All Products
Search
Document Center

File Storage NAS:NFS ACL overview

Last Updated:Jun 03, 2026

File Storage NAS provides NFS access control lists (ACLs), including POSIX ACL and NFSv4 ACL, for NFS file systems. NFS ACLs let you grant fine-grained permissions on directories and files to specific users and groups.

Background

When multiple users and groups share a file system, administrators need fine-grained control over who can access specific files and directories. File Storage NAS provides NFS ACLs — including NFSv4 ACL and POSIX ACL — for this purpose. An ACL is a list of access control entries (ACEs) that define permissions on a file or directory.

Mounting an NFSv4 ACL file system over NFSv3 converts the ACLs to POSIX ACLs, and vice versa. However, the two ACL types are not fully compatible, and interoperability between mode and ACLs is limited. NFSv3 mounts also do not support locks. If you use NFSv4 ACLs, mount with the NFSv4 protocol only and avoid mode and POSIX ACLs. Features.

Enable NFS ACL from the console or API. Configure the NFS ACL feature.

POSIX ACL

POSIX ACL extends the standard mode permission model by letting you set permissions for specific users and groups beyond the owner, group, and other classes. It also supports permission inheritance.

Each ACE specifies read, write, and execute permissions for a user or group.

An ACE contains a tag type, an optional qualifier, and a set of permissions, in the format default:type:permissions.

  • default: Directory inheritance ACE

    Indicates an inheritance ACE for a directory. Only directories support this type of ACE.

  • type: ACE tag type

    A POSIX ACE must have exactly one of six types. Each type is represented by a single character.

    Type

    Identifier

    Description

    ACL_USER_OBJ

    user:

    The file owner.

    ACL_USER

    user:uid

    A specific user. Example: user:admin.

    ACL_GROUP_OBJ

    group:

    The owning group of the file.

    ACL_GROUP

    group:gid

    A specific user group. Example: group:players.

    ACL_MASK

    mask:

    The maximum permissions for ACEs that apply to specific users, the owning group, and specific user groups.

    ACL_OTHER

    other:

    Other users.

  • Permissions

    Permission

    Description

    r

    Read permission.

    w

    Write permission.

    x

    Permission to execute a file or enter a directory.

    -

    No permission.

    POSIX ACL details: acl - Linux man page.

NFSv4 ACL

NFSv4 ACL provides more granular permission control than POSIX ACL.

The ACE format for an NFSv4 ACL is type:flags:principal:permissions.

  • ACE type

    Each NFSv4 ACE must have exactly one of four types, represented by a single character.

    Type

    Identifier

    Description

    Allow

    A

    Allow.

    Grants the specified permissions.

    Deny

    D

    Deny.

    Denies the specified permissions.

    Audit

    U

    Audit.

    Logs any access that requires the specified permissions. Requires one or both of the successful-access and failed-access flags. Only some systems support this type.

    Alarm

    L

    Alarm.

    Generates a system alarm for any access that requires the specified permissions. Requires one or both of the successful-access and failed-access flags. Only some systems support this type.

  • Flags

    ACEs have three categories of flags: group, inheritance, and administrative.

    Flag

    Identifier

    Description

    group

    g

    Specifies a user group.

    directory-inherit

    d

    Directory inheritance ACE.

    Newly created subdirectories inherit the ACE.

    file-inherit

    f

    File inheritance ACE.

    • Newly created files inherit the ACE from the parent directory, but their inheritance flags are removed.

    • Newly created subdirectories inherit the ACE from the parent directory. If directory-inherit is not also specified in the parent ACE, inherit-only is added to the inherited ACE.

    inherit-only

    i

    The ACE is not considered during permission checks, but it is inheritable. However, the inherit-only flag is stripped from the inherited ACE.

    no-propagate-inherit

    n

    Newly created subdirectories inherit the ACE, but their inheritance flags are removed.

    successful-access

    S

    For Audit or Alarm ACEs, this flag triggers the specified action when an access attempt that matches the permissions is successful.

    failed-access

    F

    For Audit or Alarm ACEs, this flag triggers the specified action when an access attempt that matches the permissions is denied.

  • Principal

    The principal that can perform operations on a file, including OWNER@, GROUP@, EVERYONE@, or a specific principal.

  • Permissions

    Note
    • The default minimum permissions for the OWNER@ principal are tTnNcCy. Permissions less than these are not allowed.

    • The default minimum permissions for the GROUP@ and EVERYONE@ principals are tncy. Permissions less than these are not allowed.

    NFSv4 ACL permissions for files

    Permission

    Description

    Notes

    r

    Read file data.

    None.

    w

    Write or create a file.

    Takes effect only when the a permission is also present. Invalid when specified alone.

    a

    Append data to a file.

    Takes effect only when the w permission is also present. Invalid when specified alone.

    x

    Execute a file.

    Takes effect only when the r permission is also present. Invalid when specified alone.

    d

    Delete a file.

    The d permission on a file has no effect. A user with wx permissions on the parent directory can delete the file, regardless of the file's d permission.

    D

    -

    The D permission cannot be set on a file. A nfs4_setfacl D operation is filtered by the client.

    t

    Read file attributes.

    One of the default minimum permissions (tncy). This permission cannot be removed.

    T

    Modify file attributes.

    None.

    n

    Read the named attributes of a file.

    One of the default minimum permissions (tncy). This permission cannot be removed.

    N

    Modify the named attributes of a file.

    File Storage NAS does not support setting named attributes. The N permission is not effective.

    c

    Read the ACL of a file.

    One of the default minimum permissions (tncy). This permission cannot be removed.

    C

    Modify the ACL of a file.

    None.

    o

    Modify the owner of a file.

    A user with the o permission can change the file owner to themselves, but not to another user unless the current user is root.

    y

    Allow synchronous access.

    One of the default minimum permissions (tncy). This permission cannot be removed.

    NFSv4 ACL permissions for directories

    Permission

    Description

    Notes

    r

    List directory contents.

    None.

    w

    Create files or directories.

    The w permission is not effective. Its functionality is included in the D permission, which takes effect only when the x permission is also present.

    a

    Create subdirectories.

    The a permission is not effective. Its functionality is included in the D permission, which takes effect only when the x permission is also present.

    x

    Enter a directory.

    None.

    d

    Delete a directory.

    The d permission is not effective. A user with wx permissions on the parent directory can delete the current directory, regardless of the d permission on the directory itself.

    D

    Delete child files and subdirectories.

    Takes effect only when the x permission is also present. Invalid when specified alone.

    t

    Read directory attributes.

    One of the default minimum permissions (tncy). This permission cannot be removed.

    T

    Modify directory attributes.

    None.

    n

    Read the named attributes of a directory.

    One of the default minimum permissions (tncy). This permission cannot be removed.

    N

    Modify the named attributes of a directory.

    File Storage NAS does not support setting named attributes. The N permission is not effective.

    c

    Read the ACL of a directory.

    One of the default minimum permissions (tncy). This permission cannot be removed.

    C

    Modify the ACL of a directory.

    None.

    o

    Modify the owner of a directory.

    A user with the o permission can change the directory owner to themselves, but not to another user unless the current user is root.

    y

    Allow synchronous access.

    One of the default minimum permissions (tncy). This permission cannot be removed.

    NFSv4 ACL details: nfs4_acl - Linux man page.

POSIX ACL guidelines

  • Set ACLs

    • Use inheritance (default) to apply the same ACL to a subdirectory tree, avoiding per-file or per-directory setup.

    • Use setfacl -R with caution — running it on large directory trees creates metadata pressure and degrades performance.

    • Plan user groups and permissions before setting ACLs. Manage access through group memberships so you can adjust permissions by changing groups instead of modifying ACLs. Always set ACLs for groups, not individual users.

    • If you use POSIX ACL across multiple clients, ensure matching UIDs and GIDs for the same users and groups. NAS identifies principals by UID or GID, not by name.

  • Use ACLs

    • The system scans all ACEs during each permission check. Minimize ACE count to avoid performance degradation.

  • Set permissions for 'other'

    • Minimize 'other' permissions — they apply to all users. Granting 'other' more access than a specific ACE creates a security risk.

    • Run umask 777 before your code to set the creation mode to 000, minimizing default permissions. umask and default mode.

    • After POSIX ACL is enabled, the 'other' class in file mode is treated as 'everyone' during permission checks.

NFSv4 ACL guidelines

  • Set ACLs

    • Set ACLs by using UIDs or GIDs, such as UID 1001.

    • Use inheritance to apply the same ACL to a subdirectory tree, avoiding per-file or per-directory ACL setup.

    • Use nfs4_setfacl -R with caution — running it on large directory trees creates metadata pressure and degrades performance.

  • Use ACLs

    • The system scans all ACEs during each permission check. Minimize ACE count to avoid performance degradation.

  • Set ACL permissions

    • After adopting NFSv4 ACLs, avoid using mode.

    • The nfs4_setfacl command supports -a, -x, and -m options, but nfs4_setfacl -e <file> provides a more intuitive interactive editing experience.

    • Fine-grained write permissions can cause unexpected failures — for example, granting w without a may block writes. Similar issues apply to directory modifications. Use uppercase W with nfs4_setfacl to set write permissions. nfs4_setfacl expands W to the full write set: wadT for files and wadTD for directories.

    • Plan user groups and permissions before setting ACLs. Manage access through group memberships so you can adjust permissions by changing groups instead of modifying ACLs. Always set ACLs for groups, not individual users.

    • NAS supports only Allow ACEs for NFSv4 ACLs, not Deny ACEs. Minimize 'everyone' permissions — excessive 'everyone' access creates security vulnerabilities.

Configure NFS ACL

Console

Enable NFS ACL

  1. Log on to the NAS console.

  2. In the left-side navigation pane, choose File System > File System List.

  3. In the top navigation bar, select a region.

  4. On the File System List page, find the target file system and click its file system ID, or click Manage in the Actions column.

  5. Select the Access Control tab and click Enable. In the NFS ACL section, select Enable. In the confirmation dialog box, note that enabling NFS ACL changes the meaning of 'other' to 'everyone'. Set 'other' permissions to the minimum level. Click OK.

Disable NFS ACL

On the Access Control tab, click Close.

Disabling NFS ACL clears all permissions for principals other than owner, group, and other. The 'other' semantic reverts from 'everyone' to standard mode other. Click OK to confirm.

API

  • Call the EnableNfsAcl operation to enable the NFS ACL feature.

  • Call the DisableNfsAcl operation to disable the NFS ACL feature.

After enabling NFS ACL, use POSIX ACL or NFSv4 ACL to manage file and directory permissions.