ONTAP 9.12.1 commands

vserver security file-directory ntfs dacl add

    Add a DACL entry to NTFS security descriptor

    Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

    Description

    The vserver security file-directory ntfs dacl add command adds access control entries (ACEs) into a security descriptor’s discretionary access control list (DACL).

    If the security descriptor contains a DACL that has existing ACEs, the command adds the new ACE to the DACL. If the security descriptor does not contain a DACL, the command creates the DACL and adds the new ACE to it.

    Adding a DACL entry to the security descriptor is the second step in configuring and applying ACLs to a file or folder. Before you can add a DACL entry to a security descriptor, you must first create the security descriptor.

    The steps to create and apply NTFS ACLs are the following:

    • Create an NTFS security descriptor.

    • Add DACLs and SACLs to the NTFS security descriptor.

      If you want to audit file and directory events, you must configure auditing on the Vserver in addition to adding the SACL to the security descriptor.

    • Create a file/directory security policy.

      This step associates the policy with a Vserver.

    • Create policy tasks.

      A policy task refers to a single operation to apply to a file (or folder) or to a set of files (or folders). Among other things, the task defines which security descriptor to apply to a path.

    • Apply a policy to the associated Vserver.

    Parameters

    -vserver <vserver name> - Vserver

    Specifies the name of the Vserver associated with the security descriptor to which you want to add a discretionary access control entry (discretionary ACE).

    -ntfs-sd <ntfs sd name> - NTFS Security Descriptor Name

    Specifies the name of the security descriptor to which you want to add a discretionary access control entry.

    -access-type {deny|allow} - Allow or Deny

    Specifies whether the discretionary access control entry is an allow or deny type of access control.

    -account <name or sid> - Account Name or SID

    Specifies the account on which to apply the discretionary access control entry. You can specify the account by using a user name or SID. You can use any of the following formats when specifying the value for this parameter:

    • SID

    • Domain\user-name

    • user-name@Domain

    • user-name@FQDN

    If you specify any of the three user name formats for the value of -account, keep in mind that the value for the user name is case insensitive.
    { [-rights {no-access|full-control|modify|read-and-execute|read|write}] - DACL ACE’s Access Rights

    Specifies the right that you want to add for the account specified in the -account parameter. The -rights parameter is mutually exclusive with the -advanced-rights and -rights-raw parameters. If you specify the -rights parameter, you can specify only one value.

    You can specify one of the following rights values:

    • no-access

    • full-control

    • modify

    • read-and-execute

    • read

    • write

    | [-advanced-rights <Advanced access right>,…​] - DACL ACE’s Advanced Access Rights }

    Specifies the advanced rights that you want to add for the account specified in the -account parameter. The -advanced-rights parameter is mutually exclusive with the -rights and -rights-raw parameters. You can specify more than one advanced-rights value by using a comma-delimited list.

    You can specify one or more of the following advanced rights:

    • read-data

    • write-data

    • append-data

    • read-ea

    • write-ea

    • execute-file

    • delete-child

    • read-attr

    • write-attr

    • delete

    • read-perm

    • write-perm

    • write-owner

    • full-control

    | [-rights-raw <Hex Integer>] - DACL ACE’s Raw Access Rights }

    Specifies the raw rights that you want to add for the account specified in the -account parameter. The -rights-raw parameter is mutually exclusive with the -advanced-rights and -rights parameters. Specify the value as a hexadecimal integer, for example 0xA10F or 0xb3ff.

    [-apply-to {this-folder|sub-folders|files}] - Apply DACL Entry

    Specifies where to apply the discretionary access control entry. You can specify more than one value by using a comma-delimited list.

    You can specify one or more of the following values:

    • this-folder

    • sub-folders

    • files

    Select one of the following combinations of values for the -apply-to parameter for Storage-Level Access Guard (SLAG):

    • this-folder, sub-folders, files

    • this-folder, sub-folders

    • files

    If you specify an invalid -apply-to combination, this security descriptor is removed from the associated Storage-Level Access Guard (SLAG) security file-directory policy task.
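    The -advanced-rights names, the -rights-raw hex mask and the SLAG -apply-to combinations described above, as an added Python helper that is not part of the ONTAP documentation or product. It assumes that each advanced right corresponds to the standard Windows file access-mask bit of the same meaning (FILE_READ_DATA = 0x1 and so on) and that full-control is FILE_ALL_ACCESS (0x1F01FF); the function names are the author's own.

```python
# Added example (not ONTAP's own code): helpers for the -advanced-rights,
# -rights-raw and -apply-to values of "vserver security file-directory ntfs
# dacl add". ASSUMPTION: each advanced right maps to the Windows file
# access-mask bit of the same meaning (FILE_READ_DATA = 0x1, ...) and
# full-control is FILE_ALL_ACCESS (0x1F01FF, which includes SYNCHRONIZE).

ADVANCED_RIGHTS = {
    "read-data": 0x1, "write-data": 0x2, "append-data": 0x4,
    "read-ea": 0x8, "write-ea": 0x10, "execute-file": 0x20,
    "delete-child": 0x40, "read-attr": 0x80, "write-attr": 0x100,
    "delete": 0x10000, "read-perm": 0x20000, "write-perm": 0x40000,
    "write-owner": 0x80000,
}
FULL_CONTROL = 0x1F01FF
KNOWN_BITS = sum(ADVANCED_RIGHTS.values())  # 0xF01FF: every listed right

# The only -apply-to combinations the page lists as valid for SLAG.
SLAG_APPLY_TO = [
    frozenset({"this-folder", "sub-folders", "files"}),
    frozenset({"this-folder", "sub-folders"}),
    frozenset({"files"}),
]


def encode_advanced_rights(names):
    """Comma-delimited -advanced-rights list -> equivalent -rights-raw value."""
    mask = 0
    for name in (n.strip() for n in names.split(",")):
        if name == "full-control":
            mask |= FULL_CONTROL
        elif name in ADVANCED_RIGHTS:
            mask |= ADVANCED_RIGHTS[name]
        else:
            raise ValueError(f"unknown advanced right: {name}")
    return f"0x{mask:X}"


def decode_rights_raw(hex_value):
    """-rights-raw value -> (advanced-right names, leftover bits).
    Leftover bits match no listed right; review them before applying the ACE."""
    mask = int(hex_value, 16)
    if (mask & FULL_CONTROL) == FULL_CONTROL:
        return ["full-control"], mask & ~FULL_CONTROL
    names = [n for n, bit in ADVANCED_RIGHTS.items() if mask & bit]
    return names, mask & ~KNOWN_BITS


def slag_apply_to_is_valid(apply_to):
    """True only for -apply-to combinations the command accepts under SLAG."""
    return frozenset(v.strip() for v in apply_to.split(",")) in SLAG_APPLY_TO
```

    Run against the page's own sample values, 0xA10F decodes to read-data, write-data, append-data, read-ea and write-attr with 0xA000 left over, which is the kind of stray bit worth checking before the ACE reaches a share.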

    Examples

    The following example adds a DACL entry to the security descriptor named "sd1" on Vserver "vs1" for the "DOMAIN\Administrator" account, then displays the entry.

    cluster1::> vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type deny -account DOMAIN\Administrator -rights full-control -apply-to this-folder -vserver vs1
    cluster1::> vserver security file-directory ntfs dacl show -vserver vs1 -ntfs-sd sd1 -access-type deny -account domain\administrator

                                   Vserver: vs1
                  Security Descriptor Name: sd1
                             Allow or Deny: deny
                       Account Name or SID: DOMAIN\Administrator
                             Access Rights: full-control
                    Advanced Access Rights: -
                                  Apply To: this-folder
                             Access Rights: full-control