Defining access control lists, Managing shares – HP ProLiant DL585 G2 Storage-Server User Manual

Page 64


creating too many shares also has its drawbacks. For example, if it is sufficient to create a single share for user home directories, create a “homes” share rather than creating separate shares for each user. By keeping the number of shares and other resources low, the performance of the storage server is optimized. For example, instead of sharing out each individual user's home directory as its own share, share out the top-level directory and let the users map personal drives to their own subdirectory.

Defining Access Control Lists

The Access Control List (ACL) contains the information that dictates which users and groups have access to a share, as well as the type of access that is permitted. Each share on an NTFS file system has one ACL with multiple associated user permissions. For example, an ACL can define that User1 has read and write access to a share, User2 has read only access, and User3 has no access to the share. The ACL also includes group access information that applies to every user in a configured group. ACLs are also referred to as permissions.

Integrating local file system security into Windows domain environments

ACLs include properties specific to users and groups from a particular workgroup server or domain environment. In a multidomain environment, user and group permissions from several domains can apply to files stored on the same device. Users and groups local to the storage server can be given access permissions to shares managed by the device. The domain name of the storage server supplies the context in which the user or group is understood. Permission configuration depends on the network and domain infrastructure where the server resides.

File-sharing protocols (except NFS) supply a user and group context for all connections over the network. (NFS supplies a machine-based context.) When new files are created by those users or machines, the appropriate ACLs are applied.

Configuration tools provide the ability to share permissions out to clients. These shared permissions are propagated into a file system ACL, and when new files are created over the network, the user creating the file becomes the file owner. In cases where a specific subdirectory of a share has different permissions from the share itself, the NTFS permissions on the subdirectory apply instead. This method results in a hierarchical security model where the network protocol permissions and the file permissions work together to provide appropriate security for shares on the device.

NOTE:

Share permissions and file-level permissions are implemented separately. It is possible for files on a file system to have different permissions from those applied to a share. When this situation occurs, the file-level permissions override the share permissions.
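
The single “homes” share with per-user subdirectory permissions described above, as an added PowerShell example that is not part of the HP manual. It assumes a Windows Server release that ships the SmbShare module (newer than the OS on this product), and the path D:\homes, the domain EXAMPLE and the accounts alice and bob are constructed placeholders.

```powershell
# Added example, not from the HP manual. Assumed names: D:\homes, domain
# EXAMPLE, accounts alice and bob (all constructed). Run elevated.
$root   = 'D:\homes'
$domain = 'EXAMPLE'
$users  = 'alice', 'bob'

$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisOnly   = [System.Security.AccessControl.InheritanceFlags]::None
$noProp     = [System.Security.AccessControl.PropagationFlags]::None
$allow      = [System.Security.AccessControl.AccessControlType]::Allow

# Build one allow entry (ACE) for an NTFS ACL.
function New-Rule([string]$Identity,
                  [System.Security.AccessControl.FileSystemRights]$Rights,
                  [System.Security.AccessControl.InheritanceFlags]$Inherit) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $noProp, $allow
}

# Create the folder if needed, stop inheritance from the parent and apply
# the given entries, so the folder's access is exactly what is listed here.
function Set-FolderAcl($Path, $Rules) {
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited entries
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

$adminRules = @(
    (New-Rule 'BUILTIN\Administrators' 'FullControl' $inheritAll),
    (New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' $inheritAll)
)

# Top-level directory: users may enter and list this folder only.
Set-FolderAcl $root ($adminRules +
    (New-Rule 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' $thisOnly))

# Each home directory: only its owner (plus administrators) gets access.
foreach ($u in $users) {
    Set-FolderAcl (Join-Path $root $u) ($adminRules +
        (New-Rule "$domain\$u" 'Modify' $inheritAll))
}

# One share for everyone; the NTFS ACLs above separate the users.
New-SmbShare -Name 'homes' -Path $root `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' -FullAccess 'BUILTIN\Administrators'

# Review both layers: share permissions, then one subdirectory's NTFS ACL.
Get-SmbShareAccess -Name 'homes'
(Get-Acl (Join-Path $root 'alice')).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

Each user then maps a drive to their own subdirectory of the homes share, and reviewing the two outputs side by side shows whether the share layer and the NTFS layer grant what was intended.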

Comparing administrative (hidden) and standard shares

CIFS supports both administrative shares and standard shares.

Administrative shares are shares with a last character of $. Administrative shares are not included in the list of shares when a client browses for available shares on a CIFS server.

Standard shares are shares that do not end in a $ character. Standard shares are listed whenever a CIFS client browses for available shares on a CIFS server.

The storage server supports both administrative and standard CIFS shares. To create an administrative share, end the share name with the $ character when setting up the share. Do not type a $ character at the end of the share name when creating a standard share.

Managing shares

Shares can be managed using the HP Storage Server Management Console. Tasks include:

Creating a new share

Deleting a share


File server management
