9 Posts

June 16th, 2011 06:00

Networker Server Users & Groups - Can you use AD Groups here?

I'll start from the beginning to show I've given this some thought....

I've configured the NMC for LDAP authentication. When doing so, the External Role for the Admins is Backup_Admins and I've assigned Backup_Users to the Console User role.

With this in mind, I've then wanted to assign permissions on the Networker Server using the same AD Groups. Using the standard 2 groups that come with Networker Server for simplicity when testing, I want to add Backup_Admins to the Administrators group and Backup_Users I want to assign to the User group.

Under Users and Groups on the Configuration tab in Networker Server, it seems to offer some default permissions, the first one being this...

Group=administrators,host=<servername>

From what I've read in the Admin Guide, it implies that the software is also able to recognise several other options, and domain groups appears to be one of them; the example in the documentation refers to local and global groups and offers administrators and Domain Admins as 2 examples.

However, when trying to use Group=<Domain AD Group>,Domain=<MyDomain.co.uk> it doesn't actually work - it accepts the syntax, as if I mistype the domain name it gives me an error message stating the domain referred to is not a trusted domain, but it doesn't seem to apply the access to the members of this group.

Surely it's meant to work, otherwise how would you make proper use of AD here, as it would kind of make the NMC LDAP part pointless if you can't secure the Networker Server in the same kind of way?

Has anyone got this working like this? If so, what have you done please.

Thanks all in advance!

6 Operator

14.4K Posts

56.2K Points

June 16th, 2011 20:00

I'm using LDAP/AD group, but this is used to control who can access NMC in the first place (external auth). Then only NMC host with those users along with admin accounts on backup server host are allowed to have privileges on backup server level.

9 Posts

June 17th, 2011 02:00

That doesn't really help though, does it? If anything, I think that's a worse implementation than using native authentication.

The whole point of LDAP and directory integration is to centralise and improve administration. I don't want to have to manually administer a couple of dozen Networker Servers with individual user access, or when someone leaves go round them all to remove his account or add someone new that may start. That's what directory integration is there for... to use groups.

Very disappointing if that really is the case.

6 Operator

14.4K Posts

56.2K Points

June 17th, 2011 06:00

I don't hit that problem as we have a simple rule that user admins take care of who should be where and its maintenance. I define LDAP group I wish to have connection access and that's it. If I need to filter that list further I can do that at NSR usergroup level. In your case, you might not need to do that at all.

9 Posts

June 17th, 2011 06:00

So I assume from your reply you only have 1 level of access on your Networker Servers and presumably, from what you've written, it's full control on the Networker Server for all. In which case it's just *@<NMCServer>.

If that's not the case, what syntax do you use to provide access on the Networker servers? Without the use of groups of some kind, you're going to have to specify individual users in the Admins group on every Networker Server, and then equally someone has to go around and remove anyone that leaves from all of them as well.

Not much use if you need to provide 2 levels of access to people using 1 NMC: one for admins to have full control of things, and one for some other members of the support team, who shouldn't have access to meddle with everything, in a more restricted group on the Networker Server.

6 Operator

14.4K Posts

56.2K Points

June 17th, 2011 07:00

I use backup admin group to control access to NMC. This is used by ops and admins - even there is no difference in our case for some other reasons. Only people in that group are allowed to connect to NMC host. That's some 6 people (whole backup and storage team). By default, user group in NW are such that they give all RO access, thus I add only people from backup part to have admin rights (3) and remaining (3) are left with RO.

With time, I also created CLI tooling which eliminated NMC thus we don't use it too much these days.  This is run as root and since we maintain our own server that's not big issue (at other locations backup admins can run sudo so again no issue there).  We used NMC for monitoring anyway thus even RO access would work for us (we are strict in running all changes on backup server from backup server itself).

Where things get complicated, and I agree this is a bit of a design issue with NW at the time, is the rights you need to add for index management when using online modules and others (e.g., PowerSnap or NMM). Again, in our case this is not a big issue due to user management on UNIX at dc level which is controlled in different manner, but for rest out there I'm quite sure this is not the case.

The bottom line is that NMC provides auth model only for connecting to NMC while NW provides auth model to connect to NW.  You can restrict overall picture by allowing only admin connections from localhost and NMC host.  Managing that from single host using nsradmin tooling is quite simple and adds no overhead at all.
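An added example, not part of the thread and not NetWorker code: a small audit of the user entries of a NetWorker user group that flags wildcard entries such as `*@<NMCServer>` and entries from hosts other than the backup server and the NMC host, the restriction the last reply describes. Host names and sample entries are constructed, and the entry list is assumed to have been exported from the server already.

```python
# Added example. Host names and entries below are constructed for illustration.
ALLOWED_HOSTS = {"localhost", "bkpsrv01.example.com", "nmc01.example.com"}

SAMPLE_ENTRIES = [
    "root@bkpsrv01.example.com",
    "group=administrators,host=bkpsrv01.example.com",
    "*@nmc01.example.com",                    # every NMC user gets the group's rights
    "user=jsmith,host=nmc01.example.com",
    "user=ops,host=desktop42.example.com",    # admin access from a workstation
    "administrator@*",                        # not pinned to any host
]

def parse_entry(entry):
    """Parse 'user@host' or 'key=value,key=value' into a dict with lowercase keys."""
    entry = entry.strip()
    if "=" in entry:
        fields = {}
        for part in entry.split(","):
            key, _, value = part.partition("=")
            fields[key.strip().lower()] = value.strip()
        return fields
    user, _, host = entry.partition("@")
    return {"user": user, "host": host}

def audit(entries, allowed_hosts):
    """Return (entry, reason) pairs for entries broader than the intended policy."""
    findings = []
    for raw in entries:
        fields = parse_entry(raw)
        # Assumption: a missing user/group or host is treated as "any".
        principal = fields.get("user") or fields.get("group") or "*"
        host = fields.get("host", "").lower() or "*"
        if "*" in principal:
            findings.append((raw, "any user on that host receives the privileges"))
        if "*" in host:
            findings.append((raw, "entry is not pinned to a host"))
        elif host not in allowed_hosts:
            findings.append((raw, "host is neither the backup server nor the NMC host"))
    return findings

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE_ENTRIES, ALLOWED_HOSTS):
        print(f"{entry}: {reason}")
```

Running the same check over the Administrators group of each server shows where a leaver's account or a wildcard still grants admin rights.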
