Hello! How to set File Level Security (ACL) on a qtree (or folder) with WFA? Usually we use fsecurity or set it from Windows //FilerA/C$/vol/vol_name, right click the qtree, select Properties and set it from the Security tab. Wondering how it can be automated by WFA.
I'm wondering the same thing. This would be the greatest help that I can imagine with NAS storage provisioning.
I wish that there was an API call in the NMSDK, that would make it easy. I really don't want to have to learn PowerShell in order to do this, and for all I know it can't do it either.
Anyone automated this? Perl would be perfect.
Ah, I see.
Since WFA runs on a Windows host, you could use PowerShell in a WFA command to 1) mount the share as a drive on the WFA server, 2) navigate to the folder containing the files you want to update, 3) use Get-ACL and Set-ACL cmdlets to manipulate file level permissions, as shown here: http://technet.microsoft.com/en-us/library/hh849810.aspx 4) remove the mount as part of clean-up for the command.
Sorry, Scott, I don't have an example WFA command that does this at the moment. Without someone posting an example command or workflow, some PowerShell scripting would be involved.
Hope this helps,
So +1 to Dave's suggestion. But I will give another option. Since you are already familiar with fsecurity, you could implement that option. The DataONTAP PoSH toolkit does not contain a fsecurity cmdlet (I checked the version included with WFA). The other option would be to use Invoke-NaSSH to send the fsecurity command directly to ONTAP. I took a quick look to see if the API was exposed for this in the NMSDK but I don't see anything that matches.
Jeremy Goodrum, NetApp
So the challenge with Get-ACL and Set-ACL is that these default cmdlets use a file path. This means that if you want to set NTFS file permissions, you will need to have a Cifs Share available to the WFA host where the command will be run. This becomes a slight challenge when dealing with secure tenancies. I did try to see if I could 'access' the file path using the Get-NaFile cmdlet but no go. It looks like you will need to map the share to the WFA host and then you can use the Get-ACL and Set-ACL cmdlet.
Jeremy Goodrum, NetApp
I'm assuming that Get-ACL and Set-ACL are PowerShell commands. I'd really rather stick to Perl than learn a whole new language. Is this the only way to do this, and if so, where does one find documentation on the PowerShell commands? I'm a PowerShell virgin, and frankly I'd rather stay that way. There ought to be a way to do this via the NMSDK using Perl (or any of the other NMSDK supported languages). Since a Filer can do it, why can't NMSDK?
The problem that I found was that it doesn't look like this functionality was exposed in the api. I looked at the NMSDK to see if it was listed but like I said, I didn't see anything for this feature. It might be worth a cross post in the NMSDK community.
Yes, those were cmdlets that I mentioned and therefore would be PoSH. Maybe there is a Perl equivalent for setting Windows file permissions. I am not aware of one though.
Jeremy Goodrum, NetApp
I was just presented with this request today for a customer using vfilers and where WFA cannot access CIFS in them and found this post.
I can imagine a WFA command that does the following:
1) Build a properly formatted fsecurity.conf file with the things you want to set NTFS permissions on (see TR-3596 for more info)
2) Put this file on the storage controller
3) Use Invoke-NaSsh to run fsecurity apply with the fsecurity.conf file as input
And then a 2nd WFA command that does:
1) Watch status of previous fsecurity apply command repeatedly until it finishes
I guess I'll add it to my to-do list unless someone has already done it (please share!) or someone has a better/easier way to accomplish.
I was able to set the File Level permissions with the fsecurity command as below:
# connect to controller
Connect-WFAController -Array $Array -VFiler $vFilerName
# validate volume existence - throws error if the volume does not exist
Get-NaVol -Names $VolumeName -ErrorAction Stop
$fullPath = "/vol/" + $vFilerName + "_root/etc/fsecurity_" + $VolumeName + ".conf"
Write-NaFile $fullPath -Data "cb56f6f4`n" -NoOverwrite
Write-NaFile $fullPath -Data "1,0,`"/vol/$VolumeName`",2,`"D:(A;CIOI;0x1f01ff;;;BUILTIN\Administrators)`"" -Append
Write-NaFile $fullPath -Data "`n" -Append
$command = "vfiler run $vFilerName fsecurity apply " + $fullPath
$command_out = Invoke-NaSsh -Command $command
Has anyone tried to construct the fsecurity file?
With the given information below, is it possible to build the fsecurity file?
Access Level       DACL         INHERIT
Full Control       0x001f01ff   CIOI
Modify             0x001301bf   CIOI
Read               0x00120089   CIOI
Read and Execute   0x001200a9   CIOI
Write              0x00100116   CIOI

Security Group     Access Level
OSFOPS             Read and Execute
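One way to build the job file from the table above, as an added example that is not code from any poster in this thread. The function name `New-FsecurityJob` and the validation patterns are hypothetical; the line layout is copied from the working line posted earlier, and joining several ACEs back to back in one SDDL string is assumed to be accepted by fsecurity.

```powershell
# Added example, not from the thread. Masks are the ones listed in the post above.
$AccessMask = @{
    'Full Control'     = '0x001f01ff'
    'Modify'           = '0x001301bf'
    'Read'             = '0x00120089'
    'Read and Execute' = '0x001200a9'
    'Write'            = '0x00100116'
}

function New-FsecurityJob {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [hashtable] $Grants,   # account -> access level
        [ValidatePattern('^[A-Z]*$')] [string] $Inherit = 'CIOI'
    )
    # Path and accounts land inside double-quoted fields of the job file, so
    # reject anything that could close the quote, add a line, or climb with "..".
    if ($Path -notmatch '^/vol/[A-Za-z0-9_]+(/[A-Za-z0-9_.-]+)*$' -or
        $Path -match '/\.\.?(/|$)') {
        throw "Unexpected path: $Path"
    }
    $aces = foreach ($account in ($Grants.Keys | Sort-Object)) {
        if ($account -notmatch '^[A-Za-z0-9_.-]+(\\[A-Za-z0-9_ .-]+)?$') {
            throw "Unexpected account name: $account"
        }
        $level = $Grants[$account]
        if (-not $AccessMask.ContainsKey($level)) {
            throw "Unknown access level: $level"
        }
        "(A;$Inherit;$($AccessMask[$level]);;;$account)"
    }
    # Signature line, then one definition line. The leading "1,0" and the "2"
    # are copied unchanged from the working line posted earlier in the thread.
    $sddl = 'D:' + ($aces -join '')
    "cb56f6f4`n1,0,`"$Path`",2,`"$sddl`"`n"
}

# Constructed sample: the OSFOPS group from the question plus local admins.
$job = New-FsecurityJob -Path '/vol/vol0018a' -Grants @{
    'BUILTIN\Administrators' = 'Full Control'
    'OSFOPS'                 = 'Read and Execute'
}
$job
```

The returned string can be written to the controller with Write-NaFile and applied with fsecurity apply, as in the post above.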
One of my colleagues suggested to use a new cmdlet using the 2.1 NTFSSecurity Module, which works fine on the command line:
PS C:\Users\user> Get-Item \\toaster1\c$\vol\vol0018a | Add-Ace -Account Domain\Global_Group -AccessRights FullControl
PS C:\Users\user> Get-Item \\toaster1\c$\vol\vol0018a | Get-Ace
Path: \\toaster1\c$\vol\vol0018a (Inheritance disabled)
Account Access Rights Applies to Type IsInherited
------- ------------- ---------- ---- -----------
BUILTIN\Administrators (S-1-5-32... FullControl ThisFolderSubfoldersAn... Allow False
Domain\Global_Group (S-1-5-21-5883715... FullControl ThisFolderSubfoldersAn... Allow False
Question: how do I import the 2.1 NTFSSecurity Module so that WFA recognizes the Add-Ace cmdlet?
I downloaded the cmdlet and added an Import-Module command in the profile.ps1 file @ C:\Program Files\netapp\WFA\PoSH
But I get “The term 'Add-Ace' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.”
Any suggestion on how to import a new module to WFA?