Role-Based Access for the Barracuda WAF REST APIs

Last updated on 2019-04-15 00:30:38

API Privilege

The API Privilege section allows users to access the Barracuda REST APIs. By default the value is set to No. Set the value to Yes if you want permissions to use REST APIs. Using the "administrator-roles" API, you can grant READ/WRITE permissions for specific object(s) that this role may need access to. You can refer to the table List of Supported Objects to know the list of objects supported in the Barracuda REST APIs and their syntax that should be used in the JSON when granting READ/WRITE permissions.

Create a Role and Grant Permission

The example JSON below describes how to create a new role and grant the required permissions to objects the role is accessing.

 [POST] 
        http:///<WAF-IP/WAF-Domain>:8000/restapi/v3/administrator-roles
    (Authorization) => Basic Auth
        a) username
=> {{token}}   [ensure that the token ends with a colon ':']
    (Body) => raw 
              JSON(application/json)
    Inputs - 
   ------
{
    "name": "sample_role",
    "services": [
        "_ALL:read"
    ],
    "security-policies": [
        "_ALL_:read"
    ],
    "service-groups": [
        "_ALL_:read"
    ],
    "vsites": [
        "_ALL_:read"
    ],
    "operations": [
        "certificate-management"
    ],
    "objects":[
        "services:read",
        "security-policies:read",
        "url-profiles:read"
    ]
}

Parameter Name	Data Type	Mandatory	Description
URL: /v3/administrator-roles
Method: POST
Description: Creates a new role and grants READ/WRITE permissions to the object the role is accessing
Input Parameters:
name	Alphanumeric	Yes	A name for the role.
services	Alphanumeric	Conditional	Grants permission to all the services configured in the Barracuda Web Application Firewall. "_ALL: read" will grant READ permission to all the services created in Barracuda WAF.
security-policies	Alphanumeric	Conditional	Grants permission to all the security policies configured in the Barracuda Web Application Firewall. "_ALL: read" will grant READ permission to all the security policies created in Barracuda WAF.
service-groups	Alphanumeric	Conditional	Grants permission to all the service groups configured in the Barracuda Web Application Firewall. "_ALL_:read" will grant READ permission to all the service groups created in Barracuda WAF.
Vsites	Alphanumeric	Conditional	Grants permission to all the Vsites configured in the Barracuda Web Application Firewall. "_ALL_:read" will grant READ permission to all the Vsites created in Barracuda WAF.
operations	Alphanumeric	Conditional	Grants permission to all the operations configured in the Barracuda Web Application Firewall. "_ALL_:read" will grant READ permission to all the operations created in Barracuda WAF.
objects	Alphanumeric	Conditional	Grants permission to the generic objects specified. "services:read" will grant READ permission to the (generic) services object.

RBA differences in UI vs API

For editing a sub-resource the user role needs the following:
1. A WRITE permission on that sub-resource and at least a READ permission on its object.
Any custom role should have at least a READ permission on the service the role wants in order to view access or firewall logs.
If a user is creating/adding/editing a new object from the UI, the user role needs to have the following:
1. A WRITE access directly on that object.
2. Accessibility (either READ/WRITE) to its parent object.
3. A WRITE permission on that tab/screen that the role is creating the object from.
Granting permissions to an object from the Administrator-Roles API will automatically grant the same permission for the dependent screen(s) of that object and vice-versa (when done from the UI).

The predefined/factory shipped roles other than "Admin" do not have API Privilege.

List of Supported Objects

The following table provides a list of objects supported in the Barracuda REST APIs and their syntax that should be used in the JSON when granting READ/WRITE permissions.

