Solved! Go to Solution.
I understand where the 3rd party is coming from, the company that I work for does both EV and NetApp filers.
You might have success with limiting the account to do api calls only, since EV does all it's work through the API. In order to be able to do anything with FSA, the EVSA would still need admin permissions on the share and filesystem security though.
The correct permissions would then be api-* for the NetApp filer. Offcourse, the official requirement is still administrative permissions, but I've tested this in a lab (note: this was in EV7) and it worked. Haven't tested it with file blocking, but since it's implemented in fpolicy as well, it should work equally well.