I'm looking at a use case as follows:
Use case: I have a CIFS share with a DACL in place to allow various AD groups various levels of access. I wish to set it to read-only without modifying the DACL or setting the read-only bit as I don't want to touch the files directly (several million).
I was thinking of using a storage level guard for this purpose, but I'm not 100% clear on whether there are any effective permissions between a standard NTFS DACL and the storage level guard, or if they are simply separate controls checked in order, i.e. are permissions combined from both levels and an effective permission output, or is it simply a set of checks in order that the user has to pass, e.g. NTFS level checked and then, if access is allowed, storage level checked? If NTFS access is denied, the storage level is not checked as there is no need.
For example:
Q1: If UserA is a Member of GroupA and has write on ShareA at the NTFS level and a member of GroupB that has read at the storage level I'd assume they get read access ultimately?
Q2: If UserA is a Member of GroupA and has read on ShareA at the NTFS level and a member of GroupB that has write at the storage level I'd assume they get write access ultimately?