Barracuda Web Application Firewall

Role-Based Access for the Barracuda WAF REST APIs


API Privilege

The API Privilege setting controls whether a role can access the Barracuda REST APIs. By default, the value is set to No. Set the value to Yes if the role needs permission to use the REST APIs. Using the "administrator-roles" API, you can grant READ/WRITE permissions for the specific object(s) that the role needs access to. The table List of Supported Objects lists the objects supported in the Barracuda REST APIs and the syntax to use in the JSON when granting READ/WRITE permissions.

Create a Role and Grant Permission

The example JSON below describes how to create a new role and grant the required permissions to objects the role is accessing.

 [POST]
        http://<WAF-IP/WAF-Domain>:8000/restapi/v3/administrator-roles
    (Authorization) => Basic Auth
        a) username => {{token}}   [ensure that the token ends with a colon ':']
    (Body) => raw
              JSON(application/json)
    Inputs -
   ------
{
    "name": "sample_role",
    "services": [
        "_ALL_:read"
    ],
    "security-policies": [
        "_ALL_:read"
    ],
    "service-groups": [
        "_ALL_:read"
    ],
    "vsites": [
        "_ALL_:read"
    ],
    "operations": [
        "certificate-management"
    ],
    "objects":[
        "services:read",
        "security-policies:read",
        "url-profiles:read"
    ]
}

URL: /v3/administrator-roles

Method: POST

Description: Creates a new role and grants READ/WRITE permissions to the object the role is accessing

Input Parameters:

| Parameter Name | Data Type | Mandatory | Description |
|---|---|---|---|
| name | Alphanumeric | Yes | A name for the role. |
| services | Alphanumeric | Conditional | Grants permission to all the services configured in the Barracuda Web Application Firewall. "_ALL_:read" will grant READ permission to all the services created in Barracuda WAF. |
| security-policies | Alphanumeric | Conditional | Grants permission to all the security policies configured in the Barracuda Web Application Firewall. "_ALL_:read" will grant READ permission to all the security policies created in Barracuda WAF. |
| service-groups | Alphanumeric | Conditional | Grants permission to all the service groups configured in the Barracuda Web Application Firewall. "_ALL_:read" will grant READ permission to all the service groups created in Barracuda WAF. |
| vsites | Alphanumeric | Conditional | Grants permission to all the Vsites configured in the Barracuda Web Application Firewall. "_ALL_:read" will grant READ permission to all the Vsites created in Barracuda WAF. |
| operations | Alphanumeric | Conditional | Grants permission to all the operations configured in the Barracuda Web Application Firewall. "_ALL_:read" will grant READ permission to all the operations created in Barracuda WAF. |
| objects | Alphanumeric | Conditional | Grants permission to the generic objects specified. "services:read" will grant READ permission to the (generic) services object. |

RBA differences in UI vs API

  1. For editing a sub-resource the user role needs the following:
    1. A WRITE permission on that sub-resource and at least a READ permission on its object.
  2. To view access or firewall logs, a custom role should have at least a READ permission on the service whose logs it wants to view.
  3. If a user is creating/adding/editing a new object from the UI, the user role needs to have the following:
    1. WRITE access directly on that object.
    2. Access (either READ or WRITE) to its parent object.
    3. A WRITE permission on the tab/screen that the role is creating the object from.
  4. Granting permissions to an object from the Administrator-Roles API will automatically grant the same permission for the dependent screen(s) of that object and vice-versa (when done from the UI).

The predefined/factory shipped roles other than "Admin" do not have API Privilege.
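A pre-submission check for a role body, as an added example (not Barracuda code). It validates the `<target>:<read|write>` syntax, flags a wildcard that is not spelled `_ALL_`, warns on `_ALL_:write`, and applies rule 1 above to the `objects` list. It assumes that a sub-resource's object is the part of its name before the `/` and that only `objects` grants satisfy that rule; `lint_role`, `parse_grant` and the sample role are hypothetical names and constructed data.

```python
import json

# Keys of the role body whose entries use the "<target>:<read|write>" syntax.
GRANT_KEYS = ("services", "security-policies", "service-groups", "vsites", "objects")


def parse_grant(grant):
    """Split 'target:access'; return (target, access) or None if malformed."""
    target, sep, access = grant.rpartition(":")
    if not sep or not target or access not in ("read", "write"):
        return None
    return target, access


def lint_role(role):
    """Return (severity, message) findings for an administrator-roles body."""
    findings = []
    if not role.get("name"):
        findings.append(("error", "name is mandatory"))
    granted = {}  # target in the "objects" list -> set of access levels
    for key in GRANT_KEYS:
        for grant in role.get(key, []):
            parsed = parse_grant(grant)
            if parsed is None:
                findings.append(("error", f"{key}: malformed grant {grant!r}"))
                continue
            target, access = parsed
            if target != "_ALL_" and target.strip("_") == "ALL":
                findings.append(("error", f"{key}: wildcard is spelled _ALL_, not {target!r}"))
            elif target == "_ALL_" and access == "write":
                findings.append(("warn", f"{key}: _ALL_:write gives WRITE on every entry"))
            if key == "objects":
                granted.setdefault(target, set()).add(access)
    # Rule 1: WRITE on a sub-resource also needs READ (or WRITE) on its object.
    # Assumption: the object is the name before the "/" (services/caching -> services).
    for target, levels in granted.items():
        parent, slash, _ = target.partition("/")
        if slash and "write" in levels and not (granted.get(parent) or granted.get("_ALL_")):
            findings.append(("warn", f"objects: {target}:write without any grant on {parent}"))
    return findings


# Constructed sample: a misspelled wildcard, a blanket WRITE, an entry with no
# access level, and a sub-resource WRITE whose parent object is not granted.
SAMPLE_ROLE = json.loads("""
{
  "name": "policy_editor",
  "services": ["_ALL:read"],
  "security-policies": ["_ALL_:write"],
  "objects": ["security-policies/cloaking:write", "url-profiles:read", "backup"]
}
""")

if __name__ == "__main__":
    for severity, message in lint_role(SAMPLE_ROLE):
        print(f"{severity.upper():5} {message}")
```

Warnings are review prompts rather than rejections: a role that is meant to hold `_ALL_:write` should be a deliberate, documented exception.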

 


 

List of Supported Objects

The following table provides a list of objects supported in the Barracuda REST APIs and their syntax that should be used in the JSON when granting READ/WRITE permissions.
| Object | Description | Syntax used |
|---|---|---|
| _ALL_ | Grants READ/WRITE permission to all objects | _ALL_:read, _ALL_:write |
| access-rules | Grants READ/WRITE permission to the access-rules object | access-rules:read, access-rules:write |
| access-policies | Grants READ/WRITE permission to the access-policies object | access-policies:read, action-policies:write |
| adaptive-profiling-rules | Grants READ/WRITE permission to the adaptive-profiling-rules object | adaptive-profiling-rules:read, adaptive-profiling-rules:write |
| admin-ip-range | Grants READ/WRITE permission to the admin-ip-range object | admin-ip-range:read, admin-ip-range:write |
| allow-deny-clients | Grants READ/WRITE permission to the allow-deny-clients object | allow-deny-clients:read, allow-deny-clients:write |
| attack-patterns | Grants READ/WRITE permission to the attack-patterns object | attack-patterns:read, attack-patterns:write |
| attack-types | Grants READ/WRITE permission to the attack-types object | attack-types:read, attack-types:write |
| authorization-policies | Grants READ/WRITE permission to the authorization-policies object | authorization-policies:read, authorization-policies:write |
| auto-system-acls | Grants READ/WRITE permission to the auto-system-acls object | auto-system-acls:read, auto-system-acls:write |
| backup | Grants READ/WRITE permission to the backup object | backup:read, backup:write |
| bonds | Grants READ/WRITE permission to the bonds patterns object | bonds:read, bonds:write |
| client-certificate-crl | Grants READ/WRITE permission to the client-certificate-crls object | client-certificate-crls:read, client-certificate-crls:write |
| cluster/nodes | Grants READ/WRITE permission to the cluster/nodes object | cluster/nodes:read, cluster/nodes:write |
| Cluster | Grants READ/WRITE permission to the cluster object | cluster:read, cluster:write |
| Created-certificates | Grants READ/WRITE permission to created-certificate object | created-certificate:read, created-certificate:write |
| Credential servers | Grants READ/WRITE permission to the credential-servers object | credential-servers:read, credential-servers:write |
| custom-parameter-classes | Grants READ/WRITE permission to the custom-parameter-classes object | custom-parameter-classes:read, custom-parameter-classes:write |
| ddos-policies | Grants READ/WRITE permission to the ddos-policies object | ddos-policies:read, ddos-policies:write |
| destination-nats | Grants READ/WRITE permission to the destination-nats object | destination-nats:read, destination-nats:write |
| geo-pools | Grants READ/WRITE permission to the geo-pools object | geo-pools:read, geo-pools:write |
| geoip-allowed-networks | Grants READ/WRITE permission to the geoip-allowed-networks object | geoip-allowed-networks:read, geoip-allowed-networks:write |
| geoip-blocked-networks | Grants READ/WRITE permission to the geoip-blocked-networks object | geoip-blocked-networks:read, geoip-blocked-networks:write |
| global-acls | Grants READ/WRITE permission to the global-acls object | global-acls:read, global-acls:write |
| header-acls | Grants READ/WRITE permission to the header-acls object | header-acls:read, header-acls:write |
| http-request-rewrite-rules | Grants READ/WRITE permission to the http-request-rewrite-rules object | http-request-rewrite-rules:read, http-request-rewrite-rules:write |
| http-response-rewrite-rules | Grants READ/WRITE permission to the http-response-rewrite-rules object | http-response-rewrite-rules:read, http-response-rewrite-rules:write |
| identity-theft-patterns | Grants READ/WRITE permission to the identity-theft-patterns object | identity-theft-patterns:read, identity-theft-patterns:write |
| identity-types | Grants READ/WRITE permission to the identity-types object | identity-types:read, identity-types:write |
| input-patterns | Grants READ/WRITE permission to the input-patterns object | input-patterns:read, input-patterns:write |
| input-types | Grants READ/WRITE permission to the input-types object | input-types:read, input-types:write |
| interface-routes | Grants READ/WRITE permission to the interface-routes object | interface-routes:read, interface-routes:write |
|  | Grants READ/WRITE permission to the attack patterns object | internal-attack-patterns:read, internal-attack-patterns:write |
| json-profiles | Grants READ/WRITE permission to the json-profiles object | json-profiles:read, json-profiles:write |
| json-security-policies | Grants READ/WRITE permission to the json-security-policies object | json-security-policies:read, json-security-policies:write |
| kerberos-services | Grants READ/WRITE permission to the kerberos-services object | kerberos-services:read, kerberos-services:write |
| ldap-services | Grants READ/WRITE permission to the ldap-services object | ldap-services:read, ldap-services:write |
| local-groups | Grants READ/WRITE permission to the local-groups object | local-groups:read, local-groups:write |
| local-hosts | Grants READ/WRITE permission to the local-hosts object | local-hosts:read, local-hosts:write |
| local-users | Grants READ/WRITE permission to the local-users object | local-users:read, local-users:write |
| module-log-levels | Grants READ/WRITE permission to module-log-levels object | module-log-levels:read, module-log-levels:write |
| network-acls | Grants READ/WRITE permission to the network-acls object | network-acls:read, network-acls:write |
| network-interfaces | Grants READ/WRITE permission to the network-interface object | network-interfaces:read, network-interface:write |
| nodes | Grants READ/WRITE permission to the nodes object | nodes:read, nodes:write |
| ntp-servers | Grants READ/WRITE permission to the ntp-servers object | ntp-servers:read, ntp-servers:write |
| parameter-optimizers | Grants READ/WRITE permission to the parameter-optimizers object | parameter-optimizers:read, parameter-optimizers:write |
| parameter-profiles | Grants READ/WRITE permission to the parameter-profiles object | parameter-profiles:read, parameter-profiles:write |
| preferred-clients | Grants READ/WRITE permission to preferred-clients object | preferred-clients:read, preferred-clients:write |
| protected-data-types | Grants READ/WRITE permission to the protected-data-types object | protected-data-types:read, protected-data-types:write |
| radius-services | Grants READ/WRITE permission to the radius-services object | radius-services:read, radius-services:write |
| rate-control-pools | Grants READ/WRITE permission to rate-control-pools object | rate-control-pools:read, rate-control-pools:write |
| reports | Grants READ/WRITE permission to the reports object | reports:read, reports:write |
| response-body-rewrite-rules | Grants READ/WRITE permission to the response-body-rewrite-rules object | response-body-rewrite-rules:read, response-body-rewrite-rules:write |
| response-pages | Grants READ/WRITE permission to the response-pages object | response-pages:read, response-pages:write |
| rsa-securid-services | Grants READ/WRITE permission to the rsa-securid-services object | rsa-securid-services:read, rsa-securid-services:write |
| saml-services | Grants READ/WRITE permission to the saml-services object | saml-services:read, saml-services:write |
| secure-browsing-policies | Grants READ/WRITE permission to the secure-browsing-policies object | secure-browsing-policies:read, secure-browsing-policies:write |
| security-policies/cloaking | Grants READ/WRITE permission to the security-policies/cloaking object | security-policies/cloaking:read, security-policies/cloaking:write |
| security-policies/cookie-security | Grants READ/WRITE permission to the security-policies/cookie-security object | security-policies/cookie-security:read, security-policies/cookie-security:write |
| security-policies/parameter-protection | Grants READ/WRITE permission to the security-policies/parameter-protection object | security-policies/parameter-protection:read, security-policies/parameter-protection:write |
| security-policies/request-limits | Grants READ/WRITE permission to the security-policies/request-limits object | security-policies/request-limits:read, security-policies/request-limits:write |
| security-policies/url-normalization | Grants READ/WRITE permission to the security-policies/url-normalization object | security-policies/url-normalization:read, security-policies/url-normalization:write |
| security-policies/url-protection | Grants READ/WRITE permission to the security-policies/url-protection object | security-policies/url-protection:read, security-policies/url-protection:write |
| security-policies | Grants READ/WRITE permission to the security-policies object | security-policies:read, security-policies:write |
| service-groups | Grants READ/WRITE permission to the service-groups object | service-groups:read, service-groups:write |
| services/adaptive-profiling | Grants READ/WRITE permission to the services/adaptive-profiling object | services/adaptive-profiling:read, services/adaptive-profiling:write |
| services/authentication | Grants READ/WRITE permission to the services/authentication object | services/authentication:read, services/authentication:write |
| services/basic-security | Grants READ/WRITE permission to the services/basic-security object | services/basic-security:read, services/basic-security:write |
| services/caching | Grants READ/WRITE permission to the services/caching object | services/caching:read, services/caching:write |
| services/clickjacking | Grants READ/WRITE permission to the services/clickjacking object | services/clickjacking:read, services/clickjacking:write |
| services/compression | Grants READ/WRITE permission to the services/compression object | services/compression:read, services/compression:write |
| services/comment-spam | Grants READ/WRITE permission to the services/comment-spam | services/comment-spam:read, services/comment-spam:write |
| services/exception-profiling | Grants READ/WRITE permission to the services/exception-profiling object | services/exception-profiling:read, services/exception-profiling:write |
| services/ftp-security | Grants READ/WRITE permission to the services/ftp-security object | services/ftp-security:read, services/ftp-security:write |
| services/ip-reputation | Grants READ/WRITE permission to the services/ip-reputation object | services/ip-reputation:read, services/ip-reputation:write |
| services/referer-spam | Grants READ/WRITE permission to the services/referer-spam object | services/referer-spam:read, services/referer-spam:write |
| services/sensitive-parameter-names | Grants READ/WRITE permission to the services/sensitive-parameter-names object | services/sensitive-parameter-names:read, services/sensitive-parameter-names:write |
| services/session-tracking | Grants READ/WRITE permission to the services/session-tracking object | services/session-tracking:read, services/session-tracking:write |
| services/slow-client-attack | Grants READ/WRITE permission to the services/slow-client-attack object | services/slow-client-attack:read, services/slow-client-attack:write |
| services/ssl-ocsp | Grants READ/WRITE permission to the services/ssl-ocsp object | services/ssl-ocsp:read, services/ssl-ocsp:write |
| services/url-encryption | Grants READ/WRITE permission to the services/url-encryption object | services/url-encryption:read, services/url-encryption:write |
| services/website-profile | Grants READ/WRITE permission to the services/website-profile object | services/website-profile:read, services/website-profile:write |
| services | Grants READ/WRITE permission to the services object | services:read, services:write |
| session-identifiers | Grants READ/WRITE permission to the session-identifiers object | session-identifiers:read, session-identifiers:write |
| source-nats | Grants READ/WRITE permission to the source-nats object | source-nats:read, source-nats:write |
| static-routes | Grants READ/WRITE permission to the static-routes object | static-routes:read, static-routes:write |
| system/azure-config | Grants READ/WRITE permission to the system/azure-config object | system/azure-config:read, system/azure-config:write |
| syslog-servers | Grants READ/WRITE permission to the syslog-servers object | syslog-servers:read, syslog-servers:write |
| system/advanced-settings | Grants READ/WRITE permission to the system/advanced-settings object | system/advanced-settings:read, system/advanced-settings:write |
| system/appearance | Grants READ/WRITE permission to the system/appearance object | system/appearance:read, system/appearance:write |
| system/cookies-and-parameters | Grants READ/WRITE permission to the system/cookies-and-parameters object | system/cookies-and-parameters:read, system/cookies-and-parameters:write |
| system/custom-headers | Grants READ/WRITE permission to the system/custom-headers object | system/custom-headers:read, system/custom-headers:write |
| system/dns | Grants READ/WRITE permission to the system/dns object | system/dns:read, system/dns:write |
| system/email-notifications | Grants READ/WRITE permission to the system/email-notifications object | system/email-notifications:read, system/email-notifications:write |
| system/encryption-key | Grants READ/WRITE permission to the system/encryption-key object | system/encryption-key:read, system/encryption-key:write |
| system/energize-updates | Grants READ/WRITE permission to the system/energize-updates object | system/energize-updates:read, system/energize-updates:write |
| system/exception-heuristics | Grants READ/WRITE permission to the system/exception-heuristics object | system/exception-heuristics:read, system/exception-heuristics:write |
| system/export-log-filters | Grants READ/WRITE permission to the system/export-log-filters object | system/export-log-filters:read, system/export-log-filters:write |
|  | Grants READ/WRITE permission to the attack patterns object | system/export-log-settings:read, system/export-log-settings:write |
| system/export-log-settings | Grants READ/WRITE permission to the system/export-log-settings object | system/ftp-access-logs:read, system/ftp-access-logs:write |
| system/gdpr-compliance | Grants READ/WRITE permission to the system/gdpr-compliance object | system/gdpr-compliance:read, system/gdpr-compliance:write |
| system/lan-configuration | Grants READ/WRITE permission to the system/lan-configuration object | system/lan-configuration:read, system/lan-configuration:write |
| system/location | Grants READ/WRITE permission to the system/location object | system/location:read, system/location:write |
| system/logs-format | Grants READ/WRITE permission to the system/logs-format object | system/logs-format:read, system/logs-format:write |
| system/management-configuration | Grants READ/WRITE permission to the system/management-configuration object | system/management-configuration:read, system/management-configuration:write |
| system/network-configuration | Grants READ/WRITE permission to the system/network-configuration object | system/network-configuration:read, system/network-configuration:write |
| system/network-hsm | Grants READ/WRITE permission to the system/network-hsm object | system/network-hsm:read, system/network-hsm:write |
| system/ng-firewall | Grants READ/WRITE permission to the system/ng-firewall object | system/ng-firewall:read, system/ng-firewall:write |
| system/pattern-mode | Grants READ/WRITE permission to the system/pattern-mode object | system/pattern-mode:read, system/pattern-mode:write |
| system/proxy-server | Grants READ/WRITE permission to the system/proxy-server object | system/proxy-server:read, system/proxy-server:write |
| system/secure-administration | Grants READ/WRITE permission to the system/secure-administration object | system/secure-administration:read, system/secure-administration:write |
| system/snmp | Grants READ/WRITE permission to the system/snmp object | system/snmp:read, system/snmp:write |
| system/syslog-settings | Grants READ/WRITE permission to the system/syslog-settings object | system/syslog-settings:read, system/syslog-settings:write |
| system/wan-configuration | Grants READ/WRITE permission to the system/wan-configuration object | system/wan-configuration:read, system/wan-configuration:write |
| system/web-interface | Grants READ/WRITE permission to the system/web-interface object | system/web-interface:read, system/web-interface:write |
| system | Grants READ/WRITE permission to the system object | system:read, system:write |
| trap-receivers | Grants READ/WRITE permission to the trap-receivers object | trap-receivers:read, trap-receivers:write |
| trusted-ca-certificate | Grants READ/WRITE permission to the trusted-ca-certificate object | trusted-ca-certificate:read, trusted-ca-certificate:write |
| trusted-host-groups | Grants READ/WRITE permission to the trusted-host-groups object | trusted-host-groups:read, trusted-host-groups:write |
| trusted-hosts | Grants READ/WRITE permission to the trusted-hosts object | trusted-hosts:read, trusted-hosts:write |
| trusted-server-certificate | Grants READ/WRITE permission to the trusted-server-certificate object | trusted-server-certificate:read, trusted-server-certificate:write |
| uploaded-certificate | Grants READ/WRITE permission to the uploaded-certificate object | uploaded-certificate:read, uploaded-certificate:write |
| url-acls | Grants READ/WRITE permission to the url-acls object | url-acls:read, url-acls:write |
| url-encryption-rules | Grants READ/WRITE permission to the url-encryption-rules object | url-encryption-rules:read, url-encryption-rules:write |
| url-optimizers | Grants READ/WRITE permission to the url-optimizers object | url-optimizers:read, url-optimizers:write |
| url-policies | Grants READ/WRITE permission to the url-policies object | url-policies:read, url-policies:write |
| url-profiles | Grants READ/WRITE permission to the url-profiles object | url-profiles:read, url-profiles:write |
| url-translations | Grants READ/WRITE permission to the url-translations object | url-translations:read, url-translations:write |
| virtual-interfaces | Grants READ/WRITE permission to the virtual-interfaces object | virtual-interfaces:read, virtual-interfaces:write |
| vlans | Grants READ/WRITE permission to the vlans object | vlans:read, vlans:write |
| vsites | Grants READ/WRITE permission to the vsites object | vsites:read, vsites:write |
| web-scraping-policies | Grants READ/WRITE permission to the web-scraping-policies object | web-scraping-policies:read, web-scraping-policies:write |
| whitelisted-bots | Grants READ/WRITE permission to the whitelisted-bots object | whitelisted-bots:read, whitelisted-bots:write |
