ONTAP 9.12.1 commands

50←PDF
  • ONTAP 9.12.1 commands(CA08871-263en.pdf)
  • vserver security file-directory ntfs sacl modify

    Modify an NTFS security descriptor SACL entry

    Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

    Description

    The vserver security file-directory ntfs sacl modify command modifies parameters in an existing system access control list entry.

    You can unambiguously define which SACL entry to modify by specifying the following four parameters in the modify command:

    • Vserver associated with the security descriptor that contains the SACL entry

    • Name of the security descriptor that contains the SACL entry

    • Whether the SACL is a success or failure type of SACL entry

    • The account name or SID to which the SACL is applied

    You can modify the following parameters:

    • -rights,-advanced-rights,-rights-raw

    • -apply-to

    Parameters

    -vserver <vserver name> - Vserver

    Specifies the name of the Vserver associated with the security descriptor containing the system access control list entry whose fields you want to modify.

    -ntfs-sd <ntfs sd name> - NTFS Security Descriptor Name

    Specifies the name of the security descriptor that contains the system access control list entry that you want to modify.

    -access-type {failure|success} - Success or Failure

    Specifies whether the system access control list entry that you want to modify is a failure or success access audit type.

    -account <name or sid> - Account Name or SID

    Specifies the account on which to apply the system access control list entry. You can specify the account by using a user name or SID. You can use any of the following formats when specifying the value for this parameter:

    +
    * SID
    * Domain\user-name
    * user-name@Domain
    * user-name@FQDN

    If you specify any of the three user name formats for the value of -account , keep in mind that the value for the user name is case insensitive.
    { [-rights {no-access|full-control|modify|read-and-execute|read|write}] - Access Rights

    Specifies the rights that you want to get audited for the account specified in the -account parameter. The -rights parameter is mutually exclusive with the -advanced-rights and -rights-raw parameter. If you specify the -rights parameter, you can only specify one value.

    You can specify one of the following rights values:

    • no-access

    • full-control

    • modify

    • read-and-execute

    • read

    • write

    | [-rights-raw <Hex Integer>] - Raw Access Rights

    Specifies the raw rights that you want to get audited for the account specified in the -account parameter. The -rights-raw parameter is mutually exclusive with the -advanced-rights and -rights parameter. Specify the value as a hexadecimal integer, for example: 0xA10F or 0xb3ff etc.

    | [-advanced-rights <Advanced access right>,…​] - Advanced Access Rights }

    Specifies the advanced rights that you want to get audited for the account specified in the -account parameter. The -advanced-rights parameter is mutually exclusive with the -rights and -rights-raw parameter. You can specify more than one advanced-rights value by using a comma-delimited list.

    You can specify one or more of the following advanced rights:

    • read-data

    • write-data

    • append-data

    • read-ea

    • write-ea

    • execute-file

    • delete-child

    • read-attr

    • write-attr

    • delete

    • read-perm

    • write-perm

    • write-owner

    • full-control

    [-apply-to {this-folder|sub-folders|files}] - Apply SACL To

    Specifies where to apply the system access control list entry. You can specify more than one value by using a comma-delimited list.

    You can specify one or more of the following values:

    • this-folder

    • sub-folder

    • files

    Select one of the following combinations of values for the -apply-to parameter for Storage-Level Access Guard (SLAG):
    • this-folder, sub-folder, files

    • this-folder, sub-folder

    • files

    If you specify an invalid -apply-to value, this security descriptor is removed from the associated Storage-Level Access Guard (SLAG) security file-directory policy task .

    Examples

    The following example modifies the rights and -apply-to fields in the SACL entry.

    cluster1::> vserver security file-directory ntfs sacl modify -ntfs-sd sd2 -access-type success -account BUILTIN\Administrators -vserver vs1 -rights modify -apply-to this-folder,sub-folders
    cluster1::> vserver security file-directory ntfs sacl show -vserver vs1 -ntfs-sd sd2 -account BUILTIN\Administrators -instance
    Vserver: vs1
                               Security Descriptor Name: sd2
                Access type for Specified Access Rights: success
                                    Account Name or SID: BUILTIN\Administrators
                                          Access Rights: modify
                                 Advanced Access Rights: -
                                               Apply To: this-folder, sub-folders
                                          Access Rights: modify
    Top of Page