Rob, I prefer that the bean counters count beans and not touch the prod storage.
Original Message:
Sent: Fri May 23, 2025 03:53 PM
From: Robert Berendt
Subject: Can Two Person Integrity (TPI) be set up requiring one of the two being from two different departments, if so, how?
Perhaps 'dummy' is a bad term. What I originally was asking for is how do I have one person from one department initiate the request and a person from another department approve the request? Ideally ITAdmins would be composed of Chris Edwards and Rob Berendt and BeanCounters would be composed of Sam Baron and Charlene Moore. So if someone from ITAdmins initiated the request the other person from ITAdmins could not approve the request. It would have to be someone from BeanCounters. It's looking to me that it's not possible to set up such groups. Instead you would have to set up a shared account where two people would know the account name and password (like ITAdmins) and another shared account where two different people would know the account name and password (like BeanCounters). Does this make sense? I think the terms we're looking for here are 'separation of duties' and making that by two different departments to reduce collusion.
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
Original Message:
Sent: Fri May 23, 2025 03:32 PM
From: Nezih Boyacioglu
Subject: Can Two Person Integrity (TPI) be set up requiring one of the two being from two different departments, if so, how?
1. Restricted admins can perform most of the same tasks and run most of the same commands as users with the administrator role, but they cannot run some rm commands. Therefore, I cannot call them "dummy users."
2. For more information about two-person integrity, read the IBM documentation at https://www.ibm.com/docs/en/flashsystem-9x00/8.7.0?topic=security-two-person-integrity
------------------------------
Nezih Boyacioglu
Original Message:
Sent: Fri May 23, 2025 10:21 AM
From: Robert Berendt
Subject: Can Two Person Integrity (TPI) be set up requiring one of the two being from two different departments, if so, how?
Second question after watching the video.
Does that elevated privilege only work for deleting the previously requested drive or can they do other operations at that higher privilege?
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
Original Message:
Sent: Fri May 23, 2025 10:19 AM
From: Robert Berendt
Subject: Can Two Person Integrity (TPI) be set up requiring one of the two being from two different departments, if so, how?
That was a good video and it helped to show the flow.
So are you recommending the workaround I mentioned earlier? In your example you used SECADM001 and SECADM002 instead of ITAdmins and BeanCounters.
"I suppose the workaround is to just have two 'dummy' users: ITAdmins and BeanCounters. And two employees from each department would have access to their respective password."
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
Original Message:
Sent: Fri May 23, 2025 09:59 AM
From: Nezih Boyacioglu
Subject: Can Two Person Integrity (TPI) be set up requiring one of the two being from two different departments, if so, how?
Hi Rob,
You can watch my video to see how to set up TPI and how it works.
https://ibm.biz/BdMcg4
------------------------------
Nezih Boyacioglu
Original Message:
Sent: Fri May 23, 2025 08:40 AM
From: Robert Berendt
Subject: Can Two Person Integrity (TPI) be set up requiring one of the two being from two different departments, if so, how?
FS7300 with 8.7.0.3.
We're looking at Two Person Integrity (TPI). What our other SAN provider does is support requiring a person from two different groups. For example, if I have one group, ITAdmins, with my boss and me in it. And another group, BeanCounters, with two people in it. I'd like TPI to require one person from ITAdmins and one person from BeanCounters. If all four people were in the same group then it would be too easy for collusion to occur. For example, if my boss walks over to my desk with a pink slip pad in hand it might be construed as undue influence to get me to approve his attempt to perform questionable activities.
I suppose the workaround is to just have two 'dummy' users: ITAdmins and BeanCounters. And two employees from each department would have access to their respective password.
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne