Using ACEs for MapR-FS

Describes how to define access to files, directories, and whole volume data using user, group, and role definitions.

Access Control Expressions (ACEs) for MapR-FS allow you to define whitelists (to grant access) and blacklists (to deny access) for a combination of users, roles, and groups. You can grant different permissions to multiple users, groups, and roles for files, directories, and whole volume data using boolean expressions and subexpressions.

ACEs for Files, Directories, and Whole Volume

An ACE is defined by a combination of user, group, and/or role definitions. You can combine these definitions using the supported syntax. For more information, see Syntax of Access Control Expressions.

The following examples demonstrate how ACEs can be used to create whitelists (to grant access) and blacklists (to deny access).

Access Control Expression: (u:u1&g:g1)
  Grants access to: only user 'u1', if user 'u1' is a member of group 'g1'
  Denies access to: users who are not 'u1' and members of group 'g1'

Access Control Expression: (g:g1&g:g2)|r:r1
  Grants access to: only users who are in both the groups 'g1' and 'g2', or users who are assigned role 'r1'
  Denies access to: users who are not in both the groups 'g1' and 'g2', and users who are not assigned role 'r1'

Access Control Expression: (g:g1&!g:g2)
  Grants access to: only users who are in group 'g1' and not in group 'g2'
  Denies access to: users who are in group 'g2', even if they are in group 'g1', and all other users

Access Control Expression: (g:g1|g:g2)
  Grants access to: users who are in groups 'g1' or 'g2'
  Denies access to: only users who are not in groups 'g1' or 'g2'

Access Control Expression: (g:g1|g:g2)&!r:r1
  Grants access to: only users in groups 'g1' or 'g2' and who are not assigned role 'r1'
  Denies access to: users who are not members of groups 'g1' or 'g2', users who are assigned role 'r1', even if they are in group 'g1' or 'g2', and all other users

Access Control Expression: (p)
  Grants access to: everyone
  Denies access to: none

Access Control Expression: (!g:g1&!g:g2&!g:g3)
  Grants access to: users who are not in groups 'g1', 'g2', and 'g3'
  Denies access to: only users who are in groups 'g1', 'g2', or 'g3'

Access Control Expression: ((u:u1|u:u2|u:u3)&g:g1&g:g2)&!r:r1
  Grants access to: only users 'u1', 'u2', or 'u3', who are also members in groups 'g1' and 'g2', but not assigned role 'r1'
  Denies access to: users who are not 'u1', 'u2', or 'u3' and members of groups 'g1' and 'g2', and users who are assigned role 'r1'

Access Control Expression: (u:u1|u:u2|u:u3)&g:g1|g:g2
  Grants access to: only users who are 'u1', 'u2', or 'u3' and who are members in groups 'g1' or 'g2'
  Denies access to: users who are not 'u1', 'u2', or 'u3' and members of groups 'g1' or 'g2'

Note: The entities — user, group, role, and public — must be common for MapR-FS and MapR-DB ACEs.
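
To check an ACE against a test identity before applying it, the expressions above can be evaluated offline. The following is an added example, not MapR code: the function name ace_allows, the allowed name characters, and the acceptance of '!' before a parenthesized group are assumptions. Because this page does not state operator precedence, the evaluator rejects expressions that mix & and | at one nesting level without parentheses (as the last expression above does) instead of guessing.

```python
import re

# Tokens from this page: ( ) & | !, u:<user>, g:<group>, r:<role>, p (public).
# The name character set is an assumption; the page does not define it.
TOKEN = re.compile(r"\s*(?:([()&|!])|([ugr]):([\w.-]+)|(p)\b)")

def tokenize(expr):
    expr, pos, toks = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {expr[pos:]!r}")
        op, kind, name, public = m.groups()
        toks.append(op or (("p", None) if public else (kind, name)))
        pos = m.end()
    return toks

def ace_allows(expr, user, groups=(), roles=()):
    """Return True if the ACE grants access to this identity."""
    toks, i = tokenize(expr), 0

    def primary():
        nonlocal i
        if i >= len(toks):
            raise ValueError("unexpected end of expression")
        tok = toks[i]
        i += 1
        if tok == "!":
            return not primary()
        if tok == "(":
            value = chain()
            if i >= len(toks) or toks[i] != ")":
                raise ValueError("missing ')'")
            i += 1
            return value
        if isinstance(tok, tuple):
            kind, name = tok
            return {"p": True, "u": name == user,
                    "g": name in groups, "r": name in roles}[kind]
        raise ValueError(f"unexpected token {tok!r}")

    def chain():
        nonlocal i
        value, seen = primary(), None
        while i < len(toks) and toks[i] in ("&", "|"):
            op = toks[i]
            i += 1
            if seen not in (None, op):  # assumption: never guess precedence
                raise ValueError("mixed & and | need explicit parentheses")
            seen, rhs = op, primary()
            value = (value and rhs) if op == "&" else (value or rhs)
        return value

    allowed = chain()
    if i != len(toks):
        raise ValueError(f"unexpected token {toks[i]!r}")
    return allowed
```

For example, ace_allows("(g:g1|g:g2)&!r:r1", "u9", {"g2"}, {"r1"}) returns False: the role 'r1' blacklist overrides the group membership.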