RBAC Reference

RBAC policies consist of three elements: actions, resources, and an effect. Each API endpoint involves one or more actions, and each action is performed on specific resources.

For example, the GET /agents endpoint retrieves information about one or all agents. This endpoint applies the action agent:read on the resource agent:id or agent:group, for example agent:id:001 (agent 001) or agent:id:* (all agents). All existing resources, the available actions, and the endpoints affected by each action are listed on this reference page.

This reference also contains a set of default roles and policies that can be immediately used instead of creating new ones.

Resources

| Resource | Description | Example |
| --- | --- | --- |
| *:* | Reference resources that do not yet exist in the system (future resources). Actions that use this resource are called resourceless. | |
| agent:group | Reference agents via group name. This resource is disaggregated into the IDs of the agents belonging to the specified group. | agent:group:web |
| agent:id | Reference agents via agent ID | agent:id:001 |
| group:id | Reference agent groups via group ID | group:id:default |
| node:id | Reference a cluster node via node ID | node:id:worker1 |
| decoder:file | Reference a decoder file via its filename | decoder:file:0005-wazuh_decoders.xml |
| list:file | Reference a list file via its filename | list:file:audit-keys |
| rule:file | Reference a rule file via its filename | rule:file:0610-win-ms_logs_rules.xml |
| policy:id | Reference a security policy via its ID | policy:id:1 |
| role:id | Reference a security role via its ID | role:id:1 |
| rule:id | Reference a security rule via its ID | rule:id:1 |
| user:id | Reference a security user via its ID | user:id:1 |
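The following is an added, simplified policy evaluator written to illustrate how the three elements above (action, resource, effect) combine. It is not Wazuh's own authorization code. It uses the agents_read and events_ingest default policies from this page as data, plus a constructed group-membership table (GROUP_MEMBERS) so that agent:group resources can be disaggregated into agent IDs as the table describes. Two behaviours are my assumptions rather than statements of the page: the default decision is deny, and an explicit deny rule overrides an allow rule for the same action and resource.

```python
from fnmatch import fnmatchcase

# Constructed sample data: which agent IDs belong to which group. A real server looks
# this up from its agent database; here it is an in-memory dict for the example.
GROUP_MEMBERS = {"web": ["001", "002"], "default": ["003"]}

# The agents_read default policy from this page, as a Python structure.
AGENTS_READ = {
    "agents": {"actions": ["agent:read"],
               "resources": ["agent:id:*", "agent:group:*"], "effect": "allow"},
    "groups": {"actions": ["group:read"],
               "resources": ["group:id:*"], "effect": "allow"},
}

# The events_ingest default policy from this page: a resourceless action on '*:*:*'.
EVENTS_INGEST = {
    "resourceless": {"actions": ["event:ingest"], "resources": ["*:*:*"], "effect": "allow"},
}

# Constructed policy (not from the page) that denies reading one agent, used to show
# the assumed deny-overrides-allow precedence.
DENY_AGENT_003 = {
    "deny_003": {"actions": ["agent:read"], "resources": ["agent:id:003"], "effect": "deny"},
}


def expand_resource(resource):
    """Disaggregate agent:group:<name> (or agent:group:*) into agent:id:<id> entries.

    Every other resource, including the resourceless marker '*:*:*', passes through.
    """
    kind, _, value = resource.rpartition(":")
    if kind == "agent:group":
        groups = GROUP_MEMBERS if value == "*" else {value: GROUP_MEMBERS.get(value, [])}
        return [f"agent:id:{aid}" for ids in groups.values() for aid in ids]
    return [resource]


def resource_matches(pattern, resource):
    """'agent:id:*' matches 'agent:id:001'; '*:*:*' matches only the resourceless marker."""
    if pattern == "*:*:*":
        return resource == "*:*:*"
    return fnmatchcase(resource, pattern)


def is_allowed(policies, action, requested):
    """Decide whether `action` may be performed on every resource in `requested`.

    Default deny: each expanded target must be covered by at least one allow rule and by
    no deny rule (deny precedence is an assumption of this example).
    """
    targets = [r for req in requested for r in expand_resource(req)]
    if not targets:  # e.g. an empty or unknown group expands to nothing
        return False
    for target in targets:
        allowed = denied = False
        for policy in policies:
            for rule in policy.values():
                if action not in rule["actions"]:
                    continue
                patterns = [p for res in rule["resources"] for p in expand_resource(res)]
                if any(resource_matches(p, target) for p in patterns):
                    if rule["effect"] == "allow":
                        allowed = True
                    elif rule["effect"] == "deny":
                        denied = True
        if denied or not allowed:
            return False
    return True


if __name__ == "__main__":
    checks = [
        ([AGENTS_READ], "agent:read", ["agent:id:001"]),
        ([AGENTS_READ], "agent:read", ["agent:group:web"]),
        ([AGENTS_READ], "agent:restart", ["agent:id:001"]),
        ([AGENTS_READ], "agent:create", ["*:*:*"]),
        ([EVENTS_INGEST], "event:ingest", ["*:*:*"]),
        ([AGENTS_READ, DENY_AGENT_003], "agent:read", ["agent:group:default"]),
    ]
    for policies, action, resources in checks:
        print(f"{action:14} on {resources} -> {is_allowed(policies, action, resources)}")
```

Note that agents_read grants agent:read but not agent:restart, and it grants nothing for the resourceless action agent:create, which only the agents_all policy further down covers. A request on agent:group:default is denied once the constructed deny rule for agent:id:003 is present, because the group expands to that agent.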

Actions

In each action, the affected endpoints are specified along with the necessary resources, following this structure: <Method> <Endpoint> (<Resource>).

Active_response

The /active-response endpoint of the Wazuh server API allows users to interact with the Wazuh active response module.

active-response:command

Agent

The /agents endpoint of the Wazuh server API allows users to enroll and manage agents on the Wazuh server.

agent:create

agent:delete

agent:modify_group

agent:read

agent:reconnect

agent:restart

agent:upgrade

CIS-CAT

The /ciscat endpoint of the Wazuh server API enables users to retrieve specific information from the results of CIS-CAT scans carried out on the Wazuh agents.

ciscat:read

Cluster

The /cluster endpoint of the Wazuh server API allows users to manage the configuration and health of the master node and the worker nodes in the Wazuh cluster.

cluster:read_api_config

cluster:read

cluster:restart

cluster:status

cluster:update_config

Decoders

The /decoder endpoint of the Wazuh server API enables users to manage and retrieve information about the decoders included in the Wazuh server.

decoders:read

decoders:update

decoders:delete

Events

The /event endpoint of the Wazuh server API allows users to ingest security events into the Wazuh analysis engine.

event:ingest

Group

The /groups endpoint of the Wazuh server API enables users to group Wazuh agents into distinct subsets for centralized configurations.

group:create

group:delete

group:modify_assignments

group:read

group:update_config

Lists

The /lists endpoint of the Wazuh server API allows users to retrieve and manage the CDB lists that are used for checking malicious files on Wazuh agents.

lists:read

lists:update

lists:delete

Logtest

The /logtest endpoint of the Wazuh server API allows users to test and verify new rules and decoders against provided log examples in the Wazuh analysis engine.

logtest:run

Manager

The /manager endpoint of the Wazuh server API enables users to manage and collect relevant information from the Wazuh manager.

manager:read_api_config

manager:read

manager:restart

manager:update_config

MITRE

The /mitre endpoint of the Wazuh server API allows users to retrieve a high-level overview of the corresponding tactics and techniques from the MITRE ATT&CK database.

mitre:read

Rootcheck

The /rootcheck endpoint of the Wazuh server API enables users to interact with the Wazuh rootcheck module and retrieve results from the scans on the Wazuh agents.

rootcheck:clear

rootcheck:read

rootcheck:run

Rules

The /rules endpoint of the Wazuh server API lets users manage and retrieve information about the Wazuh rules that are used to analyze incoming events and generate alerts.

rules:read

rules:update

rules:delete

SCA

The /sca endpoint of the Wazuh server API allows users to interact with the Wazuh SCA module and collect relevant SCA scan results from Wazuh agents.

sca:read

Security

The /security endpoint of the Wazuh server API enables administrators to manage security-related aspects within the Wazuh environment.

security:create_user

security:create

security:delete

security:edit_run_as

security:read_config

security:read

security:revoke

security:update_config

security:update

File integrity monitoring

The /syscheck endpoint of the Wazuh server API allows users to interact with the Wazuh File Integrity Monitoring module to initiate scans and retrieve syscheck results.

syscheck:clear

syscheck:read

syscheck:run

Syscollector

The /syscollector endpoint of the Wazuh server API allows users to collect system information from monitored endpoints and send it to the Wazuh server.

syscollector:read

Task

The /tasks endpoint of the Wazuh server API enables users to get status information about the tasks performed by the Wazuh manager.

task:status

Vulnerability

The /vulnerability endpoint of the Wazuh server API allows users to perform vulnerability detector scans and collect relevant information about vulnerabilities from Wazuh agents. This API endpoint has been deprecated since version 4.7.

vulnerability:read

vulnerability:run

Default policies

agents_all

Grant full access to all agent-related functionalities.

resourceless:
  actions:
    - agent:create
    - group:create
  resources:
    - '*:*:*'
  effect: allow
agents:
  actions:
    - agent:read
    - agent:delete
    - agent:modify_group
    - agent:reconnect
    - agent:restart
    - agent:upgrade
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
groups:
  actions:
    - group:read
    - group:delete
    - group:update_config
    - group:modify_assignments
  resources:
    - group:id:*
  effect: allow

agents_commands

Allow sending active response commands to Wazuh agents.

agents:
  actions:
    - active-response:command
  resources:
    - agent:id:*
  effect: allow

agents_read

Grant read access to all agent-related functionalities.

agents:
  actions:
    - agent:read
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
groups:
  actions:
    - group:read
  resources:
    - group:id:*
  effect: allow

ciscat_read

Allow reading the CIS-CAT results of agents.

ciscat:
  actions:
    - ciscat:read
  resources:
    - agent:id:*
  effect: allow

cluster_all

Provide full access to all cluster/manager-related functionalities.

resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
    - manager:update_config
    - manager:restart
  resources:
    - '*:*:*'
  effect: allow
nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
    - cluster:restart
    - cluster:update_config
  resources:
    - node:id:*
  effect: allow

cluster_read

Provide read access to all cluster/manager-related functionalities.

resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
  resources:
    - '*:*:*'
  effect: allow
nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
    - cluster:read_api_config
  resources:
    - node:id:*
  effect: allow

decoders_all

Allow managing all decoder files in the Wazuh server.

files:
  actions:
    - decoders:read
    - decoders:delete
  resources:
    - decoder:file:*
  effect: allow
resourceless:
  actions:
    - decoders:update
  resources:
    - '*:*:*'
  effect: allow

decoders_read

Allow reading all decoder files in the Wazuh server.

decoders:
  actions:
    - decoders:read
  resources:
    - decoder:file:*
  effect: allow

events_ingest

Allow sending events to the Wazuh analysis engine.

resourceless:
  actions:
    - event:ingest
  resources:
    - '*:*:*'
  effect: allow

lists_all

Allow managing all CDB lists files on the Wazuh server.

files:
  actions:
    - lists:read
    - lists:delete
  resources:
    - list:file:*
  effect: allow
resourceless:
  actions:
    - lists:update
  resources:
    - '*:*:*'
  effect: allow

lists_read

Allow reading the path of all the lists in the Wazuh server.

lists:
  actions:
    - lists:read
  resources:
    - list:file:*
  effect: allow

logtest_all

Provide access to all logtest related functionalities.

logtest:
  actions:
    - logtest:run
  resources:
    - '*:*:*'
  effect: allow

mitre_read

Allow reading MITRE database information.

mitre:
  actions:
    - mitre:read
  resources:
    - '*:*:*'
  effect: allow

rootcheck_all

Allow reading, running and clearing rootcheck information.

rootcheck:
  actions:
    - rootcheck:clear
    - rootcheck:read
    - rootcheck:run
  resources:
    - agent:id:*
  effect: allow

rootcheck_read

Allow reading all rootcheck information.

rootcheck:
  actions:
    - rootcheck:read
  resources:
    - agent:id:*
  effect: allow

rules_all

Allow managing all rule files in the Wazuh server.

files:
  actions:
    - rules:read
    - rules:delete
  resources:
    - rule:file:*
  effect: allow
resourceless:
  actions:
    - rules:update
  resources:
    - '*:*:*'
  effect: allow

rules_read

Allow reading all rule files in the system.

rules:
  actions:
    - rules:read
  resources:
    - rule:file:*
  effect: allow

sca_read

Allow reading the SCA information of agents.

sca:
  actions:
    - sca:read
  resources:
    - agent:id:*
  effect: allow

security_all

Provide full access to all security-related functionalities.

resourceless:
  actions:
    - security:create
    - security:create_user
    - security:edit_run_as
    - security:read_config
    - security:update_config
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
security:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - role:id:*
    - policy:id:*
    - user:id:*
    - rule:id:*
  effect: allow

syscheck_all

Allow reading, running and clearing syscheck information.

syscheck:
  actions:
    - syscheck:clear
    - syscheck:read
    - syscheck:run
  resources:
    - agent:id:*
  effect: allow

syscheck_read

Allow reading syscheck information.

syscheck:
  actions:
    - syscheck:read
  resources:
    - agent:id:*
  effect: allow

syscollector_read

Allow reading the syscollector information of agents.

syscollector:
  actions:
    - syscollector:read
  resources:
    - agent:id:*
  effect: allow

task_status

Allow reading task status information.

task:
  actions:
    - task:status
  resources:
    - '*:*:*'
  effect: allow

users_all

Provide full access to all user-related functionalities.

resourceless:
  actions:
    - security:create_user
    - security:edit_run_as
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
users:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - user:id:*
  effect: allow

users_modify_run_as

Provides the capability to modify the users' run_as parameter.

flag:
  actions:
    - security:edit_run_as
  resources:
    - '*:*:*'
  effect: allow

vulnerability_read

Allow reading the vulnerability information of agents.

vulnerability:
  actions:
    - vulnerability:read
  resources:
    - agent:id:*
  effect: allow

vulnerability_run

Allow running a vulnerability detector scan.

resourceless:
  actions:
    - vulnerability:run
  resources:
    - '*:*:*'
  effect: allow

Default roles

administrator

The administrator role has full access to all endpoints in the Wazuh server API.

Policies

Rules

agents_admin

The agent administrator role has full access to all agent-related functionalities.

Policies

agents_readonly

Read-only role for agent-related functionalities.

Policies

cluster_admin

Manager administrator of the Wazuh server cluster. This role has full access to all manager-related functionalities.

Policies

cluster_readonly

Read-only role for manager-related functionalities.

Policies

readonly

Read-only role. This role can read all the information in the system.

Policies

users_admin

Users administrator of the system. This role provides full access to all user-related functionalities.

Policies

Default rules

Warning

run_as permissions through these mapping rules can only be obtained with the wazuh-wui user. These rules will never match an authorization context for any other Wazuh server API user.

wui_elastic_admin

Administrator permissions for the elastic users of the Wazuh dashboard.

rule:
    FIND:
        username: "elastic"

wui_opendistro_admin

Administrator permissions for the opendistro users of the Wazuh dashboard.

rule:
    FIND:
        user_name: "admin"
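To show how the two default rules above are applied, here is an added example evaluator; it is not Wazuh's rule engine. It encodes both rules as Python dicts and checks them against constructed authorization contexts (CTX_ELASTIC, CTX_NESTED, CTX_OTHER, all invented for this example). My assumption about the semantics, not stated on this page, is that FIND matches when the given key/value pair appears anywhere in the nested authorization context, at any depth. The run_as_granted function enforces the warning above: a rule can only grant run_as permissions when the API user is wazuh-wui.

```python
# Added example: evaluating the FIND mapping rules against an authorization context.

# The two default rules from this page, as Python structures.
WUI_ELASTIC_ADMIN = {"FIND": {"username": "elastic"}}
WUI_OPENDISTRO_ADMIN = {"FIND": {"user_name": "admin"}}

# Constructed authorization contexts, shaped like JSON a dashboard might send.
CTX_ELASTIC = {"username": "elastic", "roles": ["superuser"]}
CTX_NESTED = {"user": {"user_name": "admin", "backend_roles": ["admin"]}}
CTX_OTHER = {"username": "analyst", "user": {"user_name": "readonly"}}

# Per the warning on this page, only this API user can obtain run_as permissions
# through the default mapping rules.
RUN_AS_USER = "wazuh-wui"


def _pairs(node):
    """Yield every (key, value) pair found at any depth of a nested dict/list structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from _pairs(value)
    elif isinstance(node, list):
        for item in node:
            yield from _pairs(item)


def find_matches(wanted, context):
    """FIND (assumed semantics): every wanted key/value pair occurs somewhere in context."""
    return all(
        any(key == wk and value == wv for key, value in _pairs(context))
        for wk, wv in wanted.items()
    )


def rule_matches(rule, context):
    """Evaluate a mapping rule; only the FIND operator shown on this page is supported."""
    operator, body = next(iter(rule.items()))
    if operator == "FIND":
        return find_matches(body, context)
    raise ValueError(f"unsupported rule operator: {operator!r}")


def run_as_granted(api_user, rule, context):
    """run_as is granted only to the wazuh-wui API user and only if the rule matches."""
    return api_user == RUN_AS_USER and rule_matches(rule, context)


if __name__ == "__main__":
    for name, rule in (("wui_elastic_admin", WUI_ELASTIC_ADMIN),
                       ("wui_opendistro_admin", WUI_OPENDISTRO_ADMIN)):
        for ctx_name, ctx in (("elastic", CTX_ELASTIC), ("nested", CTX_NESTED), ("other", CTX_OTHER)):
            print(f"{name:22} vs {ctx_name:8}: {run_as_granted(RUN_AS_USER, rule, ctx)}")
```

The nested context shows why the depth of the search matters: user_name sits one level down under "user", and the rule still matches. The same context presented by any API user other than wazuh-wui is rejected before the rule is consulted.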