Revert considerations for Dynamic Access Control

Contributors

You should be aware of what happens when reverting to a version of ONTAP that does not support Dynamic Access Control (DAC) and what you must do before and after reverting.

If you want to revert the cluster to a version of ONTAP that does not support Dynamic Access Control and Dynamic Access Control is enabled on one or more the storage virtual machines (SVMs), you must do the following before reverting:

  • You must disable Dynamic Access Control on all SVMs that have it enabled on the cluster.

  • You must modify any auditing configurations on the cluster that contain the cap-staging event type to use only the file-op event type.

You must understand and act on some important revert considerations for files and folders with Dynamic Access Control ACEs:

  • If the cluster is reverted, existing Dynamic Access Control ACEs are not removed; however, they will be ignored in file access checks.

  • Since Dynamic Access Control ACEs are ignored after reversion, access to files will change on files with Dynamic Access Control ACEs.

    This could allow users to access files they previously could not, or not be able to access files that they previously could.

  • You should apply non-Dynamic Access Control ACEs to the affected files to restore their previous level of security.

    This can be done either before reverting or immediately after reversion completes.

Note

Since Dynamic Access Control ACEs are ignored after reversion, it is not required that you remove them when applying non-Dynamic Access Control ACEs to the affected files. However, if desired, you can manually remove them.