All Products
Search
Document Center

File Storage NAS:Manage permission groups

Last Updated:Jun 04, 2026

In File Storage NAS, a permission group acts as a virtual firewall that uses a whitelist to control network access to your file systems. You can configure custom permission groups with rules that grant different levels of access to specific IP addresses or CIDR blocks for various scenarios.

Background

By default, each Alibaba Cloud account has a default permission group. This group grants any IP address within the VPC full read/write access to the file system, with no restrictions on Linux user access.

The default permission group applies only within a VPC and is inaccessible from the public internet. It cannot be modified or deleted.

Important

If the default permission group is insufficient for your needs, create custom permission groups to grant specific access levels to different IP addresses or CIDR blocks.

Limitations

  • You can create up to 20 permission groups for each Alibaba Cloud account in a region.

  • Each permission group can contain up to 300 rules.

  • Permission groups can be created only for the VPC network type.

Procedure

Note

To maximize data security, add permission group rules cautiously. Grant access only to trusted IP addresses or CIDR blocks.

    Log on to the NAS console.

  1. Create a permission group.

    1. In the left-side navigation pane, choose File System > Permission Group.

    2. In the top navigation bar, select a region.

    3. On the Permission Group page, click the General-purpose NAS or Extreme NAS tab, and then click Create Permission Group.

    4. In the Create Permission Group dialog box, configure the parameters.

      The following table describes the key parameters.

      Parameter

      Description

      Name

      The name of the permission group. The name must meet the following requirements:

      • Must start with a letter.

      • Can contain letters, digits, underscores (_), and hyphens (-).

      • Chinese characters are not supported.

      • The name must be unique within the region.

      Network type

      Only VPC is supported.

      Note

      As of November 21, 2022, you can no longer create classic network permission groups for General-purpose NAS file systems. However, existing groups of this type created before this date can still be used.

  2. Add a rule to the permission group.

    1. Find the permission group that you created. In the Actions column, click Manage Rules. Then, click Create Rule and configure the rule parameters.

      Parameter

      Description

      Authorization type

      The authorization type for this rule. Valid values are IPv4 access address and IPv6 access address.

      Note

      IPv6 access addresses are supported only for Extreme NAS.

      Click to view regions that support IPv6

      China (Hohhot), China (Chengdu), China (Zhangjiakou), China (Shenzhen), China (Shanghai), China (Hangzhou), China (Beijing), and China (Qingdao).

      Authorized address

      The IP address or CIDR block to which access is granted. Permission groups only support access control based on IP addresses or CIDR blocks. They do not support restrictions based on device identifiers such as MAC addresses. If multiple devices in the same network share the same egress IP address, the permission group cannot distinguish access requests from different devices.

      Read/write permissions

      The permissions for the authorized source. Valid values are Read-only and Read/Write.

      User permissions

      Specifies how to map user identities from the client-side Linux system. This setting does not apply to SMB file systems and has no effect if configured.

      • No Anonymity: Allows a client's root user to access the file system with root privileges.

      • Root User Anonymity: Maps access requests from a root user on the client to the anonymous nobody user.

      • General Anonymity: Maps access requests from all users on the client to the anonymous nobody user.

      The nobody user is a default Linux user with low privileges, which enhances security. This user can typically only access public content on the server.

      Priority

      If an authorized source matches multiple rules, the one with the highest priority (lowest number) takes precedence. Enter an integer from 1 to 100, where 1 is the highest priority.

      Note

      If multiple rules with the same priority but different permissions contain overlapping CIDR blocks, the rule that was created first takes effect. We recommend avoiding configurations with overlapping CIDR blocks.

    2. Click OK.

Other operations

On the Permission Group page, you can perform the following operations.

Actions

Description

View permission groups and details

View details for permission groups in the current region, such as their type, rule count, and the number of attached file systems.

Edit a permission group

Find the target permission group and click Edit to modify its description.

Delete a permission group

Find the target permission group and click Delete to delete it.

View permission group rules

Find the target permission group and click Manage Rules to view the rules within that group.

Edit a permission group rule

Click Manage Rules, find the target rule, and then click Edit. You can modify the authorized address, read/write permissions, user permissions, and priority.

Delete a permission group rule

Click Manage Rules, find the target rule, and then click Delete to delete the rule.

Related topics

To protect data in transit, use the encryption-in-transit feature. It secures the network link between your ECS instances and the NAS service, protecting data from theft or tampering during transmission. For detailed instructions, see Encryption-in-transit for NFS file systems or Encryption-in-transit for SMB file systems.