There is a growing need, in the field of computer networks, to provide access to the content of file servers through multiple file access protocols. In every case, it is expected that the access rights are properly preserved and validated, regardless of the access protocol used. For example, it might be desirable to create a security descriptor for a file using an NFS client and subsequently provide an SMB client with access to the file.
Unfortunately, the tools available to network administrators to provide this kind of access control are extremely limited. The challenge is that the different file access protocols expect different access control support from the underlying file system. Various file server vendors have tried different ways to solve this issue. Some vendors designed brand new file systems capable of storing all known access control structures required by various file access protocols. Others use an intermediate broker with an understanding of the various ways to resolve the access rights that are expected to satisfy different protocol clients.
Other prior solutions have required maintaining a complex inode data structure to accommodate various forms of access control entries (ACEs), such as NT/SID and UNIX/UID. These implementations generally require transformation of the ACL into a generic form. This type of transformation creates a risk of losing protocol compliance, because any reproduction of a security descriptor may not be identical to the security descriptor as created by the protocol client.
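The fidelity loss described above, as an added example that is not from the original document: an NT-style ACL is reduced to a hypothetical read/write/execute generic form and rebuilt, and the rebuilt descriptor no longer matches what the client created. The generic model, its mapping and the SIDs are assumptions constructed for illustration.

```python
# Added illustration: the r/w/x "generic form" is hypothetical, SIDs are constructed.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0001, 0x0002, 0x0004
FILE_EXECUTE, DELETE, WRITE_DAC = 0x0020, 0x00010000, 0x00040000

# Hypothetical mapping from generic letters to NT access-mask bits.
GENERIC_BITS = {
    "r": FILE_READ_DATA,
    "w": FILE_WRITE_DATA | FILE_APPEND_DATA,
    "x": FILE_EXECUTE,
}

ALICE, BOB = "S-1-5-21-1111-1001", "S-1-5-21-1111-1002"
ORIGINAL = [  # ordered (type, SID, access mask) entries as an SMB client set them
    ("DENY", ALICE, FILE_WRITE_DATA),
    ("ALLOW", ALICE, FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE),
    ("ALLOW", BOB, FILE_READ_DATA | FILE_EXECUTE | WRITE_DAC),
]

def to_generic(nt_acl):
    """Collapse ordered NT ACEs into {sid: set of r/w/x letters}."""
    allowed, denied = {}, {}
    for ace_type, sid, mask in nt_acl:
        bucket = allowed if ace_type == "ALLOW" else denied
        bucket[sid] = bucket.get(sid, 0) | mask
    generic = {}
    for sid, mask in allowed.items():
        effective = mask & ~denied.get(sid, 0)
        generic[sid] = {letter for letter, bits in GENERIC_BITS.items()
                        if (effective & bits) == bits}
    return generic

def from_generic(generic):
    """Rebuild NT ACEs; the generic form can only yield coarse ALLOW entries."""
    acl = []
    for sid in sorted(generic):
        mask = 0
        for letter in generic[sid]:
            mask |= GENERIC_BITS[letter]
        if mask:
            acl.append(("ALLOW", sid, mask))
    return acl

def lost_in_round_trip(nt_acl):
    """Original ACEs that the rebuilt descriptor no longer contains verbatim."""
    rebuilt = from_generic(to_generic(nt_acl))
    return [ace for ace in nt_acl if ace not in rebuilt]

if __name__ == "__main__":
    print(lost_in_round_trip(ORIGINAL))
```

In this run the first user's append-only write access, the DELETE and WRITE_DAC rights, and the explicit deny entry all disappear, so an SMB client reading the descriptor back would not see what it wrote.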