Enable and disable multi-admin verification

Contributors netapp-aoife netapp-forry

Multi-admin verification (MAV) must be enabled explicitly. Once you have enabled multi-admin verification, approval by administrators in a MAV approval group (MAV administrators) is required to delete it.

About this task

Once MAV is enabled, modifying or disabling MAV requires MAV administrator approval.

Note If you need to disable multi-admin verification functionality without MAV administrator approval, contact NetApp Support and mention the following Knowledge Base article: How to disable Multi-Admin Verification if MAV admin is unavailable.

When you enable MAV, you can specify the following parameters globally.

Approval groups

A list of global approval groups. At least one group is required to enable MAV functionality.

Required approvers

The number of approvers required to execute a protected operation. The default and minimum number is 1.

Note: The required number of approvers must be less than the total number of unique approvers in the default approval groups.

Approval expiry (hours, minutes, seconds)

The period within which a MAV administrator must respond to an approval request. The default value is one hour (1h), the minimum supported value is one second (1s), and the maximum supported value is 14 days (14d).

Execution expiry (hours, minutes, seconds)

The period within which the requesting administrator must complete the:: operation. The default value is one hour (1h), the minimum supported value is one second (1s), and the maximum supported value is 14 days (14d).

You can also override any of these parameters for specific operation rules.

System Manager procedure

  1. Identify administrators to receive multi-admin verification.

    1. Click Cluster > Settings.

    2. Click blue arrow icon next to Users and Roles.

    3. Click add icon under Users.

    4. Modify the roster as needed.

      For more information, see Control administrator access.

  2. Enable multi-admin verification by creating at least one approval group and adding at least one rule.

    1. Click Cluster > Settings.

    2. Click gear icon next to Multi-Admin Approval in the Security section.

    3. Click add icon to add at least one approval group.

      • Name – Enter a group name.

      • Approvers – Select approvers from a list of users.

      • Email address – Enter email address(es).

      • Default group – Select a group.

    4. Add at least one rule.

      • Operation – Select a supported command from the list.

      • Query – Enter any desired command options and values.

      • Optional parameters; leave blank to apply global settings, or assign a different value for specific rules to override the global settings.

        • Required number of approvers

        • Approval groups

    5. Click Advanced Settings to view or modify defaults.

      • Required number of approvers (default: 1)

      • Execution request expiry (default: 1 hour)

      • Approval request expiry (default: 1hour)

      • Mail server*

      • From email address*

        *These update the email settings managed under "Notification Management". You are prompted to set them if they have not yet been configured.

    6. Click Enable to complete MAV initial configuration.

After initial configuration, the current MAV status is displayed in the Multi-Admin Approval tile.

  • Status (enabled or not)

  • Active operations for which approvals are required

  • Number of open requests in pending state

You can display an existing configuration by clicking blue arrow icon. MAV approval is required to edit an existing configuration.

To disable multi-admin verification:

  1. Click Cluster > Settings.

  2. Click gear icon next to Multi-Admin Approval in the Security section.

  3. Click the Enabled toggle button.

    MAV approval is required to complete this operation.

CLI procedure

Before enabling MAV functionality at the CLI, at least one MAV administrator group must have been created.

If you want to… Enter this command

Enable MAV functionality

security multi-admin-verify modify -approval-groups group1[,group2…​] [-required-approvers nn ] -enabled true [ -execution-expiry [nnh][nnm][nns]] [ -approval-expiry [nnh][nnm][nns]]

Example : the following command enables MAV with 1 approval group, 2 required approvers, and default expiry periods.

cluster-1::> security multi-admin-verify modify -approval-groups mav-grp1 -required-approvers 2 -enabled true

Complete initial configuration by adding at least one operation rule.

Modify a MAV configuration (requires MAV approval)

security multi-admin-verify approval-group modify [-approval-groups group1[,group2…​]] [-required-approvers nn ] [ -execution-expiry [nnh][nnm][nns]] [ -approval-expiry [nnh][nnm][nns]]

Verify MAV functionality

security multi-admin-verify show

Example:

cluster-1::> security multi-admin-verify show
Is      Required  Execution Approval Approval
Enabled Approvers Expiry    Expiry   Groups
------- --------- --------- -------- ----------
true    2         1h        1h       mav-grp1

Disable MAV functionality (requires MAV approval)

security multi-admin-verify modify -enabled false