From c4fb0cd6de5b00ee7c39e676f509a561ea7714c8 Mon Sep 17 00:00:00 2001 From: Kaituo Li Date: Mon, 13 Nov 2023 15:43:43 -0800 Subject: [PATCH] Update Security Docs: Clarify Anomaly Detection Access Control (#5581) * Update Security Docs: Clarify Anomaly Detection Access Control This commit updates the security documentation to clarify how `anomaly_read_access` and `anomaly_full_access` permissions impact user access to anomaly detection results. It explains that users without backend roles can still view each other's detection results with these permissions. The documentation now also emphasizes the importance of using backend role filters for more granular access control to detector results. Signed-off-by: Kaituo Li * Update _observing-your-data/ad/security.md Co-authored-by: Melissa Vagi Signed-off-by: Kaituo Li --------- Signed-off-by: Kaituo Li Co-authored-by: Melissa Vagi --- _observing-your-data/ad/security.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/_observing-your-data/ad/security.md b/_observing-your-data/ad/security.md index 8b9d80ba..8eeaa3df 100644 --- a/_observing-your-data/ad/security.md +++ b/_observing-your-data/ad/security.md 
@@ -92,3 +92,5 @@ PUT _plugins/_security/api/rolesmapping/anomaly_full_access ``` Because they have different backend roles, `alice` and `bob` cannot view each other's detectors or their results. + +If users do not have backend roles, they still can view other users' anomaly detection results as long as they have `anomaly_read_access`. This is the same for users who have `anomaly_full_access`, as it includes all of the permissions as `anomaly_read_access`. Administrators should inform users that having `anomaly_read_access` allows for viewing of the results from any detector in the cluster, including data not directly accessible to them. To limit access to the detector results, administrators should use backend role filters at the time the detector is created. This ensures only users with matching backend roles can access results from those particular detectors. \ No newline at end of file
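Review bot: The added paragraph at the end of this hunk states the exposure in terms of the viewer ("If users do not have backend roles") but gives the mitigation in terms of the detector ("use backend role filters at the time the detector is created"), so a reader cannot tell which condition actually leaves results visible. Suggest stating both in the same terms, and saying explicitly what a user with no backend roles can see once a detector has been created with a backend role filter. The clause that `anomaly_read_access` allows viewing results "including data not directly accessible to them" is the security-relevant point here and would be easier to find if it were set apart as its own paragraph or note instead of sitting mid-paragraph. Wording: "they still can view" reads better as "they can still view", and "includes all of the permissions as `anomaly_read_access`" should be "all of the permissions of" or "the same permissions as". The hunk also ends with "\ No newline at end of file"; please add a trailing newline to `security.md`.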