[Fleet] Use Kibana Authz for API authorization (#205335)

2025-04-23 01:13:23 -04:00 · 2025-01-06 14:41:00 -05:00 · 2025-01-06 14:41:00 -05:00 · 0b8ae3634d
commit 0b8ae3634d
parent 2fc2019c83
26 changed files with 1024 additions and 382 deletions
--- a/oas_docs/bundle.json
+++ b/oas_docs/bundle.json
@ -8595,6 +8595,7 @@
    },
    "/api/fleet/agent_download_sources": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].",
        "operationId": "get-fleet-agent-download-sources",
        "parameters": [],
        "responses": {
@ -8690,6 +8691,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "post-fleet-agent-download-sources",
        "parameters": [
          {
@ -8818,7 +8820,7 @@
    },
    "/api/fleet/agent_download_sources/{sourceId}": {
      "delete": {
-        "description": "Delete an agent binary download source by ID.",
+        "description": "Delete an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "delete-fleet-agent-download-sources-sourceid",
        "parameters": [
          {
@ -8891,7 +8893,7 @@
        ]
      },
      "get": {
-        "description": "Get an agent binary download source by ID.",
+        "description": "Get an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].",
        "operationId": "get-fleet-agent-download-sources-sourceid",
        "parameters": [
          {
@ -8981,7 +8983,7 @@
        ]
      },
      "put": {
-        "description": "Update an agent binary download source by ID.",
+        "description": "Update an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "put-fleet-agent-download-sources-sourceid",
        "parameters": [
          {
@ -9118,6 +9120,7 @@
    },
    "/api/fleet/agent_policies": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].",
        "operationId": "get-fleet-agent-policies",
        "parameters": [
          {
@ -9955,6 +9958,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].",
        "operationId": "post-fleet-agent-policies",
        "parameters": [
          {
@ -10955,6 +10959,7 @@
    },
    "/api/fleet/agent_policies/_bulk_get": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].",
        "operationId": "post-fleet-agent-policies-bulk-get",
        "parameters": [
          {
@ -11741,7 +11746,7 @@
    },
    "/api/fleet/agent_policies/delete": {
      "post": {
-        "description": "Delete an agent policy by ID.",
+        "description": "Delete an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].",
        "operationId": "post-fleet-agent-policies-delete",
        "parameters": [
          {
@ -11834,7 +11839,7 @@
    },
    "/api/fleet/agent_policies/outputs": {
      "post": {
-        "description": "Get a list of outputs associated with agent policies.",
+        "description": "Get a list of outputs associated with agent policies.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].",
        "operationId": "post-fleet-agent-policies-outputs",
        "parameters": [
          {
@ -12007,7 +12012,7 @@
    },
    "/api/fleet/agent_policies/{agentPolicyId}": {
      "get": {
-        "description": "Get an agent policy by ID.",
+        "description": "Get an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].",
        "operationId": "get-fleet-agent-policies-agentpolicyid",
        "parameters": [
          {
@ -12758,7 +12763,7 @@
        ]
      },
      "put": {
-        "description": "Update an agent policy by ID.",
+        "description": "Update an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].",
        "operationId": "put-fleet-agent-policies-agentpolicyid",
        "parameters": [
          {
@ -13771,7 +13776,7 @@
    },
    "/api/fleet/agent_policies/{agentPolicyId}/copy": {
      "post": {
-        "description": "Copy an agent policy by ID.",
+        "description": "Copy an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].",
        "operationId": "post-fleet-agent-policies-agentpolicyid-copy",
        "parameters": [
          {
@ -14556,7 +14561,7 @@
    },
    "/api/fleet/agent_policies/{agentPolicyId}/download": {
      "get": {
-        "description": "Download an agent policy by ID.",
+        "description": "Download an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].",
        "operationId": "get-fleet-agent-policies-agentpolicyid-download",
        "parameters": [
          {
@ -14661,7 +14666,7 @@
    },
    "/api/fleet/agent_policies/{agentPolicyId}/full": {
      "get": {
-        "description": "Get a full agent policy by ID.",
+        "description": "Get a full agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].",
        "operationId": "get-fleet-agent-policies-agentpolicyid-full",
        "parameters": [
          {
@ -15187,7 +15192,7 @@
    },
    "/api/fleet/agent_policies/{agentPolicyId}/outputs": {
      "get": {
-        "description": "Get a list of outputs associated with agent policy by policy id.",
+        "description": "Get a list of outputs associated with agent policy by policy id.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].",
        "operationId": "get-fleet-agent-policies-agentpolicyid-outputs",
        "parameters": [
          {
@ -15468,6 +15473,7 @@
    },
    "/api/fleet/agent_status/data": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agent-status-data",
        "parameters": [
          {
@ -15587,6 +15593,7 @@
    },
    "/api/fleet/agents": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents",
        "parameters": [
          {
@ -16126,6 +16133,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "post-fleet-agents",
        "parameters": [
          {
@ -16216,6 +16224,7 @@
    },
    "/api/fleet/agents/action_status": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents-action-status",
        "parameters": [
          {
@ -16439,6 +16448,7 @@
    },
    "/api/fleet/agents/actions/{actionId}/cancel": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-actions-actionid-cancel",
        "parameters": [
          {
@ -16567,6 +16577,7 @@
    },
    "/api/fleet/agents/available_versions": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents-available-versions",
        "parameters": [],
        "responses": {
@ -16625,6 +16636,7 @@
    },
    "/api/fleet/agents/bulk_reassign": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-bulk-reassign",
        "parameters": [
          {
@ -16730,6 +16742,7 @@
    },
    "/api/fleet/agents/bulk_request_diagnostics": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "post-fleet-agents-bulk-request-diagnostics",
        "parameters": [
          {
@ -16836,6 +16849,7 @@
    },
    "/api/fleet/agents/bulk_unenroll": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-bulk-unenroll",
        "parameters": [
          {
@ -16947,6 +16961,7 @@
    },
    "/api/fleet/agents/bulk_update_agent_tags": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-bulk-update-agent-tags",
        "parameters": [
          {
@ -17060,6 +17075,7 @@
    },
    "/api/fleet/agents/bulk_upgrade": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-bulk-upgrade",
        "parameters": [
          {
@ -17181,7 +17197,7 @@
    },
    "/api/fleet/agents/files/{fileId}": {
      "delete": {
-        "description": "Delete a file uploaded by an agent.",
+        "description": "Delete a file uploaded by an agent.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "delete-fleet-agents-files-fileid",
        "parameters": [
          {
@ -17260,7 +17276,7 @@
    },
    "/api/fleet/agents/files/{fileId}/{fileName}": {
      "get": {
-        "description": "Get a file uploaded by an agent.",
+        "description": "Get a file uploaded by an agent.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents-files-fileid-filename",
        "parameters": [
          {
@ -17324,6 +17340,7 @@
    },
    "/api/fleet/agents/setup": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].",
        "operationId": "get-fleet-agents-setup",
        "parameters": [],
        "responses": {
@ -17411,6 +17428,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].",
        "operationId": "post-fleet-agents-setup",
        "parameters": [
          {
@ -17498,6 +17516,7 @@
    },
    "/api/fleet/agents/tags": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents-tags",
        "parameters": [
          {
@ -17574,7 +17593,7 @@
    },
    "/api/fleet/agents/{agentId}": {
      "delete": {
-        "description": "Delete an agent by ID.",
+        "description": "Delete an agent by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "delete-fleet-agents-agentid",
        "parameters": [
          {
@ -17650,7 +17669,7 @@
        ]
      },
      "get": {
-        "description": "Get an agent by ID.",
+        "description": "Get an agent by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents-agentid",
        "parameters": [
          {
@ -18104,7 +18123,7 @@
        ]
      },
      "put": {
-        "description": "Update an agent by ID.",
+        "description": "Update an agent by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "put-fleet-agents-agentid",
        "parameters": [
          {
@ -18583,6 +18602,7 @@
    },
    "/api/fleet/agents/{agentId}/actions": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-agentid-actions",
        "parameters": [
          {
@ -18786,6 +18806,7 @@
    },
    "/api/fleet/agents/{agentId}/reassign": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-agentid-reassign",
        "parameters": [
          {
@ -18871,6 +18892,7 @@
    },
    "/api/fleet/agents/{agentId}/request_diagnostics": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "post-fleet-agents-agentid-request-diagnostics",
        "parameters": [
          {
@ -18967,6 +18989,7 @@
    },
    "/api/fleet/agents/{agentId}/unenroll": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-agentid-unenroll",
        "parameters": [
          {
@ -19016,6 +19039,7 @@
    },
    "/api/fleet/agents/{agentId}/upgrade": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-agentid-upgrade",
        "parameters": [
          {
@ -19110,6 +19134,7 @@
    },
    "/api/fleet/agents/{agentId}/uploads": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents-agentid-uploads",
        "parameters": [
          {
@ -19289,6 +19314,7 @@
    },
    "/api/fleet/data_streams": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].",
        "operationId": "get-fleet-data-streams",
        "parameters": [],
        "responses": {
@ -19433,6 +19459,7 @@
    },
    "/api/fleet/enrollment_api_keys": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].",
        "operationId": "get-fleet-enrollment-api-keys",
        "parameters": [
          {
@ -19608,6 +19635,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-enrollment-api-keys",
        "parameters": [
          {
@ -19741,7 +19769,7 @@
    },
    "/api/fleet/enrollment_api_keys/{keyId}": {
      "delete": {
-        "description": "Revoke an enrollment API key by ID by marking it as inactive.",
+        "description": "Revoke an enrollment API key by ID by marking it as inactive.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "delete-fleet-enrollment-api-keys-keyid",
        "parameters": [
          {
@ -19817,7 +19845,7 @@
        ]
      },
      "get": {
-        "description": "Get an enrollment API key by ID.",
+        "description": "Get an enrollment API key by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].",
        "operationId": "get-fleet-enrollment-api-keys-keyid",
        "parameters": [
          {
@ -19918,6 +19946,7 @@
    },
    "/api/fleet/epm/bulk_assets": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "post-fleet-epm-bulk-assets",
        "parameters": [
          {
@ -20056,6 +20085,7 @@
    },
    "/api/fleet/epm/categories": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-categories",
        "parameters": [
          {
@ -20154,6 +20184,7 @@
    },
    "/api/fleet/epm/custom_integrations": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].",
        "operationId": "post-fleet-epm-custom-integrations",
        "parameters": [
          {
@ -20350,6 +20381,7 @@
    },
    "/api/fleet/epm/data_streams": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-data-streams",
        "parameters": [
          {
@ -20463,6 +20495,7 @@
    },
    "/api/fleet/epm/packages": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-packages",
        "parameters": [
          {
@ -21022,6 +21055,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].",
        "operationId": "post-fleet-epm-packages",
        "parameters": [
          {
@ -21198,6 +21232,7 @@
    },
    "/api/fleet/epm/packages/_bulk": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].",
        "operationId": "post-fleet-epm-packages-bulk",
        "parameters": [
          {
@ -21463,6 +21498,7 @@
    },
    "/api/fleet/epm/packages/installed": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-packages-installed",
        "parameters": [
          {
@ -21691,6 +21727,7 @@
    },
    "/api/fleet/epm/packages/limited": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-packages-limited",
        "parameters": [],
        "responses": {
@ -21749,6 +21786,7 @@
    },
    "/api/fleet/epm/packages/{pkgName}/stats": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-packages-pkgname-stats",
        "parameters": [
          {
@ -21822,6 +21860,7 @@
    },
    "/api/fleet/epm/packages/{pkgName}/{pkgVersion}": {
      "delete": {
+        "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].",
        "operationId": "delete-fleet-epm-packages-pkgname-pkgversion",
        "parameters": [
          {
@ -22658,6 +22697,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].",
        "operationId": "post-fleet-epm-packages-pkgname-pkgversion",
        "parameters": [
          {
@ -22867,6 +22907,7 @@
        ]
      },
      "put": {
+        "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].",
        "operationId": "put-fleet-epm-packages-pkgname-pkgversion",
        "parameters": [
          {
@ -23662,6 +23703,7 @@
    },
    "/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-packages-pkgname-pkgversion-filepath",
        "parameters": [
          {
@ -23731,6 +23773,7 @@
    },
    "/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-templates-pkgname-pkgversion-inputs",
        "parameters": [
          {
@ -23887,6 +23930,7 @@
    },
    "/api/fleet/epm/verification_key_id": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-verification-key-id",
        "parameters": [],
        "responses": {
@ -23943,6 +23987,7 @@
    },
    "/api/fleet/fleet_server_hosts": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].",
        "operationId": "get-fleet-fleet-server-hosts",
        "parameters": [],
        "responses": {
@ -24047,6 +24092,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "post-fleet-fleet-server-hosts",
        "parameters": [
          {
@ -24193,7 +24239,7 @@
    },
    "/api/fleet/fleet_server_hosts/{itemId}": {
      "delete": {
-        "description": "Delete a Fleet Server host by ID.",
+        "description": "Delete a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "delete-fleet-fleet-server-hosts-itemid",
        "parameters": [
          {
@ -24266,7 +24312,7 @@
        ]
      },
      "get": {
-        "description": "Get a Fleet Server host by ID.",
+        "description": "Get a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-read].",
        "operationId": "get-fleet-fleet-server-hosts-itemid",
        "parameters": [
          {
@ -24365,7 +24411,7 @@
        ]
      },
      "put": {
-        "description": "Update a Fleet Server host by ID.",
+        "description": "Update a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "put-fleet-fleet-server-hosts-itemid",
        "parameters": [
          {
@ -24511,6 +24557,7 @@
    },
    "/api/fleet/health_check": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "post-fleet-health-check",
        "parameters": [
          {
@ -24626,6 +24673,7 @@
    },
    "/api/fleet/kubernetes": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].",
        "operationId": "get-fleet-kubernetes",
        "parameters": [
          {
@ -24706,6 +24754,7 @@
    },
    "/api/fleet/kubernetes/download": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].",
        "operationId": "get-fleet-kubernetes-download",
        "parameters": [
          {
@ -24802,6 +24851,7 @@
    },
    "/api/fleet/logstash_api_keys": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "post-fleet-logstash-api-keys",
        "parameters": [
          {
@ -24868,6 +24918,7 @@
    },
    "/api/fleet/message_signing_service/rotate_key_pair": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].",
        "operationId": "post-fleet-message-signing-service-rotate-key-pair",
        "parameters": [
          {
@ -24968,6 +25019,7 @@
    },
    "/api/fleet/outputs": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].",
        "operationId": "get-fleet-outputs",
        "parameters": [],
        "responses": {
@ -26051,6 +26103,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "post-fleet-outputs",
        "parameters": [
          {
@ -28156,7 +28209,7 @@
    },
    "/api/fleet/outputs/{outputId}": {
      "delete": {
-        "description": "Delete output by ID.",
+        "description": "Delete output by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "delete-fleet-outputs-outputid",
        "parameters": [
          {
@ -28254,7 +28307,7 @@
        ]
      },
      "get": {
-        "description": "Get output by ID.",
+        "description": "Get output by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].",
        "operationId": "get-fleet-outputs-outputid",
        "parameters": [
          {
@ -29332,7 +29385,7 @@
        ]
      },
      "put": {
-        "description": "Update output by ID.",
+        "description": "Update output by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].",
        "operationId": "put-fleet-outputs-outputid",
        "parameters": [
          {
@ -31422,6 +31475,7 @@
    },
    "/api/fleet/outputs/{outputId}/health": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].",
        "operationId": "get-fleet-outputs-outputid-health",
        "parameters": [
          {
@ -34175,6 +34229,7 @@
    },
    "/api/fleet/package_policies/delete": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].",
        "operationId": "post-fleet-package-policies-delete",
        "parameters": [
          {
@ -34366,7 +34421,7 @@
    },
    "/api/fleet/package_policies/upgrade": {
      "post": {
-        "description": "Upgrade a package policy to a newer package version.",
+        "description": "Upgrade a package policy to a newer package version.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].",
        "operationId": "post-fleet-package-policies-upgrade",
        "parameters": [
          {
@ -34479,6 +34534,7 @@
    },
    "/api/fleet/package_policies/upgrade/dryrun": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].",
        "operationId": "post-fleet-package-policies-upgrade-dryrun",
        "parameters": [
          {
@ -35664,7 +35720,7 @@
    },
    "/api/fleet/package_policies/{packagePolicyId}": {
      "delete": {
-        "description": "Delete a package policy by ID.",
+        "description": "Delete a package policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].",
        "operationId": "delete-fleet-package-policies-packagepolicyid",
        "parameters": [
          {
@ -37685,6 +37741,7 @@
    },
    "/api/fleet/proxies": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].",
        "operationId": "get-fleet-proxies",
        "parameters": [],
        "responses": {
@ -37803,6 +37860,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "post-fleet-proxies",
        "parameters": [
          {
@ -37977,7 +38035,7 @@
    },
    "/api/fleet/proxies/{itemId}": {
      "delete": {
-        "description": "Delete a proxy by ID",
+        "description": "Delete a proxy by ID<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "delete-fleet-proxies-itemid",
        "parameters": [
          {
@ -38050,7 +38108,7 @@
        ]
      },
      "get": {
-        "description": "Get a proxy by ID.",
+        "description": "Get a proxy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-read].",
        "operationId": "get-fleet-proxies-itemid",
        "parameters": [
          {
@ -38163,7 +38221,7 @@
        ]
      },
      "put": {
-        "description": "Update a proxy by ID.",
+        "description": "Update a proxy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "put-fleet-proxies-itemid",
        "parameters": [
          {
@ -38341,6 +38399,7 @@
    },
    "/api/fleet/service_tokens": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-service-tokens",
        "parameters": [
          {
@ -38428,6 +38487,7 @@
    },
    "/api/fleet/settings": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].",
        "operationId": "get-fleet-settings",
        "parameters": [],
        "responses": {
@ -38560,6 +38620,7 @@
        ]
      },
      "put": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "put-fleet-settings",
        "parameters": [
          {
@ -38752,6 +38813,7 @@
    },
    "/api/fleet/setup": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].",
        "operationId": "post-fleet-setup",
        "parameters": [
          {
@ -38858,7 +38920,7 @@
    },
    "/api/fleet/uninstall_tokens": {
      "get": {
-        "description": "List the metadata for the latest uninstall tokens per agent policy.",
+        "description": "List the metadata for the latest uninstall tokens per agent policy.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "get-fleet-uninstall-tokens",
        "parameters": [
          {
@ -38995,7 +39057,7 @@
    },
    "/api/fleet/uninstall_tokens/{uninstallTokenId}": {
      "get": {
-        "description": "Get one decrypted uninstall token by its ID.",
+        "description": "Get one decrypted uninstall token by its ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "get-fleet-uninstall-tokens-uninstalltokenid",
        "parameters": [
          {
--- a/oas_docs/bundle.serverless.json
+++ b/oas_docs/bundle.serverless.json
@ -8595,6 +8595,7 @@
    },
    "/api/fleet/agent_download_sources": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].",
        "operationId": "get-fleet-agent-download-sources",
        "parameters": [],
        "responses": {
@ -8690,6 +8691,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "post-fleet-agent-download-sources",
        "parameters": [
          {
@ -8818,7 +8820,7 @@
    },
    "/api/fleet/agent_download_sources/{sourceId}": {
      "delete": {
-        "description": "Delete an agent binary download source by ID.",
+        "description": "Delete an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "delete-fleet-agent-download-sources-sourceid",
        "parameters": [
          {
@ -8891,7 +8893,7 @@
        ]
      },
      "get": {
-        "description": "Get an agent binary download source by ID.",
+        "description": "Get an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].",
        "operationId": "get-fleet-agent-download-sources-sourceid",
        "parameters": [
          {
@ -8981,7 +8983,7 @@
        ]
      },
      "put": {
-        "description": "Update an agent binary download source by ID.",
+        "description": "Update an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "put-fleet-agent-download-sources-sourceid",
        "parameters": [
          {
@ -9118,6 +9120,7 @@
    },
    "/api/fleet/agent_policies": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].",
        "operationId": "get-fleet-agent-policies",
        "parameters": [
          {
@ -9955,6 +9958,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].",
        "operationId": "post-fleet-agent-policies",
        "parameters": [
          {
@ -10955,6 +10959,7 @@
    },
    "/api/fleet/agent_policies/_bulk_get": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].",
        "operationId": "post-fleet-agent-policies-bulk-get",
        "parameters": [
          {
@ -11741,7 +11746,7 @@
    },
    "/api/fleet/agent_policies/delete": {
      "post": {
-        "description": "Delete an agent policy by ID.",
+        "description": "Delete an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].",
        "operationId": "post-fleet-agent-policies-delete",
        "parameters": [
          {
@ -11834,7 +11839,7 @@
    },
    "/api/fleet/agent_policies/outputs": {
      "post": {
-        "description": "Get a list of outputs associated with agent policies.",
+        "description": "Get a list of outputs associated with agent policies.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].",
        "operationId": "post-fleet-agent-policies-outputs",
        "parameters": [
          {
@ -12007,7 +12012,7 @@
    },
    "/api/fleet/agent_policies/{agentPolicyId}": {
      "get": {
-        "description": "Get an agent policy by ID.",
+        "description": "Get an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].",
        "operationId": "get-fleet-agent-policies-agentpolicyid",
        "parameters": [
          {
@ -12758,7 +12763,7 @@
        ]
      },
      "put": {
-        "description": "Update an agent policy by ID.",
+        "description": "Update an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].",
        "operationId": "put-fleet-agent-policies-agentpolicyid",
        "parameters": [
          {
@ -13771,7 +13776,7 @@
    },
    "/api/fleet/agent_policies/{agentPolicyId}/copy": {
      "post": {
-        "description": "Copy an agent policy by ID.",
+        "description": "Copy an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].",
        "operationId": "post-fleet-agent-policies-agentpolicyid-copy",
        "parameters": [
          {
@ -14556,7 +14561,7 @@
    },
    "/api/fleet/agent_policies/{agentPolicyId}/download": {
      "get": {
-        "description": "Download an agent policy by ID.",
+        "description": "Download an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].",
        "operationId": "get-fleet-agent-policies-agentpolicyid-download",
        "parameters": [
          {
@ -14661,7 +14666,7 @@
    },
    "/api/fleet/agent_policies/{agentPolicyId}/full": {
      "get": {
-        "description": "Get a full agent policy by ID.",
+        "description": "Get a full agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].",
        "operationId": "get-fleet-agent-policies-agentpolicyid-full",
        "parameters": [
          {
@ -15187,7 +15192,7 @@
    },
    "/api/fleet/agent_policies/{agentPolicyId}/outputs": {
      "get": {
-        "description": "Get a list of outputs associated with agent policy by policy id.",
+        "description": "Get a list of outputs associated with agent policy by policy id.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].",
        "operationId": "get-fleet-agent-policies-agentpolicyid-outputs",
        "parameters": [
          {
@ -15468,6 +15473,7 @@
    },
    "/api/fleet/agent_status/data": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agent-status-data",
        "parameters": [
          {
@ -15587,6 +15593,7 @@
    },
    "/api/fleet/agents": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents",
        "parameters": [
          {
@ -16126,6 +16133,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "post-fleet-agents",
        "parameters": [
          {
@ -16216,6 +16224,7 @@
    },
    "/api/fleet/agents/action_status": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents-action-status",
        "parameters": [
          {
@ -16439,6 +16448,7 @@
    },
    "/api/fleet/agents/actions/{actionId}/cancel": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-actions-actionid-cancel",
        "parameters": [
          {
@ -16567,6 +16577,7 @@
    },
    "/api/fleet/agents/available_versions": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents-available-versions",
        "parameters": [],
        "responses": {
@ -16625,6 +16636,7 @@
    },
    "/api/fleet/agents/bulk_reassign": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-bulk-reassign",
        "parameters": [
          {
@ -16730,6 +16742,7 @@
    },
    "/api/fleet/agents/bulk_request_diagnostics": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "post-fleet-agents-bulk-request-diagnostics",
        "parameters": [
          {
@ -16836,6 +16849,7 @@
    },
    "/api/fleet/agents/bulk_unenroll": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-bulk-unenroll",
        "parameters": [
          {
@ -16947,6 +16961,7 @@
    },
    "/api/fleet/agents/bulk_update_agent_tags": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-bulk-update-agent-tags",
        "parameters": [
          {
@ -17060,6 +17075,7 @@
    },
    "/api/fleet/agents/bulk_upgrade": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-bulk-upgrade",
        "parameters": [
          {
@ -17181,7 +17197,7 @@
    },
    "/api/fleet/agents/files/{fileId}": {
      "delete": {
-        "description": "Delete a file uploaded by an agent.",
+        "description": "Delete a file uploaded by an agent.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "delete-fleet-agents-files-fileid",
        "parameters": [
          {
@ -17260,7 +17276,7 @@
    },
    "/api/fleet/agents/files/{fileId}/{fileName}": {
      "get": {
-        "description": "Get a file uploaded by an agent.",
+        "description": "Get a file uploaded by an agent.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents-files-fileid-filename",
        "parameters": [
          {
@ -17324,6 +17340,7 @@
    },
    "/api/fleet/agents/setup": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].",
        "operationId": "get-fleet-agents-setup",
        "parameters": [],
        "responses": {
@ -17411,6 +17428,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].",
        "operationId": "post-fleet-agents-setup",
        "parameters": [
          {
@ -17498,6 +17516,7 @@
    },
    "/api/fleet/agents/tags": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents-tags",
        "parameters": [
          {
@ -17574,7 +17593,7 @@
    },
    "/api/fleet/agents/{agentId}": {
      "delete": {
-        "description": "Delete an agent by ID.",
+        "description": "Delete an agent by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "delete-fleet-agents-agentid",
        "parameters": [
          {
@ -17650,7 +17669,7 @@
        ]
      },
      "get": {
-        "description": "Get an agent by ID.",
+        "description": "Get an agent by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents-agentid",
        "parameters": [
          {
@ -18104,7 +18123,7 @@
        ]
      },
      "put": {
-        "description": "Update an agent by ID.",
+        "description": "Update an agent by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "put-fleet-agents-agentid",
        "parameters": [
          {
@ -18583,6 +18602,7 @@
    },
    "/api/fleet/agents/{agentId}/actions": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-agentid-actions",
        "parameters": [
          {
@ -18786,6 +18806,7 @@
    },
    "/api/fleet/agents/{agentId}/reassign": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-agentid-reassign",
        "parameters": [
          {
@ -18871,6 +18892,7 @@
    },
    "/api/fleet/agents/{agentId}/request_diagnostics": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "post-fleet-agents-agentid-request-diagnostics",
        "parameters": [
          {
@ -18967,6 +18989,7 @@
    },
    "/api/fleet/agents/{agentId}/unenroll": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-agentid-unenroll",
        "parameters": [
          {
@ -19016,6 +19039,7 @@
    },
    "/api/fleet/agents/{agentId}/upgrade": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-agents-agentid-upgrade",
        "parameters": [
          {
@ -19110,6 +19134,7 @@
    },
    "/api/fleet/agents/{agentId}/uploads": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].",
        "operationId": "get-fleet-agents-agentid-uploads",
        "parameters": [
          {
@ -19289,6 +19314,7 @@
    },
    "/api/fleet/data_streams": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].",
        "operationId": "get-fleet-data-streams",
        "parameters": [],
        "responses": {
@ -19433,6 +19459,7 @@
    },
    "/api/fleet/enrollment_api_keys": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].",
        "operationId": "get-fleet-enrollment-api-keys",
        "parameters": [
          {
@ -19608,6 +19635,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-enrollment-api-keys",
        "parameters": [
          {
@ -19741,7 +19769,7 @@
    },
    "/api/fleet/enrollment_api_keys/{keyId}": {
      "delete": {
-        "description": "Revoke an enrollment API key by ID by marking it as inactive.",
+        "description": "Revoke an enrollment API key by ID by marking it as inactive.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "delete-fleet-enrollment-api-keys-keyid",
        "parameters": [
          {
@ -19817,7 +19845,7 @@
        ]
      },
      "get": {
-        "description": "Get an enrollment API key by ID.",
+        "description": "Get an enrollment API key by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].",
        "operationId": "get-fleet-enrollment-api-keys-keyid",
        "parameters": [
          {
@ -19918,6 +19946,7 @@
    },
    "/api/fleet/epm/bulk_assets": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "post-fleet-epm-bulk-assets",
        "parameters": [
          {
@ -20056,6 +20085,7 @@
    },
    "/api/fleet/epm/categories": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-categories",
        "parameters": [
          {
@ -20154,6 +20184,7 @@
    },
    "/api/fleet/epm/custom_integrations": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].",
        "operationId": "post-fleet-epm-custom-integrations",
        "parameters": [
          {
@ -20350,6 +20381,7 @@
    },
    "/api/fleet/epm/data_streams": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-data-streams",
        "parameters": [
          {
@ -20463,6 +20495,7 @@
    },
    "/api/fleet/epm/packages": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-packages",
        "parameters": [
          {
@ -21022,6 +21055,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].",
        "operationId": "post-fleet-epm-packages",
        "parameters": [
          {
@ -21198,6 +21232,7 @@
    },
    "/api/fleet/epm/packages/_bulk": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].",
        "operationId": "post-fleet-epm-packages-bulk",
        "parameters": [
          {
@ -21463,6 +21498,7 @@
    },
    "/api/fleet/epm/packages/installed": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-packages-installed",
        "parameters": [
          {
@ -21691,6 +21727,7 @@
    },
    "/api/fleet/epm/packages/limited": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-packages-limited",
        "parameters": [],
        "responses": {
@ -21749,6 +21786,7 @@
    },
    "/api/fleet/epm/packages/{pkgName}/stats": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-packages-pkgname-stats",
        "parameters": [
          {
@ -21822,6 +21860,7 @@
    },
    "/api/fleet/epm/packages/{pkgName}/{pkgVersion}": {
      "delete": {
+        "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].",
        "operationId": "delete-fleet-epm-packages-pkgname-pkgversion",
        "parameters": [
          {
@ -22658,6 +22697,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].",
        "operationId": "post-fleet-epm-packages-pkgname-pkgversion",
        "parameters": [
          {
@ -22867,6 +22907,7 @@
        ]
      },
      "put": {
+        "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].",
        "operationId": "put-fleet-epm-packages-pkgname-pkgversion",
        "parameters": [
          {
@ -23662,6 +23703,7 @@
    },
    "/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-packages-pkgname-pkgversion-filepath",
        "parameters": [
          {
@ -23731,6 +23773,7 @@
    },
    "/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-templates-pkgname-pkgversion-inputs",
        "parameters": [
          {
@ -23887,6 +23930,7 @@
    },
    "/api/fleet/epm/verification_key_id": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].",
        "operationId": "get-fleet-epm-verification-key-id",
        "parameters": [],
        "responses": {
@ -23943,6 +23987,7 @@
    },
    "/api/fleet/fleet_server_hosts": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].",
        "operationId": "get-fleet-fleet-server-hosts",
        "parameters": [],
        "responses": {
@ -24047,6 +24092,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "post-fleet-fleet-server-hosts",
        "parameters": [
          {
@ -24193,7 +24239,7 @@
    },
    "/api/fleet/fleet_server_hosts/{itemId}": {
      "delete": {
-        "description": "Delete a Fleet Server host by ID.",
+        "description": "Delete a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "delete-fleet-fleet-server-hosts-itemid",
        "parameters": [
          {
@ -24266,7 +24312,7 @@
        ]
      },
      "get": {
-        "description": "Get a Fleet Server host by ID.",
+        "description": "Get a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-read].",
        "operationId": "get-fleet-fleet-server-hosts-itemid",
        "parameters": [
          {
@ -24365,7 +24411,7 @@
        ]
      },
      "put": {
-        "description": "Update a Fleet Server host by ID.",
+        "description": "Update a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "put-fleet-fleet-server-hosts-itemid",
        "parameters": [
          {
@ -24511,6 +24557,7 @@
    },
    "/api/fleet/health_check": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "post-fleet-health-check",
        "parameters": [
          {
@ -24626,6 +24673,7 @@
    },
    "/api/fleet/kubernetes": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].",
        "operationId": "get-fleet-kubernetes",
        "parameters": [
          {
@ -24706,6 +24754,7 @@
    },
    "/api/fleet/kubernetes/download": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].",
        "operationId": "get-fleet-kubernetes-download",
        "parameters": [
          {
@ -24802,6 +24851,7 @@
    },
    "/api/fleet/logstash_api_keys": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "post-fleet-logstash-api-keys",
        "parameters": [
          {
@ -24868,6 +24918,7 @@
    },
    "/api/fleet/message_signing_service/rotate_key_pair": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].",
        "operationId": "post-fleet-message-signing-service-rotate-key-pair",
        "parameters": [
          {
@ -24968,6 +25019,7 @@
    },
    "/api/fleet/outputs": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].",
        "operationId": "get-fleet-outputs",
        "parameters": [],
        "responses": {
@ -26051,6 +26103,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "post-fleet-outputs",
        "parameters": [
          {
@ -28156,7 +28209,7 @@
    },
    "/api/fleet/outputs/{outputId}": {
      "delete": {
-        "description": "Delete output by ID.",
+        "description": "Delete output by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "delete-fleet-outputs-outputid",
        "parameters": [
          {
@ -28254,7 +28307,7 @@
        ]
      },
      "get": {
-        "description": "Get output by ID.",
+        "description": "Get output by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].",
        "operationId": "get-fleet-outputs-outputid",
        "parameters": [
          {
@ -29332,7 +29385,7 @@
        ]
      },
      "put": {
-        "description": "Update output by ID.",
+        "description": "Update output by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].",
        "operationId": "put-fleet-outputs-outputid",
        "parameters": [
          {
@ -31422,6 +31475,7 @@
    },
    "/api/fleet/outputs/{outputId}/health": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].",
        "operationId": "get-fleet-outputs-outputid-health",
        "parameters": [
          {
@ -34175,6 +34229,7 @@
    },
    "/api/fleet/package_policies/delete": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].",
        "operationId": "post-fleet-package-policies-delete",
        "parameters": [
          {
@ -34366,7 +34421,7 @@
    },
    "/api/fleet/package_policies/upgrade": {
      "post": {
-        "description": "Upgrade a package policy to a newer package version.",
+        "description": "Upgrade a package policy to a newer package version.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].",
        "operationId": "post-fleet-package-policies-upgrade",
        "parameters": [
          {
@ -34479,6 +34534,7 @@
    },
    "/api/fleet/package_policies/upgrade/dryrun": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].",
        "operationId": "post-fleet-package-policies-upgrade-dryrun",
        "parameters": [
          {
@ -35664,7 +35720,7 @@
    },
    "/api/fleet/package_policies/{packagePolicyId}": {
      "delete": {
-        "description": "Delete a package policy by ID.",
+        "description": "Delete a package policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].",
        "operationId": "delete-fleet-package-policies-packagepolicyid",
        "parameters": [
          {
@ -37685,6 +37741,7 @@
    },
    "/api/fleet/proxies": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].",
        "operationId": "get-fleet-proxies",
        "parameters": [],
        "responses": {
@ -37803,6 +37860,7 @@
        ]
      },
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "post-fleet-proxies",
        "parameters": [
          {
@ -37977,7 +38035,7 @@
    },
    "/api/fleet/proxies/{itemId}": {
      "delete": {
-        "description": "Delete a proxy by ID",
+        "description": "Delete a proxy by ID<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "delete-fleet-proxies-itemid",
        "parameters": [
          {
@ -38050,7 +38108,7 @@
        ]
      },
      "get": {
-        "description": "Get a proxy by ID.",
+        "description": "Get a proxy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-read].",
        "operationId": "get-fleet-proxies-itemid",
        "parameters": [
          {
@ -38163,7 +38221,7 @@
        ]
      },
      "put": {
-        "description": "Update a proxy by ID.",
+        "description": "Update a proxy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "put-fleet-proxies-itemid",
        "parameters": [
          {
@ -38341,6 +38399,7 @@
    },
    "/api/fleet/service_tokens": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "post-fleet-service-tokens",
        "parameters": [
          {
@ -38428,6 +38487,7 @@
    },
    "/api/fleet/settings": {
      "get": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].",
        "operationId": "get-fleet-settings",
        "parameters": [],
        "responses": {
@ -38560,6 +38620,7 @@
        ]
      },
      "put": {
+        "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].",
        "operationId": "put-fleet-settings",
        "parameters": [
          {
@ -38752,6 +38813,7 @@
    },
    "/api/fleet/setup": {
      "post": {
+        "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].",
        "operationId": "post-fleet-setup",
        "parameters": [
          {
@ -38858,7 +38920,7 @@
    },
    "/api/fleet/uninstall_tokens": {
      "get": {
-        "description": "List the metadata for the latest uninstall tokens per agent policy.",
+        "description": "List the metadata for the latest uninstall tokens per agent policy.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "get-fleet-uninstall-tokens",
        "parameters": [
          {
@ -38995,7 +39057,7 @@
    },
    "/api/fleet/uninstall_tokens/{uninstallTokenId}": {
      "get": {
-        "description": "Get one decrypted uninstall token by its ID.",
+        "description": "Get one decrypted uninstall token by its ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].",
        "operationId": "get-fleet-uninstall-tokens-uninstalltokenid",
        "parameters": [
          {
--- a/oas_docs/output/kibana.serverless.yaml
+++ b/oas_docs/output/kibana.serverless.yaml
@ -11199,6 +11199,7 @@ paths:
      x-beta: true
  /api/fleet/agent_download_sources:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].'
      operationId: get-fleet-agent-download-sources
      parameters: []
      responses:
@ -11265,6 +11266,7 @@ paths:
        - Elastic Agent binary download sources
      x-beta: true
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: post-fleet-agent-download-sources
      parameters:
        - description: A required header to protect against CSRF attacks
@ -11352,7 +11354,7 @@ paths:
      x-beta: true
  /api/fleet/agent_download_sources/{sourceId}:
    delete:
-      description: Delete an agent binary download source by ID.
+      description: 'Delete an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: delete-fleet-agent-download-sources-sourceid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -11400,7 +11402,7 @@ paths:
        - Elastic Agent binary download sources
      x-beta: true
    get:
-      description: Get an agent binary download source by ID.
+      description: 'Get an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].'
      operationId: get-fleet-agent-download-sources-sourceid
      parameters:
        - in: path
@ -11461,7 +11463,7 @@ paths:
        - Elastic Agent binary download sources
      x-beta: true
    put:
-      description: Update an agent binary download source by ID.
+      description: 'Update an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: put-fleet-agent-download-sources-sourceid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -11554,6 +11556,7 @@ paths:
      x-beta: true
  /api/fleet/agent_policies:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].'
      operationId: get-fleet-agent-policies
      parameters:
        - in: query
@ -12133,6 +12136,7 @@ paths:
        - Elastic Agent policies
      x-beta: true
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].'
      operationId: post-fleet-agent-policies
      parameters:
        - description: A required header to protect against CSRF attacks
@ -12826,6 +12830,7 @@ paths:
      x-beta: true
  /api/fleet/agent_policies/_bulk_get:
    post:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].'
      operationId: post-fleet-agent-policies-bulk-get
      parameters:
        - description: A required header to protect against CSRF attacks
@ -13371,7 +13376,7 @@ paths:
      x-beta: true
  /api/fleet/agent_policies/{agentPolicyId}:
    get:
-      description: Get an agent policy by ID.
+      description: 'Get an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].'
      operationId: get-fleet-agent-policies-agentpolicyid
      parameters:
        - in: path
@ -13893,7 +13898,7 @@ paths:
        - Elastic Agent policies
      x-beta: true
    put:
-      description: Update an agent policy by ID.
+      description: 'Update an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].'
      operationId: put-fleet-agent-policies-agentpolicyid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -14595,7 +14600,7 @@ paths:
      x-beta: true
  /api/fleet/agent_policies/{agentPolicyId}/copy:
    post:
-      description: Copy an agent policy by ID.
+      description: 'Copy an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].'
      operationId: post-fleet-agent-policies-agentpolicyid-copy
      parameters:
        - description: A required header to protect against CSRF attacks
@ -15139,7 +15144,7 @@ paths:
      x-beta: true
  /api/fleet/agent_policies/{agentPolicyId}/download:
    get:
-      description: Download an agent policy by ID.
+      description: 'Download an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].'
      operationId: get-fleet-agent-policies-agentpolicyid-download
      parameters:
        - in: path
@ -15206,7 +15211,7 @@ paths:
      x-beta: true
  /api/fleet/agent_policies/{agentPolicyId}/full:
    get:
-      description: Get a full agent policy by ID.
+      description: 'Get a full agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].'
      operationId: get-fleet-agent-policies-agentpolicyid-full
      parameters:
        - in: path
@ -15555,7 +15560,7 @@ paths:
      x-beta: true
  /api/fleet/agent_policies/{agentPolicyId}/outputs:
    get:
-      description: Get a list of outputs associated with agent policy by policy id.
+      description: 'Get a list of outputs associated with agent policy by policy id.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].'
      operationId: get-fleet-agent-policies-agentpolicyid-outputs
      parameters:
        - in: path
@ -15652,7 +15657,7 @@ paths:
      x-beta: true
  /api/fleet/agent_policies/delete:
    post:
-      description: Delete an agent policy by ID.
+      description: 'Delete an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].'
      operationId: post-fleet-agent-policies-delete
      parameters:
        - description: A required header to protect against CSRF attacks
@ -15713,7 +15718,7 @@ paths:
      x-beta: true
  /api/fleet/agent_policies/outputs:
    post:
-      description: Get a list of outputs associated with agent policies.
+      description: 'Get a list of outputs associated with agent policies.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].'
      operationId: post-fleet-agent-policies-outputs
      parameters:
        - description: A required header to protect against CSRF attacks
@ -15916,6 +15921,7 @@ paths:
      x-beta: true
  /api/fleet/agent_status/data:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agent-status-data
      parameters:
        - in: query
@ -15991,6 +15997,7 @@ paths:
      x-beta: true
  /api/fleet/agents:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents
      parameters:
        - in: query
@ -16370,6 +16377,7 @@ paths:
        - Elastic Agents
      x-beta: true
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: post-fleet-agents
      parameters:
        - description: A required header to protect against CSRF attacks
@ -16428,7 +16436,7 @@ paths:
      x-beta: true
  /api/fleet/agents/{agentId}:
    delete:
-      description: Delete an agent by ID.
+      description: 'Delete an agent by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: delete-fleet-agents-agentid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -16478,7 +16486,7 @@ paths:
        - Elastic Agents
      x-beta: true
    get:
-      description: Get an agent by ID.
+      description: 'Get an agent by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents-agentid
      parameters:
        - in: path
@ -16800,7 +16808,7 @@ paths:
        - Elastic Agents
      x-beta: true
    put:
-      description: Update an agent by ID.
+      description: 'Update an agent by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: put-fleet-agents-agentid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -17138,6 +17146,7 @@ paths:
      x-beta: true
  /api/fleet/agents/{agentId}/actions:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-agentid-actions
      parameters:
        - description: A required header to protect against CSRF attacks
@ -17274,6 +17283,7 @@ paths:
      x-beta: true
  /api/fleet/agents/{agentId}/reassign:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-agentid-reassign
      parameters:
        - description: A required header to protect against CSRF attacks
@ -17329,6 +17339,7 @@ paths:
      x-beta: true
  /api/fleet/agents/{agentId}/request_diagnostics:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: post-fleet-agents-agentid-request-diagnostics
      parameters:
        - description: A required header to protect against CSRF attacks
@ -17391,6 +17402,7 @@ paths:
      x-beta: true
  /api/fleet/agents/{agentId}/unenroll:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-agentid-unenroll
      parameters:
        - description: A required header to protect against CSRF attacks
@ -17424,6 +17436,7 @@ paths:
      x-beta: true
  /api/fleet/agents/{agentId}/upgrade:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-agentid-upgrade
      parameters:
        - description: A required header to protect against CSRF attacks
@ -17485,6 +17498,7 @@ paths:
      x-beta: true
  /api/fleet/agents/{agentId}/uploads:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents-agentid-uploads
      parameters:
        - in: path
@ -17558,6 +17572,7 @@ paths:
      x-beta: true
  /api/fleet/agents/action_status:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents-action-status
      parameters:
        - in: query
@ -17716,6 +17731,7 @@ paths:
      x-beta: true
  /api/fleet/agents/actions/{actionId}/cancel:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-actions-actionid-cancel
      parameters:
        - description: A required header to protect against CSRF attacks
@ -17802,6 +17818,7 @@ paths:
      x-beta: true
  /api/fleet/agents/available_versions:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents-available-versions
      parameters: []
      responses:
@ -17840,6 +17857,7 @@ paths:
      x-beta: true
  /api/fleet/agents/bulk_reassign:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-bulk-reassign
      parameters:
        - description: A required header to protect against CSRF attacks
@ -17906,6 +17924,7 @@ paths:
      x-beta: true
  /api/fleet/agents/bulk_request_diagnostics:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: post-fleet-agents-bulk-request-diagnostics
      parameters:
        - description: A required header to protect against CSRF attacks
@ -17972,6 +17991,7 @@ paths:
      x-beta: true
  /api/fleet/agents/bulk_unenroll:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-bulk-unenroll
      parameters:
        - description: A required header to protect against CSRF attacks
@ -18043,6 +18063,7 @@ paths:
      x-beta: true
  /api/fleet/agents/bulk_update_agent_tags:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-bulk-update-agent-tags
      parameters:
        - description: A required header to protect against CSRF attacks
@ -18114,6 +18135,7 @@ paths:
      x-beta: true
  /api/fleet/agents/bulk_upgrade:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-bulk-upgrade
      parameters:
        - description: A required header to protect against CSRF attacks
@ -18191,7 +18213,7 @@ paths:
      x-beta: true
  /api/fleet/agents/files/{fileId}:
    delete:
-      description: Delete a file uploaded by an agent.
+      description: 'Delete a file uploaded by an agent.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: delete-fleet-agents-files-fileid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -18243,7 +18265,7 @@ paths:
      x-beta: true
  /api/fleet/agents/files/{fileId}/{fileName}:
    get:
-      description: Get a file uploaded by an agent.
+      description: 'Get a file uploaded by an agent.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents-files-fileid-filename
      parameters:
        - in: path
@ -18284,6 +18306,7 @@ paths:
      x-beta: true
  /api/fleet/agents/setup:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].'
      operationId: get-fleet-agents-setup
      parameters: []
      responses:
@ -18344,6 +18367,7 @@ paths:
        - Elastic Agents
      x-beta: true
    post:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].'
      operationId: post-fleet-agents-setup
      parameters:
        - description: A required header to protect against CSRF attacks
@ -18402,6 +18426,7 @@ paths:
      x-beta: true
  /api/fleet/agents/tags:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents-tags
      parameters:
        - in: query
@ -18498,6 +18523,7 @@ paths:
      x-beta: true
  /api/fleet/data_streams:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].'
      operationId: get-fleet-data-streams
      parameters: []
      responses:
@ -18595,6 +18621,7 @@ paths:
      x-beta: true
  /api/fleet/enrollment_api_keys:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].'
      operationId: get-fleet-enrollment-api-keys
      parameters:
        - in: query
@ -18718,6 +18745,7 @@ paths:
        - Fleet enrollment API keys
      x-beta: true
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-enrollment-api-keys
      parameters:
        - description: A required header to protect against CSRF attacks
@ -18808,7 +18836,7 @@ paths:
      x-beta: true
  /api/fleet/enrollment_api_keys/{keyId}:
    delete:
-      description: Revoke an enrollment API key by ID by marking it as inactive.
+      description: 'Revoke an enrollment API key by ID by marking it as inactive.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: delete-fleet-enrollment-api-keys-keyid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -18858,7 +18886,7 @@ paths:
        - Fleet enrollment API keys
      x-beta: true
    get:
-      description: Get an enrollment API key by ID.
+      description: 'Get an enrollment API key by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].'
      operationId: get-fleet-enrollment-api-keys-keyid
      parameters:
        - in: path
@ -18927,6 +18955,7 @@ paths:
      x-beta: true
  /api/fleet/epm/bulk_assets:
    post:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: post-fleet-epm-bulk-assets
      parameters:
        - description: A required header to protect against CSRF attacks
@ -19018,6 +19047,7 @@ paths:
      x-beta: true
  /api/fleet/epm/categories:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-categories
      parameters:
        - in: query
@ -19082,6 +19112,7 @@ paths:
      x-beta: true
  /api/fleet/epm/custom_integrations:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].'
      operationId: post-fleet-epm-custom-integrations
      parameters:
        - description: A required header to protect against CSRF attacks
@ -19217,6 +19248,7 @@ paths:
      x-beta: true
  /api/fleet/epm/data_streams:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-data-streams
      parameters:
        - in: query
@ -19292,6 +19324,7 @@ paths:
      x-beta: true
  /api/fleet/epm/packages:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-packages
      parameters:
        - in: query
@ -19684,6 +19717,7 @@ paths:
        - Elastic Package Manager (EPM)
      x-beta: true
    post:
+      description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].'
      operationId: post-fleet-epm-packages
      parameters:
        - description: A required header to protect against CSRF attacks
@ -19804,6 +19838,7 @@ paths:
      x-beta: true
  /api/fleet/epm/packages/_bulk:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].'
      operationId: post-fleet-epm-packages-bulk
      parameters:
        - description: A required header to protect against CSRF attacks
@ -19979,6 +20014,7 @@ paths:
      x-beta: true
  /api/fleet/epm/packages/{pkgName}/{pkgVersion}:
    delete:
+      description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].'
      operationId: delete-fleet-epm-packages-pkgname-pkgversion
      parameters:
        - description: A required header to protect against CSRF attacks
@ -20558,6 +20594,7 @@ paths:
        - Elastic Package Manager (EPM)
      x-beta: true
    post:
+      description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].'
      operationId: post-fleet-epm-packages-pkgname-pkgversion
      parameters:
        - description: A required header to protect against CSRF attacks
@ -20700,6 +20737,7 @@ paths:
        - Elastic Package Manager (EPM)
      x-beta: true
    put:
+      description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].'
      operationId: put-fleet-epm-packages-pkgname-pkgversion
      parameters:
        - description: A required header to protect against CSRF attacks
@ -21162,6 +21200,7 @@ paths:
      x-beta: true
  /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath
      parameters:
        - in: path
@ -21291,6 +21330,7 @@ paths:
      x-beta: true
  /api/fleet/epm/packages/{pkgName}/stats:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-packages-pkgname-stats
      parameters:
        - in: path
@ -21338,6 +21378,7 @@ paths:
      x-beta: true
  /api/fleet/epm/packages/installed:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-packages-installed
      parameters:
        - in: query
@ -21484,6 +21525,7 @@ paths:
      x-beta: true
  /api/fleet/epm/packages/limited:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-packages-limited
      parameters: []
      responses:
@ -21522,6 +21564,7 @@ paths:
      x-beta: true
  /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs
      parameters:
        - in: path
@ -21622,6 +21665,7 @@ paths:
      x-beta: true
  /api/fleet/epm/verification_key_id:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-verification-key-id
      parameters: []
      responses:
@ -21659,6 +21703,7 @@ paths:
      x-beta: true
  /api/fleet/fleet_server_hosts:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].'
      operationId: get-fleet-fleet-server-hosts
      parameters: []
      responses:
@ -21731,6 +21776,7 @@ paths:
        - Fleet Server hosts
      x-beta: true
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: post-fleet-fleet-server-hosts
      parameters:
        - description: A required header to protect against CSRF attacks
@ -21830,7 +21876,7 @@ paths:
      x-beta: true
  /api/fleet/fleet_server_hosts/{itemId}:
    delete:
-      description: Delete a Fleet Server host by ID.
+      description: 'Delete a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: delete-fleet-fleet-server-hosts-itemid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -21878,7 +21924,7 @@ paths:
        - Fleet Server hosts
      x-beta: true
    get:
-      description: Get a Fleet Server host by ID.
+      description: 'Get a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-read].'
      operationId: get-fleet-fleet-server-hosts-itemid
      parameters:
        - in: path
@ -21945,7 +21991,7 @@ paths:
        - Fleet Server hosts
      x-beta: true
    put:
-      description: Update a Fleet Server host by ID.
+      description: 'Update a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: put-fleet-fleet-server-hosts-itemid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -22043,6 +22089,7 @@ paths:
      x-beta: true
  /api/fleet/health_check:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: post-fleet-health-check
      parameters:
        - description: A required header to protect against CSRF attacks
@ -22117,6 +22164,7 @@ paths:
      x-beta: true
  /api/fleet/kubernetes:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].'
      operationId: get-fleet-kubernetes
      parameters:
        - in: query
@ -22168,6 +22216,7 @@ paths:
      x-beta: true
  /api/fleet/kubernetes/download:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].'
      operationId: get-fleet-kubernetes-download
      parameters:
        - in: query
@ -22229,6 +22278,7 @@ paths:
      x-beta: true
  /api/fleet/logstash_api_keys:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: post-fleet-logstash-api-keys
      parameters:
        - description: A required header to protect against CSRF attacks
@ -22272,6 +22322,7 @@ paths:
      x-beta: true
  /api/fleet/message_signing_service/rotate_key_pair:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].'
      operationId: post-fleet-message-signing-service-rotate-key-pair
      parameters:
        - description: A required header to protect against CSRF attacks
@ -22337,6 +22388,7 @@ paths:
      x-beta: true
  /api/fleet/outputs:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].'
      operationId: get-fleet-outputs
      parameters: []
      responses:
@ -23062,6 +23114,7 @@ paths:
        - Fleet outputs
      x-beta: true
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: post-fleet-outputs
      parameters:
        - description: A required header to protect against CSRF attacks
@ -24468,7 +24521,7 @@ paths:
      x-beta: true
  /api/fleet/outputs/{outputId}:
    delete:
-      description: Delete output by ID.
+      description: 'Delete output by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: delete-fleet-outputs-outputid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -24532,7 +24585,7 @@ paths:
        - Fleet outputs
      x-beta: true
    get:
-      description: Get output by ID.
+      description: 'Get output by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].'
      operationId: get-fleet-outputs-outputid
      parameters:
        - in: path
@ -25252,7 +25305,7 @@ paths:
        - Fleet outputs
      x-beta: true
    put:
-      description: Update output by ID.
