vserver security file-directory policy task add

Add a policy task

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver security file-directory policy task add command adds a single task entry to a security policy. A task refers to a single operation that can be done by a security policy to a file/folder.

Before you create a security policy task, you must first create a security policy and a security descriptor. You should also add DACL entries and SACL entries (if desired) to the security descriptor before you create the security policy task.

Note: You can add DACL and SACL entries to the security descriptor after you have associated it to a security policy task.

Creating a policy task is the fourth step in configuring and applying ACLs to a file or folder. When you create the policy task, you associate a security descriptor to it. You also associate the task to a security policy.

The steps to creating and applying NTFS ACLs are the following:

Parameters

-vserver <vserver name> - Vserver
Specifies the Vserver associated with the security policy to which you want to add a task.
-policy-name <Security policy name> - Policy Name
Specifies the name of the security policy into which you want to add the task.
-path <text> - Path
Specifies the path of the file/folder on which to apply the security descriptor associated with this task.
[-index-num <integer>] - Position
Specifies the index number of a task. Tasks are applied in order. A task with a larger index value is applied after a task with a lower index number. If you do not specify this optional parameter, new tasks are applied to the end of the index list.

The range of supported values is 1 through 9999. If there is a gap between the highest existing index number and the value entered for this parameter, the task with this number is considered to be the last task in the policy and is treated as having an index number of the previous highest index plus one.

Note: If you specify an index number that is already assigned to an existing task, the new task's index number is automatically rearranged to the highest index number in the table.
[-security-type {ntfs|nfsv4}] - Security Type of the File
Specifies whether the security descriptor associated with this task is an NTFS or an NFSv4 security descriptor type. If you do not specify a value for this optional parameter, the default is “ntfs”.
Note: The nfsv4 security descriptor type is not supported in this release. If you specify this optional parameter, you must enter ntfs for the -security-type value.
[-ntfs-mode {propagate|ignore|replace}] - Propagation Mode
Specifies how to propagate security settings to child subfolders and files. This setting determines how child files and/or folders contained within a parent folder inherit access control and audit information from the parent folder.

You can specify one of the three parameter values that correspond to three types of propagation modes:

  • propagate - propagate inheritable permissions to all subfolders and files
  • replace - replace existing permissions on all subfolders and files with inheritable permissions
  • ignore - do not allow permissions on this file or folder to be replaced
Note: The ntfs-mode value is ignored for Storage-Level Access Guard (SLAG).
[-ntfs-sd <ntfs sd name>, ...] - NTFS Security Descriptor Name
Specifies the list of security descriptor names to apply to the path specified in the -path parameter.
[-access-control {file-directory|slag}] - Access Control Level
Specifies the access control of the task to be applied. Valid values are file-directory or slag. Use the value slag to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value slag is not supported on FlexGroups. The default value is file-directory.
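The index-number rules above (range 1 through 9999, gaps and collisions both pushing a task to the end, omitted index appending) and the parameter constraints (only ntfs security type, slag unsupported on FlexGroups, ntfs-mode ignored for SLAG) are easy to misread when planning a policy. The following Python model is an added example written for this page, not ONTAP code; the Task and Policy classes, the on_flexgroup flag and the show() layout are assumptions for illustration, while the rules they encode come from the parameter descriptions above.

```python
"""Model of how `vserver security file-directory policy task add` assigns
index numbers and validates a task (added example; not ONTAP code)."""
from dataclasses import dataclass, field
from typing import List, Optional

INDEX_MIN, INDEX_MAX = 1, 9999          # documented -index-num range
VALID_MODES = {"propagate", "ignore", "replace"}
VALID_ACCESS_CONTROL = {"file-directory", "slag"}


@dataclass
class Task:
    """One task entry (hypothetical model of the command's parameters)."""
    path: str
    ntfs_sd: List[str]                       # -ntfs-sd, one or more descriptor names
    access_control: str = "file-directory"   # -access-control
    security_type: str = "ntfs"              # -security-type
    ntfs_mode: str = "propagate"             # -ntfs-mode
    index_num: int = 0                       # assigned by Policy.add_task


def validate(task: Task, on_flexgroup: bool = False) -> None:
    """Reject parameter combinations the command documentation rules out."""
    if task.security_type != "ntfs":
        raise ValueError("only -security-type ntfs is supported in this release")
    if task.ntfs_mode not in VALID_MODES:
        raise ValueError(f"unknown -ntfs-mode {task.ntfs_mode!r}")
    if task.access_control not in VALID_ACCESS_CONTROL:
        raise ValueError(f"unknown -access-control {task.access_control!r}")
    if task.access_control == "slag" and on_flexgroup:
        raise ValueError("-access-control slag is not supported on FlexGroups")


def effective_mode(task: Task) -> Optional[str]:
    """-ntfs-mode is ignored for SLAG tasks, so it has no effect there."""
    return None if task.access_control == "slag" else task.ntfs_mode


@dataclass
class Policy:
    """A security policy holding an ordered list of tasks (hypothetical model)."""
    name: str
    tasks: List[Task] = field(default_factory=list)

    def highest_index(self) -> int:
        return max((t.index_num for t in self.tasks), default=0)

    def add_task(self, task: Task, index_num: Optional[int] = None,
                 on_flexgroup: bool = False) -> Task:
        validate(task, on_flexgroup)
        highest = self.highest_index()
        taken = {t.index_num for t in self.tasks}
        if index_num is None:
            # Omitted: the new task goes to the end of the list.
            assigned = highest + 1
        elif not INDEX_MIN <= index_num <= INDEX_MAX:
            raise ValueError(f"-index-num must be {INDEX_MIN}..{INDEX_MAX}")
        elif index_num > highest or index_num in taken:
            # Gap above the current highest, or a collision with an existing
            # task: either way the task becomes the last one (highest + 1).
            assigned = highest + 1
        else:
            # A free slot at or below the current highest is used as given.
            assigned = index_num
        task.index_num = assigned
        self.tasks.append(task)
        return task

    def apply_order(self) -> List[Task]:
        """Tasks are applied in ascending index order."""
        return sorted(self.tasks, key=lambda t: t.index_num)

    def show(self) -> List[str]:
        """Rows resembling the columns of `policy task show`."""
        return [f"{t.index_num:<5} {t.path:<12} {t.access_control:<15} "
                f"{t.security_type:<8} {t.ntfs_mode:<10} {', '.join(t.ntfs_sd)}"
                for t in self.apply_order()]


if __name__ == "__main__":
    # Constructed data mirroring the two examples on this page.
    policy1 = Policy("policy1")
    policy1.add_task(Task("/", ["sd"], access_control="slag"), index_num=1)
    policy2 = Policy("policy2")
    policy2.add_task(Task("/1", ["sd1", "sd2"]))
    for p in (policy1, policy2):
        print(f"Policy: {p.name}")
        print("\n".join(p.show()))
```

Running the module prints rows equivalent to the show output in the Examples section; calling add_task with an index far above the current highest, or with one already in use, shows the task landing at highest plus one rather than at the requested position, which is the behaviour to keep in mind when a policy must apply a restrictive descriptor before a permissive one.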

Examples

The following example adds a security policy task entry to the policy named “policy1” on Vserver vs1.

              cluster1::> vserver security file-directory policy task add -vserver vs1 -policy-name policy1 -path / -access-control slag -security-type ntfs -ntfs-mode propagate -ntfs-sd sd -index-num 1

The following example adds a task with two security descriptors to the policy named “policy2” without specifying an index number, then displays the tasks of both policies.

              cluster1::> vserver security file-directory policy task add -vserver vs1 -policy-name policy2 -path /1 -security-type ntfs -ntfs-mode propagate -ntfs-sd sd1,sd2
              cluster1::> vserver security file-directory policy task show

              Vserver: vs1
                Policy: policy1

                   Index  File/Folder  Access           Security  NTFS       NTFS Security
                          Path         Control          Type      Mode       Descriptor Name
                   -----  -----------  ---------------  --------  ---------- ---------------
                   1      /            slag             ntfs      propagate  sd

              Vserver: vs1
                Policy: policy2

                   Index  File/Folder  Access           Security  NTFS       NTFS Security
                          Path         Control          Type      Mode       Descriptor Name
                   -----  -----------  ---------------  --------  ---------- ---------------
                   1      /1           file-directory   ntfs      propagate  sd1, sd2