NetBackup™ Web UI Security Administrator's Guide
Add a custom role
If the default NetBackup roles for RBAC do not meet your needs, you can configure a role with custom role permissions. Note, however, that custom roles do have certain limitations. See Limitations of custom roles.
To add a custom role
- On the left, select Security > RBAC.
- Select the Roles tab and click Add.
- Provide a Role name and a description.
For example, you may want to indicate that the role is for any users that are backup administrators for a particular department or region.
- For Role permissions, choose the permission or type of access that you want users with that role to have for each permission type.
For example, you may want a user to be able to view, but not manage protection plans. Or you may want to give only some users the ability to perform recovery of assets, but not to configure application servers or asset groups.
- Click Add.
When you create custom roles, note the following:
Some permissions are only available with default RBAC roles or for a custom role that is configured with the NetBackup APIs.
A user can only manage settings if that user has the role.
A user can only manage and view if that user has the role.
A user with the role also has certain "view" permissions. This way that user can find and add assets, application servers, and protection plans to an object group. If you want a user with a custom role to create access rules, be sure to select the appropriate view permissions for the custom role.
Some individual permissions do not have a direct correlation with a screen in the web UI. Users that attempt to sign in but that only have a permission of this kind receive an "Unauthorized" message. When you create custom roles, be sure to enable the minimal number of permissions so the user can sign in to and use the web UI.
Table: Description of permissions for custom roles describes the individual permissions that you can select for a custom role.
Table: Description of permissions for custom roles
| Permission category | Permission | Action that the permission allows |
|---|---|---|
| Allow a user to perform one or more types of recovery. Note that users can only view and recover assets for which that user is granted access. | Recover/Restore | Restore the data from a backup image to its original location or a different location. |
| | View Recovery Points | View the recovery points that are available for an asset. Users that only have this permission are not able to sign in to the web UI. |
| | Download Files | Download individual files from an instant access mount point. This permission also enables and . |
| | Instant Access | Create an instant access image. This permission also enables and . |
| | Restore Files | Restore individual files from the backup image to an ESXi server or cluster. This permission also enables and . |
| Note that a user can only manage or select a protection plan for which that user is granted access. | Manage Protection Plans | Create, edit, or delete protection plans. Also can subscribe assets to protection plans. |
| | View Protection Plans | View the protection plans that are available and subscribe assets to a protection plan. |
| Allow a user to view audit logs or to manage security settings or certificates in NetBackup. | View audit logs | See who has signed in to NetBackup, made changes to security settings, or who has browsed or restored a backup image. Also view the access history for the current user. |
| | Manage Global Security Settings | Manage global security in NetBackup. These settings affect communication with 8.0 and earlier hosts, automatic mapping of host names, the security level for certificate deployment, and the disaster recovery passphrase. Users that only have this permission are not able to sign in to the web UI. |
| | Manage Certificates | Manage security certificates for hosts. Includes the ability to revoke a certificate, create a reissue token so a certificate can be reissued, or create a new token. |
| Allow a user to view jobs or to manage job operations. | Manage Jobs | Manage current or completed jobs. Includes the ability to delete, cancel, restart, and suspend a job. |
| | View Jobs | View the current or the completed jobs for the master server. |
| Allow a user to manage assets, subscribe assets to protection plans, or to view assets. Note that a user can only manage assets for which that user is granted access. | Manage Appservers and Asset Groups | Add VMware vCenter credentials, which allow NetBackup to discover additional information for the server so the administrator can view and select objects within the vCenter. Create and manage asset groups and subscribe groups to protection plans. |
| | Manage Assets | Manage the assets that are associated with the supported workloads and subscribe assets to protection plans. |
| | View Assets | View assets that are associated with the supported workloads. |
| Allow an administrator to create the access rules that determine the permissions a user has for a specific workload or asset and for specific protection plans. | Manage Access Rules | Create, manage, or delete access rules. Create custom roles and object groups. |
| | View Access Rules | View the access rules that are configured. |
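
The notes and table above can be turned into a review check to run on planned custom roles before they are created in the web UI. The following is an added example, not NetBackup or vendor code: the role names and the dictionary format are constructed, the permission names are copied from the table, and two rules are assumptions (that a role holding only permissions marked "not able to sign in" cannot sign in, and that View Assets and View Protection Plans are the view permissions an access-rule author needs).

```python
# Added example: audits planned custom roles against the notes on this page.
# Role names and the dict format are constructed, not a NetBackup export.
KNOWN = {
    "Recover/Restore", "View Recovery Points", "Download Files",
    "Instant Access", "Restore Files", "Manage Protection Plans",
    "View Protection Plans", "View audit logs",
    "Manage Global Security Settings", "Manage Certificates", "Manage Jobs",
    "View Jobs", "Manage Appservers and Asset Groups", "Manage Assets",
    "View Assets", "Manage Access Rules", "View Access Rules",
}
# The table marks these as not sufficient, on their own, to sign in.
# Assumption: a role holding only permissions from this set also fails.
NO_SIGN_IN = {"View Recovery Points", "Manage Global Security Settings"}
# Assumption: the "appropriate view permissions" for creating access rules.
ACCESS_RULE_VIEWS = {"View Assets", "View Protection Plans"}


def audit_role(name, permissions):
    """Return a list of findings for one custom role (empty if none)."""
    perms = set(permissions)
    findings = [f"{name}: unknown permission '{p}'"
                for p in sorted(perms - KNOWN)]
    valid = perms & KNOWN
    if not valid:
        findings.append(f"{name}: no valid permissions selected")
    elif valid <= NO_SIGN_IN:
        findings.append(f"{name}: sign-in will return Unauthorized "
                        f"(only {', '.join(sorted(valid))})")
    if "Manage Access Rules" in valid:
        for p in sorted(ACCESS_RULE_VIEWS - valid):
            findings.append(f"{name}: Manage Access Rules without '{p}'")
    return findings


def audit_all(roles):
    """Audit a {role name: [permissions]} mapping; returns all findings."""
    return [f for n in sorted(roles) for f in audit_role(n, roles[n])]


# Constructed sample roles.
SAMPLE_ROLES = {
    "emea-restore-operator": ["View Recovery Points"],
    "emea-backup-admin": ["View Assets", "View Protection Plans", "View Jobs"],
    "rule-author": ["Manage Access Rules", "View Assets"],
    "typo-role": ["View Job"],
}

if __name__ == "__main__":
    print("\n".join(audit_all(SAMPLE_ROLES)))
```
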