+      description: 'Update output by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].'
      operationId: put-fleet-outputs-outputid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -26643,6 +26696,7 @@ paths:
      x-beta: true
  /api/fleet/outputs/{outputId}/health:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].'
      operationId: get-fleet-outputs-outputid-health
      parameters:
        - in: path
@ -28454,7 +28508,7 @@ paths:
      x-beta: true
  /api/fleet/package_policies/{packagePolicyId}:
    delete:
-      description: Delete a package policy by ID.
+      description: 'Delete a package policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].'
      operationId: delete-fleet-package-policies-packagepolicyid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -29782,6 +29836,7 @@ paths:
      x-beta: true
  /api/fleet/package_policies/delete:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].'
      operationId: post-fleet-package-policies-delete
      parameters:
        - description: A required header to protect against CSRF attacks
@ -29911,7 +29966,7 @@ paths:
      x-beta: true
  /api/fleet/package_policies/upgrade:
    post:
-      description: Upgrade a package policy to a newer package version.
+      description: 'Upgrade a package policy to a newer package version.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].'
      operationId: post-fleet-package-policies-upgrade
      parameters:
        - description: A required header to protect against CSRF attacks
@ -29985,6 +30040,7 @@ paths:
      x-beta: true
  /api/fleet/package_policies/upgrade/dryrun:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].'
      operationId: post-fleet-package-policies-upgrade-dryrun
      parameters:
        - description: A required header to protect against CSRF attacks
@ -30778,6 +30834,7 @@ paths:
      x-beta: true
  /api/fleet/proxies:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].'
      operationId: get-fleet-proxies
      parameters: []
      responses:
@ -30856,6 +30913,7 @@ paths:
        - Fleet proxies
      x-beta: true
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: post-fleet-proxies
      parameters:
        - description: A required header to protect against CSRF attacks
@ -30967,7 +31025,7 @@ paths:
      x-beta: true
  /api/fleet/proxies/{itemId}:
    delete:
-      description: Delete a proxy by ID
+      description: 'Delete a proxy by ID<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: delete-fleet-proxies-itemid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -31015,7 +31073,7 @@ paths:
        - Fleet proxies
      x-beta: true
    get:
-      description: Get a proxy by ID.
+      description: 'Get a proxy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-read].'
      operationId: get-fleet-proxies-itemid
      parameters:
        - in: path
@ -31088,7 +31146,7 @@ paths:
        - Fleet proxies
      x-beta: true
    put:
-      description: Update a proxy by ID.
+      description: 'Update a proxy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: put-fleet-proxies-itemid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -31202,6 +31260,7 @@ paths:
      x-beta: true
  /api/fleet/service_tokens:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-service-tokens
      parameters:
        - description: A required header to protect against CSRF attacks
@ -31259,6 +31318,7 @@ paths:
      x-beta: true
  /api/fleet/settings:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].'
      operationId: get-fleet-settings
      parameters: []
      responses:
@ -31347,6 +31407,7 @@ paths:
        - Fleet internals
      x-beta: true
    put:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: put-fleet-settings
      parameters:
        - description: A required header to protect against CSRF attacks
@ -31474,6 +31535,7 @@ paths:
      x-beta: true
  /api/fleet/setup:
    post:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].'
      operationId: post-fleet-setup
      parameters:
        - description: A required header to protect against CSRF attacks
@ -31544,7 +31606,7 @@ paths:
      x-beta: true
  /api/fleet/uninstall_tokens:
    get:
-      description: List the metadata for the latest uninstall tokens per agent policy.
+      description: 'List the metadata for the latest uninstall tokens per agent policy.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: get-fleet-uninstall-tokens
      parameters:
        - description: Partial match filtering for policy IDs
@ -31637,7 +31699,7 @@ paths:
      x-beta: true
  /api/fleet/uninstall_tokens/{uninstallTokenId}:
    get:
-      description: Get one decrypted uninstall token by its ID.
+      description: 'Get one decrypted uninstall token by its ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: get-fleet-uninstall-tokens-uninstalltokenid
      parameters:
        - in: path
--- a/oas_docs/output/kibana.yaml
+++ b/oas_docs/output/kibana.yaml
@ -13346,6 +13346,7 @@ paths:
        - Security Exceptions API
  /api/fleet/agent_download_sources:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].'
      operationId: get-fleet-agent-download-sources
      parameters: []
      responses:
@ -13411,6 +13412,7 @@ paths:
      tags:
        - Elastic Agent binary download sources
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: post-fleet-agent-download-sources
      parameters:
        - description: A required header to protect against CSRF attacks
@ -13497,7 +13499,7 @@ paths:
        - Elastic Agent binary download sources
  /api/fleet/agent_download_sources/{sourceId}:
    delete:
-      description: Delete an agent binary download source by ID.
+      description: 'Delete an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: delete-fleet-agent-download-sources-sourceid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -13544,7 +13546,7 @@ paths:
      tags:
        - Elastic Agent binary download sources
    get:
-      description: Get an agent binary download source by ID.
+      description: 'Get an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].'
      operationId: get-fleet-agent-download-sources-sourceid
      parameters:
        - in: path
@ -13604,7 +13606,7 @@ paths:
      tags:
        - Elastic Agent binary download sources
    put:
-      description: Update an agent binary download source by ID.
+      description: 'Update an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: put-fleet-agent-download-sources-sourceid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -13696,6 +13698,7 @@ paths:
        - Elastic Agent binary download sources
  /api/fleet/agent_policies:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].'
      operationId: get-fleet-agent-policies
      parameters:
        - in: query
@ -14274,6 +14277,7 @@ paths:
      tags:
        - Elastic Agent policies
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].'
      operationId: post-fleet-agent-policies
      parameters:
        - description: A required header to protect against CSRF attacks
@ -14966,6 +14970,7 @@ paths:
        - Elastic Agent policies
  /api/fleet/agent_policies/_bulk_get:
    post:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].'
      operationId: post-fleet-agent-policies-bulk-get
      parameters:
        - description: A required header to protect against CSRF attacks
@ -15510,7 +15515,7 @@ paths:
        - Elastic Agent policies
  /api/fleet/agent_policies/{agentPolicyId}:
    get:
-      description: Get an agent policy by ID.
+      description: 'Get an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].'
      operationId: get-fleet-agent-policies-agentpolicyid
      parameters:
        - in: path
@ -16031,7 +16036,7 @@ paths:
      tags:
        - Elastic Agent policies
    put:
-      description: Update an agent policy by ID.
+      description: 'Update an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].'
      operationId: put-fleet-agent-policies-agentpolicyid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -16732,7 +16737,7 @@ paths:
        - Elastic Agent policies
  /api/fleet/agent_policies/{agentPolicyId}/copy:
    post:
-      description: Copy an agent policy by ID.
+      description: 'Copy an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].'
      operationId: post-fleet-agent-policies-agentpolicyid-copy
      parameters:
        - description: A required header to protect against CSRF attacks
@ -17275,7 +17280,7 @@ paths:
        - Elastic Agent policies
  /api/fleet/agent_policies/{agentPolicyId}/download:
    get:
-      description: Download an agent policy by ID.
+      description: 'Download an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].'
      operationId: get-fleet-agent-policies-agentpolicyid-download
      parameters:
        - in: path
@ -17341,7 +17346,7 @@ paths:
        - Elastic Agent policies
  /api/fleet/agent_policies/{agentPolicyId}/full:
    get:
-      description: Get a full agent policy by ID.
+      description: 'Get a full agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].'
      operationId: get-fleet-agent-policies-agentpolicyid-full
      parameters:
        - in: path
@ -17689,7 +17694,7 @@ paths:
        - Elastic Agent policies
  /api/fleet/agent_policies/{agentPolicyId}/outputs:
    get:
-      description: Get a list of outputs associated with agent policy by policy id.
+      description: 'Get a list of outputs associated with agent policy by policy id.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].'
      operationId: get-fleet-agent-policies-agentpolicyid-outputs
      parameters:
        - in: path
@ -17785,7 +17790,7 @@ paths:
        - Elastic Agent policies
  /api/fleet/agent_policies/delete:
    post:
-      description: Delete an agent policy by ID.
+      description: 'Delete an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].'
      operationId: post-fleet-agent-policies-delete
      parameters:
        - description: A required header to protect against CSRF attacks
@ -17845,7 +17850,7 @@ paths:
        - Elastic Agent policies
  /api/fleet/agent_policies/outputs:
    post:
-      description: Get a list of outputs associated with agent policies.
+      description: 'Get a list of outputs associated with agent policies.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].'
      operationId: post-fleet-agent-policies-outputs
      parameters:
        - description: A required header to protect against CSRF attacks
@ -18046,6 +18051,7 @@ paths:
        - Elastic Agent status
  /api/fleet/agent_status/data:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agent-status-data
      parameters:
        - in: query
@ -18120,6 +18126,7 @@ paths:
        - Elastic Agents
  /api/fleet/agents:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents
      parameters:
        - in: query
@ -18498,6 +18505,7 @@ paths:
      tags:
        - Elastic Agents
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: post-fleet-agents
      parameters:
        - description: A required header to protect against CSRF attacks
@ -18555,7 +18563,7 @@ paths:
        - Elastic Agents
  /api/fleet/agents/{agentId}:
    delete:
-      description: Delete an agent by ID.
+      description: 'Delete an agent by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: delete-fleet-agents-agentid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -18604,7 +18612,7 @@ paths:
      tags:
        - Elastic Agents
    get:
-      description: Get an agent by ID.
+      description: 'Get an agent by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents-agentid
      parameters:
        - in: path
@ -18925,7 +18933,7 @@ paths:
      tags:
        - Elastic Agents
    put:
-      description: Update an agent by ID.
+      description: 'Update an agent by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: put-fleet-agents-agentid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -19262,6 +19270,7 @@ paths:
        - Elastic Agents
  /api/fleet/agents/{agentId}/actions:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-agentid-actions
      parameters:
        - description: A required header to protect against CSRF attacks
@ -19397,6 +19406,7 @@ paths:
        - Elastic Agent actions
  /api/fleet/agents/{agentId}/reassign:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-agentid-reassign
      parameters:
        - description: A required header to protect against CSRF attacks
@ -19451,6 +19461,7 @@ paths:
        - Elastic Agent actions
  /api/fleet/agents/{agentId}/request_diagnostics:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: post-fleet-agents-agentid-request-diagnostics
      parameters:
        - description: A required header to protect against CSRF attacks
@ -19512,6 +19523,7 @@ paths:
        - Elastic Agent actions
  /api/fleet/agents/{agentId}/unenroll:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-agentid-unenroll
      parameters:
        - description: A required header to protect against CSRF attacks
@ -19544,6 +19556,7 @@ paths:
        - Elastic Agent actions
  /api/fleet/agents/{agentId}/upgrade:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-agentid-upgrade
      parameters:
        - description: A required header to protect against CSRF attacks
@ -19604,6 +19617,7 @@ paths:
        - Elastic Agent actions
  /api/fleet/agents/{agentId}/uploads:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents-agentid-uploads
      parameters:
        - in: path
@ -19676,6 +19690,7 @@ paths:
        - Elastic Agents
  /api/fleet/agents/action_status:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents-action-status
      parameters:
        - in: query
@ -19833,6 +19848,7 @@ paths:
        - Elastic Agent actions
  /api/fleet/agents/actions/{actionId}/cancel:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-actions-actionid-cancel
      parameters:
        - description: A required header to protect against CSRF attacks
@ -19918,6 +19934,7 @@ paths:
        - Elastic Agent actions
  /api/fleet/agents/available_versions:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents-available-versions
      parameters: []
      responses:
@ -19955,6 +19972,7 @@ paths:
        - Elastic Agents
  /api/fleet/agents/bulk_reassign:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-bulk-reassign
      parameters:
        - description: A required header to protect against CSRF attacks
@ -20020,6 +20038,7 @@ paths:
        - Elastic Agent actions
  /api/fleet/agents/bulk_request_diagnostics:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: post-fleet-agents-bulk-request-diagnostics
      parameters:
        - description: A required header to protect against CSRF attacks
@ -20085,6 +20104,7 @@ paths:
        - Elastic Agent actions
  /api/fleet/agents/bulk_unenroll:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-bulk-unenroll
      parameters:
        - description: A required header to protect against CSRF attacks
@ -20155,6 +20175,7 @@ paths:
        - Elastic Agent actions
  /api/fleet/agents/bulk_update_agent_tags:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-bulk-update-agent-tags
      parameters:
        - description: A required header to protect against CSRF attacks
@ -20225,6 +20246,7 @@ paths:
        - Elastic Agent actions
  /api/fleet/agents/bulk_upgrade:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-agents-bulk-upgrade
      parameters:
        - description: A required header to protect against CSRF attacks
@ -20301,7 +20323,7 @@ paths:
        - Elastic Agent actions
  /api/fleet/agents/files/{fileId}:
    delete:
-      description: Delete a file uploaded by an agent.
+      description: 'Delete a file uploaded by an agent.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: delete-fleet-agents-files-fileid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -20352,7 +20374,7 @@ paths:
        - Elastic Agents
  /api/fleet/agents/files/{fileId}/{fileName}:
    get:
-      description: Get a file uploaded by an agent.
+      description: 'Get a file uploaded by an agent.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents-files-fileid-filename
      parameters:
        - in: path
@ -20392,6 +20414,7 @@ paths:
        - Elastic Agents
  /api/fleet/agents/setup:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].'
      operationId: get-fleet-agents-setup
      parameters: []
      responses:
@ -20451,6 +20474,7 @@ paths:
      tags:
        - Elastic Agents
    post:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].'
      operationId: post-fleet-agents-setup
      parameters:
        - description: A required header to protect against CSRF attacks
@ -20508,6 +20532,7 @@ paths:
        - Elastic Agents
  /api/fleet/agents/tags:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].'
      operationId: get-fleet-agents-tags
      parameters:
        - in: query
@ -20602,6 +20627,7 @@ paths:
        - Fleet internals
  /api/fleet/data_streams:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].'
      operationId: get-fleet-data-streams
      parameters: []
      responses:
@ -20698,6 +20724,7 @@ paths:
        - Data streams
  /api/fleet/enrollment_api_keys:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].'
      operationId: get-fleet-enrollment-api-keys
      parameters:
        - in: query
@ -20820,6 +20847,7 @@ paths:
      tags:
        - Fleet enrollment API keys
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-enrollment-api-keys
      parameters:
        - description: A required header to protect against CSRF attacks
@ -20909,7 +20937,7 @@ paths:
        - Fleet enrollment API keys
  /api/fleet/enrollment_api_keys/{keyId}:
    delete:
-      description: Revoke an enrollment API key by ID by marking it as inactive.
+      description: 'Revoke an enrollment API key by ID by marking it as inactive.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: delete-fleet-enrollment-api-keys-keyid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -20958,7 +20986,7 @@ paths:
      tags:
        - Fleet enrollment API keys
    get:
-      description: Get an enrollment API key by ID.
+      description: 'Get an enrollment API key by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].'
      operationId: get-fleet-enrollment-api-keys-keyid
      parameters:
        - in: path
@ -21026,6 +21054,7 @@ paths:
        - Fleet enrollment API keys
  /api/fleet/epm/bulk_assets:
    post:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: post-fleet-epm-bulk-assets
      parameters:
        - description: A required header to protect against CSRF attacks
@ -21116,6 +21145,7 @@ paths:
        - Elastic Package Manager (EPM)
  /api/fleet/epm/categories:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-categories
      parameters:
        - in: query
@ -21179,6 +21209,7 @@ paths:
        - Elastic Package Manager (EPM)
  /api/fleet/epm/custom_integrations:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].'
      operationId: post-fleet-epm-custom-integrations
      parameters:
        - description: A required header to protect against CSRF attacks
@ -21313,6 +21344,7 @@ paths:
        - Elastic Package Manager (EPM)
  /api/fleet/epm/data_streams:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-data-streams
      parameters:
        - in: query
@ -21387,6 +21419,7 @@ paths:
        - Data streams
  /api/fleet/epm/packages:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-packages
      parameters:
        - in: query
@ -21778,6 +21811,7 @@ paths:
      tags:
        - Elastic Package Manager (EPM)
    post:
+      description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].'
      operationId: post-fleet-epm-packages
      parameters:
        - description: A required header to protect against CSRF attacks
@ -21897,6 +21931,7 @@ paths:
        - Elastic Package Manager (EPM)
  /api/fleet/epm/packages/_bulk:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].'
      operationId: post-fleet-epm-packages-bulk
      parameters:
        - description: A required header to protect against CSRF attacks
@ -22071,6 +22106,7 @@ paths:
        - Elastic Package Manager (EPM)
  /api/fleet/epm/packages/{pkgName}/{pkgVersion}:
    delete:
+      description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].'
      operationId: delete-fleet-epm-packages-pkgname-pkgversion
      parameters:
        - description: A required header to protect against CSRF attacks
@ -22648,6 +22684,7 @@ paths:
      tags:
        - Elastic Package Manager (EPM)
    post:
+      description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].'
      operationId: post-fleet-epm-packages-pkgname-pkgversion
      parameters:
        - description: A required header to protect against CSRF attacks
@ -22789,6 +22826,7 @@ paths:
      tags:
        - Elastic Package Manager (EPM)
    put:
+      description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].'
      operationId: put-fleet-epm-packages-pkgname-pkgversion
      parameters:
        - description: A required header to protect against CSRF attacks
@ -23250,6 +23288,7 @@ paths:
        - Elastic Package Manager (EPM)
  /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath
      parameters:
        - in: path
@ -23377,6 +23416,7 @@ paths:
        - Elastic Package Manager (EPM)
  /api/fleet/epm/packages/{pkgName}/stats:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-packages-pkgname-stats
      parameters:
        - in: path
@ -23423,6 +23463,7 @@ paths:
        - Elastic Package Manager (EPM)
  /api/fleet/epm/packages/installed:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-packages-installed
      parameters:
        - in: query
@ -23568,6 +23609,7 @@ paths:
        - Elastic Package Manager (EPM)
  /api/fleet/epm/packages/limited:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-packages-limited
      parameters: []
      responses:
@ -23605,6 +23647,7 @@ paths:
        - Elastic Package Manager (EPM)
  /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs
      parameters:
        - in: path
@ -23704,6 +23747,7 @@ paths:
        - Elastic Package Manager (EPM)
  /api/fleet/epm/verification_key_id:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].'
      operationId: get-fleet-epm-verification-key-id
      parameters: []
      responses:
@ -23740,6 +23784,7 @@ paths:
        - Elastic Package Manager (EPM)
  /api/fleet/fleet_server_hosts:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].'
      operationId: get-fleet-fleet-server-hosts
      parameters: []
      responses:
@ -23811,6 +23856,7 @@ paths:
      tags:
        - Fleet Server hosts
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: post-fleet-fleet-server-hosts
      parameters:
        - description: A required header to protect against CSRF attacks
@ -23909,7 +23955,7 @@ paths:
        - Fleet Server hosts
  /api/fleet/fleet_server_hosts/{itemId}:
    delete:
-      description: Delete a Fleet Server host by ID.
+      description: 'Delete a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: delete-fleet-fleet-server-hosts-itemid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -23956,7 +24002,7 @@ paths:
      tags:
        - Fleet Server hosts
    get:
-      description: Get a Fleet Server host by ID.
+      description: 'Get a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-read].'
      operationId: get-fleet-fleet-server-hosts-itemid
      parameters:
        - in: path
@ -24022,7 +24068,7 @@ paths:
      tags:
        - Fleet Server hosts
    put:
-      description: Update a Fleet Server host by ID.
+      description: 'Update a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: put-fleet-fleet-server-hosts-itemid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -24119,6 +24165,7 @@ paths:
        - Fleet Server hosts
  /api/fleet/health_check:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: post-fleet-health-check
      parameters:
        - description: A required header to protect against CSRF attacks
@ -24192,6 +24239,7 @@ paths:
        - Fleet internals
  /api/fleet/kubernetes:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].'
      operationId: get-fleet-kubernetes
      parameters:
        - in: query
@ -24242,6 +24290,7 @@ paths:
        - Elastic Agent policies
  /api/fleet/kubernetes/download:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].'
      operationId: get-fleet-kubernetes-download
      parameters:
        - in: query
@ -24302,6 +24351,7 @@ paths:
        - Elastic Agent policies
  /api/fleet/logstash_api_keys:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: post-fleet-logstash-api-keys
      parameters:
        - description: A required header to protect against CSRF attacks
@ -24344,6 +24394,7 @@ paths:
        - Fleet outputs
  /api/fleet/message_signing_service/rotate_key_pair:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].'
      operationId: post-fleet-message-signing-service-rotate-key-pair
      parameters:
        - description: A required header to protect against CSRF attacks
@ -24408,6 +24459,7 @@ paths:
        - Message Signing Service
  /api/fleet/outputs:
    get:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].'
      operationId: get-fleet-outputs
      parameters: []
      responses:
@ -25132,6 +25184,7 @@ paths:
      tags:
        - Fleet outputs
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: post-fleet-outputs
      parameters:
        - description: A required header to protect against CSRF attacks
@ -26537,7 +26590,7 @@ paths:
        - Fleet outputs
  /api/fleet/outputs/{outputId}:
    delete:
-      description: Delete output by ID.
+      description: 'Delete output by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: delete-fleet-outputs-outputid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -26600,7 +26653,7 @@ paths:
      tags:
        - Fleet outputs
    get:
-      description: Get output by ID.
+      description: 'Get output by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].'
      operationId: get-fleet-outputs-outputid
      parameters:
        - in: path
@ -27319,7 +27372,7 @@ paths:
      tags:
        - Fleet outputs
    put:
-      description: Update output by ID.
+      description: 'Update output by ID.<br/><br/>[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].'
      operationId: put-fleet-outputs-outputid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -28709,6 +28762,7 @@ paths:
        - Fleet outputs
  /api/fleet/outputs/{outputId}/health:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].'
      operationId: get-fleet-outputs-outputid-health
      parameters:
        - in: path
@ -30516,7 +30570,7 @@ paths:
        - Fleet package policies
  /api/fleet/package_policies/{packagePolicyId}:
    delete:
-      description: Delete a package policy by ID.
+      description: 'Delete a package policy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].'
      operationId: delete-fleet-package-policies-packagepolicyid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -31841,6 +31895,7 @@ paths:
        - Fleet package policies
  /api/fleet/package_policies/delete:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].'
      operationId: post-fleet-package-policies-delete
      parameters:
        - description: A required header to protect against CSRF attacks
@ -31969,7 +32024,7 @@ paths:
        - Fleet package policies
  /api/fleet/package_policies/upgrade:
    post:
-      description: Upgrade a package policy to a newer package version.
+      description: 'Upgrade a package policy to a newer package version.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].'
      operationId: post-fleet-package-policies-upgrade
      parameters:
        - description: A required header to protect against CSRF attacks
@ -32042,6 +32097,7 @@ paths:
        - Fleet package policies
  /api/fleet/package_policies/upgrade/dryrun:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].'
      operationId: post-fleet-package-policies-upgrade-dryrun
      parameters:
        - description: A required header to protect against CSRF attacks
@ -32834,6 +32890,7 @@ paths:
        - Fleet package policies
  /api/fleet/proxies:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].'
      operationId: get-fleet-proxies
      parameters: []
      responses:
@ -32911,6 +32968,7 @@ paths:
      tags:
        - Fleet proxies
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: post-fleet-proxies
      parameters:
        - description: A required header to protect against CSRF attacks
@ -33021,7 +33079,7 @@ paths:
        - Fleet proxies
  /api/fleet/proxies/{itemId}:
    delete:
-      description: Delete a proxy by ID
+      description: 'Delete a proxy by ID<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: delete-fleet-proxies-itemid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -33068,7 +33126,7 @@ paths:
      tags:
        - Fleet proxies
    get:
-      description: Get a proxy by ID.
+      description: 'Get a proxy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-read].'
      operationId: get-fleet-proxies-itemid
      parameters:
        - in: path
@ -33140,7 +33198,7 @@ paths:
      tags:
        - Fleet proxies
    put:
-      description: Update a proxy by ID.
+      description: 'Update a proxy by ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: put-fleet-proxies-itemid
      parameters:
        - description: A required header to protect against CSRF attacks
@ -33253,6 +33311,7 @@ paths:
        - Fleet proxies
  /api/fleet/service_tokens:
    post:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: post-fleet-service-tokens
      parameters:
        - description: A required header to protect against CSRF attacks
@ -33309,6 +33368,7 @@ paths:
        - Fleet service tokens
  /api/fleet/settings:
    get:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].'
      operationId: get-fleet-settings
      parameters: []
      responses:
@ -33396,6 +33456,7 @@ paths:
      tags:
        - Fleet internals
    put:
+      description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].'
      operationId: put-fleet-settings
      parameters:
        - description: A required header to protect against CSRF attacks
@ -33522,6 +33583,7 @@ paths:
        - Fleet internals
  /api/fleet/setup:
    post:
+      description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].'
      operationId: post-fleet-setup
      parameters:
        - description: A required header to protect against CSRF attacks
@ -33591,7 +33653,7 @@ paths:
        - Fleet internals
  /api/fleet/uninstall_tokens:
    get:
-      description: List the metadata for the latest uninstall tokens per agent policy.
+      description: 'List the metadata for the latest uninstall tokens per agent policy.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: get-fleet-uninstall-tokens
      parameters:
        - description: Partial match filtering for policy IDs
@ -33683,7 +33745,7 @@ paths:
        - Fleet uninstall tokens
  /api/fleet/uninstall_tokens/{uninstallTokenId}:
    get:
-      description: Get one decrypted uninstall token by its ID.
+      description: 'Get one decrypted uninstall token by its ID.<br/><br/>[Required authorization] Route required privileges: ALL of [fleet-agents-all].'
      operationId: get-fleet-uninstall-tokens-uninstalltokenid
      parameters:
        - in: path
--- a/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts
@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { INTEGRATIONS_PLUGIN_ID, PLUGIN_ID } from '../../common';
+
+export const FLEET_API_PRIVILEGES = {
+  FLEET: {
+    READ: `${PLUGIN_ID}-read`,
+    ALL: `${PLUGIN_ID}-all`,
+  },
+  AGENTS: {
+    READ: `${PLUGIN_ID}-agents-read`,
+    ALL: `${PLUGIN_ID}-agents-all`,
+  },
+  AGENT_POLICIES: {
+    READ: `${PLUGIN_ID}-agent-policies-read`,
+    ALL: `${PLUGIN_ID}-agent-policies-all`,
+  },
+  SETTINGS: {
+    READ: `${PLUGIN_ID}-settings-read`,
+    ALL: `${PLUGIN_ID}-settings-all`,
+  },
+  INTEGRATIONS: {
+    READ: `${INTEGRATIONS_PLUGIN_ID}-read`,
+    ALL: `${INTEGRATIONS_PLUGIN_ID}-all`,
+  },
+  SETUP: `fleet-setup`,
+};
--- a/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts
@ -55,7 +55,7 @@ import {
  PostNewAgentActionResponseSchema,
  PostRetrieveAgentsByActionsResponseSchema,
 } from '../../types/rest_spec/agent';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { calculateRouteAuthz } from '../../services/security/security';

