RBAC Reference
RBAC policies are made up of three elements: actions, resources and effect. Each API endpoint involves one or more actions and can be performed on specific resources.
For example, the GET /agents endpoint is used to obtain the information of one or all agents. This endpoint applies the action agent:read on the resource agent:id or agent:group. For example, agent:id:001 (agent 001) or agent:id:* (all agents). All the existing resources, available actions and the endpoints affected by each one can be found in this reference page.
This reference also contains a set of default roles and policies that can be immediately used instead of having to create new ones.
Resources
*:*
Description |
Reference resources that do not yet exist in the system (futures). Actions using these resources are called resourceless. |
agent:group
Description |
Reference agents via group name. This resource is disaggregated into the agent's IDs belonging to the specified group. |
Example |
agent:group:web |
agent:id
Description |
Reference agents via agent ID |
Example |
agent:id:001 |
group:id
Description |
Reference agent groups via group ID |
Example |
group:id:default |
node:id
Description |
Reference cluster node via node ID |
Example |
node:id:worker1 |
decoder:file
Description |
Reference decoder file via its filename |
Example |
decoder:file:0005-wazuh_decoders.xml |
list:file
Description |
Reference list file via its filename |
Example |
list:file:audit-keys |
rule:file
Description |
Reference rule file via its filename |
Example |
rule:file:0610-win-ms_logs_rules.xml |
policy:id
Description |
Reference security policy via its id |
Example |
policy:id:1 |
role:id
Description |
Reference security role via its id |
Example |
role:id:1 |
rule:id
Description |
Reference security rule via its id |
Example |
rule:id:1 |
user:id
Description |
Reference security user via its id |
Example |
user:id:1 |
Actions
In each action, the affected endpoints are specified along with the necessary resources, following this structure: <Method> <Endpoint> (<Resource>)
Active_response
active-response:command
Agent
agent:create
agent:delete
agent:modify_group
agent:read
agent:restart
agent:upgrade
Ciscat
ciscat:read
Cluster
cluster:read_api_config
cluster:read
cluster:restart
cluster:status
cluster:update_api_config
Deprecated since version 4.0.4.
cluster:update_config
Decoders
decoders:read
decoders:update
decoders:delete
Group
group:create
group:delete
group:modify_assignments
group:read
group:update_config
Lists
lists:read
lists:update
lists:delete
Logtest
logtest:run
Manager
manager:read_api_config
manager:read
manager:restart
manager:update_api_config
Deprecated since version 4.0.4.
manager:update_config
Mitre
mitre:read
Rootcheck
rootcheck:clear
rootcheck:read
rootcheck:run
Rules
rules:read
rules:update
rules:delete
SCA
sca:read
Security
security:create_user
security:create
security:delete
security:read_config
security:read
security:revoke
security:update_config
security:update
Syscheck
syscheck:clear
syscheck:read
syscheck:run
Syscollector
syscollector:read
GET /experimental/syscollector/hardware (agent:id, agent:group)
GET /experimental/syscollector/hotfixes (agent:id, agent:group)
GET /experimental/syscollector/netaddr (agent:id, agent:group)
GET /experimental/syscollector/netiface (agent:id, agent:group)
GET /experimental/syscollector/netproto (agent:id, agent:group)
GET /experimental/syscollector/packages (agent:id, agent:group)
GET /experimental/syscollector/ports (agent:id, agent:group)
GET /experimental/syscollector/processes (agent:id, agent:group)
GET /syscollector/{agent_id}/hardware (agent:id, agent:group)
GET /syscollector/{agent_id}/hotfixes (agent:id, agent:group)
GET /syscollector/{agent_id}/netaddr (agent:id, agent:group)
GET /syscollector/{agent_id}/netiface (agent:id, agent:group)
GET /syscollector/{agent_id}/netproto (agent:id, agent:group)
GET /syscollector/{agent_id}/packages (agent:id, agent:group)
GET /syscollector/{agent_id}/processes (agent:id, agent:group)
Task
task:status
Default policies
agents_all
Grant full access to all agents related functionalities.
