

# Managing FSx for ONTAP storage virtual machines
<a name="managing-svms"></a>

In FSx for ONTAP, volumes are hosted on virtual file servers called storage virtual machines (SVMs). An SVM is an isolated file server with its own administrative credentials and endpoints for administering and accessing data. When you access data in FSx for ONTAP, your clients and workstations mount a volume, SMB share, or iSCSI LUN hosted by an SVM using the SVM's endpoint (IP address).

Amazon FSx automatically creates a default SVM on your file system when you create a file system using the AWS Management Console. You can create additional SVMs on your file system at any time using the console, AWS CLI, or Amazon FSx API and SDKs. You cannot create SVMs using the ONTAP CLI or REST API.

You can join your SVMs to a Microsoft Active Directory for file access authentication and authorization. For more information, see [Working with Microsoft Active Directory in FSx for ONTAP](ad-integration-ontap.md).

## Maximum number of SVMs per file system
<a name="max-svms"></a>

The following table lists the maximum number of SVMs that you can create for a file system. The maximum number of SVMs depends on the amount of throughput capacity provisioned in megabytes per second (MBps), and also on the file system's [network type](manage-network-type.md).

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/managing-svms.html)

**Topics**
+ [Maximum number of SVMs per file system](#max-svms)
+ [Creating storage virtual machines (SVM)](creating-svms.md)
+ [Updating storage virtual machines (SVM)](updating-svms.md)
+ [Managing SVM Microsoft Active Directory configurations](manage-svm-ad-config-secrets-manager.md)
+ [Auditing file access](file-access-auditing.md)
+ [Setting up an SMB server in a workgroup](smb-server-workgroup-setup.md)
+ [Monitoring storage virtual machine (SVM) configuration details](viewing-svms.md)
+ [Deleting storage virtual machines (SVM)](deleting-svms.md)

# Creating storage virtual machines (SVM)
<a name="creating-svms"></a>

You can create an FSx for ONTAP SVM using the AWS Management Console, AWS CLI, and API.

The maximum number of SVMs you can create for a file system depends on your file system's deployment type, network type, and the amount of throughput capacity provisioned. For more information, see [Maximum number of SVMs per file system](managing-svms.md#max-svms).

## SVM properties
<a name="svm-properties"></a>

When creating an SVM, you define the following properties:
+ The FSx for ONTAP file system to which it belongs.
+ The Microsoft Active Directory (AD) configuration – You can optionally join your SVM to a self-managed AD for authentication and access control of Windows and macOS clients. For more information, see [Working with Microsoft Active Directory in FSx for ONTAP](ad-integration-ontap.md).
+ The root volume security style – Set the root volume security style (Unix or NTFS) to align with the type of clients that you're using to access your data within the SVM. For more information, see [Volume security style](managing-volumes.md#volume-security-style).
+ The SVM administrative password – you can optionally set the password for the SVM's `vsadmin` user. For more information, see [Managing SVMs with the ONTAP CLI](managing-resources-ontap-apps.md#vsadmin-ontap-cli).<a name="create-svm-console"></a>

**To create a storage virtual machine (console)**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. In the left navigation pane, choose **Storage virtual machines**.

1. Choose **Create new storage virtual machine**.

1. For **File system**, choose the file system to create the storage virtual machine on.

1. In the **Storage virtual machine name** field, provide a name for the storage virtual machine. You can use a maximum of 47 alphanumeric characters, plus the underscore (`_`) special character.

1. For **SVM administrative password**, you can optionally choose **Specify a password** and provide a password for this SVM's `vsadmin` user. You can use the `vsadmin` user to administer the SVM using the ONTAP CLI or REST API. For more information about the `vsadmin` user, see [Managing SVMs with the ONTAP CLI](managing-resources-ontap-apps.md#vsadmin-ontap-cli).

   If you choose **Don't specify a password** (the default), you can still use the file system's `fsxadmin` user to manage your file system using the ONTAP CLI or REST API, but you can't use your SVM's `vsadmin` user to do the same.

1. For **Active Directory**, you have the following options:
   + If you are not joining your file system to an Active Directory (AD), choose **Do not join an Active Directory**.
   + If you are joining your SVM to a self-managed AD domain, choose **Join an Active Directory**, and provide the following details for your AD. For more information, see [Prerequisites for joining an SVM to a self-managed Microsoft AD](self-manage-prereqs.md).
     + The NetBIOS name of the Active Directory computer object to create for your SVM. The NetBIOS name cannot exceed 15 characters. This is the name of this SVM in Active Directory.
     + The fully qualified domain name (FQDN) of your Active Directory. The FQDN cannot exceed 255 characters.
     + **DNS server IP addresses** – The IPv4 or IPv6 addresses of the DNS servers for your domain.
     + **Service account credentials** – Choose how to provide your service account credentials:
       + **Option 1**: AWS Secrets Manager secret ARN - The secret containing the username and password for a service account on your Active Directory domain. For more information, see [Storing Active Directory credentials using AWS Secrets Manager](self-managed-AD-best-practices.md#bp-store-ad-creds-using-secret-manager).
       + **Option 2**: Plaintext credentials
         + **Service account username** – The user name of the service account in your existing Microsoft Active Directory. Don't include a domain prefix or suffix. For example, for `EXAMPLE\ADMIN`, use only `ADMIN`.
         + **Service account password** – The password for the service account.
         + **Confirm password** – The password for the service account.
     + (Optional) **Organizational Unit (OU)** – The distinguished path name of the organizational unit to which you want to join your file system.
     + **Delegated file system administrators group** – The name of the group in your AD that can administer your file system.

       If you are using AWS Managed Microsoft AD, you must specify a group such as AWS Delegated FSx Administrators, AWS Delegated Administrators, or a custom group with delegated permissions to the OU.

       If you are joining to a self-managed AD, use the name of the group in your AD. The default group is `Domain Admins`.

1. For **SVM root volume security style**, choose the security style for the SVM depending on the type of clients that access your data. Choose **Unix (Linux)** if you primarily access your data using Linux clients; choose **NTFS** if you primarily access your data using Windows clients. For more information, see [Volume security style](managing-volumes.md#volume-security-style).

1. Choose **Confirm** to create the storage virtual machine.

You can monitor the creation progress on the **File systems** detail page, in the **Status** column of the **Storage virtual machines** pane. The storage virtual machine is ready for use when its status is **Created**.

## To create a storage virtual machine (CLI)
<a name="create-svm-cli"></a>
+ To create an FSx for ONTAP storage virtual machine (SVM), use the [create-storage-virtual-machine](https://docs.aws.amazon.com/cli/latest/reference/fsx/create-storage-virtual-machine.html) CLI command (or the equivalent [CreateStorageVirtualMachine](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateStorageVirtualMachine.html) API operation), as shown in the following example. The `--active-directory-configuration` value uses AWS CLI shorthand syntax and must be passed as a single argument, so it is wrapped in single quotes here.

  ```
  aws fsx create-storage-virtual-machine \
      --file-system-id fs-0123456789abcdef0 \
      --name svm1 \
      --svm-admin-password password \
      --active-directory-configuration 'NetBiosName=amznfsx12345,SelfManagedActiveDirectoryConfiguration={DomainName="corp.example.com",OrganizationalUnitDistinguishedName="OU=FileSystems,DC=corp,DC=example,DC=com",FileSystemAdministratorsGroup="FSxAdmins",UserName="FSxService",Password="password",DnsIps=["10.0.1.18"]}'
  ```

  Both the `vsadmin` password and the AD service account password are passed in plaintext on the command line in this example for illustration only. On a shared host they are written to the shell history and are visible in the process list while the command runs, so prefer supplying the service account credentials through a Secrets Manager secret (see the console procedure above) and treat any password that has been passed this way as one to rotate.

After successfully creating the storage virtual machine, Amazon FSx returns its description in JSON format, as shown in the following example.

```
{
  "StorageVirtualMachine": {
    "CreationTime": 1625066825.306,
    "Endpoints": {
      "Management": {
        "DnsName": "svm-abcdef0123456789a.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com",
        "IpAddresses": ["198.19.0.4"]
      },
      "Nfs": {
        "DnsName": "svm-abcdef0123456789a.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com",
        "IpAddresses": ["198.19.0.4"]
      },
      "Smb": {
        "DnsName": "amznfsx12345",
        "IpAddresses": ["198.19.0.4"]
      },
      "SmbWindowsInterVpc": {
        "IpAddresses": ["198.19.0.5", "198.19.0.6"]
      },
      "Iscsi": {
        "DnsName": "iscsi.svm-abcdef0123456789a.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com",
        "IpAddresses": ["198.19.0.7", "198.19.0.8"]
      }
    },
    "FileSystemId": "fs-0123456789abcdef0",
    "Lifecycle": "CREATING",
    "Name": "svm1",
    "ResourceARN": "arn:aws:fsx:us-east-1:123456789012:storage-virtual-machine/fs-0123456789abcdef0/svm-abcdef0123456789a",
    "StorageVirtualMachineId": "svm-abcdef0123456789a",
    "Subtype": "DEFAULT",
    "Tags": [],
    "ActiveDirectoryConfiguration": {
      "NetBiosName": "amznfsx12345",
      "SelfManagedActiveDirectoryConfiguration": {
        "UserName": "FSxService",
        "DnsIps": [
          "10.0.1.18"
        ],
        "OrganizationalUnitDistinguishedName": "OU=FileSystems,DC=corp,DC=example,DC=com",
        "DomainName": "corp.example.com"
      }
    }
  }
}
```

Note that the response is returned while the SVM is still `CREATING`; the SVM is usable only once a subsequent `describe-storage-virtual-machines` call reports `Lifecycle` as `CREATED`. The `FAILED` and `MISCONFIGURED` states mean the request or the AD join did not succeed and won't resolve on their own.
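The following script is an added example, not AWS documentation code, that does the same creation through boto3 while keeping the `vsadmin` password off the command line: it reads the password from a Secrets Manager secret and then polls `DescribeStorageVirtualMachines` until the SVM leaves `CREATING`, raising on the `FAILED` and `MISCONFIGURED` states. The secret name `fsx/svm1/vsadmin`, the file system ID and the region are assumptions, and the Active Directory join is omitted to keep the request minimal. The two helpers are pure so they can be exercised against a stub client.

```python
"""Create an FSx for ONTAP SVM with boto3 and wait for it to become usable.

Added example, not AWS documentation code. Assumptions: boto3 is installed
and AWS credentials are configured; a Secrets Manager secret (assumed name
"fsx/svm1/vsadmin") holds the vsadmin password as its SecretString; the
file system ID below is a placeholder. No Active Directory join is requested.
"""
import time

# Lifecycle values returned by DescribeStorageVirtualMachines.
# CREATING resolves to CREATED; FAILED and MISCONFIGURED do not recover on their own.
TERMINAL_FAILURE = {"FAILED", "MISCONFIGURED"}


def build_create_request(file_system_id, name, admin_password, tags=None):
    """Build the CreateStorageVirtualMachine request.

    Pure function so the request shape can be checked without AWS. The name
    rule (1-47 characters, alphanumerics and underscore) is the one stated in
    the console procedure; failing here is cheaper than an API round trip.
    """
    if not 0 < len(name) <= 47 or not name.replace("_", "").isalnum():
        raise ValueError("SVM name must be 1-47 alphanumeric or underscore characters")
    request = {
        "FileSystemId": file_system_id,
        "Name": name,
        "SvmAdminPassword": admin_password,
    }
    if tags:
        request["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return request


def wait_until_created(fsx, svm_id, poll_seconds=15, timeout_seconds=1800, sleep=time.sleep):
    """Poll until the SVM is CREATED and return its description.

    `fsx` only needs a describe_storage_virtual_machines method, so a stub can
    replace the boto3 client in tests; `sleep` is injectable for the same reason.
    Raises RuntimeError for FAILED/MISCONFIGURED (with the API's
    LifecycleTransitionReason message) and TimeoutError if CREATING persists.
    """
    waited = 0
    while True:
        response = fsx.describe_storage_virtual_machines(StorageVirtualMachineIds=[svm_id])
        svm = response["StorageVirtualMachines"][0]
        state = svm["Lifecycle"]
        if state == "CREATED":
            return svm
        if state in TERMINAL_FAILURE:
            reason = svm.get("LifecycleTransitionReason", {}).get("Message", "no reason given")
            raise RuntimeError(f"{svm_id} is {state}: {reason}")
        if waited >= timeout_seconds:
            raise TimeoutError(f"{svm_id} still {state} after {timeout_seconds} seconds")
        sleep(poll_seconds)
        waited += poll_seconds


def create_svm(file_system_id, name, secret_id, region_name="us-east-1"):
    """Fetch the vsadmin password from Secrets Manager, create the SVM, wait for it."""
    import boto3  # imported here so the helpers above stay importable without boto3

    session = boto3.session.Session(region_name=region_name)
    secrets = session.client("secretsmanager")
    fsx = session.client("fsx")

    password = secrets.get_secret_value(SecretId=secret_id)["SecretString"]
    response = fsx.create_storage_virtual_machine(
        **build_create_request(file_system_id, name, password)
    )
    svm_id = response["StorageVirtualMachine"]["StorageVirtualMachineId"]
    svm = wait_until_created(fsx, svm_id)
    # vsadmin logs in to the management endpoint; NFS/SMB/iSCSI endpoints are for data.
    return svm_id, svm["Endpoints"]["Management"]["DnsName"]


if __name__ == "__main__":
    print(create_svm("fs-0123456789abcdef0", "svm1", "fsx/svm1/vsadmin"))
```

The IAM principal running this needs `fsx:CreateStorageVirtualMachine`, `fsx:DescribeStorageVirtualMachines` and `secretsmanager:GetSecretValue` on that one secret; scoping the secret permission to the SVM's secret rather than `*` is what keeps the password from being readable by every automation role.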

# Updating storage virtual machines (SVM)
<a name="updating-svms"></a>

You can update the following storage virtual machine (SVM) configuration properties using the Amazon FSx console, AWS CLI, and Amazon FSx API:
+ SVM administrative account password.
+ SVM Active Directory (AD) configuration – You can join an SVM to an AD, or modify the AD configuration of an SVM already joined to an AD. For more information, see [Managing SVM Microsoft Active Directory configurations](manage-svm-ad-config-secrets-manager.md).<a name="update-svm-admin-credentials-console"></a>

**To update the SVM administrator account credentials (console)**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Choose the SVM to update as follows:
   + In the left navigation pane, choose **File systems**, and then choose the ONTAP file system for which you want to update an SVM.
   + Choose the **Storage virtual machines** tab.

     –Or–
   + To display a list of all the SVMs available in your AWS account in the current AWS Region, expand **ONTAP** and choose **Storage virtual machines**.

1. Choose the storage virtual machine that you want to update.

1. Choose **Actions > Update administrator password**. The **Update SVM administrative credentials** window appears.

1. Enter the new password for the `vsadmin` user, and confirm it.

1. Choose **Update credentials** to save the new password.

**To update the SVM administrator account credentials (CLI)**
+ To update the configuration of an FSx for ONTAP SVM, use the [update-storage-virtual-machine](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-storage-virtual-machine.html) CLI command (or the equivalent [UpdateStorageVirtualMachine](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateStorageVirtualMachine.html) API operation), as shown in the following example.

  ```
  aws fsx update-storage-virtual-machine \
      --storage-virtual-machine-id svm-abcdef01234567890 \
      --svm-admin-password new-svm-password
  ```

  A password given directly on the command line is recorded in the shell history. To keep it out, pass `file://path` as the value so the AWS CLI reads the password from a local file (make sure the file has no trailing newline, because the file contents are used verbatim), and restrict the file's permissions to the user running the command.

After successfully updating the storage virtual machine, Amazon FSx returns its updated description in JSON format, as shown in the following example.

```
{
  "StorageVirtualMachine": {
    "CreationTime": 1625066825.306,
    "Endpoints": {
      "Management": {
        "DnsName": "svm-abcdef01234567890.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com",
        "IpAddresses": ["198.19.0.4"]
      },
      "Nfs": {
        "DnsName": "svm-abcdef01234567890.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com",
        "IpAddresses": ["198.19.0.4"]
      },
      "Smb": {
        "DnsName": "amznfsx12345",
        "IpAddresses": ["198.19.0.4"]
      },
      "SmbWindowsInterVpc": {
        "IpAddresses": ["198.19.0.5", "198.19.0.6"]
      },
      "Iscsi": {
        "DnsName": "iscsi.svm-abcdef01234567890.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com",
        "IpAddresses": ["198.19.0.7", "198.19.0.8"]
      }
    },
    "FileSystemId": "fs-0123456789abcdef0",
    "Lifecycle": "CREATED",
    "Name": "svm1",
    "ResourceARN": "arn:aws:fsx:us-east-1:123456789012:storage-virtual-machine/fs-0123456789abcdef0/svm-abcdef01234567890",
    "StorageVirtualMachineId": "svm-abcdef01234567890",
    "Subtype": "DEFAULT",
    "Tags": [],
    "ActiveDirectoryConfiguration": {
      "NetBiosName": "amznfsx12345",
      "SelfManagedActiveDirectoryConfiguration": {
        "UserName": "Admin",
        "DnsIps": [
          "10.0.1.3",
          "10.0.91.97"
        ],
        "OrganizationalUnitDistinguishedName": "OU=Computers,OU=customer-ad,DC=customer-ad,DC=example,DC=com",
        "DomainName": "customer-ad.example.com"
      }
    }
  }
}
```
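Changing the `vsadmin` password on the SVM is only half of a rotation; whatever holds the password for automation has to change in step, and in an order that never leaves the only copy of a live password in a process that can crash. The following script is an added example, not AWS documentation code, that rotates the password the way Secrets Manager's own rotation model does: stage the new value as `AWSPENDING`, apply it to the SVM with `UpdateStorageVirtualMachine`, then promote that version to `AWSCURRENT`. If the FSx update fails, the old password is still current in both places. The secret name `fsx/svm1/vsadmin`, the SVM ID and the region are assumptions, and the clients are passed in so stubs can stand in for boto3.

```python
"""Rotate an SVM's vsadmin password and keep Secrets Manager in step with it.

Added example, not AWS documentation code. Assumptions: boto3 is installed
and credentials are configured; the secret (assumed name "fsx/svm1/vsadmin")
already exists with an AWSCURRENT version holding the old password; the SVM
ID is a placeholder.
"""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!%+-=_.:"
PASSWORD_LENGTH = 32  # SvmAdminPassword accepts 8-50 characters


def generate_password(length=PASSWORD_LENGTH, rng=secrets):
    """Return a random password drawn from a CSPRNG (the secrets module, never random)."""
    if not 8 <= length <= 50:
        raise ValueError("SvmAdminPassword must be 8-50 characters")
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def rotate_vsadmin_password(fsx, sm, svm_id, secret_id, new_password=None):
    """Stage -> apply -> promote. Returns the new secret version ID.

    `fsx` and `sm` are boto3 clients (or stubs with the same methods).
    """
    new_password = new_password or generate_password()

    # 1. Stage: record the candidate as AWSPENDING. From here on it is
    #    recoverable from Secrets Manager even if this process dies.
    current = sm.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    pending = sm.put_secret_value(SecretId=secret_id, SecretString=new_password,
                                  VersionStages=["AWSPENDING"])

    # 2. Apply: change the password on the SVM. If this raises, AWSCURRENT
    #    still holds the old password, which is still the one the SVM accepts.
    fsx.update_storage_virtual_machine(StorageVirtualMachineId=svm_id,
                                       SvmAdminPassword=new_password)

    # 3. Promote: move AWSCURRENT to the new version. Secrets Manager moves
    #    AWSPREVIOUS to the version the label was removed from.
    sm.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                   MoveToVersionId=pending["VersionId"],
                                   RemoveFromVersionId=current["VersionId"])
    return pending["VersionId"]


if __name__ == "__main__":
    import boto3

    session = boto3.session.Session(region_name="us-east-1")
    print(rotate_vsadmin_password(session.client("fsx"), session.client("secretsmanager"),
                                  "svm-abcdef01234567890", "fsx/svm1/vsadmin"))
```

Anything that logs in as `vsadmin` over the ONTAP CLI or REST API should read the secret's `AWSCURRENT` version at connect time rather than caching the password, otherwise it breaks at the next rotation.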

# Managing SVM Microsoft Active Directory configurations
<a name="manage-svm-ad-config-secrets-manager"></a>

You can join an SVM to Microsoft Active Directory or modify the Microsoft Active Directory configuration of an SVM that's already joined to Microsoft Active Directory. FSx for ONTAP integrates with AWS Secrets Manager to securely manage your domain join service account credentials.<a name="update-svm-ad-config-console"></a>

**To update SVM Microsoft Active Directory configuration (console)**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Choose the SVM to update as follows:
   + In the left navigation pane, choose **File systems**, and then choose the ONTAP file system for which you want to update an SVM.
   + Choose the **Storage virtual machines** tab.

     –Or–
   + To display a list of all the SVMs available in your AWS account in the current AWS Region, expand **ONTAP** and choose **Storage virtual machines**.

1. Choose the storage virtual machine that you want to update.

1. Choose **Actions > Update Microsoft Active Directory configuration**. The **Update Microsoft Active Directory configuration** window appears.

1. For **Domain join service account credentials**, choose **Managed in Secrets Manager** (recommended) to use Secrets Manager for secure credential management.
**Note**  
Using Secrets Manager eliminates the need to store plaintext credentials and provides centralized credential management. For more information, see [Storing Active Directory credentials using AWS Secrets Manager](self-managed-AD-best-practices.md#bp-store-ad-creds-using-secret-manager).

1. For **Secret**, choose an existing secret from Secrets Manager that contains your updated domain join service account credentials, or choose **Create new secret** to create one.

1. Update other Microsoft Active Directory configuration fields as needed for your environment.

1. Choose **Update configuration** to save the changes.

**To update SVM Microsoft Active Directory configuration (CLI)**
+ To update the Microsoft Active Directory configuration of an FSx for ONTAP SVM, use the [update-storage-virtual-machine](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-storage-virtual-machine.html) CLI command with the `--active-directory-configuration` parameter, as shown in the following example.

  ```
  aws fsx update-storage-virtual-machine \
  --storage-virtual-machine-id svm-abcdef01234567890 \
  --active-directory-configuration DomainJoinServiceAccountSecret=secret-arn
  ```

# Auditing file access
<a name="file-access-auditing"></a>

Amazon FSx for NetApp ONTAP supports auditing of end-user accesses to files and directories in a storage virtual machine (SVM).

**Topics**
+ [File access auditing overview](#auditing-overview)
+ [Overview of tasks for setting up file access auditing](#auditing-tasks)

## File access auditing overview
<a name="auditing-overview"></a>

File access auditing enables you to record end-user accesses of individual files and directories based on audit policies you define. File access auditing can help you improve your system's security and reduce the risk of unauthorized access to your system data. It also helps your organization remain compliant with data protection requirements, identify potential threats early, and reduce the risk of a data breach.

Across file and directory accesses, Amazon FSx supports logging of successful attempts (such as a user with sufficient permissions successfully accessing a file), failed attempts, or both. You can also turn off file access auditing at any time.

By default, audit event logs are stored in the `EVTX` file format, which allows you to view them using Microsoft Event Viewer.

### SMB access events that can be audited
<a name="smb-audited-events"></a>

The following table lists the SMB file and folder access events that can be audited.

| Event ID (EVT/EVTX) | Event | Description | Category | 
| --- | --- | --- | --- | 
|  560/4656  |  Open Object/Create Object  |  OBJECT ACCESS: Object (file or directory) open  |  File Access  | 
|  563/4659  |  Open Object with the Intent to Delete  |  OBJECT ACCESS: A handle to an object (file or directory) was requested with the Intent to Delete  |  File Access  | 
|  564/4660  |  Delete Object  |  OBJECT ACCESS: Delete Object (file or directory). ONTAP generates this event when a Windows client attempts to delete the object (file or directory)  |  File Access  | 
|  567/4663  |  Read Object/Write Object/Get Object Attributes/Set Object Attributes  |  OBJECT ACCESS: Object access attempt (read, write, get attribute, set attribute). For this event, ONTAP audits only the first SMB read and first SMB write operation (success or failure) on an object. This prevents ONTAP from creating excessive log entries when a single client opens an object and performs many successive read or write operations to the same object.  |  File Access  | 
|  N/A/4664  |  Hard link  |  OBJECT ACCESS: An attempt was made to create a hard link  |  File Access  | 
|  N/A/N/A ONTAP Event ID 9999  |  Rename Object  |  OBJECT ACCESS: Object renamed. This is an ONTAP event. It is not currently supported by Windows as a single event.  |  File Access  | 
|  N/A/N/A ONTAP Event ID 9998  |  Unlink Object  |  OBJECT ACCESS: Object unlinked. This is an ONTAP event. It is not currently supported by Windows as a single event.  |  File Access  | 

### NFS access events that can be audited
<a name="nfs-audited-events"></a>

The following NFS file and folder access events can be audited.
+ READ
+ OPEN
+ CLOSE
+ READDIR
+ WRITE
+ SETATTR
+ CREATE
+ LINK
+ OPENATTR
+ REMOVE
+ GETATTR
+ VERIFY
+ NVERIFY
+ RENAME

## Overview of tasks for setting up file access auditing
<a name="auditing-tasks"></a>

Setting up FSx for ONTAP for file access auditing involves the following high-level tasks:

1. [Familiarize yourself](#auditing-requirements) with the file access auditing requirements and considerations.

1. [Create an auditing configuration](#create-audit-config) on a specific SVM.

1. [Enable auditing](#enable-auditing) on that SVM.

1. [Configure audit policies](#file-audit-policies) on your files and directories.

1. [View the audit event logs](#view-audit-logs) after FSx for ONTAP emits them.

Task details are provided in the following procedures.

Repeat the tasks for any other SVM on your file system that you want to enable file access auditing for.

### Auditing requirements
<a name="auditing-requirements"></a>

Before you configure and enable auditing on an SVM, you should be aware of the following requirements and considerations.
+ NFS auditing supports audit Access Control Entries (ACEs), the `U` ACE type in the `nfs4_setfacl` syntax, which generate an audit log entry when access is attempted on the object. For NFS auditing, there is no mapping between mode bits and audit ACEs. When converting ACLs to mode bits, audit ACEs are skipped. When converting mode bits to ACLs, audit ACEs are not generated.
+ Auditing is dependent on having available space in the staging volumes. (A staging volume is a dedicated volume created by ONTAP to store staging files, which are intermediate binary files on individual nodes where audit records are stored prior to conversion to an EVTX or XML file format.) You must ensure that there is sufficient space for the staging volumes in aggregates that contain audited volumes.
+ Auditing is dependent on having available space in the volume containing the directory where converted audit event logs are stored. You must ensure that there is sufficient space in the volumes used to store event logs. You can specify the number of audit logs to retain in the auditing directory by using the `-rotate-limit` parameter when creating an auditing configuration, which can help to ensure that there is enough available space for the audit logs in the volume.

### Creating auditing configurations on SVMs
<a name="create-audit-config"></a>

Before you can begin auditing file and directory events, you must create an auditing configuration on the Storage Virtual Machine (SVM). After you create the auditing configuration, you must enable it on the SVM.

Before you use the `vserver audit create` command to create the auditing configuration, make sure you've created a directory to be used as the destination for logs, and that the directory doesn't have symlinks. You specify the destination directory with the `-destination` parameter.

You can create an auditing configuration that rotates audit logs based on log size or a schedule, as follows:
+ To rotate audit logs based on log size, use this command:

  ```
  vserver audit create -vserver svm_name -destination path [-format {xml|evtx}] [-rotate-limit integer] [-rotate-size {integer[KB|MB|GB|TB|PB]}]
  ```

  The following example creates an auditing configuration for the SVM named `svm1` that audits file operations and CIFS (SMB) logon and logoff events (the default) using size-based rotation. The log format is `EVTX` (the default), logs are stored in the `/audit_log` directory, and each log file is rotated when it reaches 200 MB. Because `-rotate-limit` isn't set, rotated files aren't removed automatically, so the volume holding `/audit_log` must have room for them.

  ```
  vserver audit create -vserver svm1 -destination /audit_log -rotate-size 200MB
  ```
+ To rotate audit logs based on a schedule, use this command:

  ```
  vserver audit create -vserver svm_name -destination path [-format {xml|evtx}]
          [-rotate-limit integer] [-rotate-schedule-month chron_month]
          [-rotate-schedule-dayofweek chron_dayofweek] [-rotate-schedule-day chron_dayofmonth]
          [-rotate-schedule-hour chron_hour] [-rotate-schedule-minute chron_minute]
  ```

  The `-rotate-schedule-minute` parameter is required if you are configuring time-based audit log rotation.

  The following example creates an auditing configuration for the SVM named `svm2` using time-based rotation. The log format is `EVTX` (the default), and the audit log is rotated at 12:30 PM every day (every month, every day of the week).

  ```
  vserver audit create -vserver svm2 -destination /audit_log -rotate-schedule-month all -rotate-schedule-dayofweek all -rotate-schedule-hour 12 -rotate-schedule-minute 30
  ```

You can use the `-format` parameter to specify whether the audit logs are created in the converted `EVTX` format (the default) or in the `XML` file format. The `EVTX` format allows you to view the log files with Microsoft Event Viewer.

By default, the categories of events to be audited are file access events (both SMB and NFS), CIFS (SMB) logon and logoff events, and authorization policy change events. You can have greater control over which events to log by using the `-events` parameter, which takes one or more of the following values:

```
-events {file-ops|cifs-logon-logoff|cap-staging|file-share|audit-policy-change|user-account|authorization-policy-change|security-group}
```

For example, using `-events file-share` enables auditing of file share events.

For more information on the `vserver audit create` command, see [ Create an audit configuration](https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-9101/vserver__audit__create.html).

### Enabling auditing on an SVM
<a name="enable-auditing"></a>

After you finish setting up the auditing configuration, you must enable auditing on the SVM. To do so, use the following command:

```
vserver audit enable -vserver svm_name
```

For example, use the following command to enable auditing on the SVM named `svm1`.

```
vserver audit enable -vserver svm1
```

You can disable access auditing at any time. For example, use the following command to turn off auditing on the SVM named `svm4`.

```
vserver audit disable -vserver svm4
```

When you disable auditing, the audit configuration isn't deleted on the SVM, which means that you can re-enable auditing on that SVM at any time.

### Configuring file and folder audit policies
<a name="file-audit-policies"></a>

You need to configure audit policies on the files and folders that you want audited for user access attempts. You can configure audit policies to monitor both successful and failed access attempts.

You can configure both SMB and NFS audit policies. SMB and NFS audit policies have different configuration requirements and audit capabilities based on the security style of the volume.

#### Audit policies on NTFS security-style files and directories
<a name="audit-policies-ntfs"></a>

You can configure NTFS audit policies by using the Windows Security tab or the ONTAP CLI.

##### To configure NTFS audit policies (Windows Security tab)
<a name="set-ntfs-audit-policy-windows"></a>

You configure NTFS audit policies by adding entries to NTFS SACLs that are associated with an NTFS security descriptor. The security descriptor is then applied to NTFS files and directories. These tasks are automatically handled by the Windows GUI. The security descriptor can contain discretionary access control lists (DACLs) for applying file and folder access permissions, SACLs for file and folder auditing, or both SACLs and DACLs.

1. From the **Tools** menu in Windows Explorer, select **Map network drive**.

1. Complete the **Map Network Drive** box:

   1. Choose a **Drive** letter.

1. In the **Folder** box, type the name of the SMB (CIFS) server that hosts the share holding the data you want to audit, followed by the name of the share.

   1. Choose **Finish**.

   The drive you selected is mounted and ready with the Windows Explorer window displaying files and folders contained within the share.

1. Select the file or directory for which you want to enable auditing access.

1. Right-click the file or directory, and then choose **Properties**.

1. Choose the **Security** tab.

1. Click **Advanced**.

1. Choose the **Auditing** tab.

1. Perform the desired actions:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/file-access-auditing.html)

   If you are setting up auditing on a user or group or changing auditing on an existing user or group, the **Auditing Entry for *object*** box opens.

1. In the **Apply to** box, select how you want to apply this auditing entry.

   If you are setting up auditing on a single file, the **Apply to** box is not active, as it defaults to This object only.

1. In the **Access** box, select what you want audited and whether you want to audit successful events, failure events, or both.
   + To audit successful events, choose the **Success** box.
   + To audit failure events, choose the **Failure** box.

   Choose the actions that you need to monitor to meet your security requirements. For more information about these auditable events, see your Windows documentation. You can audit the following events:
   + Full control
   + Traverse folder / execute file
   + List folder / read data
   + Read attributes
   + Read extended attributes
   + Create files / write data
   + Create folders / append data
   + Write attributes
   + Write extended attributes
   + Delete subfolders and files
   + Delete
   + Read permissions
   + Change permissions
   + Take ownership

1. If you do not want the auditing setting to propagate to subsequent files and folders of the original container, choose the **Apply these auditing entries to objects and/or containers within this container only** box.

1. Choose **Apply**.

1. After you finish adding, removing, or editing auditing entries, choose **OK**.

   The **Auditing Entry for *object*** box closes.

1. In the **Auditing** box, choose the inheritance settings for this folder. Choose only the minimal level that provides the auditing events that meet your security requirements.

   You can choose one of the following:
   + Choose the **Include inheritable auditing entries from this object's parent** box.
   + Choose the **Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object** box.
   + Choose both boxes.
   + Choose neither box.

   If you are setting SACLs on a single file, the **Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object** box is not present in the **Auditing** box.

1. Choose **OK**.

##### To configure NTFS audit policies (ONTAP CLI)
<a name="set-ntfs-audit-policy-cli"></a>

By using the ONTAP CLI, you can configure NTFS audit policies without needing to connect to the data using an SMB share on a Windows client.
+ You add the audit entries (SACLs) to an NTFS security descriptor by using the [ vserver security file-directory ntfs sacl add](https://docs.netapp.com/us-en/ontap-cli-9101/vserver-security-file-directory-ntfs-sacl-add.html#description) command family. The security descriptor is then bound to a path by a task in a security policy (`vserver security file-directory policy task add`), and the policy is applied to the SVM. A policy with no tasks applies nothing.

For example, the following command creates an empty security policy named `p1` for the SVM named `vs0`.

```
vserver security file-directory policy create -policy-name p1 -vserver vs0
```

After you add tasks that bind your security descriptor to the paths you want audited, the following command applies the `p1` security policy on the `vs0` SVM.

```
vserver security file-directory apply -vserver vs0 -policy-name p1
```

#### Audit policies on UNIX security-style files and directories
<a name="audit-policies-unix"></a>

You configure auditing for UNIX security-style files and directories by adding audit ACEs (access control entries) to NFS v4.x ACLs (access control lists). This allows you to monitor certain NFS file and directory access events for security purposes.

**Note**  
For NFS v4.x, both discretionary and system ACEs are stored in the same ACL. Therefore, you must be careful when adding audit ACEs to an existing ACL to avoid overwriting and losing an existing ACL. The order in which you add the audit ACEs to an existing ACL does not matter.

##### To configure UNIX audit policies
<a name="set-unix-audit-policy"></a>

1. Retrieve the existing ACL for the file or directory by using the `nfs4_getfacl` or equivalent command.

1. Append the desired audit ACEs.

1. Apply the updated ACL to the file or directory by using the `nfs4_setfacl` or equivalent command.

   This example uses the `-a` option to give a user (named `testuser`) read permissions to the file named `file1`.

   ```
   nfs4_setfacl -a "A::testuser@example.com:R" file1
   ```
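The note above warns that audit and discretionary ACEs share one NFSv4 ACL, so an edit that rewrites the ACL can silently drop existing entries. The following added example (written for this page, not taken from the FSx documentation or ONTAP) takes the text that `nfs4_getfacl` prints, merges new audit ACEs into it without touching the existing allow/deny entries, and emits one `nfs4_setfacl -a` command per new entry so the tool appends rather than replaces. The page's own `-a` example adds an allow (`A`) ACE; an audit entry uses type `U` with the `S` (successful access) and `F` (failed access) flags as documented in nfs4_acl(5). The sample ACL, the file name and the principal `testuser@example.com` are constructed for the example.

```python
"""Merge NFSv4 audit ACEs into an existing ACL without dropping entries.

Added example (not part of the FSx documentation). It works on the text
format printed by nfs4_getfacl, one ACE per line as
TYPE:FLAGS:PRINCIPAL:PERMISSIONS. The audit ACE type "U" and the S (audit
successful access) / F (audit failed access) flags are taken from the
nfs4_acl(5) man page; the sample ACL and principal below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of what `nfs4_getfacl file1` prints for a file that
# already carries discretionary (allow) ACEs; these must survive the edit.
SAMPLE_ACL = """\
# file: file1
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
"""


@dataclass(frozen=True)
class Ace:
    ace_type: str   # A = allow, D = deny, U = audit, L = alarm
    flags: str      # e.g. g (group principal), S/F (audit success/failure)
    principal: str  # OWNER@, GROUP@, EVERYONE@ or user@domain
    perms: str      # permission letters, e.g. r, w, x, rwatTnNcCy

    def __str__(self) -> str:
        return f"{self.ace_type}:{self.flags}:{self.principal}:{self.perms}"


def parse_acl(text: str) -> list[Ace]:
    """Parse nfs4_getfacl output, skipping the '# file:' header and blank lines."""
    aces: list[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"malformed ACE: {line!r}")
        aces.append(Ace(*parts))
    return aces


def audit_ace(principal: str, perms: str, on_success: bool = True,
              on_failure: bool = True) -> Ace:
    """Build a type-U (audit) ACE; S and/or F select which outcomes are logged."""
    flags = ("S" if on_success else "") + ("F" if on_failure else "")
    if not flags:
        raise ValueError("an audit ACE needs at least one of S or F")
    return Ace("U", flags, principal, perms)


def merge_audit_aces(existing: list[Ace], new: list[Ace]) -> list[Ace]:
    """Return the existing ACL plus the new audit ACEs.

    Every existing ACE is kept verbatim (so discretionary entries are not
    lost), only type-U entries are accepted, and exact duplicates are skipped.
    """
    merged = list(existing)
    for ace in new:
        if ace.ace_type != "U":
            raise ValueError(f"only audit (U) ACEs may be added here: {ace}")
        if ace not in merged:
            merged.append(ace)
    return merged


def setfacl_commands(new_aces: list[Ace], path: str) -> list[str]:
    """One `nfs4_setfacl -a` per new ACE; -a appends and never replaces the ACL."""
    return [f'nfs4_setfacl -a "{ace}" {path}' for ace in new_aces]


def plan_audit_change(getfacl_output: str, path: str,
                      new_aces: list[Ace]) -> tuple[list[Ace], list[str]]:
    """Return (resulting ACL, shell commands) so the change can be reviewed first."""
    current = parse_acl(getfacl_output)
    merged = merge_audit_aces(current, new_aces)
    added = [ace for ace in merged if ace not in current]
    return merged, setfacl_commands(added, path)


if __name__ == "__main__":
    # Audit both successful and failed reads of file1 by testuser.
    wanted = [audit_ace("testuser@example.com", "r")]
    acl, cmds = plan_audit_change(SAMPLE_ACL, "file1", wanted)
    print("\n".join(str(ace) for ace in acl))
    print("\n".join(cmds))
```

Run `nfs4_getfacl file1` on the NFS client, feed its output to `plan_audit_change`, check the printed ACL still contains every original entry, and only then run the emitted commands. Using `-a` rather than `-s` is deliberate: `-s` replaces the whole ACL with what you pass, which is exactly the overwrite the note warns about.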

### Viewing audit event logs
<a name="view-audit-logs"></a>

You can view audit event logs saved in the `EVTX` or `XML` file formats.
+ `EVTX` file format – You can open the converted `EVTX` audit event logs as saved files using Microsoft Event Viewer.

  There are two options that you can use when viewing event logs using Event Viewer:
  + **General view**: Information that is common to all events is displayed for the event record. The event-specific data for the event record is not displayed. You can use the detailed view to display event-specific data.
  + **Detailed view**: A friendly view and an XML view are available. The friendly view and the XML view display both the information that is common to all events and the event-specific data for the event record.
+ `XML` file format – You can view and process XML audit event logs on third-party applications that support the XML file format. XML viewing tools can be used to view the audit logs provided you have the XML schema and information about definitions for the XML fields.
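The XML format is the one you process programmatically. The following added example (written for this page, not part of the FSx documentation or of ONTAP) parses an exported audit log and summarises failed accesses per subject and every event that touched a given path, which is the kind of review an incident responder runs over these logs. The sample log is constructed in the Windows event-XML layout (`System` and `EventData` elements, `Data Name="..."` fields, `Keywords` marking audit success or failure); the element and field names are assumptions to check against the XML schema shipped with your ONTAP version. For logs from a source you do not control, parse with `defusedxml` instead of the standard library module used here.

```python
"""Summarise FSx for ONTAP audit events exported in the XML file format.

Added example (not part of the FSx documentation). The sample below is a
constructed log in the Windows event-XML layout (System and EventData
elements, Data Name="..." fields, Keywords marking audit success or failure).
The field names are assumptions: check them against the XML schema for your
ONTAP version before relying on this parser.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_SUCCESS = 0x8020000000000000  # Windows event-log keyword values
AUDIT_FAILURE = 0x8010000000000000

# Constructed sample: three events wrapped in a root element so the text is one
# well-formed document. Users, addresses and paths are made up.
SAMPLE_XML = """\
<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event>
    <System>
      <Provider Name="NetApp-Security-Auditing"/>
      <EventID>4656</EventID>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2024-05-01T10:15:02Z"/>
      <Computer>svm1/smb_server01</Computer>
    </System>
    <EventData>
      <Data Name="SubjectUserName">SMB_SERVER01\\sue</Data>
      <Data Name="SubjectIP">10.0.1.25</Data>
      <Data Name="ObjectName">(svm1_vol1);/finance/payroll.xlsx</Data>
    </EventData>
  </Event>
  <Event>
    <System>
      <Provider Name="NetApp-Security-Auditing"/>
      <EventID>4656</EventID>
      <Keywords>0x8010000000000000</Keywords>
      <TimeCreated SystemTime="2024-05-01T10:16:40Z"/>
      <Computer>svm1/smb_server01</Computer>
    </System>
    <EventData>
      <Data Name="SubjectUserName">SMB_SERVER01\\james</Data>
      <Data Name="SubjectIP">10.0.1.77</Data>
      <Data Name="ObjectName">(svm1_vol1);/finance/payroll.xlsx</Data>
    </EventData>
  </Event>
  <Event>
    <System>
      <Provider Name="NetApp-Security-Auditing"/>
      <EventID>4663</EventID>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2024-05-01T10:20:05Z"/>
      <Computer>svm1/smb_server01</Computer>
    </System>
    <EventData>
      <Data Name="SubjectUserName">SMB_SERVER01\\sue</Data>
      <Data Name="SubjectIP">10.0.1.25</Data>
      <Data Name="ObjectName">(svm1_vol1);/engineering/notes.txt</Data>
    </EventData>
  </Event>
</Events>
"""


def _text(ev: ET.Element, path: str) -> str:
    node = ev.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def _outcome(keywords: int) -> str:
    # Parenthesised on purpose: in Python `==` binds tighter than `&`.
    if (keywords & AUDIT_FAILURE) == AUDIT_FAILURE:
        return "failure"
    if (keywords & AUDIT_SUCCESS) == AUDIT_SUCCESS:
        return "success"
    return "unknown"


def parse_events(xml_text: str) -> list[dict[str, str]]:
    """Flatten each <Event> into a dict of System fields plus every Data field."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(f"{{{NS['e']}}}Event"):
        created = ev.find("e:System/e:TimeCreated", NS)
        keywords = int(_text(ev, "e:System/e:Keywords") or "0", 16)
        record = {
            "event_id": _text(ev, "e:System/e:EventID"),
            "time": created.get("SystemTime", "") if created is not None else "",
            "computer": _text(ev, "e:System/e:Computer"),
            "outcome": _outcome(keywords),
        }
        for data in ev.findall("e:EventData/e:Data", NS):
            record[data.get("Name", "")] = (data.text or "").strip()
        events.append(record)
    return events


def failed_access_by_subject(events: list[dict[str, str]]) -> Counter:
    """How many failed (denied) accesses each subject generated."""
    return Counter(e.get("SubjectUserName", "?") for e in events if e["outcome"] == "failure")


def events_touching(events: list[dict[str, str]], path_fragment: str) -> list[dict[str, str]]:
    """Every event whose ObjectName contains the given path fragment."""
    return [e for e in events if path_fragment in e.get("ObjectName", "")]


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_XML)
    print("failed accesses:", dict(failed_access_by_subject(parsed)))
    for e in events_touching(parsed, "payroll"):
        print(e["time"], e["event_id"], e["outcome"], e["SubjectUserName"], e["SubjectIP"])
```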

# Setting up an SMB server in a workgroup
<a name="smb-server-workgroup-setup"></a>

You can configure a Server Message Block (SMB) server in a workgroup as an alternative to joining an [SVM to a Microsoft Active Directory](ad-integration-ontap.md) when the Microsoft Active Directory domain infrastructure is not available. A workgroup is a peer-to-peer network that uses the SMB protocol, and has only local accounts and groups.

The process of setting up an SMB server as a member in a workgroup consists of the following:
+ Creating the SMB server on a storage virtual machine (SVM).
+ Creating local users and groups.
+ Adding local users or groups as members of the workgroup.

Keep in mind that SMB servers in workgroup mode do not support the following SMB features:
+ SMB3 Witness protocol
+ SMB3 CA shares
+ SQL over SMB
+ Folder Redirection
+ Roaming Profiles
+ Group Policy Object (GPO)
+ Volume Snapshot Service (VSS)

Also, an SMB server in workgroup mode supports only NTLM authentication and does not support Kerberos authentication.

The following procedures take you through setting up an SMB server on an SVM in a workgroup, creating local accounts, and adding those accounts to the workgroup membership. You use the NetApp ONTAP CLI from either the file system or SVM management interface to implement these procedures. For more information, see [Using the NetApp ONTAP CLI](managing-resources-ontap-apps.md#netapp-ontap-cli).

**Topics**
+ [

# Creating an SMB server in a workgroup
](create-smb-server-workgroup.md)
+ [

# Creating a local user account on the SMB server
](smb-workgroup-create-local-accounts.md)
+ [

# Creating local groups on the SMB server
](smb-workgroup-create-local-groups.md)
+ [

# Adding local users to the local group
](smb-workgroup-add-users-to-group.md)

# Creating an SMB server in a workgroup
<a name="create-smb-server-workgroup"></a>

You can use the [vserver cifs create](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-create.html) ONTAP CLI command to create an SMB server on the SVM and specify the workgroup to which it belongs.

## Before you begin
<a name="before-you-begin-smb-create"></a>

The SVM and volumes (and interfaces) that you are using to serve data must have been configured to allow the SMB protocol.

The LIFs must be able to connect to the DNS servers that are configured on the SVM. A CIFS license may be required on the file system; however, a CIFS license is not required if the SMB server will be used for authentication only.

**To create an SMB server in a workgroup**

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Create the SMB server in a workgroup:

   ```
   FSxIdabcde123456::> vserver cifs create -vserver vserver_name -cifs-server cifs_server_name -workgroup workgroup_name [-comment workgroup_description]
   ```

   The following command creates the SMB server `smb_server01` in the workgroup `workgroup01`:

   ```
   FSxIdabcde123456::> vserver cifs create -vserver svm1 -cifs-server SMB_SERVER01 -workgroup workgroup01
   ```

   If you are connected to the management port of the SVM, you do not need to specify `-vserver`.

1. Verify the SMB server configuration by using the `vserver cifs show` command.

   In the following example, the command output shows that an SMB server named `smb_server01` was created on SVM `svm1` in the workgroup `workgroup01`:

   ```
   FSxIdabcde123456::> vserver cifs show -vserver svm1
   
                                                  Vserver: svm1
                                 CIFS Server NetBIOS Name: SMB_SERVER01
                             NetBIOS Domain/Workgroup Name: workgroup01
                              Fully Qualified Domain Name: -
                                      Organizational Unit: -
        Default Site Used by LIFs Without Site Membership: -
                                           Workgroup Name: workgroup01
                                     Authentication Style: workgroup
                        CIFS Server Administrative Status: up
                                  CIFS Server Description:
                                  List of NetBIOS Aliases: -
   ```

# Creating a local user account on the SMB server
<a name="smb-workgroup-create-local-accounts"></a>

You can create a local user account that can be used to authorize access to data contained in the SVM over an SMB connection. You can also use local user accounts for authentication when creating an SMB session. Local user functionality is enabled by default when the SVM is created. When you create a local user account, you must specify a user name and you must specify the SVM with which to associate the account.

**To create local user accounts on the SMB server**

1. Create the local user using the [vserver cifs users-and-groups local-user create](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-user-create.html) ONTAP CLI command:

   ```
   vserver cifs users-and-groups local-user create -vserver svm_name -user-name user_name optional_parameters
   ```

   The following optional parameters might be useful:
   + `-full-name` – The user's full name.
   + `-description` – A description for the local user.
   + `-is-account-disabled {true|false}` – Specifies whether the user account is enabled or disabled. If this parameter is not specified, the default is to enable the user account.

   The command prompts for the local user's password.

1. Enter a password for the local user, and then confirm the password.

1. Verify that the user was successfully created:

   ```
   vserver cifs users-and-groups local-user show -vserver svm_name
   ```

The following example creates a local user `SMB_SERVER01\sue`, with a full name `Sue Chang`, associated with SVM `svm1`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-user create -vserver svm1 -user-name SMB_SERVER01\sue -full-name "Sue Chang"

Enter the password:
Confirm the password:
```

```
FSxIdabcde123456::> vserver cifs users-and-groups local-user show
Vserver  User Name                  Full Name  Description
-------- -------------------------- ---------- -------------
svm1     SMB_SERVER01\Administrator            Built-in administrator account
svm1     SMB_SERVER01\sue           Sue Chang
```

# Creating local groups on the SMB server
<a name="smb-workgroup-create-local-groups"></a>

You can create local groups that can be used for authorizing access to data associated with the SVM over an SMB connection. You can also assign privileges that define what user rights or capabilities a member of the group has.

Local group functionality is enabled by default when the SVM is created. When you create a local group, you must specify a name for the group and you must specify the SVM with which to associate the group. You can specify a group name with or without the local domain name, and you can optionally specify a description for the local group. You cannot add a local group to another local group.

**To create a local group on the SMB server**

1. Create the local group using the [vserver cifs users-and-groups local-group create](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-group-create.html) ONTAP CLI command.

   ```
   vserver cifs users-and-groups local-group create -vserver svm_name -group-name group_name [-description local_group_description]
   ```

   Including a description for the local group is useful.

1. Verify that the group was successfully created:

   ```
   vserver cifs users-and-groups local-group show -vserver svm_name
   ```

The following example creates a local group `SMB_SERVER01\engineering` associated with SVM `svm1`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group create -vserver svm1 -group-name SMB_SERVER01\engineering
```

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group show -vserver svm1

Vserver          Group Name                   Description
---------------- ---------------------------- ----------------------------
svm1             BUILTIN\Administrators       Built-in Administrators group
svm1             BUILTIN\Backup Operators     Backup Operators group
svm1             BUILTIN\Guests               Built-in Guests group
svm1             BUILTIN\Power Users          Restricted administrative privileges
svm1             BUILTIN\Users                All users
svm1             SMB_SERVER01\engineering
```

# Adding local users to the local group
<a name="smb-workgroup-add-users-to-group"></a>

You can manage local group membership by adding and removing local or domain users, or adding and removing domain groups. This is useful if you want to control access to data based on access controls placed on the group, or if you want users to have privileges associated with that group. If you no longer want a local user, domain user, or domain group to have access rights or privileges based on membership in a group, you can remove the member from the group.

When adding members to a local group, keep the following in mind:
+ You cannot add users to the special *Everyone* group.
+ You cannot add a local group to another local group.
+ To add a domain user or group to a local group, ONTAP must be able to resolve the name to a SID.

When removing members from a local group, keep the following in mind:
+ You cannot remove members from the special *Everyone* group.
+ To remove a member from a local group, ONTAP must be able to resolve their name to a SID.

You need to have the `fsxadmin` role to run the commands used in this procedure. For more information, see [ONTAP roles and users](roles-and-users.md).

**To manage the local group membership**
+ Add a member to or remove a member from a group using the [vserver cifs users-and-groups local-group add-members](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-group-add-members.html) and [vserver cifs users-and-groups local-group remove-members](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-group-remove-members.html) ONTAP CLI commands.
  + To add members to a workgroup:

    ```
    vserver cifs users-and-groups local-group add-members -vserver svm_name -group-name group_name -member-names name[,...]
    ```

    You can specify a comma-delimited list of local users, domain users, or domain groups to add to the specified local group.
  + To view members of a workgroup:

    ```
    vserver cifs users-and-groups local-group show-members -vserver svm_name -group-name group_name
    ```
  + To remove members from a workgroup:

    ```
    vserver cifs users-and-groups local-group remove-members -vserver svm_name -group-name group_name -member-names name[,...]
    ```

    You can specify a comma-delimited list of local users, domain users, or domain groups to remove from the specified local group.

The following example adds a local user `SMB_SERVER01\sue` to the local group `SMB_SERVER01\engineering` on SVM `svm1`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group add-members -vserver svm1 -group-name SMB_SERVER01\engineering -member-names SMB_SERVER01\sue
```

The following example removes the local users `SMB_SERVER01\sue` and `SMB_SERVER01\james` from the local group `SMB_SERVER01\engineering` on SVM `svm1`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group remove-members -vserver svm1 -group-name SMB_SERVER01\engineering -member-names SMB_SERVER01\sue,SMB_SERVER01\james
```

The following example lists the members of the local group `SMB_SERVER01\engineering`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group show-members -vserver svm1 -group-name SMB_SERVER01\engineering

           Vserver: svm1
       Domain Name: SMB_SERVER01
        Group Name: SMB_SERVER01\engineering
       Member Name: SMB_SERVER01\anita
                    SMB_SERVER01\james
                    SMB_SERVER01\liang
```
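Because a workgroup SMB server relies entirely on local accounts and groups, periodic review of the server configuration and of group membership is the main control you have over who can reach the data. The following added example (written for this page, not part of the FSx documentation or of ONTAP) parses the `Key: value` detail layout that both `vserver cifs show` and `local-group show-members` print, including the indented continuation lines used for multi-valued fields such as `Member Name`, and compares the result with what you expect: the server must be in workgroup authentication style with no AD domain, and the group must contain exactly the approved members. Both sample outputs are constructed from the shapes shown in this section, and the approved member list is an assumption for the example.

```python
"""Parse ONTAP CLI detail output and review SMB workgroup configuration.

Added example (not part of the FSx documentation). It reads the
"          Key: value" layout printed by `vserver cifs show` and
`vserver cifs users-and-groups local-group show-members`, where a
multi-valued field continues on indented lines that carry no key, and checks
the parsed result against an expected configuration. Both sample outputs are
constructed from the shapes in this section; the approved member list is an
assumption for the example.
"""
from __future__ import annotations

import re

# Constructed from the `vserver cifs show -vserver svm1` output in this section.
CIFS_SHOW = """\
                                               Vserver: svm1
                              CIFS Server NetBIOS Name: SMB_SERVER01
                         NetBIOS Domain/Workgroup Name: workgroup01
                           Fully Qualified Domain Name: -
                                   Organizational Unit: -
     Default Site Used by LIFs Without Site Membership: -
                                        Workgroup Name: workgroup01
                                  Authentication Style: workgroup
                     CIFS Server Administrative Status: up
                               CIFS Server Description:
                               List of NetBIOS Aliases: -
"""

# Constructed from the `local-group show-members` output in this section.
SHOW_MEMBERS = """\
           Vserver: svm1
       Domain Name: SMB_SERVER01
        Group Name: SMB_SERVER01\\engineering
       Member Name: SMB_SERVER01\\anita
                    SMB_SERVER01\\james
                    SMB_SERVER01\\liang
"""

# A key runs up to the first colon; the value is whatever follows it.
KEY_VALUE = re.compile(r"^\s*(?P<key>[^:]+?):\s?(?P<value>.*)$")


def parse_detail(text: str) -> dict[str, list[str]]:
    """Map each key to a list of values; '-' and empty values become [].

    A line without a colon is treated as a continuation of the previous key
    (how ONTAP prints multi-valued fields). Prompt lines ("::>") are skipped.
    A continuation value that itself contains a colon would be misread as a
    new key; none of the fields reviewed here carry such values.
    """
    parsed: dict[str, list[str]] = {}
    last_key: str | None = None
    for raw in text.splitlines():
        if not raw.strip() or "::>" in raw:
            continue
        match = KEY_VALUE.match(raw)
        if match:
            last_key = match.group("key").strip()
            value = match.group("value").strip()
            parsed[last_key] = [] if value in ("", "-") else [value]
        elif last_key is not None:
            parsed[last_key].append(raw.strip())
        else:
            raise ValueError(f"unexpected line before any key: {raw!r}")
    return parsed


def review_workgroup_server(detail: dict[str, list[str]], expected_workgroup: str) -> list[str]:
    """Findings for a workgroup SMB server; an empty list means it matches."""
    checks = {
        "Authentication Style": ["workgroup"],
        "Workgroup Name": [expected_workgroup],
        "CIFS Server Administrative Status": ["up"],
        "Fully Qualified Domain Name": [],  # a workgroup server has no AD domain
    }
    findings = []
    for key, expected in checks.items():
        actual = detail.get(key)
        if actual != expected:
            findings.append(f"{key}: expected {expected}, got {actual}")
    return findings


def review_group_members(detail: dict[str, list[str]],
                         approved: set[str]) -> tuple[set[str], set[str]]:
    """Return (members not on the approved list, approved members that are missing)."""
    members = set(detail.get("Member Name", []))
    return members - approved, approved - members


if __name__ == "__main__":
    print(review_workgroup_server(parse_detail(CIFS_SHOW), "workgroup01"))
    approved = {"SMB_SERVER01\\anita", "SMB_SERVER01\\liang"}  # assumed access list
    unexpected, missing = review_group_members(parse_detail(SHOW_MEMBERS), approved)
    print("unexpected:", sorted(unexpected), "missing:", sorted(missing))
```

Paste the two command outputs from your own SVM in place of the constructed samples; any name in `unexpected` is a candidate for `local-group remove-members`, and a non-empty finding from `review_workgroup_server` means the server is not in the state this section describes.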

# Monitoring storage virtual machine (SVM) configuration details
<a name="viewing-svms"></a>

You can view the FSx for ONTAP storage virtual machines that are currently on your file system by using the Amazon FSx console, the AWS CLI, or the Amazon FSx API.

**To view a storage virtual machine on your file system:**
+ **Using the console** – Choose a file system to view its **File systems** detail page. To list all the storage virtual machines on the file system, choose the **Storage virtual machines** tab, and then choose the storage virtual machine that you want to view.
+ **Using the CLI or API** – Use the [describe-storage-virtual-machines](https://docs.aws.amazon.com/cli/latest/reference/fsx/describe-storage-virtual-machines.html) CLI command or the [DescribeStorageVirtualMachines](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeStorageVirtualMachines.html) API operation.

  The system response is a list of full descriptions of all the SVMs in your account in that AWS Region.

# Deleting storage virtual machines (SVM)
<a name="deleting-svms"></a>

You can delete an FSx for ONTAP SVM only by using the Amazon FSx console, the AWS CLI, or the API. Before you can delete an SVM, you must first delete all non-root volumes attached to it.

**Important**  
You cannot delete an SVM by using the NetApp ONTAP CLI or API.

**Note**  
Before you delete a storage virtual machine, make sure that no applications are accessing the data in the SVM, and that you have deleted all non-root volumes attached to the SVM.

**To delete a storage virtual machine (console)**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Choose the SVM that you want to delete as follows:
   + In the left navigation pane, choose **File systems**, and then choose the ONTAP file system for which you want to delete an SVM.
   + Choose the **Storage virtual machines** tab.

     –Or–
   + To display a list of all the SVMs available, expand **ONTAP** and choose **Storage virtual machines**.

   Select the SVM that you want to delete from the list.

1. In the **Volumes** tab, view the list of volumes attached to the SVM. If there are any non-root volumes attached to the SVM, you must delete them before you can delete the SVM. See [Deleting volumes](deleting-volumes.md) for more information.

1. Choose **Delete storage virtual machine** from the **Actions** menu.

1. In the delete confirmation dialog box, choose **Delete storage virtual machine**.

**To delete a storage virtual machine (CLI)**
+ To delete an FSx for ONTAP storage virtual machine, use the [delete-storage-virtual-machine](https://docs.aws.amazon.com/cli/latest/reference/fsx/delete-storage-virtual-machine.html) CLI command (or the equivalent [DeleteStorageVirtualMachine](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DeleteStorageVirtualMachine.html) API operation), as shown in the following example.

  ```
  aws fsx delete-storage-virtual-machine --storage-virtual-machine-id svm-abcdef0123456789d
  ```
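The deletion fails while any non-root volume is still attached, and the note above asks you to confirm that before starting. The following added example (written for this page, not part of the FSx documentation) automates that pre-flight check: it inspects a `DescribeVolumes` response, lists the non-root volumes that still belong to the SVM (a volume in `DELETING` state has not finished going away and still counts), and only produces the `delete-storage-virtual-machine` command when none remain. The decision logic runs offline on a constructed response; the field names used (`VolumeId`, `Lifecycle`, `OntapConfiguration.StorageVirtualMachineId`, `OntapConfiguration.StorageVirtualMachineRoot`) are those of the FSx `DescribeVolumes` API, and every ID in the sample is a placeholder. `fetch_volumes` is the only part that calls AWS and needs `boto3` with credentials.

```python
"""Pre-flight check before deleting an FSx for ONTAP SVM.

Added example (not part of the FSx documentation). The decision logic runs on
the JSON shape returned by the FSx DescribeVolumes API; the sample response
and every ID in it are constructed placeholders. fetch_volumes() is the only
function that talks to AWS and needs boto3 and credentials.
"""
from __future__ import annotations

SVM_ID = "svm-abcdef0123456789d"  # placeholder ID, as used in this guide

SAMPLE_RESPONSE = {
    "Volumes": [
        {"VolumeId": "fsvol-0123456789abcdef0", "Name": "svm1_root", "Lifecycle": "CREATED",
         "OntapConfiguration": {"StorageVirtualMachineId": SVM_ID,
                                "StorageVirtualMachineRoot": True}},
        {"VolumeId": "fsvol-0123456789abcdef1", "Name": "vol1", "Lifecycle": "CREATED",
         "OntapConfiguration": {"StorageVirtualMachineId": SVM_ID,
                                "StorageVirtualMachineRoot": False}},
        {"VolumeId": "fsvol-0123456789abcdef2", "Name": "vol2", "Lifecycle": "DELETING",
         "OntapConfiguration": {"StorageVirtualMachineId": SVM_ID,
                                "StorageVirtualMachineRoot": False}},
        {"VolumeId": "fsvol-0123456789abcdef3", "Name": "other_svm_vol", "Lifecycle": "CREATED",
         "OntapConfiguration": {"StorageVirtualMachineId": "svm-0000000000000000a",
                                "StorageVirtualMachineRoot": False}},
    ]
}


def blocking_volumes(response: dict, svm_id: str) -> list[dict]:
    """Non-root volumes on this SVM that still exist.

    Only the SVM's root volume is exempt. A volume whose Lifecycle is DELETING
    has not finished going away, so it still blocks the SVM deletion; only a
    volume already reported as DELETED is ignored.
    """
    blocking = []
    for vol in response.get("Volumes", []):
        cfg = vol.get("OntapConfiguration", {})
        if cfg.get("StorageVirtualMachineId") != svm_id:
            continue
        if cfg.get("StorageVirtualMachineRoot", False):
            continue
        if vol.get("Lifecycle") == "DELETED":
            continue
        blocking.append({"VolumeId": vol["VolumeId"], "Name": vol.get("Name", ""),
                         "Lifecycle": vol.get("Lifecycle", "")})
    return blocking


def delete_plan(response: dict, svm_id: str) -> dict:
    """Decide whether the SVM can be deleted now and what to run next."""
    blocking = blocking_volumes(response, svm_id)
    if blocking:
        next_step = "delete these volumes first: " + ", ".join(v["VolumeId"] for v in blocking)
    else:
        next_step = f"aws fsx delete-storage-virtual-machine --storage-virtual-machine-id {svm_id}"
    return {"svm_id": svm_id, "safe": not blocking, "blocking": blocking, "next_step": next_step}


def fetch_volumes(svm_id: str, region: str | None = None) -> dict:
    """Live variant: page through DescribeVolumes for one SVM (needs boto3 and credentials)."""
    import boto3  # imported here so the offline functions above work without it

    client = boto3.client("fsx", region_name=region)
    volumes, token = [], None
    while True:
        kwargs = {"Filters": [{"Name": "storage-virtual-machine-id", "Values": [svm_id]}]}
        if token:
            kwargs["NextToken"] = token
        page = client.describe_volumes(**kwargs)
        volumes.extend(page.get("Volumes", []))
        token = page.get("NextToken")
        if not token:
            return {"Volumes": volumes}


if __name__ == "__main__":
    plan = delete_plan(SAMPLE_RESPONSE, SVM_ID)
    print("safe to delete:", plan["safe"])
    for vol in plan["blocking"]:
        print("  blocking:", vol["VolumeId"], vol["Name"], vol["Lifecycle"])
    print(plan["next_step"])
```

Against a real file system, replace `SAMPLE_RESPONSE` with `fetch_volumes(SVM_ID)`; the plan is printed, not executed, so the operator still runs the delete command from the guide themselves once `safe` is true.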