Cloud Storage Gateway (CSG) provides Windows permission support. After you enable Windows permission support for a Server Message Block (SMB) share, you can use access-based enumeration (ABE) to control the visibility of files and directories based on the permissions on these files and directories. This topic describes how to enable Windows permission support.
Prerequisites
A file gateway is created, and a cache disk is attached to it. For more information, see Manage file gateways and Attach a cache disk.
An OSS bucket is created. For more information, see Get started by using the OSS console.
The gateway is added to an Active Directory (AD) domain. For more information, see Configure AD and DNS.
Background information
In a Windows file system, files and directories are visible to users by default, even if they do not have permissions to access these files or directories. After Windows permission support is enabled for an SMB share, ABE can be enabled for the share. ABE allows users to see only files and directories on which they are granted permissions.
Usage notes
Take note of the following information when you use Windows permission support in CSG:
When you enable Windows permission support, the permission information about files or directories is stored as the metadata of the corresponding OSS objects.
We recommend that you set no more than 10 permission entries for each file or directory.
By default, the root directory of an SMB share is visible to all users. We recommend that you do not change the permissions on the root directory. You can specify permissions to access the top-level directories of the SMB share. Permissions on the root directory are saved on the gateway and cannot be saved as object metadata.
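The usage notes above can be checked from a domain-joined Windows client once the share is in use. The following PowerShell script is an added example, not part of the original topic or of CSG: it reports the root directory's permissions and flags items that carry more than 10 permission entries. The UNC path is a hypothetical placeholder, and counting inherited entries toward the limit is an assumption, because the topic does not say whether they count.

```powershell
# Added example (not Alibaba Cloud code). Run as a domain user who can read
# permissions on the share.
param(
    [string]$SharePath = '\\csg-gateway.example.internal\share1', # hypothetical UNC path
    [int]$MaxEntries   = 10,  # recommended per-item limit from the usage notes
    [int]$Depth        = 1    # Get-ChildItem recursion depth (0 = top-level items only)
)

function Get-AceSummary {
    param([string]$Path, [int]$Limit)
    $rules = @((Get-Acl -LiteralPath $Path -ErrorAction Stop).Access)
    [pscustomobject]@{
        Path       = $Path
        Entries    = $rules.Count   # assumption: inherited entries count too
        Explicit   = @($rules | Where-Object { -not $_.IsInherited }).Count
        OverLimit  = $rules.Count -gt $Limit
        Identities = (@($rules | ForEach-Object { $_.IdentityReference.Value }) |
                      Sort-Object -Unique) -join '; '
    }
}

# Root directory: its permissions are saved on the gateway, so only report them.
Get-AceSummary -Path $SharePath -Limit $MaxEntries |
    Format-List Path, Entries, Identities

# Items below the root: their permissions are stored as OSS object metadata.
$report = Get-ChildItem -LiteralPath $SharePath -Depth $Depth -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_   # keep the item; inside catch, $_ is the error record
        try   { Get-AceSummary -Path $item.FullName -Limit $MaxEntries }
        catch { Write-Warning "Cannot read ACL on $($item.FullName): $($_.Exception.Message)" }
    }

$report | Sort-Object Entries -Descending |
    Format-Table Path, Entries, Explicit, OverLimit -AutoSize

$over = @($report | Where-Object { $_.OverLimit })
if ($over.Count -gt 0) {
    Write-Warning "$($over.Count) item(s) exceed $MaxEntries permission entries."
    exit 1
}
```

When ABE is enabled, the script sees only the items visible to the account that runs it, so run it with an account that has permissions on the whole share to get a complete report.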
Procedure
You can enable Windows permission support for a share only when you create the share.
On the Gateways page of the CSG console, click the ID of the file gateway. On the Shares tab of the gateway details page, click Create.
On the Create Share page, configure the share settings. For more information, see Create a share.
In the Basic Information step, select SMB for Protocol, and configure the two parameters as described in the following table. For more information, see Basic Information.
| Parameter | Description |
| --- | --- |
| Windows Permission Support | Select Yes to enable Windows permission support. Note: This parameter is available only if you set Protocol to SMB. To enable Windows permission support, you must add the gateway to an AD domain first. |
| Access-based Enumeration | Select Yes to enable Windows ABE. After Windows ABE is enabled, users can only view files or directories that they have permissions to manage. Note: This parameter is available only if you set Windows Permission Support to Yes. |
After the share is created, you can click the + icon on the right side of the share name to check whether Windows Permission Support and Access-based Enumeration are enabled.
For more information about how to implement ABE based on Windows permission support, see Enable Windows access-based enumeration.