Veritas NetBackup™ Commands Reference Guide

Product(s): NetBackup (8.2)

NAME

bpnbaz — perform Authorization administration tasks from within NetBackup

SYNOPSIS

bpnbaz -[AddGroup | DelGroup] Group_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -[AddPerms | DelPerms] Permission_1[,Permission_2,...] -Group Group_Name -Object Object [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -[AddPolicy | DelPolicy] Policy_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -AddRBACPrincipal -User | -UserGroup Domain_Type:Domain_Name:User_Name [-reason "reason"]

bpnbaz -[AddUser | DelUser] Group_Name Domain_Type:Domain_Name:User_Name [-OSGroup] [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -[AddUser | DelUser] Domain_Type:Domain_Name:User_Name [-reason "reason"] [-CredFile Credential]

bpnbaz -[AllowAuthorization | DisallowAuthorization] Machine_Name [-M server] [-Server server1.domain.com]

bpnbaz -CheckUpgrade [-Server server1.domain.com]

bpnbaz -Configureauth

bpnbaz -GetConfiguredHosts [target.server.com] [-out file] | -all [-out file] | [-file progress_file]

bpnbaz -GetDomainInfosFromAuthBroker [target.server.com [-out file] | -file progress_file]

bpnbaz -ListGroupMembers Group_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -[ListPerms | ListMainObjects | ListGroups | ListPolicyObjects | ShowAuthorizers] [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -LookupUser Domain_Type:Domain_Name:User_Name [-CredFile credential]

bpnbaz -ListUsers [-CredFile credential]

bpnbaz -ListLockedUsers [-U | -l] [-User Domain_Type:Domain_Name:User_Name]

bpnbaz -ProvisionCert NetBackup_host_name [-out file] | -AllMediaservers -AllClients [-images] [-out file] [-dryrun] | -file progress.file

bpnbaz -SetupAT [-fsa [Domain_Type:Domain_Name:User_Name]]

bpnbaz -SetupAuthBroker [target.server.com [-out file] | -file progress_file]

bpnbaz -SetupClient [client.server.com] [-out file] | -all [-images] [-out file] | [-file progress_file] [-dryrun] [-disable]

bpnbaz -SetupMaster [-fsa [Domain_Type:Domain_Name:User_Name]]

bpnbaz -SetupMedia [media.server.com [-out file] | -all [-out file] | -file progress_file] [-dryrun] [-disable]

bpnbaz -SetupSecurity NBU.Master.Server.com [-M server] [-Server server1.domain.com]

bpnbaz -SetupExAudit -DisableExAudit

bpnbaz -UnconfigureAuthBroker [target.server.com [-out file] | -file progress_file]

bpnbaz -UnlockUser -User [Domain_Type:Domain_Name:User_Name]

bpnbaz -UnhookSharedSecSvcsWithPBX [target.server.com [-out file] | -file progress_file]

bpnbaz -Upgrade [-Silent] [-Server server1.domain.com]

On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/admincmd/

On Windows systems, the directory path to this command is install_path\NetBackup\bin\admincmd\

DESCRIPTION

NetBackup uses the bpnbaz command to access the authorization portion of NetBackup Product Authentication and Authorization Service. Authorization checks the rights on an object. This command enables you to do the following:

  • -AddGroup creates Az groups and -DelGroup deletes Az groups. -DelGroup deletes all the members of the group when you delete an Az group from the authorization engine. This operation is not reversible; if you remove a group, you revoke the rights that are granted to members of the group.

    Note:

    An authorization (Az) group is a collection within the Authorization engine into which OS groups and OS users can be placed. When you add a user to an Az group, you grant them the rights and privileges that are associated with that group.

  • -AddPerms and -DelPerms add and delete the specified permissions for the given role on individual policies from the main NetBackup resource objects.

    For more about permissions, see the NetBackup Administrator's Guide, Volume I.

  • -AddPolicy and -DelPolicy add and delete policies from the main NetBackup resource objects.

  • -AddRBACPrincipal adds role-based access control (RBAC) permissions for a security administrator and a backup administrator to a specified user or user group. For more about permissions, see the NetBackup Web UI Security Administrator's Guide or the NetBackup Web UI Backup Administrator's Guide.

  • -AddUser and -DelUser add and delete permissions on individual policies from the main NetBackup resource objects.

    When used with the enhanced auditing feature, -AddUser and -DelUser grant and revoke NetBackup administrator privileges for enhanced auditing. For enhanced auditing, you do not have to include the OSGroup, Server or CredFile options.

  • -AllowAuthorization and -DisallowAuthorization specify which computers are allowed or not allowed to perform authorization checks. The security administrator must specify which servers (master or media) can examine the Authorization database to perform authorization checks.

  • -AllClients deploys the security certificate to all the available clients.

  • -AllMediaservers deploys the security certificate to all the available media servers.

  • -CheckUpgrade determines if an upgrade of existing authorization information is needed for the specified server. If so, this option returns 61. Only NetBackup installers use this option.

  • -Configureauth configures the Authentication Broker.

    Incorrect information for the domain name results in failures during the configuration of Authentication Broker and NetBackup Access Controls. To correct this problem, use this command to configure Authentication Broker.

  • -GetConfiguredHosts obtains NBAC status on the host. Either the -all or target.server.com option is required for this command.

  • -GetDomainInfosFromAuthBroker requests broker domain maps from the authorization broker.

  • -ListGroupMembers lists the group members that are associated with a particular group defined by Group_Name.

  • -ListGroups lists the defined groups.

  • -ListMainObjects lists the current permissions for each group on each of the main NetBackup objects. This list is an informative view that you can use to verify changes to permissions on an object. This option shows the permissions each group has within the authorization system.

  • -ListPerms lists the current permissions on NetBackup resource and policies. It shows all applicable permissions for a given object or object type within the database. This option helps the user to create meaningful customizations to their authorization.

  • -ListPolicyObjects displays all objects or object collections that are associated with the specified policy.

  • -ListUsers lists all users who have administrator privileges. This parameter is only used in enhanced auditing mode.

  • -ListLockedUsers lists all user accounts that are locked.

  • -LookupUser searches for users to determine if the user has administrative privileges. This parameter is only used in enhanced auditing mode.

  • -ProvisionCert generates an authentication certificate for the specified host and is unique to that host. The certificate must be generated for each host and cannot be pushed from one host to another. An authentication certificate is required on the media servers that host the NetBackup CloudStore Service Container (nbcssc). For more information, see the NetBackup Cloud Administrator's Guide.

    The security certificate is also required on master servers, media servers, and clients to establish a secure communication with the NetBackup-Java Administration Console.

    Note:

    Starting with NetBackup 8.2, this option is only required when the media server version is older than 8.2. If your master server is 8.2, and your media server is 8.1.2, this option is still required.

  • -SetupAT generates credentials for all nodes in a clustered master environment. Run this command after NetBackup installation or upgrade.

  • -SetupAuthBroker sets up the authentication broker to use NBAC.

  • -SetupClient sets up NBAC on the client. Run it after bpnbaz -SetupMaster has been completed successfully. It can be run from the master server. It expects connectivity between the master server and target client systems.

    By default, NBAC messages are logged to a file in the local directory that is called SetupClient.nbac. The following is an example of the format of this file:

    client1.server.com
    #client2.server.com #SUCCESS (0) @(07/16/10 12:09:29)
    client3.server.com #INTERNAL_ERROR(68) @(07/16/10 12:09:39)
    • The first line indicates that client1.server.com has not yet been contacted at all.

    • The second line indicates that client2.server.com has been successfully contacted. Each success is commented out (with a leading #) and not contacted multiple times.

    • The third line indicates that client3.server.com has been contacted but an error has occurred. Errors are printed out on the command line with a recommendation of what to do. The error number that is indicated in the logs may indicate the problem.

  • -SetupMaster sets up the master server to use NBAC. The bpnbaz -SetupMaster command contains no user arguments. You are prompted for the password for your current operating system user identity. The authorization server and authentication broker must be installed and running on the master server.

    -SetupMaster adds root/administrator by default to the NBU_Security Admin group. The first time that you use -SetupMaster with the -fsa option, it adds the first security administrator member to the NBU_Security Admin group. If you have configured NBAC already using -SetupMaster without the -fsa option, use the -AddUser option to add any more members.

  • -SetupMedia sets up the media server to use NBAC. A NetBackup administrator group member can run the bpnbaz -SetupMedia command after bpnbaz -SetupMaster has been completed successfully. It can be run from the master server and expects connectivity between the master server and target media server systems.

    By default, NBAC messages are logged to a file in the local directory that is called SetupClient.nbac. Refer to the SetupClient description for an example of the file format.

  • -SetupSecurity sets up the initial security information. It must be run as root on the Az server.

  • -ShowAuthorizers lists the computers that are allowed to perform authorization checks.

  • -U list type is user.

  • -UnlockUser unlocks the specified user account.

  • -User is optional for the -ListLockedUsers parameter. It lists information about the specified user account. Data is returned only if the user account is locked. This option is required when using the -UnlockUser parameter.

  • -UnconfigureAuthBroker removes the configuration from the Authorization Broker.

  • -UnhookSharedSecSvcsWithPBX unhooks the shared Authentication and Authorization services from PBX in Windows Server Failover Clustering (WSFC) environments.

  • -Upgrade modifies the NetBackup operation schema by adding authorization objects. In addition, this option upgrades default user accounts with default permissions for these new objects. You must have NBU_Security Admin privileges.

For more about NBAC and the use of the bpnbaz command, see the NetBackup Security and Encryption Guide.

To use this command and its associated options, you must be a member of the NetBackup Security Administrators group (NBU_Security Administration). The only exception is with the SetupSecurity command.

You must have local administrator privileges on the authorization server to run this command.

When you use bpnbaz, assume that the master server and the Az server are the same computer.

Note:

The use of NetBackup Access Control requires the user's home directories to work correctly.

NetBackup has enhanced the audit capability that helps to audit users without having to enable NBAC. NetBackup administrators can delegate NetBackup administrator privileges to designated users. For more information about enhanced auditing and the use of the bpnbaz command with this feature, see the NetBackup Security and Encryption Guide.

OPTIONS

-all

Scans all the storage units or policies and collects all the associated unique host names that are found in the policies. You can scan in a sorted order. The results are written to the progress file.

client.server.com

Specifies the name of a single target host. Use this option to add a single additional host for use with NBAC.

-CredFile Credential

Specifies a file name (Credential) from which to obtain a Veritas Product Authentication and Authorization Service credential, rather than the default location.

-disable

Disables NBAC (USE_VXSS = PROHIBITED) on targeted hosts.

-DisableExAudit

Disables Enhanced Auditing mode. You must restart the NetBackup services after you run this command. For additional information about Enhanced Auditing, see Auditing NetBackup Operations in the NetBackup Security and Encryption Guide.

Group_Name

Identifies the authorization group on which an operation is to be performed. NetBackup does not allow user groups to be nested.

Domain_Type:Domain_Name:User_Name

The Domain_Type variable is the domain to which the user or group belongs, and the User_Name variable defines the applicable user or group name designating the NetBackup administrator.

-dryrun

Generates a list of computers to receive the security certificate. The exact details of how this option works depend on the parameter with which it is used.

  • dryrun, when used with ProvisionCert

    Generates a list of hosts to receive the security certificate and writes that list to the file name that is provided in the -out option. The -dryrun option only works with the -AllMediaservers and the -AllClients parameters. If the -out file option is not provided, then the host list is written to the default DeploySecurityCerts.progress file.

  • dryrun, when used with either SetupMedia or SetupClient

    Generates a list of media server names or client names depending on the option used. The command writes the list of names to the log. This option works with client.server.com and media.server.com but the intention is to use it with the -all option. The log file name is SetupMedia.nbac if the command is used with the SetupMedia option. The log file name is SetupClient.nbac if the command is used with the SetupClient option.

    If you have more than 250 clients, use -dryrun with -SetupClient to see all of the clients that are visible to the master server.

-file progress_file

Specify a different file name for the progress log. If -file is used, the input and the output files are the same, which allows multiple rounds to execute without changing the command. Use the progress file iteratively by feeding the file back in multiple times until all clients are available online.
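
The progress-file format shown under -SetupClient can be checked between rounds with a small parser. The following is an added example, not part of the NetBackup documentation or tooling; the function names are hypothetical and the timestamp is assumed to be MM/DD/YY HH:MM:SS, as in the sample lines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Entry layout taken from the SetupClient.nbac sample on this page:
#   host                                  -> not contacted yet
#   #host #SUCCESS (0) @(timestamp)       -> done, commented out, not retried
#   host #INTERNAL_ERROR(68) @(timestamp) -> contacted, failed, retried next round
_ENTRY = re.compile(
    r"^(?P<done>#)?\s*(?P<host>[^\s#]+)"
    r"(?:\s+#(?P<status>[A-Z_]+)\s*\((?P<code>\d+)\)\s+@\((?P<when>[^)]+)\))?\s*$"
)


@dataclass
class HostEntry:
    host: str
    state: str                      # "pending", "success", "error" or "skipped"
    status: Optional[str] = None    # e.g. "INTERNAL_ERROR"
    code: Optional[int] = None      # numeric code from the parentheses
    when: Optional[datetime] = None


def parse_progress(text):
    """Parse progress-file text into a list of HostEntry records."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if m is None:
            # Refuse to guess: a malformed line could hide an unconfigured host.
            raise ValueError(f"line {lineno}: unrecognised entry: {raw!r}")
        if m["status"] is None:
            # Assumption: a commented-out host with no status was disabled by hand.
            state = "skipped" if m["done"] else "pending"
            entries.append(HostEntry(m["host"], state))
            continue
        state = "success" if m["done"] else "error"
        when = datetime.strptime(m["when"], "%m/%d/%y %H:%M:%S")
        entries.append(HostEntry(m["host"], state, m["status"], int(m["code"]), when))
    return entries


def retry_hosts(entries):
    """Hosts the next round will contact again (never reached, or failed)."""
    return [e.host for e in entries if e.state in ("pending", "error")]


def errors_by_code(entries):
    """Group failed hosts by error code so recurring failures stand out."""
    grouped = defaultdict(list)
    for e in entries:
        if e.state == "error":
            grouped[e.code].append(e.host)
    return dict(grouped)


# Sample lines as shown in the -SetupClient description on this page.
SAMPLE = """\
client1.server.com
#client2.server.com #SUCCESS (0) @(07/16/10 12:09:29)
client3.server.com #INTERNAL_ERROR(68) @(07/16/10 12:09:39)
"""

if __name__ == "__main__":
    parsed = parse_progress(SAMPLE)
    print("still without NBAC:", retry_hosts(parsed))
    print("failures by code:", errors_by_code(parsed))
```

Hosts returned by retry_hosts have not been confirmed as configured for NBAC, so the rollout is not complete until that list is empty.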

-fsa

Provisions a specific OS user as the NetBackup administrator. You are asked for the password for your current OS user identity.

Group_Name

Adds the users by creating a unique enterprise account name, following this format: Authentication type:Domain_Type:User_Name

The supported Authentication types for this variable are the following:

  • Nis - Network Information Services

  • NISPLUS - Network Information Services Plus

  • Unixpwd - UNIX Password file on the Authentication server

  • WINDOWS - Primary Domain Controller or Active Directory

  • Vx - Veritas Private database.

-images

-images searches all images for unique host names. Do not use this option with large catalogs unless you include the -dryrun option. This option discovers all unique clients that are contained in the image catalog. Older catalogs may contain a large number of decommissioned hosts, renamed hosts, and hosts relocated to new masters. Run-time can increase significantly as this command tries to contact unreachable hosts.

-M server

Specifies the name of the master server as defined in the variable server. This server name may be different from the local host name.

Machine_Name

Specifies the computer to be allowed or disallowed to perform authorization checks. The security administrator must specify which master servers or media servers can examine the Authorization database to perform authorization checks.

media.server.com

Specifies the name of a single target host. Use this option to add a single additional host for use with NBAC.

-Object Object

Controls the access to specified objects or object collections.

-OSGroup

Defines a named collection of authentication principals that are established in a native operating system and treated as a single entity. All members of an authentication group or OS group are from the same authentication domain.

-out file

Specifies a custom output file name. By default, the output is written to the SetupMedia.nbac file. Use this option with the -all option.

Permission_1[,Permission_2,...]

Permissions for the role that is given to the designated object or policy.

policy_name

Specifies the name of the policy from the main NetBackup resource objects.

-ProvisionCert media_server_name

Generates an authentication certificate for the media server that is indicated.

-reason "reason"

For enhanced auditing, the reason indicates the reason why the command is used. The reason text string that is entered is captured and appears in the audit report. The string must be enclosed in double quotes ("...") and cannot exceed 512 characters. In addition, it cannot begin with a dash character (-) and must not contain the single quotation mark symbol (').

-Server server1.domain.com

This option specifies the Az server being used. Currently we expect the Az server and the NetBackup master server to exist on the same system.

When used with -CheckUpgrade, determines if an upgrade of existing authorization information is needed for the specified server. If so, this option returns "61". Only NetBackup installers use this option.

-SetupExAudit

Enables Enhanced Auditing mode. You must restart the NetBackup services after you run this command. For additional information about Enhanced Auditing, see Auditing NetBackup Operations in the NetBackup Security and Encryption Guide.

-Silent

Directs the upgrade operation to automatically enhance the permissions of groups to account for new objects in the system. This option occurs only for the default groups, and only if those groups have never been changed.

target.server.com

Specifies the name of a single target host. Use this option to find the NBAC status on a single host. It captures the status of the host in the ConfiguredHosts.nbac file.

EXAMPLES

Example 1 - Create and list an Az group.

An Az group is a collection within the Authorization engine where other OS groups and OS users are placed. This collection is the building block against which permissions are applied on the objects within the database. If you add a user to an Az group, you grant them all the rights and privileges that are associated with that group. When a user is placed in more than one group, that user's effective permissions are as follows: the logical "or" of the applicable permissions of each group to which the user belongs. The following example demonstrates how to create and list an existing Az group:

# bpnbaz -AddGroup "New Group 1" -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroups -server test.domain.veritas.com
Administrators
Operators
Security Administrators
Resource Management Applications
Applications
New Group 1 
NBU_Unknown
NBU_User
NBU_Operator
NBU_Media Device Operator
NBU_Admin
NBU_Executive
NBU_Security Admin
NBU_Database Agent Operator
NBU_Database Agent Administrator
Operation completed successfully.

Example 2 - Delete an Az group.

If you delete an Az group from the authorization engine, all the members are removed from the group. This operation is not reversible. When you remove a group, you revoke the rights that are granted to members of the group. Therefore, carefully consider the implications of deleting groups.

# bpnbaz -DelGroup "New Group 1" -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroups -server test.domain.veritas.com
Administrators
Operators
Security Administrators
Resource Management Applications
Applications
NBU_Unknown
NBU_User
NBU_Operator
NBU_Media Device Operator
NBU_Admin
NBU_Executive
NBU_Security Admin
NBU_Database Agent Operator
NBU_Database Agent Administrator
Operation completed successfully.

Example 3 - Add and remove users from Az groups (and List group members)

Add users by creating a unique enterprise name of the following format: Authentication type:Domain to which user or group belongs:user or group name

The following are the supported authentication types:

  • Nis - Network Information Services

  • NisPlus - Network Information Services Plus

  • Unixpwd - UNIX Password file on the Authentication server

  • WINDOWS - Primary Domain Controller or Active Directory

  • Vx - Veritas Private database

# bpnbaz -AddUser NBU_Operator nis:domain.veritas.com:ssosa -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroupMembers NBU_Operator -server test.domain.veritas.com
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: jdimaggio
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: ssosa
Operation completed successfully.
# bpnbaz -DelUser NBU_Operator nis:domain.veritas.com:ssosa -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroupMembers NBU_Operator -server test.domain.veritas.com
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: jdimaggio
Operation completed successfully.

Example 4 - List applicable permissions

The -ListPerms option shows all applicable permissions for a given object or object type within the database. This information helps the user to create meaningful customizations to their authorization.

# bpnbaz -ListPerms -server test.domain.veritas.com
Object Type: Unknown
    Browse
Object Type: Media
    Browse
    Read
    New
    Delete
    Eject
    . . . 
    Restart
    Synchronize
Object Type: PolicyGroup
    Browse
    Read
    New
    Delete
    Activate
    Deactivate
    Backup
Operation completed successfully.

Example 5 - List main objects

The -ListMainObjects option lists the current permissions for each group on each of the main NetBackup objects. This list is an informative view that can be used to verify changes to permissions on an object. It shows what permissions each group has within the authorization system.

# bpnbaz -ListMainObjects -server test.domain.veritas.com
. . .
NBU_RES_Policy:
    Role: NBU_User
        Unknown
    Role: NBU_Media Device Operator
        Browse
        Read
    Role: NBU_Executive
        Read
        Browse
    Role: NBU_Database Agent Operator
        Unknown
    Role: NBU_Unknown
        Unknown
    Role: NBU_Operator
        Browse
        Read
    Role: NBU_Admin
        Browse
        New
        Activate
        Backup
        Read
        Delete
        Deactivate
    Role: NBU_Security Admin
        Unknown
    Role: NBU_Database Agent Administrator
        Unknown
    Role: Administrators
        Unknown
    Role: Operators
        Unknown
    Role: Applications
        Unknown
    Role: NBU_Security Admin
        Unknown
. . .
NBU_RES_Job:
    Role: NBU_Media Device Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_Executive
        Browse
        Read
    Role: NBU_Database Agent Operator
        Unknown
    Role: NBU_User
        Unknown
    Role: NBU_Unknown
        Unknown
    Role: NBU_Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_Admin
        Browse
        Delete
        Resume
        Read
        Suspend
        Cancel
    Role: NBU_Security Admin
        Unknown
    Role: NBU_Database Agent Administrator
        Unknown
    Role: Administrators
        Unknown
    Role: Operators
        Unknown
    Role: Applications
        Unknown
    Role: NBU_Security Admin
        Unknown
. . .
Operation completed successfully.

Example 6 - Add and delete permissions from an object or policy

Delete all permissions from an object for a given group. Add the permissions that are specified for the given role to the object or policy in question.

# bpnbaz -AddPerms Browse,Read,New,Delete -Group TestGroup1 -Object NBU_RES_Job -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListMainObjects -server test.domain.veritas.com
NBU_RES_Unknown:
    Role: NBU_User
. . .
NBU_RES_Job:
    Role: NBU_Media Device Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_Executive
        Browse
        Read
    Role: NBU_Database Agent Operator
        Unknown
    Role: TestGroup1
        Read
        Delete
        New
        Browse
    Role: NBU_User
        Unknown
    Role: NBU_Unknown
        Unknown
    Role: NBU_Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_Admin
        Browse
        Delete
        Resume
        Read
        Suspend
        Cancel
    Role: NBU_Security Admin
        Unknown
    Role: NBU_Database Agent Administrator
        Unknown
    Role: Administrators
        Unknown
    Role: Operators
        Unknown
    Role: Applications
        Unknown
    Role: NBU_Security Admin
        Unknown
NBU_RES_Service:
    Role: NBU_Unknown
. . .
Operation completed successfully.
# bpnbaz -DelPerms -Group TestGroup1 -Object NBU_RES_Policy -server test.domain.veritas.com
Operation completed successfully.
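
Examples 5 and 6 use -ListMainObjects to verify a permission change by eye. The following added example (not part of the NetBackup documentation or tooling) parses two captures of that output and reports every change other than the intended grant; the function names are hypothetical and the sample captures are abridged from the output above.

```python
def parse_main_objects(text):
    """Return {object: {role: set(permissions)}} from -ListMainObjects output."""
    acl = {}
    obj = role = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or not line.replace(".", "").strip():
            continue  # blank line or a ". . ." elision
        if line.startswith("Operation completed"):
            continue
        if line.startswith("Role:"):
            if obj is None:
                raise ValueError(f"line {lineno}: role listed before any object")
            role = line.split(":", 1)[1].strip()
            # The output can list a role twice under one object; merge the entries.
            acl[obj].setdefault(role, set())
        elif line.endswith(":"):
            obj, role = line[:-1], None
            acl.setdefault(obj, {})
        elif role is None:
            raise ValueError(f"line {lineno}: permission listed before any role")
        else:
            # "Unknown" is kept as a literal value; the page does not define it.
            acl[obj][role].add(line)
    return acl


def diff_acl(before, after):
    """Return {(object, role): (added, removed)} for every pair that changed."""
    pairs = {(o, r) for acl in (before, after)
             for o, roles in acl.items() for r in roles}
    changes = {}
    for o, r in sorted(pairs):
        old = before.get(o, {}).get(r, set())
        new = after.get(o, {}).get(r, set())
        if old != new:
            changes[(o, r)] = (new - old, old - new)
    return changes


def unintended_changes(before, after, obj, role, granted):
    """Changes other than 'role gained exactly `granted` on obj'."""
    intended = (set(granted), set())
    return {key: delta for key, delta in diff_acl(before, after).items()
            if not (key == (obj, role) and delta == intended)}


# Abridged captures based on Examples 5 and 6 (before and after -AddPerms).
BEFORE = """\
NBU_RES_Job:
    Role: NBU_Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_User
        Unknown
    Role: NBU_Security Admin
        Unknown
    Role: NBU_Security Admin
        Unknown
. . .
Operation completed successfully.
"""

AFTER = """\
NBU_RES_Job:
    Role: NBU_Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: TestGroup1
        Read
        Delete
        New
        Browse
    Role: NBU_User
        Unknown
    Role: NBU_Security Admin
        Unknown
    Role: NBU_Security Admin
        Unknown
. . .
Operation completed successfully.
"""

if __name__ == "__main__":
    before, after = parse_main_objects(BEFORE), parse_main_objects(AFTER)
    extra = unintended_changes(before, after, "NBU_RES_Job", "TestGroup1",
                               ["Browse", "Read", "New", "Delete"])
    print("unintended changes:", extra or "none")
```

An empty result means the capture taken after the change differs from the earlier one only by the grant that was requested.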

Example 7 - Specify what servers can perform authorization checks

This example also shows how to view which servers can perform authorization checks and how to disallow a server from performing authorization checks.

The -AllowAuthorization option specifies which computers are allowed to perform authorization checks. The security administrator must specify which servers (Master or Media) are permitted to examine the Authorization database to perform authorization checks. The following examples demonstrate how to allow or disallow a computer to perform authorization.

# bpnbaz -AllowAuthorization butterball.domain.veritas.com -server test.domain.veritas.com
Operation completed successfully.

# bpnbaz -ShowAuthorizers -server test.domain.veritas.com
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@test.domain.veritas.com
Name: butterball.domain.veritas.com
Operation completed successfully.
# bpnbaz -DisallowAuthorization butterball.domain.veritas.com -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ShowAuthorizers -server test.domain.veritas.com
Operation completed successfully.

Example 8 - Set up initial security bootstrapping

The user must run the -SetupSecurity option as root on the Az server. The user must then provide the logon information for the first NetBackup Security administrator.

Note:

The root user on the system upon which the Az server is installed is always a security administrator.

# bpnbaz -SetupSecurity test.domain.veritas.com -server test.domain.veritas.com
Authentication Broker: test.domain.veritas.com
Authentication port[ Enter = default]: 
Domain: domain.veritas.com
Name: ssosa
Password:
Authentication type (NIS, NISplus, WINDOWS, vx, unixpwd): NIS
Operation completed successfully.

SEE ALSO

See bpnbat.