Manage protected operation rules
You create multi-admin verification (MAV) rules to designate the operations that require approval. When an administrator enters a protected operation, the command is intercepted and a request for approval is generated.
Rules can be created before MAV is enabled by any administrator with the appropriate RBAC capabilities, but once MAV is enabled, any modification to the rule set itself requires MAV approval.
Only one MAV rule can be created per operation; for example, you cannot make multiple volume snapshot delete rules. Any desired rule constraints must be contained within that one rule.
Rule-protected commands
You can create rules to protect the following commands beginning with ONTAP 9.11.1.
You can create rules to protect the following commands beginning with ONTAP 9.13.1:
- volume snaplock modify
- security anti-ransomware volume attack clear-suspect
- security anti-ransomware volume disable
- security anti-ransomware volume pause
You can create rules to protect the following commands beginning with ONTAP 9.14.1:
- volume recovery-queue modify
- volume recovery-queue purge
- volume recovery-queue purge-all
- vserver modify
The rules for the MAV system-default commands (the security multi-admin-verify commands) cannot be altered.
In addition to the system-defined commands, the following commands are protected by default when multi-admin verification is enabled, but you can modify the rules to remove protection for these commands:
- security login password
- security login unlock
- set
Rule constraints
When you create a rule, you can optionally specify the -query option to limit the request to a subset of the command's functionality. The -query option can also be used to limit the configuration elements the rule covers, such as the SVM, the volume, and Snapshot names.
For example, for the volume snapshot delete command, -query can be set to -snapshot !hourly*,!daily*,!weekly*, meaning that volume Snapshots whose names begin with hourly, daily, or weekly are excluded from MAV protection.
smci-vsim20::> security multi-admin-verify rule show
                                               Required  Approval
Vserver Operation                              Approvers Groups
------- -------------------------------------- --------- -------------
vs01    volume snapshot delete                 -         -
          Query: -snapshot !hourly*,!daily*,!weekly*
Any configuration element excluded by the query is not protected by MAV, so any administrator could delete or rename it without approval.
By default, a rule specifies that the corresponding security multi-admin-verify request create "protected_operation" command is generated automatically when a protected operation is entered. You can modify this default so that the request create command must be entered separately.
By default, rules inherit the following global MAV settings, although you can specify rule-specific exceptions:
- Required Number of Approvers
- Approval Groups
- Approval Expiry period
- Execution Expiry period
System Manager procedure
If you want to add a protected operation rule for the first time, see the System Manager procedure to enable multi-admin verification.
To modify the existing rule set:
- Select Cluster > Settings.
- Select the edit icon next to Multi-Admin Approval in the Security section.
- Select the add control to add at least one rule; you can also modify or delete existing rules.
  - Operation – Select a supported command from the list.
  - Query – Enter any desired command options and values.
  - Optional parameters – Leave blank to apply the global settings, or assign a different value for a specific rule to override the global settings:
    - Required number of approvers
    - Approval groups
CLI procedure
All security multi-admin-verify rule commands require MAV administrator approval before execution, except security multi-admin-verify rule show.

| If you want to… | Enter this command |
|---|---|
| Create a rule (for example, a rule that requires approval to delete the root volume) | security multi-admin-verify rule create |
| Modify credentials of current administrators | security login modify |
| Modify a rule | security multi-admin-verify rule modify |
| Delete a rule | security multi-admin-verify rule delete |
| Show rules | security multi-admin-verify rule show |

For command syntax details, see the security multi-admin-verify rule man pages.
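The script below is an added example and is not part of the ONTAP documentation or NetApp's code. It parses the plain-text output of security multi-admin-verify rule show (the sample output embedded in it is constructed), reports which of the default-protected commands are missing from the rule set and which Snapshot names a rule's -query carves out of MAV protection, and renders the rule create command for a rule such as the root-volume example above. The SVM and volume names vs0 and vs0_root, and the parameter names -operation, -required-approvers, -approval-groups and -auto-request-create, are assumptions drawn from the ONTAP CLI rather than from this page; only -query appears on the page.

```python
"""Audit an ONTAP MAV rule set and render `rule create` commands.

Added example, not NetApp code. SAMPLE_RULE_SHOW is constructed. Parameter
names other than -query are assumed from the ONTAP CLI, not from the page.
"""
import fnmatch
import re
import shlex
from dataclasses import dataclass

# Commands the page says are protected by default once MAV is enabled.
DEFAULT_PROTECTED = ("security login password", "security login unlock", "set")

# Constructed `rule show` output: one rule carves scheduled Snapshots out of
# protection, one overrides the global approvers, and `security login unlock`
# has had its default rule removed.
SAMPLE_RULE_SHOW = """\
                                               Required  Approval
Vserver Operation                              Approvers Groups
------- -------------------------------------- --------- -------------
vs01    volume snapshot delete                 -         -
          Query: -snapshot !hourly*,!daily*,!weekly*
vs01    volume delete                          2         storage-admins
vs01    security login password                -         -
vs01    set                                    -         -
4 entries were displayed.
"""


@dataclass
class Rule:
    vserver: str
    operation: str
    approvers: str  # "-" means the global setting is inherited
    groups: str
    query: str = ""


# vserver, operation (may contain single spaces), then two space-separated columns
RULE_RE = re.compile(r"^(\S+)\s+(.+?)\s{2,}(\S+)\s+(\S+)\s*$")
QUERY_RE = re.compile(r"^\s+Query:\s*(.*)$")


def parse_rule_show(text):
    """Turn tabular `rule show` text into Rule objects."""
    rules = []
    for line in text.splitlines():
        q = QUERY_RE.match(line)
        if q and rules:  # continuation line belonging to the previous rule
            rules[-1].query = q.group(1).strip()
            continue
        first = line.split()[0] if line.split() else ""
        if first in ("", "Vserver", "Required") or first.startswith("-"):
            continue  # blank, header or separator line
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(*m.groups()))
    return rules


def parse_query(query):
    """Split '-snapshot !hourly*,!daily* -vserver vs01' into {field: [globs]}."""
    fields, current = {}, None
    for tok in shlex.split(query):
        if tok.startswith("-"):
            current = tok.lstrip("-")
            fields[current] = []
        elif current is not None:
            fields[current].extend(tok.split(","))
    return fields


def is_protected(rule, **elements):
    """Does the rule's -query keep the given configuration element under MAV?

    Follows the page's reading of '!hourly*,!daily*,!weekly*': a value matching
    any negated glob is excluded; with only positive globs the value must match
    one of them; fields the query does not name are unconstrained.
    """
    for field, pats in parse_query(rule.query).items():
        if field not in elements:
            continue
        val = elements[field]
        negated = [p[1:] for p in pats if p.startswith("!")]
        positive = [p for p in pats if not p.startswith("!")]
        if any(fnmatch.fnmatchcase(val, p) for p in negated):
            return False
        if positive and not any(fnmatch.fnmatchcase(val, p) for p in positive):
            return False
    return True


def audit(rules):
    """Findings a reviewer wants before trusting the rule set."""
    findings = []
    operations = [r.operation for r in rules]
    for op in DEFAULT_PROTECTED:
        if op not in operations:
            findings.append(f"default protection removed: {op}")
    for r in rules:
        if "!" in r.query:
            findings.append(f"{r.operation}: query '{r.query}' leaves matching elements unprotected")
    return findings


def rule_create_command(operation, query=None, required_approvers=None,
                        approval_groups=(), auto_request_create=None):
    """Render one clustershell `rule create` line (parameter names assumed)."""
    parts = ["security multi-admin-verify rule create", f'-operation "{operation}"']
    if query:
        parts.append(f'-query "{query}"')
    if required_approvers is not None:
        parts.append(f"-required-approvers {required_approvers}")
    if approval_groups:
        parts.append(f"-approval-groups {','.join(approval_groups)}")
    if auto_request_create is not None:  # false: request create must be entered separately
        parts.append(f"-auto-request-create {'true' if auto_request_create else 'false'}")
    return " ".join(parts)


if __name__ == "__main__":
    rules = parse_rule_show(SAMPLE_RULE_SHOW)
    for finding in audit(rules):
        print("FINDING:", finding)
    for name in ("hourly.2024-05-01_0105", "pre-upgrade"):
        print(f"{name}: protected={is_protected(rules[0], snapshot=name)}")
    # Rule requiring approval to delete the root volume of SVM vs0 (assumed names).
    print(rule_create_command("volume delete", query="-vserver vs0 -volume vs0_root",
                              required_approvers=2, approval_groups=["storage-admins"]))
```

Run it against real rule show output pasted into SAMPLE_RULE_SHOW, or feed the output from an SSH session; the audit flags the unlock rule that was deleted and every rule whose negated query pattern leaves configuration elements deletable without approval, which is the condition the caveat under "Rule constraints" warns about.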