Monitoring Permissions

Grant the following permissions and open the following firewall ports to allow the File Activity Monitor (FAM) to monitor file activity on your NAS or SharePoint environments. Keep each credential scoped to the access listed for the options you actually use; the FPolicy-management permissions are only required when the corresponding FAM option is enabled.

NAS Permissions

NetApp Data ONTAP Cluster-Mode Permissions

The policy name and credentials are case-sensitive when targeting a NetApp Data ONTAP Cluster-Mode device. The policy name must be StealthAUDIT and the external-engine name must be StealthAUDITEngine. A tailored FPolicy (scoped to the volumes and file operations you need) is recommended, as it decreases the load on the NetApp device.

The credential that is associated with the FPolicy used to monitor activity must be provisioned with at least the following CLI commands:

CLI command    Access
version        Readonly
volume         Readonly
vserver        Readonly

If the File Activity Monitor is also used to enable, connect to, or configure the FPolicy, the credential needs additional CLI command access, as described in the following two options.

Employing the "Enable and connect FPolicy" Option

The File Activity Monitor can periodically check that the FPolicy is enabled and that its external engine is connected, and re-enable or reconnect it if it is not. If the "Enable and connect FPolicy" option is enabled, the credential requires the following permissions to enable the FPolicy, connect to the FPolicy, and collect events:

CLI command                      Access
version                          Readonly
volume                           Readonly
vserver                          Readonly
vserver fpolicy disable          All
vserver fpolicy enable           All
vserver fpolicy engine-connect   All

Employing the "Configure FPolicy" Option

The File Activity Monitor can create and configure the FPolicy automatically. If the "Configure FPolicy" option is enabled, the credential requires the following permissions to configure, enable, and connect to the FPolicy and to collect events:

CLI command                     Access
version                         Readonly
volume                          Readonly
vserver                         Readonly
vserver fpolicy                 All
security certificate install    All (only needed when FAM connects to the FPolicy external engine over TLS)

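The following ONTAP CLI session shows what a least-privilege credential and a tailored FPolicy look like in practice. It is an added example, not configuration shipped with the File Activity Monitor or taken from this page; the SVM name (svm1), role and user names (fam_monitor, fam_svc), the FAM proxy address (10.0.0.50), the event name (fam_cifs_events) and the volume names (vol_data1, vol_data2) are assumptions to replace with your own. The policy name StealthAUDIT and engine name StealthAUDITEngine are the case-sensitive values the page requires. Lines starting with # are annotations, not CLI input.

```text
# --- Least-privilege role for the FAM credential (assumed names: svm1, fam_monitor, fam_svc) ---
# Readonly on version, volume and vserver is the baseline every FAM credential needs.
security login role create -vserver svm1 -role fam_monitor -cmddirname "version" -access readonly
security login role create -vserver svm1 -role fam_monitor -cmddirname "volume"  -access readonly
security login role create -vserver svm1 -role fam_monitor -cmddirname "vserver" -access readonly
# Only add this when "Enable and connect FPolicy" or "Configure FPolicy" is used;
# "vserver fpolicy" covers the enable, disable and engine-connect subcommands.
security login role create -vserver svm1 -role fam_monitor -cmddirname "vserver fpolicy" -access all

# FAM talks ONTAPI on TCP 80/443, so bind the role to that application only (no ssh/console login).
security login create -vserver svm1 -user-or-group-name fam_svc -application ontapi -authentication-method password -role fam_monitor

# --- Tailored FPolicy ---
# External engine: the SVM opens the connection OUT to FAM on TCP 9999 (the "NetApp to FAM" rule).
# Asynchronous means the node does not wait for FAM before completing the client's file operation.
# -ssl-option no-auth is the plaintext baseline; server-auth/mutual-auth need a certificate installed,
# which is why "security certificate install" appears in the Configure FPolicy permissions above.
vserver fpolicy policy external-engine create -vserver svm1 -engine-name StealthAUDITEngine -primary-servers 10.0.0.50 -port 9999 -extern-engine-type asynchronous -ssl-option no-auth

# Event set: subscribe only to the CIFS operations you need, not every operation on the SVM (assumed name: fam_cifs_events).
vserver fpolicy policy event create -vserver svm1 -event-name fam_cifs_events -protocol cifs -file-operations create,create_dir,delete,delete_dir,rename,rename_dir,write,setattr

# Policy: non-mandatory, so an unreachable FAM never blocks client I/O.
vserver fpolicy policy create -vserver svm1 -policy-name StealthAUDIT -events fam_cifs_events -engine StealthAUDITEngine -is-mandatory false

# Scope: restrict the policy to the monitored volumes (assumed: vol_data1, vol_data2).
vserver fpolicy policy scope create -vserver svm1 -policy-name StealthAUDIT -volumes-to-include vol_data1,vol_data2

# Enable the policy; the sequence number orders it relative to any other FPolicies on the SVM.
vserver fpolicy enable -vserver svm1 -policy-name StealthAUDIT -sequence-number 1

# Verify: the engine status for each node should show the FAM server as connected,
# and the policy should show as enabled. A "disconnected" status usually means TCP 9999
# from the node's data LIF to the FAM proxy is blocked.
vserver fpolicy show-engine -vserver svm1 -policy-name StealthAUDIT
vserver fpolicy show -vserver svm1
```

If FAM is left to create the FPolicy itself (the "Configure FPolicy" option), the role still needs only the "vserver fpolicy" directory plus the three Readonly directories; the point of creating the role first is that the credential never carries broader admin rights than the page lists.
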
NetApp Data ONTAP 7-Mode Permissions

File and Printer Sharing must be enabled on the Windows server where the File Activity Monitor (FAM) is installed, because the 7-Mode device delivers FPolicy events to FAM over SMB/RPC.

An FPolicy must be configured on the target device for file activity monitoring. A tailored FPolicy is recommended as it decreases the impact on the NetApp device. The credential associated with the FPolicy used to monitor activity must be provisioned with access to the following API calls:

  • login-http-admin
  • api-system-api-list
  • api-system-get-version
  • api-cifs-share-list-iter-*
  • api-volume-list-info-iter-*

If the File Activity Monitor will be configuring the FPolicy automatically (the "Configure FPolicy" option), the following API access is also needed:

  • api-fpolicy*

If the File Activity Monitor will be configured to use the "Enable and connect FPolicy" option, the following CLI access is also needed:

  • cli-fpolicy*

The credential must also have the following permissions on the target device:

  • Group membership in both of the following groups:
      • ONTAP Power Users
      • ONTAP Backup Operators

EMC Celerra or Unity device

The EMC Common Event Enabler (CEE) must be installed on the Windows proxy server where the File Activity Monitor agent is deployed.

EMC Isilon device

The EMC Common Event Enabler (CEE) must be installed on the Windows proxy server where the File Activity Monitor agent is deployed.

Hitachi

A Hitachi device can host multiple Enterprise Virtual Servers (EVS), and each EVS can host multiple file systems. Auditing is enabled and configured per file system. HNAS writes the audit log files in EVT format (the legacy Windows event log format used by Windows XP/Server 2003 and earlier) to a user-specified location on the file system, and FAM reads that location over SMB to collect the log files as they are generated. The credential used to monitor activity must be provisioned with:

  • The capability of enabling a File System Audit Policy on the Hitachi device
  • Access rights to the Hitachi audit log directory

Firewall rules - Windows Proxy Server

NetApp Data ONTAP Cluster-Mode Firewall Rules

The following firewall settings are required for communication between FAM and the NetApp Data ONTAP Cluster-Mode device. Note that the FPolicy event connection is initiated by the NetApp device, so the FAM proxy server must accept inbound TCP 9999 from the SVM's data LIFs:

Communication Direction   Protocol           Ports   Description
FAM to NetApp             HTTP (optional)    80      ONTAPI
FAM to NetApp             HTTPS (optional)   443     ONTAPI
NetApp to FAM             TCP                9999    FPolicy events

NetApp Data ONTAP 7-Mode Firewall Rules

The following firewall settings are required for communication between FAM and the NetApp Data ONTAP 7-Mode device:

Communication Direction   Protocol           Ports                                   Description
FAM to NetApp*            HTTP (optional)    80                                      ONTAPI
FAM to NetApp*            HTTPS (optional)   443                                     ONTAPI
FAM to NetApp             TCP                135, 139, dynamic range (49152-65535)   RPC
FAM to NetApp             TCP                445                                     SMB
FAM to NetApp             UDP                137, 138                                NetBIOS (name and datagram service)
NetApp to FAM             TCP                135, 139, dynamic range (49152-65535)   RPC
NetApp to FAM             TCP                445                                     SMB
NetApp to FAM             UDP                137, 138                                NetBIOS (name and datagram service)

*Only required if using the "Configure FPolicy" or "Enable and connect FPolicy" options within the File Activity Monitor.

EMC Firewall Rules

The following firewall settings are required for communication between FAM and the EMC Celerra, Dell EMC Unity, or EMC Isilon device:

Communication Direction                        Protocol   Ports               Description
EMC Isilon device to CEE server                TCP        12228               CEE communication
EMC device (other than Isilon) to CEE server   TCP        RPC dynamic range   CEE communication

Hitachi Firewall Rules

The following firewall settings are required for communication between FAM and the Hitachi device. FAM collects the audit logs by reading the Hitachi log directory, so the connection is initiated from FAM:

Communication Direction   Protocol   Ports   Description
FAM to Hitachi            TCP        445     SMB

SharePoint Permissions

  • The provided domain user must be a local administrator on the SharePoint application server.
  • Auditing must be enabled in SharePoint for the events you want monitored; FAM can only collect what SharePoint audits.