security multi-admin-verify rule create

Create a rule

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The security multi-admin-verify rule create command creates a rule for the specified ONTAP operation.

Parameters

[-vserver <vserver>] - Vserver

This specifies the Vserver with which the rule is associated. This is an optional parameter. This parameter defaults to a Cluster server and supports only Cluster servers.

-operation <text> - Operation

This specifies the ONTAP operation information for the rule to be created.

[-auto-request-create {true|false}] - Automatic Request Creation

This specifies whether automatic request creation is enabled for the rule. Automatic request creation is enabled by default, with this value set to true.

[-query <query>] - Query

This specifies the query that limits the rule to a subset of the objects of the ONTAP operation. This is an optional parameter. If a query is not specified for the rule, the rule applies to all objects of the ONTAP operation.

[-required-approvers {<integer>|-}] - Required Number of Approvers

This specifies the required number of approvers to approve the ONTAP execution request. This is an optional parameter. If required-approvers is not specified for the rule, the required-approvers from the global setting is applied to the ONTAP operation request. The required-approvers from the global setting can be viewed using the security multi-admin-verify show command. The minimum supported value is 1.

[-approval-groups <text>,…] - Approval Groups

This specifies the list of users who can approve the ONTAP operation request. This is an optional parameter. If approval-groups is not specified for the rule, the approval-groups from the global setting is applied to the ONTAP operation request. The approval-groups from the global setting can be viewed using the security multi-admin-verify show command.

[-execution-expiry <[<integer>d][<integer>h][<integer>m][<integer>s]>] - Execution Expiry

This specifies the amount of time after a request has been approved by which the operation must be executed before the approved execution request expires. This is an optional parameter. If execution-expiry is not specified for the rule, the execution-expiry from the global setting is applied to the ONTAP execution request. The execution-expiry from the global setting can be viewed using the security multi-admin-verify show command. The default value is one hour (1h), the minimum supported value is one second (1s), and the maximum supported value is 14 days (14d).

[-approval-expiry <[<integer>d][<integer>h][<integer>m][<integer>s]>] - Approval Expiry

This specifies the amount of time after a new execution request is submitted by which approvers have to approve or disapprove the request before the pending execution request expires. This is an optional parameter. If approval-expiry is not specified for the rule, the approval-expiry from the global setting is applied to the ONTAP execution request. The approval-expiry from the global setting can be viewed using the security multi-admin-verify show command. The default value is one hour (1h), the minimum supported value is one second (1s), and the maximum supported value is 14 days (14d).

Examples

The following example creates a new rule for the ONTAP operation volume delete that requires 3 approvers and applies to Vserver vs0 objects:

cluster1::> security multi-admin-verify rule create -operation "volume delete" -query "-vserver vs0" -required-approvers 3
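
The following Python pre-flight check is an added example, not part of the ONTAP documentation or NetApp code. It validates rule arguments against the limits documented above (expiry syntax and the 1s to 14d range, at least 1 required approver) before a command line is sent to the cluster. The function names, the summing of duration components, and the rejection of embedded quotes and control characters are assumptions of this example.

```python
import re

# Syntax documented for both expiry parameters: [<integer>d][<integer>h][<integer>m][<integer>s]
_EXPIRY = re.compile(r"(?:([0-9]+)d)?(?:([0-9]+)h)?(?:([0-9]+)m)?(?:([0-9]+)s)?")
MIN_EXPIRY_S = 1               # documented minimum: 1s
MAX_EXPIRY_S = 14 * 86400      # documented maximum: 14d


def expiry_seconds(value):
    """Return an expiry such as '1d12h' in seconds; raise ValueError if invalid."""
    m = _EXPIRY.fullmatch(value)
    if not value or m is None:
        raise ValueError(f"not a [d][h][m][s] duration: {value!r}")
    d, h, mins, s = (int(g) if g else 0 for g in m.groups())
    total = d * 86400 + h * 3600 + mins * 60 + s   # assumption: components are summed
    if not MIN_EXPIRY_S <= total <= MAX_EXPIRY_S:
        raise ValueError(f"{value!r} is outside the supported range 1s to 14d")
    return total


def _quoted(text):
    # Assumption: refuse quotes and control characters rather than guess at escaping.
    if '"' in text or any(ord(c) < 32 for c in text):
        raise ValueError(f"unsupported character in {text!r}")
    return f'"{text}"'


def build_rule_create(operation, query=None, required_approvers=None,
                      approval_expiry=None, execution_expiry=None):
    """Validate the arguments and return the rule create command line."""
    if not operation:
        raise ValueError("-operation is required")
    cmd = ["security multi-admin-verify rule create", "-operation", _quoted(operation)]
    if query is not None:                  # no query: rule covers all objects
        cmd += ["-query", _quoted(query)]
    if required_approvers is not None:     # omitted: global setting applies
        if required_approvers < 1:
            raise ValueError("-required-approvers must be at least 1")
        cmd += ["-required-approvers", str(required_approvers)]
    for flag, value in (("-approval-expiry", approval_expiry),
                        ("-execution-expiry", execution_expiry)):
        if value is not None:              # omitted: global setting applies
            expiry_seconds(value)
            cmd += [flag, value]
    return " ".join(cmd)
```

Arguments left as None are not emitted, so the global settings shown by security multi-admin-verify show apply to them.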