Object	Description	Syntax used
_ALL_	Grants READ/WRITE permission to all objects	_ALL_:read _ALL_:write
access-rules	Grants READ/WRITE permission to the access-rules Object	access-rules:read access-rules:write
access-policies	Grants READ/WRITE permission to the access-policies object	access-policies:read action-policies:write
adaptive-profiling-rules	Grants READ/WRITE permission to the adaptive-profiling-rules object	adaptive-profiling-rules:read adaptive-profiling-rules:write
admin-ip-range	Grants READ/WRITE permission to the admin-ip-range object	admin-ip-range:read admin-ip-range:write
allow-deny-clients	Grants READ/WRITE permission to the allow-deny-clients object	allow-deny-clients:read allow-deny-clients:write
attack-patterns	Grants READ/WRITE permission to the attack -patterns object	attack-patterns:read attack-patterns:write
attack-types	Grants READ/WRITE permission to the attack- types object	attack-types:read attack-types:write
authorization-policies	Grants READ/WRITE permission to the authorization-policies object	authorization-policies:read authorization-policies:write
auto-system-acls	Grants READ/WRITE permission to the auto-system-acls object	auto-system-acls:read auto-system-acls:write
backup	Grants READ/WRITE permission to the backup object	backup:read backup:write
bonds	Grants READ/WRITE permission to the bonds patterns object	bonds:read bonds:write
client-certificate-crl	Grants READ/WRITE permission to the client- certificate-crls object	client-certificate-crls:read client-certificate-crls:write
cluster/nodes	Grants READ/WRITE permission to the cluster/nodes object	cluster/nodes:read cluster/nodes:write
Cluster	Grants READ/WRITE permission to the cluster object	cluster:read cluster:write
Created-certificates	Grants READ/WRITE permission to created-certificate object	created-certificate:read created-certificate:write
Credential servers	Grants READ/WRITE permission to the credential-servers object	credential-servers:read credential-servers:write
custom --parameter classes	Grants READ/WRITE permission to the custom-parameter-classes object	custom-parameter-classes:read custom-parameter-classes:write
ddos-policies	Grants READ/WRITE permission to the ddos-policies object	ddos-policies:read ddos-policies:write
destination-nats	Grants READ/WRITE permission to the destination-nats object	destination-nats:read destination-nats:write
geo-pools	Grants READ/WRITE permission to the geo-pools object	geo-pools:read geo-pools:write
geoip-allowed-networks	Grants READ/WRITE permission to the geoip-allowed-networks object	geoip-allowed-networks:read geoip-allowed-networks:write
geoip-blocked-networks	Grants READ/WRITE permission to the geoip-blocked-networks object	geoip-blocked-networks:read geoip-blocked-networks:write
global-acls	Grants READ/WRITE permission to the global-acls object	global-acls:read global-acls:write
header-acls	Grants READ/WRITE permission to the header-acls object	header-acls:read header-acls:write
http-request-rewrite-rules	Grants READ/WRITE permission to the http-request-rewrite-rules object	http-request-rewrite-rules:read http-request-rewrite-rules:write
http-response-rewrite-rules	Grants READ/WRITE permission to the http-response-rewrite-rules object	http-response-rewrite-rules:read http-response-rewrite-rules:write
identity-theft-patterns	Grants READ/WRITE permission to the identity-theft-patterns object	identity-theft-patterns:read identity-theft-patterns:write
identity-types	Grants READ/WRITE permission to the identity-types object	identity-types:read identity-types:write
input-patterns	Grants READ/WRITE permission to the input-patterns object	input-patterns:read input-patterns:write
input-types	Grants READ/WRITE permission to the input-types object	input-types:read input-types:write
interface-routes	Grants READ/WRITE permission to the interface-routes object	interface-routes:read interface-routes:write
	Grants READ/WRITE permission to the attack patterns object	internal-attack-patterns:read internal-attack-patterns:write
json-profiles	Grants READ/WRITE permission to the json-profiles object	json-profiles:read json-profiles:write
json-security-policies	Grants READ/WRITE permission to the json-security-policies object	json-security-policies:read json-security-policies:write
kerberos-services	Grants READ/WRITE permission to the kerberos-services object	kerberos-services:read kerberos-services:write
ldap-services	Grants READ/WRITE permission to the ldap-services object	ldap-services:read ldap-services:write
local-groups	Grants READ/WRITE permission to the local-groups object	local-groups:read local-groups:write
local-hosts	Grants READ/WRITE permission to the local-hosts object	local-hosts:read local-hosts:write
local-users	Grants READ/WRITE permission to the local-users object	local-users:read local-users:write
module-log-levels	Grants READ/WRITE permission to module-log-levels object	module-log-levels:read module-log-levels:write
network-acls	Grants READ/WRITE permission to the network-acls object	network-acls:read network-acls:write
network-interfaces	Grants READ/WRITE permission to the network-interface object	network-interfaces:read network-interface:write
nodes	Grants READ/WRITE permission to the nodes object	nodes:read nodes:write
ntp-servers	Grants READ/WRITE permission to the ntp-servers object	ntp-servers:read ntp-servers:write
parameter-optimizers	Grants READ/WRITE permission to the parameter-optimizers object	parameter-optimizers:read parameter-optimizers:write
parameter-profiles	Grants READ/WRITE permission to the parameter-profiles object	parameter-profiles:read parameter-profiles:write
preferred-clients	Grants READ/WRITE permission to preferred-clients object	preferred-clients:read preferred-clients:write
protected-data-types	Grants READ/WRITE permission to the protected-data-types object	protected-data-types:read protected-data-types:write
radius-services	Grants READ/WRITE permission to the radius-services object	radius-services:read radius-services:write
rate-control-pools	Grants READ/WRITE permission to rate-control-pools object	rate-control-pools:read rate-control-pools:write
reports	Grants READ/WRITE permission to the reports object	reports:read reports:write
response-body-rewrite-rules	Grants READ/WRITE permission to the response-body-rewrite-rules object	response-body-rewrite-rules:read response-body-rewrite-rules:write
response-pages	Grants READ/WRITE permission to the response-pages object	response-pages:read response-pages:write
rsa-securid-services	Grants READ/WRITE permission to the rsa-securid-services object	rsa-securid-services:read rsa-securid-services:write
saml-services	Grants READ/WRITE permission to the saml-services object	saml-services:read saml-services:write
secure-browsing-policies	Grants READ/WRITE permission to the secure-browsing-policies object	secure-browsing-policies:read secure-browsing-policies:write
security-policies/cloaking	Grants READ/WRITE permission to the security-policies/cloaking object	security-policies/cloaking:read security-policies/cloaking:write
security-policies/cookie-security	Grants READ/WRITE permission to the security-policies/cookie-security object	security-policies/cookie-security:read security-policies/cookie-security:write
security-policies/parameter-protection	Grants READ/WRITE permission to the security-policies/parameter-protection object	security-policies/parameter-protection:read security-policies/parameter-protection:write
security-policies/request-limits	Grants READ/WRITE permission to the security-policies/request-limits object	security-policies/request-limits:read security-policies/request-limits:write
security-policies/url-normalization	Grants READ/WRITE permission to the security-policies/url-normalization object	security-policies/url-normalization:read security-policies/url-normalization:write
security-policies/url-protection	Grants READ/WRITE permission to the security-policies/url-protection object	security-policies/url-protection:read security-policies/url-protection:write
security-policies	Grants READ/WRITE permission to the security-policies object	security-policies:read security-policies:write
service-groups	Grants READ/WRITE permission to the service-groups object	service-groups:read service-groups:write
services/adaptive-profiling	Grants READ/WRITE permission to the services/adaptive-profiling object	services/adaptive-profiling:read services/adaptive-profiling:write
services/authentication	Grants READ/WRITE permission to the services/authentication object	services/authentication:read services/authentication:write
services/basic-security	Grants READ/WRITE permission to the services/basic-security object	services/basic-security:read services/basic-security:write
