How to set File Level Security

Hello! How to set File Level Security (ACL) on a qtree (or folder) with WFA? Usually we use fsecurity or set it from Windows //FilerA/C$/vol/vol_name, right click the qtree, select Properties and set it from the Security tab. Wondering how it can be automated by WFA.

Thanks!

Re: How to set File Level Security

I'm wondering the same thing. This would be the greatest help that I can imagine with NAS storage provisioning.

I wish that there was an API call in the NMSDK, that would make it easy. I really don't want to have to learn PowerShell in order to do this, and for all I know it can't do it either.

Anyone automated this? Perl would be perfect.

Re: How to set File Level Security

Have you seen the WFA commands called "Set CIFS Share ACL" and "Set CIFS Share Multiple ACLs"?  Do they provide what you need?

Re: How to set File Level Security

Those commands are to set Share Level Access. They do not provide setting File Level Permissions.

Re: How to set File Level Security

Ah, I see. 

Since WFA runs on a Windows host, you could use PowerShell in a WFA command to 1) mount the share as a drive on the WFA server, 2) navigate to the folder containing the files you want to update, 3) use Get-ACL and Set-ACL cmdlets to manipulate file level permissions, as shown here: http://technet.microsoft.com/en-us/library/hh849810.aspx, and 4) remove the mount as part of clean-up for the command.

Sorry, Scott, I don't have an example WFA command that does this at the moment.  Without someone posting an example command or workflow, some PowerShell scripting would be involved.

Hope this helps,

Dave
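The four steps in the post above, sketched as one PowerShell function. This is an added example, not code from the thread or from WFA; the function name, drive name, share path and account names are hypothetical placeholders, and it assumes PowerShell 3.0 or later and a CIFS share reachable from the WFA host.

```powershell
# Added example. All names and paths below are placeholders, not values from the thread.
function Grant-FolderAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ShareRoot,   # e.g. \\FilerA\share_name (placeholder)
        [Parameter(Mandatory = $true)][string]$Folder,      # qtree/folder path relative to the share
        [Parameter(Mandatory = $true)][string]$Identity,    # e.g. EXAMPLE\nas-users (placeholder)
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential,
        # Default to Modify rather than FullControl so the grant cannot change ownership or the ACL itself.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )

    $driveName = 'WfaAcl'
    # 1) Mount the share as a session-scoped drive; the credential is passed in, never hard-coded.
    New-PSDrive -Name $driveName -PSProvider FileSystem -Root $ShareRoot `
        -Credential $Credential -ErrorAction Stop | Out-Null
    try {
        # 2) Resolve the target folder and fail early if it does not exist.
        $target = Join-Path -Path "${driveName}:\" -ChildPath $Folder
        if (-not (Test-Path -Path $target -PathType Container)) {
            throw "Folder not found: $target"
        }

        # 3) Read the current ACL, add one inheritable Allow entry, and write it back.
        $acl       = Get-Acl -Path $target
        $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $propagate = [System.Security.AccessControl.PropagationFlags]::None
        $allow     = [System.Security.AccessControl.AccessControlType]::Allow
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, $Rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)   # adds to existing entries; nothing is removed

        if ($PSCmdlet.ShouldProcess($target, "Grant $Rights to $Identity")) {
            Set-Acl -Path $target -AclObject $acl
        }

        # Return the entries now present for this identity so the caller can log and verify them.
        # The stored name may come back in DOMAIN\name form, so pass $Identity in that form.
        (Get-Acl -Path $target).Access |
            Where-Object { $_.IdentityReference.Value -eq $Identity }
    }
    finally {
        # 4) Always remove the mount, even when a step above throws.
        Remove-PSDrive -Name $driveName -ErrorAction SilentlyContinue
    }
}
```

Running it with `-WhatIf` mounts the share and builds the rule but skips `Set-Acl`, which is a safe way to check connectivity and the target path before changing permissions.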

Re: How to set File Level Security

So +1 to Dave's suggestion.  But I will give another option.  Since you are already familiar with fsecurity, you could implement that option.  The DataONTAP PoSH toolkit does not contain a fsecurity cmdlet (I checked the version included with WFA).  The other option would be to use Invoke-NaSSH to send the fsecurity command directly to ONTAP.  I took a quick look to see if the API was exposed for this in the NMSDK but I don't see anything that matches.

Jeremy Goodrum, NetApp

The Pirate

Twitter: @virtpirate

Blog: www.virtpirate.com

Re: How to set File Level Security

Has anybody used the Get-ACL or Set-ACL cmdlet on a NetApp file/folder? I tried a couple of options but couldn't make it work.

Re: How to set File Level Security

So the challenge with Get-ACL and Set-ACL is that these default cmdlets use a file path.  This means that if you want to set NTFS file permissions, you will need to have a CIFS share available to the WFA host where the command will be run.  This becomes a slight challenge when dealing with secure tenancies.  I did try to see if I could 'access' the file path using the Get-NaFile cmdlet but no go.  It looks like you will need to map the share to the WFA host and then you can use the Get-ACL and Set-ACL cmdlets.

Jeremy Goodrum, NetApp

Re: How to set File Level Security

I'm assuming that Get-ACL and Set-ACL are PowerShell commands. I'd really rather stick to Perl than learn a whole new language. Is this the only way to do this, and if so, where does one find documentation on the PowerShell commands? I'm a PowerShell virgin, and frankly I'd rather stay that way. There ought to be a way to do this via the NMSDK using Perl (or any of the other NMSDK supported languages). Since a Filer can do it, why can't NMSDK?

Re: How to set File Level Security

The problem that I found was that it doesn't look like this functionality was exposed in the API. I looked at the NMSDK to see if it was listed but, like I said, I didn't see anything for this feature. It might be worth a cross post in the NMSDK community.

Yes, those were cmdlets that I mentioned and therefore would be PoSH. Maybe there is a Perl equivalent for setting Windows file permissions. I am not aware of one though.

Jeremy Goodrum, NetApp