Add a new SACL or DACL ACE
POST /protocols/file-security/permissions/{svm.uuid}/{path}/acl
Introduced In: 9.9
Adds the new SACL/DACL ACL.
Related ONTAP commands
- vserver security file-directory ntfs dacl add
- vserver security file-directory ntfs sacl add
Parameters
| Name | Type | In | Required | Description |
|---|---|---|---|---|
| path | string | path | True | path |
| return_timeout | integer | query | False | The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202. |
| return_records | boolean | query | False | The default is false. If set to true, the records are returned. |
| svm.uuid | string | path | True | UUID of the SVM to which this object belongs. |
Request Body
| Name | Type | Description |
|---|---|---|
| access | string | Specifies whether the ACL is for DACL or SACL. The available values are: |
| advanced_rights | advanced_rights | Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list. |
| apply_to | apply_to | Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list. |
| ignore_paths | array[string] | Specifies that permissions on this file or directory cannot be replaced. |
| propagation_mode | string | Specifies how to propagate security settings to child subfolders and files. This setting determines how child files/folders contained within a parent folder inherit access control and audit information from the parent folder. The available values are: |
| rights | string | Specifies the access right controlled by the ACE for the account specified. The "rights" parameter is mutually exclusive with the "advanced_rights" parameter. If you specify the "rights" parameter, you can specify one of the following "rights" values: |
| user | string | Specifies the account to which the ACE applies. You can specify either name or SID. |
Example request
```json
{
  "access": "access_allow",
  "ignore_paths": [
    "/dir1/dir2/",
    "/parent/dir3"
  ],
  "propagation_mode": "string",
  "rights": "full_control",
  "user": "S-1-5-21-2233347455-2266964949-1780268902-69304"
}
```
Response
Status: 202, Accepted
| Name | Type | Description |
|---|---|---|
| job | job_link | |
Example response
```json
{
  "job": {
    "uuid": "string"
  }
}
```
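A client-side pre-flight check for this call, added here as an example and not part of the ONTAP documentation: it rejects a body that sets both "rights" and "advanced_rights" or uses field names not listed on this page, then builds the POST URL and reads the job UUID from a 202 response. The `/api` prefix, the percent-encoding of the path segment, the host name and all function names are assumptions.

```python
import json
from urllib.parse import quote

# Field names copied from the advanced_rights and apply_to tables on this page.
ADVANCED_RIGHTS = {
    "append_data", "delete", "delete_child", "execute_file", "full_control",
    "read_attr", "read_data", "read_ea", "read_perm", "synchronize",
    "write_attr", "write_data", "write_ea", "write_owner", "write_perm",
}
APPLY_TO = {"files", "sub_folders", "this_folder"}


def validate_ace(ace):
    """Return a list of problems found in a request body (empty list = none)."""
    problems = []
    if "rights" in ace and "advanced_rights" in ace:
        problems.append("rights and advanced_rights are mutually exclusive")
    for field, allowed in (("advanced_rights", ADVANCED_RIGHTS), ("apply_to", APPLY_TO)):
        value = ace.get(field, {})
        if not isinstance(value, dict):
            problems.append(f"{field} must be an object of boolean flags")
            continue
        for key, flag in value.items():
            if key not in allowed:
                problems.append(f"{field}.{key} is not a documented field")
            elif not isinstance(flag, bool):
                problems.append(f"{field}.{key} must be a boolean")
    return problems


def build_acl_post(cluster, svm_uuid, path, ace, return_timeout=0):
    """Return (url, body) for the POST; raise ValueError if the body is inconsistent."""
    problems = validate_ace(ace)
    if problems:
        raise ValueError("; ".join(problems))
    # Assumptions: the REST API is served under /api, and the file path is
    # percent-encoded into a single URL segment ("/" becomes %2F).
    url = (f"https://{cluster}/api/protocols/file-security/permissions/"
           f"{quote(svm_uuid, safe='')}/{quote(path, safe='')}/acl"
           f"?return_timeout={int(return_timeout)}")
    return url, json.dumps(ace, sort_keys=True).encode()


def job_uuid(status, body_text):
    """Return the asynchronous job UUID from a 202 response, else None."""
    if status != 202:
        return None
    return json.loads(body_text).get("job", {}).get("uuid")
```
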
Error
Status: Default, Error
Definitions
advanced_rights
Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list.
| Name | Type | Description |
|---|---|---|
| append_data | boolean | Append Data |
| delete | boolean | Delete |
| delete_child | boolean | Delete Child |
| execute_file | boolean | Execute File |
| full_control | boolean | Full Control |
| read_attr | boolean | Read Attributes |
| read_data | boolean | Read Data |
| read_ea | boolean | Read Extended Attributes |
| read_perm | boolean | Read Permissions |
| synchronize | boolean | Synchronize |
| write_attr | boolean | Write Attributes |
| write_data | boolean | Write Data |
| write_ea | boolean | Write Extended Attributes |
| write_owner | boolean | Write Owner |
| write_perm | boolean | Write Permission |
apply_to
Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list.
| Name | Type | Description |
|---|---|---|
| files | boolean | Apply to Files |
| sub_folders | boolean | Apply to all sub-folders |
| this_folder | boolean | Apply only to this folder |
file_directory_security_acl
Manages the DACLS or SACLS.
| Name | Type | Description |
|---|---|---|
| access | string | Specifies whether the ACL is for DACL or SACL. The available values are: |
| advanced_rights | advanced_rights | Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list. |
| apply_to | apply_to | Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list. |
| ignore_paths | array[string] | Specifies that permissions on this file or directory cannot be replaced. |
| propagation_mode | string | Specifies how to propagate security settings to child subfolders and files. This setting determines how child files/folders contained within a parent folder inherit access control and audit information from the parent folder. The available values are: |
| rights | string | Specifies the access right controlled by the ACE for the account specified. The "rights" parameter is mutually exclusive with the "advanced_rights" parameter. If you specify the "rights" parameter, you can specify one of the following "rights" values: |
| user | string | Specifies the account to which the ACE applies. You can specify either name or SID. |
href
| Name | Type | Description |
|---|---|---|
| href | string | |
_links
job_link
| Name | Type | Description |
|---|---|---|
| uuid | string | The UUID of the asynchronous job that is triggered by a POST, PATCH, or DELETE operation. |
error_arguments
| Name | Type | Description |
|---|---|---|
| code | string | Argument code |
| message | string | Message argument |
error
| Name | Type | Description |
|---|---|---|
| arguments | array[error_arguments] | Message arguments |
| code | string | Error code |
| message | string | Error message |
| target | string | The target parameter that caused the error. |