Creating an NTFS security descriptor

Creating an NTFS security descriptor (file security policy) is the first step in configuring and applying NTFS access control lists (ACLs) to files and folders residing within storage virtual machines (SVMs). You can associate the security descriptor to the file or folder path in a policy task.

About this task

You can create NTFS security descriptors for files and folders residing within NTFS security-style volumes, or for files and folders residing on mixed security-style volumes.

By default, when a security descriptor is created, four discretionary access control list (DACL) access control entries (ACEs) are added to that security descriptor. The four default ACEs are as follows:

Object Access type Access rights Where to apply the permissions
BUILTIN\Administrators Allow Full Control this-folder, sub-folders, files
BUILTIN\Users Allow Full Control this-folder, sub-folders, files
CREATOR OWNER Allow Full Control this-folder, sub-folders, files
NT AUTHORITY\SYSTEM Allow Full Control this-folder, sub-folders, files

You can customize the security descriptor configuration by using the following optional parameters:

The value for any optional parameter is ignored for Storage-Level Access Guard. See the man pages for more information.