Setting NTFS Permissions in Clustered Data ONTAP

After spending the last few weeks moving into my new place and having “fun” furnishing it, I am back on the road armed with more content! Within a few hours of being onsite today I got asked if it was possible to set NTFS permissions on files and/or folders within Clustered Data ONTAP (cDOT). This is another commonly asked question, and the answer is yes: you can apply NTFS permissions to filesystem objects from within cDOT. Below is a summarized step-by-step tutorial on how to apply NTFS permissions to a given path (the root of a volume, or a file or folder that resides within a cDOT volume):

  • Create a file-directory policy
    vserver security file-directory policy create -vserver db_svm_file -policy-name pol1
  • Create a security descriptor which will contain the access control entries
    vserver security file-directory ntfs create -vserver db_svm_file -ntfs-sd sd1
  • Add a task to the policy which includes the path you would like to apply the policy to
    vserver security file-directory policy task add -vserver db_svm_file -policy-name pol1 -path /software_cifs_nfs_1 -security-type ntfs -ntfs-mode propagate -ntfs-sd sd1
  • Add access control entries to the recently created security descriptor. NOTE: Any access control entries NOT added to the security descriptor will be removed from the specified parent & children filesystem objects when the policy is applied!
    vserver security file-directory ntfs dacl add -vserver db_svm_file -ntfs-sd sd1 -account "DBURKLAND\Domain Admins" -access-type Allow -rights full-control -apply-to this-folder,sub-folders,files
    vserver security file-directory ntfs dacl add -vserver db_svm_file -ntfs-sd sd1 -account "DBURKLAND\Domain Users" -access-type Allow -rights modify -apply-to this-folder,sub-folders,files
  • Display the properties of the security descriptor to confirm that all of the necessary entries are present
    vserver security file-directory ntfs dacl show -vserver db_svm_file -ntfs-sd sd1
  • Apply the policy to the appropriate vserver
    vserver security file-directory apply -vserver db_svm_file -policy-name pol1
  • Verify the policy was applied correctly to the vserver
    vserver security file-directory job show -instance
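
Because applying the policy removes every access control entry that is not in the security descriptor, it helps to compare the accounts that hold access today against the planned entries before running the apply step. The following is an added example, not part of the original post or NetApp tooling: it assumes the operator supplies the list of accounts currently on the path, uses a made-up svc_backup account as constructed sample data, and emits only the commands and flags shown in the steps above.

```python
# Added example: pre-flight check plus command generation for the steps above.
# Only flags and values that appear on this page are emitted.
ALLOWED_RIGHTS = {"full-control", "modify"}
APPLY_TO = "this-folder,sub-folders,files"
BASE = "vserver security file-directory"


def dropped_accounts(current, planned):
    """Accounts with an ACE today that the new descriptor omits (case-insensitive)."""
    keep = {account.casefold() for account, _ in planned}
    return sorted({a for a in current if a.casefold() not in keep})


def build_commands(vserver, policy, sd, path, planned, current, accept_drop=()):
    """Return the command sequence; raise if an ACE would be lost unacknowledged."""
    accepted = {a.casefold() for a in accept_drop}
    unreviewed = [a for a in dropped_accounts(current, planned) if a.casefold() not in accepted]
    if unreviewed:
        raise ValueError("would lose access, not acknowledged: " + ", ".join(unreviewed))
    cmds = [
        f"{BASE} policy create -vserver {vserver} -policy-name {policy}",
        f"{BASE} ntfs create -vserver {vserver} -ntfs-sd {sd}",
        f"{BASE} policy task add -vserver {vserver} -policy-name {policy} "
        f"-path {path} -security-type ntfs -ntfs-mode propagate -ntfs-sd {sd}",
    ]
    for account, rights in planned:
        if rights not in ALLOWED_RIGHTS:
            raise ValueError(f"unexpected rights value: {rights}")
        if any(ch in account for ch in '"\n\r'):  # would break the quoted argument
            raise ValueError(f"unsafe character in account name: {account!r}")
        cmds.append(
            f"{BASE} ntfs dacl add -vserver {vserver} -ntfs-sd {sd} "
            f'-account "{account}" -access-type Allow -rights {rights} -apply-to {APPLY_TO}'
        )
    cmds += [
        f"{BASE} ntfs dacl show -vserver {vserver} -ntfs-sd {sd}",
        f"{BASE} apply -vserver {vserver} -policy-name {policy}",
        f"{BASE} job show -instance",
    ]
    return cmds


# Constructed sample: svc_backup is a made-up account standing in for an
# existing ACE that the new descriptor forgets.
CURRENT = [r"DBURKLAND\Domain Admins", r"DBURKLAND\Domain Users", r"DBURKLAND\svc_backup"]
PLANNED = [(r"DBURKLAND\Domain Admins", "full-control"), (r"DBURKLAND\Domain Users", "modify")]

if __name__ == "__main__":
    print("Would be removed:", dropped_accounts(CURRENT, PLANNED))
```

Passing the account in accept_drop records that its removal was reviewed; without it, build_commands refuses to produce the apply sequence.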

For more details please refer to the following links: