Isilon OneFS: Traverse checking in OneFS and how to enforce it

Summary: What is Traverse checking, how does it work, and how do you enforce it in OneFS?


Instructions

Traverse Checking
By default, OneFS handles path traversal as follows:
  • If an ACL exists on a directory, the traverse permission is granted (bypass traverse checking).
    • The "Traverse" permission allows path traversal, so the user can navigate without needing an execute permission.
    • The "Traverse" permission is different from the "Execute" permission and exists only in an ACL.
  • If no ACL exists (synthetic/POSIX), an explicit execute permission is required.
    • That is, navigating to a given path requires at least "Execute" permission on the parent directory for traversal to be allowed.
Bypass Traverse Checking
A Microsoft Windows environment has a GPO called "bypass traverse checking", which allows users to access a directory path (\\server\root\folder\path) while the intermediate paths are "bypassed" for "traverse checking" (validating that the traverse/execute right is granted).
OneFS does not enforce the Microsoft GPO set in Active Directory; instead, it implements "bypass traverse checking" through the existence of an NTFS ACL.

* Bypass Traverse Checking is enabled by default and assumes the "Traverse" permission is present without checking for it.

How to Disable "Bypass Traverse Checking" / How to enforce Traverse Checking
Some users may wish to disable "bypass traverse checking" to enforce checking of the traverse permission on each intermediate directory, so that access fails with "Access denied" when the permission is not granted explicitly.

Isilon OneFS can build a custom ACL policy via the WebUI or the CLI (in 8.x+ only). Before 8.2, however, control of traverse checking is not visibly available as a configurable parameter or option, although a kernel-level ACL policy does exist to alter the behavior described above (that is, to require an explicit traverse permission when an ACL exists).

The ability to alter the behavior through the UI/CLI was added in 8.2 and is available in later releases.
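
Before enforcing traverse checking, it helps to know which paths work today only because of the bypass. The following is an added example, not Dell or OneFS code: a simplified model of the rules described above. The names Dir, can_pass, first_denied and impact_of_enforcing are hypothetical, and the sample paths and permissions are constructed.

```python
from typing import NamedTuple, Optional

class Dir(NamedTuple):
    name: str
    has_acl: bool           # True: real ACL; False: synthetic/POSIX mode bits only
    traverse: bool = False  # ACL grants this user an explicit "Traverse"
    execute: bool = False   # POSIX execute bit applies to this user

def can_pass(d: Dir, bypass: bool) -> bool:
    """May the user pass through one intermediate directory?"""
    if d.has_acl:
        # Default: an ACL implies traverse. Enforced: explicit Traverse required.
        return True if bypass else d.traverse
    return d.execute        # no ACL: explicit execute is always required

def first_denied(path: list, bypass: bool) -> Optional[str]:
    """Name of the first intermediate directory that blocks the walk, or None."""
    for d in path[:-1]:     # last element is the target itself, not an intermediate
        if not can_pass(d, bypass):
            return d.name
    return None

def impact_of_enforcing(paths: dict) -> dict:
    """Paths reachable today that would return Access denied once enforced."""
    hits = {}
    for label, path in paths.items():
        if first_denied(path, bypass=True) is None:
            blocker = first_denied(path, bypass=False)
            if blocker is not None:
                hits[label] = blocker
    return hits

# Constructed sample: one user's effective rights along three paths.
SAMPLE = {
    "/ifs/data/finance/reports": [Dir("ifs", True, traverse=True), Dir("data", True, traverse=True),
                                  Dir("finance", True), Dir("reports", True, traverse=True)],
    "/ifs/home/alice": [Dir("ifs", True, traverse=True), Dir("home", False, execute=True),
                        Dir("alice", False, execute=True)],
    "/ifs/scratch/tmp": [Dir("ifs", True, traverse=True), Dir("scratch", False),
                         Dir("tmp", False, execute=True)],
}

if __name__ == "__main__":
    for path, blocker in impact_of_enforcing(SAMPLE).items():
        print(f"{path}: would be denied at '{blocker}' (no explicit Traverse)")
```

Only the finance path is reported: the scratch path is already denied by the missing execute bit, so enforcement does not change its outcome.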

Affected Products

PowerScale OneFS

Article Properties
Article Number: 000020696
Article Type: How To
Last Modified: 03 Apr 2025
Version:  3