Skip to main content
NetApp Knowledgebase

How does Access Based Enumeration (ABE) work?

Views:
694
Visibility:
Public
Votes:
1
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9
  • Data ONTAP 7-Mode

Answer

When creating a (CIFS) share, for example TEST, with the accessbasedenum option, the CIFS share TEST is not hidden.

According to the Access Based Enumeration documentation, when access-based enumeration (ABE) is enabled on a CIFS share, users who do not have permission to access a shared folder or file underneath it (whether through individual or group permission restrictions), do not see that shared resource displayed in their environment.

Local administrators still have unrestricted enumeration. Members of the BUILTIN\Administrators group are granted unrestricted access to the local system. Thus, an account in this group would be able to enumerate the entire directory.By default, ABE is disabled.

Data ONTAP 7-Mode:
  • To enable ABE
    • cifs shares -change sharename -accessbasedenum
  • To disable ABE
    • cifs shares -change sharename -noaccessbasedenum
Clustered Data ONTAP:

::> cifs share properties add -vserver [vserver name] -share-name [share] -share-properties access-based-enumeration

::> cifs share properties remove -vserver [vserver name] -share-name [share] -share-properties access-based-enumeration

Additional Information

Example:

If creating a CIFS share TEST with the accessbasedenum option.

The share \FILERTEST is mapped with the user DOMAINuserA. A folder called PROVA is created with the permissions Owner/ Full Control for the DOMAINuserA.

Another user, such as DOMAINuserB, will be able to see the share TEST, but will not see the folder PROVA under the share \FILERTEST. This is the expected behavior.

There are some options to hide the cifs share TEST, such as:

Disabling the CIFS shares browsing with the -nobrowse option
Creating a share and appending the $ symbol to the end of the name.