Veritas NetBackup™ Commands Reference Guide

Last Published:
Product(s): NetBackup (8.1.1)
  1. Introduction
    1.  
      About NetBackup commands
    2.  
      Navigating multiple menu levels
    3.  
      NetBackup command conventions
    4.  
      NetBackup Media Manager command notes
    5.  
      IPV6 updates
  2. Appendix A. NetBackup Commands
    1.  
      acsd
    2.  
      add_media_server_on_clients
    3.  
      backupdbtrace
    4.  
      backuptrace
    5.  
      bmrc
    6.  
      bmrconfig
    7.  
      bmrepadm
    8.  
      bmrprep
    9.  
      bmrs
    10.  
      bmrsrtadm
    11.  
      bp
    12.  
      bparchive
    13.  
      bpbackup
    14.  
      bpbackupdb
    15.  
      bpcatarc
    16.  
      bpcatlist
    17.  
      bpcatres
    18.  
      bpcatrm
    19.  
      bpcd
    20.  
      bpchangeprimary
    21.  
      bpclient
    22.  
      bpclimagelist
    23.  
      bpclntcmd
    24.  
      bpclusterutil
    25.  
      bpcompatd
    26.  
      bpconfig
    27.  
      bpdbjobs
    28.  
      bpdbm
    29.  
      bpdgclone
    30.  
      bpdown
    31.  
      bpduplicate
    32.  
      bperror
    33.  
      bpexpdate
    34.  
      bpfis
    35.  
      bpflist
    36.  
      bpgetconfig
    37.  
      bpgetdebuglog
    38.  
      bpimage
    39.  
      bpimagelist
    40.  
      bpimmedia
    41.  
      bpimport
    42.  
      bpinst
    43.  
      bpkeyfile
    44.  
      bpkeyutil
    45.  
      bplabel
    46.  
      bplist
    47.  
      bpmedia
    48.  
      bpmedialist
    49.  
      bpminlicense
    50.  
      bpnbat
    51.  
      bpnbaz
    52.  
      bppficorr
    53.  
      bpplcatdrinfo
    54.  
      bpplclients
    55.  
      bppldelete
    56.  
      bpplinclude
    57.  
      bpplinfo
    58.  
      bppllist
    59.  
      bpplsched
    60.  
      bpplschedrep
    61.  
      bppolicynew
    62.  
      bpps
    63.  
      bprd
    64.  
      bprecover
    65.  
      bprestore
    66.  
      bpretlevel
    67.  
      bpschedule
    68.  
      bpschedulerep
    69.  
      bpsetconfig
    70.  
      bpstsinfo
    71.  
      bpstuadd
    72.  
      bpstudel
    73.  
      bpstulist
    74.  
      bpsturep
    75.  
      bptestbpcd
    76.  
      bptestnetconn
    77.  
      bptpcinfo
    78.  
      bpup
    79.  
      bpverify
    80.  
      cat_convert
    81.  
      cat_export
    82.  
      cat_import
    83.  
      configurePorts
    84.  
      create_nbdb
    85.  
      csconfig cldinstance
    86.  
      csconfig cldprovider
    87.  
      csconfig meter
    88.  
      csconfig throttle
    89.  
      duplicatetrace
    90.  
      importtrace
    91.  
      jbpSA
    92.  
      jnbSA
    93.  
      ltid
    94.  
      manageClientCerts
    95.  
      mklogdir
    96.  
      nbauditreport
    97.  
      nbcatsync
    98.  
      NBCC
    99.  
      NBCCR
    100.  
      nbcertcmd
    101.  
      nbcertupdater
    102.  
      nbcldutil
    103.  
      nbcomponentupdate
    104.  
      nbcplogs
    105.  
      nbdb_admin
    106.  
      nbdb_backup
    107.  
      nbdb_move
    108.  
      nbdb_ping
    109.  
      nbdb_restore
    110.  
      nbdb_unload
    111.  
      nbdbms_start_server
    112.  
      nbdbms_start_stop
    113.  
      nbdc
    114.  
      nbdecommission
    115.  
      nbdelete
    116.  
      nbdeployutil
    117.  
      nbdevconfig
    118.  
      nbdevquery
    119.  
      nbdiscover
    120.  
      nbdna
    121.  
      nbemm
    122.  
      nbemmcmd
    123.  
      nbexecute
    124.  
      nbfindfile
    125.  
      nbfirescan
    126.  
      nbftadm
    127.  
      nbftconfig
    128.  
      nbgetconfig
    129.  
      nbhba
    130.  
      nbholdutil
    131.  
      nbhostidentity
    132.  
      nbhostmgmt
    133.  
      nbhypervtool
    134.  
      nbjm
    135.  
      nbkmsutil
    136.  
      nboraadm
    137.  
      nborair
    138.  
      nbpem
    139.  
      nbpemreq
    140.  
      nbperfchk
    141.  
      nbplupgrade
    142.  
      nbrb
    143.  
      nbrbutil
    144.  
      nbregopsc
    145.  
      nbreplicate
    146.  
      nbrestorevm
    147.  
      nbseccmd
    148.  
      nbsetconfig
    149.  
      nbsnapimport
    150.  
      nbsnapreplicate
    151.  
      nbsqladm
    152.  
      nbstl
    153.  
      nbstlutil
    154.  
      nbstop
    155.  
      nbsu
    156.  
      nbsvrgrp
    157.  
      resilient_clients
    158.  
      restoretrace
    159.  
      stopltid
    160.  
      tl4d
    161.  
      tl8d
    162.  
      tl8cd
    163.  
      tldd
    164.  
      tldcd
    165.  
      tlhd
    166.  
      tlhcd
    167.  
      tlmd
    168.  
      tpautoconf
    169.  
      tpclean
    170.  
      tpconfig
    171.  
      tpext
    172.  
      tpreq
    173.  
      tpunmount
    174.  
      verifytrace
    175.  
      vltadm
    176.  
      vltcontainers
    177.  
      vlteject
    178.  
      vltinject
    179.  
      vltoffsitemedia
    180.  
      vltopmenu
    181.  
      vltrun
    182.  
      vmadd
    183.  
      vmchange
    184.  
      vmcheckxxx
    185.  
      vmd
    186.  
      vmdelete
    187.  
      vmoprcmd
    188.  
      vmphyinv
    189.  
      vmpool
    190.  
      vmquery
    191.  
      vmrule
    192.  
      vmupdate
    193.  
      vnetd
    194.  
      vwcp_manage
    195.  
      vxlogcfg
    196.  
      vxlogmgr
    197.  
      vxlogview
    198.  
      W2KOption

