
Adding permission tracing filters

You can add permission tracing filters to instruct Data ONTAP to log information in the system log about why the storage system allows or denies a client or user to perform an operation.

About this task

Adding permission tracing filters has a minor effect on storage system performance; therefore, you should add permission tracing filters for debugging purposes only. When you are done debugging, you should remove all permission tracing filters. Furthermore, the filtering criteria you specify should be as specific as possible so that Data ONTAP does not send a large number of EMS messages to the console.

Keep the following limitations in mind:

Step

  1. Enter the following command:

    sectrace add [-ip ip_address] [-ntuser nt_username] [-unixuser unix_username] [-path path_prefix] [-a]

    ip_address specifies the IP address of the client attempting access.

    nt_username specifies the Windows NT user name of the user attempting access.

    unix_username specifies the UNIX user name of the user attempting access. You cannot specify a UNIX user name if you specify an NT user name.

    path_prefix specifies the prefix of the path name of the files to trace access to. For example, specify /vol/vol0/home/file to trace access to all files having names that start with "file" in the /vol/vol0/home/ directory, such as /vol/vol0/home/file100 and /vol/vol0/home/file200.

    -a specifies that the storage system should trace requests that it allows as well as requests that it denies.

Examples

The following command adds a permission tracing filter to trace all access requests that Data ONTAP denies from a client with an IP address of 192.168.10.23:

sectrace add -ip 192.168.10.23

The following command adds a permission tracing filter to trace all access requests, both allowed and denied, from the UNIX user foo to the path /vol/vol0/home4:

sectrace add -unixuser foo -path /vol/vol0/home4 -a
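
The following helper script is an added example, not part of the original page or of Data ONTAP. It composes a sectrace add command line under the restrictions described above and previews which paths a path_prefix covers when it is compared as a plain string prefix. The function names build_sectrace_add, prefix_matches, and sample_paths are hypothetical, the sample paths are constructed, and refusing a filter with no criteria is a local policy assumption rather than a Data ONTAP rule.

```sh
# Added example, not NetApp code; run on an admin host, not on the storage system.
# build_sectrace_add: print a `sectrace add` command from the documented options.
# Values are assumed to contain no whitespace. Returns 1 on a bad filter.
build_sectrace_add() {
    cmd="sectrace add" nt= unix= n=0
    while [ $# -gt 0 ]; do
        case $1 in
            -a) cmd="$cmd -a"; shift; continue ;;
            -ntuser) nt=1 ;;
            -unixuser) unix=1 ;;
            -ip|-path) ;;
            *) echo "unknown option: $1" >&2; return 1 ;;
        esac
        [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 1; }
        cmd="$cmd $1 $2"; n=$((n + 1)); shift 2
    done
    # Documented restriction: a UNIX user name cannot accompany an NT user name.
    if [ -n "$nt" ] && [ -n "$unix" ]; then
        echo "-ntuser and -unixuser cannot be combined" >&2; return 1
    fi
    # Local policy (assumption): a filter with no criteria is the least
    # specific one possible, so refuse to build it.
    if [ "$n" -eq 0 ]; then
        echo "refusing a filter with no criteria" >&2; return 1
    fi
    printf '%s\n' "$cmd"
}

# prefix_matches PREFIX: read paths on stdin and print those the prefix covers.
# The comparison is a plain string prefix, so sibling directories can match.
prefix_matches() {
    while IFS= read -r p; do
        case $p in "$1"*) printf '%s\n' "$p" ;; esac
    done
}

# Constructed sample paths, for illustration only.
sample_paths() {
    printf '%s\n' /vol/vol0/home4/report.txt /vol/vol0/home40/notes.txt \
        /vol/vol0/home4_old/a /vol/vol0/home/file100
}

sample_paths | prefix_matches /vol/vol0/home4
build_sectrace_add -unixuser foo -path /vol/vol0/home4 -a
```

In the constructed sample, the prefix /vol/vol0/home4 also covers /vol/vol0/home40 and /vol/vol0/home4_old, which is worth checking before adding a filter that is meant to be as specific as possible.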