Create and map internal users (RBAC)

Wazuh Role-based access control (RBAC) allows access to Wazuh resources based on the roles and policies assigned to the users. It is an easy-to-use administration system that enables to manage users’ or entities’ permissions to the system resources.

Note

Role-based access control can also be configured by REST API requests. To learn more about using the Wazuh API to configure RBAC, see our documentation here.

In the following sections, we learn how to create internal users and map them with Wazuh in the Wazuh app for Splunk.

Prerequisites


Before any user role mapping can be done, the Wazuh API connection inside the Splunk app must be configured with the wazuh-wui credentials. To do this follow the steps below:

  1. Open Splunk in your desired browser and login with the username and password created when the Splunk package was installed. Click on the Wazuh app icon.

  2. Click on the “Settings” tab. Fill the form with your wazuh-wui API credentials. Use the URL and port from your Wazuh API server.

    By default, the Wazuh API port is 55000. The default wazuh-wui username and password is wazuh-wui:wazuh-wui. Ensure that the Run as option is checked. Once the API has been added, it is possible to check the connection by pressing the Check connection button on each Wazuh API entry. A successful message appears on the bottom right corner if the connection is established.

    Note

    • If the Run as option is not checked when adding he wazuh-wui API credentials, RBAC cannot be configured.

    • Ensure that the “wazuh” user API credentials have already been added to the API configuration.

    • You can get more information about how to set up the credentials at Securing the Wazuh API section.

Creating and setting a Wazuh admin user

  1. Login to Splunk from your preferred browser.

  2. Select the Wazuh app for Splunk.

  3. Go to the “Security” tab. Select “Users” then “Add new user”.

  4. Specify the username and password, then select the “administrator” role for the user and save.

Creating and setting a Wazuh read-only user

  1. Login to Splunk from your preferred browser.

  2. Select the Wazuh app for Splunk.

  3. Go to the “Security” tab. Select “Users” then “Add new user”.

  4. Specify the username and password, then select the “readonly” role for the user and save.

Creating roles

  1. Login to Splunk from your preferred browser.

  2. Select the Wazuh app for Splunk.

  3. Go to the “Security” tab. Select “Roles” then “Add new role”.

  4. Specify the role name and select the policies you want to apply to the role. Then save.

Creating policies

  1. Login to Splunk from your preferred browser.

  2. Select the Wazuh app for Splunk.

  3. Go to the “Security” tab. Select “Policies” then “Add new policy”.

  4. Specify the policy name, then select the actions that should apply to the policy.

  5. Proceed to select the resource and resource identifier the policy will apply to.Then select an effect of the policy.

  6. Proceed to save the policy.

Mapping roles to users

  1. Login to Splunk from your preferred browser.

  2. Select the Wazuh app for Splunk.

  3. Go to the “Security” tab. Select “Roles Mapping” then “Add new role mapping”.

  4. Complete the empty fields with the requested information. Where

    Role mapping name: Assign a name to the role mapping.

    Roles: The roles to be mapped to a user.

    Internal users: The internal user to map a role to.

  5. Click Save to finish the action.