Tabriz
Level 5
3 years ago

Create Read Only User

Who has experience related to this issue? I read about the NBAC.

But I don't want to take the risk. Who can help me to do this procedure correctly?

So, in our infrastructure, the Master and Media Server are the same.

How do I create a read-only user for the NBU Client (Console Administration 7.7.3)?

Thanks beforehand!

Best regards,

Tabriz

8 Replies

    • Tabriz
      Level 5

      Hi Nicolai,

      Thank you for the response!

      I have created a new user in NBU Appliance Main>Manage>NetbackupCLI> Create a new user.

      Now do I need to define any permissions for the new user? Where can I define the permissions? From the auth.conf file?

       

      Thanks

      • davidmoline
        Level 6

        Hi Tabriz

        I agree with Nicolai that NBAC is a beast and should be avoided. What are you trying to achieve though? What do you want to allow (or stop) your user from doing? (I'd suggest RBAC, but of course this is not possible for the version you are using).

        As for auth.conf, the following should help you craft an entry for a particular user - there are more details on this in one of the Server Admin guides

        The following is a sample content of the auth.conf file on a Windows NetBackup master server:
        Windows-domain\BKADMIN ADMIN=ALL JBP=ALL
        Windows-domain\BKOPS ADMIN=AM JBP=ENDUSER+BU
        * ADMIN=JBP JBP=ENDUSER+BU

        The above sample auth.conf file allows:

        • Windows-domain\BKADMIN user to fully manage the NetBackup environment
        • Windows-domain\BKOPS user to monitor NetBackup Activity Monitor and perform backup and restore tasks
        • All other users to use BAR GUI and perform backup and restore tasks

        The auth.conf file can be configured with specific Windows domain users with ADMIN and JBP keywords (this assumes the system can authenticate using AD, otherwise use local system users).

        ADMIN keyword specifies the NetBackup administration applications and the related administrator capabilities.

        JBP keyword specifies the NetBackup Backup, Archive, and Restore client application (BAR GUI) and the related capabilities.

        The table below shows the NetBackup Java Authorisation ADMIN keywords.

        Table 1 Java Authorisation Admin Keywords

        | ADMIN Keyword | Capability/Application |
        |---|---|
        | ALL | Indicates that the user has administrative privileges for all of the applications that are listed in this table. |
        | AM | Activity Monitor |
        | BMR | Bare Metal Restore |
        | BPM | Backup Policy Management |
        | BAR or JBP | Backup, Archive, and Restore |
        | CAT | Catalog |
        | DM | Device Monitor |
        | HPD | Host Properties |
        | MM | Media Management |
        | REP | Reports |
        | SUM | Storage Unit Management |
        | VLT | Vault Management |


        The table below shows the NetBackup Java Authorisation JBP keywords.

        Table 2 Java Authorisation JBP Keywords

        | JBP Keyword | Capability/Application |
        |---|---|
        | ALL | Allows the users to perform all actions, including server-directed restores. (Restores to a client that is different from the client that is logged into.) Server-directed restores can only be performed from a NetBackup master server. |
        | ENDUSER | Allows the users to perform restore tasks from true image or regular backups plus redirected restores. |
        | BU | Allows the users to perform backup tasks. |
        | ARC | Allows the users to perform archive tasks. The capability to perform backups (BU) is required to allow archive tasks. |
        | RAWPART | Allows the users to perform raw partition restores. |
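
Added example (not part of davidmoline's post and not Veritas code): a small Python audit of auth.conf entries in the format shown above, which checks keywords against Tables 1 and 2, flags ALL grants and the ARC-without-BU case, and resolves which entry applies to a user. The BKAUDIT line and the first-match resolution rule in `effective` are assumptions of this example.

```python
# Keyword sets copied from Table 1 (ADMIN) and Table 2 (JBP) of the post above.
ADMIN_KW = {"ALL", "AM", "BMR", "BPM", "BAR", "JBP", "CAT", "DM",
            "HPD", "MM", "REP", "SUM", "VLT"}
JBP_KW = {"ALL", "ENDUSER", "BU", "ARC", "RAWPART"}
ALLOWED = {"ADMIN": ADMIN_KW, "JBP": JBP_KW}

# BKADMIN, BKOPS and "*" are the sample lines from the post; the BKAUDIT
# line is constructed for this example so that the checks have something to find.
SAMPLE = r"""
Windows-domain\BKADMIN ADMIN=ALL JBP=ALL
Windows-domain\BKOPS ADMIN=AM JBP=ENDUSER+BU
Windows-domain\BKAUDIT ADMIN=AM+RPT JBP=ARC
* ADMIN=JBP JBP=ENDUSER+BU
"""

def parse_auth_conf(text):
    """Return [(user, {"ADMIN": set, "JBP": set})] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, *fields = line.split()
        grants = {"ADMIN": set(), "JBP": set()}
        for field in fields:
            key, _, value = field.partition("=")
            if key not in grants:
                raise ValueError(f"unexpected field {field!r} for {user}")
            grants[key] = set(value.split("+"))
        entries.append((user, grants))
    return entries

def audit(entries):
    """Return (user, finding) pairs for entries worth a second look."""
    findings = []
    for user, grants in entries:
        for key, kws in grants.items():
            for kw in sorted(kws - ALLOWED[key]):
                findings.append((user, f"unknown {key} keyword {kw}"))
            if "ALL" in kws:
                findings.append((user, f"{key}=ALL grants every {key} capability"))
        jbp = grants["JBP"]
        if "ARC" in jbp and not jbp & {"BU", "ALL"}:
            findings.append((user, "JBP has ARC without BU"))
        if user == "*" and (grants["ADMIN"] or jbp):
            findings.append((user, "default entry applies to all other users"))
    return findings

def effective(entries, user):
    """Assumed rule: first line whose user field equals `user` or is '*'."""
    return next((g for name, g in entries if name in (user, "*")), None)
```
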

  • Dear davidmoline,

    Firstly, thank you for the wide information.
    I'm sorry, I couldn't quite understand.

    I created a new user in NBU Appliance 5230 with this command:
    Main->Support>Manage>Create username

    But after creating the user I couldn't log in to the Java Administration Console (client software for monitoring and backing up the hosts).

    To log in to the GUI (client software), must I add the new user to auth.conf, in which the admin user was added?

     

    Br,

     

    Tabriz