Product Feature - Fileserver Implicit Access Control Lists

Fileserver Implicit ACLs are defined in the /etc/yfs/server/yfs-server.conf configuration file using the following schema:

    [fileserver]
        implicit-acls = {
          directory = {
            positive = <ace-list>
            negative = <ace-list>
          }
          file = {
            positive = <ace-list>
            negative = <ace-list>
          }
          link = {
            positive = <ace-list>
            negative = <ace-list>
          }
        }

where

    <ace-list> := [<names-or-ids> <rights>]+
    <names-or-ids> := <name-or-id>[,<name-or-id>]+
    <rights> := any or all of [rliwdka] or "all", "read", "write"

The implicit acls when specified are merged into the volume max acl and the object acls to produce an effective acl before use.

Implicit acls can be used for Data Loss Prevention scanning or Backups.

Implicit negative access control entries can be used to prevent the granting of particular rights to the specified entities regardless of what rights might be granted via an object acl.

Regardless of the implicit negative ACEs specified here, they cannot override the implicit administrator rights granted by the

    [fileserver]
       implicit = <rights>

setting.

Each implicit ACL can support up to 32 positive and 32 negative ACEs. This value is set via MAX_IMPLICIT_ACES in src/viced/implicit_acls.h. Each list of names-or-ids is limited to 255 characters.

If an operation is denied due to the per-file, directory or volume maximum acl, the error code is EACCES. If the operation is denied due to the implicit acl, the error code is EPERM.