Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Web UI Administrator's Guide
  5. Section IX. Managing security
  7. Configuring multiperson authorization
  9. About multiperson authorization
NetBackup™ Web UI Administrator's Guide

About multiperson authorization

NetBackup Security Administrator can configure multiperson authorization that helps protect primary servers from an undesirable or a malicious act, in a proactive manner. Multiperson authorization ensures that a second authorized user approves actions before they are performed.

To configure multiperson authorization in NetBackup, you need to have two users: one is the requester and the other is the approver.

A requester cannot be an approver of their own tickets.

Support information

  • Multiperson authorization is not supported in a domain where NetBackup Access Control (NBAC) is enabled.

  • Multiperson authorization is not supported for catalog maintenance operations by certain database agents.

    As part of the database catalog synchronization, the database may initiate an image expiration request through command-line or other interfaces to the NetBackup catalog, which does not generate multiperson authorization ticket.

    To prevent the direct expiration of backup images by database agents see the 'About preventing the direct expiration of backup images' topic in the NetBackup for Oracle Administrator's Guide.

Terminology

  • Ticket - Ticket is a multiperson authorization request to perform a critical operation.

  • Requester - A requester is a user who wants to perform a critical operation that requires multiperson authorization.

  • Approver - An approver is an individual who reviews and allows an operation that requires multiperson authorization by approving a ticket.

  • Exempted user - An exempted user is not required to go through the multiperson authorization workflow. This user must only be used to perform critical operations like image expiration and image hold removal.

    For additional security, it is recommended that there are no exempted users.

Command-line options that need multiperson authorization

The following operations and the associated command-line options need multiperson authorization:

  • Expiring images expiration:

    • bpexpdate

    • nbdecommission

    • bpimage -deleteCopy

  • Removing image hold:

    • nbholdutil -delete

  • Modifying global security settings:

    • nbcertcmd -setsecconfig

    • nbseccmd -setsecurityconfig

  • Managing encryption key

    • nbkmscmd

    • nbkmsutil

For more information on commands, see the NetBackup Command Reference Guide.

Multiperson authorization is supported for the following commands that are run with the nbcmdrun command:

  • bpplcatdrinfo

  • bpplclients

  • bppldelete

  • bpplsched

  • bpplinclude

  • bpplinfo -set

  • bpplsched

  • bpplschedrep

  • bpplschedwin

  • bppolicynew

Multiperson authorization in a NetBackup and Alta View setup

If an Alta View user has requested a NetBackup operation that needs multiperson authorization, on a registered primary server, multiperson authorization must be enabled in Alta View. Else, NetBackup rejects this Alta View request and the respective user operation fails.

Feedback

Was this page helpful?
Previous

Configuring multiperson authorization

Next

Workflow to configure multiperson authorization for NetBackup operations

Feedback

Was this page helpful?