Network and Storage Protocols

Creator/Owner Permissions

storageadmins
7,670 Views

Hi everybody,

i have a question regarding the Creator/Owner permissions on a CIFS Share. We have several Shares on a FAS3140. Permissions on the share is everyone full control. On the Filesystem we have Full Control only for the Admistrator Group of the Filer and different read or change permissions to Domain Groups to the directory structure on the root level of the share. Permissions for subdirectories / files are inherited. Now we have the following problem. Per default the creator/owner of a file or directory has full control to it, that means if a user is creating a file or a directory he is able to modify the permissions of it, what we do not want. In Windows 2008 there is a new security principal called "OWNER RIGHTS" where this problem can be adressed (the process is described here: http://www.techrepublic.com/blog/networking/control-owner-access-rights-in-windows-server-2008/1379) .

My question is, is this also possible with a netapp filer ? Somebody solved that problem somehow and could guide me in the right direction ?

Thx and Best Regards

Wolfgang

4 REPLIES 4

aborzenkov
7,670 Views

Good question. Have you tested whether setting of this ACE has any effect?

rmharwood
7,670 Views

I could be wrong and I haven't done this very often, but I think all you need to do is to use the "CREATOR OWNER" principal and don't assign "change permissions" rights. I know this is supported by NetApp's CIFS implementation. You should test this to make sure it's doing what you want.

HTH,

Richard

Message was edited by: Richard Harwood Don't confuse principal and principle!

storageadmins
7,670 Views

Hi everybody,

thanks for the answers. I will definetely try out the CREATOR OWNER permission. I was not aware that this is possible in the netapp cifs implementation.

storageadmins
7,670 Views

So,

i tested a few things. Permissions on the CREATOR OWNER principal you can only set inside FilerView on the Share. If i try that with the explorer i get an Object not found error. If i set permissions on the share for everyone to full control and CREATOR OWNER to change, then there is no effect at all. Users can acces the share as before and the creators of files/directories are able to change permissions. If i set the permissions on the share for everyone to change, then the creators of files / directories are not able to change permissions anymore, this applies to old and to new files / directories. So i guess this is the way to go for me.

Regards

Wolfgang

Public