');
+    });
+
     test('it converts the id and type properties, and retains migrationVersion', () => {
       const now = new Date();
       const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
@@ -60,41 +100,53 @@ describe('saved object conversion', () => {
       expect(expected).toEqual(actual);
     });
 
-    test('it ignores version if not in the raw doc', () => {
+    test(`if version is unspecified it doesn't set version`, () => {
       const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
       const actual = serializer.rawToSavedObject({
-        _id: 'hello:world',
-        _type: ROOT_TYPE,
+        _id: 'foo:bar',
         _source: {
-          type: 'hello',
-          hello: {
-            world: 'earth',
-          },
+          type: 'foo',
+          hello: {},
         },
       });
-      const expected = {
-        id: 'world',
-        type: 'hello',
-        attributes: {
-          world: 'earth',
+      expect(actual).not.toHaveProperty('version');
+    });
+
+    test(`if specified it copies _version to version`, () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.rawToSavedObject({
+        _id: 'foo:bar',
+        _version: 4,
+        _source: {
+          type: 'foo',
+          hello: {},
         },
-      };
-      expect(expected).toEqual(actual);
+      });
+      expect(actual).toHaveProperty('version', 4);
     });
 
-    test('it handles unprefixed ids', () => {
+    test('if specified it copies the _source.updated_at property to updated_at', () => {
       const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const now = Date();
       const actual = serializer.rawToSavedObject({
-        _id: 'universe',
-        _type: ROOT_TYPE,
+        _id: 'foo:bar',
         _source: {
-          type: 'hello',
-          hello: {
-            world: 'earth',
-          },
+          type: 'foo',
+          updated_at: now,
         },
       });
-      expect(actual.id).toEqual('universe');
+      expect(actual).toHaveProperty('updated_at', now);
+    });
+
+    test(`if _source.updated_at is unspecified it doesn't set updated_at`, () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.rawToSavedObject({
+        _id: 'foo:bar',
+        _source: {
+          type: 'foo',
+        },
+      });
+      expect(actual).not.toHaveProperty('updated_at');
     });
 
     test('it does not pass unknown properties through', () => {
@@ -173,104 +225,689 @@ describe('saved object conversion', () => {
         raw
       );
     });
-  });
-
-  test('savedObjectToRaw generates an id, if none is specified', () => {
-    const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
-    const v1 = serializer.savedObjectToRaw({
-      type: 'foo',
-      attributes: {
-        bar: true,
-      },
-    } as any);
-
-    const v2 = serializer.savedObjectToRaw({
-      type: 'foo',
-      attributes: {
-        bar: true,
-      },
-    } as any);
-
-    expect(v1._id).toMatch(/foo\:[\w-]+$/);
-    expect(v1._id).not.toEqual(v2._id);
-  });
 
-  describe('#isRawSavedObject', () => {
-    test('is true if the id is prefixed and the type matches', () => {
+    test('it handles unprefixed ids', () => {
       const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
-      expect(
-        serializer.isRawSavedObject({
-          _id: 'hello:world',
+      const actual = serializer.rawToSavedObject({
+        _id: 'universe',
+        _source: {
+          type: 'hello',
+        },
+      });
+
+      expect(actual).toHaveProperty('id', 'universe');
+    });
+
+    describe('namespaced type without a namespace', () => {
+      test(`removes type prefix from _id`, () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const actual = serializer.rawToSavedObject({
+          _id: 'foo:bar',
           _source: {
-            type: 'hello',
-            hello: {},
+            type: 'foo',
           },
-        })
-      ).toBeTruthy();
-    });
+        });
 
-    test('is false if the id is not prefixed', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
-      expect(
-        serializer.isRawSavedObject({
-          _id: 'world',
+        expect(actual).toHaveProperty('id', 'bar');
+      });
+
+      test(`if prefixed by random prefix and type it copies _id to id`, () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const actual = serializer.rawToSavedObject({
+          _id: 'random:foo:bar',
           _source: {
-            type: 'hello',
-            hello: {},
+            type: 'foo',
           },
-        })
-      ).toBeFalsy();
+        });
+
+        expect(actual).toHaveProperty('id', 'random:foo:bar');
+      });
+
+      test(`doesn't specify namespace`, () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const actual = serializer.rawToSavedObject({
+          _id: 'foo:bar',
+          _source: {
+            type: 'foo',
+          },
+        });
+
+        expect(actual).not.toHaveProperty('namespace');
+      });
     });
 
-    test('is false if the type attribute is missing', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
-      expect(
-        serializer.isRawSavedObject({
-          _id: 'hello:world',
+    describe('namespaced type with a namespace', () => {
+      test(`removes type and namespace prefix from _id`, () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const actual = serializer.rawToSavedObject({
+          _id: 'baz:foo:bar',
           _source: {
-            hello: {},
+            type: 'foo',
+            namespace: 'baz',
           },
-        })
-      ).toBeFalsy();
+        });
+
+        expect(actual).toHaveProperty('id', 'bar');
+      });
+
+      test(`if prefixed by only type it copies _id to id`, () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const actual = serializer.rawToSavedObject({
+          _id: 'foo:bar',
+          _source: {
+            type: 'foo',
+            namespace: 'baz',
+          },
+        });
+
+        expect(actual).toHaveProperty('id', 'foo:bar');
+      });
+
+      test(`if prefixed by random prefix and type it copies _id to id`, () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const actual = serializer.rawToSavedObject({
+          _id: 'random:foo:bar',
+          _source: {
+            type: 'foo',
+            namespace: 'baz',
+          },
+        });
+
+        expect(actual).toHaveProperty('id', 'random:foo:bar');
+      });
+
+      test(`copies _source.namespace to namespace`, () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const actual = serializer.rawToSavedObject({
+          _id: 'baz:foo:bar',
+          _source: {
+            type: 'foo',
+            namespace: 'baz',
+          },
+        });
+
+        expect(actual).toHaveProperty('namespace', 'baz');
+      });
     });
 
-    test('is false if the type attribute does not match the id', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
-      expect(
-        serializer.isRawSavedObject({
-          _id: 'hello:world',
+    describe('namespace agnostic type with a namespace', () => {
+      test(`removes type prefix from _id`, () => {
+        const serializer = new SavedObjectsSerializer(
+          new SavedObjectsSchema({ foo: { isNamespaceAgnostic: true } })
+        );
+        const actual = serializer.rawToSavedObject({
+          _id: 'foo:bar',
           _source: {
-            type: 'jam',
-            jam: {},
-            hello: {},
+            type: 'foo',
+            namespace: 'baz',
           },
-        })
-      ).toBeFalsy();
+        });
+
+        expect(actual).toHaveProperty('id', 'bar');
+      });
+
+      test(`if prefixed by namespace and type it copies _id to id`, () => {
+        const serializer = new SavedObjectsSerializer(
+          new SavedObjectsSchema({ foo: { isNamespaceAgnostic: true } })
+        );
+        const actual = serializer.rawToSavedObject({
+          _id: 'baz:foo:bar',
+          _source: {
+            type: 'foo',
+            namespace: 'baz',
+          },
+        });
+
+        expect(actual).toHaveProperty('id', 'baz:foo:bar');
+      });
+
+      test(`doesn't copy _source.namespace to namespace`, () => {
+        const serializer = new SavedObjectsSerializer(
+          new SavedObjectsSchema({ foo: { isNamespaceAgnostic: true } })
+        );
+        const actual = serializer.rawToSavedObject({
+          _id: 'baz:foo:bar',
+          _source: {
+            type: 'foo',
+            namespace: 'baz',
+          },
+        });
+
+        expect(actual).not.toHaveProperty('namespace');
+      });
     });
+  });
 
-    test('is false if there is no [type] attribute', () => {
+  describe('#savedObjectToRaw', () => {
+    test('it copies the type property to _source.type and uses the ROOT_TYPE as _type', () => {
       const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
-      expect(
-        serializer.isRawSavedObject({
-          _id: 'hello:world',
-          _source: {
-            type: 'hello',
-            jam: {},
+      const actual = serializer.savedObjectToRaw({
+        type: 'foo',
+        attributes: {},
+      } as any);
+
+      expect(actual).toHaveProperty('_type', ROOT_TYPE);
+      expect(actual._source).toHaveProperty('type', 'foo');
+    });
+
+    test('if specified it copies the updated_at property to _source.updated_at', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const now = new Date();
+      const actual = serializer.savedObjectToRaw({
+        type: '',
+        attributes: {},
+        updated_at: now,
+      } as any);
+
+      expect(actual._source).toHaveProperty('updated_at', now);
+    });
+
+    test(`if unspecified it doesn't add updated_at property to _source`, () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.savedObjectToRaw({
+        type: '',
+        attributes: {},
+      } as any);
+
+      expect(actual._source).not.toHaveProperty('updated_at');
+    });
+
+    test('it copies the migrationVersion property to _source.migrationVersion', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.savedObjectToRaw({
+        type: '',
+        attributes: {},
+        migrationVersion: {
+          foo: '1.2.3',
+          bar: '9.8.7',
+        },
+      } as any);
+
+      expect(actual._source).toHaveProperty('migrationVersion', {
+        foo: '1.2.3',
+        bar: '9.8.7',
+      });
+    });
+
+    test(`if unspecified it doesn't add migrationVersion property to _source`, () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.savedObjectToRaw({
+        type: '',
+        attributes: {},
+      } as any);
+
+      expect(actual._source).not.toHaveProperty('migrationVersion');
+    });
+
+    test('it copies the version property to _version', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.savedObjectToRaw({
+        type: '',
+        attributes: {},
+        version: 4,
+      } as any);
+
+      expect(actual).toHaveProperty('_version', 4);
+    });
+
+    test(`if unspecified it doesn't add _version property`, () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.savedObjectToRaw({
+        type: '',
+        attributes: {},
+      } as any);
+
+      expect(actual).not.toHaveProperty('_version');
+    });
+
+    test('it copies attributes to _source[type]', () => {
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const actual = serializer.savedObjectToRaw({
+        type: 'foo',
+        attributes: {
+          foo: true,
+          bar: 'quz',
+        },
+      } as any);
+
+      expect(actual._source).toHaveProperty('foo', {
+        foo: true,
+        bar: 'quz',
+      });
+    });
+
+    describe('namespaced type without a namespace', () => {
+      test('generates an id prefixed with type, if no id is specified', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const v1 = serializer.savedObjectToRaw({
+          type: 'foo',
+          attributes: {
+            bar: true,
           },
-        })
-      ).toBeFalsy();
+        } as any);
+
+        const v2 = serializer.savedObjectToRaw({
+          type: 'foo',
+          attributes: {
+            bar: true,
+          },
+        } as any);
+
+        expect(v1._id).toMatch(/foo\:[\w-]+$/);
+        expect(v1._id).not.toEqual(v2._id);
+      });
+
+      test(`doesn't specify _source.namespace`, () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const actual = serializer.savedObjectToRaw({
+          type: '',
+          attributes: {},
+        } as any);
+
+        expect(actual._source).not.toHaveProperty('namespace');
+      });
+    });
+
+    describe('namespaced type with a namespace', () => {
+      test('generates an id prefixed with namespace and type, if no id is specified', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const v1 = serializer.savedObjectToRaw({
+          type: 'foo',
+          namespace: 'bar',
+          attributes: {
+            bar: true,
+          },
+        } as any);
+
+        const v2 = serializer.savedObjectToRaw({
+          type: 'foo',
+          namespace: 'bar',
+          attributes: {
+            bar: true,
+          },
+        } as any);
+
+        expect(v1._id).toMatch(/bar\:foo\:[\w-]+$/);
+        expect(v1._id).not.toEqual(v2._id);
+      });
+
+      test(`it copies namespace to _source.namespace`, () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const actual = serializer.savedObjectToRaw({
+          type: 'foo',
+          attributes: {},
+          namespace: 'bar',
+        } as any);
+
+        expect(actual._source).toHaveProperty('namespace', 'bar');
+      });
+    });
+
+    describe('namespace agnostic type with a namespace', () => {
+      test('generates an id prefixed with type, if no id is specified', () => {
+        const serializer = new SavedObjectsSerializer(
+          new SavedObjectsSchema({ foo: { isNamespaceAgnostic: true } })
+        );
+        const v1 = serializer.savedObjectToRaw({
+          type: 'foo',
+          namespace: 'bar',
+          attributes: {
+            bar: true,
+          },
+        } as any);
+
+        const v2 = serializer.savedObjectToRaw({
+          type: 'foo',
+          namespace: 'bar',
+          attributes: {
+            bar: true,
+          },
+        } as any);
+
+        expect(v1._id).toMatch(/foo\:[\w-]+$/);
+        expect(v1._id).not.toEqual(v2._id);
+      });
+
+      test(`doesn't specify _source.namespace`, () => {
+        const serializer = new SavedObjectsSerializer(
+          new SavedObjectsSchema({ foo: { isNamespaceAgnostic: true } })
+        );
+        const actual = serializer.savedObjectToRaw({
+          type: 'foo',
+          namespace: 'bar',
+          attributes: {},
+        } as any);
+
+        expect(actual._source).not.toHaveProperty('namespace');
+      });
     });
   });
 
-  test('generateRawId generates an id, if none is specified', () => {
-    const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
-    const id = serializer.generateRawId('goodbye');
-    expect(id).toMatch(/goodbye\:[\w-]+$/);
+  describe('#isRawSavedObject', () => {
+    describe('namespaced type without a namespace', () => {
+      test('is true if the id is prefixed and the type matches', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'hello:world',
+            _source: {
+              type: 'hello',
+              hello: {},
+            },
+          })
+        ).toBeTruthy();
+      });
+
+      test('is false if the id is not prefixed', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'world',
+            _source: {
+              type: 'hello',
+              hello: {},
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if the type attribute is missing', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'hello:world',
+            _source: {
+              hello: {},
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if the type attribute does not match the id', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'hello:world',
+            _source: {
+              type: 'jam',
+              jam: {},
+              hello: {},
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if there is no [type] attribute', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'hello:world',
+            _source: {
+              type: 'hello',
+              jam: {},
+            },
+          })
+        ).toBeFalsy();
+      });
+    });
+
+    describe('namespaced type with a namespace', () => {
+      test('is true if the id is prefixed with type and namespace and the type matches', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'foo:hello:world',
+            _source: {
+              type: 'hello',
+              hello: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeTruthy();
+      });
+
+      test('is false if the id is not prefixed by anything', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'world',
+            _source: {
+              type: 'hello',
+              hello: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if the id is prefixed only with type and the type matches', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'hello:world',
+            _source: {
+              type: 'hello',
+              hello: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if the id is prefixed only with namespace and the namespace matches', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'foo:world',
+            _source: {
+              type: 'hello',
+              hello: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if the type attribute is missing', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'foo:hello:world',
+            _source: {
+              hello: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if the type attribute does not match the id', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'foo:hello:world',
+            _source: {
+              type: 'jam',
+              jam: {},
+              hello: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if the namespace attribute does not match the id', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'bar:jam:world',
+            _source: {
+              type: 'jam',
+              jam: {},
+              hello: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if there is no [type] attribute', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'hello:world',
+            _source: {
+              type: 'hello',
+              jam: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeFalsy();
+      });
+    });
+
+    describe('namespace agonstic type with a namespace', () => {
+      test('is true if the id is prefixed with type and the type matches', () => {
+        const serializer = new SavedObjectsSerializer(
+          new SavedObjectsSchema({ hello: { isNamespaceAgnostic: true } })
+        );
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'hello:world',
+            _source: {
+              type: 'hello',
+              hello: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeTruthy();
+      });
+
+      test('is false if the id is not prefixed', () => {
+        const serializer = new SavedObjectsSerializer(
+          new SavedObjectsSchema({ hello: { isNamespaceAgnostic: true } })
+        );
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'world',
+            _source: {
+              type: 'hello',
+              hello: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if the id is prefixed with type and namespace', () => {
+        const serializer = new SavedObjectsSerializer(
+          new SavedObjectsSchema({ hello: { isNamespaceAgnostic: true } })
+        );
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'foo:hello:world',
+            _source: {
+              type: 'hello',
+              hello: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if the type attribute is missing', () => {
+        const serializer = new SavedObjectsSerializer(
+          new SavedObjectsSchema({ hello: { isNamespaceAgnostic: true } })
+        );
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'hello:world',
+            _source: {
+              hello: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if the type attribute does not match the id', () => {
+        const serializer = new SavedObjectsSerializer(
+          new SavedObjectsSchema({ hello: { isNamespaceAgnostic: true } })
+        );
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'hello:world',
+            _source: {
+              type: 'jam',
+              jam: {},
+              hello: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeFalsy();
+      });
+
+      test('is false if there is no [type] attribute', () => {
+        const serializer = new SavedObjectsSerializer(
+          new SavedObjectsSchema({ hello: { isNamespaceAgnostic: true } })
+        );
+        expect(
+          serializer.isRawSavedObject({
+            _id: 'hello:world',
+            _source: {
+              type: 'hello',
+              jam: {},
+              namespace: 'foo',
+            },
+          })
+        ).toBeFalsy();
+      });
+    });
   });
 
-  test('generateRawId uses the id that is specified', () => {
-    const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
-    const id = serializer.generateRawId('hello', 'world');
-    expect(id).toMatch('hello:world');
+  describe('#generateRawId', () => {
+    describe('namespaced type without a namespace', () => {
+      test('generates an id if none is specified', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const id = serializer.generateRawId('', 'goodbye');
+        expect(id).toMatch(/goodbye\:[\w-]+$/);
+      });
+
+      test('uses the id that is specified', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const id = serializer.generateRawId('', 'hello', 'world');
+        expect(id).toMatch('hello:world');
+      });
+    });
+
+    describe('namespaced type with a namespace', () => {
+      test('generates an id if none is specified and prefixes namespace', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const id = serializer.generateRawId('foo', 'goodbye');
+        expect(id).toMatch(/foo:goodbye\:[\w-]+$/);
+      });
+
+      test('uses the id that is specified and prefixes the namespace', () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const id = serializer.generateRawId('foo', 'hello', 'world');
+        expect(id).toMatch('foo:hello:world');
+      });
+    });
+
+    describe('namespace agnostic type with a namespace', () => {
+      test(`generates an id if none is specified and doesn't prefix namespace`, () => {
+        const serializer = new SavedObjectsSerializer(
+          new SavedObjectsSchema({ foo: { isNamespaceAgnostic: true } })
+        );
+        const id = serializer.generateRawId('foo', 'goodbye');
+        expect(id).toMatch(/goodbye\:[\w-]+$/);
+      });
+
+      test(`uses the id that is specified and doesn't prefix the namespace`, () => {
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const id = serializer.generateRawId('foo', 'hello', 'world');
+        expect(id).toMatch('hello:world');
+      });
+    });
   });
 });
diff --git a/src/server/saved_objects/service/lib/repository.js b/src/server/saved_objects/service/lib/repository.js
index 67c0b8712a2816..37483b7d71c9f9 100644
--- a/src/server/saved_objects/service/lib/repository.js
+++ b/src/server/saved_objects/service/lib/repository.js
@@ -17,13 +17,13 @@
  * under the License.
  */
 
+import { omit } from 'lodash';
 import { getRootType } from '../../../mappings';
 import { getSearchDsl } from './search_dsl';
 import { includedFields } from './included_fields';
 import { decorateEsError } from './decorate_es_error';
 import * as errors from './errors';
 
-
 // BEWARE: The SavedObjectClient depends on the implementation details of the SavedObjectsRepository
 // so any breaking changes to this repository are considered breaking changes to the SavedObjectsClient.
 
@@ -63,6 +63,7 @@ export class SavedObjectsRepository {
    * @property {string} [options.id] - force id on creation, not recommended
    * @property {boolean} [options.overwrite=false]
    * @property {object} [options.migrationVersion=undefined]
+   * @property {string} [options.namespace]
    * @returns {promise} - { id, type, version, attributes }
   */
   async create(type, attributes = {}, options = {}) {
@@ -70,6 +71,7 @@ export class SavedObjectsRepository {
       id,
       migrationVersion,
       overwrite = false,
+      namespace,
     } = options;
 
     const method = id && !overwrite ? 'create' : 'index';
@@ -79,6 +81,7 @@ export class SavedObjectsRepository {
       const migrated = this._migrator.migrateDocument({
         id,
         type,
+        namespace,
         attributes,
         migrationVersion,
         updated_at: time,
@@ -94,10 +97,11 @@ export class SavedObjectsRepository {
         body: raw._source,
       });
 
-      return this._serializer.rawToSavedObject({
+      const savedObject = this._serializer.rawToSavedObject({
         ...raw,
         ...response,
       });
+      return omit(savedObject, 'namespace');
     } catch (error) {
       if (errors.isNotFoundError(error)) {
         // See "503s from missing index" above
@@ -114,11 +118,13 @@ export class SavedObjectsRepository {
    * @param {array} objects - [{ type, id, attributes, migrationVersion }]
    * @param {object} [options={}]
    * @property {boolean} [options.overwrite=false] - overwrites existing documents
+   * @property {string} [options.namespace]
    * @returns {promise} -  {saved_objects: [[{ id, type, version, attributes, error: { message } }]}
    */
   async bulkCreate(objects, options = {}) {
     const {
-      overwrite = false
+      namespace,
+      overwrite = false,
     } = options;
     const time = this._getCurrentTime();
     const objectToBulkRequest = (object) => {
@@ -128,6 +134,7 @@ export class SavedObjectsRepository {
         type: object.type,
         attributes: object.attributes,
         migrationVersion: object.migrationVersion,
+        namespace,
         updated_at: time,
       });
       const raw = this._serializer.savedObjectToRaw(migrated);
@@ -199,11 +206,17 @@ export class SavedObjectsRepository {
    *
    * @param {string} type
    * @param {string} id
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise}
    */
-  async delete(type, id) {
+  async delete(type, id, options = {}) {
+    const {
+      namespace
+    } = options;
+
     const response = await this._writeToCluster('delete', {
-      id: this._serializer.generateRawId(type, id),
+      id: this._serializer.generateRawId(namespace, type, id),
       type: this._type,
       index: this._index,
       refresh: 'wait_for',
@@ -238,6 +251,7 @@ export class SavedObjectsRepository {
    * @property {string} [options.sortField]
    * @property {string} [options.sortOrder]
    * @property {Array<string>} [options.fields]
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }], total, per_page, page }
    */
   async find(options = {}) {
@@ -295,7 +309,10 @@ export class SavedObjectsRepository {
       page,
       per_page: perPage,
       total: response.hits.total,
-      saved_objects: response.hits.hits.map(hit => this._serializer.rawToSavedObject(hit)),
+      saved_objects: response.hits.hits.map(hit => {
+        const savedObject = this._serializer.rawToSavedObject(hit);
+        return omit(savedObject, 'namespace');
+      }),
     };
   }
 
@@ -303,6 +320,8 @@ export class SavedObjectsRepository {
    * Returns an array of objects by id
    *
    * @param {array} objects - an array ids, or an array of objects containing id and optionally type
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }] }
    * @example
    *
@@ -311,7 +330,11 @@ export class SavedObjectsRepository {
    *   { id: 'foo', type: 'index-pattern' }
    * ])
    */
-  async bulkGet(objects = []) {
+  async bulkGet(objects = [], options = {}) {
+    const {
+      namespace
+    } = options;
+
     if (objects.length === 0) {
       return { saved_objects: [] };
     }
@@ -320,7 +343,7 @@ export class SavedObjectsRepository {
       index: this._index,
       body: {
         docs: objects.map(object => ({
-          _id: this._serializer.generateRawId(object.type, object.id),
+          _id: this._serializer.generateRawId(namespace, object.type, object.id),
           _type: this._type,
         }))
       }
@@ -356,11 +379,17 @@ export class SavedObjectsRepository {
    *
    * @param {string} type
    * @param {string} id
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise} - { id, type, version, attributes }
    */
-  async get(type, id) {
+  async get(type, id, options = {}) {
+    const {
+      namespace
+    } = options;
+
     const response = await this._callCluster('get', {
-      id: this._serializer.generateRawId(type, id),
+      id: this._serializer.generateRawId(namespace, type, id),
       type: this._type,
       index: this._index,
       ignore: [404]
@@ -392,15 +421,21 @@ export class SavedObjectsRepository {
    * @param {string} id
    * @param {object} [options={}]
    * @property {integer} options.version - ensures version matches that of persisted object
+   * @property {string} [options.namespace]
    * @returns {promise}
    */
   async update(type, id, attributes, options = {}) {
+    const {
+      version,
+      namespace
+    } = options;
+
     const time = this._getCurrentTime();
     const response = await this._writeToCluster('update', {
-      id: this._serializer.generateRawId(type, id),
+      id: this._serializer.generateRawId(namespace, type, id),
       type: this._type,
       index: this._index,
-      version: options.version,
+      version,
       refresh: 'wait_for',
       ignore: [404],
       body: {
diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
index 868673fdef601c..4139d26f1727bd 100644
--- a/src/server/saved_objects/service/lib/repository.test.js
+++ b/src/server/saved_objects/service/lib/repository.test.js
@@ -281,7 +281,7 @@ describe('SavedObjectsRepository', () => {
         body: [
           // uses create because overwriting is not allowed
           { create: { _type: 'doc', _id: 'foo:bar' } },
-          { type: 'foo', ...mockTimestampFields, 'foo': {}, migrationVersion: undefined },
+          { type: 'foo', ...mockTimestampFields, 'foo': {} },
         ]
       }));
 
@@ -296,7 +296,7 @@ describe('SavedObjectsRepository', () => {
         body: [
           // uses index because overwriting is allowed
           { index: { _type: 'doc', _id: 'foo:bar' } },
-          { type: 'foo', ...mockTimestampFields, 'foo': {}, migrationVersion: undefined },
+          { type: 'foo', ...mockTimestampFields, 'foo': {} },
         ]
       }));
 

From 7b87f0ad91c7da788faafbc84cc5f76d0c9fb0e2 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Wed, 19 Sep 2018 16:18:43 -0700
Subject: [PATCH 150/183] Adding repository tests for the namespaces

---
 .../saved_objects/service/lib/repository.js   |   4 +-
 .../service/lib/repository.test.js            | 473 ++++++++++++++++--
 2 files changed, 443 insertions(+), 34 deletions(-)

diff --git a/src/server/saved_objects/service/lib/repository.js b/src/server/saved_objects/service/lib/repository.js
index 37483b7d71c9f9..43cecc256cd5a3 100644
--- a/src/server/saved_objects/service/lib/repository.js
+++ b/src/server/saved_objects/service/lib/repository.js
@@ -264,6 +264,7 @@ export class SavedObjectsRepository {
       sortField,
       sortOrder,
       fields,
+      namespace,
     } = options;
 
     if (searchFields && !Array.isArray(searchFields)) {
@@ -287,7 +288,8 @@ export class SavedObjectsRepository {
           searchFields,
           type,
           sortField,
-          sortOrder
+          sortOrder,
+          namespace,
         })
       }
     };
diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
index 4139d26f1727bd..b2674061bf9e6c 100644
--- a/src/server/saved_objects/service/lib/repository.test.js
+++ b/src/server/saved_objects/service/lib/repository.test.js
@@ -39,9 +39,9 @@ describe('SavedObjectsRepository', () => {
   let migrator;
   const mockTimestamp = '2017-08-14T15:49:14.886Z';
   const mockTimestampFields = { updated_at: mockTimestamp };
-  const searchResults = {
+  const noNamespaceSearchResults = {
     hits: {
-      total: 3,
+      total: 4,
       hits: [{
         _index: '.kibana',
         _type: 'doc',
@@ -83,6 +83,81 @@ describe('SavedObjectsRepository', () => {
             notExpandable: true
           }
         }
+      }, {
+        _index: '.kibana',
+        _type: 'doc',
+        _id: 'globaltype:something',
+        _score: 1,
+        _source: {
+          type: 'globaltype',
+          ...mockTimestampFields,
+          'globaltype': {
+            name: 'bar',
+          }
+        }
+      }]
+    }
+  };
+
+  const namespacedSearchResults = {
+    hits: {
+      total: 4,
+      hits: [{
+        _index: '.kibana',
+        _type: 'doc',
+        _id: 'foo-namespace:index-pattern:logstash-*',
+        _score: 1,
+        _source: {
+          namespace: 'foo-namespace',
+          type: 'index-pattern',
+          ...mockTimestampFields,
+          'index-pattern': {
+            title: 'logstash-*',
+            timeFieldName: '@timestamp',
+            notExpandable: true
+          }
+        }
+      }, {
+        _index: '.kibana',
+        _type: 'doc',
+        _id: 'foo-namespace:config:6.0.0-alpha1',
+        _score: 1,
+        _source: {
+          namespace: 'foo-namespace',
+          type: 'config',
+          ...mockTimestampFields,
+          config: {
+            buildNum: 8467,
+            defaultIndex: 'logstash-*'
+          }
+        }
+      }, {
+        _index: '.kibana',
+        _type: 'doc',
+        _id: 'foo-namespace:index-pattern:stocks-*',
+        _score: 1,
+        _source: {
+          namespace: 'foo-namespace',
+          type: 'index-pattern',
+          ...mockTimestampFields,
+          'index-pattern': {
+            title: 'stocks-*',
+            timeFieldName: '@timestamp',
+            notExpandable: true
+          }
+        }
+      }, {
+        _index: '.kibana',
+        _type: 'doc',
+        _id: 'globaltype:something',
+        _score: 1,
+        _source: {
+          type: 'globaltype',
+          ...mockTimestampFields,
+          'globaltype': {
+            name: 'bar',
+          }
+        }
       }]
     }
   };
@@ -108,7 +183,7 @@ describe('SavedObjectsRepository', () => {
       migrateDocument: sinon.spy((doc) => doc),
     };
 
-    const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+    const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({ globaltype: { isNamespaceAgnostic: true } }));
     savedObjectsRepository = new SavedObjectsRepository({
       index: '.kibana-test',
       mappings,
@@ -129,9 +204,9 @@ describe('SavedObjectsRepository', () => {
 
   describe('#create', () => {
     beforeEach(() => {
-      callAdminCluster.returns(Promise.resolve({
+      callAdminCluster.callsFake((method, params) => ({
         _type: 'doc',
-        _id: 'index-pattern:logstash-*',
+        _id: params.id,
         _version: 2
       }));
     });
@@ -139,6 +214,9 @@ describe('SavedObjectsRepository', () => {
     it('formats Elasticsearch response', async () => {
       const response = await savedObjectsRepository.create('index-pattern', {
         title: 'Logstash'
+      }, {
+        id: 'logstash-*',
+        namespace: 'foo-namespace',
       });
 
       expect(response).toEqual({
@@ -223,6 +301,72 @@ describe('SavedObjectsRepository', () => {
 
       sinon.assert.calledOnce(onBeforeWrite);
     });
+
+    it('prepends namespace to the id and adds namespace to body when providing namespace for namespaced type', async () => {
+      await savedObjectsRepository.create('index-pattern',
+        {
+          title: 'Logstash'
+        },
+        {
+          id: 'foo-id',
+          namespace: 'foo-namespace',
+        },
+      );
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        id: `foo-namespace:index-pattern:foo-id`,
+        body: {
+          [`index-pattern`]: { title: 'Logstash' },
+          namespace: 'foo-namespace',
+          type: 'index-pattern',
+          updated_at: '2017-08-14T15:49:14.886Z'
+        }
+      }));
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
+
+    it(`doesn't prepend namespace to the id or add namespace property when providing no namespace for namespaced type`, async () => {
+      await savedObjectsRepository.create('index-pattern',
+        {
+          title: 'Logstash'
+        },
+        {
+          id: 'foo-id'
+        }
+      );
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        id: `index-pattern:foo-id`,
+        body: {
+          [`index-pattern`]: { title: 'Logstash' },
+          type: 'index-pattern',
+          updated_at: '2017-08-14T15:49:14.886Z'
+        }
+      }));
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
+
+    it(`doesn't prepend namespace to the id or add namespace property when providing namespace for namespace agnostic type`, async () => {
+      await savedObjectsRepository.create('globaltype',
+        {
+          title: 'Logstash'
+        },
+        {
+          id: 'foo-id',
+          namespace: 'foo-namespace',
+        }
+      );
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        id: `globaltype:foo-id`,
+        body: {
+          [`globaltype`]: { title: 'Logstash' },
+          type: 'globaltype',
+          updated_at: '2017-08-14T15:49:14.886Z'
+        }
+      }));
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
   });
 
   describe('#bulkCreate', () => {
@@ -366,7 +510,9 @@ describe('SavedObjectsRepository', () => {
       const response = await savedObjectsRepository.bulkCreate([
         { type: 'config', id: 'one', attributes: { title: 'Test One' } },
         { type: 'index-pattern', id: 'two', attributes: { title: 'Test Two' } }
-      ]);
+      ], {
+        namespace: 'foo-namespace',
+      });
 
       expect(response).toEqual({
         saved_objects: [
@@ -386,6 +532,67 @@ describe('SavedObjectsRepository', () => {
         ]
       });
     });
+
+    it('prepends namespace to the id and adds namespace to body when providing namespace for namespaced type', async () => {
+      callAdminCluster.returns({ items: [] });
+      await savedObjectsRepository.bulkCreate(
+        [
+          { type: 'config', id: 'one', attributes: { title: 'Test One' } },
+          { type: 'index-pattern', id: 'two', attributes: { title: 'Test Two' } }
+        ],
+        {
+          namespace: 'foo-namespace',
+        },
+      );
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'bulk', sinon.match({
+        body: [
+          { create: { _type: 'doc', _id: 'foo-namespace:config:one' } },
+          { namespace: 'foo-namespace', type: 'config', ...mockTimestampFields, config: { title: 'Test One' } },
+          { create: { _type: 'doc', _id: 'foo-namespace:index-pattern:two' } },
+          { namespace: 'foo-namespace', type: 'index-pattern', ...mockTimestampFields, 'index-pattern': { title: 'Test Two' } }
+        ]
+      }));
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
+
+    it(`doesn't prepend namespace to the id or add namespace property when providing no namespace for namespaced type`, async () => {
+      callAdminCluster.returns({ items: [] });
+      await savedObjectsRepository.bulkCreate([
+        { type: 'config', id: 'one', attributes: { title: 'Test One' } },
+        { type: 'index-pattern', id: 'two', attributes: { title: 'Test Two' } }
+      ]);
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'bulk', sinon.match({
+        body: [
+          { create: { _type: 'doc', _id: 'config:one' } },
+          { type: 'config', ...mockTimestampFields, config: { title: 'Test One' } },
+          { create: { _type: 'doc', _id: 'index-pattern:two' } },
+          { type: 'index-pattern', ...mockTimestampFields, 'index-pattern': { title: 'Test Two' } }
+        ]
+      }));
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
+
+    it(`doesn't prepend namespace to the id or add namespace property when providing namespace for namespace agnostic type`, async () => {
+      callAdminCluster.returns({ items: [] });
+      await savedObjectsRepository.bulkCreate(
+        [
+          { type: 'globaltype', id: 'one', attributes: { title: 'Test One' } },
+        ],
+        {
+          namespace: 'foo-namespace',
+        },
+      );
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'bulk', sinon.match({
+        body: [
+          { create: { _type: 'doc', _id: 'globaltype:one' } },
+          { type: 'globaltype', ...mockTimestampFields, 'globaltype': { title: 'Test One' } },
+        ]
+      }));
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
   });
 
   describe('#delete', () => {
@@ -403,7 +610,27 @@ describe('SavedObjectsRepository', () => {
       }
     });
 
-    it('passes the parameters to callAdminCluster', async () => {
+    it(`prepends namespace to the id when providing namespace for namespaced type`, async () => {
+      callAdminCluster.returns({
+        result: 'deleted'
+      });
+      await savedObjectsRepository.delete('index-pattern', 'logstash-*', {
+        namespace: 'foo-namespace',
+      });
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'delete', {
+        type: 'doc',
+        id: 'foo-namespace:index-pattern:logstash-*',
+        refresh: 'wait_for',
+        index: '.kibana-test',
+        ignore: [404],
+      });
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
+
+    it(`doesn't prepend namespace to the id when providing no namespace for namespaced type`, async () => {
       callAdminCluster.returns({
         result: 'deleted'
       });
@@ -420,14 +647,32 @@ describe('SavedObjectsRepository', () => {
 
       sinon.assert.calledOnce(onBeforeWrite);
     });
+
+    it(`doesn't prepend namespace to the id when providing namespace for namespace agnostic type`, async () => {
+      callAdminCluster.returns({
+        result: 'deleted'
+      });
+      await savedObjectsRepository.delete('globaltype', 'logstash-*', {
+        namespace: 'foo-namespace',
+      });
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'delete', {
+        type: 'doc',
+        id: 'globaltype:logstash-*',
+        refresh: 'wait_for',
+        index: '.kibana-test',
+        ignore: [404],
+      });
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
   });
 
   describe('#find', () => {
-    beforeEach(() => {
-      callAdminCluster.returns(searchResults);
-    });
 
     it('requires searchFields be an array if defined', async () => {
+      callAdminCluster.returns(noNamespaceSearchResults);
       try {
         await savedObjectsRepository.find({ searchFields: 'string' });
         throw new Error('expected find() to reject');
@@ -439,6 +684,7 @@ describe('SavedObjectsRepository', () => {
     });
 
     it('requires fields be an array if defined', async () => {
+      callAdminCluster.returns(noNamespaceSearchResults);
       try {
         await savedObjectsRepository.find({ fields: 'string' });
         throw new Error('expected find() to reject');
@@ -450,7 +696,9 @@ describe('SavedObjectsRepository', () => {
     });
 
     it('passes mappings, search, searchFields, type, sortField, and sortOrder to getSearchDsl', async () => {
+      callAdminCluster.returns(namespacedSearchResults);
       const relevantOpts = {
+        namespace: 'foo-namespace',
         search: 'foo*',
         searchFields: ['foo'],
         type: 'bar',
@@ -464,6 +712,7 @@ describe('SavedObjectsRepository', () => {
     });
 
     it('merges output of getSearchDsl into es request body', async () => {
+      callAdminCluster.returns(noNamespaceSearchResults);
       getSearchDsl.returns({ query: 1, aggregations: 2 });
       await savedObjectsRepository.find();
       sinon.assert.calledOnce(callAdminCluster);
@@ -476,17 +725,40 @@ describe('SavedObjectsRepository', () => {
       }));
     });
 
-    it('formats Elasticsearch response', async () => {
-      const count = searchResults.hits.hits.length;
+    it('formats Elasticsearch response when there is no namespace', async () => {
+      callAdminCluster.returns(noNamespaceSearchResults);
+      const count = noNamespaceSearchResults.hits.hits.length;
 
       const response = await savedObjectsRepository.find();
 
       expect(response.total).toBe(count);
       expect(response.saved_objects).toHaveLength(count);
 
-      searchResults.hits.hits.forEach((doc, i) => {
+      noNamespaceSearchResults.hits.hits.forEach((doc, i) => {
+        expect(response.saved_objects[i]).toEqual({
+          id: doc._id.replace(/(index-pattern|config|globaltype)\:/, ''),
+          type: doc._source.type,
+          ...mockTimestampFields,
+          version: doc._version,
+          attributes: doc._source[doc._source.type]
+        });
+      });
+    });
+
+    it('formats Elasticsearch response when there is a namespace', async () => {
+      callAdminCluster.returns(namespacedSearchResults);
+      const count = namespacedSearchResults.hits.hits.length;
+
+      const response = await savedObjectsRepository.find({
+        namespace: 'foo-namespace',
+      });
+
+      expect(response.total).toBe(count);
+      expect(response.saved_objects).toHaveLength(count);
+
+      namespacedSearchResults.hits.hits.forEach((doc, i) => {
         expect(response.saved_objects[i]).toEqual({
-          id: doc._id.replace(/(index-pattern|config)\:/, ''),
+          id: doc._id.replace(/(foo-namespace\:)?(index-pattern|config|globaltype)\:/, ''),
           type: doc._source.type,
           ...mockTimestampFields,
           version: doc._version,
@@ -496,6 +768,7 @@ describe('SavedObjectsRepository', () => {
     });
 
     it('accepts per_page/page', async () => {
+      callAdminCluster.returns(noNamespaceSearchResults);
       await savedObjectsRepository.find({ perPage: 10, page: 6 });
 
       sinon.assert.calledOnce(callAdminCluster);
@@ -508,6 +781,7 @@ describe('SavedObjectsRepository', () => {
     });
 
     it('can filter by fields', async () => {
+      callAdminCluster.returns(noNamespaceSearchResults);
       await savedObjectsRepository.find({ fields: ['title'] });
 
       sinon.assert.calledOnce(callAdminCluster);
@@ -522,22 +796,51 @@ describe('SavedObjectsRepository', () => {
   });
 
   describe('#get', () => {
-    beforeEach(() => {
-      callAdminCluster.returns(Promise.resolve({
-        _id: 'index-pattern:logstash-*',
-        _type: 'doc',
-        _version: 2,
-        _source: {
-          type: 'index-pattern',
-          ...mockTimestampFields,
-          'index-pattern': {
-            title: 'Testing'
-          }
+    const noNamespaceResult = {
+      _id: 'index-pattern:logstash-*',
+      _type: 'doc',
+      _version: 2,
+      _source: {
+        type: 'index-pattern',
+        specialProperty: 'specialValue',
+        ...mockTimestampFields,
+        'index-pattern': {
+          title: 'Testing'
         }
-      }));
+      }
+    };
+    const namespacedResult = {
+      _id: 'foo-namespace:index-pattern:logstash-*',
+      _type: 'doc',
+      _version: 2,
+      _source: {
+        namespace: 'foo-namespace',
+        type: 'index-pattern',
+        specialProperty: 'specialValue',
+        ...mockTimestampFields,
+        'index-pattern': {
+          title: 'Testing'
+        }
+      }
+    };
+
+    it('formats Elasticsearch response when there is no namespace', async () => {
+      callAdminCluster.returns(Promise.resolve(noNamespaceResult));
+      const response = await savedObjectsRepository.get('index-pattern', 'logstash-*');
+      sinon.assert.notCalled(onBeforeWrite);
+      expect(response).toEqual({
+        id: 'logstash-*',
+        type: 'index-pattern',
+        updated_at: mockTimestamp,
+        version: 2,
+        attributes: {
+          title: 'Testing'
+        }
+      });
     });
 
-    it('formats Elasticsearch response', async () => {
+    it('formats Elasticsearch response when there are namespaces', async () => {
+      callAdminCluster.returns(Promise.resolve(namespacedResult));
       const response = await savedObjectsRepository.get('index-pattern', 'logstash-*');
       sinon.assert.notCalled(onBeforeWrite);
       expect(response).toEqual({
@@ -551,7 +854,22 @@ describe('SavedObjectsRepository', () => {
       });
     });
 
-    it('prepends type to the id', async () => {
+    it('prepends namespace and type to the id when providing namespace for namespaced type', async () => {
+      callAdminCluster.returns(Promise.resolve(namespacedResult));
+      await savedObjectsRepository.get('index-pattern', 'logstash-*', {
+        namespace: 'foo-namespace',
+      });
+
+      sinon.assert.notCalled(onBeforeWrite);
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        id: 'foo-namespace:index-pattern:logstash-*',
+        type: 'doc'
+      }));
+    });
+
+    it(`only prepends type to the id when providing no namespace for namespaced type`, async () => {
+      callAdminCluster.returns(Promise.resolve(noNamespaceResult));
       await savedObjectsRepository.get('index-pattern', 'logstash-*');
 
       sinon.assert.notCalled(onBeforeWrite);
@@ -561,15 +879,30 @@ describe('SavedObjectsRepository', () => {
         type: 'doc'
       }));
     });
+
+    it(`doesn't prepend namespace to the id when providing namespace for namespace agnostic type`, async () => {
+      callAdminCluster.returns(Promise.resolve(namespacedResult));
+      await savedObjectsRepository.get('globaltype', 'logstash-*', {
+        namespace: 'foo-namespace',
+      });
+
+      sinon.assert.notCalled(onBeforeWrite);
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        id: 'globaltype:logstash-*',
+        type: 'doc'
+      }));
+    });
   });
 
   describe('#bulkGet', () => {
-    it('accepts a array of mixed type and ids', async () => {
+    it('prepends type to id when getting objects when there is no namespace', async () => {
       callAdminCluster.returns({ docs: [] });
 
       await savedObjectsRepository.bulkGet([
         { id: 'one', type: 'config' },
-        { id: 'two', type: 'index-pattern' }
+        { id: 'two', type: 'index-pattern' },
+        { id: 'three', type: 'globaltype' },
       ]);
 
       sinon.assert.calledOnce(callAdminCluster);
@@ -577,7 +910,35 @@ describe('SavedObjectsRepository', () => {
         body: {
           docs: [
             { _type: 'doc', _id: 'config:one' },
-            { _type: 'doc', _id: 'index-pattern:two' }
+            { _type: 'doc', _id: 'index-pattern:two' },
+            { _type: 'doc', _id: 'globaltype:three' },
+          ]
+        }
+      }));
+
+      sinon.assert.notCalled(onBeforeWrite);
+    });
+
+    it('prepends namespace and type appropriately to id when getting objects when there is a namespace', async () => {
+      callAdminCluster.returns({ docs: [] });
+
+      await savedObjectsRepository.bulkGet(
+        [
+          { id: 'one', type: 'config' },
+          { id: 'two', type: 'index-pattern' },
+          { id: 'three', type: 'globaltype' },
+        ], {
+          namespace: 'foo-namespace',
+        }
+      );
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
+        body: {
+          docs: [
+            { _type: 'doc', _id: 'foo-namespace:config:one' },
+            { _type: 'doc', _id: 'foo-namespace:index-pattern:two' },
+            { _type: 'doc', _id: 'globaltype:three' },
           ]
         }
       }));
@@ -649,7 +1010,7 @@ describe('SavedObjectsRepository', () => {
     });
 
     it('returns current ES document version', async () => {
-      const response = await savedObjectsRepository.update('index-pattern', 'logstash-*', attributes);
+      const response = await savedObjectsRepository.update('index-pattern', 'logstash-*', attributes, { namespace: 'foo-namespace' });
       expect(response).toEqual({
         id,
         type,
@@ -673,7 +1034,30 @@ describe('SavedObjectsRepository', () => {
       }));
     });
 
-    it('passes the parameters to callAdminCluster', async () => {
+    it(`prepends namespace to the id but doesn't add namespace to body when providing namespace for namespaced type`, async () => {
+      await savedObjectsRepository.update('index-pattern', 'logstash-*', {
+        title: 'Testing',
+      }, {
+        namespace: 'foo-namespace',
+      });
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'update', {
+        type: 'doc',
+        id: 'foo-namespace:index-pattern:logstash-*',
+        version: undefined,
+        body: {
+          doc: { updated_at: mockTimestamp, 'index-pattern': { title: 'Testing' } }
+        },
+        ignore: [404],
+        refresh: 'wait_for',
+        index: '.kibana-test'
+      });
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
+
+    it(`doesn't prepend namespace to the id or add namespace property when providing no namespace for namespaced type`, async () => {
       await savedObjectsRepository.update('index-pattern', 'logstash-*', { title: 'Testing' });
 
       sinon.assert.calledOnce(callAdminCluster);
@@ -691,6 +1075,29 @@ describe('SavedObjectsRepository', () => {
 
       sinon.assert.calledOnce(onBeforeWrite);
     });
+
+    it(`doesn't prepend namespace to the id or add namespace property when providing namespace for namespace agnostic type`, async () => {
+      await savedObjectsRepository.update('globaltype', 'foo', {
+        name: 'bar',
+      }, {
+        namespace: 'foo-namespace',
+      });
+
+      sinon.assert.calledOnce(callAdminCluster);
+      sinon.assert.calledWithExactly(callAdminCluster, 'update', {
+        type: 'doc',
+        id: 'globaltype:foo',
+        version: undefined,
+        body: {
+          doc: { updated_at: mockTimestamp, 'globaltype': { name: 'bar' } }
+        },
+        ignore: [404],
+        refresh: 'wait_for',
+        index: '.kibana-test'
+      });
+
+      sinon.assert.calledOnce(onBeforeWrite);
+    });
   });
 
   describe('onBeforeWrite', () => {

From f2a2f467e5e6c708512163fc4c0347317364c9bb Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 07:13:12 -0700
Subject: [PATCH 151/183] Implementing find

---
 .../saved_objects/service/lib/repository.js   |   4 +-
 .../service/lib/repository.test.js            |   9 +-
 .../service/lib/repository_provider.js        |   3 +
 .../service/lib/repository_provider.test.js   |  58 +-
 .../service/lib/search_dsl/query_params.js    |  58 +-
 .../lib/search_dsl/query_params.test.js       | 521 ++++++++++++++++--
 .../service/lib/search_dsl/search_dsl.js      |   7 +-
 .../service/lib/search_dsl/search_dsl.test.js |  15 +-
 .../service/lib/search_dsl/sorting_params.js  |  33 +-
 .../lib/search_dsl/sorting_params.test.js     |  15 +
 10 files changed, 597 insertions(+), 126 deletions(-)

diff --git a/src/server/saved_objects/service/lib/repository.js b/src/server/saved_objects/service/lib/repository.js
index 43cecc256cd5a3..0f585407cb86b6 100644
--- a/src/server/saved_objects/service/lib/repository.js
+++ b/src/server/saved_objects/service/lib/repository.js
@@ -33,6 +33,7 @@ export class SavedObjectsRepository {
       index,
       mappings,
       callCluster,
+      schema,
       serializer,
       migrator = { migrateDocument: (doc) => doc },
       onBeforeWrite = () => { },
@@ -51,6 +52,7 @@ export class SavedObjectsRepository {
     this._type = getRootType(this._mappings);
     this._onBeforeWrite = onBeforeWrite;
     this._unwrappedCallCluster = callCluster;
+    this._schema = schema;
     this._serializer = serializer;
   }
 
@@ -283,7 +285,7 @@ export class SavedObjectsRepository {
       ignore: [404],
       body: {
         version: true,
-        ...getSearchDsl(this._mappings, {
+        ...getSearchDsl(this._mappings, this._schema, {
           search,
           searchFields,
           type,
diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
index b2674061bf9e6c..f28b7101385741 100644
--- a/src/server/saved_objects/service/lib/repository.test.js
+++ b/src/server/saved_objects/service/lib/repository.test.js
@@ -176,6 +176,8 @@ describe('SavedObjectsRepository', () => {
     }
   };
 
+  const schema = new SavedObjectsSchema({ globaltype: { isNamespaceAgnostic: true } });
+
   beforeEach(() => {
     callAdminCluster = sandbox.stub();
     onBeforeWrite = sandbox.stub();
@@ -183,12 +185,13 @@ describe('SavedObjectsRepository', () => {
       migrateDocument: sinon.spy((doc) => doc),
     };
 
-    const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({ globaltype: { isNamespaceAgnostic: true } }));
+    const serializer = new SavedObjectsSerializer(schema);
     savedObjectsRepository = new SavedObjectsRepository({
       index: '.kibana-test',
       mappings,
       callCluster: callAdminCluster,
       migrator,
+      schema,
       serializer,
       onBeforeWrite
     });
@@ -695,7 +698,7 @@ describe('SavedObjectsRepository', () => {
       }
     });
 
-    it('passes mappings, search, searchFields, type, sortField, and sortOrder to getSearchDsl', async () => {
+    it('passes mappings, schema, search, searchFields, type, sortField, and sortOrder to getSearchDsl', async () => {
       callAdminCluster.returns(namespacedSearchResults);
       const relevantOpts = {
         namespace: 'foo-namespace',
@@ -708,7 +711,7 @@ describe('SavedObjectsRepository', () => {
 
       await savedObjectsRepository.find(relevantOpts);
       sinon.assert.calledOnce(getSearchDsl);
-      sinon.assert.calledWithExactly(getSearchDsl, mappings, relevantOpts);
+      sinon.assert.calledWithExactly(getSearchDsl, mappings, schema, relevantOpts);
     });
 
     it('merges output of getSearchDsl into es request body', async () => {
diff --git a/src/server/saved_objects/service/lib/repository_provider.js b/src/server/saved_objects/service/lib/repository_provider.js
index b92fd424c0b89a..4c5a2f3124f052 100644
--- a/src/server/saved_objects/service/lib/repository_provider.js
+++ b/src/server/saved_objects/service/lib/repository_provider.js
@@ -28,12 +28,14 @@ export class SavedObjectsRepositoryProvider {
     index,
     mappings,
     migrator,
+    schema,
     serializer,
     onBeforeWrite
   }) {
     this._index = index;
     this._mappings = mappings;
     this._migrator = migrator;
+    this._schema = schema;
     this._serializer = serializer;
     this._onBeforeWrite = onBeforeWrite;
   }
@@ -48,6 +50,7 @@ export class SavedObjectsRepositoryProvider {
       index: this._index,
       mappings: this._mappings,
       migrator: this._migrator,
+      schema: this._schema,
       serializer: this._serializer,
       onBeforeWrite: this._onBeforeWrite,
       callCluster,
diff --git a/src/server/saved_objects/service/lib/repository_provider.test.js b/src/server/saved_objects/service/lib/repository_provider.test.js
index 5a6d3cde8ef800..567c50a6a9fdd7 100644
--- a/src/server/saved_objects/service/lib/repository_provider.test.js
+++ b/src/server/saved_objects/service/lib/repository_provider.test.js
@@ -17,9 +17,11 @@
  * under the License.
  */
 
+import { SavedObjectsRepository } from './repository';
 import { SavedObjectsRepositoryProvider } from './repository_provider';
-import { SavedObjectsSerializer } from '../../serialization';
-import { SavedObjectsSchema } from '../../schema';
+jest.mock('./repository', () => ({
+  SavedObjectsRepository: jest.fn()
+}));
 
 test('requires "callCluster" to be provided', () => {
   const provider = new SavedObjectsRepositoryProvider({
@@ -34,32 +36,36 @@ test('requires "callCluster" to be provided', () => {
 });
 
 test('creates a valid Repository', async () => {
-  const properties = {
-    index: 'default-index',
-    mappings: {
-      foo: {
-        properties: {
-          field: { type: 'string' }
-        }
-      }
-    },
-    serializer: new SavedObjectsSerializer(new SavedObjectsSchema()),
-    onBeforeWrite: jest.fn()
+  const index = Symbol();
+  const mappings = Symbol();
+  const migrator = Symbol();
+  const schema = Symbol();
+  const serializer = Symbol();
+  const onBeforeWrite = Symbol();
+  const provider = new SavedObjectsRepositoryProvider({
+    index,
+    mappings,
+    migrator,
+    schema,
+    serializer,
+    onBeforeWrite,
+  });
+  const callCluster = () => {};
+  const expectedReturnValue = {
+    foo: 'bar',
   };
+  SavedObjectsRepository.mockImplementation(() => expectedReturnValue);
 
-  const provider = new SavedObjectsRepositoryProvider(properties);
+  const actualReturnValue = provider.getRepository(callCluster);
 
-  const callCluster = jest.fn().mockReturnValue({
-    _id: 'new'
+  expect(actualReturnValue).toEqual(expectedReturnValue);
+  expect(SavedObjectsRepository).toHaveBeenCalledWith({
+    index,
+    mappings,
+    migrator,
+    schema,
+    serializer,
+    onBeforeWrite,
+    callCluster,
   });
-
-  const repository = provider.getRepository(callCluster);
-
-  await repository.create('foo', {});
-
-  expect(callCluster).toHaveBeenCalledTimes(1);
-  expect(properties.onBeforeWrite).toHaveBeenCalledTimes(1);
-  expect(callCluster).toHaveBeenCalledWith('index', expect.objectContaining({
-    index: properties.index
-  }));
 });
diff --git a/src/server/saved_objects/service/lib/search_dsl/query_params.js b/src/server/saved_objects/service/lib/search_dsl/query_params.js
index bcf62f21ef4158..5bcff743c10824 100644
--- a/src/server/saved_objects/service/lib/search_dsl/query_params.js
+++ b/src/server/saved_objects/service/lib/search_dsl/query_params.js
@@ -59,36 +59,66 @@ function getFieldsForTypes(searchFields, types) {
   };
 }
 
+/**
+ *  Gets the clause that will filter for the type in the namespace.
+ *  Some types are namespace agnostic, so they must be treated differently.
+ *  @param  {SavedObjectsSchema} schema
+ *  @param  {string} namespace
+ *  @param  {string} type
+ *  @return {Object}
+ */
+function getClauseForType(schema, namespace, type) {
+  if (!type) {
+    throw new Error(`type is required to build filter clause`);
+  }
+
+  if (namespace && !schema.isNamespaceAgnostic(type)) {
+    return {
+      bool: {
+        must: [
+          { term: { type } },
+          { term: { namespace } },
+        ]
+      }
+    };
+  }
+
+  return {
+    bool: {
+      must: [{ term: { type } }],
+      must_not: [{ exists: { field: 'namespace' } }]
+    }
+  };
+}
+
 /**
  *  Get the "query" related keys for the search body
  *  @param  {EsMapping} mapping mappings from Ui
+ * *@param  {SavedObjectsSchema} schema
  *  @param  {(string|Array<string>)} type
  *  @param  {String} search
  *  @param  {Array<string>} searchFields
  *  @return {Object}
  */
-export function getQueryParams(mappings, type, search, searchFields) {
-  if (!type && !search) {
-    return {};
-  }
-
-  const bool = {};
-
-  if (type) {
-    bool.filter = [
-      { [Array.isArray(type) ? 'terms' : 'term']: { type } }
-    ];
-  }
+export function getQueryParams(mappings, schema, namespace, type, search, searchFields) {
+  const types = getTypes(mappings, type);
+  const bool = {
+    filter: [{
+      bool: {
+        should: types.map(type => getClauseForType(schema, namespace, type)),
+        minimum_should_match: 1
+      }
+    }],
+  };
 
   if (search) {
     bool.must = [
-      ...bool.must || [],
       {
         simple_query_string: {
           query: search,
           ...getFieldsForTypes(
             searchFields,
-            getTypes(mappings, type)
+            types
           )
         }
       }
diff --git a/src/server/saved_objects/service/lib/search_dsl/query_params.test.js b/src/server/saved_objects/service/lib/search_dsl/query_params.test.js
index 53b943ee6793bd..45f241ba41883e 100644
--- a/src/server/saved_objects/service/lib/search_dsl/query_params.test.js
+++ b/src/server/saved_objects/service/lib/search_dsl/query_params.test.js
@@ -50,43 +50,225 @@ const MAPPINGS = {
             }
           }
         }
+      },
+      global: {
+        properties: {
+          name: {
+            type: 'keyword',
+          }
+        }
       }
     }
   }
 };
 
+const SCHEMA = {
+  isNamespaceAgnostic: type => type === 'global',
+};
+
+
+// create a type clause to be used within the "should", if a namespace is specified
+// the clause will ensure the namespace matches; otherwise, the clause will ensure
+// that there isn't a namespace field.
+const createTypeClause = (type, namespace) => {
+  if (namespace) {
+    return {
+      bool: {
+        must: [
+          { term: { type } },
+          { term: { namespace } },
+        ]
+      }
+    };
+  }
+
+  return {
+    bool: {
+      must: [{ term: { type } }],
+      must_not: [{ exists: { field: 'namespace' } }]
+    }
+  };
+};
+
 describe('searchDsl/queryParams', () => {
-  describe('{}', () => {
-    it('searches for everything', () => {
-      expect(getQueryParams(MAPPINGS))
-        .toEqual({});
+  describe('no parameters', () => {
+    it('searches for all known types without a namespace specified', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending'),
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }]
+            }
+          }
+        });
+    });
+  });
+
+  describe('namespace', () => {
+    it('filters namespaced types for namespace, and ensures namespace agnostic types have no namespace', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace'))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending', 'foo-namespace'),
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }]
+            }
+          }
+        });
+    });
+  });
+
+  describe('type (singular, namespaced)', () => {
+    it('includes a terms filter for type and namespace not being specified', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, 'saved'))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }]
+            }
+          }
+        });
+    });
+  });
+
+  describe('type (singular, global)', () => {
+    it('includes a terms filter for type and namespace not being specified', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, 'global'))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }]
+            }
+          }
+        });
+    });
+  });
+
+  describe('type (plural, namespaced and global)', () => {
+    it('includes term filters for types and namespace not being specified', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, ['saved', 'global']))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }]
+            }
+          }
+        });
     });
   });
 
-  describe('{type}', () => {
-    it('adds a term filter when a string', () => {
-      expect(getQueryParams(MAPPINGS, 'saved'))
+  describe('namespace, type (plural, namespaced and global)', () => {
+    it('includes a terms filter for type and namespace not being specified', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', ['saved', 'global']))
         .toEqual({
           query: {
             bool: {
-              filter: [
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }]
+            }
+          }
+        });
+    });
+  });
+
+  describe('search', () => {
+    it('includes a sqs query and all known types without a namespace specified', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, null, 'us*'))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending'),
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
+              must: [
                 {
-                  term: { type: 'saved' }
+                  simple_query_string: {
+                    query: 'us*',
+                    all_fields: true
+                  }
                 }
               ]
             }
           }
         });
     });
+  });
 
-    it('adds a terms filter when an array', () => {
-      expect(getQueryParams(MAPPINGS, ['saved', 'vis']))
+  describe('namespace, search', () => {
+    it('includes a sqs query and namespaced types with the namespace and global types without a namespace', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', null, 'us*'))
         .toEqual({
           query: {
             bool: {
-              filter: [
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending', 'foo-namespace'),
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
+              must: [
                 {
-                  terms: { type: ['saved', 'vis'] }
+                  simple_query_string: {
+                    query: 'us*',
+                    all_fields: true
+                  }
                 }
               ]
             }
@@ -95,12 +277,21 @@ describe('searchDsl/queryParams', () => {
     });
   });
 
-  describe('{search}', () => {
-    it('includes just a sqs query', () => {
-      expect(getQueryParams(MAPPINGS, null, 'us*'))
+  describe('type (plural, namespaced and global), search', () => {
+    it('includes a sqs query and types without a namespace', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, ['saved', 'global'], 'us*'))
         .toEqual({
           query: {
             bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
@@ -115,19 +306,25 @@ describe('searchDsl/queryParams', () => {
     });
   });
 
-  describe('{type,search}', () => {
-    it('includes bool with sqs query and term filter for type', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*'))
+  describe('namespace, type (plural, namespaced and global), search', () => {
+    it('includes a sqs query and namespace type with a namespace and global type without a namespace', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', ['saved', 'global'], 'us*'))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { term: { type: 'saved' } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
-                    query: 'y*',
+                    query: 'us*',
                     all_fields: true
                   }
                 }
@@ -136,19 +333,98 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
-    it('includes bool with sqs query and terms filter for type', () => {
-      expect(getQueryParams(MAPPINGS, ['saved', 'vis'], 'y*'))
+  });
+
+  describe('search, searchFields', () => {
+    it('includes all types for field', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, null, 'y*', ['title']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { terms: { type: ['saved', 'vis'] } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending'),
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
-                    all_fields: true
+                    fields: [
+                      'pending.title',
+                      'saved.title',
+                      'global.title',
+                    ]
+                  }
+                }
+              ]
+            }
+          }
+        });
+    });
+    it('supports field boosting', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, null, 'y*', ['title^3']))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending'),
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
+              must: [
+                {
+                  simple_query_string: {
+                    query: 'y*',
+                    fields: [
+                      'pending.title^3',
+                      'saved.title^3',
+                      'global.title^3',
+                    ]
+                  }
+                }
+              ]
+            }
+          }
+        });
+    });
+    it('supports field and multi-field', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, null, 'y*', ['title', 'title.raw']))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending'),
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
+              must: [
+                {
+                  simple_query_string: {
+                    query: 'y*',
+                    fields: [
+                      'pending.title',
+                      'saved.title',
+                      'global.title',
+                      'pending.title.raw',
+                      'saved.title.raw',
+                      'global.title.raw',
+                    ]
                   }
                 }
               ]
@@ -158,19 +434,30 @@ describe('searchDsl/queryParams', () => {
     });
   });
 
-  describe('{search,searchFields}', () => {
+  describe('namespace, search, searchFields', () => {
     it('includes all types for field', () => {
-      expect(getQueryParams(MAPPINGS, null, 'y*', ['title']))
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', null, 'y*', ['title']))
         .toEqual({
           query: {
             bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending', 'foo-namespace'),
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
                       'pending.title',
-                      'saved.title'
+                      'saved.title',
+                      'global.title',
                     ]
                   }
                 }
@@ -180,17 +467,28 @@ describe('searchDsl/queryParams', () => {
         });
     });
     it('supports field boosting', () => {
-      expect(getQueryParams(MAPPINGS, null, 'y*', ['title^3']))
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', null, 'y*', ['title^3']))
         .toEqual({
           query: {
             bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending', 'foo-namespace'),
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
                       'pending.title^3',
-                      'saved.title^3'
+                      'saved.title^3',
+                      'global.title^3',
                     ]
                   }
                 }
@@ -200,10 +498,20 @@ describe('searchDsl/queryParams', () => {
         });
     });
     it('supports field and multi-field', () => {
-      expect(getQueryParams(MAPPINGS, null, 'y*', ['title', 'title.raw']))
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', null, 'y*', ['title', 'title.raw']))
         .toEqual({
           query: {
             bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('pending', 'foo-namespace'),
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
@@ -211,8 +519,10 @@ describe('searchDsl/queryParams', () => {
                     fields: [
                       'pending.title',
                       'saved.title',
+                      'global.title',
                       'pending.title.raw',
                       'saved.title.raw',
+                      'global.title.raw',
                     ]
                   }
                 }
@@ -223,21 +533,28 @@ describe('searchDsl/queryParams', () => {
     });
   });
 
-  describe('{type,search,searchFields}', () => {
-    it('includes bool, with term filter and sqs with field list', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title']))
+  describe('type (plural, namespaced and global), search, searchFields', () => {
+    it('includes all types for field', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, ['saved', 'global'], 'y*', ['title']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { term: { type: 'saved' } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
-                      'saved.title'
+                      'saved.title',
+                      'global.title',
                     ]
                   }
                 }
@@ -246,21 +563,58 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
-    it('includes bool, with terms filter and sqs with field list', () => {
-      expect(getQueryParams(MAPPINGS, ['saved', 'vis'], 'y*', ['title']))
+    it('supports field boosting', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, ['saved', 'global'], 'y*', ['title^3']))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
+              must: [
+                {
+                  simple_query_string: {
+                    query: 'y*',
+                    fields: [
+                      'saved.title^3',
+                      'global.title^3',
+                    ]
+                  }
+                }
+              ]
+            }
+          }
+        });
+    });
+    it('supports field and multi-field', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, null, ['saved', 'global'], 'y*', ['title', 'title.raw']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { terms: { type: ['saved', 'vis'] } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
                       'saved.title',
-                      'vis.title'
+                      'global.title',
+                      'saved.title.raw',
+                      'global.title.raw',
                     ]
                   }
                 }
@@ -269,20 +623,30 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
-    it('supports fields pointing to multi-fields', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title.raw']))
+  });
+
+  describe('namespace, type (plural, namespaced and global), search, searchFields', () => {
+    it('includes all types for field', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', ['saved', 'global'], 'y*', ['title']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { term: { type: 'saved' } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
-                      'saved.title.raw'
+                      'saved.title',
+                      'global.title',
                     ]
                   }
                 }
@@ -291,21 +655,58 @@ describe('searchDsl/queryParams', () => {
           }
         });
     });
-    it('supports multiple search fields', () => {
-      expect(getQueryParams(MAPPINGS, 'saved', 'y*', ['title', 'title.raw']))
+    it('supports field boosting', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', ['saved', 'global'], 'y*', ['title^3']))
         .toEqual({
           query: {
             bool: {
-              filter: [
-                { term: { type: 'saved' } }
-              ],
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
+              must: [
+                {
+                  simple_query_string: {
+                    query: 'y*',
+                    fields: [
+                      'saved.title^3',
+                      'global.title^3',
+                    ]
+                  }
+                }
+              ]
+            }
+          }
+        });
+    });
+    it('supports field and multi-field', () => {
+      expect(getQueryParams(MAPPINGS, SCHEMA, 'foo-namespace', ['saved', 'global'], 'y*', ['title', 'title.raw']))
+        .toEqual({
+          query: {
+            bool: {
+              filter: [{
+                bool: {
+                  should: [
+                    createTypeClause('saved', 'foo-namespace'),
+                    createTypeClause('global'),
+                  ],
+                  minimum_should_match: 1
+                }
+              }],
               must: [
                 {
                   simple_query_string: {
                     query: 'y*',
                     fields: [
                       'saved.title',
-                      'saved.title.raw'
+                      'global.title',
+                      'saved.title.raw',
+                      'global.title.raw',
                     ]
                   }
                 }
diff --git a/src/server/saved_objects/service/lib/search_dsl/search_dsl.js b/src/server/saved_objects/service/lib/search_dsl/search_dsl.js
index ea34c127e98549..41d71bf2d586e9 100644
--- a/src/server/saved_objects/service/lib/search_dsl/search_dsl.js
+++ b/src/server/saved_objects/service/lib/search_dsl/search_dsl.js
@@ -22,13 +22,14 @@ import Boom from 'boom';
 import { getQueryParams } from './query_params';
 import { getSortingParams } from './sorting_params';
 
-export function getSearchDsl(mappings, options = {}) {
+export function getSearchDsl(mappings, schema, options = {}) {
   const {
     type,
     search,
     searchFields,
     sortField,
-    sortOrder
+    sortOrder,
+    namespace,
   } = options;
 
   if (!type && sortField) {
@@ -40,7 +41,7 @@ export function getSearchDsl(mappings, options = {}) {
   }
 
   return {
-    ...getQueryParams(mappings, type, search, searchFields),
+    ...getQueryParams(mappings, schema, namespace, type, search, searchFields),
     ...getSortingParams(mappings, type, sortField, sortOrder),
   };
 }
diff --git a/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js b/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js
index 85302b5e257222..7acdb6d7bd6ed1 100644
--- a/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js
+++ b/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js
@@ -29,7 +29,7 @@ describe('getSearchDsl', () => {
   describe('validation', () => {
     it('throws when sortField is passed without type', () => {
       expect(() => {
-        getSearchDsl({}, {
+        getSearchDsl({}, {}, {
           type: undefined,
           sortField: 'title'
         });
@@ -37,7 +37,7 @@ describe('getSearchDsl', () => {
     });
     it('throws when sortOrder without sortField', () => {
       expect(() => {
-        getSearchDsl({}, {
+        getSearchDsl({}, {}, {
           type: 'foo',
           sortOrder: 'desc'
         });
@@ -46,20 +46,24 @@ describe('getSearchDsl', () => {
   });
 
   describe('passes control', () => {
-    it('passes (mappings, type, search, searchFields) to getQueryParams', () => {
+    it('passes (mappings, schema, namespace, type, search, searchFields) to getQueryParams', () => {
       const spy = sandbox.spy(queryParamsNS, 'getQueryParams');
       const mappings = { type: { properties: {} } };
+      const schema = { isNamespaceAgnostic: () => {} };
       const opts = {
+        namespace: 'foo-namespace',
         type: 'foo',
         search: 'bar',
         searchFields: ['baz'],
       };
 
-      getSearchDsl(mappings, opts);
+      getSearchDsl(mappings, schema, opts);
       sinon.assert.calledOnce(spy);
       sinon.assert.calledWithExactly(
         spy,
         mappings,
+        schema,
+        opts.namespace,
         opts.type,
         opts.search,
         opts.searchFields,
@@ -69,13 +73,14 @@ describe('getSearchDsl', () => {
     it('passes (mappings, type, sortField, sortOrder) to getSortingParams', () => {
       const spy = sandbox.stub(sortParamsNS, 'getSortingParams').returns({});
       const mappings = { type: { properties: {} } };
+      const schema = { isNamespaceAgnostic: () => {} };
       const opts = {
         type: 'foo',
         sortField: 'bar',
         sortOrder: 'baz'
       };
 
-      getSearchDsl(mappings, opts);
+      getSearchDsl(mappings, schema, opts);
       sinon.assert.calledOnce(spy);
       sinon.assert.calledWithExactly(
         spy,
diff --git a/src/server/saved_objects/service/lib/search_dsl/sorting_params.js b/src/server/saved_objects/service/lib/search_dsl/sorting_params.js
index b977924ff62c50..bf22e2818939c6 100644
--- a/src/server/saved_objects/service/lib/search_dsl/sorting_params.js
+++ b/src/server/saved_objects/service/lib/search_dsl/sorting_params.js
@@ -26,24 +26,29 @@ export function getSortingParams(mappings, type, sortField, sortOrder) {
     return {};
   }
 
+  let typeField = type;
+
   if (Array.isArray(type)) {
-    const rootField = getProperty(mappings, sortField);
-    if (!rootField) {
-      throw Boom.badRequest(`Unable to sort multiple types by field ${sortField}, not a root property`);
-    }
+    if (type.length === 1) {
+      typeField = type[0];
+    } else {
+      const rootField = getProperty(mappings, sortField);
+      if (!rootField) {
+        throw Boom.badRequest(`Unable to sort multiple types by field ${sortField}, not a root property`);
+      }
 
-    return {
-      sort: [{
-        [sortField]: {
-          order: sortOrder,
-          unmapped_type: rootField.type
-        }
-      }]
-    };
+      return {
+        sort: [{
+          [sortField]: {
+            order: sortOrder,
+            unmapped_type: rootField.type
+          }
+        }]
+      };
+    }
   }
 
-
-  const key = `${type}.${sortField}`;
+  const key = `${typeField}.${sortField}`;
   const field = getProperty(mappings, key);
   if (!field) {
     throw Boom.badRequest(`Unknown sort field ${sortField}`);
diff --git a/src/server/saved_objects/service/lib/search_dsl/sorting_params.test.js b/src/server/saved_objects/service/lib/search_dsl/sorting_params.test.js
index a7ff1041f313a5..71833f13956591 100644
--- a/src/server/saved_objects/service/lib/search_dsl/sorting_params.test.js
+++ b/src/server/saved_objects/service/lib/search_dsl/sorting_params.test.js
@@ -138,6 +138,21 @@ describe('searchDsl/getSortParams', () => {
           });
       });
     });
+    describe('sortField is multi-field with single type as array', () => {
+      it('returns correct params', () => {
+        expect(getSortingParams(MAPPINGS, ['saved'], 'title.raw'))
+          .toEqual({
+            sort: [
+              {
+                'saved.title.raw': {
+                  order: undefined,
+                  unmapped_type: 'keyword'
+                }
+              }
+            ]
+          });
+      });
+    });
     describe('sortField is root multi-field with multiple types', () => {
       it('returns correct params', () => {
         expect(getSortingParams(MAPPINGS, ['saved', 'pending'], 'type.raw'))

From 8c314f53d87119c91ffcff9a1c973ec469c211c0 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 07:25:59 -0700
Subject: [PATCH 152/183] Modifying the SOCs to pass the options with the
 namespace

---
 .../service/saved_objects_client.js           | 22 ++++++---
 .../service/saved_objects_client.test.js      | 45 +++++++++--------
 .../secure_saved_objects_client.js            | 12 ++---
 .../secure_saved_objects_client.test.js       | 47 +++++++++++-------
 .../apis/saved_objects/find.js                | 48 +------------------
 5 files changed, 79 insertions(+), 95 deletions(-)

diff --git a/src/server/saved_objects/service/saved_objects_client.js b/src/server/saved_objects/service/saved_objects_client.js
index 7741800fc2e272..f1dc4dfbbc1900 100644
--- a/src/server/saved_objects/service/saved_objects_client.js
+++ b/src/server/saved_objects/service/saved_objects_client.js
@@ -102,6 +102,7 @@ export class SavedObjectsClient {
    * @param {object} [options={}]
    * @property {string} [options.id] - force id on creation, not recommended
    * @property {boolean} [options.overwrite=false]
+   * @property {string} [options.namespace]
    * @returns {promise} - { id, type, version, attributes }
   */
   async create(type, attributes = {}, options = {}) {
@@ -114,6 +115,7 @@ export class SavedObjectsClient {
    * @param {array} objects - [{ type, id, attributes }]
    * @param {object} [options={}]
    * @property {boolean} [options.overwrite=false] - overwrites existing documents
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes, error: { message } }]}
    */
   async bulkCreate(objects, options = {}) {
@@ -125,10 +127,12 @@ export class SavedObjectsClient {
    *
    * @param {string} type
    * @param {string} id
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise}
    */
-  async delete(type, id) {
-    return this._repository.delete(type, id);
+  async delete(type, id, options = {}) {
+    return this._repository.delete(type, id, options);
   }
 
   /**
@@ -142,6 +146,7 @@ export class SavedObjectsClient {
    * @property {string} [options.sortField]
    * @property {string} [options.sortOrder]
    * @property {Array<string>} [options.fields]
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }], total, per_page, page }
    */
   async find(options = {}) {
@@ -152,6 +157,8 @@ export class SavedObjectsClient {
    * Returns an array of objects by id
    *
    * @param {array} objects - an array ids, or an array of objects containing id and optionally type
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise} - { saved_objects: [{ id, type, version, attributes }] }
    * @example
    *
@@ -160,8 +167,8 @@ export class SavedObjectsClient {
    *   { id: 'foo', type: 'index-pattern' }
    * ])
    */
-  async bulkGet(objects = []) {
-    return this._repository.bulkGet(objects);
+  async bulkGet(objects = [], options = {}) {
+    return this._repository.bulkGet(objects, options);
   }
 
   /**
@@ -169,10 +176,12 @@ export class SavedObjectsClient {
    *
    * @param {string} type
    * @param {string} id
+   * @param {object} [options={}]
+   * @property {string} [options.namespace]
    * @returns {promise} - { id, type, version, attributes }
    */
-  async get(type, id) {
-    return this._repository.get(type, id);
+  async get(type, id, options = {}) {
+    return this._repository.get(type, id, options);
   }
 
   /**
@@ -182,6 +191,7 @@ export class SavedObjectsClient {
    * @param {string} id
    * @param {object} [options={}]
    * @property {integer} options.version - ensures version matches that of persisted object
+   * @property {string} [options.namespace]
    * @returns {promise}
    */
   async update(type, id, attributes, options = {}) {
diff --git a/src/server/saved_objects/service/saved_objects_client.test.js b/src/server/saved_objects/service/saved_objects_client.test.js
index a7189f5a39898b..e69b12d1218cc4 100644
--- a/src/server/saved_objects/service/saved_objects_client.test.js
+++ b/src/server/saved_objects/service/saved_objects_client.test.js
@@ -26,9 +26,9 @@ test(`#create`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const type = 'foo';
-  const attributes = {};
-  const options = {};
+  const type = Symbol();
+  const attributes = Symbol();
+  const options = Symbol();
   const result = await client.create(type, attributes, options);
 
   expect(mockRepository.create).toHaveBeenCalledWith(type, attributes, options);
@@ -42,8 +42,8 @@ test(`#bulkCreate`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const objects = [];
-  const options = {};
+  const objects = Symbol();
+  const options = Symbol();
   const result = await client.bulkCreate(objects, options);
 
   expect(mockRepository.bulkCreate).toHaveBeenCalledWith(objects, options);
@@ -57,11 +57,12 @@ test(`#delete`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const type = 'foo';
-  const id = 1;
-  const result = await client.delete(type, id);
+  const type = Symbol();
+  const id = Symbol();
+  const options = Symbol();
+  const result = await client.delete(type, id, options);
 
-  expect(mockRepository.delete).toHaveBeenCalledWith(type, id);
+  expect(mockRepository.delete).toHaveBeenCalledWith(type, id, options);
   expect(result).toBe(returnValue);
 });
 
@@ -72,7 +73,7 @@ test(`#find`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const options = {};
+  const options = Symbol();
   const result = await client.find(options);
 
   expect(mockRepository.find).toHaveBeenCalledWith(options);
@@ -86,10 +87,11 @@ test(`#bulkGet`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const objects = {};
-  const result = await client.bulkGet(objects);
+  const objects = Symbol();
+  const options = Symbol();
+  const result = await client.bulkGet(objects, options);
 
-  expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects);
+  expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects, options);
   expect(result).toBe(returnValue);
 });
 
@@ -100,11 +102,12 @@ test(`#get`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const type = 'foo';
-  const id = 1;
-  const result = await client.get(type, id);
+  const type = Symbol();
+  const id = Symbol();
+  const options = Symbol();
+  const result = await client.get(type, id, options);
 
-  expect(mockRepository.get).toHaveBeenCalledWith(type, id);
+  expect(mockRepository.get).toHaveBeenCalledWith(type, id, options);
   expect(result).toBe(returnValue);
 });
 
@@ -115,10 +118,10 @@ test(`#update`, async () => {
   };
   const client = new SavedObjectsClient(mockRepository);
 
-  const type = 'foo';
-  const id = 1;
-  const attributes = {};
-  const options = {};
+  const type = Symbol();
+  const id = Symbol();
+  const attributes = Symbol();
+  const options = Symbol();
   const result = await client.update(type, id, attributes, options);
 
   expect(mockRepository.update).toHaveBeenCalledWith(type, id, attributes, options);
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index eb19f59c296932..0825678f0f87d5 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -47,12 +47,12 @@ export class SecureSavedObjectsClient {
     );
   }
 
-  async delete(type, id) {
+  async delete(type, id, options = {}) {
     return await this._execute(
       type,
       'delete',
       { type, id },
-      repository => repository.delete(type, id),
+      repository => repository.delete(type, id, options),
     );
   }
 
@@ -64,22 +64,22 @@ export class SecureSavedObjectsClient {
     return await this._findAcrossAllTypes(options);
   }
 
-  async bulkGet(objects = []) {
+  async bulkGet(objects = [], options = {}) {
     const types = uniq(objects.map(o => o.type));
     return await this._execute(
       types,
       'bulk_get',
       { objects },
-      repository => repository.bulkGet(objects)
+      repository => repository.bulkGet(objects, options)
     );
   }
 
-  async get(type, id) {
+  async get(type, id, options = {}) {
     return await this._execute(
       type,
       'get',
       { type, id },
-      repository => repository.get(type, id)
+      repository => repository.get(type, id, options)
     );
   }
 
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
index 99656772c0df79..a099fab25135a4 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
@@ -353,8 +353,9 @@ describe('#delete', () => {
       actions: mockActions,
     });
     const id = Symbol();
+    const options = Symbol();
 
-    await expect(client.delete(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
+    await expect(client.delete(type, id, options)).rejects.toThrowError(mockErrors.forbiddenError);
 
     expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'delete')]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
@@ -366,6 +367,7 @@ describe('#delete', () => {
       {
         type,
         id,
+        options,
       }
     );
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -390,15 +392,17 @@ describe('#delete', () => {
       actions: createMockActions(),
     });
     const id = Symbol();
+    const options = Symbol();
 
-    const result = await client.delete(type, id);
+    const result = await client.delete(type, id, options);
 
     expect(result).toBe(returnValue);
-    expect(mockRepository.delete).toHaveBeenCalledWith(type, id);
+    expect(mockRepository.delete).toHaveBeenCalledWith(type, id, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'delete', [type], {
       type,
       id,
+      options,
     });
   });
 
@@ -422,11 +426,12 @@ describe('#delete', () => {
       actions: createMockActions(),
     });
     const id = Symbol();
+    const options = Symbol();
 
-    const result = await client.delete(type, id);
+    const result = await client.delete(type, id, options);
 
     expect(result).toBe(returnValue);
-    expect(mockRepository.delete).toHaveBeenCalledWith(type, id);
+    expect(mockRepository.delete).toHaveBeenCalledWith(type, id, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
@@ -820,8 +825,9 @@ describe('#bulkGet', () => {
       { type: type1 },
       { type: type2 },
     ];
+    const options = Symbol();
 
-    await expect(client.bulkGet(objects)).rejects.toThrowError(mockErrors.forbiddenError);
+    await expect(client.bulkGet(objects, options)).rejects.toThrowError(mockErrors.forbiddenError);
 
     expect(mockCheckPrivileges).toHaveBeenCalledWith([
       mockActions.getSavedObjectAction(type1, 'bulk_get'),
@@ -834,7 +840,8 @@ describe('#bulkGet', () => {
       [type1, type2],
       [mockActions.getSavedObjectAction(type1, 'bulk_get')],
       {
-        objects
+        objects,
+        options,
       }
     );
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -863,14 +870,16 @@ describe('#bulkGet', () => {
       { type: type1, id: 'foo-id' },
       { type: type2, id: 'bar-id' },
     ];
+    const options = Symbol();
 
-    const result = await client.bulkGet(objects);
+    const result = await client.bulkGet(objects, options);
 
     expect(result).toBe(returnValue);
-    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects);
+    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_get', [type1, type2], {
       objects,
+      options,
     });
   });
 
@@ -898,11 +907,12 @@ describe('#bulkGet', () => {
       { type: type1, id: 'foo-id' },
       { type: type2, id: 'bar-id' },
     ];
+    const options = Symbol();
 
-    const result = await client.bulkGet(objects);
+    const result = await client.bulkGet(objects, options);
 
     expect(result).toBe(returnValue);
-    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects);
+    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
@@ -950,8 +960,9 @@ describe('#get', () => {
       actions: mockActions,
     });
     const id = Symbol();
+    const options = Symbol();
 
-    await expect(client.get(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
+    await expect(client.get(type, id, options)).rejects.toThrowError(mockErrors.forbiddenError);
 
     expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'get')]);
     expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
@@ -963,6 +974,7 @@ describe('#get', () => {
       {
         type,
         id,
+        options,
       }
     );
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
@@ -987,15 +999,17 @@ describe('#get', () => {
       actions: createMockActions(),
     });
     const id = Symbol();
+    const options = Symbol();
 
-    const result = await client.get(type, id);
+    const result = await client.get(type, id, options);
 
     expect(result).toBe(returnValue);
-    expect(mockRepository.get).toHaveBeenCalledWith(type, id);
+    expect(mockRepository.get).toHaveBeenCalledWith(type, id, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'get', [type], {
       type,
       id,
+      options,
     });
   });
 
@@ -1019,11 +1033,12 @@ describe('#get', () => {
       actions: createMockActions(),
     });
     const id = Symbol();
+    const options = Symbol();
 
-    const result = await client.get(type, id);
+    const result = await client.get(type, id, options);
 
     expect(result).toBe(returnValue);
-    expect(mockRepository.get).toHaveBeenCalledWith(type, id);
+    expect(mockRepository.get).toHaveBeenCalledWith(type, id, options);
     expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
     expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
   });
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
index 5bb42acacd3920..ca9b9bb2ec1c22 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
@@ -69,50 +69,6 @@ export default function ({ getService }) {
       });
     };
 
-    const expectAllResultsIncludingInvalidTypes = (resp) => {
-      expect(resp.body).to.eql({
-        page: 1,
-        per_page: 20,
-        total: 5,
-        saved_objects: [
-          {
-            id: '91200a00-9efd-11e7-acb3-3dab96693fab',
-            type: 'index-pattern',
-            updated_at: '2017-09-21T18:49:16.270Z',
-            version: 1,
-            attributes: resp.body.saved_objects[0].attributes
-          },
-          {
-            id: '7.0.0-alpha1',
-            type: 'config',
-            updated_at: '2017-09-21T18:49:16.302Z',
-            version: 1,
-            attributes: resp.body.saved_objects[1].attributes
-          },
-          {
-            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
-            type: 'visualization',
-            updated_at: '2017-09-21T18:51:23.794Z',
-            version: 1,
-            attributes: resp.body.saved_objects[2].attributes
-          },
-          {
-            id: 'be3733a0-9efe-11e7-acb3-3dab96693fab',
-            type: 'dashboard',
-            updated_at: '2017-09-21T18:57:40.826Z',
-            version: 1,
-            attributes: resp.body.saved_objects[3].attributes
-          },
-          {
-            id: 'visualization:dd7caf20-9efd-11e7-acb3-3dab96693faa',
-            type: 'not-a-visualization',
-            updated_at: '2017-09-21T18:51:23.794Z',
-            version: 1
-          },
-        ]
-      });
-    };
-
     const createExpectEmpty = (page, perPage, total) => (resp) => {
       expect(resp.body).to.eql({
         page: page,
@@ -290,7 +246,7 @@ export default function ({ getService }) {
         noType: {
           description: 'all objects',
           statusCode: 200,
-          response: expectAllResultsIncludingInvalidTypes,
+          response: expectResultsWithValidTypes,
         },
       },
     });
@@ -324,7 +280,7 @@ export default function ({ getService }) {
         noType: {
           description: 'all objects',
           statusCode: 200,
-          response: expectAllResultsIncludingInvalidTypes,
+          response: expectResultsWithValidTypes,
         },
       }
     });

From 93c6b79e2282a2155023b1fe5507155de5c31b0c Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 07:58:22 -0700
Subject: [PATCH 153/183] Centralizing omitting the namespace when using
 serializer.rawToSavedObject

---
 .../saved_objects/service/lib/repository.js     | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/server/saved_objects/service/lib/repository.js b/src/server/saved_objects/service/lib/repository.js
index 0f585407cb86b6..41c098df2b7bcb 100644
--- a/src/server/saved_objects/service/lib/repository.js
+++ b/src/server/saved_objects/service/lib/repository.js
@@ -99,11 +99,10 @@ export class SavedObjectsRepository {
         body: raw._source,
       });
 
-      const savedObject = this._serializer.rawToSavedObject({
+      return this._rawToSavedObject({
         ...raw,
         ...response,
       });
-      return omit(savedObject, 'namespace');
     } catch (error) {
       if (errors.isNotFoundError(error)) {
         // See "503s from missing index" above
@@ -313,10 +312,7 @@ export class SavedObjectsRepository {
       page,
       per_page: perPage,
       total: response.hits.total,
-      saved_objects: response.hits.hits.map(hit => {
-        const savedObject = this._serializer.rawToSavedObject(hit);
-        return omit(savedObject, 'namespace');
-      }),
+      saved_objects: response.hits.hits.map(hit => this._rawToSavedObject(hit)),
     };
   }
 
@@ -484,4 +480,13 @@ export class SavedObjectsRepository {
   _getCurrentTime() {
     return new Date().toISOString();
   }
+
+  // The internal representation of the saved object that the serializer returns
+  // includes the namespace, and we use this for migrating documents. However, we don't
+  // want the namespcae to be returned from the repository, as the repository scopes each
+  // method transparently to the specified namespace.
+  _rawToSavedObject(raw) {
+    const savedObject = this._serializer.rawToSavedObject(raw);
+    return omit(savedObject, 'namespace');
+  }
 }

From ba43a69d2d383f7cebd8dd44ed5759ec995d8434 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 12:16:56 -0700
Subject: [PATCH 154/183] Passing the schema through to the
 SavedObjectRepositoryProvider

---
 src/server/saved_objects/saved_objects_mixin.js                | 2 +-
 .../saved_objects/service/create_saved_objects_service.js      | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/server/saved_objects/saved_objects_mixin.js b/src/server/saved_objects/saved_objects_mixin.js
index 2d876b0652e177..a487dc8e041cdc 100644
--- a/src/server/saved_objects/saved_objects_mixin.js
+++ b/src/server/saved_objects/saved_objects_mixin.js
@@ -66,7 +66,7 @@ export function savedObjectsMixin(kbnServer, server) {
 
   const schema = new SavedObjectsSchema(kbnServer.uiExports.savedObjectSchemas);
   const serializer = new SavedObjectsSerializer(schema);
-  server.decorate('server', 'savedObjects', createSavedObjectsService(server, serializer, migrator));
+  server.decorate('server', 'savedObjects', createSavedObjectsService(server, schema, serializer, migrator));
 
   const savedObjectsClientCache = new WeakMap();
   server.decorate('request', 'getSavedObjectsClient', function () {
diff --git a/src/server/saved_objects/service/create_saved_objects_service.js b/src/server/saved_objects/service/create_saved_objects_service.js
index 79af776984afee..c57d45effa8d77 100644
--- a/src/server/saved_objects/service/create_saved_objects_service.js
+++ b/src/server/saved_objects/service/create_saved_objects_service.js
@@ -30,7 +30,7 @@ import { SavedObjectsClient } from './saved_objects_client';
 // import / export from the Kibana UI. Import / export functionality needs to apply migrations to documents.
 // Eventually, we hope to build a first-class import / export API, at which point, we can
 // remove the migrator from the saved objects client and leave only document validation here.
-export function createSavedObjectsService(server, serializer, migrator) {
+export function createSavedObjectsService(server, schema, serializer, migrator) {
   const onBeforeWrite = async () => {
     const adminCluster = server.plugins.elasticsearch.getCluster('admin');
 
@@ -72,6 +72,7 @@ export function createSavedObjectsService(server, serializer, migrator) {
     index: server.config().get('kibana.index'),
     migrator,
     mappings,
+    schema,
     serializer,
     onBeforeWrite,
   });

From 954d9dfd9c03c77a95d000e6a738a89ea2d2cd18 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 12:23:02 -0700
Subject: [PATCH 155/183] Changing the schema to work with undefined ui exports
 schemas

---
 .../migrations/core/index_migrator.test.ts    |   2 +-
 .../migrations/core/migrate_raw_docs.test.ts  |  24 ++---
 src/server/saved_objects/schema/schema.ts     |  10 +-
 .../serialization/serialization.test.ts       | 100 +++++++++---------
 4 files changed, 67 insertions(+), 69 deletions(-)

diff --git a/src/server/saved_objects/migrations/core/index_migrator.test.ts b/src/server/saved_objects/migrations/core/index_migrator.test.ts
index e99a49ff35b610..d14c8f55c9b927 100644
--- a/src/server/saved_objects/migrations/core/index_migrator.test.ts
+++ b/src/server/saved_objects/migrations/core/index_migrator.test.ts
@@ -305,7 +305,7 @@ function defaultOpts() {
       migrationVersion: {},
       migrate: _.identity,
     },
-    serializer: new SavedObjectsSerializer(new SavedObjectsSchema({})),
+    serializer: new SavedObjectsSerializer(new SavedObjectsSchema()),
   };
 }
 
diff --git a/src/server/saved_objects/migrations/core/migrate_raw_docs.test.ts b/src/server/saved_objects/migrations/core/migrate_raw_docs.test.ts
index 96e26c2b4f403b..a4906b9c7ec851 100644
--- a/src/server/saved_objects/migrations/core/migrate_raw_docs.test.ts
+++ b/src/server/saved_objects/migrations/core/migrate_raw_docs.test.ts
@@ -26,14 +26,10 @@ import { migrateRawDocs } from './migrate_raw_docs';
 describe('migrateRawDocs', () => {
   test('converts raw docs to saved objects', async () => {
     const transform = sinon.spy((doc: any) => _.set(doc, 'attributes.name', 'HOI!'));
-    const result = migrateRawDocs(
-      new SavedObjectsSerializer(new SavedObjectsSchema({})),
-      transform,
-      [
-        { _id: 'a:b', _source: { type: 'a', a: { name: 'AAA' } } },
-        { _id: 'c:d', _source: { type: 'c', c: { name: 'DDD' } } },
-      ]
-    );
+    const result = migrateRawDocs(new SavedObjectsSerializer(new SavedObjectsSchema()), transform, [
+      { _id: 'a:b', _source: { type: 'a', a: { name: 'AAA' } } },
+      { _id: 'c:d', _source: { type: 'c', c: { name: 'DDD' } } },
+    ]);
 
     expect(result).toEqual([
       {
@@ -53,14 +49,10 @@ describe('migrateRawDocs', () => {
 
   test('passes invalid docs through untouched', async () => {
     const transform = sinon.spy((doc: any) => _.set(_.cloneDeep(doc), 'attributes.name', 'TADA'));
-    const result = migrateRawDocs(
-      new SavedObjectsSerializer(new SavedObjectsSchema({})),
-      transform,
-      [
-        { _id: 'foo:b', _source: { type: 'a', a: { name: 'AAA' } } },
-        { _id: 'c:d', _source: { type: 'c', c: { name: 'DDD' } } },
-      ]
-    );
+    const result = migrateRawDocs(new SavedObjectsSerializer(new SavedObjectsSchema()), transform, [
+      { _id: 'foo:b', _source: { type: 'a', a: { name: 'AAA' } } },
+      { _id: 'c:d', _source: { type: 'c', c: { name: 'DDD' } } },
+    ]);
 
     expect(result).toEqual([
       { _id: 'foo:b', _source: { type: 'a', a: { name: 'AAA' } } },
diff --git a/src/server/saved_objects/schema/schema.ts b/src/server/saved_objects/schema/schema.ts
index b53ba37d6a7319..2f40fe1dd1198f 100644
--- a/src/server/saved_objects/schema/schema.ts
+++ b/src/server/saved_objects/schema/schema.ts
@@ -26,12 +26,18 @@ export interface UIExportsSavedObjectsSchema {
 }
 
 export class SavedObjectsSchema {
-  private readonly schema: UIExportsSavedObjectsSchema;
-  constructor(uiExportsSchema: UIExportsSavedObjectsSchema) {
+  private readonly schema?: UIExportsSavedObjectsSchema;
+  constructor(uiExportsSchema?: UIExportsSavedObjectsSchema) {
     this.schema = uiExportsSchema;
   }
 
   public isNamespaceAgnostic(type: string) {
+    // if no plugins have registered a uiExports.savedObjectSchemas,
+    // this.schema will be undefined, and no types are namespace agnostic
+    if (!this.schema) {
+      return false;
+    }
+
     const typeSchema = this.schema[type];
     if (!typeSchema) {
       return false;
diff --git a/src/server/saved_objects/serialization/serialization.test.ts b/src/server/saved_objects/serialization/serialization.test.ts
index 2a1b554b3bf6b8..22f919da24007a 100644
--- a/src/server/saved_objects/serialization/serialization.test.ts
+++ b/src/server/saved_objects/serialization/serialization.test.ts
@@ -24,7 +24,7 @@ import { SavedObjectsSchema } from '../schema';
 describe('saved object conversion', () => {
   describe('#rawToSavedObject', () => {
     test('it copies the _source.type property to type', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.rawToSavedObject({
         _id: 'foo:bar',
         _source: {
@@ -35,7 +35,7 @@ describe('saved object conversion', () => {
     });
 
     test('if specified it copies the _source.migrationVersion property to migrationVersion', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.rawToSavedObject({
         _id: 'foo:bar',
         _source: {
@@ -53,7 +53,7 @@ describe('saved object conversion', () => {
     });
 
     test(`if _source.migrationVersion is unspecified it doesn't set migrationVersion`, () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.rawToSavedObject({
         _id: 'foo:bar',
         _source: {
@@ -65,7 +65,7 @@ describe('saved object conversion', () => {
 
     test('it converts the id and type properties, and retains migrationVersion', () => {
       const now = new Date();
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.rawToSavedObject({
         _id: 'hello:world',
         _type: ROOT_TYPE,
@@ -101,7 +101,7 @@ describe('saved object conversion', () => {
     });
 
     test(`if version is unspecified it doesn't set version`, () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.rawToSavedObject({
         _id: 'foo:bar',
         _source: {
@@ -113,7 +113,7 @@ describe('saved object conversion', () => {
     });
 
     test(`if specified it copies _version to version`, () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.rawToSavedObject({
         _id: 'foo:bar',
         _version: 4,
@@ -126,7 +126,7 @@ describe('saved object conversion', () => {
     });
 
     test('if specified it copies the _source.updated_at property to updated_at', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const now = Date();
       const actual = serializer.rawToSavedObject({
         _id: 'foo:bar',
@@ -139,7 +139,7 @@ describe('saved object conversion', () => {
     });
 
     test(`if _source.updated_at is unspecified it doesn't set updated_at`, () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.rawToSavedObject({
         _id: 'foo:bar',
         _source: {
@@ -150,7 +150,7 @@ describe('saved object conversion', () => {
     });
 
     test('it does not pass unknown properties through', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.rawToSavedObject({
         _id: 'universe',
         _type: ROOT_TYPE,
@@ -172,7 +172,7 @@ describe('saved object conversion', () => {
     });
 
     test('it does not create attributes if [type] is missing', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.rawToSavedObject({
         _id: 'universe',
         _type: ROOT_TYPE,
@@ -187,7 +187,7 @@ describe('saved object conversion', () => {
     });
 
     test('it fails for documents which do not specify a type', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       expect(() =>
         serializer.rawToSavedObject({
           _id: 'universe',
@@ -202,7 +202,7 @@ describe('saved object conversion', () => {
     });
 
     test('it is complimentary with savedObjectToRaw', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const raw = {
         _id: 'foo:bar',
         _type: ROOT_TYPE,
@@ -227,7 +227,7 @@ describe('saved object conversion', () => {
     });
 
     test('it handles unprefixed ids', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.rawToSavedObject({
         _id: 'universe',
         _source: {
@@ -240,7 +240,7 @@ describe('saved object conversion', () => {
 
     describe('namespaced type without a namespace', () => {
       test(`removes type prefix from _id`, () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const actual = serializer.rawToSavedObject({
           _id: 'foo:bar',
           _source: {
@@ -252,7 +252,7 @@ describe('saved object conversion', () => {
       });
 
       test(`if prefixed by random prefix and type it copies _id to id`, () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const actual = serializer.rawToSavedObject({
           _id: 'random:foo:bar',
           _source: {
@@ -264,7 +264,7 @@ describe('saved object conversion', () => {
       });
 
       test(`doesn't specify namespace`, () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const actual = serializer.rawToSavedObject({
           _id: 'foo:bar',
           _source: {
@@ -278,7 +278,7 @@ describe('saved object conversion', () => {
 
     describe('namespaced type with a namespace', () => {
       test(`removes type and namespace prefix from _id`, () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const actual = serializer.rawToSavedObject({
           _id: 'baz:foo:bar',
           _source: {
@@ -291,7 +291,7 @@ describe('saved object conversion', () => {
       });
 
       test(`if prefixed by only type it copies _id to id`, () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const actual = serializer.rawToSavedObject({
           _id: 'foo:bar',
           _source: {
@@ -304,7 +304,7 @@ describe('saved object conversion', () => {
       });
 
       test(`if prefixed by random prefix and type it copies _id to id`, () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const actual = serializer.rawToSavedObject({
           _id: 'random:foo:bar',
           _source: {
@@ -317,7 +317,7 @@ describe('saved object conversion', () => {
       });
 
       test(`copies _source.namespace to namespace`, () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const actual = serializer.rawToSavedObject({
           _id: 'baz:foo:bar',
           _source: {
@@ -380,7 +380,7 @@ describe('saved object conversion', () => {
 
   describe('#savedObjectToRaw', () => {
     test('it copies the type property to _source.type and uses the ROOT_TYPE as _type', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.savedObjectToRaw({
         type: 'foo',
         attributes: {},
@@ -391,7 +391,7 @@ describe('saved object conversion', () => {
     });
 
     test('if specified it copies the updated_at property to _source.updated_at', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const now = new Date();
       const actual = serializer.savedObjectToRaw({
         type: '',
@@ -403,7 +403,7 @@ describe('saved object conversion', () => {
     });
 
     test(`if unspecified it doesn't add updated_at property to _source`, () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.savedObjectToRaw({
         type: '',
         attributes: {},
@@ -413,7 +413,7 @@ describe('saved object conversion', () => {
     });
 
     test('it copies the migrationVersion property to _source.migrationVersion', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.savedObjectToRaw({
         type: '',
         attributes: {},
@@ -430,7 +430,7 @@ describe('saved object conversion', () => {
     });
 
     test(`if unspecified it doesn't add migrationVersion property to _source`, () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.savedObjectToRaw({
         type: '',
         attributes: {},
@@ -440,7 +440,7 @@ describe('saved object conversion', () => {
     });
 
     test('it copies the version property to _version', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.savedObjectToRaw({
         type: '',
         attributes: {},
@@ -451,7 +451,7 @@ describe('saved object conversion', () => {
     });
 
     test(`if unspecified it doesn't add _version property`, () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.savedObjectToRaw({
         type: '',
         attributes: {},
@@ -461,7 +461,7 @@ describe('saved object conversion', () => {
     });
 
     test('it copies attributes to _source[type]', () => {
-      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+      const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const actual = serializer.savedObjectToRaw({
         type: 'foo',
         attributes: {
@@ -478,7 +478,7 @@ describe('saved object conversion', () => {
 
     describe('namespaced type without a namespace', () => {
       test('generates an id prefixed with type, if no id is specified', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const v1 = serializer.savedObjectToRaw({
           type: 'foo',
           attributes: {
@@ -498,7 +498,7 @@ describe('saved object conversion', () => {
       });
 
       test(`doesn't specify _source.namespace`, () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const actual = serializer.savedObjectToRaw({
           type: '',
           attributes: {},
@@ -510,7 +510,7 @@ describe('saved object conversion', () => {
 
     describe('namespaced type with a namespace', () => {
       test('generates an id prefixed with namespace and type, if no id is specified', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const v1 = serializer.savedObjectToRaw({
           type: 'foo',
           namespace: 'bar',
@@ -532,7 +532,7 @@ describe('saved object conversion', () => {
       });
 
       test(`it copies namespace to _source.namespace`, () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const actual = serializer.savedObjectToRaw({
           type: 'foo',
           attributes: {},
@@ -586,7 +586,7 @@ describe('saved object conversion', () => {
   describe('#isRawSavedObject', () => {
     describe('namespaced type without a namespace', () => {
       test('is true if the id is prefixed and the type matches', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'hello:world',
@@ -599,7 +599,7 @@ describe('saved object conversion', () => {
       });
 
       test('is false if the id is not prefixed', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'world',
@@ -612,7 +612,7 @@ describe('saved object conversion', () => {
       });
 
       test('is false if the type attribute is missing', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'hello:world',
@@ -624,7 +624,7 @@ describe('saved object conversion', () => {
       });
 
       test('is false if the type attribute does not match the id', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'hello:world',
@@ -638,7 +638,7 @@ describe('saved object conversion', () => {
       });
 
       test('is false if there is no [type] attribute', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'hello:world',
@@ -653,7 +653,7 @@ describe('saved object conversion', () => {
 
     describe('namespaced type with a namespace', () => {
       test('is true if the id is prefixed with type and namespace and the type matches', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'foo:hello:world',
@@ -667,7 +667,7 @@ describe('saved object conversion', () => {
       });
 
       test('is false if the id is not prefixed by anything', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'world',
@@ -681,7 +681,7 @@ describe('saved object conversion', () => {
       });
 
       test('is false if the id is prefixed only with type and the type matches', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'hello:world',
@@ -695,7 +695,7 @@ describe('saved object conversion', () => {
       });
 
       test('is false if the id is prefixed only with namespace and the namespace matches', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'foo:world',
@@ -709,7 +709,7 @@ describe('saved object conversion', () => {
       });
 
       test('is false if the type attribute is missing', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'foo:hello:world',
@@ -722,7 +722,7 @@ describe('saved object conversion', () => {
       });
 
       test('is false if the type attribute does not match the id', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'foo:hello:world',
@@ -737,7 +737,7 @@ describe('saved object conversion', () => {
       });
 
       test('is false if the namespace attribute does not match the id', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'bar:jam:world',
@@ -752,7 +752,7 @@ describe('saved object conversion', () => {
       });
 
       test('is false if there is no [type] attribute', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         expect(
           serializer.isRawSavedObject({
             _id: 'hello:world',
@@ -868,13 +868,13 @@ describe('saved object conversion', () => {
   describe('#generateRawId', () => {
     describe('namespaced type without a namespace', () => {
       test('generates an id if none is specified', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const id = serializer.generateRawId('', 'goodbye');
         expect(id).toMatch(/goodbye\:[\w-]+$/);
       });
 
       test('uses the id that is specified', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const id = serializer.generateRawId('', 'hello', 'world');
         expect(id).toMatch('hello:world');
       });
@@ -882,13 +882,13 @@ describe('saved object conversion', () => {
 
     describe('namespaced type with a namespace', () => {
       test('generates an id if none is specified and prefixes namespace', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const id = serializer.generateRawId('foo', 'goodbye');
         expect(id).toMatch(/foo:goodbye\:[\w-]+$/);
       });
 
       test('uses the id that is specified and prefixes the namespace', () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const id = serializer.generateRawId('foo', 'hello', 'world');
         expect(id).toMatch('foo:hello:world');
       });
@@ -904,7 +904,7 @@ describe('saved object conversion', () => {
       });
 
       test(`uses the id that is specified and doesn't prefix the namespace`, () => {
-        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema({}));
+        const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
         const id = serializer.generateRawId('foo', 'hello', 'world');
         expect(id).toMatch('hello:world');
       });

From a293000d75d4f8fdfaac80bc088c34f254a8f23e Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 12:24:20 -0700
Subject: [PATCH 156/183] Adding schema tests

---
 .../saved_objects/schema/schema.test.ts       | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 src/server/saved_objects/schema/schema.test.ts

diff --git a/src/server/saved_objects/schema/schema.test.ts b/src/server/saved_objects/schema/schema.test.ts
new file mode 100644
index 00000000000000..43cf27fbae7907
--- /dev/null
+++ b/src/server/saved_objects/schema/schema.test.ts
@@ -0,0 +1,48 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { SavedObjectsSchema } from './schema';
+
+describe('#isNamespaceAgnostic', () => {
+  it(`returns false for unknown types`, () => {
+    const schema = new SavedObjectsSchema();
+    const result = schema.isNamespaceAgnostic('bar');
+    expect(result).toBe(false);
+  });
+
+  it(`returns true for explicitly namespace agnostic type`, () => {
+    const schema = new SavedObjectsSchema({
+      foo: {
+        isNamespaceAgnostic: true,
+      },
+    });
+    const result = schema.isNamespaceAgnostic('foo');
+    expect(result).toBe(true);
+  });
+
+  it(`returns false for explicitly namespaced type`, () => {
+    const schema = new SavedObjectsSchema({
+      foo: {
+        isNamespaceAgnostic: false,
+      },
+    });
+    const result = schema.isNamespaceAgnostic('foo');
+    expect(result).toBe(false);
+  });
+});

From 86edf751cbd83e2b6db930de71342c9a4bc3cfb2 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 12:27:07 -0700
Subject: [PATCH 157/183] Making the complimentary serialization test use the
 namespace

---
 src/server/saved_objects/serialization/serialization.test.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/server/saved_objects/serialization/serialization.test.ts b/src/server/saved_objects/serialization/serialization.test.ts
index 22f919da24007a..196275d2e726d2 100644
--- a/src/server/saved_objects/serialization/serialization.test.ts
+++ b/src/server/saved_objects/serialization/serialization.test.ts
@@ -204,7 +204,7 @@ describe('saved object conversion', () => {
     test('it is complimentary with savedObjectToRaw', () => {
       const serializer = new SavedObjectsSerializer(new SavedObjectsSchema());
       const raw = {
-        _id: 'foo:bar',
+        _id: 'foo-namespace:foo:bar',
         _type: ROOT_TYPE,
         _version: 24,
         _source: {
@@ -217,6 +217,7 @@ describe('saved object conversion', () => {
             foo: '1.2.3',
             bar: '9.8.7',
           },
+          namespace: 'foo-namespace',
           updated_at: new Date(),
         },
       };

From f54a294a89e40374f39011dcf8906e9a956cd679 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 12:31:30 -0700
Subject: [PATCH 158/183] Fixing uiExports

---
 .../__tests__/collect_ui_exports.js           | 23 +++++++++++++++++--
 src/ui/ui_exports/ui_export_types/index.js    |  2 +-
 .../ui_export_types/saved_object.js           |  2 +-
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/src/ui/ui_exports/__tests__/collect_ui_exports.js b/src/ui/ui_exports/__tests__/collect_ui_exports.js
index 2a7464e58c8d09..58f55cdf6915b1 100644
--- a/src/ui/ui_exports/__tests__/collect_ui_exports.js
+++ b/src/ui/ui_exports/__tests__/collect_ui_exports.js
@@ -38,7 +38,12 @@ const specs = new PluginPack({
             'plugin/test/visType1',
             'plugin/test/visType2',
             'plugin/test/visType3',
-          ]
+          ],
+          savedObjectSchemas: {
+            foo: {
+              isNamespaceAgnostic: true
+            }
+          }
         }
       }),
       new Plugin({
@@ -48,7 +53,12 @@ const specs = new PluginPack({
             'plugin/test2/visType1',
             'plugin/test2/visType2',
             'plugin/test2/visType3',
-          ]
+          ],
+          savedObjectSchemas: {
+            bar: {
+              isNamespaceAgnostic: true
+            }
+          }
         }
       }),
     ];
@@ -70,6 +80,15 @@ describe('plugin discovery', () => {
         'plugin/test2/visType2',
         'plugin/test2/visType3'
       ]);
+
+      expect(uiExports.savedObjectSchemas).to.eql({
+        foo: {
+          isNamespaceAgnostic: true
+        },
+        bar: {
+          isNamespaceAgnostic: true
+        },
+      });
     });
   });
 });
diff --git a/src/ui/ui_exports/ui_export_types/index.js b/src/ui/ui_exports/ui_export_types/index.js
index f870e29bd43e54..9ddd6e97cde0dc 100644
--- a/src/ui/ui_exports/ui_export_types/index.js
+++ b/src/ui/ui_exports/ui_export_types/index.js
@@ -25,7 +25,7 @@ export {
 export {
   mappings,
   migrations,
-  schemas,
+  savedObjectSchemas,
   validations,
 } from './saved_object';
 
diff --git a/src/ui/ui_exports/ui_export_types/saved_object.js b/src/ui/ui_exports/ui_export_types/saved_object.js
index f9c0ae45816fe9..4b0ab0eefea390 100644
--- a/src/ui/ui_exports/ui_export_types/saved_object.js
+++ b/src/ui/ui_exports/ui_export_types/saved_object.js
@@ -35,7 +35,7 @@ export const mappings = wrap(
 // See saved_objects/migrations for more details.
 export const migrations = wrap(alias('savedObjectMigrations'), uniqueKeys(), mergeAtType);
 
-export const schemas = wrap(alias('savedObjectSchemas'), uniqueKeys(), mergeAtType);
+export const savedObjectSchemas = wrap(uniqueKeys(), mergeAtType);
 
 // Combines the `validations` property of each plugin,
 // ensuring that properties are unique across plugins.

From 1cbd7030f6e6e4245f4f8e18e35bc2db8c51fc4d Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 13:36:26 -0700
Subject: [PATCH 159/183] Removing erroneous export

---
 src/server/saved_objects/service/lib/index.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/server/saved_objects/service/lib/index.js b/src/server/saved_objects/service/lib/index.js
index e773275b9dfa17..30adefe7e47c1c 100644
--- a/src/server/saved_objects/service/lib/index.js
+++ b/src/server/saved_objects/service/lib/index.js
@@ -20,7 +20,6 @@
 export { SavedObjectsRepository } from './repository';
 export { ScopedSavedObjectsClientProvider } from './scoped_client_provider';
 export { SavedObjectsRepositoryProvider } from './repository_provider';
-export { SavedObjectsSchema } from './schema';
 
 import * as errors from './errors';
 export { errors };

From 78d44ebee0b553b66ba5bceead44189c67cc0a39 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 14:47:29 -0700
Subject: [PATCH 160/183] Fixing find api integration tests with no type

---
 .../common/suites/find.ts                     | 53 +++------------
 .../security_and_spaces/apis/find.ts          | 68 +++++++++----------
 .../security_only/apis/find.ts                | 44 ++++++------
 .../spaces_only/apis/find.ts                  | 14 ++--
 4 files changed, 72 insertions(+), 107 deletions(-)

diff --git a/x-pack/test/saved_object_api_integration/common/suites/find.ts b/x-pack/test/saved_object_api_integration/common/suites/find.ts
index 387834a4fa999b..92a57d3b88c142 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/find.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/find.ts
@@ -142,50 +142,15 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     });
   };
 
-  const createExpectResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+  const expectTypeRequired = (resp: any) => {
     expect(resp.body).to.eql({
-      page: 1,
-      per_page: 20,
-      total: 5,
-      saved_objects: [
-        {
-          id: `${getIdPrefix(spaceId)}91200a00-9efd-11e7-acb3-3dab96693fab`,
-          type: 'index-pattern',
-          updated_at: '2017-09-21T18:49:16.270Z',
-          version: 1,
-          attributes: resp.body.saved_objects[0].attributes,
-        },
-        {
-          id: '7.0.0-alpha1',
-          type: 'config',
-          updated_at: '2017-09-21T18:49:16.302Z',
-          version: 1,
-          attributes: resp.body.saved_objects[1].attributes,
-        },
-        {
-          id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
-          type: 'visualization',
-          updated_at: '2017-09-21T18:51:23.794Z',
-          version: 1,
-          attributes: resp.body.saved_objects[2].attributes,
-        },
-        {
-          id: `${getIdPrefix(spaceId)}be3733a0-9efe-11e7-acb3-3dab96693fab`,
-          type: 'dashboard',
-          updated_at: '2017-09-21T18:57:40.826Z',
-          version: 1,
-          attributes: resp.body.saved_objects[3].attributes,
-        },
-        {
-          id: `8121a00-8efd-21e7-1cb3-34ab966434445`,
-          type: 'globaltype',
-          updated_at: '2017-09-21T18:59:16.270Z',
-          version: 1,
-          attributes: {
-            name: 'My favorite global object',
-          },
-        },
-      ],
+      error: 'Bad Request',
+      message: 'child "type" fails because ["type" is required]',
+      statusCode: 400,
+      validation: {
+        keys: ['type'],
+        source: 'query',
+      },
     });
   };
 
@@ -228,10 +193,10 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
   return {
     createExpectEmpty,
     createExpectRbacForbidden,
-    createExpectResults,
     createExpectLegacyForbidden,
     createExpectVisualizationResults,
     expectNotSpaceAwareResults,
+    expectTypeRequired,
     findTest,
   };
 }
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
index f24d0f7868b977..bed788143083ea 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
@@ -18,10 +18,10 @@ export default function({ getService }: TestInvoker) {
     const {
       createExpectEmpty,
       createExpectRbacForbidden,
-      createExpectResults,
       createExpectLegacyForbidden,
       createExpectVisualizationResults,
       expectNotSpaceAwareResults,
+      expectTypeRequired,
       findTest,
     } = findTestSuiteFactory(esArchiver, supertest);
 
@@ -89,9 +89,9 @@ export default function({ getService }: TestInvoker) {
             response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
           },
           noType: {
-            description: `forbidded can't find any types`,
-            statusCode: 403,
-            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+            description: 'bad request, type is required',
+            statusCode: 400,
+            response: expectTypeRequired,
           },
         },
       });
@@ -129,9 +129,9 @@ export default function({ getService }: TestInvoker) {
             response: createExpectEmpty(1, 20, 0),
           },
           noType: {
-            description: 'all objects',
-            statusCode: 200,
-            response: createExpectResults(scenario.spaceId),
+            description: 'bad request, type is required',
+            statusCode: 400,
+            response: expectTypeRequired,
           },
         },
       });
@@ -169,9 +169,9 @@ export default function({ getService }: TestInvoker) {
             response: createExpectEmpty(1, 20, 0),
           },
           noType: {
-            description: 'all objects',
-            statusCode: 200,
-            response: createExpectResults(scenario.spaceId),
+            description: 'bad request, type is required',
+            statusCode: 400,
+            response: expectTypeRequired,
           },
         },
       });
@@ -209,9 +209,9 @@ export default function({ getService }: TestInvoker) {
             response: createExpectEmpty(1, 20, 0),
           },
           noType: {
-            description: 'all objects',
-            statusCode: 200,
-            response: createExpectResults(scenario.spaceId),
+            description: 'bad request, type is required',
+            statusCode: 400,
+            response: expectTypeRequired,
           },
         },
       });
@@ -249,9 +249,9 @@ export default function({ getService }: TestInvoker) {
             response: createExpectEmpty(1, 20, 0),
           },
           noType: {
-            description: 'all objects',
-            statusCode: 200,
-            response: createExpectResults(scenario.spaceId),
+            description: 'bad request, type is required',
+            statusCode: 400,
+            response: expectTypeRequired,
           },
         },
       });
@@ -289,9 +289,9 @@ export default function({ getService }: TestInvoker) {
             response: createExpectRbacForbidden('wigwags'),
           },
           noType: {
-            description: 'all objects',
-            statusCode: 200,
-            response: createExpectResults(scenario.spaceId),
+            description: 'bad request, type is required',
+            statusCode: 400,
+            response: expectTypeRequired,
           },
         },
       });
@@ -329,9 +329,9 @@ export default function({ getService }: TestInvoker) {
             response: createExpectEmpty(1, 20, 0),
           },
           noType: {
-            description: 'all objects',
-            statusCode: 200,
-            response: createExpectResults(scenario.spaceId),
+            description: 'bad request, type is required',
+            statusCode: 400,
+            response: expectTypeRequired,
           },
         },
       });
@@ -369,9 +369,9 @@ export default function({ getService }: TestInvoker) {
             response: createExpectRbacForbidden('wigwags'),
           },
           noType: {
-            description: 'all objects',
-            statusCode: 200,
-            response: createExpectResults(scenario.spaceId),
+            description: 'bad request, type is required',
+            statusCode: 400,
+            response: expectTypeRequired,
           },
         },
       });
@@ -409,9 +409,9 @@ export default function({ getService }: TestInvoker) {
             response: createExpectRbacForbidden('wigwags'),
           },
           noType: {
-            description: 'all objects',
-            statusCode: 200,
-            response: createExpectResults(scenario.spaceId),
+            description: 'bad request, type is required',
+            statusCode: 400,
+            response: expectTypeRequired,
           },
         },
       });
@@ -449,9 +449,9 @@ export default function({ getService }: TestInvoker) {
             response: createExpectRbacForbidden('wigwags'),
           },
           noType: {
-            description: 'all objects',
-            statusCode: 200,
-            response: createExpectResults(scenario.spaceId),
+            description: 'bad request, type is required',
+            statusCode: 400,
+            response: expectTypeRequired,
           },
         },
       });
@@ -491,9 +491,9 @@ export default function({ getService }: TestInvoker) {
               response: createExpectRbacForbidden('wigwags'),
             },
             noType: {
-              description: `forbidded can't find any types`,
-              statusCode: 403,
-              response: createExpectRbacForbidden(),
+              description: 'bad request, type is required',
+              statusCode: 400,
+              response: expectTypeRequired,
             },
           },
         }
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
index 04ba16e075ba6c..35634e3f5d9e36 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
@@ -17,10 +17,10 @@ export default function({ getService }: TestInvoker) {
     const {
       createExpectEmpty,
       createExpectRbacForbidden,
-      createExpectResults,
       createExpectLegacyForbidden,
       createExpectVisualizationResults,
       expectNotSpaceAwareResults,
+      expectTypeRequired,
       findTest,
     } = findTestSuiteFactory(esArchiver, supertest);
 
@@ -95,9 +95,9 @@ export default function({ getService }: TestInvoker) {
           response: createExpectEmpty(1, 20, 0),
         },
         noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: createExpectResults(),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });
@@ -134,9 +134,9 @@ export default function({ getService }: TestInvoker) {
           response: createExpectEmpty(1, 20, 0),
         },
         noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: createExpectResults(),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });
@@ -173,9 +173,9 @@ export default function({ getService }: TestInvoker) {
           response: createExpectEmpty(1, 20, 0),
         },
         noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: createExpectResults(),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });
@@ -212,9 +212,9 @@ export default function({ getService }: TestInvoker) {
           response: createExpectEmpty(1, 20, 0),
         },
         noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: createExpectResults(),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });
@@ -251,9 +251,9 @@ export default function({ getService }: TestInvoker) {
           response: createExpectRbacForbidden('wigwags'),
         },
         noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: createExpectResults(),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });
@@ -290,9 +290,9 @@ export default function({ getService }: TestInvoker) {
           response: createExpectEmpty(1, 20, 0),
         },
         noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: createExpectResults(),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });
@@ -329,9 +329,9 @@ export default function({ getService }: TestInvoker) {
           response: createExpectRbacForbidden('wigwags'),
         },
         noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: createExpectResults(),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/find.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/find.ts
index 421b752801bfd5..4f704b3d382197 100644
--- a/x-pack/test/saved_object_api_integration/spaces_only/apis/find.ts
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/find.ts
@@ -15,9 +15,9 @@ export default function({ getService }: TestInvoker) {
 
   const {
     createExpectEmpty,
-    createExpectResults,
     createExpectVisualizationResults,
     expectNotSpaceAwareResults,
+    expectTypeRequired,
     findTest,
   } = findTestSuiteFactory(esArchiver, supertest);
 
@@ -51,9 +51,9 @@ export default function({ getService }: TestInvoker) {
           response: createExpectEmpty(1, 20, 0),
         },
         noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: createExpectResults(SPACES.SPACE_1.spaceId),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });
@@ -87,9 +87,9 @@ export default function({ getService }: TestInvoker) {
           response: createExpectEmpty(1, 20, 0),
         },
         noType: {
-          description: 'all objects',
-          statusCode: 200,
-          response: createExpectResults(SPACES.DEFAULT.spaceId),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });

From 3e20cda68df792dab2d7907c1cc9f796486f8e54 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 15:01:12 -0700
Subject: [PATCH 161/183] Fixing some tests

---
 src/server/saved_objects/service/lib/repository.test.js     | 1 +
 .../saved_objects/service/lib/search_dsl/search_dsl.test.js | 2 +-
 .../lib/saved_objects_client/secure_saved_objects_client.js | 6 +++---
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
index 78485f2d5ca25e..c9a0e645b3015b 100644
--- a/src/server/saved_objects/service/lib/repository.test.js
+++ b/src/server/saved_objects/service/lib/repository.test.js
@@ -759,6 +759,7 @@ describe('SavedObjectsRepository', () => {
       const count = namespacedSearchResults.hits.hits.length;
 
       const response = await savedObjectsRepository.find({
+        type: 'foo',
         namespace: 'foo-namespace',
       });
 
diff --git a/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js b/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js
index 1dffd7050afed2..18c1aa4e9a4fc5 100644
--- a/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js
+++ b/src/server/saved_objects/service/lib/search_dsl/search_dsl.test.js
@@ -94,7 +94,7 @@ describe('getSearchDsl', () => {
     it('returns combination of getQueryParams and getSortingParams', () => {
       sandbox.stub(queryParamsNS, 'getQueryParams').returns({ a: 'a' });
       sandbox.stub(sortParamsNS, 'getSortingParams').returns({ b: 'b' });
-      expect(getSearchDsl(null, { type: 'foo' })).toEqual({ a: 'a', b: 'b' });
+      expect(getSearchDsl(null, null, { type: 'foo' })).toEqual({ a: 'a', b: 'b' });
     });
   });
 });
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
index 74c435a6df0ba7..df6052dc4bb3dc 100644
--- a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -49,7 +49,7 @@ export class SecureSavedObjectsClient {
     return await this._execute(
       type,
       'delete',
-      { type, id },
+      { type, id, options },
       repository => repository.delete(type, id, options),
     );
   }
@@ -68,7 +68,7 @@ export class SecureSavedObjectsClient {
     return await this._execute(
       types,
       'bulk_get',
-      { objects },
+      { objects, options },
       repository => repository.bulkGet(objects, options)
     );
   }
@@ -77,7 +77,7 @@ export class SecureSavedObjectsClient {
     return await this._execute(
       type,
       'get',
-      { type, id },
+      { type, id, options },
       repository => repository.get(type, id, options)
     );
   }

From 1350708e853a3bb2f203da7f7293d541cacf748f Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 15:09:17 -0700
Subject: [PATCH 162/183] Fixing included fields for the find

---
 src/server/saved_objects/service/lib/included_fields.js     | 1 +
 .../saved_objects/service/lib/included_fields.test.js       | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/src/server/saved_objects/service/lib/included_fields.js b/src/server/saved_objects/service/lib/included_fields.js
index 3e849af7edd898..8c94d03008e701 100644
--- a/src/server/saved_objects/service/lib/included_fields.js
+++ b/src/server/saved_objects/service/lib/included_fields.js
@@ -32,6 +32,7 @@ export function includedFields(type, fields) {
   const sourceType = type || '*';
 
   return sourceFields.map(f => `${sourceType}.${f}`)
+    .concat('namespace')
     .concat('type')
     .concat(fields); // v5 compatibility
 }
diff --git a/src/server/saved_objects/service/lib/included_fields.test.js b/src/server/saved_objects/service/lib/included_fields.test.js
index 441b78f533f6a4..3455db3784a068 100644
--- a/src/server/saved_objects/service/lib/included_fields.test.js
+++ b/src/server/saved_objects/service/lib/included_fields.test.js
@@ -30,6 +30,12 @@ describe('includedFields', () => {
     expect(fields).toContain('type');
   });
 
+  it('includes namespace', () => {
+    const fields = includedFields('config', 'foo');
+    expect(fields).toHaveLength(3);
+    expect(fields).toContain('namespace');
+  });
+
   it('accepts field as string', () => {
     const fields = includedFields('config', 'foo');
     expect(fields).toHaveLength(3);

From d892566bbbc86fc49fc16416f54abd25edbd2011 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 15:13:38 -0700
Subject: [PATCH 163/183] We were specifying schema twice in a test

---
 src/server/saved_objects/service/lib/repository.test.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
index 9363b9b6ad6f26..a839f180806f10 100644
--- a/src/server/saved_objects/service/lib/repository.test.js
+++ b/src/server/saved_objects/service/lib/repository.test.js
@@ -189,7 +189,6 @@ describe('SavedObjectsRepository', () => {
     savedObjectsRepository = new SavedObjectsRepository({
       index: '.kibana-test',
       mappings,
-      schema,
       callCluster: callAdminCluster,
       migrator,
       schema,

From 05f3465828b50d81f9cce32da67cfd06704b3021 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 15:21:54 -0700
Subject: [PATCH 164/183] Removing erroneous jsdoc parameter for SOC bulkCreate

---
 src/server/saved_objects/service/saved_objects_client.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server/saved_objects/service/saved_objects_client.js b/src/server/saved_objects/service/saved_objects_client.js
index 25c252d195bf13..f1dc4dfbbc1900 100644
--- a/src/server/saved_objects/service/saved_objects_client.js
+++ b/src/server/saved_objects/service/saved_objects_client.js
@@ -112,7 +112,7 @@ export class SavedObjectsClient {
   /**
    * Creates multiple documents at once
    *
-   * @param {array} objects - [{ type, id, attributes, extraDocumentProperties }]
+   * @param {array} objects - [{ type, id, attributes }]
    * @param {object} [options={}]
    * @property {boolean} [options.overwrite=false] - overwrites existing documents
    * @property {string} [options.namespace]

From 1c3b4818bb3bdff654de4930c66c4d6b561d4418 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 20 Sep 2018 16:12:21 -0700
Subject: [PATCH 165/183] Fixing include field tests, they're checking length
 also...

---
 .../service/lib/included_fields.test.js              | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/server/saved_objects/service/lib/included_fields.test.js b/src/server/saved_objects/service/lib/included_fields.test.js
index 3455db3784a068..37935ab9153db9 100644
--- a/src/server/saved_objects/service/lib/included_fields.test.js
+++ b/src/server/saved_objects/service/lib/included_fields.test.js
@@ -26,33 +26,33 @@ describe('includedFields', () => {
 
   it('includes type', () => {
     const fields = includedFields('config', 'foo');
-    expect(fields).toHaveLength(3);
+    expect(fields).toHaveLength(4);
     expect(fields).toContain('type');
   });
 
   it('includes namespace', () => {
     const fields = includedFields('config', 'foo');
-    expect(fields).toHaveLength(3);
+    expect(fields).toHaveLength(4);
     expect(fields).toContain('namespace');
   });
 
   it('accepts field as string', () => {
     const fields = includedFields('config', 'foo');
-    expect(fields).toHaveLength(3);
+    expect(fields).toHaveLength(4);
     expect(fields).toContain('config.foo');
   });
 
   it('accepts fields as an array', () => {
     const fields = includedFields('config', ['foo', 'bar']);
 
-    expect(fields).toHaveLength(5);
+    expect(fields).toHaveLength(6);
     expect(fields).toContain('config.foo');
     expect(fields).toContain('config.bar');
   });
 
   it('uses wildcard when type is not provided', () => {
     const fields = includedFields(undefined, 'foo');
-    expect(fields).toHaveLength(3);
+    expect(fields).toHaveLength(4);
     expect(fields).toContain('*.foo');
   });
 
@@ -60,7 +60,7 @@ describe('includedFields', () => {
     it('includes legacy field path', () => {
       const fields = includedFields('config', ['foo', 'bar']);
 
-      expect(fields).toHaveLength(5);
+      expect(fields).toHaveLength(6);
       expect(fields).toContain('foo');
       expect(fields).toContain('bar');
     });

From 3b115ad8ff0ae8e7fd7bf33dc6d7262dc5fdf8c5 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Thu, 20 Sep 2018 19:41:33 -0400
Subject: [PATCH 166/183] redirect to space selector when active space is not
 found (#23340)

---
 x-pack/plugins/spaces/index.ts                |   3 +-
 .../server/lib/get_space_selector_url.test.ts |  30 ++++
 .../server/lib/get_space_selector_url.ts      |  13 ++
 .../lib/space_request_interceptors.test.ts    | 132 ++++++++++++++++--
 .../server/lib/space_request_interceptors.ts  |  22 +++
 5 files changed, 191 insertions(+), 9 deletions(-)
 create mode 100644 x-pack/plugins/spaces/server/lib/get_space_selector_url.test.ts
 create mode 100644 x-pack/plugins/spaces/server/lib/get_space_selector_url.ts

diff --git a/x-pack/plugins/spaces/index.ts b/x-pack/plugins/spaces/index.ts
index 157bc2a010895e..155627776ee3ea 100644
--- a/x-pack/plugins/spaces/index.ts
+++ b/x-pack/plugins/spaces/index.ts
@@ -17,6 +17,7 @@ import { createDefaultSpace } from './server/lib/create_default_space';
 import { createSpacesService } from './server/lib/create_spaces_service';
 import { wrapError } from './server/lib/errors';
 import { getActiveSpace } from './server/lib/get_active_space';
+import { getSpaceSelectorUrl } from './server/lib/get_space_selector_url';
 import { getSpacesUsageCollector } from './server/lib/get_spaces_usage_collector';
 import { spacesSavedObjectsClientWrapperFactory } from './server/lib/saved_objects_client/saved_objects_client_wrapper_factory';
 import { initSpacesRequestInterceptors } from './server/lib/space_request_interceptors';
@@ -62,7 +63,7 @@ export const spaces = (kibana: any) =>
         return {
           spaces: [],
           activeSpace: null,
-          spaceSelectorURL: server.config().get('server.basePath') || '/',
+          spaceSelectorURL: getSpaceSelectorUrl(server.config()),
         };
       },
       async replaceInjectedVars(vars: any, request: any, server: any) {
diff --git a/x-pack/plugins/spaces/server/lib/get_space_selector_url.test.ts b/x-pack/plugins/spaces/server/lib/get_space_selector_url.test.ts
new file mode 100644
index 00000000000000..77d7db1328c147
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/get_space_selector_url.test.ts
@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { getSpaceSelectorUrl } from './get_space_selector_url';
+
+const buildServerConfig = (serverBasePath?: string) => {
+  return {
+    get: (key: string) => {
+      if (key === 'server.basePath') {
+        return serverBasePath;
+      }
+      throw new Error(`unexpected config request: ${key}`);
+    },
+  };
+};
+
+describe('getSpaceSelectorUrl', () => {
+  it('returns / when no server base path is defined', () => {
+    const serverConfig = buildServerConfig();
+    expect(getSpaceSelectorUrl(serverConfig)).toEqual('/');
+  });
+
+  it('returns the server base path when defined', () => {
+    const serverConfig = buildServerConfig('/my/server/base/path');
+    expect(getSpaceSelectorUrl(serverConfig)).toEqual('/my/server/base/path');
+  });
+});
diff --git a/x-pack/plugins/spaces/server/lib/get_space_selector_url.ts b/x-pack/plugins/spaces/server/lib/get_space_selector_url.ts
new file mode 100644
index 00000000000000..3f24553306b2bb
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/get_space_selector_url.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+interface Config {
+  get(key: string): string | boolean | number | null | undefined;
+}
+
+export function getSpaceSelectorUrl(serverConfig: Config) {
+  return serverConfig.get('server.basePath') || '/';
+}
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.ts b/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.ts
index e99e98c9eb5ed8..5b8792c45de372 100644
--- a/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.ts
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.test.ts
@@ -51,6 +51,30 @@ describe('interceptors', () => {
         })
       );
 
+      server.savedObjects = {
+        SavedObjectsClient: {
+          errors: {
+            isNotFoundError: (e: Error) => e.message === 'space not found',
+          },
+        },
+        getSavedObjectsRepository: jest.fn().mockImplementation(() => {
+          return {
+            get: (type: string, id: string) => {
+              if (type === 'space') {
+                if (id === 'not-found') {
+                  throw new Error('space not found');
+                }
+                return {
+                  id,
+                  name: 'test space',
+                };
+              }
+            },
+            create: () => null,
+          };
+        }),
+      };
+
       server.plugins = {
         spaces: {
           spacesClient: {
@@ -61,18 +85,37 @@ describe('interceptors', () => {
 
       initSpacesRequestInterceptors(server);
 
-      server.route({
-        method: 'GET',
-        path: '/',
-        handler: (req: any, reply: any) => {
-          return reply({ path: req.path, url: req.url, basePath: req.getBasePath() });
+      server.route([
+        {
+          method: 'GET',
+          path: '/',
+          handler: (req: any, reply: any) => {
+            return reply({ path: req.path, url: req.url, basePath: req.getBasePath() });
+          },
         },
-      });
+        {
+          method: 'GET',
+          path: '/app/kibana',
+          handler: (req: any, reply: any) => {
+            return reply({ path: req.path, url: req.url, basePath: req.getBasePath() });
+          },
+        },
+        {
+          method: 'GET',
+          path: '/api/foo',
+          handler: (req: any, reply: any) => {
+            return reply({ path: req.path, url: req.url, basePath: req.getBasePath() });
+          },
+        },
+      ]);
 
       await setupFn(server);
 
-      server.decorate('request', 'getBasePath', jest.fn());
-      server.decorate('request', 'setBasePath', jest.fn());
+      let basePath: string | undefined;
+      server.decorate('request', 'getBasePath', () => basePath);
+      server.decorate('request', 'setBasePath', (newPath: string) => {
+        basePath = newPath;
+      });
 
       teardowns.push(() => server.stop());
 
@@ -165,6 +208,79 @@ describe('interceptors', () => {
       hapiServer.ext('onPreResponse', testHandler);
     };
 
+    describe('when accessing an app within a non-existent space', () => {
+      it('redirects to the space selector screen', async () => {
+        const testHandler = jest.fn((req, reply) => {
+          const { response } = req;
+
+          if (response && response.isBoom) {
+            throw response;
+          }
+
+          expect(response.statusCode).toEqual(302);
+          expect(response.headers.location).toEqual(serverBasePath);
+
+          return reply.continue();
+        });
+
+        const spaces = [
+          {
+            id: 'a-space',
+            type: 'space',
+            attributes: {
+              name: 'a space',
+            },
+          },
+        ];
+
+        await request(
+          '/s/not-found/app/kibana',
+          (hapiServer: any) => {
+            setupTest(hapiServer, spaces, testHandler);
+          },
+          config
+        );
+
+        expect(testHandler).toHaveBeenCalledTimes(1);
+      });
+    });
+
+    describe('when accessing an API endpoint within a non-existent space', () => {
+      it('allows the request to continue', async () => {
+        const testHandler = jest.fn((req, reply) => {
+          const { response } = req;
+
+          if (response && response.isBoom) {
+            throw response;
+          }
+
+          expect(response.statusCode).toEqual(200);
+
+          return reply.continue();
+        });
+
+        const spaces = [
+          {
+            id: 'a-space',
+            type: 'space',
+            attributes: {
+              name: 'a space',
+            },
+          },
+        ];
+
+        await request(
+          '/s/not-found/api/foo',
+          (hapiServer: any) => {
+            setupTest(hapiServer, spaces, testHandler);
+          },
+          config
+        );
+
+        expect(testHandler).toHaveBeenCalledTimes(1);
+      });
+    });
+
     describe('with a single available space', () => {
       test('it redirects to the defaultRoute within the context of the single Space when navigating to Kibana root', async () => {
         const testHandler = jest.fn((req, reply) => {
diff --git a/x-pack/plugins/spaces/server/lib/space_request_interceptors.ts b/x-pack/plugins/spaces/server/lib/space_request_interceptors.ts
index 3a6b0c18b05ed0..dd5b865d5fd8e2 100644
--- a/x-pack/plugins/spaces/server/lib/space_request_interceptors.ts
+++ b/x-pack/plugins/spaces/server/lib/space_request_interceptors.ts
@@ -6,6 +6,7 @@
 
 import { DEFAULT_SPACE_ID } from '../../common/constants';
 import { wrapError } from './errors';
+import { getSpaceSelectorUrl } from './get_space_selector_url';
 import { addSpaceIdToPath, getSpaceIdFromPath } from './spaces_url_parser';
 
 export function initSpacesRequestInterceptors(server: any) {
@@ -41,6 +42,7 @@ export function initSpacesRequestInterceptors(server: any) {
     const path = request.path;
 
     const isRequestingKibanaRoot = path === '/';
+    const isRequestingApplication = path.startsWith('/app');
 
     // if requesting the application root, then show the Space Selector UI to allow the user to choose which space
     // they wish to visit. This is done "onPostAuth" to allow the Saved Objects Client to use the request's auth scope,
@@ -75,6 +77,26 @@ export function initSpacesRequestInterceptors(server: any) {
       }
     }
 
+    // This condition should only happen after selecting a space, or when transitioning from one application to another
+    // e.g.: Navigating from Dashboard to Timelion
+    if (isRequestingApplication) {
+      let spaceId;
+      try {
+        const spacesClient = server.plugins.spaces.spacesClient.getScopedClient(request);
+        spaceId = getSpaceIdFromPath(request.getBasePath(), serverBasePath);
+
+        server.log(['spaces', 'debug'], `Verifying access to space "${spaceId}"`);
+
+        await spacesClient.get(spaceId);
+      } catch (error) {
+        server.log(
+          ['spaces', 'error'],
+          `Unable to navigate to space "${spaceId}", redirecting to Space Selector. ${error}`
+        );
+        // Space doesn't exist, or user not authorized for space, or some other issue retrieving the active space.
+        return reply.redirect(getSpaceSelectorUrl(server.config()));
+      }
+    }
     return reply.continue();
   });
 }

From 1d8b2c5190ee7697fad59a194e5c91bb571fa0b8 Mon Sep 17 00:00:00 2001
From: Larry Gregory <larry.gregory@elastic.co>
Date: Fri, 21 Sep 2018 07:16:22 -0400
Subject: [PATCH 167/183] Disable spaces for BWC reporting tests, as they
 require OSS data sets

---
 x-pack/test/reporting/configs/chromium_api.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/x-pack/test/reporting/configs/chromium_api.js b/x-pack/test/reporting/configs/chromium_api.js
index 9ebbfce0ac3ac4..461c6c0df5271b 100644
--- a/x-pack/test/reporting/configs/chromium_api.js
+++ b/x-pack/test/reporting/configs/chromium_api.js
@@ -21,6 +21,7 @@ export default async function ({ readConfigFile }) {
       serverArgs: [
         ...reportingApiConfig.kbnTestServer.serverArgs,
         `--xpack.reporting.capture.browser.type=chromium`,
+        `--xpack.spaces.enabled=false`,
       ],
     },
   };

From 493f8998a224f8a55b7af25a2976c2466bb26c88 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Fri, 21 Sep 2018 06:41:26 -0700
Subject: [PATCH 168/183] Updating Repository test after adding namespace to
 always included fields

---
 src/server/saved_objects/service/lib/repository.test.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
index c9a0e645b3015b..6d832ea3c2d123 100644
--- a/src/server/saved_objects/service/lib/repository.test.js
+++ b/src/server/saved_objects/service/lib/repository.test.js
@@ -797,7 +797,7 @@ describe('SavedObjectsRepository', () => {
       sinon.assert.calledOnce(callAdminCluster);
       sinon.assert.calledWithExactly(callAdminCluster, sinon.match.string, sinon.match({
         _source: [
-          'foo.title', 'type', 'title'
+          'foo.title', 'namespace', 'type', 'title'
         ]
       }));
 

From 33d871baca021bc4789ad23e791f386d44e2a339 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Fri, 21 Sep 2018 11:31:26 -0400
Subject: [PATCH 169/183] [Spaces] - Suppress conflict errors when creating the
 default space (#23390)

[skip ci]
The Kibana server automatically creates the default space on startup. Before attempting to create, it checks to see if the default space already exists.

If it exists, then Kibana won't proceed. If it doesn't exist, then it will attempt to create it. Given the async non-atomic nature of this operation, there are no guarantees that a subsequent invocation won't also try to create the default space.

In this scenario, we were logging a superfluous conflict error. This PR suppresses the conflict error while allowing all other errors to be thrown.
---
 .../create_default_space.test.ts.snap         |  5 ++
 .../server/lib/create_default_space.test.ts   | 59 +++++++++++++++----
 .../spaces/server/lib/create_default_space.ts | 30 ++++++----
 3 files changed, 72 insertions(+), 22 deletions(-)
 create mode 100644 x-pack/plugins/spaces/server/lib/__snapshots__/create_default_space.test.ts.snap

diff --git a/x-pack/plugins/spaces/server/lib/__snapshots__/create_default_space.test.ts.snap b/x-pack/plugins/spaces/server/lib/__snapshots__/create_default_space.test.ts.snap
new file mode 100644
index 00000000000000..bbb3b1918718df
--- /dev/null
+++ b/x-pack/plugins/spaces/server/lib/__snapshots__/create_default_space.test.ts.snap
@@ -0,0 +1,5 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`it throws all other errors from the saved objects client when checking for the default space 1`] = `"unit test: unexpected exception condition"`;
+
+exports[`it throws other errors if there is an error creating the default space 1`] = `"unit test: some other unexpected error"`;
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.test.ts b/x-pack/plugins/spaces/server/lib/create_default_space.test.ts
index d0cf2812cc26d1..a71278a737188d 100644
--- a/x-pack/plugins/spaces/server/lib/create_default_space.test.ts
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.test.ts
@@ -21,14 +21,21 @@ beforeEach(() => {
 });
 interface MockServerSettings {
   defaultExists?: boolean;
-  simulateErrorCondition?: boolean;
+  simulateGetErrorCondition?: boolean;
+  simulateCreateErrorCondition?: boolean;
+  simulateConflict?: boolean;
   [invalidKeys: string]: any;
 }
 const createMockServer = (settings: MockServerSettings = {}) => {
-  const { defaultExists = false, simulateErrorCondition = false } = settings;
+  const {
+    defaultExists = false,
+    simulateGetErrorCondition = false,
+    simulateConflict = false,
+    simulateCreateErrorCondition = false,
+  } = settings;
 
   const mockGet = jest.fn().mockImplementation(() => {
-    if (simulateErrorCondition) {
+    if (simulateGetErrorCondition) {
       throw new Error('unit test: unexpected exception condition');
     }
 
@@ -38,7 +45,16 @@ const createMockServer = (settings: MockServerSettings = {}) => {
     throw Boom.notFound('unit test: default space not found');
   });
 
-  const mockCreate = jest.fn().mockReturnValue(null);
+  const mockCreate = jest.fn().mockImplementation(() => {
+    if (simulateConflict) {
+      throw new Error('unit test: default space already exists');
+    }
+    if (simulateCreateErrorCondition) {
+      throw new Error('unit test: some other unexpected error');
+    }
+
+    return null;
+  });
 
   const mockServer = {
     config: jest.fn().mockReturnValue({
@@ -48,6 +64,7 @@ const createMockServer = (settings: MockServerSettings = {}) => {
       SavedObjectsClient: {
         errors: {
           isNotFoundError: (e: Error) => e.message === 'unit test: default space not found',
+          isConflictError: (e: Error) => e.message === 'unit test: default space already exists',
         },
       },
       getSavedObjectsRepository: jest.fn().mockImplementation(() => {
@@ -102,16 +119,34 @@ test(`it does not attempt to recreate the default space if it already exists`, a
   expect(repository.create).toHaveBeenCalledTimes(0);
 });
 
-test(`it throws all other errors from the saved objects client`, async () => {
+test(`it throws all other errors from the saved objects client when checking for the default space`, async () => {
   const server = createMockServer({
     defaultExists: true,
-    simulateErrorCondition: true,
+    simulateGetErrorCondition: true,
+  });
+
+  expect(createDefaultSpace(server)).rejects.toThrowErrorMatchingSnapshot();
+});
+
+test(`it ignores conflict errors if the default space already exists`, async () => {
+  const server = createMockServer({
+    defaultExists: false,
+    simulateConflict: true,
+  });
+
+  await createDefaultSpace(server);
+
+  const repository = server.savedObjects.getSavedObjectsRepository();
+
+  expect(repository.get).toHaveBeenCalledTimes(1);
+  expect(repository.create).toHaveBeenCalledTimes(1);
+});
+
+test(`it throws other errors if there is an error creating the default space`, async () => {
+  const server = createMockServer({
+    defaultExists: false,
+    simulateCreateErrorCondition: true,
   });
 
-  try {
-    await createDefaultSpace(server);
-    throw new Error(`Expected error to be thrown!`);
-  } catch (e) {
-    expect(e.message).toEqual('unit test: unexpected exception condition');
-  }
+  expect(createDefaultSpace(server)).rejects.toThrowErrorMatchingSnapshot();
 });
diff --git a/x-pack/plugins/spaces/server/lib/create_default_space.ts b/x-pack/plugins/spaces/server/lib/create_default_space.ts
index 1e0e28c2f98b87..c33283033b7e97 100644
--- a/x-pack/plugins/spaces/server/lib/create_default_space.ts
+++ b/x-pack/plugins/spaces/server/lib/create_default_space.ts
@@ -27,16 +27,26 @@ export async function createDefaultSpace(server: any) {
     id: DEFAULT_SPACE_ID,
   };
 
-  await savedObjectsRepository.create(
-    'space',
-    {
-      name: 'Default',
-      description: 'This is your default space!',
-      color: '#00bfb3',
-      _reserved: true,
-    },
-    options
-  );
+  try {
+    await savedObjectsRepository.create(
+      'space',
+      {
+        name: 'Default',
+        description: 'This is your default space!',
+        color: '#00bfb3',
+        _reserved: true,
+      },
+      options
+    );
+  } catch (error) {
+    // Ignore conflict errors.
+    // It is possible that another Kibana instance, or another invocation of this function
+    // created the default space in the time it took this to complete.
+    if (SavedObjectsClient.errors.isConflictError(error)) {
+      return;
+    }
+    throw error;
+  }
 }
 
 async function doesDefaultSpaceExist(SavedObjectsClient: any, savedObjectsRepository: any) {

From 0a6d4f0738008669a4fd2961a64a3bef1e50fba2 Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Fri, 21 Sep 2018 14:22:07 -0400
Subject: [PATCH 170/183] fix telemetry with spaces enabled (#23403)

---
 x-pack/plugins/xpack_main/index.js            |  5 +++++
 .../lib/__tests__/replace_injected_vars.js    | 20 ++++++++++++++++++-
 .../server/lib/get_telemetry_opt_in.js        |  7 +++++++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/xpack_main/index.js b/x-pack/plugins/xpack_main/index.js
index c4d64dabc7f5c9..5e5224c73adf8d 100644
--- a/x-pack/plugins/xpack_main/index.js
+++ b/x-pack/plugins/xpack_main/index.js
@@ -82,6 +82,11 @@ export const xpackMain = (kibana) => {
           value: null
         }
       },
+      savedObjectsSchema: {
+        telemetry: {
+          isNamespaceAgnostic: true,
+        },
+      },
       injectDefaultVars(server) {
         const config = server.config();
         return {
diff --git a/x-pack/plugins/xpack_main/server/lib/__tests__/replace_injected_vars.js b/x-pack/plugins/xpack_main/server/lib/__tests__/replace_injected_vars.js
index 19cf356b148670..863f07725ad296 100644
--- a/x-pack/plugins/xpack_main/server/lib/__tests__/replace_injected_vars.js
+++ b/x-pack/plugins/xpack_main/server/lib/__tests__/replace_injected_vars.js
@@ -9,7 +9,7 @@ import expect from 'expect.js';
 
 import { replaceInjectedVars } from '../replace_injected_vars';
 
-const buildRequest = (telemetryOptedIn = null) => {
+const buildRequest = (telemetryOptedIn = null, path = '/app/kibana') => {
   const get = sinon.stub();
   if (telemetryOptedIn === null) {
     get.withArgs('telemetry', 'telemetry').returns(Promise.reject(new Error('not found exception')));
@@ -18,6 +18,7 @@ const buildRequest = (telemetryOptedIn = null) => {
   }
 
   return {
+    path,
     getSavedObjectsClient: () => {
       return {
         get,
@@ -121,6 +122,23 @@ describe('replaceInjectedVars uiExport', () => {
     });
   });
 
+  it('indicates that telemetry is opted-out when not loading an application', async () => {
+    const originalInjectedVars = { a: 1 };
+    const request = buildRequest(true, '/');
+    const server = mockServer();
+    server.plugins.xpack_main.info.license.isOneOf.returns(true);
+
+    const newVars = await replaceInjectedVars(originalInjectedVars, request, server);
+    expect(newVars).to.eql({
+      a: 1,
+      telemetryOptedIn: false,
+      xpackInitialInfo: {
+        b: 1
+      },
+      userProfile: {},
+    });
+  });
+
   it('sends the originalInjectedVars if not authenticated', async () => {
     const originalInjectedVars = { a: 1 };
     const request = buildRequest();
diff --git a/x-pack/plugins/xpack_main/server/lib/get_telemetry_opt_in.js b/x-pack/plugins/xpack_main/server/lib/get_telemetry_opt_in.js
index 1f9d6c5849e2f4..690f9021fbefdb 100644
--- a/x-pack/plugins/xpack_main/server/lib/get_telemetry_opt_in.js
+++ b/x-pack/plugins/xpack_main/server/lib/get_telemetry_opt_in.js
@@ -5,6 +5,13 @@
  */
 
 export async function getTelemetryOptIn(request) {
+  const isRequestingApplication = request.path.startsWith('/app');
+
+  // Prevent interstitial screens (such as the space selector) from prompting for telemetry
+  if (!isRequestingApplication) {
+    return false;
+  }
+
   const savedObjectsClient = request.getSavedObjectsClient();
 
   try {

From 41992d3aa1810575890296282c4fda55db1338ef Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Fri, 21 Sep 2018 15:19:43 -0700
Subject: [PATCH 171/183] Switching telemetry from savedObjectsSchema: to
 savedObjectSchemas:

---
 x-pack/plugins/xpack_main/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/xpack_main/index.js b/x-pack/plugins/xpack_main/index.js
index 5e5224c73adf8d..28ef9a49f165d5 100644
--- a/x-pack/plugins/xpack_main/index.js
+++ b/x-pack/plugins/xpack_main/index.js
@@ -82,7 +82,7 @@ export const xpackMain = (kibana) => {
           value: null
         }
       },
-      savedObjectsSchema: {
+      savedObjectSchemas: {
         telemetry: {
           isNamespaceAgnostic: true,
         },

From 04efc8843de225e494d9a1512c8ddb204601f351 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Fri, 21 Sep 2018 16:18:25 -0700
Subject: [PATCH 172/183] Removing erroneous plugin from the spaces api
 integration tests

---
 x-pack/test/spaces_api_integration/common/config.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/x-pack/test/spaces_api_integration/common/config.ts b/x-pack/test/spaces_api_integration/common/config.ts
index ed0e45809d1b1e..97a92cd4e666f3 100644
--- a/x-pack/test/spaces_api_integration/common/config.ts
+++ b/x-pack/test/spaces_api_integration/common/config.ts
@@ -64,7 +64,6 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions)
           ...config.xpack.api.get('kbnTestServer.serverArgs'),
           '--optimize.enabled=false',
           '--server.xsrf.disableProtection=true',
-          `--plugin-path=${path.join(__dirname, 'fixtures', 'namespace_agnostic_type_plugin')}`,
           ...disabledPlugins.map(key => `--xpack.${key}.enabled=false`),
         ],
       },

From 88aad1d79e673056ea148b79f0a5a72ce1c1c4ca Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 24 Sep 2018 06:31:35 -0700
Subject: [PATCH 173/183] Fixing find test that is throwing a 400 when there is
 no type

---
 .../saved_object_api_integration/security_only/apis/find.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
index 35634e3f5d9e36..79da8f6a600a6f 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
@@ -56,9 +56,9 @@ export default function({ getService }: TestInvoker) {
           response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
         },
         noType: {
-          description: `forbidded can't find any types`,
-          statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });

From 6777c8c91db45e7b81f8c3a1d66d3d98c91b04dc Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 24 Sep 2018 06:51:58 -0700
Subject: [PATCH 174/183] Fixing other find tests with no type

---
 .../security_only/apis/find.ts                | 32 +++++++------------
 1 file changed, 12 insertions(+), 20 deletions(-)

diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
index 79da8f6a600a6f..d05e687b309a66 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
@@ -378,11 +378,9 @@ export default function({ getService }: TestInvoker) {
           ),
         },
         noType: {
-          description: 'all objects',
-          statusCode: 403,
-          response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
-          ),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });
@@ -429,11 +427,9 @@ export default function({ getService }: TestInvoker) {
           ),
         },
         noType: {
-          description: 'all objects',
-          statusCode: 403,
-          response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
-          ),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });
@@ -480,11 +476,9 @@ export default function({ getService }: TestInvoker) {
           ),
         },
         noType: {
-          description: `forbidded can't find any types`,
-          statusCode: 403,
-          response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
-          ),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });
@@ -531,11 +525,9 @@ export default function({ getService }: TestInvoker) {
           ),
         },
         noType: {
-          description: `forbidded can't find any types`,
-          statusCode: 403,
-          response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
-          ),
+          description: 'bad request, type is required',
+          statusCode: 400,
+          response: expectTypeRequired,
         },
       },
     });

From 4673d514f30391b27d3c7c210dbb555e4d4fdac9 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 24 Sep 2018 11:42:07 -0700
Subject: [PATCH 175/183] Moving the expects to the top of the suite factories

---
 .../common/suites/bulk_create.ts              | 114 ++++++-------
 .../common/suites/bulk_get.ts                 |  88 +++++-----
 .../common/suites/create.ts                   |  96 ++++++-----
 .../common/suites/delete.ts                   |  78 +++++----
 .../common/suites/find.ts                     | 159 +++++++++--------
 .../common/suites/get.ts                      | 160 +++++++++---------
 .../common/suites/update.ts                   | 151 +++++++++--------
 .../common/suites/create.ts                   |  88 +++++-----
 .../common/suites/delete.ts                   |  84 ++++-----
 .../common/suites/get.ts                      |  84 ++++-----
 .../common/suites/get_all.ts                  |  50 +++---
 .../common/suites/select.ts                   | 107 ++++++------
 .../common/suites/update.ts                   |  92 +++++-----
 .../security_and_spaces/apis/delete.ts        |  12 +-
 .../security_and_spaces/apis/update.ts        |  10 +-
 .../spaces_only/apis/delete.ts                |   4 +-
 .../spaces_only/apis/update.ts                |   4 +-
 17 files changed, 697 insertions(+), 684 deletions(-)

diff --git a/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts b/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
index a45a378c1784b1..f91c5099d7aafb 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
@@ -25,61 +25,40 @@ interface BulkCreateTestDefinition {
   tests: BulkCreateTests;
 }
 
-export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
-  const isGlobalType = (type: string) => type === 'globaltype';
-
-  const createBulkRequests = (spaceId: string) => [
-    {
-      type: 'visualization',
-      id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
-      attributes: {
-        title: 'An existing visualization',
-      },
+const createBulkRequests = (spaceId: string) => [
+  {
+    type: 'visualization',
+    id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+    attributes: {
+      title: 'An existing visualization',
     },
-    {
-      type: 'dashboard',
-      id: `${getIdPrefix(spaceId)}a01b2f57-fcfd-4864-b735-09e28f0d815e`,
-      attributes: {
-        title: 'A great new dashboard',
-      },
+  },
+  {
+    type: 'dashboard',
+    id: `${getIdPrefix(spaceId)}a01b2f57-fcfd-4864-b735-09e28f0d815e`,
+    attributes: {
+      title: 'A great new dashboard',
     },
-    {
-      type: 'globaltype',
-      id: '05976c65-1145-4858-bbf0-d225cc78a06e',
-      attributes: {
-        name: 'A new globaltype object',
-      },
+  },
+  {
+    type: 'globaltype',
+    id: '05976c65-1145-4858-bbf0-d225cc78a06e',
+    attributes: {
+      name: 'A new globaltype object',
     },
-    {
-      type: 'globaltype',
-      id: '8121a00-8efd-21e7-1cb3-34ab966434445',
-      attributes: {
-        name: 'An existing globaltype',
-      },
+  },
+  {
+    type: 'globaltype',
+    id: '8121a00-8efd-21e7-1cb3-34ab966434445',
+    attributes: {
+      name: 'An existing globaltype',
     },
-  ];
-
-  const makeBulkCreateTest = (describeFn: DescribeFn) => (
-    description: string,
-    definition: BulkCreateTestDefinition
-  ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+  },
+];
 
-    describeFn(description, () => {
-      before(() => esArchiver.load('saved_objects/spaces'));
-      after(() => esArchiver.unload('saved_objects/spaces'));
-
-      it(`should return ${tests.default.statusCode}`, async () => {
-        await supertest
-          .post(`${getUrlPrefix(spaceId)}/api/saved_objects/_bulk_create`)
-          .auth(auth.username, auth.password)
-          .send(createBulkRequests(spaceId))
-          .expect(tests.default.statusCode)
-          .then(tests.default.response);
-      });
-    });
-  };
+const isGlobalType = (type: string) => type === 'globaltype';
 
+export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
   const createExpectLegacyForbidden = (username: string) => (resp: any) => {
     expect(resp.body).to.eql({
       statusCode: 403,
@@ -89,14 +68,6 @@ export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest:
     });
   };
 
-  const expectRbacForbidden = (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: `Unable to bulk_create dashboard,globaltype,visualization, missing action:saved_objects/dashboard/bulk_create,action:saved_objects/globaltype/bulk_create,action:saved_objects/visualization/bulk_create`,
-    });
-  };
-
   const createExpectResults = (spaceId = DEFAULT_SPACE_ID) => async (resp: any) => {
     expect(resp.body).to.eql({
       saved_objects: [
@@ -158,6 +129,35 @@ export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest:
     }
   };
 
+  const expectRbacForbidden = (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unable to bulk_create dashboard,globaltype,visualization, missing action:saved_objects/dashboard/bulk_create,action:saved_objects/globaltype/bulk_create,action:saved_objects/visualization/bulk_create`,
+    });
+  };
+
+  const makeBulkCreateTest = (describeFn: DescribeFn) => (
+    description: string,
+    definition: BulkCreateTestDefinition
+  ) => {
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.default.statusCode}`, async () => {
+        await supertest
+          .post(`${getUrlPrefix(spaceId)}/api/saved_objects/_bulk_create`)
+          .auth(auth.username, auth.password)
+          .send(createBulkRequests(spaceId))
+          .expect(tests.default.statusCode)
+          .then(tests.default.response);
+      });
+    });
+  };
+
   const bulkCreateTest = makeBulkCreateTest(describe);
   // @ts-ignore
   bulkCreateTest.only = makeBulkCreateTest(describe.only);
diff --git a/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts b/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
index 028889d76769dd..04ce2317cdb972 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
@@ -26,43 +26,22 @@ interface BulkGetTestDefinition {
   tests: BulkGetTests;
 }
 
-export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const createBulkRequests = (spaceId: string) => [
-    {
-      type: 'visualization',
-      id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
-    },
-    {
-      type: 'dashboard',
-      id: `${getIdPrefix(spaceId)}does not exist`,
-    },
-    {
-      type: 'globaltype',
-      id: '8121a00-8efd-21e7-1cb3-34ab966434445',
-    },
-  ];
-
-  const makeBulkGetTest = (describeFn: DescribeFn) => (
-    description: string,
-    definition: BulkGetTestDefinition
-  ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
-
-    describeFn(description, () => {
-      before(() => esArchiver.load('saved_objects/spaces'));
-      after(() => esArchiver.unload('saved_objects/spaces'));
-
-      it(`should return ${tests.default.statusCode}`, async () => {
-        await supertest
-          .post(`${getUrlPrefix(spaceId)}/api/saved_objects/_bulk_get`)
-          .auth(auth.username, auth.password)
-          .send(createBulkRequests(otherSpaceId || spaceId))
-          .expect(tests.default.statusCode)
-          .then(tests.default.response);
-      });
-    });
-  };
+const createBulkRequests = (spaceId: string) => [
+  {
+    type: 'visualization',
+    id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+  },
+  {
+    type: 'dashboard',
+    id: `${getIdPrefix(spaceId)}does not exist`,
+  },
+  {
+    type: 'globaltype',
+    id: '8121a00-8efd-21e7-1cb3-34ab966434445',
+  },
+];
 
+export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
   const createExpectLegacyForbidden = (username: string) => (resp: any) => {
     expect(resp.body).to.eql({
       statusCode: 403,
@@ -72,14 +51,6 @@ export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<an
     });
   };
 
-  const expectRbacForbidden = (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: `Unable to bulk_get dashboard,globaltype,visualization, missing action:saved_objects/dashboard/bulk_get,action:saved_objects/globaltype/bulk_get,action:saved_objects/visualization/bulk_get`,
-    });
-  };
-
   const createExpectNotFoundResults = (spaceId: string) => (resp: any) => {
     expect(resp.body).to.eql({
       saved_objects: [
@@ -112,6 +83,14 @@ export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<an
     });
   };
 
+  const expectRbacForbidden = (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unable to bulk_get dashboard,globaltype,visualization, missing action:saved_objects/dashboard/bulk_get,action:saved_objects/globaltype/bulk_get,action:saved_objects/visualization/bulk_get`,
+    });
+  };
+
   const createExpectResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
     expect(resp.body).to.eql({
       saved_objects: [
@@ -151,6 +130,27 @@ export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<an
     });
   };
 
+  const makeBulkGetTest = (describeFn: DescribeFn) => (
+    description: string,
+    definition: BulkGetTestDefinition
+  ) => {
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
+
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.default.statusCode}`, async () => {
+        await supertest
+          .post(`${getUrlPrefix(spaceId)}/api/saved_objects/_bulk_get`)
+          .auth(auth.username, auth.password)
+          .send(createBulkRequests(otherSpaceId || spaceId))
+          .expect(tests.default.statusCode)
+          .then(tests.default.response);
+      });
+    });
+  };
+
   const bulkGetTest = makeBulkGetTest(describe);
   // @ts-ignore
   bulkGetTest.only = makeBulkGetTest(describe.only);
diff --git a/x-pack/test/saved_object_api_integration/common/suites/create.ts b/x-pack/test/saved_object_api_integration/common/suites/create.ts
index bab9b6e069c4c0..afd0d3d21b46ee 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/create.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/create.ts
@@ -25,50 +25,10 @@ interface CreateTestDefinition {
   tests: CreateTests;
 }
 
-export function createTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
-  const spaceAwareType = 'visualization';
-  const notSpaceAwareType = 'globaltype';
-
-  const makeCreateTest = (describeFn: DescribeFn) => (
-    description: string,
-    definition: CreateTestDefinition
-  ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
-    describeFn(description, () => {
-      before(() => esArchiver.load('saved_objects/spaces'));
-      after(() => esArchiver.unload('saved_objects/spaces'));
-      it(`should return ${tests.spaceAware.statusCode} for a space-aware type`, async () => {
-        await supertest
-          .post(`${getUrlPrefix(spaceId)}/api/saved_objects/${spaceAwareType}`)
-          .auth(auth.username, auth.password)
-          .send({
-            attributes: {
-              title: 'My favorite vis',
-            },
-          })
-          .expect(tests.spaceAware.statusCode)
-          .then(tests.spaceAware.response);
-      });
-
-      it(`should return ${tests.notSpaceAware.statusCode} for a non space-aware type`, async () => {
-        await supertest
-          .post(`${getUrlPrefix(spaceId)}/api/saved_objects/${notSpaceAwareType}`)
-          .auth(auth.username, auth.password)
-          .send({
-            attributes: {
-              name: `Can't be contained to a space`,
-            },
-          })
-          .expect(tests.notSpaceAware.statusCode)
-          .then(tests.notSpaceAware.response);
-      });
-    });
-  };
-
-  const createTest = makeCreateTest(describe);
-  // @ts-ignore
-  createTest.only = makeCreateTest(describe.only);
+const spaceAwareType = 'visualization';
+const notSpaceAwareType = 'globaltype';
 
+export function createTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
   const createExpectLegacyForbidden = (username: string) => (resp: any) => {
     expect(resp.body).to.eql({
       statusCode: 403,
@@ -124,6 +84,8 @@ export function createTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
     }
   };
 
+  const expectNotSpaceAwareRbacForbidden = createExpectRbacForbidden(notSpaceAwareType);
+
   const expectNotSpaceAwareResults = async (resp: any) => {
     expect(resp.body)
       .to.have.property('id')
@@ -156,12 +118,54 @@ export function createTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
     expect(actualNamespace).to.eql(undefined);
   };
 
+  const expectSpaceAwareRbacForbidden = createExpectRbacForbidden(spaceAwareType);
+
+  const makeCreateTest = (describeFn: DescribeFn) => (
+    description: string,
+    definition: CreateTestDefinition
+  ) => {
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+      it(`should return ${tests.spaceAware.statusCode} for a space-aware type`, async () => {
+        await supertest
+          .post(`${getUrlPrefix(spaceId)}/api/saved_objects/${spaceAwareType}`)
+          .auth(auth.username, auth.password)
+          .send({
+            attributes: {
+              title: 'My favorite vis',
+            },
+          })
+          .expect(tests.spaceAware.statusCode)
+          .then(tests.spaceAware.response);
+      });
+
+      it(`should return ${tests.notSpaceAware.statusCode} for a non space-aware type`, async () => {
+        await supertest
+          .post(`${getUrlPrefix(spaceId)}/api/saved_objects/${notSpaceAwareType}`)
+          .auth(auth.username, auth.password)
+          .send({
+            attributes: {
+              name: `Can't be contained to a space`,
+            },
+          })
+          .expect(tests.notSpaceAware.statusCode)
+          .then(tests.notSpaceAware.response);
+      });
+    });
+  };
+
+  const createTest = makeCreateTest(describe);
+  // @ts-ignore
+  createTest.only = makeCreateTest(describe.only);
+
   return {
-    createTest,
     createExpectLegacyForbidden,
     createExpectSpaceAwareResults,
+    createTest,
+    expectNotSpaceAwareRbacForbidden,
     expectNotSpaceAwareResults,
-    expectNotSpaceAwareRbacForbidden: createExpectRbacForbidden(notSpaceAwareType),
-    expectSpaceAwareRbacForbidden: createExpectRbacForbidden(spaceAwareType),
+    expectSpaceAwareRbacForbidden,
   };
 }
diff --git a/x-pack/test/saved_object_api_integration/common/suites/delete.ts b/x-pack/test/saved_object_api_integration/common/suites/delete.ts
index 6ab45db4d8cd7c..6a06405b6c6be7 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/delete.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/delete.ts
@@ -28,6 +28,45 @@ interface DeleteTestDefinition {
 }
 
 export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      // eslint-disable-next-line max-len
+      message: `action [indices:data/write/delete] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/delete] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const createExpectNotFound = (spaceId: string, type: string, id: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 404,
+      error: 'Not Found',
+      message: `Saved object [${type}/${getIdPrefix(spaceId)}${id}] not found`,
+    });
+  };
+
+  const createExpectRbacForbidden = (type: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unable to delete ${type}, missing action:saved_objects/${type}/delete`,
+    });
+  };
+
+  const createExpectUnknownDocNotFound = (spaceId: string = DEFAULT_SPACE_ID) => (resp: any) => {
+    createExpectNotFound(spaceId, 'dashboard', `not-a-real-id`)(resp);
+  };
+
+  const expectEmpty = (resp: any) => {
+    expect(resp.body).to.eql({});
+  };
+
+  const expectRbacInvalidIdForbidden = createExpectRbacForbidden('dashboard');
+
+  const expectRbacNotSpaceAwareForbidden = createExpectRbacForbidden('globaltype');
+
+  const expectRbacSpaceAwareForbidden = createExpectRbacForbidden('dashboard');
+
   const makeDeleteTest = (describeFn: DescribeFn) => (
     description: string,
     definition: DeleteTestDefinition
@@ -79,46 +118,13 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
   // @ts-ignore
   deleteTest.only = makeDeleteTest(describe.only);
 
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      // eslint-disable-next-line max-len
-      message: `action [indices:data/write/delete] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/delete] is unauthorized for user [${username}]`,
-    });
-  };
-
-  const expectEmpty = (resp: any) => {
-    expect(resp.body).to.eql({});
-  };
-
-  const createExpectNotFound = (spaceId: string, type: string, id: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 404,
-      error: 'Not Found',
-      message: `Saved object [${type}/${getIdPrefix(spaceId)}${id}] not found`,
-    });
-  };
-
-  const createExpectUnknownDocNotFound = (spaceId: string = DEFAULT_SPACE_ID) => (resp: any) => {
-    createExpectNotFound(spaceId, 'dashboard', `not-a-real-id`)(resp);
-  };
-
-  const createExpectRbacForbidden = (type: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: `Unable to delete ${type}, missing action:saved_objects/${type}/delete`,
-    });
-  };
-
   return {
     createExpectLegacyForbidden,
     createExpectUnknownDocNotFound,
     deleteTest,
     expectEmpty,
-    expectRbacSpaceAwareForbidden: createExpectRbacForbidden('dashboard'),
-    expectRbacNotSpaceAwareForbidden: createExpectRbacForbidden('globaltype'),
-    expectRbacInvalidIdForbidden: createExpectRbacForbidden('dashboard'),
+    expectRbacInvalidIdForbidden,
+    expectRbacNotSpaceAwareForbidden,
+    expectRbacSpaceAwareForbidden,
   };
 }
diff --git a/x-pack/test/saved_object_api_integration/common/suites/find.ts b/x-pack/test/saved_object_api_integration/common/suites/find.ts
index 92a57d3b88c142..a76c49b6570f0d 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/find.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/find.ts
@@ -30,8 +30,85 @@ interface FindTestDefinition {
   tests: FindTests;
 }
 
-// TODO: add space unaware type
 export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const createExpectEmpty = (page: number, perPage: number, total: number) => (resp: any) => {
+    expect(resp.body).to.eql({
+      page,
+      per_page: perPage,
+      total,
+      saved_objects: [],
+    });
+  };
+
+  const createExpectRbacForbidden = (type?: string) => (resp: any) => {
+    const message = type
+      ? `Unable to find ${type}, missing action:saved_objects/${type}/find`
+      : `Not authorized to find saved_object`;
+
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message,
+    });
+  };
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      // eslint-disable-next-line max-len
+      message: `action [indices:data/read/search] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/search] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const expectNotSpaceAwareResults = (resp: any) => {
+    expect(resp.body).to.eql({
+      page: 1,
+      per_page: 20,
+      total: 1,
+      saved_objects: [
+        {
+          type: 'globaltype',
+          id: `8121a00-8efd-21e7-1cb3-34ab966434445`,
+          version: 1,
+          attributes: {
+            name: 'My favorite global object',
+          },
+        },
+      ],
+    });
+  };
+
+  const expectTypeRequired = (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Bad Request',
+      message: 'child "type" fails because ["type" is required]',
+      statusCode: 400,
+      validation: {
+        keys: ['type'],
+        source: 'query',
+      },
+    });
+  };
+
+  const createExpectVisualizationResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+    expect(resp.body).to.eql({
+      page: 1,
+      per_page: 20,
+      total: 1,
+      saved_objects: [
+        {
+          type: 'visualization',
+          id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
+          version: 1,
+          attributes: {
+            title: 'Count of requests',
+          },
+        },
+      ],
+    });
+  };
+
   const makeFindTest = (describeFn: DescribeFn) => (
     description: string,
     definition: FindTestDefinition
@@ -112,88 +189,10 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
   // @ts-ignore
   findTest.only = makeFindTest(describe.only);
 
-  const createExpectEmpty = (page: number, perPage: number, total: number) => (resp: any) => {
-    expect(resp.body).to.eql({
-      page,
-      per_page: perPage,
-      total,
-      saved_objects: [],
-    });
-  };
-
-  const createExpectRbacForbidden = (type?: string) => (resp: any) => {
-    const message = type
-      ? `Unable to find ${type}, missing action:saved_objects/${type}/find`
-      : `Not authorized to find saved_object`;
-
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message,
-    });
-  };
-
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      // eslint-disable-next-line max-len
-      message: `action [indices:data/read/search] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/search] is unauthorized for user [${username}]`,
-    });
-  };
-
-  const expectTypeRequired = (resp: any) => {
-    expect(resp.body).to.eql({
-      error: 'Bad Request',
-      message: 'child "type" fails because ["type" is required]',
-      statusCode: 400,
-      validation: {
-        keys: ['type'],
-        source: 'query',
-      },
-    });
-  };
-
-  const expectNotSpaceAwareResults = (resp: any) => {
-    expect(resp.body).to.eql({
-      page: 1,
-      per_page: 20,
-      total: 1,
-      saved_objects: [
-        {
-          type: 'globaltype',
-          id: `8121a00-8efd-21e7-1cb3-34ab966434445`,
-          version: 1,
-          attributes: {
-            name: 'My favorite global object',
-          },
-        },
-      ],
-    });
-  };
-
-  const createExpectVisualizationResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
-    expect(resp.body).to.eql({
-      page: 1,
-      per_page: 20,
-      total: 1,
-      saved_objects: [
-        {
-          type: 'visualization',
-          id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
-          version: 1,
-          attributes: {
-            title: 'Count of requests',
-          },
-        },
-      ],
-    });
-  };
-
   return {
     createExpectEmpty,
-    createExpectRbacForbidden,
     createExpectLegacyForbidden,
+    createExpectRbacForbidden,
     createExpectVisualizationResults,
     expectNotSpaceAwareResults,
     expectTypeRequired,
diff --git a/x-pack/test/saved_object_api_integration/common/suites/get.ts b/x-pack/test/saved_object_api_integration/common/suites/get.ts
index 7753015033572e..b8166a3bda70ab 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/get.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/get.ts
@@ -26,65 +26,15 @@ interface GetTestDefinition {
   tests: GetTests;
 }
 
-// TODO: add space unaware type
-export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const spaceAwareId = 'dd7caf20-9efd-11e7-acb3-3dab96693fab';
-  const notSpaceAwareId = '8121a00-8efd-21e7-1cb3-34ab966434445';
-  const doesntExistId = 'foobar';
-  const makeGetTest = (describeFn: DescribeFn) => (
-    description: string,
-    definition: GetTestDefinition
-  ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
-
-    describeFn(description, () => {
-      before(() => esArchiver.load('saved_objects/spaces'));
-      after(() => esArchiver.unload('saved_objects/spaces'));
+const spaceAwareId = 'dd7caf20-9efd-11e7-acb3-3dab96693fab';
+const notSpaceAwareId = '8121a00-8efd-21e7-1cb3-34ab966434445';
+const doesntExistId = 'foobar';
 
-      it(`should return ${
-        tests.spaceAware.statusCode
-      } when getting a space aware doc`, async () => {
-        await supertest
-          .get(
-            `${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(
-              spaceId
-            )}${spaceAwareId}`
-          )
-          .auth(auth.username, auth.password)
-          .expect(tests.spaceAware.statusCode)
-          .then(tests.spaceAware.response);
-      });
-
-      it(`should return ${
-        tests.notSpaceAware.statusCode
-      } when deleting a non-space-aware doc`, async () => {
-        await supertest
-          .get(`${getUrlPrefix(spaceId)}/api/saved_objects/globaltype/${notSpaceAwareId}`)
-          .auth(auth.username, auth.password)
-          .expect(tests.notSpaceAware.statusCode)
-          .then(tests.notSpaceAware.response);
-      });
-
-      describe('document does not exist', () => {
-        it(`should return ${tests.doesntExist.statusCode}`, async () => {
-          await supertest
-            .get(
-              `${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(
-                spaceId
-              )}${doesntExistId}`
-            )
-            .auth(auth.username, auth.password)
-            .expect(tests.doesntExist.statusCode)
-            .then(tests.doesntExist.response);
-        });
-      });
-    });
+export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const createExpectDoesntExistNotFound = (spaceId = DEFAULT_SPACE_ID) => {
+    return createExpectNotFound(doesntExistId, spaceId);
   };
 
-  const getTest = makeGetTest(describe);
-  // @ts-ignore
-  getTest.only = makeGetTest(describe.only);
-
   const createExpectLegacyForbidden = (username: string) => (resp: any) => {
     expect(resp.body).to.eql({
       statusCode: 403,
@@ -102,30 +52,38 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     });
   };
 
-  const createExpectDoesntExistNotFound = (spaceId = DEFAULT_SPACE_ID) => {
-    return createExpectNotFound(doesntExistId, spaceId);
-  };
-
-  const createExpectSpaceAwareNotFound = (spaceId = DEFAULT_SPACE_ID) => {
-    return createExpectNotFound(spaceAwareId, spaceId);
-  };
-
   const createExpectNotSpaceAwareNotFound = (spaceId = DEFAULT_SPACE_ID) => {
     return createExpectNotFound(spaceAwareId, spaceId);
   };
 
-  const createExpectSpaceAwareRbacForbidden = () => (resp: any) => {
+  const createExpectNotSpaceAwareRbacForbidden = () => (resp: any) => {
     expect(resp.body).to.eql({
       error: 'Forbidden',
-      message: `Unable to get visualization, missing action:saved_objects/visualization/get`,
+      message: `Unable to get globaltype, missing action:saved_objects/globaltype/get`,
       statusCode: 403,
     });
   };
 
-  const createExpectNotSpaceAwareRbacForbidden = () => (resp: any) => {
+  const createExpectNotSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+    expect(resp.body).to.eql({
+      id: `${notSpaceAwareId}`,
+      type: 'globaltype',
+      updated_at: '2017-09-21T18:59:16.270Z',
+      version: resp.body.version,
+      attributes: {
+        name: 'My favorite global object',
+      },
+    });
+  };
+
+  const createExpectSpaceAwareNotFound = (spaceId = DEFAULT_SPACE_ID) => {
+    return createExpectNotFound(spaceAwareId, spaceId);
+  };
+
+  const createExpectSpaceAwareRbacForbidden = () => (resp: any) => {
     expect(resp.body).to.eql({
       error: 'Forbidden',
-      message: `Unable to get globaltype, missing action:saved_objects/globaltype/get`,
+      message: `Unable to get visualization, missing action:saved_objects/visualization/get`,
       statusCode: 403,
     });
   };
@@ -148,27 +106,69 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     });
   };
 
-  const createExpectNotSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
-    expect(resp.body).to.eql({
-      id: `${notSpaceAwareId}`,
-      type: 'globaltype',
-      updated_at: '2017-09-21T18:59:16.270Z',
-      version: resp.body.version,
-      attributes: {
-        name: 'My favorite global object',
-      },
+  const makeGetTest = (describeFn: DescribeFn) => (
+    description: string,
+    definition: GetTestDefinition
+  ) => {
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${
+        tests.spaceAware.statusCode
+      } when getting a space aware doc`, async () => {
+        await supertest
+          .get(
+            `${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(
+              spaceId
+            )}${spaceAwareId}`
+          )
+          .auth(auth.username, auth.password)
+          .expect(tests.spaceAware.statusCode)
+          .then(tests.spaceAware.response);
+      });
+
+      it(`should return ${
+        tests.notSpaceAware.statusCode
+      } when deleting a non-space-aware doc`, async () => {
+        await supertest
+          .get(`${getUrlPrefix(spaceId)}/api/saved_objects/globaltype/${notSpaceAwareId}`)
+          .auth(auth.username, auth.password)
+          .expect(tests.notSpaceAware.statusCode)
+          .then(tests.notSpaceAware.response);
+      });
+
+      describe('document does not exist', () => {
+        it(`should return ${tests.doesntExist.statusCode}`, async () => {
+          await supertest
+            .get(
+              `${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(
+                spaceId
+              )}${doesntExistId}`
+            )
+            .auth(auth.username, auth.password)
+            .expect(tests.doesntExist.statusCode)
+            .then(tests.doesntExist.response);
+        });
+      });
     });
   };
 
+  const getTest = makeGetTest(describe);
+  // @ts-ignore
+  getTest.only = makeGetTest(describe.only);
+
   return {
+    createExpectDoesntExistNotFound,
+    createExpectLegacyForbidden,
     createExpectNotSpaceAwareNotFound,
     createExpectNotSpaceAwareRbacForbidden,
     createExpectNotSpaceAwareResults,
-    createExpectSpaceAwareResults,
-    createExpectDoesntExistNotFound,
     createExpectSpaceAwareNotFound,
-    createExpectLegacyForbidden,
     createExpectSpaceAwareRbacForbidden,
+    createExpectSpaceAwareResults,
     getTest,
   };
 }
diff --git a/x-pack/test/saved_object_api_integration/common/suites/update.ts b/x-pack/test/saved_object_api_integration/common/suites/update.ts
index 5f2c7bf82a6e5c..a7548e69397b8f 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/update.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/update.ts
@@ -28,6 +28,80 @@ interface UpdateTestDefinition {
 }
 
 export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      // eslint-disable-next-line max-len
+      message: `action [indices:data/write/update] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/update] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const createExpectRbacForbidden = (type: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unable to update ${type}, missing action:saved_objects/${type}/update`,
+    });
+  };
+  const expectDoesntExistRbacForbidden = createExpectRbacForbidden('visualization');
+
+  const expectNotFound = (resp: any) => {
+    expect(resp.body).eql({
+      statusCode: 404,
+      error: 'Not Found',
+      message: 'Saved object [visualization/not an id] not found',
+    });
+  };
+
+  const expectNotSpaceAwareRbacForbidden = createExpectRbacForbidden('globaltype');
+
+  const expectNotSpaceAwareResults = (resp: any) => {
+    // loose uuid validation
+    expect(resp.body)
+      .to.have.property('id')
+      .match(/^[0-9a-f-]{36}$/);
+
+    // loose ISO8601 UTC time with milliseconds validation
+    expect(resp.body)
+      .to.have.property('updated_at')
+      .match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+    expect(resp.body).to.eql({
+      id: resp.body.id,
+      type: 'globaltype',
+      updated_at: resp.body.updated_at,
+      version: 2,
+      attributes: {
+        name: 'My second favorite',
+      },
+    });
+  };
+
+  const expectSpaceAwareRbacForbidden = createExpectRbacForbidden('visualization');
+
+  const expectSpaceAwareResults = (resp: any) => {
+    // loose uuid validation ignoring prefix
+    expect(resp.body)
+      .to.have.property('id')
+      .match(/[0-9a-f-]{36}$/);
+
+    // loose ISO8601 UTC time with milliseconds validation
+    expect(resp.body)
+      .to.have.property('updated_at')
+      .match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+    expect(resp.body).to.eql({
+      id: resp.body.id,
+      type: 'visualization',
+      updated_at: resp.body.updated_at,
+      version: 2,
+      attributes: {
+        title: 'My second favorite vis',
+      },
+    });
+  };
+
   const makeUpdateTest = (describeFn: DescribeFn) => (
     description: string,
     definition: UpdateTestDefinition
@@ -92,83 +166,14 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
   // @ts-ignore
   updateTest.only = makeUpdateTest(describe.only);
 
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      // eslint-disable-next-line max-len
-      message: `action [indices:data/write/update] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/update] is unauthorized for user [${username}]`,
-    });
-  };
-
-  const expectSpaceAwareResults = (resp: any) => {
-    // loose uuid validation ignoring prefix
-    expect(resp.body)
-      .to.have.property('id')
-      .match(/[0-9a-f-]{36}$/);
-
-    // loose ISO8601 UTC time with milliseconds validation
-    expect(resp.body)
-      .to.have.property('updated_at')
-      .match(/^[\d-]{10}T[\d:\.]{12}Z$/);
-
-    expect(resp.body).to.eql({
-      id: resp.body.id,
-      type: 'visualization',
-      updated_at: resp.body.updated_at,
-      version: 2,
-      attributes: {
-        title: 'My second favorite vis',
-      },
-    });
-  };
-
-  const expectNotSpaceAwareResults = (resp: any) => {
-    // loose uuid validation
-    expect(resp.body)
-      .to.have.property('id')
-      .match(/^[0-9a-f-]{36}$/);
-
-    // loose ISO8601 UTC time with milliseconds validation
-    expect(resp.body)
-      .to.have.property('updated_at')
-      .match(/^[\d-]{10}T[\d:\.]{12}Z$/);
-
-    expect(resp.body).to.eql({
-      id: resp.body.id,
-      type: 'globaltype',
-      updated_at: resp.body.updated_at,
-      version: 2,
-      attributes: {
-        name: 'My second favorite',
-      },
-    });
-  };
-
-  const expectNotFound = (resp: any) => {
-    expect(resp.body).eql({
-      statusCode: 404,
-      error: 'Not Found',
-      message: 'Saved object [visualization/not an id] not found',
-    });
-  };
-
-  const createExpectRbacForbidden = (type: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: `Unable to update ${type}, missing action:saved_objects/${type}/update`,
-    });
-  };
-
   return {
     createExpectLegacyForbidden,
-    expectDoesntExistRbacForbidden: createExpectRbacForbidden('visualization'),
-    expectNotSpaceAwareResults,
-    expectNotSpaceAwareRbacForbidden: createExpectRbacForbidden('globaltype'),
+    expectDoesntExistRbacForbidden,
     expectNotFound,
+    expectNotSpaceAwareRbacForbidden,
+    expectNotSpaceAwareResults,
+    expectSpaceAwareRbacForbidden,
     expectSpaceAwareResults,
-    expectSpaceAwareRbacForbidden: createExpectRbacForbidden('visualization'),
     updateTest,
   };
 }
diff --git a/x-pack/test/spaces_api_integration/common/suites/create.ts b/x-pack/test/spaces_api_integration/common/suites/create.ts
index 54f20c93d03525..45532d4998e801 100644
--- a/x-pack/test/spaces_api_integration/common/suites/create.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/create.ts
@@ -27,6 +27,47 @@ interface CreateTestDefinition {
 }
 
 export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const createExpectLegacyForbiddenResponse = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `action [indices:data/write/index] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/index] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const expectConflictResponse = (resp: any) => {
+    expect(resp.body).to.only.have.keys(['error', 'message', 'statusCode']);
+    expect(resp.body.error).to.equal('Conflict');
+    expect(resp.body.statusCode).to.equal(409);
+    expect(resp.body.message).to.match(new RegExp(`A space with the identifier .*`));
+  };
+
+  const expectNewSpaceResult = (resp: any) => {
+    expect(resp.body).to.eql({
+      name: 'marketing',
+      id: 'marketing',
+      description: 'a description',
+      color: '#5c5959',
+    });
+  };
+
+  const expectRbacForbiddenResponse = (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: 'Unauthorized to create spaces',
+    });
+  };
+
+  const expectReservedSpecifiedResult = (resp: any) => {
+    expect(resp.body).to.eql({
+      name: 'reserved space',
+      id: 'reserved',
+      description: 'a description',
+      color: '#5c5959',
+    });
+  };
+
   const makeCreateTest = (describeFn: DescribeFn) => (
     description: string,
     { auth = {}, spaceId, tests }: CreateTestDefinition
@@ -88,53 +129,12 @@ export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
   // @ts-ignore
   createTest.only = makeCreateTest(describe.only);
 
-  const expectConflictResponse = (resp: any) => {
-    expect(resp.body).to.only.have.keys(['error', 'message', 'statusCode']);
-    expect(resp.body.error).to.equal('Conflict');
-    expect(resp.body.statusCode).to.equal(409);
-    expect(resp.body.message).to.match(new RegExp(`A space with the identifier .*`));
-  };
-
-  const expectRbacForbiddenResponse = (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: 'Unauthorized to create spaces',
-    });
-  };
-
-  const createExpectLegacyForbiddenResponse = (username: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: `action [indices:data/write/index] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/index] is unauthorized for user [${username}]`,
-    });
-  };
-
-  const expectNewSpaceResult = (resp: any) => {
-    expect(resp.body).to.eql({
-      name: 'marketing',
-      id: 'marketing',
-      description: 'a description',
-      color: '#5c5959',
-    });
-  };
-
-  const expectReservedSpecifiedResult = (resp: any) => {
-    expect(resp.body).to.eql({
-      name: 'reserved space',
-      id: 'reserved',
-      description: 'a description',
-      color: '#5c5959',
-    });
-  };
-
   return {
+    createExpectLegacyForbiddenResponse,
     createTest,
-    expectNewSpaceResult,
-    expectReservedSpecifiedResult,
     expectConflictResponse,
+    expectNewSpaceResult,
     expectRbacForbiddenResponse,
-    createExpectLegacyForbiddenResponse,
+    expectReservedSpecifiedResult,
   };
 }
diff --git a/x-pack/test/spaces_api_integration/common/suites/delete.ts b/x-pack/test/spaces_api_integration/common/suites/delete.ts
index d35fe5aa8470a1..eb1a663ed2cb3d 100644
--- a/x-pack/test/spaces_api_integration/common/suites/delete.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/delete.ts
@@ -26,6 +26,45 @@ interface DeleteTestDefinition {
 }
 
 export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const createExpectLegacyForbidden = (username: string, action: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `action [indices:data/${action}] is unauthorized for user [${username}]: [security_exception] action [indices:data/${action}] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const createExpectResult = (expectedResult: any) => (resp: any) => {
+    expect(resp.body).to.eql(expectedResult);
+  };
+
+  const expectEmptyResult = (resp: any) => {
+    expect(resp.body).to.eql('');
+  };
+
+  const expectNotFound = (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Not Found',
+      statusCode: 404,
+    });
+  };
+
+  const expectRbacForbidden = (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: 'Unauthorized to delete spaces',
+    });
+  };
+
+  const expectReservedSpaceResult = (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Bad Request',
+      statusCode: 400,
+      message: `This Space cannot be deleted because it is reserved.`,
+    });
+  };
+
   const makeDeleteTest = (describeFn: DescribeFn) => (
     description: string,
     { auth = {}, spaceId, tests }: DeleteTestDefinition
@@ -68,52 +107,13 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
   // @ts-ignore
   deleteTest.only = makeDeleteTest(describe.only);
 
-  const createExpectResult = (expectedResult: any) => (resp: any) => {
-    expect(resp.body).to.eql(expectedResult);
-  };
-
-  const expectEmptyResult = (resp: any) => {
-    expect(resp.body).to.eql('');
-  };
-
-  const expectNotFoundResult = (resp: any) => {
-    expect(resp.body).to.eql({
-      error: 'Not Found',
-      statusCode: 404,
-    });
-  };
-
-  const expectReservedSpaceResult = (resp: any) => {
-    expect(resp.body).to.eql({
-      error: 'Bad Request',
-      statusCode: 400,
-      message: `This Space cannot be deleted because it is reserved.`,
-    });
-  };
-
-  const expectRbacForbidden = (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: 'Unauthorized to delete spaces',
-    });
-  };
-
-  const createExpectLegacyForbidden = (username: string, action: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: `action [indices:data/${action}] is unauthorized for user [${username}]: [security_exception] action [indices:data/${action}] is unauthorized for user [${username}]`,
-    });
-  };
-
   return {
-    deleteTest,
     createExpectLegacyForbidden,
     createExpectResult,
-    expectRbacForbidden,
+    deleteTest,
     expectEmptyResult,
-    expectNotFoundResult,
+    expectNotFound,
+    expectRbacForbidden,
     expectReservedSpaceResult,
   };
 }
diff --git a/x-pack/test/spaces_api_integration/common/suites/get.ts b/x-pack/test/spaces_api_integration/common/suites/get.ts
index fcb0d90d1de204..aeff87f9e4fee5 100644
--- a/x-pack/test/spaces_api_integration/common/suites/get.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/get.ts
@@ -24,30 +24,35 @@ interface GetTestDefinition {
   tests: GetTests;
 }
 
+const nonExistantSpaceId = 'not-a-space';
+
 export function getTestSuiteFactory(esArchiver: any, supertest: SuperAgent<any>) {
-  const nonExistantSpaceId = 'not-a-space';
+  const createExpectEmptyResult = () => (resp: any) => {
+    expect(resp.body).to.eql('');
+  };
 
-  const makeGetTest = (describeFn: DescribeFn) => (
-    description: string,
-    { auth = {}, currentSpaceId, spaceId, tests }: GetTestDefinition
-  ) => {
-    describeFn(description, () => {
-      before(() => esArchiver.load('saved_objects/spaces'));
-      after(() => esArchiver.unload('saved_objects/spaces'));
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `action [indices:data/read/get] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/get] is unauthorized for user [${username}]`,
+    });
+  };
 
-      it(`should return ${tests.default.statusCode}`, async () => {
-        return supertest
-          .get(`${getUrlPrefix(currentSpaceId)}/api/spaces/space/${spaceId}`)
-          .auth(auth.username, auth.password)
-          .expect(tests.default.statusCode)
-          .then(tests.default.response);
-      });
+  const createExpectNotFoundResult = () => (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Not Found',
+      statusCode: 404,
     });
   };
 
-  const getTest = makeGetTest(describe);
-  // @ts-ignore
-  getTest.only = makeGetTest(describe);
+  const createExpectRbacForbidden = (spaceId: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unauthorized to get ${spaceId} space`,
+    });
+  };
 
   const createExpectResults = (spaceId: string) => (resp: any) => {
     const allSpaces = [
@@ -71,40 +76,35 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperAgent<any>)
     expect(resp.body).to.eql(allSpaces.find(space => space.id === spaceId));
   };
 
-  const createExpectEmptyResult = () => (resp: any) => {
-    expect(resp.body).to.eql('');
-  };
-
-  const createExpectNotFoundResult = () => (resp: any) => {
-    expect(resp.body).to.eql({
-      error: 'Not Found',
-      statusCode: 404,
-    });
-  };
+  const makeGetTest = (describeFn: DescribeFn) => (
+    description: string,
+    { auth = {}, currentSpaceId, spaceId, tests }: GetTestDefinition
+  ) => {
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
 
-  const createExpectRbacForbidden = (spaceId: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: `Unauthorized to get ${spaceId} space`,
+      it(`should return ${tests.default.statusCode}`, async () => {
+        return supertest
+          .get(`${getUrlPrefix(currentSpaceId)}/api/spaces/space/${spaceId}`)
+          .auth(auth.username, auth.password)
+          .expect(tests.default.statusCode)
+          .then(tests.default.response);
+      });
     });
   };
 
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: `action [indices:data/read/get] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/get] is unauthorized for user [${username}]`,
-    });
-  };
+  const getTest = makeGetTest(describe);
+  // @ts-ignore
+  getTest.only = makeGetTest(describe);
 
   return {
-    getTest,
-    nonExistantSpaceId,
     createExpectResults,
     createExpectRbacForbidden,
     createExpectEmptyResult,
     createExpectNotFoundResult,
     createExpectLegacyForbidden,
+    getTest,
+    nonExistantSpaceId,
   };
 }
diff --git a/x-pack/test/spaces_api_integration/common/suites/get_all.ts b/x-pack/test/spaces_api_integration/common/suites/get_all.ts
index 9437414cc8b5c3..3037c7461d7182 100644
--- a/x-pack/test/spaces_api_integration/common/suites/get_all.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/get_all.ts
@@ -24,28 +24,14 @@ interface GetAllTestDefinition {
 }
 
 export function getAllTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const makeGetAllTest = (describeFn: DescribeFn) => (
-    description: string,
-    { auth = {}, spaceId, tests }: GetAllTestDefinition
-  ) => {
-    describeFn(description, () => {
-      before(() => esArchiver.load('saved_objects/spaces'));
-      after(() => esArchiver.unload('saved_objects/spaces'));
-
-      it(`should return ${tests.exists.statusCode}`, async () => {
-        return supertest
-          .get(`${getUrlPrefix(spaceId)}/api/spaces/space`)
-          .auth(auth.username, auth.password)
-          .expect(tests.exists.statusCode)
-          .then(tests.exists.response);
-      });
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `action [indices:data/read/search] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/search] is unauthorized for user [${username}]`,
     });
   };
 
-  const getAllTest = makeGetAllTest(describe);
-  // @ts-ignore
-  getAllTest.only = makeGetAllTest(describe.only);
-
   const createExpectResults = (...spaceIds: string[]) => (resp: any) => {
     const expectedBody = [
       {
@@ -72,18 +58,32 @@ export function getAllTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     expect(resp.body).to.eql('');
   };
 
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: `action [indices:data/read/search] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/search] is unauthorized for user [${username}]`,
+  const makeGetAllTest = (describeFn: DescribeFn) => (
+    description: string,
+    { auth = {}, spaceId, tests }: GetAllTestDefinition
+  ) => {
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.exists.statusCode}`, async () => {
+        return supertest
+          .get(`${getUrlPrefix(spaceId)}/api/spaces/space`)
+          .auth(auth.username, auth.password)
+          .expect(tests.exists.statusCode)
+          .then(tests.exists.response);
+      });
     });
   };
 
+  const getAllTest = makeGetAllTest(describe);
+  // @ts-ignore
+  getAllTest.only = makeGetAllTest(describe.only);
+
   return {
-    getAllTest,
     createExpectResults,
     createExpectLegacyForbidden,
+    getAllTest,
     expectEmptyResult,
   };
 }
diff --git a/x-pack/test/spaces_api_integration/common/suites/select.ts b/x-pack/test/spaces_api_integration/common/suites/select.ts
index b2f86a77f78652..b862aa6a466f05 100644
--- a/x-pack/test/spaces_api_integration/common/suites/select.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/select.ts
@@ -26,30 +26,35 @@ interface SelectTestDefinition {
   tests: SelectTests;
 }
 
+const nonExistantSpaceId = 'not-a-space';
+
 export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const nonExistantSpaceId = 'not-a-space';
+  const createExpectEmptyResult = () => (resp: any) => {
+    expect(resp.body).to.eql('');
+  };
 
-  const makeSelectTest = (describeFn: DescribeFn) => (
-    description: string,
-    { auth = {}, currentSpaceId, spaceId, tests }: SelectTestDefinition
-  ) => {
-    describeFn(description, () => {
-      before(() => esArchiver.load('saved_objects/spaces'));
-      after(() => esArchiver.unload('saved_objects/spaces'));
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `action [indices:data/read/get] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/get] is unauthorized for user [${username}]`,
+    });
+  };
 
-      it(`should return ${tests.default.statusCode}`, async () => {
-        return supertest
-          .post(`${getUrlPrefix(currentSpaceId)}/api/spaces/v1/space/${spaceId}/select`)
-          .auth(auth.username, auth.password)
-          .expect(tests.default.statusCode)
-          .then(tests.default.response);
-      });
+  const createExpectNotFoundResult = () => (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Not Found',
+      statusCode: 404,
     });
   };
 
-  const selectTest = makeSelectTest(describe);
-  // @ts-ignore
-  selectTest.only = makeSelectTest(describe.only);
+  const createExpectRbacForbidden = (spaceId: any) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `Unauthorized to get ${spaceId} space`,
+    });
+  };
 
   const createExpectResults = (spaceId: string) => (resp: any) => {
     const allSpaces = [
@@ -73,30 +78,6 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     expect(resp.body).to.eql(allSpaces.find(space => space.id === spaceId));
   };
 
-  const createExpectEmptyResult = () => (resp: any) => {
-    expect(resp.body).to.eql('');
-  };
-
-  const createExpectNotFoundResult = () => (resp: any) => {
-    expect(resp.body).to.eql({
-      error: 'Not Found',
-      statusCode: 404,
-    });
-  };
-  const createExpectRbacForbidden = (spaceId: any) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: `Unauthorized to get ${spaceId} space`,
-    });
-  };
-
-  const expectDefaultSpaceResponse = (resp: any) => {
-    expect(resp.body).to.eql({
-      location: `/app/kibana`,
-    });
-  };
-
   const createExpectSpaceResponse = (spaceId: string) => (resp: any) => {
     if (spaceId === DEFAULT_SPACE_ID) {
       expectDefaultSpaceResponse(resp);
@@ -107,23 +88,43 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     }
   };
 
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+  const expectDefaultSpaceResponse = (resp: any) => {
     expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: `action [indices:data/read/get] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/get] is unauthorized for user [${username}]`,
+      location: `/app/kibana`,
+    });
+  };
+
+  const makeSelectTest = (describeFn: DescribeFn) => (
+    description: string,
+    { auth = {}, currentSpaceId, spaceId, tests }: SelectTestDefinition
+  ) => {
+    describeFn(description, () => {
+      before(() => esArchiver.load('saved_objects/spaces'));
+      after(() => esArchiver.unload('saved_objects/spaces'));
+
+      it(`should return ${tests.default.statusCode}`, async () => {
+        return supertest
+          .post(`${getUrlPrefix(currentSpaceId)}/api/spaces/v1/space/${spaceId}/select`)
+          .auth(auth.username, auth.password)
+          .expect(tests.default.statusCode)
+          .then(tests.default.response);
+      });
     });
   };
 
+  const selectTest = makeSelectTest(describe);
+  // @ts-ignore
+  selectTest.only = makeSelectTest(describe.only);
+
   return {
-    selectTest,
-    nonExistantSpaceId,
-    expectDefaultSpaceResponse,
-    createExpectSpaceResponse,
-    createExpectResults,
-    createExpectRbacForbidden,
     createExpectEmptyResult,
-    createExpectNotFoundResult,
     createExpectLegacyForbidden,
+    createExpectNotFoundResult,
+    createExpectRbacForbidden,
+    createExpectResults,
+    createExpectSpaceResponse,
+    expectDefaultSpaceResponse,
+    nonExistantSpaceId,
+    selectTest,
   };
 }
diff --git a/x-pack/test/spaces_api_integration/common/suites/update.ts b/x-pack/test/spaces_api_integration/common/suites/update.ts
index d18f5b1da94128..ca422f65ecaf31 100644
--- a/x-pack/test/spaces_api_integration/common/suites/update.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/update.ts
@@ -26,6 +26,48 @@ interface UpdateTestDefinition {
 }
 
 export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
+  const expectRbacForbidden = (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: 'Unauthorized to update spaces',
+    });
+  };
+
+  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: `action [indices:data/write/update] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/update] is unauthorized for user [${username}]`,
+    });
+  };
+
+  const expectNotFound = (resp: any) => {
+    expect(resp.body).to.eql({
+      error: 'Not Found',
+      statusCode: 404,
+    });
+  };
+
+  const expectDefaultSpaceResult = (resp: any) => {
+    expect(resp.body).to.eql({
+      name: 'the new default',
+      id: 'default',
+      description: 'a description',
+      color: '#ffffff',
+      _reserved: true,
+    });
+  };
+
+  const expectAlreadyExistsResult = (resp: any) => {
+    expect(resp.body).to.eql({
+      name: 'space 1',
+      id: 'space_1',
+      description: 'a description',
+      color: '#5c5959',
+    });
+  };
+
   const makeUpdateTest = (describeFn: DescribeFn) => (
     description: string,
     { auth = {}, spaceId, tests }: UpdateTestDefinition
@@ -88,56 +130,12 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
   // @ts-ignore
   updateTest.only = makeUpdateTest(describe.only);
 
-  const createExpectNotFoundResult = (spaceId: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      error: 'Not Found',
-      statusCode: 404,
-    });
-  };
-
-  const expectRbacForbidden = (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: 'Unauthorized to update spaces',
-    });
-  };
-
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
-    expect(resp.body).to.eql({
-      statusCode: 403,
-      error: 'Forbidden',
-      message: `action [indices:data/write/update] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/update] is unauthorized for user [${username}]`,
-    });
-  };
-
-  const expectNewSpaceNotFound = createExpectNotFoundResult('marketing');
-
-  const expectDefaultSpaceResult = (resp: any) => {
-    expect(resp.body).to.eql({
-      name: 'the new default',
-      id: 'default',
-      description: 'a description',
-      color: '#ffffff',
-      _reserved: true,
-    });
-  };
-
-  const expectAlreadyExistsResult = (resp: any) => {
-    expect(resp.body).to.eql({
-      name: 'space 1',
-      id: 'space_1',
-      description: 'a description',
-      color: '#5c5959',
-    });
-  };
-
   return {
-    updateTest,
-    expectNewSpaceNotFound,
-    expectRbacForbidden,
     createExpectLegacyForbidden,
     expectAlreadyExistsResult,
     expectDefaultSpaceResult,
+    expectNotFound,
+    expectRbacForbidden,
+    updateTest,
   };
 }
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
index 3e43defaa910cf..f16a192eacb34f 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
@@ -19,7 +19,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
     createExpectLegacyForbidden,
     expectRbacForbidden,
     expectEmptyResult,
-    expectNotFoundResult,
+    expectNotFound,
     expectReservedSpaceResult,
   } = deleteTestSuiteFactory(esArchiver, supertestWithoutAuth);
 
@@ -89,7 +89,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
           },
           doesntExist: {
             statusCode: 404,
-            response: expectNotFoundResult,
+            response: expectNotFound,
           },
         },
       });
@@ -111,7 +111,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
           },
           doesntExist: {
             statusCode: 404,
-            response: expectNotFoundResult,
+            response: expectNotFound,
           },
         },
       });
@@ -133,7 +133,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
           },
           doesntExist: {
             statusCode: 404,
-            response: expectNotFoundResult,
+            response: expectNotFound,
           },
         },
       });
@@ -155,7 +155,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
           },
           doesntExist: {
             statusCode: 404,
-            response: expectNotFoundResult,
+            response: expectNotFound,
           },
         },
       });
@@ -224,7 +224,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
           },
           doesntExist: {
             statusCode: 404,
-            response: expectNotFoundResult,
+            response: expectNotFound,
           },
         },
       });
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
index e2d1e26fdc7181..dbecb4f3ce2327 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
@@ -16,7 +16,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
 
   const {
     updateTest,
-    expectNewSpaceNotFound,
+    expectNotFound,
     expectAlreadyExistsResult,
     expectDefaultSpaceResult,
     expectRbacForbidden,
@@ -98,7 +98,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
             },
             newSpace: {
               statusCode: 404,
-              response: expectNewSpaceNotFound,
+              response: expectNotFound,
             },
           },
         }
@@ -124,7 +124,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
             },
             newSpace: {
               statusCode: 404,
-              response: expectNewSpaceNotFound,
+              response: expectNotFound,
             },
           },
         }
@@ -150,7 +150,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
             },
             newSpace: {
               statusCode: 404,
-              response: expectNewSpaceNotFound,
+              response: expectNotFound,
             },
           },
         }
@@ -176,7 +176,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
             },
             newSpace: {
               statusCode: 404,
-              response: expectNewSpaceNotFound,
+              response: expectNotFound,
             },
           },
         }
diff --git a/x-pack/test/spaces_api_integration/spaces_only/apis/delete.ts b/x-pack/test/spaces_api_integration/spaces_only/apis/delete.ts
index 3b073e377a4e5b..a0902281f4c73d 100644
--- a/x-pack/test/spaces_api_integration/spaces_only/apis/delete.ts
+++ b/x-pack/test/spaces_api_integration/spaces_only/apis/delete.ts
@@ -17,7 +17,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
     deleteTest,
     expectEmptyResult,
     expectReservedSpaceResult,
-    expectNotFoundResult,
+    expectNotFound,
   } = deleteTestSuiteFactory(esArchiver, supertestWithoutAuth);
 
   describe('delete', () => {
@@ -42,7 +42,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
           },
           doesntExist: {
             statusCode: 404,
-            response: expectNotFoundResult,
+            response: expectNotFound,
           },
         },
       });
diff --git a/x-pack/test/spaces_api_integration/spaces_only/apis/update.ts b/x-pack/test/spaces_api_integration/spaces_only/apis/update.ts
index 54da0b7ecebdcc..649fb07c8cbdb6 100644
--- a/x-pack/test/spaces_api_integration/spaces_only/apis/update.ts
+++ b/x-pack/test/spaces_api_integration/spaces_only/apis/update.ts
@@ -17,7 +17,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
     updateTest,
     expectAlreadyExistsResult,
     expectDefaultSpaceResult,
-    expectNewSpaceNotFound,
+    expectNotFound,
   } = updateTestSuiteFactory(esArchiver, supertestWithoutAuth);
 
   describe('update', () => {
@@ -42,7 +42,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
           },
           newSpace: {
             statusCode: 404,
-            response: expectNewSpaceNotFound,
+            response: expectNotFound,
           },
         },
       });

From 7c1e8c06b57589f0828e1a7f563848f6ab8ac343 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 24 Sep 2018 14:35:00 -0700
Subject: [PATCH 176/183] Changing the way users are names to hopefully make
 this more clear

---
 .../security_and_spaces/apis/bulk_create.ts   | 180 +++++-----
 .../security_and_spaces/apis/bulk_get.ts      | 138 +++----
 .../security_and_spaces/apis/create.ts        | 123 +++----
 .../security_and_spaces/apis/delete.ts        | 127 +++----
 .../security_and_spaces/apis/find.ts          | 158 ++++----
 .../security_and_spaces/apis/get.ts           | 121 ++++---
 .../security_and_spaces/apis/update.ts        | 117 +++---
 .../common/suites/select.ts                   |   6 +-
 .../security_and_spaces/apis/create.ts        | 106 +++---
 .../security_and_spaces/apis/delete.ts        | 102 +++---
 .../security_and_spaces/apis/get.ts           | 169 ++++-----
 .../security_and_spaces/apis/get_all.ts       | 147 ++++----
 .../security_and_spaces/apis/select.ts        | 339 ++++++++++--------
 .../security_and_spaces/apis/update.ts        | 116 +++---
 .../spaces_only/apis/select.ts                |   4 +-
 15 files changed, 1014 insertions(+), 939 deletions(-)

diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
index 6ce55e3470d004..3d27bf583b7201 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
@@ -26,52 +26,55 @@ export default function({ getService }: TestInvoker) {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        },
       },
     ].forEach(scenario => {
-      bulkCreateTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkCreateTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.notAKibanaUser.USERNAME,
-          password: scenario.notAKibanaUser.PASSWORD,
+          username: scenario.users.noAccess.USERNAME,
+          password: scenario.users.noAccess.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
           default: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
         },
       });
 
-      bulkCreateTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkCreateTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.superuser.USERNAME,
-          password: scenario.superuser.PASSWORD,
+          username: scenario.users.superuser.USERNAME,
+          password: scenario.users.superuser.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -82,44 +85,38 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkCreateTest(
-        `${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.userWithLegacyAll.USERNAME,
-            password: scenario.userWithLegacyAll.PASSWORD,
-          },
-          spaceId: scenario.spaceId,
-          tests: {
-            default: {
-              statusCode: 200,
-              response: createExpectResults(scenario.spaceId),
-            },
+      bulkCreateTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.legacyAll.USERNAME,
+          password: scenario.users.legacyAll.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
           },
-        }
-      );
+        },
+      });
 
-      bulkCreateTest(
-        `${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.userWithLegacyRead.USERNAME,
-            password: scenario.userWithLegacyRead.PASSWORD,
-          },
-          spaceId: scenario.spaceId,
-          tests: {
-            default: {
-              statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
-            },
+      bulkCreateTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.legacyRead.USERNAME,
+          password: scenario.users.legacyRead.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
           },
-        }
-      );
+        },
+      });
 
-      bulkCreateTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkCreateTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithDualAll.USERNAME,
-          password: scenario.userWithDualAll.PASSWORD,
+          username: scenario.users.dualAll.USERNAME,
+          password: scenario.users.dualAll.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -130,10 +127,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkCreateTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkCreateTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithDualRead.USERNAME,
-          password: scenario.userWithDualRead.PASSWORD,
+          username: scenario.users.dualRead.USERNAME,
+          password: scenario.users.dualRead.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -145,11 +142,11 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkCreateTest(
-        `${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`,
+        `${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`,
         {
           auth: {
-            username: scenario.userWithAllGlobally.USERNAME,
-            password: scenario.userWithAllGlobally.PASSWORD,
+            username: scenario.users.allGlobally.USERNAME,
+            password: scenario.users.allGlobally.PASSWORD,
           },
           spaceId: scenario.spaceId,
           tests: {
@@ -162,11 +159,11 @@ export default function({ getService }: TestInvoker) {
       );
 
       bulkCreateTest(
-        `${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`,
+        `${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`,
         {
           auth: {
-            username: scenario.userWithReadGlobally.USERNAME,
-            password: scenario.userWithReadGlobally.PASSWORD,
+            username: scenario.users.readGlobally.USERNAME,
+            password: scenario.users.readGlobally.PASSWORD,
           },
           spaceId: scenario.spaceId,
           tests: {
@@ -178,29 +175,26 @@ export default function({ getService }: TestInvoker) {
         }
       );
 
-      bulkCreateTest(
-        `${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.userWithAllAtSpace.USERNAME,
-            password: scenario.userWithAllAtSpace.PASSWORD,
-          },
-          spaceId: scenario.spaceId,
-          tests: {
-            default: {
-              statusCode: 200,
-              response: createExpectResults(scenario.spaceId),
-            },
+      bulkCreateTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.allAtSpace.USERNAME,
+          password: scenario.users.allAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
           },
-        }
-      );
+        },
+      });
 
       bulkCreateTest(
-        `${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`,
+        `${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`,
         {
           auth: {
-            username: scenario.userWithReadAtSpace.USERNAME,
-            password: scenario.userWithReadAtSpace.PASSWORD,
+            username: scenario.users.readAtSpace.USERNAME,
+            password: scenario.users.readAtSpace.PASSWORD,
           },
           spaceId: scenario.spaceId,
           tests: {
@@ -213,11 +207,11 @@ export default function({ getService }: TestInvoker) {
       );
 
       bulkCreateTest(
-        `${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
+        `${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
         {
           auth: {
-            username: scenario.userWithAllAtOtherSpace.USERNAME,
-            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+            username: scenario.users.allAtOtherSpace.USERNAME,
+            password: scenario.users.allAtOtherSpace.PASSWORD,
           },
           spaceId: scenario.spaceId,
           tests: {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
index 8579aa5a986c48..eb52bd53779170 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
@@ -25,52 +25,55 @@ export default function({ getService }: TestInvoker) {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        },
       },
     ].forEach(scenario => {
-      bulkGetTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.notAKibanaUser.USERNAME,
-          password: scenario.notAKibanaUser.PASSWORD,
+          username: scenario.users.noAccess.USERNAME,
+          password: scenario.users.noAccess.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
           default: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
         },
       });
 
-      bulkGetTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.superuser.USERNAME,
-          password: scenario.superuser.PASSWORD,
+          username: scenario.users.superuser.USERNAME,
+          password: scenario.users.superuser.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -81,10 +84,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithLegacyAll.USERNAME,
-          password: scenario.userWithLegacyAll.PASSWORD,
+          username: scenario.users.legacyAll.USERNAME,
+          password: scenario.users.legacyAll.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -95,10 +98,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithLegacyRead.USERNAME,
-          password: scenario.userWithLegacyRead.PASSWORD,
+          username: scenario.users.legacyRead.USERNAME,
+          password: scenario.users.legacyRead.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -109,10 +112,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithDualAll.USERNAME,
-          password: scenario.userWithDualAll.PASSWORD,
+          username: scenario.users.dualAll.USERNAME,
+          password: scenario.users.dualAll.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -123,10 +126,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithDualRead.USERNAME,
-          password: scenario.userWithDualRead.PASSWORD,
+          username: scenario.users.dualRead.USERNAME,
+          password: scenario.users.dualRead.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -137,10 +140,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithAllGlobally.USERNAME,
-          password: scenario.userWithAllGlobally.PASSWORD,
+          username: scenario.users.allGlobally.USERNAME,
+          password: scenario.users.allGlobally.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -151,27 +154,24 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(
-        `${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.userWithReadGlobally.USERNAME,
-            password: scenario.userWithReadGlobally.PASSWORD,
-          },
-          spaceId: scenario.spaceId,
-          tests: {
-            default: {
-              statusCode: 200,
-              response: createExpectResults(scenario.spaceId),
-            },
+      bulkGetTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.readGlobally.USERNAME,
+          password: scenario.users.readGlobally.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
           },
-        }
-      );
+        },
+      });
 
-      bulkGetTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithAllAtSpace.USERNAME,
-          password: scenario.userWithAllAtSpace.PASSWORD,
+          username: scenario.users.allAtSpace.USERNAME,
+          password: scenario.users.allAtSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -182,10 +182,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithReadAtSpace.USERNAME,
-          password: scenario.userWithReadAtSpace.PASSWORD,
+          username: scenario.users.readAtSpace.USERNAME,
+          password: scenario.users.readAtSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -197,11 +197,11 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkGetTest(
-        `${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
+        `${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
         {
           auth: {
-            username: scenario.userWithAllAtOtherSpace.USERNAME,
-            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+            username: scenario.users.allAtOtherSpace.USERNAME,
+            password: scenario.users.allAtOtherSpace.PASSWORD,
           },
           spaceId: scenario.spaceId,
           tests: {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts
index f147e28c01e98e..f3a7f161833af2 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts
@@ -28,56 +28,59 @@ export default function({ getService }: TestInvoker) {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        },
       },
     ].forEach(scenario => {
-      createTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.notAKibanaUser.USERNAME,
-          password: scenario.notAKibanaUser.PASSWORD,
+          username: scenario.users.noAccess.USERNAME,
+          password: scenario.users.noAccess.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
         },
       });
 
-      createTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.superuser.USERNAME,
-          password: scenario.superuser.PASSWORD,
+          username: scenario.users.superuser.USERNAME,
+          password: scenario.users.superuser.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -92,10 +95,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithLegacyAll.USERNAME,
-          password: scenario.userWithLegacyAll.PASSWORD,
+          username: scenario.users.legacyAll.USERNAME,
+          password: scenario.users.legacyAll.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -110,28 +113,28 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithLegacyRead.USERNAME,
-          password: scenario.userWithLegacyRead.PASSWORD,
+          username: scenario.users.legacyRead.USERNAME,
+          password: scenario.users.legacyRead.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
           },
         },
       });
 
-      createTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithDualAll.USERNAME,
-          password: scenario.userWithDualAll.PASSWORD,
+          username: scenario.users.dualAll.USERNAME,
+          password: scenario.users.dualAll.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -146,10 +149,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithDualRead.USERNAME,
-          password: scenario.userWithDualRead.PASSWORD,
+          username: scenario.users.dualRead.USERNAME,
+          password: scenario.users.dualRead.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -164,10 +167,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithAllGlobally.USERNAME,
-          password: scenario.userWithAllGlobally.PASSWORD,
+          username: scenario.users.allGlobally.USERNAME,
+          password: scenario.users.allGlobally.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -182,10 +185,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithReadGlobally.USERNAME,
-          password: scenario.userWithReadGlobally.PASSWORD,
+          username: scenario.users.readGlobally.USERNAME,
+          password: scenario.users.readGlobally.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -200,10 +203,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithAllAtSpace.USERNAME,
-          password: scenario.userWithAllAtSpace.PASSWORD,
+          username: scenario.users.allAtSpace.USERNAME,
+          password: scenario.users.allAtSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -218,10 +221,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithReadAtSpace.USERNAME,
-          password: scenario.userWithReadAtSpace.PASSWORD,
+          username: scenario.users.readAtSpace.USERNAME,
+          password: scenario.users.readAtSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -237,11 +240,11 @@ export default function({ getService }: TestInvoker) {
       });
 
       createTest(
-        `${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
+        `${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
         {
           auth: {
-            username: scenario.userWithAllAtOtherSpace.USERNAME,
-            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+            username: scenario.users.allAtOtherSpace.USERNAME,
+            password: scenario.users.allAtOtherSpace.PASSWORD,
           },
           spaceId: scenario.spaceId,
           tests: {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts
index 39f5aff6ffe1fd..b8334112c4ddf9 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts
@@ -28,60 +28,63 @@ export default function({ getService }: TestInvoker) {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        },
       },
     ].forEach(scenario => {
-      deleteTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.notAKibanaUser.USERNAME,
-          password: scenario.notAKibanaUser.PASSWORD,
+          username: scenario.users.noAccess.USERNAME,
+          password: scenario.users.noAccess.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
           invalidId: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
         },
       });
 
-      deleteTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.superuser.USERNAME,
-          password: scenario.superuser.PASSWORD,
+          username: scenario.users.superuser.USERNAME,
+          password: scenario.users.superuser.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -100,10 +103,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithLegacyAll.USERNAME,
-          password: scenario.userWithLegacyAll.PASSWORD,
+          username: scenario.users.legacyAll.USERNAME,
+          password: scenario.users.legacyAll.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -122,32 +125,32 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithLegacyRead.USERNAME,
-          password: scenario.userWithLegacyRead.PASSWORD,
+          username: scenario.users.legacyRead.USERNAME,
+          password: scenario.users.legacyRead.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
           },
           invalidId: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
           },
         },
       });
 
-      deleteTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithDualAll.USERNAME,
-          password: scenario.userWithDualAll.PASSWORD,
+          username: scenario.users.dualAll.USERNAME,
+          password: scenario.users.dualAll.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -166,10 +169,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithDualRead.USERNAME,
-          password: scenario.userWithDualRead.PASSWORD,
+          username: scenario.users.dualRead.USERNAME,
+          password: scenario.users.dualRead.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -188,10 +191,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithAllGlobally.USERNAME,
-          password: scenario.userWithAllGlobally.PASSWORD,
+          username: scenario.users.allGlobally.USERNAME,
+          password: scenario.users.allGlobally.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -210,10 +213,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithReadGlobally.USERNAME,
-          password: scenario.userWithReadGlobally.PASSWORD,
+          username: scenario.users.readGlobally.USERNAME,
+          password: scenario.users.readGlobally.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -232,10 +235,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithAllAtSpace.USERNAME,
-          password: scenario.userWithAllAtSpace.PASSWORD,
+          username: scenario.users.allAtSpace.USERNAME,
+          password: scenario.users.allAtSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -254,10 +257,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithReadAtSpace.USERNAME,
-          password: scenario.userWithReadAtSpace.PASSWORD,
+          username: scenario.users.readAtSpace.USERNAME,
+          password: scenario.users.readAtSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -277,11 +280,11 @@ export default function({ getService }: TestInvoker) {
       });
 
       deleteTest(
-        `${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
+        `${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
         {
           auth: {
-            username: scenario.userWithAllAtOtherSpace.USERNAME,
-            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+            username: scenario.users.allAtOtherSpace.USERNAME,
+            password: scenario.users.allAtOtherSpace.PASSWORD,
           },
           spaceId: scenario.spaceId,
           tests: {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
index bed788143083ea..cab579e493f0db 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
@@ -28,35 +28,38 @@ export default function({ getService }: TestInvoker) {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        },
       },
     ].forEach(scenario => {
-      findTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
           password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
@@ -96,7 +99,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.SUPERUSER.USERNAME,
           password: AUTHENTICATION.SUPERUSER.PASSWORD,
@@ -136,7 +139,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
           password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
@@ -176,7 +179,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
           password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
@@ -216,7 +219,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
           password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
@@ -256,7 +259,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
           password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
@@ -296,7 +299,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
           password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
@@ -336,7 +339,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
           password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
@@ -376,10 +379,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithAllAtSpace.USERNAME,
-          password: scenario.userWithAllAtSpace.PASSWORD,
+          username: scenario.users.allAtSpace.USERNAME,
+          password: scenario.users.allAtSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -416,10 +419,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithReadAtSpace.USERNAME,
-          password: scenario.userWithReadAtSpace.PASSWORD,
+          username: scenario.users.readAtSpace.USERNAME,
+          password: scenario.users.readAtSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -456,48 +459,45 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(
-        `${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.userWithAllAtOtherSpace.USERNAME,
-            password: scenario.userWithAllAtOtherSpace.PASSWORD,
-          },
-          spaceId: scenario.spaceId,
-          tests: {
-            spaceAwareType: {
-              description: 'forbidden login and find visualization message',
-              statusCode: 403,
-              response: createExpectRbacForbidden('visualization'),
-            },
-            notSpaceAwareType: {
-              description: 'forbidden login and find globaltype message',
-              statusCode: 403,
-              response: createExpectRbacForbidden('globaltype'),
-            },
-            unknownType: {
-              description: 'forbidden login and find wigwags message',
-              statusCode: 403,
-              response: createExpectRbacForbidden('wigwags'),
-            },
-            pageBeyondTotal: {
-              description: 'forbidden login and find visualization message',
-              statusCode: 403,
-              response: createExpectRbacForbidden('visualization'),
-            },
-            unknownSearchField: {
-              description: 'forbidden login and find wigwags message',
-              statusCode: 403,
-              response: createExpectRbacForbidden('wigwags'),
-            },
-            noType: {
-              description: 'bad request, type is required',
-              statusCode: 400,
-              response: expectTypeRequired,
-            },
-          },
-        }
-      );
+      findTest(`${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.allAtOtherSpace.USERNAME,
+          password: scenario.users.allAtOtherSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAwareType: {
+            description: 'forbidden login and find visualization message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('visualization'),
+          },
+          notSpaceAwareType: {
+            description: 'forbidden login and find globaltype message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('globaltype'),
+          },
+          unknownType: {
+            description: 'forbidden login and find wigwags message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('wigwags'),
+          },
+          pageBeyondTotal: {
+            description: 'forbidden login and find visualization message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('visualization'),
+          },
+          unknownSearchField: {
+            description: 'forbidden login and find wigwags message',
+            statusCode: 403,
+            response: createExpectRbacForbidden('wigwags'),
+          },
+          noType: {
+            description: 'bad request, type is required',
+            statusCode: 400,
+            response: expectTypeRequired,
+          },
+        },
+      });
     });
   });
 }
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts
index b718a7a07d9bc3..45f1aefa8bc053 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts
@@ -28,60 +28,63 @@ export default function({ getService }: TestInvoker) {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        },
       },
     ].forEach(scenario => {
-      getTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.notAKibanaUser.USERNAME,
-          password: scenario.notAKibanaUser.PASSWORD,
+          username: scenario.users.noAccess.USERNAME,
+          password: scenario.users.noAccess.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
           doesntExist: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
         },
       });
 
-      getTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.superuser.USERNAME,
-          password: scenario.superuser.PASSWORD,
+          username: scenario.users.superuser.USERNAME,
+          password: scenario.users.superuser.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -100,10 +103,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithLegacyAll.USERNAME,
-          password: scenario.userWithLegacyAll.PASSWORD,
+          username: scenario.users.legacyAll.USERNAME,
+          password: scenario.users.legacyAll.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -122,10 +125,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithLegacyRead.USERNAME,
-          password: scenario.userWithLegacyRead.PASSWORD,
+          username: scenario.users.legacyRead.USERNAME,
+          password: scenario.users.legacyRead.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -144,10 +147,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithDualAll.USERNAME,
-          password: scenario.userWithDualAll.PASSWORD,
+          username: scenario.users.dualAll.USERNAME,
+          password: scenario.users.dualAll.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -166,10 +169,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithDualRead.USERNAME,
-          password: scenario.userWithDualRead.PASSWORD,
+          username: scenario.users.dualRead.USERNAME,
+          password: scenario.users.dualRead.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -188,10 +191,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithAllGlobally.USERNAME,
-          password: scenario.userWithAllGlobally.PASSWORD,
+          username: scenario.users.allGlobally.USERNAME,
+          password: scenario.users.allGlobally.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -210,10 +213,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithReadGlobally.USERNAME,
-          password: scenario.userWithReadGlobally.PASSWORD,
+          username: scenario.users.readGlobally.USERNAME,
+          password: scenario.users.readGlobally.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -232,10 +235,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithAllAtSpace.USERNAME,
-          password: scenario.userWithAllAtSpace.PASSWORD,
+          username: scenario.users.allAtSpace.USERNAME,
+          password: scenario.users.allAtSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -254,10 +257,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithReadAtSpace.USERNAME,
-          password: scenario.userWithReadAtSpace.PASSWORD,
+          username: scenario.users.readAtSpace.USERNAME,
+          password: scenario.users.readAtSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -276,10 +279,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithAllAtOtherSpace.USERNAME,
-          password: scenario.userWithAllAtOtherSpace.PASSWORD,
+          username: scenario.users.allAtOtherSpace.USERNAME,
+          password: scenario.users.allAtOtherSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
index ae6465fa91e281..7c452a32dcffea 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
@@ -29,35 +29,38 @@ export default function({ getService }: TestInvoker) {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithNoKibanaAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        },
       },
     ].forEach(scenario => {
-      updateTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
           password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
@@ -79,10 +82,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.superuser.USERNAME,
-          password: scenario.superuser.PASSWORD,
+          username: scenario.users.superuser.USERNAME,
+          password: scenario.users.superuser.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -101,10 +104,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithLegacyAll.USERNAME,
-          password: scenario.userWithLegacyAll.PASSWORD,
+          username: scenario.users.legacyAll.USERNAME,
+          password: scenario.users.legacyAll.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -123,32 +126,32 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithLegacyRead.USERNAME,
-          password: scenario.userWithLegacyRead.PASSWORD,
+          username: scenario.users.legacyRead.USERNAME,
+          password: scenario.users.legacyRead.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
           },
           doesntExist: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
           },
         },
       });
 
-      updateTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithDualAll.USERNAME,
-          password: scenario.userWithDualAll.PASSWORD,
+          username: scenario.users.dualAll.USERNAME,
+          password: scenario.users.dualAll.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -167,10 +170,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithDualRead.USERNAME,
-          password: scenario.userWithDualRead.PASSWORD,
+          username: scenario.users.dualRead.USERNAME,
+          password: scenario.users.dualRead.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -189,10 +192,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithAllGlobally.USERNAME,
-          password: scenario.userWithAllGlobally.PASSWORD,
+          username: scenario.users.allGlobally.USERNAME,
+          password: scenario.users.allGlobally.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -211,10 +214,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithReadGlobally.USERNAME,
-          password: scenario.userWithReadGlobally.PASSWORD,
+          username: scenario.users.readGlobally.USERNAME,
+          password: scenario.users.readGlobally.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -233,10 +236,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithAllAtSpace.USERNAME,
-          password: scenario.userWithAllAtSpace.PASSWORD,
+          username: scenario.users.allAtSpace.USERNAME,
+          password: scenario.users.allAtSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -255,10 +258,10 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.userWithReadAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         auth: {
-          username: scenario.userWithReadAtSpace.USERNAME,
-          password: scenario.userWithReadAtSpace.PASSWORD,
+          username: scenario.users.readAtSpace.USERNAME,
+          password: scenario.users.readAtSpace.PASSWORD,
         },
         spaceId: scenario.spaceId,
         tests: {
@@ -278,11 +281,11 @@ export default function({ getService }: TestInvoker) {
       });
 
       updateTest(
-        `${scenario.userWithAllAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
+        `${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
         {
           auth: {
-            username: scenario.userWithAllAtOtherSpace.USERNAME,
-            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+            username: scenario.users.allAtOtherSpace.USERNAME,
+            password: scenario.users.allAtOtherSpace.PASSWORD,
           },
           spaceId: scenario.spaceId,
           tests: {
diff --git a/x-pack/test/spaces_api_integration/common/suites/select.ts b/x-pack/test/spaces_api_integration/common/suites/select.ts
index b862aa6a466f05..eb365fd9880357 100644
--- a/x-pack/test/spaces_api_integration/common/suites/select.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/select.ts
@@ -22,7 +22,7 @@ interface SelectTests {
 interface SelectTestDefinition {
   auth?: TestDefinitionAuthentication;
   currentSpaceId: string;
-  spaceId: string;
+  selectSpaceId: string;
   tests: SelectTests;
 }
 
@@ -96,7 +96,7 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
 
   const makeSelectTest = (describeFn: DescribeFn) => (
     description: string,
-    { auth = {}, currentSpaceId, spaceId, tests }: SelectTestDefinition
+    { auth = {}, currentSpaceId, selectSpaceId, tests }: SelectTestDefinition
   ) => {
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -104,7 +104,7 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
 
       it(`should return ${tests.default.statusCode}`, async () => {
         return supertest
-          .post(`${getUrlPrefix(currentSpaceId)}/api/spaces/v1/space/${spaceId}/select`)
+          .post(`${getUrlPrefix(currentSpaceId)}/api/spaces/v1/space/${selectSpaceId}/select`)
           .auth(auth.username, auth.password)
           .expect(tests.default.statusCode)
           .then(tests.default.response);
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts
index 760fd1d6cd9b4b..bada6ab2519d22 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts
@@ -27,56 +27,60 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
       },
     ].forEach(scenario => {
-      createTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.notAKibanaUser.USERNAME,
-          password: scenario.notAKibanaUser.PASSWORD,
+          username: scenario.users.noAccess.USERNAME,
+          password: scenario.users.noAccess.PASSWORD,
         },
         tests: {
           newSpace: {
             statusCode: 403,
-            response: createExpectLegacyForbiddenResponse(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbiddenResponse(scenario.users.noAccess.USERNAME),
           },
           alreadyExists: {
             statusCode: 403,
-            response: createExpectLegacyForbiddenResponse(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbiddenResponse(scenario.users.noAccess.USERNAME),
           },
           reservedSpecified: {
             statusCode: 403,
-            response: createExpectLegacyForbiddenResponse(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbiddenResponse(scenario.users.noAccess.USERNAME),
           },
         },
       });
 
-      createTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.superuser.USERNAME,
-          password: scenario.superuser.PASSWORD,
+          username: scenario.users.superuser.USERNAME,
+          password: scenario.users.superuser.PASSWORD,
         },
         tests: {
           newSpace: {
@@ -94,11 +98,11 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithAllGlobally.USERNAME,
-          password: scenario.userWithAllGlobally.PASSWORD,
+          username: scenario.users.allGlobally.USERNAME,
+          password: scenario.users.allGlobally.PASSWORD,
         },
         tests: {
           newSpace: {
@@ -116,11 +120,11 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithDualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithDualAll.USERNAME,
-          password: scenario.userWithDualAll.PASSWORD,
+          username: scenario.users.dualAll.USERNAME,
+          password: scenario.users.dualAll.PASSWORD,
         },
         tests: {
           newSpace: {
@@ -138,11 +142,11 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithLegacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithLegacyAll.USERNAME,
-          password: scenario.userWithLegacyAll.PASSWORD,
+          username: scenario.users.legacyAll.USERNAME,
+          password: scenario.users.legacyAll.PASSWORD,
         },
         tests: {
           newSpace: {
@@ -160,11 +164,11 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithReadGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithReadGlobally.USERNAME,
-          password: scenario.userWithReadGlobally.PASSWORD,
+          username: scenario.users.readGlobally.USERNAME,
+          password: scenario.users.readGlobally.PASSWORD,
         },
         tests: {
           newSpace: {
@@ -182,11 +186,11 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithDualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithDualRead.USERNAME,
-          password: scenario.userWithDualRead.PASSWORD,
+          username: scenario.users.dualRead.USERNAME,
+          password: scenario.users.dualRead.PASSWORD,
         },
         tests: {
           newSpace: {
@@ -204,33 +208,33 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.userWithLegacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithLegacyRead.USERNAME,
-          password: scenario.userWithLegacyRead.PASSWORD,
+          username: scenario.users.legacyRead.USERNAME,
+          password: scenario.users.legacyRead.PASSWORD,
         },
         tests: {
           newSpace: {
             statusCode: 403,
-            response: createExpectLegacyForbiddenResponse(scenario.userWithLegacyRead.USERNAME),
+            response: createExpectLegacyForbiddenResponse(scenario.users.legacyRead.USERNAME),
           },
           alreadyExists: {
             statusCode: 403,
-            response: createExpectLegacyForbiddenResponse(scenario.userWithLegacyRead.USERNAME),
+            response: createExpectLegacyForbiddenResponse(scenario.users.legacyRead.USERNAME),
           },
           reservedSpecified: {
             statusCode: 403,
-            response: createExpectLegacyForbiddenResponse(scenario.userWithLegacyRead.USERNAME),
+            response: createExpectLegacyForbiddenResponse(scenario.users.legacyRead.USERNAME),
           },
         },
       });
 
-      createTest(`${scenario.userWithAllAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithAllAtSpace.USERNAME,
-          password: scenario.userWithAllAtSpace.PASSWORD,
+          username: scenario.users.allAtSpace.USERNAME,
+          password: scenario.users.allAtSpace.PASSWORD,
         },
         tests: {
           newSpace: {
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
index f16a192eacb34f..a8b83baec9d7ed 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
@@ -27,56 +27,60 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
       },
     ].forEach(scenario => {
-      deleteTest(`${scenario.notAKibanaUser.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.noAccess.USERNAME} from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.notAKibanaUser.USERNAME,
-          password: scenario.notAKibanaUser.PASSWORD,
+          username: scenario.users.noAccess.USERNAME,
+          password: scenario.users.noAccess.PASSWORD,
         },
         tests: {
           exists: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME, 'read/get'),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME, 'read/get'),
           },
           reservedSpace: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME, 'read/get'),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME, 'read/get'),
           },
           doesntExist: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME, 'read/get'),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME, 'read/get'),
           },
         },
       });
 
-      deleteTest(`${scenario.superuser.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.superuser.USERNAME} from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.superuser.USERNAME,
-          password: scenario.superuser.PASSWORD,
+          username: scenario.users.superuser.USERNAME,
+          password: scenario.users.superuser.PASSWORD,
         },
         tests: {
           exists: {
@@ -94,11 +98,11 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithAllGlobally.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.allGlobally.USERNAME} from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithAllGlobally.USERNAME,
-          password: scenario.userWithAllGlobally.PASSWORD,
+          username: scenario.users.allGlobally.USERNAME,
+          password: scenario.users.allGlobally.PASSWORD,
         },
         tests: {
           exists: {
@@ -116,11 +120,11 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithDualAll.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.dualAll.USERNAME} from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithDualAll.USERNAME,
-          password: scenario.userWithDualAll.PASSWORD,
+          username: scenario.users.dualAll.USERNAME,
+          password: scenario.users.dualAll.PASSWORD,
         },
         tests: {
           exists: {
@@ -138,11 +142,11 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithLegacyAll.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.legacyAll.USERNAME} from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithLegacyAll.USERNAME,
-          password: scenario.userWithLegacyAll.PASSWORD,
+          username: scenario.users.legacyAll.USERNAME,
+          password: scenario.users.legacyAll.PASSWORD,
         },
         tests: {
           exists: {
@@ -160,11 +164,11 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithReadGlobally.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.readGlobally.USERNAME} from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithReadGlobally.USERNAME,
-          password: scenario.userWithReadGlobally.PASSWORD,
+          username: scenario.users.readGlobally.USERNAME,
+          password: scenario.users.readGlobally.PASSWORD,
         },
         tests: {
           exists: {
@@ -182,11 +186,11 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userwithDualRead.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.dualRead.USERNAME} from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userwithDualRead.USERNAME,
-          password: scenario.userwithDualRead.PASSWORD,
+          username: scenario.users.dualRead.USERNAME,
+          password: scenario.users.dualRead.PASSWORD,
         },
         tests: {
           exists: {
@@ -204,17 +208,17 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithLegacyRead.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.legacyRead.USERNAME} from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithLegacyRead.USERNAME,
-          password: scenario.userWithLegacyRead.PASSWORD,
+          username: scenario.users.legacyRead.USERNAME,
+          password: scenario.users.legacyRead.PASSWORD,
         },
         tests: {
           exists: {
             statusCode: 403,
             response: createExpectLegacyForbidden(
-              scenario.userWithLegacyRead.USERNAME,
+              scenario.users.legacyRead.USERNAME,
               'write/delete'
             ),
           },
@@ -229,11 +233,11 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.userWithAllAtSpace} from the ${scenario.spaceId} space`, {
+      deleteTest(`${scenario.users.allAtSpace} from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithAllAtSpace.USERNAME,
-          password: scenario.userWithAllAtSpace.PASSWORD,
+          username: scenario.users.allAtSpace.USERNAME,
+          password: scenario.users.allAtSpace.PASSWORD,
         },
         tests: {
           exists: {
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts
index 94aaaaff6d9c9a..7a7ab66cd3cc0b 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts
@@ -24,60 +24,63 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
   } = getTestSuiteFactory(esArchiver, supertestWithoutAuth);
 
   describe('get', () => {
-    // valid spaces
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
         otherSpaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
         otherSpaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
       },
     ].forEach(scenario => {
-      getTest(`${scenario.notAKibanaUser.USERNAME}`, {
+      getTest(`${scenario.users.noAccess.USERNAME}`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.notAKibanaUser.USERNAME,
-          password: scenario.notAKibanaUser.PASSWORD,
+          username: scenario.users.noAccess.USERNAME,
+          password: scenario.users.noAccess.PASSWORD,
         },
         tests: {
           default: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
         },
       });
 
-      getTest(`${scenario.superuser.USERNAME}`, {
+      getTest(`${scenario.users.superuser.USERNAME}`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.superuser.USERNAME,
-          password: scenario.superuser.PASSWORD,
+          username: scenario.users.superuser.USERNAME,
+          password: scenario.users.superuser.PASSWORD,
         },
         tests: {
           default: {
@@ -87,12 +90,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithAllGlobally.USERNAME}`, {
+      getTest(`${scenario.users.allGlobally.USERNAME}`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithAllGlobally.USERNAME,
-          password: scenario.userWithAllGlobally.PASSWORD,
+          username: scenario.users.allGlobally.USERNAME,
+          password: scenario.users.allGlobally.PASSWORD,
         },
         tests: {
           default: {
@@ -102,12 +105,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithDualAll.USERNAME}`, {
+      getTest(`${scenario.users.dualAll.USERNAME}`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithDualAll.USERNAME,
-          password: scenario.userWithDualAll.PASSWORD,
+          username: scenario.users.dualAll.USERNAME,
+          password: scenario.users.dualAll.PASSWORD,
         },
         tests: {
           default: {
@@ -117,12 +120,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithLegacyAll.USERNAME}`, {
+      getTest(`${scenario.users.legacyAll.USERNAME}`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithLegacyAll.USERNAME,
-          password: scenario.userWithLegacyAll.PASSWORD,
+          username: scenario.users.legacyAll.USERNAME,
+          password: scenario.users.legacyAll.PASSWORD,
         },
         tests: {
           default: {
@@ -132,12 +135,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithReadGlobally.USERNAME}`, {
+      getTest(`${scenario.users.readGlobally.USERNAME}`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithReadGlobally.USERNAME,
-          password: scenario.userWithReadGlobally.PASSWORD,
+          username: scenario.users.readGlobally.USERNAME,
+          password: scenario.users.readGlobally.PASSWORD,
         },
         tests: {
           default: {
@@ -147,12 +150,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userwithDualRead.USERNAME}`, {
+      getTest(`${scenario.users.dualRead.USERNAME}`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userwithDualRead.USERNAME,
-          password: scenario.userwithDualRead.PASSWORD,
+          username: scenario.users.dualRead.USERNAME,
+          password: scenario.users.dualRead.PASSWORD,
         },
         tests: {
           default: {
@@ -162,12 +165,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithLegacyRead.USERNAME}`, {
+      getTest(`${scenario.users.legacyRead.USERNAME}`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithLegacyRead.USERNAME,
-          password: scenario.userWithLegacyRead.PASSWORD,
+          username: scenario.users.legacyRead.USERNAME,
+          password: scenario.users.legacyRead.PASSWORD,
         },
         tests: {
           default: {
@@ -177,12 +180,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithReadAtSpace.USERNAME} at ${scenario.spaceId}`, {
+      getTest(`${scenario.users.readAtSpace.USERNAME} at ${scenario.spaceId}`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithReadAtSpace.USERNAME,
-          password: scenario.userWithReadAtSpace.PASSWORD,
+          username: scenario.users.readAtSpace.USERNAME,
+          password: scenario.users.readAtSpace.PASSWORD,
         },
         tests: {
           default: {
@@ -192,12 +195,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.userWithAllAtOtherSpace.USERNAME} at a different space`, {
+      getTest(`${scenario.users.allAtOtherSpace.USERNAME} at a different space`, {
         currentSpaceId: scenario.otherSpaceId,
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithAllAtOtherSpace.USERNAME,
-          password: scenario.userWithAllAtOtherSpace.PASSWORD,
+          username: scenario.users.allAtOtherSpace.USERNAME,
+          password: scenario.users.allAtOtherSpace.PASSWORD,
         },
         tests: {
           default: {
@@ -213,21 +216,23 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         {
           spaceId: SPACES.DEFAULT.spaceId,
           otherSpaceId: nonExistantSpaceId,
-          userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-          userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-          userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-          userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-          userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-          userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-          userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          users: {
+            allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+            readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+            allAtDefaultSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+            legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+            legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+            dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+            dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+          },
         },
       ].forEach(scenario => {
-        getTest(`${scenario.userWithAllGlobally.USERNAME}`, {
+        getTest(`${scenario.users.allGlobally.USERNAME}`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
-            username: scenario.userWithAllGlobally.USERNAME,
-            password: scenario.userWithAllGlobally.PASSWORD,
+            username: scenario.users.allGlobally.USERNAME,
+            password: scenario.users.allGlobally.PASSWORD,
           },
           tests: {
             default: {
@@ -237,12 +242,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         });
 
-        getTest(`${scenario.userWithDualAll.USERNAME}`, {
+        getTest(`${scenario.users.dualAll.USERNAME}`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
-            username: scenario.userWithDualAll.USERNAME,
-            password: scenario.userWithDualAll.PASSWORD,
+            username: scenario.users.dualAll.USERNAME,
+            password: scenario.users.dualAll.PASSWORD,
           },
           tests: {
             default: {
@@ -252,12 +257,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         });
 
-        getTest(`${scenario.userWithLegacyAll.USERNAME}`, {
+        getTest(`${scenario.users.legacyAll.USERNAME}`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
-            username: scenario.userWithLegacyAll.USERNAME,
-            password: scenario.userWithLegacyAll.PASSWORD,
+            username: scenario.users.legacyAll.USERNAME,
+            password: scenario.users.legacyAll.PASSWORD,
           },
           tests: {
             default: {
@@ -267,12 +272,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         });
 
-        getTest(`${scenario.userWithReadGlobally.USERNAME}`, {
+        getTest(`${scenario.users.readGlobally.USERNAME}`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
-            username: scenario.userWithReadGlobally.USERNAME,
-            password: scenario.userWithReadGlobally.PASSWORD,
+            username: scenario.users.readGlobally.USERNAME,
+            password: scenario.users.readGlobally.PASSWORD,
           },
           tests: {
             default: {
@@ -282,12 +287,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         });
 
-        getTest(`${scenario.userwithDualRead.USERNAME}`, {
+        getTest(`${scenario.users.dualRead.USERNAME}`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
-            username: scenario.userwithDualRead.USERNAME,
-            password: scenario.userwithDualRead.PASSWORD,
+            username: scenario.users.dualRead.USERNAME,
+            password: scenario.users.dualRead.PASSWORD,
           },
           tests: {
             default: {
@@ -297,12 +302,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         });
 
-        getTest(`${scenario.userWithLegacyRead.USERNAME}`, {
+        getTest(`${scenario.users.legacyRead.USERNAME}`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
-            username: scenario.userWithLegacyRead.USERNAME,
-            password: scenario.userWithLegacyRead.PASSWORD,
+            username: scenario.users.legacyRead.USERNAME,
+            password: scenario.users.legacyRead.PASSWORD,
           },
           tests: {
             default: {
@@ -312,12 +317,12 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         });
 
-        getTest(`${scenario.userWithAllAtSpace.USERNAME}`, {
+        getTest(`${scenario.users.allAtDefaultSpace.USERNAME}`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
-            username: scenario.userWithAllAtSpace.USERNAME,
-            password: scenario.userWithAllAtSpace.PASSWORD,
+            username: scenario.users.allAtDefaultSpace.USERNAME,
+            password: scenario.users.allAtDefaultSpace.PASSWORD,
           },
           tests: {
             default: {
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts
index 9410103cb25d7f..f5863b5ade0536 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts
@@ -23,73 +23,80 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithAllAtDefault: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithReadAtDefault: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          allAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          allAtDefaultSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          readAtDefaultSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithAllAtDefault: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithReadAtDefault: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          allAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          allAtDefaultSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          readAtDefaultSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
       },
     ].forEach(scenario => {
       getAllTest(
-        `${scenario.notAKibanaUser.USERNAME} can't access any spaces from ${scenario.spaceId}`,
+        `${scenario.users.noAccess.USERNAME} can't access any spaces from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.notAKibanaUser.USERNAME,
-            password: scenario.notAKibanaUser.PASSWORD,
+            username: scenario.users.noAccess.USERNAME,
+            password: scenario.users.noAccess.PASSWORD,
           },
           tests: {
             exists: {
               statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+              response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
             },
           },
         }
       );
 
-      getAllTest(`${scenario.superuser.USERNAME} can access all spaces from ${scenario.spaceId}`, {
-        spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.superuser.USERNAME,
-          password: scenario.superuser.PASSWORD,
-        },
-        tests: {
-          exists: {
-            statusCode: 200,
-            response: createExpectResults('default', 'space_1', 'space_2'),
+      getAllTest(
+        `${scenario.users.superuser.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        {
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.users.superuser.USERNAME,
+            password: scenario.users.superuser.PASSWORD,
           },
-        },
-      });
+          tests: {
+            exists: {
+              statusCode: 200,
+              response: createExpectResults('default', 'space_1', 'space_2'),
+            },
+          },
+        }
+      );
 
       getAllTest(
-        `${scenario.userWithAllGlobally.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        `${scenario.users.allGlobally.USERNAME} can access all spaces from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithAllGlobally.USERNAME,
-            password: scenario.userWithAllGlobally.PASSWORD,
+            username: scenario.users.allGlobally.USERNAME,
+            password: scenario.users.allGlobally.PASSWORD,
           },
           tests: {
             exists: {
@@ -101,12 +108,12 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
       );
 
       getAllTest(
-        `${scenario.userWithDualAll.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        `${scenario.users.dualAll.USERNAME} can access all spaces from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithDualAll.USERNAME,
-            password: scenario.userWithDualAll.PASSWORD,
+            username: scenario.users.dualAll.USERNAME,
+            password: scenario.users.dualAll.PASSWORD,
           },
           tests: {
             exists: {
@@ -118,12 +125,12 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
       );
 
       getAllTest(
-        `${scenario.userWithLegacyAll.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        `${scenario.users.legacyAll.USERNAME} can access all spaces from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithLegacyAll.USERNAME,
-            password: scenario.userWithLegacyAll.PASSWORD,
+            username: scenario.users.legacyAll.USERNAME,
+            password: scenario.users.legacyAll.PASSWORD,
           },
           tests: {
             exists: {
@@ -135,12 +142,12 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
       );
 
       getAllTest(
-        `${scenario.userWithReadGlobally.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        `${scenario.users.readGlobally.USERNAME} can access all spaces from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithReadGlobally.USERNAME,
-            password: scenario.userWithReadGlobally.PASSWORD,
+            username: scenario.users.readGlobally.USERNAME,
+            password: scenario.users.readGlobally.PASSWORD,
           },
           tests: {
             exists: {
@@ -152,12 +159,12 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
       );
 
       getAllTest(
-        `${scenario.userwithDualRead.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        `${scenario.users.dualRead.USERNAME} can access all spaces from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userwithDualRead.USERNAME,
-            password: scenario.userwithDualRead.PASSWORD,
+            username: scenario.users.dualRead.USERNAME,
+            password: scenario.users.dualRead.PASSWORD,
           },
           tests: {
             exists: {
@@ -169,12 +176,12 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
       );
 
       getAllTest(
-        `${scenario.userWithLegacyRead.USERNAME} can access all spaces from ${scenario.spaceId}`,
+        `${scenario.users.legacyRead.USERNAME} can access all spaces from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithLegacyRead.USERNAME,
-            password: scenario.userWithLegacyRead.PASSWORD,
+            username: scenario.users.legacyRead.USERNAME,
+            password: scenario.users.legacyRead.PASSWORD,
           },
           tests: {
             exists: {
@@ -186,12 +193,12 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
       );
 
       getAllTest(
-        `${scenario.userWithAllAtSpace_1.USERNAME} can access space_1 from ${scenario.spaceId}`,
+        `${scenario.users.allAtSpace_1.USERNAME} can access space_1 from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithAllAtSpace_1.USERNAME,
-            password: scenario.userWithAllAtSpace_1.PASSWORD,
+            username: scenario.users.allAtSpace_1.USERNAME,
+            password: scenario.users.allAtSpace_1.PASSWORD,
           },
           tests: {
             exists: {
@@ -203,12 +210,12 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
       );
 
       getAllTest(
-        `${scenario.userWithReadAtSpace_1.USERNAME} can access space_1 from ${scenario.spaceId}`,
+        `${scenario.users.readAtSpace_1.USERNAME} can access space_1 from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithReadAtSpace_1.USERNAME,
-            password: scenario.userWithReadAtSpace_1.PASSWORD,
+            username: scenario.users.readAtSpace_1.USERNAME,
+            password: scenario.users.readAtSpace_1.PASSWORD,
           },
           tests: {
             exists: {
@@ -220,12 +227,12 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
       );
 
       getAllTest(
-        `${scenario.userWithAllAtDefault.USERNAME} can access default from ${scenario.spaceId}`,
+        `${scenario.users.allAtDefaultSpace.USERNAME} can access default from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithAllAtDefault.USERNAME,
-            password: scenario.userWithAllAtDefault.PASSWORD,
+            username: scenario.users.allAtDefaultSpace.USERNAME,
+            password: scenario.users.allAtDefaultSpace.PASSWORD,
           },
           tests: {
             exists: {
@@ -237,12 +244,12 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
       );
 
       getAllTest(
-        `${scenario.userWithReadAtDefault.USERNAME} can access default from ${scenario.spaceId}`,
+        `${scenario.users.readAtDefaultSpace.USERNAME} can access default from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithReadAtDefault.USERNAME,
-            password: scenario.userWithReadAtDefault.PASSWORD,
+            username: scenario.users.readAtDefaultSpace.USERNAME,
+            password: scenario.users.readAtDefaultSpace.PASSWORD,
           },
           tests: {
             exists: {
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts
index 9f323001e55067..d3cdfec9a93beb 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts
@@ -23,191 +23,202 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
     createExpectLegacyForbidden,
   } = selectTestSuiteFactory(esArchiver, supertestWithoutAuth);
 
-  describe('select', () => {
-    // Global authorization tests
+  describe.only('select', () => {
+    // Tests with users that have privileges globally in Kibana
     [
       {
-        spaceId: SPACES.DEFAULT.spaceId,
-        otherSpaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        // Select the spaceId with the user in the currentSpaceId with the following users
+        currentSpaceId: SPACES.DEFAULT.spaceId,
+        selectSpaceId: SPACES.SPACE_1.spaceId,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
       },
       {
-        spaceId: SPACES.SPACE_1.spaceId,
-        otherSpaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        // Select the spaceId when the user is the currentSpaceId with the following users
+        currentSpaceId: SPACES.SPACE_1.spaceId,
+        selectSpaceId: SPACES.DEFAULT.spaceId,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
       },
     ].forEach(scenario => {
-      selectTest(`${scenario.notAKibanaUser.USERNAME} selects ${scenario.otherSpaceId}`, {
-        currentSpaceId: scenario.spaceId,
-        spaceId: scenario.otherSpaceId,
+      selectTest(`${scenario.users.noAccess.USERNAME} selects ${scenario.selectSpaceId}`, {
+        currentSpaceId: scenario.currentSpaceId,
+        selectSpaceId: scenario.selectSpaceId,
         auth: {
-          username: scenario.notAKibanaUser.USERNAME,
-          password: scenario.notAKibanaUser.PASSWORD,
+          username: scenario.users.noAccess.USERNAME,
+          password: scenario.users.noAccess.PASSWORD,
         },
         tests: {
           default: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
         },
       });
 
-      selectTest(`${scenario.superuser.USERNAME} selects ${scenario.otherSpaceId}`, {
-        currentSpaceId: scenario.spaceId,
-        spaceId: scenario.otherSpaceId,
+      selectTest(`${scenario.users.superuser.USERNAME} selects ${scenario.selectSpaceId}`, {
+        currentSpaceId: scenario.currentSpaceId,
+        selectSpaceId: scenario.selectSpaceId,
         auth: {
-          username: scenario.superuser.USERNAME,
-          password: scenario.superuser.PASSWORD,
+          username: scenario.users.superuser.USERNAME,
+          password: scenario.users.superuser.PASSWORD,
         },
         tests: {
           default: {
             statusCode: 200,
-            response: createExpectSpaceResponse(scenario.otherSpaceId),
+            response: createExpectSpaceResponse(scenario.selectSpaceId),
           },
         },
       });
 
-      selectTest(`${scenario.userWithAllGlobally.USERNAME} selects ${scenario.otherSpaceId}`, {
-        currentSpaceId: scenario.spaceId,
-        spaceId: scenario.otherSpaceId,
+      selectTest(`${scenario.users.allGlobally.USERNAME} selects ${scenario.selectSpaceId}`, {
+        currentSpaceId: scenario.currentSpaceId,
+        selectSpaceId: scenario.selectSpaceId,
         auth: {
-          username: scenario.userWithAllGlobally.USERNAME,
-          password: scenario.userWithAllGlobally.PASSWORD,
+          username: scenario.users.allGlobally.USERNAME,
+          password: scenario.users.allGlobally.PASSWORD,
         },
         tests: {
           default: {
             statusCode: 200,
-            response: createExpectSpaceResponse(scenario.otherSpaceId),
+            response: createExpectSpaceResponse(scenario.selectSpaceId),
           },
         },
       });
 
-      selectTest(`${scenario.userWithDualAll.USERNAME} selects ${scenario.otherSpaceId}`, {
-        currentSpaceId: scenario.spaceId,
-        spaceId: scenario.otherSpaceId,
+      selectTest(`${scenario.users.dualAll.USERNAME} selects ${scenario.selectSpaceId}`, {
+        currentSpaceId: scenario.currentSpaceId,
+        selectSpaceId: scenario.selectSpaceId,
         auth: {
-          username: scenario.userWithDualAll.USERNAME,
-          password: scenario.userWithDualAll.PASSWORD,
+          username: scenario.users.dualAll.USERNAME,
+          password: scenario.users.dualAll.PASSWORD,
         },
         tests: {
           default: {
             statusCode: 200,
-            response: createExpectSpaceResponse(scenario.otherSpaceId),
+            response: createExpectSpaceResponse(scenario.selectSpaceId),
           },
         },
       });
 
-      selectTest(`${scenario.userWithLegacyAll.USERNAME} selects ${scenario.otherSpaceId}`, {
-        currentSpaceId: scenario.spaceId,
-        spaceId: scenario.otherSpaceId,
+      selectTest(`${scenario.users.legacyAll.USERNAME} selects ${scenario.selectSpaceId}`, {
+        currentSpaceId: scenario.currentSpaceId,
+        selectSpaceId: scenario.selectSpaceId,
         auth: {
-          username: scenario.userWithLegacyAll.USERNAME,
-          password: scenario.userWithLegacyAll.PASSWORD,
+          username: scenario.users.legacyAll.USERNAME,
+          password: scenario.users.legacyAll.PASSWORD,
         },
         tests: {
           default: {
             statusCode: 200,
-            response: createExpectSpaceResponse(scenario.otherSpaceId),
+            response: createExpectSpaceResponse(scenario.selectSpaceId),
           },
         },
       });
 
       selectTest(
-        `${scenario.userWithReadGlobally.USERNAME} selects ${scenario.otherSpaceId} from
-        ${scenario.spaceId}`,
+        `${scenario.users.readGlobally.USERNAME} selects ${scenario.selectSpaceId} from
+        ${scenario.currentSpaceId}`,
         {
-          currentSpaceId: scenario.spaceId,
-          spaceId: scenario.otherSpaceId,
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
           auth: {
-            username: scenario.userWithReadGlobally.USERNAME,
-            password: scenario.userWithReadGlobally.PASSWORD,
+            username: scenario.users.readGlobally.USERNAME,
+            password: scenario.users.readGlobally.PASSWORD,
           },
           tests: {
             default: {
               statusCode: 200,
-              response: createExpectSpaceResponse(scenario.otherSpaceId),
+              response: createExpectSpaceResponse(scenario.selectSpaceId),
             },
           },
         }
       );
 
       selectTest(
-        `${scenario.userWithDualRead.USERNAME} selects ${scenario.otherSpaceId} from
-        ${scenario.spaceId}`,
+        `${scenario.users.dualRead.USERNAME} selects ${scenario.selectSpaceId} from
+        ${scenario.currentSpaceId}`,
         {
-          currentSpaceId: scenario.spaceId,
-          spaceId: scenario.otherSpaceId,
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
           auth: {
-            username: scenario.userWithDualRead.USERNAME,
-            password: scenario.userWithDualRead.PASSWORD,
+            username: scenario.users.dualRead.USERNAME,
+            password: scenario.users.dualRead.PASSWORD,
           },
           tests: {
             default: {
               statusCode: 200,
-              response: createExpectSpaceResponse(scenario.otherSpaceId),
+              response: createExpectSpaceResponse(scenario.selectSpaceId),
             },
           },
         }
       );
 
       selectTest(
-        `${scenario.userWithLegacyRead.USERNAME} can select ${scenario.otherSpaceId}
-        from ${scenario.spaceId}`,
+        `${scenario.users.legacyRead.USERNAME} can select ${scenario.selectSpaceId}
+        from ${scenario.currentSpaceId}`,
         {
-          currentSpaceId: scenario.spaceId,
-          spaceId: scenario.otherSpaceId,
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
           auth: {
-            username: scenario.userWithLegacyRead.USERNAME,
-            password: scenario.userWithLegacyRead.PASSWORD,
+            username: scenario.users.legacyRead.USERNAME,
+            password: scenario.users.legacyRead.PASSWORD,
           },
           tests: {
             default: {
               statusCode: 200,
-              response: createExpectSpaceResponse(scenario.otherSpaceId),
+              response: createExpectSpaceResponse(scenario.selectSpaceId),
             },
           },
         }
       );
     });
 
-    // Same-Space authorization tests
+    // Select the same space that you're currently in with users which have space specific privileges.
+    // Our intent is to ensure that you have privileges at the space that you're selecting.
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        users: {
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        users: {
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+        },
       },
     ].forEach(scenario => {
       selectTest(
-        `${scenario.userWithAllAtSpace.USERNAME} can select ${scenario.spaceId}
+        `${scenario.users.allAtSpace.USERNAME} can select ${scenario.spaceId}
         from ${scenario.spaceId}`,
         {
           currentSpaceId: scenario.spaceId,
-          spaceId: scenario.spaceId,
+          selectSpaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithAllAtSpace.USERNAME,
-            password: scenario.userWithAllAtSpace.PASSWORD,
+            username: scenario.users.allAtSpace.USERNAME,
+            password: scenario.users.allAtSpace.PASSWORD,
           },
           tests: {
             default: {
@@ -219,14 +230,14 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       selectTest(
-        `${scenario.userWithReadAtSpace.USERNAME} can select ${scenario.spaceId}
+        `${scenario.users.readAtSpace.USERNAME} can select ${scenario.spaceId}
         from ${scenario.spaceId}`,
         {
           currentSpaceId: scenario.spaceId,
-          spaceId: scenario.spaceId,
+          selectSpaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithReadAtSpace.USERNAME,
-            password: scenario.userWithReadAtSpace.PASSWORD,
+            username: scenario.users.readAtSpace.USERNAME,
+            password: scenario.users.readAtSpace.PASSWORD,
           },
           tests: {
             default: {
@@ -238,14 +249,14 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       selectTest(
-        `${scenario.userWithAllAtOtherSpace.USERNAME} cannot select ${scenario.spaceId}
+        `${scenario.users.allAtOtherSpace.USERNAME} cannot select ${scenario.spaceId}
         from ${scenario.spaceId}`,
         {
           currentSpaceId: scenario.spaceId,
-          spaceId: scenario.spaceId,
+          selectSpaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithAllAtOtherSpace.USERNAME,
-            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+            username: scenario.users.allAtOtherSpace.USERNAME,
+            password: scenario.users.allAtOtherSpace.PASSWORD,
           },
           tests: {
             default: {
@@ -257,99 +268,133 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
       );
     });
 
-    // Cross-Space authorization tests
+    // Select a different space with users that only have privileges at certain spaces. Our intent
+    // is to ensure that a user can select a space based on their privileges at the space that they're selecting
+    // not at the space that they're currently in.
     [
       {
-        spaceId: SPACES.SPACE_1.spaceId,
-        otherSpaceId: SPACES.SPACE_2.spaceId,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_2_ALL_USER,
-        userWithAllAtBothSpaces: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_ALL_USER,
+        currentSpaceId: SPACES.SPACE_2.spaceId,
+        selectSpaceId: SPACES.SPACE_1.spaceId,
+        users: {
+          userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_2_ALL_USER,
+          userWithAllAtBothSpaces: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_ALL_USER,
+        },
       },
     ].forEach(scenario => {
       selectTest(
-        `${scenario.userWithAllAtBothSpaces.USERNAME} can select ${scenario.spaceId}
-        from ${scenario.otherSpaceId}`,
+        `${scenario.users.userWithAllAtSpace.USERNAME} can select ${scenario.selectSpaceId}
+        from ${scenario.currentSpaceId}`,
         {
-          currentSpaceId: scenario.otherSpaceId,
-          spaceId: scenario.spaceId,
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
           auth: {
-            username: scenario.userWithAllAtBothSpaces.USERNAME,
-            password: scenario.userWithAllAtBothSpaces.PASSWORD,
+            username: scenario.users.userWithAllAtSpace.USERNAME,
+            password: scenario.users.userWithAllAtSpace.PASSWORD,
           },
           tests: {
             default: {
               statusCode: 200,
-              response: createExpectSpaceResponse(scenario.spaceId),
+              response: createExpectSpaceResponse(scenario.selectSpaceId),
             },
           },
         }
       );
 
       selectTest(
-        `${scenario.userWithAllAtOtherSpace.USERNAME} cannot select ${scenario.spaceId}
-        from ${scenario.otherSpaceId}`,
+        `${scenario.users.userWithAllAtBothSpaces.USERNAME} can select ${scenario.selectSpaceId}
+        from ${scenario.currentSpaceId}`,
         {
-          currentSpaceId: scenario.otherSpaceId,
-          spaceId: scenario.spaceId,
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
           auth: {
-            username: scenario.userWithAllAtOtherSpace.USERNAME,
-            password: scenario.userWithAllAtOtherSpace.PASSWORD,
+            username: scenario.users.userWithAllAtBothSpaces.USERNAME,
+            password: scenario.users.userWithAllAtBothSpaces.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectSpaceResponse(scenario.selectSpaceId),
+            },
+          },
+        }
+      );
+
+      selectTest(
+        `${scenario.users.userWithAllAtOtherSpace.USERNAME} cannot select ${scenario.selectSpaceId}
+        from ${scenario.currentSpaceId}`,
+        {
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
+          auth: {
+            username: scenario.users.userWithAllAtOtherSpace.USERNAME,
+            password: scenario.users.userWithAllAtOtherSpace.PASSWORD,
           },
           tests: {
             default: {
               statusCode: 403,
-              response: createExpectRbacForbidden(scenario.spaceId),
+              response: createExpectRbacForbidden(scenario.selectSpaceId),
             },
           },
         }
       );
     });
 
-    describe('non-existant space', () => {
+    // Select non-existent spaces and ensure we get a 404 or a 403
+    describe('non-existent space', () => {
       [
         {
-          spaceId: SPACES.DEFAULT.spaceId,
-          otherSpaceId: nonExistantSpaceId,
-          userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-          userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          currentSpaceId: SPACES.DEFAULT.spaceId,
+          selectSpaceId: nonExistantSpaceId,
+          users: {
+            userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+            userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
+          },
         },
         {
-          spaceId: SPACES.SPACE_1.spaceId,
-          otherSpaceId: nonExistantSpaceId,
-          userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-          userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          currentSpaceId: SPACES.SPACE_1.spaceId,
+          selectSpaceId: nonExistantSpaceId,
+          users: {
+            userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+            userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          },
         },
       ].forEach(scenario => {
-        selectTest(`${scenario.userWithAllGlobally.USERNAME} cannot access non-existant space`, {
-          currentSpaceId: scenario.spaceId,
-          spaceId: scenario.otherSpaceId,
-          auth: {
-            username: scenario.userWithAllGlobally.USERNAME,
-            password: scenario.userWithAllGlobally.PASSWORD,
-          },
-          tests: {
-            default: {
-              statusCode: 404,
-              response: createExpectNotFoundResult(),
+        selectTest(
+          `${scenario.users.userWithAllGlobally.USERNAME} cannot access non-existant space`,
+          {
+            currentSpaceId: scenario.currentSpaceId,
+            selectSpaceId: scenario.selectSpaceId,
+            auth: {
+              username: scenario.users.userWithAllGlobally.USERNAME,
+              password: scenario.users.userWithAllGlobally.PASSWORD,
             },
-          },
-        });
+            tests: {
+              default: {
+                statusCode: 404,
+                response: createExpectNotFoundResult(),
+              },
+            },
+          }
+        );
 
-        selectTest(`${scenario.userWithAllAtSpace.USERNAME} cannot access non-existant space`, {
-          currentSpaceId: scenario.spaceId,
-          spaceId: scenario.otherSpaceId,
-          auth: {
-            username: scenario.userWithAllAtSpace.USERNAME,
-            password: scenario.userWithAllAtSpace.PASSWORD,
-          },
-          tests: {
-            default: {
-              statusCode: 403,
-              response: createExpectRbacForbidden(scenario.otherSpaceId),
+        selectTest(
+          `${scenario.users.userWithAllAtSpace.USERNAME} cannot access non-existant space`,
+          {
+            currentSpaceId: scenario.currentSpaceId,
+            selectSpaceId: scenario.selectSpaceId,
+            auth: {
+              username: scenario.users.userWithAllAtSpace.USERNAME,
+              password: scenario.users.userWithAllAtSpace.PASSWORD,
             },
-          },
-        });
+            tests: {
+              default: {
+                statusCode: 403,
+                response: createExpectRbacForbidden(scenario.selectSpaceId),
+              },
+            },
+          }
+        );
       });
     });
   });
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
index dbecb4f3ce2327..7cbf08d03014d9 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
@@ -27,65 +27,69 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
     [
       {
         spaceId: SPACES.DEFAULT.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
       },
       {
         spaceId: SPACES.SPACE_1.spaceId,
-        notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER,
-        superuser: AUTHENTICATION.SUPERUSER,
-        userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
-        userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
-        userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
-        userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
-        userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
-        userWithLegacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
-        userWithDualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
-        userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        users: {
+          noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
+          superuser: AUTHENTICATION.SUPERUSER,
+          allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
+          readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
+          allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
+          readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
+          legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
+          legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
+          dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
+          dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
+        },
       },
     ].forEach(scenario => {
       updateTest(
-        `${scenario.notAKibanaUser.USERNAME} can't update space_1 from
+        `${scenario.users.noAccess.USERNAME} can't update space_1 from
         the ${scenario.spaceId} space`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.notAKibanaUser.USERNAME,
-            password: scenario.notAKibanaUser.PASSWORD,
+            username: scenario.users.noAccess.USERNAME,
+            password: scenario.users.noAccess.PASSWORD,
           },
           tests: {
             alreadyExists: {
               statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+              response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
             },
             defaultSpace: {
               statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+              response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
             },
             newSpace: {
               statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
+              response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
             },
           },
         }
       );
 
       updateTest(
-        `${scenario.superuser.USERNAME} can update space_1 from
+        `${scenario.users.superuser.USERNAME} can update space_1 from
         the ${scenario.spaceId} space`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.superuser.USERNAME,
-            password: scenario.superuser.PASSWORD,
+            username: scenario.users.superuser.USERNAME,
+            password: scenario.users.superuser.PASSWORD,
           },
           tests: {
             alreadyExists: {
@@ -105,13 +109,13 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       updateTest(
-        `${scenario.userWithAllGlobally.USERNAME} can update space_1 from
+        `${scenario.users.allGlobally.USERNAME} can update space_1 from
         the ${scenario.spaceId} space`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithAllGlobally.USERNAME,
-            password: scenario.userWithAllGlobally.PASSWORD,
+            username: scenario.users.allGlobally.USERNAME,
+            password: scenario.users.allGlobally.PASSWORD,
           },
           tests: {
             alreadyExists: {
@@ -131,13 +135,13 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       updateTest(
-        `${scenario.userWithDualAll.USERNAME} can update space_1 from
+        `${scenario.users.dualAll.USERNAME} can update space_1 from
         the ${scenario.spaceId} space`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithDualAll.USERNAME,
-            password: scenario.userWithDualAll.PASSWORD,
+            username: scenario.users.dualAll.USERNAME,
+            password: scenario.users.dualAll.PASSWORD,
           },
           tests: {
             alreadyExists: {
@@ -157,13 +161,13 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       updateTest(
-        `${scenario.userWithLegacyAll.USERNAME} can update space_1 from
+        `${scenario.users.legacyAll.USERNAME} can update space_1 from
         the ${scenario.spaceId} space`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithLegacyAll.USERNAME,
-            password: scenario.userWithLegacyAll.PASSWORD,
+            username: scenario.users.legacyAll.USERNAME,
+            password: scenario.users.legacyAll.PASSWORD,
           },
           tests: {
             alreadyExists: {
@@ -183,13 +187,13 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       updateTest(
-        `${scenario.userWithReadGlobally.USERNAME} cannot update space_1
+        `${scenario.users.readGlobally.USERNAME} cannot update space_1
         from the ${scenario.spaceId} space`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithReadGlobally.USERNAME,
-            password: scenario.userWithReadGlobally.PASSWORD,
+            username: scenario.users.readGlobally.USERNAME,
+            password: scenario.users.readGlobally.PASSWORD,
           },
           tests: {
             alreadyExists: {
@@ -209,13 +213,13 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       updateTest(
-        `${scenario.userWithDualRead.USERNAME} cannot update space_1
+        `${scenario.users.dualRead.USERNAME} cannot update space_1
         from the ${scenario.spaceId} space`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithDualRead.USERNAME,
-            password: scenario.userWithDualRead.PASSWORD,
+            username: scenario.users.dualRead.USERNAME,
+            password: scenario.users.dualRead.PASSWORD,
           },
           tests: {
             alreadyExists: {
@@ -235,36 +239,36 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       updateTest(
-        `${scenario.userWithLegacyRead.USERNAME} cannot update space_1
+        `${scenario.users.legacyRead.USERNAME} cannot update space_1
         from the ${scenario.spaceId} space`,
         {
           spaceId: scenario.spaceId,
           auth: {
-            username: scenario.userWithLegacyRead.USERNAME,
-            password: scenario.userWithLegacyRead.PASSWORD,
+            username: scenario.users.legacyRead.USERNAME,
+            password: scenario.users.legacyRead.PASSWORD,
           },
           tests: {
             alreadyExists: {
               statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+              response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
             },
             defaultSpace: {
               statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+              response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
             },
             newSpace: {
               statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME),
+              response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
             },
           },
         }
       );
 
-      updateTest(`${scenario.userWithAllAtSpace.USERNAME} cannot update space_1`, {
+      updateTest(`${scenario.users.allAtSpace.USERNAME} cannot update space_1`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithAllAtSpace.USERNAME,
-          password: scenario.userWithAllAtSpace.PASSWORD,
+          username: scenario.users.allAtSpace.USERNAME,
+          password: scenario.users.allAtSpace.PASSWORD,
         },
         tests: {
           alreadyExists: {
@@ -282,11 +286,11 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.userWithReadAtSpace.USERNAME} cannot update space_1`, {
+      updateTest(`${scenario.users.readAtSpace.USERNAME} cannot update space_1`, {
         spaceId: scenario.spaceId,
         auth: {
-          username: scenario.userWithReadAtSpace.USERNAME,
-          password: scenario.userWithReadAtSpace.PASSWORD,
+          username: scenario.users.readAtSpace.USERNAME,
+          password: scenario.users.readAtSpace.PASSWORD,
         },
         tests: {
           alreadyExists: {
diff --git a/x-pack/test/spaces_api_integration/spaces_only/apis/select.ts b/x-pack/test/spaces_api_integration/spaces_only/apis/select.ts
index 95e05822393b5f..d7f6562c6e715b 100644
--- a/x-pack/test/spaces_api_integration/spaces_only/apis/select.ts
+++ b/x-pack/test/spaces_api_integration/spaces_only/apis/select.ts
@@ -37,7 +37,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
     ].forEach(scenario => {
       selectTest(`can select ${scenario.otherSpaceId} from ${scenario.spaceId}`, {
         currentSpaceId: scenario.spaceId,
-        spaceId: scenario.otherSpaceId,
+        selectSpaceId: scenario.otherSpaceId,
         tests: {
           default: {
             statusCode: 200,
@@ -60,7 +60,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
       ].forEach(scenario => {
         selectTest(`cannot select non-existant space from ${scenario.spaceId}`, {
           currentSpaceId: scenario.spaceId,
-          spaceId: scenario.otherSpaceId,
+          selectSpaceId: scenario.otherSpaceId,
           tests: {
             default: {
               statusCode: 404,

From 8873643c0cf18f2f98235aedffa1a5d663ab9874 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Mon, 24 Sep 2018 17:31:39 -0700
Subject: [PATCH 177/183] Adding tests trying to access or specify other
 namespaces

---
 .../common/suites/bulk_create.ts              | 19 ++++++++
 .../common/suites/create.ts                   | 18 ++++++++
 .../common/suites/delete.ts                   | 12 ++++--
 .../common/suites/get.ts                      |  7 +--
 .../common/suites/update.ts                   | 43 +++++++++++++------
 .../security_and_spaces/apis/update.ts        | 12 +++---
 .../security_only/apis/update.ts              | 10 ++---
 .../spaces_only/apis/bulk_create.ts           | 42 ++++++++++++++++++
 .../spaces_only/apis/create.ts                | 37 ++++++++++++++++
 .../spaces_only/apis/delete.ts                | 29 +++++++++++--
 .../spaces_only/apis/get.ts                   | 20 +++++++++
 .../spaces_only/apis/update.ts                | 30 ++++++++++---
 12 files changed, 240 insertions(+), 39 deletions(-)

diff --git a/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts b/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
index f91c5099d7aafb..a21a9bb547e1aa 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
@@ -15,8 +15,16 @@ interface BulkCreateTest {
   response: (resp: any) => void;
 }
 
+interface BulkCreateCustomTest extends BulkCreateTest {
+  description: string;
+  requestBody: {
+    [key: string]: any;
+  };
+}
+
 interface BulkCreateTests {
   default: BulkCreateTest;
+  custom?: BulkCreateCustomTest;
 }
 
 interface BulkCreateTestDefinition {
@@ -155,6 +163,17 @@ export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest:
           .expect(tests.default.statusCode)
           .then(tests.default.response);
       });
+
+      if (tests.custom) {
+        it(tests.custom!.description, async () => {
+          await supertest
+            .post(`${getUrlPrefix(spaceId)}/api/saved_objects/_bulk_create`)
+            .auth(auth.username, auth.password)
+            .send(tests.custom!.requestBody)
+            .expect(tests.custom!.statusCode)
+            .then(tests.custom!.response);
+        });
+      }
     });
   };
 
diff --git a/x-pack/test/saved_object_api_integration/common/suites/create.ts b/x-pack/test/saved_object_api_integration/common/suites/create.ts
index afd0d3d21b46ee..c1f62963242a18 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/create.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/create.ts
@@ -14,9 +14,16 @@ interface CreateTest {
   response: (resp: any) => void;
 }
 
+interface CreateCustomTest extends CreateTest {
+  type: string;
+  description: string;
+  requestBody: any;
+}
+
 interface CreateTests {
   spaceAware: CreateTest;
   notSpaceAware: CreateTest;
+  custom?: CreateCustomTest;
 }
 
 interface CreateTestDefinition {
@@ -153,6 +160,17 @@ export function createTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
           .expect(tests.notSpaceAware.statusCode)
           .then(tests.notSpaceAware.response);
       });
+
+      if (tests.custom) {
+        it(tests.custom.description, async () => {
+          await supertest
+            .post(`${getUrlPrefix(spaceId)}/api/saved_objects/${tests.custom!.type}`)
+            .auth(auth.username, auth.password)
+            .send(tests.custom!.requestBody)
+            .expect(tests.custom!.statusCode)
+            .then(tests.custom!.response);
+        });
+      }
     });
   };
 
diff --git a/x-pack/test/saved_object_api_integration/common/suites/delete.ts b/x-pack/test/saved_object_api_integration/common/suites/delete.ts
index 6a06405b6c6be7..1bd6aa568cf430 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/delete.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/delete.ts
@@ -24,6 +24,7 @@ interface DeleteTests {
 interface DeleteTestDefinition {
   auth?: TestDefinitionAuthentication;
   spaceId?: string;
+  otherSpaceId?: string;
   tests: DeleteTests;
 }
 
@@ -53,6 +54,10 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
+  const createExpectSpaceAwareNotFound = (spaceId: string = DEFAULT_SPACE_ID) => (resp: any) => {
+    createExpectNotFound(spaceId, 'dashboard', 'be3733a0-9efe-11e7-acb3-3dab96693fab')(resp);
+  };
+
   const createExpectUnknownDocNotFound = (spaceId: string = DEFAULT_SPACE_ID) => (resp: any) => {
     createExpectNotFound(spaceId, 'dashboard', `not-a-real-id`)(resp);
   };
@@ -71,7 +76,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     description: string,
     definition: DeleteTestDefinition
   ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
 
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -81,7 +86,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
         await supertest
           .delete(
             `${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${getIdPrefix(
-              spaceId
+              otherSpaceId || spaceId
             )}be3733a0-9efe-11e7-acb3-3dab96693fab`
           )
           .auth(auth.username, auth.password)
@@ -105,7 +110,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
         await supertest
           .delete(
             `${getUrlPrefix(spaceId)}/api/saved_objects/dashboard/${getIdPrefix(
-              spaceId
+              otherSpaceId || spaceId
             )}not-a-real-id`
           )
           .auth(auth.username, auth.password)
@@ -120,6 +125,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
 
   return {
     createExpectLegacyForbidden,
+    createExpectSpaceAwareNotFound,
     createExpectUnknownDocNotFound,
     deleteTest,
     expectEmpty,
diff --git a/x-pack/test/saved_object_api_integration/common/suites/get.ts b/x-pack/test/saved_object_api_integration/common/suites/get.ts
index b8166a3bda70ab..e60f96004f7afb 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/get.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/get.ts
@@ -23,6 +23,7 @@ interface GetTests {
 interface GetTestDefinition {
   auth?: TestDefinitionAuthentication;
   spaceId?: string;
+  otherSpaceId?: string;
   tests: GetTests;
 }
 
@@ -110,7 +111,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     description: string,
     definition: GetTestDefinition
   ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
 
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -122,7 +123,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
         await supertest
           .get(
             `${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(
-              spaceId
+              otherSpaceId || spaceId
             )}${spaceAwareId}`
           )
           .auth(auth.username, auth.password)
@@ -145,7 +146,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
           await supertest
             .get(
               `${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(
-                spaceId
+                otherSpaceId || spaceId
               )}${doesntExistId}`
             )
             .auth(auth.username, auth.password)
diff --git a/x-pack/test/saved_object_api_integration/common/suites/update.ts b/x-pack/test/saved_object_api_integration/common/suites/update.ts
index a7548e69397b8f..b3a5e3126bca31 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/update.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/update.ts
@@ -24,6 +24,7 @@ interface UpdateTests {
 interface UpdateTestDefinition {
   auth?: TestDefinitionAuthentication;
   spaceId?: string;
+  otherSpaceId?: string;
   tests: UpdateTests;
 }
 
@@ -37,6 +38,24 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
+  const createExpectNotFound = (type: string, id: string, spaceId = DEFAULT_SPACE_ID) => (
+    resp: any
+  ) => {
+    expect(resp.body).eql({
+      statusCode: 404,
+      error: 'Not Found',
+      message: `Saved object [${type}/${getIdPrefix(spaceId)}${id}] not found`,
+    });
+  };
+
+  const createExpectDoesntExistNotFound = (spaceId?: string) => {
+    return createExpectNotFound('visualization', 'not an id', spaceId);
+  };
+
+  const createExpectSpaceAwareNotFound = (spaceId?: string) => {
+    return createExpectNotFound('visualization', 'dd7caf20-9efd-11e7-acb3-3dab96693fab', spaceId);
+  };
+
   const createExpectRbacForbidden = (type: string) => (resp: any) => {
     expect(resp.body).to.eql({
       statusCode: 403,
@@ -44,15 +63,8 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
       message: `Unable to update ${type}, missing action:saved_objects/${type}/update`,
     });
   };
-  const expectDoesntExistRbacForbidden = createExpectRbacForbidden('visualization');
 
-  const expectNotFound = (resp: any) => {
-    expect(resp.body).eql({
-      statusCode: 404,
-      error: 'Not Found',
-      message: 'Saved object [visualization/not an id] not found',
-    });
-  };
+  const expectDoesntExistRbacForbidden = createExpectRbacForbidden('visualization');
 
   const expectNotSpaceAwareRbacForbidden = createExpectRbacForbidden('globaltype');
 
@@ -106,7 +118,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     description: string,
     definition: UpdateTestDefinition
   ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+    const { auth = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
 
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -115,7 +127,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
         await supertest
           .put(
             `${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(
-              spaceId
+              otherSpaceId || spaceId
             )}dd7caf20-9efd-11e7-acb3-3dab96693fab`
           )
           .auth(auth.username, auth.password)
@@ -132,7 +144,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
         await supertest
           .put(
             `${getUrlPrefix(
-              spaceId
+              otherSpaceId || spaceId
             )}/api/saved_objects/globaltype/8121a00-8efd-21e7-1cb3-34ab966434445`
           )
           .auth(auth.username, auth.password)
@@ -148,7 +160,11 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
       describe('unknown id', () => {
         it(`should return ${tests.doesntExist.statusCode}`, async () => {
           await supertest
-            .put(`${getUrlPrefix(spaceId)}/api/saved_objects/visualization/not an id`)
+            .put(
+              `${getUrlPrefix(spaceId)}/api/saved_objects/visualization/${getIdPrefix(
+                spaceId
+              )}not an id`
+            )
             .auth(auth.username, auth.password)
             .send({
               attributes: {
@@ -168,8 +184,9 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
 
   return {
     createExpectLegacyForbidden,
+    createExpectDoesntExistNotFound,
+    createExpectSpaceAwareNotFound,
     expectDoesntExistRbacForbidden,
-    expectNotFound,
     expectNotSpaceAwareRbacForbidden,
     expectNotSpaceAwareResults,
     expectSpaceAwareRbacForbidden,
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
index 7c452a32dcffea..a5b52affdd9c84 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
@@ -17,10 +17,10 @@ export default function({ getService }: TestInvoker) {
   describe('update', () => {
     const {
       createExpectLegacyForbidden,
+      createExpectDoesntExistNotFound,
       expectDoesntExistRbacForbidden,
       expectNotSpaceAwareResults,
       expectNotSpaceAwareRbacForbidden,
-      expectNotFound,
       expectSpaceAwareRbacForbidden,
       expectSpaceAwareResults,
       updateTest,
@@ -99,7 +99,7 @@ export default function({ getService }: TestInvoker) {
           },
           doesntExist: {
             statusCode: 404,
-            response: expectNotFound,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
           },
         },
       });
@@ -121,7 +121,7 @@ export default function({ getService }: TestInvoker) {
           },
           doesntExist: {
             statusCode: 404,
-            response: expectNotFound,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
           },
         },
       });
@@ -165,7 +165,7 @@ export default function({ getService }: TestInvoker) {
           },
           doesntExist: {
             statusCode: 404,
-            response: expectNotFound,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
           },
         },
       });
@@ -209,7 +209,7 @@ export default function({ getService }: TestInvoker) {
           },
           doesntExist: {
             statusCode: 404,
-            response: expectNotFound,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
           },
         },
       });
@@ -253,7 +253,7 @@ export default function({ getService }: TestInvoker) {
           },
           doesntExist: {
             statusCode: 404,
-            response: expectNotFound,
+            response: createExpectDoesntExistNotFound(scenario.spaceId),
           },
         },
       });
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/update.ts b/x-pack/test/saved_object_api_integration/security_only/apis/update.ts
index ab967d6611a007..b719b85ca7bbed 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/update.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/update.ts
@@ -15,11 +15,11 @@ export default function({ getService }: TestInvoker) {
 
   describe('update', () => {
     const {
+      createExpectDoesntExistNotFound,
       createExpectLegacyForbidden,
       expectDoesntExistRbacForbidden,
       expectNotSpaceAwareResults,
       expectNotSpaceAwareRbacForbidden,
-      expectNotFound,
       expectSpaceAwareRbacForbidden,
       expectSpaceAwareResults,
       updateTest,
@@ -62,7 +62,7 @@ export default function({ getService }: TestInvoker) {
         },
         doesntExist: {
           statusCode: 404,
-          response: expectNotFound,
+          response: createExpectDoesntExistNotFound(),
         },
       },
     });
@@ -83,7 +83,7 @@ export default function({ getService }: TestInvoker) {
         },
         doesntExist: {
           statusCode: 404,
-          response: expectNotFound,
+          response: createExpectDoesntExistNotFound(),
         },
       },
     });
@@ -131,7 +131,7 @@ export default function({ getService }: TestInvoker) {
         },
         doesntExist: {
           statusCode: 404,
-          response: expectNotFound,
+          response: createExpectDoesntExistNotFound(),
         },
       },
     });
@@ -173,7 +173,7 @@ export default function({ getService }: TestInvoker) {
         },
         doesntExist: {
           statusCode: 404,
-          response: expectNotFound,
+          response: createExpectDoesntExistNotFound(),
         },
       },
     });
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_create.ts
index 6f48c53a3f8974..75b2b3a3c08380 100644
--- a/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_create.ts
@@ -4,10 +4,24 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import expect from 'expect.js';
 import { SPACES } from '../../common/lib/spaces';
 import { TestInvoker } from '../../common/lib/types';
 import { bulkCreateTestSuiteFactory } from '../../common/suites/bulk_create';
 
+const expectNamespaceSpecifiedBadRequest = (resp: any) => {
+  expect(resp.body).to.eql({
+    error: 'Bad Request',
+    message:
+      '"value" at position 0 fails because ["namespace" is not allowed]. "value" does not contain 1 required value(s)',
+    statusCode: 400,
+    validation: {
+      keys: ['0.namespace', 'value'],
+      source: 'payload',
+    },
+  });
+};
+
 // tslint:disable:no-default-export
 export default function({ getService }: TestInvoker) {
   const supertest = getService('supertest');
@@ -28,6 +42,20 @@ export default function({ getService }: TestInvoker) {
           statusCode: 200,
           response: createExpectResults(SPACES.SPACE_1.spaceId),
         },
+        custom: {
+          description: 'when a namespace is specified on the saved object',
+          requestBody: [
+            {
+              type: 'visualization',
+              namespace: 'space_1',
+              attributes: {
+                title: 'something',
+              },
+            },
+          ],
+          statusCode: 400,
+          response: expectNamespaceSpecifiedBadRequest,
+        },
       },
     });
 
@@ -38,6 +66,20 @@ export default function({ getService }: TestInvoker) {
           statusCode: 200,
           response: createExpectResults(SPACES.DEFAULT.spaceId),
         },
+        custom: {
+          description: 'when a namespace is specified on the saved object',
+          requestBody: [
+            {
+              type: 'visualization',
+              namespace: 'space_1',
+              attributes: {
+                title: 'something',
+              },
+            },
+          ],
+          statusCode: 400,
+          response: expectNamespaceSpecifiedBadRequest,
+        },
       },
     });
   });
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/create.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/create.ts
index 4da115377f23ff..5bce939b22ee7c 100644
--- a/x-pack/test/saved_object_api_integration/spaces_only/apis/create.ts
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/create.ts
@@ -4,10 +4,23 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import expect from 'expect.js';
 import { SPACES } from '../../common/lib/spaces';
 import { TestInvoker } from '../../common/lib/types';
 import { createTestSuiteFactory } from '../../common/suites/create';
 
+const expectNamespaceSpecifiedBadRequest = (resp: any) => {
+  expect(resp.body).to.eql({
+    error: 'Bad Request',
+    message: '"namespace" is not allowed',
+    statusCode: 400,
+    validation: {
+      keys: ['namespace'],
+      source: 'payload',
+    },
+  });
+};
+
 // tslint:disable:no-default-export
 export default function({ getService }: TestInvoker) {
   const supertestWithoutAuth = getService('supertestWithoutAuth');
@@ -32,6 +45,18 @@ export default function({ getService }: TestInvoker) {
           statusCode: 200,
           response: expectNotSpaceAwareResults,
         },
+        custom: {
+          description: 'when a namespace is specified on the saved object',
+          type: 'visualization',
+          requestBody: {
+            namespace: 'space_1',
+            attributes: {
+              title: 'something',
+            },
+          },
+          statusCode: 400,
+          response: expectNamespaceSpecifiedBadRequest,
+        },
       },
     });
 
@@ -46,6 +71,18 @@ export default function({ getService }: TestInvoker) {
           statusCode: 200,
           response: expectNotSpaceAwareResults,
         },
+        custom: {
+          description: 'when a namespace is specified on the saved object',
+          type: 'visualization',
+          requestBody: {
+            namespace: 'space_1',
+            attributes: {
+              title: 'something',
+            },
+          },
+          statusCode: 400,
+          response: expectNamespaceSpecifiedBadRequest,
+        },
       },
     });
   });
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/delete.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/delete.ts
index d70f930d636772..04db10af003888 100644
--- a/x-pack/test/saved_object_api_integration/spaces_only/apis/delete.ts
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/delete.ts
@@ -14,10 +14,12 @@ export default function({ getService }: TestInvoker) {
   const esArchiver = getService('esArchiver');
 
   describe('delete', () => {
-    const { createExpectUnknownDocNotFound, deleteTest, expectEmpty } = deleteTestSuiteFactory(
-      esArchiver,
-      supertest
-    );
+    const {
+      createExpectSpaceAwareNotFound,
+      createExpectUnknownDocNotFound,
+      deleteTest,
+      expectEmpty,
+    } = deleteTestSuiteFactory(esArchiver, supertest);
 
     deleteTest(`in the default space`, {
       ...SPACES.DEFAULT,
@@ -54,5 +56,24 @@ export default function({ getService }: TestInvoker) {
         },
       },
     });
+
+    deleteTest(`in another space (space_2)`, {
+      spaceId: SPACES.SPACE_1.spaceId,
+      otherSpaceId: SPACES.SPACE_2.spaceId,
+      tests: {
+        spaceAware: {
+          statusCode: 404,
+          response: createExpectSpaceAwareNotFound(SPACES.SPACE_2.spaceId),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: createExpectUnknownDocNotFound(SPACES.SPACE_2.spaceId),
+        },
+      },
+    });
   });
 }
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/get.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/get.ts
index c2055bd41dd61d..012df684920455 100644
--- a/x-pack/test/saved_object_api_integration/spaces_only/apis/get.ts
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/get.ts
@@ -15,6 +15,7 @@ export default function({ getService }: TestInvoker) {
 
   const {
     createExpectDoesntExistNotFound,
+    createExpectSpaceAwareNotFound,
     createExpectSpaceAwareResults,
     createExpectNotSpaceAwareResults,
     getTest,
@@ -56,5 +57,24 @@ export default function({ getService }: TestInvoker) {
         },
       },
     });
+
+    getTest(`can't access space aware objects belonging to another space (space_1)`, {
+      spaceId: SPACES.DEFAULT.spaceId,
+      otherSpaceId: SPACES.SPACE_1.spaceId,
+      tests: {
+        spaceAware: {
+          statusCode: 404,
+          response: createExpectSpaceAwareNotFound(SPACES.SPACE_1.spaceId),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: createExpectNotSpaceAwareResults(SPACES.SPACE_1.spaceId),
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: createExpectDoesntExistNotFound(SPACES.SPACE_1.spaceId),
+        },
+      },
+    });
   });
 }
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/update.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/update.ts
index c22ef7fe17e133..6779ed4733ec59 100644
--- a/x-pack/test/saved_object_api_integration/spaces_only/apis/update.ts
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/update.ts
@@ -15,14 +15,15 @@ export default function({ getService }: TestInvoker) {
 
   describe('update', () => {
     const {
+      createExpectSpaceAwareNotFound,
       expectSpaceAwareResults,
-      expectNotFound,
+      createExpectDoesntExistNotFound,
       expectNotSpaceAwareResults,
       updateTest,
     } = updateTestSuiteFactory(esArchiver, supertest);
 
     updateTest(`in the default space`, {
-      ...SPACES.DEFAULT,
+      spaceId: SPACES.DEFAULT.spaceId,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -34,13 +35,13 @@ export default function({ getService }: TestInvoker) {
         },
         doesntExist: {
           statusCode: 404,
-          response: expectNotFound,
+          response: createExpectDoesntExistNotFound(SPACES.DEFAULT.spaceId),
         },
       },
     });
 
     updateTest('in the current space (space_1)', {
-      ...SPACES.SPACE_1,
+      spaceId: SPACES.SPACE_1.spaceId,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -52,7 +53,26 @@ export default function({ getService }: TestInvoker) {
         },
         doesntExist: {
           statusCode: 404,
-          response: expectNotFound,
+          response: createExpectDoesntExistNotFound(SPACES.SPACE_1.spaceId),
+        },
+      },
+    });
+
+    updateTest('objects that exist in another space (space_1)', {
+      spaceId: SPACES.DEFAULT.spaceId,
+      otherSpaceId: SPACES.SPACE_1.spaceId,
+      tests: {
+        spaceAware: {
+          statusCode: 404,
+          response: createExpectSpaceAwareNotFound(SPACES.SPACE_1.spaceId),
+        },
+        notSpaceAware: {
+          statusCode: 200,
+          response: expectNotSpaceAwareResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: createExpectDoesntExistNotFound(),
         },
       },
     });

From 7f49d05651dd6873c90378984f58e907ba573edf Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Tue, 25 Sep 2018 07:48:13 -0700
Subject: [PATCH 178/183] Making user descriptions not use constants and be
 consistent

---
 .../common/suites/bulk_create.ts              |  10 +-
 .../common/suites/bulk_get.ts                 |  10 +-
 .../common/suites/create.ts                   |  12 +-
 .../common/suites/delete.ts                   |  20 +-
 .../common/suites/find.ts                     |  18 +-
 .../common/suites/get.ts                      |  20 +-
 .../common/suites/update.ts                   |  16 +-
 .../security_and_spaces/apis/bulk_create.ts   | 122 +++----
 .../security_and_spaces/apis/bulk_get.ts      |  47 ++-
 .../security_and_spaces/apis/create.ts        |  53 ++-
 .../security_and_spaces/apis/delete.ts        |  65 ++--
 .../security_and_spaces/apis/find.ts          |  22 +-
 .../security_and_spaces/apis/get.ts           |  22 +-
 .../security_and_spaces/apis/update.ts        |  65 ++--
 .../security_only/apis/bulk_create.ts         |  22 +-
 .../security_only/apis/bulk_get.ts            |  22 +-
 .../security_only/apis/create.ts              |  22 +-
 .../security_only/apis/delete.ts              |  22 +-
 .../security_only/apis/find.ts                |  22 +-
 .../security_only/apis/get.ts                 |  22 +-
 .../security_only/apis/update.ts              |  22 +-
 .../spaces_only/apis/bulk_create.ts           |   2 +-
 .../spaces_only/apis/create.ts                |   2 +-
 .../common/suites/create.ts                   |  14 +-
 .../common/suites/delete.ts                   |  16 +-
 .../common/suites/get.ts                      |  12 +-
 .../common/suites/get_all.ts                  |   8 +-
 .../common/suites/select.ts                   |  16 +-
 .../common/suites/update.ts                   |  40 ++-
 .../security_and_spaces/apis/create.ts        |  18 +-
 .../security_and_spaces/apis/delete.ts        |  18 +-
 .../security_and_spaces/apis/get.ts           |  63 ++--
 .../security_and_spaces/apis/get_all.ts       | 274 +++++++-------
 .../security_and_spaces/apis/select.ts        | 247 +++++++------
 .../security_and_spaces/apis/update.ts        | 340 ++++++++----------
 35 files changed, 844 insertions(+), 882 deletions(-)

diff --git a/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts b/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
index a21a9bb547e1aa..21e1c35c49b043 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
@@ -12,7 +12,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 
 interface BulkCreateTest {
   statusCode: number;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface BulkCreateCustomTest extends BulkCreateTest {
@@ -67,7 +67,7 @@ const createBulkRequests = (spaceId: string) => [
 const isGlobalType = (type: string) => type === 'globaltype';
 
 export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+  const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -76,7 +76,9 @@ export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest:
     });
   };
 
-  const createExpectResults = (spaceId = DEFAULT_SPACE_ID) => async (resp: any) => {
+  const createExpectResults = (spaceId = DEFAULT_SPACE_ID) => async (resp: {
+    [key: string]: any;
+  }) => {
     expect(resp.body).to.eql({
       saved_objects: [
         {
@@ -137,7 +139,7 @@ export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest:
     }
   };
 
-  const expectRbacForbidden = (resp: any) => {
+  const expectRbacForbidden = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
diff --git a/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts b/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
index 04ce2317cdb972..c09933bdb8d0df 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
@@ -12,7 +12,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 
 interface BulkGetTest {
   statusCode: number;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface BulkGetTests {
@@ -42,7 +42,7 @@ const createBulkRequests = (spaceId: string) => [
 ];
 
 export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+  const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -51,7 +51,7 @@ export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<an
     });
   };
 
-  const createExpectNotFoundResults = (spaceId: string) => (resp: any) => {
+  const createExpectNotFoundResults = (spaceId: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       saved_objects: [
         {
@@ -83,7 +83,7 @@ export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<an
     });
   };
 
-  const expectRbacForbidden = (resp: any) => {
+  const expectRbacForbidden = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -91,7 +91,7 @@ export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<an
     });
   };
 
-  const createExpectResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+  const createExpectResults = (spaceId = DEFAULT_SPACE_ID) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       saved_objects: [
         {
diff --git a/x-pack/test/saved_object_api_integration/common/suites/create.ts b/x-pack/test/saved_object_api_integration/common/suites/create.ts
index c1f62963242a18..5e0bf23037d047 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/create.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/create.ts
@@ -11,7 +11,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 
 interface CreateTest {
   statusCode: number;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface CreateCustomTest extends CreateTest {
@@ -36,7 +36,7 @@ const spaceAwareType = 'visualization';
 const notSpaceAwareType = 'globaltype';
 
 export function createTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+  const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -45,7 +45,7 @@ export function createTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
     });
   };
 
-  const createExpectRbacForbidden = (type: string) => (resp: any) => {
+  const createExpectRbacForbidden = (type: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -53,7 +53,9 @@ export function createTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
     });
   };
 
-  const createExpectSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => async (resp: any) => {
+  const createExpectSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => async (resp: {
+    [key: string]: any;
+  }) => {
     expect(resp.body)
       .to.have.property('id')
       .match(/^[0-9a-f-]{36}$/);
@@ -93,7 +95,7 @@ export function createTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
 
   const expectNotSpaceAwareRbacForbidden = createExpectRbacForbidden(notSpaceAwareType);
 
-  const expectNotSpaceAwareResults = async (resp: any) => {
+  const expectNotSpaceAwareResults = async (resp: { [key: string]: any }) => {
     expect(resp.body)
       .to.have.property('id')
       .match(/^[0-9a-f-]{36}$/);
diff --git a/x-pack/test/saved_object_api_integration/common/suites/delete.ts b/x-pack/test/saved_object_api_integration/common/suites/delete.ts
index 1bd6aa568cf430..394722d7d368fe 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/delete.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/delete.ts
@@ -12,7 +12,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 
 interface DeleteTest {
   statusCode: number;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface DeleteTests {
@@ -29,7 +29,7 @@ interface DeleteTestDefinition {
 }
 
 export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+  const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -38,7 +38,9 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const createExpectNotFound = (spaceId: string, type: string, id: string) => (resp: any) => {
+  const createExpectNotFound = (spaceId: string, type: string, id: string) => (resp: {
+    [key: string]: any;
+  }) => {
     expect(resp.body).to.eql({
       statusCode: 404,
       error: 'Not Found',
@@ -46,7 +48,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const createExpectRbacForbidden = (type: string) => (resp: any) => {
+  const createExpectRbacForbidden = (type: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -54,15 +56,19 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const createExpectSpaceAwareNotFound = (spaceId: string = DEFAULT_SPACE_ID) => (resp: any) => {
+  const createExpectSpaceAwareNotFound = (spaceId: string = DEFAULT_SPACE_ID) => (resp: {
+    [key: string]: any;
+  }) => {
     createExpectNotFound(spaceId, 'dashboard', 'be3733a0-9efe-11e7-acb3-3dab96693fab')(resp);
   };
 
-  const createExpectUnknownDocNotFound = (spaceId: string = DEFAULT_SPACE_ID) => (resp: any) => {
+  const createExpectUnknownDocNotFound = (spaceId: string = DEFAULT_SPACE_ID) => (resp: {
+    [key: string]: any;
+  }) => {
     createExpectNotFound(spaceId, 'dashboard', `not-a-real-id`)(resp);
   };
 
-  const expectEmpty = (resp: any) => {
+  const expectEmpty = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({});
   };
 
diff --git a/x-pack/test/saved_object_api_integration/common/suites/find.ts b/x-pack/test/saved_object_api_integration/common/suites/find.ts
index a76c49b6570f0d..af90255bc01f04 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/find.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/find.ts
@@ -12,7 +12,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 interface FindTest {
   statusCode: number;
   description: string;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface FindTests {
@@ -31,7 +31,9 @@ interface FindTestDefinition {
 }
 
 export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const createExpectEmpty = (page: number, perPage: number, total: number) => (resp: any) => {
+  const createExpectEmpty = (page: number, perPage: number, total: number) => (resp: {
+    [key: string]: any;
+  }) => {
     expect(resp.body).to.eql({
       page,
       per_page: perPage,
@@ -40,7 +42,7 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     });
   };
 
-  const createExpectRbacForbidden = (type?: string) => (resp: any) => {
+  const createExpectRbacForbidden = (type?: string) => (resp: { [key: string]: any }) => {
     const message = type
       ? `Unable to find ${type}, missing action:saved_objects/${type}/find`
       : `Not authorized to find saved_object`;
@@ -52,7 +54,7 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     });
   };
 
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+  const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -61,7 +63,7 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     });
   };
 
-  const expectNotSpaceAwareResults = (resp: any) => {
+  const expectNotSpaceAwareResults = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       page: 1,
       per_page: 20,
@@ -79,7 +81,7 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     });
   };
 
-  const expectTypeRequired = (resp: any) => {
+  const expectTypeRequired = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       error: 'Bad Request',
       message: 'child "type" fails because ["type" is required]',
@@ -91,7 +93,9 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     });
   };
 
-  const createExpectVisualizationResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+  const createExpectVisualizationResults = (spaceId = DEFAULT_SPACE_ID) => (resp: {
+    [key: string]: any;
+  }) => {
     expect(resp.body).to.eql({
       page: 1,
       per_page: 20,
diff --git a/x-pack/test/saved_object_api_integration/common/suites/get.ts b/x-pack/test/saved_object_api_integration/common/suites/get.ts
index e60f96004f7afb..8462c00faad233 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/get.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/get.ts
@@ -11,7 +11,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 
 interface GetTest {
   statusCode: number;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface GetTests {
@@ -36,7 +36,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     return createExpectNotFound(doesntExistId, spaceId);
   };
 
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+  const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -45,7 +45,9 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     });
   };
 
-  const createExpectNotFound = (id: string, spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+  const createExpectNotFound = (id: string, spaceId = DEFAULT_SPACE_ID) => (resp: {
+    [key: string]: any;
+  }) => {
     expect(resp.body).to.eql({
       error: 'Not Found',
       message: `Saved object [visualization/${getIdPrefix(spaceId)}${id}] not found`,
@@ -57,7 +59,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     return createExpectNotFound(spaceAwareId, spaceId);
   };
 
-  const createExpectNotSpaceAwareRbacForbidden = () => (resp: any) => {
+  const createExpectNotSpaceAwareRbacForbidden = () => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       error: 'Forbidden',
       message: `Unable to get globaltype, missing action:saved_objects/globaltype/get`,
@@ -65,7 +67,9 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     });
   };
 
-  const createExpectNotSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+  const createExpectNotSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => (resp: {
+    [key: string]: any;
+  }) => {
     expect(resp.body).to.eql({
       id: `${notSpaceAwareId}`,
       type: 'globaltype',
@@ -81,7 +85,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     return createExpectNotFound(spaceAwareId, spaceId);
   };
 
-  const createExpectSpaceAwareRbacForbidden = () => (resp: any) => {
+  const createExpectSpaceAwareRbacForbidden = () => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       error: 'Forbidden',
       message: `Unable to get visualization, missing action:saved_objects/visualization/get`,
@@ -89,7 +93,9 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     });
   };
 
-  const createExpectSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => (resp: any) => {
+  const createExpectSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => (resp: {
+    [key: string]: any;
+  }) => {
     expect(resp.body).to.eql({
       id: `${getIdPrefix(spaceId)}dd7caf20-9efd-11e7-acb3-3dab96693fab`,
       type: 'visualization',
diff --git a/x-pack/test/saved_object_api_integration/common/suites/update.ts b/x-pack/test/saved_object_api_integration/common/suites/update.ts
index b3a5e3126bca31..e010a768cc1dac 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/update.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/update.ts
@@ -12,7 +12,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 
 interface UpdateTest {
   statusCode: number;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface UpdateTests {
@@ -29,7 +29,7 @@ interface UpdateTestDefinition {
 }
 
 export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+  const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -38,9 +38,9 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const createExpectNotFound = (type: string, id: string, spaceId = DEFAULT_SPACE_ID) => (
-    resp: any
-  ) => {
+  const createExpectNotFound = (type: string, id: string, spaceId = DEFAULT_SPACE_ID) => (resp: {
+    [key: string]: any;
+  }) => {
     expect(resp.body).eql({
       statusCode: 404,
       error: 'Not Found',
@@ -56,7 +56,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     return createExpectNotFound('visualization', 'dd7caf20-9efd-11e7-acb3-3dab96693fab', spaceId);
   };
 
-  const createExpectRbacForbidden = (type: string) => (resp: any) => {
+  const createExpectRbacForbidden = (type: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -68,7 +68,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
 
   const expectNotSpaceAwareRbacForbidden = createExpectRbacForbidden('globaltype');
 
-  const expectNotSpaceAwareResults = (resp: any) => {
+  const expectNotSpaceAwareResults = (resp: { [key: string]: any }) => {
     // loose uuid validation
     expect(resp.body)
       .to.have.property('id')
@@ -92,7 +92,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
 
   const expectSpaceAwareRbacForbidden = createExpectRbacForbidden('visualization');
 
-  const expectSpaceAwareResults = (resp: any) => {
+  const expectSpaceAwareResults = (resp: { [key: string]: any }) => {
     // loose uuid validation ignoring prefix
     expect(resp.body)
       .to.have.property('id')
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
index 3d27bf583b7201..c0e3a6c82a174a 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
@@ -57,7 +57,7 @@ export default function({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      bulkCreateTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkCreateTest(`user with no access within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.noAccess.USERNAME,
           password: scenario.users.noAccess.PASSWORD,
@@ -71,7 +71,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkCreateTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkCreateTest(`superuser within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.superuser.USERNAME,
           password: scenario.users.superuser.PASSWORD,
@@ -85,7 +85,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkCreateTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkCreateTest(`legacy user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.legacyAll.USERNAME,
           password: scenario.users.legacyAll.PASSWORD,
@@ -99,7 +99,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkCreateTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkCreateTest(`legacy readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.legacyRead.USERNAME,
           password: scenario.users.legacyRead.PASSWORD,
@@ -113,7 +113,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkCreateTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkCreateTest(`dual-privileges user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.dualAll.USERNAME,
           password: scenario.users.dualAll.PASSWORD,
@@ -127,7 +127,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkCreateTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkCreateTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.dualRead.USERNAME,
           password: scenario.users.dualRead.PASSWORD,
@@ -141,41 +141,35 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkCreateTest(
-        `${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.users.allGlobally.USERNAME,
-            password: scenario.users.allGlobally.PASSWORD,
-          },
-          spaceId: scenario.spaceId,
-          tests: {
-            default: {
-              statusCode: 200,
-              response: createExpectResults(scenario.spaceId),
-            },
+      bulkCreateTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.allGlobally.USERNAME,
+          password: scenario.users.allGlobally.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 200,
+            response: createExpectResults(scenario.spaceId),
           },
-        }
-      );
+        },
+      });
 
-      bulkCreateTest(
-        `${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.users.readGlobally.USERNAME,
-            password: scenario.users.readGlobally.PASSWORD,
-          },
-          spaceId: scenario.spaceId,
-          tests: {
-            default: {
-              statusCode: 403,
-              response: expectRbacForbidden,
-            },
+      bulkCreateTest(`rbac user with read globally within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.readGlobally.USERNAME,
+          password: scenario.users.readGlobally.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 403,
+            response: expectRbacForbidden,
           },
-        }
-      );
+        },
+      });
 
-      bulkCreateTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkCreateTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allAtSpace.USERNAME,
           password: scenario.users.allAtSpace.PASSWORD,
@@ -189,39 +183,33 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkCreateTest(
-        `${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.users.readAtSpace.USERNAME,
-            password: scenario.users.readAtSpace.PASSWORD,
-          },
-          spaceId: scenario.spaceId,
-          tests: {
-            default: {
-              statusCode: 403,
-              response: expectRbacForbidden,
-            },
+      bulkCreateTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.readAtSpace.USERNAME,
+          password: scenario.users.readAtSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 403,
+            response: expectRbacForbidden,
           },
-        }
-      );
+        },
+      });
 
-      bulkCreateTest(
-        `${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.users.allAtOtherSpace.USERNAME,
-            password: scenario.users.allAtOtherSpace.PASSWORD,
-          },
-          spaceId: scenario.spaceId,
-          tests: {
-            default: {
-              statusCode: 403,
-              response: expectRbacForbidden,
-            },
+      bulkCreateTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.allAtOtherSpace.USERNAME,
+          password: scenario.users.allAtOtherSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 403,
+            response: expectRbacForbidden,
           },
-        }
-      );
+        },
+      });
     });
   });
 }
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
index eb52bd53779170..54d1fcb3b4b665 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
@@ -56,7 +56,7 @@ export default function({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      bulkGetTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`user with no access within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.noAccess.USERNAME,
           password: scenario.users.noAccess.PASSWORD,
@@ -70,7 +70,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`superuser within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.superuser.USERNAME,
           password: scenario.users.superuser.PASSWORD,
@@ -84,7 +84,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`legacy user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.legacyAll.USERNAME,
           password: scenario.users.legacyAll.PASSWORD,
@@ -98,7 +98,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`legacy readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.legacyRead.USERNAME,
           password: scenario.users.legacyRead.PASSWORD,
@@ -112,7 +112,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`dual-privileges user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.dualAll.USERNAME,
           password: scenario.users.dualAll.PASSWORD,
@@ -126,7 +126,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.dualRead.USERNAME,
           password: scenario.users.dualRead.PASSWORD,
@@ -140,7 +140,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allGlobally.USERNAME,
           password: scenario.users.allGlobally.PASSWORD,
@@ -154,7 +154,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`rbac user with read globally within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.readGlobally.USERNAME,
           password: scenario.users.readGlobally.PASSWORD,
@@ -168,7 +168,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allAtSpace.USERNAME,
           password: scenario.users.allAtSpace.PASSWORD,
@@ -182,7 +182,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(`${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      bulkGetTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.readAtSpace.USERNAME,
           password: scenario.users.readAtSpace.PASSWORD,
@@ -196,22 +196,19 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      bulkGetTest(
-        `${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.users.allAtOtherSpace.USERNAME,
-            password: scenario.users.allAtOtherSpace.PASSWORD,
-          },
-          spaceId: scenario.spaceId,
-          tests: {
-            default: {
-              statusCode: 403,
-              response: expectRbacForbidden,
-            },
+      bulkGetTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.allAtOtherSpace.USERNAME,
+          password: scenario.users.allAtOtherSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          default: {
+            statusCode: 403,
+            response: expectRbacForbidden,
           },
-        }
-      );
+        },
+      });
     });
   });
 }
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts
index f3a7f161833af2..57df81e60cad0f 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts
@@ -59,7 +59,7 @@ export default function({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      createTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`user with no access  within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.noAccess.USERNAME,
           password: scenario.users.noAccess.PASSWORD,
@@ -77,7 +77,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`superuser within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.superuser.USERNAME,
           password: scenario.users.superuser.PASSWORD,
@@ -95,7 +95,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`legacy user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.legacyAll.USERNAME,
           password: scenario.users.legacyAll.PASSWORD,
@@ -113,7 +113,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`legacy readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.legacyRead.USERNAME,
           password: scenario.users.legacyRead.PASSWORD,
@@ -131,7 +131,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`dual-privileges user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.dualAll.USERNAME,
           password: scenario.users.dualAll.PASSWORD,
@@ -149,7 +149,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.dualRead.USERNAME,
           password: scenario.users.dualRead.PASSWORD,
@@ -167,7 +167,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allGlobally.USERNAME,
           password: scenario.users.allGlobally.PASSWORD,
@@ -185,7 +185,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`rbac user with read globally within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.readGlobally.USERNAME,
           password: scenario.users.readGlobally.PASSWORD,
@@ -203,7 +203,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allAtSpace.USERNAME,
           password: scenario.users.allAtSpace.PASSWORD,
@@ -221,7 +221,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.readAtSpace.USERNAME,
           password: scenario.users.readAtSpace.PASSWORD,
@@ -239,26 +239,23 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      createTest(
-        `${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.users.allAtOtherSpace.USERNAME,
-            password: scenario.users.allAtOtherSpace.PASSWORD,
+      createTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.allAtOtherSpace.USERNAME,
+          password: scenario.users.allAtOtherSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: expectSpaceAwareRbacForbidden,
           },
-          spaceId: scenario.spaceId,
-          tests: {
-            spaceAware: {
-              statusCode: 403,
-              response: expectSpaceAwareRbacForbidden,
-            },
-            notSpaceAware: {
-              statusCode: 403,
-              response: expectNotSpaceAwareRbacForbidden,
-            },
+          notSpaceAware: {
+            statusCode: 403,
+            response: expectNotSpaceAwareRbacForbidden,
           },
-        }
-      );
+        },
+      });
     });
   });
 }
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts
index b8334112c4ddf9..56cf2c8b067b6a 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts
@@ -59,7 +59,7 @@ export default function({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      deleteTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`user with no access within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.noAccess.USERNAME,
           password: scenario.users.noAccess.PASSWORD,
@@ -81,7 +81,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`superuser within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.superuser.USERNAME,
           password: scenario.users.superuser.PASSWORD,
@@ -103,7 +103,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`legacy user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.legacyAll.USERNAME,
           password: scenario.users.legacyAll.PASSWORD,
@@ -125,7 +125,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`legacy readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.legacyRead.USERNAME,
           password: scenario.users.legacyRead.PASSWORD,
@@ -147,7 +147,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`dual-privileges user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.dualAll.USERNAME,
           password: scenario.users.dualAll.PASSWORD,
@@ -169,7 +169,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.dualRead.USERNAME,
           password: scenario.users.dualRead.PASSWORD,
@@ -191,7 +191,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allGlobally.USERNAME,
           password: scenario.users.allGlobally.PASSWORD,
@@ -213,7 +213,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`rbac user with read globally within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.readGlobally.USERNAME,
           password: scenario.users.readGlobally.PASSWORD,
@@ -235,7 +235,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allAtSpace.USERNAME,
           password: scenario.users.allAtSpace.PASSWORD,
@@ -257,7 +257,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      deleteTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.readAtSpace.USERNAME,
           password: scenario.users.readAtSpace.PASSWORD,
@@ -279,30 +279,27 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(
-        `${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.users.allAtOtherSpace.USERNAME,
-            password: scenario.users.allAtOtherSpace.PASSWORD,
-          },
-          spaceId: scenario.spaceId,
-          tests: {
-            spaceAware: {
-              statusCode: 403,
-              response: expectRbacSpaceAwareForbidden,
-            },
-            notSpaceAware: {
-              statusCode: 403,
-              response: expectRbacNotSpaceAwareForbidden,
-            },
-            invalidId: {
-              statusCode: 403,
-              response: expectRbacInvalidIdForbidden,
-            },
-          },
-        }
-      );
+      deleteTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.allAtOtherSpace.USERNAME,
+          password: scenario.users.allAtOtherSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: expectRbacSpaceAwareForbidden,
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: expectRbacNotSpaceAwareForbidden,
+          },
+          invalidId: {
+            statusCode: 403,
+            response: expectRbacInvalidIdForbidden,
+          },
+        },
+      });
     });
   });
 }
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
index cab579e493f0db..ed13a1fed8e343 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
@@ -59,7 +59,7 @@ export default function({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      findTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`user with no access within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
           password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
@@ -99,7 +99,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`superuser within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.SUPERUSER.USERNAME,
           password: AUTHENTICATION.SUPERUSER.PASSWORD,
@@ -139,7 +139,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`legacy user within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
           password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
@@ -179,7 +179,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`legacy readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
           password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
@@ -219,7 +219,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`dual-privileges user within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
           password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
@@ -259,7 +259,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
           password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
@@ -299,7 +299,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
           password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
@@ -339,7 +339,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`rbac user with read globally within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
           password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
@@ -379,7 +379,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allAtSpace.USERNAME,
           password: scenario.users.allAtSpace.PASSWORD,
@@ -419,7 +419,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.readAtSpace.USERNAME,
           password: scenario.users.readAtSpace.PASSWORD,
@@ -459,7 +459,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      findTest(`${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      findTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allAtOtherSpace.USERNAME,
           password: scenario.users.allAtOtherSpace.PASSWORD,
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts
index 45f1aefa8bc053..013daeb0c99e91 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts
@@ -59,7 +59,7 @@ export default function({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      getTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`user with no access within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.noAccess.USERNAME,
           password: scenario.users.noAccess.PASSWORD,
@@ -81,7 +81,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`superuser within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.superuser.USERNAME,
           password: scenario.users.superuser.PASSWORD,
@@ -103,7 +103,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`legacy user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.legacyAll.USERNAME,
           password: scenario.users.legacyAll.PASSWORD,
@@ -125,7 +125,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`legacy readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.legacyRead.USERNAME,
           password: scenario.users.legacyRead.PASSWORD,
@@ -147,7 +147,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`dual-privileges user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.dualAll.USERNAME,
           password: scenario.users.dualAll.PASSWORD,
@@ -169,7 +169,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.dualRead.USERNAME,
           password: scenario.users.dualRead.PASSWORD,
@@ -191,7 +191,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allGlobally.USERNAME,
           password: scenario.users.allGlobally.PASSWORD,
@@ -213,7 +213,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`rbac user with read globall within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.readGlobally.USERNAME,
           password: scenario.users.readGlobally.PASSWORD,
@@ -235,7 +235,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allAtSpace.USERNAME,
           password: scenario.users.allAtSpace.PASSWORD,
@@ -257,7 +257,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.readAtSpace.USERNAME,
           password: scenario.users.readAtSpace.PASSWORD,
@@ -279,7 +279,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      getTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allAtOtherSpace.USERNAME,
           password: scenario.users.allAtOtherSpace.PASSWORD,
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
index a5b52affdd9c84..458c449ab0fedb 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
@@ -60,7 +60,7 @@ export default function({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      updateTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`user with no access within the ${scenario.spaceId} space`, {
         auth: {
           username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
           password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
@@ -82,7 +82,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`superuser within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.superuser.USERNAME,
           password: scenario.users.superuser.PASSWORD,
@@ -104,7 +104,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`legacy user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.legacyAll.USERNAME,
           password: scenario.users.legacyAll.PASSWORD,
@@ -126,7 +126,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`legacy readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.legacyRead.USERNAME,
           password: scenario.users.legacyRead.PASSWORD,
@@ -148,7 +148,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`dual-privileges user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.dualAll.USERNAME,
           password: scenario.users.dualAll.PASSWORD,
@@ -170,7 +170,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.dualRead.USERNAME,
           password: scenario.users.dualRead.PASSWORD,
@@ -192,7 +192,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allGlobally.USERNAME,
           password: scenario.users.allGlobally.PASSWORD,
@@ -214,7 +214,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`rbac user with read globally within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.readGlobally.USERNAME,
           password: scenario.users.readGlobally.PASSWORD,
@@ -236,7 +236,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.allAtSpace.USERNAME,
           password: scenario.users.allAtSpace.PASSWORD,
@@ -258,7 +258,7 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.users.readAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      updateTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
         auth: {
           username: scenario.users.readAtSpace.USERNAME,
           password: scenario.users.readAtSpace.PASSWORD,
@@ -280,30 +280,27 @@ export default function({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(
-        `${scenario.users.allAtOtherSpace.USERNAME} within the ${scenario.spaceId} space`,
-        {
-          auth: {
-            username: scenario.users.allAtOtherSpace.USERNAME,
-            password: scenario.users.allAtOtherSpace.PASSWORD,
-          },
-          spaceId: scenario.spaceId,
-          tests: {
-            spaceAware: {
-              statusCode: 403,
-              response: expectSpaceAwareRbacForbidden,
-            },
-            notSpaceAware: {
-              statusCode: 403,
-              response: expectNotSpaceAwareRbacForbidden,
-            },
-            doesntExist: {
-              statusCode: 403,
-              response: expectDoesntExistRbacForbidden,
-            },
-          },
-        }
-      );
+      updateTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
+        auth: {
+          username: scenario.users.allAtOtherSpace.USERNAME,
+          password: scenario.users.allAtOtherSpace.PASSWORD,
+        },
+        spaceId: scenario.spaceId,
+        tests: {
+          spaceAware: {
+            statusCode: 403,
+            response: expectSpaceAwareRbacForbidden,
+          },
+          notSpaceAware: {
+            statusCode: 403,
+            response: expectNotSpaceAwareRbacForbidden,
+          },
+          doesntExist: {
+            statusCode: 403,
+            response: expectDoesntExistRbacForbidden,
+          },
+        },
+      });
     });
   });
 }
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts
index 791425ddb84fe8..c5d31fc946d445 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts
@@ -22,7 +22,7 @@ export default function({ getService }: TestInvoker) {
   } = bulkCreateTestSuiteFactory(es, esArchiver, supertest);
 
   describe('_bulk_create', () => {
-    bulkCreateTest(`not a kibana user`, {
+    bulkCreateTest(`user with no access`, {
       auth: {
         username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
         password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
@@ -48,7 +48,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkCreateTest(`kibana legacy user`, {
+    bulkCreateTest(`legacy user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
@@ -61,7 +61,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkCreateTest(`kibana legacy dashboard only user`, {
+    bulkCreateTest(`legacy readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
@@ -76,7 +76,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkCreateTest(`kibana dual-privileges user`, {
+    bulkCreateTest(`dual-privileges user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
@@ -89,7 +89,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkCreateTest(`kibana dual-privileges dashboard only user`, {
+    bulkCreateTest(`dual-privileges readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
@@ -102,7 +102,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkCreateTest(`kibana rbac user`, {
+    bulkCreateTest(`rbac user with all globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
@@ -115,7 +115,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkCreateTest(`kibana rbac dashboard only user`, {
+    bulkCreateTest(`rbac readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
@@ -128,7 +128,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkCreateTest(`kibana rbac default space all user`, {
+    bulkCreateTest(`rbac user with all at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
@@ -143,7 +143,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkCreateTest(`kibana rbac default space read user`, {
+    bulkCreateTest(`rbac user with read at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
@@ -158,7 +158,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkCreateTest(`kibana rbac space 1 all user`, {
+    bulkCreateTest(`rbac user with all at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
@@ -173,7 +173,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkCreateTest(`kibana rbac space 1 readonly user`, {
+    bulkCreateTest(`rbac user with read at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts
index 60aaf8b64d86d5..8905f138bf8ebe 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts
@@ -19,7 +19,7 @@ export default function({ getService }: TestInvoker) {
   );
 
   describe('_bulk_get', () => {
-    bulkGetTest(`not a kibana user`, {
+    bulkGetTest(`user with no access`, {
       auth: {
         username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
         password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
@@ -45,7 +45,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkGetTest(`kibana legacy user`, {
+    bulkGetTest(`legacy user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
@@ -58,7 +58,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkGetTest(`kibana legacy dashboard only user`, {
+    bulkGetTest(`legacy reeadonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
@@ -71,7 +71,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkGetTest(`kibana dual-privileges user`, {
+    bulkGetTest(`dual-privileges user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
@@ -84,7 +84,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkGetTest(`kibana dual-privileges dashboard only user`, {
+    bulkGetTest(`dual-privileges readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
@@ -97,7 +97,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkGetTest(`kibana rbac user`, {
+    bulkGetTest(`rbac user with all globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
@@ -110,7 +110,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkGetTest(`kibana rbac dashboard only user`, {
+    bulkGetTest(`rbac user with read globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
@@ -123,7 +123,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkGetTest(`kibana rbac default space all user`, {
+    bulkGetTest(`rbac user with all at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
@@ -138,7 +138,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkGetTest(`kibana rbac default space read user`, {
+    bulkGetTest(`rbac user with read at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
@@ -153,7 +153,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkGetTest(`kibana rbac space 1 all user`, {
+    bulkGetTest(`rbac user with all at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
@@ -168,7 +168,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    bulkGetTest(`kibana rbac space 1 readonly user`, {
+    bulkGetTest(`rbac user with read at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/create.ts b/x-pack/test/saved_object_api_integration/security_only/apis/create.ts
index 21050effbdd996..54c1f292f13fce 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/create.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/create.ts
@@ -24,7 +24,7 @@ export default function({ getService }: TestInvoker) {
   } = createTestSuiteFactory(es, esArchiver, supertestWithoutAuth);
 
   describe('create', () => {
-    createTest(`not a kibana user`, {
+    createTest(`user with no access`, {
       auth: {
         username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
         password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
@@ -58,7 +58,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    createTest(`kibana legacy user`, {
+    createTest(`legacy user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
@@ -75,7 +75,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    createTest(`kibana legacy dashboard only user`, {
+    createTest(`legacy readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
@@ -96,7 +96,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    createTest(`kibana dual-privileges user`, {
+    createTest(`dual-privileges user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
@@ -113,7 +113,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    createTest(`kibana dual-privileges dashboard only user`, {
+    createTest(`dual-privileges readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
@@ -130,7 +130,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    createTest(`kibana rbac user`, {
+    createTest(`rbac user with all globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
@@ -147,7 +147,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    createTest(`kibana rbac dashboard only user`, {
+    createTest(`rbac user with read globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
@@ -164,7 +164,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    createTest(`kibana rbac default space all user`, {
+    createTest(`rbac user with all at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
@@ -185,7 +185,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    createTest(`kibana rbac default space read user`, {
+    createTest(`rbac user with read at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
@@ -206,7 +206,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    createTest(`kibana rbac space 1 all user`, {
+    createTest(`rbac user with all at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
@@ -227,7 +227,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    createTest(`kibana rbac space 1 readonly user`, {
+    createTest(`rbac user with read at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts b/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts
index 634a3d60f1322c..fbba12ad41f87f 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts
@@ -24,7 +24,7 @@ export default function({ getService }: TestInvoker) {
       expectRbacInvalidIdForbidden,
     } = deleteTestSuiteFactory(esArchiver, supertest);
 
-    deleteTest(`not a kibana user`, {
+    deleteTest(`user with no access`, {
       auth: {
         username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
         password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
@@ -66,7 +66,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    deleteTest(`kibana legacy user`, {
+    deleteTest(`legacy user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
@@ -87,7 +87,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    deleteTest(`kibana legacy dashboard only user`, {
+    deleteTest(`legacy readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
@@ -114,7 +114,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    deleteTest(`kibana dual-privileges user`, {
+    deleteTest(`dual-privileges user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
@@ -135,7 +135,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    deleteTest(`kibana dual-privileges dashboard only user`, {
+    deleteTest(`dual-privileges readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
@@ -156,7 +156,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    deleteTest(`kibana rbac user`, {
+    deleteTest(`rbac user with all globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
@@ -177,7 +177,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    deleteTest(`kibana rbac dashboard only user`, {
+    deleteTest(`rbac user with read globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
@@ -198,7 +198,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    deleteTest(`kibana rbac default space all user`, {
+    deleteTest(`rbac user with all at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
@@ -225,7 +225,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    deleteTest(`kibana rbac default space read user`, {
+    deleteTest(`rbac user with read at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
@@ -252,7 +252,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    deleteTest(`kibana rbac space 1 all user`, {
+    deleteTest(`rbac user with all at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
@@ -279,7 +279,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    deleteTest(`kibana rbac space 1 readonly user`, {
+    deleteTest(`rbac user with readonly at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
index d05e687b309a66..79dbe4d4e05cf5 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
@@ -24,7 +24,7 @@ export default function({ getService }: TestInvoker) {
       findTest,
     } = findTestSuiteFactory(esArchiver, supertest);
 
-    findTest(`not a kibana user`, {
+    findTest(`user with no access`, {
       auth: {
         username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
         password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
@@ -102,7 +102,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    findTest(`kibana legacy user`, {
+    findTest(`legacy user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
@@ -141,7 +141,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    findTest(`kibana legacy dashboard only user`, {
+    findTest(`legacy readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
@@ -180,7 +180,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    findTest(`kibana dual-privileges user`, {
+    findTest(`dual-privileges user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
@@ -219,7 +219,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    findTest(`kibana dual-privileges dashboard only user`, {
+    findTest(`dual-privileges readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
@@ -258,7 +258,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    findTest(`kibana rbac user`, {
+    findTest(`rbac user with all globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
@@ -297,7 +297,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    findTest(`kibana rbac dashboard only user`, {
+    findTest(`rbac user with read globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
@@ -336,7 +336,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    findTest(`kibana rbac default space all user`, {
+    findTest(`rbac user with all at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
@@ -385,7 +385,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    findTest(`kibana rbac default space read user`, {
+    findTest(`rbac user with read at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
@@ -434,7 +434,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    findTest(`kibana rbac space 1 all user`, {
+    findTest(`rbac user with all at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
@@ -483,7 +483,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    findTest(`kibana rbac space 1 readonly user`, {
+    findTest(`rbac user with read at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/get.ts b/x-pack/test/saved_object_api_integration/security_only/apis/get.ts
index db3399f8c6d47c..0d3168c9322c55 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/get.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/get.ts
@@ -22,7 +22,7 @@ export default function({ getService }: TestInvoker) {
   } = getTestSuiteFactory(esArchiver, supertest);
 
   describe('get', () => {
-    getTest(`not a kibana user`, {
+    getTest(`user with no access`, {
       auth: {
         username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
         password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
@@ -64,7 +64,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    getTest(`kibana legacy user`, {
+    getTest(`legacy user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
@@ -85,7 +85,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    getTest(`kibana legacy dashboard only user`, {
+    getTest(`legacy readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
@@ -106,7 +106,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    getTest(`kibana dual-privileges user`, {
+    getTest(`dual-privileges user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
@@ -127,7 +127,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    getTest(`kibana dual-privileges dashboard only user`, {
+    getTest(`dual-privileges readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
@@ -148,7 +148,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    getTest(`kibana rbac user`, {
+    getTest(`rbac user with all globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
@@ -169,7 +169,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    getTest(`kibana rbac dashboard only user`, {
+    getTest(`rbac user with read globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
@@ -190,7 +190,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    getTest(`kibana rbac default space all user`, {
+    getTest(`rbac user with all at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
@@ -217,7 +217,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    getTest(`kibana rbac default space read user`, {
+    getTest(`rbac user with read at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
@@ -244,7 +244,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    getTest(`kibana rbac space 1 all user`, {
+    getTest(`rbac user with all at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
@@ -271,7 +271,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    getTest(`kibana rbac space 1 readonly user`, {
+    getTest(`rbac user with read at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/update.ts b/x-pack/test/saved_object_api_integration/security_only/apis/update.ts
index b719b85ca7bbed..84125c5071005c 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/update.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/update.ts
@@ -25,7 +25,7 @@ export default function({ getService }: TestInvoker) {
       updateTest,
     } = updateTestSuiteFactory(esArchiver, supertest);
 
-    updateTest(`not a kibana user`, {
+    updateTest(`user with no access`, {
       auth: {
         username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
         password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
@@ -67,7 +67,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    updateTest(`kibana legacy user`, {
+    updateTest(`legacy user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
@@ -88,7 +88,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    updateTest(`kibana legacy dashboard only user`, {
+    updateTest(`legacy readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
@@ -115,7 +115,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    updateTest(`kibana dual-privileges user`, {
+    updateTest(`dual-privileges user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
@@ -136,7 +136,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    updateTest(`kibana dual-privileges dashboard only user`, {
+    updateTest(`dual-privileges readonly user`, {
       auth: {
         username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
@@ -157,7 +157,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    updateTest(`kibana rbac user`, {
+    updateTest(`rbac user with all globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
@@ -178,7 +178,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    updateTest(`kibana rbac dashboard only user`, {
+    updateTest(`rbac user with read globally`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
@@ -199,7 +199,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    updateTest(AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME, {
+    updateTest(`rbac user with all at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
@@ -226,7 +226,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    updateTest(AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME, {
+    updateTest(`rbac user with read at default space`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
@@ -253,7 +253,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    updateTest(AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME, {
+    updateTest(`rbac user with all at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
@@ -280,7 +280,7 @@ export default function({ getService }: TestInvoker) {
       },
     });
 
-    updateTest(AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME, {
+    updateTest(`rbac user with read at space_1`, {
       auth: {
         username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
         password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_create.ts
index 75b2b3a3c08380..cf794079a42ead 100644
--- a/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/bulk_create.ts
@@ -9,7 +9,7 @@ import { SPACES } from '../../common/lib/spaces';
 import { TestInvoker } from '../../common/lib/types';
 import { bulkCreateTestSuiteFactory } from '../../common/suites/bulk_create';
 
-const expectNamespaceSpecifiedBadRequest = (resp: any) => {
+const expectNamespaceSpecifiedBadRequest = (resp: { [key: string]: any }) => {
   expect(resp.body).to.eql({
     error: 'Bad Request',
     message:
diff --git a/x-pack/test/saved_object_api_integration/spaces_only/apis/create.ts b/x-pack/test/saved_object_api_integration/spaces_only/apis/create.ts
index 5bce939b22ee7c..129023130e7160 100644
--- a/x-pack/test/saved_object_api_integration/spaces_only/apis/create.ts
+++ b/x-pack/test/saved_object_api_integration/spaces_only/apis/create.ts
@@ -9,7 +9,7 @@ import { SPACES } from '../../common/lib/spaces';
 import { TestInvoker } from '../../common/lib/types';
 import { createTestSuiteFactory } from '../../common/suites/create';
 
-const expectNamespaceSpecifiedBadRequest = (resp: any) => {
+const expectNamespaceSpecifiedBadRequest = (resp: { [key: string]: any }) => {
   expect(resp.body).to.eql({
     error: 'Bad Request',
     message: '"namespace" is not allowed',
diff --git a/x-pack/test/spaces_api_integration/common/suites/create.ts b/x-pack/test/spaces_api_integration/common/suites/create.ts
index 45532d4998e801..f8ae030b42681c 100644
--- a/x-pack/test/spaces_api_integration/common/suites/create.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/create.ts
@@ -11,7 +11,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 
 interface CreateTest {
   statusCode: number;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface CreateTests {
@@ -27,7 +27,9 @@ interface CreateTestDefinition {
 }
 
 export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const createExpectLegacyForbiddenResponse = (username: string) => (resp: any) => {
+  const createExpectLegacyForbiddenResponse = (username: string) => (resp: {
+    [key: string]: any;
+  }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -35,14 +37,14 @@ export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const expectConflictResponse = (resp: any) => {
+  const expectConflictResponse = (resp: { [key: string]: any }) => {
     expect(resp.body).to.only.have.keys(['error', 'message', 'statusCode']);
     expect(resp.body.error).to.equal('Conflict');
     expect(resp.body.statusCode).to.equal(409);
     expect(resp.body.message).to.match(new RegExp(`A space with the identifier .*`));
   };
 
-  const expectNewSpaceResult = (resp: any) => {
+  const expectNewSpaceResult = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       name: 'marketing',
       id: 'marketing',
@@ -51,7 +53,7 @@ export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const expectRbacForbiddenResponse = (resp: any) => {
+  const expectRbacForbiddenResponse = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -59,7 +61,7 @@ export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const expectReservedSpecifiedResult = (resp: any) => {
+  const expectReservedSpecifiedResult = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       name: 'reserved space',
       id: 'reserved',
diff --git a/x-pack/test/spaces_api_integration/common/suites/delete.ts b/x-pack/test/spaces_api_integration/common/suites/delete.ts
index eb1a663ed2cb3d..43b37900616e79 100644
--- a/x-pack/test/spaces_api_integration/common/suites/delete.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/delete.ts
@@ -10,7 +10,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 
 interface DeleteTest {
   statusCode: number;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface DeleteTests {
@@ -26,7 +26,9 @@ interface DeleteTestDefinition {
 }
 
 export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const createExpectLegacyForbidden = (username: string, action: string) => (resp: any) => {
+  const createExpectLegacyForbidden = (username: string, action: string) => (resp: {
+    [key: string]: any;
+  }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -34,22 +36,22 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const createExpectResult = (expectedResult: any) => (resp: any) => {
+  const createExpectResult = (expectedResult: any) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql(expectedResult);
   };
 
-  const expectEmptyResult = (resp: any) => {
+  const expectEmptyResult = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql('');
   };
 
-  const expectNotFound = (resp: any) => {
+  const expectNotFound = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       error: 'Not Found',
       statusCode: 404,
     });
   };
 
-  const expectRbacForbidden = (resp: any) => {
+  const expectRbacForbidden = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -57,7 +59,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const expectReservedSpaceResult = (resp: any) => {
+  const expectReservedSpaceResult = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       error: 'Bad Request',
       statusCode: 400,
diff --git a/x-pack/test/spaces_api_integration/common/suites/get.ts b/x-pack/test/spaces_api_integration/common/suites/get.ts
index aeff87f9e4fee5..ea5e3ba09a7edb 100644
--- a/x-pack/test/spaces_api_integration/common/suites/get.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/get.ts
@@ -10,7 +10,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 
 interface GetTest {
   statusCode: number;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface GetTests {
@@ -27,11 +27,11 @@ interface GetTestDefinition {
 const nonExistantSpaceId = 'not-a-space';
 
 export function getTestSuiteFactory(esArchiver: any, supertest: SuperAgent<any>) {
-  const createExpectEmptyResult = () => (resp: any) => {
+  const createExpectEmptyResult = () => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql('');
   };
 
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+  const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -39,14 +39,14 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperAgent<any>)
     });
   };
 
-  const createExpectNotFoundResult = () => (resp: any) => {
+  const createExpectNotFoundResult = () => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       error: 'Not Found',
       statusCode: 404,
     });
   };
 
-  const createExpectRbacForbidden = (spaceId: string) => (resp: any) => {
+  const createExpectRbacForbidden = (spaceId: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -54,7 +54,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperAgent<any>)
     });
   };
 
-  const createExpectResults = (spaceId: string) => (resp: any) => {
+  const createExpectResults = (spaceId: string) => (resp: { [key: string]: any }) => {
     const allSpaces = [
       {
         id: 'default',
diff --git a/x-pack/test/spaces_api_integration/common/suites/get_all.ts b/x-pack/test/spaces_api_integration/common/suites/get_all.ts
index 3037c7461d7182..c2ef7d5d3be3e2 100644
--- a/x-pack/test/spaces_api_integration/common/suites/get_all.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/get_all.ts
@@ -10,7 +10,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 
 interface GetAllTest {
   statusCode: number;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface GetAllTests {
@@ -24,7 +24,7 @@ interface GetAllTestDefinition {
 }
 
 export function getAllTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+  const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -32,7 +32,7 @@ export function getAllTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const createExpectResults = (...spaceIds: string[]) => (resp: any) => {
+  const createExpectResults = (...spaceIds: string[]) => (resp: { [key: string]: any }) => {
     const expectedBody = [
       {
         id: 'default',
@@ -54,7 +54,7 @@ export function getAllTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     expect(resp.body).to.eql(expectedBody);
   };
 
-  const expectEmptyResult = (resp: any) => {
+  const expectEmptyResult = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql('');
   };
 
diff --git a/x-pack/test/spaces_api_integration/common/suites/select.ts b/x-pack/test/spaces_api_integration/common/suites/select.ts
index eb365fd9880357..507a4005adc102 100644
--- a/x-pack/test/spaces_api_integration/common/suites/select.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/select.ts
@@ -12,7 +12,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 
 interface SelectTest {
   statusCode: number;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface SelectTests {
@@ -29,11 +29,11 @@ interface SelectTestDefinition {
 const nonExistantSpaceId = 'not-a-space';
 
 export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const createExpectEmptyResult = () => (resp: any) => {
+  const createExpectEmptyResult = () => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql('');
   };
 
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+  const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -41,14 +41,14 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const createExpectNotFoundResult = () => (resp: any) => {
+  const createExpectNotFoundResult = () => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       error: 'Not Found',
       statusCode: 404,
     });
   };
 
-  const createExpectRbacForbidden = (spaceId: any) => (resp: any) => {
+  const createExpectRbacForbidden = (spaceId: any) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -56,7 +56,7 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const createExpectResults = (spaceId: string) => (resp: any) => {
+  const createExpectResults = (spaceId: string) => (resp: { [key: string]: any }) => {
     const allSpaces = [
       {
         id: 'default',
@@ -78,7 +78,7 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     expect(resp.body).to.eql(allSpaces.find(space => space.id === spaceId));
   };
 
-  const createExpectSpaceResponse = (spaceId: string) => (resp: any) => {
+  const createExpectSpaceResponse = (spaceId: string) => (resp: { [key: string]: any }) => {
     if (spaceId === DEFAULT_SPACE_ID) {
       expectDefaultSpaceResponse(resp);
     } else {
@@ -88,7 +88,7 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     }
   };
 
-  const expectDefaultSpaceResponse = (resp: any) => {
+  const expectDefaultSpaceResponse = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       location: `/app/kibana`,
     });
diff --git a/x-pack/test/spaces_api_integration/common/suites/update.ts b/x-pack/test/spaces_api_integration/common/suites/update.ts
index ca422f65ecaf31..a937aa497dcfa0 100644
--- a/x-pack/test/spaces_api_integration/common/suites/update.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/update.ts
@@ -10,7 +10,7 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types';
 
 interface UpdateTest {
   statusCode: number;
-  response: (resp: any) => void;
+  response: (resp: { [key: string]: any }) => void;
 }
 
 interface UpdateTests {
@@ -26,7 +26,7 @@ interface UpdateTestDefinition {
 }
 
 export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const expectRbacForbidden = (resp: any) => {
+  const expectRbacForbidden = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -34,7 +34,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const createExpectLegacyForbidden = (username: string) => (resp: any) => {
+  const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       statusCode: 403,
       error: 'Forbidden',
@@ -42,14 +42,14 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const expectNotFound = (resp: any) => {
+  const expectNotFound = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       error: 'Not Found',
       statusCode: 404,
     });
   };
 
-  const expectDefaultSpaceResult = (resp: any) => {
+  const expectDefaultSpaceResult = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       name: 'the new default',
       id: 'default',
@@ -59,7 +59,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     });
   };
 
-  const expectAlreadyExistsResult = (resp: any) => {
+  const expectAlreadyExistsResult = (resp: { [key: string]: any }) => {
     expect(resp.body).to.eql({
       name: 'space 1',
       id: 'space_1',
@@ -76,19 +76,21 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
       before(() => esArchiver.load('saved_objects/spaces'));
       after(() => esArchiver.unload('saved_objects/spaces'));
 
-      it(`should return ${tests.alreadyExists.statusCode}`, async () => {
-        return supertest
-          .put(`${getUrlPrefix(spaceId)}/api/spaces/space/space_1`)
-          .auth(auth.username, auth.password)
-          .send({
-            name: 'space 1',
-            id: 'space_1',
-            description: 'a description',
-            color: '#5c5959',
-            _reserved: true,
-          })
-          .expect(tests.alreadyExists.statusCode)
-          .then(tests.alreadyExists.response);
+      describe('space_1', () => {
+        it(`should return ${tests.alreadyExists.statusCode}`, async () => {
+          return supertest
+            .put(`${getUrlPrefix(spaceId)}/api/spaces/space/space_1`)
+            .auth(auth.username, auth.password)
+            .send({
+              name: 'space 1',
+              id: 'space_1',
+              description: 'a description',
+              color: '#5c5959',
+              _reserved: true,
+            })
+            .expect(tests.alreadyExists.statusCode)
+            .then(tests.alreadyExists.response);
+        });
       });
 
       describe(`default space`, () => {
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts
index bada6ab2519d22..79cb4046ef8fc3 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts
@@ -54,7 +54,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      createTest(`${scenario.users.noAccess.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`user with no access from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.noAccess.USERNAME,
@@ -76,7 +76,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.superuser.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`superuser from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.superuser.USERNAME,
@@ -98,7 +98,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.allGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`rbac user with all globally from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.allGlobally.USERNAME,
@@ -120,7 +120,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.dualAll.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`dual-privileges user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.dualAll.USERNAME,
@@ -142,7 +142,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.legacyAll.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`legacy user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.legacyAll.USERNAME,
@@ -164,7 +164,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.readGlobally.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`rbac user with read globally from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.readGlobally.USERNAME,
@@ -186,7 +186,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.dualRead.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`dual-privileges readonly user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.dualRead.USERNAME,
@@ -208,7 +208,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.legacyRead.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`legacy readonly user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.legacyRead.USERNAME,
@@ -230,7 +230,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
         },
       });
 
-      createTest(`${scenario.users.allAtSpace.USERNAME} within the ${scenario.spaceId} space`, {
+      createTest(`rbac user with all at space from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.allAtSpace.USERNAME,
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
index a8b83baec9d7ed..c6f3c339785be2 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
@@ -54,7 +54,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      deleteTest(`${scenario.users.noAccess.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`user with no access from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.noAccess.USERNAME,
@@ -76,7 +76,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.superuser.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`superuser from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.superuser.USERNAME,
@@ -98,7 +98,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.allGlobally.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`rbac user with all globally from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.allGlobally.USERNAME,
@@ -120,7 +120,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.dualAll.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`dual-privileges user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.dualAll.USERNAME,
@@ -142,7 +142,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.legacyAll.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`legacy user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.legacyAll.USERNAME,
@@ -164,7 +164,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.readGlobally.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`rbac user with read globally from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.readGlobally.USERNAME,
@@ -186,7 +186,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.dualRead.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`dual-privileges readonly user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.dualRead.USERNAME,
@@ -208,7 +208,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.legacyRead.USERNAME} from the ${scenario.spaceId} space`, {
+      deleteTest(`legacy readonly user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.legacyRead.USERNAME,
@@ -233,7 +233,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      deleteTest(`${scenario.users.allAtSpace} from the ${scenario.spaceId} space`, {
+      deleteTest(`rbac user with all at space from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.allAtSpace.USERNAME,
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts
index 7a7ab66cd3cc0b..3d1cc4d1e9b5fa 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts
@@ -60,7 +60,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      getTest(`${scenario.users.noAccess.USERNAME}`, {
+      getTest(`user with no access`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
@@ -75,7 +75,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.superuser.USERNAME}`, {
+      getTest(`superuser`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
@@ -90,7 +90,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.allGlobally.USERNAME}`, {
+      getTest(`rbac user with all globally`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
@@ -105,7 +105,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.dualAll.USERNAME}`, {
+      getTest(`dual-privileges user`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
@@ -120,7 +120,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.legacyAll.USERNAME}`, {
+      getTest(`legacy user`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
@@ -135,7 +135,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.readGlobally.USERNAME}`, {
+      getTest(`rbac user with read globally`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
@@ -150,7 +150,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.dualRead.USERNAME}`, {
+      getTest(`dual-privileges readonly user`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
@@ -165,7 +165,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.legacyRead.USERNAME}`, {
+      getTest(`legacy readonly`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
@@ -180,7 +180,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.readAtSpace.USERNAME} at ${scenario.spaceId}`, {
+      getTest(`rbac user with read at space from the ${scenario.spaceId} space`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
         auth: {
@@ -195,20 +195,25 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      getTest(`${scenario.users.allAtOtherSpace.USERNAME} at a different space`, {
-        currentSpaceId: scenario.otherSpaceId,
-        spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.allAtOtherSpace.USERNAME,
-          password: scenario.users.allAtOtherSpace.PASSWORD,
-        },
-        tests: {
-          default: {
-            statusCode: 403,
-            response: createExpectRbacForbidden(scenario.spaceId),
+      getTest(
+        `rbac user with all at other space from the ${scenario.otherSpaceId} getting the ${
+          scenario.spaceId
+        }`,
+        {
+          currentSpaceId: scenario.otherSpaceId,
+          spaceId: scenario.spaceId,
+          auth: {
+            username: scenario.users.allAtOtherSpace.USERNAME,
+            password: scenario.users.allAtOtherSpace.PASSWORD,
           },
-        },
-      });
+          tests: {
+            default: {
+              statusCode: 403,
+              response: createExpectRbacForbidden(scenario.spaceId),
+            },
+          },
+        }
+      );
     });
 
     describe('non-existant space', () => {
@@ -227,7 +232,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         },
       ].forEach(scenario => {
-        getTest(`${scenario.users.allGlobally.USERNAME}`, {
+        getTest(`rbac user with all globally`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
@@ -242,7 +247,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         });
 
-        getTest(`${scenario.users.dualAll.USERNAME}`, {
+        getTest(`dual-privileges user`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
@@ -257,7 +262,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         });
 
-        getTest(`${scenario.users.legacyAll.USERNAME}`, {
+        getTest(`legacy user`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
@@ -272,7 +277,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         });
 
-        getTest(`${scenario.users.readGlobally.USERNAME}`, {
+        getTest(`rbac user with read globally`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
@@ -287,7 +292,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         });
 
-        getTest(`${scenario.users.dualRead.USERNAME}`, {
+        getTest(`dual-privileges readonly user`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
@@ -302,7 +307,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         });
 
-        getTest(`${scenario.users.legacyRead.USERNAME}`, {
+        getTest(`legacy readonly user`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
@@ -317,7 +322,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
           },
         });
 
-        getTest(`${scenario.users.allAtDefaultSpace.USERNAME}`, {
+        getTest(`rbac user with all at default space`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
           auth: {
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts
index f5863b5ade0536..767074db1ed71f 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts
@@ -56,178 +56,148 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      getAllTest(
-        `${scenario.users.noAccess.USERNAME} can't access any spaces from ${scenario.spaceId}`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.noAccess.USERNAME,
-            password: scenario.users.noAccess.PASSWORD,
-          },
-          tests: {
-            exists: {
-              statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
-            },
+      getAllTest(`user with no access can't access any spaces from ${scenario.spaceId}`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.noAccess.USERNAME,
+          password: scenario.users.noAccess.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
-        }
-      );
+        },
+      });
 
-      getAllTest(
-        `${scenario.users.superuser.USERNAME} can access all spaces from ${scenario.spaceId}`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.superuser.USERNAME,
-            password: scenario.users.superuser.PASSWORD,
-          },
-          tests: {
-            exists: {
-              statusCode: 200,
-              response: createExpectResults('default', 'space_1', 'space_2'),
-            },
+      getAllTest(`superuser can access all spaces from ${scenario.spaceId}`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.superuser.USERNAME,
+          password: scenario.users.superuser.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 200,
+            response: createExpectResults('default', 'space_1', 'space_2'),
           },
-        }
-      );
+        },
+      });
 
-      getAllTest(
-        `${scenario.users.allGlobally.USERNAME} can access all spaces from ${scenario.spaceId}`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.allGlobally.USERNAME,
-            password: scenario.users.allGlobally.PASSWORD,
-          },
-          tests: {
-            exists: {
-              statusCode: 200,
-              response: createExpectResults('default', 'space_1', 'space_2'),
-            },
+      getAllTest(`rbac user with all globally can access all spaces from ${scenario.spaceId}`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.allGlobally.USERNAME,
+          password: scenario.users.allGlobally.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 200,
+            response: createExpectResults('default', 'space_1', 'space_2'),
           },
-        }
-      );
+        },
+      });
 
-      getAllTest(
-        `${scenario.users.dualAll.USERNAME} can access all spaces from ${scenario.spaceId}`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.dualAll.USERNAME,
-            password: scenario.users.dualAll.PASSWORD,
-          },
-          tests: {
-            exists: {
-              statusCode: 200,
-              response: createExpectResults('default', 'space_1', 'space_2'),
-            },
+      getAllTest(`dual-privileges user can access all spaces from ${scenario.spaceId}`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.dualAll.USERNAME,
+          password: scenario.users.dualAll.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 200,
+            response: createExpectResults('default', 'space_1', 'space_2'),
           },
-        }
-      );
+        },
+      });
 
-      getAllTest(
-        `${scenario.users.legacyAll.USERNAME} can access all spaces from ${scenario.spaceId}`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.legacyAll.USERNAME,
-            password: scenario.users.legacyAll.PASSWORD,
-          },
-          tests: {
-            exists: {
-              statusCode: 200,
-              response: createExpectResults('default', 'space_1', 'space_2'),
-            },
+      getAllTest(`legacy user can access all spaces from ${scenario.spaceId}`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.legacyAll.USERNAME,
+          password: scenario.users.legacyAll.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 200,
+            response: createExpectResults('default', 'space_1', 'space_2'),
           },
-        }
-      );
+        },
+      });
 
-      getAllTest(
-        `${scenario.users.readGlobally.USERNAME} can access all spaces from ${scenario.spaceId}`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.readGlobally.USERNAME,
-            password: scenario.users.readGlobally.PASSWORD,
-          },
-          tests: {
-            exists: {
-              statusCode: 200,
-              response: createExpectResults('default', 'space_1', 'space_2'),
-            },
+      getAllTest(`rbac user with read globally can access all spaces from ${scenario.spaceId}`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.readGlobally.USERNAME,
+          password: scenario.users.readGlobally.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 200,
+            response: createExpectResults('default', 'space_1', 'space_2'),
           },
-        }
-      );
+        },
+      });
 
-      getAllTest(
-        `${scenario.users.dualRead.USERNAME} can access all spaces from ${scenario.spaceId}`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.dualRead.USERNAME,
-            password: scenario.users.dualRead.PASSWORD,
-          },
-          tests: {
-            exists: {
-              statusCode: 200,
-              response: createExpectResults('default', 'space_1', 'space_2'),
-            },
+      getAllTest(`dual-privileges readonly user can access all spaces from ${scenario.spaceId}`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.dualRead.USERNAME,
+          password: scenario.users.dualRead.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 200,
+            response: createExpectResults('default', 'space_1', 'space_2'),
           },
-        }
-      );
+        },
+      });
 
-      getAllTest(
-        `${scenario.users.legacyRead.USERNAME} can access all spaces from ${scenario.spaceId}`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.legacyRead.USERNAME,
-            password: scenario.users.legacyRead.PASSWORD,
-          },
-          tests: {
-            exists: {
-              statusCode: 200,
-              response: createExpectResults('default', 'space_1', 'space_2'),
-            },
+      getAllTest(`legacy readonly user can access all spaces from ${scenario.spaceId}`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.legacyRead.USERNAME,
+          password: scenario.users.legacyRead.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 200,
+            response: createExpectResults('default', 'space_1', 'space_2'),
           },
-        }
-      );
+        },
+      });
 
-      getAllTest(
-        `${scenario.users.allAtSpace_1.USERNAME} can access space_1 from ${scenario.spaceId}`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.allAtSpace_1.USERNAME,
-            password: scenario.users.allAtSpace_1.PASSWORD,
-          },
-          tests: {
-            exists: {
-              statusCode: 200,
-              response: createExpectResults('space_1'),
-            },
+      getAllTest(`rbac user with all at space_1 can access space_1 from ${scenario.spaceId}`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.allAtSpace_1.USERNAME,
+          password: scenario.users.allAtSpace_1.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 200,
+            response: createExpectResults('space_1'),
           },
-        }
-      );
+        },
+      });
 
-      getAllTest(
-        `${scenario.users.readAtSpace_1.USERNAME} can access space_1 from ${scenario.spaceId}`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.readAtSpace_1.USERNAME,
-            password: scenario.users.readAtSpace_1.PASSWORD,
-          },
-          tests: {
-            exists: {
-              statusCode: 200,
-              response: createExpectResults('space_1'),
-            },
+      getAllTest(`rbac user with read at space_1 can access space_1 from ${scenario.spaceId}`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.readAtSpace_1.USERNAME,
+          password: scenario.users.readAtSpace_1.PASSWORD,
+        },
+        tests: {
+          exists: {
+            statusCode: 200,
+            response: createExpectResults('space_1'),
           },
-        }
-      );
+        },
+      });
 
       getAllTest(
-        `${scenario.users.allAtDefaultSpace.USERNAME} can access default from ${scenario.spaceId}`,
+        `rbac user with all at default space can access default from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
@@ -244,7 +214,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
       );
 
       getAllTest(
-        `${scenario.users.readAtDefaultSpace.USERNAME} can access default from ${scenario.spaceId}`,
+        `rbac user with read at default space can access default from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
           auth: {
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts
index d3cdfec9a93beb..c6d140e8fbf4a8 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts
@@ -23,11 +23,10 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
     createExpectLegacyForbidden,
   } = selectTestSuiteFactory(esArchiver, supertestWithoutAuth);
 
-  describe.only('select', () => {
+  describe('select', () => {
     // Tests with users that have privileges globally in Kibana
     [
       {
-        // Select the spaceId with the user in the currentSpaceId with the following users
         currentSpaceId: SPACES.DEFAULT.spaceId,
         selectSpaceId: SPACES.SPACE_1.spaceId,
         users: {
@@ -42,7 +41,6 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         },
       },
       {
-        // Select the spaceId when the user is the currentSpaceId with the following users
         currentSpaceId: SPACES.SPACE_1.spaceId,
         selectSpaceId: SPACES.DEFAULT.spaceId,
         users: {
@@ -57,84 +55,107 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      selectTest(`${scenario.users.noAccess.USERNAME} selects ${scenario.selectSpaceId}`, {
-        currentSpaceId: scenario.currentSpaceId,
-        selectSpaceId: scenario.selectSpaceId,
-        auth: {
-          username: scenario.users.noAccess.USERNAME,
-          password: scenario.users.noAccess.PASSWORD,
-        },
-        tests: {
-          default: {
-            statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+      selectTest(
+        `user with no access selects ${scenario.selectSpaceId} space from the ${
+          scenario.currentSpaceId
+        } space`,
+        {
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
+          auth: {
+            username: scenario.users.noAccess.USERNAME,
+            password: scenario.users.noAccess.PASSWORD,
           },
-        },
-      });
+          tests: {
+            default: {
+              statusCode: 403,
+              response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            },
+          },
+        }
+      );
 
-      selectTest(`${scenario.users.superuser.USERNAME} selects ${scenario.selectSpaceId}`, {
-        currentSpaceId: scenario.currentSpaceId,
-        selectSpaceId: scenario.selectSpaceId,
-        auth: {
-          username: scenario.users.superuser.USERNAME,
-          password: scenario.users.superuser.PASSWORD,
-        },
-        tests: {
-          default: {
-            statusCode: 200,
-            response: createExpectSpaceResponse(scenario.selectSpaceId),
+      selectTest(
+        `superuser selects ${scenario.selectSpaceId} space from the ${
+          scenario.currentSpaceId
+        } space`,
+        {
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
+          auth: {
+            username: scenario.users.superuser.USERNAME,
+            password: scenario.users.superuser.PASSWORD,
           },
-        },
-      });
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectSpaceResponse(scenario.selectSpaceId),
+            },
+          },
+        }
+      );
 
-      selectTest(`${scenario.users.allGlobally.USERNAME} selects ${scenario.selectSpaceId}`, {
-        currentSpaceId: scenario.currentSpaceId,
-        selectSpaceId: scenario.selectSpaceId,
-        auth: {
-          username: scenario.users.allGlobally.USERNAME,
-          password: scenario.users.allGlobally.PASSWORD,
-        },
-        tests: {
-          default: {
-            statusCode: 200,
-            response: createExpectSpaceResponse(scenario.selectSpaceId),
+      selectTest(
+        `rbac user with all globally selects ${scenario.selectSpaceId} space from the ${
+          scenario.currentSpaceId
+        } space`,
+        {
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
+          auth: {
+            username: scenario.users.allGlobally.USERNAME,
+            password: scenario.users.allGlobally.PASSWORD,
           },
-        },
-      });
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectSpaceResponse(scenario.selectSpaceId),
+            },
+          },
+        }
+      );
 
-      selectTest(`${scenario.users.dualAll.USERNAME} selects ${scenario.selectSpaceId}`, {
-        currentSpaceId: scenario.currentSpaceId,
-        selectSpaceId: scenario.selectSpaceId,
-        auth: {
-          username: scenario.users.dualAll.USERNAME,
-          password: scenario.users.dualAll.PASSWORD,
-        },
-        tests: {
-          default: {
-            statusCode: 200,
-            response: createExpectSpaceResponse(scenario.selectSpaceId),
+      selectTest(
+        `dual-privileges user selects ${scenario.selectSpaceId} space from the ${
+          scenario.currentSpaceId
+        }`,
+        {
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
+          auth: {
+            username: scenario.users.dualAll.USERNAME,
+            password: scenario.users.dualAll.PASSWORD,
           },
-        },
-      });
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectSpaceResponse(scenario.selectSpaceId),
+            },
+          },
+        }
+      );
 
-      selectTest(`${scenario.users.legacyAll.USERNAME} selects ${scenario.selectSpaceId}`, {
-        currentSpaceId: scenario.currentSpaceId,
-        selectSpaceId: scenario.selectSpaceId,
-        auth: {
-          username: scenario.users.legacyAll.USERNAME,
-          password: scenario.users.legacyAll.PASSWORD,
-        },
-        tests: {
-          default: {
-            statusCode: 200,
-            response: createExpectSpaceResponse(scenario.selectSpaceId),
+      selectTest(
+        `legacy user selects ${scenario.selectSpaceId} space from the ${scenario.currentSpaceId}`,
+        {
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
+          auth: {
+            username: scenario.users.legacyAll.USERNAME,
+            password: scenario.users.legacyAll.PASSWORD,
           },
-        },
-      });
+          tests: {
+            default: {
+              statusCode: 200,
+              response: createExpectSpaceResponse(scenario.selectSpaceId),
+            },
+          },
+        }
+      );
 
       selectTest(
-        `${scenario.users.readGlobally.USERNAME} selects ${scenario.selectSpaceId} from
-        ${scenario.currentSpaceId}`,
+        `user with read globally selects ${scenario.selectSpaceId} space from the
+        ${scenario.currentSpaceId} space`,
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
@@ -152,8 +173,8 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       selectTest(
-        `${scenario.users.dualRead.USERNAME} selects ${scenario.selectSpaceId} from
-        ${scenario.currentSpaceId}`,
+        `dual-privileges readonly user selects ${scenario.selectSpaceId} space from
+        the ${scenario.currentSpaceId}`,
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
@@ -171,8 +192,8 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       selectTest(
-        `${scenario.users.legacyRead.USERNAME} can select ${scenario.selectSpaceId}
-        from ${scenario.currentSpaceId}`,
+        `legacy readonly user selects ${scenario.selectSpaceId} space
+        from the ${scenario.currentSpaceId} space`,
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
@@ -211,8 +232,8 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
       },
     ].forEach(scenario => {
       selectTest(
-        `${scenario.users.allAtSpace.USERNAME} can select ${scenario.spaceId}
-        from ${scenario.spaceId}`,
+        `rbac user with all at space can select ${scenario.spaceId}
+        from the same space`,
         {
           currentSpaceId: scenario.spaceId,
           selectSpaceId: scenario.spaceId,
@@ -230,8 +251,8 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       selectTest(
-        `${scenario.users.readAtSpace.USERNAME} can select ${scenario.spaceId}
-        from ${scenario.spaceId}`,
+        `rbac user with read at space can select ${scenario.spaceId}
+        from the same space`,
         {
           currentSpaceId: scenario.spaceId,
           selectSpaceId: scenario.spaceId,
@@ -249,8 +270,8 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       selectTest(
-        `${scenario.users.allAtOtherSpace.USERNAME} cannot select ${scenario.spaceId}
-        from ${scenario.spaceId}`,
+        `rbac user with all at other space cannot select ${scenario.spaceId}
+        from the same space`,
         {
           currentSpaceId: scenario.spaceId,
           selectSpaceId: scenario.spaceId,
@@ -283,7 +304,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
       },
     ].forEach(scenario => {
       selectTest(
-        `${scenario.users.userWithAllAtSpace.USERNAME} can select ${scenario.selectSpaceId}
+        `rbac user with all at ${scenario.selectSpaceId} can select ${scenario.selectSpaceId}
         from ${scenario.currentSpaceId}`,
         {
           currentSpaceId: scenario.currentSpaceId,
@@ -302,7 +323,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       selectTest(
-        `${scenario.users.userWithAllAtBothSpaces.USERNAME} can select ${scenario.selectSpaceId}
+        `rbac user with all at both spaces can select ${scenario.selectSpaceId}
         from ${scenario.currentSpaceId}`,
         {
           currentSpaceId: scenario.currentSpaceId,
@@ -321,7 +342,9 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
       );
 
       selectTest(
-        `${scenario.users.userWithAllAtOtherSpace.USERNAME} cannot select ${scenario.selectSpaceId}
+        `rbac user with all at ${scenario.currentSpaceId} space cannot select ${
+          scenario.selectSpaceId
+        }
         from ${scenario.currentSpaceId}`,
         {
           currentSpaceId: scenario.currentSpaceId,
@@ -360,41 +383,35 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
           },
         },
       ].forEach(scenario => {
-        selectTest(
-          `${scenario.users.userWithAllGlobally.USERNAME} cannot access non-existant space`,
-          {
-            currentSpaceId: scenario.currentSpaceId,
-            selectSpaceId: scenario.selectSpaceId,
-            auth: {
-              username: scenario.users.userWithAllGlobally.USERNAME,
-              password: scenario.users.userWithAllGlobally.PASSWORD,
-            },
-            tests: {
-              default: {
-                statusCode: 404,
-                response: createExpectNotFoundResult(),
-              },
+        selectTest(`rbac user with all globally cannot access non-existent space`, {
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
+          auth: {
+            username: scenario.users.userWithAllGlobally.USERNAME,
+            password: scenario.users.userWithAllGlobally.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 404,
+              response: createExpectNotFoundResult(),
             },
-          }
-        );
+          },
+        });
 
-        selectTest(
-          `${scenario.users.userWithAllAtSpace.USERNAME} cannot access non-existant space`,
-          {
-            currentSpaceId: scenario.currentSpaceId,
-            selectSpaceId: scenario.selectSpaceId,
-            auth: {
-              username: scenario.users.userWithAllAtSpace.USERNAME,
-              password: scenario.users.userWithAllAtSpace.PASSWORD,
-            },
-            tests: {
-              default: {
-                statusCode: 403,
-                response: createExpectRbacForbidden(scenario.selectSpaceId),
-              },
+        selectTest(`rbac user with all at space cannot access non-existent space`, {
+          currentSpaceId: scenario.currentSpaceId,
+          selectSpaceId: scenario.selectSpaceId,
+          auth: {
+            username: scenario.users.userWithAllAtSpace.USERNAME,
+            password: scenario.users.userWithAllAtSpace.PASSWORD,
+          },
+          tests: {
+            default: {
+              statusCode: 403,
+              response: createExpectRbacForbidden(scenario.selectSpaceId),
             },
-          }
-        );
+          },
+        });
       });
     });
   });
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
index 7cbf08d03014d9..a5bfefc41fdb3b 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
@@ -56,215 +56,183 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
         },
       },
     ].forEach(scenario => {
-      updateTest(
-        `${scenario.users.noAccess.USERNAME} can't update space_1 from
-        the ${scenario.spaceId} space`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.noAccess.USERNAME,
-            password: scenario.users.noAccess.PASSWORD,
+      updateTest(`user with no access from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.noAccess.USERNAME,
+          password: scenario.users.noAccess.PASSWORD,
+        },
+        tests: {
+          alreadyExists: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
-          tests: {
-            alreadyExists: {
-              statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
-            },
-            defaultSpace: {
-              statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
-            },
-            newSpace: {
-              statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
-            },
+          defaultSpace: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+          },
+          newSpace: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
           },
-        }
-      );
+        },
+      });
 
-      updateTest(
-        `${scenario.users.superuser.USERNAME} can update space_1 from
-        the ${scenario.spaceId} space`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.superuser.USERNAME,
-            password: scenario.users.superuser.PASSWORD,
+      updateTest(`superuser from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.superuser.USERNAME,
+          password: scenario.users.superuser.PASSWORD,
+        },
+        tests: {
+          alreadyExists: {
+            statusCode: 200,
+            response: expectAlreadyExistsResult,
+          },
+          defaultSpace: {
+            statusCode: 200,
+            response: expectDefaultSpaceResult,
           },
-          tests: {
-            alreadyExists: {
-              statusCode: 200,
-              response: expectAlreadyExistsResult,
-            },
-            defaultSpace: {
-              statusCode: 200,
-              response: expectDefaultSpaceResult,
-            },
-            newSpace: {
-              statusCode: 404,
-              response: expectNotFound,
-            },
+          newSpace: {
+            statusCode: 404,
+            response: expectNotFound,
           },
-        }
-      );
+        },
+      });
 
-      updateTest(
-        `${scenario.users.allGlobally.USERNAME} can update space_1 from
-        the ${scenario.spaceId} space`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.allGlobally.USERNAME,
-            password: scenario.users.allGlobally.PASSWORD,
+      updateTest(`rbac user with all globally from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.allGlobally.USERNAME,
+          password: scenario.users.allGlobally.PASSWORD,
+        },
+        tests: {
+          alreadyExists: {
+            statusCode: 200,
+            response: expectAlreadyExistsResult,
           },
-          tests: {
-            alreadyExists: {
-              statusCode: 200,
-              response: expectAlreadyExistsResult,
-            },
-            defaultSpace: {
-              statusCode: 200,
-              response: expectDefaultSpaceResult,
-            },
-            newSpace: {
-              statusCode: 404,
-              response: expectNotFound,
-            },
+          defaultSpace: {
+            statusCode: 200,
+            response: expectDefaultSpaceResult,
+          },
+          newSpace: {
+            statusCode: 404,
+            response: expectNotFound,
           },
-        }
-      );
+        },
+      });
 
-      updateTest(
-        `${scenario.users.dualAll.USERNAME} can update space_1 from
-        the ${scenario.spaceId} space`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.dualAll.USERNAME,
-            password: scenario.users.dualAll.PASSWORD,
+      updateTest(`dual-privileges used from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.dualAll.USERNAME,
+          password: scenario.users.dualAll.PASSWORD,
+        },
+        tests: {
+          alreadyExists: {
+            statusCode: 200,
+            response: expectAlreadyExistsResult,
+          },
+          defaultSpace: {
+            statusCode: 200,
+            response: expectDefaultSpaceResult,
           },
-          tests: {
-            alreadyExists: {
-              statusCode: 200,
-              response: expectAlreadyExistsResult,
-            },
-            defaultSpace: {
-              statusCode: 200,
-              response: expectDefaultSpaceResult,
-            },
-            newSpace: {
-              statusCode: 404,
-              response: expectNotFound,
-            },
+          newSpace: {
+            statusCode: 404,
+            response: expectNotFound,
           },
-        }
-      );
+        },
+      });
 
-      updateTest(
-        `${scenario.users.legacyAll.USERNAME} can update space_1 from
-        the ${scenario.spaceId} space`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.legacyAll.USERNAME,
-            password: scenario.users.legacyAll.PASSWORD,
+      updateTest(`legacy user from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.legacyAll.USERNAME,
+          password: scenario.users.legacyAll.PASSWORD,
+        },
+        tests: {
+          alreadyExists: {
+            statusCode: 200,
+            response: expectAlreadyExistsResult,
+          },
+          defaultSpace: {
+            statusCode: 200,
+            response: expectDefaultSpaceResult,
           },
-          tests: {
-            alreadyExists: {
-              statusCode: 200,
-              response: expectAlreadyExistsResult,
-            },
-            defaultSpace: {
-              statusCode: 200,
-              response: expectDefaultSpaceResult,
-            },
-            newSpace: {
-              statusCode: 404,
-              response: expectNotFound,
-            },
+          newSpace: {
+            statusCode: 404,
+            response: expectNotFound,
           },
-        }
-      );
+        },
+      });
 
-      updateTest(
-        `${scenario.users.readGlobally.USERNAME} cannot update space_1
-        from the ${scenario.spaceId} space`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.readGlobally.USERNAME,
-            password: scenario.users.readGlobally.PASSWORD,
+      updateTest(`rbac user with read globally from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.readGlobally.USERNAME,
+          password: scenario.users.readGlobally.PASSWORD,
+        },
+        tests: {
+          alreadyExists: {
+            statusCode: 403,
+            response: expectRbacForbidden,
           },
-          tests: {
-            alreadyExists: {
-              statusCode: 403,
-              response: expectRbacForbidden,
-            },
-            defaultSpace: {
-              statusCode: 403,
-              response: expectRbacForbidden,
-            },
-            newSpace: {
-              statusCode: 403,
-              response: expectRbacForbidden,
-            },
+          defaultSpace: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+          newSpace: {
+            statusCode: 403,
+            response: expectRbacForbidden,
           },
-        }
-      );
+        },
+      });
 
-      updateTest(
-        `${scenario.users.dualRead.USERNAME} cannot update space_1
-        from the ${scenario.spaceId} space`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.dualRead.USERNAME,
-            password: scenario.users.dualRead.PASSWORD,
+      updateTest(`dual-privileges readonly user from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.dualRead.USERNAME,
+          password: scenario.users.dualRead.PASSWORD,
+        },
+        tests: {
+          alreadyExists: {
+            statusCode: 403,
+            response: expectRbacForbidden,
+          },
+          defaultSpace: {
+            statusCode: 403,
+            response: expectRbacForbidden,
           },
-          tests: {
-            alreadyExists: {
-              statusCode: 403,
-              response: expectRbacForbidden,
-            },
-            defaultSpace: {
-              statusCode: 403,
-              response: expectRbacForbidden,
-            },
-            newSpace: {
-              statusCode: 403,
-              response: expectRbacForbidden,
-            },
+          newSpace: {
+            statusCode: 403,
+            response: expectRbacForbidden,
           },
-        }
-      );
+        },
+      });
 
-      updateTest(
-        `${scenario.users.legacyRead.USERNAME} cannot update space_1
-        from the ${scenario.spaceId} space`,
-        {
-          spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.legacyRead.USERNAME,
-            password: scenario.users.legacyRead.PASSWORD,
+      updateTest(`legacy readonly user from the ${scenario.spaceId} space`, {
+        spaceId: scenario.spaceId,
+        auth: {
+          username: scenario.users.legacyRead.USERNAME,
+          password: scenario.users.legacyRead.PASSWORD,
+        },
+        tests: {
+          alreadyExists: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+          },
+          defaultSpace: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
           },
-          tests: {
-            alreadyExists: {
-              statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
-            },
-            defaultSpace: {
-              statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
-            },
-            newSpace: {
-              statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
-            },
+          newSpace: {
+            statusCode: 403,
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
           },
-        }
-      );
+        },
+      });
 
-      updateTest(`${scenario.users.allAtSpace.USERNAME} cannot update space_1`, {
+      updateTest(`rbac user with all at space from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.allAtSpace.USERNAME,
@@ -286,7 +254,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
         },
       });
 
-      updateTest(`${scenario.users.readAtSpace.USERNAME} cannot update space_1`, {
+      updateTest(`rbac user with read at space from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
         auth: {
           username: scenario.users.readAtSpace.USERNAME,

From 3832255ed16dd87b7222dce20d47f3d3001c885d Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Tue, 25 Sep 2018 11:51:39 -0400
Subject: [PATCH 179/183] [Spaces] - Documentation (#23205)

---
 docs/api.asciidoc                             |   3 +-
 docs/api/role-management/put.asciidoc         |  42 ++++++++++++++++--
 ...es.asciidoc => spaces-management.asciidoc} |   4 +-
 docs/api/spaces-management/post.asciidoc      |   2 +-
 docs/index.asciidoc                           |   2 +
 docs/security/authorization/index.asciidoc    |  11 +++--
 docs/spaces/getting-started.asciidoc          |   8 ++++
 docs/spaces/images/delete-space.png           | Bin 0 -> 147931 bytes
 docs/spaces/images/edit-space.png             | Bin 0 -> 150439 bytes
 docs/spaces/images/securing-spaces.png        | Bin 0 -> 206138 bytes
 docs/spaces/images/space-management.png       | Bin 0 -> 161175 bytes
 docs/spaces/images/space-selector.png         | Bin 0 -> 151302 bytes
 docs/spaces/index.asciidoc                    |  17 +++++++
 docs/spaces/managing-spaces.asciidoc          |  25 +++++++++++
 docs/spaces/moving-saved-objects.asciidoc     |  14 ++++++
 docs/spaces/securing-spaces.asciidoc          |   7 +++
 16 files changed, 124 insertions(+), 11 deletions(-)
 rename docs/api/{spaces.asciidoc => spaces-management.asciidoc} (100%)
 create mode 100644 docs/spaces/getting-started.asciidoc
 create mode 100644 docs/spaces/images/delete-space.png
 create mode 100644 docs/spaces/images/edit-space.png
 create mode 100644 docs/spaces/images/securing-spaces.png
 create mode 100644 docs/spaces/images/space-management.png
 create mode 100644 docs/spaces/images/space-selector.png
 create mode 100644 docs/spaces/index.asciidoc
 create mode 100644 docs/spaces/managing-spaces.asciidoc
 create mode 100644 docs/spaces/moving-saved-objects.asciidoc
 create mode 100644 docs/spaces/securing-spaces.asciidoc

diff --git a/docs/api.asciidoc b/docs/api.asciidoc
index afe7722a0cec5c..a650d016ce9518 100644
--- a/docs/api.asciidoc
+++ b/docs/api.asciidoc
@@ -26,7 +26,7 @@ entirely.
 
