This section describes how OneFS maps file and directory permissions across the SMB and NFS protocols when OneFS is running with its default settings. The first table lists each Windows access right, the OneFS internal permission that represents it, and the closest UNIX mode-bit approximation (a leading `d` means the right applies to a directory, a leading `-` that it applies to a file).
| Windows access rights | OneFS internal representation | Mode bits approximation |
| --- | --- | --- |
| FILE_ADD_FILE | add_file | d-w- |
| FILE_ADD_SUBDIRECTORY | add_subdir | d-w- |
| FILE_ALL_ACCESS | dir_gen_all, file_gen_all | drwx or -rwx |
| FILE_APPEND_DATA | append, add_subdir | --w- or d-w- |
| FILE_DELETE_CHILD | delete_child | d-w- |
| FILE_EXECUTE | execute | ---x |
| FILE_LIST_DIRECTORY | list | dr-- |
| FILE_READ_ATTRIBUTES | file_read_attr | -r-- |
| FILE_READ_DATA | file_read | -r-- |
| FILE_READ_EA | file_read_ext_attr | -r-- |
| FILE_TRAVERSE | traverse | d--x |
| FILE_WRITE_ATTRIBUTES | file_write_attr | --w- |
| FILE_WRITE_DATA | file_write | --w- |
| FILE_WRITE_EA | file_write_ext_attr | --w- |
| DELETE | std_delete | d-w- or --w- |
| READ_CONTROL | std_read_dac | dr-- or -r-- |
| WRITE_DAC | std_write_dac | drwx or -rwx |
| WRITE_OWNER | std_write_owner | drwx or -rwx |
| SYNCHRONIZE | std_synchronize | NA |
Because mode bits are a subset of the richer Windows ACL model, mapping mode bits to ACLs is simpler. OneFS processes mode bits to create a synthetic ACL when an SMB client attempts to access a file or a directory with mode bits. Because the security model for ACLs is richer than that of mode bits, no information is lost.
| Description | Permissions |
| --- | --- |
| UNIX Permission | Read |
| OneFS | file_gen_read |
| Windows Effective Permissions | list folder/read data |
| Mapping to Windows Access Rights Constants | FILE_LIST_DIRECTORY, FILE_READ_ATTRIBUTES, FILE_READ_DATA, FILE_READ_EA |
| Description | Permissions |
| --- | --- |
| UNIX Permission | Write |
| OneFS | file_gen_write |
| Windows Effective Permissions | create files/write data; create folders/append data; delete subfolders and files |
| Mapping to Windows Access Rights Constants | FILE_ADD_FILE, FILE_WRITE_DATA; FILE_ADD_SUBDIRECTORY, FILE_APPEND_DATA; DELETE, FILE_DELETE_CHILD, FILE_WRITE_ATTRIBUTES, FILE_READ_EA |
| Description | Permissions |
| --- | --- |
| UNIX Permission | Execute |
| OneFS | file_gen_execute |
| Windows Effective Permissions | traverse folder/execute file |
| Mapping to Windows Access Rights Constants | FILE_TRAVERSE, FILE_EXECUTE |
In addition, the mode rwx is mapped to full control (FILE_ALL_ACCESS), which is represented on OneFS as file_gen_all. As a result, a user, a group, or everyone whose mode bits are set to rwx also has the following effective permissions: change permissions, take ownership, delete, and synchronize (WRITE_DAC, WRITE_OWNER, DELETE, and SYNCHRONIZE).
Like the Windows permissions model, the PowerScale permission model divides permissions into three related groups: standard permissions, which can apply to any object in the file system; generic permissions, which are logical wrappers for a bundle of more specific permissions; and constants, each of which is a specific type of permission. Certain permissions apply only to a directory; others apply only to a nondirectory file system object.
| Description | Permissions |
| --- | --- |
| std_delete | The right to delete the object |
| std_read_dac | The right to read the security descriptor, not including the SACL (In OneFS, a superuser can list the SACL, but it is otherwise unsupported.) |
| std_write_dac | The right to modify the DACL in the object's security descriptor |
| std_write_owner | The right to change the owner in the object's security descriptor |
| std_synchronize | The right to use the object as a thread synchronization primitive (On OneFS, this right has no effect.) |
| std_required | Maps to std_delete, std_read_dac, std_write_dac, and std_write_owner |
| Description | Permissions |
| --- | --- |
| dir_gen_all | Read, write, and execute access |
| dir_gen_read | Read access |
| dir_gen_write | Write access |
| dir_gen_execute | Execute access |
| list | List entries |
| add_file | The right to create a file in the directory |
| add_subdir | The right to create a subdirectory |
| delete_child | The right to delete children, including read-only files |
| traverse | The right to traverse the directory |
| dir_read_attr | The right to read directory attributes |
| dir_write_attr | The right to write directory attributes |
| dir_read_ext_attr | The right to read extended directory attributes |
| dir_write_ext_attr | The right to write extended directory attributes |
| Description | Permissions |
| --- | --- |
| dir_gen_read | list, dir_read_attr, dir_read_ext_attr, std_read_dac, and std_synchronize |
| dir_gen_write | add_file, add_subdir, dir_write_attr, dir_write_ext_attr, std_read_dac, and std_synchronize |
| dir_gen_execute | traverse, std_read_dac, and std_synchronize |
| dir_gen_all | dir_gen_read, dir_gen_write, dir_gen_execute, delete_child, and std_write_owner |
| Description | Permissions |
| --- | --- |
| file_gen_all | Read, write, and execute access |
| file_gen_read | Read access |
| file_gen_write | Write access |
| file_gen_execute | Execute access |
| file_read | The right to read file data |
| file_write | The right to write file data |
| append | The right to append to a file |
| execute | The right to execute a file |
| delete_child | This permission is not used for a file but can be set for Windows compatibility |
| file_read_attr | The right to read file attributes |
| file_write_attr | The right to write file attributes |
| file_read_ext_attr | The right to read extended file attributes |
| file_write_ext_attr | The right to write extended file attributes |
| Description | Permissions |
| --- | --- |
| file_gen_read | file_read, file_read_attr, file_read_ext_attr, std_read_dac, and std_synchronize |
| file_gen_write | file_write, file_write_attr, file_write_ext_attr, append, std_read_dac, and std_synchronize |
| file_gen_execute | execute, std_read_dac, and std_synchronize |
| file_gen_all | file_gen_read, file_gen_write, file_gen_execute, delete, std_write_dac, and std_write_owner |
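The following Python script is an added example, not Dell code and not how OneFS is implemented. It applies the tables on this page literally in both directions: it expands the generic dir_gen_* and file_gen_* wrappers into specific rights, collapses a set of rights back into the mode-bit approximation from the first table, and builds the synthetic generic permissions that the mode-bits-to-ACL section describes (rwx becomes *_gen_all, anything else becomes the matching *_gen_read, *_gen_write or *_gen_execute). It assumes nothing beyond the tables: ACL policy settings, inheritance and ACE flags are ignored, the `delete` entry in file_gen_all is read as std_delete, and rights the first table does not list contribute no mode bit. The function names and the numeric modes are constructed for the example.

```python
"""Literal model of the OneFS permission-mapping tables on this page (added example, not Dell code).

Assumptions: the tables are applied as written and nothing else is modelled; "delete" in
file_gen_all is read as std_delete; rights absent from the mode-bit table add no mode bit."""

# Generic OneFS permissions and the rights they wrap (the dir_gen_* / file_gen_* tables).
GENERIC = {
    "dir_gen_read": {"list", "dir_read_attr", "dir_read_ext_attr",
                     "std_read_dac", "std_synchronize"},
    "dir_gen_write": {"add_file", "add_subdir", "dir_write_attr", "dir_write_ext_attr",
                      "std_read_dac", "std_synchronize"},
    "dir_gen_execute": {"traverse", "std_read_dac", "std_synchronize"},
    "dir_gen_all": {"dir_gen_read", "dir_gen_write", "dir_gen_execute",
                    "delete_child", "std_write_owner"},
    "file_gen_read": {"file_read", "file_read_attr", "file_read_ext_attr",
                      "std_read_dac", "std_synchronize"},
    "file_gen_write": {"file_write", "file_write_attr", "file_write_ext_attr", "append",
                       "std_read_dac", "std_synchronize"},
    "file_gen_execute": {"execute", "std_read_dac", "std_synchronize"},
    "file_gen_all": {"file_gen_read", "file_gen_write", "file_gen_execute",
                     "std_delete", "std_write_dac", "std_write_owner"},   # "delete" read as std_delete
    "std_required": {"std_delete", "std_read_dac", "std_write_dac", "std_write_owner"},
}

# Mode-bit approximation of each internal right (first table, with the d/- prefix dropped).
APPROX = {
    "add_file": "w", "add_subdir": "w", "delete_child": "w", "list": "r", "traverse": "x",
    "execute": "x", "append": "w", "file_read": "r", "file_read_attr": "r",
    "file_read_ext_attr": "r", "file_write": "w", "file_write_attr": "w",
    "file_write_ext_attr": "w", "std_delete": "w", "std_read_dac": "r",
    "std_write_dac": "rwx", "std_write_owner": "rwx", "std_synchronize": "",
}

# Rights that no POSIX mode bit expresses but that rwx grants through *_gen_all.
OWNERSHIP_RIGHTS = {"std_write_dac", "std_write_owner", "std_delete"}


def expand(perm):
    """Flatten one permission name into the set of specific rights it grants."""
    if perm not in GENERIC:
        return frozenset({perm})
    rights = set()
    for inner in GENERIC[perm]:
        rights |= expand(inner)
    return frozenset(rights)


def approximate_mode(perms):
    """Collapse OneFS permissions into the 'rwx' triple that the mode-bit view shows."""
    bits = set()
    for perm in perms:
        for right in expand(perm):
            bits.update(APPROX.get(right, ""))  # unlisted rights add nothing
    return "".join(b if b in bits else "-" for b in "rwx")


def mode_triples(mode):
    """Split a numeric mode such as 0o750 into owner/group/everyone 'rwx' triples."""
    triples = {}
    for cls, shift in (("owner", 6), ("group", 3), ("everyone", 0)):
        n = (mode >> shift) & 0o7
        triples[cls] = ("r" if n & 4 else "-") + ("w" if n & 2 else "-") + ("x" if n & 1 else "-")
    return triples


def synthetic_acl(mode, is_dir):
    """Generic permissions synthesized per class when an SMB client reads mode bits:
    rwx becomes *_gen_all, any other combination the matching *_gen_read/write/execute."""
    prefix = "dir" if is_dir else "file"
    names = {"r": "read", "w": "write", "x": "execute"}
    acl = {}
    for cls, triple in mode_triples(mode).items():
        if triple == "rwx":
            acl[cls] = frozenset({f"{prefix}_gen_all"})
        else:
            acl[cls] = frozenset(f"{prefix}_gen_{names[b]}" for b in triple if b != "-")
    return acl


def ownership_rights(mode, is_dir):
    """Per class, the change-permissions / take-ownership / delete rights the synthetic ACL
    grants even though the mode bits alone do not express them."""
    result = {}
    for cls, perms in synthetic_acl(mode, is_dir).items():
        granted = set()
        for perm in perms:
            granted |= expand(perm)
        result[cls] = frozenset(granted & OWNERSHIP_RIGHTS)
    return result


if __name__ == "__main__":
    for mode in (0o750, 0o777):   # constructed sample modes
        print(f"file mode {mode:o}:", {c: sorted(p) for c, p in synthetic_acl(mode, False).items()})
        print("  ownership rights:", {c: sorted(r) for c, r in ownership_rights(mode, False).items()})
    print("std_write_dac alone is shown as", approximate_mode(["std_write_dac"]))
```

Two consequences of the tables are worth checking with this script before relying on the mode-bit view of a mixed-protocol share. First, `ownership_rights(0o777, False)` reports std_write_dac, std_write_owner and std_delete for everyone, which is the page's statement that rwx maps to full control: a world-writable file on the NFS side is a file whose permissions and owner any SMB user can change. Second, the approximation is lossy in both directions: an ACE carrying only WRITE_DAC is displayed as rwx, and a write-only mode of -w- synthesizes file_gen_write, which includes std_read_dac, so the tables never round-trip to the original bits.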