To troubleshoot access control problems (that is, to determine why a client or user is given or denied access to a file on the storage system when you think it should not be), you can use the sectrace command.
More information
Adding permission tracing filters
You can add permission tracing filters to instruct Data ONTAP to log information in the system log about why the storage system allows or denies a client or user to perform an operation.
Removing permission tracing filters
Because permission tracing filters have a minor impact on storage system performance, you should remove them when you are done debugging access errors.
Displaying permission tracing filters
You can use the sectrace show command to display the permission tracing filters on a storage system or vFiler.
Finding out why Data ONTAP allowed or denied access
Data ONTAP logs an EMS message to the console whenever the criteria for a permission tracing filter are met. To get more information about why Data ONTAP allowed or denied access to a particular client or user, you can use the sectrace print-status command.