diff --git a/.github/workflows/claude-issue-labeler.yml b/.github/workflows/claude-issue-labeler.yml index 2fe0ec9801..b0caa3f3d2 100644 --- a/.github/workflows/claude-issue-labeler.yml +++ b/.github/workflows/claude-issue-labeler.yml @@ -2,7 +2,7 @@ name: Claude Issue Labeler on: issues: - types: [opened] + types: [] # Disabled - replaced by claude-issue-processor.yml jobs: label-issue: diff --git a/.github/workflows/claude-issue-processor.yml b/.github/workflows/claude-issue-processor.yml new file mode 100644 index 0000000000..67cb6e93bd --- /dev/null +++ b/.github/workflows/claude-issue-processor.yml @@ -0,0 +1,220 @@ +name: Claude Issue Processor + +on: + issues: + types: [opened] + +jobs: + template-validation: + runs-on: ubuntu-latest + permissions: + contents: read + issues: write + id-token: write + outputs: + template_type: ${{ steps.validate.outputs.template_type }} + validation_failed: ${{ steps.validate.outputs.validation_failed }} + + steps: + - name: Checkout repository (Issue templates only) + uses: actions/checkout@v4 + with: + sparse-checkout: | + .github/ISSUE_TEMPLATE + sparse-checkout-cone-mode: false + + - name: Validate and correct template usage + id: validate + uses: anthropics/claude-code-action@v1 + with: + anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} + github_token: ${{ secrets.GITHUB_TOKEN }} + prompt: | + REPO: ${{ github.repository }} + ISSUE NUMBER: ${{ github.event.issue.number }} + + A new issue has been opened. Your task is to validate that the correct issue template was used. + + STEPS: + 1. Read the issue using `gh issue view ${{ github.event.issue.number }} --json title,body,labels` + 2. Read the available issue templates from .github/ISSUE_TEMPLATE/ directory + 3. Analyze the issue content to determine which template SHOULD have been used: + - Keywords "site", "navigation", "docusaurus", "search", "layout", "menu" → site templates + - Keywords "documentation", "content", "tutorial", "guide", "missing", "incorrect" → content templates + - Labels or title containing "fix", "bug", "broken", "error" → fix templates + - Labels or title containing "add", "feature", "enhancement", "new" → add templates + 4. Compare the issue structure to the templates to see which was actually used + 5. If the wrong template was used: + - Extract the user's information from the current issue body + - Map it to the correct template structure + - Update the issue body using `gh issue edit ${{ github.event.issue.number }} --body "..."` + - Add a comment explaining the correction + 6. Output the template type by running: + echo "template_type=[content_fix|content_add|site_fix|site_add]" >> $GITHUB_OUTPUT + echo "validation_failed=[true|false]" >> $GITHUB_OUTPUT + + IMPORTANT: + - Preserve all user-provided information during template correction + - Be conservative - only change the template if it's clearly wrong + - Always set both output variables + claude_args: '--allowed-tools "Bash(gh issue:*),Read,Grep,Glob"' + + primary-labeling: + runs-on: ubuntu-latest + needs: template-validation + permissions: + contents: read + issues: write + id-token: write + outputs: + primary_label: ${{ steps.label.outputs.primary_label }} + should_continue: ${{ steps.label.outputs.should_continue }} + + steps: + - name: Assign primary AI label + id: label + uses: anthropics/claude-code-action@v1 + with: + anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} + github_token: ${{ secrets.GITHUB_TOKEN }} + prompt: | + REPO: ${{ github.repository }} + ISSUE NUMBER: ${{ github.event.issue.number }} + TEMPLATE TYPE: ${{ needs.template-validation.outputs.template_type }} + + Your task is to assign the primary "AI:" label to this issue. + + STEPS: + 1. Read the issue using `gh issue view ${{ github.event.issue.number }} --json title,body,labels` + 2. Analyze the issue to determine the primary label: + + DECISION TREE: + a) If TEMPLATE_TYPE contains "site" → Assign "AI:docusaurus" + b) Else if TEMPLATE_TYPE contains "content" → Assign "AI:docs" + c) Else check for SPECIAL CASES: + + DUPLICATE: Search for similar issues + - Run: gh search issues --repo ${{ github.repository }} --match title --state all --limit 5 --json number,title,state,url --jq '.[] | select(.number != ${{ github.event.issue.number }})' + - If similar issue found: + * Add label "duplicate" + * Comment: "This appears to be a duplicate of #[NUMBER]. Please see that issue for discussion." + * Close: gh issue close ${{ github.event.issue.number }} --reason "not planned" + * Set should_continue=false + + PRODUCT BUG: Keywords "crash", "error code", "software bug", "application error" AND mentions specific product behavior + - Add label "bug" + - Comment: "This appears to be a product bug rather than a documentation issue. Please report this to Netwrix Support: https://netwrix.com/en/support/" + - Close: gh issue close ${{ github.event.issue.number }} --reason "not planned" + - Set should_continue=false + + FEATURE PROPOSAL: Keywords "should add", "feature request", "enhancement", "please implement" + - Add label "proposal" + - Comment: "This appears to be a feature request. Please share your ideas on the Netwrix Community: https://community.netwrix.com/" + - Close: gh issue close ${{ github.event.issue.number }} --reason "not planned" + - Set should_continue=false + + 3. If NOT a special case, assign the appropriate AI label: + - gh issue edit ${{ github.event.issue.number }} --add-label "[AI:docs|AI:docusaurus]" + - Set should_continue=true + + 4. Output the results: + echo "primary_label=[LABEL]" >> $GITHUB_OUTPUT + echo "should_continue=[true|false]" >> $GITHUB_OUTPUT + + IMPORTANT: + - Only close issues for special cases (duplicate, bug, proposal) + - For normal documentation issues, just add the AI label and continue + - Always set both output variables + claude_args: '--allowed-tools "Bash(gh issue:*),Bash(gh search:*),Read"' + + secondary-labeling: + runs-on: ubuntu-latest + needs: [template-validation, primary-labeling] + if: needs.primary-labeling.outputs.should_continue == 'true' + permissions: + contents: read + issues: write + id-token: write + + steps: + - name: Checkout repository (CODEOWNERS only) + uses: actions/checkout@v4 + with: + sparse-checkout: | + .github/CODEOWNERS + sparse-checkout-cone-mode: false + + - name: Assign product labels and notify teams + uses: anthropics/claude-code-action@v1 + with: + anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} + github_token: ${{ secrets.GITHUB_TOKEN }} + prompt: | + REPO: ${{ github.repository }} + ISSUE NUMBER: ${{ github.event.issue.number }} + + Your task is to identify relevant product(s) and notify the appropriate teams. + + STEPS: + 1. Read the issue using `gh issue view ${{ github.event.issue.number }} --json body` + 2. Read .github/CODEOWNERS to understand product-to-team mappings + 3. Parse CODEOWNERS to extract product-team relationships: + - Look for lines like: /docs/productname/ @netwrix/team-docs + - Extract the product directory name and team handle + 4. Analyze the issue body for product mentions: + - Check for product names in dropdown selections (if preserved in body) + - Scan for product names mentioned in text + - Common products: Password Secure, Auditor, Access Analyzer, Privilege Secure, etc. + 5. For each detected product: + a) Normalize product name to label format: + - "Password Secure 9.3" → "password-secure" + - "Access Analyzer 12.0" → "access-analyzer" + - "Auditor 10.8" → "auditor" + - Remove spaces, convert to lowercase, keep hyphens + b) Add product label: gh issue edit ${{ github.event.issue.number }} --add-label "PRODUCT_LABEL" + c) Look up team from CODEOWNERS: + - Normalize label for directory match (remove hyphens): "password-secure" → "passwordsecure" + - Find line in CODEOWNERS: /docs/passwordsecure/ @netwrix/passwordsecure-docs + - Extract team handle + d) Notify team with comment: + gh issue comment ${{ github.event.issue.number }} --body "This issue appears to be related to [PRODUCT NAME]. Notifying [TEAM] for review." + + 6. Handle multiple products (repeat step 5 for each) + + PRODUCT NAME NORMALIZATION: + - "1Secure" → "1secure" + - "Access Analyzer" → "access-analyzer" (directory: accessanalyzer) + - "Access Information Center" → "access-information-center" (directory: accessinformationcenter) + - "Activity Monitor" → "activity-monitor" (directory: activitymonitor) + - "Auditor" → "auditor" + - "Change Tracker" → "change-tracker" (directory: changetracker) + - "Data Classification" → "data-classification" (directory: dataclassification) + - "Directory Manager" → "directory-manager" (directory: directorymanager) + - "Endpoint Policy Manager" → "endpoint-policy-manager" (directory: endpointpolicymanager) + - "Endpoint Protector" → "endpoint-protector" (directory: endpointprotector) + - "Identity Manager" → "identity-manager" (directory: identitymanager) + - "Identity Recovery" → "identity-recovery" (directory: identityrecovery) + - "Password Policy Enforcer" → "password-policy-enforcer" (directory: passwordpolicyenforcer) + - "Password Reset" → "password-reset" (directory: passwordreset) + - "Password Secure" → "password-secure" (directory: passwordsecure) + - "PingCastle" → "pingcastle" + - "Platform Governance for NetSuite" → "platform-governance-netsuite" (directory: platgovnetsuite) + - "Privilege Secure" → "privilege-secure" (directory: privilegesecure) + - "Recovery for Active Directory" → "recovery-for-active-directory" (directory: recoveryforactivedirectory) + - "Threat Manager" → "threat-manager" (directory: threatmanager) + - "Threat Prevention" → "threat-prevention" (directory: threatprevention) + + IMPORTANT: + - Multiple products may be mentioned - handle all of them + - Be case-insensitive when matching product names + - If no products are clearly identified, skip labeling (don't guess) + claude_args: '--allowed-tools "Bash(gh issue:*),Read,Grep"' + + - name: Handle labeling failures + if: failure() + run: | + gh issue comment ${{ github.event.issue.number }} \ + --body "⚠️ Automated product labeling failed. Manual review may be needed." + gh issue edit ${{ github.event.issue.number }} --add-label "automation-failed" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000000..18c9147181 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,128 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, religion, or sexual identity +and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the + overall community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or + advances of any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email + address, without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. + +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official e-mail address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement at +. +All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series +of actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or +permanent ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within +the community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.0, available at +https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. + +Community Impact Guidelines were inspired by [Mozilla's code of conduct +enforcement ladder](https://github.com/mozilla/diversity). + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see the FAQ at +https://www.contributor-covenant.org/faq. Translations are available at +https://www.contributor-covenant.org/translations. diff --git a/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/access.md b/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/access.md index f6c6843689..46f67636e8 100644 --- a/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/access.md +++ b/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/access.md @@ -6,79 +6,69 @@ sidebar_position: 10 # Windows File Server Access & Sensitive Data Auditing Configuration -Permissions required for Enterprise Auditor to execute Access Auditing (SPAA) and/or Sensitive Data -Discovery Auditing scans on a Windows file server are dependent upon the Scan Mode Option selected. +Permissions required for Access Analyzer to execute Access Auditing (FSAA) and/or Sensitive Data +Discovery Auditing (SEEK) scans on a Windows file server are dependent upon the Scan Mode Option selected. See the -[File System Supported Platforms](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/filesystems.md) -topic for additional information. +[File System Supported Platforms](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/filesystems.md) topic +for additional information. However, additional considerations are needed when targeting a Windows File System Clusters or DFS Namespaces. -## Windows File System Clusters +## Windows File System (Standard) -The permissions necessary to collect file system data from a Windows File System Cluster must be set -for all nodes that comprise the cluster. +Configure the credential(s) with the following rights on the Windows host(s): + +- For **Local** or **Proxy as a Service Mode** Scans: + - Group membership in both of the following local groups: + - Power Users + - Backup Operators +- For **Applet** or **Proxy with Applet Mode** Scans: + - Group membership in the following group: + - Local Administrators + - Granted the “Log on as a batch” privilege + - Remote Registry service must be enabled on the host where the applet is deployed (Applet or Proxy w/ Applet scans) to determine the system platform and where to deploy the applet. + - The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start. + - Sensitive Data Discovery Auditing scans require .NET Framework 4.7.2 or later to be installed on the server where the applet is to be deployed in order for Sensitive Data Discovery collections to successfully occur. +- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local Policies > Security Options privilege +- Granted the “Backup files and directories” local policy privilege :::note -It is necessary to target the Windows File Server Cluster (name of the cluster) of -interest when running a File System scan against a Windows File System Cluster. +In order to collect data on administrative shares and local policies (logon policies) for a Windows target, the credential must have group membership in the local Administrators group. ::: +## Windows File System Clusters -Configure credentials on all cluster nodes according to the Windows Operating Systems required -permissions for the desired scan mode with these additional considerations: - -- For - [Applet Mode](/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/scanoptions.md#applet-mode) - and - [Proxy Mode with Applet](/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/scanoptions.md#proxy-mode-with-applet): - - - Applet will be deployed to each node - - Credential used in the Connection Profile must have rights to deploy the applet to each node +The permissions necessary to collect file system data from a Windows File System Cluster must be set +for all nodes that comprise the cluster. -- For - [Proxy Mode as a Service](/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/scanoptions.md#proxy-mode-as-a-service): +:::note +It is necessary to target the Windows Cluster File Server Role Server (name clients connect to) of interest when running a File System scan against a Windows File System Cluster. +::: - - Proxy Service must be installed on each node - - For Sensitive Data Discovery Auditing scans, the Sensitive Data Discovery Add-on must be - installed on each node +Configure credentials on all cluster nodes according to the Windows File System (Standard) permissions, with the following additional requirements: -Additionally, the credential used within the Connection Profile must have rights to remotely access -the registry on each individual cluster node. +* Remote Registry Service must be enabled on all nodes that comprise the cluster +* Group membership in the local Administrators group +* Granted the “Log on as a batch” privilege -:::tip -Remember, Remote Registry Service must be enabled on all nodes that comprise the cluster. -Configure the credential(s) with the following rights on all nodes: -::: +### Host List Considerations +It is necessary to target the Windows File Server Cluster (name of the cluster) of interest when running a File System scan against a Windows File System Cluster. Within the Master Host Table, there should be a host entry for the cluster as well as for each node. Additionally, each of these host entries must have the name of the cluster in the `WinCluster` column in the host inventory data. This may need to be updated manually. -- Group membership in the local Administrators group -- Granted the “Log on as a batch” privilege +See the View/Edit section of the [Host Management Activities](https://docs.netwrix.com/docs/accessanalyzer/11_6/admin/hostmanagement/actions/overview) topic for additional information on host inventory. -**Host List Consideration** +- For FSAA and SDD scans, configure a custom host list to target the cluster's **Role Server**. -It is necessary to target the Windows File Server Cluster (name of the cluster) of interest when -running a File System scan against a Windows File System Cluster. Within the Master Host Table, -there should be a host entry for the cluster as well as for each node. Additionally, each of these -host entries must have the name of the cluster in the `WinCluster` column in the host inventory -data. This may need to be updated manually. +The host targeted by the File System scans is only the host entry for the cluster. For example: -See the View/Edit section of the -[Host Management Activities](/docs/accessanalyzer/11.6/admin/hostmanagement/actions/overview.md) -topic for additional information on host inventory. +The environment has a Windows File System Cluster named `ExampleCluster1` with three nodes named `ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. There would be four host entries in the Access Analyzer Master Host Table: `ExampleCluster1`, `ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. Each of these four entries would have the same value of the cluster name in the `WinCluster` column: `ExampleCluster1`. An additional entry containing the File Server Role Server name(s) should also be added, including the WinCluster name of the nodes. **This File Server Role Server name will be our target host.** -- For FSAA and SDD scans, configure a custom host list to target the cluster's Role Server. -- For FSAC scans, configure a custom host list to target the Windows File Server Cluster. +### Least Privilege Permission Model for Windows Clusters -The host targeted by the File System scans is only the host entry for the cluster. For example: +If a least privilege model is required by the organization, then the credential must have READ access on the following registry key: -The environment has a Windows File System Cluster named `ExampleCluster1` with three nodes named -`ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. There would be four host entries in the -StealthAUDIT Master Host Table: `ExampleCluster1`, `ExampleNodeA`, `ExampleNodeB`, and -`ExampleNodeC`. Each of these four entries would have the same value of the cluster name in the -`WinCluster` column: `ExampleCluster1`. Only the `ExampleCluster1` host would be in the host list -targeted by the File System scans. +* `HKEY_LOCAL_MACHINE\Cluster\Nodes` **Sensitive Data Discovery Scans** @@ -89,58 +79,18 @@ comprise the cluster: - Power Users - Backup Operators -**Activity Auditing Scans** - -The Netwrix Activity Monitor must deploy an Activity Agent on all nodes that comprise the Windows -File System Cluster. The Activity Agent generates activity log files stored on each node. Enterprise -Auditor targets the Windows File Server Cluster (name of the cluster) of interest in order to read -the activity. See the -[Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/activity.md) -topic for additional information. - -The credential used Enterprise Auditor to read the activity log files must have: - -- Membership in the local Administrators group - -The FileSystemAccess Data Collector needs to be specially configured to run the -[1-FSAC System Scans Job](/docs/accessanalyzer/11.6/solutions/filesystem/collection/1-fsac_system_scans.md) -against a Windows File System Cluster. On the -[FSAA: Activity Settings](/docs/accessanalyzer/11.6/admin/datacollector/fsaa/activitysettings.md), -configure the Host Mapping option. This provides a method for mapping between the target host and -the hosts where activity logs reside. However, this feature requires **advanced SQL scripting -knowledge** to build the query. - -**Membership in the local Administrators group** - -### Least Privilege Permission Model for Windows Cluster - -If a least privilege model is required by the organization, then the credential must have READ -access on the following registry keys: - -- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBTLogging\Parameters` -- `HKEY_LOCAL_MACHINE\Cluster\Nodes` - -Additionally, the credential must have READ access to the path where the activity log files are -located. - ## DFS Namespaces The FileSystem > 0.Collection > 0-FSDFS System Scans Job is configured by default to target the -default domain controller for the domain in which Enterprise Auditor resides. This is the -appropriate target host for this job when targeting a domain-based namespace. To target a standalone -namespace or multiple namespaces, create a custom host list of the server(s) hosting the -namespace(s). Then assign the custom host list to the 0-FSDFS System Scans Job. No additional host -list is require for the FileSystem > 0.Collection Job Group unless additional file servers are also -being targeted. +default domain controller for the domain in which Access Analyzer resides. This is the appropriate +target host for this job when targeting a domain-based namespace. To target a standalone namespace +or multiple namespaces, create a