[DOCS] Clarify transform requirements (#83295)

docs/reference/transform/setup.asciidoc

@@ -5,39 +5,97 @@
 <titleabbrev>Setup</titleabbrev>
 ++++
 
-To use the {transforms}, you must have the
-{subscriptions}[appropriate license] and at least one
-<<transform-setup-nodes,{transform} node>> in your {es} cluster. If {stack}
-{security-features} are enabled, you must also ensure your users have the
-<<transform-privileges,necessary privileges>>.
-
 [discrete]
-[[transform-setup-nodes]]
-== {transform-cap} nodes
+[[requirements-overview]]
+== Requirements overview
 
-To use {transforms}, there must be at least one {transform} node in your cluster.
-If you want to control which nodes run {transforms}, add or remove `transform`
-from the `node.roles` setting on some nodes. For more information, see
-<<modules-node>> and <<transform-settings>>.
+To use {transforms}, you must have:
+
+* at least one <<transform-node,{transform} node>>,
+* management features visible in the {kib} space, and
+* security privileges that:
++
+--
+* grant use of {transforms}, and
+* grant access to source and destination indices
+--
 
 [discrete]
 [[transform-privileges]]
 == Security privileges
 
-The {es} {security-features} provide <<built-in-roles,built-in roles>>
-and <<security-privileges,privileges>> that make it easier to control
-which users can manage or view {transforms}.
+Assigning security privileges affects how users access {transforms}. Consider 
+the two main categories:
 
-To _view_ the configuration and status of {transforms}, you must have:
+* *<<transform-es-security-privileges>>*: uses an {es} client, cURL, or {kib}
+**{dev-tools-app}** to access {transforms} via {es} APIs. This scenario requires
+{es} security privileges.
+* *<<transform-kib-security-privileges>>*: uses {transforms} in {kib}. This
+scenario requires {kib} feature privileges _and_ {es} security privileges.
 
-* `transform_user` built-in role or `monitor_transform`
-cluster privileges
+[discrete]
+[[transform-es-security-privileges]]
+=== {es} API user
 
-To _manage_ {transforms}, you must have:
+To _manage_ {transforms}, you must meet all of the following requirements:
 
-* `transform_admin` built-in role or `manage_transform`
-cluster privileges
-* `read` and `view_index_metadata` index privileges on source indices
-* `read`, `create_index`, and `index` index privileges on destination indices
+* `transform_admin` built-in role or `manage_transform` cluster privileges,
+* `read` and `view_index_metadata` index privileges on source indices, and
+* `create_index`, `index`, `manage`, and `read` index privileges on destination
+indices
 
-For more information, see <<security-privileges>> and <<built-in-roles>>.
+To view only the configuration and status of {transforms}, you must have:
+
+* `transform_user` built-in role or `monitor_transform` cluster privileges
+
+For more information about {es} roles and privileges, refer to
+<<built-in-roles>> and <<security-privileges>>.
+
+[discrete]
+[[transform-kib-security-privileges]]
+=== {kib} user
+
+Within a {kib} space, for full access to {transforms}, you must meet all of the
+following requirements:
+
+*  Management features visible in the {kib} space, including
+`Data View Management` and `Stack Monitoring`,
+* `monitoring_user` built-in role,
+* `transform_admin` built-in role or `manage_transform` cluster privileges,
+* `kibana_admin` built-in role or a custom role with `read` or `all` {kib}
+privileges for the `Data View Management` feature (dependent on whether data
+views already exist for your destination indices),
+* data views for your source indices,
+* `read` and `view_index_metadata` index privileges on source indices, and
+* `create_index`, `index`, `manage`, and `read` index privileges on destination
+indices 
+
+Within a {kib} space, for read-only access to {transforms}, you must meet all of
+the following requirements:
+
+* Management features visible in the {kib} space, including `Stack Monitoring`,
+* `monitoring_user` built-in role,
+* `transform_user` built-in role or `monitor_transform` cluster privileges,
+* `kibana_admin` built-in role or a custom role with `read` {kib} privileges
+for at least one feature in the space,
+* data views for your source and destination indices, and
+* `read`, and `view_index_metadata` index privileges on source indices and
+destination indices 
+
+For more information and {kib} security features, see
+{kibana-ref}/kibana-role-management.html[{kib} role management] and
+{kibana-ref}/kibana-privileges.html[{kib} privileges].
+
+
+[discrete]
+[[transform-kib-spaces]]
+== {kib} spaces
+
+{kibana-ref}/xpack-spaces.html[Spaces] enable you to organize your source and 
+destination indices and other saved objects in {kib} and to see only the objects 
+that belong to your space. However, this limited scope does not apply to 
+{transforms}; they are visible in all spaces.
+
+To successfully create {transforms} in {kib}, you must be logged into a space
+where the source indices are visible and the `Data View Management` and
+`Stack Monitoring` features are visible.

x-pack/docs/en/security/authorization/built-in-roles.asciidoc

@@ -184,8 +184,8 @@ Grants `manage_transform` cluster privileges, which enable you to manage
 {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}.
 
 [[built-in-roles-transform-user]] `transform_user`::
-Grants `monitor_transform` cluster privileges, which enable you to use
-{transforms}. This role also includes all
+Grants `monitor_transform` cluster privileges, which enable you to perform
+read-only operations related to {transforms}. This role also includes all
 {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}.
 
 [[built-in-roles-transport-client]] `transport_client`::