Learn about ONTAP SMB security styles and their effects
There are four different security styles: UNIX, NTFS, mixed, and unified. Each security style has a different effect on how permissions are handled for data. You must understand the different effects to ensure that you select the appropriate security style for your purposes.
It is important to understand that security styles do not determine what client types can or cannot access data. Security styles only determine the type of permissions ONTAP uses to control data access and what client type can modify these permissions.
For example, if a volume uses UNIX security style, SMB clients can still access data (provided that they properly authenticate and authorize) due to the multiprotocol nature of ONTAP. However, ONTAP uses UNIX permissions that only UNIX clients can modify using native tools.
| Security style | Clients that can modify permissions | Permissions that clients can use | Resulting effective security style | Clients that can access files |
|---|---|---|---|---|
| UNIX | NFS | UNIX mode bits or NFSv4 ACLs | UNIX | NFS and SMB |
| NTFS | SMB | NTFS ACLs | NTFS | NFS and SMB |
| Mixed | NFS or SMB | UNIX mode bits or NFSv4 ACLs (set by NFS clients), or NTFS ACLs (set by SMB clients) | UNIX or NTFS, depending on the client that last modified the permissions | NFS and SMB |
| Unified (for infinite volumes only, in ONTAP 9.4 and earlier releases) | NFS or SMB | UNIX mode bits or NFSv4 ACLs (set by NFS clients), or NTFS ACLs (set by SMB clients) | UNIX or NTFS, depending on the client that last modified the permissions | NFS and SMB |
FlexVol volumes support UNIX, NTFS, and mixed security styles. When the security style is mixed or unified, the effective permissions depend on the client type that last modified the permissions, because the effective security style is set on each file or directory individually by whichever client last changed its permissions. If the last client that modified the permissions was an NFSv3 client, the permissions are UNIX NFSv3 mode bits. If the last client was an NFSv4 client, the permissions are NFSv4 ACLs. If the last client was an SMB client, the permissions are Windows NTFS ACLs.
The unified security style is only available with infinite volumes, which are no longer supported in ONTAP 9.5 and later releases. For more information, see FlexGroup volumes management overview.
The show-effective-permissions parameter with the vserver security file-directory command enables you to display effective permissions granted to a Windows or UNIX user on the specified file or folder path. In addition, the optional parameter -share-name enables you to display the effective share permission. Learn more about vserver security file-directory show-effective-permissions in the ONTAP command reference.
ONTAP initially sets some default file permissions. By default, the effective security style on all data in UNIX, mixed, and unified security style volumes is UNIX and the effective permissions type is UNIX mode bits (0755 unless specified otherwise) until a client configures them, as allowed by the default security style. By default, the effective security style on all data in NTFS security style volumes is NTFS, with an ACL allowing full control to Everyone.
Security styles can be set on FlexVol volumes (both root and data volumes) and qtrees. Security styles can be set manually at the time of creation, inherited automatically, or changed at a later time.
Decide which SMB security styles to use on ONTAP SVMs
To help you decide which security style to use on a volume, you should consider two factors. The primary factor is the type of administrator that manages the file system. The secondary factor is the type of user or service that accesses the data on the volume.
When you configure the security style on a volume, you should consider the needs of your environment to ensure that you select the best security style and avoid issues with managing permissions. The following considerations can help you decide:
| Security style | Choose if… |
|---|---|
| UNIX | The file system is managed by a UNIX administrator, the majority of users are NFS clients, or the service that accesses the data runs as a UNIX user. |
| NTFS | The file system is managed by a Windows administrator, the majority of users are SMB clients, or the service that accesses the data runs as a Windows user. |
| Mixed | The file system is managed by both UNIX and Windows administrators, and users consist of both NFS and SMB clients. |
Learn about ONTAP SMB security style inheritance
If you do not specify the security style when creating a new FlexVol volume or a qtree, it inherits its security style in different ways.
Security styles are inherited in the following manner:
- A FlexVol volume inherits the security style of the root volume of its containing SVM.
- A qtree inherits the security style of its containing FlexVol volume.
- A file or directory inherits the security style of its containing FlexVol volume or qtree.
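The inheritance chain above, the mixed-style "last modifier wins" rule, and the default permissions (UNIX mode bits 0755, or an NTFS ACL granting Everyone full control) can be modelled in a few lines. The following is an added illustration written for this page, not ONTAP code: the object names, the client labels (nfsv3, nfsv4, smb) and the PermissionError check are constructed for the example, and the model covers all four styles rather than only the mixed case the text walks through.

```python
"""Model of ONTAP security-style inheritance and effective permissions.

Added example, not ONTAP code. Rules encoded from the page:
  * a FlexVol volume inherits from the SVM root volume, a qtree from its
    volume, and a file or directory from its volume or qtree;
  * UNIX-style data can only have its permissions changed by NFS clients,
    NTFS-style data only by SMB clients, mixed/unified by either;
  * for mixed/unified styles the effective permission type follows the
    client that last modified the permissions;
  * untouched data defaults to UNIX mode bits 0755, or to an NTFS ACL
    granting Everyone full control on NTFS-style volumes.
Client labels "nfsv3", "nfsv4" and "smb" are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

UNIX, NTFS, MIXED, UNIFIED = "unix", "ntfs", "mixed", "unified"

# Which clients may modify permissions under each configured security style.
MODIFIERS = {
    UNIX: {"nfsv3", "nfsv4"},
    NTFS: {"smb"},
    MIXED: {"nfsv3", "nfsv4", "smb"},
    UNIFIED: {"nfsv3", "nfsv4", "smb"},
}

# Effective (style, permission type) produced by the client that last wrote
# the permissions on mixed/unified (or UNIX) data.
BY_LAST_MODIFIER = {
    "nfsv3": (UNIX, "UNIX mode bits"),
    "nfsv4": (UNIX, "NFSv4 ACL"),
    "smb": (NTFS, "NTFS ACL"),
}


@dataclass
class StorageObject:
    """An SVM root volume, FlexVol volume, qtree, file or directory."""
    name: str
    kind: str                          # "svm_root", "volume", "qtree", "file"
    parent: Optional["StorageObject"] = None
    style: Optional[str] = None        # explicit security style, else inherited
    last_modifier: Optional[str] = None  # client that last set permissions

    def security_style(self) -> str:
        """Walk up the containment chain until an explicit style is found."""
        if self.style is not None:
            return self.style
        if self.parent is None:
            raise ValueError(f"{self.name}: SVM root volume needs an explicit style")
        return self.parent.security_style()


def set_permissions(obj: StorageObject, client: str) -> str:
    """Record a permission change by `client`, refusing clients the configured
    security style does not allow to modify permissions. Returns the new
    effective security style."""
    style = obj.security_style()
    if client not in MODIFIERS[style]:
        raise PermissionError(f"{client} clients cannot modify permissions on {style} data")
    obj.last_modifier = client
    return effective_permissions(obj)[0]


def effective_permissions(obj: StorageObject) -> Tuple[str, str]:
    """Return (effective security style, permission type) for an object."""
    style = obj.security_style()
    if style == NTFS:
        # NTFS volumes start with an ACL granting Everyone full control.
        return (NTFS, "NTFS ACL" if obj.last_modifier else "NTFS ACL (Everyone: Full Control)")
    if obj.last_modifier is None:
        # UNIX, mixed and unified data all default to UNIX mode bits 0755.
        return (UNIX, "UNIX mode bits 0755")
    return BY_LAST_MODIFIER[obj.last_modifier]


def build_demo_tree() -> dict:
    """Constructed SVM layout: an NTFS root volume, one inheriting data volume,
    and one mixed volume with a qtree and a file below it."""
    root = StorageObject("svm_root", "svm_root", style=NTFS)
    vol_ntfs = StorageObject("vol_data", "volume", parent=root)          # inherits NTFS
    vol_mixed = StorageObject("vol_mixed", "volume", parent=root, style=MIXED)
    qtree = StorageObject("qt_shared", "qtree", parent=vol_mixed)       # inherits mixed
    report = StorageObject("report.xlsx", "file", parent=qtree)         # inherits mixed
    doc = StorageObject("notes.txt", "file", parent=vol_ntfs)           # inherits NTFS
    return {"root": root, "vol_ntfs": vol_ntfs, "vol_mixed": vol_mixed,
            "qtree": qtree, "report": report, "doc": doc}


if __name__ == "__main__":
    t = build_demo_tree()
    print(t["report"].name, effective_permissions(t["report"]))
    set_permissions(t["report"], "smb")
    print(t["report"].name, effective_permissions(t["report"]))
    set_permissions(t["report"], "nfsv4")
    print(t["report"].name, effective_permissions(t["report"]))
```

Running the script shows the report file flipping between NTFS ACLs and NFSv4 ACLs as SMB and NFSv4 clients take turns modifying it, which is exactly the behaviour that makes mixed style harder to audit than UNIX or NTFS alone: the effective security of each file depends on write history, not on a single volume-level setting.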