Skip to main content
NetApp Knowledge Base

How does Access Based Enumeration (ABE) work?

  1. Last updated
  2. Save as PDF
Views:
15,581
Visibility:
Public
Votes:
9
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9
  • Data ONTAP 8 7-Mode

Answer

  • When access-based enumeration (ABE) is enabled on a CIFS share, users who do not have permission to access a folder or file underneath it do not see these displayed in their environment.
    • The actual permissions on files and folders do not change, only visibility does.
    • ABE does not hide the share itself, it only hides the folders/files created under it, based on the access permissions.​​
    • If users or automated systems rely on the visibility of all files and folders for indexing or management purposes, ABE could disrupt these operations.

Note: There is no global option per-SVM, each share must have ABE enabled on it if required

  • Local administrators still have unrestricted enumeration
    • Members of the BUILTIN\Administrators group are granted unrestricted access to the local system
    • Thus, an account in this group would be able to enumerate the entire directory
  • By default, ABE is disabled
  • Enabling ABE
    • For Data ONTAP 8 7-Mode
      cifs shares -change sharename -accessbasedenum
    • For ONTAP 9
      ::> cifs share properties add -vserver <vserver> -share-name <share> -share-properties access-based-enumeration
  • Disabling ABE
    • For Data ONTAP 8 7-Mode
      cifs shares -change sharename -noaccessbasedenum
    • For ONTAP 9
      ::> cifs share properties remove -vserver <vserver> -share-name <share> -share-properties access-based-enumeration

Additional Information

  • If creating a CIFS share TEST with the accessbasedenum option

The share \\FILER\TEST is mapped with the user DOMAIN\userA

A folder called PROVA is created with the permissions Owner/ Full Control for the DOMAIN\userA.

  • Another user, such as DOMAIN\userB, will be able to see the share TEST, but will not see the folder PROVA under the share \\FILER\TEST. This is the expected behavior
  • There are some options to hide the cifs share TEST, such as:

Disabling the CIFS shares browsing

  • For Data ONTAP 8 7-Mode
    cifs shares -change sharename -nobrowse
  • For ONTAP 9
    ::> cifs share properties remove -vserver <vserver> -share-name <share> -share-properties browsable

Creating a share and appending the $ symbol to the end of the name (this will hide the share from explorer, but it will still be accessible from client if they type the share name)

  • Starting ONTAP 9.9.1 a cifs option was introduced that enumerates shared based on share-level permissions
    • -is-share-enum-permission-check-enabled (privilege: advanced)  
    • If this parameter is set to true, the NetShareEnum call will only respond with the shares the user has access to. The default value is false which means it will respond with all shares.
  • Enabling or disabling access-based enumeration on SMB shares (ONTAP 9+)
  • Provide folder security on shares with access-based enumeration overview (netapp.com)
  • There is no need to have client reconnect to see impact of ABE, on next query of file list, if ABE was enabled, the files\folders user does not have access to will no longer be returned in results.
  • If user is a member of local admin (on SVM) then they will be able to see the shares.
NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.