vserver security file-directory ntfs dacl modify
Modify an NTFS security descriptor DACL entry
Description
The vserver security file-directory ntfs dacl modify command modifies parameters in an existing discretionary access control list (DACL) entry.
You can unambiguously define which DACL entry to modify by specifying the following four parameters in the modify command:
- Vserver associated with the security descriptor that contains the DACL entry
- Name of the security descriptor that contains the DACL entry
- Whether the DACL is an allow or deny type of DACL entry
- The account name or SID to which the DACL is applied
You can modify the following parameters:
- -rights, -advanced-rights, -rights-raw
- -apply-to
Parameters
- -vserver <vserver name> - Vserver
- Specifies the name of the Vserver associated with the security descriptor containing the discretionary access control entry whose parameters you want to modify.
- -ntfs-sd <ntfs sd name> - NTFS Security Descriptor Name
- Specifies the name of the security descriptor that contains the discretionary access control entry that you want to modify.
- -access-type {deny|allow} - Allow or Deny
- Specifies whether the discretionary access control entry that you want to modify is an allow or deny type of access control.
- -account <name or sid> - Account Name or SID
- Specifies the account associated with the discretionary access control entry you want to modify. You can specify the account by using a user name or SID. You can use any of the following formats when specifying the value for this parameter:
- SID
- Domain\user-name
- user-name@Domain
- user-name@FQDN
 Note: If you specify any of the three user name formats for the value of -account, keep in mind that the value for the user name is case insensitive.
- { [-rights {no-access|full-control|modify|read-and-execute|read|write}] - Access Rights
- Specifies the right that you want to add for the account specified in the -account parameter. The -rights parameter is mutually exclusive with the -advanced-rights and -rights-raw parameters. If you specify the -rights parameter, you can only specify one value. You can specify one of the following rights values:
- no-access
- full-control
- modify
- read-and-execute
- read
- write
 
- | [-rights-raw <Hex Integer>] - Raw Access Rights (privilege: advanced)
- Specifies the raw rights that you want to add for the account specified in the -account parameter. The -rights-raw parameter is mutually exclusive with the -advanced-rights and -rights parameters. Specify the value as a hexadecimal integer, for example: 0xA10F or 0xb3ff.
- | [-advanced-rights <Advanced access right>, ...]} - Advanced Access Rights
- Specifies the advanced rights that you want to add for the account specified in the -account parameter. The -advanced-rights parameter is mutually exclusive with the -rights and -rights-raw parameters. You can specify more than one advanced-rights value by using a comma-delimited list. You can specify one or more of the following advanced rights:
- read-data
- write-data
- append-data
- read-ea
- write-ea
- execute-file
- delete-child
- read-attr
- write-attr
- delete
- read-perm
- write-perm
- write-owner
- full-control
 
- [-apply-to {this-folder|sub-folders|files}, ...] - Apply DACL Entry
- Specifies where to apply the discretionary access control entry. You can specify more than one value by using a comma-delimited list. You can specify one or more of the following values:
- this-folder
- sub-folders
- files
 Note: Select one of the following combinations of values for the -apply-to parameter for Storage-Level Access Guard (SLAG):
- this-folder, sub-folders, files
- this-folder, sub-folders
- files
 If you specify an invalid -apply-to value, this security descriptor is removed from the associated Storage-Level Access Guard (SLAG) security file-directory policy task.
Examples
The following example modifies the -rights and -apply-to parameters in the DACL entry associated with the security descriptor named “sd2” on Vserver vs1 for the "BUILTIN\Administrators" account.
            cluster1::> vserver security file-directory ntfs dacl modify -ntfs-sd sd2 -access-type allow -account BUILTIN\Administrators -vserver vs1 -rights modify -apply-to this-folder,sub-folders
            cluster1::> vserver security file-directory ntfs dacl show -vserver vs1 -ntfs-sd sd2 -account BUILTIN\Administrators -instance
                             Vserver: vs1
            Security Descriptor Name: sd2
                       Allow or Deny: allow
                 Account Name or SID: BUILTIN\Administrators
                       Access Rights: modify
              Advanced Access Rights: -
                            Apply To: this-folder, sub-folders
                       Access Rights: modify
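
The parameter rules above (four identifying parameters, mutually exclusive rights parameters, and the -apply-to combinations allowed for SLAG) can be checked before a command is sent to the cluster. The following pre-flight check is an added example, not NetApp code; the `parse` and `lint` functions and the `slag` flag are hypothetical names, and the `sub-folders` spelling follows the command syntax line.

```python
import re

# Allowed values copied from the parameter descriptions on this page.
RIGHTS = {"no-access", "full-control", "modify", "read-and-execute", "read", "write"}
ADVANCED = {"read-data", "write-data", "append-data", "read-ea", "write-ea",
            "execute-file", "delete-child", "read-attr", "write-attr", "delete",
            "read-perm", "write-perm", "write-owner", "full-control"}
APPLY_TO = {"this-folder", "sub-folders", "files"}  # spelling from the syntax line
SLAG_COMBOS = [{"this-folder", "sub-folders", "files"},
               {"this-folder", "sub-folders"}, {"files"}]
KEY = ("-vserver", "-ntfs-sd", "-access-type", "-account")
RIGHT_FLAGS = ("-rights", "-advanced-rights", "-rights-raw")

def parse(cmd):
    """Split the arguments after 'modify' into {flag: value} (no quoting support)."""
    args = cmd.split()
    args = args[args.index("modify") + 1:]
    return dict(zip(args[0::2], args[1::2]))

def lint(cmd, slag=False):
    """Return a list of problems; an empty list means the command passes."""
    p, problems = parse(cmd), []
    problems += [f"missing {k}" for k in KEY if k not in p]
    if p.get("-access-type") not in (None, "allow", "deny"):
        problems.append("-access-type must be allow or deny")
    used = [f for f in RIGHT_FLAGS if f in p]
    if len(used) > 1:
        problems.append("mutually exclusive: " + ", ".join(used))
    if "-rights" in p and p["-rights"] not in RIGHTS:
        problems.append(f"-rights takes exactly one of {sorted(RIGHTS)}")
    bad = set(p.get("-advanced-rights", "").split(",")) - ADVANCED - {""}
    if bad:
        problems.append(f"unknown advanced rights: {sorted(bad)}")
    if "-rights-raw" in p and not re.fullmatch(r"0[xX][0-9a-fA-F]+", p["-rights-raw"]):
        problems.append("-rights-raw must be a hexadecimal integer")
    if "-apply-to" in p:
        scope = set(p["-apply-to"].split(","))
        if scope - APPLY_TO:
            problems.append(f"unknown -apply-to value: {sorted(scope - APPLY_TO)}")
        elif slag and scope not in SLAG_COMBOS:
            problems.append("-apply-to combination not valid for SLAG")
    return problems

# GOOD is the page's own example command; BAD is a constructed failing variant.
GOOD = ("vserver security file-directory ntfs dacl modify -ntfs-sd sd2 -access-type allow "
        "-account BUILTIN\\Administrators -vserver vs1 -rights modify -apply-to this-folder,sub-folders")
BAD = ("vserver security file-directory ntfs dacl modify -vserver vs1 -ntfs-sd sd2 "
       "-access-type allow -account BUILTIN\\Administrators -rights read -rights-raw 0xA10F "
       "-apply-to sub-folders,files")
```

Calling `lint(BAD, slag=True)` reports both the conflicting rights parameters and the -apply-to combination that would cause the security descriptor to be dropped from the SLAG policy task.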