A quorum policy is composed of one or more quorum policy rules. A quorum policy rule is composed of:
- Quorum Group: A set of members in the group that are needed to approve an operation.
- Administrator: Minimum number of administrators that need to approve the operation.
- Application: An application that approves a sensitive operation for a specific use case.
- Using a second-factor security key to approve the request.
- Password re-entry required to approve the request.
In addition, the quorum policy can specify whether “all” or “any” of the quorum policy rules must reach a quorum for the requested operation to be approved.
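The rule structure described above can be modelled as a small evaluator. This is an added illustration, not Fortanix DSM code or its API schema; the class names, field names, and sample approvers are hypothetical and the approvals are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Approval:
    approver: str                     # administrator or application name
    used_2fa: bool = False            # approved with a second-factor security key
    reentered_password: bool = False  # re-entered the password when approving

@dataclass
class QuorumRule:
    members: frozenset                # the quorum group
    minimum: int                      # minimum number of members that must approve
    require_2fa: bool = False
    require_password: bool = False

    def satisfied(self, approvals):
        if not 1 <= self.minimum <= len(self.members):
            raise ValueError("minimum must be between 1 and the group size")
        valid = set()                 # a set, so a repeated approval counts once
        for a in approvals:
            if a.approver not in self.members:
                continue              # approvals from outside the group never count
            if self.require_2fa and not a.used_2fa:
                continue
            if self.require_password and not a.reentered_password:
                continue
            valid.add(a.approver)
        return len(valid) >= self.minimum

@dataclass
class QuorumPolicy:
    rules: list
    combine: str = "all"              # "all" or "any" of the rules must reach quorum

    def approved(self, approvals):
        # all([]) is True in Python, so an empty policy must be rejected explicitly.
        if not self.rules or self.combine not in ("all", "any"):
            raise ValueError("policy needs at least one rule and 'all' or 'any'")
        results = [rule.satisfied(approvals) for rule in self.rules]
        return all(results) if self.combine == "all" else any(results)

# Constructed sample: 2-of-3 administrators with 2FA, plus one approving application.
ADMINS = QuorumRule(frozenset({"alice", "bob", "carol"}), minimum=2, require_2fa=True)
APP = QuorumRule(frozenset({"release-app"}), minimum=1)
APPROVALS = [Approval("alice", used_2fa=True), Approval("alice", used_2fa=True),
             Approval("bob"), Approval("release-app")]

if __name__ == "__main__":
    print(QuorumPolicy([ADMINS, APP], "all").approved(APPROVALS))
    print(QuorumPolicy([ADMINS, APP], "any").approved(APPROVALS))
```

With these approvals only the application rule reaches quorum, because the duplicate approval from alice counts once and bob approved without a second factor.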
Account Quorum Policy
Create a Quorum Policy for an Account
To set a quorum policy at the account level:
- Go to the Account Settings page in Fortanix Data Security Manager (DSM). Click the QUORUM POLICY tab.
- In the Quorum approval policy page, click the ADD POLICY FOR THE ACCOUNT button to edit the Account Quorum Policy.
- In the Quorum approval policy form, fill in the details, such as the number and names of the administrators that need to approve sensitive operations with keys and plugins.
- Click the Advanced button to add more combinations for the quorum policy.
- There are two optional check boxes:
  - Using a second-factor security key is required to approve requests: This option will be automatically enabled if second-factor authentication is enabled by the user at the account level, from the Authentication tab on the Account Settings page. The user cannot edit this option.
  - Password re-entry is required to approve the request: Enable this option if you want a re-entry of the password to approve a request.
- The Operations that require Quorum approval section allows you to configure which operations in the account will require quorum approval. The operation listed below is selected by default and cannot be deselected, because it always requires quorum approval.
Figure 2: Choose operation that requires approval
- Quorum policy update: Any updates to the Account Quorum Policy except Approval requests expiration time will generate a Quorum Approval request. This also includes deleting an Account Quorum Policy and renaming an account.
A user can configure the following operations for quorum approval.
- Update authentication methods: Any updates to the Account Authentication Settings will generate a Quorum Approval request. This includes:
  - All operations under SINGLE SIGN-ON (SSO) configuration: Creating or updating third-party SSO integrations will generate a Quorum Approval request.
  - Configuring two-factor authentication using a password at the Account level.
  - Configuring two-factor authentication using a password at the User/System level.
Figure 3: 2F authentication at user/system level
- Cryptographic policy update: Any updates to Account level Cryptographic policy will generate a Quorum Approval request. This includes creating, updating, or deleting a Cryptographic policy.
- Log Management: Any updates to Account level Log Management settings including “Logging invalid API requests” will generate a Quorum Approval request. This includes adding, editing, or deleting custom log management integrations with Splunk, Google Stackdriver, and Syslog.
- Click the SAVE POLICY button. In the Quorum policy window, review the quorum approval details and click the SAVE button. This window will show a summary of the values that were added to the Quorum approval policy screen.
Figure 4: Review and save account quorum policy
Update Account Quorum Policy
To edit an account quorum policy:
- Click the EDIT POLICY button on the Quorum Approval Policy page.
- To set the approval request expiration time, click the EDIT button for the Approval requests expiration time field.