Name

bpnbaz — perform Authorization administration tasks from within NetBackup

SYNOPSIS

bpnbaz -[AddGroup | DelGroup] Group_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -[AddPerms | DelPerms] Permission_1[,Permission_2,...] -Group Group_Name -Object Object [-M server] [-Server server1.domain.com] [-CredFileCredential]

bpnbaz -[AddPolicy | DelPolicy] Policy_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -[AddUser | DelUser] Group_Name Domain_Type:Domain_Name:User_Name [-OSGroup] [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -[AddUser | DelUser] Domain_Type:Domain_Name:User_Name [-reason "reason"] [-CredFile Credential]

bpnbaz -[AllowAuthorization | DisallowAuthorization] Machine_Name [-M server] [-Server server1.domain.com]

bpnbaz -CheckUpgrade [-Server server1.domain.com]

bpnbaz -Configureauth

bpnbaz -GetConfiguredHosts [target.server.com] [-out file] | -all [-out file] | [-file progress_file]

bpnbaz -GetDomainInfosFromAuthBroker [target.server.com [-out file] | [-file progress_file]

bpnbaz -ListGroupMembers Group_Name [-M server] [-Server server1.domain.com][-CredFile Credential]

bpnbaz -[ListPerms | ListMainObjects | ListGroups | ListPolicyObjects | ShowAuthorizers] [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -LookupUser Domain_Type:Domain_Name:User_Name [-CredFile credential]

bpnbaz -ListUsers [-CredFile credential]

bpnbaz -ListLockedUsers [-U | -l] [-User Domain_Type:Domain_Name:User_Name]

