Display information about file security on NTFS security-style volumes

Contributors

You can display information about file and directory security on NTFS security-style volumes, including what the security style and effective security styles are, what permissions are applied, and information about DOS attributes. You can use the results to validate your security configuration or to troubleshoot file access issues.

About this task

You must supply the name of the storage virtual machine (SVM) and the path to the data whose file or folder security information you want to display. You can display the output in summary form or as a detailed list.

  • Because NTFS security-style volumes and qtrees use only NTFS file permissions and Windows users and groups when determining file access rights, UNIX-related output fields contain display-only UNIX file permission information.

  • ACL output is displayed for file and folders with NTFS security.

  • Because Storage-Level Access Guard security can be configured on the volume root or qtree, output for a volume or qtree path where Storage-Level Access Guard is configured might display both regular file ACLs and Storage-Level Access Guard ACLs.

  • The output also displays information about Dynamic Access Control ACEs if Dynamic Access Control is configured for the given file or directory path.

Step
  1. Display file and directory security settings with the desired level of detail:

    If you want to display information…​ Enter the following command…​

    In summary form

    vserver security file-directory show -vserver vserver_name -path path

    With expanded detail

    vserver security file-directory show -vserver vserver_name -path path -expand-mask true

Examples

The following example displays the security information about the path /vol4 in SVM vs1:

cluster::> vserver security file-directory show -vserver vs1 -path /vol4

                                 Vserver: vs1
                               File Path: /vol4
                       File Inode Number: 64
                          Security Style: ntfs
                         Effective Style: ntfs
                          DOS Attributes: 10
                  DOS Attributes in Text: ----D---
                 Expanded Dos Attributes: -
                            Unix User Id: 0
                           Unix Group Id: 0
                          Unix Mode Bits: 777
                  Unix Mode Bits in Text: rwxrwxrwx
                                    ACLs: NTFS Security Descriptor
                                          Control:0x8004
                                          Owner:BUILTIN\Administrators
                                          Group:BUILTIN\Administrators
                                          DACL - ACEs
                                          ALLOW-Everyone-0x1f01ff
                                          ALLOW-Everyone-0x10000000-OI|CI|IO

The following example displays the security information with expanded masks about the path /data/engineering in SVM vs1:

cluster::> vserver security file-directory show -vserver vs1 -path -path /data/engineering -expand-mask true

                Vserver: vs1
              File Path: /data/engineering
      File Inode Number: 5544
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: 0x10
     ...0 .... .... .... = Offline
     .... ..0. .... .... = Sparse
     .... .... 0... .... = Normal
     .... .... ..0. .... = Archive
     .... .... ...1 .... = Directory
     .... .... .... .0.. = System
     .... .... .... ..0. = Hidden
     .... .... .... ...0 = Read Only
           Unix User Id: 0
          Unix Group Id: 0
         Unix Mode Bits: 777
 Unix Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004

                             1... .... .... .... = Self Relative
                             .0.. .... .... .... = RM Control Valid
                             ..0. .... .... .... = SACL Protected
                             ...0 .... .... .... = DACL Protected
                             .... 0... .... .... = SACL Inherited
                             .... .0.. .... .... = DACL Inherited
                             .... ..0. .... .... = SACL Inherit Required
                             .... ...0 .... .... = DACL Inherit Required
                             .... .... ..0. .... = SACL Defaulted
                             .... .... ...0 .... = SACL Present
                             .... .... .... 0... = DACL Defaulted
                             .... .... .... .1.. = DACL Present
                             .... .... .... ..0. = Group Defaulted
                             .... .... .... ...0 = Owner Defaulted

                         Owner:BUILTIN\Administrators
                         Group:BUILTIN\Administrators
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff
                             0... .... .... .... .... .... .... .... = Generic Read
                             .0.. .... .... .... .... .... .... .... = Generic Write
                             ..0. .... .... .... .... .... .... .... = Generic Execute
                             ...0 .... .... .... .... .... .... .... = Generic All
                             .... ...0 .... .... .... .... .... .... = System Security
                             .... .... ...1 .... .... .... .... .... = Synchronize
                             .... .... .... 1... .... .... .... .... = Write Owner
                             .... .... .... .1.. .... .... .... .... = Write DAC
                             .... .... .... ..1. .... .... .... .... = Read Control
                             .... .... .... ...1 .... .... .... .... = Delete
                             .... .... .... .... .... ...1 .... .... = Write Attributes
                             .... .... .... .... .... .... 1... .... = Read Attributes
                             .... .... .... .... .... .... .1.. .... = Delete Child
                             .... .... .... .... .... .... ..1. .... = Execute
                             .... .... .... .... .... .... ...1 .... = Write EA
                             .... .... .... .... .... .... .... 1... = Read EA
                             .... .... .... .... .... .... .... .1.. = Append
                             .... .... .... .... .... .... .... ..1. = Write
                             .... .... .... .... .... .... .... ...1 = Read

                           ALLOW-Everyone-0x10000000-OI|CI|IO
                             0... .... .... .... .... .... .... .... = Generic Read
                             .0.. .... .... .... .... .... .... .... = Generic Write
                             ..0. .... .... .... .... .... .... .... = Generic Execute
                             ...1 .... .... .... .... .... .... .... = Generic All
                             .... ...0 .... .... .... .... .... .... = System Security
                             .... .... ...0 .... .... .... .... .... = Synchronize
                             .... .... .... 0... .... .... .... .... = Write Owner
                             .... .... .... .0.. .... .... .... .... = Write DAC
                             .... .... .... ..0. .... .... .... .... = Read Control
                             .... .... .... ...0 .... .... .... .... = Delete
                             .... .... .... .... .... ...0 .... .... = Write Attributes
                             .... .... .... .... .... .... 0... .... = Read Attributes
                             .... .... .... .... .... .... .0.. .... = Delete Child
                             .... .... .... .... .... .... ..0. .... = Execute
                             .... .... .... .... .... .... ...0 .... = Write EA
                             .... .... .... .... .... .... .... 0... = Read EA
                             .... .... .... .... .... .... .... .0.. = Append
                             .... .... .... .... .... .... .... ..0. = Write
                             .... .... .... .... .... .... .... ...0 = Read

The following example displays security information, including Storage-Level Access Guard security information, for the volume with the path /datavol1 in SVM vs1:

cluster::> vserver security file-directory show -vserver vs1 -path /datavol1

                Vserver: vs1
              File Path: /datavol1
      File Inode Number: 77
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           Unix User Id: 0
          Unix Group Id: 0
         Unix Mode Bits: 777
 Unix Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:BUILTIN\Administrators
                         Group:BUILTIN\Administrators
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff
                           ALLOW-Everyone-0x10000000-OI|CI|IO


                         Storage-Level Access Guard security
                         SACL (Applies to Directories):
                           AUDIT-EXAMPLE\Domain Users-0x120089-FA
                           AUDIT-EXAMPLE\engineering-0x1f01ff-SA
                         DACL (Applies to Directories):
                           ALLOW-EXAMPLE\Domain Users-0x120089
                           ALLOW-EXAMPLE\engineering-0x1f01ff
                           ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff
                         SACL (Applies to Files):
                           AUDIT-EXAMPLE\Domain Users-0x120089-FA
                           AUDIT-EXAMPLE\engineering-0x1f01ff-SA
                         DACL (Applies to Files):
                           ALLOW-EXAMPLE\Domain Users-0x120089
                           ALLOW-EXAMPLE\engineering-0x1f01ff
                           ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff

Related information