Specifies the name of the Vserver associated with the security descriptor containing the discretionary access control entry whose parameters you want to modify.

-ntfs-sd <ntfs sd name> - NTFS Security Descriptor Name

Specifies the name of the security descriptor that contains the discretionary access control entry that you want to modify.

-access-type {deny|allow} - Allow or Deny

Specifies whether the discretionary access control entry that you want to modify is an allow or deny type of access control.

-account <name or sid> - Account Name or SID

Specifies the account associated with the discretionary access control entry you want to modify. You can specify the account by using a user name or SID. You can use any of the following formats when specifying the value for this parameter:

+
* SID
* Domain\user-name
* user-name@Domain
* user-name@FQDN

If you specify any of the three user name formats for the value of -account, keep in mind that the value for the user name is case insensitive.

{ [-rights {no-access|full-control|modify|read-and-execute|read|write}] - Access Rights

Specifies the right that you want to add for the account specified in the -account parameter. The -rights parameter is mutually exclusive with the -advanced-rights and -rights-raw parameter. If you specify the -rights parameter, you can only specify one value.

You can specify one of the following rights values:

no-access
full-control
modify
read-and-execute
read
write

| [-rights-raw <Hex Integer>] - Raw Access Rights

Specifies the raw rights that you want to add for the account specified in the -account parameter. The -rights-raw parameter is mutually exclusive with the -advanced-rights and -rights parameter. Specify the value as a hexadecimal integer, for example: 0xA10F or 0xb3ff etc.

| [-advanced-rights <Advanced access right>,…] - Advanced Access Rights }

Specifies the advanced rights that you want to add for the account specified in the -account parameter. The -advanced-rights parameter is mutually exclusive with the -rights and -rights-raw parameter. You can specify more than one advanced-rights value by using a comma-delimited list.

You can specify one or more of the following advanced rights:

read-data
write-data
append-data
read-ea
write-ea
execute-file
delete-child
read-attr
write-attr
delete
read-perm
write-perm
write-owner
full-control

[-apply-to {this-folder|sub-folders|files}] - Apply DACL Entry

Specifies where to apply the discretionary access control entry. You can specify more than one value by using a comma-delimited list.

You can specify one or more of the following values:

this-folder
sub-folder
files

Select one of the following combinations of values for the -apply-to parameter for Storage-Level Access Guard (SLAG):

this-folder, sub-folder, files
this-folder, sub-folder
files

If you specify an invalid -apply-to value, this security descriptor is removed from the associated Storage-Level Access Guard (SLAG) security file-directory policy task .

Examples

The following example modifies the -right and -apply-to parameters in the DACL entry associated to the security descriptor named “sd2” on Vserver vs1 for the "BUILTIN\Administrators" account.

cluster1::> vserver security file-directory ntfs dacl modify -ntfs-sd sd2 -access-type allow -account BUILTIN\Administrators -vserver vs1 -rights modify -apply-to this-folder,sub-folders
cluster1::> vserver security file-directory ntfs dacl show -vserver vs1 -ntfs-sd sd2 -account BUILTIN\Administrators -instance
Vserver: vs1
            Security Descriptor Name: sd2
                       Allow or Deny: allow
                 Account Name or SID: BUILTIN\Administrators
                       Access Rights: modify
              Advanced Access Rights: -
                            Apply To: this-folder, sub-folders
                       Access Rights: modify