
PowerScale OneFS CLI Command Reference

isi auth settings acls modify

Modifies access control list (ACL) settings for OneFS.

Syntax

isi auth settings acls modify
  [--create-over-smb {allow | disallow}]
  [--chmod {remove | replace | replace_users_and_groups | merge | merge_with_ugo_priority | deny | ignore}]
  [--chmod-inheritable {yes | no}]
  [--chown {owner_group_and_acl | owner_group_only | ignore}]
  [--access {unix | windows}]
  [--rwx {retain | full_control}]
  [--group-owner-inheritance {native | parent | creator}]
  [--chmod-007 {default | remove}]
  [--calcmode-owner {owner_aces | owner_only}]
  [--calcmode-group {group_aces | group_only}]
  [--synthetic-denies {none | remove}]
  [--utimes {only_owner | owner_and_write}]
  [--dos-attr {deny_smb | deny_smb_and_nfs}]
  [--calcmode {approx | 777}]
  [--calcmode-traverse {ignore | require}]
  [--verbose]

Options

--create-over-smb {allow | disallow}
Specifies whether to allow or deny creation of ACLs over SMB.
NOTE: Inheritable ACLs on the system take precedence over this setting. If inheritable ACLs are set on a folder, any new files and folders created in that folder will inherit the folder's ACL. Disabling this setting does not remove ACLs currently set on files. If you want to clear an existing ACL, run the chmod -b <mode> <file> command to remove the ACL and set the correct permissions.
--chmod {remove | replace | replace_users_and_groups | merge | merge_with_ugo_priority | deny | ignore}
Specifies how permissions are handled when a chmod operation is initiated on a file with an ACL, either locally or over NFS. This setting controls any elements that affect UNIX permissions, including File System Explorer. Enabling this policy setting does not change how chmod operations affect files that do not have ACLs. The following values are valid:
remove
For chmod operations, removes any existing ACL and instead sets the chmod permissions. Select this option only if you do not need permissions to be set from Windows.
replace
Removes the existing ACL and creates an ACL equivalent to the UNIX permissions. Select this option only if you want to remove Windows permissions but do not want files to have synthetic ACLs.
replace_users_and_groups
Removes the existing ACL and creates an ACL equivalent to the UNIX permissions for all users and groups referenced in the old ACL. Select this option only if you want to remove Windows permissions but do not want files to have synthetic ACLs.
merge
Merges permissions that are applied by chmod with existing ACLs. An ACE for each identity (owner, group, and everyone) is either modified or created, but all other ACEs are unmodified. Inheritable ACEs are also left unmodified to enable Windows users to continue to inherit appropriate permissions. UNIX users can set specific permissions for each of those three standard identities, however.
merge_with_ugo_priority
Merges the new permissions with the existing ACLs, marking any corresponding inherited and inheritable ACEs on the directory as inherit-only.
deny
Prevents users from making NFS and local chmod operations. Enable this setting if you do not want to allow permission sets over NFS.
ignore
Ignores the chmod operation if the file has an existing ACL, which prevents an NFS client from making changes to the ACL. Select this option if you defined an inheritable ACL on a directory and want to use that ACL for permissions.
CAUTION: If you attempt to run the chmod command on the same permissions that are currently set on a file with an ACL, you may cause the operation to silently fail. The operation appears to be successful, but if you were to examine the permissions on the cluster, you would notice that the chmod command had no effect. As an alternative, you can run the chmod command away from the current permissions and then perform a second chmod command to revert to the original permissions. For example, if your file shows 755 UNIX permissions and you want to confirm this number, you could run chmod 700 file; chmod 755 file.
--chmod-inheritable {yes | no}
On Windows systems, the ACEs for directories can define detailed inheritance rules. On a UNIX system, the mode bits are not inherited. Making ACLs that are created on directories by the chmod command inheritable is more secure for tightly controlled environments but may deny access to some Windows users who would otherwise expect access.
--chown {owner_group_and_acl | owner_group_only | ignore}
Changes the user or group that has ownership of a file or folder. The following values are valid:
owner_group_and_acl
Modifies only the owner or group, which enables the chown or chgrp operation to perform as it does in UNIX. Enabling this setting modifies any ACEs in the ACL associated with the old and new owner or group.
owner_group_only
Modifies the owner or group and ACL permissions, which enables the NFS chown or chgrp operation to function as it does in Windows. When a file owner is changed over Windows, no permissions in the ACL are changed.
ignore
Ignores the chown and chgrp operations if the file has an existing ACL, which prevents an NFS client from making changes to the owner or group.
NOTE: Over NFS, the chown or chgrp operation changes the permissions and user or group that has ownership. For example, a file owned by user Joe with rwx------ (700) permissions indicates rwx permissions for the owner, but no permissions for anyone else. If you run the chown command to change ownership of the file to user Bob, the owner permissions are still rwx but they now represent the permissions for Bob, rather than for Joe, who lost all of his permissions. This setting does not affect UNIX chown or chgrp operations performed on files with UNIX permissions, and it does not affect Windows chown or chgrp operations, which do not change any permissions.
--access {unix | windows}
In UNIX environments, only the file owner or superuser has the right to run a chmod or chown operation on a file. In Windows environments, you can implement this policy setting to give users the right to perform chmod operations that change permissions, or the right to perform chown operations that take ownership, but do not give ownership away. The following values are valid:
unix
Allows only the file owner to change the mode or owner of the file, which enables chmod and chown access checks to operate with UNIX-like behavior.
windows
Allows the file owner and users with WRITE_DAC and WRITE_OWNER permissions to change the mode or owner of the file, which enables chmod and chown access checks to operate with Windows-like behavior.
--rwx {retain | full_control}
Specifies how to handle rwx permissions mapped to Windows rights. In UNIX environments, rwx permissions indicate that a user or group has read, write, and execute permissions and that a user or group has the maximum level of permissions.

When you assign UNIX permissions to a file, no ACLs are stored for that file. Because a Windows system processes only ACLs, the Isilon cluster must translate the UNIX permissions into an ACL when you view a file's permissions on a Windows system. This type of ACL is called a synthetic ACL. Synthetic ACLs are not stored anywhere; instead, they are dynamically generated and discarded as needed. If a file has UNIX permissions, you may notice synthetic ACLs when you run the ls file command to view a file’s ACLs.

When you generate a synthetic ACL, the Isilon cluster maps UNIX permissions to Windows rights. Windows supports a more granular permissions model than UNIX does, and it specifies rights that cannot easily be mapped from UNIX permissions. The following values are valid:

retain
Retains rwx permissions and generates an ACE that provides only read, write, and execute permissions.
full_control
Treats rwx permissions as full control and generates an ACE that provides the maximum Windows permissions for a user or a group by adding the change permissions right, the take ownership right, and the delete right.
--group-owner-inheritance {native | parent | creator}
Specifies how to handle inheritance of group ownership and permissions. If you enable a setting that causes the group owner to be inherited from the creator's primary group, you can override it on a per-folder basis by running the chmod command to set the set-gid bit. This inheritance applies only when the file is created. The following values are valid:
native
Specifies that if an ACL exists on a file, the group owner will be inherited from the file creator's primary group. If there is no ACL, the group owner is inherited from the parent folder.
parent
Specifies that the group owner be inherited from the file's parent folder.
creator
Specifies that the group owner be inherited from the file creator's primary group.
--chmod-007 {default | remove}
Specifies whether to remove ACLs when running the chmod (007) command. The following values are valid:
default
Sets 007 UNIX permissions without removing an existing ACL.
remove
Removes ACLs from files over UNIX file sharing (NFS) and locally on the cluster through the chmod (007) command. If you enable this setting, be sure to run the chmod command on the file immediately after using chmod (007) to clear an ACL. In most cases, you do not want to leave 007 permissions on the file.
--calcmode-owner {owner_aces | owner_only}
Specifies how to approximate owner mode bits. The following values are valid:
owner_aces
Approximates owner mode bits using all possible group ACEs. This causes the owner permissions to appear more permissive than the actual permissions on the file.
owner_only
Approximates owner mode bits using only the ACE with the owner ID. This causes the owner permissions to appear more accurate, in that you see only the permissions for a particular owner and not the more permissive set. This may cause access-denied problems for UNIX clients, however.
--calcmode-group {group_aces | group_only}
Specifies how to approximate group mode bits. The following values are valid:
group_aces
Approximates group mode bits using all possible group ACEs. This causes the group permissions to appear more permissive than the actual permissions on the file.
group_only
Approximates group mode bits using only the ACE with the owner ID. This causes the group permissions to appear more accurate, in that you see only the permissions for a particular group and not the more permissive set. This may cause access-denied problems for UNIX clients, however.
--synthetic-denies {none | remove}
Specifies how to handle synthetic ACLs. The Windows ACL user interface cannot display an ACL if any deny ACEs are out of canonical ACL order. To correctly represent UNIX permissions, deny ACEs may be required to be out of canonical ACL order. The following values are valid:
none
Does not modify synthetic ACLs and mode bit approximations, which prevents modifications to synthetic ACL generation and allows “deny” ACEs to be generated when necessary.
CAUTION: This option can lead to permissions being reordered, permanently denying access if a Windows user or an application performs an ACL get, an ACL modification, and an ACL set to and from Windows.
remove
Removes deny ACEs when generating synthetic ACLs. This setting can cause ACLs to be more permissive than the equivalent mode bits.
--utimes {only_owner | owner_and_write}
Specifies who can change utimes, which are the access and modification times of a file.
only_owner
Allows only owners to change utimes to client-specific times, which complies with the POSIX standard.
owner_and_write
Allows owners as well as users with write access to modify utimes to client-specific times, which is less restrictive.
--dos-attr {deny_smb | deny_smb_and_nfs}
Specifies how to handle the read-only DOS attribute for NFS and SMB. The following values are valid:
deny_smb
Denies permission to modify files with DOS read-only attribute over SMB only.
deny_smb_and_nfs
Denies permission to modify files with DOS read-only attribute through both NFS and SMB.
--calcmode {approx | 777}
Specifies how to display mode bits. The following values are valid:
approx
Specifies to use ACL to approximate mode bits. Displays the approximation of the NFS mode bits that are based on ACL permissions.
777
Specifies to always display 777 if an ACL exists. If the approximated NFS permissions are less permissive than those in the ACL, you may want to use this setting so the NFS client does not stop at the access check before performing its operation. Use this setting when a third-party application may be blocked if the ACL does not provide the proper access.
--calcmode-traverse {ignore | require}
Specifies whether or not traverse rights are required in order to traverse directories with existing ACLs. The following values are valid:
ignore
Specifies that traverse rights are not required.
require
Specifies that traverse rights are required.
{--verbose | -v}
Displays more detailed information.
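
The following pre-change check is an added example, not part of the original reference or of OneFS. It validates a proposed isi auth settings acls modify command line against the option values listed in the Syntax section, and flags the values this page describes as more permissive. The function name review, the LOOSENS table and the sample command are assumptions made for illustration.

```python
import shlex

# Valid values per option, copied from the Syntax section of this page.
VALID = {k: v.split() for k, v in {
    "--create-over-smb": "allow disallow",
    "--chmod": "remove replace replace_users_and_groups merge "
               "merge_with_ugo_priority deny ignore",
    "--chmod-inheritable": "yes no",
    "--chown": "owner_group_and_acl owner_group_only ignore",
    "--access": "unix windows",
    "--rwx": "retain full_control",
    "--group-owner-inheritance": "native parent creator",
    "--chmod-007": "default remove",
    "--calcmode-owner": "owner_aces owner_only",
    "--calcmode-group": "group_aces group_only",
    "--synthetic-denies": "none remove",
    "--utimes": "only_owner owner_and_write",
    "--dos-attr": "deny_smb deny_smb_and_nfs",
    "--calcmode": "approx 777",
    "--calcmode-traverse": "ignore require",
}.items()}

# Values this page itself describes as widening access (wording paraphrased).
LOOSENS = {
    ("--rwx", "full_control"): "adds change-permissions, take-ownership, delete",
    ("--synthetic-denies", "remove"): "ACL may be more permissive than mode bits",
    ("--utimes", "owner_and_write"): "write access is enough to set utimes",
}

def review(command):
    """Return (errors, warnings) for one 'isi auth settings acls modify' line."""
    args = shlex.split(command)
    if args[:5] != "isi auth settings acls modify".split():
        return ["not an 'isi auth settings acls modify' command"], []
    errors, warnings, rest = [], [], args[5:]
    while rest:
        opt = rest.pop(0)
        if opt in ("--verbose", "-v"):
            continue
        value = rest.pop(0) if rest and not rest[0].startswith("-") else None
        if opt not in VALID:
            errors.append(f"unknown option {opt}")
        elif value not in VALID[opt]:
            errors.append(f"{opt}: invalid value {value!r}")
        elif (opt, value) in LOOSENS:
            warnings.append(f"{opt} {value}: {LOOSENS[(opt, value)]}")
    return errors, warnings

# Constructed sample: one loosening value and one value not in the Syntax list.
SAMPLE = "isi auth settings acls modify --rwx full_control --dos-attr deny_smb_nfs"
```

Calling review(SAMPLE) returns one error for the --dos-attr value and one warning for --rwx full_control; an empty pair of lists means the command matches the documented syntax and sets none of the flagged values.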