- Actions
- Resources
agent:id:*agent:group:*group:id:**:*:*
- Effect
allow
agents_commands
Allow sending commands to agents.
- Actions
- Resources
agent:id:*agent:group:*
- Effect
allow
agents_read
Grant read access to all agents related functionalities.
- Actions
- Resources
agent:id:*agent:group:*group:id:*
- Effect
allow
ciscat_read
Allow read agent’s ciscat results information.
- Actions
- Resources
agent:id:*agent:group:*
- Effect
allow
cluster_all
Provide full access to all cluster/manager related functionalities.
- Actions
- Resources
node:id:*'*:*:*'
- Effect
allow
cluster_read
Provide read access to all cluster/manager related functionalities.
- Actions
- Resources
node:id:*'*:*:*'
- Effect
allow
decoders_read
Allow reading all decoder files in the system.
- Actions
- Resources
decoder:file:*
- Effect
allow
decoders_all
Allow managing all decoder files in the system.
- Actions
- Resources
decoder:file:**:*:*
lists_all
Allow managing all CDB lists files in the system.
- Actions
- Resources
list:file:*'*:*:*'
- Effect
allow
lists_read
Allow reading all list paths in the system.
- Actions
- Resources
list:file:*
- Effect
allow
logtest_all
Provide access to all logtest related functionalities.
- Actions
- Resources
*:*:*
- Effect
allow
mitre_read
Allow reading MITRE database information.
- Actions
- Resources
*:*:*
- Effect
allow
rootcheck_read
Allow reading all rootcheck information.
- Actions
- Resources
agent:id:*agent:group:*
- Effect
allow
rootcheck_all
Allow reading, running and clearing rootcheck information.
- Actions
- Resources
agent:id:*agent:group:*
- Effect
allow
rules_read
Allow reading all rule files in the system.
- Actions
- Resources
rules:file:*
- Effect
allow
rules_all
Allow managing all rule files in the system.
- Actions
- Resources
rules:file:**:*:*
- Effect
allow
sca_read
Allow reading agent’s sca information.
- Actions
- Resources
agent:id:*agent:group:*
- Effect
allow
security_all
Provide full access to all security related functionalities.
- Actions
- Resources
role:id:*policy:id:*user:id:*rule:id:**:*:*
- Effect
allow
users_all
Provide full access to all users related functionalities.
- Actions
- Resources
user:id:**:*:*
- Effect
allow
syscheck_read
Allow reading syscheck information.
- Actions
- Resources
agent:id:*agent:group:*
- Effect
allow
syscheck_all
Allow reading, running and clearing syscheck information.
- Actions
- Resources
agent:id:*agent:group:*
- Effect
allow
syscollector_read
Allow reading agents information.
- Actions
- Resources
agent:id:*agent:group:*
- Effect
allow
task_status
Allow reading tasks information.
- Actions
- Resources
*:*:*
- Effect
allow
Default roles
administrator
Administrator role of the system, this role have full access to the system.
agents_admin
Agents administrator of the system, this role have full access to all agents related functionalities.
- Policies
agents_readonly
Read only role for agents related functionalities.
- Policies
cluster_admin
Manager administrator of the system, this role have full access to all manager related functionalities.
- Policies
cluster_readonly
Read only role for manager related functionalities.
- Policies
readonly
Read only role, this role can read all the information of the system.
users_admin
Users administrator of the system, this role provides full access to all users related functionalities.
- Policies
Default rules
Warning
Run_as permissions through these mapping rules can only be obtained with wazuh-wui user. These rules will never match an authorization context for any other Wazuh API user.
wui_elastic_admin
Administrator permissions for WUI's elastic users.
rule:
FIND:
username: "elastic"
wui_opendistro_admin
Administrator permissions for WUI's opendistro users.
rule:
FIND:
user_name: "admin"