custom host list of the server(s) hosting the namespace(s). Then +assign the custom host list to the 0-FSDFS System Scans Job. No additional host list is require for +the FileSystem > 0.Collection Job Group unless additional file servers are also being targeted. **DFS as Part of a Windows Cluster Consideration** If the DFS hosting server is part of a Windows Cluster, then the Windows File System Clusters requirements must be included with the credential. -**DFS and Activity Auditing Consideration** -For activity monitoring, the Netwrix Activity Monitor must have a deployed Activity Agent on all DFS -servers identified by the 0-FSDFS System Scans Job and populated into the dynamic host list. See the -[Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/activity.md) -topic for additional information. diff --git a/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/activity.md b/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/activity.md index acb0c98551..fedf4acdee 100644 --- a/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/activity.md +++ b/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/activity.md @@ -6,45 +6,81 @@ sidebar_position: 20 # Windows File Server Activity Auditing Configuration -In order for the Netwrix Activity Monitor to monitor Windows file server activity, an Activity Agent -must be deployed to the server. It cannot be deployed to a proxy server. However, additional -considerations are needed when targeting a Windows File System Clusters or DFS Namespaces. +In order for Netwrix Access Analyzer to collect and store Windows file server activity, an activity monitor agent for Netwrix Activity Monitor must be deployed to the server and monitoring. See the [Single Activity Agent Deployment](https://docs.netwrix.com/docs/activitymonitor/9_0/admin/agents/overview) topic for additional information. + +## Windows File System (Standard) + +Configure the credential(s) with the following rights on the Windows host(s): + +- For **Local** or **Proxy as a Service Mode** Scans: + - Group membership in both of the following local groups: + - Power Users + - Backup Operators +- For **Applet** or **Proxy with Applet Mode** Scans: + - Group membership in the following group: + - Local Administrators + - Granted the “Log on as a batch” privilege + - Remote Registry service must be enabled on the host where the applet is deployed (Applet or Proxy w/ Applet scans) to determine the system platform and where to deploy the applet. + - The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start. +- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local Policies > Security Options privilege +- Granted the “Backup files and directories” local policy privilege +- The service account in the credential profile requires access to the admin share (e.g. `C$`) where the `sbtfilemon.ini` file exists +- READ access on the following registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBTLogging\Parameters` ## Windows File System Clusters -In order to monitor a Windows File System Cluster, an Activity Agent needs to be deployed on all -nodes that comprise the Windows File System Cluster. The credential used to deploy the Activity -Agent must have the following permissions on the server: +In order to monitor a Windows File System Cluster, an Activity Agent needs to be deployed on all nodes that comprise the Windows File System Cluster. -- Membership in the local Administrators group -- READ and WRITE access to the archive location for Archiving feature only +:::note +It is necessary to target the Windows Cluster File Server Role Server (name clients connect to) when running a File System scan against a Windows File System Cluster. +::: + +Configure credentials according to the Windows File System (Standard) permissions on all cluster nodes that comprise the cluster, with the following additional requirements: -It is also necessary to enable the Remote Registry Service on the Activity Agent server. +- Remote Registry Service must be enabled on all nodes that comprise the cluster +- Group membership in the local Administrators group +- Granted the “Log on as a batch” privilege -For integration between the Activity Monitor and Enterprise Auditor, the credential used by -Enterprise Auditor to read the activity log files must have also have this permission. +### Host List Considerations -After the agent has been deployed, it is necessary to modify the HOST parameter in the -`SBTFilemon.ini` file to be the name of the cluster. For integration with Netwrix Enterprise -Auditor, this must be an exact match to the name of the cluster in the Master Host Table. +It is necessary to target the Windows File Server Cluster (name of the cluster) of interest when running a File System scan against a Windows File System Cluster. Within the Master Host Table, there should be a host entry for the cluster as well as for each node. Additionally, each of these host entries must have the name of the cluster in the `WinCluster` column in the host inventory data. This may need to be updated manually. -## DFS Namespaces +See the View/Edit section of the [Host Management Activities](https://docs.netwrix.com/docs/accessanalyzer/11_6/admin/hostmanagement/actions/overview) topic for additional information on host inventory. -In order to monitor activity on DFS Namespaces, an Activity Agent needs to be deployed on all DFS -servers. +- For FSAC scans, configure a custom host list to target the cluster's **Role Server**. +The host targeted by the File System scans is only the host entry for the cluster. + +:::note Example: + +The environment has a Windows File System Cluster named `ExampleCluster1` with three nodes named `ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. There would be four host entries in the Access Analyzer Master Host Table: `ExampleCluster1`, `ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. Each of these four entries would have the same value of the cluster name in the `WinCluster` column: `ExampleCluster1`. An additional entry containing the File Server Role Server name(s) should also be added, including the WinCluster name of the nodes. This File Server Role Server name will be our target host. +::: + +### Host Mapping :::note -The FileSystem > 0.Collection > 0-FSDFS System Scans Job in Netwrix Enterprise Auditor can -be used to identify all DFS servers. +Host Mapping is only required for multi-role cluster setups. See topic [Windows File Server Activity Auditing Configuration - Multi-Role (Advanced) Setup](https://docs.netwrix.com/docs/activitymonitor/9_0/requirements/activityagent/windowsfs-activity) ::: +1. Create new table in the Access Analyzer database to be used as the Host Mapping table. The column names are case sensitive. + 1. **3 Columns:** LogLocation, HostName, Host + 2. **Data Type:** nvarchar(MAX) + +![Host Mapping Table Design](/images/accessanalyzer/12.0/requirements/target/config/HostMapping1.webp) + +2. Configure the new host mapping table to such: + 1. **LogLocation:** Name of the host/node where activity logs reside. + 2. **HostName:** Name of the configured Report hostname as value in the Activity Monitor. + 3. **Host:** Name of the host being targeted in the FSAC scan and Bulk Import which the activity events will be mapped to (Role Server). + +![Host Mapping Table Example](/images/accessanalyzer/12.0/requirements/target/config/HostMapping2.webp) + +3. Enable host mapping on the *Activity Settings* tab of the FSAC System Scan query configuraton. See topic [FSAA: Activity Settings](https://docs.netwrix.com/docs/accessanalyzer/11_6/admin/datacollector/fsaa/activitysettings) for additional information. -The credential used to deploy the Activity Agent must have the following permissions on the server: +### Least Privilege Permission Model for Windows Clusters -- Membership in the local Administrators group -- READ and WRITE access to the archive location for Archiving feature only +If a least privilege model is required by the organization, then the credential must have READ access on the following registry keys: -It is also necessary to enable the Remote Registry Service on the Activity Agent server. +* `HKEY_LOCAL_MACHINE\Cluster\Nodes` +* `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBTLogging\Parameters` -For integration between the Activity Monitor and Enterprise Auditor, the credential used by -Enterprise Auditor to read the activity log files must have also have this permission. +Additionally, the credential must have READ access to the path where the activity log files are located. diff --git a/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/overview.md b/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/overview.md index 2dc4e194fd..213e9d4458 100644 --- a/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/overview.md +++ b/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/overview.md @@ -1,77 +1,56 @@ --- title: "Windows File Server Target Requirements" description: "Windows File Server Target Requirements" -sidebar_position: 110 +sidebar_position: 120 --- # Windows File Server Target Requirements -Netwrix Enterprise Auditor can execute Access Auditing (FSAA) and/or Sensitive Data Discovery -Auditing scans on Windows file servers. The Netwrix Activity Monitor can be configured to monitor -activity on Windows file servers and make the event data available for Enterprise Auditor Activity -Auditing (FSAC) scans. +Netwrix Access Analyzer (formerly Enterprise Auditor) can execute Access Auditing (FSAA) and/or +Sensitive Data Discovery Auditing (SEEK) scans on Windows file servers. The Netwrix Activity Monitor can be +configured to monitor activity on Windows file servers and make the event data available for Access +Analyzer Activity Auditing (FSAC) scans. ## Access & Sensitive Data Auditing Permissions -- Permissions vary based on the Scan Mode Option selected. See the +Permissions vary based on the Scan Mode Option selected. See the [File System Supported Platforms](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/filesystems.md) - topic for additional information. + topic for additional information on the various scan modes available and [Windows File Server Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/access.md). **Windows File System Cluster Requirements** -See the -[Windows File Server Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/access.md) -topic for instructions. +See the [Windows File Server Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/access.md) topic for +instructions. **Windows File System DFS Namespaces Requirements** -See the -[Windows File Server Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/access.md) -topic for instructions. +See the [Windows File Server Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/access.md) topic for +instructions. -## Access & Sensitive Data Auditing Port Requirements +### Access & Sensitive Data Auditing Port Requirements -The firewall ports required by Enterprise Auditor for Access Auditing (FSAA) and/or Sensitive Data +The firewall ports required by Access Analyzer for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans are based on the File System scan mode to be used. See the [File System Scan Options](/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/scanoptions.md) topic for additional information. ## Activity Auditing Permissions -Requirements to Deploy the Activity Agent on the Windows File Server - -The Netwrix Activity Monitor must have an Activity Agent deployed on the Windows file server to be -monitored. While actively monitoring, the Activity Agent generates activity log files stored on the -server. The credential used to deploy the Activity Agent must have the following permissions on the -server: - -- Membership in the local Administrators group -- READ and WRITE access to the archive location for Archiving feature only - -It is also necessary to enable the Remote Registry Service on the Activity Agent server. - -For integration between the Activity Monitor and Enterprise Auditor, the credential used by -Enterprise Auditor to read the activity log files must have also have this permission. +Permissions vary based on the Scan Mode Option selected. See the + [File System Supported Platforms](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/filesystems.md) + topic for additional information on the various scan modes available and [Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/activity.md). **Windows File System Cluster Requirements** -See the -[Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/activity.md) -topic for instructions. - -**Windows File System DFS Namespaces Requirements** - -See the -[Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/activity.md) -topic for instructions. +See the [Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/11.6/requirements/filesystem/filesystems/windowsfile/activity.md) topic for instructions. **Activity Monitor Archive Location** If the activity log files are being archived, configurable within the Netwrix Activity Monitor -Console, then the credential used by Enterprise Auditor to read the activity log files must also -have READ and WRITE permissions on the archive location. +Console, then the credential used by Access Analyzer to read the activity log files must also have +READ and WRITE permissions on the archive location. -## Activity Auditing Port Requirements +### Activity Auditing Port Requirements Firewall settings depend on the type of environment being targeted. The following firewall settings are required for communication between the Agent server and the Netwrix Activity Monitor Console: @@ -86,12 +65,12 @@ port range, which cannot be specified via an inbound rule. For more information, [Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. -Additional Firewall Rules for Integration between Enterprise Auditor and Activity Monitor +**Additional Firewall Rules for Integration between Access Analyzer and Activity Monitor** Firewall settings are dependent upon the type of environment being targeted. The following firewall -settings are required for communication between the agent server and the Enterprise Auditor Console: +settings are required for communication between the agent server and the Access Analyzer Console: -| Communication Direction | Protocol | Ports | Description | -| ---------------------------------- | -------- | ---------- | ------------------------------ | -| Enterprise Auditor to Agent Server | TCP | 445 | SMB, used for Agent Deployment | -| Enterprise Auditor to Agent Server | TCP | Predefined | WMI, used for Agent Deployment | +| Communication Direction | Protocol | Ports | Description | +| ------------------------------- | -------- | ---------- | ------------------------------ | +| Access Analyzer to Agent Server | TCP | 445 | SMB | +| Access Analyzer to Agent Server | TCP | Predefined | WMI | diff --git a/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/appletmodescans/appletmodepermissions.md b/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/appletmodescans/appletmodepermissions.md index 003803a41a..3d85f230e9 100644 --- a/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/appletmodescans/appletmodepermissions.md +++ b/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/appletmodescans/appletmodepermissions.md @@ -6,27 +6,13 @@ sidebar_position: 10 # Applet Mode Permissions -When File System scans are run in applet mode, it means the File System applet is deployed to the -target host when the job is executed to conduct data collection. However, the applet can only be -deployed to a server with a Windows operating system. The data is collected on the Windows target -host where the applet is deployed. The final step in data collection is to compress and transfer the -data collected in the SQLite database(s), or Tier 2 database(s), back to the Enterprise Auditor -Console server. If the target host is a NAS device, the File System scans will default to local mode -for that host. - -Configure the credential(s) with the following rights on the Windows target host(s): - -- Group membership in the local Administrators group -- Granted the “Backup files and directories” local policy privilege -- Granted the “Log on as a batch” privilege -- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local - Policies > Security Options privilege - -Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the -installation directory on the target host/proxy server as well as on the Enterprise Auditor Console -server. This is required by either the user account running the Enterprise Auditor application, when -manually executing jobs within the console, or the Schedule Service Account assigned within -Enterprise Auditor, when running jobs as a scheduled tasks. +When File System scans are run in applet mode, it means the File System applet is deployed to the target host when the job is executed to conduct data collection. However, the applet can only be deployed to a server with a Windows operating system. The data is collected on the Windows target host where the applet is deployed. The final step in data collection is to compress and transfer the data collected in the SQLite database(s), or Tier 2 database(s), back to the Access Analyzer Console server. If the target host is a NAS device, the File System scans will default to local mode for that host. + + +Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the installation directory on the target host/proxy server as well as on the Access Analyzer Console server. This is required by either the user account running the Access Analyzer application, when manually executing jobs within the console, or the Schedule Service Account assigned within Access Analyzer, when running jobs as a scheduled tasks. + + +Sensitive Data Discovery Auditing scans require .NET Framework 4.7.2 or later to be installed on the server where the applet is to be deployed in order for Sensitive Data Discovery collections to successfully occur. :::tip Remember, Remote Registry Service must be enabled on the host where the applet is deployed (for @@ -34,23 +20,25 @@ Applet Mode or Proxy Mode with Applet scans) to determine the system platform an the applet. ::: - :::warning The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start. ::: +See the [Applet Mode Port Requirements](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/scanoptions/applet-mode-scans/appletmodeports) topic for firewall rule information. + +## Accounts Used +- **Job Execution:** Scheduled Task or Console User (launches the job) +- **Target Access:** Connection Profile Account (always used for scanning) + +:::note +By default, the Applet will run as the connection profile account unless an additional credential is added to the connection profile using either **Task (Local)** or **Task (Domain)**. +::: + +The account used in the connection profile associated with the File System scan jobs, should have the appropriate permissions required to access the target host. See the [File System Supported Platforms](https://docs.netwrix.com/docs/accessanalyzer/11_6/requirements/filesystem/filesystems/) page for specific requirements per target file system. -Sensitive Data Discovery Auditing scans also require .NET Framework 4.7.2 or later. to be installed -on the server where the applet is to be deployed in order for Sensitive Data Discovery collections -to successfully occur. The Sensitive Data Discovery Add-On must be installed on the Enterprise -Auditor Console server, which enables Sensitive Data criteria for scans. +## How do I determine if I’m using Applet Mode scanning? -When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials -within the Connection Profile assigned to the File System scans must be properly configured as -explained above. Also the firewall rules must be configured to allow for communication between the -applicable servers. +The best way to verify if you’re using Applet Mode scanning is via the FSAA Data Collector Query Settings > [Scan Server Selection](https://docs.netwrix.com/docs/accessanalyzer/11_6/admin/datacollector/fsaa/scanserverselection) page: -See the -[Applet Mode Port Requirements](/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/appletmodescans/appletmodeports.md) -topic for firewall rule information. +- **Automatic** — If the target host being scanned is a Windows host, NEA will deploy for FS scanning. diff --git a/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/localmodescans/localmodepermissions.md b/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/localmodescans/localmodepermissions.md index 736a8cd8ee..4c6bcba5b4 100644 --- a/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/localmodescans/localmodepermissions.md +++ b/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/localmodescans/localmodepermissions.md @@ -6,51 +6,33 @@ sidebar_position: 10 # Local Mode Permissions -When File System scans are run in local mode, it means all of the data collection processing is -conducted by the Enterprise Auditor Console server across the network. The data is collected in the -SQLite database(s), or Tier 2 database(s), on the Enterprise Auditor Console server, and then -imported into theEnterprise Auditor database, or Tier 1 database, on the SQL Server. +When File System scans are run in local mode, it means all of the data collection processing is conducted by the Access Analyzer Console server across the network. The data is collected in the SQLite database(s), or Tier 2 database(s), on the Access Analyzer Console server, and then imported into the Access Analyzer database, or Tier 1 database, on the SQL Server. -The account used to run either a manual execution or a scheduled execution of the File System scans, -must have the following permissions on the StealthAUDIT Console server: + +The account used to run either a manual execution or a scheduled execution of the File System scans, must have the following permissions on the Access Analyzer Console server: - Group membership in either of the following local groups: - - Backup Operators - - Administrators + - Backup Operators + - Administrators + + +Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the installation directory on the Access Analyzer Console server. This is required by either the user account running the Access Analyzer application, when manually executing jobs within the console, or the Schedule Service Account assigned within Access Analyzer, when running jobs as a scheduled tasks. -Configure the credential(s) with the following rights on the Windows host(s): -- Group membership in both of the following local groups: - - Power Users - - Backup Operators -- Granted the “Backup files and directories” local policy privilege +If running Sensitive Data Discovery (SDD) scans, it will be necessary to increase the minimum amount of RAM. Each thread requires a minimum of 2 additional GB of RAM per host.  