Veritas NetBackup™ DataStore SDK Programmer's Guide for XBSA 1.1.0

NetBackup object ownership

Default behavior

When the NetBackup XBSA interface is used to create an object, by default the owner of the object is the logon user of the process that created the object. The default group of the object is also set to the logon user name: not the primary group of the logon user, but exactly the same name as the logon user. The permissions of the file are set to 600 ('rw-------'), which is read/write for the owner and no access for anyone else. The user restoring an object must therefore be an administrator or the same user that created the object. The XBSA objectOwner fields are saved in the NetBackup catalog with the object, but they are kept as attributes of the object and are not used for security purposes.

Ownership options

Using the XBSA environment variables NBBSA_USE_OBJECT_OWNER, NBBSA_USE_OBJECT_GROUP, NBBSA_OBJECT_OWNER, and NBBSA_OBJECT_GROUP, an agent can change the default owner and specify who owns the objects.

Note:

Specifying object ownership only works when creating objects using BSACreateObject(). Accessing the objects by BSAQueryObject() and BSAGetObject() is dependent on the logon process having permissions to access the objects. So if user_Y creates an object with an object owner of user_X, then user_X or an administrator (root) can access and restore the object, but user_Y cannot.

Object owner

To specify the owner of an object, the XBSA environment variable NBBSA_USE_OBJECT_OWNER needs to be set. There are four values that this variable can be set to. These values are defined in nbbsa.h.

/*
 * XBSA values to use to define how to specify NetBackup object ownership
 */
#define VxLOGIN_USER  0 /* Default, owner/group field is set to the logon user */
#define VxLOGIN_GROUP 1 /* group field is set to the primary group of the logon user */
#define VxBSA_OWNER   2 /* owner/group field is set to                                \
                           objectDescriptor->objectOwner.bsa_ObjectOwner */
#define VxAPP_OWNER   3 /* owner/group field is set to                                \
                           objectDescriptor->objectOwner.app_ObjectOwner */
#define VxENV_OWNER   4 /* owner/group field is set to value of                       \
                           NBBSA_OBJECT_OWNER/NBBSA_OBJECT_GROUP */

VxLOGIN_USER is the default behavior that you would get if the NBBSA_USE_OBJECT_OWNER variable wasn't set.

VxLOGIN_GROUP does not apply to object ownership.

VxBSA_OWNER sets the object owner to the value stored in the objectDescriptor field objectOwner.bsa_ObjectOwner. The value in the bsa_ObjectOwner field must be a valid user name without any spaces in the name. The value in objectOwner.bsa_ObjectOwner is still stored as an attribute of the object and a query must correctly specify this field in the query descriptor to successfully find the object.

VxAPP_OWNER sets the object owner to the value stored in the objectDescriptor field objectOwner.app_ObjectOwner. The value in the app_ObjectOwner field must be a valid user name without any spaces in the name. The value in objectOwner.app_ObjectOwner is still stored as an attribute of the object and a query needs to correctly specify this field in the query descriptor to successfully find the object.

VxENV_OWNER sets the object owner to the value of the XBSA environment variable NBBSA_OBJECT_OWNER. The value stored in NBBSA_OBJECT_OWNER must be a valid user name without any spaces in the name.

The variables NBBSA_USE_OBJECT_OWNER and NBBSA_OBJECT_OWNER can be changed within a transaction so that an XBSA agent can set different ownerships of each object in a transaction.

Object group

An XBSA agent can also change the group ownership of an object. When the group ownership is set by any of these options other than the default, the permissions on the object are set to 660 ('rw-rw----'), which is read/write for owner and group. This allows any user in the specified group to access and restore the object.

To specify the group of an object, the XBSA environment variable NBBSA_USE_OBJECT_GROUP needs to be set. There are five values that this variable can be set to. These values are defined in nbbsa.h.

/*
 * XBSA values to use to define how to specify NetBackup object ownership
 */
#define VxLOGIN_USER  0 /* Default, owner/group field is set to the logon user */
#define VxLOGIN_GROUP 1 /* group field is set to the primary group of the logon user */
#define VxBSA_OWNER   2 /* owner/group field is set to                                \
                           objectDescriptor->objectOwner.bsa_ObjectOwner */
#define VxAPP_OWNER   3 /* owner/group field is set to                                \
                           objectDescriptor->objectOwner.app_ObjectOwner */
#define VxENV_OWNER   4 /* owner/group field is set to value of                       \
                           NBBSA_OBJECT_OWNER/NBBSA_OBJECT_GROUP */

VxLOGIN_USER is the default behavior that you would get if the NBBSA_USE_OBJECT_GROUP variable was not set. The group name is the same name as the owner field, whether that is the logon user or a user name defined by one of the other options, and the permissions of the object will be 600, owner read/write only.

VxLOGIN_GROUP sets the group field to the primary group of the logon user.

VxBSA_OWNER sets the object group to the value stored in the objectDescriptor field objectOwner.bsa_ObjectOwner. The value in the bsa_ObjectOwner field must be a valid user name without any spaces in the name. The value in objectOwner.bsa_ObjectOwner is still stored as an attribute of the object and a query must correctly specify this field in the query descriptor to successfully find the object.

VxAPP_OWNER sets the object group to the value stored in the objectDescriptor field objectOwner.app_ObjectOwner. The value in the app_ObjectOwner field must be a valid user name without any spaces in the name. The value in objectOwner.app_ObjectOwner is still stored as an attribute of the object and a query must correctly specify this field in the query descriptor to successfully find the object.

VxENV_OWNER sets the object group to the value of the XBSA environment variable NBBSA_OBJECT_GROUP. The value stored in NBBSA_OBJECT_GROUP must be a valid user name without any spaces in the name.

The variables NBBSA_USE_OBJECT_GROUP and NBBSA_OBJECT_GROUP can be changed within a transaction so that an XBSA agent can set different group ownerships of each object in a transaction.
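
The owner and group rules above, collected into a small C model for working out who can restore an object under a given combination of settings. This is an added example, not NetBackup or SDK code: the Ctx and Ownership types and the functions resolve_ownership(), can_restore() and creator_can_restore_after_handoff() are hypothetical, root stands in for the administrator, and VxLOGIN_GROUP is rejected for the owner because the page only says it does not apply.

```c
#include <string.h>
/* Values as listed on this page (from nbbsa.h), repeated so the model compiles alone. */
enum { VxLOGIN_USER, VxLOGIN_GROUP, VxBSA_OWNER, VxAPP_OWNER, VxENV_OWNER };

/* Hypothetical model types, not part of the XBSA or NetBackup API. */
typedef struct {
    const char *logon_user, *logon_primary_group; /* identity of the creating process */
    const char *bsa_owner, *app_owner;            /* objectOwner.bsa_/app_ObjectOwner */
    const char *env_owner, *env_group;            /* NBBSA_OBJECT_OWNER / NBBSA_OBJECT_GROUP */
} Ctx;
typedef struct { const char *owner, *group; unsigned mode; } Ownership;
/* Only the "no spaces" part of "valid user name" is checked in this model. */
static int valid_name(const char *s) { return s && *s && !strchr(s, ' '); }

static const char *pick(const Ctx *c, int how, const char *env_value) {
    return how == VxBSA_OWNER ? c->bsa_owner : how == VxAPP_OWNER ? c->app_owner
         : how == VxENV_OWNER ? env_value : NULL; /* NULL: unknown value */
}

/* Returns 0 and fills *out, or -1 when a setting or name is unusable. */
int resolve_ownership(const Ctx *c, int use_owner, int use_group, Ownership *out) {
    if (use_owner == VxLOGIN_GROUP) return -1; /* assumption: rejected, page says "does not apply" */
    out->owner = use_owner == VxLOGIN_USER ? c->logon_user : pick(c, use_owner, c->env_owner);
    if (use_group == VxLOGIN_USER) { /* default: group name equals owner name, 600 */
        out->group = out->owner;
        out->mode = 0600;
    } else {                         /* any other option: 660 */
        out->group = use_group == VxLOGIN_GROUP ? c->logon_primary_group
                                                : pick(c, use_group, c->env_group);
        out->mode = 0660;
    }
    return valid_name(out->owner) && valid_name(out->group) ? 0 : -1;
}

/* groups: NULL-terminated list of the restoring user's groups, or NULL. */
int can_restore(const Ownership *o, const char *user, const char *const *groups) {
    if (!strcmp(user, "root") || !strcmp(user, o->owner)) return 1;
    if (o->mode == 0660)
        for (; groups && *groups; groups++)
            if (!strcmp(*groups, o->group)) return 1;
    return 0;
}

/* Constructed scenario from the page's note: user_Y creates an object owned by user_X. */
int creator_can_restore_after_handoff(void) {
    Ctx c = { "user_Y", "staff", "user_X", NULL, NULL, NULL };
    Ownership o;
    if (resolve_ownership(&c, VxBSA_OWNER, VxLOGIN_USER, &o) != 0) return -1;
    return can_restore(&o, "user_Y", NULL); /* 0: the creator is locked out */
}
```

Running the model over an agent's planned settings before deployment shows whether the account that writes the backups keeps restore access, and whether a group setting widens restore access to every member of that group.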
