Yes, you can limit access. You can have read-only access to just about anything in the GUI. Though it is a gigantic pain to do this, it has to be done command line only.

If the steps below read the same as the documentation that you mentioned looked like hieroglyphics, that's because you can't just jump into VxSS without reading. I suggest reading through the links in my previous post as well as the VxSS Admin and Install Guides, and the Access Management chapter in the NetBackup Administrator's Guide Volume II.

Even after reading all of that you will find that there is still trial and error involved with VxSS. It is a complicated beast, though your environment shouldn't be too bad.

Step by step how to limit access: (from a work instruction I wrote)

7.0 Procedure

7.1. Log in to the VxSS/NetBackup Master Server via SSH or telnet as a user that is set up as a Security Administrator in VxSS

7.2. Run ‘/usr/openv/netbackup/bin/bpnbat -login’ to obtain authentication
    7.2.1. Enter the FQDN of the Master Server for ‘Authentication Broker’
    7.2.2. Accept the default AT port
    7.2.3. Enter ‘unixpwd’ for Authentication type
    7.2.4. Enter the FQDN of the Master Server for ‘Domain’
    7.2.5. Enter your username

7.3. Run ‘vssaz login --domain unixpwd:<FQDN of Master Server> --prplname <username> --broker <FQDN of Master Server>:2821’ to log in to the AZ

7.4. Run ‘bpnbaz -listgroups’ to get a list of the AZ groups

7.5. Run ‘bpnbaz -listperms’ to display the permissions available for each ObjectType

7.6. Run ‘bpnbaz -addperms Permission_1[Permission_2,…] -Group <Group_Name> -Object <Object_Name> -Server <FQDN of Master Server>’ to add permissions to a User Group

    When running the ‘bpnbaz -addperms’ command, the value for -Object is the Object Type found from running ‘bpnbaz -listperms’ with NBU_RES_ appended to the beginning (e.g., Object Type: DevHost, value for -Object is NBU_RES_DevHost)

    To enable read-only access for any Object you must enable the permissions Read, Browse and List (when applicable)

7.7. ‘Browse’ and ‘Read’ permissions for ‘HostProperties’ Object Type MUST be set for all groups

    Run ‘bpnbaz -addperms Browse,Read -group <Group Name> -Object NBU_RES_HostProperties -Server mgw-unx-nbu1.myl.com’ to add ‘Browse’ and ‘Read’ permissions for ‘HostProperties’

7.8. Run ‘bpnbaz -listmainobjects | more’

    For each object that permissions were added to, verify that you see Role: <group name> and the permission listed underneath

Jared M. Seaton
Recovery Administrator
Mylan Inc.
304-554-5926
304-685-1389 (Cell)
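
An added example, not part of the original message or of the NetBackup tooling: a shell check for step 7.8 that reads saved 'bpnbaz -listmainobjects' output and flags any permission beyond Read, Browse and List held by a group meant to be read-only, plus a missing Browse/Read on HostProperties. The output layout, the group names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. ASSUMED layout of `bpnbaz -listmainobjects` output:
#   NBU_RES_<ObjectType>:
#       Role: <group name>
#           <one permission per line>
# Adjust the patterns if your version prints it differently.

# Constructed sample listing (not captured from a real server).
# Group names and the non-read permissions shown are hypothetical.
sample_output() {
cat <<'EOF'
NBU_RES_Policy:
    Role: GroupY_ReadOnly
        Read
        Browse
        Delete
    Role: GroupX_Admin
        Read
        Browse
        New
NBU_RES_HostProperties:
    Role: GroupY_ReadOnly
        Browse
        Read
NBU_RES_DevHost:
    Role: GroupY_ReadOnly
        Browse
        Read
        List
EOF
}

# audit_readonly GROUP: listing on stdin, one finding per line on stdout.
#   EXTRA <object> <perm>  = permission outside Read/Browse/List
#   MISSING ...            = HostProperties lacks Browse and/or Read (step 7.7)
audit_readonly() {
  awk -v grp="$1" '
    $1 ~ /^NBU_RES_/ { obj = $1; sub(/:$/, "", obj); inrole = 0; next }
    /^[ \t]*Role:/   { r = $0; sub(/^[ \t]*Role:[ \t]*/, "", r)
                       sub(/[ \t]+$/, "", r); inrole = (r == grp); next }
    inrole && NF == 1 {
      if ($1 == "Read" || $1 == "Browse" || $1 == "List") have[obj, $1] = 1
      else print "EXTRA " obj " " $1
    }
    END {
      hp = "NBU_RES_HostProperties"
      if (!have[hp, "Browse"] || !have[hp, "Read"])
        print "MISSING " hp " Browse,Read"
    }'
}

sample_output | audit_readonly "GroupY_ReadOnly"
```

On a real master server, replace sample_output with the saved output of step 7.8 and run the check once per restricted group.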

"Cruice, Daniel (US - Glen Mills)" <dcruice AT deloitte DOT com>
Sent by: veritas-bu-bounces AT mailman.eng.auburn DOT edu
11/27/2007 02:42 PM
To: VERITAS-BU AT mailman.eng.auburn DOT edu
Subject: [Veritas-bu] VxSS

Anyone using VxSS? I have a totally Windows Environment running NBU 6.0 MP4…dedicated network, master / media servers are all in workgroups and clients are controlled via Host files residing on the Master / media servers. My environment is shared between two separate groups (call it group X and group Y, with my group (X) managing the Infrastructure as well as the backups for the servers we manage). My management is asking if there is a way to tighten up security on the NBU environment. Currently we have a generic ID set up on the Master / media servers to log into. Group X has an ID and group Y has their own ID, yet group Y can theoretically manage my policies and I theirs. We are planning to migrate everything to an AD domain, however I don’t think that is going to be good enough of a security measure. I am looking for ways to control who can do what. Is there a way I can limit what group Y can do, like not have access to make any changes to my policies, my client lists, etc.? I was trying to read up on VxSS, but might as well be reading hieroglyphs.

Any ideas?

Thanks
Dan Cruice

_______________________________________________
Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu