[Internal]: Documentation for new Security -> Rules privileges

[rylnd]

Description

What: We are splitting RBAC permissions related to Security Solution, to allow finer-grained control of rules, alerts, and exceptions access. These abilities were previously held generally in the SecuritySolution feature privilege, but are now being moved to their own subfeature(s).
When: This is planning to ship in 9.3
Why: More granular privileges will allow users to create more purpose-driven roles and users, with permissions scoped to only the things they need to do.

Resources

These new privileges are introduced in elastic/kibana#239634. A subsequent commit will add the migrations and role changes necessary to allow:

1. New role(s) leveraging these finer-grained permissions
2. Existing users to have an uninterrupted experience, by updating their permissions from e.g. siemv4:all to siemv5:all and rules:all

The RBAC epic, and related resources, can be found here.

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

• Detections Requirements (https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-requirements)
  • While the index privilege requirements are not currently changing, we'll need to update the kibana privileges for the relevant roles/actions.
• Any page referencing Alert/Rule/Exceptions privileges in the context of Security Solution

What release is this request related to?

N/A

Serverless release

Jan 20, 2026 (9.3 GA)

Collaboration model

The documentation team

Point of contact.

Main contact: @rylnd

Stakeholders: @yctercero @approksiu

[yctercero]

Tagging on a few more details. We're envisioning rolling out RBAC changes in a couple stages:

• 1st PR - moving exceptions, rules, alerts privileges logic out of "Security" catch all privilege and into new "Rules" privilege. This PR is being tested and will be merged once we get all sign offs.
• Subsequent PR will go in to add exception subfeature privileges under "Rules"
• Subsequent PR will go in to add rules management subfeature privileges under "Rules"
• Subsequent PR will go in to add alert managemet privileges under "Alerts" that will sit at the same level as "Rules"

There isn't a way to feature flag these changes. So while a user of 9.3 will see the final state. Serverless users will experience these in-between states.

Moving out alerts, rules and exceptions will affect other features that use these:

• See this sheet for details
• Will need to update docs for required privileges for SIEM migrations, Attack Discovery, Cases, Timeline

I'm going to follow up and try to be more explicit about all the details.