I am trying to set up separate RO access to specific agent groups using the Wazuh RBAC manual but keep getting the attached error. We are also setting up SAML login. Would SAML block external user (non-domain/tenant) accounts?


David Brindley

Apr 22, 2024, 7:42:42 PM
to Wazuh | Mailing List

Sebastian Dario Bustos

Apr 22, 2024, 11:52:58 PM
to Wazuh | Mailing List
Hi David,
Thank you for using Wazuh!!!

I see in your example that there is no tenant selected; can you click on the user's icon, select the global tenant and attempt to reload the Wazuh app again?
Also, can you please indicate which SSO you are integrating with Wazuh?

Usually, if your run_as parameter is set to true, you will have to create a roles_mapping in the Wazuh app that, instead of mapping it directly to internal users as mentioned in the guide you followed (https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html), maps it to a backend role found in the department group you set up in your SSO, for example for OneLogin:

Click Create Role mapping and complete the empty fields with the following parameters:

  • Role mapping name: Assign a name to the role mapping.

  • Roles: Select the role you created with the document level security and the cluster_readonly role.

  • Custom rules: Click Add new rule to expand this field.

  • User field: backend_roles

  • Search operation: FIND

  • Value: Assign the value of the Department field in OneLogin configuration.


Please let me know.
Regards.

David Brindley

Apr 25, 2024, 5:51:17 AM
to Wazuh | Mailing List
Hi Sebastian,

Thanks for the quick response on that. We plan to use Entra ID as SSO, so I will look into that implementation. For clarification, the cswadmin user is listed under the global tenant. We are also trying to give non-tenant users RO access to their agents. Would SSO/MFA prevent this unless they were given tenant accounts?

Thanks,
David Brindley

David Brindley

Apr 25, 2024, 5:51:48 AM
to Wazuh | Mailing List
Hi Sebastian,

Thanks for the quick response! Sorry if you see this message twice. I typed it up earlier and sent it, but don't see it in the thread, so I'm resending. For clarification, the cswadmin account is in the global tenant. We do not currently have SSO configured, but plan to implement it with Entra-ID, so I don't know if that changes the answer for the backend role, but I see the Entra option in the guide you linked, so I can start working on configuring that. For the group access, our goal is for an external user outside our Entra tenant to log into Wazuh with RO rights to agents with the "CSW" tag using a local Wazuh account. Do you think that is possible with SSO/MFA enabled?

Thanks,
David Brindley

Sebastian Dario Bustos

Apr 25, 2024, 11:40:25 PM
to Wazuh | Mailing List
Hi David,
Yes, it is possible to restrict the read-only permissions to a specific group of agents, the same as with internal users. As mentioned in the previous comment, follow the same guide, but instead of mapping users to the role you will map backend_roles from the SSO: in the roles_mapping creation part, instead of entering internal users in the "Internal users" field, click the "Add new rule" link below it and complete the fields as follows:

  • Search operation: FIND

  • Value: Assign the value of the role name you gave in your Entra ID SSO setup for the read-only users (backend role).

Here is the link for the Entra ID SSO integration. There, as an example, the name "wazuh-readonly" is used as the role name, which will be used as the backend role (to map the …): https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/read-only/microsoft-entra-id.html

Hint: In the Wazuh Dashboard, Security -> Roles (the role you created with the Document Level Security), you can map internal users and backend roles for your SSO, and in the Wazuh app's Security section you can create multiple roles_mapping entries, one for each kind of user (internal users and backend roles, as mentioned above), pointing to the same role you created following the guide.

Let me know if this helps.
Regards.
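To make the two roles_mapping rules described in this thread concrete (the FIND rule on backend_roles for SSO users, and a second mapping for a local Wazuh account pointing at the same role, as in the hint above), here is an added example that is not code from Wazuh or from anyone in this thread. It is a simplified model of how a mapping rule selects a logged-in user: the rule shape `{"FIND": {"backend_roles": "..."}}`, the role name "csw_agents_readonly", the user names and the sample authentication contexts are all assumptions constructed for the example; the documented meaning of FIND (value found within the field) and MATCH (field equal to the value) is what the evaluator implements.

```python
"""Model of how a Wazuh app roles_mapping rule selects users (added example).

Assumptions (not from the thread or the Wazuh docs): the authentication
context is a dict with the user's name and backend roles, a FIND rule is
satisfied when the value occurs anywhere in the chosen user field, and a
MATCH rule needs the whole field to equal the value.
"""
from typing import Any, Dict, List, Set

# Constructed sample contexts: an Entra ID SSO user carrying the backend
# role from the guide, a local (internal) Wazuh user with no backend roles,
# and an SSO user from another group who must be granted nothing.
SSO_READONLY_USER: Dict[str, Any] = {
    "user_name": "alice@example.com",
    "backend_roles": ["wazuh-readonly"],
}
LOCAL_CSW_USER: Dict[str, Any] = {"user_name": "csw-external", "backend_roles": []}
OTHER_SSO_USER: Dict[str, Any] = {
    "user_name": "bob@example.com",
    "backend_roles": ["finance"],
}

# Constructed mappings mirroring the dashboard fields in the thread:
#   User field -> dict key, Search operation -> FIND/MATCH, Value -> value.
# "csw_agents_readonly" is a hypothetical name for the read-only agent role
# the guide has you create; both mappings point at that same role.
ROLE_MAPPINGS: List[Dict[str, Any]] = [
    {
        "name": "csw-readonly-sso",
        "role": "csw_agents_readonly",
        "rule": {"FIND": {"backend_roles": "wazuh-readonly"}},
    },
    {
        "name": "csw-readonly-local",
        "role": "csw_agents_readonly",
        "rule": {"MATCH": {"user_name": "csw-external"}},
    },
]


def rule_matches(rule: Dict[str, Dict[str, Any]], context: Dict[str, Any]) -> bool:
    """Return True if every condition in the rule holds for the context."""
    for operation, conditions in rule.items():
        for field, wanted in conditions.items():
            actual = context.get(field)
            if operation == "MATCH":
                # Exact equality of the whole field.
                if actual != wanted:
                    return False
            elif operation == "FIND":
                # Value found within the field: list membership for list
                # fields, substring search for string fields.
                if isinstance(actual, (list, tuple)):
                    if wanted not in actual:
                        return False
                elif actual is None or wanted not in str(actual):
                    return False
            else:
                raise ValueError(f"unknown search operation {operation!r}")
    return True


def roles_for(context: Dict[str, Any], mappings=ROLE_MAPPINGS) -> Set[str]:
    """Set of Wazuh roles granted to the user by the mappings that match."""
    return {m["role"] for m in mappings if rule_matches(m["rule"], context)}


if __name__ == "__main__":
    for who, ctx in [("sso", SSO_READONLY_USER), ("local", LOCAL_CSW_USER),
                     ("other", OTHER_SSO_USER)]:
        print(who, sorted(roles_for(ctx)))
```

The SSO user matches only through the backend role, the local account only through its user name, and the user from another group matches neither rule and therefore receives no Wazuh role at all, which is the outcome the separate mappings are meant to produce.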