Skip to main content

ONTAP multi-admin verification overview

Contributors netapp-dbagwell netapp-forry netapp-aherbin netapp-lenida

Beginning with ONTAP 9.11.1, you can use multi-admin verification (MAV) to ensure that certain operations, such as deleting volumes or Snapshot copies, can be executed only after approvals from designated administrators. This prevents compromised, malicious, or inexperienced administrators from making undesirable changes or deleting data.

Configuring multi-admin verification consists of:

After initial configuration, these elements can be modified only by administrators in a MAV approval group (MAV administrators).

When multi-admin verification is enabled, the completion of every protected operation requires these steps:

  1. When a user initiates the operation, a request is generated.

  2. Before the operation can be executed, at least one MAV administrator must approve.

  3. Upon approval, the user is prompted and completes the operation.

Note If you need to disable multi-admin verification functionality without MAV administrator approval, contact NetApp Support and mention the following Knowledge Base article: How to disable Multi-Admin Verification if MAV admin is unavailable.

Multi-admin verification is not intended for use with volumes or workflows that involve heavy automation, because each automated task would require approval before the operation could be completed. If you want to use automation and MAV together, it's recommended that you use queries for specific MAV operations. For example, you could apply volume delete MAV rules only to volumes where automation is not involved, and you could designate those volumes with a particular naming scheme.

Note Multi-admin verification is not available with Cloud Volumes ONTAP.

How multi-admin verification works

Multi-admin verification consists of:

  • A group of one or more administrators with approval and veto powers.

  • A set of protected operations or commands in a rules table.

  • A rules engine to identify and control execution of protected operations.

MAV rules are evaluated after role-based access control (RBAC) rules. Therefore, administrators who execute or approve protected operations must already possess the minimum RBAC privileges for those operations. Learn more about RBAC.

System-defined rules

When multi-admin verification is enabled, system-defined rules (also known as guard-rail rules) establish a set of MAV operations to contain the risk of circumventing the MAV process itself. These operations cannot be removed from the rules table. Once MAV is enabled, operations designated by an asterisk ( * ) require approval by one or more administrators before execution, except for show commands.

  • security multi-admin-verify modify operation *

    Controls the configuration of multi-admin verification functionality.

  • security multi-admin-verify approval-group operations *

    Control membership in the set of administrators with multi-admin verification credentials.

  • security multi-admin-verify rule operations *

    Control the set of commands requiring multi-admin verification.

  • security multi-admin-verify request operations

    Control the approval process.

Rule-protected commands

In addition to system-defined operations, the following commands are protected by default when multi-admin verification is enabled, but you can modify the rules to remove protection for these commands.

  • security login password

  • security login unlock

  • set

Each ONTAP version provides more commands you can choose to protect with multi-admin verification rules. Choose your ONTAP release for the full list of commands available for protection.

