Hi Community,
When we install the Commvault agent on any Linux or Windows Client.
What permissions or roles does it need on the host in order for backups to work?
Regards, Mohit
Solved
Commvault Agent Permissions
+11Best answer by Jos Meijer
You can run without a sudo or root (except on Macintosh), but this will limit your backup to the file locations within the rights of this user which performed the install.
Regarding rights on the FS, this is the statement in documentation:
UNIX Group
We recommend that you assign a dedicated UNIX group for all Commvault processes. Users associated to that group are granted access rights over Commvault configuration files, registry, and log files. If you do not assign a group, you must set access permissions for other users during the installation. Only the root group has all access rights by default.
If you plan to install a database agent (for example, Oracle), assign the UNIX group that is used by the database application, and add the database users to the group. The group grants access rights for both Commvault and database application processes.
Access Permissions for the UNIX Group and Other Computer Users
If you do not assign a dedicated UNIX group, you must set sufficient access permissions for other users (other than root users) during the installation. By default, read and execute permissions are granted to other users during installations from the installation package, and read, write, and execute permissions during installations from the CommCell Console.
If you do assign a dedicated UNIX group, you will be able to set the access permissions for the group. By default, read, write, and execute permissions are granted to the UNIX group.
Note:
For installations on AIX computers and for 32-bit installations, grant read permissions for other users to ensure that services are started when the installation completes.
Review the writable permissions to other (world) computer users if the last two digits of file permissions are 2, 3, 6, or 7, for potential security vulnerability.
For the Commvault binaries: https://kb.commvault.com/article/INS0035
If I were you I would use a sudo account or dedicated group with full access.
But this depends on what your company policy is in this matter.
If you have a CISO then I would contact him/her to find out what is allowed.
If you have a question or comment, please create a topic
+17- Commvault Certified Expert
- 638 replies
If you want to be able to backup all file data on the client, looking at:
Windows
- Install the agent with a local admin and either leave the services on Local System or assign local admin service account
Linux
- Install agent with Root or Sudo or during installation provide a dedicated UNIX Group with the necessary rights
If we are talking about application agents there might a need for additional rights.
+11Also when the backup runs, what permissions are required by the Commvault agent to scan all files/directories and keep track of changes in files.
+17- Commvault Certified Expert
- 638 replies
- Answer
You can run without a sudo or root (except on Macintosh), but this will limit your backup to the file locations within the rights of this user which performed the install.
Regarding rights on the FS, this is the statement in documentation:
UNIX Group
We recommend that you assign a dedicated UNIX group for all Commvault processes. Users associated to that group are granted access rights over Commvault configuration files, registry, and log files. If you do not assign a group, you must set access permissions for other users during the installation. Only the root group has all access rights by default.
If you plan to install a database agent (for example, Oracle), assign the UNIX group that is used by the database application, and add the database users to the group. The group grants access rights for both Commvault and database application processes.
Access Permissions for the UNIX Group and Other Computer Users
If you do not assign a dedicated UNIX group, you must set sufficient access permissions for other users (other than root users) during the installation. By default, read and execute permissions are granted to other users during installations from the installation package, and read, write, and execute permissions during installations from the CommCell Console.
If you do assign a dedicated UNIX group, you will be able to set the access permissions for the group. By default, read, write, and execute permissions are granted to the UNIX group.
Note:
For installations on AIX computers and for 32-bit installations, grant read permissions for other users to ensure that services are started when the installation completes.
Review the writable permissions to other (world) computer users if the last two digits of file permissions are 2, 3, 6, or 7, for potential security vulnerability.
For the Commvault binaries: https://kb.commvault.com/article/INS0035
If I were you I would use a sudo account or dedicated group with full access.
But this depends on what your company policy is in this matter.
If you have a CISO then I would contact him/her to find out what is allowed.
1 person likes this
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.