IBM General Parallel File System for AIX: Administration and Programming Reference

DFS ACL evaluation

When a user tries to perform an operation on an object, GPFS examines the object's ACL according to the checking sequence described in the following list. GPFS stops evaluating the entries as soon as the user matches a condition described in the list. Evaluation proceeds to a condition in the checking sequence only if the user fails to match all of the previous conditions.

  1. The user owns the object. GPFS grants the user the permissions specified with the owning user entry. The permissions are not filtered through the mask entry.
    Note: The owner of the file always has permission to administer the ACL.
  2. A user or foreign_user entry exists for the user. GPFS grants the user the permissions specified with the entry after filtering the permissions through the mask entry.
  3. The user belongs to the group that owns the object or to any other groups that have group or foreign_group entries. The user's permissions to the object are based on the first group match; permissions are not accrued if the user belongs to multiple groups.
    Note: Distributed Computing Environment (DCE) Local File System (LFS) behavior is different: there, permissions are accrued if the user belongs to multiple groups. GPFS follows the first-match behavior described above because GPFS ACLs are based on a later version of POSIX ACLs.
  4. The user is from the default cell. GPFS grants the user the permissions specified with the other entry. The permissions are not filtered through the mask entry.
  5. The user belongs to a foreign cell that has a foreign_other entry. GPFS grants the user the permissions specified with the entry for that cell after filtering the permissions through the mask entry.
  6. The user matches no entry. GPFS denies the user access to the object.
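
The checking sequence above, written out as a first-match evaluator. This is an added example, not IBM or GPFS code, and its data model (dictionary keys, `(kind, key, permissions)` tuples, the sample names) is hypothetical. Assumptions the page does not state: the owning group is tried before other group entries, which are then tried in ACL order; group matches are filtered through the mask; an ACL without a mask entry filters nothing.

```python
def evaluate(acl, user):
    """Return the permission set `user` gets, following steps 1-6 in order."""
    entries = acl["entries"]
    single = {kind: perms for kind, key, perms in entries if key is None}
    mask = single.get("mask_obj")
    # With no mask entry there is nothing to filter through (assumption).
    masked = lambda perms: perms if mask is None else perms & mask
    who = (user["cell"], user["name"])

    # 1. Owner: owning user entry, not filtered through the mask.
    if who == acl["owner"]:
        return single["user_obj"]
    # 2. user / foreign_user entry: filtered through the mask.
    for kind, key, perms in entries:
        if kind in ("user", "foreign_user") and key == who:
            return masked(perms)
    # 3. First group match wins; nothing is accrued across groups.
    #    Assumptions: owning group tried first, then ACL order; mask applied.
    if acl["owning_group"] in user["groups"]:
        return masked(single["group_obj"])
    for kind, key, perms in entries:
        if kind in ("group", "foreign_group") and key in user["groups"]:
            return masked(perms)
    # 4. Default cell: other entry, not filtered through the mask.
    if user["cell"] == acl["default_cell"]:
        return single.get("other", set())
    # 5. Foreign cell with a foreign_other entry: filtered through the mask.
    for kind, key, perms in entries:
        if kind == "foreign_other" and key == user["cell"]:
            return masked(perms)
    # 6. No entry matched: deny.
    return set()

# Constructed sample ACL; the layout (kind, key, permissions) is hypothetical.
ACL = {
    "owner": ("home", "alice"), "owning_group": ("home", "staff"),
    "default_cell": "home",
    "entries": [
        ("user_obj", None, set("rwc")), ("mask_obj", None, set("rx")),
        ("user", ("home", "bob"), set("rw")),
        ("user", ("home", "eve"), set()),
        ("group_obj", None, set("r")),
        ("group", ("home", "dev"), set("rwx")),
        ("group", ("home", "ops"), set("r")),
        ("other", None, set("w")),
        ("foreign_other", "partner", set("rw")),
    ],
}
```

With this sample, `eve` receives no permissions even as a member of `dev`, because her empty `user` entry matches at step 2 and evaluation stops there. A default-cell user with no matching entry receives `w` from the `other` entry even though the mask omits it.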

