From 503346209864b74839b97e7fdb2df6e8930c2798 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Mon, 9 Feb 2026 09:29:07 -0500
Subject: [PATCH] default roles

---
 salt/soc/defaults.yaml | 1 +
 salt/soc/soc_soc.yaml  | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 6f9fc0226..5368ff804 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1509,6 +1509,7 @@ soc:
           anonymousCidr:
           apiKey:
         staticrbac:
+          defaultRole: ""
           roleFiles:
             - rbac/permissions
             - rbac/roles
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index a9b09b813..3359217ac 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -455,6 +455,11 @@ soc:
             global: True
             advanced: True
             forcedType: int
+        staticrbac:
+          defaultRole:
+            description: "Default role for new users that have not been assigned a role. When a role is specified, an attempt will be made to permanently assign the role to the user once the user accesses SOC. The role name must match exactly the name of an existing RBAC role. Standard system roles include: limited-auditor, limited-analyst, auditor, analyst, superuser"
+            global: True
+            advanced: False
         strelkaengine:
           aiRepoUrl:
             description: URL to the AI repository. This is used to pull in AI models for use in Strelka rules.