Adding a user with limited rights
Bony V John
Bony V John
Yes, it is possible to create a Wazuh Dashboard user with read-only access to alerts generated by a specific agent (for example, agent ID 008).
To achieve this, you need to first create an agent group on the Wazuh Manager and add this agent to that group.
You can refer to the Wazuh documentation for step-by-step guidance on creating agent groups and adding agents to them.
Note: Perform the following steps using the default Wazuh Dashboard admin user.
After adding the agent to the group, add the following configuration to the agent.conf file of that group to include a label field on the agent.
You can refer to the Wazuh agent labeling documentation for more details.
On the Wazuh Dashboard:
Menu (☰) > Agent management > Groups
Select the agent group you created, click the pencil icon next to its name, and add the following configuration inside the <agent_config> tag:
<label key="group">Team_A</label>
</labels>
On the Wazuh Dashboard:
Menu (☰) > Indexer Management > Security > Internal Users > Create Internal User
Add the username and password for the user, then click Create.
In the Indexer Management > Security > Roles > Create Role, configure the following:
-
Role name: (choose a descriptive name)
-
Cluster permissions: cluster_composite_ops_ro
-
Index: *
-
Index permissions: read
Now, click Add another index permission and complete the fields with:
-
Index: wazuh-alerts*
-
Index permissions: read
-
Document-level security:
"bool": {
"must": {
"match": {
"agent.labels.group": "Team_A"
}
}
}
}
Then, add another index permission:
-
Index: wazuh-monitoring*
-
Index permissions: read
-
Document-level security:
"bool": {
"must": {
"match": {
"group": "Team_A"
}
}
}
}
Currently, it’s not possible to restrict the Vulnerability and IT Hygiene dashboards by agent label directly.
However, you can restrict access by agent name using document-level security.
Note: If the agent name changes, you must update it in the configuration.
Add another index permission:
-
Index: wazuh-states-vulnerabilities-* and wazuh-states-inventory-*
-
Index permissions: read
-
Document-level security:
"bool": {
"should": [
{ "term": { "agent.name": "agentname008" } }
],
"minimum_should_match": 1
}
}
Replace agentname008 with your actual agent name.
Under Tenant permissions, select global_tenant with Read-only access, then click Create Role.
Finally, map the created user to this role:
In the created role, go to Mapped Users > Manage Mapping > Users, select the user, and click Save.
Refer to the Mapping with Wazuh section of the Wazuh RBAC documentation for guidance on creating a role and providing read-only access to that agent in the Wazuh Manager API.
WiFi
It is really possible to limit events by one agent.
But the user has the rights to create groups, view the name of other agents, change correlation and normalization rules.
How to prohibit everything to the user in general, except for viewing events by his agent?
Bony V John
Apologies for the late response. By following the Mapping with Wazuh section in the Wazuh documentation, you should only have read-only access to that agent and not be able to view rules or other configuration files.
The issue might be related to the run_as parameter still being set to false. You should modify the following file on your Wazuh Dashboard host:
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
In that file, change the run_as value from false to true to make the mapping effective with the Wazuh Manager. You can refer to the relevant section in the Wazuh documentation for more details about this configuration.