#Where is the Security Descriptor Defined?


lavish snow
#

I'm attempting to convert an existing playbook we've used for years into a REST compatible one.
The playbook creates qtrees and applies NTFS ACLs to the path.
The equivalent ONTAP CLI commands for applying DACLs are as follows.

DACLs are created and defined by a Security Descriptor, e.g.

vserver security file-directory ntfs dacl add -vserver vs1 -ntfs-sd secsd1-qtree1-ntfs -access-type allow -account DOMAIN\Group1 -rights full -apply-to this-folder,sub-folders,files
vserver security file-directory ntfs dacl add -vserver vs1 -ntfs-sd secsd1-qtree1-ntfs -access-type allow -account DOMAIN\Group2 -rights change -apply-to this-folder,sub-folders,files

Tasks are then defined against a policy:

vserver security file-directory policy task add -vserver vs1 -policy-name secpol1 -path /volname/qtree1 -security-type ntfs -ntfs-mode replace -ntfs-sd secsd1-qtree1-ntfs

In our existing playbook, these commands are covered by two tasks that are now deprecated:

- name: Add NTFS DACLs
  na_ontap_ntfs_dacl:
    state: present
    vserver: vs1
    security_descriptor: "secsd1-qtree1-ntfs"
    account: 'DOMAIN\Group1'   # single quotes: "\G" is not a valid escape in a double-quoted YAML string
    access_type: allow
    rights: "full_control"
    apply_to: this_folder,sub_folders,files
    <<: *login

- name: Create file directory policy and add task
  na_ontap_file_directory_policy:
    state: present
    vserver: vs1
    policy_name: secpol1
    path: "/volname/qtree1"
    ntfs_sd: "secsd1-qtree1-ntfs"
    ntfs_mode: replace
    <<: *login

(Message split into two posts)

#

...Continued
The netapp.ontap documentation says the following about the above two modules.
na_ontap_ntfs_dacl migrate to na_ontap_file_security_permissions
na_ontap_file_directory_policy deprecated

I understand that I need to combine these two into na_ontap_file_security_permissions but I can't see where or how I define the ntfs-sd for DACLs and policy-name for the policy tasks. Can someone help explain what I'm missing please?

This is what I have so far regarding the new module. I haven't tested it yet because I'm stuck on the security descriptor and policy names.

- name: Create DACL Policies and Tasks
  na_ontap_file_security_permissions:
    state: present
    vserver: vs1
    access_control: file_directory
    path: "/volname/qtree1"
    propagation_mode: replace
    acls:
      - access: access_allow
        user: 'DOMAIN\Group1'   # single quotes: "\G" is not a valid escape in a double-quoted YAML string
        rights: full_control
        apply_to:
          files: true
          sub_folders: true
          this_folder: true
    <<: *login

Am I correct in thinking that the above single module will replace the previous two?
Will this cover those ONTAP CLI commands?
Have I managed to correctly transpose the values from old to new?
Where do I define the Security Descriptor and Policy names?

TIA,
Paul.

proud hollow
#

I think you need to also use na_ontap_file_security_permissions_acl module

lavish snow
#

Unfortunately na_ontap_file_security_permissions_acl is very similar to na_ontap_file_security_permissions and I still can't see a way to specify the Security Descriptor (-ntfs-sd) and Policy Names (-policy-name). I have to specify these names when manually running ONTAP CLI commands, but they aren't an option in the Ansible modules. I can't find any other modules for this task other than the deprecated ones. I must be missing something obvious. 🙂

onyx olive
#

@lavish snow Could you please try na_ontap_fdspt module?

lavish snow
#

Hi @onyx olive thank you for that, I didn't know about this module and it indeed appears to cover the same functionality as the deprecated na_ontap_file_directory_policy module. Could I perhaps suggest that the documentation found here (https://galaxy.ansible.com/ui/repo/published/netapp/ontap/docs/) is updated to say na_ontap_file_directory_policy has migrated to na_ontap_fdspt please?

Unfortunately though I still can't see how I link DACLs with a Security Descriptor (SD). I see that na_ontap_fdspt creates and adds Tasks to a file-directory policy. A policy is a means to link a path with an SD (the link is a Task) so that when I apply the policy (vserver security file-directory apply) the ACLs defined in the SD are applied to the path.

