User's Guide: Account Quorum Policy

1.0 Introduction

This article describes the features of the Fortanix Data Security Manager (DSM) Quorum approval policy at the account level.

The Quorum approval policy feature adds an extra layer of control and protection to sensitive operations performed in a Fortanix DSM account. For example, when you apply a Quorum approval policy to a group, operations such as exporting a key require approval from a predefined number of quorum approvers before execution.

2.0 Quorum Policy

A Quorum approval policy consists of one or more quorum policy rules. Each rule can include the following components:

  • Quorum Group: Specifies a subset of group members required to approve an operation.

  • Administrator: Specifies the minimum number of administrators who must approve the operation.

  • Application: Identifies an application authorized to approve sensitive operations for specific use cases.

  • Second-Factor Security Key: Requires the user to authenticate using a second-factor security key to approve the request.

  • Password Re-entry: Requires the user to re-enter their password to approve the request.

The quorum policy can also define the approval condition: either all rules must be satisfied, or approval under any one rule is sufficient to meet the quorum requirement for the requested operation.
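
The rule combination described above, modeled as an added Python example that is not Fortanix code or the DSM API. The `Rule`, `Approval`, and `quorum_reached` names, the member names, and the placement of the security-key and password options on each rule are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Approval:
    approver: str                     # user or application name (constructed)
    used_security_key: bool = False   # second-factor security key presented
    reentered_password: bool = False  # password re-entered at approval time

@dataclass(frozen=True)
class Rule:
    members: frozenset                # principals allowed to approve under this rule
    n: int                            # minimum number of approvals from members
    require_security_key: bool = False
    require_password: bool = False

    def __post_init__(self):
        # A rule asking for more approvers than it has members can never be met.
        if not 1 <= self.n <= len(self.members):
            raise ValueError("n must be between 1 and the number of members")

def rule_met(rule, approvals):
    """True when at least n distinct members gave a qualifying approval."""
    qualifying = {
        a.approver for a in approvals
        if a.approver in rule.members
        and (a.used_security_key or not rule.require_security_key)
        and (a.reentered_password or not rule.require_password)
    }
    # A set is used so that repeated approvals by one member count once.
    return len(qualifying) >= rule.n

def quorum_reached(rules, condition, approvals):
    """condition is "AND" (all rules must be met) or "OR" (any one rule)."""
    if not rules:
        raise ValueError("a policy needs at least one rule")
    if condition not in ("AND", "OR"):
        raise ValueError("condition must be 'AND' or 'OR'")
    results = [rule_met(r, approvals) for r in rules]
    return all(results) if condition == "AND" else any(results)

# Constructed sample policy: 2 of 3 administrators, plus one approving application.
ADMINS = Rule(frozenset({"alice", "bob", "carol"}), n=2, require_security_key=True)
APP = Rule(frozenset({"backup-app"}), n=1)
```

With the OR condition, either rule alone reaches quorum; with AND, two administrators using a security key and the application must all approve.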

3.0 Account Quorum Approval Policy

3.1 Create an Account Quorum Approval Policy

Perform the following steps to set an account-level Quorum approval policy:

  1. Navigate to the Settings → QUORUM POLICY tab.

  2. In the Approval requests expiration time section, click EDIT to specify the duration after which the quorum approval request will expire. You can select the time unit as seconds, minutes, hours, or days.

  3. In the Account Quorum Policy section, click ADD POLICY FOR THE ACCOUNT to add the account-level quorum policy.

  4. In the form, enter the details of the quorum reviewers or administrative apps required to approve account-level sensitive operations.

    NOTE

    • Only verified users can be added as approvers in the Quorum approval policy.

    • Users with pending invites will not appear in the drop-down list for quorum approvers.

  5. Click ADVANCED to add more combinations for the Quorum approval policy (optional).

    • You can select either AND or OR to define multiple quorum approval rules:

      • AND: All rules must be met for the operation to be approved.

      • OR: Any one of the rules, if met, is sufficient for quorum approval.

  6. There are two optional check boxes:

    1. Using second-factor security key is required to approve requests: This option is auto-enabled if you have enabled second-factor authentication at the account level in the Settings → AUTHENTICATION tab. This option is not editable.

    2. Profile password re-entry is required to approve request: Enable this option to enforce password re-entry for approval requests.

  7. In the Operations that require Quorum approval section, configure which account-level operations should generate the quorum approval request.

    Figure 1: Operations that require approval

    • Update account (quorum policy, account details): This option is enabled by default and cannot be modified, as updates to the account’s Quorum approval policy configuration or account details always require quorum approval.

    • Update authentication methods: Any changes to the account AUTHENTICATION settings will generate a quorum approval request. This includes:

      • Creating or updating Single Sign-On (SSO) configurations.

      • Configuring two-factor authentication using a password at the account-level.

      • Configuring two-factor authentication using a password at the user or system-level.

      Figure 2: 2F authentication at users/system level

    • Cryptographic policy update: Any modifications to account-level Cryptographic policy, such as creating, updating, or deleting a Cryptographic policy, will generate a quorum approval request.

    • Log management: Any modifications to account-level Log Management settings will generate a quorum approval request. This includes configuring logging of invalid API requests and configuring (adding, editing, or deleting) third-party log management integrations such as Splunk, Google Cloud’s Operations Suite, Syslog, or Azure Log Analytics.

  8. If you have enabled the ADVANCED settings above, select either the any or all option to determine whether all or any of the conditions must be met to achieve quorum.

  9. Click SAVE POLICY.

  10. The Quorum policy dialog box displays the quorum policy summary. Review the configuration and click SAVE to apply the policy.

    Figure 3: Account-level quorum policy

3.2 Update Account Quorum Approval Policy

Perform the following steps to edit an account-level Quorum approval policy:

  1. On the Quorum Approval Policy page, click EDIT POLICY.

  2. In the Account Quorum Policy section, update the policy settings as required.

  3. Click SAVE to update the policy.

NOTE

By default, the quorum approval request for the account quorum policy expires after 10 days.

3.3 Delete Account Quorum Approval Policy

Perform the following steps to delete an account-level Quorum approval policy:

  1. Click EDIT POLICY and go to the detailed view of the Quorum approval policy.

  2. Scroll to the end of the Quorum approval policy page and click DELETE POLICY.

  3. On the Delete Policy confirmation dialog box, click DELETE to confirm the action.

NOTE

Deleting a Quorum approval policy is a sensitive operation and will automatically generate a quorum approval request.

3.4 Retain and Log Expired Quorum Approval Requests

The quorum approval requests in the Tasks → PENDING, COMPLETED, and FAILED tabs expire after a default 30-day period. This period can be updated using the Approval requests expiration time field on the Quorum approval policy page.

The following features are applicable only in Fortanix DSM on-premises environments:

  • To retain all the expired quorum approval requests (pending, completed, and failed), enable the Retain Expired requests toggle.

    Figure 4: Retain expired requests toggle button

  • On the Tasks page, select the Show expired tasks check box to see all your expired tasks in the PENDING, COMPLETED, and FAILED tabs.

    Figure 5: Show expired tasks check box

  • To generate the audit logs for the pending approval requests that have expired, enable the toggle for Show audit log for any requests that have expired and have not been acted upon.

    Figure 6: Show audit log for any requests toggle button

NOTE

Currently, selecting the Show Expired Tasks check box displays all the expired tasks (Approval, Import/Export, and App credentials), instead of the expired tasks for the selected tab. Support to filter expired tasks based on the selected tab will be added soon.

3.5 Setting Access Limits for Sensitive Results

You can set the access limits for the requester when retrieving results from sensitive operations by enabling the toggle for Check requester's access when getting results of sensitive operations. If enabled, the following sensitive operations will have access limits set on the requester:

  • Export key

  • Retrieve app API key credentials

  • Decrypt key

  • Batch key operations

Enabling this option will restrict access to the operation results to those users (account administrators or account members) who were able to see the operation results earlier.

Figure 7: Check requester access