Many computing environments may implement various types of security to protect against malicious and/or undesirable access to data. In an example, a business may provide employees with work computing devices that may connect to a data storage network of the business. Access to a work computing device may be controlled by user login credentials of a user. Access to network resources (e.g., access to a particular file, directory, volume, storage aggregate, etc.) on the data storage network may be controlled based upon access rights specified for the user. For example, a user may be restricted from accessing a particular directory and/or file hosted on a volume of a data storage device within the data storage network.
A domain administrator (e.g., a user that maps to a root directory) may be capable of resetting security permissions in any way the domain administrator chooses. The domain administrator may have the ability to take ownership of a file and/or directory so that the domain administrator may remove permission constraints against them and potentially remove auditing settings. Thus, the domain administrator may unfortunately have unrestricted access to sensitive data within the data storage network (e.g., a client-side administrator may have the ability to steal intellectual property from the business). It may be advantageous to employ an additional layer of security at a storage level where only a storage administrator of the data storage network (e.g., a non-client-side administrator) and/or storage operating systems and applications, but not the domain administrator or other client-side users, have access to change storage level access security.