Security Policy Enforcement Process

Describes the steps followed during security policy enforcement on volumes.

Order of Enforcement

The Data Fabric File System enforces security policies hierarchically, starting at the volume level.

If the volume-level enforcement mode is set to PolicyAceAndDataAce (the default setting), the system evaluates and enforces both the ACEs applied directly to data objects AND the ACEs defined in the security policies applied to those data objects. When a user submits a data-operation request, the system evaluates and enforces the ACEs hierarchically, starting with the volume in which the data resides.

For example, to perform a write operation on a file, the system first evaluates permissions on the volume in which the file resides. If at least one security policy is applied to the volume, the system evaluates the ACEs set in the security policy AND the ACEs or POSIX mode bits applied directly to the volume. Both sets of ACEs must allow the user to access the volume. If either set of ACEs does not permit access to the volume, the system denies the user permission to perform the operation. If both sets of ACEs permit access to the volume, the system checks access permissions on the file: it evaluates the security policies applied to the file AND any ACEs or POSIX mode bits applied directly to the file. Both sets of ACEs must grant the user write access on the file. If both allow access (the writefile ACE), the user can perform the data operation on the file. If not, the system denies access.

Note the following behaviors related to the enforcement mode setting:
  • When set to PolicyAceOnly, the system enforces only the ACEs set in security policies. A user can perform data operations on a data object only if the security policies associated with that data object allow the user access. However, if a data object is not associated with at least one security policy, the system enforces any ACEs or POSIX mode bits set directly on the data object. In this case, a user can access the data object only if the ACEs or POSIX mode bits set directly on it allow the user access.
  • In both PolicyAceOnly and PolicyAceAndDataAce modes, if a security policy is applied to a data object but no ACEs are defined in the policy (the ACE is the empty string ""), the system continues to the next-level data object to evaluate permissions.

Data Fabric File System Enforcement Process

The Data Fabric filesystem enforces security policies on data objects in the following order:
  • Volumes
  • Files/Directories
    NOTE
    The system enforces directory ACEs only when determining access to the directory itself during directory operations. For read and write operations, directory ACEs are enforced during the path-walk operation when a file is opened. Once the user holds a handle (FID) to the file, the user can access the file directly with the FID, and in that case the system ignores directory ACEs. See Managing File and Directory ACEs for details on directory ACEs.
The following diagram shows the order in which the Data Fabric filesystem evaluates and enforces data operations on data objects when the enforcement mode is set to PolicyAceOnly:
NOTE
If no policy is applied at the volume or file/directory level, the system enforces the DataAces (the mode bits and ACEs applied directly to the data object) to protect the data.

The following diagram shows the order in which the Data Fabric file system evaluates and enforces data operations on data objects when the enforcement mode is set to PolicyAceAndDataAce (default mode):

The following diagram shows the order in which the Data Fabric file system evaluates and audits data operations on data objects when the enforcement mode is set to PolicyAceAuditAndDataAce (permissive mode):
NOTE
In this mode the system does not enforce a denied access check; instead it logs the information about the denied check in the audit logs.
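The following is an added model of the hierarchical check described on this page (volume first, then file/directory, with the three enforcement modes); it is example code written for this page, not Data Fabric's own implementation. It assumes that when several policies apply to one object all of them must grant access, and that an applied-but-empty ("") policy skips the whole level, as the note above describes.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model: each level carries the outcome of the direct ACEs / POSIX
# mode bits for the requested operation (data_allows) and one entry per applied
# policy: True = policy ACE grants, False = policy ACE denies, None = ACE is "".
@dataclass
class Level:
    name: str
    data_allows: bool
    policies: List[Optional[bool]] = field(default_factory=list)

def level_decision(level: Level, mode: str) -> Optional[bool]:
    """True/False for this level, or None when the level is skipped."""
    applied = [p for p in level.policies if p is not None]
    if level.policies and not applied:
        # Policy applied but its ACE is "": continue to the next level.
        return None
    if not level.policies:
        # No policy on this object: DataAces protect the data in every mode.
        return level.data_allows
    policy_ok = all(applied)  # assumption: every applied policy must grant
    if mode == "PolicyAceOnly":
        return policy_ok
    # PolicyAceAndDataAce / PolicyAceAuditAndDataAce: both sets must allow.
    return policy_ok and level.data_allows

def evaluate(levels: List[Level], mode: str, audit_log: List[str]) -> bool:
    """Walk volume -> file/directory and deny at the first level that denies.
    In PolicyAceAuditAndDataAce a denial is only recorded, never enforced."""
    for level in levels:
        decision = level_decision(level, mode)
        if decision is False:
            if mode == "PolicyAceAuditAndDataAce":
                audit_log.append(f"denied check on {level.name} (not enforced)")
                continue
            return False
    return True

def write_request(mode: str, file_data_allows: bool, file_policies):
    """Constructed scenario: volume grants via policy and mode bits, file varies."""
    audit: List[str] = []
    levels = [Level("vol1", True, [True]),
              Level("vol1/data.csv", file_data_allows, list(file_policies))]
    return evaluate(levels, mode, audit), audit
```

`write_request("PolicyAceAndDataAce", False, [True])` is denied because the file's mode bits refuse the write even though the policy grants it, while the same request under PolicyAceOnly succeeds and under PolicyAceAuditAndDataAce succeeds with one audit entry.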