PowerScale: OneFS: Manage Windows (ACL) Permissions From OneFS Command-Line Interface

Summary: It is recommended to manage Windows permissions by connecting to the folder over SMB and using the Windows Explorer interface. There are cases, however, where using the CLI may be wanted. This article describes how to do this. ...


Instructions

To display the existing permissions on the file/folder run:
ls -led <path to file/folder>
For example:
# ls -led file
-rwxrwxrwx +  1 root  wheel  0 Jul  2 14:02 file
 OWNER: user:root
 GROUP: group:wheel
 0: group:Users allow file_gen_read,file_gen_write
 1: user:root allow file_gen_read,file_gen_write,std_write_dac
 2: group:wheel allow file_gen_read
 3: everyone allow file_gen_all

Changing permissions

To change permissions in the CLI using chmod, you must be logged in as root.

There are two ways to identify the wanted permission entries to put in the access control list (ACL). The first is recommended if possible.

  1. Locate or create a file/folder with the wanted permissions over SMB and run ls -led <file or folder>. This can be any permission entry for any user/group on any file/folder on any Isilon, as long as it has the wanted permissions.
  2. View the description of each permission entry from the manual for chmod (man chmod) and identify which ones you need for your workflow.

Adding a new permission entry for a user/group

For this example, I am using method one, but the command for setting the permissions is the same whether you identified the permission types to add from the manual for chmod (man chmod) or by looking at a file with the wanted permissions.

The command for users and groups is the same, except that the word 'user' is replaced with 'group' or vice versa:  chmod +a group "<domain name>\<group name>" allow <permissions to add> <file or folder>

For example, to apply the permission entry of the Users group on file above to file2 for the group 'domain users' in the Active Directory domain 'AD', I would use this command:

# chmod +a group "AD\domain users" allow file_gen_read,file_gen_write file2
# ls -led file2
-rw-rw-r-- +  1 root  wheel  0 Jul  2 14:09 file2
 OWNER: user:root
 GROUP: group:wheel
 0: group:Domain Users allow file_gen_read,file_gen_write
 1: user:root allow file_gen_read,file_gen_write,std_write_dac
 2: group:wheel allow file_gen_read
 3: everyone allow file_gen_read

To remove an Access Control Entry, you can remove the entire line for the wanted user or group, or only the permission types you want to remove, and then add a new entry with the wanted permissions. The command to remove an entry is identical to the one for adding it, except that '+a' is replaced with '-a'. For example, if I wanted to remove the entry from the file above for the root user, I would use this command:

# chmod -a user root allow file_gen_read,file_gen_write,std_write_dac file
# ls -led file
-rwxrwxrwx +  1 root  wheel  0 Jul  2 14:02 file
 OWNER: user:root
 GROUP: group:wheel
 0: group:Users allow file_gen_read,file_gen_write
 1: group:wheel allow file_gen_read
 2: everyone allow file_gen_all

For well-known groups such as everyone, leave off the 'group' keyword. For example, if I wanted to also remove write access from everyone but leave the other access levels on the file above, I would use this command:

# chmod -a everyone allow file_gen_write file
# ls -led file
-rwxrwxr-x +  1 root  wheel  0 Jul  2 14:02 file
 OWNER: user:root
 GROUP: group:wheel
 0: group:Users allow file_gen_read,file_gen_write
 1: group:wheel allow file_gen_read
 2: everyone allow std_delete,std_write_dac,std_write_owner,file_read,file_read_ext_attr,execute,delete_child,file_read_attr
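
The listing above still leaves everyone with std_write_dac and std_write_owner, the rights to rewrite the ACL and to change the owner. The following sh/awk check is an added example, not part of the original article: it reads ls -led output and reports such entries; audit_acl and sample_acl are hypothetical names, and the sample input is copied from the listing above.

```shell
#!/bin/sh
# Added example: flag ACEs that let a trustee rewrite the ACL or take ownership.
# Input: `ls -led` output on stdin. Output: "<ACE index> <trustee> <right>" lines.
# audit_acl and sample_acl are hypothetical names, not OneFS commands.
# On a cluster: ls -led <path to file/folder> | audit_acl

audit_acl() {
    # $1 = trustee exactly as `ls -led` prints it (default: everyone)
    awk -v want="${1:-everyone}" '
    /^ *[0-9]+: / {                      # ACE line, e.g. " 2: everyone allow ..."
        idx = $1; sub(/:$/, "", idx)
        # The trustee may contain spaces ("group:Domain Users"), so find the
        # allow/deny keyword first and rebuild the trustee from the fields before it.
        for (i = 2; i <= NF; i++)
            if ($i == "allow" || $i == "deny") break
        if (i > NF || $i != "allow") next   # skip deny ACEs and malformed lines
        trustee = $2
        for (j = 3; j < i; j++) trustee = trustee " " $j
        if (trustee != want) next
        n = split($(i + 1), perms, ",")
        for (k = 1; k <= n; k++)
            if (perms[k] ~ /^(file_gen_all|dir_gen_all|std_write_dac|std_write_owner)$/)
                print idx, trustee, perms[k]
    }'
}

# Sample input: the `ls -led file` listing shown above.
sample_acl() {
    cat <<'EOF'
-rwxrwxr-x +  1 root  wheel  0 Jul  2 14:02 file
 OWNER: user:root
 GROUP: group:wheel
 0: group:Users allow file_gen_read,file_gen_write
 1: group:wheel allow file_gen_read
 2: everyone allow std_delete,std_write_dac,std_write_owner,file_read,file_read_ext_attr,execute,delete_child,file_read_attr
EOF
}

sample_acl | audit_acl
```

Pass a different trustee as the first argument, written exactly as ls -led prints it, to check an entry other than everyone.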

To enable inheritance for new files and folders, add 'object_inherit' and 'container_inherit', respectively, to the permission entry. For example, if I wanted to add an entry for the local group users on a folder dir that grants full access and is inherited by new files and folders, I would use this command:

# chmod +a group users allow dir_gen_all,object_inherit,container_inherit dir
# ls -led dir
drwxrwxr-x +  2 root  wheel  0 Jul  2 14:22 dir
 OWNER: user:root
 GROUP: group:wheel
 0: group:Users allow dir_gen_all,object_inherit,container_inherit
 1: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
 2: group:wheel allow dir_gen_read,dir_gen_execute
 3: everyone allow dir_gen_read,dir_gen_execute

You can also edit ACEs using SIDs, UIDs, or GIDs. The syntax is the same as above, with the SID, UID, or GID in place of the name:

chmod +a sid <actual SID> allow <permissions to add> <target path>
chmod +a user <actual UID> allow <permissions to add> <target path>
chmod +a group <actual GID> allow <permissions to add> <target path>

Additional Information

This Microsoft article describes each permission type as described by Windows, but for details on each permission type as displayed with ls -led on PowerScale, see man chmod.

File and Folder Permissions

References:

Dell PowerScale OneFS: Authentication, Identity Management, and Authorization (delltechnologies.com)
Access Control Lists on Dell EMC PowerScale OneFS (delltechnologies.com)

Affected Products

PowerScale OneFS

Article Properties
Article Number: 000010579
Article Type: How To
Last Modified: 07 Nov 2025
Version:  7