02-21-2022 11:27 PM
Who has experience related to this issue? I read about the NBAC.
But I don't want to take the risk. Who can help me do this procedure correctly?
So, in our infrastructure, the Master and Media Server are the same.
How do I create a read-only user for the NBU Client (Console Administration 7.7.3)?
Thanks beforehand!
Best regards,
Tabriz
02-22-2022 01:38 PM
Hi @Tabriz
I agree with @Nicolai that NBAC is a beast and should be avoided. What are you trying to achieve though? What do you want to allow (or stop) your user from doing? (I'd suggest RBAC, but of course this is not possible for the version you are using).
As for auth.conf, the following should help you craft an entry for a particular user - there are more details on this in one of the Server Admin guides.
The following is a sample content of the auth.conf file on a Windows NetBackup master server:
Windows-domain\BKADMIN ADMIN=ALL JBP=ALL
Windows-domain\BKOPS ADMIN=AM JBP=ENDUSER+BU
* ADMIN=JBP JBP=ENDUSER+BU
The above sample auth.conf file allows:
The auth.conf file can be configured with specific Windows domain users with ADMIN and JBP keywords (this assumes the system can authenticate using AD, otherwise use local system users).
ADMIN keyword specifies the NetBackup administration applications and the related administrator capabilities.
JBP keyword specifies the NetBackup Backup, Archive, and Restore client application (BAR GUI) and the related capabilities.
The table below shows the NetBackup Java Authorisation ADMIN keywords.
Table 1 Java Authorisation Admin Keywords

| ADMIN Keyword | Capability/Application |
|---|---|
| ALL | Indicates that the user has administrative privileges for all of the applications that are listed in this table. |
| AM | Activity Monitor |
| BMR | Bare Metal Restore |
| BPM | Backup Policy Management |
| BAR or JBP | Backup, Archive, and Restore |
| CAT | Catalog |
| DM | Device Monitor |
| HPD | Host Properties |
| MM | Media Management |
| REP | Reports |
| SUM | Storage Unit Management |
| VLT | Vault Management |

The table below shows the NetBackup Java Authorisation JBP keywords.
Table 2 Java Authorisation JBP Keywords

| JBP Keyword | Capability/Application |
|---|---|
| ALL | Allows the users to perform all actions, including server-directed restores. (Restores to a client that is different from the client that is logged into.) Server-directed restores can only be performed from a NetBackup master server. |
| ENDUSER | Allows the users to perform restore tasks from true image or regular backups plus redirected restores. |
| BU | Allows the users to perform backup tasks. |
| ARC | Allows the users to perform archive tasks. The capability to perform backups (BU) is required to allow archive tasks. |
| RAWPART | Allows the users to perform raw partition restores. |

02-22-2022 01:24 AM
Hi @Tabriz
NBAC is a beast; if you want to implement NBAC, you must master it before implementing it.
NBAC is sort of discontinued in newer versions of NetBackup, in favor of RBAC.
My advice is to upgrade to NBU 9.X and use RBAC.
If you can't upgrade, use the Java console and add a R/O user in auth.conf
https://www.veritas.com/support/en_US/doc/18716246-126559472-0/v41641695-126559472
02-22-2022 04:31 AM
Hi @Nicolai ,
Thank you for the response!
I have created a new user in NBU Appliance Main>Manage>NetbackupCLI> Create a new user.
Now do I need to define any permissions for the new user? Where can I define the permissions? In the auth.conf file?
Thanks
02-22-2022 09:51 PM
Dear @davidmoline ,
Thank you for the extensive information!
I would like to create a user who can only monitor the backup process from the GUI.
How do I do this?
Best regards,
Tabriz
02-23-2022 02:11 PM
Hi @Tabriz
To be able to monitor backup activity via the Java (or Windows) GUI - "ADMIN=AM" will also grant rights to cancel and restart jobs.
Instead look at OpsCenter which can provide the level of control you want.
Add the user with the "reporter" role - this will allow them to monitor what's going on without being able to modify anything.
Also note that if you allow the user admin access to the NetBackup master/media server, then they have the ability to do anything (via the command line).
Cheers
David
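An added example, not part of any post in this thread and not Veritas code: a small audit of auth.conf entries against the keyword tables and the Activity Monitor caveat quoted above, listing why each entry is more than view-only. It assumes one entry per line with no whitespace in the user name; the BKVIEW line and its RPT keyword are constructed for illustration.

```python
# Keywords copied from the two tables quoted in the thread.
ADMIN_KW = {"ALL", "AM", "BMR", "BPM", "BAR", "JBP", "CAT", "DM",
            "HPD", "MM", "REP", "SUM", "VLT"}
JBP_KW = {"ALL", "ENDUSER", "BU", "ARC", "RAWPART"}

def parse_auth_conf(text):
    """Yield (user, {"ADMIN": set, "JBP": set}) for each non-blank line."""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        grants = {"ADMIN": set(), "JBP": set()}
        for field in parts[1:]:
            key, _, value = field.partition("=")
            if key in grants:
                grants[key] |= {kw for kw in value.split("+") if kw}
        yield parts[0], grants

def audit(text):
    """Map each user to the reasons its entry is more than view-only."""
    report = {}
    for user, g in parse_auth_conf(text):
        admin, jbp, notes = g["ADMIN"], g["JBP"], []
        unknown = (admin - ADMIN_KW) | (jbp - JBP_KW)
        if unknown:
            notes.append("unknown keyword: " + ", ".join(sorted(unknown)))
        if "ALL" in admin:
            notes.append("ADMIN=ALL: every administration application")
        elif "AM" in admin:
            notes.append("ADMIN=AM: Activity Monitor can also cancel and restart jobs")
        if "ALL" in jbp:
            notes.append("JBP=ALL: includes server-directed restores")
        if jbp & {"BU", "ARC"}:
            notes.append("JBP can start backups or archives")
        if "ARC" in jbp and not jbp & {"BU", "ALL"}:
            notes.append("JBP=ARC without BU: archive needs backup capability")
        if user == "*" and admin - {"JBP", "BAR"}:
            notes.append("wildcard entry grants an administration application")
        report[user] = notes
    return report

# First three lines are the sample from the thread; the last is constructed.
SAMPLE = r"""Windows-domain\BKADMIN ADMIN=ALL JBP=ALL
Windows-domain\BKOPS ADMIN=AM JBP=ENDUSER+BU
* ADMIN=JBP JBP=ENDUSER+BU
Windows-domain\BKVIEW ADMIN=AM+RPT JBP=ARC"""

if __name__ == "__main__":
    for user, notes in audit(SAMPLE).items():
        print(user, notes or ["no findings"])
```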
02-23-2022 10:43 PM
Dear @davidmoline ,
Firstly, thank you for the extensive information.
I'm sorry, I couldn't quite understand.
I created a new user in NBU Appliance 5230 with this command:
Main->Support>Manage>Create username
But after creating the user I couldn't log in to the Java Administration Console (client software for monitoring and backing up the hosts).
To log in to the GUI (client software), must I add the new user to auth.conf, in which the admin user was added?
Br,
Tabriz
02-23-2022 10:54 PM
Dear @davidmoline, @Nicolai ,
Thank you for everything!
I created the r/o user. Thanks!
Best Regards,
Tabriz
10-26-2023 12:56 PM
@Tabriz how did you create it after creating the NetBackup CLI account in the appliance?