Network and Storage Protocols

NTFS security: How to handle internal security objects?

MrFrogger
1,692 Views

Hello,

 

I'm using the C# ONTAP API 9.5P3 to create directories and assign NTFS security DACLs to them. In this process a security policy, a security policy task and a security descriptor are being created. When deleting the created directory, these objects remain and never get deleted by the server.

 

How should I deal with these objects? Ignore them? Delete them immediately or on directory deletion (which might be done by a user over CIFS)? What if permissions need to change?


Code I used for testing:

// create security policy
string policyName = "my-policy";
new FileDirectorySecurityPolicyCreate {PolicyName = policyName}.Invoke(filer);

// create directory and apply NTFS DACLs
string uuid = BuildUniqueIdentifier();
string securityDescriptorName = $"sd-{uuid}";

new FileCreateDirectory {Perm = "0777", Path = "/vol/Test_CIFS_volume/test-folder"}.Invoke(filer);

new FileDirectorySecurityNtfsCreate{Owner = "John Doe", NtfsSd = securityDescriptorName}.Invoke(filer);

new FileDirectorySecurityNtfsDaclAdd
{
	NtfsSd = securityDescriptorName,
	Account = "Unauthorized Person",
	AccessType = "deny",
	ApplyTo = new[] {"this-folder"}
}.Invoke(filer);

new FileDirectorySecurityPolicyTaskAdd
{
	PolicyName = policyName,
	NtfsSd = new[] {securityDescriptorName},
	Path = "/Test_CIFS_volume/test-folder"
}.Invoke(filer);

new FileDirectorySecuritySet {PolicyName = policyName}.Invoke(filer);

// delete the created directory
new FileDeleteDirectory {Path = "/vol/Test_CIFS_volume/test-folder"}.Invoke(filer);

// output existing security objects (implementation omitted for readability) 
GetVersion(filer);
ListSecurityDescriptors(filer);
ListPolicies(filer);
ListPolicyTasks(filer, policyName);

Output:

API Version: NetApp Release 9.5P3: Tue Apr 16 22:44:27 UTC 2019
Security Descriptors:
 - sd-1575281495-f39a5bf0-244b-45ac-866b-49b83f6ef0b9 [Owner: John Doe]
Policies:
 - my-policy
Tasks for policy my-policy:
 - ntfs [Path: /Test_CIFS_volume/test-folder]
1 ACCEPTED SOLUTION

MrFrogger
1,504 Views

I got my question answered by support: A developer utilizing these API calls has full responsibility over the generated entities. They never get deleted by the NetApp-Server. If a user deletes the related file system objects, the entities are not getting deleted either. The recommendation is to keep the system clean and delete them as soon as possible.

View solution in original post

1 REPLY 1

MrFrogger
1,505 Views

I got my question answered by support: A developer utilizing these API calls has full responsibility over the generated entities. They never get deleted by the NetApp-Server. If a user deletes the related file system objects, the entities are not getting deleted either. The recommendation is to keep the system clean and delete them as soon as possible.

Public