[9.1] Add reporting_user feature for reserved set of privileges (#231533) (#232384)

# Backport

This will backport the following commits from `main` to `9.1`:
- [Add `reporting_user` feature for reserved set of privileges
(#231533)](#231533)

<!--- Backport version: 10.0.1 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Tim
Sullivan","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-08-20T11:57:52Z","message":"Add
`reporting_user` feature for reserved set of privileges (#231533)\n\n##
Summary\n\nWe want to switch the reserved `reporting_user` role to use a
\"reserved\nprivilege definition\" and uses just that privilege. This PR
satisfies\nthe Kibana requirements. There is a corresponding
Elasticsearch
PR:\nhttps://github.com/elastic/elasticsearch/pull/132766\n\n##
Testing\n**NOTE: PNG/PDF reporting requires a Trial, or Gold+
license**\n\n1. Create `test_reporting_user` role\n\n ```\n POST
/_security/role/test_reporting_user\n {\n \"cluster\": [],\n
\"indices\": [],\n \"application\": [{\n \"application\":
\"kibana-*\",\n \"privileges\": [\"reserved_reporting_user\"],\n
\"resources\": [\"*\"]\n }]\n }\n ```\n\n2. Create `test_analyst_user`
role\n\n ```\n POST /_security/role/test_analyst_user\n {\n \"cluster\":
[],\n \"indices\": [\n {\n \"names\": [\"kibana_sample_*\"],\n
\"privileges\": [\"all\"],\n \"field_security\": {\n \"grant\":
[\"*\"],\n \"except\": []\n },\n \"allow_restricted_indices\": false\n
}\n ],\n \"applications\": [\n {\n \"application\":
\"kibana-.kibana\",\n \"privileges\": [\n
\"feature_discover_v2.read\",\n \"feature_dashboard_v2.read\",\n
\"feature_canvas.read\",\n \"feature_visualize_v2.read\"\n ],\n
\"resources\": [\"space:default\"]\n }\n ],\n \"run_as\": [],\n
\"metadata\": {},\n \"transient_metadata\": {\n \"enabled\": true\n }\n
}\n ```\n\n3. Create a test user with just those two roles. Install
sample data.\nLog in using the new test user.\n4. Test cases\n\n | App |
Reporting feature\n |-|-\n | Dashboard | PDF, PNG, CSV (from saved
search panel action)\n | Discover | CSV\n | Canvas | PDF\n | Lens | PDF,
PNG\n| Stack Management | List reports, download reports, view report
info,\ndelete reports\n\n6. As admin, create an additional Space which
the test user should not\nhave access to. Ensure the test user does not
have access to those\nspaces.\n7. Remove the `test_reporting_user` role
from the user and ensure they\ndo not see any Reporting controls in the
UI, and can not access Stack\nManagement > Reporting.\n\n##
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- ~~[ ] Any text
added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~\n-
~~[
]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas
added for features that require explanation or tutorials~~\n- [x] [Unit
or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- ~~[ ] If a plugin
configuration key changed, check if it needs to be\nallowlisted in the
cloud and added to the
[docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~\n-
~~[ ] This was checked for breaking HTTP API changes, and any
breaking\nchanges have been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.~~\n- ~~[ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed~~\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[x] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by:
Larry Gregory
<[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","backport:version","v9.2.0","v9.1.3","v9.0.6"],"title":"Add
`reporting_user` feature for reserved set of
privileges","number":231533,"url":"https://github.com/elastic/kibana/pull/231533","mergeCommit":{"message":"Add
`reporting_user` feature for reserved set of privileges (#231533)\n\n##
Summary\n\nWe want to switch the reserved `reporting_user` role to use a
\"reserved\nprivilege definition\" and uses just that privilege. This PR
satisfies\nthe Kibana requirements. There is a corresponding
Elasticsearch
PR:\nhttps://github.com/elastic/elasticsearch/pull/132766\n\n##
Testing\n**NOTE: PNG/PDF reporting requires a Trial, or Gold+
license**\n\n1. Create `test_reporting_user` role\n\n ```\n POST
/_security/role/test_reporting_user\n {\n \"cluster\": [],\n
\"indices\": [],\n \"application\": [{\n \"application\":
\"kibana-*\",\n \"privileges\": [\"reserved_reporting_user\"],\n
\"resources\": [\"*\"]\n }]\n }\n ```\n\n2. Create `test_analyst_user`
role\n\n ```\n POST /_security/role/test_analyst_user\n {\n \"cluster\":
[],\n \"indices\": [\n {\n \"names\": [\"kibana_sample_*\"],\n
\"privileges\": [\"all\"],\n \"field_security\": {\n \"grant\":
[\"*\"],\n \"except\": []\n },\n \"allow_restricted_indices\": false\n
}\n ],\n \"applications\": [\n {\n \"application\":
\"kibana-.kibana\",\n \"privileges\": [\n
\"feature_discover_v2.read\",\n \"feature_dashboard_v2.read\",\n
\"feature_canvas.read\",\n \"feature_visualize_v2.read\"\n ],\n
\"resources\": [\"space:default\"]\n }\n ],\n \"run_as\": [],\n
\"metadata\": {},\n \"transient_metadata\": {\n \"enabled\": true\n }\n
