Access to Bacula resources

Basics

It is possible to limit access to Bacula resources so that specific users can use only selected resources. A good example is a company that wants to give employees the ability to run backup and restore, so that every employee can log in to Bacularis and see only his/her own backups. Each of them is able to run backup only of their own computer and to perform restore only to locations on their own computer.

To limit access to Bacula resources, Bacularis uses the Bacula Console ACL function. To set up this access, you can use one of the following ways:

  • Use the set access button for users, API hosts or API host groups (available from version 2.4.0).

  • Use the new user wizard on the security page.

  • Configure access manually by creating custom ACL consoles and assigning them to user Basic or OAuth2 accounts.


Restricted Bacula resource access can be used together with limited access to pages by roles. This way you can define which Bacularis areas users have access to and which Bacula resources they can use.

Here is a video guide that shows how to use restricted Bacula resource access together with custom access to pages.

Configuration

Below you can find descriptions of the ways to configure restricted Bacula resource access for users.

Set access button

This is the simplest way of setting restricted access to Bacula resources. It consists of selecting the jobs that should be available to a given user. You can find this function under the set access button, which is accessible on the security page for users, API hosts and API host groups.

After you select the jobs, a Bacula Console ACL resource is created in the background. It defines access only to the selected jobs and to all resources related to these jobs. For example, if you select access for a job AAA which in the Bacula configuration uses client BBB, storage CCC and pool DDD, then the newly created Bacula Console ACL will contain access for all these resources:

Console {
  Name = XYZ
  JobAcl = AAA
  ClientAcl = BBB
  StorageAcl = CCC
  PoolAcl = DDD
  ...etc.
}

and this console will be used automatically for this user account.
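
The derivation described above can be sketched as follows. This is an added example, not Bacularis code: the function names, the sample job data (including the FileSet EEE and the second job) and the over-broad check are assumptions made for illustration, and only the ACL part of the Console resource is rendered.

```python
# Added example: derive a least-privilege Console ACL from selected jobs.
# Hypothetical helper names; JOBS is constructed sample data.

# Job directive -> Console ACL directive that has to cover it.
RELATED = {"Client": "ClientAcl", "Storage": "StorageAcl",
           "Pool": "PoolAcl", "FileSet": "FileSetAcl"}

JOBS = {  # constructed sample: job name -> directives of its Job resource
    "AAA": {"Client": "BBB", "Storage": "CCC", "Pool": "DDD", "FileSet": "EEE"},
    "Payroll": {"Client": "hr-fd", "Storage": "CCC", "Pool": "Long", "FileSet": "HR"},
}


def build_console_acl(selected_jobs, jobs):
    """Return {AclDirective: sorted names} covering only the selected jobs."""
    acl = {"JobAcl": set()}
    for job in selected_jobs:
        if job not in jobs:
            raise KeyError(f"unknown job: {job}")
        acl["JobAcl"].add(job)
        for directive, acl_name in RELATED.items():
            value = jobs[job].get(directive)
            if value:
                acl.setdefault(acl_name, set()).add(value)
    return {name: sorted(values) for name, values in acl.items()}


def render_console(name, acl):
    """Render the ACL part of a Console resource (other directives omitted)."""
    lines = ["Console {", f'  Name = "{name}"']
    for directive, values in acl.items():
        quoted = ", ".join(f'"{v}"' for v in values)  # quoting allows spaces
        lines.append(f"  {directive} = {quoted}")
    lines.append("}")
    return "\n".join(lines)


def overbroad(acl, jobs, selected_jobs):
    """List ACL entries that grant more than the selected jobs need."""
    needed = build_console_acl(selected_jobs, jobs)
    return sorted(
        (directive, value)
        for directive, values in acl.items()
        for value in values
        if value == "*all*" or value not in needed.get(directive, [])
    )


if __name__ == "__main__":
    print(render_console("XYZ", build_console_acl(["AAA"], JOBS)))
```

The `overbroad` check is useful when reviewing a manually written Console: it reports `*all*` entries and any resource that none of the user's jobs actually references.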

Here is a video guide that shows this type of configuration:

New user wizard

The second way of configuring restricted access to Bacula resources is to use a wizard.

The new user wizard helps to create a new user with restricted or full access to Bacula resources. You can see the whole configuration process in the video guide here:

Manual Console ACL configuration

The third and last way of configuring restricted Bacula access is manual configuration. Below you can find the steps needed to set up restricted Bacula resource access.

If you use the basic users in the API host:

  1. Create the Console ACL with the selected Bacula resources defined.

  2. Assign the Console to the API basic user.

  3. Add a new API host using the API basic user with the Console assigned.

  4. Assign the API host to the Bacularis Web user.

If you use the OAuth2 authorization in the API host:

  1. Create the Console ACL with the selected Bacula resources defined.

  2. Assign the Console to the OAuth2 client account.

  3. Add a new API host using the OAuth2 client account with the Console assigned.

  4. Assign the API host to the Bacularis Web user.

All the steps can be done on the Bacularis Web side without the need to do anything directly on the API host.

Resource permissions

Since Bacularis version 2.5.0 a new function is available to set permissions per Bacula resource like Job, Client, FileSet …etc. For each resource you can set read-only, read-write or no access permissions. This setting is set per API host and makes it possible to give a user limited (ro or rw) access to some resources and no access at all to others.

This function is especially useful if users have access to configure Bacula on the web interface, because it allows you to set granular access to selected resources per user. It is also possible to create read-only users that are able to read the configuration on the web interface but not write it.

Here you can find a video guide that shows how this function works in practice: