Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section I. Identity and access management
  7. NetBackup Access Control Security (NBAC)
  9. Using NetBackup Access Control (NBAC) with Auto Image Replication
NetBackup™ Security and Encryption Guide

Using NetBackup Access Control (NBAC) with Auto Image Replication

If Auto Image Replication is configured for two domains and NetBackup Access Control (NBAC) is used, it must be used in both the source domain and the target domain. The configuration for the primary servers must be either USE_VXSS = REQUIRED or USE_VXSS = AUTOMATIC. (However, the setting may be REQUIRED in one domain and AUTOMATIC in the other.

Auto Image Replication is not supported between primary server domains where one primary server is configured to use NBAC and NBAC is disabled on the other primary server. That is, the configuration for one primary server is USE_VXSS = AUTOMATIC or USE_VXSS = REQUIRED and on the other primary server it is USE_VXSS = PROHIBITED (disabled).

The following configuration is necessary if NBAC is used in the primary server domains:

  • In the source primary server domain:

    The administrator should make sure that the target primary server has the permissions set correctly before configuration for the operation begins.

  • In the target primary server domain:

    The security administrator in the target domain must give the administrator in the source domain the correct set of permissions. The source domain administrator needs Browse, Read, and Configure permissions on the following objects: HostProperties, DiskPool, and DevHost.

    The source domain administrator can be added as a member to any existing group which has all three permissions.

Consider the following example:

Two NBAC domains each contain a primary server:

  • Replication source NBAC domain: DomainA contains Master-A

  • Replication target NBAC domain: DomainB contains Master-B

NBAC is enabled in both the domains. (If NBAC is used in one domain, it must be used in the other domain.)

For UserA to create an Auto Image Replication SLP with Master-B as the target, UserA needs permission on Master-B to do so.

A security administrator (UserB) in DomainB must create a user group (NB_InterDomainUsers, for example) and give Browse, Read, and Configure permissions in the following areas:

  • HostProperties

  • DiskPool

  • DevHost

The security administrator in DomainB (UserB) then assigns NB_InterDomainUsers to DomainA\UserA using the bpnbaz -AddUser command.

Feedback

Was this page helpful?
Previous

Network Attributes tab for the client

Next

Troubleshooting Access Management

Feedback

Was this page helpful?