Admin Role/Account Hardening? [ONTAP 9.14.1]

Q: Can we modify the admin role?
A: No!

cluster1::> security login role show -role admin
           Role          Command/  Access
Vserver    Name          Directory Level
---------- ------------- --------- -------
cluster1   admin         DEFAULT   all

cluster1::> security login role modify -role admin -cmddirname DEFAULT -access none

Error: command failed: Cannot modify pre-defined roles.


Q: Can we modify the role of the admin user?
A: Mostly. Of admin's eight logins, two resist the change: the console login, because ONTAP refuses to downgrade the last console login that holds the admin role, and the service-processor login, whose role cannot be changed to a non-admin role at all. The service-processor login can, however, be deleted from admin (see the last command below).

cluster1::> security login show -user-or-group-name admin

Vserver: cluster1
                                                                
User/Group             Authentication          Acct
Name       Application Method        Role Name Locked
---------- ----------- ------------- --------- ------
admin      amqp        password      admin     no
admin      console     password      admin     no
admin      http        cert          admin     -
admin      http        password      admin     no
admin      ontapi      cert          admin     -
admin      ontapi      password      admin     no
admin      service-processor
                       password      admin     no
admin      ssh         password      admin     no
8 entries were displayed.

cluster1::> security login modify -user-or-group-name admin -vserver cluster1 -application * -role readonly

Error: command failed on vserver "cluster1" user-or-group-name "admin" application "console" authentication-method "password": Cannot delete the last console login with the role "admin". Create a new console admin login before deleting this one.

Warning: Do you want to continue running this command? {y|n}: y

Error: command failed on vserver "cluster1" user-or-group-name "admin" application "service-processor" authentication-method "password": Modification of a "service-processor" user's role to a non-admin role is not supported.

Warning: Do you want to continue running this command? {y|n}: y
6 entries were modified.

cluster1::> security login delete -user-or-group-name admin -vserver cluster1 -application service-processor -authentication-method password


Q: Can we lock the admin user?
A: Yes, but only if another user with the admin role can already log into the node CLI over the console; otherwise ONTAP refuses to lock the last such account.

cluster1::> security login lock -username admin -vserver cluster1

Error: command failed: You cannot lock the account of the last user with the role "admin" that can log into the node CLI using the console.
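
Both refusals above share one fix, which the error text itself spells out: give another user a console login with the admin role before downgrading or locking the built-in admin. The clustershell sequence below is an added example, not a transcript from the original post; the user name breakglass is a placeholder, the vserver cluster1 is the one used above, and each "security login create" with the password method prompts interactively for the new password (prompts omitted).

```text
cluster1::> security login create -vserver cluster1 -user-or-group-name breakglass -application console -authentication-method password -role admin
cluster1::> security login create -vserver cluster1 -user-or-group-name breakglass -application ssh -authentication-method password -role admin
cluster1::> security login show -vserver cluster1 -role admin
cluster1::> security login modify -vserver cluster1 -user-or-group-name admin -application console -authentication-method password -role readonly
cluster1::> security login lock -vserver cluster1 -username admin
cluster1::> security login show -vserver cluster1 -user-or-group-name admin
```

Check the output of the third command before going further: breakglass must appear with a console entry and the admin role alongside the existing admin entries. Only then is admin no longer the last console login holding the admin role, so the "last console login" check that produced the two errors above no longer applies to the downgrade or the lock. Test the new account from a second session before locking admin, and keep at least one admin-role console login reachable out of band (the system console via the service processor), since locking admin with no working replacement locks you out of the node CLI. If needed, reverse the lock with "security login unlock -vserver cluster1 -username admin".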
