Groups, Roles, and Mapping

Bacula Enterprise Only

This solution is only available for Bacula Enterprise. For subscription inquiries, please reach out to sales@baculasystems.com.

BWeb uses group information from the IdP to determine the user’s role and permissions. Roles are mapped via group names (or IDs) delivered in the OAuth2/OIDC token.

For a predictable rollout, define a clear naming standard in the IdP before assigning users. This avoids authorization drift when different teams create groups with inconsistent names.

Admin Group

A BWeb administrator group is required for initial access and setup. By default, the admin role is named Bacula Admins. You can change this later in the BWeb configuration page or by editing /opt/bweb/etc/bweb.conf.

At least one user must be mapped to this admin role before the first production login.

BWeb Permission Groups

For granular permissions, define additional groups in the IdP using a prefix. By default, the prefix is bacula_. Examples:

  • bacula_r_view_job

  • bacula_r_config

Associate these groups with the users who should have the corresponding BWeb permissions.

Keep permission groups narrow and task-oriented. For example, create separate groups for read-only operators and configuration administrators instead of broad, multi-purpose groups.

BWeb Console Groups

In addition to BWeb roles, you can associate specific Bacula Console profiles that enforce ACLs at the Director level. To do this:

  1. Create Console resources in BWeb in Configuration > Director > Consoles and Configuration > Console.

  2. Modify the BWeb connection command to include the user-specific console file:

     /opt/bacula/bin/bconsole -n -c /opt/bacula/etc/bconsole-%u.conf

  3. Create IdP groups with two prefixes: the BWeb role prefix bacula_ and the console prefix console_.

Example: for a console named operator (/opt/bacula/etc/bconsole-operator.conf), create a group named bacula_console_operator.

Any user mapped to that group will connect through the specified console and inherit the ACLs defined in the Director Console resource.

BWeb Internal Group Matching

Some providers return group names (for example, Okta), while others return group IDs (for example, Microsoft Entra ID). When the IdP returns IDs, BWeb requires a mapping file that associates each IdP group ID with a BWeb role name.

Create the file /opt/bweb/etc/bweb_external_roles.json with JSON content similar to:

{
      "aaaaaaaa-1111-2222-bbbb-333333333333" : "Bacula Admins",
      "zzzzzzzz-yyyy-wwww-0000-111111111111" : "r_view_job",
      "bbbbbbbb-yyyy-cccc-0000-222222222222" : "r_config"
}

It is not mandatory to define all available BWeb roles, but you must include the admin role (or the value configured as default_admin_role) and any roles that users should receive.

After updating this file, reload or restart BWeb services so changes are applied consistently.
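The following is an added illustration, not BWeb's own code, of how the console groups above and the name-versus-ID matching described in this section fit together: it strips the bacula_ prefix for name-returning IdPs, looks IDs up in a bweb_external_roles.json-style mapping for ID-returning IdPs, refuses a mapping file that omits the admin role, and derives the bconsole command from a console_ group. The sample group IDs are constructed placeholders, and the restriction of console names to a plain identifier is an assumption added here.

```python
import json
import re

# Constructed sample in the shape of /opt/bweb/etc/bweb_external_roles.json;
# the group IDs are placeholders, not real directory object IDs.
EXTERNAL_ROLES_JSON = """{
  "aaaaaaaa-1111-2222-bbbb-333333333333": "Bacula Admins",
  "zzzzzzzz-yyyy-wwww-0000-111111111111": "r_view_job",
  "bbbbbbbb-yyyy-cccc-0000-222222222222": "r_config"
}"""

ROLE_PREFIX = "bacula_"        # default BWeb role prefix
CONSOLE_PREFIX = "console_"    # console prefix, carried after the role prefix
DEFAULT_ADMIN_ROLE = "Bacula Admins"
# Assumption: a console name is a plain identifier, so bconsole-<name>.conf stays in /opt/bacula/etc/
SAFE_CONSOLE = re.compile(r"^[A-Za-z0-9_-]+$")

def load_external_roles(text, admin_role=DEFAULT_ADMIN_ROLE):
    """Parse the group-ID -> role mapping; the admin role must be present."""
    mapping = json.loads(text)
    if admin_role not in mapping.values():
        raise ValueError(f"mapping file does not grant {admin_role!r}")
    return mapping

def resolve_access(token_groups, external_roles=None, admin_role=DEFAULT_ADMIN_ROLE):
    """Map token groups to (roles, console); groups that match nothing grant nothing."""
    roles, consoles = set(), []
    for group in token_groups:
        name = None
        if external_roles is not None:          # IdP sends IDs (Entra ID style)
            name = external_roles.get(group)    # unmapped ID -> None
        elif group == admin_role:               # admin group carries no prefix
            name = group
        elif group.startswith(ROLE_PREFIX):     # IdP sends names (Okta style)
            name = group[len(ROLE_PREFIX):]     # bacula_r_config -> r_config
        if name is None:
            continue
        if name.startswith(CONSOLE_PREFIX):     # console_operator -> operator
            console = name[len(CONSOLE_PREFIX):]
            if not SAFE_CONSOLE.match(console):
                raise ValueError(f"rejecting console name {console!r}")
            consoles.append(console)
        else:
            roles.add(name)
    if len(consoles) > 1:   # assumption: one Director Console per user
        raise ValueError(f"ambiguous console groups: {consoles}")
    return roles, (consoles[0] if consoles else None)

def bconsole_command(console):
    # The page's connection command with %u replaced by the console name
    return f"/opt/bacula/bin/bconsole -n -c /opt/bacula/etc/bconsole-{console}.conf"
```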
