Commit ca74408

Merge pull request #268952 from mikewill4/patch-64
[SFTP] Add initial ACL documentation
2 parents eec9e67 + 31759eb commit ca74408

2 files changed

+25
-6
lines changed

articles/storage/blobs/secure-file-transfer-protocol-known-issues.md

Lines changed: 0 additions & 3 deletions
@@ -46,7 +46,6 @@ To transfer files to or from Azure Blob Storage via SFTP clients, see the follow
4646

4747
| Category | Unsupported operations |
4848
|---|---|
49-
| ACLs | <li>`chgrp` - change group<li>`chmod` - change permissions/mode<li>`chown` - change owner<li>`put/get -p` - preserving properties such as permissions |
5049
| Random writes | Operations that include both READ and WRITE flags. For example: [SSH.NET create API](https://github.com/sshnet/SSH.NET/blob/develop/src/Renci.SshNet/SftpClient.cs#:~:text=public%20SftpFileStream-,Create,-(string%20path)) |
5150
| Links |<li>`symlink` - creating symbolic links<li>`ln` - creating hard links<li>Reading links not supported |
5251
| Capacity Information | `df` - usage info for filesystem |
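Review bot: removing the whole ACLs row also drops `put/get -p` - preserving properties such as permissions, yet nothing in this PR documents `-p` as supported; the new ACLs section in secure-file-transfer-protocol-support.md covers only chown, chgrp and chmod. Suggest keeping a reduced row, e.g. `| ACLs | <li>`put/get -p` - preserving properties such as permissions |`, unless `-p` has been verified to work, and adding a line noting that chown/chgrp/chmod are only available when the local user holds the Modify Ownership (o) or Modify Permissions (p) container permission and has AllowAclAuthorization set, since this known-issues page no longer states any of those constraints.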
@@ -62,8 +61,6 @@ To transfer files to or from Azure Blob Storage via SFTP clients, see the follow
6261

6362
- Microsoft Entra ID isn't supported for the SFTP endpoint.
6463

65-
- POSIX-like access control lists (ACLs) aren't supported for the SFTP endpoint.
66-
6764
To learn more, see [SFTP permission model](secure-file-transfer-protocol-support.md#sftp-permission-model) and see [Access control model in Azure Data Lake Storage Gen2](data-lake-storage-access-control-model.md).
6865

6966
## Networking
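Review bot: deleting the "POSIX-like access control lists (ACLs) aren't supported for the SFTP endpoint." bullet leaves the "To learn more, see [SFTP permission model] ... [Access control model in Azure Data Lake Storage Gen2]" sentence dangling directly after the Microsoft Entra ID bullet, where it now reads as a pointer about Entra ID rather than about ACLs. Suggest replacing the removed bullet with one that states the new status instead of silently dropping it, e.g. "- POSIX-like ACLs for local users are in preview; they are evaluated only for local users with AllowAclAuthorization set and only after container permissions." so the link sentence keeps its referent.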

articles/storage/blobs/secure-file-transfer-protocol-support.md

Lines changed: 25 additions & 3 deletions
@@ -50,9 +50,9 @@ Local users must use either a password or a Secure Shell (SSH) private key crede
5050
To set up access permissions, you'll create a local user, and choose authentication methods. Then, for each container in your account, you can specify the level of access you want to give that user.
5151

5252
> [!CAUTION]
53-
> Local users do not interoperate with other Azure Storage permission models such as RBAC (role based access control), ABAC (attribute based access control), and ACLs (access control lists).
53+
> Local users do not interoperate with other Azure Storage permission models such as RBAC (role based access control) and ABAC (attribute based access control). ACLs (access control lists) are supported for local users at the preview level.
5454
>
55-
> For example, Jeff has read only permission (can be controlled via RBAC, ABAC, or ACLs) via their Microsoft Entra identity for file _foo.txt_ stored in container _con1_. If Jeff is accessing the storage account via NFS (when not mounted as root/superuser), Blob REST, or Data Lake Storage Gen2 REST, these permissions will be enforced. However, if Jeff also has a local user identity with delete permission for data in container _con1_, they can delete _foo.txt_ via SFTP using the local user identity.
55+
> For example, Jeff has read only permission (can be controlled via RBAC or ABAC) via their Microsoft Entra identity for file _foo.txt_ stored in container _con1_. If Jeff is accessing the storage account via NFS (when not mounted as root/superuser), Blob REST, or Data Lake Storage Gen2 REST, these permissions will be enforced. However, if Jeff also has a local user identity with delete permission for data in container _con1_, they can delete _foo.txt_ via SFTP using the local user identity.
5656
5757
For SFTP enabled storage accounts, you can use the full breadth of Azure Blob Storage security settings, to authenticate and authorize users accessing Blob Storage via Azure portal, Azure CLI, Azure PowerShell commands, AzCopy, as well as Azure SDKs, and Azure REST APIs. To learn more, see [Access control model in Azure Data Lake Storage Gen2](data-lake-storage-access-control-model.md).
5858

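Review bot: the revised caution says "ACLs (access control lists) are supported for local users at the preview level.", but the ACLs section added later in this same file states that ACLs are evaluated only when the local user has insufficient container permissions, so a reader could conclude from the caution that an ACL entry restricts a local user the way it restricts an Entra identity. The Jeff example keeps the conclusion that the local user can still delete _foo.txt_ via SFTP, which only holds if ACLs can extend but never reduce a local user's access; the caution should say that explicitly. Suggested wording: "> ACLs (access control lists) can additionally authorize local users (preview) when AllowAclAuthorization is set; they are checked only after container permissions and cannot remove access granted by them."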
@@ -72,7 +72,7 @@ If you choose to authenticate with private-public key pair, you can either gener
7272

7373
## Container permissions
7474

75-
In the current release, you can specify only container-level permissions. Directory-level permissions aren't supported. You can choose which containers you want to grant access to and what level of access you want to provide (Read, Write, List, Delete, and Create). Those permissions apply to all directories and subdirectories in the container. You can grant each local user access to as many as 100 containers. Container permissions can also be updated after creating a local user. The following table describes each permission in more detail.
75+
For container-level permissions, you can choose which containers you want to grant access to and what level of access you want to provide (Read, Write, List, Delete, Create, Modify Ownership, and Modify Permissions). Those permissions apply to all directories and subdirectories in the container. You can grant each local user access to as many as 100 containers. Container permissions can also be updated after creating a local user. The following table describes each permission in more detail.
7676

7777
| Permission | Symbol | Description |
7878
|---|---|---|
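Review bot: the rewritten paragraph adds Modify Ownership and Modify Permissions to the permission list with no guidance on their impact, even though the ACLs table in this file lists only container permission p as the requirement for chmod and only o for chown/chgrp, with no mention of also needing to own the file; a holder of either permission can therefore change who is authorized for data in the container. Suggest a sentence after the list such as "Grant Modify Ownership and Modify Permissions only to local users that administer ACLs, because they allow changing the owner, group, or mode of any file or directory in the container." The dropped sentence "Directory-level permissions aren't supported." should also be replaced with a pointer that directory- and blob-level control is now done through ACLs, otherwise this paragraph no longer says how finer-grained access is handled.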
@@ -81,9 +81,31 @@ In the current release, you can specify only container-level permissions. Direct
8181
| List | l | <li>List content within container</li><li>List content within directory</li> |
8282
| Delete | d | <li>Delete file/directory</li> |
8383
| Create | c | <li>Upload file if file doesn't exist</li><li>Create directory if directory doesn't exist</li> |
84+
| Modify Ownership | o | <li>Change owner or group for file/directory</li> |
85+
| Modify Permissions | p | <li>Change permissions for file/directory</li> |
8486

8587
When performing write operations on blobs in sub directories, Read permission is required to open the directory and access blob properties.
8688

89+
## ACLs
90+
91+
For directory or blob level permissions, you can change owner, group, and mode that are used by ADLS Gen2 ACLs. Most SFTP clients expose commands for changing these properties. The following table describes common commands in more detail.
92+
93+
| Command | Required Container Permission | Description |
94+
|---|---|---|
95+
| chown | o | <li>Change owner for file/directory</li><li>Must specify numeric ID</li> |
96+
| chgrp | o | <li>Change group for file/directory</li><li>Must specify numeric ID</li> |
97+
| chmod | p | <li>Change permissions/mode for file/directory</li><li>Must specify POSIX style octal permissions</li> |
98+
99+
The IDs required for changing owner and group are part of new properties for Local Users. The following table describes each new Local User property in more detail.
100+
101+
| Property | Description |
102+
|---|---|
103+
| UserId | <li>Unique identifier for the Local User within the storage account</li><li>Generated by default when the Local User is created</li><li>Used for setting owner on file/directory</li> |
104+
| GroupId | <li>Identifer for a group of Local Users</li> |
105+
| AllowAclAuthorization | <li>Allow authorizing this Local User's requests with ACLs</li> |
106+
107+
Once the desired ACLs have been configured and the Local User enables `AllowAclAuthorization`, they may use ACLs to authorize their requests. Similar to RBAC, container permissions can interoperate with ACLs. Only if the local user doesn't have sufficient container permissions will ACLs be evaluated. To learn more, see [Access control model in Azure Data Lake Storage Gen2](data-lake-storage-access-control-model.md).
108+
87109
## Home directory
88110

89111
As you configure permissions, you have the option of setting a home directory for the local user. If no other container is specified in an SFTP connection request, then the home directory is the directory that the user connects to by default. For example, consider the following request made by using [Open SSH](/windows-server/administration/openssh/openssh_overview). This request doesn't specify a container or directory name as part of the `sftp` command.
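Review bot: the closing paragraph's "Only if the local user doesn't have sufficient container permissions will ACLs be evaluated." makes ACLs an additive fallback, so the section should state outright that an ACL entry cannot deny an operation that container permissions allow; readers arriving from the linked Data Lake Storage Gen2 access control model will otherwise assume deny semantics. Further points in this hunk: (1) "the Local User enables `AllowAclAuthorization`" reads as if the user turns it on themselves, while the property table presents it as a Local User property set on the account; suggest "and `AllowAclAuthorization` is set on the Local User". (2) The GroupId row, unlike UserId, does not say how a group ID is assigned or whether the account administrator sets it per Local User. (3) The chmod row should say which octal bits are honored (owner/group/other rwx) and what happens to a value outside that range. (4) Typo "Identifer" in the GroupId row.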