vserver security file-directory ntfs create

Create an NTFS security descriptor

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver security file-directory ntfs create command creates an NTFS security descriptor to which you can add access control entries (ACEs) to the discretionary access control list (DACL) and the system access control list (SACL).

Creating an NTFS security descriptor is the first step in configuring and applying NTFS access control lists (ACLs) to files and folders residing within a namespace. Later, you will associate the security descriptor to a policy task.

You can create NTFS security descriptors for files and folders residing within FlexVol volumes with NTFS security-style or on NTFS security descriptors on mixed security-style volumes.

The steps to creating and applying NTFS ACLs are the following:

Create an NTFS security descriptor.
Add DACLs and SACLs to the NTFS security descriptor.
Note: If you want to audit file and directory events, you must configure auditing on the Vserver in addition to adding a SACL to the security descriptor.
Create a file/directory security policy.
This step associates the policy with a Vserver.
Create a policy task.
A policy task refers to a single operation to apply to a file (or folder) or to a set of files (or folders). Amongst other things, the task defines which security descriptor to apply to a path.
Apply a policy to the associated Vserver.

Parameters

-vserver <vserver name> - Vserver

Specifies the name of the Vserver on which to create the security descriptor.

-ntfs-sd <ntfs sd name> - NTFS Security Descriptor Name

Specifies the name of the security descriptor you want to create. After you create a security descriptor, you can add SACL and DACL access control entries (ACEs) to it.

Note: Every newly created security descriptor contains the 4 default DACL ACEs as mentioned below:

                    Vserver: vserver1
                         NTFS Security Descriptor Name: sd1

                           Account Name     Access   Access             Apply To
                                            Type     Rights
                           --------------   -------  -------            -----------
                           BUILTIN\Administrators
                                            allow    full-control      this-folder, sub-folders, files
                           BUILTIN\Users    allow    full-control      this-folder, sub-folders, files
                           CREATOR OWNER    allow    full-control      this-folder, sub-folders, files
                           NT AUTHORITY\SYSTEM
                                            allow    full-control      this-folder, sub-folders, files

[-owner <name or sid>] - Owner

Specifies the owner of the security descriptor. You can specify the owner using either a user name or SID.

The owner of the security descriptor can modify the permissions on the file (or folder) or files (or folders) to which the security descriptor is applied and can give other users the right to take ownership of the object or objects to which the security descriptor is applied. You can use any of the following formats when specifying the value for this parameter:

SID
Domain\user-name
user-name@Domain
user-name@FQDN

Note: If you specify any of the three user name formats for the value of -owner, keep in mind that the value for the user name is case insensitive. The value for the user name is ignored for Storage-Level Access Guard (SLAG).

[-group <name or sid>] - Primary Group (privilege: advanced)

Specifies the owner group of the security descriptor. You can specify the owner group using either a group name or SID. You can use any of the following formats when specifying the value for this parameter:

SID
Domain\user-name
user-name@Domain
user-name@FQDN

Note: If you specify any of the three user name formats for the value of -group, keep in mind that the value for the user name is case insensitive. The value for the user name is ignored for SLAG.

[-control-flags-raw <Hex Integer>] - Raw Control Flags (privilege: advanced)

Specifies the control flags in the security descriptor.

Note: The value for the control flag is ignored for SLAG.

Examples

Every newly created security descriptor contains the 4 default DACL ACEs as mentioned below:

                    Vserver: vserver1
                         NTFS Security Descriptor Name: sd1

                           Account Name     Access   Access             Apply To
                                            Type     Rights
                           --------------   -------  -------            -----------
                           BUILTIN\Administrators
                                            allow    full-control      this-folder, sub-folders, files
                           BUILTIN\Users    allow    full-control      this-folder, sub-folders, files
                           CREATOR OWNER    allow    full-control      this-folder, sub-folders, files
                           NT AUTHORITY\SYSTEM
                                            allow    full-control      this-folder, sub-folders, files

The following example creates an NTFS security descriptor named “sd1” on Vserver "vs1" and assigns “DOMAIN\Administrator” as the security descriptor owner.

              cluster1::> vserver security file-directory ntfs create -ntfs-sd sd1 -vserver vs1 -owner DOMAIN\Administrator

              cluster1::> vserver security file-directory ntfs show -vserver vs1 -ntfs-sd sd1
                                       Vserver: vs1
                      Security Descriptor Name: sd2
              Owner of the Security Descriptor: DOMAIN\Administrator