Skip to main content

Add a new SACL or DACL ACE

Contributors

POST /protocols/file-security/permissions/{svm.uuid}/{path}/acl

Introduced In: 9.9

Adds the new SACL/DACL ACE. You must keep the following points in mind while using these endpoints:

  • SLAG applies to all files and/or directories in a volume hence, inheritance is not required to be propagated.

  • Set access_control field to slag while adding SLAG ACE.

  • Set access_control field to file_directory while adding file-directory ACE. By Default access_control field is set to file_directory.

  • For SLAG, valid apply_to combinations are "this-folder, sub-folders", "files", "this-folder, sub-folders, files".

Required properties

  • user - Name of the user to which the ACE applies.

  • access - Specifies whether the ACE is for DACL or SACL.

  • vserver security file-directory ntfs dacl add

  • vserver security file-directory ntfs sacl add

Parameters

Name Type In Required Description

path

string

path

True

path

return_timeout

integer

query

False

The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202.

  • Default value: 1

  • Max value: 120

  • Min value: 0

return_records

boolean

query

False

The default is false. If set to true, the records are returned.

  • Default value:

svm.uuid

string

path

True

UUID of the SVM to which this object belongs.

Request Body

Name Type Description

access

string

Specifies whether the ACL is for DACL or SACL. It is a required field. The available values are:

  • access_allow - DACL for allow access

  • access_deny - DACL for deny access

  • audit_success - SACL for success access

  • audit_failure - SACL for failure access

access_control

string

Access Control Level specifies the access control of the task to be applied. Valid values are "file-directory" or "Storage-Level Access Guard (SLAG)". SLAG is used to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value SLAG is not supported on FlexGroups volumes. The default value is "file-directory" ('-' and '_' are interchangeable).

advanced_rights

advanced_rights

Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list.

apply_to

apply_to

Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list.

ignore_paths

array[string]

Specifies that permissions on this file or directory cannot be replaced.

propagation_mode

string

Specifies how to propagate security settings to child subfolders and files. This setting determines how child files/folders contained within a parent folder inherit access control and audit information from the parent folder. The available values are:

  • propagate - propagate inheritable permissions to all subfolders and files

  • ignore - ignore inheritable permissions

  • replace - replace existing permissions on all subfolders and files with inheritable permissions

rights

string

Specifies the access rights controlled by the ACE for the account specified. The "rights" parameter is mutually exclusive with the "advanced_rights" parameter. If you specify the "rights" parameter, you can specify one of the following "rights" values ("-" or "_" is accepted as the delimiter).

user

string

Specifies the account to which the ACE applies. You can specify either name or SID.

Example request
{
  "access": "access_allow",
  "access_control": "file_directory",
  "ignore_paths": [
    "/dir1/dir2/",
    "/parent/dir3"
  ],
  "propagation_mode": "string",
  "rights": "full_control",
  "user": "S-1-5-21-2233347455-2266964949-1780268902-69304"
}

Response

Status: 202, Accepted
Name Type Description

job

job_link

Example response
{
  "job": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "uuid": "string"
  }
}

Headers

Name Description Type

Location

Useful for tracking the resource location

string

Response

Status: 201, Created

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

655865

The specified file or directory does not exist.

10485811

Access is a required field.

1260882

Specified SVM not found.

6691623

User is not authorized.

4849676

The specified Windows user or group does not exist.

10485810

User is a required field.

10485813

All values cannot be false.

Name Type Description

error

returned_error

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

See Definitions

advanced_rights

Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list.

Name Type Description

append_data

boolean

Append DAta

delete

boolean

Delete

delete_child

boolean

Delete Child

execute_file

boolean

Execute File

full_control

boolean

Full Control

read_attr

boolean

Read Attributes

read_data

boolean

Read Data

read_ea

boolean

Read Extended Attributes

read_perm

boolean

Read Permissions

synchronize

boolean

Synchronize

write_attr

boolean

Write Attributes

write_data

boolean

Write Data

write_ea

boolean

Write Extended Attributes

write_owner

boolean

Write Owner

write_perm

boolean

Write Permission

apply_to

Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list.

Name Type Description

files

boolean

Apply to Files

sub_folders

boolean

Apply to all sub-folders

this_folder

boolean

Apply only to this folder

file_directory_security_acl

Manages the DACLS or SACLS.

Name Type Description

access

string

Specifies whether the ACL is for DACL or SACL. It is a required field. The available values are:

  • access_allow - DACL for allow access

  • access_deny - DACL for deny access

  • audit_success - SACL for success access

  • audit_failure - SACL for failure access

access_control

string

Access Control Level specifies the access control of the task to be applied. Valid values are "file-directory" or "Storage-Level Access Guard (SLAG)". SLAG is used to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value SLAG is not supported on FlexGroups volumes. The default value is "file-directory" ('-' and '_' are interchangeable).

advanced_rights

advanced_rights

Specifies the advanced access right controlled by the ACE for the account specified. You can specify more than one "advanced-rights" value by using a comma-delimited list.

apply_to

apply_to

Specifies where to apply the DACL or SACL entries. You can specify more than one value by using a comma-delimited list.

ignore_paths

array[string]

Specifies that permissions on this file or directory cannot be replaced.

propagation_mode

string

Specifies how to propagate security settings to child subfolders and files. This setting determines how child files/folders contained within a parent folder inherit access control and audit information from the parent folder. The available values are:

  • propagate - propagate inheritable permissions to all subfolders and files

  • ignore - ignore inheritable permissions

  • replace - replace existing permissions on all subfolders and files with inheritable permissions

rights

string

Specifies the access rights controlled by the ACE for the account specified. The "rights" parameter is mutually exclusive with the "advanced_rights" parameter. If you specify the "rights" parameter, you can specify one of the following "rights" values ("-" or "_" is accepted as the delimiter).

user

string

Specifies the account to which the ACE applies. You can specify either name or SID.

href

Name Type Description

href

string

Name Type Description

self

href

Name Type Description

_links

_links

uuid

string

The UUID of the asynchronous job that is triggered by a POST, PATCH, or DELETE operation.

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

returned_error

Name Type Description

arguments

array[error_arguments]

Message arguments

code

string

Error code

message

string

Error message

target

string

The target parameter that caused the error.