9.16.1
  • cluster date modify 3

  • cluster log-forwarding create 3

  • cluster log-forwarding delete 3

  • cluster log-forwarding modify 3

  • cluster peer delete

  • cluster time-service ntp server create 3

  • cluster time-service ntp server delete 3

  • cluster time-service ntp server key create 3

  • cluster time-service ntp server key delete 3

  • cluster time-service ntp server key modify 3

  • cluster time-service ntp server modify 3

  • event config modify

  • lun delete 3

  • security anti-ransomware volume attack clear-suspect 1

  • security anti-ransomware volume disable 1

  • security anti-ransomware volume event-log modify 2

  • security anti-ransomware volume pause 1

  • security anti-ransomware vserver event-log modify 2

  • security audit modify 3

  • security ipsec config modify 3

  • security ipsec policy create 3

  • security ipsec policy delete 3

  • security ipsec policy modify 3

  • security login create

  • security login delete

  • security login modify

  • security key-manager onboard update-passphrase 3

  • security saml-sp create 3

  • security saml-sp delete 3

  • security saml-sp modify 3

  • snaplock legal-hold end 3

  • storage aggregate delete 3

  • storage aggregate offline 4

  • storage encryption disk destroy 3

  • storage encryption disk modify 3

  • storage encryption disk revert-to-original-state 3

  • storage encryption disk sanitize 3

  • system bridge run-cli 3

  • system controller flash-cache secure-erase run 3

  • system controller service-event delete 3

  • system health alert delete 3

  • system health alert modify 3

  • system health policy definition modify 3

  • system node autosupport modify 3

  • system node autosupport trigger modify 3

  • system node coredump delete 3

  • system node coredump delete-all 3

  • system node hardware nvram-encryption modify 3

  • system node run

  • system node systemshell

  • system script delete 3

  • system service-processor ssh add-allowed-addresses 3

  • system service-processor ssh remove-allowed-addresses 3

  • system smtape restore 3

  • system switch ethernet log disable-collection 3

  • system switch ethernet log modify 3

  • timezone 3

  • volume create 3

  • volume delete

  • volume encryption conversion start 4

  • volume encryption rekey start 4

  • volume file privileged-delete 3

  • volume flexcache delete

  • volume modify 3

  • volume recovery-queue modify 2

  • volume recovery-queue purge 2

  • volume recovery-queue purge-all 2

  • volume snaplock modify 1

  • volume snapshot autodelete modify

  • volume snapshot create 3

  • volume snapshot delete

  • volume snapshot modify 3

  • volume snapshot policy add-schedule

  • volume snapshot policy create

  • volume snapshot policy delete

  • volume snapshot policy modify

  • volume snapshot policy modify-schedule

  • volume snapshot policy remove-schedule

  • volume snapshot rename 3

  • volume snapshot restore

  • vserver audit create 3

  • vserver audit delete 3

  • vserver audit disable 3

  • vserver audit modify 3

  • vserver audit rotate-log 3

  • vserver create 2

  • vserver consistency-group create 4

  • vserver consistency-group delete 4

  • vserver consistency-group modify 4

  • vserver consistency-group snapshot create 4

  • vserver consistency-group snapshot delete 4

  • vserver delete 3

  • vserver modify 2

  • vserver object-store-server audit create 3

  • vserver object-store-server audit delete 3

  • vserver object-store-server audit disable 3

  • vserver object-store-server audit modify 3

  • vserver object-store-server audit rotate-log 3

  • vserver options 3

  • vserver peer delete

  • vserver security file-directory apply 3

  • vserver security file-directory remove-slag 3

  • vserver stop 4

  • vserver vscan disable 3

  • vserver vscan on-access-policy create 3

  • vserver vscan on-access-policy delete 3

  • vserver vscan on-access-policy disable 3

  • vserver vscan on-access-policy modify 3

  • vserver vscan scanner-pool create 3

  • vserver vscan scanner-pool delete 3

  • vserver vscan scanner-pool modify 3

9.15.1
  • cluster date modify 3

  • cluster log-forwarding create 3

  • cluster log-forwarding delete 3

  • cluster log-forwarding modify 3

  • cluster peer delete

  • cluster time-service ntp server create 3

  • cluster time-service ntp server delete 3

  • cluster time-service ntp server key create 3

  • cluster time-service ntp server key delete 3

  • cluster time-service ntp server key modify 3

  • cluster time-service ntp server modify 3

  • event config modify

  • lun delete 3

  • security anti-ransomware volume attack clear-suspect 1

  • security anti-ransomware volume disable 1

  • security anti-ransomware volume event-log modify 2

  • security anti-ransomware volume pause 1

  • security anti-ransomware vserver event-log modify 2

  • security audit modify 3

  • security ipsec config modify 3

  • security ipsec policy create 3

  • security ipsec policy delete 3

  • security ipsec policy modify 3

  • security login create

  • security login delete

  • security login modify

  • security key-manager onboard update-passphrase 3

  • security saml-sp create 3

  • security saml-sp delete 3

  • security saml-sp modify 3

  • snaplock legal-hold end 3

  • storage aggregate delete 3

  • storage encryption disk destroy 3

  • storage encryption disk modify 3

  • storage encryption disk revert-to-original-state 3

  • storage encryption disk sanitize 3

  • system bridge run-cli 3

  • system controller flash-cache secure-erase run 3

  • system controller service-event delete 3

  • system health alert delete 3

  • system health alert modify 3

  • system health policy definition modify 3

  • system node autosupport modify 3

  • system node autosupport trigger modify 3

  • system node coredump delete 3

  • system node coredump delete-all 3

  • system node hardware nvram-encryption modify 3

  • system node run

  • system node systemshell

  • system script delete 3

  • system service-processor ssh add-allowed-addresses 3

  • system service-processor ssh remove-allowed-addresses 3

  • system smtape restore 3

  • system switch ethernet log disable-collection 3

  • system switch ethernet log modify 3

  • timezone 3

  • volume create 3

  • volume delete

  • volume file privileged-delete 3

  • volume flexcache delete

  • volume modify 3

  • volume recovery-queue modify 2

  • volume recovery-queue purge 2

  • volume recovery-queue purge-all 2

  • volume snaplock modify 1

  • volume snapshot autodelete modify

  • volume snapshot create 3

  • volume snapshot delete

  • volume snapshot modify 3

  • volume snapshot policy add-schedule

  • volume snapshot policy create

  • volume snapshot policy delete

  • volume snapshot policy modify

  • volume snapshot policy modify-schedule

  • volume snapshot policy remove-schedule

  • volume snapshot rename 3

  • volume snapshot restore

  • vserver audit create 3

  • vserver audit delete 3

  • vserver audit disable 3

  • vserver audit modify 3

  • vserver audit rotate-log 3

  • vserver create 2

  • vserver delete 3

  • vserver modify 2

  • vserver object-store-server audit create 3

  • vserver object-store-server audit delete 3

  • vserver object-store-server audit disable 3

  • vserver object-store-server audit modify 3

  • vserver object-store-server audit rotate-log 3

  • vserver options 3

  • vserver peer delete

  • vserver security file-directory apply 3

  • vserver security file-directory remove-slag 3

  • vserver vscan disable 3

  • vserver vscan on-access-policy create 3

  • vserver vscan on-access-policy delete 3

  • vserver vscan on-access-policy disable 3

  • vserver vscan on-access-policy modify 3

  • vserver vscan scanner-pool create 3

  • vserver vscan scanner-pool delete 3

  • vserver vscan scanner-pool modify 3

9.14.1
  • cluster peer delete

  • event config modify

  • security anti-ransomware volume attack clear-suspect 1

  • security anti-ransomware volume disable 1

  • security anti-ransomware volume event-log modify 2

  • security anti-ransomware volume pause 1

  • security anti-ransomware vserver event-log modify 2

  • security login create

  • security login delete

  • security login modify

  • system node run

  • system node systemshell

  • volume delete

  • volume flexcache delete

  • volume recovery-queue modify 2

  • volume recovery-queue purge 2

  • volume recovery-queue purge-all 2

  • volume snaplock modify 1

  • volume snapshot autodelete modify

  • volume snapshot delete

  • volume snapshot policy add-schedule

  • volume snapshot policy create

  • volume snapshot policy delete *

  • volume snapshot policy modify

  • volume snapshot policy modify-schedule

  • volume snapshot policy remove-schedule

  • volume snapshot restore

  • vserver create 2

  • vserver modify 2

  • vserver peer delete

9.13.1
  • cluster peer delete

  • event config modify

  • security anti-ransomware volume attack clear-suspect 1

  • security anti-ransomware volume disable 1

  • security anti-ransomware volume pause 1

  • security login create

  • security login delete

  • security login modify

  • system node run

  • system node systemshell

  • volume delete

  • volume flexcache delete

  • volume snaplock modify 1

  • volume snapshot autodelete modify

  • volume snapshot delete

  • volume snapshot policy add-schedule

  • volume snapshot policy create

  • volume snapshot policy delete *

  • volume snapshot policy modify

  • volume snapshot policy modify-schedule

  • volume snapshot policy remove-schedule

  • volume snapshot restore

  • vserver peer delete

9.12.1/9.11.1
  • cluster peer delete

  • event config modify

  • security login create

  • security login delete

  • security login modify

  • system node run

  • system node systemshell

  • volume delete

  • volume flexcache delete

  • volume snapshot autodelete modify

  • volume snapshot delete

  • volume snapshot policy add-schedule

  • volume snapshot policy create

  • volume snapshot policy delete *

  • volume snapshot policy modify

  • volume snapshot policy modify-schedule

  • volume snapshot policy remove-schedule

  • volume snapshot restore

  • vserver peer delete

  1. New rule-protected command for 9.13.1

  2. New rule-protected command for 9.14.1

  3. New rule-protected command for 9.15.1

  4. New rule-protected command for 9.16.1

*This command is only available with CLI and is unavailable for System Manager in some releases.

How multi-admin approval works

Any time a protected operation is entered on a MAV-protected cluster, an operation execution request is sent to the designated MAV administrator group.

You can configure:

  • The names, contact information, and number of administrators in the MAV group.

    A MAV administrator should have an RBAC role with cluster administrator privileges.

  • The number of MAV administrator groups.

    • A MAV group is assigned for each protected operation rule.

    • For multiple MAV groups, you can configure which MAV group approves a given rule.

  • The number of MAV approvals required to execute a protected operation.

  • An approval expiry period within which a MAV administrator must respond to an approval request.

  • An execution expiry period within which the requesting administrator must complete the operation.

Once these parameters are configured, MAV approval is required to modify them.

MAV administrators cannot approve their own requests to execute protected operations. Therefore:

  • MAV should not be enabled on clusters with only one administrator.

  • If there is only one person in the MAV group, that MAV administrator cannot initiate protected operations; regular administrators must initiate protected operations, and the MAV administrator can only approve.

  • If you want MAV administrators to be able to execute protected operations, the number of MAV administrators must be one greater than the number of approvals required. For example, if two approvals are required for a protected operation, and you want MAV administrators to execute them, there must be three people in the MAV administrators group.

MAV administrators can receive approval requests in email alerts (using EMS) or they can query the request queue. When they receive a request, they can take one of three actions:

  • Approve

  • Reject (veto)

  • Ignore (no action)

Email notifications are sent to all approvers associated with a MAV rule when:

  • A request is created.

  • A request is approved or vetoed.

  • An approved request is executed.

If the requestor is in the same approval group for the operation, they will receive an email when their request is approved.

Note A requestor can't approve their own requests even if they are in the approval group (although they can get email notifications for their own requests). Requestors who are not in approval groups (that is, who are not MAV administrators) don't receive email notifications.

How protected operation execution works

If execution is approved for a protected operation, the requesting user continues with the operation when prompted. If the operation is vetoed, the requesting user must delete the request before proceeding.

MAV rules are evaluated after RBAC permissions. As a result, a user without sufficient RBAC permissions for operation execution cannot initiate the MAV request process.