Configure JIT privilege elevation in ONTAP
Beginning with ONTAP 9.17.1, cluster administrators can configure just-in-time (JIT) privilege elevation to allow ONTAP users to temporarily elevate their privileges to perform certain tasks. When JIT is configured for a user, they can temporarily elevate their privilege to a role that has the necessary permissions to perform a task. After the session duration expires, the user returns to their original access level.
Cluster administrators can configure the duration for which a user can access JIT elevation. For example, you can configure user access to JIT elevation with a 30 minute per-session limit (the session validity period) for a 30-day period (the JIT validity period). During the 30-day period, the user can elevate their privilege as many times as needed, but each session is limited to 30 minutes.
JIT privilege elevation supports the principle of least privilege, allowing users to perform tasks that require elevated privileges without permanently granting them those privileges. This helps reduce the risk of unauthorized access or accidental changes to the system. The following examples describe some common use cases for JIT privilege elevation:
- Allow temporary access to the `security login create` and `security login delete` commands to enable onboarding and offboarding of users.
- Allow temporary access to `system node image update` and `system node upgrade-revert` during an update window. After the update is complete, command access is revoked.
- Allow temporary access to `cluster add-node`, `cluster remove-node`, and `cluster modify` to enable cluster expansion or reconfiguration. Once the cluster changes are complete, command access is revoked.
- Allow temporary access to `volume snapshot restore` to enable restore operations and backup target management. Once the restore or configuration is complete, command access is revoked.
- Allow temporary access to `security audit log show` to enable audit log review and export during a compliance check.
For a more expansive list of common JIT use cases, refer to Common JIT use cases.
Cluster administrators can set up JIT access for ONTAP users, and configure the default JIT validity periods either globally across the cluster or for specific SVMs.
- JIT privilege elevation is only available to users accessing ONTAP with SSH. Elevated privileges are only available within the user's current SSH session, but they can elevate privileges within as many concurrent SSH sessions as needed.
- JIT privilege elevation is only supported for users who log in with password, nsswitch, or domain authentication. Multi-factor authentication (MFA) is not supported for JIT privilege elevation.
- You must be an ONTAP cluster administrator at the `admin` privilege level to perform the following tasks.
Modify global JIT settings
You can modify the default JIT settings globally across the ONTAP cluster or for a specific SVM. These settings determine the default session validity period and the maximum JIT validity period for users who are configured for JIT access.
- The default `default-session-validity-period` value is one hour. This setting determines how long a user can access elevated privileges in a JIT session before needing to re-elevate.
- The default `max-jit-validity-period` value is 90 days. This setting determines the maximum period during which a user can access JIT elevation after the configured start date. You can configure the JIT validity period for individual users, but it cannot exceed the maximum JIT validity period.
- Check the current JIT settings:

  ```
  security jit-privilege show -vserver <svm_name>
  ```

  `-vserver` is optional. If you don't specify an SVM, the command shows the global JIT settings.
- Modify the JIT settings globally or for an SVM:

  ```
  security jit-privilege modify -vserver <svm_name> -default-session-validity-period <period> -max-jit-validity-period <period>
  ```

  If you don't specify an SVM, the command modifies the global JIT settings. The following example sets the default JIT session duration to 45 minutes and the maximum JIT duration to 30 days for SVM `svm1`:

  ```
  security jit-privilege modify -vserver svm1 -default-session-validity-period 45m -max-jit-validity-period 30d
  ```

  In this example, users will be able to access JIT elevation for 45 minutes at a time and can initiate JIT sessions for a maximum of 30 days after their configured start date.
Configure JIT privilege elevation access for a user
You can assign JIT privilege elevation access to ONTAP users.
- Check the current JIT access for a user:

  ```
  security jit-privilege user show -username <username>
  ```

  `-username` is optional. If you don't specify a username, the command shows the JIT access for all users.
- Assign new JIT access for a user:

  ```
  security jit-privilege user create -username <username> -vserver <svm_name> -role <rbac_role> -session-validity-period <period> -jit-validity-period <period> -start-time <date>
  ```

  - If `-vserver` is not specified, JIT access is assigned at the cluster level.
  - `-role` is the RBAC role that the user will be elevated to. If not specified, `-role` defaults to `admin`.
  - `-session-validity-period` is the duration for which the user can access the elevated role before needing to start a new JIT session. If not specified, the global or SVM `default-session-validity-period` is used.
  - `-jit-validity-period` is the maximum duration for which a user can initiate JIT sessions after the configured start date. If not specified, the `session-validity-period` is used. This parameter cannot exceed the global or SVM `max-jit-validity-period`.
  - `-start-time` is the date and time after which the user can initiate JIT sessions. If not specified, the current date and time is used.

  The following example allows `ontap_user` to access the `admin` role for 1 hour before needing to start a new JIT session. `ontap_user` will be able to initiate JIT sessions for a 60-day period starting at 1 PM on July 1, 2025:

  ```
  security jit-privilege user create -username ontap_user -role admin -session-validity-period 1h -jit-validity-period 60d -start-time "7/1/25 13:00:00"
  ```
- If needed, revoke a user's JIT access:

  ```
  security jit-privilege user delete -username <username> -vserver <svm_name>
  ```

  This command revokes a user's JIT access, even if their access has not expired. If `-vserver` is not specified, the JIT access is revoked at the cluster level. If the user is in an active JIT session, the session is terminated.
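The following POSIX shell helper is an added example, not part of the NetApp documentation: it performs the pre-flight check implied by the global-settings and user-assignment steps above by converting period strings in the form this page uses (`45m`, `1h`, `30d`) to seconds, refusing a `-jit-validity-period` that exceeds the SVM's `max-jit-validity-period`, and only then printing the `security jit-privilege user create` command. The period grammar (integer plus `m`, `h` or `d`) and the function names are assumptions; the maximum is passed in by hand rather than parsed from `security jit-privilege show` output.

```shell
#!/bin/sh
# Added example (not NetApp code): validate a JIT assignment before issuing it.
# Assumes ONTAP-style periods are an integer followed by m, h or d.

# period_to_seconds PERIOD -> prints the period in seconds, or fails on bad input
period_to_seconds() {
  n=${1%[mhd]}           # numeric part (strip one trailing unit letter)
  u=${1#"$n"}            # unit suffix: m, h or d
  case "$n" in ''|*[!0-9]*) echo "bad period: $1" >&2; return 1;; esac
  case "$u" in
    m) echo $((n * 60));;
    h) echo $((n * 3600));;
    d) echo $((n * 86400));;
    *) echo "bad unit in period: $1" >&2; return 1;;
  esac
}

# jit_request_ok REQUESTED MAX -> 0 if REQUESTED <= MAX, 1 otherwise
jit_request_ok() {
  req=$(period_to_seconds "$1") || return 1
  max=$(period_to_seconds "$2") || return 1
  [ "$req" -le "$max" ]
}

# build_jit_create USER ROLE SESSION JIT START MAX
# Prints the create command only when JIT does not exceed MAX (the SVM's
# max-jit-validity-period); otherwise reports the violation and fails.
build_jit_create() {
  user=$1; role=$2; session=$3; jit=$4; start=$5; max=$6
  if ! jit_request_ok "$jit" "$max"; then
    echo "refusing: -jit-validity-period $jit exceeds max-jit-validity-period $max" >&2
    return 1
  fi
  printf 'security jit-privilege user create -username %s -role %s -session-validity-period %s -jit-validity-period %s -start-time "%s"\n' \
    "$user" "$role" "$session" "$jit" "$start"
}

# Sample use: the page's 60-day request against the 90-day default maximum
# (accepted) and against the 30-day limit set for svm1 above (refused).
build_jit_create ontap_user admin 1h 60d "7/1/25 13:00:00" 90d
build_jit_create ontap_user admin 1h 60d "7/1/25 13:00:00" 30d || echo "command not issued"
```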
Common JIT use cases
The following table contains common use cases for JIT privilege elevation. For each use case, an RBAC role would need to be configured to provide access to the relevant commands. Each command links to the ONTAP command reference, with more information about the command and its parameters.
Use case | Commands | Details |
---|---|---|
User and role management | | Temporarily elevate to add/remove users or change roles during onboarding or offboarding. |
Certificate management | | Grant short-term access for certificate installation or renewal. |
SSH/CLI access control | | Temporarily grant SSH access for troubleshooting or vendor support. |
License management | | Grant rights to add or remove licenses during feature activation or deactivation. |
System upgrades and patching | | Elevate for the upgrade window, then revoke. |
Network security settings | | Allow temporary changes to network-related security roles. |
Cluster management | | Elevate for cluster expansion or reconfiguration. |
SVM management | | Temporarily grant an SVM admin rights for provisioning or decommissioning. |
Volume management | | Elevate for volume provisioning, resizing, or removal. |
Snapshot management | | Elevate for snapshot deletion or restore during recovery. |
Network configuration | | Grant rights for network changes during maintenance windows. |
Disk/aggregate management | | Elevate for adding or removing disks or managing aggregates. |
Data protection | | Temporarily elevate for configuring or restoring SnapMirror relationships. |
Performance tuning | | Elevate for performance troubleshooting or tuning. |
Audit log access | | Temporarily elevate for audit log review or export during compliance checks. |
Event and alert management | | Elevate for configuring or testing event notifications or SNMP traps. |
Compliance-driven data access | | Grant temporary read-only access for auditors to review sensitive data or logs. |
Privileged access reviews | | Temporarily elevate to review and report on privileged access. Grant read-only elevated access for a limited time. |