Veritas-bu

Re: [Veritas-bu] VxSS

2007-11-27 16:42:28
Subject: Re: [Veritas-bu] VxSS
From: Jared.Seaton AT mylanlabs DOT com
To: "Cruice, Daniel (US - Glen Mills)" <dcruice AT deloitte DOT com>
Date: Tue, 27 Nov 2007 16:29:11 -0500

Yes, you can limit access.  You can have read-only access to just about anything in the GUI.  It is a gigantic pain to do this, though; it has to be done from the command line only.

If the steps below read the same as the documentation that you mentioned looked like hieroglyphics, that's because you can't just jump into VxSS without reading.  I suggest reading through the links in my previous post as well as the VxSS Admin and Install Guides, and the Access Management chapter in the NetBackup Administrator's Guide Volume II.

Even after reading all of that you will find that there is still trial and error involved with VxSS.  It is a complicated beast, though your environment shouldn't be too bad.

Step by step how to limit access: (from a work instruction I wrote)

7.0 Procedure
7.1. Log in to the VxSS/NetBackup Master Server via SSH or telnet as a user that is set up as a Security Administrator in VxSS
7.2. Run ‘/usr/openv/netbackup/bin/bpnbat -login’ to obtain authentication
7.2.1. Enter the FQDN of the Master Server for ‘Authentication Broker’
7.2.2. Accept the default AT port
7.2.3. Enter ‘unixpwd’ for Authentication type
7.2.4. Enter the FQDN of the Master Server for ‘Domain’
7.2.5. Enter your username
7.3. Run ‘vssaz login --domain unixpwd:<FQDN of Master Server> --prplname <username> --broker <FQDN of Master Server>:2821’ to log in to the AZ
7.4. Run ‘bpnbaz -listgroups’ to get a list of the AZ groups
7.5. Run ‘bpnbaz -listperms’ to display the permissions available for each ObjectType
7.6. Run ‘bpnbaz -addperms Permission_1[Permission_2,…] -Group <Group_Name> -Object <Object_Name> -Server <FQDN of Master Server>’ to add permissions to a User Group
     When running the ‘bpnbaz -addperms’ command, the value for -Object is the Object Type found from running ‘bpnbaz -listperms’ with NBU_RES_ appended to the beginning (e.g., Object Type: DevHost, value for -Object is NBU_RES_DevHost)
     To enable read-only access for any Object you must enable the permissions Read, Browse and List (when applicable)
7.7. ‘Browse’ and ‘Read’ permissions for ‘HostProperties’ Object Type MUST be set for all groups
     Run ‘bpnbaz -addperms Browse,Read -group <Group Name> -Object NBU_RES_HostProperties -Server mgw-unx-nbu1.myl.com’ to add ‘Browse’ and ‘Read’ permissions for ‘HostProperties’
7.8. Run ‘bpnbaz -listmainobjects | more’
     For each object that permissions were added to, verify that you see Role: <group name> and the permission listed underneath





Jared M. Seaton
Recovery Administrator
Mylan Inc.
304-554-5926
304-685-1389 (Cell)
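
Added example (not part of the original message and not NetBackup's own tooling): a shell check that automates the verification in step 7.8 by reading `bpnbaz -listmainobjects` output on stdin and flagging any permission beyond Read, Browse and List for a group, plus missing Browse/Read on HostProperties (step 7.7). The output layout, the function names and the group names are assumptions, and the sample input is constructed.

```shell
# Added example: read-only audit of one VxSS group.
# ASSUMED input layout: an object line "NBU_RES_<Type>:", then "Role: <group>",
# then one permission per line underneath (as step 7.8 describes).

audit_readonly() {   # $1 = AZ group name; findings on stdout, status 1 if any
    awk -v grp="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        { line = trim($0) }
        line == "" { next }
        line ~ /^NBU_RES_[A-Za-z0-9_]+:?$/ {          # start of an object section
            obj = line; sub(/:$/, "", obj); role = ""; next
        }
        line ~ /^Role:/ { role = trim(substr(line, 6)); next }
        role == grp && obj != "" {                    # a permission held by grp
            if (line != "Read" && line != "Browse" && line != "List") {
                print "EXCESS " obj " " line; bad = 1
            }
            if (obj == "NBU_RES_HostProperties") hp[line] = 1
        }
        END {                                         # step 7.7 requirement
            if (!("Browse" in hp)) { print "MISSING NBU_RES_HostProperties Browse"; bad = 1 }
            if (!("Read" in hp))   { print "MISSING NBU_RES_HostProperties Read"; bad = 1 }
            exit bad + 0
        }'
}

sample_listmainobjects() {   # CONSTRUCTED sample, hypothetical group names
    cat <<'EOF'
NBU_RES_HostProperties:
    Role: GroupY_RO
        Browse
        Read
    Role: Auditors
        Browse
        Read
NBU_RES_DevHost:
    Role: GroupY_RO
        Browse
        Read
        Delete
    Role: GroupX_Admin
        Read
        New
EOF
}

# Live use (after steps 7.2 and 7.3): bpnbaz -listmainobjects | audit_readonly <group>
sample_listmainobjects | audit_readonly GroupY_RO || echo "GroupY_RO is not read-only"
```

A non-zero exit status means the group either holds a permission outside the read-only set or lacks the HostProperties permissions that every group needs.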



"Cruice, Daniel (US - Glen Mills)" <dcruice AT deloitte DOT com>
Sent by: veritas-bu-bounces AT mailman.eng.auburn DOT edu
11/27/2007 02:42 PM
To: VERITAS-BU AT mailman.eng.auburn DOT edu
cc:
Subject: [Veritas-bu] VxSS

Anyone using VxSS?  I have a totally Windows Environment running NBU 6.0 MP4…dedicated network, master / media servers are all in workgroups and clients are controlled via Host files residing on the Master / media servers.  My environment is shared between two separate groups (call it group X and group Y, with my group (X) managing the Infrastructure as well as the backups for the servers we manage).  My management is asking if there is a way to tighten up security on the NBU environment.  Currently we have a generic ID set up on the Master / media servers to log into.  Group X has an ID and group Y has their own ID, yet group Y can theoretically manage my policies and I theirs.  We are planning to migrate everything to an AD domain, however I don’t think that is going to be good enough of a security measure.  I am looking for ways to control who can do what.  Is there a way I can limit what group Y can do, like not have access to make any changes to my policies, my client lists, etc.?  I was trying to read up on VxSS, but might as well be reading hieroglyphs.  Any ideas?
 
Thanks
Dan Cruice
 

 
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu