2017-07-17 12:17 AM
I am trying the SnapLock feature in the NetApp simulator storage.
I get the process to create an Enterprise WORM folder, an Audit Log and a privileged delete account.
But I have a question about the system administrator and vsadmin-snaplock.
1. In order to prevent the system administrator from having too much power to delete WORM files in Enterprise mode, we have to create another account that has the privilege to delete WORM files. Is that the major purpose of separating the system administrator and vsadmin-snaplock accounts?
2. If yes, there is no method that can prevent the system administrator from creating a vsadmin-snaplock account or modifying the password of the vsadmin-snaplock account. It means that the administrator can do the privileged delete whenever he wants. Is that right?
I know the audit log will save all of the process. But the log is just for the record; it cannot prevent the wrong from happening.
Do you know if there is any way to prevent the administrator from creating or modifying the vsadmin-snaplock account at any time?
2017-07-20 02:01 AM
1 - Yes. 2 - The administrator has the ability to assign rights. Refer to http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-arch-con%2FGUID-6226EB59-EF12-4D3D-A7B9-6B6407DE77C7.html
Administrator is a predefined role; I am not sure if it allows restricting the modification of a user account.