bpnbaz -ProvisionCert NetBackup_host_name[-out file] | -AllMediaservers -AllClients [-images] [-out file] [-dryrun] | -file progress.file

bpnbaz -SetupAT [-fsa [Domain_Type:Domain_Name:User_Name]

bpnbaz -SetupAuthBroker [target.server.com [-out file] | -file progress_file]

bpnbaz -SetupClient [client.server.com] [-out file] | -all [-images] [-out file] | [-file progress_file] [-dryrun] [-disable]

bpnbaz -SetupMaster [-fsa [Domain_Type:Domain_Name:User_Name]

bpnbaz -SetupMedia [media.server.com [-out file] | -all [-out file] | -file progress_file] [-dryrun] [-disable]

bpnbaz -SetupSecurity NBU.Master.Server.com [-M server] [-Server server1.domain.com]

bpnbaz -SetupExAudit -DisableExAudit

bpnbaz -UnconfigureAuthBroker [target.server.com [-out file] | -file progress_file]

bpnbaz -UnlockUser -User [Domain_Type:Domain_Name:User_Name]

bpnbaz -UnhookSharedSecSvcsWithPBX [target.server.com [-out file] | -file progress_file]

bpnbaz -Upgrade [-Silent] [-Server server1.domain.com]

On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/admincmd/

On Windows systems, the directory path to this command is install_path\NetBackup\bin\admincmd\

DESCRIPTION

NetBackup uses the bpnbaz command to access the authorization portion of NetBackup Product Authentication and Authorization Service. Authorization checks the rights on an object. This command enables you to do the following:

  • -AddGroup creates Az groups and -DelGroup deletes Az groups. -DelGroup deletes all the members of the group when you delete an Az group from the authorization engine. This operation is not reversible; if you remove a group, you revoke the rights that are granted to members of the group.

    Note:

    An authorization (Az) group is a collection within the Authorization engine into which OS groups and OS users can be placed. When you add a user to an Az group, you grant them the rights and privileges that are associated with that group.

  • -AddPerms and -DelPerms add and delete the specified permissions for the given role on individual policies from the main NetBackup resource objects.

    For more about permissions, see the NetBackup Administrator's Guide, Volume I.

  • -AddPolicy and -DelPolicy add and delete policies from the main NetBackup resource objects.

  • -AddUser and -DelUser add and delete permissions on individual policies from the main NetBackup resource objects.

    When used with the enhanced auditing feature, -AddUser and -DelUser grant and revoke NetBackup administrator privileges for enhanced auditing. For enhanced auditing, you do not have to include the OSGroup, Server or CredFile options.

  • -AllowAuthorization and -DisallowAuthorization specify which computers are allowed or not allowed to perform authorization checks. The security administrator must specify which servers (master or media) can examine the Authorization database to perform authorization checks.

  • -AllClients deploys the security certificate to all the available clients.

  • -AllMediaservers deploys the security certificate to all the available media servers.

  • -CheckUpgrade determines if an upgrade of existing authorization information is needed for the specified server. If so, this option returns 61. Only NetBackup installers use this option.

  • -Configureauth configures the Authentication Broker.

    Incorrect information for the domain name results in failures during the configuration of Authentication Broker and NetBackup Access Controls. To correct this problem, use this command to configure Authentication Broker.

  • -GetConfiguredHosts obtains NBAC status on the host. Either the -all or target.server.com option is required for this command.

  • -GetDomainInfosFromAuthBroker requests broker domain maps from the authorization broker.

  • -ListGroupMembers lists the group member that is associated with a particular group defined by Group_Name.

  • -ListGroups lists the defined groups

  • -ListMainObjects lists the current permissions for each group on each of the main NetBackup objects. This list is an informative view that you can use to verify changes to permissions on an object. This option shows the permissions each group has within the authorization system.

  • -ListPerms lists the current permissions on NetBackup resource and policies. It shows all applicable permissions for a given object or object type within the database. This option helps the user to create meaningful customizations to their authorization.

  • -ListPolicyObjects displays all objects or object collections that are associated with the specified policy.

  • -ListUser lists all users who have administrator privileges. This parameter is only used in enhanced auditing mode.

  • -ListLockedUsers lists all user accounts that are locked.

