vserver fpolicy policy scope create
Create scope
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver fpolicy policy scope create command creates an FPolicy scope for an FPolicy policy. A scope defines the boundaries on which the FPolicy policy will apply. The Vserver is the basic scope boundary. When you create a scope for an FPolicy policy, you must define the FPolicy policy to which it will apply and you must designate to which Vserver you want to apply the scope. There are a number of parameters that further restrict the scope within the specified Vserver. You can restrict the scope by specifying what to include in the scope. Or you can restrict the scope by specifying what to exclude from the scope. For example, you can restrict the scope by specifying which volumes to include using the -volumes-to-include parameter or which volumes to exclude using the -volumes-to-exclude parameter. Once you apply a scope to an enabled policy, policy event checks get applied to the scope defined by this command.
There are special considerations for the scope for a cluster FPolicy policy. The cluster FPolicy policy is a policy that the cluster administrator creates for the admin Vserver. If the cluster administrator also creates the scope for that cluster FPolicy policy, a Vserver administrator cannot create a scope for that same policy. However, if the cluster administrator does not create a scope for the cluster FPolicy policy, then any Vserver administrator can create the scope for that cluster policy. In the event that the Vserver administrator creates a scope for that cluster FPolicy policy, the cluster administrator cannot subsequently create a cluster scope for that same cluster policy. This is because the cluster administrator cannot override the scope for the same cluster policy.
This command is not supported for a Vserver with Infinite Volume.
Parameters
-vserver <Vserver Name>
- Vserver-
This parameter specifies the name of the Vserver on which you want to create an FPolicy policy scope.
-policy-name <Policy name>
- Policy-
This parameter specifies the name of the FPolicy policy for which you want to create the scope.
[-shares-to-include <Share name>,…]
- Shares to Include-
This parameter specifies a list of shares for file access monitoring. With this option, the administrator provides a list of shares, separated by commas. For file access events relative to the specified shares and file operations monitored by the FPolicy policy, a notification is generated. The `-shares-to-include` parameter can contain regular expressions and can include metacharacters such as "?" and "*".
When a share is included in the -shares-to-include parameter and the parent volume of the share is included in the -volumes-to-exclude parameter, -volumes-to-exclude has precedence over -shares-to-include.
[-shares-to-exclude <Share name>,…]
- Shares to Exclude-
This parameter specifies a list of shares to exclude from file access monitoring. With this option, the administrator provides a list of shares, separated by commas. When a share is specified in the -shares-to-exclude parameter, no notification is sent for files accessed relative to that share. The -shares-to-exclude parameter can contain regular expressions and can include metacharacters such as "?" and "*".
[-volumes-to-include <volume name>,…]
- Volumes to Include-
This parameter specifies a list of volumes for file access monitoring. With this option, the administrator provides a list of volumes, separated by commas. For file access events within the volume and file operations monitored by the FPolicy policy, a notification is generated. The -volumes-to-include parameter can contain regular expressions and can include metacharacters such as "?" and "*".
[-volumes-to-exclude <volume name>,…]
- Volumes to Exclude-
This parameter specifies a list of volumes to exclude from file access monitoring. With this option, the administrator provides a list of volumes, separated by commas, for which no file access notifications are generated. The -volumes-to-exclude parameter can contain regular expressions and can include metacharacters such as "?" and "*".
When a share is included in the -shares-to-include parameter and the parent volume of the share is included in the -volumes-to-exclude parameter, -volumes-to-exclude has precedence over -shares-to-include. Similarly, when an export policy is included in the -export-policies-to-include parameter and the parent volume of the export policy is included in the -volumes-to-exclude parameter, -volumes-to-exclude has precedence over -export-policies-to-include.
[-export-policies-to-include <FPolicy export policy>,…]
- Export Policies to Include-
This parameter specifies a list of export policies for file access monitoring. With this option, the administrator provides a list of export policies, separated by commas. For file access events within an export policy and file operations monitored by the FPolicy policy, a notification is generated. The -export-policies-to-include parameter can contain regular expressions and can include metacharacters such as "?" and "*".
When an export policy is included in the -export-policies-to-include parameter and the parent volume of the export policy is included in the -volumes-to-exclude parameter, -volumes-to-exclude has precedence over -export-policies-to-include.
[-export-policies-to-exclude <FPolicy export policy>,…]
- Export Policies to Exclude-
This parameter specifies a list of export policies to exclude from file access monitoring. With this option, the administrator provides a list of export policies, separated by commas, for which no file access notification is sent. The -export-policies-to-exclude parameter can contain regular expressions and can include metacharacters such as "?" and "*".
[-file-extensions-to-include <File extension>,…]
- File Extensions to Include-
This parameter specifies a list of file extensions, separated by commas, for a given FPolicy policy for which FPolicy processing is required. Any file access to files with the same extensions included in the -file-extensions-to-include parameter generates a notification. The -file-extensions-to-include parameter can contain regular expressions and can include metacharacters such as "?".
[-file-extensions-to-exclude <File extension>,…]
- File Extensions to Exclude-
This parameter specifies a list of file extensions, separated by commas, for a given FPolicy policy for which FPolicy processing will be excluded. Using the exclude list, the administrator can request notification for all extensions except those in the excluded list. Any file access to files with the same extensions included in the -file-extensions-to-exclude parameter does not generate a notification. The -file-extensions-to-exclude parameter can contain regular expressions and can include metacharacters such as "?".
An administrator can specify both -file-extensions-to-include and -file-extensions-to-exclude lists. The -file-extensions-to-exclude parameter is checked first before the -file-extensions-to-include parameter is checked.
[-is-file-extension-check-on-directories-enabled {true|false}]
- Is File Extension Check on Directories Enabled (privilege: advanced)-
This parameter specifies whether the file name extension checks apply to directory objects as well. If this parameter is set to true, the directory objects are subjected to the same extension checks as regular files. If this parameter is set to false, the directory names are not matched for extensions and notifications would be sent for directories even if their name extensions do not match. By default, it is false.
[-is-monitoring-of-objects-with-no-extension-enabled {true|false}]
- Is Monitoring of Objects with No Extension Enabled (privilege: advanced)-
This parameter specifies whether the extension checks apply to objects with no extension as well. If this parameter is set to true, the objects with no extension are also monitored along with the objects with extension. By default, it is false.
This parameter is ignored when file-extensions-to-include and file-extensions-to-exclude lists are empty.
Examples
The following example creates an FPolicy policy scope.
```
cluster1::> vserver fpolicy policy scope create -vserver vs1.example.com -policy-name vs1_pol -file-extensions-to-include flv,wmv,mp3,mp4 -file-extensions-to-exclude cpp,c,h,txt

cluster1::> vserver fpolicy policy scope show
Vserver           Policy              Extensions           Extensions
Name              Name                Included             Excluded
----------------- ------------------- -------------------- -------------------
Cluster           cserver_pol         txt                  mp3, wmv
vs1.example.com   vs1_pol             flv, wmv, mp3, mp4   cpp, c, h, txt
2 entries were displayed.
```
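To check which accesses a planned scope would leave unmonitored, the precedence rules from the Parameters section can be modeled offline. The following Python sketch is an added example, not ONTAP code or NetApp's algorithm; it covers only -volumes-to-exclude, -shares-to-include, the two extension lists and the two advanced flags. Assumptions: the names `Scope` and `in_scope` are hypothetical, "?" and "*" are treated as case-sensitive glob wildcards, and the volume and share names in the sample are made up.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Scope:
    """Subset of the scope parameters described on this page."""
    volumes_to_exclude: tuple = ()
    shares_to_include: tuple = ()
    ext_include: tuple = ()
    ext_exclude: tuple = ()
    check_dirs: bool = False       # -is-file-extension-check-on-directories-enabled
    monitor_no_ext: bool = False   # -is-monitoring-of-objects-with-no-extension-enabled


def _hit(value, patterns):
    # Assumption: "?" and "*" behave as glob wildcards, case-sensitively.
    return any(fnmatchcase(value, p) for p in patterns)


def in_scope(s, volume, share, name, is_dir=False):
    """Return (decision, reason) for one access under the modeled rules."""
    if _hit(volume, s.volumes_to_exclude):
        return False, "volume excluded (beats shares-to-include)"
    if s.shares_to_include and not _hit(share, s.shares_to_include):
        return False, "share not included"
    if not (s.ext_include or s.ext_exclude):
        return True, "no extension filter"   # no-extension flag is ignored here
    if is_dir and not s.check_dirs:
        return True, "directory, extension check skipped"
    _stem, dot, ext = name.rpartition(".")
    if not dot:
        return s.monitor_no_ext, "object has no extension"
    if _hit(ext, s.ext_exclude):             # exclude list is checked first
        return False, "extension excluded (checked first)"
    if s.ext_include and not _hit(ext, s.ext_include):
        return False, "extension not included"
    return True, "extension in scope"


# Constructed sample: extension lists of vs1_pol from the Examples section,
# plus made-up volume and share names.
VS1_POL = Scope(volumes_to_exclude=("scratch*",), shares_to_include=("media",),
                ext_include=("flv", "wmv", "mp3", "mp4"),
                ext_exclude=("cpp", "c", "h", "txt"))

if __name__ == "__main__":
    for args in [("vol1", "media", "clip.mp4"), ("scratch01", "media", "clip.mp4"),
                 ("vol1", "media", "notes.txt"), ("vol1", "media", "README"),
                 ("vol1", "media", "raw.d", True)]:
        print(args, in_scope(VS1_POL, *args))
```

Any access for which the model returns False generates no notification under these rules, so review those cases before relying on the policy for monitoring.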