RBAC read-only user: Dashboard widgets empty, IT Hygiene permission error and MITRE access issues


Marco Presini

Jun 30, 2026, 5:32:58 AM
to Wazuh | Mailing List

Hello everyone,

I'm trying to configure a read-only RBAC user in Wazuh.

I followed the official documentation step by step:

https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html#creating-and-setting-a-wazuh-read-only-user

My goal is to create a user that can access only a specific group of agents.

According to the documentation, the example action policy uses only agent:read. Since I also need access to SCA, FIM and Inventory information, I added the following actions to the policy:

  • agent:read

  • sca:read

  • syscheck:read

  • syscollector:read

The RBAC configuration seems to work correctly for most features:

  • the user can log in;

  • the user can only see the intended agents;

  • the user can open the agent pages;

  • SCA results, FIM and Inventory information are visible.

However, I'm experiencing the following issues.

1. Dashboard widgets show no data

On the Dashboard, the following widgets are always empty:

  • Events count evolution: No results found

  • MITRE ATT&CK: No results

  • Compliance: No results

The Administrator account displays data correctly for the same time range.

2. IT Hygiene permission error

When opening IT Hygiene, I get the following error:

no permissions for [indices:data/write/index] and User [name=c.polini, backend_roles=[], requestedTenant=null]: security_exception: [security_exception] Reason: no permissions for [indices:data/write/index] and User [name=c.polini, backend_roles=[], requestedTenant=null]

I would expect a read-only user not to require write permissions, so I'm wondering whether I'm missing an RBAC permission or if this is an expected limitation.

3. NIST 800-53

If I open the NIST 800-53 section for an agent, I don't get any permission errors and some results are displayed.

However, the information shown is not the same as what the Administrator account sees.

Is this expected, or is there an additional permission required?

4. MITRE ATT&CK

There are two different behaviors:

  • On the Dashboard and Events pages, I get "No results match your search criteria."

  • In Intelligence → MITRE & Framework, I get:

You have no permissions This section requires the permission: - mitre:read (*:*:*)

Should mitre:read also be included in the action policy, or are additional permissions/index privileges required for a read-only RBAC user?

Has anyone experienced the same behavior or knows which permissions are needed to make these sections work correctly?

For reference, I'm using Wazuh version 4.14.5; it is the official VM.

Thank you!

Diego Arjona García

Jun 30, 2026, 7:25:27 AM
to Wazuh | Mailing List

In order to have a role that can only access a certain group of agents and access every other module you defined in read-only format, you must have the following configuration:

1. In Indexer Management > Security, you should have the configuration like in the documentation, but if you wish, you can add in Document Level Security the following filter, so the data the user sees is only from the specified group.

2. In Server Management > Security, you will have to create a new policy specifying the agent groups you wish to see data from.

Also, you will have to create a new Role that includes those policies plus all the others that appear in the already existing read-only role:



Captura desde 2026-06-30 13-17-35.png
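
A small triage helper for the two denial messages quoted in the thread, added here as an example and not part of either post or of Wazuh's own code: it separates indexer-side permission names (`indices:...`, handled under Indexer Management > Security) from server API RBAC actions (`mitre:read`, handled under Server Management > Security) and checks the latter against the four actions the question lists. The function, constant and field names are hypothetical.

```python
import re

# Indexer (OpenSearch security plugin) denial, in the form quoted in the question.
INDEXER_RE = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User \[name=(?P<user>[^,\]]+)")
# Dashboard notice naming a missing Wazuh server API (RBAC) action and resource.
API_RE = re.compile(
    r"requires the permission:\s*-\s*(?P<action>[a-z_]+:[a-z_]+)\s*\((?P<resource>[^)]+)\)")

# The four actions the question says were put in the server API policy.
POLICY_ACTIONS = frozenset({"agent:read", "sca:read", "syscheck:read", "syscollector:read"})

# The two messages exactly as quoted in the question.
INDEXER_MSG = ("no permissions for [indices:data/write/index] and User [name=c.polini, "
               "backend_roles=[], requestedTenant=null]: security_exception: "
               "[security_exception] Reason: no permissions for [indices:data/write/index] "
               "and User [name=c.polini, backend_roles=[], requestedTenant=null]")
API_MSG = "You have no permissions This section requires the permission: - mitre:read (*:*:*)"


def triage(message, policy_actions=POLICY_ACTIONS):
    """Return one finding per distinct denial in `message`, tagged with its layer."""
    findings, seen = [], set()
    for m in INDEXER_RE.finditer(message):
        key = ("indexer", m["action"], m["user"])
        if key not in seen:  # the indexer error repeats itself inside one line
            seen.add(key)
            findings.append({"layer": "indexer", "action": m["action"], "user": m["user"],
                             "is_write": m["action"].startswith("indices:data/write/")})
    for m in API_RE.finditer(message):
        key = ("server_api", m["action"], m["resource"])
        if key not in seen:
            seen.add(key)
            findings.append({"layer": "server_api", "action": m["action"],
                             "resource": m["resource"],
                             "in_policy": m["action"] in policy_actions})
    return findings


if __name__ == "__main__":
    for finding in triage(INDEXER_MSG + "\n" + API_MSG):
        print(finding)
```

A finding with `layer` set to `indexer` points at the indexer role mapped to the user, while `server_api` with `in_policy` false points at an action missing from the server API policy.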