[8.19] [Security Solution] Hide plugins UI via config without disabling them (#222821) (#223126)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[Security Solution] Hide plugins UI via config without disabling them
(#222821)](#222821)

<!--- Backport version: 10.0.0 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Sergi
Massaneda","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-06-09T16:21:13Z","message":"[Security
Solution] Hide plugins UI via config without disabling them
(#222821)\n\n## Summary\n\nIntroduces a new config in the security
serverless plugin to hide other\nplugins' UI (making them
inaccessible).\n\nIt uses the `core.application.registerAppUpdater`
API.\n\n@elastic/kibana-visualizations I did some cleanup around the
custom\nglobal search's `registerResultProvider`, which seems to be a
workaround\nfrom times before `visibleIn` functionalities. This way, the
search\nresult depends on the plugin being accessible. My change
introduces a\nsmall text update in the search result, though. To me, now
it looks more\nconsistent with the rest of the analytics applications.
Let me know if\nyou think that's an issue.\n\n| Prev | New
|\n|------|-----|\n|\n![Prev](https://github.com/user-attachments/assets/c11e36c5-c101-440d-aa94-05bce288807d)\n|\n![New](https://github.com/user-attachments/assets/39becf16-7e0d-4c93-9cd7-35a1ced8b234)\n|\n\n###
Goal\n\nThis is needed by the `AI4DSOC` team to hide some applications
outside\nthe Security
Solution:\n\n```yaml\nxpack.securitySolutionServerless.inaccessibleApps:\n
- dashboards\n - visualize\n - maps\n -
lens\n```\n\n---------\n\nCo-authored-by: kibanamachine
<[email protected]>\nCo-authored-by:
Tomasz Ciecierski
<[email protected]>","sha":"81c4fc89993e804ab795fabc67c8ce1fc2be1487","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:
SecuritySolution","backport:version","v9.1.0","v8.19.0"],"title":"[Security
Solution] Hide plugins UI via config without disabling
them","number":222821,"url":"https://github.com/elastic/kibana/pull/222821","mergeCommit":{"message":"[Security
Solution] Hide plugins UI via config without disabling them
(#222821)\n\n## Summary\n\nIntroduces a new config in the security
serverless plugin to hide other\nplugins' UI (making them
inaccessible).\n\nIt uses the `core.application.registerAppUpdater`
API.\n\n@elastic/kibana-visualizations I did some cleanup around the
custom\nglobal search's `registerResultProvider`, which seems to be a
workaround\nfrom times before `visibleIn` functionalities. This way, the
search\nresult depends on the plugin being accessible. My change
introduces a\nsmall text update in the search result, though. To me, now
it looks more\nconsistent with the rest of the analytics applications.
Let me know if\nyou think that's an issue.\n\n| Prev | New
|\n|------|-----|\n|\n![Prev](https://github.com/user-attachments/assets/c11e36c5-c101-440d-aa94-05bce288807d)\n|\n![New](https://github.com/user-attachments/assets/39becf16-7e0d-4c93-9cd7-35a1ced8b234)\n|\n\n###
Goal\n\nThis is needed by the `AI4DSOC` team to hide some applications
outside\nthe Security
Solution:\n\n```yaml\nxpack.securitySolutionServerless.inaccessibleApps:\n
- dashboards\n - visualize\n - maps\n -
lens\n```\n\n---------\n\nCo-authored-by: kibanamachine
<[email protected]>\nCo-authored-by:
Tomasz Ciecierski
<[email protected]>","sha":"81c4fc89993e804ab795fabc67c8ce1fc2be1487"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/222821","number":222821,"mergeCommit":{"message":"[Security
Solution] Hide plugins UI via config without disabling them
(#222821)\n\n## Summary\n\nIntroduces a new config in the security
serverless plugin to hide other\nplugins' UI (making them
inaccessible).\n\nIt uses the `core.application.registerAppUpdater`
API.\n\n@elastic/kibana-visualizations I did some cleanup around the
custom\nglobal search's `registerResultProvider`, which seems to be a
workaround\nfrom times before `visibleIn` functionalities. This way, the
search\nresult depends on the plugin being accessible. My change
introduces a\nsmall text update in the search result, though. To me, now
it looks more\nconsistent with the rest of the analytics applications.
Let me know if\nyou think that's an issue.\n\n| Prev | New
|\n|------|-----|\n|\n![Prev](https://github.com/user-attachments/assets/c11e36c5-c101-440d-aa94-05bce288807d)\n|\n![New](https://github.com/user-attachments/assets/39becf16-7e0d-4c93-9cd7-35a1ced8b234)\n|\n\n###
Goal\n\nThis is needed by the `AI4DSOC` team to hide some applications
outside\nthe Security
Solution:\n\n```yaml\nxpack.securitySolutionServerless.inaccessibleApps:\n
- dashboards\n - visualize\n - maps\n -
lens\n```\n\n---------\n\nCo-authored-by: kibanamachine
<[email protected]>\nCo-authored-by:
Tomasz Ciecierski
<[email protected]>","sha":"81c4fc89993e804ab795fabc67c8ce1fc2be1487"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

