Oracle® ZFS Storage Appliance Security Guide, Release OS8.8.0

Updated: November 2018

Access Control Lists

Oracle ZFS Storage Appliance provides file access control through access control lists (ACLs). An ACL is a mechanism that allows or denies access to a particular file or directory.

The ACL model provided by Oracle ZFS Storage Appliance is based on the NFSv4 ACL model, which is derived from Windows ACL semantics. It is a rich ACL model that provides fine-grained access to files and directories. Every file and directory within the storage appliance has an ACL, and all access control decisions for both SMB and NFS go through the same algorithms for determining who is allowed or denied access to files and directories.

An ACL is composed of one or more access control entries (ACEs). Each ACE specifies the permissions it grants or denies, who it applies to, and the inheritance-level flags used.

ACL Inheritance

NFSv4 ACLs let individual ACEs be inherited by newly created files and directories. ACE inheritance is controlled by several inheritance-level flags that an administrator sets on the ACL when it is initially configured.

Determining ACL Access

NFSv4 ACLs are order dependent and are processed from top to bottom. Once a permission is granted, a subsequent ACE cannot take it away. Once a permission is denied, a subsequent ACE cannot grant it.
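The following added example (not code from the appliance or from Oracle) models the top-to-bottom evaluation described above and shows the same two ACEs producing opposite results when their order is swapped. The permission names, principals, the `ACE` class, and the default-deny result for permissions no ACE mentions are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    kind: str         # "allow" or "deny"
    who: str          # user name, "group:<name>", or "everyone@"
    perms: frozenset  # permission names this entry grants or denies

def applies(ace, user, groups):
    """True if the ACE's 'who' field matches the requesting principal."""
    if ace.who == "everyone@":
        return True
    if ace.who.startswith("group:"):
        return ace.who[len("group:"):] in groups
    return ace.who == user

def check_access(acl, user, groups, requested):
    """Walk the ACL top to bottom; the first matching ACE that
    mentions a requested permission decides that permission."""
    undecided = set(requested)
    for ace in acl:
        if not applies(ace, user, groups):
            continue
        hit = undecided & ace.perms
        if not hit:
            continue
        if ace.kind == "deny":
            return False      # once denied, a later ACE cannot grant it
        undecided -= hit      # once granted, a later ACE cannot revoke it
        if not undecided:
            return True
    # Assumption: permissions that no ACE granted are treated as denied.
    return False

# Constructed sample ACEs: identical entries, opposite order.
deny_contractors = ACE("deny", "group:contractors", frozenset({"write_data"}))
allow_everyone = ACE("allow", "everyone@",
                     frozenset({"read_data", "write_data"}))

deny_first = [deny_contractors, allow_everyone]   # contractors cannot write
allow_first = [allow_everyone, deny_contractors]  # deny entry is never reached
```

When reviewing an ACL, check that every deny entry sits above any broader allow entry that covers the same permission, otherwise the deny has no effect.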

SMB Share-Level ACL

An SMB share-level ACL is an ACL that is combined with a file or directory ACL in the share to determine the file’s effective permissions. The share-level ACL provides another layer of access control above the file ACLs and provides more sophisticated access control configurations. Share-level ACLs are set when the file system is exported using the SMB protocol. If the file system is not exported using the SMB protocol, setting the share-level ACL has no effect. By default, share-level ACLs grant everyone full control.

ZFS ACL Properties

The ACL behavior and inheritance properties apply only to NFS clients. SMB clients use strict Windows semantics, which take precedence over the ZFS properties. The difference is that NFS uses POSIX semantics and SMB clients do not. The properties are mainly compatible with POSIX.