REST API reference
Retrieve file permissions
Suggest changes
PDFs
GET /protocols/file-security/permissions/{svm.uuid}/{path}
Introduced In: 9.9
Retrieves file permissions
Related ONTAP commands
-
vserver security file-directory show
Parameters
| Name | Type | In | Required | Description |
|---|---|---|---|---|
path |
string |
path |
True |
target path |
fields |
array[string] |
query |
False |
Specify the fields to return. |
svm.uuid |
string |
path |
True |
UUID of the SVM to which this object belongs. |
Response
Status: 200, Ok| Name | Type | Description |
|---|---|---|
access_control |
string |
An Access Control Level specifies the access control of the task to be applied. Valid values are "file-directory" or "Storage-Level Access Guard (SLAG)". SLAG is used to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value SLAG is not supported on FlexGroups volumes. The default value is "file-directory" ('-' and '_' are interchangeable). |
acls |
array[acl] |
A discretionary access security list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the access control entries (ACEs) in the object's DACL to determine whether to grant access to it. |
control_flags |
string |
Specifies the control flags in the SD. It is a Hexadecimal Value. |
dos_attributes |
string |
Specifies the file attributes on this file or directory. |
effective_style |
string |
Specifies the effective style of the SD. The following values are supported:
|
group |
string |
Specifies the owner's primary group. You can specify the owner group using either a group name or SID. |
group_id |
string |
Specifies group ID on this file or directory. |
ignore_paths |
array[string] |
Specifies that permissions on this file or directory cannot be replaced. |
inode |
integer |
Specifies the File Inode number. |
mode_bits |
integer |
Specifies the mode bits on this file or directory. |
owner |
string |
Specifies the owner of the SD. You can specify the owner using either a user name or security identifier (SID). The owner of the SD can modify the permissions on the file (or folder) or files (or folders) to which the SD is applied and can give other users the right to take ownership of the object or objects to which the SD is applied. |
propagation_mode |
string |
Specifies how to propagate security settings to child subfolders and files. This setting determines how child files/folders contained within a parent folder inherit access control and audit information from the parent folder. The available values are:
|
security_style |
string |
Specifies the security style of the SD. The following values are supported:
|
text_dos_attr |
string |
Specifies the textual format of file attributes on this file or directory. |
text_mode_bits |
string |
Specifies the textual format of mode bits on this file or directory. |
user_id |
string |
Specifies user ID of this file or directory. |
Example response
{
"access_control": "file_directory",
"acls": [
{
"access": "access_allow",
"access_control": "file_directory",
"inherited": 1,
"rights": "full_control",
"user": "S-1-5-21-2233347455-2266964949-1780268902-69304"
}
],
"control_flags": "8014",
"dos_attributes": "10",
"effective_style": "mixed",
"group": "S-1-5-21-2233347455-2266964949-1780268902-69700",
"group_id": "2",
"ignore_paths": [
"/dir1/dir2/",
"/parent/dir3"
],
"inode": 64,
"mode_bits": 777,
"owner": "S-1-5-21-2233347455-2266964949-1780268902-69304",
"propagation_mode": "propagate",
"security_style": "ntfs",
"text_dos_attr": "---A----",
"text_mode_bits": "rwxrwxrwx",
"user_id": "10"
}Error
Status: DefaultONTAP Error Response Codes
| Error Code | Description |
|---|---|
655865 |
The specified file or directory does not exist. |
1260882 |
Specified SVM not found. |
6691623 |
User is not authorized. |
4849676 |
The specified Windows user or group does not exist. |
| Name | Type | Description |
|---|---|---|
error |
Example error
{
"error": {
"arguments": [
{
"code": "string",
"message": "string"
}
],
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}Definitions
See Definitions
advanced_rights
Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list.
| Name | Type | Description |
|---|---|---|
append_data |
boolean |
Append DAta |
delete |
boolean |
Delete |
delete_child |
boolean |
Delete Child |
execute_file |
boolean |
Execute File |
full_control |
boolean |
Full Control |
read_attr |
boolean |
Read Attributes |
read_data |
boolean |
Read Data |
read_ea |
boolean |
Read Extended Attributes |
read_perm |
boolean |
Read Permissions |
synchronize |
boolean |
Synchronize |
write_attr |
boolean |
Write Attributes |
write_data |
boolean |
Write Data |
write_ea |
boolean |
Write Extended Attributes |
write_owner |
boolean |
Write Owner |
write_perm |
boolean |
Write Permission |
apply_to
Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list.
| Name | Type | Description |
|---|---|---|
files |
boolean |
Apply to Files |
sub_folders |
boolean |
Apply to all sub-folders |
this_folder |
boolean |
Apply only to this folder |
acl
An ACE is an element in an access control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee.
| Name | Type | Description |
|---|---|---|
access |
string |
Specifies whether the ACL is for DACL or SACL. The available values are:
|
access_control |
string |
An Access Control Level specifies the access control of the task to be applied. Valid values are "file-directory" or "Storage-Level Access Guard (SLAG)". SLAG is used to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value SLAG is not supported on FlexGroups volumes. The default value is "file-directory" ('-' and '_' are interchangeable). |
advanced_rights |
Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list. |
|
apply_to |
Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list. |
|
inherited |
boolean |
Indicates whether or not the ACE flag is inherited. |
rights |
string |
Specifies the access rights controlled by the ACE for the account specified. The "rights" parameter is mutually exclusive with the "advanced_rights" parameter. If you specify the "rights" parameter, you can specify one of the following "rights" values ("-" or "_" is accepted as the delimiter). |
user |
string |
Specifies the account to which the ACE applies. You can specify either name or SID. |
error_arguments
| Name | Type | Description |
|---|---|---|
code |
string |
Argument code |
message |
string |
Message argument |
returned_error
| Name | Type | Description |
|---|---|---|
arguments |
array[error_arguments] |
Message arguments |
code |
string |
Error code |
message |
string |
Error message |
target |
string |
The target parameter that caused the error. |