Introduce read-only view for User Management

[legrego]

Elasticsearch introduced a new read_security cluster privilege via elastic/elasticsearch#89790, which is meant to be a read-only version of their manage_security cluster privilege.

The User Management screen currently requires manage_security, but we should also allow for users with read_security to view a read-only version of this screen.

We should make the following adjustments for users with the read_security cluster privilege:

Allow page to be viewed by users with read_security.

This sample diff also introduces a save UI capability, which you can access at capabilities.users.save. When this is set to true, then the UI can assume that the current user has manage_security privileges, and should therefore have access to all CRUD controls. Similarly, when this is set to false, then the UI can assume that the current user does not have full privileges, and should therefore be presented with a readonly version of the screen.

diff --git a/x-pack/plugins/security/server/features/security_features.ts b/x-pack/plugins/security/server/features/security_features.ts
index b741d809151..396f2d1640e 100644
--- a/x-pack/plugins/security/server/features/security_features.ts
+++ b/x-pack/plugins/security/server/features/security_features.ts
@@ -16,6 +16,10 @@ const userManagementFeature: ElasticsearchFeatureConfig = {
   privileges: [
     {
       requiredClusterPrivileges: ['manage_security'],
+      ui: ['save'],
+    },
+    {
+      requiredClusterPrivileges: ['read_security'],
       ui: [],
     },
   ],

Remove editable controls from list page

• Add reading glasses icon to secondary navbar

Remove editable controls from the view page

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[legrego]

@elastic/kibana-security I updated the issue description with some screenshots outlining what I think the minimum set of changes should be. What do y'all think?