ONTAP Multi-Admin Verification (MAV) is a security feature in NetApp ONTAP that requires multiple administrator approvals before performing certain sensitive operations. This feature helps protect against insider threats, human error, or misuse by enforcing a dual-authorization policy for specific administrative actions.
Key Concepts of Multi-Admin Verification (MAV)
- Purpose: Enhance security by requiring multiple admins to approve critical actions such as:
  - Volume deletion
  - Snapshot deletion
  - SVM (Storage Virtual Machine) or LIF deletion
  - Key management operations
  - Security configuration changes
- Minimum ONTAP Version: MAV is supported starting from ONTAP 9.11.1.
How It Works
- Enable MAV:
  - Use the ONTAP CLI or System Manager to enable the feature.
  - Define a trusted admin group responsible for approving requests.
- Create MAV-Protected Operations:
  - Identify which commands or actions require verification.
  - Set policies that define the number of approvals needed (typically 2 or more).
- Request-Approve Flow:
  - Admin A initiates a sensitive action.
  - The action is pending until approved by one or more trusted admins.
  - Trusted Admin B reviews and approves (or denies) the request.
  - Once approved, the action is executed.
- Audit Trail:
  - All MAV activities are logged for traceability and auditing purposes.
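The request-approve flow above, written out as a small state machine. This is an added example, not ONTAP code or part of the original page: the class name `MavRequest`, the admin names, and the rules that the requester never counts toward the quorum and that only the requester can run the approved operation are assumptions of this simplified model.

```python
class MavRequest:
    """One pending MAV-protected operation (simplified model, not ONTAP code)."""

    def __init__(self, requester, operation, approvers, required_approvals=2):
        self.requester, self.operation = requester, operation
        self.approvers = frozenset(approvers)      # trusted approver group
        self.required = required_approvals
        self.approved_by = set()
        self.state = "pending"   # pending -> approved -> executed, or vetoed
        self.audit = []          # (actor, event, resulting state)

    def _log(self, actor, event):
        self.audit.append((actor, event, self.state))

    def _authorize(self, admin, event):
        # Assumption of this model: the requester never counts toward the
        # quorum, so a single account cannot both ask and approve.
        if (self.state != "pending" or admin not in self.approvers
                or admin == self.requester):
            self._log(admin, event + "-denied")
            raise PermissionError(f"{admin} may not {event} this request")

    def approve(self, admin):
        self._authorize(admin, "approve")
        self.approved_by.add(admin)   # a set: repeat approvals count once
        if len(self.approved_by) >= self.required:
            self.state = "approved"
        self._log(admin, "approve")

    def veto(self, admin):
        self._authorize(admin, "veto")
        self.state = "vetoed"         # a single veto ends the request
        self._log(admin, "veto")

    def execute(self, admin):
        # The operation runs only after quorum, and only for the requester.
        if admin != self.requester or self.state != "approved":
            self._log(admin, "execute-denied")
            raise PermissionError("operation is not approved for execution")
        self.state = "executed"
        self._log(admin, "execute")
```

Denied attempts are written to `audit` alongside successful ones, so the trail shows who tried to bypass the quorum as well as who approved.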
Considerations
- Delayed Operations: MAV introduces an intentional delay; actions won’t proceed until approved.
- Trusted Group Management: Be careful who you include in the approver group; they have veto power.
- Not a substitute for RBAC: Use Role-Based Access Control (RBAC) together with MAV for layered security.