---------

Co-authored-by: Tomasz Ciecierski <[email protected]>

Author: semd

config/serverless.security.search_ai_lake.yml

@@ -3,6 +3,14 @@
 xpack.osquery.enabled: false
 xpack.ml.ad.enabled: false
 xpack.ml.dfa.enabled: false
+
+## Plugins that are inaccessible in the UI
+xpack.securitySolutionServerless.inaccessibleApps:
+  - dashboards
+  - visualize
+  - maps
+  - lens
+
 ## Disable plugin features
 xpack.alerting.maintenanceWindow.enabled: false
 xpack.alerting.rulesSettings.enabled: false

x-pack/platform/plugins/private/translations/translations/fr-FR.json

@@ -27762,7 +27762,6 @@
     "xpack.lens.reporting.shareContextMenu.csvReportsButtonLabel": "Téléchargement CSV",
     "xpack.lens.resetLayerAriaLabel": "Effacer le calque",
     "xpack.lens.saveDuplicateRejectedDescription": "La confirmation d'enregistrement avec un doublon de titre a été rejetée.",
-    "xpack.lens.searchTitle": "Lens : créer des visualisations",
     "xpack.lens.section.bannerMessagesLabel": "Messages de déclassement",
     "xpack.lens.section.configPanelLabel": "Panneau de configuration",
     "xpack.lens.section.dataPanelLabel": "Panneau de données",

x-pack/platform/plugins/private/translations/translations/ja-JP.json

@@ -27735,7 +27735,6 @@
     "xpack.lens.reporting.shareContextMenu.csvReportsButtonLabel": "CSVダウンロード",
     "xpack.lens.resetLayerAriaLabel": "レイヤーをクリア",
     "xpack.lens.saveDuplicateRejectedDescription": "重複ファイルの保存確認が拒否されました",
-    "xpack.lens.searchTitle": "Lens：ビジュアライゼーションを作成",
     "xpack.lens.section.bannerMessagesLabel": "廃止予定メッセージ",
     "xpack.lens.section.configPanelLabel": "構成パネル",
     "xpack.lens.section.dataPanelLabel": "データパネル",

x-pack/platform/plugins/private/translations/translations/zh-CN.json

@@ -27793,7 +27793,6 @@
     "xpack.lens.reporting.shareContextMenu.csvReportsButtonLabel": "CSV 下载",
     "xpack.lens.resetLayerAriaLabel": "清除图层",
     "xpack.lens.saveDuplicateRejectedDescription": "已拒绝使用重复标题保存确认",
-    "xpack.lens.searchTitle": "Lens：创建可视化",
     "xpack.lens.section.bannerMessagesLabel": "过时消息",
     "xpack.lens.section.configPanelLabel": "配置面板",
     "xpack.lens.section.dataPanelLabel": "数据面板",

x-pack/platform/plugins/shared/lens/public/plugin.ts

@@ -69,6 +69,7 @@ import type { ChartType } from '@kbn/visualization-utils';
 import type { ServerlessPluginStart } from '@kbn/serverless/public';
 import { LicensingPluginStart } from '@kbn/licensing-plugin/public';
 import { FieldsMetadataPublicStart } from '@kbn/fields-metadata-plugin/public';
+import { DEFAULT_APP_CATEGORIES } from '@kbn/core/public';
 import type { EditorFrameService as EditorFrameServiceType } from './editor_frame_service';
 import type {
   FormBasedDatasource as FormBasedDatasourceType,
@@ -135,7 +136,6 @@ import { getSaveModalComponent } from './app_plugin/shared/saved_modal_lazy';
 import type { SaveModalContainerProps } from './app_plugin/save_modal_container';
 
 import { setupExpressions } from './expressions';
-import { getSearchProvider } from './search_provider';
 import { OpenInDiscoverDrilldown } from './trigger_actions/open_in_discover_drilldown';
 import { ChartInfoApi } from './chart_info_api';
 import { type LensAppLocator, LensAppLocatorDefinition } from '../common/locator/locator';
@@ -476,7 +476,9 @@ export class LensPlugin {
     core.application.register({
       id: APP_ID,
       title: NOT_INTERNATIONALIZED_PRODUCT_NAME,
-      visibleIn: [],
+      visibleIn: ['globalSearch'],
+      category: DEFAULT_APP_CATEGORIES.kibana,
+      euiIconType: 'logoKibana',
       mount: async (params: AppMountParameters) => {
         const { core: coreStart, plugins: deps } = startServices();
 
@@ -511,20 +513,6 @@ export class LensPlugin {
       },
     });
 
-    if (globalSearch) {
-      globalSearch.registerResultProvider(
-        getSearchProvider(
-          core.getStartServices().then(
-            ([
-              {
-                application: { capabilities },
-              },
-            ]) => capabilities
-          )
-        )
-      );
-    }
-
     urlForwarding.forwardApp(APP_ID, APP_ID);
 
     // Note: this overwrites a method defined above

x-pack/platform/plugins/shared/lens/public/search_provider.ts

@@ -35,8 +35,7 @@ export const productTypes = schema.arrayOf<SecurityProductType>(productType, {
 });
 export type SecurityProductTypes = TypeOf<typeof productTypes>;
 
-export const configSchema = schema.object({
-  enabled: schema.boolean({ defaultValue: false }),
+const commonConfigSchemaProps = {
   productTypes,
   /**
    * For internal use. A list of string values (comma delimited) that will enable experimental
@@ -53,6 +52,19 @@ export const configSchema = schema.object({
   enableExperimental: schema.arrayOf(schema.string(), {
     defaultValue: () => [],
   }),
-});
+  /**
+   * A list of APP IDs that are not accessible in the serverless environment.
+   * This is used to disable the apps in the UI and prevent users from accessing them.
+   */
+  inaccessibleApps: schema.arrayOf(schema.string(), { defaultValue: [] }),
+};
+
+export const commonConfigSchema = schema.object(commonConfigSchemaProps);
+
+export type ServerlessSecurityPublicConfig = TypeOf<typeof commonConfigSchema>;
 
-export type ServerlessSecurityConfigSchema = TypeOf<typeof configSchema>;
+// This is used to expose the common config schema properties to the browser
+// so that they can be used in the client-side code.
+export const exposeToBrowser = Object.fromEntries(
+  Object.keys(commonConfigSchemaProps).map((prop) => [prop, true])
+);

x-pack/solutions/security/plugins/security_solution_serverless/common/config.ts

@@ -5,15 +5,23 @@
  * 2.0.
  */
 
-import type { CoreSetup, CoreStart, Plugin, PluginInitializerContext } from '@kbn/core/public';
+import type {
+  AppUpdater,
+  CoreSetup,
+  CoreStart,
+  Plugin,
+  PluginInitializerContext,
+} from '@kbn/core/public';
+import { BehaviorSubject } from 'rxjs';
+import { AppStatus } from '@kbn/core-application-browser';
 
 import { getDashboardsLandingCallout } from './components/dashboards_landing_callout';
+import type { ServerlessSecurityPublicConfig } from '../common/config';
 import type {
   SecuritySolutionServerlessPluginSetup,
   SecuritySolutionServerlessPluginStart,
   SecuritySolutionServerlessPluginSetupDeps,
   SecuritySolutionServerlessPluginStartDeps,
-  ServerlessSecurityPublicConfig,
 } from './types';
 import { registerUpsellings } from './upselling';
 import { createServices } from './common/services/create_services';
@@ -44,20 +52,20 @@ export class SecuritySolutionServerlessPlugin
   }
 
   public setup(
-    _core: CoreSetup,
+    core: CoreSetup,
     setupDeps: SecuritySolutionServerlessPluginSetupDeps
   ): SecuritySolutionServerlessPluginSetup {
     const { securitySolution } = setupDeps;
-    const { productTypes } = this.config;
+    const { productTypes, enableExperimental, inaccessibleApps } = this.config;
 
     this.experimentalFeatures = parseExperimentalConfigValue(
-      this.config.enableExperimental,
+      enableExperimental,
       securitySolution.experimentalFeatures
     ).features;
 
     securitySolution.setProductFeatureKeys(getEnabledProductFeatures(productTypes));
-
     setupDeps.discover.showInlineTopNav();
+    updateInaccessibleApps(inaccessibleApps, core);
 
     return {};
   }
@@ -85,3 +93,23 @@ export class SecuritySolutionServerlessPlugin
 
   public stop() {}
 }
+
+/**
+ * Disables apps that are inaccessible based on the provided configuration.
+ * It updates the app status to 'inaccessible' for those apps.
+ * The apps will still execute their lifecycle methods, but it will remain inaccessible in the UI.
+ */
+const updateInaccessibleApps = (inaccessibleApps: string[], core: CoreSetup) => {
+  if (!inaccessibleApps?.length) {
+    return;
+  }
+
+  const inaccessibleAppsSet = new Set(inaccessibleApps);
+  const appUpdater$ = new BehaviorSubject<AppUpdater>((app) => {
+    if (inaccessibleAppsSet.has(app.id)) {
+      return { status: AppStatus.inaccessible };
+    }
+  });
+
+  core.application.registerAppUpdater(appUpdater$);
+};

x-pack/solutions/security/plugins/security_solution_serverless/public/plugin.ts

@@ -15,7 +15,6 @@ import type { ManagementSetup, ManagementStart } from '@kbn/management-plugin/pu
 import type { CloudStart } from '@kbn/cloud-plugin/public';
 import type { DiscoverSetup } from '@kbn/discover-plugin/public';
 import type { IntegrationAssistantPluginStart } from '@kbn/integration-assistant-plugin/public';
-import type { ServerlessSecurityConfigSchema } from '../common/config';
 
 // eslint-disable-next-line @typescript-eslint/no-empty-interface
 export interface SecuritySolutionServerlessPluginSetup {}
@@ -39,8 +38,3 @@ export interface SecuritySolutionServerlessPluginStartDeps {
   cloud: CloudStart;
   integrationAssistant?: IntegrationAssistantPluginStart;
 }
-
-export type ServerlessSecurityPublicConfig = Pick<
-  ServerlessSecurityConfigSchema,
-  'productTypes' | 'enableExperimental'
->;

x-pack/solutions/security/plugins/security_solution_serverless/public/types.ts

@@ -8,14 +8,14 @@
 import { schema, type TypeOf } from '@kbn/config-schema';
 import type { PluginConfigDescriptor, PluginInitializerContext } from '@kbn/core/server';
 import type { SecuritySolutionPluginSetup } from '@kbn/security-solution-plugin/server/plugin_contract';
+
 import { USAGE_SERVICE_USAGE_URL } from './constants';
-import { productTypes } from '../common/config';
+import { commonConfigSchema, exposeToBrowser } from '../common/config';
 import type { ExperimentalFeatures } from '../common/experimental_features';
 import { parseExperimentalConfigValue } from '../common/experimental_features';
 
-export const configSchema = schema.object({
+export const serverConfigSchema = schema.object({
   enabled: schema.boolean({ defaultValue: false }),
-  productTypes,
   /**
    * Usage Reporting: the interval between runs of the endpoint task
    */
@@ -25,41 +25,24 @@ export const configSchema = schema.object({
   /**
    * Usage Reporting: the interval between runs of the cloud security task
    */
-
   cloudSecurityUsageReportingTaskInterval: schema.string({ defaultValue: '30m' }),
 
-  /**
-   * Usage Reporting: timeout value for how long the task should run.
-   */
-  usageReportingTaskTimeout: schema.string({ defaultValue: '1m' }),
-
   /**
    * Usage Reporting: the URL to send usage data to
    */
   usageReportingApiUrl: schema.string({ defaultValue: USAGE_SERVICE_USAGE_URL }),
+
   /**
-   * For internal use. A list of string values (comma delimited) that will enable experimental
-   * type of functionality that is not yet released. Valid values for this settings need to
-   * be defined in:
-   * `x-pack/solutions/security/plugins/security_solution_serverless/common/experimental_features.ts`
-   * under the `allowedExperimentalValues` object
-   *
-   * @example
-   * xpack.securitySolutionServerless.enableExperimental:
-   *   - someCrazyServerlessFeature
-   *   - someEvenCrazierServerlessFeature
+   * Usage Reporting: timeout value for how long the task should run.
    */
-  enableExperimental: schema.arrayOf(schema.string(), {
-    defaultValue: () => [],
-  }),
+  usageReportingTaskTimeout: schema.string({ defaultValue: '1m' }),
 });
+const configSchema = schema.allOf([commonConfigSchema, serverConfigSchema]);
+
 export type ServerlessSecuritySchema = TypeOf<typeof configSchema>;
 
 export const config: PluginConfigDescriptor<ServerlessSecuritySchema> = {
-  exposeToBrowser: {
-    enableExperimental: true,
-    productTypes: true,
-  },
+  exposeToBrowser,
   schema: configSchema,
   deprecations: ({ renameFromRoot }) => [
     renameFromRoot(