Skip to main content
A newer release of this product is available.

vserver fpolicy policy scope create

Contributors
Suggest changes

Create scope

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver fpolicy policy scope create command creates an FPolicy scope for an FPolicy policy. A scope defines the boundaries on which the FPolicy policy will apply. The Vserver is the basic scope boundary. When you create a scope for an FPolicy policy, you must define the FPolicy policy to which it will apply and you must designate to which Vserver you want to apply the scope. There are a number of parameters that further restrict the scope within the specified Vserver. You can restrict the scope by specifying what to include in the scope. Or you can restrict the scope by specifying what to exclude from the scope. For example, you can restrict the scope by specifying which volumes to include using the -volumes-to-include parameter or which volumes to exclude using the -volumes-to-exclude parameter. Once you apply a scope to an enabled policy, policy event checks get applied to the scope defined by this command.

Note There are special considerations for the scope for a cluster FPolicy policy. The cluster FPolicy policy is a policy that the cluster administrator creates for the admin Vserver. If the cluster administrator also creates the scope for that cluster FPolicy policy, a Vserver administrator cannot create a scope for that same policy. However, if the cluster administrator does not create a scope for the cluster FPolicy policy, then any Vserver administrator can create the scope for that cluster policy. In the event that the Vserver administrator creates a scope for that cluster FPolicy policy, the cluster administrator cannot subsequently create a cluster scope for that same cluster policy. This is because the cluster administrator cannot override the scope for the same cluster policy.

Parameters

-vserver <Vserver Name> - Vserver

This parameter specifies the name of the Vserver on which you want to create an FPolicy policy scope.

-policy-name <Policy name> - Policy

This parameter specifies the name of the FPolicy policy for which you want to create the scope.

[-shares-to-include <Share name>,…​] - Shares to Include

This parameter specifies a list of shares for file access monitoring. With this option, the administrator provides a list of shares, separated by commas. For file access events relative to the specified shares and file operations monitored by the FPolicy policy, a notification is generated. The `-shares-to-include ` parameter can contain regular expressions and can include metacharacters such as "?" and "*".

Note When a share is included in the -shares-to-include parameter and the parent volume of the share is included in the -volumes-to-exclude parameter, -volumes-to-exclude has precedence over -shares-to-include .
[-shares-to-exclude <Share name>,…​] - Shares to Exclude

This parameter specifies a list of shares to exclude from file access monitoring. With this option, the administrator provides a list of shares, separated by commas. When a share is specified in the -shares-to-exclude parameter, no notification is sent for files accessed relative to that share. The -shares-to-exclude parameter can contain regular expressions and can include metacharacters such as "?" and "*".

[-volumes-to-include <volume name>,…​] - Volumes to Include

This parameter specifies a list of volumes for file access monitoring. With this option, the administrator provides a list of volumes, separated by commas. For file access events within the volume and file operations monitored by the FPolicy policy, a notification is generated. The -volumes-to-include parameter can contain regular expressions and can include metacharacters such as "?" and "*".

[-volumes-to-exclude <volume name>,…​] - Volumes to Exclude

This parameter specifies a list of volumes to exclude from file access monitoring. With this option, the administrator provides a list of volumes, separated by commas, for which no file access notifications are generated. The -volumes-to-exclude parameter can contain regular expressions and can include metacharacters such as "?" and "*".

Note When a share is included in the -shares-to-include parameter and the parent volume of the share is included in the -volumes-to-exclude parameter, -volumes-to-exclude has precedence over -shares-to-include . Similarly, when an export policy is included in the -export-policies-to-include parameter and the parent volume of the export-policy is included in the -volumes-to-exclude parameter, -volumes-to-exclude has precedence over -export-policies-to-include .
[-export-policies-to-include <FPolicy export policy>,…​] - Export Policies to Include

This parameter specifies a list of export policies for file access monitoring. With this option, the administrator provides a list of export policies, separated by commas. For file access events within an export policy and file operations monitored by the FPolicy policy, a notification is generated. The -export-policies-to-include parameter can contain regular expressions and can include metacharacters such as "?" and "*".

Note When an export policy is included in the -export-policies-to-include parameter and the parent volume of the export policy is included in the -volumes-to-exclude parameter, -volumes-to-exclude has precedence over -export-policies-to-include .
[-export-policies-to-exclude <FPolicy export policy>,…​] - Export Policies to Exclude

This parameter specifies a list of export policies to exclude from file access monitoring. With this option, the administrator provides a list of export policies, separated by commas, for which no file access notification is sent. The -export-policies-exclude parameter can contain regular expressions and can include metacharacters such as "?" and *.

[-file-extensions-to-include <File extension>,…​] - File Extensions to Include

This parameter specifies a list of file extensions, separated by commas, for a given FPolicy policy for which FPolicy processing is required. Any file access to files with the same extensions included in the -file-extensions-to-include parameter generates a notification. The -file-extensions-to-include parameter can contain regular expressions and can include metacharacters such as "?".

[-file-extensions-to-exclude <File extension>,…​] - File Extensions to Exclude

This parameter specifies a list of file extensions, separated by commas, for a given FPolicy policy for which FPolicy processing will be excluded. Using the exclude list, the administrator can request notification for all extensions except those in the excluded list. Any file access to files with the same extensions included in the -file-extensions-to-exclude parameter does not generate a notification. The -file-extensions-to-exclude parameter can contain regular expressions and can include metacharacters such as "?".

Note An administrator can specify both -file-extensions-to-include and -file-extensions-to-exclude lists. The -file-extensions-to-exclude parameter is checked first before the -file-extensions-to-include parameter is checked.
[-is-file-extension-check-on-directories-enabled {true|false}] - Is File Extension Check on Directories Enabled (privilege: advanced)

This parameter specifies whether the file name extension checks apply to directory objects as well. If this parameter is set to true, the directory objects are subjected to same extension checks as regular files. If this parameter is set to false, the directory names are not matched for extensions and notifications would be sent for directories even if their name extensions do not match. By default, it is false .

[-is-monitoring-of-objects-with-no-extension-enabled {true|false}] - Is Monitoring of Objects with No Extension Enabled (privilege: advanced)

This parameter specifies whether the extension checks apply to objects with no extension as well. If this parameter is set to true, the objects with no extension are also monitored along with the objects with extension. By default, it is false .

Note This parameter is ignored when file-extensions-to-include and file-extensions-to-exclude lists are empty.

Examples

The following example creates an FPolicy policy scope.

cluster1::> vserver fpolicy policy scope create   -vserver vs1.example.com
                                                            -policy-name vs1_pol
                                                            -file-extensions-to-include flv,wmv,mp3,mp4
                                                            -file-extensions-to-exclude cpp,c,h,txt
cluster1::> vserver fpolicy policy scope show
            Vserver           Policy              Extensions           Extensions
            Name              Name                Included             Excluded
            ----------------- ------------------- -------------------- -------------------
            Cluster           cserver_pol         txt                  mp3, wmv
            vs1.example.com   vs1_pol             flv, wmv, mp3, mp4   cpp, c, h, txt
            2 entries were displayed.