Permission repair job
Permission repair is a OneFS Job Engine job. This job provides three modes to help users fix or set a large set of file permissions. For details about how to run a permission-repair job and its concepts, refer to the Dell EMC PowerScale OneFS Permission Repair Job document.
This section shows typical use cases for each fix or set permission mode, and provides two additional examples that are not in the OneFS permission repair document. Table 7 shows the typical use cases for each mode.
| Mode option | Use case |
|---|---|
| Clone mode | Clone mode should be used when a directory tree with many objects needs a new set of permissions such as switching from mode bits to ACLs. |
| Inherit mode | When access is checked in a Windows environment, this mode automatically traces all parent directories looking for inherited ACEs, adding them to the access check. In contrast to Windows, the PowerScale system handles ACL inheritance by explicitly adding the inherited ACE onto the security descriptor of the file or the directory and only newly created files can contain the inherited ACEs. The inherit mode should be used when an inherited ACE is added to a directory that contains objects. |
| Convert mode | The primary use case for convert mode is to update on-disk permissions after modifying the on-disk permission setting. |
For an example of clone mode, refer to the Dell EMC PowerScale OneFS Permission Repair Job document. The following sections include examples for inherit mode and convert mode.
With inherit mode, the current permissions of directories or files in a target are written over (not appended) by only the inheritable permissions of the template.
This example creates a directory and file hierarchy on OneFS as shown in Figure 24, and all the files or directories under dir1 have the same ACL permissions as their parent directory.
The template directory is used as the permissions template for the permission repair job, and the template directory ACL contains an inheritable ACE for user01 with the flags of object_inherit and container_inherit. The ACL permissions of these files and directories are shown in Figure 25 and Figure 26.
The example now starts the permission repair job using the command isi job jobs start, and waits for the job to complete as shown in Figure 27.
Checking the ACL permissions of the files and directory under dir1 shows that the inherit mode of the permission repair job clones all permissions of the template to the parent directory dir1, and that only the inheritable permission for user01 is propagated and written over the existing permissions of the subdirectories and files.
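The following Python model of the inherit-mode behavior described above is an added illustration, not code from the Dell EMC documentation or from OneFS. It reports which trustees lose their ACEs when existing permissions are written over; the paths, user02, the rights strings, and the helper names are constructed, and an ACE carrying only one inheritance flag is simply applied to the matching object type.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: str
    flags: frozenset = frozenset()  # object_inherit / container_inherit / inherited_ace

def inheritable_for(template_acl, is_dir):
    """Template ACEs that land on a descendant of the given type."""
    wanted = "container_inherit" if is_dir else "object_inherit"
    out = []
    for ace in template_acl:
        if wanted in ace.flags:
            # Directories keep the inheritance flags; files have nothing to pass on.
            keep = ace.flags if is_dir else frozenset()
            out.append(replace(ace, flags=keep | {"inherited_ace"}))
    return out

def repair_inherit(tree, target, template_acl):
    """Model an inherit-mode run: returns a new {path: (is_dir, acl)} map."""
    result = {}
    for path, (is_dir, acl) in tree.items():
        if path == target:                      # target root: clone of the template ACL
            result[path] = (is_dir, list(template_acl))
        elif path.startswith(target + "/"):     # descendants: overwritten, not appended
            result[path] = (is_dir, inheritable_for(template_acl, is_dir))
        else:                                   # outside the target: untouched
            result[path] = (is_dir, acl)
    return result

def lost_access(before, after):
    """Per path, trustees that had an ACE before the run and none afterwards."""
    report = {}
    for path, (_, old_acl) in before.items():
        gone = {a.trustee for a in old_acl} - {a.trustee for a in after[path][1]}
        if gone:
            report[path] = gone
    return report

# Constructed sample data (not from the page's figures).
TEMPLATE_ACL = [Ace("user01", "read", frozenset({"object_inherit", "container_inherit"})),
                Ace("root", "full")]            # root ACE is not inheritable
OLD_ACL = [Ace("user02", "full")]               # hypothetical pre-existing grant
SAMPLE_TREE = {"dir1": (True, OLD_ACL), "dir1/file1": (False, OLD_ACL),
               "dir1/subdir1": (True, OLD_ACL), "dir2": (True, OLD_ACL)}

if __name__ == "__main__":
    after = repair_inherit(SAMPLE_TREE, "dir1", TEMPLATE_ACL)
    for path, trustees in sorted(lost_access(SAMPLE_TREE, after).items()):
        print(f"{path}: ACEs removed for {sorted(trustees)}")
```

Running a comparison like this against an export of the real ACLs before starting the job shows which existing grants the overwrite would remove.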
Convert mode converts all file and directory on-disk identities under the target to the type specified, including global, sid, unix, or native. No template is required in this mode.
The ls command is used to view the file and directory on-disk identity type of user01. The current on-disk identity for user01 is its UID of 2002.
This example starts the permission-repair job using the command isi job jobs start, and waits for the job to complete as shown in Figure 30.
Checking the file and directory permissions again shows that the on-disk permission for user01 is converted into SID mode. The identities of root with UID 0 and everyone with SID S-1-1-0 are special identities, and they are not converted in convert mode.