Read-Only rights for Vulnerability Dashboard Only


Miran Ul Haq

May 13, 2026, 10:56:39 AM
to Wazuh | Mailing List
Hi Community,

I am trying to create a user with Read-Only rights on the Vulnerability Detection dashboard only.
I created a custom role for this purpose and set index permission only to wazuh-states-vulnerabilities-* (picture attached), but the dashboard is giving a permissions error (picture attached).
Now, when I set index permission to everything works fine. However, the issue is the alerts and inventory indexes are also showing with these permissions.

I am stuck, not sure how to make only vulnerabilities index visible and hide rest of them.

Will appreciate any help.

Thanks.
Vulnerabilities Role.png
Permission Error.png

juan.c...@wazuh.com

May 13, 2026, 2:19:17 PM
to Wazuh | Mailing List

Hi Miran Ul Haq,
Unfortunately, the Wazuh dashboard depends on access to some of the other indexes to work. Restricting access to only wazuh-states-vulnerabilities-* will break it. Here's a Reddit post that matches your issue and explains why this is the case in further detail: https://www.reddit.com/r/Wazuh/comments/1jk7rf5/wazuh_rbac_autorisation_to_see_only_the/

I will consult with the dashboard team to see if what you're trying to accomplish is possible and get back to you.
 

Miran Ul Haq

May 14, 2026, 1:56:37 AM
to Wazuh | Mailing List
Hi Juan,

Thanks for the reply.
I will check the Reddit link, and would appreciate any feedback you can share with the dashboard team.

Best Regards,
Miran

juan.c...@wazuh.com

May 14, 2026, 8:57:25 AM
to Wazuh | Mailing List
Hi Miran,
I've checked with the team and, although these kinds of permission restrictions might be highly experimental and could produce problems in other views, it's doable and they've managed to reproduce it. Here are the steps they used:
(On Wazuh 4.14.4)
```
To see the Vulnerability Detection Dashboard (and Inventory), the role should be configured with something like this:

Cluster permissions: cluster_composite_ops_ro

Index permissions:

* index: wazuh-states-vulnerabilities* index permissions: read
This provides permissions to read the documents of the wazuh-states-vulnerabilities indices that contain the data displayed in the dashboard and inventory

* index: .kibana* index permissions: read
This provides permissions to read the documents of all the saved objects in all the tenants. If using multitenancy, you may want to restrict this to the related index. These indices can rotate, so it can be hard to define the concrete tenant index, or it could be migrated/rotated in the future, breaking the permissions configuration. You could define a concrete index where you know the saved objects of the tenant accessed by the user are located. This is required to avoid errors related to getting the index patterns.

Tenant permissions:

* tenant: global_tenant permission: Read only


Considerations:

* The Vulnerability Detection Dashboard (and Inventory) views check for and, if possible, create the index pattern wazuh-states-vulnerabilities*. If the user is configured to only read the saved object indices (.kibanaX), the tenant permission is Read only, and the index pattern has not been created, this could throw an error when trying to create the index pattern with the read-only user. To remediate this, access the Vulnerability Detection Dashboard view with an administrator user (with permissions to write the index pattern) using the same tenant (if multitenancy is configured) that the read-only user will access.
```
Attaching evidence of the vulnerability detection view. (image.png)

Keep in mind this configuration is only about indexer permissions. Regarding the Wazuh server API, you might be interested in giving the user some minimal permissions for reading agent information so that he can use the `Explore Agent` button and perform filtering (although he can also use the Add Filter button on the dashboard and use `agent.id` or `agent.name`).
image.png
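
The role described in the message above, written as a `roles.yml` entry for the OpenSearch Security plugin used by the Wazuh indexer. This is an added example, not part of the original thread or the Wazuh team's own configuration; the role name `vuln_dashboard_ro` is hypothetical, and `kibana_all_read` is assumed here as the action group behind the "Read only" tenant permission shown in the UI.

```yaml
# Added example: fragment to merge into an existing roles.yml.
# Role name is hypothetical; patterns and action groups follow the steps above.
vuln_dashboard_ro:
  reserved: false
  cluster_permissions:
    # Read-only composite operations (multi-search, multi-get, etc.)
    - "cluster_composite_ops_ro"
  index_permissions:
    # Data shown in the Vulnerability Detection dashboard and inventory
    - index_patterns:
        - "wazuh-states-vulnerabilities*"
      allowed_actions:
        - "read"
    # Saved objects (index patterns) for all tenants; narrow this to a
    # concrete tenant index if multitenancy is in use and the index is known
    - index_patterns:
        - ".kibana*"
      allowed_actions:
        - "read"
  tenant_permissions:
    # "Read only" on the global tenant
    - tenant_patterns:
        - "global_tenant"
      allowed_actions:
        - "kibana_all_read"
```

Because the role cannot write saved objects, the `wazuh-states-vulnerabilities*` index pattern must already exist in the tenant before the read-only user opens the view, as noted in the considerations above.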

Miran Ul Haq

May 15, 2026, 8:43:24 AM
to Wazuh | Mailing List
Hi Juan,

Really appreciate your help.
This worked and gave the desired output.

Best Regards,
Miran
