Access policy
The access policy defines how security is enforced on a multiprotocol file system. The default setting of Native maintains two separate sets of permissions for each file, and the protocol that is used to access the file determines which set of permissions is checked. If SMB is used, the ACLs are checked. If NFS is used, the NFSv3 mode bits or NFSv4 ACL are checked.
If the multiprotocol environment is heavily weighted toward users of one type or another, setting the access policy to one of the other values may be desirable. The Windows setting only checks the ACLs and completely ignores the NFSv3 mode bits and NFSv4 ACL while the UNIX policy does the opposite.
Table 9 describes the available access policies that can be configured at the file system level.
Access policy | Description |
--- | --- |
Native (default) | Manages access for each protocol separately with its own native security. Security for NFS shares uses the UNIX mode bits or NFSv4 ACL. Security for SMB shares uses the SMB Access Control List (ACL). The two sets of permissions are independent and there is no synchronization between them. NFSv3 UNIX mode bits or NFSv4 ACL permission changes are synchronized to each other, but SMB ACL is not changed. SMB ACL permission changes do not change the NFSv3 UNIX mode bits or NFSv4 ACL. |
Windows | Uses the SMB ACL for both protocols. Upon request for NFS access, the Windows credential that is built from the DC/LGDB is used to check the ACL for permissions. NFSv3 UNIX mode bits or NFSv4 ACLs are updated when SMB ACL permissions are changed. NFSv3 UNIX mode bits or NFSv4 ACL permission changes are denied. |
UNIX | Uses the NFSv3 UNIX mode bits or NFSv4 ACL for both protocols. Upon request for SMB access, the UNIX credential that is built from the UDS/local files is used to check the NFSv3 mode bits or NFSv4 ACL for permissions. SMB ACL permissions are updated when NFSv3 UNIX mode bits or NFSv4 ACLs are changed. SMB ACL permission changes are allowed, to avoid causing disruption, but these permissions are not maintained. |
Figure 23 shows how to configure the access policy on a file system.
For files created on NFS, the SMB ACLs are determined by ACL inheritance. For files created on SMB, the NFSv3 UNIX permissions are determined by the UMASK setting. The UMASK is a bitmask that controls the default UNIX permissions for newly created files and folders. This setting is only applied to new files and folders that are created on SMB on multiprotocol file systems.
The UMASK setting determines which UNIX permissions are excluded for new files and directories. By default, new files have 666 (-rw-rw-rw-) permissions while new directories have 777 (drwxrwxrwx) permissions. If the UMASK is set to the default value of 022, new files have 644 (-rw-r--r--) permissions and new directories have 755 (drwxr-xr-x) permissions instead. If NFSv4 ACL inheritance is present on the directory, it takes precedence over the UMASK setting.
This behavior is only used to determine the UNIX permissions when creating files. If permissions are changed on an existing file, the behavior depends on the configured access policy.
Figure 24 shows how to configure the UMASK setting on an SMB share.
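The following is an added example, not Dell code or part of the original page: a small Python audit helper that applies a UMASK to the 666/777 defaults described above, renders the resulting modes, and flags group or other write access on files created over SMB. The function names are hypothetical, the sample UMASK values are constructed, and NFSv4 ACL inheritance (which takes precedence over the UMASK) is not modeled.

```python
import stat

# Base modes before the UMASK is applied, as stated on this page.
FILE_BASE = 0o666
DIR_BASE = 0o777

# From the access policy table: does NFS access check the UNIX mode bits?
# The Windows policy checks only the SMB ACL and ignores the mode bits.
NFS_CHECKS_MODE_BITS = {"Native": True, "UNIX": True, "Windows": False}


def smb_created_modes(umask: int) -> dict:
    """Mode bits given to new files and directories created over SMB."""
    if not 0 <= umask <= 0o777:
        raise ValueError("UMASK must be between 000 and 777 (octal)")
    return {"file": FILE_BASE & ~umask, "dir": DIR_BASE & ~umask}


def symbolic(mode: int, is_dir: bool) -> str:
    """Render a mode as ls-style text, for example -rw-r--r--."""
    return stat.filemode((stat.S_IFDIR if is_dir else stat.S_IFREG) | mode)


def audit_umask(umask: int, policy: str = "Native") -> dict:
    """Report the resulting modes and flag group/other write permission."""
    if policy not in NFS_CHECKS_MODE_BITS:
        raise ValueError(f"unknown access policy: {policy}")
    modes = smb_created_modes(umask)
    findings = []
    for kind, mode in modes.items():
        if mode & stat.S_IWOTH:
            findings.append(f"{kind}: writable by other")
        if mode & stat.S_IWGRP:
            findings.append(f"{kind}: writable by group")
    return {
        "file": symbolic(modes["file"], False),
        "dir": symbolic(modes["dir"], True),
        "enforced_for_nfs": NFS_CHECKS_MODE_BITS[policy],
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (0o022, 0o000, 0o077):  # constructed sample UMASK values
        print(f"{sample:03o}", audit_umask(sample))
```

The `enforced_for_nfs` field shows whether the findings matter for NFS clients: under the Native and UNIX policies the mode bits are what NFS access is checked against, while under the Windows policy they are ignored.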