Specifies the name of the Vserver associated with the security descriptor containing the system access control list entry whose fields you want to modify.

-ntfs-sd <ntfs sd name> - NTFS Security Descriptor Name

Specifies the name of the security descriptor that contains the system access control list entry that you want to modify.

-access-type {failure|success} - Success or Failure

Specifies whether the system access control list entry that you want to modify is a failure or success access audit type.

-account <name or sid> - Account Name or SID

Specifies the account on which to apply the system access control list entry. You can specify the account by using a user name or SID. You can use any of the following formats when specifying the value for this parameter:

+
* SID
* Domain\user-name
* user-name@Domain
* user-name@FQDN

If you specify any of the three user name formats for the value of -account , keep in mind that the value for the user name is case insensitive.

{ [-rights {no-access|full-control|modify|read-and-execute|read|write}] - Access Rights

Specifies the rights that you want to get audited for the account specified in the -account parameter. The -rights parameter is mutually exclusive with the -advanced-rights and -rights-raw parameter. If you specify the -rights parameter, you can only specify one value.

You can specify one of the following rights values:

no-access
full-control
modify
read-and-execute
read
write

| [-rights-raw <Hex Integer>] - Raw Access Rights

Specifies the raw rights that you want to get audited for the account specified in the -account parameter. The -rights-raw parameter is mutually exclusive with the -advanced-rights and -rights parameter. Specify the value as a hexadecimal integer, for example: 0xA10F or 0xb3ff etc.

| [-advanced-rights <Advanced access right>,…] - Advanced Access Rights }

Specifies the advanced rights that you want to get audited for the account specified in the -account parameter. The -advanced-rights parameter is mutually exclusive with the -rights and -rights-raw parameter. You can specify more than one advanced-rights value by using a comma-delimited list.

You can specify one or more of the following advanced rights:

read-data
write-data
append-data
read-ea
write-ea
execute-file
delete-child
read-attr
write-attr
delete
read-perm
write-perm
write-owner
full-control

[-apply-to {this-folder|sub-folders|files}] - Apply SACL To

Specifies where to apply the system access control list entry. You can specify more than one value by using a comma-delimited list.

You can specify one or more of the following values:

this-folder
sub-folder
files

Select one of the following combinations of values for the -apply-to parameter for Storage-Level Access Guard (SLAG):

this-folder, sub-folder, files
this-folder, sub-folder
files

If you specify an invalid -apply-to value, this security descriptor is removed from the associated Storage-Level Access Guard (SLAG) security file-directory policy task .

Examples

The following example modifies the rights and -apply-to fields in the SACL entry.

cluster1::> vserver security file-directory ntfs sacl modify -ntfs-sd sd2 -access-type success -account BUILTIN\Administrators -vserver vs1 -rights modify -apply-to this-folder,sub-folders
cluster1::> vserver security file-directory ntfs sacl show -vserver vs1 -ntfs-sd sd2 -account BUILTIN\Administrators -instance
Vserver: vs1
                           Security Descriptor Name: sd2
            Access type for Specified Access Rights: success
                                Account Name or SID: BUILTIN\Administrators
                                      Access Rights: modify
                             Advanced Access Rights: -
                                           Apply To: this-folder, sub-folders
                                      Access Rights: modify