In addition to securing access by using native file-level and export and share security, you can configure Storage-Level Access Guard, a third layer of security applied by ONTAP at the volume level. Storage-Level Access Guard applies to access from all NAS protocols to the storage object to which it is applied.
Only NTFS access permissions are supported. For ONTAP to perform security checks on UNIX users for access to data on volumes for which Storage-Level Access Guard has been applied, the UNIX user must map to a Windows user on the SVM that owns the volume.
Because all files or directories in a volume are subject to Storage-Level Access Guard settings, inheritance through propagation is not required.
Applies to every directory and file within the storage object. This is the default setting.
Applies to every file within the storage object. Applying this security does not affect access to, or auditing of, directories.
Applies to every directory within the storage object. Applying this security does not affect access to, or auditing of, files.
It will never give extra access permissions.
It’s applied at the storage object level and stored in the metadata used to determine the effective permissions.
It is designed to be modified by storage administrators only.
Exceptional access is allowed to these servers to screen files and directories, even if Storage-Level Access Guard denies access to the object.
Access to a file or directory is determined by the combined effect of the export or share permissions, the Storage-Level Access Guard permissions set on volumes, and the native file permissions applied to files and/or directories. All levels of security are evaluated to determine the effective permissions on a file or directory. The security access checks are performed in the following order:
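The following is an added example, not NetApp code and not part of the original page: a simplified model of the combined evaluation described above. It does not reproduce ONTAP's check order; it only shows that an access must be allowed by every layer, that Storage-Level Access Guard can only restrict, and that its file or directory scope decides which objects it touches. The rights names, the `Scope` labels and the function names are assumptions made for illustration.

```python
from enum import Enum

class Scope(Enum):
    # Labels are illustrative; the three behaviours are the ones the page describes.
    FILES_AND_DIRECTORIES = "every directory and file (default)"
    FILES = "every file; directories unaffected"
    DIRECTORIES = "every directory; files unaffected"

def slag_applies(scope, is_directory):
    """Return True if a Storage-Level Access Guard entry with this scope covers the object."""
    if scope is Scope.FILES_AND_DIRECTORIES:
        return True
    return (scope is Scope.DIRECTORIES) == is_directory

def effective_rights(share_rights, native_rights, is_directory, slag=None):
    """Model effective access as the intersection of all layers.

    share_rights  -- rights allowed by the export or share
    native_rights -- rights allowed by the file's or directory's own permissions
    slag          -- dict {Scope: allowed rights} set on the volume, or None
    """
    rights = set(share_rights) & set(native_rights)
    for scope, allowed in (slag or {}).items():
        if slag_applies(scope, is_directory):
            # The guard can remove rights but never add any.
            rights &= set(allowed)
    return rights

# Constructed sample: a user reaching one volume through one share.
SHARE = {"read", "write", "delete"}
NATIVE = {"read", "write"}
SLAG_FILES_ONLY = {Scope.FILES: {"read", "delete"}}

if __name__ == "__main__":
    for label, is_dir in (("file", False), ("directory", True)):
        before = effective_rights(SHARE, NATIVE, is_dir)
        after = effective_rights(SHARE, NATIVE, is_dir, SLAG_FILES_ONLY)
        print(f"{label}: without guard {sorted(before)}, with guard {sorted(after)}")
```

In the sample, the guard lists `delete` for files, yet the user still cannot delete because the native permissions do not allow it.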