Multi-tenancy
92 views
Skip to first unread message
Joaquim António
May 8, 2025, 12:42:21 PMMay 8
to Wazuh | Mailing List
Hello,
If we have multiple clients, and want to give access to each client to access the dashboard and only have their data visible, is that possible to achieve? If not on an on-prem deployment, is that feature available on Wazuh Cloud?
Thank you in advance!
Best regards,
Joaquim Antonio
Federico Gustavo Galland
May 8, 2025, 2:58:52 PMMay 8
to Wazuh | Mailing List
Hi Joaquim,
If your clients have compliance requirements on the stricter side, you can use the architecture described in the following guide:
This is actually very similar to what we offer as multi-tenancy with our Wazuh Cloud service.
If you don't care too much that multiple clients share the same Wazuh Indexer cluster (their data lives together in the same hard drives) or if you are managing a smaller number of endpoints per client, you may also want to consider setting up an agent group per client:
You can then assign labels to each of these groups:
The agent group labels will now be part of every indexed alert, which you can use to split up agent data per client, and give users access only to their own agents:
It may be worth for you to set up a small PoC setup to try these out before committing to use them in your production environment.
Let me know if this answers your question.
henry
May 12, 2025, 1:10:36 AMMay 12
to Wazuh | Mailing List
Hi guys
I hope you don't mind if I jump in here.
Is it possible to make this work with SSO for authentication? And if so, how do we set the roles up on a per-tenant basis; that is tenant A can only see tenant A, etc?
I hope you don't mind if I jump in here.
Is it possible to make this work with SSO for authentication? And if so, how do we set the roles up on a per-tenant basis; that is tenant A can only see tenant A, etc?
Federico Gustavo Galland
May 13, 2025, 8:06:49 AMMay 13
to Wazuh | Mailing List
Henry,
You should be able to do that by following the documentation here:
Regards,
Fede
Federico Gustavo Galland
May 16, 2025, 8:10:03 AMMay 16
to Wazuh | Mailing List
Henry,
I'm not sure I follow 100%. You
want to define KeyCloack roles that restrict access to certain Wazuh
Agent groups in a multi-tenant setup?
On a general note, that should be possible by mixing and matching advice on this guide:
with the SSO and multitenant articles shared before.
In the end, the SAML role needs to map to a Wazuh Indexer role, which will then handle the privileges view.
Normally
this isn't all that necessary with a multitenant setup, since you can
just allow users of a site to access their own dashboard (connected to
their own indexer cluster).
Anyway, I suggest
you open up a new community question for this and try to give as much
detail as possible on your setup and your intended use-case.
Regards,
Fede
Federico Gustavo Galland
May 19, 2025, 7:52:04 AMMay 19
to Wazuh | Mailing List
> Cheers Fede
>
> Let me go and figure out exactly what I need to ask then I’ll go and open a new community question.
Sure, have a good rest of the week.
Elvys Marchon
Sep 29, 2025, 10:07:55 AM (18 hours ago) Sep 29
to Wazuh | Mailing List
Hello Guys,
I'm following up on the multi-tenancy discussion here. I've set up a Wazuh cluster (v4.13.0) with the goal of segregating data visibility for different clients. My test environment involves:
client_a: Apache server agent
client_b: Nginx server agent
I've followed the documentation links you previously shared for multi-tenancy:
https://documentation.wazuh.com/current/user-manual/agent/agent-management/grouping-agents.html
https://documentation.wazuh.com/current/user-manual/agent/agent-management/labels.html
https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html#use-case-give-a-user-permissions-to-read-and-manage-a-group-of-agents
After applying these configurations, I'm encountering a partial success and need some clarification.
Problem: When client_a logs into the Wazuh dashboard:
In the "Discover" section, client_a cannot see logs from agents belonging to client_b, which is the desired behavior.
However, in the "Overview" section (and potentially "Vulnerabilities"), client_a still sees all agents and their vulnerabilities, including those belonging to client_b.
It appears that the RBAC and agent grouping/labeling are working for log discovery but not for the global agent/vulnerability overview.
Am I missing any additional configuration steps or specific permissions to fully restrict agent visibility in the "Overview" and "Vulnerabilities" sections based on agent groups or labels?
Any insights would be greatly appreciated.
I'm following up on the multi-tenancy discussion here. I've set up a Wazuh cluster (v4.13.0) with the goal of segregating data visibility for different clients. My test environment involves:
client_a: Apache server agent
client_b: Nginx server agent
I've followed the documentation links you previously shared for multi-tenancy:
https://documentation.wazuh.com/current/user-manual/agent/agent-management/grouping-agents.html
https://documentation.wazuh.com/current/user-manual/agent/agent-management/labels.html
https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html#use-case-give-a-user-permissions-to-read-and-manage-a-group-of-agents
After applying these configurations, I'm encountering a partial success and need some clarification.
Problem: When client_a logs into the Wazuh dashboard:
In the "Discover" section, client_a cannot see logs from agents belonging to client_b, which is the desired behavior.
However, in the "Overview" section (and potentially "Vulnerabilities"), client_a still sees all agents and their vulnerabilities, including those belonging to client_b.
It appears that the RBAC and agent grouping/labeling are working for log discovery but not for the global agent/vulnerability overview.
Am I missing any additional configuration steps or specific permissions to fully restrict agent visibility in the "Overview" and "Vulnerabilities" sections based on agent groups or labels?
Any insights would be greatly appreciated.
Reply all
Reply to author
Forward
0 new messages