
[RFC] Stage 0: Add user.is_privileged boolean field #2493

Open
wants to merge 4 commits into
base: main
@hop-dev hop-dev commented Jun 18, 2025

This RFC proposes adding a new boolean field, user.is_privileged. It will explicitly flag when a user has elevated or administrative rights.

@hop-dev hop-dev requested a review from a team as a code owner June 18, 2025 13:12
hop-dev added a commit to elastic/kibana that referenced this pull request Jun 20, 2025
… (string) to `user.is_privileged` (boolean) (#224623)

## Summary

We have [this RFC](elastic/ecs#2493) in, I think
this is a safer bet and might save us a migration in the future:

---------

Co-authored-by: kibanamachine <[email protected]>

@mjwolf mjwolf left a comment

I think this is good for RFC stage 0.

I've set this RFC to 0051.

For future RFC stages, there are a few more things to consider.

  • What is a privileged user exactly? For example, it may not be just root, it can be a user with wheel or other similar groups.
  • In Linux, you can already use user.effective.id to see if the user is or has assumed root privileges, which holds similar info to user.is_privileged.
  • In Windows, is this set for all actions with an administrator account, or only actions with the elevated UAC permissions?
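
An added illustration, not part of the review comment above or of the RFC: the two Linux readings of "privileged" raised in that comment (effective UID 0 versus membership in `wheel` or a similar group), applied to the same events to show where they disagree. The group list, the fallback from `user.effective.id` to `user.id`, and the sample events are assumptions constructed for this sketch; the Windows/UAC question is not covered.

```python
# Candidate definitions of "privileged" applied to ECS-style events.
# PRIVILEGED_GROUPS and SAMPLE_EVENTS are constructed assumptions.

PRIVILEGED_GROUPS = {"wheel", "sudo"}  # assumption: "wheel or other similar groups"


def get_field(event, dotted):
    """Read a dotted ECS field name from a nested dict; None if absent."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def by_effective_id(event):
    """Definition A: the action ran as root (effective UID 0)."""
    uid = get_field(event, "user.effective.id")
    if uid is None:
        # Assumption: with no user.effective.*, the effective user is user.*
        uid = get_field(event, "user.id")
    return None if uid is None else str(uid) == "0"


def by_group(event):
    """Definition B: the account belongs to an administrative group."""
    name = get_field(event, "user.group.name")
    if name is None:
        return None  # unknown is kept distinct from False
    names = name if isinstance(name, list) else [name]
    return any(n in PRIVILEGED_GROUPS for n in names)


def compare(events):
    """Return (label, definition A, definition B) for each event."""
    return [(e["label"], by_effective_id(e), by_group(e)) for e in events]


SAMPLE_EVENTS = [  # constructed sample data
    {"label": "root shell", "user": {"id": "0", "group": {"name": "root"}}},
    {"label": "admin, no sudo", "user": {"id": "1000", "group": {"name": "wheel"}}},
    {"label": "admin via sudo", "user": {"id": "1000", "effective": {"id": "0"},
                                         "group": {"name": "wheel"}}},
    {"label": "service account", "user": {"id": "998"}},
]

if __name__ == "__main__":
    for label, a, b in compare(SAMPLE_EVENTS):
        print(f"{label:16} effective_id={a!s:5} group={b}")
```

The two definitions agree only on the sudo case, so a detection rule keyed on the boolean would behave differently depending on which one the producing integration chose.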

akowalska622 pushed a commit to akowalska622/kibana that referenced this pull request Jun 25, 2025
… (string) to `user.is_privileged` (boolean) (elastic#224623)
