make endpointArtifactManagement product feature offer specific with own role migrations

x-pack/solutions/security/packages/features/src/security/product_feature_config.ts

@@ -126,16 +126,6 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature
   // Adds no additional kibana feature controls
   [ProductFeatureSecurityKey.endpointPolicyProtections]: {},
 
-  [ProductFeatureSecurityKey.endpointArtifactManagement]: {
-    subFeatureIds: [
-      SecuritySubFeatureId.hostIsolationExceptionsBasic,
-      SecuritySubFeatureId.trustedApplications,
-      SecuritySubFeatureId.blocklist,
-      SecuritySubFeatureId.eventFilters,
-      SecuritySubFeatureId.globalArtifactManagement,
-    ],
-  },
-
   // Endpoint Complete Tier:
   // Allows access to create/update HIEs
   [ProductFeatureSecurityKey.endpointHostIsolationExceptions]: {

x-pack/solutions/security/packages/features/src/security/types.ts

@@ -22,6 +22,7 @@ export interface SecurityFeatureParams {
 
 export type DefaultSecurityProductFeaturesConfig = Omit<
   Record<ProductFeatureSecurityKey, ProductFeatureKibanaConfig<SecuritySubFeatureId>>,
-  ProductFeatureSecurityKey.endpointExceptions
+  | ProductFeatureSecurityKey.endpointExceptions
+  | ProductFeatureSecurityKey.endpointArtifactManagement
   // | add not generic security app features here
 >;

x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts

@@ -93,31 +93,14 @@ export const getSecurityBaseKibanaFeature = ({
         default: [
           { feature: TIMELINE_FEATURE_ID, privileges: ['all'] },
           { feature: NOTES_FEATURE_ID, privileges: ['all'] },
-          {
+          // note: overriden by product feature endpointArtifactManagement when enabled
-            feature: SECURITY_FEATURE_ID_V3,
+          { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] },
-            privileges: [
-              // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user.
-              'minimal_all',
-
-              // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
-              // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
-              // This migration is for Endpoint Exceptions artifact in ESS offering, as it included in Security:ALL privilege.
-              'global_artifact_management_all',
-            ],
-          },
         ],
         minimal: [
           { feature: TIMELINE_FEATURE_ID, privileges: ['all'] },
           { feature: NOTES_FEATURE_ID, privileges: ['all'] },
-          {
+          // note: overriden by product feature endpointArtifactManagement when enabled
-            feature: SECURITY_FEATURE_ID_V3,
+          { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] },
-            privileges: [
-              'minimal_all',
-
-              // See above.
-              'global_artifact_management_all',
-            ],
-          },
         ],
       },
       app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],

x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts

@@ -90,29 +90,12 @@ export const getSecurityV2BaseKibanaFeature = ({
     all: {
       replacedBy: {
         default: [
-          {
+          // note: overriden by product feature endpointArtifactManagement when enabled
-            feature: SECURITY_FEATURE_ID_V3,
+          { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] },
-            privileges: [
-              // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user.
-              'minimal_all',
-
-              // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
-              // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
-              // This migration is for Endpoint Exceptions artifact in ESS offering, as it included in Security:ALL privilege.
-              'global_artifact_management_all',
-            ],
-          },
         ],
         minimal: [
-          {
+          // note: overriden by product feature endpointArtifactManagement when enabled
-            feature: SECURITY_FEATURE_ID_V3,
+          { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] },
-            privileges: [
-              'minimal_all',
-
-              // See above.
-              'global_artifact_management_all',
-            ],
-          },
         ],
       },
       app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],

x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts

@@ -11,7 +11,7 @@ import type {
 } from '@kbn/security-solution-features';
 import {
   ProductFeatureSecurityKey,
-  type SecuritySubFeatureId,
+  SecuritySubFeatureId,
 } from '@kbn/security-solution-features/keys';
 import {
   securityDefaultProductFeaturesConfig,
@@ -21,6 +21,7 @@ import {
   ProductFeaturesPrivilegeId,
   ProductFeaturesPrivileges,
 } from '@kbn/security-solution-features/privileges';
+import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants';
 
