cancel
Showing results for 
Search instead for 
Did you mean: 

NBAC can you set AD groups and limit a subset of policies

austin_lazanows
Level 4
Certified
Hello everyone,
I have a customer who is looking to implement NBAC in their Netbackup environment for master and media servers only. The installation and setup of the authorization servers seems extremely straight forward but I have a couple of questions that for the life of me I cannot seem to find between the guides and how to documents (although it could just be bleary eye syndrome so help me if i've overlooked something). They are the following:
 
1. Can you specify an active directory group to be a part of an NBAC user group? Or do we have to individually add each user under the group to the NBAC user group? We are attempting to reduce the amount of time management spent in managing user accounts in general. if it is possible, if you can give me an example of how to perform this, that would be great.
 
2. Can you specify that an NBAC user group has modify access to only a specific list of policies (please note this does not mean that i don't want them to be able to manage policies altogether, but instead only a subset of policies)? For example, we would like the Unix netbackup admins to be able to modify the unix policies and systems but not be able to change the windows based policies. Obviously it would take a security admin to manage who could do what but they would prefer having peace of mind that someone else is not changing their work. The only other way around this that i can see if it is not a functionality is creating trail auditing and running reports to make sure unix guy A isn't messing with windows guy B's policies and vice versa.
Thanks for your help in advance!
 
1 ACCEPTED SOLUTION

Accepted Solutions

austin_lazanows
Level 4
Certified

FYI, you indeed can. Simply setup a group name in AD with the appropriate users. Then add to the NBAC Group an O.S. Group (as long as windows has been added to NBAC authentication) with the matching name for the group in AD.

 

Found an old document from Symantec for version 5 to actually find an example of this:)

View solution in original post

3 REPLIES 3

plslakewood
Level 4
Partner Accredited Certified

http://www.symantec.com/business/support/index?page=content&id=TECH87355&actp=search&viewlocale=en_US&searchid=1314725118002

austin_lazanows
Level 4
Certified

Unfortunately this doesn't help. It specifies what I already know (that you can use AD Users) but nothing about an AD user group. Does anyone have a working example of adding an entire user group from AD into NBAC and not via each individual user? This is obviously more important than limiting the policies.

austin_lazanows
Level 4
Certified

FYI, you indeed can. Simply setup a group name in AD with the appropriate users. Then add to the NBAC Group an O.S. Group (as long as windows has been added to NBAC authentication) with the matching name for the group in AD.

 

Found an old document from Symantec for version 5 to actually find an example of this:)