ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

Setting NTFS ACL permission via the ONTAP PowerShell module

PwrShll
‎2018-09-19 12:13 PM
5,728 Views

 

Hello,

 

How can I apply NTFS permissions using the ONTAP PowerShell module? I can't use Set-Acl because I can't pass credentials to it for automation.

 

When provisioning CIFS shares using the Add-NcCifsShare command, I can see ACL is included... usually the Everyone group since it's a new share. See below.

 

add-nccifsshare.png

I can also see the permission I applied via the GUI in Windows show up using Get-NcFileDirectorySecurity and looking at the Acls property. What ONTAP command can I use to apply a AD group and say Read/Execute/List, and another AD group to Modify?

 

Get-ncfiledirectory.png

Preview file
14 KB
0 Kudos
Tags (3)
2 REPLIES 2

GidonMarcus
‎2018-09-20 05:22 PM
5,682 Views

Hi.

 

This is the ontap PS module way:

http://www.craig-tolley.co.uk/2016/02/09/assigning-permissions-to-a-volume-through-the-netapp-powershell-toolkit/

 

however i think that set-acl is the easier way i'm adding below a function i'm using in my provision script that elevate the permission with Invoke-Command. also - as you start with everyone/full control you acutely only need permission on the share to change the ACL with whatever user you running with (if' it's authenticating). so you can create the share with the default access list, apply NTFS ACL and then only changes the share access list as well.

 

use with:

Set-MyPermission -MyPath "\\filer\share\" -MyCred (get-credential)

 

Function Set-MyPermission
{
    [CmdletBinding()]
    param($MyPath,$MyCred)
    $MyPSSession = New-PSSession -Credential $MyCred 
    Invoke-Command -Session $MyPSSession -ArgumentList $MyPath -ScriptBlock `
    {
        param([string]$MyPath)
        try
        {
            $MyObjacl =  Get-ACL $MyPath
        }
        Catch
        {
            Write-Error -Category InvalidData -message  "Could not get current Folder ACL"
            return
        }
	try
	{
	    $MyAclRule = New-Object System.Security.AccessControl.FileSystemAccessRule(("RW_Group"),"Modify","ContainerInherit, ObjectInherit", "Allow", "Allow") 
	    $MyObjacl.AddAccessRule($MyAclRule)
	    #add more lines as above here
        }
        catch
        {
            Write-Error -Category InvalidData -message  "Failed to use one or more of the groups to create the ACE"
            return
        }
        try
        {
            Set-Acl $MyPath $MyObjacl
        }
        Catch
        {
            Write-Error -Category InvalidData -message "Failed apply the ACE on the folder"
            $MyObjacl
            return
        }
    }
    Remove-PSSession $MyPSSession
}

 

Gidi

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
0 Kudos

PwrShll
‎2018-10-09 07:43 AM
In response to GidonMarcus
5,620 Views

Thanks Gidi,

 

I am checking out that forum post...

 

What are the requirments for using Set-Acl? It requires credentails so does it need access to the mgmt, or svm? Sorry, I am not a NetApp guy.. just attempting to automate shares being created.

 

Thanks!

 

Mike

0 Kudos
Announcements
All Community Forums
Public