Skip to main content

Apply an SD to a path

Contributors

POST /protocols/file-security/permissions/{svm.uuid}/{path}

Introduced In: 9.9

Applies an SD to the given path. You must keep the following points in mind while using these endpoints:

  • Either SLAG ACL/s or file-directory ACL/s can be configured in one API call. Both cannot be configured in the same API call.

  • SLAG applies to all files and/or directories in a volume hence, inheritance is not required to be propagated.

  • Set access_control field to slag while configuring SLAG ACLs.

  • Set access_control field to file_directory while configuring file-directory ACLs. By Default access_control field is set to file_directory.

  • For SLAG, valid apply_to combinations are "this-folder, sub-folders", "files", "this-folder, sub-folders, files".

  • vserver security file-directory ntfs create

  • vserver security file-directory ntfs dacl add

  • vserver security file-directory ntfs sacl add

  • vserver security file-directory policy create

  • vserver security file-directory policy task add

  • vserver security file-directory apply

Parameters

Name Type In Required Description

path

string

path

True

target path

return_timeout

integer

query

False

The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202.

  • Default value: 1

  • Max value: 120

  • Min value: 0

svm.uuid

string

path

True

UUID of the SVM to which this object belongs.

Request Body

Name Type Description

access_control

string

An Access Control Level specifies the access control of the task to be applied. Valid values are "file-directory" or "Storage-Level Access Guard (SLAG)". SLAG is used to apply the specified security descriptors with the task for the volume or qtree. Otherwise, the security descriptors are applied on files and directories at the specified path. The value SLAG is not supported on FlexGroups volumes. The default value is "file-directory" ('-' and '_' are interchangeable).

acls

array[acl]

A discretionary access security list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the access control entries (ACEs) in the object's DACL to determine whether to grant access to it.

control_flags

string

Specifies the control flags in the SD. It is a Hexadecimal Value.

dos_attributes

string

Specifies the file attributes on this file or directory.

effective_style

string

Specifies the effective style of the SD. The following values are supported:

  • unix - UNIX style

  • ntfs - NTFS style

  • mixed - Mixed style

  • unified - Unified style

group

string

Specifies the owner's primary group. You can specify the owner group using either a group name or SID.

group_id

string

Specifies group ID on this file or directory.

ignore_paths

array[string]

Specifies that permissions on this file or directory cannot be replaced.

inode

integer

Specifies the File Inode number.

mode_bits

integer

Specifies the mode bits on this file or directory.

owner

string

Specifies the owner of the SD. You can specify the owner using either a user name or security identifier (SID). The owner of the SD can modify the permissions on the file (or folder) or files (or folders) to which the SD is applied and can give other users the right to take ownership of the object or objects to which the SD is applied.

propagation_mode

string

Specifies how to propagate security settings to child subfolders and files. This setting determines how child files/folders contained within a parent folder inherit access control and audit information from the parent folder. The available values are:

  • propagate - propagate inheritable permissions to all subfolders and files

  • ignore - ignore inheritable permissions

  • replace - replace existing permissions on all subfolders and files with inheritable permissions

security_style

string

Specifies the security style of the SD. The following values are supported:

  • unix - UNIX style

  • ntfs - NTFS style

  • mixed - Mixed style

  • unified - Unified style

text_dos_attr

string

Specifies the textual format of file attributes on this file or directory.

text_mode_bits

string

Specifies the textual format of mode bits on this file or directory.

user_id

string

Specifies user ID of this file or directory.

Example request
{
  "access_control": "file_directory",
  "acls": [
    {
      "access": "access_allow",
      "access_control": "file_directory",
      "inherited": 1,
      "rights": "full_control",
      "user": "S-1-5-21-2233347455-2266964949-1780268902-69304"
    }
  ],
  "control_flags": "8014",
  "dos_attributes": "10",
  "effective_style": "mixed",
  "group": "S-1-5-21-2233347455-2266964949-1780268902-69700",
  "group_id": "2",
  "ignore_paths": [
    "/dir1/dir2/",
    "/parent/dir3"
  ],
  "inode": 64,
  "mode_bits": 777,
  "owner": "S-1-5-21-2233347455-2266964949-1780268902-69304",
  "propagation_mode": "propagate",
  "security_style": "ntfs",
  "text_dos_attr": "---A----",
  "text_mode_bits": "rwxrwxrwx",
  "user_id": "10"
}

Response

Status: 202, Accepted
Name Type Description

job

job_link

Example response
{
  "job": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "uuid": "string"
  }
}

Headers

Name Description Type

Location

Useful for tracking the resource location

string

Response

Status: 201, Created

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

655865

The specified file or directory does not exist.

10485813

All values corresponding to rights cannot be false.

10485815

The field "acls.access_control" is not allowed with POST method.

10485810

User is a required field.

1260882

Specified SVM not found.

6691623

User is not authorized.

4849676

The specified Windows user or group does not exist.

4849677

Failed to convert SID to a Windows name. Reason: "SecD Error: object not found".

10485814

The value provided for field control_flags is invalid.

10485813

All values cannot be false.

Name Type Description

error

returned_error

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions