Re: Any Reason Not to Lock the vsadmin Account?

TMADOCTHOMAS · ‎2021-11-03

Recently I've investigated ways to lock down access to our NetApp clusters and am currently looking at the vsadmin accounts in SVMs. We don't delegate duties at the SVM level, and we use a dedicated, limited 'snapcenter' account in SVMs that need SnapCenter connectivity. We still have a 'snapdrive' account as well for a handful of cdot systems we still need SnapDrive on.

With this in mind, is there any reason not to lock the vsadmin account to reduce the number of ways someone could log in? Any "gotchas" I'm not considering?

TMADOCTHOMAS · ‎2021-11-03

To elaborate a little:

The ONLY reason we still have SnapDrive is for LUN management (resizing, creation, etc.) on a handful of systems to get around SnapCenter bugs. We don't use it for backups. With that in mind I think we don't need vsadmin, especially since the snapdrive service account is a vsadmin level account. Any thoughts or suggestions?

tech-trt18 · ‎2023-01-11

I'm looking for this same question... Also, if there's no reason to keep vsadmin unlocked I'm willing to remove "management-ssh" and "management-http(s)" from network LIFs on CIFS and NFS serving SVMs... Because as I see if the vsadmin (or any other user) is necessary, I don't see why these management policies need to be present on these LIFs.

TMADOCTHOMAS · ‎2023-01-11

@tech-trt18 for what it's worth, I did end up disabling vsadmin across the board and have had no ill effects.

tech-trt18 · ‎2023-01-11

Thank you for the reply. I got some different users, one of them in a LUN serving SVM I think it's used for receiving "Snapshot for Oracle" commands... The other SVMs I'm going to lock "vsadmin" and remove "management-*" services on all data LIFs.

Thank you for the reply!

Any Reason Not to Lock the vsadmin Account?

NetApp Support Site Wins Silver Stevie® Award

Sign-up for Software Release Notifications!