How does Access Based Enumeration (ABE) work?
Applies to
- ONTAP 9
- Data ONTAP 8 7-Mode
Answer
- When access-based enumeration (ABE) is enabled on a CIFS share, users who do not have permission to access a folder or file underneath it do not see these displayed in their environment.
- The actual permissions on files and folders do not change, only visibility does.
- ABE does not hide the share itself, it only hides the folders/files created under it, based on the access permissions.
- If users or automated systems rely on the visibility of all files and folders for indexing or management purposes, ABE could disrupt these operations.
Note: There is no global option per-SVM, each share must have ABE enabled on it if required
- Local administrators still have unrestricted enumeration
- Members of the BUILTIN\Administrators group are granted unrestricted access to the local system
- Thus, an account in this group would be able to enumerate the entire directory
- By default, ABE is disabled
- Enabling ABE
- For Data ONTAP 8 7-Mode
cifs shares -change sharename -accessbasedenum
- For ONTAP 9
::> cifs share properties add -vserver <vserver> -share-name <share> -share-properties access-based-enumeration
- For Data ONTAP 8 7-Mode
- Disabling ABE
- For Data ONTAP 8 7-Mode
cifs shares -change sharename -noaccessbasedenum
- For ONTAP 9
::> cifs share properties remove -vserver <vserver> -share-name <share> -share-properties access-based-enumeration
- For Data ONTAP 8 7-Mode
Additional Information
- If creating a CIFS share TEST with the
accessbasedenumoption- The share
\FILERTESTis mapped with the user DOMAINuserA- A folder called PROVA is created with the permissions Owner/ Full Control for the DOMAINuserA.
- Another user, such as DOMAINuserB, will be able to see the share TEST, but will not see the folder PROVA under the share
\FILERTEST. This is the expected behavior - There are some options to hide the cifs share TEST, such as:
- Disabling the CIFS shares browsing with the
-nobrowseoption- Creating a share and appending the $ symbol to the end of the name.
- Disabling the CIFS shares browsing with the
- The share
- Starting ONTAP 9.9.1 a cifs option was introduced that enumerates shared based on share-level permissions
-is-share-enum-permission-check-enabled(privilege: advanced)- If this parameter is set to true, the NetShareEnum call will only respond with the shares the user has access to. The default value is false which means it will respond with all shares.
- Enabling or disabling access-based enumeration on SMB shares (ONTAP 9+)
- Providing folder security on shares with access-based enumeration (Clustered ONTAP 8.3.1)
- Data ONTAP 7.3 File Access and Protocols
- na_cifs_shares Man page
- Provide folder security on shares with access-based enumeration overview (netapp.com)
- There is no need to have client reconnect to see impact of ABE, on next query dir, if ABE was enabled, the files\folders user does not have access to will no longer be returned in results.