Create an FPolicy configuration for an SVM
POST /protocols/fpolicy/{svm.uuid}/policies
Introduced In: 9.6
Creates an FPolicy policy configuration for the specified SVM. To create an FPolicy policy, you must specify the policy scope and the FPolicy events to be monitored.
Important notes:
- A single policy can monitor multiple events.
- An FPolicy engine is an optional field whose default value is set to native. A native engine can be used to simply block the file access based on the file extensions specified in the policy scope.
- To enable a policy, the policy priority must be specified. If the priority is not specified, the policy is created but it is not enabled.
- The "mandatory" field, if set to true, blocks the file access when the primary or secondary FPolicy servers are down.
Required properties
- svm.uuid - Existing SVM in which to create the FPolicy policy.
- events - Name of the events to monitor.
- name - Name of the FPolicy policy.
- scope - Scope of the policy. Can be limited to exports, volumes, shares or file extensions.
- priority - Priority of the policy (ranging from 1 to 10).
Default property values
- mandatory - true
- engine - native
Related ONTAP commands
- fpolicy policy scope create
- fpolicy policy create
- fpolicy enable
Parameters
Name | Type | In | Required | Description
---|---|---|---|---
return_records | boolean | query | False | The default is false. If set to true, the records are returned.
svm.uuid | string | path | True | UUID of the SVM to which this object belongs.
Request Body
Name | Type | Description
---|---|---
allow_privileged_access | boolean | Specifies whether privileged access is required for FPolicy servers. Privileged access is used when the FPolicy server requires direct access to the cluster nodes. When this parameter is set to true, FPolicy servers can access files on the cluster using a separate data channel with privileged access.
enabled | boolean | Specifies if the policy is enabled on the SVM or not. If no value is mentioned for this field but priority is set, then this policy will be enabled.
engine | fpolicy_engine_reference | FPolicy external engine
events | array[fpolicy_event_reference] |
mandatory | boolean | Specifies what action to take on a file access event in a case when all primary and secondary servers are down or no response is received from the FPolicy servers within a given timeout period. When this parameter is set to true, file access events will be denied under these circumstances.
name | string | Specifies the name of the policy.
passthrough_read | boolean | Specifies whether passthrough-read should be allowed for FPolicy servers registered for the policy. Passthrough-read is a way to read data for offline files without restoring the files to primary storage. Offline files are files that have been moved to secondary storage.
persistent_store | string | Specifies the persistent storage name. This can then be used to enable persistent mode for FPolicy events.
priority | integer | Specifies the priority that is assigned to this policy.
privileged_user | string | Specifies the privileged user name for accessing files on the cluster using a separate data channel with privileged access. The input for this field should be in "domain\username" format.
scope | scope |
svm | svm |
Example request
```json
{
  "engine": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "string"
  },
  "events": [
    "event_cifs",
    "event_open"
  ],
  "name": "fp_policy_1",
  "persistent_store": "ps1",
  "priority": 1,
  "privileged_user": "mydomain\\testuser",
  "scope": {
    "exclude_export_policies": [
      "string"
    ],
    "exclude_extension": [
      "string"
    ],
    "exclude_shares": [
      "string"
    ],
    "exclude_volumes": [
      "vol1",
      "vol_svm1",
      "*"
    ],
    "include_export_policies": [
      "string"
    ],
    "include_extension": [
      "string"
    ],
    "include_shares": [
      "sh1",
      "share_cifs"
    ],
    "include_volumes": [
      "vol1",
      "vol_svm1"
    ]
  },
  "svm": {
    "uuid": "string"
  }
}
```
Response
Status: 201, Created
Name | Type | Description
---|---|---
_links | _links |
num_records | integer | Number of Records
records | array[fpolicy_policy] |
Example response
```json
{
  "_links": {
    "next": {
      "href": "/api/resourcelink"
    },
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "num_records": 1,
  "records": [
    {
      "engine": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "string"
      },
      "events": [
        "event_cifs",
        "event_open"
      ],
      "name": "fp_policy_1",
      "persistent_store": "ps1",
      "priority": 1,
      "privileged_user": "mydomain\\testuser",
      "scope": {
        "exclude_export_policies": [
          "string"
        ],
        "exclude_extension": [
          "string"
        ],
        "exclude_shares": [
          "string"
        ],
        "exclude_volumes": [
          "vol1",
          "vol_svm1",
          "*"
        ],
        "include_export_policies": [
          "string"
        ],
        "include_extension": [
          "string"
        ],
        "include_shares": [
          "sh1",
          "share_cifs"
        ],
        "include_volumes": [
          "vol1",
          "vol_svm1"
        ]
      },
      "svm": {
        "uuid": "string"
      }
    }
  ]
}
```
Headers
Name | Description | Type
---|---|---
Location | Useful for tracking the resource location | string
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description
---|---
9764875 | An FPolicy event does not exist
9764888 | An FPolicy engine does not exist
9764898 | An FPolicy policy cannot be created without defining its scope
9765027 | FPolicy creation is successful but it cannot be enabled as the priority is already in use by another policy
9765037 | FPolicy creation failed as passthrough-read cannot be enabled for policy without privileged user
9765038 | Passthrough-read policies are not supported with asynchronous external engine
9765056 | The specified Persistent Store does not exist
9765059 | Persistent store feature is not supported with native engine
9765060 | Persistent store feature is not supported with synchronous engine
9765061 | Persistent store feature is not supported with mandatory screening
9765065 | A valid privileged user name must be in the form "domain-name\user-name"
9765066 | The privileged user contains characters that are not allowed

Name | Type | Description
---|---|---
error | returned_error |
Example error
```json
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}
```
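As an added example (not NetApp's code and not part of this reference), a small Python helper that pre-checks a request body for this endpoint against the constraints the page documents (required fields, the 1 to 10 priority range, the "domain\username" privileged-user format, and the persistent-store, passthrough-read and engine combinations listed in the error-code table) and then builds the POST without sending it. The cluster hostname, SVM UUID and credentials are placeholders; the defaults of engine native and mandatory true are the ones the page states.

```python
import base64
import json
import re
from urllib.request import Request

# Matches the documented "domain\username" form: exactly one backslash, no whitespace.
PRIV_USER_RE = re.compile(r"^[^\\\s]+\\[^\\\s]+$")


def precheck_fpolicy_policy(body):
    """Client-side mirror of the rejection conditions documented for this endpoint.
    Returns a list of problems (empty means the body passes every documented check).
    Engine defaults to native and mandatory to true, as the page states."""
    problems = []
    for field in ("name", "events"):
        if not body.get(field):
            problems.append(f"{field} is required")
    if "scope" not in body:
        problems.append("9764898: policy cannot be created without a scope")
    priority = body.get("priority")
    if priority is not None and not 1 <= priority <= 10:
        problems.append("priority must be in the range 1 to 10")
    if body.get("enabled") and priority is None:
        problems.append("enabled has no effect unless priority is set")
    user = body.get("privileged_user")
    if body.get("passthrough_read") and not user:
        problems.append("9765037: passthrough-read needs a privileged user")
    if user is not None and not PRIV_USER_RE.match(user):
        problems.append("9765065: privileged user must be in domain\\username form")
    if body.get("persistent_store"):
        if body.get("engine", {}).get("name", "native") == "native":
            problems.append("9765059: persistent store needs a non-native engine")
        if body.get("mandatory", True):
            problems.append("9765061: persistent store conflicts with mandatory screening")
    return problems


def build_create_request(cluster, svm_uuid, body, username, password):
    """Build (but do not send) the POST for this endpoint; run precheck first,
    then hand the Request to urllib.request.urlopen over a trusted TLS channel."""
    url = f"https://{cluster}/api/protocols/fpolicy/{svm_uuid}/policies?return_records=true"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return Request(url, data=json.dumps(body).encode(), method="POST",
                   headers={"Authorization": f"Basic {token}",
                            "Content-Type": "application/json",
                            "Accept": "application/json"})


# Constructed sample body modelled on the page's example request (placeholder names).
SAMPLE_BODY = {"name": "fp_policy_1", "events": ["event_cifs", "event_open"],
               "scope": {"include_volumes": ["vol1", "vol_svm1"]}, "priority": 1}
```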
Definitions
href

Name | Type | Description
---|---|---
href | string |

_links

Name | Type | Description
---|---|---
self | href |

fpolicy_engine_reference

FPolicy external engine

Name | Type | Description
---|---|---
_links | _links |
name | string | The name of the FPolicy external engine.

fpolicy_event_reference

FPolicy events

Name | Type | Description
---|---|---
_links | _links |
name | string |
scope
Name | Type | Description
---|---|---
check_extensions_on_directories | boolean | Specifies whether the file name extension checks also apply to directory objects. If this parameter is set to true, the directory objects are subjected to the same extension checks as regular files. If this parameter is set to false, the directory names are not matched for extensions and notifications are sent for directories even if their name extensions do not match. Default is false.
exclude_export_policies | array[string] |
exclude_extension | array[string] |
exclude_shares | array[string] |
exclude_volumes | array[string] |
include_export_policies | array[string] |
include_extension | array[string] |
include_shares | array[string] |
include_volumes | array[string] |
object_monitoring_with_no_extension | boolean | Specifies whether the extension checks also apply to objects with no extension. If this parameter is set to true, all objects with or without extensions are monitored. Default is false.
svm
Name | Type | Description
---|---|---
uuid | string | SVM UUID
fpolicy_policy
Name | Type | Description
---|---|---
allow_privileged_access | boolean | Specifies whether privileged access is required for FPolicy servers. Privileged access is used when the FPolicy server requires direct access to the cluster nodes. When this parameter is set to true, FPolicy servers can access files on the cluster using a separate data channel with privileged access.
enabled | boolean | Specifies if the policy is enabled on the SVM or not. If no value is mentioned for this field but priority is set, then this policy will be enabled.
engine | fpolicy_engine_reference | FPolicy external engine
events | array[fpolicy_event_reference] |
mandatory | boolean | Specifies what action to take on a file access event in a case when all primary and secondary servers are down or no response is received from the FPolicy servers within a given timeout period. When this parameter is set to true, file access events will be denied under these circumstances.
name | string | Specifies the name of the policy.
passthrough_read | boolean | Specifies whether passthrough-read should be allowed for FPolicy servers registered for the policy. Passthrough-read is a way to read data for offline files without restoring the files to primary storage. Offline files are files that have been moved to secondary storage.
persistent_store | string | Specifies the persistent storage name. This can then be used to enable persistent mode for FPolicy events.
priority | integer | Specifies the priority that is assigned to this policy.
privileged_user | string | Specifies the privileged user name for accessing files on the cluster using a separate data channel with privileged access. The input for this field should be in "domain\username" format.
scope | scope |
svm | svm |
_links
Name | Type | Description
---|---|---
next | href |
self | href |

error_arguments

Name | Type | Description
---|---|---
code | string | Argument code
message | string | Message argument
returned_error