elastic · nastasha-solomon · Feb 8, 2022 · Jan 25, 2022 · Jan 25, 2022 · Jan 26, 2022
@@ -13,15 +13,7 @@ You can create roles and define feature privileges at different levels to manage
 NOTE: To send cases to external systems, you need the
 https://www.elastic.co/subscriptions[appropriate license].
 
-When setting up feature access to cases, you can configure the following:
-
-- Base privileges for the {es-sec} solution
-- Sub-feature privileges for the Cases feature (toggle *Customize sub-feature privileges* to use this optional setting)
-- Privileges for actions and connectors
-
-NOTE: Privileges set at the sub-feature level will override base privileges for the {es-sec} solution. In other words, the Cases feature takes on the base privileges of the {es-sec} solution unless configured otherwise. For example, a role with `Read` base privileges only can view {es-sec} features and artifacts (including cases) within the {es-sec} app  but can't modify them. However, setting the role's sub-feature privileges for Cases to `All` allows the role to view and manage cases only.
-
-More information about the minimum privileges needed to use cases is below:
+To grant access to cases, set the {kib} space privileges for the *Cases* and *Actions and Connectors* features as follows:
 
 [discrete]
 [width="100%",options="header"]
@@ -30,15 +22,15 @@ More information about the minimum privileges needed to use cases is below:
 | Action      | {kib} Privileges
 | Give full access to manage cases
 a|
-* `All` for the *Security* feature
+* `All` for the *Cases* feature
 * `All` for the *Action and Connector* feature (go to *Management > Actions and Connectors* to set this)
 
 NOTE: Roles without `All` *Actions and Connectors* feature privileges cannot create, add, delete, or modify case connectors.
 
-| Give view-only access for cases | `Read` for the *Cases* sub-feature
-| Revoke all access to cases | `None` for the *Cases* sub-feature |
+| Give view-only access for cases | `Read` for the *Cases* feature
+| Revoke all access to cases | `None` for the *Cases* feature |
 
 |==============================================
 
 [role="screenshot"]
-image::images/cases-privs.png[]
+image::images/case-feature-privs.png[]
@@ -1,7 +1,7 @@
 [[sec-requirements]]
 = Elastic Security system requirements
 
-{es-sec} is an inbuilt part of {kib}. To use {es-sec}, you only need an {stack}
+{elastic-sec} is an inbuilt part of {kib}. To use {elastic-sec}, you only need an {stack}
 deployment (an {es} cluster and {kib}). For information on installing the
 {stack}, see
 {stack-gs}/get-started-elastic-stack.html[Getting started with the {stack}].
@@ -27,14 +27,14 @@ Changes might be required if your nodes have customized roles. When updating nod
 [discrete]
 == {kib} space and index privileges
 
-To use {es-sec}, you must have at least:
+To use {elastic-sec}, you must have at least:
 
 * `Read` privilege for the `Security` feature in the {kib} space (see
-{kibana-ref}/xpack-spaces.html[Spaces]).
-* `Read` and `view_index_metadata` privileges for all {es-sec} indices, such as
+{kibana-ref}/xpack-spaces.html[Spaces]). This grants you `Read` access to all features in {elastic-sec} except cases. Additional <<case-permissions, minimum privileges>> are needed to use cases.
+* `Read` and `view_index_metadata` privileges for all {elastic-sec} indices, such as
 `filebeat-*`, `packetbeat-*`, `logs-*`, and `endgame-*` indices.
 
-NOTE: <<advanced-settings>> describes how to modify {es-sec} indices.
+NOTE: <<advanced-settings>> describes how to modify {elastic-sec} indices.
 
 For more information about index privileges, see
 {ref}/security-privileges.html[{es} security privileges].
@@ -47,7 +47,7 @@ There are some additional requirements for specific features:
 * <<detections-permissions-section>>
 * <<case-permissions>>
 * <<ml-requirements>>
-* <<sensor-full-disk-access, MacOS {es-sec} agent requirements>>
+* <<sensor-full-disk-access, MacOS {elastic-sec} agent requirements>>
 * <<conf-map-ui>>
 
 [discrete]
@@ -67,23 +67,23 @@ required subscription plans for all features.
 == Advanced configuration and UI options
 
 <<advanced-settings>> describes how to modify advanced settings, such as the
-{es-sec} indices, default time intervals used in filters, and IP reputation
+{elastic-sec} indices, default time intervals used in filters, and IP reputation
 links.
 
 [discrete]
 == Third-party collectors mapped to ECS
 
 The {ecs-ref}[Elastic Common Schema (ECS)] defines a common set of fields to be used for storing event data in Elasticsearch. ECS helps users normalize their event data
 to better analyze, visualize, and correlate the data represented in their
-events. {es-sec} can ingest and normalize events from any ECS-compliant data source.
+events. {elastic-sec} can ingest and normalize events from any ECS-compliant data source.
 
-IMPORTANT: {es-sec} requires {ecs-ref}[ECS-compliant data]. If you use third-party data collectors to ship data to {es}, the data must be mapped to ECS.
-<<siem-field-reference>> lists ECS fields used in {es-sec}.
+IMPORTANT: {elastic-sec} requires {ecs-ref}[ECS-compliant data]. If you use third-party data collectors to ship data to {es}, the data must be mapped to ECS.
+<<siem-field-reference>> lists ECS fields used in {elastic-sec}.
 
 [discrete]
 == Cross-cluster searches
 
-For information on how to perform cross-cluster searches on {es-sec}
+For information on how to perform cross-cluster searches on {elastic-sec}
 indices, see:
 
 * {ref}/modules-cross-cluster-search.html[Search across cluster]