
How to set List Permissions

1. The use of list groups and permission groups to set list permissions

Other articles have already mentioned that both list groups and permission groups can be used to assign list permissions. This raises questions such as:

  • “Can I use only list groups to set list permissions?”
  • “Can I use only permission groups to set list permissions?”
  • “Can I use permission groups on higher directories and list groups below?”
  • “Up to which level can list groups be used, and from which level permission groups?”

2. Example

To keep things simple, we assume that the permission end points are at level 7. We also make up a value for the average number of sub-directories per directory, and we assume that all directories at level 7 are given explicit permissions. Finally, we need an average value for the number of permission groups per permission end point (PEP).

Simplified assumptions:
2 sub-directories per directory
1 permission group per PEP in level 7

Level below the share   List groups per level   Permission groups per directory
Level 1                 2                       64
Level 2                 4                       32
Level 3                 8                       16
Level 4                 16                      8
Level 5                 32                      4
Level 6                 64                      2
PEP                                             1

To answer the question of where list groups and permission groups are best suited, it helps to turn the question around:

Where are list groups or permission groups not suited?

The figures in the example illustrate this:

  • In the lower levels, the many list groups put load on the Kerberos token of the permitted user.
  • In the upper levels, the many permission groups put load on the ACL and slow down access to the directory.

The larger the assumed value, the higher the load.

3. List Groups

List groups are created additionally, one group per directory.

Problem:

Every list group adds 8 or 40 bytes to the Kerberos token, depending on the group type. If the size of the Kerberos token exceeds a specific, server-dependent value, the user can suddenly no longer log in.

Conclusion:

In our example the number of list groups doubles from level to level. From level 4 or 5 onwards, the number of list groups can become considerable, and list groups should no longer be used at these levels. If problems with the Kerberos token occur, the boundary between list groups and permission groups should be shifted upwards.

4. Permission Groups with List Permissions

These groups are not created in addition. The groups already created for the permission end point (PEP) are reused, but only with list permissions.

Problem:

Every group has an entry in the Access Control List (ACL) of the directories. The more entries the ACL contains, the longer it takes to display the content of the directory.

Conclusion:

In our example the number of permission groups per directory doubles from level to level, but counting from the bottom up. In the upper levels, therefore, permission groups are not placed directly on the directories. Instead, a list group is used there, which adds only one ACL entry. The permission groups are nested in this list group.

5. The Line between List Groups and Permission Groups

List groups and permission groups with list permissions complement each other perfectly. You determine the boundary between the two according to your own circumstances. There is no generally applicable rule.

For example, note which parameter causes the problems:

  • the number of sub-directories with explicit permissions
  • the number of permission groups per permission end point
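
The trade-off from the example can be recalculated for other values of these two parameters. The following Python sketch is an added example, not part of the original article: it rebuilds the table from section 2 and, for every possible boundary level, reports the number of list groups, the resulting Kerberos token bytes (at 8 and 40 bytes per group) and the widest ACL. It assumes a perfectly uniform directory tree and a worst-case user who ends up in every list group; the function names are hypothetical.

```python
# Added example: model of the list-group / permission-group trade-off.
# Assumptions (not from the article): a perfectly uniform tree and a
# worst-case user who is a member of every list group.

TOKEN_BYTES_PER_GROUP = (8, 40)  # per-group token cost quoted in the article


def level_table(subdirs=2, pep_level=7, groups_per_pep=1):
    """Rows of (level, list groups per level, permission groups per directory)."""
    rows = []
    for level in range(1, pep_level):
        list_groups = subdirs ** level  # one list group per directory
        perm_groups = groups_per_pep * subdirs ** (pep_level - level)
        rows.append((level, list_groups, perm_groups))
    return rows


def evaluate_boundary(boundary, subdirs=2, pep_level=7, groups_per_pep=1):
    """List groups on levels 1..boundary, permission groups on the ACLs below.

    boundary=0 means no list groups are used at all.
    """
    rows = level_table(subdirs, pep_level, groups_per_pep)
    list_groups = sum(lg for level, lg, _ in rows if level <= boundary)
    # The widest ACL is on the first level that carries permission groups directly.
    below = [pg for level, _, pg in rows if level > boundary]
    max_acl_entries = max(below, default=groups_per_pep)
    token_bytes = tuple(list_groups * b for b in TOKEN_BYTES_PER_GROUP)
    return {"boundary": boundary, "list_groups": list_groups,
            "token_bytes": token_bytes, "max_acl_entries": max_acl_entries}


def compare_boundaries(**kw):
    """Evaluate every boundary from 0 (no list groups) to the level above the PEP."""
    pep_level = kw.get("pep_level", 7)
    return [evaluate_boundary(b, **kw) for b in range(0, pep_level)]


if __name__ == "__main__":
    for r in compare_boundaries():
        lo, hi = r["token_bytes"]
        print(f"list groups down to level {r['boundary']}: "
              f"{r['list_groups']:4d} list groups, {lo}-{hi} token bytes, "
              f"widest ACL {r['max_acl_entries']} entries")
```

With the article's values, a boundary at level 3 gives 14 list groups and at most 8 ACL entries per directory, while a boundary at level 6 gives 126 list groups and a single ACL entry.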