Add NTFS SACL access control entries to the NTFS security descriptor

Contributors

Adding SACL (system access control list) access control entries (ACEs) to the NTFS security descriptor is the second step in creating NTFS audit policies for files or folders in SVMs. Each entry identifies the user or group that you want to audit. The SACL entry defines whether you want to audit successful or failed access attempts.

About this task

You can add one or more ACEs to the security descriptor’s SACL.

If the security descriptor contains a SACL that has existing ACEs, the command adds the new ACE to the SACL. If the security descriptor does not contain a SACL, the command creates the SACL and adds the new ACE to it.

You can configure SACL entries by specifying what rights you want to audit for success or failure events for the account specified in the -account parameter. There are three mutually exclusive methods for specifying rights:

  • Rights

  • Advanced rights

  • Raw rights (advanced-privilege)

Note

If you do not specify rights for the SACL entry, the default setting is Full Control.

You can optionally customize SACL entries by specifying how to apply inheritance with the apply to parameter. If you do not specify this parameter, the default is to apply this SACL entry to this folder, subfolders, and files.

Steps
  1. Add a SACL entry to a security descriptor: vserver security file-directory ntfs sacl add -vserver vserver_name -ntfs-sd SD_name -access-type {failure|success} -account name_or_SIDoptional_parameters

    vserver security file-directory ntfs sacl add -ntfs-sd sd1 -access-type failure -account domain\joe -rights full-control -apply-to this-folder -vserver vs1

  2. Verify that the SACL entry is correct: vserver security file-directory ntfs sacl show -vserver vserver_name -ntfs-sd SD_name -access-type {failure|success} -account name_or_SID

    vserver security file-directory ntfs sacl show -vserver vs1 -ntfs-sd sd1 -access-type deny -account domain\joe

                                      Vserver: vs1
                            Security Descriptor Name: sd1
             Access type for Specified Access Rights: failure
                                 Account Name or SID: DOMAIN\joe
                                       Access Rights: full-control
                              Advanced Access Rights: -
                                            Apply To: this-folder
                                       Access Rights: full-control