Managing command approval

Edit online

You can enable command approval to require an approval administrator to authorize restricted commands before they run.

About this task

The command approval feature provides an oversight process that prevents certain restricted commands from running until they are approved by another administrator. Command approval, when enabled, prevents an inexperienced administrator from running a command that might have unintended consequences, such as data loss. For more experienced administrators, the command approval feature provides a peer-review process for restricted commands. The command approval feature complements the access authorization that is provided by privilege classes. Privilege classes remain the security mechanism that determines which commands an administrator can issue.

When command approval is enabled, administrators can issue restricted commands, but the commands do not run unless they are approved by a designated approval administrator. When restricted commands are issued, they are placed into a queue of pending commands. Administrators who are designated as approval administrators can review pending commands and then approve or reject them. Any number of administrators can be designated as approval administrators. Designate enough approval administrators so that pending commands can be approved or rejected in a timely manner. Pending commands that are not approved within 72 hours are automatically rejected.

You can designate any administrator as an approval administrator, regardless of the administrative privilege class that is assigned to the administrator. The administrator who issues a restricted command must be authorized to run the command, but the approval administrator does not require the same level of authorization.
Tips:
  • Administrators with system privilege can designate themselves or other administrators as approval administrators. To prevent administrators from accessing commands that are outside their job responsibilities, assign them only to the privilege classes that they require. When an administrator changes a command approval configuration setting, the server issues the informational message ANR2744I. Consider defining an alert trigger for the ANR2744I message to monitor all changes to the command approval configuration. Alert triggers can be defined in the Operations Center.
  • The command approval feature is compatible with existing dsmadmc administrative command-line clients.
  • The command approval feature is not compatible with storage agents.
  • To avoid possible issues, do not use administrative scripts with the command approval feature. This includes IBM® Storage Protect server scripts and external command scripts that are used by automation or other tools.

The set of restricted commands is predefined by the server and cannot be customized. For a list of restricted commands, see SET COMMANDAPPROVAL.

Procedure

To manage the command approval feature, complete the following tasks on each IBM Storage Protect server:
Task Procedure
Designate one or more approval administrators. Designate one or more approval administrators by using the UPDATE ADMIN or REGISTER ADMIN commands.
  • To designate an administrator, ADMIN1, as an approval administrator, issue the following command: 
    update admin admin1 cmdapprover=yes
  • To designate a new administrator, ADMIN2, as an approval administrator, issue the following command: 
    register admin admin2 cmdapprover=yes
  • To view a list of all administrators who are designated as approval administrators, use the following SELECT command to query the IBM Storage Protect database:
    select * from admins where cmd_approver='Yes'
    Alternatively, review a detailed list of all administrators who are defined on the server by issuing the following QUERY ADMIN command and reviewing the Command approver field:
    query admin * f=d
Specify whether approval administrators are exempt from command approvals. Specify whether approval administrators are exempt from command approvals. By default, approval administrators are not exempt, and restricted commands that are issued by approval administrators require approval from another approval administrator. To change the default value and make approval administrators exempt from command approval, issue the following command:
set approversrequireapproval off
Enable the command approval feature. Enable the command approval feature by issuing the following command:
set commandapproval on
Approve or reject pending commands. Approval administrators can view the details about each pending command, including the command name, the administrator who issued the command, and the request ID for the pending command. Pending commands that are not approved within 72 hours are automatically rejected. To view and manage pending commands, take one or more of the following actions:
  • To view a list of all commands that are currently pending approval, issue the following command: 
    query pendingcmd
  • To approve a pending command that has a request ID of 227, issue the following command and optionally specify a reason for approving the command:
    approve pendingcmd 227 reason="Approved by Team XYZ."
  • To reject a pending command that has a request ID of 289, issue the following command and optionally specify a reason for rejecting the command:
    reject pendingcmd 289 reason="Not approved by Team XYZ."
Monitor pending commands. When the command approval feature is enabled and a restricted command is issued, the server issues the warning message ANR2742W, which indicates that the command is pending approval. To view pending approvals for each server, issue the QUERY PENDINGCMD command.
Tip: If you are managing multiple servers, consider defining an alert trigger for the ANR2742W message. By defining an alert trigger for this message, you can monitor all servers for commands that are pending approval. You can define an alert trigger by using the DEFINE ALERTTRIGGER command.
Withdraw a pending command. The administrator who issued a command that is pending approval can withdraw the command while it is in a pending state. The approval request is canceled, and the command does not run.
To withdraw a pending command that has a request ID of 191, issue the following command and optionally specify a reason for withdrawing the command:
withdraw pendingcmd 191 reason="No longer needed."
View the status and history of pending commands. View historical information about all commands that were held in the queue for command approval, including commands that were approved, rejected, withdrawn, and commands that are currently pending approval.
  • To view a list of commands that are currently pending approval and the associated request IDs, issue the following command: 
    query pendingcmd
  • Administrators who issue restricted commands are not automatically notified about status changes to the pending command. To view a complete list of all commands that were submitted for command approval, including commands that are currently pending approval, issue the following command:
    query pendingcmd f=d type=all
  • To view the history of a pending command that has a request ID of 576, issue the following command to search the activity log for all messages associated with the pending command request:
    query actlog search="request ID:576"
Disable the command approval feature. Disable the command approval feature by issuing the following command:
set commandapproval off
If the command approval feature is disabled, all pending commands are automatically rejected.