}\n ```\n\n3. Create a test user with just those two roles. Install
sample data.\nLog in using the new test user.\n4. Test cases\n\n | App |
Reporting feature\n |-|-\n | Dashboard | PDF, PNG, CSV (from saved
search panel action)\n | Discover | CSV\n | Canvas | PDF\n | Lens | PDF,
PNG\n| Stack Management | List reports, download reports, view report
info,\ndelete reports\n\n6. As admin, create an additional Space which
the test user should not\nhave access to. Ensure the test user does not
have access to those\nspaces.\n7. Remove the `test_reporting_user` role
from the user and ensure they\ndo not see any Reporting controls in the
UI, and can not access Stack\nManagement > Reporting.\n\n##
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- ~~[ ] Any text
added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~\n-
~~[
]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas
added for features that require explanation or tutorials~~\n- [x] [Unit
or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- ~~[ ] If a plugin
configuration key changed, check if it needs to be\nallowlisted in the
cloud and added to the
[docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~\n-
~~[ ] This was checked for breaking HTTP API changes, and any
breaking\nchanges have been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.~~\n- ~~[ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed~~\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[x] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by:
Larry Gregory
<[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e"}},"sourceBranch":"main","suggestedTargetBranches":["9.1","9.0"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/231533","number":231533,"mergeCommit":{"message":"Add
`reporting_user` feature for reserved set of privileges (#231533)\n\n##
Summary\n\nWe want to switch the reserved `reporting_user` role to use a
\"reserved\nprivilege definition\" and uses just that privilege. This PR
satisfies\nthe Kibana requirements. There is a corresponding
Elasticsearch
PR:\nhttps://github.com/elastic/elasticsearch/pull/132766\n\n##
Testing\n**NOTE: PNG/PDF reporting requires a Trial, or Gold+
license**\n\n1. Create `test_reporting_user` role\n\n ```\n POST
/_security/role/test_reporting_user\n {\n \"cluster\": [],\n
\"indices\": [],\n \"application\": [{\n \"application\":
\"kibana-*\",\n \"privileges\": [\"reserved_reporting_user\"],\n
\"resources\": [\"*\"]\n }]\n }\n ```\n\n2. Create `test_analyst_user`
role\n\n ```\n POST /_security/role/test_analyst_user\n {\n \"cluster\":
[],\n \"indices\": [\n {\n \"names\": [\"kibana_sample_*\"],\n
\"privileges\": [\"all\"],\n \"field_security\": {\n \"grant\":
[\"*\"],\n \"except\": []\n },\n \"allow_restricted_indices\": false\n
}\n ],\n \"applications\": [\n {\n \"application\":
\"kibana-.kibana\",\n \"privileges\": [\n
\"feature_discover_v2.read\",\n \"feature_dashboard_v2.read\",\n
\"feature_canvas.read\",\n \"feature_visualize_v2.read\"\n ],\n
\"resources\": [\"space:default\"]\n }\n ],\n \"run_as\": [],\n
\"metadata\": {},\n \"transient_metadata\": {\n \"enabled\": true\n }\n
}\n ```\n\n3. Create a test user with just those two roles. Install
sample data.\nLog in using the new test user.\n4. Test cases\n\n | App |
Reporting feature\n |-|-\n | Dashboard | PDF, PNG, CSV (from saved
search panel action)\n | Discover | CSV\n | Canvas | PDF\n | Lens | PDF,
PNG\n| Stack Management | List reports, download reports, view report
info,\ndelete reports\n\n6. As admin, create an additional Space which
the test user should not\nhave access to. Ensure the test user does not
have access to those\nspaces.\n7. Remove the `test_reporting_user` role
from the user and ensure they\ndo not see any Reporting controls in the
UI, and can not access Stack\nManagement > Reporting.\n\n##
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- ~~[ ] Any text
added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~\n-
~~[
]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas
added for features that require explanation or tutorials~~\n- [x] [Unit
or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- ~~[ ] If a plugin
configuration key changed, check if it needs to be\nallowlisted in the
cloud and added to the
[docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~\n-
~~[ ] This was checked for breaking HTTP API changes, and any
breaking\nchanges have been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.~~\n- ~~[ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed~~\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[x] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by:
Larry Gregory
<[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e"}},{"branch":"9.1","label":"v9.1.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.0","label":"v9.0.6","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Tim Sullivan <[email protected]>

