Access control list metadata to search on

Access Control List (ACL) metadata is collected from SMB/CIFS data sources and can be searched on together with the standard file metadata.

For SMB/CIFS data sources, IBM Spectrum® Discover collects Access Control List (ACL) metadata in addition to the standard system metadata. This information is stored in two tables: Access Control Owner and Group (ACOG), which holds the owner and group of each file, and Access Control Entries (ACES), which holds one row for each access control entry (ACE) of a file.

Important: ACL data is not displayed by default and cannot be selected in the visual query, so an SQL query is needed to view it.
To view ACL data with an SQL query:
  1. Log in to IBM Spectrum Discover GUI.
  2. From the main menu, click Search > Query builder

    The Query builder page is displayed.

  3. Click the SQL query tab.
  4. In the Select * from Spectrum Discover where field, enter the following condition (it matches every entry type that ends in ACL) and click View results to list all records that have ACL data:
    aces.entrytype like '%ACL'
Note:
  • To limit the results to NFSv4 ACLs, or to SMB discretionary or system ACLs, use one of the following conditions:
    aces.entrytype = 'NFS4ACL'
    aces.entrytype = 'DACL'
    aces.entrytype = 'SACL'
  • Any other aces or acog field can be queried in the same way, for example:
    aces.accesstype = 'AUDIT'
    acog.groupname = 'UNIX_GROUPS\wheel'

For information on how ACL data is used in policies, see How to use ACL data in policies.

Type the criteria in the SQL query field to search the ACL metadata. The fields that can be searched on are:

acog.ownername
Indicates the owner of the file.
acog.ownerid
Indicates the security identifier for the owner of the file.
Note: To search for files by owner name or by the owner's security identifier, use one of the following:
acog.ownername='DOMAIN\user'
acog.ownerid='S-1-1-1-1000'
acog.groupname
Indicates the primary group of the owner of the file.
acog.groupid
Indicates the security identifier for the group of the owner of the file.
aces.username
Indicates the user or group name for which this ACE applies.
aces.userid
Indicates the security identifier for the user or group name for which this ACE applies.
aces.entrytype
Indicates the entry type: DACL (discretionary ACL, the allow and deny entries) or SACL (system ACL, the audit entries) for SMB/CIFS, or NFS4ACL for NFSv4 ACLs.
aces.accesstype
Indicates the access type, one of the following:
  • ALLOWED
  • DENIED
  • AUDIT
Note: For example, to search for files that have an access control entry allowing Everyone to access them:
aces.username='\Everyone' and aces.entrytype='DACL' and aces.accesstype='ALLOWED'
To search for files on a particular data source that have a Deny access control entry:
datasource in ('smb1') and aces.entrytype='DACL' and aces.accesstype='DENIED'
aces.permissions
Indicates the permissions that the entry allows, denies or audits, as a string of the following letters:
  • R - Read
  • W - Write
  • X - Execute
  • D - Delete
  • P - Write access controls (change permissions)
  • O - Owner (take ownership)
The valid permission combinations are:
  • READ - R + X
  • CHANGE - R + W + X + D
  • FULL - R + W + X + D + P + O
For NFSv4 entries (aces.entrytype = 'NFS4ACL') the letters are instead:
  • r - read-data
  • w - write-data
  • a - append-data
  • x - execute
  • d - delete
  • t - read the attributes of the file
  • T - write the attributes of the file
  • n - read the named attributes of the file
  • N - write the named attributes of the file
  • c - read the file ACL
  • C - write the file ACL
  • o - change ownership of the file
  • y - synchronize

An NFSv4 entry stores a combination of these letters, for example rxtncy (read data, execute, read attributes, read named attributes, read the ACL, synchronize).
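The following is an added example, not IBM Spectrum Discover code, that parses the aces.permissions strings described above: it validates a string against the letter set for its entry type, maps an SMB string onto the documented READ, CHANGE and FULL combinations, and flags entries that let the holder rewrite the ACL or take ownership (P or O for SMB, C or o for NFSv4), which is the property a reviewer usually cares about most. The letter tables come from this page (plus y, synchronize, which appears in the page's rxtncy example); the sample strings are constructed, and the OTHER level for an SMB combination outside the three named ones is an assumption of this example.

```python
"""Parse aces.permissions strings and classify them.

Added example, not part of IBM Spectrum Discover. Letter tables follow the
documentation above; 'y' (synchronize) is included because the documented
rxtncy example uses it. The OTHER level is this example's own label for an
SMB combination outside READ/CHANGE/FULL.
"""
from dataclasses import dataclass

# SMB/CIFS letters (DACL and SACL entries).
SMB_LETTERS = {
    "R": "read", "W": "write", "X": "execute", "D": "delete",
    "P": "write access controls", "O": "owner",
}
# Documented SMB combinations (order of letters in the string is irrelevant).
SMB_LEVELS = {
    "READ": frozenset("RX"),
    "CHANGE": frozenset("RWXD"),
    "FULL": frozenset("RWXDPO"),
}
# NFSv4 letters (NFS4ACL entries); case is significant (t vs T, c vs C, ...).
NFS4_LETTERS = {
    "r": "read-data", "w": "write-data", "a": "append-data", "x": "execute",
    "d": "delete", "t": "read attributes", "T": "write attributes",
    "n": "read named attributes", "N": "write named attributes",
    "c": "read ACL", "C": "write ACL", "o": "change ownership",
    "y": "synchronize",
}
# Letters that let the holder change who else may access the file.
CONTROL_LETTERS = {
    "DACL": frozenset("PO"), "SACL": frozenset("PO"), "NFS4ACL": frozenset("Co"),
}


@dataclass(frozen=True)
class Perms:
    entrytype: str         # DACL, SACL or NFS4ACL
    letters: frozenset     # the parsed permission letters
    level: str             # READ / CHANGE / FULL / OTHER for SMB, NFS4 for NFSv4
    can_change_acl: bool   # holder can rewrite the ACL or take ownership

    def describe(self):
        """Human-readable names, in the documented letter order."""
        alphabet = NFS4_LETTERS if self.entrytype == "NFS4ACL" else SMB_LETTERS
        return [f"{l} ({alphabet[l]})" for l in alphabet if l in self.letters]


def parse_permissions(entrytype, permissions):
    """Validate `permissions` for `entrytype` and return a Perms record.

    Raises ValueError for an unknown entry type or an unknown letter, so a
    typo such as lower-case 'rx' on a DACL entry is caught rather than
    silently matching nothing.
    """
    if entrytype == "NFS4ACL":
        alphabet = NFS4_LETTERS
    elif entrytype in ("DACL", "SACL"):
        alphabet = SMB_LETTERS
    else:
        raise ValueError(f"unknown aces.entrytype: {entrytype!r}")
    letters = frozenset(permissions)
    unknown = letters.difference(alphabet)
    if unknown:
        raise ValueError(f"{entrytype}: unknown permission letters {sorted(unknown)}")
    if entrytype == "NFS4ACL":
        level = "NFS4"
    else:
        level = next((name for name, combo in SMB_LEVELS.items() if combo == letters), "OTHER")
    return Perms(entrytype, letters, level, bool(letters & CONTROL_LETTERS[entrytype]))


if __name__ == "__main__":
    # Constructed sample strings.
    for etype, perms in [("DACL", "RWXDPO"), ("DACL", "RX"), ("NFS4ACL", "rxtncy")]:
        p = parse_permissions(etype, perms)
        print(etype, perms, p.level, "control" if p.can_change_acl else "no control", p.describe())
```

A practical use is to run the function over exported aces.entrytype and aces.permissions columns and report every row with can_change_acl set for a principal that is not the file owner (acog.ownername).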

aces.flags
Indicates the flags that are set on the access control entry (ACE).
Note: A file can have more than one access control entry (ACE). Search results that contain ACL metadata repeat the file metadata once for each ACE, so one file appears as several rows, and a condition such as aces.accesstype='ALLOWED' matches individual entries, not whole files. Therefore, reports are the preferred method for using IBM Spectrum Discover search results that contain ACL metadata.
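Because each ACE is returned as its own row, a query such as the Everyone example above can list a file that also carries a DENIED entry for some of the same principals. The following is an added example, not IBM Spectrum Discover code, that collapses per-ACE rows back into per-file ACLs and evaluates what a principal can effectively do. The rows are constructed with the column names used on this page; the evaluator applies the simplified Windows DACL rule that a DENIED entry matching any of the principal's identities and covering the requested letter wins over an ALLOWED entry (canonical DACLs order explicit deny before allow), and SACL (AUDIT) entries never affect the decision. The identity names and paths are invented for the example.

```python
"""Collapse per-ACE search rows into per-file ACLs and evaluate access.

Added example, not part of IBM Spectrum Discover. ROWS is a constructed
stand-in for a search result that includes ACL metadata: the file metadata
is repeated on every row, one row per ACE. The access rule is a simplified
Windows DACL evaluation (deny matching any identity wins, SACL ignored).
"""


def row(path, owner, user, entrytype, accesstype, permissions, datasource="smb1"):
    """Build one result row using the column names documented on this page."""
    return {
        "path": path, "datasource": datasource, "acog.ownername": owner,
        "aces.username": user, "aces.entrytype": entrytype,
        "aces.accesstype": accesstype, "aces.permissions": permissions,
    }


# Constructed sample: three files with five ACEs, hence five rows.
ROWS = [
    row("/finance/q3.xlsx", "DOMAIN\\alice", "\\Everyone", "DACL", "ALLOWED", "RWXD"),
    row("/finance/q3.xlsx", "DOMAIN\\alice", "DOMAIN\\contractors", "DACL", "DENIED", "WD"),
    row("/finance/q3.xlsx", "DOMAIN\\alice", "\\Everyone", "SACL", "AUDIT", "W"),
    row("/public/readme.txt", "DOMAIN\\bob", "\\Everyone", "DACL", "ALLOWED", "RX"),
    row("/hr/salaries.csv", "DOMAIN\\carol", "DOMAIN\\hr", "DACL", "ALLOWED", "RWXDPO"),
]


def group_by_file(rows):
    """Return {path: {"owner", "datasource", "aces": [...]}}, undoing the
    per-ACE repetition of the file metadata."""
    files = {}
    for r in rows:
        entry = files.setdefault(r["path"], {
            "owner": r["acog.ownername"], "datasource": r["datasource"], "aces": [],
        })
        # Strip the "aces." prefix so each ACE is {"username": ..., "entrytype": ..., ...}.
        entry["aces"].append({k[len("aces."):]: v for k, v in r.items() if k.startswith("aces.")})
    return files


def allows(aces, identities, letter):
    """True if the DACL grants permission `letter` to a principal whose
    identities (user and group names as stored in aces.username) are given.
    Any matching DENIED entry that covers the letter wins; SACL entries are
    not consulted."""
    dacl = [a for a in aces if a["entrytype"] == "DACL" and a["username"] in identities]
    if any(a["accesstype"] == "DENIED" and letter in a["permissions"] for a in dacl):
        return False
    return any(a["accesstype"] == "ALLOWED" and letter in a["permissions"] for a in dacl)


def files_allowing(rows, identities, letter):
    """Sorted paths on which the principal effectively holds `letter`."""
    files = group_by_file(rows)
    return sorted(p for p, f in files.items() if allows(f["aces"], identities, letter))


if __name__ == "__main__":
    print(len(ROWS), "rows collapse to", len(group_by_file(ROWS)), "files")
    print("Everyone can write:", files_allowing(ROWS, {"\\Everyone"}, "W"))
    print("A contractor (also Everyone) can write:",
          files_allowing(ROWS, {"\\Everyone", "DOMAIN\\contractors"}, "W"))
```

The contractor case is the one the raw per-ACE rows hide: the Everyone ALLOWED row alone suggests /finance/q3.xlsx is writable by all, while the DENIED row on the same file removes W and D for members of DOMAIN\contractors.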