Access control protects directories and files by providing a means of
specifying who should be granted access. GPFS access control lists
(ACLs) extend the base permissions, or traditional file access modes, of read
(r), write (w), and execute (x) beyond the three categories of file owner,
file group, and other users, to allow the definition of additional users and
user groups. In this way, an ACL can be created that might look like
this:
#owner:jesmith
#group:team_A
user::rwx
group::rwx
other::--x
mask::rwx
user:alpha:r-x
group:audit:r-x
group:system:rwx
In this ACL:
GPFS ACLs are fully compatible with the base operating system permission set. Any change to the base permissions, using the chmod command, for example, modifies the corresponding GPFS ACL as well. Similarly, any change to the GPFS ACL is reflected in the output of commands such as ls -l.
Each GPFS file or directory has an access ACL that determines its access privileges. These ACLs control who is allowed to read or write at the file or directory level.
In addition to an access ACL, a directory may also have a default ACL, which is assigned as an access ACL to every file created in that directory. This allows a user to protect all files in a directory without explicitly setting an ACL for each one. When a new subdirectory is created, both its access ACL and its default ACL are set to the default ACL of its parent directory.
If the directory does not have a default ACL, the initial access ACL of newly created objects consists only of the three required entries. The values of these entries are based on the mode parameter of the function that creates the object and the umask currently in effect for the process.
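The creation rules in the two paragraphs above, modeled in Python as an added example (not IBM or GPFS code). The function names, and the use of the sample ACL from this page as a directory's default ACL, are assumptions made for illustration.

```python
PERM_BITS = (("r", 4), ("w", 2), ("x", 1))

def perm_string(bits):
    """Render a 3-bit permission value as an rwx string, e.g. 5 -> 'r-x'."""
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS)

def parse_acl(text):
    """Parse ACL text in the format shown above into (type, name, perms)
    tuples. Header lines starting with '#' (owner, group) are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, perms = line.split(":")
        entries.append((kind, name, perms))
    return entries

def required_entries(mode, umask):
    """The three required entries, from the creation mode and the umask."""
    eff = mode & ~umask & 0o777
    return [("user", "", perm_string((eff >> 6) & 7)),
            ("group", "", perm_string((eff >> 3) & 7)),
            ("other", "", perm_string(eff & 7))]

def initial_acls(parent_default, mode, umask, is_dir):
    """Return (access_acl, default_acl) for an object created in a directory
    whose default ACL is parent_default (None if the directory has none)."""
    if parent_default is None:
        # No default ACL: only the three required entries, no default ACL.
        return required_entries(mode, umask), None
    # Default ACL present: it becomes the new object's access ACL, and a new
    # subdirectory also takes it as its own default ACL.
    return list(parent_default), (list(parent_default) if is_dir else None)

# Constructed sample: the ACL from the text, used here as a default ACL.
SAMPLE_DEFAULT = parse_acl("""#owner:jesmith
#group:team_A
user::rwx
group::rwx
other::--x
mask::rwx
user:alpha:r-x
group:audit:r-x
group:system:rwx""")
```

Calling `initial_acls(SAMPLE_DEFAULT, 0o666, 0o022, False)` shows that every file created under such a directory carries the `group:system:rwx` entry, which is worth reviewing before a default ACL is set on a shared directory.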
Administrative tasks associated with GPFS ACLs are: