Creating SMB share access control lists
Configuring share permissions by creating access control lists (ACLs) for SMB shares enables you to control the level of access to a share for users and groups.
About this task
You can configure share-level ACLs by using local or domain Windows user or group names or Linux user or group names.
Before creating a new ACL, you should delete the default share ACL Everyone / Full Control, which poses a security risk.
In workgroup mode, the local domain name is the SMB server name.
- Delete the default share ACL:
  vserver cifs share access-control delete -vserver vserver_name -share share_name -user-or-group everyone
- Configure the new ACL:
  | If you want to configure ACLs by using a... | Enter the command... |
  | --- | --- |
  | Windows user | vserver cifs share access-control create -vserver vserver_name -share share_name -user-group-type windows -user-or-group Windows_domain_name\user_name -permission access_right |
  | Windows group | vserver cifs share access-control create -vserver vserver_name -share share_name -user-group-type windows -user-or-group Windows_group_name -permission access_right |
  | Linux user | vserver cifs share access-control create -vserver vserver_name -share share_name -user-group-type unix-user -user-or-group UNIX_user_name -permission access_right |
  | Linux group | vserver cifs share access-control create -vserver vserver_name -share share_name -user-group-type unix-group -user-or-group UNIX_group_name -permission access_right |
- Verify that the ACL applied to the share is correct by using the vserver cifs share access-control show command.
The following command gives Change permission to the Sales Team Windows group for the sales share on the vs1.example.com SVM:
cluster1::> vserver cifs share access-control create -vserver vs1.example.com
    -share sales -user-or-group "Sales Team" -permission Change
cluster1::> vserver cifs share access-control show
                 Share       User/Group             User/Group Access
Vserver          Name        Name                   Type       Permission
---------------- ----------- --------------------   ---------  -----------
vs1.example.com  c$          BUILTIN\Administrators windows    Full_Control
vs1.example.com  sales       DOMAIN\"Sales Team"    windows    Change
The following command gives Read permission to the engineering Linux group for the eng share on the vs2.example.com SVM:
cluster1::> vserver cifs share access-control create -vserver vs2.example.com
    -share eng -user-group-type unix-group -user-or-group engineering -permission Read
cluster1::> vserver cifs share access-control show
                 Share       User/Group             User/Group  Access
Vserver          Name        Name                   Type        Permission
---------------- ----------- -------------------    ----------- -----------
vs2.example.com  c$          BUILTIN\Administrators windows     Full_Control
vs2.example.com  eng         engineering            unix-group  Read
The following commands give Change permission to the local Windows group named Tiger Team and Full_Control permission to the local Windows user named Sue Chang for the datavol5 share on the vs1 SVM:
cluster1::> vserver cifs share access-control create -vserver vs1
    -share datavol5 -user-group-type windows -user-or-group "Tiger Team" -permission Change
cluster1::> vserver cifs share access-control create -vserver vs1 -share datavol5
    -user-group-type windows -user-or-group "Sue Chang" -permission Full_Control
cluster1::> vserver cifs share access-control show -vserver vs1
               Share       User/Group                  User/Group  Access
Vserver        Name        Name                        Type        Permission
-------------- ----------- --------------------------- ----------- -----------
vs1            c$          BUILTIN\Administrators      windows     Full_Control
vs1            datavol5    DOMAIN\"Tiger Team"         windows     Change
vs1            datavol5    DOMAIN\"Sue Chang"          windows     Full_Control
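The verification step can be scripted when an SVM has many shares. The following Python script is an added example, not NetApp code: it parses saved output of vserver cifs share access-control show and lists entries that still grant Everyone Full_Control. The sample table (including the scratch and public shares) is constructed, and the parser assumes the fixed-width layout with a dashed ruler line.

```python
# Added example: flag share ACL entries that still grant Everyone / Full_Control.
# SAMPLE is constructed output in the fixed-width layout of
# "vserver cifs share access-control show"; the scratch and public shares are made up.
SAMPLE = r"""
               Share       User/Group                  User/Group  Access
Vserver        Name        Name                        Type        Permission
-------------- ----------- --------------------------- ----------- -----------
vs1            c$          BUILTIN\Administrators      windows     Full_Control
vs1            datavol5    DOMAIN\"Tiger Team"         windows     Change
vs1            datavol5    DOMAIN\"Sue Chang"          windows     Full_Control
vs1            scratch     Everyone                    windows     Full_Control
vs1            public      Everyone                    windows     Read
"""

FIELDS = ("vserver", "share", "principal", "type", "permission")


def parse_acl_table(text):
    """Slice rows by the dashed ruler so names containing spaces stay intact."""
    lines = text.splitlines()
    ruler_at = next(i for i, ln in enumerate(lines)
                    if ln.strip() and set(ln.strip()) <= {"-", " "})
    # Column spans come from each run of dashes in the ruler line.
    spans, pos = [], 0
    for run in lines[ruler_at].split(" "):
        if run:
            spans.append((pos, pos + len(run)))
        pos += len(run) + 1
    rows = []
    for line in lines[ruler_at + 1:]:
        if not line.strip():
            continue
        cells = [line[a:b].strip() for a, b in spans[:-1]]
        cells.append(line[spans[-1][0]:].strip())  # last column may overflow the ruler
        rows.append(dict(zip(FIELDS, cells)))
    return rows


def risky_entries(rows):
    """Return ACL entries that leave the default Everyone / Full_Control in place."""
    return [r for r in rows
            if r["principal"].split("\\")[-1].strip('"').lower() == "everyone"
            and r["permission"].lower() == "full_control"]


if __name__ == "__main__":
    for r in risky_entries(parse_acl_table(SAMPLE)):
        print(f'{r["vserver"]}:{r["share"]} still grants Everyone Full_Control')
```

Entries such as Everyone with Read are not flagged; only the default Everyone / Full_Control grant that the procedure says to delete is reported.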