Dual Control

Dual Control adds an extra layer of protection for all TS7700 write and data deletion operations.

Dual Control terms

Checker:
The person that authorizes the request.
Custom Role:
A role that can be named and assigned privileges as the user needs.
LDAP:
Lightweight Directory Access Protocol. A lightweight client/server protocol for accessing directory services, widely used to manage users and access outside of the applications.
Local Security Policy:
A security policy that uses a local database to perform authentication and grant authorization to the TS7700.
Maker:
The person that performs a request to execute an operation.

How Dual Control works

Dual Control adds a layer of protection for data deletion operations. With Dual Control, two users are required to authorize some high-risk operations before they can be executed. Dual Control is a user-level protection, which means that even an Administrator cannot circumvent it; however, IBM service can.

Attention: When creating a category, if Dual Control is enabled, Hold Expire (the Hold Expire checkbox) will be disabled for security reasons.

Dual Control setup

  1. Set up users/groups to be administrators and/or checkers in Access > Security settings. For more information on the Security settings page, refer to Security settings.
  2. There must be at least two checker users and at least two Administrators. If checkers = 2 and admins = 2, then they must not be the same users; otherwise, the Enable button is disabled. Refer to Deadlock examples. Once there is no deadlock situation, the administrator can see the Enable dual control button.
    That button opens a dialog in which you can select the users who check incoming requests.

    The dialog contains all the local users and remote user mappings from all active security policies. This means that if multiple policies are assigned to different clusters, the dialog contains the conjunction of the users and remote mappings for the currently assigned policies. The local policy is always shown in this list, whether it is active or not.

    A scroll bar for the entire dialog content appears if there are many user accounts. By default, all user accounts are NOT selected as checkers. The dialog must contain a control to select all/unselect all. The Administrators must be at the top, and then the same order as the Roles & Permissions page.

    If Dual Control is enabled, the disablement becomes protected, which means that it requires a Checker to approve it. After Dual Control is enabled, the Enable Dual Control button is replaced by a Data Grid.

You can customize what column options appear in the Data Grid table. In the MI, go to Access > Dual Control. Then select the Actions tab and choose what Data Grid options appear in the column in the Data Grid table.

Attention: If there is one custom role that has permissions granted under the Access list of Roles and Permissions, then Dual Control cannot be enabled in the system.

Dual Control Management

Only a Checker can approve a Dual Control-protected action. A Checker cannot approve their own submitted requests.

For each request, the checker will be presented with a dialog box explaining what action is to be approved.

When a Checker approves or rejects a request, or a Maker rejects an owned request, the following confirmation dialogs will pop up:

Deadlock examples

To set up Dual Control, there must be at least two users with Checker authority and two Administrators in all currently assigned security policies for the following cases before proceeding. In this case, the conjunction must be >= 3; otherwise, you have a deadlock situation that will not allow Dual Control to be enabled.

This example shows how a single team of at least 4 people may implement Dual Control protections.
  • Bob the Administrator (the lead storage admin for the TS7700)
  • Sally the Administrator (Bob's backup)
  • Nick the Operator (Helps out but doesn't have full control)
  • Roger the Monitor (a manager that needs to view the account)

Table 1. Not allowed - Only one admin

  User    Role       Checker authority
  Bob     Admin      Checker
  Sally   Operator   Checker
  Nick    Manager    Checker
  Roger   ReadOnly   -

Table 2. Not allowed - Only one checker

  User    Role       Checker authority
  Bob     Admin      Checker
  Sally   Admin      -
  Nick    Manager    -
  Roger   ReadOnly   -

Table 3. Not allowed - Only two checkers, only two admins and they are the same. Conjunction = 2.

  User    Role       Checker authority
  Bob     Admin      Checker
  Sally   Admin      Checker
  Nick    Manager    -
  Roger   ReadOnly   -

Table 4. Allowed – Only two checkers, only two admins, but they are not the same. Conjunction = 3.

  User    Role       Checker authority
  Bob     Admin      -
  Sally   Admin      Checker
  Nick    Manager    Checker
  Roger   ReadOnly   -

Table 5. Allowed – Three checkers, only two admins; it does not matter that the two admins are checkers.

  User    Role       Checker authority
  Bob     Admin      Checker
  Sally   Admin      Checker
  Nick    Manager    Checker
  Roger   ReadOnly   -

Table 6. Allowed – Only two checkers, three admins; it does not matter that the two checkers are admins.

  User    Role       Checker authority
  Bob     Admin      Checker
  Sally   Admin      Checker
  Nick    Admin      -
  Roger   ReadOnly   -

TS7700 will only check that the users and mappings exist in the TS7700. It will not do any further validation, such as checking that the LDAP user exists, or that the user's account is not locked or its password expired.
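
The enablement rule from Dual Control setup, checked against the six tables above (an added example, not IBM code). It reads "conjunction" as the number of distinct users who are Administrator or Checker, an assumption inferred from Tables 3 and 4; the Account type, its usable flag and the function names are hypothetical, and the locked-account scenario is constructed to show what the existence-only check does not cover.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    role: str             # "Admin", "Operator", "Manager", "ReadOnly"
    checker: bool = False
    usable: bool = True   # assumption: result of your own LDAP/local account audit

def dual_control_precheck(accounts, only_usable=False):
    """Return (ok, reason) for the enablement rule described on this page."""
    pool = [a for a in accounts if a.usable or not only_usable]
    admins = {a.name for a in pool if a.role == "Admin"}
    checkers = {a.name for a in pool if a.checker}
    if len(admins) < 2:
        return False, "fewer than two administrators"
    if len(checkers) < 2:
        return False, "fewer than two checkers"
    # "Conjunction" is read as the count of distinct people who are admin
    # or checker (assumption inferred from Tables 3 and 4).
    if len(admins | checkers) < 3:
        return False, "the two admins and the two checkers are the same users"
    return True, "ok"

def roster(bob, sally, nick, roger=("ReadOnly", False)):
    """Build the four-person team from (role, is_checker) pairs."""
    people = zip(("Bob", "Sally", "Nick", "Roger"), (bob, sally, nick, roger))
    return [Account(name, role, chk) for name, (role, chk) in people]

# The six tables from the page, as (role, is_checker) per person.
TABLES = {
    1: roster(("Admin", True), ("Operator", True), ("Manager", True)),
    2: roster(("Admin", True), ("Admin", False), ("Manager", False)),
    3: roster(("Admin", True), ("Admin", True), ("Manager", False)),
    4: roster(("Admin", False), ("Admin", True), ("Manager", True)),
    5: roster(("Admin", True), ("Admin", True), ("Manager", True)),
    6: roster(("Admin", True), ("Admin", True), ("Admin", False)),
}

if __name__ == "__main__":
    for number, accounts in TABLES.items():
        print("Table", number, *dual_control_precheck(accounts))
    # Constructed scenario: Table 4 with Nick's directory account locked.
    # The roster passes on paper but not when only usable accounts count.
    locked = [Account(a.name, a.role, a.checker, usable=(a.name != "Nick"))
              for a in TABLES[4]]
    print(dual_control_precheck(locked), dual_control_precheck(locked, True))
```
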

Dual Control protected operations

The implementation of Dual Control protects the settings to prevent accidental or intentional harmful changes that can pose a risk for the user's data:

  • Add Category
  • Modify Category
  • Delete Category
  • Modify logical volume version retention for a Cloud Pool
  • Create Data Class
  • Modify Data Class
  • Delete Data Class
  • Delete Object Policy
  • Modify replication of Object Policy
  • Create Object Store
  • Modify object policy of Object Store
  • Delete Object Store

When Dual Control is enabled, it also covers the following actions, to prevent the protection from being bypassed:
  • Disable Dual Control
  • Modify User Password
  • Add/Modify Local Security Policy Account
  • Enable Local/Remote Security Policy
  • Modify Remote Security Policy and User Group Mapping