We are here and ready to help.
Email: servicedesk@socfortress.co

Creating User Accounts and Managing RBAC Across the SOCFortress Stack

This article explains how to create user accounts and manage role-based access control (RBAC) across the core tools in your SOCFortress stack: Graylog, Grafana, Wazuh, CoPilot, Shuffle, and Velociraptor. Each platform handles users and permissions slightly differently, but the overall goal is the same: give each person the access they need—nothing more, nothing less.

Important: CoPilot and Velociraptor are typically exposed using your own internal/custom domain (for example: copilot.<your-domain>, velociraptor-ui.<your-domain>). Make sure the URLs below are updated to match your organization’s internal DNS naming.

High-Level Approach

  1. Decide which tools each user needs access to (Graylog, Grafana, Wazuh, CoPilot, Shuffle, Velociraptor).
  2. Create a user account in each relevant tool.
  3. Assign roles or permissions that match their job function (e.g., viewer, analyst, engineer, admin).
  4. Where available, use existing identity providers (SSO/Entra ID/ADFS) to centralize authentication.

Tool-Specific User Management Links

Use the links below as your primary references for creating users and assigning roles in each platform. Replace domain placeholders (like <your-domain>) with your actual internal domain.

  • Graylog
    • Purpose: Log management, search, and alerting.
    • User / RBAC documentation / URL: Graylog – Manage Users & Roles
    • Notes: Create users and roles directly in Graylog. Map roles to streams and dashboards to limit what each user can see.
  • Grafana
    • Purpose: Dashboards and visualizations.
    • User / RBAC documentation / URL: Grafana – Create Users and Teams
    • Notes: Use Grafana organizations, teams, and folder permissions to control access to dashboards.
  • Wazuh UI
    • Purpose: Endpoint security, alerts, and compliance (SCA, vulnerabilities, etc.).
    • User / RBAC documentation / URL: Wazuh – RBAC & User Administration
    • Notes: Wazuh RBAC is role-based and can be bound to indices, dashboards, and modules. Create roles first, then assign them to users.
  • CoPilot
    • Purpose: SOCFortress case management / AI analyst / SOC portal.
    • User / RBAC documentation / URL: Example URL: https://copilot.<your-domain>/user
    • Notes: CoPilot uses your custom domain. Update the URL to match your environment, e.g. https://copilot.soc.yourcompany.local/user. From the user page, create accounts and assign appropriate roles (Analyst, Manager, Admin).
  • Shuffle
    • Purpose: SOAR platform for workflows and automations.
    • User / RBAC documentation / URL: Shuffle – User Management
    • Notes: Add users to your organization and control who can edit workflows, manage apps, or just view automation results.
  • Velociraptor
    • Purpose: DFIR and endpoint forensics & hunting.
    • User / RBAC documentation / URL: Example URL: https://velociraptor-ui.<your-domain>/app/index.html#/users
    • Notes: Velociraptor also uses a custom internal domain. Replace <your-domain> with your own (for example: velociraptor-ui.soc.yourcompany.local). Use the Users page to create accounts and assign access (e.g., read-only vs. investigator).

Recommended RBAC Pattern

To keep things consistent across the stack, we recommend using a common set of roles and mirroring them in each tool as closely as possible.

  • Viewer / Read-only: Can view dashboards, alerts, and cases but cannot modify configurations.
  • Analyst: Can acknowledge alerts, update cases, run queries, and use automations, but cannot change core system settings.
  • Engineer / Power User: Can configure alerts, pipelines, dashboards, and workflows.
  • Administrator: Full control over users, roles, integrations, and system configuration.

Example Workflow for Onboarding a New Analyst

  1. Create a user in Wazuh with an Analyst-like role (access to alerts, SCA, vulnerabilities, but no system-level admin privileges).
  2. Create a user in Graylog and assign a role that grants access to the relevant streams and dashboards only.
  3. Add the user to Grafana and place them into the appropriate team with access to SOC dashboards.
  4. Create a CoPilot user account at your CoPilot URL (e.g., https://copilot.soc.yourcompany.local/user) and assign the Analyst role.
  5. Add the user to Shuffle so they can view or trigger existing workflows (edit permissions only if necessary).
  6. If the analyst will perform DFIR work, create an account in Velociraptor with investigator-level permissions.
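Once accounts exist in several tools, the recommended role pattern and the onboarding steps above can be checked mechanically. The following is an added example, not SOCFortress code: it compares per-tool role exports against one intended canonical role per user and reports missing accounts, unapproved accounts, and roles that exceed the intended level. The native role names in the mapping, the user names, and the sample data are all assumptions constructed for illustration.

```python
"""Audit per-tool role assignments against one canonical RBAC model."""

# Canonical roles from the article, ordered by privilege.
RANK = {"viewer": 0, "analyst": 1, "engineer": 2, "admin": 3}

# ASSUMPTION: these native role names are illustrative only. Replace them
# with the roles actually defined in each tool of your deployment.
NATIVE_TO_CANONICAL = {
    "wazuh": {"readonly": "viewer", "soc_analyst": "analyst", "administrator": "admin"},
    "graylog": {"reader": "viewer", "soc_analyst": "analyst", "admin": "admin"},
    "grafana": {"viewer": "viewer", "editor": "engineer", "admin": "admin"},
    "copilot": {"analyst": "analyst", "manager": "engineer", "admin": "admin"},
    "shuffle": {"user": "analyst", "admin": "admin"},
    "velociraptor": {"reader": "viewer", "investigator": "analyst", "administrator": "admin"},
}
# Velociraptor is optional: the onboarding workflow only adds it for DFIR work.
REQUIRED = {"wazuh", "graylog", "grafana", "copilot", "shuffle"}


def audit(intended, assignments):
    """intended: {user: canonical role}; assignments: {user: {tool: native role}}.
    Returns sorted (user, tool, finding) tuples."""
    findings = []
    for user in set(intended) | set(assignments):
        tools = assignments.get(user, {})
        if user not in intended:  # account exists but nobody approved a role
            findings += [(user, tool, "orphaned-account") for tool in tools]
            continue
        limit = RANK[intended[user]]
        for tool in REQUIRED - set(tools):
            findings.append((user, tool, "missing-account"))
        for tool, native in tools.items():
            canonical = NATIVE_TO_CANONICAL.get(tool, {}).get(native.lower())
            if canonical is None:  # fail closed on roles the model does not know
                findings.append((user, tool, "unmapped-role:" + native))
            elif RANK[canonical] > limit:
                findings.append((user, tool, "over-privileged:" + native))
    return sorted(findings)


# Constructed sample data (not from a real deployment).
INTENDED = {"alice": "analyst", "bob": "viewer"}
ASSIGNMENTS = {
    "alice": {"wazuh": "soc_analyst", "graylog": "Admin", "grafana": "Viewer",
              "copilot": "Analyst", "shuffle": "user", "velociraptor": "investigator"},
    "bob": {"wazuh": "readonly", "graylog": "Reader", "grafana": "Editor", "copilot": "Analyst"},
    "carol": {"shuffle": "admin"},
}

if __name__ == "__main__":
    for finding in audit(INTENDED, ASSIGNMENTS):
        print(*finding, sep="\t")
```

Feed it the user lists you export from each tool; a finding on a role rather than a single user usually means the role definition itself needs adjusting.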

Custom Domains and Internal DNS

For environments using internal or custom domains (for example, customer-facing stacks or MSSP multi-tenant deployments), ensure:

  • Internal DNS correctly resolves:
    • copilot.<your-domain>
    • velociraptor-ui.<your-domain>
    • Other stack components as defined in your deployment (e.g., wazuh-ui, graylog01-ui, grafana).
  • Certificates (if using HTTPS) are valid for the custom domain names.
  • Any SSO/identity provider configuration is updated to include these application URLs as allowed callback/reply URLs.

Troubleshooting Tips

  • If a user can’t log in, verify:
    • The correct URL (especially for CoPilot and Velociraptor custom domains).
    • The user exists in that specific tool.
    • The role assigned has login privileges and isn’t disabled.
  • If permissions seem too broad or too restrictive, adjust the role, not the user: it’s easier to manage when you have a few standard roles shared by many users.
  • For SSO setups, confirm the user has been assigned to the application in your identity provider.

If you need help designing a consistent RBAC model across all tools or mapping your internal roles (e.g., Tier 1 / Tier 2 / Tier 3 analysts) into this stack, contact the SOCFortress team for guidance.
