PowerProtect Data Manager 19.17 for Cyber Recovery User Guide

Managing policies

Create policies to perform replications, make point-in-time (PIT) copies, set retention locks, and perform other Cyber Recovery operations within the Cyber Recovery vault. You can also modify existing policies.

1. Select Policies from the Main Menu.
2. In the Policies content pane, do one of the following:
   1. To create a policy, click Add.
      The Add Policy wizard is displayed.
   2. To modify a policy, select a policy and click Edit.
      The Summary page of the Edit Policy wizard is displayed. Click Back to go to the wizard page that you want to modify.
3. On the Policy Information page, complete the following fields and then click Next:

   Table 1. Policy Information pageTable that describes the fields in the Policy Information page.

   Field	Description
   Name	Specify a policy name.
   Type	From the drop-down list, select PPDM. NOTE:A PowerProtect Data Manager policy requires two MTrees for configuration.
   Storage	Select the vault storage containing the replication context that the policy will protect. NOTE:You cannot edit the vault storage for an existing policy.
   Tags	Optionally, add a tag that provides useful information about the policy. The tag is displayed in the details description for the policy in the Policies content pane in the Cyber Recovery UI. Click Add Tag, enter the tag, and then click Add. NOTE:If a tag exceeds 24 characters, the details description displays the first 21 characters followed by an ellipsis (...).

4. On the Replication page, complete the following fields and then click Next:

   Table 2. Replication pageTable that describes the fields in the Replication page.

   Field	Description
   Replication Contexts	Under Context, select the MTree replication context to protect and the interface on the storage instance that is configured for replication. Under Ethernet Port, click Select Repl Ethernet and then select the interface on the storage instance that is configured for replication. NOTE: There can be only one policy per replication context, except for PowerProtect Data Manager policy types, which require a minimum of two replication contexts to create a PowerProtect Data Manager policy. Do not select the data or management Ethernet interfaces. If your DD system is running a version of DDOS that is earlier than version 7.8 and you select a Retention Lock Compliance replication context, the context will not be disabled.
   ServerDR Context	For a PowerProtect Data Manager deployment, select a ServerDR context from the list of replication contexts.
   Replication Window	Set a timeout value in hours for how long a job for a Sync action runs before Cyber Recovery issues a warning. The default value is 0. NOTE:If a job exceeds the time configured for the replication window, an alert is generated.
   Enforce Replication Window	If you change the default value in the Replication Window field, the Enforce Replication Window checkbox is displayed. Enable the checkbox to stop a Sync operation that continues to run beyond the replication window limit for that policy. When the replication window limit is exceeded, the operation completes the current DD snapshot replication and does not proceed to replicate queued snapshots.

5. On the Retention page, complete the following fields and then click Next:

   Table 3. Retention pageTable that describes the fields in the Retention page.

   Field	Description
   Retention Lock Type	Select one of the following: (Add Policy dialog box only) None, if retention locking is not supported. The retention fields are then removed from the dialog box. NOTE:A Sheltered Harbor policy cannot have a retention lock type of None. Governance if it is enabled on the storage instance. (Edit Policy dialog box only) Governance-disabled. Compliance if it is enabled on the storage instance.
   Enable Auto Retention Lock (for existing policies only)	NOTE:This feature has been deprecated and will be removed in a future release. When you create a new policy or if the auto retention lock feature is disabled for an existing policy, the checkbox is not available. When editing existing policies that have the auto retention lock feature enabled, the checkbox is displayed. You cannot use the checkbox to disable the auto retention lock feature.
   Retention Lock Minimum	Specify the minimum retention duration that this policy can apply to PIT copies. This value cannot be less than 12 hours.
   Retention Lock Maximum	Specify the maximum retention duration that this policy can apply to PIT copies. This value cannot be greater than 1,827 days.
   Retention Lock Duration	Specify the default retention duration that this policy applies to PIT copies. The value can be the retention lock minimum up to the retention lock maximum.

   If you selected a Retention Lock Compliance replication context or the Compliance Retention Lock type, the Storage Security Credentials page is displayed. Otherwise, the Summary page is displayed.

6. On the Storage Security Credentials page, enter the DD Security Officer (SO) username and password and then click Next.
   NOTE: This username was created on the DD system.
7. Review the Summary page and either:
   • Click Finish if you are satisfied with the summary information and want to add the policy.
   • Click Back to return to the previous pages to change the information.
   If you selected a Retention Lock Compliance replication context and your deployment is running a version of DDOS that is earlier than version 7.8, the Cyber Recovery software fails to create the policy.
   By default, the Policies table lists the policies.
8. Click a policy's row to open the details pane and view additional details about a policy, and then:
   1. Click to close the details pane.
   2. Click to open the details pane again.
9. To customize the columns in the table that lists the policies, click and select the columns to show or hide.
10. Disable or enable a policy:
    1. To disable a policy so that it does not run, swipe left on the slider under Enabled. An informational message confirms that the policy has been disabled and the Edit button is inactive. Also, an event is created.
    2. To sort policies by status, click Enabled.
    3. To filter on status, click and then click the Enabled or Disabled checkbox. Only the policies with the selected status are displayed. If you select both checkboxes, all policies are displayed.
    4. To reenable a policy, swipe right on the slider under Enabled. An informational message confirms that the policy has been reenabled and the Edit button is active. Also, an event is created.
11. To export policy information, select a policy and click Export.
    The Cyber Recovery software downloads the policies.csv file.

    NOTE:For existing policies with the automatic retention lock feature enabled, the policies.csv file includes the Automatic Retention Lock column. For newly created policies or existing policies with the auto retention lock feature disabled, the policies.csv file does not include the Automatic Retention Lock column.
12. To remove a policy, select an enabled or disabled policy and click Delete.
    NOTE:

    • You cannot delete a policy with associated copies or that is associated with a scheduled report.
    • If you delete a Retention Lock Compliance-enabled policy, the corresponding repository MTree is not deleted from the DD system. To delete the policy repository MTree, log in to the DD system and run the delete mtree <policy-repo-mtree> command, where <policy-repo-mtree> is cr-policy-<policy-id>-repo. For example:

      delete mtree cr-policy-665a11fa024d07d2108c48e5-repo.

      This command requires dual-authentication and prompts for DD security officer credentials to complete the command.
    • After you delete all policies with the automatic retention lock feature enabled, the exported policies.csv file no longer includes the Automatic Retention Lock column.