3013 - Permission denied: Resource type: *:*

[Sudo]

Hello all. I have a problem with my RBAC rules since the update to 4.4. I get the error 3013 for users with read only rights inside wazuh-dashboard.

Since I didn't get any feedback on the Wazuh Discord and was referred here by the trainer from the Wazuh Engineer training, I'll try again to give some more information from my previous researches.

The error pattern described below occurred only after upgrading to version 4.4 

```

Error: 3013 - Permission denied: Resource type: *:*

    at createError (https://test.test.de/44006/bundles/plugin/wazuh/wazuh.plugin.js:2:28658)
    at settle (https://test.test.de/44006/bundles/plugin/wazuh/wazuh.plugin.js:8:19613)
    at XMLHttpRequest.onloadend (https://test.test.de/44006/bundles/plugin/wazuh/wazuh.plugin.js:2:26451)
```

The rule assigned to the users contains the following permissions

 
**Actions:**
```
agent:read
vulnerability:read
syscollector:read
ciscat:read
listen:read
mitre:read
rootcheck:read
rules:read
sca:read
read syscheck:read
group:read
group:update_config
```

**Ressources**
```
agent:group:CompanyName
```

If I add the resource `*:*:*` the user has no permission to see any agent at all, but the error message is no longer present.
It doesn't seem to matter what other resource I add. Also a rule:file:* seems to override the agent:group permissions so no agents are viewable anymore.

The index permissions have been set according to the RBAC documentation. The only exception here is another tentant to which read and write permissions have been assigned. 

If more info is needed, please let me know. Maybe someone can help.

[Ifeanyi Onyia Odike]

Hi Sudo,

Thank you for using Wazuh!

I will take a look at this issue and respond. Do hold on.

BR,

[Ifeanyi Onyia Odike]

Hi Sudo,

I have gone through this issue in detail and I would require some extra time to replicate it.

I will provide a response once this is done.

BR,

[Sudo]

Thanks for your effort

[Ifeanyi Onyia Odike]

Hi Sudo,

Thank you for holding on. I see you may have used the creating and setting Wazuh read-only user guide for your scenario. 

I have tried to replicate the issue and I did not receive the error in your first mail.

Can you follow these basics steps and tell me if it solves the issue:

1. Restart the Wazuh dashboard service and clear your browser cache and cookies.

2. Try to create and log in with a new user using the steps in the link provided above.

Please let us know how it goes.

BR,

[Sudo]

Thanks for the feedback. I have once again performed the steps mentioned:

1. clearing the cache and cookies does not lead to any change.
2. i went through the process again and have no problem when using the predefined group "readonly". However, when I follow the "Use Case: Give a user permissions to read and manage a group of agents" the problems described above occur again.

I have to create my own policy and role because I don't want users to be able to see all agents, which is done by assigning the resource agent:id:*.

Thanks again for your work

[Ifeanyi Onyia Odike]

Hi Sudo,

Thank you for your response. I will replicate this use case and revert with my findings.

Do hold on.

BR,

[Ifeanyi Onyia Odike]

Hi Sudo,

I have replicated this scenario and I did not encounter the error: https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html#use-case-give-a-user-permissions-to-read-and-manage-a-group-of-agents

Can you try replicating the scenario and creating a new group for the user you have created using the steps in the documentation above?

[Sergey S]

Hello everybody

Wazuh Dashboard, Indexer, Manager 4.4.3

I'm developing RBAC in our Wazuh and faced with this problem too. Case is quite similar - one team has read access only to their agents.

And It doesn't seem like lack of permissions - users has all required access, but error still raises sometime.

My wazuh policy:

Actions:

• agent:read
• group:read
• ciscat:read
• vulnerability:read
• mitre:read
• rootcheck:read
• sca:read
• syshceck:read
• syscollector:read
• cluster:read

Resources:

• agent:group:<some_group_name>
• group:id:<some_group_name>

Also, found that @Gabriel Diaz Lopez de la Llave<gabrie...@wazuh.com> mentioned this error is as bug:

https://github.com/wazuh/wazuh-kibana-app/pull/5201

https://groups.google.com/g/wazuh/c/Cx57zocN9os/m/JntuUrvMBwAJ
but it is about Wazuh KIbana app, and I think Wazuh Dashboard is another case.

воскресенье, 14 мая 2023 г. в 18:58:42 UTC+2, Ifeanyi Onyia Odike:

[Gus]

Hi all,

Same issue here. v4.5.2 from OVA

Followed documentation here, tried twice:

https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html#use-case-give-a-user-permissions-to-read-and-manage-a-group-of-agents

User seems to be functinal, just constatntly getting the same error:

3013 - Permission denied: Resource type: *:*

createError@https://w.a*****/45202/bundles/plugin/wazuh/wazuh.plugin.js:2:28658
settle@https://w.a*****45202/bundles/plugin/wazuh/wazuh.plugin.js:8:19613
onloadend@https://w.a*****/45202/bundles/plugin/wazuh/wazuh.plugin.js:2:26457