services/caching	Grants READ/WRITE permission to the services/caching object	services/caching:read services/caching:write
services/clickjacking	Grants READ/WRITE permission to the services/clickjacking object	services/clickjacking:read services/clickjacking:write
services/compression	Grants READ/WRITE permission to the services/compression object	services/compression:read services/compression:write
services/comment-spam	Grants READ/WRITE permission to the services/comment-spam	services/comment-spam:read services/comment-spam:write
services/exception-profiling	Grants READ/WRITE permission to the services/exception-profiling object	services/exception-profiling:read services/exception-profiling:write
services/ftp-security	Grants READ/WRITE permission to the services/ftp-security object	services/ftp-security:read services/ftp-security:write
services/ip-reputation	Grants READ/WRITE permission to the services/ip-reputation object	services/ip-reputation:read services/ip-reputation:write
services/referer-spam	Grants READ/WRITE permission to the services/referer-spam object	services/referer-spam:read services/referer-spam:write
services/sensitive-parameter-names	Grants READ/WRITE permission to the services/sensitive-parameter-names object	services/sensitive-parameter-names:read services/sensitive-parameter-names:write
services/session-tracking	Grants READ/WRITE permission to the services/session-tracking object	services/session-tracking:read services/session-tracking:write
services/slow-client-attack	Grants READ/WRITE permission to the services/slow-client-attack object	services/slow-client-attack:read services/slow-client-attack:write
services/ssl-ocsp	Grants READ/WRITE permission to the services/ssl-ocsp object	services/ssl-ocsp:read services/ssl-ocsp:write
services/url-encryption	Grants READ/WRITE permission to the services/url-encryption object	services/url-encryption:read services/url-encryption:write
services/website-profile	Grants READ/WRITE permission to the services/website-profile object	services/website-profile:read services/website-profile:write
services	Grants READ/WRITE permission to the services object	services:read services:write
session-identifiers	Grants READ/WRITE permission to the session-identifiers object	session-identifiers:read session-identifiers:write
source-nats	Grants READ/WRITE permission to the source-nats object	source-nats:read source-nats:write
static-routes	Grants READ/WRITE permission to the static-routes object	static-routes:read static-routes:write
system/azure-config	Grants READ/WRITE permission to the system/azure-config object	system/azure-config:read system/azure-config:write
syslog-servers	Grants READ/WRITE permission to the syslog-servers object	syslog-servers:read syslog-servers:write
system/advanced-settings	Grants READ/WRITE permission to the system/advanced-settings object	system/advanced-settings:read system/advanced-settings:write
system/appearance	Grants READ/WRITE permission to the system/appearance object	system/appearance:read system/appearance:write
system/cookies-and-parameters	Grants READ/WRITE permission to the system/cookies-and-parameters object	system/cookies-and-parameters:read system/cookies-and-parameters:write
system/custom-headers	Grants READ/WRITE permission to the system/custom-headers object	system/custom-headers:read system/custom-headers:write
system/dns	Grants READ/WRITE permission to the system/dns object	system/dns:read system/dns:write
system/email-notifications	Grants READ/WRITE permission to the system/email-notifications object	system/email-notifications:read system/email-notifications:write
system/encryption-key	Grants READ/WRITE permission to the system/encryption-key object	system/encryption-key:read system/encryption-key:write
system/energize-updates	Grants READ/WRITE permission to the system/energize-updates object	system/energize-updates:read system/energize-updates:write
system/exception- heuristics	Grants READ/WRITE permission to the system/exception- heuristics object	system/exception- heuristics:read system/exception-heuristics:write
system/export-log-filters	Grants READ/WRITE permission to the system/export-log-filters object	system/export-log-filters:read system/export-log-filters:write
	Grants READ/WRITE permission to the attack patterns object	system/export-log-settings:read system/export-log-settings:write
