
[Security Solution][Detection Engine] Verify if changes to saved query privileges in 9.0 can cause rule failures #204127

Status: Open. Opened by marshallmain on Dec 12, 2024 · 6 comments

Labels: Team:Detection Engine (Security Solution Detection Engine Area); Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)

Comments

@marshallmain (Contributor)

See https://github.com/elastic/dev/issues/2775#issuecomment-2387066863 - access to saved queries in 9.0 will change. We need to check to see if this can cause rule failures, and if so, what can we do to mitigate issues on upgrade.

marshallmain added the labels "Team: SecuritySolution" and "Team:Detection Engine" on Dec 12, 2024.

@elasticmachine (Contributor)

Pinging @elastic/security-detection-engine (Team:Detection Engine)

@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@yctercero (Contributor)

@vitaliidm @marshallmain Ryland will take this one for 9.0.

@rylnd (Contributor) commented Jan 10, 2025

@marshallmain @yctercero I did some cursory exploration here and I'm having trouble understanding how this fits into the broader effort described in https://github.com/elastic/dev/issues/2775:

  1. Are we defining new feature privileges, and a migration path for them? I reviewed e.g. [SecuritySolution] Breaking out timeline & note privileges #201780, which introduces new privileges for notes and timeline, but have not seen similar discussion/movement about rules privileges.
  2. As far as I can tell, we use the alerting-provided SavedObjects client to retrieve our saved query. I'll need to investigate further to answer:
    1. Whether this client is scoped to the current user
    2. Whether it respects a user's feature privileges, vs. e.g. a snapshot of ES privileges
    3. Whether it is dynamic with changes to feature privileges, and would e.g. be migrated automatically with the appropriate replacedBy declaration.

If either of you can help provide context for 1, I will continue to investigate 2.

@yctercero (Contributor)

From our discussion at team sync:

> Are we defining new feature privileges, and a migration path for them? I reviewed e.g. #201780, which introduces new privileges for notes and timeline, but have not seen similar discussion/movement about rules privileges.

We are not updating our privileges in 8.x series. Planned changes are for 9.1+.

> As far as I can tell, we use the alerting-provided SavedObjects client to retrieve our saved query. I'll need to investigate further to answer:

Discussed reaching out to alerting for this.

@rylnd (Contributor) commented Jan 23, 2025

Quick update: this is still being discussed internally, but I've so far confirmed that feature privileges are encoded as part of a user/rule's API key. We're still collectively trying to figure out whether/how that works with the privilege migration/lifecycle mechanisms, and whether e.g. the savedObjectsClient will be able to leverage the replacedBy declaration for the outdated, encoded privilege(s).
