Zone based RBAC and administration
With newer OneFS releases apparently zone administration can be delegated to "zone admins" (zRBAC). According to documentation, zone administration can be done by these "zone admins" via Web-UI from within the zone, without having to have connectivity/access to subnets/IPs linked to the system zone.
In older OneFS releases, access to administration (Web-UI, API, ssh, etc.) was limited to subnets/IPs linked to the system zone (via Groupnet). This is one of our "main pillars" of Isilon/PowerScale security architecture and hardening. We have a "pseudo air-gapped" network for the system access zone with no possibility of access to the system zone and system administration from subnets/IPs related to "data" access zones (the "pseudo air-gap" design is out of scope in this discussion, but assume access to administration is impossible from access zone networks except for attacks with unlimited funding/time, for which we don't count ourselves as possible targets).
According to documentation, ssh still seems to be disabled outside the system access zone, so that's good. But is there a way to force OneFS back into the "old" design, removing Web-UI, API and any other administration option from all "non-system" access zones?
Thanks a lot for any input and help, as this pulls our PowerScale implementation and usage badly into "high risk" territory from a CISO/CSO department point of view!