  • - LookupUser searches for users to determine if the user has administrative privileges. This parameter is only used in enhanced auditing mode.

  • - ProvisionCert generates an authentication certificate for the specified host and is unique to that host. The certificate must be generated for each host and cannot be pushed from one host to another. An authentication certificate is required on the media servers that host the NetBackup CloudStore Service Container (nbcssc). For more information, see the NetBackup Cloud Administrator's Guide. The security certificate is also required on master servers, media servers, and clients to establish a secure communication with the NetBackup-Java Administration Console.

    For more information, see the NetBackup Cloud Administrator's Guide.

  • -SetupAT generates credentials for all nodes in a clustered master environment. Run this command after NetBackup installation or upgrade.

  • -SetupAuthBroker sets up the authentication broker to use NBAC.

  • -SetupClient sets up NBAC on the client. Run it after bpnbaz -SetupMaster has been completed successfully. It can be run from the master server. It expects connectivity between the master server and target client systems.

    By default, NBAC messages are logged to a file in the local directory that is called SetupClient.nbac. The following is an example of the format of this file:

    client1.server.com
    #client2.server.com #SUCCESS (0) @(07/16/10 12:09:29)
    client3.server.com #INTERNAL_ERROR(68) @(07/16/10 12:09:39)
    • The first line indicates that client1.server.com has not yet been contacted at all.

    • The second line indicates that client2.server.com has been successfully contacted. Each success is commented out (with a leading #) and not contacted multiple times.

    • The third line indicates that client3.server.com has been contacted but an error has occurred. Errors are printed out on the command line with a recommendation of what to do. The error number that is indicated in the logs may indicate the problem.

  • -SetupMaster sets up the master server to use NBAC. The bpnbaz -SetupMaster command contains no user arguments. You are prompted for the password for your current operating system user identity. The authorization server and authentication broker must be installed and running on the master server.

    -SetupMaster adds root/administrator by default to the NBU_Security Admin group. The first time that you use -SetupMaster with the -fsa option adds the first security administrator member to the NBU_Security Admin group. If you have configured NBAC already using -SetupMaster without the -fsa option, use the -AddUser option to add any more members.

  • -SetupMedia sets up the media server to use NBAC. An NetBackup administrator group member can run the bpnbaz -SetupMedia command after bpnbaz -SetupMaster has been completed successfully. It can be run from the master server and expects connectivity between the master server and target media server systems.

    By default, NBAC messages are logged to a file in the local directory that is called SetupClient.nbac. Refer to the SetupClient description of an example of the file format.

  • -SetupSecurity sets up the initial security information. It must be run as root on the Az server.

  • -ShowAuthorizers lists the computers that are allowed to perform authorization checks.

  • -U list type is user.

  • -UnlockUser unlocks the specified user account.

  • -User is optional for the -ListLockedUsers parameter. It lists information about the specified user account. Data is returned only if the user account is locked. This option is required when using the -UnlockUser parameter.

  • -UnconfigureAuthBroker removes the configuration from the Authorization Broker.

  • -UnhookSharedSecSvcsWithPBX unhooks the shared Authentication and Authorization services from PBX in Windows Server Failover Clustering (WSFC) environments.

  • -Upgrade modifies the NetBackup operation schema by adding authorization objects. In addition, this option upgrades default user accounts with default permissions for these new objects. You must have NBU_Security Admin privileges.

For more about NBAC and the use of the bpnbaz command, see the NetBackup Security and Encryption Guide.

To use this command and its associated options, you must be a member of the NetBackup Security Administrators group (NBU_Security Administration). The only exception is with the SetupSecurity command.

You must have local administrator privileges on the authorization server to run this command.

When you use bpnbaz, assume that the master server and the Az server are the same computer.

Note:

The use of NetBackup Access Control requires the user's home directories to work correctly.

NetBackup has enhanced the audit capability that helps to audit users without having to enable NBAC. NetBackup administrators can delegate NetBackup administrator privileges to designated users. For more information about enhanced auditing and the use of the bpnbaz command with this feature, see the NetBackup Security and Encryption Guide.

