
Creating SMB share access control lists

Configuring share permissions by creating access control lists (ACLs) for SMB shares enables you to control the level of access to a share for users and groups.

About this task

You can configure share-level ACLs by using local or domain Windows user or group names or Linux user or group names.

Before creating a new ACL, you should delete the default share ACL Everyone / Full Control, which poses a security risk.

In workgroup mode, the local domain name is the SMB server name.

  1. Delete the default share ACL: vserver cifs share access-control delete -vserver vserver_name -share share_name -user-or-group everyone
  2. Configure the new ACL. If you want to configure ACLs by using one of the following, enter the corresponding command:
    Windows user: vserver cifs share access-control create -vserver vserver_name -share share_name -user-group-type windows -user-or-group Windows_domain_name\user_name -permission access_right
    Windows group: vserver cifs share access-control create -vserver vserver_name -share share_name -user-group-type windows -user-or-group Windows_group_name -permission access_right
    Linux user: vserver cifs share access-control create -vserver vserver_name -share share_name -user-group-type unix-user -user-or-group UNIX_user_name -permission access_right
    Linux group: vserver cifs share access-control create -vserver vserver_name -share share_name -user-group-type unix-group -user-or-group UNIX_group_name -permission access_right
  3. Verify that the ACL applied to the share is correct by using the vserver cifs share access-control show command.

The following command gives Change permissions to the Sales Team Windows group for the sales share on the vs1.example.com SVM:

cluster1::> vserver cifs share access-control create -vserver vs1.example.com -share sales -user-or-group "Sales Team" -permission Change

cluster1::> vserver cifs share access-control show
                 Share       User/Group           User/Group Access
Vserver          Name        Name                 Type      Permission
---------------- ----------- -------------------- --------- -----------
vs1.example.com  c$          BUILTIN\Administrators windows   Full_Control
vs1.example.com  sales       DOMAIN\"Sales Team"  windows   Change

The following command gives Read permission to the engineering Linux group for the eng share on the vs2.example.com SVM:

cluster1::> vserver cifs share access-control create -vserver vs2.example.com -share eng -user-group-type unix-group -user-or-group eng -permission Read

cluster1::> vserver cifs share access-control show
                 Share       User/Group          User/Group  Access
Vserver          Name        Name                Type        Permission
---------------- ----------- ------------------- ----------- -----------
vs2.example.com  c$          BUILTIN\Administrators windows     Full_Control
vs2.example.com  eng         engineering         unix-group  Read

The following commands give Change permission to the local Windows group named Tiger Team and Full_Control permission to the local Windows user named Sue Chang for the datavol5 share on the vs1 SVM:

cluster1::> vserver cifs share access-control create -vserver vs1 -share datavol5 -user-group-type windows -user-or-group "Tiger Team" -permission Change

cluster1::> vserver cifs share access-control create -vserver vs1 -share datavol5 -user-group-type windows -user-or-group "Sue Chang" -permission Full_Control

cluster1::> vserver cifs share access-control show -vserver vs1
               Share       User/Group                  User/Group  Access
Vserver        Name        Name                        Type        Permission
-------------- ----------- --------------------------- ----------- -----------
vs1            c$          BUILTIN\Administrators      windows     Full_Control
vs1            datavol5    DOMAIN\"Tiger Team"         windows     Change
vs1            datavol5    DOMAIN\"Sue Chang"          windows     Full_Control
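
The verification in step 3 can be scripted across many shares. The following Python script is an added example, not part of the original page or of NetApp's tooling: it parses saved output of vserver cifs share access-control show and reports shares that still grant access to Everyone. The sample output, including the projects share, is constructed, and the parser assumes share names without spaces and rows that are not line-wrapped.

```python
# Values accepted by -user-group-type and -permission.
TYPES = {"windows", "unix-user", "unix-group"}
PERMISSIONS = {"No_access", "Read", "Change", "Full_Control"}

# Constructed sample output (not captured from a real cluster); the "projects"
# share still carries the default Everyone / Full Control entry.
SAMPLE = r'''
cluster1::> vserver cifs share access-control show -vserver vs1
               Share       User/Group                  User/Group  Access
Vserver        Name        Name                        Type        Permission
-------------- ----------- --------------------------- ----------- -----------
vs1            c$          BUILTIN\Administrators      windows     Full_Control
vs1            datavol5    DOMAIN\"Tiger Team"         windows     Change
vs1            datavol5    DOMAIN\"Sue Chang"          windows     Full_Control
vs1            projects    Everyone                    windows     Full_Control
'''


def parse_acl_show(text):
    """Return (vserver, share, principal, type, permission) tuples.

    Rows are read from both ends so principals containing spaces survive:
    the first two tokens are vserver and share, the last two are type and
    permission. Assumption: share names contain no spaces and rows are not
    line-wrapped.
    """
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[-1] not in PERMISSIONS or tokens[-2] not in TYPES:
            continue  # prompt, header, ruler, or blank line
        principal = " ".join(tokens[2:-2])
        rows.append((tokens[0], tokens[1], principal, tokens[-2], tokens[-1]))
    return rows


def everyone_grants(rows):
    """Entries that still give Everyone a permission other than No_access."""
    return [r for r in rows
            if r[2].replace('"', "").split("\\")[-1].lower() == "everyone"
            and r[4] != "No_access"]


if __name__ == "__main__":
    for vserver, share, principal, _type, perm in everyone_grants(parse_acl_show(SAMPLE)):
        print(f"{vserver}:{share} grants {perm} to {principal}")
```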