elastic · joepeeples · Oct 24, 2024 · Sep 20, 2024 · Oct 16, 2024 · Oct 23, 2024
@@ -13,38 +13,26 @@ This page covers the requirements for using the entity risk scoring and asset cr
 
 ### User roles
 
-{/* TO-DO: Remove the DocIf conditionals once the feature is available in production. */}
+To turn on the risk scoring engine, you need either the appropriate <DocLink slug="/serverless/general/assign-user-roles">predefined Security user role</DocLink> or a <DocLink slug="/serverless/custom-roles">custom role</DocLink> with the right privileges:
 
-<DocIf condition={"((serverlessCustomRoles))" === "false"}>
-    To turn on the risk scoring engine, you need one of the following <DocLink slug="/serverless/general/assign-user-roles" section="security">Security user roles</DocLink>:
+**Predefined roles**
 
-    * Platform engineer
-    * Detections admin
-    * Admin
-</DocIf>
+* Platform engineer
+* Detections admin
+* Admin
 
-<DocIf condition={"((serverlessCustomRoles))" === "true"}>
-    To turn on the risk scoring engine, you need either the appropriate <DocLink slug="/serverless/general/assign-user-roles">predefined Security user role</DocLink> or a <DocLink slug="/serverless/custom-roles">custom role</DocLink> with the right privileges:
+**Custom role privileges**
 
-    **Predefined roles**
-
-    * Platform engineer
-    * Detections admin
-    * Admin
-
-    **Custom role privileges**
-
-    <DocTable columns={[{ title: "Cluster" }, { title: "Index" }, { title: "((kib))" }]}>
-        <DocRow>
-            <DocCell>
-                * `manage_index_templates`
-                * `manage_transform`
-            </DocCell>
-            <DocCell>`all` privilege for `risk-score.risk-score-*`</DocCell>
-            <DocCell>**Read** for the **Security** feature</DocCell>
-        </DocRow>
-    </DocTable>
-</DocIf>
+<DocTable columns={[{ title: "Cluster" }, { title: "Index" }, { title: "((kib))" }]}>
+    <DocRow>
+        <DocCell>
+            * `manage_index_templates`
+            * `manage_transform`
+        </DocCell>
+        <DocCell>`all` privilege for `risk-score.risk-score-*`</DocCell>
+        <DocCell>**Read** for the **Security** feature</DocCell>
+    </DocRow>
+</DocTable>
 
 ### Known limitations
 
@@ -57,74 +45,50 @@ To use the asset criticality feature, turn on the `securitySolution:enableAssetC
 
