Why does adding an NTFS SACL replace DACL entries?
Applies to
- ONTAP 9
- CIFS
- NTFS
- SACL
- DACL
Answer
- Configuring an NTFS SACL and creating a new security descriptor adds 4 default NTFS DACL entries:
cluster1::> vserver security file-directory ntfs show -vserver svm1 -ntfs-sd sd1
There are no entries matching your query.
cluster1::> vserver security file-directory ntfs sacl add -vserver svm1 -ntfs-sd sd1 -access-type failure -account demo\user -rights full-control -apply-to this-folder,sub-folders,files
cluster1::> vserver security file-directory ntfs dacl show -vserver svm1 -ntfs-sd sd1
Vserver: svm1
NTFS Security Descriptor Name: sd1
Account Name     Access   Access         Apply To
                 Type     Rights
--------------   -------  -------        -----------
BUILTIN\Administrators
                 allow    full-control   this-folder, sub-folders, files
BUILTIN\Users    allow    full-control   this-folder, sub-folders, files
CREATOR OWNER    allow    full-control   this-folder, sub-folders, files
NT AUTHORITY\SYSTEM
                 allow    full-control   this-folder, sub-folders, files
4 entries were displayed.
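- If file-directory apply [1] is run against the security descriptor, the existing NTFS DACLs are overwritten by the default ACLs listed above
- This way, the data can still be accessed if someone accidentally applies the security descriptor before more explicit DACLs are defined
- Before applying the file security policy, modify the NTFS DACLs to the desired settings
- If these default DACLs are removed without being modified or replaced with the desired DACLs, the data becomes inaccessible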
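A pre-apply check for the two failure modes described above, as an added example that is not NetApp's code: it parses saved `ntfs dacl show` output and reports when the descriptor still holds only the four default entries or has no allow entries at all. The function names are hypothetical, and the input is assumed to be the command's text output captured to a string.

```python
import re

# The four default entries shown above for a freshly created security descriptor.
DEFAULT_ACCOUNTS = {"BUILTIN\\Administrators", "BUILTIN\\Users",
                    "CREATOR OWNER", "NT AUTHORITY\\SYSTEM"}
ACE = re.compile(r"^(?P<acct>.*?)\s*\b(?P<type>allow|deny)\s+(?P<rights>\S+)\s+(?P<apply>.+)$")

# Sample input: the `dacl show` output from this page, whitespace collapsed.
SAMPLE = r"""Vserver: svm1
NTFS Security Descriptor Name: sd1
Account Name Access Access Apply To
Type Rights
-------------- ------- ------- -----------
BUILTIN\Administrators
allow full-control this-folder, sub-folders, files
BUILTIN\Users allow full-control this-folder, sub-folders, files
CREATOR OWNER allow full-control this-folder, sub-folders, files
NT AUTHORITY\SYSTEM
allow full-control this-folder, sub-folders, files
4 entries were displayed."""

def parse_dacl_show(text):
    """Return (account, type, rights) tuples from `ntfs dacl show` output."""
    aces, wrapped, in_table = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line and set(line) <= {"-", " "}:      # separator row starts the table
            in_table = True
        elif in_table and line and not line.endswith("displayed."):
            m = ACE.match(line)
            if m is None:                          # long account name on its own line
                wrapped = line
            else:
                aces.append((m["acct"] or wrapped, m["type"], m["rights"]))
                wrapped = None
    return aces

def pre_apply_findings(text):
    """Hypothetical gate to run before `file-directory apply`; empty list means proceed."""
    aces = parse_dacl_show(text)
    if not any(t == "allow" for _, t, _ in aces):
        return ["no allow entries: applying this descriptor makes the data inaccessible"]
    if ({a for a, _, _ in aces} == DEFAULT_ACCOUNTS
            and all(t == "allow" and r == "full-control" for _, t, r in aces)):
        return ["DACL is still the default set: applying it overwrites the existing DACL"]
    return []

if __name__ == "__main__":
    print(pre_apply_findings(SAMPLE))
```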