[9.0] Add reporting_user feature for reserved set of privileges (#231533) (#232396)

# Backport

This will backport the following commits from `main` to `9.0`:
- [Add `reporting_user` feature for reserved set of privileges
(#231533)](#231533)

<!--- Backport version: 10.0.1 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Tim
Sullivan","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-08-20T11:57:52Z","message":"Add
`reporting_user` feature for reserved set of privileges (#231533)\n\n##
Summary\n\nWe want to switch the reserved `reporting_user` role to use a
\"reserved\nprivilege definition\" and uses just that privilege. This PR
satisfies\nthe Kibana requirements. There is a corresponding
Elasticsearch
PR:\nhttps://github.com/elastic/elasticsearch/pull/132766\n\n##
Testing\n**NOTE: PNG/PDF reporting requires a Trial, or Gold+
license**\n\n1. Create `test_reporting_user` role\n\n ```\n POST
/_security/role/test_reporting_user\n {\n \"cluster\": [],\n
\"indices\": [],\n \"application\": [{\n \"application\":
\"kibana-*\",\n \"privileges\": [\"reserved_reporting_user\"],\n
\"resources\": [\"*\"]\n }]\n }\n ```\n\n2. Create `test_analyst_user`
role\n\n ```\n POST /_security/role/test_analyst_user\n {\n \"cluster\":
[],\n \"indices\": [\n {\n \"names\": [\"kibana_sample_*\"],\n
\"privileges\": [\"all\"],\n \"field_security\": {\n \"grant\":
[\"*\"],\n \"except\": []\n },\n \"allow_restricted_indices\": false\n
}\n ],\n \"applications\": [\n {\n \"application\":
\"kibana-.kibana\",\n \"privileges\": [\n
\"feature_discover_v2.read\",\n \"feature_dashboard_v2.read\",\n
\"feature_canvas.read\",\n \"feature_visualize_v2.read\"\n ],\n
\"resources\": [\"space:default\"]\n }\n ],\n \"run_as\": [],\n
\"metadata\": {},\n \"transient_metadata\": {\n \"enabled\": true\n }\n
}\n ```\n\n3. Create a test user with just those two roles. Install
sample data.\nLog in using the new test user.\n4. Test cases\n\n | App |
Reporting feature\n |-|-\n | Dashboard | PDF, PNG, CSV (from saved
search panel action)\n | Discover | CSV\n | Canvas | PDF\n | Lens | PDF,
PNG\n| Stack Management | List reports, download reports, view report
info,\ndelete reports\n\n6. As admin, create an additional Space which
the test user should not\nhave access to. Ensure the test user does not
have access to those\nspaces.\n7. Remove the `test_reporting_user` role
from the user and ensure they\ndo not see any Reporting controls in the
UI, and can not access Stack\nManagement > Reporting.\n\n##
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- ~~[ ] Any text
added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~\n-
~~[
]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas
added for features that require explanation or tutorials~~\n- [x] [Unit
or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- ~~[ ] If a plugin
configuration key changed, check if it needs to be\nallowlisted in the
cloud and added to the
[docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~\n-
~~[ ] This was checked for breaking HTTP API changes, and any
breaking\nchanges have been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.~~\n- ~~[ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed~~\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[x] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by:
Larry Gregory
<[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","backport:version","v9.2.0","v9.1.3","v9.0.6"],"title":"Add
`reporting_user` feature for reserved set of
privileges","number":231533,"url":"https://github.com/elastic/kibana/pull/231533","mergeCommit":{"message":"Add
`reporting_user` feature for reserved set of privileges (#231533)\n\n##
Summary\n\nWe want to switch the reserved `reporting_user` role to use a
\"reserved\nprivilege definition\" and uses just that privilege. This PR
satisfies\nthe Kibana requirements. There is a corresponding
Elasticsearch
PR:\nhttps://github.com/elastic/elasticsearch/pull/132766\n\n##
Testing\n**NOTE: PNG/PDF reporting requires a Trial, or Gold+
license**\n\n1. Create `test_reporting_user` role\n\n ```\n POST
/_security/role/test_reporting_user\n {\n \"cluster\": [],\n
\"indices\": [],\n \"application\": [{\n \"application\":
\"kibana-*\",\n \"privileges\": [\"reserved_reporting_user\"],\n
\"resources\": [\"*\"]\n }]\n }\n ```\n\n2. Create `test_analyst_user`
role\n\n ```\n POST /_security/role/test_analyst_user\n {\n \"cluster\":
[],\n \"indices\": [\n {\n \"names\": [\"kibana_sample_*\"],\n
\"privileges\": [\"all\"],\n \"field_security\": {\n \"grant\":
[\"*\"],\n \"except\": []\n },\n \"allow_restricted_indices\": false\n
}\n ],\n \"applications\": [\n {\n \"application\":
\"kibana-.kibana\",\n \"privileges\": [\n
\"feature_discover_v2.read\",\n \"feature_dashboard_v2.read\",\n
\"feature_canvas.read\",\n \"feature_visualize_v2.read\"\n ],\n
\"resources\": [\"space:default\"]\n }\n ],\n \"run_as\": [],\n
