About the Vault Operator user group

NetBackup Access Management is used to define user groups, specify which actions each user group can perform, and assign users to those user groups. Each user group can perform only the actions explicitly granted and no others.

When Vault is installed and licensed, NetBackup includes a Vault Operator user group that has permission to perform the operator actions necessary for the Vault process.

Table: Vault Operator permission sets defaults lists the permissions that the Vault Operator user group has in NetBackup Access Management terminology.

Table: Vault Operator permission sets defaults

Permission sets

Permissions

Vault Operator

Operate media

Browse media

X

Read media

X

Inject media

X

Eject media

X

Move media

X

Assign media

X

Deassign media

X

Update database

X

Update bar codes

X

New

X

Delete

X

Expire

X

Read report

Browse report

X

Read report

X

Operate robot

Browse robot

X

Read robot

X

Inventory robot

X

New robot

X

Delete robot

X

Drive

Browse drive

X

Read drive

X

NBU_Catalog

Browse

X

Read

X

Job

Browse job

X

Read job

X

Suspend job

X

Resume job

X

Cancel job

X

Delete job

X

Restart job

X

New job

X

Service

Browse service

X

Read service

X

Host Properties

Browse Host Properties

X

Read Host Properties

X

License

Browse license

X

Read license

X

Volume Group

Browse volume group

X

Read volume group

X

New volume group

X

Delete volume group

X

Volume Pool

Browse volume pool

X

Read volume pool

X

Dev Host

Browse device host

X

Read device host

X

Vault

Browse vault

X

Read vault

X

Manage containers

X

Run reports

X

ServerGroup

Browse

X

Read

X

These permissions are granted only in the scope of actions performed in Vault. For example, the Vault Operator group has permission to update databases, but only to the extent allowed by Vault, such as when ejecting media changes volume group information for the volume ejected. As defined in the default permission sets, the Vault Operator cannot use the NetBackup Administration Console to change database information that is not related to the operate media actions.

If you use Access Management to administer access by using the default Vault Operator group, those permission sets and permissions apply regardless of whether the actions are initiated from the Vault Operator Menu or the NetBackup Administration Console.

A NetBackup Security Administrator (a user group defined within NetBackup Access Management) can use Access Management to add users to the Vault Operator group and change the permission sets and permissions of the Vault Operator group. A Security Administrator also can create new user groups to define new roles.

Because you can change which actions user groups can perform, the Vault documentation cannot specify which actions are or are not allowed by Access Management. If an action cannot be performed because of access management restrictions, NetBackup Administration Console messages will explain the restriction.

See "Access Management" in the NetBackup System Administrator's Guide, Volume II.

Note:

Giving operators access to the Vault Operator Menu also gives operators the capability to change report destinations. If you do not want your operators to view reports and change report destinations, do not give them access to the Vault Operator Menu. For example, you may not want your operators to see the Recovery Report or to be able to change to whom reports are emailed.