Skip to main content

Security styles and their effects

Contributors netapp-ahibbard netapp-dbagwell netapp-forry netapp-aherbin

There are four different security styles: UNIX, NTFS, mixed, and unified. Each security style has a different effect on how permissions are handled for data. You must understand the different effects to ensure that you select the appropriate security style for your purposes.

It is important to understand that security styles do not determine what client types can or cannot access data. Security styles only determine the type of permissions ONTAP uses to control data access and what client type can modify these permissions.

For example, if a volume uses UNIX security style, SMB clients can still access data (provided that they properly authenticate and authorize) due to the multiprotocol nature of ONTAP. However, ONTAP uses UNIX permissions that only UNIX clients can modify using native tools.

Security style Clients that can modify permissions Permissions that clients can use Resulting effective security style Clients that can access files

Unix

NFS

NFSv3 mode bits

Unix

NFS and SMB

NFSv4.x ACLs

NTFS

SMB

NTFS ACLs

NTFS

Mixed

NFS or SMB

NFSv3 mode bits

UNIX

NFSv4.ACLs

NTFS ACLs

NTFS

Unified (For infinite volumes only, in ONTAP 9.4 and earlier releases.)

NFS or SMB

NFSv3 mode bits

Unix

NFSv4.1 ACLs

NTFS ACLs

NTFS

FlexVol volumes support UNIX, NTFS, and mixed security styles. When the security style is mixed or unified, the effective permissions depend on the client type that last modified the permissions because users set the security style on an individual basis. If the last client that modified permissions was an NFSv3 client, the permissions are UNIX NFSv3 mode bits. If the last client was an NFSv4 client, the permissions are NFSv4 ACLs. If the last client was an SMB client, the permissions are Windows NTFS ACLs.

The unified security style is only available with infinite volumes, which are no longer supported in ONTAP 9.5 and later releases. For more information, see FlexGroup volumes management overview.

Beginning with ONTAP 9.2, the show-effective-permissions parameter to the vserver security file-directory command enables you to display effective permissions granted to a Windows or UNIX user on the specified file or folder path. In addition, the optional parameter -share-name enables you to display the effective share permission.

Note

ONTAP initially sets some default file permissions. By default, the effective security style on all data in UNIX, mixed, and unified security style volumes is UNIX and the effective permissions type is UNIX mode bits (0755 unless specified otherwise) until configured by a client as allowed by the default security style. By default, the effective security style on all data in NTFS security style volumes is NTFS and has an ACL allowing full control to everyone.