Cannot access to Users administration with other role than administrator #5235

Closed
Tostti opened this issue Mar 2, 2023 · 1 comment · Fixed by #5551, #5619 or #5618
Assignees
Labels
level/task Task issue type/bug Bug issue

Comments

@Tostti
Member

Tostti commented Mar 2, 2023

| Wazuh | Elastic | Rev | Security |
|---|---|---|---|
| 4.x | 7.x | 4xxx | Basic, ODFE, Xpack |

| Browser |
|---|
| Chrome, Firefox, Safari, etc |

Description
By default, Wazuh contains a role called users_admin, which should be able to edit the configuration of Wazuh internal users. However, from the frontend it is not possible to access that menu without having the administrator role.

(screenshot)

The API allows editing users with only that role, which can be verified by making the request manually. I created a test user with only that role:

```
root@tostti:/home/tostti# TOKEN=$(curl -u test:Test1234! -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   400  100   400    0     0   1225      0 --:--:-- --:--:-- --:--:--  1226
root@tostti:/home/tostti# echo $TOKEN
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjc3Nzc4OTE2LCJleHAiOjE2Nzc3Nzk4MTYsInN1YiI6ImxhbGFsYSIsInJ1bl9hcyI6ZmFsc2UsInJiYWNfcm9sZXMiOlszXSwicmJhY19tb2RlIjoid2hpdGUifQ.AauiYwCf-y2uxbw1nxxK9nXHUH4E_jbBcT1YndltQyZbZNqlp01ocggEVkXwwI5suQGn6au9I9sxE7qBgeMFYWr5AbTIbNT8kA1bLoS307x6xpoMfjGUi5XcOTagIEXtYqTYMRPomSAc6m6vjmZcZb9p2rshiQ6h4yPrTpX0QyN-nmru
root@tostti:/home/tostti# curl -k -X POST "https://localhost:55000/security/users" -H  "Authorization: Bearer $TOKEN" -H  "Content-Type: application/json" -d "{\"password\": \"Test1234!\",\"username\": \"test2\"}"
{"data": {"affected_items": [{"id": 102, "username": "lsalasdla", "allow_run_as": false, "roles": []}], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "User was successfully created", "error": 0}root@tostti:/home/tostti#
```

Steps to reproduce

  1. Create a user only with users_admin role
  2. Navigate to Wazuh/Security/Users

Expected Result
The Users screen should be shown

Actual Result
An error message is shown

Screenshots
Expected result: (screenshot)

Actual result: (screenshot)

Additional information
The issue was discovered on the Users configuration, but it is possible that a similar situation occurs for different roles.

@Tostti Tostti added the type/bug Bug issue label Mar 2, 2023
@gdiazlo gdiazlo added the level/task Task issue label May 9, 2023
@Desvelao Desvelao self-assigned this Jun 9, 2023
@Desvelao
Member

Desvelao commented Jun 12, 2023

Research

The Security section in the plugin is restricted to the users with the administrator role. This was a soft implementation of RBAC.

We will replace this approach with another one more specific to the actions.

Tab analysis

| Tab | Description | API request | Permissions |
|---|---|---|---|
| Users | Display table | `GET /security/users?sort=username` | `security:read (user:id:*)` |
| Users | Display table | `GET /security/roles?sort=name` | `security:read (role:id:*)` |
| Users | Remove user from table | `DELETE /security/users?user_ids={user_id}` | `security:delete (user:id:user_id)` |
| Users | Create user button | `POST /security/users` | `security:create_user (*:*:*)` |
| Users | Create user flyout apply button | `POST /security/users` | `security:create_user (*:*:*)` |
| Users | Create user flyout apply button | `PUT /security/users/${userId}/run_as?allow_run_as=${allowRunAs}` | `security:edit_run_as (*:*:*)` |
| Users | Edit user flyout apply button | `POST /security/users` | `security:create_user (*:*:*)` |
| Users | Edit user flyout apply button | `PUT /security/users/${userId}/run_as?allow_run_as=${allowRunAs}` | `security:edit_run_as (*:*:*)` |
| Roles | Display table | `GET /security/roles` | `security:read (role:id:*)` |
| Roles | Display table | `GET /security/policies` | `security:read (policy:id:*)` |
| Roles | Remove role from table | `DELETE /security/roles?roles_ids={role_id}` | `security:delete (role:id:role_id)` |
| Roles | Create role button | `POST /security/roles` | `security:create (*:*:*)` |
| Roles | Create role flyout Create role button | `POST /security/roles` | `security:create (*:*:*)` |
| Roles | Create role flyout Create role button | `POST /security/roles/${roleId}/policies?policy_ids={policy_ids}` | `security:update (*:*:*)` |
| Roles | Edit role flyout Add policy button | `POST /security/roles/${roleId}/policies?policy_ids={policy_ids}` | `security:update (role:id:*)` |
| Roles | Edit role flyout table remove policy | `POST /security/roles/${roleId}/policies?policy_ids={policy_ids}` | `security:delete (role:id:*)` |
| Policies | Display table | `GET /security/policies` | `security:read (policy:id:*)` |
| Policies | Remove policy from table | `DELETE /security/policies?policy_ids={policy_ids}` | `security:delete (policy:id:policy_id)` |
| Policies | Create policy button | `POST /security/policies` | `security:create (*:*:*)` |
| Policies | Create policy flyout Create policy button | `POST /security/policies` | `security:create (*:*:*)` |
| Policies | Edit policy flyout Apply button | `PUT /security/policies/{policy_id}` | `security:update (policy:id:*)` |
| Roles mapping | Display table | `GET /security/roles?sort=name` | `security:read (role:id:*)` |
| Roles mapping | Display table | `GET /security/rules?sort=name` | `security:read (rule:id:*)` |
| Roles mapping | Remove policy from table | `DELETE /security/rules?rule_ids={rule_id}` | `security:delete (rule:id:{rule_id})` |
| Roles mapping | Create role mapping button | - | `security:create (*:*:*)` |
| Roles mapping | Create role mapping flyout Save role mapping button | `POST /security/rules` | `security:create (*:*:*)` |
| Roles mapping | Create role mapping flyout Save role mapping button | `POST /security/rules` | `security:create (*:*:*)` |
| Roles mapping | Edit role mapping flyout Save role mapping button | `PUT /security/rules/{rule_id}` | `security:update (rule:id:{rule_id})` |
| Roles mapping | Edit role mapping flyout Save role mapping button | `POST /security/roles/${roleId}/rules?rule_ids={rule_id}` | `security:update (role:id::*)` |
| Roles mapping | Edit role mapping flyout Save role mapping button | `DELETE /security/roles/${roleId}/rules?rule_ids={rule_id}` | `security:delete (role:id::*)` |

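As an added illustration of the action-specific check proposed in the comment above (example code, not the plugin's own), the following maps each tab's "Display table" requirements from the tab analysis to tab visibility and evaluates them against a user's RBAC policies. The policy shape `{ actions, resources, effect }`, the `*:*` action wildcard and deny-over-allow precedence are assumptions about the Wazuh API, and both sample policy sets are constructed.

```javascript
// Added example, not the Wazuh plugin's code: gate each Security tab on the
// (action, resource) pairs its "Display table" requests need, evaluated against
// the policies attached to the user's roles instead of an administrator check.

// Read requirements per tab, taken from the tab analysis table.
const TAB_REQUIREMENTS = {
  users: [['security:read', 'user:id:*'], ['security:read', 'role:id:*']],
  roles: [['security:read', 'role:id:*'], ['security:read', 'policy:id:*']],
  policies: [['security:read', 'policy:id:*']],
  rolesMapping: [['security:read', 'role:id:*'], ['security:read', 'rule:id:*']],
};

// Colon-separated wildcard match used for both actions ("*:*") and resources
// ("*:*:*", "user:id:*"): every part must be equal or "*" in the policy.
function wildcardMatch(pattern, value) {
  const p = pattern.split(':');
  const v = value.split(':');
  return p.length === v.length && p.every((part, i) => part === '*' || part === v[i]);
}

// A pair is allowed when some policy grants it and no policy denies it
// (assumption: deny takes precedence, as in the API's white-list rbac_mode).
function isAllowed(policies, action, resource) {
  let allowed = false;
  for (const policy of policies) {
    const hit =
      policy.actions.some((a) => wildcardMatch(a, action)) &&
      policy.resources.some((r) => wildcardMatch(r, resource));
    if (!hit) continue;
    if (policy.effect === 'deny') return false;
    allowed = true;
  }
  return allowed;
}

// Tabs whose every requirement is satisfied, in table order.
function visibleTabs(policies) {
  return Object.keys(TAB_REQUIREMENTS).filter((tab) =>
    TAB_REQUIREMENTS[tab].every(([action, resource]) => isAllowed(policies, action, resource)),
  );
}

// Constructed sample policies (not real Wazuh defaults): a user limited to
// reading users/roles and creating users, and a full administrator.
const USERS_ADMIN_POLICIES = [
  { actions: ['security:read'], resources: ['user:id:*', 'role:id:*'], effect: 'allow' },
  { actions: ['security:create_user'], resources: ['*:*:*'], effect: 'allow' },
];
const ADMIN_POLICIES = [{ actions: ['*:*'], resources: ['*:*:*'], effect: 'allow' }];
```

`visibleTabs(USERS_ADMIN_POLICIES)` returns only `['users']`, while the administrator set yields all four tabs; a deny policy on `role:id:*` hides the Users tab again even though an allow policy also matches.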
@Desvelao Desvelao linked a pull request Jun 13, 2023 that will close this issue
@wazuhci wazuhci moved this to Pending review in Release 4.6.0 Jun 23, 2023
@wazuhci wazuhci moved this from Pending review to In final review in Release 4.6.0 Jun 28, 2023
@wazuhci wazuhci moved this from In final review to Done in Release 4.6.0 Jul 5, 2023