Scan Permissions
NAS and SharePoint permissions for File Discovery, Entitlement and Classification (FDEC)
SharePoint Scan Permissions
The SharePoint Agent performs Access Auditing (SPAA) and Sensitive Data Discovery Auditing, that is, auditing of permissions and of content, on SharePoint servers. It is installed on the application server that hosts the Central Administration component. The service account that runs the agent needs:
- Local Administrators group membership on the server where the SharePoint Agent is installed
- Site Collection Administrator on all Site Collections to be scanned
- DB_Owner or SPDataAccess on the desired Configuration database and on all Content databases to be scanned, depending on the SharePoint version:
- For SharePoint 2013 and 2016: SPDataAccess on the SharePoint Configuration database and all Content databases
- For SharePoint 2010: DB_Owner on the SharePoint Configuration database and all Content databases
SharePoint Scan Permissions: Less Privileged Model
If the organization wants to restrict the service account's permissions rather than grant the rights listed above, the account needs the following to run SharePoint Agent-based scans successfully.
- Log on as a Service in the Local Security Policy
- Local group membership to IIS_IUSRS
- Local group membership to Performance Log Users (for Sensitive Data Discovery only)
- Site Collection Administrator on all Site Collections to be scanned
- Local 'Users' group membership on the server where the SharePoint Agent is installed
- Local group membership to Backup Operators
- Local group membership to WSS_WPG
- Full Control on the agent install directory, for example C:\Program Files\IBM\FDECforSP
- WSS_CONTENT_APPLICATION_POOLS on the SharePoint Content database(s)
- WSS_CONTENT_APPLICATION_POOLS on the SharePoint Configuration database
If scans will include Web Application scoping, this last permission will already have been met.
See the Permission Options section of the SharePoint Agent Installation Guide for additional information on the less privileged model of provisioning.
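The steps of both SharePoint models above, carried out as one script. This is an added example, not code from the page or from the vendor: it provisions the less privileged model (local groups, install-directory ACL, the "Log on as a service" right, Site Collection Administrator on every site collection, and the WSS_CONTENT_APPLICATION_POOLS role on the Configuration and Content databases). The account name, install path, SQL instance and the assumption that the configuration and content databases live on the same instance are all hypothetical; for the standard model, swap $DbRole for SPDataAccess (2013/2016) or db_owner (2010) and add the account to the local Administrators group instead. Run it in an elevated SharePoint Management Shell on the Central Administration server.

```powershell
# Added example, not from the page or the vendor: provision the FDEC service account for the
# SharePoint Agent less privileged model. Account, path, instance and role are assumptions.
$Account     = 'CORP\svc_fdec'
$InstallDir  = 'C:\Program Files\IBM\FDECforSP'
$SqlInstance = 'SQL01\SHAREPOINT'
# Less privileged model role; the full model uses SPDataAccess (2013/2016) or db_owner (2010).
$DbRole      = 'WSS_CONTENT_APPLICATION_POOLS'

# 1. Local group memberships on the agent server. Performance Log Users only matters for
#    Sensitive Data Discovery; drop it if only Access Auditing is used.
foreach ($g in 'Users', 'IIS_IUSRS', 'Backup Operators', 'WSS_WPG', 'Performance Log Users') {
    if (-not (Get-LocalGroupMember -Group $g -Member $Account -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $g -Member $Account
    }
}

# 2. Full Control on the agent install directory, inherited by subfolders (CI) and files (OI).
icacls $InstallDir /grant "$($Account):(OI)(CI)F" | Out-Null

# 3. "Log on as a service" (SeServiceLogonRight) has no cmdlet: export the user-rights policy
#    with secedit, append the account's SID to the right, and import it again.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'fdec_user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = [System.Collections.Generic.List[string]](Get-Content $cfg)
$i = -1
for ($k = 0; $k -lt $lines.Count; $k++) {
    if ($lines[$k] -match '^SeServiceLogonRight\s*=') { $i = $k }
}
if ($i -lt 0) {
    # Right not granted to anyone yet: add it under the [Privilege Rights] section header.
    $lines.Insert($lines.IndexOf('[Privilege Rights]') + 1, "SeServiceLogonRight = *$sid")
} elseif ($lines[$i] -notmatch [regex]::Escape($sid)) {
    $lines[$i] += ",*$sid"
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'fdec_user_rights.sdb') /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg

# 4. Site Collection Administrator on every site collection to be scanned (here: all of them).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Get-SPSite -Limit All | ForEach-Object {
    $user = $_.RootWeb.EnsureUser($Account)
    if (-not $user.IsSiteAdmin) { $user.IsSiteAdmin = $true; $user.Update() }
    $_.Dispose()
}

# 5. Database role membership on the Configuration database and every Content database.
#    sp_addrolemember instead of ALTER ROLE so the same script works on SQL Server 2008 (SharePoint 2010).
$configDb   = (Get-SPDatabase | Where-Object { $_.Type -eq 'Configuration Database' }).Name
$contentDbs = Get-SPContentDatabase | Select-Object -ExpandProperty Name
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Database=master;Integrated Security=SSPI")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account') CREATE LOGIN [$Account] FROM WINDOWS;"
[void]$cmd.ExecuteNonQuery()
foreach ($db in @($configDb) + @($contentDbs)) {
    $cmd.CommandText = @"
USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account') CREATE USER [$Account] FOR LOGIN [$Account];
EXEC sp_addrolemember N'$DbRole', N'$Account';
"@
    [void]$cmd.ExecuteNonQuery()
}
$conn.Close()
```

The role loop is the part worth auditing afterwards: WSS_CONTENT_APPLICATION_POOLS on the Configuration database is what a Web Application-scoped scan already relies on, so if that membership is missing the scan fails before it touches any content database.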
NAS Scan Permissions
- NetApp Data ONTAP Cluster-Mode Permissions
The credential used to collect file system data from a NetApp Data ONTAP Cluster-Mode device must have the ability to:
- Enumerate shares by executing specific API calls
- Bypass NTFS security to read the entire folder structure to be scanned and collect file/folder permissions
- Share Enumeration – API Calls (Cluster-Mode)
To enumerate the shares on a NetApp Data ONTAP Cluster-Mode device, File System scans require a credential provisioned with at least the following command directories, at the access level shown:
CLI Command                          Access
version                              readonly
volume                               readonly
vserver                              readonly
vserver fpolicy                      readonly
security login role show-ontapi      readonly
Important: In order to enumerate shares on a NetApp Data ONTAP Cluster-Mode device running 8.3 or later, the credential also needs at least the following permission on the target host: membership in the Power Users group.
- Bypass NTFS Security (Cluster-Mode)
It is possible to enable a credential to bypass NTFS security on NetApp Data ONTAP Cluster-Mode devices by provisioning access to a special share, ONTAP_Admin$. In order to access the ONTAP_Admin$ share, the credential must be associated with an FPolicy on the target device.
The FPolicy can be an "empty" FPolicy and should have minimal impact on an organization's system. The policy name must be "StealthAUDIT".
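The Cluster-Mode provisioning above, done from the scan host over SSH. This is an added example and not code from the page or from NetApp: it creates a role carrying exactly the five command directories at readonly, binds an ONTAPI login to it, and adds the scanning domain account to BUILTIN\Power Users on the data SVM (the 8.3+ requirement). Cluster, SVM, role and account names are assumptions; the FPolicy named StealthAUDIT that unlocks ONTAP_Admin$ is a separate device-side step and is not created here.

```powershell
# Added example, not from the page or NetApp: provision the ONTAP share-enumeration role/login
# and the Power Users membership. Requires the OpenSSH client and cluster admin credentials.
$Cluster  = 'cluster1.corp.example'   # cluster management LIF (assumption)
$AdminSvm = 'cluster1'                # admin SVM that owns the role and login (assumption)
$DataSvm  = 'svm_files'               # data SVM hosting the CIFS shares to scan (assumption)
$Role     = 'fdec_share_enum'
$ApiUser  = 'svc_fdec_api'            # ONTAPI login used to list shares
$CifsUser = 'CORP\svc_fdec'           # domain account that walks the file system

# Command directories from the table above, each at readonly and nothing more.
$cmdDirs = 'version', 'volume', 'vserver', 'vserver fpolicy', 'security login role show-ontapi'

$commands = @(foreach ($d in $cmdDirs) {
    "security login role create -vserver $AdminSvm -role $Role -cmddirname `"$d`" -access readonly"
})
# ONTAPI login bound to the role. ONTAP 9 syntax; ONTAP 8.x names the parameter -username.
# ONTAP prompts for the new login's password over the SSH session.
$commands += "security login create -vserver $AdminSvm -user-or-group-name $ApiUser -application ontapi -authentication-method password -role $Role"
# Power Users membership on the data SVM for the CIFS credential (needed on 8.3 and later).
$commands += "vserver cifs users-and-groups local-group add-members -vserver $DataSvm -group-name `"BUILTIN\Power Users`" -member-names `"$CifsUser`""

foreach ($c in $commands) {
    Write-Host "ontap> $c"
    ssh -t "admin@$Cluster" $c        # -t: a tty is needed for the password prompt
    if ($LASTEXITCODE -ne 0) { throw "SSH to $Cluster failed while running: $c" }
}

# Verify what was granted: every directory should show access readonly, and the
# scanning account should appear under BUILTIN\Power Users.
ssh "admin@$Cluster" "security login role show -vserver $AdminSvm -role $Role"
ssh "admin@$Cluster" "vserver cifs users-and-groups local-group show-members -vserver $DataSvm -group-name `"BUILTIN\Power Users`""
```

Keep the ONTAPI login separate from the CIFS domain account, as above: the API login only needs to list shares and roles, while the domain account is the one that gets Power Users and, via the FPolicy, ONTAP_Admin$ access, so a leak of either credential exposes only half of the capability.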
- NetApp Data ONTAP 7-Mode Permissions
The credential used to collect file system data from a NetApp Data ONTAP 7-Mode device must have the ability to:
- Enumerate shares by executing specific API calls
- Bypass NTFS security to read the entire folder structure to be scanned and collect file/folder permissions
- Share Enumeration – API Calls (7-Mode)
To enumerate the shares on a NetApp Data ONTAP 7-Mode device, File System scans require a credential provisioned with access to at least the following API calls:
- login-http-admin
- api-system-api-list
- api-system-get-version
- api-cifs-share-list-iter-*
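The same provisioning for a 7-Mode filer, using its useradmin command set. This is an added example, not code from the page or from NetApp: it creates a role with exactly the four capabilities listed above, wraps it in a group, and adds the scanning domain account to that group and to the built-in Power Users and Backup Operators groups needed for the NTFS bypass described under "Bypass NTFS Security (7-Mode)". Filer, role, group and account names are assumptions.

```powershell
# Added example, not from the page or NetApp: 7-Mode role, group and domain-user provisioning,
# sent from the scan host over SSH. Names are assumptions.
$Filer = 'filer7.corp.example'
$User  = 'CORP\svc_fdec'
$Role  = 'fdec_share_enum'
$Group = 'fdec_scanners'
# The four API capabilities the page lists; the trailing * covers all cifs-share-list-iter calls.
$caps  = 'login-http-admin', 'api-system-api-list', 'api-system-get-version', 'api-cifs-share-list-iter-*'

# Built-in group names contain spaces, so they are quoted for the filer's command parser;
# if the filer rejects the quoted list, consult `useradmin help` on that Data ONTAP release.
$commands = @(
    "useradmin role add $Role -a $($caps -join ',')",
    "useradmin group add $Group -r $Role",
    "useradmin domainuser add $User -g `"Power Users`",`"Backup Operators`",$Group",
    "useradmin role list $Role",
    "useradmin group list $Group"
)
foreach ($c in $commands) {
    Write-Host "filer> $c"
    ssh "root@$Filer" $c
    if ($LASTEXITCODE -ne 0) { throw "SSH to $Filer failed while running: $c" }
}
```

The two list commands at the end print what the filer actually stored; confirm the role shows only the four capabilities and that no `api-*` wildcard wider than `api-cifs-share-list-iter-*` crept in, since that is the difference between a share-enumeration account and a full management API account.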
- Bypass NTFS Security (7-Mode)
In order to bypass NTFS security, the credential needs at least the following permissions on the target host:
- Group membership in both of the following groups:
- Power Users
- Backup Operators
Note: All NetApp groups are assigned an RID. Built-in NetApp groups such as Power Users and Backup Operators are assigned specific RID values. On 7-Mode NetApp devices, system access checks for a group are identified by the RID assigned to the group and not by the role it has. Therefore, the ability to bypass access checks with the Power Users and Backup Operators groups has nothing to do with the power role or the backup role; neither role is required. For example, the built-in Power Users group, even when stripped of all roles, still has more file system access capabilities than any non-built-in group.
- EMC Celerra, VNX, VNXe, VMAX3, or Unity Permissions
The credential used to collect file system data from an EMC Celerra, VNX, VNXe, VMAX3, or Unity device needs at least the following permissions on the target host:
- Group membership in both of the following groups:
- Power Users
- Backup Operators
These permissions grant the credential the ability to enumerate shares, access the remote registry, and bypass NTFS security on folders.
If there are folders to which the credential is denied access, the Backup Operators group on the device most likely lacks the "Back up files and directories" right. In that case, assign the "Back up files and directories" right to that group, or create a new local group on the device using Computer Management from a Windows server and then assign the right to it using the CelerraManagementTool.msc plugin, which is available to EMC customers.
Note: In order to successfully scan EMC devices from Windows Server 2012 or newer, the "Require Secure Negotiate" setting must be turned off on the scanning server. The "Secure Negotiate" feature, added to SMB 3.0 in Windows Server 2012 and Windows 8, depends on every SMBv2 server, including servers that support only protocol versions 2.0 and 2.1, correctly signing its error responses. Some third-party file servers do not return a signed error response, so the connection fails.
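The Secure Negotiate change from the note above, with the state shown before and after and the caveat a practitioner should weigh first. This is an added example, not code from the page or from the vendor; it assumes the RequireSecureNegotiate value under the LanmanWorkstation parameters key, which is the value Microsoft's guidance for this third-party SMB server problem uses.

```powershell
# Added example, not from the page or the vendor: turn SMB Secure Negotiate off on the Windows
# Server 2012+ scan host so EMC targets that return unsigned SMB2 error responses can be scanned.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Name = 'RequireSecureNegotiate'   # DWORD; 0 = disabled, absent/1 = enabled (assumption: Microsoft guidance)

function Get-SecureNegotiateState {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item)     { return 'not set (default: enabled)' }
    if ($item.$Name -eq 0)   { return 'disabled (0)' }
    return "enabled ($($item.$Name))"
}

Write-Host "Before: $(Get-SecureNegotiateState)"

# Caveat: Secure Negotiate is the SMB 3.0 client's defence against a man-in-the-middle forcing a
# downgrade of the negotiated dialect and capabilities. Disabling it affects every SMB connection
# this host makes, not only the EMC scans. Apply it on a dedicated scan server, restrict that
# server's outbound SMB to the NAS targets, and re-enable it (value 1) when the EMC scans stop.
Set-ItemProperty -Path $Key -Name $Name -Value 0 -Type DWord

Write-Host "After:  $(Get-SecureNegotiateState)"

# The SMB client picks the value up when the Workstation service starts (assumption: verify on
# your build). Restarting it also restarts dependent services, so do it in a maintenance window:
#   Restart-Service LanmanWorkstation -Force
```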
- EMC Isilon Permissions
The credential used to collect file system data from an EMC Isilon device must have the following permissions on the target host:
- Group membership in the local Administrators group – LOCAL:System provider
- Rights on the actual file tree or on the IFS root share:
- Share Permissions: Read access
- Folder Permissions: List Folder / Read Data; Traverse Folder / Execute File; Read Permissions
These permissions grant the credential the ability to audit folders and shares. In order to execute scoped Classification scans, the credential must also have the LOCAL:System provider selected in each access zone in which the shares to be scanned reside.
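A pre-flight check of the folder rights listed above, which also covers the "folders to which the credential is denied access" case in the EMC section. This is an added example, not code from the page or from the vendor: run it on the scan host as the scan credential (for example in a `runas /netonly /user:CORP\svc_fdec powershell.exe` session) against any NAS share before the first scan. It walks the folder tree breadth-first and records every folder where listing, traversing or reading the ACL fails, so the missing share Read, List Folder / Read Data, Traverse Folder, Read Permissions or Backup Operators rights can be fixed before a scan silently skips those folders. The share path is an assumption.

```powershell
# Added example, not from the page or the vendor: verify that the scan credential can list,
# traverse and read the ACL of every folder under a share. Share path is an assumption.
function Test-ScanAccess {
    param(
        [Parameter(Mandatory)][string]$SharePath,
        [int]$MaxFolders = 0            # 0 = no limit; set a cap for a quick sample on huge shares
    )
    $denied = New-Object System.Collections.Generic.List[string]
    $queue  = New-Object System.Collections.Generic.Queue[string]
    $queue.Enqueue($SharePath)
    $checked = 0
    while ($queue.Count -gt 0) {
        $dir = $queue.Dequeue()
        if ($MaxFolders -gt 0 -and $checked -ge $MaxFolders) { break }
        $checked++
        try {
            # Read Permissions: the scan needs the ACL of every folder, not just its contents.
            [void](Get-Acl -LiteralPath $dir -ErrorAction Stop)
            # List Folder / Read Data and Traverse Folder: enumerate subfolders, hidden ones included.
            $children = Get-ChildItem -LiteralPath $dir -Directory -Force -ErrorAction Stop
            foreach ($c in $children) { $queue.Enqueue($c.FullName) }
        } catch {
            $denied.Add("$dir : $($_.Exception.GetType().Name)")
        }
    }
    [pscustomobject]@{
        Share          = $SharePath
        FoldersChecked = $checked
        DeniedCount    = $denied.Count
        Denied         = $denied
    }
}

$result = Test-ScanAccess -SharePath '\\nas01\Finance'
$result | Format-List Share, FoldersChecked, DeniedCount
$result.Denied | Out-File (Join-Path $env:TEMP 'fdec_preflight_denied.txt')
```

A non-zero DeniedCount on an EMC target usually points at the Backup Operators group lacking "Back up files and directories"; on Isilon it usually means the LOCAL:System provider is not selected in the access zone that owns the share, so the Administrators membership does not apply there.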
- Hitachi Permissions
The credential used to collect file system data from a Hitachi device must have the following permission on the target host:
- Group membership in both of the following local groups:
- Local Administrators
- Backup Administrators
This permission grants the credential read access to all target folders and files.