\"metadata\": {},\n \"transient_metadata\": {\n \"enabled\": true\n }\n
}\n ```\n\n3. Create a test user with just those two roles. Install
sample data.\nLog in using the new test user.\n4. Test cases\n\n | App |
Reporting feature\n |-|-\n | Dashboard | PDF, PNG, CSV (from saved
search panel action)\n | Discover | CSV\n | Canvas | PDF\n | Lens | PDF,
PNG\n| Stack Management | List reports, download reports, view report
info,\ndelete reports\n\n6. As admin, create an additional Space which
the test user should not\nhave access to. Ensure the test user does not
have access to those\nspaces.\n7. Remove the `test_reporting_user` role
from the user and ensure they\ndo not see any Reporting controls in the
UI, and can not access Stack\nManagement > Reporting.\n\n##
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- ~~[ ] Any text
added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~\n-
~~[
]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas
added for features that require explanation or tutorials~~\n- [x] [Unit
or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- ~~[ ] If a plugin
configuration key changed, check if it needs to be\nallowlisted in the
cloud and added to the
[docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~\n-
~~[ ] This was checked for breaking HTTP API changes, and any
breaking\nchanges have been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.~~\n- ~~[ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed~~\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[x] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by:
Larry Gregory
<[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e"}},"sourceBranch":"main","suggestedTargetBranches":["9.1","9.0"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/231533","number":231533,"mergeCommit":{"message":"Add
`reporting_user` feature for reserved set of privileges (#231533)\n\n##
Summary\n\nWe want to switch the reserved `reporting_user` role to use a
\"reserved\nprivilege definition\" and uses just that privilege. This PR
satisfies\nthe Kibana requirements. There is a corresponding
Elasticsearch
PR:\nhttps://github.com/elastic/elasticsearch/pull/132766\n\n##
Testing\n**NOTE: PNG/PDF reporting requires a Trial, or Gold+
license**\n\n1. Create `test_reporting_user` role\n\n ```\n POST
/_security/role/test_reporting_user\n {\n \"cluster\": [],\n
\"indices\": [],\n \"application\": [{\n \"application\":
\"kibana-*\",\n \"privileges\": [\"reserved_reporting_user\"],\n
\"resources\": [\"*\"]\n }]\n }\n ```\n\n2. Create `test_analyst_user`
role\n\n ```\n POST /_security/role/test_analyst_user\n {\n \"cluster\":
[],\n \"indices\": [\n {\n \"names\": [\"kibana_sample_*\"],\n
\"privileges\": [\"all\"],\n \"field_security\": {\n \"grant\":
[\"*\"],\n \"except\": []\n },\n \"allow_restricted_indices\": false\n
}\n ],\n \"applications\": [\n {\n \"application\":
\"kibana-.kibana\",\n \"privileges\": [\n
\"feature_discover_v2.read\",\n \"feature_dashboard_v2.read\",\n
\"feature_canvas.read\",\n \"feature_visualize_v2.read\"\n ],\n
\"resources\": [\"space:default\"]\n }\n ],\n \"run_as\": [],\n
\"metadata\": {},\n \"transient_metadata\": {\n \"enabled\": true\n }\n
}\n ```\n\n3. Create a test user with just those two roles. Install
sample data.\nLog in using the new test user.\n4. Test cases\n\n | App |
Reporting feature\n |-|-\n | Dashboard | PDF, PNG, CSV (from saved
search panel action)\n | Discover | CSV\n | Canvas | PDF\n | Lens | PDF,
PNG\n| Stack Management | List reports, download reports, view report
info,\ndelete reports\n\n6. As admin, create an additional Space which
the test user should not\nhave access to. Ensure the test user does not
have access to those\nspaces.\n7. Remove the `test_reporting_user` role
from the user and ensure they\ndo not see any Reporting controls in the
UI, and can not access Stack\nManagement > Reporting.\n\n##
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- ~~[ ] Any text
added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~\n-
~~[
]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas
added for features that require explanation or tutorials~~\n- [x] [Unit
or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- ~~[ ] If a plugin
configuration key changed, check if it needs to be\nallowlisted in the
cloud and added to the
[docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~\n-
~~[ ] This was checked for breaking HTTP API changes, and any
breaking\nchanges have been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.~~\n- ~~[ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed~~\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[x] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by:
Larry Gregory
<[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e"}},{"branch":"9.1","label":"v9.1.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.0","label":"v9.0.6","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