By default, SDD scans are configured to run two concurrent threads. For example, if the job is configured to scan 8 hosts at a time with two concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32). -For Windows Server target hosts, the credential also requires: -- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local - Policies > Security Options privilege +Firewall rules must be configured to allow for communication between the applicable servers. See the [Local Mode Port Requirements](https://docs.netwrix.com/docs/accessanalyzer/11_6/requirements/filesystem/scanoptions/local-mode-scans/localmodeports) topic for firewall rule information. -In order to collect data on administrative shares and local policies (logon policies) for a Windows -target, the credential must have group membership in the local Administrators group. +## Accounts Used +- **Job Execution:** Scheduled Task Account or Console User (launches the job) +- **Target Access:** Connection Profile Account (always used for scanning) -Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the -installation directory on the Enterprise Auditor Console server. This is required by either the user -account running the Enterprise Auditor application, when manually executing jobs within the console, -or the Schedule Service Account assigned within Enterprise Auditor, when running jobs as a scheduled -tasks. +The account used in the connection profile associated with the File System scan jobs, should have the appropriate permissions required to access the target host. See the [File System Supported Platforms](https://docs.netwrix.com/docs/accessanalyzer/11_6/requirements/filesystem/filesystems/) page for specific requirements per target file system. -The Sensitive Data Discovery Add-On must be installed on the Enterprise Auditor Console server, -which enables Sensitive Data criteria for scans. If running Sensitive Data Discovery (SDD) scans, it -will be necessary to increase the minimum amount of RAM. Each thread requires a minimum of 2 -additional GB of RAM per host.  By default, SDD scans are configured to run two concurrent threads. -For example, if the job is configured to scan 8 hosts at a time with two concurrent SDD threads, -then an extra 32 GB of RAM are required (8x2x2=32). +## How do I determine if I’m using Local Mode scanning? -When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials -within the Connection Profile assigned to the File System scans must be properly configured as -explained above. Also the firewall rules must be configured to allow for communication between the -applicable servers. +The best way to verify if you’re using Local Mode scanning is via the FSAA Data Collector Query Settings > [Scan Server Selection](https://docs.netwrix.com/docs/accessanalyzer/11_6/admin/datacollector/fsaa/scanserverselection) page: -See the -[Local Mode Port Requirements](/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/localmodescans/localmodeports.md) -topic for firewall rule information. +- **Automatic** — If the target host being scanned is a NAS/Non-Windows host, a Local Mode scan will be utilized. +- **Local Server** — This will utilize a Local Mode scan, regardless of the OSType of the target host. diff --git a/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/proxymodescans/asaservice/proxymodeservicepermissions.md b/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/proxymodescans/asaservice/proxymodeservicepermissions.md index 7ea9cd00f5..0b777a46bd 100644 --- a/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/proxymodescans/asaservice/proxymodeservicepermissions.md +++ b/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/proxymodescans/asaservice/proxymodeservicepermissions.md @@ -6,72 +6,35 @@ sidebar_position: 10 # Proxy Mode as a Service Permissions -When File System scans are run in proxy mode as a service, there are two methods available for -deploying the service: +When File System scans are run in proxy mode as a service, there are two methods available for deploying the service: -- Pre-Installed File System Proxy Service – File System Proxy Service installation package must be - installed on the Windows proxy servers prior to executing the scans. This is the recommended - method. -- Ad Hoc File System Proxy Service Deployment – File System Proxy Service is installed on the - Windows proxy server when the job is executed +* Pre-Installed File System Proxy Service – File System Proxy Service installation package must be installed on the Windows proxy servers prior to executing the scans. This is the recommended method. +* Ad Hoc File System Proxy Service Deployment – File System Proxy Service is installed on the Windows proxy server when the job is executed -The data collection processing is conducted by the proxy server where the service is running and -leverages a local mode-type scan to each of the target hosts. The final step in data collection is -to compress and transfer the data collected in the SQLite databases, or Tier 2 databases, back to -the Enterprise Auditor Console server. +The data collection processing is conducted by the proxy server where the service is running and leverages a local mode-type scan to each of the target hosts. The final step in data collection is to compress and transfer the data collected in the SQLite databases, or Tier 2 databases, back to the Access Analyzer Console server. -The secure communication is configured during the installation of the service on the proxy server. -The credential provided for the secure communications in the installation wizard is also added to -the Enterprise Auditor Connection Profile assigned to the File System Solution. **File System Proxy Service Credentials** -The service can be run either as LocalSystem or with a domain account supplied during the -installation of the File System Proxy Service with the following permission on the proxy server: +The service can be run either as LocalSystem or with a domain account supplied during the installation of the File System Proxy Service with the following permission on the proxy server: -- Membership in the local Administrators group -- Granted the Log on as a service privilege (**Local Security Policies** > **Local Policies** > - **User Rights Assignment** > **Log on as a service**) -- If running FSAC, the service account in the credential profile requires access to the admin share - (for example, `C$`) where the `sbtfilemon.ini` file exists +* Membership in the local Administrators group +* Granted the Log on as a service privilege (**Local Security Policies** > **Local Policies** > **User Rights Assignment** > **Log on as a service**) -Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the -installation directory. +Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the installation directory. -**Windows File Server Target Host Credentials** - -Configure the credential(s) with the following rights on the Windows host(s): - -- Group membership in both of the following local groups: - - Power Users - - Backup Operators -- Granted the “Backup files and directories” local policy privilege - -For Windows Server target hosts, the credential also requires: - -- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local - Policies > Security Options privilege - -In order to collect data on administrative shares and local policies (logon policies) for a Windows -target, the credential must have group membership in the local Administrators group. **Sensitive Data Discovery Auditing Consideration** -The Sensitive Data Discovery Add-on must be installed on the proxy server. This requirement is in -addition to having the Sensitive Data Discovery Add-on installed on the Enterprise Auditor Console -server. Sensitive Data Discovery Auditing scans also require .NET Framework 4.7.2 or later.If -running Sensitive Data Discovery (SDD) scans, it will be necessary to increase the minimum amount of -RAM. Each thread requires a minimum of 2 additional GB of RAM per host.. By default, SDD scans are -configured to run two concurrent threads. For example, if the job is configured to scan 8 hosts at a -time with two concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32). +Sensitive Data Discovery Auditing scans require .NET Framework 4.7.2 or later. If running Sensitive Data Discovery (SDD) scans, it will be necessary to increase the minimum amount of RAM. Each thread requires a minimum of 2 additional GB of RAM per host.. By default, SDD scans are configured to run two concurrent threads. For example, if the job is configured to scan 8 hosts at a time with two concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32). **Secure Proxy Communication Considerations** For secure proxy communication via https, a credential is supplied during installation to provide -secure communications between the Enterprise Auditor server and the proxy server. This credential -must be a domain account, but no additional permissions are required. It is recommended to use the -same domain account configured to run the proxy service as a credential in the Connection Profile to -be used by the File System Solution +secure communications between the Access Analyzer server and the proxy server. This credential must +be a domain account, but no additional permissions are required. It is recommended to use the same +domain account configured to run the proxy service as a credential in the Connection Profile to be +used by the File System Solution **Secure Proxy Communication and Certificate Exchange** @@ -81,13 +44,27 @@ scan. See the [FSAA Applet Certificate Management Overview](/docs/accessanalyzer/11.6/admin/datacollector/fsaa/certificatemanagement/certificatemanagement.md) topic for additional information. -**Enterprise Auditor Connection Profile** +See the [Proxy Mode as a Service Port Requirements](https://docs.netwrix.com/docs/accessanalyzer/11_6/requirements/filesystem/scanoptions/proxy-mode-scans/as-a-service/proxymodeserviceports) topic for firewall +rule information. + +## Accounts Used + +- **Job Execution:** Scheduled Task or Console User (launches the job) +- Console ↔ Proxy: **NAA** **Computer Account (Kerberos)** +- Target Access (Proxy ↔ Targets): Connection Profile Account +:::note +If the service is deployed by the File System Scan job (as opposed to manually installed), the account used by the connection profile will be used to run the FSAA Proxy Service unless **Run service as Local System** is checked on the Applet Settings page of the job query. Alternatively, a credential added to the connection profile using either **Task (Local)** or **Task (Domain)** can be used to run the service. + +## How do I determine if I’m using Proxy Mode with Service scanning? + +The best way to verify if you’re using Proxy Mode with Service scanning is via the FSAA Data Collector Query Settings:: + +### Pre-Install File System Proxy Service +1. [Applet Settings](https://docs.netwrix.com/docs/accessanalyzer/11_6/admin/datacollector/fsaa/appletsettings) > Applet Launch Mechanism: Require applet to be running as a service on target +2. [Scan Server Selection](https://docs.netwrix.com/docs/accessanalyzer/11_6/admin/datacollector/fsaa/scanserverselection) > “Specific Remote Server: “ **OR** “Specific Remote Servers by Host List” -When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials -within the Connection Profile assigned to the File System scans must be properly configured as -explained above. Also the firewall rules must be configured to allow for communication between the -applicable servers. +**_OR_** -See the -[Proxy Mode as a Service Port Requirements](/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/proxymodescans/asaservice/proxymodeserviceports.md) -topic for firewall rule information. +### Deploy Service on Scan +1. [Applet Settings](https://docs.netwrix.com/docs/accessanalyzer/11_6/admin/datacollector/fsaa/appletsettings) > Applet Launch Mechanism: Windows Service +2. [Scan Server Selection](https://docs.netwrix.com/docs/accessanalyzer/11_6/admin/datacollector/fsaa/scanserverselection) > “Specific Remote Server: “ **OR** “Specific Remote Servers by Host List” diff --git a/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/proxymodescans/withapplet/proxymodeappletpermissions.md b/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/proxymodescans/withapplet/proxymodeappletpermissions.md index c03fadfc31..3a22926901 100644 --- a/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/proxymodescans/withapplet/proxymodeappletpermissions.md +++ b/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/proxymodescans/withapplet/proxymodeappletpermissions.md @@ -6,33 +6,15 @@ sidebar_position: 10 # Proxy Mode with Applet Permissions -When File System scans are run in proxy mode with applet, it means the File System applet is -deployed to the Windows proxy server when the job is executed to conduct data collection. The data -collection processing is initiated by the proxy server where the applet is deployed and leverages a -local mode-type scan to each of the target hosts. The final step in data collection is to compress -and transfer the data collected in the SQLite databases, or Tier 2 databases, back to the Enterprise -Auditor Console server. +When File System scans are run in proxy mode with applet, it means the File System applet is deployed to the Windows proxy server when the job is executed to conduct data collection. The data collection processing is initiated by the proxy server where the applet is deployed and leverages a local mode-type scan to each of the target hosts. The final step in data collection is to compress and transfer the data collected in the SQLite databases, or Tier 2 databases, back to the Access Analyzer Console server. Configure the credential(s) with the following rights on the proxy server(s): - Group membership in the local Administrators group - Granted the Backup files and directories local policy privilege - Granted the Log on as a batch privilege -- If the applet is deployed as a service, the service account requires the Log on as a service - privilege - - See the - [FSAA: Applet Settings](/docs/accessanalyzer/11.6/admin/datacollector/fsaa/appletsettings.md) - topic for additional information on the applet launch mechanism - -- If running FSAC, the service account in the credential profile requires access to the admin share - (e.g. `C$`) where the `sbtfilemon.ini` file exists - -Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the -installation directory on the proxy server as well as on the Enterprise Auditor Console server. This -is required by either the user account running the Enterprise Auditor application, when manually -executing jobs within the console, or the Schedule Service Account assigned within Enterprise -Auditor, when running jobs as a scheduled tasks. +Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the installation directory on the proxy server as well as on the Access Analyzer Console server. This is required by either the user account running the Access Analyzer application, when manually executing jobs within the console, or the Schedule Service Account assigned within Access Analyzer, when running jobs as a scheduled tasks. :::tip Remember, Remote Registry Service must be enabled on the host where the applet is deployed (for @@ -47,31 +29,13 @@ for network authentication” must be disabled in order for the applet to start. ::: -Configure the credential(s) with the following rights on the Windows host(s): - -- Group membership in both of the following local groups: - - Power Users - - Backup Operators -- Granted the “Backup files and directories” local policy privilege - -For Windows Server target hosts, the credential also requires: - -- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local - Policies > Security Options privilege - -Sensitive Data Discovery Auditing scans also require .NET Framework 4.7.2 or later. to be installed -on the server where the applet is to be deployed in order for Sensitive Data Discovery collections -to successfully occur. The Sensitive Data Discovery Add-On must be installed on the Enterprise -Auditor Console server, which enables Sensitive Data criteria for scans. +Sensitive Data Discovery Auditing scans require .NET Framework 4.7.2 or later to be installed on the +server where the applet is to be deployed in order for Sensitive Data Discovery collections to +successfully occur. -When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials -within the Connection Profile assigned to the File System scans must be properly configured as -explained above. Also the firewall rules must be configured to allow for communication between the -applicable servers. -See the -[Proxy Mode with Applet Port Requirements](/docs/accessanalyzer/11.6/requirements/filesystem/scanoptions/proxymodescans/withapplet/proxymodeappletports.md) -topic for firewall rule information. +See the [Proxy Mode with Applet Port Requirements](https://docs.netwrix.com/docs/accessanalyzer/11_6/requirements/filesystem/scanoptions/proxy-mode-scans/with-applet/proxymodeappletports) topic for firewall rule +information. **Secure Proxy Communication Considerations** @@ -80,3 +44,20 @@ must be configured via the File System Access Auditing Data Collector Wizard pri scan. See the [FSAA Applet Certificate Management Overview](/docs/accessanalyzer/11.6/admin/datacollector/fsaa/certificatemanagement/certificatemanagement.md) topic for additional information. + +## Accounts Used +- **Job Execution:** Scheduled Task or Console User (launches the job) +- Console ↔ Applet: **NAA** **Computer Account (Kerberos)** +- Target Access (Applet ↔ Targets): Connection Profile Account + +:::note +By default, the Applet will run as the connection profile account unless an additional credential is added to the connection profile using either **Task (Local)** or **Task (Domain)**. +::: + +The account used in the connection profile associated with the File System scan jobs, should have the appropriate permissions required to access the target host. See the [File System Supported Platforms](https://docs.netwrix.com/docs/accessanalyzer/11_6/requirements/filesystem/filesystems/) page for specific requirements per target file system. + +## **How do I determine if I’m using Proxy Mode with Applet scanning?