vserver security file-directory ntfs sacl add
Add a SACL entry to NTFS security descriptor
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver security file-directory ntfs sacl add
command adds system access control list entries (ACEs) into a security descriptor’s system access control list (SACL).
If the security descriptor contains a SACL that has existing security ACEs, the command adds the new security ACE to the SACL. If the security descriptor does not contain a SACL, the command creates the SACL and adds the new security ACE to it.
Adding a SACL entry to the security descriptor is the second step in configuring and applying security ACLs to a file or folder. Before you can add a SACL entry to a security descriptor, you must first create the security descriptor.
The steps to creating and applying NTFS ACLs are the following:
-
Create an NTFS security descriptor.
-
Add DACL and SACL entries to the NTFS security descriptor.
If you want to audit file and directory events, you must configure auditing on the Vserver in addition to adding the SACL to the security descriptor. |
-
Create a file/directory security policy.
This step associates the policy with a Vserver.
* Create policy tasks.
A policy task refers to a single operation to apply to a file (or folder) or to a set of files (or folders). Amongst other things, the task defines which security descriptor to apply to a path.
* Apply a policy to the associated Vserver.
Parameters
-vserver <vserver name>
- Vserver-
Specifies the name of the Vserver associated with the security descriptor to which you want to add a system access control list entry.
-ntfs-sd <ntfs sd name>
- NTFS Security Descriptor Name-
Specifies the name of the security descriptor to which you want to add a system access control list entry.
-access-type {failure|success}
- Success or Failure-
Specifies whether the system access control list entry that you want to add is a
failure
orsuccess
access audit type. -account <name or sid>
- Account Name or SID-
Specifies the account on which to apply the system access control list entry. You can specify the account by using a user name or SID. You can use any of the following formats when specifying the value for this parameter:
+
* SID
* Domain\user-name
* user-name@Domain
* user-name@FQDNIf you specify any of the three user name formats for the value of -account
, keep in mind that the value for the user name is case insensitive. - {
[-rights {no-access|full-control|modify|read-and-execute|read|write}]
- Access Rights -
Specifies the rights that you want to get audited for the account specified in the
-account
parameter. The-rights
parameter is mutually exclusive with the-advanced-rights
and-rights-raw
parameter. If you specify the-rights
parameter, you can only specify one value.You can specify one of the following rights values:
-
no-access
-
full-control
-
modify
-
read-and-execute
-
read
-
write
-
- |
[-advanced-rights <Advanced access right>,…]
- Advanced Access Rights } -
Specifies the advanced rights that you want to get audited for the account specified in the
-account
parameter. The-advanced-rights
parameter is mutually exclusive with the-rights
and-rights-raw
parameter. You can specify more than one advanced-rights value by using a comma-delimited list.You can specify one or more of the following advanced rights:
-
read-data
-
write-data
-
append-data
-
read-ea
-
write-ea
-
execute-file
-
delete-child
-
read-attr
-
write-attr
-
delete
-
read-perm
-
write-perm
-
write-owner
-
full-control
-
- |
[-rights-raw <Hex Integer>]
- Raw Access Rights (privilege: advanced) } -
Specifies the raw rights that you want to get audited for the account specified in the
-account
parameter. The-rights-raw
parameter is mutually exclusive with the-advanced-rights
and-rights
parameter. Specify the value as a hexadecimal integer, for example:0xA10F
or0xb3ff
etc. [-apply-to {this-folder|sub-folders|files}]
- Apply SACL To-
Specifies where to apply the system access control list entry. You can specify more than one value by using a comma-delimited list.
You can specify one or more of the following values:
-
this-folder
-
sub-folder
-
files
Select one of the following combinations of values for the -apply-to
parameter for Storage-Level Access Guard (SLAG):-
this-folder, sub-folder, files
-
this-folder, sub-folder
-
files
If you specify an invalid
-apply-to
value, this security descriptor is removed from the associated Storage-Level Access Guard (SLAG)security file-directory policy task
. -
Examples
The following example adds a SACL entry to the security descriptor named “sd1” on Vserver vs1.
cluster1::> vserver security file-directory ntfs sacl add -ntfs-sd sd1 -access-type failure -account DOMAIN\Administrator -rights full-control -apply-to this-folder -vserver vs1 cluster1::> vserver security file-directory ntfs sacl show -vserver vs1 -ntfs-sd sd1 -access-type deny -account DOMAIN\Administrator Vserver: vs1 Security Descriptor Name: sd1 Access type for Specified Access Rights: failure Account Name or SID: DOMAIN\Administrator Access Rights: full-control Advanced Access Rights: - Apply To: this-folder Access Rights: full-control