---------

Co-authored-by: Tim Sullivan <[email protected]>
Co-authored-by: Brandon Kobel <[email protected]>

Author: 3 people

src/platform/packages/private/kbn-reporting/get_csv_panel_actions/panel_actions/get_csv_panel_action.tsx

@@ -160,8 +160,11 @@ export class ReportingCsvPanelAction implements ActionDefinition<EmbeddableApiCo
     const license = await firstValueFrom(licensing.license$);
     const licenseHasCsvReporting = checkLicense(license.check('reporting', 'basic')).showLinks;
 
+    const capabilities = application.capabilities;
     // NOTE: For historical reasons capability identifier is called `downloadCsv. It can not be renamed.
-    const capabilityHasCsvReporting = application.capabilities.dashboard_v2?.downloadCsv === true;
+    const capabilityHasCsvReporting =
+      capabilities.dashboard_v2?.downloadCsv === true ||
+      capabilities.reportingLegacy?.generateReport === true;
     if (!licenseHasCsvReporting || !capabilityHasCsvReporting) {
       return false;
     }

src/platform/packages/private/kbn-reporting/public/share/share_context_menu/register_csv_modal_reporting.tsx

@@ -65,7 +65,9 @@ export const reportingCsvShareProvider = ({
     const licenseHasCsvReporting = licenseCheck.showLinks;
     const licenseDisabled = !licenseCheck.enableLinks;
 
-    const capabilityHasCsvReporting = application.capabilities.discover_v2?.generateCsv === true;
+    const capabilityHasCsvReporting =
+      application.capabilities.discover_v2?.generateCsv === true ||
+      application.capabilities.reportingLegacy?.generateReport === true;
 
     const generateReportingJobCSV = ({ intl }: { intl: InjectedIntl }) => {
       const { reportType, decoratedJobParams } = getSearchCsvJobParams({

src/platform/packages/private/kbn-reporting/public/share/share_context_menu/register_pdf_png_modal_reporting.tsx

@@ -10,6 +10,7 @@
 import { i18n } from '@kbn/i18n';
 import { FormattedMessage } from '@kbn/i18n-react';
 import { toMountPoint } from '@kbn/react-kibana-mount';
+import type { Capabilities } from '@kbn/core/public';
 import { ShareContext, ShareMenuItemV2, ShareMenuProvider } from '@kbn/share-plugin/public';
 import React from 'react';
 import { firstValueFrom } from 'rxjs';
@@ -39,6 +40,13 @@ const getJobParams = (opts: JobParamsProviderOptions, type: 'pngV2' | 'printable
   return { ...baseParams, locatorParams };
 };
 
+const hasCapabilityByKey = (capabilities: Capabilities, capabilityKey: keyof Capabilities) => {
+  return (
+    capabilities[capabilityKey]?.generateScreenshot === true ||
+    capabilities.reportingLegacy?.generateReport === true
+  );
+};
+
 /**
  * This is used by Dashboard and Visualize apps (sharing modal)
  */
@@ -63,10 +71,14 @@ export const reportingExportModalProvider = ({
     const licenseHasScreenshotReporting = showLinks;
     const licenseDisabled = !enableLinks;
 
