NetApp Knowledge Base

How does ONTAP generate permissions for NFS and CIFS clients, when the volume security style is not native to the protocol?

Applies to



NTFS ACLs are translated into the least permissive variant of Unix modebits, which are applied to the Owner, Owner Group, and Other fields as they would apply to a user making a request. Ownership of a file is determined by the UID and GID of the mapped user that wrote the ownership information. The "other" field may be present, depending on whether an equivalent SID (such as Everyone) has explicit permissions. This can lead to some confusion if an administrator assigns an arbitrary owner to an object, as the resulting Unix permissions will reflect the administrator's mapping rather than the new owner's.

The following Access Masks will translate into modebits directly:

  • Read & Execute (r-x)
  • Read (r--)
  • Write (-w-)
  • Modify (rwx)
  • Full Control (rwx)
  • Traverse Folder / Execute File (--x)
  • Create Files / Write Data (-w-)
  • List Folders / Read Data (r--)

Other special permissions don't have a direct translation into Unix modebits. In those cases, it is not possible to express a client's ability to perform such an action with modebits alone.

Unix permissions are translated into NTFS ACLs when the option "-is-unix-nt-acl-enabled" is set to true (the default). By default, these fields are translated into fake SIDs, shown as UNIXPermUid\User and UNIXPermGid\Group, along with other and the current user. The resulting NTFS ACL will appear more permissive than the modebits, as there are permissions that do not have a translation. ONTAP tries to preserve the client's expectation with this translation: a Windows user whose mapped user would get rwx would effectively have a Full Control ACL, even though this provides special permissions that a Unix user could not be explicitly given via modebits.

Both translations are performed when permissions are written.
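
A simplified model of the two translations described above, useful when auditing what each protocol's view hides. This is an added example, not ONTAP code and not part of the original article; the dict-based ACL format, the trustee names, the sample ACL and the rule that several masks on one trustee combine by union are assumptions.

```python
# Added illustration, not ONTAP code. The table is the article's list of
# access masks that translate directly into mode bits.
DIRECT = {
    "Read & Execute": "r-x", "Read": "r--", "Write": "-w-",
    "Modify": "rwx", "Full Control": "rwx",
    "Traverse Folder / Execute File": "--x",
    "Create Files / Write Data": "-w-",
    "List Folders / Read Data": "r--",
}

def triplet(masks):
    """Return (rwx string, masks with no mode-bit form) for one trustee.

    Assumption: several allow masks on one trustee combine by union.
    Masks outside DIRECT add no bits, so the result never grants more
    than the table supports.
    """
    granted, lost = set(), []
    for mask in masks:
        if mask in DIRECT:
            granted.update(DIRECT[mask].replace("-", ""))
        else:
            lost.append(mask)
    return "".join(b if b in granted else "-" for b in "rwx"), lost

def acl_to_mode(acl, owner, group):
    """acl maps trustee name -> list of allow masks (constructed format)."""
    fields, lost = [], {}
    for trustee in (owner, group, "Everyone"):
        bits, dropped = triplet(acl.get(trustee, []))
        fields.append(bits)
        if dropped:
            lost[trustee] = dropped  # invisible to a client reading mode bits
    return "".join(fields), lost

def mode_to_acl_view(mode):
    """Flag fields whose NTFS view is wider than the mode bits.

    Only the article's stated case is modelled: rwx shows as Full Control.
    """
    names = ("UNIXPermUid\\User", "UNIXPermGid\\Group", "other")
    return {n: "Full Control" for n, i in zip(names, (0, 3, 6))
            if mode[i:i + 3] == "rwx"}

# Constructed sample ACL for a file owned by the mapped user "alice".
SAMPLE = {
    "alice": ["Modify", "Change Permissions"],
    "engineering": ["Read & Execute"],
    "Everyone": ["List Folders / Read Data"],
}
```

The second value returned by `acl_to_mode` lists the special permissions an NFS-side review of the mode bits would miss, and `mode_to_acl_view` marks the fields where a Windows-side review would see Full Control for what is only rwx.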

Additional Information


