ONTAP 9.14.1 commands

vserver security file-directory apply

Apply security descriptors on files and directories defined in a policy to a Vserver

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.


The vserver security file-directory apply command applies security settings to files and directories defined in a security policy of a Vserver.

Applying a security policy to a Vserver is the last step to creating and applying NTFS ACLs to files or folders. A security policy contains definitions for the security configuration of a file (or folder) or set of files (or, folders). The policy is a container for tasks. A task associates a file/folder path name to the security descriptor that needs to be set on the file/folder. Every task in a policy is uniquely identified by the file/folder path. A policy cannot have duplicate task entries. There can be only one task per path.

The steps to creating and applying NTFS ACLs are the following:

  • Create an NTFS security descriptor.

  • Add DACLs and SACLs to the NTFS security descriptor.

If you want to audit file and directory events, you must configure auditing on the Vserver in addition to adding the SACL to the security descriptor.
  • Create a file/directory security policy.

This step associates the policy with a Vserver.

  • Create policy tasks.

A policy task refers to a single operation to apply to a file (or folder) or to a set of files (or folders). Amongst other things, the task defines which security descriptor to apply to a path.

  • Apply a policy to the associated Vserver.

Modifying the ACLs via ONTAP CLI will replace the current permissions on the directory or path.


-vserver <vserver name> - Vserver

Specifies the Vserver that contains the path to which the security policy is applied.

-policy-name <Security policy name> - Policy Name

Specifies the security policy to apply.

[-ignore-broken-symlinks {true|false}] - Skip Broken Symlinks

If you specify this parameter as true , the file-directory apply job will skip all the symlinks that are broken instead of failing the job.


The following example applies a security policy named “p1” to Vserver vs0.

cluster1::> vserver security file-directory apply -vserver vs0 -policy-name p1
Top of Page