NetBackup Security: NetBackup Access Control (NBAC)

By | February 28, 2015

Recently I have reviewed the newest version of Symantec NetBackup ™ Security and Encryption Guide and I realized that I have not met so often in my customer environment an important NetBackup security option: NBAC. Hmm, I can admit, I have seen twice this feature implemented...

The NetBackup Access Control (NBAC) is the role-based access control that is used for master servers, media servers, and clients. NBAC can be used in the following situations:

  • Use a set of permissions for different levels of administrators for an application. A backup application can have operators (perhaps load and unload tapes).
  • Separate administrators so that root permission to the system is not required to administer the system. You can then separate the administrators for the systems themselves from the ones who administer the applications.

NetBackup Security: NetBackup Access Control (NBAC)

NetBackup Access Control (NBAC) Components

There are following NBAC components:

  • Root broker -  Authenticates the authentication broker. The root broker does not authenticate clients.
  • Authentication broker - Authenticates the master server, media server, GUI, and clients by establishing credentials with each one of them. The authentication broker also authenticates a user when operating a command prompt. There can be more than one authentication broker in a datacenter installation. The authentication broker can be combined with the root broker.
  • Authorization engine - Communicates with the master server and the media server to determine the permissions of an authenticated user. These permissions determine the functionality available to a given server. The authorization engine also stores user groups and permissions. Only one authorization engine is required in a datacenter installation. The authorization engine also communicates over the WAN to authorize other media servers in a multi-datacenter environment.
  • GUI - Specifies a Remote Administration Console that receives credentials from the authentication brokers. The GUI then may use the credentials to gain access to functionality on the clients, media, and master servers.

NetBackup Security: NetBackup Access Control (NBAC) 2

The NetBackup Access Control (NBAC) offers you higher security and permission granularity but also more complexity of your backup environment. When you need to upgrade the NetBackup, you also have to follow additional steps to be able to do the upgrade successfully. Fortunately, installing and configuring NBAC is not difficult since NetBackup 7.x (configuring NBAC with NBU 6.x or older was a nightmare!).

Please follow the next post to configure NBAC on Master, Media and NetBackup clients.

6 thoughts on “NetBackup Security: NetBackup Access Control (NBAC)

  1. cooper

    Hi, I am in no way an NBU guru, or anything, but we are deploying NBU v7.6x on Wintel (RHEL) as roll your own appliances with SAN backend, to use Client dedup then encrypt to SAN, Local (media svr) dedup and encrypt to SAN, Unix BMR and using many other v7.6 features like MSDP, VADP, Accellerator,AIR - when we have the pipe. We will no longer be deploying a VTL/dedup appliance like EMC, Exagrid or Quantum, but use FC SAN for disk offloading. When we deployed Symantec OpsCentre, 8 mths ago, I wanted the backup team to use NBAC, but was told not yet, now they want to deploy NBAC, with v7.6 and then migrate off the old 7.1, 7.4, 7.5 environment to the new v7.6. When will you release your -how to deploy, implement NBU, i'm hoping this will be easier to read and understand than the complex NBU guides. Also do you know if Symantec has a v7.6 NBAC blueprint like they do for other features?

    Reply
    1. Mariusz Post author

      I will check on the partnernet about NBAC blueprint and I will drop you an email (I hope that the email you provided is correct). I think I will write a procedure to install and configure NBAC not earlier than in April.

      Reply
  2. Mike in Arizona

    You mentioned about writing a NBAC how-to but I searched and couldn't find anything. I have a POC that I'm currently working on and they'd like to have users control their own set of policies. Can NBAC go this granular? Is there a better way? Thank for a great blog. I reference it all the time. Feel free to email if needed.

    Reply
    1. Mariusz Post author

      Hi Mike,

      Unfortunately, currently there is not possible to control set of policies. Maybe when Veritas will add a functionality to segregate policies in folders then it will possible to do a better granular. Good luck in your POC!

      Reply
  3. Faz

    Hi, Did you get a chance to publish the NBAC guide step by step, for transport level security.

    Reply
    1. Mariusz Post author

      Hi Faz,

      I haven't published it. In this week I will post. Published.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *