Manage protected operation rules

Contributors netapp-dbagwell netapp-forry netapp-aoife netapp-ahibbard netapp-lenida

You create multi-admin verification (MAV) rules to designate operations requiring approval. Whenever an operation is initiated, protected operations are intercepted and a request for approval is generated.

Rules can be created before enabling MAV by any administrator with appropriate RBAC capabilities, but once MAV is enabled, any modification to the rule set requires MAV approval.

Only one MAV rule can be created per operation; for example, you cannot make multiple volume-snapshot-delete rules. Any desired rule constraints must be contained within one rule.

Rule-protected commands

You can create rules to protect the following commands beginning with ONTAP 9.11.1:

  • cluster peer delete

  • event config modify

  • security login create

  • security login delete

  • security login modify

  • system node run

  • system node systemshell

  • volume delete

  • volume flexcache delete

  • volume snapshot autodelete modify

  • volume snapshot delete

  • volume snapshot policy add-schedule

  • volume snapshot policy create

  • volume snapshot policy delete

  • volume snapshot policy modify

  • volume snapshot policy modify-schedule

  • volume snapshot policy remove-schedule

  • volume snapshot restore

  • vserver peer delete

You can create rules to protect the following commands beginning with ONTAP 9.13.1:

  • volume snaplock modify

  • security anti-ransomware volume attack clear-suspect

  • security anti-ransomware volume disable

  • security anti-ransomware volume pause

You can create rules to protect the following commands beginning with ONTAP 9.14.1:

  • volume recovery-queue modify

  • volume recovery-queue purge

  • volume recovery-queue purge-all

  • vserver modify

The rules for MAV system-default commands, the security multi-admin-verify commands, cannot be altered.

In addition to the system-defined commands, the following commands are protected by default when multi-admin verification is enabled, but you can modify the rules to remove protection for these commands.

  • security login password

  • security login unlock

  • set

Rule constraints

When you create a rule, you can optionally specify the -query option to limit the request to a subset of the command functionality. The -query option can also be used to limit configuration elements, such as the SVM, the volume, and Snapshot names.

For example, in the volume snapshot delete command, -query can be set to -snapshot !hourly*,!daily*,!weekly*, meaning that volume Snapshots whose names are prefixed with hourly, daily, or weekly are excluded from MAV protections.

smci-vsim20::> security multi-admin-verify rule show
                                               Required  Approval
Vserver Operation                              Approvers Groups
------- -------------------------------------- --------- -------------
vs01    volume snapshot delete                 -         -
          Query: -snapshot !hourly*,!daily*,!weekly*

Note: Any excluded configuration elements would not be protected by MAV, and any administrator could delete or rename them.
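
The following is an added example, not NetApp code: a small audit helper that shows which Snapshot names fall outside MAV protection under the query above. It models the query the way this page describes it (a name matching any negated pattern is excluded) and does not reproduce the ONTAP query parser; the Snapshot names and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# The rule query shown on this page.
QUERY = "-snapshot !hourly*,!daily*,!weekly*"

# Constructed Snapshot names for illustration only.
SAMPLE_SNAPSHOTS = [
    "hourly.2024-05-01_0105",
    "daily.2024-05-01_0010",
    "weekly.2024-04-28_0015",
    "pre_upgrade_baseline",
    "hourly_manual_copy",      # not made by a schedule, but the prefix matches
    "snapmirror.constructed_2150",
]

def parse_snapshot_query(query):
    """Split '-snapshot !a*,b*' into (include_globs, exclude_globs)."""
    field, _, patterns = query.strip().partition(" ")
    if field != "-snapshot" or not patterns.strip():
        raise ValueError("this sketch only handles a single -snapshot field")
    include, exclude = [], []
    for term in patterns.split(","):
        term = term.strip()
        negated = term.startswith("!")
        glob = term[1:] if negated else term
        if not glob:
            raise ValueError("empty pattern in query: %r" % query)
        (exclude if negated else include).append(glob)
    return include, exclude

def is_mav_protected(name, include, exclude):
    """Assumed semantics: any negated match removes protection;
    if positive patterns exist, at least one of them must match."""
    if any(fnmatchcase(name, g) for g in exclude):
        return False
    return not include or any(fnmatchcase(name, g) for g in include)

def audit(query, names):
    """Return the names whose deletion would and would not need approval."""
    include, exclude = parse_snapshot_query(query)
    report = {"protected": [], "unprotected": []}
    for name in names:
        key = "protected" if is_mav_protected(name, include, exclude) else "unprotected"
        report[key].append(name)
    return report

if __name__ == "__main__":
    for state, names in audit(QUERY, SAMPLE_SNAPSHOTS).items():
        print(state, names)
```

Because the exclusion is by name, hourly_manual_copy lands in the unprotected list alongside the scheduled Snapshots, which is the gap the note above describes.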

By default, rules specify that a corresponding security multi-admin-verify request create "protected_operation" command is generated automatically when a protected operation is entered. You can modify this default to require that the request create command be entered separately.

By default, rules inherit the following global MAV settings, although you can specify rule-specific exceptions:

  • Required Number of Approvers

  • Approval Groups

  • Approval Expiry period

  • Execution Expiry period

System Manager procedure

If you want to add a protected operation rule for the first time, see the System Manager procedure to enable multi-admin verification.

To modify the existing rule set:

  1. Select Cluster > Settings.

  2. Select the gear icon next to Multi-Admin Approval in the Security section.

  3. Select the add icon to add at least one rule; you can also modify or delete existing rules.

    • Operation – Select a supported command from the list.

    • Query – Enter any desired command options and values.

    • Optional parameters – Leave blank to apply global settings, or assign a different value for specific rules to override the global settings.

      • Required number of approvers

      • Approval groups

CLI procedure

Note: All security multi-admin-verify rule commands require MAV administrator approval before execution except security multi-admin-verify rule show.

If you want to… Enter this command

Create a rule

security multi-admin-verify rule create -operation "protected_operation" [-query operation_subset] [parameters]

Modify credentials of current administrators

security login modify <parameters>

Example: the following rule requires approval to delete the root volume.

security multi-admin-verify rule create -operation "volume delete" -query "-vserver vs0"

Modify a rule

security multi-admin-verify rule modify -operation "protected_operation" [parameters]

Delete a rule

security multi-admin-verify rule delete -operation "protected_operation"

Show rules

security multi-admin-verify rule show

For command syntax details, see the security multi-admin-verify rule man pages.