The administrative restrictions of Compliance mode have the potential to affect both compliance data and enterprise data. To help you make an informed decision concerning SmartLock, we recommend the following best practices:
- Implement Compliance mode only if your organization is legally obligated to do so under SEC rule 17a-4(f). Since the Compliance mode installation or upgrade requires careful planning and preparation, we recommend performing this task with the assistance of Dell Support.
- Consider using Enterprise mode with its advanced security capabilities. These capabilities can protect directories and files in a WORM state from deletion, and can disable the privileged delete function. Enterprise mode offers security that is more than adequate for most users and most situations. Moreover, the superuser account remains available in Enterprise mode, which makes it more administrator-friendly than Compliance mode.
If you adopt any of the following best practices, perform them before you put an existing cluster in Compliance mode:
- Test and validate all workflows using a proof-of-concept Compliance mode cluster. Use the PowerScale OneFS Simulator as a virtual machine (VM) test host, if available.
- Verify that the cluster time is correct before putting the PowerScale cluster in Compliance mode.
- Do not use run-as-root on SMB shares. If you have previously configured SMB shares to run-as-root, change the settings for those shares to specify access permissions to Full-Control, Read-Write, or Read before putting the PowerScale cluster in Compliance mode.
- Use RBAC for cluster access to perform file management and administrative operations. Enable RBAC, grant appropriate privileges, and connect to the CLI through the RBAC-enabled account. The compadmin account represents a regular data user in the context of the CLI.
- For data migrations from a non-Compliance-mode cluster to a cluster that will change to Compliance mode, verify that current ownership and access permissions are valid and appropriate on both clusters.
- Review the permissions and ownership of any files that exclusively permit the root account to manage or write data to them. After you upgrade to Compliance mode, if the OneFS configuration limits the relevant POSIX access permissions to specific directories or files, writing data or changing ownership of these objects is blocked.
- If any root-owned workflow or data files exist, perform all ownership or permission changes before upgrading to Compliance mode. Do not change the ownership of any system files. The Compliance mode conversion process automates all required ownership changes to system files. Do not change the ownership of any files outside of /ifs because no user data should reside outside of /ifs. As a best practice, change the ownership of files under /ifs that are owned by root to the compadmin account before upgrading to Compliance mode.
- In Compliance mode, the default POSIX permissions permit the compadmin account to write data. However, do not modify the following directories unless the default permissions for these directories have been changed: /ifs/.ifsvar and /ifs/.snapshot.
- Verify the available disaster recovery options on Compliance mode clusters in relation to SyncIQ. For more details, see the section SyncIQ.
Note: NDMP backups of SmartLock Compliance data are not considered to be compliant with the SEC regulation 17a-4(f).
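The ownership review described in the list above can be run as a read-only preflight check. The following is an added example, not Dell code: the function names `audit_owned` and `preflight_ok` are hypothetical, root is assumed to be UID 0, and only POSIX mode bits are evaluated (ACLs are not inspected).

```shell
#!/bin/sh
# Added example: read-only audit before a Compliance mode conversion.
# It lists objects and changes nothing; ownership changes stay a manual step.

# audit_owned [TREE] [UID]
#   Prints one line per file or directory under TREE owned by UID
#   (defaults: /ifs and 0, assumed to be root), in the form "<class> <path>":
#     owner-only  no group/other write bit, so only the owner can write
#     shared      a group or other write bit is set
#   TREE/.ifsvar and TREE/.snapshot are pruned, because the guidance
#   says to leave those directories alone.
audit_owned() {
    tree=${1:-/ifs}
    tree=${tree%/}          # normalise a trailing slash so the prune paths match
    uid=${2:-0}
    find "$tree" \
        \( -path "$tree/.ifsvar" -o -path "$tree/.snapshot" \) -prune -o \
        \( -type f -o -type d \) -uid "$uid" \( \
            \( ! -perm -020 ! -perm -002 \
               -exec printf 'owner-only %s\n' {} \; \) -o \
            -exec printf 'shared %s\n' {} \; \
        \)
}

# preflight_ok [TREE] [UID]
#   Exit status 0 only when the audit finds nothing owned by UID,
#   so it can gate a conversion checklist or a change ticket.
preflight_ok() {
    [ -z "$(audit_owned "$@")" ]
}

# Typical use on a node (assumption: run by an account that can read /ifs):
#   audit_owned /ifs 0 > /tmp/root_owned.txt
#   preflight_ok /ifs 0 || echo "root-owned objects remain under /ifs"
```

The `owner-only` lines are the ones to review first, since those are the objects that exclusively permit the owning account to write.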