This article covers the use case where:
- the job is configured to synchronize NTFS file access permissions, and
- there are Agents or storages that do not support these permissions (for example, a cloud storage or a Linux Agent).
It covers only the case of NTFS permissions and is not applicable to POSIX permissions.
When ACLs on files differ or are missing, the Agent tries to synchronize them to the remote Agents. For this to work, the same ACLs (owners, groups, user IDs and/or names) must be available on all the Agents involved. In some cases this is not possible, for example when a cloud storage or a Linux OS that does not support NTFS file permissions is involved.
The basic idea of the default ACL is to assign a fixed owner, group and SDDL to files, using custom parameters in the Job profile. These ACLs are applied to files during synchronization in the environment described above. The current default values are:
- Owner. Parameter name: default_usid. Default value: O:S-1-1-0 (Everyone)
- Group. Parameter name: default_gsid. Default value: G:S-1-1-0 (Everyone)
- ACL. Parameter name: default_sddl. Default value: D:AI (always inherit)
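To see what these three defaults actually mean on the Windows side, here is a small SDDL decoder, added to this article as an example (it is not Resilio code). It assumes, which the article does not state, that the Agent simply concatenates the three parameter values into one SDDL string in O:, G:, D: order; the well-known SID table and the sample descriptors are a constructed subset for illustration.

```python
"""Decode default_usid / default_gsid / default_sddl into a readable summary.
Added example, not Resilio code; the concatenation order is an assumption."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed subset of well-known SIDs and their two-letter SDDL aliases.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM (Local System)",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
SDDL_ALIASES = {"WD": "S-1-1-0", "AU": "S-1-5-11", "SY": "S-1-5-18",
                "BA": "S-1-5-32-544", "BU": "S-1-5-32-545"}

# ACL control flags that may precede the ACE list in a D: (or S:) component.
ACL_FLAGS = {
    "P": "protected: inheritance from the parent folder is blocked",
    "AR": "auto-inherit requested",
    "AI": "auto-inherited: ACEs are inherited from the parent folder",
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# One SDDL component: a key letter, a colon, then text up to the next key.
COMPONENT_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")


def resolve_sid(token: str) -> tuple[str, str]:
    """Return (sid, friendly name) for a SID string or a two-letter SDDL alias."""
    sid = SDDL_ALIASES.get(token, token)
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid SID or SDDL alias: {token!r}")
    return sid, WELL_KNOWN_SIDS.get(sid, "(not a well-known SID)")


def parse_acl_flags(flags: str) -> list[str]:
    """Split a run of ACL flags such as 'PAI' into ['P', 'AI']."""
    out, i = [], 0
    while i < len(flags):
        if flags[i:i + 2] in ("AR", "AI"):
            out.append(flags[i:i + 2])
            i += 2
        elif flags[i] == "P":
            out.append("P")
            i += 1
        else:
            raise ValueError(f"unknown ACL flag at {flags[i:]!r}")
    return out


@dataclass
class Ace:
    ace_type: str       # A = allow, D = deny, AU = audit
    ace_flags: str      # e.g. OICI = object inherit + container inherit
    rights: str         # e.g. FA = full access, FR = read
    trustee_sid: str
    trustee_name: str


@dataclass
class SecurityDescriptor:
    owner: tuple[str, str] | None = None
    group: tuple[str, str] | None = None
    dacl_flags: list[str] = field(default_factory=list)
    dacl_aces: list[Ace] = field(default_factory=list)


def parse_acl(body: str) -> tuple[list[str], list[Ace]]:
    """Parse 'flags(ace)(ace)...' into ACL flags and ACE objects."""
    first_paren = body.find("(")
    flags = parse_acl_flags(body if first_paren < 0 else body[:first_paren])
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", body):
        fields = ace.split(";")
        if len(fields) != 6:  # type;flags;rights;object_guid;inherit_guid;sid
            raise ValueError(f"ACE must have 6 fields: ({ace})")
        sid, name = resolve_sid(fields[5])
        aces.append(Ace(fields[0], fields[1], fields[2], sid, name))
    return flags, aces


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Parse O:, G: and D: components; an S: (SACL) component is accepted but ignored."""
    components = COMPONENT_RE.findall(sddl)
    if "".join(f"{k}:{v}" for k, v in components) != sddl:
        raise ValueError(f"unparseable SDDL: {sddl!r}")
    sd = SecurityDescriptor()
    for key, value in components:
        if key == "O":
            sd.owner = resolve_sid(value)
        elif key == "G":
            sd.group = resolve_sid(value)
        elif key == "D":
            sd.dacl_flags, sd.dacl_aces = parse_acl(value)
    return sd


def default_acl_summary(default_usid: str = "O:S-1-1-0",
                        default_gsid: str = "G:S-1-1-0",
                        default_sddl: str = "D:AI") -> dict:
    """Explain the three job-profile parameters (article defaults used here).
    Assumption: the Agent concatenates them as one SDDL string in O:, G:, D: order."""
    sd = parse_sddl(default_usid + default_gsid + default_sddl)
    return {
        "owner": sd.owner[1] if sd.owner else None,
        "group": sd.group[1] if sd.group else None,
        "dacl_flags": [ACL_FLAGS[f] for f in sd.dacl_flags],
        "explicit_aces": len(sd.dacl_aces),
    }


if __name__ == "__main__":
    print(default_acl_summary())
```

With the article's defaults the summary shows owner and group both resolving to Everyone and a DACL that carries only the AI flag with no explicit ACEs, which is why the effective permissions on such files come from the parent folder on the Windows Agent. Overriding default_sddl with a descriptor such as D:PAI(A;OICI;FA;;;BA) is decoded the same way, so the script is a quick way to sanity-check a custom value before putting it in the Job profile.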
If files are synchronized from a Windows Agent to a Linux Agent, the files' current permissions are synced and stored on the Linux Agent.
When files are synchronized from a Linux Agent to a Windows Agent (that is, files created on the Linux side), these defaults are applied. For the Agent to be able to change the owner, the Agent service must run as Local System, not as an Admin user. Otherwise the error "Failed to set owner and group" will appear.
When only Windows Agents are involved, these parameters play no role.