Hi all,
I got a question from a customer which I'd like to discuss here:
$tmpSDID = "sd01"
$tmpPolID = "pol01"
# AAAAA
# create new SD with temp-ID
$sd = New-NcFileDirectorySecurityNtfs -SecurityDescriptor $tmpSDID
# remove default entries from SD-DACL
# defaults are for Creator/Owner; nt auth\SYSTEM, builtin\administrators and builtin\users, all with full-control
Get-NcFileDirectorySecurityNtfsDacl -SecurityDescriptor $tmpSDID | Remove-NcFileDirectorySecurityNtfsDacl
# BBBBBB
# add permissions to DACL of the SD
$ace1 = Add-NcFileDirectorySecurityNtfsDacl -Account $g1 -SecurityDescriptor $tmpSDID -AccessType allow -Rights full_control -ApplyTo this_folder, sub_folders, files
$ace2 = Add-NcFileDirectorySecurityNtfsDacl -Account $g2 -SecurityDescriptor $tmpSDID -AccessType allow -Rights full_control -ApplyTo this_folder, sub_folders, files
$ace3 = Add-NcFileDirectorySecurityNtfsDacl -Account $g3 -SecurityDescriptor $tmpSDID -AccessType allow -Rights full_control -ApplyTo this_folder, sub_folders, files
# CCCCCCCCC
# create policy task
$poltsk = Add-NcFileDirectorySecurityPolicyTask -Name $tmpPolID -SecurityType ntfs -NtfsSecurityDescriptor $tmpSDID -Path $Path
# apply policy task
$r = Set-NcFileDirectorySecurity -Name $tmpPolID
# Cleanup of policy task and descriptors, wait 5 seconds to let the netapp digest...
Start-Sleep -Seconds 5
Remove-NcFileDirectorySecurityPolicy -Name $tmpPolID
Remove-NcFileDirectorySecurityNtfs -Name $tmpSDID
Everything is fine till here. But the customer asks how to assign multiple permissions to the same trustee, which should work as follows:
$ace1 = Add-NcFileDirectorySecurityNtfsDacl -Account $g1 -SecurityDescriptor $tmpSDID -AccessType allow -Rights read -ApplyTo this_folder
$ace2 = Add-NcFileDirectorySecurityNtfsDacl -Account $g1 -SecurityDescriptor $tmpSDID -AccessType allow -Rights full_control -ApplyTo sub_folders, files
But according to the customer this throws an error because of duplicate entries.
In a pure Windows PowerShell environment the customer would handle it like this:
$ACL = Get-Acl $Path
# Rule 1: overwrite existing permissions of $Trustee with new ones
$ar = New-Object system.security.accesscontrol.filesystemaccessrule($Trustee,$Permission,$inhCIOI,$propNone,"Allow")
$ACL.SetAccessRule($ar)
# Rule 2: add additional permissions to $Trustee
$ar = New-Object system.security.accesscontrol.filesystemaccessrule($Trustee,$anderePermission,$inhCIOI,$andereProp,"Allow")
$ACL.AddAccessRule($ar)
Set-Acl -Path $Path -AclObject $ACL
How can we achieve the same with our PowerShell SDK?
Any input is appreciated!
Thanks
Tim
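
The Windows-side result described in the post (one trustee with two allow entries that differ only in scope), as an added example that is not part of the original post. It builds the ACL in memory with the .NET access-control classes, so no folder is touched; the trustee SID (BUILTIN\Users) and the rights are assumptions chosen for illustration.

```powershell
# Added illustration: nothing here reads or writes a real folder.
# Assumed trustee: well-known SID of BUILTIN\Users, so no name lookup is needed.
$Trustee = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

# Empty in-memory security descriptor for a directory
$ACL = New-Object System.Security.AccessControl.DirectorySecurity

$Allow = [System.Security.AccessControl.AccessControlType]::Allow

# Rule 1: "this folder only" = no inheritance flags, no propagation flags
$ar = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Trustee,
    [System.Security.AccessControl.FileSystemRights]::Read,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    $Allow)
# SetAccessRule drops any existing Allow rules for $Trustee, then adds this one
$ACL.SetAccessRule($ar)

# Rule 2: "subfolders and files only" = ContainerInherit + ObjectInherit, InheritOnly
$ar = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Trustee,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    $Allow)
# AddAccessRule only merges into an entry with identical flags; these differ,
# so the DACL ends up with a second entry for the same trustee
$ACL.AddAccessRule($ar)

# List the explicit entries, keeping identities as SIDs
$rules = $ACL.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
$rules | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags

# Review check: more than one explicit entry for the trustee is intended here
$count = @($rules | Where-Object { $_.IdentityReference -eq $Trustee }).Count
"Explicit entries for ${Trustee}: $count"
```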