Wazuh RBAC - How to create and map internal users

Wazuh RBAC allows access to Wazuh resources based on the roles and policies assigned to the users. It is an easy-to-use administration system that enables to manage users’ or entities’ permissions to the system resources. To learn more, see the Role-Based Access Control section.

Learn how to create internal users and map them with Wazuh in the below sections.

Creating and setting a Wazuh admin user

Follow these steps to create an internal user, create a new role mapping, and give administrator permissions to the user.

  1. Log into Kibana as administrator.

  2. Click the upper-left menu icon to open the options, select Security and then Internal users to open the internal users page.

  3. Click Create internal user, provide a username and password, and click Create to complete the action.

  4. To map the user to the admin role, follow these steps:

    1. Click the upper-left menu icon to open the options, select Security and then Roles to open the roles page.

    2. Search for the all_access role in the roles’ list and select it to open the details window.

    3. Select the Mapped users tab and click Manage mapping.

    4. Add the user you created in the previous steps and click Map to confirm the action.

  5. To map the user with Wazuh, follow these steps:

    1. Click the upper-left menu icon to open the available options and click Wazuh.

    2. Click Wazuh to open the Wazuh Kibana plugin menu, select Security and then Roles mapping to open the page.

    3. Click Create Role mapping and complete the empty fields with the following parameters:

      • Role mapping name: Assign a name to the role mapping.

      • Roles: Select administrator.

      • Internal users: Select the internal user created previously.

    4. Click Save role mapping to save and map the user with Wazuh as administrator.

    For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/kibana/data/wazuh/config/wazuh.yml configuration file. Restart the Kibana service and clear your browser cache and cookies.

Creating and setting a Wazuh read-only user

Follow these steps to create an internal user, create a new role mapping, and give read-only permissions to the user.

  1. Log into Kibana as administrator.

  2. Click the upper-left menu icon to open the options, select Security and then Internal users to open the internal users page.

  3. Click Create internal user, provide a username and password, and click Create to complete the action.

  4. To map the user to the appropriate role, follow these steps:

    1. Click the upper-left menu icon to open the options, select Security and then Roles to open the roles page.

    2. Click Create role, complete the empty fields with the following parameters, and then click Create to complete the task.

      • Name: Assign a name to the role.

      • Cluster permissions: cluster_composite_ops_ro

      • Index: *

      • Index permissions: read

      • Tenant permissions: global_tenant and select the Read only option.

    3. Select the Mapped users tab and click Manage mapping.

    4. Add the user you created in the previous steps and click Map to confirm the action.

  5. To map the user with Wazuh, follow these steps:

    1. Click the upper-left menu icon to open the available options and click Wazuh.

    2. Click Wazuh to open the menu, select Security and then Roles mapping to open the page.

    3. Click Create Role mapping and complete the empty fields with the following parameters:

      • Role mapping name: Assign a name to the role mapping.

      • Roles: Select readonly.

      • Internal users: Select the internal user created previously.

    4. Click Save role mapping to save and map the user with Wazuh as read-only.

    For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/kibana/data/wazuh/config/wazuh.yml configuration file. Restart the Kibana service and clear your browser cache and cookies.

Creating an internal user and mapping it to Wazuh

Follow these steps to create an internal user and map it to a role of your choice.

  1. Log into Kibana as administrator.

  2. Click the upper-left menu icon to open the options, select Security and then Internal users to open the internal users page.

  3. Click Create internal user, provide a username and password, and click Create to complete the action.

  4. To map the user to a given role, follow these steps:

    1. Go to Security, select Roles to open the page, and click the name of the selected role to open the window. Alternatively, you can create a custom role by clicking Create role.

    2. Select the Mapped users tab and click Manage mapping.

    3. Add the user you created in the previous steps and click Map to confirm the action.

  5. To map the user with Wazuh, follow these steps:

    1. Click the upper-left menu icon to open the available options and click Wazuh.

    2. Click Wazuh to open the Wazuh Kibana plugin menu, select Security and then Roles mapping to open the page.

    3. Click Create Role mapping and complete the empty fields with the following parameters:

      • Role mapping name: Assign a name to the role mapping.

      • Roles: Select the Wazuh roles that you want to map the user with.

      • Internal users: Select the internal user created previously.

      Wazuh includes an extensive list of default policies and roles. Additionally, you can create custom policies and roles to suit your needs. To see an example, check our Use case: Give a user permissions to manage a group of agents below.

    4. Click Save role mapping to save and map the user with Wazuh.

    For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/kibana/data/wazuh/config/wazuh.yml configuration file. Restart the Kibana service and clear your browser cache and cookies.

