Enable or disable dynamic authorization in ONTAP

Contributors netapp-mwallis netapp-aaron-holt netapp-dbagwell netapp-ahibbard

Beginning with ONTAP 9.15.1, administrators can configure and enable dynamic authorization either in visibility mode to test the configuration, or in enforced mode to activate the configuration for CLI users connecting over SSH. If you no longer need dynamic authorization, you can disable it. When you disable dynamic authorization, the configuration settings remain available and you can use them later if you decide to re-enable it.

Learn more about the security dynamic-authorization modify command in the ONTAP command reference.

Enable dynamic authorization for testing

You can enable dynamic authorization in visibility mode, which lets you test the feature and confirm that users will not be accidentally locked out. In this mode, the trust score is evaluated for every restricted activity, but the result is not enforced. Instead, any activity that would have been denied, or would have triggered an additional authentication challenge, is logged. As a best practice, test your intended settings in this mode and review the log before enforcing them.

Note You can follow this step to enable dynamic authorization for the first time even if you haven't yet configured any other dynamic authorization settings. Refer to Customize dynamic authorization for the steps to tailor the remaining settings to your environment.
Steps
  1. Enable dynamic authorization in visibility mode by configuring the global settings and changing the feature state to visibility. If you omit the -vserver parameter, the command runs at the cluster level. Replace the placeholder values in angle brackets <> with values for your environment. The -state parameter is required; the others are optional:

    security dynamic-authorization modify \
    -state visibility \
    -lower-challenge-boundary <percent> \
    -upper-challenge-boundary <percent> \
    -suppression-interval <interval> \
    -vserver <storage_VM_name>
  2. Check the result by using the show command to display the global configuration:

    security dynamic-authorization show

Enable dynamic authorization in enforced mode

You can enable dynamic authorization in enforced mode. Typically, you use this mode after you have completed testing with visibility mode. In this mode, the trust score is checked with every restricted activity, and activity restrictions are enforced if the restriction conditions are met. The suppression interval is also enforced, preventing additional authentication challenges within the specified interval.

Note This step assumes that you have previously configured and enabled dynamic authorization in visibility mode, which is strongly recommended.
Steps
  1. Enable dynamic authorization in enforced mode by changing its state to enforced. If you omit the -vserver parameter, the command runs at the cluster level. Replace the placeholder value in angle brackets <> with a value for your environment. The -state parameter is required; -vserver is optional:

    security dynamic-authorization modify \
    -state enforced \
    -vserver <storage_VM_name>
  2. Check the result by using the show command to display the global configuration:

    security dynamic-authorization show
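The two procedures above (enable in visibility mode, then switch to enforced mode) are meant to be run in that order. The following script is an added example, not code from the NetApp page or the ONTAP product: it wraps the documented CLI commands in a small rollout helper that refuses to move to enforced mode unless the cluster currently reports visibility mode, so the testing phase cannot be skipped by accident. Everything about how the CLI is reached is an assumption: it uses ssh to "$ONTAP_USER@$ONTAP_HOST", expects the show output to contain a "State: ..." line, and accepts an ONTAP_CMD override so the offline demo can run against a constructed sample instead of a real cluster. The sample show output and the fake_ontap executor are constructed for the demo and do not reflect the real output layout.

```shell
#!/usr/bin/env bash
# Added example, not code from the NetApp page. It wraps the ONTAP CLI commands
# documented above in a guarded rollout so the recommended order (visibility
# first, enforced only after testing) is checked by the script itself.
#
# Assumptions, none of which come from the page:
#   - the ONTAP CLI is reached over SSH as "$ONTAP_USER@$ONTAP_HOST";
#   - 'security dynamic-authorization show' prints a line of the form
#     "State: <disabled|visibility|enforced>";
#   - ONTAP_CMD, if set, names a function or program used instead of ssh
#     (this is how the offline demo below avoids touching a real cluster).

# Execute one ONTAP CLI command, either through the override or over SSH.
ontap_run() {
  if [ -n "${ONTAP_CMD:-}" ]; then
    "$ONTAP_CMD" "$@"
  else
    ssh "${ONTAP_USER:-admin}@${ONTAP_HOST:?set ONTAP_HOST}" "$*"
  fi
}

# Parse the current feature state out of the 'show' output. Prints one of
# disabled, visibility or enforced, or "unknown" if no State line is found.
current_state() {
  local state
  state=$(ontap_run security dynamic-authorization show \
          | sed -n 's/^[[:space:]]*State:[[:space:]]*//p' | head -n1 | tr -d '[:space:]')
  printf '%s\n' "${state:-unknown}"
}

# Change the feature state. Going to 'enforced' is refused unless the cluster
# currently reports 'visibility', i.e. the test phase has actually been run.
set_state() {
  local target=$1 now
  case "$target" in
    disabled|visibility|enforced) ;;
    *) echo "set_state: invalid state '$target'" >&2; return 2 ;;
  esac
  now=$(current_state)
  if [ "$target" = enforced ] && [ "$now" != visibility ]; then
    echo "refusing to enforce: current state is '$now'; test in visibility mode first" >&2
    return 1
  fi
  ontap_run security dynamic-authorization modify -state "$target"
}

# Constructed sample of a 'show' result, used only by the offline demo; the
# real output layout is not taken from the page.
FAKE_STATE_OUTPUT='                    State: visibility
 Lower Challenge Boundary: 70
 Upper Challenge Boundary: 90
     Suppression Interval: 1h'

# Fake executor for the demo: answers 'show' from the sample, echoes the rest.
fake_ontap() {
  case "$*" in
    *" show") printf '%s\n' "$FAKE_STATE_OUTPUT" ;;
    *) printf 'would run: %s\n' "$*" ;;
  esac
}

# Offline walkthrough: run the script with --demo to see the guard in action.
if [ "${1:-}" = --demo ]; then
  ONTAP_CMD=fake_ontap
  echo "state now: $(current_state)"
  set_state enforced
fi
```

Against a real cluster, leave ONTAP_CMD unset and export ONTAP_HOST (and ONTAP_USER if it is not admin); the guard then reads the live state before issuing the modify command. Add -vserver to the modify call inside set_state if you manage the feature per storage VM rather than cluster-wide.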

Disable dynamic authorization

You can disable dynamic authorization if you no longer need the added authentication security.

Steps
  1. Disable dynamic authorization by changing its state to disabled. If you omit the -vserver parameter, the command runs at the cluster level. Replace the placeholder value in angle brackets <> with a value for your environment. The -state parameter is required; -vserver is optional:

    security dynamic-authorization modify \
    -state disabled \
    -vserver <storage_VM_name>
  2. Check the result by using the show command to display the global configuration:

    security dynamic-authorization show

What's next

(Optional) Depending on your environment, refer to Customize dynamic authorization to configure other dynamic authorization settings.