SMB Share Access Control

The SMB server uses the following access-control mechanisms to limit access to data shared by using SMB:

  • Host-based access control limits access to shares based on which client system is making the request.

  • Share ACLs limit user and group access to shares.

  • File and directory ACLs limit user and group access to individual files and directories.

Host-based access control is applied first and grants or denies access to the client system. If the client system is granted access, the share ACL is then applied to grant or deny access to the user. Finally, the individual file and directory ACLs are consulted. You can access data shared by using SMB only if all three access-control mechanisms allow the access.
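The evaluation order described above, modeled as an added example (not code from the SMB server or its documentation) that reports which layer denied a request. The rule formats, addresses, user and group names are constructed, and the first-match ACL semantics are a simplifying assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy. Simplified model (assumption): a host rule maps a
# network to the operations its clients may perform, and an ACL is an ordered
# list of (allow|deny, principal, operations) entries.
SHARE = {
    "host_rules": [("10.0.9.0/24", set()),               # quarantined subnet
                   ("10.0.0.0/16", {"read", "write"}),
                   ("192.168.5.0/24", {"read"})],
    "share_acl": [("deny", "group:contractors", {"write"}),
                  ("allow", "everyone", {"read", "write"})],
    "file_acls": {"/reports/q1.txt": [("allow", "user:alice", {"read", "write"}),
                                      ("allow", "group:staff", {"read"})]},
}

def host_allows(rules, client_ip, op):
    """First network containing the client decides; unlisted clients are denied."""
    addr = ip_address(client_ip)
    for net, ops in rules:
        if addr in ip_network(net):
            return op in ops
    return False

def acl_allows(acl, user, groups, op):
    """First entry naming both the principal and the operation decides."""
    principals = {"everyone", f"user:{user}"} | {f"group:{g}" for g in groups}
    for kind, who, ops in acl:
        if who in principals and op in ops:
            return kind == "allow"
    return False  # no matching entry: deny

def check_access(share, client_ip, user, groups, path, op):
    """Apply host, share, then file checks; return (allowed, denying_layer)."""
    if not host_allows(share["host_rules"], client_ip, op):
        return False, "host"
    if not acl_allows(share["share_acl"], user, groups, op):
        return False, "share"
    if not acl_allows(share["file_acls"].get(path, []), user, groups, op):
        return False, "file"
    return True, None

if __name__ == "__main__":
    for ip, user, groups, op in [("10.0.1.5", "alice", ["staff"], "write"),
                                 ("10.0.9.7", "alice", ["staff"], "read"),
                                 ("10.0.1.5", "bob", ["staff", "contractors"], "write"),
                                 ("10.0.1.5", "carol", ["staff"], "write")]:
        print(ip, user, op, check_access(SHARE, ip, user, groups, "/reports/q1.txt", op))
```

When a user reports a denial, the returned layer name tells you which of the three configurations to inspect first.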

Shares are always created with the default share ACL and, unless otherwise specified when the share is created, default host-based access control. You can apply non-default share ACLs to the share after the share is created.