Access control list metadata to search on
Access Control List (ACL) metadata is collected from SMB/CIFS data source search results.
For SMB/CIFS data sources, IBM Spectrum® Discover collects Access Control List (ACL) metadata in addition to the standard system metadata. This information is stored in two tables: Access Control Owner and Group (ACOG) and Access Control Entries (ACES).
Important: ACL data is not displayed by default and is not available through the visual query, so an SQL query is needed to view ACL data.
Follow these steps to view ACL data with an SQL query:
- Log in to the IBM Spectrum Discover GUI.
- From the main menu, click
The Query builder page is displayed.
- Click the SQL query tab.
- In the Select * from Spectrum Discover where field, enter the following query and click View results to view all ACL data:
"aces.entrytype like '%ACL'"
Note:
- To limit the ACL results to NFS or SMB, use one of the following queries: "aces.entrytype = 'NFS4ACL'" for NFSv4 entries, or "aces.entrytype = 'DACL'" or "aces.entrytype = 'SACL'" for SMB entries.
- For any other specific aces or acog query, filter on the relevant column, for example: "aces.accesstype = 'AUDIT'" or "acog.groupname ='UNIX_GROUPS\wheel'"
For information on how ACL data is used in policies, see How to use ACL data in policies.
Type the criteria in the search bar to search the ACL metadata. Possible fields to search on are:
- acog.ownername
- Indicates the owner of the file.
- acog.ownerid
- Indicates the security identifier for the owner of the file.
Note: To search for files based on owner name or on the owner's security identifier, see the following examples:
acog.ownername='DOMAIN\user'
acog.ownerid='S-1-1-1-1000'
- acog.groupname
- Indicates the group of owner of the file.
- acog.groupid
- Indicates the security identifier for the group of the owner of the file.
- aces.username
- Indicates the user or group name for which this ACE applies.
- aces.userid
- Indicates the security identifier for the user or group name for which this ACE applies.
- aces.entrytype
- Indicates the entry type: DACL or SACL for SMB, or NFS4ACL for NFSv4.
- aces.accesstype
- Indicates the access type, which is one of the following options:
- ALLOWED
- DENIED
- AUDIT
Note: To search for files with an access control entry that allows Everyone access, see the following example (the column is aces.accesstype, the same name used in the other examples):
aces.username='\Everyone' and aces.entrytype='DACL' and aces.accesstype='ALLOWED'
To search for files that are on a particular data source and carry a Deny access control entry, see the following example:
datasource in ('smb1') and aces.entrytype='DACL' and aces.accesstype='DENIED'
- aces.permissions
- Indicates the permissions granted or denied by the entry. For SMB, the individual permissions are:
- R - Read
- W - Write
- X - Execute
- D - Delete
- P - Write access controls
- O - Owner
The valid SMB permission combinations are:
- READ - R + X
- CHANGE - R + W + X + D
- FULL - R + W + X + D + P + O
For NFSv4 the permissions vary as shown:
- r - read-data
- w - write-data
- a - append-data
- x - execute
- d - delete
- t - read the attributes of the file
- T - write the attribute of the file
- n - read the named attributes of the file
- N - write the named attributes of the file
- c - read the file ACL
- C - write the file ACL
- o - change ownership of the file
Multiple NFSv4 permissions can appear in combination in a single entry, for example rxtncy.
- aces.flags
- Indicates the flags displaying the type of access control entry (ACE).
Note: A file can have more than one access control entry (ACE) associated with it. Search results that contain ACL metadata repeat the file metadata once for each ACE, so a file with three ACEs appears as three result rows. Therefore, reports are the preferred method for using IBM Spectrum Discover search results with ACL metadata.
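The predicates from the steps and notes above, run end to end as an added example. This is not IBM Spectrum Discover code and does not reproduce the product's catalog schema: an in-memory SQLite database stands in for the catalog, using the acog and aces column names from this page, and a `files` table joined to acog and aces on the file path is an assumption made for the example. The sample rows are constructed, and the flags column is left empty because the page lists no flag values. The example runs the page's queries, shows the one-row-per-ACE repetition that the closing note warns about, and adds the check a practitioner usually wants first: SMB files where Everyone holds an ALLOWED DACL entry with write access, classified with the READ/CHANGE/FULL combinations listed above.

```python
import sqlite3

# Constructed sample catalog (not real IBM Spectrum Discover data): four files,
# their owner/group rows (acog) and their access control entries (aces).
# Joining acog and aces to a file on its path is an assumption of this example.
FILES = [  # (path, datasource)
    ("/share/finance/q3.xlsx", "smb1"),
    ("/share/hr/salaries.csv", "smb1"),
    ("/share/public/readme.txt", "smb1"),
    ("/export/home/bob/notes.txt", "nfs1"),
]
ACOG = [  # (path, ownername, ownerid, groupname, groupid)
    ("/share/finance/q3.xlsx", r"DOMAIN\alice", "S-1-5-21-1-1-1-1001",
     r"DOMAIN\finance", "S-1-5-21-1-1-1-2001"),
    ("/share/hr/salaries.csv", r"DOMAIN\hradmin", "S-1-5-21-1-1-1-1002",
     r"DOMAIN\hr", "S-1-5-21-1-1-1-2002"),
    ("/share/public/readme.txt", r"DOMAIN\alice", "S-1-5-21-1-1-1-1001",
     r"DOMAIN\finance", "S-1-5-21-1-1-1-2001"),
    ("/export/home/bob/notes.txt", r"UNIX_USERS\bob", "1000",
     r"UNIX_GROUPS\wheel", "10"),
]
ACES = [  # (path, username, userid, entrytype, accesstype, permissions, flags)
    ("/share/finance/q3.xlsx", r"DOMAIN\alice", "S-1-5-21-1-1-1-1001",
     "DACL", "ALLOWED", "RWXDPO", ""),
    ("/share/finance/q3.xlsx", r"\Everyone", "S-1-1-0", "DACL", "ALLOWED", "RX", ""),
    ("/share/finance/q3.xlsx", r"\Everyone", "S-1-1-0", "SACL", "AUDIT", "W", ""),
    ("/share/hr/salaries.csv", r"DOMAIN\contractors", "S-1-5-21-1-1-1-2003",
     "DACL", "DENIED", "RX", ""),
    ("/share/hr/salaries.csv", r"DOMAIN\hr", "S-1-5-21-1-1-1-2002",
     "DACL", "ALLOWED", "RWXD", ""),
    ("/share/public/readme.txt", r"\Everyone", "S-1-1-0", "DACL", "ALLOWED", "RWXDPO", ""),
    ("/export/home/bob/notes.txt", r"UNIX_USERS\bob", "1000",
     "NFS4ACL", "ALLOWED", "rwaxdtTnNcCo", ""),
    ("/export/home/bob/notes.txt", r"UNIX_GROUPS\wheel", "10",
     "NFS4ACL", "ALLOWED", "rxtncy", ""),
]


def build_catalog():
    """Load the constructed rows into an in-memory SQLite database that stands
    in for the Discover catalog, using the page's acog/aces column names."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE files (path TEXT PRIMARY KEY, datasource TEXT);
        CREATE TABLE acog (path TEXT, ownername TEXT, ownerid TEXT,
                           groupname TEXT, groupid TEXT);
        CREATE TABLE aces (path TEXT, username TEXT, userid TEXT, entrytype TEXT,
                           accesstype TEXT, permissions TEXT, flags TEXT);
    """)
    con.executemany("INSERT INTO files VALUES (?, ?)", FILES)
    con.executemany("INSERT INTO acog VALUES (?, ?, ?, ?, ?)", ACOG)
    con.executemany("INSERT INTO aces VALUES (?, ?, ?, ?, ?, ?, ?)", ACES)
    return con


def search(con, where):
    """Run a predicate of the kind typed after 'Select * from Spectrum Discover
    where' in the SQL query tab. The predicate is spliced in verbatim because
    that is what the query field does; the catalog here is a throwaway
    in-memory copy. One row comes back per matching ACE, so a file with several
    matching ACEs is listed several times."""
    sql = ("SELECT files.path, files.datasource, aces.username, aces.entrytype, "
           "aces.accesstype, aces.permissions FROM files "
           "JOIN acog ON acog.path = files.path "
           "JOIN aces ON aces.path = files.path WHERE " + where)
    return con.execute(sql).fetchall()


def distinct_paths(rows):
    """Collapse per-ACE rows back to the set of files; this is the
    deduplication the page's closing note says reports do for you."""
    return sorted({row[0] for row in rows})


# The page's named SMB combinations, keyed by the set of permission letters.
SMB_LEVELS = {frozenset("RX"): "READ", frozenset("RWXD"): "CHANGE",
              frozenset("RWXDPO"): "FULL"}


def smb_level(permissions):
    """Name an SMB permission string (letters R W X D P O) by the page's
    READ/CHANGE/FULL combinations; any other mix is reported as CUSTOM."""
    return SMB_LEVELS.get(frozenset(permissions.upper()), "CUSTOM")


def everyone_can_write(con):
    """SMB files where Everyone holds an ALLOWED DACL entry that includes write
    (W), returned as (path, level) pairs. The backslash before Everyone is a
    literal character in the SQL string, hence the raw Python string."""
    rows = search(con, r"aces.username='\Everyone' and aces.entrytype='DACL' "
                       r"and aces.accesstype='ALLOWED'")
    return [(path, smb_level(perm)) for path, _, _, _, _, perm in rows
            if "W" in perm.upper()]


if __name__ == "__main__":
    con = build_catalog()
    for where in ("aces.entrytype like '%ACL'",
                  "aces.entrytype = 'NFS4ACL'",
                  "datasource in ('smb1') and aces.entrytype='DACL' "
                  "and aces.accesstype='DENIED'"):
        rows = search(con, where)
        print(f"{where}: {len(rows)} ACE rows over "
              f"{len(distinct_paths(rows))} files")
    print("Everyone can write:", everyone_can_write(con))
```

Running the script prints the row count beside the file count for each query, which makes the repetition concrete: the `like '%ACL'` query returns eight ACE rows for four files. The `everyone_can_write` check ignores the `RX` entry on q3.xlsx and reports only readme.txt, where Everyone has FULL control.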