[ResponseOps] Require all privilege to "Actions and Connectors" in order to execute SentinelOne sub-actions (#171247)

## Summary

- Adds an additional authz check to the execution of SentinelOne
sub-actions to ensure the user has the `all` privilege to "Actions and
Connectors"

x-pack/plugins/actions/server/lib/action_executor.test.ts

@@ -22,6 +22,7 @@ import {
 import { securityMock } from '@kbn/security-plugin/server/mocks';
 import { finished } from 'stream/promises';
 import { PassThrough } from 'stream';
+import { SecurityConnectorFeatureId } from '../../common';
 
 const actionExecutor = new ActionExecutor({ isESOCanEncrypt: true });
 const services = actionsMock.createServices();
@@ -839,6 +840,44 @@ test('successfully authorize system actions', async () => {
   });
 });
 
+test('Execute of SentinelOne sub-actions require create privilege', async () => {
+  const actionType: jest.Mocked<ActionType> = {
+    id: '.sentinelone',
+    name: 'sentinelone',
+    minimumLicenseRequired: 'enterprise',
+    supportedFeatureIds: [SecurityConnectorFeatureId],
+    validate: {
+      config: { schema: schema.any() },
+      secrets: { schema: schema.any() },
+      params: { schema: schema.any() },
+    },
+    executor: jest.fn(),
+  };
+  const actionSavedObject = {
+    id: '1',
+    type: 'action',
+    attributes: {
+      name: '1',
+      actionTypeId: '.sentinelone',
+      config: {
+        bar: true,
+      },
+      secrets: {
+        baz: true,
+      },
+      isMissingSecrets: false,
+    },
+    references: [],
+  };
+
+  encryptedSavedObjectsClient.getDecryptedAsInternalUser.mockResolvedValueOnce(actionSavedObject);
+  actionTypeRegistry.get.mockReturnValueOnce(actionType);
+
+  await actionExecutor.execute({ ...executeParams, actionId: 'sentinel-one-connector-authz' });
+
+  expect(authorizationMock.ensureAuthorized).toHaveBeenCalledWith({ operation: 'create' });
+});
+
 test('pass the params to the actionTypeRegistry when authorizing system actions', async () => {
   const actionType: jest.Mocked<ActionType> = {
     id: '.cases',

x-pack/plugins/actions/server/lib/action_executor.ts

@@ -567,6 +567,14 @@ const ensureAuthorizedToExecute = async ({
 
       await authorization.ensureAuthorized({ operation: 'execute', additionalPrivileges });
     }
+
+    // SentinelOne sub-actions require that a user have `all` privilege to Actions and Connectors.
+    // This is a temporary solution until a more robust RBAC approach can be implemented for sub-actions
+    if (actionTypeId === '.sentinelone') {
+      await authorization.ensureAuthorized({
+        operation: 'create',
+      });
+    }
   } catch (error) {
     throw new ActionExecutionError(error.message, ActionExecutionErrorReason.Authorization, {
       actionId,

x-pack/plugins/actions/tsconfig.json

@@ -43,7 +43,7 @@
     "@kbn/core-saved-objects-api-server-mocks",
     "@kbn/core-elasticsearch-server-mocks",
     "@kbn/core-logging-server-mocks",
-    "@kbn/serverless"
+    "@kbn/serverless",
   ],
   "exclude": [
     "target/**/*",