z/OS UNIX System Services User's Guide


Using access control lists (ACLs) to control access to files and directories

SA23-2279-00

Using access control lists (ACLs), you can control access to UNIX files and directories by individual users (UIDs) and groups (GIDs). ACLs are used in conjunction with permission bits.

There are three kinds of ACLs:
  • Access ACLs are ACLs that are used to provide protection for a file system object.
  • File default ACLs are model ACLs that are inherited by files created within the parent directory. The file inherits the model ACL as its access ACL. Directories also inherit the file default ACL as their file default ACL.
  • Directory default ACLs are model ACLs that are inherited by subdirectories created within the parent directory. The directory inherits the model ACL as its directory default ACL and as its access ACL.

There are two kinds of ACL entries:
  • Base ACL entries are permission bits (owner, group, other). You can change the permissions using chmod or setfacl.
  • Extended ACL entries are ACL entries for individual users or groups. Like the permission bits, they are stored with the file, not in RACF® profiles.
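
The inheritance rules in the first list can be traced with a small model. This is an added example, not code from the IBM guide: the `Node` class, the `create` and `demo` functions, and the sample user and group names are all constructed for illustration, and the model tracks extended ACL entries only, leaving out the base permission bits.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """A file system object with its extended ACL entries (hypothetical model)."""
    name: str
    is_dir: bool
    access: list = field(default_factory=list)    # access ACL
    fdefault: list = field(default_factory=list)  # file default ACL (directories)
    ddefault: list = field(default_factory=list)  # directory default ACL (directories)

def create(parent: Node, name: str, is_dir: bool) -> Node:
    """Create a child of `parent`, copying the model ACLs as the list describes."""
    child = Node(name, is_dir)
    if is_dir:
        # Subdirectory: the directory default ACL becomes both its access ACL
        # and its own directory default ACL; the file default ACL is passed on.
        child.access = list(parent.ddefault)
        child.ddefault = list(parent.ddefault)
        child.fdefault = list(parent.fdefault)
    else:
        # File: the parent's file default ACL becomes its access ACL.
        child.access = list(parent.fdefault)
    return child

def demo() -> dict:
    # Constructed sample data: names and entries are illustrative only.
    proj = Node("proj", True,
                fdefault=["user:AUDITOR:r--"],
                ddefault=["group:DEVS:r-x"])
    src = create(proj, "src", is_dir=True)
    lib = create(src, "lib", is_dir=True)
    code = create(lib, "main.c", is_dir=False)
    # The model ACL is copied when an object is created, so a later change
    # to proj's file default ACL reaches only objects created afterwards.
    proj.fdefault.append("user:TEMP:rw-")
    late = create(proj, "notes.txt", is_dir=False)
    return {"lib": lib, "code": code, "late": late}

if __name__ == "__main__":
    for key, node in demo().items():
        print(f"{key:5} {node.name:10} access={node.access} "
              f"fdefault={node.fdefault} ddefault={node.ddefault}")
```

Because every subdirectory passes both model ACLs on, a file created two levels down still receives the entry set on `proj`, which is worth remembering when reviewing who can read a deep tree.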

Additional access control mechanisms are allowed to further restrict the access permissions that are defined by the file permission bits. Because ACLs can grant and restrict access, the use of ACLs is not UNIX 95-compliant.

ACLs are supported by HFS, zFS, and TFS. It is possible that other physical file systems will eventually support z/OS® ACLs. Consult your file system documentation to see if ACLs are supported.

Copyright IBM Corporation 1990, 2014