Skip to main content

Manage authorization-policy-change event

Contributors netapp-ahibbard

When authorization-policy-change event is configured for a storage virtual machine (SVM) and an audit is enabled, audit events are generated.

The authorization-policy-change events with the event-ids 4704 and 4705 are generated whenever the authorization rights are granted or revoked for an SMB user and SMB group. The authorization-policy-change events are generated when the authorization rights are assigned or revoked using vserver cifs users-and-groups privilege related commands.

The following example displays an authorization policy event with the ID 4704 generated, when the authorization rights for a SMB user group are assigned:

netapp-clus1::*> vserver cifs users-and-groups privilege add-privilege -user-or-group-name testcifslocalgroup -privileges *
- System
  - Provider
   [ Name]  NetApp-Security-Auditing
   [ Guid]  {3CB2A168-FE19-4A4E-BDAD-DCF422F13473}
   EventID 4704
   EventName User Right Assigned
   ...
   ...
  TargetUserOrGroupName testcifslocalgroup
  TargetUserOrGroupDomainName NETAPP-CLUS1
  TargetUserOrGroupSid S-1-5-21-2447422786-1297661003-4197201688-1004;
  PrivilegeList SeTcbPrivilege;SeBackupPrivilege;SeRestorePrivilege;SeTakeOwnershipPrivilege;SeSecurityPrivilege;SeChangeNotifyPrivilege;
  TargetType CIFS