@legrego legrego commented Aug 12, 2025

This PR reverts #118058 in favor of a reserved Kibana privilege.

Updates the built-in reporting_user role to leverage a new reporting_user reserved privilege. This more closely aligns with the way this role behaved in previous versions.

This also marks the role as deprecated again, with the recommendation to leverage Kibana's feature privileges for more fine-grained control over reporting features.

@elasticsearchmachine elasticsearchmachine added v9.2.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Aug 12, 2025
@legrego legrego force-pushed the fix-reporting_user-role branch from bcb49a5 to efecf69 Compare August 12, 2025 18:50
@legrego legrego removed the external-contributor Pull request authored by a developer outside the Elasticsearch team label Aug 12, 2025
@legrego legrego force-pushed the fix-reporting_user-role branch from 8d03426 to 52c0b3e Compare August 12, 2025 19:09
@legrego legrego added the auto-backport Automatically create backport pull requests when merged label Aug 12, 2025
@tsullivan

Kibana PR: elastic/kibana#231533

@legrego legrego added v9.0.6 v9.1.3 Team:Security Meta label for security team labels Aug 14, 2025
@legrego legrego marked this pull request as ready for review August 14, 2025 13:12
@legrego legrego requested a review from a team as a code owner August 14, 2025 13:12
@elasticsearchmachine elasticsearchmachine added needs:triage Requires assignment of a team area label and removed Team:Security Meta label for security team labels Aug 14, 2025
@slobodanadamovic slobodanadamovic added :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team and removed needs:triage Requires assignment of a team area label labels Aug 18, 2025
@elasticsearchmachine

Pinging @elastic/es-security (Team:Security)

@slobodanadamovic slobodanadamovic requested review from slobodanadamovic and removed request for a team August 18, 2025 07:02
@slobodanadamovic slobodanadamovic left a comment

LGTM 👍

@elasticsearchmachine

Hi @legrego, I've created a changelog YAML for you. Note that since this PR is labelled >deprecation, you need to update the changelog YAML to fill out the extended information sections.

@legrego legrego enabled auto-merge (squash) August 18, 2025 13:27
@legrego legrego merged commit f627210 into elastic:main Aug 18, 2025
40 checks passed
@elasticsearchmachine

💚 Backport successful

Status Branch Result
9.0
9.1

legrego added a commit to legrego/elasticsearch that referenced this pull request Aug 18, 2025
…astic#132766)

* Change reporting_user role to leverage reserved kibana privileges

* [CI] Auto commit changes from spotless

* Mark reporting_user role as deprecated

* Update docs/changelog/132766.yaml

* Update release notes

---------

Co-authored-by: elasticsearchmachine <[email protected]>
@legrego legrego deleted the fix-reporting_user-role branch August 18, 2025 16:24
elasticsearchmachine pushed a commit that referenced this pull request Aug 18, 2025
…32766) (#133078)

elasticsearchmachine pushed a commit that referenced this pull request Aug 18, 2025
…32766) (#133079)

rjernst pushed a commit to rjernst/elasticsearch that referenced this pull request Aug 18, 2025
…astic#132766)

szybia added a commit to szybia/elasticsearch that referenced this pull request Aug 19, 2025
…improv

* upstream/main: (92 commits)
  ESQL: mark LOOKUP JOIN as ExecutesOn.Any by default (elastic#133064)
  Fix 404s in REST API landing page (elastic#133086)
  Fix release tests for OptimizerVerificationTests (elastic#133100)
  Make Glob non-recursive (elastic#132798)
  Update ES|QL function list for release versions (elastic#133096)
  Split transport version func test into abstract base (elastic#133035)
  Omit project ID from snapshot metrics (elastic#133098)
  Mute org.elasticsearch.xpack.esql.analysis.AnalyzerTests testNoDenseVectorFailsForMagnitude elastic#133013
  Mute org.elasticsearch.xpack.esql.optimizer.OptimizerVerificationTests testRemoteEnrichAfterCoordinatorOnlyPlans elastic#133015
  Mute org.elasticsearch.test.rest.yaml.CcsCommonYamlTestSuiteIT test {p0=search/160_exists_query/Test exists query on _id field} elastic#133097
  Rename initial to unreferenced in transport versions (elastic#133082)
  Rename exception type header (elastic#133045)
  ESQL: Pluggable tests for Operator status (elastic#132876)
  ESQL: Mark new signatures in MIN and MAX (elastic#132980)
  Don't try to serialize half-baked cluster info (elastic#132756)
  migrate ml_rollover_legacy_indices transport version (elastic#133008)
  Enable `exclude_source_vectors` by default for new indices (elastic#131907)
  Expose APIs needed by flush during translog replay (elastic#132960)
  Change reporting_user role to leverage reserved kibana privileges (elastic#132766)
  Update TasksIT for batched execution (elastic#132762)
  ...
szybia added a commit to szybia/elasticsearch that referenced this pull request Aug 19, 2025
* upstream/main: (58 commits)
darnautov pushed a commit to elastic/kibana that referenced this pull request Aug 20, 2025
## Summary

We want to switch the reserved `reporting_user` role to use a "reserved
privilege definition" and use just that privilege. This PR satisfies
the Kibana requirements. There is a corresponding Elasticsearch PR:
elastic/elasticsearch#132766

## Testing
**NOTE: PNG/PDF reporting requires a Trial, or Gold+ license**

1. Create `test_reporting_user` role

    ```
    POST /_security/role/test_reporting_user
    {
        "cluster": [],
        "indices": [],
        "applications": [{
            "application": "kibana-*",
            "privileges": ["reserved_reporting_user"],
            "resources": ["*"]
        }]
    }
    ```

2. Create `test_analyst_user` role

    ```
    POST /_security/role/test_analyst_user
    {
        "cluster": [],
        "indices": [
            {
            "names": ["kibana_sample_*"],
            "privileges": ["all"],
            "field_security": {
                "grant": ["*"],
                "except": []
            },
            "allow_restricted_indices": false
            }
        ],
        "applications": [
            {
            "application": "kibana-.kibana",
            "privileges": [
                "feature_discover_v2.read",
                "feature_dashboard_v2.read",
                "feature_canvas.read",
                "feature_visualize_v2.read"
            ],
            "resources": ["space:default"]
            }
        ],
        "run_as": [],
        "metadata": {},
        "transient_metadata": {
            "enabled": true
        }
    }
    ```

3. Create a test user with just those two roles. Install sample data.
Log in using the new test user.
4. Test cases

    | App | Reporting feature
    |-|-
    | Dashboard | PDF, PNG, CSV (from saved search panel action)
    | Discover | CSV
    | Canvas | PDF
    | Lens | PDF, PNG
    | Stack Management | List reports, download reports, view report info, delete reports

6. As admin, create an additional Space which the test user should not
have access to. Ensure the test user does not have access to those
spaces.
7. Remove the `test_reporting_user` role from the user and ensure they
do not see any Reporting controls in the UI, and can not access Stack
Management > Reporting.

## Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- ~~[ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~
- ~~[ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials~~
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- ~~[ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~
- ~~[ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.~~
- ~~[ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed~~
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.

---------

Co-authored-by: Larry Gregory <[email protected]>
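
An added example, not part of either PR or of the Elasticsearch or Kibana code: an offline audit for the deprecation described above. It reads role and user definitions in the shape returned by `GET /_security/role` and `GET /_security/user` and lists enabled users who hold the built-in `reporting_user` role or a custom role granting `reserved_reporting_user`. The sample data, the user names and the helper names are constructed for illustration.

```python
import fnmatch
import json

DEPRECATED_ROLE = "reporting_user"              # built-in role deprecated by this PR
RESERVED_PRIVILEGE = "reserved_reporting_user"  # privilege used in the Kibana PR's test role
KIBANA_APP = "kibana-.kibana"                   # application name used in the Kibana PR's test role

# Constructed sample in the shape of GET /_security/role (abbreviated from the test roles above).
ROLES_JSON = """
{
  "test_reporting_user": {
    "cluster": [], "indices": [],
    "applications": [
      {"application": "kibana-*", "privileges": ["reserved_reporting_user"], "resources": ["*"]}
    ]
  },
  "test_analyst_user": {
    "cluster": [],
    "indices": [{"names": ["kibana_sample_*"], "privileges": ["all"]}],
    "applications": [
      {"application": "kibana-.kibana",
       "privileges": ["feature_discover_v2.read", "feature_dashboard_v2.read"],
       "resources": ["space:default"]}
    ]
  }
}
"""

# Constructed sample in the shape of GET /_security/user; all user names are hypothetical.
USERS_JSON = """
{
  "alice": {"username": "alice", "roles": ["test_reporting_user", "test_analyst_user"], "enabled": true},
  "bob":   {"username": "bob",   "roles": ["reporting_user", "test_analyst_user"], "enabled": true},
  "carol": {"username": "carol", "roles": ["test_analyst_user"], "enabled": true},
  "dave":  {"username": "dave",  "roles": ["reporting_user"], "enabled": false}
}
"""


def roles_granting_reporting(roles):
    """Return {role_name: sorted resources} for roles granting the reserved privilege to Kibana."""
    found = {}
    for name, body in roles.items():
        for entry in body.get("applications", []):
            # Application names in a role may be wildcard patterns such as "kibana-*".
            # fnmatch is used here as an approximation of that matching.
            if not fnmatch.fnmatchcase(KIBANA_APP, entry.get("application", "")):
                continue
            if RESERVED_PRIVILEGE in entry.get("privileges", []):
                found.setdefault(name, set()).update(entry.get("resources", []))
    return {name: sorted(resources) for name, resources in found.items()}


def audit(roles, users):
    """List (username, role, reason) for enabled users who can use reporting via these routes."""
    granting = roles_granting_reporting(roles)
    findings = []
    for username, user in sorted(users.items()):
        if not user.get("enabled", True):
            continue  # disabled accounts cannot authenticate, so they are not reported
        for role in user.get("roles", []):
            if role == DEPRECATED_ROLE:
                findings.append((username, role, "deprecated built-in role"))
            elif role in granting:
                scope = "all resources" if "*" in granting[role] else ", ".join(granting[role])
                findings.append(
                    (username, role, f"custom role grants {RESERVED_PRIVILEGE} on {scope}")
                )
    return findings


def run_sample():
    """Run the audit over the constructed sample data."""
    return audit(json.loads(ROLES_JSON), json.loads(USERS_JSON))


if __name__ == "__main__":
    for username, role, reason in run_sample():
        print(f"{username}: {role} ({reason})")
```

Users reported here are candidates for moving to Kibana feature privileges, which is the recommendation the deprecation carries.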
darnautov pushed a commit to darnautov/kibana that referenced this pull request Aug 20, 2025
…231533)

(cherry picked from commit f9be58b)

# Conflicts:
#	x-pack/platform/test/reporting_api_integration/reporting_and_security/default_reporting_user_role.ts
darnautov pushed a commit to darnautov/kibana that referenced this pull request Aug 20, 2025
…231533)

(cherry picked from commit f9be58b)

# Conflicts:
#	src/platform/packages/private/kbn-reporting/public/share/share_context_menu/register_csv_modal_reporting.tsx
#	src/platform/packages/private/kbn-reporting/public/share/share_context_menu/register_pdf_png_modal_reporting.tsx
#	src/platform/test/functional/page_objects/export_page.ts
#	x-pack/platform/plugins/private/reporting/server/plugin.test.ts
#	x-pack/test/api_integration/apis/features/features/features.ts
#	x-pack/test/reporting_api_integration/reporting_and_security/default_reporting_user_role.ts
#	x-pack/test/reporting_api_integration/services/scenarios.ts
#	x-pack/test/reporting_functional/services/scenarios.ts
darnautov added a commit to elastic/kibana that referenced this pull request Aug 20, 2025
…31533) (#232384)

# Backport

This will backport the following commits from `main` to `9.1`:
- [Add `reporting_user` feature for reserved set of privileges
(#231533)](#231533)

<!--- Backport version: 10.0.1 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

Larry Gregory
<[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e"}},{"branch":"9.1","label":"v9.1.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.0","label":"v9.0.6","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Tim Sullivan <[email protected]>
darnautov added a commit to elastic/kibana that referenced this pull request Aug 20, 2025
…31533) (#232396)

# Backport

This will backport the following commits from `main` to `9.0`:
- [Add `reporting_user` feature for reserved set of privileges
(#231533)](#231533)

<!--- Backport version: 10.0.1 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)


---------

Co-authored-by: Tim Sullivan <[email protected]>
Co-authored-by: Brandon Kobel <[email protected]>
legrego added a commit to elastic/docs-content that referenced this pull request Aug 26, 2025
This marks the `reporting_user` role as deprecated, in favor of custom
roles which leverage Kibana feature privileges.

Relates: elastic/elasticsearch#132766

---------

Co-authored-by: shainaraskas <[email protected]>
qn895 pushed a commit to qn895/kibana that referenced this pull request Aug 26, 2025
…231533)

## Summary

We want to switch the reserved `reporting_user` role to use a "reserved
privilege definition" and use just that privilege. This PR satisfies
the Kibana requirements. There is a corresponding Elasticsearch PR:
elastic/elasticsearch#132766

## Testing
**NOTE: PNG/PDF reporting requires a Trial, or Gold+ license**

1. Create `test_reporting_user` role

    ```
    POST /_security/role/test_reporting_user
    {
        "cluster": [],
        "indices": [],
        "application": [{
            "application": "kibana-*",
            "privileges": ["reserved_reporting_user"],
            "resources": ["*"]
        }]
    }
    ```

2. Create `test_analyst_user` role

    ```
    POST /_security/role/test_analyst_user
    {
        "cluster": [],
        "indices": [
            {
            "names": ["kibana_sample_*"],
            "privileges": ["all"],
            "field_security": {
                "grant": ["*"],
                "except": []
            },
            "allow_restricted_indices": false
            }
        ],
        "applications": [
            {
            "application": "kibana-.kibana",
            "privileges": [
                "feature_discover_v2.read",
                "feature_dashboard_v2.read",
                "feature_canvas.read",
                "feature_visualize_v2.read"
            ],
            "resources": ["space:default"]
            }
        ],
        "run_as": [],
        "metadata": {},
        "transient_metadata": {
            "enabled": true
        }
    }
    ```

3. Create a test user with just those two roles. Install sample data.
Log in using the new test user.
4. Test cases

    | App | Reporting feature
    |-|-
    | Dashboard | PDF, PNG, CSV (from saved search panel action)
    | Discover | CSV
    | Canvas | PDF
    | Lens | PDF, PNG
    | Stack Management | List reports, download reports, view report info, delete reports

6. As admin, create an additional Space which the test user should not
have access to. Ensure the test user does not have access to those
spaces.
7. Remove the `test_reporting_user` role from the user and ensure they
do not see any Reporting controls in the UI, and cannot access Stack
Management > Reporting.

## Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

- ~~[ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~
- ~~[ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials~~
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- ~~[ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~
- ~~[ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.~~
- ~~[ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed~~
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.

---------

Co-authored-by: Larry Gregory <[email protected]>
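
An added example, not part of the commit message or of either project's code: a simplified, name-level model of how the two role descriptors from testing steps 1 and 2 combine, to show what steps 6 and 7 check at the authorization layer. It matches application and resource patterns with `*` only and does not resolve privilege names to actions the way Elasticsearch does; the space name `space:restricted` and all function names are constructed for the illustration.

```python
import re

# Application sections of the role descriptors from testing steps 1 and 2.
ROLES = {
    "test_reporting_user": {
        "application": [{
            "application": "kibana-*",
            "privileges": ["reserved_reporting_user"],
            "resources": ["*"],
        }],
    },
    "test_analyst_user": {
        "applications": [{
            "application": "kibana-.kibana",
            "privileges": [
                "feature_discover_v2.read",
                "feature_dashboard_v2.read",
                "feature_canvas.read",
                "feature_visualize_v2.read",
            ],
            "resources": ["space:default"],
        }],
    },
}


def wildcard_match(pattern, value):
    """Match value against a pattern in which `*` stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def app_entries(role):
    # Step 1 on the page spells the key `application`, step 2 `applications`;
    # this model (an assumption of the example) reads either spelling.
    return role.get("applications", []) + role.get("application", [])


def granted_privileges(role_names, application, resource, roles=ROLES):
    """Union of privilege names the given roles grant on (application, resource)."""
    granted = set()
    for name in role_names:
        for entry in app_entries(roles[name]):
            if not wildcard_match(entry["application"], application):
                continue
            if any(wildcard_match(r, resource) for r in entry["resources"]):
                granted.update(entry["privileges"])
    return granted


def access_matrix(role_names, application, resources):
    """Per-resource view of what a user holding role_names is granted."""
    return {res: sorted(granted_privileges(role_names, application, res))
            for res in resources}


if __name__ == "__main__":
    both = ["test_reporting_user", "test_analyst_user"]
    spaces = ["space:default", "space:restricted"]  # second name is constructed
    for label, held in (("both roles", both), ("analyst role only", both[1:])):
        print(label)
        for res, privs in access_matrix(held, "kibana-.kibana", spaces).items():
            print(f"  {res}: {privs or 'nothing'}")
```

In this model the reserved privilege is granted on every resource because step 1 uses `"resources": ["*"]`, while the feature privileges stay confined to `space:default`; removing `test_reporting_user` leaves no reporting grant anywhere.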
Labels
auto-backport Automatically create backport pull requests when merged >deprecation :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v9.0.6 v9.1.3 v9.2.0