SMB File Gateway Joined to Domain - Permissions

Question

I've just joined our File Gateway to domain. The idea is to have some folders inside a Bucket and assign each one permissions to certain users, but I think it's not possible.  
  
The allow/deny access to file shares, only works at root level? There's not granular permissions? If a users acess a file share, will he have full control on every folder this bucket has?  
  
If I want to have several folders (for example, to separate departments of a company), must I create one Bucket for each department and get one file share to each Bucket? It's the only way I think is possible to have separated folders, each one with different access permissions.  
  
Thanks in advance.  
  
Edited by: melanina896 on May 9, 2019 6:17 PM

Accepted Answer

1. Before we launched this feature, the permissions you could assign to individual files and folders in your file share were very limited. You could've changed say the user who own's the file to get read-only or read-write permissions. And now from what you're describing you can assign permissions to different users and groups on those files and folders in your file share.   
  
2. To enable this feature I suggest using the UpdatedSMBFileShare API, pass your file share ARN and SMBACLEnabled: True  
  
https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_UpdateSMBFileShare.html  
{  
"FileShareArn": "arn:aws:storagegateway:us-east-2:111122223333:share/share-YYYYYYY",  
"SMBACLEnabled": "true",  
}  
  
In general to run APIs, you will need to get credentials. Details can be found here: https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html

Answer

Hi, You'll be pleased to know that we just launched support for ACLs on the file gateway. So now you can have different folders in your bucket (marketing, common, finance, etc)  and use the exported SMB file share after enabling ACLs to set Windows ownership and permissions for individual users and groups (up to 10) on those folders.  
  
Please refer to the announcement for more details and it also points you to the link in our user guide with instructions to enable ACLs: https://forums.aws.amazon.com/ann.jspa?annID=6801

Answer

Hi! Thanks @smithaAWS, it's great to know that.  
  
Just for being sure, I want to ask:  
  
a. Without this feature, is it impossible to grant permissions to individual folders on a Bucket using SMB File Gateway joined to domain? I mean, until today it was impossible?  
  
b. Is there any detailed guide for using this feature? I don't know how to access the UpdateSMBFileShare APi.  
  
Thanks so much.

Answer

Just applied update-smb-file-share and it's working great.  
Now I can assign permissions to my domain users from folder's properties.  
  
I have only one question:  
  
Which is the best way to prevent users (with access to file share) to add permissions for another users? Any user that has access to the file share can modify permissions, even his own permissions.  
  
Thanks you so much.

SMB File Gateway Joined to Domain - Permissions

관련 콘텐츠