# Managing Users and Roles in Wazuh (v4.14+)

Wazuh operates on a **two-layered security model**. Because it is built on top of OpenSearch, user management is split into two parts:

1. **OpenSearch (Indexer):** Controls access to the underlying database and system settings.
2. **Wazuh App:** Controls access to security agents, rules, and dashboards.

To give a user full administrative privileges, you must grant them permissions in *both* layers. This guide outlines how to properly create an admin, how to assign restricted roles, and what those roles mean.

---

## Part 1: How to Create a Super Admin User

Creating a Super Admin requires setting up the user in the Indexer, assigning them a specific "Backend role" to bypass system locks, and then mapping them to the Wazuh App.

### Step 1: Create the User & Assign the Backend Role (Database Layer)

The **all\_access** system role is locked by default. To make someone an admin, you must assign them the **admin** Backend Role, which automatically inherits full system access.

1. Click the **Global Menu (≡)** in the top left corner.
2. Navigate to **Indexer management** -> **Security**.
3. Click on **Internal users**, then click the blue **Create internal user** button.
4. Enter a descriptive **Username** and a secure **Password**.
5. Scroll down to the **Backend roles** section. Type **`admin`** into the box and click **Add another backend role** (or press Enter).
6. Click the blue **Create** (or Save) button at the bottom right.

### Step 2: Map the User to the Wazuh App (Application Layer)

Now that the user has database access, you must grant them control over the Wazuh security features.

1. Click the **W. logo** in the top left to return to the Wazuh App.
2. Navigate to **Server management** -> **Security**.
3. Click the **Roles mapping** tab at the top of the screen.
4. Click the blue **Create Role mapping** button.
5. **Role mapping name:** Give it a recognizable name (e.g., *username\_admin\_access*).
6. **Roles:** Check the box for **`administrator`**.
7. Scroll down to the **Mapping rules** section. Under **Map internal users**, click the dropdown and select the user you created in Step 1.
8. *Crucial:* If there is a default "Custom rule" (e.g., one that looks for the word "wazuh"), click the **red trash can icon** to delete it.
9. Click **Save role mapping**.

The user is now a full Super Admin and can log in with total system control.

---

## Part 2: How to Assign Standard Roles (e.g., Read-Only)

If you want to create a restricted user (like a junior analyst who can only view alerts but cannot change settings), the process is nearly identical, but you skip the `admin` backend role.

1. **Create the User:** Go to *Indexer management -> Security -> Internal users* and create the user. **Do not** add anything to the "Backend roles" section. Just save the username and password.
2. **Map the Role:** Go to *Server management -> Security -> Roles mapping* and click **Create Role mapping**.
3. **Select the Restricted Role:** In the Roles dropdown, select a restricted role like **`readonly`** instead of administrator.
4. **Map the User:** Select your new user from the "Map internal users" dropdown, delete any default custom rules, and save.

---

## Understanding Built-In Roles

Wazuh comes with several pre-configured roles that dictate what a user can see and do within the application.

- **administrator:** Full control. The user can deploy agents, edit configuration files, create custom security rules, and manage other users.
- **readonly:** View-only access. The user can look at security events, read dashboard metrics, and check agent status, but cannot modify rules or system settings.
- **agents\_admin:** Agent management only. The user can deploy, group, and manage endpoints, but cannot change core server configurations or indexer settings.
- **agents\_readonly:** Granular view access. The user can only view data and alerts coming from the agents, without access to administrative menus.

> **Note:** Always ensure that users requiring global server configuration access are granted the `admin` Backend Role in the Indexer management menu, as Wazuh App roles alone cannot override database-level restrictions.