nsrwatch enhancements in NW8.2SP3

I like it.  As for permissions, nothing changed there.  Anyone could have run in the past nsrwatch from client and monitor server (or at least its own sessions).  Same applies now.  Whether you can start the groups depends on higher set of permissions (same as for NMC).  Same goes for device management.

For NMM you might need admin user only if using snapshot management so that powersnap module may take care of ssid deletion for snaps. If using pure RMAN then that is not the case and having oracle user in DB admin/operator group is enough.  I can think of other ways user can destroy their backups as well in older versions too (like by using nsrmm from client if permission sets allows them) and normally I have never ever seen that happening so I do not loose my sleep over nsrwatch neither (especially since on Windows system if I had to grant admin access I would grant it to SYSTEM user and it case of misuse there is always a way to correlate the logs).  I do not see any harm in extending nsrwatch functionality that would give users more power than they have now (think of nsrmm for example which you will also find on clients).

I know exactly that if something is permitted in a system then simply removing a program (/limiting access to it) which can perform some operations is not a fix for the security hole.

Monitoring is not an issue. We can limit access to NMC - and in NMC users log in with their own user, so they have much less permissions than the 'oracle' user (nmda) or NMM technical user has.

NMM admin guide says eg.: "The NMM client must be manually granted NetWorker administrator privileges to perform

media database operations during snapshot deletion."

So now we give the tool for the users which can be used to destroy all of their backups (re-label DD volumes). And I bet this action won't create a detailed log on the server... I think this is a nightmare