 [float]
 == APIs
-
+* <<spaces-api>>
 * <<role-management-api>>
 * <<saved-objects-api>>
 * <<dashboard-import-api>>
@@ -34,6 +34,7 @@ entirely.
 * <<url-shortening-api>>
 --
 
+include::api/spaces-management.asciidoc[]
 include::api/role-management.asciidoc[]
 include::api/saved-objects.asciidoc[]
 include::api/dashboard-import.asciidoc[]
diff --git a/docs/api/role-management/put.asciidoc b/docs/api/role-management/put.asciidoc
index a2b2ed73684311..864d315205dcba 100644
--- a/docs/api/role-management/put.asciidoc
+++ b/docs/api/role-management/put.asciidoc
@@ -30,7 +30,7 @@ that begin with `_` are reserved for system usage.
 `elasticsearch`:: (object) Optional {es} cluster and index privileges, valid keys are 
 `cluster`, `indices` and `run_as`. For more information, see {xpack-ref}/defining-roles.html[Defining Roles].
 
-`kibana`:: (list) A list of objects that specify the <<kibana-privileges>>.
+`kibana`:: (object) An object that specifies the <<kibana-privileges>>. Valid keys are `global` and `space`. Privileges defined in the `global` key will apply to all spaces within Kibana, and will take precedent over any privileges defined in the `space` key. For example, specifying `global: ["all"]` will grant full access to all spaces within Kibana, even if the role indicates that a specific space should only have `read` privileges. 
 
 ===== Example
 
@@ -52,9 +52,9 @@ PUT /api/security/role/my_kibana_role
       "query" : "{\"match\": {\"title\": \"foo\"}}"
     } ],
   },
-  "kibana": [ {
-      "privileges": [ "all" ]
-  } ],
+  "kibana": {
+    "global": ["all"]
+  }
 }
 --------------------------------------------------
 // KIBANA
@@ -62,3 +62,37 @@ PUT /api/security/role/my_kibana_role
 ==== Response
 
 A successful call returns a response code of `204` and no response body.
+
+
+==== Granting access to specific spaces
+To grant access to individual spaces within {kib}, specify the space identifier within the `kibana` object.
+
+Note: granting access 
+
+[source,js]
+--------------------------------------------------
+PUT /api/security/role/my_kibana_role
+{
+  "metadata" : {
+    "version" : 1
+  },
+  "elasticsearch": {
+    "cluster" : [ "all" ],
+    "indices" : [ {
+      "names" : [ "index1", "index2" ],
+      "privileges" : [ "all" ],
+      "field_security" : {
+        "grant" : [ "title", "body" ]
+      },
+      "query" : "{\"match\": {\"title\": \"foo\"}}"
+    } ],
+  },
+  "kibana": {
+    "global": [],
+    "space": {
+      "marketing": ["all"],
+      "engineering": ["read"] 
+    }
+  }
+}
+--------------------------------------------------
\ No newline at end of file
diff --git a/docs/api/spaces.asciidoc b/docs/api/spaces-management.asciidoc
similarity index 100%
rename from docs/api/spaces.asciidoc
rename to docs/api/spaces-management.asciidoc
index ea66d50d396b99..f5f9a9d81c2fc0 100644
--- a/docs/api/spaces.asciidoc
+++ b/docs/api/spaces-management.asciidoc
@@ -6,12 +6,12 @@ experimental[This API is *experimental* and may be changed or removed completely
 
 The spaces API allows people to manage their spaces within {kib}.
 
-* <<spaces-api-put>>
 * <<spaces-api-post>>
+* <<spaces-api-put>>
 * <<spaces-api-get>>
 * <<spaces-api-delete>>
 
-include::spaces-management/put.asciidoc[]
 include::spaces-management/post.asciidoc[]
+include::spaces-management/put.asciidoc[]
 include::spaces-management/get.asciidoc[]
 include::spaces-management/delete.asciidoc[]
diff --git a/docs/api/spaces-management/post.asciidoc b/docs/api/spaces-management/post.asciidoc
index 569835c78b2f80..38ff647051335f 100644
--- a/docs/api/spaces-management/post.asciidoc
+++ b/docs/api/spaces-management/post.asciidoc
@@ -12,7 +12,7 @@ To create a space, issue a POST request to the
 
 [source,js]
 --------------------------------------------------
-PUT /api/spaces/space
+POST /api/spaces/space
 --------------------------------------------------
 
 ==== Request Body
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index 47c3f16dc500bb..e26c26a8aa9f4c 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -52,6 +52,8 @@ include::monitoring/index.asciidoc[]
 
 include::management.asciidoc[]
 
+include::spaces/index.asciidoc[]
+
 include::security/index.asciidoc[]
 
 include::management/watcher-ui/index.asciidoc[]
diff --git a/docs/security/authorization/index.asciidoc b/docs/security/authorization/index.asciidoc
index ddc5bca0cb0424..3320843bc7a814 100644
--- a/docs/security/authorization/index.asciidoc
+++ b/docs/security/authorization/index.asciidoc
@@ -2,10 +2,13 @@
 [[xpack-security-authorization]]
 === Authorization
 
-Authorizing users to use {kib} in most configurations is as simple as assigning the user
+Authorizing users to use {kib} in simple configurations is as easy as assigning the user
 either the `kibana_user` or `kibana_dashboard_only_user` reserved role. If you're running 
-a single tenant of {kib} against your {es} cluster, this is sufficient and no other 
-action is required.
+a single tenant of {kib} against your {es} cluster, and you're not controlling access to individual spaces, then this is sufficient and no other action is required.
+
+==== Spaces
+
+If you want to control individual spaces in {kib}, do **not** use the `kibana_user` or `kibana_dashboard_only_user` roles. Users with these roles are able to access all spaces in Kibana. Instead, create your own roles that grant access to specific spaces.
 
 ==== Multi-tenant {kib}
 
@@ -15,6 +18,8 @@ either the *Management / Security / Roles* page in {kib} or the <<role-managemen
 to assign a specific <<kibana-privileges, Kibana privilege>> at that tenant. After creating the
 custom role, you should assign this role to the user(s) that you wish to have access.
 
+While multi-tenant installations are supported, the recommended approach to securing access to segments of {kib} is to grant users access to specific spaces.
+
 ==== Legacy roles
 
 Prior to {kib} 6.4, {kib} users required index privileges to the `kibana.index`
diff --git a/docs/spaces/getting-started.asciidoc b/docs/spaces/getting-started.asciidoc
new file mode 100644
index 00000000000000..e6a96553873b7b
--- /dev/null
+++ b/docs/spaces/getting-started.asciidoc
@@ -0,0 +1,8 @@
+[role="xpack"]
+[[spaces-getting-started]]
+=== Getting Started
+
+Spaces are automatically enabled in {kib}. If you don't wish to use this feature, you can disable it
+by setting `xpack.spaces.enabled` to `false` in your `kibana.yml` configuration file.
+
+{kib} automatically creates a default space for you. If you are upgrading from another version of {kib}, then the default space will contain all of your existing saved objects. Although you can't delete the default space, you can customize it to your liking.
\ No newline at end of file
diff --git a/docs/spaces/images/delete-space.png b/docs/spaces/images/delete-space.png
new file mode 100644
index 0000000000000000000000000000000000000000..8237df1136a9e8ec9a3bcda5aebc85253365bc6c
GIT binary patch
literal 147931
zcmcF~WmH_vwk__`xO<QUmq6nlf)m^w0>RzgodkD>5Ug>R?#7*v;O-6$!R_Uq``#G$
zeE0l)W2|2_#@<zH*IIL}Id@fznu;7Y1~~>C92~a%M;UcEI3!g#ID{!Ql)ob>kh5zz
zI4mYxX=yciX=z$DS0`&*dn-7&k1=T(sG1t`Bt!dYZ{ECVk~jeP5|n<-AlFBNuMAB{
zM#5LX3Mn*~BO%hod`Db;@FTjoN?pc&VT|6i4wL@fXvg<B>@=rua2;nllLGtWIqU6i
z`;)Id0$Jm5h2#@>agA#4;TmLpzGY5J?DdygG97YDgb=GCf04+6P7tBW$jQO!MlSbe
zc(uaO+tn?PnLjta_7Zzgi)UcM;bRM?WsFTk`Xj-uB(SFMz)KuNcs7#xm=DW*$G1@^
zlo;OQQPBZK#cL2z(%r_ynMta^OT>(Be*6iq_Vv(w&u!L>GEIFrkv?AysU5w6Q>SlJ
z@&(IB)APoC_{UswjYe-=%1dizB?Gr$?jJnu9ePd$Nr<5f@#neMd!ZMvk;!j3Q)Vcv
zTD0hKUw7I3oU&%2R!R~6pHj)mko6ERvFTLLIJYYhY;~WKUr`-7Fnf6W;NZ$Gfs&ia
z*t9tcyxWM83mFVwlOkShTtjF%KH<?2$(Ijd4ai~2=zYbLc2Pj~zv0rkbPKbH3iugL
zXFq&FQH%`{@mx_GkGqG2e;j_7OtWJ>7>Sz@@QKz`HgTLW;j3-rIwj&_JG9+&&-Pm~
zX@vM56QF@1>IBaxw2f;(*Zy4w!+as4U|4}Lx4ABE5)EPXbQsa4EKFLcp2x-5bUgW0
z#YOv1viMy86h_*jGF|J=-VjdG=~!5t@>fh89^iH{(bZP=R@VVAf<G6X9u5-;o+%lU
zjZq$kMQeXpbB+uZr3*%ULrZlL@|<ktEmPbjhg48s2=@dZgX=0ch&<|dPfN4Z8?Q^G
z>X*!PK9P|$jHF8UdE2**^DIHGuR^?fvJLf2P$aQZNQ9L;lT-$aArjzFj*iJF-fxA#
zF;0uAjgA(@PGikDOG`fY!j7}~wkY8u(>Y~YvJDfzkKlm$NiK4|7+ubOTM{*%oF~=j
z=yq{4U9FjwI{H!KSxtDd?>bmi48<Bh_z}EfSaiK?@aVNv2K_OTXqj5Ae8X(;dQf3r
zwI#&!A$|E)h^Rwdj>jzF&l8a1xO2rDg#9{0U=T|+$YEMhuc%9)jhne3Uk%?GOO*i|
zUh<|lp@23H3}0J9fDkj9p)W(!LsR186J*&Y^sg_pN#eY!H&8QWlBsWKv&cT<aBT)x
zS@wAIW`whgGw5f<4c#X7&0SW*x9;IC_c;!q*x|&OQBYBn0vaRgkTyU>aH(@n{8d`c
zufI??wmfS!ztw>@8&KiZHiBZArjb85pEpF32_gz?U_VK6k)jq$P<}+v*z_X~w*T&n
zl8HzhO0R~X9olTluz=wiENUtaL^_fr0Af#uu@(}oAl+{2AEIzd(s-ky0FdbD_`(wp
z=m(>b&7*(})X|*y@iMgBAMwA1mNL-G#Ewf6(=mP|YrtDf)THaBm-{+9%vg%u9_LOk
zI!v)c5L=|FN$_5VeP-r6DtT~ZiOT^YAJv2;=JddUtGlRv%$fA@^y~rAAEu>{9+^k(
z;I|f7<4BD|B3#785sVhLnMgTNL>9ZcjM`!EA)EnJ$9=x_NkF`cZKW0J+IcP!>isRj
zJCQEJ_2_f(@kQgEM;F04v=`q72{Duk9M{LB^rn=+8W4-N8*UV?4-ve}Ib!N!z>mQy
zCYqso(N2jb>tF0w-?H9<-+F6KQ6IOUO8?be-t!HOI$@0TC<D<~{^XmlD&LmmS4(jf
zMimAXCKc!uMil7Fq{>{&x)qpHm(udzVkiF|Cbr~sCCrk`mo=7LlXrY$!r+yH%5p@=
z8jH)A_)Svpqn>JIQErJyVV9P+How-5W_}@?rg34H@qOW??5@ggk|y>K_B7c%r8M;n
z4KEGVPv`3EKW+FFv&Gr7(&Y?Ps*3Z9M2iE|imHI$L0aDLuC(519%(LV8CQPOV%J2}
ztoT9vJ-v!rySsd;>VtNprbVU8uf0mG?^IfyHFI?;I$r8Y>QmaBTI*GT^3Uxk@=$dK
z-LQ&!U5ltevIGvH4+15P2Zj&y4=N9WzO783W))IuvWoPI+f5o}8&wsh?c%jV=agzN
zYPR*Mu;R@|OnDnfSxKWvTS*I=u$vK^?w7`z?3$LF*N+d5?~X4#Vm)vUR({==j{U-(
zoA_l^W>EL2hCAQ*JEu@U+9_^Lu-iC5Ilw8PHn9GM?%5CJdq|CBJlH;r3PlI|0XqRp
z8hap;0&9x&hMYV8DS;<`jx>+!h`XHPksLE&p0t235d6y=g{v|1IO}s(022z68IyX-
zDHA&rV!3uXtURI|Rf#71)40g^&+)m;_c_;D6gf!(1s28*fm5OOn`U$%-On!It?sfk
ztKwb!G2gL$Z6R&@Duk*pRj6}(cH+mB#|p<3{4x}{IZ8Pb{537#YpQDcS|B&sRA2V3
znVXjF=lNr~M%_|vG<Ux*-)KI<J^DX>c~n7-ln$3JlJ169&Fqz=$kmYtnEla_(-~qL
z%1gY><I5csBocZr)a}yZu_vShTz4*N4{sayvUT<m9dyJB8c*l;GCZu^Hp*z@?+kQt
z^Ga#^-FDrU(^=8x<l1{$bclEQ>Bwa!WrOTMaJ_Nlsw5*vCx4!<PQ3fHo45PcSDeP~
zeY&{k{sIS$22J9WX912$xl`;p|2mF1fq0@x*}6p#Z&3a#$LnW!et0tYM+9SJAru7!
zJH++IE?qahicnDDbm3NEx@p43-9`d9NlHojr}Pi$2Pq@z&r$gp4B-(`H5i=}{FZKu
zS|>d&XWM&;!W1glN!aV8FF**t6#fj5no8X9=?I2P&rUD<_4*TSELF46ky(?LyUL$>
z^nUaif_F?J2`;f&1a5Tc)WYnZPA8pheQiW8x7#(_Wv~hKALuCrKk(O>Q5e%1J(Va$
zUC#Ph<$dKLrID8Eu2Pq^J1_F!lsT27{1c&eo6DNF+8Wj>?R;8JU*>*o&uUh<lvAnD
zmA)xIQNACK+0t}<&{(X@QGaY>I}<un%olgUu8TT{a&C(&Udgj6`sJUc^ayp!Z7{Qt
z{K3$JBtYiL%*YIQ*FJx+I-8^%R~Q#cu1U@N7NA*5H%ge7=g1eZ_lLheukGW?*X^`M
z{t8umj>WXN9hDJ>;o0!0lPYz)L)D*?{_9V%Pq@7J)|B~`Vj6r`M{LV_W7eXqXm9VV
z_{DOBJAD#IawFV?_EE-H#c;DSgz9{H7M}*LI!VGg78;WqxZF0KA`&C4B7)cz41cvP
zIKx5*jKm{eG>uBt-@NVU?)Mv+E4x$Q{F!dWF~-mKs6WoyW4NWOZhYCEYT$eSxuRhH
zRisVC!DkGkmB>IFUnf?3O@Fubi)xmyo}}LV5v=NXj%%K<?%wXSsX1eGDAmbGPLJ7W
zzFy2c0E%*j%_`u(#<JkuNDtcTV+vCq<L_P{UtZ}M2vVHThSo3|h&vECb~cK-`x%v4
zS>5AoB|cH9dNG}JUBnG>YIXkcOgnjKFlg$uP#w>2)H>7B^25HV{r;h<?6>G6)4AO$
zO;c~tV2|}9{9wqpu#Lh$8*wHYf!!V~Pij|YNznIlY>D<i%I1mZ={y>b9*&T&sj%g-
z9pr|n931~RR*UXA+k2(RYYe#5Y_qDUsj!K0dpB%YzP^Q3uFW1+bY@q)Ul-?vjVCk`
zOt$1=ihIHQhwphw5IAzX4&3Swzs;AGWQcOio49nUd;Pxta_Usu`@5yB`InJf@7(m!
z;?e?t%c)GK$>ZU%<owjS>3W+h@1^x}&7FalqiWBpOO)6C{c3e*-TCf1MO*I%{H7#K
zx;bh$35#0m#qsJf1gAA|J5MrChh|8uXMNz*_x{c8$o|=Ys;%l+0hxG}@7YsVC39)T
z^*|}fD(3(vs&Cwj+N;GZ>#>g9%b(Y)FYEn1XY=3Y!<-b>k9t<0=QDe=A4?u-y2k<q
zE_&|5&Z0zVM8%BnQtu8I`{Jicr;d9U{B57eU#`KXHyeeS44cDA2&C0E`s8p<o`@2P
z2*GO@Q@AOFUc5e%gtzj7A+P<hk2zg!@M?$@i`=;$7{Os6{fDtSLJ3dGq$||#abq8;
z-nH9uOvdVJdPC{_Nh$s9(BLZZf;qo|!66f2VJ4nZ^<MD6w30T0(byB5j)_knP6wmF
zNxLTRJDusW)O@|+;3VMWWh6Dd;ZM3h`z;TrH+N^bX{PVue16Ebds%&2*xwf3cVE^n
z&vXl%e+PK;5m|%ZO8(}DV>Y2w(b0#ZVEqL@orBls$E%f8nGI&zi}}TR#_jroLZ%;~
zXwkv{ZhdwHcLG06f}XE?S>!~YmLg_gvJyx#|Jyd$36i}p)29+gnGon{|Ce1HA-&1(
zdU&e_{~w-}Kw9I0k70JYKlyI|AD*Q}s8f;H8mTHkAo}0){vG-MJT>jZ5#!%wZxEr4
zTWjP@?Ga<hu~FizvV#4^8W-Jf4j%l3ZNPI#!=6HU25-pgA9v0_^JXd8^IWA56`RF{
zm));blrsLqEl&Br4k`ZBT60R5=v-}HJ{xX0OwA+YrP$3iC|PXjTw8F>YN8_fNpXB#
zp=yd{W<iZ%AkxrXIODjYXJ_i^>TmOv`B#b{Qf;U8{89H;;T6i)NV?n;q6Tf1p=bI7
zgMaRjac*#b3W;1bVwWreuWlX|lXc_E@QrI_Gx*hCsQyFH)?5WKF|JcRj#H6R^M@g}
ztcDVM^UkgD!MRXpqNy{{x4B%6o~@tL&K7Vm$i^7W`3t6M#7XrKh*=f>;Tin}1Nuji
z`>#zN)dJGN+E|skq==Vf)wF{x1$x*oegI9T1zNH)J)~C4>}4Ci7MwY3CXGh5;fBi6
zU3HgzUmj}g8i8y*1fLeux7?v)s`S*2=1jKr5n6-pLd}i^%gXjBbhLO$2Jpuvn5{)4
z-u4M+aQ9Peu>m#{l3-fI<4j971c8#u_rd|k@#T{UC7H^4LT5&h7udG5o$XCzB-8-K
zYHWM<6t_A-2qHgnnU%Wxjk`|a&I_gJ`x><_jYsT;cbWYXRU8EtY5;|bG)r&0Py!v0
zk-&wuXuOHkR&vD#r-HZuw_1qI0O7a+xTaw{eZJ_8ag0Z~Z)Y3rI|#mj+e$A`2Yh<s
zlequTm<;1<7n+j(?uMX5u(u4p$n`*#rikAxk9eqP7t7Oa$Amq3J#HW}V&A`UQBhbd
zjc^HM-v0VqSeh$SkBz*UXLPe*4E<>N1g9p+zuf`DV~Wn?)$qaUSL;90bV{<1#zI7o
zB7S{^HW9IX{!T;>SVI`%L>J6Y6?LH&Eys01Ejg}h84BimRgp6NC`D(weEV}HyC(lP
z_i*{~Frhirrx|+_In1#XFFdL0!+g&#A$}QaZZ!I9&#B2{svHg;G8`07%p!!Jm`xeU
zZu0GpH!Cl0Sc6kl?9q6<V-mEP5URZ&i>(~tgpQbL(AqP7&s8!(vxsAHo$TAhAmelL
zo4z34P8pw<9)~4mzk^YwqVORb=?l~B%}kSIxn^-s9~@e~Ck<OYuam6hKamWny>Y5j
zyYk>t1c7YU)U4uJ00bTxRUZ~li=~_nFuK8gnLTx9%l;@0eCTkb2m{E%O6r}L7so+U
zm%lr{f2OIGjuV<+`cVF2Yv<9SeX0!TM3EvSHQspoMa$97SFnWbZODgO8@Mt;lEnmo
ziiLP#BH$pW;2?ePJzoL@f@bW^Nfzo*j^C&%Wf@Q*jJwA@IL%20#r-=zcHttJP=TFS
zbjHhIdqhq>&v+xa)f6V9x28YV!OIp;n)o49_-J(H@+)7O#n{kj_4}dx)I~L$x1You
zYRZ}8y-~xPWdxm2$4tuz9^F^_P5mq*EPtU>c8QJNSD&(1>+%3F!~|?2cv=a^8PpG(
zo^{?Ogmle+OZi&9D%G~(ojWw3yAmiqsz+Wd`Iew@QyG&O8@;VEJfT<`b5}^1O+USy
zHrbTJk=DNtpRr(^J*hXzo0gFT*V5Vyjp2Pb=KVHTl1TlOz2&RdYNR($D239fUgDq6
zW{+3jP0`ViP%^TEl0Q@VSSyfaFkc5l)z^N1ofC-pF!qj(*U%ORr0lc+BCOWKX?0%C
zN<amLO6F#{`q+|P{u(JwQ$pSPWmSV5N2v=d6;&)44yBQ0<Pq=p8DSnq%Kg-nGubx^
z8ZElh;@EQt@|m>e?{)0Mx3c#G;U7XVzDGVK)%Om?>(N4|R~!ujaw05lI6-k6K-BG`
z=XD2)(2-%BEjnG)iBlU+JK0>n^80vjMC;Gu)td*oe}}$}0KB^&-diYdya^^HDQi>$
zEw=z}!2FHbH0MhO@GJdLF+~&sGelHZ0E;%iG|xbVg*>bc&^-4u5R4dF)X^wG3Ox$v
zy>1($b5?e~$i;3;d$Vzbhn<k_kb&|hKvx~4+?mO0k#736wJ~?&_nwJGep&{NYXk>d
zvUGKlYa+3*vhxWyn+8h{7wpb9by?B<5giO+z`A9?!2GC-YlQNFZ4C!ex81pGJ>s{_
zyaSilnSxsfBfC1`qqS+?HscN|9#a>n#mqKK+v=vp_hdb=4s(P#mbQCjh+ofuI<fx*
z8aQ+L-3?J{NUIyWp2fNXz^<+`o@YR~i=NJjtMjANarwh{X&!v!`gS*iEy0p1!aOhk
z7z;SNBCeK^3hi16wRp9nm}^rlf*2V<!9c5d$VKQ;qRSb?*`T=31NqZuIK0SOJ@+bg
ze0V&-|FAnB^gD(cX1ig@u=Cohok(HB5g45Xo8|>m7NSg|ZK{lE1=0eDTgwHHL#P!*
zOQvd0T51uQXOH5-wy>9{6Dz#q4Rq%KruZzV0|*M`Nt<v#!dFGgdr`0d*fAE|+;hdu
z!0&i|v)LeJ_YK|L)|q8$o9jhhNGw?R<FcL)mKhZfCbVWaNi`H2Zi>g<w?UQDNf<et
zavg!UhjffLxPC#<YVf?vX%yg>P5~eRgbhrkaDNEpc<-+0WAkobi(~mETMw0kFUFl%
z+g>&8i>Nq;luy6h2=rSi?mSt?;Y#!4O?|2d1<LUlvWSz)t3*V3w4T)b4|ww;E`B8h
zR=o5<^$@7vJ}b!7#d}Xupj0JTIkwi2P+kh}5v1b``+NlOIB3uargb+Q@7U&Sn9leI
zUaQKOvch)WA1Qi;ybDjkLy6<qgW3^F4LvcU?QB?U9C`qz5Wz~^(_)fppB6q>|L%@~
zzqFwap^$@j;Q%h=>jy3Lw{i-5OAS1m0a35$O77IdxZJ`ey==`6r|p}o*LPi#QL8D{
z0h-e*MqQ~$<sT<&k!kY`kff%fo*_S7>2)Pc4tx&oz^8LT4E&00UubUKj^hx698zdX
z68zbfBb^gMua(G(hvr)YSp;;^%ha`%uxc7XxpedB<~6`L;18;g7HH}hg)Sim%OKrD
zdf;jAMtUlefop!^(PT&DvTG0utV|Ze$W4314b>d5khD8tTism)0h%zjeI#<@wY&9=
z?&NU>yT6aPj4cj~`Jb@bHzm{8Y8vF`@uOKNx&kgEs#$U(hqWBz4*?(=a>RgX_w8Nz
zz^*+{OcWbKp_8{Vo;Xk%vzmr<{CA2{OGw}I(<#tx3UJ1_J#a?a#^7yBvL%I|PBWQ?
zRy-JfCK(q1beqI-WSU1?IAYT-1aM^@!KLG^XY(9p#yx(LG%6oXauG(6ZX;^<btqt6
zHL*5rU^_wVya6;06gzv#i-}UGI?s!3QC<u3&J^1>iP&N>50XVZ$-qitNts2&5VzLo
zXzRd4%;>G;9NU6!4QPR0Kw-ev;GK~I%DzzeMxDUegKD1QZ_0E=Su{fj%DPEY$l09+
z2+XGBJ}<SgNDcf-#;&6d)CtTFZ2!al@16988=kjYIy0dnc^>uJ9u5~RdJpzXdtViQ
zonmlyIHywIBBBP)5J1HJi;u3~T}|ThU2h{urBX-GPZ?1gdxa#-I+{&U)RMhdYxQYc
zhA!3;->maPZoCkW>39mTn&i76S9_K|$OTghZabSR5v_t^?^g%SsG#B-4Nt?&_K-l5
z#sRLLV^S$NBYl;PZ(B4&V-t@V*9O05Oa|GzQ)S_nE$-@_QK<CiK($RPEYRm2fE4P@
zV2~KRQ^9YSJJwLsX6{aid(UeKC|Oo73Gd^Lu@tSo3Tp0TI#s9NF^wUY7wp52OtNSW
z6(z!igS94H5^8Z5g?;|ZJ$oQw5K|Lns0SvyJWq5Gewgfxcv>XMF|r5&_tcN@$05Mb
z;dicjgYhqaXt=!OLUN{Q&_)d;`ZhM3EChfi@At_gytzQ$f}$+?OyRUG&Zxy>8N#@L
z9CKiAyF?d7um1z_|A4o@P<JPY7XGr{D_-|O1NT=96Ku#&whKGSg7#*o9QWk8OO{ZP
zC0jFxG?OK!j~D&P!}Ekqpk>h^v@)=Q)P@)CT}op|A1x4`6=86q(7CVDTbd5Z*a&NF
z2m~Spjv=F%Ux$8m1x<pVvF6Yi#`_?<Ju9G50!i(e7TbCWMGO@q$_NjnRd<xLOn?>_
zyCV(sRwEjBZ4<DLR4Ybu-IGU|O58Z2#wAHc3~zKem}2SkX@iW73s|Lkakni?r2|&_
z#H`!Ol^AWpJeNw$CVetR7*V**U8p#YlulgKZ2J8+F|1=+Dn6gj9bO-$!lRx2B}9s^
z-(KpgE~I@HNk{ZLN1IXlR~j+3QneEXeMDX5T#m9`Jk(P=e7ZgwnIMVIdTh(zg(iPr
zETG6)8-IbsHI3EIpNthn$rdbKJ`7Bx?G4N^r6^>aT%Z!)v8J>Dm=5L_32&n9CkB|K
zjgx9v@xEXr)xG&gcn6|CQ5@FwzC4)xDtxhKQ)S8h!;Mze{3f?+z5F^*fqGX77_z0V
z_K_Rogy)kkx}&5EZRC_I;w`kmf>DXi0?J^;I|XQwXMPs#^8Y5nWbJimevuC$gpTZv
z^8<Kjfod_Z0fe*7G_w+b?j$KCg`Ne7rumv(bY@8S^2h`wCc(*mq?yngfjn$^bInDq
z&HWp<dHzR0A%4uM^#b}HWYO{Gok$vsv5eZV*2c<pjZePY9n!3IViWo1eqg9G(#&1p
z2wg)Vok-i*vr?1HKY9^nT9DWe?=lP*=V5{NCZJiN?(4)eE0J6jQ3#D995=th$agKF
z0O6=Iq}33c&7Tp!rO9iV$&|w$H|`6mD4Pfv|E&c7jZtqGggTCVHI^*M-fQj5pb~?7
zO0xUq)@LJBZwn-;79ANwg7G)AauUC|Yf(GW2=S)g<f(D}98w`R^4@dSQ%{1C(y^2L
zd)O}!h3Jr|uB7&ZfMoRP(AtO;)A)3Ut39!ov6Bf>l=W}xwJNEX_ao?i&5SuJn^!6G
zZc)D#%YL?CP<2A%)6)LE&IO~{1H3(8rE6#UBpTlwSsm?DU%}$Gqf>=RW&Xs+(rDU(
zExw(Nzqv_!=|b;Fl;Xi#s8#W1`q+~ykba5W+(AvJE-IX7hJO!}f5{8t??ZG5R9Vvb
z@U}xVGSAe3u*ta<<S`MJz14!%m+3Ersy(jnZ1r3_Ok8;}U1nbmSAb?wy@IkwsN=qn
zUy^|}Yl^AMR&_!DS&smOZ2X}Yuh#vW<q~|k?}x`|_zxT#<4R72dW}-$ef}wv{HuI*
zVTI5*`bce-Ch5t1iFVr>BKFDp5nxb@*mie!^*qj(Hq<Kl%lMys`L8n<1b7PyB1IeE
zjY?k4C%<Zr<cOS46-)MugpmIE6`Mf5&vRD|>S3N+Y4IMr4HZXShEb<2l}QytcMW(q
zi`Erz(Yr9`CWjjjIgDtD>ZEV~+=KsGZQl)23%)9l(dHdqR5TpS(u@-#DH2vW$z_BS
zG^=3o9@J|BhqG9*a8sisPsw(iT?hb3`p0YsI&^h>pvMy^V{6S(`m91qU)1~rniSV2
z4Y9G90m+gj6H5SPuPlW;C<SimID^QpnC&oh<#Xe>%0K5_dM{)=J)eTI6h%}61xXM1
zV^z@_+sBiK!fBMy6OavJM2!<4bpAa@{w44P8X*|OFjMCG(S+*jamdh7bGcND4bcV)
z-J<MK9z2GIESuIV*DTh9ZQPwe=T288J#XQt&ePaZ;<uCO?A(1n*pZeuLV1udI0S@y
zYdXlhR%k+k%xAto2R1pq9Umu%3x$VMveuyJqpDPQ(#LK5gM^&WEj8(S_(mrFI{^<p
zfH#xHUrl5)URtY-`#$Cbcsz9|xyVjV+skj>pXx@Y$Yjppgh5vV>p$yjT0G=PlG}Wf
zqtKQWiC_O6rkg7|tcPR9D4S1x*-<I5;`EyN&(iYWjkI@WpZ3-Ww6iu{h!tH|+BDOV
z8|@t-vJDY8IJGBmCE2$#incy;jYMkPjtPUH-F*}%R!|2kmLxBbrdO|4upF2ubc|D5
zx^baae2pqT7Cy1H$x^LWoE{l5xvtX+h#4H~IFlBMVOXCaObpM>bZyXauX>j-cbVCw
z4od=`(}$;+VubMyRPmyT?sR3J`8eJyjmGLZ>F;ic;r)t|!Z;?4IJmkmNBGLx77_Rl
z-uvJ2Z;#(5UcA1tMe$N@AP<Q_$J=L;iX+gMlTf~kT=DG090)6MHOo5ms5uPB!C)lB
zZ^0vALBpm?oW2YzKnssHXF6T6Wl?aB-Qfi3n-%ka3bR6wz&w*1!_`j+S4;F4f-iy+
z2#(&fS<@T|89NU3i4*#hT4rn!3{c1N4Hz!PFk2c;?pO1YayWznQ}B*ASAGx=z43|V
z62ZAGVpJ0P>P--;UHIeS?SDWIr^LRvXy!n6TPu9Y>ID0Dw$jm9HI7r*M<$BWMc$HT
zVK9SCq3)3Pbh;weW?S<XS2>RXJ?#eizt!l-h=)8I&h?U~cOz>>n|g|DBz34`S(JMG
z`+E%lsV~QDXKa!OFVHE=Xzw=^G1_cFCTl{iEN4@`)9(+qH}hvp4o0C1O!04}_i7y1
zvrQ*<Xp(y0LZ*w$a&N13zimvHzX#~N`?rSp|24-VANw$SU>iTqO@<}Kkda~$hMbk}
zgGs4JynkVD^@`u_?@HL=>Kk*tpb^yY)Y>Ja!Cl6m9HjSmd~)ApMp8_)ZjB4BC&<7&
z9;2;Mc?-eEAb0HS<7UxqGpz^7m@OHe6LY+5*54H@NBT&@9b%&-vJ1FyD}%6d+QXI8
z@9&EfT2bhyGBvpUV(#Dm=LITn46vyJZ7P6$J17^Vi=RzHq~J?_+CUR3ZlPV?2MTVw
z@ATp8C33%q@VLy;=sTTANnC^jkj5eakZGnK-K}?14<%>us*sLZ`hiE&Jt{UuQ!;|q
zMM9yKSk#wIn2nW`B-+myHz@1~OxabLb}ztgZ(g72cIDFe1j53sqOd-WV}GjoM_2LR
zYV-wH2+7}ik!z1L`4-@OLo!Hdwvzaz>U7}M+YA#embd~lgWP<BuNQk#?TRbKN&l!n
zNg~3Q3L+yIHplVArFLu))5(+Mpy9l{Q3@RorT<&AG+2BTC^7cxPhFbx{sZPdeL<q8
znFvBf=VUp8O2MJtHf0Xe>As6d6&~l3E{d2V=S*Y4S8`Sg8a1ZQ2+{XB$xsksT6Mt4
zT->+p-3k9oAF6@zuMi<sCf?<tYH>oXmR4b(j{YXDBEMA5Uw_Pupt#54SxVfZZV-&P
zEN}1ejFK03!Dj9MfT(MjA$f7k@r;luix>n*s`lFj+6ajX)UqxD?m^Op-qc`--j_)y
zJLhHj<wMC4qJ&vg-r!T4@oh2frPGXA2(*=d)0j}j22Xw5Ivqils1e6V`?yM}UO7es
zz-cWSsOzZj@X~B@u~YBP(@v=38}{`%%r@n(X#BOC2vZRjZl(DT`QZN|V0NDh;-D*+
zN>xh5H@AH~`#!LU(H9&AWDCP@8RVn9V#8=)L%Y+&#;1)<vR@v($?Gu#sK-=M*Ju`*
zTwmdh!oFwsTdeVLR76YX4WhHF)azC9t1LL14}KxL^-<Z%ug)j{D&j^Eyn0VYFc%WG
zL+>eGL)R1UCyzxNJ988}yJ}56OY=UzSVmSSz52LH*Z5PzJLf44@_ztX-IzEDDGzyi
zxHz`{9&CJ=J#^nX5{T4V*`6O*`O=!<8DYCnaJDNdwLLTa0BU+9oAt+06l+3lL7$(0
zjZb?@6uN&-eto9W>mD&;KCgD@yy|OZol*)@f%fDE)jI|e*}P=wbyZDJ{5JS?ivhlC
zH6v={+}K^`_dCHD^aeT;4|I;I-v3{iRW<#b&a46iWA9Y*g#_2%n@;u~nl}_oEjl1-
zJoHRcMQgK*XqT-u{DJi}y1q3ZH69c@+=PE^*XBGkv;3qN%M=yOE#*a9jz{z3lTIv|
z<Z+^<$XPkw4Si8~E~r7s(Z<0bW2W&HW*G6bI-I7DKGxST?GU3u{y6d*z6;Sew)d#w
zH6P0t0CZ$a69<L4dPZI6Edz*^SJfami|ObuWwZA789MVeUX(v;ISN1WIkx+QFF}rw
zaJBVhk)hfsPpf6U=2fTR2cr|7R+TDS52g1iu-|zqhHPIy{%W}YcADlYzVk;6l?e5E
z)p&lZMS1@0cOCrg0A4@cB>mtdEq<b|P)?(IW%z<-)k~;@-Gaq(`Nt@A(O+EY5qWy2
z50Im<<mY3PUZ<VLm4nW}t`8J%*0oEl6RiE{O2Iu`ge_d=-b9Li+T&%tRVw1pNvO)K
zqp8^l)7DZ<mFBQ{OgK>-WB-mqSIL)RVmH1&%`IZBN2h7O{WKo0OoH^yPsx44v~pBW
z_byi=XEOtU!u1Edjwl+@GI^f!JU(qt<-|-4PN3M%w?9`<0E`{oc==iRll7>dDz)u|
zNKOV4;BO<Mtz40pSxI_ffse!7=hw{|RV#+NpDA0!U+)m7-0c#szA828{wr@yb&y(o
zATLMtz<vz<RFNh`BacuiDQ5~Xq>67YtosdU^vmeAONUN4H%r}O)(?lBQ7dRKVk~>7
zSIWD3LnGxWH~S+Yeq1|jLfp}Wu;2kXL|$}d!8V!NfVN3XyuP%<V3;zO7B2z27AfC+
zE8!-agcaIH4wUivvlWi0s2B7_v^l0g1%{pxnxQC_;Z2t<$GyBXD+RK!qZjAs5CX%D
zr@X+g=lAwsppxtKhZV@ZPGGR-jYR}9))&~cKz<~9oHu_HS8-Xt^K^Zc%5uj*fUw|_
z-yR|r3L2;|YXIZ6zf6pp@?2k9SWvLxKy}5rV}e|!GB&~-eQfuV^o=a#KKzn0jYh=O
z>1hnJeVswGcr;vdCxz~JKG-x(Bi0J0#sQ}_AjTJ9a`Zdaqa#3ARJ2~x|MzG6wAM}=
zS{#O6O_odgd5FJI6K30+bX-+-Dwg$D!@8-(3V3S)Q)0zZHq<fM#2i!`%&<V3bp~m!
zx_!%A4ac#bG?C&FEH*{DjgoYYKXTok&?V4|2vDrK`{{AxSM92v8-D#Pv;o<wUzgtY
zFhXnJKs=@-aDK^qFKaSt?hI%1-HB+Dy^iC#@eP63l^toz;kxf>hmqmhhJz;7E%JGm
zWBB7aT>5~h|IM81%3e~|s-clSy++H{pvR0%&}@Bp0Gg7w1S98HrA0zcXyA$4Aiu{9
z|9_E%iz|YK7;i{lMU{ZkZ4tM`iN;@Iii(^{S&qL)u|`b2<mIEWFkXd#nPJFu$i{sM
zv=&PVDg5byyuNZ1=rFGAH6GlETSmV2^A~IrF5RQpN)erygHX>VYs)+r$#Z9U?P5!L
znr^Gto%XEB1reuwXmp3uBp|1;*!C91J5n{2u3&ebCRLY7{1ehrm?;#<7D)ZlVX~Ry
zvGy!YH~DDS2bCnK<U>kGvC12S_86HM>0#1Kz|))Y-^U9?IltO8`=v|R7f$>-Z>bUY
zMfc2+^PTAZJSQU_f=9bHm#-&OfAmfen7ifR?#y+a&4^9yw|v~T?x??8YgX^RrjnEd
z2>PPc+kKz^p4+CYR`Ya^|4VNGu!p&;-pNNOqT2lq+=Zs0>U7U;CwIW?2fBFo+!yB{
zMg`s~wW`;g6AQe9gZUwwp|n<zh0`-8!JU0ckFx1BF<fPST#Ym`HZ&;FmSY3)o%K59
z5wkT4QBlZhyNq?=M^*bf+wZm-Kgr%_*Q8HCKB29GvLWa6{V7^w0nBN4bOS4qqbu1H
z<;v3B!orUZ&-q9BZZnsyBTQ-qi=@TcRdzF)+@MtP3IIr$zlRwo$^o|+b|ssgaB^Mo
zuU4T?08dwxJ81SS{v6gOi{4o3+~AN4hjSuGpcI7GO0x4f?l-NE-6kG^wFf41eCh(W
znX)Atw4LwR;Dr)R<}v+pGe@maZ_A(B0lUt+mM_zE6oLqapTJPct*E%lP+j;0N0O}}
zg}aNS>)rC$sNt?g{>?x_rGq)?uisI}k`UG&8rTSR+7kbs1>}$=EeG3d^$5HcMPRZU
z+stgoXsq=;BZN^8e%%}w!ZKH^WeY;x{hVw#mw{W?lv$)(wu47{BdqOkW9n(pAhyN<
zdjh&(I%UR|HS9K2S_yAaQ_2XKLDu_yikV~uvhbBWeW+o%9bXUVXFx)RZx)QPYVjhZ
z7BK*Gcc6igMTgzVz0Ghc$`ie5{0ziJl_1OAXK1tJ*&zH%fqiSB!TvIgXG!w5VQZ<0
zIloV#Y#o|2%)j;x+o&De5p~fJkLg;_YXy%@`yI;|>HJw&SgXCo6nQmVieL7QfPMfa
zqrHv}iKZxfT4W`Up>F0LsSN*-mffb1x!!PTS8J>F5Al;`Gc*1s>2ZvKR&Q)1b*5VA
zHg0+%q@NO;=jI%enLsPUzXW(^-Nr<3Oopk4)$v3=S(6ks_Mrs+%GN%N;b#DS%19Xd
zQNv0iqn|Z|yP^#R3VT!jWPHvf4fFyt+M_nj*|aY6?=)jDZIUh_EMXxlgaJGP4C+6M
zI6V3d?B2r^_*x%UYp$8ighfQ0)3Gdd>$G6$-e5pF=dP<y0^MyMSQNCk6iK2JzTesJ
zTk=Z#C`WLl?bKI8kKbBS;<4F(8g`?$AS_{o(nh^x<L8&IS{E)bUw17uS1n-J=b+7!
z$KKXLY`NxGxGH5SydvjkjFU=Is|G0drn>0b!(i;MpIoDGS1Y}mWUqm4sPwmJe(03&
z>vD6Xqtlf$(o11x_|{Ys7Vs+oMIbDlVuO|#_;aNgNMgT^tQ&Fn%s($8025J#<43+t
zDRhSTL!5W@weg1R=ic!TQf&J(IW~Xsn2CyFOB*S|DSNNshrwxt^>g_y{*#Tq>)=+K
zr^}=UMd&^uVvT;yUagT=SxL}Ts0rEAQ&n-4T~nkRuh|NUCNN{aInV19QpLMM;QVrs
zIGDB05*A5&_8CSjT2S#mp<vbxy~c@#@Ti?BEd<jH<qSu(9|!UtA?J+~YFirL40R4j
z$ZDQc|4-|^M369<=V|R+3;n}4_=i$!iU2?z@BIGRrqHr8vJ{0Abhj409`oGO@X~N5
z)~>b+%CT~}#4x|_sedrW9i3P7e6>UchSXx(75iA?C?cMBOzxRcB`bnGj&Y9nJV9;N
zpHo6sCE~|PX2hZ#C`lZRsxkFtYvEpM1M1o?Mdps*w?%I(4G3a{iJO3?*|G9)9zvh<
za-#%Ce-A#t)c}IrZKC(7G1mQX_3f~yIp@E$mD|Q(ppdosGx=~z-`{Ntw#ia8wmHF8
zkWxB>ijpvy8$g<DeW4CWn=!<kHnTwZY9F>NPltlJkH(?b2D@`ouxcxOvnp-7d<v|@
zG$rfRZa%zdvY~+T6uSOa^87~Ub9$quSFGC8%byXh&tepi2TDV>xC4^;?DxxZ1h*Es
z%=0QP&zHGZ{xy?7i!;HTCjxSQWzE#gBD#vexgP~rbK{>0{-pSS=(}PhzCTTCROZ3<
zW$)~)l49aEMAT}Ng?LZ}n8VMTw`vVt(bZ1LW1ixk0#3W(BzZFAgCz$ZoR<Yf{^S!4
zcdA$FwV=s6#XmAF)6~8K-kqMEQrtpEz9-%24Dp^0=NWVqU$#e_auSA&aW9!5m3@)6
zFS*;RrK1%8z^e2IPp<=^ll*|@zf{t@YqUGBdZ!=lnDL_(d2-*xZGtSX!{YAYB#+}q
zy_6WnDW1`ABlgkkhx>ErGVWt~52?3lpe9qhO$snOnPa@5UNNM!SHsl}lyQpEWyD3F
zo>xMSr#AYR8?XhpnmuayYJ36&RSO3tOcLc0`j;0Z2%N|OsJ)^?W-{bP&-Vl3Q1h-E
zeC-C&wEaRT-X;xoId^&uU5yP_#vOZq-}Gh1F{NO1;#vYrKf#6Z>l2rnr4b?u<4kjM
zc6fSU;?-)!MGfBfznjm{w)15FI;k&2B%tqWXk-{HNUhIhYQQM=#+L&>hEQpdn{>ZL
zKxZF-fqS|G(9qj9i-$4RIyqGW7huNV)5)ku1Ci9h#%S?+7;XFLYmA9K)UJwKx3{~V
zxU2J^9BhHZb<rzp#MEdZ3~`CFsWR@ez=FW~_~ah<wE9t-Hi!Kd%%M53&G=)OS+>P9
zV`y3nDghcPnO7bb?JxiPpUvATyaERso>)zb;AP<sV|Q90lUb-zeRS~-7UD0*3glx}
zG*lLucX=&@>9+v8ZDR8YZ+}a<oe2L2K*^+;7*!;CK&%wY4ONN%`{=jrA~NX-*;fk&
z%p!eEfbkB@lv`qyFO*!O=|JbU593(?6xSG;712^JIu#>{?;_84!r`B=V!3pGv_zeO
zdC3e!Jyl=;18B}2+M3WMPp+A>vky*?rwCsispm;9mg*F3lW)4^)qv+Im^3VkZ4@Je
zK6fZCj(>6l3wkp|kTeq}p*+Ky;(tO6a78@)a7Dgff(q-mOFCI+LZn80M(rn`%K-CM
zrLmGw-arq(3TKE2$#!Ua;egR_?`nZ)z_{bWP}3I5k7b~9QiKWi+A#RKFa{js%)PnL
z<>_l9?D@alE%7}5883q&FJayg;JaWOW`xKlbw%Do!S;OhI$fc|gr3<9Q7Q!K)^6Ms
zT@u#6`|9u-?vlX7)puZ~wm?D1-MBco@iv(~Nl#kXagG+>v=1+819FGwfmC|36?g%I
zqCc3_@$L9{xNXD2LD&#LFqbpLv-kPMg-pX@r_E#uP;yCFJw6=}CR$!xQAUrluf)C+
zl+Ys{>IOZ|3HyVwa!xvbjA#h-IVLYu6^uegtNHP>%W>M6bfq=&>RW{0(ir0n;{mU8
zL%I$eN^xs+f`;7<U2P#1G&|}qL3)ZyNL0DNH)R}cF=PJ?y&gVeNh?nljk^A{JUQie
zkR#rAI)9$?*%R|q4a(;G#GU~+IcOmT2Y?WNa#98F^Mu`3jTOx01Gxo~Pi(5@EkexZ
z8{{w<B-Ln3n&E~<2cGL0@#ZCh<tWpkp05yn)G(zR4S(v5d-*Lut&{8{wTkMg<xEAV
z-P0Ax@dOuzN&Ugm$`^G2xgO=SQ6lf3(}Vn#h-4td<z|}ZvkSWxUPTG=eC3~FwpyOM
zC~grB&N@2E86xB%xf~mbU$PY^M?=1Hv`SZN3tneMmA?i1i39$4`E#oYT~3l9UmoWO
zU#OOxZa+i>uY_#;iZXp&cA`ml2#Q{?a9EM90vhw>J3lcW5M(zS%)f{SiWoU6-j*n~
zwPJm+d2JKW*s*w|X)F9C!g1~}?-?gF2wuNdcCIjcB#-wlF#5yUX7U?kRJIh_EQj%I
zk0JF8xV2d8bm?{X_~41l*tALtR2e+bpp6#U4dnlP;kdJSghj{knLY71?{xDCbLkis
zb4tYHd`(ttw=KGKjCuE0#OyLeMC^h4lfUk5V)-bIO>(;=R*TnF;9Oj=OvEbOCbnb~
zWM3uU#IW``($q8Vjs*&<zs(I1QvQ02ytM8-2~?Ji+xAv&>h=6=FE3KCGhG*Pfi>Ij
zHuU}>+&g=UtzOn-saZdc(|}8{^j|+9o{EvE{ajz(;fT?C&*3CFJv0MZa8E~a5G_0|
zpi$%JKG7Qq`}O_)H2RMVu6s~X-JXe$C*%8eLt8I|@9$0q%#n`=p1b|$YaH@NQ|?8z
zwfBZRM8y3c2Vz|ptpnL`Gg#Tt+W14F2)pjLHwJ^G`Hx!hLS7-=BWzM4o7<K&TN+eO
zZ+RpB62wgkr*EZ1@G{>zh1NXlzT?pKtZdTtJNWr;U~|Ae#7aJW0sY*ND8OZ7>^i0C
zqbdpsu|RP&Yrk6|&@i{vMWf`9>D21Mea6UF?YaK4J#mbcj-UH`RFUg`SArotQ#cMD
zX(CcQ=*8YB)h)I)Qm|`vtMB<ds7F_*_cQb38Y1`Y)V71=?%4XAI~a8;9nq@RZf2`A
z3VvYZ?bf4rm|!eoL9ah}xmkFubZRAxYm78|d&1JmQ4WA)gS^Xp05D!22);u)zI3j$
zFejVhF8s1d7l1oQLFs)1yYa_}3tOjEbDkdP7x?VXfQ9nGlQsVtw;xd#t%<WXclh`5
z<*Cc0=!zR0xzeWY&q=YDJ?fW$G0aJI7#ZR({<ZRbbw*tXVc#C{Zq%-hEm2_`DlFP1
zP*HcP-aU+%`8kFvKhPO>US!gH0g8Cr?kAlkU(g{bjrsS|RaoRta10fgW{n6Pu?+(S
zqbc84K_n|4MocgtNQtoiK`Zn(#NY#(q|J%{a_7N^6<_`Ov>Q6}O%d-2YF;I}U~6P2
zp5s%>&>+A4*=yAh#CRJQB(Ok)0GLK)I=`J4b&AwfbH+1w7m>}7>AMp$ME*^_<anA!
zG~1d)hSW#2GgP{rf<c2NOx-_Jg*8_Gjh?xWVkmJlnv;RA&rnxq0Xd)hJ@>1w8ZFNp
zac6t|FlVM3x28h`6lx!=SeBpmOc+RPPCwjDhrESP5)&@9Sl0?`=Ej#kEfT!j0+@)u
z+@PZPfd~yRzL;Hj`zRi_hENgq5j<Y9KRaV6QXBR%a&44Tvbb~&tmj)vV29-)Aca~?
zxrPiG=H^)QpKlrcnI2Nwb9qFZSLSH}(zcXD1altP&+X^DcqTyC-4X>3vF+&hJ|IXr
zyVFs6z;1dYZ}eBfoc%VMEil4J_V)qVKLA}Kk`eDM<ts=p^2{Vod#`DVoqF1WqZ3{j
z3k2Of&KO!S*ykER2!h7?&VBUo+MyZqttwrQ&RzSLZrG$!-k9lF#wJbp@`9kQyQyA>
z)ZxX&C`6}6S&y!kZqru74|ZCOv$!;y9LGi>jj+DvG#ukmrH%A4c=2T$T;dO?6}{{O
z-ukiu5Bt2;Ts)q^$6uJy_nQ{KY#Sqmz)AWt99+G<^s-5SlHrhG5T6tLUKVaE?g!ss
zh5ne&&(rk^M8|x0Qw2l>eH<>TtCb2q!o`#DbTKloY2@1U&F3t)Y(d+^-N%`7p=QLO
zI8e09g*jWw>Z)?Vgv?&mC4wNne)A(M6S_Jf-=)T)&54(b3%;*{mk`qJ<=XZX0o0jJ
zpy#BS-W5rp{AT_&Jon*3zYU|SUrgWct|>@1LsVg_h3@n(+CTj+qW%&}%<Hk$VPd<n
zuyfi_@qDSaGZ&M-_x*u()9i&#Q^I&Zdp(~6mb+-AfJJc=l8c>Dmx05Nx@is+Y;kS-
zyef;muYys@^|+V~X)K@K5uc2$zt)qny%jI+uEj_GXo!0}f%{BlOuiK{SUwz>XcrSQ
z#k?_g+==?NEXmXNX_L^t`;oQgi+I2Tg6Mm@M{g9`bDZ#ukMELt{<tq@G^my=G};JN
z(I5WngxHf5QcoprDKb>2;>{q1lnG-Hhw2*PrFY}b5Q5Ly3um|JxgL0`WytOEqCoB^
zK^67l_Ho?EWxYR*!OOK_&>H)lX>x>LEN3pL+@&i)UIN>N>37_Z*|K1#!%;s*C%{2E
z!z3bgHE`?`=ydj*dF-Os3WYa~5Q;f+mj{+bIc3L`cc;Z1Q-8t7@CwrSHOLmy8Kw7_
zC)|8&VKbx{&CW!HO<L^(ie>2|8e(AJ%O7-ZFBBlocoQPiAa~d1RRn=G{$LIaOR4hk
z131dE-0J=rdCk1m1<}?iXIF|X(uZelcoyTc6J4&e1JW5PV;51u1~%>b&O=Nt837$j
zZuQ&*ULRjCp-Nk>m1Qn{&+~Phj1HoHz%<`VyOf!*So|!N1Ib%-fw0C#Tt}{%!LaN7
zsRCN0yiS2cOr<y|S1^qQ%RMtm80z1eaDqwsho|g<KMO$>cMBJ_lf%r2B8;Nr3goC3
zO$mKtC=3K%Xs~_tJTq$2CjW%o7iffK+D7x)Q<s{EUJpIY&-+p|YtMbZ&)BR9T!F8=
zHR6`onhYik8IU4F9NUEox4eb!h=!nE!A}l6%vFgVW+Q}oEic~=e5ekKz+LZ|mB|hB
zE$2XHY)Zm!`TJowD(vEelzIam)(xl9{Oy!5aZ!f<2sY;R6H65>p9#Md={>!zwzF}U
z@?tf%DBx~>yNWi4Pa6)4%zlP8=p_?O;-cC$sa@!!+#n$8%dxdWi~0IBI^ewbWB-c$
z-O+)Nb~*NN0_vpevUX8|h&J@d_d6}_-C%AilUyi#;z)mwdE#-}b9m4yZAqSyfCx&>
zxy|1@aWR!OuzLiT^kNMpm^sd7`a!c^7rWd#X>4gO?NRHt8Xvq1%Xu}(hVhWu_|~V1
z$OO1~i4@*|fO6t4T^NT*@Q8RPx3SdM3<@6&q^iwmo9y`Rb%8vLl}>ig^H`kbyv1`#
zp;kEMHb!$F<-m<d^7iiwtO>PKywhFMS>rInwCgn)Q<@(1-pmQce0U!Y+Tc(P8u0Q@
zGOPRrC4>rMLGsifcG%pL<)Cb|4ib&rQ|M~)nMsc`1UiU!k->}4!TE-*#6Tz0Au66E
z1_3Wjk(utz!|mG+ex?ivx&T%?2|`!kGyg=H48H8TG0vn~Si%aH%fe9OO;ND0E9dM_
zpcrzbl>vIwEAiwp7Q&|sF~wGij@n3C6s|&64cyyd80GxHmcBbC4EI>o#kNKjri0S6
zZ3FG%+?jPj3w^Jv9oV31vyP3n`_dh=B~3AJL1@0PCIvJj?xG>?i{V5Z&b9UF+MRUd
z)?o{@za0>E!@pHt7y9Z~Z)9Z}5TRo`Hv4h@C)bo};j=99S*3l@+9#5Lx1%F&#~I-P
z&VTF#GEZZxYX0kl%El_b_ru|R$d^w*Gm*rKpYvOVBF&uhFl#AZFdxbrtisVKQAWHw
zJfwwR+S=qVc(C%J*TWt<>Mi(i>p?<=Ieco4E$>2u37;K@I65je<sLTFpp~fdHBtr$
z(t=;~77tD|+2a;MW7jXPxwomf^VE@T6JhAcG|<&Oa_b5I>CHlc#7nAt>JHSsT~dT&
zn_|^ge0@)4;`vJ?M_aQtEPuPL<p7+1rrDkVa4=71IhRS~HtE_6XH?u-_8t}|E^~jY
zuA85)H|yZ2&Gv*pvJ+g+H6Qf}UL(8{$un6E_1dwIB7tp}#|zrkmvNBvs}qW0SI5C(
za5~AOH;dPzkBjBO_BzzFHv0e?TI=&-u(*t}wp4s-dC-BJ;?WbKY$h=*5bBnTNnW8W
z=j^d$iDnj$yR&9W!ojw{71BELvTV_-jTh~&nw{q+JzwCee^v45k{!EUcorlcbTeU=
zxyd<r{9+!jWkGDwDJSfF>eN2?DoJg>@79GbW<r3$f&%N|v7q{Dvj_om*5DRoY@pP)
zI*GRF80Q7G2#rq&E{vIh@RyOUyW$ZIEC4uTWU+pHc}`&0(6cxDTtnjhY&^RWzp;<y
zb-GwGky6~GAsZzLZpvMb?~hbB!@zW?&K2|)H`wk}e;%n`6F65Ds1@C9w_NO6Gv+S5
zb_VU^p86ocZ<F8yNjR*u?B^Ys%<fU_cnt+4!3z#|d9UL(urO(L_r1O}V#!Ht=y^QI
zf3%O!CMtt87=>W_rEr*(?=b)+vvBn%`4`@@>8XglJXsUshymOcD%uNVWOFB)!Ji)?
z4VcRafw^1d!m4J9(kD-A{hczdSAiE2<+<01<`{_76>-KiA9Z5Is@b+ccULeG&~YPi
zeO+<p;KIjvs(wB<Zb#ZBDTxi*oQd%N!`@p)#j$Mt!vO}@!CeM-OK@j!0we^2y9IZ5
z9o!|jOK^ukaCb@2;1FDc>!0M@d+t5wp6C1f;a!W>GfY=^@2b6PTh;!xl||H@#GYS6
z?;Vjg&pp^K-OiN{ds#0>WFL)Ia`F|z>_W|a&cj<kf##1G_Dx(X_n!(w@x)!t211>6
ze7TKZ>#32BY-`<kCP67)=voaGGsm?Dx~})3`#xqQF9WI&Ps5JDoq?A)Tg`|F&Yj;n
zSFn?WJmp&m?lh`4DfTVSEdm6;<DspphTV>Te<jp9n_QcfN7s|00Rdo*T()@EMmef{
z&YJmf_Bi06P|eqD>y##vLe>HMGV{u$KQ~2#fwFDl;+58p5WfqlhN6kx_@j5}*d6s(
z%wMS`S49Aqq_-ko#*i}`WKUevp<`9hQMm5XZJ0+H1>RK_bkcxeOYR@y&W-S(F?hn$
z&z<55idyS5F{BHEV)Hy>M?fp&0i&RO;t7rr1%G#~K(YROKN@0pJDf%A_G2p(7S1a<
zIjxCI5RlUn{NW7$_?FX^GSzR84Zf@VmX7?o?6`JRcZ>lZ-NrLdVlp@YQ#eS^DPC58
zPlH?SH2KV<{<Uq%-9rz9&m!IOx>sO}JTlFo=l*~zAxf9p0zcT-M4qzsjf+pasn3RJ
zT-)kBwtlWxC_w~1AO`mp;&tNeYM7{lUE3GA$&gIYR}=w?x3J1^FkcbABWk_q2SDG5
zb)=2~i7|4~vB<m!192&?@Vg2qgE|8|Y<tsmFMBgfQx-4OpTIoiVjk!4SkZ?gAHwII
z35eMt9M>KWx?$uMgy@zp^Ed!W>?i7EOgUC;lJE<ZSc@FS0q`|*0^h&1W2Ff0G_C+A
zuyWxR0fskUCrGc*qmMOlzb|^+!Ftwa1_xmX2Pwc*qgrEd=KqjCP39Xlv`WD-%<=^%
zBc?uaFTkiZb;?57gc4YoBFUAn6(2U(Eyj{yuH*}+&e7(Cgmxb4{d{XUg46e;XTbm9
zyC3Z5M1;Vk-tW{+UPrB_%Qm;oQbDAVghO#pnm~>wLfqVTZGeh0bBmwdd(yW|{SrIO
z4<%`ctJ=A3(zIh0$$w1JOMBzYx&7)mj(!oH?-fXAIKi>1qh;ji@G%cJANZaIz7g1m
zNO(zc*@YR}Y1Ln4B#<L9i-sgNTf}8x54O#50ty#RpDm=dRM?_U+1s;8iWr>h)&cB_
zNqJ7MZ1Ze}3}1K!xl(AW)o)H?KvVPtPU4y3R><n06w5W0McDd?r%7hvOJ#8e&GCp}
zoOlc}E_~_jggyF*xmdm;9H6O3jkLdX)q1yW&ddY@#2dyVrLfS$(HL+EDD2f=Ks#CU
z@?&KoY+~Ic=P<%BN*Rr{TI}^ioB_^)>hSQ2%vJidACO3Q)&vL;c&0^^T+br|tkJHp
zSs_>0*6*dN-kvEV9f`F+C8?bkXyaiO279|7ubS;1ZP=9B{7%ItA_&L{<S3qhN&Dc7
zYh$ZSchn-SAkmMSY}3ti7geU{EUMym5G;aUSn8Sw-)^IeufBzh?Ej7Iy4UJ7fh%f(
z0-AhX{bCouosgEM*@_s^C9rgYdxN_old|mn@V3CVvk5U;2+LsNweCKm=b~`e0T2F(
zeFOpD4(mgCX#bDma8a<LLR8zUG}B`|{{qFFI`~<tk?#ReqOjhlE(mY~FKWh9Q{9Fs
z`^|=;=4jvJjF|YFp3uoJTVN<)egxfbqrXpr!%)N*VNb!t(4E>D-)ZCM%#KT9a76q$
z9$>?c*-d^0U>7BQ&Bhz;|H=^eG(yn5jcm}@<jgZ~q@$>N@R37j<j0TnLMMMwTTB+J
zPB3GhN2n^Gi5HyHBPc-EsRxUTM==uIy|3pWPdpM0gVx8eYN=>z^1RN!$6aoNFAU){
zVuye>4!`THsNF`dX!&lIbGY?M()YLwn5L>qboACg>Yes^JfQetRn)TaK_lhEwANcc
z=Q<h5D1@Zk2Cc&gDtVY|d?fgsufva!ZTH-&932(cU#SJB>E1Gupc?jXvRNRNH{xTo
z_<I+^apwa7bI|Kz2QNiWa!OUNe)5_CO4M#QLV}187ueyha@?Sy3KZMC3n$zBE8@Kg
z=#8csf+7Y|Ijtub`~zlDcVRn~1ucXvAI(Gk3Xma&)8!%p68AZefLgXKS!ZbEI&Jl*
z2|-&3TG%Pq8B0abY@FJm5Hy@Fg${;9H1_%t*i}2%YLakG=Zr{CPXgD#2AjQg=W~3Y
zZ<?J<jfe5~MS)@xwdR);a7k#22N-@IyuMPJnWRIVYGU32G&&+k_dK+M&7?4b=*CF1
znR~N#xN^UvS%ub4TFU1Kr;`?+;KG``IKXUjWW?w+lR@GZ)md4iyR~mxZz}-5uMwj#
zeqi{1Kk=xCzh{t!Ly>N&F~u?WYC{ue7~<#OmcR+EYU?wa?=6M%z<HNsUR3jIk50!h
zmg_oht+(x!?^&RIS4e85dO_Lt^>fX1%7l}Y3}BfMs*O6c^J^+6JuKF!ZV1~js*tKJ
z+sM4?9>nI<(SOh@aT+taJOW-3t~`>wiotYoUUk;>Y!W>H<@T0SC`4G#)XfBfH{taz
z+mlDC@uiv!O5a=j7zgscv!|1uHs}iMevg!SSeRoy&%~u9So9M%@eoV@#;_Bre)32$
z8%*yLQM^c@k#B;v2OX2_kdZZ1YM5Mm=SV0mTzsl;K5$#UNhVL<8(SbN7;_#MST|I9
ze8OE3WDk*tJS~%7HYzU9y-yF>0ogbCHZCbMo~K>jR*VWc>fNgu25*GeP?_$G`YLxj
z{mE0*O!^Gh-X(RK0KW&%pr^-vP=1GG-MxYcSJO-02wMv2pXx5R_p;CkQ6it~Ui553
z%@TMwd7<5Q$U3`>F@g&tz^Z^J7t-L@_>{gZl)@vy77#>35P`?oH)agYu2{3LT;hHz
zof4kR(@P%|jCSc$Mk@2UlDr+RkbF5fI=PnH>uhkc4XZ&ioChVm`{;l%SR}z1Aa6XO
zH|D>A30G}*F40PgpSHUTPD2D_1eJ!H2Gq_G9;EF!h+(8X5IDw}nWpnK)kAVNw&g4$
zNXyuB@dfM)o2}wqxEhyk_ZRJOlQhbMUaT9B2>b-jIGD0j9aaQlo$pljb(d*c$3&>>
z=naA`B)!enx=Z4f@xMC|)kI`3fhpwcI_)Bv-MUfjroRQ-@z+2|y0dpJEl{M7;KPg$
zGw$${j8|E<8+BQVdP%HBR}ykDde$*a1o3i0YDD-Ymm2nT@t=@q5w*koL$`x!S3LK_
z`CN2&pU&z3jRhd`v}2%KZIwsDG3SZAKE<`$X)z<{Alzh<#zgi#cvciuS#^8p4xz#O
z$HEG59m5KVwlm|Q&5;Zm$c!1l9^k*Y+xTl&!aWk8?U9cNdxw(HYrQl6f#0-g&P}Wj
z1+BmF<8X&Fzc7RY+ix37ZzKRf>U+%AYv$^`+JnH&Oc#ju`BZA7w7-wo0OjQ>mUg!#
z4Dol{K4=A4-r#{L3B6%xQUkNhu@aZv$4+%Oo-{c4_aS#4DJlS)u~OH7Aa#{C#x)iE
zBAO$R5KO>g0edO*uxCi43^vh8m-okO+-O!z4}_h$-n3!5Le9+>Q8sD#(vJSC@vl)T
zYR9%9=wa-5zLk-yA5k!xqwSTmb6yb^WgbKpA|MTlBn^vuUPY^x8&F<H6s;}ycTQjn
z5ZTV^O>`8I0vdVQ;1}Pg_<;~leTCM~WBW_hxA!_ab>oz!4Cjf3&K&)A4T7UtmgmIp
zeCdUjH^me5M#4sWpd?UitV+M}nK-Q<VEZ+(Vo2bh)Q79P^Jt$!k($jv#Zm<HUiPP4
z;yokHbT{EdUe;@O(>@?f7o4?5VTc#_J2a0HYq+6&cTc$~n)GE0`8;(X(8qmcmJE~7
z9;|Lhqvzp&&0m_G7QUd@;qKsN>_D8nwPAN7X^(c5DRz2VV(rlEU!WJMT)Di;qrANi
z?cd}gpN_2D5V4O?HjR-mMK8Y;_929~k9pNShjAPs7u7UiAX{5v0*(MLKlDSUp{vK(
z8myrV8^nSq){b-4mZ(8c!!{7ebL!!BL0bja-1{mkctTWlB<mEJXVkP59uF>^p9?G5
zc8_<i(iiK;jI$pPLCR0K*)t{-1-3)eFiuI-btranJC3l`X|)+~&Chu+{O=!n&Kxcy
zOJ$c{)3=O^d{Yw?^MnK2ig<K5?%Ki+7M{$I&BER#gP<+W2u<V*NWsZQ*5jjGQ(e`P
zoG8|73Zlq-eN^UpT=+a@&1!~^>@E-5zSK%s4+?qC+qWIqx2*#H4&3Yr?E(8!_p2SF
zNZk!<g`6Ra{iG(trz^HU`6$!Uh<Xe~_+h+ImXFzX$TS)pn;cIEJN*O1oN$z1hL}o?
zWduU;l_KQ6UfVnI^)qTLCaI{!Aa}q`HX*V?vWgFo{+#WpXz#^H=u8H^b-{eAtszGK
z##7E9OnWTir(md`0YL{3vIR|+Hd{N!0$CAdTi*!x;qm~|jxg`fVUpW1O)YV1gwhmZ
zyi;3q9_|R<M*5d_3&&;k6{RT+xGXLZ<9M_bTdElNJK4`%lEAXW?GhN5NsV|vPwt;c
zNe8DZ5d<ndyzP>A?M<y+BLXSah;uwD?Al7m#foTF^pQUmu3q1^+QU(5#GSNtTr<vt
zZt+Gi5+sEaz+_q>iJ&_!xa*8J6JmEe8$vj43{5YOR=BGS!a<kFhIyxL9nV?D*)I$W
z&Y+JjULcFNn`Ht^a@?iMj#=Xf7%m;g5gab;c?)f6h)CNR{>Ve~J)F>Y(+EfPK&|6C
z7Na!$uCU^z(I%lxXpehFRpV&o^O@_zN_dNDBDK8RqpZ3k8IS_@@SsIin2;dK3hx+A
zA0Ets5B<9{-j1xC9gF@c_uq~o0ixvvwuta$5vJF+VC8&KgZm>N=_|O}d;DcS`IDII
zavMOVkI~^NBSv<wNR{zVR@S2)nEL+UPNz306AF5yKB(1!e(U&tnWBf+da4}(M)0+p
z*P)!fwnHi!G4BYH^M>H1d*J+Wq_NRyQ&8Ydejr?GG&?D)kQylM2`_H5t<tS^R;qsK
z^~H?6#Zwlzb-P>9d9B)io?PiA{%$V7xDTIQv4Y(zkJ~o2nE*88s%LZg9-3}=1Zs$x
zl!G_z#jvuFki+!E51@2~V8_=w?)R#_t4z%)go&|_ii)PT86}^0y?7T<;2$@WhLY_b
z+za&S1DIxqn$)grU(bxAYx7_Gx`e>nD+>5Ezq}1U>s(vtzBhSXe2AoAHc0xeS2b?$
zu-ag2&|ik)fx*RNh+^M$v)G-`=Yrpp<s%vaWhuo-p}_xfN0fYihyP|KsT#`M_S=A-
z?QjZxXM)%rFK_49cH2sW77atl#w~s5VH6teT!jf9k1+ATv=vQs<IpLTiOT{{MSIrM
zs9s?|8Jp8fI1J{LW8E&Q#b#7}VYp~{vHWbhcvQ6vTis=34qJA}C_F-X_*u@<^lk9r
z*7c_AE2}D>><(^IZyv#iRg+kAJ=tT)QHgBZ(*OfVcPt|-Ap)EWZIey~yYzF`$^=y$
zxq%X8H)@Qn37lENRCqN8QZlSXS}TZpWp{TN9bI+ezeu#e1P?8M*UBw%0_RNznh=K>
z6gh2s#6s1F?D7*BhD;$yfE#Q+hfchPD4VgGcfcJPgm1>_<4p%{*+JQ{!;A~vMiLhq
znaGMk=<(PNdEqLu)|_$uU|;mMpLJH(>jyP_22B>)qO^4vi>cjA8MlBn#UGwGo+=B7
zihe)O12#Rpq6mvc9q#6sx__iQPK<(SVz>jPn_g-vL*5^K_JgD?bqP-3+%rB|Hh5T%
zkypUm9$)+G&EeE7MyDtwCB1(3(Vf`wKdlDFM{;zFp#|8tk9UaO;{|^M<8tzSJLC*B
zK^xk2kL`4_LlNyU9p6ara0+-hL<JLQF!Lm1*OdlP0xo);8s+D9b80?ctacNq-=-|5
zOb>BB5rb3XyW{xVuP!(0Ye!r!0`6cNNyG<4JyovY+R^0*XCleaKG_v2^~Ki{46E{5
zU4>6iQyLwmz8d(E$qR7#5`ZDSAMfdoKHCqxMbWXa<bL%P=RMJaInclgbvFKep9)Jv
zNGxQABCPurf&p!dlyJc$JdQrpY@oE%oB8q52*a0aVt7Vimd^GE0oPV?P8L>B5{}{S
zyM0uC^tva@-GNYA#}K~G^A?=CC-)1&F2beQ)=Nc~DHH`FtbL~l`mjn~t5=22l{sEj
zKB3(g!JNJ9j}ywFNkoZ6<L+TzG*=e}<cX_sP41!{*K$YR2oxEIF<vhSK?_`EMz)pb
zi(G~-iF%1n?`_sdr>NcJ(;k3!61M1)cSNh+quJ$Ua{6S-?%g;;cF4XC%m_?mvRcGO
zyqoVX1|nv?&{^MBVYW=>#tr8=JC2l0U}4n5^IWBHkb2TpP1Fd4dEdUcn)UF%6^EbU
z_^p~`5Pui{3V+{VVHi=kqO?XxzagK4x)ZoQxr|e#@DwR)JSil8yunoT+`ILLbm*G)
zA6ZR^?{g*Fy<qR@_P@gI^&pZw4M4|WPg%5QBb48uAaezhqZM{`_TU4&MpC+ZKHO_5
z@wN6E++#?#p$jOl-vDfi*(js9k&)qbb=Y_{R8QBu5oQU-IBI$20yX>RZBJ}>(hA{+
zJK(b@hC+(O@GR}UmLA$^=xT+jDTYU`$z9{@h0gYkCEMtZ@og+_Vx(Qjk`hBNNSO*>
zZGP=XvEQXla`AoOnb>$m)XCmT-b9L8Q55QcQmy4befRm{!_AAFgxba)_9|qWThnQ+
z6qB0)+y@{tN3dG3-zzjpzW_JuBfOCf-gd7eV$T|mh*FH+n>Bg8v=4yc7~tzD+rB(A
zN>4`KHFCs&oKfy?o>)V>vLBOcFXu*3e15*((er%>Kq0VA!9mYQ1Z4U-P(quw0u}vG
zlkHBh1!(=Wj~<M^2T=@dC?XGq7^kMg!-F3c3|qYd*WoFkPx*K>u__2=J|5wveJ`EW
zEnCP~%!0hCx#URRPPvO?yxdyU{CxL44Hz<u+>kd+m%(+Eh&*c>eTWjH#V<*4-RB6o
z>?ZKwp~>EQ5g>7UI8)i*=&fjb)E80IdFcyN<+YOKWPv6Z#+t&+X!&%p4G*zhez_#z
zP~o*)tJU$c%eK>gCe4?$|3#3OZ-45H&b}9L<weV`^&r|T_4qgU2cA3S6>YpS+B<^J
z7EFtTO*O|G@|s8KEr#~DXXVQUo;VpT)*X;)C$8Z!AzNPy=cu-@+KlV+j}Pp3l6aiK
z+k`N$XNHf-`o0uCczGM%_2a)QB!EYCTfOIKvPVk7@)qjsY8E1$jaeB>Sur7T%Q*dP
zO!k9}F$La-^MunhLZ4{!i=SJB-DuS=?TKn;zlm;-&@1TDaO!Od$>oMtvQ+|ezPj-z
z&jy0RDr4JY6`!b1MlB<2y?XAbtpnY53b+yRM2*dxuXw}5*Il9YCH~x3tEUs~*;Z9q
zwjpPg+y^6VFQfK@XN|}f?UM2?xPI8>AQJ>=t{65Z;Vl*?<1Mlr8+z+hl<kyqnKo@S
z8@6B0*|`a&w0i7F-kB1KYv%U8w81_i6upan+loNtk|p-kC6v?!7tk02?D*(KaTgI;
z;oMy0^K_<*QiZ<Z*3RuQZh-DWJe%zC5QK~n)zCg>X*b&CpEg5tq|;*d;_+havfn%D
zaG1XzMXjYNSnG~RtOreNJA9+oXIn7NDOEppPcf@ajRzKQw)=}pR%G~xmj_}PArksE
zMn2vGJq2Og6k4X9I(D-Q>#67COPCPv-$6X9$m)vpGt$}YQ|_mW@}783#~SodT2B#F
z1>sxF1J~}I4gDtnMyu%MQJwXUp`S}Y*C^MsBZeaA@D6@TTbBz&Xt9B#(C2C&(s9-b
z*37^IT_119BiQkAaSs3@Q*V48r&^Q%F&lT&gXV+a-pt`KYooL6eOhAp@_|%o&Dg=-
zPoFZ**Ng3sJQqxhs*D$MfVQ-bY%kL%t#|tKSMVloi;n1NbG<7*i{vP$M^}adZj66a
z;avm#*9YJ0zB(OUU=9o)<<1;Aus9NUglfN9RBsiyBwY32oPGSG?wFrK1k3p|3cIZ#
zo*f?OP0x}Vclz9*T|y{As}!_;({RvQ>Ng4E=S`x<GSa1defS?JofQhx<804J6_5Do
z9PnA>A~?SVhwCBXYPHpqms4q8d~(9@ZLP|BZh|&e5JvZ0uiy@7W5}#Bv;Kj!aJVEl
zQRovR@DPCJP#LW8M<reri677asI_blM+OJxS`1-r7fzdS=DjD@oQyP#qAy5v2K)M_
z-yP7kzaI*&uDKkN=xG%Bjte+-Vo5E=Tk6Dj5RPBzK5ttgz`sx2E9`Fbf@U8<>Q}G)
z1d;lQ2o;{;T4U)$f%ndZ45}&d*W#H7fRwf>(RDo#S>0Pe;f=)~zcD2ZsWnGr7wL79
zSA85QwCJjQK_4i}W&$H)xMxuE$j`f`UsoVL(ibmV-k-i8^Fx>eOF)Vp-<C_)mOT<b
z8OHE^Pe^EU3O0JL@@;JIbhWoNbovKVGN@2q?N^3L?3vh$x)F!yr|%jf<1ZYP-yZ&6
z#{2NAvRTnIr~Y4M;JzK<2<Ms|*ct8avZlzF-joilUuyda;$@8ifJd3P#I@}wc~sEC
znJ-{Q3zxS0$uy;~pX>Ggt`tR_dyk)pKf(P&IXO8rtMoIx9CDY+%s-wz&UyxeyYfL(
zf%#?X{{H8OM@4?R3A@H%@js{j_2l)zJK>N|e*aMM2<bq^d`1EEw@s}7$Fp~|&$oWa
z694v_DSxoxKgU(rXXH3H(WW7d-<42*YqR?B3t;eZJjeVGDf-*-#2=8$n$lQ<>qjQ5
z_mWV3?uYPs3SY|qkkK(NMNS$`)Su!V=eiz0an(YL5ejA^jGWWD9c&R!{`Bu!+doS0
zo{z0uerAr;AIrSIIF~qj0<RUIbCd?eDBN>p1aA})7PS9|R&o&$c138mbLIaz^Seh}
z&z+p7%5DE=7{%v{*JWM=dx!lG9luo+%`;458u<KovgS_;|NH_#kQPAfm{9yD#z6t+
zp80AN4|)6>&dI;{@Au;Q)=>EWSS<Z4MQMQCG-T(Ct8{|VrS@<pajmLrD_o>goBx5N
z_~Ul2ivS(4z(>)Sp%S2^*VN3(GU@_^b_RovT(!%3Mu*nVWxniniOt}I#wDS5eE&f2
z^%mm6JAoX0%wUN@QFfax&l$|>yLn}$dDhLcrG3qU$(m)`&C8pu@xT{<cK^S>w8}tV
zeT%eVq9L&d#a3k;CNpQfZqe$SF1fg)B#IDZjK^nEdK=nwhh6m=PHae`z~r@Bu9D-M
ze=JkQ@N1ORGhIh4h@SSfeQV`>P%&RK>52()g!ZE*uF>MNlG+krQZ{gQR%_V382S9*
zr{%h=v9ILzAIbhNQMRP5J)F=kN*LAv&O8JAH<!FRJgb0PGui_HH4;z6{fzn2G?9~N
zX1^7pVq8&SqAd>UOsbc+_T1>ra|x&QpU&E_%&z?7v<6jS4ad{@cOT(7M49A0gG#zP
ze2`cVL@Wyxqmt=<O`9f(G4D8J_R;=L$wF3<6f$=vQ&PS2K^vC6o79>@kG*Yh7J>iF
zCD1fT)ana?j~JcukeGv7J4&#HDu+4gKR@zhX&q4_)RAM&zgwY@6Av)cFDr-D_iE61
zDoIX1&2>Z*_GiMQty#w71YHALlO?eB?5n1g&uoV0__jX(_mx^t4z*F<^{Vs3&oeb#
zCXa|gxpO8f>(iMJK6o%`tOk`;Iw?v7`?KL)1=dJEf~X_gFRQm6Z~NQ6YzPQB)oQle
zmGz%Z*#n<JOX$~est<1t9p2wC{4N0ak6QCfrWAqkV?)8aezU;rm;LEvl-B`{q!5aU
zFW9zs4RIqoJa>qU79JTnTIDibKV*jNd&Rdy56+(=YN3YCq&`pIW>#*H`|;7?FAJus
z2zp{r*2{@IWPe0&G(9*tSsbqQSX-zdzoxYo940}NB0mSCm@sgq>R~j~LC^Lo_0g?2
z$X9uy;8B?~KAzzd?%>}<(DKAtRIU07R4p=8vm17f9GVt8pj5~OyKh|2p_P*09ehx}
z&j9-_5x~_LA}BwvCsQKG(_p!zm^soebw|_HL{a<|(BK6$aoU*#ogmA(K>H$1b^PQT
z0k|Bf(Aqr!7PA6f3>%y*(F`dW`Xz-dc<E)YKnXS}9hbbDK@K_F<DeYX_9vL+bo!ww
zB9t<2!uhOz4`;Ojwe3Qy8~Hwi=~yQZ@!=n5&RRpFUq#fF`c7SqvTV$`0?F-teVgv)
zv3qcuo<v5P%D-#W3v08OvVEuDQ!eE$o64B$-|$L{zP%*qLRF?C{+Wc@;;gejH@KFG
zv(^XhG=kV`tL)GCrPS*7MM#{o^~AGjrLS}CI3JQF==Y%}f}c%6Ro>PsqJZL}zZLVJ
zJR*QGR1E{!S^GO{MCO-n7DF|FNN)2=7^hf@Z>{xX#pL2yv>a(LaGPGki-jed<*b(&
z-lqjLB+HJZktLNbl4!WRbg%}$A?6_6J|CQj?Xq3dKUuh$5YkpT__Q26$6@a;o%62F
z5W@W6jb5#>H*+8wNHAWmcAn(YLUOl#JN9`Z8V#L1Oyqti($sq42X+s2ou*vDTU&}S
z-u=`sUuq7GF)=juE_WNOC&5!=mq?PY!i|lHlbFtmMO;7cqofxM$yL8;1Fd4|!4HqA
z%KX(ztUh3_ati83FdRm8C@?ARbai2ed~A<b%!V}a(1qjEn!+2WB_Ol7GA=pYb|+e(
zm%qN&fAJpeyEoY13t}Oi19?t__@hNDD&s#EE~1r7r@ltOJ1IcyHpmAsrk-Zo=;}d<
z6$QJuz_8Pp)28S{hFSHrIXc_CARHyNl#H8ioxknP={t`jmGCgh!YN39?CvUvv{D$R
zhtR<=k?}*7K*j!ep-N|`_M?jK<f?kSQN=>k(Vi3MOLo;cWy(JOaY%<;SjusTzbwOF
zWb`=MH*?p;=g1k9Il-5gB1b7C1%32f0huDd6v6lCDvTS+(?~pK;xKE*@7E>#ahGaI
zRcwsVFi;Ko@oee+s~AIsb%Y__tZB?XU9_#|tpl@F49`ejb2k0(W5z`qR&z@)Y&IxP
zQ2MZF)0IYiKkGX{nCdVI$aN55aUL@b+<#E?<l~=_p)XW{{Vos#lUqnrM8Lbwsa*au
z*b=0Zu2bH^q7T~EDAi&>B%fwj<$iXQQqn9+Rff=xa3F$4)R#HYgzCS#5*_H29j5nW
z9DR@auiU@D9D)UQyUq;w81?!xAUL%IrTR1Jo;15<ytf$g8n$-3tDInY?5E8)b=ebd
z$4s>jd4Hmr?w<yRF2StXWr)JJanc#Wv9K>)PV_l2;OOK^Pwv(qu51gAU?$YSeBL8I
zoL~L4H$)Qj321-A;{-D-AV+{ifpRj$mjkVHfD87>7^9ilIX^5*se5Qu2MILFw!q^N
zH}O)0dskZMep)^ssc@Xjf--kd5ImJD_`NFsAN}};3+OjX^-GznltG!yeQ<VHK;RXr
z`bN)0cSK0SO~O7qNgZqt)3_A^f@wRzKb62t`4S9exNmE>#>E<I28`<&5l#>0NtB;|
z!y7&C)R&^#yx&Z410N(I3k9XYyC~hbSc~vIrsfVJ4jr41>XJvP7IUz5YaN`)Q}&?`
zBVgeHO3PtNb?mZyl0-cxrrwbW0QF&KJ%KGthTYHulFT7_G8eT0tR{u-{sF|IAvspZ
ztKg3a92sDzRBNRBM<|k366h7?Oji{|^@8QVdP!mfX_R$v=QGB|Ob|c11g0+bX}PeO
zojvqge!|Z(1#4i6ldoAv3pcI5EKC6n+-$b6Fmdy}dJ+`$jLy5X6em+8@z{Y}&#DLC
z@DU0VfNZCj5z25ZKGTO_7zj~aN+$~6{B>IfDG5(?h_!%AqJ_M}_bU1I4k6;hMJSWa
zoZ_kdy7H+#Uhd3EGqa4&xv-KHCp{;BTUwswuhySlg&Q_xME8e`t<(6=2h;G(JZYoM
zz-BZ~tG@fa<LGa^x~4`v01M=Zbh%RFVaR)TpSPkA-}Mjr)$2u09b8hNxmHWi@#JIL
zF>ck4tq1m4RPmH>X|j^1Pkc5G#;3t4U2Pf$up1-nN7I+<E7{8PS-x+?xe^TN9ZBBT
zgizS^Fd=p$0lK7oj3&Ss=s}z(-<t>mdCJcK%J?pK%P)tuGG(cmBHfjlJ{S&dNStFH
z@HCbVWvBqtog?Px+B7kXXddr4V#uy9cx%xC>F#;fOR5OfZ%pVmYBq2GX1V_G;ZKkN
z&w8QiJ2r?9V$((Mt#~PC-H-udlDp1%R$&Tsnb)DB#>c57O;>gI60B#hbBs87C#kY!
zQS>jwJTO=YQA3WpPpB0dJH(zmf;qU^hQ}88%C^rGS}YEGg)-@C`St)wj99qc<HHZ<
zmzu*iZ-VI?j+q<Ow{ms=(W|Kx{pIZ;E0%_l8U);XIX&-Rno<?hn|a6a1G@VyPqr@y
zSUwuJ><wW?MeU26iIcbwY4-uoNQ-2QIJ3faN7Y+pX<6Ii7oN85Qc<T9j~f3Bh+YG5
zevXohv0<`fdF=8-^-2(XUg&qIBB9lZ5Om81)b1(yyUM<Eoi}H6`3L{_StRD7I>vgj
zo~nlDNDU>Q)JDn0J9~7u|F!AnZzA*juWKnlM_%BR5v3fkOCg2lgY5N>m`;$6Me3@s
z)m!J`;<$gDSdflV;Bz2mzT>3#PjvZRJx4Hu9z1dkd4E-ye*`rD|HXgj%>S1M4B~wp
zyZy7-OW=F05y-k;wg1y-Ly%YweC<}lT~K=B+5Fb+uA{lG^(U^(v8omO>fd>^|BYNb
z(#U_=7K>Pj6f;4zIuquNc|j9u<HfWQq1!vl)5gi)@$7+rhaOv%cYFH?L)xeYQ^Q{L
zJr1_}4PuCK`ZnhuP5zAV?uUM<484f8sr7xC%(O*Y-`r<E@x%i2I%)rjeYn92p+SS0
zUszZ-4CM28Q-p&QRIlyvC37)Y)vn~-kdXJiSuAtlTD|;v$X|uDLs3GHc70GBY(kVP
zttP~au0O>Ayf#K0G2y)1&hoJoAhj9wO(Ji9dTi<4I4!?Iw3c2AauYCqWAEZ(imlXi
zXv<Tl#bWB=;n8V%{x=l<RXoZnhtoi3s%q)EsliRcA<~g8srcQ6n&iiBk5ZD)cyiR&
z4QX2s>|JBuO?dF(jgX!TvQ2ev+To#F(RL*{2_qYvm-2Rit=_u1nIkLOMNO(VX`p97
zr>*T<vzND{{$qx27R`U_&mu*Y$0;Bnl4=?0$+_;a@bY+AlPHQ-xa>!c(i}%g)2N>N
z3Q^>He^@|-5lA0Mhi@1WS~HkZ|5-5Y?fjhndNyM`<D8w4HD03=(YUy(ENxkUVWf*^
z840eYdT0ka^=dfwy@~q=eWSD?b~M@N_aPX|WLIWy4T^{2a{4?yJfmXIudFmqPfv$%
zP5)k5`H%SfW%)iUu=vJKKqo0hCNar@rX^q1Q%mt2;4G9VGl<gJ-c>JjzJsB=IRkfU
z>}5ND5AIwCS?f(ev(^5_algDPu`D~VHL?&E?dNNnn#(nEQ#{vU9g>KdGVP{vM$J_{
zmUampzuxDJhA=afh7B<ZiQw+r?jeVkWO>I)nWE{w6k2RWQY5<J4HrHV(^uUVPHqqF
zMx6<NORhX?EZ6xr1Eng+KQ5=MUw!t1P|6JJIcL%I08#9iKFX`{kv6DW>5Yy}{D6E|
zRqqk$@?Guv=u2mG@@z80cc!q=Lef77^+~e?t@8O&>V0hVed?>$#a^@*)~IXRRP|ta
z@!;J*#%Q?Tfkd-zz*4puhrv;}h0MK8&V(6dFo9b==xC64`n4H@$^L6H!hHf@?r1ko
znIZ8x$9j+O0tNf79=wk&Eco8?;%fTuq~DRB#D~$6-YXQDa;ha^b0Auv2+n3`aapb1
zjF>O^^~Mt{G8RUhs^x~JWE>?j;anAJ7PgFEyzaeCs#=LYb9V3w5s+lr=>Af(m51Q$
zrd_YZWNaEjEe8e$Vy+KjuMZm6qpg`VSwa!x(-_DsvTj=P;cHN()#kNw^K9@9(M6gp
zvFr;nc1Wz|Yt^}a#j+$UFVvpp$52%@80Ij1!0^k8c(D;8fHQJo@y+-iTO*Kdf{|G&
zCHdIBo4j^$bF?IaV7LblywiY{ZWS_XnKx<Mf7-Zq*;a}^JYYrFLB(w#>{WiRHNN4}
zqHX$3j8p(_c=W86r7mo~tlx;kZfni1nI&ty<)Nu{$(o<^{%~7-Hs5MkQZ&UFr1^Mh
z*b#%cKhWy$nfZzG%9u^($M$yb?PTge<)U(@uR44Uh0UXh*Mk>Xn)7YRnb}_v-Yn%-
zi*OWA1lnx-KWcErH@N0m#4CM8+RaCWcXbVcm8KyHDv<e#${`!nx~9nAUNOgnT}|9T
zB+nibE<tVtridtu>0>jK?!i6c#W3J0HWRzX2UQHt>(56a5%h2o@W^5MuxgY}e4-AE
zSit{2DybF?|K!=`t43#s0@wkGP!w8XB^)0wHf*uI;Oj`cW)IBLgs=<KRF&%*c!hV|
zfjZRft!-?UE}EVJP?smDAuDaG)y<JlE?;yS_xJY;L{3+p9##~pR^8F=o1^>#v(Vdb
zxQj$Du__PI$%HJKm28EPphwcy(S!U#;#j@e`jCXZ*W0p$yfok{AF`fq$dXrjdxP#S
z8-KRb^CS!#^9u>-%uMTU`_xt>%JzohVDqUJjrM$2KGzfKHL!EISXjYMRue|jY<p4L
z0QIQXobtZP`jM+%V>Cne=t)Uk4ehfQ2{AF#cw~EJ+g}o+s~(8=wx?9tqD?h-FfqsF
z0}l_p%6(r`G1%?5UTV4Iaz#)v!-hwh=N)U=`x~!)9m3|poP>Py@UqZ*A?`*+)RI-Z
ztrM^{@SG9`kstI-Au0wEbePgcLWxinH&`06_jUV_WWD3Fa0Ap^8BVBth%SqOe=;+(
zR%s%NMP@cAoKG<3NNJ|i8?1@Vc*OS8&3plWlboC!6=0LNrfFrHJ=!TeYsx`jN_{%F
znn7@~U`XmMB-(_ndYx0y%W}tpRD~iWr|;XpG?M0YlKh5lo~d2e#D^$M8k;etQkPa3
z-Mags8MWMDY-}va4Sru17~(Gx6Oh&3PV!{(@wuk>;EWC%>G4y&4QY6nOcl!gA?=Ti
zWQ%D~@S>gWkIp)EI3I%jA%~GO0ae;$zenJIXY>7R$bXp||85MJ#8Pt@^dX(lN1w|I
z7`B>E2bnU*g7Z`@X-me*+Nr+&bYUO{gfL-)P8J4;FD#QUWa`bEFkd<na4I?77fO;u
z8VNm*!K1<}zIgg4UY8%QY2sxXs29(cmIfIcv)&(l+4hp4lJL!RrsAD^ZD0Vwa$#kW
zAB@ECiAX)k25l|TsHH}OKJ8ym*ZSFFXg|CyA*fJtYHV<!;4BBIByJTWgiOpYg~MeM
zWiCfs>jcKpNWAMTp=S&$orm~_qOi}}p5}3Kuuuvj*C!T;OpLo<_oi-duB-Fo+=G~o
zs5Q6`bE-&@gFD`dklW?7J=YB8i?&MC<1WVO#ZU$21M5;$31iVf0Iou`O6Ip8V;utq
z;1dh7Z{I1_WMCI)uaL)eQ7XL4L;%eDOsWDx7FbpA9`a{EC9&21XL3kVnguxe`Sw(!
z>m?@$jBDBM1xX3A=HQD`;#kbR@S#b?IV8E>l2HaZr_k?8>Vwy^AgRp||72B65eB&r
z--H!Oq_*Si;=>Y#F3&y@U+7xR@FrGzyP9h(yyxA}&*xymhYt3o&_nq1gUG)lFpf4=
zWIsz716=Dfmy%1EFH?cwpXn!hevXdT_@)S_pKa2dp5c8Q#g~`3nkl-zo`ivkYco)$
zflf_`3&_{-)t_<*n6&_jiP)34vg~4_pEdvn*uncmSZ7Ly?{ud*IhB+<5j|~R49}b}
zvOd4ot+XhI&78~F2o_Ol4M7lUvQ1W05^!O$$c_;aCq<zm0s0VWSq?Cw<C4vmW-!UE
zmNAPuB!t!^h7v5*xHpeYZ@s=GEHYI<-Zz@<3`I6A0LHRg%#;C*f~geqyW-4}dl+5B
z8$j6SSfSNMgP2#ON*OimHS`r>f|z1fKwfr_OUqgGN~=%G7sWbj`7ig8Kp1;_dy)y1
z#C!Yu8|G3B%GWXmJs#*DTVbm)NRj!LaWcSpyf<0N%$m5gO5oz1WNGhWPZ`(`rDydj
z>Tf?xIi2~Bg_FOPZhZumB&;BZrSUraK&X+jdh;=JA#SRnzP|ZosIi;z+zbXA00m0C
z<KG{1_<$Kfm=)i*4z;yP8fsNgyplADsj@N7k~ADjA|x4t4|F9=_Pq@g5KB4<*c-QI
zX<Bu5>41tuL9dq_X#q^K{(+QVFHCQ9yNJ(~+-dl^$zWfygp;FA*n<?u`w>u3c%ub*
zo8MeyBW&~`X;D4{FGR~G%`Pp4dS7xUGe}UdVBX3wNQ61OVW9sQMfzE@P!Nhm54tM|
zR+7H3TDIY5a7RO=uQZgR7=?;rT}+Z-IQXn5zVHP1alu?alL;0C68S_7BBPR7D^OG!
zzfGSu5N4+$qwTZWX&ZX08y~QcE-g>hPfN;JK9COf7ds_I19=B#48X?Xf^6cx87FuP
z?4rulOW%sm%3qW$F>taMTRsT1CO(VvLM%QuYYi>0^jpbU`O_|NgVI}>!JSMcO~JF*
zR8eOI44lnq{9Jz-OE$m^ydNTkB2T4L4xKRGt(B$P<b+sB!VcKYa9Db*sPF^kA-Zxs
z4RQ8nc<YgE?(w69vIWVzw;F*+m^2*UQ)#9G0n+e?5fiG6d?`g`P1tTX5|cdJs&i72
zM6!hwOLh{Xz#rSVwiIITd(&5oK4`zPw@S1Hp&CmBMIj81GxlgDl}s$o2B<J=o9&H&
zRb(iB;B3Y>o$@Zyk7}jAytKOYA6GH*LGdfchq3{-wY~nDtBdT+nuR+Y2bRX6DyMi3
z|6!?AQkk6;rbs|!U(sWw<8ovCH0xc&3uxa(vEhfC0sSayL@{Y~ybNP$_q)W6Bk?u~
zq#oXofxRKu(liP)i7VX_#?sKHW#lsWC7ATZEEj_V@zoPGKmRu2!#V<EXuUsm<`)bS
zbqA{or|VFK<g?NU*s^2h-;Rd8I?ohMOrhB8gB$?;rdFnds9~1gH6rE~)RTC9nIEfF
zV8eENOAaL)L}w+g%;|1VA1Y>8<1Je_fUL-e+7djs)|aIE!;tvPnY6jF?<O+IDGxuj
z&W(4bcrlrr>fMK?xC*Y1MXyYhR3B88R*X;c3%<Yz)=kGr(UX>(pu}Y(Dt%r4>P#$u
zY057t625VY+oA!cl}nHg10x$p3%qH)>_-A&_l1)&t{7$Em5_6EQzF%!Bm-6J-v|0Z
z{G5O|Iz%eL2w|tU^yvi)>jkm-eQJF=65g(u{9PKt-*U2Oan`?Ov?iv;;5mBrgBn_2
z4lWweQ_Ks;Qibm+pzMV#<o;ZkRdr+jQ$hY~^ss_DXyR#8iz}#4$vF&^10wp}<8NLw
zGqSg9;ATkICL)faOtT&M3iHkX*nZ=9b;;`oOb$f+QU_$gmF%e&pl#0uSUPaGSC}(Y
zdUlE8YUjQ|+~QpF)peGa{t+WWK%Lt4GfbI4VKY6P0QP+$Qmr0>Wj}&hHRB-0{7wvZ
z-z}U>hAXm(pzwa2c}m39@NI)rt0M>}-(-4X0wejWk~<JKZds`vY(1c6#o?Fm>ARCY
z9jLoo>^hWO2F=|xOz*Vy67uqmk~?cLO5!V347c@fd55=i=BGn%1w%K($2@{<zq}09
zOg#Qp@H6yKUf%TXuTm4-(MMi2xEacT%Ks{94e_GyCD@H79weRqj<$jIv^C9>R+8qx
zMq0~2IBxiTZ2HE2<zqg|#<xU{fQ*-b1}p%LM<?T3(eQ`C3R6RtkOMdAsr-_XLASHh
z0i^o(RIv~k8Jz)0>6EqX$q;ENN-P(nY8k%%^Zumd>$5mOgzeXAgd`(=TEoO<_HAYD
zqSFDw%BXiYtvri_e>Z0Vzoh$<t0jY;VXCp)Z*@Co3&0#4de<yLxYJnSSaN0^<p5Ir
zG4gSPN&%c8y(i8fU|uN=BLgYZZkds>&F4tptGCnM9B>5$o(*xvLVyKWK#DGKU?i0h
z6>Q#5^Z0{)X$_OsvsNyv5w26d5;TGbm4|)tsItn`>At$*v%gA?ydZ!kLg1tOgnBe8
zl(?Q8Wp+?qW5<j?-=|D&=hC+&MG+b9!@UsjWaXz%L-S&>Ez98Urng10Bnj2h;Z7II
zJcz9NMOn7z{$B%)gu%v)kph>H37O09dFP~;I?J2oQjT;PE?zTIhXah707$+bc7m>(
za(y>-mGIvgNCjeRsJW$5HJ2dzHE3)=1T(wC=f#F>i#6fQuM!M~d03NCgAC$aV&Lq9
zs%|t&1hjc*;KvvS1o&98jgsjB*eWScv$UN;wVT$O`b5*rYJ~99J*7p=0%1q(cgMki
zZ~OHUH`Jkqo&Pp)|1x)Tm<af8HPlLte9t35P7S^6FJx>K7O!zmE6WXexpQ=+5X)iy
zQX~8rwVcveUxs#;dN($~^J|V2Mno7SBc>-vV6%)dBd*jZj)@@L3_}R?QGggcK@~?k
zXmv70ot4ZN`!2jM?7e&aJf{w0oSfAel}z05boFiWoD`6ol(*1T=6jjkXX)Ml@qMr&
zePd~{B8wAEpZy`CAYUqEcMp#YM}Mm4`9>|9WTwx|`f}M{6WMKke*(0`U({#T$uip>
zx~$9fDYjZZb4{J(6Do)bQ--LXeO~!_f9znCjG>|7_a$q4jWtkLH*)BO$2MkTm#Fd3
zLv={<2}WV*`^qT8JRTr+s5w9Be9qass51zi42t>i?dnJQTj{sPTSJLQw^R*sfsh3T
z%KA_z87G-TWsQ1?-2@t-MWwcE-aZo%Q`eOLe|vDhco~b3G8!KWo*v==p!h|Ki69%=
z=nLvV$#VNV-UH34jE#+Vc6K0GlnheH9wnX-Y>dzxiN-O;Comwf^i0AWA`rV7Dh(A2
zyA0CpQ!yP&Z`S!%63NlV5Y5M+8Atxs?Tva|Ay7Ss&yguk<Wiw;KOBPj08S{@0)qH(
z+1G$TzND`*HQS^Yo!zgU2ApoE3gomi_$n_UN^d+c3&h?!y}K!Jrb>U873IVnm^drE
zrL4|ZdA9j_09m%uFc!3Yq5J?+0+$t+??s;>i67G@kKz8eqx39Cexcxwfj@gFBOwyL
zyGf2|czeDZ#deB&u2F0eTb|_~Rj)QHrWJ>{EGE!gb|E+e(#;Q$Mvcavn2AT5^w&YY
zLq*(6Td2%JKu#>m{;AWhQqg)qg+)4eAx$V{ypv2fxRzL84=zS%+;k2jFDWZ?#1znZ
z08xVvsNmM<kGV5@B4+z~UM}E;=DSlNZfKKbC|V{*^@9w)wyD>e@PectPWON_AY<%S
zhog?izv=;e=y=~}X^VgH3FpJJw58!akG8`Ou&|_rUct<jc_LQ}`TE0jA@2v+`Q4b!
zo<g`-e9-gzzXyVP$PL6cyKdo13X3DaHMAcwFhaAv!{(kH0wphyHdW#pPy&PxPI9$l
znC%w7C`8gBiPMOE7veuldhxnJ{$1Nb{uwpFdT$YfVjQ__=^5A^(khF#7k^88M#EeD
z#bJ9as1;4dn6~+~j{8>PyC|7VSIFNyRlQt{lP}edD(1<kSSkUDh6t840O#UzF>7bl
z`|t;oPtGkRlHu0O=2+k8X<8iOgiffKW{OytC;Bb2hT<IkAqYS?jTlC+T+w$IlbWrJ
zEFU4#5%1I97RXqZPL(QD%EuyW^i(qH8W1eJUknNvdb23lCB7x|MRMzdunGo6wdFj=
z`{1+C`<S{A{{@<w&Te%ptXOu^`L%C34UmaR)m`N^dgwvQ=$WE%^KkE>ZP<(P?h$_O
z8Pyw1ySIF6>uVMEf0_Ag-+&Y8N)9haYiCTCxxbyte)Adi!eiBGO)!B`(DMwD$;=lU
z93y}Z?l2J*Vc^Chc*zFApRg&*h61-&cYR)u|4ILaijwP9@nI;{cwy4^*87h{niaQP
zNseLf+oZHy`}Y^Z^d@Z#1NP#LB4PjI?*G<?dJZ7HWoIth1=Zxg&EY>|GE0YF>T*<@
z!=mc{Y@z^&5SULl)71W(lK(Tbs~V-y+Z^O_87%AkKb!CZ@fXe4e^>^6GyWqUtdc<(
z$o(v^=eqcsVT9wimH3mYXKC(0cz!AYR0zp$$*wx2Am=uhkdUZY11a_W<f=Qo7}K!)
z<3@j8W$E^d(6iYNjo&|Y&`^-q7>%X#ro9U`{<{N@;#Uo1OQU_(pzQw_$$AJKREh^Q
zzekcB(a)C0|7cm~`T@#Rii&;#?b*8gj;;I-;h?g{Lk<p@uyL@-nMWI!&WHI7eo@u|
zreyoDDHF(?c=SbQAhc3HLwUjt`S;T-tq=gg!4nf-{r&F+u<>v}8JFPyh|MA+GzB5?
z@&2*Y!vfq_`BJc|$&bqgmHj`Mm=@TPA43b0=HTQ|N=Y8pMZ20NQ3tVNJOn^FUR~q~
zUrNkMC%pdboizV!8ENqSUZK9m2l;VWNFD-`Eqk9O?GLtTl0oOn+S9pB%`8Jj`Z?^G
zSb9a);r>2dg+tDk^Q@w=+`NjJ=*86E_))%&yGu!qk33t4K1V~zEyyGK65yTx5nGl+
z-uV|7G++2B(FIl<k&a|&H^Q1XGW<C@%poG9bqq|})kuWM&w27jE%7pw-vih1_Lr*y
zw2SM+I~@6BkFB%-roceSwIP2Y+`c{(>`SF|Hek8EZNguI4Wzfw;G39VGzAQ)x(BG$
zqWG2g`!4H?D&ULfRK=&KF+4PQ|LK~EiM-t)gn5O#XILx~vgoD%n-kK%o)vpOa6ZH#
zm2L){TKG1s%N^`bK_KkMl(9oy<_O!&Tg<{Ls-Q~qGePWg(w7IA%Q#XutAl~(G326z
ze#`iEmg^7J{bFnanA{{v$xuIq4E*}mNOl=^=EHNJ@SkJC>Oi`h{Dfef@G}PznW?$u
zpuPq)K!Cnfl5})UN*|tJcleSQjN1I1Kh%QYWHTWqeVoR}i0p<SEN{Ms-$E+_f_7)!
z`G%1jsFkqyI-=g|4=H<g=FG{n*(V}{h_PPz{L%E;5=Z><KMCITm(Z~|7C1Xz<<!?M
z9(okYn<yokI=?Q6e?}PTmEtyg%psp?Xy7lwlF7!#`=Qt+w-C~rPAv5u(mJX5mUZvE
zFoteOQ(Y&Rq%aW_!1Msg39{QI_?RO2g>X9TCryrGHy-O&=HB>-!NauDo0$5WeZ_e?
z{tpP2O9<dWEX?u*Av^RsUYNzttSR+lf4F0M_86=ATwT=@qw%~&b^n^7&*ajS9`0<V
zCTF~EG}-+ci^8u$f|K={+jPv^S9y?NGn_|^h)%rX2U8rg?4r~-|8r7e%-0gJKy{(T
zJy??q$|DvbayD+0Zb+Z|;xU>Tavu;7<0y}JSWWf0)&(Xg&aF&Qj40R6v4xnCl93U)
z`6C5seBQRZT#$#IkS?KpEhq4@sJXKrRWL%no>Y#7J7<WeGyapH?DiQ=LaE^chnqr!
zv6v-{`+cayLff-Cq@uv^g3HsL>+(#o`ji5QA^De-$rAux!Ugl-%I<+V)(9#4Q$rL8
zl*;mc&#WGdIioZ1mUODPs5wu-BZaJo(wScz&7%m$#b`Md17F5%lul0p>`ieA9rcH)
zkXH!;yM^UgZY!~hH)SIzKL}Fil3#`fQars-edR<BeoHCLjjmD<R9sro@u~jx&Sm(E
zP)wRQUtlLY9ZVy!VBI(kWx(N(f}(?N0X2J`AGPeejtjYmNG0K~;f8g?w3N*ix+DBO
zp5jz-tx(c8)H!kSKxUVi2WQkbCU6DACLUDOoCB?03WukIzR8-aH_{VEv4Kb+HZVWx
zfhO7@W&t{T<w9kH<}at{6gXjsx!w(0l;cR~r!~Dt!L|6e0=8^Kuoc);D`sbB7HgqR
zrL<}Es*n0Zm*^wNBe;R4#6@+S@)=7cTJl*pRf?=NsQ1z|GPX$?Y1WA5nrUziJF|P+
zbtVX?@CDN7SPY<_AUzno6mRt>j{7^5UO1RD6q~>EwT@%B38GHXQT0W^#3H1)r_!9^
zs?TFZNJvV`PTk`sz<vW<1L}Pb>vL{AmK*OXTOgFSlF2wa-0wDbM}La}*W3&{S6$q5
z!3{1+3vN(wyg=p4&C74X|5oscQ^Oiv5UpI_GsbFkn6YOh3=|ToM~DQdYAA>lqZ0k9
znm|b#8B}Bp66Pn-7F<$Wnh99=B%82l+ziDcLiq*s=9l*FxJH050NDwCfZ21&RwVxP
zD*Z|#e3chtC)Kv?LL9UdB&~FK6OR%0Tb?D%_1Eac(Y>ZHFp3HH0@836CGyiJkeK<1
zoAcSre3$%|{wUhcuRz%eiWAKb^nV{U+Z6i!ljZU33YiEQwZa+Qe5{PU7>b9kkML*r
zyV#_}00Nv|I#y!ec3Mbk95mqnG4+*UZEfqiElz=A#ogVZXrMrlpv4QtDemr2++B;i
zyF10*-Q6`f1i7rW&)MhxOaA4VBV)cgzVYN<Ra2YvOOm-JJ_9C*A<Qo{^HG)SHoK__
zAt4}umcnNmJ@}3$HBZXk9Nz6uM?p^bUZSpU6{0DxYqFdj<>W??3Q_wY3vHI?m*sH8
zck{JA6@yu{*92{?mqEt2prXbfC@&b2At%9#6-^07josAK5UOToVGvdK!d~WUnH=g+
zQBVQl^G~VDP==}|l2v(<W*LiiR<)fpB}GT(npxj%T97O(y8Zi_{!Lbej$mWsFg-VX
z3^!c#303O?NR`E%Bk9kqU-Q4S07m|Ut#|KEax~325gYnYj<-v@u~?QQkugd>tI?#V
zEj0+{#jaL5O(SwU?FLavdRY{M=KSQs=;`<bddXpaFPAYVeBthPD&LM2iMMVABReRI
zluB+IR0jNJighR9b&=mNBfKrq8)8gDg@K&qvpe|vs%pm&wmBX<WF6oCLwkF>$?3Tx
z4SsY8QAwD>U%MI8rmqn&LuUJDs6flk-AOAMwrk^<JUmL<n#2-5*I(Z};z#kwo8$gu
ze7w*X6B%7u4P5^~B}40@sFi^9_Du*t=qM^BMpgpaTTo3-HoQ?>)Db0({Jk#!$x0vB
z&}xl;M1e*i(USWA5J*}4n}Oa<Pk|tVO~q-ygp`q8N5x;divJM60!pZLH;*_z7EtVT
zx4`o1pc7>XB`@WlDQ;Ftu6Wj(Y5j00^B5vjk|9i%-6`$R>EU_MZ-1XV8o)zN$4L*m
z0*ataDWe4Jiaal_G2|Oe@O$5fQer-OvxteQdo;x~S-d{asAT?qooYmSmx$5-<a||n
z=}#wm#S9(92F-rApgj%x0=4KFD^>@>P*THi?eS&(24SV5w9Y$M9)2pJGZpCwRAj4*
z=uZEw#yAr8T|_Kapk!g7zn~gfs52|*#}}p?9{s`j-^98NTrfEZE)#{RX#K&Ms06a8
zxo^K%=cSMOmjCN-C*vbfMg~|3%tjZPR`kn`A5n;B$wUxzx&5Pj=+KkVu=)k1qz0`(
zUvb{3l!ap=(BJ<pX~93hzT@|(z^MA)LwN|g>IxlU=SNW(OxnvK>ux$JRJO756M~QG
zrpnoPdH$dd3i_wk*6OB?kJ1YbK2Sv40y$^fk5r`uRb|yEqBrXtxg}o|2h=lR6NAyB
zn&q#>BATU20zBTcbYLlPg{qk7EQpjvu--7>y&~O*(O^7vY$Vl?_hYngnP#Mlo<bD(
zsS$tWOWWaL%nKJx!B;3Z##MRL;EXsRPYyb>&;2u{_{u+c^e+`=O+d3T$mae^9iD6@
z#{fn3H8K)cx)9^ryxKceNUlM!V0YaHMGWp$iBJKSzU=P-=k#3|>l61QtsEv>$LW`a
zj|wG-na&dAwVm^hDd<8!mo&=E`wB(G62#iXsF5}^XNW=dO3Wqg%PsSSupM3nQYhvI
z({t7J97_gsN{z;2V^31q@`WUREFrHxlex$fn_aT?g^P!ByQ9md$+!t;RGxJD<mg*u
zh6zNC=zn6bQRuT*XRItLLZjlWV9*~bhGn}zQ^z)g&MqR2x{dNdW{dw6#X4r7Whj#h
z+G#heYbQTB{8|)Y@55*|Op50HnP)4kHVlywr0g56z|5E7HoR#-#Pz>^JO;YWZg4*^
z!@(b<pLZvg(c7;;z!le3ZSeju7Bk*gzn&<Dj454fyft$5W%zs9X}W__yV%`#{N)^C
z6PP^7I7TU}+4!XCeu<18)!k5mTbZ`u&pPLttcJ0if3#A|hlzw|<S8m;Ew$ng5vGD(
zJ|ISj#49-#Hieh464L)N0Q&hxIf<9J3eHHRQWFB%ha_*NT4jI31pChGhad-V|8D9E
z#2^#afis$y%e4uPYS8+fc=s8(hEzv~MWdzmySid%cQ<*S0+jKfJU<PQr*h}V7P!Fg
zii&~0BE>=qzCo^S^%=v&>eevjMCqJfKYflIIyJ}K=BQ&>vEO-c<nQ}0E^z`|Tj|$#
zj%5eZrogOl$t>Xi2R**O`$f@d6lE6#A?2C(coSn$T)cD1#n-C~s$J5UfSS(#2ompq
zfGEegND>2&EnP+H=rm(iw)9(+z~c8|a!I;SR-Nvn_}#&gA#udBFv)G;JJB3)-TdRS
z4P?1t#n;f7EQ6!={}6(2i&VlPgVSA#pYlCAPSlq|gr6z?Rac`BN>m{p%N*bIFmalq
zjsYXfUqYyTWpK|{+MHlHnORaF*avS)V#qt^zS}Np$e<GpE&cggYRowLSlYAh1mnyY
zH)3>SE)JAiwG`imIK2`zn<%+hRmLSdc1XSzH^c`y(r^tvLo22L%oyDjChWDk&CwVk
zu#R2TkJ0Ace5&`J9B82w%bj8|ixNY8ciWZVKd!xM+w_JQ{nidXYvo9Jwv~tjPRDu-
z*VX^eHq%9r(SpgT3+|Udr&YkZK{!aIFrMj^Frei=7ueZ>DB<v(G{0|2i-UjpO*rtA
zq~|X&(ORW}n9y)#-5Yxyhd<P|WGprL0qf?wEy?OMOhp;li~4jLAZ0^ZZ5n5wi^CL$
z+)X}-IWqTh9E0vl+ehJ-*+<fm+wo>Q^`P+e5)NjPx!-j&D+^J?)RWD$w%dx=$>RDT
zyFu#kZB4;OigAk5)h`1pnEaJvMQ&R2MIV>PGqU{!S)I$6=+}M8SXIy_?RP{h6bpya
zaRTo-55h2Lm^09s)%BrR;w=9w(2D)PZ6_CX#gKg3!Jz3C7B#dmJBE{&DC_OlIAiGD
zS&MmL`)9A|LcZyC4`Oza+5L)!=?)FVUIq;1gBJy8Ok;&pDMI5E)P+>ETR^l9;6~nm
zz}@*&OmLm*S~6yrlXxq}3{6t-AYTO!Oy3-rHePB_#+UmzFm!+wT}Pz8{-d7Sutro=
zmtR;H=7LNg_!26+|2|@x+L?JAf+<`2{sBW`*y(>Px&m6L*q-oL%n$fPk27!8`*ryC
z?K}~+t7^=tA)kc)0mv!<*+1&_Hy8m1o$|?WIDxr+{1PDLh`szV8-N}|Yn5FY_n-Z-
z2!!DT*^`M!x&#?mX$9&{_sU{$J=#Bc3>#h)uvOP0{6~BFoPGHi>G@n){k^A{fM98c
z2YvgD)~=1$gK=HDBi+|<?H?PIF8Hs191U?GaR~WNX-)f9yW4GrtnvnUdgWiB@`(`s
z7RQ0ZsV<E?G*HcxKkYvWYqeUft;F0O8O{^pYvBDq3sOJ~^{!rd6kmY`6oBt7KGP@>
z_<(`v@O@nTBtdi&d?ntaMg<k!AO8^YGgu#4CzUp4(whn_J&XiSbv3gv?td5S1${Da
zG=MUP(rZ2JKGu{#x|A~#Xd5yxj6PyQ@Lxq4N}7ePkO^4R0c8Uvq$T`KkRu{9nY$jm
zG5S})m>OmOBF+jNRGeIf1p(_1hWDSS`%{!u&Y2ROrh<fSy!l4^{qmdAUy3xdlv9@N
z50)s%=9T}2DPaT?3x^$wd>Kx`mYv?30epr8RyrOZtPBF8xcJG>jXz;TL_hLP9*Pb&
zL#<i0ni8dwBgmvIkALZ!X!!@a3BteOmdncG;)Z6`<-}TbbL3L_2Te+HuPr_1(=rYJ
z>{L{ene89uDND=+5f<8>*QONMKUWi~#gCo$`%aAikD(-k2$N%wW5E9lo>2>$Vn8zT
z&y5Blhhq*~+%Z2fN9^w~MgBhG$Rk<8lNtL^1$EWKP-#h{))jK7Ewq+a{wXo}V!xZJ
zl$eBw?i~Ghok0rdYu|LV&1!@mS#Z*yKjppYPT5OuC?~6uCD)CmS=lwL6(@jNVTDTb
zxpj2Rt<6P|jTj5|4&HoZ&bT;1EvvPk8d8@biY^8~&yLS4YRa<eQ63;q)b{KexeGYK
zd_uCz3r)tHC)r{lTi{#KL;PQ3+DBF_D>oNf=y?mZ+6BDL7Up(bTzGk%`9`S6r<FX4
zR&SDnt~gEvj5YBHkD+F3pj5yT5`68)&u3E}@;Jg9+-@k&{^;o^%-v9fi?l)yl}5tF
zUDiMR1oz;FzPoqOBjH<C+v=PSsBxX+BddW~L4%@ptwGUZG%q2mYA4;4z9s`O5ka?W
znVc|+sF-G-q;Mn72u}(HSDZ5=BR_$v9(cavfKSBH*^?V9TZy)RuzTvg$C6|K3M48j
zs?nJd0na+Abf4I1yD!+gO^7Se-XAP2M|*16YwW&jY6PZ@*2Tbt((eJM{+l&a@uJhx
z(|0qsp88_S@qA3uv_o`SwH-j86MEc@<2fm-wV4LdkTF?ab-0J#ASkqCWmls&H$N5?
zm1R+y_)sXiwYpDAu%w7~k+QS%?k6TFg_6Q+5tUO)h{RKtf74dwbEEq+xps2E^D{Cw
z)UM9aA*a0*>5+G@LLT4Hk`1tZWrYdv=c#3KbSSO|qB4@p?B^w{Bu7jjZ5E($#6Zk0
zt%Y6#c(&<GN9zpo{sgh5`-h)v^Wc7yaOZb}f0mS<0P5M&Nqw^a!x}D^Az}1+TEvgi
z2u^_-aj)%kDqs;$R2PYi)zx~FX_l<?pEpE<7Yxrjd1V$%z~dhiORMfpH2K~R6W4N7
z_?N@e)2$*I=Ytqh{KvlBe2%98(L8C<9u3ZVr)Hn#!destHD(C|X&T_@jkB}vZ3<kA
z_`%}1ooc0Kh*K>65gs1y=~-{dliU1|Bu<Wh2t+!z|Nno?k_SA_r_}@79GQ>dao^PI
zOcdJOqIe#cCcFaWy{_WG*KrLyizp;;O+U1yG5RLvs<Dv(&&g94BqByea8K@h)oxr=
zXguLYMtQlp^)Y6R<p>XusVXOw76@ES*R|=NCBl<y9_ssMv9EnUsLPjBFL%i&C9W7_
z69eop^dor`96LCF<(-@dXO$O!yfsfjn-!2UTP!`9nv@}@<n{Oaq11_i!gLldC*@4i
ze#|Rjesb(gmycc7;)ONO*<kzmU~DE9>7DNBj*z`?z@MMpOPA1+yAgoV8Gk}bwoQMu
zcu=LJtbA8f5`c;-d)6Oa&z`iU&(8jcj9k|HT?k(7SPsIYTd2^I=d>^LWzR4>Uk?jk
z!+q7(RPVC}!AW&PK8`4%%Zn%AaL>Oor{ObJAMD|USzjnu#Np9>uCFOpPA|w~q9c@7
z`84W3ufD(gz|CZXNZVK{nhY26_dhWEd(?|<oax!1w7`4$7n-J%ju3eU<ffdYq8m(t
zzx)Jsi3&@n5bI|;H**x4435V?%Ykh7M+zdt_{Pi7iOH%6y_<LX>N@ZPYcjKAWx`+c
z`LV8QY9{C8uPDDzXJa^Ooj&{-x`>!#^+A9E<%H~xjE622OVjcT<V9(v4>FYeEo(80
zwbU!qYW6)|Ix8xo4f7_5bFh7%zyzXJnH>i@x>iH})_Xj%JACJBYHLa~y+vmrs^>7u
zZTd?ohoRfBRu1!#LcSpuNpFl5rT`xb{n*l239GQCEI6)8)xjn@el{2<FJ)$w1yhtW
zG<KYYpk|twNcoR12aApyHaz%{fzeN=dz#%YI+chEm?##r&FQr@&1p%?+1n}T(7>5f
ztNyf7XW5;-2KkUEnb!2OMeQP6UH-p7Ql*Z@^K_U?w-$3msgRd*J)-l90Z(Z2*Qj`<
z6u5rCZaA908{#|5sPWE1rRUV@ha~2RnQXYChYQNWJEg}OjCBzVRqB-whMb5`r<>3c
z^Fn{3x*L?j>10g0oTMufVK-R8<S|i0xXG4QZKtVw&QJn;l@CIrPY3N4rDoH`*-+k`
zKRa-|*zjqACnrg}JCJt`rDcPR*=u;6M}*}`ch3>$V#I1HCWGUEn-<;-BJa^*`Jw&~
zrFVKB{LOWb)8Up;0%^{f_Tq?ICHVVpZ8c){jlgJ8sj!g-8be~a1GMuOih>y!nOYXO
zGjUOm0V44zPQZ0`TS;JsC%Yyd-^F#ly&VljHNE)T|78R}iG5&^u)m4_G8{2KUu{lp
z7q$`ze*xRht!~Uk&fi%n&&x;{x}rZVr%Zku!i0^e@@#L%MgHC%gml`GLHxiV6_bvh
zAb_X<HOs+w!oHYkiQ#j4YT@rP=5BgV-I%8fBoT0TY?;@_%~4h?+05OIHPRwGvTh}9
zrCW|#XQ_^BV1sGUfH{?0Gh>P18bx~-;dxW6i*+TRj7gnnw=l(mGi%vRa)H;C+W4v0
zGm=_2*D7Y3iZLX5cqwCJVsI!UP6~OmSQ8&xGyOU#<ao}cN4aIX^D27A|7+yOh5WUj
z00hm*@uM81I}>-@<g;uw?L_v}7>-ca4o?}{>&Ax{+y`_sh4Nw>D;QFU4Ef06!#Yaq
zu+s=H@n%b;-=v9*rl^P6WToE8Yvh0#4Om%wW4@X%$_1K*p)`c-TpWro{wYWFdEUm@
zHOkL!wq?>-=AV-1G8-%9Yk4yH#sd%AymV+~E~a+z;k_a~C$&?9SLYfB*yaG_OW9q;
z#1V^2n<G8J!<mpaU;)}+;(-PC#1eg$vh58GxKO$1xVF+!kqsRG>MI!xD7i>(4JSPi
zp43r6Q@Jzi6J8j3x?$br#_CcZ$RLW~x4nH$`=e?+5Hv_K#<@Cv=pSCo=QTDs%=Asx
zF`vVzQ6Cm%vV~5M+Gu=y$05=*c@dP^B=a?aKz!=%e^|m-8mI|@YvggB9pnR*1I)|^
z|57&-6NHVo*L&Ne{3QMLHrLd0UX4LBV7&P+SGl31W3ibO6_Y)Q2#b<IqwkIq$JJ-b
z2Y3ht2L0h?U$BgFW5bRE8@@Vx!Je-8fsL~SJxEWRtEZ5d^bjBdDd?zOsyHZ6jn7C3
z!{acHrZsn94x6DBCRZ%a%EQm^yBSqh3i}WNTUo3lJP=S96`K%*pYhI+i{;FR_jje)
z?G=>xBZ$*As_eunTWPLBhrcVS_fsE78i?Gl%wqra5`B*l{t1E;%CV{8e=<07P*jOp
zCe*sJ>D#Q2S}rD*Vp<7HIsck!`nlRLNa;w+0|c0rj1A&<;&i74qf7zh-1zck_2*Zh
zy*g)hV^A<jg0w(R^ienFRASo>#p>S{k5&THGn(K`nl+H8{h}<gO`Zy0VW7N_r!KXU
zjep%RM%<}%*X3fAb4#*(6g?z3EHrN;KJB=M;^w_sZU9&%wY_|Lz1|QThn{M^hw$t#
z#9KtI)d^a{Biu|ux^-z$_8e3Mv3xb#p9;Tw7j|=LWeN)3&MNU-k8;>v4bkjGi+;w7
z*^~Ev!aQ$2AU^1Kd3}DQ*rvYvdx5%n+lZ5sSA^#JtQ*r`%}zrz0P+z(q!Mcw*sW&{
zy6g8PtmH6Br6SDJVv9UbUtLI1Lpu0?nE7tKJh<~$<#Zr&7)|6eET_HKEEa4~mXW7A
z*Fh^*<p@BY&MT!9Nnv^|JiI@)#pHdkxHQ^~ab|)UYQ*Ua&vN%+r<=6?E*pnwKN89q
z*UhU5NC({|eueEjV}B+37?Vk^OEm;ovWLi8pUtcLo(eE&x4F=5w9`}t5IGrJr7sL=
z7$R6KApD9(27P`CjY;Q{DKMc=5TnqS!lUYCmvkH4WUx%gH?||a99L3G^q2lxOP{{D
z$tky6<NAIa(y98nM9HtM!(;GAIfq+6MN$t{Sb-zn*O5$w_dHIg%=F?Q>CcvFu0}S<
zn68~@c3ycV-F}v063BfN0<r3{Ez}N8^Cf>iZ}7%<WuN+BO|@5FsU6aoR4I}?p|;kh
z#b&NCTdFd+5vHc&N#rF+VGtr^-kqwZ5dm;ovkf!N?R+^Dx=hbZ54h9C@3;-y*ecX{
zICN?sbld6T2d~YH3mfx552Sga%RQe4H7=&l)>*J6PI9OxUo5!tw<B>GQk)T5R0moH
zVKp{3^6T%$E6H_r!IKD-1SzgfJvep2;%tU8RM?3Bl%Pu4#Jn;)5Y#kr(O<()swryN
zLT<h0Q6k~OP3jM@z9H(K3M;8W-yhjulvRb5Rc>aYEzbf^um#5<TGe84KOzhof#l@2
zH7%Ru`V0$$XCBMYuldL9C0j0&2!U1a%CN!cpBy};GO~UQEqNOO$cqv+8;n7tAc=8r
zV65LeH0Z)&9sVOE-}YBH4%UiWP%7%xhgXktwuhM=^Hnv0If8tz8!j5?W>?oV8*Keb
zRKnjBf^RAw7M*L<b*6u2#h7VnZQS}5K$#(Qf;>DQmQjFKR*{~2$+(i-#ql_=UK}0n
z`vI2+37d67t3H^h?okYtjfT9DPxIW9^As0&R*t(JcPKM1HHNIe*FHafJ#XIfkog?Y
zcwW)|c(~(oaMp)l1iZ|o$rOJt;mNOi>?$yN7$b_DUUX)<!RftoykVZTo&~MQ%$Fk;
z1Z>sKZGwwFH6a044AhhN;m8+X-dh4qSHlbn>gv2k5>Z00E}Y!l)(!V1{k?}lNL(Qj
z_(F6lzLKYryVa0bA_BGCjSul7N)w=-x@A5ZS$f1tHt6fHfRKGcjs&rP4c96a(yILa
z-SV94`F|XN#n0%Iz;H6#l7g29+h<a*K-+3hD-4{diYyR>BFS5!TBTSTRK^ZOpPxkQ
z`w0)3ny$i@PGamQ;?@qS^g3dF-W)BRTH{{b2bs@Pe<8%T=m7_L;zK-dc3kuj+iBDn
zw-J;lvXUKIbWVul)qweOnz`?T<BKXQ+*u^q%!}(lni}`n_cOL6GsqD6#pks@tpmhG
z`7gO;ZRDr7=gyXF<a+kE9_tyW)_Q_9NTJpDt<EbsFX`HablX{&V=U?9^h&8Gd^8Ib
zF;C!NOcqZSmASk)8Y|>*)R5H>RQ~E0m$U_X%bk$b3Vw1jaynny;@IS`eO?x;a_9zy
z|02y|2^#BAT=}ux4}*Wci<0Wm@2BJ2m)0@A;QrYz)DpR;5$p;Zh){pp6_aF45t)p4
zAOFiT{sw)g^-UgDIrlI(|4B{91O3h8f$SMl-&jPr8rG?4gTKrV)pWOgL1xU5-+rRw
zMjX}tO7G_JcoWI#+N3^o67@}3fsVb{DJJ1aRMzx0IDD$IUwBuw6E#W8;ZtaBF5Js@
zNYQ$tiZ)Wly8aeG2Y?^tak+Dd0%0{CFJqdI98&?iM+sn~dOzrX|AT68v|w3brZlgl
zsd%0T$8NfjQ)41MM4WGtlD-;_&?`QANP4mpL&3*mWvlbGR~%Jh7(I?lPeY==%-B7b
zcY&jtisN6a1&Q>%`hxvot%UPG5h=`Y0Lm*q*2GZ)Yn!8j!9XefCrax--!KdhoG&8o
zPZbF&z2BmUgD*TUcr?9_nt2XtI!Vh}QBYUGKc8<WUu<`Mid9_TKrM_KbqEZJll@{=
zi2E096#EyfBhBuSIBmlG=w({<gkkF%!HMG^mB&*8w476-hNruy^8Mj$4}`457CuC4
z#YYwda+%OwPyN-!HLa`AQBc6(MmR7$H&YLLW772JGXMF#pQXee=hSzJ%OI@W{ZY|!
z1^*a)cVeB>;r%{Hr<kX)1kUmOl(t4PcUl_xfhAKp0!+^!1EaXD9`l;n-A;PrdjEF7
zNVMFozt;UCihV)U23)hAW~~|4@sVRzA-Au7EQT3m)bt9QRW2B&+NtjoV-89zwp%VO
zQ{^v$1O2-)yuo4I_Fe=fOQWM2F&AU7lyR={ep`B#?s_DxWVVu^YB_8IN3<{m8qc(u
zc3fK6FPaooS=I%Q`hXTHQRyp=E&a^5rybj$d~L!|m>2v@hUYg{7|wRNb0XPa*tas*
z>uTKrqL?JE79njtt#TBXoqV;aNvv<ChOi|^uGuv|`gL<B3Nw1Tx9z^{8j??LggLZS
zF=jIbcxkTy3BCc+i4M;QzKLspycjBCTMA5&29L+?ndCENw=C7NdKbdB!T0MtK-^oa
zeocumYS+io%j_-M7V_ShvBUp4`I}o>A9Fv>|6^`3+-}{PfAr_?C61CdD{2dh!yKfE
zS78j5whO7yocmurcG@d@=A<}h{AbnN$0ea#7bjxWb4TL$+`e*&Y^*uqq^iu?zG4?`
zeqA>B1ruA>at1j&Yb4MBBA4sVN(0yxO;znKr-hu7Hh(qd(DqqQJGxuN(XZHZ<J6VX
z5JgjEvQa$CLi%jKhSqelEMr#Nhq*QMcF`Q7Ij<{B!EMb`-QH%C`Rccl?pq8cyjFy;
z|G2$1=&V=2YS0_5{_*^#(I;Undq<hG`?s2!>>{O0u9=z1&JtG>N`Q8QjI@1hLT^~}
z^PK_G*4~JJ4!az=SAS1<-avh!Tr>}Zfwwu}O4`~cuqu?^$8L$Vknp#HVmNxTK9_Uf
z94Jf+@Dr>eZGNzgQhU1)OM{%~Y#k+SZ2LB&ti6cRGP6)1D*DKKZkasa1W9Bw3i0_f
zdhNJAKeb(7E^@qOqhK*Bi+)UdZMWWhK9w1Sle&dR9XL~afy=M{dSAb=Q)55gLlh+t
zk$C=DYW5~8D>zIFe`w9%P1N?B#VeG^Tx!5F6KCmR-2CC?g1J}p%?-WW!gxUUgZiVZ
z#ZR(O=}>T2l=o-j%vXc>eIxSO4d1xP2f_^PweSg|TTG9WXf50RA)$Whu+*ug^^m$#
zfp}Hf9<LxT#Lkz#kRn=K(AT!>r?94@Cu#7aedW6u7?ts-<?nHHQf5T#mFdHwaYwk$
z^C6FNQh5C3_n#XsTj*)>22qu-)>zk$xl!i=_V(8b%9^8M7Zpv1p{3Oaj1xNwFf0Nt
zNM4@fhCddU!xQJ7Vrc|R)|9g>_Mr&9x8*O#dOk~n`xZnET~gz8qy|)<_%tJ8pI5hn
zdjS}<J|8jz({}g1>yrzz_*gyPxo37+vNUd2<#t3}5VfF=^X()(Or(xXPOS%!n$yuS
ziS?}lZ2FH5HkC+LO@SYw0p(5mS7Db)D;GV-Dz_#l_&{PyfU<HtS!M>{%Pw!JJ*jUT
za}%BrkB5Al?ZqC?ep%@hf4tvC+Re}Bn`HU^k+%KmTJV6-M#OS^M`Y^w8#^-qf-LaR
zU20Oea{cO))%uFnma(z*@|He9B<V{^=l^7LpUKigrS^(aY9gIep6f?X|Jd6MQ|q*X
zM3ZSp|JiNBB&Vh`_oH{yrdrd>E6vnuw|hltP=%)Jo1&sY<;&;(;=)YdH6v;aQ!h=A
zeQ*<aJqbK?kr9aG{otzkluEKw&<PN8KJ`=%AL<k11_WDsmf^m=4CM2ix1CH84EBKw
zr*uynKZkRr7^c}0TDfhioZd&o+4g5&bg6gpLBDy~qhG9jcB8t^4qjAKIrCSV;71A~
zLaVpjx#eM>jcBdxgzD^ks{GMmgp#tn95Z5^msf@%=3(TxS1cK<-4gWnj5_}JQ3wzU
zlyBzvoD%aj-Ber<NxQjWZ5&+^pVAT6Q`#o#J`GO6GUouJ8kd8dO=0+Di%(H}1@y0t
z-#`nM8X!=OvxVK>ui8vjWl0|Wuw<?Un3Sf5#oCsOis8-(;IAlo2w`KlsGeDR*msWX
zvqUB85z9vn({aHbnRn2?Z&?)K=lm@V`kZF}SbnpU7U_WRo8CBLg}W`{?C43M?Xi#U
zaXlB%^!&79^Duy2rp9ut1ECRoOSsSnFROAhFc<#nP9qBYuG0xss>a+y;{9Upb!OF%
zqV@&_8_(+EODyv0wo&`6p@sHlv$(PpsqH0(Jmn>A<!tR?2bgUBBm_9OZ@P`iS4PZ=
zmr})Z+Hm~LN1&>tVaP??x`+Cs?H8gIWW+I9hbzTj^7LDlJCoew`NCz?TZOohYQgn*
z-OP<fovq%Ygkpi|?I)NK98y9^%F#~1xuu!7xda1o+liZis{#DF#tN{f4OX)k=kEoH
zf1cj?(~Rq(_2;cX2DyB;jV(jrg*WZK1n)NJ*ECHGlID2AKLOLDWM#YhbqTR7+*%HB
zDXng{I|0Vz3Ou_TsB7WYgwCHra)g;T>5gI&{JOhEmI?4gdQ$cf_C_Vdz*YXEJKir?
zk&j1WZR@9&lyTZgPC&0f5(c$OVYPv4o}(u2$ys|WxtC=cj4jFLOptGXb8H@^;@3GA
zML0K+!90x#K2Z%^0A<$lGN0{4I`>wwkWQo+imXCU52sC<_`)`TGSE%O4OvK_g{VI2
z8TujvFF`TZf5O`P37~1S(lfXnP?_3@B>3jzIk{4UfeLsfJWNlT(1S_f;s9sdpNA~X
zu~mMHA?B>-%yK8qJhu2%f*~R=&y7zBx~Xgh&sDDbExb13@-_zy=Di?X8OJLhbsb}A
z@tpZzWS49cdpNzpu+wZ0aM5^^bhe$#!Au{n`Am%6JhqZfZv^ziVMNOd{?65LhfR8U
zlp}1|U<PZzx8h&+7<2}#ki2rwWqS;cj}+ETj~`lXy{y#1p+29{w>8<oo;RJDohqC(
ztICPu*qU0I_S;vs`P<8Re)4YGBB^TyO?+_}_>*xaYT4GgW@2XbZ9-QN?g;~OVs9v^
zfAr^PWslmMo8W6>$=q5aUbE{Z3L=F0#z8QMgz(-ne&dDp?k6kL{5jg|6GUgT_qsxi
z6+qxx&%b>V<c*G3r*Jd76QytIClD`oNadH2;N;DcpK8?XvGmwC-fk$aKt+{1PZo$N
zG3eBQ1j9*tg+qc(7mBe3Stc6b=kdsEpRz{FpsI~c(G0<1x0AR{xfzm_`L{sYKo3K0
z!8w~pQ-)(XEzdWXLOYb|H&bbJA2)Nj_#Z1?L|1eJZt7-d*G{1ayc|Xhu3Q0+yA1r?
za7?bh?pVyt`$Xo(ivUsE8B6Ht|Dogh^i|ViY)o<|33Am!WIN^9xSb78@|OZtDA?ZX
ziD_41)$9FIVK2x@*c2P7-YHm=ayCFG-JU%p?sJLzuboK>@89kuUSIAvyoJtRPf%Po
ztZJh{xeQSo?kHBR2aals=o@^9EbW)Lg3UkCp*UTn;ouLnU6C@}uIL0_PLZ0xzDfqM
z?C7g@djU<4TU3MlP|jTyL0gs18$l3~HWE|;8}5#~Y)>B5Uj~nz#C>8(s||8oC3`IE
zQO4NilyuPnun@w?RuUIvRKPRB$qUWvUD63Sy^<*8g2-NA*gg>C#~CT{$Dw>lu@iY@
zg`8*0_+WdeFtbldUci5*<Bh73bUZ(0F!x?7j6YL{5320mYrpp44n4DvjV5Ebg}4t>
zULYKv*z=28x;OqXNM?7Ef4cU5Epp*xW&05>C24y!Ze0B5MszI+n{}q2&04v0O~-)k
z02BA7#KsF><XaaGTP|e@_Ef{R;qy&+>Ezi#H(xHC5bqAE%PBZW6QK6CpOh?zl~$)q
zQo(ny;9_7Y-<DDB^r^(D_XQOYGI0I|U4VnKgC;MZP;E0|w!G+y_~v=r>7es$_I!WE
zP^oJv?JQ92w5uo(=Ym?M9x#`_#&eTOvz-B-`Ilot!0%+S!!@C9CoUoEu7APyTK4|E
z@!oNZVAXuUwu@0n<n+Sx>UPlHbaRih(~@dE&?of9%--aJs_<|u3QrQyYSoIJx$Yb}
z!qEB+ug%CbO%&J;)fcvFiysop2qPNdvQy5rXui>7d%bbqQ#&Czaw31F|0=`0`kvjv
zF08uYz^z>qkG<XbId5@uZ$zM}42K$>`|9Y}GZ4F93JcsVQt-UcY-E?tSs*)o-454z
zA-43(7+OU*Z+U2ZfIz>I7bk|K-#_76y+EK{Hecbvmw@}tB2i~Y7?qI|)GcSVbs#8h
zYjasDHuoq1Vmo$rPhRN)7x{2i-LzXHwAB_T-^)A)%Uu1Gdj6D3oXO#uUli`p5=3;W
z?bEmd56+$-3Ti!fhnc{Dq*m|{@y}yp7FyhJmiLxBuMv4C-ElGXkyN(eWS@HME}Vv%
zTelFY>3AW&I-JQiZABgAu&3UCSW}$vyeDhg8}Hm&$$V@ot?`)8a5)VzwtY+Q6j|cS
zi*5V5>;w@el}dNn$$i4|{2ge>V{m|xQL511`1nFAdFuZjPFSoU<RybFHG}MU{|xWq
ze38ic4)X&DLKpMDespB^(=lE>NeV=JsXN?|CED{5ZjqS%6@27dw@<R^8pHCR0>UIt
zr7Vg;5?YvT>Xvd3W}j@i>-IIo?o)Nose?d6iecQhBf?<Mm;$%awS`rm@$X-S(u}tj
zIlQAPy{=xW;o`TOlqN*m^Qefuphq^`zOb~lf6DZjIJG5c+FqgoAKEiKu75TdhoJUf
zc)L>%>nkE&y#A#r!k-Eh?eHSkc%*uH4YKNq$=vXBVkmiJ=&7rbVebARfb+ZNW6h4o
z#fWpAls80b)%L{i+}wS>uKD4`5yv32SphL+x<)b0d#=yr8Z#)`<8Yh&?qiwYp5$!4
z#^r$9<O=ZW_jiAn&e^d)LG4bNBr1l*W!+`G_SGB0nfSGpqIKxtJ(7$Fd-)edfic8F
z9ba8Fn(@w8vPkuGmxqp4@Ltq2Wd(6u;!hu)wM(4FrU>Kh@ob3~1eVSl9xrc5C&&d^
zcWGJfl%sW(%Ju2Oc{}0B$Sqw`Vk{%`uPpb*@8({RUJ%iNK_~QQC&+r{z(osYDM2gx
z{`T|Cz$=<iVQ3JJ;7dAYacn&djg||?+%N2{ad_?S)=0s>VRFr~BZJh~{CVLsAd--Z
zt|zt2GZycz7<4cexAT+l(Zj2?RX0n=Rfoc3kjecnbP!3DkdB+`YS!tg_1gzBZ$RYZ
z-ke-_LA_%PgPcwt&J?jM36*7_2<*edK~(Q^lZG^$;B|uarquGSD_}8XA*oFaLZlq9
z{9B%%%ndoE9@5qHT5!TzN*;Q4x>Rec?!+SaxJRN#niiSQFh8v-O-T;|@-sEAf{p7Q
zK^@VDk5k1s+qfm9Vxo9*50AViKc2BGnh#vdT+a{%UNr!bE*tNgbZ(~~auLA79Y)V&
z4{jCG4DdXVm>U@`s<B_sSKB%B6O6z~Y}^WHJ?}auAqrTcTB4{%vOSM$r?|K+y}Xq_
z<z=@5M2RSa-S4|L{_0fllNeU3ubwV#z^mSG4%RX|Wc)fYm5_{&%K16Z4D|d>oD>MP
zc(0V%=i@#ax==SkrqdU6-$Lx|X+);V;(^H2E=tQ7hT(cdnP_yu%AGOqRDc21V_;CX
zAdrYK^n(l=z!xyQWW(J%rD>pIbntI4X3_4SS|fQ)UQQl@3g>*{cqREKa^V}OTT0ng
z&`b894mM(9cN?KxRW3}}w11P(Vd0^@QYk-)yfyznji5C$(uE=eP^xM7uJ1|+iL0@a
zRl;yW60nH}4+*2;Nn=0X7KRD6o6`gDGgzRr;rNAv(z(2P<A<fR`r|&|&^Qc49Z#ps
z!;qYTiBAm0p}dQuk~v$lJ-qHb-0yBRB<J<T)??;~+Ait-41V>V{@E1T<!<cBF_z}d
z^^wX!L5f_GEAal@73~xG$D8~9j_kNE#hO((^wPs7(D{hg%s(UMUlGi%7BdFF$Mb~f
zkqg9$zN}0bn7&&A(X1PWmG=f+Hy(*=IMVx~ZVFt2RT5M~fnLa8+k8||$|>bb;=)2m
z)R>Dz-K^l)MUNg1gkFPL6jcr$Fgqe&?w5JxTzWBS&VeFz_pIq9#PC!ZdtQ8z58GQ!
z$B`0~OC-HN!*H@wk<Mdb60kwAv?g7|jx0>uLgC%VOKq9jHuuZl{;qk-VD*<uYg61Q
z7l!`YvCn*QO5?E&pnMnLkxAOmG`{f#gZb#Q(5R0*a1i+Iot!9b`#ZOd3fl48?0RRk
z(skFwTcT(YO~K|(a1;g5+(tK=J1Hanu$>C3mL>V4cN+_$VO8fKQ}>(ap1JLIZ<yzO
z2PBvDP2Az`VQO&;r*Ur@*&!(8PewcPE=mL^Pns}9AmE0FsyIwlgOHeX-&NUAy%R0_
z<E8`QRo`0}CXIGSbL(l?Bk!Y2z@1>Xxhg+Dts!MT)R{T>>H6Zk7BvxUAJ?MyhATxz
zDyJYfWOj5QQ&isIcY`T*M;i>O>vY?V3ZuobDBK1C*2N?1{=}fDH_3%gm-s5XU7<k|
z0B3WFYGUT{M3GTzM)>O2?#oE==g8-+sIMtJQ;vxFSli~AkBVtL;HOpy8HC~>M~HlJ
zEo#oZmG#?QUUXxr@&S39ky~Q|Hf3@5qYK~@-K~h?*Dt0(5+MsP$_|$43SIE;b4+Ui
zhiPpAIp^t}`0bptd``haH`zg@v?v3G8_*o$lB(3_@P#a_mrO$5esEv`Np3Qog9h%%
z+N}{v8_QSPL&2(dgn~zq8H`IDV96l1C6}R;t*IadE3wd44iDyZy#5yAOmP5XSZ%68
z|NRlwuzbiAD;^_2@MFSdh+BeaXU^I-@b7%!?+ir1TX9C~!*xrBUybyHkOnR#T)MM0
zStBkXwfwJZ-;k{xnCLntOTEbf7|a5tKm1HgUtX>{h%YL8TfUBTL{Xv&6-l&GOw%lH
zWHii~AfeQ(#Xp^>%kaa&D@1fTPH{<NuDoV2|GJjueMCccqZ~|*h|J1%<PC{K-nG+v
z931QH4kCUAoY+fB*vGiM*KrKfk8pDiP(PtmIRCi4(?E8Bj{!k&!!lb*;JqFmxB6?o
zknk^xxl=CHRic4m(X()3!6IuJL7Pn!g5ev_kD%k7pvwvPir!lJ7c9u>i?+v>xx~(-
zpO7y`EW?nnGtfwbie3r#J5#FI9Fkis7-cZpQs}Aqi6!I{hYi;8K<%5y7gRyXxhx!Q
zyWJ3q?=Ej4FtMTW9e3`H-zgWv=BX<A9n&r5Z_n>pB&~*ncXYkE6Wf=h=;Q=RgoVa=
z&ygO82KpX${`&gW5wW9XA4gV3DH2kWt84@-emy0{AQq9kh1d=S2#J~!$AFq<v!hWt
z4nD6yE~QjsJxWB*u;VJg<K_fl!<x4#FaWnz-q9;a%lJDMHA+{u;Pc5C{3OW}+EtFg
z7wp#)ytcU&QIWV3irSLz$-2hkt^-JJneSb8<*`LqW%fSTq;Z^0XtWbeYk5rU>yEKq
z0O8^L#W6Rlm+8BXS`%X*BC4M3OrM)F*K-K%5jmMX0>%U2iV}ghscNs0@~3Z<IAPk%
z+VD=TwdwaPOQWP4Y$+4(#yN!_ak`+xWROJKdKUC;NQO-bjtofxlL%Dr8cG`(6lJ^q
zni#L;e*9(2jUgQPG)~^&7IC9DJcm|zy5okc?W$5tZkn;wg<FOJuczp;X!*3)DeS`r
z2YzmP$`4ILIfGv}X%x!w;?Al4cJMH7SA=g-ZX{wuaV{mdezJz;I>U6C!|l+R>-BMn
zlDb(W0M3f?GdS3eaF4bmyH8=?fkTsZW3o3E-wl|m$yf!Ua*Y#q3gz(_xZOkEk8724
zrl=`KAKdt2?!Z9{JJ`mmt7?8*yILF#LF5^=&mzh2r`%sk_VfgeOpN4&0pu)Whv$%*
zCrETXn909ToD*NlPfDkFW^Fb9nW2BkFT^ol4*A%5`0$WWlFE!tQ{hbD7rgi0n;?ea
z{39in(S&{MI)`l0?w3*a<>*%9sw0mBv}%&hkOA##k%(g{Q3fDTzHsBViNl2BOSxPQ
z{m9(?2s@b+#XF~vfYyGH<C&z;@c|$ISYkfE<BBMGJmgbz06J283?gRaDpdF*f~mDP
zffl%d8Yu2e<+*jr&Z_WfS0evjE;@61WL@uq<S_rEM#&l_Yz%viZMIV-N8Z7X#KDGt
zN_u54Nkw}=pphEsH}38Uz%4E)p2p@@kfcxDSnGFGn{)qR4(&(ut@k9H62tafFoFvA
z)U4lBh?lr=9rC4f9KOg&ihw5m?^3oE^(PQ#{a2>EmDSxV;0$mnADMYj`cs@TPb@u7
z^8rEVZ7PH*!h8p5(?wA~gBgVVS~s|{`xoTQH&-EeGlg2QqGH>|4iF;jDGuf2J9G^X
z?42K5f+#I|-<#V`j39wCgRHt5qdsk4ir$G^n*%CZpUoUl6z%A8KLnB7sat$--lmV0
zt?%}Tq6V8qS?!dATpDgyVGJTLFP58}#s<Oa6DT9I_Ho&%UjyxLG)jO*^SJU{e|9(5
zIz`*O;W0l3Q+=UR|Jh;+BgVH9*ZBDqb45k55vk*9=zf#C5fHJ@P13I*K@?W$v5z^3
zf1I_JesbAaAsDM}`moR489dyE_y?O>)f)0%Cv|IVH4fyiZaC*@D1~hFna1(J(V|XJ
z-8wg=P1%A#L8$FlK@*GX*y4XTR>BgoMrh#(b_FOO=_^}p-R$qaE3&*F#R^ro5C5jl
z{VP$QK}=Ufd`K`9l8Cd{npE^u9AYhO)nHHz|5#s`sh`!Qi_7cqvzUe54wT##qN5+Z
zEcYAr*9}!FZY>+c1E}tWwZ?}{8T@lVdONQ!gc&hRS_+-`P#7m9qSuXRDVCKKIFxjl
zg~meBz`@5H0S7+Jh~t~b_{hS-Bud?>aXUFKO?g)n632_^NSRn#Pm$ziWwU&_prj9K
zutu=pM`&8{f=)RBP!FjGj)1BMlr+Zakq7#va2?5=ycibSo_k+@$jB3!eyN@)UPQDn
zRO=@=dlID!NP~sneA>tiE0IaZTf_5ArcYOG9A9s0^FTzIrXIwRZ~q`vpcR;{JB{O@
z_DRXE`e%A4nKfN~m>KrFu%7Da46l`cjj8R4u2Fan7qYif87}IL>llUdc;pw#hU`*+
z%i3O_&zJ>XSH00m5pU*^P<L8|K5tLCzxlT0u^gk5AX>Ubfj-Nb=qo3YH(j@c*_@q4
zDTdMz%<P|q8hCqr`V6@gEXo@$5s1-r+zR1&@$H<-kT&zBlsrn0L|<2mHNT6@J;uUY
zYOX`H=Wr^fw=1dAE^ACUHrI2_&z)$qCulcRKiMf+WXP1VChTE2`poC3)9w(mQr2zy
zaHir7T#4D}_Fh+)t>jGFsrbpcuXGi^9$8W_(Pc~Xj4ScB;f`5b?w;8gFPUa)s0>(&
z{_C!($o)t~((TBd9(1)jH4z><W3Qx+nQ#>xIrbN=o&C(YSK;9{DsulNRpW*pSlqD8
zn|q<-SwAthURRuy=P(jRi&fh}#sn`U0Ku5;w5L3O*jRa(=xN-^bl%wAr)<8#R@V68
zH$mb~E(dtJR6yFeE$^PT3_{5BqFg<Uz0@M#%1{WbK1~Jg%o9)nEC{N<>0DefZNZU|
znl424bHxY0AAl1i`PxsbMKbnMmoz`K?7MxO!lt-nDyn-Tt~(=s`C|hP`eQ8Y7J4it
zEQYh8N$%^_apKqeTN$`t#%gLdcDzqWF_au4X_^&L!}4XzwqGgvx`oS3O&lu0oN`9S
z*V1RCeG6*Ncg=hv@sW6&X*8n^VLUN{g+?Is(9Q!Jaz;;iAspnZ(ddD@VT|@*(hEao
zD4>qEp{-6%f9SP^=}|h#mM|p-5OeL*)1k<3Y;8?<ESd?lKV{aziY#7k1(!cu@#aw!
zLTUV9l)jE6@-$`U#YK?pXqtsBcc4u|v!jz`CqGzu&=f<Z-*2~BD#kLoE^f4-C24zM
zsc_Yx7jz9o5w!>zB}#~$BaM_Oh)l3WbbNextSBy9`^c|i8QKm-QlK*St;M42at-$!
zMQ_~~tRgF}8)x&P*gj%@#K)Bcr~3kpUU!#o5cGIWJ=!9o0D_J1^TG*=2D&~u;qwA6
z7#Yn*gb!-GcU()5=Fa%J*Od{|Ab#dmZPl3ks#ArQB0nJgD~A_{`w;%{8asSIQc{c!
zi*|lWOjN&E&yA7YDqhm21Srfy$g-I-_L6=&DI@4gouA_QhNCW>Ef_~fD_ry*x7=z=
zB{NaYzhzAd-J>Mc0D6zmuC!V=NnQI!wSh<#Nqr*_rT(6Dc6p}_On7%RkrR7NQ&V3J
zalh~RNU}y!Taw$aw$Rwt>p-Ay)A9R$c-5D)ZT2MB><5FC@o3lh+zB;B$-#LSn0F!K
z$a2hUG((8wWISPU`0zFGy_<c0_~$_)xf+8qJ;_&%J48;1s$%_Zh(-5cS#g;MtoJm2
z(O)QZg?=g^6yTt$i08xuiyj;imC_YzHtz%j$ay%tN#uV&cQI8v)fpZp{hK<2#MrxS
zyMM??0W<tt^hpfa@<y!N&ifP;7C+?~#=sbw)X@CB4R!>JC#AnmVaOomF3_ozy28i(
zS!F#V72e~51b)-_UKeYfX?#qAU%*HhggO7V$^tUEK*v*>DdF?@5>c_|?d~Dg&MH+k
z)fT7mR6!Jbvr<;)eoh${mcF#3xn!-MLoDqxthF`0pbN9<SP8X6dt+sesO=I3H5Dng
zhF;>sgv`k491%IR>-46!-pSHZ`Yb*pjtznRN~Y}I&m$wGfwgApIMr9%bAcsLq4(5`
zk{ISyo}#+$!r$aa0{ypcdfbPFu4q+4roKG!v!5Mu6x+$~^EQhU;fc7M3CV9BQgj9n
ztea&oAmj6v{|UPAgq)1~1x_0!&29Z{Hv$tK^yu!q*=%8PN7_WC{Lua#mkFGq3b74=
zka)bU7iE>kS-7pZ?v9s&FY<HeoHX4!<Rz9Vvs+N|sr<_<@{r-grAueq&4otk>HVV4
zRX04IKDJbNa#bIrLsH7h8DNUN{xE*o85!())#1h0foykOa;!_x_5Ln%poU|gR=j9F
zo49X=6&47+GkCSz89TfQQn$ii=Q1uV3NyUp5`mCUuMbi-x39FRgBh2PD!j2!g|2jd
zu~`AL(nHeM>uJ_5;bO4BJ6k{B{GTFy&_NEY--dvm0+$N0#ux3V-%_5q76Z(gp8)`d
zh&HA6QN7rUt=r}-?LgZGMTMbs3$?nf_d6RNk6hfuD6miO=~ivVu$m5Y!fdAca5htQ
z9!IIsX?7f#43(XZ9NI2kTBly6a6O5TY^V0Pd3zd)F;E{3H~H|DT4&&^M(Qw_KX6oE
zKDu8fxo3hB`qGgi$zs@z0zr{Yd(&Yy_i-#aZFVfrM=d9WcS)KaWO9Q0=Hh8G>~|}_
zz~>nYnTum2E8&MDJPH)keW;397*TcU<#-<>eZV+d)D23~R1;P!fmm2w(SpZKwk)>Z
zO<zE;PWKMEQ6voFs8Kf$Qaek4c#oreJx>r8b<k$CH_y5|n1*tB*ToGGwvd_g>|bKx
z%pgu`TF_|AblZlSH_TKVA|jO*zKNwsIhu!i41`ysd83>!zdIZ-rLQTfB`$~$@kQ3#
z+s(@@&kZvZ_&6KAOUpo)hyGWavC#1)b{ivf2s@{=6&1jl!|i9q>)9pDXnvZb=I=2Z
zkEOpnNjmQkp~)&4KqoCu_ZS@?pO_Q-OV-^OXZeUOyDZ)?F^QLZEIn-n3A$@?cHT!D
z-@TM<Nm)e!sC6m)aD+!$O@bMb@IFNAeR54W7pnb%l9>2JMDUi6^QmPc%x83bz4n7j
z@BZNyQ@P{vu&;8jx0S}=?U6T8`OeI+3$(zi5-?^9`MR@JpADv``optYWFHDDVVJhm
z*qZxXGw!KXH==~s=h}h<@XK68zI4)N=L8_qc=^iaOw2e(Ac20zCZuQuqU+(7dA~Va
zsFQs%!wnv@_JF2&+XZ@@zPL|6?4xO<;9uUQR&I3!5qEV+WCrY@F4Co}Bt_I5A<+UF
z!xb5zn@+hq#g8T;jXlX2)#oBmJw1fJ#7}gw=?Hxp$n<7nZ~7s0-CLQXcLd^jeiIbO
zie_|huGbynx89C{oJ)XL<u}7KJptK<xz0E**G6fMeWE;<wK{*-FI;hqVjl{M<=P&%
zIhsz!4?sqfgJf5%eiu_QJ{R8j^Ddi_*Wj60FAwkxyrM6Sf2Wo$T}A7KX^SVeic07k
zWc47&jO~b*wj_CcNR^<S7-ci6^O49X<56@rac^r(EwhiR^95GB%vw~CidiD^!(ShG
z;=uHY)=w8VK~>KQ12&X%s&Wsn&Q&v`_+=XP7?m#&)7AR|l13fxk0rEtmqRRGco$FC
zV=lFTV71I9ES)zaZaJQFmp1c-Ke+g~-+GP%T=x2sE+=SSgRU#u;p`c{j(G(tYr?1E
zY=w@z0=aNR%s>6_EP#cW>m7uA>g$8kNEXjyirlv2@Lqe*Nb;K;4*#-K!r9IzPA{jY
z=0#gKEKn}3e$7^_ntB-Y-5Y|CrbX7L@h4>=a#`$-;S-yc_BRpuv-Rhl<7+fC>+Y!m
z4`L)UDYm}{Mtj`>E?}XF&5-=&rlaE-1(6FO^*)Zvd<vm39Jx0NP&2|fWXQSN=?L-R
zst~mRK(O9Pl>VdXl1bqD(sOYAk%H$MB4Nd~<3w|S{v}mdXF}xpDt_iNd(BAcigI^e
z)HE%3cS`aKBINO5|C;Dm7aAIrK|~0jkjT?77|rm6-TM7yivP#dJBP=?J@3O!8rx~?
zY??G^8oMzX+qP}nwr$(CZF{3`?7r#qdA`r@{co>pch5O9XYQGUIrmJh`;yd{!UTNw
zSJCW-!fdQJRp1g#moJyq(iB0i!fh#0T3Cx1YLfb3q!3BbR%EQd`K~|Y;I&g+z>8SP
zT4Bn^%Uf`w?-(Q3fs-1Mttx@&cOutPoDXS^w@z$rzO!;XKGHwIfy-g+6*wBT&E)Xy
z;Yd)2e*_&TL=sc*OM}y0PJVIn93~I0$z*Q$IH?F4d2w?4%p?KRCl`PJfyzM@mS$&p
zWgb5b+}O!O!Ti|aPLGwoF2aOaaURLrStkj)?y={Y*-0Tp#IaNO_%5%b;{%e)@VzZD
zf>=Z_B1_DKgCjYOOk^8#Y`}^EpE^fOwq_(L?$U)tv|80=E|of2<OOxZ{Xu?}N*4UU
zeT@QMXk1KV{{<Y_<~|+<3$bTe!DYt#3G7|p?<{8{#%4Lh++Y4bs6F>7x^tiPE4&^$
zM2H?ECh&iKWR^S*J{|A<etW=Q%*aIMz(3A-=aAw!hARuY-N`+p>#6_K5)0LC&#wDB
z-ycYRVOhCym}4z-;B+7%cxCd2<{yn77Ek|9fJNwtkmcoys<!on?d9|uTT+o1=+V^F
z9WA_H62>m-7>?|<pA4(&`8d-Bo%4I`1%<fuW)8i1UxJ<|3}0O1HsK-?n@99IU|`a?
z+Zj&F(-yVLb&vgnR(H?YINJ}esw}UP3doOqpWE4qQ&|b-@iKr6NXT?!#Xs$vmwrV=
ze!uzNRE;JS=;|R7JUh1$pw-pyPoBy9yOj*|o@p+E86(As!*0sm0({lpo5Fh!(GXv2
zXmYmWFLZ*i82}CM$`h4@ACC9=LKFGY{CQ_Yj4ax1g{~gfrRNUdce{?Qo!!bs@VM1~
zsnw>RWgi#if<L<_mbF2P;<@80`}O#H=q7rvot`I94;TFk2+Vu5!@hRr#ot|N{F+q{
znBsl;sMq7Ktp~Zu%lmM$>2kUXkWo~ffZavuR%?tsxXLL%?3D9j$6K7Wm1;4Up0g}@
zBFJ!lF11P#`$c&BpuhZw6G@xcbq_LG<Uvx7x6{S4^TlkSGBHUc?!5dXPvi%~%xai9
z-5Wu*^sn4RBKn0lnBk4KwoTh-Yj1yg4=%G8K|?k{MPogRTF>e#4B5+s@#>B>F&Iv-
z9h(fd>vXom<>a|fdaRdS7yMkHnMnL&`_tKxXu7gqM~9~TSO0BW_@DG=%2DsAuwBcx
ztCjRQ#g#b8S)SBZt=DraZ=4}b_bfct7mxS!PDJbm<wRfCb`#Gm^Dho#=iC6DmfyVX
zv^z{J@1#QC(Wb$*Irm^bF3>znkneVS)Bgl`+idM^L1k#4?8ovi-mbC%jk|}WyS-qt
z$>8Pjd`~u6UzJ&ZkAV7j^C8@v^3xp!uxKcS#PV-|x-+lKek6Pl20)#VG;sFYTdaaj
zrpop@`#d#x|67IS5mzzOI|PLp60s1$@ifKqnU#$&j<{RK>Q7UJKr_*x5xT-|<hyd<
z?8=(hg&$m*AaYJ^DI~iPW{T7e8Y<y(wah!qL|$a;Ea*+8F^>>2B0H0m=T}{k*P%@Z
z4;3>@6LE73TH`Cj<sd6dbG;`f*)UxDnmRW)I$xHIMh59n-4n?RQD|-?xsOVZNzVAh
z6k)OxmZDM|B9fzQfSE)$DFxgS)TgcrP4&k;CwRQh4pRaN+vmbjY$^fNMX#{L7(k*N
z>G{`}92ZF>c1{GDgiJr03@SSues@YRo;RFt+vz1Cf?;Qq)?PfLcjF&)hw4AT-Jmx8
zQx-&>y||}Z$xG3S=~zk!Lb-nJt7wTbwywt3;6Mge*>K;xGC^=yA6ZP4RQ5viI>8{l
zJr0|CaHv)en@ezXUBA^c<hzMz{7j6;)^dk`=aC|Bp;~SyrzJyo_uk2WT*xINJ3Twx
zrHQ;EkL|vu+S8Cm63LB&e@wUTLQMX13I6(4YAoB`glS1mPX4E8S@-T%)n)pHC&YO=
z)a?yacR4u-vYyuRhd0SLv~<UMee3*E@N975N4*vmRy0OcHss2>8J1b~MrPG|Bh}Gq
zz}&skoGVdyLy(#%?;lN2hmEvy#jRDVZ#8ao8RXA%kIMBlrY8>X04jGYUdouF(7TXw
z--FNQ1|KGLcG#e}{8R6Y`AG@W{IR`pbF+Xdtb__GhZKsK1l%vDK#zNWRdZ$fQWygh
z^Si9fN6m(xKfzS(+S{!=uXvBQ+MTbq0wJ*=ouDqW*ynFD*^Q0fpZYap=9dCuw)%gc
zD3XEJ>ZA3auGD2lg;YP?$qEe&=$|iy+w3c1yH0F~cY)~}@5rLf6L|q44X_t;>MBw+
z;5Te2@A{aPH6m4w@B35srTd8%nFh}T>kqg+pD|TZQ2YU3l^XY=yGy6XgqQYkfs>46
zq?Mdd*=#vNc+u?USX<&(Q6ky-r-wvdf;g~ufsl}E!hL*OX&*O|gCPIu9Mjz-`>KUS
zEr81S4Qo18lpwfx3z1NBlQ2BHpC9*4d;%>;Yl8<yXB=qfOz@Yu)cu5!D*A}6|7BCv
zE7o-98yKvp2OoYs>}DHTnoBsTqq!n;m{>`Toz%CDCN$Pf7rZELpg@5LWY2&+Zza#s
z_nOSDDefQ&Eo0Q{sKV@Y?pbw85GA~jgW+$t46ylkcbYbWm<VhwH*DUwrl_StYFU}`
zZdNED8i&b_7~9iC?}GnQ#xx2>^g5wCG!8UxWHYvhPd8(8UYKRILAT(OrH;)PC}dtj
z0D*f-F(oL4>6gQK6M(+*F8T9_MZ7=ymG6Kf`1j>nlqhQ6sJryg_)&wOd<^p~X_`qd
ztc32@h6%F{b(zxuItt8Kg*lpSS$BQ1Fp2Qlp6{xv8UDeS9bh7atH{Op6>KuE#2co5
z9mS%cacMmJJx~YIR;il6JgMoK31%LO2{yQs-8VI{*OKBwLYzPruX@~*VpP{>yb^(M
zb3{U53OGM15qjyQ^3jeAIRyoAc}<4v{*xw>h;UlhP@K4A2lBD66LYuw9<B-4$QTZ9
zW-vpZH(J91_B1<Zb3qtHx{IA>+aCHRNWo4DHef?end@eqYAW?I>X>VWH0#N7=u;9=
zadP#b$PaIdb!-tam`WVrG>@N;?qpHLh4<UqEGj!>C<6RpP7YQ0@*a6GMkC`c2Z)-?
zCp^Wf0DNrmqKxV)Qxcd{QOdDVD`Wpbz7|fN(^Q7PE~rX?cW^+Al}Q#gWM(l@&EI@W
z4#9z28=4N`nuu2NnIe>H0?!^!R>V()VG{Qt=Q6${16<|F&q)G?%w73AwTYH2jWq5Q
zI+1wO{wE-HEpv=!R}Su`s@12%6IQv7Vs&B0hyr1wqi`fJ7Qf<p?s@cGi?W|erkO|8
zrQh<kkGVqg<k}-l;2G`1T54p&^da{yS}zS&k&zDcJfaZ_E*3ky2Vkx8s8m^EwytbN
z9;7fx!b`H-k*3YJr;dvXt>5#RrPsFb3zDe@O>^xQ_r&%R%3npPFm1se7R3iAB@+rO
z3snSZ2N|F5c~E@uCEV8(6EO1XmWJ1`X_%pdi783Vjw|g}@M;r_NemBiYU;D~SeU=X
znXQ`8l9N^xnvJKGG1{pqn19sv2`~_Bk+Si4(U@X6Is|cwmYagx>A<XGjnAhh3}9_L
zU3nC?;?<g(=QgFlAV%+yQo@EV;2fUenvF5DY=i;b=mHG%2}4AIf?^WbN~+rn?^l@^
z*&9iT<+ip=a$2in)`li77;<e+Lg06juACy0V3b7eXkAp__zbRQA5X(uL+rv#=2;XL
zXAHPmGe=ENMGr@1)T=re@KV+7M87$ceq#bJHN^>89`MVcGUO~<jei_4u)}P+^zqNj
zTyHXr<@7Beb>+!O&qEWMR?7P`$uLemvKqus_X)4n<)f-6!H}f2hX&(u$x)z=y5*);
zOaE3t$18uB>S)onxA?9OOdguLDg;pMoILL^w=L@^GSXL6ubq}Q(bJSv{fVnL-rr|u
zMl>u-IG@oNaf*-wYx@{uKj*`&F6ys_P&?aW*MmtbE7TIuu`Skp+^t$+wcl&Ol45K+
z?oaKkcH+f+XhdRd%;Q=xaR`D>MvNf4G0All6+k<I9O`=z_Si3t#jFOMbmZku{`Yhc
zWU1!J$puw_P!|J)!`}%tH60Ptf$D-?tf;6M^%NjR%7#Pt{mfe5fTZ&Z{3?4hW{(N-
z89|VzgqXC53_OSpFg7BmC1k7lbWcH9Y=V{6F>d#QXFg8VrY=-PN|q-&5*}s~Zde<!
z$FH!+VrFqF_Duj|+MSbg*jwu-$&DO{YuHF!1L53}qQ&8wt>fwLD&)kD&8qc6DS~hz
zIDq!;<>;V=ntp0<JbF7snTPl|fg7fo>j|qWooS}s<nW3dCM2t5@$8+lm@U!J-u~+u
z*zOQId@8?<W4h=v%*}uxOwgJJorK!c@l%os*qZxp))_YnV=N#QP=h!<RbZJP^2V)l
zg!bJ}m&Dgenw^H78}3~TS>opN)?ryeCsb5rffiltHbH`d08;l}8Lr)2SRfaCcclWy
z^gUak=tQT1g9n<7x?i3db<5T2;*VsO*)(8L<&)^u5`pf4lIbp0T}q=N`nm7-jrgHl
zzZ*B%M*pXFmuptWKSrb5ozUlru2dD*p@8P`BTLAv$2>ED+wF+S)bx|Cy%Gsy+e1Jl
zWAfokI6Xh^I<{0Js{7ce2l1H|Nk_9A_Jcy<i)w3MW@>6`YpHUzmU4~xAy2;PvKtL@
zeqB+Lf69?>J{fm$ikPizf)M<iioM~yp3!0NPcT{-0J8!xURk54mdLq>v(=nnB~;_O
z*Lp|7+&PFWsX`ag;Nfr$9n2%ul56r{tG+QlYL;9N(-E6|w#|ns1~WcUHg*^02)w+&
zk0@ZNRUw2w=Z3iFs(-3AQ?mNvMP0G>rm%rpuNgdV5A7$e=`g#R-|1RDz?+kf@q^6h
z>0(5vKJt1U2RnTY{dzqX9xhyXdaK<^S7;0yvR1RTWz|)raBqRx@CfQpkN-;(r@Mn5
zN7PYu;}7Db>siZq%@zP)-KIIKbEeYqh=sqzAR|fVV0m`R1TKfGrQ6G*nlf!fQgqvj
zNU}jVJ}GN9FD8<gwinlqE|p)O;q*C}VJ~3GWjMZvC9uu7>-kigO_ZpVEIFX1C&pwf
z^M!~E*H+hEASL{4AR@`qbe3T`G9veu5L(B07G`gSJ;%AAo7A%pA!L^mV?N56JLZew
z@8z{x1S>RAY18@C5$=Rbf6vjSMwRC?DC&mhosCoM{X9@{!x+(ce_nV|mVYzWn;#U~
z5WZn$B5w0o0XPRYIHUJi+RBB;)#fg+3}uA?g8yk2J~WIn*9~t_3k?MulRq|v_7*Tl
zRD}8)c#a`o<YH$i$(<+q8w+)LZjV$FI<?zTOHmcp3>RNidhRZl{Sc+MIM$Ayvb9lw
z^&%$M5N`FwZTQ7t83q%L-VC?EL%aAmS%90JW6gd5ecNsE?UHPUWB}bX2*FP;>~P`Q
zfsum?LoZ1sp-@;ZJD68l8tC-(Yp5c#BbTh%%fYzzmL_bxF3p0JHK2Izk^yJOs=HuT
z3+rltu6yQZ8WnP;fKquv3XFp^1r5Uu+`2oC_RyL*P$br_^SW)EHlMLI#)nPqK2$&h
zK|09Aj9e`_yu4LrH&5icWnSE=(o^e@s+vEio-C(Rd5b<79)<TO?N%>VOQWJ_xFArN
zBnRb$3gSTLXHuqcmQQFEy?0ff%?~V(JBkdhLnM~LTxB_PDGKi=g_V2M8cqwQYDo|U
zk55^dcw~P$MK_!ytU~fm<1x>tMTp)WX7y#B&1UVAunR7j5sy>m-mx|Xhc8VVrsCkP
z{p#&a`fA0BByhe<FfI3{uTikc2A^8x5!15QDZ{>-LBJq&qS&Pm2`}U@xZ{btrqHf)
zXD!FiODj+|yzVW=_wy!)>E_4Dx%OP`^_Xkc0s=Y|D=~WANl#aGxz_WDAYG2l?wc(%
z?OU!dI$<2XfCSs90w8rSlC(_=A;oHCVPN5IPgqg=d`=#ziU-r?fM#7V2`cDgnSZRU
zhI5Ac40oH@IkUe#J5};jR(d?u-Fz8hNsT}{z{0w|BZiDQH6&J+A<>qkFsv<%)No{y
z9kS9_>KeiYWYi@pAgD`Y{Xwa_m*Am^W)N!1hI>>`9_J7|4)wnnAx(EcX|?uyvI}P%
zUUQQbmOv1txU<Y3xiVe?TCU`OaYUFa!wBr@4)>{;(<tYfJZrt%XwBCwy*(NuFNbuY
znAcy>4)o#AAwwBC@nj+$DcbC5?3Hl-1MSFOZ*#lr8N+8TG??N3=l#st<MEQe;t*eb
z81nk0wBCkqE~}|!9+i9jWjsXuGAv8BS4Gu)(7l>R{Cf$11WzgNV5y$0z<INUR<ty)
zD-rK|niyyY>XwKlC@il1;*CI_cH;)d!dfbU?W(c;tV_ry9IyI_u><pMkY;UpUFmz*
z>B2`!>PP$zVP9R{(3WKib+5?l_=a)QppM`e(oISwy6?~+LzHx)7hYuGb27y!zcHaC
zT|3q%F3!z_yx>-5J(5RdtYU%oP%^3EPdRHoXxDg`L(_VWY<ND(hOMc9iyXSFv#>`|
zIbiNqE2!G+HQl}TF6ZFpIxNw$e)>eA6)U}wa!#|1M3E(090*4xg)w3jTW4J4Q%fbn
zZ2KFIH8^nqeUbxt9(MPD$hM+cECKvfe?_rSY9toV^n*^-?&Xl0QLm5r+$s;@S~zL9
zE7^HgnEgWh-C_9`1R8iOTcrklcM#%gJ+M^%r^T6QhcI*EKov{dcrx)ei)e}+99Uq_
z6j_d>&&4Pu?0RMkH)I);J2v?1Wq2L?yC0hfsJ?uI*N5*qSHNZ+F?s*qJxiD*F^-4r
z1&UEUNT%2irxD}H@*s~brOlyF@8g-$D)wHLxv|{D0g;IcpoEmEiSx4S(oMr{`A<!1
zo7a}xwN}TC2MYfv!G?mo0H}nL+7wCH#Q-BHn+2@?s?B%IAM-I&$E0CX$oobIZ(AJp
zo>whRKh4updDST5<HZB^kR_!8>I)gTus!izj3bG%_t!A$^qIgmvNKcLs*=1=(y-AC
zK*{5Vq<ao;%=4bZ;xp30f$|)#^cO{;6EX!D06P~Ga-_shHGT=%nNLUcb8>2AjzxhG
zCy*?Q^2UHgS%^5iIVqZQrE+Pm!~t9?-Q2<XwX#I4wT_!`N5$D;3J{BO$4NDUZ7R=w
z)HYG}=KDr55+JLk7cI|c=A4P&uU-{3MEKhyHc!BN+3ov|`%C)E&i(1Kk|9HnHBYsL
z*Z%t0F~GK*qjOA2E0FK_XHF_xsXXg#@}NCq4LV=T6xuC*T^TxHF!Vgj?u8XxBZPp(
z0OlJ;F2XNhxDN03#v7iGcd4_211Bgh-S!sL54wcDBC}T~L{`Cd`LvreSjra=B$Owy
zoo}LO27`2(^-Rxf_ownc#h$Kb4?TFt{|O#+2BlUMH?K;!7ir*&j0h{VY}IKq_IsDD
z&YC{*#_5j`|DA;~N=$3rpvURhH{EyT?h9Ja=8>-#m4b!qL?}CyBm8t|(3n|jqB_V0
z-BJnJaVsQHq#c<yMIn$ZyVvwzsdKW#@aEcpV^etM)G?Xq@bW6(^h~3)$e}mrh#5k{
zX8TbLzU8&<@fT14W@1EWC5e*B*to#>&lo;dG+za51lK`<JRn~=FEGr3xxI=6dJsvR
zb}6SVZ<yy%+i(cL3ZkL0H1AW(u8i`BSJA;nsj+8lkPVQ^5Z;?nfijT8w9i`K26GoB
zC6qpcT9|LJ&d>aDa35}#DI0h$5A(%e&*sIRzHMy+tk%D_UfR)$$i$*q;AL0sol7c{
z+C67wKC7i6i|x<anQd1)X<#QFtmCF6gn?P&{#<6<;OZoY;{8;BPdsU$6Oeh<Ra`LD
zMJ3?UTDUjL?^Of1S-|v(0-Eo876!Fow9P3~=|1i>Fb4vH_Q1e0zmb!cOp!UnbuWT$
z!IN}pKh9LO#wRa=S>c9nJia$pRD2=P8LuQ_+nTF#BFvmqOPPcoG@5l?&V2}=94Ip^
z4%+FuGmb`=zNckVFvkRk^X)_gTisSl!itluUm^n*X9uOmZc+FbBV$Q6H7K?>uF7VU
zst>wC&lqS5$$rP3Bnb(zFkM^XOufDWd=NoXhRNMm^U6-wKQ61!J>llmTzO1;0Nl>G
z?SVJ60)n!k&GCXfKeuMnyg5yq&>MdYHi(yl-+%D^iHb@Vzl&uGk;Mw4Hg~rcH{7Qs
zRGb!K5Rm5mQd$sd(Igjg<j=qR%;ucpRk(ueC=&(`8_xegn5%G;b7p~Z*q|l!IDp6e
zV~YT%x>@9H6B|WlAl`HLYbgsg1jl!9#<$QqV|YU;d3iZ1&HOWrIK}k9*C^7q{8|)q
zJyxzicD98hTYNWdHS>b7%<(o8qoNnt2fKoJ$#LSH@JL}eZH`|Y^?DSSKQsjPH|)fd
z5f?-nEvL=Qas>RK`@v+bqQ1?V+$_&CNYN;7bCEjWQAHqTvpHHfaddQ1*1X+b&CgJ)
z(jk!cCLE6gc7YQ8eXhe3#oMx#n_ye1liK5oKgX5nQu9KtQWk~^0t1{Dh2i%CiA;rh
zD-1DO=_!}3imZm(PoxAs>g<XlF5U}EyX)|X2w_2$nu0xVXzKBC8Ck{3R3KCO*UNsJ
z;90+t5QdPwDyZVZK{285vBi)2HXjQbnUAJ9IKjJaV>Ji!^T$>fpB1|@`FjK}5o&ez
zO-xJ-pPh^0^z=9f&G<{}1=$08y25<aML=C^UW-=$2u(~JfEFy^h4gm3$6y=BAor8@
zbd}xJB=48GfdWQEl<>jfQBGTLndI#v=HLhowE)U0qkcY_X;nS0p`znLDq2Zq{GwcH
zN($okXn%~9Uk9-0-*Gt@K?E%AeymK_@s2a4o*oDw0_@31NnoAm;_$VgRXEo_bJC`#
znP{<n<Iy#)FT4FPQz)=O*ScjcxJ8t|L!*U2z^F8>DDO>@Ol`}fN0W+R`k5RnF7H_N
ziv;z%sI<gECVK2bQJ3kw(!xA~v0w;};{h8iY&0K#MoRI1U9{S2eK<90-$&}=%%M8w
zZUODBV#|Lz^AMx#NX~H*1wK;R8(R=m$!w{k!bIjC;_{r0<?*kyG+i5qnz~zJOR$0I
z?uHaSHU?(&jeUi<SA@U-8EAXjm2JZLN(K1*nmh6#9vB`r-D6qn3tw9hQceEWWgv`<
zlwYTu6~e~!WP(1CQQ|0aL79-;xPG2CNEkmW_9K%K^wPFO()D$r^S=Rc;DPfKfig)B
zw<K9X_sxAq?Xi_|<vyKXd}B_&K!^y>;@4OntB*RSmC_cHb84rJ<)S<;{{@6MqMKsv
zM>8{45TYotVyvW$eIm!Om2<TyvY+sDoNjU&=$PZsy<C+DB^PF2GX_I}X>NidgS~pB
z@MW9MVk;coaR0N<4;1hf3-A?*ygOyS*M3}dhXNhgt^^3MkkHWYvZ;zuPAXui_QZ@m
zugkVSChHTJDrX}@Xg!VP9NemwaF&zIYDMe@Ko@lvrr`@JL3)WQ5Y;LHON#bLttZzC
z<NrWLvSS1Q0h>5W?l4w4258c+sXw3r=lg~PCd9RRMOX@q;n(>i*z;3J|E?iSe+FYv
zoXE5+#jgHRNK?HNs|rJ1o{Yk+1P~Z1v}+;Y$z8z$5Brra-XV)|omwc6=5Jen!Tf*F
zzyQz0`DplbLR$MylcXk^nAjq3=^59+dc9~|(|m){$iU$$j5s$WhL2PMgLY*e0OW{e
zK$A!l91fiif=i=GI&d00V^OsX36bQpfRH>A>m!KM<$|P%{;vlP0C?DHfjy7&qWRx`
z1^7^<7x@07^4<($gu$<*1tUNx+$lck0JUB<p-*jwA|F125*?Pj%Ece26aihR7O^pr
z>RS~*zc^H%z-MM8jNtjGIX{gAMdevW=`VX|b2EIXSwlfk+tl}F77F|S$v2Y=Gr}~M
zeU^uPk*0Ph!)~$C6@S1f)%eD!Q1Q>;R`5_itfLcDTEg=6f8HmC0Zk`vI?))ic+fn_
zF#}^e_c0PhszaZ-^0Lox&LF=82?a%`=n|a_bAp3e64d9a#{|VULN8noNhwy4@t?#P
z;1?n}kc9<<k>v>9x@e0^E-&RuU;pu<J-m@Vq*<@?A?4412Z{)$%5o7g-zxrkd~K8A
z0%ySS#_MO&$Hvrv&%UY(0}Gowg~4fN4%7*T1;N%PtdPtGQbs)u$E&;kKQT*DXO0G<
z(y<H42P5Z7MG}A={5suyA6mW-A1>j@{cwOTD8IGNY(d5h&?L;2@MdSgnUxh7)X#8;
z;ewwMC*hVuC#`PM7tu?&{<Dk|1elf*ysdc?_x8#VvI`;cLixWFX7~@bz1+$^Zg2y8
zqEJ!5;UqDGgM!J(nSP;P*~ZKdNS$#by;OZeb=D{p|J(InxBg+fU|?6Oa<90tf-m#J
zSFeLl@aAOh>b(Rqg6cx$Hvd@T2RILQ6xsjzT(eD<b1FzeB6M3|(kAzM-%_}R(JiKs
z^Pht6<skw@bK^zRI7@<=w`sEf`QrZ%z7L?nL!@B`Pj+F!F8seZaPJQB8Y}(k+(u?J
z?v&UofPDCm8hf^UJ|^WHQTk`&&yR><0u9dD>~bx2abYbYL>>BHum7q1<0rm+!9cF>
zUz{|foy^T~XxB>rhu<Dvf1kXD*B@-<YXAOP=Zc^2h<6#k<&5UJvs|K#`5ztUkfENS
z?1he+2qqV>sZ6wMY3RCAjFp?2uqb#|abAO!*Zu!G`&WzqhuRfx2&c@o-7;l1;crIh
ze&C;VHW2$n7;chle+hA{c0!lg(LitzffI~V&(#(>b`|HkRs1^<nXq7~%!|OzAKbQ!
z%7J{w!a4m8Sr*dg!r#;t6qe_hO7bNu66s1<a%EBf&M$A64{7#mzD@bq|H)GQv&Yh2
zYBIoml1vuyuTQ)uh2V&Asq5rXTw2gI|M?wmjGB8C9|;gPUOqEpa2N3Pe{Nvq2IgEx
zY~+NXVC6<qf%zY!_$$s1kuYESi<+bl+6?uK_4r!y7|ofK@$a$nj(@bYqs^z&Jm}=K
zV1(By8Ad~mijEpomZlZ}2~EQIEhQiUE<s5tzoHEaC)5_>X;oIN9h*Mm`_{I}XH^7e
zfiaT@-2A_)U<Y?<?|kyKfL>3%zkC)uMsl|AI(-1ILNAy$Q!W*4*>3PgaNr<V>+J6>
z--K=NM@pY8daF=Uw{ItJ|GTaGpRYV2hZ&L6D3ZcE=1(7lnl&}~pd>sw@Ft7saK??W
zu>qqsH~IXw_N=Kc)BaHda=5W5IlO9I2H76cJ$F^9MH#JG8R+n`sQAx<<W=JDnZ&@`
zPxAxl=9qxkffG>(C>0rg@K6t-c{Dv{src7Ay9E}OJima1%dfB{W#&CierO?6@!WT+
z3EavuIyp+gHEScn<yn>{I_imkq4}-~F`@8{_9`cHAUxClIx*HTvpW9wl3{DNSlrtF
zGS_pmFqXsfo^%zIr15+f<=%6X#^!&qK*w5u??`x7zXX*>lo*vXl*bsToAneQU-UW;
zP)!vn1YEjvtI+gg774j?oVA%tU50|rV(%X#Pd0q{XXd_NZm^YX(LlU^h2RKqA;rt3
zOwYtH1%#O}7w5G}&0EKPK`&ID5sQjk;^_m;qL!Fj@S6%H4q2j!(_uW}Jjr5RVmzrh
zx9G2if@VYD;b(b(b4pJmE0u^V3Ca<|bJ7J`u-MB>(4x`FVglB=<jya5D4y!an~>XF
zSq@cg25KPM{!C#_Oz;;P@aw42X#pru2eRdZibQ$gjaR=$0ful}_{_W*JKBk(A@~FD
zuIP6+#*^H&JpnA@*RRF@xu~fS9~R5HeMamt=_BFk=$oc4S!^qG&$lxBEE}z*A|vIL
za2e7^v6`-`rFoN4^1l5wxCe5Rd(q5E=dojczO2xHP5^j=d#uo<5As(8lO8Ic2Gz;~
zb!I5OYLNw5jM59ju=5E163Otekl)XnH9!<m5sks3^hVPs)dA3SqA1=*R{+eKx#p5i
zPN>KOf^(Xhpq>mDYd{U_dPsaZfftnHT{83$!fNnv#26O-Cpxo!s`aCSOM*qLX%jGY
zDZ0kIXE^jkWuL-PmCzzK+!;(u1{1Ze)7PlvDT{J^KBbuEju_SF&6*`wd@R#A2*3#*
zs>an9-NX(F_CWLdT3%vreNhwP_nWg<++R62Z)6CR{^z|v5J0?>^^t+F@e<SuL$StH
zW*Eck#*rGWDPO8lfIyqWp7LN-3@si;z)@-*9I62RKOb(4x?;H(ib4fWi&YT5g?4=g
z>pNh<2r?FQlKqNC)s^qfb{7Q^14F{AjZIbYig4b7Om_H#7AzzhCa|$K%krxLI{Ql@
zt&%!76>ULlN{R`&aFChCS2<^WPwpnnq`X<3r4T-&VgjT4>4`2e?Qxnh87+E<JQao6
zY<1b<Ms_MH49)mF86`Eiata8s*uK*|?-M)~BdoLL?}lm~_@sWHxd<w&%J`+kC=5k8
ztB&2KKaSRVwjzBVoOPAefG?dUUCW-6))=tl*GX+?Ey>z)-Aho*i}uy^73bpd3WWc<
z1sRz0eV7ycwYqP26XCQ+V$LmIiKmL`%8g8W#qkq%vmI;N7sAMkc^ckd^8P#^-CiYM
zzYUkj{PXYM(IhizVYTpz<HO87dZe{EsgB>6*ifJg0P&ymJ+nDhmmLbwqhk2%oNH7|
zDk>IX0Q?g(8E4c3F~W9n3JOZH&=LfG0(~)Pcu^@e)CbEj$DugA<lu=3$~k#eu(q|f
zA(2r<-Cqz5zJ$Ud3&<K0R8-J#abXw;|BM^~W8XAfavzI;tKyF&gOSbkrJ|!1z!?vR
zLG<lkD={@UArdDDjiHtxnHfbrIf<461j{>W|GS&|FErKglFj_OSc%kvL*);_?5gSv
zKpzDdIyB5<Xw=Ho7VS>M&K5TXVR@SYQTb$X+h6s6fRC7xO2OdX-8nWOC`7IW39CVu
z8Rmq44s_G}1?CF_-w?Aul=txtzrP@NG-%E2YkjX`k$+*`FY0N>8iKj;oE&0^6a*?-
zdJ!>4f3N3Bn}6f?6e;nN|NX#&z43bP91R2)j17;ojRtiy4GapW+E;}tGL#tGmT+?k
zO9a+qN4WrXCWDJC`@XTyoSSGHmx%=*QQ{w&db<7p!Z+X(NgHq2Sh>uvagIUE_WSa(
z%0)qA4m2oB`CjnJ17gszptG2n9JpH%1!<zVVLWO7&orpwVIv-t_Fp;Y`RWiNW3ek~
zYaA;XP?Fga42fG%-}QwYX)_ia<C4xbjlPV$=AnuL@yueCl|uQ@q}vL~_k0#01OruG
z(Xt8%|BB?x9o}<E7wBB<Xei`5GO-a7iT5-<F;FC_E-P=n*-Dxz>Ed;-=<@!i?L?QY
z49vLm-tm|2UP>@_hoq_I*GWcweD`l{x!fwA`EA{$)4uWS&8jbSZ>Hfki@72*(2slQ
z1n;YuJvC^Uyd7m1ySgRzu%3r)duTbG6Z?eUDAaNT{IfHk-E?8_b#fG*<=v;8o(-Bz
zByyl|`5jsDefl=-2i5=9Tp#A22=iD>eJ&_}IPl{;3*2t50^FGzRqL`u0lSHAmiyOa
z-An&Zp-$~K)G?EE-)1qI;C>o8XC~-0a_CUdh^d%RftREggdTXoCf|#;3-srqpyLMc
zhs`D^Eyl%@!*I*(cZvcm8~g%QOo1(BU9hpeBnC9Q2WIB{6hgNA0-A<NHNVj0CoUOR
z0j2c;Mj15J<{{X3c__^ZDWVI<i9KU#&fUwF4a$&zr`R0_T*`y%n2zi2-OLLfe3gaW
zvZ)^fEnMtaGhoyhNhm}{)A_)qExYj^c_m-?oT`veI<`-{OEt>s4SEJVbpgKO@m^r#
zeoXC_$c0Oe%-LOh=1kU`6B+y->b2n<8lP#$MG)$AznGjA+I(sG@jLOBtB$F)^dGf5
z8kAMcV29}WIu*QfkjN1c2H2JuznMGDx!@_aJ&WGm7&DVuk0Q~sDd&Ef9jor0Hd3U-
zfT{Vww)blkU2$8&;l;0?zs@Ym2J)RZgBlS}TP}mlW#{?GAUIWn#H;=dV(!r3?USyg
zdfyJo(J&H}<T?iLXex6`^)f56q`N~pLKsy+%L{TDfn&PkqI@y#&RP6Nm`F)c#2F?t
zb(&66E{2MCxL{=da9U*ieyF$@Atg030rG(GA)~$lr@9f`NTUJ4pr1)zR(jL-M6u|Y
zijE9&8zLAzOACv+v4>wu$b`ge!V?LTa3&cIk;yCav8ZbzBVm>Woq#~RhFd=g=$Wvl
zZ3WEokI|kx!YnK=kUs6?GaN^<{vN`!-WxQ|?wRSI`#o}@yjvu4EZ^&3e*9kLHVgxu
z$tw}a9|3wxVotIgB5>vr6<VH5_tD*_ALwg+Ao<?Gyep`(xNh_v&>IZ8aDE@;d^^NO
z9ll6B$MU^RR_+TpvvIGQbo!Cqd4cpoE7x^r+2)j3oIZX}o3F^p7R=T(-$Zb?%1!^Y
zwBKqiqW-q4rC5X1y!iwp4otH}k&=veeTe>i(Bu0@y`^cuW;1jHzxdL<RlL3V__b4c
zUE+%17#ZEU<Nf{7p@*PU6Yuxlem!V#ECVZ7uW}l#<m!GMzq|^cvoF6@$5V68V|xwo
zk##{ZyzSIh*V#4JT=Hi1awp1u;hCkE!B_G1a^%U~S@3*)0J)qej6F+L%6-Y~eJHNJ
z6ib~oalfK;dFLQrsu!mp+Mb{#U#ZmP-zfC4lQrp7+Zt6G8<3kuk9!`Xq%HpD;O7r+
z61D7?v1f;-WX5#HNumLxAiq!;B<PQVMh9+++tQL(2U%Ot4+E&;5p|_7Jj7_VC5{q|
zs2U}~eFzRvR#GNyu7JAR?G+UZ5h7hikdpeXl&<dW^KH$81$vENN}D@`aHB2AZ9$C;
z#muR$!>w{Dh$9IHb)oE+>MfLtUrZW`WcUavr-UrA6>`{^gJIJ}YJ%pb9QMbkb$I#s
zx<3Cr;FFM$S_)~}xodmL78IVlOL?1%SK-+sN4U%^xVx>^?i$MYAe})9T^QYb)&W9d
z=V&{J&Uedi;Y|SdXk9J}*&nSIp&(+~trk?{zgs<qmW-)I2VZsKtrohv?AAh46@Bpq
z)zkgt`>3jR=Z@NTcMkP~U4AS32EXDoIN#_E&g0=M+r$qN5Ru_yKZGcd^6l~B?(y26
zwMGX7w_q=wkdYzf*8oW=K~2}<LM?=&ehIf!{Ypqg|BRo?&b|g~v;7Xx2PVKCc+5IV
zxblu|bbIxm-E0qKtJjs{Q)6_x5ro0c7wz{H$aFkh|EMv>_q}G;-d|Vro@MbMACk-p
z`XPlgV*Qm>0dY~K?zg8$yB%iO$VcH6!tmIA!0s*ji+juS((5gzmbWEOQ<4H1IV0gd
zKzcZ&SENol@^Nod`TL)FYuWzKf4bg+b(SK;L_<hL3ZuuL_T9g|8vZ~MgCER`=KV=G
z&hh)VZ_95#9MR~=897c%#H?#GODKG&+tF`V76T$s{Yx@Yt@Kj@-Sbj|)!|#ctTe28
zBPrqEPXnkXQoF&SAEbKYqIm_KTxs2icwmk*xY4{lLEm{)-_fao1YaDkQ&U(D5d@)X
zmJgm)?oXi~^`5FnXukUWAchn8ctcSiL{zPN{n8u`T5l5nC_1*APcbg5vE-xm231FU
zoFl=XP+ocW=+Udu(doi&b|H*^X=aXp{N3CWN6Yga(T<wHZ@c>)zx;g*PG1Ln=vP`m
zEr2LEPO==-v-v>Q&4?`h`auC19K63FQ9V;RkLpNs+;5!a0&Y5t)PEBH>>9K2INt1X
z_Q4o+S2rGuy6OR?-Q-H4^~Zx-in|G*mCcE*ny94VbmPg^W{kh|{)njM`X*^XQ_80|
zl$+x8?#foC3^(qecM5Htw}AtuzANl;|CyZ~oYWTB^7YHYq~DYE2MI;$Dop5^-`5{T
zy8&LE8W%Qu$A;OA@7xE9i^Pnzc$C?kkp8R7h%`Kdeumz9&)!vhW&u;V6e`_s8~G-p
zL_VeY(t?&^NLsF^kgty~ZYh5G3>JL~5kx$q`ZiRP>mg4!TRqd}jJr82HfqaTUwCa9
zqd3?${e2sA(W-f#7?P?tB0PrSOH|?m!1{;wN)%@Ep(@_)?K}S5Fj^Gcb(aLtr7*cd
zMRDe}1O8;wbdeL@#L8<$4$ygi&vdyxEA^)53O%t^D+jH*TkqvpE9G<yMYRM7;<G;@
z{9@mSNO*ta-g>vgLpsL|8^j;4GdlAcAfDJ$xx}fCKFql5-g}GY>2H%vmz4x1e}2Xf
zzbTRyrcOKyH!u0t*M4)PHyV~$gZJ%ZwU}4PkdB|<<WpEvRc{9Nv7Vw4(#K^dgDvn^
zhSP?w8qYTG>X}#X3z2u!of@~)EpXheNRrgqiVeu#b<|ad0!_3CKmL)V?rk|LB;&#{
zp6-{cb@&F_G<I>_TBj<IYRd{H45qth{33+aj){}H9bQE3@xJS>a=(8?MMdvV!31Xf
ziw(M%$UETJoy454`9?&?b{Hfya6Qf2$9d%u!Vhc@7ds98I$xyMquVKy)h_jNWFRYb
zTpl=0YA&f9!Smp8D-munRps&Tu|Ul<F|qm7rc)gV+b`fXAfA++1=o?hNFi2*v^Woq
zZmNfky%3!)o=UA4mJASrbvahP>F}HAGb});@Ngw1zB-j=>Tpj-LJRd;ynHlOZ!qbV
z--7m=fR-&R%OTe9<Y>P!w=bD228V}a$)`-701JIj0Ynx9?7Uv_{QfyWFyg8!q?!sv
z<+-T#N4ceM-7!Z|>Pf1CNGU->YEAhu;TLcR@)aVlXqQ99{_Ry^{~Y1jK?L~hxl_6i
z4cNDWOa_*DtCrRNJV+DiF9{{*GO|JL4@dvJNXllo=^L*p@}cZ~oJ8${d^qY+iw{?)
z&z?e@<v_r*r;Gv;25?rl<I{Wp{@krEY{e0e!hhMG(7;qsR6v>nSKa&$g5P?!`HI`1
zZ;0ph@=CkmF^TzjJ&lHd$BZOm5U{hmUOhMt?>)CxuQzM{!DnMUdy}%;a`0*|+W<1|
z;PU=D=T6|0)3YQmew5v<XXykBm0|NyV}0}Y7}>+l=yGzC8{<+M|AyV<;-i&0w{TQy
zNblS8N3sYF?Ajc67#?j_bb3`Q{<gJwPtE*rj=2tj)e)uTRxwRu9X>hGqy5~REiaD2
z;Xo8(*<x@~Su=dQeys5^al0e(bih(V;ENQI7qwizpNuSxef;MuZbtxJ=P`u?`zu5Q
zrR+|7GtscOwP(zLEv<PtFQ%&Z?jf}GU}p5>PqpoRu?(D$Y+e_nWDQ5`u>l0UarMUo
zf|m2G<k`w?oh0XPNt50P${Y6#z(V>a4v+gGu89<m&sUXWWVL$?1%-gTE^@r;u18|4
zjw><pTOOq1Y#WR&*O#vu++JK+sx=71h&WL{J?DO}{ITl4f%jfmJ7{3tEw1hoEc}jJ
zjL7-f)EBemrl`EeL9z=gTOhUy+PWJSx$_a#jmRBN7?B-|28%1S{K^x{ajmC*KXcfs
zAM>F*j8LSm(m#4g*_z9b#u^ao1G3Y5KTWURDWj<xELuZ}V7KRrLkRqML^TeYy>iWH
zj}QgM1?W&qOG_>fCkPD{Sa3XP52@MSPrJOfy5i<aS~nmPbv|KWy)^~m=g`8MG#U=<
ztiCYp`~ArwB}NJ+u%+6|7pOgb8BDPSVNx*ybT?XRO(xWQ!;Q3}c<ahl3&6VH>JV5p
z+_|x;RtAiDp-u;Ox6bH#3r?~1(`ljfhoXM=FDbU%*WuMx@;9h_+V*&5oa#R3P!KWN
zIfvaxmCp_w7h`&K8H5@b3f3cm1<$4f#7-TKHNQm-XJrNhh0)y8#%$&j>zTmEzvd6;
zZ-dFUysVA?o(SHqzmjwTR+-oSUcX~=9r%(V^@~QrF1GmdC0*1b8ww_R@JS4xAUU}W
zf&nq<w+IjvlTzY-E;OM(cN6DO#FwD33Cxz)x$>Iam@BT$HEW)}TZt-uR~e2eE_(zs
z7P@|+W6e<Bn_Cy!*t2QmtI0vhhi<<Ge`uY)R5DcaTGH+o6*3eBY>R<#{Fi24E@+%!
zLVwwQD4oN-))d=ATB?$HXz#5x#Yb05EF^9t7%A>c8ISv;{FaA7NL=F-e^TN4>NX7L
zi8qYSXihKy5*xk}unXNPI_;IY#bb%d<G~qoD1sMVQ((+?kpf$978$Q2{TOuo-U!!S
zlhrkxHR1NG1L_F2-IjoFbgO8@BnNi+&{VfUQXCmXaN6VZmoM3BXa!v{N;EREy#6LJ
z((=HBl?9QrNd**IFlV_v(5y)QB-9HjW^}{Xh^Bqn!&@PpW7xZug(=?-z^m@YrKzWG
zG{9Yszqd?Oe;Na7tI^IKPwRCRV{3Whorgl}&Z+97DzqVCXY-;<C|mi)L)-c0?s6$G
znM|{jQ3UQ;(hhe@+X9vTJ%+f~gK$c}8ECg=Tn%~JLb1!Tn4(>1<?2A6p$`ZFa@bkK
ze58aw^E4f>GG<EWA$4JLh@dlPj7yir9oC_IV|s>el`I?Osb+`OfqSBv8e?nLzAW^X
zR6?bV<J^P|FRBRM{CUY(zD8B=+a`BV%t=wV56-Xo_nZJ5+;>(?LnAoP7m%`Hs{cMe
zO?Eh9>+-(K$&A|bBN#t0w;!-uNl|Wda=Wj#({vpkUBfgV>Uz}`;iY+KaAUDj4%oYM
z-Wn|Uj;w!l@B`Gl$ID<f=YXFe>M7}vjzDP#2i4MLZXj)}65aI~bp8XGl;0?%UO30$
zBLhoCh;%SO|Myw+cnpWmm#P#;ELS<7h8@OVuhT!+UR%6i8d|yoB5Yb^<*Ry1N-sI>
z&JF(rW-nFgOiL}ZTWQEPJ<C~8Rra-*8td+<0+@_*rcLvusJ+sWPn;REyw0@(#F)`V
z`q^*3b=+NoXE0X~@w?c0{DH4_xsD{5!v@svZL?tQhBTnqAx`|X>;A!T40-gR7gb8D
z7JYn7-^>2T^Gov-m)Q7rat58ewHsP_JzcLYw}U3erC%f^`a}|nhR3)-3fBoS?c>Ro
zZHmXBz$0*)>!bc!H1^gz{;}2*j8*D)m2ln!73t0=oQly_j5qX22E2?AUL9gB*LM=~
z;FFZYKeea^qXP#LR|DR|M3sl|CRBr&^tAmythppF!&QPJg?gW}Yi;k~*eDTmR!ktO
z+;4?wD_?D+2m_b}hIRl}Ye9tKQItOhdHv#Shx_UEc6>o<ZR8S=Rq4%yj!ITg5=;Ao
zklK3Bi_$wmrTz_%{`>w6`%%~}sDF^3h0=8#zI<d#$b)V@l}&CoR_3F6hj#aC;v6Hg
z*iq!CIS9hL)<VSQjYznE0kSGF_%m!&(!QmL(j`97d%}z_Vd<>oij~k#48$F#esLWg
z47rchWQddK|H;3a6RNzQTV8B_vHL56Q_G!D_HCMYc)<dOXyj4;MSsB5SZ~yr#%AS7
zU{#u|Zysq_Uz$7W76u)^A6oCmw0{Sm4N`j3J&|Q9ikAV2%y`q!ksWg+r>dSc%M;Tx
zc)G71`BfQj*f<IYw!fkt1i@}8mF-RwL^O{{M5`6{wg1KUMa$!Dm6S>Fp)X}VdWa~S
zEBMgd3^W&Pou{2_(qsaTZzvBsIwR6OirE?&+X(BIZo{3Yj9h-^D~eT`Lc^b|<w4Bu
zdSQve^<bI8D~&FUlVmTk+%tC`jBIfnlA+xW6*2f=tY6l%w4!jMfY^(4ohGy0apC$i
zQmM8+jC2}2ADk69o%|lbGauAYVm{wS%P{cJb9*x-V3vYo9L2kiZk=ONOG5l5dBX*{
zC}U0po;PjdyRoJVa@VUZ{1na{yhwCrpzCXEW~yKp!21#Y+L8Lv@jK5GJGwI$JJB)H
z()yKDa|~Nmvtw^@b%#%a4LF-FLKpyfxSYr<NO$<o40I`xr9Z6Qlg-Jx944d=LO3%$
zkU<0CsCFP`x=>uUyVWI`4CDwf=q)%@ytKm%6QP7QZ>2`(SOIogi?2j1a=`MZzknT6
z$p2n7Q_XF3I{Iy}@$jl4J#d1KeCX`Rp;SFS9E)>t3};HJJaKk@)&rZoKdNqQimz=P
zfg46sB-s;B-{Jp|-A-6<G`M>fy)|rGEY+J3-|hzd@4R{C0p&zyFVumTgA3x&z!!50
zog@LK_h*Y_z(`N4v^|=V=wRtb=|f?x3&(}fy5d&)jl;8X1!VyZY-f$}86&?C=N8u8
z0fH`h!)KZv&6u`-atpwa!LJQV`->_KOCsOlAGY1;TMr)z8c(q%%UG=RUiqv{4#&&9
z16hs_b8DwU1L=9AgcMSB4k$e@)(}U^n{xbibq^xqud1m!D78O%cSYGAu(6%w^gH&2
zVp$5qv6GdlCbi6zh$_4(3I?u7iozlH3{9?<G}^{rJoTB6a(PpS*Z;<0%~cH?Oyh}F
z<oeold$LIFX!DEp7X|7;syluEm|^kmxo!S;gWn(++eta4bW~_(PJTd!=;@FQKCcT5
z*5p&>SQ`P%?vSQnK-bf|@s|3min<i!fgh506LrP5MqoZ2TP5VKU|8u9W#xuZf0=gj
zPS@)pIq-{Y*OT?aQmi~fcLyeDU=*X*x0LND$0|<K9$Ib!z<q04aXfUkFk+SvuW5wI
zn)Gn!S)AM)Isg||^YH|U@6UmbS}tr4?8a+5EWqunR9Y>v@E<R3jY2yf#7I6-3*=kT
zaN9r}6l}au3mV$?R{o}{KZp|D&xD1EjW#N0vb}AS9z%N>PS5i0`#DyV5IG5tUjo!v
zYz4-;u&sn}*crTEp3pba2j$(+=EfM8K{okV>DM%~^h*Jh^2BZU-+P$**ycoQMnf8H
zZpx!ug{SV;dilwk=XEFb#np({m$crbe|8T5K%f^1QLf!1hbLny%HoNWT@GK-wNs}y
zDs_yZD1tL2zxX|sL3ULeh`^m*_sdxf8cr(yc#&~0SE2Mq2dR7Z{TYE+!M;#7fA%k^
z_~|&@$hQ`ApUKFW^`tcY5v9V&EJvI5&V>Lb1JJbb-&OYSpMa-|R3F>bh}izxlP=_1
zl0R~{g&J3AVGabIV+sX<xHZUxUsC>$3&27X>0EMA<#8-tMG#-|piHyX3J(Zh@-l%D
zC42m<uQHk^1Z3XbpL$@1<24qlAT^CWH_ZM-XtrUj^xzAJj?&^Y!*F}%odR$abzo!{
z2Hzzwj=q1FhnOOKVtseM;$B-D+fopj{h)Q4fg=>)dK$1t+s=3HZYR_qjs207VNNC-
z!Iy0{s)jpTjD|%RNQQiIIXWMnrxz^58Qbnk77i4mOVRtL+4kj(<;YZnSpCn+r|{Bf
zVS`E4KY*L!{e$;Tt|!N60`r?N-ExZ__~@;E)-aA81f{Uc!`zj$Vq0ccbOs7(0Y%g#
zudV<+PPu4wbtP*9?%>n>2n`O&BpZAiHlcG3I%0BRc^k{QB?YAfY^=SL-hSr3&@A##
z06B}J@<ns5t1!;$m$vtZ!$;tHwrkEZ%&t|g0)A`MrghQ_Q0n53nzEuF?O@NKLdryL
z4*Tc9p&(=~{D+QCC`EEP;gN?V2%+Ey`+MySIK}^6>-l!#gFQ5N38Z}$3^~t}lZ356
zks1(73Ar+mwOZ!(7gG_4mqd>@C1w>>9|%V>O`sP1XWeyP2;;JJs&!F5vg+dpv=c10
z=^vN$&p;w$i`{@bfUEtYixgTUl%@KmFJA64sxh)WJ$Iw`)>qb-K|VP?G^`bo>*>n<
zRZxS+ku4A0L9fZeL7n619?rg|tEa`Gn%rtr+O2C|L{j*miRim0P+`MmGqDAf8~BBF
zpUa`R#J`$G?E&5BS4u$f_M0ExDY3)F7NYOQV_PUU?OeK_?Jj||{?z^h@vKUadUXfH
zJY5Tfy0|%0taRsn(ydpx??Xd@E+a?HZQ=`q<IthO+jiLR0CEShP~C(OLK`~L-C@2c
zRA@)rCyvkTGy%Gl%zo+Wc03~_&ab|~JFoCYyE_<~^rGQhY62x(bDS~LLwihSW5cG^
zgn3bd^NG83S2;Z2uE1}lqH-DltZ^119&Uclu(zD0G~`gWX?GOd;_?w+)9KI}9FD!P
zID%)wgy{9>7H(=S4&4F-De^dlOn@Ige6}@Z+V^Cj1PlLX9>&5=%j(0YChkB_))Yrg
zJXq-ekG;1Fi!0mOMuTf`_u%dt+#$FV+=5%-t|2%CcefBcxH|;5;7;LM1;Oo9ckk}~
z^?$zq>fD~oRkfbEri?k~koO&fJPO5fqAxgdTQ2}R#c`+%(KBoe5OdF1KR*<|Sc_Go
zjUYUfuNy-a$Qf|wgNe*ATjvH&JCrA-M@VWPUL4^^;~rKgkLN20F0i+X$k4vJ%P$sA
z&39JJ^u|<vU)rtxIhLSgD9oDJ2MOaDM}ojvwQ}U_v)sE_Gf$p_eCx>2i|}R?EM-#U
zSswM~VNAMsu`~)Sw64duG{gY|P9GZygw+pVF##sBsw9B7g_K@c_WVs2K#{Abx;0Q1
zyX6p%m(}FlVU}4h*R4V53^r?z3NdnLh0DF+MJ~FBxZhM#r&}+-z#FNfj{V(H4m^8g
zxB`=TODug#!1+BsaG>a+@jKPobg!4gi(rd$pZwi+|DyBcXMmSquMW{Wsqm0=A9TyI
zNOOrUK^(2>(cZxWrJ;Vdj##~LI6}j=cNEj8vqU^)*wP{Vj`~_-bR$lfd65~&*GdC&
zh<bE!*}>668f-D1{^NQY4Vd^-*)g)lX2QzlWrDc-yo*%A&0mWIXuC3~q^RB_g(s~F
zyhSWk4{)+75PAPP85h4V5>#H#Iym}v8G?nAmeCVB&ief8*yGaPAi&6fxJ59<Am_<)
z<({O&5HYVnZ39<_Fmcl`+w=XN&VM$fKT2?_@gtgbyQsq%r_GXZy{apXHtS9%-S>Ux
zy+52c5Ud^))C}g{Gp5HcogJH~BhAc2=LY}+s9{!29*uam{kH#_FL#j$E4=#K3Mr<{
z+@Xvs0c+b65p{HBa6Hp|SHE&8xO$!r)2a2;iS!UTGAd5mOBX9n=o2&iZ>9c91t+oF
z7^&`~K;14JJ4Um*!*y?dcI6t^ljf`1sLg=xNrDI}6{7NI-d8Ygsd7734fDs)<pUCV
z=*YMCxXUZ>1MBtUEOsXHQKi=M!W+IP!X&)*L`HsFE>(wL`sTeX&jnXXhfPq$bl+6f
zIIQ)w1haf^`m7$w6p8&DuGsr)&QE1ppL*WO>tWM^h4w&_v~4&N14&h@1x{drC|iy)
zlqMo-_~XV5^TnFRJ*t0pBco2%?b_PAiJ2dbmm3{C!wr`<IBx_~yKWiP<B5V7b6fR&
z&Ei%JI-Yjza$}p4mll#z3rvuZ%r;~BZ+;!6yQw#8&vPfXOV&Edn}L){v8g}nE~XN5
zx}oM~UkMobyh=u0;F!;zsyQ?%uulh8&niN(Bf!1e@1X*$yW`)NOUx>uJs;DFS5Qcb
zA?`risWp5;0m^-LYi-PE{T5q{hL2^#ylu$grYh=pxvb7eSRk?d8^{it=4SasuuQA?
z1tZ&YuTjoD(y(>R+1Qty2eBFK$uWFL!)3K~7B4c$u{iE5>svi*OBKnxq1?A}8k;bh
zF;Yhy__J=H$lZHmujM&GlV9*Ev4X>WpV`IZ8NWvOQfQLY6$>d$#)WX+#16oMra0aD
z#g;y`z94&m0!y_%@R^|7fpHLpI)H4>@F3v(i=99K^L#m-IA#KOdscL1q8=7Z|N1=m
z!!sE*Evy>%{)%1AoK#f@rM@@c%Wq6=2ZrHjly0%t>h}fJE)&gn^9s8%L#C@#F;Z+;
z)QgTR(-9KqH9B}mHQE7^{yFt^kYZ=PD9<v65eJU#x)4B=VQ5*d-ZbxdS6ItA%m@pf
zRkh6af&=Q&k^HrlrAQ^mgYG3P<KNKH(<{W5gY>`>s;aVvz!Jjm>VKgo*eJH7v_8Qt
zI4(uR2G;Z+kavfnl;*|i;8zXO=&bc<oFI}hg`2M}_k-5^hCu@-<mxl#gvhSV+x03U
zQkH5oxAbi;%4E*Aj?-V~FpQHTUyX#b7C4#;I*MVLY*K*4dge1EpLmXKQNY)HqD2iI
zAs-~KV^+$)=SooVHWa#Z_2iUN24eppKJh+wl!Y35b=X6{1I+79AyrfmoM8<ldE0)4
zMC!9t4L?Syl*jy@U|XCu@E@Bfq;~wyIuL@6X9{c*`lVq}8d>)0On^C*WCwuKbbRbj
z4D-4Ub+T@)LS_=liZ9#z7>CWUf~}Acu|*LTinp8aSVt1}F>ucB{8d$x6}h$bEswMr
zHA^wG|A}|U3%L2zmvEulDAIWGfRYg?m+j+)E+q6w<abFb&1+rYFt%w2>J2IRhUF?D
zqMTg3a*PaK5=OWE&>eln2Yf*w6IXI({G!1pEq9E`-{|BiG;k?m_|k5)@i4FF&7-+R
z;fB6V32GMbFh8wUS8qfH_AlhcV+Qwb(|^k2JHRjC4<sh*xMsD_mvF&`Bm-~?K(d1B
zo4}eov(BESBYkZLGU_SZOWK|6Lx2kXaK_f7F7m5atJ-ubPuIN8Ko#Za<57~ha$_~^
zcZKMjr45-SNSV=xvk3hvLKrn7&ghkZPQXxpQ-r2{TDysk5zHWuvY<J4SKzI@(A}}@
z&mzv7!Zl{*hh3_t)Co^9lB<Rx`IW7+-`sr@=7=A94(njR8&~nO$P*VUUV1M_enNFy
zcBsOx^o60YqEyP{eDKmtqQ4>#%5r!<05=k`R0zD`v0?&~*qu>cR+0yAD-kOK?%<7I
z9|Wbjh-%$>1$A>W!ibJN?TXF3=^{CTcPlU5`_@fe7IublH*GIG+*t;_s1wlPv5I2}
zT`~#BF$c_Xx&p2+g>D|`ezIW+HEkD3Q;Vt6Mb+rvuX8dR$|xvl%|qgl7+d-0d{`3}
z&z~s314bHA_~h+rlss_s6Jvca^%s(@G?>F0Y>|-;9=tr1u9CFw{aU7k?j7TgTdwKl
zS+ZnT!E~sy5+;~0p6K0t`mU<Ud9j~1{o;wD#$t*5-ygp`K`(CHqc(k5mJYjn8B+m`
z*}gMra>I)=N08QEyY^GEGpf;uZ2SfExb)K(QSm21@g(a;<M*Bh>o!}kZrttaYtH}L
zim%!1U%SOi+QIsEJ#QH2fqUN8gMnk=G{=m(=d>QQ%(tmT(;B;Lgk|wtc1yUl<5>@S
zF>mXxnn2)KuH*hL^v-Y4c%U51m^nN20Pp!TCNNyW+D>nEFXO?Zr=8-zHz9Oz6Vm;o
z)Rh+1U#RJ>NHK~OJFA+P40|xw$c951p)m~F(IWX&_X|5D>7I#7nX=%4%bKQI^Z{8X
z%Ed(F=ioxbrhIE5(D)mYuNajM?5M1RS#`p35X|pJ=yJm^4)albY9Za0^qS$NtLok@
zaoGgbX>@bt_e8GbZD>vtk^SS3x&6ID0&l5J`;_Dtd6`9`gp_uzIb5+R9nC#hiCAK(
zw>qL#f6Ojwr%^C9<MdCqqum+>c%ZO`0l&lz)s~C_PD;2il;)ZXgeFAxcIQ<4m5REg
z!EQ-yB*&naHAs;U$+r>thaYg=y?zVWP~v_}<O(8I&6<m;_HP3M@h|#2%Dx@87sATs
ziom?)h{VAnVGkMpHePeNElL;K)@kbfBJzx|{W(;DXPwLiOC<GdjG=P4$kQlRfP2nB
z>FP46#t%c5lp8~5^9qCLybZhA&>OR`u&<o26d7q<r8kmF+0ik7b$Ftgra+J~dpVuw
zQ=%nnOD{pNzNKh{5%>ZA{`gUM<5UoE63F(O@j^43`xvLHDtMO!5o7do8aB8xNNnG8
zEQNiN+5mnagqu2^3m{2Y4Dcqf*1N{?3tU}K=LJwg$11xW`Eo0lV6D=sSxZ<I>wfsU
zSU=xKFM-)}K>NraN`tz%@ybrLypYA#{buIW7v?e7t%n_zaH0!)F{noj)@#hYb{UFQ
z4V8hddbo~&Cm%gG(_dg;DC_g9&=c0q2m=<$($;kh3xTi?JzxFi))IC&g-8nzSP_yT
zjaUq>^s=L4J;If(fVI(wk)w;4eClm@<b{}_7^-8y4gpD|TvQl_iUL<)jF`1)JIk-d
z9l!vmDhjqeD!=c-#LuaA?AuLeq}&K(ajlP}@VWkQ)fpl~SFCOVr&6dw{Fs~eKTHn4
z0)?cd-B04f$unb@Z-v6HO8qK2t+X1i`LA|}IqpC(;Il&SyQjJ`>!z#+2f0H9kvlKN
z4EFJ)%`=V&xjBJ3z-<wm`I@Jb*=`IIpjS1jsV=8bb`U6siv8?tHX^r{Zqv{u9X2~9
z3P9Kh6o8i5Q6q;Wp~<s#EE06`*sp21J>tWV855~hD~+b@s%d+%luF9iP&RbKR5Qf*
z#MCRTL7SAn5aA<9?O5iRA-MxH?RDoILkfZ;Yd>=tk3|IPDsHt9gpj*3?;gIP#CqIH
zKsfJnsL$&iccpVhUBSd~XWu7vW%eQQgeU8$$GH_1MmX>TqYX0;x>`FP&+5O1zxeB8
zP5F@UAe+ZM!lQ5c5pGVXruQWRIEOdmy(y(=;+_v$n!QX5g@GnmG6v?)zZmd$L>p4?
z?i?1kv@-b|cLlvsSrngJ3mVh&g9);^jwsijwy>X!o+O}CVLIal(1yuof@pO}WxD86
zDg3jMS!Vm%VyfHLmX38$N}mtVaBw#x1+9Y_sMUwCSVD3<VOT{UxgDsZt=l?=m7^{p
zyqv!f^pCvIUwE>9;IQ~@27LK`%?jIAM(x}?sT7>2AqY1MVKc1R<5;3^Q9kEQOYYu-
z8i3w5HvY5T2aC!#YldzmbA#I%QMWsuc`uPh7~p6TM5PQKzJA`(kKF1Rwho4*wqEaj
zz4AgE2iw|z3InRDs<$Hf@Nev+e-Dl;nfq0elM+{tDqOm#_P$LDJ_V@(z!BTDlD`VH
zQ__0mX>t>c+BlExm=e;aoX@*MBq+Zo6UcVLR!<PP$JvjK?v)P2d`{**rYM)CNwFRp
zkOD;Sba!Nqx-6lt4dB-dL0GB1yZU*94N39&lW;Dkx>>bb%kAL9L?PxE6ErMIJx7dF
zO_5A#E)X|p@?o|-VnIBt`Ykmh_X(RbP+wLt%4TT&g8-3&3BfE^Vq<LOoOY-kU2fd;
z+(rMj6=@9gOu^t=*ECi_mft*@sk=ojm8oWA?+z0aLg0_%0I;8_k{__$WTn%Wm%mjw
zQO+<RGBC*R<^u-RL_gd#k#M^(r`!1Oz2i`;CpmD;dVE+cv~upn76m?g8V6NT#v@NT
zL`11b88kF6L2ESAvqkLD9PTBkYEO#5%g9hs_pGzdhX1Tn{XqHA%|7PfBhP|%Q3!7+
z@XmhiH$-vZG_w(RD>gD#^5#H}W-9-g5@pz4+^=V>q(C1WfxNxnTuQ{Vwl^e|bhv*U
z)L8I^HnYlaV<wkVzcFQWO>*~F-i6FZ8^Vy~1rtyG`xi~;aYFf?Xv7&LJc+xN)D)F<
zbUbPo#f)#$O<%GlH?AG;j#(5t9soj5`@;khCsHrjIRwdSB#iHQS3-k5+aSE8E*Kmw
zpd&9MFI1hH*-BcJlg-MaBVvA|Xc`%AQ(Z?x`U7tv#<>q0i3ih%Z{I{H8R5kX%cNYD
zcMo<|P3bXF;>7S7Wp3PgnA@v^&G`zh+n427L)V_nqM}qcWpt_M1`<qQxYcn=ztzIV
zKIIZkh|7)1&HdiGORd^WGH1*(V2tH9B*_aptbLRGBgbrLX(!;2nk+RXRih@>b5*>$
zh$Q(c%Y-^X;g$B#%WDy6(H$Ly{1a~O=S4my0BMBU;#jIHcFd^1QV`GdCA_BZqnZ@g
zxOQq%1nfnfV#tSuCLwOHFJXTNM*_F#gcXj0L>8o|{I~D<mqw)F-_oT961}#`oV2K2
z@DhkWB(HywhR}FeOTE{;`I4{g&4no^Nt4n;(h*Uj7>_ZBeNZ+1n4i(3BTJM?bgC}N
zQc~16QE(|xKFL6)L)EV|&Vad~F7j6>cJOQ>V;o(;>e}1O@AZYnLFR=+SDoLgXb+Ud
z==<(Et#|kuek34gnp1w0{5b^H{1W86uy>#8g<I@>_LIuA^~+|e$#K5C%6yf+joRhY
z&oev>yrPt|ELW#Cr+nzc%~yly+G&i>U%u8(UPNVtu1JxJn_bHx%KZ>wzw}0iQs4(S
zR0sil+(dn;$y%+A&T2f0!fn;6MNwy7eGwjR74BcmHNQb<Leucjg|B0_jhAm?d_V>l
zpNQqPoQV-5BJ3<J_e+gBeGGf4_s$8+Vs{yJ|Bhk8LKif+U>?_RZWsvz){>hxT-2Mz
z8Wt(nwSt&8e1F?3Wlt9>i672Zh3jaU<{QbTT^Sn@@J;Rf;I$~o&AM>30pKLfd^|q8
z*7~`U7%S&!AL5mHcB0r@aJVqnE~5I>8%@>2B#Fpz)R!kp_nA@<|K=U$%;997C_Z6Y
zj2zq7kbeI;!mpXR+iXnuAiQGFvwhJ?zGPzccR0lsZr8CkT}~B3j&4OjeNiqd>FgaF
z+ND)EmmungL#?;*Zu%QD8ehQoV^e2}@3u83D%yK$LD~<r%;KiIsDLsL!&O@*K1Gf$
z2i!hsMTJkz@UDm{P`<+ESe4N0Zm3wCMAmhCVQKr6)fY(oakQbUF0`TqUS+XLAHoRi
zZ``-LfWZziw3t1sNchSjPR1>`3d#zyKRhMK0|~~^iePg@@#R9~Z(;Pht%7^0pWGdk
zeu8wqoRVPAwfD3)g1gSBb<`^kdLa0s*{7Xt!+82wWkqEtwJy&NjR7y+02dkjSN^ZQ
zbVa^nx0JcCZ=LX^3gtXso?0Wm@nco41nlPunaz)s<-&RjQxgo+a>oN$;yYxi^BdjZ
zi`~ywDCv181KX(~MSigYCr0}Fvhqskx33R-O3jWB`8V4#uZ~2ps}dW*4haW~->bUr
z=l|xho}xe~q9a|PWKH6~R9hoRQV8)-j^bCfma~uyUG6PiDb<X#Ok<tGHH@&a^ERY}
zfCxI$d3)ljU+LZ}PfmiI=3gZhD)S<$;eHU(FVaFQ&BL{v4C&Wd&cWM%L+h1Pfs|$A
zYnRAs)f^BF3z8hzrf&n<2_NNsH=Zy0hwkG4_767cVs5%^&7b_XyEKg2&oo;bWk!8@
z-8Fqf%q|5>G5pst^)t;X<Uf{A3g7q^+Q92=XLv1Fv6qoH&_!*Qb85u%!|@phVo>sw
z6bhy^&e8B9NN?@V$rd<uV*AGv2Eo{%X}5MF1P{O<Y(EgsVoI;eL8vGHr4N|@K_?t0
zD98B^oN5a~%Vxq2C*@Lod^XQlmD*p@`0{K%?@&{i9%Do>k>?^P(_@X)yEP|!!C&wJ
zTtk78F^f`kr=k3x-Sh`?{^ngif%R&5(ub12#|q)E{F}ljMkftnN4`G_)mi^9#pU0x
zK*-hpe^7ZJoz=_#>F-}$^8fL8Sp3I3bpD|4tN-xC{tvRADq;gVWTtJ%l^Ik1`NVs4
zXzoFK&j^A2I2UF9Q{GH34-d`Y?<D`~=qo*Rl-Ff^UlrqDuD_5VTqeBkXs5vCZ(B=m
zVeMmibeqqelC>5Z8B4hNP>6Z03aFZ2s~DGIp!VQeml{}Zjh${UZx0}7!*dyL^I;6Z
z%<ss~>(U3nq)pcqsVeI$MrJQh4%<pn4XZ3%2MF?rk{o3t0N;DBaaF#g@P7_7=1*3$
z-|_b;$S`}lqk`u2!dpE>gZMTc$LG<Q0v^m5qAG}9<~{DK)@%mj719ce+h&}8SHnB%
zwG)X}k8I4J>WPFm!lQ4vy<=@Z`N-{^@=G%}jHyhe&-^O2=Nz|-%}dk|h&kSIW%CPp
zet0GVH;+yFW6m|XlMi7ee}#@yh(A8m_-ZXt_fylxoMTxP(#fK|7}#TICX-EM*wFI{
zU780{PEsfq1iZg$&I8L@7SNTNtun3wHidQTO2)BE|4VKCV}W2HOQHt+ivs=Bk4V6b
z*>cu+-?A4~-<X*-$_tDWB$rb5_OD3gC-rbNSsfPL-c?>a2L;+XmHm{`2b_PPiFLa9
zG8@}sek1v_>bJ^L-LgH%xTr!iDsV}!aWfK*Z7s~R>uJ@nadCd+_t|P4!e<)Og=FxZ
zH<(zr!?vO<X6m3jgj|6oUE~u9bFQiw$Yvd{2DW{xv3WW00Bz8SyTkvOyC-HB16x8s
za1p0^_^h5>98fhuH($Nkv~I+Zv{Wy;1I+?eo36xe?Ku%>A=Gqm-|_n3n*Iuo+K+*U
z8RP1=NBY%A5|9fHLOKARc^XT|6z2}*c!!&h=X_l}iz2cypYgTl*@2Mz24;=3BE670
zRR(+^&}EzOVy~3%zN>R+y*hu<asQJ08x`2`N2_Mdnm;9@$0#OfF3!071!st??A@qZ
z9Kv~eZ1xX7q1VG_xhPbKQO!08wSDbner~}0_~~t!AF7<<S+JV<<PZZ4n&W)k(08+r
z`xT};m*pvIPPoEVaoL^B3N{%(FZL+jnqGs{tFg`HwHA2u9uOeiXF*O1o?yFHdpo7<
zfZ`ei@z)Nf-R;#(1Thd%(JA&VQy~<&tiBiW!e7<SjXxl3MUTX^U-eGQck<yz=6eoK
zGx8&>;5~Rp%}Hpbk{djya$MHvFnE9h_ADUfxN%`Nx)F{V5tz9>#OAPj;4YRT2JP3!
zZ->?_QkFgnt!Y1yq6s`uE0XXaj)`Q4!$o(Ct4UK87McT=@=eo4OmQSS87M?LMJ)#e
z_&;qx3*G*XCU}??cE+>ZS=QMc2Dw&?zn<6W9e){>7|#+!80#{QgfD^%Cv&Hq%;O*|
zuiIX8;M;L%8lHBbpp7BeWn7P&+6=&3MO}B^_>38#LddD(AHQhiOKMjijY&cjW(u4d
zY%PK>@;b@Wtp!n4e(c7akJT=|5h6Lr;d|Su4m7c&AI`Qil1?i^>&<jZHQRe&Vb|Sp
z9@=$f4>+W#%0+ag?}Le@-)tg7Ukl(vX1szBQ9a+~0?l^rU&Swy5z(QQ^<g%A_BmjG
zzlQ>TdFvduT5IuA|Fe-KC<7Q?kYK<+HRVqpPVR$|>fc0g^1}raBPnXc&qy*}bUbA^
zGGz>Jdr)Wd-K_>T8h?i<mIDoYX6BSmr8}<f-7$&Z<=K=q1xw9h!LZr;M|UxohBDzD
zzzR{_U1J&OW_S!UT`ff4X&Hh@grpy%BS%dd`P?y{2L{br)zNaHlzt_M$@b!%Bq?m}
zv>r3o{bA2E+wLi=`v!F7sQ|hWB&TR^L48-i!M_VCVmIH%83=2luKpwWy<ybKQ<Ejj
z==TcDq@}k>rIURC|Mo)%SKgh9c)YFau)M+_BVSrR=caSGzh4Nvh3|TFU}{@7>TwA4
zkAZk|dgcAi!AFTIfc*v(3`~N;z1OR7Ht=yrb6sOG$vezQe%DLQ7$O&L#h5CF(E$Y~
z=3Yn=N#NL2s)?i{ltfaS*=X_=d&{f1&-3wrZd*~`11JLdkKM0UzAC)JtpOyY#q!v2
z$s6cjDQDHBaKv$*KE4rW2+6<G$;`)*mO75qRfRo@pr_C8A@wv+m~w2oeHPvH<Q$<*
z3kAxdvHEScTUc3bcpv0Uohsh=Z#bzze-J}bM1rQ;j42&BI+Uk}qREG~MdI&4x|qjV
zZd!@0ShgzEP6Pc4?H($6)k6-S3qHECq#*chzP~1r&gF}C{M17#`W~Hc;}+Iq^;MO`
zeR{)rAE=vYH1A)ePB0*C{3=x4aqW3GEqmJ+(C!reV<5)ai@jyXm_IaRko;vi@?O@T
z$oI4b$+7cy*4+vX-@7TO+E7UJ@S+RmAln`71^;#jF^ZOW!3r?*niDCQrw3a$XY+uE
ze8*uIH{bkqGkRb&4HTB7GT8653mCwZH3zD~8w+05w;TY*5_hj(MZ%*eU-7D~UOkr&
zOh}%<=s<MQSEw%kYZm&i-VNn&4%bkh_4PQ?VD@;sUM|20&gXEVGSAuQz&rD}zK#Wo
zwzhVGpg_BQWn-AhyFMG;husU%qm@xVd7vv*Sm-i8aDa+lAd(lW-}@jp&Mx2z|J3cx
z$Ma^vmzUMNod&LM8!1xkz<p28tvV~C?*gj0Y(h7(Pe*lh!?D6Y?#LmZNm3c+GQ=fe
zf5oupZHEg>{*=K5+CTByACzA58y0r{Dbl_ZCb}MTRnq|l$1zpVz989s4>x&#xd@Ws
z4WWvE;kHCT0K5oT?QC?jaSU&sO17K4#$U*^t48}zUkqn^TZr26LU(aok-D9DUk0y&
z2kL8n{qB@_w|jecg{?vyoiAberulV8Ci}VZf)YO`R>l9=8WtY^GBXfvs>`OewBz?3
zwBLU8Yq+j6Ot#xj9q76%M*sZdoA7vK_;*oqu6v79LvVboJqzt;;pXV82(SJ-j@h8F
z`nuY{2I<5#_2401#iE}YI-4PHcOQ6pGwrq+Ki#!<p+;Z5Be@*upV2%T;+qt~M#*hv
z7WHAMTno66#6b}UACmLmW;;<5X2+Sw36iZkh+vOx9Evx#9WSOze8*Q2d1M=3vas`W
zc@aPKzXxQyPYxdP;t6W41@?P7@AI)rSnuPdcVCEnJ9th39(-?Ygo!mJFFc#O7sw7D
zvc_3nLVh})G%gS{9h~vLPk`g!b~PTFb%BW!ywSB^F&J2!e2**I`U>b5$~zr$Xf_D1
z$@YZHp5yH;ixYuP*?a9<Hhy3<I#ygTfTW!JV-NkgaTYwG&ATEyujV*{ukJs|cNNF!
z#0c;)b$W&-gMCU)l7p~xYY?5KEOR;hQq!$Qi9EW-`BC;5N#F4Ug`1KEBy&F;Y;AA-
z?xZIpOn+a2*gVybBugIROLm8VCV1>+zkzA#dFcgAc{QE1L;!vU#)XX6lLw5;13g@~
zxdI16<5>szsvmLVR{f*Z+|S$2`0ktl@6WrAXzgcN>kq@t`WG-JJATu4IPWAZ0ZOA6
z(9rCgS2<d4qH3}-e)r#O;yRHyv*!k$za^<3+tA)5^MeWxJeIPbC1O9@^gpYq9pJ#f
zeR=X3N4pv&aYr-@KaYMqZ%4^nyB6{?P;SxV9l%{Q3P)E;yMpRib~JeWJ@!-Ek3Y!a
z`7C#JYxzYr+wW3#;->rQ^j7Xs4^)n=JQQ9k?F@SApLpQ8ZyY2G->J>H7<g^p8tV~5
zk9+B(S^BozR$Vjevt2-!w$+z)(YGx)$u;3`{}^k12H-t^x*Fp*e<=k$_|eam6gPQw
z1h|k7?}l-h;H?3u4C+N87epJ`oJ7&<gTs$U)0S9K4;#j}TiN<X;zByoTyU5O(iNn)
z{A8l7r%Xe$7B3ruKzC#dwvJjH*;9Umtn)g2UecBOJ1X=6fAnX3Su$VF{a^8O_zPDL
zPtNhjg6rl>o;Abo$-_hOWYG9T0BdQ0qh;Cj)Y}zr>{HJrE6{8r)G4=M$mRwB`<Qo?
zn9sof-SIjai5tksIXi&=+_w`IKkLY6&vfni=O#F1EHDgGWb$LhY15SlKg6r)Jlq-B
ze_wWPm&eMI=65$xFudIwj!(gBj;|L*V%M|>R8aeg2TFKW?p0yEPyFb4m@Bx|_>4Y`
z!p7SFgg(Wc${-TuI`CQQ!i*Xjjl}0SnBSybz@$tjj>EFtbYbD{h=mWmX5F+2T{asm
ztfyEqqf0ap+x$fKnByi={j`GA?>^qAP1^FB)@<5t7~eAzu6L{aN}K}%Uu|K{S7-K<
zHXDYPo}u+AEgF77eB=py@q-;J+ev%9u;O=ojn5ECyAu#NM%f(jF4HCP*z~}=dHl8P
z<?fBD?=jsbAC0B@pFP7)gBbJD)Ph%rgXX+Iiv<titU)RhlPgdsjNlKgS2LvqVci8`
z=8t{29cATzGHu|V&q_*LKK`}!=HZBQdS(W#rYK^v+HqHb#73PR-~x+}_(j#&cq+Ix
zG_)3{&F2Bb##T0&_DQQ~CvN{Re|)yxj{&~I$e!JfHc!ou;4K3i<-X;de5LMkY!hKU
z=I=_z>KI1{m(9I<zhn)1G*LSLrHi|%om>1T#4Gdw%<vh#t)S<d0Yv~8p++i;sZ2(j
z5(w<TM_gYLa?XcuHh0$4D@2v8o8`G-?!;~2D){njiH<N?MgRV%)oMJ!wv;XZn(4UX
zWg+Kp)u{u*j-(u>Q6?#&?Q8uyf^v0eJ_C1-4y_@tts9+<Q)!V|r%HInm}n0FBqa{d
zOqy)D_NrLYj_T-73Bjs+ehi;+OOz_?n-@1Ap#$`-&nlC{!6f-)E}-5eK=j+w38&{{
z<ehrs2a*@Br!<U=b_8Vs+o|mb1$;IbBEEjvW)d5_m3_f2DlQn^%Zpb4cgLXZ;On-G
zE#3gK`H@|8?OdEyC1ti;quKi}-6BuE9e0;mw7L!luP^fNipVa(N$4gs@=Rox`}}J-
z;dCL(v1DGmv;-QvuJ7zo1YGoDy*Mq?v^HG=(?la2L@&3u9X6b)^n?TK)I*`gZ+CE)
zY?@Vww+FuC4BV`q#%*?8zP}Jg@Ja0uPbhu+cxn&HgZkbI<+O3mjoBXvmpk8OPJpLq
zpW$NDP@*}5+cRF}L3SSAZ<o{VJB}ZLEUJE%6@cn%FM?n!x`!wv7hOPwCP2`B)^QCw
zaBIQ*n13=q7wC^T^%T8h&>CfN!I^AGb~6%e;76ma4Rbe6mPgPS-BAwWV%b!avLMyp
zB~)W6t#h%#zu|u<lHspA=6Bu-ZU;^d2ZU7Xl5u%23l*?8t(#VC(?VZYS*I?s0uAQ2
zKeXk;LeBR;<+{=n_VmKZZXR%dxw@hn|3wbtdK(;Qp^tK+sjKss?8ARu#(|qxba2*0
zrVJy&icF5d{a6$w#Tjg0-NR4nn0)!sty)*Pw|Em(?)xBgVkGQf%F0%}`SN>=@9~9^
zfcN&>#S74rBT%c~wiyxLH?9shHC1m0p5`Y3UTd8CyU256+iPA~(S)D8gh0RhwAxI`
zc2LjdVY0M7G#-bfVR@g?re%eG7<#Uq`_@8$)8MWL{Mm*2eFS`<kJF?L;5`3~5*t&#
zgMLYeGe9<+8v#UHnL~A?={aklXW_F&GpJHU^o^e7&su<KUJrB14&cTUen#-yU!nrM
zxOa=6R|#^h?POPp#>G!K^ezaV$22*gb-Y37b-X039)WW~n(Zs(#3A*Z7ga%{BKmc%
z-p(u$vC42GR;2K5Ins5C9}3^tpDXbb`o4WF2N4l8y*es;*kh}g_y*y{%rL>DqtLc0
zEPDIT&fP11j*6M6&37kzdNF(3CEqmkvt2}&m~@xL`Pdf;IC_RnxIYCL$uxet;JQgk
zS#uM#&2k(p;K<sm=bapus1B!F3m$W7!xeqHfjI7;PscUlhY1f1;=DW>C^T3s0oSco
zTMbTzVSGmt+^&=GPp5E4wo-?Z&+cHo$6XoStiGwJXmLNg=*21D2%ic8&l{dCcMk0t
z#BQy-h4ad>ztw`|9v=mh-+UpB{IOo|&BsHB{mO_O<-3+>bY=gPh8|iIsVENgw;%cR
zI`Z!@zxT%+IgBT&56nuVB#aiTeQ!t?Pbhcd<3DGT<sr$|`m+CBKvSl&1|5t8M-+v?
z8iQJ0T=jt?Jh;n9&#3Y}Jz4WTlHo{~3*vF{S2cZ0hYsAyE@!6fhe5U-;yh8z?lxfB
z(km5y9MR}KVSVp%H>_bN(s+!Norfm{fx}Q@w<nc!Y<a-9qsc`)N>UY5J=e~<m#?I2
z72gqf&VCmDcG#T?quUB&Vn;E48WkAA`=q${4$A&?W#(e<E84B~^M>(aRFN|OTiJjI
zskQsLXuy#>-!#@9h5f)C-6u<{grK4drpx9bS*366)DcV9L_{#o*PX%V!Q3mMsWgg!
zT9nr#W|OQYZH<X-*O?C%x{O<GSlX;7;pY2?FY=$lleAT@#XDA7rw1g<tLiTIy0_~B
zS^8+2pO7A%xaJx<O}4sqK~tDB3UNEBW1TXC-w%mgdOv=`Z?)ogW{X|C^=>?%(s6c2
zDCxlin=%m2r@rX&jqZr{uODX;B{1EXn(C0$6Ej<C!FNATF^x@M0+^Z<&$=u#ZjBsz
zK7O>C^lyCDErDx+F+KHOLV6Own-cND7P*=r2Jr*)NIE7OwnvYG2i>}T(DL5j68T-h
zj=|Z_Y;xW~w6pZ7=3(N`;Zw2F(HpRbrCd!v4~BU5U9A@Z({SZ+d3ic%v6fe(V{8es
zFooiJoin5gqsNDO4v})Z`ApM?c4iK9oBx%l2Z{U}-%Y{udQ^URevJ-iZ+s);iK)K5
z^~$9E@tOb|ui+qf1R4+&9R<*YF!^WC$I3<Opd&%=<l-H`?_q5F{z%PAa;A14)g8qj
zS*0+M)Y3R}1T5HxbknQzk-eI!XWjMYm1i`G;>54|VTEG6bFtyC52z3D@G)|~?}R;f
zjsm-*yf{NGctZ;-pu6dWY}1(qof^l^)3N1uc2HRRnMf!+Y7C+vY7<c?$*;54sdqow
z{GijGK$exKRz1s$FOdq>EjR^lMM6mV9Lr=>d11!415n+|nw-#v*hY#=oK&*9XbA7!
z;{D^qF6U(dH}|jTHQlYyo$EPX*%=08fj$W~;_%0_Lx<`-i_=CY9(&-O&DSWJoKCqC
z&b!U-+<vE55TXyl&d~RtYH~%RVvU?*ucJxbgLLsic=1ooR&Gh=8<8|4OF+lQN0Fr#
znz)OA6BlNKg|OU7KER+S+fbn`)&2$Da<D;q<A}l2S>5Kgyd`lIm*uE1pJ5nWpfTcw
zm)ToG6%WC?H&2gj&0E9W20_YtlARBE_@L8nqfoxJH*^_Y56I@((=Nx$qHH}pd@q^M
z2*6cT+<TH$NTG$sjx+bm<1O&qNQ%X4<)DaDR;_L$NiKz@(|i1Qkq1Gct4*5H3(s|D
z+<@CPGd+@6L?z(IfXo2Ztstrh!`oHzsh1nHryb9Db9RA<vKKdW$A@|Ht=~SXW}xki
z)w9?$0^+?#e1B{<7QMLOYTTCXL==#L)tg6>mIKB-`J<dUjo$8;duF^OZ_#eLh~Saq
z$#r;2azfL0+N9tTwyh0>*PxOde>sj&Ncptl-mfU8$cBxB(iN0M;--VMi_^pkCfm{R
z+kNC4QJOP@k8P-dt1?S=!)Q;t;hV#Gx&DOyox)z{N8M(oo_!IXtQMeON%3ahp5$1l
z4`W4HBANs0qqsxC;bg&O7wu@G?H6oAaQ9)|tdKOa8?g?zf+Tat^lh<M8A&hmxhEm|
z)dO{T!q{WjMWH7Px#6r#fA}f>yl*c8p{X<??Ur>Cq&{5INOoO2Q*h==U22Dt-eU=D
zh}bRX%%59!WxJf{Vh$TQUC{fN=R7xcyTz@m9IrmcHBUII7(<jyT|sCU<4@`U=8uZo
z6nT<$A3PB(&+_3!;J)(M&HYf`MvJLWR7CANLNR?9Cj><k2GZ63ptC&pj4Vhj6cl4u
zhvYp*n_Z}V<~bR>YZQvX*D9G0N<L(U-(0i9f4V$&+Bw(H0<3xK^gYLmZkOr2AYLaR
zns-otv{LXpaUDimo{4E7wB1BaGXfBHJ$EtzMv;c8whG@$U!}G@FOYIrJ^F(>F9P7w
zUhgbPt{zv_Cg^4wdKc~jH$})<#PJz_XJ2xdRBv)UFfjY~PgC%`xAP_GI*4nz{$2x|
z%*q0sHV4Mcc?!SLG2{qhs_ufK6ZT=FMpFD@HeogO0_E|H$ij3evs*+c=TM=HkI;&R
zs@Zmqy48cNJZ!%Cf)sbZ+keN;f`YcxhP&ClrS5f1yj`5G6+&(-bWoA5b<n$s$2u5j
z><1O?3%nb!Ox^28gtC*bZcH<aMnrC;neO0VeVM#<p7|s?AfFeIT_-(C&lNB%z4;2|
zk!@bGob!4#1<ZK$Ben|Mhn12r`kYl}zG&EN<wv^s&9!!Q{Sh>^9WohUaMd3T*ql1~
zTEOo-EpH4ljxOS{Z#J=;pFu)GJ=bW)IOJK~qPbor)&rr8VFIGwkGqog_^duQy<21t
z%u5w}jW(e<?1768pt-TGsMUa#D2*=Hx5~@jj!L+EXu>yFUN?Ku&UhMkUqZ>G^ejyl
z*G0z1tghF^dpUZ{+Xka7T6CX5Xsx#-&btS-huve&*I~xJENVmZNZdR9kEg*0_|f`k
zHCDB__yHGK2434V{Aa}~p&7}9tF%E^tX(9Jj$HmN^9gWlH#vcnWFi;s{4a+pW-G(-
z1MUZ8p+OO*Jgm~ti(||hH?8e=8Q_F4x5lrheX%<J2s%0;9mW+nFoaw;yY&nYv0X30
zL(BZnD6+uEMdQ#Sveq1kuIP7)?Msp1|0VEZnJQpmQs`Ay&i@fQ`?h3?QbM6hb0apo
zy7Mh@QzLL1sM70M{Qwu|bIiB&I#3S^gW=<NZty<4E}z=YJ~vu(*=q(>*m+eU0GE7j
zu|a1wBu=@~+%+7FZpm6m^W>(ED7vru4X|uaR{{g--s4|2_4NMMeCdO)6N7-F(WzZ0
zrXk#_vfZ~skV@IRtD~8?<r!>vGuXu3^?Y_si+aCy<bIB^af)Z|(-K&j4t&pYgd(B-
ziEjZDe2sjnq8-9_$xb!||MhG~FvqM%Btw9h^$Ck)KTQNplwTp+H;VwO-}k7G8f(c!
zk4eLuv#Ga@;9hyhyF*6_r5Q`~#Aq^c5jg^TgB+f~|H@sD9=0f*r)UDP#-&5om`?k5
zaovo})s{P6t@Ac9Jy*KTXP7?zD%p@3yzztwW^ed3!v;5jOiTM9?Kah)%wSNc{o%vd
zy&J1hgx7qycm4a?Y)8>g#_7YwM<UH72#>WE%O4sh(?e}7F{0C|El^V!3uk=nyU)T2
zs7wd+O!^3Gn@7Av2eC_C-=dM0>Gg2llqrs-r{35g@<$(9s;=30SsO^Nlue15#QaoS
ztudetRz^FN9*9%5u#Iv7iD<r4GU{v)DtF0W?0wT3pwC;j*SjSa<4AlRv&!D#GT+5P
zbN*v*mXGgoA$VGKbWPFh%{mUZMFVklbYUxlZ5%_d*VU&ei5NcfG-yLQ^)OB%+Xosv
z)X)sdzPCy-vABJ2s-WSI_CGRk<p5lnGLQG1kZU|S<M?!LI8(0RX}dnJ?;q-Lmbj~>
zKslXIR-mayx8ktGKim`66h?;bAEv*DyG%OMin5w;;If`jEgV#Vy5>1xfAA7BK0v<W
z8$3hG4`UUB0uvX)OpktI`U-4a;Gl7J<+iWPE4+5!zmU%E@GtVx`5J+)YF#c%&8{qy
z!wK_?^`bZ>Iehp~%sFN+>^DOmnUvLS(2+07BN?|p+m8!VJ!2dWvFMmK>(G%9i^*U-
zLa;7LK%4h{xO5isV<)PBQH!cM*Bnat(gn9-cescg?ht+g#n>Qajk$s#(U<CY8`o@O
z7nR{efdF12Z+|L+n8B@sg8?T5>(nXosr9`Y+4KXW@v@QnfhoC8OcAU)5!C6yN{O+0
zF@Nm$dbaDcGUT;RaH0xNf}|1LCVF--i49wqi(>+-Icz2Z7d0d`f$X~B3);walB+&C
ztia7X<m0R?%#s!?pl4#6HN?~s`X#19x1(r$3Wj6o@jyj*s!B$Q7)&ZUK?lEO-%pIk
z6RX=${!Me4F6hZC&HPwRvL5JP2D^a{>+<yS*r!lKG0w03E}-Vto8j~_AmvnpRpek0
zSLMY>Fr1m&K|zVjef0Xt>3KZ?4)5N<Kd+Wo*KVS;z_>!+Sbw<s{R`|FKaYC~#8#Dr
z-F*ZknCp*>@|AC%m9Ycrd;*`Z7x5iBz(ZDGZgXtPT*R8URt;AQOZ>)93vc#k&jT{Y
z%IMAtqX^H(ZJvIddYTe;-wpEjGjAGGr|*yqX+$`8qBiVG($pYjvanq!INy|`5xarL
zh^)l%s}IFfjlb+&1pfjfNTl;sMP|s1=?*v$W@?~6SLudwEifjDiw!1u%4&%$p2!F>
zXb5?e!Z{%lkDL0a&z&*)q_T;7{s@WXT?^t`h3k+BronLJgjQJmF?dL7VHqvp%HIN}
z;-k*xp2`kyvbL5JD$tJrU)5RQ2;^acEr{AuJK`Fsf&}U<o!@9kchnF&RUgVcjte;N
zV(B(mz)63mw;IY>vK*V(O4IE7=RorlL;U7-3Dr97lSxhh&6wNqs35E@R98l{sWnDY
z<m|zqG?t|G4Bo8XhMvQ)P(&VYu4wgG{q$z<8Ucealfhxj9!Oz@9o_&)Dkw}JGvlx#
z$$$?o*C?{y8rO}gL;oSfM)*ZOs0TjN#R{2llwDIr_c%lP+XCWB<u7B1vfm*LmDvz(
zQ_@tJR=<}MV0ny8(3~tXx$%XPrQvQzm^ax}`rNn`A&b94G+j?oA%;xPZ=%7;cqo)W
z$~bbtV(0x&idy#utXjHEJHeeTj^}rE_5=fOtX@Km=&XR|wEK}l-F|*DUi6v8hbvS^
zU#r?Xn&1qz|M6%4b*yiNDw;?PVAr)A5-X~U$#+iVo6o<C9KcCf-WlPfNetGZCJCv~
z<A%aH2@%hnDU~VdP8Lc2fcs)G!?h*mUpshLY(>MHXKzmBPU3ZqW=ZHNPI=|~ao9;Q
za*$8|4+HojCMf+0|C{H4d8gaQuR&GZCGp&aot=Xb<Yp|E88G^M>EYUp4lEP8$_e#(
zmQQL?<XBnMk|@b;YsgZ_Lv4s(`nZ)Eq*RU)LTN2oN4CepHIu6mZQ9P>{$>v<>37({
z@mj~d8h7!28akttT}+ND7B#w7yPi~5wfnCc`IlwIUV^9?;bj&<fVo?>ta${<94p7^
zea?#W-dbsv;F2myzR;>R=%?EQHy4GWRmevk+jhGl9o8Y8TILVPH{*QfnFH$54eUSl
zBVJBnGN7N2B;A<4sWUT9f7t7kgTU7Tkhwh}hbkKjjkDpJSyQ*@pep4qd2Pr#(xs8B
z)XfT7J#b{7LZqiO`Os0&HiTzCzJx^iou46UeBIgnWT16j_nWgZ{)F=Q%NixLA_~x#
zyH0>k|C>5R28SyvkXc@ls{BNv;49zQCuG`QXVOw7&vXKrSvZz|%*OvXsOX`xdOk<c
zaZX35t6IlQJ6Q32kPGXJEXGXksVI^{X{Sp9F+L-6Zlzc(99m6F6NY32eLb~fn+uGR
zjzn#sPCqpmvIn%T#l%f5pDH2)hNQu8A*D4L_C#<)A2HI%BhzM8@ufuaq!SrPstn#H
zO?x}2BPjx)3st;?$d(ckW8QF9>hW8PQ|cF|8j_TDvBb5s)_A8nllyM2to%qzx@|~W
zRr+delT~VFL>?-3<*ixTn6Y;C3EnfA(m~ELabBoTk@UIbAAj4Qv6ti?grq+QwPbAy
zAJ&XQpuc<S$eE>I)x!x+>xqOP()c>tbBayr7SRH9zQ?e1Ugg)Y`%s?B^mC7&_>3OJ
z6V4CJiKwN#Cn^r8Q#Fx^AjxDH_!a)4K@3pPO&7|kL17CCmYSR)r3<P`#RA5@pEzs}
zXdVRIyvPU<Hpgn|=t)3+bC3PUwf(n0(8L{<R!S(LSMJrsmR<{d7oPY&F~nv4W6pHp
z0KS-EPqZ6j@JoZm66W?m*v*iS-Y6`_Se+<k9L|+u!pc;`H!Q2*q`AxY``qwJAGyPb
z)4LM5miH)GG%i7$DOq@bn?e6xViQ~JbPTW*Y(y}up&|7;$kuBFwGP%YrS0UqR66Fc
zv`&r)e0t2msb-(@el<F0zbxX5u15<KmSn;EIBQB=>MB4Kp*Lrkk6vZVS2N23gF4jB
zHo=tbfa8$=*YN%febqW5De6`e%t#Hi4OmPO9%wZ!OT#ADiQY6tdZ#SGkx4-Z?4}!1
z<*;SENlKMQg6UCz`ZnrO%9e^#*62^{{}eR>OD$ZJs?d;a`ayH(14J}we^PsL9|-!8
zL+-tQw99{tKFDYlX`r#qynmF6b+~0@EX=-PtGE4S%`l`zJC;tx^k^<qsXKS0ZLFdw
zF{-<<EIl6@{LYT~gH(fjS)vz<0@UYK_;%lzM#YlSxCW-{AFbR*`a?^!IJyShqLG8<
za<n`295PWIDl`aSJ)dcNEBF6p3;i+kJvh|0laQnF9P!Ry5l$%Js}?zz73wr4wXho0
zC+`lI<<UZp+-kL5Uc2WA>G7o#CVy7WPhilC`9}1e#6?cRnK|+F?Z21qKcPg3&rroA
zCz4Krv7dVoP>OitV^9$^hWp_sZj{+&-DuN@Ze6J?q5j3$hKh`FqtgE_23ws}e{>HJ
zifI?W*ZB-Qrotr(ieTr^&i1;PK1_hvy?@7H{ub6hzy79@3oK=_+K1R_tj%!Kq{VxP
z{J*ykxuC*fX_;3ieZA0ptp9KCC=x;8s?ffz;;sC@tRx)dVpR;Q_;&EGUi|mr?*=|(
zw7&T}7r_7L#{T~X{#ub9U+JE0XR&~WzfRHrDH60HK~Z$r;%ci9DcSOu6r)aZbHNCW
z#QClYwde0@+CcSh$u$wC&EFaE@dG!UK>mnPp};&55A^#=tR+O4_qAH<|I{jSFr2%S
zM)h?52%WR5!AdQB8|`L1lgw5gCHWyV+ji!mQLY&S7n$V9ufE9oqf>9Msla{zS(SL=
ztRAE4Ll$mDTMO7({&-=bc{Nez(W~)fVZsHs)gX7+v+v+a`R6;0=P_^^U9L>^?og_}
zL$nXC{vs#owfNNMhML%ak2M&bC|Dj>#iCZDobdD~rA~%=`;&NR^+5%!2nhD>joiSa
zHEE($xq8?pxs071mmeAaU@YfDo9{Ln>{k`KucfuBVZ_%n@Z2&~GO(Cx7S1Mb>Uyb1
z{i<8m99wp`cR+=WB}lDqSglbAv9Z_m__K$^a(yRP6bTVjd2D^#mzg&bPzse_4eN!p
zJ$2Cif@=kac8!aWbA3<aTOM;C!N0E9de2bI$4EVUBl84dR;L_{PWlfJ(zfl&aw5Ww
z&&68`Fnv#(@pHXFMyKA#^DUrya^n*ZciDe$NRT)!yUmWguQ|^3Hbr6vbK3)u-t~t6
z@V20_U}OBr1AQQYDRp6nVlUJ$@_H?$=P|y=#27#I7Ok+ZoDeD=#$R|{H*?DTJUb&<
zo>5L?SMK_j%3v{wc3}kMzc~8oTibqNqsV8AO7by5-<e-4!H881KJD%7Us=so8jhS>
zr4Z#Q4Z*IP^xsoBcj}Cix5WMZg)=Ex2Ob{kTn3THvw2XAnz1t!QFC(E?Ke^As!SH7
zy>Ehv!L6=rq22!2BrUJ+oOjK=_AjQu86PVJ{BZYN!VU(K^pqG<#+(=Jr*1ogyV*_$
z60Dxz7>mA`(--@KnWB_e&p4gt@$L+GqnfI0>t({u1ngESE<43YXFGKqBo}H)7eed|
zJhYO(Iky^CxKz1xBkOwz=r|ZYsFm<cE;;<jB^}^zubgeJJ5bjz828wSvdbtmI;*QX
zVc!s_%`*wqUf1;H|F_DlJB6g!;zdb&lVI{@;^_x#NgZp9)cdhK)D-~~66CuHAC4U3
z+4=TNw$;+87j=kEfsFMn_3AKsP;FD_Eos&DJ}OKDzqk1ja&bLeTdFF3K94*F$zWy1
z9EJHTeI8ZVnuG-xT+mKr1XZrdXKmV8%l7uF&!>sXccB4xJ!9gx)_f!gg-Q;G*411K
z&f+!1DEMsBU7CenI}+L2%w&PEZ~bIS)Um8RTogDOv2<QRmR@BJp~L|JFijbAmT2i?
zmfP0|Ee3;E@vl(bPxHdMGg$+_m70dYW!W)j`%027drU3o`@ZaUb4uX6ZsC|kpTs4L
zlN@l^oJhFp4Ud8AGYfrkj@R}~yR%jyq-?z(U2+s0HPdAa8?gE$Ajkk1zD4YZi!St{
zLULbnHM4Y2pKGKh-GI|yr1FeCb3|<RLWeH-8XdpYEBhKOCW#>8eOkWcv^XIf%wUC3
zw-vVvF6$N!ld21`A-4Z=Kb-f4wD9>39P4Sip{>7FE-DmM0wZnTe&CnwF^g$^`Mz#v
zFK~O&b2Bszk42{7xW5SkQ%Z^xB$<HXyBvXfdT7!I9nj@Uj%@d83!a77cY|zNkYQS$
zt@w7f>GEWGmV*4z1(AnIe$dg>W%f-iI8}EO!2}=C->?nMy?PP4JJbVyMV6VxqdP^|
za)fSf1_-`fK3yH2Mi$vT$lUEB(E+hn?Slq>1Oiv|1EW7?*+(3_KH$5RjV_tSht^)n
zsI9p^lIoI80VM@b!!%R`@mSt{@N1>UdpbU7xu{XmNJrVCdJM#(BXOrVW`O@g1^rt=
z2*OJDfu*&tR$OzI!YD@%XRm4nq$gKmS72wXC%^Y7M}eD`IZ3Xo7QXTDhaA2pwpia(
zYrk4auqO3Hr7+cHiyHcK=+SA$q`$Lb`RLN&mY0B#EF}5e;PRKQDF0EZ1}lyly~{!#
zK!w^;uGMyshcG@9k)a@e>KAVCVsDc@3U;012)?y|+GtU8^P;X#%;Jy~WPQ)PJ3fqM
zsGRzq);d$3Jsy3h#>1@<0<ej^-q(Zj_@b9AS0}*TvgbYWW&TKPx1Us%uD80{9s9%Z
z{m_w|uz9VocNQ0o!^n*S@sXE>ehAckbEf=hRT*yPPTNJ&-EwBx@nlIJui6_OzZQOx
z9mreV@&EAkmSJ)B&f9QtcXwFawLpOucXzkN-KEgt?(XjH?(R<U7I%kItjN2)?fKpE
ze~;t(u)Dc7$t07>IcFw`4H&p=C2Vl#{l$0h{%EFdOgH`;JL|epzK+XeDDLlH;vK$2
zOdG~ea`okTKf!IZT>jK}r(uN!@wAicX}|8q6kKn^<oeYEVL+Xsun`t2#+~}S>qPC-
z&yMoVkSRg&nh-1IpV(fP;V_XbiII%`^{<)%vd!zr_333T`_~Be{eIpx-l95gS4;L=
zC{@BWHawgeivhkO{MDb)_&aZ`T5inljP|kDfN~Vk<F6MCPp4ho2u)i`l}VS=!56(I
z$)9k%-Cty_yH<kkFUS$>&$*aI&B}U~d61tD0?lH7a2gF~HVwvkGxVrWzkYZ`P{mw6
z@I3FpOa62aY%f+!E>OFlCfyx6Kg~lDXwRG0sj2gtFYWNXbCLC;?H2gy#FJnA`{`uO
zRRoKd<7n&sOC`d@1CpBr&fh?F5uz_#EyzcSOs{X=j+-CA1JYg@uTET=UPBo_kUKfh
zzZ0;uC}Gz>h0v?66)DY63~RY8sB2|qA1uQA<%ofBFezJbGI&VvG}8AcSm@cYY}B1N
z2{dMOluAW4b<n}?XcyiX(%9XCR-7ntr3`tK5vfAq=xEAnw8+UH&m(y2_G))QXQ2i=
zDATMVcIp>K!s*0rvC9J+8|+%IxGU8zM@Y^^85&r<ymnmfXKqmSRt(7re+(jArt^0P
zR9|e9zo&N1_D1*mbd+2YjF@xb?P+9jAZ@;U$^B`kJbPF_>m8A&*CRtl)4>p~`wvC;
z&JXuNUrjrR*(_5+$E$wg-9F985O;?y;puSAa1$gy?+!29%0cjSu<E>oA6!+^dk1{u
zvK#I&hudg9hl9tnkSUKwzI&HGmapIdSml8c&vK@iDl&;q=z5K#wh{W^uzO&?_duPS
zb|MCRd2xT7?Iv@%?p?k#3f>%IbS*Ye6R{qYcHgy|Ccj;MjR|kw&I-=z9X`kovhub^
z)@>OeFY#j_==hEz4=nzMJd9VI4UO0pnw-rCCeL^4`RTTXNcO#x!OQgwQn|w-a?9=G
z2@CbH;RgNvIg&hS)<`b7POwu|OH!@f9Ok8?ePQxW5U;)%gQf@uf3$(LC(&oRD!z;Q
z5M~c}PZAIKrj_p!PlsXkvE&=x=bng<>z|Mo=1ehziTf&aKlrjwaT9GhB7Uys3o9n}
zL_bnS7Ip6{qCBmiQ~zIh;d__%%lS5(vUTO)>bdwqs?WeSG@9cu&zeL<7!u+VI`OoR
zw`2TKzWbdSNq0~4Th19JN}twwt=aLO*v{HsMKDup@Tj*|jQ;r!riCklc&4M+cr2B&
zwQH3~5!!1}pFbJ07@Cx9V65(IIm=Bwe5=t87d~cE_VF=ZL?h?$u0gJh%w;tbp^ulc
zm}pbokg`T9o{uzdfZNK!nPen3ExWSca0rN3bt9=4Ta9xk`oO`#k|hO@1T&RMg!4Ly
z4se%&@krL5?pK^tKU%zb1b&(P21mpwSZ~pP=9a_#B?QPIJ&w$rX~$=t+8EfFP9Bho
z)Igk@1Nb(jT#=;2useCO>{OZ%X1-=meOeO;ORdy`<A2k3Y?_}x>X;AD#o70b1%*J)
z?(N&v^kRQk-XX{S3f#xW`Iq4B0G!uIPuo`b?)GOMP~hOz{aAAM8~*7^ndI~$3$+Za
z;BG8lyJobPXQ`k?At=6%O?;h?lg|?IAC)^vMs?t9!%Xl@;iQyR)9Ux+`u##QU<*Cf
zbNZIlUteJ5?!U0_^H3k9HGCd%gs41IPQ;d(U16Wmv4eA9jI_C|<F}2*ff&~txa<1<
zp6_aoO@ts#VdCz)6UMHS49(?*Z@f;ion_j0vE!{A`lX7<CiaVOE|Z6s543gf6eWJ-
zr+3U(^Z8E`yCD(+E-7@)v(V7f{-REQ!`MZnzHW@5>l;b2sR0=S-04e$cnbiCtI-}k
z(<sW3tS_;EM_)+Jgl0ei!`Zno2L=Z=4P!)XoUsn(Xa$+yzyKx;j2ajQD%*HZqvowi
z!5$so2a-M+q_pXS7}}0!9~<lJ-41;25p$%r+JgFM3&E9_5isKt-=Ig>3}=LpLUUXG
zCf~+S7ocNrmJa~c6{($i<EHBiw&)6VscK>m*3hAZ^~oLOi_Qlq=wQXecA$NNuGPEW
z1;D!=580FrW)=Z}S)P`q&3=`lH=t$r4e?yc?1LPx?81{s6hW=(iqV(G4$+CygU|T-
z>*4E;zIfj2Ka6Ud9vqU>O(#U1mLqY9^?hD2_<gCoCne|4C`SaE_tbw1GQ7b6r}Ril
z<7Spa{#sb{r1H?g8aPch#Q9l#P}0?e^>c2C0S-)dG?wNtP=w}V3ex-bVEwZ(;cDL@
zWF7lK7w(5II1U6mu}`N>C#Wm;`S-_i#PIMYyKz^!X`&3D^GSS17<P^5FTc^-2|Xvl
zY!@ecW5j|M&_0cX?%M@MCy@anD4}`8iAD*+{Mz_j`8FYST+eHrSLz0^N9#D&7tp~5
z56#g(m`NynZ!32{>}|g~3DzGn;eURIyk>&%^w{>@eu427|6NkX3+mFCMv1ZEEYMxU
zRP0&-a@9K7-~NZ&bYOV4IM+|5Jtx)zHEMD`7s=lvq<@=rltX&lH+VO$jzX8oSP?zU
z-vRnU)AhZI*<*}SdI{Jug_G_OXZYG9%qb>PCrfIXjtUT>A!8#cm0*<y%*)I?X0-OU
zi0*(3L}eVJc9tP|Qx}}HQpq<|LD6JuS{4s;J(?%RbfJUaSjq1t=$n?wrA9_(`YgTO
z*JiMB>OX{>_`aR0fhHzD5Olh2^Kh5K8;>k4df%QI+eZHEU2X$BLxUA%$)AlD9dC~v
zWjC5#mRro|Pita+&ox=|*$G?tbK}y|tz?o(&WscegPsE-+eq=`SQT|;<eB;zr&AN(
zCbupLSgy2kf)7L`(Y&IAb6&gCJCBEsm=<zdJ6uE4{@4~wfO*98lg7y&hH@djLDo+Q
z3rWd|usuh(cU1^n4F+nS^^N>SIm?5iKb?0oD++fIq7C8scXJ=98ZMnW^4dvk+X^Gz
zH>o;odj%KSh2|r#BH?_y=goN8LzR2yD4!)mSj~Jqs92ok7k%o6YWw(%)v|khV*j;E
zdxwj^6FKw~(TA?_A<Q&AuIaVdpQ9e8m5=M^%oi4|)svBoKtBx)#7?|2VAB%rnZ^(C
z<K>Gp&eJ4)uUpoq?~QV&H?u^wOT(@`XLqlId?zOD8@j#yC{KuYwhM0#(&cwv4zLYT
zv@AFv%V?4goA$0q*E<mr&O6}fA8G0oX5cud`-2beuQoHefaR@7DcZ?{($A`d{N8S-
zO`<Tw_dD;G_xjTff68iIjUg}t_&$4{cAf;ex=obdG%ljgcuhAVW@sDd5u2(2Lza@W
z9uUsEU&*+?p7r-N)x<u!)=sZ^F`r36lep#J{rqIi{&X{qvh||dG+ec28?dD30d{_<
zbJ~3%=j!qc68{g97W&1})_zR!<>_{Nw3sBb2rHD>Cz4d;lNb*-ojPAVqN7BZCLN5w
zg1&S0#JIBbM#4r&@Zk;2n5ei$s7dydrRbsk#wrSJ0~FoaKP*+CA=Njk1lT~iGXanj
zac|g$eG=6SxuvTR*iFj(Z4O%WM+sXZvcS^z=Bv9Wdea619axC{A-fSTaoNb}SPhLQ
zfI$IY)lHTB>ty{59Mc=vJ!Xc-iq3L{qd&$n|0Hfg+k6|-lYw_TYpY+@rfZv(jfEq$
zN|I*Ii6>6sQXF4&=5@<H?Q5<Ioy_MgiGZIY9gyLqHnmbi3xv|GscX$JF&X$gFg7v@
zrs%_dr>2|A+3b12k_{pGOgqf#k9ymv0bEsNB;f`}*Do-7WZ-aOu>x<oW~a>l%o-5W
zP|dzSv3C%a2hUHgWIWaFGGy(Qp+mDjcX)a%s61@_LHY33=vakyW-V~)1rmNzR>qJI
zN%7n=lud9Vi+v52PR-Lg65=qG-7MXep0MG&L5bO=3QQ$%4zZ2LS;Ogc^kJ`8Qol2U
zYd5iFZ+&BjVA=t7T86c^iLvJOih47@q2|8(mB9#gA$x0OL+S8J+~Hhw!!RO_b6~?D
zBbn!ebbr@Y)ki!+PKi6o)-?)TTN=#m_g3%MiEK%Pwpg;?C28zdBIK+aLKQU<TtaK`
z9}5hce5)p|CJ}5?S#7S4pDs`UUCwrDKH6n+KZ>={{{sn$=DTLi+4;|%`_D}|o@oBv
z9-qwZkhhKzx}%KQ0wZ1Dqnc&9LV~+|$Z$MdZ`p759w;paUCTpY=d0^_kLus&v2q97
z^>QX1+jjW#zSpf=t~?Ih)a#Tc<GS?WzB`;*^r~<C(jTE)3T!1<r8koKc?0E4nWg#(
zx0hh+fz@bsrnE;;x>JE>!mN~_{i2E4)%}uI=PHt2QGFxgtZ4%&)%z~ZEM@*oG{!qw
z$67ngA1~c+_i(G;*&M2)7j@@Yf|G(v&Ion2cMNo#S{Q;o{SrzM0{784j-hvX)63u1
z`%-|Ags++nH;h5scHT{FxT##7-ykh9r9%i|guRfn%-kCAzq{3PYj)HPBet2%;ERf2
z(CR|?4=IUul}Wo2gPaHt3_R{8Ef+)V&$r|<M6?iL>siFklurBiva+&>pUmO-N}b`u
z+o4mA03q+rWHH4nz#xlpXIHp<d@&&q91WJH1T`Ua5shi63(MQnEv1Nfj-O~8hvrP?
z^8IL4oixO((h=YLnzCnw2m9v@>OPxan2U=*vk<-+V-?{ZGoG&?FtVJ5HxdY7DKGT(
zC92#xaMaW~8=$$5XdwtaR3Nc24GL3bl;7170iekgyPz0RrNvDZ)OK)*h3C-iW~>EI
zX+|j+{FGj<27i9yIyCq7{{S9GrRryTdvnvPjw9M5S{m#Z9zt9ft#QO~5!pZ5y8ulz
zDKP|71JLa2uwb-zKs_#U2i&J<!_~SYW<pp@oqDizHo~EGhX`3mA21#$PMFjbc)l5I
z9*F~H4yHY?`&5W>)IpC}HAOGtlaYQExw&Rb`EDGZ=BV<s*XZ-AC`9d2#LcK4n|6yX
zbVHyFVR#aQ=-R|b^Bf8KpQ?wp^PRwV&<Jv%J)`5Ff<8)XiN~JlBzY87!KRp!m@en~
zXzqX311@IqiB3CH`D2QHvuXPJHKgbEiu(K8^$lU14n9V^j*uB8Mv?IM>7k94J%XPx
zWff0WGz)QgC0P52LS{b8L&nj~IY*bWcu7!*5DTwC<nny*Kccc&FOD2co8A$jdMnY6
zfC89^FeRZ*mc0JBC-A-!V(%*cz=^gWQRD}v#jY3A93vg0ttw{Eo~8i~S~2vFLz|8X
z9>-8{QWN$iDkAPr^;7Q&P43-^?9B;bt^=peh@nMJ`10GX29?ue(;Cg3#!i1*X6JGS
zB_CpRCK1w;LYF-M>8v($2!C*GKe0r-*f!6jsR1)F7F^Q_g4^lyh>wjL2}H)d(?Nul
zBL^7;J;+P*lo6k&ub+P68I6;ai8~2HhW1hjeX`{#7uA9-qKOefMfcU5ioCL;I8j#M
z{_YfyE7P-QVqm1jpcPD?+g`rp{y0)!AB(qZJv&sE)BW4x$q5Qrs*2}Uq53^T(t(c8
z#@Rc=k#2IJi48C^^n|9n|6Op`#n^^1TID2{2$RM*pT1@cPQAHTI@h9By~QEUlE$l*
zdQ>;VS#-DP5*-+24L&%Vpyuwf4j=U5pxe&{XQNI%Mricv?w7~BNUrsJhAatdAx3#b
zJY=N-p4@1CxngD5LlPMR1f*7j&RR$c(b@uvv+()AAwK9yShKktDbTg*S&Qf@7{_=8
zwOpe<;d0FQE71&QDJD%0hj?}jfPqMwVPAnL{iy>5Li19DD}=Y~A7`G6SqFUlYq^1V
z$fi$vX|teXhjc#Nzsnh?s*S5(_pJ%Rahc#5z&rKQGC}1&n4f%rgD@)lz#UTMj<4vI
zYIopM!WttYUlfLi8JmHrwSHKDfChmP7Be@iFc7ycNW63QVmy-=<h@(OZg2NaUeOOc
zINLuQZ^CPKEQM*@2+wGAj#q(2O`tc|i!%WIaBPHvzfzjpoFIgKnHdKEW0tn~mr?!<
zxf|9fSrVv%{U9+8rx>)T;-2#~{(@Tpsh66^k7+;)jA`uI)vtb_t$xp#<sHuKWoBXt
za`0>p&_NlqQ#U1Y&?u$`hIo*j-%@2)gM|sa^ifgCjAX;V{J0lxuny1hTv4Jh$J@+9
zkV^7{$v2oGDp`OHzQ`GU`~Ie2A$)E-(7|q)amNOuJd*}0Ft(3lA~yEUs9F0$oNX7f
zpM2bvzzZI_F<1R_gUHory-kVxJ(X5F(7e<C?sG$JD8H-hi7LZ^R0Ld{+3N1&5VnS)
zxz)*xO<dlneePQrb}AH{)}eXaPcGJI^l7(I7Dnnz9VC-NobEK1A`eE%Zy3!@FNc|2
zFas*K1%;8+ooqh^A>n*DII-LqhaM`nI4OA-y*2hf`%!)^uq?oWIO*+T&)}A04uz5!
z05-JiR!4QJjjLj7Rel+x0|I=;Rpytz*pH1$#-9@5i^MI$rtk*q*5prcVbq4$pXwMa
z_%&(dMv|Xjdg=O{58y^UwXE(})D=&TA;6}FOpmZxMi|hMp_>{RG$O*(8E50DdQ+9#
z8Y$Q_$g1*jSpjens0RAR`w1?Ca}-0)Q<GGS2q{;+R;DKNl3Ly~g%S*0BF69v1!(kf
z00KM<2UVcoyPn?2iN_*Z?1$%!&V4CP!Q9|Q3Ii5Bt;mEUSIo^;dqRV+ANd+E!OV0-
z(__KRsf|!Z9zr$SG(s?OQJaGEl3P#)<0Lsm(<UF&#w}ff+KsubHe?kgz6L;}<B7a8
zqW?6YE4htFA(~*ABkn*M23gtDI~VotYguuDRYDIp<SxXH&~SvNd5)-W%ZQ}GG*8s}
z9y_zGudC0DgX^N|Nr=xlPH$1VT~sPjIXvk}34#ai|575LM$d($lHjY=VKr^w#BYYf
zV;S$^pW>#bWj!FKV^d&a9SUqwo3ONE>kCVPMTW6$pqINWheaDzflmw~&6Baw%v*6u
z6beP$C%|Wr6ndmeLO+WHLfgXO#I5v|KsOM_I?>HUXa_*?iq^a}ntE<!eof~Q+m7KX
zr!^&M8<g<8Ho~DcW7*40$@}T=3gK*%yB1$+T3zRc`<)JS@$$!lfI*&tn-Du1t%Q{K
zLUn|VvjtsQRqRRSej*=nX&p}iC#wf$;p9mt{x=Kg@6?u%R=OuL%PMHj#yn}~<kafG
zXVJy|V2cq<IIi%G52*~cGrzFZ+|F!B86d%4I+5GjUXzoswN{IiG@g&XUDhv`q4OO=
zavfmoetN3|nEE@DtpKj<(*qewon%kyYe=~aB>6l-IUY5@8*A9Wh@NohMtKw}-0%rD
zv=9pBx^CJS=bcv;Ko+2#H~nF<#=<pL0&(Wi9{`QQ<j)k!HM6K8o}A2q&Gua`w5%6#
zh^92YqgdFV4du>hjCAt+@;Cv~^Cz!+qo3Lw5HzQtCyPSjmw&`Vjk;I`qTuckPSkDb
zin_@&12Kb6Id`7`94FCpc}4M8;E$<FtNm6rWIGAVfMMRlW8N~lRf(z?qfK4tqr{xL
zQ|VWMh;u$#3=y}w=+`Ko^28;2@P47undeqL7q2q6B(AP#Z0EnzBMCh!WGrOclFU2l
z&K#|{)Be7qgVtI8c(r`BVG?i1g^eB7MzGLv3*L$o_@6w`YDt972a3vETAidJVceES
z;C@reL%gJ0#Jw`kVvMfsG~g<{K*yvXFbJdSq1AOLOGFP$=7Z>mo}~hVb`pgK-sJR<
zhG8fU1QscbkW2gKvT8*Wel~W*wA;nSDl$kkibidSK4htq|4^+_q+o6s0ft5^l^7yP
zrUO0*7p98-#6F!uy;!Q{7?G^WlJ=31XMXvX)-@mFMJmI2?W#w7BY(nxSn@i-9~w7X
zR41F^!Lkpf90@e9{lBIBKNnt8Simo|_+ouM{qh1p7prrA$@c|QJ795=28gO7jmilm
zM^fmz8Ka)%?g<Jf;1RdTr>tNM92fNTI&-mK3@A^G_5FC__YG77V4|990ap`Kh&4ww
z1X%^Q{Uk00$G_;;!LhHy?Kn5E63ld@Zo@0EvdVk~X7+Ur16hYCEQF*n{EM!Q3$nj`
zlcAir-NSYCQbW4~t75-kR0p4ju}%09H<ip>H1YwxT983nYQmX3)y0&PHHGY9^aY)h
za%!{AKQ+V9=!_CPnh*nVQ;Q!^HdAQ66-LZpG!bWEZKMVRL4o|EzPg*_y|eb1$kU;L
z!YXHzuBjSUC>Qx~GC(N2)0$`)sNQbd(p}M`m;Tr%AEuFz5WLDpFGEskgAOAO8IQWN
zDd9zqk(o*V`1m+0x!**Pup;kG`(KUeo{i?dR2p{ny>@8E8O5+>*|liwhbN=H8=j6d
zJka4Fbzwb%W?p<%6qx6HHynE);8h1bgDx*hXmIM=8Cng1`1}$gN3KT2R+oHMN7duo
z)sh^NE}tb7T#(7JR`B6Osso!#U%C*$_}*Mp5NmLd1WoZ2V1v(vf3EELv}#h$bXO<@
z96$|2sEao4guBK?w{IFT+NHH0d0Yhm;xqS(TsvXe`?Tli#y^gvV&P^q3b+v;WewQJ
zG6<qeaHi9z+*9Q3hU_b@nYB-<KJq$$4TBY^Fs_IYamF+AKFSYGJ-G%77lkvKU}(&-
zo8QJ;i+?w5P#PFxsaN2qtKdZwRmSS(4ZD8l$*hF+9pa^li0kdp7lQThlfsL}i$X!^
z@f|JOcoXGehVE`9tnRZ>E2uv;^2Eodh)xeC<_D^j0TKF)%HRcYQ$#Q|rE2Zlm&OW(
zT_GEm&dD1!5j5!>1F_V!O<!~gwe4&Pj_6TzxdMo$h2Y33FFTZ_!R<aKK%FsO`5^aB
z&4yBN5Oq-qE~$Tw%;H!b`MKzRMr+kT_Nvla(PzFDy>{yb5;T|HPD0^;1kCzJ4U<pO
zgzO`YyqqfYUa_2Xn9@oX@VrX*dQ-xWbea-M4Ulze+6PAKm+CgzXD;P8$p@NM@2W!H
zy5hBWACZe!#F>kS6+9<!OxB5qfTt&ysrY>yE=+EmQdat7tLgs`Z@(B1-#ZLnx3ebp
zTVs*T(HTmyxwSAXsWf1K<jHt#8)Te~RY|^x;@h<|!RKYp_3=9~ijU#Q9p7%7mt7*c
zWCvK)mWGZOs~ry31x4Sfh1Tk{8Tp%si?O(A^=QD1xX8~(mhfhw!yOYfl&Jn^cu|EX
zI0jReMsZIBGlav<5C%tb^H-yRHW9x*Dt5dy0gWn_6GzhS^VwsxKp%~cf%|t7EbURj
zM{$FR;!2p|>G8`aBd-4)jI}-uNhQe_D_Gl-qtO?NBmh0;`bLR}V@;*#rQGFPD$<DS
z_pJi~4vYoaqL;=c_WyTk!=Ec*GEm_0R9P}m+#bjn(gINRp?js3|1sWr+Q>j*E^S*C
z;=e7%B4X6Azam!8{H0TN!U7d-3wzHtq(`Q|^sI*hUE#_YeamwGx8|>f6yZKPKR4Yk
ztMh^*MiAflJqER>1#;IeIJ|aeb#?W|Zn!1Dx$swTmccb#i96dv#1Git{;UW|f#fbM
z4Dr?WGh{S)zTNLtH_!nuRD!#5|Mb<SP3e!5D3HLO_q%MlPZWQ9B_CEo%k5z{?~eei
z%`@1;jqqmjg0<iJC|+KmyH);!(fj`^x{nwGB*FVG_f?la2hRU+XaB0@zfDw+hYTpN
z`^WvZ#S*AMjaOKSA;`ZvaWTl}1xb^@vMu^Ifq|faYc^KGMy&s%sIXtH8K$T4p7H;9
z;eRt&M*<6mh|0}wwh}wG_}kh!sMZ2-71E%{vkK`|4+c<Ph+tPMP2}Do*h);hthk^}
zb+H1aN`uF{v6ig?AeLvWJ%T`~R3#|7I$7i&Lkf)Y(iKvL?<22Jn=WX8!BHuQc67sp
zs!WAYBm#-QefuU+R6k<kglcHiqC!uTD7C0v#;~VET<eP~WdhGouB;K{rZ*|n>T_Nt
zSKug0>}^A!DZAFD^^a0~X(fB!Q%+0COZ^(eZ+(HeZ;F@DC5>BETypa(k@T7&fGPkr
z+U+dm5tEthk=(*UD5hYOa<=Vt@<n=NZcRIipFS<G1`<BCI=*5}NMsIesL0}*S1m1m
zHprzc<zGDYF}_UwQ{QWtK>An5WN}gp(xVz!g&NfKXeHL*USs?PDZJX350FA=UjiYD
z<Vs`u1*}mYl(3#ZcV0sI!G1KZhL7`a_&|%TU`pR>fV-v86T+D2i007tYW%%{E>{9Q
z^b6VMof3I%0M0y1G@~uQ7=r_k;?#lpB)T|HvT&Dz@A#RTCnki{zot9`425Q*^nfl9
zuDB#dweLA|RXnusJGtxaH)-c4l(Qnx@9c`TS&)KD{RHNv6%ENJ2T$_+Nk4B>(2X>V
zq0|~}3zktjL-pqNmP|coK<Ok?SUpFEPE;`{iP@Tdal;NW4K<JeM@np@_GeD@-}U?#
zVNAwSnnc}idMR8#5vKF2ixi}L&aTKXFWFxtQq=%I?3FKTvI&@?almZHXVVI*s-kRp
z1<2A1(jy5XWf@@~-j~d6Q>5$q>eL40l#86ig7+a+TF)bNF9li`1)p4BdNNpH|6CsW
z5o{OMU^|-ZYc5P4h@n-ipdnerURNOc52XM(88QY+gYgn9J}fZ&wJK@*mxEjWzlZ69
zwv~rd?z==-vewDw#cL1@N)4VRa8pmDC^rJLxDSJrSv5V%Bq*U{<TNVP&7%RVibIS#
z`X-y2#pC@N^bPNF31Sit%-;SOwh>YPCy2WgBxRx94h_IT{r=N}5s5INW$W%EXbH|N
zr8wN51ddLDX~}p2cfAbZH?!4D$|7b^S}92jiPRtk=kbjuJO#i5d*bBqHV_<sr*gS8
zTD`cw!qiN+@*feRJum@11%rICct+ZUw5z3JaH^*62hI(^^#)Eznz9O4neSk&Z#>d|
z4dpB!a}r9eO01(KBLu>og`|U!wG;pJuJ@ttex(tjDV1zL9I#EaN+Q&E@%FAfHcOIH
zINwcrsK$RQ7Gf3s{ZNMgZQGoro&t@mkyD#iB|*MKK|8+DH&L2SGI$m4?}@{xh`)ar
zc@v8_M2<@|S=;2<28wL$QK8r@_>mg#YaqJ?(J#pb+U5uu`-c7Wp4R%txiTOcOqW1N
zuWf}})|9BdYXSSt&12^4TtHVBZd)7Aq*0-kLtbm7MbtyV&W>42$Vv3Tdxy5q<|Wm_
zB=wIJFwzm(alzBm6Yu-qx(NPnHGf;eV37nf5~V;hEa+L;7KEp1gdkr@GATk##Y^gm
zI4K)(m|Pwu78upAinG3%e7NSed#l`4HKiS$54r9QNoa0qA)dG$`ZcOc0GH?mH5+57
z-?X5;!;A=%OKYttSA<oq?m~e}(9<*hW08G5nqIor>N4^?N`2HY&bBLmHuH8^zvtHw
z4x_KGxb{tjjSC^Pb@HS-!D`S6ldP(>A+2~}opTNU5vDF{pu`|gu^t*iePx_RD?#a7
z0_OnS&VfvEbe1%$u9c}B`Vh}QOh0_}@C-XIJ7NMZ%Qh}n8p2_g8qP*jZ_#n04$qPC
zob|2}YflGW+7pIaHs|A#?gDf|kEetH1AkDshEGRej0IE(mdRiohvlG#MSsIvil{IN
zIx1@0A+5UYjLYX4um0g3zYw~_+!X1#vJN)~lHz&=ZQ101BbT6_fG}z{dyA;WTuOYw
zBwAsk&;&FpiYZBP4F6$|uNso^9;sMO%7Jp{E-}6d2#m6k=9LINqc5X~O*Z=^;YbE6
z0%M3x1tfsHWq)RE1=fp6v0<86QD~k1A0{8&FAoBSkJuo1R@9FrC$}c|JAZ`*{=e0!
z-{z{{Jf}q*a16Sv5Fb<|7`%qrz&DKYX~*P4eInrfVnSg30|!3<sgtQI23$6m(s5`;
zapt1|PRbl%uJF`H&gk?%<7vjM+09b>W%6~5`9;uUBLw0c@}+VqN8A|#g}_>sRzeuS
zpc9<yy~wh~qkc;1>+<mz`<E)FQmIZw@)9_`=7yeb)nBps6dFI%uo~E^DZfQ=n*9s+
z{H?+#7`|{=@&jXe*^5+>u`#twlBRVdiX5on7$n{zI%vHV_{hETig{T=(ys<#{G*aJ
z6D56nxjq<3iuWT17I$yLRN>G^<&-8u(v9$GA<q~mFL^AG`tRYrOiw}vA7|sM3~a^O
zD<w)IN3aS7<`#H;){U`cClxthD3xR4`@*nJ+2SV+G~M`dUls>=;2?#Uxp6sx;RAgU
zC_|C%%8D46xuyR$rN6+Mhp>UrAVw?z7~uq{m9vg5$P$u_wdIj+^N5s=7$Cb;5U{YS
z;PR6)(oOkUz~Gh&H$bIEjqWKr5X}uSk8ME-00gz1O7M&Jmnfm;`i6eQxO_;pA@{99
z+{wWVM<s~&6+v&6fo=`+KT6b|(ZMm+2c48+ux6|LDr<@XFMd3;jw`6m5nRYhZ|WC5
zC*}6~W_tx(D@}Vw!mY>)o;lU8g+X>R)Kd9xjs4e`o&xj~g)0#c%M);@GIT&f1N%#8
z0w4QnNP84y5QAfS2m?}sLaa3(mczGNH;zW?{bVBbLM5hD=yFw@B32uV%xGJlr{w8^
z+7_!BYkHjP2E<VE=@04mlq&kbP>wz@62PfW>gSso-C@yjOtsu=B_Whb^}0c}x?0G-
zTv8!KsT0@T$rnwnyc@(K&EzD8P(*zHT^2lQ3y<pVgq}xn0o#vG%$44{OT_=&cy$Rz
z&a$-~`W`pVH@2lAC8rb<Krt?tR4X!u&J_R<vg7jw3qy&Ua;xKjs%40Mk-$ds!6u7>
z|7Hdqn+H4hRlyFJJn|#yMFMq=jb6JC&YX76=N8(b-7rSe)=4Vri_+wZgW`JXBTYIF
zQ*?iUQX*$zCEXepa(oWLC|Lt&*K)!eBgk3&i8F*bzwo;S{De^qEt>qW)U<yat{!dF
zUu~=u5@r$_A$n{cN+zg;Q+>(`9(qHDkDM=%j4O#IbAhMa44~_$z{Io0It0WQZz|%1
z_3)<%H>n5$5>35zLPT0@J9g^6+d_NT6cWg>ruW5V;eLzix#>SEaatN76%LEWb7!5Y
zC=g?u?=!KUS-wKfJpt`-N_!(Z$<3}Ch~J60$WZGqmQ2SEOne}}OHeICmF8?Vt}SbY
z62JH{wIQhuH^fE9W3G#Rqr6+7s`Fv|r^cs;|A_GygI&&#k9}*^O2H~;+QivEe9A@}
zMh?`B8^>8mLyW9Ilkd{VvkH$siXa!$iT$j`0$UE5)X2cSc)huEHWaH^s3Sm9scp)+
zkeWi-i6}?!&l21Zmp$PweHS$5Zp7x$`fHz<1-eM)hCkg;yRZ^rOqo>zz+pro2z;Vm
z@t{SUS!4h;)0fYV%R%tJ96jdex2^+Gp9Bq&Yr2!VREoG(bS>Nw&GT_7vhWY4W0n>c
zV3F-XgV?2372~_E9OFrdM$Btxp+8bE$(_?EA4JtVfLWR?*RXSa6PAr*M#?%ak3m@)
z{fYmYHhodJec{mLjTHc3D#8&cfWonRQq3W5G<r;JZq^e`X2Dz$XeqEF$Rxne5O+2_
zQE0`h`<x?r0!GQAW=<rOoPue|Ffz7^GQ>$|X%gdX^l#xFJ9tA@aEASOg7xoZ$wvA;
z9Bm!7*m%#4I5R(zwcRR2NEXi@Zht@y4n9h*O#Qy)v@O#<QD6mfOM0jTVkty@-)ge4
z#&kGuS>({`Hum_;BYxE}j@e&7Cl0IC)ABD+EC5|0ug}bfcuE*~&pIM7iLBMO=lIU(
z3~TeV1`Ztit148f2;r!6l(ZxN{8+^Y`0V_UtSm6dV*<QkiLCdkyST|E$JcC?JR9@I
z6(X#Z>NLFsxJy)%=Pkdm^xrtTOE3x$Eg1@n92eIT52jAZ=n%0;oMc}|r>L22y19Jr
z3t7pNF<~CR{YG3QX_R*E#sC=OU&=90-oCXBk0uR|DL01smV32t?A(_9%DNaW>GPw-
zRJI(otZ5GTU;?-(22Q&Mep<XKy~g6gFj<Q6#g;$>Fjn%buv1bYJ?{!}Gh(JXXY!Dh
zG$l*bfM;sP_b+ORJszSycfqhEv*z#pI-H;%jX3rl$?>m2#%R!UFz}7;Yllv-6k3!J
z@{7P5&_%^jQg{~d%&ItnnCHw%v=9)_9my7y`-a+>YJdpMT|@hWPfT{_AJL=-iNyVs
z)0IpJFm0YO1t>W&kmfYF{OkN_7Y2(J{sR|+kU$9aTo$6-<6)T*7V9X97U6+t1&asp
zDz_~DVjr+AlL%2I<2rH{BwmGO9R#ED_H*L-!F5JxlFL{9_2|d|g)IXHVMEa=)zx}=
zO_8`&5T(DH|7$V|_xXwxYfgSl4pyHhvIUU#9UwyLmoIN{jKwC8h^4qo$X62ZyQ^v$
z4kcA$GH#g*H8;Ze_WG%#*}nmM97N}W&RaO)TDMYdn|^qj@DUA9pu3oNeCu;-F+b7C
zAZ6iOD|`Kkkb?tqkI{SgAtrc(#9+p3ZFbmM_Fpbm4&=Z&a61eQRYaslHK5ttqvc%t
zOX{I)|FBLx^7Ur_k6~vKHptL76h=(#Qz>+hY9NoanUu6SCtS0-LP))3%OwA^eIo@1
z$tn*8Ul=ScztV1(6T44+%dF(peaC*5^G_l3f}ir7c>QCE^mz1?wsFRzR|C2;UL2t_
z+qd^y#fjk+3`#AuZ0;^BxIX<KYAiJWqmC)E8e|>p;B4mMNQee3RJBSK_tX~^P?aDj
zqGuJgCJ<$1NyBNjM|v@IQL%`C*y*#PiUZq_B!u5YP2y-l1g}D(gM1opw}c8Bnixfl
zGnKXv|J=x<8pMh<zFc&4ZMsfGZQe0lsrf&7gB*|wXk~qA;4Q?d^j#a7xKH??`TiYc
zO%z;+fTn@Ze%=5jIu5r(J}p*^nGPlIWgYh-1vHFej<j4>pLm?6(<d)}(S(e|s0^hr
zc^&)1eR5mAIL+ejY81T3V@$_5tZ@@I@6c;tD6Qy_3LM*qF&<F%8NaxZ|3!o+P+*OG
zn#@e`uAr^8jNscsI|VdA95k7X22`~4Xwsd8g1OGabDhzgS{HL5-Ifo3=*zloOG;uf
zB|Zl>6`~jLI0Pys*jJz6n4E^4eVWvNcxWXnBtuU94O$U?bwZttaE9+Z0q{~2p0O9T
zQYIxmcv~j4HnI#6lfZbt8W4!}7k~37eMaM33nD@Aq(y!)S}d)QG%5{EE;&+QgWRC|
z7FxRC4Byc~q2L(BHn_<I4`8En5u&N3Y4gf75q|Fys`XbTNK4zwFAZUpGu&r#*mPi%
zupZ{fMiZs5t{*?jqY)m*poSQ7b!M4jfJ!sK5JIG(KN=D>xVjfMxB9^jfm5m568#@@
zwFZdaiJ;8800H_GXK<r=uy6q-ZR2(#xy6bDSNfic5Mn@l$S1(b*9L=H@KJoSAS=dl
zY^}r;tU6h(m^bx$OzJ7dU(vNrAJOlPPp?d(N11>>*f`mjj7gN&)PL&`-yiWlFP$3v
z)#<k&!p65$6hw5Dy1f5k4T_1U7O=vEr`L;iV}y)0Y~6itMgg3B10ny*;{Vo_HARqO
zbzdrvh_&Q@_vxtOer>puR9^eFE9e@IyVKmlCZ9DlAX4`=Ok;?Hiz{D&CWRzb7W0nm
zujU^@N3GR;v2}mt_q+fj)mBsc>77_!?$q+IZV1lq6F}yVoRb4v!UCNI_k#>Tv)zA+
zp~8Z8Q!NiC|HTZzCzcJT5F?050V4?k0U^`T>Qr((ruy1=`=R()#igUU|Lj=r=XzEB
z^wfd+H<w$@A7^&O^XI`1P-v)NXsEvQ!UEf)iCa~Aq5_aj0zUDhdPxLvl1yA-+H{GI
z(ry%4)?3Mfs-Q#>0}>3_K@6=-3GS6)y9Op%NRb?BSP8zP&}K=0Ofa-%dC0y|mS{wD
z`P=#Sax1i7nV*rPu2Z`s?yN1fX`zFD07GlR1V@)=3QQUc^MMWN;Y6DeaZeX0!~3l+
zzr6r@XBi4yi@OyeW+4zZ1oYNF9)Sz=827pMi%c;lZ~*DQo*D#5imX#`V;8c2C4pX^
zX$Pg=oO>3>hW{hm-@cxLgN0JJztPnFXQ98P-Y|huJAbZQ?EXi&q~PrWpq6A3P{aAp
z)J|!EZOMx+H~iLrNd(HghY2;tz3%@<<mI<l1#n`Mrt{miDU{m|Zl}7||3^-OWHDbO
z5em)Y<O;1nnfE|DYK9LRxtcmI!Vks`k`~eYr)VKPdXzOg+i-#Ly*k;M+#IH*#(l?;
zL7ACp{`N{B(4g*3&%yM!PWq)hzq%OPmq@osc#9%kZe_GzkK3@?Ng67B8izEaVJIi$
zzeM$cJ=Fx~rOUc38xDqHOqFPO!+|dwZ#&nQ`=77(5L4IWkGme?awbn&!wZ6YDInIt
zC;zZE%lUzjxgZAdTwz`8GcQ151;sP+O)A8njPGpK<Fj?)=LIY<v_q<z#_pB#Mdv?N
zrBhhou4nyYHHQ+Y>ffkpjJDzS0z?4ku8X01m@d%p_=W}yaK4+nxp3*4I(3D6+f5Hb
z7Mw<$d^2{bDt&M?9Yh?*F4{VJO;VM$KfLUTu8ik~pdFKZB(|%@bO}6wW|KjT2B}JW
zbrm+Gj}&vR3$?;(^h_(C=fhWXX`Tva6(L<?e2OA@Vbx`SSHM#X@HUw9qh@h`4A9`{
zgLIYQ+X`l`l(>(tyRFN#raFR*v`;32r`-{Lw#CUReF(G}LTiqVH6$48QM4h#X2iv;
zG>rNJeYXA8PnMa<4VET1QOZ0O-IDLy5V;J>{PtBqBoc~d8bVIYA%m<!P87))?Sj$@
zU7=L)4{7(a*>Ia5ky?gp&{x!<x2%V1v##%4i?wwSA^`uP!!^Rc)y|z(gL@XhcE9zK
zaaGKlQ2usjS`HRGajx#0i`UTckco&UFWU#;Fx60nV)@F1;{smjKrO}$X%g-rnG-{@
zRE>;<7FB#5ZiV>Rf`?U0Ly@FmDB64)DzoK6*f*E`jQXNc)1RklMi`u2>?Q}vV{#G}
zea8W1vOJkhgsWDZ$F||7xLxkC0aA#NnZ8{Wg<AwgI+c0eA&limfJ5f^Q4OX<$fYza
zdaUw=%uZ>mPhlW^w~p<x^!C)YR$BOF$3PFra2*maW7x$*(}Dx+O<+$`+=UQA$&JX<
zZ$Glt#{{D)Y@l5QJVFvJZ~~FE>2@n4ysCH|mWP6%t*cm!j%2!ZU7RP_B)x}AmdafB
zw<Gq%#BB1IZQU|68-R&j8bH_6OG5&gFQ--qMYV*%v|ToOc8AFUdTPrg>??Qohap6G
zL;<J}R+zA)3sNgnxzC~@qNOThQ6yP4Th?O>x#97Hfl$1>^#+Y27b5j|&HWe{oUAbp
zLb80=%^r>BZdvKA6DESOLs%dcw}&*IDAb4ieK7jV3EcJhzYye{;DDiNg!e>+P-7y}
zWDpV)X_aq8-K-3DO!jSz%4uXeI|pF!7*r-$HAQ55X{1wJIo*uVBw?$bowL`w%dRfe
z5WnN$G(W&Wa5XoW2>QvUR)WcpKDlC`KL(Eg1<P{jR@eJ2&`+w#uBTCzfni1S9^_Iv
zxxzma@p4!PexK*$;ep?xu)rxcwRUZdpcLqLH8vg?ODxNr_6*0lmN6PXxazIIy1&g`
z`134){e!a`9b%(VE%<Gjv%05JXXV*nhLU;{O68S~>JM$Sw})-G_<Xk9+v=fP`pdRh
z%jBHN812-h)AhnU=WAfsr`ap*uo2%2z*TaD?S*BgW;8m@JEdECw!<6BgD!uyB*9}U
z_7&EQVqDrV>u=?FO5`AwGp?y9297TjAtBx1MJhcy*&|vZrR&oHY0}$kcO5@t+by0w
zoyH|vx@dGUtf+Ju<27VUn%Te(gKndgo4tk}4=LKmHr$(Y{$S7&5aPSDn=&?|^thFA
zi~4Cmg`P5flG*KE$szCu031+53;qpgbC1*6>FHo&Nkd2R#}wu1C*Y2PcoFIeRKO4T
zCD$n$_?qQMba?7uF=%xiy;_~d`S^Lc1_`5J{6`^LVFq&nnIo?dO~sGe7^D&d%1M2=
zmKs_8tjZai*QvE+_uPW|m~K*uX&CJL2%@~K87^H)L1cL<n<#~E%3~rc<od{{TcOxj
zjndD9Fs-x(9~2}VcmZx_sx0OPsMhsx;n?u+Xb1ASs)DqoI0E<h`#D*o_C#uqQ_}+H
zwKaM<@}T;oTrhp#%lLSs=;05LqPb~1wwu$th>K6_HcQ#>XUG(~HITgh)8_usc{Tj7
z*6Hqk2P9?=bxHP)8-uhV(3jg_iakWV(Rrh`aMWA<_#~5J!9NXc(CZ&Q%|0-0X={!!
zue_hvl@7L74D7302zGMC^-~~e`jVQd$B7#xaA;8Z1L9|yATH}Yb#D9$@UkaG*6EIn
zkFW2@3Idzb8FPFxp;cI(Ptp+PmeB;3j_5j66Ahd04m;c)KfS5n$mr6S&02aej#2%P
z-t@VaMji4N5ljQ9%jb#R-TaoCPDxFsn4Oc2$J8H{hPLR`IAq7p!NOwwoR{5XxT<T_
z(YCxI6Le$vA5cP|8f|8vZfTu0QXK@A4&Xr2_7(CFz)>^i8YgGp#MiLl5#cvbJ!S4b
zK3X^M8!b4(Nt=YJ1+Iv7snl=fl35!fqCufJ<K5$gZlxcs6oPkUGOZ|;T9Pl5m1tJ4
z@;${hR2li-1vh7Y>e?JgHmboc?T535=e;JxAJHmJ3BE{VgUpD_#GUMA9%D(`O0dDy
zrtgOe)6JlDJ#E2|r?3IKzu940V@rDd(mFmh^})#2-enBicbsyjfi0j1{s|$nH<j(R
z3VVP5v@1}Q_tR+r5i!YilGc5OxsZ;t7CfYcm$d?<Nr1O@gO-s!fMM?8pojaUMYc*I
zY_E?WBUzlDnZnrV*>%?((c3D9QE?s0HRn%!29x;4&cC;krNfO_1+&fem$lM}>`5BL
z_%IQHf&v_s?q=+P5$A9EDhuS*4?<6B4#1{P$0AfC*xf7cO@om3N0ifxmWjy0`-*m%
z!@<>Up!{8W>c|T5mgs=mjKRzN3v%!1S#D0f&<8swRQVKs7!qoT8f;o197;2d-ig+T
z-*~K_8IO9E5)<$s<0Eg-9_LcVNSo)JW2yN;5q5^j=u=<EEP7xbTo!rkM#D;~W;(4v
zL1?jItCHKeI}p_?sFqiO6B#YUXuxG+im|8mbjtdI&|pRo(lz8wg)9vPahkn1#ttfq
z{Dx<>tgPHBs`s=Zo|=!#2qqz|`W07VfOk%)aByuQ*9+C=g_))082mV8v#vW&q-za=
z8a6gX_;+?rc3wNIFOn3S#t$Q`;mJ5Qwyn_PwJDQi)piD$9|AA$baa|HL=sdgOylEm
zYTH%&uD{nO1;v|jl@PT#zNP;=+MV%)Y+}f|j1z}(;(VXo{N4SKA07cgOObnP*H6E!
zK54mTz6H3PcK>xZAv4-57je&bLxbz#tWkP+v3H^Fo97FFxJwBHYZQYQ;GSz+*l>->
zx()O-^_(|6*likntO_Vc)#bDOt7g|jgO3mpq-`JMITM|2W)zvapH1~JwntjS<2fU{
z*fqM8E7d9k_GBl*-;#dFe1FlF&*F5K`h8jM-O-Rnsmi4fEJ__sF)4VbB<ZE6--gY(
z(A%KQ;_GGKvWSgWkxJ`g`RrQbjT+FQ8!Ovi8#3R0Uaaao_iEzcg&Q6lcfB8h+>L6(
zl6HZmgwxhbt7kWx(q!WeDg5X^)XmP6Os`7M$@Sg_0af|YP%vq-ph8X0Rom|_GQwy@
z2f{o1qef~j5ksi7!qbAfZRZ1hq2k}1f*xeFW$defDODIJO}>hoHPonF`@Ue(us7;#
z3eG*RQv!y7IP|Dk6zvZIeNycT{nZfW)D>vjm4s*tF{AVF(7kZvv0yA(q8nXqx8J6$
zMW8o&nvcfaOPqUkh1)aazm&t?F!|yV(HPx7{g@V>$kE?}OEH>Vr3lKbhQ~3x!c%s6
zh!MDQBdX7xg(DcAOUHdGnPBWmqmONjr<U*Qt#^}}Y^r%P^(-q(_<ldBE4PNR$1V0J
zZ^Y)<ElSVDSPWyopPb-ta7O?V8Q^OlRDriI`037N5@e7G(3b1m`(R?iH9k0A&!lAX
z@!3*_yeT$36D+P#L^H_uJq>)yB)(`n<7G8Af<I}hb#O^U^?fhx!@GGu(*Ru|S`s&*
z!)L}WXbH%4-X0rSHZ-$g<Nb(?oKb8IieZWB*{+1Pst}<<IH<R8kvU=eVkP?mlw?@A
znlgv*OwL)j_2qqO7;BEl0-@eNJc&O(xLbb>QV4{Y_neY9Y*%!L^$mose18+ujbyM8
z0DEc%?rShI9p+)OVrpi_m~`yljlodviv^F}y;7^JzGlFQ#qG1F#dYqSSQD?VZ-rss
z#s{TO>2#0hvmgP#Ek&;HGL;a2nF_vx8PK$X$Dh0ik15-+>4z(i`3n|;p3NLIjh~z!
zXCw|ie)D-%!Pfv;0n_+faaeHF<#lR#upt5g0#IwV@^Z3T7~?BRo7}A$R;#l+!3>!L
zRT`~eH0|}SSAC-X)MhjUZ^xO{ZGgauYw38kGV0Clf@wBXE!;zeRumU}cAT?`2Lw)J
zn8opND25ZfU~F_RAyFRj2BRogu;PI0dQ=TIRKvxRxfP$OKkD{-4MClW=xc)}kBrEu
zTk^|?Mh(GhMj2lHknSIU1f3A}@?yx##tE9TM9j(Jh;W;fsiW5hM=f|gp<g6PU1rcK
z>Xk}WZSau|%*<LC9VWz3i0XByEUs=^hyq^=@fgVY)HQtG#MOY^i)=Y&KsG%_(E(UB
z8Yzy9pz<VX@(Skh=&`UF@krK#tW+@mnA-oe@;^g;2I8M@Y>%}>a&TY;zHoc}c<ZH#
zG>lM7L0lZuTawJ?j!T$Y^U|wW-d<VSq670mQo+=Cn}$IOS(_*jD6w<SE!*s`_Vp0c
z)%ht#f8W1PM`~GwcL}8z9O}S28{4sU3$48=d(CUO0{WFsM&5+2gcmrt2TazKVis7y
z{R7<p*-Wl+pxR^>lsAEXSEKAP;ao;thM}X3Vf{)bV+4<`fn4t1;UZD~MkLn2j99%R
zaf%03GiJEy8CrAwH4Z}&uvgMI0~my37u3J`*w;`J7-pr<{11U)vOq;Zywa1t0oc#L
z_2^6KcWbikEF}9!2`@4K-6GfcfnLRuNC34J2*&oXQO4F84M%B1X%pdW4ygS(PXFrZ
zHn;|cgLd}69M^vo40v<*#_!K&|7ThaCy1x8s#lEq1ttIej9iO!L;UkUzvop$45pb?
zAuj&$Ka)Yyx~{#u>;?x1ksb0mE7n@<r;DOmW`>r-wYmlMIw?{6sD7Nh+uRPXslnb1
zBd><9A>aAj4MqMXo!T$913VNRB(7_mK%<t+B=4kOt!xO+8K6?@j5B6e1TBm__7<OM
zN~RwAJ5375Q|+v^2E>(Er{NE=Z<dW(C)DPHjnz2+upMZmAi*EsgAB^D3wWqV9|QLH
zXOH?=m*GuOw7XSBCK)@;IF==9{01~{zgs*vlkEsDhQ$c&j6S#_RR6I)GKx5)ofe>)
zk?8N-*#DR&bF`T0cx-slzxwBI9}Fl#<<h6pi2h-1|CT5KsRiPk8Wd<i4#0o)7(JW>
zpXR6t?SCc$W&osD1%X0n|CIE1qp2ZjAnv+$m2PHVj&N#>W?h2jddAhG@t&C>KmR{^
z{+DNg1-?d?WlulD{UuI@$|6+bD~RS%wR~%J|6Z7^V1OZ0Mgx7#m#tc@TAOGskWKer
zUH7|ew*X%o40)Oi#2b^d%fp(zx}(KL(0t4JuH9hIaxy9^df9;K1QHwDVD)LPPL`RW
zX^j5=5Z^PjrwQbx%89|ioZjcoCb6LF8GCaY-SK*iSVr<x$nms~7b&Bv1Tn_Tt*(@=
z)PzO-Z$t4)fYeaK!gUe9@e%npuc%pyG^*8c<8WCmUGej8ZRTr3I#X(@Bj%4ON8?AB
zj;l$Q5imKpqfvz+uSKr0h*1<gJlpG~&7^AW>R_>!d};q_svkZH+Jza}a<6hbosw{^
zkZ@()(o2u2Fw$IegIMcJT@elT;9s_;NnrC-oZp(nd-7uWG`ZXSho#HllR1KH`7tN@
zW(8Yfpz2*@bW^qWgWd8y1aU)TWjXEd^^&HnF}VsLiV}E|7+Bh92^Q-4jALePOnTte
z2E)Vo#qRq<$GhiT-tTPF>60l0+R$EV@DF}_wK6oA0PZYn{cNN=lL`%nRbcJcvGy<L
z%W8C)P2}YMO#ze=pzFx6q8VkyHs22+M<Qu<=rxu?*~j`gmfD4n{e^Ix(YSxcqO7%N
z-x1R9CtnsOzxq)<)fJVO$W^m|O=(&s)_r@<zNlXz>G+oQ(EMtizohFOC|-E}OYqH2
zbPfHhWs2l3nYH0jE!D#f<5rEjz^CgnQKixX?Zx^|uFDoA6qL2CTEleQvx{S#?SVts
zPYsAG_X<;*#Q{*<&|0I;(NL0AUo9WtxO<6+51YH330)?KR&EuV_88oDnjW6PS5Y2|
zprpOMyOC}SGhufgO<&K={y(<90xHUHYhUT1yO9v2yBWGeLh0_3mTrlmL!?w1L`7<l
zZieoZ92)8F7~((Z@80{}@BgheYu4mD@0_#uInRFfv-i6`lkYhj@!+Pq^FMqIEc?wS
z$7jd|xI+JQo&HujTH$U_4COX;9oByNW@XhEc1C>{5)}J)%F1X$oGL_Duz?gH(eUID
zBkIoZ2%;6)8bjA;O}d%7Pw@@<N$PkZA%T|+=_Pt=z7sr0T|6IE>qSjN`=ZR#bDs)T
z54B0C)Ek5>YgWi}Rk3;DtsY1oTlL>mXcZx7POrc2(+6p>XajkL5n0oI6i$$#@gVB3
zlb2OSh<Fw^7=xx9fKL1`-{2R;t<%u6caYn>v6=b|7A-=2i5_IWO6pB;9Q4ukErOQh
zQWIq))}a(Owtpq5H<7RB)yKSjm7>t&T8>fUG85U{Z)oAkuxgZjB!$~RvXZ5#8>SN+
z<cL<eJMNOMSKDwef#pcrn=jfNUVW$(ntjl1Y%P1QBTXWH%q{p3>wS$oZ>kHwM&=`j
z+pJ<{*qQvgFoMd9hf23E((B+$2bCA;$pAwJ>9e<?ouVb`4PD7BND&53uv&I_ue?a!
zDm@;jj`}!uPU$g8Qc6;=P-Y=NxT*&kjS;}sEF9$19zpx#SDui@wyA*;xRMt`C!Y4O
z*Ib37D><CNpiax)-fdA$on3Oix83~U<IwQ1UPJKAH~{TgeNf|9oPnebIGi-CCQ!(C
zqS)c6nG+AGA;4As0A9@#9{p|A@l(d`+pC(!;gOk@V>gQaT+=8Zw<43<nK1`Z1>u{i
z{-bj*4~zL1C_HNOc|@4V`39wLE=}I$hF#j0Mk)s%`w@jSE9csGNke|%A#=$O{4lGl
zkVOwQA3OjCc6TRcwmF;F+j<f;lcO^hw$r5{>o^h;o8K5ljlVL2+dd7RT^o8`0%ruF
zU$SIronyQo*6FCzr<ThXNbv@b8^EK5U7s1hlfV-Rj2BONIkf47ha*-1ZZrGdvHArk
zUsfawT$x;XAiBe7U7=A$j+7GLV%?&p<5-SH`%OR6hv#D@Gn&Yd&zw9AHqVnU#3uHA
z<J3G3N2deKQ7^=ASqb_XpMW_#1}A|d3kR=7dx&ebn#?yDzd5#ORYyn5c-h(Yj-S?j
z%6lr(9WUtM734R3lR#a=^K53Awj6M5vxf^Js1b{=ImV6jDsY+zq7P%w{${hW99(EI
z`DQ{b?gblh43N|mKfjmngwYMFLnh1%LHt!jCBX1IgQEqP!|6n&msg&d<xzi70GlmI
zn|^y=;eGe_+ibcgA?`MB$I-!it4lnkbz1{WPu<4flN?g~)Kus>ntj!=WX4of(iHl(
z-mdZ#nQe`NTX55;ajU;y`HvL_O23<GMQ>JlH`Np0n+|C9XZV}pIC~Mo9?KYzyYeBE
zY%fLTDJbvBW^t2Lq8V(pa6RAsMF!+GVGP5q(&{#-MLl9gG%YU<wV>#_%ZWtIXwAo7
z;0-R2-0Mx%2zzwVx0@rU>e=mC>#G-i`A?h`j#IGAg<k@G1a0Md`Z@PStaw}HN;tR)
zRTjphr%$}(BwBc#B}a*Kj)Ssm)4n*!0?u7=r%Wd}np*{+2|D_Jaw0KW*shnW%5tbx
zO+vMpkUN`|q<pQ^DAn0p|LQz*tZB_4td$sDqDtC49=%0%^(6N#2#Wo73>z^AKX5P$
zzKHonOR|~w9C}M|s;zqa?%a|Ymf7z8DtaD)L-u9ayY<yu-Og4#luOrlOkKmHmm_VX
zb;eMM9a)mEZbjx;Jt+4k^A>fvWe$@68=2CL%H^H{npxc|zXjOU3jtl+V|_1a)LUs7
z!Qr4ZQWBeuYr-%F;35LZDZ$b<ix(X8(J=J=JJgRXY`k74P+alX>lnVp9rk-@CF)Gs
zzgC(>aUSRiERB%D-f^FV{Fv+13-uwm$77OrrB!8;I08}}1azEo#ZMN{em+<=dec#}
z5=lSjh2`{ZR9UZO*jm<nsW^x?L6*?w8cZBx2+-jIDR*E~k=G7NcHOuO7q4bqAPl<u
z8l%&V4j?gw3MJtN7u^C^agb$Df-oW_C@vjLj10hCMF?pqQ%8czwqtAH7ab>}w}6y%
z41sjc6&I^een)4UaT{8z@ed$k)@YC62%3wX^1}3BO+GL95*H6B5viZ4`>ec2i{OWI
zIhv7|2S-DcT#w=1d$Mead6@ycJxAV9W82q9810exF?9U5zj>T;n9dU4?gQ8y@{%Wu
zW~ubc2m+~#sI|anHh30&xVKS9D-Pz)U-uP4kdKgbdVD4TdcC<kAWV@6)l-pvTz-z-
zihh_)loa2#Gw>-jTM^-0gd8Sxv0uiJN`*Ma$86BXEGyLEV^&63>!(m{v$;M8ZQPJM
zwcO~X^VwNp3W^+XMRXPW(8$d1F83o^4}S4P9-XjBoo70(1h~?y*TQT$hE;f1c>V2o
z?s)CW!lPvT3=4;?%njoI1sCf?5uiV{-Ddbp6~9*8evLD>Bem<}4lfi&3=HH-H=UiN
zPb<?p8f{I+xpLah4ROg%U-+3PRHCx6GSL}mOoh3~zAqK@BBRoBts_n4az!X~T};)m
z-|`doKs5!%8_#DAmF~0RY(v|Xe79c)Eu+=HmM;iUZQBq?LBA`;7c`2G6xc6h&iT4I
zCS`_dOnS6fZ7DjEF6DoN7~zCv9VQK5Fh0G{#)(s%c_m~$ypFQpn^cgd1S#T?Fn!<C
zN_BY|MzAS}T%><1c5#U#1hEeAApIG0Z*Z~c5?QAFUx>R#%?!$>E<`Av>B`(6Nb+r;
zMYI#sY<E6-1wxcaKd-+z*hOX-TAniG=pJyL9!+ICs!KWG!lah6T>eD^aze{yuivdZ
z#I2VqR2i5~U0HwaE9%PNNZ5z~$zjc`UWGae*<~@OEE9kX0Ue=866SX8BB1Gk<uvL%
z&V%s&eUNS1i7Oh^<r4TA#L!!kW%{x5rN}dTiUclWsP(i!I!BTU@T#K6th%FZmr3Sq
z1s^%WwO$h|REfI8Z`_T;OmW%J>naJ-^>x|EtB%wD(kPQxT)YNEY-(Cg2VO!uTRDvg
zrn!YKFG+?5pBaY`vjifB3H-vb9kxBF=0h5Onz;!cNDckpxW7cs%&?2VOZq8DTwP6u
zGVk5^Qu?-!>o+toupQ7d4z46&T&V6@LCkylYAw5R(=B10&*SG@n@-E7&q1lx)pA#s
z$5&0}fwngVI>q|T;5hSHn34XW;|I@}uBO2CmQX{Mu*1rIhs!K)9B00tE90LKZcFG_
zTtfzu-&Z(8gDCfF7G^k&tOT7)l4lBS(cNl0QAfi0g(90zF>f3?_kIBa91<L0JF`kx
zj^?1RR1$uj-N#&g>zdUpS<+wzWW1Riq^o)vh^r+OFDg!t$NQ|4nIfEEOW2WJ-1oku
z(7cofrAsUL1?==vMwj8gLM%fD@ct?Q^*6i54z7k-$lJ5`>tJL~L^&dnm<8Whg6S-O
zw<YOX^}E{f-OSUKqKMM?h4$y7?~e`IM;C}E3ZMn@YbDwdIYeyOZ>rsjoD^V|O)v=8
z%Qfz2k%dawP)?c5odK%~ca1rgRBPKI{AQE{eJLbtzNfde49ieEGqc{C8<djZi~KBc
z35WHkdWCZLi#UAGjhh~4XpbhuHK^da4_jJi;%`6$RWnoQBuMxG?=m4%f4G{G)ycu7
zq$laRnI$LWG(TG?0&R=R@2lafRAz<#@)8m?_->SG0{-0zrut0k-WPDsYB8{`wD(Rc
z%o=@!=ns!YD}eAsB3&88Ae6{qsry4bs%U18V&KXGY_P&Zy*J@L%C-GSa+Ps~h}?D(
znbXeY>{k71ZtpOt_774Df5>|3j_Ft3NJvXRDTp>O|21_PZ1}Hm&=1s>5Y33RjGPj&
z;BMaERew61O`_(vp5+kFyTSJIKp5wNTQ8>5TH5pA0C5RBb6HWyKIF9(HSY4E&-{KQ
zQ8Ve4V93>&uv?-&zWqE$*6FPt+e+H`(IG8ySi#1%en!q|V~BZyMTU?E8qlE&t9a#+
zpu1oVu^BoL51bM|pJdKp5nLf*v&O04_$apA8E(CDxTg$K558*Mo6O0sXuaLGox!Cv
zKAe0<mPzHmSGm_&P=0cXq5NX#$I$&WY=6+!xmMZ9-Mz_x*E$i_Q42lSRh@%oUx$H}
z4|FVb@Ru_qa+W^Jlvx!J{*Bibo`VZk0i4hI{BomhHamt6jDH6m_PMWz(PZ|^&u73@
zF^7k@kOuL=ET^+0H;Q#@)Pxjn_sB`bxw4j}$*E4x06X*qSzyrQ<N@OMkoC~|yjP8H
zT#<+>sC=E<%33bSuMqNkx5T*ImCWng<-E`z0eq4qkzq>fiHn5YVUs0!<CBY7rV?{o
zWoy<47|A{s=PkDXZzZ4TR_Q#1R=ecu9p%^rR=(`&1}8oOuZNr~>&D}vX+vb}i|g%A
zWMpoqO?^163*uL-tu~tn;?R|n#`8~cKlg=c0<;QI*@WMlj!phpuNXY(&biXh2s&i<
zx^TGk)T=Ks2$Cxnr!`1pUh(-j?87H97%Sjee?8_m7F6KG`ZvipN`d5MB)W}-3A0Vf
z)2j|HQ`DtHa6%|nwfod)(4dadGS=DoF_@xMiH%aRg9}8IwKbz`Yx(Cd#y+8JX<eZf
zw{vL?91c2zK68*bITxIvVN+EuYzn;I3l+PX(b)B)SpP}nfUBRBqx{Wad*%&}4bIhQ
zo2@(<5IL<vcu^y`JF6ChTc>tiny7q6TrA_Q3PQ)NO{s-SVT1ecMUtyf%V!eBIxtL(
z-ThC`#nm!!KkvGG&jOwOeyXOj2)teB*lRcpEEBuw32w_i{+fKDKGHO6vw3&o$Z_1a
z5yAE}?}vW5Ud5<M{=^qo)zcXoup?b6i28^47rxRDreGE#_wbP8o;d=On}Lh5S<bm%
zv-+`<{lj?@yI)pnS&$hYroQLhHNoOc;~C-&Z*I8Zy=W~r+uszK5ut5G>!CY+aW&zq
zO<_viBV~nJNVo}+A9fr#a_dP5{9vf{f9}H4RC#nSb=>0eWEf_@AI15TMNdT4!NJ>j
zyTtlcI>*C+O015hKU4W%dI_HUfoq%={lDV<JJ@&p(Dp0Pd-kE(X*~NvHL*G;s9(mQ
z`mN7Q;BUmHE+uRGx%(~Soa)2{F>CEB>S$Y@i$O;5`RvQ{%gwcl=1Ups>O}L?7KqQR
z_)%(X8mGB#qh{oOddr;~u4w>;yXNM8_2Erb;8mIabWdlJoBt$EVC;emlap!Vn!`oE
zcktZsU@Cj6(roS08J9nVfckgZTn)-ER=lg2{G2qADdFLOYfXW3iU(^9cP#%MPO+Y6
zH-YMv54Xv|KSgAtcZ092FT!(RucD~$bTT9yOnuf^_bpv+DbT2$#=_HIhM4cIs8=vH
z-)MWCKrSQiwQ6`DZUtb=<*mQo^f>>ty_+-@a!BrJS;e~em@c?~+Il7p+X6lemHFOa
z?0sFj@ud(GaIS984BRd^wWYpq7L?rl;TiL)=&AqUz`aD{ajO^sf^z@o>JLK!2Qn8e
zo2_lcs5w?kryHh~eThNy3BkKV0z%w&sh@bgpu48#Iae4)s7RU73KCuLi#aZV*Kq2e
zA*he1jRXyeKQy*l<oLp13p2@qG8Z#Tw=(`m-a(Cpl}d5eW8x1nBy$SR^^@Jy=UV>b
z#U}QQ&pb+ZF9(53Z>Vod)1iY}I9Ct5sY?p+nvbx@E2(YK*r+iU_gCt__WZVc`lI!7
z)lUqS7k7!x&O;b+5Q|)`AG4Y{M`*Cr!=R=Gp`@RJEvIW2$fCb_2H7~EOMyqM7kQ^d
zuwxg0QQ73kxog<)oXXO@J?nT>zNoFl<<|#raI^nx(6W7EMb1Nl0@SkXS*^L~%aN>R
zsL9dShpO>5T3EGha9H4_Ov2oQ?`F>)r-WOgLnEUpLI=P=gML|I=b-fpgO!k$Y2i%I
zR@-f|GI+M-+}p(QdgMO7c@xA5F2CO_5xWg;8Gd$O)gu*?Z=8TrHK&LpKG?F)`7no#
zBe*BS>6drcv%6@a;2cyYw(cD~`S}!==l(#f>?rHu%m%hR5WH}3edgqK#XVB-?O~g>
z)c1bEYgfIgt>vr?XHLfSZ1)0-)91yIltD=Q;IZvpo!GtaNX<lT)9^i!<@G4Fc?qvC
z>!wN?DMjUqLs>2A?egWUacvXCIq+D;@vVq?qTe;eKCOCC9B+dCRHC6kja`mU*T_sM
z=QWw3bHc2p=_$<1Dj!GpLsie+y(#p0%YzLNHY`yY45Q|(fj+D>3wYmz7Q(1wc5hfI
zMzr_B>dGE&*9`Y&yzf4WU2AiKaLRgV3=6bn{{ULEa)S5keI~(?eE&xBAp`WIRTDE~
z48%PbzXP}Vp^E2;(DJ*>Z>ZO*{=IfX_xr)YgDpJub~s|;>*Tm-Ja>o}JDZ}j2NL}Z
zq+IVmX4fp;{0^NwqP(4i9{z-K=<Mm{Tn=4i;fSuD<ZPHwTx_TZ%qnl2!#WQAo2Z@*
z&Jna8ga;m+`TE0b4=SkrZ~5(@M0?xmHfw5oMkujVdcK|Dm+Rfs!3mQb0aM~f7_Iia
z?s7oXysclgO+94~AsPFchxb~$2K9cM4TpDl6rXx$6ilxwy`cW$*7283Q2FxUaIsrx
z>r#a21=I_=wDd;Z=eTlz(0|Fkw)t=kEUg3;d>B?Y2)Hf@JhBb$9-aqUUj|)0_qqZs
zSxg6x;LP>hpY7{lWR8w^GYF~$>teBH-j^)gWd~QEG(JGYakd6`zpW96!xqoTVWSTB
z=@oN<In4{%r!9v2ArfcC7hMlmUxorU*e?VHTf6Y}eoll-ly++4)VSPtZ5kf@4!5?5
z+}my0SMpjhHE}q+zFzWBiEp`0ba8i**kUww=qLcdjyP{IyYI*x7H^(WG_NFGfL*Si
z0sZ#)y_P-&L<W;e;5R?YT;XWX8m@Z1IB6`Xi2heb#xX>4FhbMbHtxNV!k6#5Y5NP*
zun*0<4x6O_)UrusES%+;3fAvosVq~1^DYVzKT9j(tbgixC3{=j*eIuUUl){<yR5?$
z7g}C38Ti)QNj&HtzV!!H^p$6uM(`#wuzIE*%ua0NRtni$C=^)n*oQqAR#6ol&Gy}8
z%*??JyZV(LmfEk46Mp#7bw}x%&iRgj(e35TbJO$biz8jSm_nY}F&S*RrQ?n?woxe}
zWiw`?3++n!1etH$Y>N^W>UY8LD+}=O<tG>}`3&!D7dt+=8)<KitBr}CU2tjbQd_!x
z>EG$n(p46GK(e1udzTuxoo49h{Os^4!crmzH7uV%)DHKxuy^E8rhZkDreNLe9)Dt0
z<ipkJ{v2aKvo$!&gAR(L`CN})%3g^w5Vu5eaJU&}Db(eAgrVuu>1ei!wDWCmto72y
z---b1w4vM8I6A^QaoL9)+kLkFZxAFof{S)&CdO-qrS+dMQ9xyRMiSdXvG1U%&hC<8
zi&$_}x%o|bAk=@~$<*ZMVcquAi;rs^Q%0YwMojBsM{YS>uX}pUhR5-E@x<9sXUj0N
zBFi?=Qr1!ABlorw8x}1>2!7d$vY<p(3KtND?PX*0Es_SbX*#+xIolq#43K-2WxUis
zUL2WW1Z#oXQOd@Fud^CRdWJC~U|Lordjr8YjRL&J?uGRQ1_dTneT`q)gDlpy_^~nG
z_x}>Rh@QT6LBrj@*p1b!*$c?7N}A%BcYZj@Qm=N%zVPrrIyJRQ^qW1L#Tp4pYd-aF
zT@psMQEKr%P>dz~=I+|0tzxD$R_T205A>)ruWdaZ*}tXoo;$V`rI>o5?y<g*CKGim
z7@|9w2XZxvmutLJ51QVvF-u(|<y(eX&3-+|JnOh9-O~Oue7Oo}B~8!Id)xS5{)b+e
ziE6_#^&Ui7x<mHAgNeH&3SG-m40)&p?yMujYJoO;MN4Nwu=8(XGyL9%x@H6j?#Wx0
zL6|HGJsobN++B$f2xbkCb1r>&1bXaHfS@{Gwlgq;3MRUlpuUr&P%ocqm)8aNoItvq
z&J%XOj(oUJPOM_Qz2LM2D3jfbFFK_vPxPN!??x7lY_|p%t3qNJe`S84nTaz`rz7dj
zH!o~Q{*G;*(XhXE@#*2J$vt1?D?lrsLGhuQPyu&2H|<cd^mRr1FN6|te1W^e+L`9$
z!Zf?Ci;4!6a;IT8y|2GmCN2uSn`T>15^CoVgARgcYwzdbc?}8|aN|hYf`7nOw*&kA
z2zRm6Oy9Yw3jt#!+d~V~>FQNtbw^L+-f8Qtk^h6?l0A`;|3-vMm)WRz$xHI&%`DV(
zOLgBAhQ(tO-5i;9Ar(+8Q*w3DNI<9fWgZk*7OSIC3~(wb{wFKz4e%JIxi}Ew=lRdT
z*I6MTt}*W0wr>0RcQqb@se>%XOk5|bz0O_xzuKhj)qv`nmjRcRV@BiRr>VRb+o*AR
zf%c0*Yo_8jA-Q)?)CQ8}YrBxf?c`qd9B@xdT#*CM7dhvO@9)EO{BLCTWgG0NB^s>+
zmplr@VB9!WwLv?G7flk4lR?LQ(=w9Wu)Qo2cJI|M3%BnzgNmVLHJsOU-bDyhyWNqA
zGt+m!R7$iU7fq4WW;pLEf3<{!2d-S2+IR<VaBxM>Zr+b%?2(n<GyC7<Jftq%b3VMm
zibAu*sqfoZgr#59Uj~!vkm%uqoWkl?H->|63H%2!T1Q%r&ueFvDNG!$`<m9v{NH0e
zE1HQ6+O92qH3&pZM15#GElp~i+mN`#gWZ}oEtWl;F4cZ(-Y>nVZw>$cDiJz^NbOKv
z-n<}w9qi&1Z4$6l7IHdEk$uJmJiW)!<6Z)5;^eKFu?>Cx6c#Gwk6T%s4U6@fu<96I
z5Ol!tyH_{lps0NC8vr`mpQP-<W@-bziMa~c+~N3Di5)Pu67cuyaUkt}j-{?D54=+I
zhm*IR*`m``l{r8s#A#!P%EO!Bi^<yN;b(VEhZQcjYpvBQf=$CG69ZGhcVTRT4UW{;
zle%Md@_$3@+@8nMiVDG(9dM2B-()Ymbi%Fix=0Yhy#4-e40Zrsy4zIO$A5uEC{rdD
zG&mlJQ$r%LYkmPey!~)DZz%pG_FbJAh7Q2A1=eIezPKbGY?`BrIaZcO#WPzHpJ0`Q
zV*67M`>f~TuJ3~4;YtaX6@2y4oeL-`WHE9Z5jnR4Gqw#rng7vzYwBE?e!rlQWf~`h
z6hX2OFwdXXXEUlsjYW3hkvlQJz6~qk60^bySX5tb;9i!U*bs+_`#(_J_a0my^<?2f
z7Q7E`GM0W`Cid)AaNfLvb$=5Ld%>b(XaY`bIvjcR)xK-ny@rnq5i#MT_HfYH;vJ%d
zmHN%yQbmuHmf5U)k=5q?ozrkz!CAF8G`M+N>>_G&-cjAR-+N}-<UwL@O2Vh|ZdWC7
zMpXi)c@aJ>iac+IrO7t4U+xo0Awy_Y@TnqM{lUfS;m|KZrEJ4?-@W{vA9x4iO$%U3
zDUly~aaad+_URkgGuQj9-J{cy6Eyiy1(i4vF79fz%DJsH+)I*xlaHnFJ+1in=3YYW
zZ6#IkI2PC@L{1eExZU(yq2&6<^c<GN4aS9Jl$5Gt^=<Tsl-BhsY~Og~8qa_H@Ged4
zVA^z{p{%mD<&(VXW8e$Fi7C=}L5;sLH?T%Yju6yc%+T%*d|9aV5ew$lT}H4AGVU-q
z_8=c7lA+k8B2}o4@%(+&U18l5A0&ug*2%Ko?vc<u8KeHiMI5P#Cecl|yQ?BCdwmzH
z*xfj=z<Kh`0t**_v#rRoLa!z=Z~>7mYzfY$!RckW+z?bKNHjBWm6zjF|ICx{*rU@j
z0}lN>tq7U%5*3$a-h6;u*nk50Rmrj%8}nx7FJ61P(wN9)EuKYU?IW5Njo!6nRP2{4
zdVDf2`BKX==j}Yko!x91A+5<(5BF~-z1o$b0Y;+UQ_jAtmS6;wG=lVF;X^k0I*u3k
z<VR#3>m0ucvChsvP)NM#=t&?S^kECWFk$^&af*lDg|Ea&Jn1%KzHH00lvv^5@=jv5
zE_EcQrVxbOv#=hv*;|cM<%kfVzGQ9f$U1Z}5f<rm%Mznu_iz?i(}cuW!iuoi5rRh{
z=1X)ShGi(?UQ4u*J}*}Aup(h0aWgCd4)$NH+&fSYoRnA33jOF#F0Kr2=0_lNbL>zk
z53__mH53Wt?B>V$R>zD+!@p>9+l;K{8hPj)c8>M6geS0@m}9X1jA+^ud%9ZaFuakd
zW1a@Wo)p?KOMN@@jrM9?fGN;-cKvOacrc7AZNNG{ly(zQ=@y&OjJb0mq7EtMB@@@l
zega6LrC8C`e(y8hGoxS44FowmKSN2rTs@3+POdoypHmjXQDceJyGxGY#_e9%Tk+Fr
zy9-H%p5xie$?~A{VG8HE6^6Q_dMmp9+IgS`p+^Pm!xQ-B>CJsjO|m%tQsQRCNUH!n
zU(85xK@me0DLyiYI_Xs|DT-S5oUJ&2M3sj(9d*9B+fRe2yhFSz`EBgtnh9gO#7se2
zf$8H3ss<3j25%{!J0#}Hd^yZT$k(O4$gzs(=E2S^GP4ip>~4LHe-6NpwC-!qGOhBh
zfl#N|!p?6~jIUPdV{6A3lzK4IbRZU1Cn}X{Tq}kf-BRlv$Tv#ShHhT{{q81w+glWO
zY$kOR8*XGJyWPs)>ZHsJD{K~s4_X$8L#x0otc}B-Ag3*+KYT8nU8-{YCb-BL{~GCn
z>S<8yMkp{md1jKc@{j81AOpQbJybThtr#{Udh2dVkdH$dW)a6D)d1buN@aOGM7nAl
z03%%kNJymv*YFwcPDa;MzNv5HiGosTrs!8=j?a2SBbesi09$m7)ATsY7eX!mx~P8^
zT(#AFk8K}72gU)o`o5oF^Kr`asTlUGiLH85KW^SYVlfwrM&YT_k5~~7qy}SV0Z(Sy
zLfvnGx%%R*a_c^C_=7PG^lkb2|JJ{4c_I+X_L~NkH(!1W8h;^ijqF4<zw7e7`;T1g
zf0mFrAsBgYBV#I3-yXh{5RpsrvZuz7`ygp=Zw>Q6r@I~IdM`Eynyo9BUO`gBT#)eF
zaTvdv+vFbl^t+?>Y2rUi3~HF<^WdqL+ly9^b##dgb~muB7+$M~8&Zk~S77l6{a}a7
z(V~$uxA|><sPRdyAJwS=^AyL8>0f&5FqnT;?<Dtlv5dUWd(clao;%vk=aPZo@A!ou
z>}1n)&`D7L1w(4*&m6&}1{UQm?o|&<2*!Dj5ziSWToNUAs$-u^2W~~vkeyY|75M3g
zA<p=Dnk*6o*bx|QrI2xTj21B@OWFAwB*DM+_qL~k&}dOGtUz|p^zYaHc}EIi%!T}7
z`G}AHaZ{`tNAl`Ap+}ZLxcyMCh8my2HP$+=@v9ZCiiA9;3AtQu-fXb=vwMb20=Ba2
zL`WVzi_-D2{A{#G(p1D=R~6GTL!j~+UMrGgc=GjRc^JngdL9)<qM^%);2-~ls+Z-T
zQ)rW-&-GuH3Yh+*pUq$Zmp;mmrFsnKN3x;s#(S-p(mn0Z7`bNBe|qq&oN5SU%}gB#
z`VX-%{;}ad3qES{JGOWJmx0s%)Bn^jf;r(u5$gbnk;?7xEJ_NGMuS1l^wQVGP*;ux
zgw)QHtg-u&^#LMEScyb(RlW4=SK@R-Yr;S2a#pEaYh=cbWY!SVK={AfLkJP7iBY$z
z)G5{R$`kag$U^dQP{zX4!*t)K!q}s)L#;W822On<Cw`p%#pmGCoHm6BSeCWYi&VaD
z^>`dI<YYTi>b**sIoXJYDLFB-TSl8NNAg=8ma(@n|7H^5qv1#$(o(^l;nN$xBEJuv
z1{=(|!N>n(Mo_fx!}egpWg#}4oPytU7{N|yj440T2ekE)zvvv=$Ny3;HBWuBAe>@c
z(3|#Q+Z!a9Nt#CBS-e#$TC2UC*6_;uKlpZL0%<k+i`Y)O$(u@vi;lFMEH7xy;r3Gp
z*MuiJ?a-O(%UTN4GmF8RjE^H;BX-^hT4td?2~>+!9}lth3IWQL-RbyL#Zw;j#>{E_
zUSks*h#bXoF5e-XIMmL<Ku#PR<f|_Fn(=dMs!t_Z<;s1W^|GzCZ@ty^n*xS$4UIl4
zUV*qmnZmcT#413>Wyf`Lt;ezsZ#28lb->KYSh$U)J|FEg+B=F*1jFH+MD57K@vhTB
z&4@v>R@&t~>t$NW60h^izWX5H*~cDehv_Xog^1^5**^U81FJVK@o(X&7wi`yY7A>U
zWI_YjTMT`&2-G{bb?2)}WW)@%w&^8WrS*Je%Vd#tZ|#_-ccO=_lU*rQ+(2s9wSt|F
z-z99rw(Hipt8N`3@g0|Vl`>(%6#eui@82D14%Xhd=zsChFRpT?uao}<v#cA#YYgzd
z+xvRzAEJ{{7FteZ;@p_+!sS>A`f!(rdkw}O5TsS+UL1;BpV8HuGIjXvwEZUbS~cL(
zBcNo7m;{3gK~qmx0Z&K~>1w+4k1fNJp4?e??s@`Io?8FDydO;?*(fzBZSd^~YFadD
zc_B#BDa!Xr+0fbJ*U$PO!Ob{t_Q<6JhhJi@jnO~E9$|>A*}y7*da6Eln3S?@!>kKW
zd{FScn|YpDm-3KwF@9Q>0b4r)gEgXlYm==b&F*S!SIp2xtWE(FI6j=2p6kqZVk(`@
zprZTqYhgvxcWP{BvH$={HBvaGb9rVvjWQ{WCymHWlrSQ<LXQgMKKrGM_F^>u>uYb3
zX#c)kXJXGayCfC3+99rO+7U&tRjYmHW0e--N<nBpQRjprwWJsmo$FUaemgZaQgg%G
zG^U6a_adP*LG4lvd!bgIJE>;_ryqpmFOnhr+~uzn3>k71?)A@J$rzBQNqn*ztkrfV
zjdOQ=a&H@P+~Jb5!yN}m2;yc##uIWyY9GP4yP>YDH6dX`Kn;DeX%|hnVS3ABW7o@5
zPw6Gu`Q`aXRw^_!G54g~c1)n&>!Z+uCBj9)XWl&Fmn}yob;*H6PJfJC4gq?^JRd$W
zok>8M|KtZQ6%)J?K?#`HE?vlw&6NcunQ((kf-1;6pM0aNVs#YO>FJ~)R-eH|%2+S_
z*+}Mwu`cuigAiZ`fxM3(C@W?}$-EkC6D~~c12w7U4Ie2Ezo5bA&g$|tJ~tQ|R^x;i
zAU2|7okROpN}v(5{88c~Lu_->_0Ey<sC&4w`68Vd-UPCUgs+CxISuetBGnQ$2AlCn
z6|r<gO47?AJT_LNZ^aSC-cs0AuD`}=$B|`;%YaIg(E4P48j=a;rs#sXT7Ab^bNAxb
zDbm_&`NZI05r5hjP0Kh8#@<wPbZ|DGwHe?Cie$P^^NEO>b@Yl#G@Gd;F{qWfH~)K^
zI1_!!n7d3Xn!ssug&dEwV(C6&x+vc8L_&BSwjSg)vuZ^hGEw;W@wNoK8I)tIb56E-
zRI!L5s9Ub8EQf`)GQGQD0VS$j=8IpU5Tov|75r~`)4=9v%w5Vv$&oc-P`H+iWaCsv
z-me<3vKSi+YG>MQLz~T|!PU2!ZvIL$^qO8SF^FPY-7u)djv<P4a|etW@`NxldVP{0
zY?$ubXq08q>nU`QHITQ}5fMBp%sq~?Lg(Up=Efc#D<YfVU-5-0?d7cYcW=A85%dYU
zX~t6H;Su&(eA$n1`Gr7~8>gA?5J>cH;0(Hwhl!MCjYj9jn3)p800f%8lSnVgYJZ*C
zfk@T}-n*;s<Wdp=R$F!X4JJsxB%>Of8$4;s%3#f1dYU0G5sMp|c|LN`EO#IRFHQ81
zc$ZCkF=&_<0w0?_%#foHN`j26ZOPILj;9NV{+G=Yz3}DAE3+-_@N?5s({Nm_49=B2
z;4KQG{}|(%-eM?w)bm{lyJJas-Ibm+0m@gm>w$XVC}JO1TYu=Y&z@I&%pE`JL4`m!
zGz|N&VuB1%7*zg?gh50KIK}2kXrGWQUPAaOdc#|{r~5D0M2hQ%3oWeruz8Bl$;XG}
zmnW>5X8eRhVnz*(fczZO5T0z7w9ar^Ro<81pIdRo`E}@FcM@<^K!SVn(P?en>O=jo
zSjW9F*$iyBoH-zU9b@d#Yd`?oG-PUIEB3O9TQB#l;Au@p7r$j{0tTU%9iW4Ikh7zm
z5zUj0#A5k8eJpX1ACXJs-)8ln2T#x(W7n1NLS-smgRiCg)FAn^$gDWx<<w*c-m3uk
zBKGUs5n-^MUE8%hU|XG&og(-uxAl3u(&(#ap)yoy#2tEN6Ys1Qsib9}O1Jya2x)|p
z_WVqh0spd-q|BRnn$@+8@P*0;56#2{KnVCUc6Q!*^&ZP+Rqc1~I*J?t3ObSR8L#LJ
zPHYNhI3AiZu7RBrzCvc#2e1&C+D-SYV6F2DoQR_>^c#{K$aF4FI&PGteH4?u0(71~
zWmHEmCCJW*s7bcC0Rb{#usy~T6WbQ_g2vVtcD*oJ{g;|9QGi#-pKmd#Ki0w!JQhHW
z?61g(v#YdA;;qxmf_TDXM9@cT0TcNl;*xsaj35GKWbHU}z`Ynsg=0h@I|n=D^$T1)
zu6Oj5MF}!O%;_=C09C4Nt#T33H+NYb@z@JpMQ&EKdal#iWNiNRQPxsM=pGA6=8Qiz
zF!SDVzq_a}7;Qh{VN>dNHG)chuD#OhC)pDXtk7_Cqv>-EO90A;zCt1vuf$LRzbwjQ
zCzLdF<iN76&cJ91_{~0V#Gm>XXaA*4{<#kcd<hr05{!JampMX&x5OT6Lv=eKuhb!J
z=iqdoQK&=UHfMY`SO29e^6QYLLQWD}jZ!yHDl!`g5}N77A&Y`e3s<x)yt`TM^?YJT
zDF`h#4E54^mbn;Wb?`YkOaoE~oT2RLcO;N7ijXNzjHpzM4%1A_HeFDYMRrW(jVaBj
zFaxwGlBdZm@eAc=F-ty?%2?Ubz1YzVAiMH};Abl%LM1!=x>pCBQM1{QGI+)@AY~E`
z)ew&w-d{P@%9sO5G<=iou?FQIPX0ox|GHm(f~#jZS=Sl+jUTo4Djwx#c&0Z$JdJ4{
z<s)>>nT<%+aOq`JbRp}^F={??R|tMU5aADfG&-VMYi@S2AGmBxjvC;PCM@lcH^jr5
zn#0QBX)N}?#~2i;oWPC))M(=!4Gcm7S*#X~rh3(9mzMRIY^rG$DbeC;JV(JFB6#u9
zWx|dM+b!{@MMJav4?Y=GxmT)qVGd+;9}`3%3l$dbv=_<@MZsIT6P2~+^>(yXTyf{A
z$30-)c2k0I-ANnI>R$KeK+ZR5Usg~Cehx<`D*t4UNvJ}+++oc$ZTpSpT~>|(7=*qA
zOfUWa3O?WyEHsKFGMT`hUl(O;q85iG;t*R8SA{<Dr-Yuptyd$3Bj&8I89Y7VQMWzE
zmMyR5Sw$<ru4zAa#9aXAAV&ksJo7hzZSgn8&8Dj-)-+S$%Uoic9w=omK8GEqBBcGI
zr}Y}uRZ2~x`@SGMd)?J!E*IA*ATcFU!+hac#GR=i;SN4q7Jv}Km2K7jq`==+YpRX5
zZx_LzyC<o`>f9W;)-!j;sR!*Hu`)wE(c`_OdwzOo`3KoR;<N7DDaW{v{8(n>w#s6I
zFhw~b%m>XgC?bf9l$uy;XzYpy5YN;0S=5fVd1l^z@hG-4*`##CZ17qY3<Ht)RM%Cm
z?f;>I|F=!l^q4#LR)j~M`_m$|eTV2fAJskKUd1h;CAHh;LjCr0Uf6~V=e|m0rHmU$
z_T5~zBj!{Q!4rgDBF4pMi_~$dSkqXRP($~LZGb(AOnN0`w(2Ms5&vMBpqLNLsx~g~
z&g{_kI(+&dAUQW3%mGiBb>Z4CGIEu&a{C?J$hH4)@|<+v_x@773tDsW{PBM^^`JC+
zEN^d*4B~Jxcby_r)C<jdb)xv>U%dd5Xwgus;+CC72{B1+XY5xxJ>N!iI$H(#r0Z3(
ze-0;NmL6m$WTQH)#dD+<#qXt?54zg3cq*<uC*9|TPMi*%TA#uwhoja1S_A&Ds56O3
zHQJ)vD6&}jm<}n86;_~z5Z-nnGxaTgHX;$h%BXc7?#-9!tN5j_L}Q&TMBrT%{*Qw=
zAbDwt0yw8;^F7$`0PYtL+<X>!X0Ibpr;l#m*(<^x;-`rIS4jJ~s~RGl$@~DTAW5%S
zr8j5_{v{ax*FE&Hhm3&a|5sV}_hYbhI2&;XTiogY_hkRi2Q?w^x1HX7e*u5-g6Apw
zN9e#|LidaR#Gmk^G{b*DiL*(C{Qs;EY9o41bNo9dPq*j4&I_D_);s4e(VWph3`g#2
z@LZ;d@77EB2Jr-Ml<@FL^K66GpK%ItV$6kY)jZb@gMZ!sBm8W{Za3`g;7`(J%#t<h
z`D6GqY^weC--_r^{WGvz`Uus23qCknf5%zxk#Cu-XM$&(mfzvqS!@Ui^Seuyo20{e
z3V7JzssVVZrYa*^A8>9Je@KtbqGntRhjQZd?^8OPaF(=<Kfs?c;6)+xwvf_Q_zWI2
z999htan4oi=KS<vsdh6=7q)B~d_$3_!0>nAE{H+~()a{kRlF{pGrnAIsjV|Ztk2YU
z)pT5-P<ky`5_k^#5(^Kv;S$<Dzd|2her*+`3(^o9ciiX7tF{EZATa?iEL##Z*VWqL
za(SlA&NZ%HnR@?`%!)?Z{1Qy_=iCoi3n=?#CFOrrWbn!~1_X#$%w^q$>igqi+#V8C
znXs^Kf0|a=s4fnOP@uJYR{Sn}XyG#mcq(rHhka-ZVZa@}7AlXk{P|Ilo-Iqw5MC6c
zee7gJ<<LgKWmzUj^O=ugR9gcKVP?AL?rX-SmLp1!K@3l28jB+Hu=T4NWjWSU*w#j;
zVSY`IZ`@q+`fn+W7wBDMZMfjac)w0D%Z^d)&f29<q!<Te+!!F7-)j;hKEdzkSJj&2
z00-W<N~=OEft<*!DvPkys8f@z0Y@R0=^Y#8qPRc#ZPds7c1PoP2lzD3&^=XS=8o<Z
zbnX*kOachSpAUF`)N$cslUn&g<^p&@sG6y_5}w5MY>dYsROvlQ+~_obv8lL^Dv3|_
zxvgQ7y!KzWn{hyzU!ZAXC=n5|slf<G0L0$>;=<{n*}*Q=l+SbwMNBw|REpD-JT@iQ
z5M60byp;TUO<wv!mr8$TY3GyjW8Ng>P66&u_x|dha&Ys>pljPMe1K4n2U4WB$?|*(
zUsrm*UZN^gUn2Ns>fNLg0YVJ$^>D5$e$;c(a5pasWd;r)Q-=q26X7_%tU(f&gh79g
zaFvF%enB1Qciq1hpG~_g0c|WH<o3&1^dw8_^s1r?LtouRR?0hq=tx&|R>uWwaK{gL
zSl}x8yzEX+Q(i+wKtBv2R5$2mEnD|89jj@SFVcKG*39K&<0@FK9tjfy4D^K2#pyct
z)bVt>PDe}-^3n|d)0aY}@o`*nA*GUO-^Fm(_G%HK)gJvUq;^F^A@c_6NQnr`bA?NC
zV%Ov`*TJM)uIL`HAD^n*-}Agv$t`^)dw`!L>%9&cq9uH3zz`@*-?*G;PL53Q;&kRd
z&zd3q;K~|UcgT=@@N6qE`|52AziBPi(pNpMDW^B8Lys7^Er9?|8?Hr7hQJ>W<G1a_
zKG43DJx5U^lqsbn_XYu#Z^p(HKRLA4Ph~8%^W)oLJ!DZ6vd!AN&SJA`jDB|yUM06p
z46$p!4<t(8FvL2!1$1xm<4v7Z&^#BtiaRRtG<sg2+8Si#P(AHpSpVqqGzj-CZ?`F@
zCb4y_qzBO&mbpEW+hG|vaaRPFF(ezW*Z@O{r0anRWK}{T3(<yUpWD(=`egB?mB+JA
zTYCIg89-&L#^2I^rJz4@SnxJiG{;uuExhFEXnXDmnR>?2JvUR~2}x%7+b`0i8qb%a
z>nb^v1nzn)+2kWDxNqCy>alw&G!*eeToLR$F<#W++QzRgRxbbWaeWp1?2DI?yInPY
z0yEp%=jfVAwYo1KDK;1;HO&7G`T%Vkv~L|W$r@3#5(tT<X+hlpU2{Ybq&Xx)FxVIS
z>FXxz$(f?0s{}$~EC7p_TWd&{V(5&7uQFQ+1b*GEH8^7kiOMnmsYVsjfSU*9_gX^|
zc&i6ohPLROj9WK^XzHNno73-PXp}5iVqBJlf<0E1vXUnvI1e*>UW-VP>zs0NjZhiq
z$KJT>_NzN~Ow$x;M`;`Qmj0qy<!#jT{43uCQ=^p>NO~v})#;_Ji$Rv^ZXsDH@yobY
zw5e`U_lmhXtHZuB?m7&jZ4LAgQIWWFiJ%ONFOioriv-5Nl~{-FR&eQ1gbGu`><ewR
z$F-{r3C{lNhBn;5x#l_^B%u(DPBb+@MyV4Ocam&2iH2SG%U%2!T0lzvBp@IM%rcaj
zC5$>jlMP1O_-Z0A<?l!#Aw_b~xq0o;B+pA*TNj^b{C2m{xIVQ?=Qn;#*<|?mKP%YB
zHU<Y&V<HjR6gv}KZ#pGcEDivt3Div0G)mm8`5gT<Q;g79XDp+et#7Cf)Au?~tQko|
z5A)2@sx$m-50LhU2IZ0<zxs0>7uBLiYXet4Iw6~BHGE*ei~!e$4G@Mz^jWepW3~p3
zy;)k{rx&uxq?x@2R1!xa(r)xd*#rfM`t+J@t_XlG!j0Op^rDuWTn*MpybZ4sW*6N(
zCX#H&_f*90><Vgxe>1u8(&XDcQwc{SgmWM|h(~dh<HW~wi&&|hg=3*rW6j&?6{Xv&
zFPfrxAV8_w)&u=hUc${?B)4GGGj{F+nM-a(lf%&;jV83~kMWx1A-s}$9C(;256^Re
zkr7s^M)va%V+m{-LS-eW)>&IUPg_*&e5EIB&?$}LJ4D=^wd3xyCiEyNG6_*a0V?6v
z!m?_13-v&A!?>!jOHcT<C_uf;Dm?c4U=wFu83)09%D<*;%m}`*J^N9_iqGumfhDAP
z)OVk-p)ARGY#(&Z%-T>`)a#+*#k6!ffN+WU6hs$ODU$b5+CHbcL#Oe^alPc_Qb3H0
zzvjBG(b?BGMeiT?3`Zc`MxY5=Sa7Ih^a>#}5!nxvOd5K6z<q7iB(3NM<!LCzxc&WM
zz&&n?5t0DZP%{e;?V~5R;znmW)_5mnYZSDWLR3QS9k@D41?6n<&#aY8J;1Auk>v?+
zND5CKQzg{bSNf-{x>5R_V1{Q$KLV@fs3bkSpGMND#w+vJD&mmnY08hG!3UW=!$MS@
zH|ruH@7n`v!k&YOY<=;+fYKoWf4wj2(fc~Rji=cV{KKCxnn92ETHSz2_~v{<Z$J0i
z3BCFfOz@d^t+i6XeibV8@slK15%4JpO4vh_Il39W^o)$)rHL$470ph-C$4xbg|heU
zN`ujSRDEo}rHhq|6C7v;ovHP?FdYa1m7b3Y8u)%7gEVzF=xkeK37IJXM8SZ%KE@o7
zrGeY{o~7XTFDdZ7@qZnMqG=*vB)8p!PcgCQ(G#i~sZMz(4L>(PdmG?))j;PaC#`q#
zApttk&)`|q{>Q-o(}n<CjC2&AW-8<Usrjuu5fOnAuX(<NylFvm-Ptmz;|Kx06JG!g
z60YKI7cNa(xS|u!OC@njJX{KcynbdI)2>4s?@CFiJwuuf1Mkxat%UFY9ApXUYw-cr
z=*(*WU{(4f8iFesqXL?|G5Oz?A8k9J5tuXRW?PdU$D=3>OMkdzvZ==xMfr4)X^L4F
zz%e0(9wd#C><Yk{m=7EjT=g@bE;&Tlg(*&R3mFSmSH}Hmgpr&6sEjD|R<R@sK~#P>
z!N(};n&86>(Z*z{tAA!f<9w7MWcR#Gm7{A#^nE*OBB9FXsJiN<U$3~h&&8FEFg;(r
zf2emvtsma$WN<Se`(2N@#94rOAJu&<A>_7g{wz5#BC&o#yT9R#y(xTcR+`|)pA;h9
z6NDu7-J#>HveCfBF=dq>TZ-{s{rIJ?r3?vS3%#z?miUJbaiim%g<Q|{(!$j&4e4SU
zFOfZs7Qj4jQ1)qOQEj-x<qQ}(ey%dGwb01`9%o}z25weoqZx&Ha3}D<U$$}-<EHsc
ztu~)e7dL=oGLOW|MdY?r=Z1jZ%6Lpl)nzf)x8Rjq*O{AkMdhu5w@#sDx}`)6>0=K0
zzKTMOIZRE*2r&yy>E#b+F5{m5n(^^wrlv{WZzk>H*Pl3yQVRj1a6QEtJQ>k+h3C|y
z%@*a6Vn!YmkY-x4wiA)|qSsB1Df1`?c=Al40%<+4Q?Nb2Thq#9#)j*|a;8%$(bRxp
zal)U)7vA6lJ`EsmB}=%u&U}2*N)&e8E5G`LF`lhM*WlyP7GpF-*e39!nlw%kke4v+
zU8`P7=nx>Bp!H=B3@DZ6&^N18`6`N;Qpzw_%7QC*c~rz!HA1HWXc?B2qWH_&Wp$nB
zhhx4r(POd;{tIj&D#SQCT6T<8mPw1obcbqar3g_+63z%5k=qB60*q2p^QTRzfS>bs
zIGep5ZYk%D`?&(AGij_HUZE`k17+3ht*(xLvZAAwkApr#@pT10=q2*+D#6uOVest(
z2S-RC&%^Zt=`%9h+;^)W+(EW&Oky1-55m~cC>eS;;ur6=LY;kwn{w@^BY+rlGGA3N
zaPE=ZU(1GO(hzHzSrj|#`K?)2DK{>}?-u>(;}+GnP7oDzVe*!hl?4_~)MwryC2u$`
zDgSXJ!3ThZgHAJOsej3dt74>V2ExA)J<bOp6A6TlJ9gY5Q8ilSkYIP!&Wk&A&6NKU
zH16>}qU>3U9|L$HcdGA_D~41M$~?G&-RDqNIj~e+@s-@dyNBkfBA2?|&apP*f`}5z
zd)=p>zsNiz8aSzvG!IO(`phcnPM|yGWYlEwac@8{{3L04&N)kAcqZU?m9`Z@(m+W~
zblSgE$YKb$TP<I}Hpn>@Zv+k$Fz>~GuStbA@`7q!h`N!ZB-Z(Jhg+b*I}20a00E#6
z8gTz%8<Ac~l8%wEFKiq<Hwic|!#B?`?i2X~#>Ld&VEkEd7@sH{nGfMDYn3pN*Ci(q
z{;nAjR<hEs9gI9x@=IJ74nn}{ROO;jOtc)rE`7}uM8Ev-B_ZZ`xoP%nw=0VueU~ng
zKuZw&vRy~G>;fQ{X@{nMS0UD|m}+;d+I2TsV#2rQa&GjP>V4d1(%SrTsxzDlw95*(
zgYi{kx_xsjmhWDC9wrFJPI}HpAnUVa$$@jw)79a=xZ57^6$J9ZoRcM2sS}tVlY?H1
zvkn3hTI6+C3$xy`{jndg0^IUvpSy%dz+23Mv5<uN@<Z_enO-1f@!@D%O`0eqvdo~V
zBqeUpZY%R=4X)^k9wo5Rx0S(HOli6JtC{iw+b@Z~aSRjBh9oP~q;rYc<#@5=y~C%%
zQHk6vV<BiCiy-50+U1037zG=;sIor-?{{eLC1I8R7@|6Ss{}gqsCU&}$r__=S%@HC
zoD=4x8;-0Zsn5JZ5VEY!2w#p^`&&R60FQC#>P?y3Mk$pDFK}e4tol>tzM}*0-QSR{
zL=HX~239GLKqnE+b%&@IRqB^&w~()6`%ffBLXpo`8(4m5FB0Daxm3P9!H;2v+fP&;
zSNgt?Te!_=nb_t+r{{{l6tIk|ve^;;?4Z9+boz6!{d&FTbS|~CH$*XOAl~c3v%d6u
z_T%YCwbca5){?)GqnsbE6gbrAT+WJkxT-(sUj-?6qoT7^mH;<d*L(oGjiB!w@!M)F
z$JV}_R^AYHY{TO#_pkLAq~>V-*U1+Sjfm+Rb8j|T{?Hm?k4<$)T0F_?&?wmuG6U*e
zpm6b`_a|qy&0N`7*<Iu=jqaY?+k^o}@&k$*6hb_7CO3oZx@{(80+;x91`(67qX{ij
zk_^%{zV~WIm5u}F)Yu4N7tP3keW|*N69%@OHBlMbG)uP6+sS8tw*fE?TAlw~%&r{<
zKEx@vQkI^ZjqDB4eebU$lvNi7XEL?--8?Jxi7<E0A6ygD_Sd3rpa62yz=3;yp>0yr
z_Y+Aqt5%vIonNp2xU`WQ+@;H|40E48nko+bD!jRTuKAlo(ynLr2mC&6Khf6EhGUR+
zkXkhhT-)vQ2vpyXh}Lukr^vM17>il)&!V=b?e<zytZ;~N#C92@eake5QNAG!U8$Q$
z!zCb&vWXzd?@<JfS^d+n1YYZhCEg0GywkTeu)0l(I|>@_m&=|Oq67I{qN_FQtqv>`
zZQn<pGk*ZnJRm=~EjP#aW%&-eAnW#M+cVTFzCT#Y(ieGb+7)8L2=7cYy(ATHiiA!1
zba-(tMrw0bgi8qEfuN+9p((eNkSxlj>nO<;-BGXfoa-_QG8Y~M54OLI5C}l1QEueS
zkM1>TqH~#Vl-%s?(%FG`h5Wy~Ob0y~41LQCcDooO3wARzYj$dsz2&CtDvMLp{=xjA
zlCFt*#r8q6z&r#6YL|4QN*10u>yEjk@u-{1<<!UozMNs}@8V#rTa01jSSjC}1pmC^
z)m>1z=#39wJ8{xn|FUpL3{nndQ&|r5l@{Y4SY-R?)4VPq6nL8&FcnfeK)*Jk&4W`P
zshk6%N=ExOmoEjIQP-^dV_T6aIP53nEtN>3=PFukK6~)6d~+{e42!s+-E=Bud4D3C
z2)1CYm8CHx-H}l~_A0HT$xiM4l(8_|kH4H-8xhUubsnXdrKn%a&T=S1%N|Q%(r?WU
z(Rqe;rnmo(t+xz|YuUO+6E+DRJh;0w76=Z(-Mz68+}$m>yL*7(u8q5Qf=h6BcZb^~
z`R;r6bIw0_R(G#jRdbFpYSyS#S{RIc5!*bc+k7)w_Mi;aOg!=E;VuCJem?KvnW-+|
z?qM}vl1Y-vpBmA7h=z9Ge;hRtUil1p-OMn+Z?<RCeyJ|hXl2V;&+V6ve7#D*ay4gI
z%%@Mb+g3nq^^nT%6GFakI0bCKHyZLBa9D63pr|}R$FIRNc7r;ds7q>P$!50u*L5{-
z%aNynICFrzmJ^m)A=cW7+@ilekb{pt!*bhB$L4t;sT*|{>yyn#?fhox!dQpxvyZ)5
zJG?oq4pb&%m}iDAbQYV<+_-qblaYO7KkpKgSA>3vx(w?(r<i1}{Z>HcFJwH&oqrnI
z!AI5+GG#<`$Ij3U3~@>g)9V@lgv=Vd$WC?lGW&(US%ar4Pmk_e=}E|Qgr^GpmENE7
zq2`VA5^jrmr;PeM7o6s235+l8Ez{q4*1e!tFKeWe#~HRm9b0djv_pPV5X2dx0X50e
z)iDo!j2-ix2~40dowQ0LbsIbOF-K4|Syq>_oNx+F4SbEJ-L~$w**c0P08P^w!Yw@9
zO?ud+2QOKV3p?TP+d;MT693oBLfSsC_@AKC6Kvskgtj%9jJu&nxE+zCM274ru?w-S
zyn<5n(Tju4`zdS?^lOQ3`1Hc843X~~R9uI*x@PGjvy;2jzq?|5(U_@bJj(TA>MSt_
zgLV`>G-F5)r6R~_|Dew3IrIZkhqkB-V=#GHOAGPDK2ZjR>+xx)*ur9vg7e-4)MC$a
zl6-c;Pjwr@dV$w{Gw`W~WyAiJr{zt0w<?hbMhP1#ajH)BX3P{Xyx3v&;{Ve8J{9#+
z$U$ETw?N9yPUsEM{EU1E5Oj$&OaH#QgWu6)U*8)-D(AsBZ&Sm^C9DVAi#gK(HYD|u
z_o?9UFB-dGs`{|30;kgjY|E(hsO@n({e%Uq2>!cDRUguE#k1~=fazt^sr@;?WK4mp
z!LUKdfJv`b`+b!>Z)ZfnrYBC%!}Ci1l;^O)0|K5wt4!s*bczgXF6n<~B@R@2IOkz^
zd#Pe?f(<%1Rj|vZUme$w-MgK~xElvqL~i{4>Nmk;m1MS-w|fG3$sTsbgzOoJ3Gg$P
zzk(|8hCj@Us8b_SgTHi|ss|S60a@Qq@9_ol)=#u<O5JNQ|C#45l8ioGyt~&-LEEzM
zKs+X)-<{W(1*%gvDAnPKh^nVv3-)Pzl-B<-g)}~w=LvPdIB&^J$ZNR?y=zjKH(08X
zn4oI;eQM4uMyjF;NGJIlDGx~?H79qDVoV5XmZ7cCGZYhReQ{6!?1%uz02sF_2_Na`
z84DvT#lel?kby?$$*keMqlepemytzg7FCU^DW_X$O>J0hYSRh_5O+ZpMw;x8d!Q+u
zRydCDb*sSYlFsTWUdOaL1SZgA-2Mh<h+bBLp1%2IR6Vjsi;{k}v?fG1Zi^fG{3F7O
z_eUDq1lK+ph5RRA*_(g`A2#3c6_kt3`7<iFKQ&XCmzt@Ux1%HJC^|F;>b$?~s4Ku+
z#cr1`t^%<HSWNt3L4c}O9&UtFz<?mreT=MfYlWD39`R7&SDVxsL1oFeiW4(+QrK)R
zbXB{-!w04<^S77XJ(UqB*dK{9_y3wYxuK`;ES%LUeXvoBnsdm{Je<@AsA@&fwqPi_
zNTu~&KezKjZILY!s8WF8OEzkt1Z_^JR_RLoPa`771gw=+Z+}OK6a+pF&`cc3Ah7KT
z&2f8nCjgm$?w3PT>G|x6IU{9$sP)KXiu8sUHKnvrv$lT9XwgvC&YwGxA7MTQBvM*t
z<Z81h4zlCBUOwK<h*uvoN~;67e;`EaJ^z)hkiIm6N_tLj4?#Y+DWwa&bAMNpGQ}Av
zPpUzd5#V>F&H@Bc1VM{<RGHj<{#1xjwyoqR>PMOpba}=lwf6_6X<uOaGGnX(QX6AP
zc~xK}TWS+CoiamfQgeXc>ZV5yEN6S;SYjv7piGEz`If8=VEnlYj*PZhRjV;rB@~Yt
zY}d7Ch~5_Xv(Bib{OgEuEx|s|DWD2kXgftt^WJguyVGIy(4U!7Lp3zl(LbI2p4$ap
z+Zr4|uW1nE7&KMZ;FG0Z$<?B;HFAz?4W8roB3$6g^b(B8Fy(6vJ`m=zq(NOhXgu?`
z8M8wb@>054T7fA@CH@y5RQj9xgh0pn&F{3;K%?$z`js*%uKYr}z1t8Id@h8cDr(_q
zd3w_j`kjTmY#XUixCtPj3AM@2BChjtVUJH75qLu3YYs1`%3Z%#kyym~C(|;CQI?>X
zeu+;awVt<})6<Vi9)>z(G)<>$jccax^h@k7^m9*;&X!M9A|;xsAlkVE*JDY%%f&MY
z>Rn)NF?Ax}`@L7Poad#~_{2L3E4=av)ufy((#2Nqe6Itz>B&`9KM$|35EjD(P-f#A
z@qARpg}==fQv{BwlA{1~tcym>6IRk|9MJ&V>+$;2gGcE<Md3wr=<rlR|47zyl$~fy
zF4^fLzPsDQ5@9+~`!UhzUS%xDWzx#SZ(8b88D~8O&R(-$9iGd+n)hl*=6t$1S~nL3
zS0U%0ef@a4oOCL&-)_~mad-IgZfPQ)o%bvE$9q@Hm=Zj*-p57d;?P&DK4x|Bs9kbf
zO)zt^I=tQ@u9OWqbYPI;T*O-?aozqX5*8H;wH@m1W)s8uCVQHgdd}#`2`4&>u7KeO
zCN`e>dsrnGEjGug9uvS{k#~jf^T|Cp(mdh2_|;q^UBrhuLv0I@*T2G;$f(~ZT4}^M
ze0NTNcs^|Hx1yg<EN36*rhFt#n!QSAQA0aID9nu{6!L|JMfsMvl<fvJN&WiGj-ge%
zTYzAZ{c)Loy+)w<So4MGb8<`!PRbARID>KW+n=q2;mKZJoe9kAQOy1L7^i2UL~^(n
zY@tNt6nDo#HAB({c-#aRj`We}uq`}LyAE@9jSFDBUkHS#Yl8@F4TwlkBQc-&vfAr4
z)kH$fYmj@wOU$~MD2thtSpW=nemU{NU)F5ot*}4*!0ILUy3h8?N&4!C&PcGdMX@w0
zB9ikXlMk^Qx;H%k+u$z+qM!hdudkqqU-=l4Gu@;TdCuPx_qClm@@1y-I1_Z+i{VOe
zoWWy|^Yj!9t+NRi{F7pkGbC_Oxkv39P4gsA)_udlP>cDjXmH_;A9K^f0Ehv&a#%3p
z3^Kp`W&zb#m$QqRuY{joLB&CLm5vs;pTEue8L{1t`yo|Wv}TYx$fE~1GJig?<U*jp
zCnuTw!JRK)z>Kq)O!$`ZF?>zPA{ZM#VDCZAghEk6P<yO`BPlE5E+#yJRvZHd%t<(c
z1G&v>SRN#ws^ddV$IfH%8GnIZ+sD&_*+Q*gyo}=NNoq%BVpcTr7-203j^L9hpJ3*2
zIr0d%q5**iY6e>eZ6N9V3CgNLu<t*xpH^;BKk>MF&G-`vyn+G|ubfwZ6AHfwJRL{J
z=_=Y5@44ssfH4!v<Eirgd#p=D#I}++QcvWnAW?4+$ejeVjqT8}4pX4;;~P{I-Ub}=
z;7)Y@<SKSP`MWb|FRd(l^;HArVG>AlKYiANE`O$MlloA;t4kz`(>1o^piW<p6=EgX
zZIbbhg=$DR=#JMVWo0|pAS!AoYVE;8)gzvrfmMf6b{!oG<!i?oq@5aV=Auy~CpmC8
z<a9h|_s~|~DSt3;=?&^F>HRqQoQy%>e?!eYj7C|?@Qu3b9`$bR5!(P;oG$l_t4US(
zG(8*b`9v~SFPbSB-jXWL7=I+nu(}lo6AcN{zE@CDf}fX;Z%Z<8p81F}k&xHW6ohX)
zDSlcT`V9yJ<7d3ZuK6lV<9WD3HIt8(HjjV~ZEpwOK)$&$21lI9!)1r-{|efQbmhFv
zR%7)JjpR8ZKomz*%(hkG2NNHDkCHT&?818ylAinNUau8T{0kN?f>3IOxgBR7AAAG6
zcSps^Yldq~X&sAH%eIRig0Ehl`J9ZYMM`UTj>*u4DTSiVn8r&oQ_n2@V?)f%t^qLJ
zP<@Q}3&yeKzJ*y!K}45Jio(Mr+2yY4ZGoyF`AaYckwJpd#-a!Z3Z;SZb=Ja9YoqLG
zk2y95E=2vV&J&Axdu&Vs>2%s<CQ96hYl&yEK1hoydu?ztA~bVd#`MZ((T9Z-_X83N
z=^g@qr%aMihc!tzlM_pL21haq-Wtn4dOaV+6#SNL@4hAK0ZF|aI5=>hu@lm9`NgkP
zbD!5?`Cf*<1r{opigAsF1@<Mu`52{4;Mm_WZ4f=;g856$Nj-U%!i1UiPYDSgzWMv<
zWd+(#=%rq(@kXMzpaq<uzGbP@3CX#1AKH0q7`Pee+K(Ja5d^con+^$CNH3wIi+g1C
z^QNF-QvJN;EY@>j<-xA_BCVP-fS&P=6x}qp`?OY}1(aQLx^Wr^qfsupgo3`zZ9O2$
z@;hP4A$=5oVTuRoqr|TxBX@k+O%az8)DALr3VAyA1FS#zY?*j2wYt%>B1Ja?n*s`4
z<%M}P2pG0Q6!Ya+VWhm@imazAh=kOb2HD1)LOTHo*Ip9z(`OAh#P-b!ub)w|`R^Fo
zkOO)`TE=#XSz;17l$kRqNYR4yP1jEc%Y|ubCgNOS`u|zoP&Ld~7Q*;Fa+Hu(jrtc6
zL7}*?Lh+rZMhgd8MvY@&%8D{~lkuOR_(zO&rO0oqr>ddWVLYm)K$dv>sFt$yBIPen
zW~ik|ofoc{W`1>sr}mxMK>d#Ik+e^1``&J1)<2kZ=v_x}+OvgkbN0{@WcihiD1O8w
z4zMi62;9!@qR*liIMc*Y50kt!M2rN|5b9)8Xh`>9`Dm(V-9Xci^L34>*XT3nhLenx
zjkol4*cs#pqn(8#&?rnIp#?h|h&E8}nuXw{HUht5zoZsQ1E!CrC(Uy4midRM5Q<ED
zNq$j<++2e;;e$e7VS_a$NusC|RVrT=;b*y?Wt$<p47^t{h!BvYf`rY;uGuK$b<r#E
zud^x^RbgNaMce!K@Jp;oqq5v!50NHvlB-ywa7Be-#*PaMx}W-7dD>wpv{EiaX(VwI
zaeEfd^{WrvRmE(7H^fB?s^$nQ8|y>cy4YB5?&_o2=%aAx7l*`Par{U-DpK?yzYB%>
z(_qeF_3{re<kgVIkA%Eh8?<l2y?6tKk}R|Gews=rMDFD1iw_Gu9?{Kq$578yl*<}N
zJXarSPTVhC3XDr#+u-xQ?bB_x9Le;}{E>h#Ms_xFE=X^_h7Ct;P(8o~yN1PSTt^6C
zt`COP^yn?jxlFFmqo#1+Ph|#6<M*kEW(5<k^KkgRg4Usb-4lo9Zi<5qt@G}6RwYtz
zs3sy^Jl-QN9jEGcJP+X}Ni8=I4&jgY3WC`jx(|ZZE!XSDv`j-sdDd8O6L<%{KRWS}
zu>Za{htIu7!SW}Ymc7#&(?i(}Y)6KeXb$Px@?Qd77Y-v_a+$&jgF?_r<VcYuuY4#V
z17A&!6>0^6B2pWv{Wy{jS+^oa)ZNtl!BqZ2KID3OXvQtE{pe`7YZoZI8q|D5TT!H<
zhUEj)B;6Ok8mdD^6b#Yf(*Gb?HEQx>0w0B;WPH@MnFFcOogUN#arccFDKDRLAl`Y8
zD-|EAEag`l_}8%X2#`lMY*f5JhpI^bIx<EYBP0g;)#Rc)OoyErF^1oF=M$9ui#e7#
zP$H9$Cj?nATdy|D6+2PZC@eN-x!Wl=CU>u2f4xSp%oaKe<%Q`h9iWXCvGWl(0!t_2
z(5pg(Dm>R%$G$0|g@kkqX9^(s^~}0bhV~S|QZd6p;L3*r0twarSP=|DD|Kim5_8&b
zFpS@uQgs9SnEKE=3ZDeV<rlEw-YcC497y6Ao=?Zxk5<(O&aMshDOz)-D43}4%4|vm
z{l-fe5~lTi*BHy6R$oXB*Cy|oD9lFL^2pK9gVdV6h)&n}3@fhuf9FV)?5op_v6u;B
zXkr^8D83>DE+4rrD?Ohz%fRYfU8UyLLBgDmIqUoM3W2VV#0>bPaa8(^ebuf*1`ToV
zSY{Ut^3sKV!=WNd^7B4V%m>?K{EhG(f%kc`2FV;Us(CF6dv&gTQd*qNa<g;^sIOnB
zE9Ql|SZq=uk(QbGRc@iY=2M6}))|G|gG(qys2CNMpU^594yWq0T&$k@7i>-qhvbge
zzk{ho5K8F?UMc4b(+oLMHFdvme#k^a@z}O!K%Bs>LIC~?G^_JL(iiOfbB7sPhxc{X
zhDag_S5w|)NH@Y}xAYj;{fEkHvSIc_+##2%RUfLT0FGX=elr<L=|pTWM<Pf6U@QEH
z0>8!|F!h4^(0;I8L7HM8xwkctgA3D0$s(6dsY!@W*ME_tbT%B^RB^(R3(R?;8=jAl
z5bCFtb%(HnAnc76!@yfUn&y(PYrJrnNaksC>~fb(@ic3&j6C7^gu*G8?#Y(e=mc7W
zoOJ8Ljk^Wcv^=enUw+G$6%Dk8MfNA+>v%z>ocwULMk6(5isysE+qpFDOpF&u8S#06
zhX(kI*ASRPf1MSsjY?{zpv03BhA83io;FQeKYck3dka^zZ*%<}qJ0l)_lRDM-j4&n
z*}5MLLh!#klOD@wegVrUie5o#jcJ&lf>t*5MtN9Z>lQ4njG9%gMMc?31x<Vc1xuXS
z@-=J#h4^F-Zei?>eCxg3yKPK`7A>v5s30gYmT`MTbe^OjI#h)Vw)Xzw7D^(C-wAL6
zgq2>vp_GloD3_2l!ox?li}IEpWH-hDJ8nUXe0<?5$WPOQ6LKI4)1eI29isQ(1Wr0Z
zBrA9ic{dmq0_o6bMM!n?R!l0uqi1t1G>9_}j)VmVbvyHvv(!NJE>8IRnE07TLd+E7
zg^|(F8ny^+WfXZvIjeg#sQ6S^6gX@-VvgTKQVjG}MD<@cbkT#>S~qca$DLYJ_SKVd
zhMc;CbX>_Nho6avoR8VaeB_m9UHT;O;X7;dumQwtfzZzqwIRT)zzOL(9~iPq6g@Ik
zNwfrtcgM@lkXIgmXc0nsw3=zkaQf0_7bHo2)&YH&C|LlAqYH;iL|&ktVvL3i7?hqO
zCNwb<k&kGzzOJ14w25OWh&WrndUG|`lLI?b#;AGb_M)6$TJw5u#}~fYMRCB;q6Any
zWhda}rhBB0<sWYL5|<019fBg^bbykpkhhew74Z!!!WOTK1rf@wRWn>NQt-rrRA=Pc
z3n1Rlkk1mLWv+1y^0aB71m|ObCOv~h`>v7nt5fnngG&vadRYGG<ziJPJ2H;!5_DbM
z{ktguhwu>BFJHQ|Hooa3HmpojI>PB>MU6Nf%Sn71B>P5x!5BL9(iHmCj+M;#1~!U!
zSToqulwta=;8ZPEQ~U!>5#;sTgyPH}L>utS)oKP=BHxyG#do+W&zHUGrn0=MrFB%P
z{qsnoby73O6(FD>g2K^Ms3`?CBm_^zT)28cf{!?|wh`cUr$zCEqjF#=dyliJUQb4p
zTT#!|0y%qV8(a?iC(Jxx$&WZ!^S@`((4scql)G^&d<d&Z!>yoLk#fWh3PO|RQ*Ud+
zl@Trn2&^fgiyPLcF1eb|O3v=Vz{o8U%(YWM(pD3Sj2i-h{7{a7SqUUc;B|><+xV$J
zb1J7Oddsck60cfvMRC#1xtWY@#nHKI-E@Db?J5`$+>{K%|K4uS2Lij%#7wrw!PXyF
zm1f@#4r+yTg>i?^6R<Wmgch0VKrK2+8P$7gq?i8C^!FI?|72^qICnYsVHasJIq4PH
zX^TRH57G%s&<kRsCvmGEn#A5M8PtZ0iLI`jCQjZw*k#&qW0Bgca>;c&53Hx5@)CA(
zJ4BPdbU<QkNBr>>jY6DI8X4Fira6ns$}DQ`Xwm(_PO6W6t%uFE(a%$lEbiQs^T}P$
z&+WEbfXDTACK(mNk^exQk~7W)s2i_lUV2z*fmyF@6RiX$b@OG<86n8>wIdca_*io!
zf8Ou-!FZ;^_@A9B?lX@qrYPPstTDpp=)@xy(oFhAirj9<XFcJ1u8X&6a~7OEqBQu7
zZj&v?-~R?09+ua_abj=zjO|UR?0re`px+C<IyGR%FM?<rbwQ|8zvqVFwSV+JR{JN#
zG5nzuQaEyYg!TJP(vkv(7rX<DLcTFuj{O+$3i`e5XAYW40rIpSm|$vzAen$aVbB6c
zoXT^&FLVq^P^y<Hh{292HblrqLTib`#Y)I4qbOvqv*pPB`SdGjw49I`LMuPyQACv&
zwV<y0LK|+II}q7&@)@#Gos4wIk0k%g9|30uh5jYPnX2uX*Kx)KB9Fgz*uN-v{0ewa
zUkHo6@o_=pq|9*{5fr|;q`#A(`b{6NpzKjUF{L1&r@Z_t4QUfg1iUTeyCr0!&H!OE
z3HoI6*W~Nvur!&cp^<hJq#6YM72#i>A5XAOhZwlJ13K(UnMjh!k4;C4(q4oh<gPCh
z{e=pYM+kR9`Ls<&w0)1b=qVi`lDy~5qt+uewX&m;p+BFky>#Q<FD&2hGQcCbHrOc5
z)GE4@>~WNdbNa`}28WUmjs9VALH<M_?tc2{f<8lH-}-upXvnW#dJ}RJIx?np?m+8I
zwJYZn=<Y*D?$q2oK(0H%YbeGP2#QIyHH9NVF$Q;Rna#4Gu}3oCP2&ZlTLBb*Y+JO(
zg3iNIwd*Nz7VHvta-<ouKv~PmhX*Z2S+Zt{naU=V98DXmz7gBaGWKJM1A{|WN?aO8
zk^KmhW^2VB(5I&a?sd^$mZF>r^pheI*~nF0s5h!r8MXk=262t?PqK4YyDJODC3N+9
z?MlyS6u(uz;7UDv1s$d|C_Ozkf*KYPuGTDR+Nv&a+YQ|ivK^|r$$7~r(C&8AdEY?I
za{X|+kRcMnY7h<5(h)WkO?+|&YhdA-XVGXi5lNAGb8hURG_rkGuR#L@ja7y@vG?@v
zcEhL`MxOUubbToGawU{Q;73o%PjIfvQy!RiqcOfWX4^*`Lf%Kh6vLENcCJIV)fveg
zI2iNdD)STxLJ95LOyE@D8MdoyVTnjMPoIE)XP)f2^5__r;Z?m}Q^Ri(>ZVt)opg1n
z)s;%=72u<82Q;4x^^Zs1Psr{-M`jmgFVkn=OiAEl)A7(6+I=HCgle2R&GZsT<LE0{
zH{-fpYHVNco-)}+7yu=%5kYM_irP+1iMsCkbjQy0+}q%wwxNrOv9K__*H_I>t_~(|
z>SBJLF>Z<K7`UiHqsV1WZGQUz`89ed26Dt+f0~rFpj8JTnCzl(K}A?V%9h8Wnb-V&
zJhPK`?oG4>rM`wn<i&lpzJiC=()oQA!aq7oVK=_nPR#`{pXJ2oCG#xsdgC)DaTCY2
zI`^-6o(!}G3<Xm%_bhii7xz;T`QGUoDdS%-PF8Sv^vbI~Iy0}_J<(-RvMzZe&qRz&
zv@%*&*r2TOaRud5@=V-eZ)aS(Ix5%L@maK7=hCcN9M@X)ei>VmpgyHgC!9O1H*J;X
zc=tHv!kvoE<;@PbGGt}OeC8J4pS$a+!hBLyOjOF`Sfo4U@-S7q0L729og~ZKHyE|?
z^q=3?Nlfz&<q1PUGM*Gx`1wq?M;^O}j&jAhQ`&L<qn8_hL%(C0tA|Mv5&x`dg*hI-
z*J!#KhFj>qd0Xs|k+oLno_(55bMAd5<95hVuZ~iI259anJ5TLnckFchQR``YL4z0A
z0PrDsJse2H4=)wqvG%>m^N77vh~2dvrr$A7d4@G?%?gA^nW#s<t`by}S*p>E|LM{g
z&7L!h+jVZEAzxWw65$1DpcrX|d^<`gzBMmQ&xMw4Do#)1rr7Z{X@DHhpWN)MjDPNw
z4M-LlSkHig!>Eg9X_D7u?GkrUjMpyBRbLW(P}bz;jjLT|xyxp!MW^bA#?-dutf#ww
z-ZCx^8~DV+IhH4pDXDo6Eb+J2c7s(>jMvQ3_Ga)1t(W(s1eY0<pTz(;b6RT8mz4Qs
zgb6Ua`j2X2>@&3W+BAs0aRyB@x*6D6awuN+PG(3E`p#vvQW=F&e6KmCldl-}yYu92
z`L`d#spuf@r*z>X@}rlfPpd&rQ(?xbiw187QeC<&w$WrE;1jZ>-W-P3Jx5${0q#9K
za1y_2PiuA_M=&C3YSPT%0kFdQ3fo@;khtXu{Aev4MZCq#4Q0r=uMRiHWz*2i<GBmk
zv$P)x65o1z>+o%1c)Jn(kqEDRwuOnyu-@gB5x`OMaz9@D#KoFd)uDlo$@aPtc~54X
zN_88%S)1UztRZpTWO`jUyqS`5d?@0z;gB_~2C^``j#x6=(YZa%ZC|XM>(?!%)YCV-
z=BA5hndXQwsqsenDW;rX`#4OSX0EoM^ws|KvgS^8;-|`46m-0n;gl+WOO2P(C8TgF
zJKYJ;fNB03TOFRT>{VHPv`xr$Y0v#!ZLFPe?kdlfN6}{8UK1Ool)Y?O^2FFlT0jJy
zUaQi6KNy<2eA_VGQaW_IP)WR6RNV~7roz~qp(BRG20R0ckbj3c>54Vp!|IgvkE|$$
z?)ez)MW*Hb&Zg7L$-9*FNV;n5-N1`XN_cBkN4~EcS-kAbV`&NhXe3V7VVJZ6-ysjx
ziB1fgIfA7o)dw#QOZ;I#f+s<{1XGRKX_t@}w5PK-*XMnFTy2@)t&0;?W8WTAIjIeG
zh-=NYH@}4z_#)}{*>&w$Hs=X+5O;Tse9OJ$9m0te!dhn2E~_Er$vNid1w=>2`r@Q2
z<>YFkH|wE5Dk$Q&Q~1>6c=<6uRw~G88pexVmI2p^c9|G&Dzqmxv~RSoJ9Q&fm`JSE
zb4l#6?IC@Dwvg8R+jkq5vYBC5ca^Rf>A-eEU2*B6`6x}k(|ygdyuoCTtp@eAmSM-k
z>k)&WIV>dsrBh~XA)1bLO0^&gnQ!FcdA=%A%U3Eh*$hAKBUHcz4h&-lxocitHAd>>
za?NNxf69CIl+n7&l|Mig)25R@$!S?-+azo_YR~SE0gR~Gt`|QUyq<em0@^`>wih{F
z{gdWXhZi%tfVyfcbL;xDnU>1)sH{VtjG8HSH`A&{LoD4k4cq&&CHL<DwE^|}wO_;D
z&jta9*Q%2q1)gr7ld`;O9FDBZv;dLWW|>5qk2{mJ%a10Ub&F*)tcKt~*Yx&=JwhUl
z3Wd6%X6IC)ywa!3xVyU&!>29lvTyf|nkdGSdt#1L$Yoc%YR&PZN;hdlekKm5o9rc7
zY^9_Ez4y~&9&~9VW?F0!`&bd?O6zlqcxZZjp77^Gbs2S4kn{HJ;CMn^*4EP7M_R*7
zZ@?lW0}vS%L^cX)UH>&MoJi!hf8td4nGTJY%T>cdocz}e?lPH1fXmLH<YrLBPK1A!
zvq8woz84++;R(!syod44KMt~+*K&?6q;<mV3lnZiiHJuw^`G~fe44-6QtNdsi{oqU
zmHiOyRo!qn6lTBr&VriaJ#?TXCBm>z0LOwRprvhl+U2e6C5OBmlNWwh2qLvEaV;5&
zUHv5ZV{EsPfX*B8{vCZb-qEB*a@9StI<06|Q{66bfG}Q40&RNnumhKQnxr|HYfawT
zoNGxe1cojEv!wXAA96gO46uG>tD7$|%}pnkE%Hgt=8{I=d^4Rua^q}X=~KC`c{TZL
zY+XoDPHB=Xo+ZH9P6`vmV+PcT4B$6WO!DZQG?(fzbF!ERWRhpP{))lA1l#g*lxyQ;
zDFr%s{SF_9BxHO2lj`B|Q!RO;bwn;1xcpe%)tq<XLrpc8X~u&w<md><VkS0TXc*pN
zyvLMh^v%lqwx-*9#^F*|I|H{8g8;ih29I}2<pbmF3qFTy@?aNQy!x{v8D(#Q%dCun
zrj4~w7g8m3nK)%x#;EFm9Oy_}+um(y3K0326a{kQv3F(n^PO%f$+Ag+uZ|f8UHzRb
zV+w}HJNfty`zICOFgaxM2Udd+;N20j>e%CwP#c=(G;$<sd1>FJ9!Gg%-_&@68=73K
zy`OxvE@NzmUntcR%r5e4*VZ>zpiaxOvg^w&FX@*u7ep&x@aAr>tw0V1@k=Gpl_ePy
zUK3;Ycs3#ZhA2=e-{j5Si#)beP@3p&u`4517accBdP{zqu(_;zT0{h{)ZaNNm8bqS
zVy%ySsnC{A30odU-tE&9=9{?GvJ9-T1mJK@#b)Tkv08PaRhxZbntrYi<8iIaO$m2|
zuuL)lj-+Y?11taD3NCwc#Y1MjqNsZ8>L+dn*B<*-x)ar%D|_Zn!)n<YYvU;&{OtG}
zB7OB;o=z7#;xeO&cjOk0*lYUlo=j>dsor_jNm^C0!aiL`^Xv~9OBWS7PT2-_7WBJA
zc9cwjr9uqgd4F~+;5TfV=Ul2rKotFp`c(f2CGc&uRiVPIOYZt?AoAG_6-nrNynGAC
zG^;@x+Pf%vyk-Akrd^n(iU0Znt%wnfK9VusLg#<7%Wl00K{btL`A6?a45ZD2Jwv&A
zlve0ac;WW*DI~hm^!d$-=c&ECV$2y(S*;F|eUm(h-bo*(L5DP9>OtbXCi7lEX-AT{
zabX$x^7?YEXnA~G_h)X7@J|?uhmBkiKw)9US<SwRZatRGPWRG$4s**-{|$$0478|y
z_Z#GqXWkplxy4Ji6wV~yi7e3)%lk8K8#fZAyPGJ7&O=24$k?L6HGG)boi;z^b+MSV
z_iRVBTB5}!5{c@>0qkoeB!tp`yr}dnPjeRV?M^ehc&lHUaU+cB66XjA;EaVu3!_*9
zMf#_#%4pm^UTLXi>Kc^EC+zMA-cMoQEZsb+$01ZGrL6JYn&R_74#Azj-ly2Vxh_gX
zx@|F(+RRO88d^zFUYbuqT&hs5$=ekFsrU9+U#=_c{zknoI+i*<iEq`*+$f;lKW@2J
z+eUT9R!J&BYlI`=m+h7&1(L5Wzw@-aXY%lX{>%ks8FmjKgSu<o1J6=dRrvQpETnjW
z?qel%9+vOnwgKOibt^0od8MYh$^O0g9>_y9Ussz5uM3x%3D9u8kI>;TG0Iz8ZIpXo
z`2;VnqKz~ZuTwM^>XD8}#Zqrhqv0VN7@w$H@pvI-J~LeE<xy(L?p?KY8(H>zqN6dT
zS;7C1O1&$)YN+9HW(>!A8=CNOvqX5h^Dxd6FcG5T<&T#AAgsZ!lA+dDm)G1HwV%J+
z9lsY0l!Zbj&AeGQmkk^7j{k>1SDz4u|H;ewLvmO1EGLwtbf6rhXut)<U{*^ms9fui
zPp)u9uVY2R_Bn4uSHGHE;s~ddYBi^n2G`0n`xzdny570JW8CeI%z6I9j3zL#cn6{6
zTab?TughB>&4PGCQQ*wHzZ{SYy(gqDCcxJ?%+Gt~mi${TJJVCj*fe+2Wnf)Xc0F;<
z&2>6|GL;{HF32#!#$~z+lAS~wE>1FDtSocPefKM2HetAFnqoJ?-wN3&38DP#6qr5l
zNee8g?7r?#Q_m|L3n_q(YLsQy<mTShl2co8#U)z5pE{KCWT;&j0BG_wd}H~E;2GZp
z-EJtTIknu8WG@pu1h6FGZQAZ>wU$t~MO(Hm19rmDD;i^^LL==8a}qon1h3VeNPWl+
zQ>D_{mhUCjH(GJ{1+vgd!2XD1ApHM^oJSXmPfp@u*ty$Qm$1m!sRBVtgDojGKok^L
z{ZRbiPktuL{X<-S_fnP~&`ufvapLKfqtB4vE9knFasp*9M@ob?hDx^hWdPcIj~?IF
zj@ghWFbe0#(KZ9qM@7MwO<YGic?w=aPYMQ(q~4YFcN55}@o_-pjESBIt^?A^F*|a=
zDNR`<5@UFYw^7R3kd0b<6=He|{O^J8ad7u^l;#LAz2hGt;GAln^pp6t`sJ*Mba((#
ziGAgh{MD-ZXv3kb;mh*w>t6(UcV}UWRp0X1W=}lP5{r7S^*l#f5-!Dcz<RzF$SE-n
z2Ia0K1>c(NhXl-+)y>uGQRx{zqN`Gj)wcsT$f{;Cg6?vbfBF!GH@N90u4*nflFj7b
z+0uGri|tKB`bQAeD>*UflC@c8BCr;mmDwFg`LA{1PLw+x3`)8d4Z8Il@<1#=Ytuvw
z8^R=p$Mwak@~zp=35CxLxMlAlq60vECIVPhNCV2`oE1w3EVB0}Li-cc#emrjz4kPZ
z@@wa#ot_#^=G<?+ZWSV>M>a;f0|<`S10d&lMtA=*Ac7&#2t{_@ai8S@$pvkz#_2Z~
z_ib1Q@1b!^+L3EUpR8ISZ~k!3Ej%?tb5uSaLZe9KxFrtSK_?^Zy&dL$!_6B%q0V``
z=n!>})_&(UUz?o~_K{+VW4VpN_rA~8JU0~|sXYd#N^V2+lALxM1yWvlp)*9-i@hW#
zS37*+nBmRFdRo4*w8WOO2eP*Ey;rZ;P$Yx}lutZ2=7p|E^UBzr?&hhuZ?#nu+#>D!
z_W?hx;nTR$aB|$OT>NrRF{bP3-CYcfy&vP8HfE=!GHacR#&}uO>M;|L;*bFQMMMWu
zy@dmJLVSY;dE*aYMyE5dwVAond0b}Qh#_-RQ{MeegQL{`!zgajA@Rmd`KO2p1P%WU
zkNz*MDR$qQp1p4i`P#1a)MdEOFIa$kS_ytPIx_1ALqTAlJXX0qt#tLn6Z-I(`>eqv
z<%*BkH>AdOyU1rzIqpq5p_s*KK*Cx>$B2DpsjwmL=1v^TZAEah-I?|FIw>R^5wPSu
zVw2;{K>2X{rO^|*pyTjSo-v|*^uUvEEZOyZdd?=ekd;Y+4z_7GA<bLDyp6E$-;a}G
zt-OwGra(ngs?Bql6sJqXJU#W~HWs_tb8md|g+p7>HDVe*X0w%KIUaDISkNw7S6hXw
zHqX_n=;}64-dNEvgj?+Q&vPWf#?7E1E^G9kH`j@CmJql&2pxmRbF+g^yH8F^KVE)*
z6gA4voFK|+mb`wV^1JUYlw2u9EG1uHSu2@y5JDf>f06=nMcyxuj%Qb-;t#Y2`o9CP
z$2dxh@X57Y>s;+r)4iquI&4TO^AQwKJYcZ3nH0rr+h%VF508)IjwJejJv94xQMJ7m
zwU)^F-LUIkPt&*c>AeRQi7wwJnIzb^Kr3+>5MseSC5y7Sht_CUJ?&ax?v6_D9<N{l
z|0PwTP>kW?etcr#GffnC`lD?5mo|y7cW!g<d<X7A!76uYlVD#5QPPyBNQTRG+cpEL
zrUM0Dc1AcwW=JjKMOmz%!Zomoh&K1JwtHUgMhN?tVmkAyo9gqb*Y|1Dlv>WuMd6fq
z-sc;#6ogJok++W0B2AZkHzY|TxIvOKM9|at**n8)e&G4;TJV}o(M1z!$`Bq+Vd+>h
zn4>amf{f1dMnYC^MtO^>S)Si4D{qwg`y^<gZ-+uG_`;>NWlsy=M2s+m$E)09>X^?z
z2~!VYRZ9nIB$W-hU0ui?-x7{oDh~OqbJuyZTBR<}*7A9jfgw^^6&$wImLxQPE}yjA
zUUKXm{rWhw?&`X9SA?~Hph9wV@V({Xc6$}V;g5-5_mIh}RQ#Hz(;QBRJ0?-l^YKVK
zz+w8pS6BpnDr@=JfAEezv~B5OrUE8)L39GFaZAXuBtpo0i|C}JE-f{drZ3Z+Wu+d5
zGk`XI2J`sycD!;2mwxqCW&?Qm=W_miBq?&;_u=^)FbJK~=5mu2guIHgOyqF+zB|j_
zvr&2;^9_N!=ab=;s;s(UimCT_eH#rgk2|04(b`(*_UX#yjbAk*<3(Klcw88VU=t;@
zYYI}2CHb?AJNMIKf|@H95vc+NuxlN8%PMa#N2>OKl9lrc3^u-yCu|uFx>~evA)V@U
z-g^etTYJy(tKogPs|X+N=tu9%uhxH@Xk_d?eRA!!JiR(~KXLMalboz)B#Q0Gy-AiC
zVC`qLK8~{ENyC#)-=aRF*0}3L@b2lZcve4Q710VI0y}hvyb3(Vex3Z_yk;r3YBq;d
z7YlJM{4RyE`N)>#TYmKhMYP}FYbLdtzs_2AN#4e>;-I>A-xBt-o!e-g+`n##J4Ns9
zZvEvRdmyIfB_HYaXkZRG6oM5dbjwg@q_#fywqvTcA)~>YuQOG3>3ngrzoFbT%Ti-q
z%j4Dn&->hYA{Gm6Taz7R=$bM0;n?%8DSDXRl)_5l>G=8S*!!uu{l58GNr*$IVKc=3
zRMe{J)6>dHeD<>3d~*hS;xXGH;~Z$gc_sNFh*|FWfvEJE?ArUYD{n*lvKC~x7`bqg
zdq$LCTp^5i3%iq*=G*fQ5CSW(t)S(Q`f!*?!$9wH!ZYZ->~-{Ph1V8N^*!SG9(lKE
z)x=ONK9e3_B*6PT_iQP2xucF&T$QYCP*T}Cxa|yFa*mhkMDUK}LM~>^!2rcs`#D2^
z=cD2E+2G3dQwGKzdkkR|ptj6I$05h1x;T&9NzWj*-v%Y~BTwVH4{esCcXJZ8egBa>
z;$NmnhK~KxD|0y9r0dqGVR}A&ylK2N!3Hy4O8*0#e|b7r?FUtJw>>zMCu1JfkR-Gs
zfPv^uja}^cLA{aYUjNN;7(cZLsn|mCQ=^QuFRyO8bM>>WhgMJ)meky(VB0?|ZUuNW
zS$1dCuPGRx-<%4K8Z<UIz8D3X(NBWbPd?<r%OU7RTZ`74@1L;D)Y)p^$!xAY`Fq&v
z2E`~euU@1+xmOM5*kYb;Pu{_VoL@1Qhe6ch%VPZt&85RNWP#drM*BzfMj9(FEIHxm
z7tVSTICOQFr{`x{7{gLf8S1pRWYC{+M659npIzXAL26SUV`*+#IFfSbL?5QP6ymO%
zziq-B0yu}h-{~#7EoN}Kjm{5+df+MBosH9D{bVaEaQ24BgH-DkrRPH*K(#8y+UrZ)
zJY#P6<%CV7uk)0Z8)Kb@qR9jpx98c;k-55ttRX9kU%d+&kmIEu@no&qYId9mi`z!M
zEt8zHpYB-}`)?vW3ajK9|DYt~VO*r4j^qs23$ix)j|2|>A+)Eiy_AOgp~`+VrU&u9
z6%68Wj-|c#h<I#FCk&ivnqZ-)9xmgfEiu1ZugAajFQXoxdsApebp38a*~Z{@?RIF+
zX%D%1|IB*D=)v@GGP~^4CWh&AjyaLj@~=dv<`XaDjqimsR{j|@)0^1iL{>{y)<Dhs
zY;W#~#9Zz)r`qQ!zN|V6bNlWk%LZd(jeK$G)3WNP3s-)NltG~}Uj~+`PoI51DRo&0
zJ+pYi{bUIYywlZPdtxNBzx$iS5Yr*LxM@(2)@pIw>?RQonF|9np)k*BCqa5T*w#WJ
z5r2-17FDb87dIEuJjMv*Yz767C!xBy7|{0d$C=VRK!evUZPXAaXSL@wr3Jd%DaG07
z0cKNzxX@aEg*$;p(4^r}0*HU;w(uC+A*Xd%o1Amzy-vFs-j9}2^#zS{kz5+<5l(j{
z>7s=;54whtI1@SmQSP>TbK4ggOTEi6P{%mG5j$y|j3kQI77;8bBqHZgPP|8?iqrh{
z7~G$&?aKxb{@~H?d6thMNu~U0kH|k+H_hGZAimp6$N?s$6{g&BfD{D}sU@##isJO4
zJ#rpmYKFN!`%`3Yy~fD;&`H_2&OLo+DR*hwoB5se1x9nB@TwIr;6nd;S_IPODRW^u
zbX4VnD7Q*!Y5ANp7k|9OV`F_2qMWhbV+1tn?96>+(%cG}f8n8``qTO0&B7jFnR3!R
z%0JbngYo~*gTJ$QNJA5SJGy$%v1F%JY3nu0p!GJut5w=VT<a5^G0^B5+Tsy5y3`Dc
zH>Z(T%Q`feLYaOO9}Z<vZ{ak^*(8Vs)=wTgr2O)%4-=*D<^i065t?Uy;Z94l)8pwa
zY-yI}5{MzoTGzFfeaG(07RHuS(`v=_ZNR$qxDWRpE^e*Iv6Y?$4-AD@;?$w@zn!O$
z9R0txL4eSZv=ZgCCm=W@!f}4KRMH{XASkPrXKVgc1ET%w5e}WnQw@C2l_4STQv#zq
ztpvb2096D{$A3`4!hMg~^k{{`!7ws>09u!7WKmcwPuL+d92;#t?)@_SkrpDA`9{an
zrBVtu4x*OZ>q_s|7EReHpgiY66=Iz8G2U_PXK8jWUPZ+@Ls}fTA<Wrsw<5N)<bW|s
zODs<;{Ty4~9mPBmpIpNK(XWBfM}W)*n-#%<;l903gu#2mMl4re?%nk>#hvXT+vg36
zB+eqlG-gR@&YJsY1a?dZzdVt({7oe<IINv4_3bCzs`-k{EoCIy#JS1>J$YlK27Nfj
zCx$s0{4h3Z3@m#s>VQ+jT&5a@4a@PR!X%ur2{kjRrTW!+yixcaZa9D`32@X<VyPlS
zZCs?*&$n+G8Ya`&%pKG$ot-Dfsjz@t@l}FNi~_rpbC2qhjmOk9$o~<%fB)<dLT>=M
ztPwc$7c*c>Biw3DKWyi(%-_DR#k3Iuo4q&k%qa`u_vEh4Oz$hduf}ui5=o!1`k)?B
zJDE7hl~**v3y04=RqffnKK~B1nUqHohYt7<i@&CcZEaHWh3Jb~n^qeEz7)zH@cN-^
zT9R`fs0%V%ALj!%^@7-~q?C7yBBRXaMMywHwyu2yGooihGOXgiy<Y!r>q;X^gT_>H
zZowPQ&#l(t=I$#NC+K#|sc4&dI}V11XZJcEU^&{%`az^e17<yGcR6_+B-Bshe8Azl
zmj0wY*3E6<a*aUW(Tc1qda98c97aZgyt1=4=)y8UnD=dq@f(c-;mfN7MxtxM1k=13
zbGCc)+-!$yAl<3(Ww8N@9$M=L3RFeV*C$UyH1M|0NQdr{_=g&d^CWg<QRqKSb;*SG
zkj)#N@sk=VTZfYp`ZhBaNUBwn*QjGFhILk9p_fQ%Tk-z32(E49RJ*~%WG1Z~fk<iZ
zn#U3VKFzTGZjTrcM_uBN+&i-=t;&st4A5^O1Q`^8?eY%Iz{0Rv@k`Ncl0u2J6PlUS
zJv7idOs}8Wm1s7)+taXkeqiyl>h7suXoKIzLC&T4{1*0an*yO(Zhddx=R|aO8~@^N
zVvYOi!9R)oj=tijI4oFX<%yCE_c#Z?^-8PG<r@lg+=;o<KQo&lI@PijE0m`@`4_Xi
zq;H@YqdJ=Kg>@x^TPzUqh2@@&FVEgS35ss$PQ1}rYb_Gh9Bq%*V@CXwBM@hK^roQU
zcA2)vlS!-9{8@>)+hB9F^E$Zyi-g<4eyy)fPKI)6Lt`CzYknHDk9!yu1ER+Qf9QVm
zHI-m@E2`q_mm0Hf=CxJp7pgNl<v5jTjNCHg#pjs?&Sx*DRRblyZ}4Y^n|ADTGv-fW
zpAY`<emu0ITW(C5a_QL<w>dt6`uX~?`ZeF?o0Qzc_>b~~DypR|b(UVz>I_iV@8uHB
z8!p~MIMxoz?bXPxQ566jU{z5FW5eqUlUsALKiDh=laCrqjt1&DKb&4?Yl5YkP)CLN
z+o$AEUUG?FW9gCrN)NL4pBvI%b=gy_oKt$EZstfN%kj=cj#s2WR-cV>NFY`d7g(rO
zAI&xv#m8DJ;<1mb$Ybvu88SbSC+^JczM|{wJ<k*U+i{i<o5^~3qR++STN#%nXe}NE
z<Zj1xH{N4&wmj!xDy45I5Pv)my^oFgby|>@i_lqRDV8?(M70Qd9>ikvqJKIbVSA9*
ztO5jGwxCg@GjHECwYdjV&76~9LfY{eiYJ_(>2vY_%dQnil$Fj0M=fK~TLWmD{)a!V
zlHbhsAGzma2w8}$MpO&o`|UjaH+r8KyezUK@*@5Aw*32AB_iZn;wtT!*#E%J%y5X^
zA}+f??|)oNd~pD>Xi?n#jp6@nQAga%_6n8@*8e9d{^On<EGUpI4S^-XM8B<ufA!#B
zu5n?3m|)}rGXwv}HTAbI1{oU&bNri{e)obL#GkV<I6A@fKdym4LA*OS<!GLetqT7l
zHOMzt1|b$e9vnB^-$wuc=upU?pK)Lfh??Ray}XYo6^kYpTnGQhqrQSB^m|#IU<kxG
z=S)*WGp*;IZVvc$hW*v#pFdLfUo<)+v(njvKJ&?Lw)XMDs=qqrRu$&)@|?Z7kR1^r
ze&$hZaOb}teI%sAFNErpn0v9jC;G<X&X|%ntAVAJwd!|D{pat$JkcsFPqNFJuSCIo
z&2k&z53Tz3C3(BqQqT4pHjv{`clI|U*iRi0^-WsZexv!XQ9DCxh&UeGB-mWPdJyP|
zyIBSEr<Gm(K)oH$)TuD`d=!Ix8e*75pnRIxb)e50;kPt4A^6urHhl20Qh$y1^Y~Z`
z?oB@|y)ut&RZr52@(=}g#gvc`duwMKjb|yynd6kNku|Q(^l+45FCP|K2iK?e>G2NB
zvSg~dw6yE*qWRy^=r}_;+1AY(xu-h6?bQJV@DkiIa0X~i^I2E}xiYHb!ocP-&t&Y>
z>>NUk+v@j^wU%XSfC=;Yr`f#49goe-!=FkX)EkJx8LmUoFi=q<9lg?6@(ZLt-eCN#
zb^Hy%N-YR6WDOc5mP|;E&Ibfjm7A5R3|(2dFP^z+9%{a8*U(KXQfV+4-*fQmII9d-
zR4pr4ubQb93Zc?w`$#j>lSo6N<83f_!SVB+Bb;a>MOq3t>N2<Csw}j877*+C3s^O>
z{H|>5=uP&n9*#UW^cEFL7}XQbQ{N@%_e$3P4P>I<*OB!&e(>1-=FVnoFS>UJFzM6j
z<M5VEkCo4vj^L1E_O!|DU}LEOA&1NJ0<94Xv=3QERh`+aWMg>UX4+=0YFym>uTK<)
zbaaL#8}_05(A%IVG4&bMAtXcE_Xw(h1o~VN0j$d=?T=*344e_I=_7N7t)`2aptNz8
zeBZpuAYhID?}^iodC4M+TP@8^pqqHc0l_wk3m4Rr^HC@N<1*ZfL+}4mO8p(wVB>?`
zg^R13tMzFQ<8WTjKf3ufZHjPY#}ce2_1e<dbLLtk;|+Z=2MIsIB1iwxqf7%KH_z9r
z{s2lPvNT?nTC#!X2*lr$WVE$To#nEZP;j;!Qd>_~14AdRKnFEFkuA{C#~?$EiT$Be
z3PWx@m3e-ydPXWN)#B1Q<TQ%=^Zp7nsdRxpr}}!pe9`=pEBK>Y=xgxRR_Y};;9ljB
zt+`rR;{v+~8S0w2Bk72DMd8J``+tw%V*4T%Ib!PT$)6q}4u+xBjm52|My9g@Id^?2
zHOj$8brk+@GWon0jqOspx|#_#u~ilKF!kO#poF2&$I2SLW^>GY56T$*I*aWBu`BRX
zib`?G)x=Rg0TIERA)}#pbDdF!kxW;AmE#?ad;59clF33rlFa^f`4yjfqqsq_cKUph
zR%e^;$n3E@3|ca&7#}Q^S_<kv|3;>lc_#z(c-W3OilFk?>Tcs>6NoV^%&2x)(iT!;
z*(RN9btk|9qzy{FGW|8C0kBB$aPrdIj;K!v6#<8YBG9)j6j0gr08D*5NM4g?frBpM
z;_OSL9(J7Ooxa&#D;0mpdbeqGNe2|%DAF-zq~F(5=%EMp{5O4M!uSNJXZ8r49)4xq
zK;Nh)IVF$uNX$CI{)i?*dfJt-C;lT^eNBI7z-~)gl|0Qn?TS4B6TE#sZOL}<J)eTd
z?q)B$B#(Efc*To^OMrE3i16Pz`6ne9!#f0f(TzVeVi>2^OebeE+BP!q4m&@Oc-7hm
z)7n*iUp@wkB@)ru9i`gqQUaag2RFJ@!HcqF96^@O<oPDv2T~ydR6r|xTO7_%z&2U-
zcXc$b5aBjSsw}$Hw37kePz^31C{9&~uil{#6rx!CkV@_sE0{&;N^x%UzbI@1UA@5t
z4SBHF$Ks<U(FOu}T4o#9z@~p~PuP#}i-z)hudTB;?$1V2QsxV?<c0vi3@2x6WgQ6b
zD#IhigSTvUZ?9OTR>$~xV|;E;U4VP5!Bj#g3s|V1C)gP|!caPG^2@cxJPj}H%sI9`
z-)qTI#jtF=5<#QXK+zJ8)zrPY(ToNF2UKd^w2*v~d7Ep~OPw*LI!sqRZu&+l15SIh
ztviqBzqsxd6ax9l=e3aQv80Ytl_3FQjn7%u3MwP1XYH|a5)agvf}FY<anppH_xA-?
z_X2%Oko}*?&4wBw4u_w(w>%Qgf7x-)wKWthI-Jd!_Lm9SHO7_=$_-`l9nOm#MxX06
zA6i(Inul9`9j|QdMmGnuhjPb0Isr$^xhU=hG;u(+`=c5%?`hAX)>hBXx@75GHOo}%
z3~eW#iWl9vs_jA&Uj@)VK-{eV#nCvZE=;FAy|0{W_lA|X>*!6LwLaUp>NArh?9I>k
z3C*V|W?Ua1T=Xyuk5EL5%Z{;R7JAl{MX1ny=ejy3x-O+$raanlba(G>o2MR3rPP<v
z$a;9nGv$P%Ya{IkaZStTQb-Nm%UBX-xulkAy*1@4ji<M`vtzoyUt*^#%q;IoiL_Q~
zX&{lqp;7oxxcG}43qddRyhMXV-bR@5W04<p;sQ&em-un@@UkvEe=ODneeUYK%_C{2
zMXT~Kg00!aq4XOCH{O(@dMboR$$f9uh?a92$vP=82=+lU^NH>8rlzk0=S&*>FtC)j
z@`e5i&wq7HrtgdB;3LLD%XAmN8jFgm^Poxsg3KDfB!qH1v6YxN{%otKvKlm$;K@0`
z$&yAqYhoQ~f>x&#h0IC*tAicUTx=i`sj8_Wj&b>&g&e#XP|DJ+`kQSSMv@E)Z{lg_
zxbc5Uz>Y<Th4sg0EX~{on>7-?te6aw|N0DMD;KrTt~+e|XeSH(|F}wQ^Z&JX<^NEw
zf4>|pjzWYe6ozCgI@Sr5>`@NG7)vx0V_%1?X_Gx>kUjf0V;N&+GPa5=6JjhGOQAWA
zEjw9;XM8)~*XxAW^A9}FZ})5Nd+zIVU)SgQT<`1sSuO|z)DZw$!3W&5=4J%OoB6!q
zliDXSBWV}#$j=jE_wBzh`CmBltLZNKG)+o<djJ;xKhfa8AkVAhdUbi&_S2p%a4XBc
z)q|nA4A^?35$TP%a#V_L{bj?d=<<t;u^zMVgHWsT@gaSnN0+FXjD<>4MGq4*JFg*i
zCDDf;qg-vsbHLD@pPy&`E|rnn4VN_0Pi%X@(?>Q@fUPHFKYfL&a=I;bhes<hVy_x9
zhL9*3O2QDj+ESda)ZZC}DjfosL-m#QVLbQR<j^Qa;`YCW`JYR7MJ8V^qn^I(tu%va
z#HDnsx0V&;DHj!flH;G9;J+4l#^qn4?)D4Nj*YojCrgm3k8{o(pj@nC^9D`GBeC&Q
z2gvxSL4ajwz;?!R_O|O=ip_|R5}i25PqCV{%T_VjF6I7sB;DWuD<Ku%@IG9ep5aqP
zbLTjbo1E*ZO#bGzcz=<|6hTlQ$adnb%jpcvDy!j><i=jV3inm%`@Z^@q)MD**+M~Y
zCa54F&xi}G%*a33E7R9x4!<)Cn(s90d&?t@GOI+4uHQ@u%-WHE7LkBZl$H)Fk3F@q
z3yaIlmCJ0|q_nDsW75<5XRrhOAKJf1K1F)>jm$X@YAFk01q9B0Zl<K<P4L)cQ>_{Y
z2B=uae5a7@8aIq}n;iA~8@Jl#KI8-Tr2iy=?fJ^mT`?L{<IG>moW?AU2C$rrKW=fm
zBxs<LYF3%BHW<r@^TkfJMVKzZop4mnOU8+1C>JlECN`sv8S=t9hYl`R%mLWOEsa?q
z8rPkEihM%9sS3wqB*|P!!FG{}x!n4e+TF!~h_m6h;@m|Q25RW#BwL$00gKw+hgYw|
zmF}_a?HY!Tyo%iIcdmB(2tdh<>)^mhmJcM=;+@EKThD9ln#s4){JGk-+PAkR8>)+N
z+=~wfhpFY5XrE~uWOb$HRAYQ#);*_$cvw%-l0Lxz4iQVO^n6puzmbI=48IB}JdGk4
zOPN~_N+`l?y$}PqQcrGC9_~sB5?T>GeUhvKYa;uS5TyVE51l-Dyx3v;TR!Lna$+ap
zX7Y&0{EN+o-MEUq({t&RA8r`2VSIFGPFGLg)W4Rrej?dThvNALpbNd-9e?Cw!IS$=
zg{)4J++>{-5=mw=v2(t&?T$@-W@fYObH2`%@dQs;6TU<yBiGr>rFX;yZGJacKiGK0
zH`NqU0-7NW3v8CZapXr~N-?b|PzsjQ^f65DlKtG5nu_!lJ*Bmbhk+MtaOsZ9-rn~y
z#nm9`%mn8rew?r7S%1OHyEAJ(?Km)n#sK(c$1*?{+)w58e{ZqNy)QX{gL#1iHXm4#
zBOF)zWyAX7zAhjek?GNYY*Gps(Kz-M>dpx><NfsVn*4&r`njM=SCUJ+Vdsdx&VZ$a
z#kLZsffzRjuV#Gq3xZ7&fbq#`^esGpZ^<^XFkAE>nAjQB@FY_F?M|5HVcw%Di&whm
z@~WWXOO5<(It{I4{trpiWq<HsP$l3jvQA3-qbKKGx#XxOefYP&UKLKIz)8b$O|Xqw
z9SU~MtC&~H@q<bHSs8EaNGXJNK5a-N3cAnwG*CGF%ojB4)KnIQ;^T>*-T*5%;KOZh
z2$6|GU9YI-b0ml#)H5-uNtZNm!ar=9C(a?huK-Ny#pWYulTIXB#ra_<WZQVe@mOa5
zgok!n#LcxcIgKp)RO0KcQ+`SdqR1*-U`P-9>Tl)F70$hL1Sv>QVtuSk+H!AhaE-Vp
zKdJIA!xgKw>h#CDT9=`Qp2O9t)d{zP@W`|4Iuc?Dr^02Xd$~*cWvg<v*&G0=fqn!h
z7(wms3yf~|cpVJ~sN^sg&+Yg@qkCRIMnUpDda<7r0ZNC4oiegK(c-9`G8aNrQOUc8
zXqjMLMFdcwi*|W-U2PT$CiOMtH)nB_*@77p63rP?IuKig?oAPxO%Vw#pkQUgWb!o;
z5?P&C%}JdL67c2>X=VR*xNkZ}?|N}KS%ey{t-5Sp4JD;IAp*Ow?JK4%7cEM2F)7!G
z8k~`$aVR8SvF*>E@4$(w>M6E?AG_5k_ACnx^1}0%$8>=W;v9No`8k~#%+dKYDW`;T
zTDe;Ug|TH5M|fK!*|~VHZs2|0FWN{=Qx%BNUhGz;j;M0dkI}3_7f7wL`_U5YW?1to
z!pU?{pbSEwR3MT1(uX6W;Eq-DgX&~zHD0Ln@8&_ZvRfT+tH*GMf=uVn?>|dhIU@Y-
z;!J6hWd4E?XE21Ec3Fev^ZI@{{S=r5LBNM&wnuHDJNNu$A9L%Vdggp)D;EVE)}tZM
ze}LKq!q3%VJZHx~ZhH$#m*_h2bv%;-ZD#}2lrhbdIzSJ7)V)->JJ(iM*=O&pTr8<l
z87>!X=8nTnQPq{OL9`gOQO{q5psFJM*Q?YGK9ei8^^FIBqIpqfYn<Ph<~U4FvFo<}
z8wcMiS26P(zc+Wop#s4}NuRn*tUJeP@o$ZWA45$#FJ1%3CM}>68OOamxmyZ#Ik$gf
zcz(WT7XT2Elw+*Lo7bl^yB5yh`&eXW;2?JY51HbO3O(iBoW(t+@2l?dmh{Qt8)k#c
zT7&&Vm@S{Y>cupwm*h+3XHnBr!YB7xAI1w9@O!wCE1chIR*C{|DVlmLeP@HyP$en)
z7}taEzeQsAtWvve)~GT0TI0tHEqJL@gyAZK3#tUSxM_|x(KK&B%MWpocz@hMZG|=q
zyUQ*#st&l|o^ZF_P?>Qx2`pkG`|vzw)GXceDGZGys)v%K2X*lzovizDK7h@Z-BLOG
zl$9tFx)~|%>-@^@06}*-NJfhCd(-UL1MUL(7yw!PrV%6gabI6b{l>TlBkC=m+TUmY
zPEXwX&;KWq|2HD}{N|_hnYGRF+quSx{IR3|L}L6ps6Yr4yI97uXi6>s#o&a=xv;O<
z<H7az7(_pH*p=gsafHZTd$l`yp%Vu8M#sV-DMWLuHRkgNy{3p~p?<=@XY@^Z&t`)N
z<4gJ_ijZy-jyoAkLdSy``Imc?sRqHs%55}6h31);`wpH3UHVp5?vs`Kl5Am%;craH
zq3CZS0`0h114>aMO#79B;j`cleHJe6YHBRaJsURcLWa7o-kk1}a8oEwY|o#iY<K+`
zor&1bPBZ)&Rm`r8vcuAX06j$(9)J)+VS>{z-qh9MVQ1<}Z+Wgb-;QMrlFf~NMlyNA
z6ZZG9y`pP;^*Ao235-)@gy*5bY5}zu^mBUgk^bXtE%^Qt+hil-LSp=++9?_Tznhb|
zo79(Z2^~;OHcSWp2Bw?W4eIk?6Ovwg!-?9Dj->?t<GQ**3_(`uJ^bryLQ_nK%#3Vi
zJ%jIj2*{Kj9k8@|$Wg*JXJe7wvHGE!K1z?FFVIWrqr+zdDnTsSEeRbbge{>GyU<E#
zMCWvyxgqH&eap5Vf9cKnhL4xD4<cG*BO6xog}q{YZq*rfyJlPg5UX1IbN*B%p^tbp
z5@a)YE&;$kP`SRzm3ImsD2qcXhD<sNHswMit`I;{#dE~kWbwA8j2omxLbbLK+}}S+
ztR5HISQu$iJ(QR2V8nlv@AXsnUQYmxbj3zD6-|+EgpFU7J@e-R4!&@={b$vpUoFko
z3Km8WOBfD-n{Pc5anY^`33POEF*?T_9;$Q2<)tz>>>G5n3y!d=eU(V-^9bs#tb8Lg
zDhm6u%04sr@HR*!AA^GF#_NK~Mxv0@fNgYweqx-nN2v=+mLGF=u#M&k>XysEN*Vj7
z$D|io<_uS$&<@4eca!+RMCsGcw<g;`6vH087LSriPX?=@#Dc@sRFKnEOmBh%s)I^(
z1k>9s^kJ4m@RG>LERXS*Ex%5xpMJB`OsuDju-G%Y&oj`fYTt$QFB6a3-EeM=`zZf#
zhDQR<!XEj%%*eOjWg<?a5f5E$I%V>1<i0mfXUx8KJOPDWS@8*|2Ui6X?qAa%Ox!9v
zCnz*Hk+YO+HMs_8b9NheFz_rc1_sD=hVy;0QJ;g<W>ySiZc92|Tr9V9Nya;4FrO{1
zxYY-%;)|)9uUAz#&2X=E>g+(XOG(#M(Q7lLbQeh3w_ZXF&GbQzak)*MpsofVIRE3!
zX_f;_H1K#R!^^NBha!f_B%)3A`W&j3DKTinu|~d3SCkyMGYajcZ4da+($F{+UH$a;
zaQXWHK&gXnC&VRb$hBw2Ec`U~Y=y7eh>ivrIZrtbx^(~6QE>^(#DKaAHs^g^FC()K
z=F=WL0wy@B<=`!^>VoV0u{LXLGuYuuMF<2>vZyj$5ArBM29sd*fg57vB-B<D6c*Ht
zHx0iuy;!gan@bHMIeh-G@tj_6RkgC1*OBUVC9TiwXQ`)OK^IZ}unkr&OMIxJG%*n)
zdXvKl)b{rJbfV^O?20TR-y<7C1cg63swTBV3?temTi^Uq<(%I?OJ$@|t^CO+P4FlJ
zT(0iUE8ozuvSJ){+D!0NgGfJ1TX=BO8au+ELvut<<?%|n2SRDa9gd!_QsX)kglITK
zKo!&l{Ms8A=m0BUF1lo`UO$MBP6%`$n0&N?XCB{&3>myfv_{C#nemue>z-0q^%>K3
z&kS}q==BPc%dNGO!o9ZD=WH#CyYY#eC%`Z3x!lxU%g(bR;U}9TZF7@P+^qj{5^VpY
z{-p4oB9jXBU_yyNK--jCPe=LVx1o^C6Wi=`_h#I8r=}!k`s#`~NQS}H*1|)!%I|Z7
zGoN}mDaReNsYAv8J+^J;*zRHLc;}kXL5jf{8X!Bk5Voza40LH()4rl!TWu;mDnXuT
z9vPi9@c3rVW;%QWdUq^5l3$vIy$aL`0)f!QFeUpH(6^<=(PE727kXNYa4tHSY}^>T
z^vw8jb6nSp9yU`sfJq6AobSKND_yH>nqFdoX9VhmDO;UiOn;K51(`L0!i6)d-nKQ;
zG3PQfCntuAdyDBflI@`6krHxI=~<>(A;Ezn{@6cqP39?bwL<TYD(?jl472m~?QsJ$
zRo4Mav;4Ei3hY;hQ`?gP!@tu=>Fq`OUPEpz15LDdPmzUOi>lpjgM=LUO%LB|Qb^?l
z4G~^ZYO#{j?1SODj6TsqoJ-Js5%b45=!;58`_c@AM2K`#b|jC;sIb~J@l#gbwX-GM
zl8KV|+Pah$Zt1(1P<s4x)r|=;=UPgSgyEX2@LQSA7U1lU&oq;25Yr1PsuptI)+Ai|
z6h5d7roqh{56v@9Jmcf%XE))s5uMDE$$Wsqd^fmvfw3+}ra3^yA{rk>JJP5fP%%W$
zq>kTup!+$^gj?YBMuGVa862fUHb7vot5m^s<#wHQFR0%TB2&6Nv$P%OquBp=MMo>#
zC;Uu+c7f+#m*Vm$-3ssEipE#ITyK$fPD!szFX|9sIoq31j46y+BJ1nhW2q0DT?~aQ
z@&Io|AQuNop495%i5$(B{v;>E0<=q9km`5_Br7d#AQWwf%B2Cr@RAoEc)6ImtX4Hu
z&b7!F%M0@UtOWI|DFq7dnjH^cD`t<$d-S7+0Uciwk2H&i^UCP`05!3n8uHb}fGTaK
ze8}XS5>e#6$*u$>$gQ#;PAw?gv`xOPC3tUW9piRu2EIa;-&|@MXb@&lMD%4-s?IkF
z8bvXo)iLrxFC`{DzYt?m&C#ZidUBICSVaBEtd0AAS^?8>P7uy&51u5x=s~`qB=&|A
z@_Lmy{bgp2gI4^lfF8E3K?N6+f0g;C`5)(Uk9@w(a0L-Mew=B1naD^3WEQWWe4vr0
z(yaPsH9)*RU<V+|os%E{!4Yp-u*+ygF|+XM2|J<6`J10bWtqnTSLNP6J<nM+Y$@8q
z-ON6t={<Gd^Kfn+&{|4nI<uolva69S)+{)&AeUuLk8p}<es>T-6RUqOYfN`*KEw~<
zT7b<iJRONI23&I09fixJ^zcisuNAhwbykhKDj^75{$$lilo>*)ff0_u(oKwG)zFz7
zj$-8X^&ae#C`N2<Nu<&NN+%e@aCsq#sWLB?aR#&*V>a-LymaFYG7d+JM&`Xh%&#x6
zq(0}6rh`W+K6&kXK|_i7S2E(AYc;#p80>dZ#c_YkcwO=d<voy*(XIO08Uah3`+wgx
zOCOH6ToyJ@_Y)m!J;QH!&@&A$H8}2Y7(EC6tS$O0<T%81D)cFhg^c)-bAXZ9EfhMn
zvJpO}BA5w!WiWB>AV^x{$h5QSwzFz~*g@s#GOV_*h2~ktfBeY-tp6b<!-i;s;2ru}
zZOBGJ$cB-MOMvBSCL<zzdS~5cdu?YtWc&O3wYfhhQQ(lj4f-f79OnE?O?GdWd7YiP
zYp*6n#q8M``yrS`(*oDSLVkqptYz-3XYP<+dj*B`Z3%6Yc76!$Y=>;v>=1Sq)VCCO
zW;@q!z$-JS^3c59XtyVw!EH+x^#!==FFQB|*0enmBNhV^twX$LCg|7GgMmCpePWy1
zRdjpQC0Q5BkPTsq5YR{ayqyb&>N@HVY5lCs`QL>BXwSrQ487#-)%RrByaufqKk<H?
zi1|S|8x_mQ-L|Y80B-b$(EIDR$JMvTLpG8^){}P7!md8uOG3Qr+W~aqIP!6D#6~N7
zhx`*GqtvYh&sO3O;QC~<BK;y+;}IWiMTy;7flsXSnu~=c_C)i4+x^!j1t<`j^*ZkF
zcTmg4q1f@IZ}#Uxh6`8)GBUPKjA;w2sTl<$j=?N8od0g7r}<s;2$U^BD*1^S6;6vw
zL>Z_ex`bn5W09G`fs|P6iKWKo*3Q=Z>T6$Dta)Aa>Pw~I2edd8{fL#V{~3IeA*<55
z^23>le!A#0u1?-a(bjP#S8Bnuupn^f^41PtjeI}rGTD!DQ0gJwTZWpYH|{<DA8MLs
AZvX%Q

literal 0
HcmV?d00001

diff --git a/docs/spaces/images/edit-space.png b/docs/spaces/images/edit-space.png
new file mode 100644
index 0000000000000000000000000000000000000000..dae7d01f665c0556859856c5ee1cb32354a31a31
GIT binary patch
literal 150439
zcmb@sV|Zp=vo6}PZQEwY))PFj&5o@OJ9eJfwrxA<SRLEyuw$KGYkg~<efImU{p<Xh
z*EPmfv&N`dHLLEr$B0k@N+ZGJ!+-hm1qmP{q4MPmq{5dk;1jUWe`gR&e762RsjbAt
zl>p-6q)N^X7FM?AU%tphB&WitsRD3DkCQ1WDVs!2P`xmUWK!{UAi>H5W8xsuWf24N
zOr&wJv=HdAt4=Dy3o2D4Y*!}8jcO6d>Bl?DqL7ju625d?YEFMWp3K~CcR8N^?D?8L
z`6Um33N5NpiR(*)<oATMS&^fmA~Wh!Hjw~qB`9l=%)u!v7zt_VFIu7Ny{R6pU&w80
z*C$Ng8$Wxo-H3%#5x$@!@g}EEOojSDe%Xj&NI3u#ISFxZ#QSbCCQ*iNDVrxUcEk?U
ztP6`)#UdnojEFK81%io0jPJ_KgDJ(InjE<-7!xL|jKz}YC_%QvHLz&*?TUUNephpU
za2=~yimO)bjY|AzO)IBh<IVbmrg1>dA}cze=Y;)j>GPTI!{g_40`iP8G=n-RTvYra
zqqjr)!l1c)h>vm-J|2`d#4Qq;;w8&|DY%u^Tihp%Ju^ZNN8gt(#kV}7yKzXQnX(-F
z5TPrn6!D;t4@>6&Qf6f|5-dQ;DB`d*f`oQFnz)lJl+OdJ=B-PRX_)VPFq!SxH9-N=
zfPnjk(qz>0K(NdheH_Vw#YiYhjIT1Ok!0*7RZP59=r$q5YWrZj(UDa`9Bzp45jAQ9
zMc4(}_rNyRVJ%zwREp(12;QJvel`;=6c7n!)oc*ft>le3Up>2%fzf2#C(udbPn_`5
z&<uR?ssdT-!O<u(==VfWltMfLGCR+H0oL7K#$MM6PY8Dw9QhXnNHFTSfeiSPAVgBz
z)9NdzK|!(~5R{}u*8%Tw=AIG-UDA-b^?6_3z#>qbrAMH~y`M=*)_SA0uoS)HsIR6{
zL1U1LWZ(9^+E^}Qr29&RtESsvE_nrF%lQNt*wSz%5Gg`Y?MmPfsDy{i!I>vX5j5an
z!<a}cs1``^mp+(~cj@wDuG1V7XGPl((EBh>Xx^klw+rB;ZTCfCqVd_2^v@nwcT<#_
z8HmGQMc$S8r~B@I2ns=4p#OO7-_XmyU)O#0SSuc^_!(=KRHg7hqx*SMYErq!$1at!
z{>X>bp(4$09P{Umhv2+(!?O<Qa}Gl{l4yk4sI*>A3qu1XZ3R#T))`5ZdNa1>Np46m
z*f>0PZ#KX)U`#S<JxV+}BRn~Umtjc$`9TU2=1_bXG*-ZwNq}8|`ab!kP4_O{7H!!W
zb76H3?y{hv+pxa5%Y5w7HQ4Dn(@vS`ix3So3=GJ(F{Bo9rw;2&(vkyrrMlziBFxU7
zdyQH`ZQX7I44Bf6e<bxRl$7IDLnt0E#Md39H&Iqxm;w<(8F1BIZ|onoWnR!}5ZHm_
zO5hrS%|;X}@a{hZjf8n1&qOhJkfwte@~}1_A9r<5p;<&pJYk?wA<4)%gJVy~N5Y{@
z!gwf%!&%UyB}mz1&=UfSD99xuCq=QzsATXO&{kvB$a=}8;}^!Lijdl)T*(E;2o5kJ
z^VQTaxFne7=E`93e}on~onUejO^G7R4xc!?3hG2$il5IeoM8Q-UJK}vcxC%RXNoup
z**Ge|ij5sYWonfMnHh#<dZ<OE5yUmX;!AYi=T#5lK`Y&t-yp78W)&bl-s61|=)&9%
zzv@4~ZhUg<!nhjjMYn{62qfx{>Z6vYEW)rrjf6c6)(_Sh;C;$Gqwb<Wk3cNInj`wq
zNDRjtS{+i^v)BXMqcb6>k6KYAk9P&QQ<A7)Mu?A7V8wICJ;VbO)&QGDD6-?SBeK)7
zWU@bH$&1B`or}9=X_D5GbLf!bevM(9u{dL<OXo-$h;9MwDGez+5@Bf1Fc~6IsA3aD
zwPmyw%k#4e1@gMoH8i-@AJlU47}X5&x(uH4ZY2+ahafei3Z`VqZ24rBR8<dEMdd4%
z?RiU1xeQ^Z^b~1bU}ZsezF>i`Qhp^*S)IBk{hd0!+L_v#x<Pq@I+GfNT4@D#SxP0b
zMt8|trIbdanrXSy;!(MJ8IgKt^-?WR(?bQMGNZwwzFp}DcyEUW460CQ1(nuonTCzv
z#W3?peJyM}(R(3(0lx5hwNfiD$R<{&=W7?V8#YQdD$0r5L~8^t$ydWy@9PjDMjQV$
z;%LBSzzxG~#m#L(YKCZfUYlsLX<BdIK0i5sI=^;{bVEMbSbQ#;SVUTyTGTJrt$kHO
zS#JE5nfF!PA!>`a+rU@B*TJ{Oul|GV-5a_rpjtG#-!_N{S`+C7DF#s-X*iSsaR&DR
zpDp?=hCO--H=Fg0t%TqeA0cKLH<#0|f6)Y*wK45H{ad;(H8iy`wMyb|Y9?xk5{;6Z
zl8_P@d6Ep}NrB1v$)z-|%=>hLOwiX{Qv*A{nLyiJW3oD}Z%+Mt-Nnh~1&8PpUK7U}
zd>Xcu;FZ>uFiV^^!smqNvgZWc5(Frj@|jcI)h%V!mDPPM0}mNQ*2fk!P3yMH+>xx~
zE=iVZhh^&zYOh~jeO|3!fiR)s!Q%Pi-Gh~LM}>*fwfMfqe>9~vM;S-6V;{3QvqpHa
z__+AGom$+E_%wO89rN3R+a^7%9KQ>W*dzK+rm%VFo!0E@r?zo-`Z>9HB)0u(yKl?v
zENyde?){yAiuPOi%xNxh2k(S;yYc5;VQQvk&N5l8aQE+Sj_yY<VG<jz6k+${6=o7u
zlGqvdTx7!%hsZ1LZDe5#;aJ1sZBu^^|C~?e&u?JdV0d7!;0929(6Zn*5ZjGiS}xk9
zfpvMad3$*&Mlm~2J2CwrF?sQM@e1)5F@5oGVL9*=!69MQ@SRiKW-hDh7d=jw`$w_-
z1VAJZ(l+h~&j7a=`Wz22k+A*S*$oOg6S-vky)tPeQ8V9}ag(|$@J~J55ZoLFJ+(lL
zQ)D`Z3t0*=Ka;z|MQ2-I8<x}Ke)WFw%@kY(Tp~sV`W6i|RSK26JfWb|<q!kF3ouX=
zYNp~Wc3X4s0q9R$0-ohu@U>gsR?}&yS^(QQ)g7#t7WWs_N}WoGfMi9KB^L_MlM#Dr
z&M&H~<(Vq4ZH$+EmvTA64oJ0OSA#73!g6;2208DX%fueOZs{EwTAV-d+5<5I%Xr3k
zx*S{Iq|7g;2`6PI`QoaRvJ-sOipa(>v$O3veUJWd*JroMY{c&;H*%LMqBE~1M;!ov
z+Knv)hh0>v*qkcPPy1}YMZTeMpj!~;lnbeH-kmY7Yfo4RGQiS3nR5$e@^^lZ{h1Zw
z!gmZkxhaH_p2}DIy=V1p_^uNtn0ci!u7TBM*C8Y}#5}~GNmg&MZN>2>a9CeB<U>ur
zNQIKFqkG8v=Th;L%I<uMIr9WJ<EzdjLyz8`mWsh`dy=l#^S9F6<xhb&0lV)L@U2+7
z8t9sl8e2Mtt=5X^UfQDC%V#&0=S!^1n6=L~znhv<$48SK^rf|F^q1>}One8S?~oY2
z`fSmzcs7#P?e$RyDNJy8Z%?jo^bGsUO=%2PQ|SuZVc2&z3c7mh7n_?uBk#q&5h;35
zUvynZjk2hB{&7#fcxljW>NHiH%xP4=R9E*#dZ;Orsx1B`_)2|cvq{p_n?KTH@d`E)
zkPx(!_h%={P}Q&7jrL9H&KNYvCCwOXTT#4>y-eoTc=mDzbx(u@K(dn_C9<>sV_zkB
z<Y?=W2v8k%s@`V+DghaV*gP9{%s%OE%C{CyOFJ`4xweHlZYE<IF{WFx5QIH$e8!$R
zaKM?fx=vi`PZO4l3sVJ|mkpgdRXl#(TmN>b>HXEx*1V|i(z`T!wz{^$-SS(a)A055
zTy%M6+i1JZnd8=Cz4}Sl!(Opx(<#j3_<6Icv-aw6o1m?C2W(gLM!Y%f5QIpq{$YRj
z8i3pyyPqwZtw}N})U!SO+v}O~@#pd7u%eaXL@u6irPt+KS2;~l>HTmK&L+z+3yfFP
zhtj9%0>inc^v9piJL~PCp3CKg<sb*y?X#ZE_vN(SjMu_flI{t=uh%_KL6>2IB!WT)
zPf1Uwt9{WkMKkBUD?V0l_#gNEMh`oAX%xF-AaL9&OC9_#4(<>la^OF<;Ac=0F+DiG
zi()<kcmqC%B40DR+Q5_`2v*s$+~9u%)#<!U)MARb6N2tw%AzJ@i0Ip`n5QGP)I0~t
zd~gYUY+%2Xqy1n>=<g4h3JNlG7pwOG<4G=T!x)deK<=1Qmij#s)(<)~<mz-JOIPyp
z{PIQQ3qV3t%@gcGAI1|)5=Zc~8z&*ofR+r7>dzK`_>cMFElK4I@PdL5Y_+<)f^c$D
z8D%e){4gMCK9me>(c{OOzlEUzKHy6XJYV9~;qUeAY-e{5_v4H9M|`N*tfC-!^Z<Tb
zuxyR6UyTM*9KE3)jx1&iRN&}f5kDkE$Vt)SU}YdF|7*D8F1iD*>gafVH_|E>WXAum
z>HkCOzlIw?Sef|)cRu_ErhljEUqamfA=JW)*+BMx5&HjAQ`#0VCf+U{_KgS@6X&R~
ztPC@SyQQvyv$sap4FGm~D`#Y7j>KRyao#e4<xdFaW`*XAAiJ}30*g^dkX$HfVNIP7
z#mQ=Fp(xG2vZk|XNz<<X|NTb)W!NGCcmiknS6XvX4|wqNmWz?Bpr4imc%hG1_AwPM
z9!M!QF$1mA33JW*E|a+Px4_e-?XBs9NqI~>ZSuaKFD2(&J+}n50uIquEJ8@$cNJrr
z%o6HJQ8Rw)QQM|9qLpBrh|%_TrXh3hYrF9+V9AZ+=Kpk;2>Ep?87UyK7g0z1`gf#=
zeLcSRGyVm?8y=2#DA{bjn1V`1VyGdogtSs53X`7DtO5y)spr*=0Ck?Q_7S$6Nj3R?
zZ2;4D%?Z+gXmp?kc|hW#$?X%3kuND4E@;h2q>dk6R?bo2l6^psuri6x|9=I_{}vGe
zz35<ojJM>I@dgJu$fm^<9)4Xh^(>HEY3<%Aa=_tl0oNCDcC{ak#Q-X(NN61N8Zvrn
z;%}-5U>vHh5thL{#zLHIYy-a-Zo+%iexRc8SMmEG!?oi>dUcw(9$Q@3Eo3GhSbQ_3
zc@%bMBYLJM3Vah_YY@la(LJ9EQc<Zj9=_BXGEW-#wS_Jei%qL;HQTP>63kr})WM3w
zPyjS>5M#!|NolJT$6bSJqx%h%?fNm8ihy=v9itw`{6jKNU)3Km_IhLsqqLrao2a<N
z;$*vn%`40+^^uE(pQ!gjAOzzgv9gdU)GbydxHPCi@bZFAZ;U$-lufrp*b#hy&NL82
zu($P~uxnJ(f7TsVe`x|H@aveB<&*yH{cVnaptkEG1A96*TuP+|Zp7VA6>dGl`ONXf
z85;kId+31J_z;gg$Y(s&bS7(nD&^3=de|WhJ+7Ers?*}5tyF<RD=plXPp`unsne91
zoSBLQp8}%^8KG|nJD`qri9xT4Dn!eJ6ncHyd?5TtIKL+ccasW{+hRlp2pnMPG;tEr
zg)&6>7JZ37Vro*jn46Fj{p)oPHBkkT!9|r5>3XPdiOjLNV{5UptKV7lpOM~1f!3B!
zp_MI#P_1(Z^35w`Hl&Ua5hTw$dcOF*9~<!Tu;O??9@%VuoYn#>hfJ9VFlFI%Zw}V6
zDN~D4CqOZ>vc+aRfuQ2xfKkP<A6;uxqZ&*;!0hV2Ma|K}4RINka%^QAVd0P6PnYzL
zSFK<<cx&fK>;8?X0>IJIJz;h5<=oQp#Wb-2SkM!{+9NFKF^im|elsijw$m6>TA!Kd
z>|$zaX<2c5`$)iQ;{kqQHx-wY5ewM1AIfNW!Kk6yuTGxx^!f>g*#|jNA?DL&%_8O3
zgMH-?ReFWp!YfEr`_V?EyU&r#jbmXj7-Z<s2clWnF>wgkPp#RhZzpgfrITJI_9a7G
zNG0kkDh`WxuoWX0jjGio>9etk6)R>Q39*@!F34|_2pOs}F;nhV^_VyEU$k!vZj!(t
zIqqmgr!Z9XF470|*N&n?eLCr{`G2sNFt3N<q~uCOl+(#ChCF#%VU|?$*QDKsXD?kv
zj?B=g7}**}4g~5=>UAO9q0rEppUU2`?U%-+)iYy1Q>v-ab8+X&Nx{v891O|fe*Uts
zm7feN4dQJf7LI!D-3*ocPHzd%aXtB{TX*1!y+O#RRKz@-@Ln(TlV*WB@&C;Ef0Ib9
zcpk7gf>i#+)gFrED@|GZn+J_c&z!KI5ZD~e^g!9g@9XVNXzlG@46y8SENICNli>ke
z!tRV9<gHj4IT<m|h{*CF@Om#duj2L&s2tn{6qc2>v;J8#(~H;2dgdeeP;NUBnqo@s
zMZS&oR*0Mn+^U1q%Wi_1YQWH87P&;*Drv!Yxhgn^@;GL4ann(xrv!`_J$4RF78+7E
z{V<0TS8>XpflhXBtd>hs65McNtdB8koiLr~ayN4eL32}KM|2(F0{3(DZ>U&N{R$h#
z#@66SOcB(`r_nIvzU|$ZwZ1n5EtEDlhl%fVYZG7@U6m)VH`G-i1+iL@Z*M)1xCxQf
z*ZW0auqBG<cE<QpK5fL?S3*(lg=>9T=GJc1o|jw1xJ!#cOiKlG758b1=D-&2gmeB~
zi8t%ud6vnf8d2HY^B2uDXRudAs)C6Xwz>{7bp%BFZE*e>+rdtRucoWSiii#v!5_OH
zj<l*SY4NmkXYy?3u8N5E62mdTklIv-k*;pFFjxEF5uiq!zm|i5=(nCc{P0Cg;@9n3
z9>)iIVwxTrlW8Na2++@cFJrMH1F}L2FcY(i!B+y5{-J&%x!f}t-EoZ^g;?p{nU;MT
zbY>QA_Wr|36M5oogu+3AWai2!1Y;AYJ3sxi0f2qt|6BF{JDJ<FK%P-6l-*ha0X~&R
zhQn$*SGFB^G<G+d3w1v00lken+ROfsU|1nw#{FPwA%vqWoWiF&o8af5tdMFO2-kbJ
zeurN&VyY^%>#@UovR=rG8|mN(mJ^utd<HZnDJdsQMaH~d{YZLN)Co%Vp#!`^(|TQ@
zs+#jkN_vqTKP6d@awCa>3gri^CeOuz&!`dG^a*ssYD3|!d}Kk1&K!io-|=yP=VM^F
z6qOQT(N%f}F8-o$Y0mRoWJ(S-5EL#?{F(Uy@pkR)F%i{VK1>Snh9c`k=%n>G&viv`
z^V28$EBU_y1F_8-frX6S^AZzo+|$S>=sWZoeP+=XTR>L+WT}S0c@!cnOT9|to=gA@
z=u$d1o`7#&;>04MIEX;V*A=yeP$-BhjAcKFs`Gk3r_s}fF@h?CA;Rmo9?{%tuY9wK
zS*W)T*9c0O`<|XxfLKNv#sU%Baa>YLNP-I2Z5yb0iycO~rnqly6)I?eelj^)zCDZ{
zgC?>3I=|rCb4`%a4K9I|tPK8nTwE4d6fkCXd=NU9c{R4Jr5_g!FZw$4tIG6-Jjk5*
zpKxHuT_O)SFTtrrD<A9trM?Pzd36#TLFWr^cCZtru8XM(Yl=?G4uCwv0?URTSwhCe
zItslqsU<B=gz+oB0@eIpQ`I+;#Q?!)#>w5>c>4V`pl6(%Ys$xXt8$g0>ffoM#g!3d
zt-a<jQ9Tv-g)8qT<7g>&d%ZQodCZ#|BO>g<nctgWvpPH*zlbUT5XmFKe;wI#%Xs?(
z=QOYyMK`O%XXMDiQanLz8;M32xuAI`gMG4YzTFq2Y(t1OAW_v=-)!`bmCBJhT4cKZ
zL=_J17iCUSJVj~U*3cvoBMwIyFzyLLB|&+5I*GvHdNot@XI!$tTFxO=`A{lYUAX)W
zgSOFt(RC_!WRVzA%=F?GDbb6(%j0!RNX@hbVrk7C@F-ko(C|L8)is~tuy|u4MSY(H
z0)`5OrP%c9+3>wPNry%t0j`(pZPA=)c6D{^K~}45j1Gxt^~QMZP}Uc{GPdK~oG1@c
z94y|r>AZXUFt7W|`ZV=_4!&1yVni|9W$aXUuJxt#D48Yv^Y{ADhgF+wuut^ETR<!=
z(h6}{{yo%eQ_fn$iPoi%L7RC~E7}M9t_!t)PVsvEGlN3SA#K0rNa#Y}{1cO}YSWt#
zuWq=Y^ff=f(D5Pzw0~7gzDkM<7ayJUvsJqouH8=%i?qZQ)0+*A0a&uv9`VkaA3{s=
z<hCH?gRfsj%RPB<fp%&URZS=5*w`SV^vddLgBA_l;uRR6!Tv|iBubI^LbK2+iqtb$
zd@VD#F)@&BX<&F0%TRD*VRn&zJCK9jBHb&Yc)WyOI2r)INn1RcD>0eO7~S4V0f-fj
zi=LWm_|Ad2>5u>FavGi*fvrqC#vsK8(C4o(l8~MFDG7)`)3f|+yt$^+o8}sP`}RVy
zxEZUfE~D^-g=aoGIX;95)!sfvL1yb<(2hc_hJHFrI|O4GV_%u1`<~m}jd4k^fwk{-
zX!;&dnAY=vnF7N#G?ao>k$m<#w*AlEqAxo_<ZyLBcne|>(ysqVFkH}E8J+s`3GMmu
zYv1M!fgORC@jIK;4>W6V%>;5z!Sbx&UUXA7xv%r{`mhu=w!)z+izYAZ<wgKVUz0o~
z`YVQ%5Haymj?jp)TBhMcxtlZ(){x%e!*BA5ae5a$NkK~ficR+T(S4zpW8=m{I2pm=
zi^b_A&L_6+BWHtSV^d)*ZC@fHG@aPl^jGblG<DxYe`9TroNQH)p-&qOjH=lmU}1{r
zCV@Co6CBB@YRPr=<*KTZ(35#GX0cK+MV}zbnTXa}5p+^Xn<_BdOIy0ey()gh=J18>
z!<EyTtaFBZ=OM-j`;~gPb65bnq!`N(%Ru)X3>P0pl-5hj4%OCG?BDo_rvMPankAH$
z7$WN!N|jCZ9j)VN{}JnUKU!rP$Fc~e?dfm_FgwP{;}nLu0h}tOuPm62Vo8H?h7$@?
zl~mNmeA>e!6o-Djp_ipy?W{5kRl!ngXjuL}hUS2tLOTwZ|2K~4MG07!wIZjEXDC26
z{hZSRsyI}ZyuZf2`L{{qCy>(z&7hkSAljaW*d5Q@@+(0Glhqp!S<?TxBRjxWi~nPV
zAs<#B#^ye4y`l}9$c6FLt~C!6k)t=)Ab^z0K#Pe^yP;X7>csy0=WIJuVAajf0=uW-
zsSH2KNHn8wVH1)~Q~A6y2Fi3*O(QEmuUn--*(&mmk+^O&RaU4%gbQ#A8KHaaV5?8o
z>rR9`-&2h3W8$-OKsiJdXqWpHaqI;(<A5eW9M|CzjX7ml`#epa&AEmrB^?RE($(n8
zI~yfN)7T{az%1D&s%S2miGOp6Gbs2I-8UB&wVhZO5z*#{;zQQRtX%3WGb5}6ij`_R
z+;~F^Et2kImPqCFe)*Sn?d%8*vJ#CrN++k5BeuCY`Py&`c_g-SZ;WES{F-`;#atp7
zAnDl(URhKm?)WMs%QnGJ$GM{ueC$9;HB>=%4<<rwmd&xg?ZJw-wpVDF-Jd;lPZsBF
zh{A5zC45|yRfKid>7ux+wM5hAQpVVzWt1A%k4ohQJ?W5EVxrJk3vExke(b&x;+CZn
z8O0e%2o{z<_8U7LJrh{}#+%uoAIdvpfaV@@to%?KMchd203rW&MGQ2$Z!ko5%vz1&
z>5dwc50^f1<|rRJkgi#iwK@0f8PDoGCe@WA2Tk&3aZi><`I<~+QBjUrA7U9#9rG;V
zO8#X|LTniLayFbL)}od&HS<oE^0LUT)E42_c3)ho;jOGOIGq~BMg54Uzon2i<;%6d
z6gAbM(x~3f1%Ghbp4f=1$Av+ps>DgN4-Ni;n$ovJP1XK^3OxAc(~V4H1p3^>g7ZLF
zQWV=+Y)A0)8-|<oxwZde+C(6#rq`Ykxlq138wcmKQ`F6S-e}C3{??^8^sRh$aXp=y
z&#PeHS_hh4Z3Ontc|MVs5^CDuXK?JC89oBJ2moKNEi3v?`}t3;SR*!!w1g+`;J^kZ
zowl|N9sAx#toaBFr!0LXP11c@195f-<lJ#0uDur24D_Wd-?^HG{cvguJqRHcedpp7
z1?NS-eKjdFJ4UsfcZ`Y7qRoXU>o?I{<cHB@(msSwuRGBarOwW}x6bZUvuhHo;*V6A
zjJEYu&G@X8$VAOXPfmroqz|2}$we7DPO(DhPyroEJ%E(04)Rp8{M_s>tX*)H5FUo&
z4oW=D+ek|UGk6plm>1678!i=!4;^Y|vx5Y+`M&uzWV`oGV{z&3zc}F^?9V4LBr_`%
z42-b9?ilZ+Oj=f3+z&|tkMr%=C?(>*FMN<g3T$MN1)kt1low->Lxj|#i?d7CfjW0#
zdSiADPxF1~tApiMQ3!PTIgd-7*;`wr%tRz{bvOw4UF|iv6fMQ&P9hf^S(!-snZ!=a
zmXye6cgC@#n%J0WjDzt&Ujbk@<vF&e7*qw;bJxx;0b4P)+V&KxoE7sl^;?jllo^3<
z6{%w{*;!BJ9X(!xQYF}y>y&lYCDy&sQ&p(w&Ms&!^jFqbC*jC%i^;*a!~Mf>g3sl2
z-`m>7eduYz=y~u4m)GT<)usy>7eKPOg`pw(t^LtQsz^yQZkY%0{|0dxhV=;pGt$`i
zWW;2ldvrU4kd5R{!$kg8nvO<!_c9I0XhtHof(ZVjg~@}{EY4v5j6KZvNWut3>8NYe
zCYv(N!9|@uf7hT;dK9!(xtnvHUy&!mk>M9D|E5dRB)tYDP!EIwfPQ2>+Koio>Fus>
zUX4O1AMmth>F5Fe;9wjA&K@Y7cCN_M)1?$K#!f-_ZAPA{8Yj3HaChu3N&W@qtuEPi
z;9bVnHY2dYtu74a>;G`_U$&4a!2d4*$`4Ve=Q^rhAC@6qKKrVI>?;QA&nR0E6qre6
z+GNcIQF@}^l{RZuwoyAy!gvJ~<~4i$8z9kB)w9j!ki!0ozMr8wI>D_HQU2o6W+eY+
zopt;G|KR^vC!}#WME7yu>>|XAO5Qc;;_J2Ra9Yl9?J%}!eTDuEyH~3R7YHnbh<K?O
zaASwUM>{m{5B5lSJlW*)Y<<GHLUr10YXUMhCWKc|R*Hp0>%A2d0nPu;YyNkK^LG;g
z!k|9kzp#7`@%YhKy8d+*5Q<%6NJ7mQs(oLCF$th}p*y+Y`wrdfu!WFF5J#<(z;q=f
zfF4igRhtH3kR8(2hCuEJ|3=`oGdMa*d-$7&IIMe)M%&=M<#mQcRy**Yj{9$h^**9+
zTj&laKjd*JYuI5O<z&h*_@F2!Q7H^JVce+1R7-iZwPljC)C>DJ31h7n?``Y<tjhx#
z{Ht09EV$Sw4S4NGJ0&J{eQM2K>AkX2;v{QFj2Hq!V!n%Jg0USl>0EwUTkw&fROI*R
z-1FuQ-G6dC{~~|`_|XCg5~x#-j_UScltkqgaPmi#l5n8eVA3&%rGFxMISkN}F0(sd
z|6cnYSsO?2g4-_o{k~f}m@nt%w+cG%1!@F2+O%4ea;f^VR<a{5gM5Gl`s+sA7xaU~
zl~Va;a!BrRp=LU}@!L~|*;YUrD&762r6CngXaB<~(fV1E>5%_d`){i~w{ri}7C+to
zqe10ya=17TIU@U*bsVUPqt?@`QpwM&!~HHPNlUMMqY6Ka7%CAd2CYT`9{dRk96<M(
znjJW`O20pQx(5-8P&EMY=<+3&=xl09h2_T=Sqgfg4a%H}@I~?2&Okwp5F7egdB(iF
z?cc}9$tYpt&*Hr#B#4#cLXx2f2``KsYzlv<$y_uv-YJd6O(d_Ap0QgHFiuWkGD6i1
zLrJnWvW9_LVJ6#qe)KMIG$`rl!JDETma3q~Iznla7ku*YtPS>WVINso&@$7B0u8{N
z8(orL9As|Q=vA3z|Cw?BvjXq*hKu~d^FV@yC85MNF|pUEpCgWD9fWI_!3WOD$*PYr
z(M#!QFtfYdDUWZz!15wK%8`o=Mtr^@DYtpvjJqYiMXG$3P_;ZhM|k8b?31EXN@)?h
z!S+^d<~Kc7myQ&w*R_hJ2=Li}F&lO`>lgZLW?%Owh0XR@k>bbkpp9oTCZLV7Q0^=o
zW;%Wh96GCn2ckw3uOMyeatF0mLg>jD@vLYuxM88zx+X9Qa|F)rx$!4EL&}lMq);ma
z-JB*CV!4zJ9;2hW?IB8W;44Ywp}?W4hWlcuu(Ns(TU_usc4d{J1p~}HDWcDQfr%Q}
zJ2p3lBxc7nfJj>!0JE_E>?BMEQMSYk`8Dx?|0y`o12WLs$gE6QY0AHQ(2gV8$RUJ-
z!V-fD_y9jA`_<{m;G<;QGm+&yB==!y&VQ++H77r7Rxc-2%;hWa<PfjvvXuj7eu^*F
zYdK?$M9NbB$d3%_7EC^4D!(WzzsmPRA`?nZL{g{Rx}3I@BR5}+W^uexNkGSvDdQz3
znaA)Wu1Rh@pC~mM3K>sqy(F1d8X0*q9;QxnBw`4mWhts6DiAF6YN~ALHDB#91oog%
zl={amd}F2`icm`XV@DJludl25lf@6VVYq)u$0~{ksOa-V^ggZxrK*7Cx*6*n@;_yR
zk3!guIL>x;y($^*C-08_i79R6Y{rcy0s;>rdQHO(>+ko;hN$q|?i!wU7a}37Xoo$m
zmPiTciC7I{(p=HkrY166Xw)XUa0-djG{vOMWKa?1r;b!NY+Z6iV)*UKzIQ9L2A<{*
z;33hdNAd`*mqA=?XlI%7^eXU?QCK8wo4TPUBAu}4)KY0Hr4$;r+aMo%oO0()>zGjb
z6p0Fjy*ODH;$G+)T%gKO%)O4b)=ofxJ{wg^e!OwP6T_;4vuyD%(%d6eC|8S2(L<2Z
zB4>X3ui&0+V>z*sZ)O}4oNz;A=u)4Y@x`uMAOD87`p?SJXBRHgok$%jl)<4Ao1ILx
z78bhWv&_9B%Yn}28=&_1Y&`a<>5m{xZ3^Qm>6urn^6P=3^oD<s7-5^FHKB!&F9t{G
z9c-AAQUcvfUT;9X>uyH|ol0cXLe$aOX)&``$%@@!HPjhhB8?I6LA&vl6^ns|;s<16
zX(dKh`N!DAPt6w14-a-BG}98lP?d}W*jxtuWN4WEy_@?xl)j`RuH6qLWAVmZ@&w9(
z4Ql!qO7~0Q63qNspy4rnh3rLDHERxJjEus27pm`{rUu5(e}lgMg~lBP!Tr-!5q3$r
zsTg2{ICa0<y(vw4x?=kH2w>7wEPvgv)ur%>Ed%g8y?E`xWsHX>NlRC7_!~fQ{UT|#
z&LQ_{g$)!-o5vM8e<TujwrEjthe#laMSd_>wmDf$E{d)%r>jIe2-#|`VqK@B6itx5
zBaLTl+f2&MNVt|HpR|<FA8|dgwzi6;sJ}s_RwCz(XRR+@jbS}U1EA6b!lJt+RjVvT
z9X?gkjW;~eEVBGNAo(v-l=#89W)^K`{8e>>0TI_Y<Rv!)%2hJ@nP2l81`u2{>_;9T
zXxc)J9eL|ND-#_cz6rQqi6EY=fKOB6O1!*1GV%C-B#23DSicWsNx{kKwG^I+BTreV
z;3kg*!DH<552e5pK$wz||6bu;BMU!b^W)UMb#^O)(Duu^KpS@>FSi0x$bYw%g%0Zo
zwcGPhHjYPc4^M(q@SQZ0QU?XZp+(}mAaFcEds6fb#vof}uQ0=KI=YJ78Fi0KC8>}5
z{NGKx2WG(f6XK~UC(S>G^%F{}vG^gV4-u$kL(Wqkev?{2qh|K!a+*(zRr@9&zmVRL
zq|i%N={`RyD<~B^7e`5N^kgXBKo*}*iB47s<2FhW)Il~ov03-r;jk-L%sqe5G1&w*
zf7V1<_-7m)ja)mJ7F!mb2#d}*x{JeY0969=S(GQbnyEY(Lo5BC;OoB+f6K4}yl4~}
zZsFru-W*Pdtkuf3P$33*tsb!zb|exL9Q?K;_0SomsKw}RmMO8Yuy_%hZEWny<6y}H
zC;O0@SaWv+6wc}m&~#SgWMyPvhoxzx&eES}WvDJ1ETtEJHnw>(slzEV4sZy&Ybv74
zT+YUE&MDcElUCZQn9|n1v<iW8IN5A5depPZ=+oaPJ%<$|wOHQr359dRqq_vC2wh)i
zjSw$aR91_F;c@?Ob`S-4Q7Jf|GEnmO=1C1m#L*7_nTeO;z~22v$v6v>DD^O!TG>L%
zLGj8$0c@GyJzs2(n(Y*q>w3KwlwBt-bVzjjBc70wQU3I$oG2%AMGSf{Iue;*su&GG
zYX`rg7$52usRoNtFW~SS`R%InFtSnWMmLV$!^5U9j@lZX7(7up(N(SUF9oCqOe5s?
z$J;NN5%psR!N3t2Q&YZ`;L2d^(iBshoX<3gUNZbo*wh~b{QgL-NGZ6L$;DQOh?I>N
z=ZLhNQXbKQiXOQ4w;ZurNeJ`I_lDJ|v~8cgex`5pQaY=su-E%c7+eVZ8qkdou7ZIO
zPxB>uo;l2;e7P>dO2Zg@!+01Z%~h=urOl&A=><-EhvEu=S<0{&L3diF6?%wkn7a^C
zWeOj9?14DG6}a>DPYh$nH>k0uSTqfh96Ey<XnfDT)tqziiDkm0s_H+iwC1r)w?-GP
zUtkQ$JDYkCzN$IDx3;-+Qtk$)r#-!`a-6>4e+=3*S(}v<lk@UIY5&o8<u|Py?+o=Y
z@B_=8HVn|c(Mn3qj<C_JB~K??jFPiC&2Pbs67q)N5PBz;Y&I+RNui_}qM*JUu#3?=
zeApUq&`^(VN;2EhREbx`rvA`)_|!Z;l!F-LDf;Y*NIXP_prqOr0I~;eX3ulPbYN0Z
zwfgmf);sYPg+B@1bLG1RV`oXMYOs6XuX(9^|8OVV;*#!20ZK(Ryzs9OevVBZMD_Jv
zxq~WkX8tk+6XwQH_KQmY>*W6oA;3#HBWczUfKP+jy!ka)8^{NTA)2J7@ily#{NOSO
zqH`A^V<L%l4`@zPc|QkG&V_ZUGFff(+YFYBfxsFqH}!VwYsjAC@xDwz-#oH7M~_6!
zUsHM!T^fu4>X%02LmEF&sQ5V3v$Ho~8Zr$}e*0Sr@J&z#nQhcvDdqg>Yc7FxbgHGW
zw-U6%Clv>ZlteTFSbpka;gxh02bQ>GGEKimrtyiRFHB`*g?ak1=X^hG=$J0QY`tvT
za-Q8o=HP9&6L;21ZG05+m>hw`ggkgZkia5cCF#<H_5~@a5uk8N$M?+G*#inIaXKDJ
zf<FZL`p!_adQYE}$`;`Kd7-Uq5vhTZL-&j_z5Z_V<#i4dI*fWR1PLnadAmCn7RF%w
zx-_oDo+#9@7Z7(|g<0n?06QzN2ck6?77CgK>OtjWG?UMV2LIj~J&*+OBPx;?n3m?8
z<tR}ZyUAuTDR}MFQohK_#7ra@{%*mS<c!!<;b)*W4rd4F=i|VxF`{jJbNhVl(NfXX
zY>+Y>yfKs}Smo}uB)8j)SwPm4sqq$gc-}&P6w60p%D34P++7J18k_N>v!nHcKT}nX
z;dAvD&O^;$*j-9q(zjeGJx&23DMC=!8-eNA^{yoen)9&{rB7Hr!hnO;_xWU#{wymk
zCrT8AR7TM{-9wuqfn~eKJf@!`qYI@w@-;A9?>h>db=}XezSF~67n?0OL@$D&)4Qz-
zsUHQQmT2CWoTD?Ie5=P(>owf|j`)P@?ZgN;Ors$O@_aYT1Cx{BEy%H!%XX;5Jr1~x
zXZQp*mfZ&ClgEp)rRfRPp?8X<)1w<GhW*nM*iYYYK-Vpw1jOvtmW_H;|Cu;GqF^`P
zh?=lngJsFN7*Gb%>5h-MsL=qWaj_~47}TNB#gy0?Ft5gDwXs@Vex)W`DmJ2_*&lta
zq%g=NpkW8^SQE3>rMi};J{Prif%pE_RyCcgF(sepkwm2%i_=RZ7~y<&Cl`7a)6-bX
zB+R*frvAUIuSji*Lb6?A=%aF0f8+_j&?PhMt#go4SNMV1x2SqwKI5&5DcU00Ll6~3
zR(nE4Fdz1i>Z?Wn({1voV@!!+j#?gMqmaXrjm)E~LzF3Hv`TQqJk!<zlKDpYc0~c<
zP&OafIjnEm$;(9;>o4}&lC$!e+sf49g`~ZUbgd#xojkd)r8-UyDJdQJ>EVl!>Fjl<
zoh=$R-&-E7&H3b-enpa=$gWWFo5i+@qWSW&<|h+VMhp2&@UKxi%ui=AT@e0Px{n+s
z@}J;K24E)(-lX6g7f!o`+t)W;yiR<fkWRVlwVH&wlao^b`0X7d8`(Oe%h4z259bxW
z*L>gO7R$LRHu!}^G~XvuzjtF~cea7m$=1^RcEb>_sU)(Q;dbA_p@o53C)5GP4WoOU
zxQ1cg)SI<v5S#rxr^HL=RvqtsLICC7`1i)^t;gQMQYXk4#NSBY7-HMI9)P(5F)MAA
zlnQ6XCHx(6dmCz5k-SikB}B86%K$Qcj)ep#$8}lT)p{bu9wCg!$A~V9mo~Q>fhvXi
z5%0uNaR;9Xi#z-~WZTfAVadAss>GBork6C-Mx0C!BI%qX#ugHRs5wD#hYtM_O64iu
zoU}LT929w8jdYjj%BWxbExvdq^6#jQ*OFJnzPMO(SgA8Eh~d035NyXcI|_xmDawf;
zUXId2<5xD^)mFFUZcYEMFy4z>Y0ppL&fptkE0{g~yWw@*``sT8!k-ncG9Uj%DR}UJ
zf4za!^G1=x#1TzX10|WRh@--2w?B^+M#w7!N08;RZk}STV&as~uei`2r6iGrveWx(
z)=X5*6FBuyj%HyI%+<PatgLDo|7|e-<f*PycY<h9#4VET#gZpbCBn$s*?g{zLRos4
z>#rqsA5DL?__FR!Y4TX;*Po+~JYK@$Bru3Yu-ABm(Rad;|I9ez*t7e%d;Bw+Qdo-S
z@+OZ}HJR)<pzf~fr<J5&z^I*SS*f%zl+ziWO&QwJim1L7dvAlGVJ<DIg!lI*cs}lW
zD~8aA@gWI(w=L~4@Qr(qz=T7HQ2l$576}m>dog_BW#AC6)~Ra+|DA#z)^Q0k*lsoJ
z?<p%*z1g2QiY7;y4kmXF2&_NQvN}SzyUOP!sO>(us<!+vV_*yw5eYY2(Y~Qio{*I8
zWwf0JUL{3mh}r6W5Jc<Y?{{nG=DF4BexFd6{60npzD=D{+hK<-&$|?HcP@2$a&-7~
z)M+@EXHGKd^DY?-qk)Qo!G&TxRp4-ac|mf0L$ke82{H&)NH(=|-8XeG3s9b!8Yt_)
zCtv%HQL3b{%1pxlqi`;abq{)3NB`IMSxZ6|WtCBx7bu+h$#&`Wx{{KDVeF?!MEUP2
z*JF*!_x<N{|Gf6{mhgJ@iT!Qw6;n?WPl;6_{H(1;<k}uK3<kd!tijHfKwqR_8->xA
z68d*JcIAj>2aXyo4@vc@0K5^Q8@`bbDz_z%d>z}3F&wrfdq+09{t|^uwk~PfNr$}-
z3?{Zc-$Uxq#20(l_au*r<KEqAZRvZp*=oa9v=9q}r|W&*lf|J<fyNRZ65fyu9W2l0
z>~*MexRnNDluP*D&MroCQQaS9-I?+DN}_4B=P^t-*LM!;Qw;w9YOeaW1N#&<=&bF-
z96d8~vOxvt-4z91%xv*942&w|!)nx|6~`F8$uPcK>Qe4jK^&>I<P`cmq3@=R=x75x
zTpR?#cGTZR+4o58KuE?hQ1x+fjz}bL4a9;va8TiB1K?ftzMoE#`SljtPC(eiQxD0g
zsw_QoVWQ#_?IzuA3>Rc%?iAN2YbZ9}xrR9^&aj`xBr`O{yN}({b)S}11xaY*NN8v>
zi}z!rcQ*&K29^g4KYp_r|H(7aE7|bJ_?bWWjoCz|H05NqfKCrLwmlpk3k{w(<VX;q
z^+I(l?oKn|J`T@f%^XEw!h@t_U^ryjO-@F3E)4z=;|R#&*Nm%(bQK0P7WKif0Eo%O
zU}i}Dwm8T^nxjEGJ1*W~#AK&S=T(Qr_m%vd`n;ieFxovEOk?$fjJ?teK~fIG`b1uu
zzQh$UVSI77R|d+!1}{pkYIWMOEnTiCx<Hw(bb6XDwsl(7m_z9sa3P+em@JQM*SY?J
zKESFpHrfBN6?8Sc`Oe2s!cm+R=X(o<rMM*Ixfk)uo6p)MI&ZScB5ZU#H-Y;)rfNy7
z=DlJ~q~JnJ&+JerEy6PrLl}JW^>}Y1xru#VBIqemx=zp<2KiPGi!h_U7^&mF9bpjW
zJ{T$e$3*GF&UyPbDQ_?A+Gf;^*DX+XQGv~D$Wd>tk+|1(r`g0f%%h|S8lz$|L+W7=
z;_*R^PcJJoG+EAXAf<aW@96&G<T6NkpQga{PU`SS7JnB+6!)mfJO+l7*}5~MZYR>P
z4u-(Zn!E%bj`0$XaQ<=Gs}dneOfkb(G7vCXVe(?O`U(}1U>?Cew6&9u3wW_U6>;Iv
zmNa=2$hE@Pk!QNxgUgu*b5UIZbQ>pd#6aMqXJcoN+#UNmu0a2nl+om1;BV7t;8wmf
zes=uhcd^nDW4g>$?8@)Kf=Iw+fM*(<8xInG#c%OL^K^Z?w#LB5O7VZ>MK0CdYcC}U
z?To>TY*4NDxdFH3cT8v_=wBT~DWs8?;5V2_R`s(+PkDQzcp!`liakOh4lu?QEMmx-
zWICe+HdXjk={2L%dn<Om?cJ%vVifyeARy*k^GsnY?jFYw)ZYzhA=;|5@v^ebkzZaD
zS3SEy0WKNQdrB;q|K6qm;ev-bPd2ag?D1c8*ajYZ3h`^D#2gM#S}x$fH8>MB&;{U(
zHXrxx;);H%9Cp&j%#uCqxHB5Gz^AIX7!TCX%n72Jj>bywCI_YQ`?D>wjs}9Z2fb)i
zarvS4q4vIg(~B<qO;BfX4_$PuygJrENbpo3ohy1GSGtaE@s(G%3ek17p`z^zUNJr=
z0(_NNTKE(<GIJU0{HzfKpp?>7_>bLw49O8o-}4Y+Y$G+S-2&000xlfNYa~V)Ee#UP
z!(~1^1w26QJ;FPo)KE1VPZ)c*Up-=avhwE1?dQyj|DFI%BW0~8vpc>g%LvLPxL|GZ
zaD5rlQ#!SIdHXQsJkxCZ4C;pWqsU4!h|W4IVr$B@4j-q+LW~fPfyUsgzL$~Gr;uYq
z4M}@%3X2#$`s<d}7q3>`Q1dX1cy+aLHel`MY|4S@rbF*eYfL9Ev6b=VL2N$7h_O*B
zw(PnDUOEo)Zl$Cy>sbI?`05S8k}ar&w-VdErU$qGrr3L8C$gfgNEOHQv7}k6-5r7*
zL2dkguFKaU8s7~EpYLqSav1p-rDm{!>BjSR_0`E}Q-yII6)L%$NGh5*gu#1>^z2D}
zT*PCix!i}EcBx=}hYfdw37kNasqbS&Og`fcHj7aqKGz*N*QXKj{WASW0f%>;$tLyz
z_S{WJh@clDVWcr3sA>wyl<zgs6|DE80reGlyBdrS4)g8XaBXHs6E1a%f#=cl=<a~?
zr!Bo~)aV0I*qq-^p`|@Bs9o+W#nJ7%<)NW*iA~x5#oXr8?y<Ry>_k9BIq%vdQE15$
zw@<s#__l=rGz{B$=k~1A4lUw^E$QGN@6-e8-6&qee$G0G9AXYwC_KPQYv%Ev=}k`4
z{i(S9H2*{m+^@!*fdnaNO_Zd5>5sfkTfb+y`_P41v<AikPsi)6F}Kk6M`H3KTg48k
zt;c~8$181Vrd!%a`%x$^1g;m~QAV~GkV^I>G)7XluMw^qd7D67&2^$zWEA24ENY>u
zStR_+RYUX5x|ULv0qxlgQqhD^HmWu`F3k%Pd@b$a^y=O)BodqzxEPY_@{D%7wsa}<
zDpsP@8ceTv1RlgCcpzl%E|S<hJj2?hm~=qc!rzNzncwf?06O*yXHadfo<ysj-ha-2
zLCl?}?2Pf+|6Ki{S(+VIArtmNL34|59jz|cGki*kA@B7d3TsmtI0@<V@vL~_{>X!?
z&mT?I>ma2eG(&}8<9f+(`MaA3S~E-0Ds}%FVKjcQK7uec+G_k99tK7?qYkHkoDDTG
z#~YHn0{mjF0jv_xVeZTr5|3<e;CHfWL+Yhc?9-WEqLIg(`d<vJVVKCUj8~Lf`0PL+
zW_biE+Ib|;YWWnKt%5q7bQv>Yo3yjYhx;LRh>y`OmwB~IHYrMtzQVBDmV^X)a0ICw
zB7l*_tZYBmZ@r+3-S#Ux+dv>z=AV1#D5a=yyROomy<rLYG$8_P&eQsX(O@^&d6_s&
zNyOSJdJaK!b4_kHv|dm`mFJ&DULL+RhF}>uCp0v>V06i(PrO0!nPOoaU3%qPnd!7y
z6o82d{8pN&Wv^1anxK4OU3#b4rkfoW(Rd#3baZ=^m8lI30s@DSo^{;l3+EqxiZgzX
z2X=KxnB=e~badul6B;7VC?695;6RFc@6Jho^_VJNp~AY17Jll^NsnOK!>y>9!Yktb
z3zufxT#A|Tr8kRd|Jop|{Tx{Q?uU#3$)FDlUCFEkaSj%&GkA~VrTk=0FB;jDZXp`Y
zuI5bcK-DSBp4x_)y#J+vP*Xd_>@UnKzZ)twAkxjt(8qZ2)muN;ljRcOlUqB?hXEF~
z5mv}@x0!`?xd3E}VWCf%9_Oq7ij#U&i2{Ms?YEG|QIOHnx@vqvX+HwSE1k-IlNb?A
z+DK$>cAx+n`Uc_m@>BpkW#42*qH_#e<oEZ5SH?wiWauak^c(KiUMg-lyS3)9!WgJ&
zLjG_ZYNEa<4xypz%NM0(JV0u_+mu(?Ewl0QmL(?~(!SX;BsU^l4ZX}zPFc)~@1Jm!
z66~!8F8uYhy+8GZY4_6vZCP1inz?hm-}&3^uyXu=``5u)2Bz#PoJvuk0C4ti2Imh?
z7Apw=i5>OjHkI+|NP*zl^`B#+w(H*^#XFlTxV)Vn%)4Hv<<r`q$SM0^Qn2|5BiCZS
z7ND4pe7l?FUxcDs2AUi$Eu3t2vSfI!rKBdOq6U%p>4AqG4I0^4g$^vrrG3mtt+)vx
z{a$NT4bNSWexSqcd3zY8)EZ3kMNnlidAU=qqj<pA@i><iTY{^nWH<1#LWq`yM^ll+
zQ!&W)GXxgJ>a~T|af{D(I0aP@O!%i8EA<L#weO-LUkYgeGjKE0Defl0x?c9|J-H)A
zj6}X9U`+3J&TRG9FMPYX%w$PuLNl#KzF~W<v#;eP_O&D@SsA9s!k)<vS>0v{a<HV#
zfQBZ2c4oBbeTCm+o(;YTiP)hVm6+cRYk%5azBAt22|L;a`vaj~pl66vTTFK67`;{B
z%m%PgN6XfCS+fFwkEn$q$sL=#R1I5VE`jIAh$|%}#zq~-8f)kCdbv4Jz<&<@oZmv~
z2XgcDcnCk_7C6LO7&IqIZnHSS)O&t9Xx$e=BNO+-!Xryafzyl&`$PtH;Y@m6AwBV(
z{ES#^^k&`fM%g7Igcc_8Pb+IgZT?OdtK`NLmN*{Ao{I;^c=s!{l#IC=wpyoU@7_E(
zDOh4?XatN>p$ug(6w2j#Ya_%F4pto3*TbAje`uLxMr1PGv+Hi8v2Hg%V!f4krsoYi
zS|B4&!IO3-6<kjtdXz=@BXU~ME1t8wSl8c+%Xc^YwJ3s%rtRgmql6NsaoZm$N`pjF
z;uRUzvGwq~3$6q3J2p;EdMIGun{MC8ScAO9K{tkC^dY})2$o5gJ1o8gb`<$?Ku#KY
zf7R;BR1f7{!azECC6%Nnh$Ph^RMFC<X@@5@)d!EE_Y;@Dpx~z8dtq)!S`pvOkT1wC
zbGeX`hB)&vTV$b*+OefMi2faY4`3AW`VEfeErbx_7nQ4H<-A<xo=L39!jX;V(<uzr
zyo7pO$Zy@R^G!_n&(BnrTN(RZEIf47bFBMRdSgW{*D#@UluBf^z2%A2yPh>@p-3bV
zA~YDb+MVDw?$iVPT~sfwpaZu&Jy?JIn;`xrav{wqw(QP=N^$W7a+`X;W8$ViBxO6+
zWjiOa=ALdNjF_37`QFR1tQ7Sf)*m!ao8!><vF|>!Kae7_+k$ja6HP-diO7xgZ)8GL
zI{}OD9oUaOvkIq$X>YynHy~JhLgeiqB4y6C#^>YDJnpyPJ!!APo~se;>fwU*IGq}o
zL*Nzk8@>b-O#oOG7K6U4sGgy@{p0IlO$P>v2Fv5*G>9~AJA5ED7Da;_!pgh=6%!p8
z&514k$;g6X2vy_u@Wrsr4#^sPfAn;k7aKB3_x=Av-8+9*`Ye5*6HV-7V(-`!dty5i
z+qOBeZQHiJW83z`c5?GQ=ias6bKdtKxNG$f&-3)|-rd#J)!kK}u7Z)#NeN)f%FOw~
z=1sP_K6s?O@2NAJV*4Uk^~a_=;uB1`qAz+r{3Jio)c8qUx_fvQ$sEPsZOQ8w{L)zF
zXK?T?aT~|z@G_>_{0d6U<rEa1kF^_hHbfnduzSL`IRx~jwR@ST+{b`Dz>jA0x;T(e
zw9>Z;1%?;f1{%h*e?F;32vn(DcPwT5a00Ko+Rj_Bqxrn}w&Jdg)b#KltTz92cG!fO
zbWRU1LYWPFaNT-+Y@W8nr1)b^ZA#vx0u^`7I&S6x8FR}9z^nF|Y4u3>Zu%o0ax9R_
z)f^i|SrlUIiVthn&0-ji5@8Eo>HtD|YP@6vL_NJy+O}IPEwX<BjIMNqa{gMrks-Ip
zo9gLVlL)|ui*YmyctHIYS|jsa#@UTVt;Hyd!DCxt_F|2rCDxa+DrG$?Zmh&G^cO1x
za7$p4me`}9&T^hokyzG+2H&9gKi>nQc1ruf%^$cVOL#~BA_FD0jKW?{&C4l@|Kw)F
z2JHGm<`l6Sn<SP>eSBm5-TL{NWQ0oPFV!F{r{STu_<Bj$Hzj<snwWC#`gdii#;M;t
z0$@grU#kCLJrLJ8W6HJd-SIl8_|nYo3ELRKi^!YV3@4L?Zu0(oe4f&*OUnu84aIa~
zFqk9(Ev@(6SlR<W{F!jY;}^!=w*TnxYqrRGEz?t`^LXZJlaPuHJa5W9IyqbA6$&{r
zy3MtP$a)G;@PJACcT7+u&SD;L6ieE3Y+N#e=6br}ks-E=%ya$T<{CzUZaZ~|pufvY
zBbKX*zHRfKVYS&JJob?%P}z&1=T6i;L1npn3(50&UF<CjN9Z>4vp2URozqh7gNOBs
z_9ma^Gq$~*0&(gD071rg3)l7P48qxnkdG>mCX|}e+X8@YM<}}j9ZAU5!b)nd2wIm^
zvcDo?NIW{9PtDGg)yVx0b|a3`@pd-1++l!o(S1qh%9XMUjKv#vvh=Gqo)Qdc|KL}d
zfYvoP#^=T}_qqBF(=o$G;sA%sgTNIv+4DN54J0Zf3c9hfb5%WdGUjNyh`ib%*Xir$
z!+h|J!8nncuXcSaM69ve<G({7h~oDT(%tZ-uStT*AS2;SUh=m6qyu1l%m0pe2oMTJ
zmpsy28$sh{*#qNdXzBdvT%^ezW|HlRu;u+q!rA1GLFXt_Z*@+;Z1;j9!pn-Th>!Q3
zC`S&%ct=uZ&_`V|P#rJddN9!yE%xdr7c~DnZ0Jps8}pqnkB)({aaL}bK~0`6%E93+
z$j1ewPG30U7DR9K@so)Chl$NjIB9uJg@X<^ryP<LZue8u>UaiKOdSe6-d5lxJEP5v
z4ccZVCzi|)X1#*=QQ1v5^zfw5fT~W9e4DYLVRj!(hwe{kR{qRu-jR-)Z|_bi$phjQ
znW*EC4Z^^%XV>TaXV<sJ=9yld?o15yD9hDv(T5w?3v2{ET@|~#>okTKiooBHu}YgK
zoIj*0wHS>1cwEmjtFK4*$r)YuZQ+g=;iYk26CdTfxybnsm4^$}YvxMG8Juo}%1lj<
zbLjfsIGC;nWKXY7FSQul1PBf&SR#%ir@Em9ZN(Vi^kXLYyuz0Fbb=xw=?M+xz>oYP
zp4={q+2f4@Ml#l;a%GY19_7$6@^TXHub*I9zD^0WelGiRaX;yEeetS6;Pc%k+)*8p
zY5TFMYDDf$%cRa69J^B3Jm~tk?_Myi%!s^n4tmE*SIciWuUclvavNx5GYCa(w4&}`
z=?H6HU0YWFLgybxQr8;ZgRI~8jJZCCdZ5i#gaiyYM!87(WCeSBt>uTd!(WCgaZRJK
ztL#M}axhvWmyj1u;jQ^5YkPyic0WfM42X_`zwSpRKDixyZ`fmhI7|>daS`F(HLVFY
zI6uAg4s7MC1O``cR%<d9Dao0JG1YvSa%-nOLtk8=XnWHHM`H%53?YaJ*wTAGOrj=M
zQQ%Ek?VS4WrR4g1))Pl*8FwLX7WiLp8jU8u?K8PvuZ#fp*!E`R{bzbs(T19<2X?5{
zT>n<mGv;P*jyLO6JG<KN8Zg{igp-p+l_(|W`e}UrKoDfJ-h>d%RzChRP>L#=I6~d_
zO)jKgEqA_`B+U^Juw0^U`MmSk({x_<iW1~YGS%@&CCgq8mD5WPu&_KsQNhq=VCT9d
zJEu%h1d!7e<$KleGb)5xaXr|2eEWW9S$(!va?A7Nu5H5%15Kg$%dF;X4$Jj2nS#nW
z-c~mF+ac;laz#w0H+(*Rrr!}hZWZ6>bKK4vV$p8-7J{6-J%o!3%yy$<i13!D?;hYa
zJM#f~5YaqemwsNS&!l`C7bV(ypjmR!)-yHaQQO1s(U4aqHX;4~P*Sz&PSo*q2COs9
zgXCbHzYA9b_Or?BdggU*yK-2NdHMAfG3Di>nIRYKel?!*w;V~$y)Imry9W%N5aQ1A
zCPt;JPEA#j{#u<Q(c(F$|7*4nj%>tveghj9<9B+QtO$tPZvN;=2L}6H#p4xH6v4r+
zkluX!0WU$WBo!X_CnRn*cg(O=_+FFh2zs5V@+?63RcBv#7Y%e{2q~m5H3wD4-2*x1
zs<_V<&1g%6N|97wmvni|UC#!<e8Sdr%!WNxElh>i6|tX-O<Cet82#J;kq5q-Y~u=Q
z$}N)$=QZj)&;dv|{_4yLm+!|QNHd>uV-%Nb{7n0A^OXkF`puP!im4t*CWDpu7*%+}
zEo2SzVSo>zS0q$$+AjQ%RiYRJltA9ik?{h<D6dk9l5$?cV`atq&DMR5oIC-d9Xv2(
zS$poqz2qf|R$#)EktaBk`b)1R+R?w7FAqkaa6^<Z6)nYyyCxZrGFmdU#nvS7U~b8;
z_NdBiew-KZ`Md7tCGYADM#|G}FXW}-mtlW10JSDpFu1>n0X<lsj#4dh9PfI6Y>K3Z
z4AS9fJa7FO6<30y50zd@WUg)`GOjkrr|*oK`W&0|gR91W@(0F5cK8s!8(R58hG2L5
z;2gQ=fPYT0tQdzLaaf%hQo!Pe%&-ZrnmPhyX@L^WG@I{DrB3l@b<xxh?f8tIgqw+u
zcwdnJ&lf;B(TN26^>Q7ecWfqOR|Es{nx<DjgXb^Nf-JtsaApVwK;kM?rwDhbULsWd
zjTHb%!|^<N(<mTR)#eocPgSL$oPr!oWzDPJ&&H<UFk@-1lE1^07A-Lb9&YaQV+Hy0
z?Y>VjUDT^Aw?m5ueA_2O1OxrD(t~B^!Dvhrg~+?vwOH7JthD4(z_OU6b2L(n5-}9Y
zJe~zY?x0{7%LBpUx-c*!5NFGE2#+n>u2w5hEjv!uX>tYI_6tlEk(7`Ocu;kH)z2m|
zUWYhiFT?nTzzFwxf(MY;7MpclqZ{&@RCO-ByB0><+@GQZk^B{%yrmpt)6*H_vy1O9
zk%^0{tL?ToHvBZDA=Dbx22V!ROM{qv<~d(_yaj<oCiijGCw9!ed0#D-FC(MJX^jt}
zI30<{`sZ{%j9%WE#ZE|U|M%$zQplNL{Q)W=0`5Q5fg+e5pMnSf5a?)MioD?^DMZXb
zUtEh)9TQSnb!Cl^dWYCq9#1h31EObk6B<84>ES3InG@0D8^L5o-*pe1WOr($D1kRr
zymnetiNR4B8a=VB8kd{F8_?tH=9(q*&&EF0G_}AMHR2an=CH9ZcQUXV%oYm#DIpz|
zYs~?)COdy|zoe6!xLpXRJ+f6hBCzG>*Nr!}`i3Bb)Plb~n;T;CYPxS=h$qmfvAsZ)
z$A}JC1Y>icTr5!>3waq;mIYVSZCft1zu4g6qUrHU&Ko;5_2)6)rp354bBH<*Mzw5a
z7#35J{_LLY_CjiQf32BG#}#{KSy(Xwt#oM#RlTEGXfQseTG7wE(wK5S=ur?kBeGp3
zPjfeFiQkT$+?GOLoXQ%|a2&Pc)lSH>!ycveV=w#%m-D6n<R}=T6z;#qmF(E@QRr^p
z$=URXtZRTCg*s7b^xAN`B$zP|<*T^qv!4*wU!ZF7l=_hm%g`um=Ox|OtTfh$9yDDf
zMjM1!0pQ<}?-v5nx~Bm@Bjf|%Mh0n-a&s?2_&gxo?$OG4pXYgT+3g^_+`L-VZ(0L+
zUB2I+hG!J?FMA7>Fx^o;_aSF=B=}x{i6o$s>4)o>dcd8ofpBUYxKELZIEHM%9+I9c
zH*uw%-ceqf<38Z=MjGRJ5Y3OtsF~@VhfIrn|DyR%{?{nvQ9}(u(kP<PYv4@y-Uy~h
z2BWPdGvb*bDHsQ00@~l(LqPVBOxnKC1Ga)pO32Ugko?X}!VkygE+cZ7iA>wi_eaWr
z&}D1$oj<jYa6zq9!IPn~;lJ4%oY;O!R4~}TdHpjPE&LFexy&&R`(Hg*dWe*lV&2kR
z`pF5p!ar!iYE0fyP*$UNX2`R8ZX)HG=N2vr6H3+|&;Nwmm`GuMDd~YfM6(&-{?1~#
zElrZhaOec~1S}Ck)|VYxzTC>Xy%nxlZP3mxl`5A{H;fUMA>aS=hX=dCVr5=AV@I7@
zI->*Bt+=R}Ze0*3F8e;@TOxoKO*>vz5KudQg|wLla`F@Arb`}ZZFdP2;}C13Uf4T}
zeV>1yK(++7lM=`V;B++pEu=?~i#QI*K$=5}8OY7fPD7!nWDv61Z-*AhnpLaEKL|ws
zAb$6&fkn70fdMD~Mds;VO4vR>+>s`7^vr*CUuK&_>HM=OU@JcU*}^k~I(?HU_(Moa
z+Wz{w;pmPR9S8=+mh@vkCk0kb<sQ|dwmV!$QY!V0UEBNB;SCKQF71jq6rxi+Xjxn1
z=ONCV;Y*II&8p*po-()8%hU7TN~!G51qcr{zL;81BM^4E-GZFlnsGSiWhBI_-I)^N
z(A(F@s;V++b*X$M8IJe$fGiVOAI%F&(yxgBnwl9q&U!F2$e9gsJi#w@`~|!s-DDx9
zWr454UkWBIl;|2wnKc+@7ZT3y*BpIiqly0Y3GzOZZ-TKpz9jv9UdhDjR6zZ{r($Y#
z4=(?}GCw+?5vO^tQU#IZVn&7Gz}NS{Mt&-bJ#3@hWpB82?#=-iGv1IYTimRgtBo?U
z&hgEQvORmExtN^pn${|Yx@rKgw~I;Kl*1Do`)7xdxH{QSF|q?~-mqePqM#r(=-13t
z_ry%{pgXMs1GxEejzB25+asLUvi|0LQ9)HZ6e1}|3&}p9h^lBp5;AAwfg-v*<uIfj
z%PDHG;+;^3o%7YBQA71;8X0d!yPM*nRj^XjyI)03mC!&v6&YS4MrnnLKmBH!pWE(&
z?TS+lov|UyBx@McifEB#+I)&yYpz>K_swh3=M4X@)+3)U2@`Lh20c$CDec;Hv$T)n
z<vMcK<jcsqbn<Tt5!8l!g(9P)4|caV3f5|ksEM_uox)=<*T45J$9L_G-m)@|Qg~kF
zPjtvQG`O8eJ7)e?aERJMvom4wYMEu2qK}sY7htbQ7}-Mcvgq#^`!SkK%AWS2?=YCL
zMKJ-^VtYRtHS;+)lR2WU`d-Z@aa4(L(~@_}k;$Z(`^R&?oc9f7y$2gi`R?68GQo2x
ze@0}ze|Lymg(vcUu~3|UG>LC{#5g!4r1n3;TKLA8QPak987a%>hO?=Z9$G+6`-?7A
zN!koS+vkum4Iv@3o?8#5UIG1+Y~{`*e`?$zx+n-A{_U=t`W^A{F$ik{T(SD#Tka$?
ziI{JsB<9=3IrRZbxUnh9ELwWBjVS9oPmKJG4tbKZDHfI*?PcYsl7+M>ioDku<6S7d
z<Y*Y&m0duPw`ShST*X0*^XO^@buGIaF*L6gClhfP(NSe{u0A3ytIcYNWh94vwdTOz
zEtOb`LcYd3xPg7gqa-{fTV{oMgFx<PiPB$|i!J(fRutsZ{-bnh=9qClhU7ART1bsX
zI18xnreP)#VC_wWj9cLOuXl2zsBSEdNqC*I8FR08S>7AWo<-D?Cd<wwR8v&lJw((-
zJ1BjE@@75TAAN7C9n*~aw4)Qh5TuPEXW{D2Wdz5Ln`vc{MoCj{CvO3oA-R9Dbf}`}
zNts7RM)yXB6UIFk5gxcPJQKEpeEjAeudSiZ4`2jFYARn`ez|&#zg3`54h`s@zC@}v
zdoyi%c){pT@dc}7;r64Zbbb7M8sQ2*8c?;S_yg-!s>1$Y9uq%#+j!<}y8LF+1tE_Q
zG)cZ`8--yyl$44MP}GS9HBD2_h!5?*Gg~ZBX{n=&EE*^_h~HUT`dzKeQaexrjkr6$
zMxgsQfxMQv0`L3g0)ZB1V{ouRpj&BO{oB7U41EYfDS7>^%HN|RZLqbj%ncmypPdjI
zEzJ+Rk<P2=ik&d6#zurcMQ4-y0;Bpsf^u?VR&tfb>g4Qc(CC>f(2{RS{LNm3J7pQ3
zSn7>H2=D^+eC|=V!^e@wLs_T6-9d(jPffJ3vEk#qV%ftHWqAYJ7$XoWH!OP)%%=*}
zan+DIFqFqEO1YtpB}d2T^USm7Y_ntBe7nLi#9GO<Du-&YTJoEWl&*DiL#bL|oT<_j
zksdSWjF~Hu)HB+VCLW2lVR`;j<Rjwm^Xpq$GsBJs&lmP(R;+aNl8TRAzFXe@(JBa$
z?-hpYMAh;9@SNGpl_31bdk8WjcciGuL+fP3p~%5P)5h>PjC5MFJg?w)#6Cw63ibM9
z$aS6?YV7v(z2a5^{mr}uTXW2akPurL-j&Z?0AQN6+pi->BG<&mvzr)Zt%S^sfEg3=
z(NfU46#nJzyo&p{469FRY$Q9f5cbU#A*Qt4PmekhYl8fYePur&T_}s1d~ksrsZUlx
zIFsdZcw`PW$?+kzH?));bU`NeCevPFPEM&LC_djM(V?d3El-9~2t$EXi42^IUi1@f
zN*r~<J))${_VK>3^jBcJFcB?cfltD8l5~Ps!2V`RJhk4eeK}>y%pcxQPPFvJ3c}P{
z)a(vnAFPka>#Krfh60N~gBcClW_ND~PWz~{<;-krOti)@`EuT#Jc1-$-D2g8Z*?1a
zCw>RzJIt&_>LSuZVfrO<7=?Nd<4aFTFU+3lEW)a)n4s)-W9^REM|3fkG;2Cfh$zkc
zic|vTGU`dfo>+~8W0_B@Dq(p*FjS;zOkZ3Jq56ztuHE;kE}{9RNL69cl<@ACZ<0Ug
zfFX9#J0sBkgilF)iOa_*GPWMk?jW+!VF1dw;Am|R80wRNxA|0RW&#+wuqD&u{#-d&
zY8l=4W1l`%zGlTHtY^p^acUA~gpvXz6jdmxa#ErcG@>!)yJP_&`8e6)W6to?D)`!T
z(su{US~%&#Yhk#NqPu8C0&(`pZh7+=2a2|t=%K!;P2fO&C(<t+W%=~Qy)ZSf4m(72
z%_Wy>5n=7-P5_DTWLI>56q)+Wol2cgIliV|AEnfg{(}ww*>6tlhrHY8Gf-i91Buz~
zHbZuhG1e5-wmg%gs^!OicPc=2o~$GWXW9ms<fUzz4y%Gax{=l(B-3V3P$vd53UZJ!
zcd=KgzC^xkTzztsQn{aNsDT~WGBAY@lh2|Hw}jD-TWKyizP6U7gU9oPARLWfEmc4s
z2W=h>x!2uDmPlM;$8zfnM3m{C_R}wSkh83snN_srDzk4&OYr-4CR?%oeYNCtcu`X2
z`8-9=p0Wjo$BW~2rE6%<&j>ebw){Afo_5YsmCi3cgw|ZWq?75|eLi2&f`=LCJ@(|q
zCA6$ZSv~74W3vI0c1yd>vlHrK6~UqR8WfI7b)QJtEN{xgPj5KrA+V_qp}xqj80$_q
zd&GZju55=$Yz1e54D4akeSIpSgv@2+wHL-D2TEJbMO(WQLNUcS9i8iTC-!kDp+!ZW
z_L)N4m!dtORn}y~krVvBG0hsODrSCdqyC)`8JQ<?_hpdy>D=gD4@){+i7v_qS_2h`
zyuz`msA=C*cZ;VE2|L6U8(5a3RVFpf)B--5n(75@<p>SJ<}(7IC*BBr1n8`m_+FmC
z8m!LLvaVON62->LnJpMCOAA{URMOYj`%-NBaG0$Jq4&pvI#1uKJ{VL?4%J!JIa=~Q
zc^>mWuNc{#31PB*o*}xjZ~0K<bHALtP+|R+L~d?aEjGh}BUlGx>UzS%^3=#wv<2m(
z)eg*Q61?U`N4scx2@PhwMDZ>(0FHtO`KUrRz+3)usLUL0DF(ySxCpknML3=o^TDOD
z6sNjIa%HvfEuG6QZ`9&UBW}IQ<w`V1&HX#gB}+R-XS^G<B0x*J?D3s=c`npdcu&C{
z+D{W=!r5!J-h!>}cM+5op4!JBntA2IR)7mQ6Y=I@66sC}OLQ3;o5w9x8Ck8`7B1(D
zlY=ftp{w!DspBurSF0gE^GbyYWX%aWfgFtu8y1Te^xjf_!3g(btO!glWRGLM-7)&^
zUX#yPOk_PBlAc!9+1}}RjdxZ7*W`9AX+xGDXA<(`T6et6Vle1Obp(D%W%DXjF$(ny
zHN`M}LHna8ks39Y8_0K<pWK_S?r_p3cg(8B>#Q_t&8ZIJ@4xj$`(`3+-fm}6)wHF{
zpit8^I0T2puUkxX1jd4#9_KRLJmB&Cwf#j152vj?8DC-F-X=^O%{M^()#v-2`V|Ek
zKMgIU$IltAbBAh<wr^9I9xWP*bTBYhwNp}N8bYiSrRIBGPwq=g^hUMq7=WcBicu(K
z-^+>}MWAPAhx|L+<xo?Z@}j6Es>yQy$jeiS!Xdws9u*2oN6;M07TcGd#+9D972k9<
zw^^Q?h5Le$)O?m(4NHj&d2>Si>^!DEsv<J|tHEcUo!`Dhk~A52;d4PN@|x>cP~pGp
z9=cJFYvXyx)O5)iay7%VvwbMytsKcMVh4H$49=D9D1dLrR%XPOBxs>|gHJz3YHf|@
zLzo3G84IYr0zA{rer&1evv|2hcpGz)ZLpPOw8&m9=#DfAvh9kFo|bm#j@WI6km;x#
zFO>`m5hxuh!C`3_@71al^>s(RR)n|GPUR~U9L(x9mG^1{cPSzJUPJ?;MQ9n?d@#=5
z|9+ljLVBVttPW=1ZNioU07z|)F;#?N%s5npVzqzZtGCf#i?s)w&zB2TYY25g<k4a`
zJ;*^&1jGac1jH_1J1+y^(_;eSdKRuS2*xfZGdK?T(l<D!I*gE`@VR`c!Pd9`5_gYy
zpI_Z6#*YPtq^<sdETeK+x<8ttWq^6Fw(vdIu@*45&+z;{fM+|M*<v^Ri@C~>;}mZh
zs{hgpoNbE{p*)GMkL%LM?{Ui$9Z$oH_*%Z~W8=&0vn~b-_yu|&@arHw(L_p8npAdl
z14r6QV*#VZdMtjs<S3r<C_;wHYFbiQ+G(lMD4xl?f%^A>21*MMyaIW>0wN6MQGc(=
z3;jhVdLtaHbi{s0^5PELqXNkG2Gbg{6`1{@s-An1YO|kbKiG}}#SHDjdxN`~_JYP8
zzIT17ak(S(u|j`%N2ey;C_&0%t#6D>3_$S~h3y3#9cx!aa?sHU{m_AMkEMmZD!b@7
zdF0Psmq!Qlz0p5Ei(Kr5uW|4%*xZO$>UxjsMB;mD+NkPH@DS<M8h?);H-2~G{nl#B
z7Y9f}a+f~~h^HI^zO{qPS60(uNHvUUovKKFTbT3BbV?trIGO8?20vT(6^88|;1ypg
zUnIXMwx(Tcdm72q;j`3fhbcFZ8M2=?pbbwfSh1WP$Ef9MGI%9Yvr|hr##^%$09xJp
zE$FK}OIoyQaO=w1?BlP6Mf1H0fQBY{DU4AMhx?-_U7u$AU?5k3y*P)_Y#AAm`062A
z4J93i9l2&3GIGQ?qkQ;Emm!~5Afx;s^$RyNQ@c`e^Z4Bv0tM$++47zC!%4UimgXJq
zue4XZYJrl9W#;;fN003~Z7&+^Eb9IvWp!Iw<Ek|kx9^hyWzF?n%o$GcAc@bX+X<s;
z{kd*n)1!@6cqBAd2owyn-xXQ7q;l>0j?J8;;%wH3zj~)V>CXX}{<Ey@-6g1xI4hHZ
zAR{q4#4yENvoEAZ@-i0r)%zo?#T$N!ZGx(H!{1p*S!sOo@HNd)E~Udhx!lRXu9?di
zMbaEMl?cpLNb&UK-SSIiOpOIU>JBw(+-U9KY?U)+mCA>e%`zk$wkk$_x)kbEVAw&k
z6Amd^I2$pjurG3ZX;EZ)IL;{kTdj3+Yua^&&l}-l^(tKTpGBw!F)qzqg+MlQH$r75
zl<@t#)Ka+}zfCkFg8ro~TEQbClI!c&%k55=t=I@%m!(wQJbp!t&nD0ZkO@ZHs|6@%
z1Q9W@kZULegxF=$=3FN*mwqpDMQ;XfVWE3_ih(jG>H)3!IyCX564M>pMUEfooup3g
z)iUzSUHUBEZ`MTi=iIg%3p`_|0KE9S%Srvvg>scv-8}QFStE;Bdj4?QwK~(L!Q?7!
zkPtMNG8Rc?LdJF~NjZxK6xgP>1|jG=&D%@Mcw=}#MuK5U+?1aY<+zy8coydJsMFCi
z2I?+6o2JG{7r-tDU}f7c5*b_L1)X#eQeMju|1mk5Ur^T=|Mq_T;8_bS9h=h8HplHs
zZO2wYY=<Q1P<eRvaO^u~0!JO==L#{>+Uo7Mo9fY~7-bLIOT~T;2m}}V15U>W%JL~N
zOur5-?w_7WJ%dr!QdzvlychXWmu*v&QJ=dAyGKnda24NPZs>;`uK~LhRF60I4zOi}
zcI-4KB<|9Vhz9ESV<F~g)gu*<<MxQo@d9TezLZ1kUS`X;Z5lJ)u`~i(ZsNPOg}FM-
z4>jmpr}G9Qsw8CdOVPOgNqU>hwT5)OA2*1O1omv!r*oT70c>`CnJG7`a2>a9qTF2G
zwv}{Q6-LNdWT~KwHk%Oy-a3(!ail~%J2|Sxo*~P7sisKoFJIoqd&NChDr>CHK`Tx+
zpg?2_ZSSFjy7x((Zmxu0l4w<1Oex(PW5>Vi!)#FyV>XX&3>roAMt^dD0A>fHh0_mv
zcZcXsq!2IrANsLcH1soF7Xr^)?ewKp-|j`lguZORHbLL$T{2=?2poJ~u-xkYz`)*A
zEu7FNF!#}S-eaXTUHFC6e1m4C=w%|U+`A#|-c5g|o^DxUV2)F&8E^x!b*$|V>OR!B
z;;N0fwM$?gE5F(qVu~TTU@qo^FzP>9y`=*8x@Y3eW+5n?L_YReD8<CATa&o>v&n1D
zt}NpQJ@x)d$<3e#r!EW;qSFzgwOduYXG(X`>4M8`iD!HMCpV@0Ot^#9i3;EAiViEB
zOaIXt=s_TrtctnYq}aMA!Tf@N9qKgZynWP4Kq5GPVuLkH;Oni8f<g%S+Eg`oW^+W`
zzbHHFxM^ef#y~(P{~d6C0NwGhdrRT&%DpNCPQ<TY-|;a?lfv!K=xUqIbVxHBWaoNm
zVe?Bv{GRtQUIj2=)n+(yPRNQG$exwvcVDiuM>T>!!@4f(_f5y2TI2JN&QS*<A{%PZ
zoh3CRuf6T@Hpo-+aTHx2aAiPyS73kp$mWpHv;Z7Fk!u&;-|PB4;&BIa1>zh4RTxa8
z9k=_qbF}r5&;lKMgJs7eyXTh`Jyg-_p+h6UWj6->@aUUfk6JeuU;A{#q1wQRwG`cj
z*OfM>qA3(nm}>~~yq}1ntN8SdvnghN9I|<5;nSPYObbVMx~DFon!ne(CfTuE@@P^B
zHX8Y=fjUvQmv47(1$N-q!JTWS7YW1JpttLF|Fi2wYqIU*aPCz?`o8GiUaXZp@cz9@
zpq=-9=Jgdq^={(THin&y4Y3PFrVdGx%NtGu&|<B$#WmgR#NeI&34wA0<hcw>y21!g
zhEp^BU~tK8`Q4f$ta^}wixE&3=3hZ7IIQ~iu;fl6s8ro`K1~Ni1+&JE3Y28q?oZD8
zrTzE)cu^UYSh6E}|7)d99_P=;?@(EX9KA4ITV695n$5ntIkm>*y>n;RIM{xzHV$D&
zi7XG2NgymRy72J=^gJMjC+QugPxZ7OZyhhv!KB7{ol4dgtR$uQhfZz4=#1z)H0hJ7
zb>RZt>Gf_=XtZY_X#G0%PLGMQnX>Eg)c3qKxFGG)?S``MyZ0KK9d>A|(y^oa<bM>=
z0tVb)lVTfRviN><Dl0S*2raFVi&qpdc~x3&fKETAO}f6X{Z?&dK>*`w==-B>b(LDc
z^KrTMf$1%%vz&TUdpET5BtBcY7P_pF8=@i6ZQ;KCn9Mii5<YNVH{o<VeRg+5Mx$9F
z03eykyW|z!W*C7X^Vy@u@QSSdQJIu8gE2U%R^edXcFp;A<lpLg(^?v*XIi3HnSe$R
ztQ1df-BJ{8=!Fx8&^>%v(UPuaQn>fhWd#qLHg6z~qUjFizHU#?$%<mveMHy*t@g)F
zrvuW*&fs(|m-0piuv@N{t-BU0Rjb7H?xLc%c~kUc2(y{`^4$~ABw1gB)Dreov?Z;P
z{24(1gAUzg?E|G`S;c%+_qaw+we7^L<73=FjDQd1Je@^A&pHT*#uXvG7H2mF7&!wV
z$DR*pjZQQ{b-%yhtcpVPPIRGZf8<`p5Ux8{#rb(`5Wm%S!4rF}>t5~##`LVV-Y;{o
zj~-3IYbew8;E)cHQfGT6f4vL;jBot%?q!wV7jeeHw3Ur8Rdi0urP|Vh%eh^$j`U)5
zAo5HHAA32Aecnf9u;+n72!c|=20rP2ALAqPJ+iL#)TuR=Qq)h}e004`C~;MeDwd1e
zJImU1`!rCn&UTuB_y<Y}Dk$-TSp>eCMPf1v@(GO7{cqu!Z6N6n`Fk%CuI&*@#jC#_
z1lxSF(tgz`Q%7QdTAMmw_lg+k-_TX$x@?``Lx2wST@lTj@85K~Kd}$JE{HH3b|(q#
z;6eM=bg$Sg3`x(DVNKP}0$h6g5u+HvQSn5wzx))g{gr-txLumz|AFS;p73m>f}8hr
zJoYp%TwJ72nhGHjjpy$gYIajrFmpe{XkwBpn2p2OX65kKL7V?(OFr^qJ9O@UeNlYN
z@Z1ZHLQsI#U)&LR{l2!dsv&AHP?dbuOFgv>8`_DoQcGX-{;0-$ZpWkT&Z{%qDKj)S
z#Rr3kh&bXM<4^qjVd}O~V_yz(P|-_QPDf^HoKW^KiochUh(~Tm1fwvZu*=k1enN-Q
zZ9Oa|>tET<ClZkz5ViYVF<qY)wy1$*#?@hm_<6N9R=6#{;0}F9xvulBZ3kf_i9wsr
zu`pN!kI{Ob_US47IpwX#8Cm5Fn2gu*+*E7Y=7fJk<>k^A+$a?NpqJ8Ri{rlTh?)kj
z)bY#4?H;M)$&!dSjaM;?0QnIDdX*f+F&v0jH1Q|)K+$}~0|`GnBMOoC6*rovK^(N6
zGu%jk_XV*FWT)L{Nc^OkYy&vS0~Ou<q7xvIR0tudyi<za-Pb#!wp+O03$R9=7)U&>
zz22Lt&pbGq2*~gwc5HPA?~};8-ZhB(zBUGn71uZ-4*JOZFmG_YDuw~~8$%R2=yg_7
z@e84Psry0xIpDW)f#O($NiLjVGhM<_g{}SYZheX!LZ0OV@=)C!c**C9-aY<+WJe_m
zn#;Kx%C?pt&b(DrTtI$NEAV!1qCXbqrr$;o5N+HQ-j@%_Xtk)RHeOOfbi_c5z8ROf
zx9KDOtHxwyxBc%-rdRp*d!8B#|B%3L?308{JiJ(Hj*Uz&P=M1hxKxXYYU@y(F~qg`
zGANIR>o%>p+uyUDKpJG#Gwwcyk6O{0Vy}`JJ%`#TY`1=iaqTCjFAtt@Rjh>+NJ|~L
zk21Y!D|4|r_y)Z&{-Qh);{tXouOArP4KK2_=E(d2TCjIfS!N;BMy0eb@9?%huhKMW
zeDFRr8KhezWY87q@YOMcPfINM5xn8IOjj#wm-<016HhN~JBBZI&p0;&SB!fz<!(JI
z{27Ho?&R28m5IE6=(^-vOy(KhP6HpWcOq;U&QD&q2^O&ErM*CGI?0Vc<38?Tca*3=
z^y>#k$;zZ<BN#vT!!MMnuGL=<&LaIS4)xx4pNXLkNO<y*w1ADevta$B8}rN%PjjD-
z5m4Xe02^m}DU_fp&VzQU?cln7`zDO~x<@xy!_93GjZ|Y0=!_dcT0KBh_YH`)r#=d^
zpv_e7-gO@^R)h?<bwBp9K`}nz`ou=4w1q;M&OK5I(2Yl0{Fe+jR4~fZ#V~uk=OGfu
zuw1<XEfiu+ulDa%k5@ELu)JWKc8)D^=@;e(j~qbo`;)h`%&cF+@AIMmuG(j4msE15
zdyhTB?FrftquY<b*e9UdI~6Ql;Th!?u3y?Evfo8#l8eMcuDt3U`GNydLnr{-PMV-a
zRjNH69J|Zt*7@zJAA^{T{*S+*_|K6e?*L%mlejky%>L_^rbK{OYzKYiotkeVP$X{4
zcdpxX5!3NVFphKrTW3=1kB_+2kH&G%SUR&#Q7Kj-RPrr`x2<x;>kqC=-HVE)tG&ky
zdxt#C)SLI+tpfNqI9i;7Hc_7IJ|@@SU7t!7uairVZZ}-Z$6<7sE(R{+I$cAa$`k!G
zK8qDU)k=e}&dYuBl(f0pIm1ljOn~Np=dCF4Jq@`#Sk9vpMDSimF7-e*pKZTue|A&a
zCSQ)`txN5X;;uTM>Ueu?&t1X5br<sSzFw$Eb=crZknSyzOv%Pu${@F#M<Fji9>R(D
z^2ncgNgeYU|HSV;6(O0_sRf5;!w@c0bEVnfpLk`qh_6eKZK$Q>-Kkkujj@PoaI{1p
zlj9KMoq`C#0BM?^#E9l*LT`SsA}-BwF<4Em-#I*|2Cd{#APuRJ?Kj5s+3H4eq)Mr8
zMdXeD1|8FLAkagle+-=K)=xC9G@I7;F~n_SjgC>WET*TsJ5@oH;ILDmvn^{9D4m~&
z=xj{Z)!L%biWVLl0AE`4gmB`QzRq!%`ZZC4(ZL~1!|FF>mL!a_@hNwvCvJlk7W84{
zLg7G~=V|#S4=&2;TU=jQ?Ldj5uW!h>7a_8PQZt<g*=W6t<25|YuzPVHd`O$dKjDeW
z6b68mRedIwKx9Ne(0|P8WGAYnsE7<~ffVTL7s7N*v_u}VW4NH;#t9%~F4^5^$ryLU
zjgbDM;V;J=XZhVEVO9W$%MLK3(L&y2DCm2dETP7k1xE9}=yqs|rEXvB1sl_*^#NQC
zcNOc9hzu5iWJZN(kj|F^aYE0{PL2YGw?Bww5(Xs1_>%s3G1j8=Pkjf;g`ZLVshUE+
zV-M&#?m7lTL2FR@k=#U_^&~+!%D^7plSis?=*~`rl^dDAtxbs^p^gZ|4U2!m$c4JE
zbQPtgeTIq)uu$3)5&63k*QW^_7~FMrFEXs4jN{6afeH-~GWB0oOHG*2s>96?LytcN
z7=|aN6WuJYhQEq4<Y5P<lxMiJ?%0mg0mOa);=!rz5UoQ>u5@u_69(i<!@-^I%jNh;
z&M|kRi~8tuh(Hfye14Nk;!Zrm_H%QHvd$JIC)4*G)bAQPf3iEt-RxlEhQ$BLB?fgL
zTTWv$3z&E1m>k8@%jG{fDk$R}UrVs)$cSF&w(CydaDRRx7SP{IDE`Kxl0YgYP?1tS
zrcd>27WQ(j6S8#I4<H|mjK2VytAB3amau!9OwdzoVa0G+?lS%B;y5i_eAoSKqY=lf
zE~PfsaUzP24$2xc>icHW&=|2=1*x;dVq!cB_=4{CUi5H?E%dhP0|@OGSU;1?g-CHd
ze|?{6u`E%Ya(L^$S8zDS6+#$gu8)5;%5+xgV^DK^V`*1SC@cX0Aj6AS6>+oA|5azc
z!bL1Mh)-wzyI7Ku*Gmu7*ya(%*OBUH^qFv83myN5vL8tv65S6*^f1GR<z|ay!|vE`
zE%q)P1@eGCP*2-^U1rM;Kcsyvc~wbvw8-WBxX@wsSrM*wVwyTePuX`Z?DMoRq)rny
zh1mgVNzDt~%yl43J`wg)q8eO+7~y!!vY?pcRLnBMK#g+@Z-3!bkHlUX!?1%-eyR)t
zo_LUKjcUnnd;b{+0z8Lr!f~1TYI|2Vm)M<P-5#<Hnv!Uvtxdk=>1^1etq+crsBKZ!
z+JBIvJA6H|-Y^9@Tl7AA*`L$tgX-I>k-LxQMf3Uy?{8~;Y~W_^gThrs10)EiuOuAC
zIbtJP3LNz|g)Ul>z4(5c3T*=LdH)E;fru!EQ=d+M)2R*Mh`5U<H6{Kb?ToTktlHI_
zhlm?g?dkKX^0Fx*6Or5|tiUEPOEI+5W%o!#-h!Hy{u4hE`)PQqB!r9@AAr9~ilv$*
zAmQKjbdg_7^xYCePD<Ykjk?y!(NcOeuz(30CH8Qd*RIp<K}hkrYPOq#ht0$JOepQ`
z{P@w!b<Y?IWvq4M6`_}p8P}T_DT6NVEA||J=&6z=gPlu->*WMsYr<pShMR|a%aoet
zCk%fdDXVdIfnL%UckOz-hBZ633skE9&U}NsT;NtEsQ3&nYH~o&w8)iR^BD#^@fLq@
zG%k}S5+1-nB_FEPAa-UzDI?g+<3a49u5L?>9C-nU6)qkJ2mAKWaU}kUwcS}*@<%xe
z38r2Bk4n<aI!!PDzG(j7R}>G64`D8^h_2BIF;w3jin<#IQrIX>)bQ-GXwOFx;h^6s
z{?8@r<4R}9L2ktCr<b|y1@?&HaKUS(TY~vnZ$X#wmv!?IU(q{VaoB7S2x=4N?Dwa=
zpF0zt!(h!_mC*bKh_8-gRck+zEY<bV^KuI%gwA*|y^yTqcxdIUf2t=n<cr1-A2H{N
zqus<k>c6!F>n_#NXQeWK&*fED;qwt@?{EoU|K^T8Fkv&mcKHS?Y>%LCum?9&S|f)U
z>ZFukQgp>KnQ4URDg7^9aCQ$rWh4$;mZS2_{z34C5C$VHO$i_k7b6*WA}N0b@h<#P
zAB{^*(>f7ill;~@IXtN@{2+V=aqZ0nm0f3MKbuD*DhvGM0$eKPBik;eb>_Dw#pVx;
z@VUH^EwBAX0-aRTn+0XI@$7dpPe44R<T+G|aJ*e~XYh=_`chTx=gv&+>Ctu+<W?`3
ztY-w5we@c^z_Y9Oo3v`|0tDaW3!mNG_E8ZEVOJ%o?}pDrPs&LB)meExLyL~kz@ik^
z(_<!^UUvVl@%KA<l0$_77*ElEx|K{1Qg5no{ezzr-(B=Ak|TT{p%@dg3_eGAroG*K
zmAou;V6n}o)VSJxs6ye<X$x5c0P@etsYMr5*#414gN6@=RA#j89&!hDUa}6TIjHY4
zkUb82I0|+O3Bp#3Yu`lOn>G<X)9Jy`hm){z!bi8LP3`@RBH3J+vxY}oI62T+R7Swe
z5q?XWlg%fZ&P}89iL=_+4o1{vZln>GkRM#TAB?5iNskIf#tg~leI%K5FaD*r!vJLo
zBclo_C@g>tFRS|457zQoD_{MceAj@Zo;pt|-z5A`@0?_|uU<%94<}?vNn}CdW-A$;
zmltf?&#HPzU!s5*6etd!Fz-&c$kd6;Xu^Sk=(`dN(qqX@=-I<Em|Qm^QlHkm7aO(M
zM7!pCMpXQ1KnTvP-+l;7(LgX4gwpLrH#5=U&A&{(+ethO?#sVCpZ8Q+Oy(58B{Z3+
z#o035X^^qpl#jjVHd<Vk8-KT9Ett?{;6TTGgU+D#O%p~n6RzY|{nA1HlXA#F;nSRY
zLbzZ_9b%yQ^(Lkp9Zns>$`usTKRdiwkEwj4y|~!>7JPqzIoW-13#jkxgd*lTo#wQe
zUid5q4HmZSeNZ0H*bqLP@r1yIo+{G#>hrvV&M=o@rHM8D^49+_DK6f0u{1aeYbWRP
zFNa*Gup0toMF3B!l1$rq;r);n8aS|nAr?KpXAu6=#QC6Kk&M#ja}3d>zLLU!7^UgZ
z%^n2*A?p83$&erpQmARMn)pZQ_5bFKFXs54iCq>HO?na)v;3bO)Bj4E_}~<2Uxicu
z|5><ob82>Uv}|)K7WIF3zJ(cl+(K$ia_$Q{=^HNk>pl($6mnHf&S@#Q+jRmaeX;TX
zJNW<K!(Sc{4-XGq9{2eaa^ZM)pEmkv=(d)Yp1FRozyZ?ap#Toa|Df$ZboLDw=$V;8
zZX28znAy)GG|o>>`{VBqcIR&;J+rTnZ{qVmhwGnbxoW86RfVM#b&9n4az&44nL)#!
zy>Bg^l(vWe{nKBdjikD*O@@TatF!yp|2y~V%YEFpua>&0b5Q=Tmi^PXRg@f41r0y$
ztpD!nzj$8zpImxbYVv<g*8i?wPUDMn%q3%n{!h-Cm;B28dti1@@Lxpy_p7<&c3uH4
zYhqHLk^+pX+DZ3~J{1erT7{L>X!AA1|G|l0y!nO)Jzr_6|1-Cs1QUPr;&`!$<HgA|
z@S6?da;R8bVtTX{qurBJzYJ~!4=B1EMb;Z09||t&|5eu?loF;HAzI0^vvUUX=><$L
zEktIRJ1&3QZ08BPEqJf%*Fmk6hdmTvNQgekP|g3I7yo?e*^2y?8AA3qYVT|}K;;6*
zmw#gw+d+yaHuU~gAK8H!`Z-Wo-)=YbK^i+x+7Q$Fc;?Gvim2W!q>jPB%Xv*xdA#1+
z#<D&4f7A6}Gx$>%v{8i`NIEpQiaoXEkWQ46vj0B5rMwfL{RylsP&)R=AFj`bqSjht
z9a1C-&atxv>tM4(yKtq1Y=6MbvAse3K(agjKdP1^fS%{{h#F*Qt+i2EpDoWPijjJE
zC;GS@X=YFITt^a^e;*W~5w8$Z9hn*#N~86->cimE^YJ8J7Z!4R&dRlQc4F1fm}l9Z
z-PKPReHtYgAnl=qA6i#2lSh_t;)4CZ$o&mk6{#fAG_O~ahjjWB45e6T%*Ds5=guu$
z&&t36+>Iq1JxT`QnBrP0tK&$S#`}np`R;MBf6kbMy!u-ucA&o4r3|qqng(1sf_9oE
z5<ZsigH?L2Rl2e1QWHcP8?<j@W2q*9F>y6du=wG4l?-&+l8@&9==&FCZNq+5t~*GP
zlA5m3pzNUB-5Wa7@xGabs-~MN>ro?<S4<y<6&-Jtvb;3d_zv>J8wQ)A63bY|sFJ?|
zNsoemr!&^+u)&=y;&0JwTj7>Fnd?Z%E1ZS-M7N@Xsf+(wt>fpHlBqFzwC<o-WYBmd
z3nPudC|c+FzJt|1V=y*E(S!^?q7*iZ63+-p?PVh$p)^X2R=N<8I6kFWwp!&EXJ5iV
zaLX=(SMuf<A0~Bh@7Q0eKvmH|a2_29P6y$u5GtFHnHl-^=J{-y^+BT@*0loppA_#2
zM6F43%FoXy(bUo!Tg=1QM2l`9l%t*zT02>+tDRX-O6g~}2b7L~LBvJU!c%@8tw8Eh
zp9Im4ErQvFg!7rtYqVJ7T(lHXr?J5O@%e)ohpMPs2r7Vw?gTHvT|<CcG$C45$<x+s
z6CG@Q7PulCp!?)-sk_#T>biGpvlEjXps!)kA33zS0@mw`PeC^<x?9Vv#$Lv*V4S&&
zx{WA{;Zaa%vTbOb<%uL5jJ$-uadG}PpaIoPj4KOXqqf4%$>EnCe-^ir@GO~BO*~>v
zV++^;EP-Mu3pO}J-@pvawP>_>nK81MP(f{@Q$VB@BMgi*6g)gyauMzcz2fS$h^pB3
zF0x!NfR+}X^@i>E^prY#K;4H&v!l1p=s$&^FAR8?QD$mvtnb~OqpO=+C=r-Vm&!Ls
zUmNpIDj17x3r9Q>Sf9p-X^3QXwY$sNRU|3xw9aqkO_xJlsG`JFfNx*k(<A%d1p3{H
zub-gpW=4XG%VF0KVgY>unG#^Ls&>|N4?;tEz+QwIkGxvS3#cxST^a75IXD-dx3YJa
ztH|Cf*Q$*~KeVd45T@Wx1I2t)Qo_QKvTZR9ww`cH$-^0q?`Tt|+u^x!t?U#6B9^vZ
zzww<(45hRO;jHmwp2fzdMx|~|_8z6rUN55V#kv@Vw-C|(Dov#DzVLOuy|$x>*!(kO
zT-{RuDZ1ArBfVp363D~oaXo%_S$nI?X^qDO%Es*2S4#}3xkd!)!B#O;qhgXjKl1@9
z%ZNzg>p&8dm}mq=%FoZQR5S&TWfA*7HwZmjVSnoDnWFG{!f@5<+ge-SD+eEB@uVsX
z$=elA{9u88eGEZJJN@FI9S>$peY$lVoCxhMLxjQ=q+vj+z3NI2_+DVmECnrpY+KGS
z&P0zQhnPj?uf(SNsMbdAvyAf^6Gi650i#?eRR+zo3S>0g2<Keyy05sUqVRuA^tcB*
zuXwXQys?^qK$26#A61>#WZX<G)J@iF0JFHG?W0JK8V(M~cNr_4W<6RFsdqFB6qxH}
zFqi!75PXfeI>wyW#1J@JL2*6Cv<6Gx4{0!D5@lAG2<$))ch<pVhwh<em!n?#4y>Zc
zc91AmvX)kl9E&09X{K59xh}Oo(JJS^O0_oBw&tM~Srsm!N)kic_DhJZS`ru9vFru@
zL;A>lLYFv&78jG>+}s>n>xdS&FD8+dk^`NDBx0(Y-E%N6sN^Sz;mT1qKDr9fWhU7}
zon!Tuu}P{pf=QD?T5=O4xDnYfFj_b{h^upuTJ`M|irS9lF-k)Qf=dCAsVf{cw@v<?
z`OpKz`)DJo^T0w?vhD3{7)VhInm04#!{L-OO;E-P3mn{)W*o%MYj~J~-M+$dU8~FR
zBaa5*w@tj1x6MZiq|-E>>sHh2Lz0$SS+0&2L-daY3ufyx%&5{@4~85SNHk->?&C7(
zn~SRj5O^^-du)i7sBX~PWhiC3g$wW3DWn?rr-9V1<?%dqx#b;deqgvQE__Znuiu#7
z02I4hh`@2AHG&U3gY$n#tY4jkIZJnkryiR~mG6|5jfJ5wMCzQ((Ejbo?L<MEbGf9J
zvIAt$ch_j;QAicY7V*tT?@{`-V)AxETCQzPApx0Cpx2Z`vG&~WyO7+8!nuu=upR4~
z@^W$!eFD&RWgov5St%xE2Iiv=NszxB`P~W8__)Aaw7$Twhb=?|b3YW4<^I}D$0QC?
zU0QB$lk`L-7b?aR%@x;=4SAJvHs?erHYA$w2ZQ!_)az7DhdWz`_Wk+kO)FSyfBT~V
zJ)v)H1UnX)_Uiug9rji`C1j@3Ul>}6j&)G$WA=@vpdd4#(jN>0b#HFqla37J7Nd-}
z{=aq;Z@17_*xeVCdgnCKLUyXu`eM%3ynWbDVxBS1PkJNRaL1m3dOUT)nhxGu4X|U)
zmx6xCXAP=97eoG%CgI@|*O(%y(o(ws3CWp;kN|(J&5dYJf`u!^B}ieV#pM}S?<{>M
zcdArxO=#){S_TH?qzPS?rI)*|W!JIm(JRxMfr9<tw^v3C?5<MjV>MKv=po5N9f(0R
zh4(3GDU)()11Wwaf2Xfah{gL!Zq_dk+QZ33NMDcHs#f~sK7cRP-pVm}M=u;8`32r~
zC|8YR$5EzDXRGM#Hhzb;2yM)(LgxGm|C3t7^z*^=Ay@rW%_%bO{6FN#zhz2~k#LT3
zUT9mS>0kzdvQ=-1MZ4at)e?!I0;12|ZT2!6?TRBxoV+GQt&Gq&x#WzWy#@0~;8`uV
zWI__yyW<($p7+5m?U?%fc=gFRM@_q+^W0Rp!f~xdMq`VvZ;QOP?5SZcKH9L<Sl!63
z%HXinTrQ56%b2A@sI>-T%Hs%E{l6otgGFb=E26}E0LTH>ZRT8y14TK$+4NE5q}x+?
zwJG!Mv|q>oS`ceg+w=R*8IEP-`Xr%nYy<y^Q?{Mu$V}U*9vQJ8E*Xh-;=@!|z{6!`
zIMWRnT0vF=NlhwlFVCGYVgLaLIz~|xV-3fDu0;Pnllk6~e=XDn6<pLEY?o|~HVc@@
z{2#8yUs2}nHdWXiw`+FH^<{`EO5GOH`ZoIEqqp2hg6>cBaX${%2SUPm+>tA!BnGex
zpnB!yQyy3IcMtU;N2nsaJY4i{BC>0#FA7}yU9pqMl#wJ6HB7keFHIe<X!u7*K%ZVb
zh}|z)D|nJ38gDW3ME7c4Uu$3CVuv;cur8%N;IqA7!Ky4h={MgW-^JLo{E_%vEY&+f
z3EsL^Y?s72aKnu}P#G(%7?LX1!{S$V5eywrY`i{L`UtT6WwW0#e%1lXYWHVk*1GXj
zcs_VxB!veVM_hp~|3>)y_wiucNAzD>dv(a4(`O7S4d#ARA6^)5JR33ei=?oNmIHb4
zTrn~3paXxSNUr&qFG9mer3FAEv3#!AsJK5@9&glxY)7SwCgsH5{vYPvGAfRAYXc4L
z?(XjH?he5{Nbn%RU4py2lLUvL!M%~-?(Xi;`0bqeX3osHbN}D9`bSl-?s}{Cu6N6`
z4XsmDq$#R3x}l!Q3rU_b=3=raVlb_VT-s5y6a#hT9rrh=E#c(AfKal78Ae1g`&iy=
z+^|`J?f4XRN^og7gSNKGN?#7hRz5Pd3dOn8*tCFJPshs}@!>f&E1Uz+h!hE(#)teq
z-h{(&fp~Zl;*O4s>v)%6ml1<l_ry7trGl-V-bJ>p7E@_oag<ehL8Z^UshMEz{{BE-
zeTr8rc*+{o;bzqMB!T^JVUyq0VBw{*&G<yX=`B(R*R5=9=*1-@OdQ5<=JsXc8~)*q
zZk$Vqa_m!5QFV`xk6&DUU|qNt;fdWUt+gD_{Zgs_GgpJAFalYulD{yMv&X-GHF|86
zVp!%|hLZ-Tlk;bGQ_q9gn-M#oHb=bgZx>;G*QoQjXt>PMlM8e$q=JT&TH(+o4F}4{
z2ha>oDC|cBmr@$b6Q8y^oNesr1JWe{6L&6oWGyAQ&i!s|Yo#+C#OibBheRoH>Nwx8
z*aqV>*!FL91&$du6()BolFKSZC%@`(u892un0Vv;?L7MbVw6hacO0i9h;PUtDg;pN
zkKqW5o-0?f)?3oJSm85g*ceEf|BwmPDI%1Y@2)oWW%mb26AC5T!9rN572Zwr*Fj0#
z@H#t(Fj?G_ty;~9q}&#ZQ>_*kN@I2FmM_~2ceJo+xEr|Mj-Fm-{F{%vF@^fu6$~q%
zLjyT$wH^=B&oy2Q&jcR5a*T?0eR>i<i@#ZtKbdQJsxBySNZpD5<0<~q^7|_J%2F6b
z-cGtTH9t9elD|?GYdXfM9mAWgKg1=;{Ex{0ztb)%D%JbK2u~n-hlH6+cI=kPTDRrD
z$ptWU;1fnXW!wLUPa_JR0;kGZsu+C!kC)_6)IwGiR+V#e;IGqv9+Z)S*aJ_yBKhwR
zhN%R^`#W6p-{U}f&}B=(;d%Z=nEw{(QW$>F|GT&USUMjb#QU;<9;Ls?_s@gL;Jklg
zRDUg65(Gjs=<^-_)v136BEqKSKcDWe8~Fd<V}8)Lg`~#VA*rbNO10gIuP3NEZ?K&m
z%ci}@@i+VEZw9x4ICulPl6;iH#g;_T1UEaRF{4okUuRW7!>3s#n^hBt>YhPA!{OpI
zFLI2e@4g|3o{hENCl&Z`JN}~I-w%L!7$tg}yz?dzyRu0i{Ob`Bq(P(B5R;OQVpCeg
z)`+DIol`VWcovox2A%epe5n6}Wl50o^W*FPv=2F@Gx_NaYCH@J%Ue{pwPm`qzu!AM
zdmHV$@*nu(zYKNsL@UX$BCm)91W78$S(jcKO#7!CV-D5KDA;`BD;@u{7XW#`FQuwK
zTnVqq`}K}%T6zzioKd77nRnPMM$s}PzL;ZUW3(yf<t&}g=n|obrK;Yb?u8y#Lo`lT
zJ971Qi|7vRx7dP0LJTvT1pnMZfx}^<l~PH+N)*3QCu3u2F4%pt)ZP?Y2W>)wHOSA-
z&TMWcIv`B1e&wo&nw-9hm!E%YT17;vHx$XXOz%`!;DPvkcOPS>j`k)xuUS80g>fgb
zva)h`M1<IShcDabok5%B9pwL6^HJ%yJit;E^j(?gklKcy;XaM+9@?g%w`(l{btTrM
zcdx0e`1IkUI-6FceOh>f^vKc_I)>dzpU?sLxxqXy4Bi*!8&0jL(t62$b$Va8v#3e!
z7>G?}kRU*#MK{r0{fJB=>@!vv5lIvh5`yE(Zu3&O6{%N$fLm8vTXv%I)_8xu?$C4z
za%#yK87qEy{gE*LU$$I~Q>&_}mFyaDF4!hrpep7GHug}|nxM)n{95s_Sp+PiqyeIH
zk~o$c9Ad&*{nO=@TahyQC`A}+(e!xW#J<GKu1s}it++N;^I;D!dJ7hXezuyv*7JFr
z^0nI7M&ub6UHR;b;?c@G=V@%|GKNHXfkK+k%uTOYB5Hz7$2@cTow<0q)!kuXdATS*
z|J~;1=D~EaO3Ek=6_v?Mi5f2JhX9k8_aCY3{|C1P4q%k1D`0$6<Fk*jp9X@ZmEp3X
zR~TOG1lPa{qQ%(ey+S@nFF@AZ{J8H&z@Q;zXTd)|XXu$B;5VHpfLQP)#hNosc<&|u
zVRAlHDx6T;f~oK!Sp^I2WAuA_HgasL&)N3EzS(fZxkwWQx){7m%jEe^mThbWB*al7
zLFe~<+O>XY<v6y(cM2Z~Z3+sPk2R**#{<SGFMg8eucP?+`FZRl$V6|H_pdu*QE0g1
zSGu!BwQSXYTE@o1!?T(xK@0lwrToPH_GmUdDvF~*ZH7POKY7l72`brqKlBpk$sPX~
zxscH3XfvR-FXt-<FT6JA4WLEBy3j9~v`rV1pT`9-zJAv2z_6v}Wln-jG!#!3l@;4g
z)Dwi?)vpoxwa;vji7~Jembi*pd2nn@YKTq@AhxzF`?8V^&Zpc*YO4<n;|$1ZTBD?)
zrV!|4%vH#ENAW5A9Y&qE5b+Buo<c0)mz*Mm6@yb{s4mQ!K8@&#6T#%n3QBB6wrqp;
zN!A4nJQ@y1M!t5&kh+lXSDkyquX6cSa3!*ZRXh@5$RSx-`i4BlYeuf7ik>0rEP4$#
znx4~m=UgQfkwV;wFA7W_{|v4CDY1`eKqFc*53FlznE_V~$MGBo@Q9~Nh_+^0gVOmj
z_sEWnLx2h{Z`7r)0{w{AftucTy-Rg`MjhU)OCi8W5H8FPY6Wozvk=w~G`)J)2K*HU
zycI3Hgllp?ku^9^3)6qQ#xnq~?pj7!kEHcS;f>-=OiT_Ru=E3=dfU-0kH$4RF_4g<
z+h>8k@%2ydp1qCZXsWE4Yop+#(D(b6eg!v+jQ0{;^As&>3SF)Y5}+PZh%5Oq@4a3j
z80B?h1HQ3)z|-t1J`}#9se*|cn%YogQc_ZW*!`6v{cir`#IC8S3746>-RqXULi)y6
zv)h=-`fR0nI$X2RG(5Guss$duuFpWeZ}g%#&#&idcNmF>*tZ(Y42MyNG^6hqqp}Ng
zrf0EkoyA`7*n{VMmEi=Ua7|6k;P5bqLHf$-DjF_sIJHt{zG16dXqWlo2YGq;xe8sg
za9;j_^6HKyTzxMu{@2H277Dj$y)j;1Ufde(7T4p@z0oXvZnaZeSBa&@PXw`qd_g-q
z=4Oh&q{ovQ3(gdYi4*N#2_wfWr@t#L)LEjSV_?L1u+sBBJU-%g`wD<Wr&+vlPTZKf
zCy9XD2x_jcj}Iyu8d#3Hs_Fz^bdctM-)j(?H=bc<6ejzY=Ahvw!)o>><P2sTAO!a-
z#XAfkR#xcHoxJZ!A19m)7W;8V@k4RXIDR4?M#Xl-dH`op;y;~-_z~foxqAs`L#(3i
zY(u#tZIl`DksAQLJt<aLVD4(a(=*fc2Le4tvVLOKK#h^-uf*=#H^I+W<=Jb@s~5Qc
zJSAHFT1^Tmr<k-mthIRv6hfb1CxNIY3D#c@CDp}-ctvBn9Q#5Mk6j1VyQUXtG=B%^
zGx<sOstVq*;-SN+{0rM@-`z_$3-U+=?1dmp*q49J`&`J($pMc*3JMX65JdjqfPi<s
z^k1o?lK7nWHX7!QIBNGxx~`TTIt!fl$Dk##P`)eYL}D>$h2Q6<kabxRVNuUq^%-#L
zoPw(Ce2fYspaHXfY0QR^7&OY+WM?J3+eb%{@$smN>8xO8{n2dhVGuCL8=z&GP~=<f
zSNSD$(%C;olD)H*;=tG~5bw=#UyB$Z_8u9O)mV!ML^0_%epsrvUTE{IBXcYvHK*gH
zlklzXnb;Xha++4+(IxcV8#eZT!K&_fEMsFH&DLmU66#rBCwY6l?{u0sbl0>JeR>47
z^S?N2J;!&R<xAf;6Hd!iI|QBf124C&AJhYhe{0geJ~OGJIWVI?nB#7pysY*R3<#PB
z8yW9D4_s~Gs>=E#7GeNRPKkk#JmNncML44)#chpg7>!!7LQI=YsO)(|y<?so61ytz
zl##7YcIn(dx^I@gjrA1-BQE6P+m{;DXGIzPz=<l4ZHN}yo$wPB_{8k?E$T_x2>Om_
zI5^K7<+Ce?oE^?J+LGAfCACRXq9bbOOEYrVRrX}{M_6nY-RQ+()5+%LlnZx8z{;(+
zDmjtEn)^E%dAo^rTZW+yv&D3&Rv$TV$^aB$;5!w;%U~0@g3=(a_;PH+^ka!i^jz;V
zJ_#MZEUGBt@;UsynZDGhr}K^{WDsw;w$gR%=R0l$#;yvM#~Q4l3(zQ}aX*!Fg~p04
z&x<x&MB(^W_C#2ms4?IV7rMH%@!P-ny|3Bsh9T+e@O_GA(`_ucy#fAQ^BVr}9WSVi
z-e$4@JW(&riY-otN#dqKxO_J<R_5tZs$#2*fy573KxS2f6%$G5mEC;cO_XOpJTf8)
z+N7hc(Uv*aQ7j$d5g0UE69p2|oqMmYh<j$U<a>*jd4TOW5&P^s_?Qc%|1u54y_q1<
z9KB2{uXWxCn5&Z!PjdWZI4Jr;LOEqN)6nM{Ynu1U7QaH;A^B5I`8*#6hepeBVH>cM
zY6LYPN{<Yu>X)k}JBd$G57D8@gIu1QxTL{ravPU^BzSRjKEVaX{@j`bA<(bcj3fHB
zge-nkYzT~f=+4V~0$Ea0)Gn<pBDt+aDj5PwvFTH-O@*q=YgE%tNB~IfbydaoeQwO+
zzRl*vsE@CWRtLp3gm!G!Gpq}+1g8TnUtya8I5JvgCIKr_;Az<b%)v}J)BF7IUI?@i
zkPHQnC8XZD-XBotI*?OPAPqw{WU4A4V}TPA5yhMnU$0*_-xb}?_?q7wOokrh&k?rd
zYbS_5S+BOZdaAc5eHqHN%@Fc#WK+fxs#n57wr}3W?v30AZJmV{SBAT@Ra>9Dkg%}r
z#%25RTI(0(*$$CcpxO45L?ug$%b{s~Qf8)&PG5;;<Yz4>xhKv0Oah0t%ji4%_FF9q
zhKb1{8KgAQoYuzO)6-AkY;_i+Ahj@(5jyirCd0Nhb$49kt<V4Un#9atsakKdgg_|_
znF#SGF_yeW`r;202!7Wib3w+qJQ4p66O%&l2yCplP$Ys-u`keg)w93$LHrNUt3GIc
zdA=Txx#si%Iu2U^GymZLGpCE@L{I}-0#Gr|l8Xjdw_A-ritYhAR^%}6v5_WPK0W!_
zE!GzM<QZ%eJh|M=eO5Cdi;A|dkWzC`odNa&ZT;CFT~1?&xsex|&4iFCb2%#{N0gSs
zdlGy;h!A^jDzz<Fph+V&V{hBz2G=JS>G*tQlnxwIsuWVBCU6?ANlC8-Tp%KLzpV;D
zDi64sT-b_`(^aC5iwL9n3fX8VekJl=;j^Iig2dWhEAEiox)e8C%XpZQQDY|ddyueG
z`IQWnpF$>hNG|bE6EEsZl^^A6C|E8P1P`N$g(bl$ddxL%pl)(MZ|o0>(_v#Ci5Ffn
z2|w&$7&rm2c5i2<c7|y3IJaW01eVrAFtONg3Y=6z5%ElKicfD(m*-KTnZGIt?QL{_
z34NCz6b3Kca^V27OFf<G6HC%-%?6MOMf_GA&FI#30SH+6pkc64NwhUTIB**JClICR
z%}W*vUP>KJu}Md6Z<;|&38jkcS64FuT(wz6r@y{DZQm_B@KlJ@GsUPE)<`opAG@bT
z(mhrLMbu7tFdVgf6;Emgc~k_>(|mgHmNsZbT9SL$-wMO^26Z9@`MG^d^p&-=Qq|o1
zqw)G5Y6$C^S^kso`j;H;dO$C!oAnsJK)pG3{sxPVGq>}7b#icIuu5W6@~j1We<LiV
zmG!2>uLlt9u5B+>v(v%$tJF0~FNyQhG(2&m>7ySj@jByTc(<V*X`jN#0?Jp>nEC3%
zRb2o6V)8;?oSSfX(aRc*-kgEiA^6KHezld)_&*N=?9n=CQw3Ufz0`D7cHeO1+_I6|
zTTHHIM=zJp5o)d_$;5lW<Czfpne^`pJw7lXc9sbtkLZSq+X`?ZUWxSt>S%EGvpB@E
z$mScNPDph?)6b^k%<2Xl^yqE7=|ocF<AUZLeC!w3k5jjWG>q40Ucrioe`ga@Xd2ei
zQ_>**DKZvNn-0;XXD^U9Z=og{rxr*?L$e><I~yter7O3R7N+6O<M3M=JuJ0XcE6h%
zGDw#O>*a!&rNv9Xq~R7d`Din#W~j!19b;D5)*yl<IAhwE*xnzYra&sh@=G?(^Xc^G
zIP5~1X*i#K^hbX$d(G&{>u&}#UVZOb+2%FLq*t>vD5v;J^%M2>N?Z~D84L%h##1en
zsn+i^v+Pa!0^25S%>i%ro__d^Ur(_nzs^a}pRejwaNP}xAAWEHjZ7v2B<9E<&J!jX
zY$&K=6d5HLjI0a0ke;=(qYtQ<cS{8^?R}>)9s6ZPsKB<l{0R=1>w??BbGO0K$yrQG
zj7+|7i;{{NO{9V^ILzx7aHW;Ad0-w!q1$|c8I_PIZoRgrL5Qi_mkdy*lPXPNIBTln
zIg$KvIMqyp?ba?|yZ=r>>osIRST|bR54qn=qN<<7uvLBq%eIMkal4_kdb1Y^9X552
zdUrpC<%kAM;WGaUv3#jG70KG#I@C2#j}3GyDF<uq-n$Yp_xR5ml@u-}hWe9Ve<9n{
zsMTGkS2E6QNke4XY%FzufyvuE``l=s{H0}5gXTwxV}U)VvF~jP8F#5@5xInB;n3nE
zJQ5PuR+fggilP0Co@8Z!iviDyV=rEioa?}m+h~1}X+$JDeMQMf1y?CR{kZVc$dBAf
zvl*hOLOIv^rkuYCz6~GP8RY_0j{Bya?F%%vf);_keRf<!)Q|hWR+kYtv#P657;3zR
z6qUM&RNBCox4<Kc$*Wk&uXJ=5KMY5%JKk39$|?@^KTUV`mCeSWZXPrB$l=eOCIc4W
z8oa=aytaKA?dK7d+E&phx^?d@!_V7Pheud?yh(f`Z;vyJYC0M2PEvf)QRhbI;615j
z><l|#wa*PA`|1gGEbaPclO%)Dw2nm{5vK{M(hFm^ljY>yw7#2|a9m$I)YzRuyM!Z#
zHblG2oT&8?2~%e{+qh?zZTFs1UbvIyuM@TW(E5qefLU_XDv8sR**{-vg>PVZQ%?1z
zCG)^fsH3HjnSnlCW7f}gz##IJp1LF}8lJ{Rt?)3E#Or{pBrBo?!qEG)LAq?i887NH
zsN}dx4fj2p*wb_&HYq);hW5-ZAp5h<mzg68b&2DLg?4ZEm^LorNWY&94z8_}^<DdV
zH@LeWu$$_Mlx{0h8Te&Dc21+iy8VdM1KohfkWK$T(NkBke64b)7=o+ko953Zw(6iB
z0VxU0*IQp_nG$#zB6{R0Bh|Io=*M;}^F&vMTqru^QojNXn(2`kcEk-?#u{>OOK12(
zniqB2O(C=ng`FtkSBsYtqpo`hD~!x)R7Rw0`+i8qjSo-VQKgsv5K}|mGOa@_pcHw)
zeXoL7kgk&7|Cz0y+Lv$%=gSvw7c`1x^Hz&PzHgQ3<<}XIM_6EnJ2s4Qpv-#M+}zxK
zL7tfNf+#;M`5Ax=ASg3(Zo2clQ~z+XC@g_&F9gSkb?bBbwpYpV$m8wt<(R<vM$2(k
zZ<EvZ7-}rzzA5&Xv3^x`90nF9uW0D3N`sjgxk@!ohS&}*C;7$0X7>9c!CCOW=Z?<=
z_zL|iaqt8nBq60-<H<-W1C*4u?QyCdf*zx(uFJ~ClW!WK%Q}6j;a0#tzx_|BFq<V%
zFM@hWx5K=v^sMl~2f8Sz4?v%~`1#ipDhGNUO?*mQRh7R4ZK=K8QmEnVHnYH)hQsGc
z2kc-M##!d&Xs-rgs$KOR1au$`Dl1E*tC*kgx7v5_AAENkIj^IbuUy4m-5Kb^tpwxU
z*L`sm(wMmz`8BLm5eTuuEXF{S1oad%*a42~rPftkr_-Lc-|;?vvIdw8NvxWlHSZJm
z0RVX7!G4|PTyc?nM{7leQSg{Hhe?Tv?<-L?bvJmIn-~Z3s~JeDw`aM_p4!>`{YJ)9
zmj5UO{0q2jLIrOyE*O?Nc`!mW9u)ONgo_t_p;lcr1sYiTHlCBk;1mYQDIuIYpB|ge
zsQ<)M$}6V}^?$yUVKiu(KxNkWG0{YPM1Or!H;%vPJoByiGuwDM{V>{a3w>Y7$Ixb-
z&)QLmG`Su<KbYAD$gM$mO@Ay=RIZRWIVouuYOY4t#0W3Gqt<|yCYyf7f$(WjE$sVQ
zw$$a3!dT*R(|P~5Cu55A)5WF97Z9SAs&vWq4<p-vHE=148fS$I<u|Goh(ME%;L+g0
z$})(7j&5V82nFW4uZFgDZonB{E==sP0p<fzH=+8G7OiS%V%rfVvqQJ@#>Qu{rhGV9
z%A7zOB`GG!5kd_?I5;@E>MAYj%o=Ga_{yT7i0`hAifDFKc5W2xoz>43`vZ)QR{BTw
zAnzdS*KC<j^{3;e87aAelKm#v<2kFTuW~83%?W>#k)Zrt?7%W#1!gS=yR_fmABBs8
znm!pA{0dS%?$N_pz%Qw9DSVoB-L}J~n<X+{byJ9nJUTKMbo2N3SIp*}3}-3?4~{k5
zFRc;Rcvn_dLRt^9n5_8s$|56ihtpVCaL6^nYeuq*wxSn(<wB50<<(O@6n>iD$t-%B
zO_7PZ(yFl>N~G$4a(+>Hnq^B5$p>}wJ~cr3DD)4QwS?n$iXkEu0XZn&Srxp6l^f<t
zaGu*mjR+UlN{6FFCm&CvOkbzmHKe6A+kr$gMyisSQ9)Wdba(mMtMZdI|5|3G#mnJD
z!51>p84Z>D(vm{wmxukl@`@I_MRqIt54+#MBcUxnt+jcEw4@fkcMSr$Q(@7#3|yBd
z^rh3QtE)&1XqCm!Tu(}_QUhj<ij(}>hOU~;wBNVWxolH6t29<GSCsz|SHbxL3SdNu
zrF=>RB^h&o8Gf~G#Apc6sWA<?tf*!Xap`tA^xE3n3k`&TN!6FO3R4lfO-{I!V#2I1
zp)H_uKJR?<14aGt3WI8ju-{52KDa5Vv57L#z5=)7uCQm9sQCC64_bZ9kXU{@s%>{m
zwhPV9mLbjQC?MQOsd=K{T8&J6)v}C%p4Eyv*P-L#dv=;$DQ%}*5_QUet6CH~2#tsY
z7;p}j!?Wnkz)QvPd0gas{=BT{32Q;li7Eab079(lCi7zD0N>y+s6R{=O6{hy)8m#7
z7TL>E$i()6Oxxk7DKjpl2EEb)o%-B<t%vJz5r%LEuK;#!g~BvrKfLO;D|t@>pMQn}
z8>qU{sT-&Uw?Pps8!1tonImj=zh|J$vRaL3NYJ|fTf4YH)MjrO0fIdi-HaDGD7Wi=
z)je<XeIZ@At9LeN&YycqW(9fKX;UQ8QdR$)PODobS+3Q_toM2Q{GeY^l=rF1G^}me
zMjaMbv`h5wV1e+<jk-ja>TsMRoO#(+h~9X~$8hMt*+xx+qxov%hHmW!k&oZDKyE@(
zjGds7kx{=B2yK(zBm5*IMTO;m*70-(FQHM6?TRqPX5F5ij=SP>Jt~cu0*!=^3qJEJ
zg~3UDs=nOnTPoR-v8Gg<|3N|651U!~A`#!}!>E*$ma~$JuconA>SB`XAh&UQSIOEJ
zNxmF$21|B)y~?na)$7LUfLFi4<|8aUKg(*h*<2GH2>+pT_`>oJNG-n+l%PG6N*V`h
z%u~VzhJ{k5?~_HK?IcB#Dg}|EoWnn>lWprp==^RP)R~h2!LG7=4v}8`AjqJuy+qXP
zFvxUqt+{Ou(5fd`q5pHtN*{oa#W6!J8Pzcd_0o)u#i~K7Y9a|0-0pp!s{g*kvG6H5
zMo%3PpL0+a#z1q~!q3LHsN3NFblFlT;=nDZx|ykAMKvlB$Jl2Qw#sHPRWGN+<938&
z9M|_~g)=k~o`26x<3Kg{H{4`GRwN!8TT@nu=U$&{@iN(5%33HMrB|IkP`<B`k-4tl
zSk!GS@^r!>cr{27iUm@*+aSI;glp-|UpW_4m)i`~Ds}vhO8xZ-ye3n1g8D2hQ_K8Y
z?9K!QFxxYcSlY_tylO@e(NkKL8M*FG6h?Vf79&_GWqGf<&YOTdC|qtk+)OT83mu`E
z`X7yi>Y6XsBs{AwNeSTEmC72)lOb)MmsLT*k?{L^oC`MhXRAmGc%LMoV6hl(Ox#ke
zCksQ!%zd6O2QDryN*b+Qn<o*u>L_0a0>B`mA8fPuQR*~hL4Y2s@1x6#*Kwt0V^Lwm
z_j@FeJ!@c_9OkLG^fQwEmwxk6Q-eySI#Ib=k+cb@l@czyIV>og6?0ugWb5mDP}5>K
zP{d|Kj}sHa?yx2(for?cRHL>&A~*0Yx}K;ZzIiuQpVhQ4{Fl;&(Eq3$u=4N%jPl0H
zjty#0QaA%s@Y;jS>#1I=X<EqNN$XA5{(kN)R+<H3Osp;i74Fw8Zj(?x*-bSi8z8N^
z{27s7+K|w;pAZY9jD9Iq&)Vw9q+xBsYm?l_$_>}h+*XYT*>!eOSo1<Pu(y^L!u67E
zUYjQ|b1Tg1<>0{TOHQnsR7ie4saZBCW|pcn57Y~RY3P{fnB9`B)U3Di?&#={J~DO<
zD=jOT1)Tm|w{I%562Rw?WU_G)#HWxnG<9hmliRO26WL2=)NHU^0~OCYQDDSng!R8y
zdp*iD7q-MNmRvO*`DDvolqv7y)5b>ZdOle=@BjqjZnIl1mmYeYs;oNIs|c<0%bcnk
z#%nmL-Tf_&?%0f>itsT;r1)&XtNmk#TkA@5_V}|a66xGB4B*Q1{VezF{xtqENL<Hv
zd7@9SoQH>pUkjG)9nmNL1`_&<S~6{7^5c#oUw<5I8w@|pRaY5emC;+)lvbTBHfH%_
z-s&>h-Z+s-0WyVsA7?yD^uj^Ei-M=vCy&*b&%K)k?e!x!XMuk(ZH5o5Wq*e6J@<dQ
zT>Up__eW?|mE?Ee9mO)i`M<CJUwZ%~1)P6tMM64)|B0Oa@#7Md-|`}?ZjkRU$oB6C
zpp~J6DxJUD#s60O%tT<Ll3y3y;Njt;8Tm3bL;p8aW&it52x9I2^ZhFgB<H6q5af-3
zrNY^85n?g?kcXI?^P6;keY)1OK?<<*0dDK!w-^Ie)g%fK8~a>JDQPyv{lfy0-2jJU
z{XPU0v~BXg1o#gbZnHoadi3?<6Zo41_=^mI2$YU$k{C(Axim~{u{;y@6eOiwg(wA8
zJq@2giQRv{B&Fja?93-c3^ZwZNzBXJ`+iL#y#nK>RM?B#fSgLC+Rq3-nD~)9E7oII
zuPVSJ8|*B}{#x+w2Z5awf&3Uspd@og$IpEW`c=K4WHyS4f$Qi8H*4%bCkQXI#m06I
z%U6<x1_5a9J2%UjZRme{3Q*pMF-8f-WFM$Tg2$bw?O{Up=5%5zU0vLUU+bJd;2@Y1
zGaOWI^%Dk^F*%UJL_S$<#$d20h#u#6!{le&3^(WI${zj3rEsV64=d#V2&x(fJ7ZLd
znntKEK%khzI)bVwFDd%q*!_OQ0Ejd7UPY8i6%;eqS=8w@VpQXAi0yGUa}d{%C0%Rt
zhddh@=}$d<qRpNuLcuEjr(gHS<!=K;D<QgV5R>$)PXhzB8^t0Z{a!j*{JIG0_O>Ox
zzN6Jq)~ms`7%XDPGLNZ>eH`u2X}Si){b1k*V^&5^_nK#NbaiJ!z}Fv;REUa-38=?U
z)*|^PMTMT;7%TA5%590<_2f=OGVpJ;DgMsCQzbYBV$-T|s1ZAs()Uh8=1lKY6u=m)
z=YGL+b8~y#cP9W}7oU(2FdF#Pw6k|WO*gn`7-&$G2%tB=m$%{unj9ym3_+`nW)_CQ
za<8`3C+xdft(PT0erqVxH0BTU?vLr?Neb&(ttttEEqYpck+@h?h}-Ob{WL6@$)BS!
z8e{!N3|0Ud!e$<QHhGYEZ+v~w^dDpTANo50@>LhoW;eH}MsbNJO0uLAML9fcbO7O%
zvoEnrR3w`>BjkC-hY@Q&3%mvh3RqI>MRGkqw>gnhU_9Ls_pM-MvEDuA;?6W6b?DX;
zZUHC;=AlI8JPl4FWu#XFUzvOm8L$~72I&B=>AoJD!%#YP+u^Xh#kKcV{N@=^*tTe1
zAg8M*UiiktmF+!5?2nBP^#~)Ol?^u(a}0CbTE%x6ANDuG8)LpC;GHsWMSs;!eb5<p
zq9@l){dKB$Hmw}}GNm12hIEYfNoGKwT=3Hl*||!L@l#!$yW|r!k`p;O<o8Zw4Xad#
z|9R>^PRDXYD;bsQv+S7&2--ghJL1BHB~8$hV<H&k2CEdWAdncVC_dSMo%w9~5`q#d
zkG<Tws;gfJP>=|$7$0#yEs!1iCiU^afyxvj3ATjQ!vOM<2}P6MljpBE6E6j6mj}`7
zn|tfHb>E|9im8RkZIa>0-H?&P!x1Ht!aqcen}T9Opp1mw(5z|_Jx+({3ssT@owSF$
z<iWe3AaveH(a9z`-X3sYlSIs4p@rnvboAT>`K%;<fnec@FZRfH#g+OR8>ng2+APNP
zHfxY3VqSJNH@b6;kyPAncd$qZQq%nf<UtFAyua@Fn)!MsyWtzB9HvWPfln=XW|*Lw
z%!Ey=NlwLnhnQ?~yk0uA5@e^^f2-4Ks(_vOH6<w*622Rr3Yrij$%#4~m1w#Ug`gbA
zP<U}@=5EsCZ%MAnei*Jr3V=s;b2BX<(;~RyP0bBFY4h=rZNmVik5kHji@d}2QaqKH
z^AkoUkrR*jLbOL1*&9nC!*-w1dT|jzjC=WL;L_&Dx<<GL;a4^Gqk*05aY9(p>smpw
zINh=LlxMR>>~wRVvQS12%@pOVKU~|Q;71c|qY)W!3s5}KHGrT62+^r^BO-p<kul4K
zBG+@VTE^(SZN;maIv?5|N@q7iPIcg?#im1UI(rQCu+d?GY+6vLND*f=YKK-CdxUD{
zgR)wxf?4Z4=jU{E4mqG=zw=OhaKvux%kF}3kC9Z6!HCRxo+vLB!G3OrRq^Qnf4jdh
zY^pJ&v<vaK)8k(OJboRq|L%6;!TC3}^QZnX7=yH7%3N4VZEnJhXb5g-i^Z``dRluV
zBzd;wT;j40CIKAnct~UKF|UVL`x^$9-;?ynIjz<-Hb|A~Xktc51*i0jprP#+LRt%9
z>3`E$u|F}WK&^X0{avP@ZiTvX5?C?ASg}%zgg|v$<E_Kc=IZXhGHWSdq?Z~*<8T)H
zHD;L2?N!gfNy;{OX^%oczn>uwR|bcNaIFpLzP%j{qUty*V*aLkZuIz~7tJ-RMqHw%
z*7NDw;RhLp$6f9wa3j#<;CAr%!hQ<OA+8g7GK=TK^9t6%QYB3;;R+655zphMZapC{
zFSJ46{=;Ra60H-$Kp4tOz$HY>RxXcUXjnOcR|ArS;tjXp?NDBLY+SDrMW~5K8g=^X
zDGJcq7Myy`6{awVv`RTyiFsedZtU;a=^vRI`FFpG_*FKQkg33L%ZOr*l6woiPJYFn
z+V_HM&DV+&yj>_p#@1;$LXMYu(b=u5e@!`-H3D`6oX1jTXAg%|hEbV*;Dr^xYWl73
z_B$ocVl$s9ohbqhn%bR%ZtQ##_#|(iHe|Bm*Y7yJ3?+fMqm<+_E-;<YYp~Z&eQ}+P
z(kAv~c731w=K8Titl>Ot9tjEMn7S^-8CE8b;epL*aI!XJwWho9ZBN7eXsQAGc0Ozl
zzff;rZ@>7@$Nm@=4wVspg@#GIs<Ct+*W*MU$hZG=v4o<4*6Pgjoti{q`U2W<L^v=w
zS}?fzDFO?QbW&Z_<tjb=y)o%t_(=B<iHf3KEQCPg*6yNzzN&#w?%T7B!Nb<-`?{)6
zZbvtgKiK|7mjjnEN*b(csi?7gpWG5QicBtU?nJ*s25UwoA+;7I<Yquv%7lG}1!<oT
zr+Yb}yoGFnEkA9@!GmMM>4s$Glo$}a^o*X!+fX$Jmd3Ew?Cnh_6C%NrFwQbr2~qB>
z5iBFL6EpPRIjHDMDn!SR>`-{zY(IEx-U$P54rSsUIl-#^ZYi*<mY61WD^-*8LO{)d
z)W8OR{gR$yDt8??WGmjc$Xl`$m(~)5H`kU7Kw1$ZRE_r}%<yckU00LL20xLN9Z<sO
z0IXqrv2Vv#SzW>FxSQk6$U)&zq3HvpG?X(dJ!F*1ie#A8pKhEXyIaCY78e)DnxhkV
zGwkd}(o(W%+R;Ph3JI}yfY6%%x8cf*1Kt1+Ssn#!Xf=zcEB!*iebJ57E`TSd?CPzo
zMa+F7pd%cb-3DH<OmPml5r?SoQYhO>n0Mj0V_EMYY1VDV0ZjE#+S5y+do<LSzycnm
ztkx^JT7sKDjCNQ7IqkxVVO;xL0RH*+FXJX%Z=;fS7Bzha33j|%R13hT>ZaYv(x%-8
z7N;M5Q0KxvFhLMPl!IlEzF2DFtC95@AE!4zoPQWmue;)1f)*7FbQBy7W`rZPJwBla
z(?3-{{V84oOCd#G8yp6;2}o#na(RNk$pH#hdAi^?k_-ptSgf<*n3OMi)hA<O7pT_W
z1LgaP;i%2(i&L4<he4q*{*17$f6M%BB81hc=pXlQ$qc$L(TVV3xs<OLWUm)l`uQm~
zF-TmuKB|0h#M9%nRSI}C?uvW=Xt}_G=T^TUpTA()zh(-{MAL`ATP~s%g{r!@WU5h8
z^hR05aI(5G+2M-0)My<sS#;iY6Y;Z$o(az3tsZ+!+1@lS@XhjE@Lf?!BkQxn`pudI
zT*3SVmSpnxLQ>iiK`|*z0x2~~R5h?~v{I2sV&CY4Fu@K<sW1=QLsL5rh4j~(>lQI#
zVa+iT9jiifas-@*d0GWH-m-&i*)9hQPP&MQ?IKibInfrKG?eYF)(engCZURBNd`h+
zw8^IVMa!wS32n5e6yQs#La@c;JSRFl5$a0`-l24UXcMbZ%U9_i8-%o5b;qZ_xACYR
zptx|HD*P07cQ9MQkDSLJmu$yj04q_?Onj(IU2jbgN)0w<4ls==B7a1EkvB!s{dq7w
zv>H*1-e9+cxw^y^@H0*%_xOgkEtwsc?|Vd!u+$17#s_f40611K>MqFicYmC$R71+2
z<Wf*fhdR8ih*oiPsr|Ge?eIUx`bB;%;HGMjlpKsXQiw}HUissPFq*x9k+})`V~XX(
zb%6!?^^n3m*_BQ7j=kyn7t$&4{hm%OT5MmoWJ$b)hJk2_Fcg!XYFjk4BsiW$YrD>8
z)-{i(kAmwgF!WJia66BQ5?XY~XKT3k%KnfHpA)|FbdN8B3Gg`dG%(0<;^5uzQR9Y;
zBSql$Fb%}xxX&s&kD?VO^dNOc69l>>A+8~J)rTlJNu@>D4z;qDi@`#>pNBA`h(K$*
z<NW&N3{Bzp2E%48U%`v^WliX*(6^YeRy9E^Em3aKYw&$&3%lBKXqz9^q_lm{^EZac
z#-n#5_?O7<>jve*rnrkI%SYk+I~1F_{zj?)lI<P^OgF|z0$ysXsWl>N=;fR8DeA~K
z%w93dNZg_KX4{=KKR}xTl-$~e<aMr0=c_+g6}uK!FOFr*Qd&f!<p7{W*Q`jzaG$?d
zx-ZmiR_Fg9QyI=jZpX>Uil-zSKA)g~0N^GAlWBtEYw_9ylaD+3#$~cTgdocUi`5s9
zTyF=2fy$SQ`QX7%>-75kk+2<I?&*E&TJA)AG@43bJga5`!|cU(Ps?vqfjxy?!^22?
zJFyzAT1Yc@PThyoIF7*goDobjG`azU=Jdg#&;@vxvV|U$n=<3197(~*HVP6|0!%$e
z`H^+_Pgb3Mh!h%>ca+rMyK|-l%H=R8slLlQY4)v*QkL+xKIJ2wZlA)QkZTv)6%k5H
zV1J~eCrT^MV(-+(qNHY`GO3W0Wrb7R;Ro!-!osSl>u4Xk@N1O5hq7sKq~7lN>n;3)
zwxUv$@t^`=5Z(v`0!5Yk5uQa~#^MUK$^oV7#mw9`Ggj$_k{E1|WZ4=;>4bUr{?MmG
zQUhAiE*Q3y_vn?$Yy&Oa)ND|7a;&<w7Fna~eT~hA#!NHS$x}3)nvoLXB$+*8vVGj*
zf;BqkP=Qu*=4f-2Q(kH+;L+xE6b9k4>IqBVxW6@iZ5+ar`>IT>2DyVlnR=K+*B(jm
zp0Am02)>nMk{|6@vYrAoQ9}8KCel@~P^BiXL8Qj$#?`E|u)i@b9m1OKy~tF+^>V$v
zX2jdKh&rp!_XBBCNv)Ox-t2$hc&vd}(g9LQi6jX<g>n(A&UU>C>e-15I~LbVX(Ahe
zKUxlM9U1D&v>}Y_$5hn~rL~a9WB{h4YehiYd9i~nT76_)Z&;^-dilT-r)%OqZk}aj
zbPo6^BG1v4rglx>4=o(V^`@LkFm$WF6|&dJRQ*^PSYbf2{;B%NUR&fpg}|S$b`uh~
z8-|jku{bPi(rsVW%RtRj7o5D<iE^O&Y$8|44_>sx@VaRZYXPcnuMM{IKiM?bg8%(W
zAHaXAbiMw9(v4k!Oh`75Y$x-P{%Y##sb<A%)N@Kgyq5Uy|7+5QJYmVi%p6i$Rfqr7
z8}+~9>d!l+jf0FtNmL`2`DJGMPnotG82~i|cPTqM(mYi1THf*D=Rr8fLhBoAE$#3&
zQJT-Nea*h%iT?o674kg;Sc2$=n}YlbSMd204jo>yQ8EHXNf)FJXK5EqT-X>SJt3Gg
z_MS3PTmeaRPb0_VLod(Ae$%aelI{CjnCtmV@c)yjf!<=ITt|??UjDqV$Rd|{t6A^O
zSZmLdJS>+?)BEPIDH4+s>72j1YU{s{>c24Q8C+k33QY%Fn=(IhfbI3?jGwN6vhoN+
zrYEh#V|YU|FoXehD((Pvq1*u!gf~gAD$X(jP*xvTe+8uvhaY8!eoM}7*83fURHZEE
z_cbODK8Sv&Sb}q<7)B>={CiBgfiByXP|4E*eiEJ9VW#JYz*<7)djRB#a)1;@E5$B!
z#ygBAJg_J}oXuly(+3iSi`%b<vO^8IcB79j&kgoOJ#o^jcG^bc|F=Q&6=BW4_HD%N
z`fsf~*uE|1t#o5mlK7*?g@nlSp%p3H0TilH`gUE)b;#Tu6OLLrD<j@o4pOrif22oK
za;`i|&v4U{DJ#BwW>lsrMcsk-5!!=zZnA+Xo3)4Zw}hbfWhcCTU9nki8!<|WJ%d%n
zV>=xlcVs1R9(ml2l@AL5#D^^Abw=^56MPA$q{wWv0>ctI(QC1X0gd~G(qvBSmdvwN
z&kfh%r`XZT5Iw}8olU3yCgO7z2*(;2DJ^=KA6OnGFm`4TW~}W3n7|<}K-B+SGK*jG
zRbxf8XZKpC&Vng6M<C8F30`T*rO&y&rANJ}s{={Fk<tj7MVGqqbO}ZK4OMWqj)r|K
z)a*31UA6hC$ot&SYQ6A#F!kXPAEQA%>;Q{&Z!!HhiSuQgQ5&EpCn&J;hxVYQ0B3Io
z$B%)Q54mOc9PiiU^`gS*&V{yHYs8?AVc-Xi=Q}&i0=GaAT=h-ZJP9p{l41QgWtT1B
zj%Vz9N!N4KDD{RzoOm={ubhaPh))oxSw6qHa9KB4J2=raE8+3FNPOW^C<*5RL66}-
z<1cN>nfh``@G9h$TC3cWZxog45!!g|KDVRZgxZ1M%53@JdEn)s?I`r8NNx}qaz}~w
zD#{};>R|QK=|s?z_{(H-_=h_07x?TZi{LzG{>JAzl-M=ROU3Fl*-jtKa_+OBsUaAZ
z_6Z!Kta-9wJcv8H^?=IdyA3@9@RgVHjl=!Njc#Z%olYM(WFtkf>NF!UB7Yjf7fYho
zB|q>uk$d!(c5YOWw;E)Hd3*7w?(yBY3><pmz`CdTjb)L>{8bJIv;JU|jkEl(aZ=na
zy3|ed2NdEc9o$t$p`AQo6xy4?FvO?9MnbtkNjJAcPm23W0){vtBG@cqz=%4>&({*g
z#opVcZc3yQ%vy{_h;{x%yv4bIqZk=bXZ~f6uTrOxFwrswba2mU2ZnSsqe&q7v9X56
zYK}K~)O~ia(gNR+#|1S|M2FNIIo1*)?=`~5sNaqTZ|P2ZTa*60=s2R+p}n-_0rZL{
zxn{E%F+^&Rj$j(b*@)48H0^O8&UaBYTYp@?Sd%d(XCFoMz50mgf9=Ys*NT&Cl*`+E
zt<rY2r<xtBz%oO?@~1**;tSk<v+MpkF8$&8Cj!|t@777jC*a15$%1cS1uder&ef{<
zbB75FdX+)nLkVOF7Ci2Ibkw{|XfrK%zb8NT)QV*#o={OOQ_9q8J(Q>-2F^W9MZ9aY
zy{ZLjS7xF5V*eR=4D8X|;7fHJ@zY%uY{t?BvBHp{_rTiKpi%w%o^B4z%B<P=yK1%S
z1j_Vqo<nPX%A`0|C6PSxpokKImQNTR&nFU!4<DhDU5Hm}+~A<^{Nc<jSwgdkKb)*L
zqEpC3_w8zYSs)bPsp_3nxV*T!?du+8U_EJ93;zXP2DG_&%4T6b%*sQ<aYZ+iM(GWO
zDBj#ZMuw?It+$`X_2xN|wpjFrmD}F)Katp2A6<?=MGb#ze~kp)jMhhb7+?#ZLgCVL
zDam$DLK3POr5Fnbu`wb^kkd3y!4IbhgQ{RY2DH4kduZyHCRiJEyls{fKs*@4j}I?s
z*7*eUECVtUYdr@n{^F)K{8S&>g`yaqMiTW+z<*MArBeUg>umt(nT3pikmq*8=Pzva
z-U262>-y>3W?&se*O-Gr9G$^}KuYYF$=nJROxZZT2n-oxnUMsEuD2!eZ{$&!G7ix%
z7Tm<vgwc5&xWO#`YY`^veqYW|=K35sWK3?NPcdB>G1y>!n$2g(w%yLMcw7&q@^<W6
zw%v70+6iF>dZ};@oyXz)Ws^q-=#>UXGg5~62qV0C(_#*AkM(kVu_WCx1t*4g3zRPZ
z=0T0kd3eF-bqYIB-|%#Csl84<qlBz}#f1*!a?~oPR7mQAMlrkGVx{G@G4Ico87X~P
zaHlU+oo63B6vWF*lwIcC*c=lYDx^YWueCy}LVf^be_?=QbF^N-Hi``aU`{!)yWsNJ
zgS%ASUYsPw?VX$It0qCkOs!({c06MXWodT@jjwg516o;qerepCs^XLvBMn?U2sn{Z
z6V0v)UUnC&$II0)B(o#Td0Cj<^tAJ0WQ4|^<^l#BNP6}~M!T=yn5D$ESig_Hf@`+b
zzt=X=gs8dO5R)uEQX5WUv~JRn1)p?UyeNQCY53ynfa|Yy0`=Uy<q+)Z32|-d{|-qv
zIvNj1{%X*H3IW~rE~V!&Lo=T0a+YIL=jSn^(VGi&=>2)*%2$Mg`F%ddS5LY};a5=S
z9U?VagNws@&x1$RQ-Zz@0{(q0#e77#A6D-}e>5|I<aGt)4PSG~;uTxl+P;aR(WB6-
zm39hbVh}<ZL>Bgk#}g6MoLmGR9HvC}TXX79tJ>kr@IO(5H7?V%JfI%M&WtdSY&BEX
zV4#A#z?Kh&vf<bwoLK2JbcByNDqeD#jcylNX;<h(NkrOzOzrrC)G){++vtQ%KaBX9
zRgRH4kCe)NTZs=&l~b22)c{{QW{z%wg}t*E`JpN{QI(v&PgiC|__g(gWhDIpqj0)*
zb89QSL^5B?gso3pD-j#!=8)$d%~*7I7{t@Y@&s#}pa-py#}?QE^9qv%L<9xi1)S5U
zG0h{}M=G<PCy5$nLFjGEQL$nCHB;9F)0{X2{7{|oA~C<Qiz_Fox_+`LH?E`kd>G74
z)xq6Cxv1WeY8tccvtDze4R8f%bWC}s2;QDp(a<#qMDqCsB;Y<!^9GL{JBI*f?|v6!
zM`l@XmE%hLN<4&OV~bM8t%~?CBN=R9v|tdZo|uG|^+7VOF-DdZP3lV(QI^SK&8X}!
zw**;+N+5CcPy(SRve!49%o%I*)u}q_%wX=m)L}T(1fLO1AZ3#cg^PK&<W}!nG7C81
zc_pnH?8*wXc}k)|UHRjD*YQKB*Wi6be4(e*oe$u?TqMnI)?KQjQr!dQ>pBPAr$xTR
zl|%1|i-&n^S#ax}`U2#%q;cG?1UZ!P+V%2m2MfqK%+hx~%z(TjS=ShQFSWQ?b8j(z
zaWm!7s-DV!n53%kkbS;+At3Jv${Gt`*U{V=;Yb(1<x*OK0$#CCk%%++aUeM(V9_|b
z@4-MtG5eLMBkvB%#*6-n<8&d^o)cfS?yyLw)|AQb*#@zVNe$>TB74%BY`WZs{}h}{
zZGK$I%vsozo)JAnna+q32heu*>voP?T`7D&GLX!Jf>xrwf=YWuNsN%g6GB?})%hS{
zc71bMs(kXnU*cjqPGsxWzVh(79A{N-7g*)*xTi-=I4I=yc4yd>Y!LrIlVx85;9FvZ
zV{8-xHWZ?jXfnX+vL!6w`I&`EH0Z&>G(bfRLD`S9X=79l2&%B6U1N2}%wlrlnUkfI
z(X2C<?vUpS*IA%z^xaE(Wm5^KJsU8@p>!tGfHP($7Z-J#nSkHJf$3YkOAFxla355V
z?eM{7qsy2I`OaHlG0}^tqGIg9PyfSt)JC$OI+4}1_2z4xb*^Y)+;Iy=h1I$!N_P)F
zcTkvCT<5ESrBamTSYP)G%m-E-7N6_;eW*X3aw*twj)>bGa%Dc#(!tX26Y!<N=WRPX
zqT<rh{5|fcJx=gFnOW{Iv}GY!kz@jCL8Xtq^O_O9%X8a08q~TjIs%Q{a;7080fy%7
zHQO5>gBwnxtB5kye~cpTEL`D6jnZv=FLozISIHKm&N*jn&PW$}6nbuQLm@ty0sD2r
zpwnPO#cfx(kv(rMI3@Vizv3m*|C4ilWx{uf;?-;y{5<KX0D7@OO6?-7Wt0TXfW)9_
z`UEV0WV6m}*!z~8i{5Cb!KQjVjN&ngDpqkaJ(_B&X-^?sdu4k4x@SEwxO$&0C{9F|
zu8N@|Ht%kBLVg$6V=bnEDb39b_^J?WlZGEA-S;{&bF!eV)t{ZBzoGdJS=^VlF-|s1
zf`l4F=%7r#%DjOt{i=d*eRCoqNvGYB`4vtibb`C`07EK~=#%Bsn5L+r;Eud<m&LC3
zQ1Q^T8MtD;0cyS?*cM#2f!0RkbjQH3hea<l<MTdc^VCEgQ-jFs`~%sD&Mi)^zn?(c
zOL?JRdnTvP@pwx1%BOs_1h5EA$pm(!_?UXW^N7$4tzj%1elY^H37}f^%Z{(&>z;Sp
zO=qR*@Xds6P|ZfS%*MVEbNB`6ADS<}4K1FI)-ODAOw%)M$Yt$)qEr#PaT`s_moWkA
z&q82;hkT{OdUH+TC0Bp+S?;s`;J7vElz5qo;}ta3_e50w6!+LHE(enc9Q##$&f_l-
z)d3%75Gu(4@Cm5leuLyv3ZF<;UTHe?8&SYIm}TY0ySL-+rLO7iLu7|0nJc(c?R1sI
z^pYm~d5B<QUlCw<Xo4MdqbqIwLw@L7BKg7k3q6ziT$w5?JgUXNFB;5>3pv`kG0Ikv
zDlieH+mj|&d5IO8+=z2j#Jhyfrjt;ylGOxK_KPx&cNglaI~nYUTPKM~K51!Q-VMWi
z1yT?5iv$Uy0JkT)DPX<wN!l7b%i?GF-_$2zo3yP1;5fdU^rR)Rnyt`|I6Fz}>ESQA
z5ybB2+J6zF7$Cb!ngm)+yrWg}YSKpNwIqoP67UTT#)6aL4mGm)?%{TO@nHFdb#J)Y
z<8*d)g1~w5>o5XvXLNrE1SEfqq4)9CndH6nVBq-=kX1FE$#5U+>6Q}zj&53^6E~8Y
ztosJSXLUPSp4ZS@MUM7q>o85ZSR#d9GqMl6#@(2-PQg%vlTl9_=#`XVVKg)*OP05w
z!R!4P&k#$I;c(<cx5Zw2Lk+1_4hExu{m}nw^LRV7-kb=1NQHZ09c2rji-HRd?$8So
z3aH-2Hi6NhK}l)R!!npRHa&;Xumhx(Jbr&zs0!y!A_DYo-fg~EknXDf6AGw+R7_Up
zqUQ&*cTq-nYM8>nh)+!U5|B?S$BTAZLoW4bnD?$J0mq84nR&22_u{rbcOHG494###
zng)jj62_C9jJYg-&Acl`AuV2PpT|EkX3PASbeS5m2tUi>BOD@fC>cjcKWdzTFY}D@
z87y3>`1n>->PQpE!Ro25hOZlM2hk)>%Yjv`G+HcIqbb=>Z5SZT<9j=}W&U3kN%<1;
zvBY43fm1%UQ|R&OsS?Xjlb(#O1IK^%0!T^hwD?BOOh+W_7wDLe@hOuTTkSGJm9Mz~
z8p=H;F5+9WHw70NHgu#3nq&<?^4em{jfoz5jCif7_6g;t;6rngziw#p@+|#9b{ah+
zn1mZYIkQZnej1b>3=J?IkQ`OSl^BsL%%NQ+osg0ME~Z)D-Mfg7$Qvd+z$S<3J-`wW
zM5Zs&z2%HSB-8CPgA7}$2BBx&0M*i@bD%^I3GIdRh^Vb&aPPCRxVQ*v1P~a9@^ONE
za-KSJ?K)61AIyqw@cvIY4mXM#>!9mW)j=GDWMu_3x6gj0&s<rH_xNo|{jsMvMBsFO
zn4Hb0w_LsJc-W+wL2`K*7y4xi5haXe7K$ucp+GQ_&55}r9;BpuGwut*cSKRpbUEoR
z2l9Vd^_=lh^$#Ka3HtnjUI*4vllGcHgci(B4^6aSj@rDRqoAA0>p?q@$$_FlVX@L-
zr3(sO2mMKv?YCja7Do`5`FFHwqk|?tAnZQII^>)R8xKHyO_}!p(DjvJaWq-m!2$yW
zcX!tS!QEkScXxLS?(XjH8a%kWyIX=22paU8Jo4_d`|bYht9quZPgfne&wWn4WB9$g
z{Ktg+NLf@;NJp>#f1v!2Nt{Xj22l16hW>Wd|6^*PKLB-Oa3u2}_<Obf`;C4&fFxTW
z>X;?TN2jm@GsO&2g!d-Pfy2?v{{{{I-$k)_4?{utpmD&eF@-_Udm7SxbmF8L+~~lN
zpX=Pc`m7|0Ki6?@#KLTfKaewvTFVB&ev4_o(Dp?Amhz`>`5$OMXu9^4kWzFRFxf?#
zO+=87p1mRg5>jFqcndT<tL@ALmfFx;HB(IKlOrReq9REMxCnT|yH2UQX9w?^q=E;M
zSO*3uiP*)b`$n_zIJZ*%Db{~Iib@5X97SfrSn#LfeGJy?XEhFP%VPiUN4N4cXmfhI
z@lSJ^IAC2z3k6^wzc@)UDF}$Jn<S(;((U2Amwg4KW3MKBliYoAPyhWzgo*h02*e&Y
zcm4v4i-iRQmsLT`I^&*kzF9Y6b)I)<hcuO5zcw3to|ya_Nb{6wihp=%+?wY@@47v1
zA`w76dnv1mhdoi#|DKhAE{6eI<slq}VVq{uBmeM;h%G4Fd5|aiMU(jQ?x%p5CPg>}
ztd<Hum!1iC1YIIXiMnJY88$7NVw7HjZv9IbA=GJXxC{IO;A}ILcX-@}*}s8|2ohCI
zO)V^u2lLN$U&jc>vN=OWNx9xK`&7l|@PU%U)6?^3^p>~l8SR|&;7dpjfwGyganfjA
zEgo;c<Tg<JAikdo`=W>2uS-r-jh*%ACl(i?2WAWbfyqbRiy**Cra<@)ZRc_e(V-$~
z$>CV5=6tiS-^=7|xr4{kt(eu@u8H0|+aMCUr9RUH&JwlV9n@0I20%FmV|>63?wc0`
ze36&6-UGb!j7*5(bs+_-%48C;AH%xhcR{8X97qPynW8Q*yrw<8j)(E1#xP=@^%mk2
z1W-@{GVgMs&Su2J>n^8&I|Qh8yy-{*fJln_2Yvf{&>B~k0^c*;zPk*`J==OA#yA`B
zh``?B72f*d3<#SpdFV<NZA0q9<-a|JP}2N}ckJ_BmXQ5$K-_43b-xu<N(t&M5Eg_w
z-GKG!z8CULDsP}*G{(s6@&pwzkvm4k{nF7%EHk8OXK%-kMXjLjeu8{}vbaF-mS~|G
z!w>o-K25OK04{YuwIFYvJbuLh@v0BL_zSdH#~Pwd0R9m)RGd<sMt+vMxyE}^ikB{U
zov*hd-^1}&9CpADgn;=n12Wl6+^9<oBm&h;D$I%LB@YG(@oiS|Bqu+sRA5CgL5MDN
zFH3(YmrI`(<Bgd8o`dxVen4WMr9Ub7uI2=WWLZ4;&UZGNTWM8lq0jY8htc^GrOzS%
z*c9xP`lw}gUBTW~1GnQcGG6D4D%ctK(#rvR{<xSF@?bD4e6_{om&ackE)RzZ!H%gf
z6{!a|7jzUH;wq7lyCAf>-!SB&@x0Y+E@go`x+qlf<|IMEPHIMRSt($Ih-wxDLVoV7
zRXL43cIW&L)^|dZ+UBzr0E}24)O>#*_6avqsL;u&iI4#Bk(5T5-u}4q{<teWLFz9(
z^mRBs*jKQ!XV18WzT48?ROCv{O3Y$KI$wc8(crcO3{3Lxw1Oj{g`TyMYa_*+t>5Em
zYa?mWBMnW!XO())4GFpA|H9gpV0fRe0uh&)5(8%}NUBpbBe`VG+HX#QiEjkk_2_|o
zkUq-<s|I;o01i`y0<Xs|K5(*!jG73n;Z~+p>H{@)I6gkUyu26B3uW1pNREyk56Cj?
zwm0|}q%Yt>66btO;yRrcV)b;_mzJ&L+53FFCUt%ifOAeDn%OJ7dv>Uo!*r>hCQwWf
zhlU>B%2K)`ir6eoHZu2;2p25E(P_dGNs;`Bs^mebMlvg+E}~qxQ?nJUZ3A2Ad3@!1
zdF?E0tq7arQ^twc1XT}&wNvZ%wBKzZ*KJk@O3abVYokKI)3C?621Hc>2gHUGC5THC
z?cV90twFV4d)Z$;Z9Y6qF3-+P!bhhv2I$~P^hgd7uE!J@RF=S8y98!wd%nJ!(eh=q
z5Ug^FvHI+Q0Y4XWTY7Ly*DE!j0fwQSRD06ijD^z1IrrM8V*4oBz(Zpgf+IdZY@NJ;
zzvod$w8Rm%wSA94|Awkpy#lvPbIW8mFg_v$6sw*QXpMJIN=y#Wa7s0pn%XZaud`R&
zLxf`g+xmh~tzb}DgU0hxDJDumjSxA|MY>J>s7+;Jb-op)3yzWQ6@uZ$FB}epLln#P
zNH{0~L-0nZ_AMmgf&)bnc&)qk4VOr{XfQxWXxh8R5p#VENqM0zG3`w&Aeq{oD5kZ)
zf)UuK_>fQk`P7)1D8PrGK_@aWF%uCdlr5yNz06HmXn`D$+a=}#xf2-!<Gq>8?t6i5
zmnBab-OhQLQ*ZM(iq<Y&%5&e8y{`{a=iC+%cfP|w_t1}&@}Mu(+VRlVwy|)i)OyAv
zSRVQf)Tpd-Pr5InGZL*ly-LE`dtKYw7<M<JP{^+Z5l^v9FA{!gs-{e99Lg!Ry04=D
z3XA`M9R6q(8QS%Hh-Ldsw6=zKwp-e)YPFTnOKI`pq#84CE?c~ox>BCDik_nDfody~
zD^${#@<6WNFkZ=Ci!sPD;dpo`j9{8CvN!fqUth9S9nmx1<K3CRKjZD-q6GfZ;MmUT
zIf5P{C&gO_($^ZC%U@3~mx6DUSIeVLVKU6>o54S|{uQx;G$xu{o`_sfq}@l~YI~Ng
zpTDrk67&n`A$mnl(wwm)m;y$WhU=Uj)sDCvq+Z?K|Hxnn@7QjHH5kh7zqE)O?hJ^!
zb5LOyhIsq=5c-D37#wu!PYwQXDlr)ANVdOn7L~Q6=@42sTwBg1U6_WdPmR%kF01Eo
zCdb(7+L8#1^iTD50_OaJI)U;+=74+E_yk=@ITf7f`wm!sHRH}cxL`+F;OZCFZP9zj
z|9vM>(rFiXJJj)Lp{yre!LIZoxAgd~LM}XTsT5npTgJD(8+$!vsyA)4(f6GPBiXRf
z>3YBk<-wv_mXTX`?9GzpkndbPF%4(aN;N#%52No9GUn{YJZlIzp|QS?5DM*kr0u2g
zRzM9*)VA@o5k)aH<U|p-E4&iAwJ1=@&E7q!nm%*U?!Kt+?os``dYuERsE|Tm_^XiR
zClMQV^g99`Xfrpr0r6pCip8kA4}Bvf!E1D^$jEu4<{yRfZw05n-`el47<}e(qo2y*
zjAisuk6{`8$a7`yG;#zk66CbnXvN*7)j~)qOVE3tIX&Z}S;kgmwVC~-pC5lo@>g>2
zw>KswOT<l&t^j?X8Xi1)TZpbokG$R@l`^oreB}iirlIt21^Lg8`0}MG+$f~ABz%)$
zI8ENgqdDu{2zpc6VW2a<_hZSsjdl^|^E*2r_DhxAVb(}k*Z>VZnrVDyd>9PcLBIHc
z{(Pp06w?~i=eal@u&9(%BIi?#MzedO55afK1LwU1b{NtvdWtVa*kzmF(CH>B)rLci
z`l85}9<5554EEp`>KA?a@yE;+-ZGnBX`1*gC{B3pEOno@<zH+o-gI#EzVR3)JE?-)
zAQAh8uu26Eac15cMyDm);iTL*GAEjdO~F3UBG0_~-l!L!p6&HgqTcf3NTyoFcBK_f
zHH?EU9lMPQo0^0biqjDZOyjm~Bsu-KGeQI%HJn0-maG)l4f$$S$lo}(2eDsw@XW0}
zo;#YL9GjC0gF-Y{g_EmyP$4j~+}K6PhL)AaSjm2)Y=G{8gF{IA959{Z9C1owm=(sa
z#891={EL9Un90uepIKrzp`I$rWwQta#Yb6A_86&~^vo2~;iyRVyIw1hmrX?onP60C
z|9yh<Y`Z)2BDYbZL&zcNE_nVW9W{X=H<*D9)$DB(>b`=WsqTl;rE}>@QZ&IpC}C$f
zi`Nnf$!ge49YPwX35q6L89>bpbHVzViR%-b@Qq5PThA|}-7rPyoz48(zVStX;H}nf
zwp&hr_=^>Cx{2VxmHj{&#MMQd&~0GOaJaV>a<WbD;Jz19C7|I#E?hPMr*SAxaC-Nl
zi!H3=5stDCx$;Awm++%>xV*><_m7*DliGxb{^C6(s(7y$7|6_&teDa6>i(7=UGQuG
zgl5MO@X`oeABO<cdbuDZq};Tiq$nT<C)&WLUzw1J)n2iR-U{2yTHGeLG;Kf7y1<Eu
zMZ>6<485Rqs19amP=_X;32<eH1j<$AL+~4@@*k*8o2H{JTFXAfPxGYG**$0BhlhrP
zj|K#xLAQQ2kISDIma`H?4E}N~LHpD5@Gpn<k8mgn7aS^8)P%3-EAtP=YeC0QkTy$7
z>)E{>XSUmC5Ygp?OAO>Mk$J|$lp_pYrGBT>{eZ#?jR4W$n6Icl^0PXRdwU1TI1y9W
z*qX-D69zLYz>v9QFM%OJ+npdmRhQcd?R85<VN)-&TfscgbcV8a_}dYDQ8qUif3Bsn
zp8XFTO}z!Xp5h~5Q4T+Xufh*E9q&1@a=!FC%-hA9%4wOkDCv0WGTm+NZarP9ZAe(<
zn6G%HSwRW(Ul9!gaxp{r??rs-mZx=(!x0Qz;<IvsC$jL|+qnuo&QD-|Qjbh_p3hK6
zJ-@PJ9hHj;u5EqA8=-eigbWwbqo^;R5r$O_=b(i80XvWoASPNJ0hFxK=7<T}KyW`D
zy$h3A@e>JzQVD#HL&EnD6Okg<F2g4dmRS8fw_kU4DH?S$2hZrr=imL>8DcBvBIxu8
zKKXpj8ijT(YRtjVVApF8`@UED{|g!YrDS(@F}Fod&2sze*mZ?pN<;MZV=>&_1oRfX
zEt%+BLZzyE>!ZZNG<h(snh6DKU8CbL2*Y#DrbS?R+oqW@5i<0Hn;b@Y&Ui9o?8JB}
zs%J{g<~B2$!&>|j=19k*F^uOS9K0z^K0<Xe4ro%B!bmIU3JW@ZP-YA)nc*cL)GK%?
z_Kc4sV@bSQ+>&Q3wFc4rnpvrXnl>0y)LD^P&{WB~t5%`{%}6dcNUN_npnPvj-qrK2
zHBn*o<U6I-yN?r8k=Bz_Mgn<8Creo)6$UVvVGeP$@)vrHFAVb3N%|ItfDYmf$ANb1
zB-tW($kziHQX-JbEHhrg0aYe7S;L{%%SNBK86KPzNgsvMcLgp!U8g=rU0IP7yG9#(
zkYsrP7ix}#Wnqu(#?|sQZeOwZ&EJI-A0~tq4K95+z1m+Qm4{v=l}2MRS)jJpX^0b*
z+GSo5oBBU6>HorW|1l|n4X<?IO=^ko=LE3qiiMJQ<Y?<b+O}Mfi+-BbK~lv6D}|kx
ziih55Jk~@QkWaIL?xZFw3cZu7;TsNkkvp6Xro>`VF92R~8L`k3m13^bPTgK!y<UU^
z^7yxRPmi8g>KoccUHbg%2`k%cT$>has+xMmu7iPh1(m;aeo^RS&Wenf^>u!KIF97-
zIU(`U{_>&l=~kf9lWj-Jmdf#QAzebE6(!Y=T<hL&cAGm+bSx)8@ie7GpM;W`g6)DP
z=hqJ0LEKzv9%Jf55Ke=$`~JM7A}oD!ApvRWXNdIlAe2XNSaOG3!fvB=P4a}q8~Fqx
z6m(>N*}&m=T1A>pHU0H=mm}93sy<7o{`kEd?KZsNNC&R8n;t783e9zw8KZ%uW5ssE
z$UqEiK)k!#hVnugYJivzL8~JhIJB%-FP$1G<sFS@mz>drM5<vK46)gE%A$FTT=apl
z<5qqYzxMx0`~Lur<ZJ=g2@iO}p9tiWOeBJ-VH!r;ecA^^6byhb{9d@UR!e=$+n*ze
zC>cMqUU}W{cz`=lYg|?<;)f5b8LTumUAn3s8gX?Q0JaD?!EB(T2FlcOCR(2D@9fDW
zN#PW2<2u&qI~5Q~H-#;a4BA%v!6>AMTyEQzJc}a?b+{y+61x(A^yRTDW&zt7m#BW8
z(65T#v#XyrHS(uM2>0+6NN#-&9t@{it{L3Ru08CV+!RHT39?T}uN1Fh0AMHOY7Jb-
zo5S*rczj)d3x-5VoPDPgC5s|00*_(EOiY~v{!XD&Jyob)b%1hHH8(pa;*3?3RB>(Q
z6N$LTXJ7!U?Uim#5-}$iiWYUi7aM+R0>C1=1$%y;4lx3@V}k>zUtCs!UCD|rjEtd(
zX(AY)p3CZOA;g@8ofiKJ+ruc2?Vlo*R{&_=SF!oxELG+_w{-jw1LQS!E;4zZ;04vb
zL2Xxu54y34?G2RVGN0CBO=LYHXC3!`%?(_%5GzqGv`sWEqjebXy=3+!ZZ(At^3?dj
zCTFb^AV?@D_Ql_b+350%sJ2Z7n{{}QX!qW86CG=<WfQQ?-WZWp*A@ogD5$w<D)C^#
z#~@;wuaVsG*zc8h>ssn*RwUnP`wCt$UE&FC0eNWQOMkAnsoJfN%phV?Xknl4xz;U)
z?#4HV9_FVbin`trjHOS}l2jCAOs0`g1!hqEr2q+5s#scUd9Wh^OEIcgY!{106ueFm
zZn-;kAo+9+iA2Id^<#_WGEFNQ`<vmAgodke@oAGXJgx2^<QO4Xn>MjVr4Ikc-B*eL
znbbzA;%zd=)k6Kr`--p?aaa_4`U77p>0qDQp}v<t=on|R0_B49U4gqgokTU+3!&uD
zl)gE^WtEcb@8?>ch@@Hscl+ph?`amI7YBE?vbA781Y@QP1d|Y{Ss=+baRKXRFD*B~
zn<~`$cg;0zSMYAFLeMfIvCAc?6-(w8(rDE$H$|%W<HJUsyd=A+4_#kki2KF*Pj|cA
zJB5X_I2{tI_^7z4H_cQK%fmGd&K2f8-c!hB$CMkr7xX=US2Cd!G879hlvfDPC$mPZ
zT=Di^iO&PNP3>(k$zy!BbzdKnV`OLXz#xcgD(NowW5`Ku*du@Oqkw|k`LcbM=<W8-
zsoa*>RPsw2mmO4wGeH1N&F4b3BY~8s!M%%}a~5+hrxox_*v_EeAt7)_77zwEQ`AaD
zR-!;u^IWOGwK`kQln2{3tZ-M607L00MbTw<t$DP0QYdpRk3w&IM|UGD?(?(`7ypTy
z6D9MFGc4ttn?xWjLdvzEW&6F|=x<n<sunV+xmuY!?>0=~(lJ#ySJt#qxoSBqJ?zm7
zP@_XUTSTHqm$2h~zJ`8)1vI9$&JG(i43Rnw*df~PV4G|FMF?`aZ8QDA#2L*BTuM(G
zL!m+$%<^OoXHM^?`j+?k2Wkq{^q0(pzwJd{DVgnre`hN?kGWV2IKo5!h-f>sUTc>C
ziR#%9OV@_j^?FC?Y>N{hHx%1nCO4EXS6j_wTHMp^WA>T#Ms$=!bRRo{d4I@oA&s%j
zN80BljQB0_q)Atq--k}j=Ocl4&Sa(C40eI;Gm6CRK3~hl+nK4wn_q~|<?IfhD4lLi
zCR#UrD5R7eD|Kk%H)0UXD_;*2Cy2Q;^@g(j?7+mR($@N1;-~$QapK_{C2Qrb(>(^s
zO%m9U^~8%c9(?svzRh_4!p&`OmsD<QmI&%*unyMK=rC4`K3qVDkU18fLg&q>6XI`A
zj2w)G^Mx{adbj{AH(oT`UIb$>VB_qD<XC9j5qNhbEtbv-Pd%H)bc2pJr;$g2X{#`S
zw%pSqi%9q2K!%4_f&zHH!=h~Ig&c$O=k}Z{?x~ZU&vR*RukYaZ;KI93f&0D}))E>m
zn5!HCC%I>>Z;#$8Po%DO{J50rUS}6`qpI$s0T*nVT)uODO4(`iyp#Cgts$))DN}TS
zkE2|!ijQDfc^bQt=a5-i)}^A`nQ~IODc|kvA?U4Av5c|SExB&1-rnKz`l?c?7TRnd
zV|<$Tu<Zz9EG9bo__@0ScU~z3uDm~f+*PUsl=yPu;INpqCCGZxKti@kgOyZYu&GLk
zN&TQ8MYY&HG5nbD6r(P)7nZPx8h+mwBVx^{GpERHT8t|8d<jQ4rAyKpXIw+w+=MZf
zVZtON=-*z(iDG6g6cV*Y1c$k{CBY6xBlT6*&YW{vDwxhNspu}ON}Gf!E#eUsgN_6@
zrBw#$DS{Jb92>Qb8J4}!?=hRnP7q(Y7L}+obskS7w?KWEzR<PGdu_w5$U~|7y(2A(
z=`P7mGgTkk+?a&t_}d?OgRu`_s3w#^X~}?i9|#)^Y$2nOr#4#l{f=w@xJUs*lJ=Wd
znA%%QIcy$yXI-L9iE3I_N0fb=drP-1rXRhK7t~<!%EDq`GUp0p+y>R(5i%0`$A{T{
zy>f-df6<QWk`lGjyr5T6gHqz(KTx*xSw-l%I^K)wJbncQn2(va<EP_@U>GuE)Ac*?
zzY_zf;4xDSpnR89`UPAB5@HlKa~g{;)X7q9XyBXm&@5bPp8b74%XC**O>A>sl{#6}
z5lg-2s-5~5dc34a*xug7-Gcc3Jtb6#C%!-yXxCn>6%aP~5|8eLbDerF)Gx+XXS1)F
z)r|w;){S%YvPWya-H}2jK}8+>&}&n9d77{oCOs|&^8AnZ^Y|^_yT|Pq_$O%lylT|H
zi+o#)SkQ*UVfDs>c)X9_u#I|TeSYi*U+`^&kW~n&l6jKb_n%_iO|Bt^*=~a-P_gQr
zR0y}B^%cw_MjGJ?t>(TbRbmvbbd}p1e7g-wB@O2?&UQ3>Q>D}Fz>5#Zc2+=s=c^|t
z6^-ER<?t>;8Qo|U)d4o{3gr(SxP?p<uXg@D{A5x~*wK)9cO@aw|6!iepbWlS4J~YH
zogHSeLX}ouTV0+}eOwxt*N0?(e;?|lk8Uic=g$J5f?C3H;|m5p<}BOIo=mwN@TLiH
z66t#tX(EL53I7pUp~>|CDc7>JNlo&`h?Oqzj-05v*#Sh~H<X{Ro_OHB?Z`+Pl-(=5
z+&D^fDD)QcS6n|P&@mmX+&lrJo;?Xpntu4JJvsOPg227JUfV3gQG}3{B6Y3N^^<wi
zO?W<aQZl++XPjp;K5#d-e7SONp^Wpf;D3+!>s=|S5*cmsi|=%AW}tZA8FoPFSH1wJ
zuc^D$#Dt_Y!HP+=-_)Px$vT)Haa$M7Lnzl;1}?sRVKQETEIJu&AIK8k*9chFJ&x6D
z&K2w&azRobBz!EQRd3X1b}rYL<B&by4vH23&|iCs0Lt~}2%LKQJnU97r*XMKVNX%T
z*;C*Nhjc+_uMt9Qdw%d~pn7KgAzsA!)VnRCRS=o67yGW(<TnzW6y=vbXWh<r9*((e
z-6L(aRJg6@yWghQ9SmpETLzC(TbD9>N{vpfK^}3P<XlsLMX8-8AWE@wbm2eDhvyG$
zIFi6jsba-8;BcYz-P4K_*@jBZt2p8?mlqxCHR_H9)D@3<f4=lM0p^h)$yY3L-2ZUB
zxwu1vf+ZVA4kSRhCG2z4iw<tF56nmPn5WbmielVOAt~nHtjBJ@JqqnVG@32X=LgmI
zMVjKb?{}u=rj(o}6!)L%*$HK0Oy()zPzmH`Xj@kyPkcMbl<nd@x|)N=dYV$2yThjv
zu%7n$u_I&+e)2SWIe#xLe?RJ<#&)Gs-sMy&?|gpEutX5m<EI+)U@&Xx?EAt3^jTih
z8$Z!~*!D`azkJp@lGlPmmt33@G<YzW0xsM&W|R-*u7OvJNi%S&;%l|Sw5eGHX?*Dx
zmmxIJy9NiA&#rh|67uGIBb43~3J8_(e~)=UBG$!ev{1+AMz|4-_MF`PaiKhtEP+Gv
z*8kgDw;n<oADpCl*kU$MtJAd!MZgEGG7rZAN!(4`14?JduGV8w>r9T}C0joo81ILx
zZ4ExX<mNw6e7c|V^1*U{2i%DP@XVCf-t?Hx-;_&qI07&nX}i2jxg3p_EEUfERo%aj
z11_r-u4A4K@zVr6h<XYnJvd-_-v2i8QUco6k3kFlae}qI3Sx4cBGyQlcCB-@sUsgr
z83y{-no}TAk<~;*uOz|owaa*~@I=7Oek#aF0fiiEunCG3v?F5z{3psHS(wqi%9Je|
zE#?JqV(YNnu5SDbBWX4K;sg@o{jS43IdnK8B@-#-d5|Nd6OjEI&w$!tVdAnf<S0&#
z4i^&)z#MlJF%&^XMjZiHSqz2&vO?iafrGSU^ZD{n5J#0VVX)YMeGWC9>((ld20%gb
zDI&~a4^<mVqG`y)!DTifTZXH^C7dh+QV0{>UpeBXpb<(aUTpd=JAep=%*4k1h!?}4
z2V|D1YSBK(Cw*~E%~jZXk%0GP(R4cs(aqLWprZ*qn8HTV{E=g9^7TpMG6$IF4ql!6
zBe1Ttoixz!e#4?f5K1Gl?Fl;WQW5)LcJJ5a+L+w$jI?i*M+h)a2o;GWyv3IY)WOxS
zZ?`|lH9?w1X-2X&BUR}YZ*a6j04aXI{O!ZQT#H!#o3vfNEIMcN555RYJ>2LD0vb<E
zq29*`v<9tsub%l;|0P&Ju(ls;lNqrzCTuH0Qz=dx8rhPFp!zoim6`kES95#}m_lOJ
zF>vB2VaL&^Me~Jz=2o1?TVM1K0X*gWmbu{Vk8#pd)e);Cp_PS<gW~xLVFokmL6Hem
zeG^T(p*8OIlX_UsOYfX5=HW~GTZqeC*m)K|D!0q0emd~|Ba-|U<98F7!cP;gqXR>k
zysIkpEV67h1CGzdlfd6iBG?DF^b-ZOEDn-YRu;)uJFVwM0wjy4tFr5?bO940BD|67
zh_Df#FMHp10nw?1YrI=fGL>EhZ+UX^pmWPqv|C4Q2laa3DlzC6&}^DyuVt~WO<Qo=
zfn8;Rvvk7O;<^KwynVK1?50Br@WM-UEm*ZSr9$&xsuOev<C<i1E?u036H{Df%ln1h
zo0lU&t;qNm8iX`HN1P4X{W1Ofw0BUViw|m|oi%caSio-kqLeTWx%l1ncqzfA$hXbT
zVWY183%e0*3N+$B_z58AarZZ)VHc5D4wQQJ0WTkw<Z#_X!=pRM5vl<57%A{P*Hj%(
zG<4*|P|tYBj7*t7Jr?{$H6&_+E{oR{G96pPT)W%UpIn^ys_3%oQ-fi4x*|NSHu&sU
zX*gg8FW?qJXQs&p^`K~eB?ezOu{nE3j}1OMbE&r_kx$I;NxjiZ8{#;8mcx@3#b!it
zDA3U=q8Zl3?6kl<L*F9vw58xBh#TeHU`lrA%1BMVQ`+jl)P(rsEy-NN+-!jbmUfer
zl-=i-u3wv%e-zH_<RCGbn)S4~n%!irx5>Y8sxN-QPq@pPmiwYx)&Nc)v26-hK+3qg
zP(E*LVlKm3<!CQz9!--hgj68_9T+<HTRYWpgIt)im?T_daA1!QB%OR>C2)ay41?v8
zO_GUd)Gq+$QU9(_Z+1l(P%K5>cC_+{mRbX=S(@<K>^3ZlQ_doEzuxicGl!+}h}0r6
z7c=V17Jl@--U)25rr`P^?|xA$xm1LO;V9e)O_SufR77S$++Hx%jM<1enQ_!`<Mh@r
zV@?j!H`Dkulqd~)0ztny2w}clzo;vtt6xucee?bJk7ukLPc4FxG5ADkqeWL0HL<)x
zFA?fAs**v#MHQS8nFDC$vXKK;N^}5w<Avn_IuSSKQ%h}slkgPN99E5(uJ9&?++OA}
z8qu;sZ=WQwYsUy=T2Ch_QIM{ZD_07iY<;P1n1#Net0szsT+NKAF`H8n(S|SMi~q-l
z7oZby{$?6nt|xE3`xF%iP0+e|a1IG#&hH$xy&h`Z;t^Yr@6eCaSOM}h9-VNy7elIy
zAV^_3W{TDgY%qgg`UMZTT-gXJ70Uh@4Wmh7$S(r}13igB?~8xl-LAp6=gG=UGq93f
zC5rkhynN0tft!7JfNXVl?-$Horbzdr96Ze{epe$o{5BK`F>Elh%wM3D=?OaV(`w0R
zs>ndyLpPBB&=;;qq(9FwxHJ-i&N&`8Hx3rj&aRBwyH0sRY~UDWN6g#29Ff!HbDWZK
z{5XimMclwgrF?mJ8(5mj!X{@COl@8{krXJ6oEl%uE=dwa2qoY|el;w#L=(>XDY}v}
z3m;Yl*}<WjcEQe5isT04LkCaUWJf}JP5`K6kx!PQW44k#ir#bgbob@hFblXry)>4d
z-EFXQxtiATz{oS_w^w=T)*BL|m)_$oEHI#t(*5oA^)<<HGXs5MD{(q3vcGCchU%M_
zY)+iF7jKx}#U2Aku&(3RjPS6tgPr5(UT8T9Y);$SL+<r4eWn=?asm*0MG^L4eQjN+
z`y9Y^Fk{zM9p;oHv=8q~h?t@0z|vwfS_|Bn0*s8@O4lxva&lsWfuR{E>-1jW8Io_4
za&v37U))_?<-2=3zD8{fUM(qpFI6g))v;bEo2^^#c4~`^asLCj7mx(BwtDq%Dz!GD
z*+{mItJA?kLcT`_EJ^LI?&4!f2nE0&lA^|?mkUVL@#Eo(+N%-Kk|$TmCG38eViu6F
zxBm&U<7ABz>F&y!kncIAYB+wq#0QJ#ErcG$vSOm7O)R)J&1n9@d?b0O3V#(rUbQtw
zqi+^FZ=dtBz+aTq@HMyQWBuf*G=MMeqtk7h)76-14`^tnUbA<-4#Lg8X-H(;C(#&V
zy{iGU!?Y6k6iJQg-~b?dZS9wVte+(8SV{a7h1f!EMRhpXioHV+7g!45dlme32zk0?
zIOJ?Q0=MTKO8@iwpV+y43=Bv;#vr^$3<hzBZ~-uaed>Am+AaQzQs3K?6Y30z{qtql
z@60zHIo~6G4xWQ)2?*pweIwur(~jon!<SRV`FRRnny^AtWgC%VxD<X)rE@tM;oe6z
z2f$PdI&u_ltI;Ed(b22Iqnl}e+;2KuH+rniE!-}@EyLdl`9dkXBV^2@>+a2jqkKhW
zim===^y5z&R!<IO#EVUf8T1CmpGn0H77$Z<gXLy}8FXDNDG&x9)5XSo`xS~qNNDui
z2-XobiA1R_W1c}_$R+vPbtV9}n6oCKNyhL4RPQ;<0UYZOd-!3wTyd`S5q9gXl<y0W
zAR5L9)W}H44td~&7t8+vtiJ{0{~7eKgTkHP#AzB_uw9x$mn(sF1f7}YnFF%Q=uGth
zw6&_w3<)X`8YLo|bt!XtuSDcl=orAC9)Bw8e^I;YAbzXcck!8^xFzoyrLMhcW1+kB
z8R1!#^lR|bbhYa~7w92remXGPm_}m^He0r&H&4T$ukpu(1T;`aq!ATTbR6~m{9u3a
z6wu@SfRYw#i%_fGW1a}GW2Qvid^TPhhyhO^Lh|nyc#80Q5kVz>-ag;<4$h(+|BGDs
zdniJ(r*{#3tLdcA9+8euB)4}`E5W?5Jnhnb;jcwO3`o*u%|}g>e@5RM?bmsA@SK4C
zwYn?#FCpDygSAOThw|eAstZwXoIj{zOnodsoK3AvMO^E8>h%`OD*fw`_Zb4=h8bb%
zU^TW353hl0$Y-Z6%TB)@Tbk6HJP;2mP(B>ifZW)BBj4G^3LKH*U!HA1tuQ<AI3G^;
znKKDcByMg^xwR%s?AFYIdaF>u;}1s#`v!)%t$^E2{q=fz#*k7)is};>?yX-*s!Z9;
zrFXX1I2vhGZDAQ#f$ny{CH+?!Ka>AQV)^UYn6fK*ZsQ|orgUKOTB%}jz?WJ=<DUt*
z5~(KwZ4Q6lUzP+ZMV28Uas=>G;L^Y#M57b8>lxDty%ebwvv+c(!zh?l9{s3=#x1S;
z2U_<>g!-F_C(wG*`u@F24&Vy-_hZq7^9~9mnWHguZx3SvAMAg|a@?F5r9BT_E2@C%
zJ@{)jV;Jah@^n@BRx!R0jsx==P?1WO_G16o)*y09>btk*wOGn8jfB#+<<2mdW{u9R
zj+MYX4)9`{46;%)!@IF)_W~!a=guc20!ww=&Gk=%E59l)pVn;Dg%~*b5eVPO0JOa#
zG8b-7C&WnUel5{`9HG{)2KG|qEIaMp1M}!$$S5dMGC+*LsNAQ&Uqwb>BkE-2JPZz%
zY8rCjP&r>d>5%y63Wz~O{5uO1e`w^%DHh6zQPmfQnJY9&<oo%4S#^ZCpFQv?-n{{P
z|FE{_bsn?c^bm{=>z?5gK9B#ao=>b88meeb<G6eT9u{($YLE+JIeNtVMToo-2OLKy
z`^PzS5fO5X)s#P&sgIByot^QSnQ)!Dh%Daxzo;dTSq=$6Vr}Jz3CpBJAAFsWpHb!<
zer-JstSLHGSZ^DXK-`q#)*aVDOmge61BB&`?{U|tRu=zw@`ekboPr#S69`X+MV>y$
zU_h4Dq^D5C$cpAhAR?#5Eqrnv{(<YZpZGf6r%*YxW5#7PT^^}^v-}B2dYaH2Z7J;=
z<Lvlmu=*bM!sM{*6oVy6)2w6d&7<Sq9Mv4{BUUs8)#w-*+an$UAup~&Ifmz+jlV{N
zP(C41{?hjk!Y~Yb;*uK+09th9&%g#*<R8@UYS5ypX5xxnNE|!V#l10?OE_vU_Dt4u
zt98aM6Q^`Goxt~=$QX`nC_OP`E`Aa3f`Rmdyd=zuZ9$Md$?Jd@gPXWO9co|V4izM-
zL(N_v<QOX0Ygg*;%91ucm?Q~SWLpM@t8n+->(vBRB9ZWPQfR}W+{_uX3HXIt{D9K+
zPl@UgXI%4J7lC0%?mTN%K78AVPdwquC>j`vX@=8D{icQ3a^07#d?#ojzW3*SVS`$r
zj4+&DcSYH^T0e$K5lnPg4z90-o^_aXAwca`6u1a2S^x*Z*2Rd#xL;u=rqIh~d|Z+r
z?ebo}gL6n}C~5*qq5)GJw)EET!;o1T%n91sOfBd4Lp}wMMgl3sn@&`A&riZuMDPvw
z6%8nmL*P(b^<ctKJ6n;^`v6+$8;s)FhoJo?pn-(cUEAE<a8%oHPfRB}@GD|kCHX}{
zZQ|Ez*XdsJpG>Vhk%I8LjLX~m-Yi7D;6gFDYAFCeqMG~HuRDR*a92J*hVw`a230G5
zc?m!3=vhKOtlSon4Sf^Z8^P7l+_4;R=-~4vR{WA|Oidyz^^-Y^TZS}`Fx^b=ELuUX
zF{n@qfs1}`B7Fad-v)WkBqxpM`GY&|+%7KKJ3DA}jhF+&*@*4>hcYlY{)<qyN(`gt
zIpKsJ#ZDim=T8mn-(Q|l4L@h>f4QhGlkr>=R;4SA#qXz`Pa#s<^_$*04yD9Z3r&#i
zGmQjjHQV;a{aAWej5q(ybL%+=uptfJjLNGQwl!YZ;|<c!@~beHlZh`eWzog%-<*<P
zS{<eDNcEqh)@ns<!$Hbl3z;h2Tu2Os21QEfxg(#vn@h`LJ`dxQEFr)Qy4q%uUhmw-
zhFII`^XCnuy@~<C(-9r2L`e8(m5%rgOLNw~Zxnl)@EEn5e%-EwVlNoymoD81N9&%n
zrlF_QybatL4;=gJqT_Wx&EdE3W(Z%r_#?@oeS5A%AUvDBVOU<dq*One@@#Z{_>6z>
za2SAq<4xDphFs}}FIK3ExL?^7Tj2I(awT0Ax>IYh_vRN|owF|*SF=q(V;Ni>OiQlT
z+^!UbJSX51(CtW|mV^G=HOTvjyyK)|!j<tSm$+vWnaTkcdpE&oY#OM<6t<2I93b!v
ztk)OkrY}E;G3Es?Dkh6#lVFZcP;@X~SEWPXhkDB+a%>tELTOu9{(wLxItWfasLttg
zfJDK#8O{Pq)n7-v#8KnxFO?egE*V|I0z|)LY|U^y?FXB(*?&Jm*6zp(D&(f3MQXxE
z!VB6EviW|(Leyc1yI2!wdGV1>vmJ%@jZ?-3Lwyg8MGBN-``Z@$Y2yEGD?<uS4(f!%
zEQ6A$czJ7gx^sA}%E}iCvuMDQ-@59!MPYT1mpu1wJ<)$F3xRmh-SbzX)g*aDs^Uz0
zorr_IV}BXD-T(`|WuL?<kD^obrSh15LJ`KO7j!!wZ=Spqw%>sw5tG!pDEPz`1T@n6
zJ@JiC9x@8POxa;!Un|tEygXfEy|AuWtZ9ByF(sx&8-=@krc@IKa_MXDWiTJs%|XBV
zPXRb>4qu$y*9P$2(mnHw!E!FB{cq&|G^+pdqVmoFAg#l!MAMwlcq_2HBvUmz7%U+K
z9zJVbpiZ&CO24jcCz3@HpRpp4LS3LfzpG%c{8(#r{r-qQea~NHP+=oJK}$Dmg&a_y
z-kM=3@`O>n+qOrPz;dGqM2&9~gABKMuov%GDIuVE?tp<~$MX}9=2E}=g-aAo+Kt9M
zI-yldluvcMhi=V*98F*_NmTjXm|VnYG2hC3p&j~>M;=peLMv<#7qO4Dks-yGPrgAD
zxhjR>5%u(wweY$sJ#)LB8_?^R+WGMT+E{a>sa(GM7sMY9;eYvjJ2}X|iN=Yvb<erJ
z4m)SX&jK1GP*-^b**ibJ#W)yC&gOjl=4`1;Nch$WkNBx7I`wPgpjjiIRH_KI4|NW7
zIW=ce0|h7NB<Pd|1S(@k^0~d*-PCCD%Rwjl%grz~CZ|D!qJy-Z^Kbr11L|ek0}C<|
zqa%Kim6SPN9lXyfeRDwza98}%(lETuBm?-B4T6Hb6P)U8yLvbHk^u_n`jgw0AR<(B
z$OTCVTvIy3+D+f}LJ46xlP5|9&vV6YejQO3j|-T1Om=U25`y_*UVdKP97D71L-IeU
z+5d1rsX!$WR2d`o#CteXdaWcf;_6C4OBFGmivdh$U&+<KSg>zwX3aLpvVod2p>ZST
zh-ALchxzcc{}~;3l%BlSYmW4wudk?1N<l~f_T!fN&-Gk;`4dnTIWC<g%KJqBEIX>o
z$rE~CqY1mO_7C-9X*W|=BO}Zt>};s@?eGV2S|3)2<#|we8@>!SG^I^=YKkN98}pKG
zSWM+`hkM6o&-AH<ps&YB9w*4Xe1#V0S{zmj)Dx#@`)*8GO8SWyB7Ifk@&n9ZRPVHK
zZZcFNP!fZ_E$wEUfb4LDm@zEh>J${Z{_Q6IYeoO|oxOm+4GGp)pn7DO03jI#l?3Fk
zn{PQB&KD@nL4*Ng3eqWPs#Yj$#fy_uBYi=GR!oO4YFCF-5F9=~JIFpI!9qm5(j=A|
zZS@VRe>o>)tyV#|jKo&By5hja4vlK0>tHpd={pJS8%+p)p=3x*BUXev>;dkL^)RDK
z7>|<2ixMU5Zlv?Nn_nux(q+Dfnk1*BC$Ni7Co_SQMLuP<JSt!)+)lGFU(2Jwo5cQQ
zlM%%^vY2@_;-yeVxCfUk8ry%!K*~jt4w;BT7@*iY9Q}7gg+Cp=zh1U=8?bU7qobbA
z^D05hBS11RUs$RnhVST1JdVuy60S~BFrq?p_IS_HOvp((c;kM2t&!9eQpJ8|ZlHMJ
z2fG^tufA7UaCyIIwPb6aZ4ZYcXw9OOP;Yg}w-%gbSENp(F_$(NQZ70AYrH_FkPkDw
zJ?k?jNqjsdFPrGeRLYRLdY*9!nZaQU?_eW9L^r&rNgA`tg=Db~DYNz8l;*!Kz9sm*
zT&zi&A1!vFV}MXnjfR4{wk@(m7fEZ!3Kfz3tqHU+m$?MCvWvs$lY=261`3_}PDy~E
zh<Yf@tXLSi>TQs&L~GnqJX?5_BE0mTc#fZvy9N$obxSyD^Huo$U^Q)*OeIsI-f%$p
z2h#5UDmJQANKh`D#4rIqv+W({DyOPJKnZP7qKsGUUT%M>1S|0yJ_<pQxx+6@*7gp5
zg$QhtaI9}A9}xdnZ=qbkiVQ3AsL7lXOO+U&#}bZV_N>02f5SeEbj-8Rtws59BYk=f
znr61%G~7Qn=f8i-VaPMej2V##7}Dl&Kud~YQ2gnprgi2u?Vn-wza;qgKa4?uJq@x_
zBYxRs{{IL6)O|g&poTy7s1mmStlaqf_n=$Kw0}1Q(jHDU`y(InZxj0CVkP`tB!w&Z
z=;Z%+LUJT%Jo(i9r}ckPw!dR*Ze;!00a>Cp?EhhW96{qnj`(spAO8Dm>i@30UICD?
z|BneOGl0gGYxYOK{G+nspDN)@1XS0??SEkU-zVrlCi**z;KJka=^t|Whamj2LBNY4
zW!!&lF$a>0eA{nerY(kY`hUo{4)r&#0GW{aKPE_n2^yzazB*X_A2N0&=_v@$7I0+w
z?-LaGMv_N2>P$z0N|ZSJ)?k=fuTJ;wWfU#K@YI9+55KDsrs%{l&R~gXW*T+*O^AF@
zyKfgYb*64H@Y2bt?i5L}Y#SJf;on7|*gaIGe74qw3+g1dU^@fDXNyyo-LbQ4x$Se#
z1+b0!Pa6~7qZ3Jik%%3AvMjV6gD6y}7;q3zBDzs@fCaDK%85rQt7p7h1cUF>4|$;k
zUIGt%ai&vdTQj(<-26#=rqPYWZ`U3)&5sY|s{-EjuxBMgQPMBb&0>3@TSj>I&Xebb
ztRpKajI#+7)ofCDSdCBQUX|^7ovK~Gr=|bNAi9fK^_AxXUq(U0=#>sGv-tqp=gwz4
zo>kVyqZ+rHDR`YM1W<9Qy?i2v^{mld9cDd&fjXxhEKhv+6=7#|F)o78@lgcyS7+gY
z*IV=Fqj#XbGAH=A1GxV}PyUp+{2k<lE-Q29@8ILgK9Q>huPHSX?mei332gJHHgd`u
zWAJ+ju*g9_;dM8G>|^11dL)^Gnw<W}$zi5F(m8wy^ObfR7RQBG_nZ9ht&Yz~DKE`v
zlq4w3CO4HMG2KBnxJ$$j_3U>3!0@Hb+)%Y<%#DR$NYu#ms{Ml*s>L`=O&co-_2JD4
zM_KD@-@7RYrV5(V{kP+E$shh?K`2swkTCev;3N{r3K<cddHTK0DJrwKO4gNDg4R@X
zXclutq@68sNZ@4tK{s2a)1ME!MuQ|_7&4H8dDRj<zAbHgU5~tUJ54psdbCBFWD_$2
z5P2`jN_;ONLfl{r+mnx+){P<4!FQ_@dUfMt>7P)U?Vl6VZufZWGAiqw^SQx|ytp!}
zUK<k?a_ZJ9ozmR?(<DDg1D-8rMV?){?*#Bjgah*xX-=A0nKkGhZuK{Q$O^sA%{uLa
zM9s<xmaHi{9kmuq&?W?k);vb~c(h6q2)_9k)w^yd6F4a!hP^Ltv|S%a)x-}&&TF@T
z!<KYgPQX@J-&@g=H$fBV?~Ib%1Z#!i4NBWz1kH6r2`#)IQK`t-Fwrn$`td|)AE)ig
z1EIAS!~J7W#+y6uBRfEETFd{kEQX`a2{*xUY=)r(vxM)NsACfQ;j&tTBQqnM@$JQT
zWt{?pC8q<ENmIdADZiBoZoK;qCs_<`4)qRn==h}jrGI@Kt;%I%MRD^v2Ja^ZoiLM3
z*FK3Fk<O6lL0(kxesP<@v0DDXty-2wbhCQXVdSXvN7$iTi!c@7q`gPre{3v&S~7XB
z?~cL2BA+;Av{P(0qCY&vaEc%!cMq`54h)MeQ6+y%PHM?96>;^cJduiO0ZH7RSpSP=
z&?<mtOj^N!N$9lLKOqO(C5M%PT${am<*OxuDo*=O{?}oH!=JTR8<lT@Uvb6rGM6Hn
zGMoE__M)|A18Vc%)$((rfBkrX#bU@bw~x4UTt0t!+hB53Ffsg-e7mq`CtQ&IgQ$}o
zH^!t7Vlo9|hohSK0Y=KqwH$!(1Mhy4W1Mo}CT;hyrIy_WUmbl!B<*nr_@{JOS5JbB
z+rbB)Ew>|nPLzH->sXg<Z$HfKH|)Tnt%&atj-Ril`0evI!tMzOLyfdjcT4xTd)E13
zvcJ0cOL-|AIN(#;{pY5%zlB*SG}ZPn`sg{YrJxExMp7+_limxjbR_{!n*4mkJR*kk
zSfSGOmzNdcRbyEl*&DR|B22tR_m$P8FpYMv)w!;{RtO$N5@>I28oA)hIcQy;Y#ygd
zBRz+_D0!%TQk5L*2C^9sN{|a=LU^lRP!M_S;Wf(5;!N)Pzua#@%T-hhJWjpdTdLrE
zaCZHm|H<GmMCCH-BzD?tT8x$uiYv4;WSLJ#Y>C3sICsV0W_W6U==g0Y>M4}u(3thY
z=Zw5+9V3>YP_#}J$`*?g%8BnYhNBj<l#;EOrYhcNExFzo)M10+{Cnna$7;-t!Z6?1
zq+HrHzFi{N#HQ+cgPpbz3f%AB??w+p_iH<2NO>ZZOV;^!!t=kiA_($6?yq9z1m||3
zs2tuI@V7Cl@US9iM#HMses{OJW5=4UUi2koI{b&7`@?4D%>ot_AYMgY$cW%i)>U9(
zDv5RvVD%v8adoj1zWlt*CGRe%P?YQIUsNDC`$XHf<{|*Bd*6*O8#F6I0%!$PJpbJb
zfX$?ZdX}vjHRBhDY8_IaoTcffshshm#E+g|*WtatisXIdC-g#9)OU*DXVnePMCg1H
z>77>%-gGe2XNuqe_y*u(8i2nQLQ(~YSH~}-s|7!tTpWkS>D%FP#>MKk@J2t04@j9<
zrdFv;7IWWd*URI@FF2E~4L1s4fj9~-HiS@wZNWLhpNdRU`YaXpdgkPqeHN`7;#m42
z>6Jf<Ggix!l&P>v79|~Agk3K0K%R&Dq)G6g>v<=}=NOQ*Im^N{s0R8QCa*~Pu}PMS
z0@0}BEv-o_6Rka+lgJ1M3*F=bqNa|eCoiLBxyIBdU?QSKbJJ8~K0asu=U%3uoMD;`
zdL6;Mg3@hwBI9a=dFjt4TwsfU4F9sye2>+cZKJMsVwV-bHP+<*y-TvSvyhO$=bYDC
zW`x3x*b%>>-C(T<fVH%hsw<*pj@Jl|1XZs6#RTH@YVmzg%TW|#PAhuzn9#=aUZ})m
zMO>9d(4thOYBtmTFR#2N6~lpR!kwEop^7g)kr|IqgW~BuZ!};HQwbXJIf-Jsx{_Gs
zLvc=@0Is`Riu8ODKa5NHgqf_CoP$QBE`L=Fu6(p$4RMJs11nWbL?1;bYtshkWy24T
zstgJI3Qm+Z@ZhW%!4WCT-qK{VXjYB#HKZWuq7G3#L!M?MSGK)iGRBV+LH;VLKB#~K
zE^%98v`k!8ro8CgW_XpFBSV9)Oco_Fv=t<0+DT_aOT7h1FX$0AfpUR>h1Ir7{G^_o
z{BX_q?~dcl03=R{a#%|%1}%miuisPXeQ8T`-`v1AmD3;aVh6mb*|85v&XQ3N*;T%e
zNt4#1*RJRGMq2fXq3~{qX8|@2*sRp$1fMj9v^mgYuYS<^MbJr?Y<ojr;PJtJy&EF-
z*LJE>mfF3DmGoZQJI_U&hZQhPARnF#Y@hcs$Eg^xA50`08xIFO$D+nj^UnS#QJ;7=
z<=uMdZpPxJ3Q-+ijjm1oA$Xr3OEQpZ7?qSLFEEWv3xFlrydQ8{xm-5})xL%vvHeh@
z8j+G&@xWW{!ij{7h2!T}=grt%LKfaRcU9;}qT@Nrk~;Ob4Qw|!Ue;oA+xmE8a~j$P
zhuJ4Ud!!Eh)EE&h>YfL^^u~eNx!&RTovdyEpEpLf-&UN;yIYjEW}2=3$LEQ*#2xTT
z<gd-P!8IMITy7CbA}KhLC?~$1-^%qqCKK9T;0Me3Zu+}qzBiPpMUaq*2o;@&Z`oK7
zra9D%g$(rl&&CZiMUXfY8S-kPbcw-MzWqOKo{G~bSVhas-Ywcm4vODe<g=wknWhDM
ze4W27&Pn*dNv4X~>7Y;Oj(c6tAQ_wA*-paaj>~|?1^gzu>1x?sRt8_Phccntj?r?T
z6_NsGNrpC~Jz*#kFBziH>AC-fZCGB`uA4WI#NNu9j7Dl~_hQP<7uV6d_3VuVjFUp{
ziPEuxD(+^kw%(-}rN|~h-;q++<Jh4!@w-8OPlaZ6%$^U2_TlHgf~yJC`&|tbcFZd7
zkaaB(#it)%e3`zlckzb2B}3n43D^5QJlX6(Jxw%{WHJ{Uk1@`1Jd5dA;)?Gc_;;TN
z3ZI_{Ldy*J$SJ-7cy@F%?_CD8esn~)Y=d4umKPS;Zjt7GNc=^t5NeQT_Q*L-K_^D!
z){<>Tz5@+bDYC39kST9litg=%*ZR4hzU$2bVWVSXCtodbgeC<krC&yRzw9D)Ww|~6
zG*+_}Kz+Fr`6kr$>%)Y{Tkb>eCTj7w_dw4xbQGBb`8KN&D0yKL1(*5f-v7WR1rkx?
znh4&My=jICPr^u%s)SHvidrfdicR)ps$nXm1ogh%EO%djs2(A~wvg!7hGm^A2{S2}
z4c0&Ie)AtII(IiYhkAZ|6@K_R&-vhP#lv<HX~*{rO>#>O>aX5bN43f9b9U~2pTp<=
ztJ=+eVh*`d7e9irrF8!|b8RnwnZM^d>G6^8DI}dw5hI43WWNr3(?FPSoR_R6*w;hW
zIhQA;#Tl8~>vg$8=}M-wk)Pr7grr1WUsNNG6XmYF`uh7NtL$MReXDZ#Q`TdiH|Ug)
zCTHSsf%Xzak}!+mz}AQesXXP=oo~lTvO!FW>gw=qYY<xmG)YPFcqk}hWUC2}c4}py
zUOe;|bq=aRf)$ba1;xJJ-W^4sF@(t*9AQWMgd;C!1d`Cug$}<#xVT)J8HrLm!bM09
zsPt@($BxBc$0duXSV|vXsL+qBDClZJRsuiRG0K(e8mVAAUPt6DxRX$gV1|qtrk&F~
zxGR0V!J{D)R4p(3Sv0g_gMo&gDpY+NRH_t4+|pAuftNP&L0tGM;ThtYm^C?KP6!FV
zVt6*j$@uvndB@)vj!&$gZmqbh>nCss2y#0lX3E2xVVKsoHezOGW^yjB$JO^*87q?T
z*nD}EP!?x$b|O}$bZopRm}QD~J>t^rdm?)p4Z#1$+FORz(JWn{f#B}$?(QDk-E~7C
zKyY_=cbDMqZo%C(K+tR;xVzu|9=q?!ckaLYb3eUjdY+l;>Z;YNR+VSqE$z1B;fszQ
zu8>3J1TH?<e&)KJ@^6HMipJlBH#&_K!^F)>AA^*Fh%k`skBn;-?gtmJ-yQX>ikK0d
zIG9$Rb4McL4{YjIX|n?$wB(GA?B;LS^BrQie$o8JByn6h=Tegd`+|%TPs+lB(eH4U
zC@y#N^!U6iBwrBjr))pP+T-sj_ahrSm5Ru)`B*uTXQ7~&JrZtvN9(z3cmSXApj1<}
zZ2O#e+ff=y$y2k93K5o!QP*>cpkj#$mgSA<bApOD=CV&Y3ZvAz07F+vm(#$&TC>5v
z${UFL^cRfqpG_c-7M4SvBcHpA4CN%6KQ!Mb>UYoDc~w6fL7cDx)v*F;X83mW8P2k>
zrYE|9+5ARZSZp{+6x%nXa2wQUgVLBpv*`K)IBLbx0TLy#`EqvcMqwfiPkhMAqBdAK
z$_93|dbTqHqPUnoM4u~`vKZm+obM14<LO(3%-{Zelz%-}jSV;=x`MPeN&uiorw9Ii
zb5RQ}S(Z<>nt~zVMiSk3)k)iNrrhO<?sTP0Y3irAiMlh*-RWi|Bs5#m1GsFhNSEt5
zW4ZtZ6hHdCT%eNiFmKn(r9dQaUcnovax-*2nr60$eQZnvu<@JR9VEf=uy4@%NiQL0
zPim&XY|D0<;ZK|TH_)LU_Lsj#K|zIa9U9)yZoO9i?jGzF8=eLz$*WDYQZ&$zNJbl%
zC8t9D;5ys8d7*)GF&4R1ci#jOY}f3Y%~y&$Yil-Q<}h*u$HHfPmU&%P1xPhYGKe2#
zihnazR*4TzZlrdgaH4pUc=)_*ho6w37r>?JJUo2bYIWQ-^@oT07bf%448epbdPV(2
z9t@4HleBpMnFGf-e}z;O2lZ#TYH<N^@dR=NrfH4|HCUkvnoek$b05weB^q_yx8C|i
zvY(}xG&F6+`ZXi-HeO)&00hg^xbX_vhQNC1N~^XO#wW|>BNYiBY8}YXM1iXHZxBH;
zaYI>g^V-Qx>vbV_3iI=2HD(@vhG_o=Q-xqS#*cX45ks^EM`pIL8;NqlQ>VZIE~wJU
zyKqi7)_j{!wzw4)2r&Q`lQfeAclVAYmng6&x<a`e=h(nb&-n^$DlyFJ2N{#d$<Rng
z!M$=pxDZuXWH)Yg)k*YUfkn!5Yz0kUrF3*CVX3&vELN2Xt3y>(3}wLKGg|DQj$z_&
z(Q0$A_b=Z;GCnVlZ;mqmG5den8k3U0)=axV7QNs?S>?XIOrZ&7R<24lYn9Z#XQNbT
zDB$h4Add$dsK8FtQaf?(YFIOQKCyUyUbb1^Z;+Rtk&|vZVlQq=Rjr0qKHElb>Ps?4
z7EL!S?v65{W@Etkq1D|Kl%VX5My!uH>Hk@J|F(C0a6}E78kpd4Ge;IyTzWSmN$q&%
z_9lG>s+XWdrrqtA5NleP;~{p$wZy^LrwWoNG}83&o6cj6BxTj(7r(XIT1KJa|7{)m
zjS!iV9Hdq;zyei)_d{>mRGAGDvM&usZHsifnP%gJ=6|?@e?QYla0RkV7{$arXq|NF
zPsYdoomCprIo@4=qtpDqJ_K}8KndBbX+Z=B3GK?)obXBoPF35mzq^@#-S;0$$<JS;
zkb(CF`sYs7fBT~U_fKt9AP~?|L7(c3;(x=Kvx^|0)$%KFo#=m$+bf^|=5{mN<k$bt
zH~;5y&MODeW9JtK+Xer$iGPl7XM)J(W1J2dZAt(8Aw|^CK}c(Pgp=3*9`EJ+1Oh^>
zfNT!bf8sa)%n}1is6g~}HT3<ve><4Jx#hoJsZ}5d3tk>H11kPc&>aA-pa7boglhWq
z&&cv$WS?aS5E5DwF)^6)|KVygGeI*bC}gkwlRNcaU-YjZHLxHsSRXwtf*-Wa_NJim
zbU$lVtvP<Uqi3|oygH0pxLhb08l|b|f@^k4`SUe!V1j1PjO1tqA<ZJ_D0P4ZAo9g&
z;vNg<C#y88f{S%9@0&My3VoU`eJr7W^O*i^0==9fA|6Xm7Nz%HY&xe$IkmpW1T{Gk
zARaXOgAoa!RTt2*ny*>T#IGNfQH0zMCp%P(jMy17u6LZO1<cplH)+^FKl1#_nIW%S
zzSP#lm9PqxGzQL@Q_H<t#iC>F{C4%)tW$0Ji%d+q6jl4h2|Kt2?t2m4NZY5Kn)A!!
zgCN!7(5^Q{LseqpKXdx+Bh<3<+PlzZszEf_uQ7O3pKm)2(UeX&GUDkmP)biV@lD~l
z94&Dyn5H0VRKU5=TNs{+;C)vk*^&@X`L_Hm;{^S~QHXnW1KPj&hWJkt#ybL_k#glj
zLLlN3(5Z~aPs#JJL<2SA6ejjRk9BO!>IL-nez~|^6v>AhQe!6?91~k}n8t{Gra}-i
zb0zD}?19WN`3X24ZU&u<f+SlYs5b6tByWzjKVA%WPd#{^ftzBbke5k7uXDTLJxPRU
zeQO15h3-Ar&e82^;mlTuX$kP1vWka5&kallni=^)xs>9AkVnYMRszxex6hZ08$R`(
zdtcWtM|Z+6+(zD}K*U;G5t8vb<9(v?+_JNeEVrb1Zgpvk({qCOEPijQyUDoQJNW+F
zBEs5caM6Aid>x_BKW<XE|1@(8KJb`I{dh96w28};jn8$r3tE@I7su?K7J9$b=lQIq
zJ{%26T^>3ilQA%8qbX+Ermz21W#xwrZq?%py|DEHRqeSM?RAC|wM!VqdK$v5OoM@<
zUFWqS+jVmy$74`3l%sYgb&vJ6>wU)jVjvZL9_7wXJ9z*7mXZ&FAk0sI9kB)2nBHTJ
zPxiUsSB(a#?-rKznv49nRn6!Kv#?LV{?-FZN1cU$`xZvoL=x-Hq4}6giTHR@lOHBg
zj?l+ce^>YI0IxhIz7VMr#gT-g>t{`$*u$A_*!R2dm)qZWRP4XP6J@=TF(u=TW=_XG
z5Yk_~6e0uOe!Ab_3P2d}wFEVvfNL`7Mf9_MUzGfM<uLiQeEjfbN(ceZ2bwAxFE|Gz
zetk?low6Pdm+1O=n4P)z2Lm2+_X{{5G+zBfX-HjIi&R^!V#WW+EpH(3mgWaVQz;EP
z#f_iZjOV3G5RSuKpcMgIeLP)!W(>CBw)BMD2}@(qZasmbg#pnvvsrHyPEqpP%wzyM
z-Z(p7{V)f$tzLYkm{d<x{IdxDk~j3Q8B-H?Y~p;eykkUkkbY6E7*BsRAumcfY@t2S
zosWe9$^qJqv}^=L;BofUzVO<v>wyJ$mK9QFo0F$Lo~K-4rEg@)MtK59NhNqiXXxWz
zwz%n^4ilaG!lHT&H_N+DDC~2IDB8IduzKDN2f2sCSx0Y+D+DH7EgX4<eBa-?#UPf(
zpWEA6tC%#7e1aDH3%$g6st-dR{|6YIXXs<F^WeTykN6rOtXIYR3qJ=Qw`0A-!wQXz
zd@8iK$q)0!v9E(_6;jnRLp`mzp$T`1u>?{PqzKFc*A)HVLG9zt7^}82!e_%{FYafh
zA0M&*+*}lt@<8oWJEx%dhp2E?TJgVZa<_cJz>2~g+QXdh4lse`Ss2}9mF{rjz<TNU
z_#`VB!eEhX%Tu|p1oEbDB@h*nOnHN*y_e+p7sJQU08)i~0dhi24NnSl%p?n-+!=^<
zKX?PGQ?kTiBkcdkK~qDNWG?c7?rx8yG!KpOV-t@D9cD2WWwOg>8jXD|)#${{?*xI>
zJVm#cAz7W&5=5k8{9c&T2@*2pTu64)*|3%2GA89BT<wSAxk^D(D_Hw-jLJiV!;{>G
zK|^#w#lWr`eL2NxGE{0fD)!mJ^LV_zqK;KvV$FsYtIZZdT~0R`Dxhhe5=(?oNS+k+
z%Zs2ifL3xmgdx}?jGX=vLZ>|WQza@J67`>Z=o=k4q9(od7kKZNuFIQ2J^S}?Fb-HS
z-?!5b2+l8~8BRP|j$n?(XzV>ku`ly*4_+OGYR4>H@=O8)UarGyQ9rg1A{JD;lH|Zg
z-Za!}nl_Fe7?<^XYMs5a<6t@1z%mSwC?hZvre3yB_u=tjYkYm*(y<l@1=k?d7&P$(
znRj7q&(7x?a*!5+iupDKjuflX-%*I#_HA!YR=~aPiAvju;|hJ!TiK%~sF$d(Lu$iX
zey3Ah@%40)Sy$@A#<<BnJU_$(K9i^63k&eP!Zt-jge=KN!W?1=p@Os@FUcL!fvk@s
zCO?zv4}O$lF3FHZ>4Vt-v=v@&ZM4hv>*Da&^*K;f(xkDX2v4D7`(s`;e~n3<k0@|E
zOI`H|T6pc`;4H8=bRRw7{2vn&&-+vm0dw$^vx9Imix2g*Kl2v@q|VFoi^hrz$uw&_
zNs=>UH3w;6_ZPFhojs*}kkycq2DnFvC+XRR56x#NnM_wOK6oEO>9z+_(WH6ky_mbN
zSoD)K0Ct=Bqzt%8P|YQ7j9~cuxM->ak2K;fK^;?_92B)SG%^no?8On)@R`_)h1pTk
z*i7~i@vCvjes)iykubH_PM2^T7I9y(Wiq_!xN4P}>mP6B_{&x%LBx;N6taAFJeTXR
z;>MO~Z3fOWt1B3~HJ~{xKz-g#_hM-?mlL>Mmk(Y-)A`yUi;ofd#AbwfS-d2&|3wUN
zednGDEL>Dby+W`!#GNnjQ4)9_Z0jhMp}?BvZ0emkztPH0%XVh+kPK&!Et+-j6*~)k
z<3=7V(u3-~uP>eLo;rtToo@I)SzGTC`D~s@oypb9WUwAZpXp_)Px`|X^-A+QkGkzw
z2yXab$z!SrEY*9<AKS<0AC;JuOwE3q3`=e8)W_{7;Ce@3d@KeLAK-B4!9Q^+HmoIw
zpUx4s#vR1L7{x`s<{e4&WJ$CP5t2hEEXe_?owR;-92~E}Ce?fV;0S)OkoI@TL0v6Z
zM3jsp2)zvIn62C$#!W-<4<!3(ycn~wU4mKzsr7Shc!GMR{rPDp-^*5_N0DH*^>Xyh
zZn4Pf2kz&m5nv^<VIR<?Gd?LRY*)?U!K3dhMlx)IisTvH&1<=n-CFVI*q{{1!?rx;
zup#Zh1#`7JoBb~@E%!7C>iQJRT|ha}tG!|)%yJ=Pje?<vPRX6#qnV3MZedbJc4*xF
zr1~#=suW+aL=SNzJBQc(F^#&y>{6?wG!=>Fr*r$qDTT=@+Y)ujWrmCGRH2KEOc1cw
zFg>jMBZnwu1Pgb_RvFEBd=jg!s;IJ+Wcu>Ich-M7cE!-*6UR+6>G}hg0Y!jl7V*Uq
z2c=n(A#_2g-x#*Sf&FL}g6o%epOaXtyr>EIaw5%z^up&0RHKQ0LfdV+@wcC*U-oOs
z)t%c5{IJ^yBRbUu{!-x<m6<^0Hf%`X48<qH_u~(BxftrWtz><jxHY{kD50{rGFbvV
z8SFT?wX#^RHe(|Dwdps6qq1}2>wu0sQ=^}p%3UIPs3#u@14F*0af=3dmz|pyDQQwV
zItrpp&_zk7vW4(d#SsKt6eMXkpW-m6_Uc`BXOzf-f<>w@7e-|QECLe~4If2ML7#+3
zn&tLq#B{-8_E14~__6({ve=&;S_*_cT0K0}w+kw*Wm?f1bo2~P79iA{y3l(*xbCS7
zVA87d3mqqT{|qMpvqkhoD1nhoY>|%nVX;BPVUKPlLfmC}@0h2rr`8Ib4U@>v2J7bN
zeSq3dD9%n$0Klrz&s`-96^l#j)7r#G*mU&szFD_4By>>w@>NEb7dmJ-_SK8)7e)27
zhK5S;t`qJ7_o0mU-MARV4^NTLwXP#7W%&ypKOjs~R_58d`EvNxm#_dq)CvQ7W*QGC
zYjJh9bIb8-qmGm0AI`;*i%!_&v+tBJj<*KZ{bmM%wE|;-lOG5nU1D(ABs=1kcAq{M
zQvR@_gw&~vmxyLZsgf-$PVpJ7n4(M)Ee|N|%)*f7q7;JtO~;-Hyvsk)2Zt3+k(QB>
z)E*&yII6ryJuocwP4je5`Xg5isFcd<1M!x9QP8a*+qc6{M}Pck^8p~2kBFJ@=gW0!
zuE_kLRvSSG?P(2jegTX0X}I5p&CE8k?w*d?lf<o$(AN>iTWo|EO|zA9g>BzmsfMvd
z56D-^pXW`4FH&N~U6>WGkcdKgNJ4Rb^M-1OnkXLYK|v3umtDKFK{?qAo$T^1D&3c{
zi#^3+Ul(*fz{3YiDTa$E$0b3Gpi-lJI0zdOk>FyWuy%)j`eZw&HVJ`PFnY2n|A}aa
zb~8%ifSN)ZW&#u0$cPUcDI;P!=lh4CfS;5#HDh0~3L^9NPVR>q3y{8j@N+IoXMF;q
z4VD`Ev-qRlPK+vyt}%Z|U<3znrjpZgqI*^t!B7NDy{M>a!`0@oz<oIkSSXzl`&|>1
z5%@6PBy_MyhY~U*!Q;dv2aI=OBAoHP5>%wfA>}5e1P^*u)>TDfekW<N`W=-0qF+?9
z7e51DtuG4Ntnww)J7FH$Cla)j!O=IEp$fqsA&YNgcYxvU$DR~<x0a!P(@z9(zfHyL
znnY!4zW6$Cb(9ZX_reoT8$lHR*f2Yg6}X-wTS-2nk>ihE{^AqxY?u)wC3#b@kL2Ta
zK%{rQ0iE9N&hD7oM(if|OhmOpID=J-wNY<>NY>_Mh|pVc7u)+HAuM)$M%hfN<_UP&
zu>-6O9@13iQ3f7%-`-sZVZ-8)(Qdr5zTV!mKGy52<H_ITsH<*k`n73A@yz(V6pm8t
zxx8IjuA)b!GF4gLw|IRUVJvEoT=LH@KW}@kcgOHKua<CsN?Ar>xl>{A{bkq&%Nkat
zs*1!glsvK}W#UN+CBf;0weweO_FuV4W_+*2QUNL+CKi-O$dL2|t%$hvhby^pdnW!k
zst>LNyg8xMi~~i7Zvkp!iI`&K9FLtEFzxvTRS=o}SZ$mgn7^%+60eX?mZ3j^NJf%q
zL<fGPTumplkXt?8%$di*#o^#TDpb2}Zbhp$b0Co4KL`lBz?~K6MT_DDPKGX<`+Nur
z?<=_LTi5y)l&1TUJB46Orj+Hj5Ryl$toQZicbAS19953C|Hyd{JUJPSa`DfPU`@eg
z_&PQx{Jt;?!UmCvs)9dn4uX_QV#T0^8SCqJOijRZA1qke#t{+^E;~OKCz&9;LLm=7
z-^Yo@E5e2tgl>c(Z;vsj7F4ZAcM^9&*G3=6{$SxMlMd$v^&(Ug%8rARKzX|cs?%K0
z&ladrLs*)+-|y7U8Xwpk0L_D@sXuJm(v4+)S-7iqKbz3Fu)vDkKgW%mvho`q$#S~*
zmR2$_qW+0V=hJM0NKvw0o#~QlSGPTJJ^b*RlAyowsThC+QYxD}an_mXlI85}KCX;o
z0slts_S-v`zL4J(ItVB)@(?VH?;Gf}716?V&J|MKTz5p%y>YI6Je0O3wPNA>N<%L)
zKgMnfwkHJ=XBosswxl&t5h+nt`Jkm$F3JaEXD8)D7RT=K4BfxR`Brr;ep~9N%)%td
zNN&74-*MDZNs3x_*560R&DhQc{yS3s&}-8W{R1cLm?IkRR483`$$pUx;RnCkpMml@
zwwFwQ#%)>&A~x)yk`^?_-XM8cvncfix1KX`Nzc@#q6=(#?)<VUaC2tUov@`f3$7je
zSBqdOX1$O|sskz2d4~&8%wdF6nJ*Wb^9+G3`9@L%!X8-WP6~<sB<srK<5Bgd6G#Fq
z*PqvKfY{R1_qqF0>mNeK0_)w@1D?I4fX{n9+jq;t<g5Tfu5a|@4*rI+N!p17ZV;by
zeev0`&PBxcEd<yEGQ|-hUq97Ae=_M8D@X{vYPP@%1a)CHxmakt@B_(igc5ysFi-nn
zQKm#Jz(z!*p@Z|huGe<GV1yz|HjVFwh$UyG@9I5`PR3K^=Z@d?e8Gc}VEJB0y)}44
z+>&p%<?H^1;x<G-7C1w(lSHfq>WH#AxB%Z;Xp>gc)@Y7$o1|a0E-+gth47<h%iqh~
zC&EZExp!lOu)1HY&inQ&g70qw?@o3^@-QTccjZVhv5thER%-7<g{}>%FvVlqYW=G{
z<ZG6b_WL@vasszl!l*nF=0PN!&^gwrizn<Y;4m&RK<*2r`jfZ7^@gr`=357#MbY)e
z!v+;5nm~lrN17m;6;Z8ps#iESD?nz43Ls{}TOxc-@p9C5s}EnOHh1s$^h$1TI>z7j
zoIi4LME~BKJeG7h-DTr`QBIArv~G;*#26j&463RAJ0Y@$8$1R?e)YZ|uuSwJA7aZ8
zSgEIzOqo+3n2>c~our_6P@YU8_2~c(u5#?|VJ1e&DWpnnp)hd{UwKz4vi=&V&zY-l
z=SG-X%lBeO6ZaL0l-XGezaYQi(hV(`gx7BS5u7{6IG3^sz)r?TRgepQf`9~=%JXMO
z@W;09+XUz6!vN6~)r`gp0yp8-6pGUy7eM)B8i~^}m;jq63M>**qwlX4Q%tyzl;zBi
z`<G`*$MJHuqLqGYahBxIB69V({kkeyq`D_Rb3;?B%at6_uV{xw?~zb199r|$0WXAB
z2v>?Coukt*%VQ2Cl*l=SKSdSKm?bb>Z>)$Bi(fw|o~*`PxmKfYlz$wGsw+$$O#D4{
zsL&&rWWqn1V1Gffnc1280xb=j_$a1e%dH~=`!F-J2B3(`Gh1u<^{X#VM9x-7loM61
zH_|_ctUP?Hk35Xke9HK!lR)^*6Jv)TIXLhE;=z3m9HgO`k{<ceq)H&i+<QTkTSmrB
zuJYm*O1U)ElkQIs)}F;|_-fBZMKw&$%Sfnkvw_3^=<9rj18H~P(Lzu|`98fyw|;k!
zb-;ULJ4l@)(f%o}Z@^A$WIAVV@*8AQ&vnX9_kTgD`tJ~UpauxWA`<8)O5ZX?&$xfh
zn|9_k5zxC54d3mQQq+q8I5MPRXc)yfh6EmuR-q}DQ-htbX>3JYdWS0qb%P;R+s&EB
zZO;QDUitHBs<0~>rj5--sm^l6Yj}29OdDzJ*G_j>uBX9f`vUvt;dDudKep)8t1k)@
z4lzm7(-)+}!O6gUP-)DNDbJ(r*|1IwMy0Kzqfw?K#F9UvGM+Nw(wO5T!eG&4>%+bj
zDkE|%bWnSe1%7I+d7Y*GQ7=#t0xUCC&PI)-I7Gqrl`=qavGNI)3nKg&hSU%E1tIas
znCfV%vW{YR{-NuwUkqop9ddkvPDR$|z9e5w9KAd%Q1q(??#V7&5lP?Z7fe=VP(6q$
z!zx3neCk}Agm3-kNO6Q`I5^s95e}!ivLdfUso9Owi#_<blxy$vLJ8pgQB|H0B_asg
zHLp!v>0UC(u1Ai4K&r+IoUIt|^mB)t@bV1648~@`@TuK*c#!-LPVcf%fMiB9obby^
zOLbkEzTxkhwSa+ARb|Ob`9V{|sx~rJjTA8Co_EG4$yPBXIHa{^8~7WGt&Y&VI{h|0
z85vQjvkVSv!IUsP+xD1AvZj?b2UyvO$z4OSPZVP=L-ZU3Gh2cX9_C1Zaj6NBOxR7o
zYe<Cq;uR{%!X}`S6C55bxfU*djEt^XsOES=A`bbhzDfmkEee4=mx%->gKiTHv5itu
zig$1xSunJ2%18;7L%!{)dZ;F8gQ`3x=~rz9&B$YAiHs`u=SJQKPNt+I6#9*L@y|_p
z?^EawddsQq9(Mu^Yn~XNROYmAnIk^~RjUhfS*3S6`ty0UU>(X6fqA3x4y351QI)fi
z;8vQd+pD}$soP;O(4(FbRf@ZrS$}aA|AeUhVPC$(v`uHd+s_PEFc{UWhW>sNvOqnF
z`@oERU`b{qNnakmq+6t6PLLU4>XVR^5oLyPZTkJ*SitKZ$GM=lj*M}`7iFLJE<z3P
zI6&Ag4<^%;@T3xI))}{RSI(VeCXJhVCQnfbgB(^SW)hG+sWO@r2A=$LyZBn97VNvd
zlR8V)YDk^>o{5?_-4~=dP%%SL{k1%jE{9!c(=IyFJ%(0&00b23;GBmv46GvSryGfE
zClH@Mc$8ZIbHn@$Y4>P&r!9U!Fqxn#9V18{Mwb4ksfpjZ2M}1m6dp+7wm#2}wXdfo
z?bEuDSZ&^r7_Y&L!Yq#$f;K^gk$z%9$n=yU{Yg%o)VR+?%)$cVtn>5>#H>4`Xa(wf
z=Z)GTQ)1(}s#6oQkR_?{p&B1^%!0~hh86*~%(#S0q=rHlcou1*K0>SwU-TB!?trwd
z?i{0-1J5PFZQ0XrdyJi}KaV>8ad7jd`PcDqJmy%e&xivwq@K?gp!B+nnh}HVtwYtC
z8^WH3WR<XUpr*Y{JOsLtu$?^Kd{`C#F3xQ8N6*BRF~~?uHmgfrYZ5J@d=ePclFLNQ
z6pa++1+;uo3|<coBx?Alfn<WX!g7iDXJviFpnzaBdRcZh7Q4>`hIp&k`0ooJu^Lew
zEInY#S>o|y2`18NMdS~@yZ?F{a}T|OhmUj<;tLbi&21_u2wVq@QcKa0>}ILe)CL+l
zZq%#1dj9107qBmCiIhQM#kUA<vLl60Q#CQAib{zLWDs~>b@YC@u$X+?Phy$lB`skv
zXod2ME0Lby<!?`)@@!bC`#ij>M`$w-+gXn@VDttt<J}2&zAlV*ZRm&g1&vx<esc9%
z?(%dqhex33<EF<87+P}`%{Z+n-w>dDe&MP@_1i5?b<ru_i{_!e3}ridgo8@rlU&#2
zuH)z8w-j|e3;CuNwnv;4H9<3`y=qNzItyzqJiW?rd*ElW^FAL`t9<`9Tic>v+85vK
zx<{ywm83N}RX@H&{gGGx<AkesE84&6_MsH-1p9L-Y)ANxgV@Zp`)#h?9BDRqv?^N$
zW7}!7l6~U3tB~g}<8{_Lsi}*!bDrRP?AlLEj7n9?200q)O?-?~hhr`hnd=kz#Sau*
zS-6tlBOvfXn(SIL^Qo6fjlZMHFiE0<o$+|x2{eq~C?~C`7IVwGjA~#=<@?Y>sMU?F
zcQNQfmTBwqf|xBr!N&;$o#C2^`6P9kx~j_-ENZWOXqXJ@J*c*PIZf-eWlG`b1wJ{`
zh+hhGd30p5>p$(B1u5DLY?r5yvvb2^H^>!lw{y-~h<&;wXwpq7n&XLskIJP(V`NZ|
zlM*2*&<#msF&+wOVlYj}N{-NXcHT5R5Px-R)C6j);zf{tbyQ$eUCR@)DxaakiD@FI
zj7%V_Z$#lo4N0w%mnK1fU4kbKfg%}Cr(LOvV9-5E)uPd8I-!RgzqJn4IG+)*UH>9*
z@#u-BZ;C-q1tI+X9YMWZiuEYQqfVtO9g4c+-q-ip(%BLdDhZ{I=am#(wbul#|LXdh
zHl2NlQkA=(^HEH2d-Bh9#eoGT_<eDDdRh_yAo1Xj?-99;x)`o__sb{Z_FVmzo}P|I
zNcd_U#GsH}7yKMvC$-Xi&tpgeAIxbt6R#M7sV&fCOMx;v$0V?lL8up-4dQOjB*oG%
zQl#q_Q&2sqqH)7ACKc9JRjsxrg@{u!1~6<0tJ)*dPgCUd;b!{F?c}33^&+H@!{eYK
z3^sH}T$U!#Oh@6z4O>%Az|SLCY#GOpiWX~X=vxmo3yP)48I|dh{#KVhjp|M~MuG%z
z;>$U3)TAp$@|7b#wOhRYI_OBL0*otAbS=shAUj5Gsp_cvi#>YG>x}S-lW6hY?3wX6
zZ>JYB9(CGJC(xDtrk}_m$lfWNl2xZN=}A_r!yeH-EkjuYHx%5f#vo|bw*$kymY!hi
z^mxj5kwzJpNk7`G#@BtSs1u?_|3Wu|#23i)f1vrlPEh&LEHLH<d08lR5GfK;hN&mG
zwtwf&t+)UY6e)^jla84+Z3gJwV)8Yd<R85EzF1x{QQc~BM#y}(s%Z36IYG%FC<wB;
z(_K^73`c85Bdk;_=BUXOsG&A!tz=)c{f3n2P7V>frEuGPsG28f?Z8XL#q753P=iE$
zxLrJ=|LoOnqq0Z}Ual-#iSfPD^rImGH;i!iQi3Kf*)e)MqL<rwe<%H2lJa6%>$gRY
z_dmL}|I<ijwIT4_e#oMG;<rb7H@Fja>$ivKt4AjS$f!o}X>G@93aJmf2%#L!+r|AY
zs!$yS{qVur=F@*vJz?tktwo5i@z2e^Cg|x0vNa6XC;0>Ex?XJfrU?ItKmIwFvO=DN
z1iDIjU2vXAIaOgezT@0iQSB5SlQ8AfN*hq?y?Z;+UI%9N6fLqC{e&V4o$(9D0ly^p
z!HxgBF|!10k<LC8L^QHy5*Q^O@w>`U3E6)~wbxEwbQ0FL`?z=c-z<QCdMp=-?E>0S
z7fuEug#WSG|KkcgNe~$z^m1qZ&qegl`}Mkj`jI6a-}GPA{a5z#pC19Ce^rhdzqE1u
z?-}fK&_Ij|zVCGc41eM!|GY<@@n4h-9AVJ0_kV8scSeDJDQLW1k(mMce|qH)=oUC2
z!T{cIoZO$K3IC=u(EdedSb(1x_@5Th3-SN!EAWf=U-}xb^re<oBReT}>ez4ScQwDV
z3Cj{eZKpBK)X3&{XcgnSMM0OnXIFf>33@<-zV*9_G5_>1ao^Z(bW|9g@x)iwf&x`!
z^Qe+YvXjjg+~Xg1l3%}o-FS*kwF|FhuUd#mq}2D_zO3FAJG#Ov5()?VNTC5-+q)4f
zt|Q^s9GEU~?g)6`zOT9t72_q&sp^D(f4(amT=9QS-~%*k11bk5Ot|{2TYAfC12-*F
zJ2G6}Fpx&RNiIa!FyZnuXj*LqE!xp%8?-L8gbV{8%9EBA_YSkK`R!#SfFFFgE9vL}
zEpMFURjo?i@qgPW|0?k7Mg)CB3sG<^hOB2u-wi+AuWClwv8%*>!KY!d<gC9a#w~&8
z@~%-}kB>u~NrRDH7z{dH7!sIi*qYg9%=ebGJ^rm*o`ju>=F3S#v0_<Tz*fPC+w9IO
zF%W$eE-K0jj^acoY<V*$NR?ax*T$3K?KeBaMjd*2xp}?U@z<`)-(fT~&)1*P5Kj%c
zk<WeGVXzOEIJQjjORnU-ucrtmb6+W^F*P}KItxg%%9GoCW0cHih7+zOv`TF{aoZmu
z>ojLxVv2De9!rT6)NCIXPFJTq8Pcz5efb^oOJdcaxr~2QAt$&q;ahb-b9d|2tMIuU
zt=LwrG~pvAS$xfW6vN+-JMS}hO6%V)2w5pRkJ|SRWdt?2bRpbmB(i(oT64dDy}vl~
zYGm1e9^y&LV9u$W6pT?4&WMR_m}q1>yuLU)X0Lx-k-+jROUefIr~A)R(2DTCqFb6+
z`Uk0piBiNa`<jhy8&#JwXF|{qiPzJu>t*~J=2mlg{F~by&u^QUk(<M~UNNXqQ%8_2
zrA4x=C#`~Ao6NPw=%IKH#iqpst&&e<-TD-^7!<NZ7D}yd@t~ehiY%z!3o)g@RR&*Y
zc*QKza}CXIgpngklMa*fHb<!8<C+rouS@7sX&)HNRj>g&guqToC_No6w0U?I<0s)c
zVK#`6jB*&*3I9?}4Ygdu_60o;`X!zBomELYpc#j4#tCpm&-Ea-j})%$$CVdBb`0*A
zsDw70#rpbJ_tir@SUD0(hj<2}GQs8Rf~uT!obU{Nrc!UXa5gw@VFY|O0!S>zK*44*
zttlRH-@-A3ke@LRh9|9M6V`092%rL>WS5%K6b2^wLDBqqk?JmYgW%>wQPPJM084tl
z>Q`34iUJIC3mMyrfx4WFZkb(j*coQf9K}+;W4YMPj0MRt0gz@dX|>o({?q3Q<`e_z
zUTit!Um>LjzUmS9s_SudWry9UHrmWi!f<kExVMGVvjhsWuSrP`U_?tM{q1cz55Uf1
zP@SI7!8#W~WWgJZ6LQ+sctm67Pjt7;lqw;NCO?^ir@`jRdjd18`{2N{%AZ;yi)0Kk
z*7MC>MT&gN+26w8ad|m4DOHKGAT7<40_ryBZDov+A{lJkK0lD8kHb3v_PM+-&8Q6h
zUU|zHHKb>xgAU!Qq}9JFA#{7d=mtOjaQ@^y6CzD{#`>>5(*JOS50x;B?^=&WOZc{F
zAdc8^u75TJ6sa<XX)$2o?t2~HM7{Sf0q0Xzl#gC+@xw;RIicTDYd`4*z`}RGVV#<I
z=IMpwId&4QaWRM)x>DU>@pjyPM-{U@Kw=H!)WQHRyI7(4-GOru`QkWESUB4et3;JX
zQw>5jqDnUIq<E;f(*3B?4Y~=03l46T)KH;p>RwWl?Sy@9tr?jXyQ~}KJec#NX~u*P
zDMqN&v<Xg&!&b}@kV$2RYWhkXRo{vvX7+=&O1l*@go42Pb*VM{ObF!^T%&ApO*tVg
zgfNRMKa%RPbD2rPq1Es}6n$`B7TtOYTzYtwr|Q)O{%YbD#%2Te^Ki6CUMarf$oW9K
zwczfPH-RiqoDey+u|;bt=jX-*3l$0Q@B<H~c89918~g@1Iq8#G(h_7=Pytq^H9vg%
zX!GuJb7kE=fB<2zUSXsL$8Akp9O8NVp~k4r)`+g4P!~AZH$YRxQJ^uREuZZUo#|nf
zkXT3DQ?(j?y{o%>cKXrC4jE`UGKEf6m`yeDn8If{pX>63^PAZq4ohW@Mp`H|xys}r
zw52aN0)4LBtd0e_ue-X(<h4bRhRiA^FI+mh!-c@05o=L_Uh!ljbP3;AOi_i`JCKaU
z`$iif+$L%sKH|Z14z4NY5L)a^hJY_61{PU3qT&i|7c(A)LaTu68lzjkj-U^fFn>lc
zNX@kQ*CBBvD>`+)c^Hg3#uwwMBTOC)sWT>7Lhz3-0Pe%N%$j9`!cZR8C2!5&M!j*u
z)#ARMlvtCmc%-K$tVM<Vmo0#EO<+oD0NhnU#2GKj0Q7BOq%(F@K8D_p>Y=$Jb(-c)
z91d#^PpQ_L@`ZL%2qer17s&m%&v#l;b1s89>E3dF9fn+veyn{ai*h<c-}N*SV~DZ6
z!=g{T+n%`wM&}CWN-~J8Q)N3^xyaroc{`99EH>%jK%Kip{KN35<4#2#C21$kAbGNK
z!BV_PY>9aBSQGM{5hr=te9)1ovPtimKE7nO4v(skqy9cWJjuPG9b}atWL3#V@zIKR
z-<5xx>SxKbBR&+0w%LjE^SMHgthBa}^kAai<(c?t4R=r}Kbs{@S&v`uHUV|Qp9(=9
zA>unl#sW-bwZPr|H97t5Z*h|a8#wm+Ps;|XcG7>uI*(BE6q6GZ(6VmGP1YNDpTMxI
zg)!hTyFPa1t9y|YC_ub;3yx-fk{5?}IB|xGK=lEE#po0JGeZfB0{xc5k&s(}{RoB|
ze3lQ40#gsJ)7U&I8k+FUIpS$P{B9(arP;sDBp%KtX6)IPqw%4UL&JEHN7Nh-t6O&J
z-R&3H7_`5mpLX1eS%>|8F#E;5;(Wn?i=%DtJmbos_l)1q?>vMkSWxFT;8?Zc8co$>
zdvQPaY3DGAE5T;A%HxA92y%R`5iDyM|Fv@r$*B-Opw}#Jq5Of)ar*Oq&Bq(4&De%2
z3h%eaWfqSRlWqU*QN@)2yWh3JFg>c-X|Y4szm45YuuM863){a9WcKs6oitILtP?|%
zw{tLNaAV_25{4q+2Dbd_<2a;>LNS-Tl&P2c!T5+Iw|o}t1(0*LMGsB#;@+twPL0<H
zLkwv@l$PZQFw(T~SE&wJ|Js{Rn00ZS`Z_3#eBJX52D=|Q+xaf?K!YgFlL67G_aRWg
zhR1^ptQ1X+mI+eXP(6IHv9!)|in&esYfzYE>@_TO9bi>AoyL0TGN<zLG|-GDt-Vk$
zO_4@gp;ybPTT(Xy%yPudWV#hTLBm!m&32Auw{-it_V@Nfh^jW7oW0N^!;fn1Xob!l
z09)4B(`e}KLlTdSPdOPNw1F&JiB}GM?Q8ZpQ&4Fb6t4Pvzr=)!1Qs*DpFuFE9x^!(
z8<xQsa9@93#xz9-g-B9VR8U4c(%th}OmVqYBI}0*As$3A%Fzubk1Gcxp@|oHNs6%V
zqXUs^?qmU;wf6H)>x#&|TpT`B0V1sVb$52m&OSU-xj{H=2sZF?FT34h^_^?oZ7u$5
zz(nk>TA0Ij@IZ=!_K#gE>ip3nv3Fk|<1xAZ6XtF)R0AXa2x43v$nb+%$XBmnlDAeD
z?M|1TMNPvmaH&i>q4M9MK0+Y|b_ftU^}M6*0m)$G(yFY{()a*?cf(N%xwLP~w#A$8
z?WWWLVsuumWILi*2IidWFc=&C?}9opJPls_s*Q39Ic>!7eyg!}f=>WIPp*BM-k5Ib
z4}+Jj;~j#(FCPkUt*QAzNvb82RPxQ(OJe>Q=jJv%DtkecJly1z$(z?ey?i5UY65wt
zp}c&tU)41&7kR9n(4128>Q>n$+qGhLcu<Ih^zuRwWnB)-L2(6EZODX&im62A@rj!L
z+UF(&0v<>o&$0syS&doTU<T$M-nUtF%)~k49P+80+SJQ5MiqENoZ7Jj-hLJy5Xc5j
zA#TJcz3IBd>yrDfIl!EDA`dBN%EMKLM-T3V3%f!Lcx{ND34cZCHiNSzT-T}S6gb6D
z{3iVI{g+$5*fEJZCbaR&Y~Or4yXB%y<^@PKI|*kV8oz~D^4^!bKrD}X`a~|_iCkY3
z7<(p>p+{2^g9m1mgT{yE^1Fs7Qgy)HQ4dT&O!xB<`U1)kt;M1u(lVl>UV(Ydn0O8T
zVo&&J?7>2((rI*)Ii14D8#?Xmp}^dCJENuxuAP^5^$4jiIw1p$;YWwFJ}h4Z_)w)<
z-sA(v`P4O1`ihvvAlnx#Ue|V}$I$ESY-nS@O^KO?*;;H&YI$zLql)Ou9Ih&T6EaqD
zKiew>C<zDZ5c@^Y!9`lJ;W@aUlctZ37aBMt-<%O3i7DdUC0MuscRfaD2t?W?0*ENU
zZ%)x6i&>$w?sEsm+Dyfr)f4z*vw^MdCcy8=0KjsKz1nJhR+WqXTIxb~mLE^9`x_;M
z&h)RCR^fnL@R-a|jnb+*7{?g=r`XK!ZrgGm&tM4VcdUb@;#bP9L9iSn_CeRLVTBlQ
z`z6M)&-HBlxlC0^JLg^)K5I~_HJj23(&CciklK2B^;v_--K|2=zJfpd*XuFSkb0z+
z9}qfP5XzQ910muBvoz<LlZ@4`QDmYWzMzOkB<c@{H|R`VSYZZ95oaTCgA>Tvbie%A
z=kesj<{k<L=7tdmWVGRpnou!blEBHr6+5z_Nd~UDjx2_qC6BuxX#T2JN+XG5C=z&e
zZgUwQaGt>_wo3F90+WgyAD!NhgBC#dnNo}$aC1^%Nygfqe3V~jaRe7#$Gq`r178iU
zNsH`G6K%pcbL7fG%ry)+*eE1_k|Y21cPY~cD;RxDkd%wx$<65|Y>>&%o&8g2huAlF
zM>uMrLb7x}^*3}-CjPz#F=--!n3<O~_WdKM!FL{+<}u0)nnPrNfO3Oa&6Rk(SF;5`
zt8XEuz<t(3jdDmjzw7zO^hlpeta(&lO$iTKjf#*s;Zj5c&e*B=DR!u`a4CHtet%$>
zGR1eg<pDqv>G2@bB;R)}I@3Io<^)CpEF!jc@XY|<>7RMmB|A&?Mj<2=RNe)6%WgXy
z^4eo`{j7#pd-e*>(-sxM?E>&dzE|BGRGmu@Zap6|IVOs5u!QpSValXf95g?dj@646
z4;6Wp06=KAyVq~urlUo~)}%EBddFY(R9O-F+Ji{2pR!V!D7<fon`;*$wXvH%MVMj-
zw}vMJM;^SOlb(}!Y^h^<u>-ohrKjbFyCC5c5>TXSsC7B4P(?$S5LM`awGg2pr2aJ-
zG5P=wXTiZyi7L3lK1o{!*TM5u|3N|E)vEO99A6FZ5S~go29J{ocl*cF)amvG-r_~%
zxn$h8(*l+@qiBk<RYoLitT{LH2DM4VnLPX8r%o{&q~K27Ai9nc#|9HPgeZSHCge^{
zM)AY~jG+`wXFJKj5S-s;Z<c7Rs=;QV5$jSMOZOG3<)Z#Q({mINM4P!7X<<ioxO5;=
zPpH^hD%lygN<LwVbB}8UX6LZVr06@9>-S5prsZA0VVrQDf;dh`O9f+9cs6iL(az7$
zG0Y)(0aWnmuPMf)0tIV6;r?$e0F0!p)kI=HQCVBwE&)O1#H^@M-&ns*30`L5^GwID
z9foiw^y1Z#{qj{W9<V?)r?I8+sKFQlcgZ^!j_oVG^+pr@<~e13!f|r_f$TAbV?_aP
z2fkN~^*}OK+hBY4f&%PDo<_sp3-#lQQ7hdP(j~^Xfy{NT?Zi;)0(jiWCy?AoHjcQq
z-s%6zYTGg)@C-Omld}Ck7<sd}pov<l&b4dMocUSB?jX}YO^hw5J#<c}=*m{o&zk!G
zW!Lg~hTu0{Bznz1!8nHMzy8ulPN4d1!X`C?ktH8fe=i)c0uy;DG9pf*0U3dxCP$_i
z)ZUP6;u(H_1XQ7^)Y;S+C3My8XnEdVW3|-A9%Ga2lF?EYz{)6>o+K_F``&14sp{b%
z<=OH&SDMAqj%X8yo$G;N3p5bEHGoLR+(GFR9BR}+<Ig@_yr!KFlX4k}V(%omRTt1?
zGKj9l%Dlu|Iy8K3!mgnL&yF4p;wQ=sr9o3?z>1{&B*z=}=uQ%%9|EBilQv*b@x__~
zr;Ow6K)PO0(fpgZ?pL@j(VxHi)}R2=&NM?MW9>y!z$f?iP8nxJbwm3kw4t{6B!CH7
ze*V@}5=)62e?w87v;!x2kXRjMpE2vgb*M28cch7F{HUsqibTCa=0G;O)JCh=u_2=-
z&vDf??N!@C54Up$Z4b$g#RiiWDP0G;^KPzMau!&79JMX3Fyw&Lx;{C>V!7;3%+IL8
zE<wnhOxO(5QO8USepMKSpLcWOj72(0Xw%DKdMhw;%9E^3W#$W9IBd@Z)Ab`ahr2w4
zx0lj#$vzcL3(wq~7uQiZY-(|-@s5v@iB&cjKaYp-n8Wl&W0#P|1E;Ir&csYLMov+u
zB82!PnTJVQXdbF31AX*Te*rSVW(1xE`VY2FZ7REmx~t@dn5#7r#bk)+4mt~}kvthb
zZm_G@+Sj7XK<wYb+sV~C4CluKPrELs39Q$Bz;~bwn{J-$92CR_=bICcSsZ~uI07aN
zcc&}SX2Mg2$ER_|-+zWPWd99p1Xa{Cy~5Y@O-%qOuJ;4y9m`8@^fLjo#LuptRs;mQ
zVc$00!7DdCkWO`5<6}A7cx(PqXBFw6-o#5~yM)eTiRN~QvIxgH^l?m5Qj)cufG2eq
zvp>-3idr_@bI?=|dme4-b!nyT%SSl5u_J#VdA5wa2q|Q17ljHg{m>aqqy<=Y^@n4w
zcgdt%y6k)&yk{k|xgzc43-RUHDF^#y&+IX}BH9u{9ZPfC2g~}K&`s9RC{DT8GNQ0V
z20S))ws-@5s$0FAWnM#-g0q&D)_M6hg*B$Kf;Rj$TCRwY!QhHSZ;D*m8Z23h?4?^H
z>sw%InOK{f_EZXwe4pO6Yy}DyuEb{x<j=f1f+*bP^AEv=PU7s2N#%Ll`D-ZH#Bn|t
z2+kX40~}nWY;)JT_BEOo1TIFqxk=eb8RId)h9;0M9LzX8TS9#1UjLqno~n-L8-LOY
z_KxzrEH9{_j*?rQ^s?7(#qS0pmS`mklm182L===wVP_(J1S&Nx)cDy)DO9&z5?`Hm
za7tG=8oHPip2T=yX7;NyQK5BWNMs{-fk8sp4T7oZ@5Ii86#c<W(gqiLv~mQDxV<(C
z+w9n_AdjeJRgtBrS1gx`QQ49TlAtp%y2{e+?@PD5Yv|wRA3z|Edsv~3KXgm2K~#34
z>=>NXpu!jvXUCVc771K-Nb1maLbr`~mi4F^<>zA=F7&JL!Wptc6caW@qJdcQ((-f6
zm3HHgbk=y{%}C;qu(F02PD3LDh#46EZs!T6hkL;^T4_-`I59ClIZ^$ZOS!#eNa#m-
zLVUd9L^K&A!@Z|5ewGkA{|0B!e}Qkfl2ewY->WLvOKqIO8+4A2Z-{Uml>OA7I4WEK
zFNqjA9BPz0&o<EX6-_5K^4#)^CmvH#DY+mcA}()8V%wp$n0F*!aC*kK+`zUX(*~hy
zk$WK@l4y^L3Z`Z%N5+Y@zs1#Ux)4WQ<6qs``%fib92&pQsCd_Z#lIWONql2L>z6s6
zMG<dCNWwc@%EwHknfGh%bREEd>s%D^yOD{gws>RG3Vy!iCg1*D6EZzj-&Kc#(_|W<
zytPc3s4w@^W-Dy<{2kuL6QTd%E#czgt||i|(zrcgB2-b#mQvPk-Rb>f`u#xM!}fQ#
z(du9-OGm~Mp?d*H8W%_rEDT-3ML1o_<sQznTox#J&8ogEXfCm82Py3d`zH)0K{kY*
z9U_dGZ((-t*I?^qJtiUPzmiHx+19abcY%3MoevM{l`c)^b>0Vy&B86`SyA_Iw@@a~
zF(N&weD3iY!57k?&h=r6`-)hICZY^fz+F-C&vgkdQsR?{ZO3=kFAbikcec*t=eQp;
zrI1DT50Ff43P__6>qi}5Wn|=7JC6zW@2z#BhJ>}|aV%>TqfoXS*9<PoT&WXe>6>ue
z?t@t9v3FL=AsFO%Nq_%7;IL@oP|!*w0V=*Og~QQAq!>7#o!J-SkeKau8|O{3Ifn7J
z_%TPI?S3g-7Hd7mG4%XpNVktf$oNhlO3mOT&Wi|3K?Vzt&FYG-!?+S0GIrrWQIl04
zq<Nv!>R5gN9;i1si(_^$Z^v^+SJnG;3SDP*D$CjvrX&sD@ney?oT#t!r^18^zkyZ<
z72gqlGvgp}PV80ub7W8x_?h!YWnPMAA?-9RS&5@*t_(@SC+%h&ixe!(*GUmGAQlBC
zXDLWc+E%9WLo@tFNUe}Bbb!sX$x$^choK$NoAsNdlqNQZ(CDbbQ2;c{dl=-y!>f+7
z@ch*j8)AvTC3ruRr>u%lWG9ex7-&y^4PzSvO`IOC)NK?NbeUs`kV|pW&MPUcuh$AY
zQe*VncxT20)*N?Oz5^N+Oz42s9Y-;K_WJkaj<ZrbIY)y*j8*1Ctj9bZ-?Sm$ihELJ
z7L<V};?U*;@#S3>`xv2Y(DtnKsB`Rj$)d$Ab6k9j`@^r!I{Ps^?~5~`27&^!TFZ!S
zT4W(INK>p;b>}$GgY2$7jB9g(YQ-DUmJ^=v2p@1-5{9~$=UPH=I2|sJ=CcUwQUwQx
zc2X>0=A2744UgDKs@SJxdB>rztBBt_BsyFp{?3@0HH9#(9ud|MoUqI0vN2^^r>#H?
zv~X;+Iai^fsl$IYleQCKJW%{}XV~M$05?H*dDJSGkfcVE5x}hoVpvE(6l10`0U1*d
zqAvEZgf?!c7nzKvFtZcpg5?;$gJA}o@NlAnb<_y=ymE9j!4)nEf9>(HEg;fgn3A>&
zKYUL3_ATzh9u3hV(VH`AOvEnQGO)NLqR9Q(y68MIlxkO0y)0`oR5n?yR~B<f*1j~N
zIKd<^e9Wu)w}{>NEk(LTQEy&B)s%_2iUX`dujTy7uTM!|#`P*yb#)}{;u#3DYtT~m
z%*r@$@|HYQ@ZoeHB_snsHIs-|`eR^X%$wqIe7cJtgn%4cvS0jUOTCoSqD-PduOP=c
ze~mP&rJ5tj-lUs(Q$cG%+b-KSXQ~Xbx2V>I#2M4~cxMp3<szT5SG-6}u5h$;adAVT
z2&X;Sbi;7l7n93;OX-l?6_HnbjfM7Me5^y<8+&~$vR7<B-PuSrc34xiYLa55%+iDr
z0tpqM5iN0}b)#|;Wo4T8MkAfR+IWZWeLZ0uoi2d61MOCfgQJuFzE{eVVbgd0evhT=
zl|Uj&&@{NA=pcn)>OwOvqd&M3@jV9uu^OPVkssNh+Hgc-1rdo1`~)5-xrc%>cvt}k
zl&&}3-Tg`SL_KU?`gRbK1=o%p;Um?M<o-FHK_b|ltkj(<urd0`c^7s6cAm3BS~!+_
z>lwi}=Lr}Qb`})29=-L0VJOk){`1A?TD(*xRx|M<%rIhjMa?rXY*jmit>FlzKbSfK
z9_pxd`1F01ANirIqA5n0J;PMilbrNs(@V-Tjf~7>Xmh!xvZm(yvAK?c%TQoA8I6SJ
z`FCg-!5c-i`RAL*Tqo)zd74U5_1^mz>GbydT&J1GtwgWf=hOzL<>{swf;!hpbw=c&
zfU0bL1r#=w53s-MFJji#=$?n1lwfh_wCidyuraUBF@g%_Lu7{1RQ3ylMzlwq$C-w^
z$EJ#DzQ9U}r>|;-R5_~jI{%QhfHgkBa6!OyJ6+G0HlyR^P6>(i>!}WT95t^nqNEC)
zQynT9Rv&L}@;D6&I*e;vx*cjI{FR_$-6+rFJg+-Emd^UNUlx?gAkfeS1@3{wni_jv
z46dg}mig|Hm&_Ui$&OL3%^mXi_|v7la7f2gonj+m{9d9P7L1exBG?}V1st17d2&BD
zIT>Scc=)SkHs993bx7rCW+P1cLv*Y8Os?2eCZ|`$NyL6t4AT)kv1fmVYU9UhX<x(c
z1mwU?Yb3f*8F6a}-R0`o&do<O$VZ9H)h1@16N%IRhpxAdtD{Nwhl9Jj2Y1)t?(Q1o
z1b26L4<xutaCi5^2?TeyLvVKuKX&&%yZgNFy?@T9XQrp7tE;L@zID8)xg*gLxwocu
zJTFxW%Z)zDJA=yoX-szTX+1J24>V!`lOuX0HixfGkk|VH-*8_Gnl&C{#)u10k})SD
zzgQ$k|H6=UK>rJgGmu3SQmH>`C$Tm?#WCFY(ounVK|?e;I{tcf=Oi(E&RPA`I7EUz
z^#Y{xon69udzX!&Mg36cJkoVl)$#gO#uOE`2u4Y-d4`=MHFDYUZJ($YlRxB_9!M2X
zc(Jt^p!aJ-<<BunwwtuHu_)bT?az8CNvUVnX<=Kyr8S0Op&sZvwB$77tY{2*<h|Xn
zx(=awA`Ru^7aE3Xn|ygM`0#>;&kX$o19>xr!^#RFjS8~(;W>?XseY|tVQMc7y)(A;
z>MdmF`iMpWhTOK;#^`wVP|X{i=M;a0)CashM&AQ69mpMpigqiqNbz-abH6vEE7TSX
z?K?Yud+J{?Pg#j^1^NN)?nLwsl*9{0dJpLQq(Eh3{CEr}X`8oOtD}ms#KxELTwnKt
z7+?{dQyyGB>chg)0OrNIr7>^q1wD)kSZ@JYUJZ{%W_Z|&n(LxP1Svbej74nP-|rXc
z>G4T(^3^wfoCvxm@!j-Td3!N1^gwop-}5dAD2D$xtB7w+(m365PDtI$=(((MH}R5o
z_poYwB<&A_v3)4v`cRL|a(`sRn{V+OUr@vc(S^hHks@L528T-9ux=1r(G8-2%e@Ci
z<=!#^ro?uPUej?_v2N<bZ(ven8%Va`B%V*2Pf#Bek{Fpm>X!Z8dXqaZK%aSv57?@>
znnp9^bzd<&Mh`=4vjJzB2nu?*fIk=v;r@l&I%qq8)fp>+7xt0ypB#-NlP^(w{8i7c
zuf{*}y~2(iUxIR~`3>b@BbL7C75ZDuDgfAut<i~d*7J&6wbT~xthq45F%(6pv<evF
zHkvBX>yFthXrlYq{ty?1fByqcQdnhd(~_XpD2ZC@c>ErFyTz!0WeFcP-CUITLyqZM
ze@+y2Fkwo)xo-oFDqWs8bKUAWRc;%8;MQ<~#N|%Vo^G!*%;!f30_DA#s!T`z)mED@
ztWFQx;M*NcGu7;GG9qWPT$LKp5J#xsp$tgf0dch=AIMDxLZ_Rb2-#!1JlHxR5=GVn
zlZvP}w2tbvux>4aRMccYmfI1lK=_ahgD^1ZOGn((#XiXDoD*AH)7U?{45w*h+&=%~
z^G#4|<F;GZBMaPc)cVa+=4DKxt^9yf1*;0HxuH`fzJVQGst<dcHTjr}DU24#GirZH
zhksBXED|Rg9!<lbv~`cPXjRxxp#P0&qXF(6v0XeROdk0Ik<5FqYstun{J_N)E7fj}
zn$kWFi$4r6LuBR*MoCh7L17@BLCVEe;5O9i#TH1Uuuq!I=S=!hk@a(3%mRxd{Sg94
z0Zk~VVoxx=&^BL85<MWBgY<3vYoc83W+ERYvnrj3SJk7J>5Z47Q4139nkN*gwE+x|
zKl%=S-^|a}%B<w~EcQfDk?P|YPGPZ5+|#<^d2UsUKXZm`?!#PNe7SZtO(RlLq}bL9
z@6=RA1i3u6&BVr_VHP_~ssEE@{<X;O60z^?qpGP&+-SJ@!WBw-t4}QM*!fe9y_0|1
zg6#O{pimrOr%oWFpfBOz0RH8;rN2yy{ddhDBR2bGSQg9V0mLRgwG1CKMyY&#s}BL0
z?I~hskk-NDCO*i*Wg)B_B_Feqr_%Bi?g^f<Tgz5I{Mut3Hpsf?MA<>W?ht49I5Rsj
zBOLq2gVf{wTkNICn0Cyt;T-`MIVv`Oc*Z-{X)~_*V5$;tqw9x2Zs+!g&zW998~i@d
zoSY!vP5;Pc0riWYp=dh^$B`yC73+LXf{`_XIE?78i2%mRzmxe7!T-;tRd^@2FnR$l
z(}gcb`AhD|90#u;e^qUZ*Jd=f-AYH~fYe8hnMU@cozZb20kh#uX8q!T-*@WM)Is!Q
zDH4jNVl>Q(YhxRL{#91Nn1FaQE7P6fvvDG)W8dp$FY0B`JL0ON<;T^U5Yib)pixkH
ztl+^?A#MfxFJ;t5Ud?DWN~*CUOy&W=um07>)Ga3)VbqtV58bQH;;j+4CWvdb^C~Mz
zVXXUh(_=lflj|`8`nS^!BAPe&KZO39L;p)c-BYSM7e*r%kEW9{)J4jp5s=zNgwnH~
zDq^fOD7&8s`Gx4YB66#3XB{eB48F|23qwR;44$GU>q(7Y2|sipB_M<28lH1`iOsrS
zyh@KO;aLV*(od3aHju$cB65v5W#y}!{Gkol8OCJkR^oD$*$Dlhi9)FKL%}q;ljT&P
z@iBuGmVP-KBRz;fHkcZX_S$8NJb_+-c`d@;Vp>Y3w0-9wf99J_zp`d&F??_@KSV1^
zbQY#s`Da(nL}6a2pJdT8=3Qndmdqy2EykZKlr19E${iV}F2+}zI`N~4TJv2(wZ|sZ
zQwgN1nOK;nW@xhL7|u6)2oknNt<+m9v{eEw12SE(M`&H9YU~wC3SZ4B<gs;jx*HHR
zGgklTJTkBTsr6uKnmDB!XsKRJujMDL&Yb(?sDFwy-#z!6v=yqe)n2TJ1^ZN=+hTMB
z@xkDi$Q5dX7E5zPBZr=mP2gnB`R=9~%~Stbb#&d(qF7GF??&|H7^Lkl4!I_-=m{iC
z(a1gc*7NCclMb>yNdL7om<XC<*Dz$oievIv1Ozb`b?9px`A8n5pQ15p{UeTzpP(5%
zPX;eYPp8Y>0m9Ji>jl7}KHoXpE{0#!sM~8t3<gRohkhsHbw!T*q_SI7Ky%iCr)Hvy
z*&A-Y>~eJ!M)pAiO&YQv>sIxu6`F&aj;9G4BUw)4l&nSfSY#&iNp{0u=*57-$C^HB
z+D;mR(=cI0`d^@3u8HXwiaXJ=Ue-CG9{E|`kb)WGf<QTm85*<zQ2p5T-I_JCxKGI&
zKkdxS>~?XRT0JnF0Nm3ziL{W$<7@RS?|1RYx2wnKXW6B*Yx*>)QFr{s<M2-t8Yx`B
z!!C1NUc2&hhxLeCm0_M?KvwTV>+G}VMNc<65c%xYc61o1adAX+ZUVdm^tL??OMPp$
z*ZC7;A6Q?1ZTHpJj8{7FlD_A`N6;lUCGHJ`V>`j_cRP>waP@1NFUhw0D~Y3V=ZD(f
zJ6PQ6RU`6Kqq3wifWYN>U|@`9Pm?aUCt}Nq;InQAyX`>W<%r64GfgrN6YwM@x(Pak
z;y(&5IEL0~B$b9CK=#WQeBn3HdfBg_+RE1R!F|rO9ds!yt?xnkGmoSqDKXk8w%{aF
z|EXR8(ojU?&LJy}nf;FPxKs&6WC{4Vys+xqgUy1zpR=RN%fpq#gWZC>Fdr^C9UF0T
z;rLXkj}*GlGv3xctg>EiSuIOXZA^Te_`UGybgwBjp9V+M@1ybJ1p6+oF1(G*CQ=fg
zJJG~U({wI>yebwUAP#jO-Qkdd{1@!a_w*b17a+m`IzGPav?dIu7A{0ChXNYQr#5?T
z+;jQ<BDA&YZuXXvGf<iHuZyLkL<*j^lMZ$CbrxDqt;_g(J?D_`Fwx&Kj3Bix3X=;r
z^oi1s)^reOQB9S09FToXWJf6Q7MP6@TiXdX4b!YgR)q19^`na`tTvZ9Lum>t<oq6m
zt%-8((-Q7;`&{l}?KxZ4I~dpR&1|nL%`h|vhM{Q3O(yPnj2pjh*G#r5Hy`G^=b8C=
zJpS<MIThNKH-KdJYSk|}+w7%+?j-OtXlL<hf6!-m+#Ce=Q*krEbZdK|xjWhY0fBml
zmtPmJ0|F*mDo_}#g9AXC&D#y;roXSaWyiS-e4@=mW=&^Xv@!w|1N2-B7nrJa>r+=V
z)v9fNB(r#>BPbyt^QS*j^yzSU9JO5w)^Vn{#lE~QR-XDjPrHgRc%<?RFtN{1TlSfF
ziB}AYD^T1P_Q`3(=4L5dd~Cpqo0im>X;h}{9Iwb36qD9CY~Mfr^|)AX)be8mCNVEX
zFBrMM9)IdyfA?q*9dHSIriIJbV;^IENYID(L97Q{c-jZW2s$sQtmgl$-}+q(Ay9Ba
zyvm>*88lPX)+3K&?76k`$I8<?ppul-Hzof-oFFw@PzTDZCY7uQZk4A>vV<0UnjE*s
z3SsWfxI^MJlvD}dPKdnE)*n-JPdY)$sQm|k$vF7LyH{=T`=)<?AeQ?E!Neg_>qEHD
zAN!w{|JD&(M^vgjv28yuz4<<s6BC6eC>>cdFFlHST}(L($E650Rl-r=oVcIv8NvTp
zozUR!E_v^6o#{2cM`9_&X7oj7q5>Da7&Nflc##f@DRn%EPR#AdbM!S@3AL*qkI*We
z>{GJ+HZUOm<pMOWT=9;KMXS8C3bT6g(s!4BZ)$tjiEoflobMurL9C5P;fL>WQP3`z
z#gaZ>4>vaak!r^8;WfkH!3i&vxFsdWSapS{v=YBP9Owq6n)puxMRjp%V+e<@frEqq
zo5Oa&F`9hwR>IkaBOtdC{?LQ6=Z_DvjaGFqXCyD>sTCoO{~Hd&yiHv2B3EBwcqIlg
zX4rb?y^Vu=b?1$^v3>*0v<+Z&<%e#)sXz>$22y-Q+(u|bK?^xaUVsq9Y2-#^E^~!7
zoXPzHic`eAWLCt6ubS8qxt&OMG<l+1cn@95t8OTIEQIgfNjQ$Q+u<_Y-hjq?Lq&lq
zWs(&SqM*<Awp;rnvuZ`=DsB$i8n&%$r)(t?2Eh)Cn{k;*zt^3*WHtnZ*4hIQc+SQL
zq6{L`f72DlCM;r#PA<Ey)EnUo_`ro);pMBRJmGWf>T4qM4w{b-?}W$J-*2(&8?~u+
ze^x*yorA+D`A}ud1!cKb@KY!$4s5L#6;~VIF9BO5Z8+3^`_uPARO`HIRfIND&KA$~
zGE-7_9hS>>6D8EgbC|&5V^*gi!mGnpx>;zF@6m@6X5ILSPzPydSK&Qo-7qLx^-tvU
z1!A$v_;amDar^?fig^gU8m(lj-9#C2Nb|-1o^zF7^2_Q8Ghle;tXD`S;O?a1{T*6r
z4T31S*cg8D#T3!bVqh2}EuwUy&I1OzmR<tLR5n7EuhZ&L7%S%Om4%_uvCQUL`070c
zQ1d3F*AqfjOV!zu7nu6ieqgI{xR|2Gi+)R8+$u4BHQ5tZq4I65UaaS|ab4}=q-BrI
zm}og!K}*{h^L^pQ=lOmz2wCs<gm1@pBnq}kT59@)0dxb~&9o3nBa=lro%uZT>+>@i
zCVU@*43hzV9K(b!oe0ZvAc;G<;jCMhplA5d$-_Dr7oIg$CM9vQnH=@~ghI1=6`Ob6
zjnZZ~TqC{C>@>Mux6Y5G0qG>FQV&leVk1cVw$l1|fhji>hH-(sw6EX&w#^~E<?LW0
zKAp{#K;Li{rCg4&UIfZ(E86#Kia#s?i@=)$I}ctpZ%-y02|{xw#oNv26Oq)2x^x?S
zpX+g}*?j)185NVgG3%v{>kopkNM?XSI&qvLF;H%sw<y{d;?+<inHkk?F&(a2g7|^B
zZ|S{O2npHpMN!y6($$?8euwZvAhy6^Md&HW>!~x6pQEis4)1-yUF^|Lb<fut5aCqz
z`ci#iBNOr#!hRGi8bz)ksI9QO;aHkU><GJ&Ua^Iv3jy02dUIqvY6g?zpPf(RdDYn5
z3;S$lkLWxLx;SOn&sJ-bGIPVfrdPBj><7BThLvW}FEHmM4hg}j>Doysa=Q>o;u(F;
zGw@ndcd?_B6^WN9RX0JcjDx6JY?JQNc05gfTxwXX-7xvR;@fk)at@u6_@A?fmQ4Oh
z%8?YR5{$Bt*A3U_M-PVKOR=ZpWk&qtqTTqyz^tYowhN`zmD7=jt<q2UoR%=dtojO@
z2iJDT#^;418e42_Y>pGe$d8~^{F~8z{KvCJ{6C|#2UibS51=KOsjO44%h0#2mdVn=
zAJKyH*v=+vZO#YxYclVRD;=lq&(Fadcp^hnXfy?VI77TqKEl|0+dc2ly5o+4;Y6Pw
z&|7;262uWUOY~<iw-g+~Fg*l1g=!y+z9!#SNu>35#}<`RyG}@v$(MU+VNA6XFZBXw
zZMdvsbB**VoG;zRbejmIUFmiJ;-;vH;@}b`)go<fNhwf2`WNwa>G-KKWfc7EN554e
zve<<)=`35Hd_bcO*X$c%?83RsLQ)R?GnjbJVHpAH`A&R39esRf;CCGbrvMgk0rMVS
z2Vy~8*LtOfleTN)dGd_;cni691i?yhZ9&kU>=!SYDCkT`jg<!;EbSjg|Es0YJ}uX(
z9|1h)TvUG^hc#S?J!V0}Ote{2*$`?r)saJsUZpqVmG=0Cx<ke04L0->_8{CjT9AmM
zM;}?`F$3imt;K0Oc2Sb?wZZjk5f*yhv&b$t6B`Hc#<OQW3}me}T-jS~6d?I<n0M~*
zI08MYH!gQ26?6EZhDTARdL7Aj)$IuHuZfv!zEz}USW3huRD5QnQa8zHRi9@x_NdN^
zucc*??B+3=u5?AJ%DsasaSAam_aWiqxZBQh*7$0i9!l2xh8x)s#Gn>uV9qQl4BSN(
z#LancU06r}uJ?OJF!u`D9j|1!J!6=&UPoALDvOu;)(gbj92bo*A(^TKXjEl9b0&g6
zS7XtGJiz;TrTsv_RBxaoHtA-}Tfid}kVu`rehrE3;H$eEoba<BatP)epD(%lqI?`F
zuMxP2DXoRQ&y#%2YO$VC@RQ8N;833P!xt9)rqigOqIe0VB{l=RmP1P&-a;{L_N%Ci
zAA|OX5&^=Xfo1{KW>W>O9rn+yP7FO+Tn3HFazYbr3<5lWiDa$pub@8bUxP8>ob`5K
z2<+UAc=k<|zH&&YCzJz_D+P(~J(;xRtu*{Kw))y?FqDk4wZ_{?+$`VMF1*IlNvR}Z
zeB5rNPM(_lsTNIeo%f-ppM+`A(oZ~$Qv(X{lyb+SpAw^7%>A!Y)3HQO6He*0s?}iD
z-mMP5j)<!l;RX=`PMSENPp*OkZ#Aiq)KaG{@7=qXrA!Pdb4`(0zz_Zx?pR@L1xgaK
zLqN#s8=EO%OvbXqa+Py>F9!m5mZw;xw3f5iro)#dNYzpcl)LfJQv+UdkcH?k9&9>q
zKav(mY<{Tea$D9WM|~34z&{YSce&)o3D&QOW9hAkxB4E^lkbtifQ`fl>pOY-xWiIZ
zvz5u&Br;tD|L6Nq79oPXc*0PotOi|(gtLtZO<(wxma1CC&L;EVu3Y8Q)hHDi|H!^2
z{U{{vZ8n&OTZ3=Sw-8OFpK`j8SdhYJJ`0(MG-ufdL=wluj`DL+GUB;swMgWBHgYmM
zc6sUYs@6WgsrOGGaxI?1j|_Ny>i_DBUj$OzYtxM5(PEvf-QZ9(7jlM}nHpjJ%d`rl
zhqUar>58hq4qgzOy(hC^W%X~<VwajQXtQ@t!YQI*oia3<W4(<yxM!5-W6$Rkf%Ema
zqBriYV^}V|`#6!-(_%Kvs}}z2*B?*tLsAi+N0h~(pHP{$-lJgYA05Y$`G&3+KVone
zJ-0SaY52kz6PG;;!)7kWJ}U!L`N?|d3oc}!HKcOKoEwoJ5$ugsiSy6BA$vGZT`A<V
zs3&efQU-3YLymyWv0~GcZU-kx&I7EFU{no;-g8DcBmUxs4{Zmp8Ve-JSJx-D7AgnH
z#(?-wcpg(Ylpk&lnq(N2zc=q#hwyH^eh7ARSEat~V<Db!0vFtkH=jG<n4OjwS*`id
z4S2~kIfqzp3B#`Y!143OMK*rM=Ak+r=00(~ziZyIHh?2)J(Xq%pK<8+F<l0Ukbert
zx@Hi2cM0+Wql2S%YGPtyntUS?AmpID&*8WH%{KR>(sR<o`YFkVw;XKVMt_8y!5Nmu
zeEZf#bLwjb%`7%YQm+0Lhb%5P^xLw8nm`GrL#IF0IxV6#gie?=cWM!vfKKK9HdVVf
zNVv_~$+$Xq+6Q)%X(w!BPfXH@dQJGsV}bE%p|U6BEOx_3-~9HMJ?QDTty;Glk=yYS
zBCN8u%IWHWF6Jt`pQ!Je_olzs+o0OR0T}R;v1#kl(m^UJ^Al*k|EGY>WseTDt*PL`
zOa*0RaC5Mi*G;zSJ!wq9I{$?)k)2*MX+N`%iPL$_%UORgGtt)+`ET&I@u^<!2JXW@
ziD0etCT%1SE{6k$$v;(p=wI1{ugz})tny<=E(`_b8lg)o5a{f&$7OYXbGC92Zv*3F
zda75+mc=i`SN3IewhlE%)kt)RA`?7*w9!%sN?H(HU~=dL!&6`#<uix3RuyH{W#NXC
zV`xoPNV($M)7E)z1`sc2#X;)R(xsvPMqH@hgkKY?dN=O~!x6^fEPgQtrQnjI>Z?mH
z+C>$FM)tY72;4aeN*C1Pm`OA=<3aWGM*DE%Di7OopGWPJb`!zzF!hxd1r`D|+1GW6
zml{kN*TnkER_i_yE+$Is6?DrAdc(>Ipi$UsB)8Nkk8~i{th#WZ_@d^D*>|Lr<%1!T
zw4B~v?=RP)O55^kUj0$FViDX~%6pq%u3=n%tax4JO;S`@iG23o*Wg34mKyo9e{G1E
zU#Z#|FgQi{j`lWak-qe~GNO5li9Zx2%af9dAL3o!%q8eShj$CeEEJ_^vcC;W1LhlU
z1@D>~=E5(&@Xj>fzC+V)$geJBc*1Hd=K^%mBCxJM7N`lVxgWc$DodbXhFnq@i&ByN
z6s;{usk5H-sd0>k)_<5%lm`U9^wHSm_Chh&l0*yC9GA3jm-TiEr?K)v@qxIHq68cX
z2Bzvn2cbDXds%XMkd5|nqkx^(nLYcYk<=L1a|suW69?Omh_zO7iL|oZfksuOq!Bi{
zF&Afx*I)IlB%In1BpgW&bsR}hUH!~GSoN{4-aWSe<3f5sLT_`MmK56wUGlD0n1K5_
zI#|1L=Xc9$mf@q@mCpypQW$MM#*xN%*vd}+tSal7Wg^Vy4MVWLJaMq!B*S+Utrhd`
z_9TRGXO57Xwd*NPA7oM_2fr4Yp|%mw%5@uSr{!q?6}G5m3qpd_xzwc0rJ@tKZ1d)8
zZJH|q;8ek(1^eJ6UX)#;v%LC<1#ITp!+29SV}$+Pl`mI_G&axn(Z}eY8`+PvP<4!x
z#HaUUOR&(~tqS~gdcO-ud`ag;4RfhRLjDpLmwc)fhsKTJK8?d(qJ}gVof8tD<ylz4
zC~3Q&RC8KS>&)Jh(<U2hkFohc_;Q-CF{P2d)b@owq|mld?;7^U^VM758XyWeo~7Gd
zvw}F$<XhHdvLT<plR!W=ABiQOTp~Q0*h)EZQw6wN&iXclQsFowWGoxHA^@`V;Pdrt
zafU3QTUP7bjYWT6=y*?hSi3WFm1cYMtyLy`BcED~ypU*ax&x2Un5?^#XK)`Y)%2&4
zN&yX6oPHbdwxE?R=t_=A>=VZMXNX?EiHi;+Nbt)SglkeuG;rbpRD4uStv-ig8ZIYL
z!=+bqBX%3Z&6Hk`NUNPAgdmc#b_!Lwzqt_181S3L`j=2JtH`73aZzLqp6PT-!9e(l
z+*-spJ)qTQJ9lARSES5hf8WMBJ79#cN}r3!fVWDzG++^&aO?{>zpKVBjG3-iu+`5$
z_-bRW>UalK!Yez(3Y@A!7WAQ9_gbn8c}HumwrM`n*y8xeL4ylXF}sUPOfq@Rj(PZn
z_sM`L*^?B|^^I;$9)AB(A+M-0CblPEt5VxC#s|u*hywpy!oJVHkvS{gS^tJq--c-*
z*L`%QUjh|3*VbWavT?$!<-3~-kjuI7GdR_1JwKvFhE&)+Y7_^@mqxIL!AQePDBa9t
zJN>Fn>I2|#NT)VDXgyl@z4;KP(DF~lyL`EMhLun5UnWtB<;JB39fZ`F#oNW(>wUo-
z9reufhV26(N_>N9Q2L5Q%__s>2+<cEt7WKjW$GxwE#LAXB6&*CEox^sIGv1S6>)~r
zp^{WQ8Fe-g?39E<1Mb(18gg+fnhf<?18}n9`Yv$C<&Vof{H0>6afviKCWwt-lH78%
z7R=kr;Vx&x<oLd4Cf5CQ>LAY%M_w<|R5LTePYga+X__AJvW!bAhR(3-C{W7gBZz!G
z0=5*hF-rYsPyWIv!=K(|4N)S)5AyyNFtB6IuV1!gWxnG(_Z0i#t0`hIB1JyUr=CKZ
zh#yk^d%N?V=H>1-Nr+X4j1I7AOie!Hck>O|oCMh1A=V?NqQ3e(O@+D*w#WQ&rK`dH
z*zrlBD~}ZeM&Bdi<z%MhfeLgP&Gz7|(~Bc{Nd(4qWq+qixq9OQPua%-ITkkyx6Tq2
znwr%hV7NutG<A`OAKe;x&c%g9ll-=<_yE9kXJ~R8Rdn&#L1tnCi2uAUDfql(l--m&
zO9za_go*b3wNK=n6)&cDXvOI{lSqeX9cM|_o3ua)@o)*|JxEm_R*P2ZDP-58_^{bG
z`FJRU9mzZBnuxY|6#w?%uDtgvQ7Nm*ReZh9NJNmW5D&oC&TT5&Zd@UPDb;kKE5Vpa
z$ju12-}^0lJWZSu2b0bgz)+}v4+0PRQ1bP?hy5>0_7HcDBLnm18jzwF<pt;&TAnNV
zGqXy66!Q|K+!V==IOZZ_XpL-<-Lucc#g@tkS@Z*@R_m<?aS<UftTt<!J^s)sq@69U
zM`-8xnvIW2rK?<iS>O46u-S;xGP5FMdFN26uOr@LR>BL~Dgd2Zt|1~xQ6h3R=_6X&
z5xKLJMZ3xJ!3g92?kI>M%%ksMIMR$2UFjDuE-5Kcu4FlobS@C1=0wyOO^DVOdo{~r
z7AsiMd2`L<=)%1plCCUpfN})od$=Da1KUWNCgP%^`W~oRmfC9s7Eze=(o}v8r-ylE
zFEvRBEQ%{Y_N1O2SE1Pi_7_;htF!|oE{i`GJ+ZMWNs1}Mj$z|Dw1ERUI@~O4v)#;B
z;0;9Kt6NuW2g159kcSiV5{`@_O?T0U>k66|d>y;M-4<R<LJp-C1>39s+RC^mO?Q|2
zURUR|fVGDSKN&S17lJTuuBE7MxnmQgnvfPHznx5Z=MymyX(-0`Mm+HFdyUnkkXX`>
zm!epkMfq4f<1FQt3>A!MC9~fl)=S3dA*Fe~*eP^l<GB~~cXWZR$%T9mHL#oRSY@sz
zk0IrJy7)1r@<-!@ZwSfOTK~O2jxjE}PacosUnpcwnpT_g<1NQaSsJ*@X`ui3K+g?@
zy~)SkcY2C_1gB;52SCztG!!)WLQjhiWxB^We^bu?`b`F>5(2rV%V|Nd*kT|2uraRN
zWI;wawNrGlivgRZypwhQp~u<ry)&q^?qkVv>iE{greAb%5dmKpErMnCw$)}sZcCu0
zDI$-ZP*`f5?KYO$9HRY|=8D9*XD^HGvHxaP(<w4wLyhTkQW%dNXec9#nhO(!kVkwl
z0!6Lag^M<cp)(GSJFBH%=zb&mWS2Xg%ai)PuZoHg&CwQCpMZ+GrZ4ps^vPQZwC3HU
z9bFmwP^W6)?%aoM7pw=Ak~0i<_tl`c^K#sF=;iTyT}*Wrw=%DS$J)&IJ+2;l>b9oV
zb6AVxyb>y5)`R0+r`K<`Erj7(Z@N!U4S3y6@|WEROb%@YT(#BzL@N*7&+{jA<^wLV
zH(I~$>{4yO#8Stxv#c$3nF%LrG%9dHKPFZ-sRZyUzuhtjOazle>*lz@!+7f<%ksnB
z<wMWKqD?~+H#39BlC2rBi4_NuwG7g|hb8(?sFFQS0T*ljOWqgI-Qk1<a^v`?KXLMw
zBhmhx8;u!vXIvoyaT*ZWGLyUo2?S8HMg2~Pksk=E?TNIyA#Ai0Bu&rg$1;V`Y!_>Q
zC)VHU)uS09#Hc}0xT@5&HAjg%$2s<R;DcyGM9-#$sM<L6;Sn{!Cnp9CEVsFqHQm)j
z&oMzPKYheSdI)J|9S42pm8s+b{h-rIJd@>$X5F4I<kew&111P!zgoug!5zgj?nrD&
z$KN~Yh^AKPXv3TmH(tH(tNAN?o*lsgj&s&-{M0$A1f*fok`z7aTt;omfa?<GpUMIQ
zTWygTDXMt(gj$RQaJ7uN2L1h}*z?(Lr<suw1do}|6)SzBNsiZ}%T3B7;!h*5>78EO
z72GwGANoftfI%9*EoRFlLdZk8q2ZjCMY?zqPY5(sdd<Q8VXGA4?Exv+)E8Pc3+R;R
zJ#hW)&+Mt}(_NW)o`N=<DFlZH3(dOi?joyWKuGsL_yel7`q&^%<j{;ufTFa%y8U$3
zfZsyR@5i##E|3JtM**l|B1K$_S&p6EKSRkruu5F=D{au5ej+g5Zl&M;6S^{dg&ys#
zX@3Iw9#U%7O8)pqu0|5{4Vx<@zM`w2F*|H|bTlue6qsiny?5Kz@8&McYM~zQjBo|U
zo(KevWPOYOnOS{#pp=uY7K%#rD04aT)-9zr6f;`g0kGP<t0R>w)B^I2<=e(YI%Y_K
z37DF67_s+H3ef8bl29^EkA8k07O;*DbE-WaFAs&o*X1P5(f5|Zo~JeMHbFow{UsCK
z81>{(K&=oh+Rw}fiv$38(R!4WWgbj5z*<o473LTV^jvzs@zyD`xhWG-RB#UpwHn5r
z)4iPJw+A{|(b;9Emt$h%0)tv1(*K<9BeVSKYZgmtJKn&6|NZoN@vh%fgmvh+mSzAO
zGgx|@kTbldHBp+wJ<_N8qox2uysZ}<)HY%K0cRQOu=3?Rk_=#h)8=+<DeZe$6$3x=
z*(|~04Ozm?8bbPj|KuL@?C3$uYvcw(<Lk$kye9Alt)mndXT=)NmG;YXtlUypElv&D
z5)RhB60nkJ|05L#u2R<A_U`5{pkgrX(vEBF6$g@;lbtd9Ota*qXj?^_5Wi$Ne*Nyg
zBirh58`s!p*Jq*o8F%SKF6F2}@el&6?}Zw%ENuWu*pl(QsCWfSwvUx4w*t4J%qxhU
z!q7&m9w9%5AXVG5+pL}IVg^DRj2gl~rdt=}KNXhYh;jltS{PRsOcI7k?nR(yi$|8a
zMG!#At?Z``AD_5yhJoxZSHzgaarwyrhuu%O@;w$7BcEJPsKQBLAz3G6W>Uv9-BmEa
zAUio_(5$Dsl&mbgpqsIp6bzTvW~h}|QH=Z}5hiAd(m_hXjCY^Yuq8xl^=ixyr2TSw
zLCmA3`KmJh>jyT{s!e_;BO+!x+Yc~A^EJ_+&L+00RQ`S9v9Ka0b~m?-clgKPA5<v~
z%9bV(bS}Sd_vu*r2!>@4sLsDrJ}0@P7edrB>umYhRU74X#aYevkWk2fmnxzr4SjO!
zJCPDGTV$X#GGw@1THNCv=uMon`p&5R(boSp@4neXoRJq;y?DRKB=+43i<Bg!xslf7
za*{`1fxzi{{ho3rBLaY2B2Wk*vKKh#^V)!p<S=SQ9loe&yFW9y97)euYAS_+8B&Gr
z>;lhU=S~${8&zdrlI&^FHFt(O%^KZvR3?Xu#XOttw~cu1$1i#b>8dt<26)LcX(1E)
zrswXPB5=hgQ4{lr5-hp_y3c9Ar;B=%*m3%|M4TVv#Ew@-ir~Js9a6!r|KyYHd6uO2
zdi?nBn6sfhv|F>I-@rZLkquE++<vWikfRE1?<<x5T*YYX<kjAJE2+nAixzNSRz*do
z*=8QyEqIKzw|V{A@w{MJcyr68;lQ=sng7JkwQ65-Lm;Wi8B%8`x-kih7zqg3Iv8PC
z@}iBE+qVPodhKR)o&`)6dRU=vdK_Z_)1g-cGr+21>PWHG*%vd_6xo*)ZQ|yMBR|K?
z1Vix;@S!9?BW@;g5v+Lk)l9eJG__HMw;7HZ)oX$10E&YY*$V$w*MZ|>&ikU_zUTt6
z)p{hbun$UUsKHJi8VYOtFSUS|4d=>{YTWx^#@JZIPwiY{lXK;y$|j+Fk1lMnavvTI
zkgl3P6qB27*Odj4Q2!|Vn3kbzwcd|Vlra#wzP)$3<Lj^A=Z$|%UG~M$Awf^i4F3}>
z^>waBBD-`5z9J>70F;Ar1*JR;9@>>l!y%@aErfEP#HT~Iq~6eM=76{=Ki|m-jVAV~
za5@>+`}(k%9jc%+?6~EErvjRFo2wJ^U6NiiGEIsKKK$<*$DAM`&zIi%Nj0p%PWO*j
z*XeIGRM}WQ=j>`M(jJI3J@s_hQZU|4k}gv=Vh9k}ML(x%h9wn}llR(FWR4}sL;Wk;
zxM*DASGfkPOZ&um#E^aTTdHkRfTvTC%N=q`B#ubTZgbuhPe&$1V#qXhTb_8&UjP@H
z)EtU$SN3Ca{O`qGZ*U#F72#tV&zGBTehJ7%=3TD~jquyn)jOSKH#aP$Ik)(e;rn7A
zLDfuOtFQy+zN{CUJ6(Gev5BB*>$B6PaVpehjExSJTvxklP&JjiMxIuHD{$O5t^{vY
z1=-c0!4vJQ?th-|fPev8;P~xwB+qs{T92rB7OB_GSyEkJ0yQV?d!GW71OHc{Hfwaw
zy$ipKoK9+it@_FN1b?<k4IJMgIY!pd#t&p&e`p9%yrKOwWu{XmM!dMEi9_$h2a^wr
z>d%^BR5m@Ks*uY_Ws@l40=SO&o0H?C3llsQ&Od(#M&|n8of^P!X?JOE8Q=kVDBC}I
zkyN^h{n{Jy4NtOX@FX*?$GyrGXQz%5H-Zmm5xB=1@=@l{0N=A~fCeorwV4vMjGih!
zlONLut5kvjn37^M^0v4**VHsLg_=&6rwV`YApaFja{7c$w|A`~FOO&j09Yf8KIC5Q
zyz!FZ;$S&X<_bk-a@*c%E`M8cbdYBFr+X!U5klGJC8VKZ1(urXfg7;9o9enbQ%JLs
zl(d2HH3tg^k2Wg%Q4N|NiL2axOazuj->{7At&m2yK4qsX7V?#F50iW3hSTTL0i5;a
ziEz5-nTcjj{7fdkAKVu#G{PrY8P+_q+_q0pQgb{1Y5&a?R9*F<>qk{;gQO}D6SLyg
zYccJ$MOBfmk+y(bKAI>rbL$zeJ2Nbe`&Y|E1!$y)L0*=@*bV*~X{&tU@Q_1`X4R{e
zN6qOXMKwm_4{%?vz_4<3v>kkJ&Z)i=ky*vCJs}y3dJ8t53(KhY`-KzRFhS>;{z*@y
z^P8ZuJieO9AE_U8B_6JS#L4L>j;gL>3@Un_cx!167@`;?a5V4{!(t1yc1F$JI%E1S
zLr3^hjKXM)h$yo|WDsoZ14p02$<^g!m80pizvdZ*(2G7!Bp5d;n@4j#BQWZdxNl^>
z4l6?ppY*z3v8Pr|?&E8YrE<!k0nV!QobW76eP=u(qN2sFTa>si4^9Hgj`LsYOCS1X
zN0r3njfzIYhs9&du0YYp*48_PZT7p)2zLTJNBrD*uIyLD_pQ06w2A>;esn4DKVt4T
z)Xs*cQnRc~B>+h?JDm>5mIy;fUg<9^*{(+^#EMwV(=V%x_PWA<`OwfIb*LdWIYC;V
z_z1qgJHvGFf<Kf1stq%&0sfA&Z$sPOhElrCei#YGIHm_V_l5qi4<hxvI(Idcny`en
zZC58-nlJJUus0+gXc~P?17}ciug*`<Mk+f5lFeux9*3IBZ0*@HI0mgKq+R={??`*#
z?oLf&JWfK-gJ{$o{sQmn#_(oid<0-(8v{bq7~dOMipt2_EaqYO7%wwv{@<a{AoMmv
z_$c3r-!4?eWOyo~YpyK0B({I*&pxHiX;n9bX7FgT$&I`3&17{J<9^SI$f}VVofjVk
zVyTuprI?3I+8^y0JYC!Hdw;Izs~AND?)%*B-|p?)RWSv;x0{}xmZ!eJ43nd+MIu=T
zPJqNtLvuBCZt8pZI@JI2H};Xq{A1Rf=C*x9ehF)_f26@ii+(ghU`Z=f`pTL%Vc7qw
zT0`DrlC5*ZhMYF-?Ol(Y;w!Hz=d>MbFEOu?5yYZ7C;VcR%F>j>^w+k0*M5D!#kb@G
zmAei3<VF6EoXpC&peP!hWr&pR|18^o{TXyf90^g$Z!z0+)&Ix14gmy)QcVLC!yv~0
z$b<i=-G4s95b-_(&Y+t9|1n;}0ZEZ*Xbz_tLHTce{kOR^k>6)vh$w3Mk0JiIaYJ)x
zNv`%$)G}n5fBTC5m2nC|{?BhI!+)Pa6IsUkKfa{Djkk@$M_IX~kf;(Q{7<Ut|2+8D
zU8?NRe{`pZz`>wXh=*S6f4%ju!T*qJI020uD7i1l!VARYRqVHbhJhK_b{eo~e8cEW
z_5a&9|JTJ<A^gi(VRROx-0v{mwNLp(KFto$vD0C_ulv3yE57I*K|!%cO`4eh``-=g
zJ6GEB#8LWgGShCv+4VLxUWSPkJzz%kNBBtQWX%=bClsEh_r5>nF8r@N+`kbQ97}uA
z8BIf)hNM*q1b+iL$S8W1Eeu{NESOHm#IvQx;cWuS>7oA*?hy&<JI96BhVk<^k*!tl
zmyG{0WfQ6#m}^wgSBFV_w>HRZIAKnq@V`F&A_g5mrhuh<H;(+YQeax`GB|bU_PeK&
zb(Dgdj|<<%$W#pDVLRKN#Upri`@-V*lDn_v78dHgm}dnJbl4!^SDkm;iwYq&<eLOm
z6I8_I%tjS}+V7aKG3Y`38;SqE=;aOGl;Tp;rs*fg4O8d4WM#3KQgc@J+ld}6!y?8F
zNhIxsGM+FBu3o(pC)33+QZJ7WohtH`nTtk=$jX7AI!ww-3;$u@K}lJ(m3&|H<baSk
z(7e9#kwO&?4|GxzRXAKyN(XMh11yY={~Xa-;O<o_zHBpsN30EDHTH!r^{5$gHD<j+
zWc$PRp2qtB=bv|`xah<zgAd=yMrBCKFRO!ZZz7h9f>bXg{R;~qfyrpI&c^)aWCj)j
z8B!sV_~7BVML1`wR0+$E&%8iiz2o$Ue}2$5$4*P|VxeOw{O<4BkZ=bv(|(#=^Spjv
zk%^&1g_bnfA}z?M1~0W|9Rh#NH?7PsT5b^LXOcDoUUNJrr63enU8*yJHN1Id8v&@0
z_~3WcayqBBf=Cj}JL0~VHEai@JJ2bPrsfC3z+)^#W`{Ea1SNj|56_wnA}SvWB?e3q
z;Q_2&X9^W4^Kid+c3;csKCh_$PW#_U-jdn!#8A?FmI~J{-p9^Yi*M*gIa|X#+COoj
zq9!S~KKu<G)7aXce(rFD2J&zOO)d6@GEYTGqY&;q3Pfz3MxIML?8&5eo_;Tp(WNMw
z>aaEnJ3d*evlZcJj8W_Mz&S9|CKgGNOOmLK#xccaE0nn5%T0#kl}bLD1v!C5K8LR!
zik=QDvAzC&z8t(a-X1iUK^KiB5CF85sh7*6G})`d@aT8gE&0R4NGU53tBJ=8v%xcG
zaZ8V<s}g_mCKkA_S7DlaZ&k9un5imJFYPEg{?t5G<wE7+!dZ7cMZb%;LX90Ktq|~^
zI;j7Wuw`D5IINjYEwxqTq`mHJ{2EaY+`m^JE5BytymhwaAJ7S6;~8uh|N51xbbR6E
zAY9V@ihp*#isQNvn8<Lu3XZjO6f5HEz*Hk15pYFJeDy_ML2JiAYi%;wY9!m%?TBw7
z#qD|+DmuVPiT%TxAg)c0L(omc({gHdf}J&9gED{C(y#yJhn2W3VJighCKom<>Ur?T
zG^mLDkJ)@4=z)QO#4V*3<bpLEpM76g3^&^lV@{OQLvPZ1olyUL@_;bJR_Y2D6e{pK
zDR{n+z4uw^Q5^pGg;ZsDYq3XMx~D-EBNmH{`8|d9zeL_Yt6bjYrl=GK-L+786z+SW
zOsNCm2Ph+>fby3*D`pyI-RfxM-lkJv&7xV^6!owP55?`2H5JLERCSw^q@>K&4_Ze_
z92Hmxzayoar+pn+-l6RutIwvd5lU=fv?jXO9Zu@#(Un>x-I<!h!zAyAEq8i<putj2
zt$%aSX4APtDN!?F>tJQ;-M~b3<@B?o<JRy!EhSwI%f|Dn3G`u3oAnS1w&Kpk-Qs4^
zF~D&r=hG_t#Y#b2s{yBeEno9pjxt`Mjb{J45TV(6m)?Qbn?l>=spI9<P|D8<of>|M
zbT729_iTaxTIj#_yJ|hOpT?VlqZXE;px4#i@kJsA)PyxFZ7=$x6wqmg`bRp2<V-)n
z>!tD1>pc^}Q2HM0jgM@9uBHrz0XG_jr!(b@n}4n*Cx~aB@~fV1)IzmEfl4g&?x!j%
z%~~D~^+eO_ax=r#B4$V^!Goy^p+YFT^fo`Z=ciw0Uz1f<nrsojQIgfZw4u{By41O!
zBKr046WkIlNQsZb9sp0o1zH?{yp6mc89A{wl?;PUEr|~{TFS4+ry-Xr@*7$TDYAch
z<{N=L+FAn*hy`3eAT3b!`}f?8<Alqv{I44R0*_Xe{p=HU$jGK6SqN>!y#U-{4JGZx
z&tA}gm@}0y4W>6Tx-UPsgsc5DC)*L3Idj2U1SIoz88L9HPOlXIL<@})_${oBq0Q4I
zB=vS!jyLnQlrt&sTS9qO^5yo|2rIQ-;RrYDsBduh6qjCvgR#)LoWs}5QK;PgV7iDL
zg3z0$4pU@3VxbJEoC1cp0#i12YG-+82tmWr5b(+fHRWVXrkFHr^87$`or({3?x$do
z2!3eb#vESarZ>`imlSkqrR@00{i>peYg_2->s#eigkX`#pxDLql5Z~eqe#qj7mG$J
zIP<GJU3SEL9)#}4ykWoxgIY2)^#oGM8c^I*bA`>KwbZRbGq{d(Ra^99^$mmSq=$gh
zM{lwaKxLu4ourgUYZY@M7E$Vi6k)nrm8GSZ6}e?GQNjPm*l_xR)%Imt(%fHdTJ}vi
zIb;N7A5ZZt@SLbvjY=)UYDS&lLaV(=6}c?^X5j4^y-c*iqcc>S=!BM85*GO|><)qE
zrOg9R8MnfVyzhux;o=}2=R_qRH&IHj+siN;y2^5NON{yQM5%kKPM<D-u#-San*=iM
z%{OnOnY5T4y=Frf$JqiaVR}bWFORDNM~OUqfhD^Qr@@$;g3@HFbE~P-)GU8lUd`f5
zF8!5$h7}6EHYxE&W)#TtT->i(-|Jx_>*Bt%X7HrA8<|uAqXd#xx7XrJLp*w$6=V&h
z-$m_y-ES}c*~IIPIRe#gWq)KMX91rkTfgb?KdCWUcuM_HlYTL3uDAuBvth<%M?*;x
zG8j3kP^K0!0;F)#B7taoZTe;#50mIvn$Bm=j3oi#wIydmS!AzdN5hdX;=L?gD@NI|
zl%+1J-P$PnBM>cBMQxV5_Eti>?0$Dop?Ec3^tNjrV^1&4Ra~AD`#dNYmyK_dlAz;@
zG5<kEL*0(=4)R8SxBo5-5DZt26@N&m#(C{c6yV`1ZjgmGH6bf~oDRbb4gTgQJo5IA
z3qMDQZ^w;F3F|Q!MgDqmcCBJExBlw1w<WA^Z71U)&!A0H3J~qJz5ID=G}R#|w8mD3
z=5V&4t`O<>)F;NIqAUTrtHv-)kD!l+vo?3x=AE@sI;`VMTWK@p<XE@py6ua%TBd_|
zjX)jV>{tZV<oG&Y{S+HptHVRdY8h~Cy^|O}y1f|d9-Lxg_@J;b4I`_USLQ{n>8_ZR
za<L`ETc`qxfS>xL`u%h&p%KyLJ*;FX2Q7$Aa_6|5044}O*tplfIhca<)foqcdTxZP
zVQGISivhtfa;kcN3rsWqT}RI=aPF?^fC8K_TcAfOHf&iKcSqG1<#JdhVC{W^%+zF7
zh^(;(a_wltdfc&w(|T?PKc5f9Bv)xq!R)NS<@O`p$BTybn!FbZX?MIn>fF6mt+0%g
z{O(=4Z|AcY5%vni7C+{e8E@n09~!~lTS)#m+hhOw<|!~~)N6kUy%w-}EjxZaEQN>|
z51O5PK^ly_y{koh4#!Wm`_Vl9npeAIjR9~i<2p45qL=Nz%0+Jd)OE8{gW3$ZVdo*4
zU|1Cu{=0q-X8hVmt(RG5^5Y!?DM8@by}ydvVETs?lw>%p?K@JlP&C|klL5DZz%VH}
z@4KVZTCBt6<qN7I=Mc_pGuU-Ny13V9cKgHRoL06fU)xv$ugD|m9>{TMmeR5CS5OJ0
zDfmb$z2OVzW(c0i&M1{z?L1C2QF6LX+lP+)>rTuzf=cQfXM?MlE-VBgV8QoLfy-J)
z%boFeprI>+Nj2zcN@q{ZTr%#&Zls~?WzK0fa%@UR{FtOgDA*-7hc&9W)vw4oKlnMW
zukcTrKLqcY7%o-{5W3EQHI3X>-V-PZ6eFt){aKiHzFSgkzMmAuL=j@=iMR#<iGpQ%
z<ZI5)PJ*vn>kn74D$})&0&~^aam?82J%q19%3pR1)T<-B4yHlV?Q+atayBAsrTydM
zSMU4H*$ORkh95v8d19w+s#TdH2mp{0$Xeek{JkjCf3iE`0E>~%!y;e8h%+FQjmZ8v
ze#kwC5dfO7x0<p2uoKtrbzA-Ru~^%`n3m-ox@Ea+vkEEK`;IKC?sV|iWN(N@`KO1I
z@j$bHW*#r_Jgu|OxpI}Kw#@y;I=ZzJ;J4tJ=ZjmhISxgQg~ZzJMbW`>1L~EEJ;=AK
zmuk*7YP~WI>|{Z1!)p^yo9BgjTbYJux4@DW8S35dWxDHx{}Uu-o0KR0hR2!eAXyNL
zYojCpuBRoHJ`HoqR@9GH>CKCYP}J)AGU2z&e{;YQbzc|h2%6w_y*Q%9`kH19<P7XY
zs_rn3r9C@{Tp#IFWn_aj>8<)yj(`0~$Fx?La^LomtGh%b*YAQ<GXZ&^1*h?HFmBvR
zmlg9JT0*iwBXXfTVn?pTI`NA~Ewe4&&NErbmgFcw8w#%52`6;oW+0LH!Co1an^yLX
z#EIu@^}|gkLAoG-o?n<-+<>L`?}x0u6xpq0Ni6OyqK?+VvJ8cbJa&!CgZ06Sou9{b
z`%7|bZ-01YUp1hy<{3Mtp!F|@OY^|Yh&aN>XgIUQZFNy+ED%ljmxRk-evtKVZahFY
z+fYrtY=kKyGSeR}J82NB8Q2*$qZ{!uhyFSY+J_8@b~*m!eSprn+ojA)<XbLV%w&_w
zq#L62UTs*a51AeAEi3Gk8SE&uM)P4I#IEc0lFrZQ2ZxPxBn9^^c7huGv@1u{4yV`F
z56=UZp;oX5p7ft<W=)kSDR^*xwqS0^cVg;v!>etLy7xLpk?f$X{pNUI^Fl{SE$gr>
z#~y^r4Dsg+f|8wyl?d9mKgfj!cOd50o52|C%^fn8o;Yifz<4dJw^-Hy<smE;p(raA
z()WZh2`48ukLs5U_s^n+VA3{IT~=a#Cv2^dP^YaSv6qKi-7%!vIMVKp0_RY|pL|VF
zvw^uGHJ*YIxM~hnpWESSEt&e_TjPg<pb-%Py^_HbA!xZLiFI{O`Z<SFRnD%kQ4V4G
zAJJNBvqP!x7QAu~2Rv)i$6kBlj+kqJ@w`0!19{TmB$<1&m)&S9lkveTU}F-uBZ~A|
z0Fljd;&xU&00Kbm_jI?ZO5@322LOu?HCsiNG#APa#pg+PhwJ<ifC_c!#fvX=fAAR7
zJ>ky@mIG{ra$ob|PG*JxqpR7jQVaN+{c(DH-catEVSTs}WxUwVy@zGF02fEYw>Eu%
zabUI{=hTE645iG?uw|`qEbG1_u=;)@(#n%?IL@1l-ZF;$X|R{_c?e@H^M+ZQ+aX>+
z8o577>AklL?Kwq>2csZQ8;oH1r#e{aoro--t%DMrhrK~wwQ@0owZ%&9!%w^0uj88K
zEKf~JeKXZWN$14Ds_j}SS4n7pGmLd`gB1e43;FS*bnEl>CqRLw5|_=A6Z0ZsOp{%n
zChOSf(Kek)8}AxJ+m0ZSv1ttXe%c8$F#Skq4@)6Z8&S|;akho9ZHC#vEC21Oex(Fd
zuBV?3$P?FSFl@ix-QP7cuxM#fM)IrdPWi3VOm?<Cc8Mh`FzT=Ig}!n0vQODHa5DhO
z+PxuC9D#SSW%iKuaVq6T^$!;0I|QVL6*P1GL5g%<$1RcemRl|oT0DNtnUd{5a$d+S
zSwN%_NCTq`?7qWLlBM+VY4hd7S#*n4PM)$e1#2PsaKID2KF6Q0wNx4x@c9bk;99>R
zILCu3=Fgne2=55&3u~KR-3+`vcS4SRtE|Ej1#>VuPvm~xrj&+`Lcyl5zJTFEC48^d
z*Mr$Ij^kCYc-a0S9;gHUR*y?2>|rjTZ=QdY^d-%W9e$+gy-?(#f(JO|v)D}ylIW!A
z{dW95nc2D^@kSHwVLQmmdbr-Edz<={X`sJ**=i}qS;NX=hlM}%6Q_2*ULMB7R`tH=
zj>jbpWA3XLqDQt@0xo5f$7~kcOYZ)~P51itST}AYEHZHAHumzszP89QYh@|<w0}_L
z|Izi1QJO7D+i;g{ySi-Kw%O&X?y_y$wr$(CZKKP!zv`K1=A4;#zJK>x_g=XpBV%Vq
z#&tymmk)Xz>|(fnD7OeOMntvER-KBKV3r=--h>x-;l^*NNX94UQO$JsV+3k4t8dh6
z7j6$YT(e!|H&qrs4NF^5bE0z%n~mpANT&5?k-G#~nEgle7SAHsJl2p$%4<$zR2a(m
zrA($iNO7`XjJ|+r>n&qRl`*gXFd%_#$nVzTj8-V#cX=VVS098;yS!e98cTjd*Zp3D
z?;)rpM)JIp-E3wSE2_*kFFKYqT{#)GB4a${HvN>*@zl4U`TeoChV&0>m$VH#Tbb^t
zfU1~2yY0};3ElhvjJ)T_b>bkqYjB(0kKw0znp?RhB`AD3)mzk2JC%Md$#*Mh$yeux
z&6fLqPiU9C7@|=#5k<_Usx(Ma?a;~eVV2|>AEMD}4O_|8$+6xA0L2@nDC?9gis;rR
z^m0m^jv6&h?2uHOxqe}4H4JcgqGAb+!I5_&L6wX7?7hEow?|cLeo(1ruLVDG5IaZ(
z!$AQPay?^Se@tDY9DvBt)fo5sb&z2dkv%n*V&_4SnC2PYpU!X(!lq4NF$;@IHY8)(
zsCx)HbE&J==@JTSpd1KG?#QSLn$c^4NE<Xc8|bOVrvOs!we}A!(4w%PELj2N{lcqD
zbJ2nVa-lW<A+6T_&8KGvoGGP!#eH4)>11N*YU2%sPIU15r~rT91*dizm&L7ZSFfKS
z2A~LBROkfJe??j~bAU%Pi)nv;GbPB1iHUgKdWIBHgf~~=TzAK(txIeU7Ag2cmsREV
z`KIpdVgQQ&I<GC2&W7TnoSN&{z?L5*%s?YTru{ti!@fi(WEY6hf*cA7lAHqN5-aP|
z`!yDc-f+I?$!6Z|XsHP7XXyaGmjk5jZANe?*K6Z%pD-VFTBSP<R$DS9GHxO1OWBJp
z5S(9(APj*)X#}v3Qai%zh&50CQtBziOgnnl3A$V9B9x4w7*aavE-&98Q!pee6fH{d
zqDHIAAy3m;9T^9p6^o%9lWc$Ff`pO-#~@?P*4>yq?ly?A+Y_L)3;-0A1aFu#-a=O_
z{ooo%S<X=LzmnMRyBs}<V4rl6rLo%B(W6sW{DBPUvL!>C?I0%3E`wG`fD7jl(wxJ_
zcEnQ<TAKG#0S7K{T|yL|$%JAN$QuNw(+U>=miTkpLbhb#kQ!v*Id%J>a~kxpf*9&Q
zL%ZDv!rNyn16CIqh%!p$@MbYf2|}}5ABO%4{NQf|;Kgo(As(DpTk=`PB~3|FSt0Mo
zmR#>IdBwPvK6%oj{h%`aZkHa=OMa|<-A_EHv9nj(gib$~YHOA=vHWl?Fmu!o*aoq7
z{CS4`Q7vA2I4-o>uU6NZJG{Wo))Ip|3Gse%SaGaheeCmEsm3{f8u$$2oB!Ye!}C&x
zW2Oqfre{Q;cH8tp55raKAvs!C8Bh7D-5$v#oJ4~|<{v*_<UQxot?SPI?$Ca<*oMB+
zg;E&tjtw%2es{TvE~9Q`{Cce@5ucqCg6S!$iDu0I4l1AQu}`<>^)2W7H9AKz(57yB
z@#BXE%mk$d-N_hzuxW2HRsA<|9_dpIj;C>)Tbh$V9^ZHv#_H!ExEHPOn9}+5fkHir
znZw)lyt&GGtH!Fd>T5+~dO_@kG@y><QC5YKgGS1I@&oaaRh?;mfm(rt-+RLqp)by-
z0z*Sok~T;L(WrmhlMRpcPD+>2+l(6*DmR&N&0EhmD`{ETZ1-<k1eeYD)2obzu@Ykq
z|M$KXif=uV8^R*7wYEh0b9h$#>u&kM1Q>pefPw?X3PkYv^bX8+&u_e80-o7<j(TUg
z_Ty9~;{oV;#BIg-bI<DP21*0nu0OIF)Z>~=OW}r5k^Z90ihkl};2e(kPE?1#A@d%*
z{2oiYJ3~Yw{O#3bA;=Ya-?YX4mM$c$pp-o};JYsg7=|AL7E**Rp_Lad*4j*-rJu+T
zMhhkq!-H(cFi+>_7E!$~8h6K}2i?=^zz;4ru12aVKTv9Q0wxy3>wz8QFdr5V%f7TJ
zgPl6OqP>O&J6-6ozSGZ-ZyT5c_=iV&LIZ=n$OjQ^x#dc}c?9qnsD&X|21EGp)T@sJ
zOIFeXvpe?o6?kE5xE?4e!dAZqpJ?gk3PcaoH?DTDXbCpUhXB-5(8EcXim`%b@H!+<
zF)2YeZ-8+-8lo2UtN5FK?wp)I9f!fiEFZYmJ3r(0_xBS}5v89hyC<>gdK}_NJ>77(
z!r6p}AKr}KPI+JdTCoJDcwV+P!-<mBw`bb0zpGX<iF6Bu>3tGbyq>DKohh|ry*rol
z{st*o3j9@*mIgn3k&Xko2&aEmn%vlHj2j$jLTHchKRxbBDZtiMRvsIGy%S11zS+|*
zd;oP=DbH8&`eJ1i$JQY6XA5Ai(Hnt+ahZQGOwgH_j+&US(i#oDe+_P0zew?t5hYLj
zt`h>b@_Wby{A#afj|IUeW(*E!vXbM=f`*FRYw6U@2NhRMXBBFvgLY$Qho08whaU&>
z9hESB+||J7fgFkP*Rz0GvC=V%VGATf%FZOWzvow?aoy(QULV?}fL;!YA!q^f4D*mG
zm(+DeoTLr@aCkI4qvpfU)`{tYKp$m~g5;DM$S@o_HGvi#T3&+`dGiMPxFm$Z*ko}>
z4TOyd=yHur8=F-C=&lcu{(Cp{t@a0SzopVd?qS8fnl=PXgaQ1DRRQcD9Js8!9~`)E
z_MjI>ayTrRw+Jx^2LuJnp(B;UuwlgLhOIK{7)l)8G%Wo5JRp4$>t~wFCLl;CD9W|G
z>S57I5#}gZ)N(Wl-<d&C-WEAQTNw-vtBpW~L;~r9D^R|gdAbgITt`sDGxE5BOnKE{
zZ%t$dz&f;F%e$BFd;L8=<Fl2-XJbRJpr8OhhUV<5u6^1+yu%8_N?*B^$?XQqY_@n-
z5?aIbJfRg0`Q=i)F@M#05Q@of*SGdW<WGc;CmJH(-~(ZV$tf5NkT7-@YEcG70Sowo
z^kvJC>_QGg!geG2`1Jw=A`#W+r&ffAkhf!I3;;tmjdMCgo_`h!L&Z(TQ*wwnH71WW
zq4l>OQvPmsb-sQkz1}hrXR|Mazu!~(#o-?ynpxLk8&t1&S0gV40Shyr*0#{dnkuME
z1<{v_N~TxpK10ZLv)-ueNMFZGYluXtqbloDC<Q!&AyrUg;{L1dfMIRs;g|FFiqW(T
zaNN!ELE7KJmTnZ$FA$gVB3eA?>!>Iu19TlkGMPfBSipGQo1$6LbfV?ZG&9;?sv}Oh
z;bs(76@Hb`lBaw)lj1*UdadgO2~g?9(h2vGFAz!mFATQQ`VV-!118r>`vo@-Akq1&
z^aN#jjhHhUT(F^StrjdXO~d?7l4w}urhjR>u+O?~S$$K8;C1Y%1!d4K^mzRxKD_xK
zH`hwgKO@43$`9gyjVO#X&8RY(plly5YwH3@qKYbdT=DmrdBZ;$0IIH<?<9#5Y5Wg_
z;UAc1HsBY&s{jCB0P%Or_%|#luzf;^pF6VPBxNA<pI+s^aS9N4_?dh_d<mrg{eSm@
zC?8;tw#Sf?2oW%i2B2jV7H-sG?Rl2H)IVVl8eTw-j7agxeeSITC;fcUKg0NRfqvoI
zADBaGBILj{P=F>TCe|&QH&<?I*f7Wbe<rzoLz?aHNSvxvsj2q*d2?BFC-=|cDp~&M
z$U;<UkPw(g5%8o(^<79*v`;r$W6HoaIbY)+!;gh}Bd*rf*4B67NpQvdYu&b^Nbnhx
zcvG9tWd9U3DGt(hxq1)F0%makqnqw3B784ePhzr_{}bGk6>t~-r7b5R@IQTwe__c!
zlqrAs12;2qf3LptFTMSFstfCDmY%Hjv(<lJx9$SO=yJ0p3AvMh7VYUS_|ovc!jbrY
z1y{dh`p2ubONr%bd~}r^p_|eWCVTjz-ewfzu7x=c8KQzt*Ei>FI67AOa<g?Bj1r;$
zPxSw=D*tX2ne1L6q^3RyKYH+mGF6f4kzj!`oFUnQ9+SGHU{byUiJ9OCaA8Y+1cusM
zx$)2Yz;6h$l~-|Me=Pf7)BT&xm=ei-&kb2S7HCt6xZ1z^FkZ?=1vD1k%@r2k{UCfY
zz5&FR6(6!AtP=cml-7fV^p880$v4pLorOuJvm#C}uTsm@jPN&*`v0*g6!Gm?VI%`R
zTdl0fr!Fwdz?4LiPDDPS*h%S=oP*ni>(8?dFkQuiP0%aSI=7~9*iqctN0E491`yIv
zR}f?r9$*9%G@43{b=8j0P;C$dFtSl=I(^y|x4FcNn0k}NM=#mb*hF74U5yv)0`W=b
zq09VZ_Rn@g!X@9QWU)(<VvGAdv+a<zz+8S!2d<9`v{{FuVp-X1ZFd0xNI7pn<m_)C
zWPJbrIV!u|4(jW`nNgg89#&+Dr%j-{tC7KXT$%?+qH<ihr{EK#Fc!R-LH{%=V=ZxY
zAV5pgh9h%~n?EQ|-qDN=%chiqT{)Zfabw0D88$k0PBkjJaC=AfDbQ+3&As3o1oiiq
z{oi{J2(3N&ksw5%PiJuTdVGwiI~08(^R!=Re^;$5{q}5nJcs<`^I}#oPg(nXkzmHJ
zfas_^3$bB^<C{C#L7Zko!ItmI<e*m9dmHXKTIK5OZ|q7<lAz>hB*{#(#%f)PxXLF6
zT0gn>YN9DU^J(_zcW5@!HR_)19?{_@UC;V&6_8nf2cD!f&V`(=_1w)${M7{w-ez#<
z>E7VZt!YsIB36zYfo>A9djnzqW|C{P!LM%0_HHfM)tT(x$0ya?7zWJPPOU~n=7S&J
z=151PvxVn$cZ&at3PM6;oTr}626cY(gW*SxFJb9Gs4LYbjSa%WC=nGGwqR?MXqo!=
zS=Rxd(@MNZdJjx9YPC>}^y2ygX6fr1o&!~rQtudwyt-;R(7}7bsE2d9YGJJ-t=Ot&
z=TDc&q}C_UWcM*@m*QG8YU2;f^}!-@cL|?Rn(QRCR*F+0P18VnEn%v5)F<vsUO1HZ
z3Pr<biZgcdx_V9Vf3H57bq&a*n-o&s&J=CA*Je9ZQj<lbrWsEo4p%7Zy=g*ml0;uN
zC`U`TWKLgY!E%Lz9g&KLFX8d*S1EZu^S;&Qb{l4kG|YGvY6@#Ty4O7EvcO^-oKV4`
zDBZb8LTi3Y(|q#~2QvanLaZG68e<Jk%%M10-ML9Y>#@dPqB6R(;j+~qQTqM!Cc*L@
zZQDnvoS5@t0<Ml6wYBC9b<w=5jh6oX#qii%j=*V7iBg=>po0;?(n4we*5=F2I8{?G
z*p`xz=?rah4eHFgwm;;LV1<IlPIB=Xfx4`=zF;E^K2_3#rL^gCVI-zd2tf%El3FSj
zblst^HYwFB`2jFSj*FA@UP?RwdDmxn@~~|%>}oDoP|*G(KOT%?_-Ez10A(N~UIsBg
zrTWsE6ah=nNI#AeG5T%s@nEl#0BR{`cM+Gk(tvz+OAUjn!owcl*!SNuUU#`kKWt?t
zKQ=iZnOaEy`T+P0P}wfadi_Xcay9BeiJ_Hr^*3)KoXz*)&#|_%STDLe1YPwmul3y<
z%->D;<L1jX^$iW&3Q1^UW}iFc&|cNlj<4XN`j{(DcNVf5#qEWnv^O{i$Mpn#`fjPK
zG}P_<7sChUJ|AhJO%;$@Kpg#n(QE8S1lAun0hfUguP<K*a}s9)tApVy7DTPHF(f^;
zz1=pS0GM~pc2{gzcl=~|1kY(ybF}>tY%*GR!dP(Voi;zO7H{;qoIc5*uf*N1ck$@1
z-!FH-%Oeg+BL(A$F&0kdg`+n^l5{?4F&{B}Ib6W#o=T$V9QPy8m1rd_E8p~@IRYe9
z3vt>ScO%hwMARE0kS<$roOHBhp)0_X$TRM(clFf~EnR<WVe=$X&v7JqFuHiQa-{;I
zDe{43w85t>l?xXNOKZ?*ZQ7rBP*K;e&)!I=JE!!S=9+xfu()*n#wzQ9pxRJTHqn2e
zL9qa7uyj)JWO@HR9D@;Y=Od6|NacoGgj;o}Li-J75r?`Php;NBOZ%ohItJ-0m(Y6U
zYH+^Bx&hNqROB(X_A?>vb(WZ?Yf0Ukp9f4CUJWGWq3Q_{uA>gRs*4fmdPl^9rT%to
zCyPtHLlyh0`hr)?&+;IIr8{4lO<FJ4m;LvGro-KWkvxR;Uj!suvkjV4BfR8;?SI>F
zC#n8yel1s@h6f_+L_jT=1;YMLE{|<G)%p{L>#I#+i+Ag(R)VLXA;nl4Fnc;#0p(mR
zEsq#r20bTV<fQQ!P$aa6HI@4>$jn33hYSf+YX-oIb^}n$8avRz)ZanFiJ(|SFqsH)
zCvlUWRg)Fk4^won#L4jIW-AangEd_yHV?eh1!v?^QbCXLm0*M%C$8t71=VIusC?dK
ze~0QF|6BWlZ5}`|fR*3+vGc_SyYa(5+u2$*y6luj)Z4gbc(WZ7sMzY<<_r9mIoqEE
z_@ArHesqRg^zAKNis~!L^0MyQPsS{X=N!IYX%o&SV&8o8!(!C$I0$oz&~Gk^bap3%
zHKrd+wVhprte~wh11{$XY#tLLt`^$ru8yLx=+0IVoIidqCbR4@VzW<rhdgqR3`vmS
zXHi?Wq2Nt9gPcZY`K$5hl)J1{w@rY<K=`*+f8(cq*{%?^<d;xEqzYgu$;Olv1Eef%
zQ<wJ_?AYuuBIHSF16Ybc_ZjAcNFBaxld+5@4nur>fh?g9c`$#$$g=uY*>(&n7Oo@^
zW1F6T$Swt9CDR4-=-6<*QCJb@A$v{@@Ll%zunc=-Z#f{fS;ZLzS$-?P3#!Ng<*VD=
z_2NWbn0i&|PNJx6h9)BZ6^)mQwt?Yv%hl}?9zo%`E|X;N?8#yE{&xSh5}UrYSwfYz
zuL=d+mTQI^t}t<ez5Cd4+GdGuCT=>1-G*{&W^IYlfPtb)r9ipX4aP%|P5@TWW6ZaN
zp?o%Ki_f`RM0b6XEKixy6O|L`u_oM7>{6+L!~Car1qND&@}XU+!v->9Wi;8J1DD6S
z)I~RB9G68&f*n>|mm#%{F0(tbe>nm^yhv<SB;c+sF)QsBa6C^ttov$E(Pkq<k7bSc
zRo#K#zY2QptXBMJ@aO`T{0WbV?CozF6C4IR<ivn)9(k5Vy5X=m`h)b+vrehCJ6-3k
zusrm{9+a*8IQjLJW!}OWLw!&<+f&gcoPIZNtFgQECO*vM7oWqOr6$@Mi`C%x<q`oW
zB~q403piGs#UH}T19ibnabF<sNB3dZnUJd~sOOKHAkCOj*0>Xr3S;>#Posk0JtR)5
zk?xeSk=UZ0G}!O?k`s7Xth;#ur(7meYW@?XP%|A7`P68~6x&}Fu{qk`4``P=53Akl
zEaxmW=L0I$l^(Nw<NKU1gA5QgNBe6X)}jra`le*xZ-ZjjoNj=r*x8r8hy=A$;Ijw$
z$vLzOdIA6wB=|gObs_s0FFk@mZV&ffpSN}gGo`1?=e}G{Pk_$%53q4h6N=L3kylNQ
zyp)4SzKyHj`}%#Rbz_(DO_GsF9)Xd)a9LfU&ER$Q$<rolXDng$0%H`LP4;NW%;VF{
zd3b&4s(6C&YKB9xQ-}$L6RAPvXXeZL-iB7Vos|^2JFjj<>chrW3lUXQyEvlaRjgu7
zd{av2E-mag80y&#cXUt4!*h`RISESy726WODGlPb>>4I5<EG}@xhj-{Th&xf%@esQ
zP_pLEOPXX6>WfYo+vy(JHl1&|&tym9r*NLfV?GzIO9w($&cK3zi)#<+2ITcs(+5pl
zoNuT$wNFA$Adbn4l%egm<5j#)8eWpJlES{~n?H*sEDbo&Qq<X(jiO+MjXM@T+*>Y=
z9p=gd?zz}b)+s&D8)ZI~*_3Fuep|o2J9NJAanp^CE8!7W_8`&^JUgS>-&fmCyh-}<
z=t36Q>0i?0xXSFSl!jbo_2fIW9t8F!zAmz`7Hv*-Z}Ks3Tn4mq_pz<5#8>BQ3CanI
zr!2p1hqwI8cUv<g`hFcau1dDc%3AOy1W|9r1?7_+kiFdG7KaCb+;}Faqz@QyCGeHh
z^(Fny3pPSz`xFb%bm+Y4dVVs$mhhK2jTt}VYPWur28X8m^-}(9D_`2z_3}tI`MK!1
zan-%{*_W=PG8Pd8L~epnEjEU9FTFSLLuo4h>vlqT-a6UbX=J89&?x*n=lw?=BZSi^
zh@p?>Cg%GDgF!9C2#AVBIHF&9lO!K0H7Op<!LC|@l$QPB@VBxP5<yGy{a)<^l?v*X
z;xwZ3R;81Q6Mbm8Jrr~srY!>1bI|iAfiUG+8orI(`h^cts0!OSGFIT&&N2C$Q5B5U
z^XJ&i@ao*zXe_9NhE{N1$8B&=-q^6~Jxk$@Nzv&73#@$X<q&1kIoec{5zJc@5SmPH
zFI{*d>|9TW{l{VGxDBE#Y6gv@_3<%UKVbU#i2~fU{Id1gCYEhESCVvBFKBFAtPclC
zujKtlo2kHqC-W5mE+zv&0vJ^H=N_!&He=?m*gYaLU7lx<r?c@JnMpvdBE6D@JT>Ja
zZCaE;kY+N29&&h#N%He=tRKy;gf|BlTjsDrhn`Ei>o~06`AC6i$K+ixXpiF#@q{Jp
zp`@_gD5Y*VTdfvooj)?vjvU8;*Eg#I-d0<$Z`U8`oXmJW-nX^rQuU?se`#FJ`$1K^
zT<RgCwoaEH;vd^OVSNF#PFfV5PUk<zoo_wPxKm)_$btPTyKtP=-I=9sTB<E)RDZN`
zV^AadUB%Q3)e+!Ub>3274jx_IkALbes!Hl6e3O+D09t1>Vc=jEkFU{EO2a_8W$uox
z$B~sz3)~=gdD=cGx)yXMdkObIx7e=}Ga4RhSF_SR4@DVn+$W$bWwGou0tBtM$_F8}
zm!bUa@kV1fp%LmnlBZq~sE&(+wL~!~c#wAzUE>9#{V^rLWQ-i9gG$>wf(`Zalw}Af
z&$74iva3H<nv*CBkjY{TE{<d?!k><}*#NtU{jxIvWQ>JS)^|F92B?+%R-O=^>~KBR
z5&JXc8Z%K+SNkU>IBbYe^on=3NXGS3v&PjaE8chFZ05mD$A$+CPy0iP_K!ig<*zhq
zwiEfL5oKq?RW|>!+lyQIN}kUsyj5?~i>!!>*@gP*=?ImMpq<W|Cj8m*AgxWP%dQVp
z74t0+GoLq*m`9Dz9o9V^R@ixUnvYIhmPB*Tz*JAQA9trL5WX7I*=np(nKxd=I*iyL
zE??PwE2;=vr3frE&lqk|1-%xK0})M|5gL^pfE>)7iOJ`hE#DY7KfuA}><-RxBlQSH
zb{bC$7Q)|Lez1SqjqI`Q`r2O2-Bb)uOp4ySPSAVq0@s(}k@`g&{ak#l+F9FT8Ch1n
z@w{iuGimysY&%5_&QhBA<7C`A=dXJ&8=B8;l+tiOo1iZQX{^FblZT!A{kR81gq5IX
zB6<+EiH9v4J4yyknW|=Dr1Xj2#T?Sr)r4PzkDlGZ?(<I&DW$@bwf6dV(Q0E+#Fu-V
zU@Q&d;fN^-lY?Edm)~-Lh|kZ%4J&e-44Rg;nyb*PA9^{(2q^wc5RSzf&>#g#t(jxF
z54Iyso2IB(ZJKn4qpbN3xdg=1yW*Vq0<)3O@%0s}6NxX5ON`omY6_|@Nu$~gwl$;K
z)f%$;;z>Z_18TvvzdZx^qdKGFR%X=)UK7sLVh>0lmGl7?B>LuT_vZ5`s*F73M-H$)
zKRr0WYAjrLc7kvPq6X!YuP;Tf=U)8Or&(@?0m?P&KrBtD8|_vArMzy<>|0+@xt{xf
zHQUJHnE;@XP&ab<h*brcn%L}5)0D5h1-Z){U7b2*?KHTI(dq7YBtHxjqR*FcmW~+t
zV^Yq$eU`AM>@Xnj&Q*DdsAme^IQ}}gd7h;(1VH_KB81Fu2x8*zi>fmsWUP}LlxFCo
z+VEC!=Y=XM1eR+5)LUn$hC+3}V%SV;P=aDfU%%xX+~UL_^~Kto5ycyFNMapao5Sk|
z+p3&7NhH(~=W#hFmU8)p`_&QwA#V^`Gy>e~jqMbK>w326h^8lR2+!l2UL#O4+YY};
zjA2iS3e~L05HG0e-9=FKG@t#+3fvM5mM@D<PPDA(a%`jSL+?TJ$qT*n)kg?;!$n^l
z9JgN{2E%mydJAp(Jy&7J8wL%YYui3O#`ot}qNt#1-i4F6py1LjgheW<_hZI(&R5dA
zHWMn`moEC@&1XiDEe1s1^WokMB;4+fCfI>km(K*t;IIZ%chm6GbScWz5jOca65en#
zSEfNys}66grL&}S%W)4c4j!#eEGHg1m?>#D_>aZDA1?S<f-l-W_<2yTjTYT1808uc
z#iQJfFmV?hP#Uq2HkTf8Hjfoe*)C%obmF?BZXaBS+F-mLKwXoc=q))gL|Y}zH9BtN
zZigV_=^g8HwQ`V&lp8&*+8!_@yifS8%-{oQv{FN>?<TQvuxdkadvmNhL%sJHPfN|O
zbk`Re*476}=%2$-!|~q&Wz?h0KO7LW-9NNkrX;#8Px_7sOt@}`iN;@C+8$U>pBi;+
z9y=6cv?`c!<8FDH1*zL__JN-6NRNL~d>Y_#hEHv}070o_bq}|Z?&iE+_!}%Ca@~Dh
zEr#8k_Ig{KkMq8Ixo;Rtxt-}jpSrRC{I&m1(UTi{f8V+HEcUmU1qndQe%H4!P2@7e
zV?6gq#?&S8Xm9Uz|KTShRR?pQU$Y6s1VqI`Bqsz91?*5UvFR%Fwt4-(p&kT4Q094?
z)_kjyEP8`gfVOFddy^<1#5(nC^=Q`)u((A%DSlTj2PRn=M~PaUMyYk-bW1Nm3x$yZ
z6?ze&mCWV}rtJ)og6G^bE(wsIWb(Z%NR}we2{X5;NY|~gm<48L#ML-?AsUXc`c#Rn
zMuoRSW>NF{rv<_A)rsL`s<jB`a%9#ou&#B6QKYrD$eStS%u9!oPUXIZHuk{#qcRif
z)f9|Iq@w%|w!XVuK;5cXrjkCvV7q2MxRq4I-?|WJO1l_{ce9$MSnf0dOsr}}Xp1b;
zgFhL$Y?goJQs|OxIbLCaN<ffSuNQfBgqiLXBxN700P&Rcdadj{XB7{FT4<yiiiPM<
z^ITf3=Wlaen8~q2LurYj`JP#cNAU~7BiAm7#`)EYcI-^!xL9q?+n|hP@8$!?T7QiL
zTe9i<rVBWh%>K{rU~R;38}TGeEKK{OfMZ$7Y5w<GCyOwTQ`Oz!&5fH}-o%e96otOj
zUz>Ka`1JGMxEre@&f;d*x4X~Hr>T>fG<bt@QYjDEmZvL9C_s_vNKe*_QAe(~z*5+D
zevOs#FoZ8#OaQ!=t5Mgg4e`a5<KRSD${#xm(`~A7?QfGqN7Ef(FTok=j>VNU4EN96
zQ9OPK8CWK#yYIJjyPFup;}fFkIwXdkjo=%iGW{NTRZESm<uoqg&2YRHJl<}vEK4`j
zEX8=U9pbbVb|R5pz)jF5Wfha`jc9OP&q%mlmK>||k<ktr)n*59%Qap|=IB%vqJVTS
zIiw993sIF7r$3LKy7XQf^Y|W}&2^eUwJMu|fLa@;A28hBnU|jiA?L-zlcuChD)izL
z#ns37bXR1dswvAjc+#Fp)JaO)xxz5ro9t;tf`Elm9Z#c-vXZ^OtyE|vB`&uty2(^}
zlaqleW_nJheRa%<qbZ`i=#K0&Ia;hvZQr^B2QLd7%F2jbZ0KuvFHO6lf2nz_KG-I*
zkD8N=Uh~cb65Z=@6ER(DYp@DMdJWP&?!B}zt1^7D`ADiBaOgMt%nUvG;IO}3M{HZH
zjOiKa8nRGri0uN46*cCTO8c<2!3_-WU}%1FT*kKC&o}7RyAqvKv6$%;=UR0-qj+}S
zJcLd~&f?(t>o`3mvexq@iA^x2jwRHx`?y?)x*E*)$}uV%L}#sUa#Y;Wh>c^|KFy$=
z>i=EQRzUk1fb(>(#B*}d=fh+Ypf}kl;Voo19epjPf_EI=3zSxKF2(}AqbHWoxyfz|
zq#I3g!%Ou9dv6B3lL(-?7YKluZH=n?TQqBLPq{4{DtM{zMp|-8UMJO5QZEN&BxPmw
z3Ba)phcsV1<=JxiR_5p8Y(p|jIgTOE`Zv7E4`^CXZn%h_g4Va$0L>=R5}bH=<8Rn?
zi)Vo}bo{fE0-@{UF0(2aY%w(N>+c0oU6Lw>!|0Hr7VOmrV=T{G+QvgR<dTM+KoAY5
zIflisAAw|FVQg)hLg^c6J37z?vHl8LPuMg`85{W&ZsJ2(NKJJ>&^(BVgIf`5Q%$Ih
zaRwA}*6@L@a^VH#4J!4!izt3x+JXHU!Yh*@8gz~~S4|ILBVaMU0kxNl6}NP*hch=A
zRO%0qyh^;#$c?IQhb5gLN{)uv+AG}O@x_wos21=Tg?+WWk-6IZ6!~cQnHlsDQ@nI2
zT~?gFk(1OnDSJ_48Vd>8zV$+JHUgM~%nN`dGA1b`HkkgRqT9)1bKrEG+`@y~Y~dzw
z;c*u{v#!FUwUV>^bAi#YUJRSD_Vg0Qk(BDJ^Rscta=H^j5<XZZvj!$-HCqK`;qw!&
z0)@O&Ju`mf!VNcE#kFXtr6tQ+t9h+8DtPFY&(JrwWg#jJrlS<hg<-AYZ~<NQk@EbS
zZKH%bpwjQpoZ;NH0%Lu8+%#FrEy6Bh)A{|mt-((@CWPWuWKsAK<*xz#;$a#1)LzV;
zirMzpRPjE2%H%}#-VR-!QB_@^80@i0;hnyMrDORI{KrA25DwM)mpl+6YVb(LL!%LC
z*>I2vi@w5YPy1O!kueb(*^cJT)nmz|Mj_a22aI(#?uyj9xvdN(x*9_E=r{ZF)RxB-
zE&3m<PuEQgvj)RtT6+3anB-Ya23Z=jk5N@oPs#8jlD?+1Fr|8Fu;AdCAs$1F(}dsA
zX;KV1J{Y26OiN6lg9X-TEUu3izba#!$_$F<7Zv<E@n9ec18$yYU+!du@QGo_jEv`Z
z*r6wx7d2;QPD_*GrnO41&gKIi&Qc1Rh=^oZenO#C*}X`s5`L}Ru$gFJ&8`C8S4ygk
z1%fbB-i7;H?4}M}vpPFuR4`&FCdsVF9|Ldi{Pi;0k^?5R>sWDZVZQelaj~rp5D5io
z3PP`vx2TS%U}hP;<eT1v#GnP7Oj4L#OK?J%ljw)|`t4KQ>Od?1i`!cHinI7jn-^UZ
zhpA}5w!Q>nBuUANk^Y&#FVo87mhA?`uT<oTt2(D8(>v@YSXhiC5Vl~?y-Z)l&ITsX
zqpO7^9o>mmgW&jM=|>#tm<yg~=beVn?XH@I7<3F@WbxNzRtu8@h6j4`B-vHhJQTRD
zt5RgG&NkS)zEg(G9;}=79TssH@3VcuX3N>QYP965!Ma}vnQnmGMePBaEl-Z4O&4&o
z8R7I3Sl>ljzu|C`S4b<7I@2IG3xOz6RxDdDkYpRjY@yui91CA?8fZoeaoxU%qQAW|
zxHB5DWOjbixbqq#YrB|p^^O~C$(3TA6?0Tvy@+n@KI$atPA1vWA5W&y>(A?R5zNJ>
z8Au_axXS_M0t=Dkn)P9_Roh^AN=|uu{Zy>Cm_s=~75a4_o26Ts;y+DdAtwu3;K)gQ
z_PuM`Q=TF^o2P_}*TbmGM!d|&IR&;u_LB0zP|FvqR&q*Pm4Jyt8|zdUBxD|@<3u|j
z5HIsvNx0f~l89D&fhoi5+0a3n9vs3KSWwJH<MIZ``C5)KIE&EDX;X&9xNz!R3R1l9
z>XaO^-w(tP5*K0bIh{nN3K;@L<Z<6YB|E7x6JmmZx$O~xp`&#Z6ElGg=kt=EC#CWX
zVHE(JQDk(O4js7edP$pYr(up9Tr`AU)M_jyNTzHM1zH|-_UI2EuA4pd84%0ZYYv@x
z3c2p;f#rxy2>?j8gd1jWEh-M%D)#Ll&`RtOkL_gg(@VoM9lb2w>G!_3KXo;ryUs-z
zFI5stwFFf=#z8|@p6qGOrwtw!n40AE@(qNoo?)mL8Yeg#zdCET>M!Q5USF@es8Z|9
zLp0|)SqUkXRjjZLP%}t4z$tE65E&D=73&6%Du9>@n6V6&U3!EjjCm$JKBFabT)@8B
z?>Tev8q`Z=Y2A6=>knl8Evn;1V9oDGLP3kdHWFinHPpd@bU6y54wjN2LY;yr)$-U7
zRbw+&8MfRjG*<c)B&hCftonKqs_?<SUzqpQpsBrjfTeP2cG*mUF?4{nl4t8fwY7d+
zVA5$s-cqGrWNEHxnu>j{A#3uk7gt|@Xlp{fG&rRHjbB{Eth8cQLGq>Mi>G{ZXj0~Z
zGn?A4!BS+!tzXf)BKKTk6@7bPNK8ir=*P)2PzX(#x@6}45wT}|H;tNaglf!+Pr?0V
z%kdx|qfLh*UHHd~GdizM_v=e^JJ;-NY$q!9C1~F}RNOD^B}1P<M7KkIW_$Iwt;api
z>AAQLMb}+VCydd_D`56XRNEvIOGeh5PQ!_HhINb9sEpU#5PONPrt_u_k{?E##9*uQ
z44T>yXaF#ab!-~qQwod><b=@6TUw5okJKyD0uQ|vc^9-fp1I`qyo!ZASkT`E;mKKN
z`SqA>_U<z;*fT3uan)7x6|1;U=XYFFUNm3F$ybYK?+P{QOOJZuf{eejaXnz)$_15H
zh8@-hM+hOS&_1j9GWcEXDk?Tu`*B-zVS7<v|BlCSxTC+P``7`qQJa8QiYg0`GcnEa
z1r^2{8%Plb4Z^p$1jUFV#*;1sK@Or-%5E!XNKms9pFbb(+YO+c`IQ`QaeGBZ{XWk<
zHlPIqQvNYLEDO<!OmsO^LuCShgk4&}S#1Lash?i5$}G^Z9k*%F7vi^Oph0Reh}A@m
zrJ-sb(_`b-BMbQ5he11Xz*OMVtWq%fa4IM<@-fJ<bKd2#l5B4V89p%cJ<#~`_mn$g
z)Ksz`(l3#0{`xN9?Xgk^j1X&-zhFLZ7L9WdBRQWqs^d!AM@hWh0XNZXLnXG%mwl}A
zjpjW(sAS^=3Xg*~qpAaZl<lkM-phFD<6mF?zC-6!$8kD`x|?Ip>;qBZ;4kuSNj&$6
z;TeXtKzmj>v}q0u(w(S^w5#>c-y`K1r91_YJxR#L`GBPbepZywvdsG=>WgL-sO~2P
zogt5vicu$D*&mG#2Z&S~?#LZ(PH}2Nn#(N~oauT9S8<l41(%r%HWa*ZZ$B$E-%uLU
zt@E6c78wF6P&Ay*1ofTSd>8m~d04Z*Y|fyK#k!LoN#mTpxycEvLdk-|Dd4&xW!ZM#
zI}O()@4d3rqhY(uG-12W_&z?(x}j0^6YJ^&ZIA9D6U_Q^IfkJRu3Fd-h*8BX=oGYR
z!E#YDS**H;mrC1E?>M5ws)J0CVU51tiFDtnP<P?vp5gZ}PH{zR#M6FBoNkClVd4AB
z7`xaVmTz$}+cWlc@-woeuztV1A!Mvq;k0vjdm~z5=R4QW@c{JMGQx6<ksl3)K%nbf
zkRda(AOoau4&@w^OFv)|&*KvrI>R(tbBo{S`Pva?Y}lG#;NBWP;O6Ppt~SSLclb<6
zT#<32lRSVc(~-;79*`W(s4bw4XA22k9WKd$dL&eAFWL=`NT?lpdEOu&dGC-5N5(mR
z_c9%GB!uv*!o_+VaPQkeDz&&zm5ffNB|--G3#HX~j;WV#xzlqj|Em_jA`r=`eEZ#Q
z*zmACfU_(C#kZ_1k8g@uPpp}#_F&;^U|0L$O9*p!w)GXNFftm5Zv}8Ok2+IAeJ|JO
z%Plmh9@jLe7czZ>PO$T!AeWrmBJOOLp6l!v2pEjNMf_87mYaVv3!K{bMVF<T0Y#KO
z)?em!Oc6U9#bWp`QmJ`6fYlWQ$cUQ6==WXVv=y`{F}>;U|J-VQ!JYa_<NtS*%mB(c
zO(DMHo@=qRTf8v*+2*ioYYwzRk(!WZ6P@Hxep<r4IF*6vd735M#TE__&=(%jI39qK
zdbnwSY{J*{es2!D9dRj6xX2q395RZpd4#druqJqu>d}`TJeJ0BQ`o^SINo8$C)2^x
zr>7VJsd7*=P+m2-;FhPq>6Rxz+f)2apme9kBr02eLbt_-c1A~FFdJM{$-jOv*8koS
z>i5T^hx>hqy=n|Sr2xU{?r{)lu3>aezl}_bNrg%iiuz(@)ZPsBOsx#ec_3%43Zv#s
zBY9#*IA0KG%?XXB!oqhZ63hp>5P##a*5gHS?qBe~A?GZ6_R=1^*Q`3ileA+hDdI@Q
zD1lARb;0|SA#fT9-vA2&0)PvY;kYh6x)cY+F<cJ?tFd~oKGHvbUboBc-*!iuI;j8Z
zwqQu8CS{b3M9c;cFOML1(h5T3d4l}qsS$j7;R)M!;{Ux+B!97Bpsh^?)HWirB*!CD
zQU_7f?y!$+K4_<_ZfhvFif8erSi1-Ybc4pn=#pPJiUUJP6{oB)=z#_RASXC9DzT@!
zz(HGn$M36Sx<#CgC{chO;bk1TSJvRKIFfFv*ZOm2cvjJ%UU+PLEnLRyHt2BESY6eV
zn!IYUZ2Z@KgcRXpAoE!AIJ~Y`5n$2aU*6%*-!TT6jzU;<+)!w{o+xmWo7D$_V=yK-
zV0)tZDN4`g5=4Esc5G$dh~X?|WI|*lDVf-Q$VBm4X1oEz^4xNfM8uKj-ILtmFbNGB
zsL^PpaCylnpC&YuoX=2j$rje)Qc`1D{M-Ve<+`WqEf_QO3HREK=eK-)xQJA)(-~U2
z)G)vUx=4AUvTSZmc<?M;>xA2M*<){K*rS$8xoZobBdCxV-$7@6wypT#!{8`+FNR??
z0Je&a?Vo%S!|*%YUf5QnX1mUb?lLT;v<udkaPNA*{uKeukmlO+UMZHB{4dtiBuRFe
z+xch7SZ`R9amiSe0yRC2cAzqy!FieBR8zq!G^g@}`U&sh3WTj6W|RQNQoxuF(v`d5
zxsa(T1tKD%E=v|9-&;fcWM|VTDLFYrObo+&qZG)8Dq2yVT&JEY<LVPjmaQ33a%qZ!
zjC8^2F-=k2g@efRq7DfA*(&Q5Nz2H5kBV+ULpGn~jRSae+LSItW&DD)V1=SzUur=}
z=t~DhwYnVsTu_;{sI?e6;G6X9!oXqRT9E*33d#_5#p1XE==qYO?>Cwt7{?~<w2>jK
zUF&57-VE_UPYx6*xjnyT170icgaob8bYd;+g=S1oAAayyT_027or<)U`Rvuwg1}Tg
zVpdKhkbq1d0l$O7EuvG2rd&B6%)E6EBLl<GD%=l#eg>3UNkcswlS`0GkCqePpS1R3
zlAv`DHeVQOv0A5XErY?8f)(!fSkW10VjkQ~A48nXyHG?WgQgLe>$qCC+pBr4!;}WG
zlk;d-qcW3YgX%5t6pZnLO`zG;UrVxhJ34S4{!RG~Qbi(&$+I8*Y}XI<ZC48)@b28V
z%1>i=lMIl`*UjpqHFAZ~Q;BMWN=WUxB}GfiMa8obijyJ0g7FDX@><**KT8ew<d63?
zY@>~0N|Gi#XLrezS|ug487#xQ<_}(-3is|4Qj%Y1!mJMrM~z~ESMr(Tx_}*(`ciw(
z^3d6xi7GuGfYukuWk9DAOtKAHO%oy&rMNE9Ag-R{RWoG0*e`u<G8GRuh)qgqSWY^Q
zwUj6`1dg=}H=$0P_&aneKoro}i}=6itkxL0cDc@N6M|6WdP5o)6%^zcPNc5#&7;(W
zQz3o12tJ`C(OFqlT24d#{l-}tn`%EO)!8X+UET~d=W#e4&#X4vpYyvs4{ub>3bkO|
zXhS|vde%SFf$Q-@)@5Rz)0>+W50L4S-|9d7iLG9UgSQX8)bYE|Xo1+qqzgh<PV_~{
z7r^;&iUxV;U%@1tu&0=gOgB<2iC}C6OL_1YcuulfO<=%d7eR$jC+*W$Eo0%-8jAP0
z!Za+y-}Rpqwj64+)XonfoKeroSZ^qd9ZWMuMQMjbgfk@O*3SEzEI0QS@*ox1h>j4@
zu>-Snr$DT@-5+ncR250v5Gbf!=5r&JSyw+iiT%FP_BUiTI~)|gYPj6ciUErCc*O=e
z&RyD-kBTO6XCJi}FPUD?YbEfv0-`K%DhzJR;hHXDEwoNj^@RJj3#1T};3Z<GNDtCf
zDCZvx*Su?7udQwr&zZ8l5o`I$0GbqF!|dXq9GD2(lE9s(7u!`P4BrZZgeqaoA1fX9
zo#FWxe{-Q7hCF{0o0h3!DHYZ*Lc?Mu&`)GpkQ6^CFdUITcs$$1ARW_%jlLOn`@&S;
zJr$}Xla|~z7rggZ<u|#AK{9|{xvbn4P$YciZ*U)zR8%(KB#Npmw*P(u=S7iw1lIgR
z?@@9GXyL!>h`C2yc0;=KsKAx1<V5klvZQR;cofSzEVxk|N}sbSI=B?CEC2O5+FJXd
z%(}+&IKdO}_`3uUzo>%7PB^4SUO%e#hSF`L<-q2prYNc7j_0J|lH*=8;$WtH>f4=8
zBcLK_q;Q@HjGpzr-lY#=u+<_+++_=j$VyRpkB?-LDyqMg=jM6AQi9BoQ=5kR)={W>
ziSe(+_?=6Yjq*@L+VhJEMefAOBIh()a?c$Ph1uKiAy=nE!oS?tZgvPdV_O-i^^kuM
zB`JKpO?P%l{Wf@BM_<|Mz3^o6^LxHmQ0*ci#w5ejQp+oiVJw84Wa-S~H=b8@qJCZ|
z1@mFVYcw!iYbmWn_{ck-1sozMbIPduS99i6!DT7_i-YPDO4gk%F3d&wk1qoNGF`sA
z!WV|&RCa@8LcU6T#!{UUxd>Ql(s@~UE4y`|pNNU?UOm&2tH`LhF#S>V6gESjO1G#!
zl^jKx{ry|zUja#EG9v&`>CtCkI=6oWOP;U*DZ~i&JeBH&BRXs!9BGQ8bQESzx^MnQ
zhfPOhW9IHIac~#;3uyT3yeMt|=0~FZLCyE=ujtFapBqKgozAC1sm%Mg>-29gDti=a
zIGF@HxN@`$ih}#wR$syga_xWfPbsp!<*k@hyMNY*A+tFFG(m$yWL&JnZD;;_n15@`
z4xTQMn1wTFqZtZ>qS6~O^(g#f+LsiiDVYl6uNC~K97+rTg!b5r`LP*{s7>+Sky_&t
zAxdXSGDV7*pfv_^13Z#cIRDs@zGr_J{tF$AFY*pI=?(Z2v747Ld+9VLCME|&dYR!U
zi{6Olk31A*-mKl0bm$ajC_gO!p^Ro=V05MyU>SlkKA%ziY#PtJygd0IKZ@TKw{RJ(
z6)+~T$Nqpf+gWIGUW`iB{rU_&Q&VshN0Wcv@+GPqE+BMjd=STNJ|7B-99s9u?vgQ6
z?}077v4ZdxSUJld8F`W9_>oY^<h@wY>7E&>EsOq4(I<?&J9}hc-e46un-2ouQn=bx
z2}&b1etQS%AA*q~UVUW9MQtAT|DS2Z2Xza>r8a9Z;FMFXax2V4D7YxayC`^nmCEx*
z>qgn*sz&|~m3L=BY2IavTN`^bmCfhicfmghU;t#q8NNNM?cn~$lmFCsd|NjNOlq+T
z@g^#<Wf2ra%~vy=Nl$PlEIOxm&-S|oiKB>2glX<q3E%+!cv~-|>TmyJkaQaBo<IUs
z{@7@Euczm<?OM(qTQ>T7EpC6XRJ}w#@z38O!QqfTb<+SSbP#ZG@u*}9_)SHxlgGk)
znE%5#$>cl%(eevIAbpAYMSc!WB=wQ>#Im10><EeAf;N<DXx0Ve^M)VI0#iET3|+y(
zOjqbp@n|$);Zbh@q5+W($owzbINtz#Gd@33$K8mFu`bwrB*dKQ{qi=f!Qw?Eu5`|a
zOOl&wLw73B$a3qUzx`T^ZiIIG$ZgDj+x?$i^UcBs3bDkRBjbk$-7_uP?hiwn$n<ev
z8PL!U^sp0x{c~6)4v(gIwKbBB(9*YFT!sJn5wdA*`vObPBj-Y~TnLJ2^M_#9R<Ka5
z+rnp6tp->O%}Sap(spjx!>i3k9QJ}quQOPNB5bU(4jchk%#d-2VTlfCd}|sDcmi#p
zchz;PH-lIHndX#5aZ9F^H^0n~4%0fCZle<a-||n&Z@0G{7B6DE`r$J732v|H>NzQZ
z7LIF2{vu^)$W0y>2|rqa-g9e+$Fi3liw*w9=qmuIo1h!E$bBfV+0q7szFLA&S&kB1
zIBRA+dx%BEmRDLPaU4b8vHDYYL+%Z;WT<t+q;?`3L{^DU_&hg`!^Mw%wUt1Q*)uHl
zM$}4<@e{crI;PuC<9)7i#56>}IZ8RGgx|KoqPFW1z9A}=U98~Tu@qXeuq1NEkw!vQ
zQt^hWrHeEoH#b8sEnad~^}wdYorv2?-S!*wZ{2m?cAQR~b^whyyKGh$L)M$Z5z+t0
zp!k$g*s8KaAc5<x5`$whu=0L&VA6?a^HZ~=a33B&pIYx5x30&#)mn>LAH)r$&2Z5`
zsxpaBKVW?yDgn^*dfKDo(dfi^o@FRtE6qN)@#Hn11repz!XzP}G3AueUuozTXi%Ry
zN<=TUutUC|l<x`Gg?M9%wpe(FUUnk`c~!7$*!33{!XG~qY21iVQIO>=LNR+FBII29
z-h%?+h#nCf3@$R~kDk2lXwDVwA6^c~uJTpgLWdN$!ZZ+{a><t|3`T_gclWjZ4=P8Y
zuf7$W;)<%qJ*F6I#H_Nj@!w?J-I=gmRM2|~_m_3CWn=~;1=)kkQ9~LXO8XMif|y@r
zva_cPK!oO7idDEJW=lcC?A_EmXdxN}ik@EcRLsE@>Tck%up$EGeb|!YeR04FG~&~%
zM1C^18(92!z!Qob@kb)9+o6K|Fy?#X|MwB{FMe=wF5n>slZ~GJ)NkV~bVXlUam#5q
zVuRl8HB<gvM4Aw}^3^O&Y$kcIg;2<WWy;jOrH!E)Bd=Isd>TzjFcVG!pHQwRu%KUj
zeWuP<3-TlKK^GNR1j~A&K7tM4KK0$!64ALdh8rtD{4`)U8?L}u>CPW*D9IhW_?4~g
z)E5>Qegf=^WYo-nKyT3riGkO6@4gx2E=SJ7qV3Gp2vpAjbdu4<-LZZncr-n&d#LMl
z*-#|+#bM*??!aIm1ae<Z3gd!Aw=}}%L1C^}t672>#J2l%|J<2KJl`lE3R~&)h7XLf
zOuT2z6IZ_Sk{F5P;(R#}>8|5Y^Z-cAH`?$XJzEi7R9Gv|R#0Uh%pf!7$8;iB?4HOj
zQtm13dk~yGl&p>{0)oLAdP!{Z<-E8%pY)h{Hsb<JfHVX`wx+wF0y)l;Up{`8OOGxB
zQk=Z~>s<TWNw1^~AUhX*Til_g9v!a@UFsHk;+pGP8~<Z{ph8}vJP{4;*Q(yajX_+!
zqgsN#@TcQFkrmpTK%cerZR(G%N45vUWxaUY(hCZV6cgvOG8FWO6IS%AT|o13+ijgM
ziXT5k4rU%O$cx@VU<LZ!y5{=xf$NiM*kHr?UcJP{stf$1#|IQ>I~`cxM;qevhaUPg
z1?u<OsiTYg8rMEh=$A+H_0MzAX5im(&s{(5d;sRan)p{k2#-E5+0j3?wzk8A2azG%
zi^)P1)zkbzkLcga3eewfoSqK+QE;$^^aiS87jJK`E(^eB+WEEW<4|c3n9KHdI;Cq|
zP95*u99b+s&8ZR1NVhL48;J4ueP{ATz1MuNFFm68X(xvshp3vhTP0R*8S*F1^pajW
z-Uq6hcP0Xs<Ms5q^Y7B)s{VG1{)g3OOF*WpP78rxX=_%))_HD)*k|$Unu!4CxSXF@
zui#`3hhRzwT5e8wl4#Dbb)v7*oGwa?#ew}U@0K@7$z|1SR{282|3JF?yK57oUoK_P
zSSeUuqJ2UOl~j-{E1r+CdV|=w5Y*Makw*2YF%3sUdDJQALZDh|HZW)!0y>dFQpftN
z$M1{;w`|a+jm}$iSbff&BJ}|=K=zapvBqZlVoAHZ3LPBKAgtfp_~-_h23{+~?1X5G
znw+t7cJ)6ope=<Y`3gLP`NPxE*DEkw7s9^nyTmP91A{mZ;*0adh7Vvx5^yp?l|>!&
zT8#C*Vm%O&a>};eoCPT|ur@mchee3Si-QHtg`c`M^1Uw89TOagq@^+=;1{U&RlT)3
zWc?@_t5N$=%?u;Qh+0y+#_ji5c(6}MO$`TY<yEj-*H8NYxB)(;<ks37cJtf0qWb2M
zs!;`clP4Qbx=MITP;t6Gz>0-1$KIm(Yh#NZBeT}M0o&1h;a#OLtKyG{mp2cy)K7PZ
zyxZ|u_fS0W=JF(_$qCYHkAxkvg3uNkVC*vv(JllaUfARF>K(&m6te__!KbfIef_u&
z`ceo`u?!W#iN-;cQ$;1=CxnFe3!u&mFL!)cuYI&^z>1>UAwCWS)?9>OC8$OAQ8R)K
zjU$QI{GOX>0Xf`l-L!?UsS6<i%#=7`uwqF$n6nbXiK#OS^mG!f{~vqr6kXZ2g$q~g
zq$;*;RBYRJQbEPGRk2;MZQDjA72CFrf9-wtK4+sI|Cf8)eOqmfwdNe7&+h*9KKF<0
zOLsiA3iMPeXUsLTM|2$tVmHEGrorP9AcHCWb>50m>CF%neLC-`vz?@ggX=jS@<282
z@+6`~m>*+=!HQ;l+K=jGfN9qH<KjwE$h6PhcmST;KPXqy(&Y*!jhulgrIZ69hg1ui
zEZv_$33x%?az)>dZHytRs$8pEdL<Y*>a~iDfRP1!8RqB6!?rMaLhW_5l6uj*5C>|W
z=#Xw4O^~US-R1nzXkC1!L9r7)M_s6xZsqsccKC+V6<_x}^RQK`p6PAy?U4<|Zm<O7
zVO73tY%DCasP5a`i|#bti@lOp$nc7giSuJRUm~0n6)LCU2mJOg(p4x67vo28YHhoa
zu~S#_oo*c}V|a;`{ozJIMqMh*?onUmRGUD!R|7p5mAXIGKa^dSMQ5@=H56S8L#)3B
z;x*)l7D88vT?n<H3il7X0}~2&$8GtCW)$7b@YZ)?+KYg>kBsHr_<BhH%eXZ4fzgW9
z2}n0`Hc4{_3?cV)gtY)!Cw@F_E$O=kqCvb|9KjhH8=KZpj9+j8(kbft#$OL@yIiF=
zO|Y_16v0)$vCM1Or7oBS3TfE-VlUA*NXig66#enDbeS)y^wD<7QZ~8R__Rc}hQ7(F
zdgw@=j@jTyu5-cnfRs-rYivLOfQ&#nKKGqj3<M5l|F<4O8mpT8QUyLe@~66zsBc*J
zTMIGBWim8fH0_*(NQ^e6V|~-~Jm3^$ahKCApUX)?C_AA|iiCFy>+LSvW`MCunBw|0
zY<4a_VUL*y1_e6#dLKCDEv&?<Am5#=hNZJxL2bBb#3JKq#3xE<g0;@rIS#t9VI&7|
z4^Br{iiF)7pDd33wPg4oUh<_Rv*Gt61vhQ~DN(R|t9>$M)}41Y=ZT7<74u&2<D*fo
zk=rK{h)<+la7WWzIw9|UUko#>-b}wcGSfMgw=>z1tLB=+b3zuWryGhg5d9%<h>et8
z1)|LK(8U}uu*1&CvyGJlo_)&B;Oz`~#$HV?>5cO{Dph3Rp&YqE<N@)Q91WwiXbe9)
z!<O|t15pNZb4#uHVz7#XgV-}>Q#EgLoWa_>Fj)`BnXrqXPEh<OmQs@2xm*!7dMh&(
z5Z1O<&?wIq;3(Lb@2=pE3FzN62Z(LAMiX2ghSPJTKb6H%gwA$Vn~BF_I7faJ_YuAA
zh*5T;7?r0G>}dNTEt_Dg?==Vlvb2$H-eLwa%yHt>mg<D<orkt%(*j1pt}@{ptK!u$
zLq^4?a~zWrAK1Jc3kXh_>Z}#<5IU}rRMIw1*fBZ0|6*@{|HzksI$7^|U|>BF)d`pF
z2gzI-w7r|^HWbl`m07+RA;_39c+Kh{=m#p?HX1IRTJ^>k8cw5tpvofNHHNZ$*>AmE
zZ_D2HtTiNxk|(#SqGiT~h*Bo69nx00`<-8>lrK_pq%sgVBphB)DH>y#u|iD8SMV;$
zRxpp}h%H^lxbBi=^nzOj7{})mbKaXTDOzNKVVLg@;m?Rxt7gpHqwn-DvyW_qAcG}m
zbO3}I;)D)HkUmpKZ+GtE6wM$WbICVCK5)D7p&v0m5!%<}@=nA2VCFMyq%tVXm#*ar
z+RCzXSVk6cNAd*phgxDueDVEzlT!+}H)qaE)e6oBQo#vVScVF_NX5+>dLpBFH80Wj
z4{Pb3lU%e4SgrXr$gMf?im&i&yPjnQZ8BnF(WbSM4d|uhyN2w4dWOH(Wqf(jh9)LN
z6%-J^eECvGcQ)HjoYYCWaef~4-`pY0)RYjMQc8U6H->XMzZAa(W11NagR!{pI;1zI
z`3bZnqkfh1C;X9IXI#mCjRGKg)eCi5-{u^)DrYy-?o@pJwuINnNOVTQtv?9lfNMx5
zh1XFV=9Pe>*VMLE*Xc=O3>JS5i<(Ut5(`5zt<FX@%5G^WGPou-$z}@5vOeZebMNyD
zXhL6^Y5}*KVv44r;k^;*x2EG!**!e<Q*0^Az*<(kq&cl0o7z4V$sI_vU9w>F8e_tW
zY=j5&Fc~S+8B)X~s(3*}W=4lnK`>9kp#3Wb`2dy|(g&uYRMkZ}eOV%G9m_AB&OyE6
z@$ofvUc|-+%6|S_umThs)>t;NxtZ}}NvMl*R#6h_#X~CYl1~%QU`bX#YuH?ljGnvJ
zdM=JtV#$)x^QNFUdZz<Z%~f7$6e!0JDmi(Mj%+_#Z>ob!=cwyq`pkdZ8d?Tl7}U={
zwLF0FDe<F8wS}x)4LbUSxmG1^M3@~+e{R)QI?v|c6#0?5E`E2}izA_b#`r|+OC;HW
z^Nppoa8$PVQinFbrS|u<%HJQeB>zSaxU@u=m?Y$c3t?ePO#Ireg4d~Ka}F>G%XcUB
zFr;CG_G$;D7)f<s$A71tlw^Fvus&a=DBYs_f=bX{1~RWPjsH8A>mnh_0-xRZWm`D8
zoP-a5oC3bbUwVcAmkx^uWWzl0{wd?X=VTZG$sh`lZ>4`b(4VFV@Gpe_U;h=(kzNr#
zt0n9^LbOrAC2S=AFYgo)3O(IPlZ28sOv0BDbcNEQXHp!4QA_yGE&Z7_+b7T)V{bd<
zg5S?ZCiezv1eIR7qv}>s-1Vka1O5jKCdK;5uiDsU^W~#%xHl<e@}Oq?-4WpvM%m!2
zLb)BQ()x#k@*7#=O9ABD9hn&W=Vk%!Oi>Xa8KyMD)N3dIFXx6_uHv^$85J+n@9D3<
zpCBs-n%+b~egby%Uq=IE$C`gztauqq`};nBe`2AOzhz;$nW)kJq{UzMy!+c?^A(f*
zKS=P~Pbf<O=lFkz{C`jK|9*BI2-ToZ3<E}Px&b|L;#{%1&sSxb3;wGx?UQFsAL=oF
z|6yx=rn2^%oZe&Ty&)F~08>y<$oV4O2KoJM6h=vk&lB)ZKq9=lx>~vXD50SPAooj(
zgMNxxS5SR}gQ^_@wS9jPM1T+{pll?QD&Ni2ZvE~1|Ky(2qyhT6_Rt3F7ecJ80$8JT
zKT@~-g%tlF1tifI9hxHkdYb>-z?YH=ApHs4w`FX<xawCVy~!O5j+I{&OaNO2lte}{
z+*E$0aB6?6FR|cQ{o8QKWsUr%sElN}sbv1H-hNYtU5fzQ!k!A>_$$?D1cv^(xTY`z
z<rlhf!vgR;(xiiye_@o0Y5;3Wi;5GW|E){?@6I+XfI8BTf?msC5L`(euvT&c=+pj%
z8fQxdsK&3;n=HQ|cu5&x?f;a=NUyS(@*BVLHAAs!(-IqL%5B*2t6Jsj4eV2HB;t&_
z;goy>?O7k=#o9j_c>ROE?*V-JR`7PRX+EQyFJv_axZa9g$jClb8ui)JwW~er#MF(w
zF1MOiH)F}b%8Gi+KR>r!Y>S-44GOg8nh`4XXkfv)^$i4Uo~_aREHo{bPy<2z{vYnN
zIfSx!zcH|QzVKwbDz_O;l7C?-@yjrH1eZAfDx_DBdGK}u6KrOu4n{*Brkn^Mv{A7Q
zpvq+<4|-Q%_@$>zH##N*#(x;!dtvd%P7a@LfDn!yfzyE+ChoHb#to5M*1QpHnii-r
z=^uU%+gIPyTArRn=QY0l!h&3ts0=$xBc6SO=51cO=**Z%z<6^6-iT&6)rpjd3l7Kk
zM*;f5PLi$$e($gd2mqgYi*EE9adH76&G!2P#dQj*c@2trNLqi+nlv74?X(akNd1ts
z-mLfIcLtN&1%s}st-AGh{(1X-U%t?p7k$ht!<@>|v)>zK3Ll>m6Q@v0IHCckYM0kq
z`SISy2pAw{jOjFq3BU<zUAs;OrFBY^lB@`{395Y7^cyZ_EH!0d35|%<?EjJ9tXP;G
zTux|JeFDV1Z%|1iBy#5|n_`Pq6?P~sp-G9(bjmMqT}O%=nTR&cD;aZ8Co$KuF}igg
z*fMA*c0A30x^8kjz%r(fhl!p2ZbYJ*<e5wt_x8-mubX50NwVI$7n!`V{BhoEY3vGs
z++a~6sTM695X!yXwTBKSSzP^p0vQR4uFl?st2$R`nt3^^=H#se+g<h`fFx$v_s1##
z_IV*INW$w&5;_r9kBIH@N2dJYE7-$sKkxDQN=e;sLiBV~d-V&^OcMv_JEmb9?q6sv
zWx!;QI7-hab=O~r<_}_kF8prT^bdFLcQ=WW<~Lo)^IFFBi>rPGlz?}n7`0>pH~=^x
z=F`;a{JqI?%v&RxzbOY_dsM*h(u$h^<#st8VA@s?+8|IC2^y;;m>&WVD}~mS_50s-
zF{McRln_MqqSb-PzOF@Sl3yf&t;iS}?sR>zf7umu{g1+z%VLDw`C3TC%38^YoM4pK
zwT?>vc1q-m57?fsw@{Z4LAwTFUt$E^+({4&IF0HoN1m|<oYs5;s+Za;#9ewFf8qRV
zK4LSr%#2vsw`S+tzNF6beyZ!nUcI|K?}7lOtbtvd_d~C*92v)Sfj(Hp#l>pv+aDV;
zseOKAiMC_vn=CiM9|?i$hQm%!NPqR>Anm9{Z?8D=)m$b`n`Za}JwSdT3yHn>z!{5x
z6GxYk*I!=OFq`TpU#rj5r>%nJy{ma^q&PrW>!iE#aFOhtvoPilyi53-%UQ*w2&fsa
zfND)13fKrX?iIy&qU)9~L!>H3#xDd*;vyNCZ#GmU5xBn7o=7(ggEyX>i>qsc774@T
zxv09an4&?Ja7IG69qjPNVH;e)H5FNwv_?t@G#uV!j6$FoiWkKNA8UwgmVZl?S0i7B
zU4z|C&f!uf_<`9afB1Y>Izskd>bREU)|grT;;q74-qK-2kzQ$?9%ezg?hms5)__U(
zRtG`<OvFG42_~c7XvNwx;=a|de>zerVJBmMLc8NW;rN&k!2X9-k$|-DzQj1ut_Rcq
zDSw0r3hxf2@^zo6;XM7|v4>bF2qIzOU5ajn!qg^EbE2+!$4wPirSqNV2p%uY>?aUO
z<0T3hWfg$sQ66@xOpvpDM7v0}?V*Xg<Xi5;6~R~xFL}TNK?Ueo$0(~1aZx{@APtRI
z_k5uUSaYGg_=Je-m-PWD?M?tHu}SaVF!xo7MjV!umwinaCa)<?Ca-X}ho&3CzZ);f
z*~Ir#5(d5Xs+ZwDXH2T<heA-r8*q@E9KkvRiw0mrBMp))JGW94lp+Q&P<+A}+0hA#
z-SOdJ0D!(Sp1N~Jct7z<Gw<bY>#9^w!p7ty@GCdox~p01?Ti!30u(fiNY#uiO#?8N
z9SsW<qd1?4A8!mpH@&!IxIoB*p|M&WV2D9v!p-2?Dd)wQGw08P8t`N<Y0a5X*qD^2
z=#*IKpiH+j^%Z!m8haT1q<g8n2aIsxeUX+)HfU)5c>Aq7jc7B+t_h3SYor72x`&@u
z)%Y~J4WrecvVpb^xjU!e$fo^(*;!|M{dYaLv=P{YD5(ekL?Kjz&fF@P48}CM-r38k
zB0nZdoxHt(l(`<UQxAy^!s-6t^O?Y_@{mLY%qP~5EDOY6S7|;9%U96tVOw?D$&mW?
zgAP4=GrQj#V%oW^cc5`iSgkS!5^lQJguYkJp^SzXZEj2}xhMA%Ho11eM2(sqle`Iq
z4+AkaKfhf&*>g*NrBn6`&Rtw*_hTY9g*om^UYYM+Y-8)u2m>9bVg(S+MO3(N=l)fd
zkX7^d;;GkVI7OiVY->u|&S~vn?B))7&;UYW>O2?E5dX)mSY+}?+7{x{AqjvDN^0>z
z<%q#!)mep`??bnpF%lZ=gDhVXA1-#;J2q1Dlmo`I;!a_1hn;{m|E57{Lg1~}h$}m<
z5nnX$!3ru`sT3thG|*WjsmbOPv+K0VV0h`&<x4l}3QHTrnHg638{>AEt)PCbp~2)a
zFaA1ez;nfUz_DhZS$a^Jo&D=o4%~zBtS=%z6bgMvDN+<fkOSZRg4~2@Ojx23mh+ac
zYbyO0J!jZR#*L=s0QmZz`qRNU8M9qocXC-tbG3I`^wn&Z5(qax!eMb!#LsHJ%FnfV
zYT$KdYsgUuR*_4a8P+y-wT!mYSTHeW_69f6v`y{WIORqW+Q6JlXqG+CqfXtYaQI3M
ztf8eJGhb?ud>LjhMx<BeX(qACCP&$rXT!|42MWeDFJGoshY~*|N&es$lS0PDUcop;
z%H08`fkNs~^JjsYy;zRS1*|J~bO(5)r*8T3(C90nh0}7PRxAZKdMyUEd9-r89?Z6*
z;2y6-H?%p7B{yP*-4~dh=MG`c(mR@bt&6;Gd#A*r7?u3p!&DaQ%BSnNM1TzCEBzTq
za-i3{HMrh)r+dcVN`=*PO5QhcpV?O+>lGl~(ZPr*@Y8H7&V={nim~;Q__YJQljo9{
zvHa1F`s4b$%8i!|7d9D-Ubko5=Ezvzh`Uw)$PoFB#|z3#Cp9qVUPn+p6OWJbTi21k
zNL;nzq~}i6^prEQp+P?qg2BXyqYe5lOG8&k@?1N^M*3mZsgD17rW@SsGRejQg1O%K
zxZh7?e<#HZ(c|vZy1H0a+Ws2RLdnG)7`o=b3no?3AW>cZ>kPR1IIB_d*c-h5HQo6h
z3SWYD2H2!d7Nn&5(lCQj)Gq)Z8=tC^?<ileCu`Yu_w{}#Ny$h^yJS+cs6;7&Kd!{C
zKwTDE3CLHk7NZ(Up6|+5>cN3XfQXP`_h`;#GY}X3Vg!L+WUg<N)zL>+pO)0K1DYic
zl=G?HxAQ&~*>#L=QasGxqm9EGtD$g_zD^Sc_G}7q)Csq5>X!2(mH)sULgV)3H_d1Y
z)`d9_oB^$6IM({$fx*tQ!5aTX^w~l<T&yV!GR5g?JL|}opSOlt8X4gy^SIiCaLIR%
zbZjac14g%7pQ7W)#=qo)g~apH5+I%-4bpqffeT5*Em8pT`8~IYQm&pcbr!a{d?WXR
zKRh4oju`?(g|;sV$}hVTlJp-s*5#P0X^q1V@O85dw~FcJ2*&9?Xq!C{X@ifR&R22{
z)K&UVsJ{93w<_3LPN+25%ZcV08*P^Y#<*zKC>1n@5b=T>$6fy{@FdFg5kJH{0Q7e;
zmt)NcG!EEaIIGcH{-A7o8in_8b9aV{XRkUHVrd{<ww+f#oop7t_fqRb$)sHi*mE>s
zsPckku~-T(wr|YV9vr1_am1D}HteMn>R^wvp3=#D#p>Wb>Wepb&++nsq4R9TjN{b}
zVc&ixik+9wmj&1T-K_C}p%rnyhy=7>k;<GrfkbBwM^5PWolo-)7%A%V`&YnKpSSN<
z8DCjKTEB2&GDpzJr?&MjUrZk`&^O=(my)f+9p7bEzr-A>S%eCAKD*`g55+vZ9<ol}
ztWg9Pql98!f&HxB&D>0)kj1~;Bb&4na>h=-$DQM5f%j!j&GI}aC7I%Fdr-7^v?JhX
zzXRIB93*t_r8HDG=c`|>-`OSj+K;$%W)}Ekf;+5=9H~L36L0jq74DOCQnpn)Ir^*r
z$Ejj64c$d7FMisx$IfcC+Z~6Q<`*K+W9Vv&D{?5*(*(W|$)cZZz{RQelI-UA=Uu4O
z9oMwUE%3cQAqLT{MxRu;-e40Y+QGS9+-wSkvH_a+W77dY((QQ3-EFE2;rIL$D{Vx-
zGEjiOrw>{u?y!^UKWJRp1#bEs2;27ua$w=poG|O-b{dK*7K0Z@+snA!OB<;=RpV^&
zU=VBFY)0uBD!Zw8@`DcI3-D{*8N;=|KSPy1>=v=w)#?_A*y$2#B%dix&F+UXR~exh
zi9TkUFIDCfKpt&h=qwlm`<JQivrZ#$e&))*yf-@IUC67bV|8U7#;pkgLj?rDXNw{6
z^YO{ab@_ccr)8<~E;Uz&Ichmt8l_CE4{O&05k?kHxxo~}&%4h!TyM5!{D|+%M;d+A
z#@i#cXL<j&PRwM#w_;!Ia174gzzPBkNsqB(kI6b>k)YPfjzBeE(4)s7pvvh1X@zz6
zxWQT`uDb2-ENBhi|GM3(C$-P#(OeIz`(6dQt|3*WAx&=>uh$F;8yFPSbMm!6xO?@Z
zg~P_4vv>DaJTL}h-k>#NWp$v?#ukBgbZUw(E2_0feqP>>XIGd32b_>;;^>RR6e)Jq
zWA`9kn&Ref3M&I{$x`1thF>RH)wRETHyu9gV<)p1<Xj#h$StkIWTaFy?HMxEvQ-!-
zlji0?zgR86t1gt&1|j2l<Oaiu<Jf+@7UlEuxT6*R&Uxu7!C;)mgZP!ic?!4FUF#F=
zn+^BeS7kk^LJq9+)iCEj0$&<czHv&E7z{A&Gc(gX5Y4xH0zc9<pP2b{h=grSr*)!*
zS`*|3>Nj;iQnb_gn3-?ZxqX&BH(%fUo8%TXYIK=U>AE5x&wFm8FvPIgK1fQd^hKbD
zJeW9sM)UG~bWC=a?p+A73K)rr=r{(-qkDi~_If+a$_kOx;pDF|lfKH9x472{j;m}B
zYYV>=OO$wbfAjZ6f-psJb~)^PusLzDc)3J_N=b_t;vw6*d6t=(D|S77T6JJR{o$#q
zgCJJkoNiuapY5S{)%DDF7+bx>64EPb-e}J2ij@EKA?@`B=>VPBI`dh)6V=ndE{cb5
zH~p(*m+*4<d%eD|F-(d{H{v5uXgGY3u+9b=a(q@vn*b%#d|rH`zM>N#zjRT|cghsQ
z;w94FZt3z<{1visJTTpe_WSBU5nSV9Og=DhNN^~W@Hcf&)XlEB8E6{0?4zU|l*D00
zr_<E0k34k-)W(r#5z{S$_!38fMH-}(X&bTE$GhXr;$Ysp3~|Hc>+T=14FfZg{iP)&
zx>(=mg(dBkF-VT2R$pF8u=I6Pxv#+ABQoc+=j*avuC6G=CdPUTsT#L(6F3R-MeDk1
zT1NtvpazQ6J!WjOanv#Fh@tL;B#nC;7-17~nv&qe`RtUcSUiS^4J=2mC9;y79O18n
zG^a#V(Zt^K-YMnEBlWMYMSbe18F^53*K8xPWp&gJVC69KtMyS2!$bu@%B>m1H->a0
z@)NT>dc&|xIj1gkp$tzcX_L?laSc(Gdyx^#wW%B(VG*??B3D_{M93&Q3GB3Puk&;!
zQBYc=7wGIdeL^^N>u1E|c{z38pU@I3)rhj`vlMEg00`z~ZDRgbm)fQ9KT?fZvyd)^
z!Bvtqy0;u*T$Re=t1O(9iJf5xKQv0(3oeu-%9|LmU>}cqDb&q$3yND&*jx3AX#0D@
ze$4136@7V3&}8W$=rt_Kb4r!3;haTRO)AN&{HAwOmBgmE{({Am;T7oQ;j;6vNCG*Q
z09;!$+Yyy+2<&5vmb<)>S#?trqPA>+?xy1g2QHHe>&?uis&n2%;?GuK?RTPF`yfh2
zNL@iR!f00q5vs_l*FQZ$=q!r5ve|8uXAwJZXMFm&rV>xbEDt<sWW#%Y=59@8=ghCG
z9*k#P;x*iR^;BXus>1fdk)sgE3vni`zSatJUdP~T43$zO5J0JBHyS=|n}RG23t#o+
zx<ZQUeo=s0t3^X+y#%e<QYv;8fC*0F=X=dA68T0sXB0yp0Ig<nNPJc0Hl;jKU{)L<
zS%hJ2W}I5=s`gqLx8b9a=P|q{{DtV2nvxtb+<S}*4Czb6!`A)y11$-fHivWHy3s?}
z-CJ`;JMj~M?CQ<TaOY(bNtd;VC((CJyPa)*UxpnP?;R@N?oI(_ST%27-{IY54EraR
zeL-YT6)i#2WAE(bQa&(_;~S5}qxxwXi!0DHx9f)tUiS}nOf^OilbJ(BP8&~5vI45R
zgkf&D^Wv8auL6)Y67`~RuhPrkBMX!A1ynV=q`~|oBqcXWn5W>ULf@Dq>B&W&YM5I2
zo~sus*Xv)0Bqe)yD__Im)3<GY9w1GUOa@1JYew=yxAT5B+aoUaB@_;54|`%S(LVMp
z@-3u(bdAFcr|6A~p|1T<)RghW&M<uG<`|=|@}s8x`5OL@#1b<ka@jka@MFRO;<B`k
zY*T(&5)uJfdSLcdhm4WA1ZHX5kS!5@w$p*sDw$Lgh{!uJY{#WBMHMAo!wiQjP!6jQ
zz7R0E(Gl3NR~Xm2gxmn*i(z<^Ti}Xn{^Rb$Rd&30Va0Q2Mhr75hB5c<wsmxe*(a9v
zSK7CheY2B?E$FoCGlMHcdFaYg#gQGLXH-{dl6@t-CDq-+%~DfE{V<$Bq>3ig&DWMM
z_s_EWtE}F$78ULBv058$Ji>O8RfEV2NdDF-M1n2mPx*>?85o40%qm>r8qU+&=25{s
za6ijut^|Gy(p!7ij(7`6zfU0{8`vhnP;^qw;@$IZ74mZN^g3$a-@<{G%PNNy+Y26z
z)CN;#6Av7M4TkQ=GZog*>(gT}uvkYwECS(#A#uyesND&XCtD=uekp%Y%(yUu*SLx9
z<TewZpz)>A;5P2_3BWJYk}m;M_(J4YUlpL3VdzhSW#mG}TNaao3Wy_G?+hyuN@&P6
zp1CSxF=wz0f<S|m<$of6e=Ja<EE7%DR;#uOo55x<Iles-_JeI+<Rqz{gJ!0xfXe^&
z_+Y0`+wpFXW!32hZG0o)quT}U3bz%w_C?s)^u45qaIrT$V`*I;!3izi;3CT~IWKac
z-TEycK|Q|;RFu!VpiL|qyqUP(!MS>D!Qj*<E}wQ#H5GdI<?0Ln+A!yiVm2aFOTcJ2
z2UTNUPTQFLvIvD8DL>A6{7AjD1v4v$BKZJ`=w^Pt>4S+hurd6~ecJYEU&9TyQWLey
zLyqkMZW$xa>VwH}=Gv^gbv;GFy_c$e;a+{Ze8zORT05ugbNpCk15d<KkM4LD(fk-G
ze_;p+62gKe&rJy>_W=XXABAcY3Sdemr*%<IzRgI-huyPhVi*H_w{*&F4enXM$f?E=
z3m8N)sVO@__}ROzri@tjR*Y;ASrLJgZbj7AUFHzC$|6P%b5yFbYyz7-6@056q2W-=
zu^iEt4aNFOD}%RhbY~tY-;AP$F1`*|B_L2SvQ&!RcNo-zB%CY+^vqcFX(LA|6iX_o
z?ez6I>j<2`F)!w`zrjCt3Hsqr(V9aHlQS#f8(l)*9C$x@!9g9(Ah9ev2V--A+sb=A
zmv6J43U)ms9oMdv=(EpDVRh<u^|{+50DJB~#$6sSjSt1hf;(Pu{|=7`LX?xOz<Y1O
z_<F|yHKFB7$@4^oqK-mKak2=7)FM1o6%41AN!1OU&|QF<4uzn@folC;t(|c|WP2-a
z%lK+R`nI4AYp#yTSn9U5WSX0Wu<j?(j)E3-RNk){esy2eQiceoU{N15Q`uyvKypLS
z-SkCB_O$8<3HCNbyf`J6<uf*`3?_9iH|53n6^@IiH24|z9LV*XaZl7TwEpeA;Cp2D
zgT+q;Y8hokgn19>?6~03wCe%<Asq^4N$5I1!(I}>>@p<<fmyEMBTzRa+zt!sHT6W`
zPJGk%;K-rjC8F*e#BlMlsVC>fV*lu9<wyn)#29R25%rD{M%!U(u4S9mXtkH^Hrrrb
z0zt2E(mv3m%S<}e?Rs5>%ZEd8m*W<3wJHWpKS^WQ*qqwVGOaLK)qOJ{)biZ&BVHU@
zY$o*42AaOk^=FJyg%*7U1#~UOZx>JD3b0(+bS<OEeY9WeXKd8NuAfEpejd?0SQ$VO
za)Qm>C=n9Tx~?gx6F#FteKw6MhJa%;H<W$3xRV(3I!Dv`TtozY6)H!-tC<9U8h-sO
zx_x^79v}!zjD*x1ovG_*<X&QP%ue))RGk-IJm^X$r2YJ%P4qwIC$<jYqh7zz@zIOt
zmq+@8H1ZdtPfp&gAMUbb(4R-HgO%zzKL)=6h5=byx8Y@KRSI6Y7Iqs@^`C)tW=|wE
z66*7Xd-&|k@CYfii>KJ3%yls0!4ydMK{>BRR6%<0l)d5n2<At39yUY=@zbkA)9=5Y
z$Z;DX7rGS_d0(upzV<V}xNNSaH<^26G}mTk^m@c)K&lYFI^cOG$bX|pNKM=)FkN9w
zzMWlo`S~T;FK2_!o~RT9QJI%z#T#bqtU371q)RtyC4$kO`Y93*&b*&;aWD|>yaP6D
zTWN>-dla)ZZTuH|28}&Cy(E4yY-Uib%%)Gg>bL@hJPbpNZD6Z1?H{;*w4fgEdHPir
z$n-#YzqcZ9-3$I0S>K4nh^$7FS*eV8DX@fo_-vA6^j#?6%TaL37Uyk@a3Hw;R27iR
z@iktQ`J_<9wJKiynP;xDuE8TZpb)eIrqm#^6j|Q1$-U8H`%1r^=e1NwXf!+fu>J)K
z`~@Ea6Y)-t0S*9zt0WgRD~72hg-ry`?n+#Bzvx06)sNe(ZAi0N;dw_`aeVrqMRm;0
zm~i6f*!mIolV6%0mPJ08%T}s#lc#|0SO%9+X#LXVcqq=n3Il9&0;SPR#Dtf6P&ZDl
zgIv;w4?HX4Li|dBUjQ%llB3yQY9fWp^dwTJXdr0vu;JPxb_i4i=2mCyl_&;vt_zkb
z&vElr&^jFe#jxhA_GWeUb0%UYLy+~T2cA_(m?39YEE$!oE?x0I&i6D!9^b2TD1U`-
zRdUs>#?<Y9)L-d3LudH7KsgQ9`R2|MOH}7aK9rD6ZqHM*h5G1l5UL2yM>i-t@gpV$
zr%P5+Wy9+`^~F+*xZMf72DpU0ID5wpxcL#wO_T2J04qK|7v{tS2hKHW#lXJi^yU1W
zLphn3F;yU(L$+k4)x$DiD5{Gmw2I}LuiE#RgADQ4YVwJK*Rd``eh(=&KN?3K^SCa}
zFH-0^`5!Yh0^!95>;+zS=qQq(9UI!%0>(;+6-7p!Skt)SeF>;8vXQ~xECr?YXxKaA
zRQ5&4`Y#Z77jS?LO)&ldhVj85LQ0%`>#EbO-o6Z~pRnNCOppHjtbfD%t|jCgz2CG%
zVtVA5Ogs%s=Y6G4-Fj<onOB#+OiwYOalI)hw=dMhDQu?sEKH_<6_okq&>um6+yA|A
zmf4pbQ~W++elF+^GhDxM-KYL~t#9gl&!CIQ`pZS1Y4S@8{3xzF_UQS8G?uZ!!3tLT
z*Fd+_s{1*_MId3A_po(dPuYxKZhGRI!3Wh$ktQY6346AU>Oex%J*B)38{UR^Wq!OB
zZAM94L9I5!AeTUczV=4_@vwKmP?PiC6%q`Pyn~YrYc$i|GUbSbxXcuYZAJU)>-=W1
zID~Dk?&<@^LxBfj=Ru6A%5}q$O}O{A+5+7~_=C4DQ}^WoPD@R`B$u<3R~}t+3Fq15
z#<ljii`iaQ^KZA99CL-8<vr!^8D!s}qZH-UD9}IRqQIx;y`mvYJk_~1I(`ltS*=)A
z1q+{<{BY}9d9S#e%T9dH4h>}cZgPeVdw>bi3j2M-&Jg%0qD|5-*wxiFI4UYgo$+Ie
zLG>ux0@K?y3G|g@6s6i>;wF<wDMri{v1M#tZ0wapeBuyNPAFuNuKwd~>t!sH4ZkRw
zOv0fnjf(ffFx&J=o5Jwt=qd?I<J6L7L%0h;Lld92$9e)P)!Fpu_2s1&{3EV6exP7j
zmRup@uM`w2`_V{qZ{OuQkIf2Fiazoxsi@>ONhv2KO-q&t_!t%hK%g5QL@Gj$sm#of
zvu{j<E&bqS`=I}3JZxn{NY*JeFj1mG4ZdRc_??YvBrs%xHo%+jgCX&R*Qx6M++lcd
zD0IB+7p|oa+InkC(lE22qfB8&?Hqx8ks#5EQe-pxqE6|n-9!Swo_rybI+}M=_R-=2
zkXk2>tcW8vI9faMTrHo+Mk(PoWO;M(uu&bF?>I893<f^x1)3GDMUIr)+g*dlR`v_e
zS84k83%mQ>)cyAN@7(f(&Jv&d@xgY(V>f&Ms839$0jpD~ZWUrx_6v`yu<o1Q;c6;B
z*DTIn=-`Yg5bfB|;aDh~D7P~)4j+$j;7OVc)=K&awg)i|)8m}m&Rmun;k6s?;+{Q}
z;2bR&yV4!vG)6bRaC!h*G}z1!H5{OmCTdP((05lLj3L=}nNyx@B-__+&srPf>YbII
zXXFUWPuIZbDz5L2<(~0e+CVzjYaJ*OU)E`w_{_?1Y#u;ZxsT3EOG=^>5=bgBa(5hK
z8k=6_@hY^>OzJhNO{WWRhKGk6aUbkw3_q3vUJ>7G178mS;5ThIHtoVGeZ<Z11VN;9
z);j{R?xCoC#y-sXLUQ!2S`k>-$~7B%I-hAz#|@n4QB7frW&hmM-zjf!_YQzccm<~1
z?xT_Y!oK)z37m2$+qky4)kK!-YP1+S2}R<Q3JRQDH==cykY(vz^{5gv#&<w8W~p42
zbC&Z%k%pOX%BX>^UdL0{S$@$JzP=Mw%IvPvwMEf4EObgiDSl{f$#(ZLMcL7L-j69E
zAEhXs8lirsPL@S!;>`@rwK^+_&;abQ<aO<q*|KOj+@6S4b#D01{eHHg>{0f1f`AFq
z$Z!_a{_aluI85eA#W&oJy^$jcb4p1T>lnL2d6ikrY4}amUiTWI-fCSXsF|!AG0bDO
z@nPrT7AHCC50Hz7k5AhdzgtKiwOZ^inkdNZHu8h_)5h#vHsjsvnn#Zt+NIK@=fhgD
zA!YvF{+7%VS$j6tKF8*njVM7!NzPbn4cxx3>u{gzy|1=fB?e+kWy=xjktJ7s4C;$y
zwY3o=9K`G7Q^D0atJ^-s>Z*7{U6`Ds&5%{OH^vR+tlZNc#Q}Qsb0f2@W*M|tAP}Em
z2h3Tezh%l4Y{eRAmU$fzfngc+lxvK%yNPZmiW!eLlVDOl+x`|@lV|yTTEh=s;kCIO
z;)ok*k$YECYR~>qanDx2NCJT?3gcFEjlJo1&W^QGc_(D{y5=>*-CVbLQtoXReCIx)
z=sf>==Kidz``&)6)D`eQ@RSJ*@Rfc88NEv<2IR6p<3dm(flU+N@~3)*_UMUN_IjpW
zq_u~GVDS4_DiY~AoR`4DZk$N7Z^W+RC%K9WIpOc;VE)KBPqvS4hKBQF##v@iMHKwX
zN>h3@Ig<16=rg%g0@7A59k!ee`Nn3smQr56Vz`r7f?I@gT4_PNjVD6#-yrrgS)hrY
z9t>uJk)o@q5IAdU815rvtIhn8n@}K>gV~F}BBZU*LCH{jd?*ahmzADKnCN^I*)5_a
zbI#!-0^Or~LF#;LmN!x~MIV1<E%*e-5i4!jH159s?wgtaYUZ|S{Ep;GY`NX=Uvxtj
z7)-z|_or!I7l@yq=1^B8Sjy|6AGk~u2>TIu<5Ea!Co<G3#bxA+rD~fi3PkwYH6Ql)
zlcaz+ET#@!4pXM}D`J%#!g!4{+2L8ao){CYl0u{F!xU>Ip3>=|bypZrgh}#kB;~u@
ziEZr8uP3%wNrWGsrE6^#qazh&s*yLdvx~--0>7#nZ>{j#YT&)O_Ja*AHK0a$c7jKZ
zHG^8W-w?mOYGeLr-O+lnA3#Shq1<FqldrPJAzi<Rrd)|#S{+#%buD+1^hKq??^IoE
zWr`tT4ui*5n9f<&F0?Ige|2o>Y5nhUH<F=}%X|-3+LswP@nmN@Ks_)&%NJu%o_ee$
z@owhvtkUPHZh56p@-f_})5WAFkS*eLa67Idxvt0r^f`1Jph@>t+>Y8jcJlgo51zR^
zXV%)xgCWtMc30M20h!?`dy_aGLu=8qf?zck@a@lk!sE6>B1OOo2jiUEqW-RMwNJ-8
zu)g*L#Q+r&9KW&qRL;3chf-jDV${`-@QSu5Oxs857&kJ?QEa^>B&9(2vVFp^aI=5j
z^g0eU2^P?u<D9iZA{>`&qHwQp$phv=nH85)RnAVjxU_se9X9O$R|H!Y7~})BUG|Y@
z5yMl-NYw~S^PX<y)&NGK{?!GLLhxX~DF(aCT^wGu!#Bh4V%Y+5pwcDz(K#)Zfwd2I
zF->4w98Mwv!JjlqdUy6ljrquc(m$k27Nms=m}HHi5-y&v<x3b36-{c=AHNhsMiYAb
z8neRA;j@KFR#BD$8<5F#ZNFu^>^}2W8*k$dBmb0KMRhgbv&|A~prDy1YPr*sd5q_*
zkkk!8$9CE3{U$a_j+{iOUdr=oRV0+%NYa-72OQ-uaOJFg$j{s+gx!$J)Q)4p{7ok_
zafYGfM7S^OXbUy$U<mCmKspaM5P<nEY3$8lRjNv+ijHeGZ-(JAXTIyK`Fd;fVe-`c
zsJaly;ZGk<k-mC&irvV<{@i<!S&s{GRBzp|k@OX91}>=xSwj!y+#Bmj=-sOFbOxWg
zrqWYl7AH0+C?N;T(7pq%NN0hc7L6EKL>k=6rR(VBT~ouqm75`n=L@zdEm$jQO$M1&
z;~=xkFA9CyX{v`uDOx65`!|5Fjuj{qRN7el<4%LU>@w%<1?PM6x57Q|Fl+C37~w}@
za+?vYg*TO(<9VFMAt$83o9Q&!gGH1=*du>+*^WqVcRLSMwx8ns{Su-b$l73u)Nk<4
zo)-||D#b<AG4RYZ<PMv1tne7LGv)5ov^)$znG@bP_G@a;ihR^OE_bv-!=Llqpwf0u
zS0bBbPrGW*ow|0Dw8J?Iq`OAL62%KbG+`3i3=8lZ?R6)G$UwX)L!o!ZP+{SrL_%pa
zf0QyxInXDk{wVLh<oyNYDMdR={CsP6rcDsyZjDYaM*|xLFd4Rz9bsM?C+gI_MnCB^
zM*#RIZ*gs6h(e>PClbfznq=Yj)1dCGap_M5z9TCe<a^~giKj@Vmt=*2Fyjn}RB!Y-
zG^K1^1w_VaR>|>%az>hB`GUL8UB=GY5;Y<%&gb70Wt|LO7UCE_vwYyJO@j;#@1{Y^
zj7*zBE*qy1MDzA`v0z~<!6~Y+>*^Gg)nYdy^h)?{D?u!mOJ6R+?PR4LMAKimiN~rP
zK1qk#s}B|9Y3cH`jVEUnSAN&87MbI`@`u;-M<(b$m@@-{$-JzPP&+9c*Pb=lI1sFr
zW<k)I`OU<bSGO#KL3pwC^xaeoq+<3jm6Uy}vh5*Pl7(LezAM^f^Vi54lBPz5I!SmU
zK{y!$n&7m9(_5Vk&I%Q(ZfAg8HusS7z=v@?T0D?o*_&-78pOXO(KeX~d7~2_=e0FK
zzPr8(8X6{S3}z<k+1Vjiuz#f-u-5Ty-J|Q*Wwam6P+*m?pRygbw+7JmM;{GZIth{E
z$wHeI${kgn9UF2*As-g9oT7)l=__zsc=<bK4aDz?a&igmA*G~Vhrc|7OjoMDWOTkR
zE5xB*Qpzxn6MN$;znC2Ul;=Zlu2~53*Yhr%cQ@Rh44YLNH{`UGLh8*pBD~zVu6y57
zoWi;W&)b4By<UK_83Vq`I^kl+dgd4dDU8D1b43;n(LW4NrnH@C#VapnHEPHuS7Xet
z+!J$%1m&uQb|=OwZ@p;Z#c?|@A`gYrl&Wrrj;H?QpKCo;9vY@f<RB+C{%%t8QppXC
zo_8l3-5)N%GuU`FdhRRyhO4n-P5s~Yp2#R4dB%-dV(iE(yJTRHC|M$xxm?7ek%@2Y
z)F(xEyE22KS;PEDVNnI}EF*O7l}RawoZ3U9<1r<bh?R1}n(a)tGZbqjf!D~pC|P2D
zEF8nM^4>meVatbnP6ab0F|W5*O>1g`1r7E?a_M#27=ZCF*6$3gW}Jnqk=%gu5|S)2
z+^_e!L$4`hX+xs#IG^X?R*S9DC`Qgd;+UhQTMMQ;uxlO6vLkK+C9=#=IsNIFw}AS!
z5_e$}l0dGd1tD3bO}AjKM`|7?eu6yK@q|hrOdkn_D?ixJG6lTykSot{k5G(JIHg5N
zX_>fT5?dY&N=?jX+h%l4Z^Rc%BGt@~4x%FZ+<bnvwqP&2x7^xBv?7ad8A%R`6b<3r
zm$}uhnu4T|baH{Z^V)KvBL8NH2&^hM*Pp>%t8=L<sikE6(z!MNCi(PtmIs2a;{sw{
zSw!B5B5+<0(zWh{+Fb;^MrF?doyH7YmX=02i;xV)T-Oa3{QbjC^NEBdscO2%!;k!3
zn9md@IgFprJU6x1Zxq(J9^IDo*FT4g0vtOJl8>Kuf|{p;Hq(tXs~DN_cAX&B?Vh0<
zF`|grU8=-lj(MuHn-2PL4+sQtmG4%4r^{IlkX%guR6b^4GuM@(#uwo@EZ9Vu9=NGG
z-Y78pS_nyo-PgI{iH`<3JjOKvLD}0y)nXk_8ft$2yPtH*6J6`!t(4>ZNS8Jr#4o!`
zJOY4`*~Iv`yGzR|O}>jCKUEKt<LSUL8#TIJmq%oBnjr8@GJ=|AOiC;C_URrmKWdgQ
zIU0858EN4(`27whUMln%iDex+E=mRh`E<9?DX*;q)HqFnz64Wx7c%w5ou)EBFW!IH
zB9NIL(l|_*6cEP3d*H2psa)`dGk2TZ=_0!NeY_AHWRZH2!&Lx~YmS^OwpF7hG;wLf
zBk1}Ebr_c>Qj?sDbom;XS%=dSK!WE$vnyX8>Gx`J)+%(-zP|sA+-J!KKOG&_??xt(
zqB^RV%*v84G12p#lvadzd>G-R=+dN*A3}TWG`14VilkvvJ`?v20zjpiFeb7W;5cP&
zafZq0yQ94}ArlFy`#x6=m9yFM1jyi0DTB$Pf7oX15T8WLFACjA{vMDdczm;Y=eWZJ
zO{WaVa!5f%n4}&!j<7#H9Vo%2JwS(h0U+N9G&xyRj~<gYw8p&uTK8KhlgdJ+IdM;_
z-|}c1NI-jFj{z|d0EYOZ`2AnsEvp;=@SmEiAb%G8AC&%2P3$8J0P$Z!5h47d?Tk+o
z&{B|Bt}TBT^dGqQpMU!O9+{BzCR<1%xPS-$2Xp_4N9OZw05ma(YqsW`ApC1LKEOPm
z^d|er!nq)Sv1a*O+eCwt@FL!y?D?0|cmR;7A+qSMAAhm7lmb9wTAqg1@cwHzK+q3D
zKKw|T^jG-5SgT_O^bIU6p%{7p<xYQoya)kYl}CSv|IaV}a#9m>;DNo9=;cGRo6TGB
zko5zHh_wu?fA=K<;J<swCK*{F5cDaq!4YA;KNp%54UPAERE!KZ^4Kd`qW;|)p2e37
zhKcsm<Yv<hkmXy2gn{cVL|6&9*ys{D<$mq>TJ5x|av(iEl_yf~i}hFM^}k+UC10&D
z`3f!qwB(51%rQX-*)6SGJ3Nq=%7KxZjNtN2D-quRc<C=>8K<74=0{4O0ZdV(?ca^+
z1kdfp*JfiQ-g0vNi1aBm$*LLq6G6nNh^a9QZU*qF1|M0sWZ^Va?cz!W&cfd?+;zr4
zNuwmY0_t=#s`HbL{7A#Jwyi6ZSa3EYmc}9#b=Mm{A!cn$6;sARl7Uyh4F-wK^m+0x
z>5w8t3JnX}+}|JMtr<MGyBPb+_K?}kfTG&SR4Wf>&E3zBUvhcSoo7HjP(RBv?LL4#
z=!<opskPYot4t~zrG2hD$d03q51ePMTaV#7b7C{JZ=VsDU!<imxNPE{9Ihg!MK%!!
zK0+vgPK=L_$7f<f%FfP?pxs)Ded=!bFEayVCaWE~sO&N)hj8K4>Gama-SNV)(-ZNt
z?IKR_DSE`<8;c^LhRDmyC^Y(50r+x>A2^4$J-C$8Ko|;InmhQ|uKUH^eW@WwX5vS-
zpWR2+eu9h^E4bh?m@hz^q1%L6IX{7bfQpKW_(Vhk=fF{l_x>)6brwLk1VtJ%C-q0n
z?ffH#E_mjPG}e#h=5~{PM7<Uw2zWltsuO%34s3v7H#Upxae5~BV%eb`XFsU=a&$?e
ze_Dh=;5I@biAM5O9w~WL>49NG)QOH?Y{yjV9C2qSHspB~wPE0!CC3>4a9O8!^In*#
zB3e|NW8ZyXwkCB{I8brddQz~LV&)Q8GdCbK(>%qBf?*IJcG<d$X*xY*jZWVW=$=9Z
zW*>L@<g%ecoRySmP_IUfdV1eYpsr!{h$FB2`$WF~Qq(t*CQE0clrQ87Uul-yaI(*N
zzEm7APwZndqZ3<3re_GMl-&3cCf2v0N}l^@8m$gTGE`a}uOUm1>M7FGTFHy;E@3c9
zskd%)c4`a|4q-iK6;f1M-KZM7R)AlBNQ2I3_d&!VLO@@iphl8%CrCCb!Mu^Mvk38$
zyTxFoD+6+l^J4l4ZXrIF;&q;giv`smQQ&gF1zAa{L@xvg1pL;2SSK=~SU8zw(=ctO
zl}ZNJ2AC1LrpivTV8(&H%JC%wcu*7oRZ#XeY;Ro4+PpM{n~?aMY6WO`H=J|0j3Q0i
zj!z~ElR|~8dW%n%$?u~QW9Xbp=JKuyaGbSyA1o~0<UGe$>Zp#RkB^rJRilc1LcCqb
zxIC5<lGiw)TkS(X&g&CSIa%~5zk7kSUSTJDj*}!aWg|44{@^zZf`@FxjEPJ5#@TT0
z>;6FDa#kWvuacBAWiU|AM7qWM?v6L%@dWV%m+qrVhZQ_+?TxJIR7BX+-E=!8IazE1
zgR9kqr5b)nP>n)ltjh&g@#3KM&}5i~%zkIo^iUGV1rHXf!1rpa{9T!nas2NtyoomO
z5_za#8=AFtyD3Jw<rhGx^BtY!;o1JZx5Sduc0GT(nt%pmfBmuvmfN(cAVf$?FM5e=
z&_G_$q(C}@7$^>M%=1jSt=<qRFdRK%elN|R^9Q!Cd#7~&x9#WcR<Lt}Ims~khxp5f
zjfU?o*XgVmN#o&QNm4>@caBXj!}oG$mxG?HIuWUK99X)q)nHDkBW5xBypAJ$Y{Usd
zv(}FW!w5}{ieKBfxPer;U$|=QDCLao8TIVAydYhE2tr>VoD#S;#s1BBnTP^Q|5*HK
zJQO1~2ci4!CyDz?H)kOmM_45S1wKSJ2j_)TNm!(C49d^etc$i&XwmD=TkfmqM=t68
zhQez#+&!5g9t<5_O2?0oirnZpvcuUx**exq#Pm7@%T<lTNyNh!g~0pz$=z;LE-mTX
zyH^J!u07;{1C)8yn?Ll;;;EIAa%nXi?gAy1ypB5DoS&s=r|AjhKkZ~42he(+dy#|J
zFtvKS71f;OB9wNR^r<QZz5@E7o`{iaJ*cqZlP)jDy-`(ep9)y#N0=+d+Kb&9?WU`-
z@4-@-zE;{KU9lZFnXd`{Re3y1V6-$bd=jS)!|<w5GkpWTDk0%Bfmv-Kq$Q+6mhEbm
z0F1F@Xy#61%Q_NE^4};1u!l?8KGuGu^)_ax7>y+sC5Yn0dK)#RUy9Z~_Pn*2aVCua
zT<Is(wn8g03e~kv<vK$&OiJ3yi<A$BW+rNH!raR;xrq$n)0c;qfF6y}R0xb!;4NEd
zLdkq<K@U^4;MdV%FVlvu`yk%A_S40?mv%Vs5}&q$lX|MY&Vy{_t)$Z}Io+yhCvDD#
zijd^vHbp6ObWuo3_8@_yvKD;dn4d=xfz-46CFd`EhRAXsS$|TEX%fAhf^9e`xE>s|
zjF3ru=C$1ofPQ(Q*#n=)Ya5K=C5(e4DliAeZ97D4BF@S!;FMX9@smY;@wGqWK%-mp
zfWm!uLXqKh#13?V?P1cT5v-StvPu^qA?Oc(h{TyJR)l>bBi(#GPttqdD}OMS1fuQG
zBW1)!J-Gzk%#a))^1er<79SM|u#Ey$9&>r{qj;F_nN8*}#ReBvud<hwUe<QPa+rf0
z<1nCpTS$xS_qO~tP6331Vz~8pL-D(U<qJc+@SGHKlm#YKfeKFJJ_0>$VBl5(f?KDF
z1-xAf@Urjp1HI4zoA0;_twJs%mrr5q8w0M{O$JvV+w7h{6f-LXCat}Gn0T)OS_Oyi
z^Le0G0>sZ>hk4{{LmVRTd=5cc^m^7a`#~l;;Pz3bZN|a&yVmo1_fD}cyEHR%>qh)X
z;_Cr(xP)FT9T;_RqQmRLsj1ayd}G434va>&;HVO}!ZvN$j%T3Q^1U(NmO4P#g&D`I
zWuMPZDXjn2o%J7$Y7**0d%3cB8<lA~B2Qw1`0*f$iZqH}&S%}Lc6i2F4Tb*u{VCnh
zkFhv6a_I``)_Y{Lf;4|LW+9QiCfg>xI~ab8Ains7gsiG8t>v5Z`;`!LH*}j3=_q{W
z36kE3G`9Pa<BJ>DR|eq%#I+_G%_S3lAqP-kYFvPeW?nCUBf?&EvrHps-IGiB@!)HP
zI+<X+8T8f>F~}fIE%^73(*)SNM!V!R<?+-=y5M2(XO^ulLMyx}oDd)_1KnpzOz6KQ
z-~Zu0VyFAen)Me*r#cank*zOreJ4ePEF!P$sXg~5qOs7D5~1ri@Wh~(|4ga&b22B1
zA}T%7?qp57ge6|;V=kydn%D%zH!mA!E$1^s>Q$BC3UR1p_6|Hdr+j>}Mmb~fSPo(i
z1n6sfIr8cCBKw1gdS8UY#x)ZmdHzqKI}vR%bb@|{YSGT}%Pr|LhIwDj_mys?oBnH^
z|7XZ18NpJ>OmdzmFMV2o{81M@q3mYT4@FnsUveK040({YWzj=_lBLLP+USkrjb5B2
zg~_R%tzj+51H}X;3WAv{8H=ylvpB%={Hl5Q62+t=YxweXUOrvh$V({^ZSxXsy)Q17
zVe8zQ-zY&k6-*3Fz#|>XUMXTn=C2;$A1*jH62NbV*PHVrLd2K%52d6mAu$jMTp60g
z`S$=1K-^8|8yMzQM;G+uP6dSY%U{U;76<G*e*M=(HGoge77mC5f`GQnexXH{3IS`U
z*Dba4zuKh;AfD;{V9WeZ766d@R1vUt=eoLR{)?-^69HNu^?jOB{;6&O;lv$a&Z_ux
z+u6ylt{Mc0u6F48w0;#-JR<|*IZqwuyI)<k7ZA_cq2pH+{EJ=XvOEE8;8Q%6obJE4
zYM1_RZQ!sURe#a2J;?(WE`8Jhap6+;p5lOR`86G$qrKvAaP!kYB;t4O^FaWO<S^N?
zb<biw+C)Rd|Nq*%%BZN?c1^=bcMTv8CDJ7zDJ=~{cXu~}q#z+fmw<#)Bi+(9bV}y{
zf=CD`ooC*&zVAEldExi@b>_#cz4oj<Yw!I$&;4B29oOA}5tRcBbP%boDVW4~tyhPp
z!f^4nDyg9F`+X_izepY&q3uGOMvbiA`R+v(HA=peDHo+Zk4ok^!)rhO-vU;TU+@3Q
zM8ZL3Rv!Oe{=i`IX~Ewiden6HP*DZ<90jhCQ&vCMot&bGWMoqd<yx-0wJe)Q&&HWu
zd%)}>*h^YR0(oc(6;nd1x!HTH6>6>{g^lS$TFOk~>F0P`kDq~EBmO69_BSFaXpAC9
z%a@RPDTk)8oUk>3#*L|OmcSX+59B1yNxMJ($dCSd&=DceLcf>XEt3yCh#I^fEsoXJ
z-LeQi^U%+^Cjg)u{hX|qdc?2o_g8rPZp~|MO;mLbF^l~h5eC-S8Zjy^@f8I_Z%cl*
z;|Zf~fZ2ah)kxm^s}O&*QyGCBJwGtMLPw7kRHAdnQ_x9epWv2o0_*3bI(Aku(qNVT
z5?-I=XLU~vM{O5AzEVJGnXD$kSFf04HznHdn?Lf38-MrjHpvI3ZmV!tHX8N!a|Fww
zaF&kmPhgl*P5U}a|Bprbw*x{V2@R11Izbs*+&>qZ;v<eD=W9dZMZ}Px^uEJcifgYB
z+YC?*49jp6Nu)9F9rh?RRSPIaV`fmx|5i}TLjLitjcT{S%2p2)$!fiufE3Bkf^xR%
z%Rfp-R6*Z<0^4o8`=iB`4vAH^DqZrN{+v#v5$)#F9&G*r{SC7A+`d4gkfK`Bo8Tti
zd&@ev2`z4KIS6F1mYOGc8@0@}Q)R=@0hd<T(MCjPSI;*9Aefk^5WIXq!tVQ8oH;K9
z&02{<Jb(hmd}$_SPiE*3N{qnmA+^a0ofR_(4r;w4UZSP62i;ALQyvfiTO}jl{RC8L
z%TXNJS9ZurHpT(O*cyyO49u!AHNL#MU`azK3XOek@aem=*FvmIcxhynB|n2{nV_z_
zz(dGhH2IILu-7J8k+sXcT>47-FXHkG9(2xI6WONbMm3bN`sOE9jQ<*-@cof;{wJY9
zJ%=APgj*W`=DSPo;s99hEz}a)+}w~h4qNy1cy;clWxs`vWkd`gd$v^hLUC3n3M@39
zD*<OP*Zg0+F}x)g_+&|6D}@t*_v@*VTka%05-AP0#2ZuCOS!9Z#b|=D3;)Gry~Wzc
zr^Vi1H;-ty$*sB)>lW3@LK$UwBk+Hr%h?HNI}K0CFYzq(+2g|Iq6)aax}b~#MJT8@
zJSrWRy$6I7Vu5y?|M6r0&Cuvaba0ov+Nob$BcDdzLc#{7OcMbGy(f_Q+4@-cm5!N2
ztG$chA+utgr#$%9abkp(^AkabwgDH1z$IZn!O<6iC~dy3c!dM5S#902@Q9=3O;$?R
z&Eu%Xpe<VlM$fKh$V#Xj2QadvK&7XqVL4omlL{Zw9WkJ((ihV(D(#uBM`V}9bs@9y
zv8KEyi&t*oj9<o;hRE<|!W?-`AAa)2j_bg8%|ke2QGt|nuq6!Gtk225AqOe@o3;4Y
zVXb3`^$6emq8A{sn4XJvpd&aLENUFnX)aqrV!qr`gk{lnO*qX><uf9Ty4gHy29t8h
z?;?2Xhd&0pGxBAEtzMwqngMzp(r`PxR9iyXe>S=9D4#D%jpYkICvHN=Te=%t<npi-
z4<9i>YCawTbrQPV#>z#v3j>`6?QK@n0|gWgt#7tA8#kuo(u4Y*rk@<>R2oHG&w;HU
z*-Q%=i<60P-d`NXAzRp)#r||mNmG0i4mCZW?rJGW1;i01k_|a|BSUK~c^%60zH&4y
z{G8=D-b`TnlwiqkL?#hwLlRs`$UUPQ{`MlT<tvlar!FTc1W34Ck1#HzX#+=`NnaTd
z&=F#V^<qIya&i6~MJVog&Cr4Y0(gju*;2i?-`j+p{W6T=78~aSsKj_?AAmb>hreoO
z1Qij1c=yj}l#cy+r@WJI^dW7tOOHI_k)5Ab`-_nAJHn`_-j~z7OlW6T4kZ^Z_LZqa
zbIX?s%YD8bpOebe?ep6*8xtdgN|${Hwx4V!tTWsr`b|}Ou-tQRE=h-&rR06el=IgL
z16siF6tSFo2yyGBDw&pi>NmUt(1z$eBp{*q-*7$@JvCmQ;$>*nWu4CF3V-R-JxJ2s
z3Cok$y>x$qqlPvTCmHc51vWwk#3|CU#Q~^KMtrx1wE9_m6bN<j>zxfCLwA2tq`ASc
zNVyMjx}4osEt14emuuq`S)%?FGi4@mc0TP)^E|RkZ|?5QbajKhMPs1Z3ra#N1LkfE
zKrFzqlyokwAEE|RzF7KnqVsXL-x6LCn!~XER+RVS+kfTA{(Y88#1I_%jZ05+9L1>g
zq%(h9S(HpsUsKOOZ0mxlG3qG9Re-2QpBbeNP9#+SvmW@U+4(MH^=RSDK<#M=WGwab
z`hw<I#~+v)o9c+1dD`eWsU<w*d3%a4<Wasnq25!b-PC!H!BXf%v!;z9pB;($S4NAO
zLk=F8tg_Ue<j$zl_LqUiv-J|+AUi6K9ARX)TYtxr5mxSgFpMlom<;Zz$Ze?Wx~NBd
z*d4Kd{$^7)S*u?yHxn({LZQdw0gvi<aPU|d(}EvEa~DX;tVL0@0Neu2{Hg6O<mvro
zv5hA0t1S*qaUtGJr+NxR&iEGR;I@TKE71&P?&x^PrBja^-3FgJyh`eQaq*X)v36_Q
zZtG}lk4kp~R#r=4QyVL>9N%5urJ$b-OM#nyEb(4+ftQ%;>s}gYGw+q3k*zfyfLwEc
zKR$&pn>yH2wV9}gJN+aAPwZAX&2q4@mxL<Xbd8n;txYqwas_Uy0lqV=kFl4qus<{7
zp0mERgPYwaR&t<RMG>D<!d^Zw;cSjgRxmu=mU6&dx>=w+FtMasCSo+%ii}_AUGB)7
zhbi&r5&w){*?d<0*Hhs3Qq?>{vr2s>jr2O;=BCzyz=H5orTjED!W8s;`+VKdPy)(z
zNPhlHaI#RXFpF@VvDKt}77H5>${U^qrWX|wJPu3xbl`F6IvE=2k;H;HXcAlMyJFWy
zD62YHUr$r;v)jw19SP*7Lb{RcFl3_*(~9hsiw@=U`}!fd+$h>m(hmYo3kg|S0lO1c
znYD>#46NyHjfJJb5tpn_IV7XdbiroY?8Q$K`FBqfcHYYhG7vM?v>0OhQw)2ZTVg?m
z<zv_LQAnU0@~+Y@3(s4t$#hFZlZDH}P2)diLsjy#Jy!L6A@^ZeNa|y?A4WkNA2z_6
zTLRzKQ@`M!czsFBl#m6DmRh%{XE5Tjy%&p1^_o0%qY@OMdjMC%DFAzlZv{h%Q};$O
zYuA|MDm6g@S|DrIKZ@!`h9y>heCFiN4}#51ng52WN%>rin10mXtiq$Fw$wIErh=5O
zHJWwEQ$RNmlE%Hnf&93k|LwQ?*BS*fhk)pEK%F>R{hntBi&pi^JmH>E;S=uPBTE)d
zv{dV>b8#*Vs?``9N@=kk+DlnnMbP6o7U=EhX*0B#Ts$y-*IUY81;&%*KVfz^#88U+
z0YM#mfGq^;z_&x0>|LUg&ILNw!a8CabRJ4s2}V&SfeWTHp}70pGl>Y7Qz3$KIsN%s
zt#c2OB0u6&N6@POzwrO`<pfvFBhXsMhWAif(H4oYMA58+$%wZK?LBAVUuf)HzT*eN
z+t1+kBAY8yd7FeT1}R9Kf<f2ZM=<__N%(rGIlF8AbE<$TblQmf%MNk9aYvCPaYHxY
zP9jJN$PN6FB|?IlxK2m{FREMk=}s@&Kp>9LfPlQYC4S*uDCH7AAt|gN`7mkIPY)go
zWkLx5++2C}EkQ?R+|92gm-(m=N!8SE9mXhPuvIAI{8n$G$;AzkNR`yPy&rOvNQ9&^
zz>^Sd7}9ZQrZ6j3ywP8Vq2Miwrv$qH5h5m}CX0S;{085-B(N(ssk_<@^?@lJmnV^=
zDI${ilxUHgO4T^XtN?|{>&pAK(X8?J7l1x)@>fVh_*Ln<vc)wNFpa@eduRl0iNS-8
z4Ezu#Ol7c4q7bi&+>h-;sc5H#l#taKCsErE^WT^sb63?Mh_u86PRyg7#?M$~gAqq>
zrqLwu+;{+SXm926d@4q{GLE^fF7k9fI%8F*Qwj>9QS02_5*HFB5aEB;@q~DS$P#8;
zd&FkX=C^yb%JnD5=CH4j2GfZgZqsX(q%u>;EM{v(Os7_JjutMr-sLgY(}L*&YxZ#I
zr9QjG)ls6ws8Q$=#bt;qeuE42VkHyt2MNnufLJ+bKZ?6!mjkK3Id*0<d8af#;9-DU
zgcMHmCB()~p!#>MvQko<usx-m_dVaQI2`)uP-hxe5@Hvj`fC-H-mH`58T3$3T^BMG
zRoTcO@+U}V?Rz7E<5EIImpiqv*IuYY!N|G&&sQXKUTPUE_L-J-#i6w;CGpEDfYNOo
z4SOpS!+|{$-fs{eI>@mJbIo1xji)`+<ESoMDgUWh3EBpMOu4ezxDwIALW|Tt(|CX8
zgR*fjCud52b9kLj=)>;*Mn(R8C^&<njGZa(aK!)=(Tp?N32Hg}#v=l%*&rb$={6Oh
zao1H;@@0AQq)Sa-g991Mgg~B4$_4f%W~^%<`}*)0S^;l5nCWKZf5jHEhK0|cmurar
z>R5hfk-P}^*L#9isX{5^NG<AbJINgL;-oUY!r%@NPa*2%@vn%yYzwu7j}VvCitd~i
z^X-va3hpn=(eBs;N$Ky@vq4pXI;?Hyez=YrAQ=}vdOr!eSjAt+HH%SRA2ch?U$Z_^
zEH$l<Fr5k~cGU=A@Gd;)(oxjTTPnO%CoVoh)G^%erI9PKfu0HEi^2gc9XO^;doNvI
zzc{~5Bjrku<ws7ssTVw_7LNhE5&J@(&m)jeM8u5{!a-D1huX9o<7N*$3hPBGY9$ex
zr&U1XhELUu!Zg!jLs}b=teknvGrS+&Ufo9e9=9@LKG%3HZ55sFHpH(3?+U4sR~VC0
zD$+IN-;~aJJ?7D09l0?&#3{4-xZ`KBtn6E(nfJX@IpQ0?e~7~xd5bpYV`M?h%$OXl
z=(8V134?;R2?MG}W1AWbBRwK}%?)J5%F}r;$Z?c=-XdV>TV<8uMg`Q_FoaJ2KMhr;
z>R;JWA4qh|n$wjrvV_bD>i0%_e$^^bfD6N^GTq<xZn}3rH4($clNXS;RpaU!5e{fF
zqgjfFzi$BOv&Imwxn&=9_!T6ynK5z%t_OmBuU%(PX5pEX-;RzF-@6Ka7R6+@pNpj#
zYdzuEYTc9=JjKZpT;mIH9rBEg!R}jJTvA)EOxc7dMw-A1v+NChdp8?{CMlE*&#7fk
zRi*vBg*h5;o__zTBrpFCRz3yH64_(}q<eM*LfV5HQXM;cc&*{ndPVR($)NSJRgFAy
z&4-K)P!m}-3A1}|;Mr0|uWT5avMgR#5&lT$FfUAkQ<6C4!mapoZT=%GQjM|iT%9RW
zGzEEH93@WfaI@vftT>u=!rh{7W)n79XLV9m#otHmE^i_hDc((FOHs2a?Ir|f3y8vS
zs6&3-abwrOm>o_mK`&Td;VVt9w%0p#@6cRSYH7inW!iJ4(<4uIgGoPV5Ry?td~W?f
z9H}?%JT>a<^DG6I-pHTI2j|=@j=Gj-&A0kT^?fi--z^&4eagE%dPspY^RL9Vq|ek1
zvy0XJ@sCBk_b+^JPod*NVzMZ>-ci_lCZL|?jnreM?^`7D+*+$vVDO7l(==iRZ<R^=
z4BxTM*6D85W&`7`VB_e<QuA^ZAIhxXw!xOgQw@TQ=Skx(SZx98WWz#%NY}^C-~~th
z@t#HAx}s8(eA37iiv`QC8$3mr$jJ2P*98!_dCiZHmo0i*XAMIS=$ZkoiBC+Ep>X#(
zMmUOY8Cm20^!b}!|Lcs*p-iR|BP_A|;-7*TD9Thh1))HwK%vA);<qwQrPh&bzAxe!
zXM532E<wmKQ-UQf7ss<&8V)@Z#h1({`$2FE|EQOipSR4s^o3w?6j6EDvu2xHqCB;-
z6{LPA{S=uz1{~m~_>h|y>&qu4L|I5g#QvR6AWmaR^l|`9Ocik3a6fl9p+$LDEkf~v
z)PaY~agroUtQPW$XM(Iw*<3dqO=79I+#AGQjx9WR44Y5XTCdew`$5;<o!A@0WqWLU
zeNdm#7+|UDI9d_DveD6QIX9L$g3be!qXPBu>ay|k9!vo<@9r-<7FQhf9f&z!HL|^R
z+T^;%UorzC9^JjTGYsl_%y&&k<|Ju4K+o^(^+jtROmysJEb#UHYVrHQoufO3A}1>^
zTl}v0T5dWV1HSr_RuApHi`fr0vZFp4BzHKP|LT|(wBpx)c5adOjKIf85Kr&L^L3q)
zUY^RL;d4|}`&ZT5xlCFDuYin2#nRD(r?9shvUzup<&Wk7JeUy25`pAidfsD((_M&-
zvoPlB7tSsxoh)P<Hx4o5l&GQd7Ob$BC+AK#Dm`cNp|N-`jom28%C2#re{^SGX}My$
zJ}A<1H3;QW+sVE@8-Y~0Lk2t4ZQu{kgN`bK_}}#U_R@&`xik+W39!m$97k;RXayVg
z(YL=o5(8tep{@7}icjk$cj>3XsJ0Nc<Qs3nP?zJ$^68;BU2h>|rlU<8+<wPVT>eW$
zjZfuHb4FYT*n}Z%hj^u&S)nydA0s59qQ4k46XCbt@DH+zvWyOO98jaG8Se*w(+uhT
zpiv20jT290?|K19NawR=gUv%NDMlXYhP|v5DtlF}r9@<T^w>)WBR}zSBQFn`Wl*(S
z*(D$@yXi9py_X^e<5_1oq8QLvFXY1HO^lzolbph5Y#s4ire7jK`NLVf$Q(teKb!RU
zd)*+pV@vlsfgyI+RlqjUSoS`9pWBq&i99ZT3=X58nteJV`=VC8Z-9d>p(JXxw_1xD
zkqwn(@f<hj+rH-@0XgxLC*77<u{c9dpGjGLHljXVPl&E`E~2F;%sWiVRVZh*-<`0_
zps~;H+f3L8FHV8G%NH`AMJqzy6>|+(m&mHC+bJU(3{X{}`M|E3ouy8<deafT;t@@-
zBxURXtWYpDjyn!BN@y6t_CaK6>8oUtlxfR3`Oo?dQ)1ld>{$5tsh3Q6BnlW1mG_jw
zmC;U!rtE#sK5382dHgVym=&DE*Ys?pc~-UiPu??*g$$iWWcofYLS(%kkbRVX2A<F~
zsKfPXKj+YPT#kY=eT>aHqS<wNrDsJ-#%2&n-mc5iZOId$-S=rFX&_90Tq>0DLg-?F
z$zDF;k!i6^(ewU`km|%I$qH<roay!JR6b-kS`P_laM@GDVWKyo>q~T-YIpm7Cj?X%
zTYMPNFxRH_Pzag3UV7=L)P5FF%AT^BQk;xKO^S2$3wo-P!M#IaPse{!EiC>Jn?z)O
zsUqg;Md_~y10EGI{X^_Fqpws_mtKA0#FzO}zF0~`pID&9u*_sWHp4pPW*-|n(Q;}&
zTWu78+BOdBocdip3bkB4FhGRg2+<&SPp{sLdT`RC)>I*|P9AJ36B9k<)74#D(`Iyz
zNS6F}6yZOCt`QKtCO2xPWnnMsQHgr>`B^(c_A8Tp(U(^gPk%O(F20r|tqkez8X>DX
z&nQ+tF_~#M=Y0>vOFSbvJQuLlc$QoJ)br9>$P@c{YA`_<Bl|T~mES)HOd<pZ0RC)D
zhS8)L+{f04AfGk|BFOiwJ=js~p&NbzHyi(?XXvMP?=Fzg^`XH^r%ycg29+Ah>QEh@
zKX5(CVO?-0&8&3|>3|yzPUg9OTHizJ&(n_@mz}>DG&o0k=IU1@mAL;$a`x}9Fyxfu
zua*}^&E8h+=j$;sJzZv=3#^K<+IIvPstZ>T+1>s2zKxK1^N<P0kd<xcRvNRRfBK`~
zjez2_)E7R#hBFagibH9ftEE)t!-kh9t&&Dpv9%Gh%#^W(T)r*6W>y3cHrnjwtr^^X
zZQ9=}gQBV<fj%Sk_OElTuQIQGx0jEe{w}jwbvt#=AI-<p_AvOd25N<3(7M_ApzL72
zzFFW$^tS5Qa;<H?t?B;9u*5Y4H@NOh)JyGi#w<;dn3lZ;wi;KETAhe_!v(zBbuiTz
zrvtx?-d>gcaR%)!YiVi8?9NuKUUXq|vgx<_pO6WKE4J0<_OUcsq;QH~@C>C%woRqe
z9Hd<uqk~#j>3nyMik$IV4g!_5?RHyMp$2t`ws73j>o>O@R||uvGq35OuMK?ezC!*y
zIO@!mCZ+{B-=-Scep#$st*oK0985bcb9!xmU4>rR(;XmA?$oz&)@46>H)T}R)-a@#
g5-@K+YqxkUuEUQB9h*k8LqdEMWK^WfUz&#g7iZJeM*si-

literal 0
HcmV?d00001

diff --git a/docs/spaces/images/securing-spaces.png b/docs/spaces/images/securing-spaces.png
new file mode 100644
index 0000000000000000000000000000000000000000..a94d2c36d4f5d4a81df8aa794054d02933e99351
GIT binary patch
literal 206138
zcmZ^~V_>FDlQtaNPOjLtZQHhOXJXs7ZQD*JwkP()nB<+^{r20vpWXf0=h>?6uA{4t
zs*Y5Ymw<=CfdK*nf|rsMRR#hAlLZ0-HHCus`=wT^-vI~+j@(K_L{Umagiz7h!Q9H$
z3<yXvGBq7iRYeMO{4|x6l(a?g49Od{L^2&m8w|KIC^i8MMH()!z*qtkT@#iXqvotC
zqNrL~)OLNE*sva!n0l(KA{su`AqlAKMq`fSbS8VR)8%yTyN@Gt2B-jM7CE|EkqxLx
z%quD5r{Kv*i7ELxlVBi*BDl3+_V6q^q^N`hkY?Ccf4WCI5V1}D*0k}T=I?$CH++F~
zSRfR5uGIAD*)U%)pzT<iv|qr2XQA%R*j~mHq7^8X(glJOC(QC14dF2==(t2Lk<ms%
z^1y<TQwNfZz>10I#wRXIM!2cU6LG|OieR14O$-_X2SQ(PUaIcTt`k+O3AHNy(aB%!
z8I>eVTse=(>c5B?q=klboiHp`zu&mOJSOLo5ax{_Xw(RyqZ5y5eH=2EhRtL{eU(yh
zu)(!Jf5Q_g+%O!KgIH;PCVWHM)5G?$3;+R@{^k@qNPs8ImS#Bu4O>qqNsJHuvUCn4
zq*p>FK$j{ThZ~iE71c^a7IBgW_kCv6`0WyG67IJcLS#E}2PlFc;&tCvoQZxL3Xz<k
zP9XSYJ{E=;>!(C$C>A$E7Mo}lwucM4(K*~{cw&{5fE6lmLXOl#5`Km371Y5vs%cA|
zPO?@2$`zc?!(^<97*Bv!^D`Lzx7fW1cO$ctzTr&5x4e`3V}iiy$UIEyh8$7*uaj|v
z`0MH5Xt_jK1ZK{oBJ_vDtizr&&QSIoXks8(Fkte8p)8oPU^qhC^V(bRVLqY&P*Os?
zyTCsQW}c!&JrZE~jRioTz>$c~5@X;~K5v8soBc7G=n6gw<hQfw@e^PQL>5Qh9Sk?I
z5(DJ|HFF)1H(b1NmE62EOc_|Ba3o<!c4g48WC9~*AoMeYu<FoI;dBJ%WJ`oNt6y{o
z2ULZzcNvb!KZQDAQ3g=YC_W{^_KKh-Y>$K>V{n*L^e$dD4$>4`Y49UH1pg@V%ndvR
z@bN>KqXc{mZtE64ZRvb?Y?cmJO~#p~)W|(k=zO1*8&@B4GmEEfy>O#<DN8UL#Xf#=
z0xr9^JsaS^7f^Mg@W$v3%Nu1hQPmMM)}?BIyQA>Z?<Y1ri46e5&7%`frbC=VMg-&5
z<M`wA0yDGNSq8-4Uxe`jEDF!VMsk?*Nl;7RUNb-)IuDt)$ZJMuOB)N&H$_do292#f
zW)m;2Ax>}Ec1m<W{1gz7knw)aq4i+<4d_5As}AhdYL4H_ko$-3b*f4A4F^q-z>53+
zQRF|t#T{>(!mznOIriZ{g&46Qiv)2cK~xTWFam5Vydg3`F@lH{LDYj<4N2Bv+ynRw
z1vtSjgitx*=YnYp(6_-}4z$l97=#EsAt8{!h=^E2;?9W2BEXHqIZ5y%7*JwF37I5O
zl7dP|h()7jgfNK6B(a;2H{w)@`iUhHmnO(c;5(yTiTNe~zfhwJRaH^hMCle5Dj;zJ
z!it^F&{*+ig<yY<o;kbnX-D3OT>e}-Lw_XS4D1vAU<#lzftvwq9_MAmzz8KXvC06;
z4o5dR)+AF8W*cJg!@C^tZj9$dE<cjp#;;pr<i$Td<a*`pLEDSC9lX42es$|Xy&djH
zu>=DR!W)bpAeSXAK{ZE;f;tY-3(+3pdd<Ed?;$~ngeyW{!2429j=&z-7*RenKLkFc
zG6pn8uPYEIx=Oi|5-6iZicFE9C$c9zC(0*nO6`;&N>53TNzX|WNl!`>mkO6Um-b3i
zq->_<QNbsyOkkKYIHP4s<caAE?Mm5`8jyG-LsDL#(L^DV#U%-8Nopxn7UmT57WAm8
ztFx;;tL7EZs_GZ?=)V>G7CV+dj#q`RqDvLal}%MnSMg9$P`Xv#TeM`A$r7N;Oq0-&
zuP(|h<SX)1EUf0NXi)Q{eo&)Uy-?j$)2~cYqf-S{Ew93;NUO$I?=9P`7FTapHK}x3
zKB-izz*Fn4U9Feb@KBCdo>ym3+pGQ|^`{d;YFL>>Gq}7_(<FQhJC>eXoTIq;O!uAm
zUH+ZRyPaHVNjkYUvrwz3)1X<bSwTj`CPqDIRkjwU_DCBKF2-omkfjNW1}hw^9V@>D
zz7@3PZF9QCre&*j@AB;O_43Xw$_?Rcd-<(odKrFoc3H1fr~X3`ajkhJyMRN)A$pgq
zSKm+0&%v+mN8=aKA0LQ{z*?c0LEB(F2o3mm_*gg*_|Y%`+&tDZ4pYo$EOX2%RxaZO
zQyJg`2R3#ME1&hp;Ic6UV{^u3rbVV7IRv>8xpML~IUPA@nR?lMS!fxgEJ2pi4DZb1
z%xVT(_ERPxJDwxoMBnbme30#d5mAGth11|+Z)vJo(J{)j_w=bcx4LaLNVRn}<SMI;
zz$Nab^d*2@6o8m5n?1{3+g4FqT|3Y=^qhrfeQHk8vSqu*9>qB2l47ZPT(R}6`T_Le
z`(gbd4;dyBB2p;QJ6yeRQk*PNkK<?bs3D;-PCK3(_maz+GscC^&Bop9)aG`=t--nH
zSlAiTG2>z7=*2f?59dFV#^j-UUU#II-of7e!^y=Xxnrf{sUy3)yu-n{|GMxT`C941
zX(4$Z`;2R^dGet+JzFDhji_Fr_qvy*_r+U)z=kbN!2NWco<M~lZr(i~!Jy0`>Xv;E
zK>$@C&Y*P9#Gl1K@0<SH0+<~b8~6i6ADkOP8pH;4uenFlMXNlhq2Oo1VL_T<?EdS1
z>|ngGtjMBBmB_oWo`^+w9t=rHXm~A5_bj`q%ZA!jpVQ6JNgNMA9zGs^59^C_h+P<E
zffFB3!2a{%9+8-iSS;~Li7*PUmHWb|Ma@<Iu@QO%dI6Q1oHy1fDihU(C=H*7&fVdv
zyJMgO-Rb41_NerJ7P<;L8MO*!mjZ$;jm%vZm(S^Dght9+YN#a4RM}bhcipcqslnt`
z`HQ?O?oP|!wN&aV=JK7aY7W+`%STJ9<xXXI@<b)1Wmj@<Gm(d?&hIK4mD$Q49ke&x
zH!^tw4)FEix5Era0x}O$G%`MUH_3h6y%PHrl$eh&T0^lzYuHBEIxM>u;$}B<xHHl-
z+zGWQxk-MiB}7wbxw-bNekYIYjkz6?+lfc1&Ftk0DD)et(ZA#;?IxB&!mp~8ZO#=I
z=Y01*qdpN?P|R`jD*07dA1-LOw5HAZXrQQG&Di;~dAhygCUZhvxKANwcK8u9)4A)t
z`ZhjCAG$F^=+~PQniyRU975wl%|iX@q;;1&)*bJIM)d?jzf|=~lu4<&dPjUFS4&@&
z4;ItR=%?9fKeT6P`g9L9mGysjrs#OTS(N9mee-tk+IdaGw4>{&qi95_?`j{nTPtLG
zYYAzsUEEh+t}?En)xX(Xx3s2Dji)&1NoY~%tu^u+`wc@pz|(N}?ozIMHWN1-4v+`S
zO|$pz&1`M=jrz;Xst?za=?K`N+IKhex%%jpnwh;J9L9a(DR_`y_1r~|GpKbxx~E>f
zH|ex=n<&iWHLKmIsrkS^*HwsDm#*-Akl)(u5VZ6cj`f*;0FMPG1@9L;?nfJ_{OEO~
z{8W4}iXUc^ppCPwDqX`^BXVoLc)tLD!h@HBx04vhv$KD+ui-m!wDm}qQW<rsJ))6U
zl&9rq@@(2S{ieFF++8{^@6IY`+Y?~9pNVZoooma174W$Cop@ux1fkFAIdf?|Pg*N2
zPUoXvGjQrw_E>qczILeVUuo-TUDk8yU;TNpvANFPb}ia%@Ns@Av^KwIxYyy#^4ol?
z_EpEjUZHQtDcs}qZKtNY{`Pne(9ypSd?0i$(i(mo4~MVzW&iLIh|nH)lq;00K`_qW
zw>Nt2{YLsSd3rOdV5Kmfk1bH`ee>B<Nl{Y%G+KhW!!XJK=^g#0_-(R8bEzTm_4xf@
zy*JW#vzD|L>>#~&(YNzwEu%l{qxgfMclrm%UEgc)O*kI`AHV)<%Io>YK+Jr}{AK^T
zuhl2c*VCZk^L{}F$-zWC2v&`yHV%-3JE))xNWd=4JYq7M2aA^w+KUud;P*(>M|MvK
zup%g6gDJ-iCLp*$`+d3|P0$@T{sFQgdRh{Xy3>k&E=p6?bC}2%3)j~M3aAn}fFWsc
zFmN_F*uY)5(F2$>wYURyD(VWMYgS48dMtb}{@8%6+mR?!(c2RUNDxR$R7lkm_$n9D
zS5@u(#Xotn<V9bK5Lh?>s1Q>K*oyrM{L1dyZRJmQo14eeN-K@JZ3Hp3SczmkbgrTZ
z2q{tT3;(rWUa~9}AvBSwv}as?W~a+dXSwe!Ji)v}UeUSx@R7MBG6*IiaPwr0*e!qj
zuF)Xo{*~F3upkr^FcBeGNB|NN$bS?Z`B6B9$(WgcTV+2uIWtrI^Y4FE&5;2i&d8B@
zXKwrdoBr3&znwbjqaY3b>gl0lruyHz*w_8H3c8EwjiLWF`hV*p@F6Jxiv0B0E>Y?a
zI@m=OjgqozOxEVRc{j(h8e2|%o!xVfYFmClVIRaOSt(;1)kq8U=vyeKBP(J!^MjI>
z*3wtt{Hru7Lb=(2p#28+%d#@$6WgP1n%cgqWz0Kw3I^s<wP-K(G)={{ik{nN#fF6P
z{nV8kWz7PCzi=P)zpe`k@K&;Qi7=F_GDx(B{g8x?3!|waL66rpp=F#-IkHQ-?Laz@
zGn2QaK#%)Mz|q`Px(S%G)slX-lVC^rQsa~gZf)i__!qBjaQfF5<@R+Pg@a#ZUl}d|
zea!HX9~UEbAs7aQ1;sYA6VwgC;!4-~1{b^9p@G3Sw27(0OrJ>!4hv5^5;q6OEBA)m
z0Pf@K@lt!j%{uHnzblPv?PErsD_Hzj8y?%^uO``|mCb>jB~(N`{OEf=5be(2>y^Kg
zm}$4NW4r5_2gmO<dvX7Ve9XX&j9i(K%YWrNZuL%4#X;`>rd*tgYbUN`pc$C=`K_pI
zCae#Cy<FNNI1rNAUpICYQiCy<uWMH|H~hPm2YI;^a$6f&=5<Of+r#+zSyz|Gp0UsS
z6~@<h&r>!UUi=#<KADFfz{W1`c`<h2Y3&+6wor9<QF9zIZ+aQW!jQT#so8zWIOOwa
zuSR>22=@f>OC!T^D<#p>Zqt+3&C9`ZTIO!?3Z7GSk(~w?0D!l(Yo&+?wdg}Q7y9Qh
zb`=LPHd@5Kt*WWi0wLcd_x9ovG|-70g>1S%yR(<OZX=KsL-wNb<g(1ZnCJthI_J{t
zX8;fXU2U{_?kFYeA$x@i1Biv#$fR0NQxClfwAXCn!#+P27Y%toJV{)Da<qGW>+5Mj
zyF7ajSr%5snTddc9eEn|9@?7Jk4;X`4}Qx=aY}%Aac`Eu^zd0ekHuo^ASn8yXH-Ey
z-UIK0oUV^RVF9VjQiK>5_EBZi%p7NE;my|N&0}=%Ok({dQZ(dbCJS}=LTW5$4E)%}
zEsL{^dQ>EmwW_A29g@FxJATtc{p#6acu|2h0@hXiAT{~nRH7P;q@nZK$Oqr)X8srp
zHzYUgJ*a0fLg2*H5VDGE$r(~l?Sh1l5q8gHB<IKB;plnmZklT2v~@OEzFv_%311HN
zr5AL+Z048Mg@c8?={f`1>7|v?{Y8k7zDlw@kJ=t{9<7LYI>s(eN+3PVprewYFr?9t
z4oe<`6VQj?mI26@TowC+e6aL$RZ}C(AVS1*o)YfzFccK>g}8eT8~H|iX2%stt!>Wp
z{bKN^#)_ard3a?TjzC?Mh;So**DKgBg0^tf9SIVqEM{|{9z5D-B8Zx;4%E`;ybf>2
z7xlFs8y(&%JP;;t$7LrQ+Z$Lu=cy`FQB%euzVo+8xDlZD9(QxzB-pBjo#cEj5(M(n
z!!^5>FKyHz5MHN06@5@ImXkOW5ulI=2d8#cl&dyKTP$E4h_OM*c;9$P)58+?JbXIX
zq^$29n<Ql#Sme(L;h<XWe_`_<Aeoyh82!Cw!=7cxj5WUjd$RN}dwazpz3OoS2KUGt
z9`bG^-2q6umKCe5yvJr)**~Q_kGMb%(dS2CWC!15G#t#=VdQ88<A&rx!%ROcC0I37
zGVaTgHMhst&+o@WoY#&Qc?9jRZ-)P&pB*snA0^_|E7i*7O9@R-BQ4BtmyPFU?%Qe#
z(AQ1@;@8p0iHEeP8zDv^gb?>EswjZE{q_O^JXjYtHwGqdtK@xqWAE-{AaG#f!BEwW
z9~pc`3Lvn@<R>OaubtQp7rV3-fS9r=8pO6^jvR!=V;;q>NEqJQh8GP9_uT!#sgb5q
zf2gFN8{Elf81?Y^eIN!RC#+45|7pwBX392lw(d;|%JAI;9{=3~n#!)tc?tLGyMXa&
zvOs?Z&&HV}cRe9p*d`zUm}H%@jHB95*N@$3HVok@@hqWQp)ozXj1AwF@T!`S8E$~e
zoCQChn4K85C7>r%B*z7^ebwN7Yqb4#OkI+~t_f$i*#o~MU=Tg~*4lF3F666?&rE%x
zsG%K(s7^3&6I4~kg;hQA$3l;|kxJR^K78qZ-r&$_-UHB3z8s+449|)KdQ!s^LGXe}
zIY>%YkAw5B(cDmluSMooQBg4#Uj1xL)Y+*iEoVfp|7pU(zTjuO@fMM0Q86&)wza_G
zjs;>xXGfPduHNe48?xaXG94zT<20Ur*;u|EVCca^yO$ZmWBwW0`<8m~8R@Y7Rp)S+
zs9YXc4|?}TpmVoeuVYl;@6UorFxJbmX5<r@7{bd_a*}?)fuf%E#Vda$+XwrPt0quh
zyg&;U6+>n$9#^n`*L&fl(dfv7ea+6oCVEF=vC&R}*-l=2%Q<IOYf=-F8~8`kOdCRn
zaRK7Vp9ais%Lf785m4}Rt##?_t@OIHFtKPDD*lk;%;xbu``n0fJzbnMd+O0z2il><
zKbalmn*`jo7~)MhomNARyu8H9t(~;4Bzd|iLi7S`5%+H5dl|r*+a5qyQjP~G$DMF2
z6Hn#ahQiMauBK>N_oK}wj0qt@Rw6@=quu_-hN@s)ORaz-b|XJ=zOR?FR4i0!da4s@
z-rsW|zTHH~8scw(-|{iP_*}=;iXG<%=mRS8zhBOUYi5{?#)gv_DJSs8qHJY7Ex6Li
z&5d+97(Vga0a~pHuQ&HpriuGtDsI4a{ytQF8!0h`9PnlQt&Ewio`)yXj&=-j(MH1Y
z;4=45U$!Y(5Qmf562=M_#G)#=85R-}6>P1~>bV|Z_aDrR7ppq^>qWdiHQ_X2&*NPs
zE3dbRG<VZwg1Q`>AjuzL!?TI6nNJz5#*q6L;hpjFA=$kcD_)fucZ1fx{d{=!G0($3
zG)YJc)jWNDCTP&AtObp6Gt5^?S?X1~N-ef!MpUjdH&k=6t0>%uS~^<sI&}nr6b$DZ
zKc{rdYq(o*SZw)x@8$vFhO-|uj%y)C8Mx<CE>)%e)lChS7BKb%%i!D>E?a}F%Y)GE
z@aN{(l^gRtBHd1m?Jyp@EFgA*#qW&C35kxZkd!WhN?uIn^jqK(4hAD&9YO|L5gZ!i
zg&O^Nug;s23Hl-7FwBle;WYPD&>}4MyygeR3zkL|)Fa;&e+mlyn2y4Ps=g<)5AWN-
z!y7z&;i@E&YL++;Vs#kAG!T_l&KN`tG$3>BbS$>6no5=bdB5s1f@NXKp7~FGNVp5p
z_Fhc#?b~AD*%>M~!QO3U(OI}?VqX#y6;QMX?<VRUob~_&lBXx{623IME|GG2|1fq%
zb715VB5f{;d$|b{Gs8|BGM=5^29k!9<-b~?UhfAmDGA9v694fvte100(w&Hggj9BE
z5U2)HV|!{5sw<pr#PEL4+)bn9<n*=RtH#$oQ&BitOCW<w2R#>SSz9xj?-Rx45@bfO
z8<Uy*Q(RGko9fDEU}JL|fxLsG>uP8s5vb{Q7cP?=9lJUTt%qx?B!z)Y`-8Mhbs%s%
zZq;Ec_NfH{0AP`p>Jf4Z4u!6t-I&HJ?tZV}O5lPn65%x($G~{J1(`AR61RvcYlE)*
zaJLiB9D^j;+IJoT<@SC({PR&i5S1(S>Lr1*o7IfJmz?oXzePVPXaMSdx;!wrfdR{I
zt5U;Cih>;>rtZXL4TG1cXELxP;=>w2woMdCR!$u&juWy6rD4FZ%~T@vX??@Zw+HAF
zbg*oxDco=OK)8;Qz`z~UcXo<`Zy>=;g9{N4A<Po3U!7{}c=`$cI52P%Sj)!a9(U6p
zNqq3*eT%ze(Qldzv*BkQ@T>187FhRs5oIabs2e#iV@ElP%&RcRo}%tbdPvg@F^W@)
zQ^JKp@k&7wt@!T=yYX;ZyFLSaNPQ)#A6(#DD<=N(*yPFGsnO3+Hy^gp_V^2^D(_)L
zBh5;@s=X80|8xh=w!yN{Wj!Y$Hai+Mi`bzoA_LQYbk5LG4^zOZCw+)u+e-2#5`%H4
z1Z+UnCiB?e97ShFW=;^G2N)ot89pW$IW|&6!()Ks$Y@K$<h^krkcsm=!aR#+6hptY
z7(Exq(qLj>a@Iw#Xpw71EfAL_?1fd<fjG?Q2akr!EYQs$D&f0N6dE?0$2K>?oo~{?
z@pY3Pia9@Y_H<JusXQ1qd5o*|0>H2U&0(U*sLy6;Y>}+=ef(Gl$Aw_ndDYFZ@%~r0
zB|^7M$sIy0%H(XU3f$(6p&svTs#*pX18v1-q~5Ho7x*{<ic!5oqk=&ZfKdadMZC+U
zZE+`2H^V>Tb@G5!d$C^u$WVprOm=kI5}2|$Tu8}bFQapO;ddiBvl)#iK<2yK$u$60
z%4%jp`qGjGHqqb=d!jQr4DKHMHbN&i-d4#W7ptCFxh3PgJT%x*wb5J4D*ofafHO%?
zdKqPV(O!rSLjHOP54}C~+R=74)nntGRnn2TUf7#wyO#BWH>=62^VF^JLIOS+hdI4y
zKGJ<Jj<IPY4)M6!BXQzvHz&u{#B~ea$<#1=HXn_`mL7=g3FndnuExQ;Get1Y%^@CE
zsJ(AH+&<#V6ao#~VUOzP{kTX_r`v`b(&zgJQn7#HgR4ErxV!hMXYN(7frOT9pKcQZ
z7uOqUS`LQ_&$y}SYaB(v;K=&TtFHy_u1*UonVWmYra($q;f{q0lZn$dK3bOE9Z9D@
zn2)32tn}5JKdhmma4<7#0G*wp+w2vd-8tsx)iT`7R(3qaZBE3N+V_A1&DV&J4%I&N
zwYpoKy(!y4keV0TcL@6%^02pw?Dx$b1#(EVmJPWL3}%o2ZHf7g7A;6%-E6i-l7X%4
z9XU<L{0%|%80UTL^S1TU4q-!%=kvM;0O6NYlyXKB<_EL1<8&;^WLX(rD6P5i$IIA?
z4r*g(PgFu;H<H${D@EY1W}Wc7Wg{)|DwLkZiA^vx)RT@y&v;uZ_Lx$vCv)dY;+27m
zFRQJI#Z~IF%G_=a`^%%)d{nCSsz}{%+-)YRsGUr0`f$`XqV7cmkJt#iPNilGRw&Yi
znS8Jci~6(hOLN<S?rN0#Ju1HfvcmBE$YRsLkUDrF-$@LpH?9>&S65J;&_+>ns<y}d
zrj?(q>5t=&UxR5ENBkl|-TNzBT?I8ANCfn|QJMZ%10B11Nawrmz*ijz$I<`P*Ny-v
z+%3MGVJRJUi@o~wkda@i$TD*Wy&ali&xo*NNd6MEQWN4>oeGc7L_#6{&h6AanQaHL
zjbmUe;Hr9E<iL=egfx*vX+r?TOSy{DJOMe=Orx@aLT!76IueN`<-6lFUUbx8J-wNC
zXIp6+5m!$nh{ROkc0>P^6t$!$DUtZ}M+6b<(Z5dL0s>mPhVst^YE$zQLkID~Cq}wB
ze_fKNQHXQ|C~<FRoL#ME0(7+%#uZiKb4!fpU#(1X^m4U%9k`_Jots@aFuGH9{IltJ
z_W;A+Q3Hb2aD21vwl!pz`FbghW**-B)>T!8HROTT-$F1^I&p*!9F{F}8QWWs-Ka_T
zOY~8w$~q!WoKuYgWT0B;t&Z?_LJkZ*GkV>SA5GClb=AW5^1xA5kB&uGBD7(jjXdCL
zt!@`x@#?pb@WnOCv=7$j`r303JLZ^GdJ>a3k_xNBQ*7f9DiGp@J&XkTwi6=*{6<i2
zRuNh*SKOB*e1{x$!T$4_u83_=fYnnSfwqxUm>Y~h9|%ap(J;P<dHQgP1cCQAF2m=G
z9my#gwR;`+o9+0w$Wp9jzL1e#2pf`{+)#>iAcMyz_W=!=b|W9|PTiHYf~pcMo+OqD
zx|l^9%wHy$T71|~ZjLXm!<Npo%nO^BIQjFd7E~7hWMBqD74~}=kA5zexqgk|MeL<Y
z0+t_)r7^#9Q_*uo2PA`_#-Wr($FNl(z>J;_Om&gBV%cX^ZHPV4F{IXKf@Tot32>zb
zjXVrD$D;>641$%S88;1A*`5cTcs(DyW%&!QS@mob8zpC;N*+7@kmTI$##i67j5b%4
zJhmLv)k)SHRYR~)TR%FoZW!*Q`K_lm7(9uoouTf)JM1u{DD@WI|N5moquC13c_y!}
zVIT`l?XZ0ne1v~e3WDpN)4~LujSS5q_ed5G9IjJ>>oRquy_v2Xc#+{SIY043yBrER
zOv2IiTfrJp#4*uN9<=Nwj?)lM!?MQ3nH~dIc~^8?k%M$})5ZyVjvKg4@qQUGuA&;4
zlIvzN{Ke|Y)3(w#5<*su%6MxD-qV}2%tu9EC+@js$os<z4Zd*DEgezJ`5t2Qk;g!z
zi^@AisbE#(wi9MBard>qa`>LLQ)!38gvpn(Sq8fHI^RP-a+2>4C8IqQ|7Hi|S{Z)m
zs;0s!J2&UjwyG`0MX%BI_`@%^MxN-=s)@N3fJTUq;ciszdWRnaJzyDgJ~lqg-;+`t
zg3CzFnywD}XDWkDqv|pKSXpl-mdBc&Wi<za#~91eho5a&TgDGB+8?{^a1MzT?5BOx
zck`Fw2ayCvjvTdn>8ttq27!T~-iPN*e9OMFkGOZeq~&y$u63SoWe1)Yr?Z}~OJsLs
zC#@@{e?;j`T=M&I!c~&)9~q?XpdSfgiBMtAHvlZO5Idt?qKzpW|DEs)oKp~7x(*vx
zcvnhYf);T5SUKCHdt`_=GA?f()rP5h+aa)7F@IQ>uYVX$N6*6sX0iK)+55rko!ly^
zBaKjcO~<@mq+mE)|NfqZb2V8hsESDt1v)gQ4uLyG88$fx%{QqQRtw$a{JTLQ-8jP1
z?F{n-k*5ibs(`=9vRPkED{xrM4GnFjd-9^BuPZCaU%iN8rBe|%;k^pRw$R|5h7w;f
zpdIl&+0nV70%Zp@_pW|E-LQQF-a$S#RNyw}oWbe4ki^q_7ytA0z=kQYY4eVqi-m{a
z<3UDheqmr|1D;7}xjh+=nr6zWq@>U2Q(Pm-R=;=`!Y_yy5Q+<$WF==Vp`9F0W>}6a
z5qEOvC<Xpx1?s?oI0EJ~I5>ylWone5Q7c3cwJ{{xq56}Pip(2lJbDpNr9w*tuMK~$
zC}qeS?ES5fAlA*8>6{AO$(p+-c<A7Iu`PpmTf)nVs<svG*pyGWD>+NYHiKc5z7a+5
z4F5`Dveb33rL(<JETEjnd+F0H)}Gnz*erqqHo+PN0+$MZYT!;VRViFnI3Xh~xY%sv
zSKncT5Sm6=lCB>s{T!5&i>SO46O2u!o=8ka7+YpSmKGErA1WWtTjqo_*^MJY)nsY8
zj3Q9cr(_4wTKcyi8-afskI9z_>iMqD8QY`rpSpVLV*Y02<yJ^&C-uuF`{fxYIxVnk
z5}5*hJzqfnT9~+2XQ*T~lL->v_;bnUibjeNjTVvG^2%`V&2@r(Abb!ZTYY8CNZ=68
zBl+NL;exWXfnK1ew>Zrc#F^{!nb5|<kT2D+vL4&BO2hiq6g5gJE7aX@VcJ-_e>F$k
zK_n_f#l`vk<iSz#BFTKH{O-p4=_T;M@s>45G0(0z1pke{k=J14dO+r>gLJV2CjaUm
zjkw|fVkvvJx!~k7LM;340CnJJMmHIj#~{wanHuyGE4Vu&(tSAhmd$d6*2md0oORNd
zQzRz=`)_3WUpiYb8(I@A+2!QhSf(G#;upHn$)OusbifEoHDQ#Uekdy%2qq<PY%pY9
z{O@57otOQE-yn}q4W+M?sq2Z#0bhRICYC(LI=Tgv^k-HCyd8)J4wB<@HNu>)??-)w
z2bhoEroaC|Q2j07k~qqPp~h(`t82y1e`^M#ND=s6*-tEpi3)~8*7d^mdgBho4TnzD
zvldk6Q<TMB#3$|q8<y*a&=ccgo+;zuT^$@%3@;b<GJ0vUg5>JJK6?k!E0@vzQ!;vG
z5DPuVgU3Pd->LbXrhLrI&fM%I2;kelUTLZndmsUq9gwx#hJ9nQgY=!2lX4YQand{=
zHfEGuWMElPmXvX0XTVI4)>TQturY#~o*ujs3{?Lri7P*dh1$Q3k<)APTs6C%>{%i*
zioyc!`B>ai)E)<b0Kk}L=A?#?+OQ{A&r=0aCs8gIOK|GuQq|I?28S;xiDVLUZbhcI
zL(&6~YEN>s6r*Ol5h5-XPd@+&=>JNA|9kL(Gjc!+U6ylc^!6TlUGSXKj+@gQS|<YR
z&HE_wlA=niZZA7TjOM6-FVxVOxbV3DWhWqTXL!Xe`TL$80iU;sIV}Vda{oHqUhT=o
zgFqB_HhU+s<X?j<|2`5DNN)Ck*47`F_x%pP@P>pM{*+0G>?~JDrbM-f(lfd`uCyq1
zez}yqw$8=fudGX%i+`T1|BRXh!iEb*V~}4ZE#48F11vi5+i0bDvtqTTSBC|K$KF!-
zGj>7{EKUYD^d&CAtvO8)SMJ|S|Bo4AQUqdvqx$ghaBen67%BoQ#g2);jTDh2L=_n)
z<pgD?HTnHQOFf{Oicry0bGgVME<dX;R&e1y(&*2TA(juOEdj%GK4Qv-n?*1qw?UH$
z(Cj-&IYfk2@RchD8V+N-$V#KNtqH}k7unmei-<m)eXu>>9K(M2^pt(3Ikf5cLv_00
zS?l|M%uetj2-<GZCk&#<;H8dn(R@b~;7GEva{g3NRVOAU2XB4xSW#JD9>bB68uol*
z&7$DrayfL*UsZLf`o13&bcg`|+nP^aCteN$MF<C+AXTVb$<y#a#KuIVT+*;$jy5a7
ztzR64P&Q>}d}j&1k6)h=CHePn=~Rr&(F9bM-<o4h9xdV7-89>}Iq1dIFqAsl>Ty|9
zSz$IcBZz>k;9k5Plq!~=nyn++77pPFNdD{RR}p4xQBl%L20Dm<xf2sL&NDh#vYg}b
zoniPJd-|W}u7A@cM7+evretVDIU5hj!v9qR{(U91NgO}xwyH{V<zanxQ!Z<$g)&Vo
zS>{5)gS))>rmR#96t%++e^W0ny+9m<D8DB`8IitZJEYl(T3eq;0emm@=ckxvUn+UZ
zj2-9gsU0srpSGARCbil2{P~#SL5YP^6@Tyh>>XHYpGc`(9G*tD=k-F06n7B?G@Uj?
zs46SPhLD`U?zbOv`u?&^CLAf6o=qO#Z(6qmQ_&$nVc6Eok&Ia=Xlla<HA8<*WCs7!
zVX7B=3=K_6+aUTBHS&SDBRmAr@Sw=Os#36_Gmao3D+&co&aH}a`S>a9%jp2VYPYdO
zy4awJvegc0kIw^#EY!!EN5gBy8wXI4c`0dW!U4RHALVjID`_j!Xa11y>Q*NDCm8*Q
zX6$={(7}+KvMyK~MZ-}*`aHqhIa5R@d;daDC+e;MTVZ>;*fdym7@qT!I@P6RS_Lrr
zIy&&W&w3tvtB3}ThV4X>rX{FB)3w+XAa*5-!DB);oi%jKS454qpEVfXO?Pqfa1)Nq
z!-`0Xb{-q#6SC3Cn0*_)q=(nxM>9&h_!>JEXj1W;I{mKiu2(5qY$yF;Ir$W+=a4gj
zGs+x)LloHY)>JsIcO!W1%d5+DG|A&MTung2M5Pu<ZmY#?q)4#MX@2K){T9uqH*5?)
zPnK}AB;qh%!pUrEWn#AByeRg6h)qoKv&hi7OBYwl5(@FLbh%HTlD>N63LVfGQ^RR%
z%VQg{l$&HdZyc0dP4eZml`2hpFvamhH)bYAmrONd5@zft7D>oF8%3I<A71AK?&RF?
z;G?c-LMmi5{#qPP1sI8d^OD!yg_GyO@NEjx;3|bcO;mVuFrL;9mZB^@lNy@rYGREj
zJswi5l!%F;NYH3*di+Qan~tKE(x?b7N86y~NFE9HUo=g8keOZ>orheD$1fQ(E4;Xw
zEWUpcmG+0LjZ$c``X(}aQqfY0p336JX^z^CVg03z9>PN&6T%Y7WCHmt4j0L@g^DuY
z8BvNs>+ruS%A5)aUY+^6k~ppg1teVTO`PfGem(gba@@F+aZG&k=&)$egk7>YNtq5N
z+pkT%Na|Lm@psPLCg<@VybrtW6=Vm&u&_*#=NqptI~<glS;)O42M5Q2%qSe|L%*sG
z(%7I0sqd_h*rM5Q1nV14C#yy=1Nrmro?Rutp=Bx3{HU-yo{kX}CG0tIO-3afjoa{L
z2Tv9D;B}(lQJ2`T=6+qM44<BVgw^^q((?<sEgA9-#R(B=5EOS2EHMxi_DO_;8*SBr
zUTE(AA5eb+z0PW|^QDadk*%Q|rs%BZ<@C<x`Sg{IjDu4EQr6bLw$#5UDx?i>YKOc?
zhJ>icrtYRFq~-m^=YtG~wsz#Ir_8Ai8;yF!Z{kH4D<f#{RC$qIE6YpOCnMsHLkWw}
zR%eAIgY%iKDOpMGM4GP~)ZrL|wS__JST#8+r67zNZzhsP)n;1TluRqVejOQIUJa`|
zu@a`|)zM%%M2r+~bS*!M!D5STLS+m6ue8vAqPk`7z<H)t%Wk@}-9bQEPv~hugYMX4
zyzuRvAdG4kicR~Cx?4}>ceM;AitSCO6Ek`I8KQ#+Cfjz*p2oplAuE}1&duwUu!$7k
z%-V09Dar>~dT^y<!UozO9SLT!Vzv7*-1MyWqUnYqN(1YJ)<?I;(EcduMcrVP2OHO8
zL+2xJnn9=97jHbU>^X%Izfd@pY0+|<lB|$q*ONpg4yD`gkj#3A2F<<nzeo=sZ}H8~
zA)c1yqy9;h{Aa$zPwqej)V~b_gDY26E{vjKVGw8cdMRzDW!ep5?NbJi$ISpKI@1Pp
zS&rJj{CE6KmM&zd%Eo)#wp0~Y%cfX(8I$%0(+JZJWrISgNilYuN3pgg>LUpKr_Yo5
zx!hsKd8~8_Wx36zZ)MY1bUDxH$0?0${+d8e*CN>NUtE8vrz)00M^e&iCI5PDYX8?H
zssC+~oTK!RxUCp6v?R^wVrqJL^dvT@@*W?fLuwV2^`smqwWU(w{!LF1<x6gbvg|o}
zVJxGv`20Y7b05izFdo|-Is6;S>)ye1eBy97(cjxX#Zy5h1-F1_G7`4(fJG#YqJokj
zkdZhwb;2?6!4Q);&F%%wcb@y^Lb+f=W3KT=RbD^dyTRfm$%Nl3D<8@%4Ihr=QPk9y
zJ<f2~=z%m6aEhlFlfT9OFB$$WG_vdz6}zOBnOd_kG%RJSY3Lxpqb=@iiw;d;n-Q7?
zqfXRG>D+)kt7h8?h{69EbqxMC{(IM>IBRRKt_x1)$fJ<3Uvu=+5^t7jF3Ee4p0O^)
zFAP>^U3HaRGg}sqOEHp6_j@JD&C}(i-nRk<mRf}hiyqRCEn$5jNhYrJPbL2>DI7fU
zB}%kr)5o3Cwm4Nd4V5}fH&UZb!gJZAToANQ1}lYit~D+f!~c3g8528>4T@G#*~lVm
zMYC$GKMN~>2mzbL88wRfmBagzf(QD2c17M5c;cH^r}WJ}E$ntNqc}M~MBQyoaoQ@K
zdjtY8cx)>aLF<_1STQYfgMj)X9Uhf-QIo-D!(hZpmOv3lBg$+voEC7mfJL<uU1CJb
zMMW7ok6o7EQ>sUnl9rejCV9FfXreQ!gXgv8*h$9wUTulFi;i)TpZN78&N(5y@<PJh
zxQ?0zRQ82|u})W~rFowCL-yBiM(|kFiJOawJXgq%%VCiIi+lrOGW#)L$=p#2%7TFk
za&)iBj($c~*rQBD)etlzIe$uNMp-&7rm)tR#&(mm#;PW<37XKs%b8bIR`Wdk-&CME
zw$E!#!iy#19i4Nz_}0*NMVnj0j*q1dr&&1Ul<N4m9jxv7|JqWjjO*Ig7F0@wLZmQ>
z)d(w%ibvO%(B<OQXy(QRUW%4UER^QUs|3--D9C4^I#EW(C9;CNWy#SbpOkmir45c|
zMQ^$>WL8@^+aBY3ukLyeR;h9;Z=UCG6!-nu0&W2*jz5s~JMC!d{x~w#m944Weh1PB
zyn<@<_d_Xsx8QHZVYIn4nVXtn8X73`S6$4X5!s)<I%ob5bl9&a`Dvey+ZH!b?um=r
zkz(S=s=;X@&(>MVdI~Z`EZslBxXozK`9r%)zq6%fUCAZ4y>Tv#dD3<-H)4<Ddg#dn
zVlZ<gilXjs9>DHbRV*JXD}aL$hoJv8!MXU}#X}5BE8X$JR3@|Ap69~)Vp;p8w8UgP
zK>uRdWKBWwhIxi?c|JR6;GMW(fjC43bdUQ7n0b<qGTW$*mB9ib6^+6D5mVSp+(-;2
zzM#8NB@PAidivOt)x~=mQ*h&lBF^u1x=HFUX_a7kUqv1D5Ky1z0tc%H3?;@(r!z(3
z&lbIS)K_lMq@X5h+*w))PYr>Pt_>j(aaJueGtFi?Y`}~8{_**dqnYb~6@!}0d5xXz
z`N~i~aQRN5?*Hfh{I@HdQvs?)hVj6bjy5eP19`lOe7D0TU<t-K`rs%HW_$??6A+t{
zBRq1wE(54{mn*OIk^f^u#a%s6XAAUz4DOT5*ukNji_2uDDe%c&BcSfEDfJe}mXi0P
ziKKb?ru}kydJt7D!44+h8e{bKX|-ZLV}K4x7s+BP#_aINU6z7qBs&Bh5r&=T`Zsb~
z*+p}hahD@G00HX*ZWL21H6g;UJK1u{%l6CN6mLnl(ZTfB097bkkJbt?6BqhrMZ658
zX!R8rD%DwyTO-0Fx4WT(?DWLgcVFgS-Q(2iAAQU5oJ^_mCAQIYF0Zdg+Vu-=R?53c
zlbmdvA8ne1-42V4x*N?xf-K2Cb5$L=o?kDbzRg6)=@Q@rU!>VAP2$GUq;wVm+|Ryk
zcIc*V#-uhhbl-aU%lD1+k`>B+Hgi|E-<sjh|EiGzNSrPp<-H;Y`(>ezuzv7ny^R={
zv?>Q(Q&~7EDI5e~tBY|0ba}iSy39zE=USA+)ll$%jCb;evJXC!lxOs@6#&KnTRu<G
z&T&TrT54Rm`N1s#2DKuP`9_C!q?(;3ola1?xV>NzY%l6LX=trcM}sSJRpH8rqZfj(
z>}F7K54Vz7)|I7_%L(u>lM>uH`jOj~gYBNn0BOXTHK&t&SDec)kG?^YwHT3?1fcar
zH?`JQ&Mb|X<E<AX31#ZKq8c`nNtn^;S#UPfP!kcm-xH-4?2!yToqQ>oO96p#YF3{a
z?M~%Qwv|L0B<L)mbxUi2yKM`XJ1DKW7*beN3P?z2A!fq(?LzizzK~L#7h-N+s5Jv-
ztOMZP2|9Y4=Up~9(%V%qS#NKM)z3(;{(3<twPBW9?4RgI6mnx`XxnRrN^4cLQ)Al%
zedA%dk!ZwXp!xgy89&BdALC){FX(ULZyRa$us!rWuz%$LfmgSa1KRdEY}GIjY_P#&
zuhkEG>sMj?bus1y(tY5JZy`#1mAy8f^=^L|xI2X>Q|vPGs?>{&o-e#gu0~nSGBDqG
zkRS41<@`6w0C+$^FN&*~u$7X`LRv!ih=~cS-k~BF0g?Qi1AX;%!GW=Xf3&@1taISJ
z=?nprnQmP+U;7eywReGuOKFzL4Eq|xb<~O%+-9so<h@q-$S-RnPH_Kk8uuUeOCUQk
z=d~VmIbvOf{jPIJDAZhpilmd=rZ#759io<lu0kEL!K{H)wj4r-S69F35;`gFFVoYb
z(RlO9LaiRd!V%?HPmEHQuOEX`M{_nUIKDjoohXv8U^<bM2f?n{s?zg3*T;za`-X^+
z&c{YXVPg28qxO}BXj4zIH{#nI1}0RWervm?+X?_-L<JACr$Jq6Do%Qx0>`bF_>!aM
zy|0kyYL=-=eHjc2Y|_o1*MpZTKpO<-!eN-nkT17IBZ^%|qFJ4<uBK*?hQJ@_x{<}a
z_rrBcbW&|>$~5Ts^qicqJq?Gz@^pZ;RsolY4L*MJ114(P%sW=Se-{w)!k>j|3oz@b
zs03$5e3wf$ERi7S^rjpU&x20P2A)=^;PBXhYS0FcEoI(5FIauAOS>2VTH&S{`R&Ld
zUFgJSC)B-<%R;#V*aa`Hk;rxW+&fggUl&qh?*~bh1XxuxOrkR(g3A*-t9(t@SH0)a
z>4M;4L2NC=V|jtJoE3iFmpT05QZ*9FO}HfiWXaEmr_ms~^(5^G#Ijg&p`-P^)%%CV
zqwrF|-Axpl=eti)d_SN`TKaCbi0<#pwec7$k^@Q5>&;dG;%5Sog@eZ<>^*7YVn9of
zu`hu}Xk#$tpAIPUag)^l;Vk92fs~VF<WT!D>ahLNF&nYEv|cwewXBC~I^hiBOIaAx
zKC`qTsKSG0&%rJ$9lDpzqM?g~#6T{I8;R4Nf-tQ;Zs1(L(2O;fvy##}a)TGLlsd7@
z0Rb;5b*o;UiZzCfCary%#B6JU$fN0}o}?~I3PD-T$;vi~9PJu0?p(x0s<a_AtQxy0
zbvj#g0OS8Y#Oq+UHeNXvqpWQXP3}q+pZR|Nn<}Fmb86rZ;D`m()XnlX;K%cQ`M(}k
z6EISqkacWrD4q~wqTy~tTt9){pOhOITe?~fbB@9Ev~nUGfQlbH%<qQD9C4~0hnhYa
zL5`bfZ)5Le9_g-JR5v>A=#w6=87)H@cyitCg(LUZZU%NNTkA4;5$gBxLLi_OkLc=z
zBA(WduiZ=B33(Fg;{jH#bemL`?(VZlpf2&_=5IQ{zUUDc*VGPTxvCjG){JJNp~qXk
zh}K&KP|bZTe4Y15AD=zc{IG4P6I9H^8+fQBmH($xcbXxX-ERDMA3CdBRAU}x*vb*j
zk@p|3MI@mLX1{(FGX10)46c=(D;7QsLLr@q8YPx>yh?6MF<E0<>TBF<dt6#&A0I2$
z*_y$9^L2T$yZ$b+mSAGr-nLCl_d)|4q7EdocW`!kkxZ=V;a$osHS*E}`-SU^1IGYH
zQ23Ei_;560F5*&3f+uDufMw97wQ8Kk{>1Y+$<iKpv&CU_VzbVj?8qH)cEA1P9B0O5
zdtB)Ac%uBdr6F^4|7*tV!tE%A%+t>chL~97ZswK$;&xS6C&mjB_5k}TxP1Is$v85r
zD3}F54^3p%P}_DVJx<#1A<fX{8IK$j9}hnRsd@y(jSiaRB`zkYRy-a)+<67$3fGo0
zS%oj{nkQ;8D~wh_TS7y6>3X%!Utm*0tPTa_Uoosjw!kYn8g)}=5we}!1T8URsF8EM
zs*rEgkde4bhS1pCeK@Wc4XAZNxR}pxl1;dP3nVRrYc|)WP5vlA=e7?v^7{>_p8o^t
zM>JkkWODt$S)vH?{&^97B^6zntP%to+4aC4zGuN;R>b_zd?6)!a@G|bRSg$){H7wp
zcGOxQPU8<(wKewM4bCbjgueTOMkn$G&f>6vy<(%BvNj9H0sky?Gy}@qkZA6vjH#(w
zanX7D*XO$FiP(yRd=S1-E2@H5P9q}yJN`jB@ze9z!94kh;#WR3(wHtqpdC~hC#F#Y
zqUmfz|GkL$N#@c*%L%p``OdH9BpN_^wfOUJ)pBe`t0haCt-?@B2BR()AqXERFMvML
zgXmxFtN|`^N9n<kV9^uw^!5z?4DckBs6izqwJrO`k)eQ(uAIe}8!73+5!{r_;@rdN
zQh_%#kX5jj6!=Jv2i*3ujiGr!e@#kiUUA(}jKjO}`E7KA^ApbJZR;r`O${Qx_irg#
zd^R9&6hb&tDx=fe_<^5_mbG>8u&^Tj01Z!_Nc^dx@TBn^P4Cz~2o~=V!}B452IpDp
zo~MgFCYl}w{2%X9vbYQ1F}3ub+PD+13p5h@o4Y@LYNYPhDQN6Vsv|#Rsu^oGgl8oc
z?#gz>Vb{3j$V$OtHZ?IT2|$>*{H{zi#&U|mr}L#ukO`14?pg0Ji5<%`F6=0jXb*$q
z3luVXeRjCf?7AjAxsn>MIqv?O_!pevZ6(0#g{{@r;u<dxMzQzLSopt@?Ec9AMv6z5
zLX{()tdpkQu0HH@BLGcrm~snmF(#!-nI;ejpQXC9Mzgo2c@nG^Pc<T05&%2EG+fv^
z2x<v=HRCO7pcU6uftc48yLI4rLWY>UgT^0}SuHhMjiUH+AEEX<^~W!Cznnsq5O$e+
z%lnAJ585#7tl9S4)jk$p@w5xPV%g{M;{h~20~P*mibEeC=z@V?2>tG}-F4ZDJB|*|
zZ~x}txfO!>_~;=$fvX`N8I-#nJ`+mvXb1%Qwv^x6GFk-}f}7A+HL9r1g)rgP7ZY}K
z$j@@CB&)-T1&7l9&F1iV-OnhGPfktzUW<*z*^qSr4!E_rn{c~GDo;Nvkdv=Y)J8NC
zGhx%<hX0+3<dgxUWq+W6A3t}QrmjB6JW5-FTuaar=st8+J=m*pL(6ajD;;ZnFYGJs
zO8-Ic41#aEvVVCHSUY`6R9tdGibIo5JG}5I9rAo0d-BD2mBZ(>v24}x5l5qxs1&q#
zNPX5LjC6P#Xs5Gks33kW<=0joG>*;l<i73pfrb+fGLx3ayY~Dzy>_?PS~~K08$79`
z&*@4C@8VuoZ4JOwfO~Ng64%CWGsDoys+uQ}%3L>4j3pF6^rXbhGx5{H2?O^U)YOQs
z=fG`I&HbIc1VD^Dk8P(A4PMqVMRVKkrz*$Q#raPT>p$rqLNIN@pFN?_f2wqA79lxq
z&4<&-ayH2GM^H#IPj&u4?F=#6)t@YPGU<sl{+z{DOHJv^U>^UQRgNb#u+UCn-)#k>
z|8@t-`{(K*<Hxkz8S;q);FG%POfzIdfG)^jhI3nb!$_4${cswwKR}@#_-v<_W;^#f
zG2IynHr+l9R!hj!n@hO3dH7MMemqV?U`&RgF9PzmH`w_8wYaMZ?R+wlQy66UkAF92
z?Xe#dfcoxO!eEHO8>ol`Fg7VCRpQh(z(xy}w>yW|_?i6ilY9Rl@=pW58(p74D{T4;
zlpv*9MdlAHh0nJq_0Na#C(n~8O*nFyM3Rk8Pq%ydD22-q9tkI)wdC%jtZ5UUqsv-}
zM*AgvUW-)|ZCk9I34My{B3!4xiMQUGwBl}0Lk`pIgj=iV!^9v+CzjElQ_{ZOWZ(@e
zh1vchf;%S?3EKY?v^I!-_81DAtgWiZCzyZQdghx>Mwsl!aL%@HC07Ds$zQ#@hW5r`
zsnD^PQ#+1xpcOiwJwZ_I{lMJXZeH!5d3(M-{|5Ixif!pueu*7M9H`V$I2{p%XfAFl
zix(conEJBYVCeGsNijAS3)Y3+U7$pk6LcdM=Kb0gHai<R_v~FwQ-+!!nx5weR#4zr
zR!u8hEg0;$ytT{<hz#mm&5mKryW<#U5{OzvJaoYspPk0Ek7Jd`k40U@QxNz;Aj~U|
zP`9~k1wfP~)y_C`xEw*j-9>*v;EVClC_UO?gS?wt20q*1!TIj1!*O6x7?Lrl4`4Y~
zsH<Wg*xACH-($r>C64QyzUv1!_f{GqQgf}-&tS5H`|5W5`w(nBI@Rf;a3zDvCoQuH
zmdp6pU6^}Vmh+6R57OSc)q$x)a25`UE5dV!v8{j16>*>ez-cP{U%86Ygn+Uw`1pKN
z4Tqu(G6w-S#4rho1hPo7OluJ&N&6fF<*=!XlUfCCV>)-VoQLuiod(k#_Q|v*WI-M)
z0^AYTh3@%c56wHP`UX-4z@&t-qK-|8CKvZB7z9z3#H&;tXR9fdGbtIo89Lf@`7W3b
z1&8SKmC(7HLfbp#?EKK+FSIkM^q<N#NFELju9uteaqjR4{G*)`iAq%x^Ak|gYd-&v
zxVMUmL)o^5gS)%CHy+&GJwW3QA-KCVZb2INU?Bu;NRR|~ClEBa1^3|g^}hG)bI-}%
zdyN0>f8v4auBuh5=9+7+s;<^pc{RBn!R_=6w<R1Bxy|M#N~F?iG)@4g%o{BVS~#)w
zJ=fM3CAHQ41&65fBHHG&l1Yq++YAiz`MRO!`@({P!X+BO7Z1ycg&L+7+&mx0cJa0r
z(!#QKtof%cT?{$uM_5^Gnh6utId+w$%w!Zj*Sqz^qTNT5dlo)3vnA!X(b2*Nef!L9
z((s1<FMJvq<RQ6+oIW@>SZ?%*YhAL|A6I4m@_ofO%GwW~VEfVt%1hW)a{AxFm1xCt
z1h0IW6b{z0UzSgd?99eK{e{)7>7V~mu-W&WkLt4ypU#fhLl}30DLX-JD3>q7%aGa0
z8MvUk&rW$i175ey4vbNh>c2Gd#8fAqKk}uCAp7Fyzk%!jS#KV9v?Cjl)Cj3pHj3_j
zwuf=qXCL`j#BGLxoHM_ZCg_0G-WhcDM%4$mUXN%8+SZD&+`OS^*#{yeKClsXS|)&a
zFEmkgDv8rW`ZTA?fA^R_zfYa^Ta|e?L<RLCE{)4wx*1`A4PX%Tjf*snhUT|Z82^Wy
zcDa8Pa>v4|MaID|-5cisn}1u0heGT-U0BQRNmfcBmfzIIf7QN?6X0dJT8K}+R2lsD
z3DiG3dz}uwLs-3$lKSU>|C@q$_9;rjr^cVvjO6?^?Emo*kRD2m`PBcv1DJ30*HcG@
z-l*)t^Zhk&Imp5q-T$-un*tvxhIke~snqc}k!XOypQiy}{sd4W4j3F&j->!5UMASq
zmW(N3P;UY({&t#VNt-Kts$n?fQf|oL&&K~YPp6q|XZ-|z*A^!%VEO419>_K{J{}eQ
z76&o)wwCG?mSTN@8|TA}nItUyvc8o8&Qzr`r{)Ha)9+uz@d{QrAJf3V;LROvmhlH4
zt)CdY_VnZ9<E}nF3T;68PdBp0xJT+4g6sw2oEp0rj4|-urYoe`Y5(nMyVLOG<mA)h
zsYEPcO6Bb{`5|ssS66FDKjh(4)x8>yw$0wFdr8=E|9kxZV}><pn$CNb6+8D7r=dvq
zIqQNkT&~pY*zFldxC;EgBoI(v`6drLdq09khiXkm#5nffKJtHt{e}bewmsyyslNc|
z|91ba0vYNo70%@V`M>wZU1aE;Sx<PmJ(+*_|EoVbc-5ps`1>iMe+|MD9=fK&Va31x
zw)`!L?8ypCk)t>7Sd3pQPxsD3e!m)quq-%I9*)e&sXUA+{<q6)e_BnL36zMVs))_K
zkMYOZ(7G&UWAQox*jCYZ-|eC4LA*)y)ag!Ro1)SPd^{^{p67V9k{-j~?Z|fx*n(DF
zy^b%X?Cj$0b^6!Fl}fO2wnA`o&)`bV2B+QVa}NJF_`h+wUh?h7p86Xmf<MRbyU_)y
zkn>W^E%~$8cDG^#D8CTsCy~FK)d3oUs+B4P)3W0Y+e{5|dgY^vU79$WufU*Y`u9u)
zch>y;&dYFQ%On^f;-{%Xf8xOZ(Y62SCqG&8o&e3gXY$AV+RVL+Beu%!ebb1*dVC~X
zN~*~V-U0S?=|ar$L}DRo(r1CkH}#TdJp)OriHlDcB$)J+IFqFyaO;0x+xqvu+ra^O
z+YPN}G3X~zM3D`k>un5@c@S=Xo(Ps!S1-bqn%|aJA*3h8)qPX>rq1GCy!C1smfmKo
zbGZ-2WhDeIZ#UH{$J3LW1f6U0A;%OERW?9cYbU2dq9{9%;O~5w8lFQM_6S!MxaE57
zK2V}Fz-HZ1wHU=2a*M}rSdF?nY#9MD#R@<Y>Ai~YzPMfqwV`^T>V9ZD>m6v&($y(9
z_N*ZlBL+BozUFqonXP8KOFhs~T`kyEka}H08_r^v6x;s>TYZ#~-4f|);9L9hi?}Y@
ze}wi~_#fNgo{I4M>%*uTP&;#FReu5kTUvUoycHbu#_rwK5hynN&YT<};E0l3k|dI^
zR3)qK(i|1{nyNocO@!O&!PQvCO(WQ(J*CY%aYWittn0f7f7ff*E)Sp8SeBr`A&L(W
zvl7b1>yw@k=n001@C9p_&Dfoj4l<JwO!MhgiEt^EFF0!5vKuH9x;?Aar~_{-QevuY
zUVai+v9B@xTq0i8z*>pmZepcXk+}!7lCjTVpCKe-{J0amx8-JKP?N6lJCyyeXRg&U
zedFkgDCeu!@ZtMvl6J-@CRW~6A5kS&Tugg<z?RfGdv#OeLm?bDT|%!n{|3SwOymqr
zp|pxXr*xI6OL?%kEQ+GL@4AmA7Zkv!r%V@G)t`GlfFQoVa#XnPsp4MKT>bf507cE0
zGuIH2GUAi59Ju>^a$-lPw1dR)NsOW*XKNCj=)6|TDMR28HBMxecI!jX`muHN#*}ti
z<{bD#*n58sA_e?R{G#R$sEvtNuHF!tAQSdqm!-2GI7aI}H$`JWDoQdJUc+^Cz7Sk+
zNX|~x*vnEXr2)x1IAB%J#`w39bkV?U^}mvP)YGIQlq(BgQxy37P1?zVLSFkOul^Q-
zXz~y^ow+qCYLi{W02Qp*7%`4Zdcn_6H%R<PO5OKKYD{c+AyrEds>{z_)_fM>huyf_
z8Jp|-=mPpgsJOYS*00?hBX|XA-*##0z72|H;S%0;bq&F7gqF0%C5}6F^b<PsPip!j
zis06bvJ)|kbhxcY;U6w$Cu4qjfEL~jOeVZsx?jO!W}ex+TCDBs$-Ih=F2O8IPxrkq
zA<63KfcIGr;-%d1$JJIIi95T@Ysvat0)O(j2{Ubd*qd7T0E1@`E7**<7Q(p%7j(`q
zDi9!6;D3X;BwEUpcldI?FfS(4?kOyYg`s&}efZ^cAB^ASm32N|Y_C(U+rjfa4x_sR
znD*}wQ4%@N1a{!QAg_Pk+Z%(B#w$%2NFtT25=&>(LqbMY?Z4p7MG$b!NYnHI-M@Yc
z*v6(6%dj;2nnzm0S?uu1vU15n-D<6of4d!8UBWQ<vYY2Q-y}wIW}hB|f(B|BkE#-s
z#$N188o%Ah7O4$wqQS#@*wJa_ae=!kwJj>Hg3Z*(kJGOuQ9789?FhL-%Q#e(mJa6Y
zH}k+SExMx+X<SPb=;+UIgfsR16`X+OB`fXBS3}H4jssI;U2Q38UHDox7PUKN6rlPw
zh?J82JB7q}Vf4LtK~kvm<jqY%MO_nj&)6~?9n$qcnb^|V-jc+r?vi+xCxxBYcRj}`
z^}i2vFMc>#Xm=jdz6xt=dliG}ZL+8Crsf|7|M4z~sxWa0%!7VNnF#N`sH8Gc{H|{6
zNm@EKw}ID~oI+DazZRhO<lcl=|BH*PQq$A`CO;F?8`GBfb-O>V^ZchiMa!hNe7u*k
zR_hOPSvopc`3(}z6q8ihO7~}j&%x5{e)9n17SKlF&DypWL{VcYoJrz=;PaMk!}V*1
z;uSyCxx}NS5S?5m`PEnl#He-2eHhgiYwTZTLcjv;=qBgbuA;O@U`ke`e<}vy@kGB&
zxIYbbZ@4T&oRMW!SNKUtI6KOoc@wR-*+2S25bRMSmy%%Kdt0)_Hnb&C<8*AEg0R*f
z{Lbg$L86l#MnsNEqG4FUM(W&RzgQ`ez8;|;%wPz=$xJbe2n(aN@jK7t$cM)vGh*^>
zZq^LMf!jY|sbh;q{Ns8jpp&d{LMHJoR(r@TN>$La-%@}*m7t(VS3bZNlW^-@#wT<J
z^W?s`{7N!GXC-$xn*9$2n;EZu5^cT?MvxX0P0sekUUdKH+Lzpgyo(!$5+n_A+fm2Y
zw&GM^r=|6`8h6mJcskHnJAR`1P|5ernE8=MZSa*5XsLTDDvOCW<Do1m!jt3gHo`kT
z*rNunqOqW*CmCxB?fAMERI23SFD~@^*W-$~KU9AYhwI{4ZO8iK(5x*Zf*!*hJ{d0A
zXj)|dSdW^`;JT92d;oI#wytu*YbWrLkR4-6M75%-;qW(^&4Glt{$y8uM}yR;VZ+X1
z{DmJmDRo{1&Vp&7?UO;L^X#c-`wiFB+l399YP3nw<0%_Cnss`(T&nVL2r<>sp!#`V
z!Fe53Am)a0F$#r<4j?tho$ezWDpx=cOyEmCR3CMoqTB|Ulj<LGg!GBZr3(-~OpTx>
zQo}ek%i`c0-DERNim!|*E%6wAzR<gjzcZQt;U0NLf5hl{UHWjIO~Ab39*C0)Wapft
z3Zvz4+DGL85o5vFqX+LQ39i4WJ&dx#Q4!oeMe|XWqc0<^`S7s|i;chHf+8_=$<A>|
zy422^XqSQ<d-*HpliPPe!B_Yj;j5cNm-36)))}${Z^sGfEa{TX(!xy^z1Kv{I1}1K
zP({(VV<hrGOwkyfd?h{>4u&v+K|z{nxsfvgI%m_nPt9+(yrDPQBhOOhtrY9%Y^#+S
zb@17}9TyTG91zz*Y|+%5P7?g3wk5^mcp}>ITrDmxztEQwBT5ilug{}+(FZG>65zhC
zQ<us>!{<06%s8rTK1o%3yJ>8Zos}cW?}QiB5heK*J~gW1_33);2v^t?nh(aWzCVsk
zDM&m}Mq`z+T;r<ajXHCZFGf_087~{3lE*USsb`G@Tx8JkF>G?yanMv^)FY!DPvTuX
zUz4|N>`G>brv$o66g>a*IaFh3&>+Y9NJpb!MLU9HCwlR1ImU~Zw&@dLFie49-Y2p%
zzm|DX7jAjEmA6=CzVJ5bGp;^v{R31Tk(@h#&eK7p)5(h@YOxMflZRypTQHq1U{z|C
z(VHGzYJSv3zO=-N%qBpeoF&U4`9r()`jOl-XkR_>aaf0$VT6>(9fwtEC7hcxP?cM4
zULoeE3?Y;DxCCq-LR@voyjL8W#CJyu>(VSyZ4PJH2jjzq1|$|1meS1gjsQ}0GJbSZ
zQ&ZX;<E5miD%1Z&&ox-4cYpknk9E>yyCr>Q`cqKAMrFq;9F>ngLGR_Y+SfYY14?BI
z<0@mzrNJpH^J}gp9%p9%D8vd-Fpx4@zvIEcNjUxERQq~v$8Z%WB$;X{k9@E@lD}z~
zPa&yl)Ny*6lnk~)JNE^udL{1+tyl@Xl!*+tAS-%T4W{CldWq+tJwA0~K`$De@gS=8
zbf+n@yPKrCGvme;CBs=MB1eJgF4=cHI9Rb1W!Rw{r)W(DdOuY{G10)F^_}&E!xDoJ
zQ)IjFeatj817nM1bXFA-`U+bFL>Bs%!tTt7abG(m0`nY`<?VBZJd~8lkX=Rd%%1My
z@1WI1F%%C96W@ywJvc{pO-;?v?r!Pn>FEy^c`UAwq@<)D_=}5+m2V*hJn~8{H^{r5
z!VedP&%Fv%LGZzZKuLo-a}ciDR(A7E0g?gaKl97ZNVQH->nluhLDy23)pm_SP^6L!
z_4M*RnCnrZaC7zAG+HW+Vdp1AW~TB>BPQaH+pqPmlQ)%tN^%74z*a&tEo>m3lXv>N
z$w>g8?G{)NEF(Pxk%makOLyWbrvKO~wfkmY|3H0_did!TKvAgsM_f*2eIm`ejFnaV
z$0=NZQM*>GNGs-XxDJ7SdOB^eljz1StxB7X*kRnOoWdlqC@R0oW<9VwvbK_$rAxc=
zsku68DMNXvxGbXIC8y+z^vXB_OnafXx3{8(#=!aZ$k_l@2sINE()RZDhssJF9d}R9
zh}>MV7W-Sv(Jb!fUsEbL6cp6}^!d9|Uc&fvHJLzaT$r+#IBPqRg(&gnw2+vbZ-b!!
zv{5K_vpEVh6YH*QEHcwi#Vp&nniKCTleyc7QbDvbPjdBb7G`6<v^Gh}F$%S@_Bvnu
z;sn*fv}nWRjBnTmS-LjyDLlwjw2rFVjrO6(yh!Qa<N*yoHhpri$7DB|(+*GxIrsBM
zK9$cjaT0%i@CZEXBT{||K}HB1r+tFVD51ofRa8{OBqcHFS0|l4-JfjkSJvtgve?-*
z+PUDH`gnWu$Hm2U#yR-<Hp4TE2i(}u|4!h?VL-fus=ninLRuQfLMn5PeeS662PY@h
z!A>(%hz$ix_;GP6T3Uuhu&wS!EYfR%^qpbIUo{^N%$~dF%tES{+~(heBH-89jiAPx
zTgF;+&((Q>kjl~+Q`u*(0*x25$7AR2&qp||#&Y<GMSZz!$MaB_n99|^uJCR%%>AAw
zx~}8x3SNc<gJys1G20?1=jyy$GMXmx4xqUv^g8a|VPM-Wg$E+9&n>!iRQKX~SFfEo
zDs@AY->YVaxo!5dSVZ)}HF8*tfG-c`tXA8D_5+)omvfB0h4B~@H^F&%3G7CV?>>G+
z{rvf}TDO*+VR_YGvo&+Icbo8dDz*4EGD|7|uB{8GU;+}+uQja(FwI-`(q<$ObHmnl
zJo%?yBF8fr--yODlOtzTbKL#flaWeH>bqRK$Oyh6B{T)hodX@SEpNvO0kd<4yjGAf
zlQ4i2yVXUxSK;hjp6{p!Bw@(PfJl5GJJ^u4aPeH2-+Af7?3-+?uiK|1Q&b`6fjMj$
zXSd(|DMmvFoSY7S-Zj*0ii?CbFm!TWJBcYA7w*hWE+hjk#NApG%`L|i5`P!!UQ2)y
ziBx|`5VdF{=kdbkJw|P2xN7P{O+=J8KMxE%A7VmAMSU}z=&=DWbb5dxu;jY*K1ZNu
zW@bh?)WQM%I4P27ysC$6qb=at^80%=<<PaaH}9mv({3!;$z4SVnFMu@#`8sVtMD;}
zN679&Ltp&borIH#LI+h=I>hU-FCn2Zq^GCPw*?4bQi&(Dwu+`@WUv;6?+}oaSKY<N
z#c6xZcE3pKtECX}UduEK)(SeiTlf+Mx9+|Q;HU#`?Cg}!TCnrG8WHmP1~&E=DSjU;
zHy;F4aW&P|aiNn7VyC2}#1+Z~t{?o+&f>l93nN&SD8Tag>A5_bIAB#2JvVyI%gBg0
zXY4WN78Vo9i*&Q?b<PxT-ioP?My?Jq^i34iZ<i<+8TdKdrOL|6icLf`*Bi03b9`LW
zzrF*iP8WXD`tv8X*Y7!AUJg_`Ew`m-7Z!q9dCf#m{{f>x4&MAAcBddfJ(dCB|LK)4
zoYPRAm3>dHD<MOH-%k<(=5)EYHX|7{w6w4;t!Ies&rbmi!ga)5L91SKCal0JIj;3F
z@pyD{*{i12U>RrUn*AIESPoG}moG@@#G&N{{>m+=d;-zXg6_k^#RRa~wFuYLS6x&<
zMFN0&8sC?AQ1cZtN$e^M7X|ooy#?~Ev%-C6EVrEhW;6;dUJy(C=AH0Q0m|HJC)=@{
zvi)Wa%J9Wnldps>ZI^^sC#$ux7?g$aHiw;^l6+Tq8lpwLR1RJ8e2&|12h1(@PePtW
z5K_lARSDS*OW_lJR)dJlf^W-kC4AWdAB;mDFPpD^I1ors778`Eo^>HnnLj<;?wg*u
z&IaBDC@La5x1Pz1KAiR_CqR~%#C?SOx~;c|(}yqFxVg2KpYgKmBnLLn9?esZJhSq~
z152y_8)LCytMLSd9#syGwyUsrJ>h+OzW80(rt@bd-OdF!t`Lg{-Y8ir8WBz8S`nHE
za<RIMqoJav0ngW?sXnTS8~L090j#G{OWM93X2!-<{5yGm(G63sWX>ZyRT523i&6K-
zUo{Lu>Ow6|d;<yL#P1Jz84w|L<}C&Hb*+LQ*wNS=l`fzbul#Jpe`VC<th*56iwWQW
z5;=QpjNFM%WcTIVpLCcR406GZ++=7J@LrD<kCr5ffBe~XA)MdsVLsl9NtxQmK$x=<
zc%k+=SbQMp{K0^DLu14kh;6wZJvW}gnGs+~Qdqkw?0h{ga<Z19K&f>dwX<5#eUU2`
z&`6rf9^4EB0>!gYjG9}oR|0$=&IZz5y}zjb;1y{3T}}n1qL6o>3E#F(BZJg6LYIXb
zT~=%OYcu*1sU%FDdW{-5AfLo$m|T1f@XhB)S6((m!p74-Jv}Kau3N428lk#eJwIG%
zFf_UvxwyEf7K)n~q}6Q?LGkWm*x32coN5tMzik2ntFnOW<Bu-K(bc%!L-`RVn!b*N
zXm^(f(M2-RtUg$#yhgfJMosD{REPcbfw%6LK^wiX`~Kc@kY+N7Z?_()sD?L%g#bbP
zjX6#h;9|#*TVwoVk2FTe&TRsPh@L^}>E+=QkKH&qgM1wUg3(%C)-PyeYa~YNn+owL
zBs}|>>(UNm<O~#SKtSsNMp%wuI1fZtdkXT8eblYQw=1AB>yak$uskLo&7A9+t2_Pd
zxu?CY+#7~IXRzAv^QX1R0Qx+8?A*XaTIA4nrdeWzPWi`RgBMnefEsQ*?*PlWN+PpB
z$Z~i7CHWTcKZ)iaWsmQ4)L}z=XW-fVgcmM>esH<z>16;MU%ytj<C#kR=-$e;Cts_v
zGuE5$b94GFhN@XyQZ`E#Y}k#K<}l#`ldbl)G~w)YzTYX;i;;{ZU5(LJrY{0(zwEQx
zoOQy&#S=QFbRKg(-%f<&z~fP7%7LJBHL$tO7WJ!-Bj`SADUc&y`OxsXQ;)gTmQZ}&
z#Cob!>5VvfPvpG~8ve>Wm6-o4laU%Zv!KiL`u(~XL{R}#IHH1U=!A-v66epuCm;wz
z4HM#(v%_<z#E1PCO&yOI_V)H~+79nL?vI*E9Oh~Us%5->L<!jTWCu2fXlQ8I40Tlj
zT{jNJp*?10@eYVtNOgnxbC%!Fo5U?%_;D;{?DTeHnN1WAZS=*veOD8(fD$UT1E-#8
ze51sa9=F#wE9YY7J|CG11GV1{c-R)jwQ%7DQ?^hHBxdtF<>1a|mEiw{m{5YgH-tz8
zT!2#|It}PLbM*<)nos-F5zsM}hX*KheR(Gc$$0I?Uy)fhvaVwYBDr3kp1vlH-+Wsa
z)14d89wjgX$fzqrbXhZ4TEB~?^hYNDklu&ly<?t9>+Q0B0EnD`oc08{n(MB(UR(kk
zfp;z28AfUEI(M4QyzMOr10C%roT?2@x#!N}tJQC8a8!WFO3KRJQ5a-75%0Rfk;1Lg
zPM2;-O_6G&t?KGja4vTE>P~yYkf@rPPKn8@y!sPJeDC(kb+L7SjuP?%@=llhM1PKY
ztb6e=d5>8*kc!(G;5D@!H7=&HVK%Kd209-vwR|)&+8MOOM|x*7nb1dU%jY=H#gOM#
zNXWP((C`HsTXK%szM?{6`i;wwLC+H_UZMKBj?3vwzvP)f5i0>FZ78&IQdK}-{yJK@
zX*-z04>1^Nm{ah3+VJ+UQ*!>%*wo1p@KXUTLyvRf0!$Ia{=Y)buL2_iPFQ#YW=FGm
z1IAVY@L}X6aWvuo`~&JB0#*K)Sv9K3c#r&`Pfd;5$b7=6M2*_eoPcaWyNbpW3(FZ-
zpT>mRyv11>5g4}tIOdloj&TR<^i37(l&eP}OK)U_xSJ}%xVfbqY&F4)r31<Qh7ePK
zC996!k7-nV#YWk9vS3WvbOxt|taZZleCZuM03lIwo#G3P)o<%)-(MYJpb_JtElBM;
zgQxWYFX5XWTr-46I3&Uvl8LlyfR8aYvDhSju{1P3z12!f{`4*t;k{Hi?h5B$(&@8e
z(7?cbWX5x*ZIt6%3)&;rBer^_drI-Z`Q{zH;VFkdXZr7XzgxrpW-}7jqwR5rL`$t)
z!F*EO99It*u5LDqsb@!pFc10U%I*=MVa3MNqWT6a4dbHW#D1n(m8&3BNnL2LBa8by
zm@N{U_kJ5>%%+Db4L|6^JLL1dSgH|U-0!?JrF>d#5at#SEdS)bYPS-?R2Wv|IL1~8
zE+1r><<w^S9yc(mKOPwwNuoz)dyCs4a|&K<8A7`#APYj3?~5mj#(t^Y^Z<@+m^J{X
zF}O+7w=0<@Y`2o*u~9>&TRiu`>tE>g1kX)|hfgS5IDNq4X+(GndWOT}Sa>uYrG;5p
z$U+|FSz8%09c-|1p|tOing9K#^N8kM#L&@tnf_`xa?D172+A#Wsge|f*2lg$DcDNW
zBzSB&(?MJsURf>v5EbLM58y4j8cOM3ieMghwpI5I=KcDyV=RdW^X7;cgt#T95JnvO
zx!94oKtfq?V5BNndQg`)G!Fo_xZ8|FmbM4Ir1!JtR48hqwT|!4?>TJH&S=h5Y80#$
z#Ug<`%Whl35N4igwez2B^@C#WZ&@;vi8jQohV!lqT07)8Xbe;nwsn5US<Y-_Mw3JD
zK8pGXWNoF(h5U6|)pXElRa=$muaqFi)C11g!@|PQ8FZ`gWcLIJmcCXuGXKEs)IrA7
z*&FB75X!u6Rf^g2X(PwmHUTp~y$@qAEVfP}<r}WkOc9N2PTo9c@gjg#*uvRZ6AiB+
zv>rA>>e3qiV#+f_R-v*IQ0t=+Jg{x*5wQL+o;z@!L9=a^WS$ZLFJRxX#KJk0ac>;F
zdhwIfZv`2z!Q_N6^}%}5>bG?WrFC^cX0~v55Zu$fW`->mjpqSy5Y-=5GDC_bp~*N!
zoBt(iouP`5AHij7c08^#_@%V(bd3pFPc)VQ{#EWW8>(-$;b(MMIplYK7e7g0Y$GL;
z>3ic3yJ<x>V*-+UU*oVLx;-a%zTd!ng*`-XGukTayg*SN{CGD9?9AHn2tlo&KIQ~F
z>#Z(bZ$EKdFYlTPF&*XS#^8?19Um++4fGY$`|v0gEDh9Lo1BlE6d3<OT!@d@jsi=d
zJ8mXn&{gc#*|VcS=ifl`uk8gAQIJGQ6&X-JX;r|+j%-oS7mk_&=;Cfjd;6u_khZtC
z3+a)E*m%itXGj)qP|_JqDC72-HrA$3v=XA;4q1M2juA;|4u}DB41Zz1u2*?`m_eu9
z^pK%Z(S*(9mwx+j-acamE{9j-+fJWg)%{3(W~5pfO9ss~SBJd>hBxJR=tC+Rl9j=-
zrm?xS5i!Xseo81^8m{T>)N{(X+G>q7;{nxfJcZAt5-2!nWT|gvK0eNwgOdjR75@Vj
z|93Jml3nl|n#=^C5H8r_cTI0*_H*(zq3KX`Hm@D&R%`|H>W8>u;Hny~jUh7L!e@Et
zaax+i3raEn=^H0R`?kq)=2O~e=I45f>OpotrGlXQE4~<H6h_udf+^XW^w8oavR}IA
z(3cIin-7nzzEmk1kO?@y9LC#Nmp>nA=>P*#u5d(qDU=$$2+<=Ru=DyT*d#U-6JtlF
z_P&?D6&@0EcX5W@vOVJPMPam+z$I5zb&eWX1r3dD&0YNFaGlSru*z8vwT-Q_B1kY=
zVI%2m(Z|bQcMfZ4<9<z7=y2Ol(T9^`vtiM|L|`XN+;Zrlz7L4rauZM*#6&?|Y!A98
z=aB)ZF{<aiKFp#$-%=|MjW>FmhnGESJ<Qy}V3smN&o%0>WqND$#k0a<(vtP!=WT1@
zd%j3xA~G_EHR~0t4VuC*nN&tK^bzt~j`~NaVle;3tJ0z?#Ymk+CK!!{=924T#K>Ff
zDZ@V|QYl~qu$7R;DLCRR>&_uyPn#91iu+O@wr|*{rQD#wR-T-g#>|-^`x;q`?i!g9
z_m{45XK(TDGg+!pMYw6ne<0o;`1im`3x$Vg%Swm*=ZH||dN@RM$%T3w3?g(bOSyF@
zpL$sk^5j=#+9qs=X1p*Y4-gD~e)NHcOC-+r8`}1pjd*f_Bng|~c%;%+@t`~6S+rtn
zG#WbV9=6)num-yc(zr%)yhx)oAFW>@_eTP)(0pUQ)vv*A>D66iXfi$YvKy<&3>4su
zpL(6_pu{Ol#HYq>^-?zNp;uSVICZqOk8~3%U5!G%C2!WlB>`m=DSC6HH#%bY;?r0N
z0Z?i#Ob7s)V`JJ<MC2tO*o<tF@Y=3HGmtM)F)anEJ^@R;3#+TE%w|x;QViQd)uYXP
z7^;zDly`so3x~!C%G!NKjs<BeKb18z40#XWTF*I(*v~PjWNZymAF*x^UxGj&M2l;v
zd`8xB0cQ1y2d&ipW<q9I0R>5`tR-@~wvCV%Fgg{FTd5iezEqZSG|KhKFw%xqW*wBp
z=D9|2Xe8A1pkzY#T6p!gMfzJs$ysRHPeP}V_!8e!>s`pxt=-}BSE9@P8Q#H|=4Qcg
z>*NVEA`WUAnl3@6xaL8&Gd{ycNBicB!N=m=_zm_gWvD9g_C>8xqhr@lDicOZS;3qN
zxDY56GcyR?i5Tv3Y1a^|0ZZsb5N6X>L1}4ebd_9a!=2`jt*6~+^5j{Y14(2%5i!KV
zp3Lvna-$G2NQrwx2RR^8^ieT^E|bN5PB=JoskgQRYI%{pIQ2^VbRjzLRk>pr+*(rT
zjbIAPMH0=Kclu`b7VHZ7wuqW?7L~#_J3(;JUNOVbai)~dGv|45U4dLFS0is@;kTR?
z8;_3gOXgVr9d-W|gC${TT?Zm!-zsO(Yti4VzLhJkr$&`I-jdvwOr<?tjR;Mqu1`&1
zemd!RZkJ+?iHuTWj&bMQ3a8(@c2~zY)9SpqIuWVPWZsw%yUt4~2MWZ<g{5&q<Rd<%
zoR>M?@}l707JLo7efsrX!)p19R}?G<A+4n@#G(grGi%V+lyjC>E)Ks7x*C2aDcgpS
zK!a9ah!n0;zFZ;{m`H91eP~EzF_pCSvUzOK$s^N}4^+?h22<z+J$IAc@(r*WIQqLf
z_9P%te)|>W=<(pQ&4C@DpCTEW7LC#=L47a1!XGL~>*Lj;P|%vUY`VC1d*Cg(DpVHA
zv%;ZY#iA5_ZJkMmcgr!K>*OV}z4!Syh=Rt%Yvd&yhZLK!-a#o1^IIa9B9~0P!D1fQ
zHu^d7sn2iSs*O2AzCS(k1fu$N(VNux)KcohKRLrkytJRVA%uESZwwBdyWW%BI^Phk
z4kHaB{f%9@dj2=)N(D}g@SSH~oAM?>Q7H_d$GCC)z1m0spTl^**$n?RZ%q{Q1-SQd
zdx)v<B|t$|Ug_N6^BY}gcD$Uda*kiN+G=)=t&)-Q$r5J-k0!QvMz&^1LtThN4_g`#
z1AWuOCBugGrv9=z8STA0XGFvyJe^l^b;|ZvKXvO&i57h@@F<2M5}TNj#44}3?-@#K
zz5_OGn{wu2XGX49LtNJAOB1J8t5S{WoOvuwE-vTHWU7*CnygZmGK~@+hKW?I59}7s
z{Z7}qqH+^i6iiinl|P8xTRcBKdc>qZoKOFiUYyR+tZAOD&(-ohHb+7gr7EDHEpd)s
zWoRu?ZO@G#+nQn@Z3q1vrr(`Z>ukBo_}<_=yeAbmVT!)xnt2P|I3pA1<9SDXDEmlM
zUtufAp8z&l-Li%{H5s)S5I^#^Hx)Y*7v+IP7K9B~ycKT~1=K?}pq`791}Nb>-*Si?
zAumuXLzp{pfmhyO=2PtgD2*i5($W%wmIukTgZ&KIk?pNm4_YpWvU{cFs)*>ZpfU$a
ztO6~3l;bno`A}gm15P%BS?ng*4A+moCc1gS_>1RI^UC+{-(5#4UR8i`koiu6!b;W{
z>d_K6qG)+g7^TILN$9`cys83D-Z)ui2^1bYW(da~GLBDigf%Gj8=r_@G#fKr;ufoV
zkKjN<sS0?I(HST$t|TVMpSs3%lBqEyv(Hc?cW&|&F^H@G{-H*IJLP~OIKJ6?yI=Ol
zOt0*Z18?pj_S|6ozfhh<8OdMx`=U}_`_m-u0~|sm3#e}x_4Qmb&Q0ltkDMA_3b4se
zu)!k4gepl6_GotmKa$JM1G-;DsEvdzDOcy=F&I~&$ogf_&t>b8*is7Ir-^O{)6mhs
z{*axyWS7C|{*yz*r$Cw(*?<NLTkm7Dw@h0!6k(O1l=<N8R+@W+rv37l%R+1JGoBGH
ziLp)h!b6VKubA#{2WdmX#xD0Qex|RMCu6-obbpdR-|^{4V;77u{_HS^h}7p`{c>@x
zci-O+*`Co^5j=V~Xcs)xD~p`{b1c_Pr@*fxdm!H&Y?ke>`WJTOOa&5QR6QqTsC@J@
z@gT2=vDb!w8bXfg281-_%B~Z1Z#bt`2(H?TyFZVm9WSQn)-@Xh-wyegUvFpXuUH{O
zUMz1}fvNp$zD}NW;HHwLSMK~JRa=|IX2zD683arBwQ6<v_c<twxzZxLrEt%Y->ZaZ
z3Z-SS;A-;MRwj{W(xW{YWb*^_*srJ%*s*P}MN0#X2(9#i4M0MR@y3_TyBjYh{wwqS
zcRnbI!|V%>8o`CbQ~c)k#VG015+Cjri4aTx9c``9RpukL*81U3(3|uTY8pn=9T{4s
zy!mAs`ew)Mxb3w~b2;lAv>biTShEm`h%M{>JZ4E+8P^YU?QAPY#xO2{B3Md$1-tXj
zqK%Ki#1N$l1jAXgs1n<%zXaHS!69>9Or_su8gir0#;|L-lV!uCQ};&fwb>KVPxO5Z
zABCq3Y*^9bU1NBvHhyd!)7`kle4|b1!%mVyW-f*~gM8kV_+(bXTkv}8L6!{eY8zhe
zPRI1u#2IWq-GT{OHlp8u{@4XQZI|xA-y^_ztzh?T+3y9mJMLKWi_HUP9+P`wu-?i1
zWv%~bVQxaC-bn&fpUmhdbUuWaAXGqbfS;MLODI1?eX)tNxNdn3CeLOz`;42De%-$>
z$5iL7!sSR)?#3bO-CdWW>Lx9@0CuHazzN>t(dOY<-?9XiN0WhH6M$JtQB%=EjC_OQ
zfMuZr<N#)^A4I0D5@FX2Wec0SF=&{bqPt)`-$1OD99$3v4UVh#WoUV(<5$)eZY_=>
ziIJZ#7L*2O8jy$6IU<OUhus-yN#!4izJd}S{U6Q#elD8uPyF!5B;B&u9`AIAewuV_
zRwL~fyTtF$d)bm<!B!jbg$3C1*d7Z;g$}cSdj=WK`~QNE!>@_bC^(3ew^1gJP(p9Q
zdz`pY5{y*Ny8QV_{CI0!CFU`7`oqsnGQ^X;AZ$Q>BGj%z_-5mCv{p|OmuNl!84IIt
zv4PNH=jlQSBXdZQrJZ49BfI7Z$DJOVVbQxsB;O&~-GWOK%!>J7T>plo-LMgBZ1Hn{
zw8oYE446_;QK@@FS7Nhr`>Vz0$rp-BspP7c@&A?J|2y43^`UXqz+p_J=akk!vYJ~E
z^n5)@9GU5)@Uel4(pe9si%Dbcl_q`89DA(c_DE;X7z)<aaoErHW8#NxeEKi=@^kX(
zZnTU9$H6Pe%v$J?dHH?Fa!*}Nueo1csf9JrHA&j2rX{On*7<M0$y2-N)vvwm`LJ^I
z%}XPBzJOTCo6^nW+QI<l^xAV^*6Ax3&mn#jmzvyl&GMP+BTr01ywp$}-`SCa2KChv
zjVPZ5*$>aX82y4kbfSq!%awMtPcJQ84b}d_5dNiQoHo&Fnscj?U!WB1CkKtjex2P?
z=b(pqBJDv@uzs&#wQ#)2OsEMnHj*y8@KIN@yjf)SNI3Kt07+1>3U7*ZgLJc#m|nex
zgZW@P7Rur*db3E7zYwD_@d6zapA*C=RS=gw@|tzex8J4uUgsjrQ&A?R-LMG;vtYLO
z1+8t5`7$$Fb!$hw<i=$q!y%8EIq;$7>O#nWgJ|CK{_@7+!r-OT0&M#+KVZp?Sjj-|
zP}m=rJDc#6y@A4J_Wb1cXM+ELp8r(hC_u0ft`v69@E%&OH&+_;=!Z}$%|NrBY2oJ9
z9~Cr!ou2$UFLg7Pr9x3zeQ2TYJ+%Y7$mZc{6V+rA|3Fan0o`B&Dfv_}<e}3(!)L~@
zr~AN`(>V4;Qn2s+C5$g0H>L{zLzKpji@9-%V=-N(`OlPJ=wybU4y1{4#y@CxhhHj2
zrbaVOy><h$-5dMlm^qyS2ty}1#Zir3amhcOqLGj>rLpggq2+NM?lIAnrX~XjahWQz
z=fJAA9CsD}1Zg2+us&*8K>IS9uYIx+^5%D8d~=F`V|vU_974Xk@K+}i-eW>&;bqFM
z*eK3#oSy^65PWWAhFi%4DRVXC-UW?Zy>@czo1_cCCMKMyuK{Bd){|L)n9lA7Yq@IV
z<wU<9h>PB9a`qad^n8h5;*K8rK*p}^NY82P+s6JqPC6LoW~~otoxqPAtGxl%Ld*W<
zw0iDa#W!6ZMu|x$0}kK)?C8na)hMZx$IxW9J^3~~?d%YF9>k>Vgq}=X#V=gQ03{~3
zWp1uvPF}J1|2RpOKPEZNypx3Kl<WFEiwqBOuCfn=C#4vp0+5`FhzRFHk#G_TYlr(<
z2PA7>^zNjT<jcgil+!MAR=WZ6xZNH4jT(F<yB4TOtd|o@!S^Jo-%*R^CxD3G@UZf~
zj?>e9FmDS)s99nk82FAulqgFr_!2dJpHKecywCjY7x(2C)g*dsq>WA>i~Kj1%Xftk
z309J_ksDeTngZD=6l)&jqn=MuLM^X(m!pi=PV~u(q;@=%D$V}h8DZqsPGr{-QSel}
zjlnC`q>@j^FE1%BDXyplrMkBg<!*H*Ez8^v2XXS$_7iwmispT9ilugA7|_w_@Q{Gj
z*}jMC1-=kJIpaj-(99%(Da&q%uL3nKts^i{5MAR}Ao^IYPoxhGCw-Y6*Lf_kHo~&6
z#>2Nv&F(?(D~qV8F;0e}L-HqpwcCINQoP{FAf+Jx6DN!s@f^JA?rJrhG4V*LeJVe2
zxmAprmfv|bqUn9jz>WlxIWQ@4_gg)~R5Nd4=2x`-U>-ue>pX!*u_qmb%YTF8e@deN
zBM_7!3%&}x@!}O7U?)nGtG77JohWuocfakwZ=Ok@w;kwo^KjjtZs{-=AVv#R$&ApE
zXO-?LdC_l>qF8&pBDXd`T}R_d<9-c@K;&b4Ck-i%iF?~UE>rHtAPm~VSlifpYm4FV
z?hQ9pp12<(Q*rA0v7^ju=FR%%+jl|}x*U6vn@qkOJSgJhn8<DTDA&?*N4L?kT(Yqu
z)pDqtxF=^EhFP*PY~)HWvteBDa5u0iDSOVzwJQAOUVg-Xq2NG@S%@L`twlw##3l|>
zepU^8C*hs{wnimh!Vm6}6`ndjNIUiK!-T5<a&t?|`pwzq|B_dQh*<pN<Kun`E8;o2
z!WR`yta<REYPP3ys>k9wr?D9nvw(AqB@%@}@S*i4KY#ISk*UZ*+g_#=3Xj(q;Gq0u
zB5=Y1bEccRB4+sZ;CTGC(#mcANPdTfNw+AuLA#qM7N1SVP(m^T#5^Ii1rQEnFV{|P
z%V6aF*h~n+pjy)>6T<R)-u%Z3Em6R>Kvl)7a3yu+B78sMP?6*jsZk--)OeBR=es6F
z$pwi4T^woIxHNj3T=>|>!I|fyITHrMnt~KEiaplU=a!{gl|EGx`u-8GN+o{zu+=x(
zzti|X1<Yqm_+y|-(}|;p3F=x$i8pKH-`nmFFY*bMe6q#$NlsZQ{wH9F>ud`P#bvx!
zR(T`#7k>M%O3b@XY|ZY{&Ue!Z|I}j5R0=Aq29z;;ru?U<sA&$Bl(o$@-^l+{3)fm|
zs1VjR1vbR`M<&b#pT@<)#mq<dPc54Dp<~@LwO6W+{wKTO6GO#DeB!j6lz(cm#P)~$
zUHhqY_8+*WCOj%S)FDvOmB;?7%l^wq#{|%^w&)vb9~AwQ@e!h+rbj?5vn~Cn7T2iI
zu`aQ(S6u#IB>wO441$$`njSV>oA)1GCIA6C*5mYyY5)JLwfr~QNP?i17bTEX1<Bv~
zH}qrw-`vENwJt9!g`Ewpaa2`M(C`Hk(k)W%m@RpxJ9$3pr{*wxlZ$^EC5#+35-7}q
zOEJ#c7O3^f7w3}`5YL2kCdv#V?dn}mO~XQf1UF%Ic@pimugX==)1a7_tT|bV{6Ivr
zwziARgzLX`gB~`ayrD7J{yeeu+HHe(E9TcP&tZ2fr95Nf_16uwVsziB+1L{?`y0Gd
z7oGDe3fdUp$(69tgz^Mz>am7U6t385z-V9C$;kn(Zf??u_X@LP!iuKrPaVN{NncNL
z!ARVnZ5}=L^RZS4(GHSr?iJ>wJ~CVmg8RT>$7{Fd@1vdZU^e}%?zc!nM!DHiFSzZ9
zh^R;6&?^)46W1zxUQa9nlsNyLpdTB+AOBz&ux)kCKii<Yw%WFnIU8fs*Z}>!{PscF
zZ@O9&vHFdE7aNvW*ZFfR=p;%aX@7>5npbSI0O1we)r3sv&;o+}*`(m<0EgpZ3*3Nu
zp^W>-8EOsZGJf?u*En2Y@=%Jh;#MT@jm;xJefi?K?%>!tIYqsz=MLhbxG$x2p0Rif
zT#rIvL_GJNE30|SD9`2h#L!RvztUZeTZzMx^E%>@Q7{w;^OA}E;bo$p$v~NS>%IJK
zx%7|Ihjy5+9H(%*A;+1Q&ERBZhH~@!)#X9IwgC3D=M4}B@zco!PIjIW?cSA*x2vbL
z;V42YpEWZ-c{_5Z5%p@{#^l1nt-s~t(LmV|k4`bS|BWl)=CWDJ|8ZGbP)KO?a-RBf
zP_Z>^k}hg}uEfGI{_DYNhybDh>x9;6OJuuOiRjbngq!N1qSDs9CyIS`V6-*b)|R7`
z@hkXoq-Zd)(m*>!$Hv+aTJjmg;chMQ!&P~V^7h3o7O~FLDz_fYzjo;p6LvEj8Xk>G
zYpWP{2EEeUdoT3PZdxnI!3_y~R0JI#9bB*+TB;~ZG~*20#*?krWWAmZdj2oE;AIF^
z;<%6Q!?P@$J;SpheBL|~mUB-0q}iAh(2>@7IX|T!4P?ppV<Q(*qFI!TpjQKH#wjE`
z?;3c`fnV_ouU$@55T@<v^V|qs$0kRb!^stauh*gNL+hQwH0x0;y0}Y-`X}?cGK(Kb
zRJ8B?T}HDXIHrm@Eat|8h?8^Visjx9A<%s<9C<R6pq($b8fWUMdpKoiCXI-Jt48E8
zXE7$?wGG6;V(nM(K9aX|zr#?f&81;kl3rWScV#nydx~rm^ac})Jd&-DJkdPy22fCb
zFvGO3mwqtIv(^<6q9qpbp^zmN^3VZ&Wlvcs<o&)0@mS?})f^&;3G!?cjQ}Vmeu?2-
zcl%({z)$Y@j6e**G?;z$0C5uFsk~~or>N0y5)tEAet9}A)mcu?dhbtnp*{eZ?P0uJ
z1M2KQr3J`$d4B?8<M`r33`{>j%Z1fF=VU%7_>UbY;_<0$;}nJoG=-d<19-MY?HvN-
zg3fu1ZJ^S@0q8v<p}<Q^BGtz&ujWR7ip_)e1blHeh2YhA&&pO2=E`>Ar*_2e;6E4G
z0jJrcKkTZh9`@o)C5hBJHfu}$(GTr??T?7Tkx6enPxW4MK@pEjSDA({GiU1!SVi?6
zoc(Qg^aTkT-9>ceX)kYUk4T^4!rVR!)A19V1>RC%e<Muo@JEpo1vCe86Yq5EXmyWd
z4@ZbGCN*bfa}W}a)AK4K3JbP$(lEf6C<KLNiWkPXm&MWYF<fdeUTqj!t#9cp1s}ej
z^lpN$<O`oe9mkBiCnbWx*j6&e=<Tbv-wD1cf<DI1_H+D&B%vV0*ny)Ah_8vZJzW1~
zeP&{SX1Rp;wPW`o`C2!@WhL4T<|om0RFMPPZG#Wk)(}S>t@>{SO8eH+x~lao<@0lP
zHij7WgTSJR@+aCa;msIlBm#BoE<=m9Sw7DOL&*g8cDPbupuEo`7B($c4su#J`e-Su
z-V_FYxhbW`>c*29-p%`{lH}PPOAcjVy5@M@XcK<RarwG)f9T8CBk*`Fv#Nv}KP4X!
z>?)doyTq5JsyzMMd`_7SXZqcmjs9e<BBc`b+TVR6HVaajly3xSXu`bSBY+nO!R5&o
zh=}-0TyM*93k#NO>W4>6EkC_YHkl%%EwGZOZzsPL_iq=VNLMCMkT(<#to+;)!P21F
z0_L3RdyG~(Cc5Q)+ge6pAW_M_cqsloIPZvB*~6dT8&Mtq+sf01sWn}V9-TzV*t}1|
zRq|QhIW|f`Q>NXza;uaywgYVMfvh*`D9@-rYOuD30i<zmb)oLY^{29cNS52UE6U&u
zru_QCGs&aIj}#{cw>o$Y2r+kcxvV_Va27*Q6c6d6fRVh9fc`_H1^3URxBZ_^`n!e1
z#;7xT!#cAcrS77BQSHTNw-m%KZIeyljih~1qN=lcQF1cmML3&Jds<&vqwjZ-8gOV8
zvveZsXR^lXW!`ejv^NrHyAXWkCS{yl%6_!{6&uNo49XfwtYX`&%=9Vu?)ksC3E44d
zDg{%eBL%)S+*YP$XP?=%iVAcT?wWCh&=hDlmdMpbfjVBjs><V0Wz%Y`NZ@<Ft+VoF
zei_x~@Dr)v2ycN++ui66CEjQ-?GZJHZB#nafLcJv#>L1euWzlf-9S`LXX|)(yA5wY
zt6!qp(&4coxPxxdpn!<1BOc9&u#m4s8~WOKUcvI5-{5YOa}6Qj;Yox(<2WH{|CN-#
zVGf1EtnM(uweV)}Y#*~gVX%W}bT22}*SGWz3XNYAq^|C4cKZ0!ZSf3Bt1+60al-vX
zAQQw+i~_tQn<=753nv&5T(CF|F<DTmyY<<E0A3$KCpI3Q{ou*gMq(XahsAsy&fv#e
zYH{BpswLxw(|!dVa~8vb2~GsJwJerLaLD+f)fD%kllNti+h?^S=gO&PcqEac2_K9B
z0Zf{HUK$RG^M|YxReO<5zYRf#%XFV)QL@A3xyEo~JNgal*01#gFYPt1<Vv2;zP7?S
zj;?|pCC_<`FJrz6z29M~JTo1!=M8ugIw7;=*o+x;YPUK(3Azf{VA(95?jjzzQGZz|
z)ivmQvgI#fr!Oh-Cmn==KhEO9i9AlBJesVufwOYIoLnNvdi;)fKa#|W+wsEeCY?F1
zglXcutT5K8gR1*`5l)u)hTk+`CrP95Bwk^KDyg&-e}&HFDollk25;3hn`_W|-k0Vg
zvVUQ6nPEs3%#8;LY5N(nDT>yz=w37QYc@nNpMl_IK@&%p#DQ`)HbZa3WEl;{BUK3D
z+c&y9TY?leu&nPO%x{bFU3uQ9CG^(!eTw_xMNF6^y*sr@^Q*a*U7NFT;CeMUQpbYk
z#{LQY(8!F~DL_0yK3#cRwKPv~<VV9EQ$%T6sL`FD<5DY{k{+7j>NEA7_sI(Z1@&Lr
z#iu>3UazO?QLbDJBl8tF-znAFxtaOJ<6M`^kHrB6tzbl9_cuT_?27Ndg@IBRRLYYq
zNKl5IlOz&P*Cgo)+@+Qc{T4&<fbkee!H+0tdXI4*w$P`m=5j8BkQq>0+|GAm*z7bc
z*NYhhy~W|h<y4CELRjcH<Uf0hO}4q&l=enhopn<|Y$mh>{RrjfOoLoQq6z!y1z1>#
zD>I)XD3CO$@s64GTX=*$gRs>qGsm+(#mVw?eJW$J+y<A;H%AhGGbytTC-iMy4L@Z&
z>|%2iYz?4Ok1X$*V4!diaOvAFeL4MR9yLkqfjW?-Qt1>~%ESEH&{2#yzPxZBjmn4B
zV(OANmCI)w*7shZGkn>Ingf76Ldf1-V<qM4ekmJ2-gau<bahHknN6Yu<Z^&P)wh4^
zeDskFJ{FsREI1FeMLRS3HNe4GydCQR%Y=Txh;oFGqq}U^Q}n*y^<|ajp`im+B9dHu
zI_=fx6b9vrS6Nmt<x39*Vz#Hrz2r)<7(M%MUxFk8Vf8m~wE*vM{ly=U?-Mv(AnRN0
z)i?HioPtC+D7D=Tn&qY{qTh-L^~Q4(+Pb(qlX%_yJ+!9x?zjxo75kJ7FVbraks>LK
z-+GJR-OB@v?|7v*!J4hIB)<-C@qh4Rb*_w!K;HBaM#wW30o}}|oqu4qoj4$I8oug_
zEa(oqm9RY7Lpx<94Hd_dNaTN8Nun&{?@rENwG<PCgte}%3W!TXmP}enDnj9Q8&n;b
zok2_ase@-4%T#xm$==(564fgD!r4Fx*s;Y_wepE#C>xVmr-HB`XitunV%j^;N$`^$
zudVYvLD8fevo3_=PIL;3Plc%c{RDDC@o8y)1oRxV-@F$+wzC|pt68ORFZfn*!_Hs(
z<!tS{glJ3}QN~1`47rJDO1TSR8;Hw=wCbZ9U$+*zS<s!(l8SzJ!=pd#@wArX{3nEg
z@bM{J9yHwpfxaHBOU9w?;p>GN{#3|HMn=MzgPz44C>%K{AuM1WygPeA^U1b~g9(Z4
z>Y<UeC|3P+D5mSKS_CIOBNB1!$7YJSnAT`2s_;Fic@1F7g_TP(GSb&Z{KLl{h0SK-
zTDOZQUyy@*{tS)q`4<{3u8wB0wcoGcItjy<02TeJ*8t!b<VEizxwt+IjQNbDt36P0
zf%K@&`t_Iu9iR_k#a?T^&WUInQe<&))%u<&5O9{o|0wd{y@kucnHxI|$Dq|@gY~Iu
zJ<3m|>7CcT{QRdt9L&6Usqz8S?h+@5&GQyIVDFj5>YjPC+k-<u2-UB{CES`~f>r8R
zBa2sqERIVzWQlpAkvE@I(`sk2lg_iTnD^~N#043v*0btt51dOE0itGDkA;4?HgR`r
z=L<6AnHlSv-{gGVmMQ{P!+on%*nEW+Tu-mZfS-JYx;MdE5Ir5yv#k>P46$2u8;j>F
zFJOy5-Mt<F^`fO}wT{pKdJUMH9`jkEy0>-_`rzFTeVKB)T;=%kWIM_|Ub>IHLv+>4
zs%$ZW%BDk^^*8(pw}-UDa}H4j`G#HH+*TvQ2tbGh5w7-kEr_?yFRPB~je}GfPen>a
zmEMho)HSVYzGIi=Z`9?H4><ZmWn@=H{||*gdcRA*XHdh>1G_gZ$D&mm5zDRtYWM&E
zKmbWZK~y+z{^jeU-{X&<c7>80%N%fa-)3ywdlCJfdIW_?;E+8+WYAvxv~fQkc(gyt
zdOP6f#S2ihQZpn3Z6|(vP_D`Sc%^@DSZLvv(=wFDQ2c3G5+8CHBZdw|x^HJp{%kl(
zvu|3{Q*hyI5ZtXrP@}TFH%d&J6FWCz%7*oH&B;Ky>P_(Y6aC;{$dv?@17gC0*ruCt
z^h6+HI7SClt&6^o^tI!V7>~vCmZC(>1_=IRGxi)g4JWUn=+gTUbZu1+jzT(SBxCEw
zmDu^mA&y6paP{`X{d}jiYh1%1l5=+{>Cb!EpI5Ef%(jl_vt1eu8@EO82Rb0_@@f3E
zZXaq_^~d^kYjE~b6#OeUMF0MeqiSg%;bIXTdd4p6$uo$ftYxa#=UCGRmDpFLE*6Ij
z>{z!F%U1u2xO6K@m9B<IiEr(yzDS4+#iIFhjXJpbl)(LcpFrp4b!b&+Lvm~c7OwaS
zyZ0S}6|V3vR|#EvJb;F@q!uz<lOmu9C<2PWy@f#btn>CNC5n0BVudlNS104fA2;pB
z?B%~2lUJF*%8JAI*ZO1G$k))cPE{@>a215B4q<fD88&GF&C^p+gQQ9Cc1?}drrRt1
zCRcOPRk>;vwBRJDNuxSw-lQJt)hI`qxPWpO?7x`hJ~!Y=%pKAf-p*8{b7my`%KG_~
z^vC4?48x#q_3o;io767f(?<EeWiajIH}Q0<@_&2z`3m(9I4CPk9>vSS&&LPLW=zH5
zpb%qaPuy&TERhvS$Mjfy^WiJ_YR1o~+Mo%_`J~{Zx8K0@C0mJeIx@M!<?hB+Ig*63
zPR57enwrbX>#09B;Qe>s#DpI=pi<5H@b^i>=N}Bk$Fr96xp3oBe>@h>pN@ggKZgaI
zkDx@6;wVzY8zD#k!1TFGk?P=qE2p<&%%qu!Ov*G?>zrBC))iAQb@gv>;wt*qW#41f
z)|196SZ)EFT`btPWHO!~@*gC*`l2~w3T>SC4F<pWIpQ*?%q3pLd&37~&CyF#+^KYU
zCu8Eo@9;-x5(0`B22!K&<$HrLe$F~nZ`2e4o(cG1`0JRtd?#0yfmxq_hzSceqjH@l
zsLzS(se^wYI5OT?>ANZiC#JR(d^hGDy!Yia_*AHcmbEKk!w=u$m7yQtQi9c3`8|1b
z7e>DKE<XP52NbVZ6Ll;4V$rvs;G=KmAf2n+CbBkucTSJP_Y=op!;uS=gR8Mzu@67~
zJHGwqJ6y?hMMl&qyff$pOkc5s<UlJ_^mWI$_lDtvuje7dk&0zj3YO2Ai}icYaMhTD
z19RtkE`D1&6Kgj7ZmiPBUOa{=W8cSfFAT-0E6FHU!VjLVT+O{&v7B#W{gA<N(MlrO
z_~Tgfr|U=>C0#j(#Y<Nr)!7>j>s7^}O^Y$~!><vQ?u6KLdog_IFr19CqIJtwDCU@i
z&3g}0p-MxB%^9v-9T(zB`ji{{TXN(%d_QdlF2^Rr)zuk)teb-uUw##*cz=VMHIP8d
zmxweg6_<?|%9u7+tUhSdq8S{MBJjt7!^q+)Z*s(G40~xH=50NVCQVzyIr0>Sy!s-3
z*>jfVIWtDZWh`F21Tj`;G-+55=k{*I8$&<Bg_tzPtZ=~L9joy6kbxNW^>jE;sVG{+
zi>^som_>KCS4WM5wU8ebu>gdfIfGOx%noe3jEKYdWXu;xaV~|%H7jH1iWwMc#5Ezc
zAPT3M`25*Y86)G}moRZ5`yUnGN<|&<?btDhicg~=NWy{Fq$fmR@uH=OXS+9PP!~aa
z)?@In{~#nb6^V)IaP#scZt`BDg#ignY40<KcHn0ccSXxrMkNw8^S}NG<7X@*nd6$%
z&qNHd^2thz!}28yaWTn?It?2l`t)v$7%~DUF2!^8+X;vF{f75OjKCK&enLQv`l#XW
zgPEUyfX}BaMi#Bmq_2JVpLg)_lqD!zs~PH+FN|5^zQC#2ggnoQz2agewPV#Z40>${
z&L=pcevN8~jR?UdlAW-|;gb&s<I^b%;8&v|np7^0rBgn|o9}%_g^%KMJUXy<vmwt{
zGglyhifi>!Uif~@`;>1PEs-)nT_5gjd$C|3hi6!+r6+PRW7;^p_}mLve;@><iWP@9
z$Hmy-y?Eof=dp0}VG_FSP|7P4pA3BspG{rC8)+qQgCy2RVMq62>FUk!ELjnC_&onS
zdn`szm;<XL3BIgUOdkDjy!qJ_IFX2}Qo#=)rvqWNIU)M&cD%xJmvKC-R;xbTkb>~A
zFr%OE-?Y%c=2DgqS~ahaJwMOJbHhd=Jk=3lht@M@(0d5CdZ2BK=5R}m#Kr?BAcNJ0
z`BU-lvD4vEsw$e-uZJt=PT>Rt(TmlR+3Vz8nn-^!4{x>`pEV(Uz&VAJV<vw5<~<C4
z_ZwJBl(Uz+VlG}7I07fbli+MF`tYH5ad)RH%uam#<qSlp*vD%ZJ`-z}%)_*$yWr{N
zj`j1t#4AJojYQ`XXw#|%&g}jPFFp4X{s@dPtffK^Zo#Y>^AJzBN_i$Md~RYd9>vVr
z(-9t@%5gpu+t)9`8!!J0<L0b@dr@B$CGmXC^OM~+VgZ#Ndl4VJI|30djWGVZ_ep;6
z7|n+)$iTX#bFl4?69(5K1Z6^WAU^zj0#LLZYE|;b+8@8eEAM`S7|J4n(XX68fTcfg
zgsYHI)%~&V$BB6N%ehEpyCEY1>*i0wkioBG)1h!QZP5yj(Wmj&n{Q&>p7X|-VoQz3
zN)pg#W3o`cej_BD+l99n2j@^ooMH84b}0*=#k0S!<k&S5u@){yv}g)TVmN+1cnVpR
zGco!CCVV><Z@%?0Vx0=3alPu;y?QPNz5D^rGk%vV`*_4z>3^HxUc5BwRx5?oeCNFP
z)jXtu<EgU)R?QrP*WUU7aSlGHTe%{_L(U<Zk6C7NI6io55N563i8_3L6hb71y*>!@
ze>=oF05isq#<xGL=JVVL^|+vM=J0-;Js-_y>5it<W|j3*5l{pa0Y%`y6oEUkFp)`x
zFzID|iy<Z<36oZkEFtUe>sK6cbhQz;gl$L97z#tkm1s^@9Z-w}OKe;Mj-NP#rQ7!6
znXawTvt@lOTua4MGz)Xaa#ujnY}4w6Ay4<m{k4kQO-yAX!_}i>r%vFbd8@cu5K1Lg
z6eK3fET*iIL=nj?gB-V8sc_YalO|dHtx%>6nv_bUqQDhuDz1)H7-S+Y=bT;L(WF{g
zBnK7Z3W|M&!I*62Rsf_(BVX|kmdR?Kmut2>{4mU5bL5c&#t(6m$TkT#CTNtOzs1_e
zMar*U0r7$Kx&AFks-)>=2(Vu`dzZ%0!EfN*k4EF^$M&Oj$NOnr&;zZxk|aS4k8R(8
zMcabu13n+UTUTd}St#W64CZmQxNom%c;&^XuxZN?^nK!aw5?MHX{jkW)+J`~Vs`Ib
z#2=%-9FL}zOK>)pMvIA8F=fGGJkOQk@<O(7CCxpc2_{bd92L3x#h!w#3%1f^nyiGy
z9o-*#1an><O>2o@^l4TZsdOb;vuPhXcX`!_LtvqjCFIC8iP}(VTnMJkT8LJU48g<?
zpEW3*wzUG#|IIPj7x)rtrtine;0Sy;dj{@rPytyTo8ZhJN8nPiAsSWo!@f1Muypq&
zDt`;ny;&t@Z-u8rfBeW5=RRF(;?VwcsN3Z^41eu;qv)4d|8zdkY3!3`5;7xr4=o>7
z?8Hl>Cg6>}?Tk~M+tkP7&%K2OYxiM9|F)bgTafNr3~!GakFJd?@S05cx}{<KZwC>b
zXoa7<xQz%Yk%1b`x}as1Y50W`_daYFH_Ekh%Uak<H$cyh_3-PGPq8D^g2{8Hvt0t1
zR~Bjq6vI2?reOa=-O!?(h1j}MfxZ?q7db|AbV*{xla-o`)(;K9r|&%rcPc$;hI#%~
zvv;}9)y)Nawk*NJy?>JjoMam<V_J13`7_kOTdt90qeVusij6UiRxm!^B+8gtR4Rt&
zhEGFSWCA=coJJ&#NQMs@jLr?p8RwG|6X8fx`ijp#gH;>1qi_Fb(Y-+>T7TGZ>BuoE
zkZx4EsrE4V=JbhkQLg!8m_B|a3cJx<oV({ZQc+wtWhE63KfL_raMUkD5)3aODKQyt
zE}2;I^8y@>FN~RsXP|z7H*EiU7_anwh@{S9bZPz`JW5o=#P5Hg@+^H4=-#vv9)A99
zBSux#;$`@ZFbFFZ=eNd8V2rAo#+V;=bTj7C+VJr=KEtSijM2d{PY6f{Dlo_RUE1%_
zH%4MupEgFGjVcwvpm*mYEGhvd%5eM?KM*EyYdHGbCal{Xj-g-A<~ySykJ`|nY$3e<
z*(@2p2{-$rZ)HrHbydc0jmx9o!1r-7B#M?GPvOkT1K4=cgNoHKIMJOUEh8Pxdq0KN
zkG>2yVIG;h9ilP+@FB!g!S!L6Fos+yjq+N!0{-dLS!^?J<J!k5NB2htQMnDHwNW9%
zEg;j|AEU-iM5`L5cufYpZ3$R-_#mxo1|a^#b}ZiT2L=rP4(~kO!N{X|eSbVP_$vc1
z<3RR*Vuh3z6N+gQ=b=W2XEEuEci`<pS2Ectiv+~c_4Bc6({T(RHw({nZeZNirfGFN
z{rYEEzO^4->`~hwO|pCf@SpLM(7c*2uStiOEe=Z$>_?_Ye+(S>0)AV)7407R7oKll
z)o>e$Iu~VNS+aI7O#1RYl=KvLpbX6X;%l5p^TnK*(^0<y->J5zP`SkW7&~_o9(k|}
zD!cOidYzQPXQgJxKKQZgQ}ASel;rP{hL2YsK|BLlr=8x3`K!0%Un9m5mrk_qpnDAK
z$)OBWC(XzCtTLEAbvo)*D#7=<ornbc`OJwkQN6>{nD*6MT-yh_HLr;WpLz@H{s=<-
zh$9S=T^O$o9)kMii}9?@uwwPFWZ+QXNffQtoP^2{6mxUHivtHDIfd*|hPctmrTpL7
z1O5Ir5c_v-hDW1r9M}397PJw8yD)X>CiHv#Q+)7pFXOrH*|r7xKlL0IbN=)G%YA8C
zl4_Kf#qqlDV~=9#>z`xSVUE`=D<O%>{jb~hq1(g5P~3JI6Q(ain@5M>i}zlFE4$#M
z_qW80{h!73g+HUws6ocq<I1tf<YA;9j(pDKdAE}ybcN#BmElnoqsLD{(`scn4@fuq
zwow<Uk0c@d(vwI!4#VM7p%^i4G^#L`Nir9$IC+r^_}*~0yWhz5#2}3pVK2P$K3;pI
zwH!g4hE?&*8)LA3-!tgnmIPyyo_zoHgD0)iBvo*?V&v?th)Ns?KOrV*bycltS4{fq
zLlmZUOiJ(eh$I<*oK|(cT33d}t0YEFoP)yIW6Go5nxNN%199M3D4Lb8#r|l2cZj=b
z$gu-_n*8wkn?q5PM5K(bVwLQ~MU5Dil|d_!2mkdZJ{;KFXp=6@YT?P}-^Dr-8-pHh
zfvU|P#Qau|Q&#&_w;Zh(KmKtmVpCs2R{R-E|9&MpKQRoSz4HQGn5UIvw~SNUNoZ|9
z%DL^r1!z%Kp6UK@81Mw<{O~g#ZBY?HfyYs=-J=-(#w(;=K$0efmTFvRk>E_46ahs*
z5l{r~IRx&AFcB1F_ZvwE0)uh!d>AS+u<N4tU&is^FueKg9E_uj&SZC2r18bvwS7~3
zJfJV;Z{CeBXDs0s!*tKNuNA5V_@M+zm+-L5BoD4tT#U@`@IObc`h{|G^xQX#kix)c
zEx0N;xKDe`9pR5BMt+TbK{3W^iW8R#O8J%K3ojEFFI_hL@`c>VqAjO)@!}|5)Eg<u
z@d%5Ep}Ix&jYLrzS4mwsajD3a7i&rqLc$~M6D>|O(itltEj<;*e7Vxfz>HTeg>wQ<
zrG+nkneYga;>DG_fD(m}6d#9+VUhN8oYWW-bH1qke2a7S*Z~*lzLb$JE3yu7^>l|r
zMk*%<uBb?p-MH8oL`KE)oC^ZV`_U010|{)&Bza+zK+$yT2#7U6y)Jz)t9o6mU-JuA
zty+!OXp-Lb`QaEn_$izZy?~@NH|*WC5@+`OY^-XZIv0%a@FKVzoeVE=!C>3VM9a#F
zx9K*LTLPKvSFTnCRmv78nV8IlS$A}5-w{77`4Zub_fs)|Ci|SccI@>qDi(F)WHuQt
zRKm?9@d+x{Z;86)xH9?6CiH1l4JY?+$8mPOF+JMRH6kBt2Hq?rVA2)Jnn)5e;uO9c
z_Z9n)BN8tJ(e)@1r$ZwR<<pU6M@GjR#U&@kA&MsAeg=yPoV^%~6xM&whGjUhgH{;q
zk0*mKA}rj>Nv9inKhg=KrjEm77mlGHT@c!|Y=)wooSHE?BvVJa7hE`d9%-%>(79QC
zPAXH_Pl0l^o1;zTA_zQil=IPchADH&%GFVemMTI#SxB^$_A3WB8)G6F(q;e0Nwc$O
z3A!kB!8<d4L15T3sP2=1)$9L2yAA^p;NysuoX}Qk(2%Q&{s!hYT9vfv+6~2L)5QPW
zCA6t1B+8AGnD;xo`Qeery1|8kb(5(~=a({RO%gztlV=|9$>)?-M{JM6rD)Yg46l)!
zI15L5^5AytqkBmTC)cqNC*eq?B8$&=nYyh}v*tn!ANVwSJ=71~y5EOJH7XiogAg^+
z&m^8gCi_|jU7B(d^G%D7z{$7_k{P{F*o7wJ$ti}i<d~j?I;}X?E?I_`o_-R2AMS(u
zx^zLUivDn5z|M>3Pt)23ShHvbHga2PI!@sdiHo?)5nO4{LQxk-oIJLV7AaJ6X_}A{
z6Hcot7n0oenpsJN)M?rlZ5q`?3j4OiNw|FOG~G?S(Ytd~>guUTk+>Ti<LnY=k*M-R
z=Y}=d4;b&q(V6a>W#H{CmL1pPWg$Uz@mvUllh#11hSiu=igA5|cI{Dk>SE%-u}<=3
zpA0&>7k?Z)X1GcuMPK3yw8$u9VTKX+LafQsh=s&|khnWGKC4@|Y`~e|a1xwWx)($+
zpYjIAIk*~Mm_Lcri)W5u`Q8JF<&H!tbOEwvkxa{eM#KfQbdB1mUcLnTS_&-;Tu_GX
z?{YeVeIJOraF%%#!ToLP8FjYu8LZN<1Il}U&+#J9c+DG<;v#T5$q~<W>j`g*m2F7{
zlJ#_R&cwOXXBlsz7CJSmZagDd%&S_%HfZAe1p*JA1bWcIk@X3vSqIh17R#2$8D)IS
z!TBtoBg&k{{=?+}W6a7T4%RGDoSEph*1b<ZlyqbNk$SMthn_u+TFqOcD#xxAj!O=F
zpLXie9pjh$ilY}Jx$E8a2@}H&k9}<K)>Yhj?1Eu|b@4DQmn>dXsvQv?M2k2#KF6IJ
zlS7s<!5+^di*6$4&YwlY4&70em`b_Q+r;`IB|Zwl7h>U4>?|gI`whoj5^%JbN@0JG
z2t12QJ$j<dob`C=smIZ$-=ny%YbVsM6hJx^xUWMyZ1`X--Af|z2;KZTcW6s1x<W=Q
zAE~}QaWO=mG2$fcYGohd<BV9ktyx{X(797Hx)!D)neTePDs|DeRZSAlfk>tt<h9s;
zI8Wd^p(3rJ8dvxRE7z_^&o-}-gx*YxB3BIT(h<p*PvBy@8=mUa2`=2FMs{TL@~?r8
zZCYZ|;nU2E<OtjQX35I2re&9hP`^r<9E|eb!zCT0aXfblD1rJF)3IpEWZc*I3sfxP
z!uH5}wa9OSM<H*tAPFbqwDi?#b(^DBAsa3R2Eo>`CdY^*{IPv4+w>yi0cGIQnNzgd
z%C0=Kv|63eq+S#FkW5SF;+czkA(UqMV!6qVY*?v;ojZ(`yZ3X!Eg2a}aeV(#QqEn-
zf8-<?TWYlLiQ-GQ;khRtquUSL^S%zKS-!OW*<%~Ico#yG<|I-%e#&D~xlS{ZgoO}v
z{v^ksHneQaz@BYea4hfwEo!U?JAH<PINxI|FDCK=Lg0--UG8H$q#=d#Eg_NINcfyM
zc98^LDmJhB5j*&_ICD-GcsZ6Xyg^8!#b=ie-AIs5!4u)9(6@JQbZp%WMd%V|#-Pcm
zgnm&36ahs*5x6H1$TjP}z4`={kkuPT+oxhLtiSQ1rIOdKesxTJ>v;_N;(J71i7}4L
z3cD8rzq(Ta63dG4s93`-r;wKi3UQa6OMFS^dQaY-AlJD%lM}w6bD^+uh5j5TQU`-W
zu=u?J7|hrNPkyl!jk-R7v5&QeUm-6}<g;j+dmO{Y&BvL`S?IyZ)bO5-P|A}&yVf)W
z@!V6N(=C9L1E<0PnDx=SC|$BBCr;^DzjGIrww1<2DUB1IhV@!uZRZE!O)@6tau`N@
zzXaP4oHfXe&i8f0zaMW0e=n|wbJDeD+YY=x=NC?P(ovQ7jeF@n_|p}GIttES2*$gU
zXXC(`SiJiBlc+%@D8s!3I@I*#O7kyxXEx2iUmJivjj9@i&zXoQu9C_+x~AJjKvutt
zGPc3fgWg2H{!e4U<WDf>`)|>YF-ByS%f-`%D8>y)Nw5bD^)Ay4Pu1}wF+ht4Sya49
zvT+tDaW`m-WLzoFiYra5U1?S=!4)NmdqG+HU5oPlrzDmzT$OvUYdefyvJn>}`(xMI
zjVMv0B^uZ8r-GFBr(4Ve4xI2h^O^HVi$>@r31-UelAYbrqwgcAT-*~St5rm&Rt@pR
z+e2{b{`R<dYCA$*D`IF5D!WvmvpC6hX8j|%?Q$Y*{y9fQ;qoofzo9?8IPvU7YXkq9
z%`kuAGOp6SfvMG-;lq(5sVo$~CLV=6-&roSs^CP`j)F|iErx%7Y_|J~VByD|hCFB~
zV`JI8!myw+>yrCZ$jKI+x})^8pRj)WQMi>0#p$RF4CvmL6I~KW%-fw0QqBr3$0!TS
zw@}#^l8jAYmm~MUL)mh!m%^BjgLf$u_Hh5RVw+1C2@qSBaX9)u*vn9|q<%txX3Dsj
zeVq}&l?v$Ou_G~S%}&&)*A$KG)FAo6fUh!9=e6#|E8^>Kr((^rrS#cf#<(f7(edFy
z82RQ?ge|wAxeCwuO7nX5RSz!`1=$uFQb}<eD^ay6CQO@!WlNW0HC>M8&zgZp2Mx!Y
z{kySGTHxc5jJPXT*f&xQd8@STjN*)`;O3ZtpT7MJW9F};D_K3d<kT@%<1-oO$CM|N
z{i|dlUy{hIFBj{L#BwbT?uOft^cP9e=Z!>6K{p*Qj*lkkVg%APfwEtf^S=Zjb@udN
zAGY@!$wz{w8Ww?kYmnZ?GMdMaUAPHVYu7{L2HXjUgg_?8W>dzT%=ksflH|*0@Zr!Q
z*cY0CW>j=4S14n+-Prg%=S`w0ZTfLMJ{q?WrK{IM{l*R9&UVb8qAR6K64JvMx5W~X
z{ZeE!;}}S_9QpiP96jMm;>BKPIZ6wG>$WNJqveY`tvpOpM%vQ2i$&UKWnd&8kfTCH
zc~dzxT~5XN$iIkK4e&XlQf<hSJ<ix~{PX{EjSHW<GJf7v`pmb86vjSfG68a1_H!gS
z%5y}Mj6Y|_BVu`(!ELWUes4Io9}gpLtx1HIr-GfzalywxPJ$CVv7d;W)V2LYkhRb%
zh3%YOZz)7%B$y;^oRN@X!{yL0r1II5c7C95AG&^(M4^Csm@;JsRxDnGHLGS~-kcfe
zGhi5o{;LNXc6}1l{i`ze$ui9P<`cTJO~SDEN27b|`o?pcZ$+{X%6KAu(UtwdlvPeS
zxp9{vx)d6+<y_0L#><!EbvL|6@+O$??~NNbp-A=CBsWST<;+o|eVs{^8l)fZlXi3^
z83oQaa_66&rSWm?Hryn3vYZ(UMu-TG>$xw?^<DC}czWZl&&H!n@)11w>>!N!dK$j@
zXfXR<e%25|*4TrT3*7c3_2v&gyVlfb{O4`D*Bm&9`i)wkL5)fz5J|cT*(HwyZ_09V
zgI5t>j>C4TL<X}Ti)F|!OQzB)W+wb9)#ZGt0X#_r3OSoi+nI&3xD5DKZiX4tzsHJ&
z3+d7{8FOb%$D=Qfz|dzOFs_rJ-o|s4-DPE5aP#08&oVPfZ2sr1*Xgzyf`*Nn(Y37-
zk`pDsvArZ2QN$|KmHo_=Pvn=xS0;&JZ$xn+&4D;cn^a)Tnp#D<P{_LW9Pow_4`u1H
zMfhUmP<-!K2OoYi3QcN|oXhVWZse-}DFTXsBA^KTQxUjh!bB!xlG3Swi3LUQ`A`h{
zW;Q0i@eCSM30wZ@P(&~Q-_osnv1r|PbUb~I(c0sUSSB*TwDM0TI<mUW_g29t<}C_D
z7XQR`=G4J6*nK_$jmnm$qDO0tm=x?ib__q$J;<kQO?*C}E1vIg1f#cH#(VwRAY$(}
z3|zh&_3G9^8E5f@=fsRsx_Noy(xD?5JaGZ;zpo=+>Dn2G4(!2-5T56Rs(i^}`0j@#
z*d1@f2hTr-Nv}SJc0;~E(JJ&Eez`l&9o&b$jDOLhWowM!3UVebSVqj)z*VkT96B9{
z&v)*H)w>)f4D5-43|#rbSF2E%t0*0~ZRpuEM=<jHtvGf593Fi9Q9RYM2IesE-B0v6
zf9+pSpe7aA+)?ri9@Kj;N152$cRt_>G*`Uc3Khpg5BA0ni`I}NNq{FO=MK(=jaVDC
z7^p9I61S81D0}CXz9y?y{AbR&axRsLZdg<t5*U0@ln+_44x>MQWL9CgyGx$2#<g~p
zP<q*)la*%D%{o2+_c<FG5Opo%3<RS6Gow(P_T1$0@=p}aLYEAQt<mhhXYt0PEv~sv
zEEQ~=z?R|8RfVp&p?1C6Xx5UG;6_bQiVBykvbxd&z~Wj2Z@e`URf>xN{M97ZGO|r&
zvyMH{tZi2W9@&FogI}fj{%SP-?0N1WWH)uUQK|OyqN_`M7@`@B)S0e(GQZ7AiNdK%
zDe$Sz-F^65ki1H#TrDTRZ#GV*iv-ldeQoMs_peLfT$Ywy)mo!Lb-JW+V(;oz2%#sV
zkxYv)cPgJ^W_{&iD1-GSpkxsV4w>ChMw@ZB3`b7bsRV~p`C)VABxz6CHRfhXo;#yX
z9M|kuiz1sVQOQqYypSIm<gxQhpJL4O-Hnq+*UrQ*>kb)xMwF(aer56WD<tlo8GyA6
z^!mYf-=Rm(E@)B0KFODzF{D4`70JQk%D65WhDC;>bA32+(k?6VqU6YA->+PCBWA+W
z175_uDW71%_zCE9UmLm-l2|HM1ONVbwBd@9OJXFDSonUy&uH+#8<;%mX{xYbjEL1(
zwSFVzy^2ZhddgvE#&Af_ipB+6s???XOeV=MA<az!L)=bGvLSbQfBw!foP@VEI+O}>
zIsyv08x|%K^i-@<L^(>23&r;fe_@d1VVLm26NZc-2UcPw71UfJ8d%t4m^fqKu1(l_
zBobfEUxH2z${WQ_jy{4@hx3q?d^cH>W3c3hg{a)-5ls2|Es{t;+=YEuNLMhE@R43C
z4Pw?WcRd6fM-p{unNf^Ak&NmbL(&=R!IqZ5m@7iM<V|+h3n#A3hwz>1$biI-BpD>m
zhJ}i(7YQ-P$cqfNna+43LYzo^ifFEWXQFPgqWo==9eMNp^KZ%1-k0oB$p5*YKe76B
z_41)5B=IIR?(BEc9+BrS5El}0g&4S%<WYV}wzNHabPLw+K8E+dTZF!CY8jU;PQQd5
zyx-nWJZOCs$>6L>sLBNx3BD_CaE`>q(bWlOgCh+q2-&Wis2DM5(j6q0krfTw^unl@
z?Mky*ekQGD()kSdmaBq+!~c!`FT8+76UXA4@4vzW_qRb~y69AC&<5`{Xo(j>f-v^q
z!|>^Z1!&czF5N8U-FdZ7i-0n(k@*Q#ZyMheLJBQGLNCXoNrj@6fX_Q!UBb^?K=Ep|
z>@F>|EHRS=x^MnK4;1@h6_zYni@kIg>h<CP6s0RrxQhp*eZ#}9z_D>TT6$%$&Q_ee
z98A~cYIXvN?+ED}@(jy+MPg&bM8;AXzqWntqk>s#{-4tCof(6rT)lP}Irv`~G-?K>
zkf<2)czY5>*WM$~WeP1z!ei6WAfOP^NG>EL#UMDAv2;j+TnYRgKW#mP*T>Gpz^-<e
zuywXz{Biu?)#uF^Q}dCG$Fmp{Y{lX^sL-0v)0nrxP3aJKk->fEt<N4euazf@_xM-f
z*!9kbc>1N6@B@jiDbv3)g82H7XcOz1$cR`t)%N8g6uqK2Hk`i@g?g=hX>qg*%Xb{Z
z(646W`ObBXj8~@zVgG5yv|&?QNbF?Mr96!7V5#dzf`<!Y2HrHb;sTYcyDx@)^eIYt
zT>F$7mR5A#YQpz%lXmwZ_~ahEHDoZ|ch;gl-KnJMr0onM_}c2|FGWBRPy`f#e<%X^
zywz^4CYMQmNGijLj?6P;a<O&yAq<`TBTY=x;a|K68dfQf(a&+$klIxdb|KvGW0yBo
zAqL^|ro~ALx8M|$O+(APwPNq^Doz74laY{|$jQ7jS7GT^uy+$i&)<lIOl~6^8jUN_
zRuuL3WBys-;uUwj@PVJVBmI+CW6a#OoFH)vJ5C@oIC+12D*gTs9mA{@8xcjT62C%r
zmm4lt5QDAwa^()}<ZcNc%vets9DlSbQv&T<Hik>mWxPIl9u6Hkg{jki#PXAuxyw*}
zlq|-{;o-v=IqPRcrrMAaeFecW$tYjg7qYM;R82<wWeogk7Ur(l#20=t`ZTVIpd$zH
zpSkO}I|PXo1`th>Nr1emHQf>dG8v7bd&=^kmg59X{}Z_zMOe^LOqxCuS5O84CH=TE
z+6n>Iix@R(3{IY<qQa>D$M)~SmaV%CHyTl<(=wv5XWwze(=0rd6Xm=uAY0Xj9NUQ>
z7_%giZUMnZf5-TVKcEbQ$X24+ys`D-btGn!8cDVRE>Wo-V_THRcb|=BP(xqzY}?SV
z7`e`^Bn}u$!M`Tj)vbo_>ASva>wZK>$55$0jdd%3MFc0sTw2HJ{d-Z$zZ{AeWjqEd
z{(&cs<8oXIpHvIYo!g>h%2|9k>T{evA7a%1=)Rr!ZQCA05#IdE2AVscqbmdn3@U8J
zJ*mWUlAGJMT2`W~GjLwjQb`!c?U&DTf}5TagE^DF#hxpfG_!8PD&$dCuUDyD$1@#V
z(5+W5gdN<B8B2C>=OHR6v=R_^m6mPpLo$PNe)s)C#H3_!w~iC|mOC0*i&kf>A1WzM
z?x<YW1&4Ml$1%EPWTqx!#jFX~b}G!U2Fg{;O}~mllR#I2z%xMz3=HJoX`DGr7X(>#
zmAef^Oj?q|E&rt_(6pO=_~(!9!M8K!BGKkzD2mbCt!U%=EsSRpOJcwkB}x~gqC>Jr
zZl&TTv7vt7dyu<5q>$XBrBHT96N1R2SOB^-D}}{#CS%o(qa0V05y;pbL6>6~Nb?wX
zCfbcFB(N>69w<%AB9SA5__b`?9nnWO;Ufma6t~34%i;KA>lW;yf+q^K6U$Abavw*x
zuJCh5@%48z5Sh%|&BCRAxstfNl%-jGnG#u;^z|4VIUhmy!&n9)rTINqck?3^a@~H-
z*9?xWwVO0yJdjX)GkLzTn^gjp$_Z0uafcx))s#W<qe@Bllz7A^CE-%gVahm@!8R#l
z_S;Q}mB7=d5p?kq-CM-+gi0q(^<!e=kerl&o$D83&XO%g;Nfco;18*$lO>aQCLtz1
z5mDSB<cqHuSU84(H*+&<d2i%zX*MhCP_AAJl<-K$)bZ1CAvzJsap9ObVH$#>5}8M~
zklFW(Wl|x!&vb570`q4~WT4DbhKt_mV~jNv5{(A!I>OH_1Yds6xHk;;D|t;DKMsMJ
z-ssHOJz@cJ^F+%y_K%}~>|>iGvwa!2A-gZ-+{->ImI7_tbwTL94VW^2CC9Ezga;nL
zIFfi?WgDSErILmfnK?$~+-rPc-zV8BE<iHoBqb+d|CZI5HJ^d5#kz?7qymYHlAiIH
z@by@n2#rDliJ$$HDbDJOcFo%3%(i8iw&)kSK~aGZ4#MH1r`XT^(XC58ESdHhV;}9H
zYicyYE}r9a^9w>53^ju8V_SaPNq0%QtUA+z&c6spF$Vi3A-ebXZQSYTDC4Xp!_&Jk
zw~(i65T8){Q<|$5f(2uq9A-?LOLW6Xr0k`tF{rh_7bepU=+ODgw6sXT^10vQ*CS!*
z(7G+H1!-lH3jk4;i}+VZ_m*{Ou{Z|7D1k0*8&IiF=RBhZ?yu*MX%oK1_9MZ>A{A?w
z&BhW2xb57rt+9)jUxo6VuY}N=bO%!SP6<A?3lr!3gw#xq2YK5nSGj-wYL`j~PAhkT
z>G1d~c<GUrnDxc`*mf|4af0k~mz?|9AJgL^F?ad|5;*Zljc3dl#@>o>D2!%w(=lSG
z@%c%iTd=r}9^17JQ<koSmAf_FSS}MCTK$ncPEJhV^OQih<?|T->DSz4N&?wlTQM1b
zE*{v8E!%$Q^OnGV<AoCbh3IA@V<Pk8*yPB7>GNk#!{PHJ*GO*uF!@UyiMF6|(?)Dt
zc^3HWvR{d;M|P~iw4XL2ld{Uz!6nL7L-Wcm401k!vB54NB{3ey4)4MFD=FyMqZ^#!
z_TZz@Um_?p9MM-IaDe@12VE0sT8v#=*5J@dzV|qu_>f3)^YG!bOxGQTlbtv2BfR_R
zRL&zQXAZFXMG;U06ahuxpNzmATbS&plJr=|W+X+*p%AwKOkl8AAx(B2K80vbEIr(0
zwacDrmMe|l_cKlbUx+e+YFVqYK|Y+JJJ01SQCvm2cG76xS74ufxjJ(4RFpycQW-V>
z|JXYZz^JOci=UavOnUDH2mwNureHy^D|TJbRV=7$-BqkBHoyY*zU#_oSL|J^AlOhu
zu>gYf7D5uz2<gd`@7y<;kc40fQ6ZeGVP;;r<@esadH1}3sr7~8?DJ2-rH2ke6dwna
z^GSFNqsFh`5Bb)-4fywCZ{e0x4#88CuIAH<^|)*L+j##gK9%4PbY1mU`oh*(Pwr{o
zZKbX=PjCaJm^a|&slJ&=my~Vb&nNwAQ)%|jw5YYb5!u3<dgB`4qZ`G-oD!Uv5y#Il
z7<KZYxc+bZGO#71)bpuHL{u2oZtz!ZZuo1;3Q@GBg6UCRw1S92bZ7{(VHELcC7--e
zsi|VU<unKXJrj~ZpZC;P^90qTES+}O%_t3uMto!hs>+LC3rl1cnd{J}Qxqp-12B2=
z4VZHG!#MklPk0W6(o(7z2OK-jGUty-?TsV$8_XwPH{iV&lX2v~Cga*;hA<Pwwnuly
z+_zIoSImFs8O(X@8QyFb!4aR0Td%kXu`UJ@<zY5Qy5+Gm%gnP?|4kQP`BdwOV-LrR
zGv}kn5oa+bN*w*=Yk8wd-GhI=zzrwAPS$7c>!ZK*#n(?p$!)jdrpqrxa$<rdRv@e&
zrZMYHSn(#fo#j|I_dVRZ>MK6!^q{aH4+*{Z!M%4*MX%n&aP!3LG3CDh;;gZ=5X%e?
zB_+i;=;RBr@4h`T<Aq1@4R2QC<6<~@D?w;tKm2>_k$h@OSAd2S%LL{OP3nmouDt=1
zr#{T!x?j>IgDD?rg>}KTx8NuSn>B%?10!vEK3ZH_U1KJr_2@B>u>v@e`8Y2U$B!Ij
z1wc0D;XU^|95-CG68AsxAijKeI;~w8O*JYFw@tYbnelXq<M;D~voFH@Nq6A9GfqP+
zg;a+t65V=qZ#3C9=KnP8Veub<ru}Ms&s9Mbf4`sm7S3HXn~T|F3RSk)fq3TWhZuvx
znBDU!H7CMhN!@Yw3H#!|Pv4CtA5FJJkG}o-A*Em~n{c2kZx!yGI2m5{Gc3r9Vy4j?
zIr<!HV(PR<;_rM)`q-nl;d90tIrglZaL#@v&W(8jZjOBj&c6J1<V>1~iI<&+BxX1&
zr8Uh(Q>UR<)k55G(*uY}Nwa+V%NU1a^m&({b9@*=4>%S#O~}Us)BcC~AHIk%TB((A
zQh(aTcVOQk`{S%}$K#IwJ%%wq%%D|7EmOGmLzh?v&uJ*;$-jxC5nyDFbx3>`Zk>1?
zCf@oVi){=aBUjc%<I$I%<F(%O)lh1}l;^Ff!z^pEloQE1n&j`pj5L?vj)(pae`m%F
zCo|5(o6I)JF+4nURf|r=+2f97P~t~1`n$K;#~O4a(=M?k)}iou9XOB^+P7xh%%GZ#
z&yhI-ci%V``|mRgQ?9uXPcWX8m+XcP*$1mzJiRyKLr`c8jyr1{Cg1xcP8&TRLG;1P
z$nMA3KYlAIgCTI9Hz2WI%rY|~W8o9YtSl3+9FH6Cc?4rm{hXE>JQvb3(JL#-`h94+
zpJ~(Qh-4t(JCQqa5++<cj>j?zrA(iD$&^Pi?vNpvbnU-!GqX*NJ>?@#)ay{j7(<ue
zcq@iyC;jsG$S7~DKQt-{CyhQ3_c5^L!VjLoF@L`V=Nyx1>3U7CLB>^a;9(~-i_%)U
zxlF;#m!>heFw-ihbjOriub~L!Kt-iFVmxw94;+^m;Vh%ifjEwt>K?h}3TE<&r#ns%
z`VJk0tvPhp;dzpf(i>AJPr&3U(=hJz(-`xDVxlb(k3RPV4nB1pE~ORT)AwDE_nt}N
zZ)XYiIpI7^W#05N{xyMdmTtja6E4FOj2GsqtwcTVHy(Ooe|T5_fSc}ojP7lzU_=R&
z@LWG(+&|GfBbL@uGw|puUob9G0_v+PC_Y3mL&|u>(&~c-YyQG}1t0Gf4nE{~e0C3G
zRE*~Khn#{(Z@8F&!6)Lz$y0H`*<%qG#+1nvmCw9l0!}_;uZD*~4Ru&A6et*y_Slm~
z;prKlGLFy@=$6W~*>t(FJ0o!6gh|*m>1JGU{+YCR3!??%Rvdoj<v8c00~wBksqOn8
zjxmRPh$n8pj%kjQdEZitF3c<#%OKv{z9sCp`7-@N@$njFj*k%+jcZIjsa$mB1guzi
zE^eH9H(s4Kk?S0k75v5ApCx7WMM%jCoXfZ&P6iC7u7~m0+=RiMnX0#Z08TxmC!V_F
zT72|0<J#2OFo3QqWlPHZx-hFTZk)|e2qQ`{P8ZqQT+uk`xUrb@5YOK+-}3uhkE9;G
znZ}o{N-eZLV{NpF)*IJ9^c*4*(<$cHT9#F#&l``fiQ&jEFz0e4Ga=<LlhasQLwd2X
zxDw}Iek~5_p9Wur52uXmfybv@gZG~>eYMkKcql5DR#?~Lpr~YiZ|=m+lWwJj?wN?^
zJsO`=Ve-RIG64EvbSL{KZohvz&idkgL^5b`(UvVZ@uKT7tWRgme&aFB_`ZbMq@sDx
zK!H0pllO0<7*x6v-~I3<=B`P`_{+{^uv!1O8}RBy1VlgtL|`{1V9OePnfXQiUBv`N
z&FGYj_wTrhmLj3J>B-meES38p#xOCzn)lKz=fnetSanv@-+lC?hp}||TI)A7DkchV
zO}zq{DT(;McR$6{$6nz?rFB2(-_<E=V;axaM==%XHR#2s;)h)OD7-Z7HNM@04>}mn
zU;TH?VQheVKP$(_cb<)p-}wMH&zK8$SPGt}Ddoncb8*fcFIkhW@c4M_HE00c7>>q%
z@m`Ezl=yQmxEQCV*Wh4A^)K9NM`G8Wc=wJ=@!Au2;jyL6MseR2nD_CUxa^Uc*8HLG
z;6w4=&0{e6);o}J=onnsI|w7Lyo*ovImw{7al=hl<Lpc?#y$E0{(Jo;SoiI0T>0E*
z45k^1X}4aAgw4xw_zjQYmOCcmg!nQXJmDdfR5BY%csgFa?`l-j<n)x=p6AnY8xni;
z!3TF<ia9f0!M~sWoJ`xSh5df)f6*T1=I+(0<1wIXMzbKJzpFdEi7d>|Lt$|->o9I&
z^b7Brg;WLutmo4}^W|_c_D%`o(X3`195!h^P3oN4iIaYwx8`QEb}Lq_Sj7o}9jTe!
zkP>4|)%{<qV7h}mIptD(Rn#4KPd=N`_19W~SG#o2X1tDY1{$WY!kfmNjhhgYn2M;d
zV19+n1cav1Wu>(As6u)MC%Wdon1Y=#1JBu*%ao4kNM{;J<2GY%M~m`uQ0Iz8Iwyd2
zm0PfJa~aaoGc2EbJL9Ez>npKh`3h82(>;RYNlov>Z6opE)n{VX<_z4&8{i}ct@H7z
z`DUJ1|G4aWoH3E9j*l9|3Aqi$1-Uel&$TA!p)^nL+=b&0aiXHM2piZR6EM%t*eF@u
zx>HnQTHjXuxJ|p|MfnWKw~<ykUL>V<Mz_pl|73&X-BPldmMV+~k(SCQh<=wnBf=E&
z$#Hsmnw1%$`Nhh_XQ{$fXB>yZ&PU_%yRYLDM}Hg+bFnd5B=VRha${Z*C+R`xWHFB*
zbN}qfq{uAF+kkZ&3%I#i-vhx+f6NEaNK1`JT}3H!iz>)5ogA%8+jggx#XdimPwI^{
z+R!_5>?v+#cFv#xRfUZVuA9s{OvWP{-F{Z`IFwNo4U0)cHdF5Aug^n#3ZGKaoGdRl
z2b(#0GHHs#W0R2GtqWa+i~|5g33nBiFK2q*I%Xv6oQ32_2Xb-?{dMy^v(sJ2OG}Go
z+@^xANFkvVfVyR}UItHHzs?e}Jyg=-lG4zPlP?n^z??n7e9D~1z@!^C6<cN*Q8Dr8
z)G3`AaLluLFV@jIqmULRAz{(T?$HgUx$7zZq;V2KeiYa07<M`}CDszd1Au~D!F1`_
zgjICEFcT&76gHFJ8536^x3~%!Jg3=Z9v3=T(7Go#kCTrKa^}K@uTDc%JdRwJyLKhr
zAt-v$GN^Z-UJPcO3kPGT#L_LrM&ZQYM`r#Bk3r8KSt!X_k8lb^;rwlJ@cLMgvyK6}
zOXy+}i=Nrt;jJpda;B86<##?gtqTKu2U}TsQc_Yl=B8&EEm$b>Y-IcSJQspO!qBs4
zHnX1O!pFeF@l^hb3-jq(;^0I)i38$!%kNMH#q3gk*V58VeLNj_JucX=mW(&^JLW=<
zK8#;ez8N(XYEzqBF9Q5bN?uP@8J6+7QpxX1XlN9&vbrFYCt?sS)=Kj?G9YsvC*X9q
z>XeDD85BY(aPV-lKLx0vP?VP3q(4Q4ObhF=`eQxGr)AmlWwc&l><Badl!Q=hV0}qx
z84WRn0{BfTW{!W|YRlS!7Y}4+_e27-Jeg~k&jixU$wg#x8lo9HqN%HvNz3b|b<&FE
zYj}O21!qb+GE<|mHm{UHag(iUnv>_r7LH~023}j)WK3KN&%IRZfeNFfF#Z@bN70SX
zxc;Sg>dKVsCPg$m#0L(m+5a+QF+^5LY3UpTAJTC7rkoAdKE{e5Ix!91Gc$ONb)%-L
z969T9P+7w`7K}-f-nlE%dEQ#r-~f2*mB*Zu@3pJh_Lgd^j;<NWblqgoSw8ewwPrn2
zWV;cQoNmRx@ln__zY8skgV)2npWems=T5>^_dbm?NAzkG(#`R8SC?VM%GK62IXo_j
zF<3Gw0=oUzbdJ$iUxiiHcbVTXx{7wsOlR8LjY!}z3gtPSw<*^W^b+Ek-Kv!inBS0E
zD`<T&gRXXN{BAjTT`Vgq;Q3sNj7(<M<N52LFqlBA+S>9`6xZ626zRfho_pmCOdX$^
zf$qFsn7BYj@$~RFXeIkq$#v05>B#C7kKFZz4Bni=2MjzPa&r(Go5lwawB#_qWjwMb
zC3H|&EUg$LX^Fw}Y0YZ3Pgk0daP;bxjk1z_*h0CU-{-(@r#YFu6qs`PT`uPDpgFf<
z$-Eogs?FFoE}n(6uD%BkJ^ma*EAp6XoDZ7fQ_zdoOcPMaXMUU6*A>fFF>_Kqk5>k|
z(&8w0Ly^C)?1yp3t>(ihb1kT$&>j&H$M2cR{zZ#ot}A5Q>uF))<8N<RR4h94nr>oj
zRhAWFUCt&3P&PrNgVCA4d&$vZ{65xW&B~uqUKfVGeY>`}mb5%W^jQQ%Km<f!S0)e=
z5`v{mm#*&LzyFnOnpNBRW3n+PAFnY!$vH<Ih%3h&g+*&NV&NiYeBe#R<fmT4+JZuw
ze#hbMx!>XEmFvv>g*UDa+<5lMmRPcdH{jD}&gJhfZ+_alnE480jSQeAOFakMuiswy
z_sJvSC@sMKOl=yLb^y&aK?{yev@UVuun_~16%&MYy!&+0v~s_J*(lh=@qGUSW-z|V
z0b_b2gp)&aCvV2#|Ht2H^D$7&1Im$uhhS*-LPo@Q;QW&gpxyfxe8KdVvEMAizxF={
zmmPl~?t0~0^yJh1(M%n>@T*zOKH;UM3p3;7<<csp2Ez^<ioH@Jk&|z3HvGl3Yd!tr
zO+X!k>CK~m`}u<g(&YDh%wJuClMWe)1lD0DCn~>#0C}claKh9%vvDV5PHoa#28wwf
z6`zc~DQH-Qj7=sK>&A|gHDj63f8gHMDwCn2wM;o~-c&~>q+m!iUD&v#X`}H*ofD|8
zS>3E<fty8ha~K-Ko3}W+>`;8Ljw&Z(c2_v9AbRr#d0RW?EJ@7BvP1?GA1Ej+2Hm^S
z`h<Nkr-O$RV;jwod+#-<@q98?FYfvZtXY<ilwQn&!OR0Dt*4pv=ka?`$EU&3ym>YK
zsH4CT&A#u=NwQS}<7XWaoYeQ{x<D~)wkDRC^~M}MoFc)XA<5R}#{IyW<e5*bGnO~I
z@jTDnWaD4Nm@k~XXT@<+9bjOsG2aD>B@|%3|M*3Gy1a@{;!ohTos*)5^`<@(UnwcQ
zD<_m$)>1$7z@ucg!}TU+NFpbUrkM3Ugd-}(9A9R=2#-bgD8t{+(b}lRKNkD+Os3N`
zPjIcHWL+PO;A8dK5r(YpUH!*`6F4K>^yKx(`d*uD*iL5(e&&2KaaGbYyQ5QA|F_=M
zXL$POLY#;P@g|(H2h3XQJY#c>b(`bNn|0%c(0AbAhU3g*Z2Hb=Ojn*WS=PnNpr)|Q
zZT-D9SyS9Jb*BK+shc&rK)cp<+^1{rzTB6q*dKFjQo3eYmJH@xP2gn8h(;~l%1qX%
z@c1MQPV}D}{x<nt;e@0+zXRLOY4$E80^PbZ)=9(p+8nVt|JY_`HqsinnBx(~$+NLa
zvVtb_T<FRyHO=~%m1Qw9V{ucQPU80?r8CFJvDb6#LE&*2FgU?#%1o@yso$CDRs-kW
zwmz6K^SEU7h98fqk1;J$x|oB&{d|b$q@0JpabGiejo{d$n=CWd8i_nllG$%l%vcfH
z$r5{7yIxqwl3e-^@;`WB$Nk5W<1s>R6t6`?IC(V1xMZ1$oBsolK=HzeG=Z^L{YhY)
zqK5t$CN^Gk`ZQb*%z1D6(5+jy?T-O@)wyjHf_pHQ1S?=M=U(92Wuq9|xqG+9^TFDn
z;UB}*!OSxK2l-=NSb>n)PWMh}jeRpIxFdOv3}K&537jWpO!YjjnLYcVp;`Yq&;5-^
z!!HAR^dHc0p8FY??~)O8x^(Y}OrE#f>hquL!4#c(_HX#^ai!^BU>w%QjsK7}V|R4z
z;XkKLUrgP`qRqwgcdtSI^Tz6H{WeRw#@+eGh?frcR!o0tIwFz>GAk7CMR*<uiaEZ<
z#iZYW!Tv?&TEJz2EliunZLrsXf&MX?^O(n}3(xDoH6g82rWrVoow;srU(9h1rpVcy
znaG-cx6HLBiswTNxtrzTRz2n%@LGZ*4J-K`=rhoNtue>VT)VBpemN)x_v1QK{KwRb
zOlIBkf2Wy|scR4GoD2j~HP$8mzWUp6Q?yOb>cQ`mIY$2PQxeZ*!!xjtRXNw$DU>z4
zcCjxOJ053K%rW%Xoaohe0FN23XcotYV`6@r+1KXhpTDnxz^q0*cSgiBfNf$!lZLao
z-uu62acQ0S+uFHtUEp`${EqF#dxAhQ-wE@3!xIzTdJo|BfY+HO$2+i{UPV9zL_h>~
zPXcWcOw3Tt<o#QPAawu$KmbWZK~%r=T{Y>2v-xCU+7)NxnrScL%LPB7l-Y6afAS4(
z#UC)<^cYv2SjI=Ve%#3zJ<>n1y!(|8v0?qDcC;=D901<j@W(wZy9Zvn{R#>)PAdr4
zqD4PqDr1DK+Ej^jeRWhEOVjs-;O_1O_YmCOodChz-5nN}#X^E>umHg|xD%Y<&cX)w
z;Qno%``$;AeCPBZvom{ormLz;epTH~u<Sazsu~je#D!)yURI-6sBo*ZXx@z&r_^@@
zo{-3>Ad>RGOToj9uiEwp#;vRkxHNwmHS?$E4LrZMcXS?YPxo=64f50$ELKSmX1U}(
zKs=S0HtKE}+qy8wjg`5#*w{>diZ76k-%PHz9(bn{jacO$vGNLj?QKRvvWhS=HF`yT
zjxkQAyWgDopz8OqzWNbAyaVAxsFj?6EeDc?E&Yd+JB3^K)_Ba5fVpHw1x>`f$pa?}
zQ11I5WIym@(>2pN=VHEmE8o!ok>aBFV^LG39pW0U<(+BTsEsNWd|9+L{7gKXGONoI
z#)5xG#}Vh(R2#QfAlJQE&&&5k*!B=H?Pl_v_i<&GV5W|f`?G$C6F%EuUhg0~g=LfU
znVAguT7_G0XR5xU>)vQ-O&5QmdZU30j#XFE|LQ3=?dguWI7mONTP7=_;Od||`tk~8
zEX)`_a?G}SW%ox;>#QjUC*y9_d!w>YueGs+irZ1QJR8K7woIoM%om=Mq;}%peh@SY
zI_V0G7q6u(b2+THty9vKKabtp-4W0W+$pDBR^)KbeIZ<E-DsdGz$+gcJZgTu7n*w(
ze{X%XzA0Eu`<(?%u=Aq;{dTi`=4eLTXF0##xr*GT2U1(L<tw0`<2QeJx8wQqs)i}X
z<p|UY4;If_+DE07x8hTtI~(zL=L$PTK?ccXne7foOAGJL(FUi6zs&3SFs)PDt+Hh)
zR0Q!5+1Z~B_*-S<YFLKOjb~a4{0JP>ZVz{Pd)zZGQuY0^6hnLU7K4SGz&{g@P-%pX
z)TqwD?$O~+h<j(c3b#C7tI|YiBB}UNXPL(zUDwbK+9BOR_i3%6EdsU?wT;`MS3f~F
zFgFh4o9%5l*oJjQ`jkB+k57x%Qgh_TNWi7jqr#xO%>0$n9jTp9h4ms`03H-31{CJP
zBSQTU4IR588y$UsuSYL<K1;!9oWL&Rx%)xNJ0XZK9Qb)cpn#wlZH=xKS((o}&El=;
zRlq~Lic2e|=I9GJ1t^4>1+=P%F`ya6(y6K?w)Lmwhcw4=HjoCda82H>NseN~;7d?2
z)N2;BOVhQ@4-4{u&?hu{6N>hW@jU|Bx>4Q%?6*?*F(>nmc?>KEO7ef9N+)%G3A3Et
zW>9B;mkd_@Qbd63U!VORrx&NYVfVu->Y`lIYw+7>*z!F$MJBlOUWc50i|gI6_Bu{A
zP4&LNOh;6eH3HYnIPR5kB2f3k$6tqM4?e~)uHc9X0?*VVn#~(WN@#9h%ki*c7kl%W
zM8zl!I3FhyZ1?Vnu*z_~=$V~{X{fKSef-kcn{RW%I2t#l-1@!Vt3-Fk3R;4Q>0=h-
zKq;T8(ZChE%7a%@&q*XAu*rW&9FA8%1Pd-0B@QT&8~9?fQ-xcD{Cr@J9?+`8QTkGw
z)A<-u!TF7gh8R9!g`DG|Qdfn*tEQt&fQkaz4+F|jBjA$j=KEt)bv)oZJc{N1wU`ia
zv*|$pTA*u#-SO=QDLW3cD<0nOyV!~LQ>7aEYMB4xAO_%yYI26gsssjmnvyz$Aa^3u
zM(CA))!~3}MoIfX*lT8UJx2B9w>v?c+n`0S?VBb$r<%fi52j%A<aOm~;MVowJkjTh
z(P`3WPelj&EZeaoln=<@AV<?2f@$URd%LM|T}O$Pd8<RsxAt>amiW3T&gntz9Jt%Q
zZoPflor`trEdxtK4`vQ3(|*e0aWqkg{I*MVT5liEPIgWb_UbzWrd7`KYYgnrr~A7I
zfOa)5ua>wYB9!<qMvf`c(q4e_ZmUCSAqD%Q4_ok2JNeOD-(KrQ`uJMr5M;P{YqQYy
zCPmknq${5@6gWaQCZ{e6jPA;j?y~%XoRRB!pgZiBZ*VQ&a!*ElPBGlSAUaTChd*=a
zWmLWY1tBUJ(xmcAji)SAv;I=Rt}{o~sLc`B3gR_(CI^z$pig^RQnE6J5aOo^#}^Zp
z^K9v9(K&H!%ZVB0TWozhPN4yyoy}rVW%xTDRbYyb8rk*h<fp;3vnVKZ_W-*)D;B5N
zf^|+jRjY#T=aQb)gGRk|nL6uL?3V2ojU>97zaMsiZmRZFr?nVj2=J4Pc#a)grj4H0
z(&XnKAZHwQc9iS`5Td$rq`LY#*~RkSJjp@}>#okdYHo=6``Zy7zQO3`wm*++#aSEs
ztBPb_QwtXeDC>(ehZg=Q<qv;>9chL<t*6B?Tb->^8`t%b3K}9!zqi&`fGZ6)U_&^j
zgteb;kGscqT+Qx|>62L`^#b{<zjj1^NAyox{oW`i14HD3OQKu9VSszBX&8U+`{$kN
zR!nQ5sKH}yq)Y98#ZLb+#y=s=f7((~Fif&%SZUe6@BH@#KO7VyEh(7S7Uz%sAIXY_
z$O-glzWL)*(ojg(@h&7>NIx~&uMOb&lA^ni)TE5@w?~ja1LDOXT@Uic6NUdic7!NV
z0jxyhsd)A`AO84skOI=R8Hr4s_<siapJC;ZBFeJc$fT9Y|M96A2Bd2ah+U`r1H-5$
z<6&N=)l)0Jq50!e4g^{DJ%T~Cf?tRGF9KN0Kw~K`VHTHR{Z0=k%v}OV*X}^@C$&E@
z9HE{X!iysWjW>Uk2zL}n*Zc!6GxYx%=s!G$+*wKzRTY?Ps9?-R7k+}`UN~%Y7`asb
z)A%92+6!m_nzS21vYR$TwB(ObV+hpJFQN3iyQ6?8q02{N7H?1m9eMo8s%Ua_#F2P7
z#bd^lU*Ow`*zr74|A{CR(5*0lY{=Jn$V=Ipk_h5R3^SHtY`U7xOg<5C<l$o#P=Sim
z)YUX%XTM}}xOJO8G@Fw4^!8#LB8i`+RM0QzhqSc#M$@+TmF6iEKnIS{*ZfZ1g=~a{
zr@zdA+=#S>x<H`Nm9f6t{<o-jggV;v*#-{;S6+~-qmhNDG?FyxGV<1kS!Xq77uVL9
zeO+e#2B_4P`<IMg^eY8gr%M-V?)HnSwG9p9Gct%E(tj{%`}!C8_CtUY5YiDB7vDX?
zl9NffLPV`?Z#mO5o+`4G^-Q5jNgGqL>JbkK@|gH~IyvC*@g~sv#8Fl@N=nLy1{PZe
z+|t;2)~%;<P2Opx8f$A`4ZpZil$q!PTMOSH<HwT0j(XmlCS08)QXGe;v=1J~WH*&_
zapA~PrhAv1jEOVTSk*UvDef2hn_4(T0o>jBLQZS{SXc;CQ&YnZJv^SmJ%JY6<mfQx
z`7Om&@ad_9*W?D{;y7#0el=#rzYUVw1q!&rV3|=7&(BV)_xJMBA8Gi{(2GxciE8(S
z@n+~D5qJ!N2R0jg2x_&1W*mmP+rkfw-3|psbLU@Zo4;~weNe<<eJ1h}e&#|WsUZ)s
zQ#c#)Vgh(t7X;jVN|{3-7{Q``S6IX)Vx_mNHS)W3dMZJ)rXrh|m@G8AP`B$avM3~H
zAK7HWCQsm3bn(f=1s8~6M464gqZF#c7*MWUNsDw!sT$mV$FjRhL%KSJ%~7p~-zOcx
zb8zzR@(VpPb9g(cBrLZ794=-oF)Kmj<CFvoQ?fJ@$;kJ<Pyr)f+(8l%xDT-+y{YR}
z5!u892N26_2V2FZ#hPM=(R8i;wdR|=xqw>HtOx7G(G+1gmmQQJFRQ@$Yj;LNVA6R|
z#PUY%fIaNjt&TW{*NN<p+<0uX^p(-MCTk-?rHeK{A_Lgl;)vsGnE&wu{%fi)v?He7
z1}H+#3X{UX#H^XF<og*Eg#{A!$8T2P%ErXiMlF3gJf#e%xK?SqW}toE@fmrv_$vH(
zHq{sVjatY;;0Jj?E5YoCH_q%jhvRtEk~7-48$U{~du*<$7>kf|nzxymv+pr!JGgTl
zU`&`QOasTg%<RT}V_u_4O3UP})stf;u*#|7IQ>vn)rrOk89RL6<MBbKwI=u@;;I+0
z9F@g%w1v5{d{H;P;S21XYcdJs{1@2v0Fawgw~&euy5AP<4DmG@5|wZjdMTleY!p)e
z_D69XocG@hA`k4*B-O0TK7A5ZbfuayrCtamyH`VPJx6yYTzdPJ)INwhElnhnuj3D<
zs#OSzvy(F)f2p8ej-3NqbZ4f}@|a6Wz-=xGo=TVz>$bm$*XFzG01u)~OUqe66<(!4
z9MjUxz>Y@&J6rA?rDGoeU`TInU$GJsN6h{9Oj2L1^yWS(()4`zR;RiRW!}hL_)c0K
zMov~NHH}@<o~37`4*%nNM`(?TEi<UHw>5XXJ8ojMkS2sU;F>U|6dW&e@}1tB@cUH(
zTW4Pw-Fif1vSSbjJPisRxhn<M@SJIP&pZYWY3TU`KkN?rNvvuN#hY2Zvz78H@Dt%W
zRf`6jpy%b=PxP!1^q(*a+4Ey<8w|S08Gp{5E22G?(vmmr!<{2k&G-4H8N6R~3*=`j
zF%;(xr-c=CS0hJMBs#-4fq20KbJ1CBbdr!*WkHl7R6P2MZl&l18;3Jx7S1_}0pFJ(
zM)Rf>+g)3UCi2X&@QXqma~chlvqcP2+_=E@*3FSG<lq@Sa+yjxEc|R&7%DgIjhSe4
z@CR7fo8?c`9D>wnn23AL_wS}LG@1y_oLcak+U|wog*MrN<g<gdg^2D;J9X3y9Eghy
zXQ%8p2cMFa2R=li_xX_r0kIu@2~HmMBZ6}LxCc;%KAOa!mJYcPtTDk(=LQj)(TYSj
ztRd+8t<}iJqc<{ZKws`RJR-`zwh1aOQ~T8bdBQ?Nb(>q=O-Xn6MJN?nR5Tt~GRMoT
zr-z2J=7wN`ON@U^J5f}5E0ixgTJUd(G~IymZQ@(I1qY+(rR-9`l{>;cA+YP<{*(D0
zZKHU*Tt8yuj%P%bAa-m=7|M_!gVt+_6CM2RaU*D$NR!o!xUVedo1nl@6RQ9v)Ii{E
zLZ%ignl|(kcRkx2^Aje|)4G68tvR9N?RvRRM}NGT^f4;&i-C+&mb&f05cu_5ED`1h
zw1iRpn7m0<82ITMI^*UaJL2kgzw?x;dJx+>Ss@;iXzsgxPg&gUZq7GB?jh`xpa_8+
z?+QxiQdE_SwP14X9Z)zi>k{kbDf~L~62o~~wvaFFuAP(=%gUu^3^8|D8mQcZ>l0Ks
z3buCtMzL`Z`^yL9*tn()f#WbUm(A#H7O+ts8B>|vx3c{{(ONMR%qS$}fie#o=jo|_
zOvO}^7#TjP54)qg?UXo@zz?c#rEm=*vha|-DuPT3QWIv&p8hX<`7gBvv9>pyi1kYB
z`PHggwYXlLKcL7uE)<)ymdkE!9F!#n2+b(PO0Zi7?HTFC<$NqSyUp=lbd2X*hl=Fw
z=kjghIS>ZXK6O@{hGMEe(3}oC)8a_qusQm86A2rpK(+^q^|n?5mzIam<94=N_wcs?
z0qTRY)zK#T?j2|B*k~XWR55o+cE;F!`lcJR0qzm>_KKkh;oZM;^Z(`K{Io5g3EFC<
zy_;;7Wrla75B^Zc^737?B_!dA5sEz66T*npch~hW@5+{R`=q3ePjU>Bk_hG(dhn4`
z!Amkmk_Ha#xO#;y{kf;bYRER$<u-q%r5udXN_RR>g_-y6_tTdO5bTiq{FSm56!p%R
zoWF=B|D_Y@+%)*>A@L;tXn7o=^Zp3(=~)j~^VMWG?^dFe_sKE|iQA#cf&dLcLR&k@
zB~A{|W4P)PkooD4Ufx4A%o1~2n(z|g%H<G`aF5r>9B3vqaw97LG3l#uwb@NaLv7SC
zAKUmX(TS=x$6i>4dwT^0eI8Lv#AoBYvu6TwiE9&{TYZ^fpObBG?cjKleIukKnt^xh
z^a=#S0qfk|@*#~q0MC)wk6`VKADia9pA84N=K??1^sj}umH0VYEqk0|Ozx9gE3cbV
z$l^+~lggdV@sWwaSv}jdxAY`NqdDO=bwR<L4fy+uoxZxIFi3v(U-n>x58nJboB!qq
z-OtjAw;EFUN<ybCgnOY4=AL6+eVi&?Ywfidgxe}K_L8w#WBuNH$+zBD?J8<&T2QUY
zXZ(jyen4)nTPA^95P~ZuB?lZAE-wADu0?t<L3x6=Zj1MRnVPyf;HJ=fLC}M~*e{78
ze>4Ld`&iP%gki<K$OR6bnv#;J=s{mY#-txCA-<zb@NSjRgd2UXYNS7=ZR}Io85QNw
zj9$MlQ-$x*nlBD+>f2+v?v13c$I0POqvLgfk3|0Myzpchg}nNQX5uJiBO|KgI*i3(
zVKS85!&@gW3<5Ph6}t+X0zLM<Q9wRc`niEB96LpWV9FhFb8~a{ua2iDiw4Uvzq@H6
zFlA+BiMhE6eSMN?r}#=j{DBHy65`_3?t4?SkN4M|wFWTBq6LP^x(3~>ee55c-MtB(
z#nsd_BHMbX-hW8Zql%6rebPXp>k~FRGnqo-!L;(vdI_I$3#2g7w;{SScTm|FglTAy
zmmuYC?OhsY=Dg25Y93yiaBM8PIkUUWXdHdHT5rMZmN7@Zn-E0U#JP%e(cM|}<PZ)C
z*|hSklYR}W4!dENG}spzQnOM9yAYrpbu)4BaLnqeqRQjWkV4DUtF3Vmb&oG(0*a%)
zWsImyTd+t)2RlzK6lv|V-}6*ZS368wRLr&-tXd9g?Kkx$!wJ!-HvJzq{EJKYqz`?>
zn5JXUB>7hiZqPCBOvbMt^Y_H5CkBWNi4?EimB;+j!~gvRq0>=xe@B=33@2$k2;+ZD
z1lcQ?TtRE=*qgfIcO`c-jac8QFrF(6!$l7r!~tc5niFsX_0XJ;A>4#+lEkq)S0WNm
z=<)KMSx;b%TSpnRVzaNHI$T0G_}YL*yV0ny=)<pC|8xg4F?=X@P?yC+6S_kea*VG`
z+U=s?%q#4vmZEcZiym)%k8_Dn#sf!2%qUl2ZkwdE06CYSz@+zDzY0xPuDmE7Z4jd)
z*Bl4p0w{0kTR<1P;3?=4p{%^?aXu^lIgpS1fJeK)Ntb?(`4Nt-?S^R1iBZb-x`X%f
zV)|Q?!n^R^@38AB#4B+=<Q?JK>$#!BcNB*Kr{8$D3aK%V>{&~g(=K0iOk7j;ze(WB
z4MOyiC5abuL5UZ1#t6qJ$D7CuM;A$tY#`>Qd`*ieLmtG4w%AFossSv?@xk55ex=sz
zO@>#+Bz^(~586$7<nS9H)@f!WCv3m&;j_vHT-?agwzz`J(bu}l$pd5ded(_FF06rk
z8wipOyDEc%l|;XU@?ANKkP-X+_%^?={2@3Yg^H|PTA-{=4B_J^45EF>r>O~-?k_u=
z*^3Go*u;RUHD467iD!Jgtq;8enkz~p_*FtNv25*#updMvRk@BkZy8r!9pO&G6}^4?
zDhRJwu?5QOX$N*eqPKc~`P!wQMjISCOPkG8eKV4tcK;~f_wuFjDtazxD#$Rj=*!lr
z598@ntO}@wiFI%#*KLDkIZWmx8^}4%56_8T30T#LDIsqoy%xNPcr#H_B^VMrs3LCi
z0d*r@enn_ce&z1wVEJ-zN$2@jl`jfUMS+}*=FZObzB4|!cdutZ7ti>iDD|W1wCzK4
z+h11t{w%M|LQki#*~~1Ym~(v2Tu5d_a22fDgQr=)Kuxb31q)2<&raHyiK!=~<_4ge
z1Voxny)XTW;6{CDL}xlT$f@SN#vqHfYH5M>9Vud!FqZfvfS@44bC8F#cw>d>q;IK5
z9OXDAxHBO)2F&&ekR39b>QoH+5shv-TRgUljjw1&K<s-Iz*{VI%T86!4RRWMK<z(!
zJnf{*DeRYL82A=rZm>o*<7<1$c#pm4B(mavuUXh)i|IcUed9i-h?9HH^D@HzV8Teo
zkmc8iwToOrG-Qap_f5mG3yePkqAOM3cJDRQ9F^T^P4oUc4daqAxu@C>QC|<EKYzxF
zm9Kh?pr)ZF`~bU^#}?l(YFXE--3iOb<*13r(%)~D5zzjLekmmHnAKZ1Bh6c=TE<H(
zVN`kUsWf^h3eCjB6TWR$@AR<#{_KZeZtpfQEL6<KA)oTJ#;KTHAE{Qo4#VMaq{l3A
z7fC{YURbsUCXwEJI(%2}s-&_EhtGrT{mye3vI@C`Hu-dJ1;Vgr_iC+(*4UlQuV#-Q
z?I&oqqhtFrh!V;xK#2d6EG&|&g}h3L7Yh67o^>rF0B(Sc`>*b#jZ>DY;HI@tC}^5a
z45CUjt1gF1EU*0^4nsn1rFYiuK{*Wby<4RPdI`v$+6eD@G8_-cKYbHvLzR!2Kd|_Y
z)wSnpdaF$ij=#_8ad~dR1yArIjR*&jrmnjOaq<g0I^lNsHW#eopN^Y}Wa;;U8a%BK
z4js{7-J|ucHW?z9wC0O+=gZog9!-5V4fqvP0icOfuq*6S^nPQP1XWRk&ZhXo#&VtK
zI;(>$>B(Al$iCZG3<}EtL#%q|y}g$-bZQUj9<GBD%p~&B;ZY96+|a4@Z$7D<&SJ(%
zM3|cmd981h!zy5q;Ke*-ebDLfkHgh$y!}daWmB6-1h1qRJe*;>6teKGR0D41jZ_-n
zj)bN_NQU{wMn_89l=)6^?jr6qxwb3{8sQ45NWeYIc0kkUzRFqzu1<|VOGx9qQ-)UY
z^{*PZdKnv{fgOVoxPm)#f>AwN=3o{d?+Q4%U!)q{vSoQJIyCQ`&7XEzn7Pa@j+}l)
zM&GQPCzr}zj&~a{icFTd2&uB9W>E-f?&LW5YrMsl%5~Vuyn3GL%v@1WUS5G?|ANW+
z^lScDgbfcgLWP_l6ccXoUX8%+9QcaT545)6B<uCC{@(6XU6Hrtau-k-28~3k$+v3@
zcAA(~C3o9*CbS2D>K+ui`uh0JT<=}x6~&eN<C?vuyamayBR8j5c&|pwT_&U2GZEOw
zT8hzs9p5A+!a}XIk!6lTc~qC9OxMok#^0rsa8d|Cff?)k2;^fNg6=^K=7}>vAPNjT
z{PUcF-r{)d#}y@KfzYI^_q+I5Y4Khf$I>?>-LeWwTd&An=c~l_=7_>%1`F)0f&{TA
z8EL#UgtNMnWaWWZ^GBuq8C(ad1~N<ulg@?3C6rXnUmD*U>PCHJM4!^o0DW9jGtvWu
zgi!U-7EufKMGx1S+J7C3?8OCqcFb1G>O{n>kwZXlq)rX+h>+Bfj5hT%#Iaw2fsvu$
z<A}%&pkK_2<qvaaMtrJ)gqe^xRXoAyJ(>`ALjj6#NpxTSiZ2FX0?Nu5zwhi&b8ujK
z3ePlh^~F6@tRf;Jc25;4XkVYKKM!x$Rj=!YHey3zT8nqZhg|?^b8qMH!s>yev?KPi
zCsU|<N+~){HU{sMyNloEe|<MwU{xo@A|g3JOZCcgS)C3x0XU8shYX~j&I|&)%WA3E
zx<Coa(|P6>c$eAWB%!Z9@)Y)98w7o{`<n;Mj|A1vzDF;k4*qp^{f!6n{KSJ%ix~fm
z2h;z=gWpq^y8LQ3{^e2D6aU16Bh+#Kj0fZV#Dj;EW_bVT94*C(F4ui$XJI-&e>lbw
zQt~@K_pRX1V4e2+6B-YR|H=`6LNnqrn(i=U9S<ahbX-FYcLFkQ&rIZ-t9(Yi$MzaL
zfmU`)`oC(!zh56n4B%$Kg`h??9N!j7w6(*UvpOq^v>J(K3Xm;FbLNMMSpG-@3_xeR
zXeJDHd8_-7ORG>98cg!ioo^eD6D1n?6n@f1entG`QNBWa48q|y3=%T3+QhlRKXG9o
z6IAPJ{P*wQvt1pYDjaMC{uvse5!1TW_y^NbJJ&V5zQ_IRET3Vu=0|d~&lPt2`)4ze
zMxe>=_N45jJ0>pc282U0m=#AJDr)Kt*DoN>ngGpz{7ZZU@4Y2`U0vHp%LM{-<$vBQ
zX*~b(G!lW<0{6|$2{EV3O?NLlxXy{A&51jH(dn;ZL6H~J>lxuY!iwGC`6siI6`w$4
zWi}RLe=^<fv>sxt)?TPgiD<xs=!KIX76KAd$ZfLmRF3AG)SrH^yCSqS`+uOtg-gW4
z_r|89a!QM;sz3qy2z|FDj@^umD4UZ&By=Y@GO{2%GG8}5N1ts}|0YwGHS^&45?Z5(
z^!3NEI!8a87X-b1WZ$iW<b~PVX5{!SEIz8Fn)5DB+$|9?8>NP#`V`@)EOpAwHd|pO
ziq=|@dBy4eFN5>I*w%H%o5fqwfkSv<krANE)b+tulr>#-wP@lAK{7V~3s~ALA1bOI
zap(SB>a)wKS??d0>CN|LZqAc=YXp4N_&p(^XE^=uJ)3UwbWFX%O;*y)oVQFuF^}te
zVM-eo9q7jl;?;N_(KAQdUh|%*X>zD|AJz-zpH5SJ)LEV)>L2v=*LNydFuhEw#Itm@
zuX9+Q%OV3DRXnofTi)|m9DN;GPl&i1703OD|Njkb01V#!lrJ+}_3AGKX0$@~sAZLv
zXxEST<lf&a5?q%0A}59Fu$6_KqZ(LWFNDKC`S5GmGk2*;-0O`1J1a4@80~CNr~Gmo
z>~u}4mSfGNbAvObkK)KXG9wWuCh`+Cdb@1XzbZEtSeIu8R8#Z5CNh`;gDR?e_^&F~
z9O@)L>@LV^rf5^WX2eV%`bN*nB7IzJ3KJPl$<K(RC*Ra_gxFVlN=ZwLGCSMwsp692
zwIEUU^n*v`7z4;tI{eHjbB%%YEXia+UtQ8uj~JE+IqJ^<&O#Bw&k5`zhNXdZ`V|+9
zfww765Nc3N*GI+2jifDf!Cc9|B}+T8sO6!hi#2LAGDR&^WMC$Ivm1$>^d1l^gW5mf
zq2RpMKJl?W#zn!}Kwa}jD23S)oqjIMdEZ*!>jFbkW3;9>v>zFN^8wySx`-Oj>**f4
zZ`M)j6>R)_XZ*TcP4MEpVNbb&p!d~XP1@O&LNoZ1T#0LU$_^tZmz`)r@Epe#3~xGh
zCV@Gty7Q6z?T!Rn!5n4`F)L9lHoQk@vbaWjD_NaLdMHzI`vi)_GC_lR!9*)M)R(P8
z;X!#JTnJ+U2GPNRBA!JB`5phKHM_20mT;hEUqZX^W$(&$7s%+=LNYXE=qu%Pmcq_2
zBCb!q1SnK6bGRrk)e+!l6c!SgOTllP-y&PT?Gdd~4$9LOc;ULlut|_l-IRxLGWvvK
zR@sTo)6PL28iCeJcwgLe&`8b7NalBa6qX?DPfWLVLm@m~+8bVy4c%(Rl=9)09db&e
zB;0ZZ0Yk6Mal(Zx{&ppUxS<K+nrU{y+nqk1&Tf!NFT15PR*N}m_rl{nsFcTWaASTY
z;eIVMc7kxCUj|d=-^%5`@h*s>nWXLRL+O`bN}hvBNQ<go7gWcFFKUmSCPOo8swr}>
zvv@mI8))Y6V{DM~?B<XhgDf?e1y@g1^F#tac{@#B6(gGY_RMdE`w^S@$%cl^FF@FS
zT-Ezv_-rLhO7`o1yx8jI29nBvjYNwHY=wqaCCh-9o8?9{p9n>WM@mX+{=&>6LmVFC
zn-mS@Yu0pGgwjFmiS`(6D>lGU0)pqVYxN!TuQvOq6EjH*?eGJUgF_JsS;2)ow7qx|
zx5UO*FvwW5^HLJ*ht2+Bm9s_xy1&iux}5y8W+%Yn=uG#7B{Eta3qN&~qTDX?&0c|&
zf~?L<$Cg8PAlV!?Hw1pH@SyG<qNwsLX{gxKhBABCB^HY#?b_g{=pdZdTpinC5Ij~w
z9?WrnCE?PHACMfvaT(5LVs-dV@5zT&`b1(RBZ43N)+&(+#x5l={=iUvKqP?-FdvED
zJCz&M^WAD~plKvFjnbMp!IE?q{*T(E^Zie4Qneg9GA;;J5OF-K$Xr^|FN^U3R)BMe
z-~gLCnfGQ5fyOfXOq}BYy1)7K0lY?+n5tlhF*sg=-^fQ$UYLhOJR(T&<yuv;^Ne)3
z?4UxCN1B-f%H*EZn|>f}H_|WHk8mRJg5_h&MOS$;n<z%zHjKQ6$>5KT4J3F2U-`Mu
zy)p{t&MOpf^+zb0srEgY>sxv2lVF#t)4=9~#njV>QP`+)`%lR)u4d-J;Z{byKy;Dr
zsDSJ4%M$Wf_=&5{sLUtyH^QkQop5=71ob>Ae-`rr^+p8T2qis^q`j3yvGI7M-XkXn
z5ZKi7rr#Yd6A0(wLp*ij<lI2)`^zK1G}<b@Mzg=h86Hy{o7+@gaV42v<9odjX+QRw
z#ZXnPYN&}(-6%b2^nsvCK5X>PTiD^WZdzehJPR6FXDQe^2K0M1=n^JqIuhT%)U8oB
zuWl=ZfS8Kd5(JLK)zCE@j&i7L52t#-Y-i~B0^=XuGMuWan&E+G1E@oBZB%oFB+=OD
zr19pu2{TD@it2PI2dOc+sTBkB>&!hLsii@nC{?)N2G0$VKP0Ch;@V0C;6|eLWHxF*
z8zE?$!Kqpv0~Kd~tJ7et3^>GXyL_@jKt}Eck!7ED<0G^CJyD??tm4{4*LXk7qVL9R
z+T+jw{Zzn_o_XNBZv*FS?Eq(OAyxrT0z<-AFqa;NG1O>n_d}7*dqr$D-ZO^H*R|(r
zhGV?UA7<$pOE<Ya4kPg$Etg6ww(cV~&u2Lekwd4|@oPD|hH7yYP94@Z7U;f3@QA!M
zhka+z0<wE>mo!=lx`ln>XL|6^;&gD8_vJ1&@IfkrEG}r|!`!|A<ydVO)Mupd9+v-8
z&hkGFW>=+5o>E9OVT4P54Ivv55+Yg*S@K|Z7^I@!czfjpRH$RB?*_C}V4ptJ`k=jW
zg}>HYpq&-RW0PKcu``=8c^U~~XBFvqrRe9&Z|VPoFv8pmFtQ_dygjDVB8+ZP^nurG
zGhm_Bh`T4?!;SA5(NYBOhKqKu-pK%L@^Nr$B~g4t{a2=xfVdZfY|<_+3?!^{w!_@u
zkI`OKeNxxCA6cB8{WIO>j1T+nYg9VP5YDws*FJKcveU*yLK&6Y1@Inb2wn`yM~vu2
zo}^UuN9Yf*smX7Md_OH$|HGWMMu&F5Q-qEqK6uxQzCsLtF)<*=BlI<`#8H91MuWL#
z`SDC1IC;AG5T4fRP2<Q5=FM_DpiV(n@zYI#xif3eXlB51<E~f_jspsq#>5411ksK;
z`^a%XYQg83w>+PObzKw|cHWIi>5p#Ff{+vf9Jqe)yt!SC0Jg@j%FO3rvG+QII|hCf
zwlyQv?cmrO(WQQV+kjQB&D=D%7?(IRNsIp}s_R%P*yuCG0Md_dSR>%ARMFqe0Y5#!
z0aM4zG?-R+D7LQCGAo`dE`{1+V7BP<imO%rQx~XOSTW$q;KKZFtumbu2tW125Uz*T
zt<z0VGw?t-pBs#@iLcxY)Ora;Nkg$lz(HM|{U#Sv1=zJQuksKJyqOZeSTM<6S+74j
zfnT<(F&Ys*s6(j7hk~DYexS+SFiJIuM5Xa?R^7d6r-|y04^^ym(C}WHcNpsxaOwz;
z>&Jb#xj#79E)4p+AoxE~iSayL^)w!>G)nV+=R`pabTn>4m>G8!XQyG*M9@Qe2x52=
z+&AN+yExv>3<0&bYO}|CVO{|<`}qhDLohe(<t$@^*T{k578Uag8Z|FER~h?sqAKou
zpc-3Vu~*x@qhU>{%#74?YQw@N%Z=`&xhll4opLPyABl&=Q=)^^)#rG$S??Vf7|bST
zd=&_4FkI3RKel|pqlFrY>-wQ?Ib_r5FlbhW8QoQd<;)A*ig=#*O27@-B8o^DUd{P+
zPsHldK-)FGU$3v(qKW?3&qu^8DWg_0y~1LO>qn_F_U<ZfQ|}m0rLN}*``p)2Ke)D+
z4mvS!R!y4-JAYX{?!NGI>=szBba1XZr^+9c6}&nm<}Ea`Qb1|o*=q`QAmS_bf$SW`
zjo6Uk=yccIJGD?%y!;yYrMs4f9q$<r^?=#)a|0m3hI*1thEt1#lf_xl=<(QF;4oV2
zm%$$9!+0+B^f_}L(=X#HYkrQFjm52STs9>RzyZW7cA1=Sgzh|}TbwO^(mO{LPQRwk
zQXAquo0<N`ITV3k+!?iH$3t1Hfes|SMn9ZqdLeC3ZyZrf$hkK7an?@NKqHd19S#J+
zMn&h}6U=Bk7AKyeMZ}XtK$g>wdyDZA1TI<d@-KZsrICu7@(|fLvoeyo>nLzu+K@1D
z)81H3HR{u=6Bhfh41j_s2|phvh`RyV3JM&Fcqf?3$&a};J8aos5c-nDuhAhHO*|4M
z?X6;9V}_7-c#|W~Yg4i`<DE=A;bbz|ee;`y;@ugYPRhX$3-61t5b+1>O&j$`^i)JC
z$%^T^3Tim|xm?)n7(36y1mTrAv==UCym)iVbo%|=$+T~MyuVA)5p1D*Qsyss(TBXt
z{llC@h#gz+hZbly)v!-HR;wo#!~J*;RVK@sKjQiTrgb8YZOw;_txbrysJ?Pfz!_#-
zVCQw=0OWu*H@+M{dw$<|UW5@5Km585!<csTJAo&UWBMC{<RJv+->lAL%oHU(#P9@>
zKvBQEt9HIBZ{FKiIP3oCPx8tZC#12m*W+0b-R#+gi`&nPV?RnF>3TJ?c|SrRQTw=o
zS@6f)QyAZQkYwspsB@R_BganoGpO-CN0cQTV<r{cFrU*SGLRj59kdW8Eadwt&g(Vm
zn}_LV3M=+9NFFp|gthBH1Sikvgv>dQY+}`qsj|b4XzGqMIP_{Ane)jBsj}miL$f8o
zIYN?(kr@S3jU!4WM#kNp-nPlU4|zgKhRiIDK+Jus*2(3dkl1-1>_p|4yTNO2ZPfNW
z^Vob=IjAZ_*<e2gtsl5&@%3x~)Q0>FaJPaY^Lq%QM~at_cPD6VY8N!wuYkbp+J^o_
z<v(H;(ahjn(n~Cn4Sly@AF9iOb634D=7>)(?vZQO#bh=U1MUl~dl}zr&Ln<7B^M6h
zVNG);?`c8l`h+QQ2HAtXzX-e77`aZ1udU%G?J_H9oX>j`oSQgys5N90U0uVre7&6@
zfUQ~gzp19KN~JslW<}2<$}%si>H|!6En1t!dl2CML`*)7G)TbuulU>L^sj=anu6Z<
z{WzS#P(#XD0k_X4y~S9CQZ%Mj63RUaGC51UX)soVj(+!aINEoK;^im;N6c8h<S{l0
zYti4GJMmh!>u&Q@&=}?CH!bH{`{v0f1YPlcOQelQB2Lam4^B3L2V?_rC1mEa%WOm8
z$d0~HBW!m9$^zGdqdr>>=H!<=`u;r_b^$}f(8WmTfUU+}8s)}=XxaY4`{z*10F4R<
zQ&QaKgWg<K<!=^aUhC9e3e059SGpJSh=YL87VrqH*<{1Kap9m0yPnnohpPP*MRP{I
z*&D@;moIq<Oxz2groGtmag{m?*t){O<Mmnz1uGl*n`#ENc+)w4$TGP+nAe6LwGEC0
zEN_*GMR1W*jDWp&k`z(UiaNSMf_DqlySU``4s`_`I!u=dzmS+r29g3G^ZLpKG5`cG
zn@L<NKPE}m^nqdZG1U;_fszT7FIZ~&boeEuWGDoiV?K(rh!7&j%8%ZjvOKieQtuNg
z`W&e!Y@o#0vs2~kh(a)RuySo57U!)Ofl0Scu6L~SM1}U|auKWG^Dt?Oj_E#|VJ8yT
zXU?7F1m~S4pHnr-uLk#=Wwt+(MqV#Uyh^4QtzP4w7A~)Oa(GG@1WU_b+nZYzIlqAO
zwp2`hABMvJ)xP!)SFVW^o-t8d#~zWk$mc*+*YF#C^Xsakrhp%J3)p_IrE`67XhmE_
zlnt*)l?mOT(S)pFu&5<e)tbq|XSq%*(;{0>^wD?-?F~9J92MW_q-%%t-b;NPup11-
z$ph+8<$rH-nb-OmDE+%tmtdZXM669qSDeLk87X$jc;RZBN}I83<)%{o)sLu`?7nQs
z3dXX<P%b`SjUr~{f02Bg7ST54+DBVLIr<j8X#&Q2%lOmJ>^ZAV(wMYm-8ZcwbLu&q
zFPM9b1KR6>bq+!r0n7f~2%B~+Qt4&;wlB@ydlz>MgU97us_*I@4z$+O-8Y8ZXA#jY
zfk|-J8C`+L{CR@_8RPG#ul0TQZkw+LGM%5owW%Ges9iP#+tW>UQq^OL<w|^NHp$gy
z&hUwqd7t4FgAOUp2X9Y7h2_rs&Bz>19+>*yw>B*iyA3txTh$ESgoECr0E>{7J1@NV
z`Q2SUroErx`{MKB?l<gL3E^u`AtFjUE<hw%)Oi2d&H;{NWXu;%Is0)84&v*u0Ew2y
zmbMy(Y0}OO4eM6*24K!OZc5pxkgtV)pm4Ww!1Ac%0Lc~?c|CJ0ox>x06=D;U%vie^
z?k%{=2kF_@GE574*%9oPS+Qr-K`5~j>fR`KC`-tZ@q!3++1^NSXom?H5ZByHw=UGQ
z;Kr=M;T*n#3(;|SBt}j9O*h)@(Bh%;1+g#tG05n6nA~MAe8>1sgB(<;aNj#dQ4@+z
z6dRNy=-rC9@&*X#DH?|ZShb?o|95=<uWMOI8k8SZ62wMfJT|LGphi$rutl=Qd_EP^
zCzp)a+75T%=Bg(5&A8jjX=9^gEu6_(4=*dlG@6T9BcB=v5tD=W@?A8qzcq?urvD2q
zr%Flb=f@haPWKhg+x459WeY`g!<dE<yp1AsVKFtXYtCcA*VwmbBVWF<u}WE3G|*_(
zqr|ls<SO-AdY!8`!Nvyahc@pLG~3xF<<^lI1qz|-mF-(&PTy?}dar~H7EuFPrK{Q=
zxViCC^1Y{ZSMIxlk~DO-)+h8ruh+8x{Y-No+un_Y93r^gfQlQjb5`&p(U0R~PFgUX
zg6>G=6%=YrE+@RNFVpE6%j?uxGdT`*Dr>&(k^isj4iL%`T_z(v*_eFokGb#`+LJD{
z-u2zO4!tsr+5>_M*IVfktP-a8tS=qiiP)iK5|+rPi}j=D$>YLV=y7@@$;0|#FH?9;
z`cUhF6fk?Xt0}+s`|}?AE>L5!pKZ%2-ugi~cHT1x`VV$GPggX7=Q2w`>-Y&0{>)~6
z@13L;x~Mt)`(zg+3S9OV2RH8Eb9#r)*9RyEb0W(JuPpMk@xj?Q_cjILF`QpbqNxEj
zX`i{3OZL#KU5?;x=;N7hHYMzJFL1&6n$%WiXf3FMB<MoCxI=1U?qi6Di>LeNUAW7H
zU^cSYOmc6$lE+hFeH`O=Egn*xl|#<Xil?(+Fi-A)w$~0dEhE;OLof09N9WtOGV1O~
zJw?eSrUw;GpzU&2aeaG~ecNHo9A2Ck===zc#sUY%s&6$CevA1IgM(S@E-bQQe#RLx
zT{5`|+9mOW!Igxc+@94TTYC;#e&!Ga;;ZZEL_u;$mVswh@{55ZMuw*QLn9*+_V&#B
ztVoC~V=TIhtBTW2IQWx9R9J`{8&3iBSU5O1RLuPGrT(ETUN~M3xG^z}RNNd%izZn!
z2xZmr(2{SmiO-@-Wfc%)0_6xdH?b;kx?wYsF$t4{PZJ{oCq4R=^7E?ekq|%k;+lWf
zB%x>dDwVz*QU4vMnSRCFma*D%)pvlyWZ0mXTv<s;#=N-`9W4|8V7^jHs)4xXY)Cc+
zxqo}CC`!&am%dNazGzFX0zVq@3`dCoJKSMT)4o4t*!Sh2fXnT=ikMtN!D$yNK2^`q
z72nMVqfS5&u#=ca<Pr~!c#@E8fY3%)Q3nscpPUZ1C?v~+enlNEk_p<N)zd^5Ja(%3
zHJY{{Bj%O;@Pv#~cI2i8eT(~;q-0d6nEq{gNYt1{XoKBcO^_oDpMk8hl9W4)1|g@X
zyi2!bGxX=6UJkn@k#_u_=w&vIv8iVIdhYx8I7rR3Y#IM%mZ%@*CsUMO|8Z<AKKR<{
zvei+wK$ZVabIHF=dmwXN(t=q61gp`TB~KAJ&yJw*q59H<))g0(=mE4|bZdl$^d_z`
z^dQCC(%ue~75Y`JX`%bC%){s_$;mf{kxPFU)zyVdg?Ip>e}U{&WpQ3j71$JQZn)|!
z54<d)PT7oz<d75`EjDwD$d{?=h@<B0)=^q5hHP}?zL#?3Rb{eT+-XB-^CVo;gFwxH
zdS|x(s=uBT3p4J*T3~<Jt){G+B>mn?0*muWr(Z9@)N-^Yyx**Qa01+cXf%mcG-MH#
zLfx?|?EQUX`5PApj2xjs(#lY0IcBqdG%YdupyN_BPz=41oZb=$LB#rXwiXDUUoy37
z8#nY1oN~<ZMw^p<Dsg$y{%dg$fEFfWR5OElRu4j9k@vyrD^1MO7}i?!NUsenC9#@X
zzdR2&UXC?6d>)K?#Zu<5=xKM!ee4v58^fqH(#Xw_NPt<iC*N^BzZ1$yg}IXh(ddD`
zj02TfachJwI$yriG3(_<g2&qso(Td7;)M^bnOKJ#8U5?g5M|U0r?E_QrHRhC2!S@s
z4ls$NIMi#0^cKzvZ~~viV}FT-uZ$r{yDLy=Reo$2xlFKl>^y)Ybp;4T{S*<dpp}=!
zD%}o`((mDiDw?2}te%edN-<$Y_iR!;%s2Aig7Qzb*@Fcnd-!0nJ6nz5?hHL39#JVR
z1b^u8$Q3_Vo8{tUl|I#M==7f`{BN^kj1O5kV~)>@upffpt^?f(!kac3{0#Ud!|09x
zt>l{K8Fglj@gM)>-;N68qIw$g?!(vOZ~pt{zpp31{ahqtEu#tkl~Mmn%q-YIJH(i5
zsvOyv@lTT0I~6rmcW)<>)x8kc{UelIjf{P>8WKHmAa#<n>U>Ap3v%U8zpL{(R>>TT
zSZeWYW49tpsnCbdH265g>i;my^}m+n?_>}_3*jNKyARyYRTAGL_QJ10eYH`F0g>Zo
zaO@e-OVe#mjN1-LApf4lT_8nxaP01D-WYv2rn}gC2WO><;r~!&lTVGdzv?)8=ZFYw
zh=yb*8DMmE^^O?8bG(1^JWv4YQR~4|Yf1h8@@Y@D(4BhhH5xB{ZbK)|y4%R<qX-U?
zwnL&3?M+uaha2Db+Lu#7lV%5F!o|kM(qMRAyr?+)$(WyOp`8DFE!2Y;%u=znbBK;s
z3$9_)V2s*S24%E}Cu0Bm6kjBGQy5&k06T$3uxNX|`<V|^WOA>)>EUL@&JWre?L#yf
zvtZq69;fyoeb15tAE)Mo$oq_8-MK}7iGZbKgucPSg2qNX4-b#i9}hOZjz@ANueJU~
z6@U>P2qYAl%mE4s4K>luYBGW^X89*k%Jy=SySvXlP5diVFC6G1G_w2Qrl|~A|B79p
zLS4&=u`9^v8DaJf*9=((Jz<6Y`ka*XjqJhPi-30_9M^+eS);YR_QN}<;+^fjlzjYs
zRa@SII=QI{TnFb1?@85Mh89|#=rr;0O}eK%PT^iXsxrI4M4C<}+DqP*aXgpIqBtsW
zZ71vn>P1#OKAA%gwDhgqWMmqqj?h4kZ`rQe{`r~4UR1_`oTDe<Uz}bAxf-lx$LHKJ
z{>%NYro*z%G!{Rjp#KUW9wduhGniWLsvz$$=zz=hzob4KxGPwV#gqwgxm^qzOnW-x
z-5C%#+k5BVg0Kj>3<FI~tMp^GZ-QL>HV|qHIx6v;#vlIT5#~eAZoL=;YiIrC<b#RU
zc}4bltg8OA3a~-mvP#%{yQL2ExU?&2ekBgqPC=(6WU29fV|k46HBa02!2Al#NQ*g-
zfcJjo&sYkAf{i*!gHBW&b;tfaQ6H3{9W<D3%ub30#>;bAx|*pah!o}Z&f0B?I6aSB
zJMst==C+?q7$W1!Rc){BNme-1g{n7zFW^DbQeX0h!6%p%(%h`~h(Vp_u)JW6vxyqI
zjrV2=gKbWDV5=7Jq$AALR~Sgz1=XwL>;+w~C6#?|KJ}F}?|l08(+$hh{zVl6jAI~8
z+OGcJQ|5*Sdiz@Z->9YWH3dW>!pu}82+RK23!qL-();dc(c59XZQVlM))B|nmf$46
zv6914*011)PcUY0BxPd<0(oUwx0nPx6?m5KD@&=9{qTr4Hf*MXs<uuTydhGLODL=K
zb)PXa3k-{jt(vY=ugm>$q|BOL7*Y(qnq0QaX5#TD#&S_>9WyRpYUnY9UFl{*wBKu=
zR#UphZ<E<S+Co-r4L2Qw5;l9Z;38Spb-&#-H5@)K{%aG~delzN^c1-h7%YT*IYgzF
zyeMdSOdMRP>Z2t*ZG7fW&6VYy?G^1_qH36$nm8DH6jHt?ER>WU@AkHy$FnsNxWtzH
zJR{TnPQH`~UXQ1puT?Gd!49}heO7=DBxg?YVE;Vgb8|j{>wR0dH`!mfSq7xtj4!a4
z36TnSoQ>QyW|zv-IG<x5x#|!{ykZQA7Xb}~!RjSW)g$u1RtixWSpMkXS08n?5!v4w
z3UE|d-XKOy{Oh;YwI~A$V^M^r64sxp5OO>W0Q5m6<yC#C9j8~6_onycJ=-tb(`j-k
z*GVRM@3Q@}21OQQ{(O8wRQequx#IGRsw$XFG+q~r+<0%NCq~|t;gCK$Q&~<$@29{%
z$wBINWgM*v{g4yw6N$$Z7L)fnII*d0y?Lx-E*c3aqq-kL^HUr9x0Q(5?NksWB3=v1
zL8@<FibDV1N?ri4u@&V*JJ!6$EO@KLR;kCSRhU%=J}-ZU?H4rd*X1Kf9OW@-uJ!X{
z@fnLcaO`qMtT5%y%!_r5zbcJRYm&pk#&i>;+CE&#42|=vJNw2%%;EDSkFy-0%AtQr
z31@!18o^NB2);VkE704qzp&2=R$0G=^SJ}+5;71|LSa$-)_4ODv(k*ILPC-5?)ENV
zO--h7DH#R6in+aKbe7M0SBk8i_4+z9v?Z*TRnB$+;e~FA=}^x)N8pelrtQlkJ9EJS
zl!MTGAx?I$M{-?^`4_E?rWbW5)W#gcH!s_B)u!(En4oL+9t;&9J@}3f`C$@Jh=J_)
zf&O*&*!x~Ke$GuRw7-25<SThc5Pp6ZhUVmaG~~SU>$+!EIO16xQhzGr=9gXNhHi^$
zbZ^RvaZ-ktKcHpr${-qrkO}cqj_>vet&jGtpz`T5ZirH#kS;Yyh#<mbUR>JV6gp)`
z38tuW3R;52R!haAzfu*`E^}9P{|HDeQ0Rpj&3$C@w8AaOM__0Eopq2qRy+VA*nl@5
zLwk?I+6!A!B}T#uN~tz`3h)6^Y<MJFY#++z*@pYYYE+a7nqcy{bg?;3AI__7W^I{Q
zGnkew!_pL|N=S_!8)cc5_CI<Rc=KkxYLtgE9=X%(Nmyqi^cQ@mBtz#0DfKwPa|n~E
z-S+2uRDp5-$R;O3R#RD8VUl_|=Jf{-QUInSgIOQ<{m`z8OB=qyJ_PplNpD2!RY~iv
z!eCM}*3QuL<ZNYnZKkWx_3k-Gi>hgipwbKzVB%sUCQP#~`jOx|Fm_9S);Bf%2%=|*
zShEI*;fsm^Dn7<%G$gV|bz$M!NST;mw!KqcFs`Ly90oqLiL;EvFA~L{vSTBiBh%#B
z_xszT5)t!TLd!ef-|hK*D>gw|p)w^^LHsI|&z$G#>YDiO9hHltX3k5z-$nr7Ob=dl
zl+n_{!@|Pq^A@k7Ddfw!)nUf_tk>jdCoMg&i|skYmxA_2F)4nGxFBeL9~@Y3t%`0m
zt_y6iYl@0eo6eWzH_pZPS%f#YZecu=eNO;Rg}nqke#u}`rl5cx>-LxlldL;yG2l%+
zn$eG+@iA;N7-wQw_gswKU`B&!n&tcdaGVs7QHCP}^HCj<ZMhm(1OKzAyeY7`Mw6f}
zst^#@T378h5r|1{%eGbRie1(ib(7B&C-M>7E3-F6{<5B5W?9%?Lhw(D;H7gh7Vnpk
z=qUUzUtpWBKO~sEA}mLs9nR_nd)n2AGFp}JX^6S5{8<dq0m+PM^okk%kvb{OH2tUf
zQeVbNT2lRFgJJ&AK$=**dm+)>d@gn-e^dYz0M78gjs(WvGxfW?`(3yGg$QxO=^<|T
zr$x-)6fflOUFqV%Aw%h|MZC(taTYSM0iD3VV3RvhxCE&FIL$Q>RN477DscvV)Dd=H
zQq-)Uh%h+Rsr}X!pfg2OwDzLR!_WZ-iMBy333BWf%uFi%%a<_RnMXhp5qPEF6t3!r
zVBK{>l!j!CW>4KxNHK9zmyL>OG|j$6gRYv6&L>1VH8r)Rdm9mNw8Y;?mxlzEI}sTY
z0{#B|d(n!c;W_^|jHEkou*qPUfqg4{sN|ur$w}4kTU$0ptd~Wmzmt}?4uM{q1lN(0
znHfd8phgQ$rMpmzy*7z6DHu!U!nd6^?b8HV0=)bOO{3R;niQeIx)TgMB$uKq_S|*{
zf(>)!Hu=Wt8X<zuKpIurH2O=mfb=%QD%unX0nOML;FbS({LW}t^m@ys1RwU_5SvE#
z$aa4xX-ntbLV~t1V!o{G(D{SJThT%_R5JO^4xrGd&A>@Dx=3Sx8e^LwL=6e0`;B?@
zbgFJ8IX{YT0Kbv$UvfB(292XQ9)Ixl?H>&GUx+hQP!KjEBr7HTN#wFfVQh`qP2}h5
zz~dn1KS?zSt*T#0Gy)A&Cplb!m|yC{XQH{_3G_=oP--fqQ0{+e@y`@2;REOnzr#)x
z9OPf|P!iFfEqGzcY806|5QHAN3K)nZGM-87aP|@MJ{!qROizDdAbYg;x`fXNE#XgN
z1fjfCWeSO&-;<V><^*=!y%L3gs8|nAgA{Y)F&l;tN~4G;aF4xyEzH4B__%V<9+6R$
zqiO!Tp!~GSfayfhI7OlN$non3QmJT!-W%ij89E=gcatB(`_YuJ)pAFM{~udl8P!%7
ztX&+6CP1KQako-ji+gc`6bVq=-CK%laW7t6LUES>1&TYx-QD%$y?5Pjz0$Sv<0L29
zYxdrgJ!hVIX66&Cjr|^1Qiu85&ZCpWgH3@y{T*MRrE4N8&2&nj(Zr~%T=#w*u<vaT
zuaWiPvExf8!%noFi;C2B6SHGq79sZw_ro^`nn7jK$;)3pNvn`pihAY#u@f8I;u=1I
z#>ZKvs2&0$>Py$;;Y1Pt!;02OE(aju;y2f5oJqM~URsT+N_@@GMmdI=Ev?ic4Xj+<
zWR33uAa5+8a;`^xu<ay~DM)(Wgd(h~3uUEhsElK$?P~eL&ac}muAnQoRMB!&vX?DK
zQ4~Y>9Qa9-4ywVJ^l6w$lfzf>7vCtD(K978Y<BhHmXYVfEgw$xw^3PA8ste;G*qp&
z>$ibF)0I+`sg!-l$j>P#BE;3?rxOPMt9j|)5S4z?NH?s`^HjIdCVHRUkrSRCJsE8_
z=ckGSk_b_9yYo!DN53<Rg;YsE!QxP-E#V076@>Y_9^Q2jzVUfYQm#suI)J?xmrMx*
z+-@hjS8Fr!G^SKYfUn7cWuX))z)==MvKRCnbG4X6U}|v!jH1VhH~y^^*9Gz`_J%GQ
zlit0xAK64Ib5Y2l8;K<wHzt=mte+h(Gc{_Fz@*(eR$jAVU~YSva87w&jLMi}^>$!%
zr&;2oAV2cQ(*NqU{U(r?qC-NFXTsWlVW%@3*RS*Qz8<)<^x3sCN`CC`a<@5WK_ws{
z$^6X}et(&KIVOI65{NR|AkH)hZ`xnoaP2TE_uOX>?4?Qg38sFceH@)Vy*%h;+w(=7
z--<)iKS`Qd#G7`WOM#U5^IiGAzJtOT854y>c!_E%7N5J)PD+2Hc&VX3L+s~(WN_YO
zWH3?V`%5eTXj%v&?35CN$AAwNTW<=@(?SgmQ|?%~DB+8ZI#o_QS&4ap<B?-A_}s*~
z8RtmE9e0;T>Zc&%YG?eU`U6S%LzOW~UBxBSiR2G`6;0tcQOm8%UN`CaxEge|N<gv}
z+t<i-c6pK6Ikq&yrU+w;_*yG!{Yr!4#wz((JbyYc&Z+FhSoti8;A-j<lk`;)OC;^r
z&eip%OMY;74G7eA1T2A!%0norP(Jvt*PGisl|6VuPO55B1tJV?e#ykpTDG{~zf)Pw
ziLy~~8?!dS53vUvQ$UTV&TUhG`|q`AClFzjJ^r2-u{g%ukgM{RpA3wE6)I|avXCeF
zFXwNmC6Z%OoL+ccZFW{j;6xK=YohCzOne#LYX44pw|prx-U#1(-sip@#<`L}$O?d}
zjCf=mBP*ECRgwvE6HnPKF^xqjIT5H*25~W}M)lRtOM=@p<{acXDKtKW-jj99Uxt<p
zcSwc;0UR9Wv<CvG=ujgw$vZim(2y|ku6SNRWf;^$`a8Fh%K`)lQKr7=!rjYJf$-Ma
zF0jZYBP~Kw+Gt)5j;+Qd8GN#7sxlEoHnCX>RH^U@)7axNFMr2zqC(HgECp78Cz=lJ
zd_<U?sgcf)<VF?PNHvvOqumLC?mE1#z+r88uV+hedS=tnKq3gRjr;H6-fkhb9Do#8
zby8y55~dx?guW-l=OH5-BKfWU_x@rglQcZI#Rgl4r??`N$<KC?HCxVKOjLs}tF&g$
zLn~G+v<znoc1t+&2J>iewv=nW#ma1g!+phpX@$aEL$%Gqs##<cd4k{_wFEi5v<fSk
zrysnpe!XnKC-D5)l~H}ZJSX8gUNlU^<GvxuWR$Hxgn{TNk~EUH1pgy|hr3k!OOrln
z^amuVd3z7?35L0_6(+jnAzfS1qY2b@l2Ff4&E&l2d_96S13RDa97;N(>VuG^Bf<!7
z2w%<@Y`=1yKre%gkYA7_+Cp_2$HK-u#OL0{Y_PLB3{lHG$$a|G(r$E)+m=3h*30F_
zH0kARVH+b38NF92XZ#jVn@PQ0whFK(vPRO|Uk8Otj0g-y6z-P^Zlm>EqSaBCT|{Z0
z0_<g<n8${OIn4}zp{N03)CsQi+>k!rZ+GmqnfBedQH)uLJIawtq$J3!b_OsQtQE06
zebSJKe~M~GO9~g=z|~MVaq<wFX)xjoYCA`g6QosqD&iNh{eu~9-+8yJ>=cMgGED|e
zReq<ZadTWSJJVns4bCJyzRffE%A|>^dug(g%fM+8!_2f5rx!tq#k|mnE`Q1YoQ_Cp
zG~s205#GxM)H0cD9Gq!hLiz#*)1Q2Y=?7#I+<%UF-}ZTc+y{I1Rz`55Lg0K=>8<@w
zjrv?KCvUC`It-sxQo*M|=U;QCxGV4A`%{@`>Kri3TaWkz&j-EV+Dv2BT@B(~;fmzs
z<f^c7t8!*SQ^iMlxsZsT^dc5>Gked*lXA7D(d~WG5R<!r$DO3plzo}OR^*-_o|ZFQ
zqMDsgy%k4jq4Zwra*UsBtmPW39Wdv$(>M&zpH?2(wpLcr*<fv~b_}+h!q#)G#N<9#
zxVL>!4qSq)$s1C8p8{%!1h~#JmF=ku?_Vho#I{~12=|rWaa3ZSQ_%{^zAI)131c^h
zoP=K*9h<g{=IS>`NC&T96H-eAh4BLY3y;lB^5_ibVQeFIzvPo^7edo28i8nN0Nyrf
zJ3SX)#&0*vxO(1COvz14XyHr*#=>{6T%%(keJT~KOn)$Ia`0Rrg?L@1jCDjkk!w|q
zro0mFBw(mb4n6=h4}n{W>GrEf^f{PnrCII9l)%TIS~J0K0f*IxIkJ14AXi(*d_Ie%
zikWI=;Gg;dnNQ!Kk6(jWQ<PIdUi~mbS$weM*2`9rd5<djF`IOhBYU+R7z}5VYCN!u
ze;p0hV*b#8Mech;Rdq?w@jAs4epUEvyS@nA<iz89Z3@S|5w05nvr&=kzC2D)QodLb
zuEc%s{YdI+vlJ@ZHq;CE{>2IeLzS%sj(?&Ca`t^NM79_qygEf&**}Vfh?1X~&|qCA
zB7RF{yr=9dsJu6<rYS~MMAE5`PnksY>TIt4we9->-zUr^*4YST3(VyU0hMLU*ZH<p
zw3~#medC2O8p69vJcZ0Q;N8o8c3H#3QcSCp&T9kc2WEfTdwv8;o({%e@!enF`_JFX
zKNMobGMMjF(YTwAiCNFplV<w1;qm9nUK7UP5J!G0K^@n!hP5i{R=VrfZr-Y|JBQ1U
z$9(KI{)4Axzl)Y$DIW!tivZ@XZN%_o)xg-GI=|={p=-T?OzdVGQVw(~=++L#fU5-W
z(9qH5cS7E8HlOQSDU|~EqGx_q#_`|b_`LYBH7tFyd|BV9>$INl>d$0F=WEbHF#Unb
zKaBbDL7(*2zyXP@>5&o^8Z7e-#)_8UPT5*2#2%yz09kfkerPzB6~tx9sEC+hvv5i9
zkZ51?m)3mrG|DPvfz62Plqw;ObsR8)%!s3>g7oc15E1eV0*F@C)q&2t_7rm^$81&a
z8!AkWepnpx$|do}zKg2*3hgPpW`{d(ZRTMeza>ziGL%;Oj2RO<xtXm}XQ=!;$eu5q
z-uVuPW|QM_?3!iw<pDjbsOaD@9wmqYs3nPP!UR(3qGJ`5A{D~`DroL%Xa&GKN|2~w
zOoV#o2mH)(In}B0CY8J8>K(5$h`#xa?%)>P13uY$UZd6chKyqytp)b_KRu9JX0)SK
z=uLLcQ73{v=)CP&z0f_`srCRj+oGR3oz=W6&MGRNIl#JqxWOLH9rV~9six53QR+Z?
zrC4LUOHR|A9syww$%pl1B-e1DJluUi%jgT+;cR>NE}OXjjTjP5WNBI$2hZhao8PK>
z7j3eX$=AofjIVO-B2Zrg(<f*WIb6hO9z*&As2p@A_~87CRH9zcNB8EaM^h!pxiA$Y
zEo0$X`1ftC^{h-b5F4_;>V6}60r;c^@m9xO(txk^G_@wPA(3l#m?Ig>!+zg<3-Z-&
zdM|+m5SFMv<`>$YKV!r=m_dwgyW*oA0teN9XW_Ux`K^4D6I_Vyp**^&(b{z1^{&Q0
z?Y4g_Ns}vt{)g3;W$8d02For@I8F4cOvO~@avgN);}Y=I#7ue7T(&*kA3TT&qR;(S
zTgJBPbpBl^zyfLw_~xm&WDp=$o2DrXwINm?jPywZgl#%tO%t*|TZ6p@D>jJ*Cqxi&
z<0$S<j>3YDw%B^37E-FRu)>&n1wZAgtE2m7l=eTgig|O{(UjL8s3JCVdvocUZljIg
zYOalk*S}t*`iZ-T-ZJ#*kie~rW)Qd%_o-$v*7}!T6M`|DMf7iEyUuwQZ5dgmo^Li*
z{*=S-#6C}%?bJ_fy`gybo2@xd?V#{h%SYWo^Nrg<`z<_AIjKEb;ztl9Z6UbY(}l)K
z5tLZ5kl%ojz|BBc^qyjSvK-$vuaH@|b5_ki!;8nTO%0N$H%XjA(?<Dz-e-&&b?@6j
z8V<0WwE~+4O8{d0jG{k1XF%|f^cm#V5Ul5M>5VGx%rG65ooa9942`FLbvtm{nXSrK
z9IAj72H?F74Tn`_608+u%-V-oY38m=l+IVnr%8JR-~XQ{`uFpqfZ{JySYkPu&+XNe
z?QGy(#a=W8feVc1>4B~_<A;QvtzL4iGuI;+s_$VY^I}3qkD)h`GEa|QleWK+nzQc3
zu)N^cBQusMSa8-)Rb6M;Zs$gTHZzC%?mX9krs3M;!pcIU5`0Hk7A`)kg_qE(5(3`g
zVz>k6)avKf1&*_tsGPIwN^U0XP|4LwszZJQKTb3oHQUaa-@#Uir2RRY4O-uN;ZkzP
zSH8NFt$xdeAvowbgoQ`xzL_W-wuLG=$k-a13ap*FD^nhLXn+Zdc5(Njfl1)fkZYCr
z7KGfT^aw3G;!oI*0xy*S_{<Q~(}QYq>W}@d0rV<))$Tr!lhx6+7~%@FF#IuadqT8)
z&pmdoNP3u=Z6gWpQ$;?w``QRZvAr-X+}?z~1=+}FIqnp(ixZaQ?PH0b_{qJJi@Y}7
z1Ez$;5NTB+_S!n}14cG!YD}83QocA!s2bOWZ-mKj2u*G7gE*w-7=@OO+~j|gg*xO&
zTgnNsEXqc=5@eSU#m&OE42Kdd-J#mOCs>gKf3uYg^`aYC-EmH1>iv)RYli!I7X#js
zU*yB><W+j*dj(N6<SL!R*?i0%Eb<U3m$>Q^Uek9%*Gm;fE%n=iBDWxn7BJE_YGM)k
zBaCycwRf@Q?u)}aIf6~oUaNc7A86qi!AfK8cmzyt_(Gkzl(0D%l9vO!uT%iI@w&x!
z#@ZDc!jUa`CM6S&-PNNgP^s(Rn%ey`7p(UoK3^h)`CPZgJb)jV&&6cLHg&-J`c4dB
zIVP{OygIgA<0%n>vxYkg(_bCCReLD8EQ<jEy(j5h4&LBFJHF1a#;8u4vVk1l1>maK
zmc}@kk2B)~G=(lr4!bW~knH=QZz#kV*rZ-b*C%e)0V%YX2|%EZ5=h)c5!EXzRm0I6
z80kkg*HEkYaf%LCW8)F2O@dvvp0OH%mGM`Bfw))&2E@VB2Y7W1G@kU6;=%StbhrRl
z$~>7~3Wz^0z(O+Ag#Q%Td5+H(3U=V_4wKka@oi1FVo#wy3`eENM!UY8^`r1xV7@;X
zv{>~-B<$QZyyv`XuXo|Q6?#O22cZ$Eb>-+Kwff%bS6d|KAQ1?UZpI&LsH;<pC57n8
zZ5aO-aN*5GrSE`QbIUUi%WQKEC*cyec0)QEUG{1}nwUhCj~e?9CP+;sac(h7>O)D@
zzST<;$4G*PMvXKFg$hh{T256SAGeU_&pLxsad0RT@#yk@HnxE!5GO+&Nmavrb>F?a
zaTSGycivaoK$lV7D?eW7l*V|_%M-Xn$=@+=h0{bXt@S+j4pHYU_WxM3T9eeSox?4!
z$ON0qk(tA2EZ)v*>pXpwD~^y%1pvN_!Z0@8<Vn2T0Ik#ab#>C9tfz-@AR=MdB<<rJ
z5ho#dC;>iTF<Soe44qbuZy`T>!&#Ht;ZgYD8IQMa{Manwf5$aVCw;?<A6&(OlBQAm
z%=+NJ40Vxxge%hW>_X~gMTmuxd$(#aTb)XxhRG_56(UBkybY#O@!tl8b162}vZ#pk
zhotanANM!Z>;<^s#IMb$Lu74jStpVxwe`v|7(cO~|HqKDzmjavohrY%nY(3WWi6M=
zk)4HEwerW;{CHQ2G$pGuTi2ErDom;aS=?m-HyEYWZu%Yd&bph-yx{G|+`M2Imvlo7
z*;YQY9iUZS@S0t1-Jb!}C73&mP-?qs#9Kx&QDn=J7JX=l?($)^sy=n7d2d7BTv2L!
z)8t$jO1vRZ?8~c19DG=jtmooGR&|u+%S2vruT2~Yp|J==zqIKMU;5Sl<qI2Z-HdY?
zKtM{9#jI0>Gwj>6T<zEkowa5UZP$`!b_V|!Nf=Uq-(9Km#A$Uq(mzRlu2iFF$sb45
zu&%z-{Pyt+7c(A~ENLmewkQhqp=3b4M<JMyrXT6Ms$LZ1meblkMb-kkXaKCD2$z_~
zR!sDxKHMp6PD=g*v$nHk?!?41GPPu4W=6%pfTmee!yN?U{;vQ^6mS>HdL963YHE_v
z?PYuMQm&+QM$&j4${BfTr4VmTTk2wZCd4$@t+D`pqPfh_qhGZbT&h>JqLZI$l7aTm
z5SqcA)o?0tM)Xr6)dB6)p-1#zul|kvx9`Y`mL0`+NZG{eTtyaz?5S`xi|g?)Vx5d@
zD=a&=9-2b>v?DUrsQv{Ee|Aa~)fS7U3asTNN)KzUkuK?5qqa{3WSKiAeo$5l{x^^+
zhZc`U%LOOakw<&(&iWrU`YXVoE&Ci`(Du;gWB5;0;4kDf6(`G371vWR>EA>DwRFp+
z)S?~hrOl=3cz+sORPj0dP=qG*P5uw?CbhjLFw4+UQ(sdl>`!B7(LTpTCIZNYY5uha
z|MQlY3GEq}XJTWbll;@z%DB()xTRS1*1s42e-M-Ogy*5t6Ot0*{unhWM0*C$xw3nm
zWd9WM8Ipq!`r)YgJmYi*M0nv>MF#qC9)U0TJ)nPZ937v<P`aU6elf%V565;Ng^3!^
z{H4u=>;6!1RDR#T9Xmr9gWveAbE5ionN1eD6?O*2W_o8=-@nCf-}x&HwBty_8}%bq
zv^@^R;PL7hf9PF%0_JryL^0=k=|k?I&<o<_U+`g51BW}5-@pLiBqjw^TtY&2eD|3A
zKYRPRE$FYvQ4psWpB5V8{V`cGoZn)>v4E2#D&Vt3%egcvd0vz}n*09orb2L?Au9&d
z$4G{dLSJBIi&1tc?cY20s0v@hnta^?jHAH$s*K_3z`@&@bIg`OD?s)6xv&aQhQ!L?
zli8Ch;aV;Zkk){wElkTXB40u8q;YxSiPXE+lzoyMJ)>cTgS*}G?@w?4drc>orHLQ;
zi5Xd-+9F7$3x$#^9}B)!E?gX-692VR41Nn9u8oSgTmJBi*Ra?P+4b@e>!)EdhC~`V
zoQawVN}A;vgsV#w>dU@jCpd~NnSX0c!E*=-jaH61G(5aV-t9xQS9vSO`$b25F^rB)
zgvS?RWzTgBbQx09#|8$6o?gPkX$glVMSf<p3$7n2{KeDXP5a{N@qscG9JL?iln1wa
zj#@9jJbPh)NNvyjhoifXN;#aBkKbKTA1{%&dh{c~OjZE!LQWx~yXk5v>{yxe@uc5u
zrr9Q`em}iE?lP|TGfSN40nXQCnoAe9uB0Xw`b2dLt{3lJg`NALBWYm?L5}y5u%u4~
zh=(8Ecg8;!BL+o^JaSvEM3gF)oSgkavM0tcpF08S&2yK5bcE0puYG>@{}Kz~BSBjQ
zbvt?^UY0)Kwhd`xM0W&$7H+eo2jbVPKGpm~`Ij+hm96|kl`6y?prlKKx<OY3L!Czh
z)9<Q*00nPzJ&{*7L_8zxE*7(dX|?-!9qSn1H5W#>+^C?`s6Bh7<;YhV2#9)31)VKk
z`dkoM`_tXKWj<vLrw`D#pMeDLkAnb4$d8nKZJYkGQ$vwps4ek%P?sM=!tpF`E-uj|
z=6Alus%<wxc1OI^!R-2*P_%*~!_{7%iuquuoi}y{7t*lrF$1!j4Pi6R{Z%q*Y33c%
zAu%6FGSNQ5+X09aXPna`_jk22L;tLUt8lN+mdc~pds(XYE4>bnf;Jb?C!t_Pm~<bD
zVCrDzOEaZ_uWsul8#;0cM7r>GwcNl+GbJpa0!FVU+`+ZG!q$j|99PX`E4$e5po`@P
zADteEc)uF9HggWm!_fR3jeT^mSr@LWn2ppU(*TI3LoJ1XAfJRAsUlpY!dzq_Wy<My
z13dKy9Rx<0=#!=T@N)#;Eyr!`UOf38dEHyt(;a*oHJ6ZZ=WYIou23+d^Gj15HTu3s
zLQ?Xzgs)vOh)t6@EmXnuAh8X398{5SsER+LQm24S)!EsFgVV9DuD_Lw6_5W96Squ_
zQ;6RoA>@M<jViu%Mg%#X&mRe=&jx+qS7FG3P>#0BB1E|FlFo$5E#n(WnvU=lNq%cZ
zx#y?mmJu)begUxM4*9y$^?BZ!d7%=4rn_7fDStCp8HBL;)1>)y#D;#RnGoCW_{Xm$
z@LAAo=PT)UgDUhMbEsj64YRR``-#2<zoXx-LM#`ZTmb$|w4RoLVt{mp?7aIf6?GMg
zbM_!3m*!bC9F2AH$93|Sdo~y~RJEEE-{#I4j`!^(6tYzGxXv&WWL4fs)>K7x(jARE
z`u*MhJMlL;3rIo$kt?h1)wC?TD@_#AE!uxuB$98Ukx00v-3~r&-v~W6^1%%r1hn^W
z2t1+dA<@x2Gk`BK`aEz?Hzsc!f1JJD!=lMapUBblyk*B|+aVIP_wbSkxK^>g>I7Q)
zzXJuWwLZc}N2SpnqQqW;dvXFu69%Qb)m1<omigP$%!np^y0z~y!J+JM86S&s@|6;u
zF7n?`A;2N1;;sTx39_}T3%jf2ioC}Hv*TXIMv}9^iCYsBLJWi#$Cbiwcbk?kuSd5U
zIo#Ky!fD82fKH5I{cZ{IQ`L}Oi(`v}oTW<N3!-|ASErFBLm4u`6jTNslHz2@%rPO+
zSR$BGgB1U=MbD<nk~w)>f~29=OnM>#gAe4;)o>A}U-|ok`6xRQ0-Je(gSjdjK>kUO
zF7=B+06MxJt6Q12I|;@dU3lxeFBR>$2*bUn8)qjobezy1S%}{&*_~~c-~}|x39`kb
z>tVdS=;)>t_*BM<?TbPJ&?8Z_Uz$v+s(Y`etYPJ(UeLBmFs`atR}R23@zb}%7eiL+
z<orpPB|Jw#ziHqj@0aLu!X0}<%hLQm7CHPBwtpdTX)@3-$+C_`##J}$4F9{%uJ`V!
zjg5?(vX%4;ePJv5)V8~OlRir3C?h02mb#eDr3-UA6BHFRN;mD;M|b6*uy!_5tg*L?
z;+XCwZyoq^zJ*xV?GR_L96mrwf+GK&akYg9*{`16!0}Jhfi`K}kjY&aUgdSMX4IG>
z3(V0<BLtXaU_x}en)eF>#cQl?ICN$TEbFCKq|wjr2VUk_;i4J*ClDqCy#A|7*v6Nk
z6zsHaf7F3&5f8WuT!C8a?w~S(uM8;>ImT--iHmrV#Q79@RbCpG=TLl-_FJx!O51TP
zFy=}~%u+3~#ZF<Sj+XBemW?iEJ-wUARE0rw8F5_)F;VztS!%ZFIBlgSXJQpvqn!26
z`5(jr8?AFrugRsXs8!X*NBDD*I<ffJKKZ9JujBK-?dg+s(Bbr|D^HqvtGn!aH&SRr
zP;IMTQ0j58V8qm3%aT@U(*;_`^NJaHjigA-CH5uWvob_uu|u-rAra|ojT5nE`G+VW
zZ7k~VQ_>}yEF<jsuJc`3hjG9EetuHhGoq2)YMnSlNwJ*w41?)s)h>SiVrW-DyKHoF
zqgCCVe0Nse$S(I<mgf8U;UZk5i33NWmzVeXnVv$bu)&W`-l4-N@CWTC3F>^qb&U+D
z)t=n^>8crhl{|9-PDcGo{BrOSXLrA31F^))lG}Wci5eU;8fFZDJPggiFKU_q4>E6D
zm!qEyuyj~v9qJW7itfdB;$AM+4O))6?6cn<l!-(O)@D}UWYG<asqld-0O!}!h${zA
zZ5iJVEZ`WujOk9rHt@N_BztlM+)IVgN;lh^b#&k}X)gb^YYUVFZS<<fo5soN)#Y>w
zbfkY})l|}8;b*LaitP@~L%M9Xdb13=Li&R(AAY>o+qBe?bL3uma9irS?&FLxQ2qqb
zMcY@RQve>pEHS0yKpFN=PeP#s!*;6qB^y5qRvQQmy2iND3~@Qe4^ORjewG2nspf&f
zt#uJFHSEQRGN*#&(cY&>$r2|MBerIQS;C9D>^Zy00VC-oxUS<J-Qf=AGQWo*WB1jE
zSM1@+cXI?HE2pj&8n^dOkHhYpDO;7^3#@oa@$K0?7H{O|qwHZ*vb`nbQR2}cm*pCQ
z)h~4h9VlzG6asVvNRr$E+YyyA^8_U!r7o((M!&=>R>E5GHF@E*IE4KkB=3*TD!4id
z3$t*1zaWi{0t%N3k)$GTL@;)6@e&4*H(2|7q>oy^*tMqnX9OZu{th$xAz&2m5hN!P
znQCfyj_?%x&Sx$@Bd5jhWRuGMG{a(B@ER21Wy-whx8nP1FZw5geaFh=O6zoM8IHoe
z(*5y?mHWyd+Du$haBL2QmqscwRUT|kPgFx3fR@=7f@noEEvphKSgzN6Ga+&^MW+_S
zw8fjQ9}pBsMM(*4v8zXU@;Sz$1{V`_7Goq5|5Iy&a0;P@IrEydgWyl()UL87_4p4>
z)!n9~oRuPNs8rv)iOIA-HKemr)55~Shwx?OmD&#;*q%Ei%CGko6lk(2PN?0%VCH#}
zfrhKm11ezaug*Ehgf!p79P3n0^nLWBL+F5c8lcytX?3vXl(w}ad2XYvMbawskoNW2
zGpOaP+`hBU$>NOe$+9WIa)Gv$(bwwKi`Y1Jw;tw*)HmcAo*yFo3|!!P^lC7lZY)b+
z$s<&%0kK*=@7u4KI31>K{CX=(P}bs*h@qx#pEu#1gXVEbHqmgvb+)9>)h?N96??s1
zLtt%aKg>GG#|V9ImR7>+2kIZ(?X-o*D5+blnq%RWl+a@Cn!ih)%idq#NR-a1(RYBU
z0MD7L5&WSL7AXEr)rkH>FI)Y=C5gg=EpYC;gw=v+SsK;dA*`090GzoE(4@oPfqq>7
zxY4cx>8<_c11vESnb_V`%#3I#i3d}P<$=2ke=;$0$A;0ZU)Fbzm57}?gj=b6M#awl
zCSK;As6-r1d`R>Kfjf!!{MryTVWNvN-aRj}vzfWCbR6TNS{(+b;BjRkc%E6;4L``-
z;mTs3ya-R5fzC(Ci?>1E{-`J7J@wM)?J`Tx8TOOfn=^$ecrjvT&1%~vG%`1eTAPJH
zOeW9@InUyYUM~Z~Ykd6GU}5S{OTO16PSa+T+>9?1uT82;l0N;i`Tdn`%69K5JzBu7
z1%ac@I~ZM;)?z;%J*$e6ft8^rHIn#v!uSc;v1{cHV;O;P3><w^DwXn2UvXPoyOTEF
z@6GJ8s<H&}8O4mE64<~F9A8^4>AyXCMVrW*00UZxsP|kfSYhXgGP_26Wa{k7HNw2e
zk||eoP+=AJx#398$vx>8nwC9C#iyaY?bcyiN7YWVoI)7>2Wj`SF_p4$hs2&#w+IeT
z8Z+ANE+9N^RQ%4Osm^rMFtmQPFoI9}nHY4jPg7s6Wv1|<x@xLBwrYpyLX#!+a~Zv~
z1W+6HQ*5Up_^>m7aFu!xO1_uG+IdXiJ2}=0+F$hdGBt|X!!T#i_$!JaI2(xd%EJ5=
zf&V@wicYT%06^o{KJe!CGGqJNl0w&%PaybVHoCsh#!7FZnSnWI@U*vuj7jS$RIBX+
z^&Wvxk53z(I43LS$6*FylBHoC_}ST2Ul)vWUJW?JWtMri#FxF5Fuaao77)Q24``+6
zI-q!PVk|MNJH5pN4#bQxJ-^kTmT-iruwuSc%Oa*IO<qFN%J6uxEM#8EOCT<dA=#v9
zu_^_T+Pvf<<h<4Y_2?uZ=UUpcCBh>9`#0NYV~WrgkM&?xhY4DDyROt4bhM5_j`_JA
zIB{*MPE?=BLr{kwakfugaHJ>T!ImV_50mt>hu0fP9K~+kHQ}C{9W=@p?nZbkxeAvm
z)6^0H2rbQw1X_nmf;Y$GKUq#fT+#uN0_PpL(NR)C;O>Lr`B3d~T7=NDQFabIIJa+L
z?|WwduvfP~k=<7!>)5jfJSfMnV>07HXWJe^OtopxcT@EjyT_L3mKC8=9R1#_#BaOQ
z*qS4RNp(YTUKdS^cp*d!-(kt6r?_tfYK_!QqfkyD`h{T{$=0tKV87lk5aBq#O&ck<
z;T&Y4cN^A>@G->u&H_d=>jNo}T%ogiZ}yx%R(qr})6brx2<sV8!Ue`TY-CZ?H@orh
zp8XijmQ~i9<v%hL6tJbdkG+t(m~n%NaNJ(5$h@2k)g9CEz8XI==dnjD-lkD~ABa@D
zwUwh%a_N39@;+O4&lzv)<7$2{c~@QvIu6ZYm|A!2$MZ<7TwmwG#~)QbgPwxIPQ?24
zxfKz6>y6n72<s^Sz#R&ML<b+MG%)+e+pBn51OXA%L2@K04k|Hptp`NYz5E`jmTV5@
z4&sX`=jg(j+$dNa9Md@kmS$6jBCKtgyEl&3&gsmzwemeg1g&XY=zirPJ&IrMUegF`
zhTCK%A(_9^2Uufy#9DC3R%((WV-N=PmLGkVLBmVa0#kC(Qm!N+sn`oK$s<<?wj^3p
zczV1fKPCw4^A_f(4NZHO%>MOht5I;|6`m@-zp4Y;Va39$s+#c_(d_!KBo)s_V^;4H
z0^acDOUya!5(*^a6<QT`NG5#UJ2teko80YUy;5gqJbFc*=vPtGDBMt?)@XP;5o(_3
zZau~FVC(bZ;YqWmz}cbul@J6G#OjVnc7wH1wxF-y!BEcb+tOc-1f%1TvV=sqGQSag
zDci?TpLK-4;X-8$#Cc^S)tm=TRQ@G4?0<VP{#B2yxOr$)nE8Ik>mKS;L2FLS)rOks
z`-qkbLnhdg?dyYJj^#I_nI>p%pUX4j?#P$EA>xuFs7sYOaL)s4%+KWUG3KGq9yqN%
z7m^Pgv;)a=b4m%Hye!}M@U`&L#Av%)nrS`7ZWi=FyR=RT^ssVU?jMRAxNBPP|LxGH
zv5__xTuEDYeC<;Q8I6tk8Ml|ITd#SSA#jbNNAQ)|<QDIK>jK+;dU;5L7{HWDPUjb9
z9c>~O>zNegjzivd{fRccFw8}bIP3Q_ng1>ecjIaZU0lq#`Le^^*@g(u;F+d=+`l($
z{2=)N<*#^Q8~UXBx@c`Lsfw>Y(s)7hs&kX1>7GZz7WtpFUfw{&VqsUI#m_%?drY`P
zJ!;>KVs&%*u(bz$NU1;U<Kb9`PP6+Rfb<qh(D`c<3ZRtA$=zcT`L8cYDfGKeu(BO}
z5)x<yeh?Bn3Ds9yy{DE4b6<lR4;`HypCtXL7U?XRNaENr#V7h&Fs9<7cG4aq|FzBs
ziIwDrko9)U>Doq@RRO{WWUd0gN!_rhQG($+(2Pmv=sV-Rw6O(zqGpOx=U+r}+JGLP
zr6{%^B#QRXDaYS+I3yU4Yetpy6(`VaMxSRNZiFR`y{{H%ww$E0F5*@{2}zUw4CCk<
z7?f11t#=Bz1H58z0_Eao804#CCEoVA7^2l1eLXrhV~gk^y^8E!og{Xs=W=S_Q&Wrw
zL8(jDgVbuTWR9%rO5@!nklpW}{}s+^4Pey;K8j75>T+_Fy7#mRb#Odb<o;VCw?s`&
zVZ|j_ZY%nLceUbytZ#z3#HY{k0A^<~nP~+rVJ{ENzm5VZ-k>CfsGv_Dmd`0M2vqzI
z%yD$(vk$*W?<S%J#@q*m-5I&KMXBjI-C{JA5kV!s{&s>oPkB11O+14kK-(4%_h$iI
zUIg2E%<DVv3cnzgf3{XcJpp*mmH@``sMU$Q0Wn(#huLgnF9IIMivFL}XADfct!kim
zb9NOZS7-%YiB)GM-qCm|VVC|}#XcywCALdOUaNn{i9b7iZSTOQkAC$zi~vZ}f&O$g
z3^0#XMLE;5i8U;Ds&v>>I$(h6uotx%x$XCL-V742)OI9=$$AFmT}HqVj=V#=SBrC3
zGbcW(yt0sUbX|KOCs@58W`osB+jW(w`S$8NlyMN{D2qtF(KkWSqM9S$$S>jNQZgmY
z4O)v2{4Dv6@@jV+(2_>eL02v@r)Sd2uZBlP;!N=^wf@C(<6u}fW-j|plZ*XNT-}5!
za44H;zPcF0@AW%vrPm5o?4))oS0R%AAIYp#t}HT8yJVrPD#rGGkh`&L?9~_nuY~Wt
ztfVQ9eQ0RXI=`Sz(xtlWC?ZOCXq=l0y@%FNG5|VKf-K{*Q%5NKO?k*<7%eCAU47+}
zGR7-*1OufEDot`t@3WKN*C)S2%}4VI9(@m7wwInD0i<69ly^d+Pd9r$+b~JqV*pm#
zLuxY^O9hIBIH>XJq8iAZq~;?rfzq%xAJT7r=G4NTMF3WEUL5gYgK*X|#yR?--{FE4
z;K`jptrOaL_WGoA4XB=0n~-e*0<Ek|d9_wjo=}BeZAD5XgUEf@E6y#*U8~+;qd4>|
zly@0eSK8HR--nr#bWNGzWuVj0a5`Kb>s^|(#DOo+ix(Fq<zhS#O?vQUn60BJHx3&g
zTunY)^@9c&Jtv$<dDT%7uC=yD^E+k>^>wGEL<wkzaJHld{DQFq7W^vw36H~qt}5I|
zMj@>CSpIjmyxdMQ0@;15Gp2Ax9X?Vl5(EDm_~}c_@PXkHblpudK^`A`WCL$F{=DKD
z7GH%l4iu*<`1+?*vRJsm*HWTL?mKBnGIow+<%h|>%v2vq|7Pi)l}|JhG0rpe1lXJF
zfs=-cyvJjkRFHHU(1@4k=_c1cJq!FnP5H~eR&lJFO6W~0Wc0LV<3g@vx<Ad+li#J^
zjeU2XQ0SVn`9j%A`(9R5CX^`$UVKQ~NA%GfltjUC#|oT&-G-qWN`vHex%^|Ngk!VH
zHu=#KC6sHqV^@ezhS9ZSP5u4v$#F*lez(2A%nf|nS2UUx+MmtZbSZ5`PGW6m(9#e^
znVE#!<llU$H;r+MKo6<Hz44U-%EY#R@3msdIh0k4Ffrsyl>9y~g^af7;j$K&L?fM#
z9~FmWvZwiq&KDCVw|)kVUOvGVAt2xit`8=xVP<5!uobhe2B)nXb_FR0SCa!{BBqz_
z5Hps1WJ^0}jUH;fXTo0|Z=K85Tissqw*7w5d^z=lmyPD}t5dXJaMdWP&TIM;O2++d
zTdBcDY#6L4)cxRs=XjyQ>1(E)xb2Xp_w6D&aA}<iqs{D@pjDxpMUyxh_|s1JSd0Dj
zp^vL{A4Qu>v4MOcVori#anI>B<LaBU6GFk`b+ehIEg&w5gF{4w#6tC3>hA7NCQW`T
zZd-nsQqJjpLZH$YcdLyL8<`p}-Azlf<Cds>6krZW^dKYzPY03WvMT-6_=t>V<RtwO
zcrDuGN=E~@QyWTabOQXW-xP_AN55wM;Yib#fuR+r9nBZ+?*62>Pady;;+V-Nca(zX
zYag90mhiN=LtqtFwTAn_oXU>!1{lS5u%o>n%kSq4&}bK95!{^?vGy6pvd?ZB2qy&5
zZccwcUW6&kk5^GH+u9699{e5EOBX^^0<({X^Yu)9@Op0lmN}x%tRS4I-XZ7CoA;Bv
z9T}jqSw8dW$}c&P*8_On{Y&yx+99Q6fWmCTKG>6gr(@l&z%a<9*<z6%pMx?7PhMw5
z5pwWMJjnJe!H#ae7V$Wyf8WxrD1)DY%1rKikG47VJ_$*hklQX%q!OJpRv4@byi-_Z
zd>#J!J;meYc`$omch|Cm;Z2YYBxW_vWe{%ua(f(TIK^TS{^h_1T=#-tzD429=}h22
zU#b<R%E`G7)kvN!E&wGXm3RR9wit#VZZZK4&Tr4so4}$fwa^K>H;#>9@A@r~Yn(A+
zZ1EVdH}SUYxE85xIR#rJNYU);jIfKt*#|0z0Zega9tJ7BQ-zr-dy?{ayy}!Famklo
zxX5^-J&~su@892_kH7WiIz*RUXi=>~-Kn%5(yG79=2f`e)|QwI%a>IiQ3e4}B=Ce1
zRohI>ny;1UBJ}Fum%KU1)V?dlEX7m0XLP&or9fqr__43%M>MSD;$($blhZCbB><my
ze>x{9IN7Tt2~qMB!g##8jtK82%ziRV$u};dVm#al)!V>a%$0fcXHsJ7Y(ckJ4X-5m
zf@{^L%J1jp3>PhZgY*3xlc+J!;rq)f+20S)Q!9y^7LcuckYYV~F5Dd|UFhT;Tt(eo
zbsr2TF2E!Hdz~JUssK@vnM(;j<@uyuaL{d1FI&+B%D7%9l~fu)l)86LkK1N-N56kS
zZ{}bowEAec<s9Mp;N^XLr=#bx6}YV-g0Uxwr;_JtJ=h5cg^vJfRi;>7nfvz@FK7cJ
z1mOv|`T5}Dqoa|n{?0K^FaJyBRA>oo(Hw7kl0+=tBTgE8XAF|5k=$imSx$+jV=xsf
zaXdxDwa~v+UR8wV-Q62IxZ2B%mF=nt&1&?@Q@0dx;~iu!^8qLEiKohXgT@*P8}(}v
zW7XoDB7vcfG?Cj;lTBOz3AQuLq1or0>YUSBjbJ%JhF@+O5=Jr?osNw-+cQuq&-3l<
z1%wWP`=3;2Oi8sc6L+G5PTU;FMnr;el+656?A=h}p{yW)IY=w<Zev-eVE8h2lBx1N
zd>#>o@HwG7?l;f#OpQ{emv2bvYeQ@NbsEUOgN=7rcZqGgHKz5V$y;x6u0$>c!)Pk^
zQu)FwT`DjSh>;P>HF4AqNYO8<uoPuvhH(h8NmsGgI&ws&jKNnQO;Msx%f-7u2e6lU
zq>sK^r0%}IsIJeGX4(6(yVJFoAbF^?fY_J3i;#EUTM>sIQl4`^Q&Ux2CZ#uqrr7i%
z5msCAaEyw^^LbXgpM=5PNIja>(yKJHCgs6587wyY>~qAw0Hfw)0Lq;dOnY)Lo2KC1
z2z|NH1_jB9Q@ifF`w;x-6~o^j6=Pc6u@BwXyqxXEam43%r0RNHsyP#q&EKZl8|eg!
z;!<%`A%@pe?W_Ry;`BxdQMhGUk7UhIdp8btmrt~B=)W2-q|vQSr||v6Wok2+Iugye
zy<o3zCC`-WcMCRg)@`;R-+k_Dra!aul);!uE%NtM>3#!INsnDcT!YfTic!TXlj;ex
zVzTTYnMOJ{AB{Q~YNGOSDHzX2c#;C`wE+Z+cRkupMHChWdo3nAd4>)6l*gi&&X<RK
z$V-e?Z9WQr)Ox05&!KxURp{F|_iz(P`+v0n)_iZqNaPoGb$J=QF!MpGbaVA#;fy#E
zk7)0#E#nx+(cQynr25o(X(B6>Zl2T`m74N8xq>Y|s}8vCDP|MCy|?|9a!nzuU9D?P
zp^gz>CFzBVp@Tc7l||T1IY#0&n(eW78H=T-iZXC@Q&+LnSxg}`()dm<f%fHDxM5_-
zSB}uvmQIv{RhH?g$)1YG%eiiA!8cCO3Q^=-+-VVu4nhrVADX?v(~2`3-bw&l>!Yx+
z`=x$}Ssz9I%%P~cc_Av?DQEFA616r|frfT7%bfyvW;|vlLNRRvY}PRTMl!Z-<hsoQ
z-L`*crSL&S{QCDvj}>{&Z?E^1wf*hQK=WF}72wFNxyVlN&StV}?}TiR+0%A3gFKJX
zX{=4X*$&8IxUU^o3-JfqD_Bks<CKr-#_|lk962W$^#~J_sK&gn&|JafmuI#(dhI@}
zvrN*Q%_0kh>t%<)8OZSPG6S5x({uA7PPr(&s{Hz&$&VX|#cC-1*kotHVQp5?H}RZB
zIr@mP<g~t@U&VD>O8&aS2FVZQHQ1NZMYnI>>nY4qYs+9!jcJ^deA0%G3X)Mk?fdAX
zK%=flsmh{R9UYoPh(*`S(o0>^JNcuv^U1q}Cci}Rdxd(u!@FL%u8}5Fx%`%3--sV!
z?XTZKOzV>$x^$CA%7j^M;-dCRt&SH3>{iE*HZ4>1)g!X{H-gy~zh;dRv#*D>nlF`;
z#^OSjoo3nnZndsmjK6_(5OGp*f@fsHT~mh$!{R|w*R}GliK5((M=MW|eQ}<SVkd}I
zIq}2YrGJg*Fy6uaApy3;);bS|2opJ<ZsN)mpo`sc{Xi!@f1%0Ma5B~-x$0L?MNeCJ
zkV+t-%Yq_%%}z+Tr{3##rD>F^5W<c91^=r>UjjZ?{C#yj;oWMS6d8P~AdEW{;aelL
zQ*Td&r+p;7q|8tizb4R5A6g{=f#LXf#cQWU1!nq?cK6UhAe*fe2Zs?PWi42HzQQ-{
z246UJg6zSoT6FZWjPPmmxBF9gW;U)CsVs5sh2#BGfZ?*~^xDC&pJet>2u+*Jegg5!
zlPf>HaAb%_)d&CCp@$2U8DrhmGJ;IuBL7gLCO$zTaWB`-5i%S0m90Q`k3-M-siqo`
zsO~s!NrvHzAmtw>>Msq)AK{At&a)~YodMTPinsIr_5jt+-5v@>_&#5L<Ag-1n?;Zd
z0Dnum5p31+G{Cstf6-X)(PHVf{Lj2)dMafBe_3rSvy-OYl~1~mMop^}$LH2zY67nC
z96*>;$5bReYk$(+b1mkJPpB`aei8<dX=Q;!cVAE8tijl_<sDxJahWsE3j42iK%*;f
zQ~Qy`TGadZG0$k%MB03OLR{jhDLafK*_a6w)P3*;wHK?kv<DX0cEZaU>>xvn-s^`t
zUsQMus2svOS1LCso7z7|wcK{Jd7x?T$LzE1u8*zS&m8Z?JAluBU&Z<`A%kSKSou0)
z*jViu_pC+zdl$W@2W8}$(|!O5uo{t%?yt$Osk^VLZgA}vYL?{FDFh&IZkJc(*+3l<
zszLJP8x>VU>kD{kLBW|m7+uoBA<bfJu4M*6D2J`ME3pSZDW+J<fy5Dtw=&AxS^40T
zD9mfuOS|N22RsNhR-6j+o?a9LFT^U-pj3bNtwng-(%ZuMobRKO4=4BI*vpGhw(Jqx
z-g~=eMA5>4QV(>eFB_?*ryk(n>0RBdu6mc4>iG6(oZth0K4gyk4)Aj^NLmW37aa;X
z<_)XlDN%-3GI$y1!}18$E&ZvL8rg_EIs8M8X4c%fZ^Qk(<DL8VEJLj7Y>3FFLVK)a
z9N;^It1sOK=w367i8-*9eXC+~xACpaxuN(iv7r8(UjkL|(oCfdlct&1Xp6;jUAMj$
z)U$nJ0Yz2SC+1Fk=Xz!29Bmu{G!O|X_{H=lWCPl8CZ*?Y)cH26VR{(*;~JYe7<D-#
zd_s8SEWaef>RW0QP;s+~x5t@*Y){`p^Wv$iWq2FYCbDyv$^PMPg|_!qHwriL76+=i
z*b16WGxMbp;mE|}b<{cU)7n}}4QeRbvH$d%OmdXx46g)!`$~^qkHf+m6&C4qo>c!i
zbR+EdTE{-A?#a*0@XGg~%NiAhk3UR&UXJU>j6!7;6eONIc_(P)Soa1XBM_Aci&G!U
zC3Cq)b*oZf1y0&TX)U@FYdKqnD+8Q=-F{;33^$A@{i1v11^*m5M(jd%`=l~&qmcMg
zJ|)qHtv#!C0f(H*BC-1xrf)4Cx<CU$P}z1@F%Y~ubdPAUvcD12kIdd$7C3HuT8z9^
z0mM4c>UqG++N<KmjuW-(?Y=Rq3XnaXUFMBM@$qXqCk}cpY>YjPy&XD}Y#uP+J&_~$
z_ALe!GcD(7BdI?<UnK*nrM!iRl%`3m9+l6w?@`VA$GcS_sv>>y(7IFXh$nB7#<%4m
z4cR?z-GkW6Y1m60lSvm6-rni;eu&F>E0au90!9Fp`a&(gh<eW#Vgo%yF=1NzPcOP|
zT_loGnP{Q>3^Bffn}irG8x#>~>~MZfwy%Eym%13IORF4WwR=d?3pA<@)rE7UR2!1n
zA?J73$Abj+Dg|fMIF`Jf5fnNgC_D7pe5#n`_Iy{{_Ct==wDzGD4K>3+l6W{7$U)=f
zqR5!rjviK-mdkq;Uo8DQTZ(eOJu|(F&9~n5{KPz0d!LXUql>btiz^t%zj`e(!!^3-
z>=O$GT{XSXdW+p#vNY7S%=3Mv&wwZQ{S|lp(duTt-uX7GSg0)gva5AsPN<ojR70hO
zc;Q`*WNxF5=gKqi1NsMhM4cu}zU}r~aWrEI*%k;by%rH3xNy2xa3q-)#1Q<958I4b
z8tupJzvbiOlaZB;L7Ib_p!4aJIO@&$I8U*Gs~u`+(@DI8bozUyi_i_+dEpts-Dr5G
z*+51}*N=lH3T@C07Yl0vsU)|oPYJv@Np^s=l>EocER|F($SvM%*h-uevr$Y4Y8jCr
z=WC1FI=iJPv0z+eV?rQJmz=71^;DzoEfYN>AchJ)24D)J@*moRJ?=kL;?J(cx2Nkn
zq=f+C=xA!lu;Q*It=L4EaJ?>%lC1fWwP&QMgc-<GrVN{u&|)o_&_1$-;SJ!&g*7<K
zpuMKE%0zT#jlZVw-HrfBbob`k>e)A&PRd&&@!E@yk%n)tILHf9^_|AX$4BG^6kqi3
zYBk?|%}8LGdV{noOwHiaeM_$}hC~-){;|jw;>+XuvdMb|2lAGRHXBPd7E-e*NI8WE
z3cCmou~h+3vL=9n!NGXHCj~E1ht9Tj>J8rbm>&L)7DLNn%#A(zgnxo|5)xHxKE3wU
zOZ-g)gFG>fexNR+#1F%1IDkt)DD10>e^nJ0KX0wfEMZCWoew>|YgRjhjlAvE_D_14
z&X=Wk2}MQ93aL3JO$vS|18z0XDVTYvvO$hClJy`w*?XcSlbDy{VR>@pdhm`)-@2%l
z@BzvFzuebvH|G{ouYvlccm0^hoPX1d_E)m)te{10ZS6S(!xlkzfjR!IWmz5S&t3mV
zcmHna$WCgT$$_XO-yyNR!7s<YyTve*l);clmC(Fs0wuxCL~H?b76#sg;?bNFc3YaN
z?_q7@48#}Gb$;FY`;+zab$Sb;r5Zcmt?|zvNmOQ1@N|Kq>GjfrG*JFkW8iX9!A3EC
zHkDW@jdQHedO$Z2pdAlBjZQqEPfU+z>XrHjq3@a5n&tmY0DTF%mw>O4daa>{tH14q
zl$ysqp=Xz~1~kOu!KO(k@r(JCy4s0DamZsl=h}(1n$z)z9C=4H^-}`g22!XCkarrD
zesq0u0C}Z}h4{pHNI&#!S=k~nsw-FtjmCGdZ0p{$=vvp46Q=Pp-n0B<-TU7{Em!=-
zD6YsGY#ri*r*+6~*lbSRPMv#UaPZv74>%3makNOJ?I@K;LD9iS#~XYpN!OtoY0mhL
zH#m=5OiF=$dy5a{EABtSr+=}S)g+$jvkdUVw!<v&46&&$=N@G-bUT(?Tl>9X{(}2;
z1RaN$GM+jWCJdiV{LwyZsP^>8hRsJ55;{k|58#gu{5RcIX1RjyFFDPI$cByJp&!wa
zzrP*P*AJCn1tk$jgX5nQAn1#92V*b$Ut5@I|AT_}Kb&GEmS>7_L86G4NH7|`QNZd?
zK5qp3-G6WuMBxj#;6C>8m9b%?NdKF$`qww@8UHHof<H0)r#!Q-?G}p9Q?~H&;N|_B
zsr>&C`De9v&$o-RhJ^pU1OF?Z)nCNry@9TdKV&XHE8@$)ZX>x|%KlL>9o%cH=k~-e
zl-d3nqWP;7$N#)|5m3|BJE)hhx{gjLVTPahCg5{N?U7%v;QUdVAs2W$#g1bypODD#
z9t|OZY`-n;kWh@?LY`jZ?o`E*z<~6<c|N~C&T~AuT^68lPewlX@omRn<lghfQ2Wq?
zzAkca7D(U6Fq(ps!S?Jw&Jq!AqR|j|d=nE-63uhe0&rO~uGa5S%#614`xc4wBW3=N
z!pbaH(<$$9DBM#f-}{ITJ3=J@^vn*T1r^_!kiV2YB9GRq`-OP@@uy0{pXX}WV<dR9
zjX=&;lX?9=UHCsF*wkdhcj{2%l=5#n^HPvw6*=Vy+>=FD8!#|MD@Ehv!W4_jge69f
zWyuRCByYg^&mXDWGA=o#lRLAgDxzLDABSDT939aL?}pi~DE~l6PI>>Fi%>lNTFK;N
z&2#A^0JWeX#;DO0qp=FYr7TI@8+?k_{$IK+JJj4Ty0<t9R)+ESvMcg2_~F{%w%p7k
zCuWojO)K?bu|QooP{qP?0d}v!yBKI%7u9H)54r@Q36$mcZa!;>zP@lY!jGgfafeXd
zQp>3KTxi!m?9#Mrk<xa(tz1qgN6{ZCVd^DGh5ask(>xPgoHED-IXRR8K|$a4czOS`
zyS!^?GuGUFBTP~lHOiK5T&(EI!Qk*260BD`|Bt$N46kd8{ze-#ww(q$YTVe^v2EM7
zZCi~S+l}osY}i<hZQR}ez3+YA({tYM_kLJk_Oth1>zQlLImR602S(orJfol@cW3iO
za8HeFOA*NAEg$-x&9j4@PT~W|`-QRY#Gxg#UP3j!koAMXp5M+SdGLaz%l_GwybtFG
zNtZi;G0d^Ew7ilh@z#9h=Fi42k~a#)k?;xgN$*zR;b^RVhTE5$F=}KozlEMq(u+F%
z7va+wKJc#L+@8O0l}u)oW7c6L+=(>KR7?n{+$7C*HM!oRA+$`GjD~yGIZRt!>IG8J
zmLpCYiVnG%b6Ymj4om$}PAU#g?CTQ>9=VN(jGSGMYoYu3Z)G5kCdiI@3I-}FkgC_>
zPgfJGuFU9i)sN^JevzzVu=S2n)3i;tkFBBFOJHhu9Nme!pWyxKx|VWsq9#rtQU(IA
zlq_$0i3|FxT`HJ%%jC9L)a`w<*l?U)P26Ag{DKM(O<tNQq^$HbBC{8Z`1+i6E7v<9
z*s|ayZqf3t+Y)k=N?{2LlzV7Yzo6!O?(U}c5E}~gcImWw&hL;Wy2q~<eC+akz><Er
z;q7>NMw$#9)G$oDg9wk65*@!GZ;gbnGaaYr_+^Mk-WQH$;!N7e0tye`XAG9w`O&pp
zPZqH*B-1Y=F1D5WVpd=d<tgb9W6((zjK_yle=XZ{q%<K(*`P3HNY`psjr{nr*rk0W
zHTWMP$rM%oEA0^`5s@#RX8K4^a?{YH+MVcPYD`7EO4M|`C00SM#9ek@M_*?9sPgYB
zXW=1`cr|$LV9184>~QKUXZp*oPHTf5@`N@U5-j4%=E8GWzEKbrDvkeZd-E1?jd!F}
zbsHEvJG*{Qe~qDB^?*>oN29YYcpvoB!~4V45js?Mf(LnRWdzL6gA`ykDh}=^wU}7r
z+5?H?d1BpfuNM!seBr1Pk_@DyLx@%m=Tdt5PG1qX3<a-xbow2HpPk(SKPAIq*pj|U
z5BYUvS2?H7l47qCM`qc!!4`V91S<sN7pm7ApQ(p^&VBjN#^wOQC7YI8pZZ8do|h&t
zkm;2Uz>yjzTb!f($rEkS#~u840GlEJx3nqgfSQMJxK&&|Qkhfa#-b=T9Hk>o<#FBF
z4APb>CkFAs$1fg{yVY8UmGw>s?jvCeD%HKWk&GHM>&$kDXn!e$SGyRZV&VqW-Rp*_
zqROs49k!3Kk?;I^4%^`;d)jPU9tW|@t?WgjoIBWzSQ9f@M9$f6>kNO!amXKrtYh4S
zC>n;`(O?F$I1w+G%+j!%uY>(qUm;#qeGk~Odyg){I=#5cfw-LIw{AUp=j%^dMCgqn
z#NVF$(cSkTqUG?aqPCr@hCJA;v;5$$5y58GWFKb{AKCugJXD^+zq20UG(%I!dW5G<
zRZ9(@lBxHC9_DqIUDgF0>z3)PU`R!iN)89HNB$9ZFWygbK4#A^JPqakUOo#!{9eqR
ztSI^MBP2w-V4ZxOe2u3~O^jM6RAh)G43@aKTZA)h9sKy6^~A}|J8$=?iGnuP8$8d!
z`f`R|w$u9c>*UoX&ok5?AvZyR)8U1$vJn(VD(Hq0nvbLKAj%19!sgG<P)4&ZX@q2{
z7#!J#wMeSV$>rq?5@i<YPpgvBS?vf%3{NFyI}Aq=8(?8l9fCs6=JPD5yjh}K(|3q4
zHCf?|s47S+SN4MArXvrgfS-hP0|0E7UN87Jfkjsxh2h<ymTUI0l}M-Dmr1v8N{e?e
zcbNLyB@K1g_E@gu?~$ViO+89Jnxy%HN(flU*{AsIn@x7U(9)hA+$L;KZsxI3p3TE0
zR%sTp6r{sFJI<t&TVmtanMU>{WDf=ln!Bdh;UA1&@!{Pcfw0LhhAA(OIp+N9|4v!t
zy<p5`5%vi1Ec@z{(4|@G2BKC)k%rJ0qtq44PPwx~x!<p;*Al&pzmoe-CcIEQCn_n#
zYvrXp^70x+-~hI0MXex@g2PA{?qPsVfhxf4p_t5_-&vaB<`AtS6B1Js!oIF}rd7)!
z2Vspu$KPTcG&WSlWmaNUpyR^XCnAhj7DjmjF52NX?Y|erDSW#(TzsQFq>m0`<slGM
zMMv5{=&PA$fZd`_mj7C~jKtEY4zQ@)WlTtuJj-;u`Ecg-4A0}S_koB1O_j&h2TM1H
z3to?I?NghwtaL}&jkvq|N3h$d;!H)-<$tGp;sU6pUHXbA8je}+sXX~SQZ%f9)U~Ut
z_gX){$mU0W`^{Q+^HLgyZ3-tm$-VMvxU_M^+-fQZ%Xg{od0vK}Oea<%gg+*}3!mt;
z9-6JaKf=`w7Xb`a@^OgL;Kx-fMb-yTFE%k>r>h02OnuvkJX}Zn4a*uwb_h&&SMt9M
zlg%0q3CeY)wl_I+!bqSU2UdJiyUKBoN5P_LlOop(U4@nsM=9v5tTn;FN)e(bQlo6P
z(`trfuha_*t<v1?I<D#IJ|hS*;l3xK9#q{Kb&P8u`1*H}{U^_MiWRtpL@yQ$|HR~a
zgTljXddM`LtnOG54v-{QFbuXdF>#7(>l~7!iXo?>L4zn}j${7>bGq6**cw0>pOzi$
zc2FtS{409TtHI&YUr^om6EZ&XG77OCHbofX^`iA)evVhIu^CtB-5HpiFI1OCgBFiS
zZ0;9e1jC>#+*NPfLWPJv?oTi|9exD#l9%wqZ>J7w-B?SVMy!f=XMGI#t~<*HgboLL
z*!oXn!Z<FE^3LH*Teo&^80^rz(KHzq;q0l?RN8ATWJts-aX!C)FHy4{YeEX^acRU9
z?)d*>qxfH1144P4fe~^-)}cD{==aeC;ef2>LZj<Y7+8d9e+oj0MINbS^#XPktA`|a
zM#=B-M;vWzkU!&wkCE4DM|H`!qJD&kMEMPW)_V&T&ImyZR0=;Jp9j2j&A4x!X^|U`
zl!O>n>eXSutG!W27}`8|E}Pz1&En(#v>Ec<n<U{>FSnHB7)#=zyXz|e=F>n@dK^&j
zye`zZd)|C_dC-K$0VJCpbmgQ!tjF0uMW-`eLpN4nhr+VQ_C7H2LE^lov+h89ckId?
zLg0_MyY6xmY<r-^)~V^nnhGk0h)E)94Za)yoFI0%h=-w6WD1M<JC6Jh3v?c3nw7}K
zZbtT<IQl#(KCwnG+aJ^KtnZjuW|)^95fq0I2H)nL*Is7B#3dEK0!p-KskQuBduT{S
zGV=0(F)wR8ZGw77zqju_^&27cTpFNYu<I!4z7Reu&TctML7|cqEaIc$SO-X<)qKw;
zx+I{+?|z|7u_BjGtmP8fl<$lBIlv8^#6`sqYL+?bPf82A<-YHy-eMn{6WwE(!JiDb
zQ%0^b>`%z<AYQ#U!HW2lC=Xy1FG8)s4+*ga@j>!Lf;fUTqnBFlKi!p>_0&AS8)^BT
zzHj8dDkeU*W1k5>i$>T>;99W##}R`A7hJUhbG6xK_0I*nu<lV}Y+NXHEqb`r1^C`#
z85kt?#eQ7s{n-y&3L{;pU3eT{ktlIW-l6Ph>Dbj^E;UE<Axcu9Vhqx%j`eE)x;?=x
ziH1*->M;rhCpY<hGN}l(0;kawM9vl?;uGn%hYZW$ik>Rg=l}*1T$i2-fs>#`;b0!N
ztEAv0b+uTqAH>^T+E{yJHa;<62|KJn8hccOPV#?xb7&mChOyo0YBm>oxp!Xz!D-W<
z=5=6F@A35>K1d{P-oDQ@6wMn0)InksZz`TuFVFzvaLPzH!r1`?PI@bm*LO);>b4ef
zb81c+FSYFXCCgZ&p)wvfjg|thD4Us~ct+w$QQWxy!?Zy!O>GZE!;U489ZoM<7xWK~
zTY`scI$|#2HybU39>D#Njnp4<iWhtVO&Ws&km*kTXk{A<C#EnAAORc@0jtyhb9SDP
z%G>k;`#(uaIP8uri-c7CTe1LjD&;7FWuzYBe0^wh|BsjaDWLohl{pgb$A6v_v*-R0
zis#~TqyC+*gZ{fT5>#m^FTEi6-%3aSuXI}v=bwZ6{||2*eQ<LG8Z0WYo`dV&^ZPXJ
z{<wc{kY?auIkM25U8X)lpb>(V`^xrJ5nQ(hn=K2`wj~QxlL1Wj{(TnSoJWxlj99i7
zH8-b1fD(?82GQ3=86D%lr1+yrF@O1jih|<5w6uixJjkWwF>U+z>*7F%b>|^6HZifN
zDJ?C<yJXAPcckz|H+PCb9T^`F8Z;El;c~IGmPP{pGxPgXQt^bPs!42Z<tQpD5;(o?
z>+6$U@y|rO;Iwe!098Hsz-ja%=6(a+-5-8uC4c$%RLEuqry&<Ry|yIf2YgIYx=ZJ<
zx1r4Q4VbU^h7PfC=Q79luZPuwrIJHenJ%Qj`<RrOH^MZ<0WL{ZR;E|*#rBfrUlV%D
z5u8=wW0R?4x;Q|!TMvU^Iar8!?#Q{I|8VT^+2;tVty(7u{%T4TyeU9HrqyC0)MXm#
z?|Xts{Q&z}kRirS$hx_}uO)Lx^+|gU9gfV@k1o0;*akpga&0(ca2RAk&sH!UJ2Ab7
znh#a>{7L_=`M+N<=o41q%_2y2KxCu!I?8=CPH@+$mbip!C)R$g@wIFRrw@_h+!rR_
zdHv{<UmpWh;gw+*d8x%Nf3NL5SX^4RwTzGzo2K?D{O4j9&ohNl)?&PD<2~G{AX~@t
zqZ0y$pi%!)<i&ks{R_i_v&}qJy=9FReTCh|pM7tk+?PN%gITFsfrT16ocQmF^*^O8
zORxY-fX^+cm?RZGIPRwH60NRS|E+dYK!(=Ag9lJT)3L!>$qyBE5TO>FmTAk^g0BmU
zIO|xVjJHO4XTE5RNV)ow=&^Y0*nf^WQzDv4PKvpja)9*T%K7ia0Y|VDq!`*WEuRhh
zgx_Wzb9WhV?}sp6>Yw6h&f8BD*BPZsV;z~xGAK+8eMFs4K~kHDr$IvrB$z<-?jKPP
z`*ijTweT~|7KCl8J~O~u#JHH=e)c$l5+JLb!>pFFo3u$gW`7uB@4_oLIEIYn{^#ER
z8p=F8$Z|k>sRtLE)l19VshrI4m<;#DuWeRMu$(bMyx~DoHa4^_yo)<3JS`rU4%Ia_
z!&dih?I38eTMRoyx64M!c$l7t3bC!dRk5A*anBSF$5OP0v1{NpRvDE$l^vc*hu&2U
zhKC=9j@mF26B7=*_opYexZslMpeTlRjKzB^3L;u&vj`aHKqD_5dWl5*aD^bK&AWA*
zJnUXz1ml>LXlI(|*W~DmD#_)llPmM{F^b9cu{;mye=SnbI=zU4QRWVdSSDAoef#!G
zZzyr!Ot+bQk!}O6IQ`u~D1?Zj5LMJ8r3@aEUhTPOj}Gqo_gov{(I72QGF6NP85z_{
z4TaYlwAe`n&QLK4nK4RUtx$x=!3=E`iq%@_(d4m*`{#>U3t?P2UZD`+MybLkh>vqb
z=17DU$ALlLm29pr^7pSyilL~skeq!l;zzQB@?A}gSPRs~z-Z0?k~v*3qC_4HO~QE#
z<4UPQu$r0?6QAx0;?zXitln)mQR@k+*+c4X;p<YuLB&B3bz|CO{tO#W4U+Lf>Z2R7
zO35hpcG|&0ocY9zp}~glNJxLUC3=-W+xn}Zvewh7sayEuUm6DF_O|Gy&H9dq<`mQ4
zG(LK^C&q22v1-|Gj0mngJ|4Ghr$#;NFXoe_H(9?j1xkEN#+j<y!%QKrW}F=*q-x3N
zShH3yINGXbi(&GZapf!&&ei2bt#az$o3{uILX!&YGrAaQ#kaR95w(wO30>YCuH@v`
zpG||`gtzurBkqE~>;eb=j0hEhYR+^{zr99~elbTq`We-q<Q6@Y%&=ze{01-w5gGcg
zpAB4F;4e;Z7%ryzgxz1(v&Lgi`zMwyPeLxB*#?f$he@ceKW%F@2RaW{*!hHidu0&p
z5A?yg?NeU!nQOwC{e-|J#VAw-a%_rLZ}1=->U?Ciexz9QJjUT+X=NpF#Ri9<Q*;>#
zTFZ9Ueq4Lzh__Cfom_DJ#MK7fv;H6ZmwhOD>3Xc@8vcIeT4@RjefJx(*?a7LcW#uh
zMTWTSk3^YH!kprh+Vac>+XLU-W%%)p*o~j>uv)1y*Sn?mTja<Sq!^VOUN9BN%S<N)
zwxogKC}?O=Go6|SJ3n)lT;@L(CJU&JYKq0;MI3*hAKqo?672TU>&d!y1NkB<v}*Jj
zcF^a-kO!D!U<clpNcW1|cZZi{%`$B#=9i|SkQ_sklDFBE(nH%x4(9$^CZg4S<gRu<
zvhluIwT<rDm$W%?`{o<eb>9`<f_>75NhZ4U4Ss5Fh%F0zy1L&Z{dPwV=X%Z9yM+m!
zB)@kh9c>gMX(l?Di%I?I8T^Lu-Hzvr8K<Z7QRIwG0m?=rDp6M>@4gQ&`oYE>i*9D;
zN7V)*xvp1MB*Lj;b&!7^iR-^J9F7)PWhoF6b*a{L&efaM50IUBUnsBJZMRmPf=V>s
zK(=4C8o97~pWhXn3=D=8+@pzrh5wn@jV0+Gdvt9!OCtT1Nlr+s+@w#Bk2NQFuJvk`
z$!I~f(R=}~YNvntp#$qsdol1wnl<oi@aEwQ9}X>3YpadZ$x<V3jht3=VOg2``!(lM
z^4U-b?}{KbDO4d+7Moq4pPzPIvT)hMT?ryuwNY|-PC-05U2!;hl8n@7Xc3d3fiBYB
z=?ZifC1n2!`|uqi{^d|hR072o$GOiN+1p6G;{@*t_9R2!RI|(R<x2^_(cTcD__&L>
zc#L$#Jeoyh%oiJe-PbcUkn3+`E_RLZx8N1XkB6u@D3A`4y`jI_6LJy)5LXp<#XID+
z6Mq1yIj#R=_6dM5P{?=26I?Q0j(>aGP%_m&>e#CfU?*cGgZ}Z04KKeJ?BNG{x411D
zMD@u==X~ukR8AZvUv_BCL5;r}+YR;ajFHhXUO-?(rt)t_P$?kzG!o>px=yMAtCNtM
z7`&&2yc1d>5{~jL6QByIF)7}B&`Sv(E_fBnaSa!rY9sa~3R4nI!9t+EXud}FXJIVD
zcTy%{BpQ|+-9GQ#XxXdC(lyF&c^@DpaVAM{SM`{igFhATaZE26&IF^n_(hUo`{HU%
zo?e%JF_DQmbX+!(kAq<$oeh^SY{clCaCy*YW-G$dfBCiespHfZp*4@aUg^$IMm5z`
zc$o^+dHjzNxsZcZmSa?C2shtOv}E)GWE}e#g>EZeW}0iWLm^!fjbhC7rl!T|9<b6i
zmB_VYJ#3G**S(8#5xsA)7)SIJq-7J7lvDTaAD#uJck^OmBjeHshG9DSy+So>vqzJ1
zP+j)#IQP*TiW{nj!;qAt#USr*>I1`|`zZQEBXUD!$7`SNQ_B^6w%ZEI7u?|pYvH4U
zYo}-H=t!7d)&1RrF)WQLo^MHOUrdyo)G{|dflJ$J!lj-`h&8a~n<wA|Equl@Jjw=e
zST{sLOqA_Br8Qp_i1tv9x~a6Leal;5L|0)Q#i1>3{p>?&>5hl=uR7TQPe9U&#^)M1
z%r~aJgTX@wU39t|iXOwEkQ_}3q$F!pA|aX&vB}=VNxSR)VRLe2>IINUol~Fo+?|+w
zmQADaxN&^d=(}|4Wd?##+9(zQ*26mSq01F5JC9q04nHt`E>Evsaj1&}xCb*Yh8p>|
zu;oyLDiwa|%|^b8OCm*eO74Dle2srzVX=!vvPp{1P7KhfaNXQszWYV?y!o60&3IIw
ze~4l<;Meu0)D~ghCu71S+8{He@Wt{t{&9Rm$v9H(AtX;MNWI96u+OoqdMDvvy4(ld
z*m@}fyxo1kyg<Gz<Ha5imcadvyA`=OB5Q6#E%Axc^zoN2<h^;oLtRkbm)!Z9GyaU!
z`+w;maY}3!x#`fn06n7C9><0s^tWveR|-&xa9AO2%Q%#}_Qb)LF713`O|0Jhd#!2w
z%Aoi^XY@vO1bU|vhG=fj+2FGoUC&%^Ew|%lCD!L-qf-8`74ywk>eDaUo~&Fp&%p_8
zukJ*1)BYW{aM(NXyWwJHmTp?>xK~x)-}*A0+JeX~KfA#SR<CngB2i~k;Hy-J&D9*E
z&m#p7QzL}wOFQc~>1VhaAAUlcqY#4^7d3;m1>dszo!;nkv+bQ?KOtguJ$y<n9*4-x
z`d?w*USN&`eBA{5+yo;djs3-rdt-H(44*dwyi1UoTy{`VH^p+&p<4Z%1Ig=HNoYr+
z0U#UJ*p_eoAh-C6P-E^>$QM^i?~hm0mXeGK2ZwH6`W6^rOUKWOw4A4M$>@KLUUn3u
zbBx$8Ef>XDKk<G_a0zE=NWM%EXo0;-FTbTc)#(Sfp8jaLOo==#b=It5O8iII7zfD_
z6l0gv4;2KSjVPokD5{|J?&v!WU1ieCCl`G30uyTvMMWh2gSUx-S}ccyS}5^0-I|*e
z<MQ${ZBo@J)DY5EDiI+aw^6e=wD5t7VvQ)MQgrh^Q&{M+CQNavcvuHS^cm7`<#koe
zAYLaudK#^2#nMSg!!%+;bQSiGls=&}3g6NfD%DZ!oyO<Ou{mTTfg(Z(qTFbLQMTjT
zhl?dL<jwt`0f+osCS}UIXiihMgTRmy@B2O<^9?H0YDw^%yV|$yu(94k$kLk|XL1UP
zK2i@8%ktCqccoS&qAI4|f%Ds59NcJ6IbB$*p!7`Uq@BND7a)x^u^xIPm@>s_00o68
zI5+vQxkCC7Y|R{v*Okp`^XZ=}IO&d&IzxqlQ<%9Z`NF2=1(}$av_K+>bcX!LS<gdD
ziQ(^~$r2G-g*%SHcAynp^veeIS3JP5FRCKkNBz;dt9aA}aIrgztqa@k)Y>N6mdJ2S
zL%-3^qhALu{koroqM?2vw}%T3T84Ib)j1s#onR!0GGN*}kM#=-@pVwbQn#1mwND_i
zHe2r5xTNTXX)85z53~;+qmqaWpd@jA=*(j8*(czhvRWhX$r{)i$+sC9bNK0AW;)67
z#_<XXTw)3r$6|j&12x2R`OL`wSEv5}>DPzB&Zp}a;FKE|O0u-=EW};z^DdImbAi8S
zGAs4j%jT*V@Q#nc&B79Vb`T~2#@eJj(|r8au_GFCoOlkb_@-ow)8@NvB-MSjlk%?3
zT;!f{h=|m2H%dFO?tuH|@@}KKK$4WqkA(@U+WN+U@5L)FXi5%kKH~y=;tuhj$y$XA
zzl@k>O8y-$%=iNEFr_h&0GUN4CR^VQ-YQbY=#mMDJ?F~CG#vN&{f{aIDEC5=?ydV`
z<W7P1@-Tft(TQdN<i|v-!JSL1b-D%IG#^WBu<qfYku6?S&Qjr1=IEdQdjFgPc|#x3
z2c^xX$A^9ub~e@~JAK&wty^$qeEB_RWRxB#n;NLAEF;G7mBQML4=iPuwbe{&K-Wo-
zPA{6cY!sUOvW^H5|7TcPqhvESyx9x(c(ZB0adaP|+gf;VX`W^mR_4FrfC;2*gnj{{
zo(hM=a>t7@I%K3sVkS<c(L53OSi`_9EtrEM(zA0iGGD6`dTPxoTsKTk%<2uu69q9g
zWXnZ=>j(c%X>#RV>o0NhWkPIMi&)lfnf@3z-cX*=0PnfrgUgdwBl)6?hl^)7;_W?+
zc2s?vP%yP<5MYT`<?CN1veH3F*&KbvC~TQI@w{d<c}xfCnJw|wb48qfaJi_A3as~V
zZX!<=p8ko}{Y$xW6lw2=w@zrLt+pD2v_M&fnAM%RGHi?H)0HMfXe6^9+V{jtolZ#G
zXhDfil7>MV5+gxH6&ithrMc_hjXct_f3@V~jUXin53Q_$e=0Weyx`@eu?xZ9-4H_o
zOy!<N$|Y&ak&1iG2<5w}<#;M(bdOs`(%ySo7*8?NVl0F3cJIiYnnPA@F2|mHn(Sp^
zBc)KS#?#{IpKtd_{;tPmmq8vHIDX^fT+y+D6=%ae^)tbYdr?GtI-g8wFCv`^fjL`x
zIJc|b;%;2oRSBLs)wm)%`+8vq+oo_kE_}J$z21k(o0T%P-m$7rtJ4G}Th>U3g{AHJ
zmH6-K#-{Wi{E)O?U}N`B)Y|7Y`$z5R=V(T8T=S%P_vY|}&{=67-`o!3&v_5Lx<Ku9
zh=d?3Ig#uMA1R0TC9il(C-KM6ghMi(cy4-&72xOIqa5B;02S3D;Q%tEOPBu7+6<hG
z8Iu>^uWEfC;jEvXu-81%GhGiut8-S#mONkZmNG2FYTbSiovbt<|IW~Wi3%6J{z*7p
zCaeXiO5e42Z}|STbHu3?1yf7U8dfBq4kGKPUC#;~xBOv4fy}e&;cOY1VP71>nXy^X
zR!<l2QkNCGVzIQRygFnii&e~-4i_nh|GRN2k5bqFP9Tc!S(f#Gzx8Y8H>f^uM0cn2
zfkpauBJ4jJ{UHZ;W=LQFFGzlaAXXKuE}R)E+~3e&YXCjB^(%(TfJF$Gk)@mnftf5E
zQ6?km=eg_6B$nzRTQ7pR*zPWld@I~p{sY<J+k2h}o(4=cz6+vt-;2chsKHzWiqEdJ
z510%-w_LvOPW)>jvJWBx^^lN-2G`XOKXw;q3RPa=UXkpyLl)OP;jdNg1Z;i5PF$h0
z>Dg%$u?Nv`!bMN%d#-=H!~3kV)14mNFI}8x+4UfEBOBhxBr%%GBT(?(VYn9W_9&=R
z6~uxC1gH)Sun)b)bp&LIxzL|h@GU8_ZKbGf44imWm`r(R%*6_oz?(*i>>~nSLH((B
zCx*=<KAX=sJ7E8ujy=nNlsT6lwcE<y#lT&=;WKo(qq)-dW$K4hND6}Vu32DzYE3T@
z1R#Mq9HMF?Gd+F4$yyYCSrRNMCY{<an2CyqumdCVxZs=6tjCAyMj~YRj%g=@7w2y@
zmnA@n>7z|*%Hi$bUfxm7MdtnW)%_s?I{ugn=xmK3jmovVY>hUwGf>TsrGH|xb1@lh
zH(f6)UgiO2;Q7-0z)o)Bfl7!QF_cINAmRJK-FzlsS`ERiIx*C_lbz1{?8Fj|M0HjI
zQW8Ur+n~erp)fkT_ZVqhMkOSSxd?~ZJ=o8aA7dq!S&1C}+KPYR@`m~gUnFhHq7KTa
zp8>v(axk>Clxp5;4FeJF$Z+w_Mtr>9VB_bW`^DGxY3nKELv8;0#tl863pnD@9r%W^
zNUh2JYfq47nhAoEMzR{~up#?Di=F}Kl=6dEhXdT#AUZ;T5o{>}MdGEf7w&EeRw7wn
z09V?%lVRZw<2U1~;iBY?i#9)E$6@EdEf$pl&Yvq+W&^58_<Eg;sCvHLD5gn7Ro{_&
z#FBD>zj}6pC&f!+Wjo8!q$0!aqWrh!ADMh-yX)*n;VN~T;PiYSxbQ@S1?(CP-<w$<
zHXCxs@B_n#bS@qS99r*3)0n)@NNF`2KWzBkfAP(D{77$3`YJ6bzTAM;UA?N2pUXU8
z&e)Th0_K$ub}#D*3!h3me6&z;c}tlzBe{PQbrAR2hqx=dxkE_LN?D2LVxFw^y{m-D
zX^Mwdw-IK;_nFuC*#wLJY+13xP`Z}#yl=7FwtV{h0or#$yA|f%r&F;bqP%PToVq93
z!>ZPPai-iZzTudyvj33XS5&g=xb^-5{GW4DU=qFbEtl779V=EG+>94YMm!;#f(G8Y
zc`8EXR4ASt|6TT@7-PMQ7<p)J`hiePP$FU{r*atJ%SO+d&#D0ooWGcmKGz*?=#Y!-
zw~jjEDIxZ!m~?+LA_B?+1%+d$-wW=)5+a%IdC2ynZ`C`TiDu8+;h0j<_C(^WhIqrQ
zXy_UZvfv#i5f=?+3hknLRjs8YE1bn<@>h5Ii{1Ew%_!C=m{k<G{ib1fJkPP#t_JWO
z`-0bmp`&V&I}yL%*&@(z&+`qkTgJ4D>V<?v5rqxwhu93iNxBidGb-`uBCSfP`keR>
znGx~n-cfpDX*w8Oa}BS5G9#d;jNRqfx+4^GDXYhp`#ZCy1uK+o+iXYx0fGf=K1ntA
zn=OG4+#Ig+qRezK5ulaVJO5B6-`m@)Z_b(F&)@p37p>1CUYs>w<+YU{kGm(6&m-OS
zeu9Y5zUz%}GM(qiHp=A!0+mL0RVvd`<CY%ykI%5330KO<_9y5(CwQ|EGu@8&IZB?5
z|EQCoPY{CLO1Qw1IDrd8-KGrG#$7#5c2AR>L}rNISJ!5Bd|=v$O+CdUB^`;H2Zx1s
z1PDG_E33dQf6Wc*@TOE2j}Z%oOJgGLHPjRgC~CRIR?WP82rGYz7krChh1IJW2W$y(
zjfN?vR{g}liL!7*3S_OMWf70rcWYNTyd@JjYYHEZ*7dkl&J>L~NZf-~uh0}M&hq%H
zLU|Dfi_?$C9I(azZ3w9;$iIBSsy@6Sv?Et=^8A*x(#i|yZ2qyEymfl~8y6`l98waj
zp6zNdFXwV=mx-1-V#y+yG-aPZw(Jdo1H{p;?I3a#n_zAmvK-%|UE|xn&j7TFoHpx-
zX}53VZ91hfOaw5H6Qx1~mQf;6C3lYc9s`!bSC7Q^(SXAA$0P3XA_!(c9(gMXAgPh7
z?=4l6|Kv<xJVfxNGF$%9PzaS+A#t_ngs9s%iCV!n_Hq58L;dyI+WUP@4kS$qP;3Bw
zOL#u}DzC__mgloVO8M7D>qN&~W&P9=Mq=U#?P!s9B(e>N`5Npn=ul_T2K5A=4vz=R
z8DjI9eBRI|iTJO4w3_X(=L{==;_S}wm>AItc{_zArOQ@dH?Xd+El3--vH@!#x2vP=
zEvfbbjfpx#B~GP>gnza-H;K{m!bbTahgPjn!DOh)9EY`|qASfK^?0xXHCY6mYo;=%
z3)$XPtv<Yf39i(k$*C5T_wGAy{`{GPLZV_ItLF5*<B;`<$eYyzt>anEs4#evV1jmF
zDy89KR_oWr{!UApIpX^gxgF*fd8WPssq5(X6!uWd^*{t3_xE29j{D%PgL8f6NCH4(
zokrVLa3<7zak=#vmn^rDoMBj(gtnJ_1I1ta1Iv%Rt{vQOL><hp(7U7AP=y-%(Lxof
zHVW(%XumB+)w{QVPHE=j)4u63p5(;hgK^s$j-U!G+J16ei|-qRT*TScvdpXgl~=8$
zUT7&*2o41=$W|*bti(p3f=%X9eHikk?*0RxUJkg9fO?(uPXGL})aBg@f;M+4;Y#S?
z#o3xn>peVn7XkZ+gr9St>r<+dbN`W!ZJv<zynp9={z|Q;ECu^8DBOpphh2xAgPb$-
zY5k+FM7?DwfJOW6t^Sb#3t1UvxcNr8<9=8(+HM2WAhBY{nWe`1=(y=9RKHk@<tTRX
z%>~((;2i<s+Xrc{XPKMRU(jkdwhDAg<T4VNGFMq68mu|W>ZxesA}zG94m4e<kTp=$
zdsbDe;BmZfETV|N11_dNrH8DZD^c!zSCPw;uU1<&X7mw<p;eViNvq&$^VuTkxP3)v
z-SvQkCf^JgCLUxZgOUpQDxWbIP8h}CySG>!{OkS4*AO{KCSie3x*gU0D?se!W9pH<
zT|^MOcZ_`tif{saxD@Ql@aL5dOci>Z+t7_@>$3m)DZscwpRMaxS%)-&y(w{T34WaZ
zQpm51o{*}hVwNU%rl+VF_1wg;02$J9O`^Yh;mSb*DXZz0(f#zGvYwxyK*&1IAa}vk
zCLg1ukctd#LX3O7<Q2_%O24pjaa!jx?t`+Bb2b{5<M&K8w9eE<-@>8oy99`0jGF9g
z;=$`U-VlfklSQes=XSTa8@=w+9;TK(iu1wd4unGysu{5%QVtIBcC+U@Iz^RX(l%k|
z)~lbx_KWF);S0f01@U=>&HYp;d?IgD!w3~Q@;slvR6R`<G~m103WthO5`E%B!13iK
zBJe`oJ_bq>Vb3I+6f_DyjxbD1iBIXpIG(W9ETPggvm<;)*E|YVFWzlja+^5iGd69X
zY1K`pNX5`$%k!EmC1sVMaNETwkWVhg+%|Apgl@1ucy3^{Sf_6#XEW3LewvQz5%|w#
zoA(653Ml6idL{NmpvKEI^cspz_`~Z*L`)B$Vfq@v!X}}$eA}@-iP?6k2b?l?tu~wv
z?3ev+zX@o4&nU6??X(}QG)TVcj=Gq@KbQKN<Tq`cBMQr%al1gdluKz#UOX9M$M1;`
z9fu|U6@^&Sr83UbB@*~CM;taXPVXnNHf3dF*wg07O5C~GMChn?Do0Zv;sVb_xgV?u
z0;(Shq{w0wBPc5ikTabKluBHD6Yd0dm;xDL>-%W(IRP>`&lRSXMPsF7l9sv)Qk@lQ
z!xXpEGH6h4b~8BGE*2qSVs`?$p`?|ye|5*_alk@%=W!%KXE+s<c%AB%P0^dv*iF$0
zc>~U|>s~a1@(|0H9PD6SU{G;b;xt=1(u$axj%#zIhSiC(eU7X9eu$a<!X)yi4a1%|
z;?5wsr@P)$h}GN+0#6CucDG4yZNGlHR;LMZ7OCi-A9MUe^EC$ocChhB?0g7>4s?N$
ztRd4QTxbP5sRLD>6P^bajWyQ<-`Q%ya*oxuUf;W7JdTk`#1p$DTkx!00{abA^LZ%v
z_oXcM?pH-N6J_b*>z(K*-tW89JN0?Ng90~`BzYGs{OA%!!ZX7Q#030_yqK?wGGjT2
z${1oBgMNElMEMsbc})b6VvKq@D?{2ItyUgFz5QKR0sJ{v7ubAAp1jg~9em&NlT_^y
zl*q$EpQhQqN#3nG)l7~6)L%9S2NNwe6umem+XaYS=}#=RBhnQmPL-8r7XtB9tb}Wl
zj=mIkx0t9pcRkRoIW2(m@T%}|Bm8zZn%!y5n`Ae~q*T!*=Nb4+M9Sw;v!<qVE&hA;
zJ6%?xR5Do9zE2c%>N`!bW6Vekb{~0!3ZWuy$)XCneg8C3F*;J$12c=?yVZ#VoxssL
zUF&gZ1uA*56TG8Mt=A0>NH=JyV^i%!W}MelR%J%CN~E*g+OjIMQ-m#TZO&{&{-*jJ
z42wWA?ES))hx5#{0}ltrEC5l%6`8)n8v%}eYWN5OcX&dBSybgbQo@9OtiR}m^HlxV
zx~GR8@#4B=^>Vu=%U)^`(t4wTI7zKY(qdn}ZZ*oE%jFme^M7dpxG+_Ukas<rAP#V8
z&(fkbS8CI8$H&dQu9C3D141i2k$C=DTv;HI->1~gS@)Y6M$->vohDtNkX^>`W8!8=
z=y~S{t0JB9kU{-bSV%!zDpRk}$3;t$xO+>?66BsywB%U(GLr8%eLP^-1O-JxLnEo1
z0E1Lcqfid(#&?e(dS?-7U#6;*-VC3_|0oKN$|NDQQhF#36crUmN{sXgBJD#ZH4yW8
zUJL)h_ly_!%c(*+J0jj5FDh99Nm$#^C_3wghR^F&0hm7imJ@FI6JCigCot;SSv1~#
zo2m|2CuQwQr0aex?0s{V)mmWo8KinjO5XUA%@rIf_DQmQ6$lK?F9$Y=q6(50ENB*@
zU|}hj??KI5gtGI04Ll~dreUGN$qz_06Wxz4UnGd@xS;QPdC<}3tS@Q)`l-#gVA8Tq
z98IGk7$@bHQHuIR9+i!Jqk^T5vnMid`}Y2H1q@kl9;Lhb0b;T19bZ@18%3ClT@+Xf
zL$dN}y5=Y17kz{h!Ej(V01~wBdpQ4T_<J4UQk<GyV%hocW{<oK`1h$e-@BIeZ9kA)
zGHv6xE2I%UJM?YRi<v5jJ%&+=3H26eyGhNDoyslKncvgi4fF;A`Q>8$z0>$wjXtda
zfPHiu?S8ZKrc0mw>g43)#0(8dY3u8%%3N<3)Qk?AZD4HGi7)%11?-wEJ)~|D*H{@z
zHOr?6`0Yk7tuG{6K@A{CqVrjN)3Q{>q{&m)g4*d~M2kce+=@2K;V*FwA6z9OHIt2i
zS5c7AQsI&Cu3_kjxhi81swc-Z6Jq&NeQ^`p3PyBjK<kX(BV(f>az9ZpF+Zo+#VY+4
zt-SPtOUO>7(WRnKuL>ZY82AJPsxR=+L!X2Yr9&9YrlhM_`C{y2_f);b%t#68pz_ib
zL(B;Iz?~qW3Olbj!6ch0<v;RpWM>C@UwSiT&S%fSz|(&h1JpEe6OcYYe(Lcw<W$yH
z6x9UOASOq$17v*8vvv8wgBuKg+k29q*9dmFNdn3E9UYwj%hh6%ve0DOK-zZlou;w-
zZ`Qng#;aGx1U0JQoQi0$_~fYc|3t53A48tFaw{q+p`xRc4T=NEHu>j?E9=FUKmf;e
z&?QT?Y@wW0rl-9D0bW!P@)FiQzLkm?f!xo<DrkKPf^D^jK6sDjjwH5vcUr>)76}FS
zpCuwjNssb}t7dU?|I`JSWML5rC3Cg68&y(NMiry%E(IfXR~DmH_`D#+7uS!LSkF$0
zUqxDI<$OtT=`LT>Z6zv&Lc`%q)vk=I>!GqRQNLWHjmk+&19jv=Dr44Ipc@pbvTlhn
zBgCnrY|W)EGEhbypxi1_!X7bwjcphPLw9+LuY9QFsE^T0s;v87RF*i9GO64rs$bTe
zKNq|gX><e>FHb*VyGSQ*@dO5|bd+r4@ciWt!l4093Bu42d~`ADzj#XTx>}TH_*V5R
zhD_rTXT8p$Oh<tP3}>P9W2!BGFzT<&LcJ(R?=C~=uE$ro$>Q!CQQuDi4FUdC0Z^zY
zMo^L>*`*h=9RRTWEk@0OIiM0;MT>mgk0=@3GFJL@<sW!=f88DQ<E$PDSPD-E8xL=F
zx5n_Od8(!wVu+e>s!--`htn4h2~l^kZZ^lRk-eAR-kjP;eW>O$P6VAY{HJBa%nEKd
znBe;}s2XK%>Z)*b4Dg2CP7d5U;EWQiKJxDJrb@vCzw>8qw?n7mznil1Umzs|_bXU4
zBL_E<vla5~OzME`RQc=x!w4?EL@obh=~Zg@(MyTnsx{+<fR#%9Y=TmI*wf5i6n(M)
zJjzc(p#a^KLAvr_!&LG@EZ7<jjXL0Rnc;aop(_WE$fKy`nk&*@r$rFPM_%#|s;ns>
ztJ4?R5iYwJq8u5i1V0J@c>pc(@ST#bq>t5w(aQ*}{>ydV71z9Vl1%vze_KMW&6R-D
zX)4m%K=XpDig}yla4TpRfmKm7dXlUar)G<Ml7ovUxve0zJ-sI8&cxMzS`|YK6F_?Q
ziBv}RIZd!mVnF?0smmYcttR*a(x`$ifg~fW60Dv`IF*IOZ#L=dW(<kZjC#RfWe>(J
z3fR#$9U(`_OchDQtYYQTifK9!;D{x`!Lsr(2FFLxOIw*A=DIN2a2yKNbe?$-r~6|I
z;z=N?On;qu(nsVo9kNC8=K`Fg&(-w>Kmr{J@r344x_apdx-oz#pqehXQuUggs*~cF
zss(FrvVd)Lui?s)G+|A(PH#E=r~^-ERog0ekf@Ab)3F<`!Z;eubh!PSwd%dqA}e>~
zkm50GI)uZ$Ne-jijHop~4XlSuu?Ce?=$;oVETqKp8VYPLEKPN|(xgG`>g4zd|FB6v
z{J-Xb(*Iz{5Z&8TBXH(AIX&6srpJtEg0zW<zh-noc_q#o3)2I>nC$3L6^w*+SBq6V
zh-**t=r%luUjGoTF?C4qq=x;Xb_&cF7DAYxWS!R@+#dc&hnFWipjxyyrng&6Yo#p2
z^29<_POHF2I*dmUE()s<UWZeAuaB45aGJ>}NRqDzHW0?sLR^LaGhq3kXQ)$5K_8n$
z2#5d>4Gx9Q_b_Z!?z`BGgAhwdJD7z;%s{G(aGCjT%jkH0I)cVPkm5$l$tzY4>4AcV
z8|jK@l<%}!XHb(Y>k=+cYABP#Wnh26tsf7EV^egVKVP_%lo&Tn)z&RYtL^b|DcxBa
zNE1*TjHzMe?u^4VqVB5I<tmf1#EL^#ijN*Ftp#>89|KGp5g>@KyQ4U;YG$`qMqYHb
z03YVNyhEL#66W!pG6~DVdpfe{=V8^yX&f%>nj7mZ+V5IfamPxHs~R01toz5o^bbi}
z5_|ze+8f8s03_#xp=B^l#`(BJ_7xE7xDGd_)&CjOIrUVM8dG|nuU;buhKGX#+)6}y
zx#>RK9TYRdf{Io#5(++~#=~f@&|>9Q%B048LjrL&L+!h<Wz()^rz6xNuwi5Hws*9=
z$P~Zb3n6zdhG3gA^jE4tJ2-St;jFSjg(%Ll&Xb!Mh(Jop$n<yS(haRofIFYBLfGld
zDh^%tkY_CsXt5DJIfJng*BL$J5xHOV?O$-{)M`#J*Ast4g8urVPn3v1xD}(I6K_s;
zWy<ONKt+`O9a190mxr-{m@D+y01m-l1rnoSDhRL|o98g+4vb)z&8yXE_o1ZlZqOXM
z-U+;3-O<Bt5e{ERE`%Y@x<4KE(W4JwVgWy2_eJ$aqC656&sXUt!s>+1eQkxCOT4<6
z9g&s)sA$(($zFZ+{c<U++h7tEKj}jCK~(L$$MVIj*sOvb-s?YBx+FMd0ucE6yTee)
zPkiyM)OP~Fe*-X}$80Y>jK{Mxh0R)~>YF@LhNeGTfu!gJp-1GS&9NDXNW<#5#}Ny0
zD$q#=QnP~CeRaaD)-z(F^xkn-PkRV+vikD0fxDjW<{v=Si`Xp&x#0(mEEE!0-kPJ-
zypXn&)tqQEU-j5=-De^--)6XNw!m?204X^eo)Lp}0G$@wP9k=R!M0r1;7-4PnG=>#
zkWSn|m|MV?YZ!X3J#KAQ6HeMX7bXY!&*t<*^~<qHtUESsZimNCwWO0FAbDl|@p68~
zlavg1qftR;-WtyDKq!(9Sy~F6HLz#b^Pza`?m@y0P({TwhOt>q7}eng4ao%9xEv$K
z_xMrx{hADGM4cVM99mA0?Q2FGk}b*m*1eR&>+^Ljb%nsSec5GLFW7&;Z8s6f<>`8X
zA+a5A*Pha8Mb(cXCYapYq=7T_zAVbV=yVu@{-r#4qDiPeS(K^Uml2Znd-70Uzcxt<
z$<{|+1t#lO1t1rIjDp+JU&WX+=j8<8VPzz&)BT%KNj0r`{J}4w5+;Zwkp+EI5kI$-
z<a;Cm5iFIkbz#k5k(kIn$#WKu=%6uQ?{A-q|7bFLO@&x8x+d)*jpZb5HU368q<Trg
z*{$=%IRZXRPRI>hC`do?7Ak_Y;a!}<v4KFGi}q35SOW^xwg4z?foUuBHTakIbQd+(
z0wOS<eAFffCnWEKNfJ^Sw9@5HIk|BW$h1um|78li<8!`L1}^7=&#Eo#{d6xm5m^Lm
zM0k_<9tgDq<!lj3VW5h^@p_mU|Dj@{l%-t6@1$>=&|;Py;tN}eV2R_9_;|AA=W@c)
z39+#Rf>xF2IK_^ozc+^e!7|HN#S=7@ZFKS@G7yOOr;Qh0^iE=vP_W4NDc-n0U7fkF
z?G3t)HsqtFL4DL<a@B`+w$p6ExPOL!?=gda^VgDm|LH!vxUG>)U+X(gWQ=T1p-YTt
z5M>+816#7($bioto>N{OS6=$XJ3M&m#ty1`Jfe_|yAMcvSspnI*bac9;^UOJ3Wcjg
z)#;@i<(mi)bhnrGi?$|;IpN`ER@Oy}3cjJLNx9LcT}_MHdiCtZRv;$K{29c}01cmb
zWe^jy=o~=-duy*02t&?XE;crBHkwF4>R1#DuS26z84YkPuO$F*J*rG$aHa~w5~AVn
z7WcU(GcSBs5pGlkkH4U=JuvDH7PS~P*eh2Ws3-t7G1tpM<{8Ejx#+O&Jr)8I7GfWQ
z{#k$dpMm>B$V=5P;G)SF1`yEMw;9l<`H?e`LcX_q`0ooQsvQF7zN406;}(2RW=oo(
zGK^3jL6wVET8Jj4H!d;O&xauo@^r?yM<Uy&*FkFUuL#*GE$8U1OK5HIb2?dVfY|BM
zB>PGP#q;HiSsO!<oFaKi^|F+z%|_dhS9_TTOUaDBSL^fLr%(0t-`2T-SK)`7G$Z{(
zK^lkHYS0Fzys0*i=yKxJdqphVnL`+s{ZpE)Xy?^D<f9IVnI8&+k-ORRIFw6`O<kHx
zRhk8JTrjB^Q2Ez0x=^lNjj?#q6@c?j5z%qjm!bplihCvI*;o7v>E$m~h6eJI(ke;G
z=RH6Ej_rTQ53wj5)Pq7E@gN^$9D{&VxK`T4^hT*2F3hPEew>vqurAFm#5Tp=J!N<H
zQcISxIblN$MlB)xYV)6hJmM$mZNF>XwII!f0<S9N4TI-@BotMu&PO4MeI7+*t~H=q
z`#mNs49qVeF8*c}Hby3ljukooF=eMnp_8k1HxS7jr)XGLW^208<&|+)yl>G*<I!HC
zY$sL*J;6w>Z)=yO@`vMgCVcxRk;EToQ}+cL-Ym@Zv$e)bu@v@H&r*$1<v`>VA~k0$
z0v>mm(K|MGb91+{^p1~-1;C-mfvzI*lLo2Z`nW|M`UM_27`O~p44Fm(!=W7Jj5`9F
z&E)+i>axH4_y4I^{|EdM;FS3%>xLTrI4exkm24*or0$kr@T=N&(spM&8V)v)YKB2C
zu$s5NCTZ^hYv`{EnK}98gM!bT*`MS6p<NMP9|p;PQa9YY#C^EPWUGJB>(ae@=;7+@
z$sPmC@bXQX#SycQj){9rm_iCj*b>}S%K8W(5{o%a4lWl<L^gPerD*N&!$vsU5&5<&
zwCuSQdIOG4dL&xtTl#S;(fQVry0cQquz;N9_qRL6$j8DE_w6W5cUNO<9$ypw$#$Rx
z&IX-U+#o)4{O29wlr%U9MY{eofz)5>npcZt>z{C4OUSJkNZ5H1(MxKEjD)$jLad&!
zV*o1td=JzR+-_V6scPZb;Fspqs(RXJuE_u^H7g1J!~kM9)6Lmy?mV|REce~cHg%f2
zidy3Tq{l779&+(NX-Lcu^PA>7TFuAB_2C;mnd3jzsGbk37qapAiO3B|fiETAZG>pm
z@=;@wwX=w9U`0GwKe~<@)Wg=_GyIxJThl^6rx~r3WZPB%S)RFwQbTKd(jEm!#HO4Q
zwOldGkg>55)EQt&_+|ohKM~;!u=bM`$E$c47ZbMvD5X%z7Z&qw7p`i;%|ts}VIZ?!
zm)tnuZEM156w4p>L53<*`>NX4cXHy1<aN5J+Vq{R#9vQy{S)k_L=(v!StV4L2U-~+
zGekN@Mn#$@sd<W6>^)XfTu3Ex2Z>si%CF+6e&D#oiCuM<?zYjq451N(2dB%6-yqM<
z+K|F<vLd6o<kEPYU<Qb>b|w?DNiu8N&}wwA>n9vwQ}2c3h$jxz5QTuuhG)3u?}+Q)
zkk4?!U11aYbbT^pJE#qQeEvbh%S#v$5mBp7<0+BzAl{MmuPrUF8KrjhR9r?zL|Quf
zB;eNXcv@lEwqgN9IQU=qv@1r1Ef#1cW{2bV{XS~&ARQh&Wxi;Qn4`_=s1=Lr@+0Pr
z>a|z`SefO<XBbklz<9C)<!$A<j(Qtb$CHE?s+B1{M1~r;VNyUVK>6F@_wT)Ng<@Y4
zJb@ADB816P1y3F(GBmxG8R2<PSTR*U&+gkDHm4O_#2m~M^t8I2gQkpyTCgtB*puRd
zA8?{AwV>~^33m56$=#xM=`Oh(HuEH-E1o3XqdSx<%qw<rQ0oTwsEvwS+muZT3|+^_
z1^~KL&xw)c>*hP=i;;^Ov2{NvjU+G$t7=;B9y;jB3FAYg=6IwcrKe*b|7**iGWm0Q
zr?R&!%rSB@_p%2-mLfjKW!-Jn%f_G>GZ_tq`qb`;Q$=50#ivsDMPSt{*^<@hl#UXo
z48LU=0eqEl@sv~i<qc?2xmXg42iyVPhfLQktme2Ygl<T`L%2mYFW?I?s4-u9?C^^U
zVoO*~L~eOaBjI+&TUQWM&bao!j=5s2Dn0VKe1GA5)Sh|U_VxbT-t~X>o9rG5c#259
z2)E!nje&s1XzgfUqgYqnkj}$#l^JTk^W_oUDhBq?=yKl7*kE9$!H}8pW^VcNx->xX
z&xPJ>^x0N_R}TLCZ9}*~3=D<JrMyW{lj?e5emVY+J}1rASohQ=z?P+8mt;LnR5CG!
z)Kp*CB;Y^N;uJ{P41GnCo1IGFJ$n=lQZXm=Z9z9!|M-7I68UG?+ED9LKhehce@#?S
z_}yed2N}O+1~_s36QuEfV-5pW<op9A{=fNSM)2=*Ad1+3ytY3>ydu+cc>mq1C8RMH
zGFG_f{C*ts*6=^R3!>lYHxe!>Hjp{8pmE4RzVM++t-a>W%}5=wkQ}i5J)rheD2z`&
zT~4NT+K0;`0_f6H)c^<9zrQ5_-W2>Hsq1GVwBVQj%oQz>L6TEV2O868|2gWKAcI*6
zIu8_<|5`iZd3S$ofW5wcr27jQ_<!R=O96kpdjFqWTL$_Q)0aRXg`sOM{LaLw4;{A0
z*d-$)Lyr|QLyYr&*?Qq)AaLc@wvBUD+S}Q=-^KjL197<harSk~<yF%Sf{Z1%8Ll^x
zs`Ko3<%qf~!W7-;zC}KLTA_2)DJOaU#n!?2+kofk%4?)z`wcE93VE%W%>AhM(%s|A
z%zhll%xavo6$^c6-5<FtJE~jf+hPQ@9B*V@TxV?IqvGYbntzGicf24wcN}UqJ38Ur
zemOmvp-o?(>2EGl2%ty2Gvkzvih*978mf(Y+8lKAo!+nT_STHvB>%_g+lQip=5r`7
zW2P22>_pBTTc{o%8kwkG&_X-18sqFaM|9ZP|Ha%pzem=5U!XIwZQHi3j%{_4iLHrk
zV<xsaNhY>!+qSKn_kQ($?q6_!>+a_~-F?p9Rkc^uT5Go<lQI&<tP*%5V@oq%FERhz
zP)O-?1JCH_{0&}ry#_AH{J5B!((0B<(W08NN5?ZHw;G*oD%YE^fBK=$bo~ljvy*JV
z<n&@UG~xscju>OT?r+nI(6!Ca{HGXJ&-TWH@A}SZNe3&;0hOS?kd#48vwFWy)*!_f
zZ1r<3?3ZZjir0yoPV?@p5g6rvgwUTg%I_MkHu)ey=$tHvvj^|UpPv?0a7-sqpfV(R
zrP*elqyiJU-|&H?Yb#Lr;kw0-=jm<qxcW2z*<!}x@uf}w2p;0xNjMAMwGmM%9+^ss
z9rU!J8*}pm##oasU>;D|Dn*#DbbsBOlnNfm4%IEZkaw*sZ*sU#%ESftJ?XE3OI46r
zNk_;|^W3-qcd>}3^u+H*@=4RcLA$Tsr*Rw%TjJ`b2yjJ0LBSAc*}M;O(YcA-b0>d;
zBMq>`LqdPAYj*qO5D60cWI~6ZOBxPTRU#vALh)2796VUL9!D^tKR))J#=9JeUY*rl
zI%KbgVYtv=MI!xR!vW46*Sn8WfZkZA+PB<?g+=(~_Gtd~X#~~c;H~f%?ir!;em9Cl
zfbfR)-cJ7w-Z<em6m~UZrp)34^dW$OS+9lwC#CArb!_SJeDJUQlHnj<ChJ_^k#cG@
z6&*}A?8B;jb^H>c(Wf1p22O@9mWwJ%O);OUWVYRm-R==Q2Mlxh7w#V2L2MhL#E73x
zYw$3%*Q`NiOLhp3P(-Q)WhOkoT@ABRKWCZ#FcqQPl?Vz>I@P+HzI5nLvcpVpY`<$&
zxo*HazQi2pCf;Vk9u-6*bY!XBj=z*u{i1VQx$N!tT>RQB-ZBK!mP3c!NB$2g*Bp|6
z!nzPV{2)+j3y*y3u^Su9zsV3k>5~IiYa~+4%4h7;0Ro925@H&dAe#4N4W!s`zh!?r
z>@6LNf5Pzv@?7A0;u83t*zkSM^)}_0an_yBz<(K`5^`Mdl)3yZKJQMi;tNF-Oow2X
z9f;{~x=)LDd)<As{~RZsD%6A2b(=<dI}Dt>UX9({`r8dU-Qf+X%XSANo2qeENlZ-3
zxakdP>wO1q(i&lNw|qVFRMWKcFc@cj8%}T0bQq(<uJdt!)P6Ky59@Jv7R#IM2HN>~
zM>`OMMX}p3_}tFeBa>Jh5h^>KHu8CQP;B&u&uKhUn|Qro{FpD=+HkZ|iFuK7M~F8@
z3-cTB?)2TZ!vn17y#;BK&kNJT`8;?~KP|cf6!-e1lW?$3OD3+t7u*)ho0+2hBljuh
z7aOC1`?Y|sYrl(Tt1)MX*P+YX>9|511u-{|_p{v3>34T*$g4R~V+Y~K2lMqJQVCrb
zS`51l6}}X{Y{HJND;WlnD*bkc=`9)i@f7AJuRf`^2Vtcr>4A@Ex1$)VX}yK178Q-C
zW*febB~PhSgOtn&%&d&CZtn@n)i09n&n}`U-z%4bWnJ<C%S&3!@qzY4fdCo85Eod1
zp19oP?ehKB{j@Q`LtI^E)hxBug`<Ub%rCAmJOEofm&aCz<)Z0WqV472@#!XdaQZbM
ztI76lw_3wUKP551j8d+zS|%jNskq_D$H#Y#eOv8pvP3=$?Q47qi1Xz!Na$!e72kU9
zMx5FXGNvO+_ss%p4n6o@cOcztdNk{-79rL>GGbe^JuypT@-7o6vjRT_p0Pp@Tfy{r
zeo7n?csq=)Csw~3%2OxKt)sZQ47wam*YNX<@QX_5M{}PdnlGw6R`h!}>e9EZ=Exn|
zHUZDxmt2X|TGivSqRa@>{kq#d^K8-)jwstM)1Nq4Zbv)t3lpzE|0B6G$o&5b@@DS|
zoymh7vVD(*TnM|hUp_K@a=XE+*i4G@$3N{(ZH8n$un~If{z+mwEBnTvk36E%!`RH3
zM5h(hmZD2f7|x^L2t;>1%M5=qt#nu)-;JvSB6qw!_+E`ryrwH;2T%TvC6B};8bGF5
zweAA)2C<L&_E&6b<cod+v3^dTKi$nLT<sJ<0?`@6iSuo{mTc*-rw0wTjw#`f)_>rn
ziMiEy_B&R@F!+_5%%1-=UX1vmxo7R?wS4#*9jw{vL+<J=2phfX+H?OirvL9Tq4A0*
zqv63IM%{@wHO1Pj%)twxzRwG`vp^>zgsZvY_Vp`2%Rr0T600{tTH|q$C!rVA>7j4v
z<i-=GE(NTBy9XbP4P=eSGT)d%2S&>j)?H@~B+sMuce4dkx{OC!uNutV4cw{_?@0o$
zzwf+jUhntjIJn;ir}3YjX6@pUXCdKtjIOqOf>SPSBKT_BZNpKcH1qpVJ1G$r)|`r=
zBu*V>@gH-4;FE5A^*&g0m4Wfecm>UyN!r@*ybxBby}jNDWdx2ss$9Pf8sutiG9S&h
zqU!cMWz{V1G~Vm4xn7F(VY3!~wl*E-z~7q5b(dkQT)ojIGQT~%+Izo3EY-WCBkU21
z7#fOKh5Gpk%|%9ZYj4VnaquE~w{S>`=z?)fe&RH4xMDi*@H;Q|QO0)wp^MsH*j&#>
zyDBCP#QX+{Cyl^;o?HZ?AXq&fE+h5%dAfB0Cmh=2ON~E}^V0SFMyv1w=Q}6kFSl!%
z=54|nDPjZ$MDu%k%bX2)tG^=(yitugoL|q)PWEKgAa;%$1S?uWwN1cPXxE~!9==7W
z<F^8PL=gc}bBj+$`-9t!5IgIkcF3`)tTAWH5TffCZsvXFWb`^=pFUr<;dDw*d-srA
zvYX)!jWOK;mCaZJ2N-qHtRt5_7=2;M5v*p61M311qYdc}hu*QoGoD~}?XLu`l$eGa
zcZf{BE0S){<A}^2XJBhnGz6=h41>tX4j`Zre6=+6!J+?IpeX-iPl6`kO5tw=LK4uF
z=>d1ff#f8R6>(gf9AU@;ahf#IyMRVH5RDVGpI(%_jWXY7%^`yoQ0m4?JBT7}1Z5Y*
z`T1B6g>=6?(F~{42-mmqYrQ%gQ@T1xDMcKLIX%M1MlB_Hg@WUl?VEx8Gg7!ekC@I4
zlj{s5mh-If)73mQ3eQdmt2^RGYAYi4F$Y^XoZmFr?FiPsH}fxgQ{Q0<1MB$HgAxk2
z+g`@$!!|D66$-rGfwkx``Q)wB$qmW2F?2#jDt*etntQ_)=74bJ;4u^$lW;5l#$vC)
z3pwLB-+LiEd^c*02|d5w*tN>wi4-!iKFwnAA}<bb%zB%WYk+nQGzB!V^7I#3j_psA
z1K0sSE4Y)oZ9i!8&+anvo;!O6TRczv9TJc)q6}DV+b<-wjxSYMfvvt@wvSH4_hiAS
zMg0sgbUKy6qaJ!xgF%pMmSZ1h#F!#ahew@BBcV?DrfMf|ua8w-vN=TYNe=jG*MruS
zPG`Xo!8;Cpj~fmfw@h06*iLTP^h5;GMnw@5vNNh0A6i}C(fewwi(gL!=rpR+DG2-!
zhCA<}%$~z`M_f-3d_IzP*rR~}g-^`oj+Upr&TOD+6-5HvlX^-!Df4rq-IvM6dQ)90
zz*C(mWG9tVu-8W8o{s`g3j0UhfZ+(D)t<_9n}+Tj25nN6$jyZs$)9jT<!QY6{igB#
zp)Z|XaNO0)5$73AT@-A0(4bgeqA=d^vG$RyVPJ!s-3eQr3|#N{mzCd)e=pNzGPo43
zFY8GJ*WKBo_y)Hn%HTex(Q^d)((g8z+bC_pM@c$;Z>-)+FX-$xZ^S6a$)M17lo*q)
znJR&SORJcz6~N{0W~?5i2H9O15&Go&rI|JVFNE}~2SAGadx(ww?zu)!0WPfCburB(
z2|MTihm-*4FYQ~*mzukj3^ri{V!LcYAq6FzEq{OA8f0j~wWfJBj~Hg|^8MwfHADJ#
zCj#!3$6A=34*^eIS+PGG;7`KBg5fgD2~8O8K6R^!-A0Q8rW~EpVfrAuaLL;Gb3jKw
zt`#ayy$!`MJ=tZS;1ZkXIzvq%{DhUZMmj^TyA@b)NWNTeOqyn%JV!)ntPnu6{H(mp
zz3-Hw13=4WgH)-95MvcAfN%WeW9FZM*J$l{Z$AR^a)+fwlcdT%5tl1E%`_Ja?&LFb
zlS=nyig4FWZ-1|djNiw5;5JUgd%c%QZI6j_b-0p>#j|Im%Vz?m|FP$}=efSr!3*jD
zpGO860{JDdkTkVrSa|Qivao2b){b0gXC()f4+JkaYY!wY``jXavL5)X`AOiXq^3pq
zslb>DNWGIb&kX^CLedtwY&Qn4$+glNy=XjXxoAmp(ZGZ?`i`#3BXz0gQI-3c1}2p~
ze0RCVnQDRpg7PEY@sGUehG*l)g?I1Tt-Ka=YdaS9;cZ;j0zAEy*mkWiUnoZD`SpY3
zE)|c$e!QKvys|&Bs(kvO?x4+h@3FVmR3e4Mt;h8YlgS=tk@sMXBIe=t+CCrPYA3Hb
z3}6wMD@ucz6c(`1Gx`Kv({XctLb|(HMvaZ~fqypTg-$H{KqtgXj?y>Db9U=xE2y^(
zN1p76y60`9kR?ORbC0e}48tL#L#7T3!nDCnjq~MzeJ;q``-@@t@YDEusTVOv<5C~%
zX~{f;`fuDO7D|B92WjeZ^$DER=~s`Vq%fYKYOw-QOoqg7(!pQGJapUZ_<|D#GG9mL
zCUJ2UPOleI;jsOoRe}Ihqs*%fN&^+=0s~`LGWJ2=ly9hpAhLeYOy4QGz*4&4p~FHw
zGrm4-0tZ{$8x$+#%suqePkAdQtg+uPp<D7rvJl-6Zc+jrloRVko{#`EYy<YrR1X|r
z9eOvEY6}4Xc|alk-*hr+@?rA4{-=xdQhiQ$e)7(eEU^IC8&VIs1f|^`<O(Sk#{n8P
zZCwGI_*aF={?j*fH5i8oyBjvr4-bLxa?6w3Xl3(E^`m7T<V21?{W0gK)h3t3Z0Ao<
zIEyeOvqc%W=)t4(l!Hw|Ua~wdk6&^fX!D@nSxKohWyX4*yo6!O;Vb>8opQt}pLaYK
z%;qp0>hr6aNYVn2A8Zno_l&u63eIGxNTI#ESE}aq1q(2eCea}&;s>IvMe_Y~b{)O1
zzMkkZn6?9BsRpDZC60$xh4@9?tx_ALn7`U`j`NUchXCol=L|rx#kvA?vh6=;zd?5e
z-7u<rny|(_5&FY&+qW+{b|)bpG;$19Zr}yO*xw9h+>V#c7%V>C{J>Q@26o)7uBYpk
zu@<^!zu!2k{6UyjnKp=)j(Ohwh*t7_MuOMAA0S0U6jsf_|MWWkHXd9YHRXzo;3Di!
zOM%Ue<~pKQlDvU?T;EH!0V7U0q)Nj^x~(o-zhbh}05<z&y-{aJxt(40i9CvF*L!!I
zP1-l~nW45fJovxC{wMOC(ceCM-fZ5Q*ifk?g{a~ST#f>Q;-H^kgJWEJf_(4JrQB^R
z^pyW3Y}zX-2`Oo*?ct!O4zk93&xcPzk>5-Z^j!puqV-dD{5>N-9I=bDi>tXy2#|GT
zAm9(mFLp%IT@4~(@zrWQg@I#sfPzv?pbnPYx{35ovY0B@@Rim7P-wef<g~Bp3J!%p
z^h<hJ6>!X*acw80YJwvve-*8)7s17en4aW2ZC8D{_<OKpw1CcLy%Ei^sX$6Z1qDC+
zT(&4F#rLc}tpt|db;ZRe8sk7q0qK6tF5bUOop!3EAP|m8K<GCt!)i}F_!bF*nmXcl
z;*!to`>uq?<q9#MwwQA=zEtf3O-F+-A_qYn9GCVBjAq6x7OB6H&{l__fqqp&R|nX$
zXpm>>hj-{YK_MK!%(*J(>&lI9pI9VwD9~HD7{IvEBl`JB+;G9`za70pOgUTQ1c|uS
zw@ktoaW8t2D*EKE!0@)4)|2B3JdNp(16LiS+>DY;w1hy**zgxjoMMRcAnJ3g2_c%v
zq3$YD8@+aG1uHeMO%Ej58B(Gp!lNn2CZ1*wf6QOJTehtyWow|wdY{F0+bN}F@-Pt`
zTebg|`rJ>(M6CbM$o=<lrYGwHNz{Q#EN}6JhB`+<ww(tYz<i%iC#I(+Fko1VCSxHs
zpC*dvin|0yLE<`A`wLz)DSw<1nl?pu&Hs>r{w&U|a8pOT5}z<<`pjZvd`|Kk=5p36
zULnIN;jSycKSx~ToeOPTJ66NM4Mpx$%$V|7i`$(TbHuGwT}kA`OsjRL4T@4HmwqM%
zIoF&2-edHoEwRY&eFmBD_6q9mJUt}v6w|2pnilK9$V}|igp2fr>_wYLKtU_~NAPXw
zdTahhD53HDiyl<@DuVY+f;4Ud)^8|`K7fO4eUGrdjaAWI!4Pxh_4pbhvl|)rj?Fw;
z@<g`qz=rIN=nWxTgzNT5{Oyn$rqM=#d%^0qU*?<*PQ!7C5-3luMXbP)vK^kO_Z!Aq
zvV8szX}$?U!3b~6eXPf0&n329SXuo{e+-LKDCfi7sp)*h(D~5m9O`p}V@PJif?Q=D
zPLq?_&*s7F_Ylgf!D7Pxi(F7DktvTiCKvQHSFGR|fP+06KBYi`i;};RMdqDw5!tr1
z?zb^XgzZG%&d8H(p0RX3WQ|*kLigl|I*5^l1jDle7uERolE;zjO1JBCM#V-T3d&Az
zjqN-K*SU6|IGBoe!M)fDd(!Od)l*<>p2nl<nHE3f>SX%$QkXo`@jMhlOmL+=z5vcG
zg7%<<VfPz#Q(Urw7oU+Rb8_^6mp^xQC*t#O)G(q>9?A#2zQoID@kk%g>FY#B=I2dc
z|MxQ`HY=3K+E7H&-M<*SgB{U7HoXI~8#2UhImUr?2K_a=l(`6U{@EQU8y#^^tp855
zZ>Ue`V48+Ev^fsQ6pHbF+1)``QYbuB!CXOXBrov&Z}h20!W1aNmctO=eY%NFvV;^C
zhs*qR^GF!j@Ro~&hMP;HNOHn<N1bIOu*m@sqEcVtb}GbFCMq@UprByVB{ZS^;XGkN
zSsNIeXd=7sRKwe*=Bi*I=DR0yJf!#Zd@wLGa71><Zg*9meaNE*H6EvycuPAHs|3AQ
zy1O1J4U>Qg{Zcze_<M3VcQlCQQxH*!2@CPn{nZ;$&ESSMn~0y7&(Pr(aY3fg5V9{u
zbjuqhOmD-BR}-}PWU$2b22?$H;-A46!df#&7GpEde;q7Dtc<CknPR+Jar9pAMA;L6
z2382gQG)?#P=_9AhF#F0&;~7eD2nM>T!=PsS^YDbJ|GiK>ASPw%Yl@+>b)4=$QUI9
zx$v}x9hSl3I#J`NobgprBqn-%vEhR9!ZjWQS*Mu+%qo;5580msXW%N;KIEzD@q*C@
z{MiA7slS4PpLd5s3YTi!*-gm4!Gv3cC~UYRvs0%j^cS#TAu+gNj~o<Pw05VkUHnCR
z{?TSA7I^e>RPJ{BsUH9!4O|yF4QOf&03~D1jBt@2bmW(KJNCwFexo^1cn*<`3Ah?c
z%#TOu{H6ubUZ+0i1FTaw0+I=`k%aF;@jNhcC&?$hU9&=T`8<;i_||;)!2!2!`NsE}
zjL4Ly0=h&uDCK4(c|RZ*k4D<txGNASQr;bQxY4(n?HRX{06ZEJG(Mchvrgf}*BQzv
z9V8`7u|kQ(=k5!#MHICr^}0U?YrCI#)oie*$aEsjlkiTF^_dEm*s8_e+}*VE^?Sbc
z=}OzTMDbdlF8XwuLP@V?B4t@%=;KJ^#D<>l+11&dUDOw;C#vc-+Kj(4`=_q?zgh8W
z6>7*5&O`s~ii_F5HO4PJ%XQN25u8jd)<2p<K@Ff^8EGBy^2HSfjUH(IUL{Tc!#y}r
zm6pF|(Xx)<u&e;tkeVSxyNVP!7|E^)SdZ2#X9}rZN<UdszNh)bfV?;wBfgG4F+K1%
z<%CQjOL@sKmz*eOzo0Y+Ss6>Zhq(B6Mg&bMAqhyd6v9dRxV-nQ@@AVYsV>6a9){Eh
z-y3Lfx+dpXzex+pjjDC>Nl6=hM3-o~7J7Z*owRxZM(KFlta;`F^dCzLO^FY_J@Mv(
zd*PmFqS$Il6I2Rr<<H+g-aDt=b1i^1n!|k(3dXb+VH?&Muy}iM;xf2DncE@;H!{H8
zn@x&Hyy8lLSDZrI3|**|>A+eF<l7=|8KAF)sDg@%Q7@b`!40Idk2}gh=Sr_i#?s;8
zLENm?4YLT)DOy#3tSlveCyxXT6*3Ls2(XlMy>ja&o%G>?dTUf3jhA6r03}k0c@)^I
z9n?dTUMBzoI*R4K=+|m8;XSJQMt3sA_&32&4$_x2IvB42O~siU*=S`{TexDrPMwB8
zqe7<Qutx+o!{oL=RmB@3_S;Z`H(03+Pj{z-Al;WA!qTnN7Kz!PBBD=6wI)3Ey@Pb}
z+e{(f{1j`=u=t5X0ViJTp<zrbMFe<m|9K0qAc9|lv2MJ>j1gfcdj^)aD*l|%UTidz
zvcFEh5&l=z``_8I)(AFc%F3YE5~Rp7irLBjqsLbtJz)v;hlvTEf~>4pIJ<1wx0qTM
z|5IeesUrEy+D+61=uG{~#7sP+6TWo$$zcN?jAoj>TwJ|VmC&dlFrFEzYq_4zAo&?G
zYF=87i~=HM0VVSVB9&B#P;(gt1Gp^JTs<BwcO4qba-;qq<50wrfpy4KN3_t=vOh4T
z1;VMg_p#j>bT8ZN7fuc}eA@DY(o%jMTkCr2&frC%vuUllQc}6WR>XK^P*$SklVG`P
zVKUvHX2%)FtJIMIrPUI`+I`85k=E*bAUxbz^*{9_##~xPIvs!G2!hR=t~j6T>ZT7m
zNz4InDg$Nnq(aCFBV=j6BA`-n=y%FhiQXf@T*WZ61<j_%Tb0Ma4Q(o0s4e6yQlUl&
z3?CvT?M@sPGZpwvK0=73x?G=rsHau$74zRn;=iA%YOv6L=SI0Q=;4olP=>B(7d$+)
ziY|@gg-7T~_3+$xx1Djpoi1ELVBgk;BD4<Gj8RQ_wA({w?3H=ro|QyD<yry0sDsy$
zOYsElB=Uc*IZbL`YmQ^Nlq3JwSN}p$#35n2I0aN&fFMzMHLb-1LLNY~dRpo_xV$g$
z#xQs-%CV4f31g>(Vw#kfe_4PSUyt{d+CPK$PFiiKX-NnS{(GM20=xJQLdVn$Nf96V
z^_mL=h8~B*#%Iu_{4WA{kXR0KJJ&nQckW<Z+qsH<MzcM<|0t_vw+M*3CZR6<0ei&%
zkz@b&rZMRotgJ1)!k_5>d}9A|MH3`cb=Mw2iWmXNf8O=~)OYq)&|eoU-0ZFVYkK?F
zT<7oU_w@@G|9}4rem4v1gZ0e+FZ}%Pq<Le6;>w)(6tCB%{I6SI69+S4!QOLR@NCjk
z830LK6;E3Q{tLBMk!?9P+h6a9hY^nK^oRe~1HBLg+1Uj7EggJyb@gg@)j1ocWq8Bu
ze`uQef2)CgE!diEBN-JmJp2#;;c<~&uYbbm?-}NYl%!Lsj)sP|CYs-J8`=Ys$m<)^
z6e^oD0#=bEqFI4JHIMUj?D8}}NwO}FhOU(}bCRq6_r%~gWdJObzm7y#@LL;5)A3+}
z{H5e${!Y^T82UOsSWuT3*#c8D??I&J@IT4cG!NFc`MKeXXzTK>Yq0;7&C1-E0;6DM
zQeDALg9t{8{=L;a>sN?y;+Z`6NchMgg*zINv_3V6F+HOxo#xy-xQ&v#E6B<p`Mm18
ztEIPb8YaQMx}tB-{nJo$A1wl0x05@)hys%3z{z|SqcO&ZL*MvrrMO`CNR2#GX-Tqq
zsMmdpHP?zPK}4v^=m&b-cgGJ;l2F*yudSH|8W6o%9lyqz$G(CjgdSjX1a=~YQSU~+
zy-4^4sAR4}Xu-^B<E`jKbFXHD59W&VW$4kj^K<L8Ril4J#)k3>fUL%3;I=(NHC3M!
zUov@rX=>m;rb^JMDAbytzt3O480d=xDcuX={;j-%;rL?^7?1;z(AB4x5p6MRCW^cQ
z<%>0s!I6v?LIWj(aH$)Krzcmia0?}=%P_-4Z1dab_43esD$N)B)K?!=Mk+rYEd|Z^
zb>KdZk}F;wB+*leaUjVPfz}mI^7YR7sIReUHTZpXVK=DbJI~*)Jzv+(cYXBB%@%}F
zPW-+cC51fg9GDN_yl>T?t&wLH&01G_%eu1(ki<<Jj3(g!mJ(a8$cFyI=Op9jYqel>
z%Y!v0^AK~E%a96irwHxR5HcI+8Li4eNW^r+?3SUk;N+!Kyf*zzI_HWO&QoPo?eAym
zun{&pEgdtb4MwmPt}OLRrMa_~Ifzx^nELMUAGz@;1{x0EZvaixJeB+>^OfZF^ckY@
zwC9d*_z1ivj^t>LgyX2m;E@Mop$4<v=Gwd&5pH*AK`+_Tl>w_3l-mI2J!wmgat4iT
zE~?X3!uxj*9)!Lg;mM)j(p=~2DUmjciOsPR`@?qiDZu<w9zoJJ3?Uz-`s<nUDq<o!
zY0FtT5j@OrVX@81B$AQK0ChXRk@8_uPNTg@#@<TkD<~PM6d^6CSxNb4@pp!=Gjq4v
z^hlVa(sn!v!Oj`x=I~TeuK7HlBnk_HOvNc~;c@Y48WR|BZ`a(CYAD5$t>Rlgho9Wm
zeIwGvb$urTAgqnE!gv+-Dui%8Ei(sggkX;%tPaHubv*5Jm%W~i!0nkpDT@sh=}g@d
zv(7;S5oYHpH(2S*td8b2mZNAk(`>6B?>`fl)rfU%EjPD*Mn9|9G()*+chaz2&RG7*
z{Hau!xPVF@<#;+QzKde4jP%ovMTNJ(51hTy_cFt?iu-7zTGM8+!h2c)hp$h$UeREU
z1^kXYqq3hZyKdt*4g5Od@5gbSPBU*FbNM+oN`YUx2o`#g9WT$vqXP=JHkej^O}y3^
z!+qx-kClz^#epZq_uCW%!Om5>v+4i|%*uBX?N^wS#>;lHN}Dv=?lI}d7R|<<f(sh&
z?4!JsT$@M=rm|7D8Jb@USxtm*<`*M+#J09O6btUm>y!+QAUr!12jX|}wnAuAEy`u}
zQx<$ybE8tCr)M4%g7b;1Tc00Q0(nO7h0|dr^hP!#<_(cB7WmU|SmDM$09Ov9do%4v
zo_ZC8%vC!C=)-`=*whQcR1s*<=uW!uOT-hwb*l~mh5pCXjGK|;0>dM+kUWNKZ;N8^
z;_2g~*S^EnKNTV$egC&M`s1QpEyJ%d5gM3)$Zqj~of(M&(%(+%Pf3Lim+MLcNEHQ_
zRC2Cnlw`kj5%ZS)z{!Tnp%H373MRPqS44?d3K#xVbCpiBUB@x~CKPV*{;Ai{Jf}_n
zqZDO>mJ8SAYKMLiI_>7~&vo&NW$#m^i=s#II3eJ-rX<a)y<r;huETTLii#$KleZK*
zTQq`Ls&%EY6|sXMkD-4|8ol<%gk@9M@W)>TLR`aZl;0VgIDAr`=vf%{x(%}ee?HO)
z8`TmVC1WtyY{*~e$1>j{Y@hAp4V9eF)lD4D^26iQSmkzHYIlMO(rZWS)}s4-2OiDX
z5k*&KnOO_?;y)iU`|Q94^$+eI{mE>yCr9)tl5)PBhmCQ1J)(Y*M?ug;#?XKa42A#l
zIyB^hVPUqrkYzjmU{baU-ro9Cui0@<wi7tN^w)_IX84YZDi7xc4kw@p+K3OKLXQbC
zA_eX4bOG-W;i4}JT}O$Z25PnOlFWxgY`!FxV131Kvju(0`v@%pUnp~+lG#hj0PIw4
zZUE=4?hGl*!xc^BjX(X=3G(N5DEBDyU8$KO|5Dg|ZD+qlEwbY%_?e(13_>%)_zW*8
zvv#QXZSsz?Ji@OPBIgT!Bt30*n#S&1A_pLB>U70Q9jwMpP?tyu4tzRrXsZK?)oq0@
zwFX~sT+c5Nvr0O>TbmkxswD|Q#jMJ&T{FbNcq337GiF*Lw(Af3twVTSV95Oml}*Mi
zivn<AEOqJU9$ZEpc65n4?mHxcNIMsBVXrSD71h3*08Hyz{7ld}0n9-t+Cz@XWJpLX
z^{yJ$scKmeIJyyNVtPPA97+&Q&uauVUv(Yd#$}^%-EW4fNMFk8;UfD0H*V2e$2cg0
zksSr(U&-IP(HbjidBEpEfP^-6e)(2+w1nTz3w2986SMpmr}lupSM4S_{{dEFQNQj%
zhoeBQ33RkbK`58_ds$n)X6p}55Ua+%QH8s~Nmw)B`hz!_pK~0OWMojEx|_We<IyNI
zS_v-$Z$pKCkof2#Y3M>yRFGz7$;ZaI&J=$moXnzi!UcfRrlNdazGo{p5J_&g)6tRB
zC#993-b&JVHOXd(nu-MeFOu`cGGV4Rg~!10?V|jO9%@HcR5eb$z2&28#&8Q<^FSB^
z|4Y7St7&0RnXxCQ(HHn{N>P#O@Q;!@UBTt&DG&*xbG6ls$~?4|f=U8jM`T;veVFSC
zB0wS%<h*u;BW}L)=HWK<lnCp^dv0TyPGkfJ4o=G4;_Bu9Ve5pR-iaIxzK`_n(=vk!
zz+cv^@!_2#zQ0Pwlr-FUL><zlN6=6>>kq$OCbNeX3(evOI_gmnukq|*qyVA9g*&@@
zr`z;1CZYHVtFpL*vN0+K<0!Kver4lDQu;>Y{Qx^_E{=CNgR_>$M#14Ic9|mtl0U{2
z7r^2s%XJTsx<>i9lDz?{>69HVw4&Y}QBDdT#H#L0@Rr-ZvmP>tnA*mZfmy`OAOybr
z6wQ$c&x^#y;<fm`@<<qN3Qcg!XEiMz^=^%#%mXK+UAr>0)C6J`gPx~UffJeZ$NzUw
zm_mG4y}bFp2%f^`6XU<iW}1J>kdfvqEeiWtu&8*4FnHMR5v@%k&D(F<Y-Ktxed?+^
z)oBhlR|sc3t~mT2_d=K}Q8tC}YkiD^-B%~4<`N=)`MgQSXN@ZHzZPJ<anwZzlGL6)
z${7vseBsAYNvd6roujfFK;%~Mg)VuRhdP{*i<nT?9!N5{e88BWO;?~^Nx7Q|<n@~T
z(!$55xdiZ@lOKR1Z@<mcH?la8{AW@gY(BAHC()&j)~No+3&6-wOz{}&hcrD7o2@MF
zr_<g`KC(7Pl(?oUoW*Z6QHdCX#wwl220agwb{(#m3*Fe@*-lA&Rd#2on89runXBiY
ztkZSgc6XJ8k?-m1Q%fb6z8?70?4z%E4y*KB?tGxD57}bL8{SjIJ&0BqV*^2x14K-G
zIPD&Y0n?eGse%(-QO&|nv$cpKrkuN6(aasynkRNj-D+n~?&uS$Rgqc0HVrHWceGTl
z&-*M&t_NVD@*rmp<q3-8tm+Hil6pY!)>;UPjZShH_ZNBp7#>7DW7XQ>8lmDCPgRG;
zc`|^`9@6_!xA71hZJ-6aFLSw`p+WZ?A^QSYF!#3l;`6DfD271_Gb(B|o1ftlbn1Jn
zA!qF^FDd9!-}x6T;myT+{3fn}bxH<)7J_eKE%%mrX{EA(g$2@R2Zuy?rX)Ob;i1nv
z%x_#)&=#=$+wuCPO<tCW0`GfH=6SeAL)EtSX!_zcEJ(!26l^6Lpy`N*@f1puSk69m
z8+${1PAF#45&+R2i;12m2f|%Vf8@YWKB=$f?n#rW!IJ{-c)l;A*(HqHdnQ@r-Ln*I
z<_l>-Du}&~`(&w3<Gs#$-}K$;5XYZM=$72#RtUnNR-UqWonRQ+lh_#A+8^6m*VQuw
z98g-0)@ERBQS$V-9Pp+jWDXY?(n6v`9htq5?t@K)&5qKtg78GLx8}04ua`9vm8x7Y
z@1*|(_wp_n-2^e_aC{KX;79=8b=yo(Ny;g6aG|jSdyI~Jv_iEa8*^Uca!UwIg&vw&
zn_&1Y7@kiw-CAm$#ucz0-;LO8SHahD`*v>%WuTy;;u$b7_K3q4#61pIs`oQ{e+>%)
z^%b$QC^lT3z9U?2Mg$h;N#!h}*7RAULN^u3z92ZTfBFYi-`r9Mr4`5G_bhmaPR9fh
z+3=>v)p+9<c|W4hkrAED@O@8?Iq#z+(~Yp6!-&0;?`w{-N%$rTwcycE7T6O&tJ!Ie
z?g}oMr?PlakZT&0Jp*6<%;G4ILE7%^sh!VUjj7w0Y%JLAE*VzmbI$^s^udN|Jg84`
z9;<<LTqW@_FH5IY1JgY{KOG#z@m)AqaWu2Z`G)GjR?x3bzWqvZkm*db7HyU?>K4kv
z^IoE^6J+#2wm-Hn?<0LOeyW~tb|+64kJkeY<9H)(_oProv%!uRr?3ck1bRHw=>|4y
z#t<-L-jgWW`efcdgp7_6BFbuNxa!Yvlyb)W%G>gj_kmC#@(wufa6H7}b#v?{Mp@r4
z>Ybouf6Qe%krhoFjL^ncM(CZ4v2}F4Yp!d4Ez9uk!h8Jsdt%;PnJSZZWW0Mq4Yp=e
z5ahhoMMBK*TOJ4>$k2?)oBzM|1ULbH;1rzD5w*-;8&7eia&G2xQnGKRC=}7Jj0ci^
zd1~cs&KD^VzWAjvvq{1wV~rOqNT4l^31t8>$V#)14}k{j6;Y5xSIt&ub`i_Qt}sZ5
z83<@|F$!kL*tW<@oyUAFcz*SY<$yFf-rZ7U(E`fpjSem+g*XT(bfQ~-zc|f08(6wR
zIc2YR3MsjW5PD8LS`C}-f$`ROtW|{SeZ$*^_mbo_jCm3G4NEDjzObTF`fBqFWwAa^
zq4Wg;v(kr*-Ri_)(ZGfFtDzi%8Phh0cd9dPH#jrKy>G)xnxYC0q$l-#`Q+Mk;q@Z%
z*NcxwrEmHuDb6%DqAx_M2Y}uj!0H9o%BT~4ms(h_adFP;)ZkR9L))*)D{BbTv(7LQ
zT<$4yClY1}AP!lAE*|YWv-O^exjISQ^s>|Sa9=i%gICH>q=?vrWQ!df`T2**%arjE
zl(V_6Tp8)-8&GyRC3=v6kQ^Fus^U9>^?G>Zq5RZ+Q5Hu~s(&${G^#{01;zc9m;t<R
zu78)5P$Et}rU*W-#z_GJ<g^gEJZnaRd1W#@irHY-L|vF11eKcy0gHH^{@sCcXRE=6
z431Ykv~;P)f&GSk`e~IgOW0b`{V)w4<-zdO0$aP@2DH5{n_P|r=p$?jm1kgt>Twl?
zO{(t>Zgb)pgi$Zmdob=B(>;m%n5$idF(=3wkaxOsOi36R{({IRJaG(X-H`#%2zr(w
z*t5j9(3=x&H%CoKFPK^$Nf>++zPgr6Se6XeO6C?M#1ZtJD_cZj7WQDXSXoQ_JqBE;
z(uVN9H;M9agR+_UA@v70vKQM9co=g|#&j&{^xa&x#_eVqQ;~I!v|y>l88X8WeW!d;
zWETv_V7I74F4@O*`L-s4O{R>z*!a%4H}@e`A->dQvD;iPjTib5(YpI%Or~I2I9{p*
z$XP$#eA#=nnw$HpJOmIU`iUJ2+k9XJMxiP~b&&&%ly`G8{Aod;oN!8Xx`w+{=R(U9
z|Iph2PrD6O5j-f#AEx+XYo7MYk2Ms*@O9!mp-W8ofJVfP+ilOhPT{6PZQA~No^&Zu
z%a7yOrtsAl5!ye-jOS|3Kw_33>Eu|a3E8gWm3zTXAgo(2q4d*aB_FnXs5o0xnLY8>
zpbh;mS@kkb%V6YQ4}dmfy)4Wb-xIfTE1Xd01bv}bM32mq#|wlmc{HA=UlkxKY)aXY
zP>Q>skW-|bayzwHqKgQ6HX+{IQIO>?>#=9-#o~;Y5T8ZX9CW(Erd9g1fIHG2naN7c
z4_aso+<ZX&w>LH)?u=ZQt2q@?;7r)CB}nCLfZah=SNz60l7eY;$77Bv`+9-&ix1KP
z7s;^2nr$<VH-S6KdirA0#5LjnZbA4#ziETi&F*|5vo1SwB#gyxjGYghCU{(aa)MR;
zdDy5muUCM!m(ali!mFM|ak|t!x5Ok4KXy^sp@~)@PdZ$N*)Onu#5C~s%0E-|GhRIu
zKlu+vmu8$?hw#lXV>l?hB_|an-Sxu$>jlLpB^mGa)2|%ZlP<10TU}HcS8EZUPv?}_
zA6u&G$Pfrt@--YZWZO;wFfsz9UX0U4oHT!m>b|2D2Ll2_z>vNW;;N+yCU>0EJ<-Q&
zw`U#p?HzyQ7<|CZ-#^PtfO%!_T;}T;$!ke*T(NrP=#neHzfLAAdt~R>%BoEq(|}-N
zEQj15&n^Y?#A`)QFkB-rFrUmmB^X*oO8G_OWocP{kVn#4e2Ko0@HPWu)ye3u!3qp4
zD$K#5@rV%#^u*9AL3Y7N5pjF#WMw7t#8TDEwAfJ5yJ7?K6{~gl8bh+9fHXeLsyIXP
zjr^W?8QcjbmVD@PB0A)CN2pE$)eU(Na&ua#??)a87V<-N#3i_g%d(Ly{?qk}q(gqA
z%ZEoL;PkARB6%dk)YXlRMD(C2QfNbDFo4p`8uvrYr>jf599w0Ul{$bZ>rB?oix0BP
zhohrRPqKQZhtVUZ;1;3X8+iDzTzt|3Lb%Hg5vfyZc``i{W>(+eC$d%cfGFOC-gqc2
zqs9>77D+a`5<4zQhnObGiuF_-dqTryw;ACZDEld=*yw_VdHPJrSgagiFyleQB!OB+
z*|LYd2c>3O(9@Z4;m>Bo7_G*3K|}4tVNZ%;Pv8Z3p?35VP7Qhe^t+gV5E{)&Msn8m
z`_@CsfY?lvwEXDYcXLff4A|KH9#f~hxUss5U{kNJv*KBPdE-I>-KG?U^F3)192|OQ
zVFz<*5z<Yvx8tzqqSbV^V!qq*IY}bo7Hc`kL9(2*PK@Q`NtJ1nkqbZSKOB|cW2?pH
zD7BrNO~N9=sMwK}6MRX6B_f4bNbe}npQ#f@@%MVge>FLvJPMo3qTLmyN!lJo?ZFmL
z$>dhF1$@n44HglXNw)pVZy!+1go82p$<wY!Oh(e1{>xfnQFd|%oIifxa#VoM@5l{}
zO^Cv)EI<F%9`!}p1oCt$k|lB=Q~rA#se>$@rTSO}>t;c(Re|kU^5byWN>rhd(Psx&
zQ7{g4)Ot^+WH@?o&~&6DY8@9zTN~@%kqVMkU}&>f(R#biP6+<4Q<aUsjtd`WE{ssP
zvWuyO8`mi`9v*;R`t1M_^JU(JST5Hg@U^bVQRFHC;pk>1uKRo#aU+jB&D}t>Ib^Pm
zJ$V91%b%laDwwbLR;6%%+TAQrau?HcQ%|Tdyyd{vIjAbJkrXDl#t1x*dhGF^x+k9~
zV{cvVnrK)iu3Xj8a{#lV`NMS!M6z!8PmvWCyc5&CVxAHc)$JJhTq58tw7!TosvJqZ
zCL#BmjAld)!mLKg(k`Vn_9M>;0!j)cKHVpal(7u}3->QoJJewjN%#jY+#Z|?&&}KQ
zgGLllN}ZX$`#JsDMl-zCVrB1Q_8V?1fONN}TMzK0*kM4@sc|bYM<(F8f+8s-`$Y~u
zuRK|5w}D-Vb6=z+v=(d3jWsenL<`q2H=)yRkRkzQru>}Au$YJV*mj7U)s2Mr`F1~>
z+(Bre^1l6hvF7I^!&{pvJcaK)wCmY<jG07Sh<dmkTq*D*sMw&Ru#lFk-Iw&^cK9dL
zyme6B0lgucWsT2<$==IQ1DYc|NOWO>-%RuMoPB0z-5;;S%NFDwsn02@f(9}hd=xgR
z4DE&h1||`l?5q4dj+eySHLKTCo#MmV%b#IfyW9^^8e>(s1K%9MbbQLl4$FMBV|&$=
zMrv&>-eGfP0XG$aFyQT&v~94_%)WxL?!O-se&V~wdT-*!=Nokf;{wV}1$Qz-fhws}
zdDPFmdCeFuYMR>4bPLSylBe@JRX?Nh^kcUc8o@ca5gtMf!a=n*Y2Q-+Rqv^hZ@ua?
zm;K-t`~tAQQQ~qXyj;xp8HTlreg$(#A1dg9EcZ)=KD@zl$swrr?oi>t_p>u6V2;ar
zl&v-x4?5y%#xL6plaPaOGh_&eOlFr8P;lnClAQFVRXaR`XtFBgE7j^JEJw`6!}tbW
z<^Ppy(a2B~XkEfO8KMjZ;ogfS$$ar)UFA~>{kf~s(UC5A!<X6l{FcyH2D6OL!qT2g
zd54gVtk>-LU7gtZYF$!&32)O2)fSJq6On0tAkx=Onxz*cqS{#-+rm3ekl~U)l<(^Z
z5!F>&0C0tRhc3N2@#_Z@HYkyZEaB*wBoj9c`mp0Z+e94cIK-Z!CK+Jp8uncS7i2mE
z?~S9lL?*J>J3Q5j)5tIu0gBx%12@uRh)85cy*e=@fs;G3iX@VxI_SBJB`$xLBhxeA
z<yAiAWxuo9wU^`0auLtp-!kK;#dL%Bpz?NNBLNKO?y(s;YRMGVRFk;QaXqjb&5P3v
zpCOJ~)`rl4+0n7@w90k&E_k+}GC{jcjrc^+D+O<Wrsuj5^TQ7bAT#KXA6b+$h8j5}
zo-sNq*f)Gi#^Rs*q5q4GFAd<n7DIw3;Fk3U&+ea=(fI_9WjN`WFYW<}RrRxWO)QWC
zrHqR{l`CE^Xiqb?NDcS^$e^tzncrmH%u74nFyovaaDmWzKBk#7gDVI4WEs_X&(dVL
z=!$veqxH?;AUWY9p+xBw%P0DxMIfmD-HRm<5MSXgAV#Mn;Zmw&u#^eneJl!)(W+je
zK1rUev|o4dguUkd*B*#%g3z<UHm6ot?bl(OqQutDG#s6NBli5sTyjR|!H-1NDe_w&
zY?vhe4es{Hc!J2Dt-b*IG_m7cG+ftB^DKZ|FD9!LFhh|eI=Jw3bgK3AWQE_-V1oc|
zQ-^@h6Vz0MKV9d6HA7`I)CijlbSx3nW~&H~G>Z|%RYIh$*&__jf=jkR>N6F=OTI^h
z5iBU?99+6Q=n*%?0o7qE;-Hl=NfMDKMvTiJiAsY2dxj+brMg>H8XF;fNG1ov&f{zz
z9NU>1$c$Qdw89gdQJ0{Q&>M=pS%He9acjLXqTSlyn+319JZlr*_||;$gKyCbQj^&i
z@F`97t7>!>^_opDs+%+1n3xHLT~Zm!xR4c<m3qu^GlqWXJMFV-Y9kE84A&J!X^dme
zXd~@@{^{>)R3nH$-*02wlGP5Y`eb6}HKx;ec+Jk}(YRA?CHA|f$8~=?`jU4$B{vx=
zw;5WZWK3^76OyD4L~$ap9O0~_j;5Fd(Be(L%rmAUKO&Xp&Eo=ikY$+fPpfj=%#ma*
zaWTfy0{EJtD|N_~5VT3jcYnWV-AHm-p|=Ie_jkz2*zZN4$l=TfuBrPa76a@L?Z{Be
zSfXK-WOHvM$E5_VH~xaSpo$=$R`o?Z*V^;&5^g)|Rn$kzm~NHPz(k)c1hEUk9{#<N
z$|sG<Tcw&R6NR+KdnNsNZT`N#QYdoXps1SC8&<N3L4O)5^X~j=ejdib`e5DVzsqet
zQ-B<fYs2O6Lbt~Q3Wxq$1TE&FtrC^pjJFy3n(v})GtB)bi{o6_pMq<wwZ{FHgG>!^
z;NUlG&Alc^+3zL|WKN}ic9NApUIP8-FnV$#@%(6oKTJ)a(h@IIY(@`_A-OdPX4+Ft
z(voM&P?PLFU<iHK5ZYTC0^{>E@rSv@I!sWeTf{RHTnv0{B0XsTJhuSokvi?a1TQDF
zO~XIqlxzpqjs<(lB84nrk-I|=;`NRARb{h2Ub7zmO#gMtdKd{p**_`i60abQ-{cH;
zQPo;iCP;;$2YA}9o1w-7Ko%iAi#_@h$O^1Ciul#7-*F7QIq|)Rv!ySV1D_lwjQYr2
zh1Tr_schn*rkiR!uJOchUWCMv(@Yi8{rOmzX@1{z&pzHfHrQ?c2NAAJ<O{2-<@UR$
z3Xy{ixqwd)EXVS{KFpXZLx-+Ipgu>s9mIcxag@dX3|77TZSrT9=)2XSd@sw5q*1a3
z)7^FPR2zbgGc~*UI;g_3NlL9fJB1>a?lwh|QHqh~Zp_U6ojzjTQfUuNM9be>Gjwhv
zm)zN@lQ^|UQ6WR5yEK$uBu8azAzWep;H^8k`(emnYC~pK=6l7_!ApNT0xFQHSUg%E
zUMK3{@OL<Ps-Ux>4r(Ykl>65ON=ZW@A~-Z3jRJ||_NyRK|K>;y<G1fD&$%6=Qu~4o
zg-*>U{r<YS6wv`U_t1jK!bM2Kp<#`F>W7FbNY9@+>kVT%MSTSlL5=VvsKf>aIMVeY
zCs1T65V2H4Lh;P1CKN;oP~4}Uav8HH@5n|dJ~(Z8q%5ycFa<0Sv0Vl7EH952LF6V8
zH_QIxakMVxOMmI*3An-4!bw%yeTgg}o`Yz}oj{m51dW%uw{b~^$PV(`;)L&V0jmOa
z$Da_lMLseDx_eNORiQEGIysuB)P#D1=#x=2eQYaCKCkya9^dRlWtDk&3clY{gE^Mt
zV{5XULcYmr6Df4QNwTEFgeaXlM3k|F0Q-*2nDz%tpMX8deba!R7^o<p3*otNHsw=>
zr+A^UBaH=(X-a$tXf_m`moqAczLp<?#<welWOeq6O`D2*FGEORmb6j9c-F4@QlhDw
z@&i$TO(a6>XMF(CcOep04+Y-{SO(+e7x+CQO*ti>bEY7*FBW?{nN3;Hub92K`Eaeh
zrQ394Pjh{X+DbM<q4tJ3SQI*Nux{ntY=(#ivX}ZFvpB@vIalK!SUfw(5eF(8+<&Mx
z%T|%lR`xYJY@r`)G=;YlGmm%-$yzw<V(YvIYpfqkDu}z~6ir;5&*EaNljTuvph6pk
zzX+MG9*a`T+H)|W+>2y4KoPnVj)JL%Qw+mf7G7~J$NbZ+Q0fY{)C|RlTyAe4wyy%Y
z9ck0o>DL0S)<M(!5&sZsk*3ToCfZTkK$Hai1Y|t38bD)Cc-rkP)r=}(+*uY+Fh({x
zV+yi=YxyuVUn0zY<|H7C<QA+cNL@k;rHD>K`_KpNd??+7%nNmw?ddl(C_9=v^$?n@
z0Pv4mppv=s-It@VdtTbHuc#mNUzl6cdivY3_D1~8$EKFyFvN@)rxiEHBs>)lYW0fe
z!5e0m4VWnYI<=dAw9O{e;MWUCi{;~<tF9~I6j>!V3a@MK^-dx}j_9}w9%14%{&$Vj
zzBce*vs~0ReuDqQyZNHm<V1j(utV@0d`v5%({7!~ZatC^W%2w&6ZGK015MxMQ4p<~
z<-SIn0hqEZFE59Mhx<#YG-x%+$Kz(X@|;sOXqpF#z2{ICN_e1Lu1_5*xh*w*-hvan
z&90hDDF9%HRfWZIZ2~`5IL`Yq(6p$2G1`o{`1sVtGjuYuVjkqDaCljwfE-!Ol5!}z
zqI3-f_bS!+=Q=D815A${09CgW7rp71UQr9Z`dx9ZS>wz15GK?#e!oRRPRwh|b14s$
z-_e45Xrpo@q^S0YgdxO#Twm84=69qQcF>kyzF56nSj4^@t{U)AXDPx`7WGhuYgFn#
zdDzcr7KCBVWl@pl{Rxx8vQ-}Z8CL~K&b?WHEK_QPFAvGx`CCa0e&tH7jRK}=$SbHU
z4oo)-hcCvl{YTs37+Qj+bv1h(a6U0#ld|SF0GV6N2go1-L0#yyw=I%oV3DZzce;S`
z+(^#t^`f%zE)xvd{TZz}=wLN_A?nI?m+0Y#%gmcLeVr-Y+@A=J`nzB2t>K02$r_4a
z;LsU&bpU77+MD-Wb#qcZMMWsy=TWA()EJ~Ox5PQ$ozj92kHk<|Y=K`<fU(lTCe5<N
z*fAlRRiWf07tMGD1i5{(I@Tv#vhLI-e7<*=*>|8s&Afz*`vqe5A1Sq^$Z@JV%~HNf
zZ~jWcG=q4W(_${hrj$}U2A0H`SM0)inh66&!0C##lkj5;5|)&bnmPSGGGX_)&@QUC
zqhc|*Z!Y=vvu*=J`(tvzLYao!w#}reKx}8ngIyiL3!g`kSbols$O`9)Rgf}C=d3!N
z9wx63Jv3z<d5_R#3ub`ErgQu49&&ODCg3qJo-IjrgAt!b*MXt^o;&CnhWSAvo(5M%
zs{nhFU-We9kl;3{%1zMyAe7|LZE+ud<zWFh${X9+{_(S~5jTVq(uJx$wtW$w<AtE$
z640m{{;h?v?Xmfba6oHXqb{XL6XavtlC9_58F^VU(m~j^fAR1W()-ZFG=bF|X7cQG
zaNm{?^D+A$JYvs?j3fX_JF8g9C2`HqpwF4OsH48us9pKhd0f<_;4ruR5vMbm(vTzF
z;dq8TC`6eFBJE4))LJ@k86O|-z{kvdU3k+uGSb*9`NgVQBm0hw-#@9Cx36S@9qT6{
zu3#2;<kDU+Gc&8>p~rYUylml~`3;%9w^;9m<encRT{XQP%IR<-SPM6LK@R1QhRd-#
zzKwvl=ax=3C92I|?^QbL(juS8#b}l1kMOo0i~I=v4uE|6(_hy8(XjEXva>wZ3L|_Y
z(Nj6}s_<J!;=3zTD)&eF-Sz@btkLTvk^Q8Ds;7Ic|A)P|jIFb0x<&&HQ^U*+Gcz+Y
zGcz+YHJmieoHWcy!<@8XX6A;Ob9Qg+^PKn3k&ZrnKVIq5*4Fm5EqiQ_Ju_>Kq0p~*
z3cfCC*zIlWSVMw>`iwt7>vNY>x0#xcB~fV^B+?`m%M>n(t0j96ZFlI#{}>x9D{07N
zMg;-&3Gp{XKCRT)M}&>D-}ICaNoNrtS!U_<0L-8k+LjNio4Qw(Lf*;qE(7}(G+-aT
z9PFT~LYWmTjOv6umm6XWrXHezFn%Ud$rgFcghp})pDs6~>^l2VrF-74&iA&Ew(;5N
zsPZ)3t2u!|1prh2q1LXt^rBsDgALW%kI>P0ZASd#C@d@lDyP{n$Bo3|{=?)?Pl<{o
zpqxgc;MDaZ)usEs+v8Tf@ksoLZNdQe`#1fH6Nqo;E`%7@KIy8roWW%&c5wGFHh8~q
zcK1xcgp0JrVH^QBE3)35x>vp>`v(V!5p|O<d(LFYr4NzsvS(EH(NL>NAA;3j5k0T(
z-kqKG_ZM;uucw#__i_ij#qh)$y3RxIs`^K=OhMd8fxq=+HH;XaV=iRikwHmz_N}sD
z7GCa(rgS32^Oe+@^DIye9QbhoU!KQ8;=?ii{4quqC)fv}cxaXvvYTW9X~Ub+fx+=8
z@+pj%X#}XCFpF%yK|CKGb&gOP)J{1pG1!m;%oMukRBV|~b9xtL>)7uZqXqnzYo|L)
zmR|tjc|4mZ5?#+5vAX>Vdb!C)t8B8rJmBiA?YviT`RKgkUbpD+?B;S^?$sz@<du1a
zdwwItpRgTVl$!&qcB?b}LvsO@Wa0fuSa5krcz9VTyQA<309_dH4hM|Np^V31i6YHV
zL8QfD0G6QTD!{J|9Y|y-&lSU=GJZ6lg}Tf?-dq0g5Ol9!ni5#RSKVFfl%nrMF<Cqj
z<o;IMgW{W(3Aj?MZzb7q^k8G_p-7vNO^Kk)#I5~d6;c@d(0~|U*ofC1e-PTG;q>}r
zHZ}{SucI6;1RLF8YVF3hv1vBIP5->Pvs+%u^~D%#m@!d{ty&uyFp>bl8yxFZYO=uM
z^Ws!@y>Y%hPWTbg&{Ss93qwi?ce<^6K(x7@_NFozeKk&SGK+axKTjem^^I&kdo{R%
zJeL5ufw2}JQWlnfP${`*&_D&JRQ?j;lhMWZNLxCZnFsB%MqZvdd)+rOF0ZzoxFzag
zciRZ$Sd4{>8v=wcR@nRvt|}IwK@2pDh1G>WL_O8T{TMCc2Ilia_Q4k+PHjMESIP3H
zFQA~L48(tAyh@*6Ek!d>1($;Fd_L!+cNuVHw%R}-#s?r@X?LzC$Ou|YrI;(Rqeq2)
zUi2eR04c~^Ov6kNwu;j4dtW2Y<I;%Uk6WNblS6FyKDbHi)q;+3-V6<gffEmBMNbUL
z@SC5ink$k)YlJOqm6hZKb&7hm-@K3qQ&nviFz6BFYC<Rc9E@v%j+C}#R`UkHaRa=9
z{1>&DEoULYgMiPw-gzx&O9?yr@0-=sukKdtj3%;q9-=^~A%P=5=B`>JZM+h7(c76Q
zWn(MVCr&i=_V!NuG1={J$ZTK@tjBrl>_=g<*-}`gJ|t{S{Du;4QG=X}wes|iaP`3(
z%%J0=eYCZlVh85(T@Q{lo0ufe&>xRVYdJ}Yf_i^MHv|oSFWC>DU%DL5K(2W^+&RP%
z<3p9$oT}O&cE2uCNZ3e2i?)(-(Pk$;HjffvG9#Q>{E)crhr9*Oq1h}gI=F6=T5CuX
zdSebwC~6!JC9wG`ZonhQ|3Hh$?OyYVz+)$x?c%=c9T%6=ITr}r^@xcBX<)I|s0ad*
z?aIk<BIsKr_%KLfn|WPJ`EQ*lg$53j3hF<0Au)&u@{T7DW-><>*+c3@kwkZNL`+K!
zlz*=i*Kbr@CJ=wajma7lOgYZ8Z<#g6&{IQ7c0bNFSL1cb9H9!n-PUNo8=CqOmR<P$
zWSHF^X}*Q}^T~dG&E+S0g9r(g;^=Eez>b8D{4p>t02D%U*<VnfD6`FW?Hg(s0)8^H
zRDOQ`_q5~H0ih1MZveRFvthbN+&}H?eiidyjZt#9($P0xnv`%<7#9}ZFCI29R#i<7
z;*AhDWQ>bMmduAAgZpW(5dPDDxp6Yj%53;Vm6A{_Om+?NBOU~g26(NAEJus?FXiIH
z&krdB4vPVlB@4m$li%990>Itf^4F-}J<|jNfX3SZ0N)?KA?7F%3DU$#Mw}Q2`5<A~
zPWtwU(DUK4b3#fGY<f^jaOa2uw@52d;wdW&gl#^pP5`A80qH!$3Wo#kGzwt@Ps%+|
z`n7?gf9Sv0yFXh4q?hp;(aR4n?AwTN+n7yU&H1(H|Ltstc(()y!dCbsTdTJ0^wUM=
zPmWZgHRID>sp@x_XL#J9`Nr$Z;|)F$>qJ`dN_^40V4Yp#i$RwgEM}muFkB3tH#q>0
zhpq9+QZ#<o8wQM;9q}ouqTbdY7{C@eC`jN4$)bc&r?1<ax4Z)`V(=L((r3dKTe81_
zxHs95az7>)htoeiirVELasc<BOhq&Z3V*halg*>q=;`8pgPw@il~p*%ES+hmdwV%{
zf>a*aBG4l%9;QF^`ALw7Er;u?h|3Voxp^(e*Zpk7JCvjMNId(A*ntYp{jITScOqEY
zu~7RZ?2n_0A5tlKLnj}_YDYox9LA0J;}E>txq8dNJtnY05YNsUdYm#3IP1_@*e+6P
zKYB{sm0}Bde}6xJ!PKhRjeE<V!n0>X{3u7k#KeS%hUThd5W-{RBo&Wo42}9l&`}`)
z2c=SgomPR8`|}`?cRnEVBA5so`-q=}ygb1dM)cqywXHs3VYikvPU`{FU3AS)VdR=w
z_|BRvk5UE>5h+|<Our!RzA(UuSZcv2<3D}`U4--=J^f8NnVgiTFjP?KgSKkalou}8
z0c1#|s|_8w<+w&Al_vplwPK(Kz~{hK6h`f`h63=QOiw<IDwG`#mCgw+0AR&8lM!*i
zs0nk1$shP68>^;&qB+Hv&_*X$MG{1>?+O|S<b_M|Gc3WO;@ku8=Yu>=!IYL|suBx|
zI{t~)4tNgohqYwk`Ize$>75f(HhW_iKEXj46<^)}2|JC5wuLeeEJl%=Q7t4eZXiQi
zsjSGIs&61cA^i3i<G_s~z{<_W?TEi+MS9bXc+=JJ=dp--yCbOM=g&nY_6l>yn|X)`
zgp=NA$fR__jp+`H^*-2jj?lSKutLqgK~oGx*|U2u6-=pIX7KRY><E!#;L*GvPrcyz
z4`ziWl9nu}y00Gj4E6?fP_pAs2yTH7IZgm~KF0_N+-Z!aGr+aMXXTZIIL?|cf(V7(
z2nBb+?`K9n9F;6BHoimR*go}?Gvr%%n!z4sgQI1<*p`Q2oBmodtEwPLWr2F<+9n4g
zW>j2$9ZpGEU6r8wgMV`>Rt0~tKtkwSzdk4O-$lGWIDD5YUC6_Kny(Jc&y>dLQYW`?
zT67v?cQHo4!{Lj>^YP5niql1^l76zpi3+gG^{AvL*B6V|32<HWBxdH1tfWHMUyfB$
z=#r)BpHBQnGSfA1gZey~r^YuM4JA4s;uH?a+6~A#P<WZMr5}S9gzx@=^Vvi?gA*J1
zgt7f;R^D2d1KY|qr>7<lfnZTCz==$bziKYNj^+1|*5AhL0|`jG+Y^bPcNWwO2(VWz
z7;6T$LHv~YmoLJh4E#S67(Hmyj45Zntq|OtFDr6psB__%t$QM9i5nGaR90QUlt+~0
z_%t;n$tS@*4|+#h*MTCW0HBfcujcb6^mw?lMa;1e0N|qK36~>kpROnFQN-mmAe)s)
zR8BLD+O=n&rZOZ++I#=p*U059U~yU5_^XTGBiR2m(*z*oM-$P^AgI+ie&Na|al4Fg
zk&W2CyE&Grd>5()yA|j+&e*NUC_&1>*>IXlA!L-G^gL4IJ)Jlrh?YplTGug29ClAE
z)eKNoDPA0C78GbqYcP-9h5i7|Tb_NcqNK^N%wF%s;c@RhIpkX3>_G37VfnZWD6?8P
z4O8rNm&1t4=dPZvw>zw3Hp?i$wIF#CeVVzJ9KWfwe{v+yeFR|t>43I>NN=V<4zs*r
z+&x^IFFW$FR_jHQFp(MT3}(3>6`AFd9R=Gr9OQ@dnnZj;+l~|D>a`i{2V@V~-|;w{
z%p=||5Q_KP`Y@iQL1TiL2OjJ#w2!=&+klsr@lu2_StvmXa{D!ba&Py$a8N2gkF+n`
z<w4ggYFo2i&$5dZ!&#SB{JI%A-pNXQKK_^aUi`l&?B6o|<;Oq*h_&nkbdDj23R$l3
zDfq}VmCw26%g>qfn&%sp29|jF;9m3`J{Lss8}qb9iTd4}Jse@>*ifc(B6u9Gpe7zs
zBX_yjk<q*{4&~ralqeAjMJ483pVT>Ac0Wv#7i%}eVto$ZsUvC;C7M1KOKRKanZyc=
zTdu-ZoZ&J&>yNE5pHaOzUIrGB#Qt0%ivj0pr|N6=?@sj(4+kI6&dY!v{Iu?B!Z?qY
zkE%AyA)XWzkWA+G7sC$n71$pzg%?HnB^VQBeiRda4kmLcc&W8MbIu$~DR8qy`m$Rs
zT%x);9DvKdN&pLX5Nmih+FGO3kDW3DFJsTrAo(@g<A*6hKR;s%mI1rdHb(Dpqj1oZ
zOdLiR2A?krxCrP|fvYh+;{@JNh#~5e^Len(?#*q*T5usal)YBf=58z11=FB{7vl@J
z6}PE1cNkyi8#*Jx)jLbyKI1?8?%%x$@Jj#1yE;1B>sf;bacspNg17E#TH}&n-wsU-
zymQ5R_?WO0q~N{JZ7j)y#ZnQJgFf2r2n}-*XF-1wQ8Kb+Ma~iKVkH00o62cN(h2Y~
zrY)MsC(Hv6f`;X(QkFhbLKAXB)9x8p=yAhjC`&G8LBoEXM}hYFgopdeZ7P%Xxv0L_
zAgP7)C5!ndK?t#{I!ul0Bd4`?5osa;g!3-f-jo68ury@Na+bZK-pS4QUwo<mm_St|
z1mz5e9(o7R3;UZ)(wp!ko1|R?OzS?t5_3kw43=}OZ?<euti#HrTwK@;3=EUz%v}~=
zXv1(#r5FI$i_U8D9kSqsReO}&ZJxe+2SB{vAbb+VP%x(r{Y<p*a3ucRPo_a*s$Str
zSstcaPIQWd6{}4M#oNC08T!h=tu<FMlG~DT?o!vGfW8Yz7AsM)C`7k}qQkTRk{7K!
zsh<%VBT7_aMdV9edZfHQz?Q=KByxK>-+%tsMs9{=AIHzl#Dr{MU~q%0_k_@$wWM)|
z`sXoe)e&U7Z9}r_=k?XqM@&qQA3wWND48?HTAYuN1ci=(SuD=fZZ~8qRU@OKqW<29
zI~o|>sk^X&TNOn>pkm{8mt`ThqF^K&(E@J1Qd>BCnme1Q?V@Ou7+x{yPB@DKB1d}*
zvzoY22HupkWy%HjLGBK}@uL2jE8n5w+`wc3t$wM7Y>{X#@D9#=SCP{G9lQMZxU5Qo
zR2Vo?SvcxQ=YjwWxx+<yTQVE=f>LR33H^;`P$AxAA*=jq=`g3cwfdJV$dEp6y!I9W
zm8?hsf)mXtY|XAYi1NoT@u^?DbE4D3{yL~Or~5zTQJ>V%>2<;qvj2J512_fHfvan@
zD{0SRF5mL)pT&Lv*jy8tS^(z9-|CP*36gxcImuqvtbVBwozJ8KiFbVT4{}>M6r@3f
zVp*_c(bHHD<(cKjE}?^86g>U|(%&d}@+u(PLv{CJ^^=SSGKpW2c3*x~9nhBOul7S8
zaw4ROuw+H-SHojjntx}Z=*jTE=-<7mn;MK%4-SL<QKK6!@Z~F=E|JH^`8R>pB3#pe
z5gks4Rhz%XBfa@Xy!l-4_=e3BoBCJCz5A4;`-%IPSO)(+vH#9STm}2ZGDVk0a*O}#
zFMp5TUvIT^{CdI5!^!F&q5Q`i-8%e$_Ph0bazOvB-@h|8{~4M8vrPbM#zw2hgimS1
zfo+}vu3rj-F8Q&y1^SP)a*uy85?xHS1ApsybC!PrJO0l5H9YUT1KtTQV`4i~+vS!Y
zpGfkO>&o*@m*wPX!_Mesz5P?vwci}t!rz9_rspp)@i2O4|5lqD5^yujW2;)N$AEXm
zvTs9!nQRG|TD2}kwa2z=ZfPl`Ye_k?-X8ucz^Sg^$VJt9LNt~{w1~4;%>m%Cl}U?4
zqm>W9M$Y-l@VJ%_6aXu2eV$CNRi{F~(&lM~(38uAi(CUsu@j;_Z?UD8a9FM&&wug(
zqg_XG#l9U<)Xrnuj$?K=hgC5!Xhu`hO!;AuvRqvXrz}z6{rS&Up6P>p=W4NAW%)-c
zzh);Ah%MuY!clZ7dSPF0n$jfw)<ih`BtL1Q04bdpxa-*@{AhO92MsW^Qf5)-!*v9k
z^x1$4kdYaPCWG|^l@?87LWKY%nVGgcGf!w?nG`wv-qEFN`#VRxT}c|wd;HH0yPAu&
zrch{=OTmT-!XJW#xAGL^2o!CGdUJ{me|GNJkEn>-&O!OKH3WRuiQ2n1GnzT;vzOnP
z3)P3kxgs!Zd`#suq8&FqP;6uDpEVEPLV)*IIKmWCn0N4Ib0Dpw)1p6{iT$WqfQfgS
z6XOKYY%u>~(xPY{p!hRZmggx?#Zj=;p>@sGTC)?Vob5bhZZA;Mgugi;XsX4Nyx4~i
z)3E@rBnD3;U?5<5q>`afPwk;>m%Y^vW}i+c8i&z_=)3uRC&agA8=~4_&a{9uzOlYX
zDlqv{=R;0=c1<$Xq4}iiTH{mKvaFV16j;nvYynOZ*J?e<gXUiAdL>^PO*d?RSqc}b
z$%DUCTMPCtHneRj$r<r)wyyZ$W<uGd%cPL{?b=W(w-uDGXN6r^H$Safuj3>8pzkG%
zAXcG~`h;-iG9Y<`9}C*I6g?ry)9@=;iRVwnszl2RF+;7O*z{)m#<Nn=!T@60n>Pcz
zNHOOjUk%e|aW4{5<_~19Rs9Qm<02V&uTuo$!Bnki9}bPxZ)ZMHuQ(tIg~0{nZ*mt)
zKO%;1LNc@Jc4wMsG3f7#3oCX4?#1Zl<Bv9}H{DhbfJflF0IFzR8m3g{-yyzGcm&HA
zI91P_m=IjKxr2m?6)@OW@Mg8;CQ9JcH?Ia~ueBm3_2EE!QqvXNNjE6k`Of7Bq_j^h
zHbh9QK&Kt1R5DI5xrxC3*};9m6eSgj-kaaA<!WN<8Q)CMgnldUj0UI#xfV*|P@M|C
z<o+ef<5S$%oJGjmuRk7+uN`W{n7jQ0bmHZx^M$0@JAE)o$8|$&gTe@D`9qiZqz7Xu
ziAC=!Vkwjk@&!@|#Ve6RuS;YJ*}LVJ`TjBY(1FoXS9PujI{x7G|8eL%GXkMqUbK>7
zaMxGYYv*wVpJ%iBTnwC@;{-kZg}u&~3K})u{W0DEa%y<8#uqn};}UD$ZY7$uu}uOC
zS=W0GtC8QmQg9bNHSenu#By|)K51n7Xy1xMlY9)io-b^pPy@-5PAaz<Q!iFyU(jn?
z60}8TvbObl0|H$7J%99}{cvVLDQZ2m7d*a@VkAMGBZa7`Dty9>qC%Ge@z+RaNo7iu
z1Pg@#nV8}+apWRt4pB>~Q}n3ix%?W-E>sz%^n^}`8k;Rfb!G;POF$gA%v}4{a_7bY
zYvHa#ylSbefse5W+A$3#Eu{{SB`T)s7E97a^SW-6)Fu({H8j^_=h&GRYN;gFU@RFI
zW4aRTD_OIk@F~bHdO9I7T6*P>{0R^(-bQF7E1a(H3BxR;qLfSg4cNxSGKf&4Fmo9)
zLaTOY;kU~Nk9*$5Z_NIhghH;WXwGHPlby1!35+j)?G0|kza$@BKj`y^0sE)qwLn}m
zKpmo23Z$GEJJJ|2^AH;R6IhRWcLxPy^cs5@AV1{=l9hc#L=Gv~wd!MQmDn*{TD4Gb
zb)a*8BR!mxT^v>m4`h9B0&qv*;=|#uprwQ*ASzg~w~_OuLXfvBB8hHVRvB^DT7h@&
z>_{CT_ZmjzXY|BC!cE=1A5=zl>L9U`$BBU@IYVI&BW!)}{MT5pX9oQ~Yxt5npL1cH
zYBH0PjXFSXQ0>+a$O^)szG||dFXh5Sgmk%SGqOZeA(f2qeKw!rTJ{h3bbqSdN@a1Q
zc&qirJSHgu@N|Ibr&@yPMM|h<?n==xfjtH_*egWTS^PLvZPyWe{Gm9DKwZBoKnhkE
zSM8cb2`cBRsS}CXkohstqG)pm(+y>z^+bjT;Tpu>8Ze6(0&v$1M)Te;Kk<KlRAa*w
z3WXQ-HuonV{yS{|<1d5%2WeE>-y0XeOK|=nIGjIXJqWM6)9o#~tUhwMwM<M#s6eUD
z^%iGz*Qh^-^+j;ffrJU>dug!aq~pZdKqhJi{pO|GWSImFimBP=*gctehF?giwAZMb
zebF#*N7sExK8|D&h}pOvg<7n3m4D&~8X8W7-c4DVQf`a5I5|{1%gp&K?{w$xfUNh4
zb)9Z8hXy~O_q9FhGs3f;ptd$-91!5oT2dW$TE|cGrBlg7V3H1QWGz}q+JcY@+u51#
zIct%~hZ%2Wal9)CGLFq$T-RA^9T{e3rg8>Hbu8?g`vF^P=AE%nOjCXrpg7BoU_aGp
z!rUeyAf3r!CNV-HbV)?zueJ?s^ZYq^fJ2zyE0P}4;V~)7;uPp&>pGyyB^9bY%-Yx5
zdCs&u!}U^VhvtLuQWwh+qnHuP(@DK)G!iVlh{r+_5V0d@whrhmpR5k2`w^BR6x{vJ
z><l$VQH<krLZd)HS81fa^~OQn-Z)e*;5ik;<yosz*W10KxktaPbs>i&Nu?O>p^>$7
zxY&pI%S+%rkipad!PIo~Y31&If1em9IfwyM_y6bdbi(MzLj?)>-h*8bb}Kl&)<&Lt
zN$i=0*qFf@R7VeA&UPwb>4_zKz7guwTsM`kFo1_ce_RF{hR6v`WL!9CFq0lVOewD<
z2gPFv#uC6{ZaB}9@i8YeG((NZo{kqr2AgfLqyD+}+4#e>VuHibiw6n?%~ZYx0sL9v
zh)#hm5it!Ix-9<CSSo~gL`-jwky%`F76Li~oBB*}X|Hd!E_YD4)s#GT(#3^yUUzVD
zgEWasMO_2GtSJtWT|WUa4@6@Ia}f18o~qq?7&GNUM2D9BmMmUUxo(KRgs&$KJT6DX
z?yNO?OH0q7rhpuDzJn+d^aBQrgZ_f)YJ?Ym&ljadslC#Te8N!+={WtoIjEkZ=fxIR
zWJhS0{1C5GQ~HHsqp{^Nad&>S6k>Zm26UQqCH~z}-xGG>J*kQA=wT;zOa~Ybj*-Q-
z_qdj-XdfE(rDgf}vJ6-{>TVFgBUi*fViQ!tc%5m1rVsqr^Uw?_UfLGYQ2?quAeV^v
zU8h>c?k0azNEnAFUL-%vq>?k0kwiK3qw84_@hqZX;9DN@VHs^FYN|CicAnabD0_=9
zRLrD2>V!W5bD0tRF&#)qC3>+eZfw#|z@e!boji_UAdW$4vet+%N_uSIO@_)Gn*wFN
z%Dq#;$<uPwefOuT;m(!FER2X~pUN&|)+Pdk242kBYLpL`iQz>LODWtpd4Hm-Zpsr*
z7Z_;CK7D4P^MC?#-?+MU5<yWOtR{i$Wd-%FLkM<v=0U6KsJ__|;#$iYU2hlOOgt9q
z0soo^^Of#4!PXm*C3b;Wo%MRF42;ZLCpbazlH^%pVNj+b)QT}?^}Fll8*&r4_Vk<n
zkH@EmR15iH<=+;YO$mD~d{OP*m(8_T(y3wPIUfv{XC2gA4Inz-_bbd9yjPtYh$9&^
zz#4K~P}<}B_<NF*UwbE+C$SL85Vkf0cxDUwft<YD(hHkl?rF>9rCuO@tpaWy5Ty65
z37A(-4}*XbS^gI6hPN5?$;Am|EZp0v%0VJ$%=sCehS^zVcTZ2jGG$dGE8V2OmdYC*
za2`ZB;GQhD;}Ax{91Bj+QS)Kx5yRYUVi6H6aSEVZ#pE2n0%N$XlK9Y!NgRUN=ic5x
z5H!PcR11q`@GNjJOB%Sy_?}E&GO4>VTIyU5@k53lXjGJ|Iv=$CgQ-aZD4y@?P(}2Y
zkTjl^;31YQw-<3e)6=W7*ulI(bIc{5L-E?E)Y62CJ{G%F8ZsP~9Ym#nFY-?a9fXXG
zE9oWLa_E4jRGV9YGNGfU%(o9g0fcL|c|#=h_#O{oZqjeCG{MwoCUJ->DrtV4&Wc|b
zPTJ!}U}{Xd1xliMR$_%PyG3DYlqwr5v=@CVjSD3A946<JbVSo-Q^ZA`{@Ke+ji#!K
zGECWw{r0CwHs#RC$;tU09T_vTvMhKhx11_H(G39^WULmdL?9p_x<+}V-)@e#aet|w
zKcDVI#JKb%F!Jw;Uz8z}A*-dz7Q#bR=72-4R?=oBQ>H^e$o9GvB`M?$MBXXsB%NTC
zT{3!B>#POm5^RFILs4JLYbMdvNWdh6{bF^<>5UB(X#E=M;>e`RC681jg~{7Y_Ud5R
zBuml5WA<GY$Y~DsilR$*(PC@q6RFB@5NwPo#fl0)DT|@0s4HtmzZ?It8r`8kxWgxw
z<R-93{<&cP{Pff2FIMg$>qcNj^RB*#rMgP~_4~y+@}^w0pI(+zgvLKgbW@K+-_$m;
zY=TGc)OP8e@)IrfpE_3vWVLUX5Xm>-A9V|+o?8s1>;~&4L&cX8_Q%h;Part-Wu2II
zJ-@WYe?RhlVC?#eeN?HDL;tTbz}xaZ!0@Tc8&S>wXqMl<ly3d1dJA=Q!02zq^B={X
zKoHVj?FO~}9ie}Q3J7M_9#Hk{1@!)Q?Qg&S^Qy9*KPc%O+YZfdo5{c3v}^%XZRrl?
zbooCPf2HdNPCU-IMEmdV{viMsZ9vs5?SZZC|6}nS`li3c?U*~vzv}egUIk#$0;<N+
z?a}7`AB&G+?7It}OxwZ!o|C`#jUVn;)o|7Nw0Qqx@$Ij%@L^gH{I{e3b}u*dSJk0v
z^ysnwWAXnE^M8%z|Ifqx<5+V4?_2=C&-Q@-9rAw`?Vn%%cV+*VKx+8^uV2|--@pLQ
z{<!3H_(s)tXY^f#R<`5#th9j96KxFq#_^38PfJB2L&NR3w4`^ogWavQ0~0eM9wuzh
zzP@vw2sOzWKf@#=ep^>?Mn)%ncS8%_hy+Kh|5%V0H2{^3$GWAap1TZE%QkLwP!%LT
zK~qs<<7r6kYPS)g<$$^UvzDxn!F5yLyX#Il<QDICsEH&e*C_>$9mnHbq5S2v+H9RC
zpsYaXVs9eDm+vr-uJ;Aq)L=I1J}%D4pO6nTQ4oUoWZ*u&=+&$-H~Jel^~(i^^U)$+
zG&W0b_lQ%R=7TX2vK#!F@L_kJdduzfd%@dm>id)U4c0qn!ZjTI@zv#P{S5tntK0>_
z`8}w07{K4OnO9)H>8L&DL65dI^bRX_Znj={lP%o}7n0^q><sxNL-ZriPt`{)y1TmW
zH*Not0np}Gc2z#K&&bH^Ek|a-p}b)k4jQP_QM|SI$YHU)#WM>73-vPz4tKj2t1a>B
z1|4Fr@j`ApM%#vQ)l<BdNnNkEftkjcd|pTkcB1dT-5)epTW|uHO7i2>$eE9C!=qz`
z3>7JF-fQlzUn9LP9}%STu51EZH^v7>YjkT=c+#XymxDfJayVc$+wnd4&E^1Omfbt>
z@xpNieW15=pxFi)&x{c?m^z1GPuMx%nq8_FAE7PfL_m_{D`NK{E_(ljcC7Hlmks_N
zSt;-Fm6|t#=f4Lv49wWiU1~iJaPUy(w=DLb9fd`Ds(v9#6gMy>4N<nVG-o^Hfn0%S
z3rvjldz`x<AVdrC1jE6x&W%g!F{kIZu$5g&6EGzWYL$d{(Pd3gWYRy~1QFBv0lfm_
zXI#w7Z)(eHjccXiu2-%q1i_R_WkNnYChA&+btfw;Pw}1YEm|HOP2j7%fUT*p_K6Qh
zA+)<!YfAF4{$yUMI1CJo)A3lYC^Q@@V|`tSS0Au?{VDm0c8C6?rF`j>KpA6+cZ$X#
zizUib4N*}m*!r6biK#^)<X4g~!WDuijFD1n8_Fnwp#BzN6ba*ti<{s&Z`GsI{C3z+
zMaF%-^YE-+@S#d?X_5qrlp#?XJP@~$5((ldwvLWsBr}MqNH8@#u+*2AdeTPAH4Uo=
z2#FV9K}C5Z%M!hm)k*k>Q7O_|<<%E^`^IWdc)m9G<`a?AP@Ct77M2w9ld1F$j8q9e
zrXyfR>-3x|{Gj7sRh6@~%tA!lmqgh+kmo58GTDJ_ro6f%*uuNIaeQ#+h!_g7_wF$d
z7PgH<P_69y;YredN<uzN=dVm#;+dSXKT*1%g!?r@GNz}%jHu<6{^0|7awpvjQL$ZI
z--4339^rhf1sJi7mT*ymV38tPN>~iG=NLaQYLX<FgaZkdvk3DS>gdn}%*~Ty0S|hr
zwJ^*qGQn)BS+}FM8yGN^1f+!ABE}^y&c0<ql1?i|#<+OsrQMw5Bp5Puw?)mgbvmiQ
zK*rsa#OlzjAmkI9(I4xSZ!~N)U=|!6H8o8k^@+rVdyI*91QAU%fkBbjCzM5%RHH(U
zj#yF9FfA?Y0u<HW#ykyF|8d;iq(IxW^OAGebC`d(08t#?Ee7|J0Ne*^)U@jOIt$!>
zabiuq=qT#VLVU@po6QQp_RUrBT-RsHuA3hgn-v38Oj_tBNPC#vorsxM?e&V~>HZ`J
zjYczHYvL`n&7QB+hlciBpfvT{iHGygStyxwR*{sm*NeS-uF{2oizZ+xzRW-ix~`zc
za`XbbSX%Q14{F+>{Zv-kx328a!O>J^c)G4POx|=Bu(1p_p^T=}kDSjstI~8x3*Wr$
zVM1^5qZ%_74CWsY&6mE>@UFPSFHM!u9~2!un9T7C=Pbn%@_22{oG&C5RZsM_)sq@b
z4llJNJ^;b+dZSNt-QyxTl^*Hfh*N4|inlo6%=Cs9*hKD|FW13=$3pgv3}+OplrnUf
z40zw1E`jk3m#a;zV{lqyJl!Dlpu;pp{M6>_#54-K7l_;+o2rx1ih_Mc$hR$uJm2FB
zAHbfN;E#>LooujxaXwi_-6{6<FO-&fqz0rt!@oRkFN#yrw>%GQo+^@(!|6;G#x;bl
zb?xz+%4o8ZoVQtV8*sAoiCLs>Z1IuR{xld8(@hr1x;b-Dl5bP4>b{kAUWzX>Kyo!H
zJL-D}_VR6o`IFhi6Bq`!J5gsg7y7H03-LSJ;cNi{@3SwDWO22E86cg3<H>3sT>6v)
zz5BEiyK{3Kh&D=b0a}+rO7!`<Co-K6H~yuBgS)}BJ#5Y$nj-Y~yH2ZHZs+qge5$_c
z?fw8b_q!1E+WT!D2B+g2VQ*F=B2E|cXwxw*!;eLNEuVa#$uU?o+`U%KrG1{McG1Z!
zl+Cu*%m(#`Z`>@xqsx8_&zm?+Rr~2VThCxsYBh>(5EfjlOhvv6ofB``?$Sy_!3lUR
zH<?Ir&U@YT4)IkXHLuk^iNWHrVn%j8g8Ohai_MtQOcuP$Q$x{V&!f~@Aqzg=iyg?~
zmcmv}Ro?TDzIsSqwi0}pW~@C~xt}VxGHWoOhXnvYyJy`xL--5FWqX^?r3DV|P6w__
zwI&1}j#7jK$z@@;Px7zH3ib3FicdA0EMj$ELk-66#HV83e>dplnZPKU_AN~@Ta~FV
z(4kPa7~vvX?6;7{vpd3J(1{(6?sN{x4;AWAc*J``cE}vK1R&KhE`O#}8}xkR!FWG5
zQ*XWTa^Ef9UW`~dWT1vUgIArLvCbB(_6OB+%@gTTc(_?p^KU4B*qv#1pb$+(9|(7G
z+USqOrwwyEFi?N`0n%_c(g$HT)-AU}H~Eaj9o`iRz+P>(rmP1{vtbw{3T>WQD<qK2
z$aR1(*lG7%g}e_0a9KQ@l(%B6Qb4XGj}ElyrDDB^Pyn(<J+T9D6)}kntr(bCp}I1G
z@^M-I*Cle>%eS8%SZw`QE4UtPc050!HGfT{#UJ=~nvq-I6f8%>)t|{1Ru3RU5{zmn
zo{e{2w6RiQO^juRSBe?ZU$0eP_K8&!yiE&8XFq~(I|9;nEl0k$-*Gm?+}2p0TDC7%
z6Vu{xfCP!yz#eblX)u^E?4)V1<5+cjIUVfmq=;=!zj>s-<;2EG8Ts}$SN7k-_zKnM
zC0_oR#%CZbME)|bxu~9U+xwB<(&Hgd=9M!}z9C;?C>s(R`7;ok)`|8TgK6gzo^vC}
z<(eFyq4@pN!(K)#{d08dtWfwi#W#@E7EeUIE)Gz>v(9ip%GX@K1=rHmq-uZC1RkfC
z5BZ5Q$Row_u_-%4O<O<gI)(bq`Y!gwob**v{pompA;hXl<YS`LpZkU$%r7NpEf=9S
zd>-}K_xcI0Ou@lsKO@3<u5$U|9T3^^+aAO$&juZI7bmehKX$4QiQ2HTzSg0zo$cq_
z5c?hXAO|6v$r8(Cx($WTUGw&fNvZbGw3MfI8r|s#uZ<UGD-9ee)ll9|lW2D#TR{^+
zmSHu7N4Err|8!F*WUC|_Q4%7&?aQ3#8W6MV@(+%LxVZFkiWj`@f(*zKqYWkE#9tpu
z4`N7VIZzsXHl@{kR;nf`DsWHzL`Jr~xK;UZ*yeGF$%>pao)&PD%9MKjBAppKfs)vm
zPpISpPEy=)g@!izD$e|L6V&Vw8e`F8{~CL~HPHMH)1k%V{j$e~G1m;LO@m`VJ7skF
zOt)QW*PK6+E1~|)9M5t^(f+j2LfwZO{3%nto$WwpbwP8p9xU>5?wPJ<MgatZu1yRr
zY~x>V05F>S6BwmmtlyJVKZ$-omq>Tix7(7f#v|gR2ojS-htv_{xXHNqgyF(qPvzk<
z^v~>3f#Bb@dAuQFqT38!3gufyK0#*iU~%QVBSm9F^dy9iVpymLs+J6WQR^Bsql05e
zqJBox&1!?YWIo9aX+x7@!$rZK%IV^RaIw@-BvuMZG$Y+yyaP?;Ddo6TRFFr2V1o6%
zL>~3>K~h#}(jYO+rfv_qJl)<iKeh?0CB(IV7p24Daz=`<Bu0Uzgt5V1ETvMd)CdGZ
zS2DU>ry$;CUJV0B5->Q8ybSW%p2J7j5f+9OZ9wR+4SJ5tw2D|N$O+&WASpC;BqyN5
z?Nm_IaisL?&*NctWd$az_6|}rjV@un9hU2gRO8i)F7<-4Z$*l9{)`-*{zR(DW*4Y>
zo5f(a1CGU;$G-!_X8m$$mMKTuFQwNNownnp_`wKh+E!%qT4pO;W;9Q<0}GroSkX2}
zc1?)h`7k_TP3>W+#fLAd4L{OF3qDtB7(@D0HP+L9GPnqaRq$*IiH}zO^S<vL1|Q`I
zFif2qiycSd4o;ZcJ;tl#-sx|&zPk0$py^&};?27V1`o-CRlybP{scw3!r+{e;L^Sb
z8$R?J+A@GEhbr#TcT5%0zRfWWRp~tIpH4w<__hJbfSxdz%9|OxoCP}V;l&dd5V8wa
zf13PQ+cSH;{}c7O)@emG%JP*cp$fNW>*v%V{RP<UZA}km!55rhBL&f!oI<512>qW+
z;2XZpKr%1Z45Wp`p>D^YBll)Xb~JQpfyj-OMf<#rdmVJOTjCD(33fSV@R#$cS9$7T
zBH{Zdl|rGnw&m+oFTbPu9xBA8z);{yHQ@ncaF>FL#=ukQ2pvWn=NhOH>%PI_bMq;B
zuW9B4X}s%1+YH&}4jeW?p0HwY9p=;=x@e-1ZuGX&C2yHJk}f|2Tcw=)7g=#ptGA%Y
z_}ExfMr?oc7+I*bUSasqa27_l?uB|bFUf2_ztw+%Zts172#atQ?2TnhG9$Hxy$Fe$
z0XMKXQr~a$==Zz1$D;Pj$JT7yYV23$pB;#O=l<Birm!Mp9-fwb=p=S|DmW7tn6Mzt
z7n1uK2RK?M4izsXXv=J}HGt{Pjt7#-geJW?&pHN)@NhcMCun*Mx8t~ve2H@0E`P++
zpE?WP0}!_&EkuWdN)W6b7cdm%U3IjL<N^NVe6LM--~9>eSjnZP|4TyvR%#Wmz(sL3
zN^idXg;<+t40|nK65gwpFfcq6m|dayypy3tO@D*Q!25lkfk+O`dN9q(ouN6GoApK~
zy6dfGzTc4kw-Gz6btMOw89hO<&^C&+$;ozNvU%U=sx2yWAL2U3?Yx5aHQ8aINCLIR
z#Y4naH_)@juOWv*E9RY%(#&<&h{zHW(PW^QtfM}-V!qG(-p)3jy}0HU)2oX&)Xqm}
zf$K7^hEN?{X0M8{IJ_uK#d0DxatC2`g?X*&!6IT#-H?&2WXNphZ|G$2-!AUx!6HAQ
zxF3o0$j{?x295@Li=PgQR|;I)(oCKs_8>9Tet$3M>ygeAj=Zyx+_-FZ3qu9lC}c*6
zsU?6}sAs;godya(DMdsJ$%04+=i0o9t^?8;8PrTCX3tg8bH2Lly}YpZ{5Ijl?z%~!
zcuhkOxLJ~+#Q=+6D9gK4HyUiIMWFAqH~A}2&h}IDec{ci!`WTmQOb$f1I34_evt<W
z<cTw#4v=zIyP;QzH2KM0CW%@%3tP<h?IgTwA<GEDM7{3La{TQ9hu7K`5i-DBMN2G!
z3jrP5BHk4gbvj|To~~eypQpj@9<P8*bK5>_Y-(}vMgZKd$zr=6U6i!POkqpC%iIhN
zXB|WsdrT(=_r4!3uLhg^g*2!=N_aP3@@{SiLqI716UyW?Y9TQbU(Wv5JUp&>BYG}p
zc3#~&a8NI2!4lgw2HWo_u%|O=iu)nIIaG6tp#g5z;(6+npLFQC6kJnu#vjt3Qoy9E
zC?o0Z)~gMTs=vZU`|N;L@M4Chki`~^2vy3b77S$Icf}^VtWs9kQoE&Whzrq4qFEkK
zmqOBTAG7sWSRfP5nU?}nNi$LfL^k8!YUJ|AEHV~9s(iOmtMl2*@x*df==7*4h)|50
z1r<2NB))NFfR47h9@1m=*18d1@CU--a{Y2P-nM;m`@tE;3(prG`nc#aoU9JTtUoGy
zl!%+A#A28UV|5l?6AOvBNEb};cy6*Z58KiM%;2RZ@4<A+`-ZC-AvBYkxu})&?fUx%
z1~7)$FAH%I$fYS!$Y7em5+-}}1*h0v9NkM(5LS05gH2-@HJ(#+>JMur><#ZoP3I4A
z*|JGw2$dB=9Y*AKh4KdE@!6z(mF<vkf;34t)L&oT3f@@1R1+%=q^TBhqM}_Iu#*5o
zTW)43oaaHKnrdoQP?fbZfydy6ujRaiW(|#RJ)D8sTQ1^ttjyEs{<smUup=ZFI>Iz(
z8)(aClQ~jqR8zlEZkl!(*3`)aKBf=)$;GCBT!F4H^z7k^blU>u-1l_8(I2X0GGran
zPx(4!y9s;pbtb{{#Cos}mFl8rMF~*^`GEG_y@{QnJPwrxw}2!v8y+oBC`H)<-es9a
z+RGH$*6Q@~C2}I)q@FW;@tKNOqh;cYkO2=RtP7GyxHQ4sRDT;V&GOVtT&TjNf)!`%
zq5FM>PFRcpn5pj@s3sg<K(thf!Q9<iDvs|*3cc!~dgSF4<1oM9Jwdbd0YlB+mg)wr
z?9>+r(2#P76ooopz@%q;cl@QWTM*892nq2p9~Il*)(;MsNFizQ*6m%WSKhX0zUv}p
z7ZSVK2X$mYyD7n$&wJ1Zu9eMcwnM_{K*2pDVx<+Eb{;ivH{(AUi1slh*lG*SHX1uy
zorG4jP_ercCWTr&bg!!hK#<TJI10t!Ne1i2k)JT=zYv_bn^CO49`e?WYBNw*bO9_c
zZTMh*iQFJAY8RB7ymhubqe1R3?Rn&&Y-g)tiSVG8b7FM8^Yh>W0&hhDQ0R2{mM4nx
zqGw@K284S}==q|Gp5J7Fm0ia%SR6P-d6@93rE&a8Rt)2$W9MHx{3BMsBaW5bPd;Iz
z+dp~|ePg-u&nAWD`L+YJi)L%z)QAR(+AAwn`rTv`;hpkBz^8pz$U5esDXRDuS1M4O
zWA<Ef7H}~-62aoHo{O<Hee2A?U+>#h9`^e<#AC+=hYLTtYpQ)aQPMB|^opE9?2xrj
zV}WTLn-AgUAT7SZ*!{)rE50T&)WS|&LS9&70p_-CrU(j;$H-_Xh-1Ti5toAa-0<a#
zRF2VpjVS$Br5bXMG*9c6^lA6icM5zkFp-PWHJthl>li4bGB)|4fEJHeXxss3ZG{WL
z(iNuX7=6tHPD4qrK01OGefZ|5H}O^<EVsJpNxN+-_v<~(?Ps&*H;^p*H-%+IDX-ba
zrrz4{#1>~_%+sIgS6@=HVWiOM)V0zHnPfi0Gpofl%PdJy;na&7xFfhQTdp_NKiCad
z4PemkvuL+EW~}e|M}&{P{~K@%z#^AF%5Z|CCPa?_djkQ^GxJXlwa1`r`~o*CKV#`q
zbe)btK1>Kphe+y#il$@9dZU54*lYz>mE)4@fzBMa+%iKSd}O{b89P7oc_l?oO<YK*
zLozrU4k-ktSPm!Jg3d>(4;@_JUYt!`f%w+2AI>@B4cHXH94tsz?76U8qNrWPG+x|%
zQE*U)o68o~^VWil_i|ra8lE%?3rMXfn6!OXfOx;daIsI^?d4Vw^T%!A(NZ(tOQ&ws
zwL-l4q7gMG>lNi%RvbER(vL5=#CtMyZ!?N^$)P^rhT`QpwVpjC7)WjqHkwa_3{UV?
z#pE^iJ=_l~QhBX8pFioK`KG^v-eTn1l&y&L#k^i@GYOIN(|@o*uNsug;f+jP5u1$i
zeC}8JNG@^|Qgq$b-^s#f(9`5(zEn$d5+A9AUe&$Y0R`~$$plKZqW+XEo!JJ87dD85
zVj?wIcvzq}dQpdkwg?bTXLfn6ZNs3y24%i!5_r?8RPW+UFTHn&%s!Tva?xSjh_-)$
zbkVG%Gtio;B|6cQixq3?(}xy3_1zI0#o@v_)q)_33B*o0Kj6m__R;-ZE-d9zNj8x{
zi!$E0l4qCU$qam9QF`)vsL<;pRZoIfzs*bG)5=qXAIRghZ?ud-_zJWd`?)*mfjf1s
zI3kR~C!#krwC{ud(4A2#D+BCpJFdggu0f$vjl_{CPZ0UwrW7z8j1S_x-z)8nn<l~4
z120ZzqC}sOwq%{K+$&<t&}W{sU}?<T$A|q!d2N~t;f(zr@!06@(-Xmlsy%9WFT^W-
zS)uVJx`z*Wvl;y&DS<94O)~{)D+cOq1nNa4J+ij4Lb3Ckw+PpHk)5F|VSPsoYqJxd
zkA?D`d&8mn94^M}=!vaSIGf=_?}9!owy+H$Y;=UA-K<NU(+a%<6Jjiu@SwC_wm66E
zZ+RHuiO$UvIj{PeSLK46qZ~#I_hlT7aC)*sB;hU;)x5y`7BA(GMg&Arqst^|hc_tn
z&vyg9xdiD~RXnI06v5rX=9W~pET>`ZCac1i>NL}Go5REE7+}Sma>6DxGRfei#|q0J
zPR{^top584)$0foT2bqnTML`6gyZ^Amrcy-8dIv)41Yo`{fx!1hr6ixxY?GIqQCIu
zf+9@c-P3_*3E>|8sqqCXUsj%Xj94LAR7F*=W{|3d#FGV~5D1<pUoEdY>fJl4Sr3cu
zZnLJrRd~(QW$VmV$-pTo8X}1S!`9ZM1Jc?@i-0=V(=J$y$XS^DWRJw{#N^`UQY>yX
zj1;FR57(5E84^-ByN%0yTy40*a_ff*)uxyn{Zh^QCqvsT<Q$~g;tgZ=sRr7VyHi0)
z=vyR*J7Gs}Mlj4_nlsw5lsZt+??XR{mkl57urGF2Cu*;EeOEce1PHQlI?Bi*;=uI$
z@Xe9b44%KP#3@ep4s@}hb=={AWZ~n*7+IY9a~j*(8R=@SvkIB&AIVXAH@jorS+9xB
z7|YvzM(FC5swWLJl$<25{P<BBofofa7JX+bvN1Z*{OH({rfT>2BsA2;Qi(39&O3Ew
zx|XQj)aYw-ywU*ylUDSGd3MG{pM*KfCT9Co39@R=SYCuW1!e@SE-x@-!)<;<NaQ`O
zis9j+0=p;=r8g(6NSmjL%cqlifh<n@LMYh~k}r4ynMnmbpDVY%_!4O%Wcn{qyf&g=
z9Zn52fWS$m-Cd@LC-_An$E!Io&%^Q@SqKpxXDs3w!KYI~RE9?PWTe;`o^}?fw?5$=
zyWvDtL);JL@1YMw7?g!>onrd~iG4RJlEdFpzql)phNJ3pU^?c88)MYp>_=yK2E&RG
zYC{hU6-|RCCJQ5c>L=75`7UJN*6E&@U5fk(_P)*{^1btxlUJ`5v5mDNNKD_z`}$Q4
zg<K07LTW}SPINRAv|}2Nk6JIXKrB}Nqu6JM*CEAYBx#RJ81^Nw?V+ObnxJuFC@>do
zP_6EbABc=Ui9XCK5_q4xYI6%;mx)(ge)rPbY^{NBp!o~?^{2(fqQbw;_wx9;Inv5f
zqE(wkwp-loZNcve1nb#DaUyJJW2#!)J+C>$eu0C91vNW6TmDU!KJV%d;Z^1c3KucB
zm5P#DkT~`Y%E>=m>T;ujD8GqDWJ7`JqBpR^-N!p+d+g@H@d?P=T|6u?%q?8VIyf7=
z7g<mejgV(c?{OjcK5EvfAl%avGBKD^1r?M{a3Un^N;QGtb@pKO7h^l`^4LEpBc)qV
zP1wmkwWr;ibMH#G?2Dmqu&CM5hui@RwehwG#w0O!#pniO6G9zNAq+<a->K;f(qm`A
zYv)NNm*9C89z+wz3^aDT862<X3jgv(i*IAkW~>D>xfF+Y)79!%PyW-NW<x}_KO(h0
z?4~mE9R~ula7@|eF{|-#)?B7uP4@&58FXT#>xq;xvkXePQqM-$DAUS~Ja12Yw?Kc_
z@yvvzQn|(Is31iL<=GlsT}3%8)z@B9UBx63sa6wj(>&tyK0!f6o1Td=Mp0r)(t$Mn
zGG7uWR)@adrcfsBfie-0@Z=+m7g;aq6am@ceCS<lq^m*;)Ou0Aa5-JlwS8bi#!yws
z25p{=81g+cn_0Q8=%_@tAT*iNp2A|IR}1w{r~PXS{B1Z=_62b@O6$}NJty3poytMH
zs>}gckqxC+QMlZI^@ZN=X0~4<zkmR6f`xiZeSQ6+sprZ473EcFei*oRn=1_`JNtvl
z+n^fQ$F6>mIkenC{XO-FRPYYntq(N!&Dn$W80N`i*b3+lr=(yuqc<(y%s4-rb%gbQ
z1lYUKXJsdW5(|2wPE(Ip1ZNi;$-aNp#6zd1(9pvH5flJQH&d|=Pj1(Jx<-6PU9YC(
z>;0K@P1{b&98A^V5aK+*M)@Wu8@+Xv2YGA{MDt}>LZZ9%`amIv)MZRUqW|**I&skc
znE6b9i6Dp|ec|^ItS8B*`?eoO-=&yF1Wk13uM533W9!Jf-~&{c%U_yn9962Pen>h}
zbScwUS!=a#3-usv-M(|YhFO(3F8zRz3NEBtQKR<|#tS(O7V&0g1Z$<F6WkQS_+D6C
z@=*Z=4h>CZAulSMRrxIo`k7X?;fizb-b7R&_p_MpQk!GZ*IovVJNWm(-!M?}$Y9_7
zsw*P)b{K2B`BZZS?%z@`Ps}S;I)Q}Ts8PJQ#Y+hfH=NkleGh2Z%ioqEl9x3#1S~Hv
zwDI0i__q){Cwv$o?$;lotH&_tOr_k3;(9yL_Py(YjJ&3eB0b7#K`5c~7d5n$s^g%y
zny|EVX)%7=<hnP0L72L_;MpPG6@iPQnbzMup|X8w;Eyy~nGq@V&y``$s$x{`S{|6v
zMk};y^^YvgO_FQWxK|4{Csy5Drfuh}nBg1F!yXEaQP3<1l{9<%e!!?wc79PAy0p-C
zn@lyE$_M0Uc~U)*xM5BXxgPzk>le<D_EbAZrDWqKaA@|f*C1nEkN339c_n&TPkwfI
zZ$lka)HYlA4_!Q-kABh#YF^MEPPA7EUv_>sr2WC(D1pybUeqM6eg8!<{R3+A2g}9+
z0Km9eR0c3je#g`N{r#c*10a6>zyJO(+5LZ!+8ZH=sIgfwF<aLmeggjZAfHSw0UHb;
zDoy`3!#McpQQ`lM0Ko!NgZ@PVH6<%8w7>sTq1pb+S*-!Hd3=2KXQJr0T93DbP77gM
zRq#4Tn73Aq3MdXHtp16DFSE+K=oWYyL<O?Z5F--elD_^Rjd$@sc}4&UN|@r)vdBm+
zm=BNKWrgxI??1WqSo{L{bt@6-o9cDlKFa};cO+8FYxsAf#Gb5!SKYBrz6aP1ixwb)
zfq~W3)&@wEmS;ZUKXI`!fhnMmZywefwR}X3I80^7&<BU1vLZJ&^&^*AFSP_NV8yml
zs}j|W=kVsq`l?&@Ft?&GRBLd6Ia{R#A=wHn)%8SIWkx<(5wKy@yu<b$4FZm{%8rjM
zH<ah|Q`Gs6cWLkVQE1VV0O|JULcpr@)esWf;YWwNPx-d1!p_dj`RCB@w#2NwaCq5x
z^oegh&hP5BZwy)@p>{nlNf1+2O4#HkelNapx`{#2Khy}M48iQw#3*wR(Gl#1?)hkY
zw}{2;FGZo38*MHZpQyga3=HLX!@*RGUR0V~-(zCBu-7^9jIWLfyz<j=pA8Skbj57U
zpZZsN5#Use)?B8vvLh7;WDE+#uAQAzt<H3r6_BD!9r%Rq{dDUY?LofvUc;ySLP`hr
z!!J853A<@$c&i|e<2g5``KQoNo+b3C#cz(huDa3!C93}q0H#1$zYU<yPQjNSeF}N4
z+VFFCc(S|V)L4K8Sl~|(&}y~F%gckMr6nX1iTJNNyAj%ksi~=%^XJds`(#>))!93*
z%K|l0z<^7~cVorc?Z`JM;9AQW68fT=pL-FzckRZEH{L@Ff0sY4<htwxY&{x<p1u0O
zM)|m}#D7{A{_=#4+I(EQei>@Z0HAf<$L>EpB^HsF?_luIfv_<*gHEl1^r^k```DuL
zn@>PMuh&AO)BbKRf<LmWl%!}}xsnF8wm;0}@;{OU40N~oz{a(>l`nyloi(-RjS%ht
zE3LfHyj2Sd&i*?;+Vxr;w8CBb|7Q;qy{-_~FGoS=UI*<_8=CwF*tl^gJQ{Vys6K6>
z)=4QKQ}H@`>hNADoa>=^18=cTjT9<Z)7^Nz-tdR&_=#;~)Z_l$>$oYEVkjm0xG+)y
zHHxFITtS150}$wH4lSJrTK&`7L*|JI{<#U!VWiclp)OKG_;O#>a^=JUoVc2Zu$eEw
z&(;jq_HI?J_Jm(ELPys?b@At<k$S>t=-e{?-N*A2E+r?&0xZA+|BJxC^IO&bBE##j
zKs5yJUpbBizpR5>gLarTdI$nMOu-R#UKZ}gr@+t4Sxil*)j(&ILZy%)H#>vAj7ni+
zXA2qK5f-}KX6EEkZyCVW-T{izyUzv`7OG)xPG4Y)3XnzXm?>0nuq(T3dGqo`><_<y
z=B+zGW-WtCrGk{Asbz~1>cT?E%`Ko;7l_?#73P+(v$hmh$)_O*`Gp!-SlhwMTv4`}
z_?r<~>FH2Y#;k1YVW}!><QeD-l}2xbN~u6zPBt|H^{}?Hqr98GmS<&9!;s#$wR3<<
zUiH0tqh5z1odM=z8ks04(!#RRezfW$7|oQ_5CpO^GGLI(VQ1@x=VreIg{=#8nj&Zn
zQdp=e=3Px*Mq0ONyMgemUkGPA6*Z<b#gXQU#ncw%k$*m93JbEOMreh_fXuXXXpIt>
zTbM&ewnm8*=HzT*CZmjWvH;bmP}YjglHBY}>dLHzTxm}Ewtnp0T47zG%eB(nit5Lr
zEEm)uF4X8~pGp+uWh1XZ4MpX3%GNIZ&7dt3j~N3sm4xG}Qr1e>(`nT(NMvLzK_=C=
zmOLFC9qHICUB&bZ1p+hDGoYis7Y+{P-ls3rh4iIgJWkd5$jK{$it=Y^p{$euP?(=1
z4v8|8DPUu3M|bLJ6>)nFZLcbQ|54@3%gGWwm2?c-Sd}v>-ct?@B`Bg}QK_<kH67z6
zMG(%h^vrB(HOi@M_NA{sltFqyCX-Xple(d2WK#Rv40aCoC_N>MH_+2@mz|qOO=BtS
z$hM-D;FJlSK{#ftU~Ngq9xZLU3`bB)Eo?2y&Lc6uRJRJsubqumaq5r%VKf-fux(E~
z7d8l`V^HW|l$PsVBBU!GGZxn5WL}z}c+SzmYHqGX5!FRrkq(wtHgpbF@s)svmZXz`
z0WvakFd0yQrjUB)nJHBjdd_Lpg>)WDU_o^#UVZ3T$;!&6>zonRHg@85&y)!Ris+iA
zqH9`FK`tFDg)q0YDK*N;N*C+T#@30pDXu*_K8oo061EYB-sI#JKwinK$~#Cx9g4@R
z6!vtyKI-@{#i3sm7A~0n>Z?%EwMAGoMcK&KE77q@3)FIRhoVxTOIMJIL%VjuzmpB>
z`8m-w#B|IH`7xt)wMF@KoD@K&6zbP>%@q?a{$E~>>AGibWee*n&KGgDa^){ED}N0a
z)-llMi>CDRB}=?E3+LCsu$ky1wSbha*98<*5)4bu31K_o+^542wd%CS>#qjD#ZCCU
z(o!9k{|ph<q|>zc91^apj#ZpPLfsY8v8AHV8U>vYLg!E6_mXp`<XTu&Sxc`AWM)hG
z7Csjrwd7{g=Z!`qUIWV?+rnpoL8=h<ot>2lJzcYH=`%^(KOK+hbS&tFYnO0sdqncW
z=V4x<7LHENFsgI$AT<k0I)0stKNkw9zS1&;VObK`(0OlfTk)I~hJ5Da<wHxKYf6<R
z+{m-Mw_uo<^nlI_z`;gE*BZ0O-u+BV&4I0h51Q5Uhm}GBSqY|IL+54|m4~iB4o>vB
zTc)L<&rB(OPms~OnVDITm?_A#>d&71+-$m@YQ)dJ^2cZ8^GW#oaZAZ@ELWJ5xwTkk
zBb|S0`b<~RHK8Dnt~CYpxlrkPWJ*(y?5rF*4t21ww1wqE-$Q^LauvQSsOY+HP1pUB
z+z6j>8MG~ZF@lqWUBxVlpI3AprdKU!zg8Be>u|-D_%9Y<0Ty_?Ko#GP9=`#<%K|J=
zNx)cyz1wy}=29EeXHJ5vWm!W=X=R6cb;~}$Bad#zsaP%DC8BQshfhIc;fZ(OdJSpU
zk7CoVLrBXhpgWTEMa?Y;qsELyJs(Hta}%+6(Qk0{^us;6>-iu%2RaE2Cu!FmVI%t?
z?&3cDvThf2MN%yM{xfQnJ7LDN)8Xb&t|6(<!Lr4RAb0dY%I#}NNXww_7S`y}t3T{?
ziP&@a3~~z!VPWTn!K22YU86wp%Sb^+0yeB&hYMHlP=g6Dw{t<CLBr9tWdrg3YZnh;
z@5Oiod)r{&fg>o;S>dI(=fKxihb=2t;l!n@^aWl52N!P)8y$wGL7tWHfcWbdv0~?O
z_<7hPA~Fiu)X=tea>wA2VQ3rdPx~<<eB%-%!VA{w`#5qo5|+Nr@#gGMY+Sbne(eUs
zy)X*v4##2k%QI2S+SFLl<|N>U9~Q#5<p4Br&cXWddw71<B-pA-zGjtV#fY01k7MnI
zZFoTbkSfu-b59H#)EAa?h0IHj$GX*PaOG|iWO8bdQs71i{+PSg#jMGrq10z!GnMsZ
z<aIHi;^^v&;iJc*aey22)X>_#VGWL7yh?YajntTx!MA>EOddC!db(7+{OUD%*tcap
z_MeQPMkfvAl3Acb&jASO-4ROqww)P!8H?BKgKvO4A}&TCC%=%s5K|rY9*mHlZAu#?
zC8ZL6UOc)3+Yg+iK#*`;=}^nNK0?QaA<)gX{A%LwXZEed`FIMN>2q=Q=3Q~_1@E9H
z2pby;9~V<_E-&>SR<2x&E4O2*QDO#nzhI0G3xz)oIZ$WZ#r&n4(5PiITsXK7cOK-U
z$FRv5)vH;#ed%yw-!|+#cpSO(C0b%IgQJH(#!sIHPpaXc7O$l=eR2KbMWoZ%c{8OQ
zdJP<geqCFLU%vBGW3hVe2HcEEAWtndMlI2i%0H-wsr*`X4)$zbkMNV1!~ma^3<r*w
zjNTpUAtmN2R<2ox+ca!NN_X1>8ns1O=uo&=Kl}w+LS-w=Ou(}5zr)qLu@uWOz@v6E
zj0qb7F9)G<WWd?*?bsE58ktlNdb$hm;oA_QVPoJ|%Nps4x3PBZdfd31C<fMKatpNY
zGYG?bw#BteN3bs{7cb2m3z<3{o7b+!si<3GP(ezK(4a=`F=^aTSkSTddyAP6AQ2id
zB@L+J4YY+>*tKaL4xPP10a_z9gsjoEZwUHzYXc$K)H~<#>-O_#-82CEcke?=krAQO
zUq{#Aig&KFlI~#Ts&!P3c(J~{f|??X>f6g+j@@e);!2tYW<56<P8Kp0WZuV*biUa)
z=#0rjd*beu)7Y?O50b>7kpb2Y9vDK`mX>wBp{5=i^MCpkj$S@=O^ZZob}kf_j_B35
zFZ3zb5q>&~0;g&?x(CqlIu;FlU1^&n{5bzNxcT_tPGlrfsDUI=SfcxYVd!66uF78d
z8F5&*VihjkiluW?3J?E!2puCF|7F+Y%G(Hk>nXso>9-ZA-+cspRhd|`aVs5fYV2RX
z7$^4HV)V2ZP`{Sx`l=~>fJHz4jJp{HNIkp>Q73nxO`oCY-NG4iYLQ<)xf{pV-KH{9
zU`?t*t1i7TqJIx4g~qKxO@Wpz;`tyn1m%`a=s$QQy0<Z1U(4sMFgG4Q{k#h9zCO4W
z5kcwY(51>6JqC_I|E?{?p<|Ip_uz1J9_rNs_8vS5o!l0$zWoNS@85t#tETAgYrvv)
z2Ql=SnP?VJ+~ZMSL_=@BMS^)lJk!M!%jp_3Y~pOxajAHH67rH7dlf5IZ9p{L1TfOI
zETBOvIv$3L*IWZ#zjkh1gQMrK(X~rPX9xw9DIjNNX^*fevk+iw#K9e#usi%DHG1_>
zSh--p&{62xs-D;z^W@&G*h%jR*99TS;^Gy6unCh9;8HOdk)IxmRVz2*R%|>4By{32
z(4qGr454d)5R?etxfb^{6x`6K;NZ!N^qJ+4w?B9dl8hLv`E50#?j}(BQg{cM&R1XO
z%E58U=eAYY9DW78`t?Tg&GU%79)l+R$Kl1$-c-N)=(yg6gw$**qYyB0Mvsu;=+{N4
z11%11Ux%&xPSEw4g8Y;pA$ZWBX-B$_4ucbYH_+s!VAaxJaO(11I_C{=@t___1#~T|
zA~<BEo=$r<uEfFfSCOwa;ERvnhim=Lcs{HTlA|wU&ALs9PDrIFmJyELK^Qh-6oUPQ
zb6AaSs~1A&6a;PDRh*{li&Ibsyz}yS3ZRrNY8vXZp3aZU(Q)GS)F@G*b=STaKA<ZU
zzkm5DO~|07y5GDGM@~nI*IkKG2A{f3FmcLw$g_pdh0XBx^}y8&mykgLW;q=beTRgi
zXS>E?ojr(-#OjUPaX*;?^>ke~w{k}RVWH^UypFgJZC(bpQ~JlwM1dISbI%f^Crv~9
zMnOot9f1|AH{yOuIvtY=)N9fKV?qbPfdbNL_pXUXx8omBT^XTJTA@S#kr>jY{AW^W
zG58l2U;!3*q(J#==Ob6*H&}oL9xb5FO2nO%3^Zuhw?eR_sx68Nb8!05QQV}4K*)%3
z)RVyuc9sgH(U%kNdd(2hus$Tzh+4U9IkxQDi@=#<Af>xVNeTB5aWfHp1`oqfzgoC+
z={Pp-+6dQxx@hl3|5^uQ|2cYp;841At%99Z<-7U@q$MTbc4Rbq4;hI;el9pe4Zh7Q
z7g2D+3qwbQ!PQ2J?W>n!&8F>WQ0GP1$qTT0$wHjES454BiPT6^;ncw$_;t~Ix&!+r
zIyCTrhI$f29Y2KI6o?rRGJ@ulv4gk05<6Ec#GZ2r7#TK^{#Ib$rd3$HU<uxO=Ra__
zt=K@-6cr-o$^|56*TaaB&%joxr}fuh>B2>DdG{>@I$NP2Ck^2zPE(^b7$cvVD)yAH
zkm-;Z9}n9c4O;qn(U<w{I2m;hL)x3ZWZk`X30H3=q3akw6viGxd}0dSZG5;^Qeq;h
zA+ika&AQ^*F3ph=9fegJ)<H&%m(hJ%;>Zqa(B96(v}v>8VJpFo)k|<T-iX=by1-hY
z$NEK!u|FaWqrxV`le$aq*{~9e7B0mH@4trB$P?IcC=x@*PoPGc4brI&QZ+ItAG(uo
z#G%d0v2I@kdJh|oCKMEjjy#S{tABw(ro_met;Ak5ar7lQ=0O$)4I2p`Crh!>zHQwK
z_}8tA#@<ym0;LFS)CP^}1wl^@&gDy1V*6fqJU?Nu*uW~UQIMaBGe<8VxOF#7oH_#<
zYHY4vvmT3nm1E9J6Jd@V{I-Z1$yrK_n=%ttl00nq?Kdo1D#6>YPJxV$(}dXDG_S^8
zwCmm%QwMs$)hD3*E-2`86>B!{LX+;p(V?+F3bNC2H#QY^=5iQviV%PA4sP8`$Dk3z
z#qwP^x)W=c{{kz=TIkZqivlEOkXhIxWK>r;+nD15%`35!0#XedH$-h03mjO#3>yz!
zLGM8$(9qWz$w|p@r?LLp+$1boFdw;A0hl@~lx|hVWBKy6SVj%lmnIH<sMmp+nG8v{
zufVZ&S4^7L8^SrhdgVGS{?!a`K0gjBAwWSrjA}P)kKj6i(B;Ho*^<@RdB6+LhV{eY
z9cytd1+?ufSjY@CBqACX4i2J4E|obUi5mOVV7_wpF!r9jiBS{jJaIHfT0$H$jFw_A
zp9*k~`hx;L4=+0GUAqKZPTZkj(HPYCal(yrhp=V&LTbHPU{I$<5PE{dTtACj(Kpef
ze+c~D9O36D%+*o0=!!D1Y{3G=XzeMW^(>UyOsb0&ShQS*IWLSuyUv|)=<|74z1f#~
zxpc?&HNW9@su8cXZ!HE>&8XGuMAxRC0~=DnPmRrV-mKZQ2f=SlqXx1TNwG1wdhY=p
z%cBrT!H4i28?f@1pW#Fezmel6!_t_IHNP&yn(c@1-gBd=QK&}py%=1-myD1hBM?C6
zQ^fK8G}p*ty8G^gu1y0=GcVi;7aE%@7X6IKR2jl1&Va31AvUdCj)lLh!rQM+r=g4G
zZpW8yS^Nv#l}@H>iwE^Mv-9ypr*7>Kzh*a@wC{mnKR3D#l=Wnj$*s_-OAo}wu7ZD)
z_GsC_mjXTBFzB-((G?+*=CbNHXb1(rU2yI60c_c{7G6}w&P{x9A$%*AZwf~*x+XWR
z?MCyY?82&F7Q)tP4q66M)T7*D)T@yY6O9}9Q!r@g2>4MT;UWb{*8jQ)c8*Ty)W{D-
zdAYcJY!{-P{HVb>8ntX~D3~F~kq1dgF7$zO=a$f?FU4^RIyVdGDW;yCcmqey-9#5U
zZYk`AxcE2}3SA#6G_9$ZO@1;K&R>WuOJ7W$H3CLDr&cXrgC*2+<@ISpaOL<OY(01$
zgD1>Dt3W55+OrW`PTs)qNuhLIl;hm~HTZ4I5%e8C3XT11;ryW;Sh08^9BRFXAVnNj
zZrY1xy@sJ9l_QVNk(l^&*jEwE6ndq}t?V&yWM{b8THyS_t=LVb^&2%tJr{Et2Ahpz
z`wqa#w?2l4O`y+0J6P&+G5_cJG=$9t<EGA{ziIxf70a=BnQ(2JMCWKZX!=zMfP#*n
z@ZH;}myQq=ae^n!Ws`O<5=(zwL%oe;sMn$`9A$+#e?9^mR{aVWS9cm2>JCfl5hYPr
zp>cy|pieGDL|n$X<9p#*r#6OlX-aw9f+OdzQ*R@4xcm4*m;C^#ITZY^B0wRbpj1$B
zYdlEFM8y3<3>ij4O6_Z*Fgp(ODM*)R<%?&g&xD1c06WOwN2;GU-+UcDbg9YCN=5j=
z3-E8)3S%cuft6jYhpzcjx(EqD_g;gjj_7mt%IUq>wtXXNH)u>lh)vh4iZWII6%%ok
z>i#U%$up?uZI8?pnw&O+dZbcxHlG~t-@1;NqznuhG726J3Y^-%oz8Wtd#AV2l8$>b
z>S1F|^RkTY83HSn5qmeRrW-Zu(J*)p9OZiKSoaGZOZN~mY&hz8I3O`01@4Y6D9pN#
zpMP2iy=y~EpEU*rX)##2Vk3T2*kE>8SM1)l9=Eg2F>(4VD5;N0EM12kUF@qa1i#7x
zEWiSf5vcSr@t8IFEf!#bDh2ZCPM?PEh6+PbN|w}nx3G1`Ug)T?E1`x}ed;>jv5}AX
zrAR8bL)fJ0Xj7-`Zf^ZnJy5@uu(eVAvevQbF@z_jfo}Z5g1-D4sGED^4t+7AZx?YF
zbpjl5_R?jVH9re>Et;dYzXuLPWT9b`rf{fo4ilQ=fT9I;ns&yh{$0hpI<-`4T!_4Z
z_WeeoTiZrrx<x(jVBV?=;!ODZ_!~62;eGUf<~8(aS6_U;w!b@)-+d1!jvq(+2BS=O
zx2d<wu<=vSv$?6kQkZ%N$1dDN+g{_)y<Ky$@nk-*AHJBk43}fl;NGNSFB740Bc(6F
z{YQ<bMl{`Rqs7BkhW9_6hcgk;2<+KdOhf75jj1!}PNlP{OS@4^Jq66ns9|D&V?ZO+
z_jW+Uxzp(1t`6ND)8XvN)36H&MgwmrT)9VsDvE~*i90Cwzl*01qtMb@>}}viy;JH0
z(jDxG^N6~92}63ez`fh?@NdwD8bYSVf0xdkaB)dETwPsJm~savFWo_hzLU_cO;a&d
z<$w%)@zV-ijmw5J4WrT1-9HN&?hsJBE^5=isuo>dBHazWjHaCjBeY*vah1B%5YJ0V
zz|o_}sfR@?x&tW{hZl7V8H3&(8;a|AQ%|LfH-0qrj6vD)SF(?0o%+FaFO7~Xoj=;0
zJA(7{<PKq^eC6h%(38j9(Hj#chQW;*SpePTR%hbpwI^^tD-`x=*AN+#jDb_%K&!?=
zT^rH2cRUuYJ%rfILIhF%s3Qh~+xEqj(SyWetRx>LKMgt!&A*|ip%j*M$1#xR@TiTZ
zEllqgW>X$1SFL*vqPw+i#24$)ygxB_-p9oY=cqyG1(lsACQO<nzGom?dvw6*%fBKq
zON~H_Y#cgu6)n0B#pn=IV=&lsSmVmEEx1RG`RUWfps_Da5Nr%Y@3@=Tc=QsoM-70J
zRapaANL-i?L}l-di4(`7mZcy?7KIu3dEE)zOCO55)L3oRbs)r3mK=0iAGD$1$5pZw
zVsbhfDj<=X!^X*#0%Z=UThCNqLfR5?5_-4@?IW#*?xxdED{ET>)d@hII`xEA{-;Gw
z!xnB`I)(4kgdQ+@a@Eq1z&04r+M9Zo+@SL>6hnJ;5Ywt##}C;_@i=nq1p0JrMCYwk
z?8e_|Kp0&QOxBfm8h;}a*AlWY^4Vw6yrGx)c6Q=DEZ=bsaalC1D4-dh8PNxe)^Eqc
zf@oZfOu(=yFCnOSf>R&r!83)?ghc=VKmbWZK~#zU35(FXseS8KSby*yG+G+MCj>O8
zP1?Lu9}J}4A;MyzPC?}Dwdg%`9NIMX5nqeF8G#+=?^BNix;spH7LKphJwg!DqrLck
z{XkE|#k`G^=cCZ2T);$1=XyqLBrZj#()H^_v~6lS@3blR@Y9CFh^F38O{rJh;}+rC
zBHX#Rb#_Bb3k}w--wUsRhG-J(T46J(%#yCVO<+zvuiU+Y(6ng-@%;iCTBp+(sJ99A
ze(2R%e66;Z1J0hif$R(#7Dhp%V{~qNH|vBUeY#N4P6AIy3tWo$1edQ}LkkL+2**h2
zQf$_)&tMGbW^%1Zz1Z%@yn|C0E{g#ZaR>$Vx*9>BFP(!;btVq25so(rU5Bh|p-s#B
z*mM32QipVdv&sw+=g&i{azdLHbd66xL)S@Rcu479#b1Q5T=d1$xR<HHWD0;Z4itK)
z)J9VDEo?h=8tK}BG~sX(%xyf-vqKYVoPvV)y(nlNO_QoSK}o$ZkJ7Q{*Rm@H_v$1L
zX>@l`;^L+M;>z_K@NaBRLs50&5IQfvAo04;tfjc?hyJIsb)##*MDcY41vc#EopAIj
zP5w<iK0pBzA@2$bc2Au-3-vurJ?Rpz970rV4o1wFhL*v8w5<dKs2A8TyUrsfwEzv=
zEGq1$r2G=<p*CpbXmn^^4>s1;)YEY>G7ELEbMwcbkioE%sga+NinCYmBkKB13Yd7H
zRqtVNt53ZGX^5#&TY#LDctqSurXDGobRuYQgC=S=P@uxIVOzX9YXY<nZes3N-{5`*
zoe-55>TwoWKNyKu&*5rPE}AuKDqgoQ?Olz8d<ka1Fa?c$OaTCQ3b?-a-q$!6aScA*
zg2iLUh9+p8_3Tu*Rl2^F>_$$#y2ebJEdD86Po1nNaDVI;vQyK5Y6ML5G!)E0-!GIj
zq}M;NE@VMvpL3K=dQXZj{f47gC)33~(903`-gytFs0XSLFmdu}h{+R8*GM5)W$f4t
z^R}EtMxFtdNWh6RH_&Oocnt4rI*&@O>lgO!M50=T*`c9m;3d>`0Pf$sjw2DLkQ>?&
zI`Wp7(a>W$hkaeBw{L^slA`lZ7GMDusFnZ+Osd7jE3?4E0!kVWE~9b9I%)`(EW#Hq
zp&_IxqB}#8S0Qt6A_h!^FC|v4UZ~?!{!6z3u{R@eApAIzX*{wpE;=(c33B(cMi#ZO
zP|MTQh!FN6j7OH!zmj=M#5-d2<zA<yy*}d3seu|CE>3Qx4OwBX1DRY#4T7>eNfMg3
zK}va)P+GaUh16b9B0%ioYbu#UNsT{haGnz8UlCuT#;=V#8U=crR-peE()<!e`tlof
zVkbU|*e^C9HTn6-RqN?XEq!UE!50-5VW^5Fyj;r~{0^R8G`8Ccc@I*=RfR9cu0DQr
z7t9naskpr${eSFz1$<Oj`t~!HnYg<rBq4aP;O-7ZS}3LNzW;B#yX{)H+uiL}w%xjJ
zOR)k)i@QT`2@(Q9lMwezl9~CQb0?FT7*g0SwCC^(bLZZp&yl(3J@5Ox2E}W|$BXvi
zLV*z>rVBW5IvYu&$0_D4!Xr|1p`5nx)ie?K`0c+Fd276Up>iG^#6GnkG(3n}4;eU3
z4HZ8Z4fgHd3l+Hr^pq)xwu+tKfh|jMcJIo%wwAK3S(o$By>n0W>2Me`KYSBwscq4<
zM{f-5oeVdT*ddsxc_f5mK@l+ycQq8$Bw%go5t_#c77eN*vwwmk?1DCplTJ~8Z|ZcC
zZ|69DbU!w1+JPLJFIYGz^Rsf`MuAXM!OY#Ln{N<24EDN3MnrS-vH@3$DxsrUkBa@U
zY4JDMvz$mVKVj={G*=<F$cO}Q4tk9a32nF`Z>j*^^Wlr}@cupU!;=4yBzX<Gbm@kH
z1N$M+%i6DMYIX#K*vE(3#SaN#o;WP}NaR_Xi*>8l;#k^Qnk{j>({#dUAqJcu<_g;3
z^D`_au2Ja)9DimrH4MIbA4^$Hv0*AHyh8F{1M*2^*ic|1uy7SvILxI`)=RIgM0Q~%
z1t!iobtnZJw(MftOPHOC8eDnsX+;4ZbMMPd?TOE3;qQNX1qrR&p?BW_=-e*89%q7B
zF4}bIgXF^}@%g|0jukQSNapw$(6cjKoUZ-TEXK50dwj{ozzN4qNew(XXT(^l;D#)?
z-dNHjx^+Buu0E&m><9#e(5f{xbD9f9g=HK<HCRJ4l&#;3{wDlI>~ES3<`x?fN0YzK
zgT~|JsWdEGzY{%%O~R1QcI>myoxr+v8<9c5ufV5_E_t<1cC85$H-iEG_H|H8A%~9h
z!pqOP0TlHTnm%f3J6NYLX;hgeJiwktrKcd08h6{S(3P-5Ls%S2$#o=%w>K}Fg}rMu
z%G|6Vr-k4WDxh0nTti^ukey=sA-)T9$)<w2maJ27!`OqUuM<K8?e!(21)O=BuJFvz
z9H+d@gq-yKc>T4LN*gVlOIJ$D;9u*~S{bT!88Sbb1BM6KF;qKyA|@&TDcR(8QsS8v
zp-8Lv#-3KhcoC~xw{FS!VcR!2a^fNew5O&Ag)LF-`Xbyz%ikUA`d3$^!$m<J#{<oh
zmVEOeR&as~;Y=Zg1;%O(@=DAI3-Co%MLG_rW*|Pyo9q8>nt71Zi5wl~stTp8SJG1O
z*S{RIww0UNT=L*#lOM+|pd-zSx?%;_g?(HXx^_)Q{{j6GRJ$%XR0EYId04-C6^@-g
zuW+=~RF+UEO(A40SmHO<GcXP<Laf3Pk+!s;fHS@tYZv|p+m})B%zNeJoGPm{kz<GR
zw}HS!q!B_$->CK&Go(kYt_}HkxZVk#jEcewc;ipM<q9iS66VHnR!mbOp#`*pCV{)C
zb&{Dwo+qwRI-TGg5dtd}H8PDT=2|Jnb7GrBDAv0)wT+1i#F?B7QEZbztVd#w(`t)r
z9eKPsH(lI(5b9uB=1C2W$RIr~=TdOQS_vG2TeNOgSRx9lDlf*i4Xd#KXgVrr-ee&c
zi1;0{igTN+N|QGuX$I4${V6Q`<e%8QB9>#U7y9+>0Z(cUD)8u>Id1*y(&{~Z5f$N&
zvsvPOfZ8w=WUgAZfqZY5iKz+|3eMz^B4$RKSr*sm(K0fkF1_tS8Ix7znD_ZRSjhet
z^FA*p8x>kl<d^F)c-R<ZP^<E_-@lARY9RIQHxQj##Wu8Hv}GqhB?1xwi9oXmT>Gu8
z*`)G;L_i`S5YW4mERh?W%yTFCV{bhH@{5eeqff`fTzU>K|M4Gnf(;8_pqyQuxv#Xp
z3TLM6$J=jy3~zEI3?4X)n;uu}{$VCg)Dys{;OglhEKqh3;<fJv0^cU|bfH`ql;nH~
z=ZjTcQ1Z3ajW5{ZCA&c}^@I=Ng^=#Lgw48R5JI1}-TI+jxR;V%Ir*f(CYbj3O$ToH
z910SbqF9lS2xjiq1ZigdQj|w^|Fur)3a=%bu<t-B%CzYyws@guSDu<)BUmT|a1V^Y
zuu%h`6)&a?VngFZJ8Kt`hx8pa8k?x?^3FfrfVYQ^8w9HO-#Y_de3r}hTUfVt-3Ope
zh`Ul}TU$dZXwp%$<bkLEA9|ih#kNfwv10C*IB+D5{1x|+OGSu4Y6JVG0nEw+1#1NY
zKINz2xbUL8Pg|(h7q*+VpBYDX;_ZKZMb91-N(|`<H#Y;eeE$_LS)14(w)JJx#P(aa
zRaV@UI<Ygvi>T6(+yM3%I2ggMR+BHGJ*DENHa5f!HKkd+R&$)zKdp5vNTqegsHu-2
zse2!!?B0e=Gz;6icORZ5!Da}B9ilvw*cCVgp`jx*B2?sBnE4U4j?R~3`0$~K4huxt
z<&&7T#440il2~DKNNu}h8+1MxG-N~_H;B;m(6BxsH0@~^M0>3`*q?~+VqEGt*U!^U
z^*ir=gUF<w%(FKM2%WHg{ujvQDXW-GK`lDsr9Z^r7&VnPvEM)Y*BeNmcps*Y>{C0U
znLnH9;vIs=Uic0ArXIys##>4gxkIUE@cg59b2HVP*vVR_8g6i+s8KfU?oswi@~ZUm
zA?16+5hd0hVMb&P<Tc^O&(qcRz4o@_2ji=?2J{|0jG746nJ4;NXoIx~bW>thSCo)!
zu}sn45(Jw(d{@jHirFvkzVi;uKCu`wU<d-d+;C*?8f-hrO?Pb&8XQiXAGV;(dH(0P
z9w~jG48Gb}4W5fhA=U`TD7O5R&Y}RXOW&c0qFJCATcXcZ6ecw^KdMV}D=$QW6prX!
z-5qijH|;?P*`p~?>)RoL?H2b1Ck?2<Ky5^OH2W3XuL#HM?y&t_f5e(2f>;j(UyVy$
zKi5UHKIi}bu{2!?alxMbN08`}g|zHSOrF@WZd}$+VgDw)q-e<<(SP^|c+_&{Sm%%)
zp>8_3^cjfwJ$v!ddvDQv#Tz9QstuzFMw>8qm?-EJ^E#$IH?8EIaBQnjNE9^%ok&dk
zIFh>c$DZBWv3cE6*6$ECD4s`*gOJ?J&GEM%y^X!+t1xWjP(+53+a~)MzW9Ed(%quA
z0s|)x&pH8$(gNO7>GbG6U>HJ3iY|gO7Py|q@;9ofU}k%DBqDa~2QhZUVSuw&Bn98p
z-D5)(>=`#Wu{DnGUWf0OuYyJAjxPO1pi8T8Y+1PohfZB)5#nG#Erx_L7R_QlDuH8O
z2;!O?#I;cxd?@Qa+f*;`yK<|x!eYL=H6d`SOT+ba@yz$J_E0tk4I6>@h!9#KQDgA)
zWpz=m_d-v>_WjSih~CGKVaN7OSh?^U{>~l4bI&|RoH;gG7e(k}%aCJM)K!q(R+Q%8
z{kPu16*c*LhV(-a4{$CX+K6Q-=WMY>rz)7)Z&<Gcx0K$+69Y$%rY4H@cSB&TA#r<v
zGk=Q`lkwYETHx@ZeOSL?BR+ZO?-)GgF-)Q6sCC9P%u#-q2uK7Z0!<@uwf#raDdb&=
zfJC4k0&15)bng(4*&8=w<K83;>TKoE5Rp_(s5grjPseaB;{*y#B<FkNA%uI0ji?2C
zms?+|9OGSWb1a^Tmr$XKezkD5JRH-Byu7_V_(D^S)RPy`o+pMPm@9K=R+9stxI_p&
z1m%@Yc}r6sEB`rDC?m)y&1MqFC3mwwX!eS6P31UqJ_oIXtfzvxXHP4nhAl(vr?b|#
z!DcgoOF%R_Cx+wTo^`lHbDgNRNr-SHzHKI{2T!ysPUa)JWfDRu5NQ~S^XP>@<Ar-4
zd=TOO<OB$$Af#4iA=+xy@^MCTw`ST(Awztt4$5E0jZ5(U%vHElM6MZw{RC7?n|x0a
zL|#Zwg}GnL+L!bioIHGtW-@+?;HFZ+x%Q>FVI`aReul0@E46_%LwOi}&f@iuCIAcS
zk3Gj^Vlz-q&8FNEBiwup%A>Tjle9s1CKm#|%~ZSam6S#^&Otmuw2yIH9u+0l7x?QL
zW1-Or5PyBTw!<rLd_sPnY=pPu*ri!X)&=pR9IIqoRh&tli$Vl;_2JmdBROFv$x~-w
z{D_{``c+<}77*LSIi+^-f~a8zF|_oEt@lFg#g}T-@KiRq1-iAcpLE*l-tbch2Fi#<
z9?2NPYR5$S*)!CpaYm?@4r%*I@M{Rg<4-(5wS0kXCDv2$<`@jFUg$*5i%vcJV(v$O
z#rBlLG=HJMq~V)7wFX+Y?WFv*T{#b5e!m^r<>L{_KFcpEqn*ERvnQfL^QvLc@#NW4
zWx~1i6SQB6wmzmd!>MDbaP^O&mJGl%b%v{tB~Oyu3XKZAdnmefs?EomTkZeV<QkfZ
zqgfVAzi$#x))!;Js#x4Nsu!}(asHMAk39b*x<*-rE9rYz)oy7VGHI}OI6P_Mk{)Mx
zlAl2yAR2xt&uhx^aFX0kK@GH;M7Hkq=wqQ!Nl&wbWRj>h42riGn#Kr$hC7AWHyt<z
z=~${!Xlgzv&E{s^gX?`xDbTsAm9Vr?;(9kIOreLbj4aW9t01_lBo}FEnFyl&N?p;{
zz*H?Z^IbaNyA3<BwA2fF-zaoQjHp*qQ(t`i+!a^b?&L@5mf)~1*G4WU$*E9689s43
zx+jK`S0(`NLc>4=3M<^n`%*;vj4o_z!zo~mMBT&K1m&-H&-VEJpFhFLv<noN*v&gC
z%W`o%EepLSK7w&Wt?TWXJ!h>#B*#n}VBkS-K4xkbxp>edDLKwo+_gWMk9AcOQMCx9
zmnGpjtA?6H(QUe*b)-MN&z0fQ#Y-e*4<=s?g}2mparN}Uh;d`!TSY>3YHA9hil~y%
zMD^fWs?IFKq1}7Yvwb{Cj!)vm**yNH)b-#s>lGB_gR;^C{LRdRANgWL$j?55Gg+1B
z=O=zwYHQs92PI<df7SF(b>jGGwCOt?Q^xdH?q;1VY9NqvOmVGi3eFSTD}Tvt7UT6V
z*HMF{9Pt$Jt4-ug%FINsB<ng-mYaz)XL1lVGyo+e@jcCWGoHVfW_8x*g(tUD#v*>J
zDEy)T(4D4F$IhNZ@7m|Kn)s5iw}M(bek94anI_qu***=_X6f2z2><%w^SAzrJ=^z@
z6RZ<83=60&M?(50yr0?9%1?=aL_i{7LqG~lY)HsYiNKFWK#e{l?!xg??_%c1Z{tL_
zp6Jw}Ej_HzEQ4An`9<`iAtVqCLRexV=Z0hO<PW;KssQWPZ9os&ogdh`4qH+$z^`Rk
zZ8YntV#612anfizwbAPgFy^FV)!Ow)Y7vZZ@<Vtua8GHCZ-4z0`H6du`HK9+Jrg&s
zo)L-YnG}b$3qFUdY6{|cs=Rq6xgd&Ec(iYC<)zoe_S7_JkF$R)xl7t(&Z^na)D)m|
zn^=_OXW`VTD;PETE}CC7-khko5nn~^3q#EW1i4gW>HK-9aSh`OR*ZsyICZvRXvfZ4
zf4gRi23>o0$Hw=*#syN8-aE2;oe6|^`EtbF5sOYe24l^(ck%W=-^8fl1K~|CI%&s`
z!<|HO!v=OF&qM{P%Zre*V=Io+L_=&+{UYNqpmz^=1jV6$_coZnd?r*?dFa?G8YO%g
zJe8h@yXa9RGi^6HPR^rq=Oj35s<EE}5aBh#llJY7L1PHSFnW3Tc-~5U<H3_q5~3d4
zy#ebEUB;;C;~{7?%89e6cf%m+W5>Y$)XR$=mdbZwEyq<yat`d-xC(p7=@8n%J_hWu
z#fhs1RrD<M`Db5X{Kx^Q%ud7H#p@B-VK5@OvD16CLozo)i@*5*6?vmcCK`Y%m(Jo$
zp%zmojZ!xC3a(dqNzczXf<^07kkGCZ34#qco^lYCW+(XjdT<=(DqcnQY+6EdEH&DZ
zxp3nT-{W$n2BXP;VW7)sAD(0%JGcu6<9txT4Z@OTKTw5SochwSrfV?z_iT-CS1-di
zJYDP%7fODI(+EiDj!vDDk+6C_zJC8r<cuDPC~p2PoH>O;ogY0y3`G6j5U8lAvY&xZ
zKm7vZhW8^Dr?FtkIz%N6r%=-sSLpV-rgR_HuGx%sQQjm&UWxq~`JiS!H}&-DwD@b}
zXhP9GF_!B4mvJH^ha0MRWm7B0v6yE<DeF+m1{^q^gHD~>!^u*CgGZ0k#LXAJ&Uzf&
zu>>D{yB7C8`!WW!3w7)&<=Q%i>#rr^fu1}PL+DlLt7S{zMH8|v>@#8hwC!XeCO*_#
zX{$JW7U`QF3D%;*TP2}Wi`Dq<%lA-{J&I-)zR0|gjtix(m@#=6(sr-Kg0+V+{J!Tn
zPujy!o{6s(%|(1%EMooWT9<^UJ2$O{2l<aq?%#oxn-4+bZ4<Q7oT|aNwXTg~EL+PL
z|J&9h+Z`>nZuV?g4j*?X@@V*D2R+Q3q6NZZU6Yjc$QEDBb)V=YuBVY${Ow1mEEt2t
zm>}d{K8JIcs&V&>2{2~t!=L{7H3m+39ODNh*@~$9tUs?B*S9XBxZvE;>n+%}bt468
z+=S88DA0|onu4)IgBaD?Z=A;}Jq8TykAKs%)SDlexsD`}*S46P9_i@NXEf)mbtCLp
zj*gPrT_nu(rY%R?Xdi6-VG+{Hw0M#N5D~2HZ#*W%`YE2-LQ-;fEL*va9>*?V(8Pzy
zdu83M+kX?RF>UEY$~Y1nw_dv$Uw`-xa>+>*MbB9m&Yr>*b0F>;-;W-zDo{zYz0-$x
zqx2kwZ7kE3WX*m14M2#GI|dBshxfl(iZ?$rv8^3wLRUz$ptI;Qa6Dq2&SUn9{UmN}
zhhT3P98K8|Be}6WyzClCqDDHBsd`a>d3et*9H6P5;LBRPWR*h9sz@XlN5Oz)JBGl7
zF6f%L0rO~*SDHJT+7$lCzHk<ob5xje?^u#JJI1!=A^N}JZ%)_V{jhEKev-Ur;Jtso
zj>r&ylosaVLcS4C{`xgUMg}T#yu2s}AHVTel1=CH_n(qO3Ry(IlVO!SB%P3Qd^xhu
z9KhdSJw@)Ja>aB>l;`+c>{ugPzuHDpi_X1~uy!lH{o(^uO&ALglwm1}%2j?bNbVqn
zgQCAh{cR~6bF*G+>2lbU_@*D)g*}Pnq@i$n>7r$dJ8xS(L?7BQX#Bol%k}L3_1JJU
z8||s_=0PI#UHeZ$OV_{N{4F!ntW`%M+|49)_RyOVAMA>C^aht{_Qcer)^ul{0}m3r
z?%K8)fi5IAKE4l2*Y1Hy??cSYJTTyU00o|lm(7I-1t+a2q{=v*j`$9}NwnV&vGlC;
z>A&B?=#j%nDC@#!Cs1sN#<UTg=(%SeDx8AQu4ODrbI#+;1)5FLdym>&iMgLp>#r&j
ze|q@|DCY^b#>h{JfJ8td&;$ZfVA2FA@|Hy4MiFrJ3C9!v_YyX&T8?e|4&z)JH^$;9
znWy$qEjyuot?<K@1b87q)%Dbc<J<Pc*rDgJeb)vY->ZRlP!z_FrR{B=HJ*wm(7_?0
z4Fn(>l8%PZ%Z}CjA+Bu?4DXwUlr5`qY>yl6d+M1c<NJErg%w)8D?-T?;$3TAA=>Q9
zQ~L1mP;Tb<0?ilJanl}!)-aFU2TQP>?_N$kHGkxp=aHOXwUJlihXg=Gw+9V|OniXq
z%u7gQx&vu^ffgD7KEbWX`_a^r!xt(Se{^ae%MHLnn!NB-*gXVK+&_(;d93a8CijZJ
z+DF+G)s>^tB3NMHU{Vpy6Rr-e;*qNfRMequaa}2-2n(j^0J}s4U-FaaysfJ8J`rv3
z{BuuY{=%hLv3LP(#2Ja+QwB%VqeK-2B`JsCOm7p_m8B>%Y3PZf2>bSI=ZRS%o}Mul
z!zVvP(}G3VxN93ul59@2)i1O)oVdBs^H1>8q@6sh+}E=n_dWU`f}0Q;bsI7Xl_n>w
zqhRL5zAcIi((%(D!^m0}h&qECLPEn}5IWtpL6}U0gmP>+H{SBM?c5)u(l24p=G8d3
zT@C-RIE>*&=W-c|h;11-d<tUDpcaXU_A+6?w_j6pqXv<k24mVich%D3(3RuE&%)#T
z`Pj2%4fczA@P#(4U2moT)fC!=goMDIf{o^alU|R)?6Z8iKc)1AMPr~Rm-~<$?~7{M
zp3`*%x^(Ky&G<U(+gwHIgA1lU{1l%H-UbWqxn~k))0@WZnP1Zk#6S*>F}O^Q7gvSz
zLxn-(AD}w?0&L#B5viO@W{L+!#df2|qX0be+zVLr-2$q})0-0OF7^^_dk<H*VH(!g
zne(*&;L$KtW#PM-Un%AU5uJt+i*d?^sD1Jv45gdtJsW?(UTTpAMkZj)$WUZcQ%q<a
zY1L-z+rAD5c5a}6jikikoiJtc2qmqX;2sDf?+QCXPXR!B>OP+I9^@{~MAA$@%y@VT
zJcXwX#&&geX|k_`223F5uD;guPW}1|GqS0uQaRJj=LQ_v#fFl+a>|2GVkiYlA~-p_
zv#-d>Vw({4Gf=*1oV+movFG8ra6WcZ*p@=fgrFt5(?FQGvEQ<7FE{ohFs6TdC4Qd~
zlNBwot(&)^(?jDhar9uUB_Zg4PVAxSQ830&9E&5T$R)vct0*i8<5=-@Aft4m7EoAN
z7&&z8YlNqVKi4QhoXsMHfR`@6yLRh<jD4FZST-ta)IAS8h8}GqlsdS0dLfi%8e$5I
zIXszdcH^AhO>a5}ce4J>BRnoy@rrbcuBj`{T%TJ+DQWBd$8|d}G=xN-*7Z`wyp(xH
zk7i8;4d>>#$>T9=!CHD>`5Fm*#$xKgc!YCq)@fNVp%6+c`MO#2ZP$Agg#V7EtG8hO
zyc6teVNOCV2%Ba`y~5ajj`^+~J0N|}2F?#7^V5^GlU`|BSp{mYBpwe5ssH;TvhXJP
zu+i17(IzyFdUR`#ou`XP0&DF*5l>6EtD*d@5hkXrEz<>}ntV;lGgp5+^z;i@Jbym6
ztX_`o9QQ&t+Oo$;MPRve+kTkog-JzkBqcP}68u6(4yKUP<Sbr#>1ibO8-pi_<1%ja
zznhmzZ5ginByjCb&Lk~O<BGDlF3_8bn&h;?wfnex?xnD=J{OB{M>~1i-I&KUV9qyR
zlY`5Eo&(3?+=;_<VQkfA@ur*K5S4emd85|4W7;G9O(eg_9t!cqoE1XmSdz0U3SvqN
zZU3p@=}E6R;o%7Oub+=wKn$Lunb7j3%P0iRL=m}_RP2-XNo}Zo=t}LFei$|QBK90T
zL%Nr81je+(s5U|LR<n%<1=io2&I86EkAkHw`%aJ>$3ib=eGs54!|wejC}6P0vDL)(
z>FVu+pio0yn}kc|hn{#E3+FGO+xj`g-^}-hcszH{6hu(CE!+zGlIT=l`x|G=$MI7|
zm(=4XPsOZxOR!+pH;P$Q$3BA*dgdeywTCS}^vDw;wDTC$G;a&ycy^%|zJ|eI(Bo3t
z5u~N^caCFNW1vRn^al`4k2nRH6a-OAq-&>kII?*qc2LttO=9BvAH5%K1!1k(6;nyP
zy<{ENimy&^ZSun4u@i7IHI2V@VzJPX5dI;koEKmx50eh@x6I7-Ba-h;;yvN<XP?KS
z`3tdr#ZtvIP?+eo?@uivu8|sZHGlusaxE6?unB>2VjUg?BY(rs)7w-;|Dm94T?UDO
zL_i{NO$1ai6QAX;lME7pI}ZWz@;?9d=g>YnjH<%*Pn53J8rw-)PEL;UlCI}Q?p6g;
zwGkCnHHy8mj;hGI`qG4Ei!oMKDsFF`o$W71%|>qKL1hJrIY|tvrw5H&8LEwye7WQH
z)7hngaOCQx)KnRjzR`#}k)X7xaE6<ow?AKn-~a7T@OM*_;Isx#h8ruVseEtv9t9m0
z6_tF^B7X^8J_-%#Q+w9npC2y5bFaRJHW9vcS+1V>1{R;v;ctHs?w7^xj0P_PBW{ix
zwUzl+@|oD68`v&oGgp^W;|rnPQ%Nr?VlyBFE;k!0D=PScse+54@r$lw-mB-lg-uyL
z_%mGyldYH<0Q9OsQqiV@k*=Wmn03_A1+IOA+f>}9?uqn*5YfrWS<xyHamvX>@XFsm
z!nmhiMW0wtlyg34DG(BZC&yr>Ag6-(=y*cv)XdxxZgc6NglQYkKcm2d8ETt&=2(vH
z+Q_`vtxaN4$#&2fh}bq>KZMtsN`(wm!?cZ`+wvEJk_yffvH3J`e%apNEhNP(Dm9YR
z$lWS1s7rAD7bbco67%V5SY1zUw*D3bmO4dXS8D>;#9$Vu;etm%1Z7UJpA8&Gwsu`l
zc}>NsEIxzZz49(bKlBp%w+lphg^^rPPMjmx9)H#Br)mPMCI5<(65oV5AN>vc3j**L
zx;Zx7Y~^YzT*I}$niIoGZ>ST_Hr1Af_iSTDxOo+u&!$3oVH$q-`wuYT@!z0ND}SZ^
z!o=gp%)h4czma?5cZTd8oWFX7(6r>ralG{MI~X$kIgIOL70QYHQa8=Vd*5xr3$MO`
z1V8IqB0ObPQYfyb@W{~McUQQWSJnmMCx}v;3l`3;3VN6l<NA7kUu}6QWr(rB`R}BR
zW!sY*`!rUTb6udBnDX0Je+-H;Ok8uF*^cIdNH44jU0s^zd}=PO<9)H7iM80-g&u+&
zA6)M>1?3gSD)N5Z93JAJK>W@LObiC=@299jLFOU6^4iyU@c({~PLb|h*ZJGlL|N5b
z)5Uw7o@tv|*7>t!{aw;=jx;o3YB(ls%{OrkuHtwRhgZ(EbL--<4fxZ$-{a}u{s|qT
z8*6ge(#lVXfJETVMxdO;;#pZ)@b~vu-b-wJU)S3z1K*odQ&ZF1wr%@j{Z;;YbCB^Q
z0uq5{5zz2O%#D9H8uZuL&|Xh|V#D>{2s*y_{fH(hFGk#>Tr-FhGNGa`G$vfGC&4vy
z{1Fj&BIVrR<(2P%d=IQf=H*KW^Kzm#f(hB@Ph;o741~q?W?k*Cs0v0+70Y~upyYak
zcma3i->nK_vwD3&kPp@<!UTg5MqDM4c&WXaAksHALli+~?aQqTRl1uBY6@svuOXz-
zQQ*}ag2J=RjRZaOYA%S4L32TPG;+C~e&oi{xry;1JYji}_u*!OhI7gF7R;x{{Z0Ls
zX7;l-VTq`BvvcA{HcE^S!5<+uKQ0aC>eaH;v7hRV2MVeDf+8`Ych6fUED`04P5AY6
zdBeJ1?^v<Uj~j1)!}4zSd!yeO_KVms=UvGn32+z%5h@hZG;!0;gNiHg01x{(7No(=
zt?^FmCwt81Ybg!|u4`^Jk;V0v(L~aExAaZSSz82A#<hY--_#m-t#l2a-{^YQFg+zc
z{N1|+TY;<m&ee@uwU+a?>9TYb{!#vU)!@W;q~@YD8k4m-X(-fpZg7BPu{dGC(BWt$
zT+GWL5s(N-1g-;trdO`(NGPL71SA3yfm?$By*%)wny=iqU5IU$Om7IOiuaQB?w;hQ
zs6uH)HG*S0;+_ek;AEGV+;(-p(F%#C2yZn1%OK2I#6KA%0*w){t`oOpc#unC@c8MC
zi@2Td*u3G~hSS5%FAjH&?2R8bFD5V1I=aOsu`tO_U426^{efxlcB-!>c00o?>vn4q
z5MG>wdfDyt`ySq=7pAtkwe6I-NdzPUKW_x2NzTu^e}C4kyIoCke%7G>7aCVtQiyYx
z>D4BN9z4kDaQg)du3Wx=yn+(ym(Z@?KM<h-cJrLuuf9L7M)}$2kzc7rOk~JSn@{|h
z8knogk$#3`$Kf&XcB!Wi@ME%*X?|u1SWHHoKAi#IkVulgHgD?iGi!ETbIc^sO;0~Z
zexyiv(?$607>e?;k(r%GQxh}X1P=)LWSTRtxE<>+>vZc8sHrMLI{AWvBcjQ*CD-*^
zkFd;9A|MfH4gqPB(;PDLzC=JGaK|BFaQ8w&g4b<aZxsSUBKUV3SMe59%_lGdKDQvB
zADe}mgpqLx2|qTuO!qTKK#*VmlE;TISG?WZ?@6yX;!g&NfDHkylPiDU<85E%r$j&^
zAQ8BHy<>Q#%@!@%QOCAz+qP{x9oy*Gw$-t1+v<45?$}93H~nFsz3)BG&A+u)<$bGa
zqGpX6H77A*D{idQr38U#(O;*&f3|3U%lT8bKz}WT1c*=11O#AY{JGspwDEtPh5YB2
zKML_r!)-Le&qkkR@Y19IZ_oI<B|kpskKX;Gh17b||JyVEem8*VPa`xS%7#C0v&Hkb
zGzN2Y3`z}NAA{V9Zk!0{f7L-rRRc&A<cb1*jXUa$O^eCt@g-d}q$$Lu2A)x`Qq)x1
zHb)niJDTWq2Ti1}mNG1{U|-7l<!vV>zUX7Fo05W!PSLlER&&!*P>l);N<L@9wN>`~
zcfb8J#Xb>ITP&gUKgZwp6$q_q83D^5H*ED#)OM;V{8ac(sz7FMN6^-5KD!ww@_1_z
zvE5H_q^L#>`hl94J;Be^uKLUyGqnAy10C1DsC$O2?7X91>#;P-Z?F5b{YEDI+)+;-
z%~@6f^;x%3x9qRii#@xGJ>4-=BXq2omwrCC8slHRZ*ngc_3rn;JifiO>^7<Ek31VO
zHp{NG9$V4qbbuUMvCy&aQSiOoDQAsY$$d8*PASsgxsN@}n|F?$tUju1!;<dyhHgl;
z>&#hUius@M<+6Tm#BUld^j0~-dq3d(Bgr2>Q%zK<bKbKV9rQnQr0OfFOE!!JQ5mzU
zq~P~3R!y9d(a|g(aCk7GqSGDeF{c9C{*J}t4j;EXwQUNyXJ6FQXTFw4A-p_Oq|xmH
znmY9Wc#Dc`sj92yOIajRY?vQDT4F?ZsxLHZ7<|OAa>OZyi|4$d>UmycI!i*de}cm3
zj-y=({(B?xeHyoWtOk>dtT^kc43PKO4Um}Rv3qyV6U!)RNeaf4toIx@(iIst>0=^M
z6%;?(MHhw#eH+vKytOl{O1=L_f4AX;1-wER)zv=BS7s6#2#R`e{?r1wlf&}bpfO8I
zRTrpm3rSp}N=31}Kn2KfcX;$JOcl{pw-sZd0?s(NxrM9hH=FHmH4RyW?Ce8^T^r~`
z&%xvaZf~Fzj1~KmJ=)ujPmPk$(C1+apt!oAJ9#&LT`a3$do)-1>y?NSPLWbs(Og|U
z1V<WgoEmA<PqHSDBL8})f&~D0w~g$}(FfM5v06Pm2d3H{(u=-QYA^5Fm%)49A461$
zL7NBSHBBkcqi1o)uwt|KH`u5@oh;6BFB=ssF?3@U4S`V@W9tAqw=ZVdw0A_G2NPS{
z8g$gP+nPh0a?zAwsVF+_4OfSPJt#`XLNh~!c`<9&G$13zW_$}cW%cl6EO|S-gs$$G
zX9mWo<7TK8Y!s<IIL!1l`;h&bsmn$zf||;|*MMKMs|yw>UC%I*8PL!R8cJd|%F$ij
zKa_sN@g}&DruM_6?Cb*5E@-KA9=g{a8Y{|Z2Q@{c#?r%Zg*pspS)V)ZYTQ2Dl!n$d
z5imcLSP!SLFnd18gfxf^)R~n=nq#MaMR#-eXk{zaeyces68$VeC}^6D$d!%P?JsD*
zxb7!bY16{K`LN+z;_Dk6+;$ZkEv(~A0l4$Duo`JED+l%f!*Q~t_4avl-^!Vm05p9?
zw+M65^JQf51mWQY{8}@Pg-k+0rEr=aTZPrTc;Hl5)dWhO#^h3Eb^In|5<oH1qQ@EY
zO!AoheMN5Z%5jdeMHJWB=#yt*Tbna`oVFRttHB?}sH0^Y6xqSvs6~GIilzkHggnfD
zhhy1T>E?nuP9cNna~YOs0}ySL9FFXX5VkKZ5k6dEBs{EXi5=Chh~g#%2E#Q?7Q@KW
z&95`1SSpNwGUc6J+(0o7eNrebvilzEvb~DLjiT+PX+t9}hzOQ_h7S)9kC7Dyy>3cU
z4UEp5dxVNAT)}ML>BTyp*V%|+ikciW^#wm>H6&kVTTOB3xxf4Vt`r+x2uVFI6S{B=
znBI;*WgX!<gmdije;lnX9MDVV#nb_@vNWh~Iz$>Z!^^^>!bxJ7cuDNu*GVYh;kxXn
zyY=L>*ZoKf+|s^!52sp>Eyc9fve{p}v*yPbQJ5>bt2ntl^{C9~7efp5JkbdHr^OeJ
zYlz-_PK0EiP(D(i50;^}{WZ$rXWDgf`Rq{5s*nmdhMea`Xo$sR!=*FMaUWtZMye(t
z-IwUz{kgZiJ+r&*L(vuIf-k;Y$T2wb%52hl{)lPzGc3+A@OCQGZN?qf8;=wAbR`H>
z4NzZgUqhm^Bm6hC`ekUN7Pn?T?@PTXm@*A4QhzDD%!t^;-K%qaNY&`#hP4c&et-Y1
zzk|I1B+tWvN!RpblFJz*&-ac+`cv%beM0^^P%cyvo@e5>Ra;r*;P_=ve#nTVZ3flO
z{%)XuA-R!8?8A7-f{Jd)BJ`orc??J?Q-jXsm#B0O)Gn?;_VSNs<Cm-Ri1RSG``$ib
zaYZFHNcJs+s7yzC&&KGTuZscqxBTM8T)@?+N42B}41mIpZT1<NzSlOV*@9(I&=lO>
zS6cMzvzi>Cyi8RB6<ue<%eNQgK^N>u&|F{|fHU3<-!lOZENq2A-*s0equq|94k3Ba
zJiZUO@n>lU`-5NF8D4l!W;3F{R;`b-C@glwv>-%ugtT_bz%N6pxzM*}GJ>;1<tYOg
zbMq)<GPq#RjfD-$DFzdsooe5D9ZW&WiUp|4RhjV888I)uW-1It*+};c@4|vB7CH>~
ztf2qiPH}&~KCy33QW`MFTe{?tF^mSYjE4Smdz4Z5<@-&A7~%P-tM}U!u*o56e4)tT
zG9d>Q+#`S+q^b}YYp7=p*2x9&a3(8y1AL}%(i`*R={9$+T-;9vpBWSr$LSW0<{*vQ
z=%W+?Cp~Ozp_qVg5FHKb^3eMMQO9V#kido=4rf9@=aJC;qE8aVV@3Fz+*h-y^w`Fz
z37kw;z;Z{ujWL6*1UwX?Wv%4}d8^6+tn#X97M~mDFcmYAR^!M|uS-Fb?;X5_YZZkr
z?8f(fMx9qA4j`vjCoiQp;Q}W^$Q-H3v6hyzgH4zIWy<7QBM@LA+{^R>kNnmmVC;`{
zc)k#iF6O)x8VZNsAv05_g*+^n5`<Zv9N(z`_oI;#5w%e0G^__{_kG$F&=*mV*@28!
z?@}^8zdS_TxeD70!cNCztN~t8z@)gZ0sTA0RC#fXQ9i)?Ih(QYW*^_@;Jd?OcGL)^
zJ>;-9f4jqZ#&}?Wa0TU)yufsm@|_$tpm?)zso&wU0U3k4HmTJh0zY7rKiUqy7Foq<
zYCy4?^3!EKA{PT<_tk)&9`+s$uOkJ3rox!2_mx8mM31@$7))_SxY5OxRUy%)GQzt?
z7ATzy$x=iEo5$W5T;?%a!-o=uYR|1wjaSQ~DOfTz&{;jBy0I5R9))DT;h{~vp{>JZ
z?LILNaC2ZGU*?3sIpjZ#k5T^<7ycd7wO{~^xJ_zjHBHJ9T|o;7oClyO`aW46u)$#S
zVbs0v25m-lX+QVdIf$y{fvZh=z)!Rk8=vti&oRxTlRsGZKQi}hL$+WKKiWv22NLOY
zCk0ztCa(y&m{QW|cZx)Z4U3_$nsPqfG{DEJ{qpa)^uy?$rqb!w0hZ5ctYA&%*}3m8
zmFz;;-;4RFYgKD<?Pjr&Ps=6pJHMb3;uD?~*HNMeyo~PIm(v}Fyjo4Z+d}U8y`k{5
zeyf2#WTN?P%NLPtd_AcAcumrYWWKPlqfgzt+U?DTR=E*7=e8B8wzIiX_uI?+?YZR2
z=NYx}VhtSgXd%7~vhOMX&A|RXV3W|wZA$<KYZm!7rAqkHZ~*b-JiPV`dlE_l*bg3b
z@cDX%Z@bP<9VfNlo`GqySg~ofn+2k3sKLH8)W!jSuXB?ZpJ1T3)^0=ics^q;0t_OI
zD7)wLD)~F1WbCIj5C8DOGkLMB_1wXEJzAJSxC>2P)wiXfo-Ua+fG5&&9C+O}wtp-b
zj&8<EPo?WCX~fDVCXREu06*h$gfs3Kp}hKmyAg|A(!jXijiK_RW@u;<hkEWCuKQBt
z*&WE!aiSf<oGC-`-FX=GNoebHHh6Xg{sra|7<S5(;CMO`&-)WIglmfdCYUT`s*3x=
zyRW^m?vc+kCmRm!w%9u&sF!8!O-K5E!xQ}b>ybY3ORrkxiZe<go;L!czwPKuXAre&
z`|k`nfa7rEdHD1Z-L^$H^>8${$T^ZF<Oz)i`-_!#&kjY1^2$#-Hi(l+yPYh0!zC``
zn{B#iwrRcUYMfQ7!4^p&3I}didw#kc9+~`JEfOBqDmm_QAW&If)o(DzvrXLNQVsE1
z$Km0|UwcRBAw*N<cMIY9{pkvb@qBLhEGlm5EFP@ApZbp6pWW#Dw^jpo&!jcv4FxNv
zyRNtQ2DYc_eqM#jNJoR4!}~?`m?OMWnyhp<V5-f&R_KmAgxxL|Rx*IEKj4Zj0}Wgq
zUqMpLa0(mF^3doYh8<ntOXF7l7L1CY&<u{q3ri42G1DFH9x!LHU%`k<n+<sL1ZD2g
z4oMb7Z1t0&|A7yPpf{rvs^BYREVl#S&*BYvj`S6XUMmJN5%iTqi*SC1xL5^C=1i^g
zdenoG`AP|Pr1WCBT-SgBFoj}aRkshf5-c)WGU;2wH!~hfA;$QuHkhy*U~m2Sl}6tS
zBL@;O!bn0@6jRcfzOZrLR>`<{c$##Ry0}*XG&&KDF2_HO!3N_MaKF;!%9x_;zEo|j
zJ@~{TqAXePs;(O!+179*jK2UfBO@;+D@r+?#VIaJY^Nc!NHN*@eV_~zgUb?FY&dlH
zEM8Zm)|oC#r;E`>#I2NaZccHc{39$ptl-NT4%kFPD!sUfw>ZoxPK@xnZ|_k<3UNB{
z0p7WG9tSycwSOPV<WGBB?~waYN5+HAP{hNcp@`>(t5tLT9k-fSd?8*eNviYY6!rfN
zU4Z=$x1wx`l+#s+uB3$sDBIvuD%YZMDMt{v3#g+!&}-T6dDh_Fzf=!T0Mc;9Z^B*}
zTovTOQi57F_Vu`8v$>lML~@&FXJ18xnIXYF0t)nM09F?3eK<^VIQ`*HMQLKu3BESO
z$vo@LErb`LWse&*-i+5KyaLPE>kl}?L!C;Z1_err14G0p%ojcIbG~XeDL0)g-pw~W
z^4?P@6dbmwV}gRpK#>(t-S2%7Uy4;TU8Ob;BdAwu-@a(MU`Oq|B__ib=lYVs;e4<^
z;EnbA3~&*wOrQ=~@{=^xRAf~p04ksJY>aTw==5V(g4isOt$8)+iw^^W+oH1^@ma+R
zlAbnyDdBj%NLv=hsr%<>uvzm5v2BDJY4p(X_?c}C$Mp8G^YwNY9>rl8RpnL@0Od*@
z4ZapD7Y>#SBJbw+;p=~}yW&fUpAlGA)ry$+Q1INWAiJccRX9<2&)Xwg1lU<~H^y8I
z`zK{%%+bm*?n$h+LGwABQ&QaY<u6n+zSR2GJ{-R5W*Xjw_46i<P-TESFdA~S*}=!)
zaE3t!e&*~tkq-N|fQ+jxMmhHKa1#9Xu^J?h(Vk?UJvc3FK5I27e7rEUMt2^T@1B?e
z{8^!CTlyReSrnr`iIR&B$l=urM+G80MjRB(t)v_<7vm#{3;q*DKQHc>g6jc4R&wAs
z#Te4AkwStC<ma`7fvfIp4zyn_W4T&FGu_)I7OWN=F*;@W_0B#}H;%XVg*v5F8N8&8
zC*PgKm-iaSuyMH>)rV(ONGIa09!99)`J*iKPsvttf&2KopTS&l_~iXnL7UKIAV?l!
z`F;62alyRdqS@U;cDr9L)i1(4w)GYQwYavnm3%qD$i5yLhWN>N@px~Uv_=qaF#(~=
zpAF^od(S^8<>mco{3t0vOEt#V9u-7dpu=1sk5<@imI*5+n{)L{Z7U$*YBguh5?b5#
zKS56B8g2;_HoZoj)OD()Qzqn57|!v6@N|h8T6=p@U~&Dz6aKOTLdnn(lqX)op)qYn
zc^Vkv!hj83>+)jQ_=^uBQS44}DXJB1XOu5B<fm2+2I^GX;F{u0LM(Eh=L{E}ZYMFr
zp8rd7JA}7RMZ59xbz7^Bf~0@=Mo>+4eG@wH%P-3q&Ww9d(9nUAsqbv(2}vbp#*mYP
zq|L_i0A5#w^{<Um)_qNMxL%JJ13`ov6k*PNE8iZeuSMGo&mv(@AMyyO6CVR=ofgnQ
zo6h~gOQHi+Q!Ap8T8JJ|Sf!`)X2LL!*B80a$rMH(*1)0TGIFA4KlyH@A}Jq#V7mWU
zd229)g#Q>VsIuApgh($j2b!*Su(A9&oGo9+E({o!`uKe-dmC+e#B~3lted-aBM1i<
zNpr+tb=7kz0k}T{cWb<YQeSj<BE2liD>i9GIYsX<tCa)AJqxc{+BY`k@Lfw;T=<9;
ziuUK<1M5?5bX6%l<N-^0inKp3Fqmywx-&W;{M>`Jh|d#e-FgKYW1&kpB^aYnZ1?dt
zLwdT~bFoQ(Evl%`qLv{Z?294x$v8?wv)>8X74Lji;i;)6ovkbr{~@^p!fHnp*eQxa
zdTdc#xS+_=AD!2haKJRf4BoQc<m7dlnrXFBxi+uKPf4KELC7;ZUAT>l_0`TzJxQ-_
zN%>A*!30Lg5=;ViAy5osqr+{OJQ8kO$PhK4oY|g%7d(4JK4_%|ImArZLlLoD%IS)b
zw-4eLAMu9%KmZjh04ot{2T^dv{SZb@za3bAjk@Se+J7y3jU&lYB?*Pm3HiZJFX}D{
zKk4UiJyViedR%sTs4cEnp?qlJ)5AbZEm?qZtrtDa*+TRohY*Ppf7*&*!DTRmz~^oZ
zMzvl{aAyt<u_??FH@0aDpBNpCH8blhiz9%0xA$;Sqs;?+8rlXtL)wBe49TbPDv4v?
z@huf?8rG|eB1g#M8y^gi;T5_!LsK6;RR)026UEH@S`KvK3uE2&6qK|`{dfYkMvEt{
z?80<{UkES})LIl;whvydPEXz!+gB^-ois<JPCC<QGk;p4E_r5;zyQjh<<iqkI$18I
z`xvPC1*M<QzqWTnI0gk1L3kOkHr-?5Qd~D1s$S)=XTpBdYBQL*AP$qq3L=OJujE2s
zmoYCFa7fN@;-Alnl#0C?6~HOlzVH+lbzobn))6)w@YprZPnXB!cexLyku^EoKZ}J#
z4%u73RNryySr2`X%$~E`CLj^hkgcCIV?9!gBciDzTP9?x26L@4<QxQuY!>O_h<CvM
zPyz`tj@p7A)F@yGdr+eotr1a~xzaKW?*djW+P5Tfd|{^@DoaxRd8b$>A2~YFfBy-!
zA`+j+A0+<|V5c4S9VHDQ#9*q{qXOC}aj^k?x|JJCY)-fPGsg!)#v*csfL%o&Arr&a
z8SA3F4YD3u3L})f*J$q>^sdN@rJ%|3%4HbhZO;=1c8qS{72?1gQ9|ZTfYX!NbV2(r
zt<3S6Wu8=bS7m#sEK1s}3xQs^RUpXAgW<q$Sog~*pR`W_eP&zvSqrOp-kvZ2GP*`n
zX>$c1uHcA7+mo}cfP5%i2!A8n8ow}zCX$T{@~9hjF^k)^4rK#!J*Z{-g*`qx5J5Q&
z<sz-!T!v(Rm92VLD{g#Ex-wGJZLV0Di3i<oxchAcp+rtNd>osXi+qXK?xJ7FFb<s4
zNGt{qf_9xOAmfcj21RED+($fmSj@7c^L7~f>S1;+GYa{l%Z;iDMrBkHRL;`*m=(iD
z2%xF|)ikRV5epY4JChsF{c!o%g$Q+>-KM|%`Gc@ToJ-H!h^tNISMv>#>Yf64dxF)5
z6EqmL5CiGB15D9R*YuYSA(MGsd+3Baxbsw*>Udm@Cf``&#>^hGx`Lk5DX=;HNzF2J
zez51-if+c4uqu0LS<LR|E1$D2i^0)&VMJ7{u=)w|tMgq}wL~m26l_~|^l1=nqWBsN
zh-J)4nG-2GqLJ-1fR^z{NoO_ux2{k_NL+-|mM`FNI08|_*hf&ZX-id^2|x6zEN^RT
zaPRBue9NlBVCfx{bvtq>9xW^%7kjpbc5tA@VlV<m<G!Hib3|xPuxXBHAZspd?5-TI
z_|X_?x%F=*p;!ZI5$!J5V_$OJ@p!eNs!6BWp!j})#dtAoA}}(47SBa;TE<mub^JXf
zrlehgkn6*fiRW=v)u_*T*zdi1DY@}dC@Vr+f_zFeEa|QiWh~-B``1~}ztDdQ(I4m^
zMJ|1n9@W28O)?B#&!2Syz3^CwuRS^)!u*1pHRmT<9(W{k8TogT3P}hWF&sYU6g|8G
zi7QGASQmvkS_{%KLK{MEYLH~WPu8XpN2iCNVk-2JX>;O9_O%qyln8GeP9Gp#uc(11
zLaq6Ka{&y_2`9av$3h56;f-;dI1^(F$A@RS5qQF5`Rn<-?40wz!+}4Z55>g{Y|AZ^
z2AtJ9rJ98iwJ9RWTB_X<v-Q6+I}xkUuNap4Wj>eb^6U&dT2-srcBznLkoX^_J8@cw
zHlQF@XK_XYc8xNCz}AhqE?m#uPOEi*3+Ff)VZa|M2R!yrGmM?ZT3d9bOX!ROq2c-Q
zlS)ttnDTi&(6Ay+A|#5f4!?SE$tn=NZXkYE@Hi?P3f>e9(hOcb3!>BQU>j|FsE`V6
z6}fS|su>s_a`z(}<A@|zFi`Sip2006BB>=j-@kyCuYNz0!w+qf7qY=u-P?~hW|4;q
zYEW=+fGE1dQxUwSsY+yShrtMztMZ9!_EIJ8ix5u0cPJ}B&ojVi_`Ibo$EfvHd)=P%
zoCIo|Y8x44kjDyqMD_QCMnbePi}4BPnQs*Cl5p8bS-sQG<1+d%#UEz;1t~6)8JH!z
zZP>g6I+EP-%uET1Se48K%%?czLu6Y^A?;BRg`3d4UL=N_hrAk!*59QSfX8G+z0L*G
zTSyM?nKa@YPH2YU`$?kxMaqt5^z#)+#KJ30w;+`^Ey3RlC#BPWLX{Ji)nbv|4C73U
z3g$Y*8r&hAwo1{;wCozwUzDrs{RGBhVS?!oI;*Maj1m@)$rC^IXL+gHCTdd(0x=o-
z5rV}?9$VbcN`Z$3r4)nD7jgBOgvEH5g7hO{vM_6+=`>La8b8A@o6iRgHHkLjegQ3u
z=NLC)O%2VH_;l^3&Nj0l)}hRKWr$v<wZ}gc#edHa_`d>CGCVVuj<F#5e}yQ$<2zpM
z!sW~EK%4fbon<WxMj9B4#E#^{WlS9WvDL0I+hz*!V5b?lVSdYS9S=^Zfdvdauw6bq
za@OX=XlqZ8qQ@gyuyn5?SQ0OUj6IO1c0NnxN!m5x4YQ#8nG6akWZ^^;gQ1Z;U=-W&
z*9zVlCkC+e94QTXzL6wsI+EorA{J;rOg|$;EHZ1OlSShPGwR;D9eQtMj^?iMK%Cn(
z3*BLAzNweK=fZvewm<LH_1U7ky0R!-h-)d;*id-l$uYYvlhJFJfxVOH?;K%`7FsyL
zcc3sk#61IGAWvwfULE7XwFBz>Uvp^hJ9QC8fei5um64?#j<K&0ROI|Hc(bs%le)o=
zKNpWz%c7eA$|uMCwosfBJh+*~Iu&i{TAYtgNPzjhXeZPZ-$&fZi}>SY6I3?HO)$fH
zC4LPQnMs#N*5kE8ZnmxuR=QFh24idXp@Db_<AIqJy`PII)lM~pcZauho9{=N7@Up#
zouec1DV{hv`&yW6wZ!EW<ES;{9g;}iNw17%57B-qJYVllfaGnNz@6;^pC`=c=^gO6
znj^#%r%8WgQ}*t^6mQR8<E{wOGiP&?_Vw~faN2`vx#7FBAh?EkLblXtmcT7U-@=JJ
zzZ95OxWnKBaPj>fLAuH6Y#&_}IqI!=*>J{&S1=Q|f0g<V-r=3`n+Ku|v9xKuorAAj
zm<XAndFZv4HARyT?T6;1v-F#Zfj(qnsPDF|^s=LZ$~E8ZdaToRA#|I8^F419%M_o4
zCNhF=(QABZxoSS%<jV@4YlsN2TX+uVX`H^eGR=&^1%$uV>6MQ1MVs<h7JQlKgP$zW
zbMc{8g6vD`+NyLr`(Up$|17e3_|3+v#MY<Q^~n6`X(AnimjF{;4!1vHv7>e8u@ZZo
zsM{thEMd)6Y8cqld98jTC|?;bxZ?_IAa9#$7s@|B5#96gB8VQXYN!S0^fSQTnT@$$
zabZH<tYgICKdZ=7aJQJ!kW^AhbwJ5N(;wU&l2(vgCov=|DehfdmW>>EaV20(_%V_y
zZ%BDvrgWtkVZujK)5k@agE3KKuvAG35h*R=tnr0zE^|3~9*gAnQzCS#C%bdD_r)xn
z_jMKeZ`W|~U(@$1o;>(__-Fms!sr9O-5f$RY(<Shp=}t{DRjaP9;&o(TzAJ?_>{Rm
zp|RaJ0+&BTP;|z>Bg^8wIOIHDuA<$d&lDK6e!)c^Ye{s2EMcx64QB$W4lZ*)Uv!%*
z*h1l9^sv7b(z3eU|M<`L;tyO|js0oUZMLN*BH_J@h!zXQ#NJuU#6L(O<xkQFuznu1
zdtx;~=(I{|$j71qKu@w9W{77D4BV(COZ1(IiZ`9mQ);&SIhkh^;<h932E-BotgzE}
z4|5C_S#MX{iSmYhuV5>815Bn1<&Q7}0@>_jTfCV1GrAFA&OK#hb!H>o#E4n0QCQ&P
z9`u0DS41qC9E4LnnX$FxL&ErcL1%729*HIW@#MiuvmvXiHJKlTDO5Obh|z1<rqrNq
zAbEd*)5th1Hv|7$TEQTZ&I8xtQrpWcB*$ky6{}R5yiCB7`^B||E#Mr?D~QwpaBQg2
zMGDq1jVJoifhTIdLrWgup%6KU*67I|6e8N+wj@(BGAqf`{m@$;&CU36hghWJ)}!DV
z`YkGX#rhWjc$SnBZe5+Gpd=oP!z*M@vYi<A9?8eV-%Wr5xba?>y<+8IHcsK`=RL6p
zvzD8{$Wljq32Z^LWNDSBz0+;JrZDL<;~;H<VM4CRr7<h!b+|<!dX68|7OhT*sx*4M
zM2eQM^F0qqHMeC{@O~GkNK2(2)N)ijaQ*na5ROJIGUnar&0SO-2H!K`@dmo_UNx=+
zcW35ekpO9BRY0tNKz!sk@%ZU?)JNEAzO?I6me4wNby4SEyujo$`v$k;q7v6(y$vkJ
z$807@QD(eL=PMz~FD+ChkI0vPzymMN3JgspWc=a+G#BYCc#+H2q461HR55*J@G<>$
zxY`PGsck~Y!`r`N!bT}dd4x;9^<q<z$22LV=~j$lE+nBNqw;hGA{bp)QqL^1L&@{K
zkZeHF59~g(Eas_62w1c8uzBEkQ`Y7;g8Jv@%PjLSmM!(R%Vr0x?ysh?TaoELW5w~9
z;LsJ%n>Omb?#EMbP{2^xam&ZF9vxr@8AQt`X4=TZ;|GCTaoPnvr(y{j=3m(=fX9~%
zkBlcH3+~Q~<5P_ECu1|-@|R`ZY+`V^!o-xADOgb4d8_OzKn6}PPgm_>CVc19T{r#!
zBW@>mD-G0_uPU#twJ$~nkqOotC{b7!51#5+a^O`Q;3k3E6N4LB1-=<$2-##tdfak@
z?^>uVS}sgKgXUdx#gFP`{&tl|Z<RcazECXN4-h?NcwA49SW<xZgyM3$V*sEip)0o7
zV|*6%R!7wP<p0&#18g;#vQ8r-gm73BLKhC)a!H{0sV$023QDp~RCMKr*!9ng(W0=7
zizj;}_|OeUgTA#gS>dV8)3!!%G#0m1mtMiNdbLu`e4=kLBcpTm&KqnrGTb8P40)F;
z5^UPhh>3XLH*GN4&ey^hLcc+Y5oY;`@Hmfa<p)s9{=9<?i%6C^@cSS0w*>}Log6gJ
z<S*|Ck1|yX@Abn5GJO1(+6jPPO58Z5T_|pfOH3S?lEAq0<R06<Kb&LOY!k-5{@vkp
z+;s?lyuektV{A)N-nLq)#zw&<9xiGlqwJDA50{+?v__W0J|4#&g^D^}EMhmijK~HB
zkN3&AOK|*k3W=8?<;VLd!&;!n3Lt<?ZHf*?GBcDDAyR4*gBBh*`gu{B_w9QOXuej3
zNWNmc>af%hjrhI|dI?L!(s4-m!Dpt&7Pg0zB-p2Ab*t;pp0{wih{Z~C*esaodr+}x
zruP~^ZC-sr!Yeja3~RfenXvqsR&WcSW(2z43$<488vA91S+{>tN%mEXdQPBuRf>Pv
zco<dAlT{-ZN4!N7oq~eWn7NSuK(DJVD*rI*o{)H7qS|VswiBb1x|ZgUg9q;35Sy4E
z6il=;qzzGcY2<BeW@fW%`18-7-W3B^J??~uG4aN7Wr2YRS86DlqTYk`=JpP@N~6Yx
zJ!-Z3E@$c$3i-ZeY~ES623>Ur3d%MrfIR4EB=QWL2!hW2&g%|!1YQHK;;1v3-EAmO
z6-!Im?X)VEgo?1!@I8%Y(`k7yc0=Ie1FYf(%mhv1u=)y%gp#?i`%yM@8VYL4B7^b!
zlu8dc)%eu^k~zR1A}KYMn3@{;{rw#<py4rN`vdc<<#6%mUyIH9gXsGDaP*H<hfnsC
zKNsjE#gEjGn*{I44_{0`;W{BD-H(g1z2FRNQ1f?IbQTn<*|}j@u&xH##GxD+QMV#G
zSwPE3YaMkRrQ@N#lVFvDk;fDdDS!AaD}+Qgg}@V|pi`40E)$BGL_dqjP@?M*HrNVb
zZf1u{-)yb?sG>0=ro;6s7-+{_A|fYV{dDed3<xHK-D)hI#`!KhEbkHvB%}N$>~FGM
zmTI~^sD`i*L5OypteVS`?UAUtkOSRIx3~M|igXyeAG%W}4ht<q0Ef15KwCO+R+#*4
zLxL3M^6_$JpE$&FhSqoxfmYgWSYFAOnlXZ5>w&geg55=Xt9EP4v{rU`Pym6~v+93S
zzj|GW?S1UVmb0^?C=j252@UA_*mK{o$t|QW_fZ2*9ydhQ3tXKN^f9nn44ov)rCnmy
z6{D*~Uu>O0ym2OuyklT(@leuK@*4}VK9A$}av+J11^3y4l+`4O>`_5M%PK`(xTl*d
zRJ8aK{tt=llWB$ehx|pgJt~gmZ$*^nIxy&EmRH&t0)X1Na<Ds8xzE5HgZO|2?bjmP
zSw$z>zMRu&*zHl=jNUIJWgp^&=MVKyM~~N6kZK@7?L5gRTiLSBaUy;mYen+^AO*H0
zN0;&0r9AEeeotMDGnM`y^s(qK^f6f3>|sJ!ATTZrgT*H3c0zd1)vC_lR&4Ld?d5C2
z;MdUG%ZIA`%5;(Kc7(iVT@h=5i)eEEf1#Lh5CBRDiFJSOq7oC{{~uD_7(yIyVlIrO
zX54?nJpXd;{ytlEgZd<CIhNcdRsPM_`}^DfQtv<XJATYROs+&hTIm0o$$z&of3@D0
z6a1vJT_ois+$a6_bpLN7@;|qNeVIy41^-{K_^*$D2IoJPJ+EA!^IzZohX(jJh40nm
zPb2xSO*9h!tyBNQF7)RH`xA>PdrB?cHjC%6@PmIlDRCfV#$F_wu+i7o6#VCux%C#Y
zw3<fLSC9`13hMKwN|5F4;<}2iW{~XZG9fYZWjP{sB%Sd<JM1V`X;2vtx_<Wyo9~M2
zRr$Al;r|>|zXJZ6ZSC0chu1p@4a-`S!<RJgWp@~CHki*c6@5R!bB4wy`*XYL>P7zf
zrzcUu+TF}pM$=sqnJjno4>H4FQK1Y@t8gsj?3A7MD6u?G7>CsWC)F%EJiSP8JP#OZ
zSMx8bqECl`k9Drgiwioe!p{o-8NM3<@EUjRbp1Gz|2mZaE3?=2()wjz$34aC3%jtQ
z?*Y#P&P-58CN+&2a=9hVEcZ9XtlUtk1}Gq3zWZNx)ocZMwHQ>{czk+z_c?tgB650!
zEL<R+oxFyL_F8FVHF*$Pf!v)uS-A5W3Zssela}u8&)<i}|CKMlF{o6vPG4~3s{3nE
zDq=ZZe<eNNfWF>4ZND~+Ku=0HgIapt@~MKRT9i~G6kcDr`{kP-aj~(w3U+jDDT}@1
zQ(b9UnUHKWlwj4@oi{)5JYz?a@^X46c-}@VSzZ$8TSr9@+*fbj(+&2N<h<HSV7lsy
zS*yj`t7Yk*f}qN(oHx+Y`EJ+WLo@UBxSmD-Gc7IHz>eH59rt0CGq|Aw*U8cp^z<Wf
zhJ_49$6t!xk*%~HOimp;uiqUTzaa;?oGujt3PiVdjIZZwaze=U6<Xe}U^ic^fgEqk
zqIXRMmfs7n*7bQI=>yR)!P$4K-1z(76OZzjI0`?WPM!uL;dgKPnx57(@prG%t&can
z8DFc#ulk9N6&wy=-rr-{Yfon#Fsy!F!AA@(eDX6v)<pmgY2#4;_=(<o!aSw2o&B?b
zd}A_#Ir&&uLaZpy2i>erg)p`hpQouFv;wylP@2ph9M&D-t4%v`qn-X|4CAZ8{Dt-F
zx9J7<bN$Qw;8-Blp>+4>6LbR^tiYq+&qh0L(0R8u(f;9V4qZ)h!<`MEcx%ss$PtF6
zik!u|3x?kNc>~0)OaGy0?si~JN}<%Lh+z2FX*sN?(8m$(4{w}rpBF(c?Yd$Yj+}OO
zPhu&V@rFU%Vnf7Sd~A~I{^Odil!+BS(6379bW_L?pD+m!5E8>mOBE)4URs_eUi9}S
zg8}Vo$>{q;rt6NC5|RVN^xZ**W3-<PF}LfJ0vjnDcy@e}dz>Kt&fioQzt*v!d!E?U
zE@lK|=fFB&Pd`FkMx+?_PExNv%S%|S7Ld}29$j~Ay?!Mh@4ULve-G&RO}=}}?iWkS
zJzr~ni!`azifL@d6UqN^{W04h4KDKAbMdq8(Lau)cLo^<S`>Mab+NRXqOUse8^avl
z$jAWdaDvbeYu(tME^c^4U2%i8R(}O`RO6TCbB;{am}c65xO!7!He1dgUz|KIJ!v*G
z0$Q&uj-#Ge+MUqpP?H3!%9Aa^<Rc+-dv3+O>wZBL^S>bZzTI_kv>sZ$?j;6O6cZfW
z_jH2zIIF*&-!IRu$p?d!kuzG{7^vuS`s?>RVeeZSUym%m2M|^TUbm=!d?%$e_sz*B
z(kA@}5aoydvwoS+Mb{&KNQ3GCYwt|8Y>Li2F-*Q}*I@8p&~;u9F$KHJS1bw0Drdgr
zys?tS;s$?SOW|&Wx*w{uQRBXH<pnpsDHY`LcM@`U$LQSn9_e8^%F_*BX6|%73SF~3
zSGLFawnNU~A_H%Nvleb_ev7bH4DD@klQ>&W3dp9e^LeCf_3{ubVKmx$2bp~t+zI}8
z<k13UXSjaW2PU0J`FjEI*N*uvRV60tLHT}DLC$b~LFs;97%YLq@bxV*z(UKo_(~*H
z622>{<>S>#1}h$h%3GjfLGi*+sQ-KXG2T(YfmO2tf>Gbv;%VNs{NR<K?lS-;TTc2M
zzT<c3tXWwZO>ec$%Qo5qq+(z96@0YFgogatnh%TzXWJ;9gHS3RNZd+72Bj|2PCt(p
zsmR`IKCQ$Ajc{m?NXBj}VZIf4Db<Ai!|1hkO!(yg@uDqIpPYE7inyfb*8;>a%Y{!!
zDm}8$t6Aav3IFMMia%ex$Hd*DNufgZ>aqSN%7O<3@$e#CNtu&Ms%CpJ)i-!?T^TVR
z0bIT+_~C%-m=$dwMQyfHEc9tG&$IQj4Awqn0bIJ5UoSsgjek0QtN#uyqKu?;>buYN
zS`Gb91*f#b#|@apmLHDZ%fy5PjO)k8SvI&g%HrB^?s>=RT@C`05CkcLCwd$lQJ91}
z;=1Y_bwqBLLB~TtsYdnNS}malf@s8ig|o!>yUkOx7vIZt6JcP;ptxQ#kC|9gH}g-z
z#SwpII`d3tks9`EFeC#ISudy-B2YUV$G#M(m<aKB4ZhiyBfVHOCZv8e4yh}6B@}Hz
zK}Qy&0iv;V_0>R-qVe@Eyr02(yyQxw2mROR9%$SyREcup^~|V2<idO$&LK+*oY1SK
ziW-GVIwo_6r#x{LhF2kOW1ZZGr{4qUaW2-Z%{Cg5c^7*KXLKX{pT+0O&sVzN%yBkv
zsaFTT=(f8GD|~@|F~`Bt>jh2wf@}axC;S}@Ih7Ly5T7E|tD*>$t_01>TX)K60rT$T
z^tGAR9Vgh-^y<f0Q8rm(cv-N3UvFA=7^oCK&MGyA2f6EBEdP?>?nhVb(Pdh|J}$Mx
zRCLFW?^XW3wkQ-cL2sc*jBRcztQiD;@TL1^I=<&bG&$_eo^33*KSIAded}Sa?g8O{
zzr>~S-9vtDO!QtWf#Xq)<!Ageb7=w<MB4;?B2^29eFfmN#Cc{2SL23IF9?~7T9;`f
zdc0uLJzHVysonm_WUx8iMp-BZIuKYT=ymkCU{<hKwE~FDP+Q#{7?$Rwb^env$D?p7
zDr!M-wGuS$+nQ0h{CIdKGiO_LU&uO;7HqwcKDsmL!ls3691VeGzW<Tkb~&g9gTo^6
zz?&r_=)>DRv!2JJ*C5;pJbyOKsh>9FlZ)U{o`8x;f+VvnN>3gKaYjHo$M0pV!6Quu
zuRHr=m2?G)Bn}4y=I)PTh%KLI$a?Bgz^b*FL@Zwz8G3F_3J;vi7~~4{JkX_W>*Zk`
z#w;<`7M%yoMF@+?v&ATjCp6jCGsC{5pW$;mi44XDKA7o2l9Cb#|66+E5gJGe_xRru
zJR&h5UB+V8WuHvC{#xoYjlP7B7MToiv<yRntD6*>7-b5QvOn_2Sm4Fbe|x|t0@n>U
zd?WsGFl}>gq>aQ%V+P&!6sJ&dJA5pOd<A&P-SH<^!C2^_jyVTF#pV>&8a$v%&`Jj8
z153!t35!``)z?EaT0N+SopECZ67vmt)$l+`_jw1MPHFVKd?EWdRn(c|6j&qw82P(<
zGQEosESUyG-o``1AUoRB#HpZkGI>o%7R&j>ue>-b?S{Otb8xxadK$lfW*;M+#cbTE
z$X8ztjvDgTzL%g<u#MTT6VDi3q+QIeb8k;`+YUTdeDsTtIkbB3(lo*Y!U^nPQGVM?
zsdl2&biGn7Rcn!^^T@Zl5~$evKh0!b8muOeKKTqSE6i`DcF2Qz^YHH2FB9&}lF@K?
z27BfYzH;M_OcI)B7`80!_3jz{5q_g6us`8BA~rHeY<XiBE2c#!2*N@Gcqho+Vq~(G
zo%1DLq``+&yil?8z|VB`J&71xWb^5e++rq|+F@>ljc?lYe(VaiUd}Nm{-fIhmf~W4
zdg#Ijc;63tYzM=6GbI$}3^qqsM>(3&!4qI1l&s>??1Sb%2`BflTL$t*jC`IBKze!)
z`ZSt1Y)js^oVq<<9<MNh-0dxQegzKT|7Er^y$2AZT+<p7^<oRCh$K<fMG!DIp<;z%
zdU}K~MW!fEN{i0iJ1J>j5bbA`Yc6woz`KYB44T)bBf}Y}o8wDUGczM=YZ-o5Sx#HM
zv{OMRnq%{}DOZ%kCe@v$&NwXen_mH1Dj1veQQFoOYI(t?kgQO!dFz};QOs%F)EE~Q
z1cQZuhQ9R|M&}?TU_l1gJ34A>=DseTP!iBqw(y#FyiWfk{%s+Mm6LXIqi^8^^#z^R
zqqtA|kJgpz^}z2Y4v=Z~AJGf7bu4JuJwA{Zs;Sf!Lo%uK?bUNl(a@jH>5n1$7n2z<
zV8kUS2Y>(mC4yY?D-J7g8oP<URu!7~CvgcA8{11iQ7dibq?nap6#j$V3W*FRDmXL~
zZA6Lb>S5gF>FshOp(z|exs}0xNkTvnNKZcZH>BdQ2}{4o;k*!_w8%z9P=R8Gj;x$=
zKtNYiu>^v$Fwe6DG_$>V&-8Cs&<mOo@LdO#t!7R^#GYFtg3a)HVWvPl2!Hp%y085_
zz4iK9)V{*OUuDU?R>9cmee_?|KY;k@L%tMd3pIhH&u{1bI@>cFnDfLf{Rn5M(QJ>0
zx6mP3oO$DE`<`|GoDJDX2JDZR&ERv0<4h7sP51A+wV3@WTQ*^3?ZK_L{4mIOBe&5P
z@oTnj5X9gwRHZe(O~JTZ|J`=B9fBp>K&WrPHj}G3MPpZlbkYDX%?0dz%?(sD-6Jmh
zFk!oL<nq(}5RX^9F!Xe|Dw|*<M+W{C6%4Rc7dzQhj(82T+BNVWAN*&DpiK~vl^z#^
z7Z6c;ynY<sC+s@48Cagk1~_{v0>W=2SrzR9qjd<u3acVuwnoXO0hN-4y;-X~^#6L&
zf1dO2c<AW-ixFi;amhJ);rqJv%+GyhO6@6~rZuTqkEB9jfcp9%NF0s=xQOOIR8R@g
zAQ49mxtk{2Vz$!%^yc5E{A~t*6eLA5PZAWF(V5nCP%-XwYBd7Ah_}mm2rg4K)Es>?
ze8#Q^N~)nrQ5TUiffYqXS?qUMtr}#EMeL^@u#>qxmRu$Q2mh;We=R)!=QXptkXgDr
z7ROf<x3a-=pr@Ql9cal|SZljr%gC5s)=7GcV*R6(gn>#>iXv{&TB_-lp){f*Qk~<T
zXurM3btN=nRw%Qrrr4~>n7N!!L*dcog5}f*o2t}K5pdBWzR<&BRzXlFuG!?QJ%Yi9
zWB*@9_oqX2Nd9Dyzp02P5+<{}P4>|Vv*w|e)gSQWf2dAntFH(GLw;UvhcbR~4(wM6
z<9EdqkP@r=NgEodV<EAEKp!j>8IvtE+u}shsp@LY=ZrHVS1h^7WyubI_X{@===@DV
zB`xxNM2@HjCXM@q3FcS%NZ7=0Vq#A4k%s!~-J^=y7kfU_=;U~>7??RmT?da?3Jq$h
z+VfG!ESc$$?7e~I$A;~L|BqPybX+G!AQ6&G^m$05&V&6Tn=gM_&<qu2FBTV^!0r%+
zlZ~0deV3&3r3NxCHC3Q^ac@gmY-jptYvj<~*kvn-RmQq!qW0#!jDmtHBziD0^oZ+f
zf8A~`vIqK#qU~bx6g%i=C(_gNQ*W9Jj<j2mq1Ft;XtE=Z!vKv5-d1et5>D^!<K%$(
zWoJa{GKt~zE2g{SZ~IZ0gIek)3K^a->Ku3c16P+@E78TmJ$UrQ??Xmq^>poNUI#vZ
z2O!@okmJTo6v|Yl)?~ZCvQq2WX8j2aW{DufXqu#MDz_bXKr=#!G_6KanY?dqJz=85
z`+IG(E$=5~s%bw6siU$gdFp>zWauuf2`-|CZa`gbLv-42aAW~`VA;FsaoXeLo?cJD
z+?_8lWITS8JEoP<Kq1-6;cbL#&J^!hyh@Hb=RZ9>cQ85_@V`15;TPY*4*bsT8L`Q&
z7FG};d2M3CiI5M<w8KDiRo!kk-x7EAhs~dxQ&31`3q|cy)V)4#+~H`ofquVSSd3Hl
z<c;o+V8U+u!Ww<6ta|x8l?<_eaL^}5r?We#a*}c&)wS3CSIC;yTSP=q4V#~zKYyRk
z`I}&EW_&zAh|r8k=Wm<Kt3pN)>WbdAhN|PEpeU`{vq-qsuk|F{^&U-zDrLb!K~LJ&
zr}qi!Fq7&1A=s5ys6jZg&`^69+O*Pr6sICDJ3%#0{bQy-xr7q>gwz5ZD+WRyY;s@e
zcAM6z$oey*nUojKA-tU%)ax%58H<r&C~6u@H-OIu%Q32@yXBXnCES#LqO&oYp<~Fs
zy1@bX%c|8FkP#&dXwD4`=u{%=2x%z=ExOP!Pa@j<14G1(9m<yN`^$F`OEW@~2q|`g
zzEJ5?vhCATXjU)~v%ViL_~v-He;i9*K4?%{d}ikQ?62r@@@h_@N_Yr}?`b4XfBP~2
zW?2CpXc;nOsbjrl=>-IfP6HwIZw~o*PMZ7x249MwCY(2SB^CDj5<EE{m+bE5L-@0&
zETdzzL8}TtO_^}eM|$Bqyajb{7QlQ@-*};Jpd~rJd87Xl%1i2y1P;+Uh@L*bp9dvk
z<b?e&A?>p+$*XCM4>KlG|GnMkb<sNovbJNPM5W|3L5Q9R%LK-VX1dphp1QMCA-4A`
zU%1Y562klA_R@X7P~V^iNoNrB;BG8@O;@@~J6`yF;`m#v{l?CGJ7lfEe0wZ?Y|LK~
z?l|ZZ*8aG7=*#dQPv7bc`t*C&`3$>8El$I6IZIMQgi$)konRb2b|YrFM?Y{;`=KDr
zC<P^fGcF`3L65h?U@j^gW075~e3`o)MC{=rVqNbIqpVExbG>cc1^!4>tkw?<1`wBK
z(`GL1?$oph<>wPB>5B@ejlK!w2q#UA#2g<Z=&(}&f9BJIc=WCZvwT#b@w-I?oz>V^
zVW(#VqVJCX-qHip|N4A;HJdc&Zho%D<Uqt2^h@KLwQEJ3J{5GZm#C&Mp3j`Y_ZD=y
zw0ep!m9;eSg88;QhvkRQ(SPs3{<Bp4<K0`sK(SoN>E|!uejzJM(;)gh+&YdpwM_N`
z*H3c9r@$gFLf_33Hyd++WtW|&%(L>KL>}o!gVFmcd~0%$^0K(Q3O<z{4<~u`?fkMl
zl?@x&fe&|pJ<Cf4g-I!XwUs=Qr=*}|7@=?U!+8MJgm%8k%1s7~bl@}n76XAuY>*5#
z&#UlN@27c7@%X>3nugu{957_**D)k?BZ77o)O9%B4_|S<BY~2nKtyPw;zZhm-<IeD
zg~H&5->hKkFTNKF%7m=(ZTM<RR=x;oY|VnR8TWr5s0D++7$jN0k@5I!_hJfZ$t5jK
zFZ!-aHB+M(i_kh4At`6!w@R7O>|rCCUgH|Shy)L12A5s;$pXX_^`yP^ti3o+8jko3
z;6z4v$T3RyhnJ~VKX1EE2RC|>AH};JHlg{WV*$xD5^KTD1Cu}-k_PdGKk~lR_;%u8
zY7S|17!s2W|K2ICAm6*8>$n<q)2`)a#HAEvOWOZoIH&zFuy;$gcfqM1PZ^0R4tIuz
zXgCubu-sw*Y<;s70FURE{g<<y{M6C8$?t6*|Ar$|5_t{*kS-KFPk?~Yw%_N)i@g)V
z^lg(_6}H05kt>8ltB~&d$)@hKv*=pUFhioj6x0m@Wr=&i>|0e)yh57qYTiva*zY>f
z^i@dTlKMt0n^jAA^_~W)Khs>0O(25Z)ZZ$Yu?Wk((N2a9oXdB|ARq-rL`o|tne_r*
z^nb8Xx+JPaKlyxYrx=SPVr+wiu7=@AwOG5&POr58$PcYmT|!=M<iy(&<!JmN3+0o*
zqWhmn?mvp?4^1>{(I+BY7LidvQNEkYBC0*j7GyzW6tRD#=<M0<fOIWwvKx~uH8si8
zA6!CF^F>q%H$qowz-H98frwjKqy_yGw`rGBVQLEqLS<G`Viqw@wpngPM!UC0gJznq
zAKavRoG=O(*fNWJ3OApNtxWUowR}}sqlrDlYMqr387*MIM+^-UO+4J4JZJi!sK>uq
z=+6Xi+z%;6A!Q%-izePcA)i1^6;k{}5&y-VcfXX+HzpFa(jL)R?JAR^wK(0>t!DZ@
zp8*-?8p;p9dbNqKmZZwEF5ksUY<;y7q#8cUL;k3~tzVdwpqPrF*!uS(^M8V@UQjII
zJjH<U+CleU8#SY6Z~b=SR8{QLM0_k}DxI*%_K3hqhFH{Ys|qS`_Vqswc`1b4ia<3q
zZewB96F*D%kb;ml?e_l@!~V5(|103MK>4Hm^EpAN!L7nOpT7%qfd&;@Gzv(W>)Mg(
z&6$7>QjQrB?*sv-&tjI3tsR7XipL%n*l5$?H(<cl-1H}F4BTVDKb9qMN<8b{_v5~9
z8<El9jIg)esKKDBMKMM4m*@a>nm{Befd~>O7<s)`)h7rZnr;*xUZ7U7b8!I&_RJ5p
z^MjH`Uz>*Hg5%!+7M)ljD=X**2NAuoew4Dh)XtgZCtl99DBZ_&K==ec(FMUjE&ZFN
z1t3V#po)EO_9ahLH8da!=O}>YESs*buLVowvJp@}^U8tgnMWo<zf_G@03WTB<ceXU
z?1!A!u2Sr61$P+gYs|P?{cSuJlAt%SxC1rIdLTu^vim~u5k&>ShQxFuX+@WfY5BDV
z^G0x}ZjFn`af+_wT<IJl+lgAp%1naj-}Fm4&i3u*!*(aXn6|LlzWmZv!lzV3k<GzP
zeyh~$`+HL=D=!d6Dk>_v((Xd7q^w+o8)hokk_DCF4jGx)*vLXcMrJe`M|gE}V>I_8
zK2(UziGZFMgslh;=v~iVLsmk1CZNQR0?;(RmRc-!5y)=*_x`V0Fpq~D8w(zP^4&`M
z{`&%(UEkpdUg`TL65nTskz$Y@>tGS=d(9?8qd{SVm&BRq$u$FpY4<g-X%3$6oaNz?
zmm0KqzEPks0!^>I(T&skhG8%uJF)<_^nc8u5yfQZ&_%$r33E9jJ@yiNb2#Jal|XXC
zo-6X+Q!N&>tLND0ZfIXAeNLbj2M}RYQc}`(EdRTJprF4AujB8yAbTQ!gNUS*l#r$-
zCYf9oMcYYj(b!4j^u2Cv<K6&!j)?yULg(u&Eya{nf4|>Gptjy`jKr6qc<G;D5f?|l
zfNRYEf*c%yr%zMt8F|$m+6&hPc>qI^ZH*`%;;~D=Oy75e8B&u8jF+c>9khWz%=ySt
zGP&kxk*Qho0CtvXi`#RkeGK{rlViR<7DXfFl@w8k0@#;{>FHtp-|)mIS5|A4@02i~
zpH)p>!+o}RzcjEy)GhnL_4E>WdQyQ#Da&hGY39s2GKrSy(FbBad+7-^cj5m(#JyEO
zTy4@d8r<F8Ex5b8Tkysmf@{#=?(XgccXxLP+PFIe2o68<%FLOWZ?4aM_ul)ldaBl1
zRn-SIRX%6<nO?on!{39z2Brejc-sM6Ms^ErL$QvIW?DPOTYn??h})OAeA*sWMQWj}
zmht*Qxh~d$P`WKGF6>RIESjG9WJ&q#mRvP&PT9%mm1f?KWObPiqrumOK<AqDA2Uh|
zLgM~)t?5UyCMjjq6igv@GplVFvV0(~f}S3s>m2#ly^*-X0n(F*-{sTtcV8U@64pG@
z?Ry8&(SoZO9eE@poT}t`F4bM@{im8S7G+YX9DEoVnR`|4E!QB12X+5Ib6P%9llW1R
z;~pO$LqkJjcN~8%>0HkUwd5Qe9FWq{on<bSKdrWEjz^%P)@*0<(pJ;UsNLDJo7}Y?
z`-#uFIdnQKS1O$VYpyqVi$Z#gvh66E*S;_7rCx2uls7vSA<?C_%*}3fH5h`rrv6gs
ziOmU)1k=yooza>p6^|8-)ozCsPrDu{PCcj+p+<Rvgy3qxHmIVeR2GM8Y>#PiiXDKh
z1yn7nmSbz%u?g)LheRp>9Ch|bWmgxqg-HX`z+pK(%7_PGRlf;GHQ_t=C6Kthk{0fl
zJFL*_i<%~g;_+a19{9k<ATlQjoMWPLFW4@mu%sds#U{8!rW?URN1)ddanUhhn1ebZ
zp!fO4QEoa0N$?0S@-6q73)nPEso6?~<h|#2sfAO*CV{qI`;uG^<Q(z+hQV#&GR;C&
zwQB0k`3Sr%_`w4|#S0}=@9phbjiWMui;Rp63^gRB%*Y1^2k)7mN28&kiFYRzLq<6j
z8(>38n0?9~gUJ(bxe5#kkp-3W&JRlkhP&k3w!5Ae_SDm7)p2nqsQZJa2c{(BZ5<p3
ze9~te?Ng4FkJReO6lV~;TWO8_E8yRHfeAfLMgD!+vWp1(c9_+2QeJU_E<eDo1Wg;m
z_Y3;ggFoB%?UCm+%NHr#E}}=T(|)~ay(WG{6`4r!9@9ivm3H70gcTJn>gJSgIj<r6
zms~ntw2e4|ij>wJC`>uPb*X*MDkVq|s$&uF#7etTY})skXyuv=$5@vmPE^uc`_#|x
zfFQ)U)>DGa<y)AE{UH0;>Q=>D_Rv;G<}bhH&fX6gT0&w(j>9gMGpR&#bh`4S1#D!s
zBivcdYzBKV?nQC9Kx#GUgSp)}5#Mi-!&rt%RKJlBAMiN0?+BPwbwZ7La`u$l_ct{&
zina?^6Vr|PEu0gPd|3kX$bxz9?gIOq1C6cHoLk9+WK|t~#N~J5avBq!3C8s_9ze}V
zM;SK&8v>AhRU+|NeMd&dSGS~4btxR2lvSEQ$A8p%U>ieb-cwJnNzimQVnuz|^PfV?
zCS{hS;D@ov5JV(oN3+lY&m;{}9f_Sn5f;Ygw9Q1XH<?UlkEfk_xZd49I0*h|icU;L
zC5g%=rn{X@HW1qujtnN2oE1Xo0iB}n!+p_qTE#;zFUHT@>V5Z9!{KU6xa0lpc}^h9
zyS&0iL!WXWK0H&5?|#7dO3{NOk%jj&_4Z6+YxB<3<I?xDM}RjpQ1Bl&)F0RA3nBr}
zR@d`IfBm!oEzB>~5``Zw2&hJ3y#_t~NP={OR~|3d!$nY_^rkaGR58Z;x6(7ukaOOW
zMdOu6?MyOAXR~O#)|zqn@5hpvFW)FAeII|wBE@`=90Gj6)+R9_aFe^pmTY)wbz-MY
z+=f#}ESczPab|uggiB9?Ik&3Hp}a+?UQRQP7oJ;*>sm&8uW{O|n5=-B-yVsDmqNd1
z8?P>$2}l`<5C~}IcOd=!3wpjFhj{A)B3N{|Am!Q-K5Ky>da)8cn!X)5+_f{6*ogsy
zOY-2(f^tW$XDqtFI@)q~_wRdX8{jHUtv{-Bz;uC)OR>93O0TMa8L$x>I5MA^QVnxQ
zmD=H?6PHSvj_cZo*&{E?zegC)qh9;Yug@RY<EPlaCYZWYn`yQw58JTHkGx*(0~VsO
zE=#3}00iS9+pgA_-48e4#=(`9VOQL%@cs1S2h(5#svs<?8OKFWFwp+MK&KG69~!Dk
zI`F~#QEBBvSD;<%qAP2pGQlZ}iDNpKz~S$-BWq>5@4(P$H%MtSilI4VJ1@F4-TfM8
zG~OMGa^H>OJn|~FR8ClI^CdOmFI^<=@T3dYb%V=ado(^jtloV!m1Xvtz`l(jJ{9}R
z2cG!~E_Q}W@*B=@@3<r<xr+8fkC^cB<Z~3iiJ)9YBS(7OHuSEpE(SYY6}053X{4?!
z9^*dA_W(%?%}F(LF9seIq#RsKD)TS)aS$Jtcf@bYmI)*+%j<~`bbHB%O9B4{WT*~e
zguey!*H-V9)e=J4?@J0Pk>{)EHc&@S*g_L(|HTsiL|7;}iXi8LEfAbAl=LghBj4SS
z87rx!8m+BdF4D!h1g?e`$i(zlrmF+HZ7f{5WD?)}*h;P2?T?lg$9eGQFx=|~dxMt}
zhublt)mqT)=Hz|Unw4By=mcoLiIO<U=crU7I@>m)Q)w@f7B$GdL-r<&mXE@U8rg7Q
zs}-&;vEfXEf<YGr5TeY@EvV=He|i-^kN~5;@DL5?)x&#sr$&V5f4Ob<;RcGf$y@^-
zu>Rq`u8|NAz!^pZRGCo9g5F<l6y?&{U`R+vP~qda&0nAH=EUmFbg!KiP{U7!DHjKa
zhGY_EJuf>o%02Jb-DEGPTtBLxQheR$z_IIo<q#X&2?jr^Fn439*L;Yv_FgsY?M!;x
zBb{k^Yy0-_^}Jtdl%Aw_VBPd-jNlLaqd^^X$AcwU%!(wIPOn3=?YCTxfG(;uq5BpH
zjcXXPY)5CO4zN-3l1Qo<+L8S2n)k)ns7RDL^SIFk+=V_gMs(mIjKMcmi^<_pbb#Qi
zEI2+QPU`?50L}LuZe@6hgw~cyB)ALV2S)_c%yF=hJ69yl^8L@r5rI}BkGhVTQtC^D
zFzPAku6~A)b~id0baL%fYO_$F@CBV!Dyu75jJEOvVy@Q_A*wo@X(!4>&`_VC!(Ivf
z+`L+ruZBB#LxNGE60}BMi;^6Q<6)VXyUwXS7qwH2$~l#be4s|$>5FA&+Ha}?sU@da
zuUnV1$1{%+1P3OahO4j>01kDNI&Dc8v|EAytv5QBI8w~k1+~;F?EO~N7vT}M9p~{6
zw%4yoNGNkUQ=M??8uk=P(8F>6!snz|Z-5a+aWjxN`Uao+B*Mnp$E`{EMpsU=-R&~E
zdBXz^4vQgC469@?><SAD#5_n7RoX#SJ3y0kh{69`%3-15V+zsk<+^0<oM-&Lfj}fW
zr;Hv(ZaXE}+r*y%&!ngjKtm!5m!kE6?`}a=<!eHx=e-CYKC*h$&eI}lH9t!@MKKa$
zZ&gZ8NJdOGcr}9?K2%h<f2D9IfX^ok`x6}H<PB%f4;DWO6y!x>!t>!is-6U(4yMW$
zInuyD<ahp8*)sk#0D|a2&Pdpr|8KNzk!srFysMd|<#g(SXw`OSF0tGq)lEZAQ5>dE
zy1`QeqxwXBeriaDTX%K|gHUN>amYKH#wbsEPPB!S7Q8I3Aar|h<N$LMbmG`4^t++g
zieo+1JFQ!BB49?7YVTw<9ACa9iPaePL$F)vlD60b_W{9s2GCwla*0+yaH^ePP@4n}
zt33#`cSFG&)s~MPO3m2oCGKMZ)WwBTKYO~nOZfmr9*~W~+~+t9`vR>v@s%Z84ns{V
z)PIQ36tOukVxY;_ZX6q_65%uBoUb<0Zg}0uL(8JY#R+LPovk%1qRR5bR)3SttXbsN
zLlrYYNB25LbK5Bq<p4HbVcv!wgBq{e0`G308(?zuPxpr4{@^7h#e@L*64Cf!So&Tl
zmmN3J<TDWulsmZU`ZK@GPGk}|PH|@aDz^)m_G(K`Y?}EPQx>^L;`tgjc&h6BA<#6q
zQGqcW{|KNsGQvPRJV;BQq4$2gW7-lN_R%gwJ&v036wO3{!?e!H*ELfsXi9@9&&R#o
zpC+QJY@sFSLTTBjN}GJNLfgq@i~Agd9H{TZ`Q_lt+4DI)zAi6z?QRJfR~wW{vw)Z_
zKg1Q{mAG)9-Bp-3J__@C-t~>R-Y?97A3iAA=aPM*vYf<5jPX38zo{A+btb)M&7olM
z`&0@^c|kZ-Y2d$w7}6Ghg>QvPY&3@i<^7!pX?3s2cQ+xZOpz?-kzFa<CZjDMQ<1VY
zGv;X-gAVP=1j94Obxe!(4|ks)#K8xpR??q(#M;cP*o2-mISig_N7rO}rN%ITJQ_N|
z%-7df8s7mF<$~h_epbOlNVDe=PcR)%-fmpdOZZJD&}_Habr(tjE?J1ok(_LJcp)~?
z@~k$I!zwJ&#At^^$7YFjsP)%fWA6YHYCW^n8&H(8T;CGRzPIY);Q7tR^X3?cG2Hct
zio@$Bvt)z7|LHm=tn8=MHw6y<(#E+=!IniwjgQ9QVYGx87pi#Vx!)NYkQUyQ$zfwx
zzBQk2%lmludfNrZ1FX>7h+#9?zT3j$qsO}7=SyxzEd=-yZ(q8D|JH`~{zWu%<ifW3
zv!_7U_vnQORxN-l91B8%+!{$ymK+9K=%}VdNjo*HBal%^#TlY)@&WOrk&*P~DrKYu
zrm>G6yO*#F{a#GoC#X9AHl-xi`^tLRMEU9h12m>aZ>CMPGO^sd^-)sh8MR&YS)zYU
zDnG0U{gFyTbQ?wNnJ%|vK#PeoQ)o4ti0SG={;B{kbAA_2Q_l2=?^??}aNrA+yP8!e
z3hTbw-q5SUIGu?Cg9=#$v%`m}&t*qL?vrwMW{W1^rA(uO!^-gY2Yq?ijfuwyoj);N
zZ*x&$Qb!@5w$vpBZF4<au9aD~!KRqaUY6k7MiW2VY>f$S+<IypNK^fxM$(dn+5LJ8
z=HYhxo#q*O!|PHtH4^=*=>%v+hN(WbM;xwcMtNi38}JwZ#)jm#=-P?m2XI2V=pXXL
z>`_>Z0^v7e-tHz^^4Exuho_(@R%&bYsd2!Rvm)Sm>jP(i0AW^k5xvLrjSqz4l?SY^
zM)k+G4=I~l%;_11xGh;TH>|mk7cWa$#F99^j3=fYd>hr3s3LcAdG2J(YgGM>0|ogZ
zowFJi7C6qAx}&NVBma@mlyW??e=<FrhW-`hlTz_j!Q~}MI_0SIuy8(jT8NTv#vo)&
zXc%^fLFG|!13)f21lahx(Dim_e%CeN%=7iZ8oFc>!LlOuVVXy5`VlS*3Ni61uF(d@
z)%S)PqMkw{=ldtiv>U<Mm|WY0!fN*VZ7Dy4^%vyDOP;z+6g2nj2Hv!5UNnnI@W9;9
zbdnx-CqV?fu2SkmMjfQq->F6LQN$lSB2rZ8P}c6w*EGVd9lI2drkcAJ{4j5GxN^qs
zx>}yYuxj?Any(-qQ!3cATTFXjx$3;>JDjZ?P9!x$6s~UbsC;h4%jQ%wQ?MUSrYATS
z{DY@-P5(q(BBX>QF;9HR)8(GNasxpFPJm9=VQ7i7tZh>+RZX!U#)_8|n8P6}BxhCu
z*IF4GX6-`4ytm-C?JDY0^vRn%9$NMUw@95=ZQPn3tuNe3!+D-$QM$bx_CcfGcHbP<
zQRJRdBo<{*xj(DeY<(=Lk3v$|$^qP&(1ZN#5xH^&%`gw1e?`(an8T6BE8u99aeX0E
zZ^~j^E6>a~Yy9B@7xq(E6oSU)_xzn`lz`9g@dZ^}0SWvRT_F?Gn&0DAsM&U1yMx=w
zi2&em9!kK4N#renN?DHq>*%eb{6amE`I#9lC3y{tU$nitW6I){^y+|$DE3OBx0}{m
zFr&g6$nYol)_@B7^j#?ZbY3+2tkMG_p%3l)>T<C_JTes`0n;J1B|$Ei0hAphsckXm
zvhHcM!tUGpIo!7B{yLm@mA+qPe|JGXS6YYv?Gcw5%%E8-sx|?CS*0jbSv$MlhjvFu
zhmsgP-mpJd8k6k#{<0eJOgkaW9t#EJ*VFBB0E2GZ7oCiS%KjWh6#I0aiiN!$sk6+@
zEcVPD)qS@*4)o8k|1hb4Aj$~jxpVEJqJFEpz7K@zqJua(EA;An=bI5#_0_z_S+oom
z9=(AVKc<GA^%RuPEM0fQzqTlT5Vmab-;u@mR%5<PK0sgR*407NVuVlk8A+4n{W6ow
zML<P13audxi;7BO*(oe8mhm&ls^TV1P>_-eMbB09!sNWiw<|CdL_b(yQUFB!iIYy{
z^yErr_cWDYk(r*Svx<cC9<>p=+&MSkvFyFzb%E=!{V)*Wl#odRJtq|z-AoOPg-mRS
z#83SkNte#{9Yezqls-(T$bL26W5WAmH}+t_gyMOU1VRfJe$+2XwCZ#%^d>2Vu7GX|
zv>z-O_WlFl`S84?h)dn{0k6A^Ka7s#Kc|LL4R;9$JZz8p_7B$^qS#gY{GvbG^o4g+
zOK>ex!^bBSJ0%v9zyL6ig0wZ4b6B;8w(skHaK1AW;8yM7Y&TOa|706JrU}`PQiJ9z
z2h^|d@aYp%vXt?yi{gOHY}i_9>UTsPRuIQ-$<%6im^8%Dz!pGy%6I4})HApi>!UDM
zIJHT*44pp!zJGz<KQe_9U@2LG@WlryTCVqz@{nt#2MRXk!`(&D&kh6bFWX^!^e#$%
z>{rX>x}YHYf^fzZRx*=knxMn#zbvu~Xy8T}oL7MqBYjbUmBXntr`&NUx^UG0C%5ny
zm~Zd!(e^MkmdU8Z*~u|nhjebr)NF6AW*S`<98OuWu&zE#vKNplL`y~NbAaOGNY^Ey
zm*TTLCh2<}LUpWso0F8l1Mqt2ko<d-{Ymi8j6nlx42(*6(Ky`*Aa9Q%<=YWudUb+|
zq`k!z92_yswe&Y#59@)pwMs7BgW{H&TPrt~?X@oAuE;p8qz;yz;8J9Je`57ho}+Gm
z*8=#%?);O5ppWc<fT855hsZnkznVLD%FWIFamsNKD5C3I2uXrHVsaNjgEgg~*=FHz
zK0z~+ShQWw-cBPEK^scxcyue1DsL9P=eu37hxwm#@|U9MfZ`wIi^%{EcOmDS)3{t9
z!~-!iEf(i=CbT#|Xpq!%O1kQI!8b~jf|YPE#CF)-U_=Q{W74iC7b?1vJIUKM;bRza
zcZ^vooI&lfrWfQYaTDfUcrn_=2vR_l*cD9sPnmO#Hr!F_^pb|mMc%Up1c>$|S{U;r
zl(16Tu22_}ETiiu`TiP<(czJ?Mxi`QHrH8#|0aq4m=7UVG>e6-c4V+Bd~RsFO(#*8
zd(r@~tJ}%>iteR5Lk$3`&t^?Qm709pgxD+VPn3ZVw%{`-BRn1u&3pBcgn|sr_Y4>l
zuToF$Jc7XkkG}{fN(!c|nHn=;1oq`Kx9d4?I1m)9uibfQSwMH2q~73FFvOl(AnJ)e
z#Lj~EHsZFo>GhhL6FN`KPr%zak0oVWNra?03eT@smv`&e#%ruzY*?1$98Iun0%988
zpOF1O7xHgWNP4VL0XSM3z|RJ1x5n#LVFHI==|sUY2!)EZjzTu_>B)^L3_SRAMby&?
z+ma(m@{xD{74VgFx4i02YU;C)=9MP!+n_S=Wo%e#tkz)L=BCD8P6J<dOhiZu`lUg}
zB(C(A5CFCfz>I6R$wJ5?$~;D31>|+2OZMr)m+jgNUj{M0dV3LQ*?Bv3I5R;+=taAq
z$_T0HD{w!VMh7zSrB`Yuww$ig)a;jRx1|UQtLN<}n#wvMq_1^afRkGn$=<GYSp@76
z{H03`fZ_V_1+SwQ;>(`(3`Eba{2u|pkI+y0Na=3|94bt4c{RD<G4#*)o;!*=Wsgf+
z_9~EOf>)@6Ov+1}vW^-kwF(U4C{<jl)tN#@VMy8DAC+A;HzjB6uAsddEFcLpS<qvC
zDD(hlYc=bitbuP+IY*pU@LjFG3<A%;RL@u|uGj8%V+op(IJ<tckKyz1U0<%%*k7<!
zu6n>zCP<AcA0O=EX9R)cs)*H`R}0o~vEg6JpMKZL_Jq?~f&7xHN$22bg>cyyH2#%C
zqusGFnE4v}&$E(y4L;z~`)K7wi?F70Hf+M8)`nAWzsY3rr-7ddhY5W~WssN5ojnOk
zgb87o+x)Q+h?Xef4(Ps6=~=2b9YI-l1)%Dqr?>Qg^|ytPU5fD~+btvEX?cBpwq||n
zFv1RYy$Jo@jan!-Vg^^l*ED8GqAY51tE^I-6}$BtdVc&m2jet0TSuaRx)+M}ec;yT
zhM5HjB`FnIRuTFwV$g`nuh6lxH6PRzl5CL2a;m4<<t{LVoeG3KERceNf-aSf%EUI~
z59+uNdW2>%O{OS5F!JD}%{{)f@WJwfo<jf9b<ry2be^&Hr@sTTM7GsnyI|E=wbY8a
zS|9;OIp=;X@?)m7=F)%<agag^<cn@X0Q5q+zjj`59uT}DNaf{(+M=Q_(kKCihmqcK
zj&($v9Hv<=JL<cFC^800G%(Tq<w237gLg=(|1&)aO3`PEx}SQWaUIK9J`r{0Vth&4
z2GVXMBxRpDD);>Myteu&RjM9OTVnOXj89HaW&2XaJ^H99D|a6LsXdVv0$>Gdk`6du
zqvm8(P*dA?c6WC>BcLjx+w`?1{pCJ4NQ3S?kyXJ>ohoJo&cFwBG4&Rfi<0U@X4MTy
z;TRp6%}S`_IxlIOyPcaD8s$3=OnR$Y7M!tB)}cB`eaM*l2Gk=b>QLbk5QK7LAZdam
zO8LQN>6eipf~b@LO3@v4Ea)ldhHHLg53c<lFO7%Tzee)K@ZyjRmlwz=k@X2=(6c!#
zHoI8a8t6!3=v07#&ZHqjRv}R;P}bg!&{uOk%G!h9eL9Trwu{M@sWI+K^s3Ns8J#Ub
zr%FP1zz6-qWQjgs;Qyh;S%Kk#Ky$FMP^cZ?Ms_%NP>3G{mbV^iOuhc%{nI;Z!2~(H
z8~&zi|6`*OxWN`?K#GtP2ovYHG`<Fgq$`NAL1^ounitWkP*8mL)V9Rgt3pA;NfH<L
zfMj}I8z&x`T2q+G6;0%`5`G*rIp7&_u)V+edn>%QfSGs!Ox9-=GC?;wI&UMkjQwa?
z0G*(Z=0^T->cMJKKa>|YL_g+W=c&~x*6=6s&kH{)TkHVfp7C;GDvZ83F3e{uzK;p+
zxIGkXvFf9~MVujK{^7`^US||%`RZ`EH@oc027&jRFkn`jf{DG?y){f$w&$B8YBy_k
zsott_ujd~QLklQ~gD&#m<3^_Uj<u50+<wy^R)#*}`%T-fmz`Fp+vEmEmI3LIq)}+{
zKx{?G@8k_U7L#v33-d`_rgcN;xJ}IPdA_0gj0xRFoqw@B7P-Mxq#Y!9Jl6o;`Eg!!
z*9mU4GGgvy6uCb~R9{c6_J>}~V|lMW=QiYGllYKl&Y)$K`tUobP1{F$yVGQUyMar!
z>wx8)ZiBQnA^t%4h_fHRQpiLiVk;2#z*RKu{2n*H*87TtDl>OIeo??=ejub^8HRMe
z>Q4j}yj{**z??6M3Ngm-7cO!mo+g!*fwN=*3p$k$f73~`y2tVNRm~Ro{bu!Jd?Ory
zkiV$+PiS16ev}w;CXP5`2pH}ep!ptc$J8??D-p=DbvJOMx<zF#o}+e}mP2z$0=;wd
zZVLHf0J8okeGQ}ewmWD<XGxmYBXo>V;;Np^<6Y#U&jY2yIg&=%QGm$GREKfU4(1A~
z7cg%Jat1=A?gvUQu$SB=uGqLF$zH=U`LQSCX6)-@Dt)7$j9uvSVo?)keBlX31rBlF
z3x0kOG6YCnx0wE=S#@(PiOKPrBB%d{yy1_rReh*bA<$UTguZD(B-88b+QBExGlxD<
z9gbBxJ#id9`EY<pK;v^*bI;Am6g6}w`G;W8Xbr~RpZd2S$PF#Fc!^24^w7z$W+pk~
zudG0*KoX-A6fp^61@&b}v^;Sg&$fv3ibIG~qn-wCvP6w*4Y;-c43BJ}v&^AO<{G{F
z>(Knm4gKS8ULxP>*tcujfRT;HH4>g@2L{r|^^gE;GsV619?#vNl@*6tvb~ubx?v&5
zJnGEHF+1+&J<yX^D#Wwu!<fx=s0IqtpPer<{)aU8!?MoY`iGrHU1##6ViIBOi@Tp^
zy&J-4g|{42zuE_d0c-+wqB^wcxXncYe*awVf0MylV0@%ul<`EyGpS(64jM4Uoyrwu
z$X9TU@j?H)Yx-9(B)8Q8&8F7y^JcYdT!XSU@P8?LU12`d1FkXrF@I<}|Nis8<Rhga
zAJFLC_wB*IotVFO=$}(4v_{e6FTKY9o6qt8{)~?{<8-MDV8K|d|K$$-@g$p+kLTOm
zFW-#(ajyUCEq)%*H3lk3*m{2fz5n@x2HlV6H>?{^ll@10@%Il;NIpK0-@u*uFD1!;
ze8$ZG{}b@NPFd9L6Jp4%egQ{yW1Jjh8bI9|#rJ>6#y@1K<n|l>Vf`21MT));jUzY?
z2H}=+8E~W;GO&wC^ucIywkCE%Y;gYH<5d#h>HtRznMCx?rRsxp%XecON&0A=$Q76r
z-U<u^l39+d=7^ZlF3@7iKMarlmzwC0Jqa)ZMZlB`G!0wSiHR;~7d^aGJC1kq%fea>
z9nuM_5uPnf7>T`BR4FPNg=iYj_#Z1T_mL981}q7#6n<$B6goXzAvcnCDG5>w10cSq
zy3V+t5C`J?k7(dSq?rhg%aE$Xxc<UFVp{yo%WUC7yYvnhMgF(SuPyKY^~O(!6sb~v
zS{X3fHzQ1w3tG0x|KqUz1fP;+viwQzZvXc-`uA=B39XcLW-GTEfmGsx$8o=mlE9T0
zpF<~r!=+UQk@rl!eStpBzYb&+&m2sZ+XvRtvzI1SHyYV3^#6LFPz8m(%zDcVNxY^J
zdvYEZ4TgGxnw9(^7Ibx}k`Of2ZJXwxZEYqBthj`qsW|RlF#4=U(JI*N>>IMq-rhlO
z?uh-{wGK6*tN}K}SmRo3avBs=7z1gkjqzYg@NL#9fCp5f9%HyZLdncBk9508bl9^i
z6r9bO;Y{ed)QiRz{htWR--A7&nlbSYlgkSvAwz5@dPbu2K~Wl$BCcKCBK(O2cG;E8
zvSq<20*McG#z9||#f;Or=BfIN09D$=F%kV>Yna~Co>(Aj05)D|3bkcXcqe$VpGa}t
z8_w*`nlbMAEFtE4Z;W55bQ&pT-E4TBbGkoiqX_$EWR055GI##efEmwl_p8v|`)8f4
z^en3St1&xIg92mQl*l+-^SA}jkSSeTWpI3Fg~Zu!bJ5(QZ6BRGr|8S?fm;7=f$W)K
zGIK!fqqA2=Ux(<+(Skc`5(gk?W#V^g?pHKw@6;$H_&w2VbS=L*Mw>AhGzN&_U`Qa~
ze`h9e;Yy8#$&m9a1>t9YA5(s?*thC<xZ_zSaAuW#$LFA3=lWu{k0KHdpb3ep1Sjol
zmo*xlGtJpq8o)<C*ozwyF_KH#4~O=l)vB0jw{JyJCyS?zcaEVuS&>S02o8x8E>i9x
zsaHzQlj`uigy-uz6D2P~7cNtler@><a#PG8v}NxBlC52fal;rh_|uz5q`)ebA_2}h
zt9=F&W`@S@G)#`~eIBuNM9tpgUBM;}G$!re_f=-XKd_a#4GR{AKs21r4xT%qODMac
z--quZb(LxMNQ-ejGcT3_Hsk<uBJN0QLLVfKMo8iFzH47jg?{=aIdKUqSb+^>Nd{in
zhEwz?7_jz!N!y{-EKi3kcgl_c5vEdoEZlGi3@c7|o(U-y9ppu3+<-Q5(muryH0j}5
z*JlT8njz`-5r!k2(!L>Y2PW7&v9h79w{-*h(Y`9tV^mb$)`uhKY;1NPuHa#@t#Y4N
zdoI3@64gW@D{{$P@iUH7#)BAu#GaB2BxC1k#8iH!RdLUebt6!A=$S_|3uowyj0L32
zs<jyD+qIurC3k?R#Rsx~H+U9};F)H~lPp5KFbLZ3LZ$0$HP~|IE<u(jh|n7N6cD*d
z6?-ExykX`7ntl(cyk<y5@Tn6=D|X;M9={2Jybi=>a@bKx)4&Kzu)bOE9%3M~Ht^xI
z{d{7ryVoMLn2SXSV|F*zdm1mS1|mUd(funPqn=<g8wM+-E;ouDV|tVj5j#X!qev0l
zKtl6oV0#IC!DUh{9UXb4n566Qy0M2!I}1S25<R=kmel{{)+EdE+Nhn4-Pkq;S}8Mq
zH!TPo4{eI;LkmL6#Pu26R00lmEQ-E-^S^d^Ei_wako06WudaF_aq49G<O1*%CkMld
zU8erVf$aw}nKuv_88=k&vIUi56pHC|MNz2=ejsF;VIW{hVdw}dd7C*3NuaG33$x?5
zKy=YT&u5L@CiCQcYAUc+2uwPkUp@fd2HuYDR}3@Ui~<>K6kgXEgoZ(*k}LX>KxB4^
z41RZKD#8b1^i6&yRJV>N!W|mu%Cx54Gj4PID$GV9d{Z<6Ytu$J^@tMzw<ZKMB^6{V
z+N|ozM3l(?@=455KOkDMfqSJg>fkWI7-T}5580SJkK^z)xm%_zH*<4*Dha3~&rF{8
zr;k2kLnhZlqRrC<#G#1b-)K+@5&WuSqO;r7wSyBAc%$?B#A+q*O@8F}$+MP_^vFm3
ze!GZOeL=~}XeW=&47+QfFafnAF&s3=cMXg2Tcu}YMI(!LalkFZyjO!Z$!F^>(25Z4
zCvbHDo!YF-0#j;#h}*gN6Z!Z{vkUkPD$kIr84ep)YmH@E%1mND3`zb&Fp{u&9jY+|
z)D^bWgC^WQY1RXZlw}0(o24{4V1&2<mQ2h2;oAv`#z<^pYG_M50M+eGX(mBKIZ!@w
zy?o#$<6!5y0*XX{27+qdk(L$sWt}?VO}QOfdFUIJig8q_#!ou>BnPW)+^^cV!{wX8
z5rklF+5dk0|8UKwh-aMrVPGI|t3OeDchp?&##l%?KDZo*Z8LU%dS@`i(xt2A{)%2c
zAfot2pmfadFn<Pfv|l}hSK&(5IU!*b26jD+Wb}3_nBYS~$B(ZvX2@+Cr4;*}G(6F0
znHPIr0>0-BjF<VY7HL#QBJ4TG3p(HhDE0u0uBKTO$)&C$T}cVo0d%=?N+D~GUM43`
zP^w^|mMX2)sU%-09n@fu6Czbo=+4;#q9(@Gl;&+3Lbt|1#ODtGl`#Hq_br2fA0?Wc
zn1`;e0Xc)Oi}W3}*pu!kLhyiJgjQmqNTBOc=pfvINbx*blaBeV^<_Y(PV-KI;En<D
ztnpxz7*N2KWkcD+Skg#<M<P%(IVZS8;8h+~L2O2Yd$6cxEt0y7Dc|$iej<YlUpULi
z;W-z&Czh)97db_-XmQlw?vj4czD|PutC}&&0i`4$={PKYCnc1vzOQY-3ab}`y~THx
z>&4-SYw?UHFrI~^rN+vU*_WuQsTw#3>($AR_^e9f%^qg&@zj}md?`I3VR^V4%^lE|
z>zSHU;ga$Eci!Q@oNkMs;OTNqany06K><Mh%p$~T^uuy94=OywG@R#{;r?-y&@O&n
zSxEfkUjV-Q3s|ql>rbCY>cE+HqwWQQ8ee1ptTjl%_p13Fecus$OJ;wwpktUAYXJQB
zvW+PW_kK>R8(brNusHIpaVa@Lc0SADHNPFh{fvg=bWdxYqZo@4&!h4>J$E%lP+>?Q
zLKP>I=oF(VD2<(zA-=L;pzi$Md5zL#ikgGHKbr$ti=q6e6`%Ul?=Q{zN(|^)>6C7D
z-%cUG7Q>Mx%whQy2cq}Wdy0(2bUp41on9@5#(m6CN1krQ68k0;9!q^V@zODMRg6wn
zdo6a9)HI{0eJo?cm@L*r>(o^1QQuC!QDUkoG~Df8w<{LE1d#qeE_oimVhlM2yVrc*
zlJE60tQ&7vtQ~5yKk^uF6%`f<lNRw=Qssl(?>gVN`!754)GCzJ)fK8?+msi!W)?S@
zt#5E0)0BmTdv)Je8WEhL3H^!Ig)lKNm3q`87NRYXqG3_>1%^vDpG8XINq9MPcCwc#
zYQ@UbcIy?p2F#r!$jR>ULOQ`28K04fARqb^K;@Og{Ob1rx0|7-XIG!J68V~~c;EP|
zI3)%f1PhGc2ze$57jRNs5PSPKzs4<cO0Y3wU>H0ekR5GyQ?;pH?bl=K&}2WDu=BM!
z564?SEo!l|l7QR@uK8(T$`AKAHENi{(Yxdk=)eBrj2`X0UMSp9i7a@MFru62?G(J|
zWly;qd|(jPe7vW8N!|`-v?W5II4!s{-2IQl#GWGP%+1|xOqSV{xEYdxNL5A((+d)t
z(lL1n9#EFnhRT*w@RdYIO_TmOaAa*7G7bD=r=RZoG8A;=_9kX~Jr<5iu6S08p%nR2
z=OfB;A~Kkbs*hQj{?w2`4e3uRuUazv){;Kzh_KRhWhfBp<>T*-1fXW9KQ|t{8Epwy
zcHwLHlq5jl*+I!e9^JQsv{DTBFLt@Ib=@~&n+Ul4H8hC&>f{{`H<EpBB--II5@*Ub
zL`JJ3IdC8ZtC}Tfb+?6lgi#zL5JY_Wt!s5AMy41=+ImTUqD{H)4F0D9@k<un>Y$UW
zELOeXkmnc6fDZJ4x#$Vxn#&b2ia<6xp+&Hjtm7!_&U#us-2V~L6I@VsMQ&Y8>nWbi
zT=V|?i?PG?T<X^1P_?tFvl^=S?lQ2tX>fbA0!o8X@DNIe+vkM}fl$EXBL`93$Wl?v
z!@|nufC(=)QAdHM8RH0<I3V2UB=b!}Sz9wuuCDTz^U|CLDu}dZ*&Ld6BZYTuMqHe#
zzax+C!wLHpS+68|Mk}aUMdX}AMQny{q>)S`!PzN{Tl4B`twthA!3gv=Ki1hH%#UDy
zvL$LnS%^8uF@t;s@K}uKl;N_TmVI&Y5$eXCfK~LhMcuPfYWjf1eze6pmBN`WHgf-9
zi0mER6%8eQcIpXQ5gHdtrXHwfJr|q_L<AF#2$Q&jgKgp3Xoa{MlyTSs0^2vg2ltJA
z`y06UHe##Ha<vuOkg`nw7hHo9Cnd31B#4YE>8!w?nId~CiwydmxEChLBDi=!KK|Uq
z-{vV#NwQ<fIVE^n-C0IT_o?4#{y*NCHm4t;?p9FQDyUi^N}-pnnaBIr&$f`wz=C=*
z#%5@BjLDMDZ_(fM{G}Zn3B3xAAanCbMZu6VS{_;UlKM2o7(UAbUBTLWex~+_Q(WC&
z!$)5D6yrr71%5P<u{a4uU@6zZe&dS|o`YrOI}(|RjZcmZCs;A#b5~RBXg3q|;ZF5y
z50Ox}OHYcAgz^Oj58#vCI`<ReA4F8b^73$Bt`n%gbbRAXuKLlSpd9BuyOI+K{SlbD
z$R-gv*3VyGg`ab!DZ?VHFKfg$j_n5+U7zg<EW15?O17C4F4gl}4@>M@`x=nZ%t@H)
ziZkR|g^sys_mMitLEa;SQzdpllNEzRm@NR>Px^T<a$$g+@Ar)Yxk;jQpWj?R!Q}=s
z#Owxa<&!nm#;UzPVDqeIB(cSd3BovgS@lG6(w3)k(ETaGW#;K=$6kdaTt=R{#7B>V
z7*bLG7>d7k(`Adu%O@9K_oZxImj*pRDk|nOEBwc)>sDzK0U-f?D4rl7M%q|%>i`5r
zZF22uu>4L_H+L{&$$1cL)3!G%Vc5`Fax=X>MW93p_a;RBLP(u(C2Qu9k&O>MMzI@y
z{pGd>XS~LFpYnw;1rF&4ECnUr7xJTr1p8lm2nop2!bR`xW~|AVa(Ocg<YF}Jsmx7`
z7uc&oRFLMe2M~Y9ms26%F?jC@Mbd?X%KF=6msU=GSSmD_PJ@`}@H6EXK*qeegE#9j
zLxc4z^4phHjT14jfbhO;Tq6;_KYrr>lt?zSghvGA#_>sSdW~H*WEe&h{3_udqR?U^
zwV)LvEpr0HSI+}-ugj0lEd06Sre7N!!nyBs{yEE~y{V?I*FOxI1y;eVpML}m#JPY9
zC`XNQ3Bj7r$HRn~NMbV#;{iH}W6Xd}%{fB~ZE}#3e-o=J40x9wt#Izo6Qm(~B{-9r
z5=I<cKq<2G^gTKX<{ntfn$u3$7yc#=27$)wvx0`ySuIF;8zBsgOVF&pC$}X4g7BcS
zo*fwRy}g=|tG8^gJoeAd$_FF)Y({xgm^q_-rc6pe7kVs9f|@PyMdIVALo1tnba(!#
zQ1_O5yQUJg`u_TGua`-!vQ?B(EtDz|{fe`qWJyaeN0&%%eP8?aqXn-YmTe|<Q768v
z4=|dFMnLwKUxTzSp;CE7+vI6R6aE|>zP$__$-4{Z^4$eIW!)a9vgq;Q{#UnQ?u5GH
zG*LJ*y**tCI*AFh)5DAa-_1C)9L^fijc3qSPJx5F?Hys@lc!;C4`L&)^kL?0A1uD?
zXb*uZq>+iI;#uxf^-B{`wn^{xKx$P@9QW{n_vo^spAD8gk+k<bN#awAvdAJmCEBge
z8}yga>-i0Ez$PQ86>6%Sc<Y0+FXBhBduYKQpkWXaGAQ2Zo2Z5uyDfH)lw2JmR|n^v
zBp+qMXRDhHuE*9No{G1ZTQ7;bRx=_(s)>TaP_i}a_lY`cNO0gNkqUe)u7~w~cLOFZ
zTZ~VXB4ciQ?bhzMy9LjMOk#;BU49ALRK6tr(^t0O0^wF+r6zt)#&<peg7AYW^6PS9
z9B!9kc+Q#%3Bn%{iyG;Xz(!7*dv9I|ILUj8b8oD>BcB)W8XqTq6gnNi7q9`)p>)H>
z4L0TGBD3gw2)RY87?l%`ACjWagUJht)2Nv275hd<t&W^P!cmIgp(xs_HW5nVtQWew
zU4^KKX5@^gz0(mBB&rPyt#JH`HqG@HLo=_8ssGwn@e%n^2?=_R?u$zv2W0IB$cMzm
zX^3E|v%r4-I)H^<s8(2jX?pBJhH`PLKw@X2qK=F5UPv-1!+9l0NZ+$h7OYfm#BK(E
z7Dyy0_+9sS5PNn5k6Sv8E7fwqzm<%+&WX2dba3f*_@Ho;;vT8iVBIglWPdy6UG6-_
zz_BO{9;Rm}o)6g00^)Kff<2@uw^t>?KxY^S0u6^ydQm=O@CBEiFp~${+n-iE@vvCi
z{thammY;?Qg<o`*mIJfX0xskybcA?_!)*3L{Qz~A*-i`<3H`KR$^~ICGr{K{97d$#
zHykf5=j5PkAqKNG(KB(WYd!`VUfujSIx%rILjEx4ZR)jgcQVt<7C@GU`Ubx8PNL{I
z;*J17(bs}@ne8BS84SW~e$a#pap-nucy!YHdO$#{=tt5-PJ%t#=65|1TQ20BNR@in
zdMGgwGe$~lBu5(_o8g^M!f;tJl`b$@vpXTq^w81V;TJy=_v=f#JzP1iY<=jc5YDPx
zp&k#OK?OYgAWk>(S%y1um89MFA2dgc^q`!#FbRMHTWriIyZhqZn10I-e4A(N??P9p
zJ&&ld#?FEs<!>4+ivy;y2B^C0J-x=#)HUS}YSqvUNWXf1Wvp+ZY-x1rO-MRAg)2)X
z=lR{nj%NUa2cuLVTHnXeaV<tMbUwSnjmaX+9IcO*w>Varmt?4c*&H57-*n>AhsX4}
z@bFjTW3atKqgRc5kwj0(gLe%9<>_2jG_A!&NF1C8;q>@KQNO07XZt<7(qWuNN1w8l
z?l~T>x_WQOS{(7NF_iEuFcz*pq}~pZ7d{cXe^M6-?T)u`1YXgx8j&2!YGy*Qh2}7p
z*Iw!FA=9&XHbK?}vz0sI$fnmvPelcxcF~Zv-+)Q>l?fed9xx2bzb<+*YNb_Dofa2I
zm_ILIGaz$$HeGg5MgljOMJG%WM)Jl6>5CgtA8LYIWJ1Ev%=5{%?{f-ZcA8Gz<4PkE
z)Y0uXIot*@(HKC=Nuqra8qHy5mdnX0TuCS=pp$<~-1dk)!X9RtfvHF6=IRq}w<N+v
zes*em@qYX`7eUD<H-}7xyIvIqhOG~}mb%!CtJQFcu1}noefksYB;MflUFEjbMde|x
zv1Kk)v4=KQv?)*PsONDbTkzOpL#a8lin@AT>f)Rif6kC$?zHe5p}Xax)X3cin_%_#
zus-Xf(Ja8kXx89Y>Y$Y>AvrNBFK^jT9iv<#VjE~`R$mgz;hG-@USLNo`iP{FFvML~
zPDB_UkF^Hlf4Y9x6UW@Rja5<@PV<pXs#5NoEJ6NO*asf}p+g@o+of8irl%95e7uQx
zE<kR(RG#aMs7MTkqs$)$7Z1h%Hau6fgoBR9`uRyY%vFod5}t3Pm;x2~5EF&9U_cWG
z`Ag(>)+s|Z;aHNay5VRe*(~?bmvF<{IU^^f7kDTjjgzYA*hN9u2z}!RVeLM_9Vdnf
zK*t)e8Y*88BTv2cOJm?-p+-UbtPq(bE}oW4dL%~sHYLtHFHYaHiTBo~`W$(C9Uvo7
z#h8?_@bsRJ;$17~gh%*lz@8lZWc<{_kjkEm20YrMT3u+dMA>pZ0msHZ0-<j`BA<r{
zRj62Y+rr*hPyY^RqjsOgCk;~=dpqweRF#L(Ek(yA;CWj3AS#nmpN@ruZ3zz;pK)AK
zMa85`Y<QnCET2RO#pdF1-)DuPD;?rcWIVnELUCMh&OsEbz|O@rO6SC`4(Ce1VM|#>
zJ=<Mt)-pnL4vDKOZI}d#1?DTp68_F_3%Cg%mqF1@J#UCP>{^HZkt^j*Lzy>Vt2QSF
ze<YnusxHd6h>t!z3TN$xPgOxy$3zN;6%zGy7)wG!0#ToAHX|0sFteZzBJUrWc#-xm
zw94KP+zV86MsSV*?@hXo|5izajA6r>_2K;Oi#ybVF*bh#%>;j#XV(i9++pNk4^tZs
zd-B#~PSZ}wtJWTi+>%*(HIU5``rr<sSBG|KJ9UzXD2~0_;`7CbA@HW(X9C+7$ChAD
znk^cm+phPXhSIBMOUC_+74;mkiX#57am8=a&d>v)hFW{>Y-S&(i#9scoa#5Yj0oV>
z^^byb@nn}%*PR;^us6>`a%vjc9k3jmK#f>V#CW*6S%V<?AA@JJ{ITir{`}Y95-0j(
z7{)f-?T73mi=lK~Q4KNQFWsm+I_(qdxN*lPnMQx6@^#>`-S&K)^pnG;fy|OSj9x3&
z3tp+sTTsMXv;l@KHIes7oK})kyFWZ{m!*--v}a+})uUbygd1Zo&?9f!@gjoBYdk$w
z#8oZq7U2!$6=)PO8Pbh?xVrDrU7}Bh+o85|4_WU?81XLCWAw}4I${Y4QK3-P%py;M
zc!P(D`GYF+Mt@N)mG;2mz87~VwU{4Z!$<Ml%}i<Pg_igN{cRk+B{A%>ZH80A<(s10
zF>F7eyqN2<@H|`8o(D=@8HUWQgSi3N!C8%IiKvGN_#-8KxkKkz&<Frf1p1snuYIM7
za{@{iW=?(##n_5FzXp|bGF5-%otruNU1s75INp1r0l02L5tJ|qF~s#YiS0+6fDv4+
zpuhsj>t)90I31&Wc0|W|_3bBV(b09@Id13UPChEUh_2P}TqV0R{x}%bpd{>4W+!JN
zI%0LwuJzwG?bllVAhmnNT}E!Oz>bdV?H~QMw}<ja8&1Rw_tbs5oA|wCH&p8FZM<}*
z?hg?^W1q#0W|0+v?~}@OU521-5DO0|GW_;iCSH8m4-SklcDKX{1F48veb>OqJPXOi
z=^}_$_eg;64(oUxRsE?-eZT+-cYYt}^+e|Em3`u_=+pCqhklz$-i1>8b}=oa!N&LK
z_?g>ByS1ywjV~jXM%E<O9@F1HbvUnEI7SKDOzB6A4L&;#d5ej<PVPvEQacb(Dhc{w
zJJzo_u%Oi%vggQsS!|vODrTUKH^zCiC#xl|3C`EMBs{~=?4rf#Lcg;5+7jX%P?gJt
z@55xcRBK|AW<;xNRUR0Ze!hS%GJw$Ptg2V<-?F--+5xs|c<fKZ<;+4b-b^%9hmmou
zXhx$)HI9Mvm<X$Zr4!{Xvjge9RE8lX_zl0=w+U?hS<HC$=ndLQbt^&ttxtFs#JsHb
zhf|z;v(n6wQXSJbXE}H}wY$MldD<`M=@=CP5oUDG%GFw8JoYF(YI0J6ExQtyy^ZFh
zAeGlJeG3+LmE0eRnzlS&6&U+(X`f}$XpQ+_(Vx+5#%V4_x-CdCB(P*>;S8g8h?|F@
zJ<{_oSHJ=|sJ4pi-iJP?EA7R`IzFof9MNFuvQ=U@lhl%YE+@l83<KvEi-!%`4#MI;
z-}+Pf`471#fEXkQ)5#-n`{Ld1l5eY^e2(L7LXPFQld4cugczpto|HP*-yh<vlTK5x
zxy2{vqWqLYcd#kBv2v@tC7d)LPU?~XRfZS>)UxoN<A(oGA^4-l3V1@z<>M=*(`oDB
z+oj0?@UZLBDY?WLtH4q6s<@e45Kl)ng4t4r)Ph37_?aiu;KU|qF^Oq=9wXzbn*Y)L
z>u;_|Xvf~eTRxo@6SC)TtjLGQ(M9c!v6E2&nUk80f@mebtWp;<qIs!Pu^)&{aqRrh
zUyZh`)-0JdwySB~wi~jr^n49aGqFu;4#hb78ihd~Y63YgsbukpM9S(Jih3OCS|mJ6
zi_9COaO**3#=h%M;Rkf-xw<>8sCV2AVg^dw_uMoq2GQE3`btkX1_@FczP#?TGZQC}
zeIw-6ih!sOHk7NO70~HKh)6yUw5t((yFZZrNV2i)!oGZKfm*snFiUSH6sVeNvHjv(
z{N;H*wGKLlapQZCHPZHLYk#hBH&vKGs%PDp{hFF6Gs^&)EBm*W%TAkzHzf{2Ld?AM
z=vOG!njDmtn?A6{M^@j5nxhrQB?IGP7{zriLQ(9W&##MM?w-e(5)Lhfu5!eL-A13X
zpB!0-;1vfx%y*y?c^y5kE0y7$aIsMRtEd-&Ltq@@BL*ecFKzWY!PLz3nD`MTKFQji
z1n+%~uC>T+pIVq};d$i4Q&0_wNB{~^)OO^ROLN6wPD<tQbH(qSlL12eV$I*<;?{BM
zm;Rem8G+CO(0qMT$<+E9nNu?TXz#1hEdw7YG=NcJB(u*>V9oDv<wBz>dQkR#B}yjc
zQwMuB(b>sq&8a(w5p_5lWB4|+gdP6g%^+1ZP5?L~ln4C95R}{~BEs#^#D<@?%zO0f
zumj%!k>X@lppZn%L;LDB_WX?Z*y$`;6V&rI?==L`tyU*UJ*%S8Yn}?9vnLYv30!KO
z-XI%(hL4-5=op;i)e%+37BXg7v+Z#JZn%S@R~wF^uW0W@a^6R4ZP&Ap3a1(mX(y9Z
z*>+y_Ae)66yR8mjTb6c1-Q8>c_pW<8!o{tMhz^6@$Gi`#@smdwI}v(!-0t4;xV9>w
zfJh|AM?d~}4S(X8p^>r!KA($6R~Sk`H?n<qku66urbavL>>}UcJN(C?2ojg3BF;f{
zEQ%aX+K6Vtq0;Q$Tb=#pXKoo=2}%z0<Xx<r;+;hwOc%g;e1-@3{HC^~=qx@!GC;XL
z4^byNYiK4IJ*_U2G`dhVY9JVZ>PtjrLNr-IBuQb!^<!+R5`UxA>Bz>W>XFE2ROK!v
zCamv<IWF|U14lr{Y>c4$D2ZB0RVxe(KaQ$y+frn1_AAp9s&@deMv#@j#cTEItTGN-
zwUv4zn@)Wf@22LYVr^-K;O?hn&7C_*KB_-1(nJZp-y7nxdmX+Zi4U|v;6!V<Ooj9z
z@}yT!u6Pc$YGu@D(AC{V-s@GyvL5|d@xEQK{7*;#KQ(NQcN<c5Rb|lVQFO&KM_tp(
z)kI;qE{vmtaiLTrrXvsC;sGCSQ~76VVO&vEq8+5+N=^M1=0tS_n<|V>G?5X?q^v@*
zVr6#ldyX?2I}sshXb=)&@IWC+<RdI1i2F;VUA*G<&%Gu~e(+zeINh}~_uX`gNJ~qe
zPJ|<5R398KX(F+KNSwc6W(e8V`J0fsHtHcWSYho6#DiAv(w5`YLUBkWDrM+JL^3&}
z53z_JohiI`e>u=qU^Yj?&5<g7UAr84s;IDLLwjwR`6PB_O4F#_EmLH@hWV3WZT9(#
z*lEM;tG&EPOVf%jS$_@X5BTmau<YKrv3t5tPM!pVoAWZ*y<@WvEn?@a7D9A6Z<5x}
zK;}HE<g=;%b5$s#ua!kPH^k4$-Rtq9`kg$t_VuE^*`B_(HtJ-gi@XN7QTE-_#!xZh
zjj_UWsV;*C6GUhg^Z_eyyZMMa&o+_{jH)G32UcE<oCyI);D!KJwDmq9-B*Dxk*!OL
z1C>4~t8e#nschV=SUGlby&Z38vsB@;YiDZ^%;KM`TDSW6zbt7*jcAXA;@aukMIwET
z6i|*MfGj|Pt0Iitj!TA0W1Ot)ztvbW@P4wCXM%x=>I3ttB^$fV@|cJ=-y2vIc|uBe
zI1$7BeXy{d)-GwFO%$;_Pc_$fTtOgbSdy}dhPJzW?;^x_Ne!4~ML3PlBu~(jBP&sa
zuC~J<x}>OiC&F2kqpO>ldn@-jc0q$QGBXO~=r$-O<0$lwFhv(iG{_I{OkmB<W`*3v
zRau&BOh$Jg7-Z%Be{FqbR9s8eHtx{4HzW`|1cEyW8r(IwySuwfaCaJ)puw$?5S+$c
z65MHA@-cVj&Yf?)IseXDXVt3Owe_hw&*o+sJ=l&PK!zj;H?dIbKs8(W)yNPGNySUr
zj(nVq=EBugAj14fDqnOD12pao>eB#%1PoNGxc(TYrDp6#U2qKKS5tWme4^BEb#`Mg
z2Dl{w;JqUZc0`bPM{{IkU5jAgZ_29snyJq7tF_sM#MJn72Ul74fi7uVj_<I6UBm{%
z>Gn$z^4Zp&8gr4c38LtMzX{<4%YEoVrpSISAKyZ<mE^*beUD4tGqaX$hA2$$?)ukK
z%o*v9AYR>i9lkz}c9dpeeBv4q7C;DwBd;?7<BWP6ys3$~?xP#w0&8lBh?C#$E(Mcw
zmVA7>;irPsznLRfc{a0^=diwzOP{ZKF`lXFSG{Nngv+YnwH!?RW&O2%g~FH~Aw3<h
z^=)eegJ6Nf&u_J<dm`a?!q3*2XtXzB$SO9^*I+;9SW}C1ZZ_!^OK4_PC{r^e8Vq0A
zTx#HJM$(rNUlB$eXSVmV?CYD3`$cX1-GO}M(B$Kx5r+vVPP*VboEJU`(v|1An-*6O
z9s!pt&Ah~DigVxh{)!e5GpF(I*_%JX`<iDg@HMB0(VWY11{!`qiagTlC&e;{4+P3T
zz+4PhFElG!GODsXMl08w%fJj`p%O}}TjMf<=d#)Nxc#JZDih<9z#A3s>zL@l;xg*n
z!_vxx_k2jGKGO+aQ~=)V6OS<AIX4?`oLK+v6(^L#MDp}_D+vy@>&5N+siqa6yIj;j
zXWr4Et$l4z?2~A|dBtp)@m-4>TOL9v*I0B@v&vd%05&$<zuZaSCEdo+e)O<l=UJXF
zNf{|+WG#L6?G1`pcm5!UnT&16Y^9-?WHm+mHD%usbvUQv2l00GdddWS9n|hyYy{p}
zYK8`4)GLDTMhD;X=rDRHg+7O0S(fe_CkFG;Nn(KVw37;*`-7N}HZ}C^hTv=cqracQ
zjFORrznp_-!c3YhbD7a2zUrq<$xtWwYOLLoc2QtMe-M~jeNqUA;f2U0!Aq|+n9tpl
zQW(^v`Aq|mo}L$Y?45WvKBxK<5<USoFstB{)W>Kn;cOs)77>5?J;E-&8<55GW8+CC
zPVp1t0F3ebxzg0F`;1^i8@D07;b)_qI3cf?1s;{}W-WO{SlRUE0w@ozN5<tsS-9TX
zOz_Ci0nDMO^XuKpIu8(C2{gVBSoGk4AadQ{frT}Wg)%Q-{?^;u<Nj5TZg_{0T06-Q
zMCE+&0L-JTiR7NUzCTU6cb6Y?57()}XgGngX>lLQ!9rl_3e7C<NusO@$Q@EzNuG!<
z3MWFd0-pbz`4|(k7}>7>IZ7|#V~eXQrR;H~z(MB6$?@?I3gAI}0>Oa<1c~LNxAgN^
zmG_wxYj(21R@E$JdwY%ql+ey@WAr(d@9kWDI5L2pS9J<-aM?#+)}&1$uY4HyGK>m|
z#!iKFL8vMRVrbF(8pfwVkJ7-cjJ0msa+pJ627*Jw@CmMB@Y-Ue<?S`ABXnrV3z!H1
z8D6hXbFN(-Eu^U`+3@LN)Eb_r3*Wt2Tl*UA`&*P4k20`*Xn;DZPga8=_BXRGNPHUW
z^_jlNMjZouI;1rNJYm;kZ-x<AJ4Vz*@DX$N48TR+pZRm!V?S)lq5dwg!49&OBRt4E
zd!5czVLoDk9*lmHi5;%thEG+hJTcji>Y&pMT(^^%>fn&LJ`U~O1eMv|DqUcq4z1gh
zMH6XI^pFXk1m_e{OQw>DnF=7=F)tO0@^r5V2_{B%4mmfPg@%Q0CzQj}!|mnwBiY{<
zj2`VqgYW|?784@&2_p4X-Z+4ultlAH3OY)06M$S1r+Wr51mukj>!7;QFA6f6S!=yO
zmNj0ITEA|x^%L1y3@2ZK&a&~WO)`qu_>(Ee+iiHw4w}%y@LV&^@${Wl4zHmf6}dvM
zwvi-1=qtr&_>CIsB85%8+-j>3*EzpFlMpEeUh2#yREvizh83wVYw^Q~nL+z)i@Xbc
z++qE1y>pd*U5(<L;1Qq*V<A>avpVN`L+Zq4OW4~SRSOwzH^Oyq-!Z^jXH*pLI+kFf
z{fxI{7NQ~pQrqG_l5Y+OOj>33RP$#C&SD@wA0?E3I$8&uF7j^9=EZG1#Y#3(stIQ%
zAzlvYMg7O<VP8+eBJ3?YVm>i+=_LlyEGN}Hm=Nsf;7R#M%^j4S!aZ<MhhOz(ufb|t
zeVy|*Sf`tu!1KEA!7N#PcFXK~Fq!WgTPCAUr+EK%=B0HzrLpP<nw7=8$V+Pu)FuiV
zp2VjteFP(GX(U2>fsl1(?O4&!qO+M03%PV9?zv_;D;&qZ=U8+^T<a+)CdjeuVV5g9
zj`l0p1BXqi_?mVp+1fD)Y*u0;0N~#SUxdUKWMG7^QW40VYAd2Fy7sjV;BIoz6kcbE
z;9!)O8<Qy*VTunrAdjXeZOw_?u$<<&UL36|_Dr(QDD215Ns?R6bac4rQ~4%85KHHD
zX0JEF;<r>S&h6uHBgU*e)Gt(VfoAj8=lg&bzt@=>q1pDc`+Tnu4+=mI7^asSx6uDO
zW}Uz9F+HrXsg|Iu;`C5jI9*>)m>da>^Z=zop^8ddVDEf$o*gNA2iX{s;PQ6s%6Dfw
z<x{I0#!drZy|JuvlxvAAp-HVmf{Rsgekk|Y)#gdGLXC)&B5Vz|{cJ4PMFN5Mb&+QL
z1F{&GpemEIbcC|yNjzkJAoi-#tPI}`+1p!!n3p;LZb&%MufJAUFO;5JP}-yWd_+q$
zBgo7^G49vvt%&FImJFONX<1eCqL4NiQmn&UlC~Fmt`;Lja=(qeTuOW1nAq@!vui<(
z{BQd6*m9)5$+QEhqeB9)UkF!KlfjqsvHjLeHyiJFgs@_uLz8<39?B7l3N(og7j=P1
zBhqg?Jx?@kH8(G<Vgp6Drzgv+*<2=H`S5*jn<MM)@?^wJOAe~pO;d+ZviqSIX`Jfa
z=DWZ7w)u6PBVAd4)LByN#{OQ&WC7cU*9QAr^{-d~|9*_vtMWWP;I4hv56U2t$0-AZ
zusA)6xk9n9&n58#%o=l=gyqI{qxGYf{<?yXXHYqn#%rqsZ!njYshBFhUaNjn5`4kA
zOnSEjmp50As{Z3<fuTooi6vu4A}@;oi;$Zo{Sz*39cwS2x$nH;3G{p}gZ(r~BEF}1
z%G|68wJ7W5*OToEcJx{xC+>W1#x@|Pl8(Z_Vjo`haQ3t^v>l6}mBho|80jRN6Y&P4
znK-h1HST0BG>eetby`6!ti1fEh|}PkEpKiIvv$l2HM?L9+P?#<4oBd^f<*}m<>2yf
zsj$UGOpQUtU`UDhYVm>P*};CnkR#~=V1L$$tZAr!59Y1DCw}zZ7xS(3&B=y%w$OdS
zk+f2S_wCZg3+~gSrdjF}yw^G8x~u{P0DZyp75?=NVU9fCC`+~)B=`fX^sSNVx19mf
zRb$K{8B;{fpp*xX<=JZayi*~sPE<+A1+n2~V5xarP%WXdPFRri^)H(?T5aDk#wO?U
zKJvIPw<qIoOs0uI3biQE3!__yhOGgiq^w}+*Aw8`7(Vp@Rjq(iOX<UXvVkF`Y<sFV
z7Fiq*MN|q$3peP!#y+uob+DId6q2-0dPjGYHEkVeQj4JxrH<W<Lu~R6IV4K>b@i7i
zzhkicv$^n9sF;g5p3Qx8(5j~5$o9sQ9pfY#g{b2PpXBV%g5k22dM&K^OG+?GVeLlx
zCgK~IBvf8nP6(6!27f9fcwqaCBRi98b|f_he&IC`CV(0)rfLQCzkVM(n;RTFz8BOg
zTY69Ji?u#F4^H!=E6N0Y;8dUE`6anoSP^0=M!skv*0AT=G+W+Bh4vcD!*5L!<H9|Z
zU-Fgm4R*y|PD~@^*P(L==<zp?Gkjq+<hhK?83N<)@3nHfUD0AN>S4=yo%0T_w>TkD
z7B%p<9^7@Kvj5hPm*xsz`h;n7dUmq_R$;Y_{VXf%@BsOPaM;aM%5WK}Vf7Y^Cmy#<
zxRv|19hsD~Y5EY&`HE9f(~Al!nRGmeo3A+zUzKZ<dbcSsud&g|=Fo4>{R&*6Y|<z)
zks{9|pfNHL2}0y^^GmjA5adKp>f?b@3R99GhI+V<;b2|vgc{6C!2Y0ea5Y-y$IK+x
z{7;eC1ER|p3n&-ttaA{hMZ$=dP{=A%qe-R@_Pc_S*xieJkQmw;21&JSKQWFLDu~)@
zk@$UL`6ZgaNlbJUw$=%k|Je;2bS<C$DM?xFzCWxlV+2k5h&6<IrjefG>^E5B&_Z@I
z&``;b{)cd^tE~75=+1+9GVcj|<K~>4!oqENywb5tKS#k3L`UtSR@YefUT~p4#?}m4
zU)_^m_-Y&)*^<CEt+C%TS2%4qQ_n}%E1L67T9+#Win4<}k|I8oVb+O>*QZ;Ttu)fk
ztE^zq2*Mh9PL05{&PjC_ESaYJl~Zl)m_Ld2o13{_D(`z+b<#KC6B3Fr;omL5@e(IA
zz`I*F$Vc*blg^D9nulgK3J|Vbt=>r6&u&Ia(hRg$s0Ehxz*L)Ucqy!@!wEmN5;r~C
zw>oX81E5Zv!rFmDrt23aVl>{r+<GB=rEB-{d1-kI6%}!K#T#7IX#(yIE+S3Tbs$z5
z^rqVkuH`C<GArv`by;vP#GjWVjZzZb#;JQk$o2V+JZdcFgrMttLq77cT%TAkn>cJY
zwJJC|nj1;{_7w{q(XxDs@#NW@veip98m~rny@4o75QfaV1?H5ZuXZ1dg$FmO%+{dR
z%50}JU@HbAa_A`lC9cfHpi8P%-?_Hu7CGLl7f`)57lL3Cl;OJ^`oZ5{4+c<JdYlxc
z@Nm!~)vZa8%S{x$uA}qgw#LRFud5Gw_Oh>Do7l5}AHc)g3hHziNf(Q|*ozC_*Jbw~
z_8avrP2K+)!&cDK_!<QBZIn0=+nK_z`;nN|L5xcO9%{Slo2)>Xv#@K+_^35r;{3d1
z;hzJ6;jMVdFYqOORvk}Uy2J|f(##8D;QRm;jYH$ikFOof_{quOrTM-Ia!I;hp!Pd!
z3~aL;#u<J5Vc2peSye`Oh7KK)(ZDMCnC4@;ypbsNFQDUJWlGwY03a=3Ka}!9w#8A?
zc&VB%f2tSpiI{V%2voDjY6!)CYl5(sMFu%Lxu;^D=3H4P+w`fgiTY-b?aMCmrTlUu
zwse59KUSoN0D8`&Xp-+AN#pc!dEq|1<hm|*{C0Qkt&KEqxse>J6Ia8HAq)($u$0(G
zRRjCcJS)^dAQu%*e5yl>aS6*CkooJF{ciM{t0AnCr?Pi(xm~X#1>rZ>zfe?FxPnmd
z!O4dDC8%05AFyMUNo*@uxi5R=^t~(*9LqGV9XZ;jErd{>?P3$!bA@DIM;V}@#H!;V
zz1c`Ol71^SjKE0-#X=usXAl0GOBKNw7gw`4WbE~AI{X|HZELat>cr#@CeAVps2-YI
zBZ2jSq!exLHKON{fA23T_G)Qs*`Ud+l5ai%mmS~IH!oM$tv0(Nc(yC2^NCY-y?MvQ
zPW7FPMgDZcF9o(-cEIt{ZAk7ZxXx<#ee%@IEDIGzw`rSCfK`J(Pj22Uz}~ii9-1d|
zau{iDhB<g|49e%~L3SPYFg!8oxB+8H{4O@+gs&1@6>vnC)ONW(8(7cKzPJZ?pRJy7
zR7+vS?BwDNb<o_`_kX!GAEv9jo<x;E+Gn-Y)EDp(&$fk-m5j0OA3KhH{Y1Xqw3e*{
zMseZpaCrD2F`_A?utxr))xDK8x20~6_~R<w+pm!~ky-jMkncrjc(GRIQ~E>N+3C2m
zEQ~M|SWBhIf(#ugURpj{N7;hs7da|t<MHivPX0*h=dZ3~>~f{@dhRooeOg`vbD;|R
z$EFJLL_letkgMrfsfDc1p@0+e5tpWq9yyjz_Eic4{D%O@gLpVAix5h2cuf0nhKMGn
z(3(p~VQeII5Z~s0Rx1Fq&?Y@4KBhOR6LG+3o8*QP*nq2e7o^{Di*hf1o&Td24tJuP
zo}ei=%KC*l)(g4^iyVF}SgzqZdb|AX79wYyfIa;qe)W!fzka>Gz61Y`V;Ic@S%i1Q
zUAy4ihD-9hql;^>IgxU$t>?@XD|a-wM@?z<=BJ{Y-&%F3<I;)aCS>+8FXQ}&a)<No
z8`5%DpC_U<szuSiaY1*wo@e^-@Y!h}wKn_kWapV-s2;^vDN>hk@@o+$rDH{f0S{yU
zE>IT_0HUuK_Dmgi)~opFd89t!Vp0;3C&}SB^21}~v;OiIv{m|No8?Xdg=(Hin)opz
zX&h>frHVWu=Yus-83lW-R#VhaIvSg%wpeM{`5Kk&I%fX!%f5%m24Axu4Q!s>b)?;0
z{zxTap4!Uw$Et!klX-LF!QplhlR`cY+&f*}l>T}SoU}{DH*cT35TD)Bizo&CIKv5>
zy~a3nguM<e_Rk1mQoHfx8lxc}6V?ehmdD0ldK=~C?GP+Xf11DEU@iqRoV}r=qm=pd
z$)ls_Iq5Tnc<Nv1s0|8_BhM-Y^V6tJ^KAz0ENed(c=$<HvNIpN@Lq#2nT6pW9Mzqw
zhwP(-rHc)(WX^8FkCnP(%c5p<3rQ&@)cPNcXQ!OYUnZuE>?nw*BtT<CWb~<xX|=d1
znI$5XOKLv@q)BQkKo-3biCl-~ViB>cx|d;EJDv^eB_UHK*gebVmuH14TFRV0U*`51
z7RScHA0X;Go`(FA-}jFTgYk;Q5*5t0J3CuZA|t{cNb1C1^Nm~;O*v^WQ>DAiGEpDn
z{)N!|1^E64uF)|=;HqAZ6Sg1Dk1S(9X?NqfpQ3MUh=PYiss8XVM-t9ETv3~eLcT&M
z>N=ze6O)AYQR7{nPsFx=4J|?@VfaWeM}|Gm4yQ0qTpWw-S#x=Ka462Yf1vScX`UHH
z$0A+h8xMo!PgA*kNT<m=>ozB+e?;{eVNjkpXbt|M?<M)tqsSriBPUuWIz@s8b+fe`
z77k=s(%1{Ryfn-OLT01J*Kod#5y$fyqa}c69{8;Ix+rSSTuxUGmlCquPUwoLCzKCx
z;nE@k*qASVI%s*){DN7{2cZO>h~$3}-QzuTjKT|tBvJi40Q`kh<wXZHWbsqo9-s{b
znw1J_$C<4VWV)4Ldflf$QS40LfY?8~JclHO6H&cWkrCKuaDU#F(VmP&-Gh3?#9<B!
z&(Z0BJ-6W&vbDT7{jkyLI*f948BqI~=#)kWsp=R0Uy<hT#kSGGMzZeb&dX`9ildZG
zx$R&bhZf_NI_^F&@gC`5bo@eUjMf2KN?0RQSRb4L!#iar7<y!!C8o3F_jefSn&q<U
z=PD9R{~qq&V{g>cy$TvO^^g38z`_YjBuSlHP(HQ09KQv@l%lUtec@lifzwS0Ac?!a
z-kS%Lv5b;Np<vO;j>Q+jL}^YF)TTB{{m07xQignI)Chy=*2iCatJwi<Q!~zQ9Tha_
zR)iP{xv`?efJ4d}33R#>Lv2~$)E#|%*vdCXLz`GY@}teYjWS<1@wct?RrL-3#RFbK
zZI7vJ{x%}s8hz#r@zg;bi17%-l!ttkNQLlD5)O&f{2)f+cn6ZJa5}4bk{aLri8gKf
z>ZEJeBtaJX*g;C4xv)%PptwGUt2^z>Qr@WZzjNJ4#NA`<?H|n&Q_%$;#ayFcq6bwr
zB&CwoUi@-aAj+rj{)8t7Jt~&LflI@Kbp=~0CeU8<9n-!vwHw(#(97K|6l#zb!m0at
z(b46k{{M*;D4H*dfTv;$%+}3$Z`#i~O2Lm1sZ`+LTo==kKaD5<lhEMT_#2;Vh&s89
zAZ#ZaNpfi>&>0bw`cCviJ8H^=Yg#MCH1^-A#(#(I8NhC_=q>IlA&fkK@3DDunDC*X
z*i-55BH^Q7i~FF*3Wp={bDfdk+U>m4*zU(^mrO|F3zPCc`udO6<}+cp(D#Z((ug8K
zd)pOO5EZz0opa;KATAWGc4$Ez0_V`r(fd~)YVka&{N?TH1OInZ{)TB`U!Ps#T71K+
z%owcs`1;x7uAp_7CUqfq4ihhIt41qn-&5JXy+uYgi(xC>YVn<^SOJDjhMmh`PqR#;
zBI)Zt&Fce-juqT7p=`3@Mv-%kNLlxd)^d8bBQDuB(5`MQC?g362y`13!(;DMk!@;H
zRAQY=6MwXrN*+YS|FqKagiS<*<?SsPBQL+VT1vM<9z&JMp`6I@M;W9E2ELpPGP1p)
zqC(J!C!VBzWqN(T8HL%h|IHt~^V68Q+1b&l-&RFZRNTeIMXBhj<@VO-<jDFgeqAt1
zoJAlGkk?A-E=Pt&Ey*@jD5=d`##j4XRMT@oL@5!G$NnfHQU@Iva+v?pBSU-CIE|t8
z=FbauVGF$WOlQS4w&~X7;b*%jOmTvmaOM8KC97I(R=^`YS|*nEuo1x!=vYzG)~><i
zU6EEJ>iDjsk6cSJ<#DCqZY&#toEQh%cCq9P3IaREcjK(vtOP!i0#y;BNYS(iOogn0
zCkv{QAH~h{o1(;Jls^;as0m=YriS^B3i#WK;h&VMP(LdMPEC6xQ=-pn&0D*2y;U)a
z(XNSF`sN5!321a3OSS&|gYu7J6v<~tX;fe}lz9+qB*!TY^P`N`u<fnPW05rU!@-d7
zmiu6F*bmnsxVgO@nz+RlMQCg5`g(-HWG~j^ELDpb?<l0Z^TGYCP95bH^o^s#RZv<f
z&Yh`r<0Lg-7fTH}F*3jx7%s3D4IJL*Ql}v_1bdl)oayVp+^pEXTZQjA1W-&pJ#XWJ
z6wUN-pc3XW<fPF-D?SJk;)X8iEXr)tU!kRfWhL{`Yiks!Pxl5!Mi}Judq?~p_{+-E
zii$d@MMcOG3KS6uhJK#}6XNXWPeinuB6kgOEURq4xc_;@8@tq#cD?;WV2~6OQ-#&p
z-eKNGc+;{${)hZX8o6c*-tC_T_L0h#5git-1EI`H38a2FN-bsv2+g+o;q$4-K`(&_
z3Hb#hkxs}O`}D;NzC?!`on@VmVphCV$;_#zb3Sf}KhG~t_^saZAZ)9C4o>{4H}cLk
zK;*}{0O^{1&nhI`c$^*Gv0{nrxATzg-XYS=torMQj<CbQ?aYNdhoM6m*7Ji558E|O
zlii;^#qK@9<P3Wn-TpZGC+u6HLlk{S1%W(?o}}*bWYJmSV#X)>!jhhxSyY))Wb>kg
z=>PbMzt47G@VG{VCFXS1c?T$QmQf?OMJ{c4e4dEJJp-|7NQkr~uS~f)R2--eq{UG5
zICpUl2lz^N34W!dUFbEi4I=DQMqZy}6>tahWb=H5|MvV#MKv9Gei(iN?sTphNOVP3
ztXzT=mf>fTc3f{#b<|dhOaG9<$P*yQ6XZh26X`ggpr$Qbt&nkcIJ~r{W@tydJZS^|
z=5{47sagt9id3Q>5ejTocqVAQk`N1dNK(QYl+6>b>!<wvP|AHa)h60vbZ^sfvmvG<
zY=ADb^5w_(WH<d>Li1PX|6hpx?@Qn%t%038)#z|X5Upe#yCN$ICyf5{GtLT!u>cf$
zqliOk&P4Mog`T0vf0#EUrD1kzuI>JQiO?%Hat!qXApRu@OW&^($ul&ijDCD*Xhgl&
zWH-vuFqgH-P{ewttAtc=5I`2mo#zJwkUx?9h$IWC^GIJ%d9~#G6U7b4ADda>RHfO9
zHPFxBXb;m&SK7-&kDn*NPx(z&`h&bWR|Rn>Tbn%(6Q}WG|9RD=&?pe>nd<jm&}KTg
zQT$>T7kkpj;&!pJNa`#8A2fLH8DZurXPTO?u(3TgR*IpTVtpQr$+GGWujha9E+iDO
zpr$P>6GrZXHbc04wuqg)P^=1Ob(QUUVa1YknN4ch*W65ZsY`7rADyj|mKHOV!$vKv
z)^&%i?6aA95hpolU(Xfak7^6qcwe6a{K$m2na^ENSRuXq{d%T?p}FjSrn0Su5aeps
z(&DvoIFYt-otCzNP^6XHdZYe$JA@b!eH{qgpP!!#pe6?Q_D1l{wHiJ6*~pEU0;|7)
zEJt2?0w7cwMNV0W85$a9iD-Errak?4=l)UMja?eWi9qeBsHpst%c>h6B1n+iFCY3q
zWAkaHvMC3zFob5W$8u4;_dHy<EIt>Q<jbF!@0_0Gy`pDw)7GUbku94Q6%eVIm;vpO
z5mvwcPZ(ODQ62US`J#C$uF=sfhU)QIgcR7wUd=|~*ggbo5*%dYxs=4AvSbu_4kku<
zvzc2%6b|*RrS-0$V{dt*y_x+Mt513CpDSz&JACN<(iPQAMO5P*5ZF2CvtkY^nCi@a
z0W=>VRv6^mgp|ULcqhaJ(LX!TmL}%56eyYdPJ-`bdku}tm`TXV$77b9cVO5YrBHZy
zc?()vi0Kq^LrP2Oj*gbDSRAF6Xj9Ps5yam%+;fLhR$V>Yk4ux;($<!{F2B1_q3a&b
zcwbOlhJfC!9jQUt1(E~cQc7fXJe~>Qr>Her44x#ryw&dxMyflu5{bTVL?p**sbM5y
zVbO~O<aH4K_Hl#l(r&=h0&${XqUGCv!d=sABho(}8;s>%2@q&tkDG7b)ZkVSQ@6sM
zE6ox4t;wlc533!34B?!~o__Cy7G?R0EW9;o@Ref#$<27SY+dkYu424d$2YlUw_+W9
z{#>b)^gY||qaSpY-lZN1gf5?Eh6n0-*({_*QM{irkid2twx5l|^f1}-y*=Z;JfAwq
zVdZTp@Gll#yE8y_GpYDa=8C|O78RgOp7LSq=qTpm!pX$c)UxQcZpF4#=YLbHe^MF;
zOBBu1(`3!Ulgk+&Z}gklX_KXD^|AzquFnma;BBw19Vzg{5|)C-F6|+@^vL<4ds==X
z1uf9lrXuWYwaJy!&hI^C{CGx4<sepguZ@VK7D+uDps=e1!QbN&Pjx&eP76{K!bFhZ
z`{1^5=l@RB5=0{INms`(jA*LXRK}TN92-?UT-m!bR(U4X0w{?ChDXK_-x)5u@w9ku
zD0<NpsU9(WO;1R5#Pypxzg@-Fz|WN*dIWSySlOY5&1X#s=Yr7yBrz91oP5s5oI1Mi
z>7$qq94GRG`dRF=gZN7oBm^NI@;^<qVjQxtlQLvJet3c>A!h!yw^#P7rCf&_B+>lK
z*qLGJmFu5$XaGksm*!w?Jl8A0tNbn+N4Bc^FX*AIH^Mc#p(AU5akB@Su)gX}y%R&}
zl*&w|Val$&JvC2cI5PgGWUKLWt!35MSO&ZS<jx!%p)S2i6;=jj<`?3**wh1~l84H2
zc>sV?fk%mTm|qvBL8?^TrOed~jogcwQxua<XMLltkad4^dl%#xi%*!U`3^>$3HgTA
z=Q)k;i?ahJg=Pze(Ao(-3-d>DnlZB@jH)86aXUK)XGalJQ^Y8A8Ri7e4nywuHs1|g
z0=}iS)28FIU5J%lguD~Mw1yux{k9+rUSZMmL3pC_&fg(N0-N)D(tIgP!<8B304e=X
ziT;neObVjVJNDmy(21lWGQO{%D5DhcIJ5Bac{C;hX<F=*sLkGvy>t_Pa$r2k<wB|}
z=&i<Ot}g4pV178;nNE?7<y|!FqN%2cLBDdlhQhz!bQ!m_#Y>SW?nhU1@q&*BBoh)9
zCf^MHND5sPFrTxe#{RrxLuH`K6Hjv2dY74Q$Xf5$6ap7rv1~D;;!`K->&hv=OW;Jp
zq6|JyzE#%J3zUvSDGtFt?6UGFz$rT5sg?k4y;fZ=e(XS~Iw(?pBmVZzb8%$q|N2kh
z#~xB8Bj3{qJ{D<KB}_#jvV;A{-I4jNhgkmiE%q3+fTL&_O27^#iK4n*sGuaI&S@8x
zTsRlhw5ZOy7m;MqfCXYBSsMSWTsRn-l6qAhtu&F~*-XI`G>ylbsW_c^6Ja`&#kJ%V
z=ccDgW_oyy{q<QzYkgTI{D}GwiE<hsFq%-710Pcf?-#!0oXuKwr}nEYuDOV4!o#*p
zxUixbjos}<VU|X*6qn*iTlXC*TOznWnD?YFYC69Jt0hc+A-&5zR&{+=K8W~@h!l6L
z`n2pHf+aTGF0DfWFT-w)QuDtrr~F^X`hokUh?e5+4w&}&;|L=8VAS*%M8ly(x!})r
z)TAz|11ol1>4=hT`yuM5_P-D8{(Z6Tf3z(DVdi`J?Cfl4Rf9T0QrsIRSJeMIpMQP7
zni?={(%0qt5O<DHA;!AjoTfzj?hkT(5s?c%thu?l$;;Dyx06+=X<nVPcDBxg;UKx0
z?8TQ95NT;DfsDLB0?hx$?rNs;bKy^7jYUl#GkYOIHtRg=L$|kGZa)6XN6;SCm#vG`
z*$Z#>%e>D7NZ2rL;>rEddzb2vzjQR!GRgFFlc2$(Ue?T_%?RSoAYbEbtUu|2rOxDa
zvNY98jh~6bnl-x6?G8A&a8}g)ylhiF`Uju%LF1JHr;=b^b7NDrUhRC0X0_{rojJeU
zrs(pxTgF(I++4ZsOl3tyMSvxbWz1WxR_pm1Q2_}-{Y;DZ!FY_L{gY?PmVDKn$rgs~
zD}443H6;@-S8LgWqK@6HS{bb}Y%PUq=bD;F-6%5%|D;l{5ctwQ-~|>HFpQ-wj#pY9
z%GlcJn(MkXyQeti&n<UV?$7O1kIc5?O3cUz2G(v>X0oWoYnv&HNRj9_i+uVFkuLjM
z(;)w^51l((hBIudAkC*^rL!H36>AMC&eg)pUG?(+i(LF2&;zh7gkfpeva1`L*W5B(
zm##bS8Z(8LN7TucmbF50mMstK=hjj_6-F)TG5rP{=oc3op)h#DygX9k@?te220{N1
D5D4f^

literal 0
HcmV?d00001

diff --git a/docs/spaces/images/space-management.png b/docs/spaces/images/space-management.png
new file mode 100644
index 0000000000000000000000000000000000000000..bd58605362024bfea819cad1b4e0db7fb3420051
GIT binary patch
literal 161175
zcmaHRV|XRewr!G*y<=m?=-9Sx+ji2iZQHhOCmmZIbkMQQ*XQDW_uX^O`&m`%t6Hn(
znq!VJ=88~|6Gwo>fdv5pL6DRXQ33%0mjVF+n}mk^dxwm?84Lsjp4?JcSV2-)m`K6N
z-pta*6a+*fA|(w<MOhMa>`w|QDQUC7F|sFWu|yh<7C2}{U`#wXiWGc6zL7X4x&|CI
zM)h%Jcwv>2h|Sthpg|oRkb1JSJPIMjJ`tqzQhkQ~&s5e<hx4DAuU__yDUf`eX+Tty
z0xL+P=#RwoIf0|$ViWQcMu7kf1qdsFtf6UiC=qdS5RK5yzBKnX5TJG4=1-%KrmsE>
zR|5VtI1m&B&XlyD)1ltrAX_mssRy6}$02S_*guTMMaoeur1AyEkC^1t>%*dz(ea3%
zBBBfh<v;}@Cif&3Kot^BjE<Za4e?Tx#$$oG3g8_ujr8jMdxD?vKUCZvUB)X{;%k)q
zqLMz_(kn<9IkWEpY6n1iDZxP<M-20ouNSUQ_lcQA#92c~8dV~gsDwjWFZ+zeAyb(U
zZ^dLBYzWP7w+O`Ym-PE(V3r#1@n2AOba1`Q{U9JEw;Y0d@d!j&Qq23`Lf6tr65>KW
zEt~>~=oA5j=#r&l@FU`IBAN*RVMi$l??(ppTjwC-FrS5BVw>@6+(Lvw9=9!psi>F1
zV2N?+c)|m-(NLrqA4MVq(by@nm;}qv9lUSr9YY-kN0y24SRwpJ<j9RAVdsD!f$a<<
z8aC8vB&+$~ID_)I8I3fM;t0{I=Yr60MQ?<;8kijQ45s40<Q&!R<M~&HXJJ#;Wr^Dk
zj>Zt<E`A0@$tJ)dGI8t|qTl__{M~)b5yF-Y0|bEs2PKam%!Dlsf+w;$skwp};wAR~
zMoNT#9q<uv>LF6tEe@X7kPq?>8iC{_J_<4E^+H6r(HE_OF7Fjjel?vIHx4dOY`*W=
zPJbCA-e1OFJ<|?#$;lI2!No(vn2sd^PZEl3TM7e5#y@NdMmI$Srv?KZ_MOm-Y>^0O
z<?}n@9#uiib-F{+oM1Z~N<Zo`#k+XuP9coA&AuR1G!9d;?&;I|UaCS14MF&uz=s0&
zO#g#FFCU~CivQcdmQKOLruLirM#)g+M65}2wd^B>_SbQlQPpoQCb87bCoc3(C2=Oh
znEQ7Q+_SDNk9vf!c~tF4{82iCvIc1lR5hgZHOXqwu1Nf}oAC_~pg!(U)5!RP$sos|
zA>o+S7{S;q|I{>gratiNlPHd#S^jazP!@AG5qc5g#}r7r_FaYzVAT+9aeW@<vaqp7
zzoDhubo|LB*zqOHR`ELs9|a^7RGd#!NFDfYJvvD8ialGEs>9b3)b4M$T9w4Q`n^Ud
zP=#H;Nb)%dF^8+hP;Aa`?7Il>f(%$tg#vgIV9I-582&cpo{;I^Fam)JU}}La1|(~+
zZvMOm{2bt?f~Xt_GeI=@=v&}Vds-)u^n!#QP>{&r#KbJYvB$vCa0sI?4ibWJdX#7p
zB1Q?6#K2+_ph)DDAO<m+1a>1}JywOd4=A3nI8IiK&=KVV<Q>O7K#eR=Q9)%D`942i
z4u#_%TI6_)#)3aB2sbx!?Bv3$6>%wiHn(_;eowv;&@1xB=uc$~KLy@2#>0St5kh8c
znGT*6hHiYQL8cbOI!Nz>f7b8W5XS*1+n3oQs9j~?A^7u~^O>g`Z72L{;Ox5T*|i(>
zYN!vz0{mMb{y<bexeRGBsu^-5^kJ}Wu+|{wbJi(&Hwj7vd?ETg{-;_}IQH=Ru+nd{
z-=M##jBp#G*5rW+E|PAfgi2@;!jmNE32gC?337=WlD~?Pq$Z_CrDmjvr6#0+B|;@m
zB|TCU$r~xTR0#3Q;}|CNPG}k8xuSZ4+md#q`Xug2P?V==G?7STv5A735}NWA1=&SB
z`Q55&YHX^HD!KWzDth_ddN296qK9&aaViLv-%~_$WKxvUl--r(6|a<b7A#n#Gx@(~
zq>5|HRTbtG@D}<g6jX7P*Q<I^->FiooT_Z7>QyAFepmUXQdWsko?1nq)>FDsC8pM-
zVqD?4bX1{Qj<4EPvr;Fg?yeN4G^<9hx>MyV`OyI>Iiy6Q5meToVH`G!9Ye<@#$MEP
ztn&(dm3!s%Y$I1(luD|}D9|kI&~FlLl9v{?j#dj?k*R^L+1J8{k2ahzU~a^s!3x7_
z!^&$$X!+LsvhlOox_Pr@=j{0G`Rv*?(iQP|Yw4x<=Muuo^pb9gcHNr-(rVLkRzAD1
zebhE*kDiaLkG)T=Z^I|?hZkgdK#gGZfK3oSq&mVYLJYhx!bm7C{4CZZ4rBCt3{&(9
zRu01{V=3+%4qVJCRvwG*z>*OpLsR-$hIxh$IV8Cuxl+;v`FHYfrD~-&r6HwIGK86m
zQ#?}(Q!DALSq~YwS#j)n#(K8Cvw=2yhQ#$6=8gludrDGF3lC9#dj9;Q#-(Oc1y*HM
z1+~Ir&3}e>CUu6(CW4EUC6hJHR?}KuQ&rR7I{280Z}rEFqIuJ1l`WEC(mB~e<*<D7
zQRNNf&HK&jO%5tlI9RwqxM!$p{-`KPybj05@LpY9eT;T2C-y0aC3}<;or{&L$FbG*
zh)bPg$DyDjxP8jq(%}d1s2#lDR4Svp&PnaQZdyBAm#?F<ds6#y`$KzHS6REgQ{P3w
z3E)EU)Nwv(7yFoVr)lD@C@o7pca^w~zvrTdx#!7~pU|2$mEY~p8XciBVeG719-@A!
zedHC}4kAA)f2@AVj<FxJU+x#(mpLdKC^qODm>vWdq!gI-x1FYL4QI`=!20~T{NMSh
z1~I$OyD<ZCLNdY&!j;0WLb}4{VY#p*!69KauwBz^CeG`s=e>@X`$w_dxN-<_2s>Dx
z9D{5^DDxZy`22S7r#DEz??BOn2SuVt{1&cL!)8?%x%&o~VVHSTYI2?!$H)v+XW~=>
z?(c5)=Uwgn?dXnA`!)L|H`6ecFiEJDDBBc}WT|9sGI+d>m%}uYo|1#bp(aXBLbtUC
zpOOPfD{`l~=Ug2Yw>4C1%4TvMEUNZaD@*%}DrJtP_;SR>q^0MwFH;e}Rh(Xx*DJD=
z-r8v|xh|!1`Rx(v!mfts_xYvoBx$6*axas5xq8HRDJU`TVKoP123N5Sv9+1E&BaVF
zXYi(^rnus3l5-M$REmiw(Q<O^SbUD|*&1@%CAJdwQ<~Vy<WcC>Q=$&!CTzzSgTv0N
zl&nwW7iPS7-Xq_Um{H8|ax3_hS?*40H#L8n@zOw3J)5%eWpQ`?h@Hp|apw91IrWPV
zDI<-m?nm$X`^a4vW-#4aQ+y+X^PYW3Y=~)y-*+jUrS>(4o4^rW{*X@<-C`wDs?MHa
zuZfkCXQjP`R8zX2Y_xA$Q#8FgzcrNfZab2-Jzvbr@>aii+Ieh${Df^o*H%MOk5t>%
zI&8C&&+ya~)LcEisXAL>SVgOQvA$?-Nt+x?w$~Ncq|jY$;4|_Wg1keZVfWsqT=QrG
z*8lD&50d@K*0VFUxz#)3Cq1n;R70lCZ;NWz)x_)KrCVZZ`hxg7_8ni|o&3D}I%<qw
zwd>w3<@~i#ySd9)ek!*~^-@*U3*oW0T&${OnfHzS%K8^!b6>$|uh|>uXh34nZvOpl
zl)kcWk1OT7!kuB<5UV(CtW9OfD#j|YYt!lLDZ~Rlf+T{i_!z#e-Mw8k?~#Lzdy=H`
zh-1w@jhuoUEgz#t<F3gU)lJ3r;z?OoW*O@aKl9C0OcUx%Yc?Fe`;GVb3o|AdU3T}e
zbHhpEYDrNVFWsuXW0#Wq@`KfdeQn=zYkSL*u5;hY-0Awp8e8jyNSFTG$(i8l?2f@s
zyA$)R*=EhNw!58t?=QzN_dhScs=Mm04tH?d`*uP11aE{}!Vcr$2~<Dr?%o0r+hX@~
z1as60$M|}8MlL*GNS`MDT#m?F%Kyy6=CAU+eDAKHC@y;#DaQOoKSB@X8TF~~WxPmp
zrY`<@|8-}zGu(T*nz$NdFST>p`|D#hy)W~v=#8-Fr!V_;?{m;)7%w3&pWbuw^T~RD
z^lb6$S>Kws<vY&j!+^o#Zhkt+-gq1sR<(r|4v4+mHvwrd|83Y=q$D(V<{yG+Pm-Jg
zU&E1aS>5fR3g2+o8M9qs{e$YYUVql13Ao|K-9eQ{{gl9`?y#hriPTW>7$Ww@!t=I<
z2B`q}(<crL1WX47>AMLvxPx+}6t$yHMxG;fPAiICjD`)w9qO}oIS^+kczS?<2!Ke6
z2&#C1p6fz+ps8Z=W=)qqZF3U`lOhXU^*jNgDb<EU3n|$|Y&073!y}CZBPEjbl0X8G
zp+QlUBqXkS+HAjknz|;)Nm&wZ-v|iTsqFPQneWWDGn}u`f5_^WgUjOuydi^@2u0}9
zq~$kt-TAC}Zkxn{i2IZD19qVuz&XJ1K>zEq9TPCufr&e^IsCt${EvaVc0~OViCqC)
zbxHsHhW{ED;DrJzm%No!7Q!C+?+0}SfKW(XLY{WZ{p;!c<7JnU;2erh^0^q>l>eVW
zkYJteMM`=U;(sTnpsyX%*(rvFmDN8da8*e@j$@^u`U~WnFbNh8woXf)eY-2TNsMcG
zwWWVY2*hyVSxS+Br6JYr*+IO5nK+zsdODWg6;W^Aznb?J#y@7GZEz5>g#>-hix;4(
z_~RHG#XqjpMf~SWC!XIWZ!BTa9b>&ZCT$+FH^0kCZ8KwEGny;#n}-(8FNcqUO~3vC
zG<;g0L(cTG77@KJWJ_JL-i;q9eq)D%#83xl-CN^p$W3AogGs!+Elszk|7y|Kb^nNf
zAB39TaZk8_X%Cv|vQu_vazJwd=rxnQS`3RCn&I6DSn@KZf`Alc?uM{HK;9=8tjlpA
zdzgy_y>iq=<OUcXJU3KXZ<C=LLSit!3+XK$TlVyr@V=)(bR51F4z2?+<F^1rjPH{N
zH2-&d{Lf9WBjk@t_Jz^dz2$`n3SlWxT@6oEQ#ZQ(ti!W9R#g#WzQ3pdgs6remfe(?
z^<SFe!Hbd}IULjyD2xIX?8U;~l{z8;9+;K=mhnX3;z&2LcVS|pIlOji7^wct*)ynQ
zLa(5u7w5qD<Ez11RwC>Eh0j<cFRp=m0{4K1c4W920Zy9AGB`Q~Qj76wkvuuyCyx2N
znI)vA9br3W?8wxVn2ZjYzC;1i!($s_?A%yO#8rf$$0oMs_y}7LeSdloa3e^^@q>}T
z5N5<;DaF9$DHiMUYGJ9a^47?P&kY6>&dSi(FmU1{2>HN*?p(gx8%BLn)PZ$*<g)2x
z++KmGe+--1%RR6|BvzNAsDZr(GPcpAx@IOMtP3g>s)Ie{*NV{O2=jOan(<>lL5&Je
zjWZ1(PZ7+E-JBK&Wv-cdc(cWlllTN>p@Np11i~$MS|mdTs)x(VKnzL$7_Lk%;{Kc`
zJ6u{=Ns!e9$k++xVdSk&e|%P+OdA=hb<T?)Ry0w9oM0K(mqlWR0PWu(0`>C387vE?
zG+E-{Tt8SH0O}$a9r6kndDn2J0{jhoYFJ(tC6^nEwb}E{2ELAM-^z+X|9=GZztP~5
z8+<tRvuE3~YFVlSObX(yuAAmdlm!6sHj65r&kH_IYy4RLS>ME9O)nmGVNOR{xU~l6
zGc5`|T|2aNnLB5?nqG*QXBQRN5rvOO6f(7hg8D7{M1yMO13OZeGsdBfNk~zW^OM67
zJ9Z}ax`|bA@KA(y-3btu*htL88iER=(wf&B9ez$74SVYkDmzF&qSp@<ret7YDI*dD
zmK8?<tk4Qz1f{c}{XX1Hh(z2V7M+k|>qtgIm^EusFfa}-{IO+Fs~kthe>Ii|b9n8}
zCQAHr@qFlkvU~-ik83<kL1r+akLk$Kf&8des<5<bFjQf39w96KoWk^s9FU~05RE`l
z*T4A_T`x7X{QLA!5kKDGM7NlW8`H>0G>;8WMx=l~W;?QC6a6V3-$qh6$%JTq8(WA7
z=@5pMvr!ES33vK_|2o<*=CV*BMF69qxfq`~7q@mxf5%}Yo)_CkAk!kEhr@3J>bk@2
zRBPY?+QIH_2$;sY7P6wqfo#=#mwevHm=`KQ?8CX95%Ai5qXA?xHG+R|^^cW^knIv~
zAnSmgSrIF*tse9ol(8`lxtzgJU{f=Gxq@nVbV01Pohl$n0=5<-7Ik?P0_jnm{Wv0<
zA@N;WnT0gGxmtCnM)Ha1(<gu4JU>A>mP-7M0(p70y?}=k!RxEnz)U(S+4orz{r&&9
zFziBa?LaqIP#Tg>T>B0<G&KcAr(U@%6wyCnDls`8{Wc9>(hs<D!S(R@@`JADY*ShV
z*%z{@xAmbla-x|V8vzr|;N%dd4k+30uD4caOqQBH*CB)>zza!}kx?<AoMiMGp*!zN
zj*<L)Jg`uK?~sXr5_=qA_VEek3DT9@9r>j>US2L7U&9#K32y9ez;M4jW6Z5}K4!&q
zQ;|#+pOp|%ZA9j)!2?YkYnHw^gukywAP}C%?tQ$rPeI~9TLsADWhV&InYb6x3^M26
z6f}_p8+}_BlutXQpegu)`nord%)YS`&aQSfyvGBf#?OrND`$$hZgOON7Rg9o2r=}B
z=H68jX1ua}_zp&F0MZMV;u418M%mjnGeDrn>=AiVg>uB>CV)77Ya-ya*#8P~!;cE{
zFcNuV8wpd{eIW0>o0j0XX7CWl&l;|lh=~sF!<-*_2sgZewbxxem;!$!><r0RI+&#N
z@p|-F04cpn6&FQUmom9igU6b3^ewSbjB4ab8_DoOQYqm6NmLvdbR<g<3vm#yF51jy
zFfit~cYmluOXN*IN@l3;jg2vl9U3O2B862_4FKwr@o_m|7&&vlznoL1C-NMIysJdN
zQls^WoBu}FXJnE(Yp}Rvn1Xdc^Q5h+3(@!*{b<(tM&29s&lRve4A~-!QjvOoc?{v#
zF+cOS_9RK6q`svspbf9*tDM@;v)4ExqLj$-<l!V05X|}v8R^${myurQ35JG-F#&e#
za~o0kQ=y2WKdAA#I*1uEp^!|oit&?DDamuJ4E;p>rF@EHgkHEzpc6JILUY{&l9oT(
zlXZhLU&TldR|TPrBqpRQYGc!HspiMm5L1uUrNE_fWLk3LHHA<eVd#cO_occMk3P64
z?G*}(t5KF+c#51|EDN{Cq)j8gB@pn?lGTSvCQ-$#4MW>Oc9z!?ci{nfQIx6-1dc@a
z%;|`t(Tur7^pcfxD60&<Bfpy2n8t$UvJG;Tx8&&37Pwc0L&Ki7DG8P+D4(q1N;WVi
zlq0Vf5@vjDNiZ?AjilX;?K!xhu!)-QCdrOnYY&@tb9)g9olggQ%G%P-?FiQx0VElU
zw8h_@*zhJsSiuwv#nVGa$Vke{;Spk(RFt%1mbO+qy1}qCHH~flm?@Jc(BTt*7q#)_
zy_X?fbEAb-;u-_~_y!n}GC4{U=*y$;<iy(lDO(_MeiCF!%m>|Fns_AU`Sb4oA$9)=
z@=ri8TNJYD0vX9c36u)Y1vd&D`V}%lP%`vqw=u)yR5gJx3DjH;ur_qi5<D)kqjYS8
zs63QL#kpBfKQc7M;;e0k`PC9i8XOdG33=I(pIP#SGPPlHGpP>jDuwY95Zo=2>4CES
z6ZYW^E3VY5@suJ~lsJ|3zvC3nC8@&Fy71q}za;cTd6R+0f-t{N4r62OU_6|CD8*dr
zhYy><DB-6V3!0MVO!1Xk!^2bCleL#cX3{q{3+qZc1QP38ak7rvD)aCwNtJ?p!C?>*
z2%Bls8|U40H`dmOhSsNG8GM7u^wpu-+bhR0umQwo2l^ut3*J`^zS~N`q*BxZ#cP;L
zILuoF=ORfPgFwX(A%;qMA|s=u1_xtOwXo6sGR+>zi*Lt@n^+^ok|<i{!DwgZKLjz3
zzTC2f;Lh@kqFA}o!xMxNJ-OM;!+HzA6IY~Inbr+WRaVB4GsM=);jVt~3z18iAxqL;
zzZe(YtTt%8V`l~O0${M_hLEo0PC-#`Z3j{RnRH)&1qpPCOypb^BFgIEP*P9Cc?~6`
zsY{Sf@GdrUBS6$$>5B^l&;R1ueRHO`8M$<(w4NI(rmIz<nGn@LAzzj{CuUADDuH3+
zVTYZ;nBuf%rSt6$f`%LwV&D=Yede(Ic@<hq$LS^ebFg(ysGGwcjo@^05~`Je%b&jR
z6x=j)cnO~P;Osym0J=5w_4*RuUr^V_z`hWOo@_)0A1!-*Xk4_xqHS0V?@aBrT&!PS
zQNu6NbxdhsYaVo!i?yK!84x~Kz@$1Xm8BUR!zBW)OOIYQ3Z(0TM@sCFW4>_eDQbQ^
zJ0@<IHkXNx7B?Z|Tr43iwX&`}Rg@R0rK-@?psp+z5e|Z0G1+t`dPQNPCewI&w|L&n
zSkR+_W&RY3c+JL+bX8Q=jGzVvOy4)Z5rsx)U%a|GjJP*>!XCDM8k?9!gpDB$XB#fB
zxpP7OeAF3Kvp1iDvr{W;<_oQJ{+|NpzjA>PY=b$ZYsGWA_<U6ua6rTylSJx%A@lA|
z-RkTvChsMD&Mlvyoo>}18jh@_Y(a74ClWS2C3>*bo&YQf&K2i*VM>TkQj;}Gj)-KN
zx3T;*m4Yuxgtyi36(wO>P`=qe0n;*X%R$WWQu!_73GvR0H{X+l)SZ1X4py4EL|%yk
z<>DqT>I<5B6)7fZ+OpfuLPLYupgA&~GN<JA&^At5eQe;sZf>F{H}<C>O+i&z+SjHk
zAvsqV;80mRv%P{*S)EW!8DT=8zM}wjv{TfB=5vaLwz7R(itbp}(>>^>^fs&`HTp6o
zw6we=pr;)I=NPe;q6k4@t*SyGHn)_RF^7akRh}yZwVH})c$gqP*VHUT0nD))UkVj%
z1SH&xP?3rLthj@otqaK25?ol_L}<)ps^&n8iaf<(QBx;kEyGf3z#fHIBO*UyVjC$g
zDyU7pRRz+q!gVYo#4Gid|6C8&#2*d~J-)P)Mzoy(kEjLw1(*M=Bm%zZ!7pLfA+tE_
z_z7ah)4?;-w^3zZzqo#Ovx9*-0fmZj2uZm{v2f3Wi>T60R-=-!lSPS9yo1BR9|E9B
zJfGtiS1qRWTB5SOn4DP{w`vf^%fcfS6cv6rY1x&^hBxQKaBY&8z%-MDbX=U;2Gg_Q
zjhJai_A4nP$w$T}DT<FJRfwzRpoPNX2P>Cvq~E2De}$sB#-PQvC9(7Us3&~qdf6Xg
zJbb=9hRBZXks-F65SMgh4Shrq%&$Vo*e^d_<?E@Av+3I4k}y!jYA6`9QKLjS-$sx>
zQrTbiNm#?g76%UuoZ32NaQsaKuE=4uLXn}<B|b$MQ7I3Oe8WwSg=-K;5B$x@$eSZ{
z=ege#!P}fgL`!oT>A>+D82C0#Rx%cIDv1V$-4YWHu#RLRC6CtF<mt(7aH!8ypkrod
zVp<emJBi}(<%4PL<bv&@9ZiH1qHJy=fP{4E4|OhM_<G~5&-a}84$p%JpEc9<*VWC%
z*7PTg%^pjZPAjNN7BsSmeVC0Kx>xLp*YU)oIr07w0=R}l5G&(RZRhY~`;eJ>?5_^_
zH(<*|yC~}Dz<5zmz+YMTsqVZ${<AjS{S*^8VD;Hk%@aXCNHduiMx9R)iu~N<lhO#z
zVsJ`*IlE*qOkC#~>go$PtoeEZ7!*{w*XRV!6eD&dB<rh0q5!$MxXYJd8eh3|h`tDY
z?br_f1Xb{uNK8<NZ1qFqOXl=zgz7kbVyi2FmS_YLv3ng;6;l=}H2b!emRHmYNm+gi
zxoojh%3xVp0k-Dj_#O}rrF)x8SXVl5^?;~~_;ajj6v2f&$kNsbLS=UMy?yBE_+#_s
zqJeSyROU(eOHZg@FSJHI?`BY8i7HxQaVF$whd&QGjYoViltp-AR?emu_N%C?0$XGv
z<>=I8kJvjz$tV*}iTWp$Yz0Y&4$qY+sbFQq*<LUc@hZ?FIZC2cs8vc^Iv@hGtMlv1
zq5>P4(3TR0v?<_P4B@cxD$Z`oJY6I+3X)lOr&92e0rUF?_F;6fsi#g^erUx<?TNWC
zG~!4aNrWl5vMGm$?J61plcAoJ;Wmv-O#<w<S3tlFQoY@*-udLhSRAvE192TRLh{(+
z1gNjuG;!fw6f7W1Tg+S;GiUrOvP2{_Pz&Hafn7~a6`zq47hDL-B)SmN6oUYUtp}#L
zB0-(#ZK9s=11+Hy@c^l`2{lI_HYqz(J(7kjMTB(1(7+;6FV~F$Xx_!+_|K^Nr4PNO
zS|}n!DtVqF<9)XZddnz4%%us9_&4#{!~3UE$k;W`@h3{F=?BZ>p8CTEq3UwCN-AcG
z)1y2rj9K_R-Izi<^<@QEOyA?^7z$0qLkU{>n6oXA{{?V>#`a%`@77MUx=<-em<hu8
zZlKD^=|qqM-r2T35pPjA!T$0c;5Rs#r>3D<Ma&x=Qvld^7srVA;B4vdVypd#$A{HQ
zJzG(>eOb1NNtr>S2TI!FzotvCJ30RaNGXF~!YU4WC#tBd{to+9K)G+||0PfVeY?h*
zglHg1IkbP49s7?`q@oD1P0vLQqpJYJ>nn$#yseef1=FXOSC?0(fDKUa?6~)fm((Nf
zUwpw2E`VDuxt^h4sRG{mi9lFQZTlj|L70yq-4C5OVF(mosb)(;Y1{<uTI8@&ROU!P
z)>p}{p&Pd%>CYZ?_&q!$14sC$Gp!w3KyARlv1d`n559lSO@9&xIOr|K!r%~4Gep!c
z4wQ(sV4AiRQpH5Po$UcgB*ZgW*JC2iHju73u|&yP*Krh}u(wZ-ftk#nAr)D%Nq%kW
zVD5q&jWrzn$&tK%o#;3<weUfQhaJ!b4ilR{_@C9ne^pyJF!yB2g!sYzD`iFwU$)di
zkR83T8Y$R_Qw!^ukVP?=HNq&_!JRNUA#eOb5kc^uVe&G<5>QBc?TmGGB1XT_iK{Ea
zn!fSrUgy{Io(loxawAG^?d-ck244vO)iVFn*1UuPzg(-%3jvJ{?~2YTC{r!{E~Dj?
zl@zE#l<C537=v!rggf1kxugAE-kIm?@PF&w|4X5FKZWvjMPZnE6+cMy_6Z*&s3cLC
zoNnHF_u~_g61=G38JMA@W@f??a)Ui9M09<=Wn6}XFJ}3z+4^$)Gu``d%k>Ex>;i=h
z($kZn_{$#+mdV<%5>C*t0AP#k1$@TqkP90@>mjKt2IE%>#yxu5@8lD%Ro=eXo*qP@
z|8j&&U|%8zhG`rtu85Tgt(d7!ozO7f8Ajkc>n?-=<j%2LHbP)5gN-+om&)%ds1;fw
zGN51{bgwjsF<pZ;%ADk?&}IN19lqSlW4HhI55A`X{z|=qiO#wzlFs-YL{8ZSh{E93
zW$BW?6i{4M7ylHexZK*N7@7^uG;|y_0K|gz#r%^;<MS$ll!}hJr)Eam{;(JZ;J73b
zj0_O}r6=YQ?y90DQQe0_C((t-NfJq^71xo%d0zdUxXg)~x=KNe6q!U&OMJ~R!9_#x
zHT0E%ojoKYq5(wdyP>+CUWgWKT=g$VwKT*Q!Mx<})tXZ-<-MhdC_cRHog4yjt*djM
zj*{3oXSfAJg?AQYM^mW)Qd+CHju7mrX_<VAg#6wDP;^z+a@sny(>}U}B2{wzgMSnB
zem{hO)F#`S?K8>YIrAh(vxGu9v;1)e78r9$xun}rF)He_Q$-cEh=oZjmW590Mud<f
zvRgs9qz~6OlK9kApXFga-GiLBg2!GKdlXNXdvYa_VB4`-qs3f?f}SfrZm3`0IuL;-
zpOg9t3AsM1U0dh0Hxs|d=DU(G&m(9JVY8TkM07e6!|K{dz!xboRDcK%lvxaZ@W4RM
zo{=%4HSqgXOiXa66?B~uP($M&FUD&q#0iUeFdV&4j_>(4Lo={K*~N)GR$pegy1)nd
z;83bKjBc$V1A^??^Nl!IRL=rvjwOkLavYU0^xD5Ufx%WvUeCgc5nEwxA;Ou!1aO>q
zw%NB!UhFWU#`%}<`=9NDcANmW2$YuV-=`!?+Ua0J;{y86R|b}Hut{QQ$!bJtXh<!t
zF+#QcaXEr4qIs4zz7}nBewJa~ilKbGVAos2dx0G?j-u$XIr2olLgETR9$Xv!V<U>?
zzx>hgaG0?#j-I=?gFaT}MvE~V8=8dVf%0Z_Ul^7roI)&wr5hRyhLl@WI*w;10+Yzr
zO6lEi<0`P+)j|5L_`&Hf;>7(i<=u#<ZuO5-cneh{dzr@Sea{S~^ly+il9phagUO^M
zolpj^{g>Zwo6yDT)3dN(Y#oUL|D4FLB<5i$bu}w}>9`W@{CCFwGj}EWM+&n?g%AVa
z31V9v8e347$j*>*`vZ*4vs5tHwYM)OXC=T%l!dz)y|Vv`SSNLxwV3Q`?|^)T#M6)$
zviagx36$2lfT>s|C)oIOP5<gaqc!C9zx5+r0Bt>S(rlpEP~&#F4h(caCS`??6M|$g
zxWYzC@`sYLKK-*dHr{z0V^3f>DZp?$ymt))C&FrDHqq@DQ%Cj^wPs*talDM{)`cxY
zN;tB1<*I@{VO%VJ_y`QzD3;N{7qoKpc=@&!lWQe$STkAiwc#W-KRX2vOC!Hbcrf<H
zG@+oc9)~pP{4eslV8lEA|GoJC+b|kKZnqVQDAo5w+Z$b)1M%T<7ntlP;Ba~cGdb8S
zYC%Gh{q%cFdm+nUHX{P-*$S>4H2QtR9zto>%VS55&xaeA*7pwaAR<&h44pnarPKYj
z<^mM==lkTVZ*En{XpJv4xk&wx9fo2SU%+d66JeoJPVG;UAQQ)x)=0uBt1Q%7tNWl}
zV}(Pa`+$uxu^aL(AD_USIvG}Zzg{SsBU{W6Kr+Wll9a~>kW3{XJ!fbHi|1lSDyWuK
zIzv^6%OD^yx|`@5>QlH=WD~=C{Qft903yC?1^%~*3ww0Xl3xu*S4{iE_)>&6j~}(R
z7BP@ysjBMhsg;2c$OOdJ`Gp6;jHRZG&MEBU_hC0Kap>4oN->2AM?#jK5q<R4tNbTH
zUyIIVaApA><H+pPg83jlB^(Q1SGO`0fI<CKKSf%WDv=<>^kEqB;y+))V@qZ>IV@wM
zq04oUthy?I#8^yZcqB`!36L}rB4?d42_q9rWw;GnF0f@ANv%6ThyJlfSn9MF@$bqp
zUO+3r!Yg&#ZTrm5^awch1(nswY+gr;aQ<5y7M7wK2vuBAM!$dot0|rI;>X>wuDy2y
zHEJZYQya*vs<zYSM<^&I)hWQYW%DtmA_h%d%@_Yr5GZ4GJHc7`jY<;h#L&oOPDH03
znzIz6^qPDT(;XO-Z9_W_L;FD?G?LfaFnqnRTTIt_BEFBN-V{*7To@{f2Sz*ao+42$
zhX6B_%<TD!(*C2fe{mo+dt6JYYs%2xFqV#wniYYjD&h9#-?t_OHlerJ3WHx(DT!M|
zNM3H|(lhI+*E`872)BW*5ttcS?+st=2EDiTNo4pF*r&G?<FsNqlM_hekJrqBO{&wa
zey=nXg+-~!gqbE&*^P}Nr1RB|K{p5Og4a%s%C^?~^mj3X?-^Sfh2tDj5C9r#2pH$m
zpWg8dBjJh36rgB~e`-2V!_gcuC6XT}lbOV8{}oIAuS}XF2WyL=q^hbEWxXpaaEhNV
zWD<j1Vqr0GQ0Lc3>=;KXJ})O#5+%iG8+YecFD}k5&#!NnIUHERq`m#Q#y6nRb^$Wn
z)}V(0shNZm5o|CS+sg}fGqArHf;>@;KW0o%^1V(0nqo?bil5bzGC|BOzA6F*GNZL4
zy0m+xuabwlP^2mDMXG`HVSIIVI-o2w+3-`AuGplYxKaxG*H+ehS@abyE#88J6z2a2
z|1EF>HieQ^60hQJPczvhQN*&Bl1>8w;8XSz{%JHAa)dF<+=xZZ#qatg(y`f5V+*Xf
z4AJ8W=<-v@8?6R|$miVXL4$)z17+fy@msrUM&C(A`qPzIuv60uOFQ*S=rXqGMTjKV
z9$UNyuWx3x*9+sZ5|~UCkOC+T6|FXyd*%=Nw(AmAzW?I>!Ja_+N12Jie4ScFec^=&
zB`gDkk)IN$Fqlee1K3onj<hrTZ+hARUtnNgYnl?@;Y6$4<Th{^*oe(h?*?xt$&&z7
zvRghnc=Zk&lp67Uh$U(k+bd&VNe{3<dstYhhKp-Sk<l_}(RJ;NeHfs0I_!QPIp@RB
z{6MI8fCh|cN>X8IBpPjWw!x<a%gOKvsiERNh+5bZEe=BDZqWhZQ{E{FAyuXeF)P%v
z3t#%3`T(GMS3#{QErj#ao<<5yW@J$*c@ci5hK>ri{_(Eu=4h-+aoeK{&c09ad^-X4
zW>lts?aR+swM~E3&n`|VbfHk_;16bgvNzz@&o!y4+w0H7w41}(O$TOz@XAT)gtV+E
zZ&-J|oi#Zm^q95lWo?bm!`X6cim1nyguIN%_F<YQ7QKy&o(xk_VT4H7NQHR)=*UPZ
zuKSr^XY7kJU5ROYXcnWy%U1|GwC*JZZF-i1X0S$7w_6_z%pKJL1O)c4Zh4*#xY?e2
zpxm(8FD{Lz=>*vG=R;gt&j;QEm4u|PGqMsq(-F~oopEtXDxdeRAYlPJEfhL3^J~RF
zo`1rx{`?05w*dnDiYYCLzDPt_A}p>n2W0FbBS;Mo!doK)YMQRw<Nk6X`!<5&FwPg&
zc_zaS{14-YhWKG6YOh0msD^?fOwwjPFAYK)Vtul-q{WbO7IrO6<sk;w&^aU{F4_sk
zv!Bdku;jee(M#__$;ruz{4NUeFDw(YzpyDNMH+>qW(=s9Vq$X0qL-=B#M0}>*$zAp
z2uaCgoiaa)pE))J(tw-eRE<d1RSgvYJWB8ea+r^NN!F;zJAG-<2t|*l{kmOl8_?W5
z?p-!F{m9{Qtn9@Hf$u%mnp*+=LX(|fwA#I3nlCaHqKn3Ej1j~2^^SwP^ZN{*5`<XW
zfu>oBdf+KiIpm@$s1hsyqbFvP*U!2nrAXzlCxeeX?gV88Fir$J6d#}TOpU^?HSBbD
zAMpE6#vX4kfC|gX?$WvhM+9vIWk#fRF7fG(<mrz7<`Z#MKC<fri(I&?Wp=%Q!_GkZ
z$1Z%k7Pd93Lco1GrHE9rMKR;twbp)fA!uKXM({;M=vuuiK2HsN%VY;{lnn~qN&$h@
z+R>)+Iji(v`C(}N%=zxi2WOfxmC+hr3&We9nPH?x=*P3R_$J5pC)2h^o4YQ1D@uOV
zPKZR;$H{GR?gcRKad0pXKrNLMy~;;?LK2(8#BvRI0kxKz6nk$ywYA|@4|&L98yHi2
zBe0xwou#G3nY?*v9FeGW=?}~6{^pg0>$k05OtyP4pLEQ8N_CIaZQglL&ngm7oa}+a
zuRNj1$J;Ht?0ZyODI0rd_*U<`uck9W525@`n)H={u}z>(aQ}LED5=1&rs1aYHl2q1
z@kr*XLMtsJz9!~Oo~mjzQ(j-#Bb4uR?HN~R>at&24A=H3>pyJEe@FscKhIX7&<bMM
zpOutOQGt5lS{EvHjnEt|Cb5OGi55;w`q)!9$M=Rl4UYQl2AvCbf|)^fduaf$c}$dg
zW+3DulxtW*0G}Qy>rdyrcMs(f1f-j>)3)4zWP*6Nqf!TRD-`XYrA(jj+(Dt8kOg&)
z6&Y9<Tas&S4yVu_Nmt0B0aZDy-!}&XlE2exW@Z{ZhWl!C?IT-B#yD9^1{a?T5z{h~
zWO=$j4!GCxhUhR^JCT+|AT9q9dazoE9^iG%l_&%=^L0r=a+Ae=I;(50#fwOz8>Ey#
zH+pe<49YN+v>069?s4EgGcu(*jA_qK_7BwZfj?fvheW|oMnfm!yaXQ{5_WtIFt4|n
z$HUrQ!lxU%%Il4#{uANhCijIQ+w0<u)XN+1e`rr1TI0*j?j1#PIh&&F#cpuZXm4<E
z5CIq(8(dt0S5G{VCeUTa+}{sJBXGQOji%#@$Rz*_ta7g3LcVt%Ialkop_8j!9{=j2
z=ybab-}vpF9T7XYqOZ2cAxi$X+tW5b(xX{YD!n)HP^-=+96|^86uS*Q*A}wZCosIC
zZn7J5m}fjQ*arA*=xjdo4ItfjjyP7iuUYR@Kbnq=xdxcRjH*hA*Yk(_q3Urx(|nLy
zThiNzoc5b;pjMgC#jOb~d}X1~TLk}C?2uuB$I&#>^>}!^S0_^DDE@joh8Jvfz0tf*
zIlQ$c(l6r~y`1@yUc}MY)nXv)$ky`CRC^MK%Q;x(K^g$Z6}u_)b;rTW<(RWnd>_Uc
z<4a${2xs%&BDxDB$(_#y4uk#!jlq5Bn)qJsk6BQ3GWhV=$i9mXEJ2rM{=u@w!vGV<
zlP~h3xSPG>eQll^vCvT<5{8U5ut$`u)8P(ABt9WH_u=XDVYN`$JLEq&-_{tk&Y$Vd
zi`<4|nrKo>{5`RxtOPJq)#Y;FUD{v8A<Ji$%FI)Yx^NqX?8x?5ibjyh)a<7Tt^aoq
z`@EFK?P-Y0>4>{t!7CdJN1vbv6CZRPj7M1PK}Zxn?9SWOx&3HGJ9Xy?!Re(|+{29(
zF&dj!MqWJd&v>xmcEfNE2Wc!YPDfo|A9`!%h)xg}Gr<|c8|Y;*W<eYqCb<+sX+B#d
zd63qY)aNy1G(ZIad|t}DVJ0l0x%2#qf4zs)8IX8^H*=_LZkbUYW-wP0@@cnyqz;m{
zQ9ko&0|0s`p2Su+CD(5Eg2mGMVdeR)@)-)>x*%KVW;YdRsFE!<F0t1T?ECK6SlFF>
zwP^V~{@~+nywHp)9Fz!t&amsG6>=eU2^;Tn`#!6V4T}&6D3u1k|6<uORyXb3VIQ}4
zG&n;HujV!ynWUflHP%`o{#W3u#HS1NJ*@VX;<?)krj2sB`RLM*;B7<_`o6+F4v<_A
zWYrPPRb|+uQ~2R^vA>5S_34Gp_C15{_&mZ!YiC=}Kg{+>5HjoQL}aX5g`bj~wm3n*
zZA_**ezF+NWREoa758`9Eq`ZX05dR_A*jy2xVb|e+B39VYVIp7#CtFrdi<j<(kLML
z1SjiMn<D`jy`6t{nJ&)1)v&!t6)y(_NFf0y-D4VSwP#qh=a1w{i&f@c2>D*9cz9VQ
za>Qew!+ShFYLMzLp86PE4cOCL1RGmjYd5P8Vr@uAmMetE*>J*BH^5-b_&><ab`sd$
z7p2fR9Q^ruvDOE*w)}&jkPJ_e{f>X_&Q0gioM&&Pos<$buXeG+KqyUKY<hvTpip?f
zzEI!aIa>yb>FLKrYW?Vv>Uylb$Q+cx+a?T<3{cLTM8QB~<?y{lhULwYL^168+gSHF
z`IY+P1?Rt9viCFSt$yV~Q{42$h2OVUONwZ?wn~CYQMOf;H6#&En=`tsFKhH(r43(;
zP%h$1Vu(_a8P2QL-Mf~ATUHr8<>;v?`%l6m8pxmk(bnNi<l$(U@u{hyv8<;+0K~Z|
zbN?cCLBbyhve8RrObZkZA`Z3hB%97|*@-3zrf5nWKsxNBQOJYlWn>$n!hA^f_zG!=
z2S&0oXumw3u)nP-LBJ3i4s9Y*mG$SOtB2WdhUd-=Wv}7#iaK#f$rq&D7-1JB9P)d(
z(Ye|j1KEP4Gl_^o;SV~Z#hiyQd6@Q6lRs6S<r%tF`cADV9s5SsvWQN&;}o!lGGmO&
zrRu9T!%fQK1^WK%2@H^ftzb-ET!H}i$GnJ;zAn^Kgkw-7rNM(VmF6FpT7s{68nRtj
z0Xy!Z`vo0~4#eJ2kA!g;@2psw>xS>m>sa%B)=`*d*cD2T?=1i?A(9C+K`65ox^zx+
z*bJkD3_(?z@$tT)h9K^nKe68etJQ5xV)szZ3?|D#12tugMd^B<AEElk(dGF+pk;w9
zGEsjIt$hVvJ7cHwerdYg*zpfHCr;U|-Ag)?aC<-+&D=Y3+|A&SnqyW(pl~V~&l2Bz
zU=<!~nWh?YL5^av7@?HL;!5dDxW+qDf$h}2fc{u^jn7*PX1|L|c-O&1EtM7Z9Okpx
zb_bR6QSR=$M+ldcU7<2TBk(aOpWAz#1lsJpb0dmphecnS!*Q!mWpg9>bUm|yCgS0T
zB7~vTU!R0IULLdAtUIGUz%u6g?tcr`ST;Ot>oY!{3RBGUg!HrH52tnl`JS3?G&c^D
z&SQurgRrzlY1-~_3f}tBgL?A9qNjjBj<IsgZ9qC2gAdO<q@6}eBk8E9q=W?b>U3Tv
znpiI<0WWJ<WGV?P!aO);PJrfiN*=A{Dab2zlS}7urURtr^uLFCe?B}hIKmCScPMMi
zDiyE2F0zNyvGqsI@`7?3!<<gSHMs8Aad>j2I$$Pv4&XNtWQOUv@LQLi4&vFo?z4+z
z%NKXFU?J*(rnCAI(VoCD;AU+~!&<VoUacWkWRRqG-zvc+ig1Wk$K4?Dijqe-KJWK~
z2J2_XH2lh>05@s?i<k$jeXOzpTYrWhEQ{6=7cp3Gh@|6Ml_tXm+r7bzF%5ep)S5eg
zd(fDf@<F^DJ-YBxl)H6v(+i8u3A98FO}rK98j&Iu2{GDF#h0M34o)BCgX5;>;qan6
zZ7ixc`z1D>AEwW*AK;VPIoEJM@H05CLXI~!>~ic<_f1hp6jqFSVQ?EkSS)%-!YR9k
zzGDEp&`o*iXN-uI`aJK-#C9o!<e(dF(s}O$NRZ4*>lJS-9xrb61LNqbI6ZMmw;&OJ
zrzgi=20+k($+p+uiV~=am9XDMhYl<gGvzw5u??jNbrE%EPuZc7b(Vs4Zit<Pn^n!|
zI6XZzwutA>B|rmFT`dmhO7mx>SX2-wRgnQO(DtLoAsoXqf14gB65cAI(eR>%phB<K
zWjUX7Hj)sB;+bPdUimH`TzZ=IsX8|ncSIWM*T;ypZ4K8dlC-X*OA_Nq9TQqufaB$E
zH#+l;!h%OhV0Hl!wQPD|4OBOaGIxQ-{N`8aQ2NWUa5&tiB<UqKld5X}(kQ~B#Xmf{
zMIH3-RHhFcjt)qzSL<;LI28_lE+@Qr%;s`|O`^;LDJU(N+K6SpGcXATPI~-|etz!9
zpJp0uRA-FGuEp$QI!Rt)hq9+03G3DM=ieY1z2_6*t=-T7QLP#r=9B74b*iEgZ$^-`
z8LUQy%cUdxTYJJ3HN|HZAEp^h&P8Mhn8C$7Ga2zIr#k}s*y_eAG(6df)qZVFN?k9K
zTUUpz^~22eHG{0k{;3jOwX-Uzr9>|<oImDu<Lf*w`TfR^L`=62aJjQ!8(2p3;5-8N
zeKCe}ilio5Sr)!ZNSdD*Pv@gNR&o)5k*X6hJe232cR!bjzNjPaR}p7dIojP+-4R@^
zLdx}Wz_XHaayS(MM-0m&`txzmQ0zE0REK-S!ve=QW2KZT5jM^5`z^$p{{Eh&pRmua
zFx-D+u;UitJc`q~G(oFPb9&T@nqH!$!I329M;aBO&-om)*iHd6gZn7aaU-!9mcE<O
zUF^rb9y!^2%n2uV%rzmTEywx;px2B0bIUnh#^i90xn-dFgxQdkv9M|WbFHG7ZFO0-
ze`*U|uy@)RXq~mz53UAjQ^Co)l58}V%I`qLlPTkp%ux7e?>+;`P~#~!Su*0eY46$a
zLMwS8Yh*yT56J6D&v<Qy#cBgRbN(yXd7`<@h+of-8)AWrOiVsc{7FIleC?j(xAU;Z
z^PsUostRjK#`96u4x_~+UifWc!^xE}WmT!Q<PP+Qc%%6n15Oa@6Td=oLilvn3JDi+
z*7ldnxXdc#(Gj^xt{#*y96hb~jU<+|wZr+f?>VrrCV5mTJh|T0X>88Wm@#>2{3&zY
zlKIs8KfS+qZfKUcLUs*4xNlS8@sARTT$#Jgf3{j`s5QcMtZ}N#7Kz^XABQT_d=NP2
zRzNRojDrRB?1)nrf`Z7z+!z8ylGbhs{Rl^1bHsyXGe3Y0(0z8?ODq!xmB_7eK3me#
zKL>?>_J;ChoMFxRF)j~~lQ3mkt|(EORBTj-r_|Vv4z3u7=coHoVPjyJfx#>YwAV|p
z$T$v8enkpB*Ajoxk{5GS0ENV4*se4+Av~;8N<XH?q<$_ANo2BSJ?bs1trVazwP?zj
zM8IS~oSaD?hbYBTSIW!znrQe;q%qgiut<3@S`#IfxUS=5e_Hn)zHoAM8#5af#^y^^
z1`+TI8{{wgrz-<Iyd=@2(tIO2id3b5qQclK)f$2NPa;EQ)`Y>}o<uZcv9~?c>1@*H
z_?de}l25O!gu7?1P;&*+?$597z_i<1okwaqGP=P=Ou~FjR&9^<<KIK}>cUnh(d>U>
zFvx#UDSBP6PpUc)GJGSDn?BN=4$=3L1TyANgf_kqlweLE==(+2>p*b1-iCCA5Yy>%
zgr!`47Zpswqo2hk8xN1NN@1y3DzFxh#8C>481^iuo+1Jgp`wuZFg+1}al3paL1~UJ
z$$_0oH(nDwd^rdqdfuNRz#03H=EM#Dgp)VExs_+Mb*P_POU#DHTkna34t5F7<N3z_
z1(LZNX()3jW!;GE_zogBoQ*0o2Nu*-RMbHCdv?s=@Xel>qz|@^zwUJq!^;Iq&vV}x
z%j=bxqaM}gyh=z;i`sX+5&a_+30Qcrv8H2PCt(CnNN+8Y8#M^Hm1MM3Xme{?O*7ve
zdgAvV-ax?T(G?u}HbcN4+cqO&{Gx8nxV3|W(9y8w%Rw*{78jgXB&n>an&J3-*e1(x
z#e_``iL!)Ix}T%2FX$l!@O-!w^@%4UK1%lAOMK#^P+}F}Xl-Rc_^GEAT_4QjLdX&?
zp&?Bwk~dr>jVQdN5QR8cT~LvU0oTIvgUg)^36z&S-%I=r<1JI26pP&oy!DDdYLQ}w
z9YDr~!kbK<GkR8+?O$Y%+|9%L*XoMS>wN|Jv!8Uc$6bf4I5et7rnC=icq#_JBg_-0
zKe0(d!(FW&UgftB$nt}J@9B<DOYpDb_r{M<ALltg{E;smn~3-3rx_I2_t$R9;O+$f
zk*Hq=x%VkGOCx0Il0C`E+SAT1aW-zqD$9xx?lP}x^p$5_Z*wU24CxZ$H-=bVMJc9r
z`@^PUd8mGXS7Wa&J9=trPwYT@A;l)R1jD#K6}HT@Kx%mYxrc%q7kAK<Wk#!ibrc@L
z6n)L-9XMlxw*NL3Iv@-JK`9|Uv|#&Z_t-|7&rpUaVHpPXxIG%B+Q$v=y;>FZt$FFE
z$LW&<n(E}<o*@*R6OW3(jQgy42Ana(j}BlXG1wJ>L_kLk1Q`DG#1Bsh-*w!O^mC?a
zUyJyB_{c5?n7A(j2wpfi@Of7f;4MW}J3MZjy0M9bIZ#UL@#wK8!5;T98x429SWQ%8
z0+;&wLEPS8s1^(S;qse2H)^L{;myo%Oozjlwg!hwh64K*Q%z{zPPjiac|x{9&;tXy
zM2V~W-b;+#o^&|$-5-D>ctzRmlwwHjkCV4&+cV<!S9d{7oIjO!%=I6CQlPngA@iy=
zAo<nN6%}%GgNwo*3krbfVRE`6Wgz?-8R<e=*|922lBTn>keLUo3s{uaL=-JbDZx~X
zbdXSphkFs`gs9;tma^DFad<>cEluU6Fji@oEHhmJ<bxt~w0`L7QWFDDMM)5UPkH!B
zW6}+WNCC)YGZ5`*7!j}5Lx1gQI>5k>h7S<C5JIyL@`v(K+aM{?pnKGR3Ba?skJkB}
z5A<F`gL_4*>N8hT8x6MZJ{;00)|p2Qe0viTGC7TP)!(%jHXgS;H-BnkOyG=A3<Ibe
zh7b4z8Z5m_g-BC8?#J~#?gpem!T6Y<em?PiA@JdU+dDdeurwuzwb2i|Yf!(w$c&4i
zEM|&0mJ8>NFy<b-p{bxa-{KnFsrv@ISi5_LPz7)%#@_LL$`v4JQZpON8Qrw+i&@L|
z40gGKMP=fpnw%IGb;3e`2eyQvW%Yg{>)UT3Abr`f_;x92Mm(SYT1ECVCEoVjBSx2$
zm8y!-uj^m!y9n?pBf3Aq4xh|M^KN~2#hUL*6Ok9)ZQ#<TNT>za)aWRP7|$IE|G9oH
zxBKp}G_#|T5{H!fePA0^eXd8}uU$(b-h&RM?tAp0v%OF7kN?BjHwISPEbGq1=8A3G
znb@|?iOq>^b7I@p#LmQAvF%LEo9{d4?0xpW`~JB<*Xr)~t*)x>s<*4^Y2!d--(wU}
z2@@Dz?#(^nn)3SeAs$eZB3&VNWSO()f+eH*Syw9Ehw{_dAq<ad{7%CDfJ6K|29jI<
z%4V1ng!5rZ58HY--jBG8qb->!*Rh9*2o49b3XtFW?tV~a#2NKF*DDRM@w6QMjb+MP
z)};OK-7PyBQhYoecReF=F(LsYb*CjY*E0;?w$|B#Hqf|p%PTRlpv~&KX21fE@v<oX
zPAs|77tY<6dFAfx*26UTE~Q);WADVWdG)h9A^S5ty4(wjfm+>2$XPvCn9>n$U>L8r
zB7M%qXk+({1XIJ3G@-yh|HYg_44~UU&nBrX=RW-c!Nfs*SU+)(W#n&9MMLHi+Kw;Q
ztWzPQ_R+L5HdaQIED5j7J`HVN5xsxALm#IzkDq;H9S0&&SsFM#0!_p3K_Gas2tvE;
zkmr6M%wd1q^NHt>AJi!}n8gzy>p7Ww_*499TYIX!YjJw1n9fRl=XaB~!SQsI#aNm`
z<(muQbCfSGLEIE3s*=cvm2~aRd1`IE9)4&nmLJirBlBDQVVpZ3v~QxWV|R8h<`MBQ
z1&zA!-ZXs8>_Fa=mG`Qdbm$1gIgOr{auDdteQxhGjE}A59CG|u{1VAQ9&enR#DZrn
zb!B_-DF%0#5;;7<{mghw&SU7?iv`p<0w45sF}@H}c?64c``c3JN81_av&zp1VN|T)
z#=I;Ug54X|%dyq<Ym55UC>3ZB#(@zr2s-ZvkI(zH`t2pYKnz&gXbc!PJQpWA+2C)H
zTp3&mqQ(U_mG5CAkPuYmM{1hS+o_l{4T-fS>0$n43_PL2hT_*F{fS#f)sc~heF_%a
zp$qyo!8KVY`)Xn{5-`#gTjm?@zipMxs+$OB`+sUSAY(V+5_G@8<PXaYiab-}Vs7~+
zk4A@QG4Q<^vElM~8Hh1l(vsnQz{2Xi1y!d}!XaixIP8)eTprui9q#>jls(;4aZ=f1
z+FSa97)2nDib&S{)`l)_1bcOMBY$=DxX~x=E~o{k=YAmi`nYR%w0bU_K60{ilsy3z
zDL;H$l45lIIvS8Jpr##isrD;)^F9uxsw|`eL#kd`QJgfjA`54w*2kQ?r*}Dd9NdM<
z*%L*!cNkWR?E9XoEW^1nz9(7@4-<40s^V<wu#0|Yq#eh3Ps%$9lP@hvviWO%%`D1T
zE?3JjM$C4}=DX06BFpvmtZ3~##UBwz)~CUjn#BI4O(y$C`zScqVuqy|jX!@b8SgJ*
zW5ar2uT<7URZUqP*qVYier7|hG$Tm!X@`Q_{R-v7FMo4Z-o}+h$8Coja^v>`VR0F}
zOE#sfp;!=s{gYR0yKxmzokxZacRNt=EwT19qZ4y^9aXvAqafqkx^~r&!gqR2edWLn
zUT)+4TO=h^1$`W=>*Z#~O8(@?9C`BHbtdY|pSHKZUXHnF9y@@-`tILnNcXpxXxCFi
z@Eo|@Z4@BWL1*`Tr?>#>k&M0`{NtDFf(pwc<^d{nC7uy-?haxQYPfR#i6yW;nH*3E
z0|4sdR{3V!-XRtXpqGCV8PNr2LMB2Q5Ob5C4MNvOwJ@u`3!*KVnN#z%|3wT|wz$+<
zN+cnRs~+t|PS<~FtF4wvv8;0v7Z@YkA!j^WAYHq6j0K{oCQdrYjD7k3YD^~<eFo3}
z&DeuJq1=Dmi)LT#@wNhSW?@y4lKaUEGd|GH@C}iFM&mk-u`C9DHHN?WQk(&Mctewi
zKrO(DoQt^mBY=ZnCz`F>Zn&g|pLmVMnl@o6)j(f{TJLQORt5_R=-ern#g0`og&!-E
zWB7RTR?>7qMW(wt?gklcoQ^QN1Rw{Yt%BHidbEO5r_m|@lXx`-8yV)uAN0gB+`l1#
zfg$ujm>yPPwy7H(DpnTupxE!Ro%TasaAyNmek!9_HMKY(<HJ;r9}$-u0(Qyv2xAWh
zR+r`$!T!^E4|G5AS1gQB&LY6#rSN%wH&elE-AbI|8}^$VxKbDkiyb(vp%=x64g?h9
z&bQnSUVZJXjmd}9lc5o_BZy`$L>BKSHt(hwf;*?fJze#M=+gg&+l9vyY?T<Fqur$w
zgO(AS$jkxB^6aj}cOXBCv_JUcCzmgio|kpGAJI{NUu+KTpxZb3L`PB_<>wzLB}$R-
z{9ci;B3Ip4_hvu8Rfqa@CRJ-6xFui1Ei;K<?G~@Ic8&K(aAX&oF?XsXBe&dSsn_jK
zZ8DmVAi<sP1O)6+J`*-W;`55{G{kO%L=u9=@9u4O8yt)C3(3e$ugbR<x~7MaC^|e|
zbPl#Ueg}y@Cz*-Ph83%tw+#KziR~OtxEhhZ+&*3=3A#@)8{AG7jl4Q-C-_Y6qn62e
zpbbHQ>J3`1F?bz+a(6e{EG{>b&GN%AlNHmgfqpz`YLi_RY**BEeY02?Rw065g)&i>
zxIXdJH!$K~aB8R~1+Age3sZ)4BRrg;vS&%%I@`_)qq7;X%Bk#`f5!`U42{>iFB{GY
zOxz^okzD$vq!pulDBnkIPP_Qt3WuF1BP$ARx!->KRkDK1EB@~o!K*k@>vrCymZ2Y(
znxm2wAi0cWZ4Jbon{|{xx=Z+{vP^=^nh^BI4$-a9xCGSsN0olUYK1OmND}2rL}Kx;
z&*bDqyM7@jZ)Z#G&XI<l<@e_1&5-iTRbmsszUk2(mn<ptX_&Nt-Q&u)JViBORI!vK
zPTw2KliMuD!|i42gdm&68H&++>ql;F<wnSbRPmGtKw8Co*!mUF7!j5f`ZqOu{m_7<
zvZ0Q4ScAi{HL8dQx_gLFhX=O0!9;m7sp&h28O!O_?eECx(L6~Y!=BAsXgsN@=#M>G
zCOE@AMu+}(Hh0T+ud^_Tp;Aew>Gh7M{i&ISlFuOWKIW=tK}RTAIn{wxXL+EB(h&N{
zlHXN@ZidWbpQs}xF?`0QtSP80drW44r-bjgY9i?wB~Hs18N4}+V5)10-*gt#64a=M
zz(zAh%}7#Y*V(tpk=g1%G2_;BQo~i*GajZ|Pe|4{i-3UTTZIJ7G(oNSz^h#fg*;o%
zM6GXJ+-oV}A$B!&kIwtzM+?iK;?3^?hv+$_-F*Lp1u$O1FcMiya$9MzL&_TPHWUBp
zfGML&_OZJ_U64^W3yhJZ1U$!`1Wp<{1Cc#u0PHgYnt`>T!v+WF5<Us9xs?n<J~s|~
zb5@K8rIIKqa~mv}iQ*3;K1#G{XR0%mMKSpcB7Ng5V2D##HSBG<qXF?`X+9GnY*hB?
z^!zTWEBwsNqj8C4KmE(H?hh(b;KwV&E6GF?!jkMxI;CKet<C3<oy=m;K6BU7%Iv=L
za^h4UaJM?Ak2h9RhvQX=n1CT`6SMH#Jfea~6603b`5z|^$1O{NPi9IY#YAy?V=p%m
zkNfOhlP3h7Gd496qsT6xpc6&WjW*_c&G<o(FzeI)mg#3w>SZmp69i?E=2Qr(^UXd=
z#{=Tf5I}{HtjBcp(Qk*_Js91mg9b!Mb$A^t3mTb(nTdnJkV3Cg%(C?TA!+ZK6@i>7
zdnz^CR-rsTNh1XQ7L`q?r8By{b0kkB2QNcY<uDP|qmMCF?QKcK$-da7i6iZ+6DzJ|
zG@ZjFiy<q{^CxGDML4I9Bem`hlY!1YITa_Z1<Y6kTcgT^<tBV$dQ6t&|56iujvRTN
zT$U@4L9Txb<QH*`*yrrBg5S_-2mDTD7=)GQ4_xAZgh0=F-rWb^!%Xh9p&XHkm^X%4
z>~(*gIksd&K6<_(RC0tXEYfUEDz{{@k|{`9qma*D6iKMH!D~ktnvVxn$o%p3kVVQO
z62y=~PSE1WPyBE~F_DzE1oN$!Cn_&!aQQ0mwy7(|2B1U|O|ko(Pw=30;*%G7xv|8w
znBfW0F6EU=uQUa9^}|<GpKJ5C_0BYMR>!k&Npa=~!~%F)ws5gYklPp0j~P;9ZHC8}
zRiZmb_HtWgji*=X68mQ(cCpzvQ)7Wkx^{9*4i8dl$9!aum@-Bcs*f?Qf#OtytDhF1
zk6qop*u+T`zat8$iLa)2t%?{ayJI|J1MD7!v-F{-)KGIEm*nrxv|TbjeoL#Do#v?b
z>#hkQHPjwBTIZ1XY4E!ugP*nTdY~_SC=rrMDJn#rWUd>zP=hcV6#nG2ftVkB+r$=?
z*;?pxF-RpN#e6S5TP_`#>EAA0Xc!=g<)QscR@Gfx-={DUc`d-XFk{Rz?C(dQlUOm0
zp4UPbJ}IOYBVeXFLEDm=`Z3XvVbjgs=7tsY>D?g}1o9%+*`dY*<qhBG<c&}LcTEB+
z#-;!zc_n=Y=Zgf0yrsmFKz!JxFHtzt1gbx%BmmXw<fKH!p%4uz#g^r#^6qbBgG)`?
zh2@E5{NLa)#mj}!B>S4NwK_<GRCpEC<{ETWrL<hh;Ksv#-aV+{N%+#Odxg)}3rY!*
z1D6d43WLU7sU3HaJ($s*PoYPFYv}+s^$eS``<w2+bH=tlaQtzUlIE35m#scC_>q{L
zaK5|FrASUj3yjEo27|eX!@3$p^+|_|Ek%c-asMg;eTN2#D*SV8X&NKI2RU#%G%I62
zs*s`$2Ft;~9IEK6s;pja{2f+2z2}e}*~?Kyfs|O+fsD`hMKn1UY~dRPwiUI4yq!c5
z*BQ8ea^-r5(RDt!#?1!D;~N~~MV@+?j6#~W`Ay?pg|NQZpF{@3!PVbE7#jB=$0ry5
z7%6;_RK_6z2V$~R{HHL)F~Pgz!JJ8PW0E2^69uJs9v6Cjdks{(va}<m3}mbsrQ_j)
zuzzw$xw@YXJigL0Q020##!s+HQcyCP59~>_P>i;$O2N$113C5ZgpvSP<xHZ{=UdQD
z_GdE8i*e4rAB%)h_$=7MAqa#xk5;H(Y!;R`ni1AR4EEJK<3$v0WAN7kJ0XRyFHUD9
zGC#1<`MH~qt&aC2nK&JGz$OQWmBXB1a%9-A2KTO$%aSx^3u>xJAl-(SZj*0?JeZ!{
zR|y%eaplPN3EfXvIh85LhVqq?ko;BBkOR$fNZ}S3O3n(C66|2Yp!(Cbm_3z<Tk_HM
zzT)4S>YWZK@uDNhF&08;EfN28kvQ(9CBR-FjhXIYf0sC=9<48r&rehIHRnHteyO*<
z*cMZ4Z)}pj6|y}QLa|i_%mSyNU<xYC-N>k=VaoKly1d<(7VG7EPF@7m<dJ90LlpJJ
zybD$24wzAdwVkgYkQVJ85xKZBIqkmYr}~Dt>3bt&1b7<Y>Y@g|JOmdcTY|Xtn>M8?
zlJ@3q5FMdTe>EF5aTHgfjv-GtA?ZYll|2qM^Qa&v7^h8)mqDnqpXF!~VMN9;J9<@3
zv;zaZA<8H129%&GIdHPW)|nP+km_KM#-c5kLMi=NOe#MS>&=O)8S3s=Jy#|y2zV+(
z*?xJ8f4qarqI1nb5~QbSAmg?vB~3(1DZW38xGFRTwtq%I%@~YLa&d+dLGl|K7F3Hi
zP9W~jYAPxPG@(zW;djgvEayx)yIyyATjR>3$jE~0tH<fcW{W}W_&xx4s@}bGO`6(j
zl#eu26d$bR<Id;DDB1TH<t|m-{`mB9anJ^adf;1jqU0dpjLissp;>8a^v#q+zQS4d
zM_!a;Sm=AwQlB-h1`%6vacV#8d{m2(65E7N>%`|Mo(1yhXA?h7)n4j8+!G~i_Ovum
zD?ZB)7|CUSK9fV7X70G*g_9nuur=KaN|}0^$NUYW<9$PLkMc>Jh8lTXvL7)tUa4PQ
zA$%braYsxE+w}s-)4Q0oYbp;z&)h#v8XM=sdfhy9-7hXl#uPDr=4}5AG&E6-WU?AS
z%Hv5<mqVzT%H$45Eg^{)@>$utl~dQ3C0ZO^Zfh>^7!o<wcFR?saqKZD9z0uF*sH3b
z6$DS~k0C?-ox;UNml%IcNfM7!d-9fg)I|)3b$d%vbY0{>ZZlSXWK@_W{}eSov9;8z
zs<HHne2m?<GKdus^&LgBq2{i}%)rj;N|mFKbZC2|3l!LKiKO<c4HKG*VW-IqzYzAP
z*F*C3NBM8}@aX+?5c9lp#*8674+hHOQ?#lLHrA)ll&4_K`}_815`P5mR+Dh91JiI_
z-#fITFmeJ@pMH>F8&MM&+?+VXmUwn*)p8&h3xNlm<fV5&QDjbU&eu*x*I9G8qa_>!
zbZWG8d%}<Yzw<WVg`pa~c5MrGl{{9dNsA;r4gHpXD`Jh-*I;ZHN9Wh942&7w&tjk|
zACtx6&o@q@if_pg=8_uitw@S3wW74|DF+1M(xG~Lt90gBu>Up>=<A}#=~<YI#%(G0
zTCMFQ<_4BH5rRk}RA%YutQpFfs?T6ZAu@Cnr^=u6RHg3EinT)C4=AM*GGG6q_l9>Q
zH3esho|a>RWH)*$;m=hu3CLb=&o!&5-pkd%2yNacl$RASKkS|{#p3c;9w}m+ZwbWV
z@|q*^MNZ%0;o+Srs`%Np(e#QU3L$ZhQKJ^!nDf<SZX?a)ag!)BGw^~75aCk6*B1ic
zZMae}wLN-FQq3ISrlz^HLXm*kS0jzM{SgGcTW7tjbhdH@TO5TK7USyi=si)Q(P4-|
zo8^rJ0E8i2Tp%qR5++)o2Z#SuXoY$UMd+Ve?Q=*{A@Tk-OhUawIffI>WVA=PEvhB8
zEr!Or&B9(A@=X_XV3JK&3a;PQ#Aw^ZLJD<UYJP^zQW&{iOCI~@X2AjX>P2!<0SR2x
zt%6LVqAP@!F0m}6DgZsNS`9)PHWhuzK>JBEE6S^kj7{NGxdgk-B41<*BEAbci-Ut1
z)F9hQC46+Kb7V8zw>GC%P)lFh^f<w3DTCmTcYyd-#^sxX{R2BL4E!+0Wx@w+Y>d0n
zcEwM|+GQ?tWePh7!Knc_??CPXI|Ff%oXFw)?nxtMb6k8V*U;#p?C>l;Sqip0q*Za@
zFKJ*S;NqQ1#F(jX$PwPqgSAfeLKqaV?uk#*rjlgr%y)6zY;gpHWOx;x3w{NY0%($_
z`>e%BJu~A__khKqG9ryn$V+4c8w7$T=)|H<79TA}gqKP3t=K=BK<7P>_Xvr;R)0Zv
zV`ro%ht?l!s%#eT%$rQyn0$Xsc{o^t!s4jC?uQzHaxnu8WTyRO1Ii<mCD-}oYF~xZ
z8`~4@2=M4CMewt)PRWJD<>|<fR;PfoYT?i%nx#x!PyB{HTG-`Q;U@FlCmRN#SaIF(
zVmo6CmiW!lx-IQ1$qmshKY#8%oEB9JQy5L(+gE;^;1v$S1yVc}bNkp6)RW!2TR~7Y
zRbTAfMf|e#6_zCDI_vtPtn8gh^g$9Yu99e4%rj5sl-fGdFENr8EkNN&sINz(L(?t-
z&`H+P?J)wyfjj3%D)Ctsmm1NDf@&r=t3zhAhZgC+=<3^cF~xc`dC~^TBLsf~1J895
z__Bt3t|-DMMqiR+r3$`1I63HIU`);)RmGN%2x3EyjcB@;At^o#MUP;+cNt;+)g|pL
z`|AE8ijW{VphQiJ;W1)vDZ;*#Ix$<*QYmkOTgz^KCJ^yYu+RsEEN0-tX5L|+eg<RI
zIAur1n1b-6dh`fYLk0yeVq-NdUVHPmM5F$>BDVOY_J9n1^@PpT#WJ?WPBB^0OI?c5
zU&rt|F}PB@;AOQ4aZWa{cE5N`P3F8&r>y{suSb!f9j;pfN6=n3_b9K6L`boGAJp;I
z?|m#4F1lV>|MjKJPclufn6DV}S)Dol5cXXc2d-H*%wBj>Vs)h^>p?7K83W2rT)S0)
za_H9iX1vPg(u)NAiU-%<7yhd^a3w-9O(7inrV`Qd3YaOvsyOd6$L5!e#w9x8(i0#m
zy=__CS@T3Wk<dtuLBs!q;({XWe6u)ssb3}Jr%!P^3k<YkZhkhsu@_cWesuR#q>XDv
zWr@{%SiLlfyoj3mw1B+dxY<p|BY`oM)C<3z=fs+)<(!svq&!oz>%e8@oDDYXSb{0_
zX7j`D)wH^Mno=*dR^caX7(IqaFnR9;Gx@!7H!I)KKVyKH{(|qAdxu_C!gdxp75Z*6
zS&U%6yPt5#ZdKd!4~Ts>B@iw><OakGlWJKMW!V9HrS}YuwxzOK?qIiq^3OXMSjaI6
zSl%OCrlf1_w}J%v6nS*d<exPZRQ6|UXws>jK--rjlkX<N3@gEfQU)jR$)GAOu441h
zCb}J={o^yRd@(6OOIU>%96hVWHr)W^VYytLa@daxBH6?AvT|&i@M%M9s29r$x$$L7
zvUr~6?;aB<9(Q~TKgi8Go5vdqkf#_t5;LJ%URv{V5!ua?#7SCyA?R5WV5fU%ebk@U
zx)_P{j1T7wH!lA{5_~6At9k#b@BPXZ0MZp&lB{@o_F<g`l@%BFC5ksSsLG;=lBB**
zjBeAYa7i`A%EUH7_;3n1Ai#*&>dp=Axf3y6qK~8|cOo`prh?kLv-cb5PE;c4XeZTW
zCt?zzEIB#1Dgze8q+Bx%{4?I#btH+pWkm*!%!>;7K%C}-G)YmsTj0$E{PD;GvW~|%
z@xku3|9v;G$6(qt-z?%sEPrrVX=<(I#KTe7324NTkR=u~EU|Ar(r>S;6K(04A=b_|
z*fXBQG%?UJP_2@kF%PATqrUN&vXEO!6a-!VHm*{l!5G&<L{}XjRi-C1<iy1Bl%<^S
zO6%>`%|72Y%o=~Q)jIYA>jcAIFDRv8>lJimgnk;bTn!aMAMLr~)Rv4H$(;#<aPfQW
z4Z2ZDAySFX<C#223k|6Kx?A=L!jBZ%s?6JaTngdTB>tfJnU)xFHr<$7$;BFK$*u@U
zMy}QCMun6Y%a1IA%pdt>)+5|7iYpszvA4Ne7wP3R?%{)l&c{<7UODwj;Cc9!K(wvt
znj&MvlLY#hXns0=L&QT-QSd7=_-(lczo&Zbx>ZqFei$&0I3R*>*7Fkjxbs1ey<?Lr
z(Ha;8MhYg;_rsUA<J&&nM_ShS%Q%${&GnyVlGHg7%axfA1F@wappJ)9g`A>y=n+(=
zLMejO4LakW5CxAqJC~ItZSBeNr77|9f;CyrGaTiX`{NGLRJMY;Os4Y!XWBOu3A2v&
zkr`~2v~0EZ7a{6;KE+~Qtt#t#xT=>Y#e5%?>w%1xCXksrKftic>YNckc!wu?3ZZwA
zribd(2yoZDnOr87TX(xOfeq*KUQ%gK=-#)VmF~|8J6ZD|ZUt)KH=<BbUx}t8pys_f
zHCb4@mZu6zSTjSKyCT^cX!5?4s3&X}7vDheT}`l+6rC;+ZRPXN!=DjH2KTrS=jP{{
z;VH!9M)W78t9F|VX9}B$l_x-GwXAgrW3)T)2i|EnAEUEf$#EoXdWG1OC^PPsaa>&o
zq#BmQ3=b3dR?GBY1IxZM@xyn_+hm8#0*m+5dt&PaZs$=YBNBw__=ywO0&nTRdKt^2
zUOZ>lUe`PNz?8PM<rRVQW;ypB3qw+lm`lm#RIftbSY57Ms`2o9a$Aoi@r#<(Z|>pc
zX1FkusbgJ5*K*y=&LvSi31)>ZhLNuAr3HG%S7BtPr8>Z+8}30Q<GH~2zQ3dPQ8r!p
z8MgElKO@)2C$lg)4~@Qg)^h9!Swn27cVj9@jr$px4SYJpiHfYhXKA)e<OoB-&S7nh
zJZLKT%a6*gemVpyX1d}^r+S6vdl(UmC>jh9a99&<S3rh5+|-l}`00q&7s&5uxSt#2
ziq%OHQx$c<w#h6o%$IE)<B1SUv#Qwu^_2C!30~J$dw#C@u-mOHY!ybx{&^}Q%gfI*
zGO-QpH7?#Ef(g?|$&&ER!A8QuF3-KVfdHeFl|;_Jp$uj#GHo_VC8mDmP}Eh5I!7*R
zvgAU;j{KAK2~sLT!p<W}R}2XY*gZ&b&1NHpe!HrTZmv*KZf-v5tfI7vp$jJyrwS3(
znhC~4#GvL7ag)-nq^B9Y>C9sT`5k<B=WAp|HHmq*S(jyzUOe;^WvQO}%+Xz6<ON?w
zZ+rf-voYEq=je>1R=rY0yWi{`@QsM&^$YtMchzcRuN!KhV}x;oe0W~&s)Y0+wJ#ng
zTyi+*>zbqs(Mzf8o}Thg2LxXN&Vp5$9}E*w`EYXLRMV~)t*1p$)lG_34AzDMi%bA*
z5jR}RD%-u(h(6ZWR!c|^`JW+0k$i)PIo?ufzwj-Y<AXqRY~QUgWY$)UX~WyI@$s*2
zZ&md0@v{Mud$!K5O{zLhl>R7Z5}ZvO3kFmEyn8U^`qcJY)|}VmG`O9E2phVLrRqp>
z332T{3zwAa&4VL(pjOS2k_9T~=*>q=<_gggeK1$ecrS`t8*#X~O9H$ERcGsz-{Qar
zzpn)E^+i^ZKgKFj)T_`;NDX0+nY)*vV4g{B=Q-A9OoG2DWoJY|jjfrAJY=csHHOKL
z=XU3bC9#c0(H;U5NWX+rv>2_H0j1T35xE{!HJ8f6YwQ{`jj`DFpVSkOBXbtd2B)bS
z>K^};|G8Waz3i4Cow;l*E20aD&52kxhRh@8fKPk6(+#|Rh?^1;fP(U06wiI{M!3ab
z&ZrcDiJ(dc;g2a*cE^I$H`%<EYA<VbkL3QQ)2rTvd?6%w;ZyL%Thv<aH+#KOkN^we
zwA&Hq<6A41{_7>E#uk$^?0umINjxCP1v<g;_tuU}ULvUYM(~BNZ9(I&KY4UxePKT9
zh9X__SQceK@q?Lyk_i!UJIKtHb_i+p_vm+2{J!=6cADO^1704`Dc>u2KHVAAnh88#
zRSp^Ibk61?s1L|k{J|RS`+N>ljuE*iV%R9Mu+j0*ilyLHCK6?*8(EH?@Hd<~yIO{|
z@lW${>lfJxo;J2h@&aUfl{3Z$2w_2wjIXB#$Zv?sqq*_CkZ<^GlbK9-`^`Ff#OZUJ
z&V|ADkGAUYh}21+W%O0+v>{m3Jq<I&fg#==;lpuw;_NBl#<F$W2tdoG{~C?nwv^&3
zdd>Q{W^O!PgY>akHxR}W;RN5UuFAODZP$guWCib<Oku@x4NNOyLa@;fd|Mv@nVgAI
zBEIZRDB8>o(=k2KtFt}k2eVPL?TJ9^7Bb!rRRpw%sKZ4qGk8(E^79key>9+?zuitd
z0_=(TTm(zRzz>!c5|5{`z&48&x7v)GRIXmL7jf(QnGtx#JsSo7obG@0x?Td%rsz1H
zuvc0YK6^j5T5#6xva(ldO7%(MlFMU)yP0`9UNZ;*uR9;N57|c89P^XXKNOi=j$BJh
zzXJXcLlXS@Lr$IjGZLwrU7}EfhQQ~ZuF(}AlfwrnYJ3pRpW53ZE3yRtVKAY7*_+FQ
zvrD-eh^+b3<a^=n)<!3$kS0O<GiSkRuJ%mHpBmupZ(^X96_cTXx=I`-G9DUqD#F`L
z=uZu$#U!bd(~uk=!3+z)V`8>fOVJ}<MYkpx%Lm`l=cxylr%XHwK?uC>o3I1Y>oIOy
zV{))<6nv)>_GU|SaH9KVaI+kOePK^MSMZZY=OrxyMM|!3w}8>08Xm5B3Zfr`H2YZr
zYx6qO{2an{nT5LrC^QH_dcQjReGENYZLI`mEDR7a*&JeD+}-z$l71<lH+-+lb^F15
z|0pDlml9{`9&G%@7V<#R`YVM}VLmepm2NfDMediF&JKuzhc0tmpf9?7!rkCorx)cp
zyD4ZMA3j&2-=uDb0V}k1#YhxiQ6J13m6MEiJ%~iX84u09SbV#25R$01d05W^t-9j(
zSjelT`@m0F&u{Sf8}RF4qd!+mb{=d(YfauGDMud>pJy-|0o^2QT*#1!qK41LP9to&
zC!=hziY3i&A#VJQL-V5rhK3433!A>e0TP@cGTGw(A{9C>A+oKY-S2Inzxh4T(9u3Z
zebxiw<TV@Ae4eP}NHGjIaNK&s>!)<8F)^`~Q^>4H@z*0JI-YYu2kn`d3ji~K$`{Ls
z_&Tb#0pQkJFWuu-q7kP?`e)`vN;OIIp3frc`nPBO1s6U#Fa9F+SfNeN>|&re#<wvn
z%?`uIs?O`}DbLzdciN#k(fKVTS`xRW51*ZYGStw14ebb<Q{NuDB<%H{U>jP&I&xxb
z++Vaebp2H`MvItDNIk&x!zOmlg%=5uB#)+4X}0)+>wnDHc|GLte<u1qDA{ih)in^(
zWUf-IhqPeS^h(>&=8g*_qE!?oJ!+VkpEF)B@+DQ-FnhcTf?Osb=2DLg9c}BPNvB0M
z0&w}9p+GM(1GBqGj}UP~k*1<GUe*uo>zD>=@y`{6uH(Bt?xm%gvJgF&LTXSg>)W54
zdq1`$>a+qnc@0GaaP%``E??m{-@2l8EX4C@ijvKGZEupOfUbLJUXLeEBiS#E?T|0|
zzc?|dpdC0JiP0Kzilbxz3&0?qyvk_mtEJ-Z>8wiFDp}Ur5*#RPDP?P!rO+c#-<``q
zqARz?knkd2p7okZ(_!Fz)Fi(Z?rJCUN7Z;C>#j3h(VwXV<_MRQWgOkWU&)mmzcIYw
zJ6zXiy0Q=l<CsL1WGLT(-ao60vYqKV3*XeM=0v+bJvKrxEm(huOI)dCpH{y3AhBwb
z);zyBOBCr7RHbSN1TzGO=7x}pMBaRh`W|1eLMVT7B7sAe;kCRcRoU%~V8?8S1!c}2
z`yxG7FN*F9_v5F->-WRR>-*pG{oy-y0L3`Y$wkMG7T)IJlqDIps<qeap>MEP*JhE|
zyZMN<uEBKcJ;`~wxtU61uDy?%)Bw`#l8ggU#=GM{3jB<+PcJLlFtKF!q7(38Fc^9y
zm>72L4RU&n#|vBhZh`H-Q?=Ub#{$B`h<Xhu2vXkQcFci=oi+xNu5C8)vS*Gg*uXfA
zE!uDL?p`m~H@P3wg;H&VLMZ2aU^<Dr^oMnPH#kgt(s<pdc#P2jfAvHd?)&HpaRn7K
ze$Ob{TY6>N@cuj{Sy@q93?NpSzAM-rp<-M7noR1a#@drcv5+}a*i|54m1L~8APJ+S
zneESj!B9|=%I@5675xc?g1Oqdwb3SDV7Bh}i;d*PjX;G}a!d+pSiJi~G8Io)W7<Sa
zSH_6W)B=ljn{PZ%26EAB@b)}hbMA6r_HuDMO<Z0H0>b!4w!|;Zjo;68cqzXy<}&yb
zJsR%lBD%(xUr>|NRy<exJmV%tc-Z*;bYG+1nrq|7IhCVqZjWbh@ZL?S=*UkCwyaA|
zcUnDna@fe!svf6Ug1oJA^t}|t2t`!#zQb|!J;jdHS*a+Sm95|h{vZrf@s(B=M7@nB
z=;DJEz(-KPV1l%Wrz5I|?S&59S+Q@Ig@uxyKcDbru$w98#*Y{!wbfOU)OxzK4)C3}
z)Er@c{gQOP#W#b4t;nZ87+Vdoe1q)_ACb}gK!q&<wi}5sw>z6yBISzeOEI+z_v?uk
zgPZMPjm|yq*Xuw!XeCj~#q{mL*!BWM)iu*EMJV{Sk*|lTyTIxulax&eecBJWeMv=)
z$8+rT9?pPu)%tqoEdfoo1D+>Fo@(Yhx>NLRhfygH<q#{0YVl-e9T{2~CPxE`UySMG
z-{G>HiTH*msBpvyIF!9)&;gNDMdDPZwM=<3oO2Wkamxs{Fxhf|-Mwo1Q4LRW1gHER
zsz793(P9nc7DU9MNnT_CP}MBiFwDYaC8uB`Fb9EbtF9<qN@||Dyuq$}vbBN#m?7!z
zC=g4y*5I7z)#-}%UICp**h5NJ5M4NB@!$%fjGH(a@Oyhz*6=aLh*d)&dkV!7e5a=Y
zHN<sjMBuPIx_Za=o=2s+%0*5<x`c3?oakz_1>I<rgWqtQCboyHl;eQG9hSiNolI9=
zuiuTd&ysS)ifE7?8U`yYt)2fVNboZPux$)UV!5d`zWxj0pj^r1Fr@&o4W8%iC<z;b
zRc`4GW)S)Lk^+{B?F?4qVkfL`O{SD~^zAxr$^H_!!B$|5^9#l?zPtuA?)Nm_gKYok
z1Nv?jMo#ggQcusQ)Aiyn3n>VkcA1&HYJAeWniFg<!L`|i(FX~%+m=A$5z0suR3k-^
zrI@~7I+;9<VLIr`jzu8htp4<Ybof6m;JL-0*_CMXSkE(>2}5rrqOsXa{kh>7t@oh3
z-geQgm)qeBJSY3ce=vOR;tyA+i24RE1l>Jx%vQaVI4%5~uoY_6WMu`e$MbFguQQ)s
zCY0=pP8UqtyO4FOdA!y?N0OEL-3efO(TrqnELBw;7ezqyZbj@v*u%yYqrqvmtf87R
zr|KR*BRpgSN771q>ZpusPE!tL!~OJV_XML#4F$sG%ro5E?guPUN+!3Pq0>u-o_u-!
z!E`(Rp63PjTY&(hpqaZtGDa|Oa&@-8YI%mPJL(PJkM0P8ma$P}vRk+57HNX<^m&3)
z*X%hwRoz{-%S`xULK1BL?hi!P+vR{tacU{4B%pNXv+R(u{6sKl$!XrssuS27FKvH`
zbXRX^4L>4IyP6u{u;Ay=bkk;O`U~iAvo7P^q@qT%C8}vCx1W?S3(wtw&{*GIXa`lK
zCQy7+q5bTK$x^{!Y1-6QFeC+)!^=G2QCt0yxp&#=R+rc1lyeoOp)kYURME=_mscj&
zGp5oylMq&6C4BObd0=>0*!V1{L{HbRBLq@u<)A^M^#)So8)xt2I2cx%X3`)9rW3&r
z6q|BT=F^opw@;f9)H5N_(_?qTv#zT-;m&2c94bE{q%TEQ%pbldO>dW(ohZ)1cBh>&
zui}VCAanHnqQnOB`cRI!Ci#p*U9jHea*TWyhu<TcmWAhiL4bym+SgeIw<y1`q(2Eg
zQJP6KAU2!=2mC_-sCcyiD;hWemEJfFHoFuWfS{+5r@<5yB2JSgXpNgW(<RLKS%Sya
z5>S8Wej4hKTf#c{S>y%a0%!{r$#mIlAMeT<<)WGX7!gsiMmf{r-BulzZ>8kNQDh3Q
zb-fFy$<VVG*5zm24-1PbPD)g}vN+YO@NJj9-E0_P;L9X8wM^gB{N|XmDkv?#wKE61
zCGOpIMW`J((qI-RH1ibwneD#W1qzL#%7kA(hk}fbEQ~57-1?(Q^owcs^m;RzV%&7?
zl?2RLnLp7WLM_>cqdtszNo2QzgmJXAOt88DlC|ZaTOKsICbWpiuo4d}gL{03zt5<Y
ztN@GyJj|8q?10*AAs;(AMB4IG(qwBuwpV)p+!TRcwYr&XzEuMuMc{auvVz2-bwsW3
zvXRajFVfy=*=pglZe(j1i-gQ%o@6x>_`bFDsyiV|8o3CzG|ae`=gp|5-%cX)*4ZNZ
z1%~NCX?eXL?(h_9KMJ>4h)PLkC#u(x4pR-PHW3>=NPJz{UVzaT$P?`s0ezE!IUfl0
zt9wgjCz%uH)<yLLZ294W)*u}ki>Uh;xvK&V4z^=%tLEZOLAbQyIk2$_wcy%@!#KeU
zQ2-YvpWykn=mjZ81O&~7H=O>ty5adlPG55N+DSwTGf1!!dJ-*4H~i@Nz<7evT=SiO
zh4A@qRT*Wk#R`2*Zfk^p0qpCW7p0TR0)v9=1y_lDjv(J4cwMnmr7}gcSnj3^ps2Ix
z5flwj(3f;_4{I&n%_K+UksJ&n_Wk=l5qHZMQBeRv$fO-A3g)jhT;!wthxsg8sSVv`
zgl@77gWWk2s#9flqvK1`4oLSFhZ2?D=ggza(snpAW91Q)sxXE0-r)(X_sPXDIbt_X
zkNmYowU1*PG9%PEr0i_rh4^Vh!(i8or2535xOAb!Y$t~@DQ~Z@%p5HN1mI3K!v17!
z=3~-G*$IL3uON;ks>=5A+&%zA+T6wKin8+ve*2JwqaYPdk2o?dJPZuJ`)%a-(%eey
z-miRYOV~cMKKDAD>(X(ssBc*<^{xWi+>5R$s*9wO;v730CGVlj40MA*_=}tbpFS>Q
zORhURZfxmuQt5&^AOB>iSez&=uL%(i6a&n`@vffs2+gFVsEialk2k2Hm937I?|SN9
ztAt2m2VTinyHf(cW?MOvYn0HlUs7NR`w2`;YI80$Jj@7k&Tp<|PU}*#F(o!M=Gy#H
zKX4<(zw-tV$LhK7KDAxBxD;+uLX(kVl8Wc#jZ-m@th;ckd0)efC{!VfMv_X!W{Go+
zfChq`?&qsW^~pG6wk;@NZ@Tg&MWmzO)N#3;u+|^7^e=hl_!)4UjoYVyoOHN9^`wdT
z!v-_k4T>selC%8^50BP7KeVQ8&Hm<;0!*cL`SAjo2k#Ib4popeddnftrB4$Nz=`&%
zA_G6SQ9iv?!zxma$=wX<NM*paxm^WEIl=~{#uX3rFcryYclk6%>ye{ZwSyTZdDAvL
zUsiHKAKR=d#qD#a)ksn5O{B4GC*{>CK~v(c<*^j;6?^*a$vi?d7RWfXcbj8~P2@y4
zHAtvP2z>?5qA%G*bODQTK8L?4Av|c}Q0+oHG~2>uq9uw?`@mmOSaGrQt-mji5ihhB
z@$K(F(n^WfmM|)Z2U%$eCD9ykkPPFK_hqp7wWoK23J|gNyqAy)BcicG!`m(QjFNhm
z6%Q8gU6}yAxHVAhHX$P;%!(<~H$ak75@vE++-1Dr#I51uMb(S>MVI4?76!{JhUl&5
z-~Oiicsxg;C^$?=POgTWKK45tSyS){qA4)(y-BQ_=!q6A$PdYU9}F8Hh0enV+S2$?
zG4`Mb@Ba~GlF$Kf*0x;<u39fShss<Gz3-4d@7?AKyIwl~U{-p(nuM*5?@xm!rL_T7
zG%S=$hCID<+G1w-WJu!}`xvxFK@UYnX90*lsgR?TWFE4ciVdy!aV}|6aPn)^Z5EoW
zA^QdQA+|!wVg)6B0QVLAf%l#Y-`j!eqN6}LizsPlqOHYPU67#i<KD%wx70UZ&y3=U
z8tk3TzhSkzcigON(CX4R@|xt;^0H)N@MEGC&#>5dl=nuHEJW!XelG(F2}Ee?fL!5n
z9hd*<{V0|HSdtv;z0NyFZ@Z+`x>;N*d}FrwV}!g40$^S*_eXX!Zl3ZlULb))llPQ)
z!;bb9WbS0+a$<rHvj-Yj_@KhB-H2Dr94c9@&8&36(?-$MT^@bEy}bNNuvAX*oMy7n
zbQ+rsbS1`nyEv6t)mil{UmQ^za{dA0^`3^6VsO~oJzcfxedTO)$__u9xKn$#WLL{U
zOJIy|D^Ks2S|i>3Nw5Ianl;!7nv@3EsMHiWdXs1ZHK#M%KCGp8MS2202gxF-tfa~b
z%3mE>x%^uLwXdncd+GAeXsDK{c^FM8EA9F^Y}tkj36}_Npps_6z*qrR`T4(osb!Xu
zm)^IlZy#;KBFbb0)u>nXXDWMcOWFb;_GXhs9ekK!sb`FDS$VjPh3HZzPB$biY8Ozh
zjyS(O$YVt&pLP$Qk*sdXIgG)LfY6iBVYQJ#060#G#?u_NJLyHL&?Dev{yO@<Vt}4M
z_4vc^kUSC815ZX+&A|caW~B!MfPh;_0)m|RVW^5saV`yR&)1*Gy|~MI^ZJMF>6efm
z;Gq3~cz<Qx^J*god7?rFHoie|KeVCYy;=>ww&h2p4-Tm^MNbBc5v77ems0^NvKqdv
zfP<67)xVDRzkYX!({iAoMn>~U-w9Ln!i?w^O{d4zT_r5l^#pV8XxVZ2J^i<2)j!ea
z6DoEoJU0bEh?CX?9%mc>Qj^ca&98s?Gk*zRC^s3UH5_kL`xrUd5c;2g|L;E0<b*<!
z1v8^D|2p!2x(IwC=?Y0&eamOY|Ho7Rr|rL9F#{$-X~D|9toXlQ{Le1tHh;C-h^q{d
z{5MhmZ2OyB)^tB8vS=}iZ!rIvz^dra_Nw!+G57zP)4vUe@)tv8w7ku(FZl1-`>RRi
zHs+%^soRPRDpDC3OiPKE1-FGmcl~4nEPfxVa*krA{a;hj;rfa!Rh^l3HWLMf*|-8N
z!xBKNiwwd+^fekiENn`^L5~SerE30BslvamjcT4pgX&)x#r8S7GC?8&E$pw05($Zk
zh85*O?MidA?F?^dpZv!{H8|hekMFH|Uony(R*=(TzEQ1Ouq?*PF_~ri2Nk)?C`fsQ
z%lO#Gz<nrl3u0pn3+Qj!+DR2O3@vSy7$Bc-)Is*|MR477nOgw|qobb34wD^4%fha&
z`-jM<$DqR$X2%fitq8Kq%BaT2$8%Bg3Y!Qlv2s59EQR@%twHOM)GJl}bA%G~$ho34
zuj8y;uwTl!lrw`M@qZH0mL+uKER>6Sr0D(Mr2H@a`fpj-iv6X5QR2EofA7Hmu7v_n
z^U|NX>QOf$^p7e3ixjuMlM)JzPPosTj{ggD|M5eh^Dj1IMA8EO;>G_L0lAWMpjK?y
z<}_@6{$D>TsI;QhG>e&;D>cap{<B_v#{SlzSfds47xL?c;I$!fZecBAk$Jg$CwkF`
zNTUFN)EyBKT6R3{=+d8HwdTYDl1|^?3;F*eeL-JPTP^c~=p>?KqnNzc6xR41zj&=@
zF%W;N)b`|IcHnHr<qHfxZ6OW_LKR*SkNAg-2>(?e>8Sn{C{n<Mp}tw%OI}BYp}W)a
zC>jz90?2+Nr1+$O*&CR8+B)Hfo@S`)hoOP5>rA;$NZER?B(8Wo(8<@TY@3;!Qu_aS
zzW!<gxz|$QZL65&D(+7A>k$(9MVG%nRstC~UIQDG;I7<?raRJtxt<eLM}N<e6ZZ6@
z<xFM7yc}R`kGDx6OKbH?k_!LdqW=`uv=$UA_bL1^X&UD*h6~(zWn@wG*T-)g?>A<J
zMc=7+AUhT@69&V+hEo**N=!EEoZL@4Hj&VC;Be}Nez@J6XlQ6sGfAgo7mHPeggmSN
zQBnt4XpgR@lNAML{iXB&WL7yes}$w7U!^Oc@{TFuTi<>vUg*``%7g+IHnqQ&3rKKU
z8<j@_*=S_LW#1=kwwSiMI8WOZBp^8{FR=!L9PUEYD7d|yM)tOtEhx5|pxq5#Y$?vb
z`E=#$IVf+Ql7&?ea@7zNuZK%XPlL}Fv*Y;xxO)ClSK?{PB^(=5vUZ4<-cXR112lAF
zCUA38c^uF&=t?Cl!b0h9Q6~#n{q1f70yyegf*xSdD4~7%$gb=t-4|RD79`JxLfy6+
zoj+ph8SI?yL<6Oo(BAD1;G&L21WhZr!I|lL>l)0Maw_#=g2@vHBY8hj9mu`@Od9so
zG32t7c1l$E7b{gn_4;+6qLH05g$rBb84K*rB|oP$gbm<YMvE`Sp5UbsFc=w@egCGX
zpvyWCvATU<sN)H8My{ry;5R#~#7&P8)8AyLsr4Tu>|a5ao8Q)umWEYXSy_IttFCES
z5QJjepg$~7bZm_5AR!@9R!>TF8h79O{<z;HZYWabfA{-(L}OrxjB54GXAA72qlqD4
zwY_(60=aDTn9*P+HyozpjZ{2)xF2>Y4>$t$*5Nk1n+UP}g2Bsl7cK8VOpQa}{lFq4
zt(42IL`Ba{j^2D_-xAzj2^h7|WHtOQSU3hVI5Pq6nnFG@HYuv-1MN?79=zu2-WHh5
zRqt3Im#hgzQlDE_&o25y6S`A_Ylpg#u^6<NSUpE+r=Uuuw<-D??F1ZBPLh~KvLt}W
zaA;%%E=0^SDcNd!e?Mk6pV*Qi=VVK&P=^Kt8%82CD@zt62S!d#&KVc`EwNQiH_0RT
zZ}a#syVVv77`1s<Rz^m}_&F{vZnYMz#ck#E>Vo9)cQD!eWsttOAcW>(%!Q5y;)L-J
zLz4SUo>=)qS>d=6oOeDC^!=j!h-4AR?+9(1NqsR!Nx*5E;DI3WWYAJ(7YC-v;Njfa
zdCcv@J_l0ruN8Xf{v|`V{ZX;+y`^2e+d7!ByrD+ZW+M{6xLuH5bt`jK)d~5S5E|Ye
z@Mix|GyZx1c73&l1Wd;wiXDhV<kyeVpE5B%2vknqcRe5<nV1^7$?@%tAX$EV9BiYM
z<P4!ew+$NdQ=!A*@Ve~_q(tNoI`jbsmk@LixII`x!Wx5SM#2qN{8rm#h30UZ_=SPG
znod%+257mv6+X%f{CV?^IQ=tCXU92CRb4u_wpIaIl81+<`gz#7$vgh-Kk;r1x|S`x
zsE7;&6}8ui$I9xIrbfgrR_w(U6GvUsFDc%!0FyTkXecMB73y-DtK!SbgKjn@MwnGe
zOg-{!w0g}bO1f=B!<JlX@PP7cRM^^ibXQu&=eTZymz$qj7tAz?2S4op6U6!c-mj<*
z#>U)eZQ^&@BG+yjma&04eypY)T^~(_+m?n1&&?kg`_;nL>yyVWPM;m9BGz|s9E6<y
znR()<pRAIaK3CH|YaLrOXVSF8PO*GJ$fVA=vh)K#-&+WKCa{zDEy0}6!W7TfkdbqO
zUW(<1&-}k?w0&p8f3&8{><p~4UnKpBWoc+*9NER&VPN2ghW_4&Ed7ufP@L|dOcd{7
ziE6-s<JwZ!(t;6R$d3I){;wwDb8|OW1OrO<Oiory3Q@DJ<dc$=2>2gt@8u4x8mK1`
zMrfn#?HAMPi%|I~JN=oS*u)toF+v`;<sgkPr{oKTr{YyR_)bYhqYl!cMn$)Dg&AiW
z+FTFyBpS@<$`}%!hHiOc2M*0{J(gb#{ki7RWF}M|-&**uVKqB2wcCxQHjzk!vIciQ
zUZ71Iw=Y-k1x$B>I3S&cy^g4O-kvOz;?XAB9*vwIkEmp@7vb$b8X)E2y9iJ{pSP^X
zxuWoZp!;p3KosSW54rOoD6M8Xp5zrZLt}Gl{0n3_bwp2;M9NZYQ|JS)dfZTXa=-OZ
z6_>TtYNEW1dP{UE;GNi-jqO-JLm>LUISRSS$XjiAQ`gnapBxDqM5JE_?KCvDD}W+w
zxj&LXCss`%zld=)>D&(YHc`D9U7<6`Awm}c@|M^^`eG(RA?0L;-$qqh5i}-|4^Wf9
z0u!HPHPf*7_W_j2-rjI<dGzBw0St@8lBa(AHRJu0Q`y63dAbH-i%iY8+&O6h%n|DO
zP#8%Uz=5%lo#g48GnphSs%EIRA;5PN68g?Bdd<xeJQyLuRKb|59T;mCuO!?*45wy{
zN2up|de@NNeekY!Pvwoywg1@rVjw0ZF=7Z0<_juo`Q29XV5X&i+UiW*r3-#^NmBdM
zrd=8~*suTYY1x8(UDvs^Jn)Qepd?B*<cB5<9xS>lPU<drcI~gxelV1|q>o4*VRGzP
zcHDz=&4v@sN2yhjP5T}-QeJ@4Oj>SFs7~)GC!R~$ErCpwj!h_RSb+?08e3MWKw@Gb
zetTcn_wH+?s3C=AR*u8UJiD{EZPQA#1IFES88%!J)oV5NdFN5ZW?t(r+<Wo^Kub_S
zZ9;89nTqn(l4Gf4o+Du-rk0>_{=DFKz`#Nufb3IK;;wG`tDQ95#XZMyi~MtnunFFr
zGHJzV0iPGchTeY`ntgm8LdqEyMZTn^#UmQK3KCbKv124SdP5!g2rQMbS^S;B^=~dz
zHRRXqQ>tZioMnwqBjpOcEyM9?V?&Nx?)q8WV#Vl-px=%9`8iSKH0@E8^XN-}WUR+#
zZW+|^A_ZYz7{*)i-jkR)yGy}nTFz7#IqEOrFU6qEqDDGPyyFn5DNCh?W3sOMbo&j`
zQ~l*R&H}&Q<-kh;%|?2F5TAF$6OyoCmBio;Bic@4qA+4Nqx}Hl#D|qgg0*{(NJiKt
zAgG&Bm=u%l<R~+_d)TYX-~zESV##-!X98zd`{8Js#r*PDc8+>UBr@h<8;0+NEYCF0
zVq^sc)9}EPCi;MrS<|C`C}Re{_e{<}tCb2^3b|yahKQ3|{XaauQ-NGXAxYJ4xT~j?
z?&)sjFRv@DTMNgijF*2dk@2ufC^_1lyKy^$7I1O2t$6s2QHl{x3(nqW(kH^AC4WII
zl493Cm->k-AT9b_(YDoM1~Pvkp}mF6e)<kNIdBkP5{U;#Wg9-`N6S4zc38&sP!Ot1
zX4*y-m>7xICoFH^t3`cZ^MVHog5N_i#hVZHjXeeZ(Q6y>@#Ik7LAnRm>)H21(C9ld
zPnM0n$t6AQild0bpk!=h@BOri%=w9bRYwd-O`MK5+@Gt_h@7pL`M1ZD1&VlW1u(0z
z>r9t-K*+CJr2R9oqM~<JfBpp*PP;<re_s}VbEYc6&wq38hl%e@YoDfWyEDu{{f8$K
zz3U<+8BId;OU&++a7o<Hcu=;E6$PGHe88{?3^b{K_Jx%2rp-nqNB46upYohkZQM|k
z{-qv3eqebWi+vBKVCN_0ya-v*tE`mN=OvNQiXesmhpw*-i*sqx4j$ayg1fs*(7`om
zaCdiicMI+ggS!nbNr2!M+}#5qd~?q3e!Dp*@4p!?rn{eds!Q&^t9q8Zj--xtHZ{pc
znR#u+yT}5_BUtkpErTegr`$wESzWA1l8W(+c)H$)wU$GgT|0${R}S9^LC(<1A|XCE
zWcu?uNkhZTk`rgNar(65*nGq=iY^Te@2cwYPN*qX$_Z+M+Iwcf1@QF{4sC|bg-^4M
zO^)P@5LQDIBf~K9IP^m_rD~c5-qO^FCup0VJk_{@L1+d_sVVO~sKSQ30Q@2x?ChII
zNAPOVh!lU?JUYxl+uOz^Wo4k{W$i0VtD5J}8t_!H3AH@IkbYP9H3HLJJpsrnUn~d3
zqgp!nA~uu(?*3%yzj~nzUY~e|58k!mVqn)vZfVg9qW3D(-owFV&D+GcZNb3q5|r51
z4<Q-}g=8ezD7t;ux}8pTF1&G44aLDRWY$p};d47a@T*$s0T!M6pXQa^21($v(<Z&E
z!$ny!6NyrG)|O}t`d8YtSw=RkE<Uc&zM<ZriBCw8vu0=B-GUe5;|AId>X|OiMK#N8
zpqv?iHZyg@$W0Dch)^_HuN#yB$Y>0`$whNwiq9l>)hjd3wLx<zvo*-AEkC!9PE=6}
zoDWYwxp$~QMLx4AFm{q^YwP~E#r<2gc!K*i5UJLzS{pZS`?5VqM!x$b3=Ypj>|;sH
zC)RLzdTF`~BitZZLw0RM1_84FoIM7jwG#zVqXSZ<#)yZfhqT}YlJh=kOx}gn(x$p)
zoW%VXMDXvl7z|rcPP>Xn*`r~_hnU#wMNSmzl3o0#IV?AzDe0wdgoS4X{<urTH~GOZ
z#V$W6z3e~OlYIqnn!oSoTjKHOIr`oH%JbbqnH2s581*?DjP-neew4ZR4>O#|fM+;)
ztNZD1*zn&^{D}vQ=6rg%O4|4jGb|>7XIMmU<)r#o*z{j$lmi&b;JnzO=)wF)1o7XI
zd>zGKcoBuI72ppz1bEe8DaL;Cc=!(@u*QrW9~+$TE9Aw`kGcjRBOxJKJG}e;2?nB8
z6Oo321L<rUN6i}!G&Ba(zCCfy1<Ttx)U@YciVcQL2_Y>o*spdU1QOG-P}2%|WjV8<
zzKKdF%P{hxe~MIdUEBXYgIhN8*?<wfup}siF6IwGb%7T;?S~J>1EkW4xoN2HF|)pK
z*B7e=IAH0LG6ByVq5bci22zE^?i`k4)1!Yb#G-(kJpSRa38)hj^#c!w<STR{5v2zy
zI>r}(I^y+brrNU@(O}?wi&mEO53|1s+p|_zSD!7>HBN3G`bO5(-Yn^=8=8#clv$GU
z2My{U5G!rggJhyQwBO0?JcQnJQAfXKF5lO1s20e1wI*F3xn};;TMdMdRGcmP8j?=#
z$_1dEQGS!#Mw%aQ|10m&{^sM)Mk|^hk@E)F4gzMUX!3+JZTo@dyI7k?VGK#xDX36s
zcr9~*NvMA>=jrmI;D34n{A-JVA!6mePNxp$q%fJp2t<BwpZ?Dq>FPalW8TemaUr#h
zwRI~<tB`p3s(=Ey)3Q~~jX#LwZzXf=dCR$yQyk1F*{*KQnQ>;bZs%z*Bf}h{z}+tU
zR$Wt5yjC-1gSIa^dpB{C^`E0yjzAMwsHlDoY$jmh#Kvw}sECcT@ylQVKY=<rujA&M
z`}6gf_Yo*$TwH0!FL<;pN=izhp`it8<%);%)wo2&#4uTZ&^JA4NCom#pp5Z>W!yP2
zq_x}2VTa7Fx#^;gyF%YIrWdkM7LPJMs2|wcfW&ez^qELTQ>`+rkgemF9`jo}6Mi{A
z!$~lOuxMUgHGmU*MRPBX9amXE<5y&={-QB~i|&xSlf~kSinmf&tI{IZH(4AOmtZ11
z?WB;PpyTVy!_GKOes`f?`p7>Y7Y&jJ^Do=TYiLuDK-25LAEa}7?rDM^Ut&I|<Nmof
zk=Mx9J_sdfW9;j=gsYx+oK_Ll!#jrngQcoD85S<dzI*1S##i3xn8|GQenS-fh*%H<
z#mnU*4TFlhQJAjJ597sOm}AV~4hZDwdQF4hG3dX1{ycoT+|=OnV4s<t%}{^s%nw%y
z)G8{xNtNU_X&hoN!4saDnc4I!`L}%v?Z2a#rWA+wXtO86_&9>uccPK{h(a&deR~OI
znSvRQUhf;FO0^pTOK$?#efKzc$$~su1VmuWT*BNbqHyA7hoWy3oKe@jOA%o(hCTaW
zhAqBN(<zRrReBgjtP{;N5W{jRozCT6cZg2(mIITb9p-lAm4qbdU>g(oq~{ywsHTsu
zoqM=gufnMBnPmz&E9RhoF`3RZm?z|8Xk}ITlUv=?jnj6C6^WQ%T^k1<KPod5PeMZC
z9X&n5{r!C=yBXjl_+2sj@3!%CU|{-w;3<9~!)cPTjei-~$?#AGQDXw^IfZa=0WRMz
zR|g!sg@oUd+2sO7_+zjV0FSLV?;RW%Y_;4_0?uM1sJ8@*Fdt=wIyN)$2D{=IkXi^z
zD9el6^^hqr_-YtGt7vJ(PFSN4r}h%g-VaNfHIu?K&{MQ4?~~fBaC7lthm~qvX;(>P
z049!$#fO$dJl$pKTd7M1mZmTkG)JP}ythW;s+AHmg6Gs}q^wXLT$_N{AaNfXpM0-l
zt*OyzCPcg^b(3~qA1`WUMaONoQlb@eSR=IrW3kd~WjG+wXKHR9Y?28y#K6O==mQA<
z)7d+6L0fK=SE>&TujAY0G8xIZFz4M+S?rT@6>om>f&e}QVPqtdevz}fht`Qx29+SI
z6P&IEyb0UsG<5!Mcp9@*YKZ{_cN?f}#-@2H09W7dpUGDUhJO%4g7jH8d@Lb5z4()q
zizGjO6yA6;MF*h;UgY72cx>nfD<q9ih~?b$bH=(e53D<|goOFv`d$y|zjba1gULO_
zuN?RMm94Sl!l}8O{;H-%g!O@kRFKmhPxXrw$n4Ux+tbD;S*N+8pq+{yifO@CE8?|Q
zAlUys>~@?L=GKMGw!9Vm!p|!KVZAm|YvdPeNybW}m1L3K-Q9N#G0?0Sl1uAl4&T8?
zD<)Ds@132ULG4aE$NHn1I#yOzTnjqP%*@e`Aj0yJlFh@JV!$b;{pjQ*A~?bh3Ja6$
zahum4bEBc531QN0ujh|pZM8j`DULASQuW9W?`^`vA|#AyviO=DqubDkKWcJye=nu1
zj8;=yOSqz;otK}V@U2{l;bp7S(*P$fI3&bo#Ah7Al1g{a@tKN>Dw+Y4!^y+r!%D`x
zj*McOlmBBjrk~zA%D|dn5>E9r(NITt&b+@sOkr~K!q3xb#rH93JSuei7LC7Fmytj?
z)q))<Kh<GwEPo<k%wsQ63!qiO$0uhKjAxX+W^HFtI9)gsi%McRKio@LnpVz9m>6Qx
z&p}^XP;-jwFagyb9+`&IY#79fWBSA%q6aoDmr{mm6~+|{+48<+&^4L47#-e#5dI>$
zi3dCeaFOrqG`OER4W())S~{a{Wb#6{5&!&Tr%;8Ua4!G3rm~jX^8Es>fXC?o!_|Rh
zvR-sU@#t1vU7pP3cyNq?wD0wjx~VkDXljCo(Wc$t)lg~|I%#fXTExzwGyoZ3bp?&}
zq0YLE>DTGz=5z&H!{O!hdsMQ#FCux5EC#(qzkdDld|3BLdk1861@;fv0r9qWc0!~{
z{ce+)1sP+3Et4a0gxKiRLPGlJxLQ~H-tr0xGp%;IYi^7BfLLrCMP?0NytCO-IqbsV
zki}zY+`5<tH#fK83YFqZ5F$(e)Krb822qOHOpzqO00RR9Yesqz6({lM&!4Hnjs^tu
ztF3l}83z7QDKtv-J6rA@hnc|kp<u)=t~e4Q9dsjtD!KIEwp}v@q^nYeYSyMm3Y?)-
zBw`Wy&gEmPiwp~GSYL#|QxY8L$0_9Si<Hy&mXAy)X<5KL2$lw=kbem}EZR9?JX>8i
z(oqXGkN0@ZBb7fj*NUPRe_w$Bwrh%Y>SLBR*XWLqU8e(_7apGa3H#4n%#^tYV2*y6
z_0!;4(<<6Sf;f-foPo|)c=;-E3EJEqwEe=WXN{9PXtL7RIrP#=jV|@LFkZ)(ryW({
z6Ydf_T@x$zLJ192+PqCiwi5VUf3`x=wE0o#04Ge}GEWL@zDKuL?byr(Lcg9|bSwPO
zFN*t*$BQPkG>FJh>@BK#7KZ^$St9t^+2s8jD1AgCA;ha5gNb>19(U6MKdOC(Q-rv3
zbBIhixSj+*>ShMJ2c5I3rBN_4kqXg)Px855JgrkPs`|WxM?w^oB0&ahTbD=6s1*F(
z#y1O}AN_rhMihL|>dbX~-7bmfk0gX}aH4X^$PT}^VfG5(y|0Z?R`q+Ub4wV5%xHVb
zH!z@+Kq^ufNz5p!XEi=Hrd%WK*%$EZ2V4v;%g84#n^c#Sj4QqgJN4ONenv+5@lPqa
zxpA*Q4@A13iW(ia#C`APKLB#D&Pgvu-R6G!A8{aZ+#Gxz9SDKLb{ZKO*)Q^@rxkh(
zhC#$C3<+Sdg)ufZhWz*??8Fq8@;oIwTUX(wGrB!an#2qG`Tk7p{@YnGCIA5u5!*gN
z=pIiohc{^PqmKf*lk4-103v67-!J~T)V=7{MYaQ{s{=5-mXey9Tu@LC-Ekxqzqqf<
z_cy4}vJ{$EB3P;GjXXtCsQw!1qc=;mto)|W=eaq(Qz2EZ%fyelY)t*I+2Sc|PKFkq
zI#rj$$3l++^o07I?nA{PkejAfGB``ikH)J`L<!@?#2S}(4lzDYuthO3ao3JQ?83w`
z+@z8^Q3x*fq=682@+#&#5oQT31Iz86zCWL3wN?an26W%EPJhiCibOaS!VfR)Dn8ue
zk9miS5}N*WM7S9T7w#$w4B?Z^n0`mbMQot*%myPx3Az>YmuIi>6LO4+K%O|t^Z3@w
z@%Y1%(~AxdG`EIf^3*a|vB?eO;ZZ#w=Q$UOaigJSgo&b<;|yMXHu*ArZ)szL;N}H$
zpBoPXF<BUy+6T+N_u0HxJZCMldZ|35WZZCt)E>s>+8z(fYt2*oD-?{z$<7I1?A4B$
zuyzUzO9@Toq=FqwrzlU#%T~JLtx_B+N>;_f&d|dI*4PsZc_V2*+=37J);E>Jqr|ki
z7xE+DwOj-r8p^Etbsh7xXDf^}C9EgBVqt@u`s8{ZJbwm=oRApvYow`uER^gkEWRA^
z8?4eZiv}2)T7@|~`xsu;4~W-sYbt)!Vtux+_-1l7f|_mhQ|i*$92c5GkjoC?$Eb$T
zzy}S@0<GGINlT!r_KfP=rR8P1ItnKzr-|LX?_QwS0XS0H1>_IxC^$rq!{TpZC~eI^
z!4jkK#9K#4m5~sPlt4FF7K@o+$#@iEe#5auGF&dVgIo{e`6`WQIkc`aaO50V%ltTe
z&eG+6rV35Mz`$Vpy_Z<z<rZ`QORkTK5M#UV^*Bv*+FL{}MgTBIu3Rw}D=8QTfrJOQ
z^{vsB%m-eL>u#?bEU>nPEeS<^qd+AU);oejB($Xi*>f^_GHN$M_xAQiyT#R^{0e!P
zktU_{o1b4VS0XhNz_Gce{guFM$gJBq^@&Svt76sQ_oPCH4dPSG{n;)cIUIJ<BW%_;
zW*6BVx1cE7%jr}G)xrnqVoRz1-H;m6qzj!FuYr1eqHgC_%(#AHN?y3%%y4^Y2v7Qy
z<4}m)E2#1j66ug2az;3Q2{Q`;3ejav>bWb+n$_XON-Oh?q^V<3q0ek;FuAGfnj8m%
zK=)NYE0PDtfQZF51c%R>ND=8;t^DP6=eKE19~>a9@y>3r(m5eyOti0Uf_w<Rna|nL
z1x)?>!blbfd-%&h2V5mn^8-T<c>?}q!|S<SF(BKF@m4&ZR;P~9eZl=005Cd!OXP}p
z3qpKAlCWJM<;6=2i`N$ix_T?&rQ;a+coNt~1?6LQTzvC;m|BI~**ec#!p#eua>k~<
zJrA@;!O3he#x?Vr4=GQy6?)ZgQ7$Sg|4QKPot>8&?%=;%A{`A`ntXx)r!C}lEf`NK
z@S!OlS;3PS7h9pi)m(5QxcX;;z6SgD4)DyEKKy|=79zZi*YEfpdCIlSSbKpfUUF3u
zfftEV-yNGU>izI7e4Ek2kkc4I31o0}TU`h;F}b0sT|lF5?n&3PKV1{NdOC$?1$QL7
zBCU}IX!33N8j*yreyr%~C9~wB&SZ08r;AF<e7*)C;HZ}Y>1a#2>7%cPy5t<$sq(4q
zVN=Cqs^ziVVvnnp(pwlI8EqZqF>na9+6^I0UVpu0a#|&CLpopdJkU3A)VZoN5&>h7
zbyehZc+qW-1{N@hvUh$Q<c}7<k4SA@O5QoC?;Gh4f?~md<NY}C^6<UB{SwH45X007
za=Y@k?I~=USZXvwB=Nl*&|zjEN(gOwI%KraqU^ZneZCyRRHAi~)vC0p#)&5c1&^{$
z+!q@x)asU(D3~XON+N%J{q=k?I67Kx-b5_mPHT+N1>1l&sL48&pzqwC!|w*L3R!HB
z9RH>y5@(U;Ri-Jzr+nUEGMZ}G@$z(6U8yVlTSnDv4!J8_#1%#(^jJKOYb^U{X^B!L
zx9_y6MVqJNl1MVAvW+a@)6Fi3H+)2w+3U$M%g%r{-NB*xxd-N(kN4J(T^FquE7Aq~
z*@Aa%k*T<9slxmuJ3ZiIo9z)A8`Q!Rj+8_a{E&<QL8%jD$4Q_+-no6$@JZ|Tq`t}=
zsc!e(m}Tq<Ni55~#5?AussvwDdpk3^bSBuxlMB}Fmr;0rWhtP0qZGanD_4_S$qx#6
zHoh#+!^u9h6jexRB~->dKf?2K%-D-@IWigwOpjLwVuVTu?9#orr)%id2T1*fEQmz$
z3<I%S#D<!hf!YRk1LI3XnOa$cO9dEp!gg%A;LfMdN?YUe5tjD0fodLW(H~&FOcFDo
zenlGckh61Gh3!>^CC3Zr;jx|KV2}}fm``fj8vDv*dnwW5yq_v5r5}3N^>wpOT59^7
zz_<08ca9%7-MS;OR(B=LHMmxVYM41{R7n@r#5W)1vbjxE#gt!*h)|gKjqVP|=3);j
zEOduhZaM@eqMFtx!goo+G%1q`qB5wrH*UfF96P~S+U4J{Ijv6EDoFFl)XMr=f5xlv
z?OoowOOwIW2m(Yz@0JuZ`AY=I1D1oF)7Vy8og~O#A`wpJC=7JDA#lj@e9rlXqeEFd
z8PkDjgBJOIWm;Ci7C1!e5Lo2SF{aYOq^5WM=k(w#pnf@2625i&@#oD~?5j|Hw|1s4
zC4)y1P>_(;t$V1pS=Spr7xOx0&mcFU%YG<BvYoLcis-TA)YKBK>O*LRjr5&tM^<eY
z7Z=H0LJ|LN<Mjc^q`J%dpT-QRFQ6g>-O9^WM)C$-Mg64EHVa|fu$${i7KR-or|@BF
z`xwNo{mWl#7R<twjh9Qeh;0F@c5QSlFMHS8{}(AMXu&LCg$Lll&H|X(=Bj*T8~ORL
zg4msdwjvf67RoN0xPw$Gu|M`aaN{L;1jCz&aFuz3Z>&wjBLUyhfHyspy=IwXq=<Ua
zqkjZZP?jhzfTt{_?i^64tM2dUAoJ`rm0)kT)Fc`MA;eD+8j8qt$5ar<XT>OWd-)A=
z#nm5ZFZz55HOhIa#MEDb-m`_dD@I081UzsR>=;uY_A{&{4`wePNeMKOznRZTbv=#y
z+#iyAHU?THf;qDGR7uZQq3{N+ZV>I4t+~+CGfmljMnANTZ)#BC%}p$CUjdRyz=u^{
zx;TYV+3lY!!y=MaI%~HzwiZ*tT3%QK#K%izoS~T7=JF)<26%a2m@=+jI_c{fmRc6d
zJbF9OMjOSCC@oz-SkI3dJeu-LGefC_4Q^>Cht`&3Vz*^iz2VY;1Jhc3s1t^Bbblsg
zsl9P$pq)@0Vd)x7O0OIKN`t}Xce>ubm%eIfWfv9P=&Za8TQW+mhLmbKMaW4cAn-uV
z17$*qg*8}LgORr9I-$Hz%q)mbJsvJ>Whuh2#^cOd=`5PR0d?i`oh<ck<c;ow?VyVs
z&rT0AiKjhC`KN-?{UjGXhOzwRKrkwB7Y)XxwzXS@KJ8V96QcL9F$}7!7|4KRk!}PL
zG7R(O8ssFU<!D$K3YF`AwsM!eW2O?gZnET7)(Z+!(#|o8L38KY;{K8=;E|-P`n~sQ
zQmcP6mcup|1cDl6-MRr+xo~tH97>?K(i<%jt$VDyBlk#4OEdTvbqmE%gOR&1)F`4m
z>@ToG=R)8gk)vDun1QEa1cK=i*Q*o@7s^j&?%#~$2=^I(!)iCpsYDy-ktdQQ@ueW7
zdB62+d10_2S#Ef$6h6x+(}wyw!&qFr#o>7TlJUw?TT$X=6h@wEDaQc3QfDOJ{<bMG
zF5a8ThxLm)Jk^T}yV8s5(z)`5=moUyq7gIUfgz1B_NfyXyB{}qI&)~+h*Bx4NjCht
z>F-#GM^5ER`U<-4WBWvMs)TYi5Zon{G$(?uRJRtNI#Km$Qr5Rnp*lJUc8}84u{4cd
zO`aqG@#En|OmmGOQS?`FD=K)_=5%+JX!M?p<OgU4)oL8a)!V9tv@r$Q+Su&pR3%tQ
zCr$(5B*{WfSHGH-YK@ogyl%mPL#5`RC}`*x_-|>+MnLds_k>vctRG8D4}^Bxt_9_G
zFYfn{q)wzGuac1@poyVjq)FE=&@_iYQqIRnNrU>Kyq@0OfIU%TSsav{cu`Fh-L^M3
zuWfI$yI?4$2Vl{$4DWoIv$)Wiei<?T+-4x+pC*A|*5t(noHWK5DFBS%B{_t9Z7}Ei
zh{v@hmG?+SrpskL$u!~mw8F!{r|G*!Pg(TqER192tw=!M;jc>#ukSjaeL#s%KJ?V^
z4Ng|3BXjM8E_B?D=OdVzd@j`Rj%~D%uw4znFj%ES?WxW0-@uMFt)NnH#^NC@903tV
zSXek3M(X|Q?ZtOe2F)7fV>2U3T#Az3vku`_ge_i@oG+PuO|+ortH$t9)c7#a0<j>h
zd-hi9Q0_R^)ps0}^NDmWM$l!9WFi=fU4#yrpC4R|2@Vb>APdcCS}I`>^0`-U+;$Yi
z#IaeDJh&Pq9i2#Hz>a6^2LdU7*EDKM(T8NBg!kX7nMjDxM1u$X8$+qV9Mf;e)HVpn
zIGt3QBtaI+NMCR>&MV^mWS^%+HXLSiDK;H!#GPngN1g^7C|NT%=e<%KBUZxzKQO<4
za8cIYsF#SkC>)L!K{0&&!Pv-IsEiuDR2Yn|Ab2N9^eZPnD<t24HRcYh-%a9G5#0UD
zV(NG&;m5OTnmw<w9+t8uNnC64eh!XfxmQhDGg50hPJ4MdYLN*h>r3_7*jKu6p7r|g
z1gB+(<OJ4Dksm*{;;^bf<DApY7ni~PvOcE-UQBEIc5@U>5R^RyRVGzNv5#tUTZX-I
zSyO*;65aUejjUjOXs8)tO+*MqwSC?q8>B1iq?TN%ODU(W+jp5z(98<g;FU_4o%a!U
z+SKtOkMXpK?UFLK?b{EnG+bQci@NtqgC~}dV}1Emok-)(C2xHmj%q0yiUSqhH~LBf
zPs))9hhVWKBjf0lhmvOJI8856W$S@5MYnM)k<@I|$9mAUrDn}~QRU8C9;Iy=zP8BF
zyh3LYr2Z9JnU2;U6>og@r|`{!zoz)2Oh0YMu+U!#!6M-)UnKr$8(pAvTbH}#X>D$<
zLFau0O%=(ngXnzuGEc&h3H$B&e{L_)=(QuixNGrN>MretnG{?)L@v5)>W~cfF|Cmx
zGTI`8>OW`mFr;(o8LWdQwUmuj!VwW^I*Xd-w%TcPbTXG6jUI^ny}Z1PPL~>@vsIOq
z6YY7texnn&!@s?RI;og`YpZZOYM0BuIaoQOC6xzRN~x!nnFU&|!RS&{#mVe+;l`l5
zW=8<>F%o{`hutcj>CnPVQ)K4DVjmdBZ<t{N*vd&+iZOHK+2u_4>Z6T7FNx=7S0<L~
zT1!q{+U^9uA;rZ?Z0Nr?Nxf=Fz}@(?MCxEC9K`8d+)%g_@=;T2$(J&?8>0$gbgJ3K
zd8D0LkryK^N*-X5lVu=ZNL8VzF|TQQ7+lb5$Lgkx<}P7c;HS(w^0>S?w5&X2o<Wy~
zytjM3b8HIb@xbkwDS^}bZQskn$zAvt{MY{CbwN6H3F(@m7bY1!l?-eOGJX^zuUu9?
zV^RrKf*s(kF)&8ug9n4HFnZjnFW0=v`i$oN0&QU^eyZyJr)o^uDjCfz4t>I^CvAIc
zodSx=n`^d$ugER+kreYO4WInnNZV1q#HlM)uGD+OC>*<zqdn|xTjl?9j}ykayA{W2
z!Gb(x2C<2rx9^}xGH$h#=RkxHqxv7za1+_K2-~3idTFp!{?5Pt$k)yggL66ylB5Yd
zTyXhhtVlSeNzAAU%mjs<?7i?RGs0<^ogjUYP%}`G7_n9fc^<O2&A@OtUQqdfW`w@0
zDjuU)Go#&oxHzgwQT?G_bGskdf`X{HhU?!T(`-3I{u3NP0hE`(%K4aldV7-g^|#YL
zrkpqH^_r<zTRo)XRmQ#|^5;a6LASGM6KjmIC~;7PS&oGzrSoAHPG(xYR;YqCa3&K=
z!kHjzgeWAvkFWIDU37WlKhRhNd3r_i2sC7^T<3YSHQtDr5qfLoe~7%JNx5<rQL6E8
zMi!D+>QALwy?ml3>~_?pVayZwgb^_f<&9ysZL)LqQ0S;WYr$-5W^8UAHY#-=#I|me
zk*emX9nF@UnipjjfmvCMwHTU?o5(P&h6%Un<lMnlYAalM%j*0qox?Or{OS$r(9SFE
zo0Cqj9a%j#34}PVlu&%^C{kEh>zZHB?^gJbK>EcF1Ns!zBkr7x!R$|`BMdeuJ0YuG
zMgyrvTz+$@ScU;wM2$CCO?ajGwP$@JU%wnlR0|APfeA5!;+x*+z?PQb6eZ!xlFL1K
zK|}(g4?DZ#DHG6rcB`$pZecJm?%GD^p<!`P2=$BFK9?71O!BT_`sVGQ!FU^k@moYx
zqL@&VJR}l9a9hxOu3-34d83$=CkcGNfz(w)r(hV|-1&&Qp74#khXY}tC8zVQ%<x@#
zp`RxoB6W^<yS>$7UGDb65MA<OoqkN;uO~zzxUgZ2R(2!m9ID7Hr+bp$YbAK#ApAXZ
zrI{Ho>eqrV#yg86+K8i&2uxKbHe6(v$0}Jz3PVQO(zo@^50sJOt=U3*-Z*nOUv4jE
zPYd@G|8n0~R-@l)8rPPQ`TCyEj6Ju>6|)nr6Ev<Bvg1@KLxw)E0K(Izy6xA~2+IGp
z6gEwZ>bacxj+zY08biGGoHrcvz+`595hfi=iz^o-nxi-+9<~AH<A0f#M35kx|1&=R
zV|?oMBARvw3@^Yc5b<WxaL-okp#zqegdiUEp`<7yK`1PScCZjA0dQAV%tL_Hx;r2t
zijS0vjDgWE!P>S|r<b2%EM#V)_8>69GBw{xtA7P41=*n)T1cVV#yHXP$LR$kjo*-A
zJ+J_z7Dah@bqNYffSJL)=H&0;9cBvXL}Nq>30P8_9}6engo@r!^y6!XqmsrO1iWaV
z1GHQ>Klp`7!sCd!;^5rb4HmtLLA7N9t)3tvc6nS#Sz1<*<6Uxt^J?|&EMN>^9RwNG
zTTs}SS1aNQ8Lim8<=;Rx(MQKP28<lIyV2q`K`npjSpf|={@`-h5TsIOhHKfwV`3C-
zNW9t0Fxb9db%+QF8Jy>)dj1`DM}uVaw&b#=9HL3OgVi>5Ed1f0X7MJ%nzm@OQezAE
zRv*$+giBj1UywK?#nuk=JpICTF}g*F;Nk+jF>Kv78JzU=vx10XY9_UlS-{)l^`=LV
zwldIv3!9G5uGR?T%hGdA<*x>@9zqkG6X3>EBm-7UC{@Zd^jGJ?nd9LX2OnmmoMgci
z9hDW$kwH5K$+$6~mPGh0Zs}K8TKX}Kr@Gkp_`3M<YOnDpi%R0?h+M;AKbCwr>)lu9
z$yME;YR?s<>*kT=VJV??=po$ofAEA2hgDS24(k*Zp79YP$3Xg`TY&Gw27?se9v?la
zxZl?AAf7Z^eM{vf;UZKIFhmc72@hwK(6Tgi3R~S0ZU{r@y8gKe!g+VPU5sh$>i4Vd
z*}z`F!oq?ojNJlzTeL}#<eUbsu9n4oa_>0h?q8<vwK1@e92a{}(pWT(SEWbMfU**w
zsn%qxz?@VPx>84%DpS4I1mZnS_*`2(d7gT`@{@`hO+>ii^3JxZPZ#3Lo{!g;dmDgX
zC4R~;&(x~hXZ`u`S-6+7<9LO7(kHMX<Cz<c@mY7y0M`dOC*<CC!=P_&7Fm4F>#<G1
z#KdgyxcF#B{uLCGl9I9wsrEhIS7leUit)|d2VP#r(W7Z?WnjS!7##Yf;N~Rf39&ew
zPJD-r!@P7YVZo*9L5M@_{cv9U7Ohjbp#}D#uMlJ$R_AD_5fBhy7SO7=++>k}F{RP=
z>wB+3l~CPagao-e!|brm))|Xg+>OI(+S%_!pZ>Ua{SO;^rsFS@g)%>hv;5WG;w{EB
zfhjvN&CM=qn1(aPpiubsgFK(hv$pTs;5;5cpohcY*_fx)F#`sd9H#Pw2pdwZGbG_Z
zj@D6R0IVjNxxV|}Ag43ySIrfM_<s6H&-aX2{?$wl4F`^wiY*4F6Lfc6BeC>p2kecM
zXCY4(Zk}81Rxj6FzS8;4*j4v^e8?IdanjWCH8k39`|dv|$I??`nm=PVc+LyPazQ_T
z++2Y{*&`f=IuQ;!v&Jt)p<aT|r%jLNT^G#G0^3j8uG^`7L>8eZb7^O*ZGS^;y?)Qk
zD+z5|fz7W!Z<OM)QQ<oG<oQ&87lmjHrKq^9q!W6tej8yQ34pv%qU=GzjfhH0RxK&j
zJG7tbEwEr<fmBe%f&o>raFUtKR%`$gI)<F_4fyZkQ00?mWIN!MY19Z2RDBwT!9m>c
z+(D+YiO<i^SA|2w;7k4W>BM*|Xx)p%`>;^Q?e1{qeFOQHztiiIb0}10JOLMAIboP6
z-UPJl;rUXE(AB)=_plyqIM^Vowf?cy7N7TyO}CNOnkOz!4ZW!g5w2#QW$he%Mwr%L
zP2`yV?N_7d4O0}rwiXoh!R!0wr6c$Zot&B)HitXwWF8wOu*-BDL-KNKv(2`0w%5;x
zDv&8gNx<V=9ghPu{&^N$4X?wd>v}iV^*a~Ek`4OMe<@M*6=0<UDc)@51+Wt@_z20U
z349AmC(rQ;8%B<QE^I2=gcqqdnF*!2%FD}peB4REj!E`rC<#051*Q1;TQDHRe*m#C
zpP~!~ziAuKH}L;q2F{ucw9B7aczN-_OqgL%7-E{8Hj>f9yD!ayVb4Qus6@QVvPM%`
z4!pd!@AuL^d{kl7;zeUh2w7E<lT$MeI=tUva}IFbSzxlD&iA{|!tiuES*V>b-pFTi
zx_vHgvYx?}adiW>z}FwJalqkd@T#HWZse`*fqeOx5p?qpkJU8C0)Dd%e}5r=*UINi
z@HXf~R5Zgctd>`c(XcR(=HiLv<46Pl(n@eGgMH84g4}(qBvLE?mMt@*C-4MO>F1AO
zw+3EJ42&WzZE(-DgQCuMI~?T=-y4PY&dvpBce8;|gVS_SohbMwj1P<o-90_nTcHot
z^^T$ok})`2>mJ`Vph<Gy77|hf9DKDU17-Og<B&{7V>4WW@!R4L^&b&vHu7Ll)?-dK
zo#OG>#AVMWjic)vt#_g@Y3S4WyJH__;=;anFt>7g?IuYB?brE%%D?A`e-oXQGydk?
z=Dd-KMzeH+26O9e?t*F1wojs*-S)8W3}`4#O-*SR2u~qhgb=zSfK>2Z3Bbu1<^uYz
zY{yMa90~%2s)?5!KP}40_;^i;m?R46Z7^v_z4OcD5>*%zwN|Xrme_%}b4LRem}Ri@
z2{?&}h;+(4SQMP_Q6BRP#vl&WRP>?~Au=|Jg{f(Yu|iP{1;}JqxB<_#V{X6}8}!`N
zg`5z9_z<(~NW8{^BYez2gqE@H(_Y_+$9md1Sf@CZ!6)|{8OAaTT5-r?b3ifxusMt4
z`N+v>ar59deEb^QVcv7l0ri#aal_!Dpp`8y>O{e$Vq93fAPIVDxP*=g|8^KMUI|n`
zk_zUZ1R7+}pP!#^F80w0egPvz4D|s`e(QEis-YaWhZaYbT?+5NFWW^K{KIDaUGYr@
zu2haIq<;PlEC1gwV6ro~p7t6zQSiIH`Rli}34!Qd2G#0!U50JFGp)VoSp=;}@I_{~
zjd!`E?BxIAyn%_S;*j>-IF7)!&{kEKFrSHio=<N^Gfz*C9E-cI>Q`_JcMXh^<NiI9
z_@)%bW+;*(_kO0gTq4Gj!B8@x7iV389e}jBvZ6#jyESud&|rMp3&!Vrq5@Us3Gx7Q
z9750t<|ZS1jz;)5C>M9U-=j<MP4jpCQAqS$1Z(RIZ_Kc*YXpd*a(-eY76zy80|JMb
zOibQCwzv&_YjX=qNI`yd<nlP61CvEh;Hh3PAn(vNu{umfV#U0@`RN%LW?F0(y<3wd
zf8US=ZWycubghMj=w<itL+=7`OLlPzgV!9JCvLmk;yb7kqKBDm)J!}DmO&dM7z9w*
zI>B#eFrJo@zak!Wp;@Xznwy(viUjzlEYPL>&QA?W7Z0S_7?BE}(^vECSQ=apV#FG=
z4vIO~|3Ut`?g;5yv*aux38D8RsGhASR-Jy>?l|1zoShiV4`mNDZTa0s{uhxI6;klW
zKFBzVOrgJp+Ek9bj_32v=G-?#VZCTARi?zlcmttq?rKRe+qHU-EcZ7hMuU9)y5aXm
zO2y9a&8vgL1@>D?G;d^m2(jpjr8mRZXwc{<P=t{^WEHfe!ui-L>invu@G{`@B?8Ej
zht3xP4{>o(Pw}@hn<4~_W)r#J&u!hm<oGbd(254VQWcodkKwlyWQA%|zRDdxdDV48
z%R~=Na4K&ngZLG@puD5bt<dOwDYt~m2|8u{PZZ2LJBs`^9T1cQA+ZX;_o|9Q{Qa>V
z9%f<{{!!r(BW+TjIeRP&T8v25jhB}bt&OKPLEzKe`*tiFl_TY4FC1GDPof*{(|(d4
z`dBh_89KI{|9_PK9gwHF9~%y!$9^524Q7uBd(x0xtPx;`{CtI6XmsZiTrMTnwEZ5z
zV$L{nE)-$Nn*EENl=Odp{eM>WTGEdV1JIi-9T{DOqkt2PS5!E$dUj&xL$+}z9T`Z0
zXK!sm-U{-!)S*CVn~RewH@}-{ROEyW5Wz?MU~m2*C*V5mpq1{wAM^iA@fag|1VuHw
zK4Qtfxnn^(A54h?|H)Utf^OuCe)!z3YlS>!#y6N;b#iW>_Cl`^9nX3Pp1J6Xz@)D)
zh~rs&OPwYnAyffgvXB2O#Qz=rH8qePORq|Hp3<wrh0wL56rD(Q=&r}W!g%*9M`B)j
zDYi?kUJHiK1_qP|ixMvpbIp1)qLS||u{)^%JPUjd(#6BOZoeL?O!Baglb+5iXO3ES
z!y<~=@1w`lucYc0=Vjl-VE#eurI@rD1rjhkkik%wYkp@fwTh1}#MDzC>7ghmk4;Mm
zLk0p_USD|qeIC5VDJv_@GAhs=Ft$@z54*<4zI>LhrN^GB^^>b@w>kRcpH!*`J6EHI
zXh$jYt;&qz$2y(@fqELKv6EpXeIoJbb$2I|^N{TElidOI$2phYLUcTiQ?8%Sb$FIR
zSuva!)`B&y7q}nsMNoXO{Z`a__E-A|z>Z(_cfA9P>=%5Hs#}jri|i+vpoNJ-F`2Iu
z0}p*HGmw<n^r7#BI0#|9V6-}S-Y~MOJL;)c4JqBeg@>2$mcqHe5D2zX%`drFZ`<0?
zB{Z7-iJeHo-{`A-+KY+O#q-g>o94WVu*9tTuz52M6Ap#AKVm0fbcNVyc70U2oo&2#
zI-EJ(#~c1U)iwkHwvx1^`&hUHgNvL&LwpB;kCkAKR)ig?QOskX4_Ds)JhJj5yf&O4
z)jN~Lh0=^Y_05W1*I(Xp!sXmWLM*HN7TQd561CDTi)4B1KN~-u=Uery<c*)kQ*%|l
z>(PPMn?%WP(%C5dx3X-`LIcuNiZs`&J|f#8>Y|Qro7xIiX;#Pbk@iKCh6~0O7zX%q
z8KHOwJaQSAR)5ZI;~EY|4`I8U@oC0<`9bJ0!Pkq(MFB!5sDmV!<tjs>$%PhIBwmXU
z$a_Vrh4YOS6JZKgvgGt9xkl2Ndz&mOWrQ}gyB}^nlT?AOFMC{j*!(UGL8<}?Ie!yv
zu2zj$B`w5o8rR*zX>1242I`!eM?C|wB?&utE7>p+M>6T9VObxjg@~p~M#Qz}Mapxt
z%!q?Mmv{~k4jQNc-wsXAP-S-3_!;C@{U&O_RBCT*qC%sm5n32&HXd{!=qtE&UKXMf
zOx9wp`Q8$kupkxn_>P_*!Ocbz@O(GcB1=daIUMzyY5IFt1<k^z(icnE(TlT7%(*_Q
zCxh=mOBpnZ(1ygaBUl(htrrTj5P5|kXNQa*f-{{R_-q=i!Y-%oE^Dj<>r8nvq;#C|
z=<T!BJmqS?5vH?0K`ku?VZ5`w<;Y=lJhQXpw2f8Pvx*AU)jZHAoE>iN@jc?zrv_QP
zTgYgx!}0RaznkBh2!*oqvY%r8a-~NBZJR6zB?5Ug{uKQGKkzlXkVgXF{^Y-93Wb3Y
zwP@S^>UMIqg4)#l(kxR@WHn{?xD$VVnSN$oMrk;vq}E`3gFY_kG??r0J*17qF2<3i
zX-=uZc<WP(=gooF*kntA<_`Dc)3N|MwVN)b6uDi(V4}mQ@kya;_jEnYaR(Gi0@|7;
z1C~qr)F@$J&5#ev{rkm{8P@36hB?khKsx*&<%j#;t=a!$M*sfk=z^HauWZbT<8II(
zs~P&yK0mQ0*+Tjy*1_O7WF%RE?PTXeVscWP6$7`?c5s?yz$Ptwsc!s+WvE&s&8bcs
z4)JZ3jl9ve#Bwi&g>@-!sa)K+T*RP2yzyWIBWJxHy0G~>0Y1X&R{POzjqEK<ZPent
zPC}*D??FbBDVOFC3z6TOA^j|B-VcT&D=%A$DaN}FCgF7Y{CMX+=`Q#%OzqmyL;>r5
z9B8MzU}Bzgj8Xg^d%Wz&cE<Qp<{qf)g>;aIMKHRRB_O<?K;deb!()4MA<lEZEv>y}
z-p=!;Hy(IkYB-%KNlPm;+_~=4;CN=v>sxerhKRbE#oSi(I`*9^b2p}yEs59FQDB3h
z2O3U^NV+XRD0)<9p<gM*!g!%I1@CgVPq~S_gb?#RmD#h@_R9Zw$p10!o8}m_ZUvOG
zQf(?~5|OUCNum*Ajj{{2YhfRHvm#l*9tt7o*NPGp_^y{j)1p}KCQR5S*>uMNrA8TF
z!S$pMhGO>q0|v*QmJH0_0@T|+3GVJ50Hh+(NicZ%fNn6tG4+AR=mR>_lzgA#`vF_*
z->qcip~;MbB9WX&YknXaeQp80!zY)5@6=LL+O8!nCud#`#;QgUTIH6gs7D~^XqHb*
ztJd6}^g5xmgzR>B3%VskEl}7)3*A^jD$Akl{`o>lB&;9U^Q>5`ct^XoScNV%r5A0|
z^<d~JPHrt3HXuYpOv7=FzK2V{Opft05iO311O02l6E@tADXF0N)kr@-Z?_9!xRMr9
zwd?mEmy65ocg5xJ=H({T;~9$oW#881AxlwGZG~Ks65MR*U?eEENDm_z>5i+|<+#uJ
zLYr&!JUhFv1s3X5Ax>IPXCcX}sHIPyxS9(F3)SFd0E$eEdOCs+8tr6BL_On(V#2-2
z9Z8TelTa^teps*P(|CER0hA11gGB=<P>y5A0Fi^67v(#H()`;IZ3ZLbYBX0zkJ_0{
z)(Oo9sJdd@HM7LhFn+H5AxLpGjl5r4`IuM^rd*g!O-BdFl{64}`WL?<r`KRDYvu`F
zFmp*UF1fKIuWKM<HHn=2Rd8$^Z$J*13$eQ(Z0=kH?KFfjXb$TlHYO*1%Brqi{k(|V
z%RY2H(5${xkTL2ymT|W)6Nk0#HEi;=HMZ@aY6NzJj{-re*e)7wQVX)8lyc!eYB6v^
z;a0d75z?wgU7BuyPOnMZXZ!oQK>PYw5V;tv1|^qrIJSTHx7w8(hE`J1ys3a+W30o7
z1_Q_$u3`<cSL)@TVSR#-6?C{HVq{oqRs+z)GzfOid~}UpK*N>~Kc5e;H?)W*laowJ
zPGS`g`pYB(HV4E8uQtnf9EY~TSPV|1A_4xYv>FI)RbIQ&3b+&NjvQT9&y`Z&oOr_D
zd;fSxH6Lb62WfMAn_N^~#_{z8jcfod8(Oo7oMF3obaiVkKJAeA63Ug}7TcY2AK(M%
z7IfB)Yb>UYn5Vu|C3>5l<X*xX+bWzkKz?V*r}D2*fYuQPlIqJ4iyxD9`<mKp?mkbY
zNKsh^X(ytB@o~RV0{{*SR~S!#n4)ZI^pWc1YS+TVQB-O~C1u8RNWhOYbrZlk+vLLL
ze?`FegQdo;=(Doss|<O#cBAws&Wfl^sk`atsJurfL)1f6aF?Tdeoya584_4Wc42rJ
z_GAaRBOFX7d@6T%{!GD_>ALp}R>i3I=Nn;Rgi4|Z=VZlSu&BRV!V^+8asx)FO<9SX
zZB~$Ktv`s0YC-2E>CgbnOy<Yc8P|cR)UPt#Yj^I@o*l(*5$=aGlnAT$B;r!Nn8F}O
zek%B7FO+6$;t(n9ZYteUAanFe_)1AS6S+3y!l^_}(oE<l9{bp5hw6mQM9161ITA4`
zVxq8lmq|eK$-l#gHFe0+bMIosmA<S7<<1#(=`(ultMy60%aubqExPxw<|U?^)dq7i
zth3k>X5um#Iq$|Py{eTwTy4HdKxqc0rqFD+)KQu-oCnSui+RRb%H!P^K^xCm3MksH
zw_=mNvZG4xxNMcLM(mBQZXX@w_Yd|U7&<Q}lCSG9Ci`ullg1XZ+)9QH1anqH8Eue&
zA$;SZ;WDdb$_2;>=uk=wis$;ywWTk&T`GMD>IGw)5&0qn!M0r}10?+wS8C`CVJ17X
zA9kv}HP|+PMND^`<zC)BB+a<qn~cq2M}Flr-mmk#J$&L_ahpn!$0APVaHg`6U^j-A
zh7qxC)bG08nK9<{h8t1H4dd2$+Uk3sCvBeR+Mh(0-n9Dw^G$C8C)4H+CJ6}HX^o1U
zs`hhMLGfrswc1?c=cA5@da`Kb#F$pI70<riQdB!-Wj@)%i`nD)K3DPd&OJ^A5kZOF
z;q&*5Z8i83OPZGzk<!&)Fd4}`R~dyqLSQ3-o))te{JyiYgpz8Ie(<5HAnq7)_lPi5
zmvV=4Y%mDf2Zdsl`i9?bY-~!}Qv!yw3MWVul>&u0xiHK`X`-=lV^g$U_K;i_QjDHT
z(t(pg>t29`0oe<OI5@ZjHrkb|O1qfAI{eY_d+*?q`)M<DjA`~PwoEw(8Gk3nr%35f
zbGX`FCL+!*c2yrR)&zTI7|U?zeX<+G(&av@=m+J<D0~j?LmIYC7nO0gF2ku&c|HSo
zuV@Q+t253%kk@}q443GzIA}kaG80y(=uw8~{ThN=<;~NF9Dp8IC1t6f#9U5CA9;}Y
zAm;4MPEJm~x$oXu_GPao;^v<reg7R<B29|`7%xM^z<}(bv`cLbKL96jSYZh15`efk
z)F*dofg^u4&dP!){rRJ5sZKgyPGK%61Gz-g*)_AUN^~<~O1>ti3|H-$@NGKl*b?oE
zsr2M!9BUG6R;LcrNaG_wiNY+2Mu3Emo)C)|E)#{68)`CdbnC|~72S;1Kv&LWKlLEA
zLj;HF!vt^n+{o&?V}LtT@~HY5MhnSZaOFYtaV}PCxn&3FtWu%E?!~QZWu#>k@j+~x
zX2rc37Pr31v5xS;02W}swwUfC^<OFS{|^A1VJ7I6Rgdd<B#{^7)|0f3#Bb&<FP!A$
z?F8pqVRYsy!$l1oGWR-ix*;oO?Dp%v2k}+6z2j4n>PV_V!B%e9`L--NGTc_M-?8MY
z^QPD|aA(T;7k_{eu=w(*sqK~DU<QGbw)kEj_DU$=DgR7GEDurs)g}vZ>Py6*ya-_s
z14?SeU3E%8xv6Z;MmwSn_eJ_v@XOY@{X!%4>Fk*#GI0*eu&#!(<cnj`zZ^6e2v{r@
zU6y2`d|yKQHaUs8g;Tu`+m8P9i?O2`)SmO7e^D>G3<Ch1?nrj!rDjI({2{+C=)a?O
z+}g%n)MZ#E`6t})mn<ETq48)tV8_;=|B%S;y$=jZzP{pbNc(3H3(n;ApderYb>QZy
zV!ywczx;{l4>ZGq65nn`TdF?{yC@1C)+TUD;UDnFU+Ym82Cs*X6x`TW_TR(ybAgB5
zC3xq8`G@tSqC%Mbu%y<N4Z3DX%*jE@{tTO|_`%;Jn5q1Caf96(a|WV$6aK)!zz1Nu
zO%p8?)#6B&ZbuZ%sk?x$uWvId%-vT1Kk}dc&y)qs1iFkkyL)?SG3(|9C3@ZRwx(XV
ztORkaS@MqjxqE&emi+%A;|!{T#gjtjcNrN`T!4v5hGF+~Ifyhd)l^B<+b+HHw}cA6
zKV?BG<ldQHWKgnd@3da*A2KjPC9v!WFSzzd{@}Qk0pM2xfFB+HgNC+W{q>@+KB}Fg
z|KXLCVu9aRs^fo{a`PAoRZnm>0>!%9bnG?f52J(ijM-5VToE`3Q9ejFfVQlVOIa=x
zD6#Hz;~0{kfNRUH=xqNH!d6pYu6rfcn#9f>zGzHqA`H<6^@<chc~cOAYoq;1Wzee9
zX>{HpWT4=sVim<r&*`6fAH<Fcj{7BsrN}853XLrjb87gKl2Q;+oAC8@xclvpZOE3u
zcX^g$^1<K`3FXFyWxE@#4(wdsUk5Imid#$JY^SIi(gE4ERLxmvKDbiA<HbptT3DED
zfx@)9+?lqwx10NAEG=mXz|Nmpzq7!3Z$jtIp45uNIpXg^3kpyzP!GZ=*IPdK3y?<g
zFG1`UT5q|>)v9HkNVC6Fb4ExLn5PddQv2pT_PI?aap+CTR0;z`YOeIo<!vO}*yr(#
zQ;hqsbVnnrJZ*sp$+oMl$b%865q*6ke-T-3kLMAo;n}MK$E!4|FK@po{Z%R~kw7AZ
z$Jo*Foq5gYH#I9jf&pOD2HoaGRg!2BQL3CdW!NV7Wp|gzDbDQfZGq8`A~Yhbz?>RA
z_|zOiL%L5F*Zy6b&6VfyxE}!yoc&fFmiqp4XN@`POgQt{;!mVjc8PHXHEk;CXM3G>
z1`ybk%N;H>;Yj$wqa;4^h=~=W(Pd9}Cp+NNz`shPF1I2`t;I07@{d0a{$ta;fvJ<<
zJY8NitE1uLILV<(=4fQ|K4*9Bs--&yWaK1&`_=9_rPBiQ(%JkzvQOzsttwo0d0xv=
z%)wFm1$O4`Ei0%p7)KHU6W;hR$K6)I7lFx`U;unM(!6ehm__@wSb&})+?4Rv<L*37
zVsilaY9!r=d*YS;+IPq?JS1->3<-w~yPXCRD*|=x?U{vNZq)>@hA<D8o66l|^=RMD
zcDmWb67gaDRZj&j$WjKEyD;$QsRL(~$(trCt<m%uk3G{2;IUoj5X21j&K&RlVRpXY
zf|b#9@5_tl^?B>;d>QK!+U`Nz!ktb3=pfXyQV!_JZ!|GAJ<3}pO<AB3(!P=c0*UTY
z$9cu=6e~I98)d%=4g?}i>;?qhwJA$;^krbGbP{=Hl|TX_b4P6malT?!IP-(s`}6ZO
zt&StsTlzrqriv8y48{UQtQKZbXM<eIDon0*Fa0R>PJoK$#Ik4%JQoE$87qwh_i@+(
z$yre3oW544J1S8)NS;t*YGE%mMP&IyZR8pLTf44gzamKHu&?=6?`3H>daa<<3m0y6
zlGgsG7l6p?Pqh={n=y(6%b*01d}$v>#b(q5v&y=&|I6J6-=9~b0l7yQq--+b8s-2<
z;~m98>d~0;Hd1=c3R-QGfP6alsO<LU<y|~i)7&AJ9g6~$gNT_TsZ2bX5Z-^7u68NN
zQiRkBL(l-`6&QCElL@R}P{(#{7b=T)e=h&QaP{lMPII7m6Am)l)!6}>KHDivSF`6N
z^X|d^pdt6mUdN=LC=8!%$2i{Oj0Nkl-eomjRDQ(mK%NHT<wELRBQgcJiWkVU5k7_4
zfRV%2&(aUqnj?tk3#rUCg)2K=?!-?9M<Og78DI0ZOK(}kb-Ni_q$E2YT3y`^N6ElI
z;zQ*dIZbX9xw2Sy42CQQ_byELa@W2Fi_NA6%!02%$X&<Gh2-4VzQYsfZ|`m-#GNs=
zcfNrk8^Ll8zze)mt)YdeCoes$Ck5LPCkDn%L52=<j=eC%oxkdxG{4(1^!)n1coyYB
zb%j?13UTz@oH{f#^qB7XH6$V|{KlEq3!J|}JH|3jMEClhAL9W01yINHzH$_O+b;P1
zikls^8xpom;la0xPY!09<1Jzbn!nlSAdJ6-I~5^AH%*{dM5qwuR`if-hei#N8ajux
z#-i^exc+s4nvTyPcPuj5qyDjVa!*vpIU1VN7MS((-4({}?jHG;Yce$TE$g$U=vQVB
z@*mUuwlDU`8{VxV$IpCQBv{b^VG@jH+5bn~I|XLCEo-A4+fF*R)3I&4W2<AE9ox1#
zwr$&X(y{IH^;&!VXV1Cje|4_T<;S-Ms>Z0No~jzM8FS9@4j&AGy7$*<J*82rL9P0{
zgSde?GjkoIeJYrGFGf16SRhodwWbAsXFz$_jTd+Nc@i3YX%-zbo(}-?sif_9U$nNw
zW~x+hQw{>=4Mutbj+w4j#_z8xv>^E4+<@Imjsbuvk~cB~)$myNcRtxZgfeG|uYo;r
z)ZR)7b!f!|!BmT@0Pc{KdCN(wYJ<57ZBATPR#Z+-&KOLBIAS#cEjkQ3U7+c~uOkN^
za@TaHVaX^l%QTTO3Oh;3BxvE21K(PyNc_a0!k_H2L#gikC!L^pD(Fer$CAd<C9m*M
zG^JNzNvVb2V|(VG^Dp~Z57`Qvd*-|g17h@RG5b{K98POy%0TnIt9*x5N)vyFQM(rq
z{{#mL#RFcRweHNTPNE!K#)9m3Z@b#&1HfJqpLt7As1j)v>(BEpm^fP`E9X)b2-!jL
zQfsx7;Wsxsi?#b803nFTm9;nqM}C{T(?ujr)hdC<&+;K5?bckILoNoF8PW17=DoT@
zyg<rlL_BN`92NtOz4)y2>zfk)Cr1IvYwu<)cS?Dj0JA2?bI@vwM~H7ZULX<K91wep
zxV?KDt-HsY(R=+PM&oi{1pVKUuyck&YW8Yg0^so5S7H2LHvKs~;E4$P$jGC<!WCma
zk~QZtN-8t#7;IS43FrL&o=TovCq3h?{8-;U?zpdhZZ_A>QW^kZv4#K%DVWfHuZ##{
z&y8k8Vt5cYu<S%4TU*DCG*??OzJ(~-;iy@6V7NADwcKJ_#d_8>(<kQfk(9EE%m8G7
zVA(T?!cnZr@ntNjN>J4gXv2di%G~c_xkaBvwQ}p{*KoK^Z^GvDNeKBRxhVY~-&c?G
zQ);}BqWZ~u&d_`{H5x?XUsy=LQ1xKT{>_kA#&v&28EHA@b7myH5M!iS+7CRBrH0Qu
z3`9?#Y~k-teCygVvVRFQ5%~oR<7q{n>^!hWi1p1}@m^3d3a@_{%E#dK0XL<VM^*Nv
z_Ud;4$8wDW{vfReO`=T1Ra|!I!fF1mY$%*YynrUyr8GxQr0Z1K`Z9dtRC4>o_Wmd{
z@=E)LjcxRw))Ob&SCdw*mqpL))t`t#UVON(b56~gj8=~JU^;2O17*p3Yi>9-9#hVq
zO|E>f7Z(g|60oNl_s$eE&YN$hV9Jqk07k<f4pH(vA{wH!xOj|OkN~jHW-=~~9jDe6
z6uf^I>}`kL3isCtsf4CXXexAY39Y!@opG7Id0p@BFx(;eG67g3e;x*#RrYb+29>g%
zd<XR!<1rId%ntb`eIeIY`)?LE>}O$8i8QD@vxN^MH((Ced(FqTZcoHirO?3Z6U$eJ
z(h-^LC|A&;Je0zxxpjS|qJ?phW2!aIGg|$JI7oBVNb9seQr=FdmYuk3n(1aqf$Yfs
za;5PFPNtMEjX+k}zB5~=<R}Rfn;1o#T-i@?8@u)~G)2wg9~oH;*ej~O1(aNLJ5(<w
z^pldkWjkv&Q<WTfu3WTI`A$kcMD%^)o*~8YDkfewc>y?llJZfe76BeAK|B@d`T7bW
z!AHCKb+gSb`z*QD{c=`4Hb$F(+zBJ4z{76@5L3>wW_Q=BmD&%O**4+t1Wl3s^*cAL
zh&&<aqybP`LF0}r-(;tH6vTW3Hcsoy{h*IH7*raYO(op>T8GDD*M>gJ=P#Lbfb;!x
zd%M>%rc1kcA2u#iKS3eAmDd)5O!gHw|C0+^f#qa737vMPT1Td$ZTW*ov-(w-)t&c~
zF-`e<Lr{jTgSQ_G4qKkpm?)&<qgd6)RNq8Jb$Dilh>R!q4cFI58R5B7!nhq$eFUt=
zwjaqJ*VDMPq_7}rvwPLbqP?Xv?Zhwl?FiN<0+ePnJ0i<-QQg+@bRuvXJ0+Xixr-Xp
z<=~<b*pb9FBWB3Bl??(PJHmf+NXEe=F(_i|pUUqnBT~5Wb-V6B*Y`=f%vQ-obi&D0
z#)Q#mWn^W9f>32>u_)9D1mX%$o5pTGEpg#1ETT9isMF>bET1Vepnb}G&Y!_<sz8K3
zUvbedLW5_@%^Ag$A=2Sw>oQ=o)bpN_%lq`}dWpUd3w3ZG?8^sfBo>E{%z=FHS`SOq
z^il!ZWS3nC4k*q13di4$Oqbv{Cf)#$w^F!V=u|7ULIM0Xo%$RL1=bM&t&u^m`-@dU
zh7{$8duNe5zL?baTEE1+8mBdM%Z*mJJ@3`1mkO@E&<htLVp@UC4#g{{38J$#0vmZZ
z8}ck!0q-CT=o{MUkykE`2lfYC_JI0vEe^7q82TPDZH0QdpFyHk^7ZDc{6WV_d;BNS
zMn$9+8(tc$5i>tY2F@4Z!H&I2{02gb(==lG>CTzlpCv1Z5gLB{m(eNhUV$7kwiY$!
zr%|s%!w&}EX%M@hqg#IQ&bB@xXn>lnyN%J5_XXe>%oSLHl7v*m`L-I3PV}2k){K^_
zfZF^oSz3h>FoGE_28FWqle`73m>C@|to-(k0w?MvAmPh>Z7~MNzK0h-g7Yb1VyO&^
zRZCE#P)qV{nN>Kchuy;#3#@<SUm1}b%ry47);XZuowegQux538JvxilF|c`Z7~-Fm
zW`)rx*TRveIW!`*JIz5B^M_ImuXg$Pz~Zn<kIkB`)D|{=o^ad)fF%AAKwS((Z0xW#
zn=Wk}$>yV$vG<Cw`WMi^e6K@~nbz}jHC`9a-&N{C{!Og$);u@fNrHXuBejg;0^bwQ
zluI;-g<D_E2XvaMQlcpxl8B2XS(GEofo<40@U*BfPREgQYs=cb^i;w0!kG$<GH*=S
zMga6=rPDWw^Yo@Jmum+)b+I4j)frtnn}2ipuU!7bKZ?=HEMs*|-a~0$qjz`KG<PpF
zv5C~e+MPQpR=}Ft?ziovwQ6N$yBmj(=)g1{GhimwL=jdG3TEkmBJ1MUlUE5#qrx~j
z9EQ(<%Nm+H#T!Ab=ZkSgimXoh$H^Yyz=`7w5Ox}LKfA@ET?QlMa0ql4Pj^gutKtWD
z^IOP`&Gg#JHLb=<DwfFZ#qPi{$mFsk$rR*v^D$m_5;xJIzP9Ke_wrr!&7L!SFDJ$#
zm&Jk_Qd}1<atx$c3ECxh-TQ?kzk&wfLJMnXU~hWATCICrcC6a=lsbndCx5rgH9%u-
zIjwAC05IAC3HHL8zu1}f80(e01sB*Ah5|H-R<wVn%U~M@8hILz*!JL=EJ%z8L}|AY
z_ilMkre!vME!S;B@?*i?3oP=G%tRXLl;jGUNN>_%ug*0fxA(;&nJ$g0+6Sc!&}#eH
zC`ZMf7sZ2S@ON{uosHa_#~<3NSKc~#w&?@f_K4eqaGSJquA@DZC(H6AiGjjmA1L$_
zq9&9wrQVW<Y+N_A{Y(psMQGu(*<IUuzLg0@F6T8zpJF)iJk?0kp3!Vfs)y;)hf3Q3
zx&S5u%_izC+7T>fJ49<i)s5D{J3ZpyR$5%Hu9rd}MoBC>Z_YP&c7j6b0;k&Y!*jjK
zkjubaIjCs<TWI17wHR{zP7E*e`__AbZ3mtzEY@=%YkjqpdF_5dMz566C&Gfciim&p
zm;NmFun7-YiANA7=z_=%okZ5(Miwjz^H}?Xg<X4%ktPL2ngd7UXwN<;8$IVAhQQ{_
zTX;O~Io|Itn0(&cLGX!>`l{%7Zu>}9M|$_|(B}0vTRLOoPe=LD^{+1Lc0(d<Ct7Bv
z^9=2j<k5zYu_(pLg<+sKp7Jr7VF!xC&HSwiDhaVAZ#>w&E<GC3S<GPCm**j05K!V!
z<ob5)#ojq%<0y&pclUo2hy;N=+8=Do9kV86Sj|O!=2@YG;V*cxL{!_jqMD0>8otjy
zhrnJ7D>u`}A@A<s;zi2;QbDV^X8Q}AafJY>rJl1d?XO}Inzp-(eARo%*E_W(1_N-)
zBq~Lqv&f1F$*DEV2J~&Y9>eZZRT8f0p{AFu#G~XEfk{k*mz@Y`B`WpCLQ~vngv^VI
zFMvd*4oyu7`K0g^HvEk6+Kkdk28ztiRUhv~acAYSduQYA2F8Bei|n^JET-E#cTkxb
zQV$PxR<u=rf5A2D!x#%Kg!W^{Wi22f!LZg{%w07Y8532UOl2J=&ajpRO0>$Y6*`$O
z$#?2eSRtj7&l7E=TzMCr$Zy>!9#Z~}i^kt_JIU3sl}ti@$t7jYnKYFR7d`@#W$&p0
zV_!%n&T!#Xoo*D<+=q!6IfQo{l-fn#n_`17%q_bAdp~co0(Uyco3{R98Xe`=Ct;x8
zXTD?&5djUdg1%|n>ajARA;)HYQ}ZGP2fXy=(QF6AP0<Hg{z^nF9k=!HMBPp&FNpDc
zcJEGyO3wWm$xyaYhE}o1`ih%t_+Rn7?nIcQQXb~&{eewt-TaL09}S@OTN>>GAF;hr
zhZ%QT&nC^_(8UHl{{jE|Ms=b>+@ni#1pkfwhlyFXWH@P!wwrTZUtdE)Li(;)cG|im
zNU6m_BNx*#ntPFgkcxz3ld6@pZoNHreGaf~dHO@6QE9nX3!nJxizAYW)mG6UyUrZT
zKtjX&WjBf0Ifp6y^x#lGR!rd#I*B;i{(TYJ&F_;^2oovkIVvtA+KOt=BF>gMJ<Y&Q
zqi&1Iy?w5L={hpf)HgNty=+8j-lW6vN8RBe0U@PCYjcZHCa+>PDWXXSE>`M_Z9H%#
zo+7ilvwB=b#_;I)&zTLWFu~-_8nd;xzoMX8TtH5AN(3y@b#-+}c$K0x?VL(FI(UHk
zO7#i?;gh+Nb%l&06da~~z&VKX$~W#;9Jg2S04Q4>7y~*gK}$eEJ02VkyL)Nran_&2
zoD_NZ4h}LvS5N+$N;@uBv34_*>fvPPJenfgm+7|HS4Llcp3o1rD@Xnb0t4?_Lv!K-
zd7Z*@lcpz<fKtc)gO|NfG^S?)B$2o*OS{N%!9jv2;mZ#xeV`>KISHJ15ReA`So9ED
zYf78H!Pyj=ezkzI)>g00tN?@)8BAG^n1p2i<|m2iqL(+~o?yCi4~h!-v*4U=($XwH
z^r5m}WH=bx{2o=^;d%)Jq{D^btcpzI)ZZYr?geyt7U@4>TegsHU4MAC;V3({zj*ur
zXrA~FG>^p0CiK_K+#hJZ`<}j=f8_oXyC(2&PSBq}`Ty-NlgC6r|K>rkW%9dmVK8nw
zRw25i057TW7tI0cL!zCqk^lXR`M%IeDbl~}YffPk62g;1BWb391q1}D)o7|UDgekn
zh0V<TjpbCM(qCfbpXI)-dX@~B^#q}9ZLfT5DN^g4Af(BV11l8r*g*HWIeEX_JMc{E
zQvKp)3GA`{^3a@h=wb&VCtf3F?1rraeKA1H1EC6eO|23vjHvje&u@j~;HA)L?=KM@
zKSju5hrGOOMH=r34E>z_w0H-9wtW7XU|<kZw!N|`uV4Qw&e1(Vn==_aI@ixH;pX13
zyl77^zsXB5%ERvRmoWhLgE6$0Th6|uC^xOHK;c-y!P!4-iv%{mSqMoZGyDz#`uB*t
z!cEiQ4S02dlH|jm|L|@39GX9XwA~0|QKvWWll63b2qYYplLv1$H$vT~7DPvh@&v`b
za|^*=4x#^WU}N}8h*0T@V1Pb4LrU<VT<VSmPdf^RutmT3ln+?Y|InHIn~U=A0aZ5g
zAHPnBFX6QH+08tlsad78JAyDe+|Y4GZ|t-mIe7m3tM&c&TxnVS8Q90KLMBzKo-%x&
zXnmC5s8gvnHM@LF==xisN(0f?;QuJ54rrxh4hatzhVGPB09~f0VNY7c697iP+o`I%
z&ek=}y}X)Pc4NK>YdzP3&QS^*;3Q#JdNTA6$D&E@9d!Gf#sW+STLpiKc>?MWth+$F
zq`m7AOjc{wpu2XA1?s@PHI6ZYy`6175WJzKx}<Gls3^;I7gUGuR)fvC^!nFH8^|=z
z@Nfl#p_{HEG8E>c99=3k>ciCoDi*@|I?7-vg_*2UKo7X#12ak`hvQ>h|F~%4Ir9q8
zD%m7-9B4Wh7f(hvo-`UQSXge)uCLdx-;8I>+vgqy06Zam{ztBA>r14F<n58-p7-fi
z0h#lmxe2%}IZepS&WK<LXAXVG$H90n{GPFMoSums|BVaZ88iOh$NtTy=T)&O$8idw
z+P3CcWSm&PmkIh%G2)5|!exVKoF(AU6aDhy|GW@Lg2)M5E`1fbEhViVnnxTmcUyS~
zTr8O&*AW@BI8{RUr;zA&EAk(3jb0$Qzd)J$rDsXQlOK%e<8^TE$$rp)`{5$FSd$4F
zq24<0yciqJbpAGaXZV=J(M++)^-$O249`eX&p2<Cm$GliFVmU)!e<|-eUlPAowa;0
zCR8dm%SymZ4Q(EBj+kSN&<_!WyW<@R4GA=v79rShkFdeCAxDP4n$Nz@etQQa;K<ge
zprDX|l@7`}YZDUoN>Ia`(~?!<I|qsy6zrX-jt&qFdT=?@_Bf}5aVFF%r;2&FY>}9e
zG8*WsJJB~5u<KAPTgmOff1(#JCG(d6lhTbuLBb&nB2?Y`7o~HplTIU{Z-?vo;KRPy
zbL*VjVMrrOQ>GCa>)bnhC|3xEB(>Om>=kxYtsbDLVoj~Dz>-H@2!7HJ5;JX4U=eZ}
z6<qfBc-5MWd>nmL1z)Qsn_Mv;>&Ng9er&W&yUYt4odPo$Troj58WYzmf`NLZkO=kv
zgkmbv+l9v&>{@`iHIeI|F41hrkyPIJmGUNv@W%Wg)*sB=^ZM9Cqg7;7cDB}n;w38c
zb70%=QTHg&16#C*B9&S;8AK|XZot>3aQGYzwn9sTm`>~;j;sMNNtJOGQlS)SGG(~<
zFXCo7=p+j1W-3+S=w8?0)`?rmjEPRFfhVje$h*;{oucKd&0tt9;3KNv%r=abX;Bkf
z@>&<Z^0;B69MblK_y_MbP?jk)NhsZ!s{_fl!F$L3m@PH|8_!^Ydu;#kNpWFD@bcgW
z&E!F8Q?xo-{RQXAL$XasOx$F(1f7fLUe2BYK%S5p1Qy*sbM#%kMzQB@R$+P40tjl&
zmF~<GVDbUER_F9SQTlVq20Ir*wwWcD_LQ<2!T)W5{49v&OZh|1)3hTg9Q+iF+IiOL
zTMksy-{THD=CNel<%*e8%Og;sVzl%qj~VN%o)x9F>M(W^sU+CaxC<n{r;Q?^)pL@F
zmZa8NysAc|v_ii=;twpR;^Z>5_WhU`Y%b(NLPd)tTkzlcjT<GFuH5H`yJolVitSvf
z6*OY;m?tO<N@KdHPMSwVv-njU&}OJu9VYgJQ#yqcrcU)N-YILMxrLwl8Sx)X;HNKt
zN$X}YHYsIE>XTMja}dOHU#@5>Wt#GFB-1_D{4f(nyVviX=Tqn5Vm4zOhHB2b++KP=
z0sXjpJLOvO{mE1b;|y2V=bZ^tk35gMlWI+x;reAHv-uuMC#m^@v@9(>FxWUhqQ|?{
z&X$~$mW$PPEU4%vfoM%^f`vIhPC_zR+$MDJ5}BKwZu02{iTa32LxH4uYN!||?1>BZ
zRu?evXoQ}w%OBwqP0W2eLa$ewQ%p6^HhE{SfkYe{Oiu{^mq7uO%8rn^mAHI&{ILQl
zizY5V0|phgT*wzD0ryDV6yCZ}45UBL(925sR7%#dcpwa&G3tYxz9_VXWQgcPrEn6W
z<<>2{KqMhCJP_*0waQ`<+MTKylV!MIo=}Wrs+_y@V#SqXTE_Y0dIlPy+l&RYV6MLk
zF~z@&JrIAArNo`t@*~Dqb~RS*t>%@vbpX(n8+llYCvrt|Z#u{LJGZlx73}K|ZZf*n
zpT0*LDV2+qE0m+=CjnR~UA9;nO=eL|9vjgL9hV|SO`T$uW1g%r%IyN1|KZL2uhSpk
ztN*c<MQnPjH!{nf+iG^-R9UpHy4sv)8Kr|H2Zh%Lo$SQwT3s#1nb$SC$g+;svGIrZ
z$m8dX*mXu0V)TUlU|Hg`vI-XvDPg{3ZibW>u)nptas~0M!*0PJ`+rVqg+>5F{PYKo
ziB0<wA1(RKj)0gPgSXSq^{LVsl5GUBmo7A<__I*^a8N?IK=}R0*mVndT%#GPV>5<8
z!C3F&=Zd)GgqWAl!iM-_YQ-W}fY?PVu0FC`jifCFz#p?Rpwge(>|5@1;CnE2?6$(Q
zR$Nxm6#g#^^Us*O?}_9``9tBwq6T)Vjns-IjAewELIg91C0*~^BvRU3;ojccXY!m$
zlB}1bR5TyNbC=AN%TR-KP3Yq2$W2+PuOT`{Nhq;Wn+37_Nq$JDF@oTUQtPyLp^-6%
z`Stzw6$opcRImMVDXkM}<-*!sM1LnF>xY{(u0=v}n8V*XKAhEU&_u-7mD7v{U!-Cl
zC2op05~rYT43D?&4@b_Gt6mJxlzcu9-G8xB55LB>FklLjC0Oa$HX=7ADkuqWe|w9h
zL5Qsj?+Uuu&du&9I-*sxJD0sg+`*5~QJ?sa=R~w`<*E<}DX1-2JWa(7t+(eZhqxTd
z9qtR<8M4}uo36)QM;Y9O$GOA);eM`m+2GU80{QjytFHc1mXL<;4s_#77lsoD>1!XU
z(3`5DbR?B+{A*EMob9#|k$vsWHZEpJO6$y({ek{m)}G>=FdT@MZ@VXir*Vj3@Wjvc
z49}IIQYM3-s;VMXz-#TWrP0#uy~DD|vvk7fk}R=Osb~#TL-nE}Y786~{N$VvD0mM)
zR0pR#!2!tm3T){3u`nx$=siczR!0Z}uei^5qL25w6P6FFr*Jc67QwO2=U39n$(^{|
z^sjMXi5VFYkd)o0zkfSFNNoNWYs8*Bh8zkS3JQu5+d4$`VK1W=JGq9faFl|w#XC{P
ze(9XnHXIZR&-E4Nd|!!0l%B7YH8kyxG2!Y&rmfoZ)w@De>=L0fZpMT}Dj$|fLb6c;
z&L!Wxjx3WikWaQB%~}*sN!wfbdU-v<v0SG?06o^4Rl_QQJ5?-?`zAh>Odx`(X@T=x
z6-F^0CaevjB-XK(iK%|#IP5`=QO2HWw%T0f25b>3BZ4Qa*)SL;JKh+RWajA~4Agcj
zO7l%UI20B4d?nbRgiAU|9Ie891(|lOIPxr017U!QZ4c%5Prg)U3<dq3kT^O{*_Je)
z268meZz(bwIifh)VqpA6ia_va?K9~S_L@IQskRk%Tk_TdnX=t<+LWH6)4C|c74NPF
zmeesLC^zw#B*KQD(*Nt=vfY5vvJ(w0{dP0zGnC7J;*JV;U-pwUeCe_~%*vwy76r{!
zerh0#J#w<jn}~&<W&kMhR5k$a@9P3M>bHNPHSYo-W%;<wRHc*vJ2Gk^9+RdOy?6yH
z<w4PFk||STld*Ox|NJL~f3jf!+FW3FBEU6an}iBNJx>A^3EL$TK`7ZebWx{#{%Z4A
zkL};rUI2Gzd(<M~ExzI(Q_^zyv7i~`6@yZ=(Ej0oIMDn<iF<#k`8yZn&xJlA_X`NA
zama|u-v|!>BDQsc0i3+8Dtt}3|Gwe;e|e;D4eZjupC^8&&}&-DWy8!}(%uPcW(NQw
zQNA4nIGRmozGG~N6DLc7xe?LdESxzTFW3F2k2pi15oQ}RJ#R2sZ8o5SXW$ylmx5Th
z(43nHn9I??w6SbHGcpfwp%WbZ`kRH=J*i;eaE7{vCTv$c_UaD|P8)Hr;KN1FhpWeQ
zvS9u|AI-5~mPuNc@l)cT&@;s&Q^Vn%^RNk82|;r5+pAD#EA7CB-e1FUA)<PytC7>#
ztfF+hviTRTx-FI<twVti)VhC6^e*AU4fsjRwSV-ShFm?eo7&7qSqW|dl0$M-qxC=f
zKf7NuOzA&mPmbpR;YI@XZZS>QwE$h)soSdUN{p?cCxuI*AD{NzS4VT~o{Vtt9at{+
zu9$5f8Gac#&dX1SRgl+41^YJ(E&U7V)h6Ty`_po^R9iso<+d&Bh}u=Wc&=9h!rz-!
zeWEQfpLeJ+Io!CsQ(8dfoJ*gZ+A?F)0=R>r(1bwh-S(X62i~>ugr3epYD`XST^W2{
zY~VOR0CWBh!+tx<VE)7ah>!{?cd)wNHh44W3f9fV#p^kxB6|O3y6OH!dSrh{Y_|O4
z3;H-7P?MC}&;&coznu6<ug*$Pds(Xi2f4?A2g6je#d=C)1goB68HnlYo=s#5j;0dl
zHW1N0-Kt6sT=?c3{~lXE8-H2yuXM@WE+6)EsFl(9Acs`9IxVQxzx9v%OVkoIf#_ke
zV4t#AV3GmEm9IEtY|Glt%^8&rE^<)_ZQRbed!=TBx6xc;zwPeYZ-JOy?`S<A7W-B$
zRaOVKOZ?~werZFTe|#jK+L>KK)gN60>zw=Wz4cKU=!dY~p`G*%br{76H`=(2KG1uA
z<t+5#lwhK6QC3(3*bQS!y(x)4{5^7g%}x}B#Ijx!iQcKbLA|?2rK^KzzC4HUVdV6-
zr!B<fHyL|DdLNgMmr9k?cnq(uv1=+ZVhxuQ@NgeP<|-^j1CKzq%-VL@sN`K1uG%a2
z>{r`T9l7xjqZ~`LE4Zpi@)utJkY83isy9=44{l#D>F=6u#*@C*diQ;@<9*H&@cw}p
zwy~l5FVv!Ebl-iIZa5CwcD`JAJ?S%tQ?=_Utq0ul9%?lzw@(*Q-;_NLmVa`WO`t23
zaDv}?V1G1if+=19wC_9c-N=ofI*P;3AT^D_Y|RMAq_d^ljhXVwltp-lOF;LzwlO(O
zyTSu(ghWuqy$7P}d8qocCsY%;XY^s&9zPVyVohSmp{A-qj4c_F^M?vsqvNlZ>?sjR
zE)U(?7_UV0eIXs`$$LvsUHY#N8`W6cGv)W^t`Dgn#TwrbWhKhed8}#3J~|OgTEL2R
zijZD9*&&-2A^U!j)?H1c=o)j46mJ%jy7RDoabXT=mGl^1P~66b6xT&(V`ExB`@LIf
zq4|Bh@6(F|``V3;*;-i%m?&tMZ=247?zbFvWOfm)pl1-;#F}IOEl8FK9EY=Wm4+{V
z(MKq{Rhs_&&z5DJ<S5am`hha~t`G(XGTzs1TuUz8;Q8mSoX-)JqqpL(d@9`f%&B@0
z414pH6_`AxP#HR%!`yC&J~XSoKp^;m!H#88W0U?97eCupq7EE>>D^7mBc&$<a?-Bm
zUe?j)I7QlKtaiZW4~~lt1>+4)x}nru7ei(HynZVMZ`B16x85~Dm)EtIAp;S7OE+BY
zg@T+dGPoN?xPEq-yLy>^oVHxW1Z~BtaXZ$Ez<Wh`_$noMpz+Q1_p!IxR_!<Yc)1-w
zF@^591B=+x7&=q9v>cZ$@|juzlEx86L+{j|9YcGFs^5?wAKdVGR)zQKT!IKotvphY
zT@2sya9uy{cdqWQeAS(VSW>oYO?TRmF8Av5S@S%V7=8>2K7FtBPlo7-RCV&Yo;$oW
zoDAxNluQjZ%~}m)MYt1uWL?-cVIH~m{*Bt58s4Hrt~a~C!cM!wc#qxKixT}PbSs(|
zgXHr?NX#>wQzmVsrVXjA@j_575wrd3WDMZ!j!wKeZ+8Mtw58PUFg_E)874#-oW;S5
z`}AsIx>4rv*8J+kC}8PqcJ!`^EdKyz^3sJ;^6UvYy+i!HYV$qbr+%4%IXN4VvdZ_F
z4hcj@JTgotI@)Gfb?4vx+24#8ElCPbXL5cp-5qa1L|Ukd+|+DfK0mt@+gVWeTWR_y
zuE7%%wc>%d-w>rOg$nn^c0B2iV*;q|DDE!0^A_vSQ{1m4=E7QKH2r0dMB3b1j`xit
zEC6vyLAgBzcP@4!d2kl>mod5sMs@-R;ZD0{=#oh<)*>nSA_v##y8<f2lwwdk5Ov`_
zK>9kf^D78%=jp~@4UvdQAd$@)cTeRu`?&hN6R7RG3v9LoxBUETo~P}eUR(8hdIzdG
z@0Q!#q47>Pa4a6OlH!M6)YyEWU%0PHoU<h9XQ(y{_@B|H$DkBt*JZiy*SoG?Z=9+*
z&(+>eL5+T|)R*C!a5Vn*;sf@|@<1VHoG8|9%lm3dJbk(15^Lx{=sl$R#`%H+>v^qm
z7A7a=JuAzh{xxW-GYeWu7C5O~9U^!V*1{WncMl~t9fAZ`J=&)84Y+I(PuSoMsegd1
z+j5pz3^=<;j+B^*1!ybs8QZXkHb}d&w(8?u^Um`I>x?%sQuN+jKNr;M<<1Ab==N+l
zWFtsouT$tVD|)*QpG-WteUIU2Y6_CNs|rEW`yHnEOJG+v!q47PgXx&2Y3^BsqQ~;S
zSk!b+g)BlJp%=Z6MptG_d5mCHSyB3DoLW*|9O}+@`c2nUL!;()`KC1dk2gaiSq<2b
z4MyDPyNmD<ADSQ+`7e!DI{rdKD84_XX#j<^{ULaRF}CphoYGzTc4zgEcUPViJ6(s2
z)xLPJCVlWCeLk+NJz1__+7~jxjQxHKJIwZms~I_da`=E&%Wzja*yR@#1ipc$8J6Ys
ztLl74hFP>;kOltrdByv}`^cDdAs5s%5(vfTNoR!@(pQ3xYLqb;5W06gI0nLCaqoOo
zTl>xC<`I*@m8AA;>C<8W9gyL|7VOKz2Jetm$<HsW-TrxTTD)UA)LwEM>qDmCyqerM
zeHqxJ)^(2h^X*QJ66jQ^rUbx6;zkvRz-=Q$fC_~gu33&jb3x_v;f0?2eztJ+>+_KK
zF436nTskl~7|pQj9k%239Y<{LfQb>%M%WuKyr-%?VCD3&$BctgAkl`wXc$t>_&D^k
zJu>>khI!qeDz~-^%>hGJENyS_X|k7pWWvtUj=sv!Z@RU~FvKXN`4suu=MqkMXwqe8
zjS{9oFIb_n80!F9cW;r0!QtX-1lBz~RVqxi)qs`}m!Ib4Y4i${$?y%x)mwaYj$$>0
zB4c!~!ANhy7P`P8TIf_~YQWa7iT)rJDLc&yM4BfnBH6=~>un`^{o!rGqlFeMMtGY6
z>`+99JV4DUJw}`w!x`iZUgT(Wm&e}AuBpMN8T_81g4q|R>H|~5!TA!~=kJ3s{<=dJ
zRULlt_ZE`X_IM9c&cW#`GI5`Nzg@V)+#F2y()In32z0;3DZ+Ob8NhD3wzFj%x0r1m
zxQ(Z>pm|+XLY0joU&lls1jER1K6Y!$@j+Xd({Zlf+DJbgFbRXX_mG^jw6*l8$P*0h
zFdMbLP2UC*VltXB;8`j`gtoEi^?jhGY#8%OSlmO0_BL-N>rc#P7ycgQ7^z|F9qadM
zt_0Jvm26^W!7BV>ubhBkc>_q=A%Lm-HPKgM#D(Wx&9~{f=fv%*3sHc_<+m{ALZscv
zdP-uvHpB;s@Zb$b{k^=`e}ag?c-AsQx+dqbi*FFt?XpU<3D4hs3!-R&ELCrocCvEF
zB0FmELT1cPZchA|tSC76E4{`P?g%<l`h+b4WbaVEPv6-Jlig#*g5BLd_?h@azgQnc
z&pr+RMpU%kVg`rnLoOGI$2z<VN7OpW*w~M;{<C8T{oCRYB)*8Dh*YL)%O&`bjV@pq
zjI#iVC{4DJyz7eDukogn1N9?YdEU)z_It9uM1D&DA_-MO_z`O^8QfN~&sS}spKEUX
zOi2M>ZgObRk{*e<#4AbRbfMGALi_fXZkNJo#kyFT5m~9dmjAgeP_20*pRY~-{FV`k
z(Ygt}V7#Tx_&9%9HI@}6QA^WaI&8WRI-bD+^WNIfvr|!4?YM#dytxY$?<fXawTK#T
zGBGe;qnqn3LSJAyWG;~AXyIoxe}aUG?)Tx(+mpuUEhYt3xdn;Rwz&>jMf8~K2{W8{
z?9;&wEo0q=kl*!;@QYq8=uyWVEHb^qw`hdoP@7XYfF-cXk-B)T7E7?#D>l|tq>~h%
z&*u%@JA)bFS<y%M@<8y{LXKAohb4M}W`=Eeapd4P#@^t&p~~XOetjWtlb@cH%m%A$
z_#-M#xX|`>+k2<MjvO<4!hSeH-K6AB&T40(%;l@FK-Ofgjph*ay1JCIlul@ts`~|!
z8+iMB@k_5`Xr>tU2UNAu*+r^V!sI2zs>w(Vrwu=&R{|tiutzbV<!Et4o-vJ3agK+n
z2{8^=IH3-E&`f+$Cmk-7IFGk935d5z1mS*P?~zyOx0ja@kfUUEZrXn>9fgn4E5gO)
z<PB-l9LQ*6zf{=9hH2inkvaJRBMpw=Dsjcz&<$T#BoRjB6IIA0Mo3PNu*r*Oi@u+?
z*X5quH|sQOY=zuPpB~Msjo0hLiyualj-nd<WxlJSqI}4=dt1+n-hPghfLO%Pztm+g
zUXB~q=bXq$-}l$Pb?M&X&=|<K1*-0ewUA;BxY#Cd(zrQ${ToKJeDUK#^jK_}(q`vS
z4L|Pf+L7y|c)}qU5#|b9O6~A<+wWy&5lPfFBkI8iDbYzNU|fQy4Wf=I^mi>g#mYS)
z`)9~b@{+7UO@HE#S`I)MNdOut-NE)#6sha+0J~+PC6cB)ut}9#aMD7Wgx(TxSIDT@
zY+jaXG6OS-vPIz}1%{oGy~OWK)${WG;DVRwgoE-Mj$<Sppc$up5(cZ@4wv<x_@)&-
z$NR9&y*xX%><TsJ4)d_rpz9XmjrtU_BZswNMUR+Qut|7f19vsLdOhQzM>ka;Pfr^H
zkhh%)jCC4wm1{nLgeGfUY}PXqq~Qr^q0YI0)d|k+PjB<^oWslBt58kbD<kf-lR}EP
z$<T<5d~7lIGYLxlxZrM1yy38okZ&m7f~_7((kU<0z0ixf7ERta`eb#I=wY&*%&QKv
zge*KDGeCYfBJ!dP@?J=!;s%Ljn~$A0KsqgDfe$;$$=UP+msDFc`|DHb{QMqOr|04m
zp-T^}^u#iqFw6C88a3ZI(6!<kt}lx5r(0FQIMnU)x(x)BMfl3&^#aGtf;if%(`u=H
zY1r3VfRU3z+WQG6irki<w1vxXE<}np(k|&u-*zY*xs=Vz#nKbDJcB`&VTbh}lpd7>
zd0PkS+S4`S@yhy@krEWXk$^}FI>U!A9(tY6NIxxAP!n%GN$LqjC3<qTKDfit-<=cO
zvd3m8NBT~WLc%-@jR(eo-46lc3U3%NWS?QjO)g2>0a)Ogc#81`g(EXJ#68kb;O4P#
z9G%j+iF#De2k*dKCb4^Lq;+3ZNZY7*j@j1>Rl};H+l(TL_f|^+Y3UQlD&i|$!CmB_
zct^nk%7F>`;o2TYwzS)d3Q~f9_!z1@NEe17lPIk5#7j8%kzEn~35S1%_>!JuqL;70
z=dZwk1GHMJ6`L&CXtm|EMzB_Z5#NGH7tnJ+P7*zCw@#jm;0s+DnrtQ%=ksJ98AoCB
z6$y~7|0ab%GPhCDn5j`Q6okuVd^jh+Z*;P!?ARmea{!A<aj};u=fP{F6y0v=2pxtx
zPNT;csqc*gz3P01^TRgZp3`lnOK#tvz8Ae<Z0c~hC-}wL-x<`Du>I=35Sg2K%&eO3
z)MQhR?Ok9}#S50e4=~r)w-x_J7T*SS`jO#Fc!?F;?8R!pbZ(~F1_WGaRv;@9yn(yi
zVh8m=lNyFnqN*I<9hP3iXI+KlH{r0f8wo_8|H>0t<9uua`*H@ezIqMhD(#73@#`&O
z^_QpXszbq+GnI~y)pR7(ct<NBDaW>#R2Om{{}FqlY%DY#O3LIt06_?sz1f>^x3EpR
z`K`s}@uAP^v7z^j-n%d0o1uQ&CF_3Sz@BXul+adjK3$vHY3%N$DOtm2FaABhSu@vq
zhoxGV3AAX0w8-9?2Z17RjJa^;?w8Os-FNb?a55`gS*#XGbL0j~4>s?VSF|KKOn=C+
z4u<_-h6i>qy!fS2eN1Dc?HLrd=U|S*6C452n_f6S+E@*<=J);HWZVuH1d!XAb}AQT
zuHUDau3q1cixmYRbo1fbnyLos@V))Pbff!E=2Yi@pa+^S2<FCroH-XktS*!Q4ha+n
zljYZGiJ8TCkER@xwxR1go`nXNwmGuP`?}!K)V<$lAe<wDBQkRRT>cPwPF8&5+BGnQ
zKr+(|R9~z^dlc^$A~F>Np7WzC%oZz|umgv$DZ<MXFz<eUSzm31GpR@qL)df$)5aFl
zAFt=zR{!=jQj;}cvJ;;Q-TmUak{4vs`g64le4PjY`}x%Yud&h$t#;TIFFYVge;OyS
z?za$g0eRthKvFkW#&8C;gp{BJikv1(oyUB?ay`T>SFb?_w8o(|A0C+1gL3?;$pexd
zF)Vby*0zm)ESb-{mvIv)VG1u8j4o4Sw#VH5{DA0agC0_&IK4?NTswOzUQKM1{@_Lh
z0+E$E?}ECJs9yPu>GX8G!DcsF_Y*Z5PN)EMZV7)p_BKAxZS3(<5lnKv+UA7HSGMp}
zOK<k08M5=GZxBEhdfEc^OU#$=8S~rneo?42;y~0Ogtme8f^V9K9hlU1UfwU&5$<bM
zW4^}dKitn3DZ0RXlcon1O_{#!^thUc7;yEuDl?<hg<oqb&W9U1n#H>6t$ws+{KTc%
zq|kO_ee;V6o7ma8h)RLT9x`nM067K6t`=9+$P~^5FG;~W#NQ9u6>_*?idXUQ;E#2P
zf7~H`d)%)0{<7Ui?=$pW_YL3r+!jJZJQ6S7QQtvgP~}npe^;#$XzurT--|I*L)mcC
zy_b;G8rv|M8G;LzlaRJTvIJbkIiVBmdf}$ui-COIM2Fd$HJz&UW<YeKO;4Kwt~~KP
zEP@=uagk<<d1*2|A)Y;&X5n+0#CwOMOZ?q;o01^{U4qtoHyQKdef_&~4$NBT66b*;
z{lgF2WE!*%t&QuLO5Q=HF>~r|KGbG(;1e&ZOHF?kTqW;kB=;^v$D>7@=z9-n?KM<q
z5R3ciTg=#$VEV3Cu*<G*;xLG!L-l>(ah2z``+G|^qC~nMSt$`&M|WoU>prG1^YA}H
z2!kIC$NP<+&i0V(VciXtmy+xECS;;m*jfnW?HNnbNbJXt7f9s+xj%FvFV9PUymlC!
zI^NPhGiNY~{4!SKa1B^kM5ml9zWsPtjlk?g0%^~i+5ezeK`7xNdS6q9Xz~8^Mt~x(
zNU1ji3ZkteBq>Gb#l2zWT!I@s_Cn@PbmJ+UIMJ+-x+L?H=WEu4nOl%*4FC7x?g50s
zO8=&G!q<|&=Y^0XxSjff|KWXPFXd3a^~#krR?JF2@|d<fXR{l94s-R9q<&RC5AF{<
z4vAp>vl79nyMV88J6<2>+L7OCeX;jZIuhBbk}f;8s>^R~B{hZ720Vz~g@}L=JR5*4
zYAiwZj=)X!x@}BlkPjc$ws~56h_e~7NZMMP5Ou!XXtM9SAt3m0KfF0KcNkY#OgW-8
z7MDFtcaK4*wvi0f3T&LXw(nJFWcuG?sQMVu#DQ~MOf|%<x(4*bm0ji8B?bbYoSfVA
z=?dqUA}NYr-&D4j>SeXgCIEs%At8_zDKmV>Y3Z4McM+b?j7JHaVBV0>SBq(NZYP-Q
zYp2GJ??%wPUU^`Q#%41)SCUtX190>E^}C-dTrf|iqij*1*5{R6`UQ?IMeK^$KM>JG
zL~0nS<xy)s2&mL3LV#yUwP&@7!9iFD)v71gu6;HgT$<XxAr8hY-+H4TZr=WW+ypfL
z>ADr>2DE{sSQX^Z2u@^#G&-)hy1#DBygGJjPD`PIO0UG*e0~r6b)0}p5H6j1;D~gz
zcM9Y3otF|-tC>3oRQyUxPBwR$NcIZhijYZhjT5;_2P{yGUwl9wlPR9^Dg~Q&Gi&xx
zXkI*|=)FLTf?_OKm;X!Qxr$(Rx)9k5ha<{H@@zs}wE-g$2TNjk+xoUpD!=edY*|l(
z#gF~bUxEbcK9m$GM&|D5+Ir93;p;$mEi2+v<AE?<7yX81sq5g1b9$uLec8O(&M?dK
zPoSgqhH?E!d_H{5oLsR|f^@TAU*f>``J}h`2=oeJ6@HBDKgt@89C^egh=3|2rR_?Z
zm@_igI^C(q_w)_vx@U(!sZq}Bh;7kABg6TR2F3&$37lHk*`acYJC=#^=kRenrNqP~
z0Ee$8(g;KICa<I(56@ujoE{=1(!mqE*Z0?q!!OtDk*7E?<tlp+kqmQn8HOu_H#d_o
zGJT&uWDgNWp!Vu25;!;k(v@SxO%4N-u!EY8jXBvpkN!fxc58w%!9j{^&W7L$!{ngh
zBFc#?HBR*uPmM$y4TGWwEWMqDJe=czNZT^|^z=OACMj@+kWU9ug0+I0uo};}(Hu*i
zhiA7me2@|qNN2ry_1KtMmjZ{~KR_P)35UDX-x4(|In=>SA&&ZRThL6L7c(MmAP5}c
zI9u>=BbMW``E52wj4HEhe~I*flZRHN_2KIFws5=`oAW}6!iKZ4RNM@ZuQbdzRO9rv
z^|>H_MiUE0>$^w=`iO(&^0qc^tw~Wc4Yko8O`c=emrgCR7M(pXhwp^|wxPe>3wi<W
z7c4>1f|T9o^B!^0rz@KML+ab(IWJr3;1m-OSvP3P7Zg_tC^h>^y(7a3TZ#_2s0=MA
zA5&F2yitrajDbI&Q;-4|k|wNoR`8@6S8}-mFN{INsu%Xo6e??^J-r}@&9?gQkgD29
zh9bH2f#SIWPXc|IE&gIDg*ZrE;klyT1!MT12Q}jY%N8q^QNjjcJ5ExbrKnT1;JRxi
zL;dS>Nzv^_TFHKfUY_pESxiY2nqKC)nwS`(yx>EV!&z?#k1;`~ulQH2C=^(JwR#E$
zgbrTBU@h_Sn!b_)-+Uw=WOr1hegFK`RX1|Ztu#++hUW3xY^e04jjhRZH(fOO<e#zV
z0T)VbZ>lFua~kcR#>Xd0@h+Lz`_(?bv!9UOX_GBbT8|iHi_?-{Kn`Ej?iB^nX!Z}(
z|MVQjwc!s@w%>I-9%*kG6=BAv5(GuQ5HW}(iZss^3}>F>oslJcxR!|&bbS&yMnMD)
zP4jN~&#)=tL67<sWWLEX|L2`2dMH!{U~5A&WH`=7YZ5Rgm5^dL5m+hf`S^_f*l<+o
z-{}LVxg!g4%eF4_;MB$lP!$R=a6jjl?e=LlB6FZ-<yFIxBh%(ZLYl&vMF<~+6>O_u
zX6)*f!0EdX>#fzGS|~@BT~3f`NK%%m;<g2W%r)vu;pD=>J!C}{s~M3!FDCD70;01`
zf&V>a|JnwCo&K-+>ju3b@{5BaC5fXL0p82Z<xwb8d|u1a84_)%xx53j+;VwyFN<8e
zsAvWkM78U&$Pd=z*Vc`A--fZ|%KXA{;NF;$dA%D$j;J~p{H9IGS(PBR8q%Q2wp)?S
z1_<oCr@SlTtJy2f+@Dt=p~<!6NI)VlQmT~B_t>C_^$o;@U!ZjLJ|8Kc#7FXndw@N0
z{CkuBzta6{6%qa=q7j%uo?|&oBYuC1wG}1H*Om(Qm(BHn0Pz`=%$NwJ<VtbieworF
z*W|$8s+I0=j-^QaUc(HvLd2GQZfFG;;$9jfrKGI8s98^E2oxhfjow21Fc&K@oG<x8
z=k}9`kte9u-xvy1oTRnw17<~`zX?ZGM@<l%$(NfD_E%Geg2sRTXGQ-ao@)qXf;0u;
zm)=o>o-M9wgI6F;`6Zl}O;mK$fKI*X@GpsjID_9>lsZ)vIXN3`!05dg7c=K}YtSR*
z3C(Z}l;EDVHGjO#*VACmGF`pTc74lv4lmw43{V;|ax$1Do*)paLZ`jnSlt^Y8$*fi
zmONT3z_zFO-jJ@j!*bv<iu0d!{MStVpBLRAGTW1HqQharMRSMm*hfA)x)q}2#$7Y!
z^@`lcNbw|WVp59~jd~?6{uv=MySr#VWpFQ3|5FQKht^{Is0JnFV@S2Tj2oP_I2J>A
zk+n3n9v;jXNrA&7U;CX5QNOp+WV&5^q(%)+t(h&ZT(LCYEmAM#o(vEh0BvZGP;+2V
zMRrxAYQd?(dmQ<<KK>v1{wSyPHXy!PBNCd(xa4>`ouOs38hbi%?;ei$)xLpKTDKKy
z$CN$>Y}6-yRT<Q@Vy+zM1ibWm?H6cTI$kU#=iTY*SH25gAULc<$R<LhBd3+m&7aZ9
z_@l3Fdq*=MY93U0i6;yGVT%q&Pv5kxwISr3&3w;yMle?kktValyC>P<f~ZS3*S<%J
z{ogbL`j2L~^=RoH<BRrajcqs@K<#hZ@6Nl0-CpZLlB(K&u^0MumMJh|CJv71rf?T6
zQ5N{E4I@JhuD|5gVZ@R*HAC?BhIX|7EhHqQe+xoZAisgX-z1SbK|Cb9cNAsDwMGJ@
z-YPL5YT@mh=^}CgHO{(YM|(UJDyd$_z!Q(i+O^?-DMWXlC_kpk`emV!AQY{%n(_Eb
zHB5frs(6oVxDHHMgT*~~`Km`iK=3K8>;*U`Qa{Untoe~j7x%;EN)R8sPGQSP&fVP*
zM83P;a6Vl1?HSOI&XVu>*B23P)tqH!-q52u`2@*nKQW|b{bUzyc)~E&c>ErN9{mBK
z57n=2zLFI<TahIW*$ChK08Mce0a^1;><HJ2Za@CIv;gDchl6ZuXD85N&&Jl+tiShZ
zD>f2<oR$OmyVc-Ur+m$;VEGt2aah`#K@@tOs$~OJMNzm+Q8lg{JxAy@=}O^<!C`=J
z*@ahK63VinHBY6^<Y=uCY?Ky0IH5l1_vKk$kU|9&qYq)yFojk1*JQeko|)z>Go=xP
zHWy35vxcwAiNe{y0)^s+-ov1k#CkPq1%UPtIT<=^Zr(rteF*(8jgf~24JhnrW_3rD
z3=KrCVJA$&95&zo71)oM8%#0$9*BI(sZ3ginjcyVtqG%U&#v6uAyfNBp#?nGBj23e
zf#~Z{zT$BW<P5Z0ga*w<CxX}DV}HKNdra9#;G(o42A071oaL|XI@Fv+Nd!l%rD}U0
z(6qaf;6Tl&8Scac>}60~bqKXE6z{ORA%s+40zghBRmW5+_#Y+tA2a=LVRL9uT;;9t
z#!BJS<dx|u8kQy`&10*w5qN#98K?rE;@y=Q5`M00MQJzxl=IdEhcg~(aX3XTL)Glx
z=!+~@bDTE6gZG-{g`PgyIR^5V6)KIyhE4_JSkchuRxE}T7@ClgS#e`#h^LMgJb-m^
zL94B`mmsN;Px^|{+*(|0MHfni5QMF2=7%r?Lfw&_<oy7RtqK+Br&G2@DVT$TE;lkV
z5*L%Jx+dJPcI<!3_&-;H|22y4cOm}#8G>)$kbr=I;=tt<^?ygvNPfTt5A)9fTB~y}
zmh050lqDhzzR`Nv{T>$?R&n7(lRTB$GyY{P-lG8nLvN6chBeE}v9ZA>d21ITVUV4(
zV#aU63Fe8G>N#B6Z#l2PW%Xg0FB=Y9G5D~&8S?p`o6rA};*a$~0Q2KgA-9GW=qKa&
zYKKJaj4Kexk8l5-vY4*7Eh}86-}nX1Pg$x=99YaQGxi`v+60EmLrEpHKUVPd^W4tP
z@Y><8YxAFl>IRY6zJMk*N{r1)3T5lcL@2Drv_q5xrOl58?ubJqq+$C%SA)NaB)zSJ
z(p)AOs+M82BLEx<xvo*aKK+t!CgMH*Pv-NFj(z%eYhy?ju!w^bTe95Xw`XyK{@14Y
zmteLKpdUE7`|xDLGO7IPM0$DB3ct9dd1Rmpw@K(bn)!@F`Kl8COE0<wp}HVay1n=b
zG8HxG+a2-9<56-6*%}0a0&N_;sT3ut+@AH!7Sf83&mGb$S~&mf**TUddbtIbT_5c)
zufF`P0@0LWk9(5t*r>8pnznmHe$h6jY3}i8MU|x6g67bh)~nF>Uhg(V981Q3+xfmw
z2|s`vJzI>if#|cK)-{2t^XSEiLTA-!!T8V@NnGxvR(=I+=P}`2uRSv{XpBEP`*Hub
zINLx(-GU<^cLvwW__Dw|loB!FcPoWj`;w%{bxbjN3yJnq>$v|li0vIxz_0pVS8qn~
z5P`98H)@^`RVm5pz}(9YfCzi$jQ%F;wl}F>Za<1~VYR%Xs?HCcLoX>`6w|FHdN{c=
zLIOS3bUoHBooW2=kuQ;=Qi6M#;VG)IBcn#{km5JUDPNEXb~cO{cHrad5}^`y>ui`e
zKE4STE$|nyZ9hb53=p%-)(ja@MrMUwW@iItDaR5?TwJ^xPz9peVyTkR&bm)fV#VF(
z)*N3M*a%n9PYT-m^495y(ji(jLpr$^DlL^xHPQ&HFA!>-6{rrKY0Dda&gcC#DLsp)
z8H+ghPHd@i<NC#vPrxO32@~UiZitEAD+F}{*V%E5dOJ)y#|V^$43{n|ygQZ2)Go=J
zcv5t_%IbBzWG*C1PT=Oi5c75ZHbi=H-8M$aqsj1ju%o#nzY)!&sdDId$B@nPrGMkz
z)d~Lf`t2prhOI@mmyk1~iO(BZYp|0@v>$Qxp71&@?TYzmZ_#CY0N)aRXTJA^lcA6`
z8PTLL0kxP<RZ;IAlOLlD0WUA!T9b{~{mDY^f_aU@;bgE54dr_`r11-Ff4C{IOR#S$
z<DQ!IZvC7jkS?07y$dl?FRTS66l94+sQCD_q(%gLA&Ma=1X%ad#=!%+(f>o-JN{?#
zZR_5hbZpzXW81cE+fK)}Z9C~C9d>NovE8xlq+^`?*4pPe`<%7kKmR~|s%p#{HRhPt
z_Zmwkf8#`+{0wLZ+jh1QVwt*KF4oS9742v+YW~EiK=r1-XQQtUAZGOTAlGS6MnrQ$
zC)-r{S5aSZm=5plx$}$4H`zbkFAf_r(iFCfBs2JGlT3+;4tyw0#uT$|*JE2QSCT!+
z1L?YGbx#CH3Z&u(ycxPeG;=|uy|!?Vy~9B*`=m+(q{_t(x*3dDQP~{nAMi@+IW`^D
zZI<Z=qg3)-`?fIbqj1$}8bsooqRold8)3Oy?BK>eA9~X#o+xt!aHWKM?ti`1p8cse
zMKGsZ4V6+65KG7gQ4`_)Y?_p#(Ug^p;zrDe$W&&ll8S!sa4#^gs=0RYbd>+xBYoVB
zEH5`2<G5oi*dyi8W4`)Y)Z3Rxb<qI1Y<97W)uz$PnJC}a2O)WAz-o&FA{kK32Wxzw
ztup*3b(bww3zRt&yuAAZX?8e?NM)o@m5a1aN@oFo4)T(ipiUZeEO$q%?SjaUKM{fg
zbM543YBi^+GsV4~4&)y9*ZlJNU%40JV)}y=XQZ=@E~FvgTzzar+f(G?zmn%%kZbQp
zu8w3E%=WoGi^VG3KU_Nd!0@0mWW|%v4iu?!k4Y4uX?*RYFpB%Wab38tn=M*wS4zb_
z8hC=_o`PfA3-<%eHp7&iZ1TaqO|WxCDO17i+&;RXWTvqIg@gLxpDcl|fdSbDWE1+W
zNa9s+FgEo3IgA(|zw(A?iaYvb>G7s6^=F3gi>6~x<gJ@n&30A`shxw~-p&Y3BIKc$
zgIf5YU&*By9hEmEL6!DmsTvEFJbG^i7ldnEc3qBCO=H#$%u4-YOm{r?ZXA9|!1{8`
zUBFP{A>zf!jk1jjUa}kGv6<zgVj_w)sYg48Bim4;48HF^W2v4pLy<y;aXnDl!9MaK
z7reia{`sMXpO+w1Q^4-L2FJWRZG2j8ussgc`w*k7?-x`rlrDwwl*51dZHEIdUSa7A
z#Apvdv5)5HbSyIYi4?CYw#4wlj18Z}S+0tv*oZW*i*g~$Ow8$I^cCzLaz#}DG$Nve
zs3_RW!$tJoaQxnOU$Es`^Mya(uTN9n;j7|LQ$d1|uiwrZK=25nteTe9=S3{VM*Vwx
zie|`kUa<dWY_G|@Ku}})Zk(R(z3bAU20fNQ><O3!ciW<AnbAQW%ahBzQI6acP+>rO
zVDu(NN|$vmGR_r*Qa9*Unxx6);kIww2p)O++{2?@Iw+2FGLc7@bu}x}0`{ejkD}Vb
zwmf7PppYmK2Ga9u74k}4PKpxQeND8Z$j*-MdaFUAw_vn)cgwGT)gM9da6if|cObz$
zp>Jb{E=e8(-^K3*{8d3r=;AV#UqsyKcrO>(`;hZ+`V%~BU6(fFoeKdnbh|CGRw&Vx
zAR41~@MJ`0WDZy9BN4*m;ZM0zl`xU)i|fRTH9LV74^q5)joEj3b+zd3cbJCL+=?x?
zXNDkY^P$36f5V5Mp2QlMq1UTU*yT$2o7EL!$BwS5{5O8jVCWQb5Nv27zd#{Rz0>V7
zx3KVV%(wUVyYSg0*@A-T6;z!i<DC!u2x<9X3qi6N96pSTEVcC0T)tLZiiWQ1{%eAS
z#HUvCn=8%6_iqi(bk}4zonk9QF(=DX4cenu8F)Vs&NqW}ue2)`y71vnBA;wNu2%f6
zv7C?3h!_ia+Y#_0`E#@Oqrq2Wz$V_j*s~r8!s^m~+;(s`TcNAt^TwxdWkq~T#W+i&
z?=`S-Ckp59IiOw|#(H^Uuhmnk{G6@?=S2F|e^v`ucEzcKY2j8qc>3MR<76^@n`(Z0
zn#%=AwSx~up?Y|$Bfdyzg|hQi_w%gV6Twa^mdl@(oP&q2a?v3ari>LO6^4IZ-GqJV
zgN;yT>Ek<mD81E6JIfH?BWsZEgl3NiJ$q=rND?uKLr-d$x!$XZ;V`$U*&XBumj}wI
zR;FS*M8VdK((!Uz8|&-^%|~ydCT1tUks|-Nicb2@Rq?2Y)h_JwFduPRi2+|^Jh^|+
z@q(_;<0$0y-@ik>7DL5W6&m~;-1EJ0e`)Gn54-?ohrN><h_Twgfh+aJMANM?Ts^-8
zbIa7~eE*t@4h;=-=*l_Mc_GuCX{5c(lnk2u=?8KO((7nx{rS?10Iw<Xg~G`_hsCQv
zbkrGuNn|#OMJ#>e0%+3;83F2lD@j;RU=H7(NFQ>d3QSrs+wbw?n7(%i%N>!*Pu&yT
zJC;7i?djr|O=f@9l<RDuz(~N?@G$Wf`;BAHUD$fN&dAUmz3dhL1*bmbHvyc4@P9to
z2k3~7IeJ$?XV}|thl?T0PoRXW(+~9e*C|1_+-t|z_h^jW8pDWmSkTdpGUw-84?9V$
zP48-Id4lM{v}mg5+&oTqgguL2g9Wu|JDK_HMhdDZ7md5Ug~?Be^7QZ!bmY@I(GDDV
zr78wAaWj$AC2ePnr`ZQs{3c{&H3HHUQtXWvB^g*gobKO?m|@;F*rcE{nEm<UfY2^G
zoiw^A($(Vd-8#+q9W~hXk6*S;FJ^QftM0`9`khKc(3-Iscfhr$h|TQDcDTW0h5Oz>
zx#;@8yjs!+T7kzbMK?>)3dVc0qHqLUFc;R|iHM&xPd^qxP~HQ!oexHg$Dz@wH6&uQ
zns&}hL=P7&@dOCNhb}ry9P=4P&ou)OyI+)|^hk;y_sh&^oQRl-3A-1IhP&Zq>OZfw
zPPk6+Wv>i~-+!(PS6tmX{(TVt#oeUT;yi-i@vx6Lfh$|U3JtX^-vEcy6DQVccFL^G
zWHN;4Shb2p8U`0c{6MLnc@065Y&(1t;oDK~x9oIs++}f6o55?sblQ9wS1tiBL`KNg
z(9jrFuS&#nsh3@MwnAmqN+uvTd=KQADO>v%L%<8gFR%XPKC#k+T*Cd;jvmxojlMdh
zC8f#e)XHMh<n+gQ7(U+qnPxH@^LRZ)(WuyDg~`k3g(iFRdcB@eUVr6Nw6Oga$fw!-
z9ALVWxcnVu>JoUGdRBmLP6!~t+vvhzh{ugJ^Cp>T@TFj_)GM6f742Z*NjE$nzY^S2
zf}f7{#nE4deeztS*G!r6G%z8jeX&R3e{$x>5m?0~h2)FktMVH<yP6iPiL{4keIc2d
zhrP@LsnBad7<+#0E1CutewWx$uP1;IU_t{~s(RYqXmPxkZf0GK==wrv&WN*&gd%ym
z!VkMaUPwTy&6q7ze=4C)(aTq8cOaZDRwMW?_hS&xQnc($J_-ce9Ef|Io|MnDx_JVC
zW(nx{1=D5O6nB0@JXdn%@3Bm-D~89lczrI@T@fPb^QF*Ozp*)8N$^r}SO-w=v#?DN
z_HtXu_pF;U3em^?U-1}v9=VzvBKp1)N^lt<?q0%~$Ww1(e}ZCM^hEG0#0Zy@r!u_`
zEZ_7zua)@eEzmobKjy}O5z>Esd~fbxqTA}o$%B{nq_k4!B$4s)h|TsJ)RBN++8bHk
zcm5oAbGVW5+@-@w-o~KrsR0oM41RR|fTc;qK=>*m9{x;SQ#||htsOW~JaDycA8L_&
zbv7oOPcz%t2$5PGkcb%0SWG{G2yM11V_8x{Td1B0jzjz5M+Vn&Sbi>HK0PNUxoB?m
zv0~`}#Es|V9b;Eo<?Sc}I^o3BtT2P-+yJqQIK=h^QG0RrrBDNrczbiz$-5FJ#pcAn
z7AQ*PnFw-YYnMc$gH}|T8)0*iso^fnpgz8ewM7)vFKt^pQEkry!bB_|a2VBV;mD}n
zy*do{DQSz%R(kg*EZhQT1AXu`^&EZh<LaL=+{87i<pQi!@AZbyFfmViGQ8-=aRM54
zqP0RIGc}bL^zH7i{24Mm54*o)iXPvvO)Y;xl{|K?YQd`!yW?f<rxBr!MR&~r%l=d*
z45lrGvy0?!$IiOW4uwMVdVp1<<%@<X)%pjtNVukzZMEAodc}Ca9__LylFq0(|3tDU
z+pXGn-bbedtu(xzDXiEo6`$t+Zr^H3th}mcTU4Vbrnm@!C5*YRFMqGcx*d78I;wVw
z#pa4M<abXIC)yLUq~@D|^8?hoKbh&$Usd3O#83P8cM<(}xGRCz)`f13qcRWcZK4US
zTaHy9Ms?>zC;DB45~6fewl<7E-CAafbHcnMFK4g${zBka#=CA>f1hkdjXjo6qO`W;
zL9jiGydP^A&0~9qRK%VA6Nx!?c>M~WNQ)_agE_(ks3%Lk0zgGJ^P)vG3<MuR29W(t
z2^%Jx7!OB-Oa@dN2%6ICFcux_j^;U0Gb75-`63!&fYTd46B0<*(>uqP2WR~B>TS=M
zc$s#kRBu{8I*DIb&9L@sj(IGxR+r&Q#8%>pjeY3w&#KA6A$b2{Y~n8KWGO$g|7EP(
zQnX!f$E6#32y_qSe)?!>dpIfjLwb4q_gqz%1cYuSDKxa_m+;DQB%0x?)X%B9&MXS{
zkDv{upHF$T{@hX&p!Wn)9YJES7>4~B^r|wg+@m9@k-g6U{BQ(_9a&^hi2r3?{N;3E
zWMnjVb1RU!z=t)sBYQ~@GbQrX@lg~8-Id48J&x$`HNK-q2hZ&A;;brQiF(};e`|ZE
z1r?^*U7p21*;k0;hyOl%aVDqf2!PnSw~|yD>nj{IjX7Py(<i|pN-cE7^t1f1%0_0I
zm5L}ihZd9@b=MZND2&sNkGbroIcWoR$E}xz)tYK8{4D-k_p)uq3Me!e?Vwivd<%z$
z0&V|ogC;l#oqH@iqTeZOQ{XAa0aHS~*(2z>%hv8~)qAxiPYO#NWh{KjXfY*9vUwgW
zi^AVYX&>1dOyB)>0TguSX|dH0Pqr`tR3!|Kpt=U`!h1psxQiEO&Y{mU!1tEFyN$hl
z1`-qP`gnL0DJ8c*tGJQVKpDK8OU?G)<%ixA_}e=ASFZ~|zY|_XcYl8=c--@ysqm^0
z`BjwNjJVXx?_2LZM{)f8BnF2y^F^RP3O3z>h|v@)m3LQMvSXgHUy7e$z8WI7ZDjb+
z6x+ONk3?(+s+Lk@HCbhD$zLjgTxhcnGn5yXJnJ!F?rThLA(<cKc05q)0}8d(8xb<8
zMlJt11pty(a4KhN{M2j(@Tq)X%}U9Lw2FIg=xnZy_7OB`VNA*J#L3$#bR*>;D!r2n
zWH^K=F(Ns&|6FQlBKbK&HeYau;5GEK9+ZfX?hfxypFgnQlN{7>cAvPGyy-GLsanm!
z+tF0_$qaZGt1vjfpKRb>WGy#MhIR)})@)Yj)%txD5EM4emT1Z4M7CS=z!z3ay}H@<
zf0$St=k!I<I-`~`*jF+H)6-yUu;ehd{^)pnc!+%(xl>dOYhdf~iM3PJgOVAJ(-n5B
z!5eLJ4IbRUj|ZdKK9XPJ(*0_Rww{4$0;mKhgrz`WH;q9bIY3a51|utSF55F%Q_7fl
zaSmP|6MrXlusd=8OoC<-=T@5|As>&xv%%TasgvUVnXDAheXmP8$Lw4}g(X_RQ(0TQ
z(5vsNA)jJHa`f_(CPHB<B<9jKcWg;TJXeQ{FEtDEg%ord#+?9}G7c7%Qd*F{I7Tr}
z2;-zkSS%_`?*Zuw-@@PB1M*eG4CB&(`S%$U#>RIV<z8dw_{7aK@UGLwU8b8-3n!AP
zh~f4J!CZ;T-Xu5ZAsUh#6aB*YaHPjuSi5=8ZrA$cPdo?4!0?c7TzkEt4cj3e=(@kP
zLz+yO&QLMm4o-jc=SQa-acSB8(h|C%`gp@P*?dE*MS$-(0r%gS5~=gBBDHS8qrvzL
z3cd5|*U9$@CN^q*!h6`s=^Xo-eyaZD`EK3GRD{p2WO!@7F<jIcjd#OJlZmu(C+h8u
zTPiHpXKm+#ao5c4=XX+HEXi;wsyV_3h%k28=uG&bwdtPMl~=4$y-i;J&5$2Gc>6@E
z2!-$A26`YnR@L$*qP8n?z#ld3gB9K2tsx66!`^bW0$DfaMzhJ@|D(QqrHyCvhvV^u
zIy>JR&0Yt1be-M1Gp$||1Vfxw$YpTeKnmjUn!R~MH?WVcC*fDQu-w-3eZDcv<cA@z
z-v(OX6kmIh(E!8@=TWa~fW7mIg>0I;x&)=?`^a&VV-Zoe5J)$gO{hMm*B<X`BjJL5
z-!-{v8XkCTZBqB^UHBpV*Qv@SOkmL^JB31C39ht7Nd~}81_eLzmtKc5Tw!Oyrn?!*
zqf~h*LrMhdB#8m{y{{on-0<=%*f)h>XkI9=YFEtZirJZsYhC7@t{4`V!^9JRB5mbw
zJjj!u_Nmn+vbx1Q*YI7T*`T?uNw3jS>*k=HzNH;b#_Kz|K}v<fiEzZ8s8QWmffS=^
z!^yi<zpJzmn$}O^Ru5v%2JweQf?JPWeR7u3KTSY6$O-@gZunY3IgwIA9jDDa)9Nbh
zMJ$xxY&LPnl21oQf4^m7k`pC_Bo>i%L?|X9)x&yACFH!kn%`SmcEEOXpP;1?c3Zw`
zlNyPO=Yu7NarP+o4vk}ztG0K)c2eJS6%}NXb<yMqAbhPhZ^?p+3XjI0t<P!0#})=d
zl2P!?-lt#_`Oh@sj~7ATP+08MeP|X28*95|`ZR`j<~8yL?zyUFI%Hg0F|3x#KT$I}
zUijXcox$Y+8Q1oY^vW&P4FQT4M?_h)1d8(n32AZ28dJoaCDHfTDg0&T-`m{KCIH-Q
z*~S)}yu{tF=STJ6i?=PNu6T-ETs!xr9*{Oj4Tdtv?<?e0Zf@aG4LiSyU^A3*&-Poo
zX2aC7!(wgHiYHNPch*|+lPb;h`Gac9Kgl*?kQ7FMZOs`S1NGurukdm7!qxRju(6I#
z?Mh1RUPWsK<;U)<&7W-e48C0nLEZeJ5CF#!)<2Rl(Zyw{C5MMOtb;kR;-!Ay3&uOc
zn$8}LSI)MKc9V_fKBB{`pWIILSIfTjQnRgBXG*rZVq2<ctvY;?8na_lWgGOA8;HqW
zkucD!F~6$z%3S${jcqo|$~?He<$v`}=ExF6oC@47*CWj*vkKLJX(N$DMo7(ddAp;y
z*<G@mNdb^uYXwMBQ`$KDN(?A0xW66QMc0(D7Vi?t_oyR(3;ai;(jpNcAC_Y3<>k8c
zS@)2MS${Tg^)3I@<NVBhXIH`9B?`>0qiYJ*8aA+qh#z_bID2ULl7`Bt=#$9*cT7p_
zcCCz?pFhu|OF^bH^YPW|D$S!P@nUeaki*Jl_-8cZ&rZgpHUf`w3zqvcMa<L_U5ZbD
z&U#@Hiy}Atq(hdFmIUQp!2rv1M+y8~%&~FHJ%V1S_mKo5H3%UL(n|doYm~tSE<swH
znC5}r<NHp9AXcgv1G4s7YJ%na$0BcFyw*=t%eDw$Q|`OAoM`pB^Jd0lO(svTpD+)c
z#OBtL9G4yLj-|PN&*>r3NN!5;AmsKgkY~d@fAgl7*N+jhenWp_y)eOxqQ{zl_#v5k
z7ZpL{_%g_pWrC)h#4<uR(*3WFUUWbm0-Ak%XtYPo_PgyCMcm1QMQ9zvDb&xMnTKDR
zEk6*I=jIagk|0#*wFtf1=b6?w8@7Awc-QtWvOkBGe1{YB5(5_&;P&^G9o0F~je9WP
zs#*kJ#rvL|R@1L5S0Qq7BCcq9IesHRG<$-v^gO|>#pj8LpR&FE-CNdlxu$-3I3@Y3
zRxIyns=pcp^uH>ppR4!30G-fl4x}Z7+4X^f0RH;JuJTglDA9s|k5qr7@z(9dqot{=
zI3Ekk<PS6-#aHwh@}*%HtUXM<Ui5Y_`AX}O($eDlKS?#aUBR7iNoJ*;M$T<VPl11c
z-!<rSMBv&QheY#+B$D~X8kRB`f)^@P5UeoSjYh-x=GGr;UcUF#qM6LyP}Qzvtm<Qf
z|Ds}f#%VrZk=iRK(a?D!m+=7uZ+`bCHAYoQOiT;=ZOfvyU$HHI5-{lgJ6btB-~X9_
zCr*Ndj*Gy>Tz+83gNDFnK5QMC&e5r!Bx&6eMS0GN--luI)wTIvk6ssEFQ~G}X4or(
z=iQ~cd_rhB38mg)+CC>*PGZ157`aGtXmEM6cZVfC!G{hc+}(~?W2<<Mx+ZTmYLrlJ
z-~$z}bK|4^)}P#w1L|vJhssbT?U>sk@q3Tsj&LT16xiNeJ!Rqdj#fv{ADRsJS2K8P
z@wvd?&oqUjvjyt0)ESb0An*6xpP&1iTD|__WS*km!FzJ(J6$G2^MZj@n`57LzY$xX
z!Zm+c%i_@c>6_+ByEmMW)UZaiGNoo$0Y~p<=Qi3$Y_K(5xACSZa2S7U$gn~;gUjL1
zHGq=WbO*$9wC;@#74CN%_Rfy~tWfTPIfe9+q!^2%NU^3shXb_cbUMS!3t3D5@__M1
zah?S%kjH${i^*EQv3o9|B%bY?3=3?bRM<lXEU6-Nc0F!s2l1Rx{I+%BjIBKt)xTpt
z%}8;4CHC@^BvgS{xGVXrpc@l$l_4B1&`MU}FA~GGWyOtRuE)z}B7+}3-;WE`B!5*N
z^PBX3($!}j=2l=UBwaeq_NjCq<z07ikj?J_m9CDR$18#Umo2^m#~YF1z^?k&-&5vF
zWbS>}H_49Xx2iF?EHL)_Nl3asAy%91#WP84O~$O?FvkF7{3b=NXCIvG4!(p8{9K?P
zsXV)nT=Uyk>O^R();9*^j#to}(bGXHI~`BVp~?5y_0jRhY5hh0v8R=H3y5T;=x*ib
z)Vs1*+OnKwllqcYdsNyjvw}tbM4Nf61l=i#WsZf0xl{Cvm3B)AOy!Rz5B+x6w}lgw
zriT}YI`D+DcyY$DifB_<3mtrEc3eTjULk>Sn585t?Yp6f<;1>YXtG{bw4n!zB;(cn
zuvfl;MtZn1KXBX$V*@)#8SnNuZaOHyCDl~kQr(PNky0sMXCO7?f<lov9n|~91>&KX
zm9GcNldq3jY8ZdM&o;X-<U}n<T~;xt;_81M(`c5-0rxp5ddCOgz3k|z7q3F--(QrL
zO{Ju^EbKkY&Y3A-o_KG?e6IhxV{zRh<yMc+RES9YE?prX>fBRF)>kOn+PuqPdWL@!
zf9GoRQ0YBp)Qu`+Jl#zYULrNV9P4ZgpSf|AU2e~~`ywoZnH{^>4shE&mDv2X+9y0F
zKAa)C)mr-_cR8#^4lMVdS`;}}urt%8SPO}6<tjaPqB-)z9UCVLpNRLU4jj`D(MM88
zLlPNc20r~V!V6#3lTxEW@p%Mbs!pM_x{+kY+VA>#R1(?#n#ksH5)jl(jWAQ*+{73t
zRf*9}<UFJEKf7}4`?<lb=cLXYp3c6Vv@qVzmW>pt&X&uElCra-kH`q+3RrD^9bOkK
zKt<SiA}3qj9Znvvx3K`ji+aaYMYoq4%%zOOsjIjxgWkyl-rLqb9Oh1DD~#-_KkifC
zng_~1BDx^ujdv_+i|yV|=kBT=@CIn|KfyvH$o(MwQl5ja#WTr?=rhv)OJK0W4*uQg
zhVIfCKtVyu%6gyo@`q2tU4HHd4vgWU<*CkoX=!6#5GRytOWcwl4N$lY+n~uGE_H*?
zUfXx`7XIl5YXh7j86}Ctu<UmP8x6RL=_~iKa+Qye4oqva=^gRJrZ+amn6+Rtv8q8J
zRdGkL3A({KPbZ;@d)dz8&BnF@MJZLJlZVNyy=Yk`rEwQr_ojZusW^pUjZg+(%3P$9
z^s*W5qY?REip#m^AB#V?qgQM)u>|U1y_CyxwP2UFTY0~^gf*oNt=&%h$!>Zj(p#HZ
zZj`WhpK7dFbQv~us$oE995<#o(q)FgVS`d#*R2)>FA)WI==6c-=M8q0?6Xp_2S!&x
zzP(X$()2YbPvlNi<FzW)Nq1<HZ0;@Zq866hsu1vh04CZ<NO>>`F72PmuiA6q0Hx-0
z7Mh_%(oD4F+i?#}lMwI?zs)^n#WLP)6tZ)L+*cZR_NDD@KT`0cek3(Ksdr5;%bs{h
zwWj^l-H`_Ax&R8-`!*cEU&;TpO?}{?k9^4dGIlMTjztB6%_c8K<mt-uZj72G(-+LE
zs3aCICX*H7b$<xCChE@QcNyFWa8N{7v*c_a?#fQam`Wu{U%EoPfKel1;gLk<$Nj}`
zL8O0yn4WyXz0;@>AGo!T>#$stT{4NBIh}MY)g%oBbfZzT4nMVmMfsYAmMeVg<kPd{
z<GMylV{lE(7Xi^Ykf#sjM6<rS-q!ZPixqLpSWqZv=@1ckkj4NEQOrz=u=s9O?p$3V
zvO!lDS&p7>h=K+~YE7-kxOq{}vA7gEI|)fDe*2xJ%Y5mYwmT^K<Cuq)pMI9z-5`qx
z+zQ?0@!mPTd)(#tvaWv=o&I4t!8me|0x(;z0N&I4Z7fUWsgpEXS-`^F3Lrzm!65K7
ziz6x(%^f9Fyg9W0EHk?ju0L-Jue;ufbex}FBVP$_3ZNiK7Dd2xS6Dp~;gDsqy4>}!
z78uD)6ud(h`n70pfBkqDN^<3ETIM<uX?j8uW4cK1YI|R7LVCe+>Rb}g(pQLn+@-|*
z=zdo={`s~0btFp2$cR9vQJ0)<onb0hDVL9kiV6zT{UrRI0Wh92=KDuw!z9timNF3J
zV00H3f}+!|Od|%Yi62#XD2~_{noA&m0rhz6!sf(ug6@&`gVv)IE2i8Pb$LmGe=>Qe
zSB^gES8Sh2a=RfUcU%J-OHp)QbG3!HSEEFxaKkC4Q>?W7S;C{lkARsb7LHlwd4dy_
zqu{>X^;L$gExI97ryT1tlRluiquxzL%R=Dq&Nmts9zP0oZ#t&w2pTC+X2-pU3`?62
zWR4U)p-4B;jCpqmi5vo@8^n<Vx!3@MS;x#v^L|AV!t%~u+`nCm4t93H32~zTCDs0t
zgfM~5!6TwJs2Eemo?BX;@db(*^r%ah&6&j<^w4UcNQWs5mUxaMtB*e#Sl`)y?fM8r
zLHqxje@#M8T8s7l*fnpcqxYNvZAnX0H11KZziU1C#6aQm@#(t0-6rs;^!6SlGaQWz
zPC=OfJck>!qQSN)M~=FrlV&d12{6M}>#(6Ei{FcLps1J4>Ft{A9ND?glHvC05WH+^
z{C-W~x4i3q-1mS0BDJ!uB^cwR?W)k5UY;vE4!j$9KiuD!jJ)S9FQOifZi?AsQ0L|-
zF;x(Wfc~TbByqBrwo;%?Ofr=RR1KKw=0?lQhJ7RCS8@T2to@@p3TzN3q9DT|lzl<6
zU{LBL{vr1EHfM<;bvc(UsJWAM%puUdqK6aS@ud&h-b6;KmwI`;LPQN6Pte^sVPODE
zYQV#+6BUkx8e6UKgZE*wXS5Cp+wNZ!mCfwI=|Ic_%$qR-DF`XRH{dbqC3p9dnNHT8
zld9wxOHF+&JP7Ztmce8wdSVFG9e|HA9Q{OM_P?_aHlA?@h25J%n*wv_SEJgWBJlni
ze+Um!SyiKf|D}-y2X44@m@6~dypRyrM?jP@!DO>yEVRATCH@%{euyx(Z7A=g5NjYJ
zaYx72LQYB9;LCjS<*#7z)xT6nzEVMl^>T-0cpU$?5b7}^pwZ&n3j$8qlsW~g{VWXn
zTU6`9da);8%s@M&Mjs@hg7CXD9_qP~kFTekY_GiF`t@5&hU`PT*^Yl?&CDS9T@_k^
zS_A;L<#Ko%(ZcvK5OtsZB%~nW+btd7Q`s91yuIR)_|pOLb~-LzroU?bX!jZWE+HW;
z@aBEs8VZ<Rw{Gqencc<srOlShVgm*cTquqXcNr2aNKWvSX#apa|C3m)0}6A|p_L!^
zI;i`~%Y>#=))iqWt)|Yo7ZHJ9D9!*w&R$_6k}zLkGLPZ_n-+*hRHsos<cI+>a~TL7
zWO#JA7j7Z`S17w(D5tMtu=emT{Mpk>`l&@Pe-IM*_jTT#E8P*Ff$r@8PvPca2u-<2
zaJ<lk`7*<W84YlMG*eX}TCTg?Ksr}j=)b#+8}Is;8t#%T5CxjdxPQu&iNqMvr^5#o
z{B*3KSI+*)_)XF_`-a}n;|v=`e4VnZ1DTJ9eK_qTx$fhvWu{r|JC)!<nB8lAV6}p%
z(k5*{sp_8FhhhwPBg+sxPQVF6Oz&XeuVc`Z+ZgFkTD}SE7{UjzkH<H~&bb!4i*cD)
z@(E}w9nGM9SYCty7$?zH3g^y5$sHM?i7`m8`E@E$tfs^e0;$ddFl!i&F_bxc2EJ7+
zm`VmMql6jak7)iV)X>{UrHRm8Q6wV}m0ByE2`@XeF>tRr?x?b}#z?_0o)5_$PZWcx
zhA|SEDo0GmYVAXJ(+9|}BpQZ(6(HEjRLA4RT0t@?B>i|kqwjUzD|eqhtyY)d!71BY
zZ;!o6pjgTcO1V-Qxf>#Rh1qwH;17IFI`?BN634GVCu7E=8K{L~$o+qGa)Ax91%n!j
z53pR|ZOc$jg*ZS$?3u#M!P{B#AF~N_pjRX`$xiX^VT58^7-n!l=0Dz)y3XE-c?AOQ
zdkudC?Wv1gZ8wn$$3F@MlK=sllTek~(DBNfo=T!M2s*@{G#VVL)mU%>W9?4Qw`zbA
z3z-_S-6FNtOx4<Fs36{4WQi|-16?T+Lb>*13Xq{#l6DSjWoYVT2#ewxWmmUTrL;io
z9tJRH${=nr|3{eX(Df3sEqOL;0TdWg@IGF#8y(paC8!o6;+)pkr<rb;1Z>N#P)+GR
z(LEH6VdFBvY<BGjPt0?4Uys+<LWC}e)qA*{sHoJUu;>r7eb9X|4A@0#h~DaHVNq4y
zzYb~o!2yPZrix_{)4htSh|a^$cj;8`*)%bKxDq<PW+oqeD^Z@A7&+#Q6fwR>@8ox(
z@1GV+f=xgH5$YZp8wm?HAhHhm8lCoxQ)G-n1s1A|qP`D<xlp47-EHp-C^hXB#Qfy$
zLKvmWWPLtcR;nv%XhPrLjT)8H*;^iAX-!BY5gX`1b-)H^Lns>g5UE-ezWb&VaL^!@
zqVZqJ<G;x^DY*hsV9DY{qA~zdR3{NqvO;80B1t)kq2rOGNum9-BUlThk2u5;crmTV
z3A+pR;d2`pC?fLe5DOpZvmN^AZ`adYRsjfh+QgFfAwmpbU??(@h83!f#D`rxI0w3;
zydiT9nQWOE_jjPxo2Ve}0{*gi94N)v8p(r1BeYMBs~R)W8Pq9zAIpzh0p-bAb5)~G
zC%RyH*&mQaD(G1A<rKoq3`UYqgdRo{j;^))Vt+SwuH=7=2AO|G4q$y=D4UvE-$*v9
zKbh<LFFgDx<kE6_IJb()??%#SbWKXQbub;oSyg1+Wf;B}PN+h0u7dN9!y6oLOjm{x
zAQk83gSm2Z5S`X3aZSgZ${8A|JtCDr4sh7?BN!{eQmxj(47A4P&%Z&n{&5m6-i^`f
z@j4LQ5Cc_}Ir(WjfGbcF<}K+di^m3~^PwMvt%Gti$+Nd(G9qLsNu(=<raUI6+37{a
z|K=i458J;0tw3CD&ghD!15Cv_p(>NP|3iv((<7FG9m<?qr=IkA8`j#k_dZ0IC<B@!
zr1^JU2w6BXJZblCJ#y6<a?eHOKZWqYvITX2grU`qTc9H2BZsTibV>>Qitl^snVghg
zw*Js?kkZjWVj81fzh+&yI?*Pt!$>nO&~Z2wML!g$*K8|RLv(ephD+O%=aPI2UR@fB
zWWjXY$qEGf*5*o_nVTF3)N$WE8D+U%S!+Z#aUR0mSQ9j2EWGLs#F}rwIixoT1tIj4
z0PW?rjV#N#7nPF-9R(&!%)X}n^!TwOuUf4^IPF%YunP;kEr{L}bml{;p^&F$qYeYx
zJO0o+<~73M*K_}7m)$g27xtmp0l8ac0of;l8sF{U6J)eiBiyD9e=~bMg|-ElraLCD
z!T`~Kr{)cs9)6H`Ihcp?em05u^ySfRu@7GMn$sPzJ6w2%&1ka(C&<2L(to}qRCQQ^
z8pwv6;~n)K`-4B3#n#&nkIUq>8n20-C*<NTasbn(*=-Kb-Sfb8cpfD*O|Lgo!wYmR
z#9W&m51t!}!eVu9ZTC>j!C`oNdgTr2x&c?u8}F~{_C=Pw6p~vF-MN7ve!33lI==tf
z!+5b_Qrj`>XTNed!#~m!UC23ZVs@-cZeJHZF6F*?Rpw{{+8FfZ^8Q1c{6+TgU`X!+
zd{hfy&zOQc_C_x+01!A)O@<8SQ8Gq=o8D~W4BpjB<RFo^LLwG$?`jS2uDLgcb+h|F
zqnb{PpiMT*A{);76}lbdS)r}l@p{7vV(R#&ok9=*<`N)qce)3$Z&Uy*mim>1O#+d@
z!NLRbrPv}ECxX`#ROQG{*kcf!w!ni{YV?ny@(^AXF>3PXYCtq}<VxoS5y`wPfO#dz
z9Hs@(sEA%MBBeG<VK8*$|4YPJ7jH=s<^Zi&O&W-!U5bJO-a&Ne3`ecu3l=E-J*kn^
zQo9PJb7Q2kw?=s58$u|&P^|S|#Xhw-7tCbE7PlW2BTZy<!%^&PXChMSfSuO|<MBUL
zmWnMHx;fP&fIvVAUK`=;TMB?Om){ji#qS-r12Mm^iIxtUM;egB6YG#>E8!zcn`XC#
zfJ(ORLX1hkL=4;I_;Bw??R>%IdJpBN=?%s-Td&!A$!Y3ZSWCq3x0zRW+E{;Ni<V^N
zJ6v0$SZ82iIT}idI0>%~RQMki@~!S*(&t{JgWu5gRQ-930H<m-M0$qhrsgKV8qyU{
z65%K-;xseH8KA#8#;L}yfP8&_7;a}BE;-D_JbQZgAB+8`Cd-??BRDf~!K;g6UY4+y
zyT$cqu6W{b#KdB{_u2c$9ERV>5p57PlD;dmxNJ*jI@2ysD9*m=QbjAsy5Z0Q&Lg7z
z=U^$1e?r+yt22oQ1Hwk6TtPx7OOPlROq|9bN|D(u4a+{nq>bCqdPL@^wyW<`I~8y^
ztb^O-D3NIYnv%3cSD|r$0feE1cFZ?X`<wcK+3Q}G>j-+>MU7bb+)SAb$O^t5p3i&1
z9Qi`EUg(LrsnN1o9hh?INu(;cR$LKtrhU>jiWQQb%xk(y&dy?9W{I1c;%69tqZwF5
zN|Gqam&nMeG1;u<m|yrj?^zqX7W*+7V)_Hev9XrBaS#aCBY(Tnb#YYiWBy0}`UgUI
zBo5?hH~vusyHCDYWk}f8_||U!C0@`i+RoET`qLweg7hU353e_v5;}Wfo5=y~WUtgm
zp0rk<lpv->yA)SSYITa;Ew+u86rLt{|CS2N?w}ttK}!mpE0FPF9=@hEKt`3|jVc)l
z#^UnDW*$Y^8;{=-<{*qxD_RzjU}76<^AaX!-c3L<9G5gk#SUR~9A_em`ejq9iI$nf
z*<jcQD*JgvizZJ3RXLe7XiNMU*;xqlq==i9JVFi#fotr8!`CWMyu_D%zl5w7z?Se$
zuoUslxF`P&j~nw5OKmb&?Wx&(fdy)_JbX&E7qXdbAj%tEB&NOmR{`@EIUfdwm{@cY
z?T?zFJm9k{eC5*%QF_quN1Y*)-<B(q7p&HuZc9xO-}Qe&Q2%;&VF7z=cXZQ&rYg@?
z7j7w!cj7=IfhQGpTspnZXgEre@u(C!aV%{`<TQ#%r{%hHXS^kE{61V#uVVWHMXRkj
ze}o-pTi&+beYLc_t~-HU;Vt%fTG}-i(C<S($Y2v_Y5#bpRTHk01qNG7+B5B!ifD<`
zUc3H~h<>1(X>voFfd0v7RbzDblT!9_35<b%7Q2H4RjFPV%9uV(#->OfhFm(^+1S`$
zIs(!SL})_nyzvU{mna{4Th|~^cjzZ8pZNV*+`N^x?igF4wWa5nC~Ek33I@z6A5xs8
z!P#O@RNWeBEvpgJA?pz_(>JccBe&jc5ijC_-`G?TG?nT|cf7Ef(UzvEw0vXfwILL*
zKSBk5Ez|B}-|R6e%yv*dw8;$2n%rzDE!X{;U(&Z-Tc%otDKmD$AQlD>DQM59khkRz
z!ml5lNrqJq9y@S)vSppDa5ZpXV*j6)YN=4c7jXuS%k!AuD+rVEvbvpzwOPuB(ftX!
zbRiID8%uzT5Uz5VI-gYV<=7NT9N$brgTS@QQRG@`Du<Gt5;cwa5evUxMoM2DdacYY
zc5fnHLyjrmPZly5!ZIwsD=W=|MW5GSU%@)k#aA$UQc!Hml&Mi`yjhm~brxk~`%;E2
zE6yiB2p|SXNYJx8(;75`!jHucWt)WUvQ;wBlJRE~$T`XW9vK}a#>BjBL9T>+-Y~Uc
z17JY6;K4dKX?s<FCo2d{qg9!c0%JP0#N=aF3RsjiHvK)8n2i&^+@lkRJ$>I_{iq)n
z_z)@hTV}Zy*lm(dq|C4uJu7K)TJ7<}l5j2K_dunBM2i&5&1%l#ldY`6#Ot*gmQ;dc
zk$K~h#qN=BhvWXNcE(G;%G~-K>bxTvaWE~fB{NzNAp0;gvnut_?A0VJY$-9XDv{Q5
zaAnSi>Z(2wjDcm6fmB1{jS}(p$Ay?4pR=VMhPF<sG<rllI30JBxXGATaoH1KiW#;0
z*^J)Y9xA=s;@oEM^S@QH{|6<y!~|`q3?@%mc?3#h9`qZR*fn~2_`4D=R0;|S|HK+m
zE8Ti!aSGFQF6-gK_|C&RZg6#*8-8=}bx<PyGX%Y|Bl&$0n7W&v;8D031?$D7OSu^V
zG!D_XAyN`2=4;N1ok`M3sGF-0zZ6M*+i=|JHyex$C<7=)H23pK$YYCIFIC47!7O;u
zQROu}mdIc`<WTyBTRPm~6~Qt7-je;P_m`XW@0IjkmSqpYR85VtwSH^{?ALD8M?=E`
z>#w$RF;g;;N#N=v?vJYQ{(;bH*%}}*JFyH*KsI75JDM~_YimSGE%-FdI6gcyKKbeJ
zhQPO`s+9D>h?NYm!DQH!z;y@RE?%V;b9ByZ7pFH}IA|jI!G6Jd6G}4%C#Gz;nKP=5
zdR59p==w%wX}sJij0BBAL*%<fn41s`qE##^LtCc{bhMGhOjVpx2`F{{XX+$*`@W1T
zj)W1C;tYm9&HDoz$0+_d{p6#5;Twa?-<r@LbJO}lBGLkONJWcwXjI$u&;nm1927i!
zsP?b!*rgVYMUwTO|0DI~sf&gMmcot@D;_*JDEc)AT5?a)h)kMMGLlyMd~ZZj5o!6N
zW3+u=4h4Qm-dAmv%s9QZgEN_usQkWO=;3t5>mH7LDuaTr){!J}pB~*wi2=QkTG0#F
z&ffmRghoqvU%A~_$}u6xECbn-9wia*BzabdZ)zfRF)|k_3Yr-7c>Yr|2mRHGuP82)
zmRZuGVAyRj2rN1$hzW0aeioJt-Ad3X!bm)hwL1g1tws?^t(YHmSiWptewHGZc$4#?
z#_pF9xlOw5_eeUisEpv8-TM8q(rriQq~FWU2*@$1VEN~?FhySL>}jTj!d4CdAjHUI
zvr8SKdPeH8Yzfv>8Bt4flXfC$Gf?}u+|ru`ymfLZOHiE0R7mtBoX<yzjT0$_0!j{-
zLmZtDo&7vMIB_+d>?r%`$%CrGNlKt(E_%%Wzj2)Z#kM0df;cs<0)gPf#Ke#9)R&T!
z^|kU+OCU!hI3|Y;vB#^O{BGeAByYMYu0nj?lWv_nog8KzOxv%iIwi1fPQ?BiGI^AV
z0^*6o;Gp3ZMyNQqXBZm=&B76ss>f|4deUcOwR^4ePCT{3J2xj%D7GOLPV>s^83^#V
z;27aYgNLzsEf<Zj0EE~Nv+l2X&+BPk1<lS4C}Sn(!ubrF5iPIo{Y46=if%*=%!xX6
z4p;U*-97?~RH-ew10`2ilaM=tj{d0of0+J*pZwqfb>H_=vCJw#fYyL&iq2YBxc5|t
zOrZ)}chTJlJ&Q)?Zs2Y^BateUx(W6c3D|^1OCMYu!2jSU*hc`<m6;aC0RE^?vUJYv
zRqmJKr>x;1(<R_A`G5Gee;SNyM2-fnn`l|JbshzV<q$AM)NOJ57ij$vbQn-t9P4&6
zNy4bRkdJWz7hOc_i8Tq{@v4AmEO~gJD}7Xg%>SoB^3QYFhkng#5=7f;ck0R?`z0HD
z#(NBAn??$3edIlc-FyBYYS3O0nQa456W-rvhoS%ZD*heyZEjH76y5NU{Qr~x{;%aQ
zMh$`?J$6bneP;fj5Bbk+)sTLneLp0hp#R7EOtzpJ<%?ge?!N8(r+fT=UHbpe8(4<`
zsRF_UPkoF2%Z{_bq4tXr=bmvZJh>%9ju9*N5uPd!>faROH`<izj(-85|8@6fIRU_u
zf#>;h$6Hg*{*%XrpYxpPe$uP_o^N3EgXF|yhgf+8s{-k5|Jw`T4v!?+*+KGbaB5QX
z?U6piL9@6OU;TXbHw3O5KApYAPhN|u?l36^{?JA5V(HSJxpULcIft9KwJqUCK^R5R
z{%T;@fxq$As7z^O=&SKRQCL?29rNbqM*J_6j(`8f9H*fz=k^$%n>3JRFi54b3+Ams
zN>OuiRT)oyS1cTf$$A%Y(+?R0Et$6O_;A?jMx~bX-FU<!II67IX(!@)+3G&P_VaaY
z*CWUkQa7}y5@f|jbRk9lmi7JVsxc>DO-|=_wGy;y=S|YP=!R1x6$dP}T*VNEuJ@mb
z63dPe6Yz@~`z|1s9Tv}PIe+y0FLpWVi~E$S*L;%tZ?R9o2etQ0z1iC(WBd{cYr5Qg
zJe6-RzhHOrmqE$`VmLdzh$tSup*e%+ELek@gl-y!BqysB+Pq?JW&{~=lj-7%qI`j$
z!GEZmXf{){VmZnt!qj&VhEY`-XTKFMN*l*wT}?#`7ltSw0DhPfap1Kn!<#vwHfR^j
z<8JSt`-sfj?9iK(wNa&3zWvRHgV=@Stg<sf<JgONf|AXCVC#OPp*5gPL{=$PhNj4h
zR%_isqG5wp1*Ym?57g%ZO+#jbgx{et0nxG`O=F2}`ZU@dj^C9l78KD)SF!H7HLbd>
z)%xD{?GG3)(tkKUAh_XWHUAn^LIh`0ro!7q60^P$`R8TyzDpKlknX>8%H^S=QsRQa
z;lNjOw5hnupzSkPe4V@gq}KRXsJ|>Th@c{(e>fQQ@P1jR6ASfiOn%?o+<XpjKJM2L
z(wLUus2+U#{z=452A}7L&ggvKc)U>Ata`Pdcfpx=5SlI_fRIU#PlNFm)%1xcoHhhX
zc-kYjOpL{ItTbv()?=bs=l#mP@3A;EGRz~Kj}s4m=Qr>mLQz1x)3?O|wgC|@{wa}t
z1dE9wNACCLg(J*;FYzf)XJ_J|8|tYOXL#MJG1D&ojn85z%Cpf?ULW7#-Uh5qI&d5l
zVJCV+V8>JyuHaTMJy5~eG#{Z(hUo~=b`Y_LUR2c?qVs#@?uo^4p$hEUYBOzSIN-?e
z348bE==QJTEBnxW=2icER%ojK)Id^?yRZzu1iZG};N5h*m?vRN5ZRo%^u3X6<}H=+
zoHL`#nD>__RNpnUgU~P48CjRQr$?@pk7@dnBTL1f`Zm0G=PVT}Q$t(UBZE-_N5-S=
zdNZ?F@H+1Otw(un_Hayw6VT57t7yTM=s9&x1LA<Atl8gsSYh{<0r=w>#z&EjGZ|=5
zXDl!ZvFBu39~rDxn$OGmE1ryaKmTYcw!ajA)=|v%$jC@Rjm7lDZ23KdLz2)7iS24i
zI#Q}K!v<;J57NAA8=kF}QZ9EQ_G>RDF5&r_Gx)uD^2-~<g*Qg?th(YvY7G6QR`*H7
zxhDMA`tTJG2u*rD2j4kKkptDbaawu)iy84@fqU;7r0l$=!yQ?Qnz8*7JA2v0p;&Kr
z)&QNNG5PQON=9K=FR4$Y-jLx)D=a%(R=(YFb!2#boOrDJ2Xp*rYUu1sTpCJ)S*%`%
zOOLl6K6!G$6d01E7k#vytW|Y0A;VDQ76BPYxDFdE1Uq*ZjYflTxe->aSOrL-{jlQh
zHXsa4H}HYzyL84|Z^0CAkacAJNJv&2FRgH_?mCR#1f)>@60g?mz`Db@2yy?F21vON
zqoM$pIhqnH6(XDgcEQw)0E@P|g=+Oh7_D6~@zxr^^1JT1-+VrWd)yWspGUZP-`9C6
zRu7<K&eot_muP!KFo%tn-byVED4^062nLpA*!zDu^TC~MVfzIx?$odv?Py$Wj|(Vl
zpFlGdSEfTWcISrPX)s@}wGj5}snuz=^?z?VT^i1F8Le2XW1{xxAnnzPvkirj+Bv(a
zqQWl@g9|L@0%`2d4|U)Bp~?En*Gd`lWb&f(wAHWTahRH}1f<cxA!Q~<?eTl%Uk|BG
z5gC<^=ywqC4=q@wV{*G!RJJ5xdQJZ{`twGp*rCJ&NBEbO9&a;-q1^A=R+Ji3r;DBD
z$q#4&Ka4;&odS)E+m$wR0`eXK=v12;p=3q$?(7HlCH;iG<WYwKx>r#CEMD|>X?&);
zwo_B^;=Y>6GsUfrpMVrV?po|oJ~ph`fg2XPEr8jCp>J0#O(L}XgwbU4Ul9GeKbR(E
z+owKio)R``LT*L?kTiVz^pA?GySVzXXdQqOZsE9JK*#a#h!EV%1)}Q3%um3EBkuoB
z&!Ny?8!<AO5GDt?p}|7@5??xN@Pgs%$Ozeqln@lMHW$v>S|m2(;@twG=w$x)m%@fx
zntrc)`t|$)(jAmyl1Ee}W98i)je3lihbveEOmMIJlOshI2bG<ey2HtOiyi$EOS<c+
zSmCE<ELY1%sE4cd@9&LWiOAkKN6w2_t2Jz<>dscgEs5sw@xWyj{iMU?E*F&?foD#7
zQGKvgHJ}0PM~F+V{*%*CI8rkaA9qVHux6v)=+*7(sCxEo#8>npUcq8Qc-o72PPAc9
z-ehXG3+sJKwv)NK@m^QWU^|lIXj^bW#-qAyLmCnwz0hB<8E>=`_WfAEgOlK<p{+QF
zBeT%)ap2X!KUzLs(S+LX5YYL0=d_=M8^^^2+C#q)&vfM*4lTkh{YvAV&9r~9<;3X4
zOYqCyhV-I9z!~K?T3)xuSuw+Gl~%>Q>l+Y?mMbar)0g9WApwkLM{{rHfH#uoC7hse
z<X8tU|MR7UH|Ft59m&Ik7se5NX+dHw97R0-zznoNq0QNlYB^IL&u>TpagX91(!st2
zX<@WBrbL@$%JEO#0N3;(&FArW$}bD$BGQX51G#^yPRNjNuw;lMu)ujA4`{q6r?ju5
z@btM~7*1bKmoIaNrbe$6$x2Qa;*`011o{D;%>NGjlLJ(O;_m)VAVjS7L40``tPdeL
zaG&xPpS)o+1Rg(v4U)pBchC36qi1+F94y|viTa?W%WuHE?^d)2WQFI%<lgHI^yT3!
z+RxXkP`$M1hGFErM1=?I$iDxk!d11q;rnv+!Oino@bwZ;qa(R~bk4hXp&NqmU6xQC
z4l3nR6wWW3rSTqOVioRWwFm~F9`aU>cu5HvDHSk4Vapp4Lps!!%!rJf3pFZ4)v6N1
zITpTR4LbfH60kd3eQzT<JL=^64%6xF#ZoFy4x2b=GBPnHbgpK7M3fTo;uU2=Li^+1
zl=ypt6S7!|-osr*SQxrb$?$HxzatXRmAEfhH+K;0CpUOpwN9A(0Ee{67t$dnuHI}H
zLn0g*N*mPK*`?T_4Z>p31j`#VMw%ds@>4Me#ob*4rJK^SmeMrQ#q~<vcI^iiP8asj
zx~sEyQ8vdy`ot*Y=9i#|QcTF=94wRzw!FxAXJ0!mrwmWo@~{h%p1ia``iv1n3Q+fj
z+k8bXRq!V)8HO_O1UJA(?;wE+FBU+kD$46X?&uD!yV;c-w4B<_S6L@7)$K^2Wm><h
z({{R{2ln`1H6S7%2o2YMt71;Pp~BHyQ&jYAKLU5N-YzJ2tDE;*y$7~>jc(}Tc)H0%
zkpR<atOBEx=wtR!WyPWq(uejcR+V~9@2#4@;V5B`;ckipW3_jc@Kzc~Do#;zIUMrv
z!`|DUU?{5<jLGaDLSp3(b^gor`^vnrGZ^tCD{2TfW#||vusL19w@36~u+c!H2iB7@
zq0I`#Zag?Z)X1^7>wd_xVqqK|L{unfE<^}KFB2`*-*1_XD1nPK#3SKgq^FI#ZJ&+q
z7y)v6c36JN&9m*erF81+KNxi(2cDg<n8V<+2ZmDMA!1_tAaE}S!oIw97|<wxFUaW4
zv3~d;m7%QmCm3&V&9JvQ?~lqkPkZy9L`>so77Mlc*d%p|M|&6+d5P6@Cup_KFxChc
zzN`o^X)Qt7aUM3$LMP*{7Wn;v{3YcqA2czB|8V>E>bT^ttf~1pvDsCv|AHL3!bD#E
z@>ga;yBXG@`7&a4u~MWma_~XVViYC(#ayml6#~9*gi65VIG08-tH|+xG53~HbuHW0
zXo9;t!C~R<?(WXQ-Q6X)yE_DTcXyZI?(Pr>1PDRi+WYKtzH{GqTYG=sui2K&*{Wt$
zjp}1mAEVPtgw*+;QJ7LS5>v6wKA-`9-VVY#g4J<;#v0d=9LS}QjtSCjnjQTRq1GrE
z79+Yqw9%AUw8p%}hP;7;kDo!8mE$%LD;$ig_<)@G8k5s63Tw&23ePai|FA~6J|HlN
zfU&+K1cde6hv53G5P-f15fvSvoM9)ZZ^r_y_<;LL_=12Fvs)HBQfQEFDD}kQ*pxAh
zt)5)ufr~)+MgoOE5cgw;D2_Y2t<WVKO6g?w%}9QQ&h0{D@LkWwND5(SvuISv{xWJb
zw#xWV+Ht)?ln6fD=%j)Xu60J?{q3d_vzcgVHP^~9ll9VBVJEpQx(*y|vp7v#uvnSo
zFA2Llg{n$qenyXQ;A8%@2)DgN$EG;>XH52AhTCbASB6FG`6u|-%=O~OTdMEJ4smlo
z86_jf8;6S(M|KEw=BsBVGx)6n93`C3sJ{xj#1b#mBg$yMHZ!V%gNOYJO%EoRR4a$j
zksct-ra+g>gs=z-rY1$mrCb{IcLK{1azbSSh3I}jnkLFfOAj=fO(jU*V=&_iF&U+{
z=+)`-H-n12w1?fxteV`p-P^vIl15flq5FNg6O8ffg6#DxqxFS7DxZK@nNbi<T(pBM
zd0W>$uy6sRi0*e$H~S!qa+v5OeYX7jy?g$KSd(XNa`midf{z)*BA4ST_z*F|!n@LS
zhxT;-VQ;(c2IF)Tg-V1UJ)NQ!k@IDI`FKEkoz=zX<l4vMJy!1sEGZ)+WDUoeS6Y2w
zVuxea4Dew~8zrp*?lDUsDOXCi^K~f4sl;t+G@{)R&WM_rq(o+C|D^YrACs`2Ije@#
zcCN(4Bjk&2prSd0grz6OP3ZP$+VZ6%36}yFhlgz%d;5#}&?e%P;Yv#U-P6wD(yo?n
zpC{bq%4;Zsov>fNj|uDo`VW(*9q@>_9^@8B1ZG;|ekQ_dg9jo8Q|`qI;ZJ_AS7f%^
z{$LHm3tOY!rWelrI<7QNy3z7#iUS;LF5dK+BN19~C4+<>L3IcAu3tog84scrdnr7K
z=z%F2BMBM2=@Z8i!R5D`?XGu8h9s`%8pV6wLmR02f-69pTpo7ut7E+kJ{QPAQezb7
z-x!a1y%`?Wjwl}^pcSJi7tr&>ndG)J5DX0u^yYIi`*0RfQAtX`^IIsE#u4=61IT3r
z*l%}|fOO&wX6U%PqUQ_6#NN}i$&1ZE%4@i&Ps!hj`X36;&(EX8i4cQpMB-3c(}~I1
za_HpSrS&H|VxFb+Ap!^6L=^MzPsJb7+Xi4$=)j<I)|zlDR^HF%3TI^TwI#k%ai|iH
zbLjc>FOuxO?U%SkaO$$a&TVPg+sNLaBkP-x(o$btUz0SnhoeVUTQN_kZAnaDgsasC
z1S`-);DLlWZV$WF6V`YVmV>ZZpdIAiZP{{4AXCv$kKiZ}oLzhxI2jFhD$na(ltdI8
z_^!5T_oA77l~Yh<GV#7sDP6IwaazUytUdA6{mh<SC=mdyvb`g;tnxT$Gpsw98fW@O
zGST;8YES8Wk)6VFR=<#cY51B@GPD&M?f7*Q4$a4vNxRGVqFG|lFH#p4+St%alB7}D
z@O6pEC`$lwvGl7Db?ULm+*-f&_xV~$#eKdhgKzK4%-tsP)fvAaS7x62k8t7lM6mE$
ztFy5%b)+%tTU=184Ylymdy6^zo(XsTIH>DlS=hA;^=1jvmf_>qJKV2yqe)Y#NnDg!
zitt>FOepW9sVOuG8$k5Y*wItgQzOT|CQ~;uiMJE_IWcEk3ApJh&5?ckSAHCIE3S4Q
zM%xH8<7qvynU(!}U|)e`a--5351J0^*hNj4@u(@m$=e-1l$`;BUK-plpIFiR7djL=
z#+*--w`>rFMMX|$b0lh28i;pycR^YU-CizhYkWTarhv(;L%{J<48KJhxvem#hjKc<
z#aQJscSG!%BOr+dK7DI;{uNLEL$a`+@W-jIxxl4k2KQk=TNViqGv*lMu233Hwo2If
zoy4}a7WZ%df|rVDPUGJz;3-qRIP6&#*Pc!}d0i=knzzxxCnn1S8U`zh_~93ydyizN
z2S@q+j2x`Z1=11{J{cJ7roWtgTg}H(x!LyZKkb;48fRO{vOgNeT1`*f(eZY!@ls=+
zgWiY;rrg))9V|i`dTYlSE-oi>{LHdoXP+6MQlBnx>7yPGUS?0cID_k;`RHXT`0Z4|
z%^FTaA3-!bD^+RZZXo;Pbe*BDD+Gnf+~^`94aVg>grZ5n=i$#UZY1u9GqeZX5A>7j
z&3MkqPX4hp&*cw0u#|0ylEO6%mT|gXaL{29i@J3d#->V4Vh)fWl2pB-k*dCo-j?dN
zTq9TfCs-s}(3z1KkMCpU5+2E?isWc~4CF|?0*&ONur(-W4yQ7Am5CSfY^=SQ2YVMc
zkMLnqzcKJSMBltB78XNs;VH8eFs`<8^>ZdA^DjEi;HYpw1=9)^BZ`*LC4gr61a28(
zZ1R@9v#f?UoC@n1Z(^_L^_MSJ1+%ZYMugdzvES)njtCvzZA1><{tUiFq{d>*%qR?#
zwdF#`n+B@>7^55{ZwyS1hOdsXHa!;$`jk|aiX){pIk~dP5jx`01PgojRA5s26mMBn
z?gHFxqMoZJh#lDqi}b8t)iO3$&{LalUtCzOCux}aK9UGfV8bOfI$JwnyghF;tX^x!
zIOe|!l}^@A4ssIp7A9DNj}{<OScPw(h*N=&t86wcHa8cQ8}Q4`B_LYU41n>U1evpV
z;(jqSb8(e21p)|2$o+*9SuU@i<dbRi(WUa)Nm7~j+)oiage}p_eV%v5!nfm?;%j`7
zBa}wW(pnR_yg+-CP2d-Fe}8|3FI)-yz7#SV8dwJh2YV+cX_SwA@?$^yFu$GHM!Uou
z<pCRvaYIy1Z^0>NhN60_aV*I)uPV-?Z=BEg$xEv0pSIZdqsI=GP9GB>)7a;ur}eb}
zi%pDtv~VKkcd@E+cG2UK>TpGl!spQy3i^nY35xxe*daTc90MbnUnAGOQF_{LY77GG
z3}!K2Yh4_wf6jU~O6nkg8wrw~a3yF$-p~c<@(T8yMs0j^SJVIw6v<mx@A{(xOQyQj
z3dkuK2>oxkkR6Bw8B#F5#>%X@0Ek&^T)k#!oRo)5&_A{EFiZd;+xR5v76Yv6STaXU
zrRc`itZed|0BxVAg4a!w1A9+h$=fHR;`|Ngglkw~IPt}MG-G+_*;2sN?AP@JIUZb_
zj0@HEKRUM??Dbfmq1v&y2EQarN$z&AaLm(bNolFu{0a)~A3CvzRNSBan1UD|6a{gA
zA)}<Gt0m#SQYz7CmyB@0$~WHE2}RlLpNR-U($E}K<W#f&gljoGQ+dXl-E{aJ(2JaE
zdaP1Eo(kDI|3{J}!%mA3_`rqvs9-1vITdU|+pZ}Vq~Mpo7UV<ZsQ?z)MOm`^o!0bo
z60-c-q^|3gExc{950Eq7-vKlQ;h*#%!~<8gq)p5PJH%xM9Dvd>^5JVj)#D}l?QLbV
z%@Mquj+88zh}m86gR%piYhE(Y7B5Eee}TZjG72Rn@(xgucKfaNK!z0eTv$MvLhfL;
zL+|hAW%yGsFE68m;mDwt2o6eC?9G9lA17XH=WA^7Gnn#g0_MO$F?7H}cSHtt^>=K&
zC`l?3lEHxq!e6uyhC>C5K`k)B*5V!}arSZL>MO{>rEhW5F?0ixKRYaj3e>^TD^3KC
zCkvHB7wU_aQTQWqp3o1SSe_YJr05wL8bV53lQ(>fZcfP(y)VfDZ;$cBXgz1xNo|^g
zuyZuoNg5{h40z$Rl0OEs<hIoAP|3wqhF^?vIwc%}vfHrVzbs&=BodD()sS+XR2R<U
zr~8V)p^MP}R*gRIvCG8|9xwF8;!3Mzsat7?W8O7ypzkGI_~I>nvyDd3KP=m6WmXl2
zmo>jJXR2;%G?}YY5-AYCzSLa5AW5_W8J+mZ`edKU=8vh&6$YqfgD(vSG<K5QCB0mt
zo`ts*ZS+rZo&pjCC_@D1l)W!Fo1~Mpt0mxm)f=!4OqU8vTb8KF2?oW9p@Zw|^Mgs$
zz-?;0#<BCplgKiPlw>&=PnVP2x;0VWzhS%z_<WXGt_-1-eBA#@@BI<+<<@=I?`*dO
z(d=7cx<+zbpXNuPyw9w#BJBZ#{kI3g`an5gnmsYp!Sq0ll!lt<N9}hI<RR><;fbnL
zf2+3`a~B(?=pU#-ctP|*w!45n?q^ns39Hd+wxz#We9E&BGDE=ShC-w{($c_fYH(Pj
zq5ES4y};%Tp-~&0SR`2(6i-XfRn=hp{)KDBIyysDr{T{U=90r|ym0`e(e{Qvljjzf
z=eo3$;grml0@Hv7L3|J8EQxfDcuVK^yPYmkrO8xzzF4kSA6AW;H~a}8R8~FDP_9N)
zEE+CU+?V($!cfYgx*ggnpJ9;IV@wuW^n0t{-zqy>E#tgcDi5NAOY-49VwhaE3is%2
z^~=;dv;zU`EFoo5X(mV+^8qyi0s_dpAXuzf?F^VgH5y3Tm{54^1%83!!{+uMGc9<y
zOol@Gs;hMdAa3lbQ3t()1+3TYv<Pg|8qQh=#i*-QEIj8>gZC`65!kUrpk5i$Mc5}s
z&96Vlyo&+Kgx=0=4TkSuQ5y5rG~981Dmchl>maJA^r)(9Yg4BS3;R`6aa0c+VUC4F
z5>E9GK@cPd=8DpA`!GOs6;h*Tj~&~h^Uy>vo-i~qFJ2)Z<U|%un9BDa#ML)a?ka9r
zkl#yxBmDilyZhr>J9fO?2^RHKv|r`pgr<9BWH@Ul@5bHPXwVW^CY&09t20}O*TF^5
zhZUxCM}uQI(&=(&jic0;lW;I!J~Mm~j9vd`O&9YZ;M_>&VzIz*)Ex6XzlrF0BuB-f
z=gV}4=wmuEX1wyPs$6#k9GY=k*t9WC<2T0HN;OueCZidapPcs>9$(1l_#FwjOhO-@
zE)%uQjq;o9WT^T4(bl2#`U_hewUi~w{$1$9%~gqfc=;EE^Jlw5ShaH9&)Bu$duy?#
zY}J~OhnHSPBMp~lyAuR~an4s;9uNiIkiWlM91Q>RESFNOz&nahtg$Ib;cp^m+CNIQ
z(Q>B>0ptOwOhKM!8!Fqkcf0KTQpMU^6X|F{KQD*}Emj}6UVRrRve6g`AT&SL#|!JI
z#Hh*d*B|+F7Kdl8i0!R2LU;Tx#%s52j()QS&);6(YV<e@{12Vi`tFdw3Y;>=WWTbP
z{BrH@&fMLr+p~RT>*A~_jBq?2_7hXKRsf`!mTixfvftmX&ImnR?qWNny7wE%Vi_(J
z$2VBr<E6N$?!E4$;=B#GHlO`s@Lq!JUrF`f+nztHH(zE^dsH%>t;7YfGv&|NztUMl
z(li{zci_DFv1u^o!E;t1X(HPX@AiF!%BWuyT<Z`h_ZoYdQtl45((}&SJzEM>b@*O_
zmA-Xivg5Z52K0g#bot{8ez0Lj;=%g;v4$v|{V_VMSX%hK9~Nh^l;N>9E7;&eAiyYZ
zHY{E|YBl|-^Dd41v%;P_<sPtAK%;s)WN%6nH90}73Qk52#7Hwc?+vIS`a7gBqPV9_
z8W|i6{&>Af+1|ruvr@f=XW=BF^`-I~zfV$^uHS_d$El%llv!kCWFUQqQQFZ@&^mz+
zSuRngZ|7Mnv>*A@z1YCrxU^m_M)b|@B6G1=o#s09K3y~<GB@cfeN$u9Y+=z}v`PN*
z`AsgbiF21Vm)8qQua@^GWh-F4GL=%Dxwx1<JeEc+f45$Nf_%8ten_R+7OF5aDd`W3
zq>2)P*SBu!xeWHfAyU*-v9Y;fMXOV=l9*S=7E(0^O*~R<uWk%9g#lZs5i;cwA!|aN
zZIAnVNi#vsVG6*Wf+qrf`F-kXP#voOI|jtr2Fuw<`LFLX5WdAERTMV52JHCZemddd
z9d?4sw5~-a#0J6SQM4dg)?7?lZ->n!E<;kzknOgE`a2b{tYzwGk18l*BB1$O<35+J
z?w7fW9Ntz!?#R6Ot+M4C?ea_0P+VTdJ!3eg5+6*enpiG3TEdF;M;x(V7me&|s9yr@
zNFpsk=WskLDf2SwAd;vHhS?TxL1{Wc9HC$^@_TP2RxC|nd>Pu5qW;*QDI}xwawHhX
zBx7(O!dHKCtlVr35qck5IxbhlBF*xKpFJ9m4IouMOH!=d_~7t(-kri_-;V{tIrGZ;
zONlQVtt<&jU|UhrqiAT>uall8N{2M#QnCZD!2?pP+9vw5ol@P{VbW~pwR$~h0(F;>
zMW^;g^Xrz)4%&$Ce4~+$vE4F#EQb!p6DLDBY<CuNUzWtqw7H>~U;LQRHAw}8ic}ul
zEHDa`HwQBK-ExRQj9RCgmr#XvKYBdkf}?}q=rCXJ=@G7%(~2EC{U)N0F3up!m3j&t
zgZquaj<i)GGt^OkA0p#E(T^_t8kD(a!3YnBh?IKSp}I63to$vj+_H=^ox`WFwp*=%
z+ibl`g#QFxq!Ry$uGqEg`|fX)<gq98$5pz+2=_O^(b_3xoV9Vii~!H{s_<Rx@8Q^b
zr`5x{QN&NUSanjKG~FL&C6z{xuN^S1EIJxiNrMeXlXe3#G|$r%XLdnMR?{e4>k%jq
zcj;^1?a1A)H2wPT(`}zl6mEAxPNC8P?08CC`F1(1b^3GS&(F?ajCuWik>r1#en7h<
zT5Wf_HH-pHYg4DQLP{Xq3!bH`nG!?nXmOxJAyW`xU_5`<e=|Y;_M0KH1XHK=56*}*
z(}4gm_KKe<rru}%wg7WahzJ?Z)C>|kDr~1!nn3OLUL>8<+Gu`;%oNX8tiF?Krh(Z8
z33^rqXT5{rW~Vp8!(TgA4pE%4j8|XYo#XL_M?{03PP-1gGzJIBzzfQB#;<&jeBk02
z?cHSsLiHbO9KPaaZAGwfYF_ZXw+1wPWL?p=f^DY8IAk_sSiTgDY8ms`rgR45VMW@4
zLU<`zX6*}&x@cea-A~b~fRgpg(mu|Erqtn580^r4FPwFkeZm1i6N((3h}+F4>YjY|
zk{x(@4tV;s0b&LkBz|*yv<p*eaJyW+`lIbuN6I$L1u*3vbI9o{ph3WPXBIxsYdida
zvK4ts``+{~v6Lz;ydkMI!(&<JK%Dj)01fnlH99?K!zcf%a7^>bF~1GYipaW+OjT}<
zyEe&e17u=8c6|0NIW5lzq{^l80Nianm{Ybp)%@k|;59<D`1$1{El&Vk&2Dul<4z^R
zRUL@g*k*R>2w(xfo=R%L{<XF~L=YX;5=PmfP@jZ1qnl=FFax0~hisdhbGMnFc01vO
zq$n*tx<Bl?|GYWhFo$=P@t|S%y!c*Oa#bG-L4^D>+e1ZrxE3Yuq)(sYv$_bz0-|;f
z*8?_ScT0gZFhl>IcRYXm%EMT7etedYM<(!Gz2)1wb);LyL7XQqFnP_em+Fh|c7ii0
z81n>;C$E&#`6RumFq8`p`Xj?Q<JG7zAiYSTroTJZ85$cdNGcGmLLiv~9kl^>obAhy
zMKbjWA&>#DQI(oi7ohe;ny=1HO0yVpbqIY6oK#2K9GNQ)C5^RLxY>yW$Mafvih}u-
z-8_vh{S&XzvmZjCFCUH#>E3O|y<<alPnJA!5s}}$spv;HL`cX;fdJ5H8&)71LwmYD
z^_0j#nZSP>1i(N`p#Lu%mMA2g7&1a)WX~|Y9R^I|V@wP|%!DPKhP3$o^H?b%@iQ%5
zxy|`P39}`N&J7#3J90`^Ru&~lIFr%JKMzP{bVIF!oI4n2ays!U5y&8KT_k&`9U-eQ
zh7u)PSn~Wy?#`Jc?@aN<UF;JqRq!UqXeoG^CGYz5=~g}#v=&E)i;G7{UJs5<tG<v#
z8Y1LnsjD~!@oW@8{9$9UvIFbficPtQ7`Qx@HWrxs=k|I%J0dDNWYRF4;^S(h1zr;+
zv!*{!b$29$1F^wu7ZXjVdVl{U=#BTu@a*KUe76v?_k0^8&lP^;sHH9B8BvCotdvnN
z%1+am`RBF=bG|Gk9T!^697vXC(Q8h(f@^f@@);R5|0yz~wyq1`e;_dUDI}7BJ30|w
z;f`r;(PwOa8P%Yz3WgijSHf8sT@{7X0#+JH+gt9V^3Sow8p?cBD>hIsbGO&Hokzwg
zZs-0EV|zyrFxnv%b)uMuDDK~%z#<<cKE(3-^Eo-2Rq~uqDzH40>RuQElCU8%W)xbs
zRaDWJSt+W~ws8lpDAn7yGh(L-pxf((O|%oAuZ2dZ;?LpxZSH-TEk6g{l})r-WrtId
zoH{Bg4p6JF&v4Y6KtwkixJ4tx1DkEwsZ=S0Y6gIbl$Wpyr7a{wPskF-g^?mZKE@;$
z;(?L{0;&6<^=n&Q5%KqRCb5@yZ6mYZ8IG_j0@)$&A8#j-)y7}T&zJ^i5@O3;RzI(G
zKI$RhF`+C^EZjb<<9k|MLEn<m0vbb&!?iFbM@XCj^K>6CsIMU|4;ZK;FR04>5+yb$
zUwgXGc_^?!+MA<(O5nmRm4iZeZekBTdl~|t^mpQxFgFx&+Xbq3atb%njXeM<X=-4Q
z9o77mOtKP;GUz$G@OW`dR8c*mz7;F2ym(h@k*K0jg^)n6upI7KC<kQG?8^AsCuO^z
zzW+?<zfAipL<X<yz!e9h4EY2BqDx1GL0_+7&0s6$vHMWtWW5jJNvUd*?A_Mg;!zl+
zmvm<yd9gTtF8bQJxhdU@E)1YSBxpDUqnh6n?!#v1Q?|6)yi(YwlLeKn5gBr97PNAf
z<Z?glfko=uZHuD$Qc}pVBK-Nirm{JU7X^}cDVbqAIqhy-YV8H?waN}=bo{4`xqR<W
zGV_RT+G$X|7*qW#-wraAlw^_tn7elC@m)^m?LFq$+AB4Y0O4cerVi>H|MLrq*WNe2
zNI~P*U$c-1<?Av^Cs95z-Mt^gpH;{+BKG8}_RSWz&N~}LG<4~bib$g&q0l8V@{EG5
zkKxT843p{2efJLy6B7gEnOp!Nt^-AyQ#4wAdt5JXjhL8H<=w7=_&u9TWb;Y#yJv{z
z%4cdkBXDta5z-1qM1x+-$F?qRPC<E;*+L6YFXiPpC;`?-Cq>Jut!Nu+qf-Qa<a702
zwd1lOS;C}jw-kAJ7dYq={M6=iMR3uQrd0_E5Ge+0#mSf)tt`T3N@ZL0Uwd7NT2oYr
zbBvo(7_lSTXpiCfep~#MWXujoY2;M0#80WZ!wT!ObN|zPl`O!j;c1<EkEe4p<x59t
zgA%!gpZkI!8B8Pa{4n*Yom+77BW*Z#D;fU1B!)+(0|{;y4u{>`aiB+uawjawp5-<8
z!uX2U4*r_cO8TLQ)LYEoMUm$9W@1~E!4-|WSORv$>^!RX`{kh5LD}uocWnOq_@nrL
zj?6%pJu_6p8-{RXB8eXFUrN1Sy>z=hmB;PxN$I5N#;$}jTSP=eEO(6J!nIO1<-NT-
ziSz3N8Yw#Xx|BpXolgF6X}bZE5ur=I@UTFxELa0$SxOua?a9r$lwm~%^Rl0eMrMl0
zlPvS1r3Uq>YDh%2o?P7Ai(Gq*T$9TOI`z7ou8KhiT34SGDWN;>inA57q)JN6g;M2{
zX|zc=aI5E9WG%kVcQM;iof(K&1Fm#am;jCH!j&0%bf&S!`N<<I7;OU?apezcOHT<&
zR%q%{AFAWt66Edc5tb#192i+I4TL`jVfnZ}Cn^U|AE~K%I`F*B{dVP-u-6KyG4NBg
zQi`U$N4#7XrSxr%*PBPCJ<1_|W_YyLg>~CLy1ly#`O^o3DXu;afsP7Wg@J{8V><B5
z?@v}}mfDColNY|9X)Z@AutVgJ{EMkk_S)-!nq}W{SUADp=wvl=3dUlg`|$#f_7J>6
z+#{7Jv!bULJ1kdPZEPE!#%RtDz`)K4JX@_kl-1pn<Gu<X&o4jxR#zuhlIlGh`yKP%
zPS$Z>N`<^ow#hTceP^_p#OG@wEnEk-a!A~cIOc|2y&{nUL0fi;Co2X_08bXxWs=lE
zi2fVTelV_}acLjgwhkw$O@*3nyC>{&wucD!)29coDgnQYUx=?)0V{}A!ntUYZ-^4n
z3_W`?4EZOW&Kpy90eBc2-@RsDl4);`iISRPdkUHs9Z${aCZEfQpC{EDTRXw98+ENV
zo)IU{Osv9_d^kR){%d>93Xmxgk$?&fO_&Jj^Z2nte`LQ1itCCrh(vYeef#!pt=o$g
zRJ2UJcoWfvk)B>YVjDn-eUzm8O`fU%pRE;)vScYog2lvPwH~TAOuXPU-K9XqCPe-0
z=KICIhAZEUeiwc5Z8Ir}u;{>-?-!zXg=SXahbAnJWXjPRh}i>w@(c%7Uytro=d4mJ
z=L@+jwb&+7Sj?9ORiJsFpG`#aN+Wum(B8~zB*SE4GI#w#I25=qzq4s1hJgK^hm}B+
z8|IjyIzEbMelRtyC?~8;Umk;}yyb(5Sa2}5%g!1MSFwKs$mmpAteV|~Sv*heK%bLa
z5_Y)4A90ge;!N+CqLsY17WodEHVVC^CC{kA#Z*(QW_Y#`TA;JFqY#C$VBqh^5(|=W
zL>@O(XLV1Misy=qQlIz{I}P<`>1Q|{!I|@F75RuGpDh8od>J8QZ8XKKkQH6&egysM
zn(Y@C!IhijB4L#mzmr~=?=`|~UxZi`(mnGp7~J^2Jxz$oC$Tomv5+CpX4IRUfoOpy
zQU|aqkZ+HVR-Ulbs9@8j=0#zw!}&~$JL>yJ_ORGDq-fw90SSk8-2%Ktw5EiiAZ;`@
z7M{d7Qb^N0W7Rn~lx&cYVj^}r{P}%zZX&>?3|Ulo*Cx{{vK^NP{yVg91b6a_u>B=W
z=+;#eZE1h)Ba#An=jrMgST_r+8rFSy>Ld6l3BN4Jo0%?b9_dTujYU$?6rA=fBD-#p
z__#A5RTU(F_sfYo#yHy&3QX2}tt@gn)eizmiq{BT*f2vTv=q6IaPM-ebfCF&`wfc}
zJ;;(K56#Ev#-8CJ_qt+Apxrs>@rK7ZQZ%ohx4Yc~G?vc-Li-eh$>1wT;3*R%1B`1E
ztBNwVdNZQQ|2iA{8v}-Y%9gwspELZi(_^{Q&E4sC380Iq&mgz`6OAIhCIz%bV`OA}
zIA4@(cc96*4kJhgomXjUYChJBrI%sJWFR*uC-a}k<HR&#H2*p~&d!jur}mJdGNM@3
zr3?~F$`TI5S#QDI;3!Apg!Ykpu|tf@>!NAz!=Ti2PtHpH5(=pkZ}OgSqV+ZcGrjGM
zlbG^L!uT-Y6E^p-(}@*D*F^JV$2`W%lzG%c9^@z2qEGSiI?6nw#K>nR6QSYqS!)n+
z7a0pZkiB{yXuq;K#aZEmI_&S+P4S0aMF+&NUA9Gh2Oro!yqw~aSAP+a3ng>uxoZ>z
zVy|MBs*NYe-&m`@3)swu;Rwe66p`0~yCP3ti0V9+XO(9%!w?Kqv0tP^NGDr7d$S#c
zg!8M&7aFxjlOv^OvcZRIf6*J89Q@sx1DlxvNURn(nMu~PY^+d|vI?5mAl4*|LQJU?
zjKzdzG@f#TtCka~P6Cv>QTNk|v60-YU}V`*)?1F@(v^9~nvR?t?8UevO2L&p6%Z`f
zrD#8<bEs~^ZG1ylO$*VXJ~CxD1{R|=nin`V)U;8}M12dgk{B5_@;BzIxR4Mdw=kNB
z<key;{7!b5r?mp2>u`a!GW2Hfm<Ws}m6sF<v9EBTaq;kGg2QHSF*y*JMJ8p2BCXIS
zwxFr{=_qD}g58lw-u}u_&tUSw^zIvI++vDG0$+Lm32A=K6Oc0Rdv}v!K;;y-ZZ=&r
zn61@SAaF$Pc!X8r16i%p^_eBgVJJ%KAYjL&Z$Rg5jEps!j=E<2VqpT-IqJtyR7y~7
z+#hc&s5lT@Fm{iuu|4xyhE>_`Y#vyG#1H9(g+6`#S-ysFxxyJjTDJXOR9eUh6aea9
z)BlN=I20gvGao*vqBbBq%T;9ZHRU`IlAQMd-VRXUybg$jjFuI}<%v&YO@%!levp4Q
z(I5rUCz0G<<S8_*Ub>G%K_r;JcJxqG!+Q(F$YnYO*d{_mWMphHw6yI~!<Ed_W$M;)
zQ}L&Z>bI?cTFA{#{||w!Ety{YAFMDG0MAaIB4M+pb03ZoD%c)$;aY~@PS9&?5s<e0
zevfz~U<oFLeRcgEeoCL>a!Wo{KvrN6xzK9UZ}r&GN?5YqD$lND@H^oEyKq8MP1yB3
zp{bg}6Ss^ryi|i|l69@tASU4|5)(zfCNl2Sh7+*bEQ(hS-fb$w<fq!!WZ8?HmjY$i
z(P>s}LuwGS=3{FiC}(p9k+Wy#zt_+%l=mJzOn0N6AzDxBCs05XPH&DAIfBg!?Rj+@
zICm{}smi+A=Q-FJ?I-|^EJY|w+XZb#-GjFddJt)$rwNzUpNV7Jaf8mGZ;UT)-Oq%W
z#UOeTVpvWb-l6gB#YkG@F~4#(lf`h;{%GCl)e@}u1O97$&C9Sx9N##Tf9G-qu1BYg
zELvlz#uDsY2(B$=fwYOV&0}!M@A}S98*1rc-9)}BPl3&;8C7@p%Psn^*p3-3EFU64
z+l(W6Ex7vYA)i+45alTo?>2JCJW!zkJGfqL4=h6UAf`T9`XfA&`i4hccRbBQ)_vT5
z%8axt{oFB9t}aYe$uI^`#hZPv`Ut5d;y!GeyUeF^b1_7$P0jj6Qel$Rpsxm89*8$P
zsnQr2$`@B(l|jM!R&r8pEc2E@<2MXCcLj!epW)+!VHRpkzQ|q@mp|qmRfb(?aGkny
zfuq`!Ir~EJ(998<=ctw{M?l32R#m4*I$$PMHx;kKyC>b|Ui`-p#JCFc%ZwdFDL;<R
zg`ivra_(QVED&2Hz%1Lyo{=saftF4mc8cSkR2*%E!KKW|Njl>ad8$#hp6N3M4Go;I
zurQ=YYWpej&N2VMt=8=#@00QE$U!WXYy()@wSYot7P5j|$i>;oQkGn}qAu(}yiMy+
zrV3=;mQT=hR5aHk?1uky0lBpne!at!eGZo!*1O*~$NZFjAkZ3aG~<(-28US)oAJ+h
zL0DRw(VU4qsp_$fWm>1#XA+qvsX+XpqC_EFKJt`QA@RW5YRe=G@jJyZ|GrOvM!JR-
z8^_>k3)d81QF4Xi)X^VO3G>IW;v}nz`FCec;{Z;wZ+9pAby&Ni5O6R47?dev)jGza
zK#QO3GhqD0@Q96#o}iJTW6Mhrw|6(4Bhj*EYQw_%$|69GN=eGHcXcL;1<)X8JL=ob
ztOC*PsFdsq?AVlDn_c>chQuQG#fbLA<(V)W2ZO2CYMUcI%Tm3g;8zIOh!(~z6et&K
z2@4d?HeA`V$Ayooau8ATT^A!C?9J-?fbFE}6v;07KHt1~G<0aQkB?|?A@#!2J~=<{
zH6=d0{=zRDtiS-ooke6u_eu1DGCnTphPHLuCbXxZh~(Z8-Z2m|u@&-(Ker}XiXX7j
z;vsIc&YKM2RqO?l1FWg43NSl@`RN++^ksLEAGm3Xu7bs}WfJA{YO3Q3H<^fOb!6A!
zsg*uNHQ*mQZ9B1xeiV~#FkQHr>Xn8g!bTxqn#{i)=zwDP0qC9$5E)7f9WE9m!ZNiM
zP)(#p@dmC|8_m?M4!d!p;YgU)SsfMWw3<j}Q)%?gb;Wj`)&(K-_?Kr>79*{}UW~-7
zc8ra44RZMzAFB-a)~x((50?x-b1XK-htX`xSyi0gXdvA&%pFcRLZf4AIb(S?w?uA6
zC|@ZSU+NvVx<n74x2fvo*Hgp;-^{QmY;|}b*E_HYWaFugXm}+YiSik}(TqcqRPz!w
z%o;5zX8HCk@DKz$LeT3AFfD~=sZM5v-Pd)LbqQo?>rMk%5?BVhf#(dp`qBegdYB2S
zgjt)^pn?z8VGbMWvrVI(gm!{;JT*rQIJ;aZi%5Esvp)M&B^ZbLl~A}TB<_~so#k?e
zM<u4H^~zj__v`m_KUU<oqGLlP7{gYd7pRDEqzVmt=bp4<waJCsPz{Qdy9V05ICHjq
z*c=IuVx2K*`X|zY8bBu=7{dKgSm}fIgk$O9CnV4M7{L9>x#Fo$F=w0K1a>DjRYZXZ
z*!08iivt+Jl*w4}w(|w2LI?nC8+Yt>pKIfgguog;vM+z)^+dC@qc>uC3<ukdFm|QE
zf@vUKEM~)0Q#W9^ACPP33zJiqaDBsj!wIjmjye+c_+L5w-dqq#RauN=3;*oxlg$@c
z$rp@uX?{fFXBw}WhnxI>y^!q0!n9@|Y=4p@?aw`O6XoEj){6Mf8%G*k9eFGRtyZ;)
zg+BT~dDj~ud@uhuAnOK$fGEg1NoVX*t5lOl5z*4vEQD*~@xldDQ1<ouw)yS)G6)t%
z9GHl)Y=VYD_-Czf#y`qVF2<{zIGN0nPpbxqKyrBwHX^n{LE~I!)WJ1P8dJWvAW`rF
zqrj~A72Y*Uke&nr46iTpY>(EI#-JM;VJhrUwUzIRujd;rH7wBgRjii1V80<kPD4}{
zF1D@<eDbAJR3hm35?DP~ppL#&s~s1lTt<?7pvSc~sr-#@$&+|>^&Zo=T3<&RMXRCm
z_FikO4*>0zh6M3vKNS606U>!S6t$|}>iEamiVKQ_+f`guILCf^onUBLIFWZ-wH#>(
zYGNX6`C2}vwdTXnx!x4@^V=zvW(goG#YK2J*5=vl+<eJq84^4!R!m!t>0~A=7^Vf*
z-;WcI<0$Lv?|wkeS~q^r3-VY-9KVzKrSn&2Cxq%_oB0|m@sQm0pna3le3dcb=e^u4
zt{yuI0YXl^1vCEwGdBaV?R*|hTZ!uvf;opX%LufagEAoNZN&g#RWDI2zE8UGMh+&%
z$0^wo{biJnCIhi{WwEF8hfDy`U%(kOTtW~T>{HPoVs#~$zn%p%V@lcDC?4-h&A^U4
zhGF;?0$e0HV>4%WLy|=Pz&JCEpmT)%Ypt*dXT=CfI#Z&UxlK4$o<Af$3(#*zT<nJG
zc=CC1_TK&+q$m~?9-e-CPpWfl2O_Y7NNg;yXD#dHo9FyrpVlo0I*WjZ*6q%vWP>6<
zK9Q$HU@|;E|H<^yv(>G^K)U)7ec5&ZQ7{}uXHTF@W3my?in2GoMXWQVoE|cZRX4PK
zC#o!Lq(QrL#fPyg_l03;vDAuS`0+f-jrTF%Minlq+noNY(tWUQ*B{2bZ?#+54Wi8^
zoF5uFQE9;dCjZBo3g)780IZ|Ay$F4NY-doW<WT>L;NpStMC&|Z?5=GXkJ;9(MDmFU
z?<@A-F2-LSXoqN5`k7G-A*h43S)Fh^ZlckTd<a1(5&-=ApxuEa>G%5C1DPNI!1`A4
zeLZ70AG3s>9#p$NOD+eZ4=R>$fo6C5-;Ol~AfHo8sS5#?l)FpJ)av-?A|r1-zOg=+
zyP06~DL3D6QzC;cQ)(eI0Uvi#?DNC*q<V0=>J3)DeUmu~BY(hcyDLO0MG=N|k-6bW
z_oz6U#ZrYfy1#BzDfuVs;!+9{002ENhDb3os~j;GtIas6AXXM_hFMvH2DWAY+%&Fa
zki(mcdLl|$HWM$Pk^m}yv=$y`qlXNy%{qF9-@8yfxYEmH(k4UjZ~XZe7aP<~PzuIp
zRZCWEDL9gS{HXYV;CM!!@4qp%C%>6~jS$>BY#lu~k($T~iS~|{jUgKQS6_)yh#R)0
z0@aV>Zhi}`agarOn=#n<f55T6Z^f-RJc$f>V?3`p5``n{GmQmLagUmkZc4e!)J7I-
zfuV0p9<PdYRp?I{iwpNif1u2;D(AmCzn6e&<<Ot4d64Gn)ER+$rm~Mw868B1m$6de
z`|2|vJtV?XJl>eyjU_E}by{F^*l7pD4z=c+<-umWPY{p8cPgAN_k+OZ-?qvT>^Eps
zlV*bi4<Ph;KEsN4pZo*5L7N>ABEwHP1-%^Q{(JFYf!^j^{ic*$-fQjL$n<!$>(}11
z0kGXF(mJwC<0Mbo?=qv`RmqDjV{V;GwH!v}Cdtc3w%5jANwSvOy*Y6dKG#sS@ctf|
zGMlUFVKVIRe>I^aY!HY#PY+cvZdiStlTf%R%k^1M^tgI)!4vr7!b}P(AqlBTINpvz
z*BkgRM<5?1P<Lulg!dWhZ+`s0V}5}jSf9yU+$L7}Lk3vkky;5-q$gHpa5))sC2zNV
z+TDJA5y*PxK2TrxDh$=KjV(Tlety_AK*7U|o*MJm1Ia9)Ds_R=crO@#S|&@>HaVSy
z)avvSJoq7LGSZE^=Ewr4x6vz28im;DdJ|f&YQyw6)zR+9i{Rm4FqS2VbvXQ+sz6ZU
z!caIG<1q)=TOUxv`Dj1#lRX;+iy*%J%m*em67YEx*ZCXSbDtaY{k-$v<^TbrU3`MI
z|FG=ukN;RBC1V(+Rv}&sXel$Sw(ujgqI!=YHJTEm4a2ir>F2A>a~x(*CR-}UOZ;oz
z!kTL!4%IC`twb=AnGJiG?|~Nremx|Q8`f)O^FX>md{~Sa0>If)+<D325z3t*H`L5!
zSxGhjwE(?O;=}z{D35j9k7#bwz@LkC(aZ;X04?PRjl^jJRhwqi$0>|f$KqGMG%O0V
zk}pVcDg&2lb&5liyQe01ME4Uv#o%pxkiR}JV^bYx5G{(8M|>RoJ86MXL<nQ;@D1z|
z3Yj~};RHgT84RG!tu1Kxr4ssCq{<@hd%VHgWO5+b3<WuP|LQ8|Db(%V?5X5`UIRs3
zz=TwxI94?|oD^L(W1|&5`~^)ah;(kN4z<AANSrplCo>qOP!*U+CtU10v%olN<WnlR
zGV>*PsaS0iU>np_#T!Xuu08sIgK)M%P$Qrl*DK$XkXAZbRYp8}HO*FRmec|V%O%6>
zLv<`y{n>Th`izRLO2pi6rWF@NKs*yuqL~Jh!Ge^SonA;djzk49^42DQ22V8}di|4{
zL6r&7*w~1IjSbDo$r*9}NAw}3L4rOFK?Xo2K=VJR<`}Wi3Yl}`3YC_rb6PQH-*}3<
zp<u^|L=vM`y(0xrO<YjKT7Rm&N;Dn0{uy<0teQQ%$BUO%;yRB~rBAp>7jWZGP-A#%
z?3Y$7e9YEIDr2h9iv#@s%=|)_TO0~;<^9cnfAg=*k#89RfhkE_#hl`~a!|Rh5bz%|
zpjhpH5=-=z!L|yIFnx_Y+y47L&uy4yLZ&avY|c@%Dz2!sdbb13>yC)Gv@f4}Q~$LB
zK~@10#<AcC(-YMb`@ip{f`xdU)Ep@yM@ekKXu)HnffYSA`Nw)v4M4PC%ES6O{hs^p
zTmEBPL0|4o{Polc&%2_(arS@z^q2Jo{UaX&eNROC|2Ge@<PYNb^hxNGw3x8k|7WYT
z1lRW!y_zQ=UXT+bX0ZME&G=v06!zH34ViHChxG3mT>fp1|1rv-i&8g)STS_ONL_Ew
zs0*fy92A+H1evJ}H#r*qnX9)Y+r|OKcbh{9eJ8MnhK4!omSR+vk_7DkG5P*A7v6m!
z<V^WV(x>*1kAF=fzjwe=NT7*#cW*Q0+o3mC>%qcRAQYX@4YlAGpa6kAKMg&hxdRVK
z_pYz?bk*;?|JM=w#u|7^n!=P=th`P0>?G#k*~KGVvSRr9y4>!~k6~=Xki>Vonxgp;
zh3ZKlH>J;P+RgiadiIa4>xb=T0~=vT$)F+(cA!>#<tr7`CAbO+tl98K^FhiDYms|d
zfSSZV`L|*DzZ$Z)3xnZ<ftfrXvY)Gc6iHqUo_S##Q4?huCGKe^*v%&u;Nq14?LYc&
z(D9!w@9(B`6N8P|C=UiTDebMi2!BR)?JFlvoBk<gRfYkkTglQC#f~4RTvkNfhy{ia
zU2S8BnAn~XWVOJBsJ#ttGVM<qlp0bmV78|)DpQ&;l)tL-N$DFsMINpHU*yRDrLTPc
zU?VgsOim&dYW;D5m$VU~Oa}yvwvZ)oBi5;qqUN>{MHA?~Hh-kU!I4XpO$<p*D#Qlm
zAai;A{FrPs3G44NrlBzp<X3`3F~h^t7WU!4^!7m!M|tZZY0{v?NC2C?OBNX_ES0q_
z|5vOE+$>5gb2$lcawLK0x2eR4UT+*C#w`;pJvyVGWB*I*{%-Q^77Ru>PvR=Kc|&4q
zYABm}8p<%chh#z>c2=J<z6Qp4>bh6NndYtr;(VpM*=xHW=Vp@68S6XyfMr6VL-?bm
z-T>-3?zD<Hf{zaFg6fUQ%LTnw&ktvPAt1n;X$osaU}|{iWmW~RiL}uX(|BxPIIh4i
zD<)x+_aIlHMoD|16(~yG5}3HqXMTZzA{zc@)xpF<n~nhfB7UB(u%5UzO#?t)k5gd>
zV2B*nSStInN}i0VYkOVb)?B8q1Ucw*!Zt-Z$!Yga&7eQ1^qcX2Sqp#9p>YzWY7y8f
zR@v0pkR>@ay4=}zlOjA2xm#At7VO{voe+frj_{ssHny013%)mI#(+L_R3az}ljdOY
zbMEc-c%YPGR_rx)QK&U$+)TN83EdYl?VL_`c<Bl2XUG>J+c{!V9%U3@hLrISQ)KKC
z9Mpz$rX;2$H1xo4=)EDzb)tqPlWVWPnX0u~Kd~Z*fYiQBn%D6P{5*avl%pSk%X`Bq
zK!%gD$}+-`%H^P{_F1ddK=^C&hKP&rUC6uSNnr;j4x<+l&m;(uwTAis{-pNHS;ShK
zw00*_B1~pVw2SY1=p9~8a%P&my{37?jaAna2(tU&jzAs+Z7i}Jo&N2P{AUq@hQ8lF
zUFZ&$f^Ep6aBxk4U_N3vd<?{@BNWz_8Fg`DL`_`FFC}jDcDCU5KY<u6H8VW)Fkz~8
zL$~GaKoB^-+;5BbE-HlXfK6PMetENu$!vl7#q+D*haCfyGQAF?IF}$F4wgI?Cjo!T
z)||^nG(n?cG%R6RZVx^pGH=;DsMI2X*x1x4O+`|Lo6P>cTEz<RaDa*whPH`>NPH4u
z_8WE9jgk*5Dx>WE!i%Fv^P5<<DqNRzw3h#4FL;F4h`3-_H==9;$wUHSWW4k^q}5af
zHi=YZ?rsWFYT7W3>MLoE?4{cWK0#WPxB<avDte-l#re01(aEUl<kw)``H!Kn@=cao
zH_4$tv;X(v?T4pGIQ(%JW2YTKj_%VE%-+%Pssn5|<yyJsp@D(_aKBo-!44Wv>WXgB
zjcVs*ZvV=N`A&%B=;}0_;>5paA|n<bxtsqR8a~1BI*|HpWABJs#^h=*wsv_^M3FS2
ztB*)q?Q!sYibP6=l}Ua?w|r;oWgW^Jz{i=yE+jP4nXyp@S*y<#l~&X%5s&LHe4vcQ
zD&ZEgBonXC-&G`QhWxe5kvc2pH`HRQfy5v8T;^sg^+pw=2Hj8Kz+A5M$ALX_VXg)f
zT0Dg8Ai`bx(Nh~_GK%0WuXZU?M;h3^1F{9?V}Ja59~Y*io2mj0+;Nu6bN>ZZw{}k&
zGy{aKnB*=ISuj$8|B1N&wX^8s1a4V<EOJsskON{apEv*ywwmSNmJl#m8kgo4hYjQh
zhf3yraCki^df#36?Z~jfr`icZXBcV`=~^S8@Cbkr3A`eP`PkNfxJji;L~68K<~qYT
z7eHRJ76VG86Dk*ajl`c5H$xLMkznm#d&VULouZoMbsr3$m?w%gawikcS#C!z_(7u3
zBcX@kOg}7PCe`Vni9X;g6@Y=YIeh`*n+jyy)UdLvH-pE2w7Y>_H1}PoL32@&(P0NY
zV&-Q`ZNhp8b~@NkgZ3t?4YEus)oA)MNP)llaz|>i?-C+QP?FIoBkX5yv-Nm6Nb$?n
zc<A09aezGhbfT&gM&puy<^TS_tSKl{)stg2`-^PS9eGmsZjXF{0A#qh@o+Uo5b?qJ
zL5M5dPdxN=s`i=)>h|;K#wbGuVGcNGPi|h2eoz)zt9GJUILr>A0M5byzH#HsTw?Te
zO$NDXDZp?s6J`1eBLwewsz~*aSS(b3Y(2sg4%=AOGDh6au_b+|SXETEmfN_owt%Z1
zCSHajcLW=a*T=b~L84k)yf8KuWlux)JQ01dX<w0nM-I#gl}0N-Q(c67^t~O1=+Qcs
z8T=z$nV-k-eZwxJ?G0i?#_P*`Y5C5bT^(Lv)fg!i@8Y4Jj^cs`AT1;ukocSqyDL;i
z$(>5{U#I2&yo(PbFl`x)!g(ctCj1aosEDx3>Bnf{n<_j7oeq376;H2VB>8p}nsgzP
z?I`K6a=%8JFhC&g9nCbYrNmR^v*1gm*?>}uHbErPl42u-)oKOFh1XR5%QL%Jh1M(b
z-rAin&aYFFi}+X+gHT{w27-4EkMuc6(n1(a93CRIaVU%8G%=MvDD`39F6$`^MRCA(
zM8&{!+^k(PjbeJT*f;<_lG1cpBv4O%iP7HzS}PiH&L%cNISk*!f;$Oq=_F;8`+Ecx
z|J*kGDHF#t9v?W^?M}Zwj^LS{ZJ#T+2ju>7pHrd$(y!IuIEawHef8(fA5tPG$}KW;
z{}06eH(Ci?%?yacI;g3sAwpsNHs+Z$erYt3MByb883~y6hC?0bX6A9bc;L(WdVKMf
zry#@%nJq;coYzDxT_Y6Ajh+r}$l{ecg1n;;23<;D&FDOwfRAskYABm&+)la5+U&tf
ziO{Kla{}*>MWvB~3nM9Dre@Q`w2;tZC|P-<4uiasyn5RoiMdVGiHRI(`(inWfuHbl
zHav-aVu+q=ZTx2l2bjyt5|G@zI?^HhseeqiwZG=8U5vFh;VJ`xsG1g4Yffh%F2D7`
zVXs~Ng(cUE+hs`Qj7En00ZV_i-1wll7<SS01cC3aH+Z6l!{O+goM{QDU;$HNR63d{
z@sAB^X0ikD|2Q68fd|A1xv8JkTan;O=#Ma#^8P}s&p*&2A|m?l4#)Nn4uZ_TQ(3`y
zk@3|fB_)xnz3qn+ov=Hd&JbMf^zi=hlJ>t<15w?%HmXEb5o{N6bmH}d4lgkGY|AjT
z^pF|plDfGf<a+1Hm?>}p4vJrSnt5Syj$Vw%M_;Z#3};4*B4o>ANK=rWH}leknOmU&
zzkWc1qZ4NIJ3YX>Z}?zIC<9gqdt*vJKXQ3opphE05GP?=;~5pN(MDo~Q}9o9TQdSe
z895$k1oVD#_MUGNUiQ9agdj7|KpG5}-G3D9tQ-Dmr7z#J3xC(+E%LYM$HSvD=tY`R
z2ooy46;<)(Nn%y6Po$mi7|AZ*YJqgEj`l{>sD8^<!A{1XB@4;M9?Ncf;Db%rMmG~i
zvn?E_h<;~|uFip47vR4(2?fcJTgxKhzK5fGvcn8RH2p~4#JRmOY^Ne*Xzs)7q2JLz
zQ=iakHsr2sy^NGd*^W(LjSTqQR;wR4zk)9OS>KCbwU}~mYXrqJwJt)4akcw;_Aro#
z9n1f{14-ToL5STy{d9iVM)maEuIlzWCsb;3A>X*^^Rw@UWt8yahHIWj3dk9YO6>3P
zd2)O>Q(mgk!FF<TTI=#))NZkctaxb9B_v!&PZJ}LHa5}jTsso5z@qC21*X)Su(Gnc
za3-dQMXvm=>DP6Z(ME-Q^!$kYjvm9qzw*We8_u9VmLrbOZ0(3GSAhEw>!Xar^QJgF
zO5Tm~loj5C!$EG%v|F*&K^CoCSo%ywcOzMA2Jg~<sw0b{w1NM4M4BvD36v9w;_jzY
zrz@N&6Eg=7)|WJwIDxfNzHV^W^6~z;j|P#R6P(c%%s(PVtvZSCt<EDdXi{!3b1rKy
zRV`S}XfN>X)}x^;njh~;>eY}G{<1kl0|AsU>#7Zo;of?C?;cD)!X6nFA#MxOy*?;g
zXp6ddx9N%P@UO|^Kw1X>THq`4g!Wi!?(h&20`dIvf;AOBy*T)_Y=)>EKMTwz+HgPu
zP1yD<xK5Xz5sjn<#fzKJiQ4+iRRZn1oDvUrzB7Rbmy}q$3kTl5snf97fQY-!(N4?J
z5z2GwM;pEl87Ud5(}4!*!nyNPDHm_*)N_A&t>R^Rf)O<}0M9=sb}%4~ecwb!&bmW6
zdM|sQi|`v1JAP3x+V?8x!DWTVX2xw7{vUp77+87n1NkfLdnHr=sM(gWZf9ArG0oQ~
z*rxZ<$sQf09r?(5*)ga4UiOWa3I{K(NYAh7EZw1{<MX9v1V((gu$*%jH6C*=TeHvk
z1{3%Wk)HE}955yT0lY2Tb@i9M^!PAXN#?1I3DI!lx(x#VcMkLxS#H6rE93QVIDT04
zopB@3f^?((t*KEZGph|~ZVUVm*K3dru`kJ+ZnUP^<mKu;#``~huR1w)&w{p;TQP_X
zssD$ruMCT;X|@gS?ry{21b24`4#913ch?|;yGw8h1b270V8Pvjy9T|yNAJ1kyFX{1
zJw09B)xE2$SFPo|H-f=o{TtqFEV;MU<sc;Yqt3QaG75J}ATA;{c4%iX3Z|DzlX29o
zu{IwarxiSzovxK=GujtxCKlP<EewlFobI#q<$YX&6bNi>ZQZwoRQkapd>8#}KjGI<
z`jtS_ep7t4?W+?z<)4%f%nU<e;VB=?mtK(yN(LKDDrER#MgeSFFfap95r3G_Zt75A
zNkQnwbw*VaXEbh{4?jEuHr7rrSCq0QWCkWIW1e9JeH;n3H71N>5FV%s(8+!cU}bKt
z>~&!SE$eSqzb3eix?xI}M)f)A0cwl%*vQxu1_sk+zgC}z=heASTSvz;3~1fFnNR2v
z#d5!El3{gOeX_u`=QOnj{NTO4KMK1%=wNWAk~H4JGGX0vkeh$)&u1AaW%IFN#k9N|
zTbLmjmu?JByB<`UHQ6<;xsrj`;jCbUr)Et^;327&UgU#N65w+eGgqbTT64q>6I0th
zBo7Xgh^|rR{6mH~bjXY{Qy6)nHm_?-lhLr`ehd3^u>xM0pZ&rTGm49(J>ov5{3Bn3
zAd)4sreS7d#FQW^1$h%Z2#uqC5@Ba*+GpTM#-Dhv#>K&aIb)_|wqq~h-jwPaW~W^J
zY-DS@Kq3T4tf~7Dw_RhKM-Rbtzv=DLLiDwRAFegDedxchb==Ir{`B4N2c0RJt|XgE
zq!X7S9qUMU@2JhUm?R!8oY4{A<OCjTx}gM4gr-*GGQ}hm5`^E*tuKL78Iv|?l&Tv&
zjLFKIcKYL>o07X4m-`8aM8N`>Zxa=^-gbMxtHZRH@sBu1f>IP_hD+<!P4DPJ6Q6p<
zZ^%VzSE5gcZK-W$0VaQFE{rXrp>NXU1C#-*Gd~OD6bibCRkJ7!ln@hh%N9iB7HYY8
zAB16iZ2bi*kM1VAQ}ti0jfNLc9G%CTEk^~F%0~;p7#OxGk{xfZerD5m)G1@+80Te6
z&(SF_4wCm9<Jr*Z5Bu-tshO?rSyG*;LedQlj>UPkI66Ti!bhxR1Pz3xbVAt@CEr52
zOvq?&v#WuMwpWVQS6$O)#S{h>Q6O=+e7RycJbqU~PQQ1e{D!YO(dU6Wf3ZH^s<af)
zh>-w`sT@fyE&Mi*i`Xc<&mZN&SRV+nzw9v!<KsvZgQ1f)86)w!O9#}?Yo@}C%yL!p
z@IK5FfppUh?KHGyz4}pYY7=HR)7=yF#`kR`=~o7169mHWn&MQKZ{PRP1^`}%qo0k3
z`!86?Y_nrcAcw@qv3{$mlgOiwHX6}63nKt<rJ(<YX*E1Mxb5W*kfmTlPV`h-FM5|A
zTl85tFo}-{vRZRqN$l0~B>&WbHJosW<o5}>8cZ$>SAyb;wGPMFY!E%}bY)y8R5Wjm
zYblBPmYj_pW*ECENrEZVeWZ@n<cgJ+nHsdjK_b8?iP=V{QBHTsxPFPt8)5ofKdKs4
zWmuLBv^eGa)w*1AtMr#?&Po1}-JuY!NO5i=xru<*2)q8aPD*)SZb={zlCpheHV}Bq
z<A(t^cQ(^#UiRXxm5qCW1A^0z%&>fh;_eG&l-CVF4?DMFZClJbR9i<=txIgpbtE&i
z6No*siS4s6h2yw&LtmksW1-N9kHEfWY{M{1vMZ+)qCp0X{2Y~=(2(j2EuKeNub3k*
zWk#e`@ZY!n&ZQpaSg!coU`jV+KU{p;@jcN^7`FaFzwg%h?UG6*I@_>O$ISNnKKRF6
zFcu_<ADtC^MiB6cv0TFdRHX%}S*J5+Rd&IVU%V(PpSze!?U9Sp`74o<W+qj-TQSaU
zsnMT6!)_@CTTXTg=wL?A-TQ;A6ArH}*2E!q@H=n!_E@%7=F9j@lTQFL*)+=Rci!J;
zF3+qE+n9QBGDQ`Zt|(0xF%HrX{jtJbLv~K+K$K@PXRC|NmXC^(@XJ@}eo(eA-kf>0
zRF?Z)t=Ax%Ud)(8HQJBDU=xl%?`{aW@}%I`sICu|k70_d$br&?Uib<f6neP_gP;CB
z$VW4jXxEMX{44?M2J$a|bd%j!kr=)Bk9yDQeONtuRo7y_fI07KHOB4n`8$O5_V<i`
zPWJU>Y>JX8BRN?-Y+*7P<C9CL`Cn{hZ#X2){b-c{fA5=e@gHuy^jw-Qs`RT4#9wJ<
zUz+zkS#qzSLTZHlpo4Th(kZ=le|&q`1f@Ab+`Q`r^Q$<G03ikkx#3NQ;>0UOxGS<>
zao$$E2%RrHqrERM>A9?9JbXC&cf7ju{Wn=H_2+dhA8&IewOTwmcVzZz>ooEd9=h;n
zs~MK|t0tp|C#+mBlxg5C?$7ewF+tcL^11%OEDaVufj+lqNRM}mVE8T~@e3y`V!baW
z(~dv8MU{VzJmwlxiCiGCKFf!qb}M9sG!ECZdR$R*&|Rc1N*oSCJ$ju}h71A4f7VDh
z2VNvHIE@R~gpI>-8K0Bcpr@1s^=)7UhsKB<Xt*8uLM^<o;#oOL={({Pce_I^^RW^(
z9R){R+=T|qBfD86<4)VGTMYnyBe@R!`ikU~-F1?@yuIXc%*Qs{K&x8_0aV0~V$1mx
zZJ&nv0`~gCMI~EVctJ+3H+np4nw<C0Q){`F=c?F^qV+t?s2Axr#BGQSMPQ0Z&GZH=
z@#RD#dG3sBa!BrdLt&_KJu?R+c~T_sPrLD8ztWPD@e9$tKnlH^F+Fv^(-Hp7TKy%D
z+^?y2P|(khHQf<A=z%?N|GTWle)M9g<C&*!<XVfqS^5t4>}vZFBA%fBa&Z=B$!`yG
zR)!eBuloCF2`*`*fad8|@ukg`bG9)<>*Y+EN5tuN$nS~w<@D~+=1Qz$y)J7bO6sEy
zF(P4?CeK~u%_fOm>m!cdf|mOfSRjFkOH=d#-wCqpt>8^pzN!Etkg#RQ*YrJRcRhSi
zA?<f^)KgwPJPdz>fV$3Xb3Y?w)@!+x(@xxTt4b%Wap<FAw!O|t|6sD+{ETjY&so&Q
zu9@Up9!^u0nEOwn4HtUA-BntO@>{ybkXj;pjfo5K<e=TOhZqX&Y!Zvhgh2?64R~}a
z(g8K!dHhoYfhtD8#fMgd9|kiIt{a|j>G&)~)<9sJncw!ngj#7!Yuk*{Tf%5<?IY-!
zKriAKx<v3$V-QQ#S5DfH`OjFCeSNGp57cYng&#yOkI)+M1JUOwj-Kxn-^Wyq<<eli
zxQnHKeeYYz((#@9LGZmHBE9YkS!a<p&W@&<BIMYj3IXcHG`;f#7Dm9m=dX!H?Ww>Z
zNurtYQb#w&;V!gV8=<qIu)M84Q+1Mu!)6a!yBJI8td-`C5oA=WL};kV#Tmz~XF0+~
znJ&<SU7(}mN-dXr`s&BJmh%pf@cw7m#1gG<`!3?&KkdfvgDile6VQomT>jZ{o*&Fj
zNSr#nEw3l)xDr@YQY^B(9cjbC5by2<0sl<5<L#5}i!VAE4j4*vSEbn5>*caLbSdCk
zU?B%dS~WCuXFOcFDo9x9OdW3_!s*fSPPWMA8`<JHn7z`VYqb-{cOD_VQy81<&MlBe
z;Woy#zr*_i#<qnR24$Umm2as~sa)q!W7!r3%ZnYmI|o%fK2Gr7pd(Cuti<$75;)M#
zy3hpuq#gC0xHBZ>$2ny-G!yXc@$d6i6!YD7&Q04vuNMlLg#Hq^y6YK+BrM>YM&mfe
z^#V?&-lz;qZ6F^7bdppzQi_X-{L>y5V4W}0id`s7!!#}eN{52klx(9=w%HE7*qDqP
zKI6(G-{T`g4iRD?7*;=>2z%EpK<{C1I9PVmFeavpeA{-q+)0}Cz8wC?;i2Er`*Z5&
z18_2uPwmB_RrF$<XvRv6N=#6-*@|X?%vI&q>2{2X3eDwk!PmouG6Lda`H6zXgKBU~
zrWT?7J^0nPF!({4Y`C|~UE25Z$g*e-;PMBJ-6_u4lIhVO8G(c^BxeJxVB?<W^S+&a
z>F%J%UxVOM;tw6%$RKrZDY5v#DNig2={<$3K8!v9M>c>q2NeJ8-m|nZnWu<6{6Ty4
zxLQU0gnSbANlD3*e=OdUhJ=vF;w5g)HrtMk)nkbJ(Yy)M=0H&t>>Z=BzlUI{$51%8
zI=OYK4?A><{CzFpQ_fi^{6y91YIy!`m&EHYsH^4G7{@f=vM~C4sXSCk%&DkDmhJcD
zdK4S?3(?&C!s$Xog6~Uh$n4!u$W;(2GnKJK{;&5~dh@A+EwW_2p%ui6IcT9N+4>tc
zePq~V5biFv3K;VmlewXr?rZ&Vu5)V@?p^cxW7$}q0k`-q>L;Ob!X$yy?5iw(*AiOe
zsRa(JnJq3)4jugV^glgFBd1n=_hp<huzKy_kEGg*tm<@qAonqG9eBW8>rciLA!z7$
zzJ$UPe?u85iyuK^9*6TsJZ<mf$F~Gj$n^JrP$mqU2;4q+i{lfpC@4Y33(;1O1A8I!
z>_cKWUI-tAtg!==80j0`Ow6Pk(R7>d5gQ*EYt{I67<>k2k5r@MHJHQcW`@jE_F-Y(
zb~C|y((cHIuIt{>y8z?8gInI&cfn|T6_PX=ftR<N2$|UgBJJuw$`$~l_wD{e7Efb?
z&Wdj7dlIq1*!~#-hw{I@`}$E=yDx6|Z`-E7fipCF@2C1OzUsq^f()`;=cMF_f#kh%
z-_VI8#hr92T5w85>6G(}VIuJuPzO6Loj$7uK_dl*&>}c(nx3`aaAnzwJ%REAWDefo
zpYKOUmLJ?Ley#bOR~ikBSB!p%^52PAQ<RqzZ+x1(GO#0CD{S-6xuN>0SsfFKii3`h
z{_Tq<S-!y>mxLT&f2P);e!2N}Sn)Hf?T+SUwP|c4lDWz4!01w=6YtuDo2zAn)MYa<
zL~IX#M9+;3Ch+H2hrp7Dq&C4Ee{Efz*hh5)Os|%HYq8hv;NW2IY$6j|s-X{cK}c`!
z2xdtm1r4{fw{-c0ZQgJURS$-zKJ=3E!P8SY{Mm09;cT*42Dl58i^wb<9|}~|l!<uK
z1exGQJ;D(}YZ3xl+ugB2?BBNbkOVPZGS%sViJxstP&F>|N2dvOaNM~n!ptS$E!R^U
zC283bS?ph(0J4=<*Yls2>FCnkIPjOP5zJjHBBDJp9S!^t^B5JVR^|(pIWW0_h|*Fy
zG$5tfOAjEzY#o7_Xcj4T@vanhLirv}Zy$hJIUsgJR&3Hbg{9QZ%+rTYrBojISCaj>
z3?lz^=@z1J7|(z#)0L>7hn8;o?r}D{EiYN95Q^V6rDb~Q6<h?x=2UXeOu+~^>uw99
zn0sy-(cR)2KxZY@q-c3&A3KLo#v$`V)*%P-2id?jve&__g9=oaxvDKs0Me$d08|z$
z$xP2Ov9yxGKr|J`p;Yi;$*&SEmr&RvB1Mz+me|X>0wJ~IbK&Zt-o_xRr=~JE3m+mK
zvw3nsCY)I2s>6M&DD~N)jMoEwt<|Nis1;O8wRxQ8ckgKPH=#@N*}lOwcx?$jeb4kD
zVrnR*7*3xl<D(S7t-UT%3`tDw`$hYs(<_|}Y_n9_PsO5s08J18G0micB~P2_F+IFy
zXAkA2;T7|x`w+RXWjNhw3s>hu<Se+Inv~|pwjzCk-ID<wHH3HAhQ$xy+!%+~&Tso~
zun=Dlt3jZXIFdK0MRww=;S%1<S{j8+a|H}M|0oTw_kr{{o$V#E=XlU=oZI+8eo*n7
zX)uPIl*Bd8ds(t-M^!X74p=v{Pef!uQ{;zA`t!P@H*=#qfBJ1n`f%*Pr$)l&(2HO5
z;q{fV?q{2LijJ6f9~ISx+asG8hvMZ++O-c(d)Fo%!dL8CLWK*ZL)(5n@kd%@S$LC_
zN}qq$J5eo-W8>fSU%(Rxe!A1MA_EWpw%Z^PRv={Z1T|PLz|&oI);y3aRD{#=26&R4
zk1*_PRo8FZE7;i(hNOpa*F2Bp;wwrZV3}Y=M6)<QP2n#T+f(?bqO5|LUytMoT+j^d
zy}wQPVpwxqMbYzXP|X*^-YNJf8dxXS5K`luGx6Tr>4qXgkX)W98TO=$*sPVZBD=V-
z*t}lgKdWf+)LsS41*NV_fyNF+#W+!31+Nwj$;jCR2uh`=Cg!l07E2?g0s~p7<Fgvi
zDr`^#m`tFNX<hdR&hL0+a_n(A`SXP^;-1`%p4|sBo=o~*2=*ocV)c2SLK2N$7YZ$=
z)4Foq?N?!4+U$GLuzG2`fhe@{&&SU^{(rDBsG($h^`NpcCs}M3I4Cy`LoFAGBa3Jm
zH`}oy3fp?4J1&>3f#aV>qC0g~76F(bq4nld1f(E=Yd-UAfB84Myy(zgnZ)$n-I@Na
zU87HA7a*S20K5uXuJxgxk8(EI8tW>4Gg8C?&Z*&v_7byZ+gqbar88}CFQ>op+ucx(
z<GX%+FEa_Tpv_Yu$BvL)x?Yt+KH2y#&<fZyvxJ8tggS`^+t-hRnI#mOb34uB4+=8j
zm%ULSEm`|8E;wyfUA2ruYm>Sed^d~ialZ39V`4mr&lCsPxN_l|%#W>mR-5@W+%}2$
z%VBd>Z-k+RD)hHNtcRTVo)%lK-ynVOz?I#6-T<3jp~QZY-ddO1l9WxvWzrEb6yJ06
zu~S4skM@<#uN7KdARr=3zSZ-3x-H8~E8zbj&~-fITD`!n<F++~u?3&Z1Zhm@T09`s
zt4Y$FrxIs<$XCH-e)=;A9PF-QiAaPy>!P`{oK)9af<7y@jR%H+{Jg+in}B0}ZxtfD
z`q=~#gEDq+Y%LIWD46JP;#&mv;<=EBCA~u1Fib&J77or&DM&9-+s;>fZM&C|n;oH9
zNpmg!8knCeN7W%VA?cEI7{I5YIuThb<AKl&G4625t81s>>$uFmnys~A*_m6($tOC|
zufh(G`t4wW2+kEab*#v1uF3vC-BU&v>pao^QzVfMKX@dbsO|`V2N%}9N#KP87aeLL
ztQ2dgJ1pdpiQovFFBoV)a?S0(G}PKTtAl4If5Kb9q4UoBZ?m2v#`gKxt=Ak^%lxj=
z#4&8X`LRp+xEe8IJxV}~7&F}RNt3dgqo$^QaJIKnxwn9}qr|6O<Iq4WfLag9D?0oU
zTMo(q<}6}BTRv&8<gKgJzLMITbhcI1x;_Mm;x(#Nvu!TG*I@fiw(>PZl~B`dX!@^D
z?U^b*AC^krpUjCbrt$|Ow-xy@XAc~z`NKmtG705I3T^C&;P5&b9`ZccN)6nmVqaU&
zjzv;C-S2(L7=E=>c?f)N7qV4vfkvu;+S}l2z+@@!oKT@p+(5$-DQdSLk}Pb=2xZ(z
z(WB+#(<0c0HF0my5ko_pHl)~VRRatdt=FW7$#>)ghaOcJPl|9{)%N#x!iCck#BI3*
zP%7+%3y~aC?d>3(3V6z0&L$Hs8~<+Ul~D?poY#rj>XAu=ESG%c;QCAQV4S2<9VD1+
zP3Nmue&h#*pYPupy3|aaymlMNgUO^>1lavShjr)=f-owYb30*9l(&TmG%;o{vfhs1
zQm{GtiEhA-RaoOPtg(g|L%lKlDFUN8Lf#DyM^q~4U@xI$_C&WfYTipGTuzGQ+TR!u
z@r#h#4t_b-#4|Aw3NO-Vghm1L$MI>#Y^IDcBtJXC9r&wp<OY=#=sNDpbn7cZ!$+vp
z+2#?P#{Mj{qwxnm{ztHuaTLg;-Dv!HlhtKZV<KZo^YNGYgN&&T?)8od>s`H5Up=72
zXX{@7x~4q+TZb?2?3@}pUUuNra4Zh)Z;qme-t!r~r!JEcO0>PP`SM=5ICNy>im()E
z&275Y1#N6}K$|~nCw7Jh3XcvBiuPIfrv%xXGXI{wUKC8qjq{{5mCA+rt36Tpa|w(5
zChZw=L(S9#GZ<I9Mf`5kCGcK?eqgwfUPo5slyqZYs6c+=F8g$iu3e`Eyyfywh^CiD
z2-zZ6dySoDP0e%R&L<Dzkd<KvkmZ9SyyXm`zR#^hmeiXBZY_g4ypT(J_*nf&z9fV)
zts;*XD=hA<aGaRi(nC~`L57({2?Y~7+2V(y*V0GgkAc)`#Y|Ar+#JXzGlzJI`)l{z
z37QA;f(!DUAu%L>NCs0X-gcvdproV(GQO>b$gfu8emyxS$6(@QZ(XYMb^-78INAUE
z#Xh_v^cx&J3+wh?5%#IBKPucJ*l7E2pyk3S5zR$W-_IBZgvv~EA&N8|scl|LEDl=<
zhN{}_JwIg;p$^k5eFksiejXY<gqXhA@qDejVe0RQN(0AlqTxlii`JR&lbb%6*g}e&
zk?7g!vBbP)Q3az9NqdYutxJ8w8o2<kE7+R(7IXg;MA^jID)m{pR-FME^2%kk4)^#h
zf>_uv695KvbALeua(saYiN`t}xH{FgL>?-jlUHY(wJF~iN?lMNPm1d|1)Hb^uz_AX
z7uqO^tu8;m*Ao(hJ^~cS>Z?tRqJHE}I56h&HQ9?cn>im@zF}^7y$oMg4269AP+CjL
z^b4i}8*=z>MA>m^9B#XESM4n9WEEuEa}25i(Ru-KMR98k$WDFN$)J%QVidp1T53kD
zQ$-_^<V1WUPDF*-41~cfHU)7MKY!+p6!bm3P;H`ElOOF=ZNG1Z;M_Vb>+;n$ruFaa
zy9hJ+w+_GzGp`d?r>pHa?A`caeT8Sxe1|M_3?VSt?6k8)!AJr!$@X}ir-n{m*7kQ$
zh#w~*<+&WXH<-4@=f}W+0^{0e$%jIS1n*x>gPK)H)$d^_3BQT;Wdlt53aG+8pD<#{
z_#ifcXCn-<p+=du=Bmentn2Ne^jMYBxC-k_avfc@r&dKk2n;WeV|j&OJU^2G1~<{e
z`b^;WlD+)-JS%c!+Ku$=<#0!qW;fVf!zCByI(J6+vbog6>|6N4P*f>O;;UXb{cW`w
zl*L%{onJU5jW@<a=gv<h^zL=xEG8|-D>gF5d8o0H17V?r3UPk<oELo1&o5b9BX5FB
zwLUOS_8T$UNO(K1PdVU&%a}S*@?6(=Lf6yaDIh91j1f-__a)q$^QT&=Axb_Zrxla7
zw|5>$*(4nNEE6)Mkl8=GjCIR{fl(le<ABCNQB4D5rObNGTk7S)<6U#oNOyr`f7}QA
zB^>*W1~tg6#f2O)*Xe*y4R4KDU7(oJJ~|NME33<n(RUk+Z>4Z(%EeX=t`7RT9^SQ!
z?(5!0e^VoPd^jOzv*5^`E+ub1;j-b<G<+4Citdt4PiNqaJ(pS0cT_v(Ocf0CR+#I?
zPDM4)YIVnACKi^09L~D>8y;x6VFQV)NEAXvgbSJtQm|YuqX{CM4~gNxqd1sSMtN5!
zd_|3n*_K`Tf<mvW2LHpIwP5hMQ~5@)YF-W5^DUI>GL{k@2j?qeI|`Ql{32imyqerd
z6CtF>wRbkr=e5#gSKi&e#D&#mVO)iai#vFq*3A8#md+uU_F{@Z?o*a8_vsEAf4_j9
z5CPH;9eYP=kDciv`R}V3p%A&6{S9|}LvQm013(DDZg>elVFFwwBvHbnq{9I^LtJ>)
zvS+y8x6}?$4v3#yqpMMcd)6Oy`nKk$KXOL%9Uw(}B-`{6z37bRTBzbmGZzjJ<zF<D
z_Qdu(fmARsvW$^NZvI(SY8!&A;~>z<hjdHPmp(Qg7#0<VWPM_lbU5ZxfW0b5_(?jU
zDk99x2{Y&#mV%LsNaIf|z?eZyqnA9Lb^i&7oK;3eNJv~i0e_B@jd5sC6@9l1_+~1y
zr8^U$Xq5B`!;FgV8UWf~Lu?J)&Z_DkuZLWD{M(alJZXYimHM6GP*eN3=@(AtCAke+
z7R$77DEoM((NFGe3xZ@VC9MF!(4TbSQb8~H1k}M4xb*H5Vt2i`p|L>GJt4z2q#rde
z9(Llk;ZKvR@BxCcwgbaS2ipdHGCb+JvjCYuuIvvOo%SeyB0!05h$~s9f&;S$M-1Zj
ziHWlM=Zjv+avnR*4&^yUZNZ)W?Ag4+quWKUml>(y#F_LIVbf`J<QI37(La^&{>ibu
z;(YMZCmbiA?ln!5*Ms^7#Db|3J|t<zg9uDKS<KqTRP!jQ@DF*DWs<|a2`S_c8aT@w
zZ_drq+r5-aP$FZgW)x7sX`P$JXnMEn{D}0J_C8NaWce-a2TnBfI7rPGlJRj|OtvqZ
zVKO&7t%m~n4o{j^NZ2`4waD)F?kxmPVIy6nV1_#i?qFHRB|_9xphP%JV#4_*=2Ui5
za>0A{8iUDni|nDev9rnZ!$4r+Fzv}kc!4{1_E@t47K9T7>$=^@kCuB6_^x+z!k3@+
zA_|%=OGI-PB_pEE8-5^_Ym-IgR3a=BN)Oq&5{GWgTYMYrqvZr7kJD^NinRnvXqa|q
zPW->th$*a`L41Xe51;u()pxpn8x+6hf`iyWb0ud&LrWk#Bajso_hJApcjJTAHz1(R
z+wwxklF}hh<vG8GDw`Yy22p!Ci;Cx#8E37bCXzw38bjp*+C~k5t{Go>gjUct+K;hj
zVqjP%pJjGOsrj7t)qpS~-wJM4BEOre+`nhhhKtf&PxCv!5AnIev+?#rE&@$?Vn0h(
zjzi=g!@Sl#IhHuDpi;`rMSnm}PqH`b=IBQZ-f;)da#3@0FjeTZJ9K$_JCMSliB3vt
zK)d$j5D!2Gz`?<-wYr2QqFHt>%OSOc?93z(=Gf_`?v*xA_FJbq9Eby(2_d)|E3pqF
zW};R=la0N55SK!#p9TB=>^CQ1V?|Z_5C@K}kqVPM!k@f7!Jn=08PC@UJ8r2nTG1u<
zQZXeKbcIn38mVO}5+d=b5lT@Pb0YuLCV<M+7#4YYu8AOP<G#cYbCI7!ju$bN6ljIU
z<1Wz$6!@N4i?%3woFd$W%;?6LJm-?&p8Q(qs{4yY1-L!yJSHs_N!s{IQ@vyA%e?Y9
zXBsb)mZ&kg9utlPqoGD`#ML$53`g<cNY6(E(N)z49XnrGkYqntf}2w!qa@|nMvN<g
z8$oBr=<<h)lfC~NITJ2a(93k(WvSX|Dk~;<5y#Hb@!TGO%y?S!z0V1jt17ajaebuo
zy9V5yqD9sR0M|+bHp`Y!Wz49l@6E$hOr=)hdd)u_!sePeQKdPTU&TUGE?T)+3g<<j
z2y5Z?T3TKL+kVL6DCO_Dy_5lO49@t%)_I}Kz@WfTcGyFHf>y7VaX8S9zwaxCf^li?
z*2_FmI6P8+FUd*GNskpQqE6!x>R=)J<Mk>GJOavaOq7Mw*0d8J5ZvBO_9o<oZG);;
z<V;m-Hppnp<D1ms;hMwqk*<T&zAm)LB_fhIoDcyH?$^^?K2$!3hkwaCq9m_>5F385
zF?rZ&Rpx)p_k&VeKcY4m^z5c;WZfYKPH9EMCDgVk_QlP8l)ciJO_!=g$ngIhk3XOK
z0@rNRdz>Bag&C7=^9Quw%b%R^BWCNz@6*@VnsLP8@NF!oguZ3UK2oFig+>6RpGIl5
zY1XnL))${}+Wxr=6X~)E{Fkd|L`LoIELEg0NIAL~2!G@pk4|Ov&=3Z9A0_e~=&j>K
zl9eY(o{@+8=d!N)ckaTAYWmpQxwn3JWuZ^!)6mCjL`GiD<rsFXA`1sLsf^cp_4*RG
z<43nVLa(89#<bk(Eon`&4_8iL809m!U0@~T!vJ3|v0h9Q(uMXduGi-BT&B+Br3`z+
zRSf4|eet&QA8Kv-or(Davb#!SreA}F!n>NV3V%!tR<?uSJMn^0#x<tv@f7Te9mNpA
z(QR(<Y603YmzJ|3EA50)i?4xCB>YK^jau+@7(&lM7t&IX#{x30*-Y-$k;&oXo^llV
zXig!}f!ubRAt^*n<N^j?dXB2-d~t~K7vV@`P2Kt55XU9kAF`0bB&4_wH_FkNFZ4oS
z0Hj3XV&JgF_ee>b*!-_k{x!u7+_>)cr6RmO3(Pt}?I0ESR(H~*l9wP;L<isd#W0y`
z@%9??UDS{ncA{4vWDl~ixf^3Rwd;F!iq6UwAI;0fvoKHBXTq*GXUy|r+Cw7QhkoUk
zRu(76AMS9Vn-^KF7AJ1fQ0c8dDM(sxtImk5)SQm?|CR}j`SfLc93I~MG$o?=xNh}D
z7l2T{8WFN4E-qdh-@$b-nH5ID?_RS$$jB5^ccGGwI-abSQ)!t{A@Gp+5JPo|N?{}t
z(o;nT=VV+9^PR-fjF}gYH34ue>%vTcL4o#$*xQ1;?fB3LE=wSE%9r&N%O_Apgrl{~
zyYHwHMu;2uX%nZCE1@n(N8;e@Opp5=IX|M46FjFC&+`*aFE$jkvtp9I)<h^!iHw1p
z5)NHP2ODo`t~;i6vszsL=zGHJJF^BC`nNTF1ieuF8ydZ4&A_pZik1vO^5Um^i{lAI
z(}rA0y7P4xEz2K_t5ZM{)6x-a)NhBeDy(}J(t~s9zWEhs9O6@uk#*cJ&eNJpdE^P(
z%IU$WubQT{n(RJ!^7els98fp=djxo;xUR({U09hnBKi{5(6){Z5X7M(fu)p)4ofb4
z_+5Yro%JDf1~h$1xi0MWR|eIVC>+>%x1k9&ibv5B(duJGY^t1?`Z%>qf0F=D9cyuf
z+f3$$!L^BSXiqhn1}@0EGnCr1J%u%y2^diTK2@?7@lzAhgONsBpQ!Cw$W)>N>hC>W
z=6V;g=ATVVUX=J%=Ee=BmXX1D=UcY&%tA*8)D@<P2dNe5au!&Ksgyi9LI)%dIR#!Q
znp$eeUmY10D8sSqix7OhSZXD}CO(UxoBPS+%1}%A445H>XV|a$@)75y;K6a+-5<*?
zSNj7>;af=}qTZxXLkhTU=X0fkX3nyMr(gz_KYjk!B4d*MzsL&3eU!~(1My{^kQgld
z0~G+yR%bdeem-uZT2=DT9T6x!YwF8_KOJC!z?!D|Swv<vB)$g{NvwjhbQWj$?}Q$`
znc9Y!+EP=p?F(9MS1e%GhM>v{PlBiY)<r9@WVdfHZ<Ge;aoI1~iWzO5@UAC$N;r_f
zO3;!vgfZ@EZ?l8I{{1gMs;y3>Kr6AI6&rt*l1)CXZuOH^oh^m`lNo6-4GGQRJ*_49
zW%tSuX&5B}yRo*OdB}wCnQQPd&f93eM3Se`<%8u^a5`W@nYb-eqvqP~Th*)7?)C2@
zeC{2S7S4-^V#C|u>`JDI2oaD*^H-&bjGQ1t&Fa1*K_WUmCbSqIr2&gvWPoY-_o54C
zU0tGdobOXrAOq`EcP;>_^oHVX_9NgJHuZGlOD@U&gUVjMRFVPyO7%K}-$Ctl>njvw
zNMl9}ll(+v#|z_khTY+#IXai|&r8m?lt<)^1G9tmbWHcv=`5+U26Mv|K!pqhH6nQM
zg7rF4_pf=Qx1F!}K7nGohhE9}{Gb&d67ViP;$j)uZ*1o=E>71iAmZ*saKMj*NB;^9
zI7x{d(5e5l`B$iD1t!pEHl}-RqRh<RmDCP3OS`R^NrvzdO141`gl)8W?DM2BDvGRH
z?^TM5{NEk(#F0-0CvKBNcH0)ONU9yd(<99z&qZd{`H!(7wVIW=QNjyEGn9dt`qB!+
zH2r)CcUjY~@B6o(>Ap-k;B%e|9Eqt6MF8!l2Tlnk6;l6Xd<Z((q?+uuZIWxKc^eUF
z`rf^&FRAiP^@<Bi9X7NU#jzz1;1>f{RtVNtmX%vf0}rS$Ru`HUZuyn6vE?JtXne)L
zF%GO0Cudt%vZ^N&{x0^0ay>2QmtGWq8~Z0lvVpIG5iNmp-WfpPuv@{_Z+FMpc+UbL
z^iPBgeg5_9*W+bB8hAQ05h>;LyM&yak%ja!>3C~|fRC>#2NB&t_WnA9A$(25ZEVJ_
z%6PCVg$(hzS+oM_R}Kg>w6?6QtURrEw#Bsl*5H%MqF()<BCdyN3>5_k3|}Y-EmdEd
zHbe_>E$0=8G<p*uqK?KJ)v?NJ?yKWeYOjR@GN>h`j0T3HWXRJDfuujxOO<CvQFm7s
zB*m2~HKf(mdAin#qTxm*My7cgNj%erIIpycfKR2pDJK+<e_6abln;YK9V>UvA~s>6
z#WFHtm)oaySim^=s+WAv*Oe!>q0eR375FQJsecg;+jbbG+^qxez3rmAJjnX*mE}fe
z&cf3ZD7g5DbM4!rm-MJ@zmEi)J0kH+LkrXGP^^3wM0n?GtSN8^Hpa&p78fngXl8vM
z@B>Vbkzu7%(-1&E`RuC6S&YtJuze|<?_#$3RTvvbbuL{T-$QN1rL6NO|BP^}zbz%i
zh2!t?<LlDbilTWHjMn)26kj653vHGLk~OA*NB1L$Js<U<33va#zhbSj2#?mQydi);
zD(fQDcr=~_;|ZYCXv4O7iU~_2MQyu<P5E!huoGnNKvva4M&vaYGKS$MD&sH=CM&I)
zcSzK*;)DZ)NfN8|t3q5i)|UJ@mRc0F*5Dbq{u*a_e)YVYjN)mF=k3(;^e+Wq)MQrB
z$VC7}%m@anS3L{wdX8u#3rCH0?NY#YpU15*_`8OQWnzC034ub@gj@(VtIB9{gFGn6
z0l*G!wYo})fB7!I?Vb7Bv(}f`_tiBC4X5}>vDiXU?77lX2tWzi7r5SH!BqAAGb=F_
zFN6I$O^afcKSJl%ATM=*y_J#nWnYcY-ULyfg&K|8+=Eu)uzz&C)^nH)aQ@_rh9GHx
zT1R`55^5f<!L<M>J2W=4R}Av4Ms<8K66!kE#Iictqmv-;u%(rBl{Eo;p|{#+!3!X0
zy~)C9C~n|7shT9GSn{1^VJ&6>n#?MWQh&xG@Txg{0#1#J;0oprsprs{*&735LRe;|
zpebp5>+5ge4aBvyPX;;X9<J&SY#t)C7AT&G)6>MwrGS2m3}AG28-}R9HaEMyYO`Pw
zA&fC-=h{<?3R5pdu64DBAeje2c4{npvlRsiYb)W0AcQW*WN2@f`gqYPs<}~CAn2<}
zpo}u;DFg!WvO?%W<16z33cb`@MqjS<Svl-4c@FGiK+2&jfhsOiS{<ng4>x*n%!w2e
zp?3D=szGA&^)?#4Wu10HR3bAF4Ldhsb^55LusPPBE+|N=cw9YPEBoB$+X}tw1B*jK
zyEHaBCZSkG3>!L>{5E@<vD>=r`n^s_?yv=iL{r7*H|1EUcsCQZLQWF+RIieyoQ_EZ
zpPeENQf+UaGMEKBAuR@Fea^bA`)g5#sYn~`L=;QhKncnrzl7=zw-AHihf5zl$XbhR
z%Kj-{C@&B0cK#>n2@A;>g?zJNGypwr+Arpq{*egwztC-<T|MP`C!=(JdNpWG<k)QU
z2#flXz?JjH$?tKFjT@oWz9D6@!TTXrRny#zcgYZQ>XqQ`Qm`kfymQcz0-x+rP$VxB
z08tP!Us&|D%r?{X&s>qA{J^&u-pUUJgLD;TzC_uj6xQ;-t%M`T!|cMMUN>)4@ccC6
z#_xd&+HvF~yrKl8{6yFQb6`obMoL`^Izj&ck@lJwa{@D?WaV3koQ$9%1&fpf;bDQ*
z(l@qj*eR({Aj^*k{Q8mh<{6juuku7I7}@lAm57LNU;f5bn*NCYlv0JZ&=6GR5KVj3
z@g$HMeG)r{?VH<sOm&8fw7Y}#$z1_g;mO&mQAIvU1u6595L^D|jck01f^p1;PHU-U
z;;#^=h*BfESn47Ok+c(qp?R6Yh`daAbQe{^v_uP}sP@I-ZwM-;rZWc;SC?#K4aQPX
zmf0zx1Vongqis#dcK0FjgfHyP-nbX`2FHk{RT6Jcf6&P>$+_{g%be21%13JzMVD$%
zeem%na}C<8rIO_jmr1#@&3CgvfuH>ZyT4IgUXbVYHC(+WoD+vgCP{a>r)0hWqL1eZ
zGc(Dy(?(4|if!7w64URkR=g#Z0^jy^-$jf9n^4Oc<NSZ%FSodFq-nV@613kt1k-q-
zI`4kuuX!NfZJ?L--VSF9jX+Gc$iKwU8NU7u0V-rBTOn@Y9UWZnk8d9wzy$=nTPRu}
zO`a@Nif3`zDOc(^bv9WjzLA~LG87c~KI*;42|*h$N#`-5=kcBp)#EYg$W1gB_trB^
z4H8OGz&546Gp-D1yxSgK5KuLHGw6U9xv3~+p$o|%O;S^fLs*@JUcYj?FZGP1Lq9YO
zNC{!!w@Ro_@Zv(+Sm1Hoc)rOAFo+vlLi;>DzsCS;_bLYjP){SGA8FXxS!s3-mJ36R
zZ>4#n8rW=UZOcXmf_h5cd>F2cY1#Uu9QIY(4Uv&%rRgT+`lHRT>FI+tXiG1+rp^Ma
zif{bPBEGTlLm0+AV{`XY#WR+F`<ol*#gr(q$_3<*pTe<1a@vLO=!B2wCgRnvxhSb)
zNyuk<Ldglg@Ye}N6R*mnjA#);2nd(J3?X?Lbmf?)lGUO=X^aZ!VV>QSom2(&-5T=9
zs^XGCeh&V?UC?4dr!Tr4{K|%j^Ux2RsNV|!O=fWqzr8+#kp-yn6bS-%Pfm~=E-X6l
z-tg@FlH7#&#l4amuj+Uqi32Ur<1>;XyS8>OC-N6pddD~lww!Q37>?u%<p<FKRUTKe
zsLsVh=`SF=^!nQvGozqK0PFr|IhGXBl#cLsa!5=QB4k2#h%!L*k=i7h;zDtf;b*9r
zksfTSu57rB!h><Wp{afNmvMNR>3{*i9#JQL>+8!9s)O?Oe{un+9B(s2)wHYFgn+}S
zV#L}f80}P+hr<T^zpyQ<He9Trb=|G@O%@_{FyIyk2KWoUAb(ufe)#Pl3?mTN=|zCu
z*PrTvX=$3Qvr^p(QZN+hPtRk!?te2yQ-+noAIjFKlz)`*i&YILellAYij|8A(%V@x
zlFlUGAC<slzqR>_#^j=YS#cPS$mOjASG}ylE)DlG%MG6*iw7o>-cq3G8K5s;^sBaw
zqESHT=DQnjk~bif&YQqM?`@}_Yogb!Z}5;3{BR+KkjRbs!;5#}D6)TUad;q!A;zAi
zjpt7<x^3UjHr~^Oy*3`2VFO7EPj-ivW!8{mDe4Bk0Zwvof_;{U=s5u1)^^ePo19<}
z@2ItEI0R@<cNwb-%s*z||E<qzqr4aMlgqy^ua9HuKO@ld5!8L$7L~(07VLFDjo$co
zbHXq2WEv0sIbY&<_^iiE8v8xE!vd^sSkuVpDj~Pcm2#r2Q>_H0+-PuQJ^xvYSoj~<
z&OeR()7k%O^W^}2OJX$Ooa%tYp9rI-_%dC|-zvtJw-{EvGe;~mJ^4C1`fuSYm;bL0
zh5zek|Itd%YTTz>h0fPp42SIi_&{eo;0@W+si)?Lv;Fs9{M)mE*MU9n1{%%2TO&Tb
z|GOLi(Vhse$TuwN{Vnl5{r}a||LS<2?MIhom$yc~Z2!O3{P#1&<UJ9I&X*L|%>VV>
ze-7e**{{q6pB$6UPz;zaozKIQvylrh-Z5N)WncL*GtJs4CF4b35KRmoZm_s~|KA4v
zw|yNr@Eu$#1sb#zoNN+c#9u7jTw<vLWGb}?%76Cp(1G8AgPBe%ClYc}f{T75@6DEL
z(Qk*0>N+7^N_AL4tJC8ofUDE49~7Ds(x(2^$ZT*xQaYE$%Y-9&j-NG#V>YUSpBl@J
zU*POiHW#5VuK_9v7NeVJq$V4&{o&DH2KM6k3hiExS-3d9C3eUaU?tWZ4N%((`NATC
zBS(@Ur;?h9X*UF7d&(&<_eQby4zQd`Z|c0~gC5=f-%0z&#w`-bZ%m{_L`40|%YQ2`
zdKs{&Cz6WP#y?FEZV(OasT8nBNJLBdZ(KeQ#wJhLwk)q6qGGr}d$#j#X9enS?;eLA
zF*I3guKb0rL#OIec|&(}bK57S-oG%}7u@;Z^Jjn==wWvCm=cbO0>)IY*b5>EZpWjN
zy=7%fAP9WjAGrx}k%OGA{wl7A<P)tg{YzAA188Pt4Hlc0z#zgG*sU$lpwHL%Np~wP
z7f}7fjNz~j9hb5en-alm2!0z!K6wADPay<VUa5$k<!m`_f3;6Jy3vFG=<|D}HMs-w
ze=W5C@{xa*3^wJZoIC`U`5CD?S*ke@43pB-+vgbiQV09Y44vkV54Fk>Ix*1l&4~6c
zIc;rJ!VG1)PLe(PwFc^ixH3<r3~Ag5I!;<4Ao^sJAjYNzhhM{U7RkP*?o{vl)y-p|
z<&IS)QxtH(_^RAmrKTy%NVz))f4!DM1SGrmKl<@MJo(WB!}9~2$5|WdQGC#JtD*;K
zzu^<Ie()BWIg*m7F*<{Kf4`u7l0ZN`<<<JImypjUcF|;a>2(o{zgdWZfxnkefscW~
zGMG-9edSf{{@8Nn<7y8<AeuuyF(;8yowv9H4MQb?&pKd$6sM+{&K&_R#%bdyLwiRw
z|4>3ZoGIrIZM-i&^W_uOtX%j~bh#3=ehN+*?NDxTo8zRUf}XFAisclf&`|3Pi8@#E
z5xkSU)R|$>U9`WJ0NGh=uz}r9<_Ed||Le+A2(lX6yFW4|5qI?FbnoujQm2`Z&BYl5
z6C*~)04GYnZ_E=bve`=xtgK{oM(F4v5Ia)jyMvePSf+=dP|gECoL<AoE~O!ZY*xB!
zNO10s>q$%mKJh3N>E*>%q!Oi8vM4Gp>hIftaa%t_Cn5_wc_0-RA2u%By*vs+d3@G@
z{7|Gdu`HJgZ!P;4r%9MNmz0p2Doqe*TB_TQNWYv(MF~XYKF9gYA2DEOr$?Xf4#S{_
z)D<jAB->2Q4?#bMxTidW06Rv!XCpt|Glg}X{6Wl)6}sk&_<*7EJP2EAP*4AJNq2{i
z<jdr*U}!{v@MviRQVd`<F(g2w|NUQV{{Q9+JprhJnm{?qoty$$w_M|I>p(WshgKu`
zlTFF=qFm&zC{}$PN=7cy_Nlj5WR=A9)QH~=u8Dh|LPx3<1qU4<X9_E;(Rl6Fg7R*>
zKkr^y_!z7@&|E<&^k~<5l%llqQsM?gxW9@TuSbnse;!B6w+5*a6K(BXiQ{))f5NVl
zd$j7)QcwQVJG-KHdCtPlI&hT)$6|g(!PCmSJ6!8mYrYFqNA@H$SWs<&g*LXyhFxm)
zVNd<;6O=1N78%>sR#(j9e~J#Q5P&a^;5SzwMp`}f<ni?EQ?KY-lPp&*cEj^D3oE?w
zIAPf-6goV$`%;mNT%m*uWLs+|3+i=QprV`nge8sES6X5a0z$2zeP!Dx?wc#3IehL%
zlo%@NZh{?mG5Qns|MM&5b97J6&>$Ju68-{4jFP&YxVa_gJ!HyVEDXsU%;i?E(lfP)
zS*XQ<%1g^4vwdu+%bsGQ5t&I(DaXbo+3L%oZxTAeWKz33yU4EAZ=}%xdP)W28Nocn
zs?fFmU<nxHaIfi7iNp1JBEG*XprN`(OSUH;-})1JordG^?MWN8(wIyEi|8#=iXo4v
zR7%TJWX4wf7>!BY{>k}JRSI$R3QiRolLd#>D{{$*q=VS}{vyMgTN&D?gbkTtdiO{B
zBf|VshX+0J@`Y@c3NNO7+lVD}gOI7Z&F1`@WUr+c4@!BNdT_)RTL2zw#J~zBM4iip
z0SCbyiO{Aqvj10`JReTomap!^rMO>fZ02z}2>D3VnhkL35dGSXunLTMWv>yNQMyC^
zRjBaK_Olmqi3lvIi6?3%GrG%X9~n!aV&}&TV_ug?)r)1GB;2~3M}KiU!06CB1%a%i
z5mC7uYa1z@_xack*BB88Tg6tW8SZoPE>kt#t^W?EMoD1Ox+K=#?AUo~R7nw1E?i!h
zhw9v`R`9!E@m46#;wKRD=cQER*>AQ4a>7;rgN)5`Cmw8k6yPX3flCPel@RH8w!ma7
z=!Z5MLC53zk{X{<l8%R*l9HMZ7Dyyk`SWK>R-MsVQo~Yh5~(>Txb}SdtKITy+_txv
zQ08ws+EtNgBF!q}qgb_;8*)|nY!Dgz_~%J^`E9}L5SbVELq-g_G9I5h)I@ATe1gC?
zQ=<_<U&64{Xjg$qxqJ^*{Bjv3NyFg~oPmECT>aaI{Xw0)HLs0$O`p;1CHzqw`Uz>w
zKPfW@yj=LyH?RcH&izIa(u8bJroI#oVFz_JI6JxIbc}f|<H<om2eZ5fQjK<`6?nem
z*7~#gC5@S)%tHLuR)fgums<kvU-+~O!Cps7@4dZxiWCAdbJK60Ua@(+l=-iSlun84
z&MM2(%0>zJW(l%<z-VIQD~b1H6)ivsc1^`{2+~PXvLg#uBBfN0zLvYcJ8B~P{v{)A
zR(4Lhk^vVi<Ja1d5Ur@F$QlnsN#+#kNIHp3nUVgG)=U<=wDe0_z38!lmRhK-WfsJk
z;{{Q%N5Pkr^xGj8v$OqwfRg{?UG*Oy1FxfdY%r)9Z-M8sl-{=|;RbuMJEkUd@#F-1
zW{If@5#N3qfR{M)&a&BoTOfG>A>BHJ41#5tJ@IWivo?wZxrAF<MCps6e6^EUblI58
z;f=e!$pY+KA^fBKkx6R(M1hu7Efv~WLPW&I1Z|z3(FJT-5O2|A?=RyuX(!0tT*9$m
zs!4c=<3fcaze?(E%4~@!HGeDD)m1VgP+<WCCn;*RuJJ(u1qVELHEmziKLaU&G@LLL
zPFAIV>_jLe{w}rI;JIga1P!dca7Ug9-(_DM{7XY2Vnw_}ws`Ar4_p&~SJsF(T8$Tg
zbIBnD8lnV`foBwJ%IR+Uib;hioF4kD`ZM&M-K32}(;N(hQ>DVup`7|fkRs{ll97S?
z8?+E_>Qf#sOIjDK+LJyz&*vwTm2d8s_oYFf!`!76bP-|=T0}vjdjx%KH}TEkzZ!}n
zaJiZ$n+9&jW?^i?XG(QD`7${xAozC$Z29qm#^$YePu?z&%#;XMQ0DC<)bACP^Tn2p
zJL|MbD(otRG^kF3LmJdwC1R9w9i!Le041gSw!x<Yyon?1!_#AkXF3a1Dw-w~*{lpv
zME^Qi`e))lhxL^EBxC>X?~`X^ue%(5anpJ^GUB*-7+k8V%qw!l@$-=@sO&$e8jOio
zmK(Oo3n)cyCg{wQ!1U6^FF8P`qa1qGrD(yPhyRPg?Z{7$g2{jcP%X)hp3sv)2JpCU
zp?UIW>=fRg&6GnWVAAt0RILWx1+0gSEGfveXC+Gn)x+q?`ulV3sLjcYd=&?=A`Yl@
zt2$fppU`pTv_v}ym&P?3{xzCxnoO^^;HKx#+AdTinQq2n;KwUpwC^1n&qvQt7ZH;q
z#7v|+iBsl!Rs!!eaE!3A=a*#D5fFs`ni4T!CMgW~`xkKlXhF`Y84*cp;8=$(4s05P
z6TOR2X8o4bNWeE=5f0(fM6RSjR;g@H&^I3SFXG*Qd#Q`?N{j3*?_yOtAKJJlgR``>
zGC@Zc;?pfsR}H<4D3{@0C+NO68$<xvNIvr78Y18y3e$a1CMhg-PJxQ(;OuX7pAT)=
z&xD8xpy3Rf@bEsvifoc?dz;uF2ukR$A!ack3Gv?6WGO8=J>9K+QEy7QS#1!oxK3S;
z+NwWMIzk7U+XHWD1mKCE{p~wr$!E&Im?$dx<#ejRvDm)>V+$$LF<2`@ePI$XtI@Yc
zq|~aE9@x%wxUW12F$$_Pr{jhRvaiZ?zaOo~4)8Vlu_uMIV-A0K?O~{OWniKteC0Qf
zm1aWY-ot|ZY$AWDA!%x0Y)rYfwkAWIhV9(?4|MWB4jz}E$@4_Hj+$g?8Fi$*?f*Oa
zRn~yt+uKuy{vvRCb_Rw=(RUphPkr~!=k{)7Wt~OFbS2>rV5(X}`z(-{nGwT^#QkFP
zagnR_p-C$z**lQY0$EI%JAy2g$U=1y_wv%W8<ftNorFmgX2X3>^~VZ#K*Ha$lNIq7
zQ%5TGI0aKuhwlzs!?M{@Qzr2A6cWgdiG>l9<v~Wp9fpAe`1Hk$X4rB()=zP{!cFd)
zaHdgz@TnL68)R4T{OGX>mT#*n1eObftNm7(_1DgsYF+7u8#l>`T^YcSu`(tYyjrpU
z+vJZ*8fHlPkd3xbH4Em%VH<lo3mbH&cUZ+-p}5B%8O6i_AGa&SF9KeGg;Sx2AUuH!
z4xD=j?O+8sMfS<(_YTQTp_ta2v;?^8aVE;wgTUQS|Gx7ILXSn$g3Q?J08E@Dh5p*X
zNxdFU!hEQOxD~@GTm0{lG_s&>EygGzrOS>7R|+ale9>#<Ugc{Y4TRMn?5}q2;VI%g
zhq*ViW+#!K8|_P~DThCo-*1V1C&mi9?;rXcW~>?~BC*jKI5X}}Dcwt0U_&18pP7(<
zPuW1im%7w~uDJ0zj94_z_}(U9A}63<ctHP$sdtRBY-^fEyKLLGU0t?q+qP}n)n(hZ
z*=5_dUAN9T&-;!0e~q!%*turT%!teg=zrXj2UPKR9Y2O#OXJhi{Guu^(0YWfC;$8m
zb-jIp-$AM)fK>lkkKIJO0vGu3DET5|GrY>~&;IO)lgeBBzpr9v5uV)9R}{5ALBeS4
zCdZd(6S{5(;P!}FT&HUO`c0Yo4;jxLYl!#rui@chdbW7N!1{{=lj8(eD5A>oq;HSq
z-M!2IU;5q&hR;<-jVCY)!NmT)2N!|8_@!Bp&oI<A@s5C<&Zpn2GK3nWHj8P@Q%{kY
zyD*bhy^N=m07hH2Rr{F9<xZO<WP_fll$AEjC<U#%twzpN1&R`JQi0;GmyR4Q{a3$`
zt+~z9gi6IWQgB+wT94cqw~Nv1>(k*tQYyD1J@^<hQr7}xF8!n{9wRE+jG!XO*tk%T
zCZ&IJFlbHi6aQMfZ@qQUeXT|4MovXk<1;Y5%)XAL?4wib;E+n+z(glbTiz1{MYYzY
zSOC=g4P$%~0*|J+{VP2~UExW%3o?>cK*a=<*#Ia_(R(^gLwptckok%!AiPrSyT+zO
zwyx?Hoqhcz7=;OYbYlGnM77KPL=LDXP&Kp8X|h&2JSLz@y<u(e(;vIBjt+SEO#8xn
z+$>CL=9*{k{s)%)VI0@NPkdy@8__PnLO%H@PNB5Gc`4@S-1VUWj+*ibyd3N2<FbZ)
zc21VF>`Ht$w)BDL9K|?A(MX;mKJ@}|9Wf@#A0j|*CjOTUc6cLy2|wi<PgJ*h?{mrM
zcn4+sgS0y`%Wt(j19Mq|;QwY;P)pOtFFT}AYjHx5(P|6DCWJ~N#8`X8_CxUIfc#lo
zgPFKRU#e9c)Su5Tps%kAWtkv7<=he|5F1KZWr9yRizwTc_UkGG_Wf=HiBz=~<T~vd
zlft35TS51lVf}>$XFc$I??S{T88tl|6OimI?Df2l#@_14&1hw*Z#3OJD&Z5g%3H&?
z=z+_Ae@roFElE<}hqws_)3*b+295!hh#P7!8xY)zfdL0Zs7XzI(d&j>BBFisnEMp`
z(-Vt?b-SY6qfz%|iPp&_`uQw!{Jpu4)fK>XM1w-D;xjX%cDQ%cH`tZHWy{IeHq<4I
zWvsKBvI?uL*x9XWaD&GH8MT@<y@6*x5ZQmu0)v-@0Hwa@qTidRn=Ow4Q!c^hLc<re
z2raDD(}M5@ckf1z-ui~mi9LgXn(Lb<udj1|ta-VggfSXFOw!|vYRBOnG!^9W!-xhl
z6qwp+>2hUw?GUde{5rVO4Xra<1tmT@KpHay=Cq{Z2da6Gn=Rch?EhozDL*j}Au9W4
zaQ*>Wj3(>mw$}bcU==xBp8qENQmsy(%s`<Yf|KHcyIg-`kWPMmKm-i#e|h2%)}Kuv
z37mY^D7yIi5Vp3ZT(DmPx~kAFZM!`7P#F^`tFr$L>31tqQ6T^V61q>a!ioes1oS+m
z9Ec~x8!Ll|Al`r~RhaJ3|EkSzabTsvq!;E&sEQBxi*;Z0&2VykOZwAU0`^x|W>7C4
zoOR#VI(RGxDSTNF63nLa@b+$-RxdYhRHRe+Di<K;`=*h3QGK;qeLCt-OoNNwSbalH
ze=Z53{_Er=M?wE0Ua5ZD_kMcQSF;raaYPq=FcI%JqO)h*a9hpA;X|Mv!?oj_-bs71
zat~$U3J>Mldl%exr)vO5Ln`!HNdD2PiqT3vf<{S_>HeVs&${nFRq&(__R6Y%HomZY
zzFa7^ye#sxVW_CHm_W!3sBb6W8ua4v0#6fr1Olvo4L6mBCY(c`%Gwwnq{WXmR7KzB
z_(B*B5wVVdPBIW{3TrqkI6h#~Bh#`nR%Y@dZBM5~zWG-ARjEbS#zn4pe$s<Rp+{2S
z!3^eLq3yp<i}tP!BMp%G1W?8>QfGW}7f-8&fpVhu{t-FS&ttoJ$Ll*;u%+k8+`wXB
zqt!e5z>rHAnT*YGD%x!VO;2|(U9RLld-vR@4aWIoza~?v(ZSlp@{m(gWS+|Dp$sB8
zBo^5@rz`I3)~B1q-2_8OmDL+xW<p>-U|P6+6mdED{ZZ$MG}XS)TWUYByKfdzHF3O?
zdAgl1ak+V;B)Z>m>bSE}Nmm?W9x)jNzTpKAMkSfp@9AgzUqf{l)|*KrF;1k>DU0pT
z=GU93#8Pbgw|5^H0h+?Oc?U-c-SzVhg>tm!)us`W_iD6Xb@T5`D<qku4z92d$iHRl
zODrLuIv_y<|HzXyy~z@P5Gk~vvZ&!7!oQJPC1++!xrnTXDCW9iQdac0nRt+W<@?sL
zf?&KtCj}*d@`NOptb&fJlj$w+f2r2ZrxoR2AcMWp!;n{Q&Y#sBiIE*uDh1X-x16;6
zFV|iB%Vkt2vv^RcM~QM}jDf!wVMk=L1Tw>cW@|-2u)~yct=E@kzWOOB0%HK&L(C{(
zpE%3qv2u?`boKjlVFj|By)NvZ`bEQ{WkQQ1FrRIMbMJ42f6Ug>Zu>?q1L)5IchqNh
z(~Y~KI$Q`y=TWiPX!xW}new<ceV=f@UUp4=H#Jwv4H$OLQ4Z4M!8kRW&+<gFSiNsA
zgZKs7l(nPme+DTZFqt6mo~;P9O#irm8Jb-4dx`K&T90z3b+TihH=%H;OsXM71I1%~
zgIhjb3e1H~)t1ob$LmVbRW|TD!(sE<VKc<`0}x86sUcy>iiPn>xFd#esxwkw@j~ky
z0PGzyfQ!al<xLMFHlvb`7NejR<$;7qeZhXNFCmXVG=k8=W<;nVJ~*>Y6vcV`K2v=X
z4tze7Uq8!}*8l7E-}RED3(PLB;KQrA)!+*3znOXnC{8#ZN$1m5Y&ownfkOD<Lki~1
z4NZ>whN7*cQ$z4!@jr^g4Gck!JgIcKn99o3w%32YuXL?|^a+P2vKgl*B(g0&cVB*m
zMj3bNs}1bOB84wILW>$%-7TYr5}!T|IRr698E95cGyxoKuHR28!aFmCh~onx#D^v4
zXURt`uI!-jFkV6(xJLh@G=8R3Ofv96_G*w=5I3isJJ=Xlse<n>aWta7YTftfE}(=V
zQ|pTg#Rgph`oOS~PzH7(zkwcvCz<L-yFFML9&>0s2h6eUW@wr7FUKXfVFC`)BZ^7N
zMd4&bVhAd&>@VbwW~=_>bvOc6W&sa@#$1a0iZn!&{#Y(+r=EU7LMNjG|Gg6>epg7N
zVN$1P$kz*_d_pysf$>Fef;eIjQx+R7FiRO*0mOKUCl>`R4*tC+(J8`Mfg+(ZY%Ymu
z(RsvbdTOeIwj!cG_#>a|%QFit6m$7D`&*mnz$^{O5+)hc#VIMJ8bu2Fp3p|9wfLK;
zEc(=r4}GKZ+BXvcHTFK+CQfH-DBSJN0R?T9H(uTU@jT;1fJGmjNh3CQJodm_I>1*#
z$9;Z9g|voD_{Obi#2^U`N_I^Y?{^ceZJq4@7qlPQx{4(F#v8uSVxO1$Uj0T#@!m@z
zm|-U~=sL#g+++>gaG1yv!>?<ynWE)i%oWN&!{ubHPG79ALT1v^l=n|EtO74Gw^tN#
z=|loV-{U_Td`RuC)_{1Pj=RV#;m*qURUxc2Sc3e80Qd0b>)qVgl&=sYO~&V?p?gL3
zu2MWpaln$+){S}WYmv<OTYd~|gVbqyJ7EkjW*1J-gnPYn_!zV5sA&uhyipPqDZv94
z66gFXh{dotLGu)h&}Z{7i{9Mu-jDRbv)O3nM&I(1de#Qo57|Sbb2=;td>n@DK2ce-
z$}|tMD<zzP<{NYJKVnWp@7QV`zY<Yx1v{=jXX<re)FK<~k8AD^I`XObJ#mO6tSH~~
z7yL9{zCv$XeK^1=<n?RIwqd<FExXj!9HpWPYe@j5Ofg9x#<yw%4Tv7Fo{0c8Tt>dQ
zJ!_qBV^`{~!F{yZ(H1ww7E=Fd-sNl%eo&M6v(C=`uexi49|=N<6@`Fg8m<B_>zh@@
z*EcSA+bw?J2d=b<&PPa%KXX`-$?mV6eE*9Pc@MbL#TqQ<@bu7v?bN_|*Hfu-ANDIm
zKe9$9hDc&K6j>~O?FiY+(*yw^{3(L(d{Ea*lC~7m)1IOm%-x}d6CM|?VaKbUUW?6(
z#hh2AHbXQs2Q<Zb1V#Nk%?*EScF_!y)t8J?m>7se<4dea9~(SWq0ngwxk7@z&hKA|
z#l8ThP)tgtO1l^Us+-A6PbP7AJu(KxkZ!B!CoV)ZUj#8hgNA$kH0X0G=UooB5D2IT
z;qn`eX(-#z)7Qkv0?2~6lnxxi$1S(ZMV3ifBOptl?(E)Iz?~XiVY<aK@R0IcU0`(q
zvw|ejksg@yapvnlInigb`AsTzj`eiz2KID$rZEa)3QZj7vcBH$P9izDpY~t<+)CGr
ze4~KGc~TstjJQXdkXBx3|4_(!gTem(0KqHqVB1)Yg@weG>J2}PoIq)$_jSFsudlDu
z>D(dA(#I3>=l928CwKG#%`SM7DR2ZF?u4VP`!+k^ArJsc5%u2`Ds$x_C9x`X9*?0P
zDpl`iPZKD3yfl3oBwaPj<;GFn|FZ>&{=5QK51AhqCPm#WYzKiK!-l#F+x~Fw_lGwb
zJm@Nf+RMHaS5Z<Eha!Sz4dpIQUrgOO#VGKR%U0U$U#ABgCYS~l)sbf+UcPDE&sx(9
zS9FFk<N}@xV4{3z+N`%oArnr5ldcH*+=s?+{gT@KQ4;1mdp=<}wu}=bZbdn`0_Y?m
zm0JI<?z-j^mm)ImAWD{$Iea`n0^{g-g@{cK|Gx-I+i*$1C21_@3ow$)*n<bt-NR@|
zp#9{$C~RX`51(&ScJxX+d#i@v<%EJ4e-qPQ&s`2IC!xflL^4X9lOc;NZs%<?L!9){
zi`$nZ!l)tPwqhw9%MFyKS;2c6;U-u=!+Q~U6I~-PCaG!QaU1}SZ5o5SNO7ppri6YL
zu1z2%^wes*Aw{TqV{=9kMDwfPpRe-5W588dS<PmPamwA>z;%e;oEt2GKhntH%(D(i
zMGa2Ryv-KMe{WpSAYgidlt}=k{az)Y+Qof)d<D)L_6^<L1Z;Y|{f8{}XA9}wABnZ!
z?FU&|Tgz8(Fo_#;QnFZ8P0!Azb&K(OS~U$0=Jk4k|1n~w_0rv9`?=h<c=fk>T=4+n
zgH-m+Rut&%XfEI(cFjS~C91VhvTv8HM-SZ_r^t(wOY%|LTB_qa`LX?v@!?%;z({M_
z1GZIYgMiF&JFAO?xBJKcj?8$TkSjGFrW5O+$@+X+;`8-Tr98#Zvn@iVL_}N9bSp{@
ziW$t5=doT0OXZ=vOv%tQ8{z_sp!3{G4t{W9<-}kJ8<c~ZZM9*ww`%#9?s#rZ&SA<R
z-tXa(Jam|tA44-KD(2PsRC(-VPG9MNJvp;4bAd~1KK0MN5>D!NA|j38k;uZ`;r@t}
zHRjs%zkcC_<_@IOQ@?*fSvlJeBq&pv@9Dt_P6W6_8rwP81yM{qYw8g?ptLyJ`<0a;
zAgBLGg+IeaMGuOFMft}k=@bam`3z7><z6rea<D9FlXm_v%6dOzEoltbs$M)k*n@==
zd$YA<Z_d^c;=0j;e@HYLJ`f=aGu8?;zvWxKKA54?Ejiq~)Z}@8aMx_hken{4-4e7j
z13eR1Q&G`TU{@DHcQLOb`3jX$IPTzh!Djr_AThvq?})Mip4_J}dZ$4<A*q~5iv1CA
zstK5NCw^H)v^gTfxfXoFF-X`2Ulpx~Ps>(Oz-G|lB{#(9AO$F@F(@-$6$R3K5-hg<
z&@ePnFfa?-*|SD9!h$FE-k^T3K~RIBZT4_pSjF#BzGRUIo*x@8C}Y70?iSeCx%%Bx
z#aud~g{gn3z%5`v1Ox;?al{|Z7c$xGos~L6v(0wr^f(fUB1Cm{^`VTc^mOrqhV~U7
z)QEv8X-P>cm+GXAcQr8?ccysLSXn1v7x#0lYuVqTenSseX}@us%t$D5AUe8&>XNaW
z0}|5Gz<<nI(B-M`zsEypC54p|l0cb-1Cc+Q$sMv2BI^jC)uS40lp|Ea7GBfkMjg#-
zElU0-75K{cHHQe@`d}G{M-YEJeXBbe0ppSy<q3eOx^b>^Ia&y4Azuv_4lE8~ByU32
zqjEVe-Mg68daMI%1aYH2!n$pZ(K&te|J7`LQ3|@HDWCs!^+;Apr$oVf${X8z`PpM|
zvH`Wy;mh=AQunKy)71-&*~TCI&KbGZ%gLS_)VmwKffbjZs7BSh`|BPL3M@AYUM|6s
z1;RkC{54>k_>NvaPOJhzIt`>?JMY8mP6vP4mcm$Bzj!>Ah)EMR+@E0buT;<sl1N0u
zzJ&yvR5yfBKJqt?0qw@5VO}jRr6_Hxpwt#}h>#Y&;?ZG3j5w~lO?a>!_CP=-Yd?Q-
zz#O8fB4<>X9YaXO`238!z!8=O5tVNL#{B8Cf@LEeFCHP~_vHBLi^V676>lxX6|05=
z!01ToKs(V|Hw)|Ek06cjN(S5d$w{q#QD{X+MRf2%&^SpX$luX|MnW9uiCdu&X9!rB
zkOwnNpGGezjnWD;tT56d$jq<w@YV8qcPFv<<x42M(Wk)=QPleWeQOF8+xeEs8EXmg
z$wUt$32Xi1dax{3)OiGSs351Ea`tJA<#@Q5OG6><iQ!?hI$2o0aGUFo0wXo5`cBVp
z3%J^wAVsOYvVv-+#-{VF5OE4=(diIaOy;#dZ+4ZiEJM3AP<k4edhNq^sy}7GP7}Ny
z@!0GAF#<X|I2;_DR+|F|o6Uw_MFo{cv(@XGk+_u=^-{Gqm0R42fCsvG{}(z$zZ9G6
z-1Z2n)vBvjkwo&3*OlM$nW4JQpTxw#mlwB{^>rwH!OE-}g9XQ_#7;=NkBk-o|2v=S
z1dblH@UX5+_+-7vUU@KmsX!zV`0ydjAH8p^-8={27;b1qsC0TUk44$Tn^#RWhgS-V
z#p(c-z<`Jj9Loc>`eVi~x3~}!e&@QK<ZwiMA~rmV#{MVDVtFHj%Qn#y_#H4&q@(zJ
z{*!?bc5K?=5$W=N6$LN&FG}Yd%Pni*l?DPtQX5L6LeqY};;hD6oidap@xXonsYz-{
zl0}Dx2EO#BU=)PU97Wbw_&RpIXvEc3WHc*cA_IjF>N@qEGuqiqXcOb&24}lk@u(^0
zJL1aB9(a}!Wx+&BsUM%cXAkZ=Yfr2dPDL3R6J~M!{OC!Cdd7HJ+y@oZAu{ocG=c0u
zYLDV5^G98gfElZs{<XJ=eE=0=wwPaqLbS+C<39QOVnLryff$%5%LQ@h<9for9EPXn
z&i5t^?&&AZ&LgW-k#%(DB%7nFg&P@P5-i~W!Jo+C;i#5uP4PbqxzU&Nv=IkJ2<}AF
zLLwR*$SER?H*tZraXogIF4!49T4f7Q_4UL;<7%s19km8lHnfEdON(T)74PXjj2{m%
z4VEj86+N-iVo5?g{_b0HA{ld02tq1L!q)o6Cm*Kh0LErw*C)@JG^K^}`Qn)IzhO~}
zNB_!<3>Adl2oVT^z?rJJ*R=<?OYD#lR{j-VFKjK-yU+nc(gd|jC}gMqz!A-rLiqW}
z(742%h{p~mQV~#4f^oS$cGj9K`x!)1I%C>eTlMA&#RFQzSmX2G^872cp0W{0j~=v3
zn3{Jcxunv_#wrjI+UvKLR4ELven9vwVPN27w>Jj5YtlhTGVQ^{TCAJ$zg!GLqq1G$
zL7u5*$`iV2ie0RrR(`_2Q3nY3?AREvSa2dpUBqYW*pV{DE4+k+kSlS|&I~EA9Ph$j
za?hosBSEdGtqW%83F(xGIevVa!!B8oRh}Zy_`3>{*-&8mohl+KC#BjX^qPL2?as;O
zi5VzIYMJew27(1W7?wgB@UaG*B~S&jlwcA^nbT4cudrl(DMp!@#BSE0pjCUFYf9@X
zH_uH23l;%ZJW`poA;2V$cpz<kGrhlb1p<gxh)L%44Wv%h2<!2Ie8v^#H#7^+1_JF{
zrH8>{y%bT9z>K=w{80!?HPdbR@mh_W54~L<z6=v5Q3$*eCY!cE|2|E<acn7A`4CNG
zFa=s`^oH|fwduWFp?-L^0MJNEJJ{fCLF29A32P>nTCFj6HX;!<9Q)J8?tM?YX|14C
zwhWrcg99WQNbJS=XsP8PRVJG{-MhJ|Vz%gwy;YME4Fct&ztMPFs%IP}xURaRk_0%M
zZqJV9fOaZ$<ECQiC(HYZtV~%u7J&%XQq_0O2^+5y1R(8T)-RL+VxR~WMF<m&Nh=JL
z?z%s}Uv&Wf(E$$ph!xb%c4c@l0wh-zfp*830FRsKmqGKUr&h!IZDS}=CN01#h57dB
zVNC>+?vDr4mz3VXkoztDGo(haD-Mh}e}A+4Qf8*zv1h47AY2nG+BN+6q3}<Fa|cfn
zNe~hd$>%l(Fx<MCgqjXv4%JykpY0RVCf#YbT4n4L6wdk3D+IsCJl*c`)mMJL-WIj9
zqyJIVR%@;4v=*bGQl_)@-urxw#mBGBQn)MBtEf3#B^If@h3%g|&y+7y`PKFYDBj}Q
zJ5xn9h}=RQhgh@f3liR~>{OTAdWn6}i5s3_U4fF~b}=jndCed~QkF1y3t78#pg$dM
zxnfU+xhf<^57D;fvz4~cO-oHq`f-$nwc<&K)ubI=_jLheL{+55Q4G|k-;nICJuC5J
zfCL*lFn6nby>#Qu%nuwc^q0#HC*IsW4t{sGSl*eS^2lC@oYcA}g3Ey<yY7{IGR!ZX
zBNqmDyC-trUcqbrFRFnvsEI8P6c(B3MpRh;e#vj*QZoL14xX2MYwI+4yVvwGHLn{+
z8D1#@6Ri$P3jyrN<SLkAXSjf99j=b*<c~*fe!k$a^O8F2iJTK&FRo%QW^i8{jp!Uw
zZ$L#+yeLdIP@gHr%8YLypBH@wOdE9}V63*NIf)A8BFYnbeE9l}lC=9vrAf`*h;1KC
z+3Jtq?A``+Pd}n$mmaYFFH_k!)feDHFeLs0<{ah#+!4TNBQj}#B~LlI)`8_hAI5tl
z;YfDW{844PUNBI`ghxKSK)OcZbrwq_W{XGOTJ277O&N`XSiWejitejrsdir*B+z-(
z_>%?&1GPrCI>0~Bab1o#2nYgeL-#uZFZ!C^WhF#dcPrk!DXqvh#CCzHr0<{AFDf4`
zPjo|H4FI}odqTa@pE~Zt7hH|w-QYEY1{}^aEa*VV4BE)f^*P^)9z;j`dwa<CBMn)Q
zCmpiMel=)U*>)9X{fupBKr}W!B_1L@ou$*OQ{Pa&F!OG>W02~fnF<|D037k3l!x@@
z;{bL~JR46u33NFcPXw4Zo68@VO8cHeOV7%R8f5VPa0<lPk$;^#ccdXjHni4G{`kt9
z{7QSBTA!?BgYEB%06=Q@rb~bH+fcWJcW?SLqA>_~g%gwLYs$P8SSBB0K82CrzwKgO
zzP%UJ24e;D4*m3RMQ_4}%i`~`6&EIi=rebsD;c5qXGm|`1EYi9=@!Nel|~^YDe9vv
zaDw_F03ys*qEMCIXC1FFLDb<B6eS>B71CO!Wb@?j@Fo+hvFZUd`s2axI#)bDc_nQu
zzwJ%w%?B9)M1hm8NN_+vLNR5E{1pTQp&Lbb;0qWfK3*&zmmxfUD?I=qgj4DA2N}%M
zF01<Y9L`K>Rs{G25XG(8T4R%|4R==K<BPWA?A|ne?pZNLHHCc{{R>gw-VPmPlgF6;
zF-24QYcL9Ma`WY9=EtEp6X)BbX0?aw73^JH+M8796y1cmThmHt(YbDfh}vf<%&)b~
zfb$yj2#jS={p(#Mx8vokn-txHSSM>gk{+AE1aFKqo=zx@cl4XN=ge9v@le$_)}^Ty
zRxjSg4acNwz*n9tw@n&1i#cwMGp}<y*^gFzFq_V2`6!H4QBLRQBqH?t1H?bl)A4-a
zU~3b?LY^H_i%ei_`(4r_P3FIqt$~zHch@q>44x)ECFj<jty2kT70kazr&!!>XVb$j
zxB<SsEwH&rPFy^WH7Yl}!4<dPVFha<njK1he5_1-1Jk0wX7=B<+};mcW*Z&Z9!^zs
zHStmbX&yJ9j@6RaZ=<flR%^P$?C2iZ-Ykf5)&rlLvr@i(fw|zsVP;6vn>@(9aGcY>
z^@-lDwq)*}qJa_xdaF2oN&5T3&v14W=-;cDy}+$&zb<kxo6U{qg*rb!iB`BIe=n@&
zWf>SE=k~gTOra6~q{^NrAN`>S6pgrp_Va40G6ILKVOsrQObx@hHAx7EE`8meTdg6D
zMb>CcmiC~fitXaN<`^gta=By>Y7?X%$tR*h8*&39F@H@cHY3gc8R~or8I&^FW}F|S
z64IA<tlQ1@9Q4DU5CaGc%<#GoDQuc)r_BW+t>wLR)BlhC``;xfS?f_rMc$A4Ph^+u
z6e=Ewq?4+Bb$S;w)s1DIdN*E*Tq=G%Q&T3D%I$#PJ$NH&njSlS6^ldpAXLrQg3S$Z
zJaGaw@jO?p&C2Ak*wI6_9kK=r%Q`2E%ow(|l6=q2(em399L?I=qiYcm<+3lzgB|7#
zpl<G^EbUuG>h#SQkpsIg(7#0xTySLs_lxDx=hi&@IUd)HqIA6AclG)8Xw*7VTQat2
zl2*~rf?1aWh}S4a?I_7yiTck(lm5h4K+ij{9+*FJEhIvSKI`wMM%r<)N?S0Y+c|v8
zv@TM7I*HKvw`VUuQ$r+_dOLZTrYSrbtR+!|2~t&hIdq~D%b(8~7!<jQ(WZ32Qu`=3
z_>4{qT$JsP(uxUqd7xsVOCw&y<$x&quYLTHj7JWxTqeil*N7Wz50CAj`{OLGAxBTW
zp&LOttT(Y`crwd{?OUZA4op#qLGCY3i=6ulgq#lmQc2ez3PfD#X3qgcJShz_p;T`y
zRo6$IF)}*iu-L0k<<W<eh)8gPr>uMKd&3b_;%hZbQ*K8WHEs=yaf-e0QhKHB3<!G~
zHb8eD!Oqdu;iR@epv(vZ7bS-DOXkJm+#VtcSno8&uoMj^29-bCLBE)1f>x){?r^Fr
z^k#JmNn_EQ48jjPWzX%h@mIJNQ4gPXQLEy0h_jWaSqrU#>cPxzVp<&)oOI@dT^Q|9
zPV2<lK_ejYC^XnS@2hykn1sB{>$RB_>z|K?cy(fZ*fCVO$P5fV$RxApiEpBu`-!BG
zCy-+;c>Ht*bq&-=0DXU(6@;7!BnowK=VimgJ~i}%*qDt&1t4H*M&b#Y+y_q?NtEPk
z;nyRI-<+0jr7|HdZTOditWjO}J}3P({b9S_2n0iuKI+J!O=U~iBuy0!(6f*f=_m!Q
z7_UBzMJ0U|lCDPA>k-pv-m&I}A!@1;-nfBVSll%oxc&(S`D-&1Sa5-TK+%C+#C(ZL
zbE)^63=`9;aV-@}Y!uqmcYidb=5!*@MRS*Bc@5`)T=&;p{u+a?0YJB&^PX%HRyu)g
z75o=Dxm*p1mEvE`FfFT%=7}n;%Ek#=SNP#D5{q1?b45@K42uTd+eVs}UCJQ3%B<}z
zEv~C5EEn;g@3ojN7F;-x3-ACGQWmt6p{@mec7J^k8EzR`J>~!@v@pRUGb*O_BZDyh
zaM@{&&~x>CK|kT%3}8YiZSYp+Wl$(czP8|;wZLRDT)uyvER++xIfsd)X#!+_9?4$j
z%UK(yR0zTqKy4fn&ilyQCvm;vcPY2VBCkjFjT4#9w&>S3hd)6rPeTQAvc&6lFF`4n
z#Q4RAhN6y&(R3{}{dC*jEQ<y>WhDyjY7y_&*4NG5Rdp|yymrr-+eG8@eunC(QCLne
z0><QUsTl;hit*vTTEs}=^`fxWiQ~5z*)Kh8+kEr*mJEAUyq!Rf4y&w6JN-WL>N?c~
z);CkW+k;2XCi>%&bh+{sDXm40KyD!7Fi2S#eKZ~VY9$^|9p=x{rzSKF5=YFR>m2W7
zQ;)+!Rm%oGDTGEv$OcIZ25q11unLA`=m6bCAZeHDyWWs;et`d+r}A#U@tKuceV`w=
zifUs!tBqE9s03(q`ki{%7798fM8ts24%Z2#lk~N6N0<(IZ{_RtX*Md=SJsMiLr{tG
zbE*-aWk3MuIupMJSwU+N^sY#{evaq>l3^4b0G(Q+p@F}2Y60lRfe6XLr?h==%e+1V
zNQf_Xw>Kk?(Zq53bzk+3&DMP(+$9Lexc+RSuFKi=2V~-QLNMgy+DbL!&y~GOVZ+k-
zH$A&m4EBADowaU2n9?VqZ#*_PPY(QBbzV-k^YD4){T6LQ9%YpCiDM=AXd1Lmd0J_T
z#2A3pZf<g>jZn;l#O!hw99k~{Kd8iBdpSvNdHs5TRdcra^eTv~l8Hz>w7TLz?*|aK
zd|Hm*A#Y`X=X9~!`+Vw)-KogJsh8vJ6{C>ITI0I5r%n?=qSFBWz+wm&I}+A2PVa;)
zS4c{ZPk@NRO`+@i_wK7G9^Y1y`N;-5avfvm@pCKT$MM##T_WL7^$~XEhXn!$*k%Ae
zL}lst-P4FXf5P2yo=>-xy0QnvAJS|op|9${Y8h^Tq`y;l-X0lhw_(5^kE7U{m$O^`
z%YOc6gt^6Q%6$-tV}+aL7-rQ@aYE{4d}F%<p|?-#wwBk@`T6<dlP(3#;<B>KCSw%5
zMI9Qdi768)cGZw_7V|ABzM<-g4{o%`t&@NjjpBj+kqDTJ*re$pY?bGZC+uFNP7b%l
zjuo*kL`MTB6ina9aFS(at_#8Gmq=FA9Qr3Hr@=^d7-sAFxB?qhr^ILd^<wYtOX4)Z
zY{Xg8eQ=&JyS=xDX?M3AgC(OIY>Y-CG?WEG*1A6O?-hidG9q-H?D<ems}yNZi=^o&
zBLM(e8G^cT5%1qEh!xM+L)`@<wPr&iUfri@OHql50I%-9U!3-Ru#*I8R$rGe;m*{W
zh5wE#e$}1@%r}ecxX?<u2ft`Ds`Gr_Gar35;%r;-1Ysu<F*#aw?OrA$%k_bNa}Xqe
zYGlY4reYKb2nr(XsB<_sHKfuBoJ-)~U=S*PpAn!t9`jMZ?-*}*UjO(#SOVgD-slJg
zyIE*2V`<5Wn#eP@r@(Bqjn>x3&EQ*OWmTYMyPf@JwwLJh%<&2&M6=~$IhNk=kOt~x
zI~I@1p$Cxd`5;Z0b7<lqlfmV8Gh1UPzJ7(+ABh?0w_Tp7ROkke&*5B0Ud2^#W0={l
zk;<JVUk?I(>l6MNF8%BVU1bC%<0ZqnHQk5zeZ%L;{Kme*<Af1sghE04e}^{J?@};P
z*Y^{Jfq?;?*=z>oFL9kYMzq4ZbO<5uO)pRyt2L%bG^VkpvV-T-#VTXNUQ%VLzUz4R
zyW`H7`*@~umlQ}wY9^ebzgAGvx7n)yh=C$<=@?+ST_L4QISnIC2+N}m_mVhkI3}Y4
zCV8!m)9JT|JI1c2Sx1^vO0F=_EAU2u{$+jymSP_QoST@O2u;g_O)O4$CjEP+v_dR@
z=+dlyYgr)E-DahAYkMn!7-T)>c(6eiH}?*dC6<r#x#81{64%!}KlPS3=yPLDtn2k@
z$m)daetJ!jcKGzkU(k)kbq{{bC4598PP~z4tS7xoR#PsvcDN6&=$ljy_@y~=j^D*#
zA5l*jWE?MJalontlTnIEk&9r6g{0vC7!bGgoTu^WihkFu7b9=2Qk{&AK)%u_J!^}1
zA{Ks9-`A;k(u!}Uf6-UqBhhH$^;wJ51*6+x1`@7qmUtj$#V>QjnU2Sm{$Q*vENAQR
zAXfeok;K8SO70zgG1yHteo|$P_J|rzuxSy;TH>|h*{!-Q`$@H8ax$04DA>{FbUneL
zjB_Nd<nH<ka6|J0sJ*iV>pKi;Tb4ma0Vjn^aR}9nLYI+roEF{+m)op1s5VWb(=8ry
zoe%Aw{7!fz{5=oooez6njh;8ZC%bEMtXX1gJ^%|yCkN^p(!rzlE>KD6I~A*dpT6sm
zCt6H)`$DfNDdM!MWc;#<ey&<MaR6m5=gYMw4U@4l#S+?y3s$tVe9EJ8?SbRNtQNHj
z$RuD8_3a$p(yFuW>IWQSk|`nM7&A26yIA3fBjF&Bo&7qtUUFgNR2$9+)s*Vg=jx?M
zwDab>qXhp%i7?0IH4;5M@VcHF<Z<5Ww8<>NcY{W4#mn`^p;#J?0pS3MHG`YJjUPMm
z<E1xtdSYxST+9Hcv6&f+Kf6`hz#0bz^X=}T%{aBS(a8PONEEZXSD9~nG99!oR|~jQ
z>rE78zH{~RNM1h%DyP4HJCL`9IVDGmQT(bv4Xgkwj_Cy0udi=X7mZ?E<|J%4)MHbl
zvw-PN<MavppsnxdTxi?5eFv53ab|CJrTc0jfvw?ThUY#56N_BZ6}a|#<nHFk@RNEC
z+Uj`eSLMY2E^`5tnL4!iJ9>V#r||SUYYKmQ6>Q#!a?4?8biqx_`uE7!nR^!UrM-Nx
z=LKpPuwW%Y?;II-m$w97QitgSwdSwCLq!koOZdX(6V0?ENuzm5%KSF*g$LuIaBXAi
zqe<yDTpQ40vNCa$FFgYnDB*IvmaI~31GfYqU&{WvDZXIKqcN?`&YMtA`!mD5#^f6a
z8?QT;h~)O8nhQ|4H6P;_h5J9;D!_(!s8rwBbJ?N$OBx_@YZM?Q-w%J22V*H8y4vl{
z`IGo(sx;X`WdJ^8OL9ZzOP^&dUZTfoDSArt`c0?)@K2=BOw^Ry$5MT&ih+o95_=93
z&tn{!99jzg3UM;~rAu*8n&MM+wmZPm5ucQn2O{a^9nE+}xy<pUu@&Ty$7hXJ3j_7a
zh6A1Osr=PnNi3$YQP;Bw8viRi*7cO^k@7|_vf`wW`<<oPkx6Xl;Ch7OJxa!c{U!Su
zaQ>I=JCqbe#LD$&3(vT}^#I15@ni`mY*KbsY^PTuuqrisdYqrK=$w(8u(w+h6_@2X
zlP!f@GVsP{|Lsd*d|H<t?$yc{PQRD7-PxcxGW)y15z{=vt|BYFQu5nWw-OwHa;~g*
zMp!;zp|R0`w$E{UIe8W}DaKbC2})a+mzS|ieNT?8iU_6>PfCredGC}$T-5Y-PN+-4
zah|2*56!jpUPj%UurJnkCk4^o(b`t99aMJWR06@zSdsaekeKD~g^_={yGsG^F}MA;
zntqxvM$#v9T5wOYa85}%IuH0ssduX4Wpn1{x%7d@^F@i!64TC~>7hery(YuNO9u5D
zvCxUlqxWx-)%V5w`1?P%IVIr^E#9y4UDh+#0&DsC$1g0&8lA4%AN;SXwGtE2sHgOc
z#dZt(2V!mXZ5P?9S+Mm;#z90lihXT)j^ou6R{IexG%#NK+jp5SS^L4I#c-BkqUK5u
z+TvspWD`A5Yq!tu)#;I{GLmZ~xRu98gJS2JELAxHPa|*LKFYcJv!2m}tS-|bKOb_k
z{>E(L+lC3{O`<_N#2{;u0gsIsl>XzKjJRdEtRs~D+C!J?DDusTE1KHvx-&Ya=&-Bu
ztH+O?IjowlN$D$#P3fBl(sPF#z)^-$$Me?RjoBu&=S$7suw;Mt0wthhIL80CJ};_o
z2cY>W#!a-9zqn#ao+XlHh?vZrIdvKv7F7$LNS<)4iFL=s%F`IQ!&rZ$tkl3$plSTe
zs^rRhBJbO_3mvEv><H9!xBnH8=kB{K&tNu^IXdSfiXnW({{LwKG_qa{ky*~&KFsgu
zT6mxx{TUj8+Ui&3wdITNRCT?N>fLA35h!V2P2)7hWxe91Y>+zDbGjGlnKiWEo;e?f
zR_9EeNWtSB!NQ{+Rv#O6U;*8~szb7q?4ecb`GDf${MI}$!nzrK0oy%C^G~Pa0?^f_
zMfHBc?f!TpGn#meOst?ImB|dp>S*Rsz4wawsj>NjL6qe7wjpCyT-)UfMAEq2>s2Nf
zzuecoO*;twHXmE;Sr-A4c(^l^z+42C;#+#$R`#i8&7W*t(d2epO}uPX)g7vFx!^@4
zQzy<j8LoS5Dde(3IEA_NbtAnds2s0EVkaV#TcaBD`Jwp^FFYqUgtF;$zl(^YN%f{L
zaHSnM_TTW)3H>ykELHSqkV<3#+i~<xNp!TxcBOpsxIaQ);m*9(BP-#GcA^b>)E>vq
zQh2_+A7@Q{zPRb+^L@v9SCP|uZK^!OE!ThJ)c@4qo;8NnJ){9lOZftR6$^E~?Lnn|
z5Z}yN!tKBLeAb$;(>7js0KGNa`gug3Oa3AT(e%*?nO3b7`POgQ-_1NP5S|bl{J#0U
zbUE4tOWBlmvn3h3UuE1u?=rV<hIASV6e>f=+>eyg{m9k5>a4=4;}_+=-sX+f59Ia5
zAm*TVNyx=+%-X)i0|57I6Bxbi8$wnh6<|85YBpO+@;3hPpnFL*NYfG%6j}ktMa<%`
z>zgye1m!cl2`AOxRCTu3`(+6J)FNYfE$7K90stwO3kgv=DL~Uv3;B2|;aa5NkH{io
zK7R|WwMqYw@a9d*f<!i5Y|a8sYd#XWu|mB{L%A-zC@k*`dw~}Duu8r7_`nFvr&{b2
z@Tt;t&|NMrpHh<Y$L(kGI+LTra5)_Cf<xt(srWHX&YsI@SCbe(DIr9hnw_pK-56!t
z1FFRZ?wz@pn^3FQ;tJExEYVL}R@&+Zi7Bb!e62aWH|uFLyB7X1J}@q?Xun<1K%d`(
zoRdKE+)K*!x++uEthhD{^J243A?4|f5b|VJSoKqe4-T@W>=>;Poy?V>1sqKY?=Nl6
zcEmb+t9aELp`6cnzNk%RI`>Q-8ENkkFYFTfHYzo{drbOJfB0}-xjWI4Zmx>1=bG9&
z8x9j<?CoFeh8|U|=jr5vRkw>oD1YuN_zgv-5|++Or`->-R~5^RsKC@(Yx7oqeY$SY
zzrt!Q5@JutYT9{U>#W_(ek3Wrc<fH2du=OCrkQ2E=6O#0a>29xi{$uY;>(puk~{Oa
zc!eTwp3NzlWRuevre-I`!h{;eleSb52Fx&Op~z5ccfa4W&l!cq^zEwJSx6X|I-M^d
zO9N@w+5D_gNR3lMq?A%94PXiHhJ^V4xRe1m<BC(LtFCouILL+=pOAzV8jz&wFNo6c
zJ58FuVLH2c1i^K0#8GW0f{ad4(Z*=`A1zvz`BY*C|JFBBb!9GBEW^8neDLe|w@2o4
zMkTLr&6gJnOi-jBr8b#jG*mZp%St%jFkW*D<WcqflZ6}!D9M9L>jq$n%F##NRFDvh
zlajyj%1(3Lm*GAZs(LpvW>qh9TJ2IlIy2&BYU`9-8b~9iFxT2nbepj;No<7SJyTx5
z!mik^6T2?D?XNv=x?9Yz@aMgK3;p+*iq>Yi{we8kt0~2#pot2m49;pmC@y-1G>=|9
z&t;^zKLvsEdVv^^nWE$5gei>1?Lp@S^WbsoUNP(C^ekac{y*4@e+ISOZUuRAQ(irz
zz-Q<9WQRRHEr?>z2au^jm9NtR*+I*rS$MejT9TK-)$tW19G&Zd(V=?i7CYnRra|va
zg=W5LA;Mp8CpV|r=DkxwWwBnE=jSUw|Jg0I{hE=KKygHJ2D4Q%%CLMHA>;Iwdb!5q
z2wm^wynIyWsdD)A=21MK$C2%38I;<_%ZjB6ftEFn)r}OA+-7;(UrOt!EVhLkEw+l6
z1x>me)l0?5vgDgO(h!!`18WfP%@@n!J%!$jcnubcI1-PtC<bwC<e+G>Tpp65AGH>o
zPlJ+q+8qWa%`WbqhrnLkPHsCMM8glP<<DlxIxh|?8F4WGM6%QykTREmiM{O|IOR_V
zq{Yd>b;8qE;fwlt4uv~!9;$of?$KU^kGCyfSV;paFa!JJK$ZtuV>Q(^LZm|F`sz0o
zOlx~vuk4nfj$Qn-rcCp*mJ60h(|M#UTGNnih3Z};UH9OpD|KHh#?R>P4G)@B63fJb
z6-`D<zn{;h5n_PA<>yi_K_CLQF%GWIQD;PK$#|QDyJknhJ?+1^<^rfcB#6YqkZ(!K
zqg|*`f|HG0NuioichF9bW;05O3|XpCB(enG;k>R(ezH-r*79V=wU1^hsloyaGVc{n
zc(Ct<V71qo9HN(<pGP-zjr;^lG!ep44_ci$Da{N#Hb$7uW2GYFS}}vNuP?WE*NoZ{
zh$KPh0NM23=qhv-Cy$TMjeWd2qtV(-vqN^ZaNCLlIjnhlutqOGo#OKAgi_RBBEVfM
zioqB|dol5e#Gi;LmHEo?Vp|J#8NFK(k4a(4AQrOYCPr0SA$<gV&eZASoZL0kiCZ)o
znTTg1HbTI`3F)iALU;Sr*O18!kL=eVVcftyiH5!rj80GX9}(4!CNf@Ag6Hc*?!^6a
zvVxDgSfI8_aDG)t*7gQO#yAQdY@`kf2FbVgLm1gdyjix#xFhyYA&oxYO<|QE<?+By
zX9Q7_63AdB3IiSS{bB(?0dlk|O7Oi@a?|^_c`gkBM5Ky$rC*Bc<8{`xK1aa6*1Vf6
zMOwrd@DTa7Mso}S)>Wz%_LehjDHZit>}^AJU;8@%cBM|S()9exgYEr&29s@D@1e)I
z(JQ*Q0&Y7L4y|UGd*JQYsycZbhC`=!XXC1~)!%bsJHw>Ov`Q&i=(f`%#}J-IxE}oL
zyohi3j&W$VFNL_LFe$oNoh5z2=BEWRIrVf5JD0~G%QlJ;$(CL2|6a8k5Cu9ZjiK0-
z%BdVp>8Nx6Apb*1ixT<?&s36FK=_6YH=GJ0sWgiasFUHUT}6$kVHcZ&vOobxZB)TQ
zh?qT|WO3G;A=jRMYu!yFrgWg`5_6zoCWtGM<$iz~Ao=Fz?ZwIp&TaI;sZF75b6zfJ
zb-QLD^*p9PH})xQh7=v7z9#X5flY!`N<#sW)aL{1iOeX^v1ZE6k`Kw~7}d<s;@;@3
zeT3%&MANXI!J(JMt?<V!hX^ejR|Neq*2Y2v)ug)xGF(CY<x!IZpRZ<%ot=P!0wLC`
z9yD|+<Mt*F_vD0*qN<vf@)k%ZA+h~c4)9DeZcsUZkmqV@#qk9l_st83(UJOOu>mN%
zEf2)WL8lt=hTY+e8TZ2p#wpv!ZNHmm=6E6s99L#EbtS$f6F1UlBS;puX!q2gaU!%d
z>cST$1U3C;@LNS+QmY+RNWKQ{|6wQ=Iez85C4itLksGSh>6h7x>eWa20>~1>7H0Ff
zC$7rgT-=}h2U6b1sw}ZW8}Z&N?z!-AQn(OouX1BUaiNFXzQM5Z0|?m2fVS?oX52Dk
z@{OG3n}p_yB(HBv)*)D)EPYrFIl{RU%uW`_LEfIOxx&j>_I8_$M(n})n(ro~;^9Nx
zL?sBbxi}ldkH%k;vAZpa1TQ_Y*&!tj+IAw>A-f9fPwU~+J6~lYQ61L!S~P7d59=b#
zKcgR;H4#CPp`25=Zy1rj8~BgU0rEBa+|W2PK#pJU^~m2Y{Y?r{PjSG~0vb-DBej50
z7(QVApi;dRi6VcPZWNv_Uc&wZe-rtF0ZGn)r7f^c+lF#OTt>HvA6t|*Q)p4yb4*>Z
zM4_3;xnmx)Ghm%djGENE9#6LG0C?6M5Ix|0p{+3@tV0d;pi7C${#d9*;8K*0r8PO>
z$ovTt%@_l@AJ&fbToc)^;Efr}1jONrs(!hQy>xRv1YkC!@U0bf8N88kzP+diV*feC
zQd40=Q-TaP<%)248}l$gYZAgvijc!v>+qRHkne_)t_9vDOKy@OZC>qGFfK<JH@CU4
zVllsiXLD@*M6>8Son7IiF4qAKc{X7hjFR0t&KVSWFw}jiv1B(l!IoL7B5PEwhCiao
zX1>=d=(}9Koo?2{wRuFOQa@d;RzuBozr)|6GxhpTD(Jf{k+;_3LC8$GwHzB5Zo8b>
z(+q|eJm2($rc>N}M;Lz})4aTN+qk_?u&7Z8+A<RF7cHT+(0oS^j{FawT_eW7jtuA*
zJOsjBPH0%_aKq=KhV~Ij2P}58PgK_x7$7|CO6uHpd>TY**!J5#uh|K7r`utAohdFY
z{e@HAA*xx!2D+OaTCx-T`+9#DOjZ9TO_V|3PBbWF$-hL?{!GNa<EpzG93q*3!GZyu
z!F?&yF7us`$L$isix970T`S;L<CuTuxM*+SnYZuw4nRfU9|9q|eFubMIAX)-VzU!r
zw~MUL43D_3Ic&*WWGCy@W77BDTk3V1?#^GHK&y+0q2bxiI?^TZYNXeBq;@CRTn!sF
z#{Jqmpaa(%H2BK#b|^r#PAGuq)o!R#wc1}e<SOlOpq4AKNk#IOz)kR{r1k@35y}<t
zM?}$cGk#Us*eD~gvC_r^7z)-B{N$RUqy)xt#ihdaFs!QDz1WM=ktUKDmAW(U%ORUG
z2uIfBreTqOXvQ8%prLdZ&1VjNO;_t?g1dhoOL8R09)*Pzg@X9Q)%byY)tXm*5T+LR
zyX{n+-EJ)`+ZwZ9GvGHZqt);U#c4V&;!V5@HOQ))=_f%I`D!<isU39}j+WAJ6mwjB
zMwnYqJGzrJ)obG*4ygE}(=FpTbB(#2@B6+YV_c%SfR{r^%Af_k8az67n8+6BMFdU%
zjt!0SQL#`~#0>Ey8t&Cn2H|bVUY*6eIkJQ<Yu1?1G(PuN%O^SG++kv@pr|~tKVl%T
z{n<F)?JsvCIkkfTgyp7`=8ZVIfuObEkba!d#-w=`&mS-QStIMTsXK1*6JPCI)WLE3
zL-WxwjJAZ?gdt3l<d2m7tN(-kX>*_B_y$EK54i<T*9Uq_V_s~=2;FTJG09Jvod8i`
z5&}wwFa~w}chlZB&eQM(<slD|=*djWgiRY!UYGOU`O@W&+A|vo%c?~Rka3oG3rKXu
zSnW^klQxx!ig&(4P8$Wv&+1(H$cwvgbfc!@Tn;}IDk?ZPHvi0CRg2mWgn`N9^CL!f
zs@~l_&223Y;c3Ngnr`0o!+1|8?&b-$V1*P+I0wd&40JEPs~3cZLPx6z78|3->jEEj
zzB4c~IUab&Q*Dq$s@6dD0?q66;=mb?hX$Fjx3!PGvp^7wuU&icet@GDJiEsfv5fit
z!}ZGLW<Vx=LOI8i<yjd1NzlN$pCZ=3Ee?Fy={`reAo4XkfSZ~Ztm%gqpWSdI*1<|V
zqwo(5wK1z%T&`vLemc{Bv1&4s73&qMVU!*(&RJotSg5jin)Vir_wqJ`K825t>Lo86
z9yWZwRjMkEP!f)xL?cT-tFB-bB4wh&vM>7$o&+BHd*W(_@=$ncS)))HGudf|(0yug
z9*XJeBpBfF6P^ele(-{j!lXEq|4XkVM|z|tbe_KPn8gmJJT~QVATBc{DtW|+T`sF#
zV?WQI0397)(Dpz+2Afl)SW+c+!4TylF3`facXLpQ3Y^N&QyFhTie(OjrhD(AdMii`
z9swl+oJB@7rJ>B6{RfpxFK<?o8&{!LA?rg~H{ecKn{=^hX6gI~_5Jtna)BI`GwkpS
zW0bo_`jaIYNWA8l@JT6N;j78jS?Rp<)hv*0cYm``e9%<oNV#0>p#x$zwOC#9yuI%1
z%qFl$YK$5Q4TkA_t){h3+BtcDh*!#C!*l06CH%H?c>lbQap<j^F1&U9`j(2?Mbi)i
z_usFsK`D{T<xgo~6%(NCTI`{^j-l7l^ljm~Jy+|j(9KsFAEv|O?7=+#`P?JQVJv;a
z_c(^c+v;v}+)~YfEgT^=T&z=qzS>YxV263RT5cLm4lpdwPJ^6t6Zc>6td1V;{`B4L
z3)a+Q{Jq;28j_o8YR<>cqVt4MD3%sAR)rPA4+C`5x3_(BG+aOr8nX9I`kZ=t=R|*a
zu;aJzeu8rp)!FIg)nU&0qZts~TByYgT~}=O^)iAwsq3l0XuD9!iAWg#sTXgB+*TKh
zRTdYnG5*ZYJ(c<^5;Do_=JWc+-ZtM&BeJ8sP8MKy7jZitKg`>(oS;LvDKDBS<z9ZE
z_{#;p!`eOd-)r^X83kkinIrC-QZM_w|01KLlB*C8seEBsi`;zYkQ!0o64`!YL&4Pd
z$F{A`nV3hn1+I)yGE&0R>0ytUA1rwlK$0irn%!SBvoW<}^~EL?IXao4hB7U$JA!yT
zkuDtFM@Pp@z6Lgf#WKuCerr^+u{f!eFOb!zs5S5`Z%r12X>w>tnNZ+!rrewu)X6$f
z430a-Y!(zJW8qPx890zpD%dWyaq@hfbx@WQc7L)A*h*@0;DjeDo^oFcZfxey@Gid?
zJ60@;W@2L$!lEzApj;$JHcRHvn_86|k%zMXqavB?uA7Ra6xRR8-dlggnQURBfk1GA
z6Wrb1f(3VX3-0c2!QI{6-Q6L$ySoR1>+P8{bIv5pA8_yezF&I1YrWl7yS6@i*RE<8
zn3dLBJiK)uV)~Yete$`>sp656QuI?yvzDbgg%$S|Cx!Q^_7Oc<iG(}F!4>uIQO|oY
z{@%;_Q-1*2StgG;LZN(SFRlu@If2i2ry~4{v0a18$$Yh#8E_^uek$@F!jW|-vY{jd
z5Yn2K_t=T>8SxPN;tHwq0f<6Uy6$Fti8@l7!e3xhTUVkY)5Ahjzw8haZI{i0(d8)d
zwX)<>(-ZRPE_Q)1l8*R`^zY>w?Bf!P1OOM|Wz#dr-w2eBoWxMe{p?R;3md=T*S?!A
zv(_-Ifld?Yo<kgBjfp4loA?5_b4{YS;=Q|?;CJU^nSlYs1`)bNcqm2fx&32WTVXKq
zPj+FwM3l0+x!_`R`r3X(yeVT!G|#lChCaPR;%s!r2s2S$;V$0^y%VOV0@N=?#3g%U
z`!Hzrd0fR?ic0t`bE#q=prUmuDVpAq#MDGZM(M7~=-CoY6A?>X%I9VEHWIqkv0(FY
z)bkhIz+BvMP*hUK*Q~K_U_?s%k>dW<AoJ%V4-?9Sed0}!x!nL!hCd|cH~+h>I+@j7
zopm3-l#g5AX7-(&`B{=)8tf?dpW-}qmSyZ^*5KNb1vUtVh*hp0xyr`+iEys)9i+V>
zm<R=iAEbfM%Y>CKbX9aC2gsdt<6laquwQ_<WFzN5FJwswDJrDv6WDQWxQ-M-N#yr}
z%*hs&d@#HazwA75rjD@2MV5myP$En^eZ2~6tng;ANNRvCn9>*JL|d}i?$mV3QqoxY
z{OXFyokq=Pu_8^ffN@5zPE4d>kTw+Uqc^3K)IO|>oGAlD%%qX7Y8Fw~J`8*0Bq>`$
z$lsb~Z$K#agN&m?+EnbgBsGW1HFu=_vNg6?DDi3?7ZG=W*udm@9#&T4C2HQPYvFjZ
zxx7O$WLLJiOw*HzNn1xJTO1yX8gxsP;z>)CV<rAqJ_33q{CUC&!FmS<2uMkVTj~|(
zJCRk$<7Be^M|+8KH(y@MX7ZuN#>pnCsoSF#&4{nf3$BIqE!}GF;pnHTtF#Q7orjmP
z7U_}8nx$v6;gAonxleL@z==W{W1T4}%y_{Lz2YaMqf`B337vE4H9=&dDvciFJ_wtg
z#+{Vpbqn7F>lqXZV0@8pjX*K8zW%cAFu7nu4h3)TOWUl0HS|t|x7kU#q%{RjskMSV
z-`q*!zFn2(K<qJ#Q!#ISS9!^r=s+$uBO;MuPQ}b@KXWebN?}>nhg{VvvyrOo)h{qe
zBDT)PO`*{b&<XcP2>FK|WyV9vlS^lx$a~=m<txjDXpUNI<@QLmNM?43W1Nsp7rWP8
zgVXEZ1$6bf6pAO=YC=WI(^ltT4R*cC=Sv1F&dil_lS^Nm7E=|TPeKqhJ9eHTc+w6%
z#E@+Lm^exk9**xWQ}q`k@<H6yMJJz-&EgRfxUJ#PUi&+o{g0LzTyIe@QAVhi%m7GW
z!l54#ldl@Y7jVas@NMp+2rcHOk-9@gg*+mPF68O2SE!AR>|K050*g(=NINN|J<jre
z3jggN`^O69MSuoCM89Vw>wQ)>^drNfmjzs-_OuY6mF+`tPcKl-Of3q`@4}=3``^6r
zA1o>^?c9Zkm0z50>&A-N5QdS;Z0gSZjQNI(8<&t)n1j35`p3T*=wESx0LUO#J_j{K
zqbwcR&yQZCCV4mLH%WM_Qf7XaWo1)%rsbbK*QR<Q-YS}h24aeE<mL6QQ<NBGB}xbV
zby{yR1Zf=XmX;O*M#ih?n@1LAgUp?E>3urWI3B<mFVorkOFgn*r7dp=1nB7bSu)VB
z1O;S1mt!(1=Meq7Ehvw~t-t@5Wk_c#dwC;xQ2c|p|9$k<0V08g+PM8<kG%1je)c*}
zx8wJzHGm56<veCjv0Mecp&$y$9NA9K{Ju5*v48Rxu=$TBP|I|ZZSSm!t@x$LWtxC1
zk06keo%9(ymh=yIY5sS@|0r=GJg}q*wJtSMVL0&9T3L7n`lI-7>TLp5nP@ue;l9A}
zi`xHZuJX)x?}?P)QUd-gpuYJft+Z^N7S7EZ5&^YV3erxVA>`h@tbZuW-;ae$z|gVs
zr}F`AfA_@wPsgP<AR%d`Z9uD>N&khO;(7o*3Xj*?=YNm&58gET0ESiPHNy`6on-)e
zim5tzME<|COfR|FGi+BO?<E4OqYX(+)+kaEGjGX)fPw~`Yz!trVK1dq-oh<I6S9&1
zeEXCQj5Xj<^f|KW<&{wWr^}zBC*0T}h54tG`~GJ?9Brv<U~qm_3<WJO@95%J^s0b5
z{;#Jj=NtFqEO^xxq*v^?6io1b<#>r)`wGxa&CXOZh0O&?9yhF-sccwUFV!#&k{*aO
z+$$BiHBBM~wAN3`W*p{%71X0uPbmU->mOORe$HnI2DW7BajgA?`u>`^xcyzgn*8&8
zAZIBNuz(*5f5W*y5%-f9&d%|$A5LbOC;DE;1+^?Br30ivE+Gj%8JmEOlqjmLHr|N9
z&G<V30fEX`cSt`!;>3^)hTUCUIy!jcq{Td#xE4dY6dApGuB4c#@ZMZKVWsh=+yY{e
z4%y)=G5tX#k@ea>vo9{H=r%S`FZCTN4<>3;ve8ko(H5@CdvmhNUbQoNhqjVQ`{p0%
zr{%1f=^&i%ZPKUmhxEvGGsk$#Xh_eZ%{xMC33GGPmhtWv1XoyG2x0TlCYlsLC=mv$
zwLBir7@n+qzs;||0=lTi21qQ&1t0b-FNQv<owBrSJm==-LX|gYC8eg8w$<N^UvT~6
zr8YhRd>?CnRGD-q9<YlDk+lOo&o1ta`2q@G08Ce{-(zMUvbxt@Ps+tnYs1BUloQo4
zA!YOX7lvK!+MsgZxDd@A#{i9s%Tkda)>C-Ty$&O8d&rC@^yo4Durm)0+qaf<Qq_tE
z;~oetN;JJ-PziW7orHYucHm*{kW$>7$WcK3^!wGOr#4UP#aM-?%7I!Q%V9Gk&@)Bz
zC~^f-0xiVaOZCo&)=t~IY|3rAAA>1fX3UpBr}IDi7{Iraeh-cEX!WybW7nOXqN)6;
z4EYe|i9YS`NMW10o6+in1p!1`aMl&h84wj06TsXSuu(O%4Zlf665&Sa?noV9x)!c3
z$8`xgaxkI$4m;!Notrug>34~)0n4$jThrSf75~-)nDQUY&E3-lWCow_!GYT#E3a}`
zE-t2K2NMP(EUgHMKQqH{E;IS((IPVRhxTiqhby;kusLxggnest0nIs|0HeLChj+T&
zOo`I24na~8U#P!vR9|&{=TckgGGn<8#iF(Rj>A(cs9RfUJHul#ndsAXFQQZ?;Apwi
zPL$C1##qlE*YjH2fSrxb$McSlT3YLuCHH{llYe-g!rXTZqT~>Rt7IFjKv2*hNE(;W
z8TWP0=cs-#x^zpVQwp<%58z-&a9*&Bd+vdLzTJ^$O}mHLCK2a#Q^a!%UAxmCa%4qL
zD5|T}{mJh3+C!t<yah(MuR?Ru@ccxzW%Dx%u?Cr@<LblGbsKWUNV@L;b}JawGNX6P
z<fy|{^m6J>&D~kdZIzA~0(NX?H-i+{ho6UGpSX9)di9EHL)}_$?vUK7c3Jx+oKeO(
znUF!jls34fT7%^w3=T%_7uv5;Ar3}-+C7vYGC%tRrKQByTDHX4?a{t8Y%meB3w-UD
z8yC$G{Ms`QMQeNJT1h-}KvdI*Hh+Z?t|G-50Vb#(u$%FW8sf2B!gR6hh_hYicWkxX
zi{_+zMq#8hj@4nw84T0|*0ny5M!}uoyRZ3*@ZKWBOG(oMCCrWf$3bq<0*xlQv>uYP
z77c_<k+sw=%6R67PaH2?Adk(W{-TTWNMgLiuxW#QR-BKUGA{hg=Hb(Zh>_0iR~Rk2
z2iGp2Zx(cwt91PIa!2aa<ZjNCwA}pw$7i=U18@u?b17kP{@7FgTVS2qz^_-l1wF96
z{(!&$1;xt7u|4A5=Hz@s5$!D<xWLy^Wo$`LJnjMv6unt_(~wcgHiwwu&VZVh{an|d
zJZd}88MXam7spe3g=rP;?3ubA`*V;Y{OHAFh3RDFI1f@P`!~*j?a3NHc+=O<{)+GO
zd&Z@`Rz5QTAMs~8mna$$X|;_{b5afWQ2|GAKVy~~BjlPRYcp!!Ju_6DN@KPHk8KQ4
zEz^07;jhdTgw?O<Uy7_S+-qR6{lu{Yw~o%DVOQt;ifJ&O>h&{@Wp)TIZE$XWqp1Lg
zFEa#$qWla*P7vC_trER}IFz>smnHPmtFj0UM}1KLc!)>mOUKwdKu^nHI~Mr)0y5vD
zW*%rte*{{1hNtTXZ~LB17NYGOz~4FV&WSkv2**>!fbp@rGha}CYJ3JyhA|5;<a++%
zLpWyDA}tbixt&-WKO#*KW48-TN`9B!k9&9$EhWnC8O{-g!P38M*%1bTNX(<3SlAi#
zT<vtB(|SFp=5&~sFi~f!^r+A(^$VV0l?H$(Fr8{LNO?gXFf2&O%Sb{dzG}p9-Ps4M
z#Fu{jQ1k^}Q)V_!v~-y;IJ7+_n@<@Zs3vh~!97K+dh1?cj5JB$Qs&OP%uh9b45WVw
zjVg^=-<KGm!MMrvO<<8EGSqgOH~3+R`Aw!_HLxMW1$-E_Uhp-=qH8eg8PF0NJuYhl
zO?CyeKjBh{p#w8kh<u$~=dG3bF}y!-yEwb1a!@*P7fQ1~->+P@gD+sGmvtz2kmpOX
zUIQSX^#<{7zCLqU!woX2k*24~#y{#-0u>2Ps2^49V%axDJBtAY`BZuBShRY13aPgP
zMD34%A|}qqGSn|ECe6=DSg{!59-uQ(Th5|bsu{tUmY}yIoM96a3HV>sst&g>*YJuc
zo^O)=M})X^Oo&w^2({0vq1a2OM6U$ia0)#F`|`{nxz+rTka_LH0v|+YtaEa5#C(W~
z+efw|xXbMgC$j~d_R}2o24~FF-LGd8Rs_y|#l7mS09=J?*+)fYr2;BHIawHgdU07|
zyOC;(vh5$%8L{pWvHW1~Q}C2q{KH$|MJ@<3FN8^Wqf{1k!>62cX=|Ii;p^@>+n_y6
zk3H5B?|dC7*YXpT;v+Lpy3qUDkn$3Z8L9Mp$Pdt%K{y>+p?*KpyXS{J287OA1HnCS
zr}je5Rd#%|vY{>qlP$EpuN%n)vuX<QO9ihES-@qwuvN2^ee1iCPmjUGo<Ax`2?TuY
z=x9*8;gP+Xl`TvY8Txq?i7;bjZ`0kZf4-SjfRg$8gTq>GUlRO=d3)!qZHmg2FnfKX
z<>FbWL1)Dsu$3}xg~^rdH8h={<*k>El$T5-BowgM_L%9pOgdymh9E?;;!*%YLU<sT
zB(Q%HPRk8-IVJa<F(xhk9XE~Rp=%Oq=?L?_i*$#FJC*X~1m8zvP&Hp)-zuxkFC$3|
zU}+qVT=Ud_c0T<Nxm*1KrD1#Z08PfFUVYir2S7@?w8Y$89|#7xLL31_(%6({e8Nmv
zn}~|;EQTU*i?5?+!ffqe0WpZQ)gFZo2REnX-A{Sv8@^JoImQF+;1_m+1Ldo<uPH1S
zDo0vIOZ61pxtamy#xwN<#6$C=?_IR-+#|FHCLs_=jg8dI+h&J(GIMoVlOsc2UhHf4
z!%tWIVi&|23%B2Y%z#sdmenGvCHt_x(0<Z>Sx7sIK1e&<q+w)De_(ybj~Q)41#aK)
z0rf?G;3D)}MCw3A2enXJILk&KT7)q#K@Cz6RqRF>m39s(%X^jPcj7K5Y*#06-d-Eh
zjf>TCfQ#lzK`BE&(Hl*$wM3;Q`QxM2Zc}xIiK#*h)}AbYWIW$f&<6{4sp*KsKh@C7
zn_y&fMEC|U<=cr!2nq;nt~##w{T%0xXmh>QS!;DRTCP7Os_P2-C4uq|h5%$EbS!5A
zKmkyR`bR6-*;Bx1qb(nM3O&}h8ImLnc=pF9H=8jg^Ue&NPPiks`vwMj)+2+RZ8g7<
z<#K+|T$VkS@@2+?(;4g^)3|Ul(6OY-grn+;`jBpWF_7^{cUX_M1Wj4xSw7H>GoK^Y
z;Q@YO)9rtK99i;HAhKb9eO#;{K!y6raMTSlo@{$VE-`SCrWGV2f7M!HTiVIl|Etlt
zgOlkTA8o<s@bt2rD5oP_MXce@9k4UrOr%3n@@VlW+qqj(&eX0&P!Z3v$Rx+~0bj=m
zp6>K(r;E{w3DX^2@Y`E2Eos7V%N1{ZQ|9b;)E}FkS_54RHAV`lI=W-yUu3l*UjSRp
zm`~G)e$DuRlY%I|U@Km@Np*W?lke#c{q7StWxceYoAI>hx#lbvLbGlqV@na=r(-&j
zgx}ls4pfZ$NHwWgin<!7*)$C@cU0GZ3E<)r-1g18-5%QC*Ey-=Qoa~6GYhisKkoTp
zRN?*ng6his`LjAyy!y$_%CCu_RVYB?!>#owkP2(PBJ_Cp4O);tT14&HS$tyHlrdvt
zMdW^IMT=Nn1{?3V*BWuP=St6D5}@v+0=JlgKbLs^m>m)@%=##hrIj!@2;(3SQ6E;z
zbr@z(chHX=$b`dp9zM6f(i+BEZAj&zS%WUg&Hycl^R%C|KUq}8q}%(VN9jil!e|n5
ztOmAKS5P2=6$cFR&9VP@oC^<)VonP$Cc_1}o!4@s<m0|>63FKfVus`^G+4)>t%)JV
zHh5X?-bYM^qXnD+dFgLAN-#W;WQqp2Nu<}DkdvqN0Y7?oIGAF98n}Jh1~U3r3=Kux
z5jfd3xIsP&2H+1!nS=;O8qX%zk^Z<!;N`ui-93&>O8*ABPSY1`4t6n_N_OBlK;SgG
z5z>H4-4{Q*-i=?Ubi`;B5M^O<q>Y%WXMo$5ahO`O7JDV<L;nH~KL~L{<}A8eG@lQ)
zH|`8sG4hHOGxrRhR>G3*rceD)Tcl>d!Sy%5`483s9BZO>S?H-Bxh`H;yNLvL07ki&
z_Z$j|naKBORF^MdM?>u>Jo%tN$shw+P%L$(p)oGgd$pBfI~ZRqbtHxiRHrp#g;|5d
z&cvEvkg~I@*P}Pr(=*-Hs2cc;UF=l|>%S!qwVaG!L~cU6FgqOSV5?vJm8mDVCIy~)
zzbLQDdI(tj)eR%w;~Kkl1eBh$9Kr%SeX6}|cWU`*1rrT6C!C;Wzz7KZnB5*aEp?vF
zfo$=<P388htEL*IlRm<wO)eH2m{i1N&)1Q`q3?0BWRkSaYFah;bYdLUD853R--e>S
z>7S0KiUO3}xjsfvFMQJ<Zs+0DD$&yB1*8<YIze5y=8bVzWGoa|0xn8qFAuk5(PHdm
zj+7>i5qgWMx+vPtX?o0AZiuNGD;qkuE{o^mfA%E*x3ti?3qKfj90<5Q1q2k-cwS*i
zJQkT134rvy`ZY+c*g$4JUNm_`+S|xbTL;jGBxmhDCH$;@X2VC&_aQ81GM-;m=7N*i
zqg{HB+)6h*kpwJKZxw~6r%nwgZ)4A5BKI@iGSBTt!IR6iGFHKad}f&q1NwMf(C31H
z$(oZBMsi#|vXL0BJv_D>X!>gWJg;I<2$G1ei<h&7h^v?$>3O`wB&ZPngG%>(t2Jiv
z!uQwp1E`R92WjdXcv|ZJUBn*|$oq%_Q2n@eKV7heREGx&(bN2-PW@T|*#=!;9c}!L
zq8fzpDE!d^%WquM9o@9O_+w5l`4}cQ==q>xBGWd!lh(_bQtt9f!2d8bK*b7ufLq-F
z_vJ&j@Ou{%PBicHJT<6Dfi$NPNc4GQVcDJAT`?w%qBJe+*-M^%`gvE=cwf%IiiH}W
z9wRP<sfsECpSAxf*{-V0=GV$oCNrP_B#WVCpUwbE&D%+Vi$wLFS~~#JLbX7X;HfS4
zB#&uNiv;s1<o60;Fl1~Qy2_+tBhD`w_FqV+5C~8mn(;!7D)<%p{8^sx(gpcMY8^_T
z_G``JPbOx500+?X9?$^}{4e8%!+*`}r3*Ln`-L}uS|Xsg6To#CCwOPb|K=Y5OG8)%
z0eE+SwHo<f%3LO10ME&^A+SUCYuV<{VE`3_52BdcgNnb1_^*23|6Sz&TO}zk&QmbW
z>yC_!tWXLBKq<e8T|tmXW4Xw*^*c47G^!Z+s3ZoY7TLSFh-PeTJbQ_`VEo(nkt!jT
zDN%9@3VQnb1fb&OiN9{~%R|l>0Od>;f{N<s>i+TPkiK2gDQr%E^-lbE#^N*{ZEZYR
zSy^dm>34u~hUjgEceE&Cwf7NuCVr@-q@;9L^vQ{tp1!`qyqxy$b?O-tpzExLf`S5v
zFr_3j1iwKZk+K)X;#HCg52u-rF)1k+S1z35#4(B$y=Khw7N62Nf3+HK6a38b-5L8d
zbekMeioyZFa$`^<R!ftCj{*j7dU7ph8=0^B-k1|0nn4B^9<!@;@~<j7XbXzygEo2A
zp-OWL*Ple2c+!9V@ACdKi#ll@jcEnunBM+=o*)UIhC0>GC~o;W^k|Y_^G-l_1(ZA&
zNnY~%%3r<zU(mgixbx57|BDIFxBx8C<hkJ;(7%{sB><1=#B5Ogy81t<tkVQkUsYeJ
zc;5XkRDj<w1GuRLLMO4`*8|ucE<^pAnLFnR1@}KM@<0EO0&p435Non;-$@^Xej+Wp
zUIzyG6(Iac^#9SzD;OsFN=7d>jlxrq@M@oMOl$VP?uGwx7LrxGbJH8a)C&Y0`X->H
z1S&daIx-~=rmd!?hkX=KLwYN!&RsYwqs(4)<y=r<Y_v6;=W-Jm%a1H4+-M;z9nYX8
zbElCb2xx~rJJG`z?9~$gq6V0_8<jjkeP;e09Ur-z+@Mv3gyQYW6zo9O((O?5T|ZUr
z6x2nlY*q5bWBNM&8wp+nAef3H3NTGgp2Fw!ya;MwFdsOvahwT`zJYczGY-^;|8<=D
zSL!p1!C48Vv#Uj(fZgZ{#g>1jD|uC*KG<8l4{17RT~-f5j?czF^d)B;eq*A4P!Wr4
zC7#J&Eph|`mKok*xi~k>X|jrofRY5hucb!G4)P6zfVNYJc&CV8=;TI$7nSNxRzB$F
zg$WM(*NW<YG}RR-07O*Y*Mhz$3|+@It8ZZ1DQh;tISoy~@673C6XNc~yUU84v~=Ra
zPBwH-#o))Jh&n&0@Dab@#<R+{wQda$EJbl7spH$-D|sw$C?RI*`V556gQFBYQ6R9?
zwYmCx>PB^Z^F?S*!I0vY3Pz}%6Q<Kh7(|6R672*@czMf7wU70Zh2rovMbf5xtHn#?
z0{6uHOy^#=B(VN1)Jmqyv!hs4M?&~B>k`rOGm+S{`S#rQZgYB7L6>iK)JdhUK{4q;
z!;)`U&dd;WVy5Bn_^ieno}72Sl{T;Ze6L2x3N&L57q)hq{3RnJSV8Rumzaz1I3Cg<
zk%&hpipIAFBl{>I(|r5khdr}yPkRrm-DgFNxb2g(AVu@!EM2E}Q&R|4yPb5odTO-Q
zS}b<P7W@s=r|`D)@Iu>L7u^HvUmw>9%^!4;DU2s->6#nN-pNURU_R##-YyvLh92n6
z9Wxx>|0T!%kERs1di4Mk9g-d18LT>dcC!WaagyUPy{BL~_kY3h-%qvO7jvpE?DQF9
zxf)o$y$ukvK-n<q?eTTd?iPcpe6jKn5%Y_-o~m|Na%0g4mz`$#>fq2P4iP`%@>7CR
zJtf!}abUANTsu%~$g87*#%2q4Gt9i|(;T%rM?k?jnqMPd%a6<8G$-pRBe%;jQ>Wd1
z#81|M+b%d;!JwPiXfakIZQNKM##Oz{YKC_s;Nw!U&i`S`e?LmY|EXG#{*o0vVC%2J
zrpYY)1NoEs57|BlG;S}P2wMn5Aw6^fl(t@5U?{eDZbvgcVhy)_L!2qrw-m2ny2^ZR
z4>PRdII|dh=^DiEbxT8v3v8Y?6hmF`P#$5iy~jAAL$p!@F*qDMBZM5ajRu5ERbG($
zJ)S6z_yq_iU>0nDd<uQBr>iOg%E@s3cu^z(Zax7wCfnF+M#eAfOPpve_VKCCnE?Cw
z0PKMCd83#GuSD1+nKo-jodzxA?Y^lznYXAAmHabo8VFWu-dVtR@+Qxl*B=u<JPv5&
zfLdBuw}r)lHMN={j~hgpgJO6gv)J)yNTgaS{7+bIqF5oid+_0Rx4-$8pE>Q6Z!VoM
zW3w~h6ZmW#li3TJMIo?RSvUYyUt4@)v7!A8P5r};u4iM<ue;XnByjx8`0?Y{@D>`B
z(uL5p$1!2SK+U7d!3n$&k!tCwsHh?#s|yIEWc$Fvc?2$mPtK>q3an@;_|!$!iUnyU
z1miL0|18e`6~3&TLCCR5W$d|fH;f~wPp#&!=Q{;}amPI#uwYNPefHNhzBR;`f15n;
z|5h_ZIymMR(t<%8+6up_#?<fM5x(KOYZ^)Hjg0)+dS@%QVXRcw?jwJR5zYbO^0v4*
z<xPLux1rK`^4vmpA{P=Z@gzprTTSHfo&p^!b}|e}aw~$a$dwr<arb-kP^>8^z83p|
zQFm9J3rB9<ej#qry}+X~5N<uS+4|?LEiz*gQhpyKkx4XY8|Z-#J|_`<|Ar%2H8W+s
zqpcC{oa~f4qK&<|Gw5J#6P~_hFh2#&?8p<6ByQq&MaNTNY{D;=OAW*?q19T-;<PO>
z4K&Vk^&T=nz(U0z=#8ym%2hMB8k{C0C%)`{U~OU-;}P=zfJRuD^)sNEjFK@&J4ZUS
zogH$W`W`NZOZB5+gfyj#F1rumyX*vQ{-6QaZNDa=i~er7758}~akMG0^YS%9G$I2k
z9$8X`r$i{R_eAV$CJv&}sTmaPcTU^F9<7*4px$=0jq<6B7c^{Yx&NzZ{*5L!+<=jr
zeU#*m988u=#UuH#a0ln1XjZv_Kf<1c^%!o+;4XvSyJXwj<;Gj<tOxDM*wg(S%lgE<
z?`|HCMm5{x;S0H<v`AJEk>2^8ps4YAZgY_3K}X7lT9w(zYk}eMqRSC%)6B{z1RD7}
z4e6J1y#Pj&86@|Xl*yL;x&x#mZ(VDFACRTKLV~wK-4_H4?#xh8f&`TJ_oRbNLzQ@l
zE60pooGdqeIFAu{8a@n=lM>ZJ;aE$)?~9&kb+?S}JQ_X_E8)!iB<*}6qKJ&6QH$$W
zAh&W@`Ii9aJxnE?#S;{427R{FP8gHxMnb>`oZ0?je7ICicQgmnUld~<K13d+%>ddo
zlt_20tGCMbspkVsCutjKlQWxgstYuG5tR+)9<;bK8LPu3lIESud+e5Wn6=auY?86m
zu6eZ=A3QuDKbQB}$Fn`B8mc|Gi$p5MMTxhY34vi!1I6oeTm5sqjj!=t2ha10;;$y0
z4ymDiNze@R2$I`TEZlvi93Qr#mMx=a;($-qYq0bobDj_(=jGnQ!XFh72iXCfW=d;U
zTMt=~jUEqAgz6OD;oqr!4co#wU1538I~T1e=_&hltOcb5xmQ-NgvBIy4HUg&aiWs(
z5O%7l4A2C(aS*_9SPXl6NxBJDh)r&=>kiWNUU|65giU#}ONU2B6ZTW}SS8@qbEVA^
zYtx7Yw5AzsgHvLjcRX#ivu1Ryg@h})M?jl|g~el<iHmPUE(}_&6TQ%7>vsA?jO4i0
zhc#`Kd(8fGSmPf!$E1v>k6!fK@a*Cup3w*7R;wS`kVQw*-*S6FAVP&hzaVSYVGWeO
zD?u-gNlpxvhe$sl4B;PL(^VVsBkmm#O@m+5q8Ts24N{$P$oFweWkt)u9(>g&z%^;<
z_5n_1LoTVWuUBzEEW>*FPc#27@SkTEu~0da-v@9;bG&<cwQkBVHZ6hX;@dF1NF=Tw
z2-Ax(8AN96y7Yq{Ok=DTUPQ=znr_&2k*BKX8dj6fzf=l5<^DJ-5Epc@qXvaFZ3#in
z>Jt2Qz%I1x?|AhOj48bgLXJc_8A;gL^)DI<1UW<KJ(Z2gbXW?w;O1`={fG23f&XZ}
zc^CGdlbyd>voymWnL<(p#rVIq&_MoC2LWO{`|>Md{9|mMQ6xZWV$fdxnc`otEcqXG
z5YUOn-wHN=4#Ok|$c2*cn=ecMA>6+o3;(EtAoFbh+d^i<|46>}j=$HuMR(HwKU!qL
zu(j%5cXo({qGhCVn55(6vMt}g@R-!92?P^^wCbJY*jD~j%)57_og)0a@*lqW&wIyA
z_c38%c%s}l-9yK#mn$Wn{!5l<H3^K0I@&n6M`^(D<o5jIngMb1{M1>-6~_G%=48no
z&c!gmVK+N`H0*Eb{8PES+Pr#l5Dh{=0f$bkrjGF-i1*d6T(CZ`tY#+QvFtDJrE*+~
z{43dLpqS{SlOk<VSGCY9ocr#qL+(LIPv$ZzB=*2hKgI|g2|D+;swH3Mz%%|i;eQo3
zfwz;+8zCq#F=S+d15KK=p^DBhuVg<kda%Z%CDjcvnDA@&zuJjBk+-PS$5MkvYkS+i
zx->O0vtD#enIs~1-_2Al7iUfV6!oz_Gx{#G=DQ?EYC|nEbG4CuSj@$_pKq}|kGH2*
zrYstf04VV{f6(n+FblsLB;DuJ+cMfl){NUyJJ}Tef|gWXgt)~mf0>>S-9*Q)%Pl|e
z3QJsHx6hMAh%xZI2~V^kNWY%}H{yW@DyUOfklJUdo{ra1&mWh~H#f{KnanQFsn*Rc
z6_=^?E%`k90OO}rBZ9+y`SRsPzkYpR9Ng3^61q2f{#JW%#Ib$-C+9xf{lM*Z>bOeD
z{(6$`@{c=*<&5{Y-a<h`7mzb^WSH6%JMZ_$V&Hh*0fGGEV}Zrn0E`G;?ThW!U{>?%
z<33r7oKV?!nwh-)be&~j7Hn~+QY%wU?W%lFz0E!k4*cM6+f18xy7tPW<j?v`l%Nhr
z5hYOw5PsP)TIw0u3|f?(LD&`$QKOMTj3c2{<ExwTNGjdB8K7m)R5b>r%H~(C?wafQ
zYA$-IYRNY9g6sTWj#3$fI~t!rR-Z}?YqMxcwZ3c%o~dAh<9fXV{^!Sp3-BnUs5-dS
zQeu?L)&tq(yDs|<sd>uP+h-A1%pp`U#l!V;&#D1aoeS-<>xwbph_sKWk-a1h^A`kQ
zrbf5WWhxz-(;dp0m%;1;hAmErc30MX_GXgt!66}aS+(B{zB@6xt|1`D$&)=!@G&|l
zd*(U&CSUA+ac^@=<LoX8Uu`}LTswSld$CbaZ1U<Y$P$8<b<^-eDI=d;B*`e;hCR=b
z;ft7Qmbg!Db84G4T5NJ`75bIkJny{cP>d9%w=NzSZM$UKp1RD^SPY!(ppj?mRFf<P
z)Eh>+jm*AkRcLk$jAOKrDDJBZN3T=`oVDEBq`5oA&mqMY3hhID*SM(5=ei12MEzj5
z8YgGBeFvo4Y~V}J;V3iE%Zj|Se>|seij3|Yjh$h_U|{lH9{J)p|EJ^}O@^mT#LFoI
z3_6#llm@$a!P;deN`;l5+48Z_dP?>gQHcHR6;rd@RTfHb@8LtpxO|~g8S(3gL3}Jo
z_NI7gzYxbiCGw|$CTzS7J`iEYAtfB$XuZnRB$Uo*B&3)5H67b^m2o%d6SY*xY{h5a
zmBx#hVp=$ls34Lk3rA-?;&_UVyZ@*QXW!%Jbl+}jJ`LTz+HO!f+Op=m8gF>bF3CtO
z&yhqg=vZ;fN`IbaNLD+ZuO&m2uQf}je(Vb=4kSDrGp(2ji|Hs~;npZ^R%LPRi@!2c
zs$lvmC#cRDpM>)y=IC%<w4S=ECWqssevd(}pn*Y1XdK23oF4S6YI${Pf+TCG%$}NU
z8$>)^mwja1?OH!9(Qi^5WEum0w|rsHz+I*=IAfAPs*v;HMt1Tt@8M@?1yb$C&h#z!
zR0k^R!NCjLcTqYrD0Y*w4HMc88FTwIs^SY$>a~J$4OeoGzLJg?cmFvH%K5!+7?-0u
zwBWmG#%3iUzp}D^SeB-IYB)vvu*c8YOU2|0^0R?1<zdFwu)kR9AF6|Dw0H$82D}0t
zO|wrk`P4^|?I)w=DI9j)DRCW`u)eRPpdSW`2k#tR`l+NsGR3qcE;c^1`}*ExyJog|
zD-<ej@mBfzbXqLsGX8M32~>0(4bHr_b*4LpN(}?-OCIFH;tc<zq1eg{ZB{R`ulWMZ
zf*;Y@0M_JI6^!MP)CJ8i_V|bN-9kWAQDV)|0+*kOFsl<gL4i>az8$IaPWvx>9hmet
z7ZEKpr&y`1841tmKhq$^lnon&H9n9dR4;xCrpKD65=&#htIN+7e3_ACZx!<o7K<;b
zZTx~U{9QpcK363q{@@&^t>V^@N>N+e55d(u*dPCWS-psrcKK*xP@zx+U+mXa4Fx25
z*2S=S3QyY7NKS?-T_1WXx1d-{x=O2F<PaF;v{-3eBMy{vV`teDXd{T<cnSn^BY{iI
zD{>Wu65Uv4J3S?5f81wC+Lop^Tz$L=9K8e5F(rrb>Nd}D^BhX`PBww7&3@co4yhV$
zz);M4j#4YXqvJY>c$H2>YK>Na+toE(lGC|V&`xYN$8t<wVz8urb=rI@NNaJGy~OpF
z8a;YiiKhK$R=j%+za<s*6cMUMp}jXqSy=ATfLwo((Y20yVoF75V;xHFo&Bo-;`Q{Q
z*3pPu|50EmNSUhI`mMA^*ykX$W|yr`?l%(YYZ)#4bzM|lQ|%ukIR4?)|KsGpazpe|
zlUifd!Vyk>i9E;l)Vp$&dpHR@ltoHu+JrEg{2uo`_&hhNKF+ddl1{yx`}2K#xjVZ?
zL#jiqhwCt036^ZutLr9>%aaz=tmOhcdi*M{LZ1GSagBH@O8M0gc5zL>&D`BG&g^Og
zXT^rT;qmv7F@<V#w5QQ(f#%1id3i-Fnb}L{heHguhpvMz7n6gpyXC|4wQPzzOdZl|
zP8BF)5AqceBXevd5%VH^HcXC-kjSwM@x63du06u{VZRyaJK#~|A3NgB?H5e+qsEgy
z(XkFg%}=$Hq7ouY+Ng>B$+mby)0Uo@Fvn13?IJbD-_NFMmp2XOd#F6C+Khqm?qjBA
z>TEgU5)z7?<OHs!mS6XoHJp`GC7W+N%E+M?WwSGhCE5f#*gXS@*B&xas20Dvi%Sa@
zK<5$i*Lv{D)XoL5jG@<A2bil!43t9GiCxZn8VpAqg)F(4<x4C$JO(KxjA1FrXl7Mc
zlPgu~%~RVLWPq$d=O^Ga^71`iNo!1;e(v@DZB;zOAUYg5y)XM6)!C{MZFlk4#m4s`
z^ZOyj!dtBBJXI|{rpt(6?~zq&@<%j`7`V15KSPjP>L#@c;bfZ<r{zn<qm)RkYc^Z0
z;3Ai5mizeVEKd#`1v}xBQ<F<qnX7H5Z-y<a=FMsj6zRzYiBd9NIJw`fHPk_!Em_eP
z+B;)pkK0{~vcA!tjb#$J<;>o&aeBbri$0d?ks3Hu2bEs=n^qNCu7~>eKQqcNgka}`
z26{{A;U<(aMrU*@#-*(VoJ<q9zeKKLxk4H_c<h}mZG3*?HEPp&PJE;1FvMyyP7Ivn
z6=DyvNHV4gm>CG!*mxCY>n2xS)$ibk^?66n2wCudg8^Qh9;mpai(fEd_$iUBq5R1y
zOtWhwSE?~#|A}k<v;ZRx;1-&_Ne5^LEHXbuN2X2a-$^m&@yg7FaT|h$f8!UDiFu@_
z7)i>%youn<xPUhw+V%Vce-q_9U<pKAQsZPqCA{B>=D~miym_xh&&U5}ynG0_SjN$y
zk~bpAgaL<(t@Wl!!h6F6o@o$p(d4~eg}3qe1K`b4XTk^^{BKx~C({@hgh;}6i~KF8
z-UHs4Z-^NLz8#Md$R|3V%^LZ4-htNwc{dt_(cuf=PkJWXKf<y&f4+3$<Vf9udGl4=
z33T8`%vk<zc<1d_QBkp~buKaS<n`0QRm{R-1r6sgKO*KPzt-IQ#FgJe^E+TFl!by!
zLIg+(qLMZj%xNjIw5gqt+u3nSV_udcaufNxYj*R*j(jdVJW6A4;)b`p5(7!bjBQLJ
z3_2wHj>aM_l4Pv*K01C69Rh1f<%dn68EE+2xQ2O$+LDeKYa{9#O<1btnGR`Em53gB
z(TGc&^e`1hKxA#O8;D=kgFV3WG|5)S?fKoR0h&?k&ok|daI9ftP&^C2$j!j@bczu7
zl{>z>*8lzZ8!Z3=sg>d#dQnHI@!Udf*M1`*p3FnwN2FNBHkI;!`R&V3kYx3dIuX7a
zeYUkma|yw2ZGkUY#H$ZwEu;vF3l8_z0RzW18GED7MK~Qo*f>cu4QCwre7_6(gs_ro
zcHz+1-NO`5q_F-=N_?q8CG)2?PPUwwDHr<?e<Er|HfbSNxP`o#paIB!mu)wRBcEea
zb+_V&>*3lu5y0QcAQwB?&bH4RR=H55H9N|DVa>J2U?$Vi4xvz7UYW=fN!!PNvpA!A
zo)I5}2pY+_<9MSRtXr~)s)DW0D4`3Xp$^aCbAiXi6nIRV?@o*mt5k4<nh#cj0I{fx
zdAbUX8oNSN4Dx!Zz_#}5Ve`RBBqwrim~vrMVscSSd0H`4_*i&1*X;<7-Mp#o&d+m<
zgp??o)tPf+9o3}%wTo}e^TecNL^AgFb&xeJQZ=teO}{$=?`NV)%h&ym1kG>eNfI`a
z+-X0i0i}2FVoJxLy_KJlT&}E=x@T?Tkn`h=i((8^cdR<v;;sGRm|50rBC3t#T6j{a
z58<Ekhox|G);riGxLq$a{0Qnp`(Hx7`Jj}}oL6sOFJ7XnVIvkp6)TN<Pe$%k0i2;)
z33G97CT(&V<A}VqfO(EsXtw#cY#`|#S5t*eo<ZOw|2$^wJ`(gAlCLcvt|wzyQcE~8
z+*F%PnJK98xRxSNpcB>J*gvj6Fdd92`ok_TV#IUqHAb#>gT(Cq$0r%&`<R(>v1mWU
zN6*LgNYGCu9h$ke7O!PrJUW`M4)WBfIfd4_Zz*>xMyGMs)O5sbTaV^$;nL`Jyx5(N
zug+=qOg1mw@*K~y;f1anvOwg~5(;Cb%M@opXWFE+!dP1)T=WTz1<vRtUfr5Ze6%?{
z3qR=h9rrkkDQp8rvvvq#yC?eOVKBN*K9Gtm#9tB;*Uu+HkR0@Sx7qj02pP*bcpHpq
z8PtfG?S)+@ynkb$s#=-aOFbTkA`8I&xuueq1%#y13Z~wj-eMpt(J8DYB3og%<esB8
ztIv-e#wsfOsG;nF#bwhQIfBPwj}{XW1z|Jy1>y6@w=0=70fwd<fx6c{RRM_sQc9^z
zyp9@9*$+2o<*3-LB7pmFN*JVA1tV77(y&|gQt`c2)0i*hIq!3zW{Z5+iAO+?GiF4%
z@4JwjUqWSW+S?<|JAvc)Y(E@5Sof4_MC7MBM4u&HV%d)gS1po)l{*Z3+(#QD{k9-)
zU*WGEBczK*x?O=K_wZFoDAm=4W%hRnPvkW^#ab0qlZmiH-;d@*9G|{slh2LJJKu7Z
zh-$^Bx1YN_&kGnDotR4<z<M^Px0@A~JKwRWrZ&j%R%mfI-qM+`HA-TzfL?bvu9k*`
zW8}ipNXVsyQB@PcS#O6Z1I_c`mTouz3AchWL$%+3Y2ccbpjmf`F88==P_56BuCw?6
z*|J$XmjOC1@LLr7it4=pMpW)0<kmV%dLejhw=?Rb6;~%>GT+oj)nYulh{y{?XEv-Q
z#Shp>w=*(`riv4pH&@a$L)5_kE*d7cpId&kfH(A@#*LUuuU=4mq>3Td3)$0uIAuGo
zs93GFm~^^R^MEfhbei2YNL|d4W`$@Bj1ny0wCZ(YuaK*VylX#aG3~IqSj4vWCIEDL
zAOt!~BT!PwyqqkeP|g&8-E;l!?&$qN^Pb>-`4Or9OHrA1BN1KDVcJZAZFBJ4p6b`l
zs9{nQvwE?DtC<6bHd7nhy3%ZE1x1El!<OB~o@Yp~ZM!~w)T1%m@X6{~XVt3uiQq2P
zH00Zw-Q<H1e^2#K)52&dsPRs#+><?s?gl+nPlCU(?47q|0MCgJ0u(sH6#cH4*z`(4
zMm1(v$;b;I<B{P<@}HF_@3Eu5;p0&VAXIW1;Rj1uR18zI3h*&JyIh5_sVc!&e<_8h
z(rD&M;JVBoy|iNBz(>(kmOxa4+^$Cs$DR|^aY0REaQU`Jb@#<^^};m;8L>d^tXYD9
zL)9G~il2ENB!|IpMK<NDIgjyabnN6<N%v{|8l&4RO2mR#gj>Bl2`2bb&C?_rF-*o!
zjNg<L2t-v0*ML`~*P%(|C^l!Z<8F5jzRBD!XIO(0i8WFv)em07b^l<jgeEpxmT~9D
z3wyI6*y!_#-1AFXUvYKi_H0s#-R#};bt8?2Rw=oxWJUU=nQB2xhARhpVxvwuHU&6F
zy@us?QxnEYAt?=;?+`~TmX+n$i)zJ`)oA$eWvWe@>AhVK7et0feNr~|LrEkhLe)wk
z4I|hWi}gJa7bu;|f(X#_pZI(%xLjLb>a3F1lG=oK<LXBWw6ll2`L|SlkAAq7Azl?d
zUQyhOyJos1W)J*(SsHPX=~D{@%VSMRNNOJ09L<dNu=>lh%bF^W0%Dg6N}AKv`hXk0
zTyD>@^-A!jYFy)+4fDxl<%$h8oi!X^_5F*@h=Y)(%$CRIW2PjxBhX9f_#R4>1{}T*
ztK~R$sAkntui6XeOTFINrHcj!$F>y7@_po%H^g@Q=92G!eRE|gFRPT@z^zqSXR0W6
zI>mGo*u{RF2vkftHt)kEpc>sGnn9&rruqCZsHReCT!T_l*eL%pGKOw@g^T4W%+f|@
zn=Y!xzGm)Yejeu@w;#bFsKH*VR9NI`Xf725Pw*>DJ@NG-F`T*%lb>0r162yFdp#5?
zc0ZR?JGMP>QGgm-2#xKlr_6VA7YT9nv93|8kA+*D!{gYjTQx+lCw0IJ$B=Uo1S3){
zlm(<f!NErdOq1g$o~>=n7`>x6R!ouzvT|`r@!8SQ62+7s`Fm20T+4}rBoYrJld=fa
zL~63EVyH?Wga$S)Tu#x-X-lb^tB5$uH5yt;2ugCk%qlFYD=KJ#>#NZ?*L?(re+<|3
z*!Tc*I?ZRleEPZeql6XN@2Hal{A775<u#HB9~+AGW=;WBr!iw{G>^Qla8TD&H@hp~
zV#c$6bO-~rfJY&2PD!5M7dFF_gIO(oJFG#K2qn|Z;j|H*<YKx0i-Wr{t9lDcOQBJZ
z;BDjq0|wVN%kQ&+*S2>$ybg5Sj)AP+)IT1AFQ35P+Ga*P{K$ros!JwV4#4JEpWJcC
zt`V#EBjIT1aeWJeIK9o~aFQnire*~c*LtXkf=)M&(iM^8iVSQO?3jhj)C!p1{OAu<
zF99pM5*oCH3`(vZi%K<j)E#Ej_VG3wlpAnoQ#9o6sCv0{+NiSism<>-Re=1<a3`+v
zSWvz;>g1YoY2<(Jw#mExF0cM&+S1a@tbD^{Hs1!>y+(7kPw}<q$kpoKMgSlrkpPKT
zD~>QEj~eQS=}KSm5ccya1k;4bT!G+~&^Kuk9o#}gW-sSNS#8ka$j7;*-VN7Wh&L+>
z^nPcmq2nct_{LDJtN@7-CgwUp&hIJCJMT|`SH16|h~H#W8ykQWjE%KjNboIKrvtnS
z0>YPgv%1bMJRWHqE4PSH;5QCX2apFMyys7TOM@?;SLV*f9X1;18!hPtWSoQ_0vX@Z
z02c6$cc|-vlOFQlIKe9d4QKq823S}?cILb7s)zK3NpSB0uRh^UfxMvs6BCf_feqXa
zlD=UQ?gzjtI-Y-#1}iJbmJU~_F#o2sa`pOT4}o**+JV$ahJf#znZ0<RL3L07*&a$H
zh;Q)E0g4twr948CAwwV$4cyEy0ivZ=V_Qbbi~f6^1^47P2{sUj4hdXLCLty`d6Pyp
zF(!xXemHu0mU~THax~JZJ}r{$TEEV->ll99)!M#l6}^;ZM%mrPf;{5e3INZB8sWrN
zCZRm)L?my(!AnsLBP)q(LRR0s+tD<Wm{J;-AZi#^5qIlzRQla9W7E4ns-ev{@&p2D
zrvjz|>^%t6KLrB09PJIqr6*U<)8#GMq+*PvWm02JUvIxY)^ux^=y#7qw>4V>z2*5Q
zZv&~rK;^Ev@>TXjRPNN3+(^C0O?9g&a1HA*rxIg?rI)LQE&JZ?6syjMU6aY??%MiN
zBU9}qOM#DvZ)JEw^T)<bdG}!0enxS68v9w5C1BT}AYz|paX0yR9J>Njt+=M6J35f+
z6haM8h2=PJvw-VrA&+8NQkgb-iB2p4XHM?oLi0W*+HS$iLsa4iV!WB$)|)IJtc<6|
z2LaXM>TFfR5Yx5SLR%dsdVlR+8TI8(#{K3xSfgA_M06%^9gT>^mtZbn*_|X$H=kIF
zolk1rHb=AZRmf#;4Cml-T5u4@5`H{BEyU5I9Amz6TWYQrtU}?oR8QZ2e9rXaN-l-J
z<D#Ya*qHkU=Ns+;Dn>s|Vi!h25Cd+MY_dmdjdqmVEqu>hUnJar+_xHa!gZujc?-dC
z$s1!Wm9)0f8~AAuWM#5n9h3-JW)#b;PS+X<lrt;L6st98HW$ZeS$fc`r5t^>VUS#j
z??1B=(8s8!f(4@zzPKy3`(6({l%d|iC)L9VkI^w;QquVN*#ZnlOf!4fUcD_&n6+7U
zz#ZG1!DY-m&1}5pF?)P@lR@nW@p&Z9bnz_xAnwWcjmHC%&2;7sy0+pu*Klkss&T>g
zOsA8JXlIllN?{(}k67Q1Mpl|(BFORmE=oaZ7uZ)x)%oMWew1k6NWOva`KW09X#Q0_
zGjbMF#AsdyYkHfC(OTP2$sG)K#xa~--FVH*T;sErEy}KiQn20t842~e6`qhm!Wg=h
z6F1EHqClL0fXi{ny{cNHil%3EIL4$_9|lX2m}I!*K~j-^iPGWqZM$sQtj$ILfa#A3
zAasr$>3ga{l^>%v?p0=S!D1!5QsUDP+YvL?i%F_U4XTzNcX{L{J<Q<`R>UaewQrr7
z1fr3HbaYhxHZ_X^lYR5W1@~dv$M(o^A8#Y!>I5!AqTcy&(M9@c9h!vmYh4xwf)dB@
zvCq{F?TOb}*pCAVm%Sw46E@^3%f&%4%nXDE3n11xg(Ae!a+*g|<gsr6jR2BU=bBF?
z*iSzLTAck;;J4-_lr+nSdYVn{lfT#>t|`coVCVcid#an8cbF+laF=>7m-jVO@R<Dg
zq=t^Y=GC?N<U)z@CbZ^ip)aQ{E0agt(#PX&6{7ih4eYAn-ec8snkktvyClAxVrmyr
z=s0`Ro#{R*L0-jF1CL^H^tQ|RcQ1Vt!BgWKy~Mr@W6;ura~?8BsnTlDHn&rrFg_Y+
zH7t2!_06naV8TNO1zdR}I(<nKO)+3+)DH?tG1U!5BT!NWf}EkH;Ec<&_7Y`m?iSla
zCN7Hb`SxSQOx%82nG%<JuGjH6b$}XzT){xPJFk>0uxh(mnqWA$fM?qwX4*_!PP!I)
zd`nq<E05gSV;G8g;bfnZdVY%}S{Vcb*W3l)L$MBDI`R4?lsWYMY>N^}*%;MCVbH#^
z@RZ8y<4=;Sm4FcY%U+R(XC~e2RRV*frU)g#At(b+&X!QGw=uZV(c6H=NkvJymG9V^
z3raMc`-^AC?FS8~2P0=HQfr3KH+HcKiY2ApM=>Wv(u;B!EsvB)kSEd8-^w^NIP^<Q
zqlG+OpWV$Vixd@%qh9VJ&>#ourVr8&A<y$0&3eyZ=AD^bdaGQXJj>^pwgZ&m2-L#m
zv~md7`Z*jAW!;;yh3%Q*9`>(3%A;SH^mdLVUtg2kA0(G?Kku+>&|6eOUa}PS8>FSu
zRwgi^PbOCBUiD%r9cCk*v|;tYo>r~WXC9Ef@V?2(-s4W3WbVWW45OcF8mJa~xXgmO
zJjE9sC9Mi{EwK*+mktUM3~aStFDX|JL1sUo-`6@9m;le(lqlM`+=R>#FE$}pkdV0)
zXMe`6K-RGbRq>62Y`Ui#dhtIb;aEei?JT&>%(;H(VL9}d3m_lDP*ezW{T@!FY(k|M
zgyK}kZ0ZXX2Sy-joRB}S=^_Bg?1C@xgPMPSCwrJ5FQ3<TXFxK1$l^&eBheuuCRT=%
z%W*WIn%FO4md(){sPJ<9Jr-lac^j0ST6OiO3JmW$G#t*iiREB%>i5E7&2~g!JH6Nw
zof$w3t#c*o*6{&L6dO(*@Hwy_*6rYVDrD{LDH@Gb4H(~DIVV4ls;V(>hmB1HE<7Y&
zE`?3v>MulExM+8gLlNe3wS83bsjDlUFvz;9N9Dk>&>XqQ5h@PpP&ItMOGv(+WryL`
z&z8jE`g$C9mYfQUhT`%~K@L$-@;3d*K+KCdQKqt9_5Aq}%l*e%3%ku#(8Km9>e1!)
z<MDAfxibOK^HUQl<86vW{Y*c*Zc;Q2p7t^IXEmHosNYQxZs8nw6iU=ANn~-4{`q0{
z(B<k?qk0*gz`|jOU|utOw7%6~U-zt9UE<NG9@)cO5!Jz>{H4wO7^8HtQ0V2e#`u~|
ze0s;DOWVT>=5E3~S&OM*2~@RkhqHUSW?BO;YN}^@F#eD#qDjFr4SLB_T*%dA@iqF~
zy1Da73`Nz}+*zZe^-XhT?hIrPcKOh@pz$C)JjFYXwVSajiUvvy$fYrMHedgP$zx*U
zrEZ<)gK7q(l~$RG5tRzDibiE2haX2d_Y`sNMp}#Cam*Pz&}z8n!gMR9Y8=%I_Se#K
ztiBZcUmxbKbN&oAsIX@+UqSqreH$JKMvgoyj^)<t7gYBC`r$UC6*|`wOP3Zb$3Zf(
ziWyJt>)_%tL6K6Z_~tUFj;ALL2@k6ni$q4rf^?@)x2Q@{3i8;F8w@|Q+Z3>jr<h_A
zsTsBcccD|t|7V;t?d!Jz>s)!Q^?ez|53Oo<X}F4-GO`|;T6I6|+!~Elm(z{YU-<7e
zDmm4;*z{Uj#~$PCX+pu5w^(eymA3Rq^ai1etFFGDa<zQIJIQ-~s;)bCy_<P`OHuO7
zzO7a&huLm^J8-x^EVXoLTwU_4d3EJGy;eKT`t>>eYrMG62HE^$+9{_?KXH9}&3)%x
z;1qt0(anT<j*23+*!vZX6V+^VlT0mza%P^e4V(OAkKy6j1?^iF?zpl|u+Gu=xy~k4
z^RwqNzx`TMV32V-{L$2jHxEwReq++?Peq}jS6!!Xaapq}+u}uNl-sUJIvScfT45@0
zI?p{QnD6Q&xcl7Kv$@<dw}PCH8dgr7c=ce~+AAxTELpRUW9?Z!&y4%Q`nENjx%O4Y
zhyVX2f9l1JxT#N5SFI|m{SYbbsJeWamZ_@e)vKXex|-|fdnRuVJjA&Di-x1D^_G4%
zRaLXgM;>2ee%sEpz1sCR|89jO#w(}!?<`nYTeTujzqR@Q;WoE&G+#$~E^zg1)sBhE
zcJ+N<@rm_p)TW?df9a+FZr+uW^{Ncry6o(n_3H8S^Sl$T9bKd6xtM?R<ckXqGfi65
zwCIJZT(tLNC+_l!J$BXmLgJzp6`i(^IV&2yb@SKFFZ>RDeZOt?$4A#5xopXNyey;R
z;pgM->kAHcW#4}PJ?e$f`heWEU0mL8=9Itw9237vdv(a$X$p}HmkQQrA2{1km@Bd~
zw&jiBx_m6_c&xx}>FKeuyxW()^S*3%;r9G97cVyRUHzfVwyM}|)+3!6D^{$z7=F6g
zwDz3S+Q`ZBvQNJ`9;}ny)+!`7pW8ypK4!+o{NwB1?p)jJyzTP2=iJj**{oNPnqU$Z
zeWX?MqRNtu?C+M&@4b7-5~G0V*z3?e?cSR^vfD+Jgo=LeHz|scxL~k&@kIashy8B~
z$!b57x+^t<X$||E-6=26GA@4Rh*F|D%ofb}*fZ(v(mQK7`^}g6=H36Z{m0f;hmCjk
zK99Bu+SP{E@H=o&XT$nzf4(&CW9U*0Ot~?@$;aORj0QCr&b$GfeB5-lDICRekl7cu
zu_^&)>VES#TtpkZQD|u3tjJBj^Xb#4UKZ6qmKa@GhuPvEe%AbYGTHx`@RTh-?O7Sn
zdw&_XnNFTOdFu4()AcVFw#RMVTVuOSF!Q!jj~qtd_tu<-=)A{ilb$?#wr>CTd)4*E
z#m~;T7ETOU5FnSo?D*@_PEK}=R=mOmF&3rN)KqEve?K0(e!o+Ee)Z>PXQLCE`To?e
W=$Ec#_GI4700f?{elF{r5}E)I5&%X3

literal 0
HcmV?d00001

diff --git a/docs/spaces/images/space-selector.png b/docs/spaces/images/space-selector.png
new file mode 100644
index 0000000000000000000000000000000000000000..a1977b01d1fa031e45b12b1ddf14371da3957c3e
GIT binary patch
literal 151302
zcmcG#Wl)`6gQklGcXyW%oZ#*n+}+)R>n1qC-QC^YHg3V)f)ijva0?K~Z1R5H)7@u!
z&Z(I?KarxShkISOtcM6?MQId7LPQ7%2ozZv2~`LP7+DAis4;k0@MnV8YQbMXrnM0l
zSC$nQCs%fHvb3?cfPj#RNJ)cJSChpXJxZabrfwEFM)$!gmPsSjg@LRHiiwB8ltT{8
zH<iZ2(MI}!TYX&lwXjN6!hUsv(zp(Z^24{z@+g!Pr$mU(bFFFaqsgr84%egUKS1t`
zNr-&HDU7HlWlo4jN$<q;S&_q`Vsly$n@Aw8@;h6RtidT9I0<QK2<@<q-ZalP2ui!U
zjS172ra!&7?xezLND!DPyeVlDQ(=BE5Z_}MQV$?Sjzc|~2)s?lB+4<Z<?=<w4%rp8
z>cgYeaEK`$BBD%06(L0;zU|7)Ln<eLOb=ZbOo&rd$6_gSm0>y%8d<dZc12&2z12PL
z-Nq`H<7?D<qmo|R(krOgc(ZRYG!H0Q<U|MbopG&}|2*=&dX7&gqRyDWGH8$^L?!%S
z^mWQu7_|5l>Zg)SNbpVv`Wl5o>6~T149Z6Pcl;kXM`k48$36&%l4~B(-FOu8EV+;S
z&|#}-R0(mRuhuSs<jg7<WH_>=qsYV3ND?{;7~;-y@BHprwXR)*&B6imAr$swmqdjq
z0|Fl3l_#Sf2SQ}VKE#t9SdN6D#Q;>ujU{6zX<`y=!nTQ_*E$9}j1O%R<MBg<4{6aG
zsltC^cn7t!4r|+gNTXWGhvp5=<7YF~MvEiEuAU9Xxt6>V=WAehHZ-1$|D))vc^fah
zJT!xtvZg@Mc5pa~8h17k9Ho$egv!pdUx;(Fm$}z{%oEC$jX(*31OrJMKah!78jMVC
z530F%Hz-IE08LF!avAs%Z{a0T*ewl{*N_kK8!`gTMSA4jH{VBcvi06*Z5$=vc-o7p
zw74-CB?_y3pLUk>80o$;;p*vjxN}~C*a|)Y2DWs331q4;bca#|BpTr%3n=DEawJUz
z_;4mNOPU38!sS;c)Lr_5n9KCfNwcEuNSJ+C$8^7?!?p_%r0w@b;i3uIlMPND)^<~s
zTNp^cK8w64^H2BP1qcekT4Dw~_kY(fxZBWs_FOL+tQ?OuPp($Dr_=j$TxMFe$Hy*}
zy79n=)2S-WZW43*n}_JM>$_Jy%AYwby-1P~X5+F3d2K9BwDeWkYRIlglC-O_buUUI
zqQR!&u{-kto&giGQQJ|{(HY^%DS}KR%0I8<al#*!?gvd2@MaR>7v6bKLbU7MWY}Y@
zm|!og%^{o@Hue}bv~*jHJ-CH9KV~_oFhK~>!NS4C0h&VVV0P+pAd;7zxT-Wh|5=3F
z+4HDXPpqroZG?kV-uV(qJNr)R^F?DA0WUQ74$5y)R(!ZZ5n>rAwOwD_0Q+(u*mP*z
zAWCH@&7c-zs#Qdf06}A69+(qREFP5UV1|60?=TO$x*%8<Q8F($SacW)3XYK2W6F`Q
z?@Ysas7SxEU`9)jv&mp41{G6LN<>bI;!@Da5Hw<}#i~>EQc5Q*jL{UMbVRvP3XTyS
zU_}<Ft7CCWFwM=C!x09A6*(VcbC67lBFzpTySNGJMx2YE&Mq9|+|sTG0wtc=0_e?<
zCt;dK1z2%$Lut%x(qXc~am;>b(`W{B4zK`7PWyZs;&?F1_CI|mtzBUiAU)dS{Uy+i
zz5Vr~|MarymwPwX#b7U{H4JnRNq<xy?I-GDEKBrA_#Yt#A-V&+zp_qfyQwfEkPC6<
zNM1FQz7h<r4XN%~?m_O+n-VodttwF_xXF4@lc{1yh<~HPN#KgVPf$!;m)$Hzllvw&
zA~!8ZAvZ2ZSt3^AQqm(wm%N^mOOF!2G=^)=;)0zaohxZ5x+UvKZA9gn1o!>~n;{a7
zCN@!2M@C1fq9D6SAirBfQ<F>MUOhLTQQa`V+wd{}TJneDk2rOdN~RRaoKGpLX=<Ko
zN-7ts+w;~O@|nU+8L85GidBU<1%ibD<$@}n@_G%g4>uYg)KApcH4G~fHJH?))ypbz
z%TudJHG4|etE4oW)XgfK7Y{2m%1Jc3YL@F1wLDehRA)3<G`6e!WnVgAWd~KMw1dkU
zw9Udt2x6G|q_~Tkj`g1?pA?^XecEVM7UYs@G75AGJB*qno0R0m?V>e<mOs@X*6iz&
zAV-^w8-HxXXTT4~Z^O@PMrna=eq5huwrk#K**-l!{dIcj9_fyH{C)AUcw!M{d1}$1
zM6d2y8EvI$DJ!2_+$m~{x5p5m0B{1-`Zv5%y!gVF2iAy2_uB`Pz-pm9p~N7IqYQ@;
zA<y976S77Bj$w~p#?N6rVJjtiCPa!^!O!FH?_V^9Wo=47&9KS<(8AK1(5fb#(K69O
zmui+?m4=qWeIm<LnG~3upIlDo%(}}U%8KL8Gc$DXp9!+xHKC~2wsP*@>nTaGDExsr
z;WKfh$){;w1yyBR1-Hy$CwxkLDtAi6B|(Ii^(kwLtERQQrmCi|b>Kde#P-ONu6e_L
zg)5Tvn`^SQ`j7IBd-Z3CXTN9LXGOR$@euI>@t(n|xx=C)={iDy$*q>O)+pm>PV7St
zNA?IW4j(69k8`X0A)gk{_UD3*koHMWo6p{YBaX;lCR5ow^+C1!25IeFUH;Clo=NRX
z?RV{2U1jY~F1=?3AdEAW6X&_49fD)t?WXaYqO>fn+!cyC;hwXek3A1Q!en-wslpyd
ztIT9-WU(_Id8kIEPLUT}+o-}=!m&mr+h$)re#!mA{KpEC3z7ix8Orb-AFLdd9rSin
zx3;TJSx|lcZ2n$;s&UNDubr6wII&OS^Wv4_Phtk*R^hpbR3V|^HHckPT;{H88b5)~
z=lh4T{6vZ<aVXpPuRH@>VwiJ0q$I+QzfZ2vD48fF6Yf;VBS~8LPE49L+!Svc5QY%u
zus+ZV#5hN0V7XGHlJYZoIQ{Hu?`y|#e%P<sFS(jRs6<G@s>Ix)gQZEO@%Th6=zKoJ
zAnPMLP#k8i>LPYsd+;jTpR}xalKYdd!}_|0UQ^9dv4cay$#!{he?h&>xs*haqL{k$
zr^4f8#Gbm#liFHEmg;jm<2m2Ce6Fw)N?rKHAj`h6{EaMwyl?J#5|FP)dWY^k-Yufe
zK+M1jfeC@$$1N)<i}PvXNx4bB_?qOLM1XoR#W(Dn97hho;VoA~PP@$ag#DBzt}-P|
z=Czcl1I2NNv4xQEpH-@MAf@?fzwO_VztKKoS`z102&r-0oG@<aOjrssz|;S-;1bH>
z@A8fv&kl9vJA$3u6hg~L<E!%quKgaq>B0+PUTunRWOdzj3XKi52>rq&r@z>~`uQqo
z*g!b+Ro$Rim72b@XUKPax#XAX?tH2R^8^>;v+g7VP=8Nb)$qC_S<mOusw{8ik3hSC
zgZBht8;+hPrdFipmhO)>Tcr#i9Z{W?ldG!JW!4q!x<|XS=9aW?qsdMN(mHeoD-A-X
zfI-+B6b5d;t@o>5O_cR}eYC*}6I?yplN;ZG!(Zg5GzV*F^n@L-9J`tX-Fyv7EG!;T
z_hNsOD0$NU?7oZ|Wzp!m^+@^o)Tr0oWu`Ql+oW->q2Y^iUt2C!Rk9@bOnYIsN!Hw3
zFaorEh8zh@4BpAV-H9?%^Y3wg|6BRSByNyXnlaYCvSbB!g~Gk*<mu$y9SMpoii7kh
ziG$;<W3}MnXM4{iS+!y3ntcXEWkp6IHm}AV^FQ=g6<Z6SvaZZB&TZk3SCcVKSktZ9
zNWz|1eq)ax@t~NqyN_KPK#40QMQMV}D@M*;s-8=Cwr5VYy-Tg_EsF-Oz00#FYwN3A
zt!ENlM$e#A(UqBP<L!2rkJpwPHNW&c9hHEa&f%U%kDJw9br(OjiQ0R2Aa_Nt#9P9D
z#37SvygJ@I2covc?&pZ+XpxNy0k?<Gd>*ME#*fa2m28wI@(6^he9nJ&SI`xg-3=Gx
zZL$or!1+YID*rKCU^vy1e!cy3W4k>BJYPv%33ig(J^^mNtfcp5J{LWc^-TD4Ujlyx
zpN9*Q2?`nhO8x~}>x-T#o;mGZ^|Sd+_<GlGe7}>QPPIE02Zdj4txE{u<N+-r4;8S5
zID?ji?fKDL6#GGzH}KC;<a1VcJESr+(HdK}J7Pd^z3$UQ9kz%Eaoi1DdDMgq$%hUb
z=IKanb+17RKYU_8J9vl+i~yFz{{FzJ;9w&Uu?9~_o|K|?tZ$J&Q9Gwpq|Qdd`{RBX
zadv&C$WZq2f`AZ#kd+Ws_k#S{qj$-);l8|LbpdeXI~tpBI8Qa7NVO;MOTrlAj(14Z
z-o=DR&?u0}2**xAim$v(R8F}}RIeOUyN(Y(KuLrnRZYQDm8~q7OAvuC4hTYz-^c%{
zJ;3cJ>IupQcpM&|8`U{YlWsP39cA}CY5U6B#qf^)cn0!X)}7y7G~NICGdcQaGVjYg
ziMPN$9#i|v0ihw)B91z)GV-5KB3_hG4*msj*UYq4r}JDTH~MJe6GfckxCe6F!y0iW
zr+!!>ImHAueCOqM)?>U-ZsWrS04cQO0DT-kolQ$Zd4aN;2~#wQ+aBvO@f@;%Dx*T8
z`l8;pMyr8V0fg|0DK*LBfwNhSQ2qe?mk(z-cNQxh^$_0|PuVXyTVmc}*TDgzM5t#=
zh9xj7wfUX&f9)@xp$yu3wpv*6F>cggR09jz#Fr+!UxBG4UQ_F+tXU>ESY&cXq?&6X
zSi?T*w@U6|0y&+h*Y&nfgh*q9R_yG%nKi4yOM9+Af~TOW>7PC!BG8<BsBKb@Eomiq
z<NYo+Aq)YAvdu(xqKZZ^p6C&48#}d@+MQ)UH-6N4VkMj5X!WdJpVuubvynUFb)nT)
z8aycCZ8;kvg^jOZ_si50g4M`CEm~Jd0NG67&-wD-M=AZV(lJ1eGM~d;XgD;qo&?2u
zRC4$+?lV>q7P=~6!(+jeyjnZ9i8EfM>fgbRquh_2JUY%<Qk58NXxT`9WYRIlk#9Ug
zVspKrZppag5IG-4g@=UgLK<L*^qVse;Ub$cu<uIZwbI@_VQVMqsL!uwazoQAw=@J6
zJLP&;N<U!j*_~A_w2K9zQp#^T;Y^MQJWy#=9n%yP<x$V(vdG#9-Q8NaSq!*S`*w;r
zG8zZWz>kF__^?dqHNE>og~!oEpHYwGy=r6r+un*?u6BPA#(CFKW`o4v>!e`74=Mwe
zZ9L;+lJQGddbM8Mh~-a*rFL4~wX{=bv7K@aLHgQ}*u9JLsAIRp+nr@Ks8tek#}CD}
z4%vHHo}#Gyg6cDE5ytll34=0O$Ek@vn*5%t;x!%ft@pC2qdPvSH0h1UZuo~oZZ@q$
z%V<14RXtPz5HY)0{Ktn&^7npF^<0ap3ni{3btdXxnN%7)rA(d)TO2FOgL0?POHIVL
z71JV_4P-1ZNVAXB5Ek$Oy7~LBBGDfF$x;Yd>QjLvPCl=*`%0snyq+dHNQmq6-NDCd
zlq46r_B{t~MktS%&*PX32-RD*_pbBfeT47#lfpjAxnp;;WR918sdS}2ZOeB42#M5J
zc@zSq-^`a0jD<kjUsh*OJc8b#uY2IJ63DC#%?Py`xFa$Tk<U_3aCqpXHCWiuwen4{
za5!06=~cI1$0%19=bJHEZy@J<iQlKv>Y`y@U2vAp8M)+aX3pVVxKoVafYX!zE`bh#
z5&vZCy!knK_fU{$-9>FkDCLHtVorxgH_631;6-D*-=d9qf#w*Eb3}eJwI5@AUiT!Z
zsBK*wD&7uxdlFT4u<GR_p|AaiY>E!lV7}rBN&cUow1&0_b{4WI`PY30{KXQ^*Jx9)
z?Ob4z6=uJknDL+U#2vF~=UB5Co9GqdUi{cfG%9yO8crbIR640^sdMSmK-UK3xf@jl
zH|=!is8sDkt<<d{9uqBNs^4e_An^}YoGBM#J(ao*sxI!sUk;p9ZN}wzJqUOrZ&S-=
zCVcW_E@L$qch`rPe{>vMTN5JxM7{v=>!wDw-t5)1(NU04udz*IKhxUUC>Pj<K-zFS
zRkc~QG`PC^-zlo9&=6D#Z{^Wqs0Y$tl7i43ZG;iu4=0F^0L}j#vv~;sKM#H=_*s0R
zhG0j-9`hMG2s?2mP6NJ`D?+KzRZJXTD{LjF$e-5DoNh<Xt<XJ6clVPw9qq>pP$Um<
zru*-B27Y=i+=P>U;q#E2ah~J0h<YjweDsn&>Gq0(1IQKcGvTAS%mX+h<$u!I)lk>_
zRISa((m~thM=KFdzh82G1yT0eK9%tim|e`t?K-;Wup+iffWk^E!Wq{IOtI}ULkMym
zSlp-a@q}MoiR!e<ILg_s9K9Hh<0@=E*EIEvHNJqr!pUybo1m@;a|7!0N>m@IE}$(u
zc%YgwIR?<@Ue=^6$96PVJz1l+rc!DI1uSYsorV=5b6@n&r8q{`!w4>%n)1FbN>2?}
zGmCyHXUiC}Cm>E>togydb6j&D4{<;^$lWA9fBAHqMG5fbx^q|_>qK2Jey-4U6KLeE
z?c`JCaI5HTgny6Pui9PCl9ivbG*Z9L8+-$Q6lY6KBLc6EeB<EvQ)csPdNIz4{A{Iy
zyD((WGB9k!xeo`?zHzj(P61x~w)0Idv+nLWbv!3`3Y>8;u~q3lI3fr{cMbp$0i>Ze
zpeo9a>~@;&Os9=afUid>2ElW1#)IxnBgT5%MCJ<DwKVcR9LzpWRf%W=0B;``dQcf;
zsh2Nj>ZQDcL{(BTT-$yugk~Qq3dQjCbEcZ#UbqZyROMfZ<RLDtn=Z7@XH>>OG{;&X
zgtgwTsis-V+rLS~?jQq*TGH(^p6j%K(#)~x8RHPbpV=yra?T)l=A9ZD8_A<;MaXq~
z=2me$&#8gC+wU!u!WuJI_KxqIg?7#{eEz*jP$h5uJ`>-U5Z-DZ#^r<Wp%$iy>jSzT
z&gZgHd6*zCG|l1fYe3kaZ#t>|uR2i!RGOt$_a}`Ut1<DBTJY4iLZ#I2_%+hbzYhpQ
zB_b0r55#SJ55z%_mUr4xlk%CaKMk37_lv}j8v?D|DqynoM$S;w1n~#`3~LK|P0xhA
zQe49JgpoH_@gEPia@w!?M>1SULZ&%D`fZG{BF@H1qM=Hm%;27slo)jcC{-hZV67Tt
zL%*~OIc`bxS|=F;#?hvy@{aT+8VTV=n4JG28lj(+=@d3zfG33nphnhH>-yq#zD@m$
zI{4QoAlBl2AcX4VDEmLu47`17Z)e?<jP|caux6OQS<1qk8_$(xx(Ud+=sOI5pvaRp
zUc?7NFB=EIViFm#jt5bjZ(<&i7jMoP-uo2-^p2HYvZ#q<@S5#iF2eH86h+cSO8aTg
zab=Ub?Zy*HW2&|`Di4A`zd=Tx&^Ca6%P@xKw<^)x2{owyteq+Vr(RrKX6l+FA3LvG
zoH|NUL#575Ekr5Q)}g^h5A^BZIHUJuUm@Q_)9T+hr#BYEac0J+6oT?sMl6sznYK2a
z7leA1bq7X;at|rF_s#N>DI5+#Y$!xe9-ZoLAj%I>mpcM^a_J*~VdIpD5|aaQiu}_n
zYMRU>mQfJ*w4OwSjcqQAd=jG_(oy;ZmV@pcm^fx-2gob-M$jOd`=ntlOzobfpGU<>
zft<=CbSPHI6+#Pa@_e${(!oMY#rq8-&feB{esbEMg><mYu|>qgW4I$2XT@-b+n|D+
zK~uipWM&9Fa%MYXl`!@byk4%ahqU~Y4j?Knt-`x@Yx0FlOGUfYbVf!HD3MC#Nd<g~
zoCMP{{nLSMI+qxyw+fH3BBT`wG$TLW=)=XlDJ=eO8C~<;&ob=_<>i!ShXRI8Y|#cF
zg?j_>%t_Iqsb(7bi!zoQ=Kk0IRzs+>Q!su4o*GTV4tDQA+>%coXD3Fj{iB$lg3roq
z=dQk<w8vgK)QF`WYT-f-Q)oxx-C1BYH?HGr@>_i--Tkc+Qw#$i7-<5Gi6f~X!boZs
z10d+ORGic0udJ`k@}Rau1y0>-J+u%YAQ`oOv|W;1V~pq{VSG|gij|g)t*X(cIk<t3
zCLHwaBSfARG2KU^)rk+O*4rZvY35&_$W>}~f_rZILo54kp0lQF*QyH(oi^U4UTTel
zYrHF!5j5BSyQfA@2>#&*$hWJw2{wK2Y)N~7r3Ir#F_H9pEI*VsBtJ*UBBL3!+!d$C
z*D<EbNS~4{O1}^4c2No&a$1#KP_ulgH2CZDR`Ld!ObvI?v0ER!<+4Gi%HOKeem<%u
zhIXWuKG!ycUhAIIRJs{~Y-YOD)#cSu;a*VyRGe@+OpYNcO#|JH@MzOF9d=@QxX0~y
zT?GxyznsfRoaP>>CKF0V_ngB9<gnE0>#9qXhh2D|l4V9GQWU6~04Vlpt4f*%vc`9s
zO?gR*u*)I@c^ug)rB9zm89~&}q$p473p})Lc;l62JAQji1bJ;hqBDns+}Zcb9Pcds
z8kbzd4Cvfy_meC(kGuUh3$vsVlX_(f*Rtqa>CWFUl%EU6kVBbc5`80i`$2zG+tspb
z1t=Ue9{P@~L2*0z0{$R@P{&jsSQ&R{yg&c)QQa8DM5E6?G6m7XKz0MSb6x=h`;<r(
zZ{n(2$d=jC9bpcQQ}ie}KaWbq;gn_;xMhomQ0^odT{66l5@E$qvLOyFo87Boq_55;
zPrm>taTk=&)RzKOX96p5N#e?5Pw}^xKe*ZWTVN;?2bFlK7;%X*RK=LI?8n}GB@JHs
z8Vg0Cd^**3)j;J=Wtym2&LUdHwe$jWtNTnyI0~snUjO)-*{UXEEoN`Ec=(kW@nH$C
zilil72&Z<x0Rqn>Ol_k;BIe2J?=d41!;M1LX&d5&xAAOF6U?*TM!g>;pBL9GAf58R
zuN0|-0eNx%w)cb@fMG{b&Ad6JHTij2Y)P0+XEu^-D|6HoG?YNh3GjZ}Qk3&hKw%x;
zsB*^Jb#eK3oAV&>)q_!OimqWFURmWjVAA<dkg`$z50Dz4KVdyosgAinW;!rL6Wmr_
z?*+RZ>bSG4K+^ngW%&ibiZ*G*d$WiSn_52WNlZ96^lRGH--(_|K|}=K=A&6{HPf~J
znw}@cUsjoNb1c6TK5zcV?;3Bl1*Vm?ZA=mGQ(CYqwV9>g{H~+X#=NyI@C+QPD>cYp
z_{if`jiYKHPp&j`jPnKv0F^U4ma@-0l@>*2yBwwSvNa<)(5hmaMpX;is8%%RH5ae|
zqG7nz_W`B~!4o$acJ_BnHY*4@r|k{V7Qf_rWKHHf5b=Ssjj07|a3fs>U{;lvfmsE|
zq0WS%6Sh%T_od=nBN^jT{Iu)W@rYU$B_(Fw=$7`sd7*aKDVj;O_N0h+HO4&3ro2yg
zuQEWgm<rNDP?c;+ADk!$ZtZKMe*97+<HT#~3^@+Z%)bExipzf4+o?>04OEbN&Jb>n
zmPlJi$&Kjva|5KxeewZ>h#kHx)qwalpb<e=#{s#D#4}s^7Qb4`4I4gC*Xe&psfU&3
z95FF0Q~n|@X*ZSjI-vGhIn4{cfZk9|iJ~>E&hVSC%JiT~?psauVyJdfy^yNv<gj9c
z_3!;u3#4HaNE?0mQvMuq`Ob<tK4$(El}BZHx+CTYs*-J~sAO)BGB`cv4$8-70tEn0
zN36?xu<)eo^>*$krWiFR?93>NW|_fEIPdCpM#3`o?5dM*G>vfX6uBksQHT{=8~qi)
z*pe@7v!3y^TQHDjEWj&3YH5k>)LGXNO8~oH52=q325<5;AN45B)hD?daK<j+TXFuY
zs>q&?pPw@VbMMXNB_-v!a2X!LfHqH3VT~MA(U~}hDUx2Fb7u_TpPEHRdsb0m-23DB
z&%C1ixlmlqK@DEn1@-eo*gqNU=+ztaV})quuUsq^#=!o!0ro!)DrH}Hk^EF>19KGR
zxV96R=f$aGH2^HP{Q9U0jUFds_K13Csn+gH;QNB}x+NRN@FvWMWzS$>%pSBown#&1
z|BuJ7oUKo(&2M??yY>jXU&&T6E67i$Pe9c#sW_xN%{3w?VPrMvKw+h>&MP74i(5MQ
zbn<>bkXT8Z;B)=4_K%`0Wv>yk-do9Xz-1lj%mhH#t#JvJiGJ&>brrt_KSTkGh0fb-
zHr|q+lbZnMorS-V$^my@Mtwt<OWMk*B^+k4jdEmuZ<`WxMpLdW95#{XOA)ZW+&)#c
z^jYrICzYck`bqn41en8&Bj$h)G-JroXt))x$7Zno+udx<w4Yr^R`~^Ct1w93iRCX#
z0~Y%Hx~bd^yN8RO$Oj!OoRW*45r$jtIXT9`yOc+fV98Qh{4b<jl`QcYXH72o>juRu
z$Hj1Sdshd!#quwmZpZakw7gJ`5p6FTMmMlESYW9Y3d(JC0*mQw(KRcT)#?X~9~2Tz
zDbn~B;&Mp%1!^1!)sHV#zP|O_U0P`cBmYZsw+dv|U2BizPAJFea?WE);&;xJ#8H3B
zLx&j62H$Kk+0IbwUpiZ6B7Mo^(JH5z(`!D0zMM{_xn*}N=ogJH$)Uj^=n4IPT5yDw
zAWmN=?xK%5Q_LZ}sESqTN^+DC$(~xi$`9R^M{sPT)T*vtY;M-z;&hx<>SX?2UQNs)
z^JxOVQ2br_)MaY>dYe5|vPKQq9%o8T9OZr%jPC7p3^F*V*uqpgnSdV{B*p$)UguHU
z`XI2eBH|YDV%`tGXh?!y{zC*$2io54m8a0I6{wyUIGq^FinCnY3AV{)Y!p0pCkCxI
zel4$Zad1!QZKFJKMWWTKKn!QXMjcTtub$}5*J6Rsgc-ra<$6{SKm(sj{%8W~Ub>N6
zHgcS$;p05M-fTN>QuCf9;_IAAB}LBBX9tD1su#=}-hj*9hpqH$S<Y^ROJzC{T=mp3
zV6+FDu6R*Ym*-R5JUi+4K)K7DJ#3?`iJyGSB%oIQa*I$;b#^A9y!GybwbB1n*+tk;
zQ_B2VK_K<?b~y|4hpduh5OBUTmqvlPNJz7%!KqAMW1!r|B!iH@^#mAMLKak{{YaH>
zAEc>CG`ODkaRdlr(~dcQj}Fx$bdm*oxKC1Xv&TewOP>(iX3Q}*_X6_@_RP!!gLd?;
zIZdY)NG`rF_WG*HTzcEXx00p~g-@1yPHQ3cZ8Aj(n4IfIMG%C1_I?<YQ7vKrA%1lO
z=jdW~U8_shV(mY9qJPtmLx=d(5HFtt8l8?M$zA3`(Y_<Ge|t{UG+?!X!@MiLoip?&
zo^$tPsTxtd^&)b`5VI??miTlFdu@8)NUY1$X=ULSsPt=1f9G(K5!Ml63$;(wy&uHZ
zT4RV|7&8aY*M{b%V#=bncwfO=KT4PPKip+v<@Yj@55skB#oTN61yof=-bRC+`;X9q
zXXB}nk;(Rqn&&8hh1(cp3mZ9nPNqKF>VV<kD?jE?n%aA&tet^WzJK9N%@j=#7jA~c
z&?ZWiN*RCzer!naM4R9dA?8QRg5@(IJaa=HBX;0=6*N=}@iC=cK+H6mwA<9OCmUcP
zQ`O*u{-{~terA3qa&rCLE8)A@SraEK4LuT_Y7TQ1KL&FAw5{&4=-YpM@)tH6X~g}6
zO_kQ(BlgH1=zA6Ybq)IMHnmQ~kvCXvlnc0KSy(@tYi-EAt<cm^Kmuh}`dBvLT8)k=
zVEQ+3T){i3HbuCkO1Rb|9G}y}XhYZk)!XL$LJ<EZwyedfpKe<2M_MbH{QtnURlZ>V
zSc#Szi-rHs0nNt@Jl$1>s4NVyb9&e>0dVAnVWb<brA5|YYO1-yT7<2l0SjjJgmWt7
zFt&h2Zj{MUe$}I4J%M98#b(J#Ch+We@kX}EzhtY~^0-%ftV(+S>&Z(Bzy|nuSLsCi
zn%aZeNwY*uZ?b<HJRXMXd!xOG@man*bjixX)9)|aT-G~FEMP?|1{^Awrq@K$Uyisw
zVu0ZW=kCU{YSXh|T>2^?{U*2MRTV1mct=GK9`76j5W=q=0?SjVCc4k)c2v;m1{!|F
z>B>y9b5&y-nMrpXx@)LhxTy^-8*lE-)kV05>SFdt`U*i@*z1U~h~p6w4{7V#Rm@7`
zy3~c|DoOmOV5U$%?Vc_D;hT1$=>_t4f6M$b!8KKtgv6NPZ#@N0nZSesMg@eT(s$Z1
zIQ3qvxicm8LrXvlEd5p0xBUO#0nVgIFT$<6q1$5}?4tc(7Y(KSpDtQI_qhMHcI}C|
z)Ja#ZQa<$5i}ABQmU>bkCf7gb^ygW%Z535iN*H6L(>s{``K*WJ1R%{BUx6!09_0wt
zoIkI_ot!}4fVM!6FQ+6BD(JUDqWsV3=22X`H@Thv@8$Nf=zDS0p)uC%rW&{n7$?PV
zeliSf^tmzsf(3WQp?Es)I&y%FL;U4`;iG4#-p&8!qyIOA>#9zuwN)Pt&=1@w$Ygm3
zn2KnvTVsE=6S)?eb)67uhFwd6(RAW}u8^-)EZjNWC%7BFom#8{X8h8-mpe{XcP$PX
ze=fYg>o*q<@9}0lfp4eT8aQcc<QMwTV{lq0;(O5Sj#MD3T=`kgHp=w_x=?1$8H;;q
z8gA&Y;%N>nrm*kdh#}~)D5D^JAoFd>F@nf=pukU$-1f&9dpKv=X*6au&hDxz4SIS@
z86vqQF<+~9j<m)i_z^jGjdX}HMQjxc8s*^P71f83%Am#VkdMqqj<ZAjo5*;=R1L!q
z+NpD8ZT!niXtj^{rm1i&7{P-&>??Q!<kzi6`5{uQZ}tmS8*SvKV>Y$jr~BVkrLe@x
zO_Sz5i;L4Nz7wl%u_~+yp3tQ$RoOOH0xFMEKTy+<|I06FTuOD{3^Sd_1KIMlD;;P<
zU%~uVmin9(loep*R;|CpKv{!xhE58jCgFeBx1Lh{z`If;)5CoS=I=`d%*_tDzHpO+
z9mn?bmupovkU+Tgh1pw`^yUAL&S;sO<u*rbUqK0$j#6lOFF0Em;k<z3*I`xSpw<jt
zr*^FHowo?yB?z;S%r=NC%9*;-fhp_$P5``_pXgzj*$jG$|GeW$BGIqd!Y4G|KZtqS
zD{Rz}%Q$DKIn|jzU_UWiB6<d|H#E_ixTzHlW>x1^+D{ZbktxDZ-)OBZ78*!{6(U*#
z@LFkXuW*4qyl;F`(*A-Xvjz7yNw8iFv^Zt7Y^`%^-rpQnc)Ti))$FgCxU&J8+{^!q
zewIZKm|moOi8_Rjy-e<wehx!czfBU-a1Tr5?={+?9oCIppiEx#Hh!i7swo*gbT2q~
zU^PlUycHhm|3m4NiT&e;?z;NX1DHPKf&xLo`0@<26A&U~I)5|%F20;MN#b40aXVQ6
zEEiU_D@jx??jX&F`)QstD_Ea(JM9m)6s*JQe;pCKa$NrnPh2rL@xK2RPftx1q+d!_
zHBM}zf-;=;&7@DHhS->vN+kHU!gZPWH?^RFi(CH!la@{HTZAB<<9-Ve3U+et6`x7s
z-o@Gl*|IASNIl#At=ueP<_+`ll2<hW#`-=tx$N_8#eWA1wIMI+b(XRk!-yj_{HQY5
zy3(<g?445PlFkh<nuuB3fRmoQXUT^?X8b$FrDUaW1zK%OR&UF?Ln!@JmWt!Nq-%YP
zdO0CZ;j3z`H$dYSe9%lZ99M3qWTBQ3tGFO&+-u&Jb<hvE7vc!p(+}xI1S_|*q?pRv
z$vkA*>t|V%xMV;URd+Mk#B{&^Ce~|!pH!%Y?a$T9=SoWaNDU$&f<f?MH0D$FN5flu
zfncYUL0#q9)I$<=z|^=VKh8S`w4PJ3WVabvn!qK!+Gp7>l}QlUZ68mfKv^{+cT+>#
zjap)D#hFy_3$78)=nMxR@pl4;MySn2@f#f@T+!#xtr^~M)OSk6NH}<;EpH~xmCExT
z&VUa6@V#P}tV;zNZmW@v)x5W((ph;zrvF$%a@8g#cVCG3W2?yGw*(7RJH-_O8hnO<
zh7vh)Ry!pekx3pm`y0Nv%5rcV6<b+!$$BQ(%C;;DY4~#31m}@%aFRlETX=iPx>n?v
zx~$7{oA4hpeIror<aHN<V===x=hRF1x;7H5s@e++uYxkcU#fG=hr#22P0v5x*(d{3
zN&$(La3h@10<T}&d7WE4PoyV=9v@WB+pw?j#q01_)woKCq#m}pw4O)t2XX)G6IDuZ
zQOGneezv7fTi1iJt>c2%xARSrDun^;SCTtH$%0x01p}x*l_lxS(^huM7TV1th<~jK
zm9?`~gN)DU9e_@^QIh)f+occ<;|MAgsMoKMa?~Z66?@C{n01v!DevI4<w7HamWjw;
zdFi{Gxk)`2Y*SZG`)HFk?;Xpr*8cCc`)wv{59?*)`p4?H6PZd2pzI<(NW4UmheK=3
zvAC#(px$e4XB+BOaqV1kRpXvu-iBwI0NV0;c_<g!mOuRJHy$bwq|OK8#G1%^kwo6Q
zm$>;_2Y_E!NL*d<`d4EluyHYSVE+Bq82?I3!+O$Sk;@7r8n;LZkR%gSN-wuc>tdBk
z;<WW>M)#@9%`UKYDBYvkLi(hEvmAJ6zCmO7#Ynsf5w+XWLCbg@um`jRX<;fR%UT_3
z-th*p@A4Wl#bE}6j;WegJ|ySXI=*g<2^M&p+@0a5^Zsc(!a7Uf+FGt_2=%u{{Bff9
zzUqjJ{i|pVc|JZ=Kz_}-0_Mx-3Ec}@9cs#X-d7qsB0A0&*3HS1btZpsgim%tlBglp
zIjlc)%TWnxpd{9-gn??hSBD&m79Zte`Jyh}J+F{(rO@%1Mfu~*J`6p_==KsmdT5@i
zECv6V3aP_W#9Ii1`)!aottvhzLlqIvL0ImHeW1Fid`nYLhGBR<>%lBIXQo2w|4dzQ
z1P>|nCX3AwMGb&*6%UMPoH77(51gUgd(%*px%Df}%O((|V+(|XN*@W+T0$lAqjRNv
zgj=?>ZKCrF07an@TFG~K+^K{rwbtpP+^@vZ^*v3!7|j~88zY-M3&H~EKmrg|g=qkY
zwME?j<b~0yOO9jQSJ@B`?}g@aX(JK0qas6^ue{sf0+7FV($WbVi7n77#}u54=+EbD
z6>)ECt!f3u2t+Qf2AyYj;hQ3m|3cfQ?ihkB%8|#*nC4s|q9a;KE4y&0bF7+yQ0wj?
zY;&nOn0n6*D&$?o2~wa?H?ENhE&qbGQ(Ihltkp@+?qSkNZ|b^U8MS;>JDrnOeS~)r
zPWTqxm;N)pJR^}MpZMx{b_itl1_G(?IdlK%i-uB}-?g)ldjGvI;t;yxwM^;26b&D%
z8BxzG{AYokVw?rgoDeB)pUd1qx)?64WHZto;`Y7*!z^)#!Ebcb_BG!O0jB2bsI%WE
zO;6UGxWZTrxOVH3(!egvNn6)xyjRpZi2_r;50jlUqy9;zC-}!l+5U}|9NRMtK(K<@
zFU%_X<SG`~I$=(*((1rUGllCr%%UcislGYqGBD?xL1>Oi0$*P^TK>H|1t<5nyVLQ1
z%Ty%bOeOgrGSy=d-(HSWq_uQALC{&Rs;IB~E}v!qQcTfJ6e+1F6&sjgTz?r>@~>Uu
z|B7L=zB~3%Yj4v;+VA>_4>m}yO@Q9T27#@FPUJmFRRi$NPu)Gt_T2+`!9f)`!=dX<
zdDZR&_7q*GbWRl{_aUa3f1GU?V(g*KNAitsR7^Qxmsr9c$@olyV)woxKz(2LEG&Is
zLz`?+zsCng&+@B|*WFY8*Q1y_rnO!J3j#uZC6xhcpF*tQ5*tQ(GoLrTxovZX&E~Y?
z7eW|c(T>xg;yajkj=9x#Z1Ma9G+%c;z~6h1_7poBC#eouys7?LbbCZF&?Lb?%YyKv
z(U9x~@A#ehPKs|rV|&|EVg4nvG-Le*abFn`fZCp)v5itMJ*E%(lho-Gv%}Br?jjt)
z!NZ||SmsfjmBrk*gDFzn0JTMl&m@)iM48|y7I^(bl|RnwDDFpO64f%*I;8s|cQ$Y{
z;RO1iyRwc~M{$zLAABySKJZ*-wipE397Q~5mdwzSKPiIo1(*ogh|o0ECI*Du>*n98
zhdTAmXIScR40YE(-6K{e=RIfZL>%%&-;deYp{_D$8Px)L9L?d}j=Z8)lu>qMAHGH<
zkbdfTmyM|eK6|c|_WN(iAuD50JL+#%w<~EeYn(Kh0`V2Wm`U@ztu>Zs6;NLZ!ebo_
zU&~`xx3Nu7`hA>`pFgWV#!yA8Jrp{9)vk(G!?MYHWPbg+ULGzzs}Nn%Vu<+vhr-?o
zXK60&1<m22+`p)fUV~p}VE>9I>ki&;de*W0R<>7Wi(flgrgjeKYTZ`5&*%dYc$|fs
zZmG*@Ny<?8?P8gKsjJ~z4XC#?RX~`j#)MAxmBqI`Iwb2a!BNOVq`03Olmcm3ymQ8y
zIor0nS_GGBz&jmoJ-XJ{+x=NF*`JyLJdMt+Fqe~;{Ia)w>tD5nnU>P0U8Be0I)T5H
z+wi_3|Gn^l^ojHRM^xt~w=ODyEyOs5{&m1fEgS$CU$&WB$OA6R3JJ17pEp=Hxe(Ia
z8x8IjrIPZxoft<F7hBanl1sDyTP4i(S2JJL(p_n@Gy9{dt4B)6MK|K?##`H7djIJy
zq*BJ<T;ldyvpp^1MYv%hCbOj7A0Zx(a0s?BYUN@#kkULAYFd~}FijtjB38ZGBhFuY
z>_%D{q2aRYf-3s)#x5%?bO2q|Q#R0I;7o#njWJe8%-4aGwDH#5@)L#BYH4x#%x_Px
z<CgrLvvtLe`>(+MQZ~N`nqfHtv!q2XH7fpmembd@&+vwjF6NGY{C#`EZO+bid}=Wu
zfzc9ag|V}V1;@YRefsB5(jZ-fVC_XhH+rRHW5^IQ&c`u)DDWS|G^}c$O5i5*<ZBeS
zWXN-M7Ue#H|I^4=uyYHjRl_N$x@BIOMH3{OlFl@ky8HwwZBFsv1A3G=__*6nTK{u-
zEWWxfvGYs$cd0^GaI@ReXpk7*x;sT<5hs&6E-5sagiA{C72oD~A>RkGzcnFaj#f0z
zZ_Ggrd(BSy4}EJeja9n*Tg;CpX&UpmhnCO&6=vSxWtCtks<;z;{b+cG06e|0vsV4G
z*=8AyvVYJvPd2gG*4C;!%7A_fCRt+@MBM`B)O=EYrW^9?8m_@*Whv`)NQJGH8stbZ
zAyP)5mJG=ZKg4eO4@heIPczL=soe+eVp-L6uy%<fxS6es_b4SuU%|^-yg&2os#H6N
z0tITbh1!Mcv{x<So{Xc%mO`Ss8Q%=O0vGsVs4M61sf}#Y+9!M+S&eo{V$KZSlxa;5
zL#(E$M89JRB1TnzqgX-%)q(;>)`F%%b1a%?gM-Pr=`eU(ttmV>s}khExL4lZaW-N)
z178%0p^0r<8*G=yytroRPVm|*Mjsx#=sPQ%{Y|bCgbX`OL35_J6)cz_TI}~m%y-jN
zCwjF4^rnJ^B+62NLC^+Cg^<W})l+8DkD>2-t>J0EDPSW)p|ZdrqpLw)-(UoA74(c~
zz%E(sA0!~qt>Ki(Ay*g0%^GHf&zR>+&ba@&kE}?qTM3eX>x}FCr-385K6@ozz|d=#
zwgi&d9I9nb;vlU6;tV1d*mUKMO=?-r(i_=<fj&M4a1J}W7X#6@LDCX`YeOhfO=NV{
zcI}*g-!Fp^%Y*|JsN-7+VLDP^mX#)4Nd<oYYRoI_!YOi9jCa3mL$e3r$8#bjdC$Y?
zF2zKn1$6;-={MroF|qTz`5Ohfu!}HcZ7}J@l%DUa?;UK7vjSbR-h%_bxu?E^Tj1LU
zh*@)RQ4gEL>@EEm-w8W!H$(fg^t)>QQNo1(G1KY{utkrsfjj)HP%*;o({FRTXP@zx
zVl?<gXywrZnpW=(HK={ze`6Kh3!g(IGrY!sVHHDh>=B6!j2DEgT)~j|k2m!^N@V%%
z@HH&ni%+eqC7-+{MPs>IF=A`^-&-<}Ay(eyh^bAn5-0yWr<{|gYw;;va`ry#I^}(+
zg~~Tdr6JHcht+>Og6r?o#r+li@{Q2Yf@!4dL;(Z0)Io!6KWhE^@CQL~fY*$&kR<j&
z$57sm3^0**tV`ufc7)OHj}?M1i299qDdNyVZ_!zoFvQ`_AUh?nfF6P9DxJ1pSz#Jm
z5<+x41$j+cGV2UvH@Aj-T1-<~m1yF&@#qd!0xFeS#c$e0hwx#Whz|bgg4@lbURO9e
z-tbZ!woFr5V2N~b8AI}ru2et6uY3cT`x?;TIvhV$`F*|429DSKxBQ+rfUVo<TPOp#
z6iG8aCmJ|c4)yUp!JoBw|N10F+pVQk^LzKVaK6E{U!kwp4xea83j4_N$?k_(u%>z<
z34%Jq#4j}<U2M^YB)6}!sG;WNWsdmW?}Sg!t92B(1%1qQT?$4tfGNfjQOr|un2Z6R
zt7*vy#ErSY<?*w-Ux<~V8p%~9x1?JEsMW@Pt5DwS)-)woJz|aB-lm4^vjli0P0Mw{
z^uFenq}^iGUMh+BvHw4N;=Za%N47xFKZ=rY(f5u`L<R#Y)mpI6WEPa@IanQdyWWJ*
zMc;<~xm$;s%xBwcKju7!JM2r}{qLI@k2>I8$vKgcxBSCv8}NJ21^C6hI^gfr^BNX`
zm7ZTen>L%!$Zk36g#C-2=k4m;^Pa!0bQ--3q;(qoied4{d;E?E{_r>W!{_gKU3LCv
zEu`CynF3y{i}rKeUB7iyw(As@d{x^Z6Nf!O---75*VciJdCI4T`(0U*`H}NiLG_0Y
zN(i6A9~FJfL9)sUd_uBE(Xa+E|J7{&CEx={L>y9vm9_(#8M^fY=oLWS+4wZEoqp|y
zzkd4}cMs7ypXtiC2;W%r0HclBzQF%kArYG~hXtLnBWn{|Wk4(jvBh1Wh(r25za9qD
z3SO^*1`WA7w9kqWloI|;7a6dWMalSSqf%%DucaeO!$+bt{PX{ddTZ89EUM|JKRs|J
zdL;t2RoKP5J4p;;<rz-mQdn(u^XIi8n+A@(u!?c>l>iAc+$LC4TgA6tMY%*&GeSPA
zJr^WSr@)(@i({etKu>ovz{*CKXDAW16X42Q)pKnI@L09U5>7;u_xi)=;&poFkLm;3
zm)$&%-dnr83q#)*=RZtIYbaQ6U4#Dr(KXrtJqKuPGK|=()n|wTHWss6mY^ntGtOG}
zav>tRxKBLewLBW8#w6fSxGvyFONF&nRi^nmf7gG>sTt+O9echTcnag7g->#^+|&jE
zsjDR#@D~vo75E}}S~k^4ZseTZen}Ed$kaLfeRj2$+>+{Pu`5IBv69VP<D}TBBBts9
zWdeN5{&$h-Q|_O-CpD$J!GJJ$zaf3f5q4q9)k#h>O2?)rg=yP}$U}+Lu_8aiP5=D#
zyA+<u<X@$=Exfowiw-q;Ljt5fT0}j%q*)D~L*$!DmH!tScYG3Wek2Wd3RvCWtOK?@
z2Riv0J#-2E4m>Zq@Ne<u^$RW@8FZ{&y&2rKoVa+dbvgrHE`gQ(S^|E$-~K$`Y;OO`
zn7QZvRQ-%bCe%&h3g}&4Tj}gD>|jHL1Xaq84k@*^)`9#_4D%SR6vIVuO7^`aFKo8%
zll!!lzRxfUB7naK31D|Fg(p!-AN|p!a(zubfUROg%yI`ub@T?68tNJ%6frL4RPQ?R
z2rDz&@FwY=x#rc;LAnh=URdASUe;@*4&BC%qZPhLb_o(!=LT}=hq=`NVEBwSBJJ#v
zm~v+6XX)2OoMW|g!F_@f-bT20(wrV>MQKrp)j!J7?|knpfZ)2@LoXK9TytXPr;^pB
z{kHq|VDD#={-rQ@qeIqn@okANaHHxYzCKiecf(l12f}*9&~C2C?CF|7=P(!Be3c08
zD4KBY_`H-Y*Dkt^VOTPIMa#&*YM{*!DdIK&wP^M3jtq2FicIKB3>?3D?`L<==6BQ8
zwS8l-z5FuU=CAf}-$wl0`qkxNghlv|{=*d-u<Og~6Plma!^-QGFz9u(_s_@8GT|GB
z&C@tCG;VoKk>+4NL;5v5_Su_OyC$xUF8NpVK}5uNZ*fyem!P>#=gD5oH>L`?a%N<l
z3QMt(K`{kiTbit(hYKxld@SVQq#~tmB>)@&+|YQ@Hujc!=aJWILExWRgC!PFsDYl3
zzK&Zomp(6LrqGEdLT$yR0%+P9;f!^k@!Oku4c)-}*oV4uVC$h)EV4jd`x#xfe!RvE
zX|oju(@xs}!t0m)*0~A^z(Z|l&e2Lwh+3oZKI-)+9&BYyx_g1WQS#@r2*c`9vR2G-
zV%{1DG5${}iwfE<Puti!-?q+r$ADGH2I60S?YGZ6R|Ih%&%32AEPmL91^71OyRn($
zQfJjmUmxlV#(gF<WN3AY6+rIAI_MghO89cNPj)7B#dL9YWXD-!7B_ey@<=57jI?R=
zTTgiD<t6WV`0`nK>zFjU_f!Hcs*-P&StJWXw0`FP2!r2xH2nM{uuB)_9DBL@Yzkqy
ztM>MsLNbU*f7Fps5|26p_$j^8qqPBIC&^;MXRI&998>YT`S!%ghU>)Lu3OG}8#JB`
zldwkD`3>YIZ_V)K1Ked=d1rR?r`3w|E>eds2M(5MaMe(3_zXQDUwxFtxkP-uTWFO@
z<E(Bbe<u>aDe&(z@|pq$Tuu{{2eVCExT6V5K=0RpGf_@RTxrUJs?}T5lFp}@tp5J_
z`pgAW;vR*6ij48BuW!rZn^F-y+<@YEk2pJlx=n-MwAHf5x9+y`S^gX9u8JOFQ|4Hi
z)bzQT)R05XAs{K|;VgbRn5L4C_844qjQ2b4*<O8VxI~Fn@;`X-?Bxy8?6NW2Hg6!}
z`tqYpc;V&o&;Fki|9iYIOnz0=zk{?4Sl`ijI19^*OxQi&z=zMlYx#mCKOp^8XH(z3
zlX!aJ0`&CP*XgI(W@`;2Y5}1;9RQ|bNHwOi0fZ)YJUFPD56B2@obV0`<(`V0od~;E
z`+gPjTg4G=Hc)f#R@J2ofsm{s7oo65!hU;2J=2XWAftG!;Hj{Wbvz^|(qiQ-Z-epZ
zHUW%T+gjSDu#(Tz{j_Vr1DG<=m1*zU{aGi2<Pq4iPSd?IYGS>>R(90dVy~8cavYRQ
zoHsO2!^f(j|8^&K5peC7g!w0nQheNYH>93V86HM0pUp4EUT*mNy<;K{?82&B{G!al
zhw6Wl1&p(P)#b40KgmL*coyzkI3~2tiJsC9O`oPDq;bLzeUs@TG9R+=FC*7`NHd;)
zPMrQ&KS=v;czUpCJOQW@W)ZQvbguWeulipt$Blk({HcGwcs(rZVhP_incrqyi<<FJ
zDbp)9+oRif6-ewxbE{KI{a7acmJzxOA2^(R<&3N8&dcV-qhbj26-gdsJ-ygae7Y-2
zSq%~Gbk&wBAgHQjP`kxWytV=*L`d^(d{g`Gn7nVF>O%~Mm9~)?9e??qqpQ}Ifd8xE
zq&?Xj<SGiOhFGUesP=_}R(5-V8r|$%S3ypc;}DmH|6@tUCHr~o*tJ4p{d6f*W)O>~
zv6Nlx&s<%oh>sx_jl=Nx+VU`YSEkO+B03ZO$5UU6t#ta%?Cty+U!mmN>S2euCF%wJ
zl9ffgTq;`Uy0quqTWV+sS8nTp*W~#^rm-Zg2lux0;vgvqI9C^Xm`-?GWFx9BiKSkY
z9pop<2zkkaJQD?R>JO9P98p!nNAo@3sSZDMTW{lt2%-~WP!WN=EaKPc#&>UXG^%aV
z$Jk3P+t&j+;bp+Z^L9(wZ^sS~tfTE;{TCpi*T4t2KR=8f`8SmShiT8-d5yC1ZFO0Q
z8??^68n~NwciR^Ff75XKh{T0jwu61DP}Z!}ilzEe8c2_}JHth-@T4%mFyL=Ekh)%5
z_RT8X#XQ2=9E46&Sg&Q}v#gn7gi6j2f(XrLQnm*F7mjTrRQVUpVpIinh>5xM<)8Rg
z<m|g75|4{;3vgZaiqDvRx05T56ZK18GY(4{jmcY^z3=<quesS*AXC-DNetS1X^?pn
zvJeH=w!$|Ei-6zk!-rk)k~l2$vB%g|w#UBjyWhWJ+}g&TgNXQ5f7p9Gn944Q6{BB0
ztqUs+FsI<2z|R2@e{lleL4jW|3$|)u71POvI1}{-O6E5Pd{bWczkr8D^jUARF(r6;
zwdE)X?4a1iQXkMpXdw_gu)exI!zh@Iepr0yI97!qQKF<ek`cdhT(<9bLv?=76K5`(
z4bvrR%H8oN^y207gVFC@vM&qY$>&N|6>|OvSpPZdJsR9h;?BM8EwYU)dzp8TH&dJQ
zhIYDGzJC(1pu&Q}uy7n1B37}nt7;RZId;!zy#iTRf`SY|_zw;CVhWu6^|O))g$|@6
z@+JyJ%@GRkqC0KR7%n?WN5rF%4RXxUM>KTu8qW!QorY1I76h>^It;f(s7Jmx6c;;q
zs-AX|+f$Q=YF#N;I&sk=R3YRl?Z2!hdX@GoK-kQ&!ePQ6nsF^GJ{dc7$N4zS(LKmX
z2!5uiCSm=k>sox8MWX{1(X@l=q1xY<N#-|lu-x`dH`;&ci_qY}v>ijVMzvw}yss>-
zeB9VAdMza-WCYJGIb}YuShH*}^}8Vx7r56c*Sl4tA5%)3{UTg@D=K9ue-$0W@jn=Q
ztEf2CW?Qszcb6c+A-KD{ySuvtcbDK2+%;HmcXtmi4S`_6-8s!#|GxX&d-fgUyz<mk
z&#sy^YgT>jwWXx!So<J-^H0C}*MI7s7nZ-HeV!wrR5r+!5K2oZ#VL|QGle&P@3>{~
z6emyM{-o#(_%avo_C9{^=W{6h>}EgbMt(p)!@vF-k@pmI*3x;fc-8|Cq<vhojqiX#
z8NSuC(th;{9k9|nELk(4p4FMUs%X{^;ufkv2ONKh2z?{`Q<YD}j>i(wq0UVWu~2(E
zta$j%b^NshCk!=Vjth60O_DGQu#Ni0t{c8!uu6sS;F!V9LIupetd-J$?SbiUzY3%Q
zsLQzBIZGrOMs!Rkm~5rIgA?x?7Ia|{?M;mu2B4%&H$}`vA2j&mDW4palo2rhr=$$w
z;Npuen|9c%<}Ca%ZH5>J=>^>a0cEfgc><v^uSI2kzD<rKZ1v;zg&^B`;+8Wz`abHv
z%vaf*9=d*wlM$>=9TR}9J&m=0<M2~r42#k|WN!#3_wU=Q;;Yep5%4VtJ`yJoR{lkl
z_&E;L>G{jvAH0?IZ22A0!2~Eu50%Irp!NOg!oK$lhgDPNF;E)n2(9gAb(QmNk%vRf
zhri&Un58R;D~k^~{&mTb`J`PcJktT<wF|Xyvnfx(=!3)Hfy?YiT<bx6LiPDyOFQMi
z+YhX(Ev(0Nb@$;q0=BknR*%iOD=N5@?U5jhFDmp*kK>2gMzgJjdE((StdeqZ`GjmZ
zRxmXVjH?zJs|jW&RMmRH*Fdc_K`#zh^aco*X7?#~rqSe~CTd2iofH9?9(D#;ub`IM
zDwaO=wYuF2c1^2`$xCq32}E*>_QGWdeB$qt0-qer8|G>$S~O*GWjMhnQHKgZsH_4N
zxf68tcT&jd{F*c=medFSD(jWmmW7gk@TgmM;bZ&k`&25#lRN#GIt5-BD%#jqxZy>v
zX^7s^V{m<?n|uCN1iT;EMDacJqfkn#dfk&0nC-eaG`=T(M+s<p?oXTPQl8I~<cb+S
zJ2U`x8Ha&;@vibzbjxC<Q>s${etmG*;CP=*&0A^UuUKrjT^mb+f0lP)v;GvA`ckd;
zw^;i$t&vT898XZ!{%W+7^n&&i)q+Ye0QFwA-TD_qflmP4#!O$SzRxbiOb=Kqa-N?$
z$SWqcA~D`54fc)mw^&s*SgUT%usCIyEZkvqD~4fDz~-0;3@(k?H9#A@_GrfoKpK@_
z-6bX+TJkgGV=s5OQ%u$m<H{fuPO(Uc@{9o2ft@|7VrlZawT*#Y1iH*Q+Udz2?c&tY
zMh+quQPlsPE$y)iYI(MF1pgEupdxJlO-{E0UmQ$dZdl+REQpL7@=jrxC)j}=lVucG
zeq9CLll9OzCe$7(hGq#i52y9Fn4gp?RYtUU*!pbBjC^JQWyh$PDDI&n<BIcCw*8a?
zeIi(LgD>%|bP({=)#=W}6O<=~m1!{ysA%@rObP=<J~{;EQ+B3cy;<@j1B5j{6YQdP
z>e-xa7c)%Ht6O*My>rF9i~T}!aKF}t{yNrDSx1bGDPu0)717w9EJc|~+m{<563VQ_
z>!st!mj{e{5<tK~UZbTRi9Cca*c5}K)+O6MQo?QXg2^rv<W#lP(!lE8?2=4_BhYY!
zWx`2eeA`!_tMLZSudSmi83=<p+)w)l!(vK|*QwhIt{4va4H!A$@#b&7+YU<vW)(k<
zl6aQR!C%nq%@bCr$@F;qKJlTwrs!OFfz=cli7=}w<-`-+v!ZE(F2eHM@1SqTgf&DN
zhO|}qbZ)VsR{Mvq9`1)p(rePvL7vaA*NlM6h;~H~jm1i=fxG4H{^Pe9a8XWtYyfNP
zPxd0RjF0jY>|0awa;C?)r}Vaji=X96`oZwkA2ujT1Sdub1&Y7QV%=6ON#5Nu-tGfG
zunFQ7-9l)L^-e+Yl)Y$yqBoDxC*e~#TCaW+C@N{8IY@f`fv$0i<KR8!J7hy^dLpCU
zl_0tQ=+1%<In(Hh!8epywTtP>aSxDMgA!A=;|Kpm_wZl00AMf2oGPw;Rcn`erEavr
z?u8+>@O&$~BbO+T$Yg3sh|OxP`?k1?QLXs}s)ol$@+;^?VjaGPzTH?Z1i}UdU7riq
ziie8U^{qp!$B(eSEc6I0w3MzPfGWOq=NW6vV7lbpKMPecenn-;jK_;n7<Y+XrVi*A
zQH1{oSb+!1R>`h>VA{Pz2H<t1Mf-Hb4kN0jkf)D@p{kUM?Jzs|S5yJ_BOSoU#QVH{
zPbhTVzj+Ur@g67xYtKD<4XP<0fbGKQ=KB;B$sz_S=czY2+g-ZZ^`}2mdTB{7P1X}R
z%|*ce#0X^7MwR-bw+ks?Cxl!6E&Tc2{tMv2Y;~c4l~C;H_h>24ptE*G>%w@${+6!u
z!1~P>uNER}ppoGbF=-PIbYTWNORhvx970qOYnA|?VJ7P*AAohg1)ydnkOPc**B+4^
zby8BR6k&%zp)wI(NX-1_AIBs$N^l1K<PHY;V}!>!D1<d-1UfMqWdEyq&(%&^Z&y|F
z!{eDB79(}ie=J~^e8W(9LfBj1EFxEOKg-l^Kb(Xt`)PMDIg^@NuPjwY#raFsN&MW!
zViwKpuBRse)2J<bz0KzX;%f*a(l*2({RHwl-|;Vof=|<y<YJGEpx3ImE(?*kG>Rb^
z3}{7x^(563iQp{NyAjI68Z8&d7V1uuQ9KMaErI76KRo@7?@$cuF}i*p$Qyh0_IY_b
ze{;IW06w2??#_m6gxCh|SD!ZR=dc){w<hWV@d$~I*I`)|uR+y(l4h|%Oz@8xM(N};
zqFUaK{3dKN(@#(z8%Xi69-PWD%z#Q%<~`kEoGqy1o#n#7ZK&M;<Mp!`V@8dZJP6n{
zl{i<Ud_V<>knN0Ahu|`;WVh_#>3t%AbVnfdw`v$t0Xzk_Tu1mNeB3Aj+nqQr_^H-M
zdGyHI26nXGJGd9F$Q<=kSKL<q&q;k)k7LP7JE#&(;t3m=bvb`Wz__6fEMS`>ov1nB
zeT<$jJ;MV&)<)SE4Y-cUWOrBp`a?*_nEVVb17aSnv)skzDhRY#QgN+H-o>>k?_%JE
z)}h<5hK|ntK3b<0F?Q>0@^}9UF$nlvEjJJOl7;6%akb-qG;q#Pi#_(maGm9f&;P~y
zeiL}Lb*A|G^W3rTrL?!PDZu05fHU4OfPcQDG4I49#Wx-fTpiWaB#r?YM#NjInAyc$
z8wC=bu^E9c4-qOwqpvmI9OH^mo@Ew_>w|w<d%7yx7FA_{5bN1+<e9#^h?PXotd~mZ
zP|fr8qzj9)Q+_5{D!$RN7Q>VwH9_Z-tW8!y;w4+StKKMl_Ug^f<9znf3WO8}2ZZMk
zbR(P)o}(#AkdZ(?i#{ySNhekf@R`=dKB&e&nOydm@}dZ#xe>t?qaG7Q(960LRN`~8
zK4Vznl4P+maEjKNUp*g3iPZWx_^FDeVk22sE{9OpU6J!Vk#ZsruOOZ$l-B66a)4Lu
z5J1kb)qwlLx3NXgexE<j;d;(Z>V$MpHFOnEi4#z%Q}&OB6N^hddZ62edSepPz=0bN
zJ!i6Qb~=S%I7s{=H37L+P(6D&`da)h%faXx!1KaN@VrTASc9Vb+;hL%L;s?lhtp2A
zGei8>)V_xOJf+UV$*UX5q*K&PG$Zdfq3*(MfAk}DL>H0xUNj|H>;Z38zDdCmeqOE^
zoF=(`pv@N}xVKUZ8q*W-9cLM!!|gqum*bdij%0TCtSnVZJKJ|=jwySV`wwio{9j|U
z%Z-1CQ@Xy`0bCH-M3%SDg;e(PA~|h1eg-S!(z#J-Og<5WH5waJohlr<IB*6H6bYEO
z#^$^1B7ypZtlQz}&!A~>vE$SVr#H_d_VW@~ufVZ^NL0L6ZRS}hMZ>%joa!hz7<}b!
ziivYBHggL&fg%cJG@Po%6xabGe_r7EV`Pp+SF?~p3^&JyUH}<iz*R(d$8)ns_owsa
z>L#L>JrqC12h9q{P|>ro3&oqWO(bLnWTAzD^z<U;O_wcttunJbI*MAG-mVpa8#@k6
zrRl>4IPGs7aEIVIP%#`xGfU$7bn9Axi(QvzbtWPcvqSKZ8o?zB3(-<7dTy`(z)@8?
ze!lx?L%GNtd&$*AL7N{ZG=W)CjugYGmoEEY!BdbDjzpfMw0kvOgmLwH3g9aVKe16i
zkY29s!(_R^tJ^IU891&7ACO`K+VlBRp4A)AurjYut2e5`_p(=VS?{Ip>hMi2-#E~2
zy46<{QkSx)CYKuWFXvxQ@zN$8+mSMQf}Y0wBc=~nR_?|G>pm$Jm$-KnKY#_n{CWHa
z=Lh(aAgb}6ifRc|O_FYp5Kk@}y0mV`_}K$aAvZ?{3lIp~;=5-P6QCRqb!4456Pw1#
z{)W|iZT*tMd^)Rf$VJw#a_ZsadjPYw_&Tw3@66|i_~{`8c%67wMC_?}?>!)h(79&I
z-@2lBTa7&;Om~1Mi99)5SQ6;NJXOhbNB!B54G)gr5Q=^Xwba(v8=XQ=?mLv#KajKq
zK{7a8QZqK5m-Ee(?3~_OAa_KGPQw})c<VceURfSfCvEduj^<^S>qx~rOO$eu)#n4q
zf)~C5unj-t-!?`nhGPUBWCb@tOZ2l2RgnO!>|_#iRH-?9lEqv$cinWDqPpPy2?s4o
z%+V1yh|tEizrE~9|8RmWTKg>J@Qv@aR7#m(!K6#e8PloYbGTr2HUGhn_%C~eQWD=B
z#d|OK6C15sKV4b$&=gKshH2^aZ(S~xmHFv`QFBdv{<XmL#8!NC>`18zr<(LXLsi&&
zTIu9SOYLCQw1(b_WLWQuzT9c@1(jnS!u#M}{QJed+YG-qHI^Yz^zRTc3Xsz4Y&D`G
zz<r^Zl~9i`P=X~kjgup`_*u7#{olr2Tdo!v&^6C|X1W^c_F|#zDx6<9z=fonS*o-&
z$$<^vv(2oDN7OgIxIKr6Dgk8rM=(38mh9Uf53!x6FjvbymwuImH4kOuk4;ov6oJKC
zl5+J;U<=bsm%ktfbA<(QQj%UQ*IisGlJxjmIh=k1Y4~{+F!(U)+fzci7t&TFKtq6U
zHiZkui6jn!k;hNhROBdaC-$h;r{mbl!gYBxKa9hSlsZ4r!QmBn*#cXw5WSbuNa;q&
z#W0kFY6I)E@zR_symcATZ?XhFf_rPKpUQ@IUs6pBZ@Nj5-*jCI_|7#V30{=S>OfmS
z&}v$}Pk!d;H@D~u<i9O-7HbO}i%qj+)eDiH?v9lox|;mD!K#iw3un0cMzZS;au1*{
zFdkcfLHI>0tSj{XD{V(#9tpw!<-z%WfcSOkti|uTgH>vMz|r@y>FnTrBLLWSSyJP^
za}MXo_+`}hs%g1H)BmApllOg=D%{o@47&vQ-gobs_izEz{(egQvU`^J36UKIcHp??
zz80zj4ahTIV6>>tn;oo4#nk&p5+r2R#%!`B&3%XC{Js>ziT$C!TCEJ@cwKO)a}xkd
zb><za{6fqn-y3};@#IFTla9tFQQ6%Sgh`P>z&@Thp5GINU&2H5hvL967-5LYtvx~a
zl8mdCY^O}ykgwe|CfI<)u~~%+2ZcNf6!Mr#vahPeh7yO#9ugpC)!eUgh`&Tql=T_^
zFhs<rE?V%$Bur0dV!pOIt-p<?K7njn?9fv<#h<{emBxi`enrG<%P&NizkEOF&JvfM
zUj^?Q+v(qQA^*GvwPHZ^@c5@F_)ybHL{fQ23Yva(5wQf2VoP8zeAJr{(oYT+()&#M
zC7PZWxGc3wa{O-#m~ZoVnwN_0g#q@a4DJ-<+Lss7R=o%_g6pq;dtP~Wg?1+WcaAju
zpYmKCeJ>~6(P+iim5AQZr>=o_-DmcBFV%~WZ-*lRviF<;`>Z>PWGFp(dk@~jv5Wp7
ze}0DPB4$a}3XPL%0y?e&`$Z@9;dhmhuGE`XREj<BOfwR_K5<RTDs}teSSSFatO7Ct
zi>p^(T6-E;<3(d#7sx85pAT{4XbGfN#dVCSX;<$WbK~T8LRQ8ZSRjECi8>(T(3Y=g
z?fq95=*Xs21ydF57cxBtGBbozLm#$FR#H`4GdB|RLLnn7#mO6|zF2S7{ga<b#04Li
z_AOvjH^6OejW{RQ$UxSq*5A=8i(#U(!^cDLtBnh~J_K0Iw0>t@w83nlEFLHH6mO-G
zCEcrz-ws{0sZzCiYUD&jpL0v42WJ{9NY@TYL`;h)^;Y&(zFUQKcX?y}D_d2zODR!)
zA~u=AcAl;sl=XjD#GVzrHP>h*W0!!R@+9;J4x{)!!*rZ`&TtOb!8cg;3u@LKTxP)&
zh=;QCdEaxopFb~v=D8=l2CG_){HH|)oW$?5oNfW93xezXYu7W0t%2eMnDTmPseQ&m
zBHiC6k(#;t+QUIImhq<^ZMGsh3<pYEaEC7>py}6aZ7k!}wta=mO=iJcM@*9=?8=-V
zJy02X!MV~5Nx^F9LpZ3XTi%mE&<hOnBF$DeNCC73v7zQ)M7Ux@Oln5}rA>PIo(XmN
zXT0Y8QO4`O0hl#R|ClN*ViyR!=6n`E)umlRNIw0}KRMEncfWPV*m+Mi(H9aaZDbI=
z`LG=zdWTfCCZ9-P_60Vlu4PSbCowS0Y;BoYNb$K9T*)a_{70GbjkVOmB2expdMP;+
zIHtx3&CqW?dJ_jIj$8)vSF!!U$z~s??({g`f-7Hi0n5WCC<~LxA)Qelnen?F&z8fT
z0hmqVm#uianhqTctr1p6zV)sHMc)daose^@(lZqQ^9bI*>H%jm=Z*4JyZg?7%pSq*
zl_nZy{1|msptpKTw}7=mZLGoaKx<mKKsNM9`U;PD){hbTc9tEEOw1<G6imBbnU%-{
z0dIj>@LLIN;G7@hu0Dk4gm>M78$+X;&08?ZIBedQJFF@x<>)o3YY~08B!tkotejs%
zou<@0B_PQZ;S1^{JzY$O4KBcUGHXRGFi8y+0Lcd5V=YJOt~%FUe2LSt_Qx>qS!jQ?
z{f2Garq;UC7nz0j8)_R3OHepiZ?^j5b}0R4!f#aYeLA2?ICruH;c`>sG^T<r5(I<R
zv7jy18OlZEI`v^Qlnz(b_LRS>*nQAqoq@?~_qT>~nlbXtfx@wc-w#g8OL{C~sB{Gf
z3lHJU7X&J=n2Mqwv^4zSdMDnS+wkxa^2?0m37akbHr!EMb8(4K%G&b4`RB(}kDfKZ
zFE8p@oTp@Zj=;xc!KJR3Iuv&O{`;<Xe!rTN`xZGAWCo5OEqC>A7c7`2UEZRNAK0XL
zDyPk2GSB7Jnm2#Dm<(OFwf~?O&9!pj;r5f)&`xP+j;a)##EPKFLzSOs-~m~xmV6WQ
z40-h%=4UJbXmPlC4tu}{(BbL@pd@-94*OE#r4x*D6Lx{F!yjM@M%3A|Gz3M{`?Fts
z(2nGJ*}fju58S3sXVG1qroBvP(QIS`)9Y#3vc7sPIUk4aE)oHY`NhX6e$Rz9lz2Pi
zUW-tPW0fS*F>1pha0B4bO-4I{zs*OVTN6l2ukQIB?J*+;uEC%*-*QUbX`I_eqCJdV
z|JB;MsSUj}|No8HIG&QP!xroO^IyYRoQafyN4wpULF&)pupq=H<?2Y&5P%cDnZlmW
z5kDWobXXF1bH5i(C13bRZQVT!&UHPN$A7;y7rkxR(Ipqee$!53KZ_zVd-b%b0v*%4
z5e~zV{o3#qrI@y_9sIDM(Qer9OIB?h@XI#_3e=s9T8$<=P7uM6Z59WS;eWu&ko6fL
zao-iw%|B-(ko$0EfwRWL9w3Zs9;)cb8(NNvvG<7D4hn4%7|9=s4+>0PMd>LJTN6{A
zQdUA?T57QnaUlEk+d(W;Ewq&yBlGRlFs6wm-03G6$D~@mDtL2tt=L7pkdwM|i|x`;
zNPK9(*Wo_|pI0`?uY;pRM0)T*9yeY4480##bo>d}Y<O3qV9iv@E@Bmq!ejJqxi25Q
zP1eG#%H!J(F2+-C5+B8;al+v@Os*#<W$ZsK=|YfoE}+ljhzrp}x~O=`_90D~cnT1|
z{ov%cq((kKyUh`3#=Z#kmDHVAA*s+_WXT1ba*RcToJy}&4-@o`!z0Pd2ImHEgOVK{
z?{mc5@^4gvSAAzgIC&^N%arZkCLfwMAy-WqC8jO@2B}eKY1WGgs+)uKgRd~M?ZaCj
z|7sHlb}eLpt`?=}0LQ);MC-(82XvJ_s{&5BU&zKanrv0+yvr@c(QT=%85ShwKOn6J
zI|0A)ITMD=8-Wkh6sgLz|I!-*Y+^_Pt7yL16(Vp<`f-&KvuL#7xk{+kBp&$zPWi+_
zj?y9Ty85nq$#Vn@lZOba4o!jKcER4SB)8z#_#ejIlf=8&=A5R2i*oV!|76XY1oaVA
zZx9Fr<*OxkpBiV;(^+!~v3tvR=Qc;H{CfZJ%}06@R5b@Pe+SLKYO$|!lT<j=oJ38g
zTP2C7V;n<!1g@)h^42=vPaRLY97}PYp~n!2{SEK80-mYbEpz=`GjHyDPQRb&0&nlm
zVlSdio*CjeWvix+LY92$*f@FbL9$B~T_BOngvG{4J>1`islr1QaI{=FTlFkwkObRc
zrVF`C+MLiA!J#3K26#9(>$2@#W8ZbnK(Nor>>-I{=`U;1heHdJAKC#L2i=2IB*aYe
zK(?UtCks>g`8tZyYwgSW0U0kH4HgR<4nNOswldExEr4yH#4Wli&`vH1d^?LG?_fLI
zBnE*~TIr;GF&&4|Fp>qc$XV4490|e<gvcIb<7nwHky=m?#WIzhaW^r+()gPn8}A|0
zPU+Rb!e2mru=bhm^{Bn+zS?zld)JU?Ge)jyig)VG4&xwW_+=*QW8v73rE4q(a+(8^
z!E&tu&<L$8rW%TmbYm{H5i`<eY2o*yME{!}o<ovvz=J-yUVMeMH4>&j)o8=Hr!FX*
z_xJAc-8=NvtDk-UE{+IXoL!vThgVL`{$6ig6Y%kYX~l_FOI76iHi{!JAuyxKU``xd
z*5|v+im^4~M&3~eQn0dq{Xgk4(E|x|n6o2NMdg&he@604U8ap`uC&f;IXay;1z4{q
zTdpF-jVX$eDyft#phF0drHexOz^C!83*BT9B;*pk{B%o1OrR$;Y@$4Y`RyAF)wjPZ
zkB(_7%^ZzVS$D<!!zNm(jphop1}kn~ymB{0<X(GWwDQ~^itB%+vwB!6C1djyWKkf!
zCLrbv^s<ApqJhjV8@i_7A-tgL9FKgFlTsowIp(#EAyOPTTu3Ob?8(rRs+HM$Wb0;W
zRyl7|L62x$`8<iIh>WoP>+;aS>_o4RwPc$w=}9rimJXMUBxe_8Nn}e^Wjq|-L244u
zQ5=P8Mlzl#EQ|bnRmVBD)9LH)j0?rkt?To~S6L3*=-0RVo(`X-H^d81uzGrGe@~K=
zY8*Ps7_j`n`NEiIEe_IQUi)wc3e5jAO}<K}relH`-Nm7t<M)DenjD7jOBwPblb@8W
zsp&mrj@wnh!sB2Wo0I*JY%utw0W^XiX^{LAbUNuB@;2YYw(J1BNYqnBJOP3c((Dg^
zljE#dX%&EP!`?Nax58MCW`A|48gpge5)QJ<xNl_CKMEFL^7t_v_6}89k4-r;>zyUy
zRFr&eaG39T+s)7_hsF%f+o-(fmbNhKa{?(mDZ#Th-NM`{@gg8#rEnKIAmqxo#cB~v
zZ8W3TIR?(pQ93v2j7iE>9G=jxl{)%LSB@ljg$vgd!81q@amP9mbThU1(l-LDHSCC6
zH2H?G=uLG5B(<WRTgmFci(z#@c8dawO*`-Sy{;tgT^=^^iM^I9RS)HvVV{7HBWv#z
zSxp97GX`*=O-q#LYf7Bbrb4#;(@)PQL-SAlZIWo9--guwBfQ%Q!#!KNqpwAO$B{b@
z+eg}5$oQb3UR!`OmaCs&w#zXK;x<5%`+uZ^Mm;}i@2+x573E(16iI&FbeP(5)M67r
zpzmL6IDvR9KuxF?`?^*jOpmQTIfNO)h-Nk1bI?up@0_nos3QTt)*Y}G6HiMc-8KVH
zL-JZoURIir?P6|SAz0r@X_QbZ|I)*4BNZ5zn*PSA8*MJp>Np9~)8YLSx{^2(#(x-x
z!{v>@eH+=(78gae<Pfm&mOG&2O4kvaRDY@(Cd9RfKcG2>&zB;rw$SYjms?ZVtxo;N
z0u3{UnKhIxr?J#Mwo^z>_^4J7s&@adlels~-fEqr;J_E0^Z;Yuqpp<E9zjHmm*GSv
zGKHlQvRnXkn*g`!RUqlU=Lu<3c7|U!(AA;*l_;s@J&5?k;5F(lV9dhaoRR<C?q1&U
zJ^XB0@V(@0CnPMOJR5vvOMCZL*;)|G#Tv0o<+xQafQ@G>mCgQ&OfOm7^S>LaIECAR
zDBvm=y!I^%0IzKA=sL32;CFi<(Njx<V+u_S=dk8xDR_*~vXayfr3eMfLsb$sF9DNe
zdg%0o!XOvM&YV%fMu%_lYifDFt>j*LhlliU0knr}b&#A*``qTc-?tX)4jYLs_2ky@
zJwX+#I%n;B84TJ;<D(}&?wfuuOcM8_kq<0I3-b)(TeX}d$l;!3t^3UM?6ICoP_{cD
zzDnOV2m3iP7TOSM+=O~DEEkmQh7o5Zoj*-Hip)@v_z0MkY1@J+N_jL=&_fljfS*`j
z`ih6Pu>J*^CqjvD43CKTekiCEJC(PBgjhkNfU$iKhLY_4090hFzncUF5iJpMA<MRv
zkDgobSuv@HRP}cKDPCtr(#tC?a;;rU!{DjgjtCPU9Y3EVzyr@~8E}2s8BI;G*uC>F
zC^_~siWl=}nGX|um|Zy5*nh}h5cQUdKw?7x_H-3xFTAP%o)m)>tHa=Y5Bh&U<B{lc
zb=%0VpbS1jb`Tr46+SEvXr9k3IDY$bz7!OB8t)g=5EAiTKara;L!_#JOGW(n<azoJ
z^vM5(-p7Dy*zeZ+&tuXXdloGx0rDy?tEkihXycajK9V0O!3<Rb5dyCD)paX=afi}Q
z&HGF2*KqZ(0$|dn4+<?yxsCLZvr9V!r!v%Id|c|_$lm#E;WedUjvKX($byGGcto#;
z^^c>RZs)HpCycA1Kq!}>5f}r%w!i0$VFm(lFupx*cNu@8><STeWjQKtoZ>+mYc&?b
zc9HDBXFiOj3Jz1OKn6P~i4UXdWf=>sD0J9w6I^{d%7ZqD4rslrb|HepJZ&PL;WVvr
zC)=pFD9sj-@9KvXB4!%=q9UjRVt(p0o6#gT3SZ$(S?5+RHHMl?f2xf8PHx{ljGTlo
z)^3+ye?eXhcmQh;;lFO!Kg%Ltd`<>GKE_+uPHSN7?vG{Gx!bDZFANZ1{pi>$zGoxo
zteMXz$p7tZYS9CK9lFztR0<*x+ZcB>+m%5H`vwW)8>?QZ8yp1B`=^}j@GnJ$qYR%{
zKIn95tgGGECYexyTP%3$a29}T0R{LJrIPxh%QVyMN2^XW2Wr*Z>&VzcQbMtC^^2_#
z4Nap%B~gf7&wc(*#IClV8FM-1!u8-7)RZ@$Q0<U-6C&Sm&WF$_-weJbO>u_zm|d6o
z&m0AeQ6{3xS9_p{pj78Aa7ZLmcRdxK8wc|oF$Hjt(g@gQf)uD0%~dTSB7x)rV*<my
zf;`s5;$=i%kA^i)v6I8R)N|^PqgHhjC0h84?N|%eFiIC^W#UYnYD!{oEwM8QXp}D*
zeFt?i>BhVtIkKkvr2h+dSMDkJC<~!X>j5`~Pjaz$0N{j^40H_j$!7!e=yvq2U_p;3
zHH8i_5mX!Z=GSPbU=?Nv=$8PJj-(N=&K%3kmxH-i@@SA$8@e|o6h8ZFnI#%>&&L#=
z-TdG(F5h`if&XAr){1jk<P6QHJGS?K1ZSDxh|LMEcNnd$;u^M5liPzt2f7Rkio*B6
z5F+Z>9o|(JqPhT!>ti}b4)gcp<mHa{J)HNnGlaZnz5DrrgANaYXO;Wuh@D3(&+fl%
zY3(h7zOn&iLk^jpL>#|PZeVvK?$Yeu_Fh2|FQ&lje43Ab6;wZ7tgl%iZyElTzc9dG
zI6?VK$r%8luS46<YFur@DiLV)ZF(rI%IhHvapQt>9_Gbh!b|KggR{O6>g)O{=Q!pt
z!EU94DwssREj78Cr%_#2KG?-K5E*U6{XdW^#^B6)3L}jqpwFQs6YE%yF9*iPftAhM
zI?rwH{t<Q+p_~P{=fJ^L9K)SlTqGaIC88(8CTPX0inXNK#nQ$JSJJE{FI&g*yf+gc
z2C*N#NS_;HZZ2h~<R+>VmBPL9*UVNRcqh>%t*n3x+Vd%XTSDw&1UXhjSc!4=3~Euc
zW!)lRLrTzr42@#>tB@5HI@5U26@q1JdZrvb6QVw1AY~P;>3>5paLj$JqqdyWOYw>L
zqNndoM0OzJ^)xNuWv#}o=dvjP`^{SBVQEMc8tU$;pEbU{h2OXCxzrN4_PT@vT=W~c
z1}!2yY^?WBr5rptrggsUIoF(g0(}YH=b}jJL?O*v{1^^wtLN^{(_14#CF96B>;6bV
zhfd>^uqzn@F+V}McYYWgb8Gmncguo~_b(V?n1^4}^(aLRf~)v*slYH^<sS}#(}KYS
z4NN7(8XYdX#fW|J%CQIlc48SPcC8t-OuTwO;`&G0^}IF5u^3YT*1N@Gl+MsmGA=Hs
z^TNDaX@-2Y!iK2@#?<QQ^WQE(O?Mk)cYaFk8qu+KRTYEqbAoyJq?#z-p~h34<sxzs
zvx^Y7C87{-H!V8yfZp*YpGf{V%C=~UOW^vcK*l!3J28ozvG2Nsyn26pDtv%_coKEq
zbv{#Pl;32gMHy82K?>^<Va~m&TPqyFcOu!{Y~#hFAt}?5SvoaspZR7$W%U5(+IOWS
zFQ*Df!W$uLMBo_58t)=bV+No7Q8d+yc~%6d@8W}3?2s;uAK4_>6!d!;I!iNr7rAfg
zepx*mf|+qY_j{1J_hamCc}{Hc`|+F#Q{(FR4AHZD7BD8k{&&TjbKSxIC#559nU5(2
znm>mzgmg5fD@`-(OlVWZ6fRgHje{MYJ&`{t1m{ic4Oq|en%7>^G8DGRyZc=%OW5V`
zL&dsUAle~5JRBC0)(NE*p!4$#Cj^KNfSBzcg_#D@)Nm{@)8iT*4fL)v{HXs**BU$Q
z>EKp~waL}~25ozf65edjlw)TGa9W0yUwNG4vp#Q$sAb{wBq%a!jF#qb9JDF|)96zH
zFwF--q4KD$L3$HX@7`~vQoxW;uSJ%N)i#kFJWSSh<ilarKdGS9K7%#_r-0my9|^ke
zQ;-G5j|v-ZOWeanMhVsT!tUx8(3KP(C4BYmML&6jnT(oK+Z%tRwM57F;-TrL8U8Ol
zC&c<Cm%6s6j6*8}-P~7SYu>%@;|1<3Hx1uj6g~1@2IJiV_B;Y~?`?>?wh+1qysd%r
zs~)%Y>J7wI3Mft8+~laeDo!X_pf0vWa|1MAwD3CgY?Z2aR)7Xze?yS&j&5q%`M|E|
zf3REDtRFR}r7Xnkiv_?Qb~ZE)f(QG;Mw$wjygJQ+z1>&I*uf<0{*+p6n_YY7C2ksP
z{$-$s&Fj64qW5VE7Ib3xf{0UmJ_I6X!oE!ma@D&|gr_>kCHVKvgJT`+2Tv9I4^I^k
zImYR(wi4A2u4j?I)wWR&Hg_m7C?+41z3`oIbtC(LD%1ZBRMTEAY)_@v`&Isj?5yyd
zX@kI1x&kfl_m{DjsCaF0+t^b8_TBeSlSlXbD-if<bD#GHx-9y<!U;m<0PywlEX1*6
z=@k9%EyzE%n?AI<6>6Euv8Zdn(U){~A(W;PeIch+xfX*)lIcL8s*n+3INBQ<D)AHu
zv^{<3+H(sEo9)T*E0QzrWbQuZz%qht4;K*$gTd~A!w1mMJ7W(*<XhpOiia%D->hMq
zWH`kvnk;Dr_LVKeq!#>opseh}6f#xqYlC=|a~ZpqZ<ZwIg9AoR@sCm{9=QGng?6?`
zqpAEo*tAQFG|PQ0dsl$pu~7@2a3vQ4jYD`F+J&C1>)0MG4^Xl2g}zT=@HoHVI162o
z=m)ebsjz7g3Qp=T3ypu0?r#%n2q7Gu&$D*m>gx0dh!9;bLy>Rde!7k$alhR1*(!Sf
zF}W%<M?dRS(Z9H5j5ua@W+HA9IJ(9gc(wV=lnJbMU5tZvTWY$tUe5)ukIoi)ZZgj9
zeP^iJfzS5DNI?I#;XHspVWUKk8HaYJ{mk)>Snyd<97g9t>7j}Uh&KF3SeZylj^{T!
zydu{f_`P)E6Lb5O^2OVs&x5lPG}?=Mvwn<YNsrT|fG#NvG<l!}e2HPz34@}Atep+j
zqLj1vZ_==Oq}%+{IXG99;hp=}>Cij_-|hx^hRaCK>>`9e=(l{-$9yFAi=Dpy)<j&E
zilA7xWz4<{eao~<Ub?A<#{l&fBofqnS;uqSFw&QEXgY8ZIz^2o9C9y3av!P=gDXRo
zgup{d-QI$H%<Y*KUqOY+do@~ljgu$;e@l>b=Mf=?L*{zKPp|SfN4dn5_$b)VVMT_Z
z<w3y09pi@G5}qsnHOTn;N$^c{Gy2?1@_z4j<n<ig=WMR%Y$ux0E#S!VJ@3r2`=RZO
zs%O`y-J|PI$y9AMdJnq8_DUY(K5EOrcsCt4UwDWdN|SU1j~gFFHXjqxXt)mO84$I`
z23S=2IYp)K>1jJSklWz_c!4ph^ap4Z)h=&Jy-CdfP=x#~ZG~0mEO;hzEN8;D8b||D
zx9l)SaKK-Xtbn8;n{zEsNod-X&W>$#p+~3kD3dc>Xi5jAMW0Q|?tIAor#??qQ?q+Z
zELPw!7mnA6D7U%fm8)|Wu02qn0*KA_k0)q!`MqBq=_bRp{;>;}8>g;udXHq;_x0<q
z$et!MpZHaXb;Xp850&65`o0?V`m*QGcr4nYINVw%F86nOH6_IhE~(nUxU#`y7|`s5
z>q&~Lq%BMdbf-!v5T=V@dI25Os>7Z?y0g|`%N-y_$jmTTlF)~gMpN;{X^51|%Pu_Z
zaQEh7&v>LCY8AB9EckQ$vJ~77c$+Zfr)(EjpS`{#e)GH^ZwZhM2pOb4F&)+gJ|XQW
z?sTs3`(ETf!}MGsYzEx5yxH7)ydN<(Db*reUmHHzyr<c7by^Iae1coi{ym25N<+UE
zJoQndJf(#wIJT#bub~x(r!d^a2LuAKb2)OS@%j&Qbjf|sl%Am*{uu`FH=WAFlzs#C
zZw2FP&kzsj%ifqK8MX1+3m@#)v3m*y<lV4`u1aooSGb%OcGL36x7ywGucoRJACON%
zjbrH_6ezjaDELahNPQA?I%4YaNXO<E-2H>$*3fFwn@j1*J#KmnXIS-wd~*Zwh#q{W
znOoos^N2tHCT0P<vTi!+FCsKmptk9aCq8;!DT@OG1`-iz9mMBA)eZzodNT(SjyQ#I
z9!tCC&5&!D14Q#HUwlFHjeBY)Yaj_F$W?Gu{yn9>0K80!u6_QO#@D-_KwxO7)^7(E
zKe89qEW`KTnwduDP<~gSN%;7PzwQ0q`8z|K@Kv$TpFf)IFpORE0j2{?#QdHsufv+%
zzh0LE&fiboydS8z?tNd@aC!(Gk~*37Mabw0Emx>LuLc*4x-T=}T5zHPY<Og*CRl0!
zxECb!B=VvFR&)&cuYm-=qR7tm=JHg7%^2Ma8-u<rQP}6)xeKG3hc39hOxe-)MxyQv
zxx<5jk8XY}cWF)r&z5QTrNP;{f5^ID2=MhGnQ!Gy;iXI*;2ui%u3>BsQYNx34>Q&o
zk)|=0iky2sMu(hYw1RS>1tv(jS)^Lm^6`&6rL$Nt?)kGE#a}OKE$nPxPl%ciR9zq)
zP)#_+e;YR1__RWhj1;twR>Pv0O*5#3_mU@uGf*CA(GIIav<EJ)9Dda^YpIio6uA9l
zRt;cgB0z1QMGvz44@aOrz<>p9kh)fay2axO*tNt=VVQpT7zP#4AI&O#M!FTcd5;@_
zl2_4r&;4VY=?klZm0lAOJ#9V*=P#$ETz2`dKjSU)e7b#59g_G;txd~cX?AJ^{JWkJ
z0^S|(j|3lb?`MP+FJ7(=dS>4h(j?>i&!y`85EYZXN9aFk*n?|q!DKi+PqSkKI<?=0
z!zC#Glbuhq6FaefI<tmaSOI^HaG5r}{A#9S#-{_dp*?~C{iy1@QEs4FKeI-(_QyEu
zsb03;tjuw>eHd=R5+gb7a6#+iVD2hq4ONw7nl*jW`%v}YTh$a0yA8}DU7=}1k!YAu
z&_cnX<2S-p<Tl0{yIeHWce=rLN&lDNKHro|Sw*s|c#8)trZrZ-s@+T?(?*Tec2Sx$
z{VsM?Z52`zJ`$<{ly?iH%BQE!ne=iG)H3=o%REbvHU4)4XXG7{E1tW2qEGx|o`1w6
zv#I;`8E^VVcyt$Z!o>fKQ@{hiOVSKT;&rxpez<iz16qcWd)Oq~e3(!o4i%Jt$$n+c
zx=^&UaEt?(1#mnxB|HOPLV6auP+bJ?rtdv3<oyH*ye)e=Zxi(hpI#St8_I*xvi;N<
z<`O>29y7RDa$^<#0n1A;V1rr<nq*hac4Yp8hy}f!o)DPB@5WxLf2a?$?3n1_H3>Y^
z{XpX0v>(w<KRf;_SG3TNYTEcFFB(00$$W5zkhe^B&;xnC$)|JP{obyIH3MadrYK@Y
zNMWG3!mgs<;z8AL&V@v>|IXT{8r$CpJ+($NPX6R~+l^%+@TS>Gz6iB~?3a?FQxZci
zo}4&z{T+Tqw<dT&N0Ru++NOa!v_gCYCJL(=cA72@q{FKHeMDw3E0~<d<6FR-rYe8`
z#ZBLf-xjAisD(fCz0s63ke@#H9Cu=e_D=0yX(S@Z7AwxAzefBMa&O=>`9rSPh1|WO
z|7jej^a-@+gDl7SQxtHKpP*`!q%Pw1EHQ2C?(R(afpTokFusm}!Vm#S{dm12F=p9w
z@z{OWnMSo~DSBQNQ6|VIa~(SaYRfh#z`myk5vNVmL**bk-)isb4Zs&3dEojSAcB;!
zkm7WeXNkdord(_3mPr}`6@&SrXG5c_R{XFtEwBd^KHcsBfqLuh3=2p>(uSjf>k{sv
z>wm?ut0aCyXR<pm(4!kXz!Op1gj05b!nsf{(d8nv*|RawMXJ$$d<>9{6U|3<5lwkD
z^w#OZi3!i<905+XD#qq3JEy33v{1!S<<tT$x5??g<kNO|<i`N?n)@YR*3CkA93y`~
zA@XnmU}~az6&1pcR4BXPx}isdPogeja=gw3joeXpk}5%ppROx$K2VqLG+@K@`=yUt
zl!h;FSP`$LDJ-2#tYdsdn)eL+*TVK=9P6hFv-1^0DALmIg<)0TFlBi!lY;I&$wth>
zqv5ONrsja5HTNspTk?0muVzoO96JOQ1H01qFB8C7e$ThCMFR4}rU38j#~S~VXUBl!
zb2mdcPPu7s-`l2<f8#!N&$r2?yVtl3S}gBB)eRPq!tj%X0?7Ko$G<NHkrx4Rg{Avj
zo}ObmcZYrX&WmKUto7G8b7Xl$$6e!4WUHcXr9d`|1WeB`Q#rfu!Q|h*WH8q?0|cJ%
zJtC{6_2_QLkUi11ziXfZLM25fi*nf|z%&r_8;=#HsbmkbjzfLGjuP*XVgw`rvP=S$
z2Xnex1!#dL4V=<n(qKSe#DfoA{wo;fKY)+;7w~Zo-+H59vuqus7*`%gOz3)E9SiI_
zblsGjM2RU%G-$}A=giD5eM`XamMXU!m*ynBGuP~p3qa472%Ch_2VZ|91DOjKy}LsY
zw5fd-^kU=$PkR}vqSRz}+mgJ$K-PkWMxRW%_5PgFEk_LGvm;P3v#|s!3gnHl5DWOu
zzK$OV0R8TW-uEas$i1H9i$S{D3sKTVnICc2&3q{VdDUdM*Oh9|lkDdE%hz{U&9Bd^
zzz5%Zx*d<C75SuNl=E~;+mNZy%83jx2Do$zqOa7QplQS`8$`{685dS%d{T1teJUIA
zO!A+}qfR2PZZGrmIW>Z7J*k=l4HG5Ody_r8MxxLI-Oy_gn0W!js~>fhW<a}3lSh`;
z?F(G5VI)e-Pw^3LPZ0eu4?3p&2kgJhc>^u@e@lD);tWnqo-F?ruV6g_Gs_EGsp;bo
zZdBwgRHuBwgONGjH_&GW?_(&HZbCH%iZltT!>J`cndAxRWinG%kZD!#$!!hQ-w|b~
z%$mpHCk9diEh+P@Jt0KIrk1;G5h~IoebN1nmRzebJFfHFc6I^gKU2xHwcr5ZP<Qs^
z_P_*ZI^oQ<P$mlPyatbx8Vd|np!III;|>%WEvli!<gX_p$`^z9k6vW+{d_~Ptm7ul
zE*B|a|30jxo4x^D(2i5)?P})L^*&=J?|LTU?QG`V<i4q<3%j}BzpYK+u=a_?lunws
zcSWG2jw!7cqxwVyPz*hjz5+Jhh$*%0m|#YU_sXm&$2JA#phOkd*;4%InM*xXR_G?J
zTh?`3X)$7|)2*a26YC%@7K*dbiDXI=*oZzns9`Ksc<2i-Bx+~-Hf+?zRBp@c@{OKc
z3+l!fAIJpV|HX71bS`mAMF{;X!rS{v7u+oUh#L`y;{b9n01kWu5KIpH^LIBRx^!Zp
zIbEDg68(sCiWrTin)$@{6mm&vJqm7>@)KHF_iQzEs#KNKLaqAGbj+Ie#o}-qaKQ+$
zCZu&}kg%xF-JpjLy!W#n+YfGB6&3Hh1j+Tb-~67w03V-RXC}K|_qPyoaBA0)r>W|$
zryN#sSCz<q5^Q8ov23UR1upgvw2`^nPUL@K-1g4<xfm@d*u@21HNG~XQaun2<61!Q
zyjV{Uu>*yrbAW`tri`a(8T0N1df@H{((*jhxmeg^Ln|&%>v?DvrLf3;zY8f^_$H(!
zln+l0Yi*Nj7(`U)5jVulEYv}=QqO{bOg{Yt9J-TamXo0)G!qwdaEa+Nve_if4Cw@K
zer>i1x#$qS+oci%@7`9&`O)obtFPDJvYHNVWR=z5{$u-4*M{}nE+;Fs!Xl=6iMlmm
z_kvGO_d5hXwb9hip76>umJ}3Wbw-W?Cwd#hVPUN?_G2Ik^i3c+`afsys1IY@c|t+Q
zv-LtYiH`A*t4AClm#>ufx0mDmJ^7(L@soC!o2L<-i`j*w%{)ZW!d6(TojUuE-O(D@
z$|yF>BGOFg>Tp##1q0a^se(^Pf1!G9$+u@M3bdzF84#*+F+Rd8-z66&r9;LCwzG&N
zp~wv#rX!>VqGzmqn>pkwxR)lltw*q(Rh7K?;X@%q#X<^H$VK+--r4{TQ9Xp<z<B{z
zD`VC*Do*k6!ce!}ZsnGJ+P#+j1lN<{D}@JZbn-u;gYk>pEZejDgCMB`66R)c>?l8y
z$J42amn)!^12E!6u5{k4tA+iOmZSpx0Fu-xIn+4mkH9|i^~6?for5I{Y!Kv=44@r~
zMb`YjA9<&OoVYFV9IEYiscwf4k?+b^>$yJ0)$IG+7Nj1tg=;R~y-2%+?9ES0hApcX
zvmMe59k=^urO#_y@`X+FnbxPn)&-f<;YQV7nN^`)(3<*S;M>J;Bm)`=Y=}_g+f-7X
z&_q95YthQMKVoj3?K57^!zbNEj8=j$&eOdgQ!9cyY0PyqwU!V_2@W^WoCHe(Xv6n^
z2i!&WMOWh%H^Q+>HYH{NCNk+yaF_t0%?S<pXn`a*4Z#SJKN0&L$=$oP;WUAp6$JHM
z1iZb0qTb$`x?LxLJ$D&H@-fZ?Bxgi;eY8D?V9(1y23OMnPPJiO$Fj77BwX^8ka16&
zfE{M~yfJCF2giAAnMnlHZHv`y)wVw=20AsY<V~*MAIW#poeu3TLVOO_s^UW@!~XOS
zB6h${!{50YSQ^<L!NZ`#>9*sxnR1}Fu(JOHZt(vvxNQxb{Z@pZT;Zc*N)Qq_()3*j
zQ_m^dcF&$W6a!vM0bMR>AY>onmBsg%6`fPxl5t2X8oW_t5psCz`)<!kw#)V`x_{BB
z<UQ{KE;_7HNHZ0W)g!~PPzBPan?lkG(LoNZ@0y^HQ+$d-MkI0CRJHw-R59>Xv9YxA
z2f;Ez``AQ^2&Yh}H>+pmyo^es5TZcV-5Z!)1+#(ZDY^wgL#g|=aV{$DUf)B41ZlxU
za7#A5KDHJ=RkotZL6&z0e4>)mPppZ3X#!;L@413sHaF-Blu`XDH)JPYJ(ARnb&~`>
zLD*>VY02Rqx&CHan|D&@tHt}Rg9=%HS0IXzHK#KHL-09uDo{&9o3MATp1uf6m%Ahl
z`xBQH^k^-X<tA$DV321W!2|)zL0B+Ek_)C?)kF$d1P7~~izo?KehrZVjQB6(ejAdV
zmz^~L@j;?c*SdqTc56l851DL?&|Z1;aOu?NblyoupMl}_oG}te^g}wZL+nvIhK{|%
zGRvn*L1Q10x91Q#eE*|z&@iU1XtV9yU)JOJQStmH4&Co?<~i5*DPyxvRZ;g=yc&VR
zMUdF{(H>~?B+D7#G}N@Yd!?N9X37CZz*$yUG<IBh`kc7R*?1TPNU}i&{R?|YqF`_j
zaOk-~5xUp^g>_JV*}Q=_pJ*1f@vq3Q>UQ2L`o>H4gvbgyxGXFZF6J^Z?2pGn0w^a<
zFxCwX!U%RpF<O9NYz{8^7xTh^Y%T=5DqR|g;GF{9P!T}(+%m}_HrN_|+B6N!Z@v(G
z=S?Ma%a9OSsy2@i+qfg#n=XLb>>Zr%Hh4NaX|&-+JM@ocMn+6IFjvza_j%ad78-Ek
zgjoSa!jnXI9f9PK;|pLheM&kGiN=NK=u)bxcS`4U!qB`uMJ-1zTtpqTU~9zBsVAvX
zJuL>g$=a;#DkH@MH|XZnpH3u+wI$JLIqPI|yh=roYxUVuNFI%F_qP^+5DYRcp5}9*
z=6$T?h)>0eWwoPP?SOLsRp(oLbT}BlqJX`X#Ivu4J#`(IaUBrQx9yfax3`;kID$0`
z=j3w{4hh-hJtkl0@hmmgNt8DRSaR2iTWdOYayd-r@crHhINc;mEZY0_IAp?2d*#c0
zPlkEOQ}<Q8H2nr))nxiF?pjwMq@^Vb>9B>i+sl@w3=?$SJfTZBJ(M|rA=n4Q^{*fm
zq{hBhjA|r(gEYBV-M9ytk76(JZPJ+5)7hIKP|iaw6KN;MloIAFgmwP^^16lyXP2w^
zkLHuHCv_H;e0?mvk;h*9BqQddi;du<-$usjG~N=M7xh<Tyy7h1*jtT|iawDsTiXR9
zt{--a8q;vDrqfPLWqg2LWJN2D1_IgMVr4H}$VteMKO6bmkAcudq5j8#CNP0%vLJ5{
z{S*n-aF<}HjXBDV<t(r&`-fWB0>#~blKPR6>E^T<DmdKDcYrH`S!UYiB_1r7fQx#v
z2Iv3}*kf+&y`ldf@D7pW4QJ>5N`tkW>&!GS0&-pdG0LGm<u=tnYd&W(ZCI;K5;}C%
z8Ck0L`s4!^Q6#@Fv@$0O2W5qgRc@<=0JTy`QoW*r#JAf!OSlDtV3a>T$;25XD1HR@
z)lG9LmR7(8I@FvX#|G{rvH%pR5+uClp@LpG;SQMEqaYmJKIOI0jH0zs5`aQB6vt9^
z3RvI87s;J%Oo&M6v*EyN=@Z`u0&E2Bs`kFkRXdo)yZ3w`@BOPZw3su3P~(u0d63k^
z=@zH71j}b5;c^9Ht7n6bo~=^Yc_)|em!bUg$Kde9uZ6!$u)M1dXLhI@QthE`@HJB)
zPC>8C)ViAX#z96yj1q99yAMw1iiRxf2;jo3HC-0<3=J)K<&aL!$407$mP98yQ)`U1
z!9!9ARrY<6?EMv%ht}e9i|z^Cb2aFdxYYUkDIsEZW#Y5x5jg(T1d;6a%`0@2fz{?F
z`4vSmarevd+0SQUcrAy&L_B|r&rUcyZ6N1(rI3j??_@d1wB!;lH=PV$d8N<1w+qh5
z3_EqsIujY~KAn9&lHKUBQSzcfp-U{GBOg!#F_FGHn8so<XGDunBJLYH5yi(B8_YRg
zJinxL{ipf)k@~gTK4%Y%?+t&z*bFSN(2B%Wn<TZNWCA=Z`wQ#`S@G((ra(($4imRw
z`-uSvW5Y+%$4&y#nfl&i?j2urUf{0@waC!muhm+^;5QbgF6qTIJtbLH8A-w08F(rS
zNab@nE4)DRouNJKl-hxQmBJ2B&#ceJDnB)>SVxUj2T`(`#bXlOXrm#Lw42=ySGTg~
zWuuV^G0|A;R<&t)blQ*%s!ZBGV-Uc<B&2j1nd+A!ay4ccCli48f%)A!@lY2cV`xB(
z@diLXaK%F&Z@O}(h7BmMRt$0r!)}lpr<=9Kw++11bJ|s{XCR7@1a+eaIt0mG*IQB^
zmf>RX+b3<fAMkIU`=8MvkWn*9>mz?kJm*iGLi0QPgj<%|^qOXun!ZiO8K1}1z1O@}
z+SGRX)2F?tzMz<UI68~-{>NXN2TuS=q6$Ch0Cs$wPQQ{6xIcWT<u>z@(FNk9>We?Q
zqmGa=SH)KSX+(*czBZ>D3UOeqUBUT&_xIw@V7(A3k0Rm!i?+9niu>!5g&X(ArGsm5
z8VF8sf)j!}H16&eoCJagXf!~u;O+_T?oROFPLKe(P4a){J~MOg-1p1-nYCD~L+#pC
zwf8wcduL212^;`X$UF&xvDnYCk8nfBfggDxJ4L))sDb#FLDB9k=3-!Bw<s0VK<>L|
zh$}Q=dbFd@X9apD>&#8FKfluFYZOR78gJP&IC8_ZVWa`5P5(r*t7Jw?)^YaXHrS<l
zfMpP-%D9zY>V?>~{uL`mj%tY3{7r*iofOuE+uQ<|&5D6c!^u!$VSxR=<jb+xE4|b%
zX8tG`&11IH?6;Sg5Tn)ggqZJY)??~nqQrq4P<GvsUn>v?+Z}KieDLsq*LfDK0k1%8
zT!bNtaPjl_3G_#Z$+)H7Jy#F`7a7eb`Lg?h!&fdi@S6Ie@!c+PVC={K>&3@o%eLhe
z_O@l!3(mvXM&Y`E0gKe{ImcNMl*bf_v3JuxR!RXUHAZ`He`?um+w43XR?JqZ@?!K&
z5*C;;CY@!h%_Hb4$aLUx=Xy>cD=g)!lV`Q8RYDPXCX+u!iT|wD#my2M1BdXnXwu<?
z{BVon0<_Cz=ICLDPPo*&osQYD{Xx3`_W*JONf1^X8Tt*RaTJmKm$doN!lX3ZB8ij8
z`%K40GlQVWf4~k*7=R=cWF$LOTgamaTau{Ki=*ye$3H7`OrpTFvIJuB%6V}%A<++1
zRetPar?@Od&i>b10A8tEi(n>V+FH<7CDTU4m-^phs5*t!{8XvtdJ$PiBTQdwciY8r
zbw)>37I0fhh+6x5nUe)d-(v!02j%{A4V3xtFSrEaFQS##Z)J+YJ7vhgUpX|B4t1_8
z75AfcM!t|EVbD1?JqEWOVv!zrFofX9W>+9)>rqX$9?BX!Gp1_sF`#|a6cusVny)$*
z@?4pF*zXgyG-sUMGoX9ERUVV5Ec#i<W$??2^R2*|Vd34~Yq%o{zr*<QolH92#HEww
zxtXHh)tZX0jJ*7jz!@**=DtMic1eOBu8JO*GB%(&*inXSL052?&<TmQ!r4ELDa&dk
z1#V7ZySvK;F4SD1y^K#!ju{UiOqE1sHeW4Eiwe*YKO}>95+${BsqIHlUHn5sK>&Vh
zivCLbek@cmcoDSsfhK`w;YvXMPu-(@>Fu_NdhQ72H4DJvZO?N5Hf$+G<49eAu5ofX
zqnz-&sr0=BpzGmh*BQYPSu=t=Qx!f&^)Rd`_o9Q=c!aX3ovm)Ruu=@!w-oV|4^h;!
zc5$i1#(y*oZyMhHe9(5;dxg!8s7+!oHYiC>)-YO?pSBj%ni~-zkhrmOL|FGFij;=^
zEzOI^18%O`*RhIcngXn|BS3rQOnidV8lAZ*-HXBICn5Y%v2l$Hm6yYp7485d;xJ-B
zL#emKGm%W_Ht#s((=Qv?4n#|%?{?VO<qEn_;ox=b{j%>{6<${5egl%eJ7Rbw{t}5T
zlJT<)7qbh6XDL6=587t@cQ1^R7Re5PLlz0X#K)uYCKTTq-3diA+rs;px|S5eUbZj)
z>;|vbjn$umSIEuTZSyjSK)?`xX?}^prCvndE`;nxM!*^#VTckH+Weo>=3xMM*`FDM
znyoMZ9@<FlL04wqE{R)Ni)84+yLmd@L)};9e2>RV4~OBbIg#tdwVIR)WCiok$^xW2
zqR>tUB@aS~?ljqUI_n^+?C3+dT=N8wxi*z_nxZHpfYtRJGo|7SZE&BsWzpJ7J(6ft
zVE&L<4R!5UJHX;W0_C_SL(VHd-SZLk#=AbLF@42*cQEP~s|=obqZAGIOa@g^dLIvd
zd42k5=C{Vmo$<+;QOcgpEo$+4X+T<v0lx9qx(uy>&nHLm65p>6u;=!Bg99x4X=8;K
zAEsjU7azt%e<G|{S6f$a=X_r|YpwZIk7QC&g)Mw9dp(v%6x;ur_><ovlj`TLa^+)F
z`D0^JLu%GC$}Fu9uiQx~1CcN#tA)QlGcD_1?4eP?;YDzZEla*^|0ef-hV64WWWm$$
zt``w7mTxTJE9Z<eBnNPxMcbfCP6X5=7%#|I{_&&Yf&AX|^UykytlJmR<mj$*!$Pv%
z3#>WZ5D!6Hi^{uS*$n2EB7P$34t5B0gZ5m~laQA=Tb>D4%GV!7y_5hHR&#|0#6eAB
z2e|?;8fVBZ!-_LZL5pkWBSz1zTbT$^^Rb?IFL?OQ7>eAgJw~R(!KE0~Y(R{b`g|xX
z6;zKJ11ABb$esfUvl*aPmsR}06t<K-ni^9bB_KjkAVw_y&kPPOY-A|n8ycDrs?;@O
zH4w}9UMNF^zOIEU6kMTL&My?)HNcD5c1TDxGu;{_bvO<vJMVMYclyp2IlDGU>geG)
zzl$vQ7G4cl?jsd$7_aSWxyR@e-LGQY(VV6CZrAsNCaLj@6V>c|{sIm1tj{h+@F`Bx
zEBu(#TA{Rgt@esk$e)x*0Qv;G)ncrc3Moju0y;Rwq*-Vep;PjaxJ4haPrIDRncZ}l
z{`^#P4DCna{B40@fdm~vhHVcQQMPS7Oq|foAF_0sjeH~^83T9AKfAL#q~%!zkv-A%
z65$=T{AvhsqMph|U>M<@PY|Jy*WUUf_zTQ|w#1R9(*!_me*GqrxKJcQp{ud;E-LxT
zpPxzujI<LhRc>Ny-vGpznGy~yC0I&@z(hIfzd6wCo{l{UluN=+^t5bS+0|QGK=)I|
zQV_+Jjks&;u}cJPCqD|dO+{-bB395!&gVyWjkq<Zn%8dN28D{j`_ltf;8S<Ze>9mc
zoas^3PY}cmUFB2IBH`YhEW~N@$^i#f=<cf0-#!$kxWB#Gw&k^WyAl3-U8{UA;9!j1
zwT|CUYCpG5yv$9T8T)A7IdXO9!*0p<K^c-_|K0JQal1$q4kKN>h+SdREY=#X4ZwkK
z-?&Eo&oNv-TL_+yTd4n`X>O|eFQs&ZXaI^hc_J=59Rx8PKy~oE0ODEz@BEfkJPIsm
zdHQd_!#Pa~$3aTsNaF%uOV9ww#>bFlVb-M5O?lzK8~Jnf{?3A3#JAxo_g0?;xObOp
zd1d*gzDTKmD4I|f5$9OzNZ;@_q^C<5{x^exqgwZ1W$<{dA49ewN}QY#?D_W_K&?53
zKg-oq0+3lGNe^!eX^+~3(jG{MGpRHj&`@8PHG#Rih&njM`a2LV1w#t+F~sYyQrKU$
z@PA=g(4(((gNtiE<pw*Rum@S5E-4#>I?}ZCDU)eE&FWxYGf?@WS`RH7qp@~ZSD|kz
zT3^bky51%1<49mvUyR4yCiwRj!tZY_$Mr(G<3i(5!5yQ=_D_w^$dZj71l(@keJrSm
zr9Ivcqb{O2|CyW<7w+!Cb#|KRL&Mwdk${9cOZ`4Uw?3F)Nun`;Wxp3fRY^ley=`v_
z&v|3l30TV&OF=Rb&}(L`92f{zSvggNKF`op{UDa_7f2Z%1^MwAA&{1pe94oFBU24H
z?9EV`I5!8(Vw~Rs%T+EEJ`SWYQJdEw4hbhuw#a%^^0RkoRZ+}hp|jGQehF>`R5vog
z<5>|qO@}JsdT5b9Dufn}pp%Kj4OfSKOS;RLRK!3Tu@qFNNx(352FO%bMQ$&@=m}U0
z%)>+^J>W8L&l$l?U&gU=c4{7n^AD>GX4rj(XY`@djz4y~zvdZ&Ie_Vs5VaXerSY?Y
z6B{?&{D#TiU^RgZ1g1Zpe#3v(A5bAW6ZXog@`Mj=vO(WEg~$nVLM~-m?&Ptqv>fg%
zf76$Hu3Q^mV?T~ix_xiD4wARS7Woi!)%H76boaRVB<Q$k`HkyM(W*2}l1m*Zvbb(C
zr;$gSmx1_o&SC`6-tiU3sgo^5Jsc`~P}=07qT6M#UAcbeNHtRVQ8UC|g?of#5tAqx
zgNijBu1d+A{);T&G*G=d4#JIs^9&aez}>G3&xpA8jWA^#E_nsOWZyab#@-AE@O%Uw
zR3AJHVWfil6e<M>{BQUUUwqQyDc+5v@7{ht5yuT8kY)q0ffckq(ouYb-5PcJAgNLJ
z!CHE)F8}-{lg_C)%^P4_#ndVMi$0&W2#k&aKb{=@Uj5@g_?E`A&2En}{SSQi-q;Vn
zbIvxvifE^6%j?>o7J&2Xgx>0Xv`~&FeB$nL72*Kooud`{Q_O%RG*;Tv*5H_Z;BeQI
z<Ln$6a-g4wtdy!}jUHh3oViWs_%w4kk&AeI{{GtKiqCN`;AeyA^2$ZKq<Glxdw2H_
zg0r?}!_PB=u@WGO-AM|MDrI*@4LVvV#XeiDT@>xJt#MyqjGea{(QhsuFtd)fvZ`B7
zY17+`$~j~%?S<$b*3211;>RnA%*c$1Kvj|-!d6p9_0Fg>Bh@TK??XGXEYRHR8E*^g
z5GLTY0?Ja1?w`z%eBxc9c=UMj^Px?&^rS>#IW=?zJ{@j)qz-P(F9}qLSHEQK^IZgo
zI$VB2O0Fu)YhTSSPD*Vu$kmm?Pn)PA)~RPTGX?+Vy{KnE9AI7A3FQS8x><KEJB^=?
zTS(T==#sU^+rgYAn?Nycf{jG~B9RD5E^0WeCj!B4Vn&&nk|Y{+v5Dcf2wU@VbWXNY
z(jXQ1OCC};jMViQkB+)wMB}Kae3l_qvM`vx^bz~Dg(5*DzAIcEQ0TqzhLmpO@;?Fl
zO#~8+s#d5#D+GAgBEMzICllLm(ZRH`J-0gk@bEn$IsxVPy~D@d`GB1U(P@LnE7In~
z*GWdz@h290Z4r4KmA@KCR0h9U=r?&sOWMXx{<`J8gvV~!fqd>h<bB=39qld)9D067
z<NACnIH3s%NWO?flN_~ws*hS`YNH4^6^04tR0OnWRMj8j7Vu(dKX3wnof=HQCrkcc
zaJ`HfH(WUY*~>7=4B@3`L3{O3+9{O29r)!_d7GveS|%rQpseUKsY*Ay3aaN*AqZpw
z&+SS}=n&H8G>!#}tK}w5)Ix2iIG9R`50jWa>mCBFU|A)hx$<8AHc&`o*Z{Go6;RoZ
z&Ctl}XnN1f(91tw9xiG8(P$FlKF9;-Hwo?0$*}wvp4W;k8c`-d2Ff_ie1H7RMQgC~
zu`~qKlrRGWb+FqLsKwwA*x8yjnV$ki<Ye}gWfj*3P`0Rh2_;8-H2i}yaOK6#y~doo
z=v6x9;c;AS&b_zqE;L~O_oK1r!pvM#)jrfcM3zr(>-pOP;v{{e=QX(%=(g&;uEjdL
zIYbjx&qh(}?M@fo{7uGXUTj!5zIx(sfDvv?+<E;UkVF2TAWw%&URNml<5}_>XEr*U
znZO6V+#)Q`y%QK-{Z}u!D8KEN9I}1brFj4`u#PUROG+%VO3d3SK$Xo+UYt|Hy+`qN
zwpBufMJF3lLqQpn`B<)9;t+`?E;rJW9yqcAm~C8&qfvJfQ{@p4k6w0_4rdI81cJXH
zC<=zY(fGx09f%Z?k|jm*SsR&Ji&k9R2rfqt5FxaPG{=P>$i|*r&Z^){0Gs<9z#S!0
zqUs>#T=d^%?wHHi$Gw|^<>c~QlhjCe=qGL}QslgN@rwws`9D?UnFC(K8<$ccIbQj1
zP9s<=uOIK)4jk@B4M-CyGMvbVzW<7T`{OuS;C5QAg|;sS$ur)H?PJ9w$fk#fG<;I;
zSBxv=rGJJ8JhtsfR}TtFyayBXGBjnMZE3VItZo7}-6HPSW`|`c7%JurEOOHDfhc(i
zp_u7%!Y^o00Tyxjh$^V<{w(Y{2&^q|FzfhFV3>x)Wrvj71<Pkd(3(J0um}m^Z-8Pi
zuZj2JE-Wk}K;QfD3EyRQ<dO<ERLFru(0ob#eBM+FvbBD1h^YZRXuP#Nau(N1Exqmu
z;D~jpyprwc$(=+q8%|<+ygy4AUFA90Jm<fd9MdrFAO#`?fII5ENjDofIeUXVc*x*C
z-zNY|)XLG;62pm6bhBKrGp$yVn*v1^%}?N20x@n0&GZR7FVG{UiNiE>wD|R4N*l1y
zdZ-Cc0A8ESwaq_&niv`HF~^(kK04qv(Hsaj3CRP8c7m4QxGXZQ%<!#DKBTnWIkv?5
zUmYZIonXJ}JH_WpE^+vHLKUw><%#nCSJQXMAy<GFf<N{0Z_#gbnzOpx!i8^&UQycN
zg7#PEe}_exo3@en&r-vNY@T8e0i-#rCmoKa`M-5I6fP3I3(#+~XFLSUO*T@%mJADP
zM6{J~36h|!@DcW*bBjRp8&#G+vrHz3I{s-aX)WVjeLNCvfq}#qoYiiLJZh>q!d-F9
zXc8)IvD2E&g*9ZXmX!6n*az~qW@Tk&G&_{*{=4>Vrw7j^NO`4)5p!zxUT7&p5?@?1
zk28|tmt%e!vP%9Lcp7;=w#7%PMNnA{ch8JJkJ$%kK5jgbZ%3cXamn%HfB7aOuJ$;z
z>er<R=-8eWBZAwGCl#M8uNe#Ba;I)Fn+0%|WUcRY+c+{*j`kD$X~3DD{M@#2Ky62H
zXp=(l?Kyu=nQ-jE2^{5H{l~YhzV~N+%`%iec|y$T&wt;xe4l<8X=rU0(&1Ifl8ud^
z^e_Dtt-x^*a1<-D@RGswpe;{B#N@N*$gXF6zph7{RR~X+KPWq$dDjAA=RH|QUoedq
zQ7vB>&=hLXM=c1uYCp~8P_)#0di2>IM%s(zK2$j3C2;&I&x=R^Vgc!EDd1n)Y(7+#
zOOQetc*E1uVeHC$woh7@eq9f$!^O@;Mzs$02rYd4&+fZQ<bt=E8Tu?!%t5um?utW*
z3Qk(xT{B+?Cz{@gtbyFMVN1;1$^M!;Nv~zSX!|s7QGQs-?-08)4>WRyd&AiTeGf*P
za9>KgcS&@lKtX^Wu<ykw)b+=5h<Kd|?L&2OeZr`=jc4saEduV!D(#M`4;}~n5$HUp
z7j8>xA88vG2Pj$jsmyWg3_V!j4%+M9lzbsdQJc)cts*HMUZ76xdo+>{&FF8|$u=FY
z*yeYZ<;8iSsTiTW*W5?pUHZ#N^z!UDQ497!{jia@?{(+JSTr>y;{#8_^6bOr^;>-r
zK{o?W#elCrw$xtlxA|_rb4cj-tg<3ELy$!&etT9Nkf1SH%pdJ@iCr`?$Lj={DmQ;g
zhXI^gnb^83D<X{uI*fD*{n!wVW*2T5nA@ohkQNJw1`!bjD?xE5%Iy^c*RAJoHy1GD
zKG{SUW?7!{$NeCkj`q6yVa>aSF0zLc!)YU=qtl{lfs==XxRhP8?1Ikyb-TTJ&`*Nj
zP)pjHJ0y7-`1OeRZRR7B93#7T1a0;s0k51HJ27F5Wd)ZXdzH>2LMO|hXySJ}{WtA{
z$fqTW#@u8GyUm;5Sm0O`BL>6H*H3fjs*IVxEgky~=V!B$t%eFeXIz^L#Se<P7!)4(
z#us0qdbc0(3zX-@uQXVWmImO!W)~>W>*5M<we5c$S!C{pooP9Tn+Y4+Y;>P}OA?Zg
z86u~T6}|Ji-tCHYD;yZxe!Ob<*8Gdq(ObiF*1C}9POQ#T^wjt|JtZLLmwi*nRuBs1
zUJTj~+P=$C+yycLR?k?nc%}Gt4BIQS?;MUyF{lrkZ#ZH@CYz(f@KO)>1&>~<Jl->y
zZ?7-L-1IivV}2JYheaV3N5v@cxV6s$5!@lf2!MV^{ChkL$`Wa8L=U0EOWAgetfX7G
z`r7Ra`HrFB$=cihhGabY|3ETJXTeoBg5v49!2?Ca&vd#{9VYDG$JJam9R^JlfyC4k
z2|-5F5QrU{(pnf9S^yfi%6=Wo?KZ=za10&CXyvb(Mf~3;W@B_(Ge75xwh>!C)zf)r
zX?cD#{Wh>04y47#MK9MhZB(&S{kemdY+JHN+?V90-Ro$fG-K~&S!Ox~w~s7dk;W^p
z?!0lfxw0AilHq7`#q|6vNruw9wq>og(DUtueZ}76B#Y5>CbOqCS!f?Z_4|wUp|;rv
zqqiP9o||k9o-(gRX33LcQJP|BcPr)_jVg5(sX(vR$%}F~1t|i9n7=~y$<pJFSDA<?
zuu&0yXQq7R3>rBFFtQI@02HIY!xJqA8g+gs@_^aKK<x0Z0mA8UvxWMRYZsAOj*V>u
z4cvOwr~2c!gu)<0!MN?({GtWtflIlFLv`txRl&5^3eOU6IlTH-Hi*UtR_Ri+8LWfU
zn!a%QeVAu0W3H9=8YVNIS4$sobgb>D;0hXXS_`vIhpUE<K+9Na@R{VVB&Nn}%VyQr
zXjiuv5Ql3k)`thn9JP<K5SBZw!{x{=5VoQ@f#t-BO;zhsVZ{PCZcbmbOf!FUFFjsI
zyxn|E5j~E<Tj8HjN__N{zr(^`VD;X@oghD9_u27Y!Tx$ixYA<u*m<16t&A|KymZn(
zcK3LeQgQtF>Gj*DU%ev@&9T#DLVNR-0=b@XyJKXO&K2jsV&^Zv8&p&;!NvE^Aivdb
znWAQ8=(>VaUX4;@yq>VhTuuWeRFpoEE3E^JTv>)DIeM|&Gl?yDLIe<P!Qfr^n^4f3
zBV8O+FMB0a?X}YI@0fwZ_PQb!1m9S#Bo*Jhv3to*HCCO|{te-psLRqTH4+98Zz_K`
zyL}uUc2mcy7;9;#1Gx?{53JKjlJ7GoBdYAsMA!}A69Tjawm1v}+n=AUXDTD4Ka!Dp
zb#Mv>u2Msg<-aE1YAAjKMSAa9Sq92Q`0#MW0WW({ubBBMEX;X(zsdEWq2JgKX5tQC
z_+*bhH(ilp^t$2>SHMd9_|-djdtmA^YExd2b(61#VLuuC8ukn^;>+i|z3-T}Vi(<N
zq<$wV;ljR5%;D~yPVZy+epw^;u2A%fX+_A$+4<W4+;7iy^dM$1CAZ#Bn4zhnac>qj
zQfw~%HJ?(k=g@ND(7@zEkWPCXrDN{e?SK8wF0#MR7I<(S+b<q@VzkF6mr-1}Pu|Y9
zz+uV~{p}GYa#l*0IJq3#&^VEYnHm$w(uJ$J%F9p*q5$-SEnphY5mi<q!%APO&XyD(
z;0Hduf>CUx$hIn?vM2vsb{j#B+F#(JF~NWf{hxp<^V}qS@wWAW_^qVT-8c_$2kDib
zV)VM{w1u@s4q?0L4xlS*Q8B>xGgd$njN}nG6qhi;dx8B7Y=)OU&tn-<HG^F;(UmR8
zzHzx`3Bh<ZCB^LPoU8((e~|O(j=Pz*A`U8yRM(UOQ-0u?s&a7qPeMR#O*|bO5W|8W
zhPZJ<r-MzuXGjfRRg32eUL`8UZ*GRmwOOAx`eDk5Cb%ZpsqV@+uiockH1mC3gTGCf
zE7WS~k~$%2(iC}h@x|70SHyb;Yvrn8b@e4{`ir~xXAcV-kHofjEw3(*aaTwtI4s;>
zd&bF!<sHRpC9V8^$iDW%v9)14qF@^DPGoGYZ#7&bQI<mQ`8Rq61X=MR0E+%E?Aqgv
ze1@{)*X7Q|F-&WUy8~QU57b%WeO;+2J2fVw#3_ezUd9N+@Vwi@v!KbXX?LHSuX3WY
zq{9(ziDt;!YVlNB+=QmmQ^gSHB+fyg`KiR<F2E-u6vTL?ds>p=#ZBe~$>VO%L!e2o
z^*dW|JGbgo7JHMWvyzNo?q-BsQ<|{`pr{b8K-u@>npFx7M&b(}%6P%#dx1D>lIE5c
z;H)nffo5B%n(Kge;Zt1gQLDTuIhP<@`6gH6ux(mH_sZSqc=5YIa5Vn)R7dQ9jO&*7
z<?j0N7t5>(1E*tw75Xv3IeVz^uTt(7*HPgzp^Is?=BX=U%Vp27OWKJ~lmXhjy2mLe
zL`~Nn5zRu!{@K5FR<4_)<5?UZJv=w<J>5N5T^+BX%OfsZySU!_z3*13X*|pNucI$1
zOD3Y@A+AzDZO?{x6peSHz_lFm1C$5;)B4~7QuzbCBYuA$CtYX{LT|VjNvWxSj@8P)
zp?(Zt48gjgAAV;u$IAe?F`hr@s{tAN59Ysn{^%W!At*|%k={`GZpd2lWdFhJE>F^3
zo+8`xYuf9mAGRJ`w>9ap_znDmxUNz!#k<7CmR|#2C!^!Fvxt=iLGv}jG|{j<j6pvQ
z8mL7_98bB_TOjBGih<h_MCsJ+Q5U}1awsvS?3*TAnZn_$$>oAUBvf;Z!l_kkc%Rns
z-Vdw0!izZYWZ0)V)h+i<)9j{$T!Au$x;k2GVCrj!DA>3S4iERK4%U4Ti0NLnnGB6X
zd@L0N)#=pW3C~S2tLTRh4H$+NCq5z1M*J$VmAkv~irin}=z3TFoi4t@CrOA$d6zhM
zFq1yQEOE2a&XDXS@3J+`gV6SI?8&mf(e-V~xAmC(#I2ZEH8)qOV}1dK>HyXsunRM>
z807&UcHZ35XUc2|y{1SQNs!qB5|TGMgf?QuoAx!UDNnRWn$b!H6l<U0ogF`$;2iI>
zaXLMA4KZV+EwTc=TwwZnCPS<)y5jF)Xv`|p7`DEjj7ucWqQVCoZBgJ4z3D{_ML?;-
z^sU~8&1Qn?LnKaHONcudhIuWN*idnv?`Wl=SH3gCYC{B!zpUpU1Bb0o4;HTs>023i
zE?X{uBv2Z!V{&FNILJXEtYpObr(gJ$VrvzpH}xrjInHh>Igh4_EWzJc!E*^cOnF@J
zVaR(ZX9063Be_`ICE8g%#WXuqcSq@ToKA^yFU?<+Ju@jOHN1nZy<<#Fh<E?M%$d<U
zHC1LMW?06AGtBsopd{#I=AQbR$me_<<-liz;x|!pAB!`_T?U|!<-8KBnY>|@j3UpQ
z+?E!eh|Fd)K77)#&*{xUW#d>iWnFF`6;x}sERflGMqM__i^G2s?v0Q`Y941`XcN`~
z<mH~l0Gdp;rSq;zo6E8R{l;c<uAtjS<;B!U0_`(b{kv*`4PL!1W&E#8k|+EV?j@d)
zR`-&zFBkVXCX8pv3N9<-sdpbNKG-#8u#z%8^qJqaNak(cJ2kw^@>;2wWqh8$znJ6l
zHFwUoPT%NR(iP|BFXgXo=qz2A6w#{Q0@XsgfK$?__?R8AR|Tq!toIVM-NNfBOaVj&
zZ@MF~`l>|!G4j!9U|}qwmqftOYi0mqo%JV`AE1xzC6t~!&+{y{8z$54vrCtB_jLFS
zvguA*S=|Rnto+Jc=Dg1!nYbGzUSN#-1vcQC9szqVeGH#59eIKN0iT>^;A`u8g__!8
zu?fN~a_!ZuW=!fWViz)%Yvm-gN_}1%$7hjL3GNDl1o<Oaojv`6{A>p7#}=YlLY_aV
zr0V0-dN7GSj5wYuiSWJsK|G)IhcD9OeB3)^G0N$xNl4uPswDFNS0$~y(u7yn?vr`E
zw3S8rS|UXX(@JxqCP}}s-z)P80m)|r+Nfz7p!^H=!S9sY1_`V0)^ZXa?<;??L@%-8
zS}DysX2_O!M!ZWoh$<~BRAWA#R}t6Gtf)VCx)VPn40&C#bf>lM&i}DDv0;O_&z8Kl
z)T^->lRO!My$IGH0YTsf!yRCX@&{)XnR$#DzZ1?-<=El~fLrP{Zf8ln7yU4WdLr;|
zY2ZJV1|>WrP6)v3HQOk6M%I`>>Gv<gJo~RV)qLukOu~VT&L<?gUr*88GrOr^gG_?@
zGRcvjvjppnIERzZ$=3`T$fqK44BL7YW7g(t!f^Y+u<}UpeHAt@ELIa~PJ2<%q~w@D
zSCjscmjx!A0(;2a7c&B00xl#j;oFe#a}Vm*v;@v9_)j+`eEzcBMHouOwvN`zb=~&P
zb1!<sbnd=S_-kI$WJ}pg&Icpw?PF6%&@re(X*8;~6W9WWtc#wZb-EHOu0#*HqqW+B
zXRR5a6juB0687ie)NLlqJwuR%E+tB@KvB&~g>+(_Tu<)Jxy@Qj%#3#>wqjv<t>PY@
z$Ok>8+RwjD4HTB5baAMJLY-UFbp4kLB0MhN&e=G)lj_a|DbLvCeZx?HI|ID+2{hEX
z(V_;EiKz!7P5;y!%I=zpDAD35cyuB0`)Al`%q@&SKxn}oXrLD!hH|Fxzb)zBnG;p3
z793TP(yvg#v1~-chemEuY95xhq}eSL^OafoF~O4zVGacYF63uMB|kk2QIUbc{$c7v
z_r^1`CDf!;uycnxY(Hu^!}mqD?@fQ}W97L})$%Z2h*&V-cmh52Fq0YIxT#V#otgk}
zfJG)eo`;Z|R@+FTgHo7pE71wR{j8}5MW8Brn$@DQ@|RC4KI`a-&n_D-EgS9~pC0n!
zuGze9iPxJZPd%w{dkkTmiM&H}igG?Dag$4ydQ9>H&-y$`X)bydYSCUCz0ToPdoy}t
zA`j}!a+&vgd>|>e5E3`9FrE*J_RVi{(;1H)@Uaemd-7#m4h-yUNJw-_JKq%$=gm<P
zg+OMt9#7xsP@sc(zJBz!YZANLl+WfN0nc=EH63fJi|C37zoYEMPMir}-|xcFRMar|
z2ioKq@ayg3tX(3ud<erhFQri{UTq|SePLf;r4q}48d)p1(**GNp=OI=!mquo;~#Un
zLvYQ4`*P}bG=q)w^P}W@-xU*nmr{EH@=w@=5%#vu+z&j`{OqC4mvSgxbM}3;G<H7Z
z!tkK`X<lL37cU@T-RTI(Fv@=gtWXm4S}hTL$fU!<@1B=ZD~5{_+9!~-FS0b0t!a1c
z2;FUFyU|c?1p!;VYALKHgJ?^JP=1<(#y?R#XQfU36W5<EAg{#eognr68=R4TBfbpB
zSaV`am5fb;r&i3yfjv~HkDvP|bAc$;M}E_%H3gu#O4HynPDj75BtuL8V({TUzAnnC
zftu#!3T8(py-gw;&aIH0_HLiOS(n)dXP&gXwC8slO400<u~{*ja9G*>`Hy!{vcA^R
zgUsaL%u*eYW=!3wV$(h!(t|kVcF3vW-y|F^ysvTGBEB9_4ZmIsf(2JYm6hY|Fx6iR
zQ~kzX&pdpD$xu%;0H`)oA~~bnj6qtW$HT8>M+P19d2YpZ8tNu%9GXvMSG{%i6FA3r
z@%ZmILp^m~(7+R7TLg)=+@jiuQ?Y(+u&Fx!>b2+PAL^X$X8hxdYrkOb@v_f;b~7D!
zfU^o=h+z@<aj+vxkK=ar3m07S%jDb45ghbN?S?!_kp=j%v+TT}jX=i05@HEI{fEXe
z7dq2$1v)OZ5j3J7eE1a!OR@@~yXmD9UsNY~z^#qTEo?Mh^+<|RFPK__S-=TkY=yp`
zSX`13dzox|mDJwR<8hRxk!%o)6W(e(Fh&d83O{>;2Yt}JXn{-bV~flSg|^mTsCH1Q
zUuJ3v52oGWowft}?<aG<9W=J+`fOVbzMQ3_5{@+s_pvMSbfZ%Ha?cqX^1%|TYlfSa
z71%gC2?eZqE3(S$(cl2dy15Q(Jh<C2C)7euZRiZqYEWkK5a7Gt-zM!KvTkT~MF7yd
zsQ{~LB|iwRT>{T3p%<9^d$-}Xz17^IK&KOO$r9oiGFv_5^^2U1N_#ekg0=$GzA%*(
zkv+gk^AS`t^z@F$!UeG}i|vD0c<P268JP~grmS5!h}qyej*vA&GbNBb`~y$=d{yC{
zMLOL8Cq21MG8KZtZD<YtI>{SLx`j3PfTTo6nC+rSLrHU6>))?tKS%K9?3BeA+Jt?w
zlt)iF&Rc(4@l)ryvJHah>lAn^bIJn-iH=UvuCPx)*s2fllqJqE%Ryw&1w0SoBu%Hn
zCpWR_7(E7SOe%=OYa(}38dgU$fEVSfTFIElDPDhw@&^<e)P8c>+^(pGy-Jn0H#hwr
zuaD*5bg@bi<dL@eyo*;re6ztIqC?HA!crE4aS+`LmG6U`8vFy=_6w-CG9F5xU^zPC
zxdi}l%huH?@#IziJ8Ji>chOw4#L-&soGk++R9R{*_&?g}v9N*Xkqx$!)r|d0FGk4=
zBw=5`Av0RNv#rb+6%G~`n>YWC^mw=<S%ef+dAVBL(|o;=-{sGpMh?)cGEn<$^Y<K?
zHK|bKZ=p4tC?^>n{ZVL@hf~AH_Ti|v))v?=_TonBx}Aj?-%q6><kDGcVxBo4#K6{~
z+PU;;;!|yu<DB))aveNKt=|X2hNa^Z))v+kYdzbBNVuSSHn6x<Vl_)6JT2M<Y;5<P
zirWpkx{v@QO_)Q)y5%gGHwN|<I8-{zYJku>x5gc1dvSREy1Twyja}lV?K$n5F3ULg
z#%?jn_3BFMZs-?{jY~$6`4$7mXmRIwLhFAqdy@kxgh~EgOB~0bo<g-_xUjupTTn-U
z-2PFVb2a)id1y+Ntu|}{inDE!AW-_=<_1SBhy=0S*Ty+({ql9`1t$6-aox$)+lLy*
z{Bu`95lS2C1=xc*jJA<Z`hlK%iNMqHC74k~tuQiWka0R(=tMPxGG%pl#Ph(o)&iO{
z>5i?_F>Gz%0xl}ouow6l$tUNf$grLl0-90&;y1jITDXkizM~c2Zo#+{rs@q74^lkV
z*oQr+pV?SrwM>j>>;%MjoZoQ!quXX^6@O30H()lZ_b*LHJvN|{{v#WP8>ex!b4VCe
zNM;E;cfzfUd$vEi^^d48#M+u+QdwB|o4*nv+wVow`T14r8ZZ_l;@2ILxg4BDa1*R$
z+<b&@ndN6psy7|bf%I*aoVNHyOxu}oFx66YsSuHS21_rd2U)LR{|Ia~4^Ux0fdF`>
zk5~<AFBqvjrGf>TG>dir=wOQf(7`u9Km_>DY0L24zIGFRZ_X)Di`)}N<$v1C+a@5P
zJSalM7ahyt$^pc1Sif~RArN2Z{E2?G-3-Uupdo15>Q>Dsm(ZFBY$9N}W%~4C;~(tl
zYln~EP>XJ_2QiSNr~U|AH+jKslK<musO!sd583jYSD^V<HbmU|^Zs9l(YRuwuFwW)
zUg^?=3T<t+#weQ$@JdJ1A@<lu;=tfX_XmDnjjQcQ?<Xqex&ES$aNwg@*gc7)oei)L
zi5M7Gt~<0w4OdUdV1`O6vW}aUin63W))zsC!KZ{%EZi&ejv85#r!k5iY%{p)ZKha_
zBJO=ImdZDTYXfO)HV>5^N1qm=X*V?y806pT5oc{cct;~7+5bAJn+0OnTMj{j+vvWR
zR|628m8?qwkW6p@CtrHJ!>2CxVy=Xex|*Fwv^{z-D*(D115CBb$yl@|I3kqHbW6N>
z+UPSd<+^tAe^#z)!tX<9Z9CE5kANlf4=AdGQ>W70z&GV8O`C7-1x6yBIL5o;l-&}$
zU2Ci9$xE}t1-DH{V?Mb$)}|Us<E7_7iRHIpXN)tG_p*|h_CtN8u;Ke4jhbylP@nY3
zw1D<%D^Opf;kvJ19I=5(;sY0I%sQThz71-r3MM`y<^ejywd;k3n?R7vG&P?Bf~b?4
zRmdlE3j>5#B6$qlUbo8TFF%-qL?i$mX+9w1)Qm1jB^pP)Hy0exS-f%a>qS3KoHJB;
zyo`SPLo?{!bWZ?NgryT#6&BqAZZ<gK#ALLe@K+9F#E_>P!wQyTw4c5>y!7J7SuFwJ
zOc(fXe6pM+Zj`?TA^s3o#Qi%E$+OJ#JO-09<D;+L=xX>CzB`{4XFI*_J#=0ZBk^%W
zVaZ*p4U*HFxT5%qXT82*2UAZeb^3f%PV&2@M4Q!i<D9c^jvA@7P1$66{5-y(IFDL8
zy-+86V+8c(giFTYc7(Aa6E=($Rr-ZFFo|hJP_;)Tt=D>Z(6LGCrByBeu8Ot`+nR5v
zKXD??aUA6bZ*tI2#9QNjI@C}GbFEXSuaKBHl7~pPzl~faUJ*^bKbEt*V8=<{X<cQv
zxDJy7&sYy45nj2DPmz=AT^W6qfBudSU5@T09rlj5RFQ4R*%~!0MHnx}h$s=DWffZ(
zU%`cY$`^L1Ie;cj<YEM{tRSEm)}}AGJg`{)+9&w`YM(?dwgC~-DgQt)!w4?9vn0+O
z=*yo2@l!<DbZO2*Xg#Pm)y3^Rn1c@BlKIwy;p0KhRy|T1YyD}r&8P6l+%#@0lA2&w
z-9#WlbZ0MlEZ&f{ruZAG_c~t3%6PzM`00Za&A#GK%|&g2)E-8F-Twmt_QD9z9XQKh
z(XHn0`}PBw)OZP@=pWz}PAprdLbL`j;eAT=km^@;)Tr5V4SaTt1>1dJ+Xp`Z&viDf
zRD8t?bLbQo{uVHzU`9_eMr$_AuQ<?B)o;G7%P{FeqW_QE0i5>0gn3LQs@eZ+c)CT$
zwul>T7C?5l@Y7}+rI$}#cI}72iyWTd^E#WUOqxj4RjWSM#P{kUMWZDAr7r_v67i+%
zp40aa%7Ro{Iz#RV@P(nHHk|B3$Og}B&-wR@*Hv%>#B{f<Mq|ccCcnaQ7UK`JV1e<!
zLCX%-a1-6dwsJHs@kC6`J2!(Gd$}wcyCp6zGpIHj`w>=-c_#6wm#IZbE(Ey_(at;K
z<o<@o>poqzRGfE&df~t+A-&!9riI=+gTdhrC<#x*Cj86)M0ck1!Owi0jLeP~0b#@Y
zq2yZ!A=f^k2mLO2nETapE_^gNoi0q;F(1R&n?q1gs+NINk%yRr5Xc7Jj``s;O`J8|
zDt#zIC90)tGUQVob)cXb(r8>7qf?f1EwW)M2TIy0Nc<mkO@|E(K9Wj%HC4M0S4kU-
zDd$1$mJ&><HPu2thqu6#R-osKha!u_jiA@?7HZ5(J(8e)yY3N<QZyDi-Y(3fa^L>6
znT**ygfljrl`}?Xb|qOVl-Qg2-RPlkh~v`d-^vNKpU78qZDDa_na<@+8cE_mSd;hq
z+iY)5LJ?6mOkO15LZDiTj=k|oo57goY-8)Pc7Y~(pu3$SXT$eHK~SweORB4_Oqv?+
z*+J;g`<)37sQ8g){F-H|&Rj+*12;@(bH_qp%tl3NOghnNC1SbeWNtuh_Z7^}GRGAk
z)V0?9&vqrI(Tnm2g!wvi!_#ayhW`_XksDRu+~Xezn-b5@PEs{Q3P%hPXP2c8d$GJc
zXeHi&Aq`qN^RYFYcZI1lLx%$TjJZlID#%p(t6`n?^{E@h<oY*IrkhxKb@BnP;Wb=O
zQ_g3iO_~`+MX`5pJ41#iI2<y~?aQcCGnjKNQktt7wlumBwb_T8K{Q*1!Z4dHNqx~;
zd6rG5><5F|i&OL=iTnGzg{Fm-KXb~~M}lN~(y5Q3Etlud|3FQ?$JtVE-x5#ikE|0a
zAx)Ao>8jP}c?xJT$oZ+4wA&O?1xWBe!>BB~FK1lC79>p9Uf&st3BlA;k;FcZ8a5!!
zj?>8mAKU@9hPw!l-Sx^y=b~Vcqq8L`cK|_fYvJ8#;i*|;-)}Q+J|IYa5qN5)FDgU5
zK`r5gi0|+(Sd`$jyDP%6;RxP|16pC%JH`&L?t=wk_s-L*4kHEH+C$gT55lNlTMrrg
ziIisbGrT+F#PSj}n1ow(U*ar7T|ZdkOr+)iX$L{1slnybs<QaT-YN}-;^x4bs0B|U
z&z_hchLoqUe1-x(PQM`gd&>8#jdr?+_P+c_!Ap<4ax{4~`(YCrT-GLvhJPDr`2OEU
z>K^sBh}6oQ?T*0?FPjSLq;`Qmhxwu_4BvRABierasIjN@T)(>2R8UQjA&AXNdjZ*C
z+{L=?aM@A-b?Af(btlRFR#rMI4c!`UZIT;h3U1Zc2LGOw`yj1m)(mUE*Hk+^7N;M@
z%8-TyjxvE?U&pfNP`&So+hm>ogWCevqk8M!0$S>aF(_WNhk|gA7JCs%vcfYduu(dF
z2?4>2wLZ!nw@9EY?H{0)_Ie`P(s5lhKuLWswsOz`B@A~~1(JHft>GTNg{WF^2z}bV
z=`d1T(6jCJ=N8-x)Hi3F!|L0H!Y(}9eHg0$xri9bPcKYkq42du36I6shf%?uxrPbb
zkY_k*o9l9VI`55Sz_ax;dBHqayHgTu`HgOrZscA29Ei?4BjBn0HJR-92>jDKHIDk*
zH$r=m$4fKhg^5LO4n8l2&>FVlPTt)QL|s;@9!OfobnExYF-N3k|Dv|}|IgI6M-9r7
z3C!?r?ELCb;=bwQOs*4S1~a;Bw5-9J*$z@vq1#UZWb4~NMjlJl+b;>o$zTrCxyoRG
zvq?Zc6Cmnl=9D@Ro)b0jdRq5K>ennIm553QeePrf&L6~3us-A~c#FwC{kb+n_~k4#
zgMF{^gOSZs*4PqYuGEbxrKnCUyu&<u8YYj>LzE_$e<1S0RS-7QaO(D1Adh{i_FJ$-
zaFjem^V7PMv1jtpcx^;fRHO8?VX;R#UHl<#olLQu48G}+23-|wYztX~<uq__lyn<z
z@*NbJY$y02i2(D2D}8)fTyEEn<`9;r@KI=##aRI7Vvr7<SK5l7|3^%c`BITS3-}3T
zwr84mw#<3bMG9kNiYQ(uUzAR3hD&WnbrX4tNdF<XZ14A_h_ma1f-Dw=f=|>Y9{fL1
z8|<Xc4fXAZF}=dp3FNeap%;JB@~aHhQ<rQk5Ju90<?M(H^zB5kMEbhsC>eQS*xMOI
zK%Jg)*c0eF(tx}UY-~m)S*>bxu<1S@Sqe<g2S*o94WDfuut(BPAfFMz6e!%gq91@Q
zZO6n=F#%Jl5q5WTrFS7pPfsm`>F`O0-b=*9fU%8t{*h;f-K;;Jc<rFxg+{Zvf)en2
z{`=*K*Tr&}(3V{~(y@F8om0KEL%q0VEu;TGPW4B_e>hbMl+hmE*%MU@U~hMk02%SF
zGo#y#E;2S+Wf_=SlBA1hdOYM8jq4mTqnYM&MeKo7Vfg>QNo`5EgNrk-p?AwoF2ej?
z^#B%}%wMtC(!8QF$!%Wa)T#>SP=Cf)KduOiO>$DF1oU8m-t5q^*J0}2oX(8%F-h$m
zW&}cukhe;xi~@GgD()##3X&SH-z|e2ov#!*$UwS|p?9%F)`XkjqSNW+-z3)IOkoA8
zI-Bd*$pAM<chJNTM`N)Q?2e*UFW#_8bTMd+-QCLdK3EBt-QG*poHW)qY533R2VU=_
z^h+Gk1p7-@F!|coLf(!su9|WITcz1-2jOt@8`L1bz#aN(JnaaUgHq_%y~boTy!ZuK
zDUBC=FtN`v$c5$f8-Py?yCQn|m&ssZH*C40BsvwY0-QmEHWcJ!h!mL3Tb8AUZV0TU
zHqCK)7;f$eihjMyw85sTPt_!)S;n$|qwB76Odvol4bqB2b(jk8V-;k_9YiLE)n9u{
z>2~vaBbgcuYGr-`0e&me&dh0>&!`8yr{i%rWu^)E-z~%#q_oN5!9^GS$g{D2L9LYn
zo6tZVxuyDFd&9Ivgv5?Fq><!|#zFu)KS)cPsKR2;k7Z>lFbC!N+ErnI9meLfYwzRb
zf#k-@GR|mz;l%a@qE)+)Q7g_om>qCJdWARYxHtbz++r8}wI&Rh5oKTcJs%Uep2vt%
z_2mh5)C3R3Y#|Yd^P13))SWrk_5UO4pz%zYb8$&HARQw8XSk@4rvxwch>}Wv<jE4`
z1<?-=&GVE!1$VFjuI`x#q6!VBs(h(xhI`h+!7b7z`av&`=>nl^KoD9N;Vgz^)?~eR
zu(^q>WAp&*LgUa){w%DCRvpZ3Nb#Rb{=BUnwW{)UG{Z6~nr7zZY8iQ^y4U=?#xs>P
zmz&IoDF5xs**y1EMNP4(OBLci_jL41rZD4Sb+zX%oJ3V#fQ}+ZI3M}s;0=QuqHwOV
z<>G$M`>LPJ3G<jet>9NMpA}fdP^NdU%2)8QZa2M>dOX^E{S3$EWjw5<!e#z#sV<8l
zoE7RBF!)9G3V4#yEWO&+4H5@el<Gw_Od7$Ag2aCqg%97e8~%?x=QrB^hv^&z%guwO
z%y{wM5RSkCkNe1KMTBM1_U<tH9i*37V8|<}79zxVY9nTWTEiMl{5YYSPlFL(W1|Y=
zMt#v52PflAHyMC&tvU8A@qp}5hXy|QRDVak@v&-@v~&;LSNdh$cBVi`8v2p1eHE-#
zg^Y0G?_7v#v&m}@fA4i!8IS<PY&6_yj-K;xcXHS*nwfC9ziE!zP`@m}qaa4Z?#!KL
zWGb-}z;hJpt3!8vkyNKz&L1_Ni`E3YOuY?euW5UdcHXeMm1LOW;?w`&g<GQ^u1jrW
zs?&<6mCYTphS>Tz9dBRLUXKo&C05h3+u078z-7v<*<pA-(V$>n<<|ZyNuFFT4M0OX
zs{w=EV04bV-LfYaOJ_$7TT)Syfk0qmN9+i7SivQT>|QL;e!R>M)JamG9Y(QCoZ7<M
zF8|7X<th$yjJ7}SPrr?7&av3Fw0PqgN@GTk*g2@n5ZG-sgkwO^RUAyM6H_oRD)upr
zJM>;%4ng55rqg}@B=T@$Y@Y@qQY3jFwe$H8glpz5FnS4RqiuV+?!V?f_RJGZToh@b
z7fy*r0ZrG7(P1{#WR4^8g*FV8&$q_vJIu>XqMh@pxsM4zYEjX{Ki!%40JYV#FpIiB
ziFjEPqksiV%hdm(v0=T+4EcLLwd;L?QNc)X`ih*1fceIp>k|)tghz}T)H^G$*;T1v
zN1pWJq|uwreg2!lq}pLfhi`0&%kOPHY9SWqNFwc<)}Getz7D7svvNlPs`O^YL3qCp
z#f4335V);W537+~42DLUf1$Cg2V2mZnptSv^2xhmzK<`3hYSC!@Bjyy^?xAQoSA@@
znB$@EwJY&Gn=&=Jy#&(02^T)bD(6=z4bT87E|U=H!q%Z_a}6-yyT52uYcRD(4V1#K
zwcniw`F{=mONbqO5*Q@*{@C>d{Ui9SuJQ#xIyQtyn$2%UG{0$*7YRuhA;V}<23EgI
z9D4s1fz~@W&H#c!nq&ltfl|~V3f!7lIJ3_q9xqJfctTQ{wv_QCWpIRWSYVsbg@CA<
zPi|J4FZg(GH-YkVdurYo%{o63PkXD!o$%hHkC5IHS}28|Et3y>=cjfo5Pdc|AD7mZ
z0KH^gu^J`>SHRZahkBH5IBQ#q;@V(bXm(wm4I{(Sd#5bZ@<H)Ca6~~zsZu)1^A|7|
zW{)~%^_A^%?OXq{^aB8<6FrvqpJbjGq-Q-c&WCNTz}S$-uVNb+jsj&UED4^q6O>>+
zZ+V2*KD?mH3TMVyDfZj|wSp+voO{~pc^tWH#>ef>Y4nZ*cOEm;Y+=n1f`l>Dno(}w
zmu-Qr+I;1(7ecQi?}#syaVuDhJ{6Khn(y@rI^g%#(sY*_t*VFZLG^mC!d844XHVlx
zG^^r4={(ul2U)|b&Z1J5{D87j_rA}ef)sEMrJJe<5zS}X8Go1%hP_U^n2b%O2=_tI
zvLa_641HXlUrGn4>KHaH_>oYFk{UJ)EGHmXD>L6<o!E!MayHi})7o4N20$<2Eb}pm
zgI57zIyGJ33Nk0~PLf4|v07-Z^XN9ULkeew6=8g$!<g|iO*hzpK@1=#C9Y26gnnTc
z=LUv&7S`Ux$8?{$^*8TG@ucd^+oyW}lb<ZTBYJfqfB<XE=#Yj8`%*nK-ujC{X)D;4
za+7+~rEnWfU@<0xASMRe-&rv%<(y_-C?;6zG1G)|GWNf1|7O^s(iC8^vbIK=gY=>P
z8;TzK7HoS_fPU&ZdGc9<?yYXv2+Az|8TV~T`fuat--GS`g{Y}31z0Fg)jE`%hk#I?
z()4Q6of4cuDrn<gOC|~od?Lb)*rpRUFDU>c5+_%;oeXWVIyW>mID^*Ymr??}DsH**
zSCBFs(GIV`t-==Xe6RESHQ?YIT-IGI0p2i%gZdB3T{<4Dbq-rvX}pAe&p(F<RJ`Ek
zUoufqq-YLHj?2)RH$sh02UlPsgY1Qy=R3!D_GtE0GMbgM&($`D@%wWXpzAtq<|5Rh
z^@J7{sIIH6!6b;2e*%=hE~E9_Nm@J8!*m5_)D_u)JQ$5Y$$~XPN_`R&#!XP|aQ|6$
zxZw=89y~E31Pr&yuu~gqZKzz&4q9P-Xm@*=qA?l;6Y&y`SZ3;`iIeZ=zin9(_|%p`
zkA`nPwW@U|eeUpfVD*%0uhluQ!Q}kmSXs>$BHD6|TDo5HLAU3Xh21P>>Pk3#>QO_i
z97=XlUAe={sYgL+uufn8IqARCUZ>*6=gv$4=Yz>4qevqJ3o4&YACwZ%^Imz-*oCVB
zHla`#I&y|NWIW|(n3;9E0@-1$Rjlbh*mw$}?^RFrj!--etu0^<gYnsq<+A+qO>e_^
z%(4@mx<01iDe1`^=FBT&BGJis{w$zQgUI?Is*(kf2fgyz=s#8#mFuKnXbzsNymSc*
zgLbI5xu;Xd(X6a+QfdgpLXAEAyKuo1&<b?HthL=7Pwh7u4X1(#O{;^OBTnZ@`yD;e
z-1;Bg_upvlHEc;WMK?aVLSx>~*Z_}G?6ByMM(!1z5cMvUeT#XcffgGjwN7hM?gN$%
z;KMr+%J<C}i;f`NJ57zK<85$Eu%jcaUjB#JP?<FLVmI-q?^DEVO^WFZ5UQ(KH*aRQ
z^fz1Lzo)6&`gtD%cUmWh*9?e|`?qqUYD2kvw3{cOEXIbQ58L_~NdXz1!UlBYnhd2!
z<@X=?FQkAI^uwp6-?=`;Q7)l#bB78z8j54WTL(&5xOZMYwNNob=SG@5!<H%s(yoSB
zNi>on2n*OasB6;<^i!t=5$sw|pa9UpWF40y?kov2hA<GOKhIdi!$WA`3ZnPQ)3=iZ
zxLd?TbsR;{dRtWdAjT9ZC7l}{7y{;KKtS-;kxQ_OOr?Gq``(;y9{ER;x#p#hWPf8y
z>ZDIAfpGzqdcFCn<uyeZ4|+THA3{4FcYkg1>&SEx&dR(@h=P7PA8pr?Jmnexbo3WN
zZ<Tp-bH^^zumv)2n$-_FDqI<^v`FtUP`@!1*29*b<e@jMt*ie=X&swtEt^Dd<3ub?
zY%ZYd^as3Arv&LgMkKifNpC^#G&KGlUB&LC*fPr9E-QAl&k9k2eUEPOZX`KBX|?ZV
zWj4G7%?w=s7h~_?%?A9vkK22dYG|yYv{kEGqX?=kZIy0YY*o8PjEJIWYt!1Ks;#z0
zj9Lj|?^SAxO%RDKi3s2H{TaXS`JMAS=l36E+}CrTd+&3fJDk;bb+fwfe=3XQHFgcp
z{r52+3=%}{*1V#H*;hyFQAf8Xj*X6OV5{&iqlBw5*UEy<w(gl>^TMMU?JSs^^vnwG
z(9!KqGojy3cE0-Kz<>e<1WWgE&I*$0D}HO2AxxDdO5x^e)8SQI%t5~Y%CT0*;DATw
z|D2st(T2U_SKL8m3Yj9hn=iNFMP`wEw!FKvZX%U`yNF-mzhdpC$)r(2+u$)j#{jmY
z^~3FACz~o&);Iey-FKf{_|xyrQKnA07nAhl(}}vmnf-PJ6PDiRDWBfBU+q<IOqtP8
z29j64UfNlx)6CeruM!C{7rK-hqcF_hvu3w`*P--HkdsoHug{AkAC5iRPh^%^R*m`(
za%tR7S8A<<^+IpK+~xX;`8rKRwi0v{fP%Z=)62VJn@Ppk))?O2I>Gl`3`(x=G<LLK
zY;Nr=b)sSiLV}625Av`ryqvQKkeLzciQsrJP_~@((dK6i_Dow`YlM9|{=arFo?NuO
z8dK8rhM6ZZm6mNi*go@^hwF0Ct7kZo5bpYc+_L`xyHDM;lg-Mvt_ZL#+~6+MoqCB9
zmiS=RZky|J7z}Iv(Sr2(lUu*ZXCat&A?bUqN1kn_@Gxy!9uVo_ooDGhIzI7D@EXDC
z`)@Ht=8Vg1pFD(*CmRgx;u*H}-5ooexwZT-sgp4CBtJR}b6kP}yT2>L5e@rTc>EoH
z8H=3_FrS>>HnUST$a|;eaPA`)cE(U|ks-pX=U0jNHC+F{Q0=poZU4VQ)lPCm_jRm}
zA=trQ_36Vg4~^E<Aj{~j!E<_;<DiH1zpKP&Xq4vi#M%6pIlj1a{I~>xax1mzcO94e
zoId@3#c8Kg<SmLxNRKeacR-^^lRWW<P$u#&>#)2t5kdr!yovpqTLeP-A!$c|KuFMs
zMj9}~K2T<S^M<KIa^UMco2#fT9O$SDhotR+eN=sUckfHnf56m|%hPqa1@PCyfpnOB
zIh<j(?!9ncXI30mR~^AHFTqvD_J8em8QDTwjT7GnHKQbTbknL?4-Yt4+7483&YERu
z`4V29w62zOh7m98f2>)0@EK{Z?e^?O4>)!E5|#4v{uAO`R9c8@c)|Ij5;N*HGJuuw
zZP|^S_Xn`fnSz`?$|Jw3gc;fQ4cySm81;_0NyK$cy$eq;K30-%Px&Y8?VmuM596JL
zJJlFVzfN=^_+y2QNQ)8Jloj*&(z8YkTNO#!9yFfl29vjz)++6&zb4eX)AjJ2@dEf(
z4Cd%->-YWX$WL&7mpolT>lUuTBl$gca(Ri8ivD)JwnDZ9ASc9_Sbzw<M?_-t=5j-)
zE?06P-|ylnVw<J42bvgh8-IPsN`FlN&5Wh%w@>qY<r=hoXI?#oRNh$;Nh@U#ylnq)
zSQ<6jpS#p44hU<Q{*GSi;9Q;ZUKoAvVKemCE<IwK{l~K>4Dn-9i7}nsuRp2=mg~Qe
zV7Nuc<1Bn4H_d0$%6`uINqLY{g&@H&E~$s<R^Y?d%SozJo-FSqO_j~CnQ7Q`_hCCs
z?V7Po09#2``h|+1Hj!-EcNYl<hJz0FL2=F(dkgff^`6#_6tNL@W${<>MtUL>X+C+*
z{~#KA_eIe}S6u&j$8j1)hiqy6ce$fI(wM}Q>Th)go$qNh+8x=VAQu7@lk2-3#4oUu
z>X6swtq^f`p?+1uc~q74WwQ%RwmYKI>5H<(>a|?fU!qH&FYDWguFy~#1`tS<MwVZ-
zd7s+NA)>k~*HwGvE%rdSPj*5jbG|=|D6BwYl^=8q?BTNNMP``Nuv+-lwGU63VjRN4
zjc!Um{q0}&AG+z@iL72`vQEv6!lY$(@<onwr_`WHUkK=vym5b*9O#ql3unkb`c>es
zks*zgMNTCAwCfuN4#NXq8+0eXG;)jdudOKchqaF<vgPi5R6zl9Pp_xb>=|Z8F|Ru@
zo|SEv?V})fDJBE;lgXcc)BchPWvxWP!<V#v(LadK$dIIIZ9F2tEt?KiYs%pmn!J~P
zm3iyKF`fC;hQ_z~6<t^4fzQ8szM9c3`7c+DkH<ft&vy(~e<r$rO}2`r1ZhGtL_Hr@
zr1QB?m+V<;&pi+s+LQ|UV6>-yabGneMJzdJ;g`zc|KhxJ(02*Cf4bf0ZmEnaE9(U_
zPn$L#ro{Oet!WH%JrX?88&P~GQuZ329L*LyJl}0wr`6ig_3u&CB;UQBL%tw9_3}|j
z<bbFGLsmTPWgHqw3TH40aChHr$*;ceu|5ySTzMy!z}4|ub?Bynv0WZ_3J-4gIq?O|
z4wH1-on1u>S3`@f!Pj=q(Ms5UOGDY47>S@0GB!YmI-urPnD;SE1GyI-gG9_gvndHF
zw|?ERQ-^QcaY{U3wd{R?c06QVS<(x`e@d^te%e`xo}l8U8>Ol=#tK*Nz2~z7gv?5Y
zSN**&p=Fct%ucLHGUtLhjp#<xZ6pb@edT)-X&!yrqxyE-J0dFcnY&G<dz2=>)Yog_
zd^RKA9AD$Bv+2KdJ?Elv6fhRxrTf2+;6p#3O=*hp9#ikvq`c0yU7`N_X$CRKi0|Ho
zre|h)ja-ve-K?9<U7d0YCmY1s-Qwi9GFvq{K8j~rABm+VrSgcB+pI2?uQ?(AU#!<X
z;pQ2yj;oi12kMd~b4<OSNM)G2sqkliOJlnIhwEPBm51~hKOXd4ZMs_c?dqiJRT$4p
zkaEsd88`Mg-+O)9f7KB4cVQRirb6?^8I|Ee5~-Kfr+4e43yr=`{I$2yIMbWmwA7r_
zVs&^gM*YzE>VGJ(*ch$D{`kM6zKqLDU`WxP`e(e}v087p4(NqHA!XrEUUL*(2tl~e
z9}D*nhWybm!P^`Z`=V4<JX1}q!h9jv1|puIz@ML}55QOVc*KcuAb`?^xv%dNtFhW4
zOi(LOaBA@Kpe4u8A<r|m))%g}oaK0K#@rju#iD_7`uv<LO-1Rd7CY#FsB{Ut@Hw-h
zc{N4}x9k^#mzfn=r;^J5)olwNtYZvg|Nlb2EwoAC&^X!7@aNI`OKov3`28=Ee=kX8
z3ffId*&iyu5&7+HA;ZTsX|4Nnw7LK6*-q6bm20E%+@BnA#>r>*-BYC<L@pc6<uMuE
zBn3t_D98Ty6X1h|Wbn_Fz3klaaIu$qBQ9${neeJ~w667zZt9Lz#Y~RjRr*xhFBc}w
zjz8DX9s$2nqcCk5TcU`y7k0Z!tWYUEbU6R~r)v@`fH7`E`~MVf+_;WVnvmlk*PdNu
z=al}#^x13MMCV|curj!*Bg1fCJPDja#)?yoh#62o*9BsK@lhyH7Fl4B=;s0t3MPJ!
z%^L~DPtTo!Fz9a&U8$b^_C*KN3!n)uHCKb*?k#Xw|GHDUjnaLF5RdwkngV-v37bEM
z`r@-OSbvZXJNv*0^Y|$6PeCGRtl_wB&`(^C;lyFFurX1mbnfx6j-SeXG?S_LVf}&l
z^kXROE9}UOrr%C!Ige8>{j^7~Af$O@0W7IWcy}4q$R#;*iKFw+VEk<!I-Ung7^|L)
z+LK>Pb#yU}RYHC#I@b~-zRd;s-WuDp`^mh@lrgK$JhgK!E3w<^7oy{mOL$V@GM@;w
zHnXCM=C3$YyByf09;7vvaR%T<2})PC&E?7Yn314&FZzbdRqN~?y+kk98U3JIv&SNW
zR(YoWWgVji=fg&W1m1+3KmO)0rqMPbn6>iZ=a^oU|I!!Dpveorkv=63Wt$i+J)2<D
z56z!el(RlvP2}-sewg1Yio4Hy?rXn=sdtBRWaF@-Ib}Da$c!;*c04FmqrO0woID9~
zPvz-)K9=A=QtqQr;N?6dq(*;YCi3@<T1Mx#jkZwk7>&Y-g_|3;Rk|hgc@My8Su8m9
zJiP&?HOpXTyofpD(rTxa;rHcB%g1YPUHFyOlMKrS;_l7=a29B}_oO0CFOeNqe5s$q
zbRbF5YdIbMqc8P8=`6b0asN4=&O}FWN{~(KQ<=I?vH!_t8oTz=g>1iu;cY2AvD^6g
z|9#cQkN)>ni(e?C`|R~$;O4<cLR@NeVieo+(8$vhMX(%DI<fbA*YB9b&~Qyc9XjOH
z3GDB6Xz$f>{qSc+=59x99;RU@Vh>f=n|tYq<>{Py7%q>3e1JgJp^iH&ks*YzCXf2h
zw-y#Ss85Q#4vlpV{t~_o!tN5su-Zka?ae|iuWe($qvX$nJ)+9+6qHS)Ji4cHA9I-s
z#4cfcmwVm7<jp<gxHeXcxKd^Cwq{B!2|QM}I1TYj58WFhWO-p`wIzXu7U<ZETeQ=a
z={=mNpF>`O17ytlZm+Iv{>y7`bf`!1nDG@(FHE+DgYMBPSrNV1j?pNDZ+HuC0e3Mn
z;^>W|$=JJZ-A-z3pmvaQ?-xPmq(1sRy+6loBR!YC+v5T%2q}SHM$EE*-OKkaL5qBa
zFo&8qz9lNuxf!apw8Ze>DK>{K1Sok{(0X|nH-r)Ig8YF}211bft#{e&_a7em<^=>0
zO99qv&wAFsqX>AA%t_B<6V*<q%K17I9aKo6Hz0m`h%_WP{?Eecgs}hAm@s=3!AU!G
zdRiwnh?oryAu1|1^z}3D?kh&!un>QWzY#MqUb#|QsMZr4Skkv5EDOI1s!*0B5OsE6
zLhzyxfAH~`2WB)PWRS{RS5<uJJY^MNGtsa%Qz?p=UU~3A2iiXRYQyFtgrnhU;QG-p
zcaDJ*#yXT@je$d{(FC_As1vY@teAq~i8|;StBEF#OU(oU9aBMa<^?-Lrpg^W8~?(v
zk-T*pq-FoP%|vz!wI;nHoxu`cVv9>2Zgp=o0)iAlBVqd_BqcuvHQ0TAG|M`SBI?=q
zZuAA#ATiR^hO|lO2Y`w~8vnB6_HD@gtAh_Vv7SdSAR~ClO;~-Yu!{_CNLf^ApqIXP
zz|y+)=IQYxOgJ>7{@HtaBc9@RGa0$-z$sckpzh*GYyQUPbd8_>Msf^ef|rUdOzCdj
zfAd-Ax9<(NGKFBQ>~OAR0$Eq5#&d%}wkJK~7t9yCZ)nOsDoxV?+^07~JH<FLz^uNi
zMP^^Vl;rW%IT@!~IvuCpVU|*f04OIV#qJlH=9ho|2x7`5%ZfUmx%h#G`4-STuCxbb
zMQxXwxnl!Fz=GFU*hoH-Y4J(cKl}*ZO0J;12WgPz_P%E6jF*OETzMZ~{FKL>O-@ob
z8y6*-8#jH-(uk_tOy&8ODc61(UFP}boaMi2z{5<9P-&Hsd7&?8@7xnJiTB2gfqnbj
z-#|N$9?voccWSs#ZDg0X#$dg^hKM(WEZ-(71nE<kyn^pQ^4t^NCZ>01A8dV68yfEh
zWS=C8pIQ-DfS$sq?b*C5N&_1>miLY3$01vR){t(MfpROPT5t9=`T&{kf4V_4j|F*?
z$7gC=IO`gHw9IE;p1dPbx8)QF#-G&6#+Iro$U8MQd&2}`Bh;Vh2CuEBD9#>j5GXeL
z^@Ojs4hshWt;!KuoyLnmI%M6Ksw%OYX|Z{Se+d-u?(rY!mVTmN`kbE|WRQ`U!z+*G
zeGgw7_{d!fhf;9J!XAunAatz<0SS9Os@8T|7NQT0CLK=z!IKSJDOmr`IJG%N&8>Az
zh$9y=c?TV~u}gS5K0Ch}Xl3ZBEwXXa^T1}p+UQ0jHJla63&R@k9DrNaEP`i81~yJQ
ziohKAF?gcR1T}LW3HMH8zCr~10a!ptdVez#6*5OjBU~KZ-f|yCseepNm_)SJ%OHJ-
z4qkyyM8+qbBQN*7q@`NioESF|q2m`Z9xXU9ly=*$Ge%K-j2~?<wwmq4s3*?bV|~kX
zCOG?8<RBKc^{GE~JHLv;YjYGqI8EiwJALXc_NiZQHAdse<lBkY#{=)`zB`-w8eT`G
z0LbaC3V0JF4}66rFE`jEm(FH>(;1{LMG$%FvU`yZhC6e9&6P7O6N;zZE=bz#NPMlv
zkL>h8*wIrIJaEs=QD7UI`e8#n7~hMWLmu}KAd09K58IuL4heax-_+XZFHH&F+y~m}
zJ9e$RvoE9lvq#;#?O@on1P7LKCvUr>4feEdT3fBVTS)@CN~fQFZoRzp_uA*As!}?-
zV74((Z)E7d@zi|s|CQ?`Y{tHL+Lc&Y(1akS;-b~RHwnvn${7Z4ZTe@UJ302)`fdq{
zSC+%{oYk>+KX}_T+`6sg;BQLwR*>ZLsiNa+sD(S3pAib`cFgCw$&AJJeTtXM==0t^
z>yV%PV!g^FTgHWEu-AJ|qQWgYgfI6`m9D%s%QFvvTEOC$z4tD7tD+s<HVelz1;hCc
zT4$e^+Eh}{X?yoSep?PAG{YR)3a&&sbIYPZ<h_g<$AQ?33J!0+0po)rZYbP7+J+&B
zXRJYVww*8Lj%TD!KTzM)3%4z0)OQ~*m^PTr9*YHd^?V+5Jt&P54?K8)gohG={oMQ=
zfwLMe{^)%w?VuSc0vjy;zz%-VTuso%f58_ScFZ^@fRWIv_mn(do(7Llf4I-A0ZoZQ
z8{fS)OtfiM<y&ZMzbB(~wI0J&5A+3~R&Zx0Zx?XcJMt~n?5@RFc`<|@`Utf86#|*}
z`Mw>Dj~cv=)zk6JhYW7Byze+^L^<fsNzlTq5I#noq0ABjEr8Np1$f_OLNq*N%MwLw
z+*~{%2wZ#hQ_Ke_m^zHfzvi#~UJdj2bGiPg0eT4g4Xa&3VciPCxkuh+^i0;Y`VIOy
zf*K=r&h2Iq5WRr44pqau43ar=zN92~k$Isf35h*-nZyj73Km`FsLsBTOrT)X&ag{2
zDAOt9!D~k(&&eUPDG9xtf#xtusTu^(+X44{_a?m>nG9*1Y2W4C3W-4#T>STiL&?7&
z9t-(9gP$}LU<;vhq8N$rt;?@jClebES1=}BEHfDf06mgW!i7$i-}qXu67B~z4i*77
zD?P2|yThyKvWth@U(%X8s~zhX3jC929t#gTP4vI`x^ja_*y9C1-A|R;N>4hwr(VwS
z@OxWl?TWW&&Sy~P!&y3~c~tOMqKcA-H(8hL&21Qbm&&6D%~<F%+c${85L&nY)_dd8
zV-XL&w76H6<O~|+XUYgi+~^QUuJeyMeNu!F?!=}z^hNKqZ$^rFP92?cIWYekUzA!e
z6UucHseJcY@ow$*RqWz(;?szQNqgzsf$EkU+|EJ&sQ^Aqh8trOz)gEJB^~3H01lbv
z+oRbY0sB9yXca)mn~zP+G&`oj*BpgI1GL^7-0zZ+m7Ebd%Ac`%g5NoC%!?*Sg|D>q
zaoG)I*Ce$t-19pxk)3I?DVAipc~HQ*m6iya-x&bd42e=tS~2LOK2s!a1!b_$O&m6O
ze%*NPZ^NyVs^hKtgHN+|KOtw1|J+dXgLGr~Oj6bGTc1$p@+7@Z4ty%0(krraJ5z+M
zE^8)8w}IC_x66S3+-G>`sxZc+Veeqp<eZLlwszR1y2hY!Z5qQ$PT5LMbYBCSXq}{v
z*B4WU)x2<xey#mWo%i=cF2W26JV8bE$ty99@6oH(nn>L8(xt&<xHgRN6ut;L@qz!v
zrOwrMKWwF}lyXylwBS~xL|x#jn2X-=&}R!*$Uov>&sY<2D@z~(f$mbo;k%jKJ#O-y
z9K~L%`up44Bmx#Z6uQ~t^;vTOJ*&KP7@McLeh2wt*JcScJc6Z8dj(ZN=lbgM5@8}s
zoN8ex6lK8x1;`0?CO)YH-Wm@F{idS4LLNdQy{W&To43#*7p)4!GB{IoHl-iU<dO}}
z>g;}afPCtxJ)fT~$lGI(Wh{WH*$UBBWfucmMIv4IwI-QJy}M7xj)$_KHm{D#-2bk1
zK2b;sf|iq9ON*Rf=)k2KN2#V$<1=lzj$!6S1aCvpGUwb;HHvauM`7;@d5vGE@${nN
z8YpB$9`kM2sgpEtz69$5nVSw>-oVY={ctpQ$!%}f(sPRtylqEJ&Na<B_469JrFJ>&
zHsLk-BDt1J=j@*B+~Jh58i2f$^mpyP28@vA9~3_0v}+WEEblh(XjJGd6{`t8&XaUF
zUEhM~6OG71B4Wr69R)Y@@gi8?#=~9A&2&SL?ZCN<gAgoB1F$`ms|YNkv{f~FQEtD%
zx4$fo*yC339o}B-{A*t7ttd_I#^khD>TC7oPk!ke^Je7mv0?VVEMf8ASt25OoF%-u
z*gHISSE{lGdA6ChKh^bo;tDKKi|0|%hOGL(p5Cn(?aH9@t&xoU&c4fbTAJnY2b{ZC
z-~KCz^kZ%98!T>A`<=<iJda>^j<#Zsmy>nurv8w7Yb+-AV0J)uo$l)ud6{ro_Xj&g
zNl*CX8OOPAdZ>u?7u6<%JNQ0Wb@;@7R=l?FBe7apxR^?>N0YJ-B`gVq1{(is^o3-N
zds`X(Tk8@jXPsO$xXItyn&saw>{h{zO%>7+i{yrH8)i5J`5qi8_M!Kpik7*FzV#@{
z*^^_eA0mAVK_ZQNZGg5%5fIa!)d*O!8!1<?79^q_TuVu`8JP=@m;ooNMV@X;r3cI<
zt3?O@8MO+#I#<54w-r)EX%{&d0S^QXK2X?z;huswcv!_P>5V5gIy%6?lY1za9F5Q%
zgSq2VUi9gE0_W~`1o}m8QX;3-BvoxI)R)K-v{#rY_1dM0x7XyrW~blM3QW#{9GYWz
z8;|YBJH@Ga31PciIwRH>y-LM{Np^K3%V)`@aj8htHKI<}YH!1?wd_&H9-Mjt@2=&6
zph>24E1~tPL<F*w;z3p)D0dj?Oxf?>AR%@QZ<mZcMl&6@zLsV4N`a;yXAO~e?^2y7
zYljkVuIsD4A4o38b>1cI{BiTz6oW0FF~vP_ELaIyRuF|*1yj{fVJEV193e@Q%WqS*
z*93&V4_e(BncIsdTqP^;g|2nHfjwIl@0oGZ35-9-Vi$Q^4S9k$Ee)6p`m(ERF2LIr
zoiIE3dw+;rt4sJjujyQxzGXztB!>M)nX1k^#`IWk?>jtqf%^m#c_!KZK1?x?HrPb@
zCv9;|mXQR>Yd!tD)-s8pquM^4GFc&m6M4FUN2Dh@KLlz9yZmt}MY-0OA_FrgctZ~?
zATF^d79U}}J)yhWmymYfbHWTdi0}sT=&my2K~iZ*-LW)rvLZjQGn9y``-}Q+BM-E%
zSNKbQTG70x2nxz{Z=1n3>aSflFDUG_7){K;KnEMB>HYUHVyWDPYT#Wfa_J{m#@kz;
z$=?!TUnp_K!qhy0&|`FZSQQ1e6&Q(n+J1R?khkIZPQ~TGg6W}fPw{_t0ha!(yLP)z
zE|$`zGP)_Jb#wGb|C6?P{_Cz!hKOznr}@-a7}!Yun}14DfB7>@Tx6n)oSA707m>g+
zM}47NF|ZzA0KE`=lp{~uTK%Ub>Ur9#_r_PDDSD}LQIMnT%`R<Y=RX3OSCe*`bj<DT
zG)0GAxx3Vj*ahSxAa0`O_Sm><u=N#~W1L>O3PvRUqz7>(@aB!vaC-UajqVG`b7JiV
zmWr12Dg0dG5+0Kb;DCN_-Y+Uhx;v8G;arw1Mjq*tGvTSj(^3eZoCnfr?ozsnLuGe+
zzc0}9Nvz4;^mF)r#4v3BlO{oa1RuF_n~&9m=bSZd=iT3FyPQq8=7Iy;;3I8li<F&n
z{rQT<AoN{TM%a2HXmmaM32Y5GPV9o1ANPPmU5JUWZEK9>?J@l)bGB}=txr!sowoR{
z#Okdqi3hIb(w+8xOGk01I7Ad=%gJ^F|023s+P$Czj@r5xXx%4s^{ZAn2S=e<_4#3g
zu?o9NFxsVRyh5s)uffG}WpeGC#^eUmMzy7J5cMKC<vH1~eLFDoxR+|)nqIJ>J}Utx
zbc3ym8c){}btXd}&u(r&>@E!yRA~4WLYJ2uUSqph8@<2j4+8{Vjg&`0n%12AlqcV;
z;WrAv#dXIrU|zP|*xu!M#B69}Oe6caqQvvkz#qr2C(9NRr)Fe<?C_)=lw!1?=N7a%
zYW91d{BG_g^l>LVg*zo=#W<!Fb1$MOTb|ZK5jm+bfi{Qe{Q?t$lcA^YD9nNjD>m2e
z_0l%611w+gX<@~V$`SC>)(0psWn{27x(!phdbCnT>@{fla$3<|Z+0%Q1oN|^bjB*)
z0W^z&5w$UBa$h=9u}AdIPwtc$C+%aC7A(u;qsJoFtrp3N-5m>CF!B{IKE<Gp5!Bv5
z@CV9EK4WjBazN_L^L@E6KUWC(U~W?^MKNKtD!((bRJ0*`i3+ak!2D!TqCOcf?8&`H
zG90#>oDWKe%5sD;SYh|zu+68K{)m#juS<{IMW?sAA@89tRMpB?_Y+EpHqbNk))c)u
z&E=;Rt_A3^5phKW>th7$h?AfIP}ebOoHz*Dy@>LZ*R6{@hdt*(yRsoVlu^hwHc^}N
ze9K*#HEK~f=kuBKca6p5q&dI7if~deO#HZk_xs<%r?X0mqw6I=g^|vf{Y0ri^w*oU
z{HW&^@9ZBZi}&!Z4t<9ir~BEqF$5WI*6OnK4H=BPFG$IcTaF6BJL*p8hGKL_h|aWm
zm9Ee{MJCRrK)8v=H*>*C{j#&SN>sQS$s4oK?*CSyX4FkM@4P_IJ(2U{>aLti?3l`(
z_Qy6FQC&p~DdY-~=-*?Gj_u<C9KByiR#~?}0ac&*7hEfuU#$-tKG*K>5die9r$zoc
ze=oL;BVvifa%*jT$wlI^Jhz*mV29l|+A^HJ;Q1Aab2{gZTCDQa)KY5WE~F7oUA7*6
z_N?o{H3b(ivE6&AOFQ_(LeC=I=D7Oj4J!+;xoUJrgGk}@x=k+OD=M`*)mXDv&h4AP
zw5v;<LuYRhO50XnDIiXng^Q(6x{1p^jfwv}U)G<IW9bIjgBp|3Qq<tjr`W%Nr-gHc
zx?4GW+>~jT@t;T{?XICGPGszTe{ALrsEp*2%vhE@$ToDQad<~@mUu5Dp;<KdNg%!U
zAmJs+3B|Y!o>tKna~n)-0@u_nEOrQ(=uA@NPQD#J8tmOftkz@1l}Wtf=h60H;t=OG
zmkCq4?flTLXilcYDqfGo--sq}6o!yT`bzCFq=t`g%!j?;<jrW<jn2j+HnLq*a$Z6r
zv^of4^gJLDkXqoIm8ioT0yBCQVPVvT^EZ^jX4=CMT5lo4Ns)77A+t5i1zoUC40FsT
z;5o>hS7Q|4UfXN1-+YH>hFmZmb;v0<J}t^T|6yWpB|>l!<jl+1(67+AT_jO<;oSLo
zLJSUH%IrxZkIPQCKAq-NVf@}Yqk)G*R~9$+0$dms#B6i_^0FU>eW=?DU}ugOUyT5(
zRA6R3d23J~PcS%}#|<5Xvo}xX^&mCO3R?4v^n^$EFq8U8v72&orc)Nt#-)5GRTgG$
z;^mx1r1Ly#R?nb)mu1h#tVX=3Oe_aK7Wn)5vV!qWU=wroG~V;#@y392D@UnXo2ZwY
zDl`Mny17svv*~6y0k1b?wZYHCiK{Lz0V2h`c$rtDu_$PZ!jB7L0O-tVj>7kRI~#W}
zWigr)M)JRM{C6iSyMX`fyUB>8gP8KFxlPkB`B(EYx+T)6o#AT*)(yH@z+PYDci;P+
zHs0vHdeCZeSaBN_-PZ(~)|+R#rF3+xX!t$T<MS;6>kzWh8L`Li){hu<MSd@=x=+4Q
za+{fOb-XcD{cT9Ntd9KqUWx>H*n<(8t@A6gO~#t}jrplt=;qfPWuw)D-=eh%di<>O
znho;C<3A3WJ)YEnu#}(5+2R+Z226~~6<Q}c?6rW5lf$k{tGO4na9%%J7+>F80N9l-
zv#H-oJClD~d^`nyZums~cl(!eaXhu(S-`ln4MgC({!8Fp_wT8?4)+q3@js4hg${VE
zx6D!1TLP#_1FULmzwm9iN%3#|#A<J?a2*u5@!bJ$Qe4dUhq@~N)$q2MEp08&m9%~8
zL}4Ee+b_*75{DiwVJh`WS}b=utXa^nbdrxA1n8~c4xi@NvPJMZn<Vktz3Yrh1Ro`*
zXPv*f5Zo>Do7bE4d60YXL*S3lBvfnO$WTq)(`c##y8UUc^Te_3JJQl29&u70>eQw^
zBXIC&_-kj3PFpyqTKxre{M#d!faZlWi~4<00pU!5H~ZMcOwA$>b>`Q9lNxW2&P{+x
zVSTU*@4%wXCc}A7fN1YO?8hcI2C&+%_MQWCPIc@D?VEk=wiiUf?87c!KX<hs&U{#N
z4h&T2zjJssRb|ud(oCM?4IJk!vsQXN77b0=yHXvYJ8|pPwGK-Ts;o1U^B!+a4cABF
zdH2$-Li7(t-4KYp3xk|Nf8WbKJB<yES}q(2eRTjsmA!#SHclx7+rH3ONU`#@q>f4#
z`(V83u`;O7-np1R`Gf2l2hAi7p&=YM;Ig+J6Z+bIAZmO6HYI3TcEb10wyn9=Ad7mZ
zc`tTfiB~Rn1lr}J4%)zyhQi7*lfx`SKRl$k6gaed^7422P@3N`eZ<N^jT$8GSc;|j
zN)-Uw>OfvN92K{eiS=x1MLxH}D_Xd739Z&mhWdY3BP!|UR%LbXD_hx@+Xb~<iZUCB
zP)!?8DK%kr^JiF_c;a?&&u$2Lz8gM~J^7Yy+wfzp>qW&l*VZXJakhyWvv{|wO7lPk
zjVk{J9u{rORNjjFqX$5J^_r>TKgsXT5H3|Jfg}GG9^OW$N=7>zWJ;<R;-dKQMC0eH
zqd=*I<b@N-GdX6E3HYFWrj&=(ae=H##lXBbU#3qP0+g6}%z{(8R+d}izb(TEBzkC1
zErjVsw;4JyH3z`bfO*&0)r#(f3*$Ur;k|7>EI}vf`X|C+aqx++(>+DiqrwFf9F*r+
zzL>$=jx$BLl*>)6g7SHCud}sn4@BW7uMcJw!zzO-wD<R92edo2vv1pNAAblt>cPG^
zC7GNek)s6TCRW2x32FNsH!;%W$c5}sV|TIF98vn81oIDbMWD8AtqK&_@UzOv&Rl+V
zg9XHP?dQ+aC5P^*j}h}(B8PQb8W$5<)rIwYd-06hrua+=tQxO(dwU9CO8=!|RV-aC
z=Yp{FIPWNFqaA>#@30PR0e(p}3enpB2n1c4bKYwa<(}0vTYA2AN-46$-+J%a)tP;H
zex-(9p!dz^lM5&T=_3~7`9Ivk8Z|!crr%&x2e>cVaPKzi$5)`(JcTz8;(2f`WVVMn
zAb&X*04qSY_?2#fh7HkSsoFYiBf4z!k|JU`zoze1t7@<=i~iPpWJ3uxDYhYglnvxP
zGnUiXDCZ<pI62;$P;;XRZ-aUV$qr?{r+5}gJ%5Hp#K(YJp~JhCk#^=#Ybd?ZtO#)3
z;p9Sfa4tEy3{R4wRIc!^d<)N}tGX7p^v&rmDmeVQTH3gV>zpMdPbyw>e0sNn$M|vT
zIDfeArDim4`1Zi}gciH5gMmxfpBROV0Otx1{i%c?$<7-~h1Ci0i>PaD<5}#s0|@T-
z%ZwkKJILFa@5E{n^&DMqNIcX{IYMz@zx-9A2ajI{Ta1nkI%dcoX7!I3=&@yh)e(kY
zdiZ=G4+{iT`A*=ns)v)>Y>3l-mK;t#0e01s^kx^KX(Ljg+M9A$`or}isp=yyES;q6
zBaEI+37ay%z_~mlH%82%j31j}ygJKS4*}bl?`2lSA1j?0qhDBDPH5|X+M6N2G`8kM
zSr(AeosRo(q5jq=?E}VH?gV@pZ2c5-Nqs091TtDEVy;EefkR2@VJFEOr-7%kMYv_0
z(7TZRd%Pt!J_8PT{SazZwgoV-!;A1GYNY?fr|pSQAhY=PmAr_T(3$7wkxUh@aAgMX
zB4>{1OVclxY_tb@#$venD8KrdO>L|(L4m&E7Y@H0>PXi#aVyrFx8{l<7fN%2V}E{4
z?%nqZUlOx?;3;46wTio4PqDXFg^Aaciru0b9waDQKU=VCT!_YgtREJeI>LEDpC7zJ
zSr$_7KNgyZORU~<?Embj^t;>=mD20|BL;p-Ej&zZJl!S_#@R^JO)HemxPmL|`V(&a
zl7Cbho3elr^Ok5#eah+;DCr&E-?)AKd^_Ht_ZIL_LyQ}F`<DBaJWo5i+)HB90#!5T
zZ^SyAH7cMkU*pt*_wC*kcPWVE%cZ+n{nsM2RI0kWM~dtl?2Z%Vd+~YP!Y@1Cx|37E
zr*-@&yAfCvsq3EEwDYmL+1qMDc7PAsVOA8}nv(_Awgikm<2(}i(%#`Sf=w!k{S&sP
z3-naB6cUIN9Qamr;hhJ>@nyPl)f3G6_rxV-d7CA&_-+gAoLml|lczZQq1v?PZCg8u
z>84!ZHE#UspmtqxTv)=q@S3Y<p8}NT05-2G=_g^&r<w|WQ$6tys7TScjHwz4efyjP
zwut;qJoNpI8g5QHuN_J26bnh@W+lCKUx|hNahnY0u<XV3hSlS%S2pW=ZpNtp<Bxfr
zo-kEjQ|;STbEfoR-&PU*&>oo2%9W6$RdhKvS?d<;@v2rx;2L~7(#Yp#t>T0R7=8Gi
z1HHNs_Klu{qRFpF2wYo>4>-djzKqXipTrwd=o@(&CQp8ylqy<ViIzKJL@)5YT1W?h
zAR1y5=IH%sO8p5A`jR`@ebYpWUkS4;HXpoFMZh|n)S%eP7Sb*A?1RBh0Q!9e+L1n@
zS7T7ro$D$!tJ@947sRY{$H)Xm@6-K$w?qh*{npOGr=OPBDm&lbU^nd(tvv9F41kC<
z79L?tVEMra>iq#ZJUtpwhVtH*Q|@Zt(?9tWn}>&`5Wf^5ytXc}3$|E`ESP$j0dZn(
z3e^j8mO6oir@sJGiv4TR;2H8-4Wbz20y&wn2P?MjJup@$)NYu9PdO;>?N3W(mNh`e
zLeHD?-bYZEHb01M#VC#kCiI{hUqAMbp*|T*LJw2%&*$)?Zv@LvTW-?eiG^puIDU7y
z>ERm-jr92RG-3P(^YDzB4fbnjO~(&7)^KUypt`;|(*H(~{28{l{KqJThs*98m%5t&
zAAI^E2+{sr+Mu@~G!8j7OZC@cpa$lEfoGNlqMbYb*d!|7zr9}@$|d=rh@L&L+b}?I
zfccjlLu2XFJl@eXX_cn;M5Wo>_%z1pdG371)f)`u3fecDU2^Wjp~;SM3ZUFicNyEa
zit_k>D!P2kJ^r0^Xb>(Bh@*BzcIR^xI@pUt*v|K|w>esz#I`@XEXc>&kWi%~sFPZF
z@e4M`UH5y_l;<|5zr({lr<pjbMsAvb<52d+i+5`<+Wb{ol2<8t^7y(~+CujIslpdc
zk=GFw2pQ=7V(+ihBMlQTy96&W*n4nT-R_XbD5r&q697c`IqQK|A9=mwr((_c<b?6D
zKE`eSyuAsw=t3=SK^xro71@h<n0z`BgD{(qXI4;}@q_@kZ!!IvmwjIV{1BNoz!)lO
zATV<Gp{!Qzf}4?e-TsFSS$w3bs#SeZKDDP`ZL{b)?<WMCwLN9!Nyu#1Z0HUC*It#e
zOo2)Yu!~W3fh3v6fJ*XkwC^Yk#V7?;?Tx2ZIM6DWzd$AZR$y%m=*Nl1!b4`<&lfjc
z*}r6#)ZX=P7RIg1gxGFrf+#B+gJ|eue?n$rG3+SQ<Y%7!AoD^r!nI+xkt34z04WH#
z%vHjzfLy>?6kZ3E3wcvTA?lcIP9q&#v|+)tX~}?M*tWoE35_5gxq$*65AEOFP1@#n
z$XywW6h!}7EZ5oD6my>s-HpW8-K;gsFejL)ku+>Yr0Tbsr#m<GI!z~#JBs#W{;gp_
z^*=<jes=~ez47Q&^Y+$!nh{vvLg!C7ary8_Fl@~EVQ<TCd{sw`2y01E^6~qI%tvf=
ziMQWpzu0Zb@H~pxd`KrUb3LQ_r-%NV9J-N~np~#9)I@1+2(@E=z<}X#_KlnT$}RFk
z*`68b9n$U5*%8wps<-32_wHsd_<x23iaEX^a85;6A0cDMpNYDm0g5^42~~4+w~ZQx
z29$3$$Mk+zX*#^OdeM`StN8#O?-CQ7^ENFe{`9BzFfCCUc4-N`X_a^8ba)}=+ZaqI
zYDu{vIm{Mer;0^o6x-3$b-Kq27Kf`Rnq7A3Ww~nf@~TxF+(?F&cs!u>-ma+*)ngjP
z0@(l+H<Hoqj)%p$uY$zvIK`&KTR6iG#C8SXM5aOTeC!R7QCKhR!?T*g3B~ywJM?}y
z?-r?PgX#jXR_|a{+NYMxsx+2}EqJE7Z6bC86&P!tZepJddgX=PnlbCOnCFg9m@w5U
zZCp`psXYujbW>x+FGhr*+d>D~fJ@vDNa-TT$;C)7&)9yY-=Uk?rbteWw&3rWd%M46
zbKCRXbY7t?B4eL<f`#ZTX70VN!_dm&N)MZC-nJjlOj{d6GPE=H?iIqnEO>^Ef$#iW
zsznIDjiH%@ki5s+gWhAU%U;Ld|Lrv8J@<wa*1jr+YT9;1(T)nt?j>(5&7CBea`6VV
zR|X>C#kewGBf#-B<Jv)=dacPZl50SD1n}^PxS0tuvm{xZ6}wwJO+l0K8|P5-3ozBG
zT08kA`jSK?o=y~a@Xy+jI?I^oA@1RVY0Ng480koL)6{*!V0^0mizOc5S1an0m2<jg
zfQ*$XU%Ks4ughN~SXtgNHkH9rwu4T4$1-dVKI^KVHP8VJmWivnIs%Z_9SZE-wMbD-
z&u8TRK>M4W%u6r)KAM}q#dPad1RA+<_Mv0d%^vM*lSr-D%IC+8?viyA0YiSTNLemx
zK#c&TaNbDYYf-<rXH4V$vK`EUZ6B7&+b2JG0NH+)mnxf!Ppd!yPmD=-J^vNBbgc88
zV?U+=3@U}dkcaV;!ESA<eC0p6&OiV#zX;yshg+OVAzOF&F~ScBOz@+3XJpQJ-Yg#i
z#ND{gBKS5@od09gn<h}`(qk7Fze7=t@L8VSSF-1%=z*thj3c6%W7jGKlFs{Zo&Wvq
za{q3{e=#=aPjI-=;_}aT&b_raf+s=bHnt(v0(&;ZqyKbqUetRW2C46QuLy~}1opCu
z?+=vo&U(R`gGQw`0czWNd;lZw9Xj+!1|176sikKj+beE)&}!2~&4BO)o7i^66f1Y$
z^X(X^nQhxYaM-|zNKHY%?}N2g)>>r8V<P>>!QLOlL1&L^Hq#9uhcD*p$Y~q=6j!h(
zsh4C4r~ck}7Glg%yAiD+>bmNeW1aH{@ww?_vZ!>_n>bRV7}hh{vGs0*flQn<mFyx)
zqdvcZKPy2*Zb$xLT@bUd3^Tle9yzN+u?Ulo?Bx{BLBOpOx9Lwm0C(udffj0cj0NbK
z2p4nc6lgyN%-Vb>)nrOhaQ*POQtY|*B<u_;fQv+bo^p;luDx_`7IT@TF@>14=51=9
zx)n#ToCgiUR@MSh8Evs{fx2tj285D<YEIU{kUpuZ-#A>o<^VI-go*4_dxZf0OVspS
z^{Q=av|1)B&t@gI`Y#0Q*L$$_US*RfCp~vhz2>xzHy@aHXSbs;cS&1I5MZc)-gy+F
z{Nccy_hz+fVNs}dUoG{WHt-^}n%#FE-FvuaikL2DB-xPPcD^uCU-GM&ZRV_fS#JDC
zr!~RU>a6~WXh6;1boa20L*hW_>jQ7fW%uGwX{pSgw-Q1%RlTv@k(=rMwZb1Qd0#@@
zV@IRoPyG{qjV(k}tozDV2Z!4+QO(tkUcQpm&Fv*>x^--fbf}u&_<N%j?pb}nz%DoB
zCXejzC|zPsr)4kd!?}1@X*LU%PUv~HuXDEQ3Y#ikY#@i?=M8pa<TLypxr>rhf1IDt
zY)2sRF<O%?P@k$>MJ0s@r706a<fRK}IvVQ~))Vh^u*gaOFV@+cElrnonk1A7z__1D
zn-S_#6`t|G7VjY&!Bd_4Cf;st5<z|+7Igu_F#WKL=Rns+%{aQ`NHR3KJpOH;3cXp)
zD2Hn@6n;IB&L^y*U#eI{&;F{uy}Rp{t7&>J^F&0<VMt*AjRK}q#<VoQ(3|VFKo*C3
z0n0eJcVF$eQ{Unb$(;I=+bnNou1-JvNdso><S~0!Evrdn(7LqCGvpwMZ9xNYI`SaT
zx?u{$mggnzY4V#linjvsAjeUhc1<9bzHk~`2d9u!io$kxvCn8-%jZby2^Rgr+5>WR
z-i@^e<8SJ}t8en7aS$Z!tJw*&TfRzhop&SDRwCO$y010+mEgxeMvBz(h|3#TFsX0D
z9yRaNVC~%;^BNj8Uw*h(saT0M^wxA76bU+2Q}7k<+Hqz8I1{vj!wxEB-R-xlVqB&W
zjaCl+o)y^a>+r;))V>pvigA(6E8a}1IQVd8!?P7lLXD5>+;B6C*_6A9_+7UYo;UG%
z&-Y;rWyhV9LdR}gIAKBn?VKrmuJcO#>L~@FgF=pNE22(hu&u0fg%h~~CTW_=Vjg>_
zO&T>iI0PIo;pO;EDy)u~Hsucm&u^P}_6Oe<S`9)}DQckdWI_9jMdxNf{_UfqtZ3NJ
zokvDE%U%C~&Xx!6=-eUb4c4IA?ByhDx;hNux`sPGvpNjc2g9#C#A>%|p4IX0UKuq|
zME3RbR&6&^9tWJ^9{juz@M}G|f=ZMRxyvE8OL=6eIH*DC+X#cL`^wEs7627ik5|Ug
zqXeB9*GT`JCzG9aajU%ROZNSHVi4y8H2NrNbiJA<F-rzAsfA-59s@iWD8nM_SIkX{
z#6lPKEe)a8>kjEQlL_E`Qsu8sX52A!8htpeJKBH9mE204eVQB8(>-d5Pk(LWS&j@H
z%H!U<jB;S62vIgzH@`^2*gpVaY2@B<j2Xr**fumTc$j^3uyOu)gB4$Q8L0>7ofs6H
zn<)lZ9oJ$Gn~U;DwE@(5Y$V(Px35}!#xhc!MI1K#o&fkcySrIvs<T(@@+{0v=TB&t
z(j%OVB^D7pyfhVile95FgdhB%WyO~P4J9r%UC^?U^h$Bq{ey_g!C$Zw=E2t%HZRpD
z{fh+5XfX<`6~cvi$g}*a3@LoK<&jzlF-v2M1xR?;JCSEACf}$NtlTWC*XN<%Pq{n1
z!ml!ho&e~E`l@;UN(66+kFx-B1a1BC9r!q*jk^#x9OoKSwQ#}BdDhp)Dt_4~e0&2j
zCA}AHxN)o8nte0B(K|n$A8l4JzdKO=d-@JjoiE_vIaMe>!e7c=5N_sv<}+2bdFzqO
z24VHO#Gt{t_>NZ3x#X#>!H@nMDbm+kcx9+2UzRXR>Jh>w#U)u{5Bpj63s4Z}i3^>}
zsuAPwhFqWCq0bwAR~G#E+=f^A*0#)7%-a#=a<C>-{5q5UwUP_itQQHhJai#`mfv-~
zoUlXWOWf+Yiom1}Fy;aEqik%J{F3wXZpp6sLLm2oKSPzGK(deAtSTkga1r{&0k7Em
z6DGr;v}1R4tTO0*Y8S`)WKm9@#91>NN-wSo^;oz?NlKXBDW5o;5ETnMZbz6ZmLVFn
zdO*iMtx;TB4;Xoi+Z3bbTSY;)aWMu~pV<=iRy!@A6320&WmJ-YxC4N1z+FG@CBXCq
zkF)U{G^iT|Nr?aC5hAAI7uzle-n}dJ1@&^MnBK~&_RL@jX;JOhDIp45qh9-YyK*oT
zNwwO1iZ9|Jz90p+MB?=?s!@w{KutC;c~9CZ<!cvOx6$N<^yj8iQQ}%PD+>X{ZrVVg
z=5(PIuG-*7ZxPMIc*Z+sAbry~9k?kuvL2leJXt(_Owmn<y`HUk?-kvQxo?+3%5kTO
zwHdX@6y1e6^TtZcYXx9KKHf+Qo#-4_+vb~Hia-R-I07<fqhfX{gbqvA_g$yQy((OS
zZBKnD`Gs1I!Qt8&`!W;>Sc+>gSlh1emAs$Zy)hK=M4PCY3)}K{GW;JefMa3oGt$=G
zr2}nLQ#3-{u0O{WvY0brbzKs{J3ao%8_RwiY`{!?xuepkb4tZN_X=8l%DqL{h!YU|
z`v)IDxzDA*WY?NK+p2mpd}G|yB^Uaoasj>-LUKJUx``+)RriZUnbE_=SUqfqCQ%UZ
z0XM3QxYLV%+E83)8_ic-bb9b@&=(NNGu_UA?5;wTO#s6hI6BwbJ60M37I5(u#yigo
zz=7nwA~#PIhT6ijXi|nam+Og3ciZ@2>A8|GP-fvOv}tO3Co%c(Q~bdwjZ`K({dwpz
z^;fmm>&kYmR@hh?aCd_#u2mcuKjKCLWt`1=>UI9LbeO%Du0CC$^!=INDS!^Y5rCr?
z!~FdB=HCxJfDFq_8Rr`D(oNY=X=M?!(mA2UPUeE}cs5Z>aEvhIqjd&CZ{umm*E!(*
z7$45{pc$zQCB1@e>I>lg%`v6=0sv?mNsDEo<SV?heaTO}dxg~Zc$Kjcrg_|VP}Kt+
zU<x;1nb~*%*9FzEb03&JM_BG2fxlNrzrL3Fk>=6#vQL%AKfq7ZYhls&uIgRXl4V>Q
zTg1XyB_5B;)gQJ@rqfrqPnMruHU$BP5*q|f;^0y?rh~QP1wwLtuUZnnmwSkTXs;@9
zrP2>Nw}AA^6%uQd4Cnn@&JAD?a|9Q@vz8#oQLlBPPrF<&itXFX;sB9G7k~(Coe}<{
zQB(`gBxLd%b<Vq{eKNqHC5bm$+4xl};_vZBj6zvVwkLt%v$#0uF>WWICIVHYx4Jgx
zAMWyUvuKv`>A^3ZO7Jaqwd1#P3W00P{B1v+0}tDxOkp)gX;5lsdxltIr6yoo_t{^q
zSK!I!X>}s(ts8$hk{QL|?@jEEL67DxK_221dl40Xm4I~6wbLAHI#R9)cmj4Y`kQez
z=lR4Np2xZmH5INL@3QJVw{`=&EV8<jwl7eo1F(Hy=+cwuYJ7J<VVi)FOM`9%>&Ixf
z&kr-ECyoAupc$;mwolTU6i4Pgzx#@ly-~V8udoc=;LyF@jmo*k9%~6bWA_>>hnv2w
z%+-~fZddbZW5z`=IeYMh>C|{Zpbx$6*2%`j0KE;R5o=ETpbBU(ux%ahLs#OBHJpoH
ziH)^8C3c>U5qNgcV$mWZg}jxq;XQ8X5)F}T=xOW?5(-ZKVtr|y&}uN1tA@=9xPQQe
z(q{oHzQWp0Ajc@A{tDcQG#}(GcBGj$_Urb$*;!o#Fch#S_s2yN9k}S?Siaf0gqWXm
zO9dVsCsw=DjFV5;Mot+7v#$BKF|KAxis39!#Wv@f#`(mijfJGA_Cw>L*Ga0hAs^m8
z)ic{cHRAw1)@j_sKG#)}IvnE_U>zIkR1316X5#L~wQ}O2I$sYn9#U=4Dt3E!-LL4k
z;q{Q=GH++;>9WMQ2U*_Up(<bBJrRIV{DI{jg_^IQNVRqjhWAwR@l6zZX>DxAZPUG8
ziZ)rxwsz;xHDqw0dP&H9yQ@y=zs@SjWM_9x&s>5H98B{UZLXGwbDL%TG1TIhF?pzF
z*-`SR_psZ5y^O&_#N_4PzxH(q!?!z6TJ%#K-V~q(fIYJg;*Hy%_@IGH2$#0nc{#dT
zAQQNpjNw!$=9xBS*>62trUY_?XhZj(P;m9};;sO;CmD07y)snSjxvhPy9PrJ2i$`S
zK{wYApL3C8$^8M4R#t_h0E$2Nw*F?a6!AH{;TSbaq}{B1&+Dq=*COr-nG(GKE{o;Z
zszHC>bK`m!ewZ;0*lZabt-(BAs1vWHNLMc?-U6cuGE1*BDMx%DTEL0D49VBlTrN&E
z`6cEWmYe7Sui>o$SDZepJd{YdcwO~xeLLZPU`eRIzM|E<oHD$jn4-lm{>sEZdFQBt
z`hi{HTpe#yhIiS5XC_*?7))7n`6aiBlMVEi1v3f7AIb%&wTcGl&F=){bL!*+J%@zA
z8f2n4IWF{I>Fvhl!f|lJYw$PnT_R5P`1~1f&#F)o2*nnO=+_-dP?h-X*s{1<KS*$H
zIcaS_GkS%qo%wrB=mKtZT8HRFJm&r@b-mHE04x{M88zoUSQ518Dq92Yep26y&mi4E
z1?~h{xj)8m?Wv-4cP~<c`wQ@2M8*7oo}~6n&eD41Q5BkO<ezDMi5xCF398m;Ix*e#
z2QJt7J9l;!%Aa^z3e<9b-I{0-wS`x3Ld0vpWefVD$%&{ukjr83rm@^irr)p7J3X$V
z{FTZI$I$j#^!Q=7{~=C2)F=7x@AtP<K2Sb+pk!O<;?yXY_p8_aj65ojzcUo>9rZ}|
zk}K$4kLzqiQjm5=K+6NjkzQl=Sr7M%>@rlu<9wZ4N><}1v@<Dbp1<vA^^+qrOU1X)
zSJU$`$Yh6eX~)IiX4{^8;9|7F6sC(MWV7+G)(S8B#ILAGWa<7N_TDlo&UM=wtfGM6
z9^4_21b2eF1WQ5!1a~dmHHAZPNRZ&c-Q696y9al7Px>W$?{m-j`i`%^?w>vG&oF90
z<*E73x#nDJJ(aWcGW4>pf)y}&s|#9}AdhZkhLT;F2a7f$FU6^Fd`Giicf(Iw@W_4O
zHWEwyEHz^tTcjE^D)WIHOCch_1mXrW!+)?VVRF|#VfZwojb-@jrKLmm!&j+*E69cG
z8xfOcw>BZ_=B6w?GIy3$iZ5Q<L!ma6zJxrX($JvTeX5>*BnMO@Z`;c5$sh@fR|85t
z%$n$<Fr;m61tPEApL9%0y-yv+UAtB|u!*izsy^ebt?-?)hEXy>%^f-<gYOPHZ~?Px
zbGLl)-aQ+M92Q)Xzf29Xnr~@iCimz%#HgKZZntgFnrTf&xFy)MX<6|VB>&|SttZqi
z^hS6wMfjAm0n1=1AU8bzh`Xb<^VhCdm1k??#%05PyXZpzgrhU>;M(_Yk%O7nKtLX!
zK<B)&$8pDewksN!+|J|Tc?19I&NXV2);fqD>O528rfKBJ+;n2xLqXAgCnS=A;Z=Vj
zzjlx2j?op|Gfg0O3@PFv87`R*>@L{vU=(t3Bj7K@5Q43Wv!`g;r3g|!bxsAcVyZ-j
zvt3ltaFtbxPofl6CM5ztFZ)V<Zx_s!)Gz0R{O)V`U4I)Z$T;n}_`(~JphfZ2G;!MX
zav@gPwg&dKuE(Ka?2!28o0d%7>?K>JANK@C9XZLFc#HD>kZ(?+P(&5K%<%<@N7yd$
z-SUI~k*2EWaC5!4>lzWGOEx-pVY>Kf65-4-mX?6wR}B&f1j$qn(MY`pGjzCPe|16m
zU<mu(9Bp^M!VyieMpsAklfi|S24>AXLa3(`K@@ph{BPkqZvxlh*RJyf%_<MS5Oi`C
zYf#BX4jCKf;U*5NUafo|&Ei=w#Pn;*aTZ?YZ7rD<ShTa1Mm<M}JDSzv*SS4(yp&HB
zSEN{oI%jQ&^m&3S4ib=qzhhcx#Xb`lWwsOfoinHEVguC^zjt&3Z(CeOPLmW$Lif?1
zr?A;K3PwI1CUNVg8Ol9A8;Qr;blh5$&bP2?nj}lT{(+wo!eJQp3a;!EXs#x$(FO7Q
zBD8XB)!i(4v{;*RFl@tp>npm<n$ktJQISD^FTbLcUbV;$qu&h)uGykQ?YJ*G8H>IB
zfK27XtipS4k<soeTWzo~^!bP1zKULJ9{TnCg^2B4k}HIh6r(7eBZ%~bPNQ6u;3b7n
z4bWEGK<D&X9VTgs@YLrsvn5xqkghsc+;9^%&ciS@E<KP}P^7{%jMcT3_mYp3a?rof
zIm&Q7Qz`&6d5I1Kfo{JMy_HW;Fd^N?IkHIEj&xTHo?xkEAvI}m6#<FVx=PdGqY-4a
zR-@vb@WzWS4y$0z+5(U7?L!4|e|q(2GYZ2~XHxrvgAVKd>>TxVm^xCVn2JS86Y9=N
z?o{F|;ieLW!<Y^u88_d9Q9G7=(+QY4JGBL(0)KNSPWDs?;Os@cs@+~YE3sHfcmed3
zU=%-moU5;~NLFDSESoM#2%xz-&7MVtxu!JA2<K$zW@idWf-VSiR`~9_$p>L0%({(B
zqXylJ;iWUZp3${-kR^EOP2E!S=^FFrI=+jAC``-tlKkfqGl5gJYTxgWc&}kfVRgd0
z3+nt`ZEm^K>IRZR#R~%qYBg5ifQ#0m;?WwGNZbaQQ|Z))Xu-HHX7U8Dpgf*!m9>pa
zuw5Fz*Rx=f=@@NjM;E4*dCs7<E!9|_sj*$V9fxAL>TTjec+81dLjvwgUG0l$DC}!u
z;&5LUL$X_xtLUH))bf{*lKXt-4jKM&zhVzbd|x@*(U)OFR{Lc9yGE@!6}Yvx^D@7*
zuF+aWoC#_YB<Vg)Xd1Mk|1w<+lJshWcL>VR>~YLjr^cpP$Xu;T@L=I)dqc=FK&s|E
zv_!IQ<N_(4@2ht=P4rH=vhkWYp?f(xUMJxs7oWG1&cZk42fn649E&mgOhJc9G>?&h
z+Qz=<uChZkA8yFW?!lPoHfg}JUG4Uk3I7O~kDp>|EimfOXy#Hg=_H~|T3S^ehYRuD
z%Y0~#-Q5@VGlqCH7DWKv(Eux#F`O$mhbo!(Gp<>G6(ZyfH?tg=(>L(9SW>$IJmBjP
z{!d?o<fm<Q`bG{}4_NLDc-B|+(hs^FUt~{BJ7|V)%$m&ZOA)rSx6P7}?PK1Zg!LUG
zf|j9IbTgmwn83@)oxA)H#R?sL*RTin2rG)}C)Gdgk4ASv%|EfN*jy^wG<DEsX<^L)
z)&e`^mE9al??|qs=@Ai%O3wl@%MRc%c{oeCn5Tx1Ck!*^yAV}$T4jgpFp=!LAnsQu
z%e%<(T7+yt%i@Ixz7OLjJG@|rLqsI{Xpp2Hmkn;33N^H`a==uTC2})+BjfA`V&+MX
z+eek@$;=HAN~~bTQsWs%GisB!(sgIijyEf_VUYV@`-luAt>4Dgm3YJ^&R^|XHr<$o
zUpNv97oK7lv$j)%zL7o41xMYRDz@j^Fw3K(|B83q>Qd}gdQ+rTZ;+^)#88nKfHtDg
zQ89xw^7y$KGiq7N-eWPc2S}xD=t-?+$7k!%67?AyUSHRxiR6y$N}h4@Tm0lDgH&>N
z^1}~ut*0$e)}{=}-igi}Q;D4GzJGIoDNXt`@7Whbkt7xp*8GLjwq*ix%tHO<c#WLS
zkuD7;oTpCOT>^hMx817AqYnoYkKZqy1NUtCM>sFQsdx$+VMVJI3w}iXrb?ZrjJcK5
z{4>FHBy-J(6!g11g3GDg^I`Q<X{t%L_^Ud=XoTF<3U(mq4BL<_cLcM|co6Z>#94og
z?<KS!7qX<8$0Fa!&=rTh?W5^aMB18%6Ra`)1h>xqBHc>lq7oG{@lmJon*$-b(eSC)
zZ2D}>np!L<`E(X!Ts&?kShfAHj@#mt#jpfPe}MNad}`ggKilFtSn|#i=(;t6i0P}*
z!FF(;FP~%(W0+C3c!y<A+lETXtoI@>@>Mru;7XdS!V7)FWxJg6ra8IA^FEaydG66N
ziFl50N#n-vwvu6=(;G=vQ1xUxd!;FJA{`lW%=OeWlimm@?StB8INyCf4p^f!7-6M*
zI1ZtuAqqvK-~_WE0kkTBX&~ntf2{FxkqN@iyX#0I%KF9g<e?A&|H-uMohQ@NTxAMi
z3W~ydFN09H3<%dNJDbS0{(J^I|9l2smjfM+Lf%4t3H4oLlT)frYz_Ep_3!69#ZW}m
z#PTAl6$?Z);9I91hDrm&e=S_4S_lujM?CEB3tge1-piL*9o>&f9=Z}AQl+ocCuPky
z3lu1nsqAE^`AsjVqsSG$J^O~<n!i`+ma;MruHJi38pNl@gTAm&R8_v(E!Q9FbOC2(
zr7px*0u>?tlpkkguxE}(=N*ZctQ$53Af93BEw5lCK}J%JQ-khYLa@rh1#F85(G|?8
zXwio`%LJX5HE=sawPTeZpYoG1#EdkS{%9@&C-jYk?PZdEf%mm}h;D8l{}$Ixih^&>
zxnmFajayqL!Mm+iS2i`z&P;350z$~K_>5Zp9CyeJd+-s0U(hd?B7R8`u*18%+TYZD
zLCCs%G#ydwRu(2SW(5Ra)dd%A26H+Oz15~kaU`mcX+M}BDA5f+$bt|ig&t6A^j!U&
zH@-qJ%@Kjav#d!H2@RRmKUCXZt*q)rso(fh4z9YP!B2>@-}n39BDOP8a4Yj<HV|YW
zarlSV#<3Mih}0>mAM#@^pLgk09EY&62;IrMyS{lxa>G)pLw6JTP_B4KsemfJ9=@-N
zPbZjF=y@w$O(ifU-8O_sDC=U#>vY2Ao+3*wlU`b{`Xib8fc@CWY|z57Hbvc|KnX=K
zCx&~%5v%YnxzEOY386=xN+j~RReRJwam%;c;!)iyr5zslUSzB}3N$m`O#getDY={$
z?rv(rpCB8;lx+x4N25x}&M(Qx+s4epG#<S0NP=<q818zJjAMb`bGG}rr0k56^bN%*
zk>pM<GaAbtKfRUOFtX8LGUZnb4+n3*grEh5qG6UlL3^v)Ey|VFu203bLI9ya?aa_V
zlfptX((w?s@a}4J9P`rYA6xr6-Bwn6_(ut@)v2r$U2jxE3ez<H1S%{ny}X?XfqS+3
z2H#C~@#R$K317zOR}oHU&Cz+^9_=B?<%%8?S8{+dNh}+z6&MFxytc;}@|W(fw-#9T
zj;CE^baL<zw8nz;8Sqrp#>luzW<ic0t~AMUN}UFLKR+uP-*A;$LNRTLDP`)=UF5W>
zFqwG$gM@{NV{Q^Pv(D^hyYbQG<Y~ul)WZ$!UjWb@EZw7qB#V;yj{{$I_QTb@MlP)>
zaZ#-t{Owh<l2<R(tSXr^g{Os*UWuP#CI89~VWVDx3$|q@1wclAUiK~IWHPoRM(uu%
zta^5@Iw0@&B-#ATg->vRo9D`8b2FRB-^iT^tJ}?BGUf8yF`sADmkULNhqa9~D8s83
z;m@^Vo7!L6deR5;%=0#YsZKh}RG2a!%6L(`0xi74XHegs>WTRrD^ljYvshx`)`!Q^
z+C#~Iz>YK!>p1Pb_|Xlg){2^G+s|~<RU6N=8Sc+Kq#m;UOOonBfw2(F_F5i(QSVgj
zo=&l!pSGh#Q=V5dXKZ^o!zu`=N?8XJPAn2173kjTW+wtHzCho*idxPAGE*Q~Jk}l2
zz+BSuJfBzn5K)uLE~JYo)im$rbrGFtReYQ_Rifz{b{9gz5(#==B}<U7yz$F0AAelv
z;cqH8fjA(qg{=+-9_1e|5O_Qw6UbmJIy&>%_(={k%~62Mpr$G{tRh#h>y$GWiJBRU
zT#GQK!mnn#x-(f#wW!pFKgl0bEjR{(WWGGN9e=G&IIf@**@O)9O+*~$uChdm#MP}7
zCY-X7LA^mQj8pt%IUwO@r2x=)6E&$R>`>==vgbObng<VKxf@Qu8nH#8Lh;(GAS<%h
z+Q5wu;PQnRI6<5es*Kw6Z21O>+&itguR7mpEWnH%2$6rDeb#yCurX^`kb&aav#m{`
zb|>)M6+3oISSRz3Cdgv3?_ua@I^nC4@-lJvv*#-dk+cqwnSZrem-Ig8f-=Zg>H1A;
zVz@p|NeIR*EqIU@_xyB~Fy_{4Ijr4hz>Y_6I0Ka%&@93WUl|X-BX?L3y#hbvHU-z6
z6?Yt7P+wWFN4*}GU*^#h-299kYx@#n+2_P9g45(kZldGrGv%@7dDSGHPa_>s{i}J1
z%`>I#*ZLHL0Kz52bTFGk7y3A{Nfmo#!t`nu6s%P`A6un(6ga?k;YP3K>#%6pN}Y)0
z>{gn-W@Hsk6kILb5c~u2`P{WogtQ^w=3%NHZ<3PymB4|AUk~;2Q?#ZxJR>0KN)q<&
z?>2JF?nf2)%hL&R6$Td_p7eCaBf%KUSu1R{;R?8j%Yiqu=TMQL?TB<$Ifm-ehvPPy
z5xd$S);84$7`+y$vh0*j@;kp~ik|M~q>&3Ij2@Diavr{Kz!Lqcbr+L^fK{kyg_7@i
zOJLP;3cLDY48f=4#1Fq07~?{k)^UGlR!Wm@P_VgH6?CX$n9mY{7xpFyn7)IvLcx6!
zG^I7)>lwheVgb9I+8hl@jjG})vCZArD-;WC?&@a1esdTTJ3a)-d^WV5ZPk3zuy^RL
zKH!;<I%f&#aS~f}D10cZRS?+90*Vk5i0Q`4L&w#EMcZ{m;-X*_WwFo!hx?x8BVOrM
z5An>d;#lM?v<rNze5Z??D%f72sjDJkoN5%x1kRAC{%;0;G9I+ma7<ufvZy!d^DFFA
zRS7{OVP()=3{A%`#E!q)3xwK29o@xOKvs;D#ulyfoO^ypHFLMY_uSbz9n)g9u5I<`
zWaS1`m!L(?#-f;A({|837Rrw7Yz3G~pEW?L+TeXp>?zg*9504J9uu?gyMx?iw~s^D
zS$B9bLDsZ&NbS_w#!IehY%5JLOAKQizX7)aM&<?p$BjCsO#RPGJh)*W`6pg}Jftj(
zYL5S2LK0Fj?X%uRy_;caSn$Xt5(5e(^HE8$XsNEX%(7iQ?<`l_?@rpD#}-#pdfcSr
z(|oE@D9pw3d-mnlbg%M}%gJ7+P<1Oo$1HW|ClDDu4c7En*hI=?>$5_J1Cr4rH+d%J
za|DMudM4bT%A1#35eIoS<$bW+AGQK2Y~$Pwo{HEcD6Ert1{h{x5E<6i7)74SY+z;|
zk)8andINs0VK(d;Nm|0%-Fo0atjfIXn*Z562<=r8J1)rzomO>t6$vLLYEq6MREd!U
zs|9zWB(-?-R6a^72Yk!cS=6LP3|UUB)bZh$gk|sp%TFYxuZDhDqYd>os=2t+_r=%u
z&8U4fY_C@oOeh<Jy9<AFHt&y=zdx5Mk3}h<2Kt^hm#RsbOc;y#0_~H1Y;nc6I9#Mk
zyN>Q``of|6De7zwhu_Q+l$fc(u*61A2P!XRqe*+I>p0X4g|5`(9QC)tKKT*VX<7Sa
zBk@c!sluAUFuPRBkWWA7iC~r0M2qZ)oR_55&l`a;!7{{uVf5nG&1&?Q+f$C-kBjY~
zMFv2_RkU<sry5nBSmZ3cU>9FB{<z1M`=Gr}S8_2=NC)l3TpT)Vyr;)yYY%$^h0cp!
z*LU;iYNv%9KIA+SWe-4<*<y*t$v`JYjyh_o``qDN|9mNnUsAnK-J1rkN)($yVGvo;
z5ju`YMhJg8uVx;y7uYSG;j`Ay4zGPk-6vy56_wRJ*nGCE-|h~cCmo<gO1Ma>uH9GH
zwLSJquVTz-e5~0I-pF}DMaAjTjM?#c6#8q_B?vHH=2`0-`3H5FQ0rS&DXdq$p99L>
z7sOhmlh2twc%&K29I9lu`LysL*44S?Ah3TtWyr9e2`EkCH-2IousG1Hm|H~QLWTKR
zVT?)Z6Zbw8#@SM*onjK6cl9!Uf_5?Ty>-l3f<Wfu9*|$`(tx^MIT)uwH_oW87$j(J
zi7oO<l3wkJgVqD+u+rM<YGrzCk&qQ`ELCedv6?w?0UVY?vgS{rP{y6Kl<T@d7mF>m
znAtyNI|+)uf-@zZa(Xw}It{Ke(sc}r<(DKbL)<1nJ%RGYSL#f)D0emlC4QtY(%70L
zzT>CqARD<3p;gX5w@*13jUj3~7s;^fnfnV*0xYm&U2u?(`6oMX2Yof6%t-elnGEZ;
ze&k%0Dd&#vO>IX1&jFuZXN&PiA3|R4CaQg)T0KrcsukDkl~gvHe^;;-ddxzwJCBoW
zMKnqG=j8aA-9tfJohsKD2j;u*AMXwHO+aJHVLRPue-D`YPd^TrZZ>jy;_X90MU9%m
z9{g!r_y;ViwzTg6(raB}NGF(l2#WG(x50n&<{<C{HSA-ojr!O{1$aO+2Yvdf1bvU_
z-ph5&Z}35H4(r)LtH#W(dh$G;$){*<n28H7UpyeDCTTuUT~o1;aG<LJ<mYzJ4&)X{
zUES4W@@`u8vj@WD#uil=H(dY*>1zHGYk#Hn8a6?)rjC^(;KrmP(xTQPqj93|4EQAn
zgp*|o<GzNze7QM!hu?#|aa28<bkPpckI85{9@dRH@2UH6Ccoo#6D4|XJwwNt?pL#A
zjiEH$d}Zm_2XwqgKW<4D0PVllLNfEd2qx2B_zC%d)oe4MShZOxeZA-Fi`G+>NRny$
zEP>b2o4A=tzZ=QBl=K}}R=`}@Clm7Gy%Uu%>hevLg8k4BGIJ^xfTvK4KM4Jf!X_Gv
zPGB=b1Uui)BhirP&osl2sUM%QZ(`(=t#LRZ<h0xw=nh$a>Vlpx$i6+}*1|4XGnn#G
z>v9qmZOJw9<JGz$#O)NHJwjcT#_>Rr3Bo#3R6FNPU&R$+vNAno$xq`Pw2ll#rM9Xt
zqL!)+?w@)(uwIji=p+DL$4X_g6hC1sd9Yd7UwXU8txA6ypeVe3mAxnNq>vx|sOx<o
z9a`)3`}3%9PXEzn0uc`u(DUG;(Lu8fr^qhmS_A3^Bf|UmS1>#M&&pa41hP}P+}<08
zw)7L<zOVzQr^x(EHk0;+ipYY6<42W~re|N#M+V5Y8H91-Vy(WlzPT%4o1zvVDv!T4
zwPzx`sSeNmUA5PXj#6Z5=F1>PxtSei>06JBj;UI?P^mOOrLlq=!_`9%NQdSxsPN|^
z8|v{_5-J)gmw-&a>b@Q|W@>oJWNEgH(8!qC1(v%D#X(8G`*0xZ0&h<3^Msy0iomve
zh$93vj6hVB$g;bAUgiO423_arufk{aB$Q>SPV?ncZ6@)fB_HA6D3)G8wN!;+{DSfG
zC+q?|h{dpT6CU_-u);!TKo8BBhPov^`tBf0Z{PTkM5s*#r$!H7Olr!<={>!UB19zb
zFz)Iqu3HvI=e?>v>*+(-{qtPnM7W>+k<~CnM9-o@S2hXHFeZI{hsMdrgeE9^d~4Q0
z#A9xToo!64<PszC_<Jwb19d!WI_EZLLl?gix(`_^nPY7jn#tTU{`K8Ff-tY;qR8ih
z4~W49$QG9-I8cHp8%;xL-1yqZny6;P%}CrU_Xq*%{U#s&<^}!U-U!*fPr48r%lzcy
zq5IsLlFYu8AQi#|J3mKzW%|-m!~7x%yE*UuQtY-ve=fJ}O2aGtS=(6ycn8IHM|o8$
zy52EC-Ktujg2g?H5n4oYbraBa=gHWXiVE4lGc<L|^_=G5Dm?w@d{F!s-l*f&%HsoA
zibka{meoyZp_Lx&Fz?nz{ex5Nborc)Hg;fdxgW59mWr;s$!A$xd@SYnI0GFiY>GoE
zR=4*96qNW^9OL+dL!{2MbS~$d#KX?+B5*md5jw!B>u(jfchV1>JPjVnyi;i_ct?+K
zd6VKa1fdhE_pR%^dFk~!gTI;%i%%uRAyF=WLUrln9OQib80+OfS!Pr=tG4{hG#**3
zw5UgdIKUiLN~<i$J5&$(N=0^I7Cvpl8k%mUtt&Wk9OPd9;`2P=-4Shqrj^$!rR`Q6
zQ2>bD>PYSy$!Fx1=KUxc^>Ic$BP>(Wdz`TnTIoQDh5mY4ZBouFKjC~w1!Gm^tlX0c
zCxvr@rz~Hr69@~~YUb!p)n8g}uGHg&F^8Mu5i}>#!~$^ztwS>NU+9*P>=NEOKoe0v
znt|`CjxID)JVpr|O2oa`i29C=!sc2d|2lN+<3jFM0=D%N{H;;&y3f17L$s=z2Zh$m
zb9@sK6Ci`ZQ1{}n=<7q2+4s?kO>QhkN=y2VTL`Hy_5zUxtam++W1+0PiXBEY-MkjM
zp{mH5bQ*J6x#tFPsoZjYNti+6*(rA{<ha>MaBL#yUf?(pTqLoX!Jn@bfy{Z;Dm{IR
zu|u}~hEo7x{+1Ky7bH$QL>^8h^Wwdm*1fykN08CaL=CfHL)IvmhU3rPuuPVv2yw)K
zIE)|na+)Lxcvz2!BwF^cL^GBy8KZ81B`{terBJcd^23Jux|S4(jHy^N90Sc$e=${R
z&qh-0x`Q<+zq}On`XPI#Q2ebj)hA_RoEoA?Y+&)2zt{w#exv35TFq4D_OrE5y=QLe
zkE|KDdoBKj<3%FO^5>m^rrG}(0%dLyjfW9!hSYt)4PgFh9tG5xM1ukJFuM#UEw>NW
z*G?jU@znV$fkH~0XB>3lfC>>XX&|riqexFd_Ka11bD#txjczXwo%}Bpm(ujwj?|;v
z_|k!?zcdu1!D<ua{y5Pb0mzpS!~)OPEp7Dls-KX&di%TOAu8KWwd5`Gok%=lWo4F6
z`qpM8jeei7a(%n!6uBd2c;Fu7vuIp07w**<Y+-Qz>{4C>7qYz%m^DPEKbrRTPV{^^
zom>Y{v`55Vz_Am8AyZWWSNe)J=c{9F+&)bgA+)}JVOUy&6O7E5pWtOpLp)1}EtWcx
z*>%C|%qU588Acgd9Wc{3_1*c}r^<tw6!s-Q0+)gHJXv2e@%hIvaZ_df4K+j8pn#^T
zzENrZD2%{2QU*wr_3l><@HAE=vhCw3`=MF{AQ?F_ptMqn<{CuSUMc0+N<ixp@-iP5
zDcqSl8wjd_SiH+Gt4phl&iTkkdGKK*_yI^+T+Lk1`8BxHV#<QNjp$1l;GQRL!|%b0
z3n*HXF9#2V?$zDy*eNL=X3^83FdT}dD+h!6<BS(m0cYd(1}RQ-`hJNHvwXz~_cI>v
zxG_n*IZiYd(F12fQZVP?5<jBf+9<KhkQ{f5b?|(}5mX?AQBYGg35FBrh*j&iOM9@S
z$?lq^jb?_(3c7ICG!_AEpAo%-w1;B*<;I}&=5Bm8Hn*s1Ukc*(vKj+(lmZ|%r`@Nv
zLxT?{{nByS98of7z7#>s1{cKq5@GTeQZHM&p6j}sQ3co_zlg9Pvuf$f`<P2rgG@<>
z-`~@2>2UrwptR<Mb)C@jqJ>@8jwV-J=3R{hDdEQBlW+~g+>$3?D*l)5p{<~wg5zd`
zDA+m?mZpsrXCPbc%5Dc-oq-}{{q5Bv`~+H$Z==xbS&*5RaubliKIY#qf9(rw$1bGq
zz$%@&8*ViTQhFV9Sl&=0Vh_p5)q8PM2Gl1pX{x#?Q2teZnZpN-?Ek+lzi1;&2);h_
zbWE6@j)M*?3eN%CS$N_l$KoM>Yg1xRn3fvQ&w1DIjTIyeFXnd2Nr*}rG?mQ+EpxH#
z$qk>w><A3MxV9sZEJWMMEg^_#Ln2H|{1;-YeHYi3H3yomC8I^#oq~!@P4VMY_26Y?
z2${VwEe>G_u<?qP&Dfv~i;uTW|5yX^9rU<RcidVBrJG|B1N4hg?(z?hPX7_PGD32J
z!vdOd*%fWdVXN)d`ZP@d#ZtfM|MrGaAc{#u1dz4W)H5eU$|8HHkG{Aw!pHHX<);|p
zKa<wM4?(lX6<`k`xrlQCj@5(KG0u7y%{RMmnHIy3gx{3!eCE$;0iMPeOh<j~l~52Q
z&hn$vX+1S;?6YDi#&-QJc;TjR;jp75t7eM<yfbWtWCZzgechZxGX9q{NKGL*tK@j>
z#{te@aJ^?UrrdP~DJghq*NV4O``lv&e`dgZB+xxtRQ>l(F~a2WRQx|4{=jyE_i6c4
zT%lEWu);f?@$F5ss@8BbSB)Mmyr^5>Wk-x80=9|i8EQHymNBPeadF;DCwV_HjvVg6
z?h2M@G#u`BBQE8NT2dhsK5trO?~I4OM)3EL*P>Ozbs~Ihj1i_KP;Sbw7Os-$YA+dn
zn-V2C)ZJf_Mi&Z(-~WV!3o;X|cEPjT8g-N6WB)CP>G*H_;Z2WL1Ud_`PA=j_XI){O
zqK}Je0XO<q$vEN!)>XZ<E90TY9m9w+XNkL$HIUX3`;g0=)!`vutG<T>3>kNmiup1G
ziXl`3tH(;={IOE7(f=F0|DVjm|AJoVcVYD_czn%UJ+GR@7h<j*H3*gbW~@k%B*<!M
zjA@zpepu=5c9Yt(cgoC*!~gKCKI?z->?3NCHdiHGeUS-d5s~Mq>c6Ld)YSIJrcIY#
zn!99;BZOaN0nY}ux#le~r2Z*_V^XEvI()6v+{C!s<Sr}KY|@xSX#v9@R5w|jiH}=q
zOkRxp5<~uN7~TFf09eHGc=7=Km0&0s4zLXPzn2#Pr=MMh{26`msiA_sk18*kt9|s7
zbDGD)JicKR9Q(t#a^u^pwxW5`RSx{kzeW1884kbv0@fchD;w$M7@0`0<h~ixl=SU=
z2B`}Hi`lzRY_{m_8-%$Dz1*8|B7f}%yx|rJjyQ6!XVbbK#k1(R*{New;s@dYg?cF2
zw7eHo=tW{+SZl)dglCmKC2DVGBj&CCRXyM6uW_x!?<+-YlcSHtEuN7o;lUm;R426w
zhQ&t6Q}3$IR2u`BhZ!z{<PIR45{O@+?!fReMe6w(9{k31b3#@;mpCi6DaNqv0bfs`
zt+R<GhOqkTL0!B4=o>d&8uLpgR&?9<Dr)3?<o?jsT)TdRz{W3?7aWHhF6UG)C>C3S
zRCRQ`x{LpX)Tz)vNIjFPQ#KSWb4(4m)AGcXdnw@|Xbf{Er&PeY7h8<i`&ToQUG|zY
z<MG)ayU%vJaf02r{Tvl~(6CO|u=|t^8T*M~+yQ4=XO>#+uMzvKFxKJWJt#&6+TrMr
z3wed1u1fXE=9!3}^Ym9R7LR=&szLqE-WL-XA180S?U%gA0>Bul`P96Y4RE#%$k^ry
zLD*J)`UdkD(LEI*KYp$0nRDKl!7jPDM=6Tj;ZT_$SX&Yg@!pyN;M}z!NHKv*gv`EI
znkPa^$V^<7xUEm6ZyHuPd=!4^ZF%ksK=`Yb(|fQ7vT&aQ!Zk6A8MSE18}?Q*t~Plu
z0KUx-9=K9p^S(fVj_Q1j>lI7a#Saq*r~Q-LAHy`-_I<U}G=-Wzkikz?Nm5jQA(A_6
zO8+C!lJ9bHfW6N^zT*Nsm|{~F`g3k?=kS0bJ)C>Mg5?md(Q`YnS+lu5a9*R8;3v^~
z)L;H3Q1(r3DMTkux>mCuLJo3=!ww>Ii7csMYCyE&9V;zdX9S6!%}843a@E2XDWJP{
zehgLa4G-;dWSELev|6l~-TV@3p@HjrhvZ{drBRV9aUJV!S_h=PaAFcH@j<gkyAm;5
z9efHMo@psjfMvyeTVCFCJc$n%uqMSb`T9=pddAkU2JKF*5Rj+DfQSuV+U7@5w>@0^
z$dRK++&9t|dnvJZNc-^sB!_qCXnV9ri-;vrduY$nR5ODlo!^QSp9e_$@;2#K3N+{R
z$EJVh*GIT9-tWUAVQ?>1t0J};{EC%CCYt5pADNNXAY|5jc=z`%)vFzp%Q>_UiM7YF
zi2QW!y&64pO65n+FCVK=t{M)|LyYee-2GSDwZ`H#=Fy0$E0feQ4sz2e=t{6ik{@Gn
z*`=T3te+qac?OkT?ku^XT8a${G>w7Hj^HZvz#Ewl2(LRS)nbL1c5d@PbVV}(dngu3
ze>tgI9Ln~F|8P<!5Ng_<c;ZJN^;Mn%-*wd5AREl!z^~a|&;75E@6^TV?d&H3`7k<R
z^pWOny4ws#CEd0z%;Va5(VoFpuD(wW7(@@8oWXgD3O|-}#_*)>4%*K`(ccY7#q9?@
zxlN`HHp|b9xow(pC_PBK;`QMg2}VI*sZ|CRU~5)wdc79Al@`Z>(4KthSjd}}Awx`i
zLRCO8GcoQuy89IvXR!!W-`K(~xiMVWi<)XL#95J^o>57!We$FO$Np%VkgCO*Fa|dr
zD~(uJZ7l8ak8-7KS7M$S?3l~Zv8+gxAvfA*Iby^t1CO;}*JF1)#5JUEFQ?7KrD_?F
zn<|rzD{!u$g5HM`AnXf1Lp4G5jK1R_i@YrF{kvyP{;(d4E@K>F7d^f1C<!Y1w!Gwc
z0jWKUsavEVL2D7zL6-UCB>tQvt+VGUqaL{hPoGy<5WHn(0t76waYbuMeM*B2n`foi
zthlN5)_bJAA<xR{T)C4?Pd(I3%xVM2dHzgg$g5luHqVK*+6<7<T(-^0Di-#83hsDT
z59z_Ih{@O3d+@t3!dBFjFv?a3llaU+vwWEj5@Npv>XjZXNJcy1SkkX=g<)siX;xGo
zJqshsL<wz6AS8)>63SBoZS8Eg9~aYpJ$FlVwXl109|>arVn9wsl>Vk(h{uQ>dp$?5
zkg#I3#;$-K{c2O8HrLvS_~E#{ho6m7+*1$<sqNQi|8A%t>)Id+InJ9U7sI&pM-2!6
z{9D60VlozOFc<l<{ygeHEebs9E}%E@Pp`9PuiP&*?FLdzqTSxAC9fG<XElA}C>w@L
zj6R8(leli?jLm9M7JAy6`BbBj;Yd6ntncl#CX0WhFdQ<L?CyV5qq8uiKDO+~DA4oS
zc%Y>A`Fy-tE6O59Tv_p;#DF~})pFSm2~5g?20*G8XP@cE(BkRQ`m5!!P|V{-Ir!>P
zifu=X;Is6Avdc6TT-<9am3ZKSqZ-s<4sKI660LF?@?Pi9wAqBO`OFqVl%C9E@R81}
zh>DaV!dcS`$RB+{Ml08VC^^?YgwPty5b3-|+9gY`KO?ewt82`p4of@X)(|4W>RJ5u
z;YQM-AJ_-T^Z)p)J)*d*NDQIJwnFHS$M42b=Oqu!X;y=Hty49yW*{nZeMU_!B#~3q
zV0T5P|E#c_%ur+>58rYI+IbP3su<4QFQKXh!sQ9rgQ^=Mz*VdmfGW$hq!UDQd(K_y
z>V&DZKZ(ro%Y1Vf*+mG5yNVrUYnPjz%$+WZx^JrE@4E$;s`rMxW!4cfRlVqHx(zPg
z$dRln>Gbh>1gXi^SAJg;5c^@5<DN|PGpwMeXnFht8B-Q8T#SwoYA&xp&-iL03sa!n
z44eM9a<i}UFQ^vsXP<;Mm*VNqsa>69Ud{3aW`Z1T(IZ9@pu1h@WRGY)Apb%+&=;V8
z@@lMY>gqE5{ngJj@*Xz=**V$DWO5YS3S%>2a=})VNN|WbXe=`ldIN3EEI*48(<Zd9
z@ai7yy_kyxy?oJ=@b&4-W{*EmUB~+ys!4^8g%4lN&N~W#c<Ro6u)?4`uo3tX?VVSS
z*kfA4?Sz>2$?jO!XE_VE>rHpMh9-X9ShghHPV6QZ2{~vzOZPcR`1pJL3%9$$>m9Yb
z5PUL7c0JqhI0HZcI5txKa6q!ak*1u-*iQ&hsvZcAD=3(uN{#<#AR0-<eVU`cE;-A(
z3@AM7;NOt?JnO*&7MVEuj9zt#W(4wj)#3jXsEsp{QOEHj;Dl6%k8WxO!FuQy2&TJY
z-+(23W`W@uSQpfxFMOsunVL`VMUin!$pUV@Sv+RxKrTTluq$e3<L6$?W^1k9OP;Jj
zo0Lv=P2NFi>24=}c1j>iSH3sNYbf9_;F)m}Lh#n6B^B5KI6kQsdgp}=bcimt&Gl4*
zk25Tw1#jFI;BqdF9vdlP&nj&MFqAyYoX+_0uU`ZLs`X6&zhhR(-ERER_K$<`IDZ;4
zhSA4nuOFdmE*Gb>=q{gX5`BkDefcD_3AMK#ut?HO5nc^>zEUi(Zb$XlX-BTzB0BIF
zZJ$rmlbEncG3`*h8#pm{>l-M{SaF-@I)l^Vhu;~Av)7P3G^N3-Xj@oQ8Wn->XY9&W
zmlUEVfsMkb5ZsP@h$bGgqdo1~Q~vtS4sI0%q`h40n3aq2at6ec$<1_0#Cii_XQ1NC
zP%inBPD8ram+ndSm2#hf<a5`jx-8#=fOq9J>t#>zzj;MvCQHmCm&L4^eMFW4o$Bh%
ztV$v+SXONOxyMCKOgldTko$`l0q}3$z8W&b@})P_k_wT;Cj@g2JXtm^C`#c3=5bJ8
zm)zC8TB+IIwFq0|L&5%N=~|lnM8+PzCCDn=sY7s8(SUg+xk%$%CqR~d?WLJM<JDQ0
zVB5!$9y}F<d8BWb=0lxAsL<EUx3^P0z&G9=eZhoa<%-H{<{fwhl+7`gSQOXX%lzv6
zxoiaL9Mt@CO9ZUo!J{>xFNyrsE3^m^%$LFAmVacOCiEBIv&Ujxvl>G<M#sMQ_nw|P
z?+MpqwB%`;@yX-eVin7ajQRpiyx;)_ed2Cq+?Xv53TAoW{*Zb9Eh3V__%LSdmW3Cq
z79|<l$UC|Pvc;Iv>tVqf5QS*2p3`LN<QHwNH**5rI<!%e1PDiL<;D^2jYKdSjP4VJ
zF{0ViSs3T9UG0rPuTrB0(Q_YhCixj8;ri}sR~IJykGg=C{~I~3QZ+DgOg^W!C{_cq
zrMmlBFTBK7epS^iR%EX&@R;)Z#on()M)`>%f3;oYafB4ixINHBEO$-|+#`0*<n2C*
zb^Zc^5AeswS<BpwQEMK@k!^&LTE+g;`eLajD{PUSXMbu-HKzZFJ^j3Vg<n@>%k#Ee
zLVRu>4f)xEI8rDMszW1F$8bm(S}pVPx9^_tV+qxcZ~ZR#>qkbX&BcE2RI>256zgA`
z?@3yb)*Gmg6T)1;i#;(vO&I*a^=2+fqns8jR@+EDZg!?R($9L6<##)(jk3=SpU-nY
zUwpeb9);WF=`ry0Q&gscIe$jJQvd5OptR3nBV8fq)5Aa@du~v&i|m?bJT+Xanzh*~
z4#)bkCjspgxK|dRi(=9AuX{O&_hf<5l=8IRdZk2MuaM&ADc<4?tQbWTe$2=e)@w-z
zRI@#`JF{aVZ6?6fI2_C#gOD5zWD#;K<qjaL0x=7z|4+c{sy`JnoQdCX9K48?wy|ru
zOX&Qm#__L~UF)QmkZy;eVnh;YfOOiEubn&9Y~!$}_1IFMlB0tOw^ig1Feybg`=&Z3
zWd06}(!+{XC$;XP+4CEULZ~6x#9KwdxDgG<8wynO4~Ik~F9B_)_Nr5+ZQj#8_!@~(
zO@_qVE;t<@WKM-S!!OBqc3@uB(j+mY`_X|D-OQbfJeo9QrTOjBswCdRkx9SFpW)&!
zIubRZ?t=B|@gJz~w~6OBfqeLfKMSHciJa+*3u(%&KKgZV;C}hQdz#&Dlz)b;P}}1u
zz7wM2dOrH>N8sg3HD+1;P`-7rD6gGtgzAJm0?*|C40ugW6MIuKzZUZ@Ai7mHO&mWq
zP>~Mu!)y1Prylwh$Fna;-~gg~>3_CnLQ-1+eBHAlAk0+oQak=`KVzRQOFBO?o&0Ds
zWQOqHkk{_#nEX{Rprl$zyK*nw3_9X)n2q%h>aH~pzb%E3@U@qvkj_ny(gmHBrN>F}
zBaO7F$UeJ$v50Hdp@l4j9M@5DMEf=X(!U9N(w^B-{Vp>b_O8A}@6idGCl&oBIej+<
zz-~H+1V==2gEvMLn8y=!4pkoDjyW1}5Tvy&pDMcyTxBB9nWM!_a@in@5nL}aIOs7m
zDf$yn%se(UN!dh?$AZ;$0<oQm?UAizMA#;CF0noR;~O=^^wf0P{&b(C4K4*@@JLrL
z9;G5^0InXhszoH25Wasb=b4r;nn)TVn{5{U-fLmQZ9bCscJRNiD<9j%La+3JcJXo{
zz<g;RoqVF}UE%ris=WUKAK4@LNGXGQK_f-+a}*+J*-<ys9TPK*VDz8o%JueI(C<B0
zz=>w6#*rG)1?0S2A0=peqk4Us-R#uj-i^p=oFUiA;`~{{3FNqI|5l?qnfDL=YS)+y
z2l*w>9pTOm;|zE$_mZvA<80k6nt$(cgR2-#v4q`f-N2~;%(fsAV%)7g^S3fLuALTi
zM2{2htOXL+qg>U4z{CRkVVOs4IHpdacT2CV0rT6%z&;4Q_Tx~D%aqU5*UN?>Js-xO
zeY~DxyW{%YzCz1$ii?$@KpP3mw!n3^`A_yc1idDN&5doSUXhP)C9MDQ3wn4oh2_QC
zy1dfXugJt3d41oOXwcla+dCuN0Yzc$Poj-e1c?Jpt<~b;afeD=Llf^<c;aFMtd5(L
z3UpTZYX9@iuOYo4LxBA%8|}zaopF<&MM`bdi%jHRd<)<z6m*Ij(P7OvbRc|HlFR)f
zoXvw??4{XSNR~UPg9y<?wfE;MhaOJsjPsBTw>#b$!ITpEChcJdJ8e?wO#&cESD6oy
zd!p{FkJQf!a#9q5Duk<X>&c}1GC?8Sg4KNWn7zXRhS!D*iLR0;7uvLaK2ohx2`Vhh
z6{4@0k=+DPfJqR`I&{|;W_u<Jdok$9Y2WRV`b1Wc`>O+{knm%W>bojwg;hxB1L)Do
zEIu(F>YwDRp0)<7hV~7~_-9*|skA*(WYJ#~iEDTg5ta;=Q3CFW+r}SywB^3T$A7v&
z7Q+EgL~=>wUh+QnL^XYQ==r98{nZp*C^6q_YzOP(!nEV7Pn`P0s!L(O@CD~`DSWJv
zLyjRKtW^=KBF?(Z>3r~TyNWaN)9)_;Ug;43;Pp+A=X5rlac{yz82r2I^)5nSxM3!p
zMDKk1MM99bRoBEX5S(EOR8T&Q_K){|Eu6(a?e7<HXtnpf7navur_6JK0UD14n9}pW
z>nc>C>~Dqs&fjx%^;+hMhJro!J?>#$cPEFh|NeF|HQOOygqm<njBOx&SDH_16Gcam
zpXeBzc*`Li%nWHrF5~f32N%4XPtSs;HG!%S$>Q&-F!9fZj=>Eh(eO0H(;nGlF0PP^
zSni5S*bz&@vl5{wfK|&<^!ijB&p_`x%VUn-b|e6r462z>aDAO>rGQ`aE$+Y~O13>`
zXCNQ~oXe!;<;XJh0(0ODO=5p(<zG;JV^(7TQ?1Pg1UhW}XmBxj<gp;MdMpT6XGz|6
zX|<Rg>Np)(#V=5K2ka3h*?8SUA!y!~R86iM)a)RlD=avslJ`AZj8Pxqa7cFSv|72$
zo1{u7DgkLJoGrkFv^y1B1;h!Ee!+rF;-4b-05zcwP!rO;EBWG(=13o)ptxuNl4=W&
zN|&noFEpySE=8@x*jjHsO_t-EUzCl;2>!kqRsg$<lYCVSmU6`_2M^5I{lk;=fAgew
zJ8rBcdJ#4w9kxS=nXFeKZ#B9SF@PSmg|5{PCF|as(DKHA?gGFqA&g0mLQ$C4FY@uN
zd7RZsd-O0{6+kG&v9(TJKkC08)IeeXLP<u%_P?P{oW@t9WtTM)IT}(`!6+1{GczNo
zMoTUY8&Vo7ELbL;<>yYDc!-pxxSjhO8iiz@75!D6+#0r&zkj^|ibn-ByAI%ru~yZ)
z8`wTt2H3N{PB%h?(^EXjs$Y+|bToooDs&i7q;08wg}YZSo9pVB%DxrwoG#-^J423T
z!Q@NxQ<72IT6SOZ61&kssN<ZHcmEqqHj8o7)r=QfQ}Mgy1lf_#MGUIiaU2fHD%;&#
z35#v-Jk*C_^6KJIW6C7p`q=dmgg{%9c2U<~wgfp5UBSV-QC6~w|4YY-uGEC&y811=
zuQqY6cQx{Vnv(vZ&~Q?~RSQ^%?!CU#+F}J_a>GVoHaRLUQStq)14Gc?0zSs{Zvt+s
zIEq>J{JNEQI5%jK4AXkLJ}s$$fN<!;S5sj>(|Urm@Qu5Q>2VpY2Iajct!|XUQgt5S
zll?G(M-sJQX2dbA4WAWXxxb!8B!rt6bNiQyt83?l4}YYtfT!gi+o*?G^qnnLGk>;u
z-E_-J3EkQ?b`c=`UNsqyh8E0au*g;<E9!pAZVZ%<+P}ZRZFPOyr7^k1x1!0~MFCQ@
zi4RZcb-A6et;NGoJTb;lxAArejrV?vqM`ke-Wv1E<L@mD<bbow8)u1LkIdjmu#%{I
z!yn;;IMU|iHhYus1J(3L9}ooH-@fvT6zOG)OFh9QXW}_<ek$@sVjYasFzIv=)4ebo
z<hS!ELv;K!Prp@nsU!4&OMvU38FR7v&SWWm4M92+{2Lvho@B+87D+Mc;&7fqK<xR*
zmCw=k7#_K@<1941s^uBqB745VIqdb5PQ&R?tG1}vNz~4pQpTp_SN>q6eRwwa8+;3s
zu|TwUM7=GaUK4?Aaeeoa4c_eR@k_f1Sg>xfm7_b-&_CgTr(knSn)ws?v}P?$_CBH!
zC?~g;Eii6A3Cg1n<BTjT2xm3aU~<36aGS4xK2{(X&g3XgDmp`F$EBd$;nlEY5YMKe
ztlUDae2BNRgx!P#WaAL9v<tO`ye1O<YL;~S157b0Tr?u@V+k(VdUu-Ng$I%|Zz^HH
zX3u>Ba)c~}R}^gsu@T>FkRA2`x63R{VLSXBs4W|S+VaQ0*Oq@_vczjFUhe&s9w0je
zV-8Y4lb7jdapjUD1|T;&o<Nt8$x*5%ls`<chhO8`;biuh4OErYUvh{pjF*;{;;TYG
zqAJ4mnH+Nm7O!gQY4l_sjK9G}sP|5{8p^HvZnjPK5sSZ&u4=qM`^={XU-}8Kh7Tdr
zG>ExMr;`GCEY}7R9X4LKzqE8U)P)Y@I|ZB{ZmU~QR_(2F*hy0N;DQVs3GkB-0VI~%
zln9|A%@25?cXX6xOIuigVluoP5Q`4uyR!)7eYV@g0Wb<B?U5oDTA)+N+llD1Fq1*~
z)pnQR2fCS8Epy)%DTU1)O>7ebNc2Bv0+8tQ{48%?2`a?_+04Asq3!!Fl~bNOngIiM
ze#p2aC=!4RZH)h(RG4bZVbR1*3w!;;*4U_>A@i~U1s?ts#6hGer}L1>7B)pECmEjP
z!0mmaEr02<-aZxiha3z433w=l&TRA_7qFbyIf-yaKISSN(A+*w!vK!D`O#5x3k+|o
z-D!LuXUdq9@K<`$+K|6r2KPFTKSPp{u|QXQ7DySGmwM(B&Z&IgBc5Ju4rorl1ZB*q
z!)nbo+_nf=Js-GRcv_<fACz)QUcI6$nhXpj6jc0c?5K4_N8FeivHq#@9Rz8Dll`|_
zJh7Y?ahhk?SFhL3))X>B@sG!g7H^((`F;_NNzIC>xyR^bbC3=&2%dG|AW*aeoW_o`
zCA25L<6wfWkC;X9(q|XJ1>rknw&+Zo{`<D^d!c#}Y>FZJfb<)-7S%M8NO>i`2DLk_
zqWJB_nGZ~4KUpO@wZ3)|+H6cy>6BoPMb!4ZCnhLpjIX2g{<Ho?w_#aRkjlBKD04+c
zfX_B5tufLqre95ISx5C4IMSs36F3?Jxg{`d*jV8xN05q60ePcQf4{4pWNqvjq!p5G
zjwhHl24*XnGag4Ibj6N8fF65+9_PNHz})v<<sU5mTv+@9WR4BJ5s#UpfV({Pzp!|#
zt&60>EA083xs>V4W8ZN2pauIGBo$QDSIzURg9X`Ku^6>8Y*Ns_2@vb`k$=RRAO*1r
z=d+R>w5c`4`!Jp^6EL`=`Kqt^W~|=j>W|k~ba!_rBZq8AjZfx2AU>PiF01-+hp~}i
zFFPoWoO7y`glMY2sN~K>M>5itnbjO)hzRoTu5NlZnf_3Q5c~Pblf|7seE5#>)>aHI
z=zaJ@g0BE@%R4}bNJ#5o#1l2X=cmLYu_L&zEf$=lC8sW)knirTJdJ6hclcOg2eAgK
zOZ^XjCW=i=K&u>>^w|b`do~Ck*ODfPakkI$JS9GH3xNL1<ot(HKR(=(MiEcnyj~<?
z(%1Wla0YBHaN6GpO$`<DG(doQ{W4n=6c#D87%R>&eWzVvn>YHz^q@i1MZg{0OW5LH
z9~C1`>=Qv4Egc<}fLJ)P=$B?zE#E1^(_U-#2?Wl5rh%zU)29TfEGZjP+BrOc^bw6O
z0$L4L4jWI&PfSPXFY3CgmG9y?u?<AxITGuI<Cmh!3}wg>nmVfF>q8&pllK@q5Mk8Y
zUJeYfS-|&)bo#>XjG$UXk{t|5oYK(z1KLIVsxLN%ExG(C{;(iM=BZ~n*ltZt;m<?D
z-#TVg0DdS`Ef>Ac*#RAbpU+Q(=pn=2!L*hlPxURgk+75<Od%vrx%LQBwfll3#@KH`
zp9dVJp}^oqT5>!$=oOBSKI%z$nzVxNCcWs)Z+0}qQ5@rm(5G}r*HNWEaw9IF4fsTT
z)>f8Giy>K}>p9gwI}donXV1dSB^I9tpBX_27puRG66ZLf4UpvkyH9zwxTlTfgc29u
zKmyO6y%W9+C?=RYH7NNMAI&oi(&gAd0uS!n2F{RHSoUA6*ZitWMqC<{{%pO;QwWp$
zdao9H)cw4W8ha}2AdZmPGFt1X5njN)yP7F;%tWsmd4yZyRJv#yzS<svUadzJrSksH
z#*aXpHaS}{vCBvbUI&vPpleR0p_?c?IpKPD!V68!GR!N(Q8`p*X`B_S|4h;@S#}F+
zJ?9)%{BGGS$Ahq<B#Wpg_WFR7F}_5(xT@7nQ^z5nWsayCqC`bA`ml5dd2L?2o@v=%
zumYyIVGCbNXFAg?P);L6Gxe~_uk^QM)UkxnFKBdhpoGwOD`>y;{Qa}(g)^Lh4Z0K&
zDIuPk1(HzxIK+$SO1+S~mI0U2gY`h+;Sx^_m--nWW@~3r^@<LDBg49e(U|gpY>>YR
z+4MH`ejoN(c;BH5j|B0pn1z$-3cdG>R$8wYpo=iWoIGspUGm^Y`C6Qy<3tUK6?#3e
zE`oMUt<1aYO^F_yYJ07xLisu`bt6)CrV~0a4pd_|GT$T2H99%?#0k2MtZ>wLMMgLh
zYhf@c)1_@>d(M5UMz*f_HqwkXCAG&*w;TU}ZOMX0=IQs2D@lz@Ij;E0D<NAK64cS4
zGCZ>FSTwlFA{*NP&`-=mii<T33}=jScVD76p9tT-cu$@Di_Sok<<@J6A-b)D)Is%`
z0}1P*72B#s`DFvqTRH0=68E`Qg#uE-oA5<q#~scjWBdu+)Qe^Jbyygbn!|!09GR0N
z39;$+%}_Ym6zxHkYZ&U&SRF@FRrs+1>8j59ie?FGC^N!*vCR(HvsTN}+Fx2M2Lqk)
z4`#|?xZxVC2j@>G;w5w(<@{WW1>>}xX==Y(`oS%v)4U6xeKTaVImdsw*%KT!TbxKq
zuQK;t<ZasXkqlVM)irY_J*V-e*?T>GTYJlSFWmA=kImh;r_M59W|!Du#xJ3X&n*)*
zwhT_xm&ab9bm9@#r5Iqnm|wWa?-7@I>bSL<Q#*XsMK~<|!0$ieJo&wD^|dpHrY5oW
zfGqf^?yi{MF*#db`VQ}UMtgrPJNt|{?v)Uq09xFXZK6Gq@SRptdV3(hD}hpje9`ka
zc+XMr5I)06djENYkN+g?N7)y)OZ8IckIloklJwTf7kLHmyc5ne{_=l)DINm3DN3k^
z@gc<0&EFdM5B@j5?yujjhw>$aw!`7&+kg8*|I6Rqw?p_L8Lidq+kgHa@8>^WMwl&9
zC&MnEgY)74{>J})VJow0nkMb+27j%5$^X2e|L!RN=Y;+TL;v%X{fqGagJ7Pc{Qrc9
z8YH|0-7f{wOv<f)d+)aX^2FSJg?Boy4BC6}Zr-fPQOSG%FAB|nNg(^<<v&WWnAiGn
zrRsilcp*fo@6j@QRPmcUXkN&DviaOXC%5@Jj3Hm}?uUQ$lOIBz_48BJCJ}|M4dgDv
zD-HP_&Py5}F!wEd=cE5G_P+Wnu4U^M8h3XM?iPZ(ySsa^H0}<;-6gmLw*-QFaCZpq
z&^QFQ*SY6>cii{x`2*e<@BP@dd#_!)YSo%^&8l5hJ4gR-xM-14Tlj;2f8gOn2nLmO
zN#73y<xuN?`SyGYnke$A>;TV~ZUlwQH{uzpyle|U;mtSIbbbHTbsltE?xgJI_?8Q*
zU4Qujy4!dtuzl-++H*OFGCf)kFuv&^0&lvwzd#$!FLl;_ng+UEL0jqX>6i~eJt_CU
z-gvnN8Nc1GRCd6{u^wB#7^*P*8zxjtd;)$g!I-7e|4$K=cu>*ZdF6!vs(Gby*VA3a
zo$t2Yd`}2mrQh9}?n{ru%OL2gO{r|c`=@N`+Q;n^pVN@Nb-$<TfczZd&Y5pyO`kYd
zayy<*7+Ic*$T$qoAg>7~f}n0S@!Kdu?sww&Ykqz7KtE~Z7gEVfx43Q58=UuK8En2;
zwFyMxuc`6d6f}8xw8PSZGj4J6Kt8Fy{o>a*&r(e6;p^6IyL}cKG6)I&{D2fLX3(j*
z+03m2`~}>C=#IW!5KmuIOS6XKXa9u-m*qnVzuU9-9SV8wF4r7H5X84VxcqZwd7$<|
zTXA^^$Ue4u<J*<RXi!TN4q+^jK`Hm|`Ub1qp+4VR@yZ`zM=t2Uz6edtJ<h=mWzaUP
zn*S1o3jesYiOi(@9R+7`#ep3z$4U$9Y25MlOjw7cb1MlH@RZ)AzUBsYv*w}2VotQD
z41<>3)n9vj9KQBXRX46s#-n~yA*dSX_oo{buO~$t4X;k_iyE4KZ!Sh!9fz3*TJwI=
z*<2ZKqD@ALF4?oCq~<Tc1tg%L)6-gAeJ*>GH#INfUf#b4?1>)CF3EUJj(Mie-%j;R
zqP}^UNIAbV;pcR7w{g)9`qXvvrcvwD@1Vi$`xr8B?0eP<N)I?#tVl*Xs|E_Y`rVWU
z{JsUrZ?t~<<+9l`KWcP60BWrDbZ@*H+5%AqyiR~})pON5ZmE@>@ziUcpJ^-50<QN#
zv;oi36+3stAM`s;zoT7p8(!XkPS5XmKv6_zRiw{#>Xl^PqXFuI$Hi?G8$JhZ6{EGC
z1$@ruxu8|N&ceq_GJh|(&DXZd_|Cid$}hJ$28P%3liJ#b9%X!|W3<{1{-a+ir1Ks(
zL1nAJz-Ux$-=pODmA75i$}eZFO?(f(r8VC+$zJ`Qx;wjCZ@<-Qc7ZLHv~EY)RfcE3
z9)hd)s5qZY>SgP;o4Zokb>Fv9E#z^TI=>cvUQOzB>oxyn{n>oJkIXy&aeGkM!0>8K
zzmgx=TG4ucRax<Z=H+=)Bz&_ET2}UVb=%m|uk7+X;IB~j-@CHyGGy{PjHF!(KM2=w
z@VwTqq|I(`dhF&8sC_)1^j$mpJwo<;37Tj1vx14e6!oqhKk_@jSDx=c3(&d=)9z?)
zeLGA94Q+|fpTE4WRMK`_oollCt%g(x`>m{0Aa#1T__Ye_2)?BXYjm8!85xkQx+ve&
zqdnWWS-)k@9~-^2gI=F*!JT;>3}R(z?tDDr?&xeipK7WQzCUcL7!)|MzS%+xsNy?-
zsReI59j2}A6SscMVz%lx>Nd~+dfir0Yxqjiw`MH3k8q&v@RFHVR@1RrTghtVBJXzp
zSXo)?_cQ|96erVtx!2#&6TEgR)s#N(sC?WEc$l1r!81}@^IBY+KZ^G&ocC6D8<0ig
z7<;N@_1*QG&+9nvn>TF>bRRI!)p}W->?rphnm*Tbc<bA!6$%)hpMS+ts$9QFb|}w%
z^ZTeJ9Y<V^7xWU{mc;VB1XqFP|NH%X0smPQYPPS`O&E7aiT6Ocbmhi#>_%Cq`=tkX
z<CCt}Pi`Z;lhywFH>|a&S~r9h*XzbFse5bAgNA8$5g-)do3Ehdk9n#jt&fEuWuf1x
zpcJ?bb-yhn<7(86rY7%UJ7eRHeXj!zhbQF#m7MGCMQv7rH>Y{kBBz7cbj|a7R<a5u
zq0^tB$v2SSJiRt?1+e`}eZJEFWPBchHb-R*xG~n-pRe5U##(v)%aCT#$V=Dl!K0>j
z!guC<1)2Ze_e!*m1Ht*djgC&f8+Pz>UTfFY1RqV&+`WB4Pyt#UcOiLYs4J3#*T$E9
z^UBYg@)aR>WXmIl?A6UB>i@<eX2!aQ_seNW>CXR76Lge=o+^FLSByI@KfbPjy4~_B
z*DnXjs$LJ@eDrS`7GEuHuC6D(p<Om<cU{VN>AZBEgNxeV@;aU%VhRseAYKjR&pQ$!
z3hv^9$>F1N3iBi2BbHR^gQH-OI+u`evFid;7jG-zqu}A`qSPc4*2Ty>4j%pAmJ<*k
zVW@|xy}$?mdFWgDxA8Y!Z)7fipA?Oz!?IHP60F?0Od$%7wcz(gtp)sr#yU?Z!mz39
z6VNwk%p9c1a8=<Jl!YwyK5E9@^w;k2z5hp{$KR*1<lohezc!PjwB42De`;E{UZ#SW
z6uu-+bKozm_1PJjyx62vE*N5kJotScm)GeJ$J%}g$@$%5IBL&$9`Me5akBa52Y-F#
z)aTBRuA$3k2^DRvZ4TYu2%f}aO(xxeLQAiG2cEw}z3K><riitkFQ0(W+{Y1}Ye|>$
z!3S&yU6nVuP~rZ@@zP}8@L$wF;qx34@4nT;-U+{AMw#?Z8nbp+J>(URZpu%$xiJYD
zU686_l*6HQ`rW~dWj!He-5rMStKyC|zoGiJIOVy%sG1jA*WKUu<htOqPWTh?_Ol$p
z?uLr%Yn!gG<n<|kYq)suxqNPupDH+CKFq)l#v|)Qy6#Nilx0je4tOMGTm&XQ%N=9b
zRI7Np(yl-J*2k8|qxUi8+ZVV)Ck=Qol;E@pqDg$0<fG^?zR4_FGr8Xte3w?$lNmB0
zzNqEIlcb-Yr9<v_$M<|taHP}LC33|J{}52q&3vaIEte~<hqYYq^MrdZ-PpVA$8Yu!
zaA3Y3E>DFfbnmxZn&CXz=NSI8=ws<ZogDIznWNcj)sar!Z|>iOj;La*^cmhOoX_ui
zzD8AhXo#n-`P}6XF+zMq6VL}ZZ){JO?o)2qNJ&V*xBD{5SZBp>DHgsH{2B+hTx=Po
z2b?t0>43V~n^|D)r&OMlPK2hme~`W$xsKmid#e_0@`swD8VVgGZO7A((@ku&6Erfo
zK(N=7mH%>M%-Y+_x<En2i7X0<xr-Pta*SI|b+I3fGKy<{>0x)H#m2u_-Q9;aE)m9#
z{o>Qq|1I9Qe+hxxv{rG(&mHagVh=E8bT6Fo(|mL$p8a%sIl_7w(vMHVeEt31_IN+o
z0EZ<UgRx2=06QN7hA<yOKZ&zDXM{=hPeCBaa8tx{HZH^Srp0sjlHVlCHjbOL8GtD#
z0t$+~_kLkneH-y<E|Y%0)rx-htibg6jD;+GZi--aFH_g&+Rjl4TDLm-x~&;GPr=N$
zP<;>EW?!#!zsl4QbCJk@0?T91LHfCc==FUiQdD%6<E}?{?M6WK%itANHzxD74%>Ya
zLWcjK8|H5aUzhmJWt;$tjeW8F_5#9W&&<_(|6y%9`xzvpJYVF*b=c<kreAfqE7N{c
zmY(*Hr!y5WGT$tA!qOMW`D^jnd!{pPe=_MrN0n$sk*si4OaChH^KM0%xua;gGa1Wv
z5*D-UskvNl1}!WPO-%Hsk@!q^o`>SQ_y@>}cvKm_;s7WyF{<`9UnJ$728N!T)*>M5
zaB_pzhyqe@$?e!0wB<$g)Oo1#*)Mt-+3#NHb$)n}4ct1!;f!`lUJ)D=mKZ~l8nnVB
zlYR-egOg21LrzX3SoZuh{V{__LoZn-UxKeWrKO@fxt8bHi7rw~*B8L<^|*sSTbt7`
zRNr^z2r|V?P0!w@z<&vuZg-<~?L732NmR}TA{Y(#PBTvqj7gt~+b7^nfKmcSr8fdo
zyH5K*UxPoDe#%SI;*#9n892)e=#Bf0-P{lQ&MGXra$P$>iMCE(O}*;vk^Q@)YkO9+
z%lw(rg{?su3ENF^AZ&i8{_3FPP~h7a3u7+2mBz@PGKA!<6hDV#iO+cF{enpDy}M)~
zE>Erlg~qY?LfeSYKD?&M0x1fE>22;D#9E9eNx5}}f*H5#z$JTX0tDpPz6NPh@eQte
z$DCQHE(hWeMSf?ez2?!&%be@FoePvh3^*p;OUg%MP7FL00;ZrmkE!;9P<-}=FZNOZ
zJ4~Ldv>k0l4tw@rc`gKJT`x5EUp`paZ$!bgwX=%@J{JhhxE)`dXEa^c5%)>npG3bE
zzH}F4@Z2)o<Dberym&Afcfu|jtr|}h%!tHy>b;6XBL4AtYZbtrHVq1c{unY0od~#0
zB==-%&hadwvi_p479(IC=WszljNyjx1QY!d(K_x2LZX@}OPK7y<>7h(O4`W=eX0(E
z^kL&~=bnmyN@ZkNZjSfYQ)+r7KV|Peo0T_I0(oeTyz5`m&o2ksy?7E#r4=OT+=&|t
z+H^xDIGbZ|B_y~*r%w|Yst5{1J2~Pazs8dlEL67E;dA0~AVy7<Xny=Gv)5SGtP`-I
zz0C<ca>u~Kpk&5eP0}J4(L?i;x5F!nIY@M~CNlE*gzEpx9skm4ny2Af*;Tlywo|J~
zqj$%w_ol~qepZP|^xX`o4>`O+%6gH3fUKhfK*oFuc^*Te(=;2kLOUp5R|3&LBVzuN
z?&8$X?QnQJJX~icqAmPFFA73wat%OGwq@-Jv|xI&r4Rc-7PME{w6p313>i*D3isgg
z{vkJ&_YLqJjqmOdd9Wh2?w5S)@gbw&t8%}SG$(=v^nHJ!_Nb>HS*nNR47p$=n|E)l
zjMqNFs_!@*=lK*-GL1pF|Hp<@AV2Ukr*ev@d~BWE#XItLgkRL5qnqWDLy8;Gi$)o-
znq6mN7Gl}1`j1f6a2^RJ@lc_d8P*&1-0haN*rTu-jy*JM2~?|}(Tx4z$+{?>ByTs^
zL-L@fcOmHg#FAn@ZL>`DKe_Dh?Ce!;kzvA^Ph;2+%&MZ@@(|CENew{NuY7VW6VG?8
zXkPXBW?+qt94c*b=P{>`Jp4XmbB82siA@+GYpHlX66T%hJI9gwggG~IKIsmcHJ=5_
zBc=d*K9v{(wBI2#Jt*nWKm$ybnce#tWKaZCo`y-8jc-N_Yf<h6)mmDyrN#l5>_y@}
zvvWna^q2-7xni1!j7NoVz#}16tu6wurAl^AWb=FK3$?8CtNAOOzkD-a6oE}<Cf}X*
z{a@aT1H;*b)ER^!6Nen=PzH@#+<UC1sX|aUqnZ+HP>xJ1dkpiT)7nZZu0cWt%DY13
z^XhPVR1smfdKhx3A;T0)xr$cK+-9cqcjpr7AfnfA`L+mKW6J&NcM~E*3H2G*Klf(%
zenvgjkTD*!l-Gf7v<PGh8y-P5Y^bsik0p#@a_UA_vPhVXK!jj?3jyp8E!4&(ZkmGC
zSGgKTmp#YIW;Z=_?chYhnv^7B(P}-q&ypEW?y7_|$lx35a8bLf+-P|2OBlKLt@ORs
zC0+#TRiEMv_0D#UqDg8!ivi|4Lhl#Om~&cYdW{PaSh1VLG%ls`=Huk5Nz32;q3OBd
z)bG1~dKeQVY$Zn^JvIa}x+HU2(Io}Oqnw&QyUm`=X&`9G3Sl=ui)rLxeTb;AP!87P
z>IjwoL!KU1OZKZd%3la`=Wvxf?g?*CSHsXYyb12sT)JH6y_CuBIcv+{fy*AY9Y7y;
zjv2%$zNyb>2a^NesvkV}`?aSz=mF;f>?kW#<oShWQV15iR#qc+A51FcTT5kvHC)FI
z<MqirVFj^5ic=%BW-4S_@pV5@GmFh_)^_<dLQDo+kdXT9>t@fF;JDX%V|h%jl{_&x
z*qBg39aZ?1U1@CBraj$^dR#n*k6t!2EjGExpXl+DsUMuv^K)su%EzPm3EJvDuzO0&
zM3?$|nm*h`2o%0+)--ngL`q+uVgH~LMun>`xLN!|+fpqkX-9VIKogSBk3rXM*slIN
zKgyxc^oI<-BMR(MPkI_Z5d*TLZ(z5y2-Ger9<Pa)SGR<EPW~4mpi`NIVOXCnJJ2<~
zqW=>g0|B&%Ww;0|Hkn&VHSa3;4%31p`>^;a*qMlGS?*cCMdipWUoztQK9K0SpT&uI
ziAB`LysJMtICtccXSj#+Fzdk^-94fLA<*s}d&p6L6OVTvN~#yc^{ZFYBU?&vb`*}=
z-yPM#22xQsifd$a#gKi&uDm-)5jc{>Wvx6(tC7RpW2tTgoy#_1l$Uv&PeBG$83n&p
zFF|~1AmwTP$bCgEQ=s==Bg^nri=E^~SrjOgw4GI`E5@nzqq@(7<M69DM@*Ilz2C|s
z+2ETh*P{-3rcdHNV@Q&b05PR>OoFHqr7DwX0))-lRFQr*^4KFy9C(>C{$~91?>?S1
z##F100po8J^Uej5i#><<+2L@;I)P^|aFi@dNI{9Rhqwo!i<bG*MKJEgBuin7!q2cI
zzdXbv^3VXqHe+EZ$92LVh`a`GO<#j+$#<gCps_TvsQm^jFL08p<M--az}sZ=C4^<{
zpR!*?C30+@VPG$vK7utN{|8+8^fx9H2@93wH@`p<Ua8+_=(NlM-_SFbup?!!yx**R
z+is;1W`;cJaE)E<HvrL=3UOpjB!P`=+5;@h%+)Hzjj9P4(d!Rtur4=YT>|Vh;sd1g
z8c$oEuk+^=2q~g^`wenH#33DqXd#0zF&v*n4WeRs)ywJAC7<1l^_L3QjZ|j5vNZXm
zy_u0TM!|`S{jS|5Rcv6k(-zx(N!8DjNv-WwBvz4x2A&xWlOe+x!L}ddv|T!SwPk0r
z)Nkb_N&>fY>;<T~JIPc^jX&A%q4TBF_jOu-yV$3hbMvr4NVa6k2&TcX7GcTbb_CsZ
zy~t7sQx9q#Z9gmi4c71gd)XQETZ-$yJTZXMB(N!-6%gWAEJlYTX%o819O9zX<wIyC
zaKlmac=^6L>be-I@1fcJ8UDrQ9UgKAVkN0Rrg=@fL2IceC6@sH)(rDkv(UA@hU3vy
zey=8h77IQhe@YEK<c!OUYgW_W89kntsYg1urs%=J6jMLM?aDRMnLgd7o)HEKRSf7Q
zSw$lRy>_Mo*iZ?I8&?uW9j|LnJzs<9GiV{<#xdg;H+)rL1#VK=X^J(&<YJ#45`gdg
zuUv7P+Jz6dN9(W3wb{34`Y&#gr0k>J;ZvlSLCL#)lT88;rU_cOLPDaLCywTeuNnx*
zL+S>&W9jt_**u;qxeT+nz5-8UFBz_PlrlcMrV4~UCCEQ*gZg%(^~wB6t1-n&=A~sB
z(KM%TQKJSD<e#=y4utwP-yQT&Rf}<MIIi9X@(5p5>C_~ArI3uUnZ|lgV+;f1w@#hD
z_0)*A^J}`O*e3=ivAzI4nYMv=62Bda%FotymLXX(YuWyOE5P$*M-v|PQq-vvN-*3w
zeD~1AKJi9MGJK2DM)Ui{gPDbFgV}RR8`T9C)a)iwo%2Fvv-3~oD{M01pWHT)Cc-u$
zl*{<+?i{yg0odveq~Rh2jti`v!uy@i=x099kOEgrv(1lD)Ertd4NC|yy<-Q)X_v+p
z+4x7{+X)b=ZK8eCHpAWuNxt{8Dpc?2VVz8aX1s^u?%iLetA__Oyw@}%>|G#@e9l;)
zy;51Y0VL^B^&?#|{YeS<Av)supGArrBRH!sQQ^}9Rcv1Ocy6yl`X{T%`nC{0v6Xqi
zjp@4}Lp`|%kJ6|T5b(GUJ>cyKvvvj*jK0zCw2TGULjUkZrrtTi@9^EjPoP~SzSCe9
zV-R}OYs9>|N@LNP$+20w=ifb&f6wlB1&t8rB_B8#ir^ve8I`%OetQ(HPWTKHng5Q-
zrblC)p<)EMo%bj2q7w=7rZ=HuViNFA)nc8Ulu-XGAA2<t3C4KvT4sBK?NhdGDKYl8
zDo?>1S-V6&vML((L~~Ny-eYNL*iMM5^=@zwRf3(_dmrt9URV^YN^Xb>004gXXpM5w
zRl_r>MJmfHiUu{v)XQ+E3?0ho#uG`$$uwbxhfS4P6TFugC{Cysel7v%CFIej>Iy>-
zd6H)_)#f&+TP&jE<CisI(i=7*nw8ymPp62}C8g0DtwTn{A*Y&11-S+#Y7xF-@+A5b
z1HCMqj1mol*+tbN(`#64%7<88yM=j>O|K3&#ALNa0$tG(_f9x+Wli$)Nb^<AwRYtk
zdro-5Dyc=-{0FY_Y2wr8i=F*FkDKrVju|<+K|Y80WK3(Zh)(x)yV5@nSaI&^*vi|}
z7aFL0q-<0-cXnbYKW>CCS0WWZjk>^d@)UooCA5`6FJyzWv01)q642uo5(QA$j%hbR
zi|itZKIqEGPX?<h6c$mcsHiY`T`rQ{d`WhYbaXT+fl!N#hh&+Lm1-R<1G3`UJS3o#
zQNJ4Lygz@}-oE_#fV5pw&yyI(mSB;R3o|Q*-z-Jz1MiW|P?9L{1z_1V;z{;kc5qI+
zl6*!5n~p<IFMY$#;|oP?LK#2VIOJrO%K24}u%r+9Iiwez;=B@9uq4?Vkn}<MDlwH=
znfF#)K_R69L?0NC-xYId8r(=OP1ZGVNEBEWVWRuPLTwah)cNSq`SqKD#jtZyz;ONv
znZEAp{O#5561%(+l&>F^%6@MEFegG7>Tz>^5SRp1oPm~Juun2)WxgpB$QcZrijc7}
zRfjHh<wQy`&zDK_7_C2J73FR0EPVF0X`~Y6LntmAHp&R6Ao#4+NUZuaN4Jw!{FQj2
zjX<~kWlvVnRK>izVu!>?G$LiwRJTsq80xLykKaNf&ILfi%7Wg6EKvWIKyAKZu#K$U
zW3>_vaoCPw>|6q|Z0*rLC?6H4(I2T5w0<w+f5J?ddTLCWP<>q~V_163<EYhm)x0Qb
zfC&V3s$6aAHNGZ&swn-Q;#QyNrAesN34Bn9Wi41>9xc11(zuY&bbPb*(rihcPu<gI
zuH4r=(mqd*b1Kj-qlQp%wBWC4H=~$ndj-Z2u1b>%eu-qoZ4ahiA@RH(UyiusKI%c;
zD^O-Q_0E-h<&;Cpj4_w4zl*=|e7-Do+)|v}TBw{z>X9n3?7NgL(TyE0_*yZcc_-TP
zeb+FJw<WsRh(kS%X7AmZl?{8tZS0ZfEw@R}$>5*h1T0+L{XSD}-&NsDhnGt8Q2jOP
zSfkopuA1SiYW2B=4MU!^pV5OS{gXnP=2P9a#%<<^c*&m9Sl6$ntOgT4=R@=#Lz~_2
zKe8s!a&|<Ut|eKpt<2QxkHiyvaF6|5Hxh@}SRFOEju233E`R&crgI)r-J5t6qvSwe
z^=R-(_DYT2*!ORoEUN{a0M(7}h-d#Qn8)SOEzx4G0^pZuj#e;Mwkq^Pj38WVkr-%b
zk~4N_llsylWNGMxjOpvi)?S=lreEon+>~vGBerT}R4^H<v9r9jyBekXKXmm{*`)a6
z1WgZf93Fl0JRfDfoI*1m6@Y~fmz2j#K1QcxR+YO}eQfJR+%3@<`oQmhzj1u;*>B`Z
z=8rXiDhyT8rqVB4(jvz-B2?3gHj=}ru`s&N5>T*TnMKpc(ltaQ6Ok-xNiC8;P*|RQ
zkVLNdpr<k4<;%CsH(#nbtJ5j*P+4)Ea<Frr{&xJQ?f8^9y;i3RwT-%4=ZFp7@A+qM
zl-Pt0A|97lJCCK1vD)gVUg_UBxY=uFZAq9nhE@z(v;d6%rENjLfV#k9*W8=m5b@vY
z*K2AZ=<9ZZG<Y$ke#uIt>v%#9ozysee9%iJy4v12?>wb>$rrVJS7|k<omaQ1(ktf=
zm+6Eq12okPz83ZgVSLM{S~hExPs1C^u%)SkFI;mm9L9f#cRqBJgksdG7TJHv4*7wl
z2q~_Ei4(LHjlqw+q0nhem3j)<znn|!B0-ZCtvJK0IQq^S0b7skrDx2t)uSdFF9~K0
ze>3n>mhLmIQs4mfzXn_&07XdzEk*-mr~1N_#-#u9VCOoaj(jm^t!Hb!S4#M^qQJtj
z@$YKD(yKfgw7_QaT1EZE@Bd;_e_e${)X)wTO#;a|3H?>ezXtgKXoC$9Ayg>dcN{MN
z^Y6be{HewNzw!S!&i@0R(`~RuU}q=Pv|_0LW!oLh+5+fII0;SJ@bhhc2^;hY>&NW%
z3A^m5VV5aFY6{Ku|GX+-nQKu*%+3<|l#W)i$iPIV^hwwWh&UJeryw9*IvydZ*??tt
zZ?6Z~wCLS`d>(jD07K_k7`SXNWnx0!-qE4_TnD@E#Fyj!u<6L7BQzJtsx2EdOP$X^
zRk9b7p1ydbce+s{ZOFZQa3G$F)kxC(vhw*-98o1dDUgAT2^T3iIQX}7;Y|34-{JGN
z%#38V)>sD2;71TbYdqxF5NSM^aAYd=5x%W4AcuyAHu^B$QypneuZ@i<kkD{)YOsnZ
za}aG5Lcj=!h~(75z`%g@aVZ%Ycwb*%TTac2?c~%{7-3;yKc8F`#|7)K7H7mcbMU+G
z?(c(AF>m~gW`i(s$W`~m9UbfZP4{Fy3P6`Yiy3+qN&qO#T1g2tDk=&c7guX1C~14!
ztV2M}QdL9*0{ogoz&$y7M?L7dSQX7Cm5t-Att~hIPH%|>iAHi&n2)}`&o-j_a^Nn=
z!c)O{r<oxsAu(qy`t?V_nS!*m^rG+AW*9`3%?9`~A~I(zsjewik8oQvwQ8w3ca1%1
z&1N1j2;7KoF4dcRkFw&lmzB%H*uUrC$p29gT$T;C`uHv(DXFlDN|jj-<XrJ3t`En#
zip5z&od?$hN98^Va3dn()}(q+YkQ=sp4>X5ieZ_C_JMlrMlIh8dXBep1lA3z_$y5#
zc&~-l&V-8cXQvKq>oP!vugb<Lh`;kIjV4!_9kyF_ZzKS_O!!ZEJ*3;~!k)%~C}ygc
zrpz}414B~SRW2AMLy?^CAXFzsTr=A>u=n_FI3gg<HHsX0cq^u(G31r3R2&PqJYnaH
z-28cN=ZamcugW4F6In%*G7lb%fMkAyZ`twhIhzCtoVX9VA`2f_nv{bE$W_!2oD{2@
z*iW$b69KstfBjrkU(G;8<b(~%;)}Pl?T9taV~fYWzz%8^ia+L*DRd78Y)XI$pD|=^
z-;Kux``+K65=Pf;mmJotomo0SrLuV7m;)zEI6Glw^fz4nCtO?@fXSkO#|E3_f0q6$
z0|FZ^1P9T^h;hZg0s3!v``14=TL8#Oo@bq=BmY_YH+q#xg00$OeE9-))Bp2ww+jqD
z)#a*RU&=pNRfz^$oulC5mi$X$_`4$i0=B>dL^hf2mZvcKqW`v<j|;Y1E@=<^Cm5Z?
zF-iF8a)+WW_1{)Sn88-nqL)^&|Es2ffLz9I^2mcTqOURk4bDM&*kA^MTi-(e57;aK
z#%;{WHEsoP?D*di9sDYdblv2#%w{g?|Ip-~HQ*-CZF9)r_y?=Ds$e#t_jCX2f7`?c
zcjWg2nppa4Xvi<4Fs1u7v&Hx(fq9wXwmE0ez-$05MjalmSTaYU5^WL2IwYi9)}K;r
z9@YG^Zq)JWoO@B`PIFFztz(Dser9KI)w<tk^JVK*>^;O&QN!LG_6Z*iKCM*Mkm(4_
zB{;qqGu!3f1duJrpnm(L)!ufXY_B9QS>N|=rL58nnT-I&8WTI1F-gBjT}L8zH=VHr
z0;YmBp)r8f-_sTswdw`(wopvBu4V)d#ma%~r`vJltB10<ed)yfB=kWs1dOeO$>M&I
z&i$P7(yJZfi54ERn}$GHR0d*#>rvk4`q@W{PF<OQ+pT*Dgd(eMH1nvyVoA>~cGD4p
zzQ>>bo(f|=aV4n(!LO|mz{(ZJOF(5q{Pd9GoN3;)HNCO0Wuio*fQwKM(&k~<*W*qW
zuW@}HQ|PNYL0+A{LH->RQ}gAsV<otYzM-8B!f6|Yxgw<K6x){-9e?>IXv#V?c<X>i
zxwn|-)bH~q>AMKD%)5kvp;KuC@N*TLJ(k5gF$o%vz_~^L0Ln+S8}N5Nnqd8?6%N+T
zixIP*-TVc!wE&K496`qJ{A|}<UUYStrd;|Ura--{e8875<$wnBI}BRV77FxtugEDW
zzb?4Di-M$k5CF!+OCcf4na<%0M6fndRw_6Je6OlKgg8uI2a}&v3<LkfQ8&uE$ClDW
z8c0kBdaOCThzh{`Uc6k0oV<}1td@Wf6tGl%ed|x)_z^gIH1I4PkN_bI*&e&jMi_HN
zxhIkHD&yi^gyw#(H25_6s<T41N(zQ2gKk^!)<k!bbPc+jdzN9UdXbA>YhtZC5BHv?
zqe9%B_wyrul0kCd@vE`DNhW9FBE=VDl{{#QZ)uS9J6M32ndPdvfn5~a8W{jQ^7gnG
zZ1hILR35Fhop*LUw!%Kx_tcxoAVuUv40<+TbO-V=?1dbBP~(!%;;I&cE-eBM>eyk!
z0p807CBqYsx^0=XB3VTr%(E(}9V|Cb`X^~zR}V0O$Cdf|Q$XUK*}R%K192`-OUZ}G
zwee_T<yCG4^*%hu(Ut=`rm`K_-?ScD)M>L;$!S#fHtx>vI^~11a2)03G20YlMYp{c
z(JIXI8;4X6poSMtNH>4cgQK0AK=(ToLBTrDsZplNqO&lZi`9;WX7vGb*`4*bF+uP+
z4^qdv_{o?(L+oj^R>f)gtQaKqZgaRapBB$Bc6-x=hJLdLkZa)X#ik#kMEHLfb??3=
zwK85yaS@utPT1P1j3Z}NK85)mAn<-z0X)|QcIvl{kXxP+-_tWRU@V}KIbSqH-et6l
zx+DlvDr4@Z&sf03VEiEMVIK2}N;Pu@BKg^_%DYE(g<$LU4<o=~OIe>x|F->BDW5&k
z{^5&lO$Q`Ac<Kzoy|C0mG#Ls1V<Jvgn={VP?jFqdTC^A|ECct!H{&5MxiB#Pfms7m
zM!T;mN2<~9>}K!uS=4m#5d<YL#6n?DZKl}$p*syHxFK~WNUKWR-%u?!yL-g2v3d8T
z<oi`3VZ+DHcXpziKf_Zs-lkvm1@@Z5EPZDtIfCJ0=ja|Yk%bb_$|#Xy&2QOk*aOvL
zB=?g^&2DJummoVXUvIj%SO}42Fs;Yt#zVX*Z92sL2xu~6S!;$yropned8z~DN++bN
zLMy_E&rvmf?l9lMnEpXR!S5=5E!tsndmX&*n&vwZKra#`MY$P90A+j+odfqHWZF7-
zi>fE-Mp?Q4iub&ycb_VDzu82JC^``KOA6%2n3Je4rNcKO(cM=u^8GY|)OhkndeI*H
z=LvVQYV6K^mfuXe%YgVU`X8y9;KP>HI%P!lNYlEy5TdQ#qQo<S^zU`7Q;siiU_ecQ
zqBR)Ay!v%p<4B3x`R|(h8xMsZ5%8%U)!fvs`K~>-o48pejesn@zt&=bl;?nAgDr`m
z0ETYzVd2yrXIl6}JWj6`HqTIUClgj1%;Vsmk{<69wm25!;Jyu}o^^)_k-Tzl3Oe?z
zpd>8l2Ur-w&OmJycwccb70=%gSF<JUY-vpl?A?*=A#HDkJ$`*nrl|B&2{6Pn8l6vN
zMi~!MWMw|>;Y}p{WJI%@ScDN)pD58cn2@(HjJ&yt=VJ$`F%q5Lc*z!(Y>U2I5D)d9
z3zt&xj|Sm(Y)}8NqY7JJCtI70>I*6A>RorG)lcEvg^KX9^95j{JK^m0ep*cE_=w>g
zw-yz#gm1%K$hVfN42$`~cJlAN01`T$)GbQM0;39es{8lIz!ST#1z-SvLywDo2@PC{
z?Y0``arq@U6ZMnE(1BdhhJ;RGE&h|s!Omudo6d(KcyS|7WFyG0Sgrfd{dx~vFmzKQ
z(46#?a}77AAM2m@&`h|}HeNmqc|x(!vySaKd`K{OPlRoK0^q2K=*PoTwl0N}N$a?z
z%=NjT#a=G9X`gd!_idm0=Evk5PmD#^!pQU?XM)n(JR32=8rAo87cJvyTMHY9fA=;T
zHo8AX>m%o2hXb;xT0Cxsv$2Chhh5`m-I7o}^HQr<a4SRae&%|T?9t5#p8K>xP66~y
zT^)|a{RkQNe9Mcx&tvl`O@GhjRW>MqM#UfLJdb&@gw8QIumZZ}grg?VwZ-Y!90?yi
zVG7Ve<_i(&w^C$%j(ei_4OL1$)crecRj31)%An|qBs;-pKi*T?A}1x0l`^n0pxMkN
zAY^bOauPzi>G@>F!XsTKX|p`vcL^t&YcdPV1rwrHqUZ;#MT<*ESwd(Z+3(;4s&c!f
zCBR*b@^_isR^8Asxyy<4)2-R=!bYc%=?5&uWpY;sRl(*Ax{BWY=)p8Fg`BZQWw2^c
zg)ft$+{&pDbF_et13t4>^#lD@3unfN=I|w@7vJr4TS>T)!oG<(G*`yN>hQ4!sBdaO
z<5ThCFi$*9Lhlwz#)_I<AWB3thV?Fv28vgv%e(N<KX{HF<YhY3BhI-%HjUDcgGyR8
zwn~d*Wd$ekla(P6vo*R|8gsIJ+kCCWCa;sWShe$QRkS{o7wBnrO9*aB3HH-ay@NF5
zgBAUbyA|Eib!?tlHYrE@p{r>+n8eO~`(WIQ&GV_yCtinO__H~B3gIO;4B_X%3Wkg?
zlwWUJ94%@jA75i}2Hqzhn91@cbzTb6%lBf;x05w&+edz@xL}|~eC7w!>(?BzbRihX
zrUoX2PxGX&)9>hHhQ*w;R7<Qc=&Pc>tAW!g1M+X?9<KPV?|$WYB)-o250zNYpCf1N
z0^gs*EMDh~?yBcU1tQwwpI~0-G>Zp(J`YuY+&Ox{Gw)tjO~~a^>jBG<75#JK{yS~q
zlp=g!&3$AbuMO$dSw*X9Hq21C<XGQsg&SamDP#Je3X>P0mQRXQwp8}vJ)ElHK(|@L
z*3=^_Rf4yG_{_I4-8wkwAIw3<GvHIFxRNjBKu%VfuJM?g8C0Z={Dj_SoRP3!wz#q^
zO{klMoI4D-oxrIBVSz{`MsmJCgW?%+`$jqAt(DdB_z9!mfG`+TyqQfB5y$t@7Pf|=
z$yS}EX<bRCjr@OYUo4p4pH(yKJoa!At12E*r+4BOy{^zOPh7oyn=W6K3?pgbr8Y<R
z41cUtQRv_@+Xe?`EEoeI?eoqf1w}nh+}R_#SEdIA6_bo0G?K1Q8U-sO-td6|6ss4L
zk<Ih&&&CT9uzmoJ5~ch7EpH`(qGG*PIJj0_TLJXL{q!nbFmY9nm`~iNVZ+k7E>7(N
zQ^YVs%s<MHN&g^L2o_s6m1unbn=Z{x(x*W$b3T(zYUac#cHEsj@FCFV`aAV@T>}dp
zyn6+4>gAUj_|UCA)9m8d)^mWX28Hiv+iiw1b1#!yhjAa^k32AtvvBCUe92Yk_alIA
zVXJ{_zsgcG9%jL5%ka_7?ypxRku!>x;(+>DtI%nFiB{y1Ee{4fk$@(kKR6YdV+`_R
z?CfoF5fUgM=s--kFmmkpm8!r5qa-RafSE`{?ZZXVTlocbr(@8+SC>-Hv={0lMW>zm
z>cehkhJY<XoUY+jF=4kftS4HM*gM4<oVmc7RN8s=L8P8{J&!ArHV@v~Brmtldjt=7
zU=lG2GZ%6xrWYfX|7IuiaLUXnd`)4U`6a>0nzENq;B&W%1J8{708hn%uH}`WL?HKx
zfQ2+?m_<fA)6k<iCF1NA`Vtjs=a#=Ow4?db<rpQ55`{^F=MmbmMqj1oGj9Q@Ym(&y
zF8D!RFmvS96;FzyMl7A4cFa~W>7{c+Isip}Zprt;4#f^K;sxU3Dq?hcP4EeU!^7ug
z8Ds0#^R#k<OD!x|?wPTcGA}}08QzH53L?3PsOJ}45!SOvKZ+O=a*~3_goQ-v=Yv1j
z^eq8yEUbOcjloNRu4?a_9UGx{YZ5Ead9P+K4xaM*zOsCVMGc(xy^7AYtxkUbN8QjD
z5xkLmt1TAIWI)lOm^(KdnN#09hn{;lOUR1T7rv9<XYwmP@2t-BR*?`a?;RbDXz!D*
zvym4<7V2!aP?PqQ&-kfn%G=2DWhH3gMXyM^RHPXRsowtv!$!BaRPT9BX!9d>*(88)
zEaI30m&OAl&fXIRuE`&+HX;b#VMeX>*W5ui`)MvX{fwkNOMT3xY2ml{oz(Vo#`&jp
zVvye6Wmjgvb5!Fjndry>6g-FxVtn!xwn_ZM*FA8uz$pb;B+x%lsF$p9&pvAR0f<2h
z*0f9!%JRdS9N1v9H!yo3jp}4J2ucN}r3B{(Hh1DhJ=`VA;vqwIVPw=pn)sqGz&p4+
zCOdk^o=2{nogxGn6Z|#=pJohThNTzg%UL5u8{<V1nsK>n^58b>du>l*pCrU3aRINb
zBF1xU<AkO`m9n;{P+Js?uj+e3UpyxCd>T@}^h^&O9Jav)2a-~P2Gv@nR22?Kz1P>Z
zd#45UnSIS%lbt%sfJq?s32*ToYaI9}6Yq6z=CMw-eBNb`I#n{(G2bF=wk$cb>ztZ4
zG)2~=(iIJSd(}0`_4}*7`-kK`wPl+WfiX@P!s0+gpyyNQR!wN1$q>WOtu<YqW?Cq%
zF9@d-wozK2=9?*4d|ziKd1%HJJ4*N`(rUR(*6k9T&%V0jd!Lj4CRxK-Sty}k9E?m8
z+?o1eS1hD7-1%YUawfS;Mw<w0G#1wDH=BB_wg?D^;a-&xGST_xAyI6`kAruVZn^Ei
zuqAh>;zO19Bwf~JJOMkQ<`c>xe_{}1VkJ5xeM$_jLxy;7&~E^--VcS3>_ho>L6PIr
z7Wa-n-OnTM*K;g{yd?0Ts08fkrVgR!)^>wqT(LiXl(%~y@R=)F`u<2;WDnaP14DD2
z{w<~!99<vj^GV0;zVC0x-y9wO`apd8NCOh~1{QC-h`>6%{Laj)_q_B+@J(^eWFJj-
z#9e(uaevJUzEt<lcl)A}?I*e91cAaU?Of-(WyR$Epk2IgM~e&qBSwZTcu6NhS#v}W
zF}%D9Rg933C0&KSqQ)XS{QW7`J!coD=vIMaTZvny>Ie!w|5)d{I?t!H@ku=F`%-Xf
z`K->%qAe?u3>aagf`l^i)^$MDe=M-&bGS;{jI70W#N2h`C&naKH8uJZY|XLQhI6*b
z&N~6ZU*5b|A)01cQga4q`kvMDO_A`6iE297kkHV4$O;mJBJ2nOZxC1tGp95Mjx6qP
znUTI<#PxzR<j&!cB2)(`oJ?P6iRvCIPa|T{B$IK2RQjdk1ct57Z|!&SbZ;J*PQEVI
zp^@*`Tq4MD{@mRFtU0Vx-N3Pyi=-g)6)tl3dT)=d1f*v~baCpj25b;7VF&_K!DRlx
zF|~c;elufdmikY~PTKXB=!S^y%8Q{_iBtV0rUWDXC!fc5<gapkQFKx%xF-h(xT$<-
z3t~)yXeMTAq;mSqr0+9CG*Sq0L->+|`Ux5n-$aGp_gOaWY_1nAb=?hJ#?Ny&W9=7@
zY8XMifk72i8JNAZ{w~Rro>7hwd+@v26{_H+-+a=~1FG}I#gq4IZeaE=n{&n89V`D%
ztAyAtFw-Ip>=6N!-6BI>(>vd=%env+E3vkw-WAFyDx;YiD!VD^Rb5&NyfAd+fEkkW
z;@R@ffSJ?_Ma1XE?s9+Smz%76gn!V%u*(MjsC_#*gT;R@ulP@0%kl9KRr5<T!1{+<
zZ*;&)n0NbihU-7bWJ-B|2F7HP-9M<0V1@#g`{F%Fla;_)VEzJ(z{90xi86Mz8#XWj
zfUN?^^+oh{p6)LS2kXH4kjgA=Ag!;Lz#P$}fwuEEj)P8`S%gW-x6w?y2dE+ez|`na
z-;cEA7GA_dfE4c?(<>yYE`}N&kClT1{<xa|9};70*lo?#JGufr4poGam7*u)kBcAU
z3*l8whQCS<BOww6r!$tT+o58a79VN}g*G<=sQRRJyJ<`@#Y=$+EFIlpT2-Q@fC@(6
zIX-Z*F%PDj!iSE*MM`?ih6#t$3f9On<8u#laFj7$!U1EVfD$>|5?poLPnn0!-^~rY
z)QX0W)V=mwmbHVY#5859@Dgxe67X$;XScj=kkaS8TDh)mv7dr6t2!aNm@6FSt@nwu
zQeujy;CViASp%E=wPhrAkFN&z9J?v1Wd<67Xb$r;q2L}-p#^+g^WrYdqUoct4Axi6
z*K?fvOJh>efrb@g6W2=`s%H2z2&<7YcC{{lhCfpBaX@f2p#aC3h1Hbiw&LYyOkDJ*
z3oWT?T93!{xVK=zL<|#>j1`I|dj~GS0q(?|cJ-{aTDy!dc62Xn-d4KQO3L6@UwB&-
zAQjs4gKlI<09}v?tAoH&5%>Da3oTbkN#T-elSin+jKB|BPwW~QV62iF#`YhfD@VlI
zOg-lH5bOD3j)_>OjqtV?Agf^bL4E!=3zyTHPr=)oItC-N?7!4A+NoB3CM!QaM5MfD
zjFkXEK-;)(cnQ=dqoIB4twZ=9`SFL1<64j7C|DizZmip!t_;4I)?>UScI!Tx0X6u-
zU$7T`lxH<?OJfy#UIqq+TU&w&JA=<f?GB*8NT|8Q@Z*x6N1*!I&pAWtGK*3FcK$K*
zWB@58dfFUvpOF^{SRJ)?Tm3L;lH`PLk&O**#=wv84JX*K(i=o^g@CpODb3R{5RgOe
zVH2#^wn6`?i3oMjge<PBTthdA&PG=4s88>;k7}pN>$_)}<;~-FUhtZb$<B)8l!_YW
zb(6a^zMcaq`pqqXk^d`ct{6=`*xeZ+yC7~aYZ-lj>401&@Ml(AjB5^{E7&U9C$>+y
z@4A0T=GK#CApXOM1N|9}eCv>_0{<{p!FQ5JemsHu8vG9;Iv*}rM33`;;09+_|1o|2
zm*D>qtPyP!JO!2i=QP0I+JAoBAHjczq<j1yV#g){IIwsQ_?s~NXGHm*$q93CXMjB6
z9IyXLe-8u4j{g^4GjRERQjZ2FHe`4s{IVAe8zD11Jo4vwk8xtNAKPX+r%GT_41aNF
zOXoWV_n)0g*cdqewdVS?E~8`f;CQ8sIpd)fqb!rqer-2Y|Ah!L9hx<+<YPC?yr<0U
z0VjUU#SM~(wNBmZ*#?tQY&>VxqwPB@!8_O==Yr79<JQv$;7ytiY^cI?D(auh$FG)G
zbv-Xi;+<|`n#|5lh)j7J`+2!xKpi4RT7=Gs_G}u0_a9J<UV|c#(F9QrZiX}cjT-T<
z*I%(a!jSuaGO||JpJw|Wzn!d+Y5N9o<2|E&G-4yhk}@=4oq3*g9w`CoZC(U*@Hk$e
z8)OlPzB7%8juqFia5SVnep~b3530_%dA6(j?Ap`tR3l#JamvXxF)k4N0;iUcqYqy+
z96Xf4!>K42?7;l#?JblS<$d#~2Tz~dSskCLFd~OGBtd<NoUle`9BiHrK-O$rL(!m#
z`aE<9%=9$-h0qaoJ5eUVpo-3}#(N4T3IL?PQ0WJD<1RPhvz!;|R$~sB^YPY3tJ>=i
zaJUnBA)3ejgNH<=CMxmnr5{)gbYK3=Hu;}5sVliX#^K<9@TNdr0YIdaoF(xf_(F+K
zwfL|i6FX7Upb*6bc#9NQ8AtL1bEDQ;SU4S0W6*`WC+)?oyM+yRHa<=RM+bVueG-im
z49ho}hDN*ViHVXhw@tXTss&$P_#WtCK=FZL9>&>Wg9ia<WUQ3gO6l2f)Prq`fI=uK
zrJudpR`WXKCZ{uRatXU6&uLo&sYNW3CZ}^Huk&ZRPd5}}0Z)SV6I|OPiFkc^{e4|m
zyS=oC*rbAiA4$Eik-A<;!IRdGEhraPx52f_RIn&*u*#F|D5C3MvG9H;c-+3+qWt-G
zrd>?m<oAvF6#Im+a;Bg#5!}o-bez1;CV8`WIlytAK<(VT$h)p*RO$Csb<0$Tb{u^x
zD`>;a{H9lHO{R09Ap#PmS;LOJPS$Ub_tFCtOfoE=<CK4x(|h{tf7i(|7pa^Or;>42
zI+6yjW{$_GD|v||k~a8^a)i5NDC7x>y<@+9o}ewR-Q0AKA>u>U-^<#tX&mxBHyi60
zRL(fxXx|zW3M+a--I57=*{J$D@(l=Ho%eYkE2{b8s=IN2sIM^e`eGhUKX6wFJR_oN
zR~3-k>CiU7prd^CiLIr0Suat-?`67C+T%0KQ*Ul^C`rI`5OtnkghRS-r165nfQzy~
zph~%G4yeKM!0KdTOj<1*((^6(Zkj=A!NE;Fzu3x_q5>yImgQ^ARhzG~`NXHi?UrgF
z)7ztZL#!2dwlh(utquT|hZu;xd+@GZ_dON2a`3+Uv97C5wM-P4D+>s$d69W0LTk=4
z9r|tUUDSFa=ANPC4BX_n3~M&C%;Nd65Ws9?(Wfby+qP7A({6s-E`clET)yiJanOPG
zMk8g}5EZ(2>w~p_Gv`Oe*&ij*okU5XJKq<C+e!NZ{OsVW%^6GQu>LwMAHO;AAb;_g
zUg>1>G&>9EO=~1e9*pTL75)^svK>Cr;ay~03moGAhE}Ov)AJRD(ebz#MaIvT^lJ=(
zngeQhQ9w;^f=g|$<!oNRIk&N48ZfU+N5R(wQSTfI_U2sUR>)YTy9hc4xRi}q$K=|3
zGV$}HG3y{cLXyTy*2eQ}lTH8~oD?foRJ8A=bIvQPX2>)h^Qgj%-`nqMeHf2{Tn|X5
z1LeLXJeu@rqV`}mU@uC9?M>Tmlk)PD?{qU5XKW;%Hp*J^Lut+TN6+(p)F3!pp0eF9
zl*jxYVA|_1Tzom+B!5aZ4PxCHXi4@*7KNiyHVwhDM&p_70@dcN>iQSV${6$%#PG!c
zYeS=qX;uTGmdEutcyhDt3QIY_qZ4xp9R;RfKgJ(hvk70mFnav_01X2tPxkYQVp+=|
z@L8;KHSt<n#pEGWe|aRni%y^&C$D+~xorXSh~OxK<EfkJ2n7+bY8uge-u1!(aV{(n
zWVMsPRqqF<*gL9h$l7rj$Bj124WzTd`P!10mjl%{jI`AQITKNZFRd0|umlP;Hlf4Z
zrclb7Yna344M#G)x=dsbcs5On##UT#_~uE;LkB_PgYq-^lTVL+>v3vsxvfCqYOvY8
z{2jm;A<n9#<emJ4jbhfxzyP(3`f75(+HNt4q_=yGD-j2!M%HZ@T>5H9O%_{Q3RJjy
zT<;dZ7b-XrpG?;VH?_$?_ItW<o&6}l&L0)Lm2CJlD|Dn&;-T*Vxxn%(^1X)4_r@}G
z7)h<qVc~riQ^lE16}xQ^u&iW1scCwfI9+glXr!da&Y5S<^n%Y9*Rfcowk*=Sf`$(7
zt`u9=G-dC!-vs=q(x}qw#2Cm&SMaju`Wn{-4I&L%v+6$+{?S8<9$wKQ9fjnan3aVZ
z=`m7|6?UIdm&|B$MUtHr7Tilw&Y6LMP8b(4CGxWB!i%)m_8s2p90D3f<Jmuj+|~%S
zN-4w_4mO=Q9f;>#Ea0f`Tbvpq%-Q1Pd?>>}oCTw}>xmY79`R%~mLje{;UhoXb3Vc!
zT&rE3@P!Gu^!<H8rcDwNHdr}XuR{Hzk@So~sNvL>1k*&K%lqJ+h)qsPi-g+2eJ<<U
z34~G*Rn6e}MDx|ygFx)Y4uDeb)3g(};?U1+=ilcNFBIqhF((oz3-T6A7TA-cRucEr
zDQk#o+`8D(z{Xuc$0np+WW8FKrD+;D*rKfC&7SG!fxlGT9vNZ&(6(|UqNGGR*69y_
zbr<@*4kBDFUXFJ&o<`BE#GX#q#>t<Bqkocqk-ef{-qpT+J*jq^CY|{aJ=`+4y^7ev
z(yEu4+Zg}|+1kPSoXD-vNB#H;U)3D(+DcA~H8^A8Pe1SyEQUd*-{Ko$(6zT`C7*6%
z{5kA?bnOXHOsXiJI36j&>%MKKq?R_yQBF^v<iOj_3H2NzUP5H`;I@nqxk-eL4q0Si
zAVbLmEtz%s^ozBQ@f5cquEKFv_4{`8WM`0|g5EIBu*U|1pT9i#NSp7wPn^mCI*#~s
zR!mGY6?TP_q$^5V?cl*zQTU6SV8xM2?1zaTLmr-D&&F`(IiYI%!_A*7xG;zbA!}!_
zG`PMv?V^9XiY|`fc*nqk5ai6P;`C@auJ-KCgO#%ftFEP$wrVi5>rH{~FJ#ngy~~sB
zQceOXT5=E(=GzkH1TO_{c|O&>Sc4F3Jblx|<I<naWpaBmNAAwwXA%>0p~fjJ8>{pU
zu?`pErH=gRZ-|U2Qsm}CHoz;s^bB8QTr?Dw$UjZy3VIXnl5cB>1Eiatm5-Oll#v`f
za&M1=dPnq~RvHF@od!q<$a6_PMun$xO=*6)ZYI%Or(vUwyFYc9`S|prV`CQ|^8zw&
zm$MYrepqJ-a!dO7f)w?__Z1s6mUNhfgpBNFsFb3kPrp|G$}Y4y1DuxVzHbnHnMk-Z
zYs|>dVP+9hJ@&qp{6z%bBeo^ZVK}W*ooJ>udV#9G>4$qIleX#OW`DV!ghT_^>%hm+
zb;FC_*yD@bB5lsSOfMbAX?|rWhs&bTagk{^m7JW@W`&fENHtl-I4R8ic%}L#8=Zc7
zQc_`GC-!Cy<I3FRHWgMne41#+>y$laj$a;)+TRGrSNL_>j?TDWIatrOT~Axr4I9$_
z7iI4h+*$N(3wP|KV<#Qkwr$(CZQC7mZ08r-wr$&X^5uWNI#1`GTXkzZ?)k84?zv~J
zz2;bBbc$N$bbgn)9_DswR%Q;LaocQl6u5qV(pe5iN=^&Pj7zLnZ@R4u)3jRTXI4XL
z3T95EZU|bf))l4v#x8rrX3=mOSwidL7K(yISRUH^%01%ldc@!I6tF_VtCsOF&tp9f
zXm4<>gLmm-vq&s_yy6plcfZ6>o;#%+TR7rzZC|Pqsncx|78|z2^?aDs^?oPv!A3Rv
zx;>9;xS!?~ib}rclAOy~sf=OW9TIEoENeBXzf|WHvqD7&$oM?y*j(1hH2`(CS=K5f
z9yz#Ko}GA{hd?|s>v=sBnH)}i92Z+9K#i_NhvZlxY%wTUrDM<?rv1g2$*=+ulb!Kh
zbttv|Os_ngXUmy=dsIA({_6q-rD>?hv`N~kp;RSNZ)~#|TY!3Gw?U`lXj0j=USD5t
zRp~8%{^Kb8!%izZS)sMDSIkG7D{OtbwL^`|NGh7BqWRPZxVqYLh#tDDZdXkva+xPx
zd+KtfD`{H<_-LtGCJn*PFEEfAWtc;qwOGxIc)j*tKfIz%XBU%*hFKI``8LgY7>%!$
z#9VBON?EU~Xtj~3<TRh0&|dDTPB!ADZdTiDH|b{3H*}|9;1@JrEl9mH_2*r_zam%J
zL<v`EO;a_(W@vHM>^fcE@#-|Djf5v&FAfM(a2YmSnZ?d-rL(A5%@T{AulS`k@s&8f
zcAPzy9Mr2<**y2IU5njO9g2M#jB^&kT`oz&z(OyD%4MriY!)$<T&q_+N=7Gn5H^JA
zepMdWxFxtAzrZw_UV541Q|p%Nu$_4`P*6;3Hk<(_-9L@0)OFI7)0#eCl3fQwd<v<f
z5Rb`Qhs*&nneOdP27aEa+F{MrOPZ`QGeg`r=}ni%(~Ws%kMVc3n&(SqnJE@-R<RdE
zYfNri`B{sdQE2$sM2DKu?8FuzQ@CY5joukucvhz6tVSOynu^kye+e8sUuTF3bYbMI
zOFA1JtB;y+mxkbM^F)Z<=FvWC+O5~q>(#Yx&XP2*ZE=a|EH`U4=h3PfBiy8ypNdjb
z?WQ(-*3tqd8v#C{R#DxV)o}P5GGqPZK3p`K&9hhDJ1#UOf=6z4ZvyR4V+M-FED5iM
zhif#lQns@a8P4lLnwka{Wjfi>YraKY^NVinZ?V;7=MXM7`2YoW6}?<`mn2t#WBV$b
z<N5{zkf|A9ko-oD@6XyfXhyg1(nm`?fD7k7q0LMy2(w=|=w;UQa_VGKom;)@dZB~n
zF?`kGO4Mvz_e(KNW7Lq$?9wF--*pq<GsjnV>+M5q&5mk&aq4nQ;%B`!JtA(Ft{UsZ
z^?)ToVDH9&r0m6WY)g>V_wO0f>{YGUV|AOG!uN&-LKl&Ii$ToyMvZ6Lg*8&LpYC~v
zbGd34{&bW|^?2>o%p>RJa+IZcUaZI#Z?a#Aqw*MBI%0ph`kXq3mAUq46lSTQFuNv&
zU*5f_TquL(laR9TX>GHG9@S_i3OhSJ`@*i#WP)vTfs0^8u_{7RKh{mF74UR6k6@*<
z)|_&$K4#hKD`~l;-7RXKjZ#hGhF@yKtJvyIr<F!W303+Q{AR1h5SUJmU#_LcG3rz2
z`Fqs>={wmUCn7nO&3!lBij0t80{!26lm0op1p=j#!w}vEs{ykq-3NF8LzVqJjgr0Y
zH|@&Zesha&pF8!YH-;$YHgWSx?8^aYOQtMnu-NX#J>3u(dQMO&{b?MPTNr|^P83c1
z9K%iExc#~f+unpL0egc7%T@b6=|=;V%67`UDzRI5-Jz^T-orj1lQ(QL^5et1_5E}C
z6Y0K=@i!6<7+<T?mFS<h2QGAUJ$HtwGapjQ;e^M@TYP9{NFbM>c}h2y%Q;GE%1B4}
za(uE4Kq7$cY^p+KYWm{S%KqLasfM!%vLApIw56k&|A!3hy6X-@H@mxKpwDJ-9AP8!
z_{i7)rWp5jpniHkkE=RtV>>}r-@|;~0n`?oP1`QdFv&@AlYlaX0aTJKHCpgGu@{Oj
z+YA57?+{nm?L2JO@&bVa=zF6B_IcZZ58hboah1hl>iy!8ZSRUqPpq5?vS4^K+)5Ol
zzc&HbUHs|~-}h4D+@j&<TnGl!F51V-yRI|GHKTOvsVDPet<?9fMjE{bmSg2ygD`3H
zIDuPQ)a@pEy+i*1#fl@jl3$-{MXCH~(8g?P3aMv$5trhraVnR_(g*cKs~e-P$FtP~
z_d8N_M++PE6`{3y9i-CLH$vS5;)Op;PIt`c^F+@Tk*zl0Bg4;qP`?=#4q%Qs%Sp^x
z;AWXl^wC+eEdtt2G(R?Lp!ys>!M#a)39F!0rmMc`b=Pl`&~A+vU_j?1o;62&C~rTY
zk7ikhpSbS!DHFo}ljl2t7cHMUtMS-O+wGFY{W}WPKJCN)iX=7HtKx`$<hih0PeLjv
zQ%GdaQlJZ;Dl^KmpZ1lDsfb@w1Eo*nEsJtH&a%r0J7p)`iga&&k!y#lO1ckNYvjd%
zv<1f%Q;I~c?GR0B6bNNxQ+~UJlo39nnfFRzJvPh!RwPxwhr=wtyO2aZz5jaqiK<KI
zF>K9vl-Ny+Pwy5tw(vMVq=DTEm1sX#<=-6qX8?_u(_yRwF#tnXu~_*Z7-E%Y{x=5?
zF_DORr-)|w8Iw7qZ3OCS8HB^K%YKcu5I8Ni3kzqHW#olX`|X1>1=m-5hqcPP?<)>6
z;NPEp*pCSKP6++6s^(l7Me?q%9XM^LPa5_=`>ACTNocI9?I3(~9_U77n-MHrO25fz
z<U!I|=i6biJ116JZXv|!A<?ycS&BEjK{UrbeYKiV+@$|Sc51k4grSBwb|O<$S!C^{
z&D7D*qEtkM!iqW?=WaPRt7`%dC8b!}FWq0MgG8o0yeVzF{YabeCxoZFj*S|kA$G4v
z2F0B8dRUTd2NSr(Bz%px%R2BkI^maPJ76;4|CwaA-k!`*LcL;&-L6R?7*3UJpWe4c
z#Tp#>H1GBgQvF`2qXKl^l4>(pLk3c>uDA|B>zxwzMgaSf<eoux<q=@;JORI8+}FNT
zTo-{Uy*|vl>FJA=qk@R(#->E<I!@|(b}BH&HJkRwQKd-0ESX2A&{DH$dtn;-z|`C&
zy{5hG^pkUTF@ADsjTIb5=?=bNU-uUit<KF6LI%iWoGo9XS^=MF4yUvtKW}=n@NP7q
zB4*JI+{bN%iR&?Kh+w+g->Gvy&57B+3GcRH+x3P=O$`Ou@a@N*5ARpmv5n5nMFM65
z*ex#0B*trVcT8J$`l9T2!GsRAWoP*4XjAHx0an)Kt>wI<k4f6g;`-q8WI9pTtT;V`
zM50FWImI={rhE6T(|fzCQ4gvQmQU43Qv*J6+%epf2ufz$F=nQ+Vumd_4PE2$s@gmb
z*OzSh5;vn-3n|ud-=68eo>NLL6F4R1qL~|G!l8%qHZ@l0WY_~(U#{j~U+#`S%~ua`
zI=WAE8e&pO%>jne-8S4mn>4D494`Fht`GWbPm64A=MMh_<ZH21Rvr5Hm}LcCZA|-T
zWGDLB-5A!<ThA+NHthh!W4+ME_9vtLr_YmhM%6$H(N{fR**R;uPP31wX~|abnDpqT
z(b^XG7Yvl(hdvOw?m&2l61T$3Ih!9+54T9q@N)2Vm(P#SEL~8uGrEF6f?<0o%+Pk2
z7Tt9bnNrO5zT;Z_3?LO&n-hOCaes$=q_083h~c?HW#wi4SrMoeG;~9mTDM*%-8O80
zOM}kP{o2^aLrgaklxa&yaoDw`!}|B&{;~03to0dA3KeEMsFiK{EqC!Yqi9<NhW%r_
z8^c|(SG<!sNYfQpXyFVoPQ2t=$8}0C(h~S|*C&u@&Zg$J>NhPD@vmFvt@L~NAzfb3
z*{xRh&sB8$O7;FyE&Rdrxb0F1ZU8<H22q$^(DoAbP(Hrh@Z<4cYP%HDruU~SVZ+q=
zn=2)`0>2DU38m4_UyB6Ag*X)5Y`Lj4btcW+AqNZ;!?rDkHOy6RyBp2;{W8zIaUk8F
zp+To$kW!F6ZH-ignAK25!<(UE*J-6C&1M}?$1!aZz{&v_T)u?)J_|)SB}3%;P~n3v
zZW}Q<wmzU4zAxZJbgTXZ=<vyrL+qKG?M50*PFhn09jxyz2b`S__aM_oOMeqQlP)X5
zp8G};l5YDG<8C&u+4kmWYhQMfTVGtf&<M4jd$I2hLV9)5CFIaDwn7NmyUM1l{}vyW
zdwf7`XWeCwD&J*k-j*^;CSC9K1&J^2-BiLhxvzTo5Z{#bZm;`WpC;x_p*QlDI9FS^
zZLxQ3ol0wa4(S_9ur+dh-*bjKM^mkK&ViZF<X)}Z_BwjsP9jOSG(_R?PbT~tIm2)6
zB|IDnm!ey0KUC(ygEr<DEpZ0Bg?SQ4I_Nf6rQ3X16B+843IxHl5Sb%^d~2<~D;u4}
z+$R0J?e(%7`BgegKE)jgL8cwk?DqnOKjnkK2Fn9spsPBO#RSnUCBG9m>$Y>bY$}dU
z2tq1{6*QZw7n;mR^P_)PJ)oloH=AUZ7;tp|WEX_CgnGZ_hZQt!PBd5swRKk}5Xix#
z=cD(AFHCgmjy`w}zzNJtg&l6%&{6NcCkL<>P-J`F%SdN&gV#4-rI@}O-3(mrkJVj`
zZI)aU`RL*LJ+I*N?Kg7Z_g><LJIw11B(dp%Q_S5SFJ2pM6t>^2KkMyZ%BAjq-5#Gy
zm3Firo)RVSgzE2N*UyqrAPsVaF}$8p-QJGLsCU{D73;dt-W9^^Kgom{K*jWK#&L($
z`bdr4Wj-h$w0Fu2?VqL|CexjD`}gnizcbMZytky*?xvEgIKIF;%iIK!BFLx{3n0@F
zBc^6=V&_<E6921G@B6ho*}hj5mrBS<fthed0nezjQbI)AZHg6Zy&e3Cq->2|W~(EP
zX~IghKRp?)czkd6-HVB9?9KAZOZ!i<k65%oq^+lDCt$sLs1KEErel)6wf7#Db0B5o
z?@Em$;?}1ra(=pN-v<J(Xm_k)Nqnw&dm$Ht&JeTb`=c7Y=Zy9S+dWCc4R(-3y=#F)
zH=_Gz<9eK(*e4|=2j63x=<B*?D`gM^#8A@!Hq2Ik4}hjH!w}C@wiA51qY+0-4IudS
z;DAKmWOy6-IET9uZdJ@p-22bqO%f@P1s0bNE?^Gz=Bz?2pfS;L{q3gw!?KpQFvX&h
z0Vrry>utsJ6md2&V+PCj%{6ADvo2Sox_<X~Du6j=;H%%ld|m?FA(4@R$%L$sE1$P)
zh~n<E>bafkOI1U&06C+;BuT!thAWt--ECLC4Nf8D*Xg}^;)w0&XI|aE?@5^bTj3E-
z%HhWENy%1fFm82zpS<xTGFR)(aG4C&Q$B1qI{`^qhY;cMO|@nykkHLi2=N7o6n}bH
zEbd>rb7#a_Qvxo0DmvcBQY52<Mz6%GC+l>Z`ucylvOU1Ub}DO@k~$X-4EyN1$N=p}
zlsx?TN2i`s`VEP`Epy&zV)aoEgG-}>-kJbZsLS;{pFp;!i`5vO_oo7hA3cxcS~SO^
z%8?Pb+?x~l%A_7ief?ikr}LO)?@wok@(F6NoXxPQTy?G=t@rjCiiLjo)IVkiI}xe&
z0?$h~skh1>ALY@h@~m#7FpG4YdG8(=6+esjBF%K#q7N?TlGWsNgps1oVx%u2b&Dhl
zL>gcEjh0HjU-#0NkU(OD_4lCaLa58!8CZz68|u3A6=~{X4K22V+WY1SC%V;}9ME-3
zi!(7Y%QN?6)06VoIyfXOSFbsRy~ge5CdMiVD47&h*dG)Ls@P44xx;a0{0!GG;4p2~
zxDHFgspMY~<&kL}9SJj)9Khebzs^axgvUVIG51ONA|q0>sEop2rJ^eQDHk)L+ppX|
z#lSFGUZ-d?4zyb=7epXoYV^k=NmjBoOZ^`1_XdBqR-prf&chx)>nW4Er-QeT>crv5
zFKlw}w;Wsh+lAo#9NF-Vc<q}JQnc8BpA>9&?J}e>KXSgjcz)x1EdybwBsX?1NRW22
zCC2|2lpqHZ6r{_0-b%1tUer<3aaq)Hqp1MUQd0h56^`HXf(pix6cmIieBSc<_uBnV
znj{Sk3H=p*-DhmNwei&DcHMfM?W&OI81PUH&GKr|;>;S^t9$XAzJ~5@9*KBOLD}Nh
zHT-3fJ9QZaRDR3f;HQqY72s)~8$0Rz8?gaHMmDyD7p#Qd`T~3$8dPy3@1~XvhY^C$
zx{^m3m1I20$i^j$3u22>@rSpBExTv3r#%5<M%_rMjBIz0TNDX?!aKJUCW!wibScPC
zz-PhQ3A$C3KQed?0srS&x@L24;TO=t%km$l3hBBQ2D4}q1Ujk(h4s%-D>;M3x2h4!
zGJh7i4F|V6<iP`CB6}&&VEtV60U+mx-rSw+5xI`o{=DPDkI~s(cAq;=&Q~~LeK81>
zV-qRpsp4eJzHTjaXbh_OMB<}O8E6D*0~z0<a@CwAo0!aCNOnE5U4Jz`4|D>7tRj~6
z4efB!bL4kJOXYy?k9)YvH4ix5EK$SBwz%2Fb<GSAvu9i(Fd9ppwx@z3@fhZ5WF*Di
z`9`Yfm>7jj%%~0MNdUi2_xU2$GK;cf27;hI3bRQW@gKxh;rL|+BQl1jaNcVw+(TvQ
zfcl2;S~ZMTxGUP2+kgRwBWNG+<|;`L9tykp$dCD;aDP?p=RZ#}SMzq^{4|pjmYD7d
zoWzVWhDr+kxklVsp~L9en>Rp#zTSFB{*ZeV6K{j2#3Uu4U`4PEmU;c1%;!!f7PL#$
zda*QKPdk>>n@%Xu<fXM``A`||=$gr1$>}YKn?OO1)oaP;35YM>g1L1a;K-)DG0$6R
za)VIEMJJHo>MNGgx98n`;rA=cdId5IPm773dSD!2Ww5UhLQ-7Lt_;0f6VjDmXI3rT
z&A(kX%qzER<N6fAwAa9-(hY51m$p<;+FD-Sd#36Xz5t|ZhH`EBTzoK?!77tRy!C{!
z`oi0PWbi?0a$Q>^0}*%%Ko9<=^tYzGy352RuKy7GO?khJ!bFxdEf*G<b7*3u%ugcm
zLO3MN{2s0^R_!m3c^8nH;caj;aG)xWJ_E7bWRM_F6@o5=OpkxX1_SyAt+IAcOM61E
zyG2;zL|x#XLOLHWLm2p$5ni9eKmr5`%yPHmXW6Bs$`&hB4X(@VFLa*4B=0zMmpWr4
z!O2j(zSr&yxjB7Mz}|55KI9NVgRRQil<|u;!i5e)?=pc)|DxSo9JpQg>}Im%|Dv}y
z-@#oh<FYFnEm0b)-Zlnxd%<bXH>{z10B)N&i|Wh^QxNR!oj6U}wVZ9MuPDqi;YnU}
z8KKI{7bf@BlEAcVyMZ!Jzcg2-RB~TwXQME<UW0dqUC0(m?XT>Ue9@fg1Oy9W^iz7j
z%>jE0_T}Z_?ithX_9=#8pAG_hN_-KrS~WGfHoTo~73$s=1w-d0>v>1QwZ{=qWCf6*
zk`{t_mhM6M3Jw)?;-3mMk#DYn!EGzWXNag)V3FE<=+9qB-{JW_!9rK$d&TznKm4QP
z+47gP05P-6Ax%zKxXK%s#MEr))zkHav+(mmPB4?(863HPnOR0i5}oYJ`D%cqWv%0F
zhw{HmMT1nH|E#Q3jkrw`yg5DEU+H|O|KfI|?{mEp)ij|omBpUSEghO;IG%(V7Req&
z&#CVDnn@a=r7pTr9IdSoB%$Gv5r20cE{{B~j>>>|1D|oMNH!MFyII85BgiigPst6%
zU^D^tRA8S^Qy!T<l;DPK%KrVv^Y-)=J0DM|!<vs|>wG}Qcs~{|(OV{#)Uy=B^07fC
z0Mh<$Nxh4GcP9)8B@Txa5!6}NG(ZnY#$NJ?^W7AWLuq`my#z-|P&+-r8|Ybhw(Xvu
zY5LghBFsGmzP2KAJVf9HRzR0^yqzY=vw*NOi}A~jZ(oYvy}@UIVS01<W28X$Npd?&
zbUR!BTo`d>a}|S~qC(g0uhz8%84`qUO6Lm>64Wl95ixzz?YASEC~FWgcEhD1ilnqj
zJP~n7O!S9n1_`M5A%lUjqkf)7ddVdc@|<pynAL1egY1k!er3PW?+aVuK6_A(YHR3;
z<vY1jin1K`H=`+dwidTy^9v0ho1K`kHD|#f7>g0kLQj>_?;{ypF#>U${x7LD`*=*t
z<5FQ8XfVEs3N!QQkT@P7HmmFzrR#6%A34Sa@Nc|mtz4N71Rl#g<rqe+OS)zsJMfqR
zV-`AkgV}p_Z(6Jj1f2d80u&4fC*>jX=cX;6+qbCcep!1z$3(<Gz@emQCv3LRZ?QNL
z)qLJ?)jkbqsdUz2lCyk;$acy&{i4Na>TfGaa}l(f6(Eyoss(c0vGTVING@<<#c72L
z@>`S^$0=9dXdWcbi&`j1VwRNdcYW0|p+~W4>?XhAMJorkbRg*2W}wNYb;DYHu%j{A
zK2jFf+ZsYp*X4Fc(Ut*&Mm2U+OK>hEEeR+gnwnWJ^j88(h{Pda<)StX=HmL4!uW=?
zQA#18GRPSjls-z*+0CE<cqt2SmNSX0@`Zd$U!TP8jVI7WF$zq;#pSfUTy#89hgz}y
zqg6~PJnw4GdFOfczL;A+hZ@0(Qx4A(^ZCvVWhYecBpy<cQ_Exye2R0ffUmZfay7du
zMZXAU#rLw?&gbBe717DJrx@%S-(y!{VKGB6y@X}Dy?2(J{x7tW7?!0!es4rXJ!O9=
zgg*m^3o70nwL6_bkE<toduu?r2|JKQgJJhtP?-Q0lm+~^uOU$mFQ$~-r%!Kv^T;!^
z&A8?Bb~}scU$P}B#S+nG2IQgzb*f2eNG6LS+@IsnltW%?b#FwP$xr>k0hic!Fa(CU
zU^%ot!$z|wTXPmF>G-FS;#UPr6Dg|t-LYE|-V#DlAAcaFlZ=DKzV8r%v!(i8efSJ!
zYO|a-4^IQRC0l(`1>E-!2NTbAlL+rpA@Bn9*evm0)|0qaaDaGzEQ2>3HkDIwgW`BU
zGl70v9C6gZw7EJTO*h&*GR8C0PT92WMUbVOptTlEpN)B6bht-o8X!-Y(6@c_uyl24
zbEv{RM#0A*`bP9!%NI?FxJs1Ceo_+ahFcA0%8^Oc$9Z<}Ddc1tgMMK^GG|S9A7#@l
z!18J+fQ0b|(R;l7X2iC9`+n*>nf1}a(R;I6tKCQJ5_P^VV{zzBB+C&#5BmxnPF{=m
zU^L#5$emt!#lWAD&X|`ZBd)54x3M4@r)x7FAOg0M;G?l#Gd!*Ha7NC>tf|Kqjl+SH
z^NO*1pet9WeX#%YXDD-uRBhvLb^@m9R92K**UHGBP#0~vbN9c6L~wPF3Ig5lh)nn*
z@n+*a#rc(OocN|TmAQUIAhl|Q{<mLyj#0+K1c5-)f2C!|l7c}s*JI`~QH*cMb$xhn
zV@hOCNzn*7m+f8?+DQ?c3p}ux9N^ddIuIoiylSr6xsB=B%jCK-F?Rf5?tiQ5A74dn
zWoaikQ^I4bRu5Jpc50eyROf7j?3WnknHh!x`2dI9%79Gko685Byr}D%qihtD1Q)~u
zs3ePsGOhn!R3I%aIZuw33RQpY-wwRc=7;9UOgd1E%L=NWnBZMrMDzLGfMutbB94_y
zCf?wW_7%Ap673OvYCGQC9AGHqM$-zOin!b~*-|^PQU=`?!MZQhT1dfkEoE5GX8No@
zsoyOx(|<<{*IZ>x-yU)0>}~u@V#iJmtJTTWJV>P*fjlAnLoFm@p2t$?MyI{vie~rq
zYBJ!c{T9L<vBjIIjk?;lS~LyyBLbY71}^ms4-5Q_E9x=_$v;ojT9LaG=NN=00eg(b
z81|+u__B+}4R+4=$+gt^Lj2Xth2r-)PIa^ON%K)Aj%ey3OWT)U6neYBefy9k*HGHs
z2m}7iFTT;Ci#(?Zq1nvo>DJT7QI9E92JbqB%U~)9c|l`aqF}3=^zkVmu!C0D4pHRg
z$ah5oEclvRd~J<4{fai5GLN)hW7Dse#$yEyA51nMIe;3+^J%ssMQR{=!e>hSSJ@6{
zyAH?7HLDm+w4PCIp5>Ty@|1Rnc&o`PaJ3Y9_iP2g`;T1!TSWP^bK5UA$w4C8XJ+I#
z#;o0sG4kKUQ_G93I?N)%HfGEY<o2b#^O>lR%c)>IO2ooCdc+8*+P{HJSl*a2cXsPi
zuVR=1+jPL5u#B3jLoc`<9wSo|iMkq?8sy~EuOe(NI|shOsecQGXEf9s+!0e~bi(tZ
zspN;kub&woF=wy=v8Lj%+fmJ1dJ%-_*O7(AJH#}*;Ii`~0@}6Cm%({DYk7fKh2I?y
zlx(8Wi+@O1B&F_tyV6TX+9>+nc6A*N<_ymo8Q5Rr`FlvA8J^A+rE$5UP(PAiScKfR
zS7#+q`R)7`kK+wg+kX9BLR9VabsG%oKq+X8r3%m#vN6Pjh1=AZJ@n6VlLKvZ60y*Q
z{}PzA^cFSv?3`%~1d@rn<cjz)mp;YRBFYuA!*KGp`7l6b%?>}JP-WIA$&g(bbZWt>
zUd?TJO`oA0{KYXlT>BjT8%O>=Jtz3v=SI$$eoLOIKm4uf>O)4IBD}F7rPc$W7n@4m
zI;LUQsQ_->;rS<6F!tjC#k<23d(6GA|AoS+#~!y?`VE?ko6(PT;#Ag=!<s0C)&ozW
zc66W;9JP>TxY;+t#LrXctlJ6#+FI<vPB9g6(-mP>(D1&@YVL@Vj|AMV`yFHq^So!Q
znNGVZM&I}{cI%T|yKH1Q75@{rq?(j%L18M50$mPYMDb~QUc&P|ftF$JSF1_En+Kr0
ztfzchbw^N?B{~C$8g!hH-&t9kG144PS;!5`0a(Lol+B!(#*HRE87YK~S38FLj%v?1
z^WKZMe@SRqVSELm9|9bP_6(q?;fe)s%hlH+o6gQKbOfI^lElrO?Ce!&Vp{;WtD{0?
z_SH}Dr^QStI=fHl43^U2Yfi#=iJZaWBV0>UBpk^y)(_-ovK2Cv{EDgGwWoA&Km5ji
z<`!LO|F8D>LNZldj{Ez|3-)3Syo~L6_fc&d<PcHujLS6I8F*QxZN20D(sndP?n7Sc
zdGO#IksaGZCMm&huuB-UgjTjKJTp;pA>l~bDSIo*`ST3Zx*ZdyI=i4of0pnLa-7~n
zo9|@tZ*xO&Cpz4i%Z3~1mG!a5b~^!^eK+E7TIxPerRopxlt~Opnkag?3X`5%K|Hon
zh~Xz+_uawfT4UqqPyp<|4$wH9wJ4Q!!kf87jg_TpI&GYZ__06I$8<VFdkAd#Vqr~+
zz7l@~xBG?)#3(QnR&sNyQKv+fc7~tzgpXczW~L>FZtHjHnay^VBKJafOy4B6L}#9d
z|5e<sG`eym+KKkaXv7xenPJRrWl96bu`Z_P)QPaj*oavF1y54et#^42YV3qT8nN!I
zu}15%JeJV|mGk~u6uT=!o>NNv=9Y$pbaEmJL5%D8MCyF@8JEawZMPgk!(w(}==yxH
ziD*q>W#_!2)`TtO80RSBs&0F2?Ohd&!RLEnYNGKg3;3t1xu$PF!rk$)R?j^bi>8;K
z$^0FhS3xSV?5^V`%lauZz&NLEG4I2!tIdu}N2eEtdfgFe1o8BzXC3i%^_1P?3>J8J
za(Jj~V~3pj_CShmU;V)-oV^iKiBwl0XNyOlANhq!jgF9F5;|-eKafan)I3*!(^+u6
z%iZq6X+N~+R?}w~3mVeN*P)UTv-2&-I%_?zK7^-F?z(qpE6hT&Vzg3B3cb4r$o=Y2
z4Y6<J+40SYP+m1Y67{+(wwm`71Kt(h-pNhS)e;FQY2G}ba3D}D=WtY3bis>ruN7U7
z|0T&!V5N%%gO3+S0O*VRwCPtWU5;61wJT(M1GehM%#`n)!UZIczY+tYyXzLH_j*0L
z<=vhGEh%=jUl(!~hZ*NX#xJ*eJ4B`5QOC#9!%sk)h;EmJhDb~XmZp)EQ%aW@X!xK!
zzrV2nr`)uN-(sASnNH$dMADTPvs1$fR=&Wz?xzYkn=5!CA)eff?^@2z#iXevGZX)K
z@%XN|gCv_w4iDmP`_rLWoYT!;*zJ!PJ3Lu%?5eo^LE5|a9NOAv^PI$#&5CCyNr48F
zS?nFJW8!$-(eYF@-!WtyM$a0k(c~s^!eT(){=AB!7#boQ7#oC{WqSt$xD6e#_DA{n
z;+POq5nZn!O=IxGfIdMC4CRB;q!3%O)ncpNLKvEU#~m;3<vVS!#Zua2&2%L(5z><G
zWOZ|o{YmhV&-6qUqucZcGotycnt)*OYyMYnR%T78VoXg86~pb21_k@mLCIF%enA$=
zmpJmgj8c2Dm0HKmamfv++{2ovjK{|9q<tN;=t77SY=dU(7c#oxZV7ii>wjwj3<Nyt
z5XcaAxe&4!KJA+O5%`hus6FXzc*sbA>*{cWm|S|#)=QzUkU!dAJy>KvC_&qG8$do-
z4tADx(Y{{B#rm6OmYI_j;hOpe1kDUC!XGO-8SEbg5eNkm#}BZhc!y(n8Nx>#99;qF
zd4UKQ5AMH;Fx3{Qk!`?og;uPFG~6*J#3C)n>M4j0fFhsQG|`kLzVWR+wl<ZEzHP3}
z=KyKv3_rBe?eDzN-L~od+VZnSYJ<-VG()!?T(3ab@9d`TPk{5;kwNdAI1tX{^MV)3
zd509(<dkUibUuX;D&Ps{ss~9TE9y%}E*@Sext%5xmFkEeST^SxK?>xXn^-O8S-5O(
znzrfGo*mspIc}~Nz6r2vNG-w;-2@Ta4@uP%i0`)LP7bBM3xhxb(h$G%=S}n4q#;t$
zVsCMmmogGQ(xtAmOmpWn3a;kk1byf!W!T?2wp}mOFoGfLXg7r6d{&Q0-u@0g39oPI
zBT>&$#qBL1&GV~<hkHdWHnn$k4b6&CDHvo3!smT|j!V$HCxxF&{l4hsp>J{>$k~1e
z-kglQnTYxh3@Tch*@BeXa>qs`g|1xp0G8PJMM7WxUAjtVIE$gzA-HE~U_pf_*$b+^
zvcd!(1XEdgi3Rw_>D>2z-5~{a&lOISTYRzy_VV<cALk&%c8I_Ti~t9mvh?H};S@*#
zMxqHWvXO~c)$~^~Ta~11CS)?N3O7?lR6d=R<k@hFlas4=bV+h95zTbKXuhd`p$?;W
zZ8Dj+1C2XR6rW^uReWl^hpl2Ouqz3b*T;iG&b>AO`?x)((WKv7ZB3)EECx9U|1N!@
z<>VJ~xB99>7bB~`h!B2s%}&gr{q+*e_xpvF<shArU*?FVe-rMzA_k+Zk?!;!?pyTG
zQx%`#;N7?3vjd)!$3y%=F``9JbP?08bpeABi$SnASt@I3ZAp|MmDASLSPGeK&9rI^
zfB|mVy}C_efWOu)S1TCvv{0CTtj1+tO`N7GIJpRQLnq4uQ@>A%H8LSPF}miHkAOrd
zB*?2PFvz>BnD(z<+H@>$=gq?&$BN$xGst5y0qYUza6LibTg-6gFq+X&OCFq2+jC3n
z%C3IcG_OXi&@o_tWf#^$nhHmUAuJG{s%XfyXNU^2qU#eJ|I-Z)KD$F)DmH3B2_cK?
zSr7qQT)6HYYRHT#bwB1gRjDOD6gf|9cV`v|pQ%{>?6m5|^H>91e_0w51RTfZq2Y%V
z%7Idq8CyVK?~iN|7?G?bB<}(u3g&az?-u_&w%!mcE;JBwU$cjp6UupX=G$vDGkm$d
zf~*zn+b>p7U*W2g+O~3r&m%;|{dj%7i`;^V&1zl9c!;%Et+YQrYIVMj>l7N(+YtgY
zGg)EMQ4}fZL+x`1cVcqcKlC{)aWoLY7vTPdUv1P&J_#<%e0IY1d%J2oLQeSRrBlq|
zZGfSS4!Q_)XgUqSPK|2P4Lsq=-dPa$6>8tK7ZFxMZA<$WsQmkmHSSHOFX6LYfA1iq
zxohLs@(ZrJ!6CtlM)<xoi^WA>_ulIPQsuT6k_8*!=EShbIWP{7#sm!EXhOeElBvoj
z9Iu$#7f~`>zW(l>C0sVVKm|&!(!o5)EL$V|I9nSWf(dSOso*_6sDj)MQprKKMwU@E
z@hP!sl}lYxO$K*kluM>(h^WM#@*%!qmdW(j&S_Lmzfn|9FtQwRVp24}739hNfrJ;j
z+Z?3U9a4J8#=<I$(eR@fb=*51y*GFprxhXSDJEubEc5uN1b#7Tx_(cSF3;_*AMXIw
zwO?pqH0Z^u19Enjm(k{!n!V*>*orfaTwN)$O~$|Udtx54mG#;x)g^1GAy%aQwV~pK
zY-ik7SU(>MO#I3%e~@!k{k0q4ll^0V^sQICt*`B!B$aKVr#F%T9kQZ>GRCa;5dDFj
zp+AeAVRSuO(`5VO*UbvyNO34bG4RGcW)9^#*x(&*rhe3;d=`m78{{`=%hc|UDYlHo
z{tKg{|9~B|vK@sgk}0QN@tgDhlC7kza`g<Z!XGK;E})>!8PedsH_a<XkCp52c>|Ai
zA3ksi@K;w>R+hP6uwAt1UxXCWlaYz7=~E^5bxX@Wg8^A$QBqYnGvoDv4aLvSW1~N>
zH)@GGJtN^kk;Yyy=|>~N*fKYyD=PqEZJ7xp8^Xa11(jBc%ivozT8+`fQD`dlEkq5+
zj&&6jdiOa`?bf3yD8{BmFiD1sp_x|f`$-Z<s2aqeLqZK^8r1q@A|3i!Y%)|#xLrzG
zf_)75XsGoK37J4Ot*;)v3=Iu=hW1K@H?wZ5?IdO(2zt>UdN((9IL9uRm)~v{{!G+W
zH1__@*i1<agSN1}ABZl8zWEJ>;S@xCRLxp;c3jz&hj?6x$Lr|<{?+zDj`zCG<$f&(
zqi@m2F5q3<*WkS$X16Q%tr?pal|2-v=MCv|=}neYXb~1l4ZBBb{tF89oXPfgHY9Q?
zB{+N4{yj4(5lQUiyo`&=;RqG^F5&^9ZX#kFQKO;!Xt4+Ls|xuD39f;%D#McW<b=Ui
z&jjQ-qi7vjj8YN<V^K}xt2s*7WFJ@`f5~)}PSP4-XXS5~+G%JdCGFK)nxP55=&o6#
z+M{u~nXO5Iv!KY=MB2;#7mm1D!s%4(t<IC3g^`)ltz-Pldi8ZMpPEJz5b23)2%q02
ze}B|D3vAY#5~KQq{2e?b7&dv`L1{1zL8fT5pzqmnwdBq;4-StcY|Gx5f!K;diZG3~
z8&V>n?-WGXlnKNe8tM)@tTZibT);NXVe<0zhsM^xC8zX~?H~Wd$lGVJ#BT_?PuQ4%
z9sdStmUOB;rA8#{P*zs0g9Gdrw>hO*amy?_-9xi?!x@-bO#0saTXJilCIT)HjTJEt
zMf`g1=cUG)eUm_~+DvthL8BfN8Pq<;#E@CAGl04`%|N2aDaV<f$njUnpxfW1^X+qj
zc_(7ac)9hJ#_U;}6RcOTs>%{<!%&-r?)PsHG7#(y34!mXcp+-4+Os1aDE|i$Q*1F8
zs~yX-D`?$2A21;^sz%T5!$G5q0!`Dkma;f9J$mF&lFJ|L9BC8bT2Vns(tNm7qjpPv
z_Yo-Ab}Uan?x1h9$f!D5HMYE{n$WbESi(dqw>)zF_qP(FeRphwLXLL^Zk(E*ydul3
zw1h-JP!Na?6YLd?Pw9a=Ed_;u)*J-KCIzr|bwtJuAoWD_lUU6uTE(6p+kuC9PNTn~
zLj2slCy2S&<t2)8h?J6=GQT;Nq0;8UJ)Oh@>ZmF|Br<~HRm4@S-4y1>2kSH;CEMJK
z@|GNjY;w49hhjkC)Y5e>-aDqRMZsKMLpQR|u#GLUGcphONZJ2K8C>;@if&?h_j93E
zhiMLu>FCg*>q3uZzec=6(TCk1YiiYUE9Z(uA*3d^tnxs@`_YH*Z67<W<$(uO+80)@
z`<pX_$}mn?N?CJNd+nL%h{pY=aX??L`u(Q8qhMPT^B#Y`yK^+YD-;pH4}Rb4Ji@nK
zwXerd2h>ga{_W-!hKvVdB5-&wl7M6zI9HXR4>I*`%!bvMldw)25U{gcdNb`CTf&>v
zVzgQM=_6zf22<Xn5~4c>qCN3z2)AuMdlqmDiA}6bA@;&$KU$=Y#+%^@M+g2uLFT(f
z^#SyTzswj{`>dAzGk^%X%oUruKs-_G(<rs9A~F(9@70>8!7p+O=-0nj3lXs2Q#4I%
z81h&cJ7aQnAjSTApB66xB)X&EDr9q#kd-jsMd0)-Z$3NH!Q&Q}kB=g;4TX&Ms6Q|c
zAHqcWN8xyrpWIT&qidYZn^?E<3zKD(q^6HnVPj-0Bo>`xmdSkNS@RG*QIsi9!{<Da
zV85&Ws(^DF&W{!)>sOvpLc@QDRg8w*oG`!_yuCN*zFq>LdlA66{&sFSAYqdu()DJe
z{c%gIw3u`qCw?hdpMh79%@H&cvuw;D*4(5BsVNkh3$me_R<Uld4e6{2eQot>Rq?3B
zRK8o}){svlCBqD87vhIR%$P$|(7i@8nn;sW$evp#gtDR`>vB%wy+2#}aI$i>@(wNL
z?bMp1KrZ6Qe0^&*mZ|tjr|1AD($4@R_WfwVI$^+JKr#zCpV0^)?_3au7vM89B{G~9
zb0E;drW&;)iWE1KPx;yh674@R%hQ7(c9kCO|AQX8K>utg?so7z*KJYnhh?z@ZYRpN
zmj*G;Nd=;5+(7_{n1S^&)VwLJr9I}0%-f?s^IV>om#t}xz5c$Nd&7?uC^)^Yqz(sd
z4uTnX$mEaCxzTNu(~iY5G~1*9M$iTvW`I`&zvY6#hub9l!EB-L_v}15TTSntS$4n=
zUvF2psiaEEDnOcuj$;&Z<OkfpA>D6UY(i#ztv?@V{K-PWpHE^V1GTlgFhYIap9sZF
z0tV}|1G5~Qy#7JtzdMrI2KZAGw}R2%nP39_Ab<}Z_$}@EA!CHbB>oWBK>hVLj9XzW
z&9s3f(MzYhHco$Zg9Kx<c@rN3DT~Wy+mDdf_xjrXyC1*C?VR&syEOr=y8)2rSZWi7
z_wq~?mk5-;G61Gf((<7ox|1iA+d==M4EBbYY-yw^)3SG3vfYD>?8mErUJVj>W!GS>
zM0vVJ=v3VeFWK7gpZxL&<zBZGy`1EDyjV|qT7S5rHht<BLcNTkae~4QMb)S1Urp@N
zXh&XYKpaF~!2ml-C%yw$XqQFz;DZDV2y>8*_CFSe(D{(oIbnSJ^Ir9Z3<Vrr$jZ9<
ziNhowO*bW$1QeN><TYsT*V_#4v;tuFEc5q~H#;WqAK&p=NJsGxJ(h2r+k%6QZx(bY
z^y}({oc15z1A?J3BOFF1=)#!fX6+qnTJd8>T)w~|M;Ii0LE;ZdeVsrhqweDWB~QLc
za+B)NXa`?n4lMqYBwGzUu*D0-Njk8dNxUEXuNO7~`2h|IsppA)`iRZ^)Na)mEP&i`
zO={nFeFc9AKMuKp2`pNi5<R=`XZG(}gVv{|!Df1yr$QbeF3SIdoooVqTN4QUu7jUb
z|Cu#JV1(hUQ8$90Y2E)0dvwSV!Nm4oQd5-wm#CW?!apz)cw1&v+yDNn*#A@T{}Vkr
ze}2NQfT=ku{tr+8JHDqs>Zi;++;ghD%@~3IcewpmHNw;!RQ~TVKR<GGz;*ElyFN{K
zS^t04|EKc*CpN(T6Gq#USpVOt{+}^FUrfh;vJv*YI_5_De@VyxOVWIM>s6K)^BWpq
zT__*v$UlcE6}5CC=IR_bP?gKEP|#8HOItu$T*~#J(y&kui%Kg2pUICSgC?L?aKM4S
zf8%`@wiXLp*lfPfG#6aRsb~&6yl>2Na#>6cQQdDmpDGkmsp1ji5np%+a{K!izAW*M
zo}Kp{^{z>P8(CBiat>K8bqy((Nr>#(ATc`L&MNG-WCFah)T&eqIy!KUj*jRV8QYc@
zzw_S+>BI<FpGXzw6cdKjEG?lElah+m987TK(__Cont`*wI`!==<}9(*<nRX~PKe!K
z-FxM$7pbeXm3JQkbi!pR1-a<hHXLeIEj{IFMeyFCzID7Xcz}cS0WTi^v^@k!yFTxf
zDmPnj!{S2vI&9G0IW)iS))kU>>Jh$z3MI9iA01u~A3yj~si`LVL!uDr8)||=MuQmS
zK#6~@$;p$W&@(d!XK!`l*J{4$o0x!sfCPR29QWK$R+LLQ-1d14kdY+W#=D-(A?Q+7
z%J<h0V}8G0LpPi*VZ$F)%_5-oAzbqdGoJFVv%b7)C~ecJu)y1GNB$*bS!;6mc%AwR
z#7Xw3bwBQm)8AXg#d9_7&JBH6JJ^_&QEz-@eglQ*d+EieqzNdk==rMBN>DL?L{NKA
z>HeMqgtt<i1eKMQF}wZjHRa2cOG``r8yg>e^7y*ZN5=2w90(}EQ=Ve!85R^_S!{J9
z1{Q;v+1uOV5n7)gS`qPCXtQ_&lMu^JcFv(b-&d853J?xTBKw%V?+2kjY8<fPaXEn2
zS#fuEt?&7t9>43ATwGkpX=y|M{lk2Ce7qk2sH&<GadBxB#=ko3L^CDX7d$XQNvYU1
zw%g1<yX$k#?6!w`CHXnOYxo@O_(<N@s<|uaKUuA&lWv%A6R~phB_JcfT89tr9WB6p
zz1`j?^f-QgbK*FsjI426Cq=<r?VG$(yI}AI<UzbVuhn^9tTkbpKzp^UXmZQ*RF#$G
zF$k6k<AYw?^Sy*|wHowujXsEtBYR$u@9pjB8=L#r)hYJy12HLqSxQ)Uwm%OR24pFy
zYC|vDFoUuY^&_U31orla_6(fJa)fGX!}A46n`pt}u3<-p{d!41b3{o^DY$}XnMVKN
zOR7uLqEY+8K0(v+Uv($8&L~MFy4R0k!KJ$t{b)SEdOlqGNdYYfL3+9Nxp;pbqNm-I
zG}8mb)*))69CO0?Z7k59t~Me&<~SLB`8guEVObsu0Bz8=KtT-ka$3sCXb!R)eUg$@
zf)A}p;cS<|@x1~qN~)q&<@_(B$n>|%{r-QtxzGU{gGovimI|s0q2=jX51+JWZz>up
z$?SF4Kg~O|XH;8=!YbTOLIbsGDVSz7Yi>htG0ID`rKt(lEH13COEkilhihZL?Qjgw
z7L?I&YB!@1;^v3;PtYUNf1wM#88O|p8j$NykBH;meJq4)2*@5T%NW97vi$QGAr|MG
z&F`iJ;ktL#>R;OT$$kw>c~DZxz1<c>Ywvp$zv2N@<(C0MrS`{d^RixWlA>F(>i)tP
z?u+j-RErx1C?6mG$6Smm4Oowf2}!rTOofQLIeBI$$j-hk6;NUhR*=xJTyHnRvW(RJ
zJIox2u9u1iqHGwRs8>ZS<b%z<|MSyTn_7Bm<UG0|gZ;qH`V|qC6m&!{!OQx4L0H`R
zCd(bf=%>{2l@Q$YejE=xs?6@AeB|ME7lhGvg1h0{F9~u(eyh}u7V*2Cx5TFoKrzyx
z3JX0WYe<9xQ6>RXYQ9+!ueCEMaq^)_;(K^PEtE7$l>_2XTI~ge@+n0I?1dw=WpH$_
zx&d&Af)Vzd&`xM>=$xa_Qw0Tfp{R`v4J@oj=U13yTb6P?A+iz^2Ag?Ck5^UFh5@V#
z^P{Eh!T_nPI%K%AnihzU0(#8q_z7=;ojxQovPeB^QDrGoMyV#Mbn=m6_d^JZ{Jm2D
zHuRPf&GqPyNo*VNU0)?mOY^mOF#txo5!b8?D}7FF)?}z>2BVlXX5dryjkZxwPfgbl
z*41VkE^Z2_hLOeCC$!44)3ThB7#(*uI}w<X0@2EV(@K0-1NWVX$4zAZ7|_{!HU_P{
zywoetZI$Ja_t{yOpE+F>yD!>XJLArm%Oyk+B6)!^kzBlXF~@|mh8DzE7YP80fp`w8
zjbYREe$>M%7S)MC{eFXx{uI?8eIS5)D4_r95ax?!PgP+qp{XdhmE?PXWw1ECF9jV=
znW|!)i!(JU=8enFLrwX31?yQT9?eWVfiS@u!l{TvBSpiRFU0qJ%Y<30C5gHBTvO0%
zPG=URnny(PAu=K=wW?6i)EMNj1)f(u`DgD}w$q7;MfK`Mw29=TI*AwgL@7a~Z0R#c
zJRj;oZY~685mZCFPz1**pZn(!tLb_bCd~iO%ABA~zTZV^R~Ha0+=F<~n8dlVeEPp2
zJ*`463n3XQur;{8_<PyDYz)e>$AtwkPH~_#$?0EcrekQ2%gQSG=?`k#;SZ8-zET_%
zEi`#I(bKDGEfH6zwQxcqxOjf2Bp7L{EM;;cnd6k@;!belO3BRwg%Sj><M_}(Ja<Hi
ztX*G#>M;C))NN~#o*D~vdJ<4hYe=wW5}f6?Og&SYB@;)GL@EY$z@*D?<J4M-4t9*p
zNC}1oTUaOtmj~k8GR6XoIH=C<+wh}`iWHWb0vret*k4Yo<|m-!T0Y7rv0e{C@%WvN
z=(AV&1hE;s-Sko~884j{ZYvLz*=NQ!hH~{T4m|}ibg|xgOvq6eAH~~r;V@XNY74)l
zEsEbM+PLbXWeZb3f+)$xKvjz84nMOn8m{i&O_!eecGI*n_F_74k|*$`cKWbPMYJZ%
zOBCJTy1#$lPsUHzl9NFps_oG;&NSzpvzWB9<9j4?<5+MF%O)L$eduru`(s>7PE`*j
zEVJve8=SC?xg>vd>3^hK%~)BL7r6|ld6$wd#=V<bDX0LUvSu_Jo@l$db81PRhq+xR
zxX&{|0<KgQ6&N5MMyw)vErS`}GPxQq%BnTqiw{p@Mys(LyCA6qgt9tASaY6q`YY_G
z?(m#n^=ea+)l{Wy(*Lne0a<kSKB_FxtRcPs9cpZUY;3al=Xk|&R>%{k5Cx{!vZ16f
z{w9OHWCu8O1-S1Ou^AYwD~FfmiFs;gpw4O1nFq_K!SG55Suwj;wEAXbu-u)jdD(4L
zCv02h#;xgTb-}z9=Tl0@6IkdCJb_*&55=q?*msMF2EGS~b~H3X@)iWX%NZpVzsILV
z<*m4JBX)*95XmggDD56q8Rm#^B@YN;1;JmrzZLn-0N0i!ckWz*P7^#4NaAiu_s=`f
zjhvfuz9ZZC;SD{DPCXiQwClOc4Z%s%utDP}fEzo<#JI55Ri+w&9>-k|4PmRrD=9;V
z{G$Pn`xlJp(<TXewDwOZoSeS5k3;DsJ1Gozoo!!xfJN50R)axk`G*kX@?oFGS|Dl$
ze<>8u2jf%>Z&1r@z1@MC3LsO=%{9eVJ>hZ(9YQ!?=O3WFPr5x++s?Dekw|0DmFmY8
z!&?u;-PLfvm@TSN`fD`ZL<7m?hM8<kIboAYZ`r2|3pry>HGTOBRKf^X>%5DjzBIp?
zR_|4F3Oi1xBb@3_S^4e?cj4`oOMXNxV`;RDO%EzZ^KVUgTxQSrZ3g~=9VN8R67@ox
zd)HEd!l3k0UB`pB$!;|`2|d3RaW2eCi*F*02U&Lm{bHp9%3v0ge15#2>-&YQ?E$j)
zFXGoqZ8C=Nu%pmWTlB=N*@$^G{;ZlI|J21Bo|%(Ot@W;S+Om<y<Aba<-1IQ=I9iWv
znMQsvJu%fIG_PJG{2|MsdixPFbfh%B&8?#I5{pfB#XxPR^CO1~-XJQ9?<{n#&G4^@
z3?8`1MBz$}X6$U<>~L=U*ozNC@=9C=%Q<J*%T<N8!Ng1y-t)^AtW-*y->9Zb7>usa
zp<wS))6yzRkwWcFwO>&vbqjrI)6UdjmO|}bglvc4te*`~%ZYX5@r=T$xddrHmv^aU
z;LIJ1bM3`%+v|L1dGGlaxX_7>c*!WrS`EmOj0?B_`i3J?paEd=+G|-ju~r)-nGhe0
zh)>170oph!E%wf2buyg{ULW+DB?kt}OEm1r5^uf9Tk3hiemC+H2X->lrl$~o#>1}U
zo$vY|H`#^wWh-?iFtmDcWI?$QA!Q_if}%!(;`aR=DvKxvi)2*0C(HOsVo%9!xIS0E
zSg*L^5SdbP^~iep7Yx4Ra)^5Uoh?eMnRAT#;`TP)$P3X?W@o05KEq;%R(5^PSWFv&
zIlNG`TygmEKFeZSPw@$k__t~2`ut44JqJ|P`$W1SA>wj^vR$}3?)I4I=c$GOIlh7`
zMO4O#4?Aazh)Vw-S6>+wM--$RNFW3c?gR<0!DWC1cXtN&!QBZE+})iF5Zo=eh2RVf
zFfh1#aA(=K``&rGfBMHgeXHx<>RYF~PJQ2JH74OZ4~Cj&)=lel`mlz|Yu^5gR%SHk
z?%k49mdR$&bmwe-xy4|UHcI`GaqX~@!R=1+*vYLRrYMQvVgDG(eS}&!D@}T;l)>wY
z3~MsQ%*Xa7SyGmQz?CB#2&q-IbkVR@tBC|yP<G>w#NF&rLs#z44go|B;J8qHN-29?
ziv1-I3Bzt#%Y<MIGp=_S#F3FS_wox{rNd^ML$ML^<Eifi<<R86n7TV%orZgFBCk(1
zSJhsT2CIg&<9N2q8;FEdE!|KHl&Zki?%rVzn>7sgwJx?(0r>AGDJc-B+?2b0kd2&j
zFOIn=q6c-RS%S(KCI*@@NU;NW;vRn>{1)^Wj>&|qSr$8IGyjbl4#O}A+)yvvK(1B4
z3CIxeC$m$CRY@U<bZn*wCxm}z&-+kHiZEVazhpeqNc_salIGOybxl-s!E!e6d%BEC
zY48`1{#0`(U$v27_~ma?BBJc#)3bjW{46?IX!vfj3-=HyiDiXNu&fbm4Mn#iG!`q3
zHG58MX{P#z$#@(jL-<tH?cc2Rz}NXc^3}jdi6;6yU4DeYedmSWHfYrmUFtmtM{r_w
zutI1}2VmCVl&|UzkH_#Wr>8`%<wX$55&RM#N8|Wx>u4S0F~#G}XT$FA$4l3rIGM3*
z9U`iZfSk@Sx61-%)v-a2BY+zjv4D38l`X%oTThJcmWf?#oms!&Mz#b6&D)pfVbZf>
zJ_6UU8z~<<S}5d+j*%-~IEK*&oh-84EWD?2FidIb?cLK?DKW{<MLc}-X<&DL*K@LO
z47Ae@V4Rv9X+ev%6Sg=FS|=;R{Gv&U-sj@dgw%8_lZgGD<9K37X>Z8M*7lw5?aqVZ
z8P-8)#O8Y^8ctI2U17|8ODdEi<<ntsrxl0!fiU_36jO3Ba^d$gy@d0!`gWKSLT`qE
z8EQ-gq|RlK$$Yy0yeIC|$+U(uOgaC(5yZd_=K8ULKm?V~)p#<k=}&dT4`*3aHn@z0
zB0kXl$;W9$IW)V9*xdu4zuig*GZZLMwPs&-$)(Oz@TI=*mDhNEb7pqCxjKi9rK5T6
zb{|E<#es;qiqmuC%e!0t#8Y@MWVcvVMUTq<z5^L^U{<!+xOb4{2_|bNNP>h#56Te@
z{P=mR6X@S=vOM)kB4;69o^MbO?e>b~d!{;lPZsJ#BgkaI<%mhxpz>ot+N0p<9CYwK
z#A^I|cZ+3bH}S_Xz<cFS0Q!8nXhHt=mf@64uIb+KG>|(2rXBpvYJ$z)?r!XPFt^=O
z>xYkZ<wyD0F?wQq9+k^5lYhTIl<<KHn*WKJd_#8tn-^qp&vt7YDP(`4Xf8<{6o_1q
zD%98-H;)w?T1M>+8A@2Wf?@_~trjaEiS5l%^Xo&YbABs-_C{Sj@#iQ@$BH{$ie8vy
zLFL2S16bpMV<;6`n7>ZVMF@LiFL_Xc=Uk9dw6^Mol=~A_0wVa^(M0Wpf?VRl<5vUT
zTV6Zp-0zu69K*hw^Y<ZS@;e=ou`CO2j0{4YjhB$!C<Ji7k_-QQhQ|m;vTg~?xJDI#
z3nud?ZANlFw7S`0c~AmmVMbpmrXqY>lrj`6;YR`q6dSY+dM*B~2KGNo{A*t1ObfNu
zznfXH6}hUQ?2P9|H>cTFzU+`1C^IK~*|sR5<`huW^J90xITG;32pLkTxcFm$egYxi
zX%x0$m5{b{p;nu@C=raaH;PZ@ULq5+=Oq}+4($T^o7mZ^cK-q0oAxQTm$#D@O2-$K
z=s}d-?Kv?iF~ooBA%Nul?esfHvN4S$)@uLhT>cUE(yyrV8Kmc@$fed)OUR7+v891?
zGW5V=X_r9iEX!R%IB%Pnn)Kt!sH$&{?ClpRbuTOg3{qA_<?kS?>zQ}X%sGA`b=K?D
zZti^jp%?Q%$KOb9jA?~biB|TWsLyk{J))20bKz^+B<j?;u%cSKZ?3~X8nS7n90^jJ
z>!7sXdpmRKh6fj+UXpR3yY5bie{bPwt}%+<8z3uRd>l(j^PilQu=~B&(QNgNRI;jm
z1{KhL&t(|Ii5P-xyq7@b)MzKzi(8%3f6p2|U3cTeVsM5s6o&piwn=~w9A+T)Hv!xA
z<I;7m7`=nq?s#@c^G;JtVLjrmX~WN<OB;a7SS#*ZsThkuD_4Wr_2DK_YM%HRW1QwE
z((a*l`@%gUemqyp@u8kP;JR4gpMxTW{mcOZV$+>RX%25Mqa4vjVo(eDR$68-k6v*^
z2H8DMklk<gJILFZH%QskAFAXbCDK1liQ_1RuvXWw#|SS&TwMT2iQ15;Oiips#(y#+
zf6^?+2WvYQh&}K_hLi^T?k+gXl$CYVqH4_0!R2`|`nCpSU)owD@!G@tzJqj$gxoQA
zCW}Y>#iSWVw)SxR{oitBK)2S%21m=VEpc;-*XfnkU~|l^ZvTq7uQl)m_yc&eis$jb
zro)nlZD*Uq>#(1chq=Sv4nb9-0rI#P=&A@f?D;*V%=5j!fNv<g%@KUObWP#fMr&Sp
znONYYK0C4!%A*MgAE)&!Z44zK<9V9tNT&l;NEz6_RtGuzvusnQ6yKN5+$~NOirYRi
zJA(;8d|V(DzdV}s7PjWdVZocR1am(jv#pHv{E>xlSPe-)KgRN`+J9pVZ4Q2Yg*$LM
zl!lGZT8X_Rrt)V;Z~eA!SYg=5nkjfR2W|{;MoL3vBV3$jkJu%W`MtxZfiaD8Xk$5m
z{BO>pIRdrh(n?12Zi#1jX(`UQ+++=R1|3aJLnpC^L`L9*w}m82T}H7Ly6zdBmz*qF
zLLc0{W&f1(6hjv&k(X~j!($}193nNe?_)1?x*p|Ihy;zHm2DaPwnTo*N1qiFz?^qA
zF=8}`$g|7lE@OUe_xk)Eq+u3l^gIkEvrVZwEw)H;z>z+pnUFTT0}CU8NcQd(32+Wq
z@t5?&NvqZ*V05|buGuSlPAf?>n$e4!SUvbx1ygU+C}HjCn)fA{U>rAy;HYd&r)^`@
zCktuI^5-WJfoQj2Uh<~xh;E8d@(!%NPEg=Xko44Ce-h%D<HrD2;MOPCXPP)erQrdA
z=vupf!VH>{GJnf@zW4UxvGA>=+mo`VI2%$5`IoPo$|{jz=C`7N-qV*=oS$u5<!^kG
z6QCQ*iN0$nEuuSQ5_vw7FTqnI{VOD+93`!%6(H_C9iXL$gQL#%^ZDTMyWSAf!Y!Qd
z4_D)GjyD>I)je&a<0dU*i-d?tQFX0NNTj-z33O}vPb?ssvN^mc4f?9pmpe5yLI7@d
zAR_rf24C_mNb!F<YQSfhYUwwa=~sPva<*I2vlH-AYSF#BIQ@Wdo{Ws=baOgSZo|j6
zVTt^cnz|h1bg)Ite~;WZJgQqS41Mgm`VsyyL%_%E@1;NnuLIG1(xy)LuG^De`8PR*
zcU^{8JO`DMc{Y2~E1LC1INPyA3mngVs(y7o<VQ>I3$(4+XHy7`$D@>;8LLp$cgE78
zrKF|T8;6vh>imvzc>u(Mk|yb0wjd&cFX(wn9t_NXr4$ShnLc~!;-A-ZIho&h(57dr
zP4Qu=4`E6@-t}*(#>>FFzD75`qN$6P*8X{&M@mn}y55o?5#)Bf@0)AR#7CNMAt%+^
zD1F+U%Kg^U)?ihD^<X>#h+gwYLyelw%YG4X-7&Q`_9a_t`%p^bD0i%pMo7J}%t+Ra
z9d43rX*~2}{ZHYy>;9L3n0M2BX~cj6(utE|M6MhyK?O~V&{udWdZCqr6Cgjzn~Pq&
z=8R6uuM4?6G*vB+1l1nB%7DY<z-=t=3klM{k6Wi$GJdgH1Ol?od<ohHL%+AiTdJk4
z-AL%hKLhk+d^CU&+~>!=PY+*vedU$qOX_Xue^mlFK`VYSC#y*74=twBWnpaOu&xhQ
zW~dxNlQ)S14O2_qfRyoTLbcMYCr0K!gKfzgzv$D|zH<?7hF$hG)dFt!HYZgr)`J%9
zD&o6IuN`!iL)*f_ql5xcjQpD7q7KDa)<gzZH6xoUM26ck-1r-9!mE$r#<nJ*K~z*k
zM0gAz%+Tt&oUIS_jzqH~68@=kST4NDm^Ku6wnRUV9(;cHr`4HcR8&7!EtD(N*p<WC
z4F%TjLoIqm()D0MY9RQop%W=X*oTO$%~3U@snNm4!?*jPCM9`fKmC)6JmY@BhXzi@
zl5maXVZ%t$m*)uFxNI`MtPWT43Jh*tLk)!@i>PJ;F(LI}V(h8IG)3FLAA%4uRHEdJ
z%}s-@$=l9gSu_P!Dx)sQU?O4jHxmJMZ?&z1u$Nbe7gOAZzyu~oo8luZv}@*G++hkn
z!7=e*KR!{)Er{CYZKB!Usc1f(L*Kj6g2*$;FE8Lo;_a_$I1aoX=wjDn4e`CxmF1eT
zbkg|W#FhJpO6k*BauCqsD!-oul>Hs;DU`^{ZKzJVB+^ST=uKc$HaSwkK;Ah(^{X|d
zF>L@Bcp4j-OXn7t&r-a7xN+Q@+!)SxXg!UakTYn1q{3;4#$Mb0l<EH==dh!Ezk(xl
zcE6*Q0r62+<pTfD_*{^gHa7MG7R5Cyy%!R&=$FPUhp$h=iwH}(cUMsywO$trZc`Tx
z*z~V;EVMJa1}$mT@4b}`G0q-WRJ5^>@V_xG>W-8gyrzhIFASG*RZq^b&tK!eVWk=I
zn`tDANOOv5qi?fJb~e9*|Io$oDWVl3SYiW8^ll~Ml}+bl)j7wwk0l&tC#(j9qs-3K
zn@!y=Hm>Y3UUh{eBhIfppxYq*Jafeb*JTMX2C$T#R^}B@x``hy4`IT6t^YQ9EFqKK
z^c@+NL?uznmK{K*u})@Dul5$Bq(Urna^JRZZl$4YrOx+tF%k34pshnzaR1F$7Z~s$
zTgXN-l*~bDPk^n7>;<HmBnaX|W)mgrYC=HR5)Ji^e~G0Uw%BNLZU6hi%Y(4N3)%Or
zOZzL+Z|7@%_kM3)Cz=fnvM%R=YA+b~nkg5SwiIhf%ii<+$m@>m-Ap$%hydqn9jN{8
zcHt^wFeX|9v2WuBR+0g+XN$Qo!+_t!PP@*UXT~<Ox%KDxz&p14xO+R*AHY^Rc_FFU
zG@sE#w&1k51kr`b6hFh5RDMm$0fVu$9Q#vKs4qe6JGn~K|F{a~RtMVTIb`a~5YCfo
zOy{?mSc)x&Mij6Gj10iF!ZbWVNKeLPjr~dVq`QH`ykLIZD@HZ-^Jz#M$vn=*6le?O
zof~%J;CpdoNmIyA60dfFZ}FV60~ff^XzE-c?{`h+8TkP_ABKP?`mZ>~RwTr}M<Y$$
z;QX$au${%G42}t-nJL?b-2o$s+babHgL6VX9$OX}47o3LF2lsM1Y@Dp&*;?_X(l6R
zfs&L)CIGOMtQJ#qzDQ6`rkQacXZZ|Q-ycRU&HyLRa#$Qiv)9uVmNVy<EI&n~$ndE+
zU@!la8d)z*sqyuXUbO&Gc4-O8?$}2%rX;~dDn=266TonRkr@5{jdO_aX0-k8`Z849
zr6ZB;JU$6A^4YB$j!O|%8HpD$Q-6-iD!?35Ii3GEYr(a{nWh70^i^4{mt0~M;kAkK
z_rLgUe&2tn%i(T2zi}=#q|f_=gXh1L@V0uZO*gexmf)lvldaEJ3Grq5?7>SpwOhV!
zPT411caUT{Yh%lSI`sf%mna9}10btJ^|h#=xA*dyN_K{!%eKtFB`ORYKOVJ96PC~q
zs}lJWK&0L^{bGSY*}6pwP!iTFi-jy6zKhhty?>;IP498D5lLn`x8fy-eo!8hQo60C
z%f%w&M9R{XHqfHF)5D|2!7ah)z{^O&1p{l=z0RjIF;1@2tp%7c8zbV;`#nL>UaK`)
zmQ10qH~~YFd6F8o0tBKjWcLqEiLhUP<@%KIc(=xh;sgABAWe_hg11-SoCx{$Z+_6O
z&&>Q`N9$UFwgJ)rUFevoy^=Q)9vc`2MZwx7t)PFkPENglRNoqp=abVZ^hI*LghnT$
zrHnWJ9<+NHuwingV;Rbcd|Pt<Rq(>{o+e&yejvXc(;=eW3G+i^C64Ug^DOdC#ur}-
zWVfrN>g@r;;jY6_uOHBrJgD30F_c1^UHub&J|=p}AgfJGlm(r7nNV$)0;xXI%KfBv
zD;aJ)@7LVvwo{$1l7kY_HfL>TZZ?W<EJb*SLi@o^)1T8rTT?WK5{RR^;DYkr^sxuA
zFUJvK$<abfMH`VbtGu~Bn{|>`lcm!111qgjjk5+j+QqFunn^7Q_NEHCa_s*&A~n|=
zCEGgOhr`!`(3LW{0y*!5K8iJ?IjG3u8#zROj^6D{k`Lr#r<VXmiP=d}+`D-UO`8py
z?2|`GUVy*WQav97iKH*``JJy(4ZY0y1zX&|DL8+;M?;8j7MRAY@*xy{#%phBO09-&
zeU{fcyf+Y)5cH<SV*;@Y-(8wHadIV9M~d3;O%w#9x|Z^u?5zOA)EaH_oW#?@uS3SX
zpOU0UM~X@vgFPs+kaRVumYo$8^w?UraHnF`=G4=>`vPC?m;`S<cYDZVR^URj56!FX
zZ{JGAOKlxco<S=DLjuJ<-D8nNIFQ45r{6`-tONkOX9gT{FgwJkMsy^M_!Vs$>Bo)X
zs!3!cdn;jk3%$jKQ~(E+cC`$bPoLj&`&eWD;5N734yh%vJA_;jAmR`d)Y5b}X6+n`
zBz>1q52b?LwQm}K`z7%%bgDEB%9h^mv3Y#)@RMa5-B?$aFkQg`Qxd0ZxbHxmD2V9d
zXLZ$@<vKr`L06bsR@khjc0sEY?xfgO_Y&=((WkE!#dySu)FRflw(|nmPwjdAE%}|{
zW+J)R%Z_i5k#Bx5^7#g1qYnM;1k$9@@t#-@?`<zi?k5dlq(tPS0HVq=BpB(wT1ax*
zTDMXEP|~E;)4T-Pt+u)1B1BrZweqJ2=h)h|iw?8ZnI^cPs{j4v!h9d4)jt#kWpRVo
zSz88_?>9Z(+=P91Ds{QBC6ktNo3>%C#xA9AN5U%pIZRkW87LiI4WFuc5qsx;=tg=^
zC5PbuZD@UlaCNh)`vn8oel_qtC}g^+*b41_9a0Uz^O1Jq5(p1ow8pEjtMeNBgdDsa
zL!>uU{%2~Qq@!;Yg6Zz|G>r>RqgYWRouM?rA6@|Th05rFw$vZg43i?ZDSyiwCitt)
zQ>Rwj{Gx^ql2PAQ@HCO<3iBZ1sD|@*$_^fWEWs#GY|JaF3Dk5(_*(%=NFG;AjZ2W&
zs-X&DI;juq<{LB9J0i+n>Q^6rglP1tL-_M09+O?Bk%_0}={>0KaGGT8ij(Y9606Ov
z)O#QXGJPu~#QHtSQ2Q)egWQ;c+WPO3{xSGXe-m!1rEid?u~yi4uGi_~*85V4?k}MU
zE2*j=debkQGr@%dIhA-aN{V0`4n-}^pREC`ab5G|g{9u+S(YW;w)Y)Y{Ua6hM-~W?
zm~7|6`cx{zk}!6!PnXfSPEHqCdq<l=Y!oEgO&bO#-n!wqzEGNt2&$@TBInr6iWoMN
