ONTAP 9.14.1 commands

vserver security file-directory policy task add

Add a policy task

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.


The vserver security file-directory policy task add command adds a single task entry to a security policy. A task is a single operation that a security policy performs on a file or folder.

Before you create a security policy task, you must first create a security policy and a security descriptor. You should also add DACL entries and SACL entries (if desired) to the security descriptor before you create the security policy task.

You can also add DACL and SACL entries to the security descriptor after you have associated it with a security policy task.

Creating a policy task is the fourth step in configuring and applying ACLs to a file or folder. When you create the policy task, you associate a security descriptor to it. You also associate the task to a security policy.

The steps for creating and applying NTFS ACLs are the following:

  • Create an NTFS security descriptor.

  • Add DACLs and SACLs to the NTFS security descriptor.

    If you want to audit file and directory events, you must configure auditing on the Vserver in addition to adding SACLs to the security descriptor.

  • Create a file/directory security policy.

    This step associates the policy with a Vserver.

  • Create policy tasks.

    A policy task refers to a single operation to apply to a file (or folder) or to a set of files (or folders). Amongst other things, the task defines which security descriptor to apply to a path.

    Adding a policy task fails if a job is currently running for the specified policy to which a task is being added.

  • Apply a policy to the associated Vserver.


-vserver <vserver name> - Vserver

Specifies the Vserver associated with the security policy to which you want to add a task.

-policy-name <Security policy name> - Policy Name

Specifies the name of the security policy into which you want to add the task.

-path <text> - Path

Specifies the path of the file/folder on which to apply the security descriptor associated with this task.

[-index-num <integer>] - Position

Specifies the index number of a task. Tasks are applied in order. A task with a larger index value is applied after a task with a lower index number. If you do not specify this optional parameter, new tasks are applied to the end of the index list.

The range of supported values is 1 through 9999. If there is a gap between the highest existing index number and the value entered for this parameter, the task with this number is considered to be the last task in the policy and is treated as having an index number of the previous highest index plus one.

If you specify an index number that is already assigned to an existing task, the index number is automatically rearranged to the highest index number in the table.

[-security-type {ntfs|nfsv4}] - Security Type of the File

Specifies whether the security descriptor associated with this task is an NTFS or an NFSv4 security descriptor type. If you do not specify a value for this optional parameter, the default is “ntfs”.

The nfsv4 security descriptor type is not supported in this release. If you specify this optional parameter, you must enter ntfs for the -security-type value.

[-ntfs-mode {propagate|ignore|replace}] - Propagation Mode

Specifies how to propagate security settings to child subfolders and files. This setting determines how child files and/or folders contained within a parent folder inherit access control and audit information from the parent folder.

You can specify one of the three parameter values that correspond to three types of propagation modes:

  • propagate - propagate inheritable permissions to all subfolders and files

  • replace - replace existing permissions on all subfolders and files with inheritable permissions

  • ignore - do not allow permissions on this file or folder to be replaced

The ntfs-mode value is ignored for Storage-Level Access Guard (SLAG).

[-ntfs-sd <ntfs sd name>,…] - NTFS Security Descriptor Name

Specifies the list of security descriptor names to apply to the path specified in the -path parameter.

[-access-control {file-directory|slag}] - Access Control Level

Specifies the access control level of the task to be applied. Valid values are file-directory or slag. Use the value slag to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value slag is not supported on FlexGroups. The default value is file-directory.


The following example adds security policy task entries to the policies named “policy1” and “policy2” on Vserver vs1, then displays the resulting tasks.

cluster1::> vserver security file-directory policy task add -vserver vs1 -policy-name policy1 -path / -access-control slag -security-type ntfs -ntfs-mode propagate -ntfs-sd sd -index-num 1

cluster1::> vserver security file-directory policy task add -vserver vs1 -policy-name policy2 -path /1 -security-type ntfs -ntfs-mode propagate -ntfs-sd sd1,sd2

cluster1::> vserver security file-directory policy task show

Vserver: vs1
  Policy: policy1

Index  File/Folder  Access           Security  NTFS       NTFS Security
       Path         Control          Type      Mode       Descriptor Name
-----  -----------  ---------------  --------  ---------- ---------------
1      /            slag             ntfs      propagate  sd

Vserver: vs1
  Policy: policy2

Index  File/Folder  Access           Security  NTFS       NTFS Security
       Path         Control          Type      Mode       Descriptor Name
-----  -----------  ---------------  --------  ---------- ---------------
1      /1           file-directory   ntfs      propagate  sd1, sd2