To deliver all the new features in NetBackup 8.3 like our ransomware resiliency strategy and security enhancements, we reimagined and enhanced how we implement role-based access control (RBAC). Our priorities include improved granular control for roles, updated standards to de-emphasize canned roles and re-engineered RBAC to offer more flexibility. We provided new canned roles that adhere to our new RBAC standards. As a result of this reimagining and re-strategizing, RBAC now looks very different.
Veritas is committed to providing its users flexibility and ease of use by creating simple products and features. The RBAC feature in NetBackup 8.3 is a big step forward in that direction, allowing more granular access control.
What is RBAC?
RBAC uses roles as a way of delegating permissions on objects to users. The NetBackup web user interface (web UI) lets you configure and apply RBAC in your NetBackup environment for APIs and the web UI. You can use RBAC to provide access for users who don’t usually have access to NetBackup. You can also provide limited access and permissions based on their role in your organization to NetBackup users who would normally require Administrator access. Beginning with the NetBackup 8.1.2 release, the NetBackup web UI provided RBAC for a limited number of security settings and workloads. The RBAC feature is enforced and applicable for the web UI and APIs.
With improved infrastructure in the NetBackup 8.3 release, RBAC allows more granular permissions, improved flexibility and greater control. The design of RBAC is based on access control lists (ACLs), and it closely follows the ANSI INCITS 359-2004 standard.
Deploying a fresh install
After the installation of NetBackup 8.3, the Administrator can create access definitions and roles. An access rule gives a user permissions and access to the NetBackup environment through the web UI based on the user’s role in the organization. By default, only the “Administrator” role is created in NetBackup 8.3, and it has all privileges for RBAC. The “Administrator” needs to log in to the web UI to configure additional custom roles for different tasks such as Workload Administrator, Security Administrator, and Backup Administrator (see Figure 1).
Upgrading to NetBackup 8.3 ‒ Checking for RBAC configuration
When running an upgrade to NetBackup 8.3, some pre-condition checks will run. The installer needs confirmation if any of the roles listed in Table 1 are already implemented.
There are multiple checks needed for RBAC configuration. The presence of any preconfigured principals in RBAC or whether the user may have configured custom roles or added custom object groups to predefined roles all indicate a need to inform the user that RBAC has changed in ways the user must understand before proceeding.
Although there are no error messages, there will be prompts during the upgrade process. Any NetBackup Master Server that is being upgraded from 8.2 to NetBackup 8.3 runs these checks.
After upgrading to NetBackup 8.3, a migration tool called rbac_user_migration is available to move previous Backup Administrator users to the new elevated Administrator role. A corresponding Perl script of this tool is also accessible from SORT. You must reconfigure any RBAC canned roles such as Workload Admin or custom roles configured in previous NetBackup versions after upgrading to NetBackup 8.3.
The new RBAC feature is closely aligned with the access control list (ACL) model. There’s no need to create custom or Workload Admin roles after an upgrade. The newer version also provides an optional user migration tool. The multiple canned roles (Backup Admin, Security Admin) are available only with the earlier RBAC version (see Table 2).
Table 1. Available RBAC Roles
|VMware Administrator||Provides all permissions necessary to manage protection for VMware VMs through Protection Plans.|
|RHV Administrator||Provides all permissions necessary to manage protection for RedHat Virtualization VMs through Protection Plans.|
|Cloud Administrator||Provides all permissions necessary to manage the protection of cloud assets using Protection Plans.|
|MS-SQL Administrator||Provides all permissions necessary to manage protection for Microsoft SQL Server databases using Protection Plans.|
|Storage Administrator||Provides all permissions necessary to configure and manage disk-based storage and cloud storage for NetBackup.|
Table 2. RBAC Features and Capabilities]
RBAC and ransomware
RBAC complements the ransomware resiliency posture for data protection. RBAC ensures that access to resources on NetBackup is restricted. Only those users assigned the Administrator role are authorized to configure and manage NetBackup. RBAC configuration is protected in catalog backup of Master Servers and can be recovered through established catalog recovery processes.
RBAC and cloud plug-in support
In NetBackup 8.3, cloud plug-in support is provided with named queries for assets, asset-by-id, create-or-update-assets, assets-count, delete-assets, and cleanup-assets. There are two named queries implemented by cloud providers: “add-assets-protection” and “remove-assets-protection.” These named queries are consumed by service-level objective (SLO) APIs internally when the asset is subscribed to a Protection Plan. All other workload providers have also implemented these named queries for SLO integration. The same plug-in experience exists for VMware, SQL Server and RHV (Red Hat Virtualization).