REST API knowledge exchange

VEM REST API - Minimum required role for Zabbix integration (Portal User vs Portal Administrator)

Post by charlieferreiracln »

Hi all,
I'm currently implementing a monitoring integration between Zabbix and Veeam Backup Enterprise Manager (VEM), following the official Zabbix integration template:
https://www.zabbix.com/br/integrations/ ... nager_http
The integration uses the VEM REST API (port 9398), where Zabbix authenticates with a dedicated service account and queries endpoints like /jobs, /backupSessions, /repositories, and /backupServers.
During testing I noticed the following behaviour depending on the role assigned to the service account:

Portal User — all endpoints work except /jobs, which returns HTTP 403
Portal Administrator — all endpoints work, including /jobs

My questions:

Is Portal Administrator strictly required for this integration, or is there a way to grant access to /jobs with a lower-privilege role?
If Portal Administrator is mandatory, how do others handle the security concern around user management permissions being included in that role for a service account that only needs read access?
Is there any plan for a dedicated read-only role in VEM that covers full API access without user management capabilities?

Running VEM v13. Any input appreciated!

Best regards,
Carlos

Re: VEM REST API - Minimum required role for Zabbix integration (Portal User vs Portal Administrator)

Post by david.domask »

Hi Carlos,

You're correct, the different roles have restrictions on the endpoints they can access in Enterprise Manager.

I'm not fully aware of which endpoints Zabbix is using, but the link you provided mentions they built their integration with Portal Administrator in mind for all operations.

Long term, we plan to expand more complete RBAC coverage, focusing on the Backup Server REST API itself primarily.

As for security, monitor the account activity heavily and, if feasible, restrict the login access exclusively to the Enterprise Manager server.
David Domask | Product Management: Principal Analyst
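
Following the advice above to monitor the account's activity, here is an added example (not part of either post, and not Veeam or Zabbix code) that reviews access-log lines for the service account and flags anything beyond read-only calls to the four endpoints named in the original post. The account name, source address and log layout are assumptions, and the sample lines are constructed.

```python
# Assumptions (not from the thread): the account name, the monitoring host
# address, and the log layout "timestamp source_ip user method path status".
SERVICE_ACCOUNT = "svc_zabbix"
EXPECTED_SOURCES = {"10.0.0.5"}
# Read-only endpoints the original post says the integration queries.
# Add the login/session endpoint your deployment uses.
ALLOWED_PATHS = ("/jobs", "/backupSessions", "/repositories", "/backupServers")


def path_allowed(path):
    """True if path is one of the allowed endpoints or a sub-resource of one."""
    path = path.split("?", 1)[0].rstrip("/")
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PATHS)


def review(lines):
    """Return (line, reasons) for each service-account request that deviates."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            findings.append((line, ["unparseable"]))
            continue
        _ts, src, user, method, path, _status = parts
        if user != SERVICE_ACCOUNT:
            continue
        reasons = []
        if src not in EXPECTED_SOURCES:
            reasons.append("unexpected source")
        if method != "GET":
            reasons.append("non-read method")
        if not path_allowed(path):
            reasons.append("endpoint outside integration scope")
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample log lines (ids and paths are illustrative).
SAMPLE = [
    "2026-05-12T10:00:01Z 10.0.0.5 svc_zabbix GET /jobs 200",
    "2026-05-12T10:00:02Z 10.0.0.5 svc_zabbix GET /backupSessions 200",
    "2026-05-12T10:05:00Z 10.0.0.77 svc_zabbix GET /repositories 200",
    "2026-05-12T10:06:00Z 10.0.0.5 svc_zabbix POST /jobs/1234 200",
    "2026-05-12T10:07:00Z 10.0.0.5 svc_zabbix GET /some/other/resource 200",
    "2026-05-12T10:08:00Z 10.0.0.9 admin GET /some/other/resource 200",
]

if __name__ == "__main__":
    for line, reasons in review(SAMPLE):
        print(", ".join(reasons), "|", line)
```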