ONTAP 9.12.1 commands

50←PDF
  • ONTAP 9.12.1 commands(CA08871-263en.pdf)
  • vserver security file-directory ntfs sacl show

    Display NTFS security descriptor SACL entries

    Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

    Description

    The vserver security file-directory ntfs sacl show command displays information about all the system access control list entries in the Vserver. The command output depends on the parameter or parameters specified with the command. If you do not specify any parameters, the command displays the following information about all SACL entries:

    • Vserver name

    • Security descriptor

    • List of SACL entries

    You can specify the -fields parameter to specify which fields of information to display about SACL entries.

    You can specify the -instance parameter to display all information about SACL entries in a list format.

    Parameters

    { [-fields <fieldname>,…​]

    If you specify the -fields <fieldname>, …​ parameter, the command only displays the fields that you specify.

    | [-instance ] }

    If you specify the -instance parameter, the command displays detailed information about all entries.

    [-vserver <vserver name>] - Vserver

    If you specify this parameter, the command displays information only about system access control list entries associated with the specified Vserver.

    [-ntfs-sd <ntfs sd name>] - NTFS Security Descriptor Name

    If you specify this parameter, the command displays information only about the system access control list entries for the security descriptor that you specify.

    [-access-type {failure|success}] - Success or Failure

    If you specify this parameter, the command displays information only about the system access control list entries with the access type that you specify.

    [-account <name or sid>] - Account Name or SID

    If you specify this parameter, the command displays information only about the system access control list entries associated with the account name or SID that you specify. You can use any of the following formats when specifying the value for this parameter:

    +
    * SID
    * Domain\user-name
    * user-name@Domain
    * user-name@FQDN

    If you specify any of the three user name formats for the value of -account, keep in mind that the value for the user name is case insensitive.
    [-rights {no-access|full-control|modify|read-and-execute|read|write}] - Access Rights

    If you specify this parameter, the command displays information only about the system access control list entries with the user right that you specify. The value for this parameter is mutually exclusive with any other rights values. Only one value can be specified.

    You can specify one of the following rights values:

    • no-access

    • full-control

    • modify

    • read-and-execute

    • read

    • write

    [-rights-raw <Hex Integer>] - Raw Access Rights

    If you specify this parameter, the command displays information only about the system access control list entries with the advanced user rights that you specify. This value for this parameter is mutually exclusive with any other rights values. Specify the value as a hexadecimal integer, for example: 0xA10F or 0xb3ff etc.

    [-advanced-rights <Advanced access right>,…​] - Advanced Access Rights

    If you specify this parameter, the command displays information only about the system access control list entries with the advanced user rights that you specify. You can specify more than one value by using a comma-delimited list.

    You can specify one or more of the following advanced rights values:

    • read-data

    • write-data

    • append-data

    • read-ea

    • write-ea

    • execute-file

    • delete-child

    • read-attr

    • write-attr

    • delete

    • read-perm

    • write-perm

    • write-owner

    • full-control

    [-apply-to {this-folder|sub-folders|files}] - Apply SACL To

    If you specify this parameter, the command displays information only about the system access control list entries with the -applied-to value or values that you specify. You can specify more than one value by using a comma-delimited list.

    You can specify one or more of the following values:

    • this-folder

    • sub-folder

    • files

    [-readable-access-rights <TextNoCase>] - Access Rights

    If you specify this parameter, the command displays information only about the system access control list entries with the readable access rights that you specify.

    Examples

    The following example shows a SACL entry.

    cluster1::> vserver security file-directory sacl show
                  (vserver security file-directory ntfs sacl show)
    Vserver: vs1
                    NTFS Security Descriptor Name: sd1
    Account Name     Access   Access             Apply To
                                     Type     Rights
                   --------------   -------  -------            -----------
                   domain\user      success  full-control      this-folder, sub-folders, files
    Top of Page