User's Guide: Account Quorum Policy

1.0 Introduction

A quorum policy is composed of one or more quorum policy rules. A quorum policy rule is composed of:

  • Quorum Group: A set of members in the group that are needed to approve an operation.

  • Administrator: Minimum number of administrators that need to approve the operation.

  • Application: an application that approves a sensitive operation for a specific use case.

  • Using a second-factor security key to approve the request.

  • Password re-entry required to approve the request.

In addition, the quorum policy can establish if “all” or “any” of the quorum policy rules are required to have a quorum and approve the requested operation.

2.0 Account Quorum Policy

2.1 Create a Quorum Policy for an Account

To set a quorum policy at the account level:

  1. Navigate to the Settings menu item in the DSM left navigation bar.

  2. On the Account settings page, click the QUORUM POLICY tab.

  3. In the Quorum approval policy page, click the ADD POLICY FOR THE ACCOUNT button to add the Account Quorum Policy. 

  4. In the Quorum approval policy form, fill the details such as the number/name of administrators that need to approve sensitive operations with keys and plugins.

    NOTE

    • Only verified users can be added as approvers in the Quorum approval policy.

    • Users with pending invites will not appear in the drop down for quorum approvers.

  5. Click the Advanced button to add more combinations for the quorum policy.

  6. There are two optional check boxes:

    1. Using second-factor security key is required to approve requests:  This option will be automatically enabled if second-factor authentication is enabled by the user at the account level, from the Authentication tab on the Account Settings page. The user cannot edit this option.

    2. Profile password re-entry is required to approve request: Enable this option if you want a re-entry of the password to approve a request.

  7. The Operations that require Quorum approval section allows you to configure which operations in the account will require quorum approval. The operation listed below is selected by default and cannot be altered as this operation mandatorily requires a quorum approval.  

    AccountQuorumPolicy1.png

    Figure 1: Choose an operation that requires approval

    • Quorum policy update: Any updates to the Account Quorum Policy except Approval requests expiration time will generate a Quorum Approval request. This also includes deleting an Account Quorum Policy and renaming an account. 

    A user can configure the following operations for quorum approval.

    • Update authentication methods: Any updates to the Account Authentication Settings will generate a Quorum Approval request. This includes:

      • All operations under SINGLE SIGN-ON (SSO) configuration: Creating or Updating third-party SSO integrations will generate a Quorum Approval request.

      • Configuring two-factor authentication using a password at the Account level. 

      • Configuring two-factor authentication using a password at the User/System level.  

        QP-Account2.png

        Figure 2: 2F authentication at the user/system level

    • Cryptographic policy update: Any updates to Account level Cryptographic-policy will generate a Quorum Approval request. This includes creating, updating, or deleting a Cryptographic policy. 

    • Log Management: Any updates to Account level Log Management settings including “Logging invalid API requests” will generate a Quorum Approval request. This includes adding, editing, or deleting custom log management integrations with Splunk, Google Stackdriver, and Syslog. 

  8. Click the SAVE POLICY button. In the Quorum policy window, review the quorum approval details and click the SAVE button. This window will show a summary of the values that were added to the Quorum approval policy screen.  

    Quorum7a.png

    Figure 3: Review and save account quorum policy

2.2 Update Account Quorum Policy

To edit an account quorum policy:

  1. Click the EDIT POLICY button on the Quorum Approval Policy page. 

  2. To set the approval request expiration time, click the EDIT button for the Approval requests expiration time field.

NOTE

By default, the quorum approval request for the account quorum policy expires after 10 days.

2.3 Retain and Log Expired Quorum Approval Requests

The Quorum approval requests in the Tasks → PENDING, COMPLETED, and FAILED tab expire after a default 30-day period. This period can be updated using the Approval requests expiration time field on the Quorum approval policy page.

The following features are applicable only in DSM on-premises environments:

  • To retain all the expired Quorum approval requests (pending, completed, and failed), enable the Retain Expired requests toggle.

    Figure 4: Retain Expired Requests Toggle Button

    • On the Tasks page, select the Show expired tasks check box to see all your expired tasks in the PENDING, COMPLETED, and FAILED tabs.

      Figure 5: Show Expired Tasks Check Box

  • To generate the audit logs for the pending approval requests that have expired, enable the toggle for Show audit log for any requests that have expired and have not been acted upon.

    Figure 6: Show Audit Log for Any Requests Toggle Button

NOTE

Currently, selecting the Show Expired Tasks check box displays all the expired tasks (Approval, Import/Export, and App credentials), instead of the expired tasks for the selected tab. Support to filter expired tasks based on the selected tab will be added soon.

2.4 Setting Access Limits for Sensitive Results

You can set the access limits for the requester when retrieving results from sensitive operations by enabling the toggle for Check requester's access when getting results of sensitive operations. If enabled, the following sensitive operations will have access limits set on the requester:

  • Export key

  • Retrieve app API key credentials

  • Decrypt key

  • Batch key operations

Enabling this option will restrict access to the operation results to those users (account administrator or account members) who were able to see the operation results earlier.  

Figure 7: Check the Access Toggle