OPTIONS

-all

Scans all the storage units or policies and collects all the associated unique host names that are found in the policies. You can scan in a sorted order. The results are written to the progress file.

client.server.com

Specifies the name of a single target host. Use this option to add a single additional host for use with NBAC.

-CredFile Credential

Specifies a file name (Credential) from which to obtain a Veritas Product Authentication and Authorization Service credential, rather than the default location.

-disable

Disables NBAC (USE_VXSS = PROHIBITED) on targeted hosts.

-DisableExAudit

Disables Enhanced Auditing mode. You must restart the NetBackup services after you run this command. For additional information about Enhanced Auditing, see Auditing NetBackup Operations in the NetBackup Security and Encryption Guide.

Group_Name

Identifies the authorization group on which an operation is to be performed. NetBackup does not allow user groups to be nested.

Domain_Type:Domain_Name:User_Name

The Domain_Type variable is the domain to which the user or group belongs, and the User_Name variable defines the applicable user or group name designating the NetBackup administrator.

-dryrun

Generates a list of computers to receive the security certificate. The exact details of how this option works depends on the parameter with which it is used.

  • dryrun, when used with ProvisionCert

    Generates a list of hosts to receive the security certificate and writes that list to the file name that is provided in the -out option. The -dryrun option only works with the - AllMediaservers and the - Allclients parameters. Generates a list of hosts to receive the security certificate and writes that list to the file name that is provided in the -out option. If the -out file option is not provided, then the host list is written to the default DeploySecurityCerts.progress file.

  • dryrun, when used with either SetupMedia or SetupClient

    Generates a list of media server names or client names depending on the option used. The command writes the list of names to the log. This option works with client.server.com and media.server.com but the intention is to use it with the -all option. Generates the list of media server names and writes them to the log. The log file name is SetupMedia.nbac if the command is used with SetupMedia option. The log file name is SetupClient.nbac if the command is used with SetupClient option.

    If you have more than 250 clients, use -dryrun with -SetupClient to see all of the clients that are visible to the master server.

-file progress_file

Specify a different file name for the progress log. If -file is used, the input and the output files are the same, which allows multiple rounds to execute without changing the command. Use the progress file iteratively by feeding the file back in multiple times until all clients are available online.

-fsa

Provisions a specific OS user as the NetBackup administrator. You are asked for the password for your current OS user identity.

Group_Name

Adds the users by creating a unique enterprise account name, following this format: Authentication type:Domain_Type:User_Name

The supported Authentication types for this variable are the following:

  • Nis - Network Information Services

  • NISPLUS - Network Information Services Plus

  • Unixpwd - UNIX Password file on the Authentication server

  • WINDOWS - Primary Domain Controller or Active Directory

  • Vx - Veritas Private database.

-images

-images searches all images for unique host names. Do not use this option with large catalogs unless you include the -dryrun option. This option discovers all unique clients that are contained in the image catalog. Older catalogs may contain a large number of decommissioned hosts, renamed hosts, and hosts relocated to new masters. Run-time can increase significantly as this command tries to contact unreachable hosts.

-M server

Specifies the name of the master server as defined in the variable server. This server name may be different from the local host name.

Machine_Name

Specifies the computer to be allowed or disallowed to perform authorization checks. The security administrator must specify which master servers or media servers can examine the Authorization database to perform authorization checks.

media.server.com

Specifies the name of a single target host. Use this option to add a single additional host for use with NBAC.

-Object Object

Controls the access to specified objects or object collections.

-OSGroup

Defines a named collection of authentication principals that are established in a native operating system and treated as a single entity. All members of an authentication group or OS group are from the same authentication domain.

-out file

Specifies a custom output file name. By default, the output is written to the SetupMedia.nbac file. Use this option with the -all option.

Permission_1[,Permission_2,...]

Permissions for the role that is given to the designated object or policy.

policy_name

Specifies the name of the policy from the main NetBackup resource objects.

-ProvisionCert media_server_name

Generates an authentication certificate for the media server that is indicated.

-reason "reason"

For enhanced auditing, the reason indicates the reason why the command is used. The reason text string that is entered is captured and appears in the audit report. The string must be enclosed in double quotes ("...") and cannot exceed 512 characters. In addition, it cannot begin with a dash character (-) and must not contain the single quotation mark symbol (').

