VMware Solutions Discussions

Ontap Tools Security

alexandremendes
784 Views

I'm studying ONTAP tools and would like to better understand your perspective on the tool. I think the value it adds to administration is fantastic. But I'm also concerned about the risks if an attacker gains access to vCenter and can also directly damage the storage, such as deleting datastores, Snapmirrors, etc.


1) Is this risk worth the tradeoff for management agility?


2) How do you significantly reduce these risks?


3) Does it work well with Multi-Admin Approvals?

1 ACCEPTED SOLUTION

ChanceBingen
742 Views

Hello, Alexandre!

Allow me to address your questions one at a time.

1. Is the risk worth it? I think so, if you take the proper precautions outlined below.

2. For risk mitigation, there are several things you can do.

  a. You can limit access to just one SVM, and dedicate an SVM to just that purpose. This SVM could also use tenant capacity management to limit the storage consumption.

  b. You can lock down your vCenter users with the built-in vCenter user roles so that only very select users have the rights to delete datastores.

  c. You can use multi-factor authentication in vCenter to ensure your users are who they say they are.

  d. If you want to lock down ONTAP tools so that it can't ever delete volumes, you could use an ONTAP RBAC user lacking delete permissions when you onboard the storage to be managed.


Unfortunately, it doesn't currently support MAV. However, we have been talking about it internally. If you would like us to prioritize that feature, please let your account team (or partner) know so they can log a formal request.

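The point 2d above, a delete-less ONTAP RBAC account for onboarding the plugin, is easy to get subtly wrong because ONTAP resolves a command's access from the most specific matching command directory, so a broad "all" on `volume` silently re-enables every subcommand you did not deny by name. The following script is an added example, not code from the thread or from NetApp: it composes the role and account bodies for ONTAP's `/api/security/roles` and `/api/security/accounts` REST endpoints, resolves what the role would actually permit for a set of delete commands, and refuses to apply a role that still grants one. The SVM name `svm_vmware`, role `ot_nodelete`, user `ontap_tools_svc`, the privilege list and the exact body field names are assumptions; check them against the privilege requirements of your ONTAP tools release.

```python
"""Compose a delete-less ONTAP RBAC role and service account for ONTAP tools,
and check its effective permissions before applying it.

Assumed, constructed values: SVM 'svm_vmware', role 'ot_nodelete', user
'ontap_tools_svc' and the privilege list below. The REST endpoints are ONTAP's,
but the body field names used here are assumptions to verify against your release.
"""
import base64
import json
import urllib.request

# Constructed privilege set: broad access to the directories the plugin manages,
# with the delete directories explicitly set to 'none'. ONTAP applies the most
# specific matching directory, so every delete you want blocked must be listed.
RESTRICTED_PRIVILEGES = [
    {"path": "volume", "access": "all"},
    {"path": "volume delete", "access": "none"},
    {"path": "lun", "access": "all"},
    {"path": "lun delete", "access": "none"},
    {"path": "snapmirror", "access": "readonly"},
    {"path": "network interface", "access": "readonly"},
    {"path": "vserver", "access": "readonly"},
    {"path": "version", "access": "readonly"},
]


def effective_access(privileges, command):
    """Resolve the access the role grants for a CLI command path.

    The longest command directory that is a whole-token prefix of the command
    wins; a command matched by no entry gets 'none'.
    """
    best = None
    for priv in privileges:
        path = priv["path"]
        if command == path or command.startswith(path + " "):
            if best is None or len(path) > len(best["path"]):
                best = priv
    return best["access"] if best else "none"


def allowed_deletes(privileges, roots=("volume", "lun", "snapmirror", "vserver")):
    """Return the '<root> delete' commands the role would still allow outright."""
    return [f"{r} delete" for r in roots
            if effective_access(privileges, f"{r} delete") == "all"]


def build_role_body(svm, role, privileges=RESTRICTED_PRIVILEGES):
    """Body for POST /api/security/roles (field names assumed, see docstring)."""
    return {"name": role, "owner": {"name": svm}, "privileges": list(privileges)}


def build_account_body(svm, role, user, password):
    """Body for POST /api/security/accounts; the plugin talks REST (http) and
    legacy ZAPI (ontapi), so both applications are enabled with password auth."""
    return {
        "name": user,
        "owner": {"name": svm},
        "role": {"name": role},
        "password": password,
        "applications": [
            {"application": "http", "authentication_methods": ["password"]},
            {"application": "ontapi", "authentication_methods": ["password"]},
        ],
    }


def apply(base_url, admin_user, admin_password, svm, role, user, password, dry_run=True):
    """Refuse to create a role that still grants deletes; otherwise POST (or, in
    dry-run mode, just return) the two request bodies. TLS verification is left
    at urllib's default on purpose; trust the cluster certificate instead of
    disabling it."""
    leaks = allowed_deletes(RESTRICTED_PRIVILEGES)
    if leaks:
        raise ValueError(f"role would still allow: {leaks}")
    requests_ = [
        ("/api/security/roles", build_role_body(svm, role)),
        ("/api/security/accounts", build_account_body(svm, role, user, password)),
    ]
    if dry_run:
        return requests_
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    for path, body in requests_:
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": "Basic " + token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            resp.read()
    return requests_


if __name__ == "__main__":
    # Dry run against the constructed names; prints the bodies it would send.
    for path, body in apply("https://cluster.example.invalid", "admin", "x",
                            "svm_vmware", "ot_nodelete", "ontap_tools_svc", "x"):
        print(path, json.dumps(body, indent=2))
```

Two things the check surfaces that a quick read of the privilege list does not: `volume snapshot delete` resolves to `all` because only `volume delete` was denied, so each deeper delete directory you care about needs its own `none` entry, and anything outside the listed directories (for example `cluster peer delete`) is already `none` without being named.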
