vserver security file-directory ntfs sacl add
Add a SACL entry to NTFS security descriptor
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver security file-directory ntfs sacl add command adds system access control list entries (ACEs) to the system access control list (SACL) of a security descriptor.
If the security descriptor already contains a SACL, the command appends the new audit ACE to that SACL. If the security descriptor does not contain a SACL, the command creates the SACL and adds the new audit ACE to it.
Adding a SACL entry to the security descriptor is the second step in configuring and applying security ACLs to a file or folder. Before you can add a SACL entry to a security descriptor, you must first create the security descriptor.
The steps to creating and applying NTFS ACLs are the following:
- Create an NTFS security descriptor.
- Add DACL and SACL entries to the NTFS security descriptor.
  Note: If you want to audit file and directory events, you must configure auditing on the Vserver in addition to adding the SACL to the security descriptor. A SACL entry on its own produces no audit records until Vserver auditing is configured and enabled.
- Create a file/directory security policy. This step associates the policy with a Vserver.
- Create policy tasks. A policy task refers to a single operation to apply to a file (or folder) or to a set of files (or folders). Among other things, the task defines which security descriptor to apply to a path.
- Apply the policy to the associated Vserver.
Parameters
-vserver <vserver name> - Vserver
Specifies the name of the Vserver associated with the security descriptor to which you want to add a system access control list entry.
-ntfs-sd <ntfs sd name> - NTFS Security Descriptor Name
Specifies the name of the security descriptor to which you want to add a system access control list entry.
-access-type {failure|success} - Success or Failure
Specifies whether the system access control list entry that you want to add is a failure or a success access audit type, that is, whether it audits denied or granted attempts to exercise the specified rights.
-account <name or sid> - Account Name or SID
Specifies the account on which to apply the system access control list entry. You can specify the account by using a user name or SID. You can use any of the following formats when specifying the value for this parameter:
- SID
- Domain\user-name
- user-name@Domain
- user-name@FQDN
If you specify any of the three user name formats for the value of -account, keep in mind that the value for the user name is case-insensitive.
Exactly one of the following three rights parameters (-rights, -advanced-rights or -rights-raw) must be specified:
[-rights {no-access|full-control|modify|read-and-execute|read|write}] - Access Rights
Specifies the rights that you want audited for the account specified in the -account parameter. The -rights parameter is mutually exclusive with the -advanced-rights and -rights-raw parameters. If you specify the -rights parameter, you can specify only one value. You can specify one of the following rights values:
- no-access
- full-control
- modify
- read-and-execute
- read
- write
[-advanced-rights <Advanced access right>,…] - Advanced Access Rights
Specifies the advanced rights that you want audited for the account specified in the -account parameter. The -advanced-rights parameter is mutually exclusive with the -rights and -rights-raw parameters. You can specify more than one advanced-rights value by using a comma-delimited list. You can specify one or more of the following advanced rights:
- read-data
- write-data
- append-data
- read-ea
- write-ea
- execute-file
- delete-child
- read-attr
- write-attr
- delete
- read-perm
- write-perm
- write-owner
- full-control
[-rights-raw <Hex Integer>] - Raw Access Rights (privilege: advanced)
Specifies the raw rights that you want audited for the account specified in the -account parameter. The -rights-raw parameter is mutually exclusive with the -advanced-rights and -rights parameters. Specify the value as a hexadecimal integer, for example 0xA10F or 0xb3ff.
[-apply-to {this-folder|sub-folders|files}] - Apply SACL To
Specifies where to apply the system access control list entry. You can specify more than one value by using a comma-delimited list.
You can specify one or more of the following values:
- this-folder
- sub-folders
- files
For Storage-Level Access Guard (SLAG), select one of the following combinations of values for the -apply-to parameter:
- this-folder, sub-folders, files
- this-folder, sub-folders
- files
If you specify an invalid -apply-to value, this security descriptor is removed from the associated Storage-Level Access Guard (SLAG) security file-directory policy task.
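The value passed to -rights-raw is the 32-bit access mask stored in the ACE, and each -advanced-rights name labels one bit of that mask. The following is an added example, not code from the original reference page or from ONTAP: it maps the page's advanced-rights names onto the documented Win32 ACCESS_MASK constants (the assumption being that ONTAP stores the SACL ACE mask in the standard Windows layout, which the page itself does not state), so that a raw value such as 0xA10F can be checked for what it actually audits and for bits that Windows does not define for file objects. The function and constant names are the example's own.

```python
"""Decode and encode the NTFS access mask behind -rights-raw / -advanced-rights.

Added example. Assumption: ONTAP stores the SACL ACE mask in the standard
Windows ACCESS_MASK layout; the bit values are the documented Win32 constants.
"""

# Page names for -advanced-rights -> ACCESS_MASK bit (Win32 constant in comment).
ADVANCED_RIGHTS = {
    "read-data":    0x00000001,  # FILE_READ_DATA / FILE_LIST_DIRECTORY
    "write-data":   0x00000002,  # FILE_WRITE_DATA / FILE_ADD_FILE
    "append-data":  0x00000004,  # FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY
    "read-ea":      0x00000008,  # FILE_READ_EA
    "write-ea":     0x00000010,  # FILE_WRITE_EA
    "execute-file": 0x00000020,  # FILE_EXECUTE / FILE_TRAVERSE
    "delete-child": 0x00000040,  # FILE_DELETE_CHILD
    "read-attr":    0x00000080,  # FILE_READ_ATTRIBUTES
    "write-attr":   0x00000100,  # FILE_WRITE_ATTRIBUTES
    "delete":       0x00010000,  # DELETE (standard right)
    "read-perm":    0x00020000,  # READ_CONTROL
    "write-perm":   0x00040000,  # WRITE_DAC
    "write-owner":  0x00080000,  # WRITE_OWNER
}

# Bits Windows defines that have no -advanced-rights name on the page.
OTHER_KNOWN = {
    "synchronize":            0x00100000,  # SYNCHRONIZE
    "access-system-security": 0x01000000,  # ACCESS_SYSTEM_SECURITY (SACL access)
    "maximum-allowed":        0x02000000,  # MAXIMUM_ALLOWED
    "generic-all":            0x10000000,  # GENERIC_ALL
    "generic-execute":        0x20000000,  # GENERIC_EXECUTE
    "generic-write":          0x40000000,  # GENERIC_WRITE
    "generic-read":           0x80000000,  # GENERIC_READ
}

# FILE_ALL_ACCESS: all nine file-specific rights, the four standard rights above,
# and SYNCHRONIZE. This is what the page's full-control value expands to.
FULL_CONTROL = 0x001F01FF


def parse_raw(text):
    """Parse a -rights-raw argument such as '0xA10F' or '0xb3ff' into an int."""
    value = int(text.strip(), 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("ACCESS_MASK must fit in 32 bits: %s" % text)
    return value


def encode_rights(names):
    """Return the raw mask equivalent of a comma-delimited -advanced-rights list."""
    mask = 0
    for name in names:
        if name == "full-control":
            mask |= FULL_CONTROL
        elif name in ADVANCED_RIGHTS:
            mask |= ADVANCED_RIGHTS[name]
        else:
            raise ValueError("not an -advanced-rights value: %r" % name)
    return mask


def decode_mask(mask):
    """Split a raw mask into page names, other Windows-defined bits and undefined bits.

    Returns {"names": [...], "other": [...], "undefined": int}. A non-zero
    "undefined" means the mask sets bits that no file-object right is defined for.
    """
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("ACCESS_MASK must fit in 32 bits")
    names, other, remaining = [], [], mask
    if mask & FULL_CONTROL == FULL_CONTROL:
        names.append("full-control")       # whole FILE_ALL_ACCESS set present
        remaining &= ~FULL_CONTROL
    else:
        for name, bit in ADVANCED_RIGHTS.items():
            if remaining & bit:
                names.append(name)
                remaining &= ~bit
    for name, bit in OTHER_KNOWN.items():
        if remaining & bit:
            other.append(name)
            remaining &= ~bit
    return {"names": names, "other": other, "undefined": remaining}


def describe(text):
    """One-line summary of a -rights-raw value, for review before auditing with it."""
    d = decode_mask(parse_raw(text))
    parts = [",".join(d["names"]) or "(no -advanced-rights bits)"]
    if d["other"]:
        parts.append("other=" + ",".join(d["other"]))
    if d["undefined"]:
        parts.append("undefined=0x%X" % d["undefined"])
    return "%s -> %s" % (text, "; ".join(parts))


if __name__ == "__main__":
    for raw in ("0xA10F", "0xb3ff", "0x1F01FF"):
        print(describe(raw))
    print("delete,read-perm -> 0x%X" % encode_rights(["delete", "read-perm"]))
```

Run against the two values the page uses as examples, the decoder reports that 0xA10F audits read-data, write-data, append-data, read-ea and write-attr and carries 0xA000 in bits that are undefined for file objects, and that 0xb3ff sets all nine file-specific rights plus undefined bits 0xB200. A practitioner composing a SACL with -rights-raw should check the mask this way before applying it, and should remember, as the step list above says, that no audit record is produced until auditing is configured and enabled on the Vserver.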
Examples
The following example adds a failure-audit SACL entry for DOMAIN\Administrator to the security descriptor named "sd1" on Vserver vs1, then displays the entry with the sacl show command (the show command filters on the same access type, failure, that was added).

cluster1::> vserver security file-directory ntfs sacl add -ntfs-sd sd1 -access-type failure -account DOMAIN\Administrator -rights full-control -apply-to this-folder -vserver vs1

cluster1::> vserver security file-directory ntfs sacl show -vserver vs1 -ntfs-sd sd1 -access-type failure -account DOMAIN\Administrator

                                  Vserver: vs1
                 Security Descriptor Name: sd1
  Access type for Specified Access Rights: failure
                      Account Name or SID: DOMAIN\Administrator
                            Access Rights: full-control
                   Advanced Access Rights: -
                                 Apply To: this-folder
                            Access Rights: full-control