 export const getSecurityProductFeaturesConfigurator =
   (enabledProductFeatureKeys: ProductFeatureKeys) => (): ProductFeaturesSecurityConfig => {
@@ -47,4 +48,77 @@ const securityProductFeaturesConfig: Record<
   [ProductFeatureSecurityKey.endpointExceptions]: {
     privileges: ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions],
   },
+
+  [ProductFeatureSecurityKey.endpointArtifactManagement]: {
+    subFeatureIds: [
+      SecuritySubFeatureId.hostIsolationExceptionsBasic,
+      SecuritySubFeatureId.trustedApplications,
+      SecuritySubFeatureId.blocklist,
+      SecuritySubFeatureId.eventFilters,
+      SecuritySubFeatureId.globalArtifactManagement,
+    ],
+
+    baseFeatureConfigModifier: (baseFeatureConfig) => {
+      if (
+        !['siem', 'siemV2'].includes(baseFeatureConfig.id) ||
+        !baseFeatureConfig.privileges?.all.replacedBy ||
+        !('default' in baseFeatureConfig.privileges.all.replacedBy)
+      ) {
+        return baseFeatureConfig;
+      }
+
+      return {
+        ...baseFeatureConfig,
+        privileges: {
+          ...baseFeatureConfig.privileges,
+
+          all: {
+            ...baseFeatureConfig.privileges.all,
+
+            // overwriting siem:ALL role migration in siem and siemV2
+            replacedBy: {
+              default: baseFeatureConfig.privileges.all.replacedBy.default.map(
+                (privilegesPreference) => {
+                  if (privilegesPreference.feature === SECURITY_FEATURE_ID_V3) {
+                    return {
+                      feature: SECURITY_FEATURE_ID_V3,
+                      privileges: [
+                        // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user.
+                        'minimal_all',
+
+                        // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+                        // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+                        // This migration is for Endpoint Exceptions artifact in ESS offering, as it included in Security:ALL privilege.
+                        'global_artifact_management_all',
+                      ],
+                    };
+                  }
+
+                  return privilegesPreference;
+                }
+              ),
+
+              minimal: baseFeatureConfig.privileges.all.replacedBy.minimal.map(
+                (privilegesPreference) => {
+                  if (privilegesPreference.feature === SECURITY_FEATURE_ID_V3) {
+                    return {
+                      feature: SECURITY_FEATURE_ID_V3,
+                      privileges: [
+                        'minimal_all',
+
+                        // on ESS, Endpoint Exception ALL is included in siem:MINIMAL_ALL
+                        'global_artifact_management_all',
+                      ],
+                    };
+                  }
+
+                  return privilegesPreference;
+                }
+              ),
+            },
+          },
+        },
+      };
+    },
+  },
 };

x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts

@@ -17,6 +17,7 @@ import {
   ProductFeatureSecurityKey,
   SecuritySubFeatureId,
 } from '@kbn/security-solution-features/keys';
+import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants';
 import type { ExperimentalFeatures } from '../../common/experimental_features';
 
 export const getSecurityProductFeaturesConfigurator =
@@ -48,4 +49,63 @@ const securityProductFeaturesConfig: Record<
   [ProductFeatureSecurityKey.endpointExceptions]: {
     subFeatureIds: [SecuritySubFeatureId.endpointExceptions],
   },
+
+  [ProductFeatureSecurityKey.endpointArtifactManagement]: {
+    subFeatureIds: [
+      SecuritySubFeatureId.hostIsolationExceptionsBasic,
+      SecuritySubFeatureId.trustedApplications,
+      SecuritySubFeatureId.blocklist,
+      SecuritySubFeatureId.eventFilters,
+      SecuritySubFeatureId.globalArtifactManagement,
+    ],
+
+    baseFeatureConfigModifier: (baseFeatureConfig) => {
+      if (
+        !['siem', 'siemV2'].includes(baseFeatureConfig.id) ||
+        !baseFeatureConfig.privileges?.all.replacedBy ||
+        !('default' in baseFeatureConfig.privileges.all.replacedBy)
+      ) {
+        return baseFeatureConfig;
+      }
+
+      return {
+        ...baseFeatureConfig,
+        privileges: {
+          ...baseFeatureConfig.privileges,
+
+          all: {
+            ...baseFeatureConfig.privileges.all,
+
+            // overwriting siem:ALL role migration in siem and siemV2
+            replacedBy: {
+              ...baseFeatureConfig.privileges.all.replacedBy,
+
+              default: baseFeatureConfig.privileges.all.replacedBy.default.map(
+                (privilegesPreference) => {
+                  if (privilegesPreference.feature === SECURITY_FEATURE_ID_V3) {
+                    return {
+                      feature: SECURITY_FEATURE_ID_V3,
+                      privileges: [
+                        // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user.
+                        'minimal_all',
+
+                        // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+                        // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+                        // This migration is for Endpoint Exceptions artifact in Serverless offering, as it included in Security:ALL privilege.
+                        'global_artifact_management_all',
+                      ],
+                    };
+                  }
+
+                  return privilegesPreference;
+                }
+              ),
+            },
+
+            // minimal_all is not overwritten, as it does not includes Endpoint Exceptions ALL.
+          },
+        },
+      };
+    },
+  },
 };