Add a new SACL or DACL ACE
POST /protocols/file-security/permissions/{svm.uuid}/{path}/acl
Introduced In: 9.9
Adds the new SACL/DACL ACE. You must keep the following points in mind while using these endpoints:
-
SLAG applies to all files and/or directories in a volume hence, inheritance is not required to be propagated.
-
Set access_control field to slag while adding SLAG ACE.
-
Set access_control field to file_directory while adding file-directory ACE. By Default access_control field is set to file_directory.
-
For SLAG, valid apply_to combinations are "this-folder, sub-folders", "files", "this-folder, sub-folders, files".
Related ONTAP commands
-
vserver security file-directory ntfs dacl add
-
vserver security file-directory ntfs sacl add
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
path |
string |
path |
True |
path |
return_timeout |
integer |
query |
False |
The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202.
|
return_records |
boolean |
query |
False |
The default is false. If set to true, the records are returned.
|
svm.uuid |
string |
path |
True |
UUID of the SVM to which this object belongs. |
Request Body
Name | Type | Description |
---|---|---|
access |
string |
Specifies whether the ACL is for DACL or SACL. The available values are:
|
access_control |
string |
Access Control Level specifies the access control of the task to be applied. Valid values are "file-directory" or "Storage-Level Access Guard (SLAG)". SLAG is used to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value SLAG is not supported on FlexGroups volumes. The default value is "file-directory" ('-' and '_' are interchangeable). |
advanced_rights |
Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list. |
|
apply_to |
Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list. |
|
ignore_paths |
array[string] |
Specifies that permissions on this file or directory cannot be replaced. |
propagation_mode |
string |
Specifies how to propagate security settings to child subfolders and files. This setting determines how child files/folders contained within a parent folder inherit access control and audit information from the parent folder. The available values are:
|
rights |
string |
Specifies the access rights controlled by the ACE for the account specified. The "rights" parameter is mutually exclusive with the "advanced_rights" parameter. If you specify the "rights" parameter, you can specify one of the following "rights" values ("-" or "_" is accepted as the delimiter). |
user |
string |
Specifies the account to which the ACE applies. You can specify either name or SID. |
Example request
{
"access": "access_allow",
"access_control": "file_directory",
"ignore_paths": [
"/dir1/dir2/",
"/parent/dir3"
],
"propagation_mode": "string",
"rights": "full_control",
"user": "S-1-5-21-2233347455-2266964949-1780268902-69304"
}
Response
Status: 202, Accepted
Name | Type | Description |
---|---|---|
job |
Example response
{
"job": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"uuid": "string"
}
}
Headers
Name | Description | Type |
---|---|---|
Location |
Useful for tracking the resource location |
string |
Response
Status: 201, Created
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
655865 |
The specified file or directory does not exist. |
10485811 |
Access is a required field. |
1260882 |
Specified SVM not found. |
6691623 |
User is not authorized. |
4849676 |
The specified Windows user or group does not exist. |
Name | Type | Description |
---|---|---|
error |
Example error
{
"error": {
"arguments": [
{
"code": "string",
"message": "string"
}
],
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}
Definitions
See Definitions
advanced_rights
Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list.
Name | Type | Description |
---|---|---|
append_data |
boolean |
Append DAta |
delete |
boolean |
Delete |
delete_child |
boolean |
Delete Child |
execute_file |
boolean |
Execute File |
full_control |
boolean |
Full Control |
read_attr |
boolean |
Read Attributes |
read_data |
boolean |
Read Data |
read_ea |
boolean |
Read Extended Attributes |
read_perm |
boolean |
Read Permissions |
synchronize |
boolean |
Synchronize |
write_attr |
boolean |
Write Attributes |
write_data |
boolean |
Write Data |
write_ea |
boolean |
Write Extended Attributes |
write_owner |
boolean |
Write Owner |
write_perm |
boolean |
Write Permission |
apply_to
Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list.
Name | Type | Description |
---|---|---|
files |
boolean |
Apply to Files |
sub_folders |
boolean |
Apply to all sub-folders |
this_folder |
boolean |
Apply only to this folder |
file_directory_security_acl
Manages the DACLS or SACLS.
Name | Type | Description |
---|---|---|
access |
string |
Specifies whether the ACL is for DACL or SACL. The available values are:
|
access_control |
string |
Access Control Level specifies the access control of the task to be applied. Valid values are "file-directory" or "Storage-Level Access Guard (SLAG)". SLAG is used to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value SLAG is not supported on FlexGroups volumes. The default value is "file-directory" ('-' and '_' are interchangeable). |
advanced_rights |
Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list. |
|
apply_to |
Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list. |
|
ignore_paths |
array[string] |
Specifies that permissions on this file or directory cannot be replaced. |
propagation_mode |
string |
Specifies how to propagate security settings to child subfolders and files. This setting determines how child files/folders contained within a parent folder inherit access control and audit information from the parent folder. The available values are:
|
rights |
string |
Specifies the access rights controlled by the ACE for the account specified. The "rights" parameter is mutually exclusive with the "advanced_rights" parameter. If you specify the "rights" parameter, you can specify one of the following "rights" values ("-" or "_" is accepted as the delimiter). |
user |
string |
Specifies the account to which the ACE applies. You can specify either name or SID. |
href
Name | Type | Description |
---|---|---|
href |
string |
_links
Name | Type | Description |
---|---|---|
self |
job_link
Name | Type | Description |
---|---|---|
_links |
||
uuid |
string |
The UUID of the asynchronous job that is triggered by a POST, PATCH, or DELETE operation. |
error_arguments
Name | Type | Description |
---|---|---|
code |
string |
Argument code |
message |
string |
Message argument |
returned_error
Name | Type | Description |
---|---|---|
arguments |
array[error_arguments] |
Message arguments |
code |
string |
Error code |
message |
string |
Error message |
target |
string |
The target parameter that caused the error. |