SET COMMANDAPPROVAL (Specifies whether command approval is required)

Edit online

Use this command to specify whether approval is required for an administrator to run restricted commands.

Privilege class

To issue this command, you must have system privilege.

The commands in the following list are considered restricted commands. The set of restricted commands is predefined by the server and cannot be customized. When SET COMMANDAPPROVAL is set to ON, restricted commands that are issued are placed into a pending state and will not run until they are approved by an approval administrator. Pending commands that are not approved within 72 hours are automatically rejected. When command approval is enabled, the server does not validate the syntax or evaluate the parameters of restricted commands unless otherwise noted in the following list. When a restricted command is issued, it is automatically placed into the queue of pending commands, regardless of the syntax.

Restricted commands:
  • ACTIVATE POLICYSET
  • AUDIT CONTAINER
  • AUDIT VOLUME
  • CREATE CERTIFICATE

    The CREATE CERTIFICATE command is placed in the approval queue only if the DEFAULT=YES parameter is specified.

  • DEACTIVATE DATA
  • DECOMMISSION NODE
  • DECOMMISSION VM
  • DELETE BACKUPSET
  • DELETE FILESPACE
  • DELETE MGMTCLASS
  • DELETE RETSET
  • DELETE VOLUME
  • RELEASE RETSET
  • SET ACTLOGRETENTION
  • SET APPROVERSREQUIREAPPROVAL (only for the OFF parameter value)
  • SET COMMANDAPPROVAL (only for the OFF parameter value)
  • SET DBRECOVERY
  • SET DEFAULTTLSCERT
  • SET SUMMARYRETENTION
  • UPDATE ADMIN

    The UPDATE ADMIN command is placed in the approval queue only if the MFAREQUIRED=NO parameter is specified and multifactor authentication (MFA) is enabled for the administrator account.

  • UPDATE BACKUPSET
  • UPDATE NODE

    The UPDATE NODE command is placed in the approval queue only if the DOMAIN parameter is specified.

  • UPDATE RETSET

    The UPDATE RETSET command is placed in the approval queue only if the retention period that is specified in the RETENTION parameter is reduced. If the retention period is increased, the command is not held for approval.

  • UPDATE STGPOOL

Syntax

Read syntax diagramSkip visual syntax diagramSet COMMANDAPprovalOFfSet COMMANDAPprovalONOFf

Parameters

ON
Specifies that an approval administrator must authorize the use of restricted commands before they can be processed. Approval administrators are specified by using the CMDAPPROVER parameter on the UPDATE ADMIN and REGISTER ADMIN commands.
When an administrator issues a restricted command, the command is added to a queue of commands that are pending approval. Pending commands will not run until approved by an approval administrator. After a pending command request is approved, the command runs immediately.
OFf
Specifies that approval for restricted commands is not required. This is the default value. If command approval was previously enabled, all pending commands are automatically rejected when you issue the SET COMMANDAPPROVAL OFF command.

Example: Specify whether to require command approval

Set command approval to ON to require approval for restricted commands to run.
set commandapproval on

Related commands

Table 1. Commands related to SET COMMANDAPPROVAL
Command Description
APPROVE PENDINGCMD Approve commands that are pending approval.
QUERY PENDINGCMD Display a list of commands that are pending approval.
REGISTER ADMIN Defines a new administrator.
REJECT PENDINGCMD Reject commands that are pending approval.
SET APPROVERSREQUIREAPPROVAL Specifies whether commands issued by approval administrators require approval.
UPDATE ADMIN Changes the password or contact information associated with any administrator.
UPDATE NODE Changes the attributes that are associated with a client node.
WITHDRAW PENDINGCMD Withdraw commands that are pending approval.