Unable to set granular permissions for Endpoint Security module

My SOC team is starting to use Elastic Stack for Security purposes, and we are planning to use both SIEM and Endpoint Security capabilities.
We have T1 and T2 analysts, and I wanted to give them different permissions for different parts of the Security module.
I've managed to create a separate role with read-only access to SIEM rules and exceptions and full access to signals, and another role with full access to SIEM rules, exceptions and signals.
But I've encountered an issue with providing access to the Endpoint Security module. I want to provide the ability to review all pages in Endpoint Security and perform actions like endpoint isolation for both roles. I haven't found any way to create custom roles with such capabilities in the docs; it says there that the user must have the superuser role to access those tabs.

Any ideas on how to find a work-around and provide users with full-access capabilities in Endpoint Security module without giving them superuser role? I just want to make sure my analysts will have access to features that are required to do their job without giving them an ability to break something inside Elastic.
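Added example (not from the original post or from Elastic): the two SIEM-side role bodies described above, expressed for the Kibana roles API (`PUT /api/security/role/<name>`). The role names, the `.siem-signals-*` index pattern (7.x layout; 8.x moved alerts to `.alerts-security.alerts-*`) and the exact index privileges are assumptions; read privileges on the analysts' data-source indices are left out.

```python
"""Build least-privilege Kibana role bodies for T1/T2 Security analysts."""
import base64
import json
import urllib.request

# Assumed signals index pattern and the index privileges needed to update signals.
SIGNALS_INDEX = ".siem-signals-*"
SIGNALS_INDEX_PRIVS = ["read", "write", "view_index_metadata", "maintenance"]


def analyst_role(tier: str) -> dict:
    """Return a Kibana role body for a hypothetical tier, 't1' or 't2'.

    Both tiers can read and update signals; only T2 gets the 'all' feature
    privilege on the Security app (rule and exception management).
    """
    feature_level = {"t1": "read", "t2": "all"}[tier]
    return {
        "elasticsearch": {
            "cluster": [],  # no cluster privileges at all, never 'all'
            "indices": [
                {"names": [SIGNALS_INDEX], "privileges": SIGNALS_INDEX_PRIVS},
            ],
        },
        "kibana": [
            {"base": [], "feature": {"siem": [feature_level]}, "spaces": ["*"]},
        ],
    }


def grants_cluster_all(role_body: dict) -> bool:
    """True if the role carries the cluster-wide 'all' privilege (superuser-like)."""
    return "all" in role_body.get("elasticsearch", {}).get("cluster", [])


def push_role(kibana_url: str, name: str, body: dict, user: str, password: str) -> int:
    """PUT the role to Kibana; returns the HTTP status. Refuses superuser-like bodies."""
    if grants_cluster_all(body):
        raise ValueError(f"role {name} would grant cluster 'all'")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{kibana_url}/api/security/role/{name}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={
            "Content-Type": "application/json",
            "kbn-xsrf": "true",  # required by Kibana on write requests
            "Authorization": f"Basic {token}",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Call `push_role("https://kibana.example:5601", "soc_t1", analyst_role("t1"), user, pw)` for each tier once the bodies look right.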

@bil15 thank you for using Elastic Security!

Unfortunately, there is no workaround for this functionality today - superuser is still required to use response actions such as Host Isolation. This is because of some underlying permissions dependencies that we are working to resolve.

The good news is that we are actively working on providing support for this functionality. We would allow you to enable roles to specifically use certain response actions such as Host Isolation without needing to grant superuser. We plan to release this functionality in a near term release.

Great news, @Kevin_Logan !
Thank you for the update and thanks Elastic for a great job you do on improving your solutions

