This page contains instructions for limiting how often already-authenticated users cause triggers to fire. One important use-case is limiting how often your users must provide additional authentication while accessing your servers. While 2FA is fundamental to good security, even highly-cautious DevSecOps teams may prefer not to continually prompt already-authenticated users for verification. This page focuses on how to limit the number of 2FA prompts, but the same idea works with any kind of trigger.


Conceptual Overview

You can limit the number of 2FA requests by configuring triggers that would ordinarily ask for 2FA not to do so for already-authenticated users

When users connect to a Cmd-enabled server, they are by default classified as an unauthenticated Linux user. By authenticating with Cmd using 2FA, they assume the roles associated with their Cmd account. You can select which user accounts have which roles, and configure 2FA triggers not to fire for users with certain roles. 

The same principle applies to other types of triggers (e.g. you can stop any given trigger from firing for particular authenticated users).


Setting up user roles for your team 

  • In the Cmd web app, click the project name in the top right to open the dropdown menu.

  • Click Project and app settings, which will bring you to Users & roles.

  • Create a new user role:
       - Click Manage roles, then Add user role.
       - Give the role a name (e.g. “MFAexempt”), and click Ok.

  • Assign the new role to whichever user accounts you want to exempt:
       - For each account, click the three-dot icon on the right side of its row, then click
       - Under User roles, add the new role, then click Save.


Configuring triggers to ignore a particular role

  • Identify which triggers you want to stop from prompting already-authenticated users for 2FA. 

  • For each of those triggers, add the following CQL at the end of the query field (assuming your new role is called “MFAexempt”):

AND session_user_role != "MFAexempt"
  • This will cause the trigger to fire only for users who are not authenticated to one of the user accounts with the “MFAexempt” role.


Example: Testing 2FA trigger-exemption

First, I created a new user role called “MFAexempt”, and added it to my user account. This caused the role to appear on my Account Info page:

I then created a simple trigger that fires when a user attempts to execute the ‘ls’ command, unless they are an authenticated user with the “MFAexempt” role:

When fired, this trigger displays a terminal message and prompts for 2FA. In the following screenshot, I used the ‘ls’ command twice on a Cmd-enabled server where this trigger was active. The first time, I was prompted for 2FA (because I was not yet authenticated), but I was not prompted the second time, even though I used the same command (because after authenticating, I became associated with the exempt user role):

Related resources:

Did this answer your question?