[8.x] [APM] Use subfeature permissions for Labs settings (#197092) (#197259)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[APM] Use subfeature permissions for Labs settings
(#197092)](https://github.com/elastic/kibana/pull/197092)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Sergi
Romeu","email":"sergi.romeu@elastic.co"},"sourceCommit":{"committedDate":"2024-10-22T14:43:52Z","message":"[APM]
Use subfeature permissions for Labs settings (#197092)\n\n##
Summary\r\n\r\nCloses
https://github.com/elastic/kibana/issues/197091\r\n\r\nThis PR uses the
previously created\r\n(https://github.com/elastic/kibana/pull/194419)
subfeature permissions\r\nfor APM to be able to modify settings inside
Labs flyout.\r\n\r\n## Screenshots for unauthorized user\r\n| Before |
After
|\r\n\r\n|-------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|\r\n\r\n|![image](a57e68c2-10c8-428b-9fce-31309b7a9d6e)|\r\n\r\n##
How to test\r\n1. Go under Stack Management -> Roles and create a new
custom role.\r\n2. For Kibana, select All spaces for the space selector,
and Customize,\r\nyou can get all the permissions you need.\r\n3. Go
into Observability and APM and User Experience.\r\n4. Select Read and
save the role.\r\n5. Create a new user and assign that role and also the
viewer role.\r\n6. Login with an incognito / different browser into the
new user.\r\n7. Go into APM -> Settings, WARNING: if you are not able to
see settings\r\nis because you don't have data, run node
scripts/synthtrace\r\nmany_services.ts --live --clean.\r\n8. You should
not be able to change the configuration on each tab.\r\n9. Change the
role privileges to have Read but with write access.\r\n10. Test it, you
should be able to modify the settings.\r\n11. Do the same with All with
and without the write
permissions.","sha":"68b328d36ba6a178c27744c249b0cea7f4eaa00b","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","v9.0.0","backport:prev-minor","apm:settings","ci:project-deploy-observability","Team:obs-ux-infra_services"],"title":"[APM]
Use subfeature permissions for Labs
settings","number":197092,"url":"https://github.com/elastic/kibana/pull/197092","mergeCommit":{"message":"[APM]
Use subfeature permissions for Labs settings (#197092)\n\n##
Summary\r\n\r\nCloses
https://github.com/elastic/kibana/issues/197091\r\n\r\nThis PR uses the
previously created\r\n(https://github.com/elastic/kibana/pull/194419)
subfeature permissions\r\nfor APM to be able to modify settings inside
Labs flyout.\r\n\r\n## Screenshots for unauthorized user\r\n| Before |
After
|\r\n\r\n|-------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|\r\n\r\n|![image](a57e68c2-10c8-428b-9fce-31309b7a9d6e)|\r\n\r\n##
How to test\r\n1. Go under Stack Management -> Roles and create a new
custom role.\r\n2. For Kibana, select All spaces for the space selector,
and Customize,\r\nyou can get all the permissions you need.\r\n3. Go
into Observability and APM and User Experience.\r\n4. Select Read and
save the role.\r\n5. Create a new user and assign that role and also the
viewer role.\r\n6. Login with an incognito / different browser into the
new user.\r\n7. Go into APM -> Settings, WARNING: if you are not able to
see settings\r\nis because you don't have data, run node
scripts/synthtrace\r\nmany_services.ts --live --clean.\r\n8. You should
not be able to change the configuration on each tab.\r\n9. Change the
role privileges to have Read but with write access.\r\n10. Test it, you
should be able to modify the settings.\r\n11. Do the same with All with
and without the write
permissions.","sha":"68b328d36ba6a178c27744c249b0cea7f4eaa00b"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/197092","number":197092,"mergeCommit":{"message":"[APM]
Use subfeature permissions for Labs settings (#197092)\n\n##
Summary\r\n\r\nCloses
https://github.com/elastic/kibana/issues/197091\r\n\r\nThis PR uses the
previously created\r\n(https://github.com/elastic/kibana/pull/194419)
subfeature permissions\r\nfor APM to be able to modify settings inside
Labs flyout.\r\n\r\n## Screenshots for unauthorized user\r\n| Before |
After
|\r\n\r\n|-------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|\r\n\r\n|![image](a57e68c2-10c8-428b-9fce-31309b7a9d6e)|\r\n\r\n##
How to test\r\n1. Go under Stack Management -> Roles and create a new
custom role.\r\n2. For Kibana, select All spaces for the space selector,
and Customize,\r\nyou can get all the permissions you need.\r\n3. Go
into Observability and APM and User Experience.\r\n4. Select Read and
save the role.\r\n5. Create a new user and assign that role and also the
viewer role.\r\n6. Login with an incognito / different browser into the
new user.\r\n7. Go into APM -> Settings, WARNING: if you are not able to
see settings\r\nis because you don't have data, run node
scripts/synthtrace\r\nmany_services.ts --live --clean.\r\n8. You should
not be able to change the configuration on each tab.\r\n9. Change the
role privileges to have Read but with write access.\r\n10. Test it, you
should be able to modify the settings.\r\n11. Do the same with All with
and without the write
permissions.","sha":"68b328d36ba6a178c27744c249b0cea7f4eaa00b"}}]}]
BACKPORT-->

