Skip to main content

Using local users and groups for authentication and authorization

You can create local users and groups on the storage virtual machine (SVM). The CIFS server can use local users for CIFS authentication and can use both local users and groups for authorization when determining both share and file and directory access rights.

Local group members can be local users, domain users and groups, and domain machine accounts.

Local users and groups can also be assigned privileges. Privileges control access to SVM resources and can override the permissions that are set on objects. A user or member of a group that is assigned a privilege is granted the specific rights that the privilege allows.

Note
Privileges do not provide ONTAP general administrative capabilities.
  • How ONTAP uses local users and groups
    When configuring and using local users and groups, you must understand what they are and how they are used. For example, you can use local users and groups to provide share and file-access security to data residing on the storage virtual machine (SVM). You can also assign user management rights to users through the use of local users and groups.
  • What local privileges are
    Privileges are well-known rights that can be granted to local and domain users and groups to perform User Rights Management tasks on the CIFS server. You cannot create privileges. You can only add or remove existing privileges.
  • Guidelines for using BUILTIN groups and the local administrator account
    There are certain guidelines you should keep in mind when you use BUILTIN groups and the local administrator account. For example, you can rename the local administrator account, but you cannot delete this account.
  • Requirements for local user passwords
    By default, local user passwords must meet complexity requirements. The password complexity requirements are similar to the requirements defined in the Microsoft Windows Local security policy.
  • Predefined BUILTIN groups and default privileges
    You can assign membership of a local user or domain user to a predefined set of BUILTIN groups provided by ONTAP. Predefined groups have predefined privileges assigned.
  • Enabling or disabling local users and groups functionality
    Before you can use local users and groups for access control of NTFS security-style data, local user and group functionality must be enabled. Additionally, if you want to use local users for SMB authentication, the local user authentication functionality must be enabled.
  • Managing local user accounts
    You can manage local user accounts by creating, modifying, and deleting them, and by displaying information about user accounts and group membership. You can also perform other management tasks, such as enabling, disabling, and renaming user accounts, setting the password for an account, and managing local account password complexity.
  • Managing local groups
    You can manage local groups by creating or modifying groups, displaying information about groups and group membership, and by deleting unneeded groups. You can also perform other management tasks, such as renaming groups and adding or removing both local and domain users from the local groups.
  • Managing local privileges
    You can manage local privileges by adding, removing, or resetting privileges for local and domain user accounts and groups. You can also display information about privileges assigned to local and domain user accounts and groups.