NetApp® ONTAP® REST APIs are creating a break-through in everyday storage management tasks. ONTAP REST APIs reflect careful consideration of the complexity of traditional storage management through ZAPIs or CLIs. The REST APIs are more focus on simplicity and improved performance to make it easy for users to manage ONTAP storage and to achieve key storage outcomes such as  storage provisioning, data protection, security management, and upgrading. This blog post discusses how the vserver file-security permission configuration feature has been enhanced and simplified in ONTAP 9.9.1.

What is vserver file-security permission used for?  

In ONTAP, vserver file-security is a command used in the command line interface (CLI) to view and set security on a file or directory structure without the need for a client. It is used to make security changes to the infrastructure, rather than the traditional way of making those changes over wire. The file-directory command allows IT administrators to apply security over large directories without causing significant performance degradation. This file-directory capability act as a centralized security management tool to manage CIFS and NFS security information. It works like cacl() commands on a Windows client.

In the CLI, execute the following 5 commands to apply NTFS ACLs:

  • Create an NTFS SD.
  • Add DACLs/SACLs to the NTFS SD.
  • Create a policy.
  • Create a task.
  • Apply the policy.

In terms of ONTAPI/ZAPIs, making security configuration in a file directory involves 13 ZAPI calls:

  • File-directory-security-ntfs-create
  • File-directory-security-ntfs-delete
  • File-directory-security-ntfs-get-iter
  • File-directory-security-ntfs-dacl-get-iter
  • File-directory-security-ntfs-sacl-get-iter
  • File-directory-security-ntfs-get-iter
  • File-directory-security-policy-create
  • File-directory-security-policy-delete
  • File-directory-security-policy-get-iter
  • File-directory-security-policy-task-add
  • File-directory-security-policy-task-get-iter
  • File-directory-security-policy-task-modify
  • File-directory-security-policy-task-remove

Until ONTAP 9.8, it was possible to automate file-security permissions only via private CLI passthrough. Sample scripts are posted on GitHub for file security permissions usage through private CLI passthrough.  In terms of CLI passthrough, for a CLI command vserver security policy create,  the command gets converted as a POST operation with API endpoint:


In ONTAP REST APIs 9.9.1, file directory security permission configuration is made simpler with a single REST call to create the NTFS ACLs. With a single REST POST call, users can manage NTFS security and NTFS audit policies. Users need to input the key parameters, such as svm.uuid and targeted path, to apply security permissions, and they can set parameters such as access level and advanced access permissions for the account. The following screenshot shows that the single post call, /protocols/file-security/permissions/{svm.uuid}/{path} will help to achieve the different CLI commands execution.

ONTAP REST also allows users to add new DACLs/SACLs permissions to an existing already created NTFS through a simple patch call. Users can easily automate setting up file-security permissions for a file or directory with new API endpoints available in ONTAP 9.9.1. The following screenshot shows API endpoints in file-security permissions for easier storage management. For more information, check out the file-security permissions code posted in GitHub, and bookmark ONTAP REST APIs - our one-stop shop for all the resources you need. If you have any questions, write to us at Slack channel - #api - REST Query: #api Channel.

About Mahalakshmi G

Mahalakshmi works as Subject Matter Expert at NetApp with over 6 years of experience in Data Storage Industry. She is part of ONTAP Manageability Product Management team. She currently focuses on Automation and Tools portfolio such as ONTAP REST APIs, NetApp Manageability SDK and PSTK. She loves solving real-world customer issues and always looks for a way to automate complex storage management operations. Apart from work, Mahalakshmi is keen on music, an opacarophile, avid-book reader and enjoys traveling to historical places.

Pin It on Pinterest