ONTAP Discussions

CIFS Shares DACLs vs Storage Level Guard - Effective Permissions

shocko

I'm looking at a use case as follows:

 

Use case: I have a CIFS share with a DACL in place to allow various AD groups various levels of access. I wish to set it to read-only without modifying the DACL or setting the read-only bit as I don't want to touch the files directly (several million). 

 

I was thinking of using a storage level guard for this purpose but I'm not 100% clear on if there is any effective permissions between a standard NTFS DACL and the storage level guard or if they are simply separate controls checked in order, i.e. are permissions combined from both levels and an effective permission output, or is it simply a set of checks in order that the user has to pass, e.g. NTFS level checked and then if access allowed storage level checked. If NTFS access denied, storage level not checked as no need.


For example:

Q1: If UserA is a Member of GroupA and has write on ShareA at the NTFS level and a member of GroupB that has read at the storage level I'd assume they get read access ultimately?
Q2: If UserA is a Member of GroupA and has read on ShareA at the NTFS level and a member of GroupB that has write at the storage level I'd assume they get write access ultimately?

 

 


cruxrealm

Both file-level and SLAG follow the same NTFS permission rules. The difference is that SLAG is set on the volume/qtree level. SLAG is typically used to implement business data access policies that must be applied.

SLAG will work for what you intend to do. However, be sure to inform the storage/system admins which volumes/qtrees have SLAG enabled, as it will be a challenge to debug permissions later.

 
