Skip to main content

Create an FPolicy configuration for an SVM

Contributors

POST /protocols/fpolicy/{svm.uuid}/policies

Introduced In: 9.6

Creates an FPolicy policy configuration for the specified SVM. To create an FPolicy policy, you must specify the policy scope and the FPolicy events to be monitored.

Important notes:

  • A single policy can monitor multiple events.

  • An FPolicy engine is an optional field whose default value is set to native. A native engine can be used to simply block the file access based on the file extensions specified in the policy scope.

  • To enable a policy, the policy priority must be specified. If the priority is not specified, the policy is created but it is not enabled.

  • The "mandatory" field, if set to true, blocks the file access when the primary or secondary FPolicy servers are down.

Required properties

  • svm.uuid - Existing SVM in which to create the FPolicy policy.

  • events - Name of the events to monitior.

  • name - Name of the FPolicy policy.

  • scope - Scope of the policy. Can be limited to exports, volumes, shares or file extensions.

  • priority- Priority of the policy (ranging from 1 to 10).

Default property values

  • mandatory - true

  • engine - native

  • fpolicy policy scope create

  • fpolicy policy create

  • fpolicy enable

Parameters

Name Type In Required Description

return_records

boolean

query

False

The default is false. If set to true, the records are returned.

  • Default value:

svm.uuid

string

path

True

UUID of the SVM to which this object belongs.

Request Body

Name Type Description

allow_privileged_access

boolean

Specifies whether privileged access is required for FPolicy servers. Privileged access is used when the FPolicy server requires direct access to the cluster nodes. When this parameter is set to true, FPolicy servers can access files on the cluster using a separate data channel with privileged access.

enabled

boolean

Specifies if the policy is enabled on the SVM or not. If no value is mentioned for this field but priority is set, then this policy will be enabled.

engine

fpolicy_engine_reference

FPolicy external engine

events

array[fpolicy_event_reference]

mandatory

boolean

Specifies what action to take on a file access event in a case when all primary and secondary servers are down or no response is received from the FPolicy servers within a given timeout period. When this parameter is set to true, file access events will be denied under these circumstances.

name

string

Specifies the name of the policy.

passthrough_read

boolean

Specifies whether passthrough-read should be allowed for FPolicy servers registered for the policy. Passthrough-read is a way to read data for offline files without restoring the files to primary storage. Offline files are files that have been moved to secondary storage.

persistent_store

string

Specifies the persistent storage name. This can then be used to enable persistent mode for FPolicy events.

priority

integer

Specifies the priority that is assigned to this policy.

privileged_user

string

Specifies the privileged user name for accessing files on the cluster using a separate data channel with privileged access. The input for this field should be in "domain\username" format.

scope

scope

svm

svm

Example request
{
  "engine": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "string"
  },
  "events": [
    "event_cifs",
    "event_open"
  ],
  "name": "fp_policy_1",
  "persistent_store": "ps1",
  "priority": 1,
  "privileged_user": "mydomain\\testuser",
  "scope": {
    "exclude_export_policies": [
      "string"
    ],
    "exclude_extension": [
      "string"
    ],
    "exclude_shares": [
      "string"
    ],
    "exclude_volumes": [
      "vol1",
      "vol_svm1",
      "*"
    ],
    "include_export_policies": [
      "string"
    ],
    "include_extension": [
      "string"
    ],
    "include_shares": [
      "sh1",
      "share_cifs"
    ],
    "include_volumes": [
      "vol1",
      "vol_svm1"
    ]
  },
  "svm": {
    "uuid": "string"
  }
}

Response

Status: 201, Created
Name Type Description

_links

_links

num_records

integer

Number of Records

records

array[fpolicy_policy]

