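# Jinja2 template that renders a PowerShell script locking down the ACL of a
# NetApp qtree share. It detaches the qtree from the permissions inherited from
# the parent volume, makes BUILTIN\Administrators the owner, then grants every
# entry of object_attributes a rule inherited by subfolders and files.
#
# Template values are rendered into single-quoted PowerShell literals with
# apostrophes doubled. A dollar sign, backtick or quote inside a host, volume,
# qtree, domain or account name therefore stays literal text instead of being
# expanded by PowerShell or terminating the string.
#
# NOTE(review): no error preference is set in this script, so a failing
# Get-Acl/Set-Acl may not stop the later steps. Inheritance is removed first,
# so a failure further down can leave the share without the intended grants.
# Confirm how the caller detects a partial run.

# define share
$share = '\\{{ netapp_svm_host | replace("'", "''") }}\{{ volume_name | replace("'", "''") }}\{{ qtree_name | replace("'", "''") }}'

# block inheritance from parent netapp volume and remove inherited permissions
# ($true = protect this ACL from inheritance, $false = do not keep copies of
# the previously inherited rules)
$acl = Get-Acl $share
$acl.SetAccessRuleProtection($true,$false)
$acl | Set-Acl $share

# set ownership for netapp account BUILTIN\Administrators
$acl = Get-Acl $share
$object = New-Object System.Security.Principal.Ntaccount("BUILTIN\Administrators")
$acl.SetOwner($object)
$acl | Set-Acl $share

# set permissions for members with inheritance for subfolders and files
# The rights list covers read, write, execute and delete; ChangePermissions and
# TakeOwnership are not in it, so members cannot rewrite the ACL or take
# ownership of what they create.
# NOTE(review): the InheritOnly propagation flag makes the rule apply to child
# objects only, not to the share root. Together with the removal of inherited
# rules above, this script grants members nothing on the root folder itself.
# Confirm that this is intended.
{% for item in object_attributes %}
$acl = Get-Acl $share
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule('{{ domain | replace("'", "''") }}\{{ item.name | replace("'", "''") }}',"ExecuteFile, ReadData,ReadAttributes,ReadExtendedAttributes,Createfiles,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,Delete,ReadPermissions","ContainerInherit, ObjectInherit","InheritOnly","Allow")
# SetAccessRule (not AddAccessRule) is used, so re-running the script for the
# same account replaces its rule rather than stacking another one.
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $share
{% endfor %}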