RBAC Reference¶
RBAC policies are made up of three elements: actions, resources and effect. Each API endpoint involves one or more actions and can be performed on specific resources.
For example, the GET /agents endpoint is used to obtain the information of one or all agents. This endpoint applies the action agent:read on the resource agent:id or agent:group, for example agent:id:001 (agent 001) or agent:id:* (all agents). All the existing resources, the available actions and the endpoints affected by each one can be found in this reference page.
This reference also contains a set of default roles and policies that can be used immediately instead of having to create new ones.
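The action/resource/effect model described above can be made concrete with a small evaluator. The code below is an added example written for this page, not Wazuh's own implementation: it matches policy resource patterns in the syntax used throughout this reference (agent:id:001, agent:id:*, *:*:*, and the combined node:id:*&file:path:* form used by the cluster policies), disaggregates agent:group:<name> into the agent IDs of its members, and decides a request. The group membership table and the policy action lists are constructed for the example (the page shows the policies' resources but not their actions), and the default-deny, deny-overrides-allow ordering is an assumption of the example rather than something stated on this page.

```python
"""Illustrative action/resource/effect policy evaluator (added example, not Wazuh code).

Assumptions: a request is (action, resource); a policy is
{"actions": [...], "resources": [...], "effect": "allow" | "deny"};
patterns are <name>:<key>:<value> with "*" as value wildcard, "*:*:*"
matching anything, and "a:b:x&c:d:y" requiring each '&'-part to match in
order; decisions are default-deny and an explicit deny overrides an allow.
"""
from typing import Dict, List, Tuple

# Constructed group membership (not real data): group name -> agent IDs.
GROUP_MEMBERS: Dict[str, List[str]] = {
    "web": ["001", "002"],
    "default": ["003"],
}


def _split(resource_part: str) -> Tuple[str, str]:
    """Split 'agent:id:001' into ('agent:id', '001'); the value may contain ':'."""
    parts = resource_part.split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed resource: {resource_part!r}")
    return f"{parts[0]}:{parts[1]}", parts[2]


def resource_matches(pattern: str, resource: str) -> bool:
    """True if a policy resource pattern covers a concrete resource."""
    if pattern == "*:*:*":
        return True
    pattern_parts = pattern.split("&")
    resource_parts = resource.split("&")
    if len(pattern_parts) != len(resource_parts):
        return False  # e.g. a node-only request against a node&file pattern
    for pat, res in zip(pattern_parts, resource_parts):
        pat_name, pat_value = _split(pat)
        res_name, res_value = _split(res)
        if pat_name != res_name:
            return False
        if pat_value != "*" and pat_value != res_value:
            return False
    return True


def expand(pattern: str) -> List[str]:
    """Disaggregate agent:group:<name> into the agent:id resources of its members.

    The original pattern is kept so a request phrased as agent:group:<name>
    still matches; agent:group:* is treated as covering every agent (assumed).
    """
    if "&" in pattern or pattern == "*:*:*":
        return [pattern]
    name, value = _split(pattern)
    if name != "agent:group":
        return [pattern]
    if value == "*":
        return [pattern, "agent:id:*"]
    return [pattern] + [f"agent:id:{aid}" for aid in GROUP_MEMBERS.get(value, [])]


def evaluate(policies: List[dict], action: str, resource: str) -> str:
    """Return 'allow' or 'deny' for one request under a list of policies."""
    decision = "deny"  # nothing matched yet: default deny
    for policy in policies:
        if action not in policy["actions"]:
            continue
        for pattern in policy["resources"]:
            if any(resource_matches(p, resource) for p in expand(pattern)):
                if policy["effect"] == "deny":
                    return "deny"  # an explicit deny wins over any allow
                decision = "allow"
                break  # one matching resource is enough for this policy
    return decision


# Constructed policies: resource lists mirror the page's agents_read and
# cluster_read entries, the action lists are assumed for the example.
AGENTS_READ = {"actions": ["agent:read"],
               "resources": ["agent:id:*", "agent:group:*", "group:id:*"],
               "effect": "allow"}
WEB_RESTART = {"actions": ["agent:restart"],
               "resources": ["agent:group:web"], "effect": "allow"}
DENY_RESTART_002 = {"actions": ["agent:restart"],
                    "resources": ["agent:id:002"], "effect": "deny"}
CLUSTER_READ_FILE = {"actions": ["cluster:read_file"],
                     "resources": ["node:id:*&file:path:*"], "effect": "allow"}

if __name__ == "__main__":
    restart = [WEB_RESTART, DENY_RESTART_002]
    print(evaluate([AGENTS_READ], "agent:read", "agent:id:001"))     # allow
    print(evaluate([AGENTS_READ], "agent:restart", "agent:id:001"))  # deny
    print(evaluate(restart, "agent:restart", "agent:id:001"))         # allow (member of web)
    print(evaluate(restart, "agent:restart", "agent:id:002"))         # deny (explicit deny)
    print(evaluate(restart, "agent:restart", "agent:id:003"))         # deny (not in web)
    print(evaluate([CLUSTER_READ_FILE], "cluster:read_file",
                   "node:id:worker1&file:path:etc/ossec.conf"))      # allow
```

The deny policy for agent 002 shows why explicit denies are useful for least privilege: a broad group grant can be narrowed for a single agent without rewriting the grant, and the combined node&file case shows that a request naming only a node is not covered by a pattern that requires both parts.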
Resources¶
*:*¶
Description | Reference resources that do not yet exist in the system (futures). Actions using these resources are called resourceless.
agent:group¶
Description | Reference agents via group name. This resource is disaggregated into the IDs of the agents belonging to the specified group.
Example | agent:group:web
agent:id¶
Description | Reference agents via agent ID
Example | agent:id:001
group:id¶
Description | Reference agent groups via group ID
Example | group:id:default
node:id¶
Description | Reference cluster node via node ID
Example | node:id:worker1
file:path¶
Description | Reference file via its path
Example |
decoder:file¶
Description | Reference decoder file via its path
Example | decoder:file:0005-wazuh_decoders.xml
list:path¶
Description | Reference list file via its path
Example | list:path:etc/lists/audit-keys
rule:file¶
Description | Reference rule file via its path
Example | rule:file:0610-win-ms_logs_rules.xml
policy:id¶
Description | Reference security policy via its ID
Example | policy:id:1
role:id¶
Description | Reference security role via its ID
Example | role:id:1
rule:id¶
Description | Reference security rule via its ID
Example | rule:id:1
user:id¶
Description | Reference security user via its ID
Example | user:id:1
Actions¶
In each action, the affected endpoints are specified along with the necessary resources, following this structure: <Method> <Endpoint> (<Resource>)
Agent¶
agent:create¶
agent:delete¶
agent:modify_group¶
agent:read¶
agent:restart¶
Ciscat¶
Cluster¶
cluster:delete_file¶
DELETE /cluster/{node_id}/files (node:id:<node>&file:path:<file_path>)
cluster:read_api_config¶
cluster:read_file¶
GET /cluster/{node_id}/files (node:id:<node>&file:path:<file_path>)
cluster:restart¶
cluster:status¶
cluster:update_api_config¶
Deprecated since version 4.0.4.
cluster:upload_file¶
Decoders¶
Manager¶
manager:delete_file¶
manager:read_api_config¶
manager:read¶
manager:read_file¶
manager:restart¶
manager:update_api_config¶
Deprecated since version 4.0.4.
manager:upload_file¶
Rules¶
SCA¶
Security¶
security:create_user¶
security:create¶
security:delete¶
security:read_config¶
security:read¶
security:revoke¶
security:update_config¶
security:update¶
Syscollector¶
syscollector:read¶
GET /experimental/syscollector/hardware (agent:id, agent:group)
GET /experimental/syscollector/hotfixes (agent:id, agent:group)
GET /experimental/syscollector/netaddr (agent:id, agent:group)
GET /experimental/syscollector/netiface (agent:id, agent:group)
GET /experimental/syscollector/netproto (agent:id, agent:group)
GET /experimental/syscollector/packages (agent:id, agent:group)
GET /experimental/syscollector/ports (agent:id, agent:group)
GET /experimental/syscollector/processes (agent:id, agent:group)
GET /syscollector/{agent_id}/hardware (agent:id, agent:group)
GET /syscollector/{agent_id}/hotfixes (agent:id, agent:group)
GET /syscollector/{agent_id}/netaddr (agent:id, agent:group)
GET /syscollector/{agent_id}/netiface (agent:id, agent:group)
GET /syscollector/{agent_id}/netproto (agent:id, agent:group)
GET /syscollector/{agent_id}/packages (agent:id, agent:group)
GET /syscollector/{agent_id}/processes (agent:id, agent:group)
Default policies¶
agents_all¶
Grant full access to all agent-related functionalities.
- Actions
- Resources
agent:id:*
agent:group:*
group:id:*
*:*:*
- Effect
allow
agents_commands¶
Allow sending commands to agents.
- Actions
- Resources
agent:id:*
agent:group:*
- Effect
allow
agents_read¶
Grant read access to all agent-related functionalities.
- Actions
- Resources
agent:id:*
agent:group:*
group:id:*
- Effect
allow
ciscat_read¶
Allow reading agents' ciscat results information.
- Actions
- Resources
agent:id:*
agent:group:*
- Effect
allow
cluster_all¶
Provide full access to all cluster/manager-related functionalities.
- Actions
- Resources
file:path:*
node:id:*
node:id:*&file:path:*
*:*:*
- Effect
allow
cluster_read¶
Provide read access to all cluster/manager-related functionalities.
- Actions
- Resources
file:path:*
node:id:*
node:id:*&file:path:*
*:*:*
- Effect
allow
decoders_read¶
Allow reading all decoder files in the system.
- Actions
- Resources
decoder:file:*
- Effect
allow
sca_read¶
Allow reading agents' sca information.
- Actions
- Resources
agent:id:*
agent:group:*
- Effect
allow
security_all¶
Provide full access to all security-related functionalities.
- Actions
- Resources
role:id:*
policy:id:*
user:id:*
rule:id:*
*:*:*
- Effect
allow
users_all¶
Provide full access to all user-related functionalities.
- Actions
- Resources
user:id:*
*:*:*
- Effect
allow
syscheck_read¶
Allow reading syscheck information.
- Actions
- Resources
agent:id:*
agent:group:*
- Effect
allow
syscheck_all¶
Allow reading, running and clearing syscheck information.
- Actions
- Resources
agent:id:*
agent:group:*
- Effect
allow
syscollector_read¶
Allow reading agents' information.
- Actions
- Resources
agent:id:*
agent:group:*
- Effect
allow
Default roles¶
administrator¶
Administrator role of the system; this role has full access to the system.
agents_admin¶
Agents administrator of the system; this role has full access to all agent-related functionalities.
- Policies
cluster_admin¶
Manager administrator of the system; this role has full access to all manager-related functionalities.
- Policies
readonly¶
Read-only role; this role can read all the information of the system.
Default rules¶
Warning
Run_as permissions through these mapping rules can only be obtained with the wazuh-wui user. These rules will never match an authorization context for any other Wazuh API user.
wui_elastic_admin¶
Administrator permissions for WUI’s elastic users.
rule:
FIND:
username: "elastic"
wui_opendistro_admin¶
Administrator permissions for WUI’s opendistro users.
rule:
FIND:
user_name: "admin"