Dual Control
Dual Control adds an extra layer of protection for all TS7700 write and data deletion operations.
Dual Control terms
- Checker:
- The person that authorizes the request.
- Custom Role:
- A role that can be named and get its privileges assigned as the user needs.
- LDAP:
- Lightweight Directory Access Protocol. A lightweight client/server protocol for accessing directory services, widely used to manage and abstract users and access out of the applications.
- Local Security Policy:
- Security Policy that uses local DB to perform authentication and grant authorization to the TS7700.
- Maker:
- The person that performs a request to execute an operation.
How Dual Control works
Dual Control adds a layer of protection for data deletion operations. With Dual Control, two users are required to authorize some high-risk operations before they can be executed. Dual Control is a user-level protection, this means that even an Administrator cannot circumvent this protection; however, IBM service can.
Dual Control setup
- Setup users/groups to be administrators and/or checkers in Security settings. . For more information on the Security settings page, refer to
- There must be at least two checker users and at least two Administrators, if checkers = 2 and
admins = 2, then they must not be the same users, if not, the Enable button
is disabled. Refer to Deadlock examples. Once
there is not a deadlock situation, the administrator can then see the Enable dual
control button.
The dialog contains all the local users and remote user mappings from all active security policies, this means that if multiple policies are assigned to different clusters. This dialog contains the conjunction of the users and remote mappings for the currently assigned policies. The local policy will always be shown in this list. It does not matter if it is active or not.
A scroll bar for entire dialog content appears if there are many user accounts. By default, all user accounts are NOT selected as checkers. The dialog must contain a control to select all/unselect all. The Administrators must be at the top, and then the same order of the Roles & Permissions page.
If Dual Control is enabled, the disablement becomes protected, that means that it requires a Checker to approve. After it is enabled, the Enable Dual Control button is replaced by a Data Grid.
You can customize what column options appear in the Data Grid table. In the MI, go to
. Then select the Actions tab and choose what Data Grid options appear in the column in the Data Grid table.Dual Control Management
Only a Checker can approve the dual control-protected action. Any Checker user cannot approve its own submitted requests.
For each request, the checker will be presented with a dialog box explaining what action is to be approved.
When a Checker approves or rejects a request, or a Maker rejects an owned request, the following confirmation dialogs will pop up:


Deadlock examples
To set up Dual Control, there must be at least two users with Checker authority and two Administrators in all currently assigned security policies for the following cases before proceeding. In this case, conjunction must be >= 3, otherwise you have a deadlock situation that will not allow Dual Control to be enabled.
- Bob the Administrator (the lead storage admin for the TS7700)
- Sally the Administrator (Bob's backup)
- Nick the Operator (Helps out but doesn't have full control)
- Roger the Monitor (a manager that needs to view the account)
Bob | Admin | Checker |
Sally | Operator | Checker |
Nick | Manager | Checker |
Roger | ReadOnly |
Bob | Admin | Checker |
Sally | Admin | |
Nick | Manager | |
Roger | ReadOnly |
Bob | Admin | Checker |
Sally | Admin | Checker |
Nick | Manager | |
Roger | ReadOnly |
Bob | Admin | |
Sally | Admin | Checker |
Nick | Manager | Checker |
Roger | ReadOnly |
Bob | Admin | Checker |
Sally | Admin | Checker |
Nick | Manager | Checker |
Roger | ReadOnly |
Bob | Admin | Checker |
Sally | Admin | Checker |
Nick | Admin | |
Roger | ReadOnly |
TS7700 will only check that the users and mappings exist in the TS7700, it will not do any further validation such as checking that the LDAP user exists, that the user's account is not locked or password expired.
Dual Control protected operations
The implementation of Dual Control protects the settings to prevent accidental or intentional harmful changes that can pose a risk for the user's data:
- Add Category
- Modify Category
- Delete Category
- Modify logical volume version retention for a Cloud Pool
- Create Data Class
- Modify Data Class
- Delete Data Class
- Delete Object Policy
- Modify replication of Object Policy
- Create Object Store
- Modify object policy of Object Store
- Delete Object Store
- Disable Dual Control
- Modify User Password
- Add/Modify Local Security Policy Account
- Enable Local/Remote Security Policy
- Modify Remote Security Policy and User Group Mapping