On Wed, Sep 09, 2009 at 07:34:24AM +0200, Borzenkov, Andrey wrote:
If you do not trust domain administrators, remove them from local administrators group on filer and/or implement finer grained role restrictions.
But this does not soleve the problem methinks. I want them to be able to set up shares in the volumes they need to. I just do not want them to be able to set up shares to oracle databases on the same filer.
One solution would be virtual filers (forget the name of that feature for the monent). Then I could have the oracle volumes on seperate virtual filers to the shares. But thats a lot of bother.
Regards, pdg
--
See mail headers for contact information.
On Sep 8, 2009, at 11:12 PM, Peter D. Gray wrote:
One solution would be virtual filers (forget the name of that feature for the monent). Then I could have the oracle volumes on seperate virtual filers to the shares. But thats a lot of bother.
This is one of the reasons why we use vfilers via Multistore. It is particularly handy when a filer is serving many protocols and privileges need to be delegated.
-=--=- gerald villabroza <geraldv at stanford.edu> technical lead, its storage, stanford university
MultiStore is the correct solution. Although just as a side commentary, if you really can't trust your admins, you've got security problems far beyond what software can help solve.
-- Adam Fox Systems Engineer adamfox@netapp.com
-----Original Message----- From: Peter D. Gray [mailto:pdg@uow.edu.au] Sent: Wednesday, September 09, 2009 2:13 AM To: toasters@mathworks.com Subject: Re: restrict access to volumes to particular protocols
On Wed, Sep 09, 2009 at 07:34:24AM +0200, Borzenkov, Andrey wrote:
If you do not trust domain administrators, remove them from local
administrators group on filer and/or implement finer grained role restrictions.
But this does not soleve the problem methinks. I want them to be able to set up shares in the volumes they need to. I just do not want them to be able to set up shares to oracle databases on the same filer.
One solution would be virtual filers (forget the name of that feature for the monent). Then I could have the oracle volumes on seperate virtual filers to the shares. But thats a lot of bother.
Regards, pdg
--
See mail headers for contact information.
-
Fox, Adam -
Gerald Villabroza -
Peter D. Gray