Network Storage Protocols Discussions

NTFS security: How to handle internal security objects?



I'm using the C# ONTAP API 9.5P3 to create directories and assign NTFS security DACLs to them. In this process a security policy, a security policy task and a security descriptor are being created. When deleting the created directory, these objects remain and never get deleted by the server.


How should I deal with these objects? Ignore them? Delete them immediately or on directory deletion (which might be done by a user over CIFS)? What if permissions need to change?

Code I used for testing:

// create security policy
string policyName = "my-policy";
new FileDirectorySecurityPolicyCreate {PolicyName = policyName}.Invoke(filer);

// create directory and apply NTFS DACLs
string uuid = BuildUniqueIdentifier();
string securityDescriptorName = $"sd-{uuid}";

new FileCreateDirectory {Perm = "0777", Path = "/vol/Test_CIFS_volume/test-folder"}.Invoke(filer);

new FileDirectorySecurityNtfsCreate{Owner = "John Doe", NtfsSd = securityDescriptorName}.Invoke(filer);

new FileDirectorySecurityNtfsDaclAdd
	NtfsSd = securityDescriptorName,
	Account = "Unauthorized Person",
	AccessType = "deny",
	ApplyTo = new[] {"this-folder"}

new FileDirectorySecurityPolicyTaskAdd
	PolicyName = policyName,
	NtfsSd = new[] {securityDescriptorName},
	Path = "/Test_CIFS_volume/test-folder"

new FileDirectorySecuritySet {PolicyName = policyName}.Invoke(filer);

// delete the created directory
new FileDeleteDirectory {Path = "/vol/Test_CIFS_volume/test-folder"}.Invoke(filer);

// output existing security objects (implementation omitted for readability) 
ListPolicyTasks(filer, policyName);


API Version: NetApp Release 9.5P3: Tue Apr 16 22:44:27 UTC 2019
Security Descriptors:
 - sd-1575281495-f39a5bf0-244b-45ac-866b-49b83f6ef0b9 [Owner: John Doe]
 - my-policy
Tasks for policy my-policy:
 - ntfs [Path: /Test_CIFS_volume/test-folder]

Re: NTFS security: How to handle internal security objects?

I got my question answered by support: A developer utilizing these API calls has full responsibility over the generated entities. They never get deleted by the NetApp-Server. If a user deletes the related file system objects, the entities are not getting deleted either. The recommendation is to keep the system clean and delete them as soon as possible.