Configure advanced NTFS file permissions using the Windows Security tab

Contributors

You can configure standard NTFS file permissions on files and folders by using the Windows Security tab in the Windows Properties window.

Before you begin

The administrator performing this task must have sufficient NTFS permissions to change permissions on the selected objects.

About this task

Configuring NTFS file permissions is done on a Windows host by adding entries to NTFS discretionary access control lists (DACLs) that are associated with an NTFS security descriptor. The security descriptor is then applied to NTFS files and directories. These tasks are automatically handled by the Windows GUI.

Steps
  1. From the Tools menu in Windows Explorer, select Map network drive.

  2. Complete the Map Network Drive dialog box:

    1. Select a Drive letter.

    2. In the Folder box, type the CIFS server name containing the share that contains the data to which you want to apply permissions and the name of the share.

      If your CIFS server name is “CIFS_SERVER” and your share is named “share1”, you should type \\CIFS_SERVER\share1.

      Note

      You can specify the IP address of the data interface for the CIFS server instead of the CIFS server name.

    3. Click Finish.

    The drive you selected is mounted and ready with the Windows Explorer window displaying files and folders contained within the share.

  3. Select the file or directory for which you want to set NTFS file permissions.

  4. Right-click the file or directory, and then select Properties.

  5. Select the Security tab.

    The Security tab displays the list of users and groups for which NTFS permission are set. The Permissions for box displays a list of Allow and Deny permissions in effect for each user or group selected.

  6. Click Advanced.

    The Windows Properties window displays information about existing file permissions assigned to users and groups.

  7. Click Change Permissions.

    The Permissions window opens.

  8. Perform the desired actions:

    If you want to…​ Do the following…​

    Set up advanced NTFS permissions for a new user or group

    1. Click Add.

    2. In the Enter the object name to select box, type the name of the user or group that you want to add.

    3. Click OK.

    Change advanced NTFS permissions from a user or group

    1. In the Permissions entries: box, select the user or group whose advanced permissions you want to change.

    2. Click Edit.

    Remove advanced NTFS permissions for a user or group

    1. In the Permissions entries: box, select the user or group that you want to remove.

    2. Click Remove.

    3. Skip to Step 13.

    If you are adding advanced NTFS permissions on a new user or group or changing NTFS advanced permissions on an existing user or group, the Permission Entry for <Object> box opens.

  9. In the Apply to box, select how you want to apply this NTFS file permission entry.

    If you are setting up NTFS file permissions on a single file, the Apply to box is not active. The Apply to setting defaults to This object only.

  10. In the Permissions box, select the Allow or Deny boxes for the advanced permissions that you want to set on this object.

    • To allow the specified access, select the Allow box.

    • To not allow the specified access, select the Deny box. You can set permissions on the following advanced rights:

    • Full control

      If you choose this advanced right, all other advanced rights are automatically chosen (either Allow or Deny rights).

    • Traverse folder / execute file

    • List folder / read data

    • Read attributes

    • Read extended attributes

    • Create files / write data

    • Create folders / append data

    • Write attributes

    • Write extended attributes

    • Delete subfolders and files

    • Delete

    • Read permissions

    • Change permissions

    • Take ownership

    Note

    If any of the advanced permission boxes are not selectable, it is because the permissions are inherited from the parent object.

  11. If you want subfolders and files of this object to inherit these permissions, select the Apply these permissions to objects and/or containers within this container only box.

  12. Click OK.

  13. After you finish adding, removing, or editing NTFS permissions, specify the inheritance setting for this object:

    • Select the Include inheritable permissions from this object’s parent box.

      This is the default.

    • Select the Replace all child object permissions with inheritable permissions from this object box.

      This setting is not present in the Permissions box if you are setting NTFS file permissions on a single file.

      Note

      Be cautious when selecting this setting. This setting removes all existing permissions on all child objects and replaces them with this object’s permission settings. You could inadvertently remove permissions that you did not want removed. It is especially important when setting permissions in a mixed security-style volume or qtree. If child objects have a UNIX effective security style, propagating NTFS permissions to those child objects results in ONTAP changing these objects from UNIX security style to NTFS security style, and all UNIX permissions on those child objects are replaced with NTFS permissions.

    • Select both boxes.

    • Select neither box.

  14. Click OK to close the Permissions box.

  15. Click OK to close the Advanced Security settings for <Object> box.

    For more information about how to set advanced NTFS permissions, see your Windows documentation.

Related information