Controlling access to shares using permissions

File Services Administration Guide for Hitachi NAS Platform

Version: 14.7.x, 14.6.x
Part Number: MK-92HNAS006-29

Access to shares is restricted through a combination of share-level and file-level permissions. These permissions determine the extent to which users can view and modify the contents of the shared directory. When users request access to a share, their share-level permissions are checked first; if authorized to access the share, their file-level permissions are checked.

When the share-level permissions differ from the file-level permissions, the more restrictive permissions apply, as described in the following table, where [a] = “allowed” and [d] = “denied”:

Note: One feature of SMB is the ability to assign rights to machine (computer) accounts. A machine account is generated automatically by the operating system and registered in Active Directory, and it can be used for authentication within a domain. Machine account authentication can be performed only by an application that has built-in support for it. For example, Hyper-V server allows virtual machines to be stored on remote shares; such shares should allow full access for the machine account of the computer running Hyper-V server.

Activity                                              Read  Change  Full
View the names of files and subdirectories            a     a       a
Change to subdirectories of the shared directory      a     a       a
View data in files                                    a     a       a
Run applications                                      a     a       a
Add files and subdirectories                          d     a       a
Change data in files                                  d     a       a
Delete files and subdirectories                       d     a       a
Change permissions on files or subdirectories         d     d       a
Take ownership of files or subdirectories             d     d       a

When configuring access to a share, it is only possible to add users or groups that are:

  • Known to domain controllers, and
  • Seen by the server on the network.

Note: When a user is given access to a share, if the user is also a member of a group with a different access level, the more permissive level applies. For example, if a user is given Read access to a share, and that user also belongs to a group that has Change access to that same share, the user will have Change access to the share, because Change access is more permissive than Read access.
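
The two rules on this page (the most permissive share-level entry among a user and the user's groups applies, and the more restrictive of share-level and file-level permissions wins) can be combined into one evaluation. The sketch below is an added example, not code from the Hitachi NAS Platform. The function names, activity labels and sample accounts are constructed, and file-level permissions are simplified to a plain set of allowed activities.

```python
# Added illustration: names and sample data are constructed, not product code.
LEVELS = ["Read", "Change", "Full"]  # ordered from least to most permissive

# Activities each share-level permission allows, taken from the table above.
READ = {"view names", "change to subdirectories", "view data", "run applications"}
CHANGE = READ | {"add", "change data", "delete"}
FULL = CHANGE | {"change permissions", "take ownership"}
SHARE_ALLOWS = {"Read": READ, "Change": CHANGE, "Full": FULL}


def share_level(user, groups, share_acl):
    """Return the most permissive level granted to the user or any group.

    Returns None when neither the user nor a group has an entry on the share.
    """
    granted = [share_acl[p] for p in {user, *groups} if p in share_acl]
    return max(granted, key=LEVELS.index) if granted else None


def effective_activities(user, groups, share_acl, file_allows):
    """Return the activities allowed after both checks, share level first.

    file_allows is the set of activities the file-level permissions grant
    (assumption: a simplified stand-in for a real file ACL). The result is
    the intersection, so the more restrictive side always wins.
    """
    level = share_level(user, groups, share_acl)
    if level is None:
        return set()  # share-level check failed; file level is not consulted
    return SHARE_ALLOWS[level] & file_allows


# Constructed sample share ACL: one user entry and one group entry.
share_acl = {"alice": "Read", "engineering": "Change"}

if __name__ == "__main__":
    # alice has Read directly and Change through her group: Change applies.
    print(share_level("alice", ["engineering"], share_acl))
    # Read-only file permissions cap her at the Read activities.
    print(sorted(effective_activities("alice", ["engineering"], share_acl, READ)))
```

Running the same evaluation over an exported share ACL is a quick way to spot users whose group membership quietly raises them above the level assigned to them directly.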