** + +The best way to verify if you’re using Proxy Mode with Applet scanning is via the FSAA Data Collector Query Settings below: +1. [Applet Settings](https://docs.netwrix.com/docs/accessanalyzer/11_6/admin/datacollector/fsaa/appletsettings) > Applet Launch Mechanism: MSTask Task Scheduler +2. [Scan Server Selection](https://docs.netwrix.com/docs/accessanalyzer/11_6/admin/datacollector/fsaa/scanserverselection) > “Specific Remote Server: “ **OR** “Specific Remote Servers by Host List” diff --git a/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/overview.md b/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/overview.md index 0f7c03c296..6ba064a2da 100644 --- a/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/overview.md +++ b/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/overview.md @@ -72,5 +72,5 @@ settings are required for communication between the agent server and the Access | Communication Direction | Protocol | Ports | Description | | ------------------------------- | -------- | ---------- | ------------------------------ | -| Access Analyzer to Agent Server | TCP | 445 | SMB, used for Agent Deployment | -| Access Analyzer to Agent Server | TCP | Predefined | WMI, used for Agent Deployment | +| Access Analyzer to Agent Server | TCP | 445 | SMB | +| Access Analyzer to Agent Server | TCP | Predefined | WMI | diff --git a/docs/accessinformationcenter/12.0/admin/additionalconfig/gmsa.md b/docs/accessinformationcenter/12.0/admin/additionalconfig/gmsa.md index 4bc12cac43..fb0529cfb0 100644 --- a/docs/accessinformationcenter/12.0/admin/additionalconfig/gmsa.md +++ b/docs/accessinformationcenter/12.0/admin/additionalconfig/gmsa.md @@ -14,11 +14,10 @@ The following pre-requisites are required before configuring the Access Informat gMSA: - The gMSA must be added to the Local Administrator Group on the host where the AIC is installed -- In SQL Server Management Studio, the gMSA needs to be added to the **Security** > **Logins** node - for the SQL server where the AIC Database resides with the following settings: +- In SQL Server Management Studio, the gMSA needs the following rights on the Access Analyzer Database: - - On the General page, the **Login name** should be the `Domain\Name` of the gMSA - - On the Server Roles page, the **public** and **sysadmin** checkboxes must be selected + - **Database Role:** db_owner + - **Default Schema:** Set to dbo - Netwrix Access Information Center has been installed using one of the regular authentication methods, and not using the gMSA. See the diff --git a/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.2.32703.md b/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.2.32703.md new file mode 100644 index 0000000000..44d7232dcc --- /dev/null +++ b/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.2.32703.md @@ -0,0 +1,91 @@ +--- +title: "Version 9.2.2.32703" +description: "Version 9.2.2.32703" +sidebar_position: 9 +--- + +# New + +#### Server & Server Manager + +- Azure SQL is now officially supported. + +#### Server Manager + +- It is now mandatory to change the password for the Server Manager, if the default password was used. + +- The base configuration now allows the usage of an Azure SQL database as config database. + +- Non migratable data can now be cleaned up during ECC migration. + +#### Extended view (on web) + +- The web app now has a "Tools" page, providing quick access to various functionalities like API key management. + +- Locked users can be unlocked via the web app now. For this, the user right 'Is database administrator' is required. + +- Important stability and performance improvements for the new web app. + +# Changes + +#### All clients (on Windows & web) + +- Passwords are no longer automatically revealed in the quick view. The associated option “Reveal password in quick view” has been removed. + +# Improvements + +#### Extended view (on Windows) + +- The 'Hostname' field of SSH applications only accepts DNS names and IP addresses (IPv4 and IPv6). + +- Possibly dangerous file extensions can no longer be stored as document link. + +- Some documents can only be opened or executed after prior confirmation, as they may contain harmful content. + +#### Extended view (on Windows & web) + +- Documents can no longer be downloaded if the document extension is no longer allowed. + +# Fixes + +#### Server + +- Messages that are sent to a syslog server no longer have a leading Byte Order Mark (BOM). + +- The server is now validating the file extension of a document. + +- The timeout when creating a new database and when running an SQL benchmark has been increased. + +- The automatic check for corrupted passwords is operational again. + +#### Server Manager + +- The timeout when creating a new database and when running an SQL benchmark has been increased. + +#### Extended view (on Windows) + +- SSH applications that contain an invalid hostname configuration can no longer be executed for security reasons. This also applies to applications that obtain their hostname from passwords. + +#### Extended view (on web) + +- A list is no longer switching back to page 1 when a object was closed. + +- The layout of the web app is no longer broken when switching from basic view to advanced view. + +- It's no longer possible to create a seal template without name. + +- Some missing components of the new design of the web app have now also been updated. + +- Some errors in which texts were not loaded correctly have been fixed. + +- The web app is loading the correct language again. + +- Passwords can be moved to a different organisation unit using the 'Edit' view again. + +#### Basic view + +- Some errors in which texts were not loaded correctly have been fixed. + +#### Browser extensions + +- The autofill function of the browser extension has been improved. Websites that react to the 'webkitAnimationEnd' no longer hang. \ No newline at end of file diff --git a/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.3.32988.md b/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.3.32988.md new file mode 100644 index 0000000000..8e95ee4905 --- /dev/null +++ b/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.3.32988.md @@ -0,0 +1,57 @@ +--- +title: "Version 9.2.3.32988" +description: "Version 9.2.3.32988" +sidebar_position: 8 +--- + +# New + +#### Setup +- The Autofill add-on can now be installed independently from the Windows App. A new command line parameter 'INSTALL_WIN_APP' was added to the setup to control the installation of the Windows App in automatic deployments. + +# Changes + +#### Extended view (on Windows) +- The option "Allow documents without file extension" is now a separate option. The corresponding configuration option in the list of allowed file extensions has been removed. +- Obsolete executable files that are no longer required have been removed. +- All binaries are now published via the 'releases.netwrix.com' domain. This affects the setups of the Windows App and the server, the Safari extension for Mac, and the API. The check for new available versions is still executed via the old domain. Please adjust your firewall rules, if such are existing. + +#### Extended view (on Windows & web) +- In preparation for the removal of the logo views from the product, it is no longer possible to upload new logos to the database. This does not affect the upload of icons or the display of existing logos. + +# Improvements + +#### Server +- The logging of events during the ECC migration has been improved in order to make the identification of potential sources of errors easier. + +#### Web app (basic and extended view) +- The ordering and grouping of the elements from the 'Tools' page has been improved. +- Some small visual changes has been made in the web app. + +# Fixes + +#### Extended view (on Windows) +- When you log in via the Windows App to a database using its alias, errors are no longer written to the log. +- After changing a document links path, it's possible now to filter correctly for the new files extension. +- The sorting of columns in the password list is now correctly saved and loaded. +- The Windows App no longer crashes when the user tries to reveal a password while the reading pane is deactivated. +- When a RDP application without connected password is started, the window for entering credentials is opening again. + +#### Extended view (on web) +- A visual issue in the password field was resolved when a user is legitimates via the 'Everyone' right to a sealed record. +- The pagination on some lists is now working correctly. +- The selection of the Active Directory objects to be imported is now working correctly in the web app. +- The wizard for creating new organisational units is behaving correct again when the current user has no permissions to create roles. + +#### Web app (basic and extended view) +- When opening the web app via the browser extension, it is logging in automatically to the correct database. + +#### Server +- An issue in the MSI setups was resolved, which lead to displaying wrong license conditions. +- Generated OTP codes displayed in the Emergency WebViewer are now correct. +- OTP fields are now displayed in WebViewer exports. +- In older versions, there could be inconsistencies within the organisational structure. These have now been fixed. After the update, please check wether your organisational structure is still set up as expected. + +#### Server Manager +- When creating a database, the setting 'Activate realtime updates' is now saved correctly. +- When providing wrong SQL Server credentials in the database wizard of the Server Manager, it's no longer possible to proceed to the next page. \ No newline at end of file diff --git a/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.4.33163.md b/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.4.33163.md new file mode 100644 index 0000000000..c8217563a4 --- /dev/null +++ b/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.4.33163.md @@ -0,0 +1,51 @@ +--- +title: "Version 9.2.4.33163" +description: "Version 9.2.4.33163" +sidebar_position: 7 +--- + +# New + +#### Advanced view (on web) +- It's now possible again to remove all selected legitimates from the list when changing permissions of an object. + +#### Server +- The design of reports has been modernized. + +#### Server Manager +- The configuration of a Syslog server now allows much more detailed settings. For example, it is now possible to specify the message format (RFC 5424 oder RFC 3164). It is also possible to connect to a Syslog server via an encrypted TCP connection now. + +# Changes + +#### Web app (basic and extended view) +- During login, the field for entering the user name is no longer emptied when the database name is changed. + +#### Server Manager +- The old version of the Web App, displayed in the Server Manager as “Web app (Legacy)”, can no longer be created. Please use the new web app with immediate effect! + +# Improvements + +#### Web app (basic and extended view) +- Small visual adjustments ensure a more consistent display in the web app. + +#### Server +- The performance of the software was improved in many areas. +- A third-party package containing a vulnerability was updated. We are not aware of any instances where the vulnerability was exploited. + +#### Server Manager +- When adding an existing database in the Server Manager, you can now select whether the database should be activated automatically. + +# Fixes +#### Extended view (on Windows & web) +- The headers in the configuration of notifications are correct again. + +#### Extended view (on Windows) +- The button to open the website of a password is now disabled if no URL is configured. This also affects the offline add-on. +- We have fixed an issue where the native Windows App could become unresponsive. You no longer need to end the application via Task Manager. + +#### Extended view (on web) +- When configuring the password generator in a way that is not able to generate a password, the application no longer gets unresponsive. +- When a password is revealed in the quick view, it can be entered again if a reason is required. +- The quick view no longer closes automatically when another modal, such as entering a reason, is opened. +- The browser window no longer hangs when a user's password is changed. +- Pagination in image management now works correctly. \ No newline at end of file diff --git a/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.5.33325.md b/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.5.33325.md new file mode 100644 index 0000000000..9712d4fdf8 --- /dev/null +++ b/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.5.33325.md @@ -0,0 +1,24 @@ +--- +title: "Version 9.2.5.33325" +description: "Version 9.2.5.33325" +sidebar_position: 6 +--- + +# New + +#### Server +- A new endpoint for health checks was implemented to the Netwrix Password Secure service. + +# Improvements + +#### Extended view (on Windows & web) +- A problem was resolved, that prevented the retrieval of password histories +- During the configuration of a TOTP factor with a wrong token, a warning message will now be shown. + +#### Extended view (on web) +- Small visual adjustments ensure a more consistent display in the web app. + +# Fixes + +#### Web app (basic and extended view) +- A potential XSS vulnerability has been fixed. \ No newline at end of file diff --git a/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.6.33415.md b/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.6.33415.md new file mode 100644 index 0000000000..07dd93b0d4 --- /dev/null +++ b/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.6.33415.md @@ -0,0 +1,21 @@ +--- +title: "Version 9.2.6.33415" +description: "Version 9.2.6.33415" +sidebar_position: 5 +--- + +# Changes + +#### Server Manager +- The legacy web app was removed from the product completely. + +#### Server +- The SAML feature will soon be removed from Netwrix Password Secure! As a result of this announcement, it can no longer be installed on new systems. In addition, it can no longer be enabled for new databases. + +# Fixes + +#### Server +- The reports "All applications" and "Activities of the applications" are created correctly again. + +#### API (.NET and JavaScript) +- When logging in with an API key, it is no longer required to enter a second factor if such is configured for the user who created the key. \ No newline at end of file diff --git a/docs/passwordsecure/9.2/introduction/versionhistory/version_history.md b/docs/passwordsecure/9.2/introduction/versionhistory/version_history.md index 4c51cf7b85..ee56ab3d38 100644 --- a/docs/passwordsecure/9.2/introduction/versionhistory/version_history.md +++ b/docs/passwordsecure/9.2/introduction/versionhistory/version_history.md @@ -9,6 +9,16 @@ sidebar_position: 30 The previously released versions and the corresponding changelogs can be found in the following sections. +- [Version 9.2.6.33415](/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.6.33415.md) + +- [Version 9.2.5.33325](/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.5.33325.md) + +- [Version 9.2.4.33163](/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.4.33163.md) + +- [Version 9.2.3.32988](/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.3.32988.md) + +- [Version 9.2.2.32703](/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.2.32703.md) + - [Version 9.2.1.32530](/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.1.32530.md) - [Version 9.2.0.32454](/docs/passwordsecure/9.2/introduction/versionhistory/version_9.2.0.32454.md) diff --git a/docs/passwordsecure/9.3/installation/installationclient/installation_with_parameters.md b/docs/passwordsecure/9.3/installation/installationclient/installation_with_parameters.md index e933ad2949..3fb0d90acb 100644 --- a/docs/passwordsecure/9.3/installation/installationclient/installation_with_parameters.md +++ b/docs/passwordsecure/9.3/installation/installationclient/installation_with_parameters.md @@ -17,12 +17,15 @@ parameters listed in the following section enable you to adapt the type of clien Run the installation via the command line: **MSI-FILE.msi [PARAMETER]** -**Parameter** +**Parameter list** -- **AUTOFILL_ADDON_AUTOSTART=“0”**: Deactivates launching the Autofill Add-on in Windows autostart -- **INSTALL_AUTOFILL_ADDON=“0**”: Deactivates the installation of the Autofill Add-on. In the list +- **INSTALL_WIN_APP="0"**: Deactivates the installation of the Windows app. In the list of + the components to be installed in the setup, a check mark has not been set but this can be set + again by the user. +- **INSTALL_AUTOFILL_ADDON="0"**”: Deactivates the installation of the Autofill Add-on. In the list of the components to be installed in the setup, a check mark has not been set but this can be set - again by the user -- **INSTALL_OFFLINE_ADDON=“0”**: Deactivates the installation of the Offline Add-on. In the list of + again by the user. +- **AUTOFILL_ADDON_AUTOSTART="0"**: Deactivates launching the Autofill Add-on in Windows autostart +- **INSTALL_OFFLINE_ADDON="0"**: Deactivates the installation of the Offline Add-on. In the list of the components to be installed in the setup, a check mark has not been set but this can be set - again by the user + again by the user. \ No newline at end of file diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.2.32703.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.2.32703.md new file mode 100644 index 0000000000..44d7232dcc --- /dev/null +++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.2.32703.md @@ -0,0 +1,91 @@ +--- +title: "Version 9.2.2.32703" +description: "Version 9.2.2.32703" +sidebar_position: 9 +--- + +# New + +#### Server & Server Manager + +- Azure SQL is now officially supported. + +#### Server Manager + +- It is now mandatory to change the password for the Server Manager, if the default password was used. + +- The base configuration now allows the usage of an Azure SQL database as config database. + +- Non migratable data can now be cleaned up during ECC migration. + +#### Extended view (on web) + +- The web app now has a "Tools" page, providing quick access to various functionalities like API key management. + +- Locked users can be unlocked via the web app now. For this, the user right 'Is database administrator' is required. + +- Important stability and performance improvements for the new web app. + +# Changes + +#### All clients (on Windows & web) + +- Passwords are no longer automatically revealed in the quick view. The associated option “Reveal password in quick view” has been removed. + +# Improvements + +#### Extended view (on Windows) + +- The 'Hostname' field of SSH applications only accepts DNS names and IP addresses (IPv4 and IPv6). + +- Possibly dangerous file extensions can no longer be stored as document link. + +- Some documents can only be opened or executed after prior confirmation, as they may contain harmful content. + +#### Extended view (on Windows & web) + +- Documents can no longer be downloaded if the document extension is no longer allowed. + +# Fixes + +#### Server + +- Messages that are sent to a syslog server no longer have a leading Byte Order Mark (BOM). + +- The server is now validating the file extension of a document. + +- The timeout when creating a new database and when running an SQL benchmark has been increased. + +- The automatic check for corrupted passwords is operational again. + +#### Server Manager + +- The timeout when creating a new database and when running an SQL benchmark has been increased. + +#### Extended view (on Windows) + +- SSH applications that contain an invalid hostname configuration can no longer be executed for security reasons. This also applies to applications that obtain their hostname from passwords. + +#### Extended view (on web) + +- A list is no longer switching back to page 1 when a object was closed. + +- The layout of the web app is no longer broken when switching from basic view to advanced view. + +- It's no longer possible to create a seal template without name. + +- Some missing components of the new design of the web app have now also been updated. + +- Some errors in which texts were not loaded correctly have been fixed. + +- The web app is loading the correct language again. + +- Passwords can be moved to a different organisation unit using the 'Edit' view again. + +#### Basic view + +- Some errors in which texts were not loaded correctly have been fixed. + +#### Browser extensions + +- The autofill function of the browser extension has been improved. Websites that react to the 'webkitAnimationEnd' no longer hang. \ No newline at end of file diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.3.32988.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.3.32988.md new file mode 100644 index 0000000000..8e95ee4905 --- /dev/null +++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.3.32988.md @@ -0,0 +1,57 @@ +--- +title: "Version 9.2.3.32988" +description: "Version 9.2.3.32988" +sidebar_position: 8 +--- + +# New + +#### Setup +- The Autofill add-on can now be installed independently from the Windows App. A new command line parameter 'INSTALL_WIN_APP' was added to the setup to control the installation of the Windows App in automatic deployments. + +# Changes + +#### Extended view (on Windows) +- The option "Allow documents without file extension" is now a separate option. The corresponding configuration option in the list of allowed file extensions has been removed. +- Obsolete executable files that are no longer required have been removed. +- All binaries are now published via the 'releases.netwrix.com' domain. This affects the setups of the Windows App and the server, the Safari extension for Mac, and the API. The check for new available versions is still executed via the old domain. Please adjust your firewall rules, if such are existing. + +#### Extended view (on Windows & web) +- In preparation for the removal of the logo views from the product, it is no longer possible to upload new logos to the database. This does not affect the upload of icons or the display of existing logos. + +# Improvements + +#### Server +- The logging of events during the ECC migration has been improved in order to make the identification of potential sources of errors easier. + +#### Web app (basic and extended view) +- The ordering and grouping of the elements from the 'Tools' page has been improved. +- Some small visual changes has been made in the web app. + +# Fixes + +#### Extended view (on Windows) +- When you log in via the Windows App to a database using its alias, errors are no longer written to the log. +- After changing a document links path, it's possible now to filter correctly for the new files extension. +- The sorting of columns in the password list is now correctly saved and loaded. +- The Windows App no longer crashes when the user tries to reveal a password while the reading pane is deactivated. +- When a RDP application without connected password is started, the window for entering credentials is opening again. + +#### Extended view (on web) +- A visual issue in the password field was resolved when a user is legitimates via the 'Everyone' right to a sealed record. +- The pagination on some lists is now working correctly. +- The selection of the Active Directory objects to be imported is now working correctly in the web app. +- The wizard for creating new organisational units is behaving correct again when the current user has no permissions to create roles. + +#### Web app (basic and extended view) +- When opening the web app via the browser extension, it is logging in automatically to the correct database. + +#### Server +- An issue in the MSI setups was resolved, which lead to displaying wrong license conditions. +- Generated OTP codes displayed in the Emergency WebViewer are now correct. +- OTP fields are now displayed in WebViewer exports. +- In older versions, there could be inconsistencies within the organisational structure. These have now been fixed. After the update, please check wether your organisational structure is still set up as expected. + +#### Server Manager +- When creating a database, the setting 'Activate realtime updates' is now saved correctly. +- When providing wrong SQL Server credentials in the database wizard of the Server Manager, it's no longer possible to proceed to the next page. \ No newline at end of file diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.4.33163.