[Fleet] Handle unavailable spaces in agent policy space selector

[jillguyonnet]

Summary

Closes #193827

This PR improves the space selector in agent policy setting to handle the case where the user does not have access to all policy spaces.

In this case:

• Space selection is disabled
• The "Create space" link is hidden
• A tooltip is shown to inform the user why the input is disabled
• The inaccessible space badges are given an Unavailable space badge

Screenshots

For a user with access to all policy spaces (no change):

For a user with access to only a subset of policy spaces:

Checklist

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Unit or functional tests were updated or added to match the most common scenarios
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines

[nchaulet]

This looks a good solution to me, we should probably remove the space_ids property when that field is disabled from the data we send to update the policy here https://github.com/elastic/kibana/blob/main/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/details_page/components/settings/index.tsx#L108

[jillguyonnet]

we should probably remove the space_ids property when that field is disabled from the data

Good catch, thanks! I pushed a fix. I kept it local to the component instead of centralising the userHasAccessToAllPolicySpaces logic as it is small enough, let me know what you think.

One general concern I had is that this fix relies on the Saved Objects API returning ? for the id of unavailable spaces. It allows the fix to be small, but I'm not sure how reliable this will be in the future. Any thoughts?

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[nchaulet]

One general concern I had is that this fix relies on the Saved Objects API returning ? for the id of unavailable spaces. It allows the fix to be small, but I'm not sure how reliable this will be in the future. Any thoughts?

It seems pretty reliable, the space plugin seems to use that behavior frequently in their code, it seems also they expose a UNKNOWN_SPACE constant that we may want to use

[nchaulet]

LGTM 🚀

[jillguyonnet]

It seems pretty reliable, the space plugin seems to use that behavior frequently in their code, it seems also they expose a UNKNOWN_SPACE constant that we may want to use

Cheers 👍 I pushed a commit to use the constant.

[kpollich]

Is there anything preventing us from hiding the spaces entirely instead of displaying "unavailable space"? This badge isn't actionable for users with limited space access, and seems like it's adding UI noise for them.

[jillguyonnet]

Is there anything preventing us from hiding the spaces entirely instead of displaying "unavailable space"? This badge isn't actionable for users with limited space access, and seems like it's adding UI noise for them.

Nothing preventing, it's a small change. My thinking was that this shows more clearly why the input is disabled, but with the tooltip it shouldn't be a concern. If showing how many unavailable spaces are assigned is a concern, then I'm definitely happy to hide them instead.

[kpollich]

If showing how many unavailable spaces are assigned is a concern, then I'm definitely happy to hide them instead.

If we're relying on spaces as an information/data isolation mechanism, I think a user with permissions to only 2 spaces should not know there are 12 available spaces in Kibana. Hiding the spaces entirely seems like the more "proper" thing to do when it comes to data isolation. I'd be in favor of making this change here.

[jillguyonnet]

Hiding the spaces entirely seems like the more "proper" thing to do when it comes to data isolation.

Thank you, agreed and done. I've updated the PR description.

[nchaulet]

🚀

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 6079fad

Failed CI Steps

• Jest Tests #11
• Jest Tests #11
• FTR Configs #79

Test Failures

• [job] [logs] Jest Tests #11 / AgentStatusFilter Shows tour and inactive count if first time seeing newly inactive agents
• [job] [logs] FTR Configs #79 / discover/group4 data view flyout "after all" hook for "update data view with no time field"
• [job] [logs] FTR Configs #79 / discover/group4 data view flyout create saved data view
• [job] [logs] Jest Tests #11 / step select agent policy should select first agent policy by default if multiple exists

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
fleet	1240	1241	+1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
fleet	1.7MB	1.7MB	+419.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
fleet	174.2KB	174.3KB	+43.0B

History

• 💔 Build #253607 failed 6b8d3ee
• 💚 Build #253311 succeeded 9564563
• 💔 Build #253301 failed 576dc66

cc @jillguyonnet