Security Policy Enforcement Process

Order of Enforcement

If the volume-level enforcement mode is set to PolicyAceAndDataAce (default setting), the system evaluates and enforces the ACEs directly applied to data objects AND the ACEs defined in the security policies applied to data objects. When a user submits a data-operation request, the system evaluates and enforces the ACEs hierarchically, starting with the volume in which the data resides.

For example, to perform a write operation on a file, the system first evaluates permissions on the volume in which the file resides. If at least one security policy is applied to the volume, the system evaluates the ACEs set in the security policy AND the ACEs or POSIX mode bits directly applied to the volume. Both sets of ACEs must allow permit the user to access the volume. If one set of ACEs does not permit access to the volume, the system denies the user permission to perform the operation. If both sets of ACEs permit access to the volume, the system checks access permissions on the file. The system evaluates security policies applied to the file AND any ACEs or POSIX mode bits applied directly to the file. Both sets of ACEs must permit the user write access on the file. If they both allow access (writefileeace), the user can perform the data operation on the file. If not, the system denies access.

Note the following behaviors related to the enforcement mode setting:

When set to PolicyAceOnly, the system only enforces the ACEs set in security policies. A user can only perform data operations on a data object if the security policies associated with the data object allow the user access. However, if a data object is not associated with at least one security policy, the system enforces any ACEs or POSIX mode bits set directly on the data object. In this case, a user can only access the data object if the ACEs or POSIX mode bits set directly on the data object allow the user access.
In PolicyAceOnly and PolicyAceAndDataAce modes, if a security policy is applied to a data object, and ACEs are not defined in the policy (""), the system continues to the next level data object to evaluate permissions.

Data Fabric File System Enforcement Process

The Data Fabric filesystem enforces security policies on data objects, in the following order:

Volumes
Files/Directories
Note: The system only enforces directory ACEs when determining access to the directory during directory operations. For read and write operations, directory ACEs are enforced during the path-walk operation when opening a file. If the user has a handle (FID) to the file, the user can access the file directly with the FID. In that case, the system ignores directory ACEs.

The following diagram shows the order in which the Data Fabric filesystem evaluates and enforces data operations on data objects when the enforcement mode is set to PolicyAceOnly:

Note: If no policy is applied at the volume or file/directory level, the system will enforce DataAces (mode and ACEs applied directly on data object) to protect the data.

The following diagram shows the order in which the Data Fabric file system evaluates and enforces data operations on data objects when the enforcement mode is set to PolicyAceAndDataAce (default mode):

The following diagram shows the order in which the Data Fabric file system evaluates and audits data operations on data objects when the enforcement mode is set to PolicyAceAuditAndDataAce (permissive mode):

Note: The system does not enforce denied access checks, but does log the information about the denied check in the audit logs.

Data Fabric Database Enforcement Process

The security policies and ACEs applied to a volume also apply to JSON tables within that volume. The user that issues a data operation against a table in a volume must have permission to access the data in the volume through ACEs or security policies set on that volume.

For data operations, Data Fabric Database enforces ACEs (directly set on data objects) in the following order:

Volume
JSON column families
JSON fields

Note: Data Fabric Database does not enforce table ACEs during data operations; however, when you create a table you can define default ACEs. Default ACEs are the permissions automatically applied to new column families when they are created for a table. Similarly, new column families created for a table inherit the security policies applied to the table.

Data Fabric Database supports ACEs for the following types of data operations:

Read
Write
Traverse (JSON Only)
Append (Binary Only – Currently, Policy-Based Security does not support binary tables.)

Data Fabric Database enforces security policies in the following order:

JSON table
JSON column family
JSON field

Note: Policies enforced on a primary table are also enforced on the secondary indices for the table.

The following diagram shows the order in which Data Fabric Database evaluates and enforces data operations on data objects when the enforcement mode is set to PolicyAceAndDataAce (default mode):

Note: Data Fabric Database evaluates and enforces the security policies and ACEs set on the volume before evaluating data access controls on the table. Refer to the preceding Data Fabric filesystem diagrams.