 ### User roles
 
-{/* TO-DO: Remove the DocIf conditionals once the feature is available in production. */}
-
-<DocIf condition={"((serverlessCustomRoles))" === "false"}>
-    The following <DocLink slug="/serverless/general/assign-user-roles" section="security">Security user roles</DocLink> allow you to view an entity's asset criticality:
-
-    * Viewer
-    * Tier 1 analyst
-
-    The following Security user roles allow you to view, assign, change, or unassign an entity's asset criticality:
-
-    * Editor
-    * Tier 2 analyst
-    * Tier 3 analyst
-    * Threat intelligence analyst
-    * Rule author
-    * SOC manager
-    * Endpoint operations analyst
-    * Platform engineer
-    * Detections admin
-    * Endpoint policy manager
-</DocIf>
-
-<DocIf condition={"((serverlessCustomRoles))" === "true"}>
-    To use asset criticality, you need either the appropriate <DocLink slug="/serverless/general/assign-user-roles">predefined Security user role</DocLink> or a <DocLink slug="/serverless/custom-roles">custom role</DocLink> with the right privileges:
-
-    **Predefined roles**
-
-    <DocTable columns={[{ title: "Action" }, { title: "Predefined role" }]}>
-        <DocRow>
-            <DocCell>View asset criticality</DocCell>
-            <DocCell>
-                * Viewer
-                * Tier 1 analyst
-            </DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>View, assign, change, or unassign asset criticality</DocCell>
-            <DocCell>
-                * Editor
-                * Tier 2 analyst
-                * Tier 3 analyst
-                * Threat intelligence analyst
-                * Rule author
-                * SOC manager
-                * Endpoint operations analyst
-                * Platform engineer
-                * Detections admin
-                * Endpoint policy manager
-            </DocCell>
-        </DocRow>
-    </DocTable>
-
-    **Custom role privileges**
-
-    Custom roles need the following privileges for the `.asset-criticality.asset-criticality-<space-id>` index:
-
-    <DocTable columns={[{ title: "Action" }, { title: "Index privilege" }]}>
-        <DocRow>
-            <DocCell>View asset criticality</DocCell>
-            <DocCell>`read`</DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>View, assign, or change asset criticality</DocCell>
-            <DocCell>`read` and `write`</DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>Unassign asset criticality</DocCell>
-            <DocCell>`delete`</DocCell>
-        </DocRow>    
-    </DocTable>
-</DocIf>
+To use asset criticality, you need either the appropriate <DocLink slug="/serverless/general/assign-user-roles">predefined Security user role</DocLink> or a <DocLink slug="/serverless/custom-roles">custom role</DocLink> with the right privileges:
+
+**Predefined roles**
+
+<DocTable columns={[{ title: "Action" }, { title: "Predefined role" }]}>
+    <DocRow>
+        <DocCell>View asset criticality</DocCell>
+        <DocCell>
+            * Viewer
+            * Tier 1 analyst
+        </DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>View, assign, change, or unassign asset criticality</DocCell>
+        <DocCell>
+            * Editor
+            * Tier 2 analyst
+            * Tier 3 analyst
+            * Threat intelligence analyst
+            * Rule author
+            * SOC manager
+            * Endpoint operations analyst
+            * Platform engineer
+            * Detections admin
+            * Endpoint policy manager
+        </DocCell>
+    </DocRow>
+</DocTable>
+
+**Custom role privileges**
+
+Custom roles need the following privileges for the `.asset-criticality.asset-criticality-<space-id>` index:
+
+<DocTable columns={[{ title: "Action" }, { title: "Index privilege" }]}>
+    <DocRow>
+        <DocCell>View asset criticality</DocCell>
+        <DocCell>`read`</DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>View, assign, or change asset criticality</DocCell>
+        <DocCell>`read` and `write`</DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>Unassign asset criticality</DocCell>
+        <DocCell>`delete`</DocCell>
+    </DocRow>    
+</DocTable>
@@ -7,80 +7,72 @@ tags: ["security","defend","reference","manage"]
 
 <DocBadge template="technical preview" />
 
-{/* TO-DO: Remove the DocIf conditionals once the feature is available in production. */}
+You can create user roles and define privileges to manage feature access in ((elastic-sec)). This allows you to use the principle of least privilege while managing access to ((elastic-defend))'s features.
 
-<DocIf condition={"((serverlessCustomRoles))" === "false"}>
-    <DocBadgeComingSoon>Coming soon</DocBadgeComingSoon>
-</DocIf>
+Configure roles and privileges in **Stack Management** → **Custom Roles**. For more details on using this UI, refer to <DocLink slug="/serverless/custom-roles" />.
 
-<DocIf condition={"((serverlessCustomRoles))" === "true"}> 
-    You can create user roles and define privileges to manage feature access in ((elastic-sec)). This allows you to use the principle of least privilege while managing access to ((elastic-defend))'s features.
+<DocCallOut title="Note">
+    ((elastic-defend))'s feature privileges must be assigned to **All Spaces**. You can't assign them to an individual space. 
+</DocCallOut>
 
-    Configure roles and privileges in **Stack Management** → **Custom Roles**. For more details on using this UI, refer to <DocLink slug="/serverless/custom-roles" />.
+To grant access, select **All** for the **Security** feature in the **((kib)) privileges** configuration UI, then turn on the **Customize sub-feature privileges** switch. For each of the following sub-feature privileges, select the type of access you want to allow:
 
-    <DocCallOut title="Note">
-        ((elastic-defend))'s feature privileges must be assigned to **All Spaces**. You can't assign them to an individual space. 
-    </DocCallOut>
+* **All**: Users have full access to the feature, which includes performing all available actions and managing configuration.
+* **Read**: Users can view the feature, but can't perform any actions or manage configuration (some features don't have this privilege).
+* **None**: Users can't access or view the feature.
 
