Skip to main content

Using security tracing to verify or troubleshoot file and directory access

You can add permission tracing filters to instruct ONTAP to log information about why the SMB/CIFS and NFS servers on a storage virtual machine (SVM) allows or denies a client or user's request to perform an operation. This can be useful when you want to verify that your file access security scheme is appropriate or when you want to troubleshoot file access issues.

  • How security traces work
    Security traces allow you to configure a filter that detects client operations over SMB/CIFS and NFS on the storage virtual machine (SVM), and trace all access checks matching that filter. You can then view the trace results, which provides a convenient summary of the reason that access was allowed or denied.
  • Types of access checks security traces monitor
    Access checks for a file or folder are done based on multiple criteria. Security traces monitor operations on all these criteria.
  • Considerations when creating security traces
    You should keep several considerations in mind when you create security traces on storage virtual machines (SVMs). For example, you need to know on which protocols you can create a trace, which security-styles are supported, and what the maximum number of active traces is.
  • Performing security traces
    Performing a security trace involves creating a security trace filter, verifying the filter criteria, generating access requests on an SMB or NFS client that match filter criteria, and viewing the results.
  • How to interpret security trace results
    Security trace results provide the reason that a request was allowed or denied. Output displays the result as a combination of the reason for allowing or denying access and the location within the access checking pathway where access is either allowed or denied. You can use the results to isolate and identify why actions are or are not allowed.