Multi-person authorization process with respect to roles
Users can be requesters and approvers at the same time; however, they cannot approve their own tickets.
The multi-person authorization process flow with respect to roles is as follows:
| Component | Description |
|---|---|
| Multi-person authorization ticket | When a requester performs a critical NetBackup operation that is protected by multi-person authorization, a ticket is generated that requires an approval from the approver before a specific action can be executed. This ticket is used within NetBackup to ensure that critical actions undergo a thorough review process by multiple people before they are executed.<br>The following sample flow is for the image expiry operation that requires multi-person authorization:<br>A requester expires an image using the NetBackup web UI.<br>A ticket is created. The ticket is pending approval.<br>Approvers review the ticket.<br>Approvers either approve or reject the ticket.<br>After the approval, the ticket is scheduled by NetBackup and finally marked Done after the execution.<br>The ticket activity log, request, and response details can be viewed by the approver or the requester using the web UI, on the Ticket details page.<br>A ticket is expired after it ages beyond the expiration period. Such tickets cannot be approved unless they are renewed by the requester.<br>Tickets in the Done, Rejected, Expired, and Canceled states are purged when no action is performed on them for the specified purge period in days. |
| Requester role | A requester is a user who initiates an operation that requires multi-person authorization.<br>A ticket is created for the operation if the user is not in the exempted users' list.<br>The ticket requires an approval from an approver before the operation is performed.<br>A requester is not allowed to self-approve even if the requester is also an approver, an Administrator, or a Security Administrator.<br>Once the ticket is created, it is in the Pending state. The requester can cancel a ticket only if it is in the Pending state.<br>If the ticket ages beyond the expiry period, the ticket is moved to the Expired state.<br>Only the requester can renew such tickets. A new expiry period is calculated for the renewed ticket based on the multi-person authorization configuration settings. |
| Approver role | An approver is an authorized individual who reviews and provides approval for tickets. The approver evaluates the details of the ticket and either approves or rejects the ticket based on the assessment.<br>After the approval, the ticket is scheduled for execution.<br>To be an approver, the user should have RBAC permissions like Update Ticket, View Ticket, or the user should have the Default Multi-Person Authorization Approver role.<br>When a ticket is in the Pending state, it can be approved or rejected. |
| Exempted users | An exempted user is an individual who does not need multi-person authorization for operations except the following:<br>User groups cannot be exempted.<br>This eliminates the necessity for any approvals; however, it must be used with caution.<br>If the exempted user account is hacked, the multi-person authorization process can be of no use as it is bypassed for this user.<br>For example, if user1 is an exempted user and she attempts to expire an image (an operation that needs multi-person authorization), the image expires without ticket generation and additional approvals. |
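
The role rules in the table above can be checked against a small model of the ticket lifecycle. The following Python sketch is an added example, not NetBackup code or its API; the `Approved` state name, the three-day expiry value, and every class and function name in it are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

EXPIRY = timedelta(days=3)  # assumed value; the real period is a configuration setting
# "Approved" is this model's own name for the approved-and-scheduled stage.

class Denied(Exception):
    """Raised when a rule from the table forbids the action."""

@dataclass
class Ticket:
    requester: str
    operation: str
    expires: datetime
    state: str = "Pending"
    log: list = field(default_factory=list)  # (time, actor, old state, new state)

    def _refresh(self, now):
        # A Pending ticket that ages beyond the expiration period becomes Expired.
        if self.state == "Pending" and now > self.expires:
            self.state = "Expired"

    def _move(self, actor, new_state, now):
        self.log.append((now, actor, self.state, new_state))
        self.state = new_state

    def review(self, actor, approvers, approve, now):
        self._refresh(now)
        if actor not in approvers:
            raise Denied("actor is not an approver")
        # The page rules out self-approval; self-rejection is not covered, so not denied here.
        if approve and actor == self.requester:
            raise Denied("requesters cannot approve their own tickets")
        if self.state != "Pending":
            raise Denied(f"ticket is {self.state}, not Pending")
        self._move(actor, "Approved" if approve else "Rejected", now)

    def cancel(self, actor, now):
        self._refresh(now)
        if actor != self.requester or self.state != "Pending":
            raise Denied("only the requester can cancel, and only while Pending")
        self._move(actor, "Canceled", now)

    def renew(self, actor, now):
        self._refresh(now)
        if actor != self.requester or self.state != "Expired":
            raise Denied("only the requester can renew an Expired ticket")
        self.expires = now + EXPIRY  # a new expiry period is calculated on renewal
        self._move(actor, "Pending", now)

def request(user, operation, exempted, now):
    """Exempted users get no ticket (None): the operation runs without approval."""
    return None if user in exempted else Ticket(user, operation, now + EXPIRY)
```

In this model an exempted user's operation produces no ticket and therefore no ticket activity log, which is why the exempted users' list itself deserves review.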