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.4.33163.md new file mode 100644 index 0000000000..c8217563a4 --- /dev/null +++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.4.33163.md @@ -0,0 +1,51 @@ +--- +title: "Version 9.2.4.33163" +description: "Version 9.2.4.33163" +sidebar_position: 7 +--- + +# New + +#### Advanced view (on web) +- It's now possible again to remove all selected legitimates from the list when changing permissions of an object. + +#### Server +- The design of reports has been modernized. + +#### Server Manager +- The configuration of a Syslog server now allows much more detailed settings. For example, it is now possible to specify the message format (RFC 5424 oder RFC 3164). It is also possible to connect to a Syslog server via an encrypted TCP connection now. + +# Changes + +#### Web app (basic and extended view) +- During login, the field for entering the user name is no longer emptied when the database name is changed. + +#### Server Manager +- The old version of the Web App, displayed in the Server Manager as “Web app (Legacy)”, can no longer be created. Please use the new web app with immediate effect! + +# Improvements + +#### Web app (basic and extended view) +- Small visual adjustments ensure a more consistent display in the web app. + +#### Server +- The performance of the software was improved in many areas. +- A third-party package containing a vulnerability was updated. We are not aware of any instances where the vulnerability was exploited. + +#### Server Manager +- When adding an existing database in the Server Manager, you can now select whether the database should be activated automatically. + +# Fixes +#### Extended view (on Windows & web) +- The headers in the configuration of notifications are correct again. + +#### Extended view (on Windows) +- The button to open the website of a password is now disabled if no URL is configured. This also affects the offline add-on. +- We have fixed an issue where the native Windows App could become unresponsive. You no longer need to end the application via Task Manager. + +#### Extended view (on web) +- When configuring the password generator in a way that is not able to generate a password, the application no longer gets unresponsive. +- When a password is revealed in the quick view, it can be entered again if a reason is required. +- The quick view no longer closes automatically when another modal, such as entering a reason, is opened. +- The browser window no longer hangs when a user's password is changed. +- Pagination in image management now works correctly. \ No newline at end of file diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.5.33325.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.5.33325.md new file mode 100644 index 0000000000..9712d4fdf8 --- /dev/null +++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.5.33325.md @@ -0,0 +1,24 @@ +--- +title: "Version 9.2.5.33325" +description: "Version 9.2.5.33325" +sidebar_position: 6 +--- + +# New + +#### Server +- A new endpoint for health checks was implemented to the Netwrix Password Secure service. + +# Improvements + +#### Extended view (on Windows & web) +- A problem was resolved, that prevented the retrieval of password histories +- During the configuration of a TOTP factor with a wrong token, a warning message will now be shown. + +#### Extended view (on web) +- Small visual adjustments ensure a more consistent display in the web app. + +# Fixes + +#### Web app (basic and extended view) +- A potential XSS vulnerability has been fixed. \ No newline at end of file diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.6.33415.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.6.33415.md new file mode 100644 index 0000000000..07dd93b0d4 --- /dev/null +++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.6.33415.md @@ -0,0 +1,21 @@ +--- +title: "Version 9.2.6.33415" +description: "Version 9.2.6.33415" +sidebar_position: 5 +--- + +# Changes + +#### Server Manager +- The legacy web app was removed from the product completely. + +#### Server +- The SAML feature will soon be removed from Netwrix Password Secure! As a result of this announcement, it can no longer be installed on new systems. In addition, it can no longer be enabled for new databases. + +# Fixes + +#### Server +- The reports "All applications" and "Activities of the applications" are created correctly again. + +#### API (.NET and JavaScript) +- When logging in with an API key, it is no longer required to enter a second factor if such is configured for the user who created the key. \ No newline at end of file diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.3.0.33526.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.3.0.33526.md new file mode 100644 index 0000000000..2ababf1a50 --- /dev/null +++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.3.0.33526.md @@ -0,0 +1,40 @@ +--- +title: "Version 9.3.0.33526" +description: "Version 9.3.0.33526" +sidebar_position: 4 +--- + +# New + +#### Server Manager +- It is now possible to create the web app with a [custom branding](/docs/passwordsecure/9_3/installation/installationwebapplication/installation_web_application#custom-branding). + +#### Server +- Users imported with Entra ID can now login with the first part of their username. + +# Changes +#### Server +- The IDP server was removed completely from the product. To allow the transfer to another system, SAML applications are still visible in the application management (read-only). + +#### Extended view (on Windows & web) +- The 'Rights template' filter group is obsolete. It can no longer be added to filters. It continues to work for existing filters, but will be removed completely in a future update. + +# Improvements +#### Server +- When redirecting the database logbook to a syslog server, the type of the data is now included too. + +# Fixes +#### Extended view (on Windows) +- An error was resolved that prevented RDP connections from established with the correct resolution. +- A crash of the Windows app, caused by using CTRL+Z in the login screen, is fixed. + +#### Extended view (on Windows & web) +- After breaking a seal, the password can be changed again. + +#### Server +- An error was resolved, which caused non-migratable documents being unable to be deleted permanently. +- Users provisioned via Entra ID can now login to the browser extension again. +- WebViewer exports can no longer be created with invalid configuration. + +#### Server Manager +- The setting 'Transfer logbook entries' is now correctly loaded when opening the syslog configuration of a database. \ No newline at end of file diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_9.3.1.33994.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.3.1.33994.md new file mode 100644 index 0000000000..af67788386 --- /dev/null +++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_9.3.1.33994.md @@ -0,0 +1,69 @@ +--- +title: "Version 9.3.1.33994" +description: "Version 9.3.1.33994" +sidebar_position: 3 +--- + +# New +#### API (.NET and JavaScript) +- The JavaScript and .NET SDK now allow retrieving API key information so developers can limit displayed functionality based on permissions. + +# Changes +#### Extended view (on Windows & web) and basic view +- The "Display kind: Logo" option has been completely removed. +- The access to historical data has been reworked to improve performance and ECC migration. + +# Improvements +#### Web app (basic and extended view) +- The "wrong password" hint in the login screen changes once the lock time has expired. +- Text updates to improve clarity and consistency. This also affects the Windows app and the browser extensions. +- The second factor configuration now uses a more modern design. + +#### Server +- Improved performance of server side ECC migration. + +#### Extended view (on Windows) +- The "Last change" column now includes the time in table view. + +#### Extended view (on web) +- More lists, such as applications and tags, now support multi selection. + +#### Server +- ECC migration now writes logbook entries, so key rotations and errors are traceable. +- The performance when loading passwords via the browser extension has been significantly improved. + + +# Fixes +#### Server +- Fixed an issue preventing ECC migration when a user belonged to too many roles. +- Database activation works again when duplicated global options or user rights exist. +- Fixed an rare issue where a password could be revealed without a logbook entry being created. +- Active Directory profile synchronization now updates the “Last completed” value correctly. + +#### Web app (basic and extended view) +- Fixed various visual issues. +- Settings page tiles are no longer cut off in slim browser windows. + +#### Extended view (on web) +- Multiple legitimate permissions can be removed from an object again. +- Default values for Date form fields can now be saved. +- Moving a password no longer applies permission changes before confirmation. +- Users without permission to modify rights can no longer edit permissions via templates. +- The email notification search field no longer loses focus while typing. +- Object expiration dates can now be set correctly for non English or German browser languages. +- CSV export no longer fails when RegEx control characters are used as delimiters. +- Opening the quick view with the space bar no longer scrolls the page. +- The Active Directory import search now resets correctly. +- The list of organisational units is now displayed correctly in large environments. + +#### Extended view (on Windows) +- Remote Desktop resolution is now configured correctly when scaling is enabled. +- Table columns are no longer removed after filtering in table view. + +#### Basic view +- The "Empty entire bin" option is now available for basic users. + +#### Browser extension +- The most recent search result is now displayed correctly. +- The browser extension no longer interferes with XML display in Firefox when CTRL is pressed. +- Copying passwords and TOTP tokens from the browser extension works again. \ No newline at end of file diff --git a/docs/passwordsecure/9.3/introduction/versionhistory/version_history.md b/docs/passwordsecure/9.3/introduction/versionhistory/version_history.md index cc25f5b553..9b95c7a669 100644 --- a/docs/passwordsecure/9.3/introduction/versionhistory/version_history.md +++ b/docs/passwordsecure/9.3/introduction/versionhistory/version_history.md @@ -9,6 +9,20 @@ sidebar_position: 30 The previously released versions and the corresponding changelogs can be found in the following sections. +- [Version 9.3.1.33994](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.3.1.33994.md) + +- [Version 9.3.0.33526](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.3.0.33526.md) + +- [Version 9.2.6.33415](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.6.33415.md) + +- [Version 9.2.5.33325](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.5.33325.md) + +- [Version 9.2.4.33163](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.4.33163.md) + +- [Version 9.2.3.32988](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.3.32988.md) + +- [Version 9.2.2.32703](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.2.32703.md) + - [Version 9.2.1.32530](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.1.32530.md) - [Version 9.2.0.32454](/docs/passwordsecure/9.3/introduction/versionhistory/version_9.2.0.32454.md) diff --git a/kb_allowlist.json b/kb_allowlist.json index b09d4b35a0..817c8c4088 100644 --- a/kb_allowlist.json +++ b/kb_allowlist.json @@ -24,8 +24,6 @@ "8.0", "8.1" ], - "identityrecovery": [ - "3.1" "dataclassification": [ "5.6.2", "5.7" @@ -40,6 +38,10 @@ "endpointprotector": [ "current" ], + "identityrecovery": [ + "2.6", + "3.1" + ], "passwordpolicyenforcer": [ "10.2", "11.0", @@ -58,7 +60,8 @@ "current" ], "recoveryforactivedirectory": [ - "2.6" + "2.6", + "3.1" ], "threatmanager": [ "3.0", diff --git a/netwrix_style_guide.md b/netwrix_style_guide.md new file mode 100644 index 0000000000..5f1c449b02 --- /dev/null +++ b/netwrix_style_guide.md @@ -0,0 +1,215 @@ +# Netwrix Style Guide and Documentation Standards + +This document establishes the writing principles and standards for Netwrix technical documentation. The document has two parts: the first part focuses on the high-level standards and principles Netwrix documentation adheres to, and the second part is a style guide providing specific writing guidelines for contributors to follow. + +This is a living document that will be updated as new standards emerge and feedback is incorporated. + +# Netwrix documentation standards + +Netwrix documentation must always be high quality, and high quality documentation features four key qualities: accuracy, clarity, professionalism, and consistency. + +## Accuracy + +It's essential that all Netwrix documentation is accurate. One of the primary purposes of documentation is to enable users to find the information they need without asking someone at Netwrix for help. This allows Netwrix support to help users with more complex issues that aren't covered in the documentation. + +Inaccuracies in documentation can cause all sorts of frustration for users. More importantly, inaccuracies in documentation cause users to lose trust in the documentation and escalate all their issues to support instead. Even minor inaccuracies, like a missing step or an outdated requirement, can cause users to waste their time, get frustrated, and go directly to support. This causes a waste of time and resources for both Netwrix support and the users themselves. + +One of the other primary purposes of technical documentation is to provide users with all the information they need to use Netwrix products successfully and safely. Major inaccuracies in documentation, can cause serious losses or damages for users. For example, if users end up exposing sensitive data as a result of correctly following the inaccurate documentation, such an exposure can cause a serious data breach and lead to not only loss of trust but lawsuits and financial damages. Netwrix is in the business of data security, and Netwrix has a responsibility to its users to provide documentation that not only teaches them how to use the products but also how to use the products without hurting themselves or others. + +There are three key ways to ensure that the technical documentation Netwrix provides is accurate: + +* **Verify all technical information:** Test all the technical information and procedures as you document them to ensure that they are all accurate, complete, and secure. You can do this yourself or enlist the help of a subject matter expert (SME) to do so. The completeness is an important point as well - if the documentation is missing key information a user needs to understand to use the product, the documentation is not really accurate. +* **Implement a technical review process:** It's best to implement a review process that requires a SME, like a relevant product manager (PM), manual tester, or engineer, to review the technical content in any new document. +* **Fix inaccuracies quickly:** It's best to have a system in place, like GitHub issues and/or JIRA for example, so that if any user, internal or external, encounters an inaccuracy, the user knows where to go to notify Netwrix. It should be clear for users where they need to go to tell Netwrix about the inaccuracies they find, and it should be a quick and easy process for them. Once these issues are raised, it's essential to validate the inaccuracy and fix it as quickly as possible, so that it's not out there much longer. + +## Clarity + +One of the most important qualities of excellent technical documentation is its clarity. A primary responsibility of technical documentation is to take complex information and make it easy to understand for its readers. If the documentation is riddled with technical jargon and unexplained terms, it's too difficult to read for most users. If the documentation is too difficult to read, it's effectively useless. This means that Netwrix documentation must be easy to understand to be useful. + +There are five key ways to ensure that the technical documentation Netwrix provides is easy to understand: + +* **Use simple, direct language:** A main goal of technical documentation is to take complex information and simplify it so that it's easier to understand. The more simple and direct the language in the documentation is, the easier it is to understand. Always use active voice ("The system sends a response", not "A response is sent") because it's more direct and easier to understand. Never use idioms ("this feature is a gamechanger") because non-native English speakers aren't always going to be familiar with them. +* **Write concisely:** Use short, simple sentences and eliminate unnecessary words. The fewer words the better, as long as you can successfully convey the meaning of the sentence. It's easy for readers to get lost in long, convoluted sentences. +* **Use examples:** Always provide examples when you can. High quality technical documentation features lots of examples that allow users to understand how the concepts you're explaining can be applied. If you're having trouble coming up with examples, reach out to a relevant SME for some help. +* **Define technical terms:** The technical documentation should have as little jargon and complexity as possible. This means that whenever you use a technical term or acronym, you should always define it on its first use, like subject matter experts (SMEs). Users shouldn't have to go elsewhere to look up the technical terms and acronyms you use, unless they want to learn more in depth. +* **Don't assume what your audience knows:** The users reading your documentation will have a wide range of technical experience. Always provide necessary context and background information that the less experienced users would benefit from. There's no harm in always erring on the side of overproviding context and information, as long as it doesn't bog the reader down. More advanced users will just skim and skip those details. More basic users will benefit from the information. + +## Consistency + +High quality technical documentation is standardized and consistent. Standardized terminology and conventions make documentation predictable and easier to navigate. This consistency refers to the terminology, language, and structure used throughout the documentation. + +There are three key ways you can ensure that Netwrix documentation is consistent: + +* **Use consistent terminology:** When you use one term in one document and a different term in another document to refer to the same concept, you can confuse the reader and make the documentation more difficult to understand. Always use the same term when it's possible. +* **Use consistent structure:** Consistent structure improves the predictability for users, which makes it faster for them to scan and navigate documents. All documentation folders should be organized in the same way, with the same essential sections, such as an overview, a getting started guide, a list of requirements, and a troubleshooting section. All documents themselves should be organized in the same way. For example, a getting started guide should always proceed with the same steps, with an introduction that explains the feature and why it matters, a list of requirements, and then the necessary steps to follow to use the feature. +* **Use consistent formatting:** All similar objects within a document should have the same format, also to make the document more predictable for users. The same headings should be used for the same sections and subsections. All tables should look the same. All notes should have the same format. All code samples should be formatted the same way. All screenshots should be formatted the same way, and they should be the same size. Use the same capitalization for headers and product names throughout the documentation. Use the same number and measurement standards throughout the documentation. + +## Professionalism + +It's important to remember that the Netwrix product documentation represents the quality of the Netwrix organization itself. This means that although the documentation should be simple, direct, and easy to understand, it must always be professional, respectful, and appropriate. Netwrix documentation should always be written in a neutral, informative tone. + +There are three key ways to ensure that Netwrix documentation is always professional: + +* **Avoid casual language:** The documentation should be simple, conversational, and easy to understand, but this doesn't mean that it should be casual. Don't use humor, slang, or colloquialisms. Don't swear. Don't use emojis. The content should be dry but helpful and easy to read. +* **Avoid marketing language:** This documentation is intended to be informative. It's not meant to sell users the products. Don't include promotional claims. Don't use superlatives (best, fastest, most powerful). Don't use buzzwords that don't really mean anything. This type of language causes readers to lose trust in the integrity of the documentation. +* **Avoid first person:** This means both first person plural (I, me, my, mine) and first person plural (we, us, our, ours). + +# Netwrix style guide + +This style guide establishes the specific rules for grammar, punctuation, and style. Consult this guide when you're writing or editing Netwrix documentation to ensure that your content adheres to Netwrix standards. + +## Grammar and Language + +| Rule | Description | Do | Don't | +|------|-------------|-----|-------| +| **Active voice** | Always use active voice rather than passive voice. | The Data Collection Account retrieves the audit logs. | The audit logs are retrieved by the Data Collection Account. | +| **Present tense** | Use present tense instead of future or past tense. | The monitoring plan collects data from Active Directory. | The monitoring plan will collect data from Active Directory. | +| **Second person** | Address the reader directly using "you."This includes the imperative mood which implies "you". | Configure your monitoring plan to enable auditing.ORConfigure the monitoring plan to enable auditing. | Users should configure their monitoring plan to enable auditing.

