ONTAP 9.15.1 commands

security dynamic-authorization modify

Modify dynamic-authorization global settings

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The security dynamic-authorization modify command modifies one or more dynamic authorization settings.

Parameters

-vserver <vserver name> - Vserver

This parameter optionally specifies the Vserver associated with the setting. If this parameter is specified, the setting applies to that Vserver only. If not specified, the cluster Vserver is used.

[-state {disabled|visibility|enforced}] - Dynamic Authorization State

This parameter sets the state of the dynamic authorization feature. Valid values are disabled, visibility and enforced.

  • disabled: Dynamic Authorization is disabled. This is the default factory setting.

  • visibility: Dynamic Authorization is enabled in visibility mode. Customers will typically use this mode during a trial run to test the feature and ensure that users are not being inadvertently locked out. In this mode, the trust score is checked every time the user attempts to execute a restricted command, but it is not enforced. That is, the user is allowed to execute all restricted commands as long as their RBAC privileges allow it. However, every command that would either be denied or be subject to an additional MFA challenge is logged.

  • enforced: Dynamic Authorization is enabled in enforcement mode. Customers will typically use this mode after they have completed their trial run in visibility mode and verified that their configuration settings are correct, that is, no users are being inadvertently locked out as a result of incorrect configuration. In this mode, the trust score is checked every time the user attempts to execute a restricted command and is used to enforce dynamic authorization. That is, the user is allowed to execute restricted commands without an additional MFA challenge only if the trust score exceeds the upper MFA challenge boundary. If the trust score falls between the lower and upper MFA challenge boundaries, the user is subject to an additional MFA challenge before being allowed to execute the command. If the trust score falls below the lower MFA challenge boundary, the user is denied access. All additional MFA challenges and denials are logged. The suppression interval is also enforced, so no additional authentication challenges are required when repeated authorization requests are made within the suppression interval.

[-suppression-interval {P[<integer>D]T[<integer>H][<integer>M][<integer>S] | P<integer>W | disabled}] - Dynamic Authorization Suppression Interval

The dynamic authorization challenge suppression interval in ISO-8601 format. When a series of restricted commands are executed within a short interval, multiple authentication prompts are suppressed to create a good user experience. The default suppression interval is 10 minutes, or PT10M in ISO-8601 format.

[-lower-challenge-boundary <percent>] - Lower MFA Challenge Boundary

The lower MFA challenge percentage boundary. Supported values are from 0 to 99. Default value is 0.

[-upper-challenge-boundary <percent>] - Upper MFA Challenge Boundary

The upper MFA challenge percentage boundary. Supported values are from 0 to 100. This must be equal to or greater than the value of the lower boundary. A value of 100 means that every request will either be denied or subject to an additional authentication challenge; there are no requests that are allowed without a challenge. Default value is 90.
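The following Python model is an added illustration of the decision rules these parameters describe (state, suppression interval, lower and upper boundaries), not ONTAP's own code; the function names, the 0-100 trust score and the (decision, logged) result shape are assumptions made here.

```python
import re
from datetime import timedelta
from typing import Optional, Tuple

# Constructed model of the dynamic-authorization rules documented above.
# Assumption: the trust score is an integer percentage, 0..100.

_DUR = re.compile(r"^P(?:(\d+)W|(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?)$")


def parse_suppression_interval(text: str) -> Optional[timedelta]:
    """Parse the -suppression-interval syntax: P<n>W, P[nD]T[nH][nM][nS] or 'disabled'."""
    if text == "disabled":
        return None
    m = _DUR.match(text)
    if not m or text == "P" or text.endswith("T"):   # reject empty or dangling designators
        raise ValueError(f"bad ISO-8601 duration: {text}")
    w, d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return timedelta(weeks=w, days=d, hours=h, minutes=mi, seconds=s)


def evaluate(state: str, trust_score: int, lower: int, upper: int,
             suppression: Optional[timedelta],
             since_last_challenge: Optional[timedelta] = None) -> Tuple[str, bool]:
    """Decide one restricted-command request: ('allow'|'challenge'|'deny', logged)."""
    if state not in ("disabled", "visibility", "enforced"):
        raise ValueError("state must be disabled, visibility or enforced")
    if not (0 <= lower <= 99 and 0 <= upper <= 100 and lower <= upper):
        raise ValueError("boundaries: lower 0..99, upper 0..100, lower <= upper")
    if state == "disabled":
        return "allow", False
    # Outcome the trust score would produce under enforcement.
    if trust_score < lower:
        outcome = "deny"
    elif trust_score <= upper:      # inside the boundaries; upper=100 means never a plain allow
        outcome = "challenge"
    else:
        outcome = "allow"
    if state == "visibility":       # check but do not enforce; log what would have happened
        return "allow", outcome != "allow"
    # enforced: a challenge passed within the suppression interval covers this request
    # (assumption: such suppressed requests are still logged; denials are never suppressed).
    if (outcome == "challenge" and suppression is not None
            and since_last_challenge is not None and since_last_challenge <= suppression):
        return "allow", True
    return outcome, outcome != "allow"
```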

Examples

The following command modifies the lower challenge boundary to 10.

cluster1::> security dynamic-authorization modify -lower-challenge-boundary 10

cluster1::> security dynamic-authorization show
Vserver: cluster1
                          Dynamic Authorization State: disabled
           Dynamic Authorization Suppression Interval: 10m
                         Lower MFA Challenge Boundary: 10%
                         Upper MFA Challenge Boundary: 90%