REST API knowledge exchange
rvvliet78
Novice
Posts: 3
Liked: 1 time
Joined: Apr 26, 2017 9:43 am
Full Name: Rick van Vliet
Contact:

API permissions

Post by rvvliet78 » 1 person likes this post

Hi,

I would like to submit a feature in the permissions of the rest API.

In our environment we have an Infra team who are responsible for the backup servers and they configure the jobs and we have Teams dedicated to serving customers. As each customer team has their own monitoring server they would like to use the Rest API to get the latest job status and failed jobs and stuff.

At the moment this information is only available with a user within Veeam that has full Admin permissions. If I give the teams a user account with admin permissions they can potentially remove jobs for other teams or restore VMs from other teams.
Some of our customers have sensitive data that only the team serving them is allowed to access. If someone from another team can change his permissions via the API, they can access this data, which will cause ISO certification issues.

It is however not a problem for them to see if jobs of other teams are successful or fail, so a "Read-only" permission would be more than sufficient.

Kind Regards,

Rick
dhc
Service Provider
Posts: 2
Liked: never
Joined: Feb 07, 2018 2:17 pm
Full Name: David Haynes
Contact:

[MERGED] Minimum permission required?

Post by dhc »

I would like to use the REST API in a read-only mode except for the required POST to get the access token. What is the minimum permission required so that I can read elements like /backups/{id}, /restorepoints and /cloud/tenants? Does it have to be 'Admin' or is there some lesser permission role?

Thanks
veremin
Product Manager
Posts: 20415
Liked: 2302 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: API permissions

Post by veremin »

Currently only users with Admin permissions can operate with RESTful APIs, but consider your feature request noted. Thanks.
benyoung
Veeam Software
Posts: 149
Liked: 47 times
Joined: May 25, 2016 3:29 am
Full Name: Ben Young
Contact:

Re: API permissions

Post by benyoung »

We do a similar thing here in our multi-tenant environment, achieving this by effectively fronting the Veeam environment via our own API, as we do with the other systems (vCenter, Fortinet etc.).

Although it is a bit of work, you can control exactly what you want people to access as well as augment that information with other data sources if required. Quite often we have our schema different by prefetching other related data from Veeam at the same time, such as job sessions/restore point data, to prevent multiple calls having to be made if that is the intended use for the data.
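
The fronting-API approach benyoung describes, sketched as an added example (not part of the original thread and not benyoung's or Veeam's code): a gateway policy that forwards only allowlisted GET requests and replaces the caller's credentials with its own upstream session. The route patterns, the `/api` prefix mapping and the `X-Upstream-Session` header name are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Resources named in this thread; patterns and query rules are assumptions.
ALLOWED = [
    (re.compile(r"/backups/[0-9a-fA-F-]{36}"), {}),
    (re.compile(r"/restorepoints"), {}),
    (re.compile(r"/cloud/tenants"), {}),
    (re.compile(r"/query"), {"type": {"job"}}),
]
# Client-supplied credentials are never forwarded upstream.
STRIPPED = {"authorization", "cookie", "x-upstream-session"}


def authorize(method, target):
    """Return (allowed, reason) for a client request line."""
    if method.upper() != "GET":
        return False, "method not allowed"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False, "absolute target"
    # Reject encoded or dot segments instead of trying to normalize them.
    if "%" in parts.path or ".." in parts.path:
        return False, "suspicious path"
    for pattern, rules in ALLOWED:
        if not pattern.fullmatch(parts.path):
            continue
        seen = set()
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key in seen or value not in rules.get(key, ()):
                return False, "query parameter not allowed"
            seen.add(key)
        if seen != set(rules):
            return False, "required query parameter missing"
        return True, "ok"
    return False, "path not allowlisted"


def upstream_request(method, target, client_headers, session_token):
    """Build the request the gateway sends upstream, or None if denied."""
    if not authorize(method, target)[0]:
        return None
    parts = urlsplit(target)
    headers = {k: v for k, v in client_headers.items()
               if k.lower() not in STRIPPED}
    # Placeholder header name; the privileged session stays on the gateway.
    headers["X-Upstream-Session"] = session_token
    query = "?" + parts.query if parts.query else ""
    return {"method": "GET", "path": "/api" + parts.path + query,
            "headers": headers}
```

Because the gateway holds the only privileged session, a compromised monitoring host can read what the allowlist exposes but cannot modify or delete anything upstream.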
spine
Service Provider
Posts: 12
Liked: never
Joined: Mar 13, 2019 8:33 pm
Full Name: Steven Pine
Contact:

Re: API permissions

Post by spine »

Are there any updates to this question? We also are in need of multiple read-only credentials to a variety of clients' enterprise API portals.
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: API permissions

Post by nielsengelen »

Currently there is no update yet on when this will be added; however, your feature request is noted.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
masonit
Service Provider
Posts: 327
Liked: 23 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Maso
Contact:

Re: API permissions

Post by masonit »

Hi

Think I have the same request as others in this thread.

I am doing some testing with Veeam vCloud self service portal and also its REST API. The API works fine as an administrator. But when trying to connect to the API using a vCloud tenant account, I can't connect. Shouldn't a vCloud tenant user be able to connect to Veeam self service REST API and manage their own jobs/backups/restore through the REST API? In the same way as they can manage them using the web portal?

\Masonit
veremin
Product Manager
Posts: 20415
Liked: 2302 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: API permissions

Post by veremin »

We have this functionality only for Cloud Connect Backup & Replication tenants.

Let's consider your post as a feature request for future product versions.

Thanks!
masonit
Service Provider
Posts: 327
Liked: 23 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Maso
Contact:

Re: API permissions

Post by masonit »

Please do. Big limitation when customer can create vCloud vms with api. But not backup.

\Masonit
veremin
Product Manager
Posts: 20415
Liked: 2302 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: API permissions

Post by veremin »

Got it, your voice has been heard. Thanks!
mchavigny
Novice
Posts: 5
Liked: 2 times
Joined: Aug 26, 2019 1:16 pm
Contact:

[MERGED] Enterprise manager - Read Only user for API

Post by mchavigny »

Hi everybody,

I am trying to create a read-only user to query the API.
If my user has a role other than "Portal Administrator", I can't view jobs in the REST API (but the backup view works):


{
  "FirstChanceExceptionMessage": null,
  "Message": "Access denied.",
  "StackTrace": null,
  "Status": null,
  "StatusCode": 403
}
In fact, this problem does not occur in the web page, where I can view jobs, but it does in the API with the 'https://veeamenterprisemanager:9398/api/query?type=job' URL.

Do you know how to create a read-only user with the privilege to read jobs in the REST API with Veeam Backup Enterprise Manager 9.5u4?

Best regards,
Vitaliy S.
VP, Product Management
Posts: 27377
Liked: 2800 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: API permissions

Post by Vitaliy S. »

Today, RESTful API account requires admin privileges, please take a look at the existing topic for more info.
veremin
Product Manager
Posts: 20415
Liked: 2302 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: API permissions

Post by veremin »

Also, if you describe the use case (or situation you're struggling with) in more detail, it would help us to estimate the feature request better. Thanks!
BramV
Novice
Posts: 4
Liked: never
Joined: May 11, 2015 3:10 pm
Full Name: Bram
Contact:

Re: API permissions

Post by BramV »

This is another request for adding a read-only user.
Use case: This could then be used in job monitoring scripts. Now with the required admin privileges, if the monitoring server is compromised, the backup system can be compromised.

It seems a regular non-admin user can see all job and server stats on the dashboard homepage but can't request them using the API
oleg.feoktistov
Veeam Software
Posts: 2010
Liked: 670 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov
Contact:

Re: API permissions

Post by oleg.feoktistov » 1 person likes this post

Yes, this feature is under consideration. Thank you!
jw_ic
Enthusiast
Posts: 34
Liked: never
Joined: Oct 25, 2017 1:26 pm
Full Name: James Wuerflein
Contact:

Re: API permissions

Post by jw_ic »

BUMP! I would also like to see a backup operator type role for API requests vs full admin
tsmagnum
Novice
Posts: 6
Liked: 5 times
Joined: Feb 26, 2021 7:34 am
Full Name: T.S. Magnum
Contact:

Re: API permissions

Post by tsmagnum »

Hello, any status update about this request?
We cannot use an admin user to monitor a server, it would be a great enhancement having API RO access.

Thanks!
oleg.feoktistov
Veeam Software
Posts: 2010
Liked: 670 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov
Contact:

Re: API permissions

Post by oleg.feoktistov »

No update on the read-only access role so far. It is likely the case that we would need to implement such a role for the EM portal first.
However, REST API access for users with the Portal Users and Restore Operators roles is allowed.
Thanks!
nioko
Lurker
Posts: 2
Liked: 1 time
Joined: Jun 29, 2020 10:56 am
Full Name: Nico Baumgartner
Contact:

Re: API permissions

Post by nioko »

Also looking for this. No need to give full permissions just to monitor some jobs.
monitor
Lurker
Posts: 2
Liked: 1 time
Joined: Mar 10, 2023 9:51 am
Contact:

Re: API permissions

Post by monitor » 1 person likes this post

In the age of increasing cyber threats and principle of least privilege being one of the security measures, the fact that Veeam Backup Administrator role is required for monitoring is unacceptable.

The feature was first requested almost 6 years ago.

Therefore, I would like to kindly request to fast-track a solution to this security vulnerability.
pzaf
Lurker
Posts: 1
Liked: never
Joined: Jan 28, 2019 11:04 pm
Full Name: Peter Zafiris
Contact:

Re: API permissions

Post by pzaf »

I am also looking for this feature. Backup Admin role for API monitoring access etc is overkill.
GeraldS
Novice
Posts: 8
Liked: 3 times
Joined: Mar 28, 2019 8:18 am
Full Name: Gerald Schneider
Location: Rostock, Germany

Re: API permissions

Post by GeraldS » 1 person likes this post

As of now (using VBR 12) not all API endpoints require the admin role. In the Zabbix HTTP Checks I had to comment out a single endpoint (listing services) to be able to use the check with the Backup Viewer role.

I posted some details in the Zabbix forum about it: https://www.zabbix.com/forum/zabbix-tro ... m-rest-api
Veeam Certified Engineer 2023
monitor
Lurker
Posts: 2
Liked: 1 time
Joined: Mar 10, 2023 9:51 am
Contact:

Re: API permissions

Post by monitor »

Thank you, GeraldS!

Commenting out endpoint ‘services’ did indeed fix my problem.

API monitoring in Zabbix now also works with Backup Viewer role.
mikeely
Expert
Posts: 232
Liked: 71 times
Joined: Nov 07, 2016 7:39 pm
Full Name: Mike Ely
Contact:

Re: API permissions

Post by mikeely »

GeraldS wrote: May 19, 2023 1:06 pm As of now (using VBR 12) not all API endpoints require the admin role. In the Zabbix HTTP Checks I had to comment out a single endpoint (listing services) to be able to use the check with the Backup Viewer role.

I posted some details in the Zabbix forum about it: https://www.zabbix.com/forum/zabbix-tro ... m-rest-api
Unfortunately this doesn't work when querying the Enterprise Manager API, or perhaps the template for that is populated some other place that I could not find.

Bumping the request to allow read-only access to all GET endpoints.
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment