Skip to main content
Cloud Sync

Copying ACLs

Contributors netapp-bcammett

Cloud Sync can copy access control lists (ACLs) between a source SMB share and a target SMB share, or between a source NFS server and target NFS server. If needed, you can manually preserve ACLs for SMB shares yourself by using robocopy.

Setting up Cloud Sync to copy ACLs

Copy ACLs between SMB servers or between NFS servers by enabling a setting when you create a relationship or after you create a relationship.

What you'll need
  • A new sync relationship or an existing sync relationship.

    For SMB shares, note that this feature is available for new sync relationships created after the 23 Feb 2020 release. If you’d like to use this feature with existing relationships created prior to that date, then you’ll need to recreate the relationship.

  • Any type of data broker.

    This feature works with any type of data broker: the AWS, Azure, Google Cloud Platform, or on-prem data broker. The on-prem data broker can run any supported operating system.

  • For NFS, you'll need to use version 4 or later.

    Copying ACLs isn't supported with NFS version 3.

Steps for a new relationship
  1. From Cloud Sync, click Create New Sync Relationship.

  2. Drag and drop SMB Server to the source and target or NFS Server to the source and target and click Continue.

  3. On the SMB Server or NFS Server page:

    1. Enter a new server or select an existing server and click Continue.

    2. Select Copy Access Control Lists to the target and click Continue.

      A screenshot that shows the option to enable Copy Access Control Lists to the target.

  4. Follow the remaining prompts to create the sync relationship.

Steps for an existing relationship
  1. Hover over the sync relationship and click the action menu.

  2. Click Settings.

  3. Select Copy Access Control Lists to the target.

  4. Click Save Settings.


When syncing data, Cloud Sync preserves the ACLs between the source and target servers.

Manually copying ACLs between SMB shares

You can manually preserve ACLs between SMB shares by using the Windows robocopy command.

  1. Identify a Windows host that has full access to both SMB shares.

  2. If either of the endpoints require authentication, use the net use command to connect to the endpoints from the Windows host.

    You must perform this step before you use robocopy.

  3. From Cloud Sync, create a new relationship between the source and target SMB shares or sync an existing relationship.

  4. After the data sync is complete, run the following command from the Windows host to sync the ACLs and ownership:

    robocopy /E /COPY:SOU /secfix [source] [target] /w:0 /r:0 /XD ~snapshots /UNILOG:”[logfilepath]

    Both source and target should be specified using the UNC format. For example: \\<server>\<share>\<path>