As I described some months ago, NetBackup Access Control (NBAC) can be used to control access to NetBackup at a more granular level. Since NetBackup 7.x, the configuration of NBAC has been simplified. NBAC should be configured on the following NetBackup components:
- Master Server
- Media Servers
- Clients
Configuring NetBackup Access Control (NBAC) on Master Server
To configure NBAC on Master Server, please follow the below steps:
- Run the bpnbaz -setupmaster command. Type y to continue the configuration wizard.
- When the above command completes successfully, please restart NetBackup services (bpdown -v -f).
- Please run the following command to log in to Authorization Component: bpnbat -login
Configuring NetBackup Access Control (NBAC) on Media Server
To configure NBAC on Media Server(s), please follow the below steps:
- Run the bpnbaz -setupmedia fqdn_of_media command. Type y to continue the configuration wizard.
- When the above command completes successfully, please restart NetBackup services on the target media server (bpdown -v -f).
- Please repeat steps 1-2 on the remaining media servers.
Configuring NetBackup Access Control (NBAC) on clients
To configure NBAC on Clients, please follow the below steps:
- Run the bpnbaz -setupclient fqdn_of_client command. Type y to continue the configuration wizard.
- When the above command completes successfully, please restart NetBackup services on the target client (bpdown -v -f).
- Please repeat steps 1-2 on the remaining clients.
NBAC Permissions
As you may have noticed, during the configuration of NBAC the USE_VXSS option was left in AUTOMATIC mode. This option specifies whether the local system uses NetBackup product authentication and authorization. REQUIRED mode is recommended, so you should change it on the Master Server, Media Servers and Clients as well. To change it, navigate to NetBackup Management --> Host Properties --> Master Servers, Media Servers or Clients, select the host and double-click it. Then click Access Control and select Required mode. Click OK and restart the NetBackup services on the target host.
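After changing many hosts, it helps to verify that none of them was left outside REQUIRED mode. The following audit sketch is an added example, not part of the original post or of NetBackup itself. It assumes that each host's settings have been exported as text in "KEY = value" form; the host names and sample contents are constructed.

```python
import re

# Constructed sample input: one configuration dump per host, "KEY = value" form.
# Assumption: the export layout and the host names are made up for this example.
SAMPLE_CONFIGS = {
    "master01.example.com": "SERVER = master01.example.com\nUSE_VXSS = REQUIRED\n",
    "media01.example.com": "SERVER = master01.example.com\nUSE_VXSS = AUTOMATIC\n",
    "client07.example.com": "SERVER = master01.example.com\n# USE_VXSS = REQUIRED\n",
    "client08.example.com": "use_vxss=required\nUSE_VXSS = AUTOMATIC\n",
}

# The key must start the line, so commented-out or prefixed entries are ignored.
ENTRY = re.compile(r"^\s*USE_VXSS\s*=\s*(\S+)\s*$", re.IGNORECASE)


def use_vxss_values(config_text):
    """Return every USE_VXSS value found in the text, upper-cased."""
    values = []
    for line in config_text.splitlines():
        match = ENTRY.match(line)
        if match:
            values.append(match.group(1).upper())
    return values


def classify(config_text):
    """OK only if USE_VXSS is present and every entry says REQUIRED."""
    values = use_vxss_values(config_text)
    if not values:
        return "MISSING"
    if all(v == "REQUIRED" for v in values):
        return "OK"
    if len(set(values)) > 1:
        return "CONFLICTING"
    return values[0]  # e.g. AUTOMATIC: not the recommended REQUIRED mode


def audit(host_configs):
    """Map each host name to its classification."""
    return {host: classify(text) for host, text in host_configs.items()}


def non_compliant(host_configs):
    """Sorted list of hosts that still need to be switched to REQUIRED."""
    return sorted(h for h, s in audit(host_configs).items() if s != "OK")


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{host:24} {status}")
```

Hosts reported as MISSING or CONFLICTING deserve a manual look in Host Properties, since the export alone does not show which setting is in effect.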
Now you can specify users and their permissions. There are some pre-defined NBAC groups:
- NBU_User
- NBU_Operator
- NBU_Admin
- NBU_Security Admin
- Vault_Operator
- NBU_SAN Admin
- NBU_KMS Admin
You need to add the required users to the required groups within the Access Management tab. If users do not have the required permissions, a similar error is received:
By default, all authenticated users (Authenticated Principals) are in the NBU_User group and they do not have any permissions (only list/browse license 🙂 ) to NetBackup. To add users to a group, click on the group and specify the user or group that you want to add:
Conclusion
NetBackup Access Control (NBAC) offers you higher security and finer permission granularity, but it also makes your backup environment more complex. Sometimes, it's better (and easier) to just limit access to the NetBackup machine 🙂