-    const capabilityHasDashboardScreenshotReporting =
-      application.capabilities.dashboard_v2?.generateScreenshot === true;
-    const capabilityHasVisualizeScreenshotReporting =
-      application.capabilities.visualize_v2?.generateScreenshot === true;
+    const capabilityHasDashboardReporting = hasCapabilityByKey(
+      application.capabilities,
+      'dashboard_v2'
+    );
+    const capabilityHasVisualizeReporting = hasCapabilityByKey(
+      application.capabilities,
+      'visualize_v2'
+    );
 
     if (!licenseHasScreenshotReporting) {
       return [];
@@ -78,15 +90,11 @@ export const reportingExportModalProvider = ({
       return [];
     }
 
-    if (objectType === 'dashboard' && !capabilityHasDashboardScreenshotReporting) {
+    if (objectType === 'dashboard' && !capabilityHasDashboardReporting) {
       return [];
     }
 
-    if (
-      isSupportedType &&
-      !capabilityHasVisualizeScreenshotReporting &&
-      !capabilityHasDashboardScreenshotReporting
-    ) {
+    if (isSupportedType && !capabilityHasVisualizeReporting && !capabilityHasDashboardReporting) {
       return [];
     }
 

x-pack/platform/packages/private/security/authorization_core/src/privileges/privileges.ts

@@ -245,6 +245,8 @@ export function privilegesFactory(
           read: [actions.login, ...readActions],
         },
         reserved: features.reduce((acc: Record<string, string[]>, feature: KibanaFeature) => {
+          // Reserved privileges are intentionally not excluded from registration based on their `hidden` attribute.
+          // This is explicitly to support the legacy reporting use case.
           if (feature.reserved) {
             feature.reserved.privileges.forEach((reservedPrivilege) => {
               acc[reservedPrivilege.id] = [

x-pack/platform/plugins/private/canvas/public/services/kibana_services.ts

@@ -45,13 +45,17 @@ export const setKibanaServices = (
   kibanaVersion = initContext.env.packageInfo.version;
 
   coreServices = kibanaCore;
+  const capabilities = kibanaCore.application.capabilities;
   contentManagementService = deps.contentManagement;
   dataService = deps.data;
   dataViewsService = deps.dataViews;
   embeddableService = deps.embeddable;
   expressionsService = deps.expressions;
   presentationUtilService = deps.presentationUtil;
-  reportingService = Boolean(kibanaCore.application.capabilities.canvas?.generatePdf)
+  reportingService = Boolean(
+    capabilities.canvas?.generatePdf === true ||
+      capabilities.reportingLegacy?.generateReport === true
+  )
     ? deps.reporting
     : undefined;
   spacesService = deps.spaces;

x-pack/platform/plugins/private/reporting/server/features.ts

@@ -16,9 +16,10 @@ interface FeatureRegistrationOpts {
 }
 
 export function registerFeatures({ isServerless, features }: FeatureRegistrationOpts) {
-  // Register a 'shell' feature specifically for Serverless. If granted, it will automatically provide access to
-  // reporting capabilities in other features, such as Discover, Dashboards, and Visualizations. On its own, this
-  // feature doesn't grant any additional privileges.
+  // Register a 'shell' features for Reporting. On their own, they don't grant specific privileges.
+
+  // Shell feature for Serverless. If granted, it will automatically provide access to
+  // reporting capabilities in other features, such as Discover, Dashboards, and Visualizations.
   if (isServerless) {
     features.registerKibanaFeature({
       id: 'reporting',
@@ -34,6 +35,44 @@ export function registerFeatures({ isServerless, features }: FeatureRegistration
         read: { disabled: true, savedObject: { all: [], read: [] }, ui: [] },
       },
     });
+  } else {
+    // Shell feature for self-managed environments, to be leveraged by a reserved privilege defined
+    // in ES. This grants access to reporting features in a legacy fashion.
+    features.registerKibanaFeature({
+      id: 'reportingLegacy',
+      name: i18n.translate('xpack.reporting.features.reportingLegacyFeatureName', {
+        defaultMessage: 'Reporting Legacy',
+      }),
+      category: DEFAULT_APP_CATEGORIES.management,
+      management: { insightsAndAlerting: ['reporting'] },
+      scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
+      hidden: true,
+      app: [],
+      privileges: null,
+      reserved: {
+        description: i18n.translate(
+          'xpack.reporting.features.reportingLegacyFeatureReservedDescription',
+          {
+            defaultMessage:
+              'Reserved for use by the Reporting plugin. This feature is used to grant access to Reporting capabilities in a legacy manner.',
+          }
+        ),
+        privileges: [
+          {
+            id: 'reporting_user',
+            privilege: {
+              excludeFromBasePrivileges: true,
+              app: [],
+              catalogue: [],
+              management: { insightsAndAlerting: ['reporting'] },
+              savedObject: { all: [], read: [] },
+              api: ['generateReport'],
+              ui: ['generateReport'],
+            },
+          },
+        ],
+      },
+    });
   }
 