z(9l7SF~(2|Gs`3R8Gf8gIj*p)gBJ3pOL^ijuHdpj)7AdY?#2OZ>UW#Jexs|Z+S1><
zMPX;QUktN1ZlJLm$Fd*9{+B$eB<Lm<ppXGty)OK;KA6rR4;O_k4O)8=Pd@rR%EmrL
zN1qlAwP4UcN@47YWO0L56B}v5^i5q!x4F8o^ipwg_R8F)I!8L0aqtxi(u`+v%y<>2
zsR0VqVKH308YrfGa*2#Z^2Sp-c8!Pr4*6Sre#so#yxlYNABFJ5nbH77ddIKNp#usV
z@6q{B8(O_z{|*PRjGnRX2PE^80bHyYb5cxr(|zOr49WCe`1lxhJLyp(LP#r#Acfk5
zjz4n2(RT~R?U{KJv7w~+Z;xwF8!Z*5c+(P{Qa5)}xamUOZ5(`1W5`LAyUHuLwvcDL
zoz+K!gB@AM#}k(2O`rs5JKTEV_`7NqQcB)0U`HoEA#I{wF3S>UCDIw&VzM~7SR_l<
z(0~>>>g%GP{-hL1Q~c5_L>&sCx}!bw_^315fk7)3Z?h1PHnqw(i^4itc_cGppl-CS
zLR-t3?IM}?_p*yp=N&&<)KMa=5I-kdRdTX-`s1{N{G1Ix-YW0T(3zd%rNzXXn*Cg?
zM7!=wsGDLc;W0`v@e^xr<QL#gb1nkKWLJsIxRh5~{#ERZq$xC!86DeQ3D(-zwP}1a
zgObvCTuU9G(K9iFs_lXVU<%<$&Hm{2kFTJk^MmI|QDEQT-(I->?j6w#lHthNo1)(o
z-@>qlV{7I&uC$Fz%Dx-!i8^7oKln7RU6I17UJ7=&I2!7Lt2!m0@Ha*u8fRP5-_dRq
zwR)PJe6<~rQUJ<&(w>CuQQURktkQ`NUXKKp?4<U_LaC`E7b1%$H%36Aw5GoW+kFbn
zI=@S7feIRn5Y8PICAXbCuI;HmeZ0$oKkc!>KMHjl1vM0kpqxO`qmD$}d~NYcBK)w-
zl0s>__sU&pl+iHdv#LSKL<utn5W})S!jLIw6V3BI3=~m9cg0V<H#fQ}jkk%#lEZn@
z+_mjM9&!c)8Ma~vU=EANuP5Iqt0!|&LWa4AXg`h<WeH4|{G~i3mZsqn`Yw$yRAkno
zT3fto*q*^MMl+6(sGHqtlfcWeAtbaS%%7q~S~bqb#8EfH@d0DrP4vujI!q))dY`Ti
zV4Zb2Rj$wHrK2z7B|DH|;m2@imuX9j`$$f2Hf1&SDx~4?R?~*=OH#6z@)e|`scRl&
zst>)n(8f!9MYtcyqr^p-o1d92T#oN97hn#!#*aJd@DKFOWOxNG+x?qpn=bG1tVrYP
z3q(N1!VF5!ejCMwlaS@sDAIw9QFq3p{EeeTnM$UmM}&jWEnIPr__C0)h4^S7RL<c|
zTb)B&rtSX$p-YR!0N)NV)_vU3x{{rWhbFb!9zqcUy|)!54AF<{rd0f{M&3sdiD1ZE
z$Ch9tHtEy0U<P?@k2kmC1*DDXmPv?8O|g65|9MWDQqv!Ub&|8<D}1DM{~&OezCJZU
z_zdvvbspuF`11VS=3cS&uDNuzO2k&4UrC^wWj`32kaY!=WEOgFYjpq4eG{>IWUl4(
zjgDZOYg)o0wnEU)Bm!Iv9%~UND`=rUdt<StA;7uE*w!1?<QU7#%{*FTib*^@paJTo
zcd>R(ox%^)F$#AGn%$ex(7DWZb&i;o+C-L5fzXQ3qsp>a!wVHj1lft`R5N=F#UmRp
zU2m|MYXK|-y&>TVsvA#fRw@iGVh}9<&qK<@kyzUHeWEYq(z`!VQ!2*y8(8ybKr?5J
zFtEg&c~YpCq|z6}7HKg%qD#dw4)Z>iTN29+qZc32RsRR_=j-`WV`k?&GI{RKn?quB
zLMpe-+qunF!mp%D0-03Ts3DakoLW*Ujyg^O(d(@5qVIq2NNHLEBZ)$*&iHZeY;ut!
zukmIpZIih@OW2Fp-lCHVeEcYk`UG!*7%P7LYLXdM%@=I~p>E|~+k?l#G(b6m;)S8O
zq0x*MZV<G}n)c5x)H`78OO(&4bamr&3JGi4dZ&Cr-&PYF*5KuY6S)GRxG?}islq>-
zfj$%~bON_${mKPa^O$cRu6Kt1qVFmlN%=Vd3L(6u7i@X4-}ZkPqw4=){pEIZ?{BkB
zpF+{H7oy~Sw;2-kW*#9fwV<na;bw%cdNSQvgc_CHSHYOWnP$HhY1;MQj|PXF!S|!u
z;``7@`bnhTq2+h<n2x2Pi9{F*IZjOH@3eCI+ht>><%Tvc&RnE@<VcjkZQu8)I=OXQ
z<4By7S5k#(EJ77>-sg0Ddj$!U7JL(L0qgtI8QEAse#p;P+NWI9$)tbnpSpgnY~8Mr
zH##?^R`wvrQ(%dnLZR}UgL>!9Mce9bPr!z4BD3mC>C=KYzv!9kSXq_SG$K}!>{T+p
z{ApAAq)}HN)kb5TxL4ru%EDUYkQ7kU{R!N-7hC|6T;w}@exT%xlhH@tCw%97&O#V>
z^3_k5Mso@e7lUX<&yu?+y{1RV@db@{8HS%$&S?UrUYH(iHGGeVcA`&`yl3=uu_@{K
zBI2caG(V9)tg5#k=o0tPWE0KdFY#&jsVccuc^%o_vZ#|?vGd!lYTzLb@{AQ@^qMF`
zL2(fyf0?>C<^3h8%#HYsKHq?mf?}nfD#jsR;(_CqXJa?fl!fh1@gz-w5uQ>g`EVY_
zD#wroZJw_Sqk(-^8_)&~KzkZ%a4+s6-o0q=G+-NkncHYH=0y|~Q}L1Cm;=*6Cy27`
zj!4J{Z@JRp1!auL)qL&DnTW%jh}Z9#LMb|O_)Ro)e8~A`<*Dvs5A|q4Qjvx5NFe?)
z;oi!jH`y-c(20u;_v^6%H}EI&h2A%U%1XhDcf=>SUVo)nLr83X4pXa3*(xQUiu%UK
z1X4Fv5VtXwnOas|exYHNHkEqE%4y+dNhPid^P)1hZpp7n5(y$KaxCDYabdSuqfI>D
zWH+Yy+(**;PM3A)Gd7e;@wJI-QBW7>3A;pE*=iH=o5lxy?_g4$Yk)ZkeTE*?Ohe`P
z#cxC-Dp_DA=}V6ox>_A<gPT@8d1r4wOi(Xb0xt8dTQ%P7#0%rC=cYm3PMJ2Z-2gvM
zUnT3lrSSOMEV%~7ar-@efBfT)Ys*i%z;BiNxpJ$S2<713ku*{n0l+(yh|seMNAY*J
zb2ITzq}rSG$ltSh>3(p!)1K_5;b-a!6ui_r@3HR<|9x4z9dU{whQ)(#V`t@C%iK!a
zPS)jz3wK83-j*uw$l_85DC?7<h$_fy+;1yoFd%^;2PJNqA>ddvgeXq6L%b4QVa?+G
z_(yQt{?2ylERpjzJ?=(aLc$5FTvO|(pyBpE=sb#5Ax!nzdMdTzg>^_(-QT_i<UPw=
zt^5-=%^}t#W;2Kgdil<&Bj{PA@tcD)r;l`|!lzZzJW%~T`w(;H2hy1k-aLvHyp(KR
zeQIVZ$*59OR%u)N`;2Wz){kpM6`SSnQ0bLf{LJZA^q*Ow4uTP-#4>YzL%~{#!g0;9
z?B9HRni#SzZ2F8x+=X?k>3w``6zbf$w$(otY*?}iMZ*p;NyhEHO-RPKN2h;kk6!&M
zJhI=3|J9xn{F*6BD7z|R1q@(bJ(c(fks9eiky|3QKDz>TtC^_c@_d)ZV_y=Fj;mC9
z`KcNA2c6ELIuj}Q920uTW|>#JIi;U8TG^pmb2g<^d;rZq<E%gO6c7D^%jOsR-{anr
z@Vaq`tPSmJXrOEC>@P2nY_i8ceaPLTW>gz%dul1%_7Rqx{E-FM8=@k8=Q$LS4CxPf
zQ;Kfj-%*@=h-tTYO9M2xs&fm{(I*MD+=v{Ok}S|!MO7C4NA|mNFjde%xC?Djk1CSj
z6~H4oh|EF`Kf{BsDXG2bz8ZF%g2H2^q3vgHkcaAvn~JO+s`ubsKc|XHbe!6Q=R2P=
zI&z5&2mKMSR7{R)NA`|)G4+M$7n0K&(_*~K5RaL#`}swKa^3Him<(c~!u*#Ey{@OF
zX@kB3sepI9+@>W}%9l4v$tt|iGy<CRASavqPxzxFay!qZ1b`!!1ZOTp;#9iZr5XC^
z@>uXB-^7$$Q^^&9hWqw%&Vt#OeO1yK8Y@1}AvsX<^nK=Y<|04n8WbXac1-{Bl^+Rp
zlYy3V$0i+rKrJWEYC+*o@&0%&yk&rIKN2@Y#@Bip61b-_ve7k2?o9T<?Qk(}C_g*4
zCXBM=a0~8rzi<^pE9+%d(@!IJ$AEo#g_U3!LansX8Lzde=OSqET+{jRJ*l|;0`Q!j
zQ|v;q&60wWg#DE|eDK@%5#!A_yu%$<o~yp3M^>jBO{=Nwgh~IG3*fa66M^0Mtzl6F
zGD|QuB5g3X>?aipq#y5alIX(o^1NU40RRXW3I4ZBYp~|3pjAm`7hKa_wB-<56$tmO
zFpdCdR_c`#)JFR!sgAbeKBix@j=h^ydh}c!x0r6;{qD~PC!8{Ld}wlb$cp~nKG}A#
z?|-<`Stl%?Os_|Hr_$C8<4Cvb=uet{mbX52_Y^NC#I6y(NMSnK@b1e{MNK`P8|F>p
z<EzPcj}_(4mkg28pRW$kYu~`XqBJ9f^;3Hq0UMo%W;yjPXDN?m*<-Ve&901q^(v?K
z%=4)&6W4S`$2_eP7SVYSu1S_TV*0q|fAJNUm4G>_awqfAu-}h*d6*pwK|-!jji>n+
z7HCL37Icw|uFUNi<TEkEK)2-6hhc(`Nnz9fF3e_{rdwMMZqeKw;&#>$-}JmGmm3&#
z<u_6{Q9e<1C+5)`g_uobJ>MMP=m3%UtnF{B{NSzd{y-1mexZxfpj~Eip>+xZj-A@^
zwA;DU7FBbJpJweKS-g?4Y2%DozxUU(^bDKG5S*c|d8#ax0>u}oW&b$5@@xSe%#QqR
zNau58Z3=K$BzRNLnaF$5Lh61olqAhvD;+ho(7O9mS(J&7eiO-KUYLi~{Np;Fz2Qq7
zuhLP)FL?Ils{kQo{hC~|yT!yFr$ng&NuelvfI{ba68H39YpZ?BD>B!pA*I}Ms>$l9
z-0o-g@qEuhcjB?RxGGW&P(wt%=q|VYom1@d16JUS_xy_O63KKDU%>tfV%=(I8o<6<
zRPXsZz@}Q1+DN^I!f7~2J8&W9np8v?+9<o3LiS6gd>oLHm~Lg3ie>*O(M+g&0g9%W
z?@9^C;`Ye+hVR>S0SPgDTBk@{@{paWRmHu!Jb#~}!J(sG`B1Ar1pDwWlkilNp|f--
zo^s_palu}~=#pa4-aWlT{77lJX7#z?dGp#JH*g32r#@Ciya=p7#7uc^>>n>N&=pSf
zRQVtpxaKvUW9QzF>&eU`teh;3Rku#p(b#tReWH5{5#PK8qoo9PHss^0u_iCC#c)+p
z$8-W&1!0plS2ste{0`c*`~6R))A%cRHcZ|<*ge#JX+h0LWf$o3OtlmNy{LQGhcDLq
z06d&240RWCd-{Y)l^VQ5R#r8BHD&>>2V#dcO|GOgexI))%q=E=<<(K<@jM4U?Hn=@
z17zuyNH$ZOtPTa}bol~(VdJDXFmrz_7#UOPf`D=SwVvmWK&jG=2x$k_BZU*fX@;$R
zGJ3vCSap|I#fkqtCqUG+j7|6-o+4?RM*Q-F&|LZ?WUsfgs^i7uc!9iL7Gn~^;49Z3
zG05z8dK&Qai?3dPg5jOV3cLh<C22URdGn+w?=VFzw2H4M)HnXI_N?xGqo{x~L@8r!
zy`v-h<bhNd2DKVz_pvXsegOZC3(ZoA<qf<nyw(8{7<TIUSH^NYY>mhr7Vzz5*l^8V
z+~Mo}8+yp{UZ3O5`Q(DYWeP*b(7!CAxZfm~yTA9tr<*_6mp<OtUi5db$1rkgN%Orq
ztY|Sb0$Z59w@v}7ROy|^K+^&oTzMpKDz9Etw!Z=%W*ZI!9D>7cPKyEhd<O;N^W4jb
zZAhU=(4|f}#~N?(HhOeu2e0E4Gl*B`3BQeT1Bz3=T7)?x>k;m`Kl)O=`g|bDeOlx?
z2ci4O0KZM_14!>Jt1m;wbZ`_4e#RV=<tFJ?CW94bbK}{j6Bu2&n+L}2E#mdvcSCnp
z-rR+TdVDq7xk6PYhv-*mvp};!^2b!~L-gxU=AP`8Sy!6A3mK}}qm12Y8<xf{z2rad
zp7_q5o<8e^(2qAV_887|zC1B&j&)0X_D8c1-e84k=M~C#d4S=fwE~_=wv8@xaza{4
zb@bd<{~UCDmTXpRrFS>}c(c1qxb!bo*yRmQdZZq}+x?+&7|ac2EtZRCEqT>JWDR&X
z<iGamQ>@!Cu9*L#*rZ@gGB#bT?J@G2&mszfR@vvWZsser^>Xt9?`1)J^B^7h`Mu_O
zWrrs6yuk5UQo{}V`LJnNY$QE_aM>kuH+W-95b(SvZhOF~lPr~9<~&O9c@c85(n#^x
zMpE5$qT~M{zKxZ+P(T0i0>#ID5P@_^&C#{azd+eu#~4EDxbP@LQz?C<ar(jJ1jgcH
zj{^+S-u0$*oSh*gU`o*|i`<kdyIw23zN~orx7iyT$Z!>k<OwRj;&?fHdGaJ#7WQLk
zk4rmMyF_{ry@%WQGj41)@6u88ziP1G-w5SR)trt^x0NocBlT<Qy%fUD0nW{U5yu21
zmYJp-vuqm6xg`=nZTdYH*}~D{37VyL-N&~rhS`qO(5soi<r?1;?;ZzmZjqqxcWFrm
zeY3D_o5iRbw_wGAC5XeA{c`<cHRy|m-SHIQC+M=lXr(6F;a)yh$Y0}-jgr3mBkey{
z8DB&9fI>iCgS}@FUN&J-nRMbfKinsAV`!g{;Hs9sR6?e~uF~ME`<5)udb?beLA^vx
zRjoI_-Lk)}gCo!?Ug^LFH=)VM<@`c3nLIKI3O#~sSd3n6pk-dyCAd7K?EPZiX&Td6
z-D%*pS%~CPnysJ9<}o=K`5W)C*(fdD#%5*$DES<}T4MpdwQgj;!RKvTU*2KA+$(pr
z`_c^5vxz4MJ{+JyF=i=v>@FzmmNjjF^KiyxiXbaY@9RDGZj1AyXt(horp~h&S3Rqb
zOP4v+<04P!_6sIvdBDqAM8=Dnhw7PpFA3)Smt;fzw4Ln=r@gJTyidAqcYj-$#zFi#
zZ;xi=*{3_P09B$3#UfP~H2}mTJjD?`N9E>-h4^d{Z9<1<iHgd@jgFeulTOJj9^YnO
z7?5@zxBzU#U*IVGy)$C@uqaGpmG7OTRjE_vUSn|(OzJSFi>t4!aWWlz+S&CDq*YU2
zr5kGMS-Z0sbNQL~U4d;lJW{T1xF(MBXL`Q3M6|u(59Eu^4e;qfiE3x(jgimDpx)W8
zMf+w8DXTJZmf#`!wqI*+Hp{5{e#hP~$8yH2ubq!aW_lK@G&d;IqsTCpt&sQoX_U*q
zkg!Cnhbh}9hbX}dztKz-Tf9Fn&!`w#5r$qXT*CG`{Z1{O_jeH6pk))bd~dyexmU5U
zFf~WVE!_9B)uKh)eQA_=N=!B~AJ#9SI6H_RWM9%zA#FCfl5U3|x2}hc9#7{S|8hJ8
zWm%c&yJm$1xbp`7NlLfBz8T#2*lp~k!>1@ZWN(pO#jNts_~Q2i8FSAp9xKo8LP^?(
z8H0jHiU#>g+k3?c!#;19W^v9Hx;7fqwwY}X?~k%ub<G+sjT8LG;(rR30yun~_kFH~
z?kLp_N!rHk=q3!X>Ow23|FoC4=(6;1Odf<al2wozddbzWD{B`c5%^xVtXapXUvdqK
z(;pl`lxE~BDyzLOJ_Fs3Z)TSc;x_v94y(53C|3003;RVI-#}!rd@X515_p*Qi$wFZ
zYfnkqh+6TX=S!)TWqDay?N0}n8;g278H3j@{pEU$jyKGEs&?+cxSwEMpl|52weoHI
zZrl><s+N&r=Fg)s_rJAL^8R<F_fDJiD`rUYE%r^wcEwDXI>fAo)$sY1O7GHm^)7q%
zj<!5<LGNaVt~$B+7w__uu0tRX41Q_?t#EMo!ReuW2UtV2(QRX5V>+kPiB+LJY>cj%
z^*H=^KT{M+VEn`kd^kR3K1>Ynlosi--lgEv?(IoTEbQ3#xY%CeT|YBJqnK7lqd1!o
z#n7^fX&grB7=*7Y)=8Vj)sb?t3wz|p#$x#<(;50gShJ>tPi2)ny2dH71*(&eyx5vg
zT`U!_7(91ddJakzvIEOGHOk$2gG}WtvoP}E8^9^erAM*RG`8t5<!Y!Wd$!pwq*-3-
zYoPB2oWcIiF9fU%I=0`regdB^o9<2^`Sj!!rP>kVWJ*3=c2XKtBz9KON3vQiCHH!q
z22SP0+(?r)+g@p|Qf2wia37x*C~lto4z%RsH}pGX71BBuwnKm>B~MJZanb!^sDe7Y
zv7Z7(=T8Z-gJF_WZ*qMnY+$uZOqw;YI>Ek!mcF4K-WdCisiBM2`;gQ9b)>+V{_A&K
zgl|w669&}T86*7$mc*ZBX@k&(2vDnl#K(9X)0WrdkADTnGkD|^RdHqiHm&3%K@a<Y
z0dazNEV*}yz(zKMf_cK943iUsyLtY<6tkB7elILQzGWBF7vDWnHvOsHgxL?r!evMI
zs}3E1f9-BAZ4qv{)b!syZ@Y(9wH$nWSm`J*ZofkD9Nu0ixALW&Jek%eG;nKvZrpQ+
zcLg+A`W<Iy!RaR_Y>+&1H{#exuMe)LckrTt^(;g>I@So-LUAH~r-0Dop`wmV6{AE4
zKB9^y(5_miP3N!Y>-T(1%j8wNu##C8&}yKx;x*CHpfcN(i|3IJ*2S|K_;4AGefnDY
zWIp6(*<!boHgy3bBNI}83^v``k<NlgurxL&Ws9=3n{T)OE^Qj?+<_5$BMtJF%9QwT
z1QX~=`g7YFSLfa4uj)Hi)y}DQx<OiM=6fE|L#6V6p((>FQ%CcmFm1c%gudr2-)A!W
zMa|PWR@rOrUyt8>aWtjC+ZAf3RjW4hZd#O!$w=@J7TZb@y>_=cz{w4X|3g%ADyTo{
zyxz1Xs4~X>xd@r`*AeEkp0CT)jHY~(U)`LeRtv$x6)aU-AIkvE*lw{2P5}|p^FLo&
zIdb+MZ}e%X{p2FflH}Q9*nue*H48l9na8c}x#sEie!#WNDLtL1Ka}--cLpb2X{aFU
z(Bgba+AsC3AQCzhR`d@H&kMXXWMw6*)PFf=Pc_1BYmTy`Ij;dt;xD*^!r*Q$qqQTY
zhiQ(wwKj!K0=#<J{XTSYfPLX?B3@-u`=Yg$6`y{)qc2dp-y-uq%Q2+3$<CtPDyh5?
zr6qxfWVwk=l$0-YnwpC}6>NG%iG7{EuOGpj{#DKkPhmJ-$rOvdnFpFo9~lVmK(&7v
z1~JRh%wR>GE45e^Dh6-cr<E#A4vVrZ@k8|wfS%0Rv{loXU^1aMGxqh}acQ*}<j%Mp
zZNz23&srcL9AsZqM5p~#XO@kQ&Gpals=;N!^F#T~<;}}wpgzg_I>%qtl`260kl6Sp
z2WKe1O}7RN!m*s(TVG{5Q5*efUPi7iYW~<}0n?`is}A#6l=7+LFGa4d72$2>_);WL
z`N;R6>d^NW@s3WLboeMgA75dSub`sa2i?GKx$H6q9#%*&xh}zY^UXq+MDV9X&!(de
zd#-*&^tvVVaF$x*ysCyJKA1!~Z(Z^@G(R`lU*?97FrlpZ9CZo!okfUPsv{xQ-l!t~
zc>@!8)%`4s`><19-!5fyeHp!cB!h$tUlr`=2io_>xE%(hnQgKFGwBwu_1P+qVpDk|
zL4TOMJzf6PMNLKt*Dnmbdq2v|dH^D{@woZ4^ix+(T|9T3P}PB64Q=4g|3j9xYvuD&
zvwikW=U8L(bbs7Gk-xdlSK<pwe$@d)+|~(v0_UpLzeYu%s!!`Al+~P&u4k0Rn}KY5
zco(|;VUWy|>fs!vS{%Tqwpgf&E!jR^y+YKs^0};{C5u+m`|kNlI)t45#24n1vv7aZ
zMAy+8IV;_az?{7B6w{*zw{j09eNX1A5O!dD)Y?=K%EMn@U*9Q};~V(U&RHJ^4Fo=Y
ztRh|hmpS9&)YwITo(%}<k2BLI+|o(tL+<y+6)n{zCj&045Z=(%&+hoJ+}|hK6&Fu>
zG@jaz+cN=1JvH5P6~CmLU~EJ051MvQA)V}YGx34vSiI977i|;mw=4f3fm2;8^arPo
zZ9~DjTF5(d=PB4r>nir{1Jf1ERUHmvZ46oYC%4@l;@bz|8>VO|FiCH#SuCmxSodqN
z<>Um>!S2%O6ASd7y=!bZ%Xf|A>!$9ColTTUkeTdBS4EE##+x|Yo2Rh}7jZGO>pyh7
zZ0t2>JL-RGqr+K9nKqI{SAVOCc0I|$&jSN~C0@6lGm-M9nOxAD>z}c=Hwy5=n!>41
zZK~*-yPmC{HoA7*FGQEY<srVjHPn?zo=<8O&ASJLE&fK~6ILWp|L%6hQ;MVF{O3Ia
zi<bDJg*ro%&c@}f(>C4@W_leIu53L9mit<&jO=`q2Ta=Oivs-Ms*mH*Le~{l$C{@w
zv7HphE0sgjUd8MmD^hx1_5v;B+WFG+xDF2e5-)K96IXPsEyE!lzL&%V-^ZisqPys2
zUgqcLLAw*V2XhtabDk%%QFTTGHEioJEC-SJs3_E$fZGF*9Z+0)7uoaKZTHfecX_MC
z;k)+XO;1<8Me528-Tcmk%Xn+rsp6$qovU>t>rpdw+GF`{sLO#s#m1q3iBo^tZw$Q1
znGN?Fle%gC>r>0UfJ;gv4mb+S_TMeu?Y}-ozscNlHUPz!zKmeKNOE;O1IP1yP37+@
zjqX~XuhzA%_+GrS0Y1&}aZJbJarc;9Pss7_)2`iWbJAmz58IlW9=D4>DtR%)lIC=;
z2~G`O1=NZkrVn<n;jr`Zd8%w}(Vs6q8}?6dtiYl?#<`Ur)w%>u5uHJs)rAKByVang
zdEkj4>l}z?U{)GLaIkyB2Dy2;iMMMlJp8alP!aF&!q?eEFaF}UWW+q)e4LwY<^XH_
z*U;V!tyZ^X&1Wk}1|4&2BWe1#>x$OV8&CY+apXRobxzbAemo4*2(5aAi%7<Q=RLey
zA%)L3A2+A~o2~-N8%|@8g2rIL2Z?lWt@jc~2Hs&}zL`3C>wV2rQ|iTj?Xjgj=6slJ
z^Qo&xb%#`aUH}1yvwKm6k^bRx!pYONJuHh`L-an|(M|Z0zFpktJg}t-;Ct<L71E(f
zaC*Nk<5}9o<6V-EvhZL~T>P{_M=w}X(J>cuvX3`CDEVwUxqebz@^Du)2&8Rd<JJ8I
zS8N6y_p^I^si}{?a;ccg3%LI5i`fRi>byIVeZaEN@9%Nctlo$N8c31=4YmVIqB|m@
zs|3yFae>kgHxfpUr#pt8_<@N}5`?FwEcenEFI^85>THQEOAA7W#ICJ_JQNqlrJJ8!
z)>i`ZO;@uMQ_Yf9n!0A16=-TYqzuBNV;?R~$QtDp>UEoaZ$#XdZ8}>1S@GfSl|4Jb
zyM=y<E{B@C*}UWmoZlC_lb@VOf&B^LlZh;KSK60P)$<0~g9mM|iK(Qi>Y?aVxgn&0
z;abdEX>aefgKg+3u(h4)8j!eJwX2Z5$uLNYN%$Z#U$$?oG4s*>zjDs;p;Y>5UxuIb
zVTB-C7q9MNGmIq4o!6$O!}{K9^OgF)RIQl)y5Uni>v1Ps-UE^09PnXaCu22)Va>;8
z;93F1S=&wrpt&}%^kiHj<6=FHc{GiE@blbl5BW^es5IF~Kh>CRJk!}ZUN`;P<f97&
z0aUGCd8X(8!EAl+)q!1#G89m&d^>2EqR^c0t%0Oa-)k*4y22I>+flzotzu=d+O^Ah
zzYqcEMoI{Jfr{yB*ktax+j`u_bBzeCDsXom4v1??7pxXY##&T53N?sABWS7qwaqub
z)Y{{-UPs#{CcPVWy{mllu44i8X1=2B>84@Z7qb3uqpKl2ulqlbtZ7v=d4qSjfF(TJ
zrBd7X2xsZqdUe9-G@4>qlK{`@YmQ)tvBz*e8ZtEH7;@kVWfq$B(I9AS9x<Cgg^`ob
zak8oCTVJF$v1nOI#wW*}6T{=vZkE{Xm()GDU<VkUTwIVH(!*Ok@4YSwL|TWcs;k6~
zkB51fTAKR@#lkfruntfKuS1jU&+z;mj7(>QkZXBT(F#!KVUtIbR29<KFlB-9Fx+^%
z7w1#Qn}M<BRon+~V;iQMBM3gfkXo{cI~;Xf`l{MdjEbt)2^1=M^1$pc>}RoipJl2{
z`WGbn-mq24`zdVi_lWBz$)|k=QQ(!{Q6W_Gp~s^;SnR6w=lzvqpjC3XmM?tYF~jrO
z`N84|RpH-VnWQg#84U=%ViIXHW<~ilg@g#P9Geyb1=g%So?Cf%mdLDU$)##S7b|Z|
z4>lSs-FqqOWZ%W9^dOQ{x5)iYON3Z~vJ_n&69DChp@z`p0g@$)_skmHPBGQFRu_yC
zj^!}qmhJ|HZr@vPO^rF*1x72Mi`+qws16n)iW`fHF|L@A(@MGC?W38`%iPcF%Tzqy
z#xsP^7FScL+J+$4pHkvv<bhomM(*xve$8Lp>XA4NUsU3k@6cHH7u83gt`Fa@#26{~
z_2z*dO7D9^X;vNLpNriuJf$e_-s9}&GPboJWo6^o#CKnIeOca-Pj;`t;)X8T&5-i`
z0&_}!rjf4Tr@yXNy@Ab3tY(L0x%jsRL?g$MguA+$w4Yo$5E1p;<2)^mKU1P1@PRvK
zcTD+JOt|)!a<>ECB7?+MDLnG`ZuN;ATpv?x$_`w!h5ggR;)osN8Dk-Xs%A1vaxJ#2
zL0=9X@`^<K-&;@hblD@)D%I|+S?P6Kbf`6;@z~DFke~NNZiWk}2*_@&^L}M2>+Cp=
z<jnW8yx8N0;kx_SmH`r3NAs8#=j7*l;jqTd?^3a(rAJ;zaTv;r%~cxtOSRXv00FSo
z%QJ~^LH>B*%$xwm&NZ<E?wCuwZ*{W0QcPVkc)-82@=PUYw$e{AEBLDL%kSVfh|<&v
zrmonrL?Gp5<FB8B-p#o9Sf6k0={)ftd%0vO5&`r+8`ZW~_N`=nsk$Nj9c}&&dk;Ox
z@CkYJ$*tvcX>C5;lJYVEY2L=1bpK|vl$IMA3Ynn9KK~y)U9mR^@38;prK|GI*Ccl4
zp@)zEa~xZ2trhQ+jEeyQbLO}IJuQfxSu9~|H0oc#|2Bus&xVAOM3z1%2Y!7}P%*AG
zYPg1>YI&Fxg@?aeupjFGbKq0r>y5N7`*o)%pT3LbAYG?-Rpi4xvYY)3iFbJ#1phzF
z?cJ|Fo)}3TQ6ZvyavFQrSD0X1!Gz~vCv3T7F8(_G&FlF09>NbtD~(doMn*T1jx^*!
zH7u__GUL`GzFJ!2$B~g!Q&X#-nNgcl(XM#qD4c`xxn=aivY6y+_-O&l*hzdkrFFeC
zqZ+E3@aqf3Sk%zI6;L6}HZ?VMQII;Y#lKj?YH5!Fusnsm81|&Et9pX*QPAzXO7brz
z)~XPHyKeGlssGxipc5(;b<OfGpuit}byn9>uXR723TUOaf0-c_==}g2k4MO`KN!r0
z_wc2g#z_OQT>6Sp<i~%m!D$(lmY#k;c3b&yx{1=-NHX<{OO*SL_l4U;d2)(*+e$Ym
z`T278oBc}NQZOl%#rDmtK)L}KQW~eF)~Xc0;-CHvfLvia{9dnnQ=O4f5uz+=bitlg
zaWqSNyxOdF^R$nTK?zlM?5xwv*VbSz-F*WTenB12;uqe45zT-`2@Wy`Ys&tT2n$F)
zxvf8rx*wDzrmYkV#y@|}=Ow79b4iEV!`KLiiA5~4s&DW8uGlBE7Oj@9wvv?(o-meX
z%gimzcR)jnga_<9Ip%?N{~Z}IPh4x;vY8}N(Vst=S2YyHi=%wf_hy)@XSNanmwje|
zv*$O>Oahy(PmjBxIjboR|6S5_1_N)gNx;Pqt?B^fCg=xVK!?nHz~NHX7gH6_QHqCT
zF~mlE+_KsQ&DZc2K#(fwWyOJ^T3wITLz5!Pd<KEJVFWxjy-zm>#mav>$LaZ?6-t?c
zyBpr^&-WE`d{t^#fU^vdn)(htSw&b!v4(t}KEoAR@nLnxS1Sd|pWDhSHS`3XJ6F#r
za~igg_Bo$`L4CoyoM?N}`7&jf%#*GQ%&H~)#UWpI(JE0EuUA#1yb4FZ3#nKJhuKcg
z<?<U(ibj8#nchhc+mRx|Mm~eGit0AibR!OZ(iMYW!+HMG!PGNRR)p49J8!c*x3Ai#
zubp=q>;8_9od*l&I{ZQY?{m5)kIHR3$c1(}<yyh*KVh_&&1YD;0iJXlChwk)n>^%p
z8#Bi^SrSKjlHSW{n4B9+9%gPUS5jtgl~-m7)Q9XClpI#K$(1VQgZnC%+1u<_;>7e3
ze3BZk*4STn?$ZLIqT;oAHf`=5;rt%RDtAp6{WS3x)_=5jol#9?TNolu7zDwQr+~C5
zO$5ad0WqLdAs{t|5>${-3_}M&kjM;00VyI<0yy-TfYJ=1DNPV*p@~!lO9-JzCm`>N
zW!?<y{eSDN<kwy6+<VU1XWzZQ@7wq0o-O*GV6Vs46YC!zd2|H?&oU-#(!FSWuA3Sr
zF7}qhKqs`mO1e`QDRHr#_Oa~?Wzi+k;>n5w5qJQ!(3x2{Ik`_()zbS|rS->5)oz>4
zPg?BjZ(&>c{neEn6~~cnLN$M0Ht+21TTrwh``RDSP%;tQ_>>$N)E<#~$~li+J+;?i
zE?{JXE^IkIn$`LSv5xHrUX(&yD||$FTxGB(cR*D)?6&vG>o225X&YhN;m-mZG0Cc!
zR<5c3%!~7A&LwZutB%5BzO2cv&tvMk-@w&<yJe*dXFuzh&G5HBINsCt?74}Gb03Wc
z`RF!ANfK(m?Km|#lMG#!nP&qs6DsA&i?5j}pF1Zf*QKiqt1zVB_VNP0-Bf@cc+sW;
zp;$|@6|M-m=5VV4U#M1)*Xxtk))<`AdL%fBW0C%mU0+h(pr>WtVew@m4MXrqT&bNb
z^Wlvi)J0`Jl#^}ge_k@OymtJ}Z^2G&PiwPpG6q#3$Z_4b*24E477{IPd?1!|t5Cc(
zVebQ26I%RAKbPdDf{UeFUzGxz=K7y07z$ZkNmaU@YOGHG1%6OD=P+OV<~#fES@Y8#
z5Kvb}!r>P=M{nxD7|9U7ndGxeeRx7~Up}W~jgc_DDX+O-^%dTAPr>PQ;_e1R^11!5
zBPR4i#alfs9yqcCc{(ye^SoC$_ky(vA1bb%cuExsf4GZGTi)u`3u;JJN5^t3Q6JXW
z3{VG!#ug8rbeD;?IY@*Wq#YK}a#=8Qm=^R&o%Sx$nH)u*^Q(`6PeB6+PDY2EwD_Q&
zHYHA(_j6ET;e(9&iZ9^zSJ5xmbIOi(Z~C<7V;zk9VP66sj0V$qYe?@7Z+;Leo~kY$
zD_BE!#=$G=0f^jA`6K7E3}RGFX>(5mPkQRx56Jep38t$`8|>1JeGGeJ+&e`lyPXK2
za~MyL;AQTH;ao86Vw@=wJlhw~^FPk|{f=RoO#&v;hzO4)hcNQhX!yFm4dv#**?_7m
zRVyvy&LZF@a{Ba_Y2~!1+U+$4^>UleHI%^pvOR$z7B)(a8m<8Y%Nmr&hep-#%b1?n
zFo>E&@l&&e6G`X^pL(jQ+U6_eA^IPigZprmwPCpE>;A@<728vT;+=5E5qu-_#er*m
z5b~vtU*3CsxMTVb@y&T;l(>{~&k^L)wBu9_-{u3N>5Qu;9o|s$D^5afMs4O+=D8}<
z!$hjX`qS3mX`W_CWG-R&bgq|wP7LqO8&6o^O^Pb-M8Dp;9&7|wN?wGXcgKj^jI@F}
zBBeigqM`f|#Kk#w8MCQra;98AMm9yk^H-?t#|ggCuHd`NJxJwdw}mwMvekA`wcszv
zmld5>*22=3mupr(GWz6K&hs8K8mNCEW|8vw<Ywb;KZJ}88V50~3mU(^c?62|HqIb4
z1H@#EWZ;0d&)L1{J-sJ!D6>LKU?9K?=6<mYj~46xNZoZUvR$b!X|@~K(KX55_6l$A
z_`bucI@|auZpwDz4#Rnw;1W3Zhn|m#7tYD}fC997C9FO3HSb*>NSQzR1m@H1p0w5A
zB}PMUzPNqZI&aUSV7Tj`17CqS(O8Nhg!eHoY&K5IjV@VP>ao`-C@rqBOn#LfC-ciR
z8oF0pp91H;HS(45ki#@x1MlCy6C~Fj-mjfJdCw<^crnGVSzqBGUcT0^R-@1<X=atq
zdETJC+W?KrhR^=y`Xw5^;W}Zb8<SSBOBg|0hT2=m?CU2ie4v#qpdn*hE@pU*1pjH$
zW$SCt;{zF*=7B{;b!))J9~Z|l%Z-)EQ+c{P8AnltK}W?W)<^Q*FLjXyiwrRdUOYhs
zDo|<iozbnqN_IJX=R){+@8GHTR}E1E@`jY&*IilFwNk#o$Nc27AvTyZZDQN^G9VC=
zK!vG6t>tFtEA|&#<9*#wC3{sQt}Y+U8yppl-G>YAxGp!cP;iLEIJP8zAX{vsubn)-
zJ}X1*jwqij)GL>SG;zFlbZu!&InM)qJ%`inv+1<l&sIy&G_$m{9J2AW_v5vHyEzk^
zS*2X*KZ{zT4<QBzRj7w}KwRMHXBC*Cd&$Z9Ml?xk%<h<pjH-1Bkv&064Ov=Y_cAgL
zy(llmH*h})3aiY|$qDQU(;h_^BgLgu4>x^S@X+E83N(TzxlRca+^)rzoFLdo1~&(}
z!b!SYYuPs~?ot<gH>(pZT@r~ZgG#uK>i*E?d@&-W^X5uq?Mh;%i?jP}yerM7UvLmb
zt6M6E;0uZ73G}<_dO74Lrz=jrS-!@7aj3JuKrh>u=!-Kn!@x!Y9;z{}VeD#}EX?RZ
zscp94jNvD1FK|P4o8!0KT>483l&2!%AU9TK$BGjY1Q;{rA$+m$J%ijJE)k+;aBz*^
z%y1#9CJ-r_L6KcLhrtl#<m9T?-#V`(cKYHpF}}I3bPhv2j!`;2oGGAed&B~f?W+D1
z?dT-i@FqOoDr(7$DD$);@?J*LReHin2r~5QmKH7B`Xa%H9Pej$Iiytqfk3!*W@w-`
z$2;ir?l2MROjqKher|vmkoox8Sb1*c<W;~RBJ0+=R<S2athH><4JgDHRHfZeAb@#d
zCx6ur3@@uy{+tH2ZJwFSxjKng^3$P@K5&l_U+D?)WKCPX!$T=U$w?!3$qg}Fw$A*;
zT;=1a;me1dRw#t_3td{kPECq+?a~QmJ-ylJPL<+$PLQ5l*PD#f6qC6#-?G&WHi95l
zBR+4W2Xkdq45tqMa5&^!9B&76mJL@~o!x5%zuUNNeW7oJ1*g?Hj>bS`iCMFkl`otQ
zNUvQQnRV5aICqrqjyC99ZvUFSlDYW7Q~^Jg+d#e-$p;z89z4^3bN|}n@D;e)!_`yl
z;x^y!et`Z*9ew7JrhQCfS@fsA_{POq+1?$|j03yhBXI3#5kQ8D8%QP}V#Iz&l)w7(
z6cpDNfS$M7X64`H#rJcf0965wH@q9H_hWz`f(lF8%@2+eJ}kdeE@|%<*H384eNij*
zx4ynwISg=(#+Za(C3dt(^6-NVCMgbMJCvEYJBZEToo?&xA4C5%?Qf#$?^f|cS#N<o
zvmJH*vhw>;Tno^hK;`0V|L^SKFC`e61}HC*X^G^H7JWycyC~bhY4x8T`!QZ499Y+3
z8RXs_E#MNMJEog7nQr>Oj;0Yw{e*k>ay(9@x5NVRffaPVcFn@vJaKq_D1~R~9D1t6
zolQ+|{9;Cron0e9XQQOXry?A>{X8)HfIn)lp&sXRox(bp!bGBck~s`)*{LBE3dO?8
z>Vut!XshwUA)w$Bhy_X*vk%|~2Go1FsD3`+i_56ZE?MErxd0oG1r>$p8yhc&s7+jH
zAu5wY20|`rv0xkbo(h=D8m`m`%$SYV@W%)WfjxcqeuePxP<5vf)sZF+wbGDN0x`W(
z*Uiy&((>|#MfDqiwzsgbn0)TDtb&9AnHU#ZC2x*I7VhHQBLjsFR9#RdLxSh?fmu#*
z4zvuGqVIC^@bn?IQWQspN3kp*d+_)ar++nB*BFID<&P@F_VX1T^BQXJ?40dg|8(cG
zu^NbLm4~F>SX5(gXGa$;p83}dp^4qJw6wJRx3M#`9X{x%2sL>zf)F-~>-Vz~vv2+^
zD(Y~X_4ln!#N+X)WG`vk#um%eqWZGn%dg>x{TxHO<6LZi#vBx?ZfR|uzm-~aoO0k!
z)trm7^949O1_2}0A%T(sgPXK2aj@D0cz$6sJh&9*rcP3;FP9$X0~W-`o)sZRB0n#e
zP^${@5VGrDe;#!K<})_S9uyub=m9+oPz6x>%*rQ-9^#YFbrXT)>xj!vj*bERMQ6RW
z1doN2-_f3_?41+xc=6~_nQg-n4UL)}c_jptM8E3fRME><<en8WrzmZ<_Y*hPd2^iH
zs!NOL;Ep40=+HR*pS+)na%Nz89u~<2S44%@0WTAd+<hcwn>Hp|ibKM*Y1zOf?j#b8
zXNq&nOY&E25r1SxXEvR4<*9mjl^6AM2Dtl`-Y%(b?&$MJ<r=oQd=yy`o;vcS4wg|(
z{d{ct<bf4zjh48Tc!m3^{eb22BsB?Zy$i6$`y6#rT{Uc1Xq-Y|>hvG$z$Soz&*%4g
zu*N%IQnof}M7QhJ-FFuRdm=rO4m^*~Rx~;j_3Vj2q?OYP*C2QGUcMJ*X&4EQMUb5-
zj9)}`{qws-E)hd)QGu8<Or%Y~$%ad$MibG?7cn$+Ow3)d%3);p5x=@s0JX`e(DjG3
zwonbttSWAjy2;V6;HU>G6H_yL3t{7*6U?%Fn}6=$4oG3s1;FOg?bK+=e*$P|CX1E;
zOq8+{B$WWX1DW?a?)!<GKd^iQK;u<vT=)+t`(D6e0bv2nAn@SNBiTF9b6i?8uF)jo
z<PL=7iUz>$**?gD|DZ$P$AJOZ8KRc66Z0<t<Fn-zw94$Ta}^*L^F0#0JEjbh0tktc
z4qSH!O?YM!Djt=&$7RQq`TqrskCk;j@s(QrG;#YV1X!94AN_Mb7Uaj`VV?nPY`2kV
zqUjDh=K!wsj_DevYnV~PjGBKW6isGAV`2>xYnU{E$<UY#jY*!F<oTa^gNvzan39tz
zIsb>M0lv!|xhyOoMFVXui~nTv%*p_>X!Bp|X<K3}vgd!3gKj3U06zmAW9_1|mu~$V
D<PUjt

literal 0
HcmV?d00001

diff --git a/docs/spaces/index.asciidoc b/docs/spaces/index.asciidoc
new file mode 100644
index 00000000000000..b40c4267c2b49f
--- /dev/null
+++ b/docs/spaces/index.asciidoc
@@ -0,0 +1,17 @@
+[role="xpack"]
+[[xpack-spaces]]
+== Spaces
+
+With spaces, you can organize your dashboards and other saved objects into meaningful categories.
+After creating your own spaces, you will be asked to choose a space when you enter {kib}. Once inside a space,
+you will only see the dashboards and other saved objects that belong to that space. You can change your active space at any time.
+
+With security enabled, you can control which users have access to individual spaces.
+
+[role="screenshot"]
+image::spaces/images/space-selector.png["Space selector screen"]
+
+include::getting-started.asciidoc[]
+include::managing-spaces.asciidoc[]
+include::securing-spaces.asciidoc[]
+include::moving-saved-objects.asciidoc[]
diff --git a/docs/spaces/managing-spaces.asciidoc b/docs/spaces/managing-spaces.asciidoc
new file mode 100644
index 00000000000000..73a21ff049b36f
--- /dev/null
+++ b/docs/spaces/managing-spaces.asciidoc
@@ -0,0 +1,25 @@
+[role="xpack"]
+[[spaces-managing]]
+=== Managing spaces
+You can manage spaces from the **Management > Spaces** page. Here you can create, edit, and delete your spaces.
+
+[NOTE]
+{kib} has an <<spaces-api, experimental API>> if you want to create your spaces programatically.
+
+[role="screenshot"]
+image::spaces/images/space-management.png["Space Management"]
+
+==== Creating and updating spaces
+You can create as many spaces as you like, but each space must have a unique space identifier. The space identifier is a short string of text that is part of the {kib} URL when you are inside that space. {kib} automatically suggests a space identifier based on the name of your space, but you are free to customize this to your liking.
+
+[NOTE]
+You cannot change the space identifier once the space is created.
+
+[role="screenshot"]
+image::spaces/images/edit-space.png["Updating a space"]
+
+==== Deleting spaces
+Deleting a space is a destructive operation, which cannot be undone. When you delete a space, all of the saved objects that belong to that space are also deleted.
+
+[role="screenshot"]
+image::spaces/images/delete-space.png["Deleting a space"]
\ No newline at end of file
diff --git a/docs/spaces/moving-saved-objects.asciidoc b/docs/spaces/moving-saved-objects.asciidoc
new file mode 100644
index 00000000000000..e6a116f54a252f
--- /dev/null
+++ b/docs/spaces/moving-saved-objects.asciidoc
@@ -0,0 +1,14 @@
+[role="xpack"]
+[[spaces-moving-objects]]
+=== Moving saved objects between spaces
+You can use {kib}'s <<managing-saved-objects-export-objects, import/export>> interface to copy objects from one space to another:
+
+1.  Navigate to the space that contains your saved objects.
+2.  Export your saved objects via the <<managing-saved-objects-export-objects, import/export>> interface.
+3.  Navigate to the space you are importing to.
+4.  Import your saved objects via the <<managing-saved-objects-export-objects, import/export>> interface.
+5. (optional) Delete the saved objects from the space you exported from, if you don't want to keep a copy there.
+
+
+[NOTE]
+{kib} also has experimental <<dashboard-import-api-import, import>> and <<dashboard-import-api-export, export>> dashboard APIs if you are looking for a dashboard-centric way to automate this process.
\ No newline at end of file
diff --git a/docs/spaces/securing-spaces.asciidoc b/docs/spaces/securing-spaces.asciidoc
new file mode 100644
index 00000000000000..1fd6e915bc4f80
--- /dev/null
+++ b/docs/spaces/securing-spaces.asciidoc
@@ -0,0 +1,7 @@
+[role="xpack"]
+[[spaces-securing]]
+=== Securing spaces
+
+With security enabled, you can control who has access to specific spaces. You can manage access in **Management > Roles**.
+
+image::spaces/images/securing-spaces.png["Securing spaces"]
\ No newline at end of file

From 18ca584ac7bce4099c41ce0cf7ff50fab83a3dcc Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Tue, 25 Sep 2018 10:07:00 -0700
Subject: [PATCH 180/183] Making it easier and more terse to specify the user
 for a test

---
 .../common/lib/authentication.ts              |  48 ++++----
 .../common/lib/create_users_and_roles.ts      |  44 +++----
 .../common/suites/bulk_create.ts              |   8 +-
 .../common/suites/bulk_get.ts                 |   6 +-
 .../common/suites/create.ts                   |  10 +-
 .../common/suites/delete.ts                   |  10 +-
 .../common/suites/find.ts                     |  16 +--
 .../common/suites/get.ts                      |  10 +-
 .../common/suites/update.ts                   |  10 +-
 .../security_and_spaces/apis/bulk_create.ts   |  59 +++-------
 .../security_and_spaces/apis/bulk_get.ts      |  57 ++-------
 .../security_and_spaces/apis/create.ts        |  63 +++-------
 .../security_and_spaces/apis/delete.ts        |  67 +++--------
 .../security_and_spaces/apis/find.ts          |  65 +++--------
 .../security_and_spaces/apis/get.ts           |  61 +++-------
 .../security_and_spaces/apis/update.ts        |  67 +++--------
 .../security_only/apis/bulk_create.ts         |  72 +++---------
 .../security_only/apis/bulk_get.ts            |  70 +++--------
 .../security_only/apis/create.ts              |  84 ++++---------
 .../security_only/apis/delete.ts              |  96 +++++----------
 .../security_only/apis/find.ts                | 110 ++++++------------
 .../security_only/apis/get.ts                 |  90 +++++---------
 .../security_only/apis/update.ts              |  96 +++++----------
 .../common/lib/authentication.ts              |  64 +++++-----
 .../common/lib/create_users_and_roles.ts      |  60 +++++-----
 .../common/suites/create.ts                   |  10 +-
 .../common/suites/delete.ts                   |  10 +-
 .../common/suites/get.ts                      |   6 +-
 .../common/suites/get_all.ts                  |   6 +-
 .../common/suites/select.ts                   |   6 +-
 .../common/suites/update.ts                   |  10 +-
 .../security_and_spaces/apis/create.ts        |  57 +++------
 .../security_and_spaces/apis/delete.ts        |  53 +++------
 .../security_and_spaces/apis/get.ts           |  87 +++-----------
 .../security_and_spaces/apis/get_all.ts       |  62 +++-------
 .../security_and_spaces/apis/select.ts        |  82 +++----------
 .../security_and_spaces/apis/update.ts        |  62 +++-------
 37 files changed, 546 insertions(+), 1248 deletions(-)

diff --git a/x-pack/test/saved_object_api_integration/common/lib/authentication.ts b/x-pack/test/saved_object_api_integration/common/lib/authentication.ts
index 92888f3263ed9c..19210e3818b67b 100644
--- a/x-pack/test/saved_object_api_integration/common/lib/authentication.ts
+++ b/x-pack/test/saved_object_api_integration/common/lib/authentication.ts
@@ -6,51 +6,51 @@
 
 export const AUTHENTICATION = {
   NOT_A_KIBANA_USER: {
-    USERNAME: 'not_a_kibana_user',
-    PASSWORD: 'password',
+    username: 'not_a_kibana_user',
+    password: 'password',
   },
   SUPERUSER: {
-    USERNAME: 'elastic',
-    PASSWORD: 'changeme',
+    username: 'elastic',
+    password: 'changeme',
   },
   KIBANA_LEGACY_USER: {
-    USERNAME: 'a_kibana_legacy_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_legacy_user',
+    password: 'password',
   },
   KIBANA_LEGACY_DASHBOARD_ONLY_USER: {
-    USERNAME: 'a_kibana_legacy_dashboard_only_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_legacy_dashboard_only_user',
+    password: 'password',
   },
   KIBANA_DUAL_PRIVILEGES_USER: {
-    USERNAME: 'a_kibana_dual_privileges_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_dual_privileges_user',
+    password: 'password',
   },
   KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER: {
-    USERNAME: 'a_kibana_dual_privileges_dashboard_only_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_dual_privileges_dashboard_only_user',
+    password: 'password',
   },
   KIBANA_RBAC_USER: {
-    USERNAME: 'a_kibana_rbac_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_user',
+    password: 'password',
   },
   KIBANA_RBAC_DASHBOARD_ONLY_USER: {
-    USERNAME: 'a_kibana_rbac_dashboard_only_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_dashboard_only_user',
+    password: 'password',
   },
   KIBANA_RBAC_DEFAULT_SPACE_ALL_USER: {
-    USERNAME: 'a_kibana_rbac_default_space_all_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_default_space_all_user',
+    password: 'password',
   },
   KIBANA_RBAC_DEFAULT_SPACE_READ_USER: {
-    USERNAME: 'a_kibana_rbac_default_space_read_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_default_space_read_user',
+    password: 'password',
   },
   KIBANA_RBAC_SPACE_1_ALL_USER: {
-    USERNAME: 'a_kibana_rbac_space_1_all_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_space_1_all_user',
+    password: 'password',
   },
   KIBANA_RBAC_SPACE_1_READ_USER: {
-    USERNAME: 'a_kibana_rbac_space_1_read_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_space_1_read_user',
+    password: 'password',
   },
 };
diff --git a/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.ts b/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.ts
index 4dd2131f83ee41..b5e1b97fdf0a63 100644
--- a/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.ts
+++ b/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.ts
@@ -102,9 +102,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+    username: AUTHENTICATION.NOT_A_KIBANA_USER.username,
     body: {
-      password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      password: AUTHENTICATION.NOT_A_KIBANA_USER.password,
       roles: [],
       full_name: 'not a kibana user',
       email: 'not_a_kibana_user@elastic.co',
@@ -112,9 +112,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_LEGACY_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_LEGACY_USER.password,
       roles: ['kibana_legacy_user'],
       full_name: 'a kibana legacy user',
       email: 'a_kibana_legacy_user@elastic.co',
@@ -122,9 +122,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.password,
       roles: ['kibana_legacy_dashboard_only_user'],
       full_name: 'a kibana legacy dashboard only user',
       email: 'a_kibana_legacy_dashboard_only_user@elastic.co',
@@ -132,9 +132,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.password,
       roles: ['kibana_dual_privileges_user'],
       full_name: 'a kibana dual_privileges user',
       email: 'a_kibana_dual_privileges_user@elastic.co',
@@ -142,9 +142,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.password,
       roles: ['kibana_dual_privileges_dashboard_only_user'],
       full_name: 'a kibana dual_privileges dashboard only user',
       email: 'a_kibana_dual_privileges_dashboard_only_user@elastic.co',
@@ -152,9 +152,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_USER.password,
       roles: ['kibana_rbac_user'],
       full_name: 'a kibana user',
       email: 'a_kibana_rbac_user@elastic.co',
@@ -162,9 +162,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.password,
       roles: ['kibana_rbac_dashboard_only_user'],
       full_name: 'a kibana dashboard only user',
       email: 'a_kibana_rbac_dashboard_only_user@elastic.co',
@@ -172,9 +172,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.password,
       roles: ['kibana_rbac_default_space_all_user'],
       full_name: 'a kibana default space all user',
       email: 'a_kibana_rbac_default_space_all_user@elastic.co',
@@ -182,9 +182,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.password,
       roles: ['kibana_rbac_default_space_read_user'],
       full_name: 'a kibana default space read-only user',
       email: 'a_kibana_rbac_default_space_read_user@elastic.co',
@@ -192,9 +192,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.password,
       roles: ['kibana_rbac_space_1_all_user'],
       full_name: 'a kibana rbac space 1 all user',
       email: 'a_kibana_rbac_space_1_all_user@elastic.co',
@@ -202,9 +202,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.password,
       roles: ['kibana_rbac_space_1_read_user'],
       full_name: 'a kibana rbac space 1 read-only user',
       email: 'a_kibana_rbac_space_1_readonly_user@elastic.co',
diff --git a/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts b/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
index 21e1c35c49b043..cb93afedcb1d94 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
@@ -28,7 +28,7 @@ interface BulkCreateTests {
 }
 
 interface BulkCreateTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   spaceId?: string;
   tests: BulkCreateTests;
 }
@@ -151,7 +151,7 @@ export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest:
     description: string,
     definition: BulkCreateTestDefinition
   ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+    const { user = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
 
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -160,7 +160,7 @@ export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest:
       it(`should return ${tests.default.statusCode}`, async () => {
         await supertest
           .post(`${getUrlPrefix(spaceId)}/api/saved_objects/_bulk_create`)
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .send(createBulkRequests(spaceId))
           .expect(tests.default.statusCode)
           .then(tests.default.response);
@@ -170,7 +170,7 @@ export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest:
         it(tests.custom!.description, async () => {
           await supertest
             .post(`${getUrlPrefix(spaceId)}/api/saved_objects/_bulk_create`)
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .send(tests.custom!.requestBody)
             .expect(tests.custom!.statusCode)
             .then(tests.custom!.response);
diff --git a/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts b/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
index c09933bdb8d0df..dc5b7eaf3c75e0 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
@@ -20,7 +20,7 @@ interface BulkGetTests {
 }
 
 interface BulkGetTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   spaceId?: string;
   otherSpaceId?: string;
   tests: BulkGetTests;
@@ -134,7 +134,7 @@ export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<an
     description: string,
     definition: BulkGetTestDefinition
   ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
+    const { user = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
 
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -143,7 +143,7 @@ export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<an
       it(`should return ${tests.default.statusCode}`, async () => {
         await supertest
           .post(`${getUrlPrefix(spaceId)}/api/saved_objects/_bulk_get`)
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .send(createBulkRequests(otherSpaceId || spaceId))
           .expect(tests.default.statusCode)
           .then(tests.default.response);
diff --git a/x-pack/test/saved_object_api_integration/common/suites/create.ts b/x-pack/test/saved_object_api_integration/common/suites/create.ts
index 5e0bf23037d047..87c94c1d13b28f 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/create.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/create.ts
@@ -27,7 +27,7 @@ interface CreateTests {
 }
 
 interface CreateTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   spaceId?: string;
   tests: CreateTests;
 }
@@ -133,14 +133,14 @@ export function createTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
     description: string,
     definition: CreateTestDefinition
   ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+    const { user = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
       after(() => esArchiver.unload('saved_objects/spaces'));
       it(`should return ${tests.spaceAware.statusCode} for a space-aware type`, async () => {
         await supertest
           .post(`${getUrlPrefix(spaceId)}/api/saved_objects/${spaceAwareType}`)
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .send({
             attributes: {
               title: 'My favorite vis',
@@ -153,7 +153,7 @@ export function createTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
       it(`should return ${tests.notSpaceAware.statusCode} for a non space-aware type`, async () => {
         await supertest
           .post(`${getUrlPrefix(spaceId)}/api/saved_objects/${notSpaceAwareType}`)
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .send({
             attributes: {
               name: `Can't be contained to a space`,
@@ -167,7 +167,7 @@ export function createTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
         it(tests.custom.description, async () => {
           await supertest
             .post(`${getUrlPrefix(spaceId)}/api/saved_objects/${tests.custom!.type}`)
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .send(tests.custom!.requestBody)
             .expect(tests.custom!.statusCode)
             .then(tests.custom!.response);
diff --git a/x-pack/test/saved_object_api_integration/common/suites/delete.ts b/x-pack/test/saved_object_api_integration/common/suites/delete.ts
index 394722d7d368fe..9230415453d37f 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/delete.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/delete.ts
@@ -22,7 +22,7 @@ interface DeleteTests {
 }
 
 interface DeleteTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   spaceId?: string;
   otherSpaceId?: string;
   tests: DeleteTests;
@@ -82,7 +82,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     description: string,
     definition: DeleteTestDefinition
   ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
+    const { user = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
 
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -95,7 +95,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
               otherSpaceId || spaceId
             )}be3733a0-9efe-11e7-acb3-3dab96693fab`
           )
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .expect(tests.spaceAware.statusCode)
           .then(tests.spaceAware.response));
 
@@ -108,7 +108,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
               spaceId
             )}/api/saved_objects/globaltype/8121a00-8efd-21e7-1cb3-34ab966434445`
           )
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .expect(tests.notSpaceAware.statusCode)
           .then(tests.notSpaceAware.response));
 
@@ -119,7 +119,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
               otherSpaceId || spaceId
             )}not-a-real-id`
           )
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .expect(tests.invalidId.statusCode)
           .then(tests.invalidId.response));
     });
diff --git a/x-pack/test/saved_object_api_integration/common/suites/find.ts b/x-pack/test/saved_object_api_integration/common/suites/find.ts
index af90255bc01f04..d7bc0180f8e2bf 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/find.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/find.ts
@@ -25,7 +25,7 @@ interface FindTests {
 }
 
 interface FindTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   spaceId?: string;
   tests: FindTests;
 }
@@ -117,7 +117,7 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     description: string,
     definition: FindTestDefinition
   ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
+    const { user = {}, spaceId = DEFAULT_SPACE_ID, tests } = definition;
 
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -128,7 +128,7 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
       }`, async () =>
         await supertest
           .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=visualization&fields=title`)
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .expect(tests.spaceAwareType.statusCode)
           .then(tests.spaceAwareType.response));
 
@@ -137,7 +137,7 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
       }`, async () =>
         await supertest
           .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=globaltype&fields=name`)
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .expect(tests.notSpaceAwareType.statusCode)
           .then(tests.notSpaceAwareType.response));
 
@@ -147,7 +147,7 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
         }`, async () =>
           await supertest
             .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=wigwags`)
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .expect(tests.unknownType.statusCode)
             .then(tests.unknownType.response));
       });
@@ -162,7 +162,7 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
                 spaceId
               )}/api/saved_objects/_find?type=visualization&page=100&per_page=100`
             )
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .expect(tests.pageBeyondTotal.statusCode)
             .then(tests.pageBeyondTotal.response));
       });
@@ -173,7 +173,7 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
         }`, async () =>
           await supertest
             .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find?type=wigwags&search_fields=a`)
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .expect(tests.unknownSearchField.statusCode)
             .then(tests.unknownSearchField.response));
       });
@@ -182,7 +182,7 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
         it(`should return ${tests.noType.statusCode} with ${tests.noType.description}`, async () =>
           await supertest
             .get(`${getUrlPrefix(spaceId)}/api/saved_objects/_find`)
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .expect(tests.noType.statusCode)
             .then(tests.noType.response));
       });
diff --git a/x-pack/test/saved_object_api_integration/common/suites/get.ts b/x-pack/test/saved_object_api_integration/common/suites/get.ts
index 8462c00faad233..85dcda1214ad4e 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/get.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/get.ts
@@ -21,7 +21,7 @@ interface GetTests {
 }
 
 interface GetTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   spaceId?: string;
   otherSpaceId?: string;
   tests: GetTests;
@@ -117,7 +117,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
     description: string,
     definition: GetTestDefinition
   ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
+    const { user = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
 
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -132,7 +132,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
               otherSpaceId || spaceId
             )}${spaceAwareId}`
           )
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .expect(tests.spaceAware.statusCode)
           .then(tests.spaceAware.response);
       });
@@ -142,7 +142,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
       } when deleting a non-space-aware doc`, async () => {
         await supertest
           .get(`${getUrlPrefix(spaceId)}/api/saved_objects/globaltype/${notSpaceAwareId}`)
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .expect(tests.notSpaceAware.statusCode)
           .then(tests.notSpaceAware.response);
       });
@@ -155,7 +155,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
                 otherSpaceId || spaceId
               )}${doesntExistId}`
             )
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .expect(tests.doesntExist.statusCode)
             .then(tests.doesntExist.response);
         });
diff --git a/x-pack/test/saved_object_api_integration/common/suites/update.ts b/x-pack/test/saved_object_api_integration/common/suites/update.ts
index e010a768cc1dac..e45fa1928b809d 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/update.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/update.ts
@@ -22,7 +22,7 @@ interface UpdateTests {
 }
 
 interface UpdateTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   spaceId?: string;
   otherSpaceId?: string;
   tests: UpdateTests;
@@ -118,7 +118,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
     description: string,
     definition: UpdateTestDefinition
   ) => {
-    const { auth = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
+    const { user = {}, spaceId = DEFAULT_SPACE_ID, otherSpaceId, tests } = definition;
 
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -130,7 +130,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
               otherSpaceId || spaceId
             )}dd7caf20-9efd-11e7-acb3-3dab96693fab`
           )
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .send({
             attributes: {
               title: 'My second favorite vis',
@@ -147,7 +147,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
               otherSpaceId || spaceId
             )}/api/saved_objects/globaltype/8121a00-8efd-21e7-1cb3-34ab966434445`
           )
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .send({
             attributes: {
               name: 'My second favorite',
@@ -165,7 +165,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
                 spaceId
               )}not an id`
             )
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .send({
               attributes: {
                 title: 'My second favorite vis',
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
index c0e3a6c82a174a..4dc1542fd25435 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
@@ -58,24 +58,18 @@ export default function({ getService }: TestInvoker) {
       },
     ].forEach(scenario => {
       bulkCreateTest(`user with no access within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.noAccess.USERNAME,
-          password: scenario.users.noAccess.PASSWORD,
-        },
+        user: scenario.users.noAccess,
         spaceId: scenario.spaceId,
         tests: {
           default: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
         },
       });
 
       bulkCreateTest(`superuser within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.superuser.USERNAME,
-          password: scenario.users.superuser.PASSWORD,
-        },
+        user: scenario.users.superuser,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -86,10 +80,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkCreateTest(`legacy user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.legacyAll.USERNAME,
-          password: scenario.users.legacyAll.PASSWORD,
-        },
+        user: scenario.users.legacyAll,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -100,24 +91,18 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkCreateTest(`legacy readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.legacyRead.USERNAME,
-          password: scenario.users.legacyRead.PASSWORD,
-        },
+        user: scenario.users.legacyRead,
         spaceId: scenario.spaceId,
         tests: {
           default: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
           },
         },
       });
 
       bulkCreateTest(`dual-privileges user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.dualAll.USERNAME,
-          password: scenario.users.dualAll.PASSWORD,
-        },
+        user: scenario.users.dualAll,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -128,10 +113,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkCreateTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.dualRead.USERNAME,
-          password: scenario.users.dualRead.PASSWORD,
-        },
+        user: scenario.users.dualRead,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -142,10 +124,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkCreateTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allGlobally.USERNAME,
-          password: scenario.users.allGlobally.PASSWORD,
-        },
+        user: scenario.users.allGlobally,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -156,10 +135,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkCreateTest(`rbac user with read globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readGlobally.USERNAME,
-          password: scenario.users.readGlobally.PASSWORD,
-        },
+        user: scenario.users.readGlobally,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -170,10 +146,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkCreateTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtSpace.USERNAME,
-          password: scenario.users.allAtSpace.PASSWORD,
-        },
+        user: scenario.users.allAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -184,10 +157,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkCreateTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readAtSpace.USERNAME,
-          password: scenario.users.readAtSpace.PASSWORD,
-        },
+        user: scenario.users.readAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -198,10 +168,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkCreateTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtOtherSpace.USERNAME,
-          password: scenario.users.allAtOtherSpace.PASSWORD,
-        },
+        user: scenario.users.allAtOtherSpace,
         spaceId: scenario.spaceId,
         tests: {
           default: {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
index 54d1fcb3b4b665..71a7f7ac677564 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
@@ -57,24 +57,18 @@ export default function({ getService }: TestInvoker) {
       },
     ].forEach(scenario => {
       bulkGetTest(`user with no access within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.noAccess.USERNAME,
-          password: scenario.users.noAccess.PASSWORD,
-        },
+        user: scenario.users.noAccess,
         spaceId: scenario.spaceId,
         tests: {
           default: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
         },
       });
 
       bulkGetTest(`superuser within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.superuser.USERNAME,
-          password: scenario.users.superuser.PASSWORD,
-        },
+        user: scenario.users.superuser,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -85,10 +79,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkGetTest(`legacy user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.legacyAll.USERNAME,
-          password: scenario.users.legacyAll.PASSWORD,
-        },
+        user: scenario.users.legacyAll,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -99,10 +90,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkGetTest(`legacy readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.legacyRead.USERNAME,
-          password: scenario.users.legacyRead.PASSWORD,
-        },
+        user: scenario.users.legacyRead,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -113,10 +101,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkGetTest(`dual-privileges user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.dualAll.USERNAME,
-          password: scenario.users.dualAll.PASSWORD,
-        },
+        user: scenario.users.dualAll,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -127,10 +112,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkGetTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.dualRead.USERNAME,
-          password: scenario.users.dualRead.PASSWORD,
-        },
+        user: scenario.users.dualRead,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -141,10 +123,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkGetTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allGlobally.USERNAME,
-          password: scenario.users.allGlobally.PASSWORD,
-        },
+        user: scenario.users.allGlobally,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -155,10 +134,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkGetTest(`rbac user with read globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readGlobally.USERNAME,
-          password: scenario.users.readGlobally.PASSWORD,
-        },
+        user: scenario.users.readGlobally,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -169,10 +145,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkGetTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtSpace.USERNAME,
-          password: scenario.users.allAtSpace.PASSWORD,
-        },
+        user: scenario.users.allAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -183,10 +156,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkGetTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readAtSpace.USERNAME,
-          password: scenario.users.readAtSpace.PASSWORD,
-        },
+        user: scenario.users.readAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           default: {
@@ -197,10 +167,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       bulkGetTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtOtherSpace.USERNAME,
-          password: scenario.users.allAtOtherSpace.PASSWORD,
-        },
+        user: scenario.users.allAtOtherSpace,
         spaceId: scenario.spaceId,
         tests: {
           default: {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts
index 57df81e60cad0f..8aeb43d9d7f364 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/create.ts
@@ -60,28 +60,22 @@ export default function({ getService }: TestInvoker) {
       },
     ].forEach(scenario => {
       createTest(`user with no access  within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.noAccess.USERNAME,
-          password: scenario.users.noAccess.PASSWORD,
-        },
+        user: scenario.users.noAccess,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
         },
       });
 
       createTest(`superuser within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.superuser.USERNAME,
-          password: scenario.users.superuser.PASSWORD,
-        },
+        user: scenario.users.superuser,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -96,10 +90,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       createTest(`legacy user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.legacyAll.USERNAME,
-          password: scenario.users.legacyAll.PASSWORD,
-        },
+        user: scenario.users.legacyAll,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -114,28 +105,22 @@ export default function({ getService }: TestInvoker) {
       });
 
       createTest(`legacy readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.legacyRead.USERNAME,
-          password: scenario.users.legacyRead.PASSWORD,
-        },
+        user: scenario.users.legacyRead,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
           },
         },
       });
 
       createTest(`dual-privileges user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.dualAll.USERNAME,
-          password: scenario.users.dualAll.PASSWORD,
-        },
+        user: scenario.users.dualAll,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -150,10 +135,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       createTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.dualRead.USERNAME,
-          password: scenario.users.dualRead.PASSWORD,
-        },
+        user: scenario.users.dualRead,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -168,10 +150,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       createTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allGlobally.USERNAME,
-          password: scenario.users.allGlobally.PASSWORD,
-        },
+        user: scenario.users.allGlobally,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -186,10 +165,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       createTest(`rbac user with read globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readGlobally.USERNAME,
-          password: scenario.users.readGlobally.PASSWORD,
-        },
+        user: scenario.users.readGlobally,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -204,10 +180,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       createTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtSpace.USERNAME,
-          password: scenario.users.allAtSpace.PASSWORD,
-        },
+        user: scenario.users.allAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -222,10 +195,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       createTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readAtSpace.USERNAME,
-          password: scenario.users.readAtSpace.PASSWORD,
-        },
+        user: scenario.users.readAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -240,10 +210,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       createTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtOtherSpace.USERNAME,
-          password: scenario.users.allAtOtherSpace.PASSWORD,
-        },
+        user: scenario.users.allAtOtherSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts
index 56cf2c8b067b6a..c12699cb89803a 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/delete.ts
@@ -60,32 +60,26 @@ export default function({ getService }: TestInvoker) {
       },
     ].forEach(scenario => {
       deleteTest(`user with no access within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.noAccess.USERNAME,
-          password: scenario.users.noAccess.PASSWORD,
-        },
+        user: scenario.users.noAccess,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
           invalidId: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
         },
       });
 
       deleteTest(`superuser within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.superuser.USERNAME,
-          password: scenario.users.superuser.PASSWORD,
-        },
+        user: scenario.users.superuser,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -104,10 +98,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       deleteTest(`legacy user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.legacyAll.USERNAME,
-          password: scenario.users.legacyAll.PASSWORD,
-        },
+        user: scenario.users.legacyAll,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -126,32 +117,26 @@ export default function({ getService }: TestInvoker) {
       });
 
       deleteTest(`legacy readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.legacyRead.USERNAME,
-          password: scenario.users.legacyRead.PASSWORD,
-        },
+        user: scenario.users.legacyRead,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
           },
           invalidId: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
           },
         },
       });
 
       deleteTest(`dual-privileges user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.dualAll.USERNAME,
-          password: scenario.users.dualAll.PASSWORD,
-        },
+        user: scenario.users.dualAll,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -170,10 +155,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       deleteTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.dualRead.USERNAME,
-          password: scenario.users.dualRead.PASSWORD,
-        },
+        user: scenario.users.dualRead,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -192,10 +174,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       deleteTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allGlobally.USERNAME,
-          password: scenario.users.allGlobally.PASSWORD,
-        },
+        user: scenario.users.allGlobally,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -214,10 +193,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       deleteTest(`rbac user with read globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readGlobally.USERNAME,
-          password: scenario.users.readGlobally.PASSWORD,
-        },
+        user: scenario.users.readGlobally,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -236,10 +212,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       deleteTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtSpace.USERNAME,
-          password: scenario.users.allAtSpace.PASSWORD,
-        },
+        user: scenario.users.allAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -258,10 +231,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       deleteTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readAtSpace.USERNAME,
-          password: scenario.users.readAtSpace.PASSWORD,
-        },
+        user: scenario.users.readAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -280,10 +250,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       deleteTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtOtherSpace.USERNAME,
-          password: scenario.users.allAtOtherSpace.PASSWORD,
-        },
+        user: scenario.users.allAtOtherSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
index ed13a1fed8e343..d7ce2413daf42d 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
@@ -60,36 +60,33 @@ export default function({ getService }: TestInvoker) {
       },
     ].forEach(scenario => {
       findTest(`user with no access within the ${scenario.spaceId} space`, {
-        auth: {
-          username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-          password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-        },
+        user: scenario.users.noAccess,
         spaceId: scenario.spaceId,
         tests: {
           spaceAwareType: {
             description: 'forbidden login and find visualization message',
             statusCode: 403,
-            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
           },
           notSpaceAwareType: {
             description: 'forbidden login and find globaltype message',
             statusCode: 403,
-            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
           },
           unknownType: {
             description: 'forbidden login and find wigwags message',
             statusCode: 403,
-            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
           },
           pageBeyondTotal: {
             description: 'forbidden login and find visualization message',
             statusCode: 403,
-            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
           },
           unknownSearchField: {
             description: 'forbidden login and find wigwags message',
             statusCode: 403,
-            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
           },
           noType: {
             description: 'bad request, type is required',
@@ -100,10 +97,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       findTest(`superuser within the ${scenario.spaceId} space`, {
-        auth: {
-          username: AUTHENTICATION.SUPERUSER.USERNAME,
-          password: AUTHENTICATION.SUPERUSER.PASSWORD,
-        },
+        user: scenario.users.superuser,
         spaceId: scenario.spaceId,
         tests: {
           spaceAwareType: {
@@ -140,10 +134,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       findTest(`legacy user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-          password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-        },
+        user: scenario.users.legacyAll,
         spaceId: scenario.spaceId,
         tests: {
           spaceAwareType: {
@@ -180,10 +171,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       findTest(`legacy readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-          password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-        },
+        user: scenario.users.legacyRead,
         spaceId: scenario.spaceId,
         tests: {
           spaceAwareType: {
@@ -220,10 +208,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       findTest(`dual-privileges user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-          password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-        },
+        user: scenario.users.dualAll,
         spaceId: scenario.spaceId,
         tests: {
           spaceAwareType: {
@@ -260,10 +245,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       findTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-          password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-        },
+        user: scenario.users.dualRead,
         spaceId: scenario.spaceId,
         tests: {
           spaceAwareType: {
@@ -300,10 +282,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       findTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-          password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-        },
+        user: scenario.users.allGlobally,
         spaceId: scenario.spaceId,
         tests: {
           spaceAwareType: {
@@ -340,10 +319,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       findTest(`rbac user with read globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-          password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-        },
+        user: scenario.users.readGlobally,
         spaceId: scenario.spaceId,
         tests: {
           spaceAwareType: {
@@ -380,10 +356,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       findTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtSpace.USERNAME,
-          password: scenario.users.allAtSpace.PASSWORD,
-        },
+        user: scenario.users.allAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAwareType: {
@@ -420,10 +393,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       findTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readAtSpace.USERNAME,
-          password: scenario.users.readAtSpace.PASSWORD,
-        },
+        user: scenario.users.readAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAwareType: {
@@ -460,10 +430,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       findTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtOtherSpace.USERNAME,
-          password: scenario.users.allAtOtherSpace.PASSWORD,
-        },
+        user: scenario.users.allAtOtherSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAwareType: {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts
index 013daeb0c99e91..eaa374098bd339 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts
@@ -60,32 +60,26 @@ export default function({ getService }: TestInvoker) {
       },
     ].forEach(scenario => {
       getTest(`user with no access within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.noAccess.USERNAME,
-          password: scenario.users.noAccess.PASSWORD,
-        },
+        user: scenario.users.noAccess,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
           doesntExist: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
         },
       });
 
       getTest(`superuser within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.superuser.USERNAME,
-          password: scenario.users.superuser.PASSWORD,
-        },
+        user: scenario.users.superuser,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -104,10 +98,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       getTest(`legacy user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.legacyAll.USERNAME,
-          password: scenario.users.legacyAll.PASSWORD,
-        },
+        user: scenario.users.legacyAll,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -126,10 +117,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       getTest(`legacy readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.legacyRead.USERNAME,
-          password: scenario.users.legacyRead.PASSWORD,
-        },
+        user: scenario.users.legacyRead,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -148,10 +136,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       getTest(`dual-privileges user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.dualAll.USERNAME,
-          password: scenario.users.dualAll.PASSWORD,
-        },
+        user: scenario.users.dualAll,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -170,10 +155,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       getTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.dualRead.USERNAME,
-          password: scenario.users.dualRead.PASSWORD,
-        },
+        user: scenario.users.dualRead,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -192,10 +174,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       getTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allGlobally.USERNAME,
-          password: scenario.users.allGlobally.PASSWORD,
-        },
+        user: scenario.users.allGlobally,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -214,10 +193,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       getTest(`rbac user with read globall within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readGlobally.USERNAME,
-          password: scenario.users.readGlobally.PASSWORD,
-        },
+        user: scenario.users.readGlobally,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -236,10 +212,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       getTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtSpace.USERNAME,
-          password: scenario.users.allAtSpace.PASSWORD,
-        },
+        user: scenario.users.allAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -258,10 +231,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       getTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readAtSpace.USERNAME,
-          password: scenario.users.readAtSpace.PASSWORD,
-        },
+        user: scenario.users.readAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -280,10 +250,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       getTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtOtherSpace.USERNAME,
-          password: scenario.users.allAtOtherSpace.PASSWORD,
-        },
+        user: scenario.users.allAtOtherSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
index 458c449ab0fedb..fa02c2c6e60b38 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/update.ts
@@ -61,32 +61,26 @@ export default function({ getService }: TestInvoker) {
       },
     ].forEach(scenario => {
       updateTest(`user with no access within the ${scenario.spaceId} space`, {
-        auth: {
-          username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-          password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-        },
+        user: scenario.users.noAccess,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
           },
           doesntExist: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+            response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
           },
         },
       });
 
       updateTest(`superuser within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.superuser.USERNAME,
-          password: scenario.users.superuser.PASSWORD,
-        },
+        user: scenario.users.superuser,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -105,10 +99,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       updateTest(`legacy user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.legacyAll.USERNAME,
-          password: scenario.users.legacyAll.PASSWORD,
-        },
+        user: scenario.users.legacyAll,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -127,32 +118,26 @@ export default function({ getService }: TestInvoker) {
       });
 
       updateTest(`legacy readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.legacyRead.USERNAME,
-          password: scenario.users.legacyRead.PASSWORD,
-        },
+        user: scenario.users.legacyRead,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
           },
           notSpaceAware: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
           },
           doesntExist: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
           },
         },
       });
 
       updateTest(`dual-privileges user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.dualAll.USERNAME,
-          password: scenario.users.dualAll.PASSWORD,
-        },
+        user: scenario.users.dualAll,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -171,10 +156,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       updateTest(`dual-privileges readonly user within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.dualRead.USERNAME,
-          password: scenario.users.dualRead.PASSWORD,
-        },
+        user: scenario.users.dualRead,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -193,10 +175,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       updateTest(`rbac user with all globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allGlobally.USERNAME,
-          password: scenario.users.allGlobally.PASSWORD,
-        },
+        user: scenario.users.allGlobally,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -215,10 +194,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       updateTest(`rbac user with read globally within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readGlobally.USERNAME,
-          password: scenario.users.readGlobally.PASSWORD,
-        },
+        user: scenario.users.readGlobally,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -237,10 +213,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       updateTest(`rbac user with all at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtSpace.USERNAME,
-          password: scenario.users.allAtSpace.PASSWORD,
-        },
+        user: scenario.users.allAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -259,10 +232,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       updateTest(`rbac user with read at the space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.readAtSpace.USERNAME,
-          password: scenario.users.readAtSpace.PASSWORD,
-        },
+        user: scenario.users.readAtSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
@@ -281,10 +251,7 @@ export default function({ getService }: TestInvoker) {
       });
 
       updateTest(`rbac user with all at other space within the ${scenario.spaceId} space`, {
-        auth: {
-          username: scenario.users.allAtOtherSpace.USERNAME,
-          password: scenario.users.allAtOtherSpace.PASSWORD,
-        },
+        user: scenario.users.allAtOtherSpace,
         spaceId: scenario.spaceId,
         tests: {
           spaceAware: {
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts
index c5d31fc946d445..4e7d9ea6fb148f 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts
@@ -23,23 +23,17 @@ export default function({ getService }: TestInvoker) {
 
   describe('_bulk_create', () => {
     bulkCreateTest(`user with no access`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.NOT_A_KIBANA_USER,
       tests: {
         default: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
       },
     });
 
     bulkCreateTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
+      user: AUTHENTICATION.SUPERUSER,
       tests: {
         default: {
           statusCode: 200,
@@ -49,10 +43,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkCreateTest(`legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_USER,
       tests: {
         default: {
           statusCode: 200,
@@ -62,25 +53,19 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkCreateTest(`legacy readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
       tests: {
         default: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
           ),
         },
       },
     });
 
     bulkCreateTest(`dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
       tests: {
         default: {
           statusCode: 200,
@@ -90,10 +75,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkCreateTest(`dual-privileges readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
       tests: {
         default: {
           statusCode: 403,
@@ -103,10 +85,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkCreateTest(`rbac user with all globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_USER,
       tests: {
         default: {
           statusCode: 200,
@@ -116,10 +95,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkCreateTest(`rbac readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
       tests: {
         default: {
           statusCode: 403,
@@ -129,60 +105,48 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkCreateTest(`rbac user with all at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
       tests: {
         default: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
       },
     });
 
     bulkCreateTest(`rbac user with read at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
       tests: {
         default: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
       },
     });
 
     bulkCreateTest(`rbac user with all at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
       tests: {
         default: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
       },
     });
 
     bulkCreateTest(`rbac user with read at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
       tests: {
         default: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
       },
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts
index 8905f138bf8ebe..9376eb6b5995ff 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts
@@ -20,23 +20,17 @@ export default function({ getService }: TestInvoker) {
 
   describe('_bulk_get', () => {
     bulkGetTest(`user with no access`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.NOT_A_KIBANA_USER,
       tests: {
         default: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
       },
     });
 
     bulkGetTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
+      user: AUTHENTICATION.SUPERUSER,
       tests: {
         default: {
           statusCode: 200,
@@ -46,10 +40,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkGetTest(`legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_USER,
       tests: {
         default: {
           statusCode: 200,
@@ -59,10 +50,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkGetTest(`legacy reeadonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
       tests: {
         default: {
           statusCode: 200,
@@ -72,10 +60,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkGetTest(`dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
       tests: {
         default: {
           statusCode: 200,
@@ -85,10 +70,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkGetTest(`dual-privileges readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
       tests: {
         default: {
           statusCode: 200,
@@ -98,10 +80,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkGetTest(`rbac user with all globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_USER,
       tests: {
         default: {
           statusCode: 200,
@@ -111,10 +90,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkGetTest(`rbac user with read globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
       tests: {
         default: {
           statusCode: 200,
@@ -124,60 +100,48 @@ export default function({ getService }: TestInvoker) {
     });
 
     bulkGetTest(`rbac user with all at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
       tests: {
         default: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
       },
     });
 
     bulkGetTest(`rbac user with read at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
       tests: {
         default: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
       },
     });
 
     bulkGetTest(`rbac user with all at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
       tests: {
         default: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
       },
     });
 
     bulkGetTest(`rbac user with read at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
       tests: {
         default: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
       },
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/create.ts b/x-pack/test/saved_object_api_integration/security_only/apis/create.ts
index 54c1f292f13fce..3bceeeeee33b2d 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/create.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/create.ts
@@ -25,27 +25,21 @@ export default function({ getService }: TestInvoker) {
 
   describe('create', () => {
     createTest(`user with no access`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.NOT_A_KIBANA_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
         notSpaceAware: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
       },
     });
 
     createTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
+      user: AUTHENTICATION.SUPERUSER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -59,10 +53,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     createTest(`legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -76,31 +67,25 @@ export default function({ getService }: TestInvoker) {
     });
 
     createTest(`legacy readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
           ),
         },
       },
     });
 
     createTest(`dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -114,10 +99,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     createTest(`dual-privileges readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
@@ -131,10 +113,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     createTest(`rbac user with all globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -148,10 +127,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     createTest(`rbac user with read globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
@@ -165,84 +141,72 @@ export default function({ getService }: TestInvoker) {
     });
 
     createTest(`rbac user with all at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
       },
     });
 
     createTest(`rbac user with read at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
       },
     });
 
     createTest(`rbac user with all at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
       },
     });
 
     createTest(`rbac user with read at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
       },
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts b/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts
index fbba12ad41f87f..27b2375ae9129e 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts
@@ -25,31 +25,25 @@ export default function({ getService }: TestInvoker) {
     } = deleteTestSuiteFactory(esArchiver, supertest);
 
     deleteTest(`user with no access`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.NOT_A_KIBANA_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
         notSpaceAware: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
         invalidId: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
       },
     });
 
     deleteTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
+      user: AUTHENTICATION.SUPERUSER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -67,10 +61,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     deleteTest(`legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -88,37 +79,31 @@ export default function({ getService }: TestInvoker) {
     });
 
     deleteTest(`legacy readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
           ),
         },
         invalidId: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
           ),
         },
       },
     });
 
     deleteTest(`dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -136,10 +121,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     deleteTest(`dual-privileges readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
@@ -157,10 +139,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     deleteTest(`rbac user with all globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -178,10 +157,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     deleteTest(`rbac user with read globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
@@ -199,108 +175,96 @@ export default function({ getService }: TestInvoker) {
     });
 
     deleteTest(`rbac user with all at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
         invalidId: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
       },
     });
 
     deleteTest(`rbac user with read at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
         invalidId: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
       },
     });
 
     deleteTest(`rbac user with all at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
         invalidId: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
       },
     });
 
     deleteTest(`rbac user with readonly at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
         invalidId: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
       },
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
index 79dbe4d4e05cf5..ee664e43375c07 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts
@@ -25,35 +25,32 @@ export default function({ getService }: TestInvoker) {
     } = findTestSuiteFactory(esArchiver, supertest);
 
     findTest(`user with no access`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.NOT_A_KIBANA_USER,
       tests: {
         spaceAwareType: {
           description: 'forbidden login and find visualization message',
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
         notSpaceAwareType: {
           description: 'forbidden legacy message',
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
         unknownType: {
           description: 'forbidden login and find wigwags message',
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
         pageBeyondTotal: {
           description: 'forbidden login and find visualization message',
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
         unknownSearchField: {
           description: 'forbidden login and find wigwags message',
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
         noType: {
           description: 'bad request, type is required',
@@ -64,10 +61,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     findTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
+      user: AUTHENTICATION.SUPERUSER,
       tests: {
         spaceAwareType: {
           description: 'only the visualization',
@@ -103,10 +97,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     findTest(`legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_USER,
       tests: {
         spaceAwareType: {
           description: 'only the visualization',
@@ -142,10 +133,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     findTest(`legacy readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
       tests: {
         spaceAwareType: {
           description: 'only the visualization',
@@ -181,10 +169,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     findTest(`dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
       tests: {
         spaceAwareType: {
           description: 'only the visualization',
@@ -220,10 +205,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     findTest(`dual-privileges readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
       tests: {
         spaceAwareType: {
           description: 'only the visualization',
@@ -259,10 +241,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     findTest(`rbac user with all globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_USER,
       tests: {
         spaceAwareType: {
           description: 'only the visualization',
@@ -298,10 +277,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     findTest(`rbac user with read globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
       tests: {
         spaceAwareType: {
           description: 'only the visualization',
@@ -337,44 +313,41 @@ export default function({ getService }: TestInvoker) {
     });
 
     findTest(`rbac user with all at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
       tests: {
         spaceAwareType: {
           description: 'only the visualization',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
         notSpaceAwareType: {
           description: 'only the globaltype',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
         unknownType: {
           description: 'empty result',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
         pageBeyondTotal: {
           description: 'empty result',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
         unknownSearchField: {
           description: 'empty result',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
         noType: {
@@ -386,44 +359,41 @@ export default function({ getService }: TestInvoker) {
     });
 
     findTest(`rbac user with read at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
       tests: {
         spaceAwareType: {
           description: 'only the visualization',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
         notSpaceAwareType: {
           description: 'only the globaltype',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
         unknownType: {
           description: 'empty result',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
         pageBeyondTotal: {
           description: 'empty result',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
         unknownSearchField: {
           description: 'empty result',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
         noType: {
@@ -435,44 +405,41 @@ export default function({ getService }: TestInvoker) {
     });
 
     findTest(`rbac user with all at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
       tests: {
         spaceAwareType: {
           description: 'forbidden login and find visualization message',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
         notSpaceAwareType: {
           description: 'only the globaltype',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
         unknownType: {
           description: 'forbidden login and find wigwags message',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
         pageBeyondTotal: {
           description: 'forbidden login and find visualization message',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
         unknownSearchField: {
           description: 'forbidden login and find wigwags message',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
         noType: {
@@ -484,44 +451,41 @@ export default function({ getService }: TestInvoker) {
     });
 
     findTest(`rbac user with read at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
       tests: {
         spaceAwareType: {
           description: 'forbidden login and find visualization message',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
         notSpaceAwareType: {
           description: 'only the globaltype',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
         unknownType: {
           description: 'forbidden login and find wigwags message',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
         pageBeyondTotal: {
           description: 'forbidden login and find visualization message',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
         unknownSearchField: {
           description: 'forbidden login and find wigwags message',
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
         noType: {
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/get.ts b/x-pack/test/saved_object_api_integration/security_only/apis/get.ts
index 0d3168c9322c55..48698a56f892fc 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/get.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/get.ts
@@ -23,31 +23,25 @@ export default function({ getService }: TestInvoker) {
 
   describe('get', () => {
     getTest(`user with no access`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.NOT_A_KIBANA_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
         notSpaceAware: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
         doesntExist: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
       },
     });
 
     getTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
+      user: AUTHENTICATION.SUPERUSER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -65,10 +59,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     getTest(`legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -86,10 +77,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     getTest(`legacy readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -107,10 +95,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     getTest(`dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -128,10 +113,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     getTest(`dual-privileges readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -149,10 +131,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     getTest(`rbac user with all globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -170,10 +149,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     getTest(`rbac user with read globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -191,108 +167,96 @@ export default function({ getService }: TestInvoker) {
     });
 
     getTest(`rbac user with all at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
         doesntExist: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
       },
     });
 
     getTest(`rbac user with read at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
         doesntExist: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
       },
     });
 
     getTest(`rbac user with all at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
         doesntExist: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
       },
     });
 
     getTest(`rbac user with read at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
         doesntExist: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
       },
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/update.ts b/x-pack/test/saved_object_api_integration/security_only/apis/update.ts
index 84125c5071005c..de506b4186e056 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/update.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/update.ts
@@ -26,31 +26,25 @@ export default function({ getService }: TestInvoker) {
     } = updateTestSuiteFactory(esArchiver, supertest);
 
     updateTest(`user with no access`, {
-      auth: {
-        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
-        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.NOT_A_KIBANA_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
         notSpaceAware: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
         doesntExist: {
           statusCode: 403,
-          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME),
+          response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
         },
       },
     });
 
     updateTest(`superuser`, {
-      auth: {
-        username: AUTHENTICATION.SUPERUSER.USERNAME,
-        password: AUTHENTICATION.SUPERUSER.PASSWORD,
-      },
+      user: AUTHENTICATION.SUPERUSER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -68,10 +62,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     updateTest(`legacy user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -89,37 +80,31 @@ export default function({ getService }: TestInvoker) {
     });
 
     updateTest(`legacy readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
           ),
         },
         doesntExist: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME
+            AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
           ),
         },
       },
     });
 
     updateTest(`dual-privileges user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -137,10 +122,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     updateTest(`dual-privileges readonly user`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
@@ -158,10 +140,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     updateTest(`rbac user with all globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_USER,
       tests: {
         spaceAware: {
           statusCode: 200,
@@ -179,10 +158,7 @@ export default function({ getService }: TestInvoker) {
     });
 
     updateTest(`rbac user with read globally`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
@@ -200,108 +176,96 @@ export default function({ getService }: TestInvoker) {
     });
 
     updateTest(`rbac user with all at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
         doesntExist: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
           ),
         },
       },
     });
 
     updateTest(`rbac user with read at default space`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
         doesntExist: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
           ),
         },
       },
     });
 
     updateTest(`rbac user with all at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
         doesntExist: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
           ),
         },
       },
     });
 
     updateTest(`rbac user with read at space_1`, {
-      auth: {
-        username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
-        password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
-      },
+      user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
       tests: {
         spaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
         notSpaceAware: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
         doesntExist: {
           statusCode: 403,
           response: createExpectLegacyForbidden(
-            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME
+            AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
           ),
         },
       },
diff --git a/x-pack/test/spaces_api_integration/common/lib/authentication.ts b/x-pack/test/spaces_api_integration/common/lib/authentication.ts
index 20aa0b5e955e5e..d4dcb333cd61a2 100644
--- a/x-pack/test/spaces_api_integration/common/lib/authentication.ts
+++ b/x-pack/test/spaces_api_integration/common/lib/authentication.ts
@@ -6,67 +6,67 @@
 
 export const AUTHENTICATION = {
   NOT_A_KIBANA_USER: {
-    USERNAME: 'not_a_kibana_user',
-    PASSWORD: 'password',
+    username: 'not_a_kibana_user',
+    password: 'password',
   },
   SUPERUSER: {
-    USERNAME: 'elastic',
-    PASSWORD: 'changeme',
+    username: 'elastic',
+    password: 'changeme',
   },
   KIBANA_LEGACY_USER: {
-    USERNAME: 'a_kibana_legacy_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_legacy_user',
+    password: 'password',
   },
   KIBANA_LEGACY_DASHBOARD_ONLY_USER: {
-    USERNAME: 'a_kibana_legacy_dashboard_only_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_legacy_dashboard_only_user',
+    password: 'password',
   },
   KIBANA_DUAL_PRIVILEGES_USER: {
-    USERNAME: 'a_kibana_dual_privileges_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_dual_privileges_user',
+    password: 'password',
   },
   KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER: {
-    USERNAME: 'a_kibana_dual_privileges_dashboard_only_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_dual_privileges_dashboard_only_user',
+    password: 'password',
   },
   KIBANA_RBAC_USER: {
-    USERNAME: 'a_kibana_rbac_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_user',
+    password: 'password',
   },
   KIBANA_RBAC_DASHBOARD_ONLY_USER: {
-    USERNAME: 'a_kibana_rbac_dashboard_only_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_dashboard_only_user',
+    password: 'password',
   },
   KIBANA_RBAC_DEFAULT_SPACE_ALL_USER: {
-    USERNAME: 'a_kibana_rbac_default_space_all_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_default_space_all_user',
+    password: 'password',
   },
   KIBANA_RBAC_DEFAULT_SPACE_READ_USER: {
-    USERNAME: 'a_kibana_rbac_default_space_read_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_default_space_read_user',
+    password: 'password',
   },
   KIBANA_RBAC_SPACE_1_ALL_USER: {
-    USERNAME: 'a_kibana_rbac_space_1_all_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_space_1_all_user',
+    password: 'password',
   },
   KIBANA_RBAC_SPACE_1_READ_USER: {
-    USERNAME: 'a_kibana_rbac_space_1_read_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_space_1_read_user',
+    password: 'password',
   },
   KIBANA_RBAC_SPACE_2_ALL_USER: {
-    USERNAME: 'a_kibana_rbac_space_2_all_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_space_2_all_user',
+    password: 'password',
   },
   KIBANA_RBAC_SPACE_2_READ_USER: {
-    USERNAME: 'a_kibana_rbac_space_2_read_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_space_2_read_user',
+    password: 'password',
   },
   KIBANA_RBAC_SPACE_1_2_ALL_USER: {
-    USERNAME: 'a_kibana_rbac_space_1_2_all_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_space_1_2_all_user',
+    password: 'password',
   },
   KIBANA_RBAC_SPACE_1_2_READ_USER: {
-    USERNAME: 'a_kibana_rbac_space_1_2_read_user',
-    PASSWORD: 'password',
+    username: 'a_kibana_rbac_space_1_2_read_user',
+    password: 'password',
   },
 };
diff --git a/x-pack/test/spaces_api_integration/common/lib/create_users_and_roles.ts b/x-pack/test/spaces_api_integration/common/lib/create_users_and_roles.ts
index d7e0f55e276197..0017888c635677 100644
--- a/x-pack/test/spaces_api_integration/common/lib/create_users_and_roles.ts
+++ b/x-pack/test/spaces_api_integration/common/lib/create_users_and_roles.ts
@@ -136,9 +136,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+    username: AUTHENTICATION.NOT_A_KIBANA_USER.username,
     body: {
-      password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      password: AUTHENTICATION.NOT_A_KIBANA_USER.password,
       roles: [],
       full_name: 'not a kibana user',
       email: 'not_a_kibana_user@elastic.co',
@@ -146,9 +146,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_LEGACY_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_LEGACY_USER.password,
       roles: ['kibana_legacy_user'],
       full_name: 'a kibana legacy user',
       email: 'a_kibana_legacy_user@elastic.co',
@@ -156,9 +156,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.password,
       roles: ['kibana_legacy_dashboard_only_user'],
       full_name: 'a kibana legacy dashboard only user',
       email: 'a_kibana_legacy_dashboard_only_user@elastic.co',
@@ -166,9 +166,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.password,
       roles: ['kibana_dual_privileges_user'],
       full_name: 'a kibana dual_privileges user',
       email: 'a_kibana_dual_privileges_user@elastic.co',
@@ -176,9 +176,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.password,
       roles: ['kibana_dual_privileges_dashboard_only_user'],
       full_name: 'a kibana dual_privileges dashboard only user',
       email: 'a_kibana_dual_privileges_dashboard_only_user@elastic.co',
@@ -186,9 +186,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_USER.password,
       roles: ['kibana_rbac_user'],
       full_name: 'a kibana user',
       email: 'a_kibana_rbac_user@elastic.co',
@@ -196,9 +196,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.password,
       roles: ['kibana_rbac_dashboard_only_user'],
       full_name: 'a kibana dashboard only user',
       email: 'a_kibana_rbac_dashboard_only_user@elastic.co',
@@ -206,9 +206,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.password,
       roles: ['kibana_rbac_default_space_all_user'],
       full_name: 'a kibana default space all user',
       email: 'a_kibana_rbac_default_space_all_user@elastic.co',
@@ -216,9 +216,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.password,
       roles: ['kibana_rbac_default_space_read_user'],
       full_name: 'a kibana default space read-only user',
       email: 'a_kibana_rbac_default_space_read_user@elastic.co',
@@ -226,9 +226,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.password,
       roles: ['kibana_rbac_space_1_all_user'],
       full_name: 'a kibana rbac space 1 all user',
       email: 'a_kibana_rbac_space_1_all_user@elastic.co',
@@ -236,9 +236,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.password,
       roles: ['kibana_rbac_space_1_read_user'],
       full_name: 'a kibana rbac space 1 read-only user',
       email: 'a_kibana_rbac_space_1_readonly_user@elastic.co',
@@ -246,9 +246,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_SPACE_2_ALL_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_2_ALL_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_SPACE_2_ALL_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_2_ALL_USER.password,
       roles: ['kibana_rbac_space_2_all_user'],
       full_name: 'a kibana rbac space 2 all user',
       email: 'a_kibana_rbac_space_2_all_user@elastic.co',
@@ -256,9 +256,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_SPACE_2_READ_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_2_READ_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_SPACE_2_READ_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_2_READ_USER.password,
       roles: ['kibana_rbac_space_2_read_user'],
       full_name: 'a kibana rbac space 2 read-only user',
       email: 'a_kibana_rbac_space_2_readonly_user@elastic.co',
@@ -266,9 +266,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_ALL_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_ALL_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_ALL_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_ALL_USER.password,
       roles: ['kibana_rbac_space_1_2_all_user'],
       full_name: 'a kibana rbac space 1 and 2 all user',
       email: 'a_kibana_rbac_space_1_2_all_user@elastic.co',
@@ -276,9 +276,9 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
   });
 
   await es.shield.putUser({
-    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_READ_USER.USERNAME,
+    username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_READ_USER.username,
     body: {
-      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_READ_USER.PASSWORD,
+      password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_READ_USER.password,
       roles: ['kibana_rbac_space_1_2_read_user'],
       full_name: 'a kibana rbac space 1 and 2 read-only user',
       email: 'a_kibana_rbac_space_1_2_readonly_user@elastic.co',
diff --git a/x-pack/test/spaces_api_integration/common/suites/create.ts b/x-pack/test/spaces_api_integration/common/suites/create.ts
index f8ae030b42681c..7b750f4ee3ff45 100644
--- a/x-pack/test/spaces_api_integration/common/suites/create.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/create.ts
@@ -21,7 +21,7 @@ interface CreateTests {
 }
 
 interface CreateTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   spaceId: string;
   tests: CreateTests;
 }
@@ -72,7 +72,7 @@ export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
 
   const makeCreateTest = (describeFn: DescribeFn) => (
     description: string,
-    { auth = {}, spaceId, tests }: CreateTestDefinition
+    { user = {}, spaceId, tests }: CreateTestDefinition
   ) => {
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -81,7 +81,7 @@ export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
       it(`should return ${tests.newSpace.statusCode}`, async () => {
         return supertest
           .post(`${getUrlPrefix(spaceId)}/api/spaces/space`)
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .send({
             name: 'marketing',
             id: 'marketing',
@@ -96,7 +96,7 @@ export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
         it(`should return ${tests.alreadyExists.statusCode}`, async () => {
           return supertest
             .post(`${getUrlPrefix(spaceId)}/api/spaces/space`)
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .send({
               name: 'space_1',
               id: 'space_1',
@@ -112,7 +112,7 @@ export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
         it(`should return ${tests.reservedSpecified.statusCode} and ignore _reserved`, async () => {
           return supertest
             .post(`${getUrlPrefix(spaceId)}/api/spaces/space`)
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .send({
               name: 'reserved space',
               id: 'reserved',
diff --git a/x-pack/test/spaces_api_integration/common/suites/delete.ts b/x-pack/test/spaces_api_integration/common/suites/delete.ts
index 43b37900616e79..3376e73420fb2a 100644
--- a/x-pack/test/spaces_api_integration/common/suites/delete.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/delete.ts
@@ -20,7 +20,7 @@ interface DeleteTests {
 }
 
 interface DeleteTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   spaceId: string;
   tests: DeleteTests;
 }
@@ -69,7 +69,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
 
   const makeDeleteTest = (describeFn: DescribeFn) => (
     description: string,
-    { auth = {}, spaceId, tests }: DeleteTestDefinition
+    { user = {}, spaceId, tests }: DeleteTestDefinition
   ) => {
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -78,7 +78,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
       it(`should return ${tests.exists.statusCode}`, async () => {
         return supertest
           .delete(`${getUrlPrefix(spaceId)}/api/spaces/space/space_2`)
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .expect(tests.exists.statusCode)
           .then(tests.exists.response);
       });
@@ -87,7 +87,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
         it(`should return ${tests.reservedSpace.statusCode}`, async () => {
           return supertest
             .delete(`${getUrlPrefix(spaceId)}/api/spaces/space/default`)
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .expect(tests.reservedSpace.statusCode)
             .then(tests.reservedSpace.response);
         });
@@ -97,7 +97,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
         it(`should return ${tests.doesntExist.statusCode}`, async () => {
           return supertest
             .delete(`${getUrlPrefix(spaceId)}/api/spaces/space/space_3`)
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .expect(tests.doesntExist.statusCode)
             .then(tests.doesntExist.response);
         });
diff --git a/x-pack/test/spaces_api_integration/common/suites/get.ts b/x-pack/test/spaces_api_integration/common/suites/get.ts
index ea5e3ba09a7edb..50cddc4a7dac35 100644
--- a/x-pack/test/spaces_api_integration/common/suites/get.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/get.ts
@@ -18,7 +18,7 @@ interface GetTests {
 }
 
 interface GetTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   currentSpaceId: string;
   spaceId: string;
   tests: GetTests;
@@ -78,7 +78,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperAgent<any>)
 
   const makeGetTest = (describeFn: DescribeFn) => (
     description: string,
-    { auth = {}, currentSpaceId, spaceId, tests }: GetTestDefinition
+    { user = {}, currentSpaceId, spaceId, tests }: GetTestDefinition
   ) => {
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -87,7 +87,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperAgent<any>)
       it(`should return ${tests.default.statusCode}`, async () => {
         return supertest
           .get(`${getUrlPrefix(currentSpaceId)}/api/spaces/space/${spaceId}`)
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .expect(tests.default.statusCode)
           .then(tests.default.response);
       });
diff --git a/x-pack/test/spaces_api_integration/common/suites/get_all.ts b/x-pack/test/spaces_api_integration/common/suites/get_all.ts
index c2ef7d5d3be3e2..3bc1be39c9c702 100644
--- a/x-pack/test/spaces_api_integration/common/suites/get_all.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/get_all.ts
@@ -18,7 +18,7 @@ interface GetAllTests {
 }
 
 interface GetAllTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   spaceId: string;
   tests: GetAllTests;
 }
@@ -60,7 +60,7 @@ export function getAllTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
 
   const makeGetAllTest = (describeFn: DescribeFn) => (
     description: string,
-    { auth = {}, spaceId, tests }: GetAllTestDefinition
+    { user = {}, spaceId, tests }: GetAllTestDefinition
   ) => {
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -69,7 +69,7 @@ export function getAllTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
       it(`should return ${tests.exists.statusCode}`, async () => {
         return supertest
           .get(`${getUrlPrefix(spaceId)}/api/spaces/space`)
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .expect(tests.exists.statusCode)
           .then(tests.exists.response);
       });
diff --git a/x-pack/test/spaces_api_integration/common/suites/select.ts b/x-pack/test/spaces_api_integration/common/suites/select.ts
index 507a4005adc102..ca4d3556a04cba 100644
--- a/x-pack/test/spaces_api_integration/common/suites/select.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/select.ts
@@ -20,7 +20,7 @@ interface SelectTests {
 }
 
 interface SelectTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   currentSpaceId: string;
   selectSpaceId: string;
   tests: SelectTests;
@@ -96,7 +96,7 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
 
   const makeSelectTest = (describeFn: DescribeFn) => (
     description: string,
-    { auth = {}, currentSpaceId, selectSpaceId, tests }: SelectTestDefinition
+    { user = {}, currentSpaceId, selectSpaceId, tests }: SelectTestDefinition
   ) => {
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -105,7 +105,7 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
       it(`should return ${tests.default.statusCode}`, async () => {
         return supertest
           .post(`${getUrlPrefix(currentSpaceId)}/api/spaces/v1/space/${selectSpaceId}/select`)
-          .auth(auth.username, auth.password)
+          .auth(user.username, user.password)
           .expect(tests.default.statusCode)
           .then(tests.default.response);
       });
diff --git a/x-pack/test/spaces_api_integration/common/suites/update.ts b/x-pack/test/spaces_api_integration/common/suites/update.ts
index a937aa497dcfa0..cfd1123e2b72c8 100644
--- a/x-pack/test/spaces_api_integration/common/suites/update.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/update.ts
@@ -20,7 +20,7 @@ interface UpdateTests {
 }
 
 interface UpdateTestDefinition {
-  auth?: TestDefinitionAuthentication;
+  user?: TestDefinitionAuthentication;
   spaceId: string;
   tests: UpdateTests;
 }
@@ -70,7 +70,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
 
   const makeUpdateTest = (describeFn: DescribeFn) => (
     description: string,
-    { auth = {}, spaceId, tests }: UpdateTestDefinition
+    { user = {}, spaceId, tests }: UpdateTestDefinition
   ) => {
     describeFn(description, () => {
       before(() => esArchiver.load('saved_objects/spaces'));
@@ -80,7 +80,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
         it(`should return ${tests.alreadyExists.statusCode}`, async () => {
           return supertest
             .put(`${getUrlPrefix(spaceId)}/api/spaces/space/space_1`)
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .send({
               name: 'space 1',
               id: 'space_1',
@@ -97,7 +97,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
         it(`should return ${tests.defaultSpace.statusCode}`, async () => {
           return supertest
             .put(`${getUrlPrefix(spaceId)}/api/spaces/space/default`)
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .send({
               name: 'the new default',
               id: 'default',
@@ -114,7 +114,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
         it(`should return ${tests.newSpace.statusCode}`, async () => {
           return supertest
             .put(`${getUrlPrefix(spaceId)}/api/spaces/space/marketing`)
-            .auth(auth.username, auth.password)
+            .auth(user.username, user.password)
             .send({
               name: 'marketing',
               id: 'marketing',
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts
index 79cb4046ef8fc3..007b8351778c6c 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts
@@ -56,32 +56,26 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
     ].forEach(scenario => {
       createTest(`user with no access from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.noAccess.USERNAME,
-          password: scenario.users.noAccess.PASSWORD,
-        },
+        user: scenario.users.noAccess,
         tests: {
           newSpace: {
             statusCode: 403,
-            response: createExpectLegacyForbiddenResponse(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbiddenResponse(scenario.users.noAccess.username),
           },
           alreadyExists: {
             statusCode: 403,
-            response: createExpectLegacyForbiddenResponse(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbiddenResponse(scenario.users.noAccess.username),
           },
           reservedSpecified: {
             statusCode: 403,
-            response: createExpectLegacyForbiddenResponse(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbiddenResponse(scenario.users.noAccess.username),
           },
         },
       });
 
       createTest(`superuser from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.superuser.USERNAME,
-          password: scenario.users.superuser.PASSWORD,
-        },
+        user: scenario.users.superuser,
         tests: {
           newSpace: {
             statusCode: 200,
@@ -100,10 +94,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
 
       createTest(`rbac user with all globally from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.allGlobally.USERNAME,
-          password: scenario.users.allGlobally.PASSWORD,
-        },
+        user: scenario.users.allGlobally,
         tests: {
           newSpace: {
             statusCode: 200,
@@ -122,10 +113,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
 
       createTest(`dual-privileges user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.dualAll.USERNAME,
-          password: scenario.users.dualAll.PASSWORD,
-        },
+        user: scenario.users.dualAll,
         tests: {
           newSpace: {
             statusCode: 200,
@@ -144,10 +132,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
 
       createTest(`legacy user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.legacyAll.USERNAME,
-          password: scenario.users.legacyAll.PASSWORD,
-        },
+        user: scenario.users.legacyAll,
         tests: {
           newSpace: {
             statusCode: 200,
@@ -166,10 +151,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
 
       createTest(`rbac user with read globally from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.readGlobally.USERNAME,
-          password: scenario.users.readGlobally.PASSWORD,
-        },
+        user: scenario.users.readGlobally,
         tests: {
           newSpace: {
             statusCode: 403,
@@ -188,10 +170,7 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
 
       createTest(`dual-privileges readonly user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.dualRead.USERNAME,
-          password: scenario.users.dualRead.PASSWORD,
-        },
+        user: scenario.users.dualRead,
         tests: {
           newSpace: {
             statusCode: 403,
@@ -210,32 +189,26 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
 
       createTest(`legacy readonly user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.legacyRead.USERNAME,
-          password: scenario.users.legacyRead.PASSWORD,
-        },
+        user: scenario.users.legacyRead,
         tests: {
           newSpace: {
             statusCode: 403,
-            response: createExpectLegacyForbiddenResponse(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbiddenResponse(scenario.users.legacyRead.username),
           },
           alreadyExists: {
             statusCode: 403,
-            response: createExpectLegacyForbiddenResponse(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbiddenResponse(scenario.users.legacyRead.username),
           },
           reservedSpecified: {
             statusCode: 403,
-            response: createExpectLegacyForbiddenResponse(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbiddenResponse(scenario.users.legacyRead.username),
           },
         },
       });
 
       createTest(`rbac user with all at space from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.allAtSpace.USERNAME,
-          password: scenario.users.allAtSpace.PASSWORD,
-        },
+        user: scenario.users.allAtSpace,
         tests: {
           newSpace: {
             statusCode: 403,
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
index c6f3c339785be2..7d2d124f1a3744 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts
@@ -56,32 +56,26 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
     ].forEach(scenario => {
       deleteTest(`user with no access from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.noAccess.USERNAME,
-          password: scenario.users.noAccess.PASSWORD,
-        },
+        user: scenario.users.noAccess,
         tests: {
           exists: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME, 'read/get'),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username, 'read/get'),
           },
           reservedSpace: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME, 'read/get'),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username, 'read/get'),
           },
           doesntExist: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME, 'read/get'),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username, 'read/get'),
           },
         },
       });
 
       deleteTest(`superuser from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.superuser.USERNAME,
-          password: scenario.users.superuser.PASSWORD,
-        },
+        user: scenario.users.superuser,
         tests: {
           exists: {
             statusCode: 204,
@@ -100,10 +94,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
 
       deleteTest(`rbac user with all globally from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.allGlobally.USERNAME,
-          password: scenario.users.allGlobally.PASSWORD,
-        },
+        user: scenario.users.allGlobally,
         tests: {
           exists: {
             statusCode: 204,
@@ -122,10 +113,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
 
       deleteTest(`dual-privileges user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.dualAll.USERNAME,
-          password: scenario.users.dualAll.PASSWORD,
-        },
+        user: scenario.users.dualAll,
         tests: {
           exists: {
             statusCode: 204,
@@ -144,10 +132,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
 
       deleteTest(`legacy user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.legacyAll.USERNAME,
-          password: scenario.users.legacyAll.PASSWORD,
-        },
+        user: scenario.users.legacyAll,
         tests: {
           exists: {
             statusCode: 204,
@@ -166,10 +151,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
 
       deleteTest(`rbac user with read globally from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.readGlobally.USERNAME,
-          password: scenario.users.readGlobally.PASSWORD,
-        },
+        user: scenario.users.readGlobally,
         tests: {
           exists: {
             statusCode: 403,
@@ -188,10 +170,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
 
       deleteTest(`dual-privileges readonly user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.dualRead.USERNAME,
-          password: scenario.users.dualRead.PASSWORD,
-        },
+        user: scenario.users.dualRead,
         tests: {
           exists: {
             statusCode: 403,
@@ -210,15 +189,12 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
 
       deleteTest(`legacy readonly user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.legacyRead.USERNAME,
-          password: scenario.users.legacyRead.PASSWORD,
-        },
+        user: scenario.users.legacyRead,
         tests: {
           exists: {
             statusCode: 403,
             response: createExpectLegacyForbidden(
-              scenario.users.legacyRead.USERNAME,
+              scenario.users.legacyRead.username,
               'write/delete'
             ),
           },
@@ -235,10 +211,7 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
 
       deleteTest(`rbac user with all at space from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.allAtSpace.USERNAME,
-          password: scenario.users.allAtSpace.PASSWORD,
-        },
+        user: scenario.users.allAtSpace,
         tests: {
           exists: {
             statusCode: 403,
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts
index 3d1cc4d1e9b5fa..bff11d41602ac6 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts
@@ -63,14 +63,11 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
       getTest(`user with no access`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.noAccess.USERNAME,
-          password: scenario.users.noAccess.PASSWORD,
-        },
+        user: scenario.users.noAccess,
         tests: {
           default: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
         },
       });
@@ -78,10 +75,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
       getTest(`superuser`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.superuser.USERNAME,
-          password: scenario.users.superuser.PASSWORD,
-        },
+        user: scenario.users.superuser,
         tests: {
           default: {
             statusCode: 200,
@@ -93,10 +87,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
       getTest(`rbac user with all globally`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.allGlobally.USERNAME,
-          password: scenario.users.allGlobally.PASSWORD,
-        },
+        user: scenario.users.allGlobally,
         tests: {
           default: {
             statusCode: 200,
@@ -108,10 +99,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
       getTest(`dual-privileges user`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.dualAll.USERNAME,
-          password: scenario.users.dualAll.PASSWORD,
-        },
+        user: scenario.users.dualAll,
         tests: {
           default: {
             statusCode: 200,
@@ -123,10 +111,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
       getTest(`legacy user`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.legacyAll.USERNAME,
-          password: scenario.users.legacyAll.PASSWORD,
-        },
+        user: scenario.users.legacyAll,
         tests: {
           default: {
             statusCode: 200,
@@ -138,10 +123,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
       getTest(`rbac user with read globally`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.readGlobally.USERNAME,
-          password: scenario.users.readGlobally.PASSWORD,
-        },
+        user: scenario.users.readGlobally,
         tests: {
           default: {
             statusCode: 200,
@@ -153,10 +135,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
       getTest(`dual-privileges readonly user`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.dualRead.USERNAME,
-          password: scenario.users.dualRead.PASSWORD,
-        },
+        user: scenario.users.dualRead,
         tests: {
           default: {
             statusCode: 200,
@@ -168,10 +147,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
       getTest(`legacy readonly`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.legacyRead.USERNAME,
-          password: scenario.users.legacyRead.PASSWORD,
-        },
+        user: scenario.users.legacyRead,
         tests: {
           default: {
             statusCode: 200,
@@ -183,10 +159,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
       getTest(`rbac user with read at space from the ${scenario.spaceId} space`, {
         currentSpaceId: scenario.spaceId,
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.readAtSpace.USERNAME,
-          password: scenario.users.readAtSpace.PASSWORD,
-        },
+        user: scenario.users.readAtSpace,
         tests: {
           default: {
             statusCode: 200,
@@ -202,10 +175,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.otherSpaceId,
           spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.allAtOtherSpace.USERNAME,
-            password: scenario.users.allAtOtherSpace.PASSWORD,
-          },
+          user: scenario.users.allAtOtherSpace,
           tests: {
             default: {
               statusCode: 403,
@@ -235,10 +205,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         getTest(`rbac user with all globally`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
-          auth: {
-            username: scenario.users.allGlobally.USERNAME,
-            password: scenario.users.allGlobally.PASSWORD,
-          },
+          user: scenario.users.allGlobally,
           tests: {
             default: {
               statusCode: 404,
@@ -250,10 +217,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         getTest(`dual-privileges user`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
-          auth: {
-            username: scenario.users.dualAll.USERNAME,
-            password: scenario.users.dualAll.PASSWORD,
-          },
+          user: scenario.users.dualAll,
           tests: {
             default: {
               statusCode: 404,
@@ -265,10 +229,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         getTest(`legacy user`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
-          auth: {
-            username: scenario.users.legacyAll.USERNAME,
-            password: scenario.users.legacyAll.PASSWORD,
-          },
+          user: scenario.users.legacyAll,
           tests: {
             default: {
               statusCode: 404,
@@ -280,10 +241,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         getTest(`rbac user with read globally`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
-          auth: {
-            username: scenario.users.readGlobally.USERNAME,
-            password: scenario.users.readGlobally.PASSWORD,
-          },
+          user: scenario.users.readGlobally,
           tests: {
             default: {
               statusCode: 404,
@@ -295,10 +253,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         getTest(`dual-privileges readonly user`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
-          auth: {
-            username: scenario.users.dualRead.USERNAME,
-            password: scenario.users.dualRead.PASSWORD,
-          },
+          user: scenario.users.dualRead,
           tests: {
             default: {
               statusCode: 404,
@@ -310,10 +265,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         getTest(`legacy readonly user`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
-          auth: {
-            username: scenario.users.legacyRead.USERNAME,
-            password: scenario.users.legacyRead.PASSWORD,
-          },
+          user: scenario.users.legacyRead,
           tests: {
             default: {
               statusCode: 404,
@@ -325,10 +277,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
         getTest(`rbac user with all at default space`, {
           currentSpaceId: scenario.spaceId,
           spaceId: scenario.otherSpaceId,
-          auth: {
-            username: scenario.users.allAtDefaultSpace.USERNAME,
-            password: scenario.users.allAtDefaultSpace.PASSWORD,
-          },
+          user: scenario.users.allAtDefaultSpace,
           tests: {
             default: {
               statusCode: 403,
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts
index 767074db1ed71f..d7dd0d9468d6d3 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts
@@ -58,24 +58,18 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
     ].forEach(scenario => {
       getAllTest(`user with no access can't access any spaces from ${scenario.spaceId}`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.noAccess.USERNAME,
-          password: scenario.users.noAccess.PASSWORD,
-        },
+        user: scenario.users.noAccess,
         tests: {
           exists: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
         },
       });
 
       getAllTest(`superuser can access all spaces from ${scenario.spaceId}`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.superuser.USERNAME,
-          password: scenario.users.superuser.PASSWORD,
-        },
+        user: scenario.users.superuser,
         tests: {
           exists: {
             statusCode: 200,
@@ -86,10 +80,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
 
       getAllTest(`rbac user with all globally can access all spaces from ${scenario.spaceId}`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.allGlobally.USERNAME,
-          password: scenario.users.allGlobally.PASSWORD,
-        },
+        user: scenario.users.allGlobally,
         tests: {
           exists: {
             statusCode: 200,
@@ -100,10 +91,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
 
       getAllTest(`dual-privileges user can access all spaces from ${scenario.spaceId}`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.dualAll.USERNAME,
-          password: scenario.users.dualAll.PASSWORD,
-        },
+        user: scenario.users.dualAll,
         tests: {
           exists: {
             statusCode: 200,
@@ -114,10 +102,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
 
       getAllTest(`legacy user can access all spaces from ${scenario.spaceId}`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.legacyAll.USERNAME,
-          password: scenario.users.legacyAll.PASSWORD,
-        },
+        user: scenario.users.legacyAll,
         tests: {
           exists: {
             statusCode: 200,
@@ -128,10 +113,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
 
       getAllTest(`rbac user with read globally can access all spaces from ${scenario.spaceId}`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.readGlobally.USERNAME,
-          password: scenario.users.readGlobally.PASSWORD,
-        },
+        user: scenario.users.readGlobally,
         tests: {
           exists: {
             statusCode: 200,
@@ -142,10 +124,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
 
       getAllTest(`dual-privileges readonly user can access all spaces from ${scenario.spaceId}`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.dualRead.USERNAME,
-          password: scenario.users.dualRead.PASSWORD,
-        },
+        user: scenario.users.dualRead,
         tests: {
           exists: {
             statusCode: 200,
@@ -156,10 +135,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
 
       getAllTest(`legacy readonly user can access all spaces from ${scenario.spaceId}`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.legacyRead.USERNAME,
-          password: scenario.users.legacyRead.PASSWORD,
-        },
+        user: scenario.users.legacyRead,
         tests: {
           exists: {
             statusCode: 200,
@@ -170,10 +146,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
 
       getAllTest(`rbac user with all at space_1 can access space_1 from ${scenario.spaceId}`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.allAtSpace_1.USERNAME,
-          password: scenario.users.allAtSpace_1.PASSWORD,
-        },
+        user: scenario.users.allAtSpace_1,
         tests: {
           exists: {
             statusCode: 200,
@@ -184,10 +157,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
 
       getAllTest(`rbac user with read at space_1 can access space_1 from ${scenario.spaceId}`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.readAtSpace_1.USERNAME,
-          password: scenario.users.readAtSpace_1.PASSWORD,
-        },
+        user: scenario.users.readAtSpace_1,
         tests: {
           exists: {
             statusCode: 200,
@@ -200,10 +170,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
         `rbac user with all at default space can access default from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.allAtDefaultSpace.USERNAME,
-            password: scenario.users.allAtDefaultSpace.PASSWORD,
-          },
+          user: scenario.users.allAtDefaultSpace,
           tests: {
             exists: {
               statusCode: 200,
@@ -217,10 +184,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
         `rbac user with read at default space can access default from ${scenario.spaceId}`,
         {
           spaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.readAtDefaultSpace.USERNAME,
-            password: scenario.users.readAtDefaultSpace.PASSWORD,
-          },
+          user: scenario.users.readAtDefaultSpace,
           tests: {
             exists: {
               statusCode: 200,
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts
index c6d140e8fbf4a8..3e9e249c2f4bd7 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts
@@ -62,14 +62,11 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.noAccess.USERNAME,
-            password: scenario.users.noAccess.PASSWORD,
-          },
+          user: scenario.users.noAccess,
           tests: {
             default: {
               statusCode: 403,
-              response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+              response: createExpectLegacyForbidden(scenario.users.noAccess.username),
             },
           },
         }
@@ -82,10 +79,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.superuser.USERNAME,
-            password: scenario.users.superuser.PASSWORD,
-          },
+          user: scenario.users.superuser,
           tests: {
             default: {
               statusCode: 200,
@@ -102,10 +96,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.allGlobally.USERNAME,
-            password: scenario.users.allGlobally.PASSWORD,
-          },
+          user: scenario.users.allGlobally,
           tests: {
             default: {
               statusCode: 200,
@@ -122,10 +113,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.dualAll.USERNAME,
-            password: scenario.users.dualAll.PASSWORD,
-          },
+          user: scenario.users.dualAll,
           tests: {
             default: {
               statusCode: 200,
@@ -140,10 +128,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.legacyAll.USERNAME,
-            password: scenario.users.legacyAll.PASSWORD,
-          },
+          user: scenario.users.legacyAll,
           tests: {
             default: {
               statusCode: 200,
@@ -159,10 +144,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.readGlobally.USERNAME,
-            password: scenario.users.readGlobally.PASSWORD,
-          },
+          user: scenario.users.readGlobally,
           tests: {
             default: {
               statusCode: 200,
@@ -178,10 +160,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.dualRead.USERNAME,
-            password: scenario.users.dualRead.PASSWORD,
-          },
+          user: scenario.users.dualRead,
           tests: {
             default: {
               statusCode: 200,
@@ -197,10 +176,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.legacyRead.USERNAME,
-            password: scenario.users.legacyRead.PASSWORD,
-          },
+          user: scenario.users.legacyRead,
           tests: {
             default: {
               statusCode: 200,
@@ -237,10 +213,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.spaceId,
           selectSpaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.allAtSpace.USERNAME,
-            password: scenario.users.allAtSpace.PASSWORD,
-          },
+          user: scenario.users.allAtSpace,
           tests: {
             default: {
               statusCode: 200,
@@ -256,10 +229,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.spaceId,
           selectSpaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.readAtSpace.USERNAME,
-            password: scenario.users.readAtSpace.PASSWORD,
-          },
+          user: scenario.users.readAtSpace,
           tests: {
             default: {
               statusCode: 200,
@@ -275,10 +245,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.spaceId,
           selectSpaceId: scenario.spaceId,
-          auth: {
-            username: scenario.users.allAtOtherSpace.USERNAME,
-            password: scenario.users.allAtOtherSpace.PASSWORD,
-          },
+          user: scenario.users.allAtOtherSpace,
           tests: {
             default: {
               statusCode: 403,
@@ -309,10 +276,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.userWithAllAtSpace.USERNAME,
-            password: scenario.users.userWithAllAtSpace.PASSWORD,
-          },
+          user: scenario.users.userWithAllAtSpace,
           tests: {
             default: {
               statusCode: 200,
@@ -328,10 +292,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.userWithAllAtBothSpaces.USERNAME,
-            password: scenario.users.userWithAllAtBothSpaces.PASSWORD,
-          },
+          user: scenario.users.userWithAllAtBothSpaces,
           tests: {
             default: {
               statusCode: 200,
@@ -349,10 +310,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.userWithAllAtOtherSpace.USERNAME,
-            password: scenario.users.userWithAllAtOtherSpace.PASSWORD,
-          },
+          user: scenario.users.userWithAllAtOtherSpace,
           tests: {
             default: {
               statusCode: 403,
@@ -386,10 +344,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         selectTest(`rbac user with all globally cannot access non-existent space`, {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.userWithAllGlobally.USERNAME,
-            password: scenario.users.userWithAllGlobally.PASSWORD,
-          },
+          user: scenario.users.userWithAllGlobally,
           tests: {
             default: {
               statusCode: 404,
@@ -401,10 +356,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
         selectTest(`rbac user with all at space cannot access non-existent space`, {
           currentSpaceId: scenario.currentSpaceId,
           selectSpaceId: scenario.selectSpaceId,
-          auth: {
-            username: scenario.users.userWithAllAtSpace.USERNAME,
-            password: scenario.users.userWithAllAtSpace.PASSWORD,
-          },
+          user: scenario.users.userWithAllAtSpace,
           tests: {
             default: {
               statusCode: 403,
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
index a5bfefc41fdb3b..0b828a7d02f073 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts
@@ -58,32 +58,26 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
     ].forEach(scenario => {
       updateTest(`user with no access from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.noAccess.USERNAME,
-          password: scenario.users.noAccess.PASSWORD,
-        },
+        user: scenario.users.noAccess,
         tests: {
           alreadyExists: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
           defaultSpace: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
           newSpace: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.noAccess.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.noAccess.username),
           },
         },
       });
 
       updateTest(`superuser from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.superuser.USERNAME,
-          password: scenario.users.superuser.PASSWORD,
-        },
+        user: scenario.users.superuser,
         tests: {
           alreadyExists: {
             statusCode: 200,
@@ -102,10 +96,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
 
       updateTest(`rbac user with all globally from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.allGlobally.USERNAME,
-          password: scenario.users.allGlobally.PASSWORD,
-        },
+        user: scenario.users.allGlobally,
         tests: {
           alreadyExists: {
             statusCode: 200,
@@ -124,10 +115,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
 
       updateTest(`dual-privileges used from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.dualAll.USERNAME,
-          password: scenario.users.dualAll.PASSWORD,
-        },
+        user: scenario.users.dualAll,
         tests: {
           alreadyExists: {
             statusCode: 200,
@@ -146,10 +134,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
 
       updateTest(`legacy user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.legacyAll.USERNAME,
-          password: scenario.users.legacyAll.PASSWORD,
-        },
+        user: scenario.users.legacyAll,
         tests: {
           alreadyExists: {
             statusCode: 200,
@@ -168,10 +153,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
 
       updateTest(`rbac user with read globally from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.readGlobally.USERNAME,
-          password: scenario.users.readGlobally.PASSWORD,
-        },
+        user: scenario.users.readGlobally,
         tests: {
           alreadyExists: {
             statusCode: 403,
@@ -190,10 +172,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
 
       updateTest(`dual-privileges readonly user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.dualRead.USERNAME,
-          password: scenario.users.dualRead.PASSWORD,
-        },
+        user: scenario.users.dualRead,
         tests: {
           alreadyExists: {
             statusCode: 403,
@@ -212,32 +191,26 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
 
       updateTest(`legacy readonly user from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.legacyRead.USERNAME,
-          password: scenario.users.legacyRead.PASSWORD,
-        },
+        user: scenario.users.legacyRead,
         tests: {
           alreadyExists: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
           },
           defaultSpace: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
           },
           newSpace: {
             statusCode: 403,
-            response: createExpectLegacyForbidden(scenario.users.legacyRead.USERNAME),
+            response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
           },
         },
       });
 
       updateTest(`rbac user with all at space from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.allAtSpace.USERNAME,
-          password: scenario.users.allAtSpace.PASSWORD,
-        },
+        user: scenario.users.allAtSpace,
         tests: {
           alreadyExists: {
             statusCode: 403,
@@ -256,10 +229,7 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
 
       updateTest(`rbac user with read at space from the ${scenario.spaceId} space`, {
         spaceId: scenario.spaceId,
-        auth: {
-          username: scenario.users.readAtSpace.USERNAME,
-          password: scenario.users.readAtSpace.PASSWORD,
-        },
+        user: scenario.users.readAtSpace,
         tests: {
           alreadyExists: {
             statusCode: 403,

From 32bd0365dd44d01d61a8d4718b8594ee52f7d0cb Mon Sep 17 00:00:00 2001
From: Larry Gregory <lgregorydev@gmail.com>
Date: Wed, 26 Sep 2018 11:02:10 -0400
Subject: [PATCH 181/183] [Spaces] - Link to role management from space
 management (#23528)

---
 x-pack/plugins/spaces/index.ts                |  9 +++++
 .../secure_space_message.test.tsx.snap        | 28 +++++++++++++++
 .../components/secure_space_message/index.ts  |  7 ++++
 .../secure_space_message.test.tsx             | 36 +++++++++++++++++++
 .../secure_space_message.tsx                  | 30 ++++++++++++++++
 .../edit_space/manage_space_page.tsx          | 11 ++++--
 .../spaces_grid/spaces_grid_page.tsx          |  2 ++
 7 files changed, 121 insertions(+), 2 deletions(-)
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/secure_space_message/__snapshots__/secure_space_message.test.tsx.snap
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/secure_space_message/index.ts
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/secure_space_message/secure_space_message.test.tsx
 create mode 100644 x-pack/plugins/spaces/public/views/management/components/secure_space_message/secure_space_message.tsx

diff --git a/x-pack/plugins/spaces/index.ts b/x-pack/plugins/spaces/index.ts
index 83626cc83b74d6..9c44c11751dfcc 100644
--- a/x-pack/plugins/spaces/index.ts
+++ b/x-pack/plugins/spaces/index.ts
@@ -145,8 +145,17 @@ export const spaces = (kibana: any) =>
       registerUserProfileCapabilityFactory(async request => {
         const spacesClient = server.plugins.spaces.spacesClient.getScopedClient(request);
 
+        let manageSecurity = false;
+
+        if (server.plugins.security) {
+          const { showLinks = false } =
+            xpackMainPlugin.info.feature('security').getLicenseCheckResults() || {};
+          manageSecurity = showLinks;
+        }
+
         return {
           manageSpaces: await spacesClient.canEnumerateSpaces(),
+          manageSecurity,
         };
       });
 
diff --git a/x-pack/plugins/spaces/public/views/management/components/secure_space_message/__snapshots__/secure_space_message.test.tsx.snap b/x-pack/plugins/spaces/public/views/management/components/secure_space_message/__snapshots__/secure_space_message.test.tsx.snap
new file mode 100644
index 00000000000000..793806db8c5449
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/secure_space_message/__snapshots__/secure_space_message.test.tsx.snap
@@ -0,0 +1,28 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`SecureSpaceMessage doesn't render if user profile does not allow security to be managed 1`] = `""`;
+
+exports[`SecureSpaceMessage renders if user profile allows security to be managed 1`] = `
+<React.Fragment>
+  <EuiSpacer
+    size="l"
+  />
+  <EuiText
+    className="eui-textCenter"
+    grow={true}
+  >
+    <p>
+      Want to assign a role to a space? Go to Management and select
+       
+      <EuiLink
+        color="primary"
+        href="#/management/security/roles"
+        type="button"
+      >
+        Roles
+      </EuiLink>
+      .
+    </p>
+  </EuiText>
+</React.Fragment>
+`;
diff --git a/x-pack/plugins/spaces/public/views/management/components/secure_space_message/index.ts b/x-pack/plugins/spaces/public/views/management/components/secure_space_message/index.ts
new file mode 100644
index 00000000000000..4526dc791a224d
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/secure_space_message/index.ts
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { SecureSpaceMessage } from './secure_space_message';
diff --git a/x-pack/plugins/spaces/public/views/management/components/secure_space_message/secure_space_message.test.tsx b/x-pack/plugins/spaces/public/views/management/components/secure_space_message/secure_space_message.test.tsx
new file mode 100644
index 00000000000000..65b6bc2c120061
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/secure_space_message/secure_space_message.test.tsx
@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { shallow } from 'enzyme';
+import React from 'react';
+import { SecureSpaceMessage } from './secure_space_message';
+
+describe('SecureSpaceMessage', () => {
+  it(`doesn't render if user profile does not allow security to be managed`, () => {
+    const userProfile = {
+      hasCapability: (key: string) => {
+        if (key === 'manageSecurity') {
+          return false;
+        }
+        throw new Error(`unexpected capability ${key}`);
+      },
+    };
+
+    expect(shallow(<SecureSpaceMessage userProfile={userProfile} />)).toMatchSnapshot();
+  });
+
+  it(`renders if user profile allows security to be managed`, () => {
+    const userProfile = {
+      hasCapability: (key: string) => {
+        if (key === 'manageSecurity') {
+          return true;
+        }
+        throw new Error(`unexpected capability ${key}`);
+      },
+    };
+
+    expect(shallow(<SecureSpaceMessage userProfile={userProfile} />)).toMatchSnapshot();
+  });
+});
diff --git a/x-pack/plugins/spaces/public/views/management/components/secure_space_message/secure_space_message.tsx b/x-pack/plugins/spaces/public/views/management/components/secure_space_message/secure_space_message.tsx
new file mode 100644
index 00000000000000..db77c1ad6d113a
--- /dev/null
+++ b/x-pack/plugins/spaces/public/views/management/components/secure_space_message/secure_space_message.tsx
@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EuiLink, EuiSpacer, EuiText } from '@elastic/eui';
+import { UserProfile } from 'plugins/xpack_main/services/user_profile';
+import React, { Fragment } from 'react';
+
+interface Props {
+  userProfile: UserProfile;
+}
+
+export const SecureSpaceMessage = (props: Props) => {
+  if (props.userProfile.hasCapability('manageSecurity')) {
+    return (
+      <Fragment>
+        <EuiSpacer />
+        <EuiText className="eui-textCenter">
+          <p>
+            Want to assign a role to a space? Go to Management and select{' '}
+            <EuiLink href="#/management/security/roles">Roles</EuiLink>.
+          </p>
+        </EuiText>
+      </Fragment>
+    );
+  }
+  return null;
+};
diff --git a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.tsx b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.tsx
index 090a636ff76967..e8b4890173ea7b 100644
--- a/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.tsx
+++ b/x-pack/plugins/spaces/public/views/management/edit_space/manage_space_page.tsx
@@ -31,6 +31,7 @@ import { isReservedSpace } from '../../../../common';
 import { Space } from '../../../../common/model/space';
 import { SpaceAvatar } from '../../../components';
 import { SpacesManager } from '../../../lib';
+import { SecureSpaceMessage } from '../components/secure_space_message';
 import { UnauthorizedPrompt } from '../components/unauthorized_prompt';
 import { toSpaceIdentifier } from '../lib';
 import { SpaceValidator } from '../lib/validate_space';
@@ -101,6 +102,7 @@ export class ManageSpacePage extends Component<Props, State> {
           <EuiPageContent className="manageSpacePage__content">
             <EuiPageContentBody>{content}</EuiPageContentBody>
           </EuiPageContent>
+          {this.maybeGetSecureSpacesMessage()}
         </EuiPageBody>
       </EuiPage>
     );
@@ -182,8 +184,6 @@ export class ManageSpacePage extends Component<Props, State> {
           />
         </EuiFormRow>
 
-        <EuiSpacer />
-
         <EuiHorizontalRule />
 
         {this.getFormButtons()}
@@ -208,6 +208,13 @@ export class ManageSpacePage extends Component<Props, State> {
     return `Create space`;
   };
 
+  public maybeGetSecureSpacesMessage = () => {
+    if (this.editingExistingSpace()) {
+      return <SecureSpaceMessage userProfile={this.props.userProfile} />;
+    }
+    return null;
+  };
+
   public getFormButtons = () => {
     const saveText = this.editingExistingSpace() ? 'Update space' : 'Create space';
     return (
diff --git a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx
index 4a85fc2eaa5f43..8debabf65c43da 100644
--- a/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx
+++ b/x-pack/plugins/spaces/public/views/management/spaces_grid/spaces_grid_page.tsx
@@ -29,6 +29,7 @@ import { Space } from '../../../../common/model/space';
 import { SpaceAvatar } from '../../../components';
 import { SpacesManager } from '../../../lib/spaces_manager';
 import { ConfirmDeleteModal } from '../components/confirm_delete_modal';
+import { SecureSpaceMessage } from '../components/secure_space_message';
 import { UnauthorizedPrompt } from '../components/unauthorized_prompt';
 
 interface Props {
@@ -66,6 +67,7 @@ export class SpacesGridPage extends Component<Props, State> {
       <EuiPage restrictWidth className="spacesGridPage">
         <EuiPageBody>
           <EuiPageContent horizontalPosition="center">{this.getPageContent()}</EuiPageContent>
+          <SecureSpaceMessage userProfile={this.props.userProfile} />
         </EuiPageBody>
         {this.getConfirmDeleteModal()}
       </EuiPage>

From 4e712479bedbf87300df0e642d50f5e56560ca84 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Wed, 26 Sep 2018 08:47:54 -0700
Subject: [PATCH 182/183] Minimizing some formatting changes from the diff

---
 src/core_plugins/kibana/ui_setting_defaults.js        |  2 +-
 src/server/config/config.js                           |  2 +-
 src/server/saved_objects/service/lib/repository.js    |  8 ++------
 .../saved_objects/service/lib/repository.test.js      | 11 +++++------
 .../lib/__tests__/change_time_filter.test.js          |  2 +-
 5 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/src/core_plugins/kibana/ui_setting_defaults.js b/src/core_plugins/kibana/ui_setting_defaults.js
index 211263384fee5f..8b2dcc2d2b4a6a 100644
--- a/src/core_plugins/kibana/ui_setting_defaults.js
+++ b/src/core_plugins/kibana/ui_setting_defaults.js
@@ -528,4 +528,4 @@ export function getUiSettingDefaults() {
       category: ['accessibility'],
     },
   };
-}
\ No newline at end of file
+}
diff --git a/src/server/config/config.js b/src/server/config/config.js
index 1f34fefc376127..47b24d1f2a5dcc 100644
--- a/src/server/config/config.js
+++ b/src/server/config/config.js
@@ -167,7 +167,7 @@ export class Config {
           // true if there's a match
           if (child.schema._type === 'object') {
             if (has(key, child.schema, path.concat([child.key]))) return true;
-            // if the child matches, return true
+          // if the child matches, return true
           } else if (path.concat([child.key]).join('.') === key) {
             return true;
           }
diff --git a/src/server/saved_objects/service/lib/repository.js b/src/server/saved_objects/service/lib/repository.js
index 6bcc1c4262de09..62b7070f359cac 100644
--- a/src/server/saved_objects/service/lib/repository.js
+++ b/src/server/saved_objects/service/lib/repository.js
@@ -354,10 +354,8 @@ export class SavedObjectsRepository {
       }
     });
 
-    const { docs } = response;
-
     return {
-      saved_objects: docs.map((doc, i) => {
+      saved_objects: response.docs.map((doc, i) => {
         const { id, type } = objects[i];
 
         if (!doc.found) {
@@ -369,7 +367,7 @@ export class SavedObjectsRepository {
         }
 
         const time = doc._source.updated_at;
-        const savedObject = {
+        return {
           id,
           type,
           ...time && { updated_at: time },
@@ -377,8 +375,6 @@ export class SavedObjectsRepository {
           attributes: doc._source[type],
           migrationVersion: doc._source.migrationVersion,
         };
-
-        return savedObject;
       })
     };
   }
diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
index 34c872d03dcd27..6d832ea3c2d123 100644
--- a/src/server/saved_objects/service/lib/repository.test.js
+++ b/src/server/saved_objects/service/lib/repository.test.js
@@ -268,12 +268,11 @@ describe('SavedObjectsRepository', () => {
     });
 
     it('should use create action if ID defined and overwrite=false', async () => {
-      await savedObjectsRepository.create('index-pattern',
-        {
-          title: 'Logstash'
-        }, {
-          id: 'logstash-*',
-        });
+      await savedObjectsRepository.create('index-pattern', {
+        title: 'Logstash'
+      }, {
+        id: 'logstash-*',
+      });
 
       sinon.assert.calledOnce(callAdminCluster);
       sinon.assert.calledWith(callAdminCluster, 'create');
diff --git a/src/ui/public/filter_bar/lib/__tests__/change_time_filter.test.js b/src/ui/public/filter_bar/lib/__tests__/change_time_filter.test.js
index 4ffc6e00bb0769..eab08903ec029c 100644
--- a/src/ui/public/filter_bar/lib/__tests__/change_time_filter.test.js
+++ b/src/ui/public/filter_bar/lib/__tests__/change_time_filter.test.js
@@ -23,7 +23,7 @@ jest.mock('ui/chrome',
     getUiSettingsClient: () => {
       return {
         get: (key) => {
-          switch (key) {
+          switch(key) {
             case 'timepicker:timeDefaults':
               return { from: 'now-15m', to: 'now', mode: 'quick' };
             case 'timepicker:refreshIntervalDefaults':

From 0c3c099de26bd938bb07faa9c54524fd5361f873 Mon Sep 17 00:00:00 2001
From: kobelb <brandon.kobel@elastic.co>
Date: Thu, 27 Sep 2018 13:53:08 -0700
Subject: [PATCH 183/183] Switching from a while loop to a findIndex

---
 .../service/lib/priority_collection.ts            | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/src/server/saved_objects/service/lib/priority_collection.ts b/src/server/saved_objects/service/lib/priority_collection.ts
index ab8edaaaea22fa..3c918f0c1e1fc2 100644
--- a/src/server/saved_objects/service/lib/priority_collection.ts
+++ b/src/server/saved_objects/service/lib/priority_collection.ts
@@ -26,19 +26,16 @@ export class PriorityCollection<T> {
   private readonly array: Array<PriorityCollectionEntry<T>> = [];
 
   public add(priority: number, value: T) {
-    let i = 0;
-    while (i < this.array.length) {
-      const current = this.array[i];
+    const foundIndex = this.array.findIndex(current => {
       if (priority === current.priority) {
         throw new Error('Already have entry with this priority');
       }
 
-      if (priority < current.priority) {
-        break;
-      }
-      ++i;
-    }
-    this.array.splice(i, 0, { priority, value });
+      return priority < current.priority;
+    });
+
+    const spliceIndex = foundIndex === -1 ? this.array.length : foundIndex;
+    this.array.splice(spliceIndex, 0, { priority, value });
   }
 
   public toPrioritizedArray(): T[] {