diff --git a/reference/fleet/fleet-roles-privileges.md b/reference/fleet/fleet-roles-privileges.md
index ec1fc5803d..4ec2a1c7df 100644
--- a/reference/fleet/fleet-roles-privileges.md
+++ b/reference/fleet/fleet-roles-privileges.md
@@ -6,9 +6,10 @@ products:
- id: elastic-agent
---
-# Required roles and privileges [fleet-roles-and-privileges]
+# Roles and privileges [fleet-roles-and-privileges]
-Assigning the {{kib}} feature privileges `Fleet` and `Integrations` grants access to use {{fleet}} and Integrations.
+Use {{kib}} roles and privileges to grant users access to {{fleet}} and Integrations.
+{{fleet}} and integrations privileges can be set to:
`all`
: Grants full read-write access.
@@ -19,22 +20,27 @@ Assigning the {{kib}} feature privileges `Fleet` and `Integrations` grants acces
`none`
: No access is granted.
-Take advantage of these privilege settings by:
+You can take advantage of these privilege settings by:
* [Using an {{es}} built-in role](#fleet-roles-and-privileges-built-in)
-* [Creating a new role](#fleet-roles-and-privileges-create)
+* [Creating a new role](#fleet-roles-and-privileges-create).
+
+To configure access at a more granular level, select a custom set of privileges for individual {{fleet}} features:
+
+* [Customize sub-feature privileges for {{fleet}}](#fleet-roles-and-privileges-sub-features) {applies_to}`stack: ga 9.1`
+
## Built-in roles [fleet-roles-and-privileges-built-in]
{{es}} comes with built-in roles that include default privileges.
`editor`
-: The built-in `editor` role grants the following privileges, supporting full read-write access to {{fleet}} and Integrations:
+: The built-in `editor` role grants these privileges, supporting full read-write access to {{fleet}} and Integrations:
* {{Fleet}}: `all`
* Integrations: `all`
`viewer`
-: The built-in `viewer` role grants the following privileges, supporting read-only access to {{fleet}} and Integrations:
+: The built-in `viewer` role grants these privileges, supporting read-only access to {{fleet}} and Integrations:
* {{Fleet}}:: `read`
* Integrations:: `read`
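Review bot: The edited bullet "[Creating a new role](#fleet-roles-and-privileges-create)." now ends with a period while the sibling bullet "[Using an {{es}} built-in role]" and the new sub-feature bullet do not; make the three consistent (no period is what the page uses elsewhere). While touching this hunk, the `viewer` list uses a doubled colon (`{{Fleet}}:: \`read\``, `Integrations:: \`read\``) where the `editor` list uses a single one; the extra colon is likely a typo that will render literally.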
@@ -42,7 +48,7 @@ Take advantage of these privilege settings by:
You can also create a new role that can be assigned to a user, in order to grant more specific levels of access to {{fleet}} and Integrations.
-## Create a role for {{fleet}} [fleet-roles-and-privileges-create]
+## Create a new role for {{fleet}} [fleet-roles-and-privileges-create]
To create a new role with access to {{fleet}} and Integrations:
@@ -52,7 +58,8 @@ To create a new role with access to {{fleet}} and Integrations:
4. Specify a name for the role.
5. Leave the {{es}} settings at their defaults, or refer to [Security privileges](elasticsearch://reference/elasticsearch/security-privileges.md) for descriptions of the available settings.
6. In the {{kib}} section, select **Assign to space**.
-7. In the **Spaces** menu, select **All Spaces**. Since many Integrations assets are shared across spaces, the users need the {{kib}} privileges in all spaces.
+7. In the **Spaces** menu, select **All Spaces**.
+ Because many Integrations assets are shared across spaces, users need the {{kib}} privileges in all spaces.
8. Expand the **Management** section.
9. Set **Fleet** privileges to **All**.
10. Choose the access level that you'd like the role to have with respect to {{fleet}} and integrations:
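Review bot: Step 9 ("Set **Fleet** privileges to **All**") contradicts step 10, which immediately asks the reader to choose between `All` and `Read` for Fleet and Integrations; either drop step 9 or reword it to locate the **Fleet** entry without setting a value, so a reader building a read-only role is not told to grant `All` first. The split of step 7 into two lines is fine, but since the role is assigned to **All Spaces**, it is worth one sentence noting that the chosen Fleet and Integrations privileges will apply in every space, which is the reason to keep them as narrow as the later sub-feature section allows.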
@@ -61,10 +68,114 @@ To create a new role with access to {{fleet}} and Integrations:
:alt: Kibana privileges flyout showing Fleet and Integrations access set to All
:screenshot:
:::
- 2. Similarly, to create a read-only user for {{fleet}} and Integrations, set both the **Fleet** and **Integrations** privileges to `Read`.
+ 2. To create a read-only user for {{fleet}} and Integrations, set both the **Fleet** and **Integrations** privileges to `Read`.
:::{image} images/kibana-fleet-privileges-read.png
:alt: Kibana privileges flyout showing Fleet and Integrations access set to All
:screenshot:
:::
+ 3. If you'd like to define more specialized access to {{fleet}} based on individual components, expand the **Fleet** menu and enable **Customize sub-feature privileges**.
+ :::{image} images/kibana-fleet-privileges-enable.png
+ :alt: Kibana customize sub-feature privileges UI
+ :screenshot:
+ :::
+
+ Any setting for individual {{fleet}} components that you specify here takes precedence over the general `All`, `Read`, or `None` privilege set for {{fleet}}.
+
+ Based on your selections, access to features in the {{fleet}} UI are enabled or disabled for the role.
+ Those details are covered in the next section: [Customize access to {{fleet}} features](#fleet-roles-and-privileges-sub-features).
+
+After you've created a new role, you can assign it to any {{es}} user.
+You can edit the role at any time by returning to the **Roles** page in {{kib}}.
+
+## Customize sub-feature privileges for {{fleet}}[fleet-roles-and-privileges-sub-features]
+
+```{applies_to}
+stack: ga 9.1
+```
+
+Beginning with {{stack}} version 9.1, you have more granular control when [creating a new role](#fleet-roles-and-privileges-create) or editing it. This is useful when people in your organization access {{fleet}} for different purposes, and you need to fine-tune the components that they can view and the actions that they can perform.
+
+The {{fleet}} UI varies depending on the privileges granted to the role.
+
+### Example 1: Read access for {{agents}}[fleet-roles-and-privileges-sub-features-example1]
+
+Set `Read` access for {{agents}} only:
+
+* Agents: `Read`
+* Agent policies: `None`
+* Settings: `None`
+
+With these privileges, the {{fleet}} UI shows only the **Agents** and **Data streams** tabs.
+The **Agent policies**, **Enrollment tokens**, **Uninstall tokens**, and **Settings** tabs are unavailable.
+
+The set of actions available for an agent are limited to viewing the agent and requesting a diagnostics bundle.
+
+:::{image} images/kibana-fleet-privileges-agents-view.png
+:alt: Fleet UI showing only the Agents and Data streams tabs
+:screenshot:
+:::
+
+Change the **Agents** privilege to `All` to enable the role to perform the [full set of available actions](/reference/fleet/manage-agents.md) on {{agents}}.
+
+### Example 2: Read access for all {{fleet}} features[fleet-roles-and-privileges-sub-features-example2]
+
+Set `Read` access for {{agents}}, agent policies, and {{fleet}} settings:
+
+* Agents: `Read`
+* Agent policies: `Read`
+* Settings: `Read`
+
+With these privileges, the {{fleet}} UI shows the **Agents**, **Agent policies**, **Data streams**, and **Settings** tabs.
+The **Enrollment tokens** and **Uninstall tokens** tabs are unavailable.
+
+The set of actions available for an agent are limited to viewing the agent and requesting a diagnostics bundle.
+
+You can view agent policies, but you cannot create a new policy.
+
+:::{image} images/kibana-fleet-privileges-all-view.png
+:alt: Fleet UI showing four tabs available
+:screenshot:
+:::
+
+You can view {{fleet}} settings, but they are not editable.
+
+:::{image} images/kibana-fleet-privileges-view-settings.png
+:alt: Fleet UI showing settings are non-editable
+:screenshot:
+:::
+
+### Example 3: All access for {{agents}}[fleet-roles-and-privileges-sub-features-example3]
+
+Set `All` access for {{agents}} only:
+
+* Agents: `All`
+* Agent policies: `Read`
+* Settings: `Read`
+
+With these privileges, the {{fleet}} UI shows all tabs.
+
+All {{agent}} actions can be performed and new agents can be created. Enrollment tokens and uninstall tokens are both available.
+
+:::{image} images/kibana-fleet-privileges-agent-all.png
+:alt: Fleet UI showing all tabs available
+:screenshot:
+:::
+
+Access to {{fleet}} settings is still read-only.
+To enable actions such as creating a new {{fleet-server}}, set the **Fleet Settings** privilege to `All`.
+
+
+## {{fleet}} privileges and available actions [fleet-roles-and-privileges-sub-features-table]
+
+```{applies_to}
+stack: ga 9.1
+```
+
+
+This table shows the set of available actions for the `read` or `all` privilege for each {{fleet}} feature.
-Once you've created a new role you can assign it to any {{es}} user. You can edit the role at any time by returning to the **Roles** page in {{kib}}.
\ No newline at end of file
+|Component |`read` privilege |`all` privilege |
+| --- | --- | --- |
+| Agents | View-only access to {{agents}}, including:
* [View a list of all agents and their status](/reference/fleet/monitor-elastic-agent.md#view-agent-status)
* [Request agent diagnostic packages](/reference/fleet/monitor-elastic-agent.md#collect-agent-diagnostics) |Full access to manage {{agents}}, including:
* [Perform upgrades](/reference/fleet/upgrade-elastic-agent.md)
* [Configure monitoring](/reference/fleet/monitor-elastic-agent.md)
* [Migrate agents to a new cluster](/reference/fleet/migrate-elastic-agent.md)
* [Unenroll agents from {{fleet}}](/reference/fleet/unenroll-elastic-agent.md)
* [Set the inactivity timeout](/reference/fleet/set-inactivity-timeout.md)
* [Create and revoke enrollment tokens](/reference/fleet/fleet-enrollment-tokens.md) |
+| Agent policies | View-only access, including:
* Agent policies and settings
* The integrations associated with a policy | Full access to manage agent policies, including:
* [Create a policy](/reference/fleet/agent-policy.md#create-a-policy)
* [Add an integration to a policy](/reference/fleet/agent-policy.md#add-integration)
* [Apply a policy](/reference/fleet/agent-policy.md#apply-a-policy)
* [Edit or delete an integration](/reference/fleet/agent-policy.md#policy-edit-or-delete)
* [Copy a policy](/reference/fleet/agent-policy.md#copy-policy)
* [Edit or delete a policy](/reference/fleet/agent-policy.md#policy-main-settings)
* [Change the output of a policy](/reference/fleet/agent-policy.md#change-policy-output) |
+| Fleet settings | View-only access, including:
* Configured {{fleet}} hosts
* {{fleet}} output settings
* The location to download agent binaries | Full access to manage {{fleet}} settings, including:
* [Editing hosts](/reference/fleet/fleet-settings.md#fleet-server-hosts-setting)
* [Adding or editing outputs](/reference/fleet/fleet-settings.md#output-settings)
* [Update the location for downloading agent binaries](/reference/fleet/fleet-settings.md#fleet-agent-binary-download-settings) |
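Review bot: The new privileges table puts multi-line bullet lists inside pipe-table cells (the `Agents`, `Agent policies` and `Fleet settings` rows each span several lines); pipe tables require one row per line, so this will not render as a table. Either join each cell onto one line with `<br>` separators or switch to a list-table directive. Other points in this hunk: the alt text for `kibana-fleet-privileges-read.png` still reads "access set to All" and should say "Read"; the four new headings (`## Customize sub-feature privileges for {{fleet}}[...]`, the three `### Example` headings) lack the space before the `[anchor]` that the existing headings use; Example 3 says "Set `All` access for {{agents}} only" but then grants `Read` on agent policies and settings, and "new agents can be created" should be "new agents can be enrolled", which is what enrollment tokens do; the same example calls the privilege **Fleet Settings** where the lists and table call it **Settings** / **Fleet settings**; the sentence "The set of actions available for an agent are limited to..." appears twice and needs "is limited"; and "access to features in the {{fleet}} UI are enabled or disabled" needs "is enabled or disabled". The table header also uses lowercase `read`/`all` while the examples use `Read`/`All`; one form throughout.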
diff --git a/reference/fleet/images/kibana-fleet-privileges-agent-all.png b/reference/fleet/images/kibana-fleet-privileges-agent-all.png
new file mode 100644
index 0000000000..7ae69225da
Binary files /dev/null and b/reference/fleet/images/kibana-fleet-privileges-agent-all.png differ
diff --git a/reference/fleet/images/kibana-fleet-privileges-agents-view.png b/reference/fleet/images/kibana-fleet-privileges-agents-view.png
new file mode 100644
index 0000000000..33695f4313
Binary files /dev/null and b/reference/fleet/images/kibana-fleet-privileges-agents-view.png differ
diff --git a/reference/fleet/images/kibana-fleet-privileges-all-view.png b/reference/fleet/images/kibana-fleet-privileges-all-view.png
new file mode 100644
index 0000000000..efea268b9e
Binary files /dev/null and b/reference/fleet/images/kibana-fleet-privileges-all-view.png differ
diff --git a/reference/fleet/images/kibana-fleet-privileges-all.png b/reference/fleet/images/kibana-fleet-privileges-all.png
index 128b1862b6..36782f00c1 100644
Binary files a/reference/fleet/images/kibana-fleet-privileges-all.png and b/reference/fleet/images/kibana-fleet-privileges-all.png differ
diff --git a/reference/fleet/images/kibana-fleet-privileges-enable.png b/reference/fleet/images/kibana-fleet-privileges-enable.png
new file mode 100644
index 0000000000..8731e6d493
Binary files /dev/null and b/reference/fleet/images/kibana-fleet-privileges-enable.png differ
diff --git a/reference/fleet/images/kibana-fleet-privileges-view-settings.png b/reference/fleet/images/kibana-fleet-privileges-view-settings.png
new file mode 100644
index 0000000000..00bfbc4504
Binary files /dev/null and b/reference/fleet/images/kibana-fleet-privileges-view-settings.png differ
diff --git a/reference/fleet/images/kibana-fleet-privileges.png b/reference/fleet/images/kibana-fleet-privileges.png
new file mode 100644
index 0000000000..cea848dab7
Binary files /dev/null and b/reference/fleet/images/kibana-fleet-privileges.png differ