1. Managing ZFS File Systems in Oracle Solaris 11.4
  2. Oracle Solaris ZFS Delegated Administration
  3. Delegating ZFS Permissions

Delegating ZFS Permissions

You can use the zfs allow command to delegate permissions on ZFS file systems to non-root users in the following ways:

  • Individual permissions can be delegated to a user, group, or everyone.

  • Groups of individual permissions can be delegated as a permission set to a user, group, or everyone.

  • Permissions can be delegated either locally to the current file system only or to all descendants of the current file system.

The following table describes the operations that can be delegated and any dependent permissions that are required to perform the delegated operations.

Permission (Subcommand) Description Dependencies

allow

The permission to grant permissions that you have to another user.

Must also have the permission that is being allowed.

clone

The permission to clone any of the dataset's snapshots.

Must also have the create permission and the mount permission in the original file system.

create

The permission to create descendant datasets.

Must also have the mount permission.

destroy

The permission to destroy a dataset.

Must also have the mount permission.

diff

The permission to identify paths within a dataset.

Non-root users need this permission to use the zfs diff command.

hold

The permission to hold a snapshot.

  

mount

The permission to mount and unmount a file system, and create and destroy volume device links.

  

promote

The permission to promote a clone to a dataset.

Must also have the mount permission and the promote permission in the original file system.

receive

The permission to create descendant file systems with the zfs receive command.

Must also have the mount permission and the create permission.

release

The permission to release a snapshot hold, which might destroy the snapshot.

  

rename

The permission to rename a dataset.

Must also have the create permission and the mount permission in the new parent.

rollback

The permission to roll back a snapshot.

  

send

The permission to send a snapshot stream.

  

share

The permission to share and unshare a file system.

Must have both share and share.nfs to create an NFS share.

Must have both share and share.smb to create an SMB share.

snapshot

The permission to create a snapshot of a dataset.

  

You can delegate the following set of permissions but a permission might be limited to access, read, or change permission:

  • groupquota

  • groupused

  • key

  • keychange

  • userprop

  • userquota

  • userused

In addition, you can delegate administration of the following ZFS properties to non-root users:

  • aclinherit

  • aclmode

  • atime

  • canmount

  • casesensitivity

  • checksum

  • compression

  • copies

  • dedup

  • defaultgroupquota

  • defaultuserquota

  • devices

  • encryption

  • exec

  • keysource

  • logbias

  • mountpoint

  • nbmand

  • normalization

  • primarycache

  • quota

  • readonly

  • recordsize

  • refquota

  • refreservation

  • reservation

  • rstchown

  • secondarycache

  • setuid

  • shadow

  • share.nfs

  • share.smb

  • snapdir

  • sync

  • utf8only

  • version

  • volblocksize

  • volsize

  • vscan

  • xattr

  • zoned

Some of these properties can be set only at dataset creation time. For a description of these properties, see zfs(8).