vserver security file-directory ntfs dacl add
Add a DACL entry to NTFS security descriptor
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver security file-directory ntfs dacl add
command adds access control entries (ACEs) into a security descriptor’s discretionary access control list (DACL).
If the security descriptor contains a DACL that has existing ACEs, the command adds the new ACE to the DACL. If the security descriptor does not contain a DACL, the command creates the DACL and adds the new ACE to it.
Adding a DACL entry to the security descriptor is the second step in configuring and applying ACLs to a file or folder. Before you can add a DACL entry to a security descriptor, you must first create the security descriptor.
The steps to creating and applying NTFS ACLs are the following:
-
Create an NTFS security descriptor.
-
Add DACLs and SACLs to the NTFS security descriptor.
If you want to audit file and directory events, you must configure auditing on the Vserver in addition to adding the SACL to the security descriptor. |
-
Create a file/directory security policy.
This step associates the policy with a Vserver.
* Create policy tasks.
A policy task refers to a single operation to apply to a file (or folder) or to a set of files (or folders). Amongst other things, the task defines which security descriptor to apply to a path.
* Apply a policy to the associated Vserver.
Parameters
-vserver <vserver name>
- Vserver-
Specifies the name of the Vserver associated with the security descriptor to which you want to add a discretionary access control entry (discretionary ACE).
-ntfs-sd <ntfs sd name>
- NTFS Security Descriptor Name-
Specifies the name of the security descriptor to which you want to add a discretionary access control entry.
-access-type {deny|allow}
- Allow or Deny-
Specifies whether the discretionary access control entry is an
allow
ordeny
type of access control. -account <name or sid>
- Account Name or SID-
Specifies the account on which to apply the discretionary access control entry. You can specify the account by using a user name or SID. You can use any of the following formats when specifying the value for this parameter:
+
* SID
* Domain\user-name
* user-name@Domain
* user-name@FQDNIf you specify any of the three user name formats for the value of -account, keep in mind that the value for the user name is case insensitive. - {
[-rights {no-access|full-control|modify|read-and-execute|read|write}]
- DACL ACE's Access Rights -
Specifies the right that you want to add for the account specified in the
-account
parameter. The-rights
parameter is mutually exclusive with the-advanced-rights
and-rights-raw
parameter. If you specify the-rights
parameter, you can only specify one value.You can specify one of the following rights values:
-
no-access
-
full-control
-
modify
-
read-and-execute
-
read
-
write
-
- |
[-advanced-rights <Advanced access right>,…]
- DACL ACE's Advanced Access Rights } -
Specifies the advanced rights that you want to add for the account specified in the
-account
parameter. The-advanced-rights
parameter is mutually exclusive with the-rights
and-rights-raw
parameter. You can specify more than one advanced-rights value by using a comma-delimited list.You can specify one or more of the following advanced rights:
-
read-data
-
write-data
-
append-data
-
read-ea
-
write-ea
-
execute-file
-
delete-child
-
read-attr
-
write-attr
-
delete
-
read-perm
-
write-perm
-
write-owner
-
full-control
-
- |
[-rights-raw <Hex Integer>]
- DACL ACE's Raw Access Rights (privilege: advanced) } -
Specifies the raw rights that you want to add for the account specified in the
-account
parameter. Therights-raw
parameter is mutually exclusive with the-advanced-rights
and-rights
parameter. Specify the value as a hexadecimal integer, for example:0xA10F
or0xb3ff
etc. [-apply-to {this-folder|sub-folders|files}]
- Apply DACL Entry-
Specifies where to apply the discretionary access control entry. You can specify more than one value by using a comma-delimited list.
You can specify one or more of the following values:
-
this-folder
-
sub-folder
-
files
Select one of the following combinations of values for the -apply-to
parameter for Storage-Level Access Guard (SLAG):-
this-folder, sub-folder, files
-
this-folder, sub-folder
-
files
If you specify an invalid
-apply-to
value, this security descriptor is removed from the associated Storage-Level Access Guard (SLAG)security file-directory policy task
. -
Examples
The following example adds a DACL entry to the security descriptor named “sd1” on Vserver "vs1" for the "DOMAIN\Administrator" account.
cluster1::> vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type deny -account DOMAIN\Administrator -rights full-control -apply-to this-folder -vserver vs1 cluster1::> vserver security file-directory ntfs dacl show -vserver vs1 -ntfs-sd sd1 -access-type deny -account domain\administrator Vserver: vs1 Security Descriptor Name: sd1 Allow or Deny: deny Account Name or SID: DOMAIN\Administrator Access Rights: full-control Advanced Access Rights: - Apply To: this-folder Access Rights: full-control