NTFS ACLs are translated into the least permissive variant of Unix modebits, and are applied to the Owner, Owner Group, and Other fields as they would apply to a user making a request. Ownership of a file is determined by the UID & GID of the mapped user that wrote the ownership information. The "other" field may be present, depending on if an equivalent SID has explicit permissions (such as Everyone). This can lead to some confusion if an Administrator assigns an arbitrary owner of an object, as the resulting Unix permissions will reflect their mapping, rather than the new owner's.
The following Access Masks will translate into modebits directly:
- Read & Execute (r-x),
- Read (r--),
- Write (-w-),
- Modify (rwx),
- Full Control (rwx),
- Traverse Folder / Execute File (--x),
- Create Files / Write Data(-w-),
- List Folders / Read Data (r--)
Other special permissions don't have a direct translation into Unix modebits. In those cases, it is not possible to express a client's ability to perform such an action with modebits alone.
Unix permissions are translated into NTFS ACLs, when the option "-is-unix-ntaclenabled" is set to true (default). These fields are translated into a fake SID by default, showing UNIXPermUid\User and UNIXPermGid\Group, other, and the current user as well. The resulting NTFS ACL will appear more permissive, compared to the modebits, as there are permissions that do not have a translation. ONTAP tries to preserve the client's expectation with this translation - a Windows user whose mapped user would get rwx would effectively have a Full Control ACL, even though this provides special permissions that a Unix user could not be explicitly given via modebits.
Both translations are performed when permissions are written.