File Storage NAS provides NFS access control lists (ACLs), including POSIX ACL and NFSv4 ACL, for NFS file systems. NFS ACLs let you grant fine-grained permissions on directories and files to specific users and groups.
Background
When multiple users and groups share a file system, administrators need fine-grained control over who can access specific files and directories. File Storage NAS provides NFS ACLs — including NFSv4 ACL and POSIX ACL — for this purpose. An ACL is a list of access control entries (ACEs) that define permissions on a file or directory.
Mounting an NFSv4 ACL file system over NFSv3 converts the ACLs to POSIX ACLs, and vice versa. However, the two ACL types are not fully compatible, and interoperability between mode and ACLs is limited. NFSv3 mounts also do not support locks. If you use NFSv4 ACLs, mount with the NFSv4 protocol only and avoid mode and POSIX ACLs. Features.
Enable NFS ACL from the console or API. Configure the NFS ACL feature.
POSIX ACL
POSIX ACL extends the standard mode permission model by letting you set permissions for specific users and groups beyond the owner, group, and other classes. It also supports permission inheritance.
Each ACE specifies read, write, and execute permissions for a user or group.
An ACE contains a tag type, an optional qualifier, and a set of permissions, in the format default:type:permissions.
-
default: Directory inheritance ACE
Indicates an inheritance ACE for a directory. Only directories support this type of ACE.
-
type: ACE tag type
A POSIX ACE must have exactly one of six types. Each type is represented by a single character.
Type
Identifier
Description
ACL_USER_OBJ
user:The file owner.
ACL_USER
user:uidA specific user. Example:
user:admin.ACL_GROUP_OBJ
group:The owning group of the file.
ACL_GROUP
group:gidA specific user group. Example:
group:players.ACL_MASK
mask:The maximum permissions for ACEs that apply to specific users, the owning group, and specific user groups.
ACL_OTHER
other:Other users.
-
Permissions
Permission
Description
r
Read permission.
w
Write permission.
x
Permission to execute a file or enter a directory.
-
No permission.
POSIX ACL details: acl - Linux man page.
NFSv4 ACL
NFSv4 ACL provides more granular permission control than POSIX ACL.
The ACE format for an NFSv4 ACL is type:flags:principal:permissions.
-
ACE type
Each NFSv4 ACE must have exactly one of four types, represented by a single character.
Type
Identifier
Description
Allow
A
Allow.
Grants the specified permissions.
Deny
D
Deny.
Denies the specified permissions.
Audit
U
Audit.
Logs any access that requires the specified permissions. Requires one or both of the successful-access and failed-access flags. Only some systems support this type.
Alarm
L
Alarm.
Generates a system alarm for any access that requires the specified permissions. Requires one or both of the successful-access and failed-access flags. Only some systems support this type.
-
Flags
ACEs have three categories of flags: group, inheritance, and administrative.
Flag
Identifier
Description
group
g
Specifies a user group.
directory-inherit
d
Directory inheritance ACE.
Newly created subdirectories inherit the ACE.
file-inherit
f
File inheritance ACE.
-
Newly created files inherit the ACE from the parent directory, but their inheritance flags are removed.
-
Newly created subdirectories inherit the ACE from the parent directory. If
directory-inheritis not also specified in the parent ACE,inherit-onlyis added to the inherited ACE.
inherit-only
i
The ACE is not considered during permission checks, but it is inheritable. However, the
inherit-onlyflag is stripped from the inherited ACE.no-propagate-inherit
n
Newly created subdirectories inherit the ACE, but their inheritance flags are removed.
successful-access
S
For Audit or Alarm ACEs, this flag triggers the specified action when an access attempt that matches the permissions is successful.
failed-access
F
For Audit or Alarm ACEs, this flag triggers the specified action when an access attempt that matches the permissions is denied.
-
-
Principal
The principal that can perform operations on a file, including OWNER@, GROUP@, EVERYONE@, or a specific principal.
-
Permissions
Note-
The default minimum permissions for the OWNER@ principal are tTnNcCy. Permissions less than these are not allowed.
-
The default minimum permissions for the GROUP@ and EVERYONE@ principals are tncy. Permissions less than these are not allowed.
NFSv4 ACL details: nfs4_acl - Linux man page.
-
POSIX ACL guidelines
-
Set ACLs
-
Use inheritance (
default) to apply the same ACL to a subdirectory tree, avoiding per-file or per-directory setup. -
Use
setfacl -Rwith caution — running it on large directory trees creates metadata pressure and degrades performance. -
Plan user groups and permissions before setting ACLs. Manage access through group memberships so you can adjust permissions by changing groups instead of modifying ACLs. Always set ACLs for groups, not individual users.
-
If you use POSIX ACL across multiple clients, ensure matching UIDs and GIDs for the same users and groups. NAS identifies principals by UID or GID, not by name.
-
-
Use ACLs
-
The system scans all ACEs during each permission check. Minimize ACE count to avoid performance degradation.
-
-
Set permissions for 'other'
-
Minimize 'other' permissions — they apply to all users. Granting 'other' more access than a specific ACE creates a security risk.
-
Run
umask 777before your code to set the creationmodeto000, minimizing default permissions. umask and defaultmode. -
After POSIX ACL is enabled, the 'other' class in file mode is treated as 'everyone' during permission checks.
-
NFSv4 ACL guidelines
-
Set ACLs
-
Set ACLs by using UIDs or GIDs, such as
UID 1001. -
Use inheritance to apply the same ACL to a subdirectory tree, avoiding per-file or per-directory ACL setup.
-
Use
nfs4_setfacl -Rwith caution — running it on large directory trees creates metadata pressure and degrades performance.
-
-
Use ACLs
-
The system scans all ACEs during each permission check. Minimize ACE count to avoid performance degradation.
-
-
Set ACL permissions
-
After adopting NFSv4 ACLs, avoid using
mode. -
The
nfs4_setfaclcommand supports -a, -x, and -m options, butnfs4_setfacl -e <file>provides a more intuitive interactive editing experience. -
Fine-grained write permissions can cause unexpected failures — for example, granting
wwithoutamay block writes. Similar issues apply to directory modifications. Use uppercaseWwithnfs4_setfaclto set write permissions.nfs4_setfaclexpandsWto the full write set:wadTfor files andwadTDfor directories. -
Plan user groups and permissions before setting ACLs. Manage access through group memberships so you can adjust permissions by changing groups instead of modifying ACLs. Always set ACLs for groups, not individual users.
-
NAS supports only
AllowACEs for NFSv4 ACLs, notDenyACEs. Minimize 'everyone' permissions — excessive 'everyone' access creates security vulnerabilities.
-
Configure NFS ACL
After enabling NFS ACL, use POSIX ACL or NFSv4 ACL to manage file and directory permissions.
-
NFSv3 file systems: Manage permissions by using POSIX ACL.
-
NFSv4 file systems: Manage permissions by using NFSv4 ACL.