Author: darnautov

src/platform/packages/private/kbn-reporting/get_csv_panel_actions/panel_actions/get_csv_panel_action.tsx

@@ -148,8 +148,11 @@ export class ReportingCsvPanelAction implements ActionDefinition<EmbeddableApiCo
     const license = await firstValueFrom(licensing.license$);
     const licenseHasCsvReporting = checkLicense(license.check('reporting', 'basic')).showLinks;
 
+    const capabilities = application.capabilities;
     // NOTE: For historical reasons capability identifier is called `downloadCsv. It can not be renamed.
-    const capabilityHasCsvReporting = application.capabilities.dashboard_v2?.downloadCsv === true;
+    const capabilityHasCsvReporting =
+      capabilities.dashboard_v2?.downloadCsv === true ||
+      capabilities.reportingLegacy?.generateReport === true;
     if (!licenseHasCsvReporting || !capabilityHasCsvReporting) {
       return false;
     }

src/platform/packages/private/kbn-reporting/public/share/share_context_menu/register_csv_modal_reporting.tsx

@@ -183,7 +183,9 @@ export const reportingCsvExportProvider = ({
 
       const licenseHasCsvReporting = licenseCheck.showLinks;
 
-      const capabilityHasCsvReporting = capabilities.discover_v2?.generateCsv === true;
+      const capabilityHasCsvReporting =
+        capabilities.discover_v2?.generateCsv === true ||
+        capabilities.reportingLegacy?.generateReport === true;
 
       if (!(licenseHasCsvReporting && capabilityHasCsvReporting)) {
         return false;

src/platform/packages/private/kbn-reporting/public/share/share_context_menu/register_pdf_png_modal_reporting.tsx

@@ -9,6 +9,7 @@
 
 import { i18n } from '@kbn/i18n';
 import { FormattedMessage } from '@kbn/i18n-react';
+import type { Capabilities } from '@kbn/core/public';
 import { toMountPoint } from '@kbn/react-kibana-mount';
 import { ShareContext } from '@kbn/share-plugin/public';
 import React from 'react';
@@ -79,6 +80,13 @@ const getJobParams = (opts: JobParamsProviderOptions, type: 'pngV2' | 'printable
   };
 };
 
+const hasCapabilityByKey = (capabilities: Capabilities, capabilityKey: keyof Capabilities) => {
+  return (
+    capabilities[capabilityKey]?.generateScreenshot === true ||
+    capabilities.reportingLegacy?.generateReport === true
+  );
+};
+
 export const reportingPDFExportProvider = ({
   apiClient,
   startServices$,
@@ -217,24 +225,18 @@ export const reportingPDFExportProvider = ({
         license.check('reporting', 'gold')
       );
 
-      const capabilityHasDashboardScreenshotReporting =
-        capabilities.dashboard_v2?.generateScreenshot === true;
-      const capabilityHasVisualizeScreenshotReporting =
-        capabilities.visualize_v2?.generateScreenshot === true;
+      const capabilityHasDashboardReporting = hasCapabilityByKey(capabilities, 'dashboard_v2');
+      const capabilityHasVisualizeReporting = hasCapabilityByKey(capabilities, 'visualize_v2');
 
       if (!licenseHasScreenshotReporting) {
         return false;
       }
 
-      if (objectType === 'dashboard' && !capabilityHasDashboardScreenshotReporting) {
+      if (objectType === 'dashboard' && !capabilityHasDashboardReporting) {
         return false;
       }
 
-      if (
-        isSupportedType &&
-        !capabilityHasVisualizeScreenshotReporting &&
-        !capabilityHasDashboardScreenshotReporting
-      ) {
+      if (isSupportedType && !capabilityHasVisualizeReporting && !capabilityHasDashboardReporting) {
         return false;
       }
 
@@ -380,24 +382,18 @@ export const reportingPNGExportProvider = ({
       const { showLinks } = checkLicense(license.check('reporting', 'gold'));
       const licenseHasScreenshotReporting = showLinks;
 
-      const capabilityHasDashboardScreenshotReporting =
-        capabilities.dashboard_v2?.generateScreenshot === true;
-      const capabilityHasVisualizeScreenshotReporting =
-        capabilities.visualize_v2?.generateScreenshot === true;
+      const capabilityHasDashboardReporting = hasCapabilityByKey(capabilities, 'dashboard_v2');
+      const capabilityHasVisualizeReporting = hasCapabilityByKey(capabilities, 'visualize_v2');
 
       if (!licenseHasScreenshotReporting) {
         return false;
       }
 
-      if (objectType === 'dashboard' && !capabilityHasDashboardScreenshotReporting) {
+      if (objectType === 'dashboard' && !capabilityHasDashboardReporting) {
         return false;
       }
 
-      if (
-        isSupportedType &&
-        !capabilityHasVisualizeScreenshotReporting &&
-        !capabilityHasDashboardScreenshotReporting
-      ) {
+      if (isSupportedType && !capabilityHasVisualizeReporting && !capabilityHasDashboardReporting) {
         return false;
       }
 

src/platform/test/functional/page_objects/export_page.ts

@@ -19,6 +19,10 @@ export class ExportPageObject extends FtrService {
     return await this.testSubjects.exists('exportTopNavButton');
   }
 
+  async exportButtonMissingOrFail() {
+    await this.testSubjects.missingOrFail('exportTopNavButton', { timeout: 1000 });
+  }
+
   async clickExportTopNavButton() {
     return this.testSubjects.click('exportTopNavButton');
   }

x-pack/platform/packages/private/security/authorization_core/src/privileges/privileges.ts

@@ -245,6 +245,8 @@ export function privilegesFactory(
           read: [actions.login, ...readActions],
         },
         reserved: features.reduce((acc: Record<string, string[]>, feature: KibanaFeature) => {
+          // Reserved privileges are intentionally not excluded from registration based on their `hidden` attribute.
+          // This is explicitly to support the legacy reporting use case.
           if (feature.reserved) {
             feature.reserved.privileges.forEach((reservedPrivilege) => {
               acc[reservedPrivilege.id] = [

x-pack/platform/plugins/private/canvas/public/services/kibana_services.ts

@@ -43,13 +43,17 @@ export const setKibanaServices = (
   kibanaVersion = initContext.env.packageInfo.version;
 
