Multiperson authorization process with respect to roles
Users can be requesters and approvers at the same time; however, they cannot approve their own tickets.
The multiperson authorization process flow with respect to roles is as follows:
Component | Description |
---|---|
multiperson authorization ticket | When a requester performs a critical NetBackup operation that is protected by multiperson authorization, a ticket is generated that requires approval from the approver before the specific action can be executed. This ticket is used within NetBackup to ensure that critical actions undergo a thorough review by multiple people before they are executed.
The following sample flow is for the image expiry operation that requires multiperson authorization:
A requester expires an image using the NetBackup web UI.
A ticket is created. The ticket is pending approval.
Approvers review the ticket. Approvers either approve or reject the ticket.
After the approval, the ticket is scheduled by NetBackup and finally marked Done after the execution.
The ticket activity log, request, and response details can be viewed by the approver or the requester using the web UI, on the Ticket details page.
A ticket is expired after it ages beyond the expiration period. Such tickets cannot be approved unless they are renewed by the requester.
Tickets in the Done, Rejected, Expired, and Canceled states are purged when no action is performed on them for the specified purge period in days.
|
Requester role | A requester is a user who initiates an operation that requires multiperson authorization.
A ticket is created for the operation if the user is not in the exempted users' list.
The ticket requires an approval from an approver before the operation is performed.
A requester is not allowed to self-approve even if the requester is also an approver, an Administrator, or a Security Administrator.
Once the ticket is created it is in the Pending state. The requester can cancel a ticket only if it is in the Pending state.
If the ticket ages beyond the expiry period, the ticket is moved to the Expired state.
Only the requester can renew such tickets. A new expiry period is calculated for the renewed ticket based on the multiperson authorization configuration settings.
|
Approver role | An approver is an authorized individual who reviews and provides approval for tickets. The approver evaluates the details of the ticket and either approves or rejects the ticket based on the assessment.
After the approval, the ticket is scheduled for execution.
To be an approver, the user should have RBAC permissions such as Update Ticket, View Ticket, or should have the Default Multiperson Authorization Approver role.
When a ticket is in the Pending state, it can be approved or rejected.
|
Exempted users | An exempted user is an individual who does not need multiperson authorization for operations except the following: User groups cannot be exempted. Exempting a user eliminates the necessity for any approvals; however, it must be used with caution.
If an exempted user's account is compromised, the multiperson authorization process can be of no use, because it is bypassed for this user.
For example, if user1 is an exempted user and she attempts to expire an image (an operation that needs multiperson authorization), the image expires without ticket generation and additional approvals.
|
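
The role rules in the table above, modeled as a small state machine that rejects self-approval, limits cancel and renew to the requester, and shows the exempted-user bypass. This is an added example, not NetBackup code or its API; the `Ticket` class, the `request` helper, day-number timestamps, the `Scheduled` state name, and the return to Pending on renewal are assumptions made for illustration.

```python
from dataclasses import dataclass, field

class MpaError(Exception):
    """An action that the role rules in the table do not allow."""

@dataclass
class Ticket:
    requester: str
    operation: str
    expires_on: int              # day number; constructed time unit
    state: str = "Pending"
    log: list = field(default_factory=list)

    def _move(self, user, day, new_state):
        self.state = new_state
        self.log.append((day, user, new_state))

    def _require(self, day, state):
        # Pending tickets past the expiration period become Expired first.
        if self.state == "Pending" and day > self.expires_on:
            self._move("system", day, "Expired")
        if self.state != state:
            raise MpaError(f"ticket is {self.state}, needs {state}")

    def decide(self, user, approvers, approve, day):
        self._require(day, "Pending")
        if user not in approvers:
            raise MpaError(f"{user} is not an approver")
        if approve and user == self.requester:   # the page rules out self-approval
            raise MpaError("requesters cannot approve their own tickets")
        self._move(user, day, "Scheduled" if approve else "Rejected")  # "Scheduled": assumed name

    def cancel(self, user, day):
        self._require(day, "Pending")
        if user != self.requester:   # assumption: the page only describes requester cancel
            raise MpaError("only the requester can cancel")
        self._move(user, day, "Canceled")

    def renew(self, user, day, expiry_days):
        self._require(day, "Expired")
        if user != self.requester:
            raise MpaError("only the requester can renew")
        self.expires_on = day + expiry_days
        self._move(user, day, "Pending")   # assumption: renewal reopens the ticket

def request(user, operation, exempted, day, expiry_days):
    """Return None when an exempted user bypasses MPA, else a Pending ticket."""
    if user in exempted:
        return None              # operation runs with no ticket and no approval
    return Ticket(user, operation, day + expiry_days)
```

The `None` return for an exempted user leaves no ticket and no log entry in this model, which is why the exempted list deserves the same scrutiny as the approver list.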