
One of our existing German customers asks the following. Can someone help with this?

We have a more specific question and hope you can recommend someone at your company who is very familiar with the document management system in IFS. In brief:

 

Of the four possible repository types https://docs.ifs.com/techdocs/25r1/070_remote_deploy/400_installation_options/130_add-on_cmp/docman…, we currently use ‘Database’ and are satisfied with it.
However, in future we would also like to store sensitive documents in IFS and restrict access to them on a large scale so that even people with IFSAPP login details do not have access to them.
Therefore, we would like to set up a second repository with the type ‘File Storage’, as described here https://docs.ifs.com/techdocs/25R1/070_remote_deploy/400_installation_options/120_file_storage_for_… on an external SMB storage.
The documentation one level above states: ‘The caller interacts with the service using simple REST operations.’

 

However, we are not yet clear on exactly what this access entails. Is there a service user who is allowed to access the external storage and, in principle, every IFS user or, in particular, the IFSAPP? Or does this perhaps even run via our connected Entra user, and could we then restrict this on our side so that, for example, only Entra users from the Human Resources department have access to it, and the IFSAPP cannot grant itself permissions in IFS?

The user that's connecting to the SMB share is a sort of service user that needs full access to the share. Docman goes via the File Storage service to get access to files there. 

That aside, I don't think you can remove the access to any document from IFSAPP, because it automatically has access to all system privileges and there's one "super privilege" that Docman uses (DOCMAN ADMINISTRATOR) that has full access to all documents.

I only see a few options here: don't give access to the IFSAPP password to anyone but a few trusted users. Or customize Docman and remove the logic that uses the mentioned system privilege.

Good luck!