
Configure JIT privilege elevation in ONTAP

Contributors: netapp-bhouser, netapp-aaron-holt

Beginning with ONTAP 9.17.1, cluster administrators can configure just-in-time (JIT) privilege elevation to allow ONTAP users to temporarily elevate their privileges to perform certain tasks. When JIT is configured for a user, they can temporarily elevate their privilege to a role that has the necessary permissions to perform a task. After the session duration expires, the user returns to their original access level.

Cluster administrators can configure the duration for which a user can access JIT elevation. For example, you can configure user access to JIT elevation with a 30-minute per-session limit (the session validity period) for a 30-day period (the JIT validity period). During the 30-day period, the user can elevate their privilege as many times as needed, but each session is limited to 30 minutes.

JIT privilege elevation supports the principle of least privilege, allowing users to perform tasks that require elevated privileges without permanently granting them those privileges. This helps reduce the risk of unauthorized access or accidental changes to the system. The following examples describe some common use cases for JIT privilege elevation:

  • Allow temporary access to the security login create and security login delete commands to enable onboarding and offboarding of users.

  • Allow temporary access to system node image update and system node upgrade-revert during an update window. After the update is complete, command access is revoked.

  • Allow temporary access to cluster add-node, cluster remove-node, and cluster modify to enable cluster expansion or reconfiguration. Once the cluster changes are complete, command access is revoked.

  • Allow temporary access to volume snapshot restore to enable restore operations and backup target management. Once the restore or configuration is complete, command access is revoked.

  • Allow temporary access to security audit log show to enable audit log review and export during a compliance check.

For a more expansive list of common JIT use cases, refer to Common JIT use cases.

Cluster administrators can set up JIT access for ONTAP users, and configure the default JIT validity periods either globally across the cluster or for specific SVMs.

About this task
  • JIT privilege elevation is only available to users accessing ONTAP with SSH. Elevated privileges are only available within the user's current SSH session, but they can elevate privileges within as many concurrent SSH sessions as needed.

  • JIT privilege elevation is only supported for users using password, nsswitch, or domain authentication to log in. Multi-factor authentication (MFA) is not supported for JIT privilege elevation.

Before you begin
  • You must be an ONTAP cluster administrator at the admin privilege level to perform the following tasks.

Modify global JIT settings

You can modify the default JIT settings globally across the ONTAP cluster or for a specific SVM. These settings determine the default session validity period and the maximum JIT validity period for users who are configured for JIT access.

About this task
  • The default value of default-session-validity-period is one hour. This setting determines how long a user can access elevated privileges in a JIT session before needing to re-elevate.

  • The default max-jit-validity-period value is 90 days. This setting determines the maximum period during which a user can access JIT elevation after the configured start date. You can configure the JIT validity period for individual users, but it cannot exceed the maximum JIT validity period.

Steps
  1. Check the current JIT settings:

    security jit-privilege show -vserver <svm_name>

    -vserver is optional. If you don't specify an SVM, the command shows the global JIT settings.

  2. Modify the JIT settings globally or for an SVM:

    security jit-privilege modify -vserver <svm_name> -default-session-validity-period <period> -max-jit-validity-period <period>

    If you don't specify an SVM, the command modifies the global JIT settings. The following example sets the default JIT session duration to 45 minutes and the maximum JIT duration to 30 days for SVM svm1:
    security jit-privilege modify -vserver svm1 -default-session-validity-period 45m -max-jit-validity-period 30d

    In this example, users can access JIT elevation for 45 minutes at a time and can initiate JIT sessions for a maximum of 30 days after their configured start date.

Configure JIT privilege elevation access for a user

You can assign JIT privilege elevation access to ONTAP users.

Steps
  1. Check the current JIT access for a user:

    security jit-privilege user show -username <username>

    -username is optional. If you don't specify a username, the command shows the JIT access for all users.

  2. Assign new JIT access for a user:

    security jit-privilege user create -username <username> -vserver <svm_name> -role <rbac_role> -session-validity-period <period> -jit-validity-period <period> -start-time <date>
    • If -vserver is not specified, JIT access is assigned at the cluster level.

    • -role is the RBAC role that the user will be elevated to. If not specified, -role defaults to admin.

    • -session-validity-period is the duration for which the user can access the elevated role before needing to start a new JIT session. If not specified, the global or SVM default-session-validity-period is used.

    • -jit-validity-period is the maximum duration for which a user can initiate JIT sessions after the configured start date. If not specified, the session-validity-period is used. This parameter cannot exceed the global or SVM max-jit-validity-period.

    • -start-time is the date and time after which the user can initiate JIT sessions. If not specified, the current date and time is used.

      The following example allows ontap_user to access the admin role for 1 hour before needing to start a new JIT session. ontap_user will be able to initiate JIT sessions for a 60-day period starting at 1 PM on July 1, 2025:
      security jit-privilege user create -username ontap_user -role admin -session-validity-period 1h -jit-validity-period 60d -start-time "7/1/25 13:00:00"

  3. If needed, revoke a user's JIT access:

    security jit-privilege user delete -username <username> -vserver <svm_name>

    This command will revoke a user's JIT access, even if their access has not expired. If -vserver is not specified, the JIT access is revoked at the cluster level. If the user is in an active JIT session, the session will be terminated.
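The two procedures above (setting the global or SVM limits, then granting a user JIT access) as an added example, not NetApp's code: a Python helper that builds the security jit-privilege user create line, enforces the page's rule that -jit-validity-period cannot exceed -max-jit-validity-period before the command ever reaches the CLI, and tells you when a grant's window closes. The period syntax (45m, 1h, 30d) and start-time format ("7/1/25 13:00:00") are assumed from the page's examples.

```python
"""Added example, not NetApp's code: plan and validate an ONTAP JIT grant.

Encodes the rules this page states: jit-validity-period may not exceed the global or
SVM max-jit-validity-period; role defaults to admin; jit-validity-period defaults to
session-validity-period; start-time defaults to now. The period syntax (45m, 1h, 30d)
and start-time format ("7/1/25 13:00:00") are taken from the page's examples; treating
them as the complete grammar is an assumption.
"""
import re
from datetime import datetime, timedelta

_UNITS = {"m": 60, "h": 3600, "d": 86400}
_TIME_FMT = "%m/%d/%y %H:%M:%S"


def parse_period(text):
    """Parse a period such as '45m', '1h' or '30d' into a timedelta."""
    m = re.fullmatch(r"(\d+)([mhd])", text.strip())
    if not m:
        raise ValueError(f"unsupported period: {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])


def fmt_time(t):
    """Render a datetime the way the page writes -start-time (no zero padding)."""
    return f"{t.month}/{t.day}/{t:%y %H:%M:%S}"


def plan_jit_grant(username, session_validity, max_jit_validity, role="admin",
                   jit_validity=None, start_time=None, vserver=None):
    """Build the 'security jit-privilege user create' line and compute when the grant ends.
    Raises ValueError when the requested JIT validity exceeds the configured maximum,
    the limit the page says ONTAP enforces, so the mistake is caught before it hits the CLI."""
    jit_text = jit_validity or session_validity  # page: defaults to the session period
    jit = parse_period(jit_text)
    if jit > parse_period(max_jit_validity):
        raise ValueError(f"-jit-validity-period {jit_text} exceeds max {max_jit_validity}")
    start = datetime.strptime(start_time, _TIME_FMT) if start_time else datetime.now()
    parts = ["security jit-privilege user create", f"-username {username}"]
    if vserver:  # omitted -> the grant is assigned at the cluster level
        parts.append(f"-vserver {vserver}")
    parts += [f"-role {role}", f"-session-validity-period {session_validity}",
              f"-jit-validity-period {jit_text}", f'-start-time "{fmt_time(start)}"']
    return {"command": " ".join(parts), "window_end": fmt_time(start + jit)}


def grant_is_active(start_time, jit_validity, now):
    """True while 'now' (page-format string) lies inside the grant's JIT validity window."""
    start = datetime.strptime(start_time, _TIME_FMT)
    return start <= datetime.strptime(now, _TIME_FMT) < start + parse_period(jit_validity)
```

Run the window check from a scheduled job to list grants that have expired but were never deleted with security jit-privilege user delete; the page's revocation step is the cleanup for any grant this flags.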

Common JIT use cases

The following table contains common use cases for JIT privilege elevation. For each use case, an RBAC role would need to be configured to provide access to the relevant commands. Each command links to the ONTAP command reference, with more information about the command and its parameters.

Each entry below gives the use case, the commands involved, and details.

User and role management

  • security login create

  • security login delete

Temporarily elevate to add/remove users or change roles during onboarding or offboarding.

Certificate management

  • security certificate create

  • security certificate install

Grant short-term access for certificate installation or renewal.

SSH/CLI access control

  • security login create -application ssh

Temporarily grant SSH access for troubleshooting or vendor support.

License management

  • system license add

  • system license delete

Grant rights to add or remove licenses during feature activation or deactivation.

System upgrades and patching

  • system node image update

  • system node upgrade-revert

Elevate for the upgrade window, then revoke.

Network security settings

  • security login role create

  • security login role modify

Allow temporary changes to network-related security roles.

Cluster management

  • cluster add-node

  • cluster remove-node

  • cluster modify

Elevate for cluster expansion or reconfiguration.

SVM management

  • vserver create

  • vserver delete

  • vserver modify

Temporarily grant an SVM admin rights for provisioning or decommissioning.

Volume management

  • volume create

  • volume delete

  • volume modify

Elevate for volume provisioning, resizing, or removal.

Snapshot management

  • volume snapshot create

  • volume snapshot delete

  • volume snapshot restore

Elevate for snapshot deletion or restore during recovery.

Network configuration

  • network interface create

  • network port vlan create

Grant rights for network changes during maintenance windows.

Disk/aggregate management

  • storage disk assign

  • storage aggregate create

  • storage aggregate add-disks

Elevate for adding or removing disks or managing aggregates.

Data protection

  • snapmirror create

  • snapmirror modify

  • snapmirror restore

Temporarily elevate for configuring or restoring SnapMirror relationships.

Performance tuning

  • qos policy-group create

  • qos policy-group modify

Elevate for performance troubleshooting or tuning.

Audit log access

  • security audit log show

Temporarily elevate for audit log review or export during compliance checks.

Event and alert management

  • event notification create

  • event notification modify

Elevate for configuring or testing event notifications or SNMP traps.

Compliance-driven data access

  • volume show

  • security audit log show

Grant temporary read-only access for auditors to review sensitive data or logs.

Privileged access reviews

  • security login show

  • security login role show

Temporarily elevate to review and report on privileged access. Grant read-only elevated access for a limited time.