One must configure the monitoring plan to enable auditing. | +| **Contractions** | Use common contractions to maintain a conversational tone. | Don't include credentials in your API request. | Do not include credentials in your API request.OR You should've included credentials in your API request. | +| **Anthropomorphism** | Avoid attributing human characteristics to software, systems, or products. | Netwrix Auditor displays the alert when suspicious activity occurs. | Netwrix Auditor sees suspicious activity and tells you about it.

The system wants to verify your credentials. | +| **First person plural** | Avoid using "we" to refer to Netwrix. | This feature allows you to monitor SharePoint activity. | We've designed this feature to monitor SharePoint activity. | +| **Placeholder text** | Use descriptive placeholders in angle brackets. | `Get-NWXReport -Name ` | `Get-NWXReport -Name [report-name]`

`Get-NWXReport -Name REPORT_NAME` | +| **Latin abbreviations** | Use English equivalents instead of Latin abbreviations, like "e.g.", "i.e.", and "etc". | For example, configure multiple data collectors.

Use the PowerShell cmdlet (such as Get-NWXUser).Read this guide to learn how to secure your data, passwords, identities, and more. | E.g., configure multiple data collectors.

Use the PowerShell cmdlet (i.e., Get-NWXUser).Read this guide to learn how to secure your data, passwords, identities, etc. | +| **Gendered pronouns** | Avoid gendered pronouns if possible. Just use the noun it refers to again if there's no way around it. | The user sends the user's token to the database. | The user sends his/her token to the database. | +| **Gender-neutral pronouns** | Don't use collective plural pronouns ("they", "them", "their", "theirs") to refer to singular nouns. This leads to potential ambiguity. | The user contacts the administrator because the user knows the administrator wants to review access.Administrators want to to review their access. | The user contacts the administrator because they know they want to review access.An administrator wants to review their access. | +| **Jargon** | Define technical terms and acronyms on first use. Provide brief explanations if they're necessary. | Configure the Non-Owner Mailbox Access (NOMBA) monitoring plan.

Use a group Managed Service Account (gMSA) for authentication. | Configure NOMBA.

Use a gMSA for authentication. | +| **Sentence length** | Keep sentences concise. Aim for 25 words or fewer per sentence. | The monitoring plan collects data from Active Directory. It runs every hour. | The monitoring plan collects data from Active Directory and runs every hour and sends alerts to administrators and logs all events to the SQL Server database. | +| **Parallel structure** | Use parallel grammatical structure for items in a series. If the same subject performs multiple verbs, all verbs should be in the same form. | The data collector retrieves logs, processes events, and generates reports. | The data collector retrieves logs, processes events, and report generating. | +| **Double negatives** | Avoid double negatives. Use positive statements. | The configuration is valid. | The configuration is not invalid. | +| **Subject-verb agreement** | Ensure subjects and verbs agree in number. | The monitoring plan collects data.

The monitoring plans collect data. | The monitoring plan collect data.

The monitoring plans collects data. | +| **Imperatives in instructions** | Use imperative mood (commands) for instructions. | Click **Add** to create a monitoring plan. | You should click **Add** to create a monitoring plan.

The user can click **Add** to create a monitoring plan. | +| **Nominalizations** | Avoid turning verbs into nouns. Use strong verbs. | Configure the monitoring plan to collect data.

Install the application before you configure it. | Perform the configuration of the monitoring plan for data collection.

Installation of the application should occur before configuration. | +| **Conditional statements** | Use "if" clauses clearly. Place the condition before the action when possible. | If the authentication fails, check your credentials.

The monitoring plan runs only if you enable data collection. | Check your credentials if the authentication fails. (acceptable but less clear) | +| **Articles** | Use articles (a, an, the) appropriately. Don't omit them for brevity. | Configure the monitoring plan.

Create a new data collector.

Use an API token for authentication. | Configure monitoring plan.

Create new data collector.

Use API token for authentication. | +| **Redundancy** | Avoid redundant words and phrases. | Configure the settings.

Currently, the system is processing the request.The reason you need to monitor access is to ensure all access is secure. | Configure the settings configuration.

At this point in time, the system is currently in the process of processing the request.The **reason why** you need to monitor access is to ensure all access is secure.OR The **reason** you need to monitor access is **because** you need to ensure all access is secure. | +| **Dangling modifiers** | Ensure modifiers (descriptive phrases) clearly refer to the correct subject. It can lead to confusion. ("After swimming, Fred's fingers were wrinkled." It sounds like Fred's fingers were swimming.) | After configuring the monitoring plan, you can enable data collection.

To access the API, you must provide authentication credentials. | After configuring the monitoring plan, data collection can be enabled.

To access the API, authentication credentials must be provided. | +| **"Who" vs. "whom"** | Use "who" for subjects. Use "whom" for objects. | The administrator who configures the monitoring plan.

The administrator to whom you assign the role. | The administrator whom configures the monitoring plan.

The administrator who you assign the role to. | +| **Verb tense consistency** | Maintain consistent verb tense within sections. | The monitoring plan collects data, processes events, and generates reports. | The monitoring plan collects data, processed events, and will generate reports. | +| **One idea per sentence** | Express one main idea per sentence. | The monitoring plan collects data. It runs every hour. | The monitoring plan collects data from Active Directory and Exchange and SharePoint and also generates reports and sends alerts. | +| **Capitalization** | Capitalize proper nouns and product names. Use sentence case for common nouns. | Configure Netwrix Auditor to monitor Active Directory.

The data collector retrieves audit logs. | Configure netwrix auditor to monitor active directory.

The Data Collector retrieves Audit Logs. | +| **Idioms** | Don't use idioms ("from scratch", "across the board", "hit the nail on the head", and many more). Say what you mean more directly. Idioms can make documentation more confusing, especially for non-native English speakers. | It's difficult to ensure that all access is secure without using an access management tool. | It's **easier said than done** to ensure that all access is secure without using an access management tool. | +| **Run-on sentences** | Avoid run-on sentences. Use periods, semicolons, or coordinating conjunctions. | The monitoring plan collects data. It processes events and generates reports. | The monitoring plan collects data it processes events and generates reports. | +| **Misplaced modifiers** | Place modifiers (phrases that serve as adjectives) close to the words they modify. | The administrator **who configured the monitoring plan** reviewed the audit logs. | The administrator reviewed the audit logs **who configured the monitoring plan**. (It sounds like the logs configured the monitoring plan.) | +| **Ambiguous pronoun references** | Ensure pronouns have clear antecedents. | The monitoring plan and the data collector are configured. The monitoring plan runs every hour. | The monitoring plan and the data collector are configured. It runs every hour. (It's unclear whether "it" refers to the monitoring plan or the data collector.) | +| **Collective nouns** | Treat collective nouns (team, company, organization) as singular in American English. | The team configures the monitoring plan.

The data is processed hourly. | The team configure the monitoring plan.

The data are processed hourly. (American English) | +| **Ending sentences with prepositions** | Ending sentences with prepositions is acceptable and preferred. | Which monitoring plan is the data collector associated with?

This is the configuration you're working on. | With which monitoring plan is the data collector associated? This is the configuration on which you're working. | +| **Subjunctive mood** | Use subjunctive mood for hypothetical (clauses with "if" or "would", for example) or contrary-to-fact situations. Subject-verb agreement is different with the subjunctive mood: the hypothetical verb is plural, even for singular nouns. ("If the auditor were reviewing access, the auditor would detect the breaches.") | If the monitoring plan were configured correctly, data collection would succeed.

The administrator recommends that the user configure the account. | If the monitoring plan was configured correctly, data collection would succeed.

The administrator recommends that the user configures the account. | +| **"Whether" vs. "if"** | Use "whether" for alternatives, "if" for conditional statements. | Check whether the monitoring plan is configured.

If the monitoring plan fails, check the logs. | Check if the monitoring plan is configured. (less formal) | +| **"While" vs. "although"** | Use "while" for time, "although" or "whereas" for contrast. | Although the monitoring plan is active, data collection has not started.

The data collector runs while the monitoring plan is active. | While the monitoring plan is active, data collection has not started. (ambiguous) | +| **"Since" vs. "because"** | Use "since" for time, "because" for causation. | The monitoring plan has been active since January.

The data collection failed because the credentials are invalid. | The data collection failed since the credentials are invalid. (ambiguous) | +| **"Each" and "every"** | Use singular verbs with "each" and "every." | Each monitoring plan has its own data collector.

Every administrator needs to configure their account. | Each monitoring plan have their own data collectors.

Every administrator need to configure their accounts. | +| **"Affect" vs. "effect"** | Use "affect" as a verb (to influence), "effect" as a noun (result). | The configuration affects data collection.

The effect of the configuration is improved performance. | The configuration effects data collection.

The affect of the configuration is improved performance. | +| **"Ensure" vs. "assure" vs. "insure"** | Use "ensure" (make certain), "assure" (convince), "insure" (protect financially). | Ensure the Data Collection Account is configured.

We assure you that your data is secure. | Assure the Data Collection Account is configured.

We ensure you that your data is secure. | +| **"Complement" vs. "compliment"** | Use "complement" (complete/enhance), not "compliment" (praise). | The analysis module complements the data collector. | The analysis module compliments the data collector. | +| **"Principal" vs. "principle"** | Use "principal" (main), "principle" (rule/belief). | The principal component is the data collector.

Follow the principle of least privilege. | The principle component is the data collector.

Follow the principal of least privilege. | +| **"Then" vs. "than"** | Use "then" for time/sequence, "than" for comparisons. | Configure the monitoring plan, then enable data collection.

The new version is faster than the previous version. | Configure the monitoring plan, than enable data collection.

The new version is faster then the previous version. | +| **"Their," "there," "they're"** | Use "their" (possessive), "there" (location/existence), "they're" (they are). | The administrators configure their monitoring plans.

There are three data collectors.

They're configured correctly. | The administrators configure they're monitoring plans.

Their are three data collectors.

There configured correctly. | +| **"Comprise" vs. "compose"** | Use "comprise" (consist of), not "comprised of." Use "compose" (make up). | The monitoring plan comprises three components.

Three components compose the monitoring plan. | The monitoring plan is comprised of three components.

Three components comprise the monitoring plan. | +| **"Imply" vs. "infer"** | Use "imply" for "suggest" and "infer" for "conclude". | The error message implies a configuration issue.

You can infer that the credentials are invalid. | The error message infers a configuration issue.

You can imply that the credentials are invalid. | +| **"None" as singular or plural** | Use "none" as singular when meaning "not one," plural when meaning "not any." | None of the monitoring plans is configured correctly. (not one)

None of the data collectors are active. (not any) | None of the monitoring plans are configured correctly. (when meaning "not one") | +| **"That" vs. "which"** | Use "that" for restrictive clauses (no comma). Use "which" for nonrestrictive clauses (with comma). | The monitoring plan that collects Active Directory data runs hourly.

The monitoring plan, which was created yesterday, runs hourly. | The monitoring plan which collects Active Directory data runs hourly.

The monitoring plan, that was created yesterday, runs hourly. | +| **"Its" vs. "it's"** | Use "its" for possessive. Use "it's" only for "it is" or "it has." | The monitoring plan completes its data collection.

It's important to configure the Data Collection Account. | The monitoring plan completes it's data collection.

Its important to configure the Data Collection Account. | +| **"Fewer" vs. "less"** | Use "fewer" for countable items. Use "less" for uncountable quantities. | The new version has fewer errors.

The new version uses less memory. | The new version has less errors.

The new version uses fewer memory. | +| **"Between" vs. "among"** | Use "between" for two items. Use "among" for three or more items. | Choose between Netwrix Auditor and Netwrix Privilege Secure.

Distribute the load among all three data collectors. | Choose among Netwrix Auditor and Netwrix Privilege Secure.
Distribute the load between all three data collectors. | + +## Punctuation + +| Rule | Description | Do | Don't | +|------|-------------|-----|-------| +| **Oxford comma** | Use the Oxford comma in lists of three or more items. | Netwrix Auditor monitors Active Directory, file servers, and Exchange. | Netwrix Auditor monitors Active Directory, file servers and Exchange. | +| **Commas after introductory phrases** | Use commas after introductory phrases or clauses. | After you configure the monitoring plan, enable data collection.

To enable auditing, configure the Data Collection Account. | After you configure the monitoring plan enable data collection.

