Restrict LDAP users to see only specific agents under the Wazuh dashboard --> Wazuh UI

Vasko Mihaylov

Jun 18, 2024, 4:12:54 AM
to Wazuh | Mailing List
I need help restricting LDAP users to see only specific agents under the Wazuh dashboard --> Wazuh UI. I followed the LDAP integration docs to configure LDAP with Wazuh Indexer and Wazuh Dashboard. The LDAP users can log in to the Wazuh dashboard and they have `cluster_composite_ops_ro` permissions for the LDAP role, as explained in the Setup read-only role docs. My Backend Role Mapping CNs are:

```
Directory Administrators
sfp-developers
```

Searching online, OpenSearch offers the Document-level security functionality --> https://opensearch.org/docs/latest/security/access-control/document-level-security/, however when setting up Document-level security in the role I always get the following errors:

```
Permissions errors:
INFO: Index pattern id in cookie: no
INFO: Getting list of valid index patterns...
INFO: Valid index patterns found: 0
INFO: Found default index pattern with title [wazuh-alerts-*]: no
INFO: Checking if index pattern [wazuh-alerts-*] exists...
INFO: Index pattern id [wazuh-alerts-*] exists: no
INFO: Creating index pattern [wazuh-alerts-*]...
INFO: Removed current pattern from cookie: []
ERROR: no permissions for [indices:data/write/index] and User [name=vasko.mihaylov, backend_roles=[pxp-operators, grafana-ro, nexus, grafana, logserver-operator, pixelpark, jenkins, gitlab, grafana-rw, monitoring-configurator, monitoring, Directory Administrators], requestedTenant=]: security_exception: [security_exception] Reason: no permissions for [indices:data/write/index] and User [name=vasko.mihaylov, backend_roles=[pxp-operators, grafana-ro, nexus, grafana, logserver-operator, pixelpark, jenkins, gitlab, grafana-rw, monitoring-configurator, monitoring, Directory Administrators], requestedTenant=]
```

Here are my role settings and the DLS query:

```
{
  "spk_ldap": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster_composite_ops_ro"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "dls": "{\n \"term\": { \"agent.name\": \"dev-deploy-rhel9.pixelpark.com\" }\n}",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "global_tenant"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}
```

If I remove the `"dls": "{\n \"term\": { \"agent.name\": \"dev-deploy-rhel9.pixelpark.com\" }\n}",` line, the LDAP users can log in without problems, but they can see all the Wazuh functionalities and agents.

Furthermore, I tried to use the Parameter substitution as noted in the OpenSearch docs --> https://opensearch.org/docs/latest/security/access-control/document-level-security/#parameter-substitution. Here are my LDAP custom attributes:

```
"custom_attribute_names": [
  "attr.ldap.entryUUID",
  "attr.ldap.inetUserStatus",
  "attr.ldap.postalCode",
  "attr.ldap.createTimestamp",
  "attr.ldap.modifyTimestamp",
  "ldap.original.username",
  "attr.ldap.creatorsName",
  "attr.ldap.shadowLastChange",
  "attr.ldap.l",
  "attr.ldap.o",
  "attr.ldap.objectClass",
  "attr.ldap.parentid",
  "attr.ldap.uid",
  "attr.ldap.givenName",
  "ldap.dn",
  "attr.ldap.cn",
  "attr.ldap.nsUniqueId",
  "attr.ldap.gidNumber",
  "attr.ldap.street",
  "attr.ldap.uidNumber",
  "attr.ldap.sn",
  "attr.ldap.entryid",
  "attr.ldap.homeDirectory",
  "attr.ldap.pwdUpdateTime",
  "attr.ldap.loginShell",
  "attr.ldap.mail"
],
```

and the DLS query I used was:

```
"dls": "{\"term\": { \"agent.name\": \"${attr.ldap.uid}\"}}",
```

and still the same permission error. I am out of ideas. I would appreciate any help. Thank you!
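The role posted above attaches its DLS query to `index_patterns: ["*"]`, which also covers the dashboard's own saved-objects index (`.kibana`). Saved objects have no `agent.name` field, so a `term` filter on it hides every one of them, and the log lines `Valid index patterns found: 0` followed by the attempt to create `wazuh-alerts-*` (which a `read`-only role cannot do) are consistent with that reading. The script below is an added example, not code from the thread or from Wazuh/OpenSearch: it lints a role for DLS entries that match a given index and builds a replacement role in the shape accepted by `PUT _plugins/_security/api/roles/<name>`, with DLS scoped to `wazuh-alerts-*` only and an unfiltered read entry for `.kibana*`. The role and agent names, the `.kibana*` pattern, and the `terms` query over several agents are my assumptions; nothing here contacts a cluster.

```python
"""Lint an OpenSearch Security role for DLS that leaks onto the saved-objects
index, and build a role whose DLS is scoped to the Wazuh alert indices only.

Added example, not from the original post. Assumed: the saved-objects index is
`.kibana*`, alert indices match `wazuh-alerts-*`, agent names are illustrative.
"""
import fnmatch
import json

# The role as posted in the thread: DLS attached to every index via "*".
POSTED_ROLE = {
    "cluster_permissions": ["cluster_composite_ops_ro"],
    "index_permissions": [
        {
            "index_patterns": ["*"],
            "dls": json.dumps({"term": {"agent.name": "dev-deploy-rhel9.pixelpark.com"}}),
            "fls": [],
            "masked_fields": [],
            "allowed_actions": ["read"],
        }
    ],
    "tenant_permissions": [
        {"tenant_patterns": ["global_tenant"], "allowed_actions": ["kibana_all_write"]}
    ],
}


def dls_entries_matching(role, index_name):
    """Return the parsed DLS query of every index_permissions entry whose
    patterns match `index_name`. A non-empty result for a saved-objects index
    such as `.kibana` means the agent filter is applied to documents that have
    no `agent.name` field, i.e. every saved object is hidden from the user."""
    hits = []
    for entry in role.get("index_permissions", []):
        if not entry.get("dls"):
            continue
        if any(fnmatch.fnmatchcase(index_name, p) for p in entry["index_patterns"]):
            hits.append(json.loads(entry["dls"]))
    return hits


def build_agent_restricted_role(agent_names, alert_patterns=("wazuh-alerts-*",)):
    """Read-only role: DLS on the alert indices only, saved objects unfiltered.

    A `terms` query lets one role cover several agents; duplicates are removed.
    """
    if not agent_names:
        raise ValueError("at least one agent name is required")
    dls = {"terms": {"agent.name": sorted(set(agent_names))}}
    return {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [
            {
                # Filtered: the user only sees alerts from the listed agents.
                "index_patterns": list(alert_patterns),
                "dls": json.dumps(dls),
                "fls": [],
                "masked_fields": [],
                "allowed_actions": ["read"],
            },
            {
                # Unfiltered read of saved objects (index patterns, dashboards).
                # Assumption: this deployment's saved-objects index is .kibana*.
                "index_patterns": [".kibana*"],
                "fls": [],
                "masked_fields": [],
                "allowed_actions": ["read"],
            },
        ],
        "tenant_permissions": [
            {"tenant_patterns": ["global_tenant"], "allowed_actions": ["kibana_all_write"]}
        ],
    }


def backend_role_mapping(backend_roles):
    """Body for PUT _plugins/_security/api/rolesmapping/<role>: maps the LDAP
    group CNs the authz backend reports as backend roles onto the role."""
    return {"backend_roles": list(backend_roles), "hosts": [], "users": []}


if __name__ == "__main__":
    print("DLS hitting .kibana in posted role:", dls_entries_matching(POSTED_ROLE, ".kibana"))
    fixed = build_agent_restricted_role(["dev-deploy-rhel9.pixelpark.com"])
    print("DLS hitting .kibana in fixed role:", dls_entries_matching(fixed, ".kibana"))
    print(json.dumps(fixed, indent=2))
    print(json.dumps(backend_role_mapping(["sfp-developers"]), indent=2))
```

The same scoping applies when the DLS uses `${attr.ldap.uid}`: parameter substitution changes the value of the filter, not the set of indices it is attached to. Two caveats: DLS only restricts what the indexer returns (alerts, visualizations built on them), while the agent list in the Wazuh plugin is fetched from the Wazuh server API rather than from the alert indices, so restricting agents there is a separate, API-side control; and the `.kibana*` entry is read-only, matching the poster's observation that login worked with `read` on `*` once DLS was removed, so a pre-existing `wazuh-alerts-*` index pattern is assumed.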

Carlos Ezequiel Bordon

Jun 24, 2024, 5:50:09 AM
to Wazuh | Mailing List
Vasko, this guide https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html#use-case-give-a-user-permissions-to-read-and-manage-a-group-of-agents explains how to set up the configuration you are looking for; you may have to make some changes, but it should be enough.