Hello everyone,
I'm trying to configure a read-only RBAC user in Wazuh.
I followed the official documentation step by step:
My goal is to create a user that can access only a specific group of agents.
According to the documentation, the example action policy uses only agent:read. Since I also need access to SCA, FIM and Inventory information, I added the following actions to the policy:
agent:read
sca:read
syscheck:read
syscollector:read
The RBAC configuration seems to work correctly for most features:
the user can log in;
the user can only see the intended agents;
the user can open the agent pages;
SCA results, FIM and Inventory information are visible.
However, I'm experiencing the following issues.
1. Dashboard widgets show no data
On the Dashboard, the following widgets are always empty:
Events count evolution → No results found
MITRE ATT&CK → No results
Compliance → No results
The Administrator account displays data correctly for the same time range.
2. IT Hygiene permission error
When opening IT Hygiene, I get the following error:
no permissions for [indices:data/write/index] and User [name=c.polini, backend_roles=[], requestedTenant=null]: security_exception: [security_exception] Reason: no permissions for [indices:data/write/index] and User [name=c.polini, backend_roles=[], requestedTenant=null]
I would expect a read-only user not to require write permissions, so I'm wondering whether I'm missing an RBAC permission or if this is an expected limitation.
3. NIST 800-53
If I open the NIST 800-53 section for an agent, I don't get any permission errors and some results are displayed.
However, the information shown is not the same as what the Administrator account sees.
Is this expected, or is there an additional permission required?
4. MITRE ATT&CK
There are two different behaviors:
On the Dashboard and Events pages, I get "No results match your search criteria."
In Intelligence → MITRE & Framework, I get:
Should mitre:read also be included in the action policy, or are additional permissions/index privileges required for a read-only RBAC user?
Has anyone experienced the same behavior or knows which permissions are needed to make these sections work correctly?
For reference, I'm using Wazuh version 4.14.5 (the official VM).
Thank you!