How to hide folders in NetApp from users who don't have access to them by using the ABE option.
Access Based Enumeration
Hello friends, lots of people are not aware of the ABE feature of NetApp. It is one of the interesting CIFS features available on NetApp.
We know that we can put user-level permissions on the qtree and then on the respective folders. Often, though, storage administrators want users to see only the folders in a qtree that they have access to. Users should not be able to see folders where they have no access, because even a folder name can leak information.
This security feature can be enabled on NetApp by enabling ABE. It works only for CIFS, not for NFS.
Enable/Disable ABE through the NetApp Storage CLI
To enable ABE on an existing share:
FAS1> cifs shares -change <sharename> -accessbasedenum
To disable ABE on an existing share:
FAS1> cifs shares -change <sharename> -noaccessbasedenum
To create a share with ABE enabled:
FAS1> cifs shares -add <sharename> <path> -accessbasedenum
After enabling ABE on a share, you need to log off and log on again before you can see the effect.
For example, refer to the steps below.
1. We will use a share called DATA, located at /vol/DATA.
SERVER> Net use T: \\FAS1\DATA
2. At the root of the share, make a folder called \Software.
SERVER> MKDIR T:\SOFTWARE
3. Underneath \SOFTWARE, create three directories: FilerView, SnapManager, and NDA.
SERVER> MKDIR T:\SOFTWARE\FilerView
SERVER> MKDIR T:\SOFTWARE\SnapManager
SERVER> MKDIR T:\SOFTWARE\NDA
4. We have two users which were previously created in Active Directory, Fred and Wilma.
5. SERVER> Start Explorer, go to drive T:, select Properties on each of the folders specified and assign the following permissions.
| Create Folder | Assign Fred | Assign Wilma |
|---|---|---|
| \FilerView | Full Control | Full Control |
| \SnapManager | Full Control | Full Control |
| \NDA | No Access | Requires the following as a minimum: List Folder/Read Data, Read Extended Attributes, Read Permission |
6. Disconnect from drive T:
SERVER> Net use T: /delete /yes
7. Map Fred to the DATA share.
SERVER> From the desktop, double-click on the DEMO.MSC shortcut.
This will allow you to remotely connect to the VISTA workstation.
In the left column of the MSC, expand ‘Remote Desktop’. Double-click on ‘Connect as Fred’.
Once connected, click Start, Run, cmd.
8. VISTA> net use T: \\FAS1\data
9. Open the SOFTWARE folder.
10. Fred will see all three sub-folders even though he doesn’t have access rights to the NDA folder.
11. Verify this by clicking on each sub-folder.
12. VISTA> Logoff Fred
13. Connect Wilma.
SERVER> From the desktop, double-click on the DEMO.MSC shortcut.
This will allow you to remotely connect to the VISTA workstation.
In the left column of the MSC, expand ‘Remote Desktop’. Double-click on ‘Connect as Wilma’.
Once connected, click Start, Run, cmd.
VISTA> net use T: \\FAS1\data
14. Open the SOFTWARE folder.
Notice Wilma can also see all folders.
15. Verify Wilma has access to each folder by clicking on each folder's name.
16. Enable Access Based Enumeration.
FAS1> cifs shares -change data -accessbasedenum
17. Wilma can still access all three folders, as she was given permission.
18. VISTA> Logoff Wilma
19. Reconnect Fred to the DATA share.
SERVER> From the desktop, double-click on the DEMO.MSC shortcut.
This will allow you to remotely connect to the VISTA workstation.
In the left column of the MSC, expand ‘Remote Desktop’. Double-click on ‘Connect as Fred’.
Once connected, click Start, Run, cmd.
VISTA> net use t: \\FAS1\data
20. Notice Fred now can only see the folders he has access to.
21. VISTA> Logoff Fred
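The manual check in steps 10 and 20 can be scripted. The following is an added example, not part of the original post: run as the user under test, it lists the folders that user can see under a path, tries to open each one, and reports any folder whose name is visible although access is denied. The function names and the constructed demo tree (the three folders from step 3, with NDA denied by a fake probe) are assumptions for illustration.

```python
import os
import sys
import tempfile


def audit_enumeration(root, probe=os.listdir):
    """List the subfolders visible under root and try to open each one.

    Returns [(folder_name, accessible)] sorted by name. `probe` is the call
    used to open a folder, so the check can be exercised without a real share.
    """
    results = []
    with os.scandir(root) as entries:
        for entry in sorted(entries, key=lambda e: e.name.lower()):
            if not entry.is_dir(follow_symlinks=False):
                continue
            try:
                probe(entry.path)
                accessible = True
            except PermissionError:
                accessible = False
            results.append((entry.name, accessible))
    return results


def visible_but_denied(results):
    """Folders whose names are exposed although the user cannot open them."""
    return [name for name, accessible in results if not accessible]


def constructed_demo():
    """Constructed sample: the three folders from step 3, NDA denied by a fake probe."""
    def deny_nda(path):
        if os.path.basename(path) == "NDA":
            raise PermissionError(path)

    with tempfile.TemporaryDirectory() as root:
        for name in ("FilerView", "SnapManager", "NDA"):
            os.mkdir(os.path.join(root, name))
        return audit_enumeration(root, probe=deny_nda)


if __name__ == "__main__":
    # Pass the mapped path (for example T:\SOFTWARE) to audit a real share.
    results = audit_enumeration(sys.argv[1]) if len(sys.argv) > 1 else constructed_demo()
    for name, accessible in results:
        print(f"{name:<15} {'accessible' if accessible else 'VISIBLE BUT DENIED'}")
    # Non-zero exit when a folder name is exposed to a user who cannot open it.
    sys.exit(1 if visible_but_denied(results) else 0)
```

With ABE in effect for the share, a run as Fred should report no folder as visible but denied. Before step 16 it should flag NDA.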
 
It is a bit difficult to understand your instructions to hide my folder, please help me.
What's difficult to understand? Just enable the ABE option, apply the permissions on the user and test, that's all.