vserver security file-directory ntfs sacl add

Add a SACL entry to NTFS security descriptor

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver security file-directory ntfs sacl add command adds a system access control entry (ACE) to the system access control list (SACL) of an NTFS security descriptor. A SACL entry does not grant or deny access; it selects which successful or failed access attempts by the named account are audited.

If the security descriptor already contains a SACL with existing audit ACEs, the command appends the new ACE to that SACL. If the security descriptor does not contain a SACL, the command creates the SACL and adds the new ACE to it.

Adding a SACL entry to the security descriptor is the second step in configuring and applying security ACLs to a file or folder. Before you can add a SACL entry to a security descriptor, you must first create the security descriptor.

The steps to creating and applying NTFS ACLs are the following:

Parameters

-vserver <vserver name> - Vserver
Specifies the name of the Vserver associated with the security descriptor to which you want to add a system access control list entry.
-ntfs-sd <ntfs sd name> - NTFS Security Descriptor Name
Specifies the name of the security descriptor to which you want to add a system access control list entry.
-access-type {failure|success} - Success or Failure
Specifies whether the system access control list entry that you want to add is a failure or success access audit type.
-account <name or sid> - Account Name or SID
Specifies the account on which to apply the system access control list entry. You can specify the account by using a user name or SID. You can use any of the following formats when specifying the value for this parameter:
  • SID
  • Domain\user-name
  • user-name@Domain
  • user-name@FQDN
Note: If you specify any of the three user name formats for the value of -account, keep in mind that the value for the user name is case insensitive.
{ [-rights {no-access|full-control|modify|read-and-execute|read|write}] - Access Rights
Specifies the rights for which access attempts by the account named in the -account parameter are audited. The -rights parameter is mutually exclusive with the -advanced-rights and -rights-raw parameters. If you specify the -rights parameter, you can specify only one value.

You can specify one of the following rights values:

  • no-access
  • full-control
  • modify
  • read-and-execute
  • read
  • write
| [-advanced-rights <Advanced access right>, ...] - Advanced Access Rights
Specifies the advanced rights for which access attempts by the account named in the -account parameter are audited. The -advanced-rights parameter is mutually exclusive with the -rights and -rights-raw parameters. You can specify more than one advanced-rights value by using a comma-delimited list.

You can specify one or more of the following advanced rights:

  • read-data
  • write-data
  • append-data
  • read-ea
  • write-ea
  • execute-file
  • delete-child
  • read-attr
  • write-attr
  • delete
  • read-perm
  • write-perm
  • write-owner
  • full-control
| [-rights-raw <Hex Integer>]} - Raw Access Rights (privilege: advanced)
Specifies, as a raw access mask, the rights for which access attempts by the account named in the -account parameter are audited. The -rights-raw parameter is mutually exclusive with the -advanced-rights and -rights parameters. Specify the value as a hexadecimal integer, for example 0xA10F or 0xb3ff. Because the mask is not validated against the named rights above, check that each set bit corresponds to a right you intend to audit.
[-apply-to {this-folder|sub-folders|files}, ...] - Apply SACL To
Specifies where to apply the system access control list entry. You can specify more than one value by using a comma-delimited list.

You can specify one or more of the following values:

  • this-folder
  • sub-folders
  • files
Note: When the security descriptor is used by Storage-Level Access Guard (SLAG), select one of the following combinations of values for the -apply-to parameter:
  • this-folder, sub-folders, files
  • this-folder, sub-folders
  • files

If you specify a combination that is not listed above, the security descriptor is removed from the Storage-Level Access Guard (SLAG) security file-directory policy task with which it is associated.
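The two checks a practitioner most often wants here, decoding an opaque -rights-raw mask into the named advanced rights listed above and validating an -apply-to combination against the SLAG note, as an added example that is not part of the ONTAP CLI or of NetApp's documentation. It assumes that ONTAP's raw rights are the standard Windows ACCESS_MASK bits for file objects (FILE_READ_DATA = 0x1 through WRITE_OWNER = 0x80000, FILE_ALL_ACCESS = 0x1F01FF); the name-to-bit table and the helper names are this example's own, not something this page states.

```python
# Added helper, not part of the ONTAP CLI or NetApp's documentation.
# Assumption: the -rights-raw mask uses the standard Windows ACCESS_MASK bits
# for file objects; the name-to-bit table below maps the page's advanced-rights
# names onto those constants.

ADVANCED_RIGHT_BITS = {
    "read-data":    0x00000001,  # FILE_READ_DATA
    "write-data":   0x00000002,  # FILE_WRITE_DATA
    "append-data":  0x00000004,  # FILE_APPEND_DATA
    "read-ea":      0x00000008,  # FILE_READ_EA
    "write-ea":     0x00000010,  # FILE_WRITE_EA
    "execute-file": 0x00000020,  # FILE_EXECUTE
    "delete-child": 0x00000040,  # FILE_DELETE_CHILD
    "read-attr":    0x00000080,  # FILE_READ_ATTRIBUTES
    "write-attr":   0x00000100,  # FILE_WRITE_ATTRIBUTES
    "delete":       0x00010000,  # DELETE
    "read-perm":    0x00020000,  # READ_CONTROL
    "write-perm":   0x00040000,  # WRITE_DAC
    "write-owner":  0x00080000,  # WRITE_OWNER
}
SYNCHRONIZE = 0x00100000    # standard right with no named ONTAP equivalent
FULL_CONTROL = 0x001F01FF   # FILE_ALL_ACCESS: every bit above plus SYNCHRONIZE


def decode_rights_raw(raw):
    """Return (named rights, leftover mask) for a -rights-raw value such as '0xA10F'.

    Leftover bits are set bits that match no named right; a non-zero leftover
    means the mask audits something the named -advanced-rights list cannot express.
    """
    mask = int(raw, 16) if isinstance(raw, str) else raw
    if mask & FULL_CONTROL == FULL_CONTROL:
        named, covered = ["full-control"], FULL_CONTROL
    else:
        named = [name for name, bit in ADVANCED_RIGHT_BITS.items() if mask & bit]
        covered = sum(ADVANCED_RIGHT_BITS[name] for name in named)
        if mask & SYNCHRONIZE:          # known bit, just not a named ONTAP right
            covered |= SYNCHRONIZE
    return named, mask & ~covered


def encode_advanced_rights(names):
    """Inverse direction: the -rights-raw mask for a comma-delimited -advanced-rights list."""
    mask = 0
    for name in names.split(","):
        name = name.strip()
        if name == "full-control":
            mask |= FULL_CONTROL
        else:
            mask |= ADVANCED_RIGHT_BITS[name]   # KeyError for a name the page does not list
    return mask


# The three -apply-to combinations the SLAG note permits.
SLAG_APPLY_TO = [
    {"this-folder", "sub-folders", "files"},
    {"this-folder", "sub-folders"},
    {"files"},
]


def valid_slag_apply_to(apply_to):
    """True only when a comma-delimited -apply-to value is one of the SLAG combinations."""
    return {value.strip() for value in apply_to.split(",")} in SLAG_APPLY_TO


if __name__ == "__main__":
    # The two masks the page uses as examples, plus FILE_ALL_ACCESS.
    for raw in ("0xA10F", "0xb3ff", "0x1F01FF"):
        names, leftover = decode_rights_raw(raw)
        print(f"{raw}: {','.join(names) or '-'}  leftover bits: {leftover:#x}")
    print("this-folder,sub-folders ->", valid_slag_apply_to("this-folder,sub-folders"))
    print("this-folder,files       ->", valid_slag_apply_to("this-folder,files"))
```

Both masks the page quotes carry bits (0x2000, 0x8000, and for 0xb3ff also 0x200 and 0x1000) that correspond to no file right, so the decoder reports them as leftover rather than silently dropping them; that is the case to watch for when a raw mask arrives from a script rather than from a named right.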

Examples

The following example adds a failure-audit SACL entry for DOMAIN\Administrator to the security descriptor named "sd1" on Vserver vs1, then displays the entry. Note that the show command filters on the same -access-type value (failure) that was added; SACL entries have access types of success or failure, not allow or deny.

    cluster1::> vserver security file-directory ntfs sacl add -ntfs-sd sd1 -access-type failure -account DOMAIN\Administrator -rights full-control -apply-to this-folder -vserver vs1

    cluster1::> vserver security file-directory ntfs sacl show -vserver vs1 -ntfs-sd sd1 -access-type failure -account DOMAIN\Administrator

                                    Vserver: vs1
                   Security Descriptor Name: sd1
    Access type for Specified Access Rights: failure
                        Account Name or SID: DOMAIN\Administrator
                              Access Rights: full-control
                     Advanced Access Rights: -
                                   Apply To: this-folder