From f5cd771284238648afb1a89097798a1ad2bd7750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jorge=20S=C3=A1nchez?=
Date: Wed, 26 Nov 2025 15:03:40 +0100
Subject: [PATCH] Create new roles for Indexer Content Manager API (#1243)

Co-authored-by: Alex Ruiz
---
 CHANGELOG.md | 1 +
 .../src/config/security/roles.wazuh.yml | 29 +++++++++++++++++++
 .../config/security/roles_mapping.wazuh.yml | 28 ++++++++++++++++++
 3 files changed, 58 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8542d157668..5cae3e1a645 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Add Cross-Cluster Search environment [(#1034)](https://github.com/wazuh/wazuh-indexer/pull/1034)
 - Add Security Analytics fork to Wazuh Indexer packages [(#1188)](https://github.com/wazuh/wazuh-indexer/pull/1188)
 - Map `alerting_full_access` and `notifications_full_access` roles to the `kibanaserver` user [(#1201)](https://github.com/wazuh/wazuh-indexer/pull/1201)
+- Create new roles for Indexer Content Manager API [(#1243)](https://github.com/wazuh/wazuh-indexer/pull/1243)
 
 ### Fixed
 
diff --git a/distribution/src/config/security/roles.wazuh.yml b/distribution/src/config/security/roles.wazuh.yml
index 45b96dd2cd2..7ec016ba23b 100644
--- a/distribution/src/config/security/roles.wazuh.yml
+++ b/distribution/src/config/security/roles.wazuh.yml
@@ -172,3 +172,32 @@ ml_config_write:
 - "system:admin/system_index"
 tenant_permissions: []
 static: false
+
+# Roles for Content Manager plugin subscription management
+cm_subscription_read:
+ reserved: true
+ hidden: false
+ cluster_permissions:
+ - "plugin:content_manager/subscription_get"
+ index_permissions: []
+ tenant_permissions: []
+ static: true
+
+cm_subscription_write:
+ reserved: true
+ hidden: false
+ cluster_permissions:
+ - "plugin:content_manager/subscription_post"
+ - "plugin:content_manager/subscription_delete"
+ index_permissions: []
+ tenant_permissions: []
+ static: true
+
+cm_update:
+ reserved: true
+ hidden: false
+ cluster_permissions:
+ - "plugin:content_manager/update"
+ index_permissions: []
+ tenant_permissions: []
+ static: true
diff --git a/distribution/src/config/security/roles_mapping.wazuh.yml b/distribution/src/config/security/roles_mapping.wazuh.yml
index be5aeeb6a71..b84d667fa1f 100644
--- a/distribution/src/config/security/roles_mapping.wazuh.yml
+++ b/distribution/src/config/security/roles_mapping.wazuh.yml
@@ -120,3 +120,31 @@ notifications_full_access:
 users:
 - "kibanaserver"
 and_backend_roles: []
+
+# Roles for Content Manager plugin subscription management
+cm_subscription_read:
+ reserved: true
+ hidden: false
+ backend_roles: [ ]
+ hosts: [ ]
+ users:
+ - "wazuh-server"
+ and_backend_roles: [ ]
+
+cm_subscription_write:
+ reserved: true
+ hidden: false
+ backend_roles: [ ]
+ hosts: [ ]
+ users:
+ - "wazuh-dashboard"
+ and_backend_roles: [ ]
+
+cm_update:
+ reserved: true
+ hidden: false
+ backend_roles: [ ]
+ hosts: [ ]
+ users:
+ - "wazuh-dashboard"
+ and_backend_roles: [ ]
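Review bot: All three added roles in `roles.wazuh.yml` end with `static: true`, whereas the `ml_config_write` entry visible in the context lines directly above ends with `static: false`, and nothing in the hunk explains the difference. If the flag is not intentional, use `static: false` on `cm_subscription_read`, `cm_subscription_write` and `cm_update` to match the neighbouring entry; if it is, say why in a comment. Because the roles are also `reserved: true`, which normally keeps them from being edited through the security REST API, the permission lists set here are effectively what operators will run with and deserve a check against the action names the Content Manager plugin actually registers. The section comment mentions only subscription management although `cm_update` grants `plugin:content_manager/update`; something like `# Roles for the Content Manager plugin API (subscription management and content update)` would describe all three.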
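Review bot: The new mappings in `roles_mapping.wazuh.yml` bind roles to the literal user names `wazuh-server` and `wazuh-dashboard`, while the existing entry in the context lines (and the #1201 changelog line) maps roles to `kibanaserver`; whether internal users with the new names are defined is not visible in this patch. A mapping to a name that does not exist grants nothing today and would silently apply to any account later created under that name, so both names should be confirmed against the internal users file. As written, `wazuh-dashboard` receives `cm_subscription_write` and `cm_update` but not `cm_subscription_read`, so it could create and delete subscriptions without being able to read them unless another role covers that; if the split is deliberate, a short comment such as `# read is server-only; the dashboard only creates/deletes subscriptions and triggers updates` would record it. The added lines also write empty lists as `[ ]` where the surrounding context uses `[]`.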