Multi-admin verification
Beginning with ONTAP 9.11.1, you can use multi-admin verification (MAV) to allow certain operations, such as deleting volumes or Snapshot copies, to be executed only after approvals from designated administrators. This prevents compromised, malicious, or inexperienced administrators from making undesirable changes or deleting data.
Configuring MAV consists of the following:
After initial configuration, only administrators in a MAV approval group (MAV administrators) can modify these elements.
When MAV is enabled, the completion of every protected operation requires three steps:
-
When a user initiates the operation, a request is generated.
-
Before it can be executed, the required number of MAV administrators must approve.
-
After approval, the user completes the operation.
MAV is not intended for use with volumes or workflows that involve heavy automation because each automated task requires approval before the operation can be completed. If you want to use automation and MAV together, NetApp recommends that you use queries for specific MAV operations. For example, you can apply volume delete
MAV rules only to volumes where automation is not involved, and you can designate those volumes with a particular naming scheme.
For more detailed information about MAV, see the ONTAP multi-admin verification documentation.