-Server server1.domain.com

This option specifies the Az server being used. Currently we expect the Az server and the NetBackup master server to exist on the same system.

Determines if an upgrade of existing authorization information is needed for the specified server. If so, this option returns "61". Only NetBackup installers use this option.

-SetupExAudit

Enables Enhanced Auditing mode. You must restart the NetBackup services after you run this command. For additional information about Enhanced Auditing, see Auditing NetBackup Operations in the NetBackup Security and Encryption Guide.

-Silent

Directs the upgrade operation to automatically enhance the permissions of groups to account for new objects in the system. This option occurs only for the default groups, and only if those groups have never been changed.

target.server.com

Specifies the name of a single target host. Use this option to find the NBAC status on a single host. It captures the status of the host in the ConfiguredHosts.nbac file.

EXAMPLES

Example 1 - Create and list an Az group.

An Az group is a collection within the Authorization engine where other OS groups and OS users are placed. This collection is the building block against which permissions are applied on the objects within the database. If you add a user to an Az group, you grant them all the rights and privileges that are associated with that group. When a user is placed in more than one group, that user's effective permissions are as follows: the logical "or" of the applicable permissions of each group to which the user belongs. The following example demonstrates how to create and list an existing Az group:

# bpnbaz -AddGroup "New Group 1" -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroups -server test.domain.veritas.com
Administrators
Operatorsroo
Security Administrators
Resource Management Applications
Applications
New Group 1 
NBU_Unknown
NBU_User
NBU_Operator
NBU_Media Device Operator
NBU_Admin
NBU_Executive
NBU_Security Admin
NBU_Database Agent Operator
NBU_Database Agent Administrator
Operation completed successfully.

Example 2 - Delete an Az group.

If you delete an Az group from the authorization engine, all the members are removed from the group. This operation is not reversible. When you remove a group, you revoke the rights that are granted to members of the group. Therefore, carefully consider the implications of deleting groups.

# bpnbaz -DelGroup "New Group 1" -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroups -server test.domain.veritas.com
Administrators
Operators
Security Administrators
Resource Management Applications
Applications
NBU_Unknown
NBU_User
NBU_Operator
NBU_Media Device Operator
NBU_Admin
NBU_Executive
NBU_Security Admin
NBU_Database Agent Operator
NBU_Database Agent Administrator
Operation completed successfully.

Example 3 - Add and remove users from Az groups (and List group members)

Add users by creating a unique enterprise name of the following format: Authentication type:Domain to which user or group belongs:user or group name

The following are the Supported Authentication types:

  • Nis - Network Information Services

  • NisPlus - Network Information Services Plus

  • Unixpwd - UNIX Password file on the Authentication server

  • WINDOWS - Primary Domain Controller or Active Directory

  • Vx - Veritas Private database

# bpnbaz -AddUser NBU_Operator
nis:domain.veritas.com:ssosa -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroupMembers
NBU_Operator -server test.domain.veritas.com
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: jdimaggio
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: ssosa
Operation completed successfully.
# bpnbaz -DelUser NBU_Operator
nis:domain.veritas.com:ssosa -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroupMembers
NBU_Operator -server test.domain.veritas.com
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: jdimaggio
Operation completed successfully.

Example 4 - List applicable permissions

The -ListPerms option shows all applicable permissions for a given object or object type within the database. This information helps the user to create meaningful customizations to their authorization.

# bpnbaz -ListPerms -server
test.domain.veritas.com
    Object Type: Unknown
Browse
Object Type: Media
    Browse
    Read
    New
    Delete
    Eject
    . . . 
    Restart
    Synchronize
Object Type: PolicyGroup
    Browse
    Read
    New
    Delete
    Activate
    Deactivate
    Backup
Operation completed successfully.

Example 5 - List main objects

The -ListMainObjects option lists the current permissions for each group on each of the main NetBackup objects. This list is an informative view that can be used to verify changes to permissions on an object. It shows what permissions each group has within the authorization system.