system/export-log-settings	Grants READ/WRITE permission to the system/export-log-settings object	system/ftp-access-logs:read system/ftp-access-logs:write
system/gdpr-compliance	Grants READ/WRITE permission to the system/gdpr-compliance object	system/gdpr-compliance:read system/gdpr-compliance:write
system/lan-configuration	Grants READ/WRITE permission to the system/lan-configuration object	system/lan-configuration:read system/lan-configuration:write
system/location	Grants READ/WRITE permission to the system/location object	system/location:read system/location:write
system/logs-format	Grants READ/WRITE permission to the system/logs-format object	system/logs-format:read system/logs-format:write
system/management-configuration	Grants READ/WRITE permission to the system/management-configuration object	system/management-configuration:read system/management-configuration:write
system/network-configuration	Grants READ/WRITE permission to the system/network-configuration object	system/network-configuration:read system/network-configuration:write
system/network-hsm	Grants READ/WRITE permission to the system/network-hsm object	system/network-hsm:read system/network-hsm:write
system/ng-firewall	Grants READ/WRITE permission to the system/ng-firewall object	system/ng-firewall:read system/ng-firewall:write
system/pattern-mode	Grants READ/WRITE permission to the system/pattern-mode object	system/pattern-mode:read system/pattern-mode:write
system/proxy-server	Grants READ/WRITE permission to the system/proxy-server object	system/proxy-server:read system/proxy-server:write
system/secure-administration	Grants READ/WRITE permission to the system/secure-administration object	system/secure-administration:read system/secure-administration:write
system/snmp	Grants READ/WRITE permission to the system/snmp object	system/snmp:read system/snmp:write
system/syslog-settings	Grants READ/WRITE permission to the system/syslog-settings object	system/syslog-settings:read system/syslog-settings:write
system/wan-configuration	Grants READ/WRITE permission to the system/wan-configuration object	system/wan-configuration:read system/wan-configuration:write
system/web-interface	Grants READ/WRITE permission to the system/web-interface object	system/web-interface:read system/web-interface:write
system	Grants READ/WRITE permission to the system object	system:read system:write
trap-receivers	Grants READ/WRITE permission to the trap-receivers object	trap-receivers:read trap-receivers:write
trusted-ca-certificate	Grants READ/WRITE permission to the trusted-ca-certificate object	trusted-ca-certificate:read trusted-ca-certificate:write
trusted-host-groups	Grants READ/WRITE permission to the trusted-host-groups object	trusted-host-groups:read trusted-host-groups:write
trusted-hosts	Grants READ/WRITE permission to the trusted-hosts object	trusted-hosts:read trusted-hosts:write
trusted-server-certificate	Grants READ/WRITE permission to the trusted-server-certificate object	trusted-server-certificate:read trusted-server-certificate:write
uploaded-certificate	Grants READ/WRITE permission to the uploaded-certificate object	uploaded-certificate:read uploaded-certificate:write
url-acls	Grants READ/WRITE permission to the url-acls object	url-acls:read url-acls:write
url-encryption-rules	Grants READ/WRITE permission to the url-encryption-rules object	url-encryption-rules:read url-encryption-rules:write
url-optimizers	Grants READ/WRITE permission to the url-optimizers object	url-optimizers:read url-optimizers:write
url-policies	Grants READ/WRITE permission to the url-policies object	url-policies:read url-policies:write
url-profiles	Grants READ/WRITE permission to the url-profiles object	url-profiles:read url-profiles:write
url-translations	Grants READ/WRITE permission to the url-translations object	url-translations:read url-translations:write
virtual-interfaces	Grants READ/WRITE permission to the virtual-interfaces object	virtual-interfaces:read virtual-interfaces:write
vlans	Grants READ/WRITE permission to the vlans object	vlans:read vlans:write
vsites	Grants READ/WRITE permission to the vsites object	vsites:read vsites:write
web-scraping-policies	Grants READ/WRITE permission to the web-scraping-policies object	web-scraping-policies:read web-scraping-policies:write
whitelisted-bots	Grants READ/WRITE permission to the whitelisted-bots object	whitelisted-bots:read whitelisted-bots:write