File Access Control Checks

A file Access Control List (ACL) is identified by the keyword file_acl. The ACL name must be unique so that a file permissions item can reference it by name. A file ACL can contain one or more user entries.

Usage

<file_acl: ["name"]>

    <user: ["user_name"]>
    acl_inheritance: ["value"]
    acl_apply: ["value"]
    (optional) acl_allow: ["rights value"]
    (optional) acl_deny: ["rights value"]
    </user>

</acl>

Syntax

The table below lists each associated type and the values it allows.

acl_inheritance

  • not inherited
  • inherited
  • not used

acl_apply

  • this folder only
  • this object only
  • this folder and files
  • this folder and subfolders
  • this folder, subfolders and files
  • files only
  • subfolders only
  • subfolders and files only

acl_allow, acl_deny

These settings are optional. Several rights can be listed for one entry, separated by | (see the example below).

Generic rights:

  • full control
  • modify
  • read & execute
  • read
  • write
  • list folder contents

Advanced rights:

  • full control
  • traverse folder / execute file
  • list folder / read data
  • read attributes
  • read extended attributes
  • create files / write data
  • create folders / append data
  • write attributes
  • write extended attributes
  • delete subfolder and files
  • delete
  • read permissions
  • change permissions
  • take ownership

Here is an example file access control .audit text:

<file_acl: "ASU1">

    <user: "Administrators">
    acl_inheritance: "not inherited"
    acl_apply: "This folder, subfolders and files"
    acl_allow: "Full Control"
    </user>

    <user: "System">
    acl_inheritance: "not inherited"
    acl_apply: "This folder, subfolders and files"
    acl_allow: "Full Control"
    </user>

    <user: "Users">
    acl_inheritance: "not inherited"
    acl_apply: "this folder only"
    acl_allow: "list folder / read data" | "read attributes" | "read extended attributes" | "create files / write data" | "create folders / append data" | "write attributes" | "write extended attributes" | "read permissions"
    </user>

</acl>
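The following Python is an added example, not Tenable's code and not part of the original page: it parses a file_acl block such as the one above and checks every value against the allowed types from the Syntax section, so that a typo in an .audit file is caught before the policy is run. It assumes the grammar visible on this page (double-quoted values, rights separated by |, the block closed by </acl>) and, because the example writes "Full Control" where the table lists "full control", it compares values case-insensitively; the sample input is the page's example, embedded as a string.

```python
import re

# Allowed values, copied from the Syntax section of this page.
ACL_INHERITANCE = {"not inherited", "inherited", "not used"}
ACL_APPLY = {
    "this folder only", "this object only", "this folder and files",
    "this folder and subfolders", "this folder, subfolders and files",
    "files only", "subfolders only", "subfolders and files only",
}
GENERIC_RIGHTS = {"full control", "modify", "read & execute", "read", "write",
                  "list folder contents"}
ADVANCED_RIGHTS = {
    "full control", "traverse folder / execute file", "list folder / read data",
    "read attributes", "read extended attributes", "create files / write data",
    "create folders / append data", "write attributes", "write extended attributes",
    "delete subfolder and files", "delete", "read permissions",
    "change permissions", "take ownership",
}
RIGHTS = GENERIC_RIGHTS | ADVANCED_RIGHTS

# Constructed sample input: the example file_acl block from this page.
SAMPLE_AUDIT = '''
<file_acl: "ASU1">
<user: "Administrators">
acl_inheritance: "not inherited"
acl_apply: "This folder, subfolders and files"
acl_allow: "Full Control"
</user>
<user: "System">
acl_inheritance: "not inherited"
acl_apply: "This folder, subfolders and files"
acl_allow: "Full Control"
</user>
<user: "Users">
acl_inheritance: "not inherited"
acl_apply: "this folder only"
acl_allow: "list folder / read data" | "read attributes" | "read extended attributes" | "create files / write data" | "create folders / append data" | "write attributes" | "write extended attributes" | "read permissions"
</user>
</acl>
'''


def parse_file_acl(text):
    """Parse one <file_acl: "name"> ... </acl> block (grammar assumed from this page).

    Returns {"name": str, "users": [{"user": str, "acl_inheritance": str,
    "acl_apply": str, "acl_allow": [str, ...], "acl_deny": [str, ...]}, ...]}.
    All values are lower-cased so they can be compared with the allowed-type tables.
    """
    block = re.search(r'<file_acl:\s*"([^"]+)">(.*?)</acl>', text, re.S)
    if not block:
        raise ValueError("no <file_acl: ...> ... </acl> block found")
    acl = {"name": block.group(1), "users": []}
    for um in re.finditer(r'<user:\s*"([^"]+)">(.*?)</user>', block.group(2), re.S):
        entry = {"user": um.group(1), "acl_allow": [], "acl_deny": []}
        # One "key: value" setting per line; rights lines hold several quoted values.
        for key, value in re.findall(r'^\s*(acl_\w+):\s*(.+?)\s*$', um.group(2), re.M):
            values = [v.lower() for v in re.findall(r'"([^"]*)"', value)]
            if key in ("acl_allow", "acl_deny"):
                entry[key] = values
            else:
                entry[key] = values[0] if values else ""
        acl["users"].append(entry)
    return acl


def validate_file_acl(acl):
    """Return a list of problems; empty when every value is in the allowed tables."""
    problems = []
    for e in acl["users"]:
        who = e["user"]
        # acl_inheritance and acl_apply are required, so a missing one is flagged too.
        if e.get("acl_inheritance") not in ACL_INHERITANCE:
            problems.append(f"{who}: acl_inheritance {e.get('acl_inheritance')!r} not allowed")
        if e.get("acl_apply") not in ACL_APPLY:
            problems.append(f"{who}: acl_apply {e.get('acl_apply')!r} not allowed")
        for key in ("acl_allow", "acl_deny"):
            for right in e[key]:
                if right not in RIGHTS:
                    problems.append(f"{who}: {key} right {right!r} not allowed")
    return problems


if __name__ == "__main__":
    parsed = parse_file_acl(SAMPLE_AUDIT)
    print(parsed["name"], [u["user"] for u in parsed["users"]])
    print(validate_file_acl(parsed) or "all values allowed")
```

Running the block on the page's example reports no problems; changing any value to one outside the tables (for instance a misspelt acl_apply) produces a message naming the user entry and the offending setting.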