
Use permission groups

Last Updated: Nov 27, 2017

In NAS, the permission group acts as a whitelist that allows you to restrict file system access. You can allow specified IP addresses or CIDR blocks to access the file system, and assign different levels of access permission to different IP addresses or CIDR blocks by adding rules to the permission group.

Default permission group

When NAS is activated, the Default VPC Permission Group is automatically generated. It allows all IP addresses in a VPC to access the mount point with full permissions. Full permissions include Read/Write permission with no restriction on root users.

For classic network mount points, no default permission group is provided. In addition, the allowed IP address in permission group rules must be a single IP address rather than a CIDR block.

Note: We recommend that you add permission group rules carefully and only allow necessary IP addresses.

Create a permission group

To create a permission group, follow these steps.

  1. Log on to the NAS console.

  2. From the left-side navigation pane, click Permission Groups.

  3. Click Create Permission Group.

  4. On the Create Permission Group page, enter a name and click OK.

Note: Up to 10 permission groups are allowed for an Alibaba Cloud account.

Add a rule to a permission group

On the Permission Groups page, click Manage under a permission group to enter its Rules page, where you can add and manage rules.

A permission group rule is composed of the following attributes:

| Attribute | Value | Description |
| --- | --- | --- |
| Authorized Address | Single IP addresses or CIDR blocks (classic network only supports single IP addresses) | Authorized objects of the rule. |
| Read and Write Permission | Read-Only or Read/Write | Allows the authorized object read-only or read/write access on the file system. |
| User Permission | Do not restrict root users (no_squash), restrict root users (root_squash), restrict all users (all_squash) | Determines whether to restrict the permission of the authorized object's Linux system users in the file system. When determining access permissions of a file or a directory: if you restrict root users, then the root users are treated as nobody; if you restrict all users, then all users including root users are treated as nobody. |
| Priority | 1-100, with 1 as the highest priority | When the same authorized object matches multiple rules, the rule with the highest priority overrides the remaining rules. |
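The following added example (not Alibaba Cloud code and not a NAS API) models how the rule attributes above combine, and audits a rule set against the recommendation to allow only necessary addresses. The `Rule` class, the function names, the sample rules, the containment-based matching of overlapping ranges, the tie-break on equal priority, and the `min_prefix` threshold are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    address: str   # single IP address or CIDR block
    access: str    # "ro" (Read-Only) or "rw" (Read/Write)
    squash: str    # "no_squash", "root_squash" or "all_squash"
    priority: int  # 1-100, with 1 as the highest priority

def effective_rule(rules, client_ip):
    """Return the rule applied to client_ip, or None (whitelist: no match, no access)."""
    ip = ipaddress.ip_address(client_ip)
    matches = [r for r in rules if ip in ipaddress.ip_network(r.address, strict=False)]
    # Lowest number wins; on equal priority the first listed rule is kept (assumption).
    return min(matches, key=lambda r: r.priority, default=None)

def effective_user(rule, user):
    """Identity used for permission checks for a client-side Linux user."""
    if rule.squash == "all_squash" or (rule.squash == "root_squash" and user == "root"):
        return "nobody"
    return user

def audit(rules, classic_network=False, min_prefix=24):
    """Flag rules invalid for the network type or broader than necessary."""
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r.address, strict=False)
        if not 1 <= r.priority <= 100:
            findings.append((r.address, "priority outside 1-100"))
        if classic_network and net.num_addresses != 1:
            findings.append((r.address, "classic network requires a single IP address"))
        # min_prefix is an illustrative threshold for "broad", not a NAS setting.
        if net.prefixlen < min_prefix and r.access == "rw" and r.squash == "no_squash":
            findings.append((r.address, "broad range with read/write and unrestricted root"))
    return findings

# Constructed sample rules (not from the page).
RULES = [
    Rule("10.0.0.0/8", "rw", "no_squash", 100),
    Rule("10.0.1.0/24", "ro", "root_squash", 10),
    Rule("10.0.1.5", "rw", "all_squash", 1),
]
```

With these sample rules, a client at 10.0.1.5 matches all three rules but gets the priority 1 rule, so even its root user is treated as nobody, while the /8 rule is the only one the audit flags for a VPC mount point.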