About multiperson authorization
The NetBackup Security Administrator can configure multiperson authorization, which proactively helps protect primary servers from undesirable or malicious acts. Multiperson authorization ensures that a second authorized user approves actions before they are performed.
To configure multiperson authorization in NetBackup, you need to have two users: one is the requester and the other is the approver.
A requester cannot be an approver of their own tickets.
Multiperson authorization is not supported in a domain where NetBackup Access Control (NBAC) is enabled.
Multiperson authorization is not supported for catalog maintenance operations by certain database agents.
As part of database catalog synchronization, the database may initiate an image expiration request to the NetBackup catalog through the command line or other interfaces. Such a request does not generate a multiperson authorization ticket.
To prevent the direct expiration of backup images by database agents, see the 'About preventing the direct expiration of backup images' topic in the NetBackup for Oracle Administrator's Guide.
Ticket - A ticket is a multiperson authorization request to perform a critical operation.
Requester - A requester is a user who wants to perform a critical operation that requires multiperson authorization.
Approver - An approver is an individual who reviews and allows an operation that requires multiperson authorization by approving a ticket.
Exempted user - An exempted user is not required to go through the multiperson authorization workflow. This user must only be used to perform critical operations like image expiration and image hold removal.
For additional security, it is recommended that there are no exempted users.
The following operations and the associated command-line options need multiperson authorization:
Expiring images:
bpexpdate
nbdecommission
bpimage -deleteCopy
Removing image hold:
nbholdutil -delete
Modifying global security settings:
nbcertcmd -setsecconfig
nbseccmd -setsecurityconfig
Managing encryption keys:
nbkmscmd
nbkmsutil
For more information on commands, see the NetBackup Command Reference Guide.
Multiperson authorization is supported for the following commands that are run with the nbcmdrun command:
bpplcatdrinfo
bpplclients
bppldelete
bpplsched
bpplinclude
bpplinfo -set
bpplschedrep
bpplschedwin
bppolicynew
If an Alta View user requests a NetBackup operation that needs multiperson authorization on a registered primary server, multiperson authorization must be enabled in Alta View. Otherwise, NetBackup rejects the Alta View request and the user operation fails.
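Before multiperson authorization is enabled, it helps to know which scheduled scripts call the gated commands listed above, because those calls will then wait for a ticket approval. The following is an added example, not NetBackup code: it checks UNIX-style script lines against the command lists on this page. It assumes the command is the first token on the line and that a command wrapped by nbcmdrun appears as a later token on the same line; the sample script, its path, ARGS and POLICY are constructed placeholders.

```python
import shlex
from pathlib import PurePosixPath

# Command -> (operation, required option) from this page; None = every call is gated.
DIRECT = {
    "bpexpdate": ("expiring images", None),
    "nbdecommission": ("expiring images", None),
    "bpimage": ("expiring images", "-deleteCopy"),
    "nbholdutil": ("removing image hold", "-delete"),
    "nbcertcmd": ("modifying global security settings", "-setsecconfig"),
    "nbseccmd": ("modifying global security settings", "-setsecurityconfig"),
    "nbkmscmd": ("managing encryption keys", None),
    "nbkmsutil": ("managing encryption keys", None),
}
# Commands the page lists as gated when run with nbcmdrun.
WRAPPED = {c: None for c in (
    "bpplcatdrinfo", "bpplclients", "bppldelete", "bpplsched", "bpplinclude",
    "bpplschedrep", "bpplschedwin", "bppolicynew")}
WRAPPED["bpplinfo"] = "-set"

def needs_mpa(line):
    """Return the gated operation for one command line, or None."""
    try:
        tokens = shlex.split(line, comments=True)  # drops '#' comments
    except ValueError:                             # unbalanced quotes: not parsed
        return None
    if not tokens:
        return None
    cmd, args = PurePosixPath(tokens[0]).name, tokens[1:]
    if cmd in DIRECT:
        operation, option = DIRECT[cmd]
        return operation if option is None or option in args else None
    if cmd == "nbcmdrun":
        # Assumption: the wrapped command appears as a later token on the line.
        for i, tok in enumerate(args):
            inner = PurePosixPath(tok).name
            if inner in WRAPPED and (WRAPPED[inner] is None or WRAPPED[inner] in args[i + 1:]):
                return "nbcmdrun " + inner
    return None

def audit(script_text):
    """Return (line number, operation) for each line that would need a ticket."""
    found = ((n, needs_mpa(l)) for n, l in enumerate(script_text.splitlines(), 1))
    return [(n, op) for n, op in found if op]

# Constructed sample script; ARGS and POLICY are placeholders, not real arguments.
SAMPLE = ("#!/bin/sh\n/opt/example/bin/bpexpdate ARGS\nbpimage ARGS\n"
          "bpimage -deleteCopy ARGS\nnbcmdrun bpplinfo POLICY -set ARGS\n"
          "nbcmdrun bpplinfo POLICY ARGS\n# bpexpdate ARGS\n")
```

Calling `audit(SAMPLE)` reports lines 2, 4 and 5; lines that use `bpimage` or `bpplinfo` without the listed option, and commented-out lines, are not reported.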