Wazuh Add users with group permissions
Add group
Run the following commands on the Wazuh server to create the agent groups joss_wintel and
joss_linux:
/var/ossec/bin/agent_groups -a -g joss_wintel -q
/var/ossec/bin/agent_groups -a -g joss_linux -q
You have now added a group label that allows us to identify all the Wazuh alerts coming from this
group of agents. Note that only new alerts will include this group label.
Creating and mapping an internal user
Follow these steps to create an internal user, create a custom role and map it to the new user.
1. Click the upper-left menu icon ☰ to open the available options, select Security, and then
Internal users to open the internal users' page.
2. Click Create internal user, provide a username and password, and click Create to complete the
action.
3. To create a custom role and map the user to it, follow these steps:
a. Go to Security, select Roles to open the page.
b. Click Create role, complete the empty fields with the following parameters:
Name: Assign a name to the role.
Cluster permissions: cluster_composite_ops_ro
Index: *
Index permissions: read
c. Click Add another index permission and unfold the new section Add index permission.
Complete the empty fields with the following parameters and make sure to replace your
group name accordingly:
Index: wazuh-alerts*
Index permissions: read
Document level security:
{
  "bool": {
    "must": {
      "match": {
        "agent.labels.group": "joss_wintel"
      }
    }
  }
}
d. Click Add another index permission and unfold the new section Add index permission.
Complete the empty fields with the following parameters and make sure to replace your
group name accordingly:
Index: wazuh-monitoring*
Index permissions: read
Document level security:
{
  "bool": {
    "must": {
      "match": {
        "group": "joss_wintel"
      }
    }
  }
}
e. Under Tenant permissions, select Tenant: global_tenant and the Read only option.
f. Click Create to complete the task.
g. Select the Mapped users tab and click Manage mapping.
h. Add the user you created in the previous steps and click Map to confirm the action.
You have now created an internal user and assigned it reading permissions over the Wazuh alerts
and Wazuh monitoring documents from the authorized agents group.
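The role from steps b to e expressed as data, as an added example that is not part of the original page: it builds the role body with both document level security filters and applies the wazuh-alerts filter to constructed sample alerts. Assumptions: the key names and the kibana_all_read action follow the OpenSearch Security roles API, the match clause is evaluated as exact equality, and GROUP_RE, ALERTS and the function names are hypothetical.

```python
import json
import re

GROUP_RE = re.compile(r"^[A-Za-z0-9_.-]+$")  # assumed naming policy, adapt as needed

def dls_for(field, group):
    """The page's DLS query for one field, serialized to the string form a role stores."""
    if not GROUP_RE.match(group):
        raise ValueError(f"unexpected group name: {group!r}")
    return json.dumps({"bool": {"must": {"match": {field: group}}}})

def build_role(group):
    """Role body mirroring steps b to e; key names follow the OpenSearch Security roles API."""
    return {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [
            {"index_patterns": ["*"], "allowed_actions": ["read"]},
            {"index_patterns": ["wazuh-alerts*"], "allowed_actions": ["read"],
             "dls": dls_for("agent.labels.group", group)},
            {"index_patterns": ["wazuh-monitoring*"], "allowed_actions": ["read"],
             "dls": dls_for("group", group)},
        ],
        "tenant_permissions": [
            {"tenant_patterns": ["global_tenant"], "allowed_actions": ["kibana_all_read"]}],
    }

def field_value(doc, dotted):
    """Walk a dotted field name such as agent.labels.group through nested dicts."""
    for key in dotted.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def visible(doc, dls):
    """Simplified DLS check: the single match clause is treated as exact equality."""
    ((field, wanted),) = json.loads(dls)["bool"]["must"]["match"].items()
    return field_value(doc, field) == wanted

# Constructed sample alerts; the last one was indexed before the label existed.
ALERTS = [
    {"agent": {"name": "win-01", "labels": {"group": "joss_wintel"}}},
    {"agent": {"name": "lnx-01", "labels": {"group": "joss_linux"}}},
    {"agent": {"name": "old-01"}},
]

def visible_agents(group):
    """Agent names from ALERTS that a user holding the role for `group` could read."""
    dls = build_role(group)["index_permissions"][1]["dls"]
    return [a["agent"]["name"] for a in ALERTS if visible(a, dls)]
```

Calling visible_agents("joss_wintel") returns only win-01: the joss_linux alert is filtered out, and the unlabelled old-01 alert stays hidden as well, which is the effect of only new alerts carrying the group label.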
1. Click the upper-left menu icon ☰ to open the available options and click Wazuh.
2. Click Wazuh to open the Wazuh dashboard menu, select Security, and then Policies to open
the policies page.
3. Click Create policy and complete the empty fields with the requested information.
5. Click Roles to open the tab, click Create Role, and fill in the empty fields with the requested
information.
Role name: Assign a name to the new role.
Policies: Select the policy created previously.
6. Click Create role to confirm the action.
7. Click Create Role mapping and complete the empty fields with the requested information.
Role mapping name: Assign a name to the role mapping.
Roles: Select the role created previously, for example joss_wintel, and the
cluster_readonly role. The latter assigns the user basic configuration reading
permissions.
Internal users: Select the internal user created previously.
8. Click Save role mapping to finish the action.
For the role mapping to take effect, make sure that run_as is set to true in the
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the Wazuh
dashboard service and clear your browser cache and cookies.
You have now created a new internal user and mapped it to manage a Wazuh agents' group.
Authenticate with the new user and open the Wazuh dashboard to confirm that only joss_wintel
agents' alerts and information are displayed.