RBAC Reference

RBAC policies are made up of three elements: actions, resources, and effect. Each API endpoint involves one or more actions and can be performed on specific resources.

For example, the GET /agents endpoint retrieves information about one or all agents. It applies the action agent:read to the resource agent:id or agent:group, for example agent:id:001 (agent 001) or agent:id:* (all agents). All existing resources, the available actions, and the endpoints affected by each one are listed on this reference page.

This reference also contains a set of default roles and policies that can be immediately used instead of having to create new ones.

Resources
Actions
Default policies
Default roles
Default rules

Resources

*:*

Description

References resources that do not yet exist in the system (futures), such as an agent or group that is about to be created. Actions that use these resources are called resourceless; in policies they are written with the wildcard *:*:*.

Example

*:*:*

agent:group

Description

Reference agents via group name. This resource is disaggregated into the IDs of the agents that belong to the specified group, so a permission granted on a group applies to each of its members.

Example

agent:group:web
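The following is an added example, not code from the ThreatLockDown/Wazuh project: a small Python evaluator for policies written in the shape used throughout this reference (named sections, each with actions, resources and effect). It disaggregates agent:group:<name> into the agent IDs of that group on both the requested resource and the policy resource, treats *:*:* as the resourceless wildcard, and denies by default. The group membership table, the custom policies other than agents_read (web_readonly, agents_create, no_restart_003), and the rule that an explicit deny outranks an allow are assumptions made for the example, not statements about the product's own evaluation order.

```python
"""Simplified evaluator for RBAC policies in the shape used on this page.

Added example (not ThreatLockDown/Wazuh code). Models:
  * a policy as named sections, each with actions, resources and effect;
  * agent:group:<name> disaggregated into the agent:id of each member;
  * '*' as a per-field wildcard and '*:*:*' as the resourceless wildcard;
  * default deny, with an explicit deny outranking any allow (an assumption
    of this model, not a claim about the product's own precedence).
"""
from __future__ import annotations

# Constructed sample group membership (assumption for the example).
GROUP_MEMBERS = {
    "default": ["001", "002"],
    "web": ["003", "004"],
}

# agents_read is the default policy from this page; the other three are
# hypothetical custom policies written for this example.
POLICIES = {
    "agents_read": {
        "agents": {"actions": ["agent:read"],
                   "resources": ["agent:id:*", "agent:group:*"],
                   "effect": "allow"},
        "groups": {"actions": ["group:read"],
                   "resources": ["group:id:*"],
                   "effect": "allow"},
    },
    # Least privilege: read and restart only the agents in group "web".
    "web_readonly": {
        "agents": {"actions": ["agent:read", "agent:restart"],
                   "resources": ["agent:group:web"],
                   "effect": "allow"},
    },
    # Resourceless action: the agent does not exist yet, so '*:*:*' is used.
    "agents_create": {
        "resourceless": {"actions": ["agent:create"],
                         "resources": ["*:*:*"],
                         "effect": "allow"},
    },
    # Explicit deny carved out of the web group.
    "no_restart_003": {
        "agents": {"actions": ["agent:restart"],
                   "resources": ["agent:id:003"],
                   "effect": "deny"},
    },
}


def expand_resource(resource: str) -> set[str]:
    """Disaggregate agent:group:<name> (or agent:group:*) into agent:id:<id>
    entries; any other resource is returned unchanged."""
    kind, _, rest = resource.partition(":")
    sub, _, name = rest.partition(":")
    if kind == "agent" and sub == "group":
        groups = list(GROUP_MEMBERS) if name == "*" else [name]
        return {f"agent:id:{aid}" for g in groups for aid in GROUP_MEMBERS.get(g, [])}
    return {resource}


def resource_matches(pattern: str, concrete: str) -> bool:
    """Field-by-field match of a policy resource pattern against a concrete
    resource; '*' matches any single field and '*:*:*' matches everything."""
    if pattern == "*:*:*":
        return True
    p, c = pattern.split(":"), concrete.split(":")
    return len(p) == len(c) and all(pf == "*" or pf == cf for pf, cf in zip(p, c))


def is_allowed(policy_names: list[str], action: str, resource: str) -> bool:
    """True if a user holding the named policies may perform `action` on
    `resource`. A group resource is allowed only if every agent it expands
    to is allowed, and an explicit deny on any of them wins."""
    requested = expand_resource(resource)
    if not requested:          # unknown or empty group: nothing to grant
        return False
    for concrete in requested:
        decision = None
        for name in policy_names:
            for section in POLICIES[name].values():
                if action not in section["actions"]:
                    continue
                for pattern in section["resources"]:
                    if any(resource_matches(p, concrete) for p in expand_resource(pattern)):
                        if section["effect"] == "deny":
                            decision = "deny"
                        elif decision is None:
                            decision = "allow"
        if decision != "allow":
            return False
    return True


if __name__ == "__main__":
    for pols, act, res in [
        (["web_readonly"], "agent:read", "agent:group:web"),
        (["web_readonly"], "agent:read", "agent:group:default"),
        (["web_readonly", "no_restart_003"], "agent:restart", "agent:group:web"),
        (["agents_create"], "agent:create", "*:*:*"),
    ]:
        print(f"{pols} {act} on {res}: {'allow' if is_allowed(pols, act, res) else 'deny'}")
```

The point to take from the deny case is that a group resource is only as permitted as its least-permitted member: once agent 003 is denied agent:restart, a request for agent:group:web as a whole is refused even though agent 004 alone would still be allowed.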

agent:id

Description

Reference agents via agent ID

Example

agent:id:001

group:id

Description

Reference agent groups via group ID

Example

group:id:default

node:id

Description

Reference cluster node via node ID

Example

node:id:worker1

decoder:file

Description

Reference decoder file via its filename

Example

decoder:file:0005-wazuh_decoders.xml

list:file

Description

Reference list file via its filename

Example

list:file:audit-keys

rule:file

Description

Reference rule file via its filename

Example

rule:file:0610-win-ms_logs_rules.xml

policy:id

Description

Reference security policy via its id

Example

policy:id:1

role:id

Description

Reference security role via its id

Example

role:id:1

rule:id

Description

Reference security rule via its id

Example

rule:id:1

user:id

Description

Reference security user via its id

Example

user:id:1

Actions

In each action, the affected endpoints are specified along with the necessary resources, following this structure: <Method> <Endpoint> (<Resource>)

Active_response

active-response:command

Agent

agent:create

agent:delete

agent:modify_group

agent:read

agent:reconnect

agent:restart

agent:upgrade

Ciscat

ciscat:read

Cluster

cluster:read_api_config

cluster:read

cluster:restart

cluster:status

cluster:update_api_config

Deprecated since version 4.0.4.

cluster:update_config

Decoders

decoders:read

decoders:update

decoders:delete

Events

event:ingest

Group

group:create

group:delete

group:modify_assignments

group:read

group:update_config

Lists

lists:read

lists:update

lists:delete

Logtest

logtest:run

Manager

manager:read_api_config

manager:read

manager:restart

manager:update_api_config

Deprecated since version 4.0.4.

manager:update_config

Mitre

mitre:read

Rootcheck

rootcheck:clear

rootcheck:read

rootcheck:run

Rules

rules:read

rules:update

rules:delete

SCA

sca:read

Security

security:create_user

security:create

security:delete

security:edit_run_as

security:read_config

security:read

security:revoke

security:update_config

security:update

Syscheck

syscheck:clear

syscheck:read

syscheck:run

Syscollector

syscollector:read

Task

task:status

Vulnerability

vulnerability:read

Deprecated since version 4.8.0.

vulnerability:run

Deprecated since version 4.8.0.

Default policies

agents_all

Grant full access to all agent-related functionalities.

resourceless:
  actions:
    - agent:create
    - group:create
  resources:
    - '*:*:*'
  effect: allow
agents:
  actions:
    - agent:read
    - agent:delete
    - agent:modify_group
    - agent:reconnect
    - agent:restart
    - agent:upgrade
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
groups:
  actions:
    - group:read
    - group:delete
    - group:update_config
    - group:modify_assignments
  resources:
    - group:id:*
  effect: allow

agents_commands

Allow sending commands to agents.

agents:
  actions:
    - active-response:command
  resources:
    - agent:id:*
  effect: allow

agents_read

Grant read access to all agent-related functionalities.

agents:
  actions:
    - agent:read
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
groups:
  actions:
    - group:read
  resources:
    - group:id:*
  effect: allow

ciscat_read

Allow reading agents' CIS-CAT results.

ciscat:
  actions:
    - ciscat:read
  resources:
    - agent:id:*
  effect: allow

cluster_all

Provide full access to all cluster/manager-related functionalities.

resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
    - manager:update_config
    - manager:restart
  resources:
    - '*:*:*'
  effect: allow
nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
    - cluster:restart
    - cluster:update_config
  resources:
    - node:id:*
  effect: allow

cluster_read

Provide read access to all cluster/manager-related functionalities.

resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
  resources:
    - '*:*:*'
  effect: allow
nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
  resources:
    - node:id:*
  effect: allow

decoders_all

Allow managing all decoder files in the system.

files:
  actions:
    - decoders:read
    - decoders:delete
  resources:
    - decoder:file:*
  effect: allow
resourceless:
  actions:
    - decoders:update
  resources:
    - '*:*:*'
  effect: allow

decoders_read

Allow reading all decoder files in the system.

decoders:
  actions:
    - decoders:read
  resources:
    - decoder:file:*
  effect: allow

events_ingest

Allow sending events to analysisd.

resourceless:
  actions:
    - event:ingest
  resources:
    - '*:*:*'
  effect: allow

lists_all

Allow managing all CDB lists files in the system.

files:
  actions:
    - lists:read
    - lists:delete
  resources:
    - list:file:*
  effect: allow
resourceless:
  actions:
    - lists:update
  resources:
    - '*:*:*'
  effect: allow

lists_read

Allow reading all CDB list files in the system.

lists:
  actions:
    - lists:read
  resources:
    - list:file:*
  effect: allow

logtest_all

Provide access to all logtest related functionalities.

logtest:
  actions:
    - logtest:run
  resources:
    - '*:*:*'
  effect: allow

mitre_read

Allow reading MITRE database information.

mitre:
  actions:
    - mitre:read
  resources:
    - '*:*:*'
  effect: allow

rootcheck_all

Allow reading, running and clearing rootcheck information.

rootcheck:
  actions:
    - rootcheck:clear
    - rootcheck:read
    - rootcheck:run
  resources:
    - agent:id:*
  effect: allow

rootcheck_read

Allow reading all rootcheck information.

rootcheck:
  actions:
    - rootcheck:read
  resources:
    - agent:id:*
  effect: allow

rules_all

Allow managing all rule files in the system.

files:
  actions:
    - rules:read
    - rules:delete
  resources:
    - rule:file:*
  effect: allow
resourceless:
  actions:
    - rules:update
  resources:
    - '*:*:*'
  effect: allow

rules_read

Allow reading all rule files in the system.

rules:
  actions:
    - rules:read
  resources:
    - rule:file:*
  effect: allow

sca_read

Allow reading agents' SCA (Security Configuration Assessment) information.

sca:
  actions:
    - sca:read
  resources:
    - agent:id:*
  effect: allow

security_all

Provide full access to all security-related functionalities.

resourceless:
  actions:
    - security:create
    - security:create_user
    - security:edit_run_as
    - security:read_config
    - security:update_config
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
security:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - role:id:*
    - policy:id:*
    - user:id:*
    - rule:id:*
  effect: allow

syscheck_all

Allow reading, running and clearing syscheck information.

syscheck:
  actions:
    - syscheck:clear
    - syscheck:read
    - syscheck:run
  resources:
    - agent:id:*
  effect: allow

syscheck_read

Allow reading syscheck information.

syscheck:
  actions:
    - syscheck:read
  resources:
    - agent:id:*
  effect: allow

syscollector_read

Allow reading agents' syscollector inventory information.

syscollector:
  actions:
    - syscollector:read
  resources:
    - agent:id:*
  effect: allow

task_status

Allow reading tasks information.

task:
  actions:
    - task:status
  resources:
    - '*:*:*'
  effect: allow

users_all

Provide full access to all user-related functionalities.

resourceless:
  actions:
    - security:create_user
    - security:edit_run_as
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
users:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - user:id:*
  effect: allow

users_modify_run_as

Provides the capability to modify the users' run_as parameter.

flag:
  actions:
    - security:edit_run_as
  resources:
    - '*:*:*'
  effect: allow

vulnerability_read

Allow reading agents' vulnerability information. Uses the vulnerability:read action, deprecated since version 4.8.0.

vulnerability:
  actions:
    - vulnerability:read
  resources:
    - agent:id:*
  effect: allow

vulnerability_run

Allow running a vulnerability detector scan. Uses the vulnerability:run action, deprecated since version 4.8.0.

resourceless:
  actions:
    - vulnerability:run
  resources:
    - '*:*:*'
  effect: allow

Default roles

administrator

Administrator role of the system. This role has full access to the system.

Policies
Rules

agents_admin

Agents administrator of the system. This role has full access to all agent-related functionalities.

Policies

agents_readonly

Read only role for agents related functionalities.

Policies

cluster_admin

Manager administrator of the system. This role has full access to all manager-related functionalities.

Policies

cluster_readonly

Read only role for manager related functionalities.

Policies

readonly

Read-only role that can read all the information in the system.

Policies

users_admin

Users administrator of the system. This role provides full access to all user-related functionalities.

Policies

Default rules

Warning

Run_as permissions through these mapping rules can only be obtained with the wazuh-wui user. These rules will never match an authorization context for any other ThreatLockDown API user.

wui_elastic_admin

Administrator permissions for the WUI's Elastic users.

rule:
    FIND:
        username: "elastic"

wui_opendistro_admin

Administrator permissions for the WUI's Open Distro users.

rule:
    FIND:
        user_name: "admin"
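As an added example (not ThreatLockDown/Wazuh code), the matcher below shows how a FIND rule of the shape above can be evaluated against the authorization context a WUI presents through run_as, and how the warning above is enforced by refusing to evaluate rules for any API user other than wazuh-wui. Its assumptions: FIND succeeds when every listed key/value pair occurs somewhere in the context, at any nesting depth, with an exact value match; the rule-to-role mapping (RULE_ROLES) and the sample contexts are constructed for the example.

```python
"""Matcher for authorization-context mapping rules in the shape shown under
Default rules (FIND: {key: value}).

Added example (not ThreatLockDown/Wazuh code). Assumptions of this model:
  * FIND succeeds when every listed key/value pair occurs somewhere in the
    authorization context, at any nesting depth, with an exact value match;
  * rules are only evaluated for the wazuh-wui API user, per the warning on
    this page, so any other user obtains no run_as roles from them;
  * the rule-to-role mapping RULE_ROLES is hypothetical.
"""
from __future__ import annotations

from typing import Any

# The two default rules from this page.
RULES = {
    "wui_elastic_admin": {"FIND": {"username": "elastic"}},
    "wui_opendistro_admin": {"FIND": {"user_name": "admin"}},
}

# Hypothetical mapping from rule name to the roles it grants.
RULE_ROLES = {
    "wui_elastic_admin": ["administrator"],
    "wui_opendistro_admin": ["administrator"],
}

# Constructed authorization contexts, as a WUI might send them with run_as.
ELASTIC_CTX = {"username": "elastic", "roles": ["superuser"], "full_name": None}
OPENDISTRO_CTX = {"user_name": "admin", "backend_roles": ["admin"]}
NESTED_CTX = {"user": {"user_name": "admin"}, "tenants": ["global"]}
ANALYST_CTX = {"username": "analyst", "roles": ["kibana_user"]}


def find_pair(ctx: Any, key: str, value: Any) -> bool:
    """Recursively look for a dict anywhere in ctx that maps key to value."""
    if isinstance(ctx, dict):
        if key in ctx and ctx[key] == value:
            return True
        return any(find_pair(v, key, value) for v in ctx.values())
    if isinstance(ctx, list):
        return any(find_pair(item, key, value) for item in ctx)
    return False


def rule_matches(rule: dict, ctx: dict) -> bool:
    """A FIND rule matches when all of its key/value pairs are found; an
    empty FIND block matches nothing rather than everything."""
    pairs = rule.get("FIND", {})
    return bool(pairs) and all(find_pair(ctx, k, v) for k, v in pairs.items())


def run_as_roles(api_user: str, ctx: dict) -> list[str]:
    """Roles obtained through mapping rules by an API user that presents
    the given authorization context via run_as."""
    if api_user != "wazuh-wui":        # rules never match other API users
        return []
    roles: list[str] = []
    for name, rule in RULES.items():
        if rule_matches(rule, ctx):
            for role in RULE_ROLES[name]:
                if role not in roles:
                    roles.append(role)
    return roles


if __name__ == "__main__":
    for user, ctx in [("wazuh-wui", ELASTIC_CTX), ("wazuh-wui", ANALYST_CTX),
                      ("wazuh", ELASTIC_CTX)]:
        print(user, ctx, "->", run_as_roles(user, ctx))
```

Note that the match is exact and case-sensitive on the value: a context carrying username "Elastic" does not satisfy the wui_elastic_admin rule, and a context that carries no matching pair yields no roles at all, which is the safe default.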