I have a customer currently running V8.1.2 Windows Masters with 3.1.2 Appliance Media Servers. I will shortly be upgrading to 8.2/3.2 on all systems.
They are looking to implement RBAC to allow the admin of the system to be split across various teams - specifically having one team simply able to monitor job success/failure and make no changes to the system.
If all workloads were VMware then they could use ONLY the Web GUI and we can control via the RBAC config within the GUI, however there are other workloads (HP/UX, Linux, Windows) which I don't believe can be managed through the Web GUI at this point (8.2/3.2).
What is the best way of controlling access to the environment in this instance? In the old days NBAC would be deployed/configured, in the new world RBAC is the way - but what is the recommended way when we have a mix of workloads which I believe we will still have to use the Java Console to access?
Is it controlled through the auth.conf file ? Will this work for the Java console ? Will this work for both the Java console AND the Web GUI ?
Any input appreciated.
8.2 is starting to move in the right direction finally for RBAC, but as you said the web GUI doesn't support all workloads yet. I would highly advise staying far, far away from NBAC; you're more likely to break something than you are to get it working to your satisfaction.
Stick with auth.conf for now - it's not perfect, but it's also not going to cause you to reinstall either. =)
Easy keyword reference for auth.conf entries:
# User access keywords for ADMIN GUI
# ALL = Everything
# AM = Activity Monitor
# BMR = Bare Metal Restore
# BPM = Backup Policy Management
# BAR or JBP = BAR access
# CAT = Catalog
# DM = Device Monitor
# HPD = Host Properties
# MM = Media Management
# REP = Reports
# SM = Security Management
# SUM = Storage Unit Management
# VLT = Vault Management
# User access keywords for JBP/BAR GUI
# ENDUSER = Restore from true image or regular backups, plus redirected restores
# BU = backup tasks
# ARC = archive tasks
# RAWPART = restore raw partitions
# ALL = all backup and restore actions
user2 ADMIN=JBP+AM+BPM+DM+MM JBP=BU
user3 ADMIN=ALL JBP=ALL
If you absolutely get forced into NBAC, set it up in a test lab first, load a copy of your prod catalog into it, and attempt to configure things - add users, add permissions, modify stuff, etc. See if it meets your needs. But whatever you do don't just enable it in production and expect everything to be sunshine and rainbows.
Best of luck.
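As an added example (not from this thread, and not Veritas code), the script below parses auth.conf entries written in the syntax shown in the post above and reports which users hold Administration Console rights beyond a monitor-only set, which is the check you would want before handing the file to a "monitor job success/failure only" team. Assumptions: the `*` line is the default entry for otherwise unlisted users and is treated like any other user name; the monitor-only set is just `AM`; keyword matching is case-insensitive; the sample file is constructed for the example.

```python
"""Least-privilege check for NetBackup Administration Console auth.conf entries.

Added example, not from the forum thread or from Veritas. Assumes the entry
syntax shown in the thread:  <user> ADMIN=<kw>+<kw>... JBP=<kw>+...
where '#' starts a comment and '*' is the default entry (assumption).
"""
from dataclasses import dataclass, field

# ADMIN GUI keywords as listed in the thread.
ADMIN_KEYWORDS = {"ALL", "AM", "BMR", "BPM", "BAR", "JBP", "CAT", "DM",
                  "HPD", "MM", "REP", "SM", "SUM", "VLT"}
# JBP/BAR GUI keywords as listed in the thread.
JBP_KEYWORDS = {"ALL", "ENDUSER", "BU", "ARC", "RAWPART"}
# What a monitor-only team is allowed to hold (assumption: Activity Monitor only).
MONITOR_ONLY = frozenset({"AM"})

# Constructed sample auth.conf, not a real customer file.
SAMPLE_AUTH_CONF = """\
# constructed sample
user2 ADMIN=JBP+AM+BPM+DM+MM JBP=BU
user3 ADMIN=ALL JBP=ALL
monitor1 ADMIN=AM
* ADMIN=JBP JBP=ENDUSER
"""


@dataclass
class Entry:
    user: str
    admin: set = field(default_factory=set)
    jbp: set = field(default_factory=set)


def parse_auth_conf(text):
    """Return {user: Entry}. Unknown keywords raise, so typos are caught early."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        entry = Entry(user=parts[0])
        for token in parts[1:]:
            if "=" not in token:
                raise ValueError(f"malformed token {token!r} in {raw!r}")
            key, value = token.split("=", 1)
            keywords = {k.upper() for k in value.split("+") if k}
            if key.upper() == "ADMIN":
                unknown = keywords - ADMIN_KEYWORDS
                entry.admin |= keywords
            elif key.upper() == "JBP":
                unknown = keywords - JBP_KEYWORDS
                entry.jbp |= keywords
            else:
                raise ValueError(f"unknown section {key!r} in {raw!r}")
            if unknown:
                raise ValueError(f"unknown keyword(s) {sorted(unknown)} in {raw!r}")
        entries[entry.user] = entry
    return entries


def effective(keywords, universe):
    """Expand ALL to every concrete keyword of that section."""
    return (universe - {"ALL"}) if "ALL" in keywords else set(keywords)


def excess_rights(entries, allowed=MONITOR_ONLY):
    """Users holding anything beyond `allowed`. Any JBP right counts as excess,
    because the BAR GUI can run backups or restores, which is a change."""
    report = {}
    for name, e in entries.items():
        extra_admin = sorted(effective(e.admin, ADMIN_KEYWORDS) - allowed)
        extra_jbp = sorted(effective(e.jbp, JBP_KEYWORDS))
        if extra_admin or extra_jbp:
            report[name] = {"ADMIN": extra_admin, "JBP": extra_jbp}
    return report


def monitor_only_line(user, allowed=MONITOR_ONLY):
    """Build the auth.conf line for a monitor-only user."""
    return f"{user} ADMIN={'+'.join(sorted(allowed))}"


if __name__ == "__main__":
    for user, extra in excess_rights(parse_auth_conf(SAMPLE_AUTH_CONF)).items():
        print(f"{user}: beyond monitor-only -> ADMIN={extra['ADMIN']} JBP={extra['JBP']}")
    print(monitor_only_line("monitor2"))
```

Run it against a copy of the auth.conf from each master server the team will connect to; the checker only reads the file. Keep in mind that the Activity Monitor itself still lets a console user act on jobs (cancel, suspend, restart), so `ADMIN=AM` limits what the team can configure but is not a strictly read-only view.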
Thanks for that. I hear you, and fully agree with you, regarding the NBAC. I've been there a couple of times previously and it's not pretty.....
I will go ahead and configure the auth.conf file on the master servers required. I have done this previously on appliances where the appliance was master/media, but in this case I have Windows Master servers with appliance media servers. I guess I just configure the auth.conf on the Windows master the same as I did on the appliance masters previously....