topic Re: cli-cifs? in Active IQ Unified Manager Discussions

cli-cifs?

MRJORDANG — Wed, 04 Jun 2025 23:00:42 GMT

Hello,

Does the "cli-cifs" privilege limit an ONTAP user to read only privileges? I'd like to restrict a user to the ability to view cifs shares but not the ability to make any changes.

DATA ONTAP 8.1.4P9 7-Mode

Thanks,

MRJG

Re: cli-cifs?

rwelshman — Mon, 19 Oct 2015 17:44:19 GMT

no, it will allow access to the entire cifs family of commands. It is very difficult to create read-only access to the filers. They can view the shares using "computer management" on their workstation and connecting to the filer.

Re: cli-cifs?

MRJORDANG — Mon, 19 Oct 2015 18:38:35 GMT

Thank you for the response. Then what is the difference between the following two privileges?

cli-cifs

cli-cifs*

I thought the same thing you mentioned, but then I discovered documentation that includes the cli-cifs* privilege which I would think allows access to the entire subset of cifs commands.

Re: cli-cifs?

rwelshman — Mon, 19 Oct 2015 19:02:07 GMT

I'm pretty sure that if you just specify cli-cifs without the *, the user could only use "cifs" which won't give them any results.

Re: cli-cifs?

MRJORDANG — Mon, 19 Oct 2015 19:13:17 GMT

Would love to find some documentation that validates your statement. Best I can find is the following:

"The format for this is cli-* , which means allow all the commands and subcommands. (cli-<command> just means the command and NO subcommands.) " 
http://www.netapp.com/us/media/tr-3358.pdf

But then, as you mentioned, just allowing the capability to run the "cifs" command (no other arguments) should effectively do nothing except provide the help output for the cifs command. Yet, I see in the following in the messages file when a user attempts to execute "cifs shares":

"User 'testuser' denied access - missing required capability:  'cli-cifs'"