Customize dynamic authorization in ONTAP
As an administrator, you can customize different aspects of your dynamic authorization configuration to increase the security of remote administrator SSH connections to your ONTAP cluster.
You can customize the following dynamic authorization settings depending on your security needs:
Configure dynamic authorization global settings
You can configure global settings for dynamic authorization, including the storage VM to secure, the suppression interval for authentication challenges, and the trust score settings.
Learn more about the security dynamic-authorization modify
command in the ONTAP command reference.
-
Configure global settings for dynamic authorization. If you don't use the
-vserver
parameter, the command is run at the cluster level. Update the values in brackets <> to match your environment:security dynamic-authorization modify \ -lower-challenge-boundary <percent> \ -upper-challenge-boundary <percent> \ -suppression-interval <interval> \ -vserver <storage_VM_name>
-
View the resulting configuration:
security dynamic-authorization show
Configure restricted commands
When you enable dynamic authorization, the feature includes a default set of restricted commands. You can modify this list to suit your needs. Refer to the multi-admin verification (MAV) documentation for information on the default list of restricted commands.
Add a restricted command
You can add a command to the list of commands that are restricted with dynamic authorization.
Learn more about the security dynamic-authorization rule create
command in the ONTAP command reference.
-
Add the command. Update the values in brackets <> to match your environment. If you don't use the
-vserver
parameter, the command is run at the cluster level. Parameters in bold are required:security dynamic-authorization rule create \ -query <query> \ -operation <text> \ -index <integer> \ -vserver <storage_VM_name>
-
View the resulting list of restricted commands:
security dynamic-authorization rule show
Remove a restricted command
You can remove a command from the list of commands that are restricted with dynamic authorization.
Learn more about the security dynamic-authorization rule delete
command in the ONTAP command reference.
-
Remove the command. Update the values in brackets <> to match your environment. If you don't use the
-vserver
parameter, the command is run at the cluster level. Parameters in bold are required:security dynamic-authorization rule delete \ -operation <text> \ -vserver <storage_VM_name>
-
View the resulting list of restricted commands:
security dynamic-authorization rule show
Configure dynamic authorization groups
By default, dynamic authorization applies to all users and groups as soon as you enable it. However, you can create groups using the security dynamic-authorization group create
command, so that dynamic authorization only applies to those specific users.
Add a dynamic authorization group
You can add a dynamic authorization group.
Learn more about the security dynamic-authorization group create
command in the ONTAP command reference.
-
Create the group. Update the values in brackets <> to match your environment. If you don't use the
-vserver
parameter, the command is run at the cluster level. Parameters in bold are required:security dynamic-authorization group create \ -name <group-name> \ -vserver <storage_VM_name> \ -excluded-usernames <user1,user2,user3...>
-
View the resulting dynamic authorization groups:
security dynamic-authorization group show
Remove a dynamic authorization group
You can remove a dynamic authorization group.
Learn more about the security dynamic-authorization group delete
command in the ONTAP command reference.
-
Delete the group. Update the values in brackets <> to match your environment. If you don't use the
-vserver
parameter, the command is run at the cluster level. Parameters in bold are required:security dynamic-authorization group delete \ -name <group-name> \ -vserver <storage_VM_name>
-
View the resulting dynamic authorization groups:
security dynamic-authorization group show
Configure dynamic authorization trust score components
You can configure the maximum score weight to change priority of scoring criteria or to remove certain criteria from risk scoring.
As a best practice, you should leave the default score weight values in place, and only adjust them if needed. |
Learn more about the security dynamic-authorization trust-score-component modify
command in the ONTAP command reference.
The following are the components that you can modify, along with their default score and percentage weights:
Criteria | Component name | Default raw score weight | Default percentage weight |
---|---|---|---|
Trusted device |
|
20 |
50 |
User login authentication history |
|
20 |
50 |
-
Modify trust score components. Update the values in brackets <> to match your environment. If you don't use the
-vserver
parameter, the command is run at the cluster level. Parameters in bold are required:security dynamic-authorization trust-score-component modify \ -component <component-name> \ -weight <integer> \ -vserver <storage_VM_name>
-
View the resulting trust score component settings:
security dynamic-authorization trust-score-component show
Reset the trust score for a user
If a user is denied access due to system policies and is able to prove their identity, the administrator can reset the user's trust score.
Learn more about the security dynamic-authorization user-trust-score reset
command in the ONTAP command reference.
-
Add the command. Refer to Configure dynamic authorization trust score components for a list of trust score components that you can reset. Update the values in brackets <> to match your environment. If you don't use the
-vserver
parameter, the command is run at the cluster level. Parameters in bold are required:security dynamic-authorization user-trust-score reset \ -username <username> \ -component <component-name> \ -vserver <storage_VM_name>
Display your trust score
A user can display their own trust score for a login session.
-
Display your trust score:
security login whoami
You should see output similar to the following:
User: admin Role: admin Trust Score: 50
Configure a custom trust score provider
If you already receive scoring methods from an external trust score provider, you can add the custom provider to the dynamic authorization configuration.
-
The custom trust score provider must return a JSON response. The following syntax requirements must be met:
-
The field that returns the trust score must be a scalar field and not an element of an array.
-
The field that returns the trust score can be a nested field, such as
trust_score.value
. -
There must be a field within the JSON response that returns a numeric trust score. If this is not natively available, you can write a wrapper script to return this value.
-
-
The value provided can be either a trust score or a risk score. The difference is that the trust score is in ascending order with a higher score denoting a higher trust level, while the risk score is in descending order. For example, a trust score of 90 for a score range of 0 to 100 indicates that the score is very trustworthy and likely to result in an "allow" without additional challenge, while a risk score of 90 for a score range of 0 to 100 indicates high risk and likely to result in a "deny" without an additional challenge.
-
The custom trust score provider must be accessible via the ONTAP REST API.
-
The custom trust score provider must be configurable using one of the supported parameters. Custom trust score providers that require configuration that is not in the supported parameter list are not supported.
Learn more about the security dynamic-authorization trust-score-component create
command in the ONTAP command reference.
-
Add a custom trust score provider. Update the values in brackets <> to match your environment. If you don't use the
-vserver
parameter, the command is run at the cluster level. Parameters in bold are required:security dynamic-authorization trust-score-component create \ -component <text> \ -provider-uri <text> \ -score-field <text> \ -min-score <integer> \ -max-score <integer> \ -weight <integer> \ -secret-access-key "<key_text>" \ -provider-http-headers <list<header,header,header>> \ -vserver <storage_VM_name>
-
View the resulting trust score provider settings:
security dynamic-authorization trust-score-component show
Configure custom trust score provider tags
You can communicate with external trust score providers using tags. This enables you to send information in the URL to the trust score provider without exposing sensitive information.
Learn more about the security dynamic-authorization trust-score-component create
command in the ONTAP command reference.
-
Enable trust score provider tags. Update the values in brackets <> to match your environment. If you don't use the
-vserver
parameter, the command is run at the cluster level. Parameters in bold are required:security dynamic-authorization trust-score-component create \ -component <component_name> \ -weight <initial_score_weight> \ -max-score <max_score_for_provider> \ -provider-uri <provider_URI> \ -score-field <REST_API_score_field> \ -secret-access-key "<key_text>"
For example:
security dynamic-authorization trust-score-component create -component comp1 -weight 20 -max-score 100 -provider-uri https://<url>/trust-scores/users/<user>/<ip>/component1.html?api-key=<access-key> -score-field score -access-key "MIIBBjCBrAIBArqyTHFvYdWiOpLkLKHGjUYUNSwfzX"