   coreServices = kibanaCore;
+  const capabilities = kibanaCore.application.capabilities;
   contentManagementService = deps.contentManagement;
   dataService = deps.data;
   dataViewsService = deps.dataViews;
   embeddableService = deps.embeddable;
   expressionsService = deps.expressions;
   presentationUtilService = deps.presentationUtil;
-  reportingService = Boolean(kibanaCore.application.capabilities.canvas?.generatePdf)
+  reportingService = Boolean(
+    capabilities.canvas?.generatePdf === true ||
+      capabilities.reportingLegacy?.generateReport === true
+  )
     ? deps.reporting
     : undefined;
   spacesService = deps.spaces;

x-pack/platform/plugins/private/reporting/server/features.ts

@@ -21,9 +21,10 @@ interface FeatureRegistrationOpts {
 }
 
 export function registerFeatures({ isServerless, features }: FeatureRegistrationOpts) {
-  // Register a 'shell' feature specifically for Serverless. If granted, it will automatically provide access to
-  // reporting capabilities in other features, such as Discover, Dashboards, and Visualizations. On its own, this
-  // feature doesn't grant any additional privileges.
+  // Register a 'shell' features for Reporting. On their own, they don't grant specific privileges.
+
+  // Shell feature for Serverless. If granted, it will automatically provide access to
+  // reporting capabilities in other features, such as Discover, Dashboards, and Visualizations.
   if (isServerless) {
     features.registerKibanaFeature({
       id: 'reporting',
@@ -39,6 +40,44 @@ export function registerFeatures({ isServerless, features }: FeatureRegistration
         read: { disabled: true, savedObject: { all: [], read: [] }, ui: [] },
       },
     });
+  } else {
+    // Shell feature for self-managed environments, to be leveraged by a reserved privilege defined
+    // in ES. This grants access to reporting features in a legacy fashion.
+    features.registerKibanaFeature({
+      id: 'reportingLegacy',
+      name: i18n.translate('xpack.reporting.features.reportingLegacyFeatureName', {
+        defaultMessage: 'Reporting Legacy',
+      }),
+      category: DEFAULT_APP_CATEGORIES.management,
+      management: { insightsAndAlerting: ['reporting'] },
+      scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
+      hidden: true,
+      app: [],
+      privileges: null,
+      reserved: {
+        description: i18n.translate(
+          'xpack.reporting.features.reportingLegacyFeatureReservedDescription',
+          {
+            defaultMessage:
+              'Reserved for use by the Reporting plugin. This feature is used to grant access to Reporting capabilities in a legacy manner.',
+          }
+        ),
+        privileges: [
+          {
+            id: 'reporting_user',
+            privilege: {
+              excludeFromBasePrivileges: true,
+              app: [],
+              catalogue: [],
+              management: { insightsAndAlerting: ['reporting'] },
+              savedObject: { all: [], read: [] },
+              api: ['generateReport'],
+              ui: ['generateReport'],
+            },
+          },
+        ],
+      },
+    });
   }
 
   features.enableReportingUiCapabilities();

x-pack/platform/plugins/private/reporting/server/plugin.test.ts

@@ -185,7 +185,7 @@ describe('Reporting Plugin', () => {
   describe('features registration', () => {
     it('registers Kibana manage scheduled reporting feature in traditional build flavour', async () => {
       plugin.setup(coreSetup, pluginSetup);
-      expect(featuresSetup.registerKibanaFeature).toHaveBeenCalledTimes(1);
+      expect(featuresSetup.registerKibanaFeature).toHaveBeenCalledTimes(2); // manage scheduled reports + shell feature for self-managed
       expect(featuresSetup.registerKibanaFeature).toHaveBeenCalledWith({
         id: 'manageReporting',
         name: 'Manage Scheduled Reports',
@@ -212,7 +212,7 @@ describe('Reporting Plugin', () => {
       plugin = new ReportingPlugin(serverlessInitContext);
 
