vserver security file-directory ntfs dacl add
Add a DACL entry to NTFS security descriptor
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver security file-directory ntfs dacl add command adds access control entries (ACEs) into a security descriptor's discretionary access control list (DACL).
If the security descriptor contains a DACL that has existing ACEs, the command adds the new ACE to the DACL. If the security descriptor does not contain a DACL, the command creates the DACL and adds the new ACE to it.
Adding a DACL entry to the security descriptor is the second step in configuring and applying ACLs to a file or folder. Before you can add a DACL entry to a security descriptor, you must first create the security descriptor.
The steps to creating and applying NTFS ACLs are the following:
1. Create an NTFS security descriptor.
2. Add DACLs and SACLs to the NTFS security descriptor.
   Note: If you want to audit file and directory events, you must configure auditing on the Vserver in addition to adding the SACL to the security descriptor.
3. Create a file/directory security policy. This step associates the policy with a Vserver.
4. Create policy tasks. A policy task refers to a single operation to apply to a file (or folder) or to a set of files (or folders). Amongst other things, the task defines which security descriptor to apply to a path.
5. Apply a policy to the associated Vserver.
Parameters
-vserver <vserver name> - Vserver -
Specifies the name of the Vserver associated with the security descriptor to which you want to add a discretionary access control entry (discretionary ACE).
-ntfs-sd <ntfs sd name> - NTFS Security Descriptor Name -
Specifies the name of the security descriptor to which you want to add a discretionary access control entry.
-access-type {deny|allow} - Allow or Deny -
Specifies whether the discretionary access control entry is an allow or deny type of access control.
-account <name or sid> - Account Name or SID -
Specifies the account on which to apply the discretionary access control entry. You can specify the account by using a user name or SID. You can use any of the following formats when specifying the value for this parameter:
* SID
* Domain\user-name
* user-name@Domain
* user-name@FQDN
If you specify any of the three user name formats for the value of -account, keep in mind that the value for the user name is case insensitive.
{ [-rights {no-access|full-control|modify|read-and-execute|read|write}] - DACL ACE's Access Rights -
Specifies the right that you want to add for the account specified in the -account parameter. The -rights parameter is mutually exclusive with the -advanced-rights and -rights-raw parameters. If you specify the -rights parameter, you can only specify one value. You can specify one of the following rights values:
* no-access
* full-control
* modify
* read-and-execute
* read
* write
| [-advanced-rights <Advanced access right>,…] - DACL ACE's Advanced Access Rights -
Specifies the advanced rights that you want to add for the account specified in the -account parameter. The -advanced-rights parameter is mutually exclusive with the -rights and -rights-raw parameters. You can specify more than one advanced-rights value by using a comma-delimited list. You can specify one or more of the following advanced rights:
* read-data
* write-data
* append-data
* read-ea
* write-ea
* execute-file
* delete-child
* read-attr
* write-attr
* delete
* read-perm
* write-perm
* write-owner
* full-control
| [-rights-raw <Hex Integer>] } - DACL ACE's Raw Access Rights (privilege: advanced) -
Specifies the raw rights that you want to add for the account specified in the -account parameter. The -rights-raw parameter is mutually exclusive with the -advanced-rights and -rights parameters. Specify the value as a hexadecimal integer, for example 0xA10F or 0xb3ff.
[-apply-to {this-folder|sub-folders|files}] - Apply DACL Entry -
Specifies where to apply the discretionary access control entry. You can specify more than one value by using a comma-delimited list. You can specify one or more of the following values:
* this-folder
* sub-folder
* files
Select one of the following combinations of values for the -apply-to parameter for Storage-Level Access Guard (SLAG):
* this-folder, sub-folder, files
* this-folder, sub-folder
* files
If you specify an invalid -apply-to value, this security descriptor is removed from the associated Storage-Level Access Guard (SLAG) security file-directory policy task.
Examples
The following example adds a DACL entry to the security descriptor named "sd1" on Vserver "vs1" for the "DOMAIN\Administrator" account.
cluster1::> vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type deny -account DOMAIN\Administrator -rights full-control -apply-to this-folder -vserver vs1

cluster1::> vserver security file-directory ntfs dacl show -vserver vs1 -ntfs-sd sd1 -access-type deny -account domain\administrator

                  Vserver: vs1
 Security Descriptor Name: sd1
            Allow or Deny: deny
      Account Name or SID: DOMAIN\Administrator
            Access Rights: full-control
   Advanced Access Rights: -
                 Apply To: this-folder
            Access Rights: full-control
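The -rights, -advanced-rights and -rights-raw forms all reduce to one access mask, and a deny ACE like the one in the example overrides any allow ACE for the same account. The following Python is an added example, not part of the ONTAP reference: it models that mask arithmetic with the page's rights names, decodes a -rights-raw value such as 0xA10F so you can see what it grants before applying it, and evaluates what a DACL built from several dacl add entries leaves an account with. It assumes ONTAP's raw hex value follows the Windows ACCESS_MASK bit layout and that the basic rights match the Windows ACL editor's basic permissions; the DOMAIN\Users group and user names are constructed.

```python
from functools import reduce
from operator import or_
# Advanced-rights names from the page mapped to Windows ACCESS_MASK bits (assumption:
# ONTAP's -rights-raw hex value uses this same bit layout).
ADVANCED = {
    "read-data": 0x1, "write-data": 0x2, "append-data": 0x4, "read-ea": 0x8, "write-ea": 0x10,
    "execute-file": 0x20, "delete-child": 0x40, "read-attr": 0x80, "write-attr": 0x100,
    "delete": 0x10000, "read-perm": 0x20000, "write-perm": 0x40000, "write-owner": 0x80000,
}
SYNCHRONIZE = 0x100000  # standard right implied by full-control
ADVANCED["full-control"] = reduce(or_, ADVANCED.values()) | SYNCHRONIZE  # 0x1F01FF

def union(*names):  # the mask a comma-delimited -advanced-rights list denotes
    return reduce(or_, (ADVANCED[n] for n in names), 0)

# Basic -rights values as unions of advanced rights; assumed to match the Windows ACL
# editor's basic permissions (e.g. modify = 0x1301BF). no-access is an empty mask.
BASIC = {
    "no-access": 0, "full-control": ADVANCED["full-control"],
    "modify": union("read-data", "write-data", "append-data", "read-ea", "write-ea",
                    "execute-file", "read-attr", "write-attr", "delete", "read-perm") | SYNCHRONIZE,
    "read-and-execute": union("read-data", "read-ea", "execute-file", "read-attr", "read-perm") | SYNCHRONIZE,
    "read": union("read-data", "read-ea", "read-attr", "read-perm") | SYNCHRONIZE,
    "write": union("write-data", "append-data", "write-ea", "write-attr"),
}

def decode_mask(mask):
    """Name the advanced rights a -rights-raw mask sets; also return bits outside the known set."""
    names = [n for n, bit in ADVANCED.items() if n != "full-control" and mask & bit]
    return names, mask & ~ADVANCED["full-control"]

def effective_rights(dacl, account, groups=()):
    """Canonical evaluation of (access_type, account, mask) ACEs: every matching deny
    removes bits from what matching allows grant; accounts compare case-insensitively."""
    trustees = {t.lower() for t in (account, *groups)}
    allowed = denied = 0
    for access_type, acct, mask in dacl:
        if acct.lower() in trustees:
            if access_type == "deny":
                denied |= mask
            else:
                allowed |= mask
    return allowed & ~denied

# Constructed DACL: the page's deny full-control ACE for DOMAIN\Administrator plus, added
# here, an allow modify ACE for it and two read bits for a hypothetical DOMAIN\Users group.
EXAMPLE_DACL = [
    ("deny", "DOMAIN\\Administrator", BASIC["full-control"]),
    ("allow", "DOMAIN\\Administrator", BASIC["modify"]),
    ("allow", "DOMAIN\\Users", union("read-data", "read-attr")),
]
```

Decoding 0xA10F reports bits 0x2000 and 0x8000 as outside the known set, which is the kind of thing to check before trusting a raw value.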