When should ACLs be created or modified from the NetApp CLI?
Applies to
ONTAP 9
Answer
- NetApp provides the ability in both 7-mode and CDOT to manipulate a limited portion of both SACL and DACL entries on NTFS filesystem objects. These tools should be used only in the specific use cases detailed below.
- Currently, the ONTAP CLI provides no method to manipulate NFSv4 ACLs. NFSv4 ACLs can be manipulated from an NFS client using the nfs4_getfacl and nfs4_setfacl client utilities.
- Use cases for using the CLI to set file and folder security:
  - Storage of files in large enterprise environments, such as file storage in home directories. An example of this would be a new home directory cloned from an existing home directory, where all ACLs need to be updated for the new user.
  - Migration of data. For example, existing ACLs on the migrated data do not allow access, or all of them need to be overwritten.
  - Change of Windows domain. This scenario involves a domain SID change, where no access to files is allowed via the new domain controllers.
  - Standardization of file security and audit policies across NTFS file systems. This use case revolves around a global or file-system-wide change.
- All the above use cases are intended for one-time large-scale changes, or for outage troubleshooting where the Security tab in Windows Explorer file/folder properties does not allow ACL changes.
- Any changes to ACLs made via the CLI *may* completely overwrite the current ACLs present on the file or folder if incorrect options are given for the 'ntfs-mode' flag of the 'file-directory policy task add' command.
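
A pre-change check for the 'ntfs-mode' caveat above, as an added example that is not part of the original article or NetApp's tooling: it scans a planned command list for 'file-directory policy task add' lines and flags those that use '-ntfs-mode replace' or leave the mode unstated. The value names (propagate, ignore, replace) are taken from the ONTAP command reference rather than from this page, and the vserver, policy, descriptor names and paths are constructed.

```python
# Added example: pre-change review of planned ONTAP commands (not NetApp code).
# Assumption: the -ntfs-mode values below come from the ONTAP command reference,
# where 'replace' overwrites existing permissions on sub-folders and files.
NTFS_MODES = {"propagate", "ignore", "replace"}
TASK_ADD = ["file-directory", "policy", "task", "add"]

# Constructed change plan: vserver, policy, descriptor names and paths are made up.
SAMPLE_RUNBOOK = """\
# home directory clone for a new user
vserver security file-directory policy create -vserver vs1 -policy-name homedirs
vserver security file-directory policy task add -vserver vs1 -policy-name homedirs -path /home/newuser -ntfs-mode propagate -ntfs-sd sd_newuser
vserver security file-directory policy task add -vserver vs1 -policy-name homedirs -path /home -ntfs-mode replace -ntfs-sd sd_newuser
vserver security file-directory policy task add -vserver vs1 -policy-name homedirs -path /archive -ntfs-sd sd_archive
"""


def _is_task_add(tokens):
    """True if the full (unabbreviated) 'file-directory policy task add' appears."""
    n = len(TASK_ADD)
    return any(tokens[i:i + n] == TASK_ADD for i in range(len(tokens) - n + 1))


def _flags(tokens):
    """Map each '-flag' to the value that follows it."""
    return {t: v for t, v in zip(tokens, tokens[1:])
            if t.startswith("-") and not v.startswith("-")}


def review_runbook(text):
    """Return (line_no, severity, path, reason) for task lines needing sign-off."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not _is_task_add(tokens):
            continue
        flags = _flags(tokens)
        path, mode = flags.get("-path", "?"), flags.get("-ntfs-mode")
        if mode is None:
            findings.append((line_no, "REVIEW", path, "-ntfs-mode not stated explicitly"))
        elif mode not in NTFS_MODES:
            findings.append((line_no, "REVIEW", path, f"unknown -ntfs-mode {mode!r}"))
        elif mode == "replace":
            findings.append((line_no, "HIGH", path, "existing ACLs below path are replaced"))
    return findings


if __name__ == "__main__":
    for finding in review_runbook(SAMPLE_RUNBOOK):
        print(*finding, sep=" | ")
```

Abbreviated ONTAP command forms are not recognized by this check, so the plan should spell commands out in full.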
WARNING