PowerProtect DP Series: Protection Storage: Alert: Security officer user account must be created

The below alert may be seen on Protection Storage after upgrading IDPA to 2.7:

This alert shows up to due to new security compliance audit that was introduced in DDOS 7.5.x and later. In these DDOS versions, the system prompts for Security Officer User account creation if it does not exist.

Since IDPA 2.7 has DDOS 7.6, this alert is seen after the upgrade on systems that do not have a Security Office User account existing.

Note: Enhanced security hardening in DDOS 7.5 or later includes a requirement for Security Officer User authorization in addition to DD Admin authorization before performing high impact commands such as:

• File System Destroy
• Cloud Tier Destroy
• GC Sanitization

Once the Security Officer User account is created, the alert clears on its own.

To create the First Security Officer User account:

1. Log in to ACM. 
2. Scroll to Protection Storage component and click its gear icon.
3. Click Create First Security Officer and go through the criteria for username and password before creating it.
4. Scroll down to Input new security Username and password.

Note: When first Security Officer User account is created from ACM as per the above steps, it automatically enables the security authorization too.

1. Once Security Officer User is created, AAH to Data Domain using newly created security officer credentials to verify the same:

Sec_Officer01@dd4400> authorization policy show
Runtime authorization policy is enabled

2. Security Officer User password expires every 90 days as per default password aging. Password aging can be checked and modified as below depending upon requirement:

Sec_Officer01@dd4400> user password aging show

User                Password       Minimum Days     Maximum Days     Warn Days       Disable Days   Status
                    Last Changed   Between Change   Between Change   Before Expire   After Expire
-----------------   ------------   --------------   --------------   -------------   ------------   --------

Sec_Officer01       Apr 07, 2022   0                90               7               never          enabled

sysadmin            Mar 25, 2022   0                99999            7               never          enabled
-----------------   ------------   --------------   --------------   -------------   ------------   --------

 

Example:
To set password aging for security user as 120 days instead of default 90 days, use the below command:

Sec_Officer01@dd4400> user password aging set Sec_Officer01 max-days-between-change 120

 

Note:
It is important to keep the security credentials safe and to change the password before it expires as only another security officer (if existing) has the permission to change or reset expired or locked security officer account. Only an existing security officer can create another security officer account.