Veritas NetBackup™ Commands Reference Guide

Product(s): NetBackup (8.1.2)

Name

bpnbaz — perform Authorization administration tasks from within NetBackup

SYNOPSIS

bpnbaz -[AddGroup | DelGroup] Group_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -[AddPerms | DelPerms] Permission_1[,Permission_2,...] -Group Group_Name -Object Object [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -[AddPolicy | DelPolicy] Policy_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -[AddUser | DelUser] Group_Name Domain_Type:Domain_Name:User_Name [-OSGroup] [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -[AddUser | DelUser] Domain_Type:Domain_Name:User_Name [-reason "reason"] [-CredFile Credential]

bpnbaz -[AllowAuthorization | DisallowAuthorization] Machine_Name [-M server] [-Server server1.domain.com]

bpnbaz -CheckUpgrade [-Server server1.domain.com]

bpnbaz -Configureauth

bpnbaz -GetConfiguredHosts [target.server.com] [-out file] | -all [-out file] | [-file progress_file]

bpnbaz -GetDomainInfosFromAuthBroker [target.server.com [-out file] | [-file progress_file]]

bpnbaz -ListGroupMembers Group_Name [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -[ListPerms | ListMainObjects | ListGroups | ListPolicyObjects | ShowAuthorizers] [-M server] [-Server server1.domain.com] [-CredFile Credential]

bpnbaz -LookupUser Domain_Type:Domain_Name:User_Name [-CredFile credential]

bpnbaz -ListUsers [-CredFile credential]

bpnbaz -ListLockedUsers [-U | -l] [-User Domain_Type:Domain_Name:User_Name]

bpnbaz -ProvisionCert NetBackup_host_name [-out file] | -AllMediaservers -AllClients [-images] [-out file] [-dryrun] | -file progress.file

bpnbaz -SetupAT [-fsa [Domain_Type:Domain_Name:User_Name]]

bpnbaz -SetupAuthBroker [target.server.com [-out file] | -file progress_file]

bpnbaz -SetupClient [client.server.com] [-out file] | -all [-images] [-out file] | [-file progress_file] [-dryrun] [-disable]

bpnbaz -SetupMaster [-fsa [Domain_Type:Domain_Name:User_Name]]

bpnbaz -SetupMedia [media.server.com [-out file] | -all [-out file] | -file progress_file] [-dryrun] [-disable]

bpnbaz -SetupSecurity NBU.Master.Server.com [-M server] [-Server server1.domain.com]

bpnbaz -SetupExAudit -DisableExAudit

bpnbaz -UnconfigureAuthBroker [target.server.com [-out file] | -file progress_file]

bpnbaz -UnlockUser -User [Domain_Type:Domain_Name:User_Name]

bpnbaz -UnhookSharedSecSvcsWithPBX [target.server.com [-out file] | -file progress_file]

bpnbaz -Upgrade [-Silent] [-Server server1.domain.com]

On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/admincmd/

On Windows systems, the directory path to this command is install_path\NetBackup\bin\admincmd\

DESCRIPTION

NetBackup uses the bpnbaz command to access the authorization portion of NetBackup Product Authentication and Authorization Service. Authorization checks the rights on an object. This command enables you to do the following:

  • -AddGroup creates Az groups and -DelGroup deletes Az groups. -DelGroup deletes all the members of the group when you delete an Az group from the authorization engine. This operation is not reversible; if you remove a group, you revoke the rights that are granted to members of the group.

    Note:

    An authorization (Az) group is a collection within the Authorization engine into which OS groups and OS users can be placed. When you add a user to an Az group, you grant them the rights and privileges that are associated with that group.

  • -AddPerms and -DelPerms add and delete the specified permissions for the given role on individual policies from the main NetBackup resource objects.

    For more about permissions, see the NetBackup Administrator's Guide, Volume I.

  • -AddPolicy and -DelPolicy add and delete policies from the main NetBackup resource objects.

  • -AddUser and -DelUser add and delete permissions on individual policies from the main NetBackup resource objects.

    When used with the enhanced auditing feature, -AddUser and -DelUser grant and revoke NetBackup administrator privileges for enhanced auditing. For enhanced auditing, you do not have to include the OSGroup, Server or CredFile options.

  • -AllowAuthorization and -DisallowAuthorization specify which computers are allowed or not allowed to perform authorization checks. The security administrator must specify which servers (master or media) can examine the Authorization database to perform authorization checks.

  • -AllClients deploys the security certificate to all the available clients.

  • -AllMediaservers deploys the security certificate to all the available media servers.

  • -CheckUpgrade determines if an upgrade of existing authorization information is needed for the specified server. If so, this option returns 61. Only NetBackup installers use this option.

  • -Configureauth configures the Authentication Broker.

    Incorrect information for the domain name results in failures during the configuration of Authentication Broker and NetBackup Access Controls. To correct this problem, use this command to configure Authentication Broker.

  • -GetConfiguredHosts obtains NBAC status on the host. Either the -all or target.server.com option is required for this command.

  • -GetDomainInfosFromAuthBroker requests broker domain maps from the authorization broker.

  • -ListGroupMembers lists the group members that are associated with the group defined by Group_Name.

  • -ListGroups lists the defined groups.

  • -ListMainObjects lists the current permissions for each group on each of the main NetBackup objects. This list is an informative view that you can use to verify changes to permissions on an object. This option shows the permissions each group has within the authorization system.

  • -ListPerms lists the current permissions on NetBackup resource and policies. It shows all applicable permissions for a given object or object type within the database. This option helps the user to create meaningful customizations to their authorization.

  • -ListPolicyObjects displays all objects or object collections that are associated with the specified policy.

  • -ListUsers lists all users who have administrator privileges. This parameter is only used in enhanced auditing mode.

  • -ListLockedUsers lists all user accounts that are locked.

  • -LookupUser searches for users to determine if the user has administrative privileges. This parameter is only used in enhanced auditing mode.

  • -ProvisionCert generates an authentication certificate that is unique to the specified host. The certificate must be generated for each host and cannot be pushed from one host to another. An authentication certificate is required on the media servers that host the NetBackup CloudStore Service Container (nbcssc). The security certificate is also required on master servers, media servers, and clients to establish a secure communication with the NetBackup-Java Administration Console.

    For more information, see the NetBackup Cloud Administrator's Guide.

  • -SetupAT generates credentials for all nodes in a clustered master environment. Run this command after NetBackup installation or upgrade.

  • -SetupAuthBroker sets up the authentication broker to use NBAC.

  • -SetupClient sets up NBAC on the client. Run it after bpnbaz -SetupMaster has been completed successfully. It can be run from the master server. It expects connectivity between the master server and target client systems.

    By default, NBAC messages are logged to a file in the local directory that is called SetupClient.nbac. The following is an example of the format of this file:

    client1.server.com
    #client2.server.com #SUCCESS (0) @(07/16/10 12:09:29)
    client3.server.com #INTERNAL_ERROR(68) @(07/16/10 12:09:39)

    • The first line indicates that client1.server.com has not yet been contacted at all.

    • The second line indicates that client2.server.com has been successfully contacted. Each success is commented out (with a leading #) and not contacted multiple times.

    • The third line indicates that client3.server.com has been contacted but an error has occurred. Errors are printed out on the command line with a recommendation of what to do. The error number that is indicated in the logs may indicate the problem.

  • -SetupMaster sets up the master server to use NBAC. The bpnbaz -SetupMaster command contains no user arguments. You are prompted for the password for your current operating system user identity. The authorization server and authentication broker must be installed and running on the master server.

    -SetupMaster adds root/administrator by default to the NBU_Security Admin group. The first time that you use -SetupMaster with the -fsa option, it adds the first security administrator member to the NBU_Security Admin group. If you have configured NBAC already using -SetupMaster without the -fsa option, use the -AddUser option to add any more members.

  • -SetupMedia sets up the media server to use NBAC. A NetBackup administrator group member can run the bpnbaz -SetupMedia command after bpnbaz -SetupMaster has been completed successfully. It can be run from the master server and expects connectivity between the master server and target media server systems.

    By default, NBAC messages are logged to a file in the local directory that is called SetupClient.nbac. Refer to the SetupClient description for an example of the file format.

  • -SetupSecurity sets up the initial security information. It must be run as root on the Az server.

  • -ShowAuthorizers lists the computers that are allowed to perform authorization checks.

  • -U list type is user.

  • -UnlockUser unlocks the specified user account.

  • -User is optional for the -ListLockedUsers parameter. It lists information about the specified user account. Data is returned only if the user account is locked. This option is required when using the -UnlockUser parameter.

  • -UnconfigureAuthBroker removes the configuration from the Authorization Broker.

  • -UnhookSharedSecSvcsWithPBX unhooks the shared Authentication and Authorization services from PBX in Windows Server Failover Clustering (WSFC) environments.

  • -Upgrade modifies the NetBackup operation schema by adding authorization objects. In addition, this option upgrades default user accounts with default permissions for these new objects. You must have NBU_Security Admin privileges.

For more about NBAC and the use of the bpnbaz command, see the NetBackup Security and Encryption Guide.

To use this command and its associated options, you must be a member of the NetBackup Security Administrators group (NBU_Security Administration). The only exception is with the SetupSecurity command.

You must have local administrator privileges on the authorization server to run this command.

When you use bpnbaz, assume that the master server and the Az server are the same computer.

Note:

The use of NetBackup Access Control requires the user's home directories to work correctly.

NetBackup has enhanced the audit capability that helps to audit users without having to enable NBAC. NetBackup administrators can delegate NetBackup administrator privileges to designated users. For more information about enhanced auditing and the use of the bpnbaz command with this feature, see the NetBackup Security and Encryption Guide.

OPTIONS

-all

Scans all the storage units or policies and collects all the associated unique host names that are found in the policies. You can scan in a sorted order. The results are written to the progress file.

client.server.com

Specifies the name of a single target host. Use this option to add a single additional host for use with NBAC.

-CredFile Credential

Specifies a file name (Credential) from which to obtain a Veritas Product Authentication and Authorization Service credential, rather than the default location.

-disable

Disables NBAC (USE_VXSS = PROHIBITED) on targeted hosts.

-DisableExAudit

Disables Enhanced Auditing mode. You must restart the NetBackup services after you run this command. For additional information about Enhanced Auditing, see Auditing NetBackup Operations in the NetBackup Security and Encryption Guide.

Group_Name

Identifies the authorization group on which an operation is to be performed. NetBackup does not allow user groups to be nested.

Domain_Type:Domain_Name:User_Name

The Domain_Type variable is the domain to which the user or group belongs, and the User_Name variable defines the applicable user or group name designating the NetBackup administrator.

-dryrun

Generates a list of computers to receive the security certificate. The exact details of how this option works depend on the parameter with which it is used.

  • dryrun, when used with ProvisionCert

    Generates a list of hosts to receive the security certificate and writes that list to the file name that is provided in the -out option. The -dryrun option only works with the -AllMediaservers and the -AllClients parameters. If the -out file option is not provided, then the host list is written to the default DeploySecurityCerts.progress file.

  • dryrun, when used with either SetupMedia or SetupClient

    Generates a list of media server names or client names, depending on the option used, and writes the list of names to the log. This option works with client.server.com and media.server.com but the intention is to use it with the -all option. The log file name is SetupMedia.nbac if the command is used with the SetupMedia option. The log file name is SetupClient.nbac if the command is used with the SetupClient option.

    If you have more than 250 clients, use -dryrun with -SetupClient to see all of the clients that are visible to the master server.

-file progress_file

Specify a different file name for the progress log. If -file is used, the input and the output files are the same, which allows multiple rounds to execute without changing the command. Use the progress file iteratively by feeding the file back in multiple times until all clients are available online.
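The progress file format shown under -SetupClient can be triaged between rounds to see which hosts still need attention. The following Python sketch is an added example, not part of the NetBackup documentation or tooling; the function names and the `state` labels are assumptions, and the sample reuses the three lines from the -SetupClient description plus one constructed malformed line.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One progress-file line: optional leading '#', a host name, then an optional
# "#STATUS(code) @(timestamp)" annotation. The page's own sample shows both
# "#SUCCESS (0)" and "#INTERNAL_ERROR(68)", so the space before "(" is optional.
LINE_RE = re.compile(
    r"^(?P<done>#?)\s*(?P<host>[^\s#]+)"
    r"(?:\s+#(?P<status>[A-Za-z_]+)\s*\((?P<code>\d+)\)"
    r"(?:\s*@\((?P<when>[^)]*)\))?)?\s*$"
)


@dataclass(frozen=True)
class HostEntry:
    host: str
    state: str                    # "pending", "done" or "failed" (labels assumed here)
    status: Optional[str] = None  # e.g. SUCCESS, INTERNAL_ERROR
    code: Optional[int] = None    # numeric status code from the annotation
    when: Optional[str] = None    # timestamp text, kept verbatim


def parse_progress(text):
    """Return (entries, rejects); rejects are (line_number, raw_line) pairs."""
    entries, rejects = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = LINE_RE.match(raw.strip())
        if not m:
            # Never guess at a host name from a line that does not fit the format.
            rejects.append((lineno, raw))
            continue
        code = int(m["code"]) if m["code"] is not None else None
        if code not in (None, 0):
            state = "failed"      # contacted, error recorded
        elif m["done"]:
            state = "done"        # commented out: not contacted again
        else:
            state = "pending"     # not yet contacted
        entries.append(HostEntry(m["host"], state, m["status"], code, m["when"]))
    return entries, rejects


def triage(entries):
    """Group hosts by state and count failures per status code."""
    return {
        "pending": [e.host for e in entries if e.state == "pending"],
        "done": [e.host for e in entries if e.state == "done"],
        "failed": {e.host: (e.status, e.code) for e in entries if e.state == "failed"},
        "codes": Counter(e.code for e in entries if e.state == "failed"),
    }


# Sample input: the three lines from the -SetupClient description, followed by
# one constructed malformed line to show how unparseable input is reported.
SAMPLE = """\
client1.server.com
#client2.server.com #SUCCESS (0) @(07/16/10 12:09:29)
client3.server.com #INTERNAL_ERROR(68) @(07/16/10 12:09:39)
client4 server com
"""

if __name__ == "__main__":
    parsed, bad = parse_progress(SAMPLE)
    report = triage(parsed)
    print("pending:", report["pending"])
    print("failed: ", report["failed"])
    print("done:   ", report["done"])
    for lineno, raw in bad:
        print(f"line {lineno} not in progress-file format: {raw!r}")
```

Hosts that stay in the failed or pending lists after repeated rounds are the ones on which NBAC has not been configured, so they are worth reviewing before the file is fed back in again.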

-fsa

Provisions a specific OS user as the NetBackup administrator. You are asked for the password for your current OS user identity.

Group_Name

Adds the users by creating a unique enterprise account name, following this format: Authentication type:Domain_Type:User_Name

The supported Authentication types for this variable are the following:

  • Nis - Network Information Services

  • NISPLUS - Network Information Services Plus

  • Unixpwd - UNIX Password file on the Authentication server

  • WINDOWS - Primary Domain Controller or Active Directory

  • Vx - Veritas Private database.

-images

-images searches all images for unique host names. Do not use this option with large catalogs unless you include the -dryrun option. This option discovers all unique clients that are contained in the image catalog. Older catalogs may contain a large number of decommissioned hosts, renamed hosts, and hosts relocated to new masters. Run-time can increase significantly as this command tries to contact unreachable hosts.

-M server

Specifies the name of the master server as defined in the variable server. This server name may be different from the local host name.

Machine_Name

Specifies the computer to be allowed or disallowed to perform authorization checks. The security administrator must specify which master servers or media servers can examine the Authorization database to perform authorization checks.

media.server.com

Specifies the name of a single target host. Use this option to add a single additional host for use with NBAC.

-Object Object

Controls the access to specified objects or object collections.

-OSGroup

Defines a named collection of authentication principals that are established in a native operating system and treated as a single entity. All members of an authentication group or OS group are from the same authentication domain.

-out file

Specifies a custom output file name. By default, the output is written to the SetupMedia.nbac file. Use this option with the -all option.

Permission_1[,Permission_2,...]

Permissions for the role that is given to the designated object or policy.

policy_name

Specifies the name of the policy from the main NetBackup resource objects.

-ProvisionCert media_server_name

Generates an authentication certificate for the media server that is indicated.

-reason "reason"

For enhanced auditing, the reason indicates the reason why the command is used. The reason text string that is entered is captured and appears in the audit report. The string must be enclosed in double quotes ("...") and cannot exceed 512 characters. In addition, it cannot begin with a dash character (-) and must not contain the single quotation mark symbol (').

-Server server1.domain.com

This option specifies the Az server being used. Currently we expect the Az server and the NetBackup master server to exist on the same system.

When used with -CheckUpgrade, determines if an upgrade of existing authorization information is needed for the specified server. If so, -CheckUpgrade returns "61". Only NetBackup installers use this option.

-SetupExAudit

Enables Enhanced Auditing mode. You must restart the NetBackup services after you run this command. For additional information about Enhanced Auditing, see Auditing NetBackup Operations in the NetBackup Security and Encryption Guide.

-Silent

Directs the upgrade operation to automatically enhance the permissions of groups to account for new objects in the system. This option occurs only for the default groups, and only if those groups have never been changed.

target.server.com

Specifies the name of a single target host. Use this option to find the NBAC status on a single host. It captures the status of the host in the ConfiguredHosts.nbac file.

EXAMPLES

Example 1 - Create and list an Az group.

An Az group is a collection within the Authorization engine where other OS groups and OS users are placed. This collection is the building block against which permissions are applied on the objects within the database. If you add a user to an Az group, you grant them all the rights and privileges that are associated with that group. When a user is placed in more than one group, that user's effective permissions are as follows: the logical "or" of the applicable permissions of each group to which the user belongs. The following example demonstrates how to create and list an existing Az group:

# bpnbaz -AddGroup "New Group 1" -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroups -server test.domain.veritas.com
Administrators
Operators
Security Administrators
Resource Management Applications
Applications
New Group 1 
NBU_Unknown
NBU_User
NBU_Operator
NBU_Media Device Operator
NBU_Admin
NBU_Executive
NBU_Security Admin
NBU_Database Agent Operator
NBU_Database Agent Administrator
Operation completed successfully.

Example 2 - Delete an Az group.

If you delete an Az group from the authorization engine, all the members are removed from the group. This operation is not reversible. When you remove a group, you revoke the rights that are granted to members of the group. Therefore, carefully consider the implications of deleting groups.

# bpnbaz -DelGroup "New Group 1" -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroups -server test.domain.veritas.com
Administrators
Operators
Security Administrators
Resource Management Applications
Applications
NBU_Unknown
NBU_User
NBU_Operator
NBU_Media Device Operator
NBU_Admin
NBU_Executive
NBU_Security Admin
NBU_Database Agent Operator
NBU_Database Agent Administrator
Operation completed successfully.

Example 3 - Add and remove users from Az groups (and List group members)

Add users by creating a unique enterprise name of the following format: Authentication type:Domain to which user or group belongs:user or group name

The following are the Supported Authentication types:

  • Nis - Network Information Services

  • NisPlus - Network Information Services Plus

  • Unixpwd - UNIX Password file on the Authentication server

  • WINDOWS - Primary Domain Controller or Active Directory

  • Vx - Veritas Private database

# bpnbaz -AddUser NBU_Operator nis:domain.veritas.com:ssosa -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroupMembers NBU_Operator -server test.domain.veritas.com
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: jdimaggio
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: ssosa
Operation completed successfully.
# bpnbaz -DelUser NBU_Operator nis:domain.veritas.com:ssosa -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListGroupMembers NBU_Operator -server test.domain.veritas.com
==========
Type: User
Domain Type: nis
Domain:domain.veritas.com
Name: jdimaggio
Operation completed successfully.

Example 4 - List applicable permissions

The -ListPerms option shows all applicable permissions for a given object or object type within the database. This information helps the user to create meaningful customizations to their authorization.

# bpnbaz -ListPerms -server test.domain.veritas.com
Object Type: Unknown
    Browse
Object Type: Media
    Browse
    Read
    New
    Delete
    Eject
    . . . 
    Restart
    Synchronize
Object Type: PolicyGroup
    Browse
    Read
    New
    Delete
    Activate
    Deactivate
    Backup
Operation completed successfully.

Example 5 - List main objects

The -ListMainObjects option lists the current permissions for each group on each of the main NetBackup objects. This list is an informative view that can be used to verify changes to permissions on an object. It shows what permissions each group has within the authorization system.

# bpnbaz -ListMainObjects -server test.domain.veritas.com
. . .
NBU_RES_Policy:
    Role: NBU_User
        Unknown
    Role: NBU_Media Device Operator
        Browse
        Read
    Role: NBU_Executive
        Read
        Browse
    Role: NBU_Database Agent Operator
        Unknown
    Role: NBU_Unknown
        Unknown
    Role: NBU_Operator
        Browse
        Read
    Role: NBU_Admin
        Browse
        New
        Activate
        Backup
        Read
        Delete
        Deactivate
    Role: NBU_Security Admin
        Unknown
    Role: NBU_Database Agent Administrator
        Unknown
    Role: Administrators
        Unknown
    Role: Operators
        Unknown
    Role: Applications
        Unknown
    Role: NBU_Security Admin
        Unknown
. . .
NBU_RES_Job:
    Role: NBU_Media Device Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_Executive
        Browse
        Read
    Role: NBU_Database Agent Operator
        Unknown
    Role: NBU_User
        Unknown
    Role: NBU_Unknown
        Unknown
    Role: NBU_Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_Admin
        Browse
        Delete
        Resume
        Read
        Suspend
        Cancel
    Role: NBU_Security Admin
        Unknown
    Role: NBU_Database Agent Administrator
        Unknown
    Role: Administrators
        Unknown
    Role: Operators
        Unknown
    Role: Applications
        Unknown
    Role: NBU_Security Admin
        Unknown
. . .
Operation completed successfully.

Example 6 - Add and delete permissions from an object or policy

Delete all permissions from an object for a given group. Add the permissions that are specified for the given role to the object or policy in question.

# bpnbaz -AddPerms Browse,Read,New,Delete -Group TestGroup1 -Object NBU_RES_Job -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ListMainObjects -server test.domain.veritas.com
NBU_RES_Unknown:
    Role: NBU_User
. . .
NBU_RES_Job:
    Role: NBU_Media Device Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_Executive
        Browse
        Read
    Role: NBU_Database Agent Operator
        Unknown
    Role: TestGroup1
        Read
        Delete
        New
        Browse
    Role: NBU_User
        Unknown
    Role: NBU_Unknown
        Unknown
    Role: NBU_Operator
        Browse
        Suspend
        Cancel
        Read
        Resume
        Delete
    Role: NBU_Admin
        Browse
        Delete
        Resume
        Read
        Suspend
        Cancel
    Role: NBU_Security Admin
        Unknown
    Role: NBU_Database Agent Administrator
        Unknown
    Role: Administrators
        Unknown
    Role: Operators
        Unknown
    Role: Applications
        Unknown
    Role: NBU_Security Admin
        Unknown
NBU_RES_Service:
    Role: NBU_Unknown
. . .
Operation completed successfully.
# bpnbaz -DelPerms -Group TestGroup1 -Object NBU_RES_Policy -server test.domain.veritas.com
Operation completed successfully.
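Because -ListMainObjects is the view used to verify permission changes, comparing a saved copy from before a change with one taken afterwards shows exactly which role gained or lost which permission. The following Python sketch is an added example, not part of the NetBackup documentation or tooling; the function names are assumptions, and the two samples are shortened, constructed excerpts modeled on the output shown in Examples 5 and 6.

```python
def parse_main_objects(text):
    """Parse -ListMainObjects output into {object: {role: set(permissions)}}.

    Lines are classified by content rather than indentation, so output that
    was re-wrapped or re-indented when it was saved still parses.
    """
    acl = {}
    obj = role = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, the echoed command line, the documentation's ". . ."
        # elision marker and the trailing status message.
        if (not line or line.replace(" ", "") == "..."
                or line.startswith(("#", "Operation completed"))):
            continue
        if line.startswith("Role:"):
            if obj is None:
                raise ValueError(f"line {lineno}: role listed before any object")
            role = line[len("Role:"):].strip()
            # The same role can be listed twice under one object; merge it.
            acl[obj].setdefault(role, set())
        elif line.endswith(":"):
            obj, role = line[:-1], None
            acl.setdefault(obj, {})
        else:
            if role is None:
                raise ValueError(f"line {lineno}: permission listed before any role")
            acl[obj][role].add(line)
    return acl


def diff_acl(before, after):
    """Return sorted (object, role, added, removed) tuples for every change."""
    changes = []
    for obj in sorted(set(before) | set(after)):
        b_roles, a_roles = before.get(obj, {}), after.get(obj, {})
        for role in sorted(set(b_roles) | set(a_roles)):
            b, a = b_roles.get(role, set()), a_roles.get(role, set())
            if a != b:
                changes.append((obj, role, sorted(a - b), sorted(b - a)))
    return changes


# Constructed excerpt: NBU_RES_Job before the -AddPerms call in Example 6.
BEFORE = """\
# bpnbaz -ListMainObjects -server test.domain.veritas.com
. . .
NBU_RES_Job:
    Role: NBU_Executive
        Browse
        Read
    Role: NBU_Database Agent Operator
        Unknown
    Role: NBU_Security Admin
        Unknown
. . .
Operation completed successfully.
"""

# Constructed excerpt: the same object after TestGroup1 was granted permissions.
AFTER = """\
# bpnbaz -ListMainObjects -server test.domain.veritas.com
. . .
NBU_RES_Job:
    Role: NBU_Executive
        Browse
        Read
    Role: NBU_Database Agent Operator
        Unknown
    Role: TestGroup1
        Read
        Delete
        New
        Browse
    Role: NBU_Security Admin
        Unknown
. . .
Operation completed successfully.
"""

if __name__ == "__main__":
    for obj, role, added, removed in diff_acl(parse_main_objects(BEFORE),
                                              parse_main_objects(AFTER)):
        print(f"{obj} / {role}: added={added} removed={removed}")
```

Any change reported for a role or object other than the one named in the -AddPerms or -DelPerms command is a change that was not requested and should be investigated.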

Example 7 - Specify what servers can perform authorization checks

This example also shows how to view which servers can perform authorization checks and how to disallow a server from performing authorization checks.

The -AllowAuthorization option specifies which computers are allowed to perform authorization checks. The security administrator must specify which servers (Master or Media) are permitted to examine the Authorization database to perform authorization checks. The following examples demonstrate how to allow or disallow a computer to perform authorization.

# bpnbaz -AllowAuthorization butterball.domain.veritas.com -server test.domain.veritas.com
Operation completed successfully.

# bpnbaz -ShowAuthorizers -server test.domain.veritas.com
==========
Type: User
Domain Type: vx
Domain:NBU_Machines@test.domain.veritas.com
Name: butterball.domain.veritas.com
Operation completed successfully.
# bpnbaz -DisallowAuthorization butterball.domain.veritas.com -server test.domain.veritas.com
Operation completed successfully.
# bpnbaz -ShowAuthorizers -server test.domain.veritas.com
Operation completed successfully.

Example 8 - Set up initial security bootstrapping

The user must run the -SetupSecurity option as root on the Az server. The user must then provide the logon information for the first NetBackup Security administrator.

Note:

The root user on the system upon which the Az server is installed is always a security administrator.

# bpnbaz -SetupSecurity test.domain.veritas.com -server test.domain.veritas.com
Authentication Broker: test.domain.veritas.com
Authentication port[ Enter = default]: 
Domain: domain.veritas.com
Name: ssosa
Password: Authentication type (NIS, NISplus, WINDOWS, vx, unixpwd: 
NIS
Operation completed successfully.

SEE ALSO

See bpnbat.