NetBackup™ Web UI Security Administrator's Guide

Product(s): NetBackup (8.2)

Add a custom role

If the default NetBackup roles for RBAC do not meet your needs, you can configure a role with custom role permissions. Note, however, that custom roles do have certain limitations. See Limitations of custom roles.

To add a custom role

  1. On the left, select Security > RBAC.
  2. Select the Roles tab and click Add.
  3. Provide a Role name and a description.

    For example, you may want to indicate that the role is for any users that are backup administrators for a particular department or region.

  4. For Role permissions, choose the permission or type of access that you want users with that role to have for each permission type.

    For example, you may want a user to be able to view, but not manage protection plans. Or you may want to give only some users the ability to perform recovery of assets, but not to configure application servers or asset groups.

    See Table: Description of permissions for custom roles.

  5. Click Add.

Permissions for custom roles

Table: Description of permissions for custom roles describes the individual permissions that you can select for a custom role.

Table: Description of permissions for custom roles

| Permission category | Permission | Action that the permission allows |
|---|---|---|
| Job management | | Allow a user to view jobs or to manage job operations. |
| | Manage Jobs | Manage current or completed jobs. Includes the ability to delete, cancel, restart, and suspend a job. |
| | View Jobs | View the current or the completed jobs for the master server. |
| Asset management | | Allow a user to manage assets, subscribe assets to protection plans, or to view assets. Note that a user can only manage assets for which that user is granted access. |
| | Manage Application Servers and Asset Groups | Add credentials, so NetBackup can discover additional information for the workload. For example, when the user adds VMware credentials, NetBackup discovers more details for the VMware server. The user can then view and select objects within the vCenter. Create and manage asset groups (or "intelligent" groups) and subscribe groups to protection plans. When the backup runs, NetBackup dynamically creates a list of all VMs that meet the conditions for the intelligent group. For example, a user can create an intelligent VM group named "Finance Department". Then the user can add a condition so the group contains all VMs that have a display name that starts with the specific string "finance". |
| | Manage Assets | Manage the assets that are associated with the supported workloads and subscribe assets to protection plans. |
| | View Assets | View assets that are associated with the supported workloads. |
| Storage Management | | Allow a user to view and manage storage servers and storage units. |
| | Manage Storage | Create, view, edit, or delete storage servers and storage units. Note: Users that only have this permission are not able to sign in to the web UI. |
| | View Storage | View the attributes for storage servers and storage units. Note: Users that only have this permission are not able to sign in to the web UI. |
| Recovery Point Management | | |
| | Manage Recovery Point Expiration | Expire the recovery points available for an asset. This functionality is currently only available from the NetBackup APIs. Note: Users that only have this permission are not able to sign in to the web UI. |
| | Manage Recovery Points | Manage the recovery points available for an asset. This permission lets the user restore, copy, and duplicate a recovery point and change the primary copy of an image. These functions are currently only available from the NetBackup APIs. Note: Users that only have this permission are not able to sign in to the web UI. |
| Security management | | Allow a user to view audit logs or to manage security settings or certificates in NetBackup. |
| | Manage Global Security Settings | Manage security settings for the NetBackup master server. These settings affect communication with 8.0 and earlier hosts, automatic mapping of host names, the security level for certificate deployment, and the disaster recovery passphrase. Note: Users that only have this permission are not able to sign in to the web UI. |
| | Manage API Keys | Add, edit, view, or delete any API keys that are created for NetBackup users. |
| | Manage Certificates | Manage NetBackup security certificates and view external CA certificate details for hosts. For NetBackup certificates, includes the ability to revoke a certificate, create a reissue token so a certificate can be reissued, or create a new token. Users with this permission can also manage user sessions. |
| | View Audit Logs | See who has signed in to NetBackup, made changes to security settings, or who has browsed or restored a backup image. Also view the access history for the current user. |
| | Manage User Authentication | Manage the settings for authenticating users with a smart card or digital certificate. Users with this permission can also manage locked NetBackup user accounts. |
| | View API Keys | View the API keys that are created for NetBackup users. A NetBackup user is able to view and manage their own key. |
| Protection plan management | | Note that a user can only manage or select a protection plan for which that user is granted access. |
| | Manage Protection Plans | Create, edit, or delete protection plans. Also lets the user subscribe assets to protection plans. |
| | View Protection Plans | View the protection plans that are available and subscribe assets to a protection plan. |
| Role based access control | | Allow an administrator to create the access rules that determine the permissions a user has for a specific workload or asset and for specific protection plans. |
| | View Access Rules | View the access rules that are configured. |
| | Manage Access Rules | Create, manage, or delete access rules. Create custom roles and object groups. |
| Recovery | | Allow a user to perform one or more types of recovery. Note that a user can only view and recover assets for which that user is granted access. |
| | Instant Access | Create an instant access image. This permission also enables View Recovery Points and View Assets. |
| | Overwrite Asset | Allows the user to restore assets to their original location. Without this permission a user must restore assets to a different location. |
| | View Recovery Points | View the recovery points that are available for an asset. Note: Users that only have this permission are not able to sign in to the web UI. |
| | Restore Files | Restore individual files from the backup image. This permission also enables View Recovery Points and View Assets. |
| | Recover/Restore | Restore the data from a backup image to a different location. |
| | Download Files | Download individual files from an instant access mount point. This permission also enables View Recovery Points and View Assets. |

Limitations of custom roles

When you create custom roles, note the following:

  • Some permissions are only available with default RBAC roles or for a custom role that is configured with the NetBackup APIs.

    • A user can only manage Hosts settings if that user has the Security administrator role.

    • A user can only manage Alerts and notifications and view Usage reporting if that user has the Backup administrator role.

    • A user with the Security administrator role also has certain "view" permissions. This way that user can find and add assets, application servers, and protection plans to an object group. If you want a user with a custom role to create access rules, be sure to select the appropriate view permissions for the custom role.

  • Some individual permissions do not have a direct correlation with a screen in the web UI. Users that attempt to sign in but that only have a permission of this kind receive an "Unauthorized" message. When you create custom roles, be sure to enable the minimal number of permissions so the user can sign in to and use the web UI.
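
The following Python example is added here and is not part of NetBackup or of the original guide. It reviews a planned custom role against the permission table above: it expands the permissions that the table says are enabled implicitly, checks whether the role can sign in to the web UI, and lists the extra capabilities that certain permissions carry. The permission names come from the table; the data structures, the function names, and the rule that a role made up only of flagged permissions cannot sign in are assumptions of this example.

```python
# Added example: review a planned custom role against the guide's permission table.
# Permission names are copied from the table; everything else is this example's own.
NO_UI_SIGN_IN = {  # rows noted "Users that only have this permission are not able to sign in"
    "Manage Storage", "View Storage", "Manage Recovery Point Expiration",
    "Manage Recovery Points", "Manage Global Security Settings",
    "View Recovery Points",
}

# Permissions that the table says also enable other permissions.
IMPLIES = {
    "Instant Access": {"View Recovery Points", "View Assets"},
    "Restore Files": {"View Recovery Points", "View Assets"},
    "Download Files": {"View Recovery Points", "View Assets"},
}

# Capabilities the table attaches to a permission beyond what its name suggests.
SIDE_EFFECTS = {
    "Manage Certificates": "can also manage user sessions",
    "Manage User Authentication": "can also manage locked NetBackup user accounts",
    "Manage Access Rules": "can also create custom roles and object groups",
}

def effective_permissions(selected):
    """Expand the selected permissions with the ones the table says they enable."""
    effective = set(selected)
    for perm in selected:
        effective |= IMPLIES.get(perm, set())
    return effective

def review_role(selected):
    """Return (effective permissions, can_sign_in, review findings)."""
    effective = effective_permissions(selected)
    # Assumption: a role made up only of flagged permissions gets "Unauthorized".
    can_sign_in = bool(effective - NO_UI_SIGN_IN)
    findings = []
    if not can_sign_in:
        findings.append("role cannot sign in to the web UI (API use only)")
    for perm in sorted(effective & set(SIDE_EFFECTS)):
        findings.append(f"{perm}: {SIDE_EFFECTS[perm]}")
    return effective, can_sign_in, findings

if __name__ == "__main__":
    # Constructed sample roles, not taken from the guide.
    for role in ({"Manage Storage", "View Recovery Points"},
                 {"Restore Files", "Manage Certificates"}):
        print(sorted(role), "->", review_role(role)[1:])
```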