ONTAP Discussions

Setting Volume NTFS Permission from OnTap

shocko
2,455 Views

I'm using C-mode Ontap 9.3 (soon to be 9.12!) and I have a volume that houses 300 CIFS shares. in total there are ~ 40 million files/folders on this volume

I have a requirement to create the following:

- An ADDS group that has list access to all directories

- An ADDS group that has read access to all files/directories

 

If I share out the root of this volume and add an NTFS ACL for this purpose it's taking over 60 hrs and counting to complete! This is because doing this over the CIFS protocol is incredibly inefficient. 

Is there anyway I can set/modify/add NTFS permissions on this volume from the Filer1/vServer itself? I found the following article but it's not clear to me if this destroys existing NTFS permissions Configure NTFS file permissions using the ONTAP CLI (netapp.com)

1 ACCEPTED SOLUTION

elementx
2,428 Views

I think policies are additive.

I found another place where that is indicated:

> ONTAP REST also allows users to add new DACLs/SACLs permissions to an existing already created NTFS through a simple patch call. 

https://netapp.io/2021/06/28/simplified-management-of-file-security-permissions-with-ontap-rest-apis/

 

Incidentally, the same post also indicates that the CLI/API approach should help shorten the time required to apply new permissions:

 

> The file-directory command allows IT administrators to apply security over large directories without causing significant performance degradation.

 

I haven't tried to use it, so I'd test with ONTAP Simulator or using a test share. Or maybe just wait until someone who's used it confirms for us.

View solution in original post

2 REPLIES 2

elementx
2,429 Views

I think policies are additive.

I found another place where that is indicated:

> ONTAP REST also allows users to add new DACLs/SACLs permissions to an existing already created NTFS through a simple patch call. 

https://netapp.io/2021/06/28/simplified-management-of-file-security-permissions-with-ontap-rest-apis/

 

Incidentally, the same post also indicates that the CLI/API approach should help shorten the time required to apply new permissions:

 

> The file-directory command allows IT administrators to apply security over large directories without causing significant performance degradation.

 

I haven't tried to use it, so I'd test with ONTAP Simulator or using a test share. Or maybe just wait until someone who's used it confirms for us.

ABisht
522 Views

may be too late but we are using the API;s to apply file permissions as per this article here https://docs.netapp.com/us-en/ontap-restapi/ontap/patch-protocols-file-security-permissions-.html#request-body

 

works quite efficiently only problem I have encountered is permissions not getting applied at files level for some reason

Public