
better user management and control

Created: 20 Dec 2012 • Updated: 16 Feb 2013 | 1 comment
This issue has been solved. See solution.

hi, 

please help me out:

I modified the auth.conf to specify access to certain users.

I used the following parameters below to limit a user to do restore and monitoring only.

root ADMIN=ALL JBP=ALL

* ADMIN=JBP JBP=ENDUSER+BU+ARC

restore ADMIN=AM+DM+BAR

I would like to know if I can restrict the user further to restore on specified clients only. If so, please share the procedure.

thanks,


RamNagalla

hi,

I don't think the NetBackup Java console has an option to restrict for specific clients.

Restricting the restore to client level will bring more complexity, as it is difficult to manage, I believe.

For more info see the NetBackup 7.5 Admin Guide I (UNIX), page no. 981.

Copied from the admin guide:

Authorization file (auth.conf) characteristics
The /usr/openv/java/auth.conf file is installed on all NetBackup-Java capable
hosts and contains only the following entries:
root ADMIN=ALL JBP=ALL
* ADMIN=JBP JBP=ENDUSER+BU+ARC
The first field of each entry is the user name that is granted access to the rights
that the entry specifies. In the released version, the first field lets root users use
all of the NetBackup-Java applications.
An asterisk in the first field indicates that any user name is accepted and the user
is allowed to use the applications as specified. If the auth.conf file exists, it must
have an entry for each user. Or, the auth.conf file must have an entry that
contains an asterisk (*) in the user name field; users without entries cannot access
any NetBackup-Java applications. Any entries that designate specific user names
must precede a line that contains an asterisk in the user name field.
Note: The asterisk specification cannot be used to authorize all users for any
administrator capabilities. Each user must be authorized by using individual
entries in the auth.conf file.
To deny all capabilities to a specific user, add a line that indicates the user before
a line that starts with an asterisk.
For example:
mydomain\ray ADMIN= JBP=
* ADMIN=JBP JBP=ENDUSER+BU+ARC
The remaining fields specify the access rights.
ADMIN keyword: Specifies the applications that the user can access. ADMIN=ALL allows access to all
NetBackup-Java applications and the related administrator-related capabilities.
See “About authorizing nonroot users for specific applications” on page 983.
JBP keyword: Specifies what the user can do with the Backup, Archive, and Restore client application
(jbpSA). JBP=ALL allows access to all Backup, Archive, and Restore capabilities, including
those for administration.
See “About authorizing specific tasks in jbpSA” on page 984.
asterisk (*): An asterisk in the first field indicates that any user name is accepted and the user is
allowed to use the applications as specified. The second line of the released version contains
an asterisk in the first field. The asterisk means that NetBackup-Java validates any user
name for access to the Backup, Archive, and Restore client application jbpSA.
JBP=ENDUSER+BU+ARC allows users to back up, archive, and restore files only.
The user name and password that is entered in the logon screen must be valid on
the machine that is specified in the host field. (True for starting the
NetBackup-Java Administration Console or the Backup, Archive, and Restore
application (jbpSA).) The NetBackup-Java application server authenticates the
user name and password by using the system password file data for the specified
machine. The password must be the same password that was used upon logon at
that machine.
For example, assume you log on with the following information:
username = joe
password = access
Here you must use the same user name and password to log into NetBackup-Java.
Note: The NetBackup-Java logon box accepts passwords greater than eight
characters. However, only the first eight are significant upon logon to a
NetBackup-Java application server on a UNIX system.
You can log on to the NetBackup-Java application server under a different user
name than the name used to log on to the operating system. For example, if you
log on to the operating system with a user name of joe, you can subsequently log
on to jnbSA as root.
Upon exit, some application state information is automatically saved in
joe's $HOME/.java/.userPrefs/vrts directory. (For example, table
column order.) The information is restored the next time you log on to the
operating system under account joe and initiate the NetBackup-Java application.
This logon method is useful if there is more than one administrator because it
saves the state information for each administrator.
Note: NetBackup-Java creates a user’s $HOME/.java/.userPrefs/vrts directory
the first time an application is exited. Only NetBackup-Java applications use the
.java/.userPrefs/vrts directory.
If the user name is not valid as determined by the contents of the auth.conf file,
an error message appears. All applications are inaccessible to the user:
No authorization entry exists in the auth.conf file for username
name_specified_in_login_dialog. None of the NB-Java applications are
available to you.
To summarize, the following types of entries are contained in the auth.conf file,
as follows:
■ The defaults let anyone with any valid user name use the Backup, Archive,
and Restore client application (jbpSA). Only root users can access the
administrator applications and the administrator capabilities in jbpSA.
■ Specify entries for valid user names.
Note: The validated user name is the account the user can back up, archive or
restore files from or to. The Backup, Archive, and Restore application (jbpSA)
relies on system file permissions when browsing directories and files to back
up or restore.
About authorizing nonroot users for specific applications
Nonroot users can be authorized for a subset of the NetBackup-Java administrator
applications.
To authorize users for a subset of the NetBackup-Java administrator applications,
use the following identifiers for the ADMIN keyword in the auth.conf file:
ALL         Indicates that the user has administrative privileges for all of the applications that are listed in this table.
AM          Activity Monitor
BMR         Bare Metal Restore
BPM         Backup Policy Management
BAR or JBP  Backup, Archive, and Restore
CAT         Catalog
DM          Device Monitor
HPD         Host Properties
MM          Media Management
REP         Reports
SUM         Storage Unit Management
VLT         Vault Management
For example, to give a user (user1) access only to the Device Monitor and Activity
Monitor, add the following entry to the auth.conf file:
user1 ADMIN=DM+AM
In order for a nonroot user to modify the files that the NetBackup-Java
Administration Console uses, run the nonroot_admin_nbjava script. The script
changes permissions on the following files:
/usr/openv/java/auth.conf
/usr/openv/java/Debug.properties
/usr/openv/java/nbj.conf
Note: nonroot_admin_nbjava is located in
/usr/openv/java/nonroot_admin_nbjava.
About authorizing specific tasks in jbpSA
The Backup, Archive, and Restore interface can be configured to let only a user
perform certain tasks. Not all tasks can be performed successfully without some
additional configuration.
The following require additional configuration and are documented elsewhere:
■ Redirected restores.
See “About server-directed restores” on page 1011.
See “About client-redirected restores” on page 1012.
■ User backups or archives require a policy schedule of these types and the task
to be submitted within the time window of the schedule.
To authorize users for a subset of Backup, Archive, and Restore capabilities, use
the following identifiers for the JBP keyword in the auth.conf file:
Table 26-1 Identifiers for the JBP keyword in the auth.conf file
Identifier  Description
ENDUSER     Allows the users to perform restore tasks from true image or regular backups plus redirected restores.
BU          Allows the users to perform backup tasks.
ARC         Allows the users to perform archive tasks. The capability to perform backups (BU) is required to allow archive tasks.
RAWPART     Allows the users to perform raw partition restores.
ALL         Allows the users to perform all actions, including server-directed restores. (Restores to a client that is different from the client that is logged into.) Server-directed restores can only be performed from a NetBackup master server.
For example, to allow a user (user1) to restore but not back up or archive files:
user1 ADMIN=JBP JBP=ENDUSER
About authorizing NetBackup-Java users on Windows
To use the Java Windows Administration Console, first log on to the
NetBackup-Java application server. The application server is on the NetBackup
host where you want to perform NetBackup administration or user operations.
To log on to the application server, log on to the dialog box that appears when the
console is started. Provide a valid user name and password for the system that is
specified in the Host name field of the log in dialog box.
The user name for Windows must be of the form: domainname\username
domainname specifies the domain of the NetBackup host. The domain is not
required if the NetBackup host is not a member of a domain.
The NetBackup-Java application server authenticates the user name and password
by using standard Windows authentication capabilities for the specified computer.
If NetBackup Access Control is not configured for the users, by default the
NetBackup-Java application server provides authorization data. The authorization
data allows all users who are members of the administrator group for the host’s
domain to use all the NetBackup-Java applications. Other users are allowed to
access only Backup, Archive, and Restore.
To restrict access to NetBackup-Java or some of its applications, create a
Install_path\java\auth.conf authorization file.
See “About the NetBackup-Java Administration Console” on page 977.
Restricting access to NetBackup-Java applications on Windows
Use the following procedure to restrict access to one or more of the NetBackup-Java
applications.
To restrict access to one or more of the NetBackup-Java applications
1 Create the following file on the Windows system:
Install_path\java\auth.conf
2 Add an entry in auth.conf for each user that accesses NetBackup-Java
applications. The existence of this file, along with the entries it contains,
prohibits unlisted users from accessing NetBackup-Java applications on the
Windows system. The following is a sample auth.conf file on a Windows
system:
mydomain\Administrator ADMIN=ALL JBP=ALL
mydomain\joe ADMIN=ALL JBP=ALL
* ADMIN=JBP JBP=ENDUSER+BU+ARC
See “About authorizing NetBackup-Java users” on page 980.
SOLUTION
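
An added example (not part of the original thread and not NetBackup code): a small Python linter that checks an auth.conf against the rules in the guide excerpt above, run on the three entries from the question in the order they were posted. The function names are hypothetical, and the first-match lookup in `rights_for` is an assumption inferred from the guide's rule that specific user entries must precede the asterisk line.

```python
ADMIN_IDS = {"ALL", "AM", "BMR", "BPM", "BAR", "JBP", "CAT", "DM", "HPD",
             "MM", "REP", "SUM", "VLT"}
JBP_IDS = {"ALL", "ENDUSER", "BU", "ARC", "RAWPART"}

# Constructed sample: the three entries from the question, in the order posted.
SAMPLE = """\
root ADMIN=ALL JBP=ALL
* ADMIN=JBP JBP=ENDUSER+BU+ARC
restore ADMIN=AM+DM+BAR
"""

def parse(text):
    """Return [(user, {"ADMIN": set, "JBP": set})], one tuple per entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        rights = {"ADMIN": set(), "JBP": set()}
        for field in fields[1:]:
            key, _, value = field.partition("=")
            if key in rights:
                rights[key] = {v for v in value.split("+") if v}
        entries.append((fields[0], rights))
    return entries

def lint(entries):
    """Return findings for entries that break the rules quoted from the guide."""
    findings, seen_star = [], False
    for user, rights in entries:
        unknown = (rights["ADMIN"] - ADMIN_IDS) | (rights["JBP"] - JBP_IDS)
        if unknown:
            findings.append(f"{user}: unknown identifier(s) {sorted(unknown)}")
        if "ARC" in rights["JBP"] and not rights["JBP"] & {"BU", "ALL"}:
            findings.append(f"{user}: ARC requires BU")
        if user == "*":
            seen_star = True
            if rights["ADMIN"] - {"JBP", "BAR"} or "ALL" in rights["JBP"]:
                findings.append("*: asterisk entry grants administrator capabilities")
        elif seen_star:
            findings.append(f"{user}: specific entry follows the asterisk line")
    return findings

def rights_for(entries, name):
    """First matching entry wins (assumption inferred from the ordering rule)."""
    for user, rights in entries:
        if user in (name, "*"):
            return rights
    return None  # no entry: the guide says all applications are inaccessible
```

On the constructed sample, `lint(parse(SAMPLE))` reports that the `restore` entry follows the asterisk line, which the quoted guide says specific user entries must precede.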