I've sent this through to the guys at Cutter but thought I'd try to crowd-source an answer too as we have lots of S7000 users on here...
Background: I have a CIFS share called ‘resources’, inside this are folders called ‘staff’ and ‘subjects’. Students have read-only access to ‘subjects’ and deny-all access on ‘staff’. The plan is to enable ABE on this share and add another folder called ‘admin’ that students will also have deny-all permissions on. I need this folder and its contents to be invisible unless a user has permissions on it.
I set up a test share as a proof-of-concept for this and it worked flawlessly, exactly how I expected and wanted it to - i.e. for the folders on which a user doesn't have permissions, or has explicit DENY permissions, the folders aren't visible. However, I’ve just enabled ABE on the ‘resources’ share and expected ‘staff’ to disappear when viewed as a student, but it doesn’t. If I make a new folder in the root of the share on which students have no permissions, they can still see it (even though they get ‘access is denied’ when they try to access it).
Any ideas what the problem is? There are a lot of files in this share, but I was under the impression ABE would still work for the top-level directories in which there aren’t many folders.
EDIT: From an Oracle FAQ -
-CIFS access-based enumeration that permits users to see only those CIFS files to which they have access, allowing users in many-client environments with shallow directory hierarchies to not be overwhelmed with files that they cannot access.
Is this my problem? Can ABE not still work for the top-level directories?
Thanks in advance,
Last edited by Duke; 22nd November 2010 at 04:27 PM.
Can't edit my post so having to reply, but I wanted to put an answer on here in case anyone else gets this.
Try the following - Restart the CIFS service, go to the share, disable ABE and hit apply, then re-enable ABE and hit apply. Fixed it for me, cheers to Tim J @ Oracle and the guys at Cutter for great support as always.
Glad to hear you have it working, I've thought about ABE a few times but never been bothered to try it yet. Maybe when I get my 7120 in and start moving stuff onto it I'll give it a go then.
It's actually really nice. In theory it's no more secure than standard Windows ACLs, but I find in a school environment it offers a bit more security-through-obscurity which is always a plus. I find if people can't see the file/folder then there's no temptation to try to get into it.
There doesn't appear to be any disk or processor overhead from turning it on so no reason not to in a CIFS environment.