       plugin.setup(coreSetup, pluginSetup);
-      expect(featuresSetup.registerKibanaFeature).toHaveBeenCalledTimes(2);
+      expect(featuresSetup.registerKibanaFeature).toHaveBeenCalledTimes(2); // manage scheduled reports + shell feature for serverless
       expect(featuresSetup.registerKibanaFeature).toHaveBeenNthCalledWith(1, {
         id: 'reporting',
         name: 'Reporting',

x-pack/platform/plugins/shared/features/common/kibana_feature.ts

@@ -159,6 +159,8 @@ export interface KibanaFeatureConfig {
    * Indicates whether the feature is available as a standalone feature. The feature can still be
    * referenced by other features, but it will not be displayed in any feature management UIs. By default, all features
    * are visible.
+   *
+   * @note This flag is designed for use via configuration overrides, and very select use cases. Please consult prior to use.
    */
   hidden?: boolean;
 

x-pack/platform/plugins/shared/features/server/feature_registry.test.ts

@@ -2030,6 +2030,114 @@ describe('FeatureRegistry', () => {
       );
     });
 
+    it('allows reserved features to be hidden', () => {
+      const feature: KibanaFeatureConfig = {
+        id: 'test-feature',
+        name: 'Test Feature',
+        app: [],
+        category: { id: 'foo', label: 'foo' },
+        privileges: null,
+        hidden: true,
+        reserved: {
+          description: 'my reserved privileges',
+          privileges: [
+            {
+              id: 'a_reserved_1',
+              privilege: {
+                savedObject: {
+                  all: [],
+                  read: [],
+                },
+                ui: [],
+                app: [],
+              },
+            },
+          ],
+        },
+      };
+
+      const featureRegistry = new FeatureRegistry();
+      expect(() => featureRegistry.registerKibanaFeature(feature)).not.toThrowError();
+    });
+
+    it('does not allow features with both regular and reserved privileges to be hidden', () => {
+      const feature: KibanaFeatureConfig = {
+        id: 'test-feature',
+        name: 'Test Feature',
+        app: [],
+        category: { id: 'foo', label: 'foo' },
+        privileges: {
+          all: {
+            savedObject: {
+              all: [],
+              read: [],
+            },
+            ui: [],
+          },
+          read: {
+            savedObject: {
+              all: [],
+              read: [],
+            },
+            ui: [],
+          },
+        },
+        hidden: true,
+        reserved: {
+          description: 'my reserved privileges',
+          privileges: [
+            {
+              id: 'a_reserved_1',
+              privilege: {
+                savedObject: {
+                  all: [],
+                  read: [],
+                },
+                ui: [],
+                app: [],
+              },
+            },
+          ],
+        },
+      };
+
+      const featureRegistry = new FeatureRegistry();
+      expect(() =>
+        featureRegistry.registerKibanaFeature(feature)
+      ).toThrowErrorMatchingInlineSnapshot(`"Feature test-feature cannot be hidden."`);
+    });
+
+    it('does not allow features with regular privileges to be hidden', () => {
+      const feature: KibanaFeatureConfig = {
+        id: 'test-feature',
+        name: 'Test Feature',
+        app: [],
+        category: { id: 'foo', label: 'foo' },
+        privileges: {
+          all: {
+            savedObject: {
+              all: [],
+              read: [],
+            },
+            ui: [],
+          },
+          read: {
+            savedObject: {
+              all: [],
+              read: [],
+            },
+            ui: [],
+          },
+        },
+        hidden: true,
+      };
+
+      const featureRegistry = new FeatureRegistry();
+      expect(() =>
+        featureRegistry.registerKibanaFeature(feature)
+      ).toThrowErrorMatchingInlineSnapshot(`"Feature test-feature cannot be hidden."`);
+    });
+
     it('allows independent sub-feature privileges to register a minimumLicense', () => {
       const feature1: KibanaFeatureConfig = {
         id: 'test-feature',