
Create Read Only User

Tabriz
Level 5

Who has experience related to this issue? I read about the NBAC.

But I don't want to take the risk. Who can help me do this procedure correctly?

So, in our infrastructure, the Master and Media Server are the same. 

How do I create a read-only user for the NBU Client (Console Administration 7.7.3)?

Thanks beforehand!

Best regards,

Tabriz

1 ACCEPTED SOLUTION


Hi @Tabriz

I agree with @Nicolai that NBAC is a beast and should be avoided. What are you trying to achieve though? What do you want to allow (or stop) your user from doing? (I'd suggest RBAC, but of course this is not possible for the version you are using).

As for auth.conf, the following should help you craft an entry for a particular user - there are more details on this in one of the Server Admin guides

The following is a sample content of the auth.conf file on a Windows NetBackup master server:
Windows-domain\BKADMIN ADMIN=ALL JBP=ALL
Windows-domain\BKOPS ADMIN=AM JBP=ENDUSER+BU
* ADMIN=JBP JBP=ENDUSER+BU

The above sample auth.conf file allows:

  • Windows-domain\BKADMIN user to fully manage the NetBackup environment
  • Windows-domain\BKOPS user to monitor NetBackup Activity Monitor and perform backup and restore tasks
  • All other users to use BAR GUI and perform backup and restore tasks

The auth.conf file can be configured with specific Windows domain users with ADMIN and JBP keywords (this assumes the system can authenticate using AD, otherwise use local system users).

ADMIN keyword specifies the NetBackup administration applications and the related administrator capabilities.

JBP keyword specifies the NetBackup Backup, Archive, and Restore client application (BAR GUI) and the related capabilities.

The table below shows the NetBackup Java Authorisation ADMIN keywords.

Table 1 Java Authorisation Admin Keywords

| ADMIN Keyword | Capability/Application |
|---|---|
| ALL | Indicates that the user has administrative privileges for all of the applications that are listed in this table. |
| AM | Activity Monitor |
| BMR | Bare Metal Restore |
| BPM | Backup Policy Management |
| BAR or JBP | Backup, Archive, and Restore |
| CAT | Catalog |
| DM | Device Monitor |
| HPD | Host Properties |
| MM | Media Management |
| REP | Reports |
| SUM | Storage Unit Management |
| VLT | Vault Management |

 

The table below shows the NetBackup Java Authorisation JBP keywords.

Table 2 Java Authorisation JBP Keywords

| JBP Keyword | Capability/Application |
|---|---|
| ALL | Allows the users to perform all actions, including server-directed restores. (Restores to a client that is different from the client that is logged into.) Server-directed restores can only be performed from a NetBackup master server. |
| ENDUSER | Allows the users to perform restore tasks from true image or regular backups plus redirected restores. |
| BU | Allows the users to perform backup tasks. |
| ARC | Allows the users to perform archive tasks. The capability to perform backups (BU) is required to allow archive tasks. |
| RAWPART | Allows the users to perform raw partition restores. |


8 REPLIES

Nicolai
Moderator

Hi @Tabriz 

NBAC is a beast, if you want to implement NBAC, you must master it before implementing it.

NBAC is sort of discontinued in newer versions of NetBackup, in favor of RBAC.

My advice is to upgrade to NBU 9.X and use RBAC.

If you can't upgrade, use the java console and add a R/O user in auth.conf

https://www.veritas.com/support/en_US/doc/18716246-126559472-0/v41641695-126559472

Hi @Nicolai ,

 

Thank you for the response!

I have created a new user in NBU Appliance Main>Manage>NetbackupCLI> Create a new user.

Do I now need to define any permissions for the new user? Where can I define the permissions, in the auth.conf file?

 

Thanks


Dear @davidmoline ,

 

Thank you for the extensive information!

I would like to create a user that can only monitor the backup process from the GUI.

How do I do this?

Best regards,

Tabriz

 

Hi @Tabriz 

To be able to monitor backup activity via the Java (or Windows) GUI - "ADMIN=AM" will also grant rights to cancel and restart jobs. 

Instead look at OpsCenter which can provide the level of control you want. 

Add the user with the "reporter" role - this will allow them to monitor what's going on without being able to modify anything.

Also note that if you allow the user admin access to the NetBackup master/media server, then they have the ability to do anything (via the command line). 

Cheers
David
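The auth.conf format and the ADMIN=AM caveat discussed above can be checked mechanically. The following is an added example, not part of any post in this thread and not Veritas code: it parses auth.conf entries and flags grants that go beyond read-only monitoring, using only the keyword tables quoted in the thread. It assumes fields are whitespace-separated and that `#` starts a comment; the `BKVIEW` line is constructed for illustration.

```python
# Added example (not Veritas code): audit auth.conf entries against the thread's keyword tables.
ADMIN_KEYWORDS = {"ALL", "AM", "BMR", "BPM", "BAR", "JBP", "CAT", "DM",
                  "HPD", "MM", "REP", "SUM", "VLT"}
JBP_KEYWORDS = {"ALL", "ENDUSER", "BU", "ARC", "RAWPART"}
VALID = {"ADMIN": ADMIN_KEYWORDS, "JBP": JBP_KEYWORDS}

# The sample file from the thread, plus one constructed line (BKVIEW).
SAMPLE = r"""
Windows-domain\BKADMIN ADMIN=ALL JBP=ALL
Windows-domain\BKOPS ADMIN=AM JBP=ENDUSER+BU
Windows-domain\BKVIEW ADMIN=REP JBP=ARC
* ADMIN=JBP JBP=ENDUSER+BU
"""

def parse_auth_conf(text):
    """Return [{'user', 'ADMIN': set, 'JBP': set}] for each entry line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        user, *fields = line.split()  # assumption: whitespace-separated fields
        entry = {"user": user, "ADMIN": set(), "JBP": set()}
        for field in fields:
            key, _, value = field.partition("=")
            if key.upper() in VALID:
                entry[key.upper()] = {v for v in value.upper().split("+") if v}
        entries.append(entry)
    return entries

def audit(entries):
    """Return (user, finding) pairs for grants that exceed read-only monitoring."""
    findings = []
    for e in entries:
        add = lambda msg: findings.append((e["user"], msg))
        for key, valid in VALID.items():
            for kw in sorted(e[key] - valid):
                add(f"unknown {key} keyword {kw}")
        if e["user"] == "*":
            add("wildcard entry applies to all other users")
        if "ALL" in e["ADMIN"]:
            add("ADMIN=ALL grants full administration")
        if e["ADMIN"] & {"ALL", "AM"}:
            add("Activity Monitor access also allows cancel/restart of jobs")
        if "ALL" in e["JBP"]:
            add("JBP=ALL allows server-directed restores")
        if "ARC" in e["JBP"] and not e["JBP"] & {"BU", "ALL"}:
            add("ARC requires BU to take effect")
    return findings
```

Running `audit(parse_auth_conf(SAMPLE))` reports the BKOPS entry because, as noted above, Activity Monitor access is not strictly read-only.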

Tabriz
Level 5

Dear @davidmoline ,

 

Firstly, thank you for the extensive information.
I'm sorry, I couldn't quite understand.

I created a new user on the NBU Appliance 5230 with this command:
Main->Support>Manage>Create username

But after creating the user I couldn't log in to the Java Administration Console (Client Software for monitoring and backing up the hosts).

To log in to the GUI (Client Software), must I add the new user to auth.conf, in which the admin user was added?

 

Br,

 

Tabriz

Dear @davidmoline @Nicolai,

Thank you for everything!

I created the r/o user. Thanks!

 

Best Regards,

 

Tabriz 

abhinav_trivedi
Level 4
Certified

@Tabriz how did you create it after creating the NetBackup CLI account in the appliance?