RBAC Reference
RBAC policies are made up of three elements: actions, resources, and effect. Each API endpoint involves one or more actions and can be performed on specific resources.
For example, the GET /agents endpoint is used to obtain the information of one or all agents. This endpoint applies the action agent:read on the resource agent:id or agent:group, for example agent:id:001 (agent 001) or agent:id:* (all agents). All the existing resources, the available actions, and the endpoints affected by each one can be found on this reference page.
This reference also contains a set of default roles and policies that can be used immediately instead of having to create new ones.
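To make the three elements concrete, the following is an added example (not code from the Wazuh documentation or project) of a small evaluator for policies written in the shape this page uses. It assumes things the page does not state: a request is denied unless some policy allows it, an explicit deny effect overrides any allow, and a request naming a group or the agent:id:* wildcard is decided per concrete agent. AGENTS and POLICIES are constructed sample data, and the function names are this example's own.

```python
# Added example, not part of the Wazuh documentation: a minimal evaluator for
# policies in the shape shown on this page (sections of actions, resources and
# an effect). Assumptions not stated on the page: a request is denied unless
# some policy allows it, an explicit "deny" effect overrides any "allow", and
# a request for a wildcard or group resource is answered per concrete agent.
from fnmatch import fnmatchcase

# Constructed agent registry: agent ID -> group name. A real deployment would
# take this from the manager; here it is what "agent:group:<name>" expands into.
AGENTS = {"001": "web", "002": "web", "003": "db"}

# Constructed policies written in the page's format.
POLICIES = {
    "agents_read": {
        "agents": {
            "actions": ["agent:read"],
            "resources": ["agent:id:*", "agent:group:*"],
            "effect": "allow",
        },
    },
    "agents_create": {
        "resourceless": {
            "actions": ["agent:create"],
            "resources": ["*:*:*"],
            "effect": "allow",
        },
    },
    "deny_db_agents": {
        "agents": {
            "actions": ["agent:read"],
            "resources": ["agent:group:db"],
            "effect": "deny",
        },
    },
}


def expand(resource, enumerate_ids=False):
    """Disaggregate a resource into the concrete resources it refers to.

    agent:group:<name> becomes the agent:id:<n> entries of that group, as the
    page describes. With enumerate_ids=True, agent:id:* also becomes every
    known agent, which is how a request is split into per-agent decisions.
    """
    kind, key, value = resource.split(":", 2)  # page format: <type>:<key>:<value>
    if kind == "agent" and key == "group":
        return [f"agent:id:{aid}" for aid, group in AGENTS.items() if value in ("*", group)]
    if enumerate_ids and kind == "agent" and key == "id" and value == "*":
        return [f"agent:id:{aid}" for aid in AGENTS]
    return [resource]


def decide(policies, action, target):
    """Decision for one concrete resource: default deny, explicit deny wins."""
    allowed = False
    for policy in policies.values():
        for section in policy.values():
            if action not in section["actions"]:
                continue
            # Policy-side resources keep their globs; groups are disaggregated.
            patterns = [p for r in section["resources"] for p in expand(r)]
            if any(fnmatchcase(target, pattern) for pattern in patterns):
                if section["effect"] == "deny":
                    return False
                allowed = True
    return allowed


def allowed_resources(policies, action, resource):
    """Subset of the requested resource(s) on which `action` is permitted."""
    return [t for t in expand(resource, enumerate_ids=True) if decide(policies, action, t)]


if __name__ == "__main__":
    requests = [
        ("agent:read", "agent:group:web"),   # group disaggregated to 001, 002
        ("agent:read", "agent:id:*"),        # wildcard filtered by the deny on group db
        ("agent:read", "agent:id:003"),      # explicitly denied
        ("agent:create", "*:*:*"),           # resourceless action
        ("agent:delete", "agent:id:001"),    # no policy grants it: default deny
    ]
    for action, resource in requests:
        print(f"{action} on {resource}: {allowed_resources(POLICIES, action, resource)}")
```

The evaluator returns the permitted subset rather than a single yes/no, which is the behaviour a defender should expect when a wildcard request meets a narrower deny: the request is not rejected outright, the denied agents are simply filtered out of the answer.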
Resources
*:*
  Description: References resources that do not yet exist in the system (futures). Actions using these resources are called resourceless.
agent:group
  Description: References agents via group name. This resource is disaggregated into the IDs of the agents belonging to the specified group.
  Example: agent:group:web
decoder:file
  Description: References a decoder file via its filename.
  Example: decoder:file:0005-wazuh_decoders.xml
Actions
In each action, the affected endpoints are specified along with the necessary resources, following this structure: <Method> <Endpoint> (<Resource>)
Agent
agent:read
Cluster
Manager
manager:read
Security
security:delete
security:update
Syscollector
syscollector:read
GET /experimental/syscollector/hardware (agent:id, agent:group)
GET /experimental/syscollector/hotfixes (agent:id, agent:group)
GET /experimental/syscollector/netaddr (agent:id, agent:group)
GET /experimental/syscollector/netiface (agent:id, agent:group)
GET /experimental/syscollector/netproto (agent:id, agent:group)
GET /experimental/syscollector/packages (agent:id, agent:group)
GET /experimental/syscollector/ports (agent:id, agent:group)
GET /experimental/syscollector/processes (agent:id, agent:group)
GET /syscollector/{agent_id}/hardware (agent:id, agent:group)
GET /syscollector/{agent_id}/hotfixes (agent:id, agent:group)
GET /syscollector/{agent_id}/netaddr (agent:id, agent:group)
GET /syscollector/{agent_id}/netiface (agent:id, agent:group)
GET /syscollector/{agent_id}/netproto (agent:id, agent:group)
GET /syscollector/{agent_id}/packages (agent:id, agent:group)
GET /syscollector/{agent_id}/processes (agent:id, agent:group)
Default policies
agents_all
Grant full access to all agent-related functionalities.
resourceless:
  actions:
    - agent:create
    - group:create
  resources:
    - '*:*:*'
  effect: allow
agents:
  actions:
    - agent:read
    - agent:delete
    - agent:modify_group
    - agent:reconnect
    - agent:restart
    - agent:upgrade
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
groups:
  actions:
    - group:read
    - group:delete
    - group:update_config
    - group:modify_assignments
  resources:
    - group:id:*
  effect: allow
agents_commands
Allow sending commands to agents.
agents:
  actions:
    - active-response:command
  resources:
    - agent:id:*
  effect: allow
agents_read
Grant read access to all agent-related functionalities.
agents:
  actions:
    - agent:read
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
groups:
  actions:
    - group:read
  resources:
    - group:id:*
  effect: allow
ciscat_read
Allow reading the agents' CIS-CAT results information.
ciscat:
  actions:
    - ciscat:read
  resources:
    - agent:id:*
  effect: allow
cluster_all
Provide full access to all cluster/manager-related functionalities.
resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
    - manager:update_config
    - manager:restart
  resources:
    - '*:*:*'
  effect: allow
nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
    - cluster:restart
    - cluster:update_config
  resources:
    - node:id:*
  effect: allow
cluster_read
Provide read access to all cluster/manager-related functionalities.
resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
  resources:
    - '*:*:*'
  effect: allow
nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
    - cluster:read_api_config
  resources:
    - node:id:*
  effect: allow
decoders_all
Allow managing all decoder files in the system.
files:
  actions:
    - decoders:read
    - decoders:delete
  resources:
    - decoder:file:*
  effect: allow
resourceless:
  actions:
    - decoders:update
  resources:
    - '*:*:*'
  effect: allow
decoders_read
Allow reading all decoder files in the system.
decoders:
  actions:
    - decoders:read
  resources:
    - decoder:file:*
  effect: allow
lists_all
Allow managing all CDB list files in the system.
files:
  actions:
    - lists:read
    - lists:delete
  resources:
    - list:file:*
  effect: allow
resourceless:
  actions:
    - lists:update
  resources:
    - '*:*:*'
  effect: allow
lists_read
Allow reading all list paths in the system.
lists:
  actions:
    - lists:read
  resources:
    - list:file:*
  effect: allow
logtest_all
Provide access to all logtest-related functionalities.
logtest:
  actions:
    - logtest:run
  resources:
    - '*:*:*'
  effect: allow
mitre_read
Allow reading MITRE database information.
mitre:
  actions:
    - mitre:read
  resources:
    - '*:*:*'
  effect: allow
rootcheck_all
Allow reading, running and clearing rootcheck information.
rootcheck:
  actions:
    - rootcheck:clear
    - rootcheck:read
    - rootcheck:run
  resources:
    - agent:id:*
  effect: allow
rootcheck_read
Allow reading all rootcheck information.
rootcheck:
  actions:
    - rootcheck:read
  resources:
    - agent:id:*
  effect: allow
rules_all
Allow managing all rule files in the system.
files:
  actions:
    - rules:read
    - rules:delete
  resources:
    - rule:file:*
  effect: allow
resourceless:
  actions:
    - rules:update
  resources:
    - '*:*:*'
  effect: allow
rules_read
Allow reading all rule files in the system.
rules:
  actions:
    - rules:read
  resources:
    - rule:file:*
  effect: allow
sca_read
Allow reading the agents' SCA information.
sca:
  actions:
    - sca:read
  resources:
    - agent:id:*
  effect: allow
security_all
Provide full access to all security-related functionalities.
resourceless:
  actions:
    - security:create
    - security:create_user
    - security:edit_run_as
    - security:read_config
    - security:update_config
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
security:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - role:id:*
    - policy:id:*
    - user:id:*
    - rule:id:*
  effect: allow
syscheck_all
Allow reading, running and clearing syscheck information.
syscheck:
  actions:
    - syscheck:clear
    - syscheck:read
    - syscheck:run
  resources:
    - agent:id:*
  effect: allow
syscheck_read
Allow reading syscheck information.
syscheck:
  actions:
    - syscheck:read
  resources:
    - agent:id:*
  effect: allow
syscollector_read
Allow reading agents' syscollector information.
syscollector:
  actions:
    - syscollector:read
  resources:
    - agent:id:*
  effect: allow
task_status
Allow reading task information.
task:
  actions:
    - task:status
  resources:
    - '*:*:*'
  effect: allow
users_all
Provide full access to all user-related functionalities.
resourceless:
  actions:
    - security:create_user
    - security:edit_run_as
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
users:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - user:id:*
  effect: allow
users_modify_run_as
Provides the capability to modify the users' run_as parameter.
flag:
  actions:
    - security:edit_run_as
  resources:
    - '*:*:*'
  effect: allow
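Several of the default policies above overlap (security_all, users_all and users_modify_run_as all grant security:edit_run_as, for instance), so choosing the narrowest one for a role is a least-privilege decision. The following is an added example (not code from the Wazuh documentation or project) of a static audit over policies in the page's format: DEFAULT_POLICIES transcribes a subset of the default policies listed above, and the function names and the "fewest allowed actions" ranking are this example's own choices.

```python
# Added example, not part of the Wazuh documentation: a static audit over
# policies in the page's format, to find which policies grant an action, to
# pick the least-privileged policy for a required set of actions, and to list
# what a chosen policy grants beyond that set.

# Transcribed from the page's default policies (subset).
DEFAULT_POLICIES = {
    "agents_all": {
        "resourceless": {"actions": ["agent:create", "group:create"],
                         "resources": ["*:*:*"], "effect": "allow"},
        "agents": {"actions": ["agent:read", "agent:delete", "agent:modify_group",
                               "agent:reconnect", "agent:restart", "agent:upgrade"],
                   "resources": ["agent:id:*", "agent:group:*"], "effect": "allow"},
        "groups": {"actions": ["group:read", "group:delete", "group:update_config",
                               "group:modify_assignments"],
                   "resources": ["group:id:*"], "effect": "allow"},
    },
    "agents_read": {
        "agents": {"actions": ["agent:read"],
                   "resources": ["agent:id:*", "agent:group:*"], "effect": "allow"},
        "groups": {"actions": ["group:read"], "resources": ["group:id:*"], "effect": "allow"},
    },
    "syscollector_read": {
        "syscollector": {"actions": ["syscollector:read"],
                         "resources": ["agent:id:*"], "effect": "allow"},
    },
    "security_all": {
        "resourceless": {"actions": ["security:create", "security:create_user",
                                     "security:edit_run_as", "security:read_config",
                                     "security:update_config", "security:revoke"],
                         "resources": ["*:*:*"], "effect": "allow"},
        "security": {"actions": ["security:read", "security:update", "security:delete"],
                     "resources": ["role:id:*", "policy:id:*", "user:id:*", "rule:id:*"],
                     "effect": "allow"},
    },
    "users_all": {
        "resourceless": {"actions": ["security:create_user", "security:edit_run_as",
                                     "security:revoke"],
                         "resources": ["*:*:*"], "effect": "allow"},
        "users": {"actions": ["security:read", "security:update", "security:delete"],
                  "resources": ["user:id:*"], "effect": "allow"},
    },
    "users_modify_run_as": {
        "flag": {"actions": ["security:edit_run_as"], "resources": ["*:*:*"], "effect": "allow"},
    },
}


def allowed_actions(policy):
    """Set of actions a policy allows, across all of its sections."""
    return {a for s in policy.values() if s["effect"] == "allow" for a in s["actions"]}


def policies_granting(policies, action):
    """Names of the policies whose allow sections include `action`, sorted."""
    return sorted(name for name, p in policies.items() if action in allowed_actions(p))


def least_privileged(policies, required):
    """Policy covering every required action while allowing the fewest actions overall.

    Ties are broken by name so the result is deterministic; None when no single
    policy covers the requirement.
    """
    required = set(required)
    candidates = [(len(allowed_actions(p)), name)
                  for name, p in policies.items() if required <= allowed_actions(p)]
    return min(candidates)[1] if candidates else None


def privilege_delta(policies, name, required):
    """Actions `name` grants beyond `required`: the surplus a reviewer should justify."""
    return sorted(allowed_actions(policies[name]) - set(required))


if __name__ == "__main__":
    need = {"security:edit_run_as"}
    print("granted by:", policies_granting(DEFAULT_POLICIES, "security:edit_run_as"))
    best = least_privileged(DEFAULT_POLICIES, need)
    print("narrowest policy:", best)
    print("surplus if users_all were used instead:",
          privilege_delta(DEFAULT_POLICIES, "users_all", need))
```

Counting distinct allowed actions is a deliberately simple ranking; it does not weigh resource scope (a '*:*:*' resourceless grant versus a user:id:* one), so the surplus list is the part worth reading before a policy is attached to a role.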
Default roles
agents_admin
Agents administrator of the system; this role has full access to all agent-related functionalities.
- Policies
cluster_admin
Manager administrator of the system; this role has full access to all manager-related functionalities.
- Policies