Add NTFS DACL access control entries to the NTFS security descriptor in ONTAP
Adding DACL (discretionary access control list) access control entries (ACEs) to the NTFS security descriptor is the second step in configuring and applying NTFS ACLs to a file or folder. Each entry identifies which object is allowed or denied access, and defines what the object can or cannot do to the files or folders defined in the ACE.
You can add one or more ACEs to the security descriptor's DACL.
If the security descriptor contains a DACL that has existing ACEs, the command adds the new ACE to the DACL. If the security descriptor does not contain a DACL, the command creates the DACL and adds the new ACE to it.
You can optionally customize DACL entries by specifying what rights you want to allow or deny for the account specified in the -account parameter. There are three mutually exclusive methods for specifying rights:
- Rights
- Advanced rights
- Raw rights (advanced-privilege)
If you do not specify rights for the DACL entry, the default is to set the rights to |
You can optionally customize DACL entries by specifying how to apply inheritance.
The value for any optional parameter is ignored for Storage-Level Access Guard. Learn more about the commands described in this procedure in the ONTAP command reference.
- Add a DACL entry to a security descriptor:
  vserver security file-directory ntfs dacl add -vserver vserver_name -ntfs-sd SD_name -access-type {allow|deny} -account name_or_SID optional_parameters
  vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type deny -account domain\joe -rights full-control -apply-to this-folder -vserver vs1
- Verify that the DACL entry is correct:
  vserver security file-directory ntfs dacl show -vserver vserver_name -ntfs-sd SD_name -access-type {allow|deny} -account name_or_SID
  vserver security file-directory ntfs dacl show -vserver vs1 -ntfs-sd sd1 -access-type deny -account domain\joe
                   Vserver: vs1
  Security Descriptor Name: sd1
             Allow or Deny: deny
       Account Name or SID: DOMAIN\joe
             Access Rights: full-control
    Advanced Access Rights: -
                  Apply To: this-folder
             Access Rights: full-control
Learn more about vserver security file-directory ntfs dacl in the ONTAP command reference.
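The verification step above can be scripted so that a mismatched ACE (for example, allow where deny was intended) is caught before the policy is applied. The following Python is an added example, not NetApp code: it parses the dacl show output format shown on this page and compares it with the intended entry. The label-to-parameter mapping, the function names and the case-insensitive comparison are assumptions made for illustration, and the sample output is constructed from the page's example.

```python
# SAMPLE_OUTPUT is constructed from the example `dacl show` output on this page.
SAMPLE_OUTPUT = r"""
                 Vserver: vs1
Security Descriptor Name: sd1
           Allow or Deny: deny
     Account Name or SID: DOMAIN\joe
           Access Rights: full-control
  Advanced Access Rights: -
                Apply To: this-folder
           Access Rights: full-control
"""
# The ACE from the page's `dacl add` example, keyed by parameter name.
INTENDED = {"vserver": "vs1", "ntfs-sd": "sd1", "access-type": "deny",
            "account": r"domain\joe", "rights": "full-control",
            "apply-to": "this-folder"}
# Assumed mapping from labels in the show output to `dacl add` parameters.
LABEL_TO_PARAM = {
    "Vserver": "vserver",
    "Security Descriptor Name": "ntfs-sd",
    "Allow or Deny": "access-type",
    "Account Name or SID": "account",
    "Access Rights": "rights",
    "Apply To": "apply-to",
}

def parse_dacl_show(text):
    """Parse 'Label: value' lines; a repeated label must repeat the same value."""
    entry = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        label, value = label.strip(), value.strip()
        if not sep or label not in LABEL_TO_PARAM:
            continue  # blank lines and fields we do not compare
        param = LABEL_TO_PARAM[label]
        if param in entry and entry[param] != value:
            raise ValueError(f"conflicting values for {label!r}")
        entry[param] = value
    return entry

def verify_ace(show_output, intended):
    """Return (param, intended, actual) mismatches; an empty list means OK."""
    actual = parse_dacl_show(show_output)
    mismatches = []
    for param, want in intended.items():
        got = actual.get(param)
        # Case-insensitive: the page shows domain\joe echoed back as DOMAIN\joe.
        if got is None or got.lower() != want.lower():
            mismatches.append((param, want, got))
    return mismatches
```

Calling verify_ace(SAMPLE_OUTPUT, INTENDED) returns an empty list for the page's example; any tuple in the result names the parameter that differs from what was intended.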