ONTAP 9 Manuals ( CA08871-402 )

Manage protected operation rules

You create multi-admin verification (MAV) rules to designate operations requiring approval. Whenever an operation is initiated, protected operations are intercepted and a request for approval is generated.

Rules can be created before enabling MAV by any administrator with appropriate RBAC capabilities, but once MAV is enabled, any modification to the rule set requires MAV approval.

Only one MAV rule can be created per operation; for example, you cannot make multiple volume-snapshot-delete rules. Any desired rule constraints must be contained within one rule.

You can create rules to protect these commands. You can protect each command beginning with the ONTAP version in which protection capability for the command first became available.

The rules for MAV system-default commands, the security multi-admin-verify commands, cannot be altered.

In addition to system-defined operations, the following commands are protected by default when multi-admin verification is enabled, but you can modify the rules to remove protection for these commands.

  • security login password

  • security login unlock

  • set

Rule constraints

When you create a rule, you can optionally specify the -query option to limit the request to a subset of the command functionality. The -query option can also be used to limit configuration elements, such as the SVM, the volume, and Snapshot names.

For example, in the volume snapshot delete command, -query can be set to -snapshot !hourly*,!daily*,!weekly*, meaning that volume Snapshots prefixed with hourly, daily, or weekly attributes are excluded from MAV protections.

smci-vsim20::> security multi-admin-verify rule show
                                               Required  Approval
Vserver Operation                              Approvers Groups
------- -------------------------------------- --------- -------------
vs01    volume snapshot delete                 -         -
          Query: -snapshot !hourly*,!daily*,!weekly*

Any excluded configuration elements would not be protected by MAV, and any administrator could delete or rename them.
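To make the effect of a -query constraint concrete, the following Python is an added example (not ONTAP code and not part of this manual). It models a MAV rule set as the page describes it: one rule per operation, a rule without a query intercepting every invocation, and a query narrowing protection to a subset of objects. The query semantics implemented here are an assumption drawn from the page's own reading of `-snapshot !hourly*,!daily*,!weekly*` (a `!` pattern excludes matching names; a plain pattern selects matching names); the rule set, snapshot names and the fail-closed handling of a field the invocation does not supply are constructed for the example and are not documented ONTAP behaviour. The `unprotected()` helper answers the question the paragraph above raises: which objects a rule leaves outside MAV protection.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MavRule:
    """One MAV rule: the protected operation and an optional -query subset."""
    operation: str
    query: Optional[str] = None  # e.g. "-snapshot !hourly*,!daily*,!weekly*"


def parse_query(query: str) -> Dict[str, List[str]]:
    """Parse '-field v1,v2 -other v3' into {'field': ['v1', 'v2'], 'other': ['v3']}.

    Simplified parser (assumption): a token starting with '-' names a field,
    following tokens are comma-separated values for that field.
    """
    fields: Dict[str, List[str]] = {}
    current = None
    for tok in query.split():
        if tok.startswith("-"):
            current = tok[1:]
            fields.setdefault(current, [])
        elif current is not None:
            fields[current].extend(v for v in tok.split(",") if v)
    return fields


def value_matches(value: str, patterns: List[str]) -> bool:
    """Assumed query semantics: a value is selected when it matches at least one
    non-negated pattern (or there are none) and matches no '!'-prefixed pattern."""
    positives = [p for p in patterns if not p.startswith("!")]
    negatives = [p[1:] for p in patterns if p.startswith("!")]
    if positives and not any(fnmatch.fnmatchcase(value, p) for p in positives):
        return False
    return not any(fnmatch.fnmatchcase(value, p) for p in negatives)


class MavRuleSet:
    def __init__(self) -> None:
        self._rules: Dict[str, MavRule] = {}

    def add(self, rule: MavRule) -> None:
        # The page states only one rule may exist per operation.
        if rule.operation in self._rules:
            raise ValueError(
                f"a MAV rule already exists for {rule.operation!r}; "
                "all constraints must be contained within that single rule"
            )
        self._rules[rule.operation] = rule

    def requires_approval(self, operation: str, params: Dict[str, str]) -> bool:
        """True if this invocation would be intercepted and need MAV approval."""
        rule = self._rules.get(operation)
        if rule is None:
            return False          # no rule: the operation is not protected
        if not rule.query:
            return True           # rule without -query: every invocation is protected
        for field_name, patterns in parse_query(rule.query).items():
            value = params.get(field_name)
            if value is None:
                # Model choice (not documented ONTAP behaviour): if the invocation
                # does not supply the queried field, we cannot show it is excluded,
                # so the model fails closed and treats it as protected.
                return True
            if not value_matches(value, patterns):
                return False      # outside the query subset: unprotected
        return True

    def unprotected(self, operation: str, field_name: str, candidates: List[str]) -> List[str]:
        """Candidate object names that the rule for `operation` leaves unprotected."""
        return [c for c in candidates
                if not self.requires_approval(operation, {field_name: c})]


def build_sample_ruleset() -> MavRuleSet:
    """Constructed rule set: the three commands protected by default (no query)
    plus the two query-narrowed rules used as examples on this page."""
    rs = MavRuleSet()
    for op in ("security login password", "security login unlock", "set"):
        rs.add(MavRule(op))
    rs.add(MavRule("volume snapshot delete", "-snapshot !hourly*,!daily*,!weekly*"))
    rs.add(MavRule("volume delete", "-vserver vs0"))
    return rs


if __name__ == "__main__":
    rs = build_sample_ruleset()
    # Constructed snapshot names; scheduled snapshots fall outside protection.
    names = ["hourly.2024-05-01_0100", "daily.2024-05-01_0010", "pre_upgrade", "weekly.3"]
    print("unprotected snapshots:", rs.unprotected("volume snapshot delete", "snapshot", names))
    print("delete on vs0 needs approval:", rs.requires_approval("volume delete", {"vserver": "vs0"}))
    print("delete on vs1 needs approval:", rs.requires_approval("volume delete", {"vserver": "vs1"}))
```

Running the block lists the scheduled snapshots as unprotected and shows that a `volume delete` on a vserver other than vs0 bypasses the rule, which is the audit a defender wants to perform whenever a query is added to a rule.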

By default, rules specify that a corresponding security multi-admin-verify request create "protected_operation" command is generated automatically when a protected operation is entered. You can modify this default to require that the request create command be entered separately.

By default, rules inherit the following global MAV settings, although you can specify rule-specific exceptions:

  • Required Number of Approvers

  • Approval Groups

  • Approval Expiry period

  • Execution Expiry period

ONTAP System Manager procedure

If you want to add a protected operation rule for the first time, see the ONTAP System Manager procedure to enable multi-admin verification.

To modify the existing rule set:

  1. Select Cluster > Settings.

  2. Select the gear icon next to Multi-Admin Approval in the Security section.

  3. Select the add icon to add at least one rule; you can also modify or delete existing rules.

    • Operation – Select a supported command from the list.

    • Query – Enter any desired command options and values.

    • Optional parameters – Leave blank to apply global settings, or assign a different value for specific rules to override the global settings.

      • Required number of approvers

      • Approval groups

CLI procedure

All security multi-admin-verify rule commands require MAV administrator approval before execution except security multi-admin-verify rule show.

If you want to… / Enter this command

Create a rule

security multi-admin-verify rule create -operation "protected_operation" [-query operation_subset] [parameters]

Modify credentials of current administrators

security login modify <parameters>

Example: the following rule requires approval to delete the root volume.

security multi-admin-verify rule create -operation "volume delete" -query "-vserver vs0"

Modify a rule

security multi-admin-verify rule modify -operation "protected_operation" [parameters]

Delete a rule

security multi-admin-verify rule delete -operation "protected_operation"

Show rules

security multi-admin-verify rule show

For command syntax details, see the security multi-admin-verify rule man pages.