Skip to main content

Access JIT privilege elevation in ONTAP

Contributors netapp-bhouser
PDFs

Beginning with ONTAP 9.17.1, cluster administrators can configure just-in-time (JIT) privilege elevation to allow ONTAP users to temporarily elevate their privileges to perform certain tasks. When JIT is configured for a user, they can temporarily elevate their privilege to a role that has the necessary permissions to perform a task. After the session expires, the user returns to their original access level.

Cluster administrators can configure the duration for which a user can access JIT elevation. For example, cluster administrators can configure user access to JIT elevation with a 30 minute per-session limit (the session validity period) for a 30-day period (the JIT validity period). During the 30-day period, the user can elevate their privilege as many times as needed, but each session is limited to 30 minutes.

About this task

  • JIT privilege elevation is only available to users accessing ONTAP with SSH. Elevated privilege is only available within the current SSH session, but you can elevate privileges within as many concurrent SSH sessions as needed.

  • JIT privilege elevation is only supported for users using password, nsswitch, or domain authentication to log in. Multi-factor authentication (MFA) is not supported for JIT privilege elevation.

  • A user's JIT session will be terminated if the configured session or JIT validity period expires, or if a cluster administrator revokes JIT access for the user.

Before you begin

  • To access JIT privilege elevation, a cluster administrator must configure JIT access for your account. The cluster administrator determines the role to which you can elevate your privileges, and the duration for which you can access elevated privileges.

Steps

  1. Temporarily elevate your privileges to the configured role:

    security jit-privilege elevate

    After entering this command, you are prompted to enter your login password. If JIT access is configured for your account, you will be granted elevated access for the configured session duration. After the session duration expires, you will return to your original access level. You can elevate your privileges as many times as needed within the configured JIT validity period.

  2. View the remaining time in your JIT session:

    security jit-privilege show-remaining-time

    If you are currently in a JIT session, this command displays the remaining time.

  3. If needed, end your JIT session early:

    security jit-privilege reset

    If you are currently in a JIT session, this command ends the JIT session and restores your original access level.