   features.enableReportingUiCapabilities();

x-pack/platform/plugins/private/reporting/server/plugin.test.ts

@@ -5,13 +5,8 @@
  * 2.0.
  */
 
-import {
-  CoreSetup,
-  CoreStart,
-  DEFAULT_APP_CATEGORIES,
-  Logger,
-  type PackageInfo,
-} from '@kbn/core/server';
+import type { CoreSetup, CoreStart, Logger } from '@kbn/core/server';
+import { DEFAULT_APP_CATEGORIES, type PackageInfo } from '@kbn/core/server';
 import { coreMock, loggingSystemMock } from '@kbn/core/server/mocks';
 import { featuresPluginMock } from '@kbn/features-plugin/server/mocks';
 import { createMockConfigSchema } from '@kbn/reporting-mocks-server';
@@ -25,7 +20,7 @@ import { ReportingPlugin } from './plugin';
 import { createMockPluginSetup, createMockPluginStart } from './test_helpers';
 import type { ReportingSetupDeps } from './types';
 import { ExportTypesRegistry } from '@kbn/reporting-server/export_types_registry';
-import { FeaturesPluginSetup } from '@kbn/features-plugin/server';
+import type { FeaturesPluginSetup } from '@kbn/features-plugin/server';
 
 const sleep = (time: number) => new Promise((r) => setTimeout(r, time));
 
@@ -170,7 +165,7 @@ describe('Reporting Plugin', () => {
   describe('features registration', () => {
     it('does not register Kibana reporting feature in traditional build flavour', async () => {
       plugin.setup(coreSetup, pluginSetup);
-      expect(featuresSetup.registerKibanaFeature).not.toHaveBeenCalled();
+      expect(featuresSetup.registerKibanaFeature).toHaveBeenCalledTimes(1);
       expect(featuresSetup.enableReportingUiCapabilities).toHaveBeenCalledTimes(1);
     });
 

x-pack/platform/plugins/shared/features/common/kibana_feature.ts

@@ -159,6 +159,8 @@ export interface KibanaFeatureConfig {
    * Indicates whether the feature is available as a standalone feature. The feature can still be
    * referenced by other features, but it will not be displayed in any feature management UIs. By default, all features
    * are visible.
+   *
+   * @note This flag is designed for use via configuration overrides, and very select use cases. Please consult prior to use.
    */
   hidden?: boolean;
 

x-pack/platform/plugins/shared/features/server/feature_registry.test.ts

@@ -2030,6 +2030,114 @@ describe('FeatureRegistry', () => {
       );
     });
 
