Global Storage

Global Storage Forum

  • 1.  Two Person Integrity (TPI)

    Posted Thu June 29, 2023 02:05 AM

    Hi,

    We are very excited about the new TPI feature, but now that we've updated our V5035 with the new software and enabled TPI, we've discovered it is just as easy as before to delete a datastore.

    From the docs I see that one cannot delete a safeguarded snapshot without TPI approval, but why on earth wouldn't IBM want us to protect general deletions?

    Am I missing something, or is it simply not possible to use the feature the way I want?

    /Rasmus



    ------------------------------
    Rasmus Teglgaard
    ------------------------------


  • 2.  RE: Two Person Integrity (TPI)

    Posted Fri June 30, 2023 01:11 PM
    Edited by Nezih Boyacioglu Fri June 30, 2023 02:25 PM

    Hi Rasmus,

    After reading your post I checked the Two Person Integrity feature. It works as described in v8.6 and I like it a lot.

    • You must have two users with the security admin role (except superuser).
    • Enable TPI (this will also lock your superuser account).
    • Log in with your own security admin user - you will see it has become "restricted security administrator" in the upper right corner.
    • Go to your safeguarded volume copies and try to delete one; it will say "Action not allowed" and offer "Request Elevated Role" as an option. Choose Request Elevated Role.
    • Log in with your 2nd security admin user, or the 2nd security admin must log on to your system, and he/she will see the Role Elevation Request.
    • If the 2nd security admin approves your request, you now have the right to delete safeguarded copies or do some usual security admin stuff.

    You can control volume deletes with Volume Delete Protection. It works very well.

    Regards



    ------------------------------
    Nezih Boyacioglu
    ------------------------------



  • 3.  RE: Two Person Integrity (TPI)

    Posted Mon July 24, 2023 04:58 AM

    Still it cannot protect your datastores from being deleted, which is a major shortcoming imo.

    And the Volume Delete Protection is just to prevent you from deleting the wrong datastore, for example. Anyone with access to the GUI can disable the feature and then delete the datastore.



    ------------------------------
    Rasmus Teglgaard
    ------------------------------