Access to Bacula resources

Basics

There is possible to limit access to Bacula resources to give specific users ability to use selected resources. A good example for this case can be a company that wants to give employees ability to run backup and restore that every employee can log in to Baculum and see only his/her backups. All of them are able to run backup only own computer and perform restore to locations on the own computer only.

To limit access to Bacula resources Baculum uses the Bacula Console ACL function. To setup this access, you need to create the Console resource in which you can define what jobs should be available for this console. The same is for clients, pools, storages etc., you can define them in the Console.

Once you have the Console defined, you can assign it to the API basic users or to OAuth2 clients, depending if Baculum Web to contact with API hosts uses the basic authentication or the the OAuth2 authorization. The default and the simplest one is basic authentication option.

Note

Assign the Consoles to the API basic accounts is available from Baculum version 11.0.5.7. In earlier versions assigning Consoles was only possible for the OAuth2 clients.

../_images/baculum_user_access_to_restricted_resources.png

Restricted Bacula resource access can be used together with limitted access to pages by roles. This way you can define to which Baculum areas users should have access and what Bacula resources they can use.

Configuration

Below you can find steps needed to setup restricted Bacula resource access.

If you use the basic users in the API host:

  1. Create the Console ACL with defined selected Bacula resources,

  2. Assign the Console to the API basic user,

  3. Add new API host using the API basic user with assigned the Console.

  4. Assign the API host to Baculum Web user.

If you use the OAuth2 authorization in the API host:

  1. Create the Console ACL with defined selected Bacula resources,

  2. Assign the Console to the OAuth2 client account,

  3. Add new API host using the OAuth2 client account with assigned the Console.

  4. Assign the API host to Baculum Web user.

All the steps can be done on the Baculum Web side without need to do anything directly on the API host.