About using NetBackup Access Control (NBAC)
The NetBackup Access Control (NBAC) is the role-based access control that is used for master servers, media servers, and clients. NBAC can be used in situations where you want to:
Use a set of permissions for different levels of administrators for an application. A backup application can have operators (perhaps load and unload tapes). It can have local administrators (manage the application within one facility). It can also have overall administrators who may have responsibility for multiple sites and determine backup policy. Note that this feature is very useful in preventing user errors. If junior level administrators are restricted from certain operations, they are prevented from making inadvertent mistakes.
Separate administrators so that root permission to the system is not required to administer the system. You can then separate the administrators for the systems themselves from the ones who administer the applications.
It has been found that NBAC running on NetBackup 6.5 (AZ version 126.96.36.199) cannot be upgraded to NetBackup 7.5. It is important that you upgrade to AZ version 6.5.4 (188.8.131.52) before the NBAC upgrade from NetBackup 6.5 to NetBackup 7.5 is successful.
The following table lists the NBAC considerations.
Table: NBAC Considerations
Consideration or issue
Description or resolution
Prerequisites before you configure NBAC
This prerequisites list can help you before you start to configure NBAC. These items ensure an easier installation. The following list contains the information for this installation:
User name or password for master server (root or administrator permission).
Name of master server
Name of all media servers that are connected to the master server
Name of all clients to be backed up
Host name or IP address
Host names should be resolvable to a valid IP address.
Use the ping or traceroute command as one of the tools to ensure that you can see the hosts. Using these commands ensures that you have not configured a firewall or other obstruction to block access.
Determine if the master server, media server, or client is to be upgraded
Determine if the master server, media server, or client is to be upgraded as follows:
Some features are provided by upgrading master servers, some by media servers, and some from upgrading clients.
NetBackup works with a higher revision master server and lower revision clients and media servers.
Feature content determines what is deployed.
Deployment can be step wise if required.
Information about roles
Determine the roles in the configuration as follows:
NBAC license key requirements
No license is required to turn on the access controls.
NBAC and KMS permissions
Typically when using NBAC and the Setupmaster command is run, the NetBackup related group
permissions (for example, NBU_Admin and KMS_Admin) are created. The default root and administrator
users are also added to those groups. In some cases the root and administrator users are not added to the KMS group when NetBackup is upgraded from 6.5.x to 7.0 or from 7.0 to 7.0.1. The solution is to grant the root and administrator users NBU_Admin and KMS_Admin permissions manually.
MSCS Error messages while unhooking shared security services from PBX
In MSCS environments running the bpnbaz -UnhookSharedSecSvcsWithPBX <virtualhostname> command can trigger error messages. However the shared Authentication and Authorization services are successfully unhooked from PBX and the errors can be ignored.
Possible cluster node errors
In a clustered environment when the command bpnbaz -setupmaster is run in the context of
local Administrator the AUTHENTICATION_DOMAIN entries may not contain the other cluster node entries. In such case these entries must be manually added from Host
Properties into the
Catalog recovery fails when NBAC is set to REQUIRED mode
If NBAC is running in REQUIRED mode and a catalog recovery was preformed, NBAC needs to be reset back from PROHIBTED mode to REQUIRED mode.
Policy validation fails in NBAC mode (i.e. USE_VXSS = REQUIRED)
Back up, restore, and verification of policy for snapshot can fail in NBAC enabled
mode if one of the following has been done.
See About authorization objects and permissions
See About defining a user group and users
See About determining who can access NetBackup
See About including authentication and authorization databases in the NetBackup hot catalog backups
See About NetBackup Access Control (NBAC) configuration
See Access control host properties
See Access control host properties dialog for the client
See Access management troubleshooting guidelines
See Accessing the client host properties
See Accessing the master server and media server host properties
See Adding a new user to the user group
See Assigned Users pane on the Users tab
See Assigning a user to a user group
See Authentication Domain tab
See Authentication Domain tab for the client
See Authorization objects
See Authorization Service tab
See BUAndRest authorization object permissions
See Client verification points for a mixed UNIX master server
See Client verification points for a mixed Windows master server
See Client verification points for Windows
See Configuring NetBackup Access Control (NBAC) for NetBackup pre-7.0 media server and client computers
See Configuring NetBackup Access Control (NBAC) on standalone master servers
See Configuring NetBackup Access Control (NBAC)
See Configuring NetBackup Access Control (NBAC) on a clustered master server
See Configuring NetBackup Access Control (NBAC) on media servers
See Configuring user groups
See Creating a new user group
See Creating a new user group by copying an existing user group
See Defined Users pane on the Users tab
See DevHost authorization object permissions
See DiskPool authorization object permissions
See Drive authorization object permissions
See Establishing a trust relationship between the broker and the Windows remote console
See Fat client authorization object permissions
See Fat server authorization object permissions
See Granting permissions
See HostProperties authorization object permissions
See Individual users
See Installing and configuring access control on clients
See Installing the NetBackup 7.5 master server highly available on a cluster
See Job authorization object permissions
See Key managment system (kms) group authorization object permissions
See License authorization object permissions
See Logging on as a new user
See Manually configuring the Access Control host properties
See Master server verification points for a mixed UNIX master server
See Master server verification points for a mixed Windows master server
See Master server verification points for Windows
See Media authorization object permissions
See Media server verification points for a mixed UNIX master server
See Media server verification points for a mixed Windows master server
See Media server verification points for Windows
See NBAC configure commands summary
See NBAC configuration overview
See NBU_Catalog authorization object permissions
See NetBackup access management administration
See NetBackup default user groups
See Network Settings tab
See Network Settings tab for the client
See Permissions tab
See Policy authorization object permissions
See Renaming a user group
See Report authorization object permissions
See Robot authorization object permissions
See Security authorization object permissions
See Server group authorization object permissions
See Service authorization object permissions
See Storage unit authorization object permissions
See Troubleshooting topics for NetBackup Authentication and Authorization
See Unifying NetBackup Management infrastructures with the setuptrust command
See UNIX client verification
See UNIX master server verification
See UNIX media server verification
See Upgrading NetBackup Access Control (NBAC)
See User groups
See Users tab
See Using the Access Management utility
See Using the setuptrust command
See Vault authorization object permissions
See Verification points in a mixed environment with a UNIX master server
See Verification points in a mixed environment with a Windows master server
See Viewing specific user permissions for NetBackup user groups
See Volume group authorization object permissions
See VolumePool authorization object permissions
See Windows verification points