[Ai4dSoc] Hide notes/timelines for search_ai_lake tier (#215334)

> [!CAUTION]
> Do not merge yet!
> This PR is mergeable based on the assumption that we do not allow
downgrading to `search_ai_lake` tier from `essentials`/`complete` or
`trial` `complete/essentals`.

## Summary

On serverless with following sets of product types/lines timelines and
notes are not available to the user.

```json5
[
  { product_line: 'ai_soc', product_tier: 'search_ai_lake' }
]
```
or 
```json5
[
  { product_line: 'security', product_tier: 'search_ai_lake' }
]
```
or with 
```json5
[
  { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  { product_line: 'security', product_tier: 'search_ai_lake' }
]
```

This applies to custom role creation flyout where timelines/notes
privileges are not available for RBAC.

### Screenshots (where timeline and notes are not available)

#### Custom role creation 
![Screenshot 2025-03-20 at 14 04
30](https://github.com/user-attachments/assets/5368b85e-ac29-4eac-a397-8f978c217369)

Also on alerts page notes and timelines is not available action items.
Trying to access these via URL does not show them either.

#### Current alerts page (with timelines and notes not available)
![Screenshot 2025-03-20 at 14 08
46](https://github.com/user-attachments/assets/735c0968-c8aa-4954-b8aa-4e6be53e147b)

#### Alert details via URL (without notes on the expanded flyout)
![Screenshot 2025-03-20 at 14 18
55](https://github.com/user-attachments/assets/8b47978f-12f7-4022-8a72-22de8f7652fc)


## How to Test

1. While on the Kibana root directory, run ES/Kibana on serverless mode
with:

```bash
yarn es serverless --kill --projectType security --kibanaUrl=http://0.0.0.0:5601
```
and on a new window
```bash
yarn serverless-security --no-base-path
```

