This is a rather long post so I thought I'd ask my question at the top.

If you're running a NB master server on windows, how do you control access
to NetBackup for your operations and support staff? We have a situation
where we need to allow operations staff access to monitor jobs and tapes
and support staff should have more complete access. How do you control this
kind of access?

In some of our smaller offices we have decided to run NetBackup on Microsoft

Windows servers. We came up against the problem of how to allow operators

restricted access to the admin console so they could do things like run vault
jobs, check
the scratch pool etc. Our initial decision was to use VxSS but this is
a separate
product and, as far as we are aware, not certified by engineering. So our
next step
was to try and use the Java Console. This had the potential to be quite
a useful tool as
it enables you to restrict access to parts of the console based on username
(eg: you
could let operations staff access the activity montior and reports only).
The usernames used would be AD entries ie: no need to maintain a separate
user list. But we came up
against these obstacles when evaulating the java console - at least on Windows

systems:

* The NetBackup client service must run as LocalSystem. This is an issue
in India where they run it as a domain account. If you run the client service
as a domain account you can't authenticate (check this reference: http://seer.support.veritas.com/docs/270086.htm)
even if the domain account has admin rights on the server

* The user must have interactive login privileges to the master server and

* The user must be in the server's local administrator group

That last requirement pretty much kills the use of the java console as far
as I can see. I'm not sure we'd want to allow operators admin access to
our master servers. Also, these requirements pretty much circumvent any
security the java console had built into it in the first place!

A tale of frustration I can tell you.

In the end the solution (for allowing operators to use the admin console)
we came up with was this:
* Add the user's PC's hostname to the master server's allowed server list
(eg: add it as a SERVER = entry in bp.conf)
* then install the admin console on the PC and bob's your uncle.
This has these issues though:
* There's no access control. If the server name matches any user on that
PC can run the admin console and has full access to NB
* It's difficult to manage. What happens if your PC name changes for example
or if I move my laptop from one office to another?

But it seems the only viable way of allowing operators access.

I looked into using advanced authentication/authorization to provide user
access also. However I am thinking that this is unsuitable for our purposes
for these reasons:
* To provide decent authentication you need vopie which is troublesome as
detailed below. We could use noauth as an alternative though
* Advanced authorization still requires that you enter each PC's hostname
into the server list on the master server
* Advanced authorization does not provide any measure of restricting access
(like the java console).

Much of this has come about because we are running on Windows. If we were
running Unix we could have written a set of scripts or web pages to front-end
what the operators need to do. I'm pretty sure that's how most of you guys
work. But this is not so easy to accomplish on Windows.