Part 1
Use Cases for SLAG:
- Intellectual property protection by auditing and controlling all users' access at the storage level
- Storage for financial services companies, including banking and trading groups
- Government services with separate file storage for individual departments
- Universities protecting all student files
Configuring SLAG in Amazon FSx for NetApp ONTAP
This guide assumes you already have a Storage Virtual Machine (SVM) joined to the Active Directory domain "fsxnad" and an existing SMB share. In this guide the SVM is "fsx" and the volume/share is "vol2_clone".
- Create NTFS Security Descriptor
vserver security file-directory ntfs create -vserver fsx -ntfs-sd sd_slag_demo
- Optimize DACL (remove defaults and add as needed)
When a new security descriptor is created, it includes a set of default DACL entries (shown below). Add or remove DACLs as required.
Check DACL
vserver security file-directory ntfs dacl show
Output:
Vserver: fsx
NTFS Security Descriptor Name: sd_slag_demo

| Account Name | Access Type | Access Rights | Apply To |
| --- | --- | --- | --- |
| BUILTIN\Administrators | allow | full-control | this-folder, sub-folders, files |
| BUILTIN\Users | allow | full-control | this-folder, sub-folders, files |
| CREATOR OWNER | allow | full-control | this-folder, sub-folders, files |
| NT AUTHORITY\SYSTEM | allow | full-control | this-folder, sub-folders, files |
Remove DACLs
For this demo configuration we do not need BUILTIN\Users, BUILTIN\Administrators, or CREATOR OWNER; instead we add a specific AD group that is allowed to access the file system.
vserver security file-directory ntfs dacl remove -vserver fsx -ntfs-sd sd_slag_demo -access-type allow -account builtin\users
vserver security file-directory ntfs dacl remove -vserver fsx -ntfs-sd sd_slag_demo -access-type allow -account builtin\administrators
vserver security file-directory ntfs dacl remove -vserver fsx -ntfs-sd sd_slag_demo -access-type allow -account "creator owner"
Add DACLs
vserver security file-directory ntfs dacl add -vserver fsx -ntfs-sd sd_slag_demo -access-type allow -account "fsxnad\Secured Users"
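As an added check before moving on (example code written for this guide, not part of ONTAP or the original post), the following Python parses the "dacl show" output shown above, flags any account that still holds an allow/full-control entry outside an approved list, and builds the matching "dacl remove" commands. The sample output is constructed to mirror the layout above, and the approved list is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: the layout mirrors the "dacl show" output in this guide.
SAMPLE_DACL_SHOW = """\
Vserver: fsx
NTFS Security Descriptor Name: sd_slag_demo
               Account Name     Access   Access          Apply To
                                Type     Rights
               --------------   -------  -------         -----------
               BUILTIN\\Administrators
                                allow    full-control    this-folder, sub-folders, files
               BUILTIN\\Users    allow    full-control    this-folder, sub-folders, files
               CREATOR OWNER    allow    full-control    this-folder, sub-folders, files
               NT AUTHORITY\\SYSTEM
                                allow    full-control    this-folder, sub-folders, files
"""

# One ACE row: optional account name, then access type, rights and apply-to scope.
ACE_RE = re.compile(r"^\s*(?P<account>.*?)\s*(?P<type>allow|deny)\s+(?P<rights>\S+)\s+(?P<apply>.+?)\s*$")


def parse_dacl_show(text: str) -> List[Dict[str, str]]:
    """Return one dict per ACE; long account names wrap onto a line of their own."""
    aces: List[Dict[str, str]] = []
    pending, in_table = None, False
    for line in text.splitlines():
        if not in_table:
            in_table = bool(re.match(r"^\s*-+\s+-+", line))  # dashed header separator
            continue
        if not line.strip():
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append({"account": m.group("account") or pending, "type": m.group("type"),
                         "rights": m.group("rights"), "apply_to": m.group("apply")})
            pending = None
        else:
            pending = line.strip()  # wrapped account name; its rights follow on the next line
    return aces


def unexpected_full_control(aces: List[Dict[str, str]], approved: List[str]) -> List[str]:
    """Accounts granted allow/full-control that are not on the approved list (assumed input)."""
    ok = {a.lower() for a in approved}
    return sorted(a["account"] for a in aces
                  if a["type"] == "allow" and a["rights"] == "full-control"
                  and a["account"].lower() not in ok)


def remove_commands(vserver: str, sd: str, accounts: List[str]) -> List[str]:
    """Build the ONTAP 'dacl remove' command for each account that must go."""
    return [f'vserver security file-directory ntfs dacl remove -vserver {vserver} '
            f'-ntfs-sd {sd} -access-type allow -account "{acct}"' for acct in accounts]
```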
- Add SACL
Add the auditing configuration for the groups/users:
Audit: delete folders and files
Apply to: the root and all files and folders
Configure the audit to capture the successful delete events for folders and files.
vserver security file-directory ntfs sacl add -vserver fsx -ntfs-sd sd_slag_demo -access-type success -account "fsxnad\Domain Users" -advanced-rights delete-child,delete -apply-to this-folder,sub-folders,files
vserver security file-directory ntfs sacl add -vserver fsx -ntfs-sd sd_slag_demo -access-type success -account "fsxnad\engineering" -advanced-rights delete-child,delete -apply-to this-folder,sub-folders,files
- Create Security Policy
vserver security file-directory policy create -vserver fsx -policy-name slag_policy
- Add Task
The most important parameter is "-access-control slag"; the other possible value is "-access-control file-directory".
⚠️ The "file-directory" value applies the DACL and SACL as regular Windows ACLs and SACLs on the files and folders, overwriting their existing permissions.
vserver security file-directory policy task add -vserver fsx -policy-name slag_policy -path /vol2_clone -access-control slag -security-type ntfs -ntfs-mode propagate -ntfs-sd sd_slag_demo
- Apply Configuration
vserver security file-directory apply -vserver fsx -policy-name slag_policy
- Validate Tasks Status
vserver security file-directory job show
Output:
| Job ID | Name | Vserver | Node | State |
| --- | --- | --- | --- | --- |
| 25 | Fsecurity Apply | fsx | fsxn-000001 | Success |

Description: File Directory Security Apply Job