Manage protected operation rules
You create multi-admin verification (MAV) rules to designate operations requiring approval. Whenever an operation is initiated, protected operations are intercepted and a request for approval is generated.
Rules can be created before enabling MAV by any administrator with appropriate RBAC capabilities, but once MAV is enabled, any modification to the rule set requires MAV approval.
Rule-protected commands
You can create rules to protect the following commands beginning with ONTAP 9.11.1.
You can create rules to protect the following commands beginning with ONTAP 9.13.1:
- volume snaplock modify
- security anti-ransomware volume attack clear-suspect
- security anti-ransomware volume disable
- security anti-ransomware volume pause
You can create rules to protect the following commands beginning with ONTAP 9.14.1:
- volume recovery-query modify
- volume recovery-query purge
- volume recovery-query purge-all
- vserver modify
The rules for the MAV system-default commands (the security multi-admin-verify commands themselves) cannot be altered.
In addition to the system-defined commands, the following commands are protected by default when multi-admin verification is enabled, but you can modify the rules to remove protection for these commands:
- security login password
- security login unlock
- set
When you create a rule, you can optionally specify the -query option to limit the request to a subset of the command functionality. For example, in the default set rule, -query is set to -privilege diag, meaning that a request is generated for the set command only when -privilege diag is specified.
smci-vsim20::> security multi-admin-verify rule show
                                               Required  Approval
Vserver Operation                              Approvers Groups
------- -------------------------------------- --------- -------------
vs01    set                                    -         -
          Query: -privilege diagnostic
By default, rules specify that a corresponding security multi-admin-verify request create "protected_operation" command is generated automatically when a protected operation is entered. You can modify this default to require that the request create command be entered separately.
By default, rules inherit the following global MAV settings, although you can specify rule-specific exceptions:
- Required Number of Approvers
- Approval Groups
- Approval Expiry period
- Execution Expiry period
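The two behaviours described above (a -query narrowing which invocations of an operation are intercepted, and rules inheriting the global settings unless they override them) can be modelled as a small policy evaluator. This is an added illustration, not ONTAP code; the rule set, the global values and the settings dictionary it returns are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class GlobalSettings:
    required_approvers: int
    approval_groups: tuple
    approval_expiry: str    # constructed placeholder values such as "1h"
    execution_expiry: str

@dataclass(frozen=True)
class Rule:
    operation: str
    query: dict = field(default_factory=dict)  # option -> value, e.g. {"-privilege": "diagnostic"}
    required_approvers: Optional[int] = None    # None means "inherit the global setting"
    approval_groups: Optional[tuple] = None
    approval_expiry: Optional[str] = None
    execution_expiry: Optional[str] = None

def split_command(cmdline):
    """'set -privilege diagnostic' -> ('set', {'-privilege': 'diagnostic'})."""
    tokens = cmdline.split()
    n = 0
    while n < len(tokens) and not tokens[n].startswith("-"):
        n += 1                     # leading non-option words form the operation
    opts = {tokens[i]: tokens[i + 1] for i in range(n, len(tokens) - 1, 2)}
    return " ".join(tokens[:n]), opts

def evaluate(rules, glob, cmdline):
    """Return None if the command is not intercepted, otherwise the effective
    settings the automatically generated approval request would carry."""
    operation, opts = split_command(cmdline)
    for r in rules:
        if r.operation != operation:
            continue
        # A -query narrows interception to invocations that carry every
        # option/value pair of the query; other invocations pass through.
        if any(opts.get(k) != v for k, v in r.query.items()):
            continue
        def pick(own, default):   # rule-specific value wins over the global one
            return default if own is None else own
        return {"operation": operation,
                "required_approvers": pick(r.required_approvers, glob.required_approvers),
                "approval_groups": pick(r.approval_groups, glob.approval_groups),
                "approval_expiry": pick(r.approval_expiry, glob.approval_expiry),
                "execution_expiry": pick(r.execution_expiry, glob.execution_expiry)}
    return None

# Constructed rule set: the default 'set' rule plus a 9.13.1 command with an override.
GLOBAL = GlobalSettings(1, ("admin-approvers",), "1h", "1h")
RULES = (Rule("set", query={"-privilege": "diagnostic"}),
         Rule("volume snaplock modify", required_approvers=2))
```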
System Manager procedure
If you want to add a protected operation rule for the first time, see the System Manager procedure to enable multi-admin verification.
To modify the existing rule set:
- Select Cluster > Settings.
- Select next to Multi-Admin Approval in the Security section.
- Select to add at least one rule; you can also modify or delete existing rules.
- Operation – Select a supported command from the list.
- Query – Enter any desired command options and values.
- Optional parameters – Leave blank to apply global settings, or assign a different value for specific rules to override the global settings.
  - Required number of approvers
  - Approval groups
CLI procedure
All security multi-admin-verify rule commands require MAV administrator approval before execution except security multi-admin-verify rule show.
If you want to… | Enter this command
---|---
Create a rule | security multi-admin-verify rule create
Modify a rule | security multi-admin-verify rule modify
Delete a rule | security multi-admin-verify rule delete
Show rules | security multi-admin-verify rule show
Example: the following rule requires approval to delete the root volume.
For command syntax details, see the security multi-admin-verify rule man pages.