All Products
Search
Document Center

Cloud Storage Gateway:Enable Windows access-based enumeration

Last Updated:Nov 08, 2023

Cloud Storage Gateway supports Windows access-based enumeration (ABE). After you mount a Server Message Block (SMB) share to a local client, you can use ABE to control the visibility of files and folders based on user permissions. This topic describes how to enable Windows ABE.

Prerequisites

Background information

In a Windows file system, files and folders are visible to users by default, even if the users have no permissions on the files or folders. After Windows ABE is enabled on a CSG instance, shares mounted to a client show files and folders based on user permissions.

When you use Windows ABE, pay attention to the following notes.

  • When you enable Windows ABE, the permission information about files or folders is stored in the metadata of the associated OSS bucket.

  • We recommend that you set no more than 10 access control entries for each file or folder.

  • By default, the root directories of SMB shares are visible to all users. We recommend that you do not change the permissions of SMB root directories. You can specify permissions to access the top-level folders of SMB shares. Permissions to root directories are saved on the gateway and cannot be saved to OSS buckets.

Windows ABE can be enabled only when you create a share. Perform the following steps to create an SMB share.

  1. Log on to the CSG console.

  2. In the upper-left corner of the page, select the region where the destination file gateway resides.

  3. In the left-side navigation pane, click Gateways. On the page that appears, locate the file gateway and click the ID of the file gateway.

  4. In the left-side navigation pane, click Share. On the Shares page, click Create.

  5. On the Bucket Setting tab, set the required parameters, and click Next.

    Note

    For more information about the parameters, see Bucket settings.

  6. On the Basic Information page, set the required parameters as described in Basic information, set the following additional parameters, and then click Next.

    Parameter

    Description

    Windows ACL

    Select whether to enable Windows ACL. This parameter is available only when the Protocol parameter is set to SMB.

    Note

    To enable Windows ABE, you must join an AD domain first.

    Access Based Enumeration

    Select whether to enable Windows ABE. After Windows ABE is enabled, you can only view files or folders that you have permissions to manage. This parameter is available only when the Windows ACL parameter is set to Yes.

  7. On the Advanced Settings tab, set the following parameters, and then click Next.

    Note

    For more information about the parameters, see Advanced settings.

  8. In the Confirmation step, verify your settings and click OK.

After the share is created, you can click the + icon on the right side of the share name to check whether Windows ACL and Windows access-based enumeration are enabled.

For more information about how to use Windows ABE, see Enable Windows access-based enumeration.