Manage administrator approval groups

Contributors netapp-aoife netapp-forry

Before enabling multi-admin verification (MAV), you must create an admin approval group containing one or more administrators to be granted approve or veto authority. Once you have enabled multi-admin verification, any modifications to approval group membership require approval from one of the existing qualified administrators.

About this task

You can add existing administrators to a MAV group or create new administrators.

MAV functionality honors existing role-based access control (RBAC) settings. Potential MAV administrators must have sufficient privilege to execute protected operations before they are added to MAV administrator groups. Learn more about RBAC.

You can configure MAV to alert MAV administrators that approval requests are pending. To do so, you must configure email notifications, in particular the Mail From and Mail Server parameters. Alternatively, you can clear these parameters to disable notification. Without email alerts, MAV administrators must check the approval queue manually.

System Manager procedure

If you want to create a MAV approval group for the first time, see the System Manager procedure to enable multi-admin verification.

To modify an existing approval group or create an additional approval group:

  1. Identify administrators to receive multi-admin verification.

    1. Click Cluster > Settings.

    2. Click the blue arrow icon next to Users and Roles.

    3. Click the add icon under Users.

    4. Modify the roster as needed.

      For more information, see Control administrator access.

  2. Create or modify the MAV approval group:

    1. Click Cluster > Settings.

    2. Click the blue arrow icon next to Multi-Admin Approval in the Security section. (You will see the gear icon if MAV is not yet configured.)

      • Name: enter a group name.

      • Approvers: select approvers from a list of users.

      • Email address: enter email address(es).

      • Default group: select a group.

MAV approval is required to edit an existing configuration once MAV is enabled.

CLI procedure

  1. Verify that values have been set for the Mail From and Mail Server parameters. Enter:

    event config show

    The display should be similar to the following:

    cluster01::> event config show
                               Mail From:  admin@localhost
                             Mail Server:  localhost
                               Proxy URL:  -
                              Proxy User:  -
     Publish/Subscribe Messaging Enabled:  true

    To configure these parameters, enter:

    event config modify -mail-from email_address -mail-server server_name

  2. Identify administrators to receive multi-admin verification.

    If you want to…                               Enter this command
    Display current administrators                security login show
    Modify credentials of current administrators  security login modify <parameters>
    Create new administrator accounts             security login create -user-or-group-name admin_name -application ssh -authentication-method password

  3. Create the MAV approval group:

    security multi-admin-verify approval-group create [-vserver svm_name] -name group_name -approvers approver1[,approver2…] [-email address1[,address2…]]

    • -vserver - Only the admin SVM is supported in this release.

    • -name - The MAV group name, up to 64 characters.

    • -approvers - The list of one or more approvers.

    • -email - One or more email addresses that are notified when a request is created, approved, vetoed, or executed.

      Example: The following command creates a MAV group with two members and associated email addresses.

      cluster-1::> security multi-admin-verify approval-group create -name mav-grp1 -approvers pavan,julia -email pavan@myfirm.com,julia@myfirm.com

  4. Verify group creation and membership:

    security multi-admin-verify approval-group show [-instance]

    Example:

    cluster-1::> security multi-admin-verify approval-group show -instance
    Vserver  Name             Approvers           Email
    -------  ---------------- ------------------  ------------------------------------------------------------
    svm-1    mav-grp1         pavan,julia         email pavan@myfirm.com,julia@myfirm.com
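
The following is an added example, not NetApp code: a pre-flight check for the CLI procedure above that parses a captured `event config show` display, reports unset mail parameters (which leave approvers without email alerts), and builds the `approval-group create` command after checking the limits stated on this page. It assumes unset values display as `-`, as in the sample output; the function names and the extra character check are assumptions of this example.

```python
import re

# Constructed sample: the `event config show` display from step 1, captured as text.
SAMPLE_EVENT_CONFIG = """\
                           Mail From:  admin@localhost
                         Mail Server:  localhost
                           Proxy URL:  -
                          Proxy User:  -
 Publish/Subscribe Messaging Enabled:  true
"""

def parse_event_config(text):
    """Turn 'Label:  value' lines into a dict; '-' (unset) becomes None."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s+(\S.*?)\s*$", line)
        if m:  # prompt lines such as 'cluster01::> ...' do not match
            value = m.group(2)
            cfg[m.group(1).strip()] = None if value == "-" else value
    return cfg

def notification_gaps(cfg):
    """Return the mail parameters that are unset, which disables MAV email alerts."""
    return [k for k in ("Mail From", "Mail Server") if not cfg.get(k)]

def build_group_create(name, approvers, emails=(), vserver=None):
    """Check the page's limits (name up to 64 chars, one or more approvers)."""
    if not name or len(name) > 64:
        raise ValueError("group name must be 1 to 64 characters")
    if not approvers:
        raise ValueError("at least one approver is required")
    # Assumption of this example: reject characters that would split the
    # comma-separated lists or the command line itself.
    bad = [v for v in [name, *approvers, *emails] if re.search(r"[\s,;|&]", v)]
    if bad:
        raise ValueError(f"unsafe characters in: {bad}")
    cmd = ["security multi-admin-verify approval-group create"]
    if vserver:
        cmd.append(f"-vserver {vserver}")
    cmd += [f"-name {name}", f"-approvers {','.join(approvers)}"]
    if emails:
        cmd.append(f"-email {','.join(emails)}")
    return " ".join(cmd)

if __name__ == "__main__":
    gaps = notification_gaps(parse_event_config(SAMPLE_EVENT_CONFIG))
    print("unset mail parameters:", gaps or "none")
    print(build_group_create("mav-grp1", ["pavan", "julia"],
                             ["pavan@myfirm.com", "julia@myfirm.com"]))
```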

Use these commands to modify your initial MAV group configuration.

Note: All of these commands require MAV administrator approval before execution.

If you want to…                                                         Enter this command
Modify the group characteristics or modify existing member information  security multi-admin-verify approval-group modify [parameters]
Add or remove members                                                   security multi-admin-verify approval-group replace [-vserver svm_name] -name group_name [-approvers-to-add approver1[,approver2…]] [-approvers-to-remove approver1[,approver2…]]
Delete a group                                                          security multi-admin-verify approval-group delete [-vserver svm_name] -name group_name