# bpnbaz -ListMainObjects -server
test.domain.veritas.com
. . .
NBU_RES_Policy:
    Role: NBU_User
        Unknown
    Role: NBU_Media Device Operator
        Browse
        Read
    Role: NBU_Executive
        Read
        Browse
    Role: NBU_Database Agent Operator
        Unknown
        Role: NBU_Unknown
    Unknown
    Role: NBU_Operator
        Browse
        Read
    Role: NBU_Admin
        Browse
        New
        Activate
        Backup
        Read
        Delete
        Deactivate
    Role: NBU_Security Admin
        Unknown
    Role: NBU_Database Agent Administrator
        Unknown
    Role: Administrators
        Unknown
    Role: Operators
        Unknown
    Role: Applications
        Unknown
    Role: NBU_Security Admin
        Unknown
. . .
NBU_RES_Job:
    Role: NBU_Media Device Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_Executive
        Browse
        Read
    Role: NBU_Database Agent Operator
        Unknown
    Role: NBU_User
        Unknown
    Role: NBU_Unknown
        Unknown
    Role: NBU_Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_Admin
        Browse
        Delete
        Resume
        Read
        Suspend
        Cancel
    Role: NBU_Security Admin
        Unknown
    Role: NBU_Database Agent Administrator
        Unknown
    Role: Administrators
        Unknown
    Role: Operators
        Unknown
    Role: Applications
        Unknown
    Role: NBU_Security Admin
        Unknown
. . .
Operation completed successfully.

Example 6 - Add and delete permissions from an object or policy

Delete all permissions from an object for a given group. Add the permissions that are specified for the given role to the object or policy in question.

# bpnbaz -AddPerms Browse,Read,
New,Delete -Group TestGroup1 -Object NBU_RES_Job -server 
test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListMainObjects -server
test.domain.veritas.com
NBU_RES_Unknown:
    Role: NBU_User
. . .
NBU_RES_Job:
    Role: NBU_Media Device Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_Executive
        Browse
        Read
    Role: NBU_Database Agent Operator
        Unknown
    Role: TestGroup1
        Read
        Delete
        New
        Browse
    Role: NBU_User
        Unknown
    Role: NBU_Unknown
        Unknown
    Role: NBU_Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_Admin
        Browse
        Delete
        Resume
        Read
        Suspend
        Cancel
    Role: NBU_Security Admin
        Unknown
    Role: NBU_Database Agent Administrator
        Unknown
    Role: Administrators
        Unknown
    Role: Operators
        Unknown
    Role: Applications
        Unknown
    Role: NBU_Security Admin
        Unknown
NBU_RES_Service:
    Role: NBU_Unknown
. . .
Operation completed successfully.
# bpnbaz -DelPerms -Group
TestGroup1 -Object NBU_RES_Policy -server test.domain.veritas.com
Operation completed successfully.

Example 7 - Specify what servers can perform authorization checks

This example also views what servers can perform authorization checks. In addition. It also disallows a server from performing authorization checks.

The -AllowAuthorization option specifies which computers are allowed to perform authorization checks. The security administrator must specify which servers (Master or Media) are permitted to examine the Authorization database to perform authorization checks. The following examples demonstrate how to allow or disallow a computer to perform authorization.

# bpnbaz -AllowAuthorization
butterball.domain.veritas.com -server test.domain.veritas.com
Operation completed successfully.

# bpnbaz -ShowAuthorizers -server
test.domain.veritas.com
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@test.domain.veritas.com
Name: butterball.domain.veritas.com
Operation completed successfully.
# bpnbaz --DisallowAuthorization
butterball.domain.veritas.com -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ShowAuthorizers -server
test.domain.veritas.com
Operation completed successfully.

Example 8 - Set up initial security boot strapping

The user must run the -SetupSecurity option as root on the Az server. The user must then provide the logon information for the first NetBackup Security administrator.

Note:

The root user on the system upon which the Az server is installed is always a security administrator.

# bpnbaz -SetupSecurity 
test.domain.veritas.com -server test.domain.veritas.com
Authentication Broker: test.domain.veritas.com
Authentication port[ Enter = default]: 
Domain: domain.veritas.com
Name: ssosa
Password: Authentication type (NIS, NISplus, WINDOWS, vx, unixpwd: 
NIS
Operation completed successfully.

SEE ALSO

See bpnbat.