Client permissions - ServerOrClient vs ServerOnly

lipi

PREDATAR Control23

Hello everybody:

With INITSESSION=ServerOrClient:

- Full functionality, specifically:
- Server can start backups
- Client can start backups


With INITSESSION=ServerOnly:
- Only server can issue operations on client
- No dsmcad on client
- No access to webclient from client
- Cannot restore from client

I want:
- Client cannot start "manual" backups, only backups issued from a sched (with its clopts), can be run.

So, I don't want a user to be able to do:
backup movie_of_10GiB.avi
backup /my_stupid_dir

- Client has to see its backups, and restore them
- Want dsmcad instead of dsmsched.

Is it possible with TSM 7.1.1?
 
PREDATAR Control23

You can't have all that:
- Client cannot start "manual" backups, only backups issued from a sched (with its clopts), can be run.
That's only possible if SESSIONINIT=SERVERONLY, but that means you cannot restore.

- Client has to see its backups, and restore them
That's only possible if SESSIONINIT=SERVERORCLIENT, but that means they will also be able to do manual backups. Personally, I don't see the harm in doing manual backups; it's the same data the schedule would back up, and if the policies are set right, it just means that older versions will roll off quicker if they do more backups. It will not back up more data.

So, I don't want a user to be able to do:
backup movie_of_10GiB.avi
backup /my_stupid_dir
If you don't want users to back up certain files, then you want to do excludes with a client option set. http://www-01.ibm.com/support/knowl....srv.doc/t_mgclinod_mkclioptsets.html?lang=en

However, you can only exclude files by pattern, not by size. So you could prevent users from backing up all AVI files or certain directories using excludes in a client option set. You could specify a MAXSIZE on the storage pools, but that would mean that any client trying to back up a valid file larger than the MAXSIZE would fail. It's easier to just exclude files by pattern instead.

- Want dsmcad instead of dsmsched.
You just need to configure the scheduler to be managed by CAD, but that is not possible if SESSIONINIT=SERVERONLY: http://www-01.ibm.com/support/knowl...m.client.doc/t_cfg_schdcad_steps.html?lang=en

Is it possible with TSM 7.1.1?
I've been working with TSM since ADSM 3.x and all the above has been available since then and will be available in future releases; that's standard TSM functionality.
 
PREDATAR Control23

With INITSESSION=ServerOnly:
- Only server can issue operations on client
- No dsmcad on client
- No access to webclient from client
- Cannot restore from client

The line you wrote "Cannot restore from client" does not apply here. The INITSESSION parameter refers to scheduled backups. All clients can do manual backups and restores when logged in using the right credentials.

If you don't want anyone to run manual backups, restrict user access to the TSM by not giving users access to any TSM functionality. Restricting user access means not being able to do any backup or restore for files.

Give access to only authorized users and exclude files that you do not want to be backed up. When the schedule runs, these files will be excluded automatically.

Edit:

I was wrong in making the point for manual operations.

Server-only initiated backups may not be totally desirable when one needs to do restores. I still suggest restricting users so they don't have access to any TSM functionality.
 
PREDATAR Control23

Ed, if you have serveronly, all sessions must be initiated by the server:
SERVEROnly
Specifies that the server does not accept client requests for sessions. All sessions must be initiated by server-prompted scheduling on the port that is defined for the client with the REGISTER or UPDATE NODE commands. You cannot use the client acceptor, dsmcad, to start the scheduler when SESSIONINITIATION is set to SERVERONLY.
 
PREDATAR Control23

Ed, if you have serveronly, all sessions must be initiated by the server:

I don't think that this applies to manual operations. The TSM help says 'SERVER-PROMPTED SCHEDULES'.

Edit:

I stand corrected.

Marclant is right. Indeed you cannot start a manual operation. I checked with a simulation.
 
PREDATAR Control23

I copied the above from HELP REGISTER NODE, the key is "All sessions must..."

You did make me doubt myself though, so I tested it.

On server:
Code:
tsm: SERVER1>UPDATE NODE MARCLANT SESSIONINIT=SERVERONLY
ANR2063I Node MARCLANT updated.

On my client:
Code:
c:\Program Files\Tivoli\TSM\baclient>dsmc
IBM Tivoli Storage Manager
Command Line Backup-Archive Client Interface
  Client Version 7, Release 1, Level 1.0
  Client date/time: 03/25/2015 09:24:48
(c) Copyright by IBM Corporation and other(s) 1990, 2014. All Rights Reserved.

Node Name: MARCLANT
ANS1382E Server does not allow client-initiated connections for this node.

c:\Program Files\Tivoli\TSM\baclient>

In Actlog:
Code:
03/25/2015 08:23:06  ANR0406I Session 2852 started for node MARCLANT (WinNT)
  (Tcp/Ip 9.49.214.112(58551)). (SESSION: 2852)
03/25/2015 08:23:07  ANR0476W Session 2852 for node MARCLANT (WinNT) refused -
  node is not allowed to initiate sessions. (SESSION: 2852)
03/25/2015 08:23:07  ANR0403I Session 2852 ended for node MARCLANT (WinNT).
  (SESSION: 2852)
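
As an added example (not part of the original post and not IBM code), the activity log messages shown in the test above can be parsed to report which nodes had client-initiated sessions refused and from which address. The sample log is constructed from the excerpt in this thread plus one invented node (FILESRV1, 192.0.2.10); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the activity log excerpt in this thread;
# the second node and its address (192.0.2.10) are invented for illustration.
SAMPLE_ACTLOG = """\
03/25/2015 08:23:06  ANR0406I Session 2852 started for node MARCLANT (WinNT)
  (Tcp/Ip 9.49.214.112(58551)). (SESSION: 2852)
03/25/2015 08:23:07  ANR0476W Session 2852 for node MARCLANT (WinNT) refused -
  node is not allowed to initiate sessions. (SESSION: 2852)
03/25/2015 08:23:07  ANR0403I Session 2852 ended for node MARCLANT (WinNT).
  (SESSION: 2852)
03/25/2015 08:30:11  ANR0406I Session 2853 started for node FILESRV1 (Linux
  x86-64) (Tcp/Ip 192.0.2.10(40112)). (SESSION: 2853)
03/25/2015 08:30:40  ANR0403I Session 2853 ended for node FILESRV1 (Linux
  x86-64). (SESSION: 2853)
"""

STAMP = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(ANR\d{4}[A-Z])\s+(.*)$")
STARTED = re.compile(r"Session (\d+) started for node (\S+) .*?\(Tcp/Ip ([\d.]+)\(\d+\)\)")
REFUSED = re.compile(r"Session (\d+) for node (\S+) .*refused")

def unwrap(text):
    """Join wrapped continuation lines back onto their timestamped record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def refused_sessions(text):
    """Return {node: [(timestamp, session, source_ip), ...]} for ANR0476W refusals."""
    source_ip, hits = {}, defaultdict(list)
    for rec in unwrap(text):
        when, msg_id, body = STAMP.match(rec).groups()
        if msg_id == "ANR0406I" and (m := STARTED.search(body)):
            source_ip[m.group(1)] = m.group(3)  # remember where the session came from
        elif msg_id == "ANR0476W" and (m := REFUSED.search(body)):
            hits[m.group(2)].append((when, m.group(1), source_ip.get(m.group(1), "unknown")))
    return dict(hits)

if __name__ == "__main__":
    for node, events in refused_sessions(SAMPLE_ACTLOG).items():
        for when, session, ip in events:
            print(f"{when} node={node} session={session} from={ip} refused")
```

Repeated refusals for a node set to SERVERONLY show someone or something on that client still trying to open sessions, which is worth checking against the node's schedule configuration.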
 
PREDATAR Control23

Marclant, you were right. I stand corrected as posted above. I guess this is something one totally forgets if not seen and used that often.
 
PREDATAR Control23

Up to you, but maybe it would be best to delete our discussion from the thread, it takes away from the original post?
 
PREDATAR Control23

Up to you, but maybe it would be best to delete our discussion from the thread, it takes away from the original post?

I think it is best to keep it (unless ADMIN thinks otherwise) so people would see the logic and steps taken to resolve an issue and concepts.
 