Data Backup and Recovery

SnapCenter Role With Minimum Privileges

TMADOCTHOMAS

Hello,

I need some insight into the best way to lock down the local SnapCenter account on a NetApp cluster. The following articles outline several steps; however, the role they outline includes cluster and vserver commands. I don't believe those commands work in an SVM context. The account we have right now resides in SVMs that contain datastores and iSCSI LUNs, all backed up by SnapCenter.


In summary: I want to assign the limited rights recommended below, but can't assign them all if the account is in an SVM (if I understand correctly). Anyone have any insight into this?


https://docs.netapp.com/ocsc-44/index.jsp?topic=%2Fcom.netapp.doc.ocsc-isg%2FGUID-58C54D8A-71B1-47E2-8BF4-52CCC929526D.html

1 ACCEPTED SOLUTION

TMADOCTHOMAS

A colleague of mine found an article describing how to lock down the account at the SVM level. Here it is in case anyone searches this topic:


https://docs.netapp.com/ocsc-42/index.jsp?topic=%2Fcom.netapp.doc.ocsc-isg%2FGUID-D39A6ACE-D69D-4470-ABE4-A63A7803E880.html

3 REPLIES

aladd

If you are providing SnapCenter with the Vserver admin login, it is restricted only to that vserver. If you wish for it to have access to the cluster vserver, then you can use the documentation you have listed to restrict its rights to ONTAPI calls only.


What does your end goal look like for the SnapCenter deployment?
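The two options discussed in this thread (a login restricted to one SVM versus a cluster-scope login cut down to ONTAPI calls only) can be expressed and checked against the ONTAP REST API. The following is an added example, not code from the thread or from NetApp; the privilege paths are placeholders, since the actual command directories SnapCenter needs come from the linked documentation, and the account record is constructed.

```python
"""Build least-privilege ONTAP REST payloads for an SVM-scoped SnapCenter login
and audit an existing account record for common over-privilege patterns."""
from typing import Dict, List

# Placeholder privileges: substitute the directories listed in NetApp's SnapCenter docs.
EXAMPLE_PRIVILEGES = [
    {"path": "volume snapshot", "access": "all"},
    {"path": "volume", "access": "readonly"},
]

def role_payload(svm: str, role: str, privileges: List[Dict[str, str]]) -> dict:
    """Body for POST /api/security/roles, owned by one SVM rather than the cluster."""
    return {"name": role, "owner": {"name": svm}, "privileges": privileges}

def account_payload(svm: str, user: str, role: str, password: str) -> dict:
    """Body for POST /api/security/accounts: API (ontapi) access only, no ssh or console."""
    return {
        "name": user,
        "owner": {"name": svm},
        "role": {"name": role},
        "applications": [{"application": "ontapi", "authentication_methods": ["password"]}],
        "password": password,
    }

def audit_account(account: dict, expected_svm: str) -> List[str]:
    """Findings for a record shaped like GET /api/security/accounts/{owner}/{name}."""
    findings = []
    if account.get("scope") == "cluster" or account.get("owner", {}).get("name") != expected_svm:
        findings.append("account is not scoped to SVM %s" % expected_svm)
    if account.get("role", {}).get("name") in ("admin", "vsadmin"):
        findings.append("account uses built-in full-admin role")
    for app in account.get("applications", []):
        if app.get("application") not in ("ontapi", "http"):
            findings.append("interactive login enabled: %s" % app.get("application"))
    return findings

# Constructed record resembling the original poster's setup: vsadmin on one SVM.
SAMPLE_ACCOUNT = {
    "name": "snapcenter",
    "owner": {"name": "svm_vmware"},
    "scope": "svm",
    "role": {"name": "vsadmin"},
    "applications": [{"application": "ontapi"}, {"application": "ssh"}],
}

if __name__ == "__main__":
    for finding in audit_account(SAMPLE_ACCOUNT, "svm_vmware"):
        print("FINDING:", finding)
```

Running the audit against the constructed record reports both the built-in vsadmin role and the extra ssh application, which are exactly the two things the thread's hardening is meant to remove.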

TMADOCTHOMAS

Thanks @aladd for responding to my post. We've had SnapCenter running for over a year. When I set it up, my understanding was we needed a local account on any SVM that SnapCenter connected to with the admin role. Now, as a separate project, we are trying to beef up security and give all accounts the least amount of rights they need.


I did see information on a recent SnapCenter update that indicated you can now simply create a connection to the cluster rather than an SVM.


So here are some questions:

  • Is there no way to lock down a local SVM account in the same way as described by the articles for a local cluster account? (Or, at the very least, is it not documented anywhere as a procedure?)
  • If I switch to connecting via cluster vs. SVM in SnapCenter, I could then follow the procedure in the articles. However, in some ways, I'm wondering if this would be less secure because I would be giving a lot of rights to the whole cluster (even though they're limited) vs. admin rights to a few SVMs. Thoughts?
  • Is it possible to set the account that connects to storage to a domain level service account rather than a local account?