RBAC Reference
RBAC policies consist of three elements: actions, resources, and effect. Each API endpoint involves one or more actions and can be performed on specific resources.

For example, the GET /agents endpoint is used to obtain the information of one or all agents. This endpoint applies the action agent:read on the resource agent:id or agent:group, for example agent:id:001 (agent 001) or agent:id:* (all agents). All the existing resources, available actions, and the endpoints affected by each one can be found on this reference page.

This reference also contains a set of default roles and policies that can be used immediately instead of creating new ones.
Resources
| Resources | Description | Example |
|---|---|---|
| *:* | Reference resources that do not yet exist in the system (futures). Actions using these resources are called resourceless. | |
| agent:group | Reference agents via group name. This resource is disaggregated into the IDs of the agents belonging to the specified group. | agent:group:web |
| agent:id | Reference agents via agent ID | agent:id:001 |
| group:id | Reference agent groups via group ID | group:id:default |
| node:id | Reference cluster node by node ID | node:id:worker1 |
| decoder:file | Reference decoder file via its filename | decoder:file:0005-wazuh_decoders.xml |
| list:file | Reference list file via its filename | list:file:audit-keys |
| rule:file | Reference rule file via its filename | rule:file:0610-win-ms_logs_rules.xml |
| policy:id | Reference security policy via its ID | policy:id:1 |
| role:id | Reference security role via its ID | role:id:1 |
| rule:id | Reference security rule via its ID | rule:id:1 |
| user:id | Reference security user via its ID | user:id:1 |
Actions
In each action, the affected endpoints are specified along with the necessary resources, following this structure: <Method> <Endpoint> (<Resource>).
Active_response
The /active-response endpoint of the Wazuh server API allows users to interact with the Wazuh active response module.
active-response:command
Agent
The /agents endpoint of the Wazuh server API allows users to enroll and manage agents on the Wazuh server.
agent:create
agent:delete
agent:modify_group
agent:read
agent:reconnect
agent:restart
agent:upgrade
CIS-CAT
The /ciscat endpoint of the Wazuh server API enables users to retrieve specific information from the results of CIS-CAT scans carried out on the Wazuh agents.
ciscat:read
Cluster
The /cluster endpoint of the Wazuh server API allows users to manage the configuration and health of the master node and the worker nodes in the Wazuh cluster.
cluster:read_api_config
cluster:read
GET /cluster/{node_id}/configuration/{component}/{configuration} (node:id)
GET /cluster/{node_id}/stats/analysisd (node:id) - Deprecated since version 4.4
GET /cluster/{node_id}/stats/remoted (node:id) - Deprecated since version 4.4
cluster:restart
cluster:status
cluster:update_config
Decoders
The /decoder endpoint of the Wazuh server API enables users to manage and retrieve information about the decoders included in the Wazuh server.
decoders:read
decoders:update
decoders:delete
Events
The /event endpoint of the Wazuh server API allows users to ingest security events to the Wazuh analysis engine.
event:ingest
Group
The /groups endpoint of the Wazuh server API enables users to group Wazuh agents into distinct subsets for centralized configurations.
group:create
group:delete
group:modify_assignments
group:read
group:update_config
Lists
The /lists endpoint of the Wazuh server API allows users to retrieve and manage the CDB lists that are used for checking malicious files on Wazuh agents.
lists:read
lists:update
lists:delete
Logtest
The /logtest endpoint of the Wazuh server API allows users to test and verify new rules and decoders against provided log examples in the Wazuh analysis engine.
logtest:run
Manager
The /manager endpoint of the Wazuh server API enables users to manage and collect relevant information from the Wazuh manager.
manager:read_api_config
manager:read
manager:restart
manager:update_config
MITRE
The /mitre endpoint of the Wazuh server API allows users to retrieve a high-level overview of the corresponding tactics and techniques from the MITRE ATT&CK database.
mitre:read
Rootcheck
The /rootcheck endpoint of the Wazuh server API enables users to interact with the Wazuh rootcheck module and retrieve results from the scans on the Wazuh agents.
rootcheck:clear
rootcheck:read
rootcheck:run
Rules
The /rules endpoint of the Wazuh server API lets users manage and retrieve information about the Wazuh rules that are used to analyze incoming events and generate alerts.
rules:read
rules:update
rules:delete
SCA
The /sca endpoint of the Wazuh server API allows users to interact with the Wazuh SCA module and collect relevant SCA scan results from Wazuh agents.
sca:read
Security
The /security endpoint of the Wazuh server API enables administrators to manage security-related aspects within the Wazuh environment.
security:create_user
security:create
security:delete
security:edit_run_as
security:read_config
security:read
security:revoke
security:update_config
security:update
File integrity monitoring
The /syscheck endpoint of the Wazuh server API allows users to interact with the Wazuh File Integrity Monitoring module, initiating routine scans and retrieving syscheck results.
syscheck:clear
syscheck:read
syscheck:run
Syscollector
The /syscollector endpoint of the Wazuh server API allows users to collect system information from monitored endpoints and send it to the Wazuh server.
syscollector:read
GET /experimental/syscollector/hardware (agent:id, agent:group)
GET /experimental/syscollector/hotfixes (agent:id, agent:group)
GET /experimental/syscollector/netaddr (agent:id, agent:group)
GET /experimental/syscollector/netiface (agent:id, agent:group)
GET /experimental/syscollector/netproto (agent:id, agent:group)
GET /experimental/syscollector/packages (agent:id, agent:group)
GET /experimental/syscollector/ports (agent:id, agent:group)
GET /experimental/syscollector/processes (agent:id, agent:group)
GET /syscollector/{agent_id}/hardware (agent:id, agent:group)
GET /syscollector/{agent_id}/hotfixes (agent:id, agent:group)
GET /syscollector/{agent_id}/netaddr (agent:id, agent:group)
GET /syscollector/{agent_id}/netiface (agent:id, agent:group)
GET /syscollector/{agent_id}/netproto (agent:id, agent:group)
GET /syscollector/{agent_id}/packages (agent:id, agent:group)
GET /syscollector/{agent_id}/processes (agent:id, agent:group)
Task
The /tasks endpoint of the Wazuh server API enables users to get status information about the tasks performed by the Wazuh manager.
task:status
Vulnerability
The /vulnerability endpoint of the Wazuh server API allows users to perform vulnerability detector scans and collect relevant information about vulnerabilities from Wazuh agents. This API endpoint has been deprecated since version 4.7.
vulnerability:read
GET /vulnerability/{agent_id} (agent:id, agent:group) - Deprecated since version 4.7
GET /vulnerability/{agent_id}/last_scan (agent:id, agent:group) - Deprecated since version 4.7
GET /vulnerability/{agent_id}/summary/{field} (agent:id, agent:group) - Deprecated since version 4.7
vulnerability:run
PUT /vulnerability (*:*) - Deprecated since version 4.7
Default policies
agents_all

Grant full access to all agents related functionalities.

```yaml
resourceless:
  actions:
    - agent:create
    - group:create
  resources:
    - '*:*:*'
  effect: allow
agents:
  actions:
    - agent:read
    - agent:delete
    - agent:modify_group
    - agent:reconnect
    - agent:restart
    - agent:upgrade
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
groups:
  actions:
    - group:read
    - group:delete
    - group:update_config
    - group:modify_assignments
  resources:
    - group:id:*
  effect: allow
```

agents_commands

Allow sending active response commands to Wazuh agents.

```yaml
agents:
  actions:
    - active-response:command
  resources:
    - agent:id:*
  effect: allow
```

agents_read

Grant read access to all agents related functionalities.

```yaml
agents:
  actions:
    - agent:read
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
groups:
  actions:
    - group:read
  resources:
    - group:id:*
  effect: allow
```

ciscat_read

Allow reading the agent ciscat results information.

```yaml
ciscat:
  actions:
    - ciscat:read
  resources:
    - agent:id:*
  effect: allow
```

cluster_all

Provide full access to all cluster/manager related functionalities.

```yaml
resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
    - manager:update_config
    - manager:restart
  resources:
    - '*:*:*'
  effect: allow
nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
    - cluster:restart
    - cluster:update_config
  resources:
    - node:id:*
  effect: allow
```

cluster_read

Provide read access to all cluster/manager related functionalities.

```yaml
resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
  resources:
    - '*:*:*'
  effect: allow
nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
    - cluster:read_api_config
  resources:
    - node:id:*
  effect: allow
```

decoders_all

Allow managing all decoder files in the Wazuh server.

```yaml
files:
  actions:
    - decoders:read
    - decoders:delete
  resources:
    - decoder:file:*
  effect: allow
resourceless:
  actions:
    - decoders:update
  resources:
    - '*:*:*'
  effect: allow
```

decoders_read

Allow reading all decoder files in the Wazuh server.

```yaml
decoders:
  actions:
    - decoders:read
  resources:
    - decoder:file:*
  effect: allow
```

events_ingest

Allow sending events to the Wazuh analysis engine.

```yaml
resourceless:
  actions:
    - event:ingest
  resources:
    - '*:*:*'
  effect: allow
```

lists_all

Allow managing all CDB lists files on the Wazuh server.

```yaml
files:
  actions:
    - lists:read
    - lists:delete
  resources:
    - list:file:*
  effect: allow
resourceless:
  actions:
    - lists:update
  resources:
    - '*:*:*'
  effect: allow
```

lists_read

Allow reading the path of all the lists in the Wazuh server.

```yaml
lists:
  actions:
    - lists:read
  resources:
    - list:file:*
  effect: allow
```

logtest_all

Provide access to all logtest related functionalities.

```yaml
logtest:
  actions:
    - logtest:run
  resources:
    - '*:*:*'
  effect: allow
```

mitre_read

Allow reading MITRE database information.

```yaml
mitre:
  actions:
    - mitre:read
  resources:
    - '*:*:*'
  effect: allow
```

rootcheck_all

Allow reading, running and clearing rootcheck information.

```yaml
rootcheck:
  actions:
    - rootcheck:clear
    - rootcheck:read
    - rootcheck:run
  resources:
    - agent:id:*
  effect: allow
```

rootcheck_read

Allow reading all rootcheck information.

```yaml
rootcheck:
  actions:
    - rootcheck:read
  resources:
    - agent:id:*
  effect: allow
```

rules_all

Allow managing all rule files in the Wazuh server.

```yaml
files:
  actions:
    - rules:read
    - rules:delete
  resources:
    - rule:file:*
  effect: allow
resourceless:
  actions:
    - rules:update
  resources:
    - '*:*:*'
  effect: allow
```

rules_read

Allow reading all rule files in the system.

```yaml
rules:
  actions:
    - rules:read
  resources:
    - rule:file:*
  effect: allow
```

sca_read

Allow reading the agent sca information.

```yaml
sca:
  actions:
    - sca:read
  resources:
    - agent:id:*
  effect: allow
```

security_all

Provide full access to all security related functionalities.

```yaml
resourceless:
  actions:
    - security:create
    - security:create_user
    - security:edit_run_as
    - security:read_config
    - security:update_config
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
security:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - role:id:*
    - policy:id:*
    - user:id:*
    - rule:id:*
  effect: allow
```

syscheck_all

Allow reading, running and clearing syscheck information.

```yaml
syscheck:
  actions:
    - syscheck:clear
    - syscheck:read
    - syscheck:run
  resources:
    - agent:id:*
  effect: allow
```

syscheck_read

Allow reading syscheck information.

```yaml
syscheck:
  actions:
    - syscheck:read
  resources:
    - agent:id:*
  effect: allow
```

syscollector_read

Allow reading agents information.

```yaml
syscollector:
  actions:
    - syscollector:read
  resources:
    - agent:id:*
  effect: allow
```

task_status

Allow reading tasks information.

```yaml
task:
  actions:
    - task:status
  resources:
    - '*:*:*'
  effect: allow
```

users_all

Provide full access to all users related functionalities.

```yaml
resourceless:
  actions:
    - security:create_user
    - security:edit_run_as
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
users:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - user:id:*
  effect: allow
```

users_modify_run_as

Provides the capability to modify the users' run_as parameter.

```yaml
flag:
  actions:
    - security:edit_run_as
  resources:
    - '*:*:*'
  effect: allow
```

vulnerability_read

Allow reading agents' vulnerabilities information.

```yaml
vulnerability:
  actions:
    - vulnerability:read
  resources:
    - agent:id:*
  effect: allow
```

vulnerability_run

Allow running a vulnerability detector scan.

```yaml
resourceless:
  actions:
    - vulnerability:run
  resources:
    - '*:*:*'
  effect: allow
```
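As an added illustration of how the action/resource/effect model is evaluated (example code, not Wazuh's own implementation), the following models a hypothetical policy written in the same shape as the default policies above and disaggregates agent:group into agent IDs as the Resources table describes. It assumes default deny (anything not explicitly allowed is refused, and deny policies are not modelled), treats agent:group:* as every agent ID, and uses a constructed GROUP_MEMBERS mapping in place of the server's real group membership.

```python
"""Toy evaluator for Wazuh-style RBAC policies (added example, not Wazuh code).

Models the action/resource/effect blocks of this page's default policies,
including disaggregation of agent:group into agent IDs. Anything not
explicitly allowed is denied; deny policies are not modelled.
"""
from fnmatch import fnmatchcase

# Constructed sample membership; a real server takes the group-to-agent
# mapping from the Wazuh manager.
GROUP_MEMBERS = {"web": ["001", "002"], "db": ["003"]}

# Hypothetical policy in the page's format: read/restart only the agents of
# group "web", plus the resourceless action agent:create.
WEB_OPS = {
    "agents": {"actions": ["agent:read", "agent:restart"],
               "resources": ["agent:group:web"], "effect": "allow"},
    "resourceless": {"actions": ["agent:create"],
                     "resources": ["*:*:*"], "effect": "allow"},
}

def disaggregate(resource):
    """Expand agent:group:<name> into the agent:id entries of its members."""
    prefix, _, name = resource.rpartition(":")
    if prefix != "agent:group":
        return [resource]
    if name == "*":  # every group: modelled as every agent ID (assumption)
        return ["agent:id:*"]
    return [f"agent:id:{agent}" for agent in GROUP_MEMBERS.get(name, [])]

def is_allowed(policy, action, resource="*:*:*"):
    """True if an allow block lists the action and one of its resource
    patterns (after disaggregation) matches the requested resource.
    Resourceless actions are requested on *:*:* (the default)."""
    for block in policy.values():
        if block["effect"] != "allow" or action not in block["actions"]:
            continue
        patterns = [p for r in block["resources"] for p in disaggregate(r)]
        if any(fnmatchcase(resource, p) for p in patterns):
            return True
    return False

def permitted_agents(policy, action, known_agents):
    """Agent IDs the action may target, i.e. what GET /agents would list."""
    return [a for a in known_agents
            if is_allowed(policy, action, f"agent:id:{a}")]
```

With the constructed data, permitted_agents(WEB_OPS, "agent:read", ["001", "002", "003"]) yields only the two members of group web, and agent:read with no concrete agent is refused because it is not a resourceless action.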
Default roles
administrator
The administrator role has full access to all endpoints in the Wazuh server API.
Policies
Rules
agents_admin
The agent administrator role has full access to all agents related functionalities.
Policies
agents_readonly
Read only role for agents related functionalities.
Policies
cluster_admin
Manager administrator of the Wazuh server cluster; this role has full access to all manager related functionalities.
Policies
cluster_readonly
Read only role for manager related functionalities.
Policies
readonly
Read only role; this role can read all the information of the system.
Policies
users_admin
Users administrator of the system; this role provides full access to all users related functionalities.
Policies
Default rules
Warning
run_as permissions through these mapping rules can only be obtained with the wazuh-wui user. These rules will never match an authorization context for any other Wazuh server API user.
wui_elastic_admin

Administrator permissions for the elastic users of the Wazuh dashboard.

```yaml
rule:
  FIND:
    username: "elastic"
```

wui_opendistro_admin

Administrator permissions for the opendistro users of the Wazuh dashboard.

```yaml
rule:
  FIND:
    user_name: "admin"
```