Overview
Access Control List (ACL)-based Access Filtering is a Premium feature introduced in File IQ 10.3 that lets you analyze and search files and folders based on Active Directory (AD) permissions on supported Nasuni UniFS volumes. File IQ collects and indexes NTFS access control lists (ACLs) during scans, allowing you to see who has access to what data and filter results by user, group, and permission type. Permissions are displayed using integrated Access Control pop-ups in File IQ dashboards.
This guide explains how to use File IQ's Access Control List (ACL) analytics for UniFS volumes secured by Active Directory (AD).
This feature is designed for administrators, security teams, and compliance users who need visibility into data access without modifying permissions on the Edge Appliance (filer).
This feature applies only to AD-backed UniFS volumes configured in NTFS exclusive mode.
Important: ACL data reveals who can access potentially sensitive data. Restrict access to File IQ dashboards and Grafana to trusted administrators and security personnel only. Any user with access to the File IQ Grafana dashboards can filter for and display ACLs.
Important: ACLs for scans completed prior to the File IQ 10.3 upgrade are not available.
ACL-based Access Filtering helps you answer common access and audit questions, such as:
Who can access a specific file or folder?
Where does a given user or group have read or write access?
Which areas of a volume are over-permissioned?
How have permissions changed over time?
How ACL Access Analysis Works in File IQ
Understanding NTFS and AD ACLs
On AD-backed SMB shares, permissions are stored as NTFS Access Control Lists (ACLs).
An ACL consists of a list of Access Control Entries (ACEs). Each ACE grants (ALLOW) or denies (DENY) permissions to a security principal, such as:
A user (for example, CORP\alice).
A group (for example, CORP\Finance or BUILTIN\Administrators).
Well-known identities (for example, EVERYONE or AUTHENTICATED_USERS).
NTFS permissions are represented as a bitmask and can include Read, Write, Execute, Delete, Full control, and other permissions. Permissions can be defined at the file or folder level and are typically inherited from parent folders unless inheritance is disabled.
What File IQ Does with ACLs
File IQ performs the following actions with ACLs:
Reads NTFS ACLs from supported AD-backed UniFS volumes during a volume scan.
Persists raw ACL metadata alongside file and directory records in the File IQ database.
Parses raw ACL metadata and indexes user-friendly user/group and permission information for volumes where metadata indexing is enabled.
Indexes ALLOW ACEs for filtering.
Exposes ACL-aware filters and an Access Control pop-up in the following dashboards:
Volume Explorer
Volume Version Explorer
Advanced Filtering – File Metadata
ACL indexing enables you to filter search results based on which users or groups have specific access types.
Scope and Limitations
The following table provides the scope and limitations of ACL Access Analysis.
| Category | Details |
|---|---|
| Supported volumes | Applies only to AD-backed UniFS volumes configured in NTFS exclusive mode. |
| Enforcement | Does not modify or enforce permissions on the Edge Appliance (filer). This feature is for filtering and visualization only. |
| Data freshness | Reflects permissions as of the last completed volume scan (Volume Explorer and Advanced Filtering - File Metadata dashboards) or the selected point-in-time scan (Volume Version Explorer dashboard). |
| Indexed permissions | Only ALLOW ACEs are indexed and available for filtering. DENY ACEs are visible in the Access Control pop-up, but cannot be used as filter criteria. |
| Group membership | Transitive group membership is not calculated. For example, if USER_1 belongs to GROUP_1 and GROUP_1 has READ access to a file, a search for files to which USER_1 has READ access does not return that file unless USER_1 is explicitly granted READ access. |
| Inheritance | ACL inheritance is supported. If a user is granted READ access to |
| Identity filtering | Filtering is supported only by user or group name (for example, |
| Indexing requirement | Volumes must be indexed for ACL-based filtering to function. Volumes that are not indexed or are too large to index do not support ACL-based filtering. |
| Dashboard visibility | Any user with access to the File IQ Grafana dashboards can filter for and display ACL information. Restrict access to trusted administrators and security personnel. |
At a high level, File IQ processes ACL data as follows:
Scan: During a volume scan, File IQ reads NTFS ACL metadata from supported UniFS volumes. The File System Metadata Service (FSMS) reads ACL-related attributes exposed by UniFS for each file and directory.
Store: ACL data is persisted in raw format in the File IQ database alongside directory metadata.
Index: File IQ parses ACL information and indexes user-friendly user/group and permission ALLOW combinations for volumes where metadata indexing is enabled.
Visualize and filter: ACLs are displayed and can be filtered in File IQ dashboards. ACL-aware dashboards include Volume Explorer, Volume Version Explorer, and Advanced Filtering – File Metadata.
Volumes must be fully rescanned after enabling this feature or upgrading to File IQ 10.3. Indexing must be complete before ACL-based filtering is available.
Prerequisites and Supported Environments
ACL-based Access Filtering is available only when all of the following conditions are met:
You are running File IQ version 10.3 or newer.
The volume is an AD-backed UniFS volume configured in NTFS exclusive mode.
The volume is monitored by File IQ.
File Metadata Filtering is enabled globally and at the volume level.
Metadata indexing has completed successfully.
Required Premium licensing is in place.
Volumes must use NTFS-only permissions.
The NEAs and the File IQ Appliance must be joined to the same Active Directory domain.
If identity resolution fails, raw SIDs may appear in ACL pop-ups. Filtering by SID is not supported.
This feature does not work for:
NFS-only or Linux-permission volumes.
AD-backed UniFS volume configured in NTFS compatible mode.
Volumes not indexed by File IQ.
Enabling ACL Analysis for a Volume
To enable ACL Analysis for a volume, follow these steps:
Confirm the volume is AD-backed and configured in NTFS exclusive mode.
In the File IQ UI, click the Configuration tab, and select Advanced Filtering.

Check the Enable File Metadata Filtering box.

Click Save.
Under Volume Settings, select one or more previously scanned volumes on which to enable File Metadata Filtering.
Click Edit X Volume.
From the Edit Volume Metadata Filtering Settings pop-up, toggle Enabled to On.

Click Save.
Allow a volume scan to complete.
Allow the indexing process for that scan to complete.
You can monitor scan and indexing progress using the Service Support dashboard.
Validating ACL Data Collection
After enabling ACL Analysis for a volume, follow these steps to validate ACL data collection:
Navigate to the File IQ Dashboards in Grafana.
From the Grafana Homepage, select the Volume Explorer dashboard.

Navigate to the Volume Name drop-down and select the previously configured volume.

Locate a file or directory with a padlock icon.
Click the padlock to open the Access Control pop-up.
Confirm that ACL data appears.
Note: If ACL data does not appear, verify that a full scan and indexing have completed since the feature was enabled.
Common Access Analysis Workflows
The following workflows illustrate common ways administrators might use Access Analysis across the File IQ dashboards.
See Who Has Access to a File or Folder
The Access Control pop-up shows:
The file or folder name.
Users and groups with permissions on that object.
Whether each permission is allowed or denied for the selected user or group.
To see who has access to a file or folder, follow these steps:
Open the Volume Explorer dashboard.
From the Volume Name drop-down, select a volume.
Navigate to a file or folder.

Click the padlock icon to view its ACLs.
The Access Control pop-up shows users and groups with permissions and whether each permission is Allowed or Denied.
Find Files a User or Group Can Read or Write
To find out which files a user or group can read or write, follow these steps:
Open the Advanced Filtering – File Metadata dashboard.
From the Volume Name drop-down, select a volume.
Specify a user or group name in DOMAIN\user format. Email format (for example, alice@corp.com) is not supported.
Click Apply to view matching files and directories.
Note: If multiple permission types are selected, only files where the specified user or group has all selected permissions are returned.
Note: Transitive group membership is not calculated. For example, if USER_1 belongs to GROUP_1 and GROUP_1 has READ access to a file, searching for files to which USER_1 has READ access does not return that file unless USER_1 is explicitly granted READ access.
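The filter semantics described in this section (only ALLOW ACEs are indexed, multiple selected permissions are combined with AND, group membership is not expanded) and the inheritance behaviour described under "Viewing and Interpreting ACLs" can be checked against a small model. The following is an added illustrative example, not File IQ code and not how the File System Metadata Service stores or parses ACLs; the permission bit values, the sample volume tree and the principal names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed permission bits for illustration; real NTFS access masks use different values.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE
PERM_NAMES = {READ: "Read", WRITE: "Write", EXECUTE: "Execute", DELETE: "Delete"}


@dataclass(frozen=True)
class ACE:
    principal: str   # DOMAIN\name, the form the dashboards filter on
    mask: int        # bitmask built from the permission bits above
    kind: str        # "ALLOW" or "DENY"


@dataclass
class FsObject:
    aces: tuple              # ACEs set explicitly on this object
    inherit: bool = True     # False means inheritance is disabled on this object


def parent(path):
    head = path.rsplit("/", 1)[0]
    return head or None


def effective_aces(path, tree):
    """Explicit ACEs plus ACEs inherited from parents, stopping where inheritance is disabled."""
    obj = tree[path]
    aces = list(obj.aces)
    up = parent(path)
    if obj.inherit and up in tree:
        aces.extend(effective_aces(up, tree))
    return aces


def build_index(tree):
    """Index (principal, permission bit) -> paths for ALLOW ACEs only; DENY ACEs are skipped."""
    index = {}
    for path in tree:
        for ace in effective_aces(path, tree):
            if ace.kind != "ALLOW":
                continue
            for bit in PERM_NAMES:
                if ace.mask & bit:
                    index.setdefault((ace.principal, bit), set()).add(path)
    return index


def find_paths(index, principal, mask):
    """Paths where principal is explicitly allowed every bit in mask (AND semantics).
    No group expansion: a user gains nothing here from groups they belong to."""
    bits = [b for b in PERM_NAMES if mask & b]
    if not bits:
        return set()
    return set.intersection(*(index.get((principal, b), set()) for b in bits))


def access_control(path, tree):
    """What an Access Control pop-up would list: principal, ALLOW/DENY, permission names."""
    return [(a.principal, a.kind, [PERM_NAMES[b] for b in PERM_NAMES if a.mask & b])
            for a in effective_aces(path, tree)]


# Constructed sample volume (not real data). CORP\alice is assumed to be a member of
# CORP\Finance, which the index deliberately does not take into account.
TREE = {
    "/finance": FsObject(aces=(
        ACE("CORP\\Finance", READ | WRITE, "ALLOW"),
        ACE("CORP\\alice", READ, "ALLOW"),
        ACE("CORP\\bob", WRITE, "DENY"),
    )),
    "/finance/budget.xlsx": FsObject(aces=()),            # inherits from /finance
    "/finance/private": FsObject(aces=(
        ACE("BUILTIN\\Administrators", FULL_CONTROL, "ALLOW"),
    ), inherit=False),                                     # inheritance disabled here
    "/finance/private/salaries.xlsx": FsObject(aces=()),  # inherits from /finance/private only
}
INDEX = build_index(TREE)

if __name__ == "__main__":
    print(sorted(find_paths(INDEX, "CORP\\alice", READ)))            # explicit READ, inherited
    print(sorted(find_paths(INDEX, "CORP\\alice", READ | WRITE)))    # empty: WRITE comes via group
    print(sorted(find_paths(INDEX, "CORP\\bob", WRITE)))             # empty: DENY is not indexed
    for row in access_control("/finance/budget.xlsx", TREE):         # but DENY shows in the pop-up
        print(row)
```

Running the block shows the three behaviours side by side: alice's READ search returns `/finance` and `/finance/budget.xlsx` but nothing under `/finance/private`, where inheritance is cut; adding WRITE to the same search returns nothing because her write access exists only through the Finance group; and bob's DENY entry never enters the index yet still appears in the pop-up listing for the inherited file.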
Identify Over-Permissioned Data
To identify over-permissioned data, follow these steps:
Open the Advanced Filtering – File Metadata dashboard.
Filter by a high-privilege group (for example, administrators).
Expand the Access Control filters, and select Full control or Write permissions.
Click Apply to review the results for sensitive paths.
Note: ACLs are not included in CSV files generated by the Advanced Metadata Filter Export feature.
Note: Filter criteria are preserved in the filters.txt file included in the exported report package.
Audit Permission Changes Over Time
To audit permission changes over time, follow these steps:
Open the Volume Version Explorer dashboard.
Select an earlier scan version.
Inspect ACLs for a file or folder.
Switch to a later scan version and compare permissions.
Note: In the Volume Version Explorer dashboard, ACLs are read-only and reflect permissions as they existed at the selected scan version.
Viewing and Interpreting ACLs
ACL details are displayed in an integrated Access Control pop-up interface in the dashboards.

The pop-up shows:
Users and groups with permissions on the selected file or folder.
Allowed and denied permissions per user or group.
Inherited permissions from parent directories.
Note: When inheritance is enabled, permissions applied at a parent directory are reflected on child objects.
Note: Only ALLOW ACEs are indexed for filtering. DENY permissions are visible in the pop-up, but cannot be used as filter criteria.
Limitations and Known Constraints
ACL data reflects permissions from the last completed scan and indexing run.
Volumes that are too large to index might not support ACL-based filtering.