Enabling Volume, Directory, and File Authorizations with ACEs

Describes how to set access control expressions for volumes, directories and files.

Access control expressions (ACEs) let you define allowlists (to grant access) and denylists (to deny access) for combinations of users, groups, and roles. Using boolean expressions and subexpressions, you can grant different permissions to multiple users, groups, and roles on file system files, directories, and whole-volume data.

ACEs for Files, Directories, and Whole Volume

An ACE is defined by a combination of user, group, and/or role definitions. Combine these definitions using the supported syntax. For more information, see Syntax of Access Control Expressions.

The examples below show how ACEs can be used to create allowlists that grant access and denylists that deny access. Each entry gives the expression, who it grants access to, and who it denies access to.

(u:u1&g:g1)
    Grants access to: only user 'u1', if user 'u1' is a member of group 'g1'
    Denies access to: users who are not 'u1' and members of group 'g1'

(g:g1&g:g2)|r:r1
    Grants access to: only users who are in both the groups 'g1' and 'g2', or users who are assigned role 'r1'
    Denies access to: users who are not in both the groups 'g1' and 'g2', and users who are not assigned role 'r1'

(g:g1&!g:g2)
    Grants access to: only users who are in group 'g1' and not in group 'g2'
    Denies access to: users who are in group 'g2', even if they are in group 'g1', and all other users

(g:g1|g:g2)
    Grants access to: users who are in groups 'g1' or 'g2'
    Denies access to: only users who are not in groups 'g1' or 'g2'

(g:g1|g:g2)&!r:r1
    Grants access to: only users in groups 'g1' or 'g2' who are not assigned role 'r1'
    Denies access to: users who are not members of groups 'g1' or 'g2', users who are assigned role 'r1', even if they are in group 'g1' or 'g2', and all other users

(p)
    Grants access to: everyone
    Denies access to: none

(!g:g1&!g:g2&!g:g3)
    Grants access to: users who are not in groups 'g1', 'g2', and 'g3'
    Denies access to: only users who are in groups 'g1', 'g2', or 'g3'

((u:u1|u:u2|u:u3)&g:g1&g:g2)&!r:r1
    Grants access to: only users 'u1', 'u2', or 'u3' who are also members of groups 'g1' and 'g2', but not assigned role 'r1'
    Denies access to: users who are not 'u1', 'u2', or 'u3' and members of groups 'g1' and 'g2', and users who are assigned role 'r1'

(u:u1|u:u2|u:u3)&g:g1|g:g2
    Grants access to: only users who are 'u1', 'u2', or 'u3' and who are members of groups 'g1' or 'g2'
    Denies access to: users who are not 'u1', 'u2', or 'u3' and members of groups 'g1' or 'g2'
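To make the allowlist semantics of the expressions above concrete, the following small evaluator (an added example, not code from the original documentation or from the Data Fabric product) parses the u:, g:, r: and p entities together with the &, | and ! operators and parentheses, then decides whether a caller matches an expression. It assumes the conventional precedence of ! over & over |, so expressions that mix & and | should be parenthesized as most rows above are; the caller's user, groups and roles are inputs you supply.

```python
import re

# Tokens of the ACE syntax: u:<user>, g:<group>, r:<role>, the public entity p,
# and the operators & (and), | (or), ! (not), with ( ) for grouping.
TOKEN = re.compile(r"([ugr]):([\w.-]+)|(p)\b|([&|!()])")

def tokenize(expr):
    """Split an ACE into (kind, name) pairs, rejecting anything outside the syntax."""
    if not re.fullmatch(rf"(?:\s*(?:{TOKEN.pattern}))*\s*", expr):
        raise ValueError(f"malformed ACE: {expr!r}")
    return [(kind or pub or op, name) for kind, name, pub, op in TOKEN.findall(expr)]

def evaluate(expr, user, groups=(), roles=()):
    """True if the caller matches the ACE (allowlist semantics); assumes ! > & > | precedence."""
    tokens = tokenize(expr) + [(None, None)]    # sentinel marks end of input
    i = 0
    def take():
        nonlocal i
        i += 1
        return tokens[i - 1]
    def parse_or():                              # a | b (lowest precedence)
        v = parse_and()
        while tokens[i][0] == "|":
            take(); v = parse_and() or v
        return v
    def parse_and():                             # a & b
        v = parse_not()
        while tokens[i][0] == "&":
            take(); v = parse_not() and v
        return v
    def parse_not():                             # !a (binds tightest)
        if tokens[i][0] == "!":
            take(); return not parse_not()
        return parse_atom()
    def parse_atom():                            # membership test or parenthesized group
        kind, name = take()
        if kind == "(":
            v = parse_or()
            if take()[0] != ")":
                raise ValueError("missing ')'")
            return v
        checks = {"p": True, "u": user == name, "g": name in groups, "r": name in roles}
        if kind not in checks:
            raise ValueError(f"malformed ACE at {kind!r}")
        return checks[kind]
    result = parse_or()
    if tokens[i][0] is not None:
        raise ValueError("unbalanced ACE")
    return result
```

Malformed expressions (unbalanced parentheses, unknown operators) raise ValueError rather than silently evaluating to a permissive result, which is the behaviour you want from anything that gates access.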
NOTE
The entities — user, group, role, and public — must be the same for file system and HPE Ezmeral Data Fabric Database ACEs.