Use case: Give a user permissions to read and manage a group of agents

In this use case, we explore how to create an internal user and give it permissions to read and manage an agents group.

This process involves adding a label in the agent group’s centralized configuration to identify the Wazuh alerts coming from this group of agents, creating an internal user, and giving it reading permission only for those documents that correspond to the group of authorized agents.

It also involves mapping this user with the Wazuh API, creating a custom policy that includes permissions to read, restart, upgrade, among other actions over a group of agents, and finally creating a custom role and mapping it to our internal user.

As a final result, we will have a new user with permission to manage a group of agents and read the documents regarding said group.

In this example, we have an environment with five agents. Agents 001, 002, and 005 belong to the Team_A group whereas agents 003, 004, and 005 belong to the Team_B group. To learn more on how to create agents groups see Grouping agents. We will describe how to create a new user and give it permissions to manage agents from Team_A.

Adding an agents group label

To prepare the environment, add a label in the Team_A centralized configuration agent.conf. To learn more, see Agent labels.

  1. Log into Kibana as administrator.

  2. Click Wazuh to open the Wazuh Kibana plugin menu, select Management and then Groups to open the page.

  3. Select your group, for example, Team_A.

  4. Select Files and click Edit group configuration.

  5. Add a label to identify the group, for example:

    <agent_config>
           <labels>
                   <label key="group">Team_A</label>
           </labels>
    </agent_config>
    
  6. Click Save to complete the action.

You have now added a group label that allows us to identify all the Wazuh alerts coming from this group of agents.

Creating and mapping an internal user

Follow these steps to create an internal user, create a custom role and map it to the new user.

  1. Click the upper-left menu icon to open the available options, select Security and then Internal users to open the internal users page.

  2. Click Create internal user, provide a username and password, and click Create to complete the action.

  3. To create a custom role and map the user to it, follow these steps:

    1. Go to Security, select Roles to open the page.

    2. Click Create role, complete the empty fields with the following parameters:

      • Name: Assign a name to the role.

      • Cluster permissions: cluster_composite_ops_ro

      • Index: *

      • Index permissions: read

    3. Click Add another index permission and unfold the new section Add index permission. Complete the empty fields with the following parameters and make sure to replace your group name accordingly:

      • Index: wazuh-alerts*

      • Index permissions: read

      • Document level security:

        {
          "bool": {
            "must": {
              "match": {
                "agent.labels.group": "Team_A"
              }
            }
          }
        }
        
    4. Click Add another index permission and unfold the new section Add index permission. Complete the empty fields with the following parameters and make sure to replace your group name accordingly:

      • Index: wazuh-monitoring*

      • Index permissions: read

      • Document level security:

        {
          "bool": {
            "must": {
              "match": {
                "group": "Team_A"
              }
            }
          }
        }
        
    5. Under Tenant permissions, select Tenant: global_tenant and the Read only option.

    6. Click Create to complete the task.

    7. Select the Mapped users tab and click Manage mapping.

    8. Add the user you created in the previous steps and click Map to confirm the action.

You have now created an internal user and assigned it reading permissions over the Wazuh alerts and Wazuh monitoring documents from the authorized agents group.

Mapping with Wazuh

To map the user with Wazuh, follow these steps:

  1. Click the upper-left menu icon to open the available options and click Wazuh.

  2. Click Wazuh to open the Wazuh Kibana plugin menu, select Security and then Policies to open the policies page.

  3. Click Create policy and complete the empty fields with the requested information.

    • Policy name: Assign a name to the new policy.

    • Action: Select the actions that the user is allowed to perform, for example, agent:read, and click Add. Select as many actions as needed.

    • Resource: Select agent:group.

    • Resource identifier: Write the name of the agents group, for example, Team_A, and click Add. You can add as many resources as needed.

    • Select an effect: Select Allow.

  4. Click Create policy to complete the action.

  5. Click Roles to open the tab, click Create Role, and fill the empty fields with the requested information.

    • Role name: Assign a name to the new role.

    • Policies: Select the policy created previously.

  6. Click Create role to confirm the action.

  7. Click Create Role mapping and complete the empty fields with the requested information.

    • Role mapping name: Assign a name to the role mapping.

    • Roles: Select the role created previously.

    • Internal users: Select the internal user created previously.

  8. Click Save role mapping to finish the action.

For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/kibana/data/wazuh/config/wazuh.yml configuration file. Restart the Kibana service and clear your browser cache and cookies.

You have now created a new internal user and mapped it to manage a Wazuh agents group. Authenticate with the new user and open the Wazuh Kibana plugin, see that only Team_A agents’ alerts and information are displayed.