Apply an SD to a path
POST /protocols/file-security/permissions/{svm.uuid}/{path}
Introduced In: 9.9
Applies an SD to the given path. You must keep the following points in mind while using these endpoints:
-
Either SLAG ACL/s or file-directory ACL/s can be configured in one API call. Both cannot be configured in the same API call.
-
SLAG applies to all files and/or directories in a volume hence, inheritance is not required to be propagated.
-
Set access_control field to slag while configuring SLAG ACLs.
-
Set access_control field to file_directory while configuring file-directory ACLs. By Default access_control field is set to file_directory.
-
For SLAG, valid apply_to combinations are "this-folder, sub-folders", "files", "this-folder, sub-folders, files".
Related ONTAP commands
-
vserver security file-directory ntfs create
-
vserver security file-directory ntfs dacl add
-
vserver security file-directory ntfs sacl add
-
vserver security file-directory policy create
-
vserver security file-directory policy task add
-
vserver security file-directory apply
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
path |
string |
path |
True |
target path |
return_timeout |
integer |
query |
False |
The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202.
|
svm.uuid |
string |
path |
True |
UUID of the SVM to which this object belongs. |
Request Body
Name | Type | Description |
---|---|---|
access_control |
string |
An Access Control Level specifies the access control of the task to be applied. Valid values are "file-directory" or "Storage-Level Access Guard (SLAG)". SLAG is used to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value SLAG is not supported on FlexGroups volumes. The default value is "file-directory" ('-' and '_' are interchangeable). |
acls |
array[acl] |
A discretionary access security list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the access control entries (ACEs) in the object's DACL to determine whether to grant access to it. |
control_flags |
string |
Specifies the control flags in the SD. It is a Hexadecimal Value. |
dos_attributes |
string |
Specifies the file attributes on this file or directory. |
effective_style |
string |
Specifies the effective style of the SD. The following values are supported:
|
group |
string |
Specifies the owner's primary group. You can specify the owner group using either a group name or SID. |
group_id |
string |
Specifies group ID on this file or directory. |
ignore_paths |
array[string] |
Specifies that permissions on this file or directory cannot be replaced. |
inode |
integer |
Specifies the File Inode number. |
mode_bits |
integer |
Specifies the mode bits on this file or directory. |
owner |
string |
Specifies the owner of the SD. You can specify the owner using either a user name or security identifier (SID). The owner of the SD can modify the permissions on the file (or folder) or files (or folders) to which the SD is applied and can give other users the right to take ownership of the object or objects to which the SD is applied. |
propagation_mode |
string |
Specifies how to propagate security settings to child subfolders and files. This setting determines how child files/folders contained within a parent folder inherit access control and audit information from the parent folder. The available values are:
|
security_style |
string |
Specifies the security style of the SD. The following values are supported:
|
text_dos_attr |
string |
Specifies the textual format of file attributes on this file or directory. |
text_mode_bits |
string |
Specifies the textual format of mode bits on this file or directory. |
user_id |
string |
Specifies user ID of this file or directory. |
Example request
{
"access_control": "file_directory",
"acls": [
{
"access": "access_allow",
"access_control": "file_directory",
"inherited": 1,
"rights": "full_control",
"user": "S-1-5-21-2233347455-2266964949-1780268902-69304"
}
],
"control_flags": "8014",
"dos_attributes": "10",
"effective_style": "mixed",
"group": "S-1-5-21-2233347455-2266964949-1780268902-69700",
"group_id": "2",
"ignore_paths": [
"/dir1/dir2/",
"/parent/dir3"
],
"inode": 64,
"mode_bits": 777,
"owner": "S-1-5-21-2233347455-2266964949-1780268902-69304",
"propagation_mode": "propagate",
"security_style": "ntfs",
"text_dos_attr": "---A----",
"text_mode_bits": "rwxrwxrwx",
"user_id": "10"
}
Response
Status: 202, Accepted
Name | Type | Description |
---|---|---|
job |
Example response
{
"job": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"uuid": "string"
}
}
Headers
Name | Description | Type |
---|---|---|
Location |
Useful for tracking the resource location |
string |
Response
Status: 201, Created
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
655865 |
The specified file or directory does not exist. |
10485813 |
All values corresponding to rights cannot be false. |
10485815 |
The field "acls.access_control" is not allowed with POST method. |
10485810 |
User is a required field. |
1260882 |
Specified SVM not found. |
6691623 |
User is not authorized. |
4849676 |
The specified Windows user or group does not exist. |
4849677 |
Failed to convert SID to a Windows name. Reason: "SecD Error: object not found". |
10485814 |
The value provided for field control_flags is invalid. |
10485813 |
All values cannot be false. |
Name | Type | Description |
---|---|---|
error |
Example error
{
"error": {
"arguments": [
{
"code": "string",
"message": "string"
}
],
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}
Definitions
See Definitions
advanced_rights
Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list.
