security dynamic-authorization modify
Modify dynamic-authorization global settings
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The security dynamic-authorization modify command modifies one or more dynamic authorization settings.
Parameters
-vserver <vserver name> - Vserver
This parameter optionally specifies the Vserver associated with the setting. If this parameter is specified, the setting applies to that Vserver only. If not specified, the cluster Vserver is used.
[-state {disabled|visibility|enforced}] - Dynamic Authorization State
This parameter sets the state of the dynamic authorization feature. Valid values are disabled, visibility and enforced.
- disabled: Dynamic Authorization is disabled. This is the default factory setting.
- visibility: Dynamic Authorization is enabled in visibility mode. Customers will typically use this mode during a trial run to test the feature and ensure that users are not being inadvertently locked out. In this mode, the trust score is checked every time the user attempts to execute a restricted command, but it is not enforced. That is, the user is allowed to execute all restricted commands as long as their RBAC privileges allow it. However, every command that would either be denied or be subject to an additional MFA challenge is logged.
- enforced: Dynamic Authorization is enabled in enforcement mode. Customers will typically use this mode after they have completed their trial run in visibility mode and verified that their configuration settings are correct, i.e. that no users are being inadvertently locked out as a result of incorrect configuration. In this mode, the trust score is checked every time the user attempts to execute a restricted command and is used to enforce dynamic authorization. That is, the user is allowed to execute all restricted commands without an additional MFA challenge only if the trust score exceeds the upper MFA challenge boundary. If the trust score falls between the lower and upper MFA challenge boundaries, the user is subject to an additional MFA challenge before being allowed to execute the command. If the trust score falls below the lower MFA challenge boundary, the user is denied access. All additional MFA challenges and denials are logged. The suppression interval is also enforced, so no additional authentication challenge is required if repeated authorization requests are made within the suppression interval.
[-suppression-interval {P[<integer>D]T[<integer>H][<integer>M][<integer>S] | P<integer>W | disabled}] - Dynamic Authorization Suppression Interval
The dynamic authorization challenge suppression interval in ISO-8601 format. When a series of restricted commands is executed within a short interval, the repeated authentication prompts are suppressed to give a good user experience. The default suppression interval is 10 minutes, or PT10M in ISO-8601 format.
[-lower-challenge-boundary <percent>] - Lower MFA Challenge Boundary
The lower MFA challenge percentage boundary. Supported values are from 0 to 99. The default value is 0.
[-upper-challenge-boundary <percent>] - Upper MFA Challenge Boundary
The upper MFA challenge percentage boundary. Supported values are from 0 to 100. This must be equal to or greater than the value of the lower boundary. A value of 100 means that every request is either denied or subject to an additional authentication challenge; no request is allowed without a challenge. The default value is 90.
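The decision logic and interval syntax described above, modelled as an added Python example (not ONTAP code and not its actual implementation): the trust score is assumed to be an integer percentage, times are POSIX seconds, and the caller is assumed to track when the user last passed a challenge (last_challenge_at).

```python
import re
from dataclasses import dataclass
from datetime import timedelta
# Constructed regex for the documented syntax: P[<n>D]T[<n>H][<n>M][<n>S] | P<n>W
_DURATION = re.compile(r"^P(?:(\d+)W|(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?)$")

def parse_suppression_interval(value):
    """Return the -suppression-interval value as a timedelta, or None for 'disabled'."""
    if value == "disabled":
        return None
    m = _DURATION.match(value)
    if not m or not any(m.groups()):  # also rejects a bare 'P' or 'PT'
        raise ValueError(f"invalid suppression interval: {value!r}")
    w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(weeks=w, days=d, hours=h, minutes=mi, seconds=s)

@dataclass
class DynAuthSettings:
    state: str = "disabled"              # disabled | visibility | enforced
    suppression_interval: str = "PT10M"  # factory default: 10 minutes
    lower_challenge_boundary: int = 0    # 0..99
    upper_challenge_boundary: int = 90   # 0..100 and >= lower

    def validate(self):
        lo, hi = self.lower_challenge_boundary, self.upper_challenge_boundary
        if not (0 <= lo <= 99 and lo <= hi <= 100):
            raise ValueError("need 0 <= lower <= 99 and lower <= upper <= 100")
        parse_suppression_interval(self.suppression_interval)  # reject bad intervals early

def decide(cfg, trust_score, now, last_challenge_at=None):
    """Decide one restricted command (POSIX-second times) -> (action, logged verdict or None)."""
    cfg.validate()
    if cfg.state == "disabled":
        return "allow", None
    if trust_score > cfg.upper_challenge_boundary:     # above upper: no challenge
        verdict = "allow"
    elif trust_score >= cfg.lower_challenge_boundary:  # within the band: MFA challenge
        verdict = "challenge"
    else:                                              # below lower: denied
        verdict = "deny"
    logged = None if verdict == "allow" else verdict   # challenges and denials are logged
    if cfg.state == "visibility":                      # allowed anyway, but still logged
        return "allow", logged
    # Enforced: a challenge passed within the suppression interval (caller-tracked, assumed) suppresses a new one
    interval = parse_suppression_interval(cfg.suppression_interval)
    if (verdict == "challenge" and interval is not None and last_challenge_at is not None
            and now - last_challenge_at < interval.total_seconds()):
        return "allow", None
    return verdict, logged
```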
Examples
The following command modifies the lower challenge boundary to 10.
cluster1::> security dynamic-authorization modify -lower-challenge-boundary 10
cluster1::> security dynamic-authorization show
                                   Vserver: cluster1
               Dynamic Authorization State: disabled
Dynamic Authorization Suppression Interval: 10m
              Lower MFA Challenge Boundary: 10%
              Upper MFA Challenge Boundary: 90%