-    To grant access, select **All** for the **Security** feature in the **((kib)) privileges** configuration UI, then turn on the **Customize sub-feature privileges** switch. For each of the following sub-feature privileges, select the type of access you want to allow:
-
-    * **All**: Users have full access to the feature, which includes performing all available actions and managing configuration.
-    * **Read**: Users can view the feature, but can't perform any actions or manage configuration (some features don't have this privilege).
-    * **None**: Users can't access or view the feature.
-
-    <DocTable columns={[{ title: "", width: "25%" }, { title: "" }]}>
-        <DocRow>
-            <DocCell>**Endpoint List**</DocCell>
-            <DocCell>Access the <DocLink slug="/serverless/security/endpoints-page">Endpoints</DocLink> page, which lists all hosts running ((elastic-defend)), and associated integration details.</DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>**Trusted Applications**</DocCell>
-            <DocCell>Access the <DocLink slug="/serverless/security/trusted-applications">Trusted applications</DocLink> page to remediate conflicts with other software, such as antivirus or endpoint security applications</DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>**Host Isolation Exceptions**</DocCell>
-            <DocCell>Access the <DocLink slug="/serverless/security/host-isolation-exceptions">Host isolation exceptions</DocLink> page to add specific IP addresses that isolated hosts can still communicate with.</DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>**Blocklist**</DocCell>
-            <DocCell>Access the <DocLink slug="/serverless/security/blocklist">Blocklist</DocLink> page to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious.</DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>**Event Filters**</DocCell>
-            <DocCell>Access the <DocLink slug="/serverless/security/event-filters">Event Filters</DocLink> page to filter out endpoint events that you don't want stored in ((es)).</DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>**((elastic-defend)) Policy Management**</DocCell>
-            <DocCell>Access the <DocLink slug="/serverless/security/policies-page">Policies</DocLink> page and ((elastic-defend)) integration policies to configure protections, event collection, and advanced policy features.</DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>**Response Actions History**</DocCell>
-            <DocCell>Access the <DocLink slug="/serverless/security/response-actions-history">response actions history</DocLink> for endpoints.</DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>**Host Isolation**</DocCell>
-            <DocCell>Allow users to <DocLink slug="/serverless/security/isolate-host">isolate and release hosts</DocLink>.</DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>**Process Operations**</DocCell>
-            <DocCell>Perform host process-related <DocLink slug="/serverless/security/response-actions">response actions</DocLink>, including `processes`, `kill-process`, and `suspend-process`.</DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>**File Operations**</DocCell>
-            <DocCell>Perform file-related <DocLink slug="/serverless/security/response-actions">response actions</DocLink> in the response console.</DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>**Execute Operations**</DocCell>
-            <DocCell>
-                Perform shell commands and script-related <DocLink slug="/serverless/security/response-actions">response actions</DocLink> in the response console.
-                <DocCallOut title="Warning" color="warning">
-                    The commands are run on the host using the same user account running the ((elastic-defend)) integration, which normally has full control over the system. Only grant this feature privilege to ((elastic-sec)) users who require this level of access.
-                </DocCallOut>
-            </DocCell>
-        </DocRow>
-        <DocRow>
-            <DocCell>**Scan Operations**</DocCell>
-            <DocCell>Perform folder scan <DocLink slug="/serverless/security/response-actions">response actions</DocLink> in the response console.</DocCell>
-        </DocRow>
-    </DocTable>
-</DocIf>
+<DocTable columns={[{ title: "", width: "25%" }, { title: "" }]}>
+    <DocRow>
+        <DocCell>**Endpoint List**</DocCell>
