RBAC Reference
RBAC policies consist of three elements: actions, resources, and effect. Each API endpoint involves one or more actions, and each action is performed on specific resources.
For example, the GET /agents endpoint is used to obtain information about one or all agents. It applies the action agent:read on resources of type agent:id or agent:group, for example agent:id:001 (agent 001) or agent:id:* (all agents). All the existing resources, the available actions, and the endpoints affected by each one are listed on this reference page.
This reference also contains a set of default roles and policies that can be used immediately instead of creating new ones.
Resources
| Resources | Description | Example | 
|---|---|---|
| *:* | Reference resources that do not yet exist in the system, for example an agent or group that is about to be created. Actions using this resource are called resourceless and are granted with the resource *:*:* in a policy. | *:*:* | 
| agent:group | Reference agents via group name. This resource is expanded into the IDs of the agents that belong to the specified group. | agent:group:web | 
| agent:id | Reference agents via agent ID | agent:id:001 | 
| group:id | Reference agent groups via group ID | group:id:default | 
| node:id | Reference cluster node by node ID | node:id:worker1 | 
| decoder:file | Reference decoder file via its filename | decoder:file:0005-wazuh_decoders.xml | 
| list:file | Reference list file via its filename | list:file:audit-keys | 
| rule:file | Reference rule file via its filename | rule:file:0610-win-ms_logs_rules.xml | 
| policy:id | Reference security policy via its ID | policy:id:1 | 
| role:id | Reference security role via its ID | role:id:1 | 
| rule:id | Reference security rule via its ID | rule:id:1 | 
| user:id | Reference security user via its ID | user:id:1 | 
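How a request is checked against policies of this shape, written out as an added Python example (this is a model for illustration, not Wazuh's own RBAC code). It shows the two things the tables above describe: wildcard resources such as agent:id:*, the resourceless *:*:* resource, and the expansion of agent:group:<name> into the agent IDs of the group's members. The agent inventory, the policies and two behaviours are assumptions of the example rather than statements of this page: a deny policy wins over an allow policy for the same action and resource, and *:*:* in a policy matches any request resource.

```python
"""Model of how a request is checked against RBAC policies.

Added example, not Wazuh's own RBAC code. Policies have the shape shown on this
page: actions, resources such as 'agent:id:001', 'agent:group:web' or '*:*:*',
and an effect. Two details are assumptions of this model, not statements of
the page: a 'deny' policy wins over an 'allow' for the same action and resource,
and '*:*:*' in a policy matches any request resource.
"""
from fnmatch import fnmatchcase

# Constructed agent inventory (agent ID -> groups). A real server resolves
# agent:group:<name> from its own agent database.
AGENT_GROUPS = {
    "001": ["default", "web"],
    "002": ["default", "web"],
    "003": ["default", "db"],
}


def expand_resource(resource):
    """Expand agent:group:<name> into the agent:id resources of its members;
    agent:group:* covers every agent that belongs to a group. Any other
    resource (including wildcards such as agent:id:*) is returned unchanged."""
    kind, _, name = resource.rpartition(":")
    if kind != "agent:group":
        return {resource}
    return {f"agent:id:{aid}" for aid, groups in AGENT_GROUPS.items()
            if (name == "*" and groups) or name in groups}


def _allowed_on(policies, action, concrete):
    """Decision for one concrete resource: some allow policy must match it and
    no deny policy may match it (deny precedence is an assumption, see above)."""
    allowed = False
    for policy in policies:
        if action not in policy["actions"]:
            continue
        patterns = set().union(*(expand_resource(r) for r in policy["resources"]))
        if any(fnmatchcase(concrete, p) for p in patterns):
            if policy["effect"] == "deny":
                return False
            allowed = True
    return allowed


def authorized(policies, action, resource):
    """True when 'action' may be applied to 'resource' under 'policies'.
    A group request is granted only if every member agent is granted;
    a group with no members grants nothing."""
    targets = expand_resource(resource)
    return bool(targets) and all(_allowed_on(policies, action, t) for t in targets)


# Constructed policies for an operator of the 'web' group: they may read and
# restart web agents, except that agent 002 must never be restarted, and they
# may enroll new agents (a resourceless action, hence '*:*:*').
WEB_OPERATOR = [
    {"actions": ["agent:read", "agent:restart"],
     "resources": ["agent:group:web"], "effect": "allow"},
    {"actions": ["agent:restart"], "resources": ["agent:id:002"], "effect": "deny"},
    {"actions": ["agent:create"], "resources": ["*:*:*"], "effect": "allow"},
]

if __name__ == "__main__":
    for action, resource in [("agent:read", "agent:id:001"), ("agent:read", "agent:id:003"),
                             ("agent:restart", "agent:group:web"), ("agent:create", "*:*:*")]:
        print(f"{action:14} {resource:16} -> {authorized(WEB_OPERATOR, action, resource)}")
```

Two consequences of the model are worth checking against a real server before relying on them: agent:restart on agent:group:web is refused as a whole because one member is denied, and agent:create is granted only by a policy whose resources contain *:*:*, so a policy that lists agent:create with agent:id:* grants nothing for that action.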
Actions
In each action, the affected endpoints are specified along with the necessary resources, following this structure: <Method> <Endpoint> (<Resource>).
Active_response
The /active-response endpoint of the Wazuh server API allows users to interact with the Wazuh Active Response module.
active-response:command
Agent
The /agents endpoint of the Wazuh server API allows users to enroll and manage agents on the Wazuh server.
agent:create
agent:delete
agent:modify_group
agent:read
agent:reconnect
agent:restart
agent:upgrade
agent:uninstall
Cluster
The /cluster endpoint of the Wazuh server API allows users to manage the configuration and health of the master node and the worker nodes in the Wazuh cluster.
cluster:read_api_config
cluster:read
- GET /cluster/{node_id}/configuration/{component}/{configuration} (node:id) 
- GET /cluster/{node_id}/stats/analysisd (node:id) - Deprecated since version 4.4 
- GET /cluster/{node_id}/stats/remoted (node:id) - Deprecated since version 4.4 
cluster:restart
cluster:status
cluster:update_config
Decoders
The /decoder endpoint of the Wazuh server API enables users to manage and retrieve information about the decoders included in the Wazuh server.
decoders:read
decoders:update
decoders:delete
Events
The /event endpoint of the Wazuh server API allows users to ingest security events into the Wazuh analysis engine.
event:ingest
Group
The /groups endpoint of the Wazuh server API enables users to group Wazuh agents into distinct subsets for centralized configurations.
group:create
group:delete
group:modify_assignments
group:read
group:update_config
Lists
The /lists endpoint of the Wazuh server API allows users to retrieve and manage the CDB lists that rules use for lookups, for example to check files on Wazuh agents against a list of known-malicious hashes.
lists:read
lists:update
lists:delete
Logtest
The /logtest endpoint of the Wazuh server API allows users to test and verify new rules and decoders against provided log examples in the Wazuh analysis engine.
logtest:run
Manager
The /manager endpoint of the Wazuh server API enables users to manage and collect relevant information from the Wazuh manager.
manager:read_api_config
manager:read
manager:restart
manager:update_config
MITRE
The /mitre endpoint of the Wazuh server API allows users to retrieve information about tactics and techniques from the MITRE ATT&CK database stored on the Wazuh server.
mitre:read
Rootcheck
The /rootcheck endpoint of the Wazuh server API enables users to interact with the Wazuh rootcheck module and retrieve results from the scans on the Wazuh agents.
rootcheck:clear
rootcheck:read
rootcheck:run
Rules
The /rules endpoint of the Wazuh server API lets users manage and retrieve information about the Wazuh rules that are used to analyze incoming events and generate alerts.
rules:read
rules:update
rules:delete
SCA
The /sca endpoint of the Wazuh server API allows users to interact with the Wazuh SCA module and collect relevant SCA scan results from Wazuh agents.
sca:read
Security
The /security endpoint of the Wazuh server API enables administrators to manage security-related aspects within the Wazuh environment.
security:create_user
security:create
security:delete
security:edit_run_as
security:read_config
security:read
security:revoke
security:update_config
security:update
File integrity monitoring
The /syscheck endpoint of the Wazuh server API allows users to interact with the Wazuh File Integrity Monitoring module: run syscheck scans on Wazuh agents and retrieve or clear their results.
syscheck:clear
syscheck:read
syscheck:run
Syscollector
The /syscollector endpoint of the Wazuh server API allows users to retrieve the system inventory (hardware, hotfixes, network, packages, ports, processes) that the Syscollector module collects on monitored endpoints and sends to the Wazuh server.
syscollector:read
- GET /experimental/syscollector/hardware (agent:id, agent:group) 
- GET /experimental/syscollector/hotfixes (agent:id, agent:group) 
- GET /experimental/syscollector/netaddr (agent:id, agent:group) 
- GET /experimental/syscollector/netiface (agent:id, agent:group) 
- GET /experimental/syscollector/netproto (agent:id, agent:group) 
- GET /experimental/syscollector/packages (agent:id, agent:group) 
- GET /experimental/syscollector/ports (agent:id, agent:group) 
- GET /experimental/syscollector/processes (agent:id, agent:group) 
- GET /syscollector/{agent_id}/hardware (agent:id, agent:group) 
- GET /syscollector/{agent_id}/hotfixes (agent:id, agent:group) 
- GET /syscollector/{agent_id}/netaddr (agent:id, agent:group) 
- GET /syscollector/{agent_id}/netiface (agent:id, agent:group) 
- GET /syscollector/{agent_id}/netproto (agent:id, agent:group) 
- GET /syscollector/{agent_id}/packages (agent:id, agent:group) 
- GET /syscollector/{agent_id}/processes (agent:id, agent:group) 
Task
The /tasks endpoint of the Wazuh server API enables users to get status information about the tasks performed by the Wazuh manager.
task:status
Vulnerability
The /vulnerability endpoint of the Wazuh server API allows users to perform vulnerability detector scans and collect relevant information about vulnerabilities from Wazuh agents. This API endpoint has been deprecated since version 4.7.
vulnerability:read
- GET /vulnerability/{agent_id} (agent:id, agent:group) - Deprecated since version 4.7 
- GET /vulnerability/{agent_id}/last_scan (agent:id, agent:group) - Deprecated since version 4.7 
- GET /vulnerability/{agent_id}/summary/{field} (agent:id, agent:group) - Deprecated since version 4.7 
vulnerability:run
- PUT /vulnerability (*:*) - Deprecated since version 4.7 
Default policies
agents_all_*
Grant full access to all agents related functionalities.
agents_all_resourceless:
  actions:
    - agent:create
    - group:create
    - agent:uninstall
  resources:
    - '*:*:*'
  effect: allow
agents_all_agents:
  actions:
    - agent:read
    - agent:delete
    - agent:modify_group
    - agent:reconnect
    - agent:restart
    - agent:upgrade
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
agents_all_groups:
  actions:
    - group:read
    - group:delete
    - group:update_config
    - group:modify_assignments
  resources:
    - group:id:*
  effect: allow
agents_commands_*
Allow sending active response commands to Wazuh agents.
agents_commands_agents:
  actions:
    - active-response:command
  resources:
    - agent:id:*
  effect: allow
agents_read_*
Grant read access to all agents related functionalities.
agents_read_agents:
  actions:
    - agent:read
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
agents_read_groups:
  actions:
    - group:read
  resources:
    - group:id:*
  effect: allow
cluster_all_*
Provide full access to all cluster/manager related functionalities.
cluster_all_resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
    - manager:update_config
    - manager:restart
  resources:
    - '*:*:*'
  effect: allow
cluster_all_nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
    - cluster:restart
    - cluster:update_config
  resources:
    - node:id:*
  effect: allow
cluster_read_*
Provide read access to all cluster/manager related functionalities.
cluster_read_resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
  resources:
    - '*:*:*'
  effect: allow
cluster_read_nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
  resources:
    - node:id:*
  effect: allow
decoders_all_*
Allow managing all decoder files in the Wazuh server.
decoders_all_files:
  actions:
    - decoders:read
    - decoders:delete
  resources:
    - decoder:file:*
  effect: allow
decoders_all_resourceless:
  actions:
    - decoders:update
  resources:
    - '*:*:*'
  effect: allow
decoders_read_*
Allow reading all decoder files in the Wazuh server.
decoders_read_decoders:
  actions:
    - decoders:read
  resources:
    - decoder:file:*
  effect: allow
events_ingest_*
Allow sending events to the Wazuh analysis engine.
events_ingest_resourceless:
  actions:
    - event:ingest
  resources:
    - '*:*:*'
  effect: allow
lists_all_*
Allow managing all CDB lists files on the Wazuh server.
lists_all_files:
  actions:
    - lists:read
    - lists:delete
  resources:
    - list:file:*
  effect: allow
lists_all_resourceless:
  actions:
    - lists:update
  resources:
    - '*:*:*'
  effect: allow
lists_read_*
Allow reading all CDB list files in the Wazuh server.
lists_read_lists:
  actions:
    - lists:read
  resources:
    - list:file:*
  effect: allow
logtest_all_*
Provide access to all logtest related functionalities.
logtest_all_logtest:
  actions:
    - logtest:run
  resources:
    - '*:*:*'
  effect: allow
mitre_read_*
Allow reading MITRE database information.
mitre_read_mitre:
  actions:
    - mitre:read
  resources:
    - '*:*:*'
  effect: allow
rootcheck_all_*
Allow reading, running and clearing rootcheck information.
rootcheck_all_rootcheck:
  actions:
    - rootcheck:clear
    - rootcheck:read
    - rootcheck:run
  resources:
    - agent:id:*
  effect: allow
rootcheck_read_*
Allow reading all rootcheck information.
rootcheck_read_rootcheck:
  actions:
    - rootcheck:read
  resources:
    - agent:id:*
  effect: allow
rules_all_*
Allow managing all rule files in the Wazuh server.
rules_all_files:
  actions:
    - rules:read
    - rules:delete
  resources:
    - rule:file:*
  effect: allow
rules_all_resourceless:
  actions:
    - rules:update
  resources:
    - '*:*:*'
  effect: allow
rules_read_*
Allow reading all rule files in the system.
rules_read_rules:
  actions:
    - rules:read
  resources:
    - rule:file:*
  effect: allow
sca_read_*
Allow reading the SCA scan results of all agents.
sca_read_sca:
  actions:
    - sca:read
  resources:
    - agent:id:*
  effect: allow
security_all_*
Provide full access to all security related functionalities.
security_all_resourceless:
  actions:
    - security:create
    - security:create_user
    - security:edit_run_as
    - security:read_config
    - security:update_config
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
security_all_security:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - role:id:*
    - policy:id:*
    - user:id:*
    - rule:id:*
  effect: allow
syscheck_all_*
Allow reading, running and clearing syscheck information.
syscheck_all_syscheck:
  actions:
    - syscheck:clear
    - syscheck:read
    - syscheck:run
  resources:
    - agent:id:*
  effect: allow
syscheck_read_*
Allow reading syscheck information.
syscheck_read_syscheck:
  actions:
    - syscheck:read
  resources:
    - agent:id:*
  effect: allow
syscollector_read_*
Allow reading the Syscollector inventory of all agents.
syscollector_read_syscollector:
  actions:
    - syscollector:read
  resources:
    - agent:id:*
  effect: allow
task_status_*
Allow reading the status of all tasks.
task_status_task:
  actions:
    - task:status
  resources:
    - '*:*:*'
  effect: allow
users_all_*
Provide full access to all users related functionalities.
users_all_resourceless:
  actions:
    - security:create_user
    - security:edit_run_as
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
users_all_users:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - user:id:*
  effect: allow
users_modify_run_as_*
Allow modifying the run_as flag of users.
users_modify_run_as_flag:
  actions:
    - security:edit_run_as
  resources:
    - '*:*:*'
  effect: allow
vulnerability_read_*
Allow reading agents' vulnerabilities information.
vulnerability_read_vulnerability:
  actions:
    - vulnerability:read
  resources:
    - agent:id:*
  effect: allow
vulnerability_run_*
Allow running a vulnerability detector scan.
vulnerability_run_resourceless:
  actions:
    - vulnerability:run
  resources:
    - '*:*:*'
  effect: allow
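The default policies above are broad (agent:id:* and the like). A custom policy is usually narrower, and the most common mistake when writing one is pairing an action with a resource type it never matches, which silently grants nothing. The following added Python example (not Wazuh's own code) validates a policy against the action-to-resource-type table that can be read off the default policies and endpoint lists on this page, then creates the policy, a role and a user through the /security endpoints and links them. The base URL, credentials, CA file and environment variable names are assumptions; the transcribed table may be narrower than a live server's, whose authoritative lists come from GET /security/actions and GET /security/resources.

```python
"""Validate a custom Wazuh RBAC policy and provision it through the server API.

Added example, not Wazuh's own code. ACTION_RESOURCE_TYPES is transcribed from
the default policies and endpoint lists on this page; on a live server the
authoritative lists come from GET /security/actions and GET /security/resources.
"""
import base64
import json
import ssl
import urllib.request

_RESOURCELESS = {"*:*"}
_AGENT = {"agent:id", "agent:group"}
ACTION_RESOURCE_TYPES = {
    **{a: _RESOURCELESS for a in (
        "agent:create", "group:create", "agent:uninstall", "cluster:status",
        "manager:read", "manager:read_api_config", "manager:update_config",
        "manager:restart", "decoders:update", "event:ingest", "lists:update",
        "logtest:run", "mitre:read", "rules:update", "task:status",
        "vulnerability:run", "security:create", "security:create_user",
        "security:edit_run_as", "security:read_config", "security:update_config",
        "security:revoke")},
    **{a: _AGENT for a in (
        "agent:read", "agent:delete", "agent:modify_group", "agent:reconnect",
        "agent:restart", "agent:upgrade", "syscollector:read", "vulnerability:read")},
    **{a: {"agent:id"} for a in (
        "active-response:command", "rootcheck:clear", "rootcheck:read", "rootcheck:run",
        "sca:read", "syscheck:clear", "syscheck:read", "syscheck:run")},
    **{a: {"group:id"} for a in (
        "group:read", "group:delete", "group:update_config", "group:modify_assignments")},
    **{a: {"node:id"} for a in (
        "cluster:read_api_config", "cluster:read", "cluster:restart", "cluster:update_config")},
    **{a: {"decoder:file"} for a in ("decoders:read", "decoders:delete")},
    **{a: {"list:file"} for a in ("lists:read", "lists:delete")},
    **{a: {"rule:file"} for a in ("rules:read", "rules:delete")},
    **{a: {"role:id", "policy:id", "user:id", "rule:id"} for a in (
        "security:read", "security:update", "security:delete")},
}


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is well formed
    and every action in it can match at least one of its resources."""
    problems = []
    if policy.get("effect") not in ("allow", "deny"):
        problems.append(f"effect must be allow or deny, got {policy.get('effect')!r}")
    types = set()
    for res in policy.get("resources", []):
        parts = res.split(":")
        if len(parts) != 3 or not all(parts):
            problems.append(f"resource {res!r} is not of the form kind:name:value")
            continue
        types.add(":".join(parts[:2]))
    for action in policy.get("actions", []):
        accepted = ACTION_RESOURCE_TYPES.get(action)
        if accepted is None:
            problems.append(f"unknown action {action!r}")
        elif not (accepted & types):
            problems.append(f"{action} needs a resource of type {sorted(accepted)}; "
                            f"none of {sorted(types)} applies")
    if not policy.get("actions") or not policy.get("resources"):
        problems.append("actions and resources must both be non-empty")
    return problems


# Constructed least-privilege policy: read-only view of the agents in group 'web'.
WEB_READONLY = {
    "actions": ["agent:read", "syscollector:read"],
    "resources": ["agent:group:web"],
    "effect": "allow",
}


class WazuhAPI:
    """Minimal client for the /security endpoints used below. Base URL, user,
    password and CA file are assumptions of this example."""

    def __init__(self, base_url, user, password, cafile=None):
        self.base_url = base_url.rstrip("/")
        self.ctx = ssl.create_default_context(cafile=cafile)
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.token = self._call("POST", "/security/user/authenticate",
                                headers={"Authorization": f"Basic {cred}"})["data"]["token"]

    def _call(self, method, path, body=None, headers=None):
        hdrs = {"Content-Type": "application/json", **(headers or {})}
        if hasattr(self, "token"):
            hdrs["Authorization"] = f"Bearer {self.token}"
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method, headers=hdrs)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def create_least_privilege_user(self, username, password, role_name, policy_name, policy):
        """Create the policy, a role and a user, then link user -> role -> policy."""
        problems = validate_policy(policy)
        if problems:
            raise ValueError("; ".join(problems))
        pol = self._call("POST", "/security/policies", {"name": policy_name, "policy": policy})
        policy_id = pol["data"]["affected_items"][0]["id"]
        role = self._call("POST", "/security/roles", {"name": role_name})
        role_id = role["data"]["affected_items"][0]["id"]
        self._call("POST", f"/security/roles/{role_id}/policies?policy_ids={policy_id}")
        usr = self._call("POST", "/security/users", {"username": username, "password": password})
        user_id = usr["data"]["affected_items"][0]["id"]
        self._call("POST", f"/security/users/{user_id}/roles?role_ids={role_id}")
        return user_id


if __name__ == "__main__":
    import os  # assumed environment variables; there is no default server here
    api = WazuhAPI(os.environ["WAZUH_API"], os.environ["WAZUH_USER"],
                   os.environ["WAZUH_PASS"], os.environ.get("WAZUH_CA"))
    print(api.create_least_privilege_user("web_ro", os.environ["NEW_USER_PASS"],
                                          "web_readonly", "web_agents_readonly", WEB_READONLY))
```

The validator deliberately refuses a policy that pairs agent:read with group:id:web: group:id is the resource type of the group:* actions, so such a policy would be accepted by the API yet never authorize a single /agents request. Creating the policy before the role and the role before the user means a failure midway leaves nothing that can already log in with partial permissions.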
Default roles
administrator
The administrator role has full access to all endpoints in the Wazuh server API.
Policies
Rules
agents_admin
The agent administrator role has full access to all agents related functionalities.
Policies
agents_readonly
Read only role for agents related functionalities.
Policies
cluster_admin
Manager administrator of the Wazuh server cluster. This role has full access to all manager related functionalities.
Policies
cluster_readonly
Read only role for manager related functionalities.
Policies
readonly
Read only role that can read all the information of the system.
Policies
users_admin
Users administrator of the system. This role provides full access to all users related functionalities.
Policies
Default rules
Warning
run_as permissions through these mapping rules can only be obtained with the wazuh-wui user. These rules will never match an authorization context for any other Wazuh server API user.
wui_elastic_admin
Administrator permissions for the elastic users of the Wazuh dashboard.
rule:
    FIND:
        username: "elastic"
wui_opendistro_admin
Administrator permissions for the opendistro users of the Wazuh dashboard.
rule:
    FIND:
        user_name: "admin"
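How these mapping rules are applied, as an added Python example (not Wazuh's own rule matcher). It models the FIND operator used by the two default rules: every key/value listed under FIND has to appear somewhere in the authorization context that the dashboard sends when it authenticates with run_as, and, as the warning above states, no rule matches unless the API user is wazuh-wui. That FIND searches the context recursively and accepts a list value containing the wanted value is an assumption of this model; the authorization contexts are constructed for the example.

```python
"""Match a Wazuh-style role mapping rule against an authorization context.

Added example, not Wazuh's own matcher. Models only the FIND operator shown on
this page. Assumptions of this model: FIND searches the nested context
recursively, and a list value in the context matches when it contains the
wanted value.
"""

RUN_AS_USER = "wazuh-wui"   # the only API user whose authorization context the rules apply to


def _find(context, key, wanted):
    """Recursively look for key == wanted anywhere inside a nested context."""
    if isinstance(context, dict):
        if key in context:
            value = context[key]
            if value == wanted or (isinstance(value, list) and wanted in value):
                return True
        return any(_find(v, key, wanted) for v in context.values())
    if isinstance(context, list):
        return any(_find(item, key, wanted) for item in context)
    return False


def rule_matches(rule, auth_context):
    """True when every FIND key/value in the rule is found in auth_context.
    A rule with an empty FIND matches nothing."""
    find = rule.get("FIND", {})
    return bool(find) and all(_find(auth_context, k, v) for k, v in find.items())


def roles_for(rules, auth_context, api_user):
    """Names of the rules (and therefore the roles mapped to them) that apply
    to this login. Only the wazuh-wui user can obtain permissions this way."""
    if api_user != RUN_AS_USER:
        return []
    return [name for name, spec in rules.items() if rule_matches(spec["rule"], auth_context)]


# Rules transcribed from this page.
DEFAULT_RULES = {
    "wui_elastic_admin": {"rule": {"FIND": {"username": "elastic"}}},
    "wui_opendistro_admin": {"rule": {"FIND": {"user_name": "admin"}}},
}

# Constructed authorization contexts; the exact shape sent by a dashboard is
# not described on this page.
ELASTIC_CTX = {"username": "elastic", "roles": ["superuser"]}
OPENDISTRO_CTX = {"user_name": "admin", "backend_roles": ["admin"], "tenants": {"global_tenant": True}}
ANALYST_CTX = {"user_name": "analyst", "backend_roles": ["readall"]}

if __name__ == "__main__":
    for label, ctx in [("elastic", ELASTIC_CTX), ("opendistro admin", OPENDISTRO_CTX), ("analyst", ANALYST_CTX)]:
        print(f"{label:17} via wazuh-wui -> {roles_for(DEFAULT_RULES, ctx, RUN_AS_USER)}")
    print(f"elastic via wazuh     -> {roles_for(DEFAULT_RULES, ELASTIC_CTX, 'wazuh')}")
```

The practical point of the model is the second gate: a context that satisfies a rule still yields no roles unless the API login is wazuh-wui, so granting run_as to any other API user does not let it inherit the administrator mapping through these rules.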