ONTAP Discussions

Multi-admin Verify support for ADS groups

a_lehn

Hi
We are currently testing the use of MAV, which is supported in ONTAP 9.11.1x.

As I see it, it is only possible to create local users as approvers. Does anyone know if there will be support for using AD groups as approvers?

The idea is that, via automation, a user is temporarily a member of an AD group in order to approve pending requests.

1 ACCEPTED SOLUTION

elementx

Do you need one of the two accounts to be ADS-based and the other local, or both ADS-based?

If you want both to be ADS-based, how do you plan to handle an ADS outage or unplanned downtime?


18 REPLIES

elementx

How would ADS admins approve any action (e.g. change of ADS or NTP) if ADS were to be wiped or unreachable?

a_lehn

I understand your point.
There will also always be a local admin as an extra approver, which we normally do not use (local admin user).
In our environment an admin AD group is empty when it is not in use (time-limited). We have different AD groups that have access for different roles.

This helps us protect our day-to-day work with limited admin rights.

a_lehn

Today we use our ADS accounts depending on what you want to do, where you join different storage rules (time-limited).
We never use the local admin accounts.

Our idea is to use 2 ADS groups: when we need an approval, a storage admin joins the approval group and will automatically be removed from the approval group again (time-limited automation tools).

In case there should be an ADS outage/unplanned downtime, we will use the local storage admin users for that.
Hope it makes sense.
Maybe I have misunderstood the way MAV works.

elementx

I haven't used the feature myself yet, so I don't know either. But now that the use case is clear someone who's used it will be able to comment and confirm.

dbenadib

Having Active Directory users as approvers is working.

elementx

Can anything on ONTAP be approved if ADS is down?

Or does it practically freeze operations because they can't be approved?

dbenadib

ONTAP will not check AD availability. But in that case every logon to ONTAP will be lost, not only the selected commands that the MAV restrictions apply to.

In any case, if you are really concerned about that, you could add both local and AD accounts as approvers.

elementx

Right, so using the feature with ADS accounts and no fall-back seems risky.

a_lehn

I tried the same thing, but if in your example I use demo\user1 to delete a snapshot I can't use demo\user2 to approve; only a local ONTAP user works according to my test.

dbenadib

It looks like an issue in your environment; in my lab it works.

DEMO\user1 tried to delete a snapshot on volume vol3.

It generates the request with index #8.

Demo\user2 approved the request.

Demo\user1 retried to delete the snapshot with success.

a_lehn

It works if you use an AD user, correct... but not when using AD groups.
One thing I noticed: when you use AD users, you have to be careful how you write domain\username when you create the approval group:

security multi-admin-verify approval-group create -name mav-grp1 -approvers DDDD\username......

If you log in with lowercase "dddd\username" it works at the SSH level, but MAV will not work correctly; it has to be the same upper/lowercase....

MicheldeBruin

So Active Directory groups still cannot be used. We have specific groups to manage our NetApps and have already been waiting several years to make this happen, especially for SSO on System Manager.

We have a lot of NetApps that need to be managed by a group of support administrators, but these also change regularly.

Kind regards,
Michel de Bruin

Reinhard089

Hi,

we have the same problem. It is nice to know that only AD users are working, but we need AD groups working with MAV.
Nice regards,

Reinhard

a_lehn

Hi,
After dialog with NetApp, they told me that ADS groups will be supported in future ONTAP releases.
Best regards,
Anders

PatrickNgo

@a_lehn Do we have any developments on this? The customer is interested in using MAV with AD groups rather than users.

Reinhard089

No, we are still waiting for the "new upcoming" ONTAP release to use MAV with AD groups.

We want to secure some, not all, admin work with MAV, and it is not important whether this feature works during an AD outage; then we wait with this kind of work until AD is reachable again.

Our problem is that we do not want to be user admins and take care of who is in that backup team; that's the job of the team leader (of that backup team).

PatrickNgo

Thank you @Reinhard089