Skip to main content

Coming soon...New Support-Specific categorization of Knowledge Articles in the NetApp Knowledge Base site to improve navigation, searchability and your self-service journey.

NetApp Knowledge Base

How does Access Based Enumeration (ABE) work?

Views:
7,840
Visibility:
Public
Votes:
7
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9
  • Data ONTAP 8 7-Mode

Answer

  • When access-based enumeration (ABE) is enabled on a CIFS share, users who do not have permission to access a shared folder or file underneath it (whether through individual or group permission restrictions), do not see that shared resource displayed in their environment.
    • There is no global option per-SVM, each share must have ABE enabled on it if required
ABE does not hide the share, it only hides the folders/files created under it, based on the access permissions.​​
  • Local administrators still have unrestricted enumeration
  • Members of the BUILTIN\Administrators group are granted unrestricted access to the local system
  • Thus, an account in this group would be able to enumerate the entire directory
  • By default, ABE is disabled
  • Enabling ABE
    • For Data ONTAP 8 7-Mode
      • cifs shares -change sharename -accessbasedenum
    • For Data ONTAP 9
      • ::> cifs share properties add -vserver <vserver> -share-name <share> -share-properties access-based-enumeration
  • Disabling ABE
    • For Data ONTAP 8 7-Mode
      • cifs shares -change sharename -noaccessbasedenum
    • For Data ONTAP 9
      • ::> cifs share properties remove -vserver <vserver> -share-name <share> -share-properties access-based-enumeration

Additional Information

 

Scan to view the article on your device