05-10-2017 12:17 AM
How do I give user rights to use this "Netbackup Management -> Applications" menu in Netbackup Administration Console?
Netbackup 7.7.1
Now I have in auth.conf file:
user ADMIN=AM+BPM+BAR+CAT+HPD+REP JBP=ALL
And user have no rights to mentioned menu.
Looked in:
https://www.veritas.com/support/en_US/article.000121303
there is no such option...
Rgds,
Ahto
05-10-2017 12:54 AM
For granualr access you need NBAC - which I don't recommend.
For non-root access with administrative right to whole the Netbackup enviroment, you need Enhanced Auditing.
http://www.veritas.com/docs/000124456
More information in the "Netbackup Security and Encryption" guide
05-10-2017 01:32 AM
NBAC is configured.
Also line "USE_AUTH_CONF_NBAC = YES" in bp.conf.
Our DBA-s need access to this menu.
I do not want to give them "user ADMIN=ALL JBP=ALL" - this also works.
But line "user ADMIN=AM+BPM+BAR+CAT+HPD+REP JBP=ALL" - no access to "Application" menu.
So my question was - is there any undocumented option to configure auth.conf file?
Rgds,
Ahto
05-10-2017 04:53 AM
I am guessing you are using Oracle intelligent Policies.
Auth.conf only offer the sections you have already showed us.
If using NBAC you check out the section 6 in the "NetBackup 7.7 Security and Encryption Guide" - "Object permissions". NBAC permissions superceed auth.conf permissions. I haven't check if there is a object permission for "Applications".
05-10-2017 05:47 AM
Yes, you are right - we use both Oracle and MSSQL intelligent policies.
And I also get so far.
But I cannot find anywhere what authorization object is this "Applications" menu...
Rgds,
Ahto
05-11-2017 12:38 AM
Application may very well not be implemented in both auth.conf and NBAC. BMR and logging assistant in the GUI is also not NBAC implemented.
That said, Veritas is working on RBAC that will replace NBAC completely. It expect it to be released in 8.X
Best Regards
Nicolai
05-11-2017 01:09 AM
I think Nicolai is right. Seems the developers 'forgot' to add an option to auth.conf.
You may want to log a call with Support. If you get through to the 'right' person, he/she will send it to backline and from there to Engineering for a fix.
The 'wrong' support engineer will simply tell you to log a request for enhancement.
This process however is lengthy - you need to get hold of Product Management via your local Veritas office, who will then submit the request to Engineering.
Priority depends on the amount of requests world-wide for the same feature...