https://community.netapp.com/t5/Network-and-Storage-Protocols/Allow-users-full-access-to-CIFS-shares-and-files-folders-without-admin-access-to/m-p/48424#M4462 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>I noticed you wrote the following:</P><P></P><P><STRONG><EM>"My question is, when I move the files over to a CIFS share on a filer,&nbsp; in order to maintain the ability for the group to manage the files, I&nbsp; need to make them members of the local Administrators group on the filer&nbsp; itself"</EM></STRONG></P><P></P><P>I d suggest to you that the storage admins should not have to do CIFS permissioning. In most big evnironments I have been to its not seen as secure nor scalable to have</P><P>the storage admins doing CIFS permissioning.</P><P></P><P>The way I have seen this been done in the past is that the storage guys create a cifs share wide open, then its grabbed by the windows team that will set permissions and</P><P>deal with any issues. After all the windows guys will have access to AD admin accounts and thus will be in a good position to fix any issues. They will also have the</P><P>knowledge about how permissions should be fixed to fit current security requirements etc.</P><P></P><P>My two pennies worth, which would void having to deal with your current issue.</P><P></P><P>Regards,</P><P>Eric</P></BODY></HTML> Mon, 30 Aug 2010 03:10:30 GMT eric_barlier 2010-08-30T03:10:30Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Allow-users-full-access-to-CIFS-shares-and-files-folders-without-admin-access-to/m-p/48414#M4460 <HTML><HEAD></HEAD><BODY><P>Basically, we are migrating file servers to CIFS shares on our filer.&nbsp; There is a group of file server admins in an AD group.&nbsp; This AD group is a member of the local Administrators group on the file server, which is given so they can manage all the files on the server.</P><P><BR />My question is, when I move the files over to a CIFS share on a filer, in order to maintain the ability for the group to manage the files, I need to make them members of the local Administrators group on the filer itself.&nbsp; But I don't want to them to have the ability to manage the filer itself...either through CLI, Filerview, System Manager, etc.</P><P></P><P>Is it possible to do this?&nbsp; If not, I would have to use xcacls or some similar utility to modify the ACL on all files/folders to give that group admin access, but I would rather not have to do that.</P></BODY></HTML> Thu, 05 Jun 2025 07:10:22 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Allow-users-full-access-to-CIFS-shares-and-files-folders-without-admin-access-to/m-p/48414#M4460 kungfujoe23 2025-06-05T07:10:22Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Allow-users-full-access-to-CIFS-shares-and-files-folders-without-admin-access-to/m-p/48418#M4461 <HTML><HEAD></HEAD><BODY><P>User capabilities are defined by roles. By default group Administrator is given “admin” role that has following priviliges:</P><P></P><P>Name: Administrators</P><P>Info: Members can fully administer the filer</P><P>Rid: 544</P><P>Roles: admin</P><P></P><P>Name: admin</P><P>Info:</P><P>Allowed Capabilities: login-<STRONG>,cli-</STRONG>,api-<STRONG>,security-</STRONG></P><P></P><P>So you could create another role and assign it to group Administrators instead of default role “admin”; if you will not include login-* in this group, users in this group will not be able to log into filer using any available protocol. Actually, it is quite possible that for your purpose you can remove <STRONG>all</STRONG> capabilities from this group, because it sounds like you only need it as placeholder for file ACLs.</P><P></P><P>Please check TR-3358 for more in-depth description of role based access control.</P><P></P><P>This is not tested. One thing I miss – how RBAC plays together with Windows management API.</P></BODY></HTML> Tue, 17 Aug 2010 05:11:54 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Allow-users-full-access-to-CIFS-shares-and-files-folders-without-admin-access-to/m-p/48418#M4461 aborzenkov 2010-08-17T05:11:54Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Allow-users-full-access-to-CIFS-shares-and-files-folders-without-admin-access-to/m-p/48424#M4462 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>I noticed you wrote the following:</P><P></P><P><STRONG><EM>"My question is, when I move the files over to a CIFS share on a filer,&nbsp; in order to maintain the ability for the group to manage the files, I&nbsp; need to make them members of the local Administrators group on the filer&nbsp; itself"</EM></STRONG></P><P></P><P>I d suggest to you that the storage admins should not have to do CIFS permissioning. In most big evnironments I have been to its not seen as secure nor scalable to have</P><P>the storage admins doing CIFS permissioning.</P><P></P><P>The way I have seen this been done in the past is that the storage guys create a cifs share wide open, then its grabbed by the windows team that will set permissions and</P><P>deal with any issues. After all the windows guys will have access to AD admin accounts and thus will be in a good position to fix any issues. They will also have the</P><P>knowledge about how permissions should be fixed to fit current security requirements etc.</P><P></P><P>My two pennies worth, which would void having to deal with your current issue.</P><P></P><P>Regards,</P><P>Eric</P></BODY></HTML> Mon, 30 Aug 2010 03:10:30 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Allow-users-full-access-to-CIFS-shares-and-files-folders-without-admin-access-to/m-p/48424#M4462 eric_barlier 2010-08-30T03:10:30Z