Create an NTFS security descriptor

Contributors netapp-aherbin

Creating an NTFS security descriptor audit policy is the first step in configuring and applying NTFS access control lists (ACLs) to files and folders residing within SVMs. You will associate the security descriptor with the file or folder path in a policy task.

About this task

You can create NTFS security descriptors for files and folders residing within NTFS security-style volumes, or for files and folders residing on mixed security-style volumes.

By default, when a security descriptor is created, four discretionary access control list (DACL) access control entries (ACEs) are added to that security descriptor. The four default ACEs are as follows:

| Object | Access type | Access rights | Where to apply the permissions |
| --- | --- | --- | --- |
| BUILTIN\Administrators | Allow | Full Control | this-folder, sub-folders, files |
| BUILTIN\Users | Allow | Full Control | this-folder, sub-folders, files |
| CREATOR OWNER | Allow | Full Control | this-folder, sub-folders, files |
| NT AUTHORITY\SYSTEM | Allow | Full Control | this-folder, sub-folders, files |

You can customize the security descriptor configuration by using the following optional parameters:

  • Owner of the security descriptor

  • Primary group of the owner

  • Raw control flags

The value for any optional parameter is ignored for Storage-Level Access Guard. See the man pages for more information.

Steps
  1. If you want to use the advanced parameters, set the privilege level to advanced: set -privilege advanced

  2. Create a security descriptor: vserver security file-directory ntfs create -vserver vserver_name -ntfs-sd SD_name optional_parameters

    vserver security file-directory ntfs create -ntfs-sd sd1 -vserver vs1 -owner DOMAIN\joe

  3. Verify that the security descriptor configuration is correct: vserver security file-directory ntfs show -vserver vserver_name -ntfs-sd SD_name

    vserver security file-directory ntfs show -vserver vs1 -ntfs-sd sd1

                                     Vserver: vs1
                    Security Descriptor Name: sd1
            Owner of the Security Descriptor: DOMAIN\joe

  4. If you are in the advanced privilege level, return to the admin privilege level: set -privilege admin
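
When descriptors are created by automation, the check in step 3 can be scripted. The following is an added example, not part of the original page or of NetApp's tooling: it parses the show output from step 3 and reports any field that differs from what was requested. The function names are hypothetical, and the sample output is constructed from the three fields shown on this page.

```python
"""Check 'vserver security file-directory ntfs show' output against expected values."""

# Constructed sample: the step 3 output from this page, including the echoed command.
SAMPLE_OUTPUT = """\
vserver security file-directory ntfs show -vserver vs1 -ntfs-sd sd1

                                 Vserver: vs1
                Security Descriptor Name: sd1
        Owner of the Security Descriptor: DOMAIN\\joe
"""

# Windows account names are case-insensitive, so these fields are compared
# without regard to case (assumption: the CLI may echo a different casing).
ACCOUNT_FIELDS = {"Owner of the Security Descriptor"}


def parse_show_output(text):
    """Return {field label: value} for every 'label: value' line."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep or not label.strip():
            continue  # blank line, or the echoed command, which has no colon
        fields[label.strip()] = value.strip()
    return fields


def verify_descriptor(text, expected):
    """Return a list of mismatch descriptions; an empty list means verified."""
    actual = parse_show_output(text)
    problems = []
    for label, want in expected.items():
        got = actual.get(label)
        if got is None:
            problems.append(f"{label}: missing from output")
            continue
        same = got.lower() == want.lower() if label in ACCOUNT_FIELDS else got == want
        if not same:
            problems.append(f"{label}: expected {want!r}, got {got!r}")
    return problems


if __name__ == "__main__":
    expected = {"Vserver": "vs1", "Security Descriptor Name": "sd1",
                "Owner of the Security Descriptor": "DOMAIN\\joe"}
    print(verify_descriptor(SAMPLE_OUTPUT, expected) or "descriptor matches")
```

A field that is absent from the output is reported as a problem rather than skipped, so a failed create or a wrong descriptor name does not pass silently.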