VMware Solutions Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

VMware Solutions Discussions

Ask a Question

Virtual Storage Console Limited Use Rights

TMADOCTHOMAS
‎2021-02-25 12:43 PM
1,887 Views

Hello,

I am attempting to reduce rights to the bare minimum on local OnTAP service accounts to increase our security posture. I've created a custom role for the VSC service account that just allows for discovery, however it occurred to me that we can probably go further. 

 

We use VSC for one single purpose only: to verify our ESX host settings match NetApp best practices. The only thing we do is browse to Overview and click Edit ESXi Host Settings when we have a new ESX host added. With this in mind: do we need an account on the cluster at all? Do we have to perform discovery if all we do is apply appropriate settings to ESX hosts? In other words: do I even need a local service account at all? Would love to hear any suggestions or thoughts!

0 Kudos
View By:
1 ACCEPTED SOLUTION

JohnChampion
NetApp
‎2021-02-26 08:45 AM
1,841 Views

If the ONLY thing you want is the ESXi host settings, have you considered using a PowerCLI script to check/implement the settings?

 

They are documented here: 

 

https://docs.netapp.com/vapp-97/topic/com.netapp.doc.vsc-dsg/GUID-346ACB95-6AD4-4DEA-8901-C9697AC3530F.html#GUID-346ACB95-6AD4-4DEA-8901-C9697AC3530F

 

View solution in original post

0 Kudos
3 REPLIES 3

JohnChampion
NetApp
‎2021-02-26 08:45 AM
1,842 Views

If the ONLY thing you want is the ESXi host settings, have you considered using a PowerCLI script to check/implement the settings?

 

They are documented here: 

 

https://docs.netapp.com/vapp-97/topic/com.netapp.doc.vsc-dsg/GUID-346ACB95-6AD4-4DEA-8901-C9697AC3530F.html#GUID-346ACB95-6AD4-4DEA-8901-C9697AC3530F

 

0 Kudos

TMADOCTHOMAS
‎2021-02-26 10:04 AM
In response to JohnChampion
1,832 Views

Thanks @JohnChampion ! I have seen that list before, but never thought about scripting the changes in PowerShell. I don't know that I will have time to write and troubleshoot a PS script for something like that however. Plus I really like being able to look in VSC and verify that settings are correct for all systems.

0 Kudos

TMADOCTHOMAS
‎2021-03-05 11:44 AM
In response to TMADOCTHOMAS
1,755 Views

Bumping this to see if anyone is able to answer my question regarding whether I need a VSC local account on the NetApp at all.

 

Here is a correlary question: if I do need to keep it, I've already given the account a custom role based on documented limited rights the account needs. However, some of those rights are still admin-oriented, which still leaves me a little concerned about someone gaining access to the account. The only application applied to the account is ontapi. I am not clear about what "ontapi" really means in this context. If someone obtained access to the account, what would they be able to do with the "ontapi" application?

0 Kudos
All Community Forums
Public