NetApp Knowledge Base

When should ACLs be created or modified from the NetApp CLI?

Category:
ontap-9
Specialty:
nas

Applies to

ONTAP 9

Answer

  • NetApp provides the ability in both 7-Mode and CDOT to manipulate a limited portion of both SACL and DACL entries on NTFS file system objects. These tools should only be used in the specific use cases detailed below.
  • Currently, there is no method to manipulate NFSv4 ACLs via the ONTAP CLI. NFSv4 ACLs can be manipulated from an NFS client using the nfs4_getfacl and nfs4_setfacl client utilities.
  • Use cases for using the CLI to set file and folder security:
    • Storage of files in large enterprise environments, such as file storage in home directories. An example of this would be a new home directory cloned from an existing home directory, where all ACLs need to be updated for the new user.
    • Migration of data. For example, the existing ACLs do not allow access, or all ACLs need to be overwritten on the migrated data.
    • Change of Windows domain. This scenario concerns a domain SID change, where no access to files is allowed via the new Domain Controllers.
    • Standardization of file security and audit policies across NTFS file systems. This use case revolves around a global or file-system-wide change.
  • All the above use cases are intended for one-time large-scale changes, or for outage troubleshooting where the Security tab in Windows Explorer file/folder properties does not allow ACL changes.
  • Any changes to ACLs made via CLI *may* completely overwrite the current ACLs present on the file or folder if the incorrect options are given for the 'ntfs-mode' flag of the 'file-directory policy task add' command.

WARNING

  • This process is not the recommended method for NTFS ACL management
  • It is recommended to use the Windows 'Security' tab whenever possible
  • This process should be used when NTFS ACL management is not available via Windows

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.