Co-authored-by: Sergi Romeu <sergi.romeu@elastic.co>

x-pack/plugins/observability_solution/apm/public/components/routing/app_root/apm_header_action_menu/labs/labs_flyout.tsx

@@ -20,6 +20,7 @@ import {
   EuiSpacer,
   EuiText,
   EuiTitle,
+  EuiToolTip,
 } from '@elastic/eui';
 import { withSuspense } from '@kbn/shared-ux-utility';
 import { i18n } from '@kbn/i18n';
@@ -42,7 +43,11 @@ interface Props {
 
 export function LabsFlyout({ onClose }: Props) {
   const trackApmEvent = useUiTracker({ app: 'apm' });
-  const { docLinks, notifications } = useApmPluginContext().core;
+  const { docLinks, notifications, application } = useApmPluginContext().core;
+
+  const canSave =
+    application.capabilities.advancedSettings.save &&
+    (application.capabilities.apm['settings:save'] as boolean);
 
   const { data, status } = useFetcher(
     (callApmApi) => callApmApi('GET /internal/apm/settings/labs'),
@@ -152,7 +157,7 @@ export function LabsFlyout({ onClose }: Props) {
                   >
                     <FieldRow
                       field={field}
-                      isSavingEnabled={true}
+                      isSavingEnabled={canSave}
                       onFieldChange={handleFieldChange}
                       unsavedChange={unsavedChanges[settingKey]}
                     />
@@ -172,16 +177,27 @@ export function LabsFlyout({ onClose }: Props) {
                 </EuiButtonEmpty>
               </EuiFlexItem>
               <EuiFlexItem grow={false}>
-                <EuiButton
-                  data-test-subj="apmLabsFlyoutReloadToApplyChangesButton"
-                  fill
-                  isLoading={isSaving}
-                  onClick={handleSave}
+                <EuiToolTip
+                  content={
+                    !canSave &&
+                    i18n.translate('xpack.apm.labs.noPermissionTooltipLabel', {
+                      defaultMessage:
+                        "Your user role doesn't have permissions to modify these settings",
+                    })
+                  }
                 >
-                  {i18n.translate('xpack.apm.labs.reload', {
-                    defaultMessage: 'Reload to apply changes',
-                  })}
-                </EuiButton>
+                  <EuiButton
+                    data-test-subj="apmLabsFlyoutReloadToApplyChangesButton"
+                    fill
+                    isLoading={isSaving}
+                    onClick={handleSave}
+                    isDisabled={!canSave}
+                  >
+                    {i18n.translate('xpack.apm.labs.reload', {
+                      defaultMessage: 'Reload to apply changes',
+                    })}
+                  </EuiButton>
+                </EuiToolTip>
               </EuiFlexItem>
             </EuiFlexGroup>
           </EuiFlyoutFooter>