Monitoring Permissions
Enable these permissions to allow file activity monitoring on your NAS or SharePoint environments.
NAS Permissions
- NetApp Data ONTAP Cluster-Mode Permissions

The policy name and credentials are case-sensitive when targeting a NetApp Data ONTAP Cluster-Mode device. The policy name must be StealthAUDIT and the engine name must be StealthAUDITEngine. A tailored FPolicy is recommended, as it decreases the impact on the NetApp device.
The credential associated with the FPolicy used to monitor activity must be provisioned with at least the following CLI commands:

| CLI command | Access |
|---|---|
| version | Readonly |
| volume | Readonly |
| vserver | Readonly |

For more options to enable and configure the FPolicy, use the CLI commands listed under the option you intend to enable.

Employing the “Enable and connect FPolicy” Option
The File Activity Monitor can be configured to ensure that everything is actively monitored, with periodic checks on the FPolicy. If the “Enable and connect FPolicy” option is enabled, the credential requires the following permissions to enable the FPolicy, connect to the FPolicy, and collect events:

| CLI command | Access |
|---|---|
| version | Readonly |
| volume | Readonly |
| vserver | Readonly |
| vserver fpolicy disable | All |
| vserver fpolicy enable | All |
| vserver fpolicy engine-connect | All |

Employing the “Configure FPolicy” Option
The File Activity Monitor can automatically configure FPolicy. If the “Configure FPolicy” option is enabled, the credential requires the following permissions to enable the FPolicy, connect to the FPolicy, and collect events:

| CLI command | Access |
|---|---|
| version | Readonly |
| volume | Readonly |
| vserver | Readonly |
| vserver fpolicy | All |
| security certificate install (only needed for FPolicy TLS connection) | All |

- NetApp Data ONTAP 7-Mode Permissions
File and Printer Sharing must be enabled on the server where FAM is installed.
An FPolicy must be configured on the target device for file activity monitoring. A tailored FPolicy is recommended, as it decreases the impact on the NetApp device. The credential associated with the FPolicy used to monitor activity must be provisioned with access to the following API calls:
- login-http-admin
- api-system-api-list
- api-system-get-version
- api-cifs-share-list-iter-*
- api-volume-list-info-iter-*
If the File Activity Monitor will automatically configure the FPolicy, the following command is also needed:
- api-fpolicy*
If the File Activity Monitor will be configured to use the “Enable and connect to the FPolicy” option, the following command is also needed:
- cli-fpolicy*
The credential must also have the following permissions on the target device:
- Group membership in both of the following groups:
  - ONTAP Power Users
  - ONTAP Backup Operators
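The two NetApp sections above give a minimum permission set per FAM option, which makes the monitoring credential a natural least-privilege review target: a role that grants less will silently stop collecting events, and a role that grants more (for example `vserver` at All instead of Readonly) hands the monitoring service write access to the filer. The following is an added example, not Stealthbits documentation or product code. It encodes the Cluster-Mode command directories and the 7-Mode API capabilities exactly as listed above, then compares a role against them for the options in use. Option names (`enable_and_connect`, `configure`, `configure_tls`), the hierarchical treatment of ONTAP command-directory grants, and the two sample roles are assumptions of the example.

```python
"""Least-privilege review of the FAM monitoring credential on NetApp.

Added example, not part of the Stealthbits documentation or product. It
encodes the minimum permissions listed above for Cluster-Mode (CLI command
directories with an access level) and 7-Mode (API/CLI capabilities, some
ending in a wildcard), compares a role against them for the FAM options in
use, and reports grants that are missing and grants that exceed the
documented minimum. The sample roles at the bottom are constructed.
"""

ACCESS_RANK = {"none": 0, "readonly": 1, "all": 2}

# Cluster-Mode: command directory -> minimum access, keyed by FAM option.
CLUSTER_MODE_REQUIRED = {
    "base": {"version": "readonly", "volume": "readonly", "vserver": "readonly"},
    "enable_and_connect": {
        "vserver fpolicy disable": "all",
        "vserver fpolicy enable": "all",
        "vserver fpolicy engine-connect": "all",
    },
    "configure": {"vserver fpolicy": "all"},
    "configure_tls": {"security certificate install": "all"},
}

# 7-Mode: capability names, keyed by FAM option. A trailing '*' is a wildcard.
SEVEN_MODE_REQUIRED = {
    "base": [
        "login-http-admin", "api-system-api-list", "api-system-get-version",
        "api-cifs-share-list-iter-*", "api-volume-list-info-iter-*",
    ],
    "configure": ["api-fpolicy*"],
    "enable_and_connect": ["cli-fpolicy*"],
}


def _check_options(options, table):
    bad = [o for o in options if o == "base" or o not in table]
    if bad:
        raise ValueError(f"unknown FAM option(s): {bad}")


def covers_cmd(grant_dir, required_dir):
    """ONTAP role grants are hierarchical (assumed here): a grant on
    'vserver fpolicy' also applies to 'vserver fpolicy enable' and so on."""
    return required_dir == grant_dir or required_dir.startswith(grant_dir + " ")


def _justified_access(grant_dir, required):
    """Highest access rank the documented minimum justifies for this grant."""
    covered = [ACCESS_RANK[a] for cmd, a in required.items() if covers_cmd(grant_dir, cmd)]
    if covered:
        # The grant applies to everything below it, so anything above the
        # lowest covered need is more than the minimum.
        return min(covered)
    parents = [(len(cmd), ACCESS_RANK[a]) for cmd, a in required.items()
               if covers_cmd(cmd, grant_dir)]
    if parents:
        # The grant is a sub-part of a broader requirement; the most specific wins.
        return max(parents)[1]
    return 0  # nothing on the page needs this directory at all


def check_cluster_mode(role_grants, options):
    """role_grants: {command directory: access}. Returns (missing, excess)."""
    _check_options(options, CLUSTER_MODE_REQUIRED)
    required = dict(CLUSTER_MODE_REQUIRED["base"])
    for opt in sorted(options):
        required.update(CLUSTER_MODE_REQUIRED[opt])
    missing = {}
    for cmd, need in required.items():
        have = max((ACCESS_RANK[a] for g, a in role_grants.items() if covers_cmd(g, cmd)),
                   default=0)
        if have < ACCESS_RANK[need]:
            missing[cmd] = need
    excess = {g: a for g, a in role_grants.items()
              if ACCESS_RANK[a] > _justified_access(g, required)}
    return missing, excess


def covers_cap(role_cap, required_cap):
    """A 7-Mode capability with a trailing '*' covers every name under its prefix."""
    if role_cap.endswith("*"):
        return required_cap.startswith(role_cap[:-1])
    return role_cap == required_cap


def check_seven_mode(role_caps, options):
    """role_caps: list of capability names. Returns (missing, unrelated)."""
    _check_options(options, SEVEN_MODE_REQUIRED)
    required = list(SEVEN_MODE_REQUIRED["base"])
    for opt in sorted(options):
        required.extend(SEVEN_MODE_REQUIRED[opt])
    missing = [r for r in required if not any(covers_cap(c, r) for c in role_caps)]
    unrelated = [c for c in role_caps
                 if not any(covers_cap(c, r) or covers_cap(r, c) for r in required)]
    return missing, unrelated


# Constructed sample roles: one required entry forgotten, one unrelated grant each.
SAMPLE_CLUSTER_ROLE = {
    "version": "readonly", "volume": "readonly", "vserver": "readonly",
    "vserver fpolicy enable": "all", "vserver fpolicy engine-connect": "all",
    "volume snapshot": "all",
}
SAMPLE_SEVEN_MODE_ROLE = [
    "login-http-admin", "api-system-api-list", "api-system-get-version",
    "api-cifs-share-list-iter-*", "api-volume-list-info-iter-*",
    "api-fpolicy*", "api-snapshot-*",
]

if __name__ == "__main__":
    print("Cluster-Mode:", check_cluster_mode(SAMPLE_CLUSTER_ROLE, {"enable_and_connect"}))
    print("7-Mode:", check_seven_mode(SAMPLE_SEVEN_MODE_ROLE, {"enable_and_connect"}))
```

Run against a role exported from the device, the "missing" side explains why an "Enable and connect" deployment stops re-enabling the policy, and the "excess" side is what to take away before the credential goes into production; a role that grants `vserver` at All satisfies every requirement but is reported as excess because the page only asks for Readonly on that directory.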
- EMC Celerra or Unity device

The EMC Common Event Enabler (CEE) should be installed on the Windows proxy server where the FAM agent is deployed.
- EMC Isilon device

The EMC Common Event Enabler (CEE) should be installed on the Windows proxy server where the File Activity Monitor agent is deployed.
- Hitachi

A Hitachi device can host multiple Enterprise Virtual Servers (EVS). Each EVS has multiple file systems. Auditing is enabled and configured per file system. HNAS generates the audit log files in EVT format (the standard event log format in Windows XP/2003 and earlier). Hitachi stores the generated audit logs in a user-specified location on the file system. FAM accesses this location to collect the log files as they are generated. The credential used to monitor activity must be provisioned with:
- Capability of enabling a File System Audit Policy on the Hitachi device
- Audit rights to the Hitachi log directory
Firewall rules - Windows Proxy Server
- NetApp Data ONTAP Cluster-Mode Firewall Rules

The following firewall settings are required for communication between FAM and the NetApp Data ONTAP Cluster-Mode device:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| FAM to NetApp | HTTP (Optional) | 80 | ONTAPI |
| FAM to NetApp | HTTPS (Optional) | 443 | ONTAPI |
| NetApp to FAM | TCP | 9999 | FPolicy events |

- NetApp Data ONTAP 7-Mode Firewall Rules

The following firewall settings are required for communication between FAM and the NetApp Data ONTAP 7-Mode device:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| FAM to NetApp* | HTTP (optional) | 80 | ONTAPI |
| FAM to NetApp* | HTTPS (optional) | 443 | ONTAPI |
| FAM to NetApp | TCP | 135, 139, Dynamic Range (49152-65535) | RPC |
| FAM to NetApp | TCP | 445 | SMB |
| FAM to NetApp | UDP | 137, 138 | RPC |
| NetApp to FAM | TCP | 135, 139, Dynamic Range (49152-65535) | RPC |
| NetApp to FAM | TCP | 445 | SMB |
| NetApp to FAM | UDP | 137, 138 | RPC |

*Only required if using the FPolicy Configuration and FPolicy Enable and Connect options within the File Activity Monitor.
- EMC Firewall Rules

The following firewall settings are required for communication between FAM and the EMC Celerra, Dell EMC Unity, or EMC Isilon device:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| EMC Isilon Device to CEE Server | TCP | 12228 | CEE Communication |
| EMC Device (other than Isilon) to CEE Server | TCP | RPC Dynamic Range | CEE Communication |

- Hitachi Firewall Rules

The following firewall settings are required for communication between FAM and the Hitachi device:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| Unidirectional | TCP | 445 | SMB |
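The tables above are written from the device's point of view ("NetApp to FAM", "Device to CEE Server"), while the rules on the Windows proxy are written as inbound and outbound, and the 7-Mode footnote makes two of the rows conditional on which FAM options are in use. The following is an added example, not Stealthbits tooling, that re-expresses every table row as a flow relative to the proxy, filters by device type and option usage, and reports the port spans a proxy allow list does not cover yet. The device-type keys, the treatment of Cluster-Mode's "(Optional)" rows the same way as the asterisked 7-Mode rows, and the decision to treat the Hitachi "Unidirectional" SMB row as outbound (because FAM reads the audit log directory from the Hitachi file system) are assumptions of the example; the allow list is constructed.

```python
"""Firewall gap analysis for the FAM Windows proxy server.

Added example, not Stealthbits tooling. It encodes the firewall tables
above as flows seen from the proxy (inbound = device to FAM or CEE,
outbound = FAM to device), selects the flows for one device type, and
reports the required port spans that a constructed allow list does not
permit. The Hitachi table lists the flow as "Unidirectional"; since FAM
reads the audit log directory from the Hitachi file system, it is treated
here as outbound from the proxy (an assumption, not stated on the page).
"""
from dataclasses import dataclass

DYNAMIC_RPC = (49152, 65535)  # Windows dynamic RPC range from the tables


@dataclass(frozen=True)
class Flow:
    device: str
    direction: str          # "inbound" or "outbound", relative to the proxy
    protocol: str           # TCP, UDP, HTTP or HTTPS as written in the tables
    ports: tuple            # ints and/or (low, high) ranges
    description: str
    optional: bool = False  # marked optional / asterisked in the tables


FLOWS = [
    Flow("netapp_cmode", "outbound", "HTTP", (80,), "ONTAPI", True),
    Flow("netapp_cmode", "outbound", "HTTPS", (443,), "ONTAPI", True),
    Flow("netapp_cmode", "inbound", "TCP", (9999,), "FPolicy events"),
    Flow("netapp_7mode", "outbound", "HTTP", (80,), "ONTAPI", True),
    Flow("netapp_7mode", "outbound", "HTTPS", (443,), "ONTAPI", True),
    Flow("netapp_7mode", "outbound", "TCP", (135, 139, DYNAMIC_RPC), "RPC"),
    Flow("netapp_7mode", "outbound", "TCP", (445,), "SMB"),
    Flow("netapp_7mode", "outbound", "UDP", (137, 138), "RPC"),
    Flow("netapp_7mode", "inbound", "TCP", (135, 139, DYNAMIC_RPC), "RPC"),
    Flow("netapp_7mode", "inbound", "TCP", (445,), "SMB"),
    Flow("netapp_7mode", "inbound", "UDP", (137, 138), "RPC"),
    Flow("emc_isilon", "inbound", "TCP", (12228,), "CEE communication"),
    Flow("emc_other", "inbound", "TCP", (DYNAMIC_RPC,), "CEE communication"),
    Flow("hitachi", "outbound", "TCP", (445,), "SMB"),  # direction assumed
]


def transport(protocol):
    """HTTP and HTTPS ride on TCP; firewall rules are written per transport."""
    return "TCP" if protocol in ("HTTP", "HTTPS") else protocol


def required_flows(device, uses_fpolicy_options):
    """Flows for one device type. The optional ONTAPI flows are included only
    when the FPolicy Configuration or Enable-and-Connect options are in use,
    as the 7-Mode footnote states (applied to Cluster-Mode as well, assumed)."""
    flows = [f for f in FLOWS if f.device == device]
    if not flows:
        raise ValueError(f"unknown device type: {device}")
    return [f for f in flows if uses_fpolicy_options or not f.optional]


def _span(port):
    return port if isinstance(port, tuple) else (port, port)


def _fmt(lo, hi):
    return str(lo) if lo == hi else f"{lo}-{hi}"


def uncovered(flows, allow_rules):
    """Return a description of each required port span no allow rule permits.

    allow_rules: list of {"direction", "protocol", "ports": [(low, high), ...]}
    with protocol as a transport (TCP/UDP), as exported from the proxy firewall.
    """
    gaps = []
    for f in flows:
        for port in f.ports:
            lo, hi = _span(port)
            permitted = any(
                r["direction"] == f.direction
                and r["protocol"] == transport(f.protocol)
                and any(rlo <= lo and hi <= rhi for rlo, rhi in r["ports"])
                for r in allow_rules
            )
            if not permitted:
                gaps.append(f"{f.direction} {transport(f.protocol)} {_fmt(lo, hi)} ({f.description})")
    return gaps


# Constructed allow list: the inbound RPC dynamic range and the inbound UDP
# 137/138 ports are deliberately left out so the report has something to show.
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "TCP", "ports": [(135, 135), (139, 139), (445, 445)]},
    {"direction": "outbound", "protocol": "TCP",
     "ports": [(80, 80), (443, 443), (135, 135), (139, 139), (445, 445), DYNAMIC_RPC]},
    {"direction": "outbound", "protocol": "UDP", "ports": [(137, 138)]},
]

if __name__ == "__main__":
    for gap in uncovered(required_flows("netapp_7mode", True), SAMPLE_RULES):
        print("missing allow rule:", gap)
```

Keeping the flow list as data rather than as firewall commands lets the same table drive both the initial rule set and a later audit: when the FPolicy options are switched off, `required_flows(device, False)` drops the ONTAPI rows, and the outbound 80/443 rules become candidates for removal rather than something the proxy keeps open by habit.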
SharePoint Permissions
- The provided domain user must be a local admin on the SharePoint application server.
- Auditing settings must be enabled on SharePoint.