
NBAC - Simple Implementation

Created: 09 Mar 2013 | 6 comments
SYMAJ's picture

I have an environment with a W2K8R2 Master server running 7504, and two 5220 Appliances acting as Media Servers. I have four PCs running Windows Remote Admin Console which I want to be able to restrict the NBU access from.

I have NBU services running under the local system account on the Master Server.

After reviewing the documentation in the Security Encryption guide I see the following as being required:

1. Run bpnbaz -setupmaster on the Master Server

2. Restart NBU services on the Master

3. Add the required users to the required groups within the Access Management tab of the admin console - specifying their userid, domain etc.

4. Check the access control is set to AUTOMATIC on the Master Server

Once the above is done, is that all I need to be able to restrict access by the users to the specific NBU functions? Do I need to run the setupmedia and setupclient in order to simply restrict access?

Thanks,

AJ

 


captain jack sparrow's picture

Hi AJ

It's not necessary to run bpnbaz against media server and clients unless client's infosec team asks to enforce strict permissions etc.

NBAC still requires more enhancement in terms of granularity, and NBU console must now come up with Views to enforce true NBAC.

Views with NBAC in console would limit boundary set to delegated users.

I believe we cannot have User 1 restriction to client a, b and c and user 2 to client a and c etc.

This should get granular.

OpsCenter has Views but does not offer true operational functionalities. It still provides true monitoring, reporting and partial operational tasks etc.

 

 Cheers !!!

CJS

 

StefanosM's picture

captain jack sparrow is right, you cannot use NBAC or OpsCenter for multi-tenancy.

You can use NBAC to restrict users from specific NetBackup functions. For example, you can have a user that can start a policy, but not change the policy. This goes to all policies and you cannot select which policies the user can start.

 

 

SYMAJ's picture

Thanks for that.

So setting up as per my first post should work OK for me?

Thanks,

AJ.

captain jack sparrow's picture

It's perfect. Go ahead. Do verify latest release notes and late breaking news for any updates on NBAC if any.

Also review Security Admin Guide for NBU for more information on methods and possibilities you can explore with NBU.

NBAC presently integrates with OpsCenter also. Hence any policy changes done within NBU console will reflect in Audit logs of OpsCenter (check if it's enabled, if not enable it with retention of xxx days).

You would have all details of previous value and new value (if modified)

Who did what and when.

 

Note: If OpsCenter is not deployed, you can deploy it. It is complimentary with NBU. It provides basic reporting (60 days) and operational restore functionalities. Analytics provide more granularities with customization (licensed feature).

Hope this helps

 Cheers !!!

CJS

 

SYMAJ's picture

I am still having issues when I enable NBAC (set authentication to AUTOMATIC from PROHIBITED).

When I do this I see the Authentication and Authorization services start up OK. I then restart all NetBackup Services but when I try and start the Admin Console (from the Master Server itself) I get the 'VERSION COULD NOT BE RETRIEVED' error displayed, and I cannot access the Admin Console.

I have no firewalls in the environment between the PCs I am trying to access this from via Remote Admin Console and the Master Server, but I can't even do it from the Master Server itself!!

I am running the NBU services under Local Service Account - is this an issue?

As above, I have only run the bpnbaz -setupmaster, and have not done anything with the media servers or clients.

Any thoughts?

AJ.

captain jack sparrow's picture

AJ, NBU services for NBAC must not be under local account.

Could you try with Domain Admin account which is also a local NBU admin group member?

 Cheers !!!

CJS