elastic · joepeeples · Nov 12, 2024 · Nov 12, 2024 · Nov 12, 2024
@@ -15,7 +15,11 @@ NOTE: {elastic-defend}'s feature privileges must be assigned to *All Spaces*. Yo
 [role="screenshot"]
 image::images/endpoint-privileges.png[Configuring privileges in Kibana,75%]
 
-To grant access, select *All* for the *Security* feature in the *{kib} privileges* configuration UI, then turn on the *Customize sub-feature privileges* switch. For each of the following sub-feature privileges, select the type of access you want to allow:
+To grant access, select *All* for the *Security* feature in the *Assign role to space* configuration UI, then turn on the *Customize sub-feature privileges* switch. 
+
+IMPORTANT: Selecting **All** for the overall **Security** feature does NOT enable any sub-features. You must also enable the **Customize sub-feature privileges** switch, and then enable each sub-feature privilege individually.
+
+For each of the following sub-feature privileges, select the type of access you want to allow:
 
 * *All*: Users have full access to the feature, which includes performing all available actions and managing configuration.
 * *Read*: Users can view the feature, but can't perform any actions or manage configuration. (Some features don't have this privilege.)

diff --git a/docs/serverless/edr-install-config/defend-feature-privs.asciidoc b/docs/serverless/edr-install-config/defend-feature-privs.asciidoc
@@ -0,0 +1,71 @@
+[[security-endpoint-management-req]]
+= {elastic-defend} feature privileges
+
+// :description: Manage user roles and privileges to grant access to {elastic-defend} features.
+// :keywords: security, defend, reference, manage
+
+preview:[]
+
+You can create user roles and define privileges to manage feature access in {elastic-sec}. This allows you to use the principle of least privilege while managing access to {elastic-defend}'s features.
+
+To configure roles and privileges, find **Roles** in the navigation menu or by using the global search field. For more details on using this UI, refer to <<custom-roles>>.
+
+[NOTE]
+====
+{elastic-defend}'s feature privileges must be assigned to **All Spaces**. You can't assign them to an individual space.
+====
+
+To grant access, select **All** for the **Security** feature in the **Assign role to space** configuration UI, then turn on the **Customize sub-feature privileges** switch.
+
+IMPORTANT: Selecting **All** for the overall **Security** feature does NOT enable any sub-features. You must also enable the **Customize sub-feature privileges** switch, and then enable each sub-feature privilege individually.
+
+For each of the following sub-feature privileges, select the type of access you want to allow:
+
+* **All**: Users have full access to the feature, which includes performing all available actions and managing configuration.
+* **Read**: Users can view the feature, but can't perform any actions or manage configuration (some features don't have this privilege).
+* **None**: Users can't access or view the feature.
+
+|===
+|  |
+
+| **Endpoint List**
+| Access the <<security-endpoints-page,Endpoints>> page, which lists all hosts running {elastic-defend}, and associated integration details.
+
+| **Trusted Applications**
+| Access the <<security-trusted-applications,Trusted applications>> page to remediate conflicts with other software, such as antivirus or endpoint security applications
+
+| **Host Isolation Exceptions**
+| Access the <<security-host-isolation-exceptions,Host isolation exceptions>> page to add specific IP addresses that isolated hosts can still communicate with.
+
+| **Blocklist**
+| Access the <<security-blocklist,Blocklist>> page to prevent specified applications from running on hosts, extending the list of processes that {elastic-defend} considers malicious.
+
+| **Event Filters**
+| Access the <<security-event-filters,Event Filters>> page to filter out endpoint events that you don't want stored in {es}.
+
+| **{elastic-defend} Policy Management**
+| Access the <<security-policies-page,Policies>> page and {elastic-defend} integration policies to configure protections, event collection, and advanced policy features.
+
+| **Response Actions History**
+| Access the <<security-response-actions-history,response actions history>> for endpoints.
+
+| **Host Isolation**
+| Allow users to <<security-isolate-host,isolate and release hosts>>.
+
+| **Process Operations**
+| Perform host process-related <<security-response-actions,response actions>>, including `processes`, `kill-process`, and `suspend-process`.
+
+| **File Operations**
+| Perform file-related <<security-response-actions,response actions>> in the response console.
+
+| **Execute Operations**
+a| Perform shell commands and script-related <<security-response-actions,response actions>> in the response console.
+
+[WARNING]
+====
+The commands are run on the host using the same user account running the {elastic-defend} integration, which normally has full control over the system. Only grant this feature privilege to {elastic-sec} users who require this level of access.
+====
+
+| **Scan Operations**
+| Perform folder scan <<security-response-actions,response actions>> in the response console.
+|===