Cloud Storage Gateway supports Windows access-based enumeration (ABE). After you mount a Server Message Block (SMB) share to a local client, you can use ABE to control the visibility of files and folders based on user permissions. This topic describes how to enable Windows ABE.
In a Windows file system, files and folders are visible to users by default, even if the users have no permissions on the files or folders. After Windows ABE is enabled on a CSG instance, shares mounted to a client show files and folders based on user permissions.
When you use Windows ABE, pay attention to the following notes.
- When you enable Windows ABE, the permission information about files or folders is stored in the metadata of the associated OSS bucket.
- We recommend that you set no more than 10 access control entries for each file or folder.
- Be default, the root directories of SMB shares are visible to all users. We recommend that you do not change the permissions of SMB root directories. You can specify permissions to access the top-level folders of SMB shares. Permissions to root directories are saved on the gateway and cannot be saved to OSS buckets.
Windows ABE can be enabled only when you create a share. Perform the following steps to create an SMB share.
- Log on to the CSG console.
- Select the region where the target file gateway is located.
- Go to the Gateway Cluster page, find the target file gateway, and then click the name of the gateway to go to the Share tab.
- On the Share tab, click Create.
- On the Bucket Setting tab, set the required parameters, and click Next.
- On the Basic Information page, set the required parameters as described in Basic information, set the following additional parameters, and then click Next.
Parameter Description Windows ACL Select whether to enable Windows ACL. This parameter is available only when the Protocol parameter is set to SMB.Note To enable Windows ABE, you must join an AD domain first. Access Based Enumeration Select whether to enable Windows ABE. After Windows ABE is enabled, you can only view files or folders that you have permissions to manage. This parameter is available only when the Windows ACL parameter is set to Yes.
- On the Advanced Settings tab, set the following parameters, and then click Next.
- Click Next to go to the Summary tab, make sure that the specified information is correct, and then click OK.
After the share is created, you can click the + icon on the right side of the share name to check whether Windows ACL and Windows access-based enumeration are enabled.
For more information about how to use Windows ABE, see Enable Windows access-based enumeration.