[DOCS] Add serverless details in Elasticsearch security privileges (#109718)

lcawl · web-flow · commit 748dbd51e4cb · 2024-07-03T09:52:21.000-07:00
diff --git a/docs/reference/security/authorization/privileges.asciidoc b/docs/reference/security/authorization/privileges.asciidoc
@@ -1,6 +1,9 @@
-[role="xpack"]
 [[security-privileges]]
 === Security privileges
+:frontmatter-description: A list of privileges that can be assigned to user roles.
+:frontmatter-tags-products: [elasticsearch]
+:frontmatter-tags-content-type: [reference] 
+:frontmatter-tags-user-goals: [secure]
 
 This section lists the privileges that you can assign to a role.
 
@@ -19,31 +22,37 @@ See <<delete-async-search,delete async search>> API for more informations.
 `create_snapshot`::
 Privileges to create snapshots for existing repositories. Can also list and view
 details on existing repositories and snapshots.
++
+This privilege is not available in {serverless-full}.
 
 `cross_cluster_replication`::
 Privileges to connect to <<remote-clusters-api-key,remote clusters configured with the API key based model>>
 for cross-cluster replication.
 +
 --
+This privilege is not available in {serverless-full}.
+
 NOTE: This privilege should _not_ be directly granted. It is used internally by
 <<security-api-create-cross-cluster-api-key>> and <<security-api-update-cross-cluster-api-key>>
 to manage cross-cluster API keys.
-
 --
 
 `cross_cluster_search`::
 Privileges to connect to <<remote-clusters-api-key,remote clusters configured with the API key based model>>
 for cross-cluster search.
 +
 --
+This privilege is not available in {serverless-full}.
+
 NOTE: This privilege should _not_ be directly granted. It is used internally by
 <<security-api-create-cross-cluster-api-key>> and <<security-api-update-cross-cluster-api-key>>
 to manage cross-cluster API keys.
-
 --
 
 `grant_api_key`::
 Privileges to create {es} API keys on behalf of other users.
++
+This privilege is not available in {serverless-full}.
 
 `manage`::
 Builds on `monitor` and adds cluster operations that change values in the cluster.
@@ -73,14 +82,37 @@ owned by other users.
 
 --
 
+`manage_autoscaling`::
+All operations related to managing autoscaling policies.
++
+This privilege is not available in {serverless-full}.
+
 `manage_ccr`::
 All {ccr} operations related to managing follower indices and auto-follow
 patterns. It also includes the authority to grant the privileges necessary to
 manage follower indices and auto-follow patterns. This privilege is necessary
 only on clusters that contain follower indices.
++
+This privilege is not available in {serverless-full}.
+
+`manage_data_frame_transforms`::
+All operations related to managing {transforms}.
+deprecated[7.5] Use `manage_transform` instead.
++
+This privilege is not available in {serverless-full}.
+
+`manage_data_stream_global_retention`::
+All operations related to managing the data stream global retention settings.
++
+This privilege is not available in {serverless-full}.
+
+`manage_enrich`::
+All operations related to managing and executing enrich policies.
 
 `manage_ilm`::
-All {Ilm} operations related to managing policies.
+All {ilm} operations related to managing policies.
++
+This privilege is not available in {serverless-full}.
 
 `manage_index_templates`::
 All operations on index templates.
@@ -112,6 +144,8 @@ Enables the use of {es} APIs
 <<security-api-oidc-authenticate,OpenID connect authenticate>>, and
 <<security-api-oidc-logout,OpenID connect logout>>)
 to initiate and manage OpenID Connect authentication on behalf of other users.
++
+This privilege is not available in {serverless-full}.
 
 `manage_own_api_key`::
 All security-related operations on {es} API keys that are owned by the current
@@ -129,10 +163,14 @@ All operations on ingest pipelines.
 `manage_rollup`::
 All rollup operations, including creating, starting, stopping and deleting
 rollup jobs.
++
+This privilege is not available in {serverless-full}.
 
 `manage_saml`::
 Enables the use of internal {es} APIs to initiate and manage SAML authentication
 on behalf of other users.
++
+This privilege is not available in {serverless-full}.
 
 `manage_search_application`::
 All CRUD operations on <<search-application-apis, search applications>>.
@@ -152,46 +190,45 @@ All security-related operations on {es} service accounts including
 <<security-api-get-service-accounts>>,
 <<security-api-create-service-token>>, <<security-api-delete-service-token>>,
 and <<security-api-get-service-credentials>>.
++
+This privilege is not available in {serverless-full}.
 
 `manage_slm`::
 All {slm} ({slm-init}) actions, including creating and updating policies and
 starting and stopping {slm-init}.
++
+This privilege is not available in {serverless-full}.
 
 `manage_token`::
 All security-related operations on tokens that are generated by the {es} Token
 Service.
++
+This privilege is not available in {serverless-full}.
 
 `manage_transform`::
 All operations related to managing {transforms}.
 
-`manage_autoscaling`::
-All operations related to managing autoscaling policies.
-
-`manage_data_frame_transforms`::
-All operations related to managing {transforms}.
-deprecated[7.5] Use `manage_transform` instead.
-
-`manage_enrich`::
-All operations related to managing and executing enrich policies.
-
-`manage_data_stream_global_retention`::
-All operations related to managing the data stream global retention settings.
-
 `manage_watcher`::
 All watcher operations, such as putting watches, executing, activate or acknowledging.
 +
 --
+This privilege is not available in {serverless-full}.
+
 NOTE: Watches that were created prior to version 6.1 or created when the
 {security-features} were disabled run as a system user with elevated privileges,
 including permission to read and write all indices. Newer watches run with the
 security roles of the user who created or updated them.
-
 --
 
 `monitor`::
 All cluster read-only operations, like cluster health and state, hot threads,
 node info, node and cluster stats, and pending cluster tasks.
 
+`monitor_data_stream_global_retention`::
+Allows the retrieval of the data stream global retention settings.
++
+This privilege is not available in {serverless-full}.
+
 `monitor_enrich`::
 All read-only operations related to managing and executing enrich policies.
 
@@ -205,38 +242,49 @@ model snapshots, or results.
 `monitor_rollup`::
 All read-only rollup operations, such as viewing the list of historical and
 currently running rollup jobs and their capabilities.
++
+This privilege is not available in {serverless-full}.
 
 `monitor_snapshot`::
 Privileges to list and view details on existing repositories and snapshots.
++
+This privilege is not available in {serverless-full}.
 
 `monitor_text_structure`::
 All read-only operations related to the <<find-structure,find structure API>>.
++
+This privilege is not available in {serverless-full}.
 
 `monitor_transform`::
 All read-only operations related to {transforms}.
 
-`monitor_data_stream_global_retention`::
-Allows the retrieval of the data stream global retention settings.
-
 `monitor_watcher`::
 All read-only watcher operations, such as getting a watch and watcher stats.
++
+This privilege is not available in {serverless-full}.
 
 `read_ccr`::
 All read-only {ccr} operations, such as getting information about indices and
 metadata for leader indices in the cluster. It also includes the authority to
 check whether users have the appropriate privileges to follow leader indices.
 This privilege is necessary only on clusters that contain leader indices.
++
+This privilege is not available in {serverless-full}.
 
 `read_ilm`::
 All read-only {Ilm} operations, such as getting policies and checking the
 status of {Ilm}
++
+This privilege is not available in {serverless-full}.
 
 `read_pipeline`::
 Read-only access to ingest pipline (get, simulate).
 
 `read_slm`::
 All read-only {slm-init} actions, such as getting policies and checking the
 {slm-init} status.
++
+This privilege is not available in {serverless-full}.
 
 `read_security`::
 All read-only security-related operations, such as getting users, user profiles,
@@ -247,6 +295,8 @@ on all {es} API keys.
 `transport_client`::
 All privileges necessary for a transport client to connect. Required by the remote
 cluster to enable <<remote-clusters,{ccs}>>.
++
+This privilege is not available in {serverless-full}.
 
 [[privileges-list-indices]]
 ==== Indices privileges
@@ -320,16 +370,19 @@ Privileges to perform cross-cluster replication for indices located on
 <<remote-clusters-api-key,remote clusters configured with the API key based model>>.
 This privilege should only be used for
 the `privileges` field of <<roles-remote-indices-priv,remote indices privileges>>.
++
+This privilege is not available in {serverless-full}.
 
 `cross_cluster_replication_internal`::
 Privileges to perform supporting actions for cross-cluster replication from
 <<remote-clusters-api-key,remote clusters configured with the API key based model>>.
 +
 --
+This privilege is not available in {serverless-full}.
+
 NOTE: This privilege should _not_ be directly granted. It is used internally by
 <<security-api-create-cross-cluster-api-key>> and <<security-api-update-cross-cluster-api-key>>
 to manage cross-cluster API keys.
-
 --
 
 `delete`::
@@ -356,24 +409,30 @@ All `monitor` privileges plus index and data stream administration (aliases,
 analyze, cache clear, close, delete, exists, flush, mapping, open, field capabilities,
 force merge, refresh, settings, search shards, validate query).
 
+`manage_data_stream_lifecycle`::
+All <<data-stream-lifecycle, Data stream lifecycle>> operations relating to reading and managing the built-in lifecycle of a data stream.
+This includes operations such as adding and removing a lifecycle from a data stream.
+
 `manage_follow_index`::
 All actions that are required to manage the lifecycle of a follower index, which
 includes creating a follower index, closing it, and converting it to a regular
 index. This privilege is necessary only on clusters that contain follower indices.
++
+This privilege is not available in {serverless-full}.
 
 `manage_ilm`::
 All {Ilm} operations relating to managing the execution of policies of an index
 or data stream. This includes operations such as retrying policies and removing
 a policy from an index or data stream.
-
-`manage_data_stream_lifecycle`::
-All <<data-stream-lifecycle, Data stream lifecycle>> operations relating to reading and managing the built-in lifecycle of a data stream.
-This includes operations such as adding and removing a lifecycle from a data stream.
++
+This privilege is not available in {serverless-full}.
 
 `manage_leader_index`::
 All actions that are required to manage the lifecycle of a leader index, which
 includes <<ccr-post-forget-follower,forgetting a follower>>. This
 privilege is necessary only on clusters that contain leader indices.
++
+This privilege is not available in {serverless-full}.
 
 `monitor`::
 All actions that are required for monitoring (recovery, segments info, index
@@ -386,6 +445,8 @@ clear_scroll, search, suggest, tv).
 
 `read_cross_cluster`::
 Read-only access to the search action from a <<remote-clusters,remote cluster>>.
++
+This privilege is not available in {serverless-full}.
 
 `view_index_metadata`::
 Read-only access to index and data stream metadata (aliases, exists,
@@ -411,6 +472,8 @@ of user names. (You can also specify users as an array of strings or a YAML
 sequence.) For more information, see
 <<run-as-privilege>>.
 
+This privilege is not available in {serverless-full}.
+
 [[application-privileges]]
 ==== Application privileges
 
