RBAC Reference

RBAC policies are made up of three elements: actions, resources, and effect. Each API endpoint involves one or more actions, and each action is performed on specific resources.

For example, the GET /agents endpoint returns information about one or all agents. It applies the action agent:read on the resource agent:id or agent:group, for example agent:id:001 (agent 001) or agent:id:* (all agents). All existing resources, the available actions, and the endpoints affected by each one are listed on this reference page.

This reference also contains a set of default roles and policies that can be used immediately instead of creating new ones.
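The following evaluator is an added illustration of the model just described (actions, resources, effect) and is not the product's own RBAC engine. It uses the agents_all policy from this page plus two hypothetical policies, web_agents_read and no_restart_001, and a made-up group membership table; the segment-wise wildcard matching, the deny-over-allow precedence and the refusal of unknown groups are assumptions made for the example.

```python
"""Evaluate RBAC policies written in the actions/resources/effect shape used on
this page. Added illustration only, not the product's own RBAC engine: the
segment-wise matching, deny-over-allow precedence and group data are assumptions."""
from typing import Dict, List, Tuple

# Constructed sample policies. agents_all is the default policy from this page;
# web_agents_read and no_restart_001 are hypothetical policies added for the example.
POLICIES: Dict[str, Dict[str, dict]] = {
    "agents_all": {
        "resourceless": {"actions": ["agent:create", "group:create"],
                         "resources": ["*:*:*"], "effect": "allow"},
        "agents": {"actions": ["agent:read", "agent:delete", "agent:modify_group",
                               "agent:reconnect", "agent:restart", "agent:upgrade"],
                   "resources": ["agent:id:*", "agent:group:*"], "effect": "allow"},
        "groups": {"actions": ["group:read", "group:delete", "group:update_config",
                               "group:modify_assignments"],
                   "resources": ["group:id:*"], "effect": "allow"},
    },
    "web_agents_read": {  # hypothetical: read access to two agents only
        "agents": {"actions": ["agent:read"],
                   "resources": ["agent:id:001", "agent:id:002"], "effect": "allow"},
    },
    "no_restart_001": {  # hypothetical: explicit deny for one agent
        "agents": {"actions": ["agent:restart"],
                   "resources": ["agent:id:001"], "effect": "deny"},
    },
}

# Constructed group membership, used to expand agent:group:<name> into agent IDs
# as the Resources section describes (the memberships are made up).
GROUP_MEMBERS: Dict[str, List[str]] = {"web": ["001", "002"], "default": ["003"]}


def expand_resource(resource: str) -> List[str]:
    """agent:group:<name> becomes the agent:id:<id> entries of that group;
    any other resource (including agent:group:*) passes through unchanged."""
    parts = resource.split(":", 2)
    if len(parts) == 3 and parts[:2] == ["agent", "group"] and parts[2] != "*":
        return [f"agent:id:{aid}" for aid in GROUP_MEMBERS.get(parts[2], [])]
    return [resource]


def pattern_matches(pattern: str, resource: str) -> bool:
    """Compare <type>:<key>:<value> segment by segment; '*' in the pattern
    matches any single segment (assumption about wildcard semantics)."""
    p, r = pattern.split(":", 2), resource.split(":", 2)
    if len(p) != 3 or len(r) != 3:
        return False
    return all(ps == "*" or ps == rs for ps, rs in zip(p, r))


def decide(policy_names: List[str], action: str, resource: str) -> bool:
    """True only if every concrete resource behind `resource` has an allow for
    `action` and none has a deny. Deny wins over allow (assumption); an unknown
    group expands to nothing and is refused rather than silently allowed."""
    targets = expand_resource(resource)
    if not targets:
        return False
    for target in targets:
        effects = set()
        for name in policy_names:
            for block in POLICIES[name].values():
                if action in block["actions"] and any(
                        pattern_matches(pat, target) for pat in block["resources"]):
                    effects.add(block["effect"])
        if "deny" in effects or "allow" not in effects:
            return False
    return True


def endpoint_allowed(policy_names: List[str], required: List[Tuple[str, str]]) -> bool:
    """An endpoint that involves several action/resource pairs is permitted
    only when every pair is permitted."""
    return all(decide(policy_names, act, res) for act, res in required)


if __name__ == "__main__":
    # GET /agents restricted to agent 001 needs agent:read on agent:id:001
    print(decide(["web_agents_read"], "agent:read", "agent:id:001"))
    # agent:group:web expands to 001 and 002, both covered by web_agents_read
    print(decide(["web_agents_read"], "agent:read", "agent:group:web"))
    # agent:group:default expands to 003, which web_agents_read does not cover
    print(decide(["web_agents_read"], "agent:read", "agent:group:default"))
    # the explicit deny overrides the agent:id:* allow from agents_all
    print(decide(["agents_all", "no_restart_001"], "agent:restart", "agent:id:001"))
    # resourceless action: agent:create on *:*:*
    print(decide(["agents_all"], "agent:create", "*:*:*"))
```

The group expansion is the point worth checking when auditing a role: a grant on agent:group:web is only as narrow as the group's current membership, so adding an agent to the group silently widens what the role can touch.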

Resources
Actions
Default policies
Default roles
Default rules

Resources

*:*

Description

References resources that do not yet exist in the system (future resources). Actions that use this resource are called resourceless.

agent:group

Description

Reference agents via group name. This resource is expanded into the IDs of the agents that belong to the specified group.

Example

agent:group:web

agent:id

Description

Reference agents via agent ID

Example

agent:id:001

group:id

Description

Reference agent groups via group ID

Example

group:id:default

node:id

Description

Reference cluster node via node ID

Example

node:id:worker1

decoder:file

Description

Reference decoder file via its filename

Example

decoder:file:0005-wazuh_decoders.xml

list:file

Description

Reference list file via its filename

Example

list:file:audit-keys

rule:file

Description

Reference rule file via its filename

Example

rule:file:0610-win-ms_logs_rules.xml

policy:id

Description

Reference security policy via its id

Example

policy:id:1

role:id

Description

Reference security role via its id

Example

role:id:1

rule:id

Description

Reference security rule via its id

Example

rule:id:1

user:id

Description

Reference security user via its id

Example

user:id:1

Actions

For each action, the affected endpoints are listed along with the resources they require, in the form <Method> <Endpoint> (<Resource>).

Active_response

active-response:command

Agent

agent:create

agent:delete

agent:modify_group

agent:read

agent:reconnect

agent:restart

agent:upgrade

Ciscat

ciscat:read

Cluster

cluster:read_api_config

cluster:read

cluster:restart

cluster:status

cluster:update_api_config

Deprecated since version 4.0.4.

cluster:update_config

Decoders

decoders:read

decoders:update

decoders:delete

Events

event:ingest

Group

group:create

group:delete

group:modify_assignments

group:read

group:update_config

Lists

lists:read

lists:update

lists:delete

Logtest

logtest:run

Manager

manager:read_api_config

manager:read

manager:restart

manager:update_api_config

Deprecated since version 4.0.4.

manager:update_config

Mitre

mitre:read

Rootcheck

rootcheck:clear

rootcheck:read

rootcheck:run

Rules

rules:read

rules:update

rules:delete

SCA

sca:read

Security

security:create_user

security:create

security:delete

security:edit_run_as

security:read_config

security:read

security:revoke

security:update_config

security:update

Syscheck

syscheck:clear

syscheck:read

syscheck:run

Syscollector

syscollector:read

Task

task:status

Vulnerability

vulnerability:read

Deprecated since version 4.8.0.

vulnerability:run

Deprecated since version 4.8.0.

Default policies

agents_all

Grant full access to all agents related functionalities.

resourceless:
  actions:
    - agent:create
    - group:create
  resources:
    - '*:*:*'
  effect: allow
agents:
  actions:
    - agent:read
    - agent:delete
    - agent:modify_group
    - agent:reconnect
    - agent:restart
    - agent:upgrade
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
groups:
  actions:
    - group:read
    - group:delete
    - group:update_config
    - group:modify_assignments
  resources:
    - group:id:*
  effect: allow

agents_commands

Allow sending commands to agents.

agents:
  actions:
    - active-response:command
  resources:
    - agent:id:*
  effect: allow

agents_read

Grant read access to all agents related functionalities.

agents:
  actions:
    - agent:read
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
groups:
  actions:
    - group:read
  resources:
    - group:id:*
  effect: allow

ciscat_read

Allow reading the agent ciscat results information.

ciscat:
  actions:
    - ciscat:read
  resources:
    - agent:id:*
  effect: allow

cluster_all

Provide full access to all cluster/manager related functionalities.

resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
    - manager:update_config
    - manager:restart
  resources:
    - '*:*:*'
  effect: allow
nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
    - cluster:restart
    - cluster:update_config
  resources:
    - node:id:*
  effect: allow

cluster_read

Provide read access to all cluster/manager related functionalities.

resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
  resources:
    - '*:*:*'
  effect: allow
nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
  resources:
    - node:id:*
  effect: allow

decoders_all

Allow managing all decoder files in the system.

files:
  actions:
    - decoders:read
    - decoders:delete
  resources:
    - decoder:file:*
  effect: allow
resourceless:
  actions:
    - decoders:update
  resources:
    - '*:*:*'
  effect: allow

decoders_read

Allow reading all decoder files in the system.

decoders:
  actions:
    - decoders:read
  resources:
    - decoder:file:*
  effect: allow

events_ingest

Allow sending events to analysisd.

resourceless:
  actions:
    - event:ingest
  resources:
    - '*:*:*'
  effect: allow

lists_all

Allow managing all CDB lists files in the system.

files:
  actions:
    - lists:read
    - lists:delete
  resources:
    - list:file:*
  effect: allow
resourceless:
  actions:
    - lists:update
  resources:
    - '*:*:*'
  effect: allow

lists_read

Allow reading all CDB list files in the system.

lists:
  actions:
    - lists:read
  resources:
    - list:file:*
  effect: allow

logtest_all

Provide access to all logtest related functionalities.

logtest:
  actions:
    - logtest:run
  resources:
    - '*:*:*'
  effect: allow

mitre_read

Allow reading MITRE database information.

mitre:
  actions:
    - mitre:read
  resources:
    - '*:*:*'
  effect: allow

rootcheck_all

Allow reading, running and clearing rootcheck information.

rootcheck:
  actions:
    - rootcheck:clear
    - rootcheck:read
    - rootcheck:run
  resources:
    - agent:id:*
  effect: allow

rootcheck_read

Allow reading all rootcheck information.

rootcheck:
  actions:
    - rootcheck:read
  resources:
    - agent:id:*
  effect: allow

rules_all

Allow managing all rule files in the system.

files:
  actions:
    - rules:read
    - rules:delete
  resources:
    - rule:file:*
  effect: allow
resourceless:
  actions:
    - rules:update
  resources:
    - '*:*:*'
  effect: allow

rules_read

Allow reading all rule files in the system.

rules:
  actions:
    - rules:read
  resources:
    - rule:file:*
  effect: allow

sca_read

Allow reading the agent sca information.

sca:
  actions:
    - sca:read
  resources:
    - agent:id:*
  effect: allow

security_all

Provide full access to all security related functionalities.

resourceless:
  actions:
    - security:create
    - security:create_user
    - security:edit_run_as
    - security:read_config
    - security:update_config
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
security:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - role:id:*
    - policy:id:*
    - user:id:*
    - rule:id:*
  effect: allow

syscheck_all

Allow reading, running and clearing syscheck information.

syscheck:
  actions:
    - syscheck:clear
    - syscheck:read
    - syscheck:run
  resources:
    - agent:id:*
  effect: allow

syscheck_read

Allow reading syscheck information.

syscheck:
  actions:
    - syscheck:read
  resources:
    - agent:id:*
  effect: allow

syscollector_read

Allow reading agents information.

syscollector:
  actions:
    - syscollector:read
  resources:
    - agent:id:*
  effect: allow

task_status

Allow reading tasks information.

task:
  actions:
    - task:status
  resources:
    - '*:*:*'
  effect: allow

users_all

Provide full access to all users related functionalities.

resourceless:
  actions:
    - security:create_user
    - security:edit_run_as
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
users:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - user:id:*
  effect: allow

users_modify_run_as

Provides the capability to modify the users' run_as parameter.

flag:
  actions:
    - security:edit_run_as
  resources:
    - '*:*:*'
  effect: allow

vulnerability_read

Allow reading agents' vulnerabilities information.

vulnerability:
  actions:
    - vulnerability:read
  resources:
    - agent:id:*
  effect: allow

vulnerability_run

Allow running a vulnerability detector scan.

resourceless:
  actions:
    - vulnerability:run
  resources:
    - '*:*:*'
  effect: allow

Default roles

administrator

Administrator role of the system. This role has full access to the system.

Policies
Rules

agents_admin

Agents administrator of the system. This role has full access to all agent-related functionalities.

Policies

agents_readonly

Read-only role for agent-related functionalities.

Policies

cluster_admin

Manager administrator of the system. This role has full access to all manager-related functionalities.

Policies

cluster_readonly

Read-only role for manager-related functionalities.

Policies

readonly

Read-only role. This role can read all the information in the system.

Policies

users_admin

Users administrator of the system. This role provides full access to all user-related functionalities.

Policies

Default rules

Warning

Run_as permissions through these mapping rules can only be obtained with the wazuh-wui user. These rules will never match an authorization context for any other ThreatLockDown API user.

wui_elastic_admin

Administrator permissions for WUI's elastic users.

rule:
    FIND:
        username: "elastic"

wui_opendistro_admin

Administrator permissions for WUI's opendistro users.

rule:
    FIND:
        user_name: "admin"
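The matcher below is an added illustration of how the FIND clauses of the two default rules above are applied to an authorization context; it is not the product's own rule engine. The nested shape of the sample contexts, the recursive key/value search and the comparison of values as whole-string regular expressions are assumptions made for the example, and the api_user check mirrors the warning that these mappings are honoured only for the wazuh-wui user.

```python
"""Match the FIND clause of role-mapping rules (Default rules section) against an
authorization context. Added illustration, not the product's own rule engine:
the context shapes, the recursive key/value search and the regular-expression
comparison of values are assumptions made for the example."""
import re
from typing import Any, Dict, Iterator, List, Tuple

# The two default rules from this page.
RULES: Dict[str, Dict[str, Dict[str, str]]] = {
    "wui_elastic_admin": {"FIND": {"username": "elastic"}},
    "wui_opendistro_admin": {"FIND": {"user_name": "admin"}},
}

# Constructed authorization contexts; the nesting is invented for the example.
CONTEXTS: Dict[str, Any] = {
    "elastic_user": {"username": "elastic", "roles": ["superuser"]},
    "opendistro_admin": {"user": {"user_name": "admin", "backend_roles": ["admin"]}},
    "analyst": {"username": "analyst", "user": {"user_name": "admin-assistant"}},
}


def walk(node: Any) -> Iterator[Tuple[str, Any]]:
    """Yield every key/value pair in a nested dict/list structure, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)


def find_matches(clause: Dict[str, str], context: Any) -> bool:
    """FIND: each key in the clause must occur somewhere in the context with a
    string value that fully matches the clause value as a regular expression
    (full match, so "admin" does not match "admin-assistant")."""
    return all(
        any(key == k and isinstance(v, str) and re.fullmatch(pattern, v) is not None
            for k, v in walk(context))
        for key, pattern in clause.items())


def roles_for(api_user: str, context: Any,
              rules: Dict[str, Dict[str, Dict[str, str]]] = RULES) -> List[str]:
    """Names of rules whose FIND clause matches the context. Per the warning on
    this page, these mappings are only honoured for the wazuh-wui API user, so
    any other caller gets an empty list regardless of the context it sends."""
    if api_user != "wazuh-wui":
        return []
    return [name for name, body in rules.items()
            if "FIND" in body and find_matches(body["FIND"], context)]


if __name__ == "__main__":
    for label, ctx in CONTEXTS.items():
        print(label, roles_for("wazuh-wui", ctx))
    print("other api user", roles_for("wazuh", CONTEXTS["elastic_user"]))
```

Because FIND searches at any depth, a rule keyed on a generic name such as username matches wherever that key appears in the context; when writing custom rules, prefer keys and values specific enough that an unrelated nested field cannot satisfy them.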