qox
Level 3
4 months ago

How to configure RBAC

I've created a new user account in the master server to be used for logging into both the Java application and the new web UI. It worked in the Java application, but it needs RBAC configuration in the web UI.

Can someone guide me through RBAC configuration for this user account?

The OS and NetBackup versions are Oracle Linux 8.9 and 10.3.0.1 respectively.

  • Hi qox 

    There are two ways to do this. 

    1. Use the WebUI, log in with an account with Security administration privileges (if you have access to root this account can be used). Go to the RBAC section and select the role you wish to assign to the user (Administrator gives full control). Once in the role, enter the new user (or user group) and add them in. That simple.

    2. Use the command line. Use the bpnbaz command to add the user (this is really only useful to add the user to the Administrator role). The syntax is like this: 

    /usr/openv/netbackup/bin/admincmd/bpnbaz -AddRBACPrincipal -User unixpwd:<master server name>:<user>

    For more details refer to the NetBackup Web UI Administrator's Guide.

    Cheers
    David

    • qox
      Level 3

      I can see two groups that I can use, Administrator (doesn't show in the below screenshot) and NetBackup Read-Only Operator. Because I don't want someone to use CLI or to have the permission to do RBAC. Is that correct?

      And in the description of Default Security Administrator, what does it mean to say "the permissions for this role cannot be edited"?

      • Hi qox 

        None of the built-in RBAC roles can be edited (it's not just the security administrator role). If you want to customise the role, you will need to create a new one (use the +Add button at the top - you can use one of the existing roles as a template or craft one from scratch). Crafting a custom role also gives you clarity on the various aspects that can be controlled/restricted (even if you don't use it).

        If you want to restrict CLI access, then the Administrator role is not suitable (as it includes all permissions). 

        The role required for your new user depends entirely on the functionality you wish to assign to them (are they allowed to create policies, cancel jobs, what role will they have - I can't answer these for you). If you want to give them full access, then Administrator is fine. If they have Windows administration access to the master server, then removing CLI access from their RBAC role is pointless (as they can run the commands as administrator).

        Cheers
        David