z/OS Network File System Guide and Reference


Displaying and modifying remote file system access control lists

z/OS Network File System Guide and Reference
SC23-6883-00

The POSIX permission bits offer limited granularity for file security management: access can be controlled only through the bits defined for the owner, owning group and other classes. Some UNIX platforms add granularity with access control list (ACL) support, which lets permissions be specified for individual users or groups. An ACL is simply a list of which users and groups get what kind of access to a file. The precise characteristics of ACL support are platform specific.

The NFS Version 4 protocol allows ACLs to be managed remotely: the ACL attribute can be retrieved and set over the protocol. The NFS version 4 ACL model is richer than many platform ACL implementations, so the NFS ACL definition must be mapped onto the platform definition. The key requirement is that this mapping err in the direction of more restricted access, never less. When the NFS server sets an ACL, the stored ACL must be at least as restrictive as the one the NFS request specified. When the NFS server sends an ACL to an NFS client, the client must not perceive the file as more secure than it really is. For details of the NFS version 4 ACL definition, see the NFS version 4 protocol specification (RFC 3530).

In the POSIX permission bits, and in some flavors of ACL, a single entry gives the complete answer for its subject: the bits that are set are granted and the bits that are clear are denied. By contrast, an NFS version 4 ACL is built from two types of access control entries (ACEs), “Allow” and “Deny”. An Allow ACE grants the target user or group the specified permissions on the file; a Deny ACE explicitly withholds the specified permissions from the target user or group. (The protocol also defines Audit and Alarm ACE types, which carry no access decision and are not discussed here.)

Further, the order in which entries (ACEs) are evaluated differs between a POSIX ACL and an NFS Version 4 ACL. POSIX has a fixed order: owner, named (supplemental) users, owning group, named (supplemental) groups, and other. The kernel maintains this order and the user cannot change it. NFS version 4 ACEs have no fixed order; they are evaluated in the order in which the creator of the ACL placed them in the list, so the same entries in a different order can yield a different result. Where the two orderings would disagree, the POSIX rules apply, because access authority is determined by the underlying z/OS UNIX file system, not by the z/OS NFS server.
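The evaluation rules and the mapping direction described above, as an added worked example that is not part of the z/OS documentation and is not z/OS NFS server code: a toy evaluator for ordered Allow/Deny NFSv4 ACEs, a POSIX-style evaluator with the fixed owner, named users, group class, other order, an exact rendering of POSIX mode bits as NFSv4 ACEs (showing why a mode such as 0604 needs Deny entries), and a projection from an NFSv4 ACL onto POSIX-style entries that takes the intersection over plausible group memberships so it loses access rather than inventing it. The ACE masks use the POSIX rwx bit values rather than the NFSv4 ACE4_* constants, inheritance flags are ignored, the POSIX.1e "any matching group entry grants" rule is assumed to describe z/OS UNIX group-class checking, and the users and groups (alice, dave, carol, eve, staff, contractors) are constructed sample data; all of these are assumptions of the example.

```python
"""Toy model of NFS version 4 ACE evaluation beside a POSIX / z/OS UNIX style ACL,
plus a projection between them that errs toward less access.  Added illustration,
not z/OS NFS server code.  Assumed simplifications: ACE masks hold the POSIX rwx bit
values rather than the NFSv4 ACE4_* mask constants, inheritance flags are ignored,
and z/OS UNIX is taken to use the POSIX.1e "any matching group entry grants" rule."""
from dataclasses import dataclass

READ, WRITE, EXEC = 0o4, 0o2, 0o1
ALL = READ | WRITE | EXEC

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny", the two NFSv4 access ACE types
    who: str    # "OWNER@", "GROUP@", "EVERYONE@", "user:<name>" or "group:<name>"
    mask: int   # rwx bits this entry speaks about

@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset

def _matches(ace, p, owner, owning_group):
    special = {"EVERYONE@": True, "OWNER@": p.user == owner, "GROUP@": owning_group in p.groups}
    if ace.who in special:
        return special[ace.who]
    kind, _, name = ace.who.partition(":")
    return (kind == "user" and p.user == name) or (kind == "group" and name in p.groups)

def nfs4_bits(acl, p, owner, owning_group):
    """NFSv4 rule: ACEs are walked in list order; each rwx bit is settled by the first
    matching ACE that mentions it, and a bit no matching ACE allows stays withheld."""
    granted, undecided = 0, ALL
    for ace in acl:
        if undecided and _matches(ace, p, owner, owning_group):
            hit = ace.mask & undecided
            if ace.kind == "allow":
                granted |= hit
            undecided &= ~hit       # a deny just keeps the bit out of `granted`
    return granted

def posix_bits(view, p, owner, owning_group):
    """POSIX / z/OS UNIX rule: the kernel-fixed order owner, named users, group class,
    other selects one class; the group class unions owning group and named groups."""
    if p.user == owner:
        return view["owner"]
    if p.user in view["users"]:
        return view["users"][p.user]
    bits = view["group"] if owning_group in p.groups else None
    for g, b in view["groups"].items():
        if g in p.groups:
            bits = (bits or 0) | b
    return view["other"] if bits is None else bits

def acl_from_mode(mode):
    """Exact NFSv4 rendering of POSIX bits: each class allows its bits and denies the
    rest, so a later EVERYONE@ allow cannot widen it (matters for modes like 0604)."""
    acl = []
    for who, bits in (("OWNER@", (mode >> 6) & 7), ("GROUP@", (mode >> 3) & 7), ("EVERYONE@", mode & 7)):
        if bits:
            acl.append(Ace("allow", who, bits))
        if who != "EVERYONE@" and bits != ALL:
            acl.append(Ace("deny", who, ALL & ~bits))
    return acl

def to_posix_view(acl, owner, owning_group):
    """Project an NFSv4 ACL onto owner/users/group/groups/other entries.  Memberships
    the ACL cannot see are unknown, so each entry is the intersection of what NFSv4
    grants over the plausible memberships: access may be lost, never invented."""
    named_groups = [a.who[6:] for a in acl if a.who.startswith("group:")]
    named_users = [a.who[5:] for a in acl if a.who.startswith("user:")]
    extras = [set()] + [{g} for g in named_groups]        # maybe also in a named group
    in_og = [{owning_group} | e for e in extras]

    def eff(user, memberships):
        bits = ALL
        for groups in memberships:
            bits &= nfs4_bits(acl, Principal(user, frozenset(groups)), owner, owning_group)
        return bits

    return {"owner": eff(owner, in_og + extras),
            "group": eff("member", in_og),
            "other": eff("nobody", extras),
            "users": {u: eff(u, in_og + extras) for u in named_users if u != owner},
            "groups": {g: eff("member", [{g}, {g, owning_group}])
                       for g in named_groups if g != owning_group}}

def mode_of(view):
    return view["owner"] << 6 | view["group"] << 3 | view["other"]

def never_wider(acl, view, principals, owner, owning_group):
    """The check the text asks for: the stored ACL grants nobody a bit the NFSv4 ACL withholds."""
    return all((posix_bits(view, p, owner, owning_group)
                & ~nfs4_bits(acl, p, owner, owning_group)) == 0 for p in principals)

# Constructed sample: a client-sent ACL with a named-group deny, which POSIX cannot express.
SAMPLE_ACL = [Ace("allow", "OWNER@", READ | WRITE),
              Ace("deny", "group:contractors", WRITE),
              Ace("allow", "GROUP@", READ | WRITE)]
SAMPLE_PRINCIPALS = [Principal("alice", frozenset({"staff"})), Principal("dave", frozenset({"staff"})),
                     Principal("carol", frozenset({"staff", "contractors"})), Principal("eve", frozenset())]
```

Running to_posix_view(SAMPLE_ACL, "alice", "staff") yields mode 0640 with the contractors entry reduced to no permissions: the owning group loses write entirely because a staff member who is also a contractor must not get write, and a POSIX group class has no way to deny one subgroup what it grants the rest. That is the "more restricted, not less" direction in practice, and never_wider confirms it for every sample principal. Swapping the order of a Deny OWNER@ read and an Allow EVERYONE@ read entry changes what the owner gets under nfs4_bits, whereas posix_bits always settles the owner first; that is the ordering difference the text describes.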

The z/OS NFS client can display and modify access control lists on a remote file system, provided that the remote NFS server supports the function. This support is limited to z/OS UNIX access control lists, as described in z/OS UNIX System Services Planning under Using Access Control Lists (ACLs). ACL checking is performed by the underlying file system on the server system, not by the z/OS NFS server or client.





Copyright IBM Corporation 1990, 2014