Index permissions for custom role


doc dodo

May 8, 2026, 7:35:23 AM
to Wazuh | Mailing List
Hello,
I have a role with read-only permissions, but I want to add the possibility to delete some indices.
I can't delete an object from "Dashboard manager". (screen1)

I receive this error:
{"type":"log","@timestamp":"2026-05-08T11:13:23Z","tags":["error","opensearch","data"],"pid":54,"message":"[security_exception]: no permissions for [indices:data/write/delete] and User [name=testuser, backend_roles=[readall], requestedTenant=null]"}

I tried adding the "data/write/delete]" permission, but that didn't solve the problem. (screen2)
Screen1.jpg
Screen2.jpg

Olamilekan Abdullateef Ajani

May 8, 2026, 9:21:23 AM
to Wazuh | Mailing List
Hello,

I am looking into this and will revert shortly.

Regards,

Olamilekan Abdullateef Ajani

May 8, 2026, 9:50:03 AM
to Wazuh | Mailing List
Hello,

After evaluating the issue, I noticed you added the permission indices:data/write/delete to the user's read-only role so they are able to delete the object, but that permission is for index data documents, not Dashboard saved objects, which is what you tried to alter. Those are 2 different things.

Deleting from Dashboard Management Saved Objects is controlled by tenant permissions, the dashboard layer, as confirmed by the error in one of your screenshots: "Unable to delete saved objects: Forbidden".

To allow the user to delete from dashboards or saved objects, you need to modify the Tenant permissions section of that role.
Go to Security > Roles and edit your custom role, then scroll down to the tenant permissions section and change it to read/write as indicated in the attached screenshot.

If you want them to be able to delete data but not delete dashboard objects, you can keep the tenant as read-only and use the Dev Tools to send a DELETE request to the index specifically.

That said, another option is to create a separate tenant and grant read/write on that tenant to properly isolate roles and operations.
More information in the documentation below:
https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/multi-tenancy.html

tenant.png

doc dodo

May 11, 2026, 3:34:35 AM
to Wazuh | Mailing List
Hello,
I added the tenant permission like in my screen3, but that didn't solve the problem.

I have this error in the log:
[2026-05-11T10:25:03,616][INFO ][o.o.s.p.PrivilegesEvaluatorImpl] [wazuh1.indexer] No index-level perm match for User [name=testuser, backend_roles=[readall], requestedTenant=null] Resolved [aliases=[.kibana], allIndices=[.kibana_1], types=[*], originalRequested=[.kibana], remoteIndices=[]]: Insufficient permissions for the referenced index [Action [indices:data/write/bulk[s]]] [RolesChecked [client_ro, own_index, readall]]

The permission indices:data/write/bulk is added to Cluster permissions like in my screen4.

Friday, May 8, 2026 at 16:50:03 UTC+3, Olamilekan Abdullateef Ajani:
Screen3.jpg
Screen4.jpg

Olamilekan Abdullateef Ajani

May 11, 2026, 10:03:48 AM
to Wazuh | Mailing List
Hello,

Based on the error, what we need is a Kibana-mapped permission so the user is only able to carry out the delete function on that object and not able to write.

indices:data/write/bulk
indices:data/write/bulk[s]
indices:data/write/delete

are needed, and you need to add a new permission with the index pattern .kibana* to reflect this. Please see attached for reference.

Using the REST API, you can add those permissions from the Wazuh indexer server and replace the password with your admin credentials.

curl -k -u admin:pass \
  -X PATCH \
  "https://localhost:9200/_plugins/_security/api/roles/client_ro" \
  -H "Content-Type: application/json" \
  -d '[
    {
      "op": "add",
      "path": "/index_permissions/-",
      "value": {
        "index_patterns": [".kibana*"],
        "allowed_actions": [
          "indices:data/write/bulk",
          "indices:data/write/bulk[s]",
          "indices:data/write/delete"
        ]
      }
    }
  ]'
Once done, the required permissions should also appear on the dashboard, and the user should be able to perform the delete action and not create. I tried this, and it worked as expected. Please let me know what you find if you require further clarification.

Regards,
custom-perm.png
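As an added example (not from this thread, and not Wazuh's or OpenSearch's own code), the following Python script models why the earlier attempts in this thread failed and why the PATCH above works: it parses the "No index-level perm match" line from the indexer log, applies the same JSON Patch body as the curl command to a constructed read-only role, and reports which index-level actions match before and after. The role body (a stand-in for client_ro), the `*`-only wildcard matching, and the support for just the `add` JSON Patch operation are simplifying assumptions; the real PrivilegesEvaluator also expands action groups and `/regex/` patterns.

```python
import json
import re

# Constructed stand-in for the thread's read-only custom role (client_ro).
# The real role body is not shown in the thread; this is an assumption.
ROLE_BEFORE = {
    "cluster_permissions": [
        "cluster_composite_ops_ro",
        "indices:data/write/bulk",   # added to Cluster permissions, as in screen4
    ],
    "index_permissions": [
        {
            "index_patterns": ["wazuh-alerts-*", "wazuh-monitoring-*"],
            "allowed_actions": ["indices:data/read/*"],
        }
    ],
    "tenant_permissions": [
        {"tenant_patterns": ["global_tenant"], "allowed_actions": ["kibana_all_read"]}
    ],
}

# The denial line quoted in the thread (indexer log).
DENIAL_LOG = (
    "[2026-05-11T10:25:03,616][INFO ][o.o.s.p.PrivilegesEvaluatorImpl] [wazuh1.indexer] "
    "No index-level perm match for User [name=testuser, backend_roles=[readall], requestedTenant=null] "
    "Resolved [aliases=[.kibana], allIndices=[.kibana_1], types=[*], originalRequested=[.kibana], "
    "remoteIndices=[]]: Insufficient permissions for the referenced index "
    "[Action [indices:data/write/bulk[s]]] [RolesChecked [client_ro, own_index, readall]]"
)

DENIAL_RE = re.compile(
    r"allIndices=\[(?P<indices>[^\]]*)\].*?"
    r"Action \[(?P<action>.+?)\]\] \[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)


def parse_denial(line: str) -> dict:
    """Pull the resolved indices, the denied action and the roles checked out of the log line."""
    m = DENIAL_RE.search(line)
    if not m:
        raise ValueError("not an index-level denial line")
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    return {"indices": split(m["indices"]), "action": m["action"], "roles": split(m["roles"])}


def _wildcard_to_regex(pattern: str) -> re.Pattern:
    # Only '*' is a wildcard; everything else, including the '[s]' suffix of shard
    # actions such as indices:data/write/bulk[s], is matched literally.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def _matches_any(patterns, value: str) -> bool:
    return any(_wildcard_to_regex(p).match(value) for p in patterns)


def is_index_action_allowed(role: dict, index: str, action: str) -> bool:
    """Index-level check: only index_permissions entries are consulted.

    cluster_permissions and tenant_permissions are deliberately ignored here, which is
    why adding indices:data/write/bulk under Cluster permissions did not clear the
    'No index-level perm match' denial in the thread.
    """
    for perm in role.get("index_permissions", []):
        if _matches_any(perm.get("index_patterns", []), index) and _matches_any(
            perm.get("allowed_actions", []), action
        ):
            return True
    return False


def build_role_patch() -> list:
    """The same JSON Patch body the curl command in the thread sends to the security API."""
    return [
        {
            "op": "add",
            "path": "/index_permissions/-",
            "value": {
                "index_patterns": [".kibana*"],
                "allowed_actions": [
                    "indices:data/write/bulk",
                    "indices:data/write/bulk[s]",
                    "indices:data/write/delete",
                ],
            },
        }
    ]


def apply_patch(role: dict, patch: list) -> dict:
    """Minimal JSON Patch: only 'add' to /index_permissions/- is modelled (assumption)."""
    updated = json.loads(json.dumps(role))  # deep copy, leave the original untouched
    for op in patch:
        if op["op"] != "add" or op["path"] != "/index_permissions/-":
            raise ValueError("only 'add' to /index_permissions/- is supported here")
        updated.setdefault("index_permissions", []).append(op["value"])
    return updated


def explain_denial(role: dict, line: str) -> dict:
    """Map each resolved index from the log line to whether the role now allows the action."""
    denial = parse_denial(line)
    return {idx: is_index_action_allowed(role, idx, denial["action"]) for idx in denial["indices"]}


if __name__ == "__main__":
    print("before patch:", explain_denial(ROLE_BEFORE, DENIAL_LOG))
    after = apply_patch(ROLE_BEFORE, build_role_patch())
    print("after patch: ", explain_denial(after, DENIAL_LOG))
    print("still no create on .kibana_1:",
          not is_index_action_allowed(after, ".kibana_1", "indices:data/write/index"))
```

Running the script shows `.kibana_1` denied before the patch and allowed afterwards for `indices:data/write/bulk[s]`, while `indices:data/write/index` on `.kibana_1` and any write on `wazuh-alerts-*` stay denied, which is the "delete but not create" outcome described above. When sending the real patch, the curl command's `-k` skips certificate verification; on a production indexer, point curl at the cluster CA instead so the admin credentials are not sent over an unverified connection.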

doc dodo

May 12, 2026, 2:46:46 AM
to Wazuh | Mailing List
Yes, this solved the problem. Thank you very much.

Monday, May 11, 2026 at 17:03:48 UTC+3, Olamilekan Abdullateef Ajani: