Regarding Wazuh API RBAC

sau sau

Nov 13, 2025, 9:04:05 PM
to Wazuh | Mailing List
Hi Everyone,

Is there a way I can control Wazuh API access on the basis of backend roles given to a user?
I have 2 Wazuh APIs:
  - client_1:
      url: https://client_1
      port: 55000
      username: wazuh_wui
      password: <pass>
      run_as: false
  - client_2:
      url: https://client_2
      port: 55000
      username: wazuh-wui
      password: <pass>
      run_as: false


On the dashboard I see both APIs. Is there a way I can restrict access so that a user with backend role client_2 can access only Wazuh API client_2?

Pedro De Castro

Nov 17, 2025, 4:55:45 AM
to Wazuh | Mailing List
Hey sau sau, 

I understand your goal: to do a mapping between the user logged in from the UI (with a backend role mapped) and the API RBAC. I believe you can use `run_as` for that: you enable run_as at `wazuh-dashboard/data/wazuh/config/wazuh.yml`, then allow run_as for the user using the Wazuh API like this: `allow_run_as` [Reference].

In the Authorization context doc you can read more about how it works: https://documentation.wazuh.com/current/user-manual/api/rbac/auth-context.html#authorization-context

Let me do some testing and get back to you. I will ask the team about this as well; it's a really interesting use case.

sau sau

Nov 18, 2025, 12:37:53 AM
to Wazuh | Mailing List

Hi Pedro,

Yes, my goal is to map the logged-in Dashboard user (with a backend role) to the API RBAC so that API access is restricted per tenant. I’ve already tested run_as for resource-level RBAC, and it works perfectly for restricting access to agents/groups per tenant.

The challenge I’m facing is that even with run_as and role-based policies, the dashboard still shows all API endpoints and allows switching between different Wazuh APIs (other tenants). What I wanted to know is if a true API-level RBAC can be achieved where users only see and can access the endpoints they’re allowed to, and cannot interact with other tenants at all.

I’ll look into the Authorization Context documentation you shared in the meantime. I’d really appreciate any insights from your team on handling multi-tenant API access restrictions and dynamic endpoint visibility in the Dashboard.

Juan Sebastián Saldarriaga Arango

Nov 21, 2025, 2:03:03 AM
to Wazuh | Mailing List
Hi, I answered this to you directly two days ago, but I'm not sure if you received it. Sending this again.

Yes, you can restrict which Wazuh API a user can access — but only starting from Wazuh Dashboard 4.7+

- Users with backend role client_1 → can access only API client_1
- Users with backend role client_2 → can access only API client_2

How to configure it (short version)

Identify your API connection names
In your dashboard config you have:

client_1:
  url: https://client_1
client_2:
  url: https://client_2

These names (client_1, client_2) will be used for permissions.

Create a Dashboard role for each API
In Wazuh Dashboard → Security → Roles, create:

- Role: role_client_1
  Add permission:
  wazuh:api_selector:client_1

- Role: role_client_2
  Add permission:
  wazuh:api_selector:client_2

This permission tells the dashboard:
“Users with this role are allowed to use only this specific API connection.”

Map backend roles to these dashboard roles
In Security → Role Mappings:

- Map backend role client_1 → role_client_1
- Map backend role client_2 → role_client_2

Assign backend roles to users
In the user settings (OpenSearch Security):

- User A → backend role: client_1
- User B → backend role: client_2

When users log in:

A user with backend role client_1 only sees API client_1 in the dropdown.

A user with backend role client_2 only sees API client_2.

They cannot switch to or access the other API.

sau sau

Nov 21, 2025, 1:27:54 PM
to Wazuh | Mailing List
Hey Juan, 

Reaching out to you again regarding this.
From what I can see, I have dashboard version 4.10.3.

But I do not see the option to add the permission wazuh:api_selector:client_1 under Wazuh Dashboard > Security > Roles.

Am I missing something here?