Two person integrity

Use two person integrity (TPI) to prohibit critical and risky tasks in the system from being executed by a single security administrator and by requiring the involvement of two security administrators.

TPI requires two security administrators to work together to complete certain tasks. Protecting data is an important part of IBM® Storage Virtualize, and TPI helps mitigate the chance of data loss, prevent inadvertent mistakes on operations, and enhance security.

Requirements for enabling TPI:
  • Ensure to have two users with the security administrator role.
  • The two users can be local, remote, or a combination of both.
  • If using remote users, a remote user group of security administrator role must be defined on the system and the remote authentication service must be enabled.
Requirements for disabling TPI:
After TPI is enabled, a user with an approved TPI request can disable TPI.
When you enable TPI, the users that belong to user groups of security administrator role are assigned the restricted security administrator role instead. However, their user groups retain their security administrator role.
Once TPI is enabled, a role elevation request and approval process is required to perform certain sensitive tasks:
  • The restricted security administrator can issue a role elevation request on its own behalf to complete certain tasks in the system.
  • Another restricted security administrator or a security administrator must approve the role elevation request.
  • For example, this role elevation request and approval process is required to remove a Safeguarded snapshot.
  • The restricted security administrators or security administrators can approve or deny role elevation requests, cancel role elevation requests, or revoke a role elevation request that was approved.
Available actions for a restricted security administrator that has an approved role elevation request.
  • Create, change, or remove security administrator user groups.
  • Create, change, or remove locally defined remote users.
  • Change the non security administrator user group attribute on an existing local user to a security administrator user group.
  • Modify attributes on existing local users that are members of the security administrator user groups.
  • Change the role of existing non security administrator user groups to the security administrator role.
  • Change the security administrator role of an existing user group to a non security administrator role.
  • Remove and change Safeguarded backups and Safeguarded backup locations.
  • Delete Safeguarded snapshots.
  • Use a provisioning policy to define a set of rules that are applied when volumes are created within a storage pool or child pool.
  • Change the single sign-on credentials that are used for the system.
  • Remove the Safeguarded snapshot policy association from a volume group.

Configuring two person integrity (TPI)

Enable TPI when you want to prohibit critical and risky tasks in the system from being executed by a single security administrator and by requiring the involvement of two security administrators.

When TPI is enabled, the users that belong to user groups of security administrator role are assigned the restricted security administrator role. However, their user groups retain their security administrator role.

The restricted security administrator can submit a TPI request on its own behalf to complete certain tasks in the system. Another restricted security administrator or a security administrator must approve the TPI request. For example, this request and approval process is required to remove a Safeguarded snapshot.

Prerequisites

Before you enable TPI, ensure that you have at least two users in the system with the security administrator role. The users can be local, remote, or a combination of both.

Using the management GUI
To enable TPI, complete the following steps:
  1. In the management GUI, select Settings > Security > User Access > Two person integrity.
  2. Select Enabled.
  3. Click Save.
  4. To apply the TPI changes, click Logout.
  5. After you sign in, the page displays that the current role is updated to restricted security administrator, and Manage Role Elevation Requests and Request Elevated role are displayed in the user menu list
Click Snooze for 5 minutes to stay on the page for 5 more minutes to review the settings.
Note: Snooze for 5 minutes is available only if user role is changed from security administrator to restricted security administrator.
To disable TPI, complete the following steps:
  1. In the management GUI, select Settings > Security > User Access > Two person integrity.
  2. Toggle the Enabled switch to the off position.
  3. Click Save.
Using command-line interface
To enable TPI, enter the following command. Any security administrator can enable TPI.
chsecurity -twopersonintegrity yes
To disable TPI, enter the following command. After TPI is enabled, a user with an approved TPI request can disable TPI.
chsecurity -twopersonintegrity no

Managing two person integrity (TPI)

Use two person integrity (TPI) to prohibit critical and risky tasks in the system from being executed by a single security administrator and by requiring the involvement of two security administrators.

TPI requires two security administrators to work together to complete certain tasks. Protecting data is an important part of IBM Storage Virtualize, and TPI helps mitigate the chance of data loss, prevent inadvertent mistakes on operations, and enhance security.

When you enable TPI, the users that belong to user groups of security administrator role are assigned the restricted security administrator role instead. However, their user groups retain their security administrator role.
Once TPI is enabled, a role elevation request and approval process is required to perform certain sensitive tasks:
  • The restricted security administrator can issue a role elevation request on its own behalf to complete certain tasks in the system.
  • Another restricted security administrator or a security administrator must approve the role elevation request.
  • For example, this role elevation request and approval process is required to remove a Safeguarded snapshot.
  • The restricted security administrators or security administrators can approve or deny role elevation requests, cancel role elevation requests, or revoke a role elevation request that was approved.

Viewing elevation requests

To access the Manage Role Elevation Requests page, select Access > Manage Role Elevation Requests.
  • You must have the security administrator role or restricted security administrator role to access the page.
  • After your request is approved, you must log out of the management GUI. Then, log in again for the setting to take effect.
  • The maximum number of active role elevation requests is four.
  • You can't approve your own requests.
  • Approved requests are displayed until their duration expires.
  • Denied, revoked, and canceled requests are automatically removed from the page.
  • If no requests are pending, information about how to request an elevated role is displayed.

Viewing the audit Log

To view a list of completed actions, select Access > Audit Log. If TPI is enabled, the Elevated Role column is displayed; if TPI is disabled, the Elevated Role column is hidden.