ONTAP Discussions

Multi-admin Verify support for ADS groups

a_lehn
5,568 Views

Hi
We are currently testing the use of MAV, which is supported in ONTAP 9.11.1x.

As I see it, it is only possible to create local users as approvers. Does anyone know if there will be support for using AD groups as approvers?


The idea is that, via automation, a user temporarily becomes a member of an AD group in order to approve pending requests.

1 ACCEPTED SOLUTION

elementx
5,485 Views

Do you need one of the two accounts to be ADS-based and the other local based, or both ADS-based?

If you want both to be ADS-based, how do you plan to handle an ADS outage or unplanned downtime?

19 REPLIES

elementx
5,546 Views

How would ADS admins approve any action (e.g. change of ADS or NTP) if ADS were to be wiped or unreachable?

a_lehn
5,494 Views

I understand your point.
There will also always be a local admin as an extra approver, which we normally do not use (local admin user).
In our environment an admin AD group is empty when it is not in use (time limited). We have different AD groups that have access for different roles.

This helps us protect our day-to-day operations with limited admin rights.


a_lehn
5,480 Views

Today we use our ADS accounts depending on what you want to do, where you join different storage roles (time limited).
We never use the local admin accounts.

Our idea is to use 2 ADS groups: when we need an approval, a storage admin joins the approval group and will automatically be removed from the approval group again (time-limited automation tools).

In case of an ADS outage (planned or unplanned), we will use the local storage admin users for that.
Hope it makes sense.
Maybe I have misunderstood the way MAV works.

elementx
5,473 Views

I haven't used the feature myself yet, so I don't know either. But now that the use case is clear someone who's used it will be able to comment and confirm.

dbenadib
5,406 Views

Having Active Directory users as approvers is working.

elementx
5,403 Views

Can anything on ONTAP be approved if ADS is down?

Or does it practically freeze operations because they can't be approved?

dbenadib
5,401 Views

ONTAP will not check AD availability. But in that case every logon to ONTAP will be lost, not only the selected commands that MAV restrictions apply to.

In any case, if you are really concerned about that, you could add both local and AD accounts as approvers.

elementx
5,399 Views

Right, so using the feature with ADS accounts and no fall-back seems risky.

a_lehn
5,385 Views

I tried the same thing, but if in your example I use demo\user1 to delete a snapshot, I can't use demo\user2 to approve; only a local ONTAP user works according to my test.

dbenadib
5,379 Views

It looks like an issue in your environment. In my lab it works.

DEMO\user1 tried to delete a snapshot on volume vol3.

It generates the request with index #8.

Demo\user2 approved the request.

Demo\user1 retried deleting the snapshot, with success.

a_lehn
5,068 Views

It works if you use an AD user, correct... but not when using AD groups.
One thing that I noticed: when you use AD users, you have to be careful how you write the domain\username when you create the approval group:

security multi-admin-verify approval-group create -name mav-grp1 -approvers DDDD\username......

If you log in with lowercase "dddd\username" it works at the SSH level, but MAV will not work correctly; it has to be the same upper/lowercase.
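The two pitfalls raised in this thread, approval groups made up only of AD accounts (no fallback if AD is unreachable) and AD approvers whose case differs from the name the user actually logs in with, can be checked mechanically. The following is an added Python example, not ONTAP code or any poster's own; the approver table and login names are constructed samples, and treating any name containing a backslash as a domain account is an assumption.

```python
"""Audit MAV approval groups for two pitfalls discussed in this thread:
AD-only approver lists, and DOMAIN\\user case mismatches."""

# Constructed sample: approvers exactly as entered with
# "security multi-admin-verify approval-group create -approvers ...".
GROUPS = {
    "mav-grp1": ["DDDD\\alice", "DDDD\\bob"],
    "mav-grp2": ["DDDD\\carol", "localadmin"],
}

# Constructed sample: account names exactly as they appeared in successful
# SSH logins (e.g. taken from an audit log), in the case the user typed.
OBSERVED_LOGINS = ["dddd\\alice", "DDDD\\bob", "DDDD\\carol", "localadmin"]


def is_domain_account(name: str) -> bool:
    """Assumption: a backslash marks a DOMAIN\\user account; anything else is local."""
    return "\\" in name


def audit_groups(groups: dict, observed_logins: list) -> list:
    """Return (group, finding) tuples; an empty list means no issues were found."""
    findings = []
    for gname, approvers in groups.items():
        # Finding 1: every approver is AD-based, so nothing can be approved
        # while the domain is unreachable (hence the advice to add a local one).
        if all(is_domain_account(a) for a in approvers):
            findings.append((gname, "no local approver: approvals stall if AD is unreachable"))
        # Finding 2: an AD approver was configured in one case but the same
        # account logs in with another; the thread reports MAV treats these as different.
        for approver in filter(is_domain_account, approvers):
            for login in observed_logins:
                if login.lower() == approver.lower() and login != approver:
                    findings.append(
                        (gname, f"approver {approver} configured but login seen as {login}")
                    )
    return findings


if __name__ == "__main__":
    for group, finding in audit_groups(GROUPS, OBSERVED_LOGINS):
        print(f"{group}: {finding}")
```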

MicheldeBruin
4,277 Views

So Active Directory groups still cannot be used. We have specific groups to manage our NetApps and have already been waiting several years to make this happen, especially for SSO on System Manager.

We have a lot of NetApps that need to be managed by a group of support administrators, but these also change regularly.

kind regards,
Michel de Bruin

Reinhard089
3,803 Views

Hi,

We do have the same problem. It is nice to know that only AD users are working, but we need AD groups working with MAV.
Kind regards

reinhard

a_lehn
3,777 Views

Hi, 
After a dialogue with NetApp, they told me that ADS groups will be supported in future ONTAP releases.
Best regards
Anders

PatrickNgo
2,181 Views

@a_lehn Do we have any developments on this? A customer is interested in using MAV with AD groups rather than users.

Reinhard089
2,166 Views

No, we are still waiting for the "new upcoming" ONTAP release to use MAV with AD groups.

We want to secure some, not all, admin work with MAV, and it is not important whether this feature works during an outage of AD; then we wait with this kind of work until AD is reachable again.

Our problem is that we do not want to be user admins and keep track of who is in that backup team; that's the job of the team leader (of that backup team).

PatrickNgo
2,157 Views

Thank you @Reinhard089

TMADOCTHOMAS
383 Views

@Reinhard089 or @a_lehn (or anyone), I'm adding my "+1" to this request. I am just testing MAV for the first time and ran across the group limitation. Are there any updates on (a) adding the ability to use AD groups, and (b) removing the case sensitivity from AD users (and groups if they are added)?


I'm very thankful I thought to add a second local account before testing "just in case" or my entire simulator would have had to be rebuilt.
