
Hello, tech enthusiasts!
We all know how critical security is in the world of storage. An accidental deletion or data loss caused by a malicious administrator can be a nightmare scenario. This is where NetApp ONTAP offers a great feature to make your systems even more secure: Multi-Admin Verification (MAV).
Available starting with ONTAP version 9.11.1, MAV prevents system administrators from performing certain disruptive actions without approval from at least one other administrator. So, how does this feature work, and why could it be important for your business? Let’s take a closer look!
How Does Multi-Admin Verification (MAV) Work?
MAV is built from two objects: rules, which name the operations to protect (optionally narrowed to a subset of that operation with a query), and approval groups, whose members are allowed to approve requests. When an administrator issues a protected command or GUI operation, such as deleting a volume, ONTAP does not run it. Instead it records a request in a pending state. A member of an approval group must approve that request before the original requester can carry the action out, and a requester cannot approve their own request.
As of ONTAP 9.11.1, some of the key operations you can protect with MAV include:
- cluster peer delete
- vserver peer delete
- volume snapshot delete
- volume delete
- volume flexcache delete
- security login password*
- security login unlock*
- event config modify*
- set -privilege diagnostic
- security login create
- security login modify
- system node run
- system node systemshell
- volume snapshot autodelete modify
- volume snapshot restore
- volume snapshot policy create
- volume snapshot policy modify
- volume snapshot policy add-schedule
- volume snapshot policy modify-schedule
- volume snapshot policy remove-schedule
An important point: MAV applies to every administrator account that is allowed to run a protected command, including accounts with full administrative rights; no role bypasses it. This makes it highly customizable, ranging from a single group in a small organization that cross-checks potentially disruptive actions between two admins, to delegating approval of data deletion to a dedicated "compliance group" in a larger enterprise.
Configuring MAV via the CLI
Setting up MAV via the CLI (Command Line Interface) is quite straightforward.
The first step is to create the MAV approval group:
security multi-admin-verify approval-group create -vserver <admin SVM name> -name <MAV group name> -approvers <comma separated list of admin accounts> -email <comma separated list of notification emails>
The second step is to enable MAV, attaching the approval group(s) you just created:
security multi-admin-verify modify -approval-groups <approval group(s)> -enabled true
Once MAV is enabled, changes to the MAV configuration itself (disabling it, or modifying its rules and approval groups) also require approval, so a single administrator cannot quietly switch the feature off.
The third step is to define the approval rules:
security multi-admin-verify rule create -operation "<protected_operation>"
Here "protected_operation" is one of the operations listed above (for example, volume delete). There is no rule grouping: each rule stands on its own, so you run this command once per operation you want to protect.
Additionally, the -query <operation_subset> parameter narrows a rule to a subset of the operation, for example so that only snapshot deletions issued with the -force true flag require approval. The command also accepts -vserver, -required-approvers, -approval-groups, -execution-expiry and -approval-expiry.
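Because each operation needs its own rule, a cluster can easily end up half-protected without anyone noticing. The script below is an added example, not code from the original post: it parses the output of `security multi-admin-verify rule show -fields operation` and lists the operations from the 9.11.1 list above that still have no rule, together with the rule create commands that would close the gap. The column layout it expects (a header line, a dashed separator, one row per rule, a trailing "N entries were displayed." line) is ONTAP's usual -fields table as I know it, and the sample output embedded in the script is constructed, not captured from a real cluster.

```python
"""Audit an ONTAP MAV rule set for operations that are still unprotected.

Added example, not from the original post. Input is the text of
`security multi-admin-verify rule show -fields operation`; the layout
assumed is header line, dashed separator, data rows, trailing count line.
"""
import re

# Operations MAV can protect in ONTAP 9.11.1, copied from the post's list.
# Verify the exact -operation spelling against `rule show` on your version.
PROTECTABLE_OPERATIONS_9_11_1 = (
    "cluster peer delete",
    "vserver peer delete",
    "volume snapshot delete",
    "volume delete",
    "volume flexcache delete",
    "security login password",
    "security login unlock",
    "event config modify",
    "set -privilege diagnostic",
    "security login create",
    "security login modify",
    "system node run",
    "system node systemshell",
    "volume snapshot autodelete modify",
    "volume snapshot restore",
    "volume snapshot policy create",
    "volume snapshot policy modify",
    "volume snapshot policy add-schedule",
    "volume snapshot policy modify-schedule",
    "volume snapshot policy remove-schedule",
)

# Constructed sample: a cluster that protected only three operations.
SAMPLE_RULE_SHOW = """\
vserver  operation
-------- ----------------------
cluster1 volume delete
cluster1 volume snapshot delete
cluster1 security login create
3 entries were displayed.
"""

_SEPARATOR = re.compile(r"^[- ]*-[- ]*$")          # line made only of dashes/spaces
_TRAILER = re.compile(r"^\d+ entr(?:y was|ies were) displayed\.$")


def parse_rule_show(text: str) -> set[str]:
    """Return the set of operations that already have a MAV rule."""
    lines = text.splitlines()
    sep_idx = next((i for i, line in enumerate(lines) if _SEPARATOR.match(line)), None)
    if sep_idx is None or sep_idx == 0:
        raise ValueError("no header/separator pair found in rule show output")
    # Column boundaries are the runs of dashes in the separator line.
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[sep_idx])]
    names = [lines[sep_idx - 1][s:e].strip() for s, e in spans]
    if "operation" not in names:
        raise ValueError(f"no 'operation' column in header: {names}")
    col = names.index("operation")
    start, end = spans[col]
    last_col = col == len(spans) - 1   # last column may run past its dashes
    ops = set()
    for line in lines[sep_idx + 1:]:
        if not line.strip() or _TRAILER.match(line.strip()):
            break
        cell = line[start:] if last_col else line[start:end]
        ops.add(cell.strip())
    return ops


def missing_rules(existing: set[str], required=PROTECTABLE_OPERATIONS_9_11_1) -> list[str]:
    """Operations from `required` with no rule, in the order they are listed."""
    return [op for op in required if op not in existing]


def rule_create_commands(ops) -> list[str]:
    """CLI commands that would protect each operation in full (no -query)."""
    return [f'security multi-admin-verify rule create -operation "{op}"' for op in ops]


def audit(text: str = SAMPLE_RULE_SHOW) -> list[str]:
    """Convenience wrapper: unprotected operations for the given show output."""
    return missing_rules(parse_rule_show(text))


if __name__ == "__main__":
    for cmd in rule_create_commands(audit()):
        print(cmd)
```

Paste the real output of the show command into the script (or feed it on stdin) and review the generated commands before running them; rules that should only cover a subset of an operation still need a hand-written -query.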
CLI Approval Process
When you attempt to run a MAV-protected command via the CLI, you will receive a message like this:
Warning: This operation requires multi-admin verification. To create a verification request use "security multi-admin-verify request create".
Would you like to create a request for this operation? (y|n):
When you answer 'y', you will receive the following response:
Error: command failed: The security multi-admin-verify request (index #) is auto-generated and requires approval.
The index is the request's identifier; approvers refer to it when reviewing, approving or vetoing the request.
The next step for the other admin user is:
security multi-admin-verify request show -index <index #>
The output will show you the details of the request, including the operation, operation parameters, who requested it, and more.
To take action, run the following command:
security multi-admin-verify request approve -index <index #>
security multi-admin-verify request veto -index <index #>
security multi-admin-verify request delete -index <index #>
Once the request is approved, the original requester re-runs the same command within the execution-expiry window; ONTAP matches it to the approved request and executes it. A vetoed request cannot be executed, and the requester must start over.
Multi-Admin Verification is one of the most important precautions you can take for data security, and enabling this feature on NetApp ONTAP is extremely straightforward. With the steps shared in this article, administrators can add an extra layer of protection to their systems with just a few commands.
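To tie the configuration steps and the approval process together, here is a complete session as an added example; it is not a transcript from the original post. The cluster name cluster1 (also used as the admin SVM name), the accounts alice, bob and carol, the e-mail addresses, the data SVM svm1, the volume vol_old and the request index 3 are all assumptions chosen for illustration, and lines beginning with # are narration rather than input.

```text
# --- Setup (done once by an administrator) ---
# Approval group of two storage admins, notified by e-mail of new requests.
cluster1::> security multi-admin-verify approval-group create -vserver cluster1 -name storage-approvers -approvers alice,bob -email alice@example.com,bob@example.com

# Enable MAV with that group. From this point the MAV configuration itself
# (including -enabled false) is also protected and needs an approval.
cluster1::> security multi-admin-verify modify -approval-groups storage-approvers -enabled true

# One rule per operation. The snapshot rule only catches forced deletions.
cluster1::> security multi-admin-verify rule create -operation "volume delete" -required-approvers 1
cluster1::> security multi-admin-verify rule create -operation "volume snapshot delete" -query "-force true"
cluster1::> security multi-admin-verify rule create -operation "security login create"
cluster1::> security multi-admin-verify rule show

# --- Requester (carol) tries a protected operation ---
cluster1::> volume delete -vserver svm1 -volume vol_old

Warning: This operation requires multi-admin verification. To create a verification request use "security multi-admin-verify request create".
Would you like to create a request for this operation? (y|n): y

Error: command failed: The security multi-admin-verify request (index 3) is auto-generated and requires approval.

# --- Approver (alice), in her own session, reviews and approves ---
cluster1::> security multi-admin-verify request show -index 3
cluster1::> security multi-admin-verify request approve -index 3

# Had alice disagreed, she would veto instead, and carol's re-run would be refused:
# cluster1::> security multi-admin-verify request veto -index 3

# --- Requester (carol) re-runs the original command within the execution-expiry window ---
cluster1::> volume delete -vserver svm1 -volume vol_old
# The request's state moves to executed; a later run of the same command
# would create a fresh request and need a fresh approval.
```

Note that carol cannot approve request 3 herself even if she were a member of storage-approvers, which is what gives the second pair of eyes its value.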
Remember, a strong infrastructure is built not only on performance but also on well-thought-out security policies. Implementing features like MAV lays the foundation for a proactive and sustainable security approach.
See you in the next post!
