Enable and disable multi-admin verification

07/25/2024 Contributors

Multi-admin verification (MAV) must be enabled explicitly. Once you have enabled multi-admin verification, approval by administrators in a MAV approval group (MAV administrators) is required to delete it.

About this task

Once MAV is enabled, modifying or disabling MAV requires MAV administrator approval.

If you need to disable multi-admin verification functionality without MAV administrator approval, contact NetApp Support and mention the following Knowledge Base article: How to disable Multi-Admin Verification if MAV admin is unavailable.

When you enable MAV, you can specify the following parameters globally.

Approval groups: A list of global approval groups. At least one group is required to enable MAV functionality.

If you are using MAV with Autonomous Ransomware Protection (ARP), define a new or existing approval group that is responsible for approving ARP pause, disable, and clear suspect requests.

Required approvers

The number of approvers required to execute a protected operation. The default and minimum number is 1.

The required number of approvers must be less than the total number of unique approvers in the default approval groups.

Approval expiry (hours, minutes, seconds)

The period within which a MAV administrator must respond to an approval request. The default value is one hour (1h), the minimum supported value is one second (1s), and the maximum supported value is 14 days (14d).

Execution expiry (hours, minutes, seconds)

The period within which the requesting administrator must complete the:: operation. The default value is one hour (1h), the minimum supported value is one second (1s), and the maximum supported value is 14 days (14d).

You can also override any of these parameters for specific operation rules.

System Manager procedure

Identify administrators to receive multi-admin verification.
1. Click Cluster > Settings.
2. Click next to Users and Roles.
3. Click under Users.
4. Modify the roster as needed.
  
  For more information, see Control administrator access.
Enable multi-admin verification by creating at least one approval group and adding at least one rule.
1. Click Cluster > Settings.
2. Click next to Multi-Admin Approval in the Security section.
3. Click to add at least one approval group.
  - Name – Enter a group name.
  - Approvers – Select approvers from a list of users.
  - Email address – Enter email address(es).
  - Default group – Select a group.
4. Add at least one rule.
  - Operation – Select a supported command from the list.
  - Query – Enter any desired command options and values.
  - Optional parameters; leave blank to apply global settings, or assign a different value for specific rules to override the global settings.
    
    Required number of approvers
    
    Approval groups
5. Click Advanced Settings to view or modify defaults.
  - Required number of approvers (default: 1)
  - Execution request expiry (default: 1 hour)
  - Approval request expiry (default: 1hour)
  - Mail server*
  - From email address*
    
    *These update the email settings managed under "Notification Management". You are prompted to set them if they have not yet been configured.
6. Click Enable to complete MAV initial configuration.

After initial configuration, the current MAV status is displayed in the Multi-Admin Approval tile.

Status (enabled or not)
Active operations for which approvals are required
Number of open requests in pending state

You can display an existing configuration by clicking Arrow icon . MAV approval is required to edit an existing configuration.

To disable multi-admin verification:

Click Cluster > Settings.
Click next to Multi-Admin Approval in the Security section.
Click the Enabled toggle button.

MAV approval is required to complete this operation.

CLI procedure

Before enabling MAV functionality at the CLI, at least one MAV administrator group must have been created.

If you want to… Enter this command

If you want to…	Enter this command
Enable MAV functionality	`security multi-admin-verify modify -approval-groups group1[,group2…] [-required-approvers nn ] -enabled true [ -execution-expiry [nnh][nnm][nns]] [ -approval-expiry [nnh][nnm][nns]]` Example : the following command enables MAV with 1 approval group, 2 required approvers, and default expiry periods. cluster-1::> security multi-admin-verify modify -approval-groups mav-grp1 -required-approvers 2 -enabled true Complete initial configuration by adding at least one operation rule.
Modify a MAV configuration (requires MAV approval)	`security multi-admin-verify approval-group modify [-approval-groups group1[,group2…]] [-required-approvers nn ] [ -execution-expiry [nnh][nnm][nns]] [ -approval-expiry [nnh][nnm][nns]]`
Verify MAV functionality	`security multi-admin-verify show` Example: cluster-1::> security multi-admin-verify show Is Required Execution Approval Approval Enabled Approvers Expiry Expiry Groups ------- --------- --------- -------- ---------- true 2 1h 1h mav-grp1
Disable MAV functionality (requires MAV approval)	`security multi-admin-verify modify -enabled false`

Enable MAV functionality

security multi-admin-verify modify -approval-groups group1[,group2…] [-required-approvers nn ] -enabled true [ -execution-expiry [nnh][nnm][nns]] [ -approval-expiry [nnh][nnm][nns]]

Example : the following command enables MAV with 1 approval group, 2 required approvers, and default expiry periods.

cluster-1::> security multi-admin-verify modify -approval-groups mav-grp1 -required-approvers 2 -enabled true

Complete initial configuration by adding at least one operation rule.

Modify a MAV configuration (requires MAV approval)

security multi-admin-verify approval-group modify [-approval-groups group1[,group2…]] [-required-approvers nn ] [ -execution-expiry [nnh][nnm][nns]] [ -approval-expiry [nnh][nnm][nns]]

Verify MAV functionality

security multi-admin-verify show

Example:

cluster-1::> security multi-admin-verify show
Is      Required  Execution Approval Approval
Enabled Approvers Expiry    Expiry   Groups
------- --------- --------- -------- ----------
true    2         1h        1h       mav-grp1

Disable MAV functionality (requires MAV approval)

security multi-admin-verify modify -enabled false

Enable and disable multi-admin verification

Creating your file...

System Manager procedure

CLI procedure