Question

Authorisation Workflows when only privileged accounts have access

  • 15 May 2023
  • 5 replies
  • 112 views

Userlevel 3
Badge +9

I’m deploying the authorisation workflows for the usual functions in a few environments. We already have a robust role-based access methodology where only privileged accounts have access to the system and a different account (higher privileged) has master rights, no low-level accounts have access to the system.

The issue I can see is that the authorisation workflow sends an email to the privileged users in the groups that I choose to be the authoriser, but none of these users have valid email accounts so won’t get an email notification that there is a request to approve.

Apart from having eyes-on-glass on Command Centre to approve requests what have people done in a similar situation?

All users are authenticated via SAML using AzureAD for MFA, so email addresses get synced from there. Perhaps we could have a local account with a distribution list for all approvers, but then the local account would have to be added to the “users who can authenticate” list, which would allow a generic account to approve requests, which is not desirable.

Would love to hear how this could be accomplished.


5 replies

Userlevel 2
Badge +8

You could use a webhook to send an alert.
Some people here have done it via Teams, but I am sure there are plenty of other services you can hook into.


https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/what-are-webhooks-and-connectors


Incoming Webhooks

Incoming Webhooks help in posting messages from apps to Teams. If Incoming Webhooks are enabled for a team in any channel, it exposes the HTTPS endpoint, that accepts correctly formatted JSON and inserts the messages to that channel. For example, you can create an Incoming Webhook in your DevOps channel, configure your build, and simultaneously deploy and monitor services to send alerts.

Userlevel 3
Badge +9

You could use a webhook to send an alert.
Some people here have done it via Teams, but I am sure there are plenty of other services you can hook into.

I’ve set this up in my lab; I only get a webhook alert when the workflow completes, not when it starts or when there’s an action to perform.

It’s also a bit odd: in Command Centre the alert definitions don’t support adding a “workflow” alert, and the CommCell console alerts don’t support webhooks, so I’ve set up the alert on workflow operations in the Java console and then added webhooks as the notification type in Command Centre.

Does this sound about right or is there another way to have an alert on the Approval request?


Userlevel 2
Badge +8

It would require some additional digging; the workflow authorization activity is like a black box.

I assume that it generates a link that gets sent in email.

If you can capture the link and then send it via a webhook using the “on start” section of the activity then you can send an alert to a channel dedicated to each user.

They could then click the link to complete the process.

Someone with a deeper understanding would have to help.
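An added example of the webhook half of this suggestion, written for this thread and not taken from Commvault or the Teams documentation: it builds a Teams Incoming Webhook message for one approval request and posts it to an approvers' channel. It assumes the workflow's "on start" step can hand over the request id, requester, operation and approval link, and uses a placeholder Command Centre hostname; the link is checked against that host before it is embedded so an unexpected URL never reaches the channel.

```python
"""Post a Commvault approval request to a Teams Incoming Webhook (example code)."""
import json
import urllib.request
from urllib.parse import urlparse

# Assumed placeholder: the host that serves Command Centre in your environment.
ALLOWED_APPROVAL_HOSTS = {"commcell.example.internal"}


def build_approval_card(request_id: str, requester: str, operation: str, approve_url: str) -> dict:
    """Build a Teams MessageCard (the connector JSON format) for one approval request.

    Only an https link to the expected Command Centre host is accepted, so a
    mangled or attacker-supplied URL is never pushed to approvers as a button.
    """
    parsed = urlparse(approve_url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_APPROVAL_HOSTS:
        raise ValueError(f"refusing to post approval link with unexpected origin: {approve_url!r}")
    return {
        "@type": "MessageCard",
        "@context": "https://schema.org/extensions",
        "summary": f"Approval required: {operation}",
        "title": "Commvault authorisation request",
        "sections": [{
            "facts": [
                {"name": "Request", "value": request_id},
                {"name": "Requested by", "value": requester},
                {"name": "Operation", "value": operation},
            ],
        }],
        "potentialAction": [{
            "@type": "OpenUri",
            "name": "Open in Command Centre",
            "targets": [{"os": "default", "uri": approve_url}],
        }],
    }


def post_to_teams(webhook_url: str, card: dict, timeout: float = 10.0) -> int:
    """POST the card and return the HTTP status.

    The webhook URL is effectively a bearer secret: anyone holding it can post
    to the channel, so keep it in a secret store and out of logs and scripts.
    """
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(card).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status
```

Approvers still authenticate to Command Centre via SAML when they follow the link, so the channel only carries the notification, not the approval right.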

Userlevel 3
Badge +6

Michael

How will these users log in to the command center to do the approvals?

Userlevel 3
Badge +9

Michael

How will these users log in to the command center to do the approvals?

The users from the defined approval group have access to Command Centre via SAML, the only issue is the accounts don’t have email accounts linked to them because they’re a privileged account.

For example, I have 3 accounts:

Normal user: for logging into desktops / email etc

Medium Level privileged account: general administration functions, but not the really destructive things (deleting policies etc)

High Level privileged account: Master access to Commvault.

We want to implement authorisation workflows so that no single user can perform a delete operation. My fall back will be to create a local user as a “break glass” account which has a valid email address linked to a distribution list, this will email all users in the approval group since the email link just directs to the Command Centre to perform the approval.

