File system ACL

Access to the files and directories is managed through access control lists (ACLs). It ensures that only authorized users get access to directories and files. The IBM Spectrum Scale™ ACLs are stored in the NFSV4 ACL format.

An ACL is a list of permissions that are associated with a directory or file. It defines which users are allowed to access a particular directory or file. An access control entry in the ACL defines the permissions for a user or a group of users. An ACL usually consists of multiple entries. Each ACL has an owner that is associated with it, who owns the file or directory for which the ACL is defined. Owners usually have full access to the files or directories that they own. If the directory contains files or subdirectories, the owner, owning group, and ACL cannot be modified. Even if the directory contains files or subdirectories, the ACL can be modified by users with the Dataaccess role.

Access rights

You can enable access control for users to directories, files, and other objects such as file systems and filesets. To provide simplified access to the most common sets of access rights, the following generic rights are defined for the ACL entries:
  • Read
  • Write
  • Execute
The access permissions of ACL entries are defined at a more detailed level by using the access mask feature in the ACL. The following access permissions are available:
  • Read file's data and list contents of the directory
  • Modify file's data and create a file in the directory
  • Append data to a file and create a subdirectory in the directory
  • Execute a file and traverse the directory
  • Delete file or directory
  • Delete files or subdirectories inside the directory
  • Read basic attributes
  • Modify basic attributes
  • Read extended attributes
  • Modify extended attributes
  • Read ACL
  • Modify ACL
  • Change owner
  • Access file locally with synchronous reads and writes

User or user group types

Access control defines privileges of a user or user groups on the files and directories. You can define access control for the following user types:
  • User

    A regular user in the file system. If this ACL entry is inherited by child directories or files, the access rights that are defined at the ACL entry in the parent directory become applicable to the same user in the child ACL entry.

  • Group

    A regular user group in the file system. If this ACL entry is inherited by child directories or files, the access rights that are defined at the ACL entry in the parent directory become applicable to the same user group in the child ACL entry.

  • User (Owner)

    Owner of a file or directory. When the ACL is saved to file system, the owner becomes a normal user in the ACL. That is, when you open the ACL the next time, the system displays the ACL entry as a normal user entry. If the owner of a file or directory is changed, the access permissions including inheritance that are defined for the previous owner remains.

  • Group (Owning group)

    Group that owns the file or directory. When the ACL is saved to file system, the owner becomes a normal user group in the ACL. That is, when you open the ACL the next time, the system displays the ACL entry as a normal user group entry. If the owning group of a file or directory is changed, the access permissions including inheritance that are defined for the previous owning group remains.

  • Special owner

    Applies to the owner of a file or directory. If the special owner is inherited by the child directories or files, the corresponding access permissions apply to the owner of the child object, not to the owner of the parent directory. If the owner of the file or directory is changed, the access permissions set for this ACL entry become applicable to the new owner.

  • Special group

    Applies to the owning group of a file or directory. If the special group is inherited by the child directories or files, the corresponding access permissions apply to the owning group of the child object, not to the owning group of the parent directory. If the owning group of the file or directory is changed, the access permissions set for this ACL entry become applicable to the new owning group.

  • Everyone

    Applies to all users.

You can only specify a name for types User and Group. For the remaining types, you can only define access rights, but not a specific user or group name. You can specify only user (owner) and group (owning group) for an ACL. For the remaining user types, you can define only access rights.

Users who have the DataAccess role are allowed to do the following:
  • Modify the ACL of a file or directory, even if it is not empty.
  • Define ACL for a file or directory using the Access > File System ACL > Files and Directories.

Inheritance

The restrictions that are defined in an ACL for accessing a directory or file can be applied to users who access files inside that directory. The ACL entry flags control the inheritance of access controls. ACL entries on directories might be inherited by files or subdirectories that are created inside the directory. You can specify whether the inheritance that is defined in an ACL entry applies to the current directory and its children or only to the subdirectories and files that are contained in the parent directory.

ACL entries are inherited to the child directories or files at the time of creation. Changes made to the ACL of a parent directory are not propagated to child directories or files.

ACL templates

You can define ACL templates to help the users to set default access control permissions for files and directories. The use of ACL template helps to save time and ensures that the standard and desired values for each ACL entry are used. You can use any of the predefined ACL templates to set the access rights to files and directories.

Users with the Administrator, SecurityAdmin, and Dataaccess roles are allowed to manage the ACL templates. These users can create and modify default and custom ACL templates.

The default ACL is listed in a grid in the Access > File System ACL > ACL Templates page with the name Default. When using the GUI to create a file system or fileset, the system populates the owner, group, and ACL from the default template and displays these settings in the GUI panel as default values. You can edit the default values or load another template before you create the file system or fileset. The default template reduces the chances of entering wrong values by displaying an example of expected values. You can also create, edit, and delete custom ACL templates, but you cannot delete the default template or change its name.

To create a custom template, go to Access > File System ACL > ACL Templates > Create Template.

To copy ACL from an existing template, use the Copy ACL from Existing Template option. When you load a custom template, the values that are populated from the current ACL is replaced with those of the custom template.

ACL for files and directories

You can set access controls to the directories and files that are existing in the system. You can define owner, owning group, and access control list (ACL) for any file or directory that exists in the system.

The user can enter the full path of a directory or file in the Directory field. The system uses the default ACL template to display the default values of access permissions, owner, and owning group. You can modify the values of individual fields.

To modify the ACL, select Edit. This launches the Edit Access Control dialog. To use a custom ACL template to modify the default values, select Load ACL Template. The Directory field that is used to enter a directory or file is an auto complete input field. This shows the matching directories or files in a list box. The input field supports a maximum of 100,000 child objects.