NetBackup™ Web UI Security Administrator's Guide

Last Published:
Product(s): NetBackup (8.1.2)
  1. Introducing the NetBackup web user interface
    1.  
      About the NetBackup web user interface
    2.  
      Terminology
    3.  
      First-time sign in to a NetBackup master server from the NetBackup web UI
    4.  
    5.  
      The NetBackup dashboard
  2. Managing role-based access control
    1.  
      About role-based access control (RBAC) in NetBackup
    2.  
      NetBackup default RBAC roles
    3.  
      Configuring RBAC
    4.  
      Add a custom role
    5.  
      Edit or delete a custom role
    6.  
      Add an object group
    7.  
      Previewing the assets, application servers, or protection plans for an object group
    8.  
      Edit or delete an object group
    9.  
      Add access for a user through access rules
    10.  
      Edit or remove user access rules
    11.  
      How can I limit role permissions to specific objects or assets?
  3. Security events and audit logs
    1.  
      About NetBackup auditing
    2.  
      View security events and audit logs
  4. Managing host mappings and certificates
    1.  
      About security management and certificates in NetBackup
    2.  
      NetBackup host IDs and host ID-based certificates
    3.  
      View NetBackup host information
    4.  
      Approve or add mappings for a host that has multiple host names
    5.  
      Reissue a certificate when a host's certificate is no longer valid
    6.  
      Remove mappings for a host that has multiple host names
    7.  
      Reset a host's attributes
    8.  
    9.  
  5. Managing global security settings
    1.  
      Disable communication with NetBackup 8.0 and earlier hosts
    2.  
      Disable automatic mapping of NetBackup host names
    3.  
      Select a security level for certificate deployment
    4.  
      Set a passphrase for disaster recovery
  6. Troubleshooting the web UI
    1.  
      Tips for accessing the NetBackup web UI
    2.  
      If a user doesn't have the correct permissions or access to workload assets in the NetBackup web UI

Add a custom role

If the default NetBackup roles for RBAC do not meet your needs, you can configure a role with custom role permissions. Note, however, that customer roles do have certain limitations. See Limitations of custom roles.

To add a custom role

  1. On the left, select Security > RBAC.
  2. Select the Roles tab and click Add.
  3. Provide a Role name and a description.

    For example, you may want to indicate that role is for any users that are backup administrators for a particular department or region.

  4. For Role permissions, choose the permission or type of access that you want users with that role to have for each permission type.

    For example, you may want a user to be able to view, but not manage protection plans. Or you may want to give only some users the ability to perform recovery of assets, but not to configure application servers or asset groups.

    See Table: Description of permissions for custom roles.

  5. Click Add.

Limitations of custom roles

When you create custom roles, note the following:

  • Some permissions are only available with default RBAC roles or for a custom role that is configured with the NetBackup APIs.

    • A user can only manage Hosts settings if that user has the Security administrator role.

    • A user can only manage Alerts and notifications and view Usage reporting if that user has the Backup administrator role.

    • A user with the Security administrator role also has certain "view" permissions. This way that user can find and add assets, application servers, and protection plans to an object group. If you want a user with a custom role to create access rules, be sure to select the appropriate view permissions for the custom role.

  • Some individual permissions do not have a direct correlation with a screen in the web UI. Users that attempt to sign in but that only have a permission of this kind receive an "Unauthorized" message. When you create custom roles, be sure to enable the minimal number of permissions so the user can sign in to and use the web UI.

Permissions for custom roles

See Table: Description of permissions for custom roles. describes the individual permissions that you can select for a custom role.

Table: Description of permissions for custom roles

Permission category

Permission

Action that the permission allows

Recovery

Allow a user to perform one or more types of recovery.

Note that users can only view and recover assets for which that user is granted access.

Recover/Restore

Restore the data from a backup image to its original location or a different location.

View Recovery Points

View the recovery points that are available for an asset.

Note: Users that only have this permission are not able to sign in to the web UI.

Download Files

Download individual files from an instant access mount point. This permission also enables View Recovery Points and View Assets.

Instant Access

Create an instant access image. This permission also enables View Recovery Points and View Assets.

Restore Files

Restore individual files from the backup image to an ESXi server or cluster. This permission also enables View Recovery Points and View Assets.

Protection plan management

Note that a user can only manage or select a protection plan for which that user is granted access.

Manage Protection Plans

Create, edit, or delete protection plans. Also can subscribe assets to protection plans.

View Protection Plans

View the protection plans that are available and subscribe assets to a protection plan.

Security management

Allow a user to view audit logs or to manage security settings or certificates in NetBackup.

View audit logs

See who has signed in to NetBackup, made changes to security settings, or who has browsed or restored a backup image. Also view the access history for the current user.

Manage Global Security Settings

Manage global security in NetBackup. These settings affect communication with 8.0 and earlier hosts, automatic mapping of host names, the security level for certificate deployment, and the disaster recovery passphrase.

Note: Users that only have this permission are not able to sign in to the web UI.

Manage Certificates

Manage security certificates for hosts. Includes the ability to revoke a certificate, create a resissue token so a certificate can be reissued, or create a new token.

Job management

Allow a user view to jobs or to manage job operations.

Manage Jobs

Manage current or completed jobs. Includes the ability to delete, cancel, restart, and suspend a job.

View Jobs

View the current or the completed jobs for the master server.

Asset management

Allow a user to manage assets, subscribe assets to protection plans, or to view assets.

Note that a user can only manage assets for which that user is granted access.

Manage Appservers and Asset Groups

Add VMware vCenter credentials, which allow NetBackup to discover additional information for the server so administrator can view and select objects within the vCenter.

Create and manage asset groups and subscribe groups to protection plans.

Manage Assets

Manage the assets that are associated with the supported workloads and subscribe assets to protection plans.

View Assets

View assets that are associated with the supported workloads.

Role-based access control

Allow an administrator to create the access rules that determine the permissions a user has for a specific workload or asset and for specific protection plans.

Manage Access Rules

Create, manage, or delete access rules.

Create custom roles and object groups.

View Access Rules

View the access rules that are configured.