Security of Veritas Alta SaaS Protection Link-based Stubbing and Stub Share Permission

Article: 100050011
Last Published: 2023-04-12
Product(s): Veritas Alta SaaS Protection

Description

This article discusses the security aspects of the link-based stubbing feature.

The 'Everyone' Permission on the Stub Share

You will need to manually add the 'Everyone' group to the stub share with read/write permission, but then remove the NTFS permissions for the 'Everyone' group that are added as a result of applying the share.

Minimize the number of groups and users with NTFS permissions to the stub share folder. Otherwise, you may inadvertently allow users to traverse the share.
 
The best-practice permissions for the 'Everyone' ACE are set programmatically by the Retrieval Service. They are necessary because any user in the organization may have access to a link-based stub and request retrieval. Furthermore, HCS instances in your environment need access to the stub share because they create offline files there for the corresponding link-based stubs they create in target directories. Veritas Alta SaaS Protection ensures that only the minimum permissions are configured.

The Veritas Alta SaaS Protection Retrieval Service will automatically set permissions on the stub share and automatically update them on an hourly basis. However, if you are installing a fresh HCS instance using a new service account, you may want to prompt Veritas Alta SaaS Protection to update the stub share permissions instead of waiting for the hourly maintenance job. To force the permissions to update, you will need to visit the Retrieval Service configuration interface. To do this, follow these steps:
  1. Open Retrieval Service GUI
  2. Select Advanced tab
  3. In the Link-based Stubbing settings, ensure the stub share's path is entered and then select the button 'Force Permissions Update...'
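
To review the result, for example after a forced permissions update, the following read-only PowerShell sketch lists the share-level and NTFS entries on the stub share side by side. It is an added example, not Veritas code; the function name `Get-StubSharePermissionReport` and the share name `StubShare` are assumptions to replace with your own.

```powershell
# Added example (not Veritas code): read-only review of the stub share's
# share-level and NTFS permissions. 'StubShare' is a placeholder share name.
function Get-StubSharePermissionReport {
    param([Parameter(Mandatory)][string]$ShareName)

    $everyoneSid = 'S-1-1-0'   # well-known SID for 'Everyone', locale independent
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $share       = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Share-level entries: the article expects 'Everyone' with read/write here.
    foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
        try   { $sid = ([System.Security.Principal.NTAccount]$entry.AccountName).Translate($sidType).Value }
        catch { $sid = $null }   # unresolvable account; reported by name only
        [pscustomobject]@{
            Layer      = 'Share'
            Trustee    = $entry.AccountName
            Rights     = [string]$entry.AccessRight
            Type       = [string]$entry.AccessControlType
            Inherited  = $false
            IsEveryone = ($sid -eq $everyoneSid)
        }
    }

    # NTFS entries on the shared folder, requested as SIDs so 'Everyone' matches reliably.
    $acl = Get-Acl -LiteralPath $share.Path
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $rule.IdentityReference.Value }   # orphaned SID, shown as-is
        [pscustomobject]@{
            Layer      = 'NTFS'
            Trustee    = $name
            Rights     = [string]$rule.FileSystemRights
            Type       = [string]$rule.AccessControlType
            Inherited  = $rule.IsInherited
            IsEveryone = ($rule.IdentityReference.Value -eq $everyoneSid)
        }
    }
}

$report = Get-StubSharePermissionReport -ShareName 'StubShare'
$report | Format-Table -AutoSize

# Trustees other than 'Everyone' holding NTFS rights: the list the article says to keep short.
$report | Where-Object { $_.Layer -eq 'NTFS' -and -not $_.IsEveryone } |
    Select-Object -ExpandProperty Trustee -Unique
```

The script only reads permissions; it does not judge the 'Everyone' NTFS entry, which the Retrieval Service maintains.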

The stub share simply contains seamless stubs that are offline files. The Retrieval Service uses reparse points within the stub share's offline files to make a recall request to Veritas Alta SaaS Protection in the cloud for the full item.

Retrieval Authorization Checking

The 'Everyone' permission on the stub share does not mean that any user in the organization can access all content or that the stub share is somehow a vulnerability!

The offline files in the stub share have a numerical file path and no distinguishing metadata.

When "Require Authorization for Stub Retrieval" is enabled, on each stub retrieval request, Veritas Alta SaaS Protection performs a data-level authorization check in the cloud to confirm that the requestor has permissions to the file in question. Thus, for stub retrieval authorization to pass, the requesting user must be a domain account that is synchronized to Veritas Alta SaaS Protection via Azure Active Directory. If this is not the case, Veritas Alta SaaS Protection's authorization check will fail for the user, even if they are allowed access on-premises, because the identity and/or permissions have not yet synchronized to the cloud.

Unrecognized Retrieval Users

It is possible that some retrieval request scenarios will fail authorization. This is typically because the user account making the retrieval request is unknown to Veritas Alta SaaS Protection.

Optionally, you may whitelist certain accounts. Accounts that have experienced failed authorization into Veritas Alta SaaS Protection will be listed in the Admin Portal where there is the option of adding them to the whitelist.

For instructions on how to authorize unrecognized users, see How to Whitelist Unrecognized Retrieval Users.
 