+        <DocCell>Access the <DocLink slug="/serverless/security/endpoints-page">Endpoints</DocLink> page, which lists all hosts running ((elastic-defend)), and associated integration details.</DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>**Trusted Applications**</DocCell>
+        <DocCell>Access the <DocLink slug="/serverless/security/trusted-applications">Trusted applications</DocLink> page to remediate conflicts with other software, such as antivirus or endpoint security applications</DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>**Host Isolation Exceptions**</DocCell>
+        <DocCell>Access the <DocLink slug="/serverless/security/host-isolation-exceptions">Host isolation exceptions</DocLink> page to add specific IP addresses that isolated hosts can still communicate with.</DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>**Blocklist**</DocCell>
+        <DocCell>Access the <DocLink slug="/serverless/security/blocklist">Blocklist</DocLink> page to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious.</DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>**Event Filters**</DocCell>
+        <DocCell>Access the <DocLink slug="/serverless/security/event-filters">Event Filters</DocLink> page to filter out endpoint events that you don't want stored in ((es)).</DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>**((elastic-defend)) Policy Management**</DocCell>
+        <DocCell>Access the <DocLink slug="/serverless/security/policies-page">Policies</DocLink> page and ((elastic-defend)) integration policies to configure protections, event collection, and advanced policy features.</DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>**Response Actions History**</DocCell>
+        <DocCell>Access the <DocLink slug="/serverless/security/response-actions-history">response actions history</DocLink> for endpoints.</DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>**Host Isolation**</DocCell>
+        <DocCell>Allow users to <DocLink slug="/serverless/security/isolate-host">isolate and release hosts</DocLink>.</DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>**Process Operations**</DocCell>
+        <DocCell>Perform host process-related <DocLink slug="/serverless/security/response-actions">response actions</DocLink>, including `processes`, `kill-process`, and `suspend-process`.</DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>**File Operations**</DocCell>
+        <DocCell>Perform file-related <DocLink slug="/serverless/security/response-actions">response actions</DocLink> in the response console.</DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>**Execute Operations**</DocCell>
+        <DocCell>
+            Perform shell commands and script-related <DocLink slug="/serverless/security/response-actions">response actions</DocLink> in the response console.
+            <DocCallOut title="Warning" color="warning">
+                The commands are run on the host using the same user account running the ((elastic-defend)) integration, which normally has full control over the system. Only grant this feature privilege to ((elastic-sec)) users who require this level of access.
+            </DocCallOut>
+        </DocCell>
+    </DocRow>
+    <DocRow>
+        <DocCell>**Scan Operations**</DocCell>
+        <DocCell>Perform folder scan <DocLink slug="/serverless/security/response-actions">response actions</DocLink> in the response console.</DocCell>
+    </DocRow>
+</DocTable>
@@ -24,14 +24,8 @@ configure `source.geo` and `destination.geo` ECS fields for your indices.
 <div id="prereq-perms"></div>
 
 ## Permissions required
-{/* TO-DO: Remove the DocIf conditionals once the feature is available in production. */}
-
-<DocIf condition={"((serverlessCustomRoles))" === "false"}>
-  To view the map, you need the appropriate <DocLink slug="/serverless/general/assign-user-roles">predefined user role</DocLink>.
-</DocIf>
-<DocIf condition={"((serverlessCustomRoles))" === "true"}>
-  To view the map, you need the appropriate <DocLink slug="/serverless/general/assign-user-roles">predefined user role</DocLink> or a <DocLink slug="/serverless/custom-roles">custom role</DocLink> with at least `Read` privileges for the `Maps` feature.
-</DocIf>
+
+To view the map, you need the appropriate <DocLink slug="/serverless/general/assign-user-roles">predefined user role</DocLink> or a <DocLink slug="/serverless/custom-roles">custom role</DocLink> with at least `Read` privileges for the `Maps` feature.
 
 <div id="kibana-index-pattern"></div>