+    it('allows reserved features to be hidden', () => {
+      const feature: KibanaFeatureConfig = {
+        id: 'test-feature',
+        name: 'Test Feature',
+        app: [],
+        category: { id: 'foo', label: 'foo' },
+        privileges: null,
+        hidden: true,
+        reserved: {
+          description: 'my reserved privileges',
+          privileges: [
+            {
+              id: 'a_reserved_1',
+              privilege: {
+                savedObject: {
+                  all: [],
+                  read: [],
+                },
+                ui: [],
+                app: [],
+              },
+            },
+          ],
+        },
+      };
+
+      const featureRegistry = new FeatureRegistry();
+      expect(() => featureRegistry.registerKibanaFeature(feature)).not.toThrowError();
+    });
+
+    it('does not allow features with both regular and reserved privileges to be hidden', () => {
+      const feature: KibanaFeatureConfig = {
+        id: 'test-feature',
+        name: 'Test Feature',
+        app: [],
+        category: { id: 'foo', label: 'foo' },
+        privileges: {
+          all: {
+            savedObject: {
+              all: [],
+              read: [],
+            },
+            ui: [],
+          },
+          read: {
+            savedObject: {
+              all: [],
+              read: [],
+            },
+            ui: [],
+          },
+        },
+        hidden: true,
+        reserved: {
+          description: 'my reserved privileges',
+          privileges: [
+            {
+              id: 'a_reserved_1',
+              privilege: {
+                savedObject: {
+                  all: [],
+                  read: [],
+                },
+                ui: [],
+                app: [],
+              },
+            },
+          ],
+        },
+      };
+
+      const featureRegistry = new FeatureRegistry();
+      expect(() =>
+        featureRegistry.registerKibanaFeature(feature)
+      ).toThrowErrorMatchingInlineSnapshot(`"Feature test-feature cannot be hidden."`);
+    });
+
+    it('does not allow features with regular privileges to be hidden', () => {
+      const feature: KibanaFeatureConfig = {
+        id: 'test-feature',
+        name: 'Test Feature',
+        app: [],
+        category: { id: 'foo', label: 'foo' },
+        privileges: {
+          all: {
+            savedObject: {
+              all: [],
+              read: [],
+            },
+            ui: [],
+          },
+          read: {
+            savedObject: {
+              all: [],
+              read: [],
+            },
+            ui: [],
+          },
+        },
+        hidden: true,
+      };
+
+      const featureRegistry = new FeatureRegistry();
+      expect(() =>
+        featureRegistry.registerKibanaFeature(feature)
+      ).toThrowErrorMatchingInlineSnapshot(`"Feature test-feature cannot be hidden."`);
+    });
+
     it('allows independent sub-feature privileges to register a minimumLicense', () => {
       const feature1: KibanaFeatureConfig = {
         id: 'test-feature',

x-pack/platform/plugins/shared/features/server/feature_schema.ts

@@ -217,7 +217,7 @@ const kibanaSubFeatureSchema = schema.object({
   ),
 });
 
-// NOTE: This schema intentionally omits the `composedOf` and `hidden` properties to discourage consumers from using
+// NOTE: This schema intentionally omits the `composedOf` property to discourage consumers from using
 // them during feature registration. This is because these properties should only be set via configuration overrides.
 const kibanaFeatureSchema = schema.object({
   id: schema.string({
@@ -233,6 +233,9 @@ const kibanaFeatureSchema = schema.object({
   name: schema.string(),
   category: appCategorySchema,
   scope: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })),
+  // The hidden flag is only supported for explicit configuration for features with reserved privileges.
+  // All other usages are via configuration overrides.
+  hidden: schema.maybe(schema.boolean()),
   description: schema.maybe(schema.string()),
   order: schema.maybe(schema.number()),
   excludeFromBasePrivileges: schema.maybe(schema.boolean()),
@@ -322,6 +325,14 @@ const elasticsearchFeatureSchema = schema.object({
 export function validateKibanaFeature(feature: KibanaFeatureConfig) {
   kibanaFeatureSchema.validate(feature);
 
+  // The `hidden` attribute is ONLY permitted for features with reserved privileges, AND without normal privileges.
+  // The original intent of the hidden flag was to support serverless configuration overrides. There is now (>=9.0) an additional,
+  // maybe temporary use case for the legacy reporting authorization mode, which registers as a reserved privilege.
+  const { hidden, privileges, reserved } = feature;
+  if (hidden && (privileges !== null || typeof reserved === 'undefined')) {
+    throw new Error(`Feature ${feature.id} cannot be hidden.`);
+  }
+
   const unknownScopesEntries = difference(feature.scope ?? [], Object.values(KibanaFeatureScope));
 
   if (unknownScopesEntries.length) {