
Dynamic authorization overview

Contributors netapp-mwallis

Beginning with ONTAP 9.15.1, administrators can configure and enable dynamic authorization to increase the security of remote access to ONTAP while also mitigating the potential damage a malicious actor could cause. With ONTAP 9.15.1, dynamic authorization provides an initial framework for assigning a security score to users and, if their activity looks suspicious, challenging them with additional authorization checks or denying an operation completely. Administrators can create rules, assign trust scores, and restrict commands to determine when certain activity is allowed or denied for a user. Dynamic authorization can be enabled cluster-wide or for individual storage VMs.

How dynamic authorization works

Dynamic authorization uses a trust scoring system to assign each user a level of trust according to the configured authorization policies. Based on the user's trust level, an activity they perform can be allowed or denied, or the user can be prompted for further authentication.

Take the example of three different users attempting to delete a volume. At the time they try to perform the operation, the risk rating for each user is examined:

  • The first user logs in from a trusted device at regular office hours, which makes her risk rating low; the operation is allowed without additional authentication.

  • The second user logs in from a trusted device in her home outside of office hours, which makes the risk rating moderate; she is prompted for additional authentication before the operation is allowed.

  • The third user logs in from an untrusted device in a new location outside of office hours, which makes the risk rating high; the operation is not allowed.
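The following Python model illustrates the three-outcome decision described above; it is an added example, not ONTAP's implementation, and its signals (device trust, office hours, known location), weights, thresholds and names are assumptions chosen for this illustration.

```python
# Illustrative trust-score model, added as an example. Not ONTAP code: the
# signals, weights, thresholds and field names below are assumptions.
from dataclasses import dataclass
from datetime import time

ALLOW, STEP_UP, DENY = "allow", "additional-authentication", "deny"

@dataclass
class LoginContext:
    trusted_device: bool
    login_time: time
    known_location: bool   # a location previously seen for this user

OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)   # assumed office hours

def risk_score(ctx: LoginContext) -> int:
    """Each risky signal adds to the score (assumed weights)."""
    score = 0
    if not ctx.trusted_device:
        score += 2          # untrusted device weighs most
    if not (OFFICE_START <= ctx.login_time <= OFFICE_END):
        score += 1
    if not ctx.known_location:
        score += 1
    return score

def decide(ctx: LoginContext, restricted_command: bool = True) -> str:
    """Map the risk score to allow / step-up / deny for a restricted command."""
    if not restricted_command:
        return ALLOW        # policy only applies to restricted commands
    score = risk_score(ctx)
    if score == 0:
        return ALLOW        # low risk: no extra authentication
    if score == 1:
        return STEP_UP      # moderate risk: prompt for additional authentication
    return DENY             # high risk: operation refused

# Constructed sample contexts matching the three users in the text.
EXAMPLE_USERS = {
    "first":  LoginContext(trusted_device=True,  login_time=time(10, 30), known_location=True),
    "second": LoginContext(trusted_device=True,  login_time=time(21, 0),  known_location=True),
    "third":  LoginContext(trusted_device=False, login_time=time(23, 15), known_location=False),
}

def page_example() -> dict:
    """Decisions for the three sample users, e.g. volume delete attempts."""
    return {name: decide(ctx) for name, ctx in EXAMPLE_USERS.items()}

if __name__ == "__main__":
    for name, outcome in page_example().items():
        print(f"{name} user: {outcome}")
```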