Enable Windows permission support in CSG - Cloud Storage Gateway

Cloud Storage Gateway provides Windows permission support. After you enable Windows permission support for a Server Message Block (SMB) share, you can use access-based enumeration(ABE) to control the visibility of files and directories based on permissions on these files and directories. This topic describes how to enable Windows permission support.

Prerequisites

A file gateway is created and a cache disk is attached to it. For more information, see Create a file gateway and Attach a cache disk.
An Object Storage Service (OSS) bucket is created. For more information, see Create buckets.
The gateway is added to an Active Directory (AD) domain. For more information, see Configure AD and DNS.

Background information

In a Windows file system, files and directories are visible to users by default, even if the users have no permissions on the files or directories. After Windows permission support is enabled for an SMB share, ABE can be enabled for the share. ABE allows users to see only files and directories on which they are granted permissions.

Usage notes

Take note of the following information when you use Windows permission support in CSG:

When you enable Windows permission support, the permission information about files or directories is stored as the metadata of the corresponding OSS objects.
We recommend that you set no more than 10 permission entries for each file or directory.
By default, the root directory of an SMB is visible to all users. We recommend that you do not change the permissions on the root directory. You can specify permissions to access the top-level directories of the SMB share. Permissions on the root directory are saved on the gateway and cannot be saved as object metadata.

Procedure

Windows permission support can be enabled only when you create an SMB share. Perform the following steps to enable Windows permission support when you create a share.

Log on to the CSG console.
In the upper-left corner of the page, select the region where the file gateway resides.
In the left-side navigation pane, click Gateways. On the page that appears, locate the file gateway and click the ID of the file gateway.
In the left-side navigation pane, click Share. On the Shares page, click Create.
In the Bucket Settings step, configure the parameters and click Next.
Note
For more information about the parameters in the Bucket Settings step, see the Bucket settings parameter table.

In the Basic Information step, select SMB for Protocol, configure the two parameters described in the following table, configure other parameters in the Basic information parameter table, and click Next.

Parameter	Description
Windows Permission Support	Select whether to enable Windows permission support. This parameter is available only when the Protocol parameter is set to SMB. Note To enable Windows permission support, you must add the gateway to an AD domain first.
Access-based Enumeration	Select whether to enable Windows ABE. After Windows ABE is enabled, users can only view files or directories that they have permissions to manage. This parameter is available only when the Windows Permission Support parameter is set to Yes.

In the Confirmation step, verify your settings and click OK.

After the share is created, you can click the + icon on the right side of the share name to check whether Windows Permission Support and Access-based Enumeration are enabled.

For more information about how to implement ABE based on Windows permission support, see Enable Windows access-based enumeration.