<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic NTFS security: How to handle internal security objects? in Network and Storage Protocols</title>
    <link>https://community.netapp.com/t5/Network-and-Storage-Protocols/NTFS-security-How-to-handle-internal-security-objects/m-p/152681#M9332</link>
    <description>NTFS security: How to handle internal security objects? in Network and Storage Protocols</description>
    <pubDate>Wed, 04 Jun 2025 12:07:20 GMT</pubDate>
    <dc:creator>MrFrogger</dc:creator>
    <dc:date>2025-06-04T12:07:20Z</dc:date>
    <item>
      <title>NTFS security: How to handle internal security objects?</title>
      <link>https://community.netapp.com/t5/Network-and-Storage-Protocols/NTFS-security-How-to-handle-internal-security-objects/m-p/152681#M9332</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm using the C# ONTAP API 9.5P3 to create directories and assign NTFS security DACLs to them. In this process a security policy, a security policy task and a security descriptor are being created. When deleting the created directory, these objects remain and never get deleted by the server.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;How should I deal with these objects? Ignore them? Delete them immediately or on directory deletion (which might be done by a user over CIFS)? What if permissions need to change?&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;Code I used for testing:&lt;/P&gt;
&lt;PRE&gt;// create security policy (a named container for apply tasks; scoped to the SVM, persists until deleted)
string policyName = "my-policy";
new FileDirectorySecurityPolicyCreate {PolicyName = policyName}.Invoke(filer);

// create directory and apply NTFS DACLs
string uuid = BuildUniqueIdentifier();
string securityDescriptorName = $"sd-{uuid}";

// file-create-directory takes the "/vol/volume/..." form of the path; mode bits as posted
new FileCreateDirectory {Perm = "0777", Path = "/vol/Test_CIFS_volume/test-folder"}.Invoke(filer);

// security descriptor: a reusable template holding the owner and DACL entries, not yet bound to any path
new FileDirectorySecurityNtfsCreate{Owner = "John Doe", NtfsSd = securityDescriptorName}.Invoke(filer);

// one ACE in the descriptor's DACL
new FileDirectorySecurityNtfsDaclAdd
{
	NtfsSd = securityDescriptorName,
	Account = "Unauthorized Person",
	AccessType = "deny",
	ApplyTo = new[] {"this-folder"}
}.Invoke(filer);

// the task binds the descriptor to a path; here the path is the SVM namespace (junction) path, not the /vol/ form
new FileDirectorySecurityPolicyTaskAdd
{
	PolicyName = policyName,
	NtfsSd = new[] {securityDescriptorName},
	Path = "/Test_CIFS_volume/test-folder"
}.Invoke(filer);

// apply every task in the policy (runs as a job on the cluster)
new FileDirectorySecuritySet {PolicyName = policyName}.Invoke(filer);

// delete the created directory; this does not remove the policy, task or descriptor
new FileDeleteDirectory {Path = "/vol/Test_CIFS_volume/test-folder"}.Invoke(filer);

// output existing security objects (implementation omitted for readability) 
GetVersion(filer);
ListSecurityDescriptors(filer);
ListPolicies(filer);
ListPolicyTasks(filer, policyName);&lt;/PRE&gt;
&lt;P&gt;Output:&lt;/P&gt;
&lt;PRE&gt;API Version: NetApp Release 9.5P3: Tue Apr 16 22:44:27 UTC 2019
Security Descriptors:
 - sd-1575281495-f39a5bf0-244b-45ac-866b-49b83f6ef0b9 [Owner: John Doe]
Policies:
 - my-policy
Tasks for policy my-policy:
 - ntfs [Path: /Test_CIFS_volume/test-folder]
&lt;/PRE&gt;</description>
      <pubDate>Wed, 04 Jun 2025 12:07:20 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Network-and-Storage-Protocols/NTFS-security-How-to-handle-internal-security-objects/m-p/152681#M9332</guid>
      <dc:creator>MrFrogger</dc:creator>
      <dc:date>2025-06-04T12:07:20Z</dc:date>
    </item>
    <item>
      <title>Re: NTFS security: How to handle internal security objects?</title>
      <link>https://community.netapp.com/t5/Network-and-Storage-Protocols/NTFS-security-How-to-handle-internal-security-objects/m-p/152873#M9336</link>
      <description>&lt;P&gt;I got my question answered by support: A developer utilizing these API calls has full responsibility for the generated entities. They never get deleted by the NetApp server. If a user deletes the related file system objects, the entities are not deleted either. The recommendation is to keep the system clean and delete them as soon as possible.&lt;/P&gt;</description>
      <pubDate>Mon, 09 Dec 2019 08:52:33 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Network-and-Storage-Protocols/NTFS-security-How-to-handle-internal-security-objects/m-p/152873#M9336</guid>
      <dc:creator>MrFrogger</dc:creator>
      <dc:date>2019-12-09T08:52:33Z</dc:date>
    </item>
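    <item>
      <title>Added example (technical editor's note, not part of the original thread): create, apply and remove the NTFS security objects in one routine</title>
      <description>Added example, written for this page by the technical editor; it is not code from the original poster or from NetApp. The support answer in the thread means the policy, policy task and security descriptor are scratch objects owned by the caller. The routine below creates them under unique names, applies them to a path, and tears them down again in reverse order inside a finally block, so nothing is left on the SVM even when a step fails. It reuses the SDK wrapper classes from the posted code; the delete counterparts FileDirectorySecurityPolicyTaskRemove, FileDirectorySecurityNtfsDelete and FileDirectorySecurityPolicyDelete are assumed to follow the SDK's ZAPI-to-class naming (file-directory-security-policy-task-remove, file-directory-security-ntfs-delete, file-directory-security-policy-delete) and should be checked against the installed SDK version. The NtfsAce class, the temporary names, the Rights/ApplyTo values and the waitForApplyJob callback are the example's own assumptions.

```csharp
using System;
using NetApp.Manage; // NaServer and NaApiFailedException (NetApp Manageability SDK)
// Also add the namespace of the generated ZAPI wrapper classes (FileDirectorySecurity*)
// from the same SDK build as the original post; its name depends on the SDK version.

// One access-control entry for the descriptor (example's own type). Values are the
// ZAPI/CLI strings: AccessType "allow" or "deny"; Rights e.g. "full-control",
// "modify", "read-and-execute", "read".
public sealed class NtfsAce
{
    public string Account;
    public string AccessType;
    public string Rights;
}

public static class NtfsSecurityLifecycle
{
    // Creates a throw-away policy, security descriptor and task, applies them to
    // junctionPath and removes all three again, whether or not the apply succeeded.
    // junctionPath is the SVM namespace path ("/Test_CIFS_volume/test-folder"),
    // not the "/vol/..." form that file-create-directory expects.
    // waitForApplyJob: file-directory-security-set only queues a job on the cluster;
    // the callback must block until that job has finished (e.g. by polling the job
    // API), otherwise the teardown below can race the apply.
    public static void ApplyDacl(NaServer filer, string junctionPath, string owner,
                                 NtfsAce[] aces, Action waitForApplyJob)
    {
        // Policy and descriptor names are per SVM and persist until deleted, so a
        // fixed name would collide with leftovers from an earlier, interrupted run.
        string suffix = Guid.NewGuid().ToString("N").Substring(0, 12);
        string policyName = "tmp-policy-" + suffix;
        string sdName = "tmp-sd-" + suffix;
        bool policyCreated = false, sdCreated = false, taskAdded = false;

        try
        {
            new FileDirectorySecurityPolicyCreate { PolicyName = policyName }.Invoke(filer);
            policyCreated = true;

            new FileDirectorySecurityNtfsCreate { NtfsSd = sdName, Owner = owner }.Invoke(filer);
            sdCreated = true;

            foreach (NtfsAce ace in aces)
            {
                new FileDirectorySecurityNtfsDaclAdd
                {
                    NtfsSd = sdName,
                    Account = ace.Account,
                    AccessType = ace.AccessType,
                    Rights = ace.Rights,
                    ApplyTo = new[] { "this-folder", "sub-folders", "files" }
                }.Invoke(filer);
            }

            new FileDirectorySecurityPolicyTaskAdd
            {
                PolicyName = policyName,
                NtfsSd = new[] { sdName },
                Path = junctionPath
            }.Invoke(filer);
            taskAdded = true;

            new FileDirectorySecuritySet { PolicyName = policyName }.Invoke(filer);
            if (waitForApplyJob != null)
            {
                waitForApplyJob();
            }
        }
        finally
        {
            // Reverse order of creation. Each step is attempted on its own so that one
            // failure does not leave the remaining objects behind.
            if (taskAdded)
            {
                try { new FileDirectorySecurityPolicyTaskRemove { PolicyName = policyName, Path = junctionPath }.Invoke(filer); }
                catch (NaApiFailedException e) { Report("policy task", e); }
            }
            if (sdCreated)
            {
                // Deleting the descriptor also drops the DACL entries added to it.
                try { new FileDirectorySecurityNtfsDelete { NtfsSd = sdName }.Invoke(filer); }
                catch (NaApiFailedException e) { Report("security descriptor", e); }
            }
            if (policyCreated)
            {
                try { new FileDirectorySecurityPolicyDelete { PolicyName = policyName }.Invoke(filer); }
                catch (NaApiFailedException e) { Report("policy", e); }
            }
        }
    }

    private static void Report(string what, NaApiFailedException e)
    {
        // A leftover here is exactly what the thread warns about: log it so it can be cleaned up.
        Console.Error.WriteLine("cleanup of " + what + " failed: " + e.Message);
    }
}
```

Usage: build the full intended ACE list (for the folder in the thread, a deny entry for "Unauthorized Person" plus whatever allow entries the folder needs) and call ApplyDacl(filer, "/Test_CIFS_volume/test-folder", "John Doe", aces, waitForApplyJob). When permissions need to change, call it again with the complete new list; because every call creates and removes its own policy, descriptor and task, there is nothing to edit in place and nothing to forget on directory deletion. Do pass a real waitForApplyJob callback: if the descriptor is deleted before the queued apply job has run, the apply could fail or apply nothing.</description>
    </item>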
  </channel>
</rss>

