I need help. Currently for a customer netbackup 7.7.3 (Windows 2012 master server), I login to the Netbackup Java Console via a domaiin account. The account was added by previous administrator. May I know how can I add another domain user account so that another person can login to the Netbackup Java Console to manage the backup?
I tried to find the auth.conf file but I could only file the auth.conf.win.template in the netbackup\java folder
Hope someone can give some advice.
I was checking this Access Management option in Netbackup Administration Java Console but it say that the feature is not installed. Is this Access Management only available if NBAC is enabled. Sorry i am not sure how this NBAC works..i was trying to read up on this. How do i know whether the customer netbackup has NBAC activated or not?
To determine if NBAC is running see if you can see anything under the "Access Management" section in the Java GUI. I would advise against trying to enable this unless you like pain. The feature is being depreciated and replaced in current versions of NetBackup with RBAC (which is much better).
To add additional users, although @StefanosM is correct, IMHO a better way to allow a user to access the GUI is to add that user to the auth.conf file found in <INSTALL_PATH>\NetBackup\java\auth.conf - I am always reluctant to provide admin access to a server just to let the user use an application.
With the auth.conf you have the ability to restrict what the user can see and do (it does not provide fine control though). Have a look at this past post with details on the various keywords used to provide access.
So in summary the problem I am facing, I don't know where the settings to allow and to control users to access to the Netbackup Administration Console. I myself still have access.
1) I can't find the auth.conf ile.
2) The Access Management feature is not active.
How do I know whether NBAC is used..is there any command to show status that the NBAC is running ?
I tried to run the command bpnbaz -listuers but it doesn't seem to recognize or not supporting the command. Does tthat mean that the NBAC is not used?
E:\Program Files\Veritas\NetBackup\bin\admincmd>bpnbaz -listusers
-ListUsers option is only supported when USE_VXSS is PROHIBITED and USE_AUTHENTI
CATION is ON.
One or more of your command line parameters is invalid or missing.
bpnbaz: Please choose one of the following:
-[AddUser | DelUser] Group_Name Domain_Type:Domain_Name:User_Name [-OSGroup] [-S
erver server1.domain.com] [-CredFile Credential]
-[AddGroup | DelGroup] Group_Name [-Server server1.domain.com] [-CredFile Creden
-[AddPolicy | DelPolicy] Policy_Name [-Server server1.domain.com] [-CredFile Cre
-[ListPerms | ListMainObjects | ListPolicyObjects | ListGroups|ShowAuthorizers]
[-Server server1.domain.com] [-CredFile Credential]
-ListGroupMembers Group_Name [-Server server1.domain.com] [-CredFile Credential]
-AddPerms Permission_1[,Permission_2,...] -Group Group_Name -[Object|Policy] Ob
ject/Policy_Name [-Server server1.domain.com] [-CredFile Credential]
If there is no auth.conf, then only local administrators can run the GUI. You can use the template file you found, copy it to auth.conf and then add domain users as required (no requirement then for local admin access). The details for the various levels of access when using the auth.conf file are listed in the VOX article I previously linked - the example provided in the template (domain\user ADMIN=ALL JBP=ALL) provides full access to all components og the GUI. Change/add additional users as required.
It is highly unlikely you are running NBAC. Look to see if there is a bpazd or nbazd (it may have a different name depending on NBU version) process running. If it is not then you are defiitely nor using NBAC. Also did you check the "Access Management" section in the NetBackup GUI like I suggested previously? If it indicates that Access Management is not configured then it is not configured.
I wrote a PowerShell script which uses 2 AD groups to control access to the GUI, one for full backup administrators and one for operators. I run it on a schedule task to keep the group membership up to date. I hope this helps you or another person out. where you see reference to AD_GROUP_NAME_FULL" and "AD_GROUP_NAME_OPERATOR" just create 2 AD groups for example NetBackup_Full_Admin and NetBackup_operators, populate them with the users you wish to have full admin rights to the GUI. E.g
Jane Smith member of NetBackup_Full_Admin
John Down member of NetBackup_operators
When Jane logs in she will have the full NetBackup GUI available and when John logs in he will only be able to access the BAR (Backup Archive and Restore) functionality. The script is attached as text file, just rename the txt to ps1.
Hope this helps :)