Hi everyone!
NetApp's Multi-admin-verify (MAV) is a great tool for enforcing dual control on potentially dangerous commands (or any command - it's up to you as an admin to decide!), so having a sandbox to play with in labondemand.netapp.com was something I've long thought would be handy.
However, it's one thing to play in a sandbox, and another thing to make it in the first place, and know what steps to follow to set it up in your production environment. We don't have a pre-defined lab for MAV that I could find, so I wrote the attached PowerShell script to build one from scratch.
The script does the following:
- Creates AD OUs and groups for StorageAdmins and StorageOperators
- Provisions 9 accounts into each of them (storageadmX and storageopX), password: Netapp1!
- Creates an SVM on ONTAP cluster 1 (192.168.0.101)
- Domain joins SVM to demo.netapp.com
- Sets up domain tunnel through that SVM
- Sets up StorageAdmin and StorageOperator roles based on the admin role
- Assigns groups to roles
- Sets up MAV with StorageOperator requiring MAV approval, StorageAdmin not requiring approval
- Restricts vol delete and snap delete commands under MAV for StorageOperator
I’ve tested it with 9.16.1 and 9.19.1 labs and it’s done what I expected with regard to setup - I haven’t done deep testing of MAV with it; the aim is to set up an environment where MAV can be tested.
To use it:
1. Drag the script into the lab window once the login is finished
2. Find it in the “Cloud storage” under “My Computer”
3. Copy it to the Desktop
4. Open PowerShell, and run the command
I hope people find this helpful!
Please note values are hardcoded for the demo environment on labondemand.netapp.com, but you are welcome to use it as a basis for your own environments too. This script is provided only as community supported - please do not call NetApp support for help with it.