RBAC Reference

RBAC policies are made up of three elements: actions, resources and effect. Each API endpoint involves one or more actions and can be performed on specific resources.

For example, the GET /agents endpoint is used to obtain the information of one or all agents. This endpoint applies the action agent:read on the resource agent:id or agent:group. For example, agent:id:001 (agent 001) or agent:id:* (all agents). All the existing resources, available actions and the endpoints affected by each one can be found in this reference page.

This reference also contains a set of default roles and policies that can be immediately used instead of having to create new ones.

Resources
Actions
Default policies
Default roles
Default rules

Resources

*:*

Description

Reference resources that do not yet exist in the system (futures). Actions using these resources are called resourceless.

agent:group

Description

Reference agents via group name. This resource is disaggregated into the agent’s IDs belonging to the specified group.

Example

agent:group:web

agent:id

Description

Reference agents via agent ID

Example

agent:id:001

group:id

Description

Reference agent groups via group ID

Example

group:id:default

node:id

Description

Reference cluster node via node ID

Example

node:id:worker1

decoder:file

Description

Reference decoder file via its filename

Example

decoder:file:0005-wazuh_decoders.xml

list:file

Description

Reference list file via its filename

Example

list:file:audit-keys

rule:file

Description

Reference rule file via its filename

Example

rule:file:0610-win-ms_logs_rules.xml

policy:id

Description

Reference security policy via its id

Example

policy:id:1

role:id

Description

Reference security role via its id

Example

role:id:1

rule:id

Description

Reference security rule via its id

Example

rule:id:1

user:id

Description

Reference security user via its id

Example

user:id:1

Actions

In each action, the affected endpoints are specified along with the necessary resources, following this structure: <Method> <Endpoint> (<Resource>)

Active_response

active-response:command

Agent

agent:create

agent:delete

agent:modify_group

agent:read

agent:restart

agent:upgrade

Ciscat

ciscat:read

Cluster

cluster:read_api_config

cluster:read

cluster:restart

cluster:status

cluster:update_api_config

  • Deprecated since version 4.0.4.

cluster:update_config

Decoders

decoders:read

decoders:update

decoders:delete

Group

group:create

group:delete

group:modify_assignments

group:read

group:update_config

Lists

lists:read

lists:update

lists:delete

Logtest

logtest:run

Manager

manager:read_api_config

manager:read

manager:restart

manager:update_api_config

  • Deprecated since version 4.0.4.

manager:update_config

Mitre

mitre:read

Rootcheck

rootcheck:clear

rootcheck:read

rootcheck:run

Rules

rules:read

rules:update

rules:delete

SCA

sca:read

Security

security:create_user

security:create

security:delete

security:read_config

security:read

security:revoke

security:update_config

security:update

Syscheck

syscheck:clear

syscheck:read

syscheck:run

Syscollector

syscollector:read

Task

task:status

Default policies

agents_all

Grant full access to all agents related functionalities.

Actions
Resources
  • agent:id:*

  • agent:group:*

  • group:id:*

  • *:*:*

Effect
  • allow

agents_commands

Allow sending commands to agents.

Actions
Resources
  • agent:id:*

  • agent:group:*

Effect
  • allow

agents_read

Grant read access to all agents related functionalities.

Actions
Resources
  • agent:id:*

  • agent:group:*

  • group:id:*

Effect
  • allow

ciscat_read

Allow read agent’s ciscat results information.

Actions
Resources
  • agent:id:*

  • agent:group:*

Effect
  • allow

cluster_all

Provide full access to all cluster/manager related functionalities.

Actions
Resources
  • node:id:*

  • '*:*:*'

Effect
  • allow

cluster_read

Provide read access to all cluster/manager related functionalities.

Actions
Resources
  • node:id:*

  • '*:*:*'

Effect
  • allow

decoders_read

Allow reading all decoder files in the system.

Actions
Resources
  • decoder:file:*

Effect
  • allow

decoders_all

Allow managing all decoder files in the system.

Actions
Resources
  • decoder:file:*

  • *:*:*

lists_all

Allow managing all CDB lists files in the system.

Actions
Resources
  • list:file:*

  • '*:*:*'

Effect
  • allow

lists_read

Allow reading all list paths in the system.

Actions
Resources
  • list:file:*

Effect
  • allow

logtest_all

Provide access to all logtest related functionalities.

Actions
Resources
  • *:*:*

Effect
  • allow

mitre_read

Allow reading MITRE database information.

Actions
Resources
  • *:*:*

Effect
  • allow

rootcheck_read

Allow reading all rootcheck information.

Actions
Resources
  • agent:id:*

  • agent:group:*

Effect
  • allow

rootcheck_all

Allow reading, running and clearing rootcheck information.

Actions
Resources
  • agent:id:*

  • agent:group:*

Effect
  • allow

rules_read

Allow reading all rule files in the system.

Actions
Resources
  • rules:file:*

Effect
  • allow

rules_all

Allow managing all rule files in the system.

Actions
Resources
  • rules:file:*

  • *:*:*

Effect
  • allow

sca_read

Allow reading agent’s sca information.

Actions
Resources
  • agent:id:*

  • agent:group:*

Effect
  • allow

security_all

Provide full access to all security related functionalities.

Actions
Resources
  • role:id:*

  • policy:id:*

  • user:id:*

  • rule:id:*

  • *:*:*

Effect
  • allow

users_all

Provide full access to all users related functionalities.

Actions
Resources
  • user:id:*

  • *:*:*

Effect
  • allow

syscheck_read

Allow reading syscheck information.

Actions
Resources
  • agent:id:*

  • agent:group:*

Effect
  • allow

syscheck_all

Allow reading, running and clearing syscheck information.

Actions
Resources
  • agent:id:*

  • agent:group:*

Effect
  • allow

syscollector_read

Allow reading agents information.

Actions
Resources
  • agent:id:*

  • agent:group:*

Effect
  • allow

task_status

Allow reading tasks information.

Actions
Resources
  • *:*:*

Effect
  • allow

Default roles

administrator

Administrator role of the system, this role have full access to the system.

Policies
Rules

agents_admin

Agents administrator of the system, this role have full access to all agents related functionalities.

Policies

agents_readonly

Read only role for agents related functionalities.

Policies

cluster_admin

Manager administrator of the system, this role have full access to all manager related functionalities.

Policies

cluster_readonly

Read only role for manager related functionalities.

Policies

readonly

Read only role, this role can read all the information of the system.

Policies

users_admin

Users administrator of the system, this role provides full access to all users related functionalities.

Policies

Default rules

Warning

Run_as permissions through these mapping rules can only be obtained with wazuh-wui user. These rules will never match an authorization context for any other Wazuh API user.

wui_elastic_admin

Administrator permissions for WUI’s elastic users.

rule:
    FIND:
        username: "elastic"

wui_opendistro_admin

Administrator permissions for WUI’s opendistro users.

rule:
    FIND:
        user_name: "admin"