Security Policy Enforcement Process
Describes the steps followed during security policy enforcement on volumes.
Order of Enforcement
Data Fabric File System enforces security policies hierarchically, starting at the volume level. If the volume-level enforcement mode is set to PolicyAceAndDataAce (the default setting), the system evaluates and enforces both the ACEs applied directly to data objects and the ACEs defined in the security policies applied to those data objects. When a user submits a data-operation request, the system evaluates and enforces the ACEs hierarchically, starting with the volume in which the data resides.
For example, to perform a write operation on a file, the system first evaluates permissions on the volume in which the file resides. If at least one security policy is applied to the volume, the system evaluates the ACEs set in the security policy AND the ACEs or POSIX mode bits directly applied to the volume. Both sets of ACEs must allow the user to access the volume. If one set of ACEs does not permit access to the volume, the system denies the user permission to perform the operation. If both sets of ACEs permit access to the volume, the system checks access permissions on the file. The system evaluates security policies applied to the file AND any ACEs or POSIX mode bits applied directly to the file. Both sets of ACEs must permit the user write access on the file. If they both allow access (writefile ACE), the user can perform the data operation on the file. If not, the system denies access.
- When set to PolicyAceOnly, the system enforces only the ACEs set in security policies. A user can perform data operations on a data object only if the security policies associated with the data object allow the user access. However, if a data object is not associated with at least one security policy, the system enforces any ACEs or POSIX mode bits set directly on the data object; in that case, a user can access the data object only if those directly applied ACEs or POSIX mode bits allow the user access.
- In PolicyAceOnly and PolicyAceAndDataAce modes, if a security policy is applied to a data object but no ACEs are defined in the policy (the ACE is the empty string ""), the system continues to the next-level data object to evaluate permissions.
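As an added illustration (not code from the product or its documentation), the following Python model walks a constructed volume/file hierarchy and applies the mode rules described above: in the default mode both ACE sets must allow at each level, PolicyAceOnly falls back to directly applied ACEs only when no policy is attached at all, and an applied policy whose ACE is undefined ("") defers to the next level. The ACE names ("read"/"write" instead of per-level names such as writefile), the principals and objects, the rule that several policies with defined ACEs must all allow, and the behaviour assumed for PolicyAceAuditAndDataAce (enforce the data ACEs, only record what the policy ACEs would have decided) are assumptions of this example, not statements from the page.

```python
"""Simulation of hierarchical security-policy enforcement (added example).

Permissions are checked per level, volume first, then the file; at each
level the policy ACEs AND the data ACEs must both allow the operation in
the default mode.  ACE names are kept generic ("read"/"write"); the real
product uses per-level names such as writefile at the file level.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A constructed ACE: operation name -> set of principals allowed.
Ace = Dict[str, Set[str]]


@dataclass
class Policy:
    name: str
    ace: Ace = field(default_factory=dict)  # {} models "" (ACE not defined)


@dataclass
class DataObject:
    name: str
    data_ace: Ace                           # ACEs/POSIX mode bits set directly
    policies: List[Policy] = field(default_factory=list)


def ace_allows(ace: Ace, user: str, op: str) -> bool:
    return user in ace.get(op, set())


def policy_verdict(obj: DataObject, user: str, op: str) -> Optional[bool]:
    """Combined verdict of the policies applied to obj, or None when none of
    them defines an ACE.  Assumption: with several defined policies, all must
    allow (the page does not say how multiple policies combine)."""
    defined = [p for p in obj.policies if p.ace]
    if not defined:
        return None
    return all(ace_allows(p.ace, user, op) for p in defined)


def level_allows(mode: str, obj: DataObject, user: str, op: str,
                 audit: List[str]) -> bool:
    """Decision for one level of the hierarchy under the given mode."""
    data_ok = ace_allows(obj.data_ace, user, op)
    policy = policy_verdict(obj, user, op)

    if mode == "PolicyAceAndDataAce":
        # Both sets must allow; an undefined policy ACE has no say at this
        # level, so only the directly applied ACEs are enforced here.
        return data_ok and policy is not False

    if mode == "PolicyAceOnly":
        if not obj.policies:
            return data_ok        # no policy at all: fall back to data ACEs
        if policy is None:
            return True           # policy applied but ACE undefined: next level
        return policy

    if mode == "PolicyAceAuditAndDataAce":
        # Assumption (not detailed on the page): permissive mode enforces the
        # data ACEs and only records what the policy ACEs would have decided.
        if policy is False:
            audit.append(f"policy would deny {user} {op} on {obj.name}")
        return data_ok

    raise ValueError(f"unknown enforcement mode: {mode}")


def check_access(mode: str, path: List[DataObject], user: str,
                 op: str) -> Tuple[bool, List[str], List[str]]:
    """Walk the hierarchy (volume first) and stop at the first denial.
    Returns (allowed, trace of levels evaluated, audit records)."""
    trace: List[str] = []
    audit: List[str] = []
    for obj in path:
        ok = level_allows(mode, obj, user, op, audit)
        trace.append(f"{obj.name}: {'allow' if ok else 'deny'}")
        if not ok:
            return False, trace, audit
    return True, trace, audit


# Constructed sample hierarchy: one volume and one file inside it.
FINANCE_POLICY = Policy("finance-rw", {"read": {"alice", "bob"}, "write": {"alice"}})
EMPTY_POLICY = Policy("placeholder", {})          # applied, but its ACE is ""
VOLUME = DataObject("vol1", {"read": {"alice", "bob"}, "write": {"alice", "bob"}},
                    [FINANCE_POLICY])
REPORT = DataObject("vol1/report.csv", {"read": {"alice", "bob"}, "write": {"bob"}},
                    [EMPTY_POLICY])
PATH = [VOLUME, REPORT]

if __name__ == "__main__":
    for mode in ("PolicyAceAndDataAce", "PolicyAceOnly", "PolicyAceAuditAndDataAce"):
        for user in ("alice", "bob"):
            allowed, trace, audit = check_access(mode, PATH, user, "write")
            print(f"{mode:26} {user:6} write -> {allowed}  {trace} {audit}")
```

Running the sample shows the three modes diverging on the same request: bob's write is stopped at the volume by the policy ACE in the default and PolicyAceOnly modes, but passes in permissive mode with an audit record, while alice's write passes the volume and is stopped at the file by the directly applied ACE in the two modes that enforce data ACEs.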
Data Fabric File System Enforcement Process
- Volumes
- Files/Directories

NOTE: The system enforces directory ACEs only when determining access to the directory itself during directory operations. For read and write operations, directory ACEs are enforced during the path-walk operation when opening a file. If the user already holds a handle (FID) to the file, the user can access the file directly with the FID; in that case, the system ignores directory ACEs. See Managing File and Directory ACEs for details on directory ACEs.

PolicyAceOnly:
[diagram]

The following diagram shows the order in which the Data Fabric file system evaluates and enforces data operations on data objects when the enforcement mode is set to PolicyAceAuditAndDataAce (permissive mode):
[diagram]