#snapcenter RBAC security hardening tips


proud kernel

Has someone tried to use fewer permissions than recommended and given by the documentation ( https://docs.netapp.com/us-en/sc-plugin-vmware-vsphere/scpivs44_minimum_ontap_privileges_required.html#minimum-ontap-privileges-required )?
I want to keep as few permissions as possible for the SnapCenter user. I didn't want to create/delete LUNs or volumes with SnapCenter. Have not tested it to discover side effects, but it would be great if someone already has experience making a hardened user role for SnapCenter.
There is TR-4957 ( https://www.netapp.com/media/88875-tr-4957-security-hardening-guide-for-netapp-snap-center.pdf ), recommending certificate authentication, but the security login role looks the same.

Or maybe someone can explain the following needed permissions for me, what they are used for in SnapCenter:
volume delete
volume destroy
lun delete

little dock

We had customers who have tried this in the past, and they all went back to using the (vs)admin role pretty quickly, since it led to subtle issues after updates or other changes in the environment that they had no energy to chase down every time 🙂

neat marten