ONTAP 9 Manuals ( CA08871-402 )

Enable and disable multi-admin verification

Multi-admin verification (MAV) must be enabled explicitly. Once you have enabled multi-admin verification, approval by administrators in a MAV approval group (MAV administrators) is required to delete it.

About this task

Once MAV is enabled, modifying or disabling MAV requires MAV administrator approval.

When you enable MAV, you can specify the following parameters globally.

Approval groups

A list of global approval groups. At least one group is required to enable MAV functionality.

If you are using MAV with Autonomous Ransomware Protection (ARP), define a new or existing approval group that is responsible for approving ARP pause, disable, and clear suspect requests.
Required approvers

The number of approvers required to execute a protected operation. The default and minimum number is 1.

The required number of approvers must be less than the total number of unique approvers in the default approval groups.
Approval expiry (hours, minutes, seconds)

The period within which a MAV administrator must respond to an approval request. The default value is one hour (1h), the minimum supported value is one second (1s), and the maximum supported value is 14 days (14d).

Execution expiry (hours, minutes, seconds)

The period within which the requesting administrator must complete the:: operation. The default value is one hour (1h), the minimum supported value is one second (1s), and the maximum supported value is 14 days (14d).

You can also override any of these parameters for specific operation rules.

ONTAP System Manager procedure

  1. Identify administrators to receive multi-admin verification.

    1. Click Cluster > Settings.

    2. Click blue arrow icon next to Users and Roles.

    3. Click add icon under Users.

    4. Modify the roster as needed.

      For more information, see Control administrator access.

  2. Enable multi-admin verification by creating at least one approval group and adding at least one rule.

    1. Click Cluster > Settings.

    2. Click gear icon next to Multi-Admin Approval in the Security section.

    3. Click add icon to add at least one approval group.

      • Name – Enter a group name.

      • Approvers – Select approvers from a list of users.

      • Email address – Enter email address(es).

      • Default group – Select a group.

    4. Add at least one rule.

      • Operation – Select a supported command from the list.

      • Query – Enter any desired command options and values.

      • Optional parameters; leave blank to apply global settings, or assign a different value for specific rules to override the global settings.

        • Required number of approvers

        • Approval groups

    5. Click Advanced Settings to view or modify defaults.

      • Required number of approvers (default: 1)

      • Execution request expiry (default: 1 hour)

      • Approval request expiry (default: 1hour)

      • Mail server*

      • From email address*

        *These update the email settings managed under "Notification Management". You are prompted to set them if they have not yet been configured.

    6. Click Enable to complete MAV initial configuration.

After initial configuration, the current MAV status is displayed in the Multi-Admin Approval tile.

  • Status (enabled or not)

  • Active operations for which approvals are required

  • Number of open requests in pending state

You can display an existing configuration by clicking blue arrow icon. MAV approval is required to edit an existing configuration.

To disable multi-admin verification:

  1. Click Cluster > Settings.

  2. Click gear icon next to Multi-Admin Approval in the Security section.

  3. Click the Enabled toggle button.

    MAV approval is required to complete this operation.

CLI procedure

Before enabling MAV functionality at the CLI, at least one MAV administrator group must have been created.

If you want to… Enter this command

Enable MAV functionality

security multi-admin-verify modify -approval-groups group1[,group2…​] [-required-approvers nn ] -enabled true [ -execution-expiry [nnh][nnm][nns]] [ -approval-expiry [nnh][nnm][nns]]

Example : the following command enables MAV with 1 approval group, 2 required approvers, and default expiry periods.

cluster-1::> security multi-admin-verify modify -approval-groups mav-grp1 -required-approvers 2 -enabled true

Complete initial configuration by adding at least one operation rule.

Modify a MAV configuration (requires MAV approval)

security multi-admin-verify approval-group modify [-approval-groups group1[,group2…​]] [-required-approvers nn ] [ -execution-expiry [nnh][nnm][nns]] [ -approval-expiry [nnh][nnm][nns]]

Verify MAV functionality

security multi-admin-verify show

Example:

cluster-1::> security multi-admin-verify show
Is      Required  Execution Approval Approval
Enabled Approvers Expiry    Expiry   Groups
------- --------- --------- -------- ----------
true    2         1h        1h       mav-grp1

Disable MAV functionality (requires MAV approval)

security multi-admin-verify modify -enabled false

Top of Page