
File Storage NAS:Manage permission groups

Last Updated:Dec 31, 2025

In File Storage NAS (NAS), permission groups function as whitelists to control data access. To ensure data security, you can create custom permission groups and add rules to grant different access permissions to specific IP addresses or CIDR blocks for various scenarios.

Background information

Each Alibaba Cloud account has a default permission group that allows read and write access from all IP addresses and grants root users access without mapping them to a low-privilege user (the no_squash option).

The default permission group is effective only in a virtual private cloud (VPC) and is not accessible over the public network. You cannot delete or modify the default permission group.

Important

If the default permission group does not meet your business requirements, you can create a custom permission group and add rules to grant different access permissions to specific IP addresses or CIDR blocks.

Limits

  • Each Alibaba Cloud account can have up to 20 permission groups per region.

  • You can add up to 300 rules to each permission group.

  • You can create permission groups only for VPCs.

Procedure

Note

To maximize data security, add rules only for necessary IP addresses or CIDR blocks.

    Log on to the NAS console.

  1. Create a permission group.

    1. In the navigation pane on the left, click File System > Permission Group.

    2. At the top of the page, select a region.

    3. On the Permission Group page, click the General-purpose NAS or Extreme NAS tab, and then click Create Permission Group.

    4. In the Create Permission Group dialog box, set the parameters.

      (Screenshot: Create Permission Group dialog box)

      The following describes the important parameters.

      Parameter

      Description

      Name

      Set the name of the permission group. The name must meet the following requirements:

      • It must start with a letter.

      • It can contain letters, digits, underscores (_), and hyphens (-).

      • It cannot contain Chinese characters.

      • Permission group names must be unique.

      Network Type

      Only VPC is supported.

      Note

      Starting from November 21, 2022, you cannot create classic network permission groups for General-purpose NAS file systems. Classic network permission groups that were created before November 21, 2022 can still be used.

  2. Add a rule to the permission group.

    1. Find the permission group that you created. Click Actions in the Manage Rules column, and then click Create Rule. Set the parameters for the rule.

      Parameter

      Description

      Authorization Type

      The type of IP address for the rule. Valid values are IPv4 access address and IPv6 access address.

      Note

      IPv6 access addresses are supported only by Extreme NAS file systems.

      IPv6 is supported in the following regions: China (Hohhot), China (Chengdu), China (Zhangjiakou), China (Shenzhen), China (Shanghai), China (Hangzhou), China (Beijing), and China (Qingdao).

      Authorized Address

      The IP address or CIDR block (IPv4 or IPv6, depending on the authorization type) to which the rule applies.

      Read/Write Permissions

      The access permissions for the authorized object. Valid values are Read-only and Read/Write.

      User Permissions

      Specifies whether the Linux users of a client are mapped to a low-privilege user when they access the file system. This parameter is not supported by Server Message Block (SMB) file systems and has no effect if you configure it for them.

      • No Anonymity: Allows root users to access the file system as root, without mapping them to a low-privilege user.

      • Root User Anonymity: Maps root users to the nobody user.

      • General Anonymity: Maps all users to the nobody user.

      The nobody user is a default low-privilege user in Linux. A user that is mapped to nobody can access only content on the server that is open to everyone, which limits what a compromised or misconfigured client can do to the file system.

      Priority

      When multiple rules match the same authorized object, the rule with the highest priority takes effect. You can select an integer from 1 to 100. 1 indicates the highest priority.

      Note

      If multiple rules contain overlapping CIDR blocks, have different permissions, and have the same priority, the rule that was configured first takes effect. Avoid configuring rules with overlapping CIDR blocks.

    2. Click OK.
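The following Python example is added here to make the precedence rules above concrete; it is not code from the NAS console or API. It models a permission group as a list of rules, resolves which rule applies to a client address the way the page describes (highest priority wins, earliest-configured rule wins a tie), flags same-priority overlaps with different permissions, and flags rules that reproduce the default group's open posture. The Rule class, function names and sample addresses are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import count

# Constructed model of a NAS permission-group rule for this example; it is
# not the NAS API's own data structure.
@dataclass
class Rule:
    cidr: str          # Authorized Address: an IPv4/IPv6 address or CIDR block
    rw: str            # Read/Write Permissions: "Read-only" or "Read/Write"
    user: str          # User Permissions: "No Anonymity", "Root User Anonymity", "General Anonymity"
    priority: int = 1  # 1 to 100; 1 is the highest priority
    seq: int = field(default_factory=count().__next__)  # creation order; earlier wins ties

    def __post_init__(self):
        if not 1 <= self.priority <= 100:
            raise ValueError("priority must be an integer from 1 to 100")
        self.network = ipaddress.ip_network(self.cidr, strict=False)

def effective_rule(rules, client_ip):
    """Rule that applies to client_ip, or None if no rule matches. The highest
    priority (lowest number) wins; on a tie the rule configured first wins."""
    ip = ipaddress.ip_address(client_ip)  # 'in' is False across IPv4/IPv6
    matches = [r for r in rules if ip in r.network]
    return min(matches, key=lambda r: (r.priority, r.seq), default=None)

def overlapping_conflicts(rules):
    """Pairs of rules with overlapping CIDR blocks, equal priority and different
    permissions: the outcome then depends only on creation order."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.network.overlaps(b.network) and a.priority == b.priority
                    and (a.rw, a.user) != (b.rw, b.user)):
                found.append((a.cidr, b.cidr))
    return found

def too_broad(rules):
    """Rules that reproduce the default group's posture: every address gets
    Read/Write access with root not mapped to a low-privilege user."""
    return [r.cidr for r in rules
            if r.network.prefixlen == 0 and r.rw == "Read/Write" and r.user == "No Anonymity"]

# Constructed sample rules for a hypothetical VPC, in the order they were created.
SAMPLE_RULES = [
    Rule("192.168.1.0/24", "Read/Write", "No Anonymity", priority=10),
    Rule("192.168.1.0/24", "Read-only", "Root User Anonymity", priority=10),  # same priority: loses tie
    Rule("192.168.1.10", "Read-only", "General Anonymity", priority=1),
    Rule("0.0.0.0/0", "Read/Write", "No Anonymity", priority=100),
]
```

Running overlapping_conflicts and too_broad over an exported rule set is a cheap review step before attaching a group to a file system.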

Other operations

On the Permission Group page, you can perform the following operations.

Operation

Description

View permission groups and details

View the permission groups created in the current region and their details. This includes the network type, number of rules, and number of attached file systems.

Edit a permission group

Find the target permission group and click Edit to modify the description of the permission group.

Delete a permission group

Find the target permission group and click Delete to delete the permission group.

View permission group rules

Find the target permission group and click Manage Rules to view the rules in the permission group.

Edit a permission group rule

Click Manage Rules. Find the target permission group rule and click Edit in the Actions column. In the dialog box that appears, you can modify the authorized address, read/write permissions, user permissions, and priority.

Delete a permission group rule

Click Manage Rules, find the target permission group rule, and click Delete.

References

You can use the encryption in transit feature to protect data transmitted between your Elastic Compute Service (ECS) instances and NAS file systems from interception or tampering. For more information, see encryption in transit for NFS file systems or encryption in transit for SMB file systems.