05-16-2017 02:03 PM
I have a number of 5240 Appliances running V3 with the Master/Media role. We are importing a number of tapes from another NBU environment and some of the retentions need to be amended.
I know I can use the /usr/openv/netbackup/bin/admincmd/bpexpdate -m xx1234 -d 06/30/18 command to affect all images on a tape, but this needs command line access which I don't want to grant to my admin staff.
How else can I do this?
AJ
05-16-2017 02:05 PM - edited 05-16-2017 02:07 PM
You can execute this command using a non-admin NetBackupCLI user.
Reference: https://www.veritas.com/support/en_US/article.v97047302_v121822011
(The reference points to the Virtual Appliance, but the concept is identical in the physical Appliance)
05-16-2017 02:08 PM
Once you create the NetBackupCLI user, just log in using that instead of "admin".
05-16-2017 03:37 PM
Thanks for the input.
I have one issue here though......
I have the staff involved defined already in the auth.conf with specific privileges as I don't want them to have admin rights, and NetBackupCLI is not sufficient. These users (although AD integration is implemented) have manual entries at the bottom of the auth.conf file (catch-all entry has been removed) granting them specific rights (JBP,MM,AM,DM). CLI is not available as one of these rights. If I add them as an AD user and grant them NetBackupCLI this entry will be populated in the middle section of the auth.conf and the manual entry granting all other privileges will never be reached. Dilemma......
Also, I cannot create a separate user for this task only as site security restrictions do not allow this.
Any thoughts?
AJ
05-19-2017 11:21 AM
Despite some efforts to eliminate it, CLI access is still the only way to do certain things in NetBackup. And yes, ADMIN.CONF doesn't cover it because of the requirement (which I've heard is relaxed in 8.0/3.0) for the NetBackup Admins to be local or domain Admins as well.
One solution which may work is for the people without CLI to type up the series of commands that need to be executed and then provide them to someone with CLI. Not only would this constitute "separation of duties/responsibilities" but also could be used as a "second set of eyes" review.
Another option is to not change the image expirations but change the tape expiration. That can be done via the GUI (right click on a tape, change). I haven't done this to see if it also updates the associated images but it might be worth some experimentation.
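For the review workflow suggested above (staff without CLI submit the commands, someone with CLI runs them), here is an added example, not part of the original posts, of a pre-check the CLI holder could run on a submitted batch. It assumes only the `bpexpdate -m <media> -d <date>` form from this thread is permitted, dates are mm/dd/yy, and media IDs are at most six alphanumerics; `check_line` and `review` are hypothetical names.

```python
import re
import shlex
from datetime import date, datetime

BPEXPDATE = "/usr/openv/netbackup/bin/admincmd/bpexpdate"  # path as given in the thread
MEDIA_ID = re.compile(r"^[A-Za-z0-9]{1,6}$")  # assumption: up to 6 alphanumerics
SHELL_META = set(";|&$`<>(){}*?!\\\n")  # anything that could chain or expand

def check_line(line, today):
    """Return (ok, reason) for one submitted command line."""
    if SHELL_META & set(line):
        return False, "shell metacharacter"
    try:
        argv = shlex.split(line)
    except ValueError:
        return False, "unbalanced quoting"
    if len(argv) != 5 or argv[0] != BPEXPDATE:
        return False, "not a plain bpexpdate call"
    if argv[1] != "-m" or argv[3] != "-d":
        return False, "only '-m <media> -d <date>' is allowed"
    if not MEDIA_ID.match(argv[2]):
        return False, "bad media ID"
    try:
        expiry = datetime.strptime(argv[4], "%m/%d/%y").date()
    except ValueError:
        return False, "date must be mm/dd/yy"
    if expiry <= today:
        # Policy choice for this example: retention may only be set forward.
        return False, "date is not in the future"
    return True, "ok"

def review(batch, today=None):
    """Check every non-blank line; return a list of (lineno, line, ok, reason)."""
    today = today or date.today()
    results = []
    for n, raw in enumerate(batch.splitlines(), 1):
        line = raw.strip()
        if line:
            results.append((n, line, *check_line(line, today)))
    return results

# Constructed sample batch; media IDs other than xx1234 are made up.
SAMPLE = """\
/usr/openv/netbackup/bin/admincmd/bpexpdate -m xx1234 -d 06/30/18
/usr/openv/netbackup/bin/admincmd/bpexpdate -m xx1235 -d 0
/usr/openv/netbackup/bin/admincmd/bpexpdate -m xx1236 -d 06/30/18; echo done
/usr/openv/netbackup/bin/admincmd/bpexpdate -m xx1237 -d 06/30/16
"""
RESULTS = review(SAMPLE, today=date(2017, 5, 19))  # fixed date keeps the run repeatable
```

Only lines that pass would be handed to the CLI session; the rejected lines and their reasons go back to the submitter.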