Veritas NetBackup™ Vault Administrator's Guide
About the Vault Operator user group permissions
NetBackup Access Management is used to define user groups, specify which actions each user group can perform, and assign users to those user groups. Each user group can perform only the actions explicitly granted and no others.
When Vault is installed and licensed, NetBackup includes a Vault Operator user group that has permission to perform the operator actions necessary for the Vault process.
The table "Vault Operator permission sets defaults" lists the permissions that the Vault Operator user group has, in NetBackup Access Management terminology.
Table: Vault Operator permission sets defaults
Permission sets | Permissions | Vault Operator |
---|---|---|
Operate media | Browse media | X |
Operate media | Read media | X |
Operate media | Inject media | X |
Operate media | Eject media | X |
Operate media | Move media | X |
Operate media | Assign media | X |
Operate media | Deassign media | X |
Operate media | Update database | X |
Operate media | Update barcodes | X |
Operate media | New | X |
Operate media | Delete | X |
Operate media | Expire | X |
Read report | Browse report | X |
Read report | Read report | X |
Operate robot | Browse robot | X |
Operate robot | Read robot | X |
Operate robot | Inventory robot | X |
Operate robot | New robot | X |
Operate robot | Delete robot | X |
Drive | Browse drive | X |
Drive | Read drive | X |
NBU_Catalog | Browse | X |
NBU_Catalog | Read | X |
Job | Browse job | X |
Job | Read job | X |
Job | Suspend job | X |
Job | Resume job | X |
Job | Cancel job | X |
Job | Delete job | X |
Job | Restart job | X |
Job | New job | X |
Service | Browse service | X |
Service | Read service | X |
Host Properties | Browse Host Properties | X |
Host Properties | Read Host Properties | X |
License | Browse license | X |
License | Read license | X |
Volume group | Browse volume group | X |
Volume group | Read volume group | X |
Volume group | New volume group | X |
Volume group | Delete volume group | X |
Volume Pool | Browse volume pool | X |
Volume Pool | Read volume pool | X |
Dev Host | Browse device host | X |
Dev Host | Read device host | X |
Vault | Browse vault | X |
Vault | Read vault | X |
Vault | Manage containers | X |
Vault | Run reports | X |
ServerGroup | Browse | X |
ServerGroup | Read | X |
These permissions are granted only in the scope of actions that are performed in Vault. For example, the Vault Operator group has permission to update databases, but only to the extent that is allowed by Vault, such as when ejecting media changes volume group information for the volume ejected. As defined in the default permission sets, the Vault Operator cannot use the NetBackup Administration Console to change database information that is not related to the operate media actions.
If you use Access Management to administer access by using the default Vault Operator group, those permission sets and permissions apply regardless of whether the actions are initiated from the Vault Operator Menu or the NetBackup Administration Console.
A NetBackup Security Administrator (a user group that is defined within NetBackup Access Management) can use Access Management to add users to the Vault Operator group and change the permission sets and permissions of the Vault Operator group. A Security Administrator also can create new user groups to define new roles.
Because you can change which actions user groups can perform, the Vault documentation cannot specify which actions are or are not allowed by Access Management. If an action cannot be performed because of access management restrictions, NetBackup Administration Console messages explain the restriction.
See the NetBackup Security and Encryption Guide.
Note:
Giving operators access to the Vault Operator Menu also gives operators the capability to change report destinations. If you do not want your operators to view reports and change report destinations, do not give them access to the Vault Operator Menu. For example, you may not want your operators to see the Recovery Report or to be able to change to whom reports are emailed.