What rights and permissions are required for the account that collects data

This article explains how to configure the account that is used to collect audit data. It lists all required rights and permissions grouped by data source.
Question What rights and permissions are required for the account specified for data collection?
Answer
The list below is grouped by audited system. Each entry gives the rights and permissions that must be granted to the data collecting account for data collection to succeed.
Active Directory
On the computer where Netwrix Auditor Server is installed (in 8.5, Netwrix Auditor Administrator Console):
  • A member of the local Administrators group (only for auditing a local or trusted domain)
In the target domain:
  • A member of the Domain Admins group, or the Manage auditing and security log policy must be defined for this account
  • The Read rights to the Active Directory Deleted Objects container
  • If event logs autobackup is enabled:
    • Permissions to the following registry key on each DC in the target domain: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
    • A member of one of the following groups: Administrators, Print Operators, Server Operators
    • The Share Read and Write permissions and Security Full control permissions for the logs backup folder
Azure AD
In the Cloud:
  • The account must be assigned the Global Administrator role in Azure AD (Company Administrator in Azure AD PowerShell terms). This is only required when first configuring Azure AD monitoring; afterwards, any regular account can be used to collect audit data.
NOTE: Accounts with multi-factor authentication are not supported.
Exchange
On the computer where Netwrix Auditor Server is installed (in 8.5, Netwrix Auditor Administrator Console):
  • A member of the local Administrators group (only for auditing a local or trusted domain)
In the target domain:
  • A member of the Domain Admins group, or the Manage auditing and security log policy must be defined for this account
  • The Read rights on the Active Directory Deleted Objects container
  • If event logs autobackup is enabled:
    • Permissions to the following registry key on each DC in the target domain: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
    • A member of one of the following groups: Administrators, Print Operators, Server Operators
    • The Share Read and Write permissions and Security Full control permissions for the logs backup folder
  • The account must belong to the Organization Management or Records Management group, or be assigned the Audit Logs management role (only required if the audited AD domain has an Exchange organization running Exchange 2010, 2013, or 2016)
Exchange Online
In the Cloud:
  • To connect to Exchange Online, the account used for the connection must be assigned the following Exchange admin roles:
    • Audit logs
    • Mail Recipients
    • View-Only Configuration
Windows File Servers
On the target server:
  • The Manage auditing and security log and Backup files and directories policies must be defined for this account on the file server
  • The Read share permission on the audited shared folders
  • A member of the local Administrators group
  • For auditing DFS file shares, the account must be a member of the Server Operators group in the domain the file server belongs to
EMC Isilon
On the target server:
NOTE: This is only required if you are going to configure EMC Isilon for auditing manually.
  • A member of the BUILTIN\Administrators group
  • The Read permissions on the audited shared folders
  • The Read permissions on the folder where audit events are logged (/ifs/.ifsvar/audit/)
  • To connect to EMC Isilon, the account must be assigned a custom role (e.g., netwrix_audit) that has the following privileges, each with read-only access:
    • Platform API (ISI_PRIV_LOGIN_PAPI): readonly
    • Auth (ISI_PRIV_AUTH): readonly
    • Audit (ISI_PRIV_AUDIT): readonly
    • Backup (ISI_PRIV_IFS_BACKUP): readonly
NOTE: An account used to connect to a cluster put into compliance mode is subject to additional requirements.
EMC VNX/VNXe
On the target server:
  • The Read share permissions on the audited shared folders
  • A member of the local Administrators group
NetApp Filer
On the target server:
  • A member of the local Administrators group
  • The Read permissions (resultant set) on the audited shared folders
  • The Read permissions (resultant set) on the audit logs folder and its contents, and the Delete permissions (resultant set) on the contents of this folder
  • To connect to NetApp Data ONTAP 7 or Data ONTAP 8 in 7-mode, the account must have the following capabilities:
    • login-http-admin
    • api-vfiler-list-info
    • api-volume-get-root-name
    • api-system-cli
    • api-options-get
    • cli-cifs
  • To connect to NetApp Clustered Data ONTAP 8 or ONTAP 9, the account must be assigned a custom role on the SVM that has the following capabilities with the listed access levels:
    • version: readonly
    • volume: readonly
    • vserver audit: readonly
    • vserver audit rotate-log: all
    • vserver cifs share: readonly
NOTE: You can also assign the built-in vsadmin role.
If you want to authenticate with an AD user account, you must enable it to access the SVM through ONTAPI. The credentials are case sensitive.
Oracle Database
On the target server:
  • The CREATE SESSION system privilege must be granted to the account used to connect to Oracle Database.
  • Depending on your Oracle Database version, the SELECT privilege on the following objects must be granted to the account used to connect to Oracle Database:
Oracle Database 11g:
    • aud$
    • gv_$xml_audit_trail
    • dba_stmt_audit_opts
    • v_$parameter
    • dba_obj_audit_opts
    • dba_audit_policies
    • dba_audit_mgmt_clean_events
    • gv_$instance
    • fga_log$
Oracle Database 12c: in addition to the privileges above, grant the SELECT privilege on the following objects:
    • gv_$unified_audit_trail
    • all_unified_audit_actions
    • audit_unified_policies
    • audit_unified_enabled_policies
NOTE: If you are going to configure Fine Grained Auditing, grant the privileges appropriate for your Oracle Database version and make sure that you use Oracle Database Enterprise Edition.
Alternatively, you can grant the default administrator role to the account.
SharePoint
On the target server:
  • A member of the local Administrators group on the SharePoint server where the Core Service will be deployed
  • The SharePoint_Shell_Access role on the SharePoint SQL Server configuration database
SharePoint Online
In the Cloud:
  • The account must be assigned the Global Administrator role in the Azure AD domain (Company Administrator in Azure AD PowerShell terms). This is only required when first configuring monitoring; afterwards, any regular account can be used to collect audit data.
NOTE: Accounts with multi-factor authentication are not supported.
SQL Server
On the target server:
  • The System Administrator (sysadmin) server role on the target SQL Server
VMware
On the target server:
  • At least the Read-only role on the audited hosts
Windows Server (including DNS, DHCP)
On the target server:
  • The Manage auditing and security log policy must be defined for this account
  • A member of the local Administrators group
Event Log (including IIS)
On the target server:
  • A member of the local Administrators group
Group Policy
On the computer where Netwrix Auditor Server is installed (in 8.5, Netwrix Auditor Administrator Console):
  • A member of the local Administrators group (only for auditing a local or trusted domain)
In the target domain:
  • A member of the Domain Admins group, or the Manage auditing and security log policy must be defined for this account
  • The Read rights to the Active Directory Deleted Objects container
  • If event logs autobackup is enabled:
    • Permissions to the following registry key on each DC in the target domain: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
    • A member of one of the following groups: Administrators, Print Operators, Server Operators
    • The Share Read and Write permissions and Security Full control permissions for the logs backup folder
Inactive Users
In the target domain:
  • A member of the Domain Admins group
Logon Activity
In the target domain:
  • If network traffic compression is disabled: the Manage auditing and security log policy must be defined for this account
  • If network traffic compression is enabled: the account must belong to the Domain Admins group
  • The account must belong to one of the following domain groups: Backup Operators or Server Operators (only if the account is not a member of the Domain Admins group)
Password Expiration
In the target domain:
  • A member of the Domain Users group
User Activity
On the target server:
  • A member of the local Administrators group
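The domain-side requirements that recur in the Active Directory, Exchange and Group Policy entries above (Domain Admins or operator group membership, the Manage auditing and security log right on each DC, the Security event log registry key, and the share and NTFS permissions on the logs backup folder) can be verified from one PowerShell session before data collection is enabled. The script below is an added example written for this article; it is not Netwrix's own code and is not shipped with Netwrix Auditor. It assumes the ActiveDirectory RSAT module is installed, WinRM is enabled on the domain controllers and on the host of the backup share, and the caller may read security policy, registry ACLs and share settings there. The account name, server name and share name are hypothetical placeholders. The Read right on the Deleted Objects container is not covered here; inspect it with dsacls on that container.

```powershell
<#
  Added verification script (not Netwrix's own code). Assumptions, all placeholders:
  RSAT ActiveDirectory module present, WinRM enabled on the DCs and on $BackupServer,
  and the caller can read security policy, registry ACLs and share settings there.
#>
param(
    [string]$Account      = 'CORP\svc-netwrix',   # hypothetical collector account
    [string]$BackupServer = 'dc01',               # hypothetical host of the logs backup share
    [string]$BackupShare  = 'NetwrixLogBackup'    # hypothetical share name on that host
)
Import-Module ActiveDirectory

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$sam = $Account.Split('\')[-1]
$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [string]$Target, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Target = $Target; Pass = $Pass; Detail = $Detail })
}
# Recursive lookup, so membership through nested groups counts
function Test-GroupMember([string]$Group) {
    [bool](Get-ADGroupMember -Identity $Group -Recursive | Where-Object SamAccountName -eq $sam)
}
# Principals holding a user right on a host, as secedit exports them: SIDs prefixed
# with '*', names as plain text, comma separated. Reflects the policy applied on that host.
function Get-UserRightHolders([string]$ComputerName, [string]$Right) {
    $line = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($r)
        $inf = Join-Path $env:TEMP 'userrights.inf'
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $l = Get-Content $inf | Where-Object { $_ -like "$r*" }
        Remove-Item $inf -ErrorAction SilentlyContinue
        $l
    } -ArgumentList $Right
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

# 1. Domain Admins, and the operator groups required when event log autobackup is enabled
$domain = (Get-ADDomain).DNSRoot
$isDA = Test-GroupMember 'Domain Admins'
Add-Result 'Domain Admins member' $domain $isDA ''
$ops = 'Administrators','Print Operators','Server Operators' | Where-Object { Test-GroupMember $_ }
Add-Result 'Administrators/Print Operators/Server Operators member' $domain ([bool]$ops) ($ops -join ', ')

# 2. Per DC: "Manage auditing and security log" (SeSecurityPrivilege) and the Security event
#    log registry key. On a DC the right is normally held by BUILTIN\Administrators
#    (S-1-5-32-544), which Domain Admins belong to, so that counts for a Domain Admins account.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $holders = Get-UserRightHolders $dc 'SeSecurityPrivilege'
    $hasRight = ($holders -contains $sid) -or ($holders -contains $Account) -or
                ($isDA -and ($holders -contains 'S-1-5-32-544'))
    Add-Result 'Manage auditing and security log' $dc $hasRight ($holders -join ', ')

    $aces = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security').Access |
            Where-Object { "$($_.AccessControlType)" -eq 'Allow' }
    } | Where-Object { "$($_.IdentityReference)" -eq $Account }
    # Only ACEs naming the account directly are listed; grants via group membership are not resolved
    Add-Result 'Security log registry key ACE (direct)' $dc ([bool]$aces) `
        (($aces | ForEach-Object { "$($_.RegistryRights)" }) -join ', ')
}

# 3. Logs backup folder: share Read+Write (Change or Full at share level) and NTFS Full control
$shareAces = Get-SmbShareAccess -Name $BackupShare -CimSession $BackupServer |
    Where-Object { $_.AccountName -eq $Account -and "$($_.AccessControlType)" -eq 'Allow' }
$shareOk = [bool]($shareAces | Where-Object { "$($_.AccessRight)" -in 'Change','Full' })
Add-Result 'Share Read+Write' "\\$BackupServer\$BackupShare" $shareOk `
    (($shareAces | ForEach-Object { "$($_.AccessRight)" }) -join ', ')

$localPath = (Get-SmbShare -Name $BackupShare -CimSession $BackupServer).Path
$ntfsAces = Invoke-Command -ComputerName $BackupServer -ScriptBlock {
    param($p, $a)
    (Get-Acl -Path $p).Access |
        Where-Object { "$($_.IdentityReference)" -eq $a -and "$($_.AccessControlType)" -eq 'Allow' }
} -ArgumentList $localPath, $Account
$ntfsOk = [bool]($ntfsAces | Where-Object { "$($_.FileSystemRights)" -eq 'FullControl' })
Add-Result 'NTFS Full control (direct)' $localPath $ntfsOk `
    (($ntfsAces | ForEach-Object { "$($_.FileSystemRights)" }) -join ', ')

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

The same Get-UserRightHolders function covers the per-server entries: for the Windows File Servers entry run it against the file server with SeSecurityPrivilege and SeBackupPrivilege (Manage auditing and security log, Backup files and directories), and for the Windows Server and Logon Activity entries with SeSecurityPrivilege. The registry and NTFS checks deliberately report only ACEs that name the account itself, so an account that gets its access through a group will show as a failure there; treat that row as a prompt to resolve the group, not as a missing permission.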
For detailed instructions on how to configure these rights and permissions, refer to the Netwrix Auditor Installation and Configuration Guide.