Log in with a username and storage account key on a machine that has line-of-sight to the domain controller, and give some users (or groups) permission to edit permissions on the root of the file share.One-time username/storage account key setup: Log in with username and storage account key every time: Anytime you want to configure ACLs, mount the file share by using your storage account key on a machine that has line-of-sight to the domain controller. There are two approaches you can take to configuring and editing Windows ACLs: NT AUTHORITY\Authenticated Users:(OI)(CI)(M)įor more information on these advanced permissions, see the command-line reference for icacls. The following permissions are included on the root directory of a file share: If there are ACLs assigned to CREATOR OWNER on that object, then the user that is the owner of this object has the permissions to the object defined by the ACL. It is included in the root directory to be consistent with Windows Files Server experience for hybrid scenarios.Īll users in AD that can get a valid Kerberos token.Įach object either directory or file has an owner for that object. Such service account doesn't apply in Azure Files context. The service account of the operating system of the file server. For Azure Files, there isn't a hosting server, hence BUILTIN\Users includes the same set of users as NT AUTHORITY\Authenticated Users. For a traditional file server, you can configure the membership definition per server. It includes NT AUTHORITY\Authenticated Users by default. This group is empty, and no one can be added to it.īuilt-in security group representing users of the file server. Usersīuilt-in security group representing administrators of the file server. Modify, Read, Write, Edit (Change permissions), ExecuteĪzure Files supports the full set of basic and advanced Windows ACLs. Storage File Data SMB Share Elevated Contributor Share-level permission (built-in role)įull control, Modify, Read, Write, Execute If you're using Azure Storage Explorer, you'll also need the Reader and Data Access role in order to read/access the file share. The following table contains the Azure RBAC permissions related to this configuration. Premium file shares (FileStorage), LRS/ZRS If you're using Azure Active Directory Domain Services (Azure AD DS), then the client machine must have line-of-sight to the domain controllers for the domain that's managed by Azure AD DS, which are located in Azure. If you're authenticating with Azure Files using Active Directory Domain Services (AD DS) or Azure Active Directory Kerberos (Azure AD Kerberos) for hybrid identities, this means you'll need line-of-sight to the on-premises AD. To configure Windows ACLs, you'll need a client machine running Windows that has line-of-sight to the domain controller. The same would be true if it was reversed: if a user had read/write access at the share-level, but only read at the file-level, they can still only read the file. For example, if a user has read/write access at the file level, but only read at a share level, then they can only read that file. While share-level permissions act as a high-level gatekeeper that determines whether a user can access the share, Windows ACLs operate at a more granular level to control what operations the user can do at the directory or file level.īoth share-level and file/directory-level permissions are enforced when a user attempts to access a file/directory, so if there's a difference between either of them, only the most restrictive one will be applied. Before you begin this article, make sure you've read Assign share-level permissions to an identity to ensure that your share-level permissions are in place with Azure role-based access control (RBAC).Īfter you assign share-level permissions, you can configure Windows access control lists (ACLs), also known as NTFS permissions, at the root, directory, or file level.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |