Edit ACL Screens
9 minute read.Last Modified 2023-11-30 10:15 EST
TrueNAS SCALE offers two ACL types: POSIX (the SCALE default) and NFSv4. For a more in-depth explanation of ACLs and configurations in TrueNAS SCALE, see our ACL Primer.
The ACL Type setting, found in the Advanced Options of both the Add Dataset and Edit Dataset screens, determines the ACL presets available on the Select a preset ACL window and also determines which permissions editor screens you see after you click theedit icon on the Dataset Permissions widget.
If ACL Type is set to NSFv4, you can select the ACL Mode you want to use.
NFSv4 is an access control list (ACL) type not related to the share type you might use (SMB or NFS).
If you selected POSIX or Inherit as your ACL type, the first screen you see after you click edit on the Dataset Permissions widget is the Storage > Edit Permissions screen with the Unix Permissions Editor basic ACL configuration settings.
Use the settings on this screen to configure basic ACL permissions.
The Owner section controls which TrueNAS user and group has full control of this dataset.
|User||Enter or select a user to control the dataset. Users created manually or imported from a directory service appear in the menu.|
|Apply User||Select to confirm user changes. To prevent errors, TrueNAS only submits changes only after you select this option.|
|Group||Enter or select the group to control the dataset. Groups created manually or imported from a directory service appear in the menu.|
|Apply Group||Select to confirm group changes. To prevent errors, TrueNAS only submits changes only after you select this option.|
The Access section lets users define the basic Read, Write, and Execute permissions for the User, Group, and Other accounts that might access this dataset.
A common misconfiguration is removing the Execute permission from a dataset that is a parent to other child datasets. Removing this permission results in lost access to the path.
The Advanced section lets users Apply Permissions Recursively to all directories, files, and child datasets within the current dataset.
To access advanced POSIX ACL settings, click Add ACL on the Unix Permissions Editor. The Select a preset ACL window displays with two radio buttons.
Selecting a preset replaces the ACL currently displayed on the Edit ACL screen and deletes any unsaved changes.
There are two different Select a preset ACL windows.
If using POSIX or Inherit as the ACL Type setting, the window with three setting options displays before you see the Edit ACL screen. These setting options allow you to select and use a pre-configured set of permissions that match general permissions situations or to create a custom set of permissions. You can add to a pre-configured ACL preset on the Edit ACL screen.
If using NFSv4 as the ACL Type setting, you access the NFS4 Select a Preset ACL window from the Edit ACL screen by clicking Use Preset ACL.
The ACL Type setting determines the pre-configured options presented on the Default ACL Options dropdown list on each of these windows. For POSIX, the options are POSIX_OPEN, POSIX_RESTRICTED, or POSIX_HOME. For NFSv4, the options are NFS4_OPEN, NFS4_RESTRICTED, NFS4_HOME, and NFS4_DOMAIN_HOME.
|Select a preset ACL||Click this radio button to populate the Default ACL Options dropdown list with a set of pre-configured POSIX permissions.|
|Create a custom ACL||Click this radio button to display the Edit ACL screen with no default permissions, users, or groups to configure your own set of permissions after you click Continue.|
Click Continue to display the Edit ACL screen.
The Edit ACL screen displays different options based on the ACL Type setting on the Add Dataset or Edit Dataset screen in the Advanced Options section.
The section below describes the differences between screens for each ACL type.
Select any user account or group manually entered or imported from a directory service in the Owner or Owner Group. The value entered or selected in each field displays in the Access Control List below these fields.
Dataset displays the dataset path (name) you selected to edit.
The Access Control List section displays the items and a permissions summary for the owner@, group@, and everyone@ for both POSIX and NSFv4 ACL types. The list of items changes based on a selected pre-configured set of permissions.
To add a new item to the ACL, click Add Item, define Who the Access Control Entry (ACE) applies to, and configure permissions and inheritance flags for the ACE.
These functions display on the Edit ACL screen for both POSIX and NSFv4 ACL types except for Strip ACL, which only displays for NSFv4 types.
|Add Item||Adds a new ACE to the Access Control List.|
|Apply permissions recursively||Select to apply all settings or changes on the Edit ACL screen to all child datasets in the path in Dataset.|
|Save Access Control List||Saves settings or changes made on the Edit ACL screen.|
|Strip ACL||(NSFv4 only) Remove all ACLs from the current dataset and any directories or files contained within this dataset. Stripping the ACL resets dataset permissions and can make data inaccessible until you create new permissions.|
|Permissions Editor||(POSIX only) Displays the Unix Permissions Editor screen for POSIX ACL types.|
|Use Preset||Displays the Select a preset ACL window. If the ACL Type setting, found in the Advanced Options of both the Add Dataset and Edit Dataset screens, is POSIX or Inherit, the Default ACL Options dropdown displays POSIX pre-configured options. If set to NFSv4, the preset options displayed are pre-configured NSFv4 options.|
|Save As Preset||Saves the current access control list as a custom preset and adds it to the Access Control List.|
The POSIX Access Control Entry settings include Who, Permissions, and Flags options.
|Who||Select the user or group from the dropdown list the permissions apply to.|
User denotes access rights for users identified by the entry qualifier.
Group denotes access rights for the filegroup.
Other denotes access rights for processes that do not match any other entry in the ACL.
Group Obj denotes access rights for the filegroup.
User Obj denotes access rights for the file owner.
Mask denotes the maximum access rights User, Group Obj, or Group type entries can grant.
|Permissions||Select the checkbox for each permission type (Read, Write and Execute) to apply to the user or group in Who.|
|Flags||Select the Default option to include a flag setting for the user or group in Who.|
There are two Access Control Entry settings, Who and ACL Type.
The NFSv4 ACL Type radio buttons change the Permissions and Flags setting options. Select Allow to grant the specified permissions or Deny to restrict the permissions for the user or group in Who.
|Who||Access Control Entry (ACE) user or group. Select a specific User or Group for this entry. See nfs4_setfacl(1) NFSv4 ACL ENTRIES.|
User denotes access rights for users identified by the qualifier.
Group denotes access rights for groups identified by the qualifier.
owner@ applies this entry to the user that owns the dataset.
group@ applies this entry to the group that owns the dataset.
everyone@ applies this entry to all users and groups.
|ACL Type||Determines how the Permissions apply to the chosen Who. Choose Allow to grant the specified permissions and Deny to restrict the specified permissions.|
TrueNAS divides permissions and inheritance flags into basic and advanced options. The basic permissions options are commonly-used groups of advanced options. Basic inheritance flags only enable or disable ACE inheritance. Advanced flags offer finer control for applying an ACE to new files or directories.
Click the Basic radio button to display the Permissions dropdown list of options that applies to the user or group in Who.
|Read||View file or directory contents, attributes, named attributes, and ACL.|
|Modify||Adjust file or directory contents, attributes, and named attributes. Create new files or subdirectories. Includes the Traverse permission.|
|Traverse||Execute a file or move through a directory.|
|Full Control||Apply all permissions.|
Click the Advanced radio button to display the Permissions options for the user or group in Who.
|Read Data||View file contents or list directory contents.|
|Write Data||Create new files or modify any part of a file.|
|Append Data||Add new data to the end of a file.|
|Read Named Attributes||View the named attributes directory.|
|Write Named Attributes||Create a named attribute directory. Must be paired with the Read Named Attributes permission.|
|Execute||Execute a file, move through, or search a directory.|
|Delete Children||Delete files or subdirectories from inside a directory.|
|Read Attributes||View file or directory non-ACL attributes.|
|Write Attributes||Change file or directory non-ACL attributes.|
|Delete||Remove the file or directory.|
|Read ACL||View the ACL.|
|Write ACL||Change the ACL and the ACL mode.|
|Write Owner||Change the user and group owners of the file or directory.|
|Synchronize||Synchronous file read/write with the server. This permission does not apply to FreeBSD clients.|
Click the Basic radio button to display the flag settings that enable or disable ACE inheritance.
|Inherit||Enable ACE inheritance.|
|No Inherit||Disable ACE inheritance.|
Click the Advanced radio button to display the flag settings that enable or disable ACE inheritance and offer finer control for applying an ACE to new files or directories.
|File Inherit||The ACE is inherited with subdirectories and files. It applies to new files.|
|Directory Inherit||New subdirectories inherit the full ACE.|
|No Propagate Inherit||The ACE can only be inherited once.|
|Inherit Only||Remove the ACE from permission checks but allow new files or subdirectories to inherit it. Inherit Only is removed from these new objects.|
|Inherited||Set when this dataset inherits the ACE from another dataset.|