Skip to main content
NetApp adopts Microsoft’s Business-to-Customer (B2C) Identity Management
Effective December 3 - NetApp adopts Microsoft’s Business-to-Customer (B2C) identity management to simplify and provide secure access to NetApp resources. For accounts that did not pre-register (prior to Dec 3) access to your NetApp data may take up to 1 hour as your legacy NSS ID is synchronized to the new B2C identity. To learn more, Read the FAQ and Watch the video. Need assistance? Complete this form and select “Registration Issue” as the Feedback Category. 
NetApp Knowledge Base

How does ONTAP generate permissions for NFS and CIFS clients, when the volume security style is not native to the protocol?

Last Updated:

Applies to



NTFS ACLs are translated into the least permissive variant of Unix modebits, and are applied to the Owner, Owner Group, and Other fields as they would apply to a user making a request. Ownership of a file is determined by the UID & GID of the mapped user that wrote the ownership information. The "other" field may be present, depending on if an equivalent SID has explicit permissions (such as Everyone).  This can lead to some confusion if an Administrator assigns an arbitrary owner of an object, as the resulting Unix permissions will reflect their mapping, rather than the new owner's.

The following Access Masks will translate into modebits directly:

  • Read & Execute (r-x),
  • Read (r--),
  • Write (-w-),
  • Modify (rwx),
  • Full Control (rwx),
  • Traverse Folder / Execute File (--x),
  • Create Files / Write Data(-w-),
  • List Folders / Read Data (r--)

Other special permissions don't have a direct translation into Unix modebits. In those cases, it is not possible to express a client's ability to perform such an action with modebits alone.

Unix permissions are translated into NTFS ACLs, when the option "-is-unix-ntaclenabled" is set to true (default). These fields are translated into a fake SID by default, showing UNIXPermUid\User and UNIXPermGid\Group, other, and the current user as well. The resulting NTFS ACL will appear more permissive, compared to the modebits, as there are permissions that do not have a translation. ONTAP tries to preserve the client's expectation with this translation - a Windows user whose mapped user would get rwx would effectively have a Full Control ACL, even though this provides special permissions that a Unix user could not be explicitly given via modebits.

Both translations are performed when permissions are written.

Additional Information