Cloud Parallel File Storage:Use an NFSv4 ACL to control access to a CPFS-POSIX file system

Last Updated:Nov 09, 2025

Access control lists (ACLs) are used to define the access permissions that are granted to users or user groups on files or directories. This topic describes how to configure an NFSv4 ACL to control access to files and directories in a Cloud Parallel File Storage (CPFS) file system that is mounted by using the CPFS-POSIX client.

Prerequisites

A CPFS file system is mounted by using the CPFS-POSIX client. For more information, see Getting started with the CPFS-POSIX client.
Note: The CPFS-NFS client supports only NFSv3 and does not support NFSv4 ACLs.

Command description

Before you configure an NFSv4 ACL, we recommend that you get familiar with the following commands.

  mmgetacl <FileName or Dirname>
    Queries the ACL that applies to the specified file or directory.
  mmgetacl <FileName or Dirname> > standard.acl
    Queries the ACL that applies to the specified file or directory and saves it to the standard.acl file.
  mmputacl -i standard.acl <FileName or Dirname>
    Applies the ACL in the standard.acl file to the specified file or directory.
  export EDITOR=/usr/bin/vim;mmeditacl <FileName or Dirname>
    Opens the ACL that applies to the specified file or directory in the editor so that you can edit it.

Configure an ACL

To control access to files and directories by configuring an NFSv4 ACL, perform the following steps:

  1. Create users and groups.

    In this example, the following users are created: player, admini, and anonym. The following groups are created: players and adminis. The player user is added to the players group and the admini user is added to the adminis group.

    1. Create the player user and add the player user to the players group.
      sudo useradd player
      sudo groupadd players
      sudo usermod -g players player
    2. Create the admini user and add the admini user to the adminis group.
      sudo useradd admini
      sudo groupadd adminis
      sudo usermod -g adminis admini
    3. Create the anonym user.
      sudo useradd anonym
  2. Obtain the IDs of the players and adminis groups.

    Open the /etc/group file to obtain the IDs of the players and adminis groups.

    players:x:1001:
    adminis:x:1003:
  3. Configure an NFSv4 ACL to control access to files and directories.

    In this example, a directory named dir3 is created. The players group is granted the read-only permissions on all files in the dir3 directory. The adminis group is granted the read, write, and execute permissions on all files in the dir3 directory. Other users are granted no permissions on the dir3 directory.

    1. Create a directory named dir3.
      mkdir dir3
    2. Write the following ACL to the ~/acl.txt file.
      #NFSv4 ACL
      #owner:root
      #group:root
      special:everyone@:----:allow:FileInherit:DirInherit
       (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (-)READ_ATTR  (-)READ_NAMED
       (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
      
      special:group@:----:allow:FileInherit:DirInherit
       (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (-)READ_ATTR  (-)READ_NAMED
       (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
      
      special:owner@:----:allow:FileInherit:DirInherit
       (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (-)READ_ATTR  (-)READ_NAMED
       (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
      
      group:adminis:rwxc:allow:FileInherit:DirInherit
       (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
       (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
      
      group:players:r-x-:allow:FileInherit:DirInherit
       (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
       (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
      
      special:owner@:---c:allow
       (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
       (-)DELETE    (-)DELETE_CHILD (X)CHOWN        (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
      
      special:group@:----:allow
       (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
       (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
      
      special:everyone@:----:allow
       (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
       (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
    3. Apply the ACL to the dir3 directory.
      mmputacl -i ~/acl.txt dir3
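
Before a file such as acl.txt is applied with mmputacl, it is worth checking that it grants no more than the policy in step 3 intends. The following is an added example, not CPFS or GPFS code: a small Python linter that parses the mmgetacl-style format shown above, using the (X)/(-) detail lines as the source of truth, and flags entries that exceed the policy (everyone@ with list, search or write-class rights, a read-only group with any write-class right, and WRITE_ACL or CHOWN held by anyone other than owner@ or the admin groups). The policy rules, the audit_acl function and the sample ACL text are constructed here.

```python
import re

WRITE_RIGHTS = {"WRITE/CREATE", "APPEND/MKDIR", "DELETE", "DELETE_CHILD",  # rights that change
                "CHOWN", "WRITE_ACL", "WRITE_ATTR", "WRITE_NAMED"}         # data, metadata or ACL
MASK_RE = re.compile(r"\((X|-)\)([A-Z_/]+)")   # one (X)RIGHT or (-)RIGHT token on a detail line

def parse_nfsv4_acl(text):
    """Parse mmgetacl-style NFSv4 ACL text; 'granted' holds the rights marked (X)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue                                   # blank or #header line
        if raw[0].isspace() and entries:               # detail line of the last entry
            entries[-1]["granted"] |= {r for f, r in MASK_RE.findall(raw) if f == "X"}
            continue
        kind, name, perms, ace_type, *flags = raw.split(":")   # ValueError on a malformed line
        entries.append({"kind": kind, "name": name, "perms": perms,
                        "type": ace_type, "flags": flags, "granted": set()})
    return entries

def audit_acl(text, read_only_groups=("players",), admin_groups=("adminis",)):
    """Policy of the example above: everyone@ gets only attribute/ACL reads, read-only
    groups get no write-class right, WRITE_ACL/CHOWN stay with owner@ and admins."""
    findings = []
    for e in parse_nfsv4_acl(text):
        if e["type"] != "allow":
            continue                                   # deny entries never widen access
        got = e["granted"]
        if e["name"] == "everyone@":
            extra = got & (WRITE_RIGHTS | {"READ/LIST", "EXEC/SEARCH"})
        elif e["kind"] == "group" and e["name"] in read_only_groups:
            extra = got & WRITE_RIGHTS
        elif e["name"] == "owner@" or e["name"] in admin_groups:
            extra = set()
        else:
            extra = got & {"WRITE_ACL", "CHOWN"}
        if extra:
            findings.append(f"{e['kind']}:{e['name']} grants {sorted(extra)}")
    return findings

# Constructed sample in the acl.txt format above (the players and everyone@ entries).
SAMPLE_ACL = """\
group:players:r-x-:allow:FileInherit:DirInherit
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
special:everyone@:----:allow
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
"""
LOOSE_ACL = SAMPLE_ACL.replace(":r-x-:", ":rwx-:").replace("(-)WRITE/CREATE", "(X)WRITE/CREATE", 1)  # constructed drift: players given write
```

audit_acl(SAMPLE_ACL) returns an empty list, while audit_acl(LOOSE_ACL) reports that group:players grants WRITE/CREATE; the same function can be run over the output of mmgetacl to detect drift after the ACL has been applied.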

Verify the ACL

To verify the configured ACL, perform the following steps:

  1. Verify whether the admini user has the read and write permissions on the dir3/file file.
    sudo su admini -c 'touch dir3/file'
    sudo su admini -c 'echo 123 > dir3/file'

    If no error message appears, the admini user has the read and write permissions on the dir3/file file.

  2. Verify whether the player user has the read-only permissions on the dir3/file file.
    1. Verify whether the player user has the execute permissions on the dir3/file file.
      • Run the following command:
        sudo su player -c 'touch dir3/file'
      • If the output is similar to the following information, the player user does not have the execute permissions on the dir3/file file:
        touch: cannot touch 'dir3/file': Permission denied
    2. Verify whether the player user has the write permissions on the dir3/file file.
      • Run the following command:
        sudo su player -c 'echo 456 >> dir3/file'
      • If the output is similar to the following information, the player user does not have the write permissions on the dir3/file file:
        bash: dir3/file: Permission denied
    3. Verify whether the player user has the permissions to modify the ACL of the dir3/file file.
      1. Modify the ACL of the dir3/file file.
        sudo su player -c 'export EDITOR=/usr/bin/vim;/usr/lpp/mmfs/bin/mmeditacl dir3/file'
      2. When the following prompt appears, enter yes to apply the modified ACL:
        mmeditacl: Should the modified ACL be applied? (yes) or (no)
        If the output is similar to the following information, the player user does not have the permissions to modify the ACL of the dir3/file file:
        tsputacl: Authorization failure
  3. Verify that the anonym user has no permissions on the dir3 directory.
    1. Verify whether the anonym user has the permissions to access the dir3 directory.
      • Run the following command:
        sudo su anonym -c 'ls dir3'
      • If the output is similar to the following information, the anonym user does not have the permissions to access the dir3 directory:
        ls: cannot open directory 'dir3': Permission denied
    2. Verify whether the anonym user has the permissions to view the content of the dir3/file file.
      • Run the following command:
        sudo su anonym -c 'cat dir3/file'
      • If the output is similar to the following information, the anonym user does not have the permissions to view the content of the dir3/file file:
        cat: dir3/file: Permission denied
    3. Verify whether the anonym user has the permissions to modify the ACL of the dir3/file file.
      • Run the following command:
        sudo su anonym -c 'export EDITOR=/usr/bin/vim;/usr/lpp/mmfs/bin/mmeditacl dir3/file'
      • If the output is similar to the following information, the anonym user does not have the permissions to modify the ACL of the dir3/file file:
        dir3/file: Permission denied
        tsgetacl: Cannot open dir3/file
        mmeditacl: Failure reading ACL (rc=13)

Revoke permissions

This section describes how to revoke permissions from a user. In this example, the admini user is removed from the adminis group and added to a new group named adminis2, after which you verify that the admini user no longer has any permissions on the dir3 directory.

  1. Create a group named adminis2.
    sudo groupadd adminis2
  2. Remove the admini user from the adminis group and add the admini user to the adminis2 group.
    sudo usermod -g adminis2 admini
  3. Query the ID information about the admini user.
    • Run the following command:
      id admini
    • Sample output:
      uid=1001(admini) gid=1005(adminis2) groups=1005(adminis2)
  4. Verify that the admini user has no permissions on the dir3 directory.
    1. Verify whether the admini user has the permissions to access the dir3 directory.
      • Run the following command:
        sudo su admini -c 'ls dir3'
      • If the output is similar to the following information, the admini user does not have the permissions to access the dir3 directory:
        ls: cannot open directory 'dir3': Permission denied
    2. Verify whether the admini user has the permissions to view the content of the dir3/file file.
      • Run the following command:
        sudo su admini -c 'cat dir3/file'
      • If the output is similar to the following information, the admini user does not have the permissions to view the content of the dir3/file file:
        cat: dir3/file: Permission denied
    3. Verify whether the admini user has the permissions to modify the ACL of the dir3/file file.
      • Run the following command:
        sudo su admini -c 'export EDITOR=/usr/bin/vim;/usr/lpp/mmfs/bin/mmeditacl dir3/file'
      • If the output is similar to the following information, the admini user does not have the permissions to modify the ACL of the dir3/file file:
        dir3/file: Permission denied
        tsgetacl: Cannot open dir3/file
        mmeditacl: Failure reading ACL (rc=13)