RESTful knowledge exchange
Post Reply
rvvliet78
Novice
Posts: 3
Liked: 1 time
Joined: Apr 26, 2017 9:43 am
Full Name: Rick van Vliet
Contact:

API permissions

Post by rvvliet78 » 1 person likes this post

Hi,

I would like to submit a feature in the permissions of the rest API.

In our environment we have an Infra team who are responsible for the backup servers and they configure the jobs and we have Teams dedicated to serving customers. As each customer team has their own monitoring server they would like to use the Rest API to get the latest job status and failed jobs and stuff.

At the moment this information is only available with a user within Veeam that has full Admin permissions. If I give the teams a user account with admin permissions they can potentially remove jobs for other teams or restore VM's from other teams.
Some of our customers have sensitive data that the team serving them is only allowed to access, if someone from another team can change his permissions via the api they can access this data which will cause ISO certification issues.

It is however not a problem for them to see if jobs of other teams are successfull or fail so a "Read-only" permission would be more then sufficient.

Kind Regards,

Rick
dhc
Service Provider
Posts: 2
Liked: never
Joined: Feb 07, 2018 2:17 pm
Full Name: David Haynes
Contact:

[MERGED] Minimum permission required?

Post by dhc »

I would like to use the REST API in a read-only mode except for the required POST to get the access token. What is the minimum permission required so that I can read elements like /backups/{id}, /restorepoints and /cloud/tenants? Does it have to the 'Admin' or is there some lesser permission role?

Thanks
veremin
Product Manager
Posts: 20270
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: API permissions

Post by veremin »

Currently only users with Admin permissions can operate with RESTful APIs, but consider your feature request noted. Thanks.
benyoung
Veeam Vanguard
Posts: 148
Liked: 47 times
Joined: May 25, 2016 3:29 am
Full Name: Ben Young
Contact:

Re: API permissions

Post by benyoung »

We do a similar thing here in our multi tenant environment - achieving this by effectively fronting the veeam environment via our own API - as we do with the other systems, vCenter, Fortinet etc

Although it is a bit of work you can control exactly what you want people to access as well as augment that information with other data sources if required and quite often we have our schema different by prefetching other related data from veeam at the same time, such as job sessions/restore point data to prevent multiple calls having to be made if that is the intended use for the data
spine
Service Provider
Posts: 12
Liked: never
Joined: Mar 13, 2019 8:33 pm
Full Name: Steven Pine
Contact:

Re: API permissions

Post by spine »

Are there any updates to this question? We also are in need of multiple read only credentials to a variety of clients enterprise api portals.
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: API permissions

Post by nielsengelen »

Currently no update yet when this will be added however your feature request is noted.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
masonit
Service Provider
Posts: 325
Liked: 23 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Maso
Contact:

Re: API permissions

Post by masonit »

Hi

Think I have the same request as others in this thread.

I am doing some testing with Veeam vCloud self service portal and also its rest api. Api works fine as an administrator. But when trying to connect to Api using an vCloud tenant account. Then I can't connect. Shouldn't a vCloud tenant user be able to connect to Veeam self service rest api and manage their own jobs/backups/restore through rest api? In the same way as they can manage them using the web portal?

\Masonit
veremin
Product Manager
Posts: 20270
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: API permissions

Post by veremin »

We have this functionality only for Cloud Connect Backup & Replication tenants.

Let's consider your post as a feature request for future product versions.

Thanks!
masonit
Service Provider
Posts: 325
Liked: 23 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Maso
Contact:

Re: API permissions

Post by masonit »

Please do. Big limitation when customer can create vCloud vms with api. But not backup.

\Masonit
veremin
Product Manager
Posts: 20270
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: API permissions

Post by veremin »

Got it, your voice has been heard. Thanks!
mchavigny
Novice
Posts: 5
Liked: 2 times
Joined: Aug 26, 2019 1:16 pm
Contact:

[MERGED] Enterprise manager - Read Only user for API

Post by mchavigny »

Hi everybody,

I try to create Read Only user to request API.
I my user have a role different of "Portal Administrator", I can't show job in Rest API (but backup view work) :

Code: Select all

{
  "FirstChanceExceptionMessage": null,
  "Message": "Access denied.",
  "StackTrace": null,
  "Status": null,
  "StatusCode": 403
}
In fact, this problem not occured in Webpage, I can view job, but NOT in api with 'https://veeamenterprisemanager:9398/api/query?type=job' url

Can you know how to create a Read Only user with privilege to Read Job in RestAPI with Veeam Backup Enterprise Manager 9.5u4 ?

Best regards,
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: API permissions

Post by Vitaliy S. »

Today, RESTful API account requires admin privileges, please take a look at the existing topic for more info.
veremin
Product Manager
Posts: 20270
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: API permissions

Post by veremin »

Also, if you describe the use case (or situation you're struggling with) in more details, it would help us to estimate the feature request better. Thanks!
BramV
Novice
Posts: 4
Liked: never
Joined: May 11, 2015 3:10 pm
Full Name: Bram
Contact:

Re: API permissions

Post by BramV »

This is another request for adding a read-only user.
Use case: This could then be used in job monitoring scripts. Now with the required admin privileges, if the monitoring server is compromised, the backup system can be compromised.

It seems a regular non-admin user can see all job and server stats on the dashboard homepage but can't request them using the API
oleg.feoktistov
Veeam Software
Posts: 1912
Liked: 635 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov
Contact:

Re: API permissions

Post by oleg.feoktistov » 1 person likes this post

Yes, this feature is under consideration. Thank you!
jw_ic
Enthusiast
Posts: 34
Liked: never
Joined: Oct 25, 2017 1:26 pm
Full Name: James Wuerflein
Contact:

Re: API permissions

Post by jw_ic »

BUMP! I would also like to see a backup operator type role for API requests vs full admin
tsmagnum
Novice
Posts: 6
Liked: 5 times
Joined: Feb 26, 2021 7:34 am
Full Name: T.S. Magnum
Contact:

Re: API permissions

Post by tsmagnum »

Hello, any status update about this request?
We cannot use an admin user to monitor a server, it would be a great enhancement having API RO access.

Thanks!
oleg.feoktistov
Veeam Software
Posts: 1912
Liked: 635 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov
Contact:

Re: API permissions

Post by oleg.feoktistov »

No update on read-only access role so far. It is likely the case that we would need to implement such role for EM portal first.
However, rest api access for users with Portal Users and Restore Operators role is allowed.
Thanks!
nioko
Lurker
Posts: 2
Liked: 1 time
Joined: Jun 29, 2020 10:56 am
Full Name: Nico Baumgartner
Contact:

Re: API permissions

Post by nioko »

Also looking for this. No need to give full permissions just to monitor some jobs.
monitor
Lurker
Posts: 2
Liked: 1 time
Joined: Mar 10, 2023 9:51 am
Contact:

Re: API permissions

Post by monitor » 1 person likes this post

In the age of increasing cyber threats and principle of least privilege being one of the security measures, the fact that Veeam Backup Administrator role is required for monitoring is unacceptable.

The feature was first requested almost 6 years ago.

Therefore, I would like to kindly request to fast-track a solution to this security vulnerability.
pzaf
Lurker
Posts: 1
Liked: never
Joined: Jan 28, 2019 11:04 pm
Full Name: Peter Zafiris
Contact:

Re: API permissions

Post by pzaf »

I am also looking for this feature. Backup Admin role for API monitoring access etc is overkill.
GeraldS
Novice
Posts: 6
Liked: 3 times
Joined: Mar 28, 2019 8:18 am
Full Name: Gerald Schneider
Location: Rostock, Germany

Re: API permissions

Post by GeraldS » 1 person likes this post

As of now (using VBR 12) not all API endpoints require the admin role. In the Zabbix HTTP Checks I had to comment out a single endpoint (listing services) to be able to use the check with the Backup Viewer role.

I posted some details in the Zabbix forum about it: https://www.zabbix.com/forum/zabbix-tro ... m-rest-api
Veeam Certified Engineer 2023
monitor
Lurker
Posts: 2
Liked: 1 time
Joined: Mar 10, 2023 9:51 am
Contact:

Re: API permissions

Post by monitor »

Thank you, GeraldS!

Commenting out endpoint ‘services’ did indeed fix my problem.

API monitoring in Zabbix now also works with Backup Viewer role.
mikeely
Expert
Posts: 224
Liked: 69 times
Joined: Nov 07, 2016 7:39 pm
Full Name: Mike Ely
Contact:

Re: API permissions

Post by mikeely »

GeraldS wrote: May 19, 2023 1:06 pm As of now (using VBR 12) not all API endpoints require the admin role. In the Zabbix HTTP Checks I had to comment out a single endpoint (listing services) to be able to use the check with the Backup Viewer role.

I posted some details in the Zabbix forum about it: https://www.zabbix.com/forum/zabbix-tro ... m-rest-api
Unfortunately this doesn't work when querying the Enterprise Manager API, or perhaps the template for that is populated some other place that I could not find.

Bumping the request to allow read-only access to all GET endpoints.
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment
Post Reply

Who is online

Users browsing this forum: No registered users and 5 guests