Enable the AI for SOC tier, by adding the following to your
`serverless.security.dev.yaml` file:

```json5
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

2. Once Kibana is up and running login in with the `admin` role using
the role dropdown.
3. Navigate to `app/management/roles/edit`
4. Click on `Assign to space` button and assign a space to that role on
the `Assign role to spaces` flyout.
5. Expand the `Security` privileges and verify that only 4
sub-privileges are seen and that Timelines and Notes are not among them.

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

.github/CODEOWNERS

@@ -2248,6 +2248,7 @@ x-pack/test/api_integration/apis/management/index_management/inference_endpoints
 
 # AI4DSOC in Security Solution
 /x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc @elastic/security-engineering-productivity
+/x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/privileges @elastic/security-generative-ai
 /x-pack/test/security_solution_api_integration/test_suites/ai4dsoc @elastic/security-engineering-productivity
 
 # Security Solution cross teams ownership

config/serverless.security.search_ai_lake.yml

@@ -3,3 +3,7 @@
 ## Disable plugins
 xpack.osquery.enabled: false
 
+xpack.features.overrides:
+  ### The following features are Security features hidden in Role management UI for this specific tier.
+  securitySolutionTimeline.hidden: true
+  securitySolutionNotes.hidden: true

src/cli/serve/compile_config_stack.js

@@ -53,6 +53,7 @@ export function compileConfigStack({ configOverrides, devConfig, dev, serverless
     }
   }
 
+  // Security specific configs
   if (serverlessMode === 'security') {
     // Security specific tier configs
     const serverlessSecurityTier = getSecurityTierFromCfg(configs);
@@ -87,6 +88,8 @@ function getServerlessModeFromCfg(configs) {
 function getSecurityTierFromCfg(configs) {
   const config = getConfigFromFiles(configs.filter(isNotNull));
 
+  // A product type is always present and for multiple addons in the config the product type/tier is always the same for all of them,
+  // and is the only element in the array, which is why we can access the first element for product type/tier
   const productType = _.get(config, 'xpack.securitySolutionServerless.productTypes', [])[0];
   return productType?.product_tier;
 }

x-pack/solutions/security/packages/features/src/notes/kibana_features.ts

@@ -36,8 +36,8 @@ export const getNotesBaseKibanaFeature = (
         all: params.savedObjects,
         read: params.savedObjects,
       },
-      ui: ['read', 'crud'],
-      api: ['notes_read', 'notes_write'],
+      ui: [],
+      api: [],
     },
     read: {
       app: [NOTES_FEATURE_ID, 'kibana'],
@@ -46,8 +46,8 @@ export const getNotesBaseKibanaFeature = (
         all: [],
         read: params.savedObjects,
       },
-      ui: ['read'],
-      api: ['notes_read'],
+      ui: [],
+      api: [],
     },
   },
 });

x-pack/solutions/security/packages/features/src/timeline/kibana_features.ts

@@ -36,8 +36,8 @@ export const getTimelineBaseKibanaFeature = (
         all: params.savedObjects,
         read: params.savedObjects,
       },
-      ui: ['read', 'crud'],
-      api: ['timeline_read', 'timeline_write'],
+      ui: [],
+      api: [],
     },
     read: {
       app: [TIMELINE_FEATURE_ID, 'kibana'],
@@ -46,8 +46,8 @@ export const getTimelineBaseKibanaFeature = (
         all: [],
         read: params.savedObjects,
       },
-      ui: ['read'],
-      api: ['timeline_read'],
+      ui: [],
+      api: [],
     },
   },
 });

x-pack/solutions/security/plugins/security_solution_serverless/common/pli/pli_config.ts

@@ -28,10 +28,14 @@ export const PLI_PRODUCT_FEATURES: PliProductFeatures = {
   [ProductLine.security]: {
     search_ai_lake: [],
     essentials: [
+      ProductFeatureKey.timeline,
+      ProductFeatureKey.notes,
       ProductFeatureKey.endpointHostManagement,
       ProductFeatureKey.endpointPolicyManagement,
     ],
     complete: [
+      ProductFeatureKey.timeline,
+      ProductFeatureKey.notes,
       ProductFeatureKey.endpointHostManagement,
       ProductFeatureKey.endpointPolicyManagement,
       ProductFeatureKey.advancedInsights,

x-pack/test/security_solution_cypress/ai4dsoc_serverless_config.ts

@@ -34,6 +34,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
         ])}`,
         '--csp.strict=false',
         '--csp.warnLegacyBrowsers=false',
+        '--xpack.features.overrides.securitySolutionTimeline.hidden=true',
+        '--xpack.features.overrides.securitySolutionNotes.hidden=true',
       ],
     },
     testRunner: SecuritySolutionConfigurableCypressTestRunner,

x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/privileges/security_privileges.cy.ts

@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+  NOTES_SUB_PRIVILEGE,
+  TIMELINE_SUB_PRIVILEGE,
+} from '../../../screens/custom_roles/assign_to_space_flyout';
+import { login } from '../../../tasks/login';
+import { visit } from '../../../tasks/navigation';
+import { selectAllSpaces } from '../../../tasks/select_all_spaces';
+import { CUSTOM_ROLES_URL } from '../../../urls/navigation';
+
+describe('Custom role creation', { tags: '@serverless' }, () => {
+  beforeEach(() => {
+    login('admin');
+    visit(CUSTOM_ROLES_URL);
+  });
+
+  describe('Security privileges', () => {
+    it('should not show `Timelines` and `Notes` sub-privilege', () => {
+      selectAllSpaces();
+      // should not have timeline/notes sub-privileges
+      cy.get(TIMELINE_SUB_PRIVILEGE).should('not.exist');
+      cy.get(NOTES_SUB_PRIVILEGE).should('not.exist');
+    });
+  });
+});

x-pack/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts

@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const SPACE_SELECTOR_COMBO_BOX = '[data-test-subj="spaceSelectorComboBox"]';
+
+// Privileges
+export const SECURITY_PRIVILEGE = '[data-test-subj="featureCategory_securitySolution"]';
+
+// Sub-privileges
+export const TIMELINE_SUB_PRIVILEGE =
+  '[data-test-subj="featureCategory_securitySolution_securitySolutionTimeline"]';
+export const NOTES_SUB_PRIVILEGE =
+  '[data-test-subj="featureCategory_securitySolution_securitySolutionNotes"]';

x-pack/test/security_solution_cypress/cypress/screens/custom_roles/custom_role_page.ts

@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const ASSIGN_TO_SPACE_BUTTON = '[data-test-subj="addSpacePrivilegeButton"]';

x-pack/test/security_solution_cypress/cypress/tasks/select_all_spaces.ts

@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+  SPACE_SELECTOR_COMBO_BOX,
+  SECURITY_PRIVILEGE,
+} from '../screens/custom_roles/assign_to_space_flyout';
+import { ASSIGN_TO_SPACE_BUTTON } from '../screens/custom_roles/custom_role_page';
+
+export const selectAllSpaces = (): void => {
+  cy.get(ASSIGN_TO_SPACE_BUTTON).click();
+
+  // select all spaces
+  cy.get(SPACE_SELECTOR_COMBO_BOX).click();
+  cy.get(SPACE_SELECTOR_COMBO_BOX).type('* All Spaces');
+  cy.get(SPACE_SELECTOR_COMBO_BOX).type('{enter}');
+
+  // expand security privileges
+  cy.get(SECURITY_PRIVILEGE).click();
+};

x-pack/test/security_solution_cypress/cypress/urls/navigation.ts

@@ -84,3 +84,6 @@ export const ENTITY_ANALYTICS_DASHBOARD_URL = '/app/security/entity_analytics';
 
 // Asset Inventory
 export const ASSET_INVENTORY_URL = '/app/security/asset_inventory';
+
+// Custom Role Creation
+export const CUSTOM_ROLES_URL = 'app/management/security/roles/edit';