To enable auditing configure the Data Collection Account. | +| **Commas in compound sentences** | Use commas before coordinating conjunctions (FANBOYS - for, and, nor, but, or, yet, so) in compound sentences. | The data collector retrieves audit logs, and the analysis module processes them.

Configure the monitoring plan and enable data collection. (simple sentence) | The data collector retrieves audit logs and the analysis module processes them. | +| **Colons** | Use colons to introduce lists, examples, or explanations. | The monitoring plan requires three components: a data collector, an analysis module, and an action module. | The monitoring plan requires three components, a data collector, an analysis module, and an action module. | +| **Complete sentences before colons** | Use complete sentences before colons when you introduce a list. | Ensure that you do the following: * Authenticate to the system
* Send an initial request
* Validate the response | Ensure that you:* Authenticate to the system
* Send an initial request
* Validate the response | +| **Em dashes** | Use em dashes (—) without spaces for emphasis or interruption. | The API endpoint—available in version 12.0—supports OAuth 2.0. | The API endpoint - available in version 12.0 - supports OAuth 2.0. | +| **Hyphens** | Use hyphens for compound modifiers before nouns. | Configure the real-time monitoring plan.

The monitoring plan runs in real time. | Configure the real time monitoring plan.

The monitoring plan runs in real-time. | +| **Apostrophes** | Use apostrophes correctly for possessives and contractions. | The administrator's credentials

don't, can't, you're | The administrators credentials

dont, cant, your (when you mean "you are") | +| **Semicolons** | Use semicolons to connect closely related independent clauses. | The data collector retrieves audit logs; the analysis module processes them. | The data collector retrieves audit logs, the analysis module processes them. | +| **Slashes** | Avoid using slashes. Use "or" or rewrite the sentence.

**Exception:** Use slashes in established technical terms. | Configure the monitoring plan for SharePoint or SharePoint Online.

TCP/IP, client/server, read/write permissions | Configure the monitoring plan for SharePoint/SharePoint Online. | +| **Parentheses** | Use parentheses only for supplementary information that can be removed. | Configure the monitoring plan (see Configuration Guide for details). | Configure the monitoring plan (which is located in the Admin section). | +| **Quotation marks** | Use double quotation marks for quotes. Avoid using quotation marks for emphasis. | The error message displays "Invalid credentials."

Click the**Add** button to continue. | The error message displays 'Invalid credentials.'

Click the "Add" button to continue. | +| **Exclamation points** | Avoid exclamation points in technical documentation. | The installation completed successfully.

Warning: The configuration is invalid. | The installation completed successfully!

Warning! The configuration is invalid! | +| **Question marks** | Avoid using question marks. | **Heading:** Configuring monitoring plansThis presents an issue: ensuring all access is secure is difficult. | **Heading:** How do I configure monitoring plans?

This raises the question: how do you ensure all access is secure? | +| **Ampersands** | Don't use ampersands (&). Spell out "and" instead of using ampersands.

**Exception:** Use ampersands in established product names or code. | Configure Active Directory and Exchange monitoring.

Netwrix Auditor for Active Directory & Exchange (product name) | Configure Active Directory & Exchange monitoring. | +| **Periods in abbreviations** | Avoid periods in abbreviations and acronyms. | FSA, NOMBA, API, SQL, AD | F.S.A., N.O.M.B.A., A.P.I., S.Q.L., A.D. | +| **Ellipses** | Avoid ellipses in technical documentation. Use complete sentences. | The system is processing the request. Wait for the operation to complete. | The system is processing the request...

Wait for the operation to complete... | +| **Brackets** | Use square brackets for optional parameters or to clarify quoted text. | `Get-NWXReport [-Name ] [-StartDate ]`

The log states "The \[monitoring\] plan failed to start." | Use parentheses for optional parameters: `Get-NWXReport (-Name )` | +| **Underscores** | Use underscores only in code, file paths, or technical identifiers. Avoid in regular text. | The `user_id`parameter identifies the user.

Edit the`config_file.xml` file. | The user_id parameter identifies the user. | +| **Apostrophes with plural possessives** | Use apostrophes after the "s" when you are using a plural possessive ("the users' identities"). | You can use the the three tools' distinct features. | You can use the three tool's distinct features. | + +## Numbers and Dates + +| Rule | Description | Do | Don't | +|------|-------------|-----|-------| +| **Numbers** | Spell out zero through nine. Use numerals for 10 and above. | The monitoring plan has three data collectors.

The database contains 15 monitoring plans. | The monitoring plan has 3 data collectors.

The database contains fifteen monitoring plans. | +| **Numerals for units of measurement** | Use numerals with units of measurement. | 5 GB, 3 seconds | Five GB, three seconds | +| **Numbers at the start of a sentence** | Spell out numbers that begin a sentence or rewrite the sentence. | Twelve monitoring plans are configured.

You can configure up to 12 monitoring plans. | 12 monitoring plans are configured. | +| **Commas with numbers** | Use commas as thousands separators in numbers 1,000 and above. | The database contains 1,500 monitoring plans.

The system processes 10,000 events per second. | The database contains 1500 monitoring plans.

The system processes 10000 events per second. | +| **Dates** | Use the format Month Day, Year for dates. | January 15, 2025 | 15 January 2025


| +| **Time** | Use the 12-hour clock with AM and PM. | The monitoring plan runs at 3:00 PM. | The monitoring plan runs at 15:00. | + +## Formatting + +| Rule | Description | Do | Don't | +|------|-------------|-----|-------| +| **Headings** | Use sentence case for headings. Capitalize only the first word and proper nouns. | Configure the monitoring plan | Configure the Monitoring Plan

Configure The Monitoring Plan | +| **Headings with infinitives** | Start task-based headings with infinitives. | Install Netwrix Auditor

Configure monitoring plans | Installing Netwrix Auditor (in a heading for a section with multiple steps)

Configuring monitoring plans | +| **Headings with gerunds** | Start headings with gerunds ("-ing" verbs) when the topics are concepts, overviews, or when they describe continuous actions. | Reviewing audit logs | Review audit logs (unless it's a task) | +| **Bold text** | Use bold for UI elements, buttons, and menu items. | Click **Add** to create a new monitoring plan. | Click "Add" to create a new monitoring plan.

Click Add to create a new monitoring plan. | +| **Italic text** | Avoid italics. | This process is known as agentless monitoring. | Click the *Add* button. | +| **Code formatting** | Use monospace formatting for code, commands, file paths, and technical values. | Run the `Get-NWXUser`cmdlet to retrieve user information.

Edit the`C:\Program Files\Netwrix\config.xml` file. | Run the Get-NWXUser cmdlet to retrieve user information.

Edit the C:\\Program Files\\Netwrix\\config.xml file. | +| **Code blocks** | Use fenced code blocks with language identifiers. | `powershell
Get-NWXReport -Name "Active Directory Changes" -StartDate "2025-01-01"
` | `
Get-NWXReport -Name "Active Directory Changes" -StartDate "2025-01-01"
` | +| **Lists** | Use parallel structure for list items. | • Configure the monitoring plan
• Enable data collection
• Review the audit logs | • Configure the monitoring plan
• Data collection should be enabled
• Reviewing the audit logs | +| **Numbered lists** | Use numbered lists for sequential steps. Use standard numbered list format (1., 2., 3.). Don't use "Step 1", "Step 2", or similar prefixes. | 1. Open Netwrix Auditor.
2. Navigate to **Monitoring Plans**.
3. Click **Add**. | • Open Netwrix Auditor.
• Navigate to **Monitoring Plans**.
• Click **Add**. | +| **Links** | Write descriptive link text. Avoid "click here" or "this link." | See the [Configuration Guide](config-guide.md) for details. | Click [here](config-guide.md) for details.

See [this link](config-guide.md) for details. | +| **Placeholder text** | Use descriptive placeholders in angle brackets. | `Get-NWXReport -Name ` | `Get-NWXReport -Name [report-name]`

`Get-NWXReport -Name REPORT_NAME` | + +## Word Usage + +| Rule | Description | Do | Don't | +|------|-------------|-----|-------| +| **Product names** | Capitalize Netwrix product names correctly. | Netwrix Auditor, Netwrix Privilege Secure, Netwrix Password Secure | netwrix auditor, Netwrix auditor, NETWRIX AUDITOR | +| **Feature names** | Use sentence case for feature names unless they are proper nouns.

**Exception:** Use the correct case for established feature names. | monitoring plan, data collector, action module

Active Directory, SQL Server, SharePoint Online | Monitoring Plan, Data Collector, Action Module | +| **Acronyms** | Spell out acronyms on first use, then use the acronym. | Configure the File Server Auditing (FSA) monitoring plan. FSA collects data from file servers. | Configure the FSA monitoring plan. FSA collects data from file servers. | +| **"In order to"** | Use "to" instead of "in order to." | Configure the Data Collection Account to access audit logs. | Configure the Data Collection Account in order to access audit logs. | +| **"Please"** | Avoid "please" in instructions. Be direct. | Enter your credentials. | Please enter your credentials. | +| **Words that assume ease** | Avoid minimizing words that assume task difficulty (simple, easy, just). | Configure the monitoring plan. | Simply configure the monitoring plan.

Just configure the monitoring plan.

Easily configure the monitoring plan. | +| **"May" vs. "might" vs. "can"** | Use "might" for possibility and "can" for capability. Avoid "may". | The monitoring plan might fail if credentials are incorrect.

You can configure multiple data collectors. | The monitoring plan may fail if credentials are incorrect.You may configure multiple data collectors. (implies permission) | +| **"Should" vs. "must"** | Use "must" for requirements and "should" for recommendations. | You must configure the Data Collection Account before enabling auditing.

You should review the audit logs regularly. | You should configure the Data Collection Account. (if it's required) | + +## Organization + +| Rule | Description | Do | Don't | +|------|-------------|-----|-------| +| **Overview sections** | Place overview content before detailed instructions. | Place "Overview" before "Configuration." | Place "Configuration" before "Overview." | +| **Prerequisites** | List prerequisites before installation or configuration steps. | List system requirements before installation instructions. | Mention system requirements in the middle of installation instructions. | +| **Cross-references** | Place related links at the end of sections. | End the section with "For more information, see [Configuration Guide](config-guide.md)." | Start the section with "For more information, see [Configuration Guide](config-guide.md)." | +| **Filenames** | Use lowercase with hyphens for filenames. | `monitoring-plan-config.md`, `getting-started.md` | `MonitoringPlanConfig.md`, `Getting_Started.md`, `gettingstarted.md` | +| **Heading hierarchy** | Use heading levels consistently. Don't skip levels (H1 to H3 without H2). | H1 Product Name
H2 Overview
H3 Key Features | H1 Product Name
H3 Overview (skips H2) | +| **Section length** | Keep sections focused. Break long sections into subsections. | H2 Configuration
H3 Data collectors
H4 Analysis modules | ## Configuration
(5000 words of mixed content without subsections) | +| **Introduction sections** | Include a brief introduction at the start of each major section. Do not use an "Introduction" header. Just start the introduction at the beginning of the document. | H2 Configuration
Configure monitoring plans to collect audit data from your environment. | H2 Configuration
1. Open Netwrix Auditor.
2. Click **Add**. (no context)OR H2 ConfigurationH3 Introduction | +| **Example placement** | Place examples immediately after explaining concepts. | The monitoring plan collects data from Active Directory.

