Access checking

The user map is consulted to translate the identity of the user requesting access into a user identity on the platform where the object was created. The UNIX® or Windows® directory service is consulted to determine the group membership for the translated user identity. The requested permissions are translated into permissions on the platform where the object was created. A single permission might be translated into several permissions, or several permissions might be translated to a single permission. Access to the object is then determined using the translated user and group identities and the translated required permissions, according to the access control on the object.

Only file creation, deletion, and regular file access are permitted across platforms. Access control (ownership and permission) changes are only permitted on the platform where the object was created.

Group membership information for cross-platform accesses is retrieved from the UNIX or Windows directory when needed. Group identities are not translated from the requesting platform to the platform where the object was created. Group membership on the requesting side is not considered. Instead, group membership is determined by consulting the directory service for the platform where the object was created. All of the groups to which the translated user belongs are applied. There is no mechanism for operating with reduced group membership.

Group membership information is cached for some period of time. Information can be reused for many access checks without consulting the directory service for each one. Changes to group membership that are made at a directory service are not automatically reflected to SAN File System clients. If it is important that changes be reflected immediately, use the SAN File System administrative client to direct one or all clients to refresh their group information.
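
The check and the group cache described above, modeled in Python as an added example (not IBM code), showing that a membership revoked at the directory still grants access until the client refreshes. The user map, permission mapping, identities, the UNIX owner/group/other evaluation and the deny-on-missing-mapping behavior are constructed assumptions; cache expiry is omitted.

```python
# Toy model of the cross-platform check. All names, mappings and sample data
# are constructed for illustration; they are not SAN File System's own.
USER_MAP = {"WINDOM\\alice": "alice"}   # Windows identity -> UNIX identity
PERM_MAP = {                            # requested Windows permission -> UNIX bits
    "READ_DATA": {"r"},
    "WRITE_DATA": {"w"},                # two permissions collapse to one ...
    "APPEND_DATA": {"w"},
    "MODIFY": {"r", "w"},               # ... and one expands to several
}

class Client:
    """Caches group membership read from the object's-platform directory."""
    def __init__(self, directory):
        self.directory = directory      # UNIX directory service: user -> groups
        self.group_cache = {}           # expiry omitted; cleared only by refresh

    def groups_for(self, user):
        if user not in self.group_cache:        # directory consulted on a miss only
            self.group_cache[user] = set(self.directory.get(user, ()))
        return self.group_cache[user]

    def refresh_groups(self):
        """Models the administrative request to refresh group information."""
        self.group_cache.clear()

    def check_access(self, win_user, win_perms, obj):
        unix_user = USER_MAP.get(win_user)
        if unix_user is None or not set(win_perms) <= set(PERM_MAP):
            return False                # assumption: unmapped user/permission denies
        needed = set().union(*(PERM_MAP[p] for p in win_perms))
        if unix_user == obj["owner"]:
            granted = obj["owner_perms"]
        elif obj["group"] in self.groups_for(unix_user):  # every group is applied
            granted = obj["group_perms"]
        else:
            granted = obj["other_perms"]
        return needed <= granted

def demo():
    directory = {"alice": {"staff", "finance"}}
    client = Client(directory)
    report = {"owner": "bob", "group": "finance", "owner_perms": {"r", "w"},
              "group_perms": {"r", "w"}, "other_perms": set()}
    before = client.check_access("WINDOM\\alice", {"MODIFY"}, report)
    directory["alice"].discard("finance")      # revoked at the directory service
    stale = client.check_access("WINDOM\\alice", {"MODIFY"}, report)
    client.refresh_groups()                    # administrator forces a refresh
    after = client.check_access("WINDOM\\alice", {"MODIFY"}, report)
    return before, stale, after                # (True, True, False)
```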

(C) Copyright IBM Corporation 2003, 2004. All Rights Reserved.
IBM TotalStorage SAN File System v2.2