From db2b8e93e6687999a3c3a30c0bee8433c93b4d90 Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Mon, 26 Apr 2021 14:54:51 -0700 Subject: [PATCH 1/2] docs: remove apm_user --- docs/apm/apm-app-users.asciidoc | 92 ++++++---- .../apm-app-reader/content.asciidoc | 45 +++++ .../apm-app-reader/widget.asciidoc | 40 +++++ .../central-config-users/content.asciidoc | 53 ++++++ .../central-config-users/widget.asciidoc | 40 +++++ docs/apm/tab-widgets/code.asciidoc | 166 ++++++++++++++++++ 6 files changed, 403 insertions(+), 33 deletions(-) create mode 100644 docs/apm/tab-widgets/apm-app-reader/content.asciidoc create mode 100644 docs/apm/tab-widgets/apm-app-reader/widget.asciidoc create mode 100644 docs/apm/tab-widgets/central-config-users/content.asciidoc create mode 100644 docs/apm/tab-widgets/central-config-users/widget.asciidoc create mode 100644 docs/apm/tab-widgets/code.asciidoc diff --git a/docs/apm/apm-app-users.asciidoc b/docs/apm/apm-app-users.asciidoc index 3f0a42251304c..dd0d870604484 100644 --- a/docs/apm/apm-app-users.asciidoc +++ b/docs/apm/apm-app-users.asciidoc @@ -10,7 +10,7 @@ Users and privileges ++++ -You can use role-based access control to grant users access to secured +Use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization's security requirements and the minimum privileges required to use specific features. @@ -24,6 +24,13 @@ In general, there are three types of privileges you'll work with: * **Elasticsearch index privileges**: Control access to the data in specific indices your cluster. * **Kibana space privileges**: Grant users write or read access to features and apps within Kibana. +Select your use-case to get started: + +* <> +* <> +* <> +* <> + //// *********************************** *********************************** //// 
@@ -36,13 +43,30 @@ In general, there are three types of privileges you'll work with: Create an APM reader user ++++ +APM reader users typically need to view the APM app and dashboards and visualizations that use APM data. +These users might also need to create and edit dashboards, visualizations, and machine learning jobs. + [[apm-app-reader-full]] -==== Full APM reader +==== APM reader -APM reader users typically need to view the APM app, dashboards, and visualizations that contain APM data. -These users might also need to create and edit dashboards, visualizations, and machine learning jobs. +To create an APM reader user: + +. Create a new role, named something like `read-apm`, and assign the following privileges: ++ +-- +include::./tab-widgets/apm-app-reader/widget.asciidoc[] +-- ++ +TIP: Using the {apm-server-ref-v}/apm-integration.html[APM integration for Elastic Agent]? +Add the privileges under the **Data streams** tab. -. Assign the following built-in roles: +If your APM data is being sent to APM Server, you're using classic APM indices. + +If your APM data is ingested into `apm-*` indices, you're using classic APM indices. +If you're + +. Assign the `read-apm` role created in the previous step, and the following built-in roles to +any APM reader users: + [options="header"] |==== @@ -51,9 +75,6 @@ These users might also need to create and edit dashboards, visualizations, and m |`kibana_admin` |Grants access to all features in Kibana. -|`apm_user` -|Grants the privileges required for APM users on +{beat_default_index_prefix}*+ indices - |`machine_learning_admin` |Grants the privileges required to create, update, and view machine learning jobs |==== 
@@ -63,14 +84,14 @@ These users might also need to create and edit dashboards, visualizations, and m In some instances, you may wish to restrict certain Kibana apps that a user has access to. -. Assign the following built in roles: +. Create a new role, named something like `read-apm-partial`, and assign the following privileges: + -[options="header"] -|==== -|Role | Purpose -|`apm_user` -|Grants the privileges required for APM users on +{beat_default_index_prefix}*+ indices -|==== +-- +include::./tab-widgets/apm-app-reader/widget.asciidoc[] +-- ++ +TIP: Using the {apm-server-ref-v}/apm-integration.html[APM integration for Elastic Agent]? +Add the privileges under the **Data streams** tab. . Assign space privileges to any Kibana space that the user needs access to. Here are two examples: @@ -98,6 +119,8 @@ Here are two examples: |Grants the privileges required to create, update, and view machine learning jobs |==== +include::./tab-widgets/code.asciidoc[] + //// *********************************** *********************************** //// @@ -138,7 +161,7 @@ and assign the following privileges: ^1^ +\{ANNOTATION_INDEX\}+ should be the index name you've defined in <>. -. Assign the `annotation_user` created previously, and the built-in roles necessary to create +. Assign the `annotation_user` created previously, and the roles and privileges necessary to create a <> or <> APM reader to any users that need to view annotations in the APM app [[apm-app-annotation-api]] 
@@ -163,17 +186,17 @@ See <>. Central configuration users need to be able to view, create, update, and delete Agent configurations. -. Assign the following built-in roles: +. Create a new role, named something like `central-config-manager`, and assign the following privileges: + -[options="header"] -|==== -|Role | Purpose - -|`apm_user` -|Grants the privileges required for APM users on +{beat_default_index_prefix}*+ indices -|==== +-- +include::./tab-widgets/central-config-users/widget.asciidoc[] +-- ++ +TIP: Using the {apm-server-ref-v}/apm-integration.html[APM integration for Elastic Agent]? +Add the privileges under the **Data streams** tab. -. Assign the following Kibana space privileges: +. Assign the `central-config-manager` role created in the previous step, and the following Kibana space privileges to +anyone who needs to manage central configurations: + [options="header"] |==== @@ -190,16 +213,17 @@ Central configuration users need to be able to view, create, update, and delete In some instances, you may wish to create a user that can only read central configurations, but not create, update, or delete them. -. Assign the following built-in roles: +. Create a new role, named something like `central-config-reader`, and assign the following privileges: + -[options="header"] -|==== -|Role | Purpose -|`apm_user` -|Grants the privileges required for APM users on +{beat_default_index_prefix}*+ indices -|==== +-- +include::./tab-widgets/central-config-users/widget.asciidoc[] +-- ++ +TIP: Using the {apm-server-ref-v}/apm-integration.html[APM integration for Elastic Agent]? +Add the privileges under the **Data streams** tab. -. Assign the following Kibana space privileges: +. Assign the `central-config-reader` role created in the previous step, and the following Kibana space privileges to +anyone who needs to read central configurations: + [options="header"] |==== 
@@ -215,6 +239,8 @@ but not create, update, or delete them. See <>. +include::./tab-widgets/code.asciidoc[] + //// *********************************** *********************************** //// diff --git a/docs/apm/tab-widgets/apm-app-reader/content.asciidoc b/docs/apm/tab-widgets/apm-app-reader/content.asciidoc new file mode 100644 index 0000000000000..6b9c996035f6c --- /dev/null +++ b/docs/apm/tab-widgets/apm-app-reader/content.asciidoc @@ -0,0 +1,45 @@ +// tag::classic-indices[] +[options="header"] +|==== +|Type |Privilege |Purpose + +|Index +|`read` on `apm-*` +|Read-only access to `apm-*` data + +|Index +|`view_index_metadata` on `apm-*` +|Read-only access to `apm-*` index metadata +|==== +// end::classic-indices[] + +// tag::data-streams[] +[options="header"] +|==== +|Type |Privilege |Purpose + +|Index +|`read` on `logs-apm*` +|Read-only access to `logs-apm*` data + +|Index +|`view_index_metadata` on `logs-apm*` +|Read-only access to `logs-apm*` index metadata + +|Index +|`read` on `metrics-apm*` +|Read-only access to `metrics-apm*` data + +|Index +|`view_index_metadata` on `metrics-apm*` +|Read-only access to `metrics-apm*` index metadata + +|Index +|`read` on `traces-apm*` +|Read-only access to `traces-apm*` data + +|Index +|`view_index_metadata` on `traces-apm*` +|Read-only access to `traces-apm*` index metadata +|==== +// end::data-streams[] diff --git a/docs/apm/tab-widgets/apm-app-reader/widget.asciidoc b/docs/apm/tab-widgets/apm-app-reader/widget.asciidoc new file mode 100644 index 0000000000000..51c01367786b6 --- /dev/null +++ b/docs/apm/tab-widgets/apm-app-reader/widget.asciidoc @@ -0,0 +1,40 @@ +++++ +
+
+ + +
+
+++++ + +include::content.asciidoc[tag=classic-indices] + +++++ +
+ +
+++++ \ No newline at end of file diff --git a/docs/apm/tab-widgets/central-config-users/content.asciidoc b/docs/apm/tab-widgets/central-config-users/content.asciidoc new file mode 100644 index 0000000000000..0945050d9a861 --- /dev/null +++ b/docs/apm/tab-widgets/central-config-users/content.asciidoc @@ -0,0 +1,53 @@ +// tag::classic-indices[] +[options="header"] +|==== +|Type |Privilege |Purpose + +|Index +|`read` on `apm-*` +|Read-only access to `apm-*` data + +|Index +|`view_index_metadata` on `apm-*` +|Read-only access to `apm-*` index metadata +|==== +// end::classic-indices[] + +// tag::data-streams[] +[options="header"] +|==== +|Type |Privilege |Purpose + +|Index +|`read` on `apm-agent-configuration` +|Read-only access to `apm-agent-configuration` data + +|Index +|`view_index_metadata` on `apm-agent-configuration` +|Read-only access to `apm-agent-configuration` index metadata + +|Index +|`read` on `logs-apm*` +|Read-only access to `logs-apm*` data + +|Index +|`view_index_metadata` on `logs-apm*` +|Read-only access to `logs-apm*` index metadata + +|Index +|`read` on `metrics-apm*` +|Read-only access to `metrics-apm*` data + +|Index +|`view_index_metadata` on `metrics-apm*` +|Read-only access to `metrics-apm*` index metadata + +|Index +|`read` on `traces-apm*` +|Read-only access to `traces-apm*` data + +|Index +|`view_index_metadata` on `traces-apm*` +|Read-only access to `traces-apm*` index metadata +|==== +// end::data-streams[] diff --git a/docs/apm/tab-widgets/central-config-users/widget.asciidoc b/docs/apm/tab-widgets/central-config-users/widget.asciidoc new file mode 100644 index 0000000000000..68bef4e50c549 --- /dev/null +++ b/docs/apm/tab-widgets/central-config-users/widget.asciidoc @@ -0,0 +1,40 @@ +++++ +
+
+ + +
+
+++++ + +include::content.asciidoc[tag=classic-indices] + +++++ +
+ +
+++++ \ No newline at end of file diff --git a/docs/apm/tab-widgets/code.asciidoc b/docs/apm/tab-widgets/code.asciidoc new file mode 100644 index 0000000000000..6a30cf55c8dbb --- /dev/null +++ b/docs/apm/tab-widgets/code.asciidoc @@ -0,0 +1,166 @@ +// Defining styles and script here for simplicity. +++++ + + + +++++ \ No newline at end of file From 2b27ba98ecf0f02cbd8da49c0ce50d1a371a4257 Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Mon, 26 Apr 2021 14:57:39 -0700 Subject: [PATCH 2/2] cleanup --- docs/apm/apm-app-users.asciidoc | 5 ----- 1 file changed, 5 deletions(-) diff --git a/docs/apm/apm-app-users.asciidoc b/docs/apm/apm-app-users.asciidoc index dd0d870604484..9b8a9c64ac43b 100644 --- a/docs/apm/apm-app-users.asciidoc +++ b/docs/apm/apm-app-users.asciidoc @@ -60,11 +60,6 @@ include::./tab-widgets/apm-app-reader/widget.asciidoc[] TIP: Using the {apm-server-ref-v}/apm-integration.html[APM integration for Elastic Agent]? Add the privileges under the **Data streams** tab. -If your APM data is being sent to APM Server, you're using classic APM indices. - -If your APM data is ingested into `apm-*` indices, you're using classic APM indices. -If you're - . Assign the `read-apm` role created in the previous step, and the following built-in roles to any APM reader users: +
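Review bot: In `docs/apm/apm-app-users.asciidoc`, hunk `@@ -36,13 +43,30 @@` of patch 1/2, the added text after the TIP ends in an unfinished sentence (`If you're`) and states twice, in two different ways, when a deployment is "using classic APM indices". Patch 2/2 deletes these five lines, so the end state is fine, but patch 1/2 on its own does not read correctly. Consider squashing 2/2 into 1/2 so the broken paragraph never lands in history.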
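Review bot: In `docs/apm/apm-app-users.asciidoc`, hunk `@@ -63,14 +84,14 @@`, the new `read-apm-partial` role pulls in the same `tab-widgets/apm-app-reader/widget.asciidoc` as `read-apm`, so the two roles carry identical index privileges and the "partial" restriction comes only from the Kibana space privileges in the following step. Either tell readers to reuse `read-apm` here, or add a sentence saying that the index privileges are the same and the restriction is applied at the space level, so nobody assumes the second role is narrower than it is.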
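Review bot: In `docs/apm/apm-app-users.asciidoc`, hunks `@@ -163,17 +186,17 @@` and `@@ -190,16 +213,17 @@`, the `central-config-manager` and `central-config-reader` roles both include `tab-widgets/central-config-users/widget.asciidoc`, and every row in that content is `read` or `view_index_metadata`. The surrounding text says managers "need to be able to view, create, update, and delete Agent configurations", so a reader comparing the two roles sees no difference in what they grant. Please state explicitly that write access is conferred by the Kibana space privileges in the next step, or give the manager role its own privilege table if it needs more than read.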
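Review bot: In the new `docs/apm/tab-widgets/central-config-users/content.asciidoc`, the `classic-indices` table lists only `read` and `view_index_metadata` on `apm-*`, while the `data-streams` table also lists both privileges on `apm-agent-configuration`. If classic-index deployments also need access to `apm-agent-configuration`, the first table is missing two rows; if they do not, a one-line comment above the tag explaining why the tables differ would stop the next editor from "fixing" it. As written, the classic table is a copy of the one in `apm-app-reader/content.asciidoc`.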
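Review bot: `include::./tab-widgets/code.asciidoc[]` is added twice to `docs/apm/apm-app-users.asciidoc`, once in hunk `@@ -98,6 +119,8 @@` and again in hunk `@@ -215,6 +239,8 @@`. The included file's own comment says it defines styles and script, so if both sections render onto the same page the style and script blocks are emitted twice. Please confirm these sections build as separate pages, or include the file once.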