vserver security file-directory policy task add
Add a policy task
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver security file-directory policy task add command adds a single task entry to a security policy. A task is a single operation that a security policy performs on a file or folder.
Before you create a security policy task, you must first create a security policy and a security descriptor. You should also add DACL entries and SACL entries (if desired) to the security descriptor before you create the security policy task.
Note: You can also add DACL and SACL entries to the security descriptor after you have associated it with a security policy task.
Creating a policy task is the fourth step in configuring and applying ACLs to a file or folder. When you create the policy task, you associate a security descriptor with it. You also associate the task with a security policy.
The steps to create and apply NTFS ACLs are the following:
- Create an NTFS security descriptor.
- Add DACLs and SACLs to the NTFS security descriptor.
  Note: If you want to audit file and directory events, you must configure auditing on the Vserver in addition to adding SACLs to the security descriptor.
- Create a file/directory security policy.
  This step associates the policy with a Vserver.
- Create policy tasks.
  A policy task refers to a single operation to apply to a file (or folder) or to a set of files (or folders). Among other things, the task defines which security descriptor to apply to a path.
  Note: Adding a policy task fails if a job is currently running for the specified policy to which a task is being added.
- Apply the policy to the associated Vserver.
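The five steps above as one continuous clustershell session. This is an added example, not taken from the original page or from NetApp's own documentation: the Vserver vs1, the path /data, the descriptor name sd_data, the policy name data_policy, the audit log destination /audit_log and the accounts CIFS_DOMAIN\FileAdmins, CIFS_DOMAIN\Users and Everyone are assumptions chosen for illustration. The vserver audit commands are included because SACL entries produce no events until auditing is configured and enabled on the Vserver.

```text
# Step 1: create the NTFS security descriptor (owner is an assumed account)
cluster1::> vserver security file-directory ntfs create -vserver vs1 -ntfs-sd sd_data -owner CIFS_DOMAIN\FileAdmins

# Step 2: add DACL entries, then a SACL entry that records failed access attempts.
# -apply-to this-folder,sub-folders,files makes the ACEs inheritable, which is
# what -ntfs-mode propagate in step 4 pushes down to the children of /data.
cluster1::> vserver security file-directory ntfs dacl add -vserver vs1 -ntfs-sd sd_data -access-type allow -account CIFS_DOMAIN\FileAdmins -rights full-control -apply-to this-folder,sub-folders,files
cluster1::> vserver security file-directory ntfs dacl add -vserver vs1 -ntfs-sd sd_data -access-type allow -account CIFS_DOMAIN\Users -rights read -apply-to this-folder,sub-folders,files
cluster1::> vserver security file-directory ntfs sacl add -vserver vs1 -ntfs-sd sd_data -access-type failure -account Everyone -rights full-control -apply-to this-folder,sub-folders,files

# The SACL above is inert unless auditing is configured on the Vserver
# (destination path is an assumed volume in the vs1 namespace)
cluster1::> vserver audit create -vserver vs1 -destination /audit_log
cluster1::> vserver audit enable -vserver vs1

# Step 3: create the policy; this associates it with the Vserver
cluster1::> vserver security file-directory policy create -vserver vs1 -policy-name data_policy

# Step 4: add the task. task add fails while a job is running for this policy,
# so check for in-flight jobs first, then verify the task landed at index 1.
cluster1::> job show
cluster1::> vserver security file-directory policy task add -vserver vs1 -policy-name data_policy -path /data -security-type ntfs -ntfs-mode propagate -ntfs-sd sd_data -access-control file-directory -index-num 1
cluster1::> vserver security file-directory policy task show -vserver vs1 -policy-name data_policy

# Step 5: apply the policy, then read back the effective security on the path
cluster1::> vserver security file-directory apply -vserver vs1 -policy-name data_policy
cluster1::> vserver security file-directory show -vserver vs1 -path /data
```

The final show command is the check worth keeping in any runbook: it reads the security descriptor actually stored on /data, so a typo in the -path value or a task that never ran shows up as a DACL that does not match what was intended.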
Parameters
-vserver <vserver name>
- Vserver-
Specifies the Vserver associated with the security policy to which you want to add a task.
-policy-name <Security policy name>
- Policy Name-
Specifies the name of the security policy to which you want to add the task.
-path <text>
- Path-
Specifies the path of the file/folder on which to apply the security descriptor associated with this task.
[-index-num <integer>]
- Position-
Specifies the index number of a task. Tasks are applied in order: a task with a larger index number is applied after a task with a lower index number. If you do not specify this optional parameter, the new task is appended to the end of the index list.
The range of supported values is 1 through 9999. If there is a gap between the highest existing index number and the value entered for this parameter, the task with this number is considered to be the last task in the policy and is treated as having an index number of the previous highest index plus one.
If you specify an index number that is already assigned to an existing task, the new task is automatically moved to the highest index number in the table, that is, after the existing tasks.
[-security-type {ntfs|nfsv4}]
- Security Type of the File-
Specifies whether the security descriptor associated with this task is an NTFS or an NFSv4 security descriptor type. If you do not specify a value for this optional parameter, the default is "ntfs".
The nfsv4 security descriptor type is not supported in this release. If you specify this optional parameter, you must enter ntfs for the -security-type value.
- Propagation Mode-
Specifies how to propagate security settings to child subfolders and files. This setting determines how child files and folders contained within a parent folder inherit access control and audit information from the parent folder.
You can specify one of three parameter values that correspond to three propagation modes:
- propagate - propagate inheritable permissions to all subfolders and files
- replace - replace existing permissions on all subfolders and files with inheritable permissions
- ignore - do not allow permissions on this file or folder to be replaced
Use replace with care: it overwrites any explicit permissions already set on child files and folders, whereas propagate adds the inheritable permissions alongside them.
The ntfs-mode value is ignored for Storage-Level Access Guard (SLAG).
[-ntfs-sd <ntfs sd name>,…]
- NTFS Security Descriptor Name-
Specifies the list of security descriptor names to apply to the path specified in the -path parameter.
[-access-control {file-directory|slag}]
- Access Control Level-
Specifies the access control level of the task to be applied. Valid values are file-directory or slag. Use the value slag to apply the specified security descriptors with the task to the volume or qtree (Storage-Level Access Guard). Otherwise, the security descriptors are applied to files and directories at the specified path. The value slag is not supported on FlexGroups. The default value is file-directory.
Examples
The following example adds a SLAG task to the policy named "policy1" and a file-directory task to the policy named "policy2" on Vserver vs1, then displays the tasks of both policies.

cluster1::> vserver security file-directory policy task add -vserver vs1 -policy-name policy1 -path / -access-control slag -security-type ntfs -ntfs-mode propagate -ntfs-sd sd -index-num 1

cluster1::> vserver security file-directory policy task add -vserver vs1 -policy-name policy2 -path /1 -security-type ntfs -ntfs-mode propagate -ntfs-sd sd1,sd2

cluster1::> vserver security file-directory policy task show

Vserver: vs1
 Policy: policy1

       File/Folder  Access           Security  NTFS        NTFS Security
Index  Path         Control          Type      Mode        Descriptor Name
-----  -----------  ---------------  --------  ----------  ---------------
1      /            slag             ntfs      propagate   sd

Vserver: vs1
 Policy: policy2

       File/Folder  Access           Security  NTFS        NTFS Security
Index  Path         Control          Type      Mode        Descriptor Name
-----  -----------  ---------------  --------  ----------  ---------------
1      /1           file-directory   ntfs      propagate   sd1, sd2