Create SMB share access control lists
Suggest changes
PDFs
Configuring share permissions by creating access control lists (ACLs) for SMB shares enables you to control the level of access to a share for users and groups.
You can configure share-level ACLs by using local or domain Windows user or group names or UNIX user or group names.
Before creating a new ACL, you should delete the default share ACL Everyone / Full Control, which poses a security risk.
In workgroup mode, the local domain name is the SMB server name.
-
Delete the default share ACL:`vserver cifs share access-control delete -vserver <vserver_name> -share <share_name> -user-or-group Everyone`
-
Configure the new ACL:
If you want to configure ACLs by using a… Enter the command… Windows user
vserver cifs share access-control create -vserver <vserver_name> -share <share_name> -user-group-type windows -user-or-group <Windows_domain_name\user_name> -permission <access_right>Windows group
vserver cifs share access-control create -vserver <vserver_name> -share <share_name> -user-group-type windows -user-or-group <Windows_domain_name\group_name> -permission <access_right>UNIX user
vserver cifs share access-control create -vserver <vserver_name> -share <share_name> -user-group-type <unix-user> -user-or-group <UNIX_user_name> -permission <access_right>UNIX group
vserver cifs share access-control create -vserver <vserver_name> -share <share_name> -user-group-type <unix-group> -user-or-group <UNIX_group_name> -permission <access_right> -
Verify that the ACL applied to the share is correct by using the
vserver cifs share access-control showcommand.
The following command gives Change permissions to the “Sales Team” Windows group for the “sales” share on the "`vs1.example.com` "SVM:
cluster1::> vserver cifs share access-control create -vserver vs1.example.com -share sales -user-or-group "DOMAIN\Sales Team" -permission Change
cluster1::> vserver cifs share access-control show -vserver vs1.example.com
Share User/Group User/Group Access
Vserver Name Name Type Permission
---------------- ----------- -------------------- --------- -----------
vs1.example.com c$ BUILTIN\Administrators windows Full_Control
vs1.example.com sales DOMAIN\Sales Team windows Change
The following command gives Read permission to the "engineering" UNIX group for the "eng" share on the "vs2.example.com" SVM:
cluster1::> vserver cifs share access-control create -vserver vs2.example.com -share eng -user-group-type unix-group -user-or-group engineering -permission Read
cluster1::> vserver cifs share access-control show -vserver vs2.example.com
Share User/Group User/Group Access
Vserver Name Name Type Permission
---------------- ----------- ------------------- ----------- -----------
vs2.example.com c$ BUILTIN\Administrators windows Full_Control
vs2.example.com eng engineering unix-group Read
The following commands give Change permission to the local Windows group named "Tiger Team" and Full_Control permission to the local Windows user named "Sue Chang" for the "datavol5" share on the "vs1" SVM:
cluster1::> vserver cifs share access-control create -vserver vs1 -share datavol5 -user-group-type windows -user-or-group "Tiger Team" -permission Change
cluster1::> vserver cifs share access-control create -vserver vs1 -share datavol5 -user-group-type windows -user-or-group "Sue Chang" -permission Full_Control
cluster1::> vserver cifs share access-control show -vserver vs1
Share User/Group User/Group Access
Vserver Name Name Type Permission
-------------- ----------- --------------------------- ----------- -----------
vs1 c$ BUILTIN\Administrators windows Full_Control
vs1 datavol5 Tiger Team windows Change
vs1 datavol5 Sue Chang windows Full_Control