PowerProtect DP Series: Protection Storage: Alert: Security officer user account must be created
Summary: Message "Alert: Security officer user account must be created." received after upgrading IDPA to version 2.7.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
The below alert may be seen on Protection Storage after upgrading IDPA to 2.7:
Current Alerts -------------- Id Post Time Severity Class Object Message ----- ------------------------ -------- -------- ------ ------------------------------------------------------------------ m0-21 Mon Mar 22 08:54:24 2021 CRITICAL Security EVT-SECURITY-00029: Security officer user account must be created. ----- ------------------------ -------- -------- ------ ------------------------------------------------------------------ There is 1 active alert
Cause
This alert shows up to due to new security compliance audit that was introduced in DDOS 7.5.x and later. In these DDOS versions, the system prompts for Security Officer User account creation if it does not exist.
Since IDPA 2.7 has DDOS 7.6, this alert is seen after the upgrade on systems that do not have a Security Office User account existing.
Note: Enhanced security hardening in DDOS 7.5 or later includes a requirement for Security Officer User authorization in addition to DD Admin authorization before performing high impact commands such as:
Since IDPA 2.7 has DDOS 7.6, this alert is seen after the upgrade on systems that do not have a Security Office User account existing.
Note: Enhanced security hardening in DDOS 7.5 or later includes a requirement for Security Officer User authorization in addition to DD Admin authorization before performing high impact commands such as:
- File System Destroy
- Cloud Tier Destroy
- GC Sanitization
Resolution
Once the Security Officer User account is created, the alert clears on its own.
To create the First Security Officer User account:
- Log in to ACM.
- Scroll to Protection Storage component and click its gear icon.
- Click Create First Security Officer and go through the criteria for username and password before creating it.
- Scroll down to Input new security Username and password.
Note: When first Security Officer User account is created from ACM as per the above steps, it automatically enables the security authorization too.
- Once Security Officer User is created, AAH to Data Domain using newly created security officer credentials to verify the same:
Sec_Officer01@dd4400> authorization policy show Runtime authorization policy is enabled
- Security Officer User password expires every 90 days as per default password aging. Password aging can be checked and modified as below depending upon requirement:
Sec_Officer01@dd4400> user password aging show User Password Minimum Days Maximum Days Warn Days Disable Days Status Last Changed Between Change Between Change Before Expire After Expire ----------------- ------------ -------------- -------------- ------------- ------------ -------- Sec_Officer01 Apr 07, 2022 0 90 7 never enabled sysadmin Mar 25, 2022 0 99999 7 never enabled ----------------- ------------ -------------- -------------- ------------- ------------ --------
Example:
To set password aging for security user as 120 days instead of default 90 days, use the below command:
Sec_Officer01@dd4400> user password aging set Sec_Officer01 max-days-between-change 120
Note:
It is important to keep the security credentials safe and to change the password before it expires as only another security officer (if existing) has the permission to change or reset expired or locked security officer account. Only an existing security officer can create another security officer account.
Affected Products
Data Domain, Integrated Data Protection Appliance FamilyArticle Properties
Article Number: 000198128
Article Type: Solution
Last Modified: 14 Dec 2022
Version: 4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.