An error occured while saving your query: Forbidden
55 views
Skip to first unread message
doc dodo
Jan 5, 2026, 5:15:07 AMJan 5
to Wazuh | Mailing List
Hello,
I can't save filter and recieve the message "An error occured while saving your query: Forbidden
".
I tried looking for the right role in the indexer settings,
but it was not successful.
What role or permissions should a user be granted to be able to save filters?
Oluwaseyi Soneye
Jan 5, 2026, 11:22:43 AMJan 5
to Wazuh | Mailing List
Hello,
3. Go to the Mapped users section
4. Add the target user (I created a user "belly" for this test)
5. Save your changes
This issue is possibly caused by insufficient permissions to write to the Dashboards saved objects index, or by the user having read-only access.
Follow the steps below to ensure a user can search data and save filters successfully. The user needs Dashboards write permissions (to save filters) and Read access to Wazuh indices (to run searches)
Follow the steps below to ensure a user can search data and save filters successfully. The user needs Dashboards write permissions (to save filters) and Read access to Wazuh indices (to run searches)
First create a role with write access:
1. In the Wazuh Dashboard, navigate to: ☰ → Indexer management → Security → Roles.
2. Search for the role kibana_user.
3. Click the role, then click Duplicate role (top-right). Name the duplicated role. For example "kibana_user_copy".
4. Adjust permissions as needed:
Under Index permissions, you may remove permissions such as delete if you want to restrict destructive actions.
Under Tenant permissions, select global_tenant and set it to Read & Write.
Under Tenant permissions, select global_tenant and set it to Read & Write.
5. Click Create.
Next, map the user to the new role:
1. Still under Security → Roles, search for kibana_user_copy
2. Click the role3. Go to the Mapped users section
4. Add the target user (I created a user "belly" for this test)
5. Save your changes
Next, grant read access to Wazuh data indices
The user must also be able to search Wazuh indices (for example, wazuh-alerts-*).
1. Navigate to ☰ → Indexer management → Security → Internal users
2. Find and click the user. Then edit.
3. Under Backend roles (optional), add: readall
This backend role provides read permissions to Wazuh indices and allows searches to succeed.
4. Click Save changes
1. Navigate to ☰ → Indexer management → Security → Internal users
2. Find and click the user. Then edit.
3. Under Backend roles (optional), add: readall
This backend role provides read permissions to Wazuh indices and allows searches to succeed.
4. Click Save changes
Finally, test to confirm if works.
Navigate to ☰ → Explore > Discover. Add your filters, then click Save. From the screenshots, we see this succeeds.
I also removed the mapping and tested to recreate the initial issue.
Reply all
Reply to author
Forward
0 new messages