Scan Permissions

NAS and SharePoint permissions for File Discovery, Entitlement and Classification (FDEC)

SharePoint Scan Permissions

The SharePoint Agent can audit both permissions and content on SharePoint servers, through Access Auditing (SPAA) and Sensitive Data Discovery Auditing. It is installed on the application server that hosts the Central Administration component.

If the organization does not require limited provisioning of the service account, the following permissions are sufficient for successful SharePoint Agent-based scans:
  • Local Administrator group membership on the server where the SharePoint Agent is installed
  • Site Collection Administrator on all Site Collections to be scanned
  • DB_Owner or SPDataAccess on the desired Configuration database and all Content databases, depending on the SharePoint version:
    • For SharePoint 2013 and 2016: SPDataAccess on the SharePoint Content database and all Configuration databases
    • For SharePoint 2010: DB_Owner on the SharePoint Content database and all Configuration databases

SharePoint Scan Permissions: Less Privileged Model

If the organization requires restricted permissions, the service account needs the following permissions to successfully run SharePoint Agent-based scans.

Prior to installation of the SharePoint Agent, the service account that will be supplied during installation, and later used to run the Access Auditing (SPAA) and/or Sensitive Data Discovery Auditing scans against the targeted SharePoint environment, needs the following permissions:
  • Log on as a Service in the Local Security Policy
  • Local group membership to IIS_IUSRS
  • Local group membership to Performance Log Users (for Sensitive Data Discovery only)
After the SharePoint Agent installation, this service account needs the following additional permissions to run the Access Auditing (SPAA) and/or Sensitive Data Discovery Auditing scans:
  • Site Collection Administrator on all Site Collections to be scanned
  • Local 'Users' group membership on the server where the SharePoint Agent is installed
If the scans will include Web Application scoping, then the following permissions are also needed (this can be skipped if running full farm scans):
  • Local group membership to Backup Operators
  • Local group membership to WSS_WPG
  • WSS_CONTENT_APPLICATION_POOLS on the SharePoint Configuration database
After the FDEC SharePoint Agent is installed, ensure that the service account has the following permissions:
  • Full Control on the agent install directory, for example C:\Program Files\IBM\FDECforSP
The FDEC SharePoint Agent utilizes Microsoft APIs. The Microsoft APIs require an account with the following permissions in order to collect all of the data:
  • WSS_CONTENT_APPLICATION_POOLS on the SharePoint Content database(s)
  • WSS_CONTENT_APPLICATION_POOLS on the SharePoint Configuration database

If scans will include Web Application scoping, this last permission will already have been met.
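As an added example that is not part of this guide, the following PowerShell check, run elevated on the agent server, verifies a service account against the server-side items of the less privileged model above: local group memberships, the Log on as a Service right, Full Control on the install directory, and the absence of local Administrators membership. The account name is an assumption; SharePoint-side rights (Site Collection Administrator, database roles) are not checked.

```powershell
# Added example, not FDEC's own tooling. Run as an administrator on the agent server.
param(
    [string]$ServiceAccount = 'CONTOSO\svc_fdec_sp',            # assumed account name
    [string]$InstallDir     = 'C:\Program Files\IBM\FDECforSP',  # install path from the guide
    [switch]$WebAppScoping                                       # set when scans scope Web Applications
)

# Local groups required before/after installation; two more for Web Application scoping.
$required = @('Users', 'IIS_IUSRS', 'Performance Log Users')
if ($WebAppScoping) { $required += 'Backup Operators', 'WSS_WPG' }

# Note: Get-LocalGroupMember lists direct members only; membership via a nested domain group is not resolved.
$results = @(foreach ($group in $required) {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = "Local group '$group'"
        Passed = [bool]($members | Where-Object Name -eq $ServiceAccount)
    }
})

# "Log on as a Service" (SeServiceLogonRight) is only visible through a secedit export,
# where principals appear as *SID entries.
$cfg = Join-Path $env:TEMP 'fdec-secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$sid  = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
$results += [pscustomobject]@{
    Check  = 'Log on as a Service'
    Passed = [bool]($line -and $line.Line -match [regex]::Escape("*$sid"))
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Full Control on the agent install directory (all FullControl bits present in an Allow ACE).
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$ace = (Get-Acl -Path $InstallDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $fullControl) -eq $fullControl)
}
$results += [pscustomobject]@{ Check = "Full Control on $InstallDir"; Passed = [bool]$ace }

# Under this model the account must NOT be a local Administrator; flag over-provisioning.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = 'Not a member of local Administrators'
    Passed = -not ($admins | Where-Object Name -eq $ServiceAccount)
}
$results | Format-Table -AutoSize
```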

See the Permission Options section of the SharePoint Agent Installation Guide for additional information on the less privileged model of provisioning.

NAS Scan Permissions

NetApp Data ONTAP Cluster-Mode Permissions
The credential used to collect file system data from a NetApp Data ONTAP Cluster-Mode device must have the ability to:
  • Enumerate shares by executing specific API calls
  • Bypass NTFS security to read the entire folder structure to be scanned and collect file/folder permissions
Share Enumeration – API Calls (Cluster-Mode)
To enumerate the shares on a NetApp Data ONTAP Cluster-Mode device, File System scans require a credential provisioned with the following CLI commands at minimum.
  CLI Command                        Access
  version                            Readonly
  volume                             Readonly
  vserver                            Readonly
  server fpolicy                     Readonly
  security login role show-ontapi    Readonly
Important: To enumerate shares on a NetApp Data ONTAP Cluster-Mode device running version 8.3 or later, the credential also needs at least the following permission on the target host: group membership in the Power Users group.
Bypass NTFS Security (Cluster-Mode)

It is possible to enable a credential to bypass NTFS security on NetApp Data ONTAP Cluster-Mode devices by provisioning access to a special share: ONTAP_Admin$. In order to access the ONTAP_Admin$ share, the credential must be associated with an FPolicy on the target device.

The FPolicy can be an “empty” FPolicy and should have minimal impact on an organization’s system. The policy name must be “StealthAUDIT”.

NetApp Data ONTAP 7-Mode Permissions
The credential used to collect file system data from a NetApp Data ONTAP 7-Mode device must have the ability to:
  • Enumerate shares by executing specific API calls
  • Bypass NTFS security to read the entire folder structure to be scanned and collect file/folder permissions
The following sections outline the required permissions granted to the credential used within the assigned Connection Profile for these target hosts.
Share Enumeration – API Calls (7-Mode)
To enumerate the shares on a NetApp Data ONTAP 7-Mode device, File System scans require a credential provisioned with access to (at minimum) the following API calls:
  • login-http-admin
  • api-system-api-list
  • api-system-get-version
  • api-cifs-share-list-iter-*
Bypass NTFS Security (7-Mode)
In order to bypass NTFS, the credential needs to at least have the following permissions on the target host:
  • Group membership in both of the following groups:
    • Power Users
    • Backup Operators
Note: All NetApp groups are assigned an RID. Built-in NetApp groups such as Power Users and Backup Operators are assigned specific RID values. On 7-Mode NetApp devices, system access checks for a group are identified by the RID assigned to the group, not by the role it holds. Therefore, the ability to bypass access checks with the Power Users and Backup Operators groups has nothing to do with the power role or the backup role; neither role is required. For example, the built-in Power Users group, even when stripped of all roles, still has more file system access capabilities than any non-built-in group.
EMC Celerra, VNX, VNXe, VMAX3, or Unity Permissions
The credential used to collect file system data from an EMC Celerra, VNX, VNXe, VMAX3, or Unity device needs to have at least the following permissions on the target host:
  • Group membership in both of the following groups:
    • Power Users
    • Backup Operators

These permissions grant the credential the ability to enumerate shares, access the remote registry, and bypass NTFS security on folders.

If there are folders to which the credential is denied access, it is likely that the Backup Operators group does not have the “Back up files and directories” right. In that case, either assign the “Back up files and directories” right to that group, or create a new local group using Computer Management from a Windows server and then assign the right to it using the CelerraManagementTool.msc plugin, which is available to EMC customers.

Note: To successfully scan EMC devices from a server running Windows Server 2012 or newer, the “Require Secure Negotiate” policy must be turned off on that server. This is due to a problem caused by the “Secure Negotiate” feature, which was added to SMB 3.0 in Windows Server 2012 and Windows 8. The feature depends on the correct signing of error responses by all SMBv2 servers, including servers that support only protocol versions 2.0 and 2.1. Some third-party file servers do not return a signed error response, so the connection fails.
EMC Isilon Permissions
The credential used to collect file system data from an EMC Isilon device must have the following permissions on the target host:
  • Group membership in the local Administrators group – LOCAL:System Provider
  • Rights on the actual file tree or to the IFS root share
    • Share Permissions
      • Read access
    • Folder Permissions
      • List Folder / Read Data
      • Traverse Folder / Execute File
      • Read Permissions

These permissions grant the credential the ability to audit folders and shares. In order to execute scoped Classification scans, the credential must also have the LOCAL:System provider selected in each access zone in which the shares to be scanned reside.

Hitachi Permissions
The credential used to collect file system data from a Hitachi device must have the following permission on the target host:
  • Group membership in both of the following local groups:
    • Local Administrators
    • Backup Administrators

This permission grants the credential read access to all target folders and files.