Hello,
I need some insight into the best way to lock down the local SnapCenter account on a NetApp cluster. The following articles outline several steps; however, the role they outline includes cluster and vserver commands. I don't believe those commands work in an SVM context. The account we have right now resides in SVMs that contain datastores and iSCSI LUNs, all backed up by SnapCenter.
In summary: I want to assign the limited rights recommended below, but can't assign them all if the account is in an SVM (if I understand correctly). Anyone have an insight into this?
3 REPLIES
If you are providing SnapCenter with the Vserver admin login, it is restricted only to that vserver. If you wish for it to have access to the cluster vserver, then you can use the documentation you have listed to restrict its rights to ONTAPI calls only.
What does your end goal look like for the SnapCenter deployment?
Thanks @aladd for responding to my post. We've had SnapCenter running for over a year. When I set it up, my understanding was we needed a local account on any SVM that SnapCenter connected to with the admin role. Now, as a separate project, we are trying to beef up security and give all accounts the least amount of rights they need.
I did see information on a recent SnapCenter update that indicated you can now simply create a connection to the cluster rather than an SVM.
So here are some questions:
- Is there no way to lock down a local SVM account in the same way as described by the articles for a local cluster account? (Or, at the very least, is it not documented anywhere as a procedure)?
- If I switch to connecting via cluster vs. SVM in SnapCenter, I could then follow the procedure in the articles. However, in some ways, I'm wondering if this would be less secure because I would be giving a lot of rights to the whole cluster (even though they're limited) vs. admin rights to a few SVMs. Thoughts?
- Is it possible to set the account that connects to storage to a domain level service account rather than a local account?
TMADOCTHOMAS has accepted the solution
A colleague of mine found an article describing how to lock down the account at the SVM level. Here it is in case anyone searches this topic: