application commands
security dynamic-authorization modify
Suggest changes
-
PDF of this doc site
application commands
Collection of separate PDF docs
Creating your file...
Modify dynamic-authorization global settings
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The security dynamic-authorization modify command modifies one or more dynamic authorization settings.
Parameters
-vserver <vserver name>- Vserver-
This parameter optionally specifies the Vserver associated with the setting. If this parameter is specified, the setting applies to that Vserver only. If not specified, the cluster Vserver is used.
[-state {disabled|visibility|enforced}]- Dynamic Authorization State-
This parameter sets the state of the dynamic authorization feature. Valid values are
disabled,visibilityandenforced.-
disabled: Dynamic Authorization is disabled. This is the default factory setting.
-
visibility: Dynamic Authorization is enabled in visibility mode. Customers will typically use this mode during a trial run to test the feature and ensure that users are not being inadvertently locked out. In this mode, the trust score is checked every time the user attempts to execute a restricted command, but not enforced. That is, the user will be allowed to execute all restricted commands as long as his RBAC privileges allow it. However, all commands that will either be denied or subject to additional MFA challenge will be logged.
-
enforced: Dynamic Authorization is enabled in enforcement mode. Customers will typically use this mode after they have completed their trial run using visibility mode and verified that their configuration settings are correct, i.e. no users are being inadvertently locked out as a result of incorrect configuration. In this mode, the trust score is checked every time the user attempts to execute a restricted command and use to enforce dynamic authorization. That is, the user will be allowed to execute all restricted commands without additional MFA challenge only if the trust score exceeds the upper MFA challenge boundary. If the trust score falls within the lower and upper MFA challenge boundary, the user will be subject to an additional MFA challenge before being allowed to execute the command. If the trust score falls below the lower MFA challenge boundary, the user will be denied access. All additional MFA challenges and denials will be logged. The suppression interval is also enforced so no additional authentication challenges will be required if repeated authorization requests are made within the suppression interval.
-
[-suppression-interval {P[<integer>D]T[<integer>H][<integer>M][<integer>S] | P<integer>W | disabled}]- Dynamic Authorization Suppression Interval-
The dynamic authorization challenge suppression interval in ISO-8601 format. When a series of restricted commands are executed within a short interval, multiple authentication prompts are suppressed to create a good user experience. The default suppression interval is 10 minutes, or
PT10Min ISO-8601 format. [-lower-challenge-boundary <percent>]- Lower MFA Challenge Boundary-
The lower MFA challenge percentage boundary. Supported values are from
0to99. Default value is0. [-upper-challenge-boundary <percent>]- Upper MFA Challenge Boundary-
The upper MFA challenge percentage boundary. Supported values are from
0to100. This must be equal to or greater than the value of the lower boundary. A value of 100 means that every request will either be denied or subject to an additional authentication challenge; there are no requests that are allowed without a challenge. Default value is90.
Examples
The following command modifies the lower challenge boundary to 10.
cluster1::> security dynamic-authorization modify -lower-challenge-boundary 10
cluster1::> security dynamic-authorization show
Vserver: cluster1
Dynamic Authorization State: disabled
Dynamic Authorization Suppression Interval: 10m
Lower MFA Challenge Boundary: 10%
Upper MFA Challenge Boundary: 90%