The problem I still have is associating DACLs with a Security Descriptor. I spun up a NetApp Lab on Demand to have a play with na_ontap_file_security_permissions/na_ontap_file_security_permissions_acl and they only appear to apply ACLs in real-time to files or folders. What I need though is the ability to define DACLs in a SD that I can store on the Cluster and apply to specific folders defined in a policy task when users eventually mess up their permissions. I've had a play with na_ontap_fdsd/fdsp/fdspt/fdss in the lab but none of them create a Security Descriptor.

#

Here is the output from the lab where I create the SD manually. How do I do this with Ansible? I could do this before as seen in my original message, but I can't find a way to do this with REST modules.

cluster1::> vserver security file-directory ntfs dacl add -vserver svm1_cluster1 -ntfs-sd secsd-test -access-type allow -account DEMO\Administrator -rights full-control -apply-to this-folder,sub-folders,files

cluster1::> vserver security file-directory ntfs dacl add -vserver svm1_cluster1 -ntfs-sd secsd-test -access-type allow -account DEMO\paul -rights full-control -apply-to this-folder,sub-folders,files

cluster1::> vserver security file-directory ntfs dacl show
Vserver: svm1_cluster1
  NTFS Security Descriptor Name: secsd-test

    Account Name         Access   Access          Apply To
                         Type     Rights
    ------------------   -------  --------------  -------------------------------
    DEMO\Administrator   allow    full-control    this-folder, sub-folders, files
    DEMO\paul            allow    full-control    this-folder, sub-folders, files
2 entries were displayed.
#

The na_ontap_fdspt module does this:

cluster1::> vserver security file-directory policy task show

Vserver: svm1_cluster1
  Policy: secpol-test

   Index  File/Folder  Access           Security  NTFS       NTFS Security
          Path         Control          Type      Mode       Descriptor Name
   -----  -----------  ---------------  --------  ---------- ---------------
   1      /vol2/ntfs1  file-directory   ntfs      replace    secsd-test
onyx olive
#

@lavish snow I don't think that this operation is supported by the existing modules, please use cli commands for now.

lavish snow
#

@onyx olive it is/was supported by na_ontap_ntfs_dacl but the ONTAP Collection Readme (https://galaxy.ansible.com/ui/repo/published/netapp/ontap/docs/) within "Replaced Modules" says na_ontap_ntfs_dacl -> na_ontap_file_security_permissions. If this operation is not supported by the existing modules, why does the readme say na_ontap_file_security_permissions is the replacement when it doesn't actually replicate na_ontap_ntfs_dacl functionality? Does it need to be listed under the Deprecated modules?
I think for now I will continue to use na_ontap_ntfs_dacl and just ensure ZAPI is enabled on our Clusters.
What is the best way for me to raise this as an issue please? Should I report it through Github (https://github.com/ansible-collections/netapp.ontap) or raise a NetApp support case?

proud hollow
#

Not sure if you can use any of this, but here's my workaround using the new modules in place of the deprecated modules...

(Split over multiple posts)

- name: Add NTFS permissions on a path.
  hosts: localhost
  collections:
    - netapp.ontap
  gather_facts: false

  vars:
    netapp_hostname: cluster_hostname_or_ip
    netapp_username: awx_user
    netapp_password: awx_user_password
    https: true
    validate_certs: false
    vserver: vserver_name
    ntfs_path: ""
    ntfs_fc_acl_usr: ""
    ntfs_fc_acl_usr_dom: ""
    ntfs_mod_acl_usr: ""
    ntfs_mod_acl_usr_dom: ""
    ntfs_rd_acl_usr: ""
    ntfs_rd_acl_usr_dom: ""
    sep: '\'
    fc_usr: "{{ ntfs_fc_acl_usr_dom.upper() ~ sep ~ ntfs_fc_acl_usr }}"
    mod_usr: "{{ ntfs_mod_acl_usr_dom.upper() ~ sep ~ ntfs_mod_acl_usr }}"
    rd_usr: "{{ ntfs_rd_acl_usr_dom.upper() ~ sep ~ ntfs_rd_acl_usr }}"
    condition_1: "Process still running"
    condition_2: "Failed to convert Windows name to SID"

  tasks:
    - name: Set common facts.
      ansible.builtin.set_fact:
        netapp_vars: &netapp_vars
          hostname: "{{ netapp_hostname }}"
          username: "{{ netapp_username }}"
          password: "{{ netapp_password }}"
          https: "{{ https }}"
          validate_certs: "{{ validate_certs }}"
          vserver: "{{ vserver }}"

    - name: Delete Everyone permissions.
      netapp.ontap.na_ontap_file_security_permissions:
        state: absent
        access_control: file_directory
        path: "{{ ntfs_path }}"
        propagation_mode: propagate
        validate_changes: warn
        acls:
          - access: access_allow
            user: "Everyone"
            apply_to:
              this_folder: true
              files: true
              sub_folders: true
        <<: *netapp_vars
      register: delete_result
      failed_when: "delete_result.failed and condition_1 not in delete_result.msg"

#
    - name: Add Full Control permissions.
      when: ntfs_fc_acl_usr != ''
      block:
        - name: Add Full Control permissions for {{ fc_usr }}.
          netapp.ontap.na_ontap_file_security_permissions_acl:
            state: present
            access_control: file_directory
            path: "{{ ntfs_path }}"
            propagation_mode: propagate
            validate_changes: warn
            access: access_allow
            acl_user: "{{ fc_usr }}"
            advanced_rights:
              full_control: true
            apply_to:
              this_folder: true
              files: true
              sub_folders: true
            <<: *netapp_vars
          register: fc_result
          failed_when: "fc_result.failed and (condition_1 not in fc_result.msg and condition_2 not in fc_result.msg)"

        - name: Inform if Full Control user or group is not found.
          ansible.builtin.debug:
            msg: "{{ ntfs_fc_acl_usr }} was not found in the {{ ntfs_fc_acl_usr_dom.upper() }} domain. Full Control permissions were not applied to the ACL."
          when: "fc_result.msg is defined and condition_2 in fc_result.msg"

#
    - name: Add Modify NTFS permissions.
      when: ntfs_mod_acl_usr != ''
      block:
        - name: Add Modify permissions for {{ mod_usr }}.
          netapp.ontap.na_ontap_file_security_permissions_acl:
            state: present
            access_control: file_directory
            path: "{{ ntfs_path }}"
            propagation_mode: propagate
            validate_changes: warn
            access: access_allow
            acl_user: "{{ mod_usr }}"
            advanced_rights:
              read_data: true
              read_perm: true
              write_data: true
              append_data: true
              read_ea: true
              write_ea: true
              execute_file: true
              read_attr: true
              write_attr: true
              delete: true
            apply_to:
              this_folder: true
              files: true
              sub_folders: true
            <<: *netapp_vars
          register: mdfy_result
          failed_when: "mdfy_result.failed and (condition_1 not in mdfy_result.msg and condition_2 not in mdfy_result.msg)"

        - name: Inform if Modify user or group is not found.
          ansible.builtin.debug:
            msg: "{{ ntfs_mod_acl_usr }} was not found in the {{ ntfs_mod_acl_usr_dom.upper() }} domain. Modify permissions were not applied to the ACL."
          when: "mdfy_result.msg is defined and condition_2 in mdfy_result.msg"

#
    - name: Add Read NTFS permissions.
      when: ntfs_rd_acl_usr != ''
      block:
        - name: Add Read permissions for {{ rd_usr }}.
          netapp.ontap.na_ontap_file_security_permissions_acl:
            state: present
            access_control: file_directory
            path: "{{ ntfs_path }}"
            propagation_mode: propagate
            validate_changes: warn
            access: access_allow
            acl_user: "{{ rd_usr }}"
            advanced_rights:
              read_data: true
              read_perm: true
              read_ea: true
              execute_file: true
              read_attr: true
            apply_to:
              this_folder: true
              files: true
              sub_folders: true
            <<: *netapp_vars
          register: rd_result
          failed_when: "rd_result.failed and (condition_1 not in rd_result.msg and condition_2 not in rd_result.msg)"

        - name: Inform if Read user or group is not found.
          ansible.builtin.debug:
            msg: "{{ ntfs_rd_acl_usr }} was not found in the {{ ntfs_rd_acl_usr_dom.upper() }} domain. Read permissions were not applied to the ACL."
          when: "rd_result.msg is defined and condition_2 in rd_result.msg"

lavish snow
#

Thank you @proud hollow ! You've given some great examples that I didn't know were possible, such as the block: function and failed_when: (I've so far used basic Ansible features)