If you missed the pre-registration for NetApp MS Azure AD B2C, the new login prompt will offer the option to register. Please note that access to your NetApp data may take up to 1 hour.
To learn more, read the FAQ and watch the video.
Need assistance? Complete this form and select “Registration Issue” as the Feedback Category.

Active IQ Unified Manager Discussions

NetApp Share ACL vs. DACL


Is there a way to sync the ACL on the NetApp shares to sync back to windows? The permissions are set correctly on the ACL and only those on the ACL have access to them but of course the DACL shows everyone on the windows side. This is obviously more asthetic than anything but if an audit happened it's just one more thing I would have to explain/prove. 



If you want to set NTFS permissions on files or folders from storage you can use fsecurity,


I'm not sure what you are saying here. Are you talking Netapp share permission?

Can you give us a deeper example


Sure thing, if you look at the output below, the vserver cifs share command shows the share level permission on NetApp, so only Domain Admins have access. When you look at the vserver security output, it shows the Windows DACL which still has Everyone listed, so if I go into the properties in Windows it will look like Everyone has access. Like I said though this is really asthetic or so I wouldn't have to explain this for an audit or anything as the permissions work the way they should on the NetApp. Is there a way to have the permissions on NetApp propogate so they are in sync on the Windows DACL as well?


SAN::> vserver cifs share access-control show -share Test
Share User/Group User/Group Access
Vserver Name Name Type Permission
-------------- ----------- --------------------------- ----------- -----------
svm01 Test Domain Admins windows Full_Control



SAN::> vserver security file-directory show -vserver svm01 -path /Test

Vserver: svm01
File Path: /Test
File Inode Number: 64
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor



You are displaying two different things.


You are displaying share level permissions vs ntfs file level permissions.  




Yes I understand that, the NTFS permissions don't really matter as the share permissions on the netapp are working correctly. I know I could go into the NTFS permission on windows and change them manually I was just wondering if there's a way to push the permissions from the share to match in NTFS since they are both windows groups. Everything I have seen online has pointed to manually changing them in windows. 


Those are two separate entire entities.  It's basic windows, two constructs, Share ACLs' and File System ACLs.


When you create a file system, the default permissions are everyone/full control.  I don't think that's modifiable.  Same with shares, you need to go edit them and create access lists.


But the standard practice in the industry is either


share level - everyone / full control or authenticated users - full control

ntfs - this is where you lock the files down with security groups etc.


There is no concept of pushing down permissions from a share to a file system.  


This is a good read - https://blog.varonis.com/the-difference-between-share-and-ntfs-permissions/


Wow that was dumb of me. Sorry I was way trying to overcomplicate this and didn't think about what these actually were. Sorry about that. Thanks for head check, I need it every now and then. I'm new to netapp so I just straight up tried to be overcomplex. 

NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner