How security traces work

Contributors

You can add permission tracing filters to instruct ONTAP to log information about why the SMB and NFS servers on a storage virtual machine (SVM) allows or denies a client or user’s request to perform an operation. This can be useful when you want to verify that your file access security scheme is appropriate or when you want to troubleshoot file access issues.

Security traces allow you to configure a filter that detects client operations over SMB and NFS on the SVM, and trace all access checks matching that filter. You can then view the trace results, which provides a convenient summary of the reason that access was allowed or denied.

When you want to verify the security settings for SMB or NFS access on files and folders on your SVM or if you are faced with an access problem, you can quickly add a filter to turn on permission tracing.

The following list outlines important facts about how security traces works:

  • ONTAP applies security traces at the SVM level.

  • Each incoming request is screened to see if it matches filtering criteria of any enabled security traces.

  • Traces are performed for both file and folder access requests.

  • Traces can filter based on the following criteria:

    • Client IP

    • SMB or NFS path

    • Windows name

    • UNIX name

  • Requests are screened for Allowed and Denied access response results.

  • Each request matching filtering criteria of enabled traces is recorded in the trace results log.

  • The storage administrator can configure a timeout on a filter to automatically disable it.

  • If a request matches multiple filters, the results from the filter with the highest index number is recorded.

  • The storage administrator can print results from the trace results log to determine why an access request was allowed or denied.