Name | Type | Description |
---|---|---|
append_data |
boolean |
Append DAta |
delete |
boolean |
Delete |
delete_child |
boolean |
Delete Child |
execute_file |
boolean |
Execute File |
full_control |
boolean |
Full Control |
read_attr |
boolean |
Read Attributes |
read_data |
boolean |
Read Data |
read_ea |
boolean |
Read Extended Attributes |
read_perm |
boolean |
Read Permissions |
synchronize |
boolean |
Synchronize |
write_attr |
boolean |
Write Attributes |
write_data |
boolean |
Write Data |
write_ea |
boolean |
Write Extended Attributes |
write_owner |
boolean |
Write Owner |
write_perm |
boolean |
Write Permission |
apply_to
Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list.
Name | Type | Description |
---|---|---|
files |
boolean |
Apply to Files |
sub_folders |
boolean |
Apply to all sub-folders |
this_folder |
boolean |
Apply only to this folder |
acl
An ACE is an element in an access control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee.
Name | Type | Description |
---|---|---|
access |
string |
Specifies whether the ACL is for DACL or SACL. The available values are:
|
access_control |
string |
An Access Control Level specifies the access control of the task to be applied. Valid values are "file-directory" or "Storage-Level Access Guard (SLAG)". SLAG is used to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value SLAG is not supported on FlexGroups volumes. The default value is "file-directory" ('-' and '_' are interchangeable). |
advanced_rights |
Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list. |
|
apply_to |
Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list. |
|
inherited |
boolean |
Indicates whether or not the ACE flag is inherited. |
rights |
string |
Specifies the access rights controlled by the ACE for the account specified. The "rights" parameter is mutually exclusive with the "advanced_rights" parameter. If you specify the "rights" parameter, you can specify one of the following "rights" values ("-" or "_" is accepted as the delimiter). |
user |
string |
Specifies the account to which the ACE applies. You can specify either name or SID. |
file_directory_security
Manages New Technology File System (NTFS) security and NTFS audit policies.
Name | Type | Description |
---|---|---|
access_control |
string |
An Access Control Level specifies the access control of the task to be applied. Valid values are "file-directory" or "Storage-Level Access Guard (SLAG)". SLAG is used to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value SLAG is not supported on FlexGroups volumes. The default value is "file-directory" ('-' and '_' are interchangeable). |
acls |
array[acl] |
A discretionary access security list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the access control entries (ACEs) in the object's DACL to determine whether to grant access to it. |
control_flags |
string |
Specifies the control flags in the SD. It is a Hexadecimal Value. |
dos_attributes |
string |
Specifies the file attributes on this file or directory. |
effective_style |
string |
Specifies the effective style of the SD. The following values are supported:
|
group |
string |
Specifies the owner's primary group. You can specify the owner group using either a group name or SID. |
group_id |
string |
Specifies group ID on this file or directory. |
ignore_paths |
array[string] |
Specifies that permissions on this file or directory cannot be replaced. |
inode |
integer |
Specifies the File Inode number. |
mode_bits |
integer |
Specifies the mode bits on this file or directory. |
owner |
string |
Specifies the owner of the SD. You can specify the owner using either a user name or security identifier (SID). The owner of the SD can modify the permissions on the file (or folder) or files (or folders) to which the SD is applied and can give other users the right to take ownership of the object or objects to which the SD is applied. |
propagation_mode |
string |
Specifies how to propagate security settings to child subfolders and files. This setting determines how child files/folders contained within a parent folder inherit access control and audit information from the parent folder. The available values are:
|
security_style |
string |
Specifies the security style of the SD. The following values are supported:
|
text_dos_attr |
string |
Specifies the textual format of file attributes on this file or directory. |
text_mode_bits |
string |
Specifies the textual format of mode bits on this file or directory. |
user_id |
string |
Specifies user ID of this file or directory. |
href
Name | Type | Description |
---|---|---|
href |
string |
_links
Name | Type | Description |
---|---|---|
self |
job_link
Name | Type | Description |
---|---|---|
_links |
||
uuid |
string |
The UUID of the asynchronous job that is triggered by a POST, PATCH, or DELETE operation. |
error_arguments
Name | Type | Description |
---|---|---|
code |
string |
Argument code |
message |
string |
Message argument |
returned_error
Name | Type | Description |
---|---|---|
arguments |
array[error_arguments] |
Message arguments |
code |
string |
Error code |
message |
string |
Error message |
target |
string |
The target parameter that caused the error. |