Authorization file (auth.conf) characteristics
By default, the authorization file or auth.conf file grants access for the following functions in the NetBackup Administration Console:
On NetBackup servers | Administrator applications and capabilities for the root user. User backup and restore capabilities for all other users.
On NetBackup clients | User backup and restore capabilities for all users.
Auth.conf file location
Windows NetBackup servers | Use this template file to create an |
UNIX NetBackup servers | Contains the following entries:
root ADMIN=ALL JBP=ALL
* ADMIN=JBP JBP=ENDUSER+BU+ARC
Configure the auth.conf file as follows:
If the auth.conf file exists, it must contain at least one entry. Provide an entry for each user, or use an asterisk (*) to indicate all users except OS administrators and RBAC administrators.
Users without entries in the file cannot access any NetBackup applications.
An asterisk (*) in the first field matches any user name except OS administrators and RBAC administrators. Such users are accepted and are allowed to use the applications that the entry specifies.
Entries for specific users must be listed first, followed by any entries with an asterisk (*).
Use the first field of each entry to indicate the user name that is granted or denied access rights. Use an asterisk to indicate any user name.
The remaining fields specify the access rights for the user or users. You cannot use an asterisk (*) to authorize all users for all applications; each user (or all users) must be given specific application keywords. To deny all capabilities to a specific user, provide the keywords with no values. For example:
mydomain\ray ADMIN= JBP=
You can specify user groups that need access to certain UI functions.
The <GRP> tag is used to specify a user group in the auth.conf file. For example:
<GRP> domain1\BackupAdmins ADMIN=SUM JBP=BU
In this example, domain1 is a NetBackup domain and BackupAdmins is a user group. All users in the BackupAdmins user group can access the Storage Unit Management (SUM) UI node and can carry out backup (BU) tasks.
The credentials that are entered in the logon screen must be valid on the computer that is specified in the host field. The NetBackup application server authenticates with the specified computer. The user name is the account that is used to back up, archive, or restore files. To perform remote administration or user operations with jbpSA, a user must have valid accounts on the NetBackup UNIX server or client computer. The Backup, Archive, and Restore application (jbpSA) relies on system file permissions when it browses the directories and files to back up or restore.
The password must be the same password that was used upon logon at that computer. For example, assume you log on with the following information:
username = joe password = access
You must use this same user name and password to log into NetBackup.
You can log on to the NetBackup application server under a different user name than the name used to log on to the operating system. For example, if you log on to the operating system with a user name of joe, you can subsequently log on to jnbSA as root.
Active Directory (AD) groups are supported in the auth.conf file only for primary servers.
User groups are defined using the <GRP> tag in the auth.conf file.
Note:
Run the vssat validateprpl command to verify the format of the group names that you have defined in the auth.conf file.
For more information on the command, see the NetBackup Commands Reference Guide.
If a user is a member of multiple groups, the access rights of those groups are combined for the user. For example, user1 is a member of the user groups BackupAdmins and StorageUnitAdmins:
<GRP> domain1\BackupAdmins ADMIN=SUM JBP=BU
<GRP> domain1\StorageUnitAdmins ADMIN=CAT JBP=RAWPART
Access rights for user1 are combined as follows: ADMIN=SUM+CAT JBP=BU+RAWPART
If both a user entry and an entry for a group that the user belongs to exist in the auth.conf file, the user is assigned the combined access rights of both. For example, user1 has a user entry and is a member of the user groups BackupAdmins and StorageUnitAdmins:
domain\user1 ADMIN=JBP JBP=ENDUSER
<GRP> domain\BackupAdmins ADMIN=CAT JBP=BU
<GRP> domain\StorageUnitAdmins ADMIN=SUM JBP=RAWPART
Access rights for user1 are as follows: ADMIN=JBP+SUM+CAT JBP=BU+RAWPART+ENDUSER
If duplicate entries for a user, a user group, or both exist in the auth.conf file, only the first entry for that user or user group is taken into account when the combined access rights are assigned to the user. For example, user1 is a member of the BackupAdmins user group and the auth.conf file contains two entries for the BackupAdmins user group:
<GRP> domain1\BackupAdmins ADMIN=CAT JBP=BU
<GRP> domain1\BackupAdmins ADMIN=SUM JBP=RAWPART
Access rights for user1 are as follows: ADMIN=CAT JBP=BU
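The entry, wildcard, and merge rules above are easy to misread when a file mixes user entries, <GRP> entries, duplicates, and a trailing asterisk. The following script is an added illustration of those rules and is not NetBackup's own parser: it reads a constructed auth.conf, keeps only the first entry for each name, combines user and group rights, treats empty ADMIN= and JBP= values as an explicit deny, and rejects any entry that appears after the asterisk line. It assumes that the asterisk entry is consulted only for a user who has neither a matching user entry nor a matching group entry, and never for an OS or RBAC administrator; NetBackup's exact precedence between a specific entry and the asterisk is not stated on this page.

```python
"""
Effective-rights evaluator for a NetBackup-style auth.conf.

Added illustration of the documented rules, not NetBackup code.
ASSUMPTION: '*' applies only to users with no matching user or group
entry, and never to OS or RBAC administrators.
"""
from __future__ import annotations

# Constructed sample auth.conf (not taken from a real installation).
SAMPLE_AUTH_CONF = """\
# specific users first, then groups, then the catch-all
domain\\user1 ADMIN=JBP JBP=ENDUSER
mydomain\\ray ADMIN= JBP=
<GRP> domain\\BackupAdmins ADMIN=CAT JBP=BU
<GRP> domain\\BackupAdmins ADMIN=SUM JBP=RAWPART
<GRP> domain\\StorageUnitAdmins ADMIN=SUM JBP=RAWPART
* ADMIN=JBP JBP=ENDUSER+BU+ARC
"""

FIELDS = ("ADMIN", "JBP")
Rights = dict[str, list[str]]


def _parse_rights(tokens: list[str]) -> Rights:
    """['ADMIN=SUM+CAT', 'JBP='] -> {'ADMIN': ['SUM', 'CAT'], 'JBP': []}."""
    rights: Rights = {f: [] for f in FIELDS}
    for tok in tokens:
        name, sep, value = tok.partition("=")
        if not sep or name not in FIELDS:
            raise ValueError(f"bad token {tok!r}; expected ADMIN=... or JBP=...")
        rights[name] = [kw for kw in value.split("+") if kw]
    return rights


def parse_auth_conf(text: str) -> tuple[dict[str, Rights], dict[str, Rights], Rights | None]:
    """Return (users, groups, wildcard).

    The first entry for a given user or group name wins. An entry that
    follows the '*' line is rejected, because specific entries must be
    listed before the asterisk entry.
    """
    users: dict[str, Rights] = {}
    groups: dict[str, Rights] = {}
    wildcard: Rights | None = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if wildcard is not None:
            raise ValueError(f"line {lineno}: entry after '*' is never reached")
        if tokens[0] == "<GRP>":
            if len(tokens) < 2:
                raise ValueError(f"line {lineno}: <GRP> without a group name")
            table, name, rest = groups, tokens[1], tokens[2:]
        else:
            table, name, rest = users, tokens[0], tokens[1:]
        rights = _parse_rights(rest)
        if name == "*":
            wildcard = rights
        else:
            table.setdefault(name, rights)  # duplicate name: keep the first entry
    return users, groups, wildcard


def _merge(into: Rights, extra: Rights) -> None:
    """Union of keyword lists per field, preserving first-seen order."""
    for f in FIELDS:
        for kw in extra[f]:
            if kw not in into[f]:
                into[f].append(kw)


def effective_rights(users, groups, wildcard, user, member_of=(),
                     is_os_or_rbac_admin=False) -> Rights | None:
    """Combined rights for `user`, or None when no entry grants access."""
    combined: Rights = {f: [] for f in FIELDS}
    matched = False
    if user in users:
        _merge(combined, users[user])
        matched = True
    for group in member_of:
        if group in groups:
            _merge(combined, groups[group])
            matched = True
    if matched:
        return combined
    if wildcard is not None and not is_os_or_rbac_admin:
        _merge(combined, wildcard)
        return combined
    return None


def format_rights(rights: Rights) -> str:
    """Render rights back into auth.conf keyword syntax."""
    return " ".join(f"{f}={'+'.join(rights[f])}" for f in FIELDS)


if __name__ == "__main__":
    u, g, w = parse_auth_conf(SAMPLE_AUTH_CONF)
    checks = [("domain\\user1", ["domain\\BackupAdmins", "domain\\StorageUnitAdmins"]),
              ("mydomain\\ray", []), ("domain\\guest", [])]
    for who, grps in checks:
        r = effective_rights(u, g, w, who, grps)
        print(who, "->", "no access" if r is None else format_rights(r))
```

Running the script shows user1 receiving the union of the user entry and the first BackupAdmins entry (the second BackupAdmins line is ignored), ray receiving empty ADMIN and JBP lists (denied all capabilities), and an unlisted user falling through to the asterisk entry.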
Upon exit, some application state information (for example, table column order) is automatically saved in joe's $HOME/.java/.userPrefs/vrts directory. The information is restored the next time you log on to the operating system under account joe and start the NetBackup application. This logon method is useful if there is more than one administrator, because it saves the state information for each administrator separately.
Note:
NetBackup creates a user's $HOME/.java/.userPrefs/vrts directory the first time an application is exited. Only NetBackup applications use the .java/.userPrefs/vrts directory.