vserver security file-directory ntfs dacl add

Add a DACL entry to NTFS security descriptor

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver security file-directory ntfs dacl add command adds access control entries (ACEs) into a security descriptor’s discretionary access control list (DACL).

If the security descriptor contains a DACL that has existing ACEs, the command adds the new ACE to the DACL. If the security descriptor does not contain a DACL, the command creates the DACL and adds the new ACE to it.

Adding a DACL entry to the security descriptor is the second step in configuring and applying ACLs to a file or folder. Before you can add a DACL entry to a security descriptor, you must first create the security descriptor.

The steps for creating and applying NTFS ACLs are the following:

Parameters

-vserver <vserver name> - Vserver
Specifies the name of the Vserver associated with the security descriptor to which you want to add a discretionary access control entry (discretionary ACE).
-ntfs-sd <ntfs sd name> - NTFS Security Descriptor Name
Specifies the name of the security descriptor to which you want to add a discretionary access control entry.
-access-type {deny|allow} - Allow or Deny
Specifies whether the discretionary access control entry is an allow or deny type of access control.
-account <name or sid> - Account Name or SID
Specifies the account on which to apply the discretionary access control entry. You can specify the account by using a user name or SID. You can use any of the following formats when specifying the value for this parameter:
  • SID
  • Domain\user-name
  • user-name@Domain
  • user-name@FQDN
Note: If you specify any of the three user name formats for the value of -account, keep in mind that the value for the user name is case insensitive.
{ [-rights {no-access|full-control|modify|read-and-execute|read|write}] - DACL ACE's Access Rights
Specifies the right that you want to add for the account specified in the -account parameter. The -rights parameter is mutually exclusive with the -advanced-rights and -rights-raw parameters. If you specify the -rights parameter, you can specify only one value.

You can specify one of the following rights values:

  • no-access
  • full-control
  • modify
  • read-and-execute
  • read
  • write
| [-advanced-rights <Advanced access right>, ...] - DACL ACE's Advanced Access Rights
Specifies the advanced rights that you want to add for the account specified in the -account parameter. The -advanced-rights parameter is mutually exclusive with the -rights and -rights-raw parameters. You can specify more than one advanced-rights value by using a comma-delimited list.

You can specify one or more of the following advanced rights:

  • read-data
  • write-data
  • append-data
  • read-ea
  • write-ea
  • execute-file
  • delete-child
  • read-attr
  • write-attr
  • delete
  • read-perm
  • write-perm
  • write-owner
  • full-control
| [-rights-raw <Hex Integer>]} - DACL ACE's Raw Access Rights (privilege: advanced)
Specifies the raw rights that you want to add for the account specified in the -account parameter. The -rights-raw parameter is mutually exclusive with the -advanced-rights and -rights parameters. Specify the value as a hexadecimal integer, for example 0xA10F or 0xb3ff.
[-apply-to {this-folder|sub-folders|files}, ...] - Apply DACL Entry
Specifies where to apply the discretionary access control entry. You can specify more than one value by using a comma-delimited list.

You can specify one or more of the following values:

  • this-folder
  • sub-folders
  • files
Note: Select one of the following combinations of values for the -apply-to parameter for Storage-Level Access Guard (SLAG):
  • this-folder, sub-folders, files
  • this-folder, sub-folders
  • files

If you specify an invalid -apply-to value, this security descriptor is removed from the associated Storage-Level Access Guard (SLAG) security file-directory policy task.

Examples

The following example adds a DACL entry to the security descriptor named "sd1" on Vserver "vs1" for the "DOMAIN\Administrator" account, then displays the resulting entry.

cluster1::> vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type deny -account DOMAIN\Administrator -rights full-control -apply-to this-folder -vserver vs1

cluster1::> vserver security file-directory ntfs dacl show -vserver vs1 -ntfs-sd sd1 -access-type deny -account domain\administrator

                               Vserver: vs1
              Security Descriptor Name: sd1
                         Allow or Deny: deny
                   Account Name or SID: DOMAIN\Administrator
                         Access Rights: full-control
                Advanced Access Rights: -
                              Apply To: this-folder
                         Access Rights: full-control