Create an NTFS security descriptor
Creating an NTFS security descriptor is the first step in configuring and applying NTFS access control lists (ACLs) to files and folders residing within a namespace. Later, you will associate the security descriptor with a policy task.
You can create NTFS security descriptors for files and folders residing within FlexVol volumes with NTFS security-style or within mixed security-style volumes.
The steps to creating and applying NTFS ACLs are the following:
This step associates the policy with a Vserver.
A policy task refers to a single operation to apply to a file (or folder) or to a set of files (or folders). Amongst other things, the task defines which security descriptor to apply to a path.
Vserver: vserver1
  NTFS Security Descriptor Name: sd1

    Account Name     Access   Access        Apply To
                     Type     Rights
    --------------   -------  -------       -----------
    BUILTIN\Administrators
                     allow    full-control  this-folder, sub-folders, files
    BUILTIN\Users    allow    full-control  this-folder, sub-folders, files
    CREATOR OWNER    allow    full-control  this-folder, sub-folders, files
    NT AUTHORITY\SYSTEM
                     allow    full-control  this-folder, sub-folders, files
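A listing like the one above can be checked before the security descriptor is applied to a path. The following is an added example, not part of the original page or of NetApp's tooling: it parses a listing in that layout and reports allow/full-control entries held by broad groups. The review list BROAD, the function names, and the sample text (constructed to match the listing) are assumptions.

```python
import re

# Assumed review list: principals that cover every ordinary user.
BROAD = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}

# Constructed sample in the layout of the listing above; an account name may
# sit on its own line with the remaining columns wrapped underneath it.
SAMPLE = r"""
Vserver: vserver1
  NTFS Security Descriptor Name: sd1
    Account Name     Access   Access        Apply To
                     Type     Rights
    --------------   -------  -------       -----------
    BUILTIN\Administrators
                     allow    full-control  this-folder, sub-folders, files
    BUILTIN\Users    allow    full-control  this-folder, sub-folders, files
    CREATOR OWNER    allow    full-control  this-folder, sub-folders, files
    NT AUTHORITY\SYSTEM
                     allow    full-control  this-folder, sub-folders, files
"""

ACE_RE = re.compile(r"^(?:(?P<account>\S.*?)\s+)?(?P<type>allow|deny)\s+"
                    r"(?P<rights>\S+)\s+(?P<apply>.+)$")

def parse_dacl(text):
    """Return one dict per ACE row found below the dashed header rule."""
    aces, pending, in_table = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("---"):
            in_table = True
        elif in_table and line:
            m = ACE_RE.match(line)
            if m is None:
                pending = line  # account name wrapped onto its own line
                continue
            aces.append({"account": m["account"] or pending,
                         "type": m["type"], "rights": m["rights"],
                         "apply_to": [s.strip() for s in m["apply"].split(",")]})
            pending = None
    return aces

def broad_full_control(aces):
    """Accounts on the review list that hold an allow/full-control ACE."""
    return [a["account"] for a in aces
            if a["type"] == "allow" and a["rights"] == "full-control"
            and a["account"] in BROAD]

if __name__ == "__main__":
    print(broad_full_control(parse_dacl(SAMPLE)))
```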
The owner of the security descriptor can modify the permissions on the file (or folder) or files (or folders) to which the security descriptor is applied and can give other users the right to take ownership of the object or objects to which the security descriptor is applied. You can use any of the following formats when specifying the value for this parameter:
The following example creates an NTFS security descriptor named "sd1" on Vserver "vs1" and assigns "DOMAIN\Administrator" as the security descriptor owner.
cluster1::> vserver security file-directory ntfs create -ntfs-sd sd1 -vserver vs1 -owner DOMAIN\Administrator

cluster1::> vserver security file-directory ntfs show -vserver vs1 -ntfs-sd sd1

                         Vserver: vs1
        Security Descriptor Name: sd1
Owner of the Security Descriptor: DOMAIN\Administrator