About using NetBackup Access Control (NBAC)
NetBackup Access Control (NBAC) is the legacy access control method for NetBackup and is no longer being updated. It is recommended that you use role-based access control (RBAC) with the web UI.
NetBackup Access Control (NBAC) is the role-based access control that is used for primary servers, media servers, and clients. NBAC can be used in situations where you want to:
- Use a set of permissions for different levels of administrators for an application. A backup application can have operators (perhaps load and unload tapes). It can have local administrators (manage the application within one facility). It can also have overall administrators who may have responsibility for multiple sites and determine backup policy. Note that this feature is very useful in preventing user errors. If junior level administrators are restricted from certain operations, they are prevented from making inadvertent mistakes.
- Separate administrators so that root permission to the system is not required to administer the system. You can then separate the administrators for the systems themselves from the ones who administer the applications.
The following table lists the NBAC considerations.
Table: NBAC considerations
| Consideration or issue | Description or resolution |
|---|---|
| Prerequisites before you configure NBAC | This prerequisites list can help you before you start to configure NBAC. These items ensure an easier installation. The following list contains the information for this installation: |
| Determine if the primary server, media server, or client is to be upgraded | Determine if the primary server, media server, or client is to be upgraded as follows: |
| Information about roles | Determine the roles in the configuration as follows: |
| NBAC license requirements | No license is required to turn on the access controls. |
| NBAC and KMS permissions | Typically when using NBAC and when the Setupmaster command is run, the NetBackup related group permissions (for example, NBU_Admin and KMS_Admin) are created. The default root and administrator users are also added to those groups. In some cases the root and administrator users are not added to the KMS group when NetBackup is upgraded. The solution is to grant the root and the administrator users NBU_Admin and KMS_Admin permissions manually. |
| Windows Server Failover Clustering (WSFC) error messages while unhooking shared security services from PBX | In WSFC environments, running the bpnbaz -UnhookSharedSecSvcsWithPBX <virtualhostname> command can trigger error messages. However, the shared Authentication and Authorization services are successfully unhooked from PBX and the errors can be ignored. |
| Possible cluster node errors | In a clustered environment, when the command bpnbaz -setupmaster is run in the context of the local Administrator, the AUTHENTICATION_DOMAIN entries may not contain the other cluster node entries. In such a case, these entries must be manually added from Host Properties into the |
| Catalog recovery fails when NBAC is set to REQUIRED mode | NetBackup does not support catalog recovery when NBAC is set to the REQUIRED mode. To perform catalog recovery, you must first ensure that the NBAC setting on the primary server and all media servers is configured to PROHIBITED or AUTOMATIC. |
| Policy validation fails in NBAC mode (USE_VXSS = REQUIRED) | Backup, restore, and verification of policy for snapshot can fail in NBAC enabled mode if one of the following has been done. |
| The bpnbaz -setupmaster command fails with an error "Unable to contact Authorization Service" | If a user other than an Administrator tries to modify NetBackup security, the bpnbaz -setupmaster fails. Only a user 'Administrator' who is a part of the Administrator's group has permissions to modify the NetBackup security and enable NBAC. |
| Failure of authentication broker configuration during installation | Invalid domain name configuration of the system causes failure during configuration of authentication broker. To correct this problem, use the bpnbaz -configureauth command to configure the authentication broker. For information about the bpnbaz command, see the NetBackup Commands Reference Guide: |
| NetBackup GUI errors may occur if NBAC is enabled on a system that previously had Enhanced Auditing enabled | When switching the NetBackup server from Enhanced Auditing to NBAC, make sure that all directories that are named after users are deleted in the following directory: Windows: UNIX, Linux: The following topic contains more details: |
| NBAC requires the Reverse Hostname Lookup option to be set to Allowed | For NBAC to function properly and to allow communication with NBAC-enabled systems, do the following on the primary server, media servers and all clients: |
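
The catalog recovery row above requires the primary server and every media server to be in PROHIBITED or AUTOMATIC mode first. The following pre-flight check is an added example, not Veritas code. It assumes each host's setting has been collected as bp.conf-style text containing a `USE_VXSS = <mode>` line (the form shown in the policy validation row); the host names and file contents are constructed.

```python
import re

# Modes this page names; only PROHIBITED and AUTOMATIC permit catalog recovery.
RECOVERY_SAFE = {"PROHIBITED", "AUTOMATIC"}
KNOWN_MODES = RECOVERY_SAFE | {"REQUIRED"}
_ENTRY = re.compile(r"^\s*USE_VXSS\s*=\s*(\S+)\s*$")

def nbac_modes(conf_text):
    """Return every USE_VXSS value found in bp.conf-style text, upper-cased."""
    return [m.group(1).upper()
            for m in map(_ENTRY.match, conf_text.splitlines()) if m]

def recovery_blockers(hosts):
    """Map hostname -> reason for each host that must be fixed or checked
    before catalog recovery. `hosts` maps hostname -> configuration text."""
    blockers = {}
    for host, text in hosts.items():
        modes = nbac_modes(text)
        if not modes:
            # Absent entry: do not guess the effective mode (assumption-free).
            blockers[host] = "USE_VXSS not set; confirm the NBAC mode by hand"
        elif len(set(modes)) > 1:
            blockers[host] = "conflicting USE_VXSS entries: " + ", ".join(modes)
        elif modes[0] not in KNOWN_MODES:
            blockers[host] = "unrecognized USE_VXSS value: " + modes[0]
        elif modes[0] not in RECOVERY_SAFE:
            blockers[host] = "NBAC is REQUIRED; set PROHIBITED or AUTOMATIC first"
    return blockers

# Constructed sample input (hypothetical host names and file contents).
SAMPLE_HOSTS = {
    "primary01": "SERVER = primary01\nUSE_VXSS = REQUIRED\n",
    "media01": "SERVER = primary01\nUSE_VXSS = AUTOMATIC\n",
    "media02": "SERVER = primary01\nUSE_VXSS = PROHIBITED\nUSE_VXSS = REQUIRED\n",
    "media03": "SERVER = primary01\n",
}

if __name__ == "__main__":
    for host, reason in recovery_blockers(SAMPLE_HOSTS).items():
        print(f"{host}: {reason}")
```

An empty result means no collected host blocks catalog recovery; any host listed needs its NBAC mode changed or confirmed before the recovery is started.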