Feature Request: Allow all REST API endpoints with GET for Backup Viewer

[DE&C]

Feature Request

• Allow all REST API endpoints with GET (data retrieval only) to be accessible "Read Only User"

->(Backup Viewer role).

Reasoning:

• Ensures that monitoring and reporting tools can fetch necessary information without requiring elevated permissions.
  
  Increases security by limiting access to non-destructive operations.
  
  Simplifies integration for read-only use cases.

Example

• /api/v1/license

[Mildur]

Hi Doron,

The request for a "Read Only" API viewer makes sense.
However, I'm not sure if this should be part of the "Backup Viewer" role, as the Backup Viewer is intended to only see backups.

It might be possible to add such a role when our new v13 feature "Custom Role (RBAC)" adds support for REST API.
I'll discuss this request further with our REST API team.

As a workaround, you may check out RestAPI of Service Provider Console. VSPC already allows Read Only API access.

Best,
Fabian

[aeckstein]

Hi all,

i´m currently developing a REST API based Monitoring Plugin for the monitoring solution checkmk ( https://checkmk.com ) for Veeam Backup and Replication 13.

What I realized is that the current available VBR user roles don´t really fit the use case of monitoring.
It seems that some of the most basic informations, e.g. license status, is only available to the Administrator role.
I really would like to avoid using Administrator Accounts to access the REST api to not compromise the security of the backup server with the monitoring access.
Are there any plans for more configurable api permissions (rbac) or a monitoring role, which has read-only access to all rest api endpoints ?

Any Tips regarding security that i´m missing and how are other monitoring solutions addressing this issue ?

kind regards
Andre

[david.domask]

Hi Andre, welcome to the forums.

I've moved your post to an existing topic on the same subject -- understood on the request, and we intend to extend role based access control (RBAC) to the automation endpoints including REST API, but no ETA at the moment.

[Suryanarayanan]

Hi All,

We are accessing below VBR API calls using a seperate service account with a "Veeam Backup Administrator".

APIs:
Get Access Token: /api/oauth2/token
Get All Backups: /api/v1/backups
Get All Backup Files: /api/v1/backups/{id}/backupFiles
Get Installed License : /api/v1/license

Can you check and let us know what is least role needed for that account. We dont want to give full access.

Can we use "Veeam Backup Operator" or "Veeam Backup Viewer" ?

Regards,
Surya

[david.domask]

Hi Surya,

I've merged your topic with an existing topic on the subject.

Please see the previous answers, currently Backup Administrator is required with the exception of the Incident API Operator role. As noted above we plan to expand role based access controls (RBAC) further in future releases, and we will update this thread when there's more to share.

[DE&C]

Hi Doron,

The request for a "Read Only" API viewer makes sense.
However, I'm not sure if this should be part of the "Backup Viewer" role, as the Backup Viewer is intended to only see backups.

It might be possible to add such a role when our new v13 feature "Custom Role (RBAC)" adds support for REST API.
I'll discuss this request further with our REST API team.

As a workaround, you may check out RestAPI of Service Provider Console. VSPC already allows Read Only API access.

Best,
Fabian

Hi Fabian

You are right, for the “Backup Viewer” role this does not make much sense.

In my opinion, a simple “read all APIs” role would already solve the problem for now, even before Veeam releases a full RBAC feature set. Such a role would likely require significantly fewer development resources and should be relatively straightforward to implement from a technical perspective, since it would mainly involve extending access permissions for existing APIs.


Some details from the field:

Over the past few months, in various discussions with customers, I have repeatedly heard that many of them would also like to have such an API read-only role. Unfortunately, most of them are not very motivated to post here themselves (I am still trying to convince them to join the discussion ).

This feedback comes from a wide range of organizations: smaller environments with fewer than 150 VMs, larger environments with more than 1,000 VMs, as well as large universities, hospitals, and federal-related organizations.

At the moment, one of the biggest showstoppers for automation is clearly the missing read-only permission for APIs.

As input for a future RBAC implementation, another helpful feature would be the ability to import or automatically create role configurations. For example:

• Automation Tool 1 → Configuration A

• Automation Tool 2 → Configuration B

This would allow predefined configurations to be deployed automatically instead of having to create them manually each time.

[david.domask]

Hi DE&C,

Your input on pre-defined read-only API roles is understood -- RBAC brought a lot of granularity in the initial release with v13 and we will continue to expand it out, as RBAC for automation is definitely something we want available.

As for this request:

As input for a future RBAC implementation, another helpful feature would be the ability to import or automatically create role configurations. For example:

Automation Tool 1 → Configuration A

Automation Tool 2 → Configuration B

This would allow predefined configurations to be deployed automatically instead of having to create them manually each time.

Noted, makes sense and will discuss internally.