 import { genericErrorResponse } from '../schema/errors';
@ -95,8 +95,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .get({
      path: AGENT_API_ROUTES.INFO_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
+        },
      },
      summary: `Get an agent`,
      description: `Get an agent by ID.`,
@ -126,8 +128,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .put({
      path: AGENT_API_ROUTES.UPDATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Update an agent`,
      description: `Update an agent by ID.`,
@ -157,8 +161,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .post({
      path: AGENT_API_ROUTES.BULK_UPDATE_AGENT_TAGS_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Bulk update agent tags`,
      options: {
@ -187,8 +193,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .delete({
      path: AGENT_API_ROUTES.DELETE_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Delete an agent`,
      description: `Delete an agent by ID.`,
@ -218,9 +226,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .get({
      path: AGENT_API_ROUTES.LIST_PATTERN,
-
-      fleetAuthz: {
-        fleet: { readAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
+        },
      },
      summary: `Get agents`,
      options: {
@ -249,8 +258,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .get({
      path: AGENT_API_ROUTES.LIST_TAGS_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
+        },
      },
      summary: `Get agent tags`,
      options: {
@ -279,8 +290,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .post({
      path: AGENT_API_ROUTES.ACTIONS_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Create an agent action`,
      options: {
@ -313,8 +326,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .post({
      path: AGENT_API_ROUTES.CANCEL_ACTIONS_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Cancel an agent action`,
      options: {
@ -348,8 +363,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .post({
      path: AGENT_API_ROUTES.LIST_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
+        },
      },
      summary: `Get agents by action ids`,
      options: {
@ -377,8 +394,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .post({
      path: AGENT_API_ROUTES.UNENROLL_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Unenroll an agent`,
      options: {
@ -396,8 +415,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .post({
      path: AGENT_API_ROUTES.REASSIGN_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Reassign an agent`,
      options: {
@ -425,8 +446,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .post({
      path: AGENT_API_ROUTES.REQUEST_DIAGNOSTICS_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
+        },
      },
      summary: `Request agent diagnostics`,
      options: {
@ -454,8 +477,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .post({
      path: AGENT_API_ROUTES.BULK_REQUEST_DIAGNOSTICS_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
+        },
      },
      summary: `Bulk request diagnostics from agents`,
      options: {
@ -483,8 +508,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .get({
      path: AGENT_API_ROUTES.LIST_UPLOADS_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
+        },
      },
      summary: `Get agent uploads`,
      options: {
@ -512,8 +539,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .get({
      path: AGENT_API_ROUTES.GET_UPLOAD_FILE_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
+        },
      },
      summary: `Get an uploaded file`,
      description: `Get a file uploaded by an agent.`,
@ -542,8 +571,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .delete({
      path: AGENT_API_ROUTES.DELETE_UPLOAD_FILE_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Delete an uploaded file`,
      description: `Delete a file uploaded by an agent.`,
@ -568,11 +599,11 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
      },
      deleteAgentUploadFileHandler
    );
-
  // Get agent status for policy
  router.versioned
    .get({
      path: AGENT_API_ROUTES.STATUS_PATTERN,
+      // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170
      fleetAuthz: (fleetAuthz: FleetAuthz): boolean =>
        calculateRouteAuthz(
          fleetAuthz,
@ -604,8 +635,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .get({
      path: AGENT_API_ROUTES.DATA_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
+        },
      },
      summary: `Get incoming agent data`,
      options: {
@ -634,8 +667,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .post({
      path: AGENT_API_ROUTES.UPGRADE_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Upgrade an agent`,
      options: {
@ -663,8 +698,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .post({
      path: AGENT_API_ROUTES.BULK_UPGRADE_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Bulk upgrade agents`,
      options: {
@ -693,8 +730,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .get({
      path: AGENT_API_ROUTES.ACTION_STATUS_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
+        },
      },
      summary: `Get an agent action status`,
      options: {
@ -723,8 +762,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .post({
      path: AGENT_API_ROUTES.BULK_REASSIGN_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Bulk reassign agents`,
      options: {
@ -753,8 +794,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .post({
      path: AGENT_API_ROUTES.BULK_UNENROLL_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Bulk unenroll agents`,
      options: {
@ -783,8 +826,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
  router.versioned
    .get({
      path: AGENT_API_ROUTES.AVAILABLE_VERSIONS_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
+        },
      },
      summary: `Get available agent versions`,
      options: {
@ -817,8 +862,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
      .get({
        path: '/internal/fleet/agents/status_runtime_field',
        access: 'internal',
-        fleetAuthz: {
-          fleet: { readAgents: true },
+        security: {
+          authz: {
+            requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
+          },
        },
      })
      .addVersion(
--- a/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts
@ -9,7 +9,7 @@ import { schema } from '@kbn/config-schema';
 import type { FleetAuthzRouter } from '../../services/security';

 import { API_VERSIONS } from '../../../common/constants';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { AGENT_POLICY_API_ROUTES } from '../../constants';
 import {
  GetAgentPoliciesRequestSchema,
@ -60,9 +60,18 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: AGENT_POLICY_API_ROUTES.LIST_PATTERN,
-      fleetAuthz: (authz) => {
-        //  Allow to retrieve agent policies metadata (no full) for user with only read agents permissions
-        return authz.fleet.readAgentPolicies || authz.fleet.readAgents;
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [
+                FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+                FLEET_API_PRIVILEGES.AGENTS.READ,
+                FLEET_API_PRIVILEGES.SETUP,
+              ],
+            },
+          ],
+        },
      },
      summary: `Get agent policies`,
      options: {
@ -91,9 +100,18 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: AGENT_POLICY_API_ROUTES.BULK_GET_PATTERN,
-      fleetAuthz: (authz) => {
-        //  Allow to retrieve agent policies metadata (no full) for user with only read agents permissions
-        return authz.fleet.readAgentPolicies || authz.fleet.readAgents;
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [
+                FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+                FLEET_API_PRIVILEGES.AGENTS.READ,
+                FLEET_API_PRIVILEGES.SETUP,
+              ],
+            },
+          ],
+        },
      },
      summary: `Bulk get agent policies`,
      options: {
@ -122,9 +140,18 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: AGENT_POLICY_API_ROUTES.INFO_PATTERN,
-      fleetAuthz: (authz) => {
-        //  Allow to retrieve agent policies metadata (no full) for user with only read agents permissions
-        return authz.fleet.readAgentPolicies || authz.fleet.readAgents;
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [
+                FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+                FLEET_API_PRIVILEGES.AGENTS.READ,
+                FLEET_API_PRIVILEGES.SETUP,
+              ],
+            },
+          ],
+        },
      },
      summary: `Get an agent policy`,
      description: `Get an agent policy by ID.`,
@ -154,8 +181,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: AGENT_POLICY_API_ROUTES.CREATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgentPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL],
+        },
      },
      summary: `Create an agent policy`,
      options: {
@ -184,8 +213,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .put({
      path: AGENT_POLICY_API_ROUTES.UPDATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgentPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL],
+        },
      },
      summary: `Update an agent policy`,
      description: `Update an agent policy by ID.`,
@ -215,8 +246,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: AGENT_POLICY_API_ROUTES.COPY_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgentPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL],
+        },
      },
      summary: `Copy an agent policy`,
      description: `Copy an agent policy by ID.`,
@ -246,8 +279,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: AGENT_POLICY_API_ROUTES.DELETE_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgentPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL],
+        },
      },
      summary: `Delete an agent policy`,
      description: `Delete an agent policy by ID.`,
@ -277,8 +312,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: AGENT_POLICY_API_ROUTES.FULL_INFO_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgentPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ],
+        },
      },
      summary: `Get a full agent policy`,
      description: `Get a full agent policy by ID.`,
@ -308,8 +345,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: AGENT_POLICY_API_ROUTES.FULL_INFO_DOWNLOAD_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgentPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+            FLEET_API_PRIVILEGES.SETUP,
+          ],
+        },
      },
      enableQueryVersion: true,
      summary: `Download an agent policy`,
@ -343,8 +385,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: K8S_API_ROUTES.K8S_INFO_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgentPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+            FLEET_API_PRIVILEGES.SETUP,
+          ],
+        },
      },
      summary: `Get a full K8s agent manifest`,
      options: {
@ -373,8 +420,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: K8S_API_ROUTES.K8S_DOWNLOAD_PATTERN,
-      fleetAuthz: {
-        fleet: { readAgentPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+            FLEET_API_PRIVILEGES.SETUP,
+          ],
+        },
      },
      enableQueryVersion: true,
      summary: `Download an agent manifest`,
@ -406,8 +458,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: AGENT_POLICY_API_ROUTES.LIST_OUTPUTS_PATTERN,
-      fleetAuthz: (authz) => {
-        return authz.fleet.readAgentPolicies && authz.fleet.readSettings;
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+            FLEET_API_PRIVILEGES.SETTINGS.READ,
+          ],
+        },
      },
      summary: `Get outputs for agent policies`,
      description: `Get a list of outputs associated with agent policies.`,
@ -436,8 +493,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: AGENT_POLICY_API_ROUTES.INFO_OUTPUTS_PATTERN,
-      fleetAuthz: (authz) => {
-        return authz.fleet.readAgentPolicies && authz.fleet.readSettings;
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+            FLEET_API_PRIVILEGES.SETTINGS.READ,
+          ],
+        },
      },
      summary: `Get outputs for an agent policy`,
      description: `Get a list of outputs associated with agent policy by policy id.`,
--- a/x-pack/platform/plugins/shared/fleet/server/routes/app/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/app/index.ts
@ -21,6 +21,7 @@ import { CheckPermissionsRequestSchema, CheckPermissionsResponseSchema } from '.
 import { enableSpaceAwarenessMigration } from '../../services/spaces/enable_space_awareness';
 import { type FleetConfigType } from '../../config';
 import { genericErrorResponse } from '../schema/errors';
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';

 export const getCheckPermissionsHandler: FleetRequestHandler<
  unknown,
@ -194,8 +195,14 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
      .post({
        path: '/internal/fleet/enable_space_awareness',
        access: 'internal',
-        fleetAuthz: {
-          fleet: { all: true },
+        security: {
+          authz: {
+            requiredPrivileges: [
+              FLEET_API_PRIVILEGES.AGENTS.ALL,
+              FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+              FLEET_API_PRIVILEGES.SETTINGS.ALL,
+            ],
+          },
        },
      })
      .addVersion(
@ -236,8 +243,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
    .get({
      path: APP_API_ROUTES.AGENT_POLICIES_SPACES,
      access: 'internal',
-      fleetAuthz: {
-        fleet: { readAgentPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ],
+        },
      },
    })
    .addVersion(
@ -251,8 +260,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .post({
      path: APP_API_ROUTES.GENERATE_SERVICE_TOKEN_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Create a service token`,
      options: {
--- a/x-pack/platform/plugins/shared/fleet/server/routes/data_streams/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/data_streams/index.ts
@ -7,7 +7,7 @@
 import { schema } from '@kbn/config-schema';

 import type { FleetAuthzRouter } from '../../services/security';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { API_VERSIONS } from '../../../common/constants';

 import { DATA_STREAM_API_ROUTES } from '../../constants';
@ -49,8 +49,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: DATA_STREAM_API_ROUTES.LIST_PATTERN,
-      fleetAuthz: {
-        fleet: { all: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENTS.ALL,
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+            FLEET_API_PRIVILEGES.SETTINGS.ALL,
+          ],
+        },
      },
      summary: `Get data streams`,
      options: {
--- a/x-pack/platform/plugins/shared/fleet/server/routes/debug/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/debug/index.ts
@ -9,7 +9,7 @@ import type { FleetAuthzRouter } from '../../services/security';

 import { FLEET_DEBUG_ROUTES } from '../../constants';
 import { API_VERSIONS } from '../../../common/constants';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import {
  FetchIndexRequestSchema,
  FetchSavedObjectNamesRequestSchema,
@ -27,8 +27,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
    .post({
      path: FLEET_DEBUG_ROUTES.INDEX_PATTERN,
      access: 'internal',
-      fleetAuthz: {
-        fleet: { all: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENTS.ALL,
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+            FLEET_API_PRIVILEGES.SETTINGS.ALL,
+          ],
+        },
      },
    })
    .addVersion(
@ -43,8 +49,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
    .post({
      path: FLEET_DEBUG_ROUTES.SAVED_OBJECTS_PATTERN,
      access: 'internal',
-      fleetAuthz: {
-        fleet: { all: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENTS.ALL,
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+            FLEET_API_PRIVILEGES.SETTINGS.ALL,
+          ],
+        },
      },
    })
    .addVersion(
@ -59,8 +71,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
    .post({
      path: FLEET_DEBUG_ROUTES.SAVED_OBJECT_NAMES_PATTERN,
      access: 'internal',
-      fleetAuthz: {
-        fleet: { all: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENTS.ALL,
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+            FLEET_API_PRIVILEGES.SETTINGS.ALL,
+          ],
+        },
      },
    })
    .addVersion(
--- a/x-pack/platform/plugins/shared/fleet/server/routes/download_source/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/download_source/index.ts
@ -21,7 +21,7 @@ import {
 } from '../../types';

 import { genericErrorResponse } from '../schema/errors';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { ListResponseSchema } from '../schema/utils';

 import {
@ -36,8 +36,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: DOWNLOAD_SOURCE_API_ROUTES.LIST_PATTERN,
-      fleetAuthz: (authz) => {
-        return authz.fleet.readSettings || authz.fleet.readAgentPolicies;
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [
+                FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+                FLEET_API_PRIVILEGES.SETTINGS.READ,
+              ],
+            },
+          ],
+        },
      },
      summary: `Get agent binary download sources`,
      options: {
@ -65,8 +74,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: DOWNLOAD_SOURCE_API_ROUTES.INFO_PATTERN,
-      fleetAuthz: (authz) => {
-        return authz.fleet.readSettings || authz.fleet.readAgentPolicies;
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [
+                FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+                FLEET_API_PRIVILEGES.SETTINGS.READ,
+              ],
+            },
+          ],
+        },
      },
      summary: `Get an agent binary download source`,
      description: `Get an agent binary download source by ID.`,
@ -95,8 +113,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .put({
      path: DOWNLOAD_SOURCE_API_ROUTES.UPDATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: `Update an agent binary download source`,
      description: `Update an agent binary download source by ID.`,
@ -125,8 +145,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: DOWNLOAD_SOURCE_API_ROUTES.CREATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: `Create an agent binary download source`,
      options: {
@ -154,8 +176,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .delete({
      path: DOWNLOAD_SOURCE_API_ROUTES.DELETE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: `Delete an agent binary download source`,
      description: `Delete an agent binary download source by ID.`,
--- a/x-pack/platform/plugins/shared/fleet/server/routes/enrollment_api_key/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/enrollment_api_key/index.ts
@ -22,7 +22,7 @@ import {
 } from '../../types';

 import { genericErrorResponse } from '../schema/errors';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { ListResponseSchema } from '../schema/utils';

 import {
@ -36,8 +36,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: ENROLLMENT_API_KEY_ROUTES.INFO_PATTERN,
-      fleetAuthz: {
-        fleet: { readEnrollmentTokens: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [FLEET_API_PRIVILEGES.AGENTS.ALL, FLEET_API_PRIVILEGES.SETUP],
+            },
+          ],
+        },
      },
      summary: `Get an enrollment API key`,
      description: `Get an enrollment API key by ID.`,
@ -66,8 +72,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .delete({
      path: ENROLLMENT_API_KEY_ROUTES.DELETE_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Revoke an enrollment API key`,
      description: `Revoke an enrollment API key by ID by marking it as inactive.`,
@ -96,8 +104,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: ENROLLMENT_API_KEY_ROUTES.LIST_PATTERN,
-      fleetAuthz: {
-        fleet: { readEnrollmentTokens: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [FLEET_API_PRIVILEGES.AGENTS.ALL, FLEET_API_PRIVILEGES.SETUP],
+            },
+          ],
+        },
      },
      summary: `Get enrollment API keys`,
      options: {
@ -128,8 +142,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: ENROLLMENT_API_KEY_ROUTES.CREATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Create an enrollment API key`,
      options: {
--- a/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts
@ -5,8 +5,9 @@
 * 2.0.
 */

-import { parseExperimentalConfigValue } from '../../../common/experimental_features';
+import type { RouteSecurity } from '@kbn/core-http-server';

+import { parseExperimentalConfigValue } from '../../../common/experimental_features';
 import { API_VERSIONS } from '../../../common/constants';

 import type { FleetAuthz } from '../../../common';
@ -57,7 +58,7 @@ import {
  ReauthorizeTransformResponseSchema,
 } from '../../types';
 import type { FleetConfigType } from '../../config';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { genericErrorResponse } from '../schema/errors';

 import {
@ -91,17 +92,40 @@ export const INSTALL_PACKAGES_AUTHZ: FleetAuthzRouteConfig['fleetAuthz'] = {
  integrations: { installPackages: true },
 };

+export const INSTALL_PACKAGES_SECURITY: RouteSecurity = {
+  authz: {
+    requiredPrivileges: [
+      FLEET_API_PRIVILEGES.INTEGRATIONS.ALL,
+      FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+    ],
+  },
+};
+
 export const READ_PACKAGE_INFO_AUTHZ: FleetAuthzRouteConfig['fleetAuthz'] = {
  integrations: { readPackageInfo: true },
 };

+export const READ_PACKAGE_INFO_SECURITY: RouteSecurity = {
+  authz: {
+    requiredPrivileges: [
+      {
+        anyRequired: [
+          FLEET_API_PRIVILEGES.INTEGRATIONS.READ,
+          FLEET_API_PRIVILEGES.SETUP,
+          FLEET_API_PRIVILEGES.FLEET.ALL,
+        ],
+      },
+    ],
+  },
+};
+
 export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType) => {
  const experimentalFeatures = parseExperimentalConfigValue(config.enableExperimental);

  router.versioned
    .get({
      path: EPM_API_ROUTES.CATEGORIES_PATTERN,
-      fleetAuthz: READ_PACKAGE_INFO_AUTHZ,
+      security: READ_PACKAGE_INFO_SECURITY,
      summary: `Get package categories`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -128,7 +152,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .get({
      path: EPM_API_ROUTES.LIST_PATTERN,
-      fleetAuthz: READ_PACKAGE_INFO_AUTHZ,
+      security: READ_PACKAGE_INFO_SECURITY,
      summary: `Get packages`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -155,7 +179,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .get({
      path: EPM_API_ROUTES.INSTALLED_LIST_PATTERN,
-      fleetAuthz: READ_PACKAGE_INFO_AUTHZ,
+      security: READ_PACKAGE_INFO_SECURITY,
      summary: `Get installed packages`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -182,7 +206,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .get({
      path: EPM_API_ROUTES.LIMITED_LIST_PATTERN,
-      fleetAuthz: READ_PACKAGE_INFO_AUTHZ,
+      security: READ_PACKAGE_INFO_SECURITY,
      summary: `Get a limited package list`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -209,7 +233,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .get({
      path: EPM_API_ROUTES.STATS_PATTERN,
-      fleetAuthz: READ_PACKAGE_INFO_AUTHZ,
+      security: READ_PACKAGE_INFO_SECURITY,
      summary: `Get package stats`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -236,7 +260,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .get({
      path: EPM_API_ROUTES.INPUTS_PATTERN,
-      fleetAuthz: READ_PACKAGE_INFO_AUTHZ,
+      security: READ_PACKAGE_INFO_SECURITY,
      summary: `Get an inputs template`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -263,7 +287,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .get({
      path: EPM_API_ROUTES.FILEPATH_PATTERN,
-      fleetAuthz: READ_PACKAGE_INFO_AUTHZ,
+      security: READ_PACKAGE_INFO_SECURITY,
      summary: `Get a package file`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -290,6 +314,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .get({
      path: EPM_API_ROUTES.INFO_PATTERN,
+      // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170
      fleetAuthz: (fleetAuthz: FleetAuthz): boolean =>
        calculateRouteAuthz(fleetAuthz, getRouteRequiredAuthz('get', EPM_API_ROUTES.INFO_PATTERN))
          .granted,
@ -319,9 +344,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .put({
      path: EPM_API_ROUTES.INFO_PATTERN,
-      fleetAuthz: {
-        integrations: { writePackageSettings: true },
-      },
+      security: INSTALL_PACKAGES_SECURITY,
      summary: `Update package settings`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -348,7 +371,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .post({
      path: EPM_API_ROUTES.INSTALL_FROM_REGISTRY_PATTERN,
-      fleetAuthz: INSTALL_PACKAGES_AUTHZ,
+      security: INSTALL_PACKAGES_SECURITY,
      summary: `Install a package from the registry`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -376,9 +399,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
    router.versioned
      .post({
        path: EPM_API_ROUTES.INSTALL_KIBANA_ASSETS_PATTERN,
-        fleetAuthz: {
-          integrations: { installPackages: true },
-        },
+        security: INSTALL_PACKAGES_SECURITY,
        summary: `Install Kibana assets for a package`,
        options: {
          tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -405,9 +426,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
    router.versioned
      .delete({
        path: EPM_API_ROUTES.DELETE_KIBANA_ASSETS_PATTERN,
-        fleetAuthz: {
-          integrations: { installPackages: true },
-        },
+        security: INSTALL_PACKAGES_SECURITY,
        summary: `Delete Kibana assets for a package`,
        options: {
          tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -435,9 +454,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .post({
      path: EPM_API_ROUTES.BULK_INSTALL_PATTERN,
-      fleetAuthz: {
-        integrations: { installPackages: true, upgradePackages: true },
-      },
+      security: INSTALL_PACKAGES_SECURITY,
      summary: `Bulk install packages`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -473,9 +490,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
        },
        tags: [`oas-tag:Elastic Package Manager (EPM)`],
      },
-      fleetAuthz: {
-        integrations: { uploadPackages: true },
-      },
+      security: INSTALL_PACKAGES_SECURITY,
      summary: `Install a package by upload`,
    })
    .addVersion(
@ -499,7 +514,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .post({
      path: EPM_API_ROUTES.CUSTOM_INTEGRATIONS_PATTERN,
-      fleetAuthz: INSTALL_PACKAGES_AUTHZ,
+      security: INSTALL_PACKAGES_SECURITY,
      summary: `Create a custom integration`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -526,8 +541,13 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .delete({
      path: EPM_API_ROUTES.DELETE_PATTERN,
-      fleetAuthz: {
-        integrations: { removePackages: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.INTEGRATIONS.ALL,
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+          ],
+        },
      },
      summary: `Delete a package`,
      options: {
@ -556,7 +576,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .get({
      path: EPM_API_ROUTES.VERIFICATION_KEY_ID,
-      fleetAuthz: READ_PACKAGE_INFO_AUTHZ,
+      security: READ_PACKAGE_INFO_SECURITY,
      summary: `Get a package signature verification key ID`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -583,7 +603,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .get({
      path: EPM_API_ROUTES.DATA_STREAMS_PATTERN,
-      fleetAuthz: READ_PACKAGE_INFO_AUTHZ,
+      security: READ_PACKAGE_INFO_SECURITY,
      summary: `Get data streams`,
      options: {
        tags: ['oas-tag:Data streams'],
@ -610,7 +630,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .post({
      path: EPM_API_ROUTES.BULK_ASSETS_PATTERN,
-      fleetAuthz: READ_PACKAGE_INFO_AUTHZ,
+      security: READ_PACKAGE_INFO_SECURITY,
      summary: `Bulk get assets`,
      options: {
        tags: ['oas-tag:Elastic Package Manager (EPM)'],
@ -639,6 +659,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .post({
      path: EPM_API_ROUTES.REAUTHORIZE_TRANSFORMS,
+      // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170
      fleetAuthz: {
        ...INSTALL_PACKAGES_AUTHZ,
        packagePrivileges: {
--- a/x-pack/platform/plugins/shared/fleet/server/routes/fleet_proxies/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/fleet_proxies/index.ts
@ -8,7 +8,7 @@ import { schema } from '@kbn/config-schema';

 import type { FleetAuthzRouter } from '../../services/security';
 import { API_VERSIONS } from '../../../common/constants';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { FLEET_PROXY_API_ROUTES } from '../../../common/constants';
 import {
  FleetProxyResponseSchema,
@ -34,8 +34,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: FLEET_PROXY_API_ROUTES.LIST_PATTERN,
-      fleetAuthz: {
-        fleet: { readSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ],
+        },
      },
      summary: `Get proxies`,
      options: {
@ -63,8 +65,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: FLEET_PROXY_API_ROUTES.CREATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: `Create a proxy`,
      options: {
@ -92,8 +96,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .put({
      path: FLEET_PROXY_API_ROUTES.UPDATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: `Update a proxy`,
      description: `Update a proxy by ID.`,
@ -122,8 +128,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: FLEET_PROXY_API_ROUTES.INFO_PATTERN,
-      fleetAuthz: {
-        fleet: { readSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ],
+        },
      },
      summary: `Get a proxy`,
      description: `Get a proxy by ID.`,
@ -152,8 +160,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .delete({
      path: FLEET_PROXY_API_ROUTES.DELETE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: `Delete a proxy`,
      description: `Delete a proxy by ID`,
--- a/x-pack/platform/plugins/shared/fleet/server/routes/fleet_server_hosts/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/fleet_server_hosts/index.ts
@ -21,7 +21,7 @@ import {
 } from '../../types';

 import { genericErrorResponse } from '../schema/errors';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { ListResponseSchema } from '../schema/utils';

 import {
@ -36,8 +36,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: FLEET_SERVER_HOST_API_ROUTES.LIST_PATTERN,
-      fleetAuthz: (authz) => {
-        return authz.fleet.addAgents || authz.fleet.addFleetServers || authz.fleet.readSettings;
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [FLEET_API_PRIVILEGES.AGENTS.ALL, FLEET_API_PRIVILEGES.SETTINGS.READ],
+            },
+          ],
+        },
      },
      summary: `Get Fleet Server hosts`,
      options: {
@ -64,8 +70,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: FLEET_SERVER_HOST_API_ROUTES.CREATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: `Create a Fleet Server host`,
      options: {
@ -92,8 +100,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: FLEET_SERVER_HOST_API_ROUTES.INFO_PATTERN,
-      fleetAuthz: {
-        fleet: { readSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ],
+        },
      },
      summary: `Get a Fleet Server host`,
      description: `Get a Fleet Server host by ID.`,
@ -121,8 +131,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .delete({
      path: FLEET_SERVER_HOST_API_ROUTES.DELETE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: `Delete a Fleet Server host`,
      description: `Delete a Fleet Server host by ID.`,
@ -153,8 +165,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .put({
      path: FLEET_SERVER_HOST_API_ROUTES.UPDATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: `Update a Fleet Server host`,
      description: `Update a Fleet Server host by ID.`,
--- a/x-pack/platform/plugins/shared/fleet/server/routes/health_check/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/health_check/index.ts
@ -7,7 +7,7 @@

 import { API_VERSIONS } from '../../../common/constants';
 import type { FleetAuthzRouter } from '../../services/security';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { APP_API_ROUTES } from '../../constants';
 import { PostHealthCheckRequestSchema, PostHealthCheckResponseSchema } from '../../types';
 import { genericErrorResponse } from '../schema/errors';
@ -19,8 +19,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: APP_API_ROUTES.HEALTH_CHECK_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: `Check Fleet Server health`,
      options: {
--- a/x-pack/platform/plugins/shared/fleet/server/routes/message_signing_service/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/message_signing_service/index.ts
@ -10,6 +10,7 @@ import type { FleetAuthzRouter } from '../../services/security';
 import { API_VERSIONS } from '../../../common/constants';
 import { MESSAGE_SIGNING_SERVICE_API_ROUTES } from '../../constants';
 import { RotateKeyPairSchema } from '../../types';
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';

 import { genericErrorResponse } from '../schema/errors';

@ -20,8 +21,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: MESSAGE_SIGNING_SERVICE_API_ROUTES.ROTATE_KEY_PAIR,
-      fleetAuthz: {
-        fleet: { all: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENTS.ALL,
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+            FLEET_API_PRIVILEGES.SETTINGS.ALL,
+          ],
+        },
      },
      summary: 'Rotate a Fleet message signing key pair',
      options: {
--- a/x-pack/platform/plugins/shared/fleet/server/routes/output/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/output/index.ts
@ -8,7 +8,7 @@
 import type { FleetAuthzRouter } from '../../services/security';

 import { API_VERSIONS } from '../../../common/constants';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { OUTPUT_API_ROUTES } from '../../constants';
 import {
  DeleteOutputRequestSchema,
@ -40,8 +40,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: OUTPUT_API_ROUTES.LIST_PATTERN,
-      fleetAuthz: (authz) => {
-        return authz.fleet.readSettings || authz.fleet.readAgentPolicies;
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [
+                FLEET_API_PRIVILEGES.SETTINGS.READ,
+                FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+              ],
+            },
+          ],
+        },
      },
      summary: 'Get outputs',
      options: {
@ -68,8 +77,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: OUTPUT_API_ROUTES.INFO_PATTERN,
-      fleetAuthz: (authz) => {
-        return authz.fleet.readSettings || authz.fleet.readAgentPolicies;
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [
+                FLEET_API_PRIVILEGES.SETTINGS.READ,
+                FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+              ],
+            },
+          ],
+        },
      },
      summary: 'Get output',
      description: 'Get output by ID.',
@ -97,8 +115,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .put({
      path: OUTPUT_API_ROUTES.UPDATE_PATTERN,
-      fleetAuthz: (authz) => {
-        return authz.fleet.allSettings || authz.fleet.allAgentPolicies;
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [
+                FLEET_API_PRIVILEGES.SETTINGS.ALL,
+                FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+              ],
+            },
+          ],
+        },
      },
      summary: 'Update output',
      description: 'Update output by ID.',
@ -127,8 +154,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: OUTPUT_API_ROUTES.CREATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: 'Create output',
      options: {
@ -156,8 +185,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .delete({
      path: OUTPUT_API_ROUTES.DELETE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: 'Delete output',
      description: 'Delete output by ID.',
@ -189,8 +220,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: OUTPUT_API_ROUTES.LOGSTASH_API_KEY_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: 'Generate a Logstash API key',
      options: {
@ -218,8 +251,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: OUTPUT_API_ROUTES.GET_OUTPUT_HEALTH_PATTERN,
-      fleetAuthz: {
-        fleet: { readSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ],
+        },
      },
      summary: 'Get the latest output health',
      options: {
--- a/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/index.ts
@ -7,9 +7,8 @@
 import { schema } from '@kbn/config-schema';

 import { getRouteRequiredAuthz } from '../../services/security';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import type { FleetAuthzRouter } from '../../services/security';
-
 import type { FleetAuthz } from '../../../common';
 import { API_VERSIONS } from '../../../common/constants';
 import { PACKAGE_POLICY_API_ROUTES } from '../../constants';
@ -56,6 +55,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: PACKAGE_POLICY_API_ROUTES.LIST_PATTERN,
+      // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170
      fleetAuthz: (fleetAuthz: FleetAuthz): boolean =>
        calculateRouteAuthz(
          fleetAuthz,
@ -88,6 +88,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: PACKAGE_POLICY_API_ROUTES.BULK_GET_PATTERN,
+      // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170
      fleetAuthz: (fleetAuthz: FleetAuthz): boolean =>
        calculateRouteAuthz(
          fleetAuthz,
@ -123,6 +124,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: PACKAGE_POLICY_API_ROUTES.INFO_PATTERN,
+      // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170
      fleetAuthz: (fleetAuthz: FleetAuthz): boolean =>
        calculateRouteAuthz(
          fleetAuthz,
@ -218,6 +220,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .put({
      path: PACKAGE_POLICY_API_ROUTES.UPDATE_PATTERN,
+      // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170
      fleetAuthz: (fleetAuthz: FleetAuthz): boolean =>
        calculateRouteAuthz(
          fleetAuthz,
@ -258,8 +261,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: PACKAGE_POLICY_API_ROUTES.DELETE_PATTERN,
-      fleetAuthz: {
-        integrations: { writeIntegrationPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+            FLEET_API_PRIVILEGES.INTEGRATIONS.ALL,
+          ],
+        },
      },
      summary: 'Bulk delete package policies',
      options: {
@ -287,8 +295,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .delete({
      path: PACKAGE_POLICY_API_ROUTES.INFO_PATTERN,
-      fleetAuthz: {
-        integrations: { writeIntegrationPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+            FLEET_API_PRIVILEGES.INTEGRATIONS.ALL,
+          ],
+        },
      },
      summary: 'Delete a package policy',
      description: 'Delete a package policy by ID.',
@ -318,8 +331,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: PACKAGE_POLICY_API_ROUTES.UPGRADE_PATTERN,
-      fleetAuthz: {
-        integrations: { writeIntegrationPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+            FLEET_API_PRIVILEGES.INTEGRATIONS.ALL,
+          ],
+        },
      },
      summary: 'Upgrade a package policy',
      description: 'Upgrade a package policy to a newer package version.',
@ -349,8 +367,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: PACKAGE_POLICY_API_ROUTES.DRYRUN_PATTERN,
-      fleetAuthz: {
-        integrations: { readIntegrationPolicies: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+            FLEET_API_PRIVILEGES.INTEGRATIONS.READ,
+          ],
+        },
      },
      summary: 'Dry run a package policy upgrade',
      options: {
--- a/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts
@ -9,6 +9,7 @@ import type { FleetAuthzRouter } from '../../services/security';

 import { API_VERSIONS } from '../../../common/constants';

+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { PRECONFIGURATION_API_ROUTES } from '../../constants';
 import { PostResetOnePreconfiguredAgentPoliciesSchema } from '../../types';

@ -19,8 +20,15 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
    .post({
      path: PRECONFIGURATION_API_ROUTES.RESET_PATTERN,
      access: 'public',
-      fleetAuthz: {
-        fleet: { all: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENTS.ALL,
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+            FLEET_API_PRIVILEGES.SETTINGS.ALL,
+            FLEET_API_PRIVILEGES.INTEGRATIONS.READ,
+          ],
+        },
      },
    })
    .addVersion(
@ -35,8 +43,15 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
    .post({
      path: PRECONFIGURATION_API_ROUTES.RESET_ONE_PATTERN,
      access: 'public',
-      fleetAuthz: {
-        fleet: { all: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            FLEET_API_PRIVILEGES.AGENTS.ALL,
+            FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL,
+            FLEET_API_PRIVILEGES.SETTINGS.ALL,
+            FLEET_API_PRIVILEGES.INTEGRATIONS.READ,
+          ],
+        },
      },
    })
    .addVersion(
--- a/x-pack/platform/plugins/shared/fleet/server/routes/settings/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/settings/index.ts
@ -20,7 +20,7 @@ import {
  GetEnrollmentSettingsResponseSchema,
 } from '../../types';
 import type { FleetConfigType } from '../../config';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { genericErrorResponse, notFoundResponse } from '../schema/errors';

 import { getEnrollmentSettingsHandler } from './enrollment_settings_handler';
@ -39,6 +39,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
      .get({
        path: SETTINGS_API_ROUTES.SPACE_INFO_PATTERN,
        fleetAuthz: (authz) => {
+          // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170
          return (
            authz.fleet.readSettings ||
            authz.integrations.writeIntegrationPolicies ||
@ -65,8 +66,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
    router.versioned
      .put({
        path: SETTINGS_API_ROUTES.SPACE_UPDATE_PATTERN,
-        fleetAuthz: {
-          fleet: { allSettings: true },
+        security: {
+          authz: {
+            requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+          },
        },
        summary: `Create space settings`,
      })
@ -89,8 +92,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .get({
      path: SETTINGS_API_ROUTES.INFO_PATTERN,
-      fleetAuthz: {
-        fleet: { readSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ],
+        },
      },
      summary: `Get settings`,
      options: {
@ -120,8 +125,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .put({
      path: SETTINGS_API_ROUTES.UPDATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL],
+        },
      },
      summary: `Update settings`,
      options: {
@ -151,8 +158,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
  router.versioned
    .get({
      path: SETTINGS_API_ROUTES.ENROLLMENT_INFO_PATTERN,
-      fleetAuthz: (authz) => {
-        return authz.fleet.addAgents || authz.fleet.addFleetServers;
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
      summary: `Get enrollment settings`,
      options: {
--- a/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts
@ -7,7 +7,7 @@
 import { schema } from '@kbn/config-schema';

 import type { FleetAuthzRouter } from '../../services/security';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { AGENTS_SETUP_API_ROUTES, SETUP_API_ROUTE } from '../../constants';
 import { API_VERSIONS } from '../../../common/constants';

@ -39,8 +39,19 @@ export const registerFleetSetupRoute = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: SETUP_API_ROUTE,
-      fleetAuthz: {
-        fleet: { setup: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [
+                FLEET_API_PRIVILEGES.AGENTS.READ,
+                FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+                FLEET_API_PRIVILEGES.SETTINGS.READ,
+                FLEET_API_PRIVILEGES.SETUP,
+              ],
+            },
+          ],
+        },
      },
      summary: `Initiate Fleet setup`,
      options: {
@ -101,8 +112,19 @@ export const registerCreateFleetSetupRoute = (router: FleetAuthzRouter) => {
  router.versioned
    .post({
      path: AGENTS_SETUP_API_ROUTES.CREATE_PATTERN,
-      fleetAuthz: {
-        fleet: { setup: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [
+                FLEET_API_PRIVILEGES.AGENTS.READ,
+                FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+                FLEET_API_PRIVILEGES.SETTINGS.READ,
+                FLEET_API_PRIVILEGES.SETUP,
+              ],
+            },
+          ],
+        },
      },
      summary: `Initiate agent setup`,
      options: {
@ -132,8 +154,19 @@ export const registerGetFleetStatusRoute = (router: FleetAuthzRouter) => {
  router.versioned
    .get({
      path: AGENTS_SETUP_API_ROUTES.INFO_PATTERN,
-      fleetAuthz: {
-        fleet: { setup: true },
+      security: {
+        authz: {
+          requiredPrivileges: [
+            {
+              anyRequired: [
+                FLEET_API_PRIVILEGES.AGENTS.READ,
+                FLEET_API_PRIVILEGES.AGENT_POLICIES.READ,
+                FLEET_API_PRIVILEGES.SETTINGS.READ,
+                FLEET_API_PRIVILEGES.SETUP,
+              ],
+            },
+          ],
+        },
      },
      summary: `Get agent setup info`,
      options: {
--- a/x-pack/platform/plugins/shared/fleet/server/routes/standalone_agent_api_key/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/standalone_agent_api_key/index.ts
@ -10,7 +10,7 @@ import type { FleetAuthzRouter } from '../../services/security';
 import { API_VERSIONS } from '../../../common/constants';

 import { CREATE_STANDALONE_AGENT_API_KEY_ROUTE } from '../../constants';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import { PostStandaloneAgentAPIKeyRequestSchema } from '../../types';

 import { createStandaloneAgentApiKeyHandler } from './handler';
@ -20,8 +20,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
    .post({
      path: CREATE_STANDALONE_AGENT_API_KEY_ROUTE,
      access: 'internal',
-      fleetAuthz: {
-        fleet: { addAgents: true },
+      security: {
+        authz: {
+          requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+        },
      },
    })
    .addVersion(
--- a/x-pack/platform/plugins/shared/fleet/server/routes/uninstall_token/index.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/uninstall_token/index.ts
@ -7,7 +7,7 @@

 import { UNINSTALL_TOKEN_ROUTES, API_VERSIONS } from '../../../common/constants';
 import type { FleetConfigType } from '../../config';
-
+import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
 import type { FleetAuthzRouter } from '../../services/security';
 import {
  GetUninstallTokenRequestSchema,
@ -28,8 +28,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
    router.versioned
      .get({
        path: UNINSTALL_TOKEN_ROUTES.LIST_PATTERN,
-        fleetAuthz: {
-          fleet: { allAgents: true },
+        security: {
+          authz: {
+            requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+          },
        },
        summary: 'Get metadata for latest uninstall tokens',
        description: 'List the metadata for the latest uninstall tokens per agent policy.',
@ -58,8 +60,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
    router.versioned
      .get({
        path: UNINSTALL_TOKEN_ROUTES.INFO_PATTERN,
-        fleetAuthz: {
-          fleet: { allAgents: true },
+        security: {
+          authz: {
+            requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
+          },
        },
        summary: 'Get a decrypted uninstall token',
        description: 'Get one decrypted uninstall token by its ID.',
--- a/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts
@ -152,6 +152,7 @@ import type { PackagePolicyClientFetchAllItemIdsOptions } from './package_policy
 import { validatePolicyNamespaceForSpace } from './spaces/policy_namespaces';
 import { isSpaceAwarenessEnabled, isSpaceAwarenessMigrationPending } from './spaces/helpers';
 import { updatePackagePolicySpaces } from './spaces/package_policy';
+import { runWithCache } from './epm/packages/cache';

 export type InputsOverride = Partial<NewPackagePolicyInput> & {
  vars?: Array<NewPackagePolicyInput['vars'] & { name: string }>;
@ -1694,40 +1695,42 @@ class PackagePolicyClientImpl implements PackagePolicyClient {
    packagePolicy?: PackagePolicy,
    pkgVersion?: string
  ): Promise<UpgradePackagePolicyResponse> {
-    const result: UpgradePackagePolicyResponse = [];
+    return runWithCache(async () => {
+      const result: UpgradePackagePolicyResponse = [];

-    for (const id of ids) {
-      try {
-        const {
-          packagePolicy: currentPackagePolicy,
-          packageInfo,
-          experimentalDataStreamFeatures,
-        } = await this.getUpgradePackagePolicyInfo(soClient, id, packagePolicy, pkgVersion);
+      for (const id of ids) {
+        try {
+          const {
+            packagePolicy: currentPackagePolicy,
+            packageInfo,
+            experimentalDataStreamFeatures,
+          } = await this.getUpgradePackagePolicyInfo(soClient, id, packagePolicy, pkgVersion);

-        if (currentPackagePolicy.is_managed && !options?.force) {
-          throw new PackagePolicyRestrictionRelatedError(`Cannot upgrade package policy ${id}`);
+          if (currentPackagePolicy.is_managed && !options?.force) {
+            throw new PackagePolicyRestrictionRelatedError(`Cannot upgrade package policy ${id}`);
+          }
+
+          await this.doUpgrade(
+            soClient,
+            esClient,
+            id,
+            currentPackagePolicy,
+            result,
+            packageInfo,
+            experimentalDataStreamFeatures,
+            options
+          );
+        } catch (error) {
+          result.push({
+            id,
+            success: false,
+            ...fleetErrorToResponseOptions(error),
+          });
        }
-
-        await this.doUpgrade(
-          soClient,
-          esClient,
-          id,
-          currentPackagePolicy,
-          result,
-          packageInfo,
-          experimentalDataStreamFeatures,
-          options
-        );
-      } catch (error) {
-        result.push({
-          id,
-          success: false,
-          ...fleetErrorToResponseOptions(error),
-        });
      }
-    }

-    return result;
+      return result;
+    });
  }

  private async doUpgrade(
--- a/x-pack/platform/plugins/shared/fleet/server/services/security/fleet_router.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/services/security/fleet_router.ts
@ -52,7 +52,7 @@ function withDefaultPublicAccess<Method extends RouteMethod>(
    return {
      ...options,
      access: PUBLIC_API_ACCESS,
-      security: DEFAULT_FLEET_ROUTE_SECURITY,
+      security: options.security ? options.security : DEFAULT_FLEET_ROUTE_SECURITY,
    };
  }
 }