Feature Request: Allow all REST API endpoints with GET for Backup Viewer

[DE&C]

Feature Request

• Allow all REST API endpoints with GET (data retrieval only) to be accessible "Read Only User"

->(Backup Viewer role).

Reasoning:

• Ensures that monitoring and reporting tools can fetch necessary information without requiring elevated permissions.
  
  Increases security by limiting access to non-destructive operations.
  
  Simplifies integration for read-only use cases.

Example

• /api/v1/license

[Mildur]

Hi Doron,

The request for a "Read Only" API viewer makes sense.
However, I'm not sure if this should be part of the "Backup Viewer" role, as the Backup Viewer is intended to only see backups.

It might be possible to add such a role when our new v13 feature "Custom Role (RBAC)" adds support for REST API.
I'll discuss this request further with our REST API team.

As a workaround, you may check out RestAPI of Service Provider Console. VSPC already allows Read Only API access.

Best,
Fabian

[aeckstein]

Hi all,

i´m currently developing a REST API based Monitoring Plugin for the monitoring solution checkmk ( https://checkmk.com ) for Veeam Backup and Replication 13.

What I realized is that the current available VBR user roles don´t really fit the use case of monitoring.
It seems that some of the most basic informations, e.g. license status, is only available to the Administrator role.
I really would like to avoid using Administrator Accounts to access the REST api to not compromise the security of the backup server with the monitoring access.
Are there any plans for more configurable api permissions (rbac) or a monitoring role, which has read-only access to all rest api endpoints ?

Any Tips regarding security that i´m missing and how are other monitoring solutions addressing this issue ?

kind regards
Andre

[david.domask]

Hi Andre, welcome to the forums.

I've moved your post to an existing topic on the same subject -- understood on the request, and we intend to extend role based access control (RBAC) to the automation endpoints including REST API, but no ETA at the moment.

[Suryanarayanan]

Hi All,

We are accessing below VBR API calls using a seperate service account with a "Veeam Backup Administrator".

APIs:
Get Access Token: /api/oauth2/token
Get All Backups: /api/v1/backups
Get All Backup Files: /api/v1/backups/{id}/backupFiles
Get Installed License : /api/v1/license

Can you check and let us know what is least role needed for that account. We dont want to give full access.

Can we use "Veeam Backup Operator" or "Veeam Backup Viewer" ?

Regards,
Surya

[david.domask]

Hi Surya,

I've merged your topic with an existing topic on the subject.

Please see the previous answers, currently Backup Administrator is required with the exception of the Incident API Operator role. As noted above we plan to expand role based access controls (RBAC) further in future releases, and we will update this thread when there's more to share.