When PAAS is enabled, the following predefined actions require approval by an Approver User.
PAAS privileged actions
The following actions require approval when PAAS is enabled, regardless of whether Platform Protection and Account Protection modes are enabled or disabled.
Table 1. Privileged actions related to PAAS

| Action | Description | Resource (for API) | Required role of Management User who submits the request |
|---|---|---|---|
| Create Approval User. | Adding new Approver Users after the initial two Approver Users requires approval. NOTE: The first two Approver Users are created before PAAS is enabled and do not need approvals. | paas | security_admin |
| Delete Approval User. | Deleting any Approver User requires approval. | paas | security_admin |
| Enable Platform Protection Mode. | Enabling Platform Protection Mode requires approval. See the next table for a list of additional actions that require approval when Platform Protection is enabled. | paas | security_admin |
| Disable Platform Protection Mode. | Disabling Platform Protection requires approval. | paas | security_admin |
| Reset an Approver User password. | If an Approver User forgets a password, a Management User with security_admin role can reset the password. This action requires approval. NOTE: Approver Users can change their own passwords without approval. | paas | security_admin |

Platform Protection Mode privileged actions
The following additional actions require approval when Platform Protection Mode is enabled.
Table 2. Privileged actions related to Platform Protection Mode

| Action | Description | Resource (for API) | Required role of Management User who submits the request |
|---|---|---|---|
| Escalate permission. | The escalate permission command requires approval. This command allows the user to open a shell-like environment at the operating system level on the ObjectScale Appliance. | platform | operations_admin |

Account Protection Mode privileged actions
Account Protection is enabled individually per account. When Account Protection is enabled on an account, the following actions require approval.
Table 3. Privileged actions related to Account Protection Mode

| Action | Description | Resource (for API) | Required role of Management User who submits the request |
|---|---|---|---|
| Disable account protection. | Enabling protection on an account does not require approval, but disabling the protection after it is enabled does require approval. | iam | operations_admin |
| Configure bucket locks. | Change bucket lock configurations. | objControl | operations_admin, storage_admin, storage_operator |
| Configure Object Lock. | Change Object Lock configurations. | s3 | operations_admin, storage_admin, storage_operator |
| Configure object retention. | Reduce retention periods on Object Locks with a GOVERNANCE mode lock. NOTE: The initial setting and changes to increase the retention period are not protected actions. NOTE: It is not possible to change the configuration on a COMPLIANCE mode lock. A PAA request for a COMPLIANCE mode override does not work. | s3 | operations_admin, storage_admin, storage_operator |
| Delete with retention override. | Delete objects under retention with a GOVERNANCE mode lock. NOTE: It is not possible to override a COMPLIANCE mode lock. A PAA request for a COMPLIANCE mode override does not work. | s3 | operations_admin, storage_admin, storage_operator |