With multi-person authorization (MPA), you can require authorization from another user when data deletion and other security operations are attempted. Multi-person authorization can help protect against insider threats, as well as bad actors who use compromised credentials to perform data exfiltration or destructive tasks with the Commvault management interface.
Tenant users can use Multi-Person Authorization in their environment. They can configure individual operations according to their requirements, while modifications to the Global Configuration determine the overall behavior in their environment. To allow tenant administrators to authorize actions initiated by their respective users, perform the following steps to enable MPA for selected Delete operations:
- Enable tag-based authorization on the required business logic workflow.
- Add a tag on the company page in the Command Center or Enable Delete Authorization from the Security IQ page.
Tenant opt-in is available for the following operations:
- Delete Client
- Delete Subclient
- Delete Plan
- Delete Agent
- Delete Job
- Delete Storage Policy
- Delete Storage Policy Copy
The above operations require the Allow Tenant Admins to Opt In option to be enabled at the global level. For all other operations, MPA is enforced automatically without tenant admin selection.
In addition to selecting custom approver groups for individual operations and configuring the Global Settings, tenant admins can also define the approval method for their tenant users.
A seven-day cooldown period is now applied to newly onboarded tenant users. During this period, Dual Authorization is not enforced, allowing tenants to configure approvers and exclusions as needed.