<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Virtual Storage Console Limited Use Rights in VMware Solutions Discussions</title>
    <link>https://community.netapp.com/t5/VMware-Solutions-Discussions/Virtual-Storage-Console-Limited-Use-Rights/m-p/164445#M9802</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I am attempting to reduce rights to the bare minimum on local ONTAP service accounts to increase our security posture. I've created a custom role for the VSC service account that just allows for discovery; however, it occurred to me that we can probably go further.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We use VSC for &lt;STRONG&gt;one single purpose&lt;/STRONG&gt; only: to verify our ESX host settings match NetApp best practices. The only thing we do is browse to&amp;nbsp;&lt;STRONG&gt;Overview&lt;/STRONG&gt; and click&amp;nbsp;&lt;STRONG&gt;Edit ESXi Host Settings&lt;/STRONG&gt; when we have a new ESX host added. With this in mind: do we need an account on the cluster at all? Do we have to perform discovery if all we do is apply appropriate settings to ESX hosts? In other words: do I even need a local service account at all? Would love to hear any suggestions or thoughts!&lt;/P&gt;</description>
    <pubDate>Wed, 04 Jun 2025 10:33:30 GMT</pubDate>
    <dc:creator>TMADOCTHOMAS</dc:creator>
    <dc:date>2025-06-04T10:33:30Z</dc:date>
    <item>
      <title>Virtual Storage Console Limited Use Rights</title>
      <link>https://community.netapp.com/t5/VMware-Solutions-Discussions/Virtual-Storage-Console-Limited-Use-Rights/m-p/164445#M9802</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I am attempting to reduce rights to the bare minimum on local ONTAP service accounts to increase our security posture. I've created a custom role for the VSC service account that just allows for discovery; however, it occurred to me that we can probably go further.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We use VSC for &lt;STRONG&gt;one single purpose&lt;/STRONG&gt; only: to verify our ESX host settings match NetApp best practices. The only thing we do is browse to&amp;nbsp;&lt;STRONG&gt;Overview&lt;/STRONG&gt; and click&amp;nbsp;&lt;STRONG&gt;Edit ESXi Host Settings&lt;/STRONG&gt; when we have a new ESX host added. With this in mind: do we need an account on the cluster at all? Do we have to perform discovery if all we do is apply appropriate settings to ESX hosts? In other words: do I even need a local service account at all? Would love to hear any suggestions or thoughts!&lt;/P&gt;</description>
      <pubDate>Wed, 04 Jun 2025 10:33:30 GMT</pubDate>
      <guid>https://community.netapp.com/t5/VMware-Solutions-Discussions/Virtual-Storage-Console-Limited-Use-Rights/m-p/164445#M9802</guid>
      <dc:creator>TMADOCTHOMAS</dc:creator>
      <dc:date>2025-06-04T10:33:30Z</dc:date>
    </item>
    <item>
      <title>Re: Virtual Storage Console Limited Use Rights</title>
      <link>https://community.netapp.com/t5/VMware-Solutions-Discussions/Virtual-Storage-Console-Limited-Use-Rights/m-p/164481#M9803</link>
      <description>&lt;P&gt;If the ONLY thing you want is the ESXi host settings, have you considered using a PowerCLI script to check/implement the settings?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;They are documented here:&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://docs.netapp.com/vapp-97/topic/com.netapp.doc.vsc-dsg/GUID-346ACB95-6AD4-4DEA-8901-C9697AC3530F.html#GUID-346ACB95-6AD4-4DEA-8901-C9697AC3530F" target="_blank"&gt;https://docs.netapp.com/vapp-97/topic/com.netapp.doc.vsc-dsg/GUID-346ACB95-6AD4-4DEA-8901-C9697AC3530F.html#GUID-346ACB95-6AD4-4DEA-8901-C9697AC3530F&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 26 Feb 2021 16:45:07 GMT</pubDate>
      <guid>https://community.netapp.com/t5/VMware-Solutions-Discussions/Virtual-Storage-Console-Limited-Use-Rights/m-p/164481#M9803</guid>
      <dc:creator>JohnChampion</dc:creator>
      <dc:date>2021-02-26T16:45:07Z</dc:date>
    </item>
    <item>
      <title>Re: Virtual Storage Console Limited Use Rights</title>
      <link>https://community.netapp.com/t5/VMware-Solutions-Discussions/Virtual-Storage-Console-Limited-Use-Rights/m-p/164484#M9804</link>
      <description>&lt;P&gt;Thanks&amp;nbsp;&lt;a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/37407"&gt;@JohnChampion&lt;/a&gt;&amp;nbsp;! I have seen that list before, but never thought about scripting the changes in PowerShell. I don't know that I will have time to write and troubleshoot a PS script for something like that however. Plus I really like being able to look in VSC and verify that settings are correct for all systems.&lt;/P&gt;</description>
      <pubDate>Fri, 26 Feb 2021 18:04:39 GMT</pubDate>
      <guid>https://community.netapp.com/t5/VMware-Solutions-Discussions/Virtual-Storage-Console-Limited-Use-Rights/m-p/164484#M9804</guid>
      <dc:creator>TMADOCTHOMAS</dc:creator>
      <dc:date>2021-02-26T18:04:39Z</dc:date>
    </item>
    <item>
      <title>Re: Virtual Storage Console Limited Use Rights</title>
      <link>https://community.netapp.com/t5/VMware-Solutions-Discussions/Virtual-Storage-Console-Limited-Use-Rights/m-p/164677#M9808</link>
      <description>&lt;P&gt;Bumping this to see if anyone is able to answer my question regarding whether I need a VSC local account on the NetApp at all.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is a corollary question: if I do need to keep it, I've already given the account a custom role based on documented limited rights the account needs. However, some of those rights are still admin-oriented, which still leaves me a little concerned about someone gaining access to the account. The only application applied to the account is&amp;nbsp;&lt;STRONG&gt;ontapi&lt;/STRONG&gt;. I am not clear about what "ontapi" really means in this context. If someone obtained access to the account, what would they be able to do with the "ontapi" application?&lt;/P&gt;</description>
      <pubDate>Fri, 05 Mar 2021 19:44:38 GMT</pubDate>
      <guid>https://community.netapp.com/t5/VMware-Solutions-Discussions/Virtual-Storage-Console-Limited-Use-Rights/m-p/164677#M9808</guid>
      <dc:creator>TMADOCTHOMAS</dc:creator>
      <dc:date>2021-03-05T19:44:38Z</dc:date>
    </item>
  </channel>
</rss>