**Example:** Configure FSA to monitor file servers. | Explain multiple concepts, then group all examples at the end. | +| **Concepts before procedures** | Explain concepts before providing step-by-step instructions. | H2 About monitoring plans
Monitoring plans collect audit data.
H2 Configuring monitoring plans
1. Open Netwrix Auditor. | H2 Configuring monitoring plans
1. Open Netwrix Auditor.
H2 About monitoring plans (after the steps) | +| **Task grouping** | Group related tasks together in sections. | H2 Monitoring plan configuration
H3 Creating monitoring plans
H3 Editing monitoring plans
H3 Deleting monitoring plans | H2 Configuration
H3 Creating monitoring plans
H2 Administration
H3 Editing monitoring plans
H2 Maintenance
H3 Deleting monitoring plans | +| **Common before advanced** | Start with common tasks, then cover advanced topics. | H2 Basic Configuration
H2 Expert Topics | H2 Expert Topics
H2 Basic Configuration | +| **Tutorial structure** | Structure tutorials as: Objective, Prerequisites, Steps, Verification, Summary, Next steps. | H2 Objective
H2 Prerequisites
H2 Steps
H2 Verify
H2 Summary | Mix objectives, prerequisites, and steps without clear structure. | +| **Folder structure** | Organize documentation in folders by product, then version, and then topic area. | docs/auditor/10.7/admin/… | docs/auditor/admin/10.7… | +| **Navigation order** | Order navigation items logically for users who are learning from the start. (Overview, Getting Started, Guides, Reference, Troubleshooting) | Sidebar:
1. Overview
2. Getting Started
3. Configuration
4. Reference | Sidebar:
1. Reference
2. Troubleshooting
3. Overview | + +## API Documentation + +| Rule | Description | Do | Don't | +|------|-------------|-----|-------| +| **Endpoints** | Use code formatting for API endpoints. | Send a GET request to `/api/v1/users`. | Send a GET request to /api/v1/users. | +| **HTTP methods** | Use uppercase for HTTP methods. | Use the GET method to retrieve data. | Use the get method to retrieve data. | +| **Request and response examples** | Provide realistic examples with actual values. | {
"username": "jsmith",
"email": "[jsmith@example.com](mailto:jsmith@example.com)",
"role": "administrator"
} | {
"username": "string",
"email": "string",
"role": "string"
} | +| **Parameters** | Document all parameters with descriptions and data types. | `userId` (string, required): The unique identifier for the user. | `userId`: User ID. | +| **Status codes** | Document expected HTTP status codes. | Returns 200 OK on success or 404 Not Found if the user doesn't exist. | Returns a status code. | + +## Error Messages + +| Rule | Description | Do | Don't | +|------|-------------|-----|-------| +| **Error message formatting** | Format error messages clearly with the error code and description. | Error 1001: Invalid credentials. Verify your username and password. | An error occurred. | +| **Error message tone** | Use a neutral, helpful tone in error messages. | The monitoring plan configuration is invalid. Check the data collector settings. | You entered an invalid configuration. | +| **Next steps** | Provide actionable next steps in error messages. | The API request failed. Verify your authentication token and try again. | The API request failed. | \ No newline at end of file diff --git a/scripts/copy-kb-to-versions.mjs b/scripts/copy-kb-to-versions.mjs index 57380af103..b761e1bd8a 100644 --- a/scripts/copy-kb-to-versions.mjs +++ b/scripts/copy-kb-to-versions.mjs @@ -39,49 +39,6 @@ const PROJECT_ROOT = path.resolve(__dirname, '..'); const LOCKFILE = path.join(PROJECT_ROOT, '.kb-copy.lock'); const ASSET_DIRS = ['0-images', 'images', 'assets', 'media']; -// ============================================================================ -// Product Migration Control -// ============================================================================ - -/** - * Products that have been migrated to use the new autogenerated KB sidebar. - * - * For products in this list: - * - KB content will be copied to versioned docs folders - * - Sidebars use autogenerated structure (no generateKBSidebar() call) - * - * For products NOT in this list: - * - KB content will NOT be copied (script skips them) - * - Sidebars continue using generateKBSidebar() (old method) - * - * Add products to this list as their Phase 2 migration PR is merged. - */ -const MIGRATED_PRODUCTS = [ - // Add product IDs here as they complete migration - // Example: 'auditor', 'privilegesecure', 'threatprevention' - '1secure', // Migrated - uses autogenerated sidebar - 'accessanalyzer', // Already migrated - uses autogenerated sidebar - 'endpointpolicymanager', // Migrating - sidebar to be updated - 'identityrecovery', // Migrated - uses autogenerated sidebar - 'changetracker', // Migrating - sidebar to be updated - 'accessinformationcenter', // Migrating - sidebar to be updated - 'accessinformationcenter', // Migrated - uses autogenerated sidebar - 'activitymonitor', // Migrated - uses autogenerated sidebar - 'auditor', // Migrating - sidebar to be updated - 'changetracker', // Migrated - uses autogenerated sidebar - 'dataclassification', // Migrated - uses autogenerated sidebar - 'directorymanager', // Migrating - sidebar to be updated - 'endpointpolicymanager', // Migrated - uses autogenerated sidebar - 'endpointprotector', // Migrated - uses autogenerated sidebar - 'passwordpolicyenforcer', // Migrated - uses autogenerated sidebar - 'passwordreset', // Migrated - uses autogenerated sidebar - 'privilegesecure', // Migrated - uses autogenerated sidebar - 'privilegesecurediscovery', // Migrated - uses autogenerated sidebar - 'recoveryforactivedirectory', // Migrated - uses autogenerated sidebar - 'threatmanager', // Migrated - uses autogenerated sidebar - 'threatprevention', // Migrated - scripts page restructured, uses autogenerated sidebar -]; - // Build CONFIG dynamically from PRODUCTS function buildConfig() { const config = {}; @@ -640,14 +597,6 @@ function main() { continue; } - // Skip products that haven't been migrated yet - // If MIGRATED_PRODUCTS is empty, skip all products (nothing migrated yet) - // If MIGRATED_PRODUCTS has items, only process products in the list - if (MIGRATED_PRODUCTS.length === 0 || !MIGRATED_PRODUCTS.includes(product)) { - console.log(`\n⏭️ Skipping ${product} (not yet migrated)`); - continue; - } - console.log(`\n📚 Product: ${product}`); console.log('-'.repeat(60)); diff --git a/src/components/VersionSwitcher/index.js b/src/components/VersionSwitcher/index.js new file mode 100644 index 0000000000..84d40a6e2e --- /dev/null +++ b/src/components/VersionSwitcher/index.js @@ -0,0 +1,80 @@ +import React from 'react'; +import { useLocation } from '@docusaurus/router'; +import { PRODUCTS, generateRouteBasePath, urlToVersion } from '@site/src/config/products.js'; +import styles from './styles.module.css'; + +export default function VersionSwitcher() { + const location = useLocation(); + const pathname = location.pathname; + + // Parse URL to extract product and version + const pathParts = pathname.split('/').filter((part) => part); + + // Find the matching product by checking if pathname starts with product path + let matchedProduct = null; + let currentVersion = null; + + for (const product of PRODUCTS) { + // Extract the product path segment (e.g., 'passwordsecure' from 'docs/passwordsecure') + const productPathSegment = product.path.split('/').pop(); + + // Check if this product's path segment is in the URL + const productIndex = pathParts.indexOf(productPathSegment); + + if (productIndex !== -1) { + matchedProduct = product; + + // Check if there's a version segment after the product + if (pathParts[productIndex + 1]) { + const versionFromUrl = pathParts[productIndex + 1]; + // Check if it looks like a version (e.g., "9_3", "saas", "current") + if (/^(v?\d+(_\d+)*|saas|current)$/i.test(versionFromUrl)) { + currentVersion = urlToVersion(versionFromUrl); + } + } + break; + } + } + + // Don't render anything if: + // - No product matched + // - Product only has one version + if (!matchedProduct || matchedProduct.versions.length <= 1) { + return null; + } + + // Sort versions so latest is always first (on the left) + const sortedVersions = [...matchedProduct.versions].sort((a, b) => { + if (a.isLatest) return -1; + if (b.isLatest) return 1; + return 0; + }); + + return ( +
+
+ {sortedVersions.map((version) => { + // Use customLink if provided, otherwise generate the link + const versionLink = version.customLink || `/${generateRouteBasePath(matchedProduct.path, version.version)}`; + const isActive = currentVersion === version.version; + const badgeClass = version.isLatest + ? `${styles.versionBadge} ${styles.latestBadge}` + : styles.versionBadge; + const activeClass = isActive ? styles.activeBadge : ''; + + return ( + + {version.label} + + ); + })} +
+
+ ); +} diff --git a/src/components/VersionSwitcher/styles.module.css b/src/components/VersionSwitcher/styles.module.css new file mode 100644 index 0000000000..e54c6660d0 --- /dev/null +++ b/src/components/VersionSwitcher/styles.module.css @@ -0,0 +1,108 @@ +/* Version Switcher Container */ +.versionSwitcherContainer { + padding: 12px 16px; + border-bottom: 1px solid var(--ifm-color-emphasis-200); + margin-bottom: 12px; +} + +[data-theme='dark'] .versionSwitcherContainer { + border-bottom-color: var(--ifm-color-emphasis-300); +} + +/* Version Badges */ +.versionBadges { + display: flex; + flex-wrap: wrap; + gap: 8px; + align-items: center; +} + +/* Base Version Badge */ +.versionBadge { + display: inline-flex; + align-items: center; + justify-content: center; + padding: 4px 8px; + background: var(--ifm-color-primary-light); + color: white !important; + font-size: 0.75rem; + font-weight: 500; + border-radius: 6px; + text-decoration: none; + transition: all 0.2s ease; + white-space: nowrap; + cursor: pointer; +} + +.versionBadge:hover { + background: var(--ifm-color-primary); + color: white !important; + text-decoration: none; + transform: scale(1.05); +} + +/* Latest Version Badge (Green) */ +.latestBadge { + background: var(--ifm-color-success); + box-shadow: 0 2px 8px rgba(22, 163, 74, 0.3); +} + +.latestBadge:hover { + background: var(--ifm-color-success-dark); + color: white !important; +} + +/* Active Badge (currently viewing this version) */ +.activeBadge { + box-shadow: 0 0 0 2px var(--ifm-background-color), 0 0 0 4px var(--ifm-color-primary); +} + +.latestBadge.activeBadge { + box-shadow: 0 0 0 2px var(--ifm-background-color), 0 0 0 4px var(--ifm-color-success); +} + +/* Dark Mode */ +[data-theme='dark'] .versionBadge { + background: var(--ifm-color-primary-darker); + color: var(--ifm-color-primary-lightest) !important; +} + +[data-theme='dark'] .versionBadge:hover { + background: var(--ifm-color-primary); + color: white !important; +} + +[data-theme='dark'] .latestBadge { + background: var(--ifm-color-success-darker); + color: var(--ifm-color-success-lightest) !important; +} + +[data-theme='dark'] .latestBadge:hover { + background: var(--ifm-color-success); + color: white !important; +} + +[data-theme='dark'] .activeBadge { + box-shadow: 0 0 0 2px var(--ifm-background-surface-color), 0 0 0 4px var(--ifm-color-primary); +} + +[data-theme='dark'] .latestBadge.activeBadge { + box-shadow: 0 0 0 2px var(--ifm-background-surface-color), 0 0 0 4px var(--ifm-color-success); +} + +/* Responsive */ +@media screen and (max-width: 768px) { + .versionSwitcherContainer { + padding: 10px 12px; + margin-bottom: 10px; + } + + .versionBadges { + gap: 6px; + } + + .versionBadge { + font-size: 0.7rem; + padding: 3px 6px; + } +} diff --git a/src/config/products.js b/src/config/products.js index d95920cca0..ab7231b819 100644 --- a/src/config/products.js +++ b/src/config/products.js @@ -533,11 +533,19 @@ export const PRODUCTS = [ path: 'docs/recoveryforactivedirectory', categories: ['Identity Threat Detection & Response (ITDR)'], icon: '', + hideFromNavbar: true, // Old product name, superseded by Identity Recovery versions: [ + { + version: '3.1', + label: '3.1', + isLatest: true, + sidebarFile: './sidebars/identityrecovery/3.1.js', + customLink: '/docs/identityrecovery/3_1', // Points to Identity Recovery + }, { version: '2.6', label: '2.6', - isLatest: true, + isLatest: false, sidebarFile: './sidebars/recoveryforactivedirectory/2.6.js', }, ], @@ -557,6 +565,13 @@ export const PRODUCTS = [ isLatest: true, sidebarFile: './sidebars/identityrecovery/3.1.js', }, + { + version: '2.6', + label: '2.6', + isLatest: false, + sidebarFile: './sidebars/recoveryforactivedirectory/2.6.js', + customLink: '/docs/recoveryforactivedirectory/2_6', // Points to Recovery for AD + }, ], defaultVersion: '3.1', }, @@ -827,7 +842,8 @@ export function generateDocusaurusPlugins() { */ export function generateProductCategories() { return PRODUCT_CATEGORIES.map((category) => { - const categoryProducts = getProductsByCategory(category.title); + const categoryProducts = getProductsByCategory(category.title) + .filter(product => !product.hideFromNavbar); // Exclude products hidden from navbar/landing page const products = categoryProducts.map((product) => { const defaultVersion = getDefaultVersion(product); @@ -843,7 +859,7 @@ export function generateProductCategories() { if (product.versions.length > 1) { productInfo.versions = product.versions.map((version) => ({ version: version.label, - link: `/${generateRouteBasePath(product.path, version.version)}`, + link: version.customLink || `/${generateRouteBasePath(product.path, version.version)}`, isLatest: version.isLatest, })); } @@ -876,7 +892,8 @@ export function generateNavbarDropdowns() { return PRODUCT_CATEGORIES.filter((category) => category.title !== 'Other') // Exclude 'Other' category from navbar .map((category) => { - const categoryProducts = getProductsByCategory(category.title); + const categoryProducts = getProductsByCategory(category.title) + .filter(product => !product.hideFromNavbar); // Exclude products hidden from navbar const items = categoryProducts.map((product) => { const defaultVersion = getDefaultVersion(product); diff --git a/src/theme/DocSidebar/Desktop/Content/index.js b/src/theme/DocSidebar/Desktop/Content/index.js new file mode 100644 index 0000000000..059930f159 --- /dev/null +++ b/src/theme/DocSidebar/Desktop/Content/index.js @@ -0,0 +1,12 @@ +import React from 'react'; +import Content from '@theme-original/DocSidebar/Desktop/Content'; +import VersionSwitcher from '@site/src/components/VersionSwitcher'; + +export default function ContentWrapper(props) { + return ( + <> + + + + ); +} diff --git a/src/theme/DocSidebar/Mobile/Content/index.js b/src/theme/DocSidebar/Mobile/Content/index.js new file mode 100644 index 0000000000..156929190e --- /dev/null +++ b/src/theme/DocSidebar/Mobile/Content/index.js @@ -0,0 +1,12 @@ +import React from 'react'; +import Content from '@theme-original/DocSidebar/Mobile/Content'; +import VersionSwitcher from '@site/src/components/VersionSwitcher'; + +export default function ContentWrapper(props) { + return ( + <> + + + + ); +} diff --git a/src/theme/Root.js b/src/theme/Root.js index 10c9c1994e..a5da5b684d 100644 --- a/src/theme/Root.js +++ b/src/theme/Root.js @@ -26,7 +26,7 @@ export default function Root({ children }) { // attributeFilter: ['data-theme'] // }); - return () => observer.disconnect(); + // return () => observer.disconnect(); }, []); return ( diff --git a/src/utils/generateKBSidebar.js b/src/utils/generateKBSidebar.js deleted file mode 100644 index cbd0c7fdc4..0000000000 --- a/src/utils/generateKBSidebar.js +++ /dev/null @@ -1,176 +0,0 @@ -const path = require('path'); -const fs = require('fs'); - -// Extract title from markdown frontmatter, handling YAML folded blocks (>-) -function extractTitle(filePath, fallbackName) { - try { - const content = fs.readFileSync(filePath, 'utf8'); - if (content.startsWith('---')) { - const parts = content.split('---', 3); - if (parts.length >= 3) { - const frontmatter = parts[1]; - - // Look for sidebar_label first (Docusaurus best practice) - const label = extractYamlField(frontmatter, 'sidebar_label'); - if (label) return label; - - // Fall back to title - const title = extractYamlField(frontmatter, 'title'); - if (title) return title; - } - } - } catch (error) { - console.warn(`Error reading frontmatter from ${filePath}:`, error.message); - } - // Fallback to cleaned filename - return fallbackName.replace(/-/g, ' ').replace(/\b\w/g, l => l.toUpperCase()); -} - -// Extract a YAML field value, handling both simple and folded block formats -function extractYamlField(frontmatter, fieldName) { - // First check for folded block format: field: >- followed by indented lines - const foldedMatch = frontmatter.match(new RegExp(`^\\s*${fieldName}:\\s*>-\\s*$`, 'm')); - if (foldedMatch) { - const lines = frontmatter.split('\n'); - const startIndex = lines.findIndex(line => line.match(new RegExp(`^\\s*${fieldName}:\\s*>-\\s*$`))); - if (startIndex !== -1) { - const result = []; - // Collect indented lines following the >- declaration - for (let i = startIndex + 1; i < lines.length; i++) { - const line = lines[i]; - // Stop if we hit another YAML key (non-indented line with colon) - if (line.match(/^\s*\w+:\s*/)) break; - // Skip empty lines, but collect indented content - if (line.trim()) { - result.push(line.replace(/^\s+/, '').trim()); - } - } - if (result.length > 0) { - return result.join(' ').trim(); - } - } - } - - // Try simple single-line format: field: value (but exclude folded blocks) - const simpleMatch = frontmatter.match(new RegExp(`^\\s*${fieldName}:\\s*['"]?([^'"\\n\\r>]+?)['"]?\\s*$`, 'm')); - if (simpleMatch && !simpleMatch[1].trim().startsWith('>')) { - return simpleMatch[1].trim(); - } - - return null; -} - -// Helper function to capitalize folder names with proper handling of acronyms -function capitalizeFolderName(folderName) { - // Common acronyms that should be all caps (based on actual KB folder names) - const acronyms = ['sql', 'faq', 'faqs', 'sso', 'api', 'url', 'http', 'https', 'ssl', 'tls', 'ldap', 'ad', 'vm', 'kb', 'csv', 'json', 'xml', 'html', 'css', 'saml', 'oauth', 'id', 'mfa', 'rds', 'ux', 'dpi']; - - return folderName - .split('-') - .map(word => { - const lowerWord = word.toLowerCase(); - // Check if this is a known acronym - if (acronyms.includes(lowerWord)) { - return word.toUpperCase(); - } - // Otherwise, capitalize first letter only - return word.charAt(0).toUpperCase() + word.slice(1).toLowerCase(); - }) - .join(' '); -} - -// Recursively process a folder and its subfolders to build sidebar items -function processFolderRecursive(folderPath, productName, relativePath = '') { - const items = []; - const entries = fs.readdirSync(folderPath, { withFileTypes: true }); - - // Get all markdown files in this folder - const markdownFiles = entries - .filter(entry => entry.isFile() && entry.name.endsWith('.md')) - .map(file => { - const filePath = path.join(folderPath, file.name); - const fallbackName = file.name.replace('.md', ''); - const fileRelativePath = relativePath ? `${relativePath}/${file.name.replace('.md', '')}` : file.name.replace('.md', ''); - - // Build the href path - use /docs/kb since routeBasePath is 'docs/kb' - const href = `/docs/kb/${productName}/${fileRelativePath}`; - - return { - type: 'link', - label: extractTitle(filePath, fallbackName), - href: href - }; - }) - .sort((a, b) => a.label.localeCompare(b.label)); - - // Get all subdirectories - const subfolders = entries - .filter(entry => entry.isDirectory() && !entry.name.startsWith('.') && !entry.name.startsWith('_')) - .sort((a, b) => a.name.localeCompare(b.name)); - - // Process each subfolder recursively - subfolders.forEach(subfolder => { - const subfolderPath = path.join(folderPath, subfolder.name); - const subfolderRelativePath = relativePath ? `${relativePath}/${subfolder.name}` : subfolder.name; - const subfolderItems = processFolderRecursive(subfolderPath, productName, subfolderRelativePath); - - if (subfolderItems.length > 0) { - const categoryLabel = capitalizeFolderName(subfolder.name); - - items.push({ - type: 'category', - label: categoryLabel, - collapsed: true, - items: subfolderItems - }); - } - }); - - // Add markdown files after subfolders (subfolders first, then files) - items.push(...markdownFiles); - - return items; -} - -function generateKBSidebar(productName) { - // Find the project root by looking for package.json - let currentDir = __dirname; - while (!fs.existsSync(path.join(currentDir, 'package.json')) && currentDir !== '/') { - currentDir = path.dirname(currentDir); - } - const kbPath = path.join(currentDir, 'docs', 'kb', productName); - - if (!fs.existsSync(kbPath)) { - return []; - } - - // Process the KB directory recursively, starting from the top level - // Skip root-level files (they should be organized into folders) - const items = []; - const entries = fs.readdirSync(kbPath, { withFileTypes: true }); - - // Only process directories at the top level - const topLevelFolders = entries - .filter(entry => entry.isDirectory() && !entry.name.startsWith('.') && !entry.name.startsWith('_')) - .sort((a, b) => a.name.localeCompare(b.name)); - - topLevelFolders.forEach(folder => { - const folderPath = path.join(kbPath, folder.name); - const folderItems = processFolderRecursive(folderPath, productName, folder.name); - - if (folderItems.length > 0) { - const categoryLabel = capitalizeFolderName(folder.name); - - items.push({ - type: 'category', - label: categoryLabel, - collapsed: true, - items: folderItems - }); - } - }); - - return items; -} - -module.exports = generateKBSidebar;