HP Data Protector best practices for backing up and restoring Microsoft SharePoint Server 2010
Configuring Data Protector Security
Data Protector security has to be planned, tested, and implemented on different security-critical layers
to ensure the secure operation of Data Protector. Data Protector Users security is one of the security-
critical layers of Data Protector. Each Data Protector user belongs to one user group only. This defines
the user's rights.
Data Protector User rights
Data Protector provides three predefined user groups, admin, operator, and user, with specific user
rights. The admin user group is assigned the strongest user rights which cannot be changed. To
configure and use Data Protector for backing up and restoring Microsoft SharePoint Server 2010, the
Microsoft SharePoint Server 2007/2010 farm administrator must be added to the Data Protector admin
or operator user group. For details on adding users, creating user groups, and assigning user rights, see
online Help.
NOTE
You can separate backup tasks that need to be performed by the Microsoft SharePoint Server farm
administrator from those that need to be performed by the Data Protector administrator.
Data Protector Inet service user impersonation
On Windows systems, backup and restore sessions are started by the Data Protector Inet service, which
by default runs under the Windows local SYSTEM user account. However, for the Data Protector
Microsoft SharePoint Server 2007/2010 integration, you must specify that sessions are started under
the Microsoft SharePoint Server 2007/2010 farm administrator Windows domain user account. To do
this, use the Data Protector user impersonation functionality. You can specify impersonation information
by using the Data Protector CLI (the omniinetpasswd or omnicc command) or the GUI:
• To set up a user account for the Data Protector Inet service user impersonation on one or more
specified clients in the farm, either by specifying the user name (for example, SHP farm admin) and the
password (for example, mysecret) directly or by saving the user name (for example, user SHP farm
admin from the domain HSL) and the password (for example, mysecret) into the specified file, log
on to the Cell Manager and, from the Data_Protector_home\bin directory, run:
omnicc -impersonation -add_user -user SHP farm admin@HSL -host Client1 -host Client2 -host Client3 -passwd mysecret
To enable user impersonation on all clients in the cell, specify the -all option.
• To add the specified user account to the local Inet configuration, run:
omniinetpasswd -add {SHP farm admin@HSL|HSL\...} [Password]
The omniinetpasswd command prompts for the password if it is not specified on the command line.
• Open the Data Protector GUI:
1. In the Context List, click Clients.
2. In the Scoping Pane, under Clients, right-click a selected client system and click Add
Impersonation.
3. In the Result Area, select the client systems for which you want to configure the Data Protector Inet
service user impersonation and follow further steps.