ONTAP 9.15.1 commands

vserver security file-directory ntfs sacl add

Add a SACL entry to NTFS security descriptor

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver security file-directory ntfs sacl add command adds system access control list entries (ACEs) into a security descriptor’s system access control list (SACL).

If the security descriptor contains a SACL that has existing security ACEs, the command adds the new security ACE to the SACL. If the security descriptor does not contain a SACL, the command creates the SACL and adds the new security ACE to it.

Adding a SACL entry to the security descriptor is the second step in configuring and applying security ACLs to a file or folder. Before you can add a SACL entry to a security descriptor, you must first create the security descriptor.

The steps to creating and applying NTFS ACLs are the following:

  • Create an NTFS security descriptor.

  • Add DACL and SACL entries to the NTFS security descriptor.

If you want to audit file and directory events, you must configure auditing on the Vserver in addition to adding the SACL to the security descriptor.
  • Create a file/directory security policy.

This step associates the policy with a Vserver.

  • Create policy tasks.

A policy task refers to a single operation to apply to a file (or folder) or to a set of files (or folders). Amongst other things, the task defines which security descriptor to apply to a path.

  • Apply a policy to the associated Vserver.

Parameters

-vserver <vserver name> - Vserver

Specifies the name of the Vserver associated with the security descriptor to which you want to add a system access control list entry.

-ntfs-sd <ntfs sd name> - NTFS Security Descriptor Name

Specifies the name of the security descriptor to which you want to add a system access control list entry.

-access-type {failure|success} - Success or Failure

Specifies whether the system access control list entry that you want to add is a failure or success access audit type.

-account <name or sid> - Account Name or SID

Specifies the account on which to apply the system access control list entry. You can specify the account by using a user name or SID. You can use any of the following formats when specifying the value for this parameter:

  • SID

  • Domain\user-name

  • user-name@Domain

  • user-name@FQDN

If you specify any of the three user name formats for the value of -account , keep in mind that the value for the user name is case insensitive.
{ [-rights {no-access|full-control|modify|read-and-execute|read|write}] - Access Rights

Specifies the rights that you want to get audited for the account specified in the -account parameter. The -rights parameter is mutually exclusive with the -advanced-rights and -rights-raw parameter. If you specify the -rights parameter, you can only specify one value.

You can specify one of the following rights values:

  • no-access

  • full-control

  • modify

  • read-and-execute

  • read

  • write

| [-advanced-rights <Advanced access right>,…​] - Advanced Access Rights }

Specifies the advanced rights that you want to get audited for the account specified in the -account parameter. The -advanced-rights parameter is mutually exclusive with the -rights and -rights-raw parameter. You can specify more than one advanced-rights value by using a comma-delimited list.

You can specify one or more of the following advanced rights:

  • read-data

  • write-data

  • append-data

  • read-ea

  • write-ea

  • execute-file

  • delete-child

  • read-attr

  • write-attr

  • delete

  • read-perm

  • write-perm

  • write-owner

  • full-control

| [-rights-raw <Hex Integer>] - Raw Access Rights (privilege: advanced) }

Specifies the raw rights that you want to get audited for the account specified in the -account parameter. The -rights-raw parameter is mutually exclusive with the -advanced-rights and -rights parameter. Specify the value as a hexadecimal integer, for example: 0xA10F or 0xb3ff etc.

[-apply-to {this-folder|sub-folders|files}] - Apply SACL To

Specifies where to apply the system access control list entry. You can specify more than one value by using a comma-delimited list.

You can specify one or more of the following values:

  • this-folder

  • sub-folder

  • files

Select one of the following combinations of values for the -apply-to parameter for Storage-Level Access Guard (SLAG):
  • this-folder, sub-folder, files

  • this-folder, sub-folder

  • files

If you specify an invalid -apply-to value, this security descriptor is removed from the associated Storage-Level Access Guard (SLAG) security file-directory policy task .

Examples

The following example adds a SACL entry to the security descriptor named “sd1” on Vserver vs1.

cluster1::> vserver security file-directory ntfs sacl add -ntfs-sd sd1 -access-type failure -account DOMAIN\Administrator -rights full-control -apply-to this-folder -vserver vs1
cluster1::> vserver security file-directory ntfs sacl show -vserver vs1 -ntfs-sd sd1 -access-type deny -account DOMAIN\Administrator
Vserver: vs1
                               Security Descriptor Name: sd1
                Access type for Specified Access Rights: failure
                                    Account Name or SID: DOMAIN\Administrator
                                          Access Rights: full-control
                                 Advanced Access Rights: -
                                               Apply To: this-folder
                                          Access Rights: full-control
Top of Page