HP StoreAll Series Installation Manual page 168

ACEs can be explicit or inherited. An explicit ACE is assigned directly to the object by the owner
or an administrator, while an inherited ACE is inherited from the parent directory. ACEs are
governed by the following precedence rules:
An explicit deny ACE overrides an explicit allow ACE, and an inherited deny ACE overrides
an inherited allow ACE. For example, if an explicit allow ACE grants a user read-write
permission, but an explicit deny ACE denies the same user write permission, the effective
permission for this user is read-only.
An explicit ACE overrides an inherited ACE. For example, if an explicit allow ACE grants the
user read-write permission and an inherited deny ACE denies this same user write permission,
the resulting permission for this user is still read-write.
An ACL that is assigned to a file created by the HP StoreAll OS Software defines up to three special
explicit allow ACEs derived from the file mask, in addition to any other explicit and inherited ACEs
the file might have.
Linux mode mask and special ACEs mapping
The HP StoreAll client maps the mode mask for a file to a set of up to three special explicit allow
ACEs. The initial ACE is for the Windows user that corresponds to the file UID, the second ACE is
for the Windows group that corresponds to the file GID, and the third ACE is for the built-in Windows
group Everyone, which corresponds to the file's Other class of user.
Linux class
Owner (owning user)
Group (owning group)
Other
The permissions for each special ACE are set according to the bits in each category. If all bits in
some categories are cleared, no corresponding special ACE is added to the file ACL, and no
explicit deny ACE is generated.
User mapping
Owner mapping. Each file and directory in Linux has a UID that defines its owner and must be
mapped to a corresponding Windows user. See
Directory server" (page
If the user mapping can be resolved, this user is designated as the owner in the Owner special
ACE and is displayed as the owner of the file. If the user mapping cannot be resolved, an unknown
Windows user is used instead. The unknown user must be defined on the management console.
Group mapping. Each file and directory in Linux has a GID that defines its owner group, with
access rights as specified by the mode mask. A Windows group can be mapped to a corresponding
Linux GID.
If the mapping can be resolved, this group is designated as the owning group in the Group special
ACE. If the mapping cannot be resolved, the Group special ACE is not added to the file ACL.
Mapping ACLs to mode masks
If a special ACE is modified by the Windows client, the corresponding bits in the file mode mask
are updated. Likewise, if the mode mask is modified by the Linux client, the corresponding permission
in the special ACEs is updated.
Inherited ACEs do not affect the file mode mask, only special ACEs do this. For example, if you
have a special ACE for Everyone with read permission, and an inherited ACE for Everyone with
read-write-execute permissions, the corresponding permission in the file mode mask for others is
set to read-only. The write-execute permissions of the inherited ACE are ignored in the mapping.
168 Installing and configuring HP StoreAll clients for Linux and Windows (optional)
163).
Windows account
Owner special ACE
Group special ACE
Everyone special ACE
"Configuring groups and users on the Active