Configuring the Default Multi-Person Authorization Operations

Multi-Person Authorization applies to entity deletion operations and to other security-related operations, such as updating a storage policy copy or updating the approval user groups. These operations send an authorization request email to the users who are members of the approver group. You can configure the user groups authorized to approve these requests from the Command Center.

The following are the operations that trigger authorization request emails:

  • Delete Client: This operation triggers the authorization email request to retire and delete the server from the Commcell or company level.

  • Delete Storage Policy: This operation triggers the authorization email request to delete the storage policies that are associated with a plan.

  • Delete Storage Policy Copy: This operation triggers the authorization email request to delete the storage policy copies that are associated with a plan.

  • Delete Library Mount Path: This operation triggers the authorization email request to delete a library, a mount path, or a backup destination.

  • Delete Agent: This operation triggers the authorization email request to retire or delete an agent.

  • Disable Compliance Lock: This operation triggers the authorization email request to disable compliance lock on storage.

  • Delete Plan: This operation triggers the authorization email request to delete a plan.

  • Delete Subclient: This operation triggers the authorization email request to delete a subclient.

  • Delete Tape Media Contents: This operation triggers the authorization email request to delete tape media or media contents.

  • Delete BackupSet: This operation triggers the authorization email request to delete a backupset.

  • Delete Jobs: This operation triggers the authorization email request to delete jobs from a storage policy.

  • Delete Company: This operation triggers the authorization email request to delete a company.

  • Update Approval User Group: This operation triggers the authorization email request when a user attempts to update an approver group.

  • Enable Root Access: This operation triggers the authorization email request when a user attempts to enable password-based root access on the HyperScale nodes. Note: It is available only at the global level, not at the tenant level.

  • Update Storage Policy Copy: This operation triggers the authorization email request when a user attempts to update a storage policy copy.

  • Disable Compliance Lock Via MSP: This operation triggers the second authorization email request to disable Compliance Lock on storage. Note: It is available only at the global level, not at the tenant level.

Note:

By default, the users associated with the master group receive the approval request, and one approval is required.

Tenant users can use Multi-Person Authorization in their environment. They can configure individual operations according to their requirements, while modifications to the Global Configuration determine the overall behavior in their environment.

Tenants can opt in to Multi-Person Authorization for the following operations:

  • Delete Client

  • Delete Subclient

  • Delete Plan

  • Delete Agent

  • Delete Job

  • Delete Storage Policy

  • Delete Storage Policy Copy

The above operations require the Allow Tenant Admins to Opt In option to be enabled at the global level. For all other operations, MPA is enforced automatically without tenant admin selection.

In addition to selecting custom approver groups for individual operations and configuring the Global Settings, tenant admins can also define the approval method for their tenant users.

Procedure

  1. From the navigation pane, go to Manage > Security.

  2. Click the Multi person authorization tile.

  3. For an Operation name, click the action button > Edit.

    The Edit dialog box appears.

  4. Under User groups which can authorize the request, select the user group whose associated users will receive the authorization email request.

  5. Under Number of approvers, specify the number of users who must approve the request.

  6. Click Save.

These are optional configurations. If no settings are defined at the operation level, the Global Configuration values apply. Any changes made to the configuration must be approved or revoked by another administrator.
