Tuesday, 6 October 2015

Using Data ONTAP APIs (PowerShell) to Set ACLs

We encountered a problem this week with a mixed security style qtree. A UNIX client had changed the permissions to effective style UNIX for a folder within the qtree, and - in doing so - NT ACLs had been lost and no one could set permissions to regain NTFS access to this folder.

API and the Data ONTAP PowerShell Toolkit to the rescue!

## TO SEE THE PERMISSIONS BEFORE ##
Get-NcFileDirectorySecurity -path /VOLNAME/QTREE/FOLDER1/FOLDER2 -VserverContext SVM

## TO VIEW CURRENT SECURITY DESCRIPTORS ##
Get-NcFileDirectorySecurityNtfs -VserverContext SVM

## TO VIEW CURRENT SECURITY POLICY TASKS ##
Get-NcFileDirectorySecurityPolicyTask -VserverContext SVM

## THE SET SECURITY COMMAND ##
New-NcFileDirectorySecurityNtfs -SecurityDescriptor ntfssd1 -VserverContext SVM -Owner BUILTIN\Administrators -Group BUILTIN\Administrators |
Add-NcFileDirectorySecurityNtfsDacl -Account HBEU\cfmlive -AccessType Allow -Rights Full_Control -PassThru |
Add-NcFileDirectorySecurityPolicyTask -Name policy1 -path /VOLNAME/QTREE/FOLDER1/FOLDER2 -SecurityType ntfs -PassThru |
Set-NcFileDirectorySecurity

## TO SEE THE PERMISSIONS AFTER ##
Get-NcFileDirectorySecurity -path /VOLNAME/QTREE/FOLDER1/FOLDER2 -VserverContext SVM

Note 1: The command is split into lines after | to make it more readable. The full set security command is one line.
Note 2: Setting an owner already gives that owner Full Control, so the owner doesn’t need to be specified separately.
Note 3: The Security Descriptor and Security Policy Task names need to be unique for the command not to error, hence the checks of the current descriptors and policy tasks beforehand.
Note 4: This is for Clustered Data ONTAP.
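
The set security command above, wrapped as an added example (not code from the original post) that generates fresh descriptor and task names on every run so the uniqueness requirement in Note 3 cannot cause a failure, and that returns the before and after state for the change record. The function name Reset-NtfsAcl, its parameter names and the sd_/pol_ naming scheme are assumptions; it uses only the cmdlets and parameters shown in the post and assumes the toolkit is loaded and Connect-NcController has already been run.

```powershell
# Added example, not from the original post.
function Reset-NtfsAcl {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Vserver,
        # Junction-style path as used in the post, e.g. /VOLNAME/QTREE/FOLDER1/FOLDER2
        [Parameter(Mandatory = $true)] [ValidatePattern('^/[^/]+(/[^/]+)*$')] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Account,
        [string] $Owner = 'BUILTIN\Administrators',
        [string] $Group = 'BUILTIN\Administrators'
    )

    # Note 3: descriptor and task names must not already exist, so derive both
    # from a millisecond timestamp instead of reusing fixed names like ntfssd1.
    # (Assumption: names of this form and length are accepted by the SVM.)
    $stamp      = Get-Date -Format 'yyyyMMddHHmmssfff'
    $sdName     = "sd_$stamp"
    $policyName = "pol_$stamp"

    # Record the current security on the path before touching it.
    $before = Get-NcFileDirectorySecurity -Path $Path -VserverContext $Vserver

    # -WhatIf / -Confirm gate the only state-changing step.
    if ($PSCmdlet.ShouldProcess("${Vserver}:$Path", "Allow $Account Full_Control")) {
        New-NcFileDirectorySecurityNtfs -SecurityDescriptor $sdName -VserverContext $Vserver -Owner $Owner -Group $Group |
            Add-NcFileDirectorySecurityNtfsDacl -Account $Account -AccessType Allow -Rights Full_Control -PassThru |
            Add-NcFileDirectorySecurityPolicyTask -Name $policyName -Path $Path -SecurityType ntfs -PassThru |
            Set-NcFileDirectorySecurity
    }

    $after = Get-NcFileDirectorySecurity -Path $Path -VserverContext $Vserver

    # Return everything needed to document (or later clean up) the change.
    [pscustomobject]@{
        Vserver            = $Vserver
        Path               = $Path
        SecurityDescriptor = $sdName
        PolicyTask         = $policyName
        Before             = $before
        After              = $after
    }
}

# Dry run first, then repeat without -WhatIf to apply:
# Reset-NtfsAcl -Vserver SVM -Path /VOLNAME/QTREE/FOLDER1/FOLDER2 -Account 'HBEU\cfmlive' -WhatIf
```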
