Access-Based Enumeration (ABE)


Access-Based Enumeration (ABE) hides files and directories that users do not have permissions to access.

VAST Cluster supports ABE for the SMB storage protocol.

When a client lists an ABE-enabled view, ABE filters the listing so that it contains only files and directories for which the client's user has generic read permissions. For SMB, the required permissions are:

  • FILE_TRAVERSE / FILE_EXECUTE

  • FILE_LIST_DIRECTORY / FILE_READ_DATA

  • FILE_READ_ATTRIBUTES

  • FILE_READ_EA

  • READ_CONTROL

Note

Privileged users are allowed to view all files and directories within their tenant.

When you create a new view, ABE is disabled by default.

After you enable ABE for a view, you can set the maximum directory level (depth) at which ABE checks are performed. If the depth is not set explicitly, it is unlimited and ABE checks are performed on all directories and files in the view, regardless of directory depth.
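The following Python model of the filtering rule and the depth limit is an added example, not VAST code. It assumes that all five listed rights must be granted for an entry to be listed, that depth 1 means entries directly under the view root, and that entries deeper than the maximum depth are listed without an ABE check; the sample masks are constructed.

```python
# Access-mask bits as defined for SMB/NTFS file objects.
FILE_LIST_DIRECTORY = FILE_READ_DATA = 0x00000001
FILE_READ_EA = 0x00000008
FILE_TRAVERSE = FILE_EXECUTE = 0x00000020
FILE_READ_ATTRIBUTES = 0x00000080
READ_CONTROL = 0x00020000

# Assumption: an entry is listed only if ALL five rights from the page are granted.
ABE_REQUIRED = (FILE_LIST_DIRECTORY | FILE_READ_EA | FILE_TRAVERSE
                | FILE_READ_ATTRIBUTES | READ_CONTROL)  # 0x000200A9


def abe_visible(granted_mask, depth, max_depth=None, privileged=False):
    """Return True if an entry at `depth` would appear in the listing.

    depth: 1 for entries directly under the view root (assumed numbering).
    max_depth: None means unlimited, i.e. ABE checks at every level.
    """
    if privileged:
        return True  # privileged users see everything in their tenant
    if max_depth is not None and depth > max_depth:
        return True  # deeper than the ABE limit: no check, entry is listed
    return (granted_mask & ABE_REQUIRED) == ABE_REQUIRED


def abe_listing(entries, max_depth=None, privileged=False):
    """Filter (path, granted_mask) pairs; each entry is checked on its own."""
    visible = []
    for path, mask in entries:
        depth = len(path.strip("/").split("/"))
        if abe_visible(mask, depth, max_depth, privileged):
            visible.append(path)
    return visible


# Constructed sample: effective access masks one user holds on each entry.
SAMPLE = [
    ("/finance", 0x000200A9),                  # all five rights
    ("/hr", 0x000000A9),                       # READ_CONTROL missing
    ("/finance/q1/payroll.xlsx", 0x00000000),  # no rights, depth 3
]

if __name__ == "__main__":
    print(abe_listing(SAMPLE))               # unlimited depth
    print(abe_listing(SAMPLE, max_depth=2))  # ABE checks stop below level 2
```

With a maximum depth of 2, the model lists the depth-3 file even though the user has no rights to it, so names below the limit are not hidden by ABE.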

To check current ABE settings for a view:

  • In VAST Web UI, go to Element Store -> Views and look at the ABE Protocols column.

  • In VAST CLI, run the view list or view show command and look at the Abe-protocols and Abe-max-depth fields.

To set up ABE for a view:

  • In VAST Web UI, go to the ABE tab for a view (Element Store -> Views -> choose to create or edit a view). In the Protocols dropdown, select SMB. If you want to limit the directory levels at which ABE is enabled, set the Max depth.

  • In VAST CLI, use the --abe-protocols and --abe-max-depth options on the view create or view modify command.