IBM Support

Controlling access to Windows registry entries for IBM Spectrum Protect backup-archive and data protection clients

Technote (FAQ)


Question

IBM Spectrum Protect™ for Windows backup-archive and data protection clients store sensitive information in the Windows registry, such as credentials to log in to the IBM Spectrum Protect server. How do I validate which users and groups have access to this information and either add or remove users or groups?

Answer

To validate or modify the users who have access to the IBM Spectrum Protect information in the Windows Registry, complete the following steps:

  1. From a Windows command prompt, start the Registry Editor (regedit.exe). You need to run the command prompt utility as an administrator (Run as administrator).
  2. Navigate to the IBM Spectrum Protect Windows client registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\IBM\ADSM\CurrentVersion\Nodes
  3. Under the Nodes key, identify the node entries that are displayed for each IBM Spectrum Protect node name that is defined for the client machine on the IBM Spectrum Protect server.
    Typically, only one entry exists under the Nodes key. If multiple nodes are defined for a more complex installation, you can repeat the next step for each individual node name entry.
  4. Right-click the registry key that is associated with the IBM Spectrum Protect node name and click Permissions.
  5. In the Security tab of the Permissions for <node name> window, complete one or more of the following actions:
    • To verify the users and groups who have access to the IBM Spectrum Protect information, review the information in the Security tab.
    • To add a user or group, for example, a member of the Backup Administrators group, click Add in the Security tab and complete the Select Users or Groups window.
    • To remove a user or group, select a group or user name in the "Group or user name" list, and click Remove.
 
Important: In order for the IBM Spectrum Protect for Windows backup-archive client to function properly, the following users must have full control to the ADSM registry key:
  • SYSTEM
  • Administrators (<local machine>\Administrators)

Disabling inheritance of permissions

Inheritance of permissions is typically enabled by default, so you must disable inheritance before you remove a user or group, otherwise you might encounter the following warning:

"You can't remove object_name because this object is inheriting permissions  from its parent. To remove object_name you must prevent this object from inheriting permissions. Turn off the option for inheriting permissions, and then try removing object_name again."

When this warning occurs, you must complete the following steps to disable inheritance:
  1. In the Permissions window, click Advanced.
  2. Click Disable inheritance.
  3. Click Convert inherited permissions into explicit permissions on this object.
Once you have disabled inheritance, you can remove the user or group permissions.


Examples

Example 1
Your system has a user running as Administrator (a backup-archive client, Data Protection for VMware, Data Protection for Microsoft Hyper-V, or other data protection modules running as Administrator), or the backup-archive client user is a member of the Backup Operators group.

To remove the Users group from the \HKEY_LOCAL_MACHINE\SOFTWARE\IBM\ADSM key, complete the following steps:
  1. On the \HKEY_LOCAL_MACHINE\SOFTWARE\IBM\ADSM key, prevent objects from inheriting permissions (see "Disabling inheritance in permissions" above).
  2. Remove the "Users" group from the \HKEY_LOCAL_MACHINE\SOFTWARE\IBM\ADSM key.
 
Example 2
Your system has a data protection client that runs as a user who does not have local administrator authority and a backup-archive client that requires local administrator authority.  (For example, Data Protection for Oracle or Data Protection for Microsoft SQL clients running as a database administrator)
 
To give database administrators access to the data protection client node (DP_node) but not to the backup-archive client node (BA_node), complete the following steps:  
  1. On the \HKEY_LOCAL_MACHINE\SOFTWARE\IBM\ADSM key, prevent objects from inheriting permissions (see "Disabling inheritance in permissions" above).
  2. Add the DB administrator users or group to the \HKEY_LOCAL_MACHINE\SOFTWARE\IBM\ADSM key (Full Control).
  3. On the \HKEY_LOCAL_MACHINE\SOFTWARE\IBM\ADSM\CurrentVersion\Nodes\<BA_node>, prevent objects from inheriting permissions (see "Disabling inheritance in permissions" above).
  4. On the \HKEY_LOCAL_MACHINE\SOFTWARE\IBM\ADSM\CurrentVersion\Nodes\<BA_node> key, remove the DB administrator users or group that you added in step 2.

Document information

More support for: IBM Spectrum Protect
Client

Software version: All Versions

Operating system(s): Windows

Reference #: 2000998

Modified date: 25 May 2017