Example response
{
  "_links": {
    "next": {
      "href": "/api/resourcelink"
    },
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "num_records": 1,
  "records": [
    {
      "engine": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "string"
      },
      "events": [
        "event_cifs",
        "event_open"
      ],
      "name": "fp_policy_1",
      "persistent_store": "ps1",
      "priority": 1,
      "privileged_user": "mydomain\\testuser",
      "scope": {
        "exclude_export_policies": [
          "string"
        ],
        "exclude_extension": [
          "string"
        ],
        "exclude_shares": [
          "string"
        ],
        "exclude_volumes": [
          "vol1",
          "vol_svm1",
          "*"
        ],
        "include_export_policies": [
          "string"
        ],
        "include_extension": [
          "string"
        ],
        "include_shares": [
          "sh1",
          "share_cifs"
        ],
        "include_volumes": [
          "vol1",
          "vol_svm1"
        ]
      },
      "svm": {
        "uuid": "string"
      }
    }
  ]
}

Headers

Name Description Type

Location

Useful for tracking the resource location

string

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

9764875

An FPolicy event does not exist

9764888

An FPolicy engine does not exist

9764898

An FPolicy policy cannot be created without defining its scope

9765027

FPolicy creation is successful but it cannot be enabled as the priority is already in use by another policy

9765037

FPolicy creation failed as passthrough-read cannot be enabled for policy without privileged user

9765038

Passthrough-read policies are not supported with asynchronous external engine

9765056

The specified Persistent Store does not exist

9765059

Persistent store feature is not supported with native engine

9765060

Persistent store feature is not supported with synchronous engine

9765061

Persistent store feature is not supported with mandatory screening

9765065

A valid privileged user name must be in the form "domain-name\user-name"

9765066

The privileged user contains characters that are not allowed

Name Type Description

error

returned_error

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

See Definitions

href

Name Type Description

href

string

Name Type Description

self

href

fpolicy_engine_reference

FPolicy external engine

Name Type Description

_links

_links

name

string

The name of the FPolicy external engine.

fpolicy_event_reference

FPolicy events

Name Type Description

_links

_links

name

string

scope

Name Type Description

check_extensions_on_directories

boolean

Specifies whether the file name extension checks also apply to directory objects. If this parameter is set to true, the directory objects are subjected to the same extension checks as regular files. If this parameter is set to false, the directory names are not matched for extensions and notifications are sent for directories even if their name extensions do not match. Default is false.

exclude_export_policies

array[string]

exclude_extension

array[string]

exclude_shares

array[string]

exclude_volumes

array[string]

include_export_policies

array[string]

include_extension

array[string]

include_shares

array[string]

include_volumes

array[string]

object_monitoring_with_no_extension

boolean

Specifies whether the extension checks also apply to objects with no extension. If this parameter is set to true, all objects with or without extensions are monitored. Default is false.

svm

Name Type Description

uuid

string

SVM UUID

fpolicy_policy

Name Type Description

allow_privileged_access

boolean

Specifies whether privileged access is required for FPolicy servers. Privileged access is used when the FPolicy server requires direct access to the cluster nodes. When this parameter is set to true, FPolicy servers can access files on the cluster using a separate data channel with privileged access.

enabled

boolean

Specifies if the policy is enabled on the SVM or not. If no value is mentioned for this field but priority is set, then this policy will be enabled.

engine

fpolicy_engine_reference

FPolicy external engine

events

array[fpolicy_event_reference]

mandatory

boolean

Specifies what action to take on a file access event in a case when all primary and secondary servers are down or no response is received from the FPolicy servers within a given timeout period. When this parameter is set to true, file access events will be denied under these circumstances.

name

string

Specifies the name of the policy.

passthrough_read

boolean

Specifies whether passthrough-read should be allowed for FPolicy servers registered for the policy. Passthrough-read is a way to read data for offline files without restoring the files to primary storage. Offline files are files that have been moved to secondary storage.

persistent_store

string

Specifies the persistent storage name. This can then be used to enable persistent mode for FPolicy events.

priority

integer

Specifies the priority that is assigned to this policy.

privileged_user

string

Specifies the privileged user name for accessing files on the cluster using a separate data channel with privileged access. The input for this field should be in "domain\username" format.

scope

scope

svm

svm

Name Type Description

next

href

self

href

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

returned_error