Manual Pages

Table of Contents


na_fsecurity - Definition file for an fsecurity job


The fsecurity definition files describe an fsecurity job, which is used as input to the na_fsecurity_apply(1) command, and contains a list of tasks that will be run against the file system. This file can have any convenient name, and can be stored in any convenient location in the local volumes. The name of the file is given as a parameter to the na_fsecurity_apply(1) command.


The definition file can be located anywhere in the file system, in either ASCII or Unicode format. The first line is always the file's signature, with task definitions on each subsequent line.

The file signature is currently cb56f6f4, and it will be updated when new versions of the file are supported. It is important that this is the only value on the line, including spaces.

Each task is a comma-separated list of values that are defined as follows:

  type,subtype,"path",propagation mode,"security definition"

1 - Security Descriptor Definition Language (SDDL)

0 - Standard
1 - Storage-Level Access Guard (Guard)

The path to the target file system object, in double-quotes.

propagation mode
0 - Propagate inheritable permissions to all subfolders and files
1 - Do not allow permissions on this file or folders to be replaced (Not implemented)
2 - Replace existing permissions on all subfolders and files with inheritable permissions

security definition
The security definition that will be applied to the specified
path. The format is described by the type field, and is always enclosed in double-quotes.

For more information about SDDL syntax and proper formatting of the security description value, see "Security Descriptor String Format" at the following URL:

NOTE This file can also be generated by the secedit utility. It is available for download from the NOW Tool Chest.


This is a sample fsecurity definition file which propagates a security descriptor down the /vol/vol0/qtree hierarchy. The definition allows Everyone full control, and the second line sets a Guard security descriptor which denies the ability to Write.


Any changes take effect after running the na_fsecurity_apply(1) command.


Changes are persistent across system reboots.



Table of Contents