Learn how to configure Retention Lock Governance (RLG) and Retention Lock Compliance (RLC) on Dell PowerProtect Data Domain systems. This step‑by‑step demo uses a DD9410, and the same workflow applies to DD9910 and DD9910F. You’ll see the exact CLI commands, account requirements, and iDRAC steps needed to enable immutable file locking for governance and strict compliance use cases.

What you’ll learn
• Check licenses for Retention-Lock-Governance and Retention-Lock-Compliance
• List and review mtrees
• Enable Retention Lock Governance on a target mtree
• Prepare and enable Retention Lock Compliance (includes downtime)
• Create and authorize a Security Officer user
• Configure iDRAC operators/read‑only users and turn on compliance mode
• Set date change limit and frequency during RLC enablement
• Apply RLC to a specific mtree and verify status.

In this demo, we are going to showcase how to configure Retention Lock Governance and Retention Lock Compliance. We will be using a Data Domain 9410 in this demo. The same procedure can be used for DD9910 and DD9910F as well. Retention Lock is a licensed feature that provides immutable file locking and secure data retention for customers to meet both corporate governance and compliance requirements.
Retention Lock Compliance is stricter than Governance. First, navigate to Licenses under Administration, where the licenses are already applied for the features Retention-Lock-Governance and Retention-Lock-Compliance. Log in to the PuTTY session of the DD and run "mtree list" to check the list of mtrees. Also check the status of the existing mtrees.
Retention Lock Governance can be enabled for mtree using the command Here we are enabling Retention Lock Governance for the mtree demo rig. Now we are going to enable and configure Retention Lock Compliance. Please note that enabling Retention Lock Compliance requires system downtime. To enable and configure RLC, a Security Officer user must be created and enabled. A Security Officer user called "secuser" is already created on this Data Domain.
To enable Security Officer authorization, log in to the PuTTY session of the DD using Security Officer credentials and execute the command "authorization policy set security-officer enabled". Switch back to the sysadmin PuTTY session and run "system retention-lock compliance configure". You will be asked to enter Security Officer credentials for confirmation.
The system will reboot after confirmation. Both DD 9910 and DD 9410 systems require compliance mode to be enabled on iDRAC before Retention Lock Compliance can be configured on the system. Log in to the PuTTY session after the system is up and running, and check whether any iDRAC users are already configured using the command "user idrac list".
To create the users, execute the command "user idrac create", which requires Security Officer credentials. Next, the system will prompt you to enter the number of iDRAC operators and iDRAC read-only users that need to be created. Key in the username and password for the iDRAC operator and the iDRAC read-only user.
For the purpose of this demo, we are creating only one user of each type. After the iDRAC users are successfully created, enable Retention Lock Compliance on the system using the command "system retention-lock compliance enable", which will again prompt for security user credentials. It is recommended to set the system date change frequency and date change limit while enabling Retention Lock Compliance to avoid any undesired changes to the system clock. Please note that these values cannot be configured once RLC is enabled.
In this demo, we are setting the date change limit to 12 hours and the date change frequency to one day. Now the system is ready to run the Retention Lock Compliance feature. Execute the command "mtree retention-lock enable mode compliance mtree /data/col1/demo-rlc" to enable the RLC feature on the mtree demo-rlc. This command will prompt for security user credentials. The status of the mtree shows that demo-rlc is Retention Lock Compliance enabled. This concludes the demo. Thank you for watching.