Wazuh User segmentation


Amin

May 30, 2025, 8:38:34 AM
to Wazuh | Mailing List
Dear Community

I am currently trying to achieve the following:

An internal user who logs in is only allowed to see the data of a certain group. This means that they only have read rights. Everything else is taboo for this user. This also applies to O365 data. How can I achieve this and is it even possible? I have tried to do this according to the instructions but get the following when I log in (in private tenant mode):

How can I solve that? What do you recommend?

The best scenario would be that the user automatically logs into a tenant assigned to him (and cannot change it) and only sees the data that we allow (special groups, O365 etc) with read rights.

Thanks a lot!
2025-05-30_13h39_02.png

Javier Medeot

May 30, 2025, 10:33:10 AM
to Wazuh | Mailing List
Hi Amin.

Wazuh dashboard tenants restrict access to dashboards, visualizations, index patterns, and other objects while the Wazuh Role-based access control allows you to restrict access to the very resources.

For example you can create an internal user and grant them resource access to specific alerts based on the agent group of the agent that triggered it. If by "data of a certain group" you mean this, you can read a use case in the following link. If not, maybe you can expand on what kind of groups you mean here.

And similarly to "agent.labels.group": "Team_A" in that use case, you could use "data.integration": "office365" to grant access to specific O365 Wazuh alerts.

Let me know if this is what you need. Thanks.
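To make the two filters in this reply concrete, here is an added example (not from the thread and not Wazuh's own code) that builds the indexer role body in the shape the OpenSearch Security API accepts for `PUT _plugins/_security/api/roles/<name>`, with a document-level security (DLS) query combining `agent.labels.group` and `data.integration`, and then simulates which alerts a read-only user mapped to that role would see. The team name, tenant name, and the sample alerts are constructed; the field names are the ones the reply mentions.

```python
"""Constructed example: build a read-only Wazuh indexer role with a DLS query
and evaluate it against sample alerts to see what the user would be shown."""
import json


def build_team_readonly_role(team: str, integrations: list[str]) -> dict:
    """Role body for the OpenSearch Security API. A document is visible if the
    agent's group label matches `team` OR data.integration is one of `integrations`."""
    dls = {"bool": {"should": [
        {"match": {"agent.labels.group": team}},
        *[{"match": {"data.integration": i}} for i in integrations],
    ], "minimum_should_match": 1}}
    return {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [{
            "index_patterns": ["wazuh-alerts-*"],
            "dls": json.dumps(dls),          # the plugin stores DLS as a JSON string
            "allowed_actions": ["read"],     # read-only: no write/delete actions
        }],
        # tenant name is an assumption; kibana_all_read keeps the tenant read-only
        "tenant_permissions": [{"tenant_patterns": [f"{team}_tenant"],
                                "allowed_actions": ["kibana_all_read"]}],
    }


def _get(doc: dict, dotted: str):
    """Resolve a dotted field path such as agent.labels.group; None if absent."""
    for key in dotted.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc


def dls_allows(dls: dict, doc: dict) -> bool:
    """Minimal evaluator for the match / bool.should subset used above."""
    if "match" in dls:
        (field, value), = dls["match"].items()
        return _get(doc, field) == value
    if "bool" in dls:
        return any(dls_allows(clause, doc) for clause in dls["bool"]["should"])
    raise ValueError("unsupported DLS clause")


def visible_alerts(role: dict, alerts: list[dict]) -> list[str]:
    """IDs of the alerts the DLS query in `role` would let the user read."""
    dls = json.loads(role["index_permissions"][0]["dls"])
    return [a["id"] for a in alerts if dls_allows(dls, a)]


SAMPLE_ALERTS = [  # constructed documents, not real Wazuh output
    {"id": "a1", "agent": {"labels": {"group": "Team_A"}}, "rule": {"groups": ["sca"]}},
    {"id": "a2", "agent": {"labels": {"group": "Team_B"}}},
    {"id": "a3", "agent": {"labels": {"group": "Team_B"}}, "data": {"integration": "office365"}},
    {"id": "a4", "agent": {"labels": {"group": "Team_A"}}, "data": {"integration": "office365"}},
]
```

Running `visible_alerts(build_team_readonly_role("Team_A", ["office365"]), SAMPLE_ALERTS)` shows that Team_B's own alerts stay hidden while Team_B's O365 alerts become visible, which is the trade-off to decide on before granting the integration-wide filter.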

Amin

Jun 2, 2025, 5:35:27 AM
to Wazuh | Mailing List
Thanks a lot! 

I have made it so that a user only sees one group. Unfortunately, I cannot see all the data. This user should see all data with read rights. 

{A8B40B24-8EE3-4240-BAA4-7F35FFCED1D9}.png

I see SCA, for example. And if I click on “file integrity monitoring” at the top left, I can also see certain data but not on the dashboard of the endpoint.

{06BD88F7-12E5-4A3F-88E5-C77B718C46FA}.png
MITRE says that I have no permission to “mitre_read (*:*:*)”.

{BCCAB92C-EB13-4595-B48D-42F64C98022B}.png

And here are my policies for the user:

image.png

What am I missing or doing wrong here?

Thanks a lot!

Javier Medeot

Jun 2, 2025, 7:50:33 AM
to Wazuh | Mailing List
Hi Amin. Can you try attaching the images again?

The ones you included in your message don't display so I can't quite follow what you are explaining here. Please, also mention the version of Wazuh you're using. Thank you.

Amin

Jun 2, 2025, 8:45:35 AM
to Wazuh | Mailing List
Hi Javier. Thanks for your response! Sure, I added the pictures as attachments now. Should hopefully work.

And I'm using Wazuh 4.12 at the moment.
mitre_permissions.png
dashboard_view.png
endpoint_informations.png
created_policies.png

Javier Medeot

Jun 2, 2025, 11:35:47 AM
to Wazuh | Mailing List
Make sure the user is assigned the proper roles such as the cluster_readonly role and the one you created that includes the "team_readonly_..." custom policy from your image. Maybe you can share this custom role configuration and the role mapping to the user. Also, ensure run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the Wazuh dashboard service and clear your browser cache and cookies. "You have no mitre:read permission" seems to be pointing at a misconfiguration in policy assignment to a role and role assignment to the user.

Amin

Jun 6, 2025, 5:48:36 AM
to Wazuh | Mailing List
Hi Javier

Thanks a lot for your message! I have attached the following information here.

run_as is set to true in the wazuh.yml file. I also restarted the Wazuh dashboard service.

Thanks a lot for your time! I really appreciate it :)

indexer_security_roles.png
policies_settings.png
Role_Policy.png

Javier Medeot

Jun 6, 2025, 10:49:43 AM
to Wazuh | Mailing List
Hi Amin.

I suggest going over all the steps in the guide to find missing permissions you might have overlooked. For example, I don't see the * Index permissions in your team_readonly_### indexer role from your screenshots. Also, I don't see a screenshot for Server management > Security > Roles mapping. This role mapping should include both your team_readonly_#### role and the default cluster_readonly role, which has the default cluster_read policy assigned to it.

I think once you ensure all the suggested permissions in the guide are set, then we can move forward to find what could be misconfigured here. Since it seems the impact is wide, such as affecting MITRE, Vulnerabilities and others, this looks more likely to be a general configuration issue and not some particular setting for MITRE, etc. It's easier to start from a working base and then tune it to enable and disable functionalities. Let me know what you find. Thank you.

Amin

Aug 14, 2025, 8:02:01 AM
to Wazuh | Mailing List
Hi Javier

Thanks a lot for your answer. I will try it out and test it :).

Best,
Amin