According to this article I can now request a Compliance Lock on the support portal.
Previously, a document needed to be filled in by the customer and signed/approved prior to the codes being supplied.
From what I see, this new process has removed the requirement for customer approval and has given the full authority to one individual with Maintenance Advantage access.
Is there any comment on what I’m understanding? I don’t have a test environment to understand how this new process works and it’s less/more secure than the previous procedure.
Thanks,
Mauro
Page 1 / 1
Hi @Mauro,
Thank you for your question! Although we have removed the requirement for Customer Support to be directly involved in these requests, and have also removed the requirement for the signed document to be provided on company letterhead, we have not opened this up for a single individual to remove Compliance Lock.
This new self-service portal form is only supposed as of 11.32 (Commvault Platform Release 2023E) and beyond. Beginning with this release, any attempt to disable Compliance Lock triggers a Multi-Person Authorization workflow. The operation will essentially be queued until another user with Administrative permissions accepts the request.
As soon as the command is executed, the user will be notified in the command prompt that the process will not be completed until multi-person authorization is satisfied. I have run through a test of this in my lab to showcase the behavior.
Here is the notification the executing user will see once the script has been executed:
The users that are configured to receive multi-person authorization requests (by default, all users in the rmaster] group) will receive an email such as this:
Additionally, those same users can see the same request in the Command Center’s Monitoring > Approvals Dashboard:
Compliance Lock will only be disabled once another Master user approves the request.
I hope this answers your question!
-Brian Bruno
@Brian Bruno, do you know if it’s controllable which user(s) can approve.
Yes, This is configurable under GetAndProcessAuthorization Workflow Configuration tab:
If the request is sent by an admin account and there is no other admin (master) account, the request is approved automatically:
.
Thank you for all the feedback on this.
I’m going to set this up in my lab and simulate a few scenarios based on what we’ve encountered in the field.
I will update this thread with what I’ve managed to test.