2014-07-11 02:12 PM
I'm cross-posting this note in both the NetApp PowerShell Toolkit (MS Cloud and Svr Virt) and the Workflow Automation communities as the audience I'm looking for probably spans both.
Many NetApp CIFS users create single Volume/CIFS-share combos (or a qtree within) and then control access to portions of it by setting NTFS folder/file permissions on the qtree or folders with the share. I'm trying to advise customers the options available for doing this in an automated fashion. Options I'm aware of include:
Since I believe the fsecurity command is 7-mode only, I'm leaning towards recommending Get-ACL & Set-ACL since I presume these would work in both a 7-mode and cDOT environment. The idea would use NetApp PS Toolkit cmdlets to create a volume and share, then the PoSH code would map to the newly created share (\\filer\share), then create folder(s) within it and apply permissions to the folder using Get/Set-ACL cmdlets.
However, reading this article ...
... there is this statement: "... Additionally, the .NET Framework doesn't provide classes that represent the permissions in every type of Windows resource. For example, while the .NET Framework provides classes that let you manipulate file security, it doesn't provide classes that let you work with the security on shared folders. ..."
Q1: I'm a little fuzzy on MS CIFS terminology, but is this saying how I envisioned using Get/Set-ACL above would NOT work ... because the mapped folder is being accessed via the CIFS sharing protocol?
Q2: I also see mention of the Dsacls.exe, Cacls.exe, and Xcacls.exe CLI commands. Can anyone comment as to if this 'would' or wouldn't work against a folder/file being access in a CIFS share?
Q3: I have working examples of WFA commands that use the fsecurity command but they are 7-mode mode only. Another question is if/how would NetApp recommend doing similar functions in a cDOT environment?
Q4: Lastly ... Is anyone aware of PoSH or WFA cmds that automate NTFS folder/file permission setting using techniques other than that fsecurity command ... or is that the only way?
2014-07-12 06:09 AM
Good questions and at the moment I can only answer the below. I would need on work on the others the answer correctly.
@ Q1: I'm a little fuzzy on MS CIFS terminology, but is this saying how I envisioned using Get/Set-ACL above would NOT work ... because the mapped folder is being accessed via the CIFS sharing protocol?
Both Get-Acl and Set-Acl can work with network mapped drives or network folder available by cifs sharing.
Get-Acl -Path \\10.226.179.161\WFA-Backups
Get-Acl -Path Y:\WFA-Backups
Also set-Acl would work be depends on what permission you have on the folder.
2014-07-14 08:50 AM
1 - as said, get-acl and set-acl work just fine
2 - the other Windows CLI tools work as well
3 - i haven't used WFA and i don't know what the recommendations are, but fsecurity is available on cDOT in the nodeshell
4 - i would probably recommend get/set-acl (it is what i use for our provisioning scripts), but for cDOT there is Add/Get/Set/Remove-NcFileDirectorySecurityNtfs
2014-12-23 02:25 AM - edited 2014-12-23 06:22 AM
I created this WFA command to add permission to given UNC path, needed permission and domain user/group and another one to remove NTFS permission (usually Everyone-FullControl is auto and we want to remove it)
It's pretty straight forward.
I'll tweak it more for my customer that asked for it.