Read only user in java console
Updated: 21 May 2010 | 11 comments
Hi all,
NetBackup version 6.5.4
HP-UX 11.23
We want to create a user in Veritas which will only be able to check the Activity Monitor and check the status of drives through the Java console. The user should not be able to delete a job, cancel a job
or start a new policy; in short, a user with only read permission.
If anyone knows the configuration steps, please guide.
Comments
Similar thread
I have a very similar thread that I posted yesterday
https://www-secure.symantec.com/connect/forums/fine-tuning-java-console-access
and I think the solution to it would also help you in your case. Unfortunately, no one has posted any comments in it yet.
You can consider
You can consider implementing VxSS for enhanced security and authentication/authorization. The steps have been explained in the NetBackup Administrator's Guide 2.
Also, as you want to have a user with read-only permissions, you can implement NOM 6.5.4, where a feature of "user with read only permissions" has been introduced.
NOM doesn't require any additional license, and is a very good application for NetBackup reporting and monitoring.
Let me know if you need step by step guide for VxSS or NOM.
A guide would be great
A guide explaining what VxSS is and how to implement it would be great. I checked out the Admin Guide vol. 2 and did not find a really good description of it. Would it be possible to provide the link to better documentation?
I always send people to the Yellow Books
There is A LOT of information in the Yellow Books - certainly more than I can handle. :) I think it can get you started if you can put in the time.
http://www.symantec.com/business/theme.jsp?themeid=yellowbooks
(VxSS is now called "Symantec Product Authentication and Authorization Services" - but that acronym [SPAAS] hasn't caught on yet :) )
There are also individual NetBackup manuals on Authentication and Authorization, which we have linked with all the other documentation:
DOCUMENTATION: Where is the documentation for Symantec Product Authentication Service (VxAT), Product Authorization Service (VxAZ) [formerly known as Veritas Security Services (VxSS)] and Infrastructure Core Services (ICS)?
http://support.veritas.com/docs/311203
Good luck! Ask here if (when?) you get stuck! I won't be able to help :) but there are some real experts who have made this thing work for them!
edit the auth.conf file
You can restrict access in the Java console through the /usr/openv/java/auth.conf file.
There is documentation in the NetBackup admin guides on editing this file.
NetBackup services don't have to be restarted after editing this file.
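An added example, not part of the original thread or of NetBackup itself: a small audit of auth.conf entries against a monitoring-only policy. The entry format, the `AM`/`DM` keywords, the fallback to the `*` default entry and the sample users are assumptions; the audit reports which console components an entry opens, not what a user can do inside them.

```shell
#!/bin/sh
# Added example: audit a NetBackup Java console auth.conf read from stdin.
# Assumed entry format: <user> ADMIN=<kw>+<kw> JBP=<kw>+<kw>
# '#' starts a comment, '*' is the default entry. ALLOWED is this example's policy.
ALLOWED="AM DM"   # Activity Monitor and Device Monitor only

audit_auth_conf() {   # prints "<user> <OK|WIDE|CHECK> <ADMIN value>" per entry
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }
        {
            admin = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^ADMIN=/) admin = substr($i, 7)
            if (admin == "") { print $1, "CHECK", "-"; next }   # no ADMIN field: review by hand
            verdict = "OK"
            m = split(admin, kw, "+")
            for (j = 1; j <= m; j++) if (!(kw[j] in ok)) verdict = "WIDE"
            print $1, verdict, admin
        }'
}

effective_entry() {   # $1 = user; exact entry wins, else the '*' default (assumed)
    audit_auth_conf | awk -v u="$1" '
        $1 == u   { exact = $0 }
        $1 == "*" { dflt = $0 }
        END {
            if (exact != "") print exact
            else if (dflt != "") print dflt
            else print u, "NONE", "-"
        }'
}

sample_conf() {   # constructed sample, not taken from a real server
    cat <<'EOF'
# user   ADMIN             JBP
root     ADMIN=ALL         JBP=ALL
opsview  ADMIN=AM+DM       JBP=ENDUSER
helpdesk ADMIN=AM+BPM      JBP=ENDUSER
*        ADMIN=JBP         JBP=ENDUSER+BU+ARC
EOF
}

sample_conf | audit_auth_conf
sample_conf | effective_entry opsview
sample_conf | effective_entry contractor
```

On a master server the same functions can be fed the real file, for example `audit_auth_conf < /usr/openv/java/auth.conf`.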
Unfortunately the admin guide
Unfortunately the admin guide does not get as granular as I need to be. I need to do more than just restrict a user to the policy configuration window. I need to allow them access to only rerun a manual backup. I do not want them making policy changes, removing policies, or any similar activities. I think the OP of this thread also needs the same functionality. They want to restrict someone to the Activity Monitor, but they want to further refine their access to the AM.
And it looks like VxSS, or SPAAS, is much more than what I need. I was just hoping there was some undocumented method that would allow me to dig further than just specifying "BPM" for backup policy management.
vxss / nom
Thanks all for your responses. Yes, I would require a step-by-step installation guide/method for VxSS or NOM 6.5.4.
I guess using auth.conf we can only restrict which components can be granted to any particular.. For example, if I am only granting
Activity Monitor, the user can still cancel / suspend any policy, which is not desired in our case.
Thanks
Amit
Try this--- The process for
Try this---
The process for configuring Veritas Security Services (VxSS) is as follows:
1) Make sure you can ping the NetBIOS version of the domain you log into (i.e. mybox not mybox.local and the FQDN of the master if using unixpwd)
2) Install Authentication service and Root Broker version 4.2 by executing the installics on the master server, and selecting yes to installing the Root + AB brokers. (installics is located on the Infrastructure Core Services disk)
3) Install the Authorization service 4.2 by executing the installics on the same server using the Custom/Complete install option. (installics is located on the Infrastructure Core Services disk)
4) Verify both processes (vxatd and vxazd) are started.
5) Go to the command line on the server and change directories to the netbackup/bin directory (default is /usr/openv/netbackup/bin).
6) Run "bpnbat -addmachine" two times, once for the FQDN of the Master Server and once for the NetBIOS version of the name.
7) Input the information requested (authentication broker should ALWAYS be the FQDN of the Master server, and the port number should be left as default).
8) Run "bpnbat -loginmachine" two times, once for the FQDN of the Master Server and once for the NetBIOS version of the name.
9) Input the information requested (authentication broker should ALWAYS be the FQDN of the Master server, and the port number should be left as default).
10) Change directories to the Admincmd directory.
11) Run "bpnbaz -setupsecurity %FQDN_of_Master%" (i.e. "bpnbaz -setupsecurity bob.mybox.local")
12) During this process you will be creating the NBU_Security_Admin, the person who is allowed to add users to other groups within Access Control. You will need to type in the Authentication broker name (again, FQDN of Master), leave port settings as default, the Authentication Domain (if Active Directory, it will be either NT or Windows, depending on version of Veritas Security Services, and FQDN of the master if using unixpwd). Domain will be the NetBIOS version of domain (i.e. "mybox" not "mybox.com" for Windows and FQDN of the master if using unixpwd). The login name (and the password to follow) will be the credentials for the user account that will be the security admin, so make sure you have access to it. When the information has been typed in and the password entered it will proceed to validate your account against your specified authentication type (i.e. Active Directory or the unix password file for unixpwd). If successful, it will state "Operation Completed successfully". Anything else is considered a failure and will need to be reattempted.
13) Next type in "bpnbaz -allowauthorization %FQDN_of_Master%" (i.e. "bpnbaz -allowauthorization bob.mybox.local"). This again should return an "Operation Completed successfully".
14) Now change directories up one level to the bin directory, and type in "bpnbat -login" and hit enter.
15) Veritas Security Services will now ask for your credentials to validate you as an admin to log in to NetBackup/Veritas Security Services. (reference information on "bpnbaz -setupsecurity" section above).
16) Change directories to admincmd and type "bpnbaz -listgroups". Five groups should be returned. If not, the process was unsuccessful and you will need to rerun the "bpnbaz -setupsecurity" process.
17) Final stage in the process is to associate NetBackup to use Veritas Security Services.
18) Open NetBackup Admin Console, expand the "Host Properties" section, then "Master Server". Bring up properties of Master Server and click "Access Control". Set VxSS to "Automatic". Click Add, then select "Domain" from radio button for Domains, or Hostname if using unixpwd, and type in the NetBIOS version of domain, and click Add/Ok/Close. Change from "Required" to "Automatic" (important, do not miss this step or you could potentially cause backups to fail).
19) Click on the Authentication Service tab. Click Add, and type in the domain or FQDN of the master if using unixpwd, authentication mechanism (for Active Directory, it would be NT or Windows, for password then unixpwd), followed by broker, which will be the FQDN of the master server. Click Add then Close.
20) Click on the Authorization Service tab and type in the FQDN of the Master Server.
21) Click Apply and Ok. Close NetBackup Admin Console then reopen it. Click Help, then "Current NBAC User". If you can click it and it shows your credentials, you have completed the configuration of Veritas Security Services. You can now proceed to add your users and groups to the Access Management -> NBU User Groups section.
*********
For each media server and Remote Admin Console you will need to repeat steps 6 and 13 (substituting the name of each Media Server and Remote Admin Console) from the master server and step 8 from the respective boxes.
Thanks
Thanks a lot Ravi, I will try out the steps and get back with results. Also let me know: after installing authentication and authorization, does it require a NetBackup service restart?
Regards
Amit
Interestingly enough
I just came back from a meeting with a Symantec engineer, and this question came up. He said that the functionality to get very granular with permissions was being looked at, however he said not to expect anything until after 7.0 has been released.
Hi Amit, the process doesn't
Hi Amit, the process doesn't require a restart of NBU services.