Subscribe

Access Based Enumeration at the Filer/vFiler level

This looked to be the most relevant community to post this comment in - sorry if its not.

ONTAP 7.2 gave us the ablity to enable ABE (Access Based Enumeration) support at the share level (cifs shares) using an extended attribute of the share command.  ABE appears to be gaining popularity in the Windows arena (in my business sector at least) because from an Information Security perspective it only shows users what they are entitled to access rather than everything in the directory (simplified here to make a point).

Is there anyway to make enabling ABE in my NetApp Filer environment easier?  For example can all shares that get created have ABE enabled by default rather than having to set it at a per share level.  Consider also that in large environments the people responsible for creating shares may be using the MMC and other Microsoft tools to manage shares and may not be logging into ONTAP to run the CIFS SHARES command as ONTAP access is limited to the storage administration team.

Is anyone looking at this, thinking about it or seeing the same challenges in their environment?

Re: Access Based Enumeration at the Filer/vFiler level

I agree, a cifs option at the filer level to enable ABE by default for new shares would be a nice feature addition.

Re: Access Based Enumeration at the Filer/vFiler level

cifs shares -change sharename -accessbasedenum

will turn it on for a share

Re: Access Based Enumeration at the Filer/vFiler level

Obviously this is an old post, however to turn on ABE on all shares you can use:

cifs shares -change * -accessbasedenum

ABE will not be enabled by default on all new shares created, but it will be enabled for any existing share.

Re: Access Based Enumeration at the Filer/vFiler level

This is really cool... in 7g/7mode I have only used wildcard * for vfiler commands and didn't know it worked on cifs share -change.