fsecurity & storage-level access guard

MICHAEL_TROUP · ‎2011-08-19

I would like to confirm my understanding of fsecurity and was hoping someone could help me.

What I would like to do is be able to grant access to very large NTFS file systems without having to touch the "NTFS" file system at all. In my interpretation of fsecurity this is possible by setting permissions at the volume / qtree level (storage-level access guard). Is this correct ? If not, please explain becuase it is not clear to me what this feature really does and why it is useful.

Thanks in advance.

Michael Troup

aborzenkov · ‎2011-08-19

I was about to say "yes", but then realized, that order of application of storage level and file level ACLs is not clearly described anywhere. So I am no sure what happens if you have both Allow and Deny ACEs.

But in most common cases of using only Allow Storage Level ACLs should do the trick.

columbus_admin · ‎2011-08-19

Michael,

As of about a year ago, every time and I truly mean 100% of the time, we ran fsecurity (with the exception of fsecurity show), the filer would crash. I would really talk to support before running it. And we tried a 3050 and a 3160 if I remember under 7.3.2 8 or more times each.

That is indeed what fsecurity is supposedly for, but having never been able to get it work without a filer going down I don't know how it works(when it works).

- Scott

shaunjurr · ‎2011-09-04

I guess it is important to remember the differences between share-level and filesystem-level security and see where you actually need to add any restrictions. Basically, if the file system rights are already correct and you have limited guest access to CIFS (see cifs options) and implement ABE, you have a pretty decent start already. Share level rights are really only necessary in special cases if the filesystem rights are in place with ABE.