ONTAP Discussions

Multi-admin Verify support for ADS groups

a_lehn
1,030 Views

Hi
We are currently testing the use of MAV, which is supported in ONTAP 9.11.1x.

As I see it, it is only possible to create local users as approvers. Does anyone know if there will be support for using AD groups as approvers?

The idea is that, via automation, a user temporarily becomes a member of an AD group in order to approve pending approvals.

1 ACCEPTED SOLUTION

elementx
947 Views

Do you need one of the two accounts to be ADS-based and the other local based, or both ADS-based?

If you want the both to be ADS-based, how do you plan to handle ADS outage or unplanned downtime?


12 REPLIES

elementx
1,008 Views

How would ADS admins approve any action (e.g. change of ADS or NTP) if ADS were to be wiped or unreachable?

a_lehn
956 Views

I understand your point.
There will also always be local admins as extra approvers, which we normally don't use (local admin user).
In our environment an admin AD group is empty when it is not in use (time limited). We have different AD groups that have access for different roles.

This helps us protect our day-to-day work by limiting admin rights.


a_lehn
942 Views

Today we use our ADS accounts depending on what you want to do, where you join different storage rules (time limited).
We never use the local admin accounts.

Our idea is to use 2 ADS groups: when we need an approval, a storage admin joins the approval group and will automatically be removed from the approval group again (time-limited automation tools).

In case of an ADS outage or unplanned downtime, we will use the local storage admin users for that.
Hope it makes sense.
Maybe I have misunderstood the way MAV works.


elementx
935 Views

I haven't used the feature myself yet, so I don't know either. But now that the use case is clear someone who's used it will be able to comment and confirm.

dbenadib
868 Views

Having Active Directory users as approvers is working.

[screenshot: dbenadib_0-1664468821608.png]

elementx
865 Views

Can anything on ONTAP be approved if ADS is down?

Or does it practically freeze operations because they can't be approved?

dbenadib
863 Views

ONTAP will not check AD availability. But in that case every logon to ONTAP will be lost, not only the selected commands that the MAV restrictions apply to.

In any case, if you are really concerned about that, you could add both local and AD accounts as approvers.

elementx
861 Views

Right, so using the feature with ADS accounts and no fall-back seems risky.

a_lehn
847 Views

I tried the same thing, but if, as in your example, I use demo\user1 to delete a snapshot, I can't use demo\user2 as the approver; only a local ONTAP user works according to my test.

dbenadib
841 Views

It looks like an issue in your environment. In my lab it works.

DEMO\user1 tried to delete a snapshot on volume vol3

[screenshot: dbenadib_0-1664525491136.png]

It generates the request with index #8

Demo\user2 approved the request

[screenshot: dbenadib_1-1664525559640.png]

Demo\user1 retried to delete the snapshot with success:

[screenshot: dbenadib_2-1664525597340.png]

a_lehn
530 Views

It works if you use an AD user, correct... but not when using AD groups.
One thing that I noticed: when you use AD users, you have to be careful how you write the domain\username when you create the approval group

security multi-admin-verify approval-group create -name mav-grp1 -approvers DDDD\username......

If you log in with lowercase "dddd\username" it works at the SSH level, but MAV will not work correctly; it has to be the same upper/lowercase....
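The following is an added illustration, not a command sequence posted by anyone in this thread, of how the pieces discussed above fit together on the ONTAP CLI: an approval group that contains an AD user written with the domain prefix in the same case the approver uses to log in, plus a local fallback approver so that approvals remain possible during an AD outage, applied to the snapshot delete operation from dbenadib's test. The cluster prompt, the domain DDDD, the user names, the group name mav-grp1, the local account mavlocal, the SVM and volume names and the request index 8 are placeholders chosen for this example.

```text
# Added example: approval group with an AD approver and a local fallback approver.
# DDDD, user1, user2, mavlocal, mav-grp1, svm1, vol3 and index 8 are placeholders.
# The domain prefix must match the case used at login (see the note above).
cluster1::> security multi-admin-verify approval-group create -name mav-grp1 -approvers "DDDD\user2,mavlocal"

# Protect the operation that was tested in this thread
cluster1::> security multi-admin-verify rule create -operation "volume snapshot delete" -approval-groups mav-grp1 -required-approvers 1

# Enable MAV cluster-wide with that group as the default approver set
cluster1::> security multi-admin-verify modify -approval-groups mav-grp1 -required-approvers 1 -enabled true

# 1. DDDD\user1 runs the protected command; ONTAP queues it as a request instead of executing it
cluster1::> volume snapshot delete -vserver svm1 -volume vol3 -snapshot hourly.2022-09-30_1005

# 2. An approver (DDDD\user2, or mavlocal if AD is unavailable) lists and approves the request
cluster1::> security multi-admin-verify request show
cluster1::> security multi-admin-verify request approve -index 8

# 3. DDDD\user1 re-runs the same command; it now executes
cluster1::> volume snapshot delete -vserver svm1 -volume vol3 -snapshot hourly.2022-09-30_1005
```

Keeping at least one local approver in the group addresses the failure mode elementx raised: if AD logons fail, the local account can still approve, and ordinary ONTAP access is not blocked by MAV itself.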
