Role-Based Access for the Barracuda WAF REST APIs

API Privilege

The API Privilege setting controls whether a role can access the Barracuda REST APIs. By default the value is set to No. Set the value to Yes if you want the role to have permission to use the REST APIs. Using the "administrator-roles" API, you can then grant READ/WRITE permissions on the specific object(s) that this role needs access to. Refer to the table List of Supported Objects for the objects supported in the Barracuda REST APIs and the syntax to use in the JSON when granting READ/WRITE permissions.

Create a Role and Grant Permission

The example request below shows how to create a new role and grant it the required permissions on the objects it accesses.

[POST] http://<WAF-IP or WAF-Domain>:8000/restapi/v3/administrator-roles

Authorization => Basic Auth
  a) username => {{token}} [ensure that the token ends with a colon ':']

Body => raw JSON (application/json)

Inputs
------
{
  "name": "sample_role",
  "services": [ "_ALL_:read" ],
  "security-policies": [ "_ALL_:read" ],
  "service-groups": [ "_ALL_:read" ],
  "vsites": [ "_ALL_:read" ],
  "operations": [ "certificate-management" ],
  "objects": [
    "services:read",
    "security-policies:read",
    "url-profiles:read"
  ]
}
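The request above, scripted end to end as an added example (not Barracuda's own code): it builds the Basic Auth header from the token, validates every permission entry against the "object:read|write" syntax and a subset of the supported-objects list before anything is sent, and posts the role. The host name, token and the SUPPORTED_OBJECTS subset are assumptions for illustration.

```python
import base64
import json
import urllib.request

# Object names taken from this page (supported-objects table and the sample
# request); extend the set from the full table for your deployment.
SUPPORTED_OBJECTS = {
    "_ALL_", "services", "security-policies", "service-groups", "vsites",
    "url-profiles", "access-rules", "security-policies/cloaking",
}

def auth_header(token):
    """Basic Auth as the page describes it: the API token is the username,
    the password is empty, so the encoded credential must end with ':'."""
    cred = token if token.endswith(":") else token + ":"
    return "Basic " + base64.b64encode(cred.encode()).decode()

def parse_permission(perm):
    """Split '<object>:read' / '<object>:write'; anything else is rejected."""
    obj, sep, action = perm.rpartition(":")
    if not sep or not obj or action not in ("read", "write"):
        raise ValueError(f"bad permission syntax: {perm!r}")
    return obj, action

def build_role(name, objects, services=("_ALL_:read",),
               security_policies=("_ALL_:read",), service_groups=("_ALL_:read",),
               vsites=("_ALL_:read",), operations=()):
    """Assemble the administrator-roles body and validate it client-side so a
    mistyped object name or action never reaches the appliance."""
    for perm in objects:
        obj, _ = parse_permission(perm)
        if obj not in SUPPORTED_OBJECTS:
            raise ValueError(f"unsupported object in 'objects': {obj!r}")
    for perm in (*services, *security_policies, *service_groups, *vsites):
        parse_permission(perm)  # syntax only: these name deployment-specific items
    return {"name": name, "services": list(services),
            "security-policies": list(security_policies),
            "service-groups": list(service_groups), "vsites": list(vsites),
            "operations": list(operations), "objects": list(objects)}

def create_role(waf_host, token, body):
    """POST the body to /restapi/v3/administrator-roles on port 8000 (as on
    this page) and return the HTTP status code."""
    req = urllib.request.Request(
        f"http://{waf_host}:8000/restapi/v3/administrator-roles",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": auth_header(token),
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

A call such as create_role("waf.example.internal", "<api-token>", build_role("sample_role", ["services:read", "url-profiles:read"], operations=("certificate-management",))) reproduces the sample request.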

URL: /v3/administrator-roles

Method: POST

Description: Creates a new role and grants READ/WRITE permissions on the objects the role accesses.

Input Parameters

Each parameter is listed with its Parameter Name, Data Type, Mandatory flag and Description.

name
  Data Type: Alphanumeric
  Mandatory: Yes
  A name for the role.

services
  Data Type: Alphanumeric
  Mandatory: Conditional
  Grants permission to the services configured in the Barracuda Web Application Firewall. "_ALL_:read" grants READ permission to all the services created in the Barracuda WAF.

security-policies
  Data Type: Alphanumeric
  Mandatory: Conditional
  Grants permission to the security policies configured in the Barracuda Web Application Firewall. "_ALL_:read" grants READ permission to all the security policies created in the Barracuda WAF.

service-groups
  Data Type: Alphanumeric
  Mandatory: Conditional
  Grants permission to the service groups configured in the Barracuda Web Application Firewall. "_ALL_:read" grants READ permission to all the service groups created in the Barracuda WAF.

vsites
  Data Type: Alphanumeric
  Mandatory: Conditional
  Grants permission to the Vsites configured in the Barracuda Web Application Firewall. "_ALL_:read" grants READ permission to all the Vsites created in the Barracuda WAF.

operations
  Data Type: Alphanumeric
  Mandatory: Conditional
  Grants permission to the operations configured in the Barracuda Web Application Firewall. "_ALL_:read" grants READ permission to all the operations created in the Barracuda WAF.

objects
  Data Type: Alphanumeric
  Mandatory: Conditional
  Grants permission to the generic objects specified. "services:read" grants READ permission to the (generic) services object.

RBA differences in UI vs API

  1. To edit a sub-resource, the user role needs a WRITE permission on that sub-resource and at least a READ permission on its object.

  2. Any custom role must have at least a READ permission on a service in order to view that service's access or firewall logs.

  3. If a user is creating/adding/editing a new object from the UI, the user role needs to have the following:

    1. WRITE access directly on that object.

    2. Accessibility (either READ or WRITE) to its parent object.

    3. A WRITE permission on the tab/screen from which the role is creating the object.

  4. Granting permissions to an object from the Administrator-Roles API will automatically grant the same permission for the dependent screen(s) of that object and vice-versa (when done from the UI).
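A least-privilege check for rule 1 above, added here as an example rather than taken from the product: given a role's "objects" list, it reports which permissions are still missing before the role can edit a sub-resource. It assumes the parent object is the path prefix of the sub-resource name (for example security-policies for security-policies/cloaking, as the supported-objects table names them), that _ALL_ matches every object, and that "at least READ" is satisfied by either read or write.

```python
def parse_permission(perm):
    """Split '<object>:read' / '<object>:write'; anything else is rejected."""
    obj, sep, action = perm.rpartition(":")
    if not sep or not obj or action not in ("read", "write"):
        raise ValueError(f"bad permission syntax: {perm!r}")
    return obj, action

def granted_actions(role_objects):
    """Map each object to the set of actions granted on it."""
    granted = {}
    for perm in role_objects:
        obj, action = parse_permission(perm)
        granted.setdefault(obj, set()).add(action)
    return granted

def missing_for_sub_resource_edit(role_objects, sub_resource):
    """Return the permissions the role still lacks to edit sub_resource under
    rule 1 (WRITE on the sub-resource, at least READ on its object).
    An empty list means the edit is allowed."""
    if "/" not in sub_resource:
        raise ValueError("not a sub-resource: " + sub_resource)
    parent = sub_resource.rsplit("/", 1)[0]   # assumption: parent = path prefix
    granted = granted_actions(role_objects)
    wildcard = granted.get("_ALL_", set())    # '_ALL_' covers every object
    missing = []
    if "write" not in granted.get(sub_resource, set()) | wildcard:
        missing.append(sub_resource + ":write")
    # "at least READ" on the parent: read or write both satisfy it (assumption)
    if not (granted.get(parent, set()) | wildcard):
        missing.append(parent + ":read")
    return missing
```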

The predefined/factory shipped roles other than "Admin" do not have API Privilege.
List of Supported Objects

The following table provides a list of objects supported in the Barracuda REST APIs and their syntax that should be used in the JSON when granting READ/WRITE permissions.

Each entry below lists the Object, its Description, and the Syntax used in the JSON.

_ALL_

Grants READ/WRITE permission to all objects

_ALL_:read
_ALL_:write

access-rules

Grants READ/WRITE permission to the access-rules Object

access-rules:read
access-rules:write

access-policies

Grants READ/WRITE permission to the access-policies object

access-policies:read
access-policies:write

adaptive-profiling-rules

Grants READ/WRITE permission to the adaptive-profiling-rules object

adaptive-profiling-rules:read
adaptive-profiling-rules:write

admin-ip-range

Grants READ/WRITE permission to the admin-ip-range object

admin-ip-range:read
admin-ip-range:write

allow-deny-clients

Grants READ/WRITE permission to the allow-deny-clients object

allow-deny-clients:read
allow-deny-clients:write

attack-patterns

Grants READ/WRITE permission to the attack-patterns object

attack-patterns:read
attack-patterns:write

attack-types

Grants READ/WRITE permission to the attack-types object

attack-types:read
attack-types:write

authorization-policies

Grants READ/WRITE permission to the authorization-policies object

authorization-policies:read
authorization-policies:write

auto-system-acls

Grants READ/WRITE permission to the auto-system-acls object

auto-system-acls:read
auto-system-acls:write

backup

Grants READ/WRITE permission to the backup object

backup:read
backup:write

bonds

Grants READ/WRITE permission to the bonds object

bonds:read
bonds:write

client-certificate-crls

Grants READ/WRITE permission to the client-certificate-crls object

client-certificate-crls:read
client-certificate-crls:write

cluster/nodes

Grants READ/WRITE permission to the cluster/nodes object

cluster/nodes:read
cluster/nodes:write

cluster

Grants READ/WRITE permission to the cluster object

cluster:read
cluster:write

created-certificates

Grants READ/WRITE permission to the created-certificate object

created-certificate:read
created-certificate:write

credential-servers

Grants READ/WRITE permission to the credential-servers object

credential-servers:read
credential-servers:write

custom-parameter-classes

Grants READ/WRITE permission to the custom-parameter-classes object

custom-parameter-classes:read
custom-parameter-classes:write

ddos-policies

Grants READ/WRITE permission to the ddos-policies object

ddos-policies:read
ddos-policies:write

destination-nats

Grants READ/WRITE permission to the destination-nats object

destination-nats:read
destination-nats:write

geo-pools

Grants READ/WRITE permission to the geo-pools object

geo-pools:read
geo-pools:write

geoip-allowed-networks

Grants READ/WRITE permission to the geoip-allowed-networks object

geoip-allowed-networks:read
geoip-allowed-networks:write

geoip-blocked-networks

Grants READ/WRITE permission to the geoip-blocked-networks object

geoip-blocked-networks:read
geoip-blocked-networks:write

global-acls

Grants READ/WRITE permission to the global-acls object

global-acls:read
global-acls:write

header-acls

Grants READ/WRITE permission to the header-acls object

header-acls:read
header-acls:write

http-request-rewrite-rules

Grants READ/WRITE permission to the http-request-rewrite-rules object

http-request-rewrite-rules:read
http-request-rewrite-rules:write

http-response-rewrite-rules

Grants READ/WRITE permission to the http-response-rewrite-rules object

http-response-rewrite-rules:read
http-response-rewrite-rules:write

identity-theft-patterns

Grants READ/WRITE permission to the identity-theft-patterns object

identity-theft-patterns:read
identity-theft-patterns:write

identity-types

Grants READ/WRITE permission to the identity-types object

identity-types:read
identity-types:write

input-patterns

Grants READ/WRITE permission to the input-patterns object

input-patterns:read
input-patterns:write

input-types

Grants READ/WRITE permission to the input-types object

input-types:read
input-types:write

interface-routes

Grants READ/WRITE permission to the interface-routes object

interface-routes:read
interface-routes:write

internal-attack-patterns

Grants READ/WRITE permission to the internal-attack-patterns object

internal-attack-patterns:read
internal-attack-patterns:write

json-profiles

Grants READ/WRITE permission to the json-profiles object

json-profiles:read
json-profiles:write

json-security-policies

Grants READ/WRITE permission to the json-security-policies object

json-security-policies:read
json-security-policies:write

kerberos-services

Grants READ/WRITE permission to the kerberos-services object

kerberos-services:read
kerberos-services:write

ldap-services

Grants READ/WRITE permission to the ldap-services object

ldap-services:read
ldap-services:write

local-groups

Grants READ/WRITE permission to the local-groups object

local-groups:read
local-groups:write

local-hosts

Grants READ/WRITE permission to the local-hosts object

local-hosts:read
local-hosts:write

local-users

Grants READ/WRITE permission to the local-users object

local-users:read
local-users:write

module-log-levels

Grants READ/WRITE permission to the module-log-levels object

module-log-levels:read
module-log-levels:write

network-acls

Grants READ/WRITE permission to the network-acls object

network-acls:read
network-acls:write

network-interfaces

Grants READ/WRITE permission to the network-interfaces object

network-interfaces:read
network-interfaces:write

nodes

Grants READ/WRITE permission to the nodes object

nodes:read
nodes:write

ntp-servers

Grants READ/WRITE permission to the ntp-servers object

ntp-servers:read
ntp-servers:write

parameter-optimizers

Grants READ/WRITE permission to the parameter-optimizers object

parameter-optimizers:read
parameter-optimizers:write

parameter-profiles

Grants READ/WRITE permission to the parameter-profiles object

parameter-profiles:read
parameter-profiles:write

preferred-clients

Grants READ/WRITE permission to the preferred-clients object

preferred-clients:read
preferred-clients:write

protected-data-types

Grants READ/WRITE permission to the protected-data-types object

protected-data-types:read
protected-data-types:write

radius-services

Grants READ/WRITE permission to the radius-services object

radius-services:read
radius-services:write

rate-control-pools

Grants READ/WRITE permission to the rate-control-pools object

rate-control-pools:read
rate-control-pools:write

reports

Grants READ/WRITE permission to the reports object

reports:read
reports:write

response-body-rewrite-rules

Grants READ/WRITE permission to the response-body-rewrite-rules object

response-body-rewrite-rules:read
response-body-rewrite-rules:write

response-pages

Grants READ/WRITE permission to the response-pages object

response-pages:read
response-pages:write

rsa-securid-services

Grants READ/WRITE permission to the rsa-securid-services object

rsa-securid-services:read
rsa-securid-services:write

saml-services

Grants READ/WRITE permission to the saml-services object

saml-services:read
saml-services:write

secure-browsing-policies

Grants READ/WRITE permission to the secure-browsing-policies object

secure-browsing-policies:read
secure-browsing-policies:write

security-policies/cloaking

Grants READ/WRITE permission to the security-policies/cloaking object

security-policies/cloaking:read
security-policies/cloaking:write

security-policies/cookie-security

Grants READ/WRITE permission to the security-policies/cookie-security object

security-policies/cookie-security:read
security-policies/cookie-security:write

security-policies/parameter-protection

Grants READ/WRITE permission to the security-policies/parameter-protection object

security-policies/parameter-protection:read
security-policies/parameter-protection:write

security-policies/request-limits

Grants READ/WRITE permission to the security-policies/request-limits object

security-policies/request-limits:read
security-policies/request-limits:write

security-policies/url-normalization

Grants READ/WRITE permission to the security-policies/url-normalization object

security-policies/url-normalization:read
security-policies/url-normalization:write

security-policies/url-protection

Grants READ/WRITE permission to the security-policies/url-protection object

security-policies/url-protection:read
security-policies/url-protection:write

security-policies

Grants READ/WRITE permission to the security-policies object

security-policies:read
security-policies:write

service-groups

Grants READ/WRITE permission to the service-groups object

service-groups:read
service-groups:write