Overview of Share-Level ACLs
Share-level ACLs can be used to specify maximum permissions allowed to security principals (users and groups) when accessing shares. A share-level ACL consists of Access Control Entries (ACEs). Each ACE specifies a security principal and a permission. When a user matches multiple ACEs (such as if the user belongs to different groups with different permissions), the least restrictive permission applies to the user.
The permissions that can be specified in a share-level ACE are:
READ. This permission is for read operations only.
CHANGE. This permission includes READ permission and permission to change files, create files, create directories, and to delete files and directories.
Note
CHANGE does not include permission to modify file attributes or ACLs.
FULL CONTROL. This permission includes CHANGE permission and permission to change file owners and Windows ACLs.
VAST Cluster supports share-level ACLs for SMB access. Share-level ACLs can be enabled and configured on each view. If there is a share-level ACL on a view, then, in order for a user to be able to access any file or directory on the cluster via SMB, the user needs to be granted access from the share-level ACL as well as from the file-system permissions. Share-level ACLs do not affect access for protocols other than SMB.
The default share-level permission configuration is:
Share-level ACL is disabled on each view.
The 'everyone' group has 'full control' share-level permission.
You can configure share-level ACL as follows:
You can enable share-level ACL on any SMB-enabled view. Enabling share-level ACL disables the 'everyone' group share-level permission on that view. From then on, every attempt to access the view's share via SMB fails unless an ACE in the share-level ACL grants access to the requesting user (and the user also has the required file/directory permission).
You can configure up to 200 ACEs in a view's share-level ACL.
Changes to a share-level ACL affect all currently logged-in users, with a caching delay of up to two minutes before the changes are applied to those users.
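The evaluation rules above (least restrictive matching ACE wins, the share-level result is combined with the file-system permission for SMB only, 'everyone' gets FULL CONTROL while the ACL is disabled, and a view holds at most 200 ACEs) can be checked against a small model. The following is an added example written for this page, not VAST's own code or API; it assumes a simplified ordering READ < CHANGE < FULL CONTROL, represents the file-system side as one value on the same scale (real Windows ACLs are more granular), and uses constructed principal names and group memberships.

```python
"""Model of share-level ACL evaluation for SMB access (added example).

Assumptions (not from the page): a single ordered scale READ < CHANGE <
FULL_CONTROL is used for both the share ACL and the file-system side,
and principals are matched by plain name strings rather than SIDs.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Perm(IntEnum):
    NONE = 0          # no matching ACE; not part of the ACE vocabulary itself
    READ = 1
    CHANGE = 2
    FULL_CONTROL = 3


MAX_ACES = 200        # per-view ACE limit stated in the text


@dataclass(frozen=True)
class Ace:
    principal: str    # user or group name (hypothetical string form)
    perm: Perm


@dataclass
class ShareAcl:
    enabled: bool = False                 # default: share-level ACL disabled
    aces: list = field(default_factory=list)

    def add(self, ace: Ace) -> None:
        """Append an ACE, enforcing the 200-entry limit."""
        if len(self.aces) >= MAX_ACES:
            raise ValueError("share-level ACL holds at most 200 ACEs")
        self.aces.append(ace)


def share_permission(acl: ShareAcl, user: str, groups) -> Perm:
    """Maximum permission the share-level ACL grants to this user.

    Disabled ACL: 'everyone' has FULL CONTROL (the default configuration).
    Enabled ACL: least restrictive permission among all ACEs naming the
    user or one of the user's groups; no matching ACE means no access.
    """
    if not acl.enabled:
        return Perm.FULL_CONTROL
    principals = {user, *groups}
    matching = [ace.perm for ace in acl.aces if ace.principal in principals]
    return max(matching, default=Perm.NONE)


def effective_permission(acl: ShareAcl, user: str, groups,
                         fs_perm: Perm, protocol: str = "SMB") -> Perm:
    """Permission the user actually ends up with on a path.

    SMB access requires BOTH a share-level grant and file-system
    permission, so the effective level is the lower of the two.
    Other protocols ignore the share-level ACL entirely.
    """
    if protocol.upper() != "SMB":
        return fs_perm
    return min(share_permission(acl, user, groups), fs_perm)


if __name__ == "__main__":
    # Constructed sample: an enabled ACL with two group ACEs.
    acl = ShareAcl(enabled=True)
    acl.add(Ace("Domain Users", Perm.READ))
    acl.add(Ace("Backup Operators", Perm.CHANGE))

    # alice matches both ACEs -> least restrictive (CHANGE) applies,
    # then capped by her file-system permission.
    alice_groups = {"Domain Users", "Backup Operators"}
    print("alice via SMB:", effective_permission(acl, "alice", alice_groups,
                                                 Perm.FULL_CONTROL).name)
    # bob matches only the READ ACE even though the file system allows more.
    print("bob via SMB:", effective_permission(acl, "bob", {"Domain Users"},
                                               Perm.FULL_CONTROL).name)
    # carol matches no ACE: denied over SMB, unaffected over NFS.
    print("carol via SMB:", effective_permission(acl, "carol", set(),
                                                 Perm.CHANGE).name)
    print("carol via NFS:", effective_permission(acl, "carol", set(),
                                                 Perm.CHANGE, "NFS").name)
```

The two functions separate the two decisions a practitioner needs to reason about when troubleshooting SMB access: whether the share-level ACL grants anything at all, and whether the file-system permission then narrows it. Keeping them apart makes it easy to see that a user who is "denied" by the share ACL can still reach the same data over a non-SMB protocol if the file-system permissions allow it.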
Using Well-Known SIDs in Share-Level ACLs
These well-known SIDs are supported in share-level ACLs:
Replicator
Remote Desktop Users
Network Configuration Operators
Administrators
Domain Controllers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Enterprise Read-only Domain Controllers
Cloneable Domain Controllers
Print Operators
Certificate Service DCOM Access
RDS Remote Access Servers
RDS Endpoint Servers
RDS Management Servers
Storage Replica Administrators
Server Operators
Account Operators
Pre-Windows 2000 Compatible Access
Incoming Forest Trust Builders
Windows Authorization Access Group
Terminal Server License Servers
Key Admins Enterprise
Key Admins
DnsAdmins
DnsUpdateProxy
Backup Operators
Domain Computers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Managing Share-Level ACLs
Share-level ACLs are configured per view.
Managing Share-level ACLs in VAST Web UI
To enable and/or configure share-level ACL when you create a view, see Creating Views.
To disable share-level ACL on a view, or to add, remove and change ACEs in a share-level ACL, see Modifying Views.