Windows ACL
A Windows Access Control List (ACL) is a list of privileges or permissions that determines specific access rights in the Windows environment. It lets administrators define access control rules for an individual file or directory and grant different access rights to individual users or groups.
Through Windows ACL, you can assign different privileges to local and domain users on the system. These privileges apply to all file-related applications, such as FTP, File Station, NFS, AFP, etc.
To define Windows ACL settings for a shared folder:
You can define initial Windows ACL settings when creating a shared folder. Follow the steps below:
- Click Shared Folder in Control Panel.
- Click Create to create a shared folder, or select an existing shared folder and click Edit to edit the folder.
- Under the Shared Folder Info tab, enter the fields required.
- Under the Windows ACL tab, check the Allow editing Windows Access Control List checkbox to initialize Windows ACL support.
- Click OK to finish.
To edit Windows ACL settings using File Station:
- Select a file or folder. You cannot select multiple files and modify their ACL permissions at once.
- Right-click the folder or choose the Action menu, and then choose Properties.
- Under the General tab, choose a user from the Owner drop-down menu to set that user as the owner of the file or folder. If you are setting ACL permissions for a folder, you can tick Apply to this folder, sub-folders and files to make the user the owner of all files and folders within it.
- Click the Permission tab and do any of the following to manage ACL permissions for the file or folder:
  - Click Create, enter the following information in the Permission Editor window, and click OK to create a permission entry:
    - User or group: Choose from the drop-down menu to specify the user or group that will be granted or denied the permission.
    - Inherit from (view only): Shows whether the permission is inherited (from a parent folder) or explicit (shown as None). See below for more information about permission inheritance.
    - Type: Choose Allow or Deny to grant or deny the permission to the user or group.
    - Apply to: If you are creating a permission entry for a folder, tick the checkboxes to apply the entry to this folder, to the folders (Child folders) or files (Child files) directly in this folder, or to all files and folders contained in this folder (All descendants).
    - Administration: Tick Read permissions, Change permissions, or Take ownership to specify the user or group's administrative privileges for the permission entry.
    - Read or Write: Tick the checkboxes in these sections to set the user or group's read and write permissions for the file or folder.
  - Select a permission entry on the list and click Edit (for explicit permissions) or View (for inherited permissions) to edit or view the permission.
  - Choose options from the Advanced options drop-down menu to manage inherited permission entries. See below for more information about permission inheritance.
  - Choose Advanced options > Permission Inspector and choose from the User or group drop-down menu to view or modify several users' or groups' permissions to the file or folder.
  - Select a permission entry on the list and click Delete to delete the permission.
  - If you are managing ACL permissions for a folder, tick Apply to this folder, sub-folders and files to apply the permission entries on the list to all files and folders within the folder.
- Click OK.
ACL permissions can be categorized as follows:
- Administration:
  - Read permissions: Controls whether a user can read the permissions of the file or folder.
  - Change permissions: Controls whether a user can change the permissions of the file or folder.
  - Take ownership: Controls whether a user can take ownership of the file or folder.
- Read:
  - Traverse folders/Execute files: Controls whether a user can run a program file.
  - List folders/Read data: Controls whether a user can read data in a file.
  - Read attributes: Controls whether a user can view the attributes of a file.
  - Read extended attributes: Controls whether a user can view the extended attributes of a file.
- Write:
  - Create files/Write data: Controls whether a user can change the contents of a file.
  - Create folders/Append data: Controls whether a user can add data to the end of a file.
  - Write attributes: Controls whether a user can change the attributes of a file.
  - Write extended attributes: Controls whether a user can change the extended attributes of a file.
  - Delete subfolders and files: Controls whether a user can delete a folder.
  - Delete: Controls whether a user can delete a file.
About permission inheritance:
ACL permissions are inherited from parent objects to child objects. For instance, if an ACL entry of the "sales" folder grants the "Read" permission to the user "Amy", then the ACL entry will be applied to all files within the "sales" folder (such as "annual report.xls"), allowing the user to open the files. Inherited permissions will be displayed in gray, whereas the object's own permissions (or "explicit" permissions) will be displayed in black.
To edit Windows ACL settings using Windows Explorer:
Refer to the How To article for detailed instructions.
Note:
- You can add at most 200 explicit ACL permission entries to a file or folder.
- When Windows ACL settings and shared folder privileges conflict, the system applies only the access the two have in common. For example, if the shared folder privilege is "Read/Write" but the ACL privilege is "Read", the final privilege is "Read".
- Windows ACL is only supported on the EXT4 file system. For users of DSM versions prior to 2.3, at least one EXT4 volume must be created to use the ACL feature. This means you have to format at least one hard disk and re-create a volume. Formatting the DiskStation erases all stored data and settings, so make sure all your data is backed up before proceeding.
- To define new privileges for domain users, make sure DSM and the Windows clients are in the same domain.
- The ACL privileges of the following shared folders cannot be modified: photo, surveillance, web, homes, NetBackup, usbshare, sdshare, esatashare.
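The following is an added example, not Synology's code, that models two points from this page: how an entry on the "sales" folder is inherited by "annual report.xls" (with the "Inherit from" column showing the parent or None), and how the final privilege is the intersection of the shared folder privilege and the ACL. It assumes Windows' canonical evaluation order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), which the page does not spell out, and the coarse rights "read"/"write", the share privilege names, and the sample users and groups are all constructed for illustration.

```python
# Added example (not Synology's code): a small model of how a Windows-style
# ACL on a DSM shared folder resolves to an effective right.
from dataclasses import dataclass, field
from typing import Optional

# Coarse right names and share privilege levels, constructed for this example.
READ, WRITE = "read", "write"
SHARE_PRIVILEGE = {"Read/Write": {READ, WRITE}, "Read": {READ}, "No access": set()}


@dataclass
class Ace:
    principal: str                   # user or group the entry names
    kind: str                        # "allow" or "deny" (the "Type" field)
    rights: frozenset                # subset of {READ, WRITE}
    apply_to_children: bool = True   # "Apply to: Child folders / Child files"


@dataclass
class Node:
    name: str
    aces: list = field(default_factory=list)   # explicit entries only
    parent: Optional["Node"] = None


def entries(node):
    """Return [(ace, inherited_from)] in the assumed canonical order:
    explicit deny, explicit allow, inherited deny, inherited allow.
    inherited_from is None for explicit entries (the page's "None")."""
    explicit = [(a, None) for a in node.aces]
    inherited = []
    ancestor = node.parent
    while ancestor is not None:
        inherited += [(a, ancestor.name) for a in ancestor.aces if a.apply_to_children]
        ancestor = ancestor.parent
    deny_first = lambda pair: 0 if pair[0].kind == "deny" else 1
    return sorted(explicit, key=deny_first) + sorted(inherited, key=deny_first)


def acl_rights(node, user, groups=()):
    """First matching entry decides each right: a right denied earlier in the
    order cannot be granted by a later allow, and vice versa."""
    principals = {user, *groups}
    granted, denied = set(), set()
    for ace, _ in entries(node):
        if ace.principal not in principals:
            continue
        for right in ace.rights:
            if right in granted or right in denied:
                continue   # already decided by an earlier entry
            (granted if ace.kind == "allow" else denied).add(right)
    return granted


def effective_rights(node, user, share_privilege, groups=()):
    """Page's note: when the share privilege and the ACL differ, the result
    is what the two have in common, i.e. the intersection."""
    return acl_rights(node, user, groups) & SHARE_PRIVILEGE[share_privilege]


# Constructed sample tree mirroring the page's "sales" / "annual report.xls".
sales = Node("sales", aces=[
    Ace("Amy", "allow", frozenset({READ})),
    Ace("staff", "allow", frozenset({READ, WRITE})),
    Ace("interns", "deny", frozenset({WRITE})),
])
report = Node("annual report.xls", parent=sales, aces=[
    Ace("Dan", "allow", frozenset({WRITE})),   # explicit entry on the file
])

if __name__ == "__main__":
    for ace, src in entries(report):
        print(f"{ace.principal:8} {ace.kind:5} {sorted(ace.rights)}  inherited from: {src}")
    print("Amy:", acl_rights(report, "Amy"))                              # {'read'}
    print("Bob:", acl_rights(report, "Bob", ["staff", "interns"]))        # {'read'}
    print("Dan:", acl_rights(report, "Dan", ["staff", "interns"]))        # {'read', 'write'}
    print("Dan on a Read-only share:",
          effective_rights(report, "Dan", "Read", ["staff", "interns"]))  # {'read'}
```

Bob is in both "staff" and "interns": the inherited Deny on "interns" is evaluated before the inherited Allow on "staff", so he ends up with read only. Dan is in the same groups but has an explicit Allow for write on the file, and explicit entries come before inherited ones, so his write is granted; put the file on a share whose privilege is "Read" and the intersection rule drops it again, as the note on this page describes.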