ACL Inheritance

As mentioned in Display and Modification of File Permissions, ACLs can be assigned to files after they are created. On Windows, it is also possible for an application to explicitly assign a specific ACL to a file at creation time. For example, an ACL can be passed in as part of a security descriptor in the lpSecurityAttributes parameter in the CreateFile function. However, the most common way that ACLs are assigned to files and folders is through inheritance.

How Inheritance Works

Each ACE in the ACL on a folder contains a set of flags that determine inheritance behavior. When a new object is created, the inheritance flags on an ACE dictate whether only files, only subfolders, both files and subfolders, or neither type of object inherits the ACE. A further flag limits how far an inherited ACE propagates, and another determines whether an ACE is inherited by the children of a folder but is not used in the permission check for the folder itself.

Note: These flags are assigned to each ACE individually. This means that a newly created file or folder may inherit zero, all, or a subset of the ACEs from the parent folder.

On Windows, the inheritance flags are set implicitly by the propagation choice in the Explorer security tab, reached by clicking Advanced > Change Permissions > Edit. On other platforms, these flags are set explicitly using a CLI; refer to Display and Modification of ACLs for the specific command to run on a given platform. Table 1 lists the ACE inheritance flags and their descriptions.

Table 1: ACE Inheritance Flags

Flag               Description
File inherit       ACE is inherited by (non-directory) files.
Directory inherit  ACE is inherited by directories.
Limit inherit      Prevents a newly created sub-directory that inherits the ACE from further inheriting the ACE to its own children.
Only inherit       Causes the ACE to be inherited by files and sub-directories but not used for permission checking on the directory itself.

Note: The only_inherit flag is never inherited.

On Windows, limit_inherit is mapped to a check box labeled Apply these permissions to objects and/or containers within this container only. The mapping of the three remaining flags to the seven options in the Windows propagation pull-down menu is as follows:

Windows                              Non-Windows (macOS, Linux, Unix)
This folder only                     (none)
This folder, subfolders, and files   directory_inherit, files_inherit
This folder and subfolders           directory_inherit
This folder and files                files_inherit
Subfolders and files only            files_inherit, directory_inherit, only_inherit
Subfolders only                      directory_inherit, only_inherit
Files only                           files_inherit, only_inherit

On non-Windows platforms, propagation/inheritance is typically applied only when a file or directory is created. That is, when an object is created, its parent's list of ACEs is checked and any that apply are "inherited." When an ACE is later added to a parent directory, it is not automatically propagated to any existing files or directories.
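The creation-time inheritance rules above (Table 1, the only_inherit note, and the Windows-to-flag mapping) can be modelled to see which ACEs a new file or subfolder actually receives. The following is an added example written for this page, not code from any platform's ACL implementation; the ACE structure, the rule that an ACE landing on a file keeps no inheritance flags, and the sample principals are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Flag names as the mapping table spells them (files_inherit kept as on the page).
FILES_INHERIT, DIRECTORY_INHERIT = "files_inherit", "directory_inherit"
LIMIT_INHERIT, ONLY_INHERIT = "limit_inherit", "only_inherit"
INHERIT_FLAGS = frozenset({FILES_INHERIT, DIRECTORY_INHERIT, LIMIT_INHERIT, ONLY_INHERIT})

# Windows propagation pull-down entries -> non-Windows flag sets (the mapping table above).
WINDOWS_PROPAGATION = {
    "This folder only": frozenset(),
    "This folder, subfolders, and files": frozenset({DIRECTORY_INHERIT, FILES_INHERIT}),
    "This folder and subfolders": frozenset({DIRECTORY_INHERIT}),
    "This folder and files": frozenset({FILES_INHERIT}),
    "Subfolders and files only": frozenset({FILES_INHERIT, DIRECTORY_INHERIT, ONLY_INHERIT}),
    "Subfolders only": frozenset({DIRECTORY_INHERIT, ONLY_INHERIT}),
    "Files only": frozenset({FILES_INHERIT, ONLY_INHERIT}),
}

@dataclass(frozen=True)
class ACE:
    principal: str
    access: str                   # "allow" or "deny"
    perms: FrozenSet[str]         # e.g. {"read", "write"}
    flags: FrozenSet[str] = frozenset()

def inherit_aces(parent_acl: List[ACE], child_is_dir: bool) -> List[ACE]:
    """ACL a newly created child receives from its parent, per Table 1.

    Copy an ACE only if its files_inherit/directory_inherit flag matches the child
    type; never carry only_inherit across; a limit_inherit ACE reaches a subfolder
    with its inheritance flags stripped so it goes no further. Files get no
    inheritance flags at all (assumption: they have no children to pass them to).
    """
    wanted = DIRECTORY_INHERIT if child_is_dir else FILES_INHERIT
    child_acl = []
    for ace in parent_acl:
        if wanted not in ace.flags:
            continue
        flags = set(ace.flags) - {ONLY_INHERIT}
        if not child_is_dir or LIMIT_INHERIT in ace.flags:
            flags -= INHERIT_FLAGS
        child_acl.append(ACE(ace.principal, ace.access, ace.perms, frozenset(flags)))
    return child_acl

def aces_checked_on(acl: List[ACE]) -> List[ACE]:
    """ACEs that count in the permission check on the object itself; only_inherit
    entries exist solely to be handed down and are skipped."""
    return [a for a in acl if ONLY_INHERIT not in a.flags]
```

Running a parent ACL that carries a "Subfolders only" ACE through inherit_aces twice shows it reaching a subfolder (minus only_inherit) but never a file, while a limit_inherit ACE reaches the subfolder and stops there.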