Commit c1535c0

Merge pull request #107920 from normesta/normesta-reg-updates-5
A doc request from support
2 parents 3b3774c + 70e3aae commit c1535c0

File tree

1 file changed

+9
-5
lines changed

articles/storage/blobs/data-lake-storage-access-control.md

Lines changed: 9 additions & 5 deletions
@@ -5,7 +5,7 @@ author: normesta
55
ms.subservice: data-lake-storage-gen2
66
ms.service: storage
77
ms.topic: conceptual
8-
ms.date: 04/23/2019
8+
ms.date: 03/16/2020
99
ms.author: normesta
1010
ms.reviewer: jamesbak
1111
---
@@ -37,18 +37,22 @@ When a security principal is granted RBAC data permissions through a [built-in r
3737

3838
Azure Data Lake Storage Gen2 supports Shared Key and SAS methods for authentication. A characteristic of these authentication methods is that no identity is associated with the caller and therefore security principal permission-based authorization cannot be performed.
3939

40-
In the case of Shared Key, the caller effectively gains super-user access, meaning full access to all operations on all resources, including setting owner and changing ACLs.
40+
In the case of Shared Key, the caller effectively gains 'super-user' access, meaning full access to all operations on all resources, including setting owner and changing ACLs.
4141

4242
SAS tokens include allowed permissions as part of the token. The permissions included in the SAS token are effectively applied to all authorization decisions, but no additional ACL checks are performed.
4343

4444
## Access control lists on files and directories
4545

4646
You can associate a security principal with an access level for files and directories. These associations are captured in an *access control list (ACL)*. Each file and directory in your storage account has an access control list.
4747

48+
> [!NOTE]
49+
> ACLs apply only to security principals in the same tenant. You can't associate a guest user with an access level.
50+
4851
If you assigned a role to a security principal at the storage account-level, you can use access control lists to grant that security principal elevated access to specific files and directories.
4952

5053
You can't use access control lists to provide a level of access that is lower than a level granted by a role assignment. For example, if you assign the [Storage Blob Data Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor) role to a security principal, then you can't use access control lists to prevent that security principal from writing to a directory.
5154

55+
5256
### Set file and directory level permissions by using access control lists
5357

5458
To set file and directory level permissions, see any of the following articles:
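Review bot: the new note at lines 48-49 leaves "the same tenant" ambiguous; say which tenant is meant (presumably the Azure AD tenant the storage account belongs to) and what "guest user" refers to, since a reader who only has guest (B2B) accounts for their collaborators needs to know that those accounts cannot be named in an ACL entry at all rather than just lacking an access level. A short sentence on the alternative for such users (for example, using a security group of home-tenant principals, which the article already recommends in the ACL best-practices section) would make the note actionable. Separately, line 55 adds a second consecutive blank line before the "### Set file and directory level permissions" heading, which markdown linting usually flags; one blank line is enough. The single-quoted 'super-user' at line 40 is mirrored in the FAQ hunk below, but check that every other occurrence of the term in the article is styled the same way.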
@@ -230,7 +234,7 @@ The sticky bit isn't shown in the Azure portal.
230234

231235
When a new file or directory is created under an existing directory, the default ACL on the parent directory determines:
232236

233-
- A child directorys default ACL and access ACL.
237+
- A child directory's default ACL and access ACL.
234238
- A child file's access ACL (files do not have a default ACL).
235239

236240
#### umask
@@ -279,7 +283,7 @@ Always use Azure AD security groups as the assigned principal in ACLs. Resist th
279283

280284
### Which permissions are required to recursively delete a directory and its contents?
281285

282-
- The caller has super-user permissions,
286+
- The caller has 'super-user' permissions,
283287

284288
Or
285289

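Review bot: line 286 only adds quotes around super-user to match line 40, which is fine for consistency, but the surrounding structure is the real readability issue: a one-item list ending in a comma, followed by a bare "Or" paragraph, reads as a fragment. Consider folding the two alternatives into a single sentence or a two-item list with "or" at the end of the first item, for example "- The caller has 'super-user' permissions, or" followed directly by the second condition.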
@@ -297,7 +301,7 @@ The creator of a file or directory becomes the owner. In the case of the root di
297301

298302
The owning group is copied from the owning group of the parent directory under which the new file or directory is created.
299303

300-
### I am the owning user of a file but I dont have the RWX permissions I need. What do I do?
304+
### I am the owning user of a file but I don't have the RWX permissions I need. What do I do?
301305

302306
The owning user can change the permissions of the file to give themselves any RWX permissions they need.
303307
