The DR Series system software supports the use of access control lists (ACLs) for CIFS and share-level permissions. By definition, an ACL is simply a list of permissions that can be associated with any network resource.
Each ACL can contain access control entries (ACEs) that define or describe the permissions for an individual user or a group of users. An ACL can consist of zero (meaning that all users have access) or a number of ACEs that define specific permissions on a per-user or per-group basis.
|
NOTE:If an ACE list is empty (meaning that it contains zero entries), this means that all access requests will be granted. |
An ACL describes the entities that are allowed to access a specific resource. ACLs are a built-in access control mechanism in the Windows operating systems.
|
NOTE: The DR Series system supports setting up share-level permissions for a CIFS share using a Microsoft Windows administrative tool. Share-level permissions let you control access to shares. For more information, see Configuring Share-Level Security. |
All new containers apply a default Access Control List (ACL) at the root of the container. This default ACL is the same as that which would be created by a Microsoft Windows 2003 Server. Therefore, these new containers with the default ACL support the following permission types:
|
NOTE: Any user that is part of BUILTIN\Administrators can edit ACLs on CIFS shares. The local DR Series system administrator is included in the BUILTIN\Administrators group. To add additional domain groups to the BUILTIN\Administrators group, you can use the Computer Manager tool on a Windows client to connect to the DR Series system as Domain administrator and add any groups you want. This capability allows users other than the Domain administrator to modify an ACL as needed. |
- BUILTIN\Administrators:
- Allows: Full access, object inherit, and container inherit.
- Applies to: This folder, subfolders, and files.
- CREATOR OWNER:
- Allows: Full access, inherit only, object inherit, and container inherit.
- Applies to: Subfolders and files only.
- EVERYONE:
- Allows: Traverse folders, execute files, list folders, read data, read attributes, and read extended attributes.
- Applies to: This folder only.
- NT AUTHORITY\SYSTEM:
- Allows: Full access, object inherit, and container inherit.
- Applies to: This folder, subfolders, and files.
- BUILTIN\Users:
- Allows: Create folders and append data, inherit-only, and container inherit.
- Applies to: This folder, subfolders, and files.
- BUILTIN\Users:
- Allows: Read and execute, and container inherit.
- Applies to: This folder, subfolders, and files.
- BUILTIN\Users:
- Allows: Create files and write data, object inherit, and container inherit.
- Applies to: Subfolders only.
|
NOTE: If these permissions are unsuitable for your needs, you can modify the default ACL to suit your own requirement using the Windows ACL Editor (for example, using Properties → Security from Windows Explorer). |
|
NOTE: The system does not understand the Owner Rights permission and sets the owner of new files/folders created by the Domain Administrators as DOM\Administrator rather than as BUILTIN\Administrators. |
For a user to create, delete, or rename a file or a directory requires Write access to the parent directory that contains these files. Only the owner of a file (or the root user) can change permissions.
Permissions are based on the user IDs (UIDs) for the file Owner and group IDs (GIDs) for the primary group. Files have owner IDs and group owner IDs. To enable Unix access, the DR Series system supports three levels of users:
- Owner (of the file)
- Group (group in which the owner belongs)
- Other (other users with an account on the system)
Each of these three user types support the following access permissions:
- Read (read access that allows user to read files)
- Write (write access that allows user to create or write to a file)
- Execute (access that allows user to execute files or traverse directories in the filesystem)
|
NOTE: A root user has all levels of permission access, and a user can be a member of a single group or of multiple groups (up to 32 groups are allowed in Unix). |
To enable Windows access, the DR Series system supports access control lists (ACLs) that contain zero or more access control entries (ACEs), and an empty ACE list grants all access requests. The Windows New Technology File System (NTFS) uses ACLs as part of the security descriptor (SD) process, which requires permissions to access such filesystem objects as files and directories. ACLs support two levels of users:
Both Owners and Groups have Security IDs (SIDs) that define and identify an object owner or the group owning an object. ACEs in an ACL consist of a SID, a specific permission that either allows or denies access and also defines which of the following inheritance settings apply:
- IO—inherit-only: not used for access checking.
- OI—object inherit: new files get this ACE added.
- CI—container inherit: new directories get this ACE added.
Windows NTFS ACLs include the following read, write, append, execute, and delete permissions that allow users to:
- Synchronize access
- Read data or list the directory
- Write data or add a file
- Append data or add a folder
- Read Extended Attributes (EAs)
- Write EAs
- Execute file or traverse folders
- Delete child or delete folders
